Create a dedicated crate for the DKG (#141)

* Add dkg crate

* Remove F_len and G_len

They're generally no longer used.

* Replace hash_to_vec with a provided method around associated type H: Digest

Part of trying to minimize this trait so it can be moved elsewhere. Vec, 
which isn't std, may have been a blocker.

* Encrypt secret shares within the FROST library

Reduces requirements on callers in order to be correct.

* Update usage of Zeroize within FROST

* Inline functions in key_gen

There was no reason to have them separated as they were. sign probably 
has the same statement available, yet that isn't the focus right now.

* Add a ciphersuite package which provides hash_to_F

* Set the Ciphersuite version to something valid

* Have ed448 export Scalar/FieldElement/Point at the top level

* Move FROST over to Ciphersuite

* Correct usage of ff in ciphersuite

* Correct documentation handling

* Move Schnorr signatures to their own crate

* Remove unused feature from schnorr

* Fix Schnorr tests

* Split DKG into a separate crate

* Add serialize to Commitments and SecretShare

Helper for buf = vec![]; .write(buf).unwrap(); buf

* Move FROST over to the new dkg crate

* Update Monero lib to latest FROST

* Correct ethereum's usage of features

* Add serialize to GeneratorProof

* Add serialize helper function to FROST

* Rename AddendumSerialize to WriteAddendum

* Update processor

* Slight fix to processor

crypto/frost/src/tests/curve.rs

@@ -2,23 +2,7 @@ use rand_core::{RngCore, CryptoRng};
 
 use group::Group;
 
-use crate::{Curve, FrostCore, tests::core_gen};
-
-// Test generation of FROST keys
-fn key_generation<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  // This alone verifies the verification shares and group key are agreed upon as expected
-  core_gen::<_, C>(rng);
-}
-
-// Test serialization of generated keys
-fn keys_serialization<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  for (_, keys) in core_gen::<_, C>(rng) {
-    assert_eq!(
-      &FrostCore::<C>::deserialize::<&[u8]>(&mut keys.serialize().as_ref()).unwrap(),
-      &keys
-    );
-  }
-}
+use crate::Curve;
 
 // Test successful multiexp, with enough pairs to trigger its variety of algorithms
 // Multiexp has its own tests, yet only against k256 and Ed25519 (which should be sufficient
@@ -28,7 +12,7 @@ pub fn test_multiexp<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
   let mut sum = C::G::identity();
   for _ in 0 .. 10 {
     for _ in 0 .. 100 {
-      pairs.push((C::random_F(&mut *rng), C::generator() * C::random_F(&mut *rng)));
+      pairs.push((C::random_nonzero_F(&mut *rng), C::generator() * C::random_nonzero_F(&mut *rng)));
       sum += pairs[pairs.len() - 1].1 * pairs[pairs.len() - 1].0;
     }
     assert_eq!(multiexp::multiexp(&pairs), sum);
@@ -40,8 +24,4 @@ pub fn test_curve<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
   // TODO: Test the Curve functions themselves
 
   test_multiexp::<_, C>(rng);
-
-  // Test FROST key generation and serialization of FrostCore works as expected
-  key_generation::<_, C>(rng);
-  keys_serialization::<_, C>(rng);
 }

crypto/frost/src/tests/literal/dalek.rs

@@ -5,7 +5,7 @@ use crate::{
   tests::vectors::{Vectors, test_with_vectors},
 };
 
-#[cfg(any(test, feature = "ristretto"))]
+#[cfg(feature = "ristretto")]
 #[test]
 fn ristretto_vectors() {
   test_with_vectors::<_, curve::Ristretto, curve::IetfRistrettoHram>(

crypto/frost/src/tests/literal/ed448.rs

@@ -1,8 +1,11 @@
 use rand_core::OsRng;
 
+use ciphersuite::Ciphersuite;
+
+use schnorr::SchnorrSignature;
+
 use crate::{
-  curve::{Curve, Ed448, Ietf8032Ed448Hram, IetfEd448Hram},
-  schnorr::{SchnorrSignature, verify},
+  curve::{Ed448, Ietf8032Ed448Hram, IetfEd448Hram},
   tests::vectors::{Vectors, test_with_vectors},
 };
 
@@ -37,11 +40,9 @@ fn ed448_8032_vector() {
   let R = Ed448::read_G::<&[u8]>(&mut sig.as_ref()).unwrap();
   let s = Ed448::read_F::<&[u8]>(&mut &sig[57 ..]).unwrap();
 
-  assert!(verify(
-    A,
-    Ietf8032Ed448Hram::hram(&context, &R, &A, &msg),
-    &SchnorrSignature::<Ed448> { R, s }
-  ));
+  assert!(
+    SchnorrSignature::<Ed448> { R, s }.verify(A, Ietf8032Ed448Hram::hram(&context, &R, &A, &msg))
+  );
 }
 
 #[test]

crypto/frost/src/tests/literal/mod.rs

@@ -1,6 +1,6 @@
-#[cfg(any(test, feature = "dalek"))]
+#[cfg(any(feature = "ristretto", feature = "ed25519"))]
 mod dalek;
-#[cfg(feature = "kp256")]
+#[cfg(any(feature = "secp256k1", feature = "p256"))]
 mod kp256;
 #[cfg(feature = "ed448")]
 mod ed448;

crypto/frost/src/tests/mod.rs

@@ -2,21 +2,16 @@ use std::collections::HashMap;
 
 use rand_core::{RngCore, CryptoRng};
 
-use group::ff::Field;
+pub use dkg::tests::{key_gen, recover_key};
 
 use crate::{
-  Curve, FrostParams, FrostCore, FrostKeys, lagrange,
-  key_gen::{SecretShare, Commitments as KGCommitments, KeyGenMachine},
+  Curve, ThresholdKeys,
   algorithm::Algorithm,
   sign::{Writable, PreprocessMachine, SignMachine, SignatureMachine, AlgorithmMachine},
 };
 
 /// Curve tests.
 pub mod curve;
-/// Schnorr signature tests.
-pub mod schnorr;
-/// Promotion tests.
-pub mod promote;
 /// Vectorized test suite to ensure consistency.
 pub mod vectors;
 
@@ -39,102 +34,11 @@ pub fn clone_without<K: Clone + std::cmp::Eq + std::hash::Hash, V: Clone>(
   res
 }
 
-/// Generate FROST keys (as FrostCore objects) for tests.
-pub fn core_gen<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) -> HashMap<u16, FrostCore<C>> {
-  let mut machines = HashMap::new();
-  let mut commitments = HashMap::new();
-  for i in 1 ..= PARTICIPANTS {
-    let machine = KeyGenMachine::<C>::new(
-      FrostParams::new(THRESHOLD, PARTICIPANTS, i).unwrap(),
-      "FROST Test key_gen".to_string(),
-    );
-    let (machine, these_commitments) = machine.generate_coefficients(rng);
-    machines.insert(i, machine);
-
-    commitments.insert(i, {
-      let mut buf = vec![];
-      these_commitments.write(&mut buf).unwrap();
-      KGCommitments::read::<&[u8]>(
-        &mut buf.as_ref(),
-        FrostParams { t: THRESHOLD, n: PARTICIPANTS, i: 1 },
-      )
-      .unwrap()
-    });
-  }
-
-  let mut secret_shares = HashMap::new();
-  let mut machines = machines
-    .drain()
-    .map(|(l, machine)| {
-      let (machine, mut shares) =
-        machine.generate_secret_shares(rng, clone_without(&commitments, &l)).unwrap();
-      let shares = shares
-        .drain()
-        .map(|(l, share)| {
-          let mut buf = vec![];
-          share.write(&mut buf).unwrap();
-          (l, SecretShare::<C>::read::<&[u8]>(&mut buf.as_ref()).unwrap())
-        })
-        .collect::<HashMap<_, _>>();
-      secret_shares.insert(l, shares);
-      (l, machine)
-    })
-    .collect::<HashMap<_, _>>();
-
-  let mut verification_shares = None;
-  let mut group_key = None;
-  machines
-    .drain()
-    .map(|(i, machine)| {
-      let mut our_secret_shares = HashMap::new();
-      for (l, shares) in &secret_shares {
-        if i == *l {
-          continue;
-        }
-        our_secret_shares.insert(*l, shares[&i].clone());
-      }
-      let these_keys = machine.complete(rng, our_secret_shares).unwrap();
-
-      // Verify the verification_shares are agreed upon
-      if verification_shares.is_none() {
-        verification_shares = Some(these_keys.verification_shares());
-      }
-      assert_eq!(verification_shares.as_ref().unwrap(), &these_keys.verification_shares());
-
-      // Verify the group keys are agreed upon
-      if group_key.is_none() {
-        group_key = Some(these_keys.group_key());
-      }
-      assert_eq!(group_key.unwrap(), these_keys.group_key());
-
-      (i, these_keys)
-    })
-    .collect::<HashMap<_, _>>()
-}
-
-/// Generate FROST keys for tests.
-pub fn key_gen<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) -> HashMap<u16, FrostKeys<C>> {
-  core_gen(rng).drain().map(|(i, core)| (i, FrostKeys::new(core))).collect()
-}
-
-/// Recover the secret from a collection of keys.
-pub fn recover<C: Curve>(keys: &HashMap<u16, FrostKeys<C>>) -> C::F {
-  let first = keys.values().next().expect("no keys provided");
-  assert!(keys.len() >= first.params().t().into(), "not enough keys provided");
-  let included = keys.keys().cloned().collect::<Vec<_>>();
-
-  let group_private = keys.iter().fold(C::F::zero(), |accum, (i, keys)| {
-    accum + (keys.secret_share() * lagrange::<C::F>(*i, &included))
-  });
-  assert_eq!(C::generator() * group_private, first.group_key(), "failed to recover keys");
-  group_private
-}
-
 /// Spawn algorithm machines for a random selection of signers, each executing the given algorithm.
 pub fn algorithm_machines<R: RngCore, C: Curve, A: Algorithm<C>>(
   rng: &mut R,
   algorithm: A,
-  keys: &HashMap<u16, FrostKeys<C>>,
+  keys: &HashMap<u16, ThresholdKeys<C>>,
 ) -> HashMap<u16, AlgorithmMachine<C, A>> {
   let mut included = vec![];
   while included.len() < usize::from(keys[&1].params().t()) {

crypto/frost/src/tests/promote.rs

@@ -1,121 +0,0 @@
-use std::{marker::PhantomData, collections::HashMap};
-
-use rand_core::{RngCore, CryptoRng};
-
-use zeroize::Zeroize;
-
-use group::Group;
-
-use crate::{
-  Curve, // FrostKeys,
-  promote::{GeneratorPromotion /* CurvePromote */},
-  tests::{clone_without, key_gen, schnorr::sign_core},
-};
-
-/*
-#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
-struct AltFunctions<C: Curve> {
-  _curve: PhantomData<C>,
-}
-
-impl<C: Curve> Curve for AltFunctions<C> {
-  type F = C::F;
-  type G = C::G;
-
-  const ID: &'static [u8] = b"alt_functions";
-
-  fn generator() -> Self::G {
-    C::generator()
-  }
-
-  fn hash_msg(msg: &[u8]) -> Vec<u8> {
-    C::hash_msg(&[msg, b"alt"].concat())
-  }
-
-  fn hash_binding_factor(binding: &[u8]) -> Self::F {
-    C::hash_to_F(b"rho_alt", binding)
-  }
-
-  fn hash_to_F(dst: &[u8], msg: &[u8]) -> Self::F {
-    C::hash_to_F(&[dst, b"alt"].concat(), msg)
-  }
-}
-
-// Test promotion of FROST keys to another set of functions for interoperability
-fn test_ciphersuite_promotion<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  let keys = key_gen::<_, C>(&mut *rng);
-  for keys in keys.values() {
-    let promoted: FrostKeys<AltFunctions<C>> = keys.clone().promote();
-    // Verify equivalence via their serializations, minus the ID's length and ID itself
-    assert_eq!(
-      keys.serialize()[(4 + C::ID.len()) ..],
-      promoted.serialize()[(4 + AltFunctions::<C>::ID.len()) ..]
-    );
-  }
-}
-*/
-
-#[derive(Clone, Copy, PartialEq, Eq, Debug, Zeroize)]
-struct AltGenerator<C: Curve> {
-  _curve: PhantomData<C>,
-}
-
-impl<C: Curve> Curve for AltGenerator<C> {
-  type F = C::F;
-  type G = C::G;
-
-  const ID: &'static [u8] = b"alt_generator";
-
-  fn generator() -> Self::G {
-    C::G::generator() * C::hash_to_F(b"FROST_tests", b"generator")
-  }
-
-  fn hash_to_vec(dst: &[u8], data: &[u8]) -> Vec<u8> {
-    C::hash_to_vec(&[b"FROST_tests_alt", dst].concat(), data)
-  }
-
-  fn hash_to_F(dst: &[u8], data: &[u8]) -> Self::F {
-    C::hash_to_F(&[b"FROST_tests_alt", dst].concat(), data)
-  }
-}
-
-// Test promotion of FROST keys to another generator
-fn test_generator_promotion<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  // A seeded RNG can theoretically generate for C1 and C2, verifying promotion that way?
-  // TODO
-  let keys = key_gen::<_, C>(&mut *rng);
-
-  let mut promotions = HashMap::new();
-  let mut proofs = HashMap::new();
-  for (i, keys) in &keys {
-    let promotion = GeneratorPromotion::<_, AltGenerator<C>>::promote(&mut *rng, keys.clone());
-    promotions.insert(*i, promotion.0);
-    proofs.insert(*i, promotion.1);
-  }
-
-  let mut new_keys = HashMap::new();
-  let mut group_key = None;
-  let mut verification_shares = None;
-  for (i, promoting) in promotions.drain() {
-    let promoted = promoting.complete(&clone_without(&proofs, &i)).unwrap();
-    assert_eq!(keys[&i].params(), promoted.params());
-    assert_eq!(keys[&i].secret_share(), promoted.secret_share());
-
-    if group_key.is_none() {
-      group_key = Some(keys[&i].group_key());
-      verification_shares = Some(keys[&i].verification_shares());
-    }
-    assert_eq!(keys[&i].group_key(), group_key.unwrap());
-    assert_eq!(&keys[&i].verification_shares(), verification_shares.as_ref().unwrap());
-
-    new_keys.insert(i, promoted);
-  }
-
-  // Sign with the keys to ensure their integrity
-  sign_core(rng, &new_keys);
-}
-
-pub fn test_promotion<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  // test_ciphersuite_promotion::<_, C>(rng);
-  test_generator_promotion::<_, C>(rng);
-}

crypto/frost/src/tests/schnorr.rs

@@ -1,131 +0,0 @@
-use std::{marker::PhantomData, collections::HashMap};
-
-use rand_core::{RngCore, CryptoRng};
-
-use group::{ff::Field, Group, GroupEncoding};
-
-use crate::{
-  Curve, FrostKeys,
-  schnorr::{self, SchnorrSignature},
-  algorithm::{Hram, Schnorr},
-  tests::{key_gen, algorithm_machines, sign as sign_test},
-};
-
-pub(crate) fn core_sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  let private_key = C::random_F(&mut *rng);
-  let nonce = C::random_F(&mut *rng);
-  let challenge = C::random_F(rng); // Doesn't bother to craft an HRAm
-  assert!(schnorr::verify::<C>(
-    C::generator() * private_key,
-    challenge,
-    &schnorr::sign(private_key, nonce, challenge)
-  ));
-}
-
-// The above sign function verifies signing works
-// This verifies invalid signatures don't pass, using zero signatures, which should effectively be
-// random
-pub(crate) fn core_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  assert!(!schnorr::verify::<C>(
-    C::generator() * C::random_F(&mut *rng),
-    C::random_F(rng),
-    &SchnorrSignature { R: C::G::identity(), s: C::F::zero() }
-  ));
-}
-
-pub(crate) fn core_batch_verify<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  // Create 5 signatures
-  let mut keys = vec![];
-  let mut challenges = vec![];
-  let mut sigs = vec![];
-  for i in 0 .. 5 {
-    keys.push(C::random_F(&mut *rng));
-    challenges.push(C::random_F(&mut *rng));
-    sigs.push(schnorr::sign::<C>(keys[i], C::random_F(&mut *rng), challenges[i]));
-  }
-
-  // Batch verify
-  let triplets = (0 .. 5)
-    .map(|i| (u16::try_from(i + 1).unwrap(), C::generator() * keys[i], challenges[i], sigs[i]))
-    .collect::<Vec<_>>();
-  schnorr::batch_verify(rng, &triplets).unwrap();
-
-  // Shift 1 from s from one to another and verify it fails
-  // This test will fail if unique factors aren't used per-signature, hence its inclusion
-  {
-    let mut triplets = triplets.clone();
-    triplets[1].3.s += C::F::one();
-    triplets[2].3.s -= C::F::one();
-    if let Err(blame) = schnorr::batch_verify(rng, &triplets) {
-      assert_eq!(blame, 2);
-    } else {
-      panic!("batch verification considered a malleated signature valid");
-    }
-  }
-
-  // Make sure a completely invalid signature fails when included
-  for i in 0 .. 5 {
-    let mut triplets = triplets.clone();
-    triplets[i].3.s = C::random_F(&mut *rng);
-    if let Err(blame) = schnorr::batch_verify(rng, &triplets) {
-      assert_eq!(blame, u16::try_from(i + 1).unwrap());
-    } else {
-      panic!("batch verification considered an invalid signature valid");
-    }
-  }
-}
-
-pub(crate) fn sign_core<R: RngCore + CryptoRng, C: Curve>(
-  rng: &mut R,
-  keys: &HashMap<u16, FrostKeys<C>>,
-) {
-  const MESSAGE: &[u8] = b"Hello, World!";
-
-  let machines = algorithm_machines(rng, Schnorr::<C, TestHram<C>>::new(), keys);
-  let sig = sign_test(&mut *rng, machines, MESSAGE);
-
-  let group_key = keys[&1].group_key();
-  assert!(schnorr::verify(group_key, TestHram::<C>::hram(&sig.R, &group_key, MESSAGE), &sig));
-}
-
-#[derive(Clone)]
-pub struct TestHram<C: Curve> {
-  _curve: PhantomData<C>,
-}
-impl<C: Curve> Hram<C> for TestHram<C> {
-  #[allow(non_snake_case)]
-  fn hram(R: &C::G, A: &C::G, m: &[u8]) -> C::F {
-    C::hash_to_F(b"challenge", &[R.to_bytes().as_ref(), A.to_bytes().as_ref(), m].concat())
-  }
-}
-
-fn sign<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  let keys = key_gen::<_, C>(&mut *rng);
-  sign_core(rng, &keys);
-}
-
-fn sign_with_offset<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  let mut keys = key_gen::<_, C>(&mut *rng);
-  let group_key = keys[&1].group_key();
-
-  let offset = C::hash_to_F(b"FROST Test sign_with_offset", b"offset");
-  for i in 1 ..= u16::try_from(keys.len()).unwrap() {
-    keys.insert(i, keys[&i].offset(offset));
-  }
-  let offset_key = group_key + (C::generator() * offset);
-  assert_eq!(keys[&1].group_key(), offset_key);
-
-  sign_core(rng, &keys);
-}
-
-pub fn test_schnorr<R: RngCore + CryptoRng, C: Curve>(rng: &mut R) {
-  // Test Schnorr signatures work as expected
-  // This is a bit unnecessary, as they should for any valid curve, yet this establishes sanity
-  core_sign::<_, C>(rng);
-  core_verify::<_, C>(rng);
-  core_batch_verify::<_, C>(rng);
-
-  // Test Schnorr signatures under FROST
-  sign::<_, C>(rng);
-  sign_with_offset::<_, C>(rng);
-}

crypto/frost/src/tests/vectors.rs

@@ -6,17 +6,17 @@ use rand_core::{RngCore, CryptoRng};
 
 use group::{ff::PrimeField, GroupEncoding};
 
+use dkg::tests::{test_ciphersuite as test_dkg};
+
 use crate::{
   curve::Curve,
-  FrostCore, FrostKeys,
+  ThresholdCore, ThresholdKeys,
   algorithm::{Schnorr, Hram},
   sign::{
     Nonce, GeneratorCommitments, NonceCommitments, Commitments, Writable, Preprocess,
     PreprocessData, SignMachine, SignatureMachine, AlgorithmMachine,
   },
-  tests::{
-    clone_without, curve::test_curve, schnorr::test_schnorr, promote::test_promotion, recover,
-  },
+  tests::{clone_without, recover_key, curve::test_curve},
 };
 
 pub struct Vectors {
@@ -76,8 +76,8 @@ impl From<serde_json::Value> for Vectors {
   }
 }
 
-// Load these vectors into FrostKeys using a custom serialization it'll deserialize
-fn vectors_to_multisig_keys<C: Curve>(vectors: &Vectors) -> HashMap<u16, FrostKeys<C>> {
+// Load these vectors into ThresholdKeys using a custom serialization it'll deserialize
+fn vectors_to_multisig_keys<C: Curve>(vectors: &Vectors) -> HashMap<u16, ThresholdKeys<C>> {
   let shares = vectors
     .shares
     .iter()
@@ -87,7 +87,7 @@ fn vectors_to_multisig_keys<C: Curve>(vectors: &Vectors) -> HashMap<u16, FrostKe
 
   let mut keys = HashMap::new();
   for i in 1 ..= u16::try_from(shares.len()).unwrap() {
-    // Manually re-implement the serialization for FrostCore to import this data
+    // Manually re-implement the serialization for ThresholdCore to import this data
     let mut serialized = vec![];
     serialized.extend(u32::try_from(C::ID.len()).unwrap().to_be_bytes());
     serialized.extend(C::ID);
@@ -99,13 +99,13 @@ fn vectors_to_multisig_keys<C: Curve>(vectors: &Vectors) -> HashMap<u16, FrostKe
       serialized.extend(share.to_bytes().as_ref());
     }
 
-    let these_keys = FrostCore::<C>::deserialize::<&[u8]>(&mut serialized.as_ref()).unwrap();
+    let these_keys = ThresholdCore::<C>::deserialize::<&[u8]>(&mut serialized.as_ref()).unwrap();
     assert_eq!(these_keys.params().t(), vectors.threshold);
     assert_eq!(usize::from(these_keys.params().n()), shares.len());
     assert_eq!(these_keys.params().i(), i);
     assert_eq!(these_keys.secret_share(), shares[usize::from(i - 1)]);
     assert_eq!(hex::encode(these_keys.group_key().to_bytes().as_ref()), vectors.group_key);
-    keys.insert(i, FrostKeys::new(these_keys));
+    keys.insert(i, ThresholdKeys::new(these_keys));
   }
 
   keys
@@ -117,17 +117,18 @@ pub fn test_with_vectors<R: RngCore + CryptoRng, C: Curve, H: Hram<C>>(
 ) {
   // Do basic tests before trying the vectors
   test_curve::<_, C>(&mut *rng);
-  test_schnorr::<_, C>(&mut *rng);
-  test_promotion::<_, C>(rng);
+
+  // Test the DKG
+  test_dkg::<_, C>(&mut *rng);
 
   // Test against the vectors
   let keys = vectors_to_multisig_keys::<C>(&vectors);
   let group_key =
-    C::read_G::<&[u8]>(&mut hex::decode(&vectors.group_key).unwrap().as_ref()).unwrap();
+    <C as Curve>::read_G::<&[u8]>(&mut hex::decode(&vectors.group_key).unwrap().as_ref()).unwrap();
   let secret =
     C::read_F::<&[u8]>(&mut hex::decode(&vectors.group_secret).unwrap().as_ref()).unwrap();
   assert_eq!(C::generator() * secret, group_key);
-  assert_eq!(recover(&keys), secret);
+  assert_eq!(recover_key(&keys), secret);
 
   let mut machines = vec![];
   for i in &vectors.included {