- About this Journal
- Abstracting and Indexing
- Aims and Scope
- Article Processing Charges
- Articles in Press
- Author Guidelines
- Bibliographic Information
- Citations to this Journal
- Contact Information
- Editorial Board
- Editorial Workflow
- Free eTOC Alerts
- Publication Ethics
- Reviewers Acknowledgment
- Submit a Manuscript
- Subscription Information
- Table of Contents
Advances in Artificial Intelligence
Volume 2011 (2011), Article ID 464971, 10 pages
Generalization of the Self-Shrinking Generator in the Galois Field
1Computer Systems Department, Faculty of Computer Systems and Control, Technical University of Sofia, 8 Kliment Ohridski Street, Sofia 1000, Bulgaria
2Communication and Computer Technique Department, National Military University “Vasil Levski”, 1a Karel Shkorpil Street, Shumen 9701, Bulgaria
3Computer System and Technology Department, University of Shumen “Bishop Konstantin Preslavsky”, 115 Universitetska Street, Shumen 9712, Bulgaria
Received 13 December 2010; Revised 5 February 2011; Accepted 24 February 2011
Academic Editor: Farouk Yalaoui
Copyright © 2011 Antoniya Todorova Tasheva et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
The proposed by Meier and Staffelbach Self-Shrinking Generator (SSG) which has efficient hardware implementation only with a single Linear Feedback Shift Register is suitable for low-cost and fast stream cipher applications. In this paper we generalize the idea of the SSG for arbitrary Galois Field . The proposed variant of the SSG is called the -ary Generalized Self-Shrinking Generator (pGSSG). We suggest a method for transformation of a non-binary self-shrunken pGSSG sequence into balanced binary sequence. We prove that the keystreams of the pGSSG have large period and good statistical properties. The analysis of the experimental results shows that the pGSSG sequences have good randomness properties. We examine the complexity of exhaustive search and entropy attacks of the pGSSG. We show that the pGSSG is more secure than SSG and Modified SSG against these attacks. We prove that the complexity of the used pGSSG attacks increases with increasing the prime . Previously mentioned properties give the reason to say that the pGSSG satisfy the basic security requirements for a stream chipper and can be useful as a part of modern stream ciphers.
The binary Pseudorandom Sequences (PRSs) with maximum period and good statistical and correlation properties have established themselves as foundation for generation of many signals used in modern communication and information systems. Among the most important applications [1, 2] of these signals are the Code Division Multiple Access (CDMA) systems, wireless networks, and communication systems where the multiple access interference is minimized. Generators of pseudorandom sequences for security at authorization process and stream cipher are other key areas of the PRSs implementation in different kinds of local and global networks.
A great number of methods for generation of pseudorandom sequences are used in practice [3–13]. They are divided as linear and nonlinear . Most linear methods such as Linear Congruent Generator, Multiplicative Linear Congruent Generator and Multiply Recursive Generator  cannot be used for ensuring the security and for information encryption in the communication network. Digital multi-step and formal series  can solve that problem but they are too slow because many steps are done recursive. In order to ensure practical stability of a chosen crypto-algorithm it is necessary to break the linearity in the generated linear sequence. It could be done by applying a nonlinear function over a part of the generated bits for additional allocation [5, 12]. The binary sequences with maximum period (-sequences) are mainly used in many communication systems because of their properties such as uniformly allocation of the binary digits and the runs over its period and the ideal two-level autocorrelation. The main methods for generation of the -sequences are Linear Feedback Shift Register (LFSR) which function is described by algebra in finite Galois field and Feedback with Carry Shift Register (FCSR) where the algebra in finite 2-adic field is used.
Self-shrinking generator  is a keystream generator used as a stream cipher. It is based on the shrinking principle [4, 14] and has remarkably low hardware requirements. So far, it has shown considerable resistance against cryptanalysis. The binary sequences generated by shrinking generator have very good encryption properties [4, 5, 9, 12, 15, 16].
The self-shrinking generator (SSG) was proposed by Meier and Staffelbach at Euro-crypt'94 in . It is a variant of the original Shrinking Generator given by Coppersmith et al. in . This amazingly simple cipher, containing a single LFSR, has up to now surprisingly well-resisted all the known cryptographic attack techniques. In  Mihaljevic presented a faster attack with minimal time complexity that needs a longer part of keystream sequence. It is shown that cryptanalysis is successful with high probability after steps, , where is -bit section of the keystream and is the key length. Since the procedure is done for , the running time can vary from in the very best case to under more unfavorable circumstances. Later Zenner et al. improve the cryptanalysis of self-shrinking generator. The attack  is based on a backtracking algorithm and will reconstruct the key from a short sequence of known keystream bits. The algorithm takes at most steps, where is the key length.
An attack on SSG requiring very small keystream data is the binary decision diagram (BDD) cryptanalysis proposed by Krause in  with time complexity and equivalent memory complexity . The BBD-attack was improved in  with the same time complexity and only memory complexity.
The best tradeoff between time, memory and data complexity today is the new guess-and-determine cryptanalysis . The time complexity of this attack is and memory complexity from keystream bits for , and time complexity and memory complexity from keystream bits for .
In this paper a -ary generalized self-shrinking generator which produces nonbinary sequences is proposed. A method for transformation of nonbinary self-shrunken sequence into balance binary sequence is given.
The paper is organized as follows. First, the basic principles of the -ary LFSR are described. In Section 3 the function of the Self-Shrinking Generator is given. The working algorithm of the -ary Generalized Self-Shrinking Generator for Galois Field is given in Section 4. Then the properties of the proposed pGSSG are discussed and analyzed. Finally, the security of the pGSSG against the exhaustive search and entropy attacks are analysed.
2. Basics Principles of the -Ary LFSR
Definition 1. If is a prime then generated -ary pseudorandom sequence (pPRS) consists of numbers and the appearance of every number is independent by the value of the previous and the following digits in the sequence.
2.1. pLFSR with Fibonachi Architecture
Definition 2. -ary LFSR with Fibonachi architecture and length (Figure 1) consists of stages (delay elements) , , and one input and one output.
Every element can remember one -ary number. The register is initialized by -ary sequence .
During each clock cycle the following operations are performed.(1)The content of stage 0 is output and forms part of the output sequence.(2)The content of element is passed to element for each , .(3)A calculation of the linear recurrent dependency is done and its result is stored in the most left element of the register.
The output sequence is described by (1) taking into consideration , the first -ary digits are eliminated from the output sequence.
Every configuration of this architecture is defined by the feedback coefficients , . The generated output sequence is well defined for and the feedback polynomial Every infinite -ary sequence can be represented by its generating function which is an element of the ring of the formal powers with coefficients in .
The generated sequence is periodic only if the generating function could be represented as a quotient of two polynomials The generated sequence is strictly periodic if the following condition is in effect: The reverse dependence is in effect as well. If is a strictly periodic sequence and is its generating function then is a connection polynomial of the pLFSR which generates sequence and a polynomial defines the initial state of the register by using
2.2. pLFSR with Galois Architecture
Definition 3. -ary LFSR with Galois architecture and length (Figure 2) consists of delay elements , , and one input and one output. The multipliers of the feedback are given as . Every element can remember one -ary number. The register is initialized by -ary sequence .
During each clock cycle the following operations are performed.(1)The content of stage 0 is output and forms part of the output sequence.(2)The content of element is passed to element for each , , and the following recurrent dependencies are in effect (3)The output of the element 0 is implemented in every multiplier of feedbacks and a sum with the previous element by modulo is done.
The Galois architecture of pLFSR is described by the feedback polynomial which is defined by (2) and the polynomial which is defined by the initial state of the register .
The generated output sequence is a sequence of polynomial coefficients . The reverse statement for defining and initial state by using (8) is also in effect.
2.3. Properties of the pLFSR Sequences
One of the most important properties of the pLFSR is the maximal period  and it depends on the length of the registers pPRS sequences which have a maximal period (mp-sequences) are used in cryptography and in communication systems for designing complex signals due to their good correlation properties. In order to generate mp-sequences it is necessary that the feedback polynomial of the pLFSR is primitive in extended Galois field .
The uniform allocation of the -ary digits and their runs (series) is another important property. The following statements are true.(i)The number of appearances of all nonzero elements in maximal period is for and the number of zero elements is . (ii)Every nonzero -ary runs (series) with length , appears in a period times and times if it is zero.
Figure 3 shows the 3LFSR register with Galois architecture and length . As one can see the output numbers 1 and 2 appear times in one period and the number of zeros is . All nonzero runs with length 2 appear only ones and zero run is not used.
3. Nonbinary Self-Shrinking Generator
3.1. Basics of Shrinking Generators
The shrinking generator [4, 9] consists of two Linear Feedback Shift Registers (LFSR) and generating the -sequences (denoted as sequence) and (denoted as sequence), respectively. The keystream sequence is constructed from these two sequences according to the following selection rule: for every clock , consider the selection bit . If , the output is . Otherwise, discard both and . This way, a nonlinear keystream is generated. Even a cryptanalyst who knows part of the keystream sequence cannot tell easily which corresponds to which , since the length of the gaps (i.e., the number of that has been discarded) is unknown. In [4, 14] the shrinking generator is shown to have good algebraic and statistical properties. It is shown that the number of attacks that could reconstruct the initial state of and increases and requires exponential running time in the length of register (LFSR ).
The self-shrinking generator is a modified version of the shrinking generator and was first presented by Meier and Staffelbach in .
The self-shrinking generator requires only one LFSR , whose length will be denoted by . The LFSR generates an -sequence . The selection rule is the same as for shrinking generator, using the even bits as -bits and the odd bits as -bits in the above sense. Thus, the self-shrinking rule requires a couple as input and outputs if .
The close relationship between shrinking and self-shrinking generator is shown in Figure 4.
In  an algorithm is given that transforms an -bit self-shrinking generator into a -bit shrinking generator. It is also shown that a shrinking generator with register lengths and has an equivalent self-shrinking generator of length . Despite this similarity, the self-shrinking generator has shown even more resistance to cryptanalysis than the shrinking generator .
3.2. -ary Generalized Self-Shrinking Generator
The proposed -ary generalized Self-Shrinking Generator (pGSSG), given in Figure 4, consists of a pLFSR generator , whose length will be denoted by . It generates sequence with -ary digits (i.e., , ) and . The multipliers of the feedbacks are given by coefficients , of the primitive polynomial in . Every element can remember one -ary number. The register is initialized by -ary sequence .
The pGSSG selects a portion of the output -ary LFSR sequence by controlling the -ary LFSR itself using the following algorithm.
Definition 4. The algorithm of the -ary Generalized Self-Shrinking Generator (Figure 5) consists of the following steps.(1)The -ary LFSR is clocked with clock sequence with period .(2)The output pLFSR sequence is split into -tuples , .(3)If the whole -tuple is discarded from the GSSG output, that is, the output is shrunken. (4)When , the corresponding digit in the -tuple forms the output of the GSSG. For example, if , then is output and the other digits are discard. If , then is output and the other digits are discard and so on. If , then is output and the other digits are discard.(5)The shrunken -ary GSSG output sequence is transformed into binary sequence in which every -ary number is presented with binary digits, where is the smallest integer which is greater or equal to . Every output number from 1 to of -ary GSSG sequence is depicted with -ary expansion of the number: For example the transformation of every -ary digit for is done according to the Table 1.(6)Every -ary zero in its appearance () of the generated -ary sequence can be represented binary by number , and initial condition .
Let us chose Extended Galois field and the primitive polynomial that generates is . Then the corresponding pLFSR (i.e., 3LFSR) will be as shown in Figure 6.
The feedback polynomial is and all algebraic function is done modulo (i.e., ).
Let the initial state be .
For all possible 3-tuples generated by the 3LFSR the 3GSSG output for a period will be and the way of its derivation according to the given algorithm is shown in Table 2.
The period of sequence is . The output is chosen from the value of the first symbol of 3-tuple, which defines which symbol forms the 3GSSG output. It is pointed out by the bold digits. Then the 3-ary output sequence is transformed into binary by the rules 5 and 6 in the pGSSG algorithm for given in Table 1.
The binary output is given in the brackets in Table 2.
Let us chose Extended Galois field and primitive polynomial is . The corresponding pLFSR (i.e., 5LFSR) is shown in Figure 7.
The feedback polynomial is and all algebraic function is done modulo 5 (i.e., ).
Let the initial state be .
For a part of all possible 5-tuples generated by the 5LFSR the output of the 5SSG generator for a part of period will be . The way of its derivation according to the given algorithm is shown in Table 3.
The period is . The output is chosen from the value of the first symbol of 5-tuple, which defines which position symbol from this point to be selected to exit. Finally the 5-ary output sequence is transformed into binary by the rules 5 and 6 in the pGSSG algorithm for given in Table 1. The binary output is given in the brackets in Table 3.
4. Properties of the pGSSG Output Sequence
The research of the -ary GSSG has been modeled with Visual C++. To analyze the properties of the -ary GSSG output sequence have been made more than 1000 tests with prime up to 257 and various primitive feedback polynomials and initial states.
In this section first the pGSSG period is established. Then is proven that the output pGSSG sequence is balanced, that is, the number of 1s and 0s are equal in a period of pGSSG sequence. In Section 4.3 the minimum length of the used pLFSR registers to guarantee a key length of 512 and 1024 bits, which is useful for cryptographic applications nowadays, is calculated. Finally the good randomness properties of the pGSSG output sequences are proven by the results of the statistical NIST test suite.
4.1. Period of pGSSG
Hence a -ary LFSR sequence is with period then the pGSSG output sequence also is periodic. In fact after bits of the original sequence, the sequence of -tuples has been processed and the next -tuple will be the same as first . As is well known, the -tuples occurs balanced in one -sequence period. Therefore of all -tuples will begin with bit of all will begin with 1 and so on of all will begin with . Thus the -tuples will be discarding because they begin with 0 bit. Remaining -tuples will produce an one bit in the output sequence because this -tuples begin with nonzero bits. Consequently the period of the -ary GSSG output sequence will be-ary digits.
When pGSSG output sequence is transformed into balanced binary sequence the period will be bits.
4.2. Number of Elements in -Ary GSSG Sequence
Since the -sequence, produced by the -ary LFSR is balanced and the pGSSG output sequence also is balanced the number of the each elements is equal to After binary transformation the balanced property is in fact also, thus the number of zeros and ones are equal to The experimental results for different pGSSG and their parameters are given in Table 4.
4.3. Key for Encryption
The encryption key for the GSSG is an initial state of the pLFSR register. Thus the encryption key will be long -ary digits.
One -ary digit may be presented by bits, where denote the smallest integer greater and equal to . Consequently length of the encryption key is As one can see the greater is the longer the key is. Table 5 shows the minimum length of the used pLFSR register to guarantee a key length of 512 and 1024 bits, which are useful for cryptographic applications nowadays.
4.4. Statistical Properties
To test statistical properties of the keystreams generated by the pGSSG with prime up to 257, 1000 sequences of length 106 have been tested by the National Institute of Standards and Technology (NIST) statistical test suite . Table 6 shows the NIST test results for two sets of 100 keystreams each of length 106 for and . To generate these 100 keystreams randomly chosen primitive polynomials and initial states are used.
The results demonstrate that pGSSG keystreams have good randomness properties, that is, they are well balanced, uniform, scalable and uncompressible.
Unfortunately, the hardware implementation of the pGSSG is not as simple as the original SSG, because the algebraic operations are performed in the , . It takes triggers to present one -ary number. Hardware accelerators can perform the computationally intensive operations far quicker. Field-Programmable Gate Arrays (FPGAs) are well-suited for this application due to their reconfigurability and versatility.
The pGSSG is more suitable for software implementation. The cases with and are particularly suitable, because the binary output of the generator produces 4 or 8 bits at a time, respectively.
The goal of the stream cipher attack based on a clock controlled generators is to recover the secret key that includes the initial state of the used LFSRs. For better security the key may contain the feedback polynomial of the LFSRs. In this section, the security of the pGSSG against the exhaustive search and entropy attacks are analysed.
The suggested from Maier and Staffelbach two general attacks named exhaustive search attack and entropy attack  recover the initial state of the SSG from the knowledge of the short segment of the generated keystream requiring respectively and computational steps.
In these attacks we assume that the secret key consists only of the initial state of the -ary GSSG.
5.1. Exhaustive Search Attack
Let be a known portion of the binary keystream generated by pGSSG. As the prime is also known the attacker can divide it by bits. Each portion of bits presents one -ary number.
Let then be a known -ary portion of the pGSSG. The -ary number for some is generated by the -tuple of the output pLFSR sequence , , where the index is unknown.
From the knowledge of the first -ary number one can conclude that for the first -tuple there is possible cases: For each case in (17) there are possibilities for the unknown -ary numbers. In other hand by definition 4 of the pGSSG algorithm for the -ary number there are two possible cases: first, the one -ary number from 1 to , defined by (10) or second, the -ary zero in its appearance by (11).
Therefore the number of possibilities for the first -ary number is .
For the next known -ary number there are the same possible cases for the second -tuple : In addition to the above cases there are another possibilities for which the output pGSSG sequence is shrunken Hence all possible cases for the -ary number are For each of these possibilities there are another possibilities for the next -tuple and so on.
Therefore, for reconstructing -tuples, that is, -ary numbers, are needed possible states for the pLFSR.
Example 1 (). The known bit portion of the sequence is equal to the known -ary portion of the pGSSG because bits. Every bit 0 can present the 3-ary bit 1 or the 3-ary zero. The bit 1 can present the 3-ary bit 2 or the 3-ary zero (see Table 1). From the known first bit there are two possible cases for the first triple
Each 3-ary number , that is, the six possible cases are
and another six possible cases in which is 3-ary zero are
For the next triple there are 12 possibilities of the same kind
and 9 possible cases when the output is shrunken
Therefore the possible cases are
which is listed above.
Then we calculate the possible pLFSR states
Example 2 (). The number of possible cases for the 5-tuples are and states of the used pLFSR are
5.2. Entropy Attack
The entropy of the -tuples will be calculated. As mentioned above for the -tuple there are possibilities, where are in the form (18). In the half of these possibilities -ary number and the probability of each of them is . In the other half and each of them has probability . The other possibilities of the form (19) also have probability .
Therefore, the entropy of the -tuple is Because the entropy per one -ary number is , the entropy search among all different cases would require steps.
For the entropy of 3-tuples is Hence, the complexity of the entropy attack is .
The results show that the pGSSG is more secure than SSG and MSSG against exhaustive search and entropy attack. The complexity of the used pGSSG attack increases with increasing the prime .
6. Conclusions and Future Works
In this paper the generalization of the self-shrinking generator in Galois Field for arbitrary prime is proposed. The architecture of the new -ary Generalized Self-Shrinking Generator is suggested. It is proved that the pGSSG has large period and good statistical properties. The experimental results analysis shows that the sequence generated by pGSSG is well balanced, uniform, scalable, uncompressible and unpredictable.
The complexity of the exhaustive search and entropy attack of the pGSSG is established. It is shown that the pGSSG is more secure than SSG and MSSG against exhaustive search and entropy attack. It is proven that the complexity of the used pGSSG attack increases with increasing the prime .
Above-mentioned properties give the reason to consider the pGSSG as a pseudorandom generator that can be useful as a part of modern stream ciphers.
However, there are some theoretical and practical issues that need to be addressed. From a theoretical point of view, improved cryptanalysis of the pGSSG keystream sequences is necessary to be done and the complexity of other known self-shrinking attacks like attack using long keystream segment, BDD-based attack and guess-and-determine attack, must be investigated.
On the practical side, the hardware FPGA implementation of the pGSSG generator must be designed. It will provide faster execution of the algebraic operations in the for any prime number .
The authors would like to thank the referees for their helpful comments.
- A. Afzal, WiMAX Security (MAC and Physical Layer), NYC OEM Consultation Project, Spring, Willits, Calif, USA, 2006.
- S. W. Golomb and G. Gong, Signal Design for Good Correlation: For Wireless Communication, Cryptography, and Radar, Cambridge University Press, New York, NY, USA, 2005.
- M. K. Chetry and W. B. Vasantha Kandaswamy, “A note on self-shrinking lagged fibonacci generator,” International Journal of Network Security, vol. 11, no. 1, pp. 11–13, 2010.
- D. Coppersmith, H. Krawczyk, and Y. Mansour, “The shrinking generator,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '93), vol. 773, pp. 22–39, Springer, Berlin, Germany, 1993.
- E. J. Dudewicz and T. G. Ralley, The Handbook of Random Number Generation and Testing with TESTRAND Computer Code, American Sciences Press, Columbus, Ohio, USA, 1981.
- A. Fúster-Sabatera and P. Caballero-Gil, “Analysis of the generalized self-shrinking generator,” Computers & Mathematics with Applications, vol. 61, no. 4, pp. 871–880, 2011.
- G. Guang, Sequence Analysis, Department of Combinatorics and Optimization, University of Waterloo, Ontario, Canada, 1999.
- A. Kanso, “Modified self-shrinking generator,” Computers and Electrical Engineering, vol. 36, pp. 993–1001, 2010.
- H. Krawczyk, “The shrinking generator: some practical considerations,” in Proceedings of the International Workshop on Fast Software Encryption, R. Andersen, Ed., vol. 809 of Lecture Notes in Computer Science, pp. 45–46, Springer, Berlin, Germany, 1994.
- J. L. Massey, “Some applications of coding theory in cryptography,” in Codes and Ciphers: Cryptography and Coding IV, P. G. Farrell, Ed., pp. 33–47, Formara, Essex, UK, 1995.
- W. Meier and O. Staffelbach, “The self-shrinking generator,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '94), A. De Santis, Ed., vol. 950 of Lecture Notes in Computer Science, pp. 205–214, Springer, Berlin, Germany, 1995.
- B. Schneier, Applied Cryptography, John Wiley & Sons, New York, NY, USA, 1998.
- B. Stoyanov, A. Milev, and A. Nachev, “Research on the self-shrinking 2-adic cryptographic generator,” Journal of Communication and Computer, vol. 7, no. 11, pp. 67–71, 2010.
- I. Shparlinski, “On some properties of the shrinking generator,” Designs, Codes, and Cryptography, vol. 23, no. 2, pp. 147–155, 2001.
- S. R. Blackburn, “The linear complexity of the self-shrinking generator,” IEEE Transactions on Information Theory, vol. 45, no. 6, pp. 2073–2077, 1999.
- B. Stoyanov, “Improved cryptanalysis of the self-shrinking p-adic cryptographic generator,” in Proceedings of the International Conference Information Research and Applications, M. Krassimir, I. Krassimir, and M. Ilia, Eds., pp. 112–115, Varna, Bulgaria, July 2008.
- M. J. Mihaljevic, “A faster cryptanalysis of self-shrinking generator,” in Proceedings of the Australasian Conference on Information Security and Privacy (ACISP '96), J. Pieprzyk and J. Seberry, Eds., vol. 1172 of Lecture Notes in Computer Science, pp. 182–189, Springer, Berlin, Germany, 1996.
- E. Zenner, M. Krause, and S. Lucks, “Improved cryptanalysis of self-shrinking generator,” in Proceedings of the Australasian Conference on Information Security and Privacy (ACIPS ;01), vol. 2119 of Lecture Notes in Computer Science, pp. 21–35, Springer, Berlin, Germany, 2001.
- M. Krause, “BDD-based cryptanalysis of keystream generators,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT '02), vol. 2332/2002 of Lecture Notes in Computer Science, pp. 222–237, Springer, Berlin, Germany, 2002.
- M. Hell and T. Johansson, “Two new attacks on the self-shrinking generator,” IEEE Transactions on Information Theory, vol. 52, no. 8, pp. 3837–3843, 2006.
- B. Zhang and D. Feng, “New guess-and-determine attack on the self-shrinking generator,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT '06), vol. 4284/2006, pp. 54–68, Springer, Berlin, Germany, 2006.
- T. Tashev and B. Bedzhev, “Modeling of the linear feedback shift registers in the galois field with arbitrary prime base,” in Proceedings of the International Scientific and Applied Science Conference, pp. 261–265, 2006.
- A. Rukhin, J. Soto, J. Nechvatal, et al., Special Publication 800-22, Revision 1a, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, April 2010, ps. 131, http://csrc.nist.gov/groups/ST/toolkit/rng/documents/SP800-22rev1a.pdf.