Electricity Carbon Quota Trading Scheme based on Certificateless Signature and Blockchain

The carbon trading market can promote “carbon peaking” and “carbon neutrality” at low cost, but carbon emission quotas face attacks such as data forgery, tampering, counterfeiting, and replay in the electricity trading market. Certificateless signatures are a new cryptographic technology that can address traditional cryptography’s general essential certificate requirements and avoid the problem of crucial escrow based on identity cryptography. However, most certificateless signatures still suffer from various security flaws. We present a secure and efficient certificateless signing scheme by examining the security of existing certificateless signature schemes. To ensure the integrity and verifiability of electricity carbon quota trading, we propose an electricity carbon quota trading scheme based on a certificateless signature and blockchain. Our scheme utilizes certificateless signatures to ensure the validity and nonrepudiation of transactions and adopts blockchain technology to achieve immutability and traceability in electricity carbon quota transactions. In addition, validating electricity carbon quota transactions does not require time-consuming bilinear pairing operations. The results of the analysis indicate that our scheme meets existential unforgeability under adaptive selective message attacks, offers conditional identity privacy protection, resists replay attacks, and demonstrates high computing and communication performance.


Introduction
More than forty percent of all carbon emissions in China are produced by the electric power industry, making it a significant sector.In addition, according to a report by Ember, a UK-based independent climate think tank, carbon emissions from the power industry reached a new peak in 2021, rising by 778 million tons annually.According to research, limiting carbon emissions in the electricity industry is essential for achieving an early carbon emissions peak [1].
Carbon emissions are considered a commodity in carbon trading, which uses a market mechanism to raise the price of carbon emissions to regulate and lower them and to foster low-carbon, sustainable development.Government departments assign carbon emission quotas [2][3][4] to each firm in accordance with predetermined guidelines to attain the objectives of "carbon peaking" and "carbon neutrality".Suppose the actual carbon emissions of an enterprise are higher than the initial quota allocated by the government.If an enterprise's actual carbon emissions exceed the initial quota assigned by the government, the enterprise must acquire the additional quota on the carbon trading market.Using energy-saving and emission-reduction technologies, if an enterprise's actual carbon emissions are lower than the government-allocated quota, it can sell and trade the excess carbon quota to generate revenue.Fig. 1 depicts the carbon quota trading procedure between two businesses.Blockchain technology has the characteristics of immutability and transaction traceability, providing technical support for the realization of secure and trusted carbon quota trading.Zhang et al. [5] established a carbon quota trading model with blockchain technology to ensure the fairness of carbon quota allocation.Zhu et al. [6] proposed a multi-energy primary energy storage optimization configuration model based on blockchain to improve energy self-sufficiency.Ji et al. [7] designed an electricity carbon rights trading mechanism based on an alliance chain to improve the market returns of all participants.Yuan et al. [8] used blockchain technology to build a carbon emission data-sharing platform to realize the traceability and sharing of carbon trading.However, these schemes still suffered from complex key management and low transaction efficiency.
Certificateless signatures maintain the advantages of identity-based cryptographic systems without vital public certificates and can ensure the integrity, identity authentication, and nonrepudiation of carbon quota trading.Electricity carbon quota trading scheme based on certificateless signature and blockchain offers several advantages: Efficiency: Traditional carbon quota trading requires the involvement of government regulatory bodies for verification and approval, which is time-consuming and costly.However, Certificateless signature and blockchain-based scheme eliminates the need for certificate verification and enables fast, automated transaction verification and settlement, reducing intermediaries and increasing transaction efficiency.

Security:
The scheme based on certificateless signature uses digital signatures to verify information authenticity, while blockchain technology ensures the immutability of transaction records, guaranteeing transaction safety and reliability.

Decentralization:
The blockchain-based scheme does not require a centralized platform as an intermediary; all transactions are recorded on the blockchain, enhancing transaction transparency and traceability while removing intermediaries.
Compared to traditional schemes, the proposed Electricity Carbon Quota Trading Scheme based on Certificateless Signature and Blockchain has the following advantages: 1. Traditional schemes rely on third-party certificate authorities for identity verification, adding extra time and expense.But the certificateless public key cryptography-based scheme is decentralized and does not require certificate verification, thus enabling faster transactions.
2. The use of digital signature verification ensures transactional authenticity and integrity, while blockchain technology enforces immutability, guaranteeing transaction safety and reliability.
3. Traditional schemes require businesses to purchase a fixed number of carbon quotas.By contrast, the certificateless signature and blockchain-based scheme allow for instantaneous carbon quota trading, making it more flexible.4. Traditional schemes require payment of multiple types of fees and costs, while the certificateless signature and blockchain-based solution can reduce transaction costs.
In conclusion, the electricity carbon quota trading scheme based on certificateless signature and blockchain provides greater efficiency, security, and decentralization compared to traditional schemes.Researchers have presented several certificateless signature techniques [9][10][11] in recent years.The user's private key is divided into two pieces for the certificateless signature: a secret value chosen randomly by the user and a partial private key derived by the semi-trusted key generation center (KGC).For the security of certificateless signature schemes, attackers are divided into two categories: one is the attacker that imitates malicious users, usually known as the first type of attacker A1.It can launch public key replacement attacks and mastering user secret values but is unaware of KGC's master key.The KGC attacker is an additional type of attacker that mimics malicious attacks.It is usually called the second type of attacker A2.It has access to the master key of the KGC, but it is prohibited from launching public key replacement attacks and cannot determine the user's secret value.Mei et al. [12] suggested a certificateless signature scheme that enables conditional privacy protection; however, signature verification efficiency might be improved.Deng et al. [13] proposed a new certificateless signature scheme, but it could not resist replay attacks and did not consider anonymity.To solve these problems, Wang et al. [14] proposed an undocumented signature scheme that supports anonymity and traceability (referred to as Wang et al.'s scheme).Wang et al. [15] have presented a novel blockchain-based smart car carbon emission cap-and-trade system.The proposed system employs a dual-chain architecture, wherein the data chain is utilized to chronicle the data collated from automobiles to guarantee the dependability of the data, thereby ensuring correctness of the carbon emission calculation outcomes.Luo et al. [16] have proposed a carbon quota trading scheme for power generation based on blockchain technology, which integrates lightweight certificateless signature technology and smart contracts to realize an automated carbon quota trading mechanism.However, we find that Wang et al.'s scheme has security defects and cannot resist signature forgery attacks launched by two types of attackers.
Our contributions: To ensure the integrity and identity authentication of electricity carbon quota trading, we propose a scheme of electricity carbon quota trading based on the blockchain and certificateless signatures.The main work is as follows: (1) We evaluate the security of Wang et al.'s scheme and present two types of forgery attacks.
(2) Aiming at the security defects of Wang et al.'s scheme, we propose an improved certificateless signature scheme.
(3) We suggest an improved signature method and blockchain technology-based trading scheme to make electric carbon quota trading tamper-proof and traceable.
(4) A security study demonstrates that our scheme has low computing and communication costs, provides anonymity and traceability of power enterprise identification, and can withstand forgery and replay attacks.

Preparatory Knowledge
Let p and q be two large prime numbers, G 1 and G 2 be two cyclic groups of order q, G be a cyclic group of order p, and P and P be generators of G and G 1 , respectively.
(3) Validity: There is an effective algorithm to calculate e (aP, bP).
(q, G 1 , G 2 , e, P) satisfying the above conditions is usually called a bilinear group [14].

Definition 1
The CDH hypothesis is said to be valid if there is no polynomial-time algorithm that can solve the CDH issue with a nonnegligible probability [8].
Discrete Logarithms (DL) Problem: Given a tuple P, Pz ∈ G 2 and calculate z ∈ Z * p .Definition 2 The DL hypothesis is said to be true if there is no polynomial-time algorithm that can solve the DL problem with a nonnegligible probability [11].

Security Model
The central objective of our security model is to comprehensively address the security challenges related to carbon emission quotas in the electricity trading market.Specifically, the proposed model strives to prevent various types of malicious attacks, such as data falsification, tampering, forgery, and replay attacks.
To overcome the limitations imposed by traditional cryptography's reliance on fundamental certification requirements and avoid critical custody issues based on identity-based cryptography, a certificate-free signature scheme has been proposed as a feasible solution.The proposed certificatefree signature scheme is highly secure and efficient, aimed at ensuring the validity and non-repudiation of all transactions involved in carbon emission quota trading.In addition, blockchain technology has been deployed to achieve the immutability and traceability of all power carbon quota transactions.This scheme provides conditional identity privacy protection, enhances defense against replay attacks, and has high computational and communication performance.
In response to the security vulnerabilities of Wang et al.'s scheme, we propose the security model for our scheme and divide the adversaries of the certificate-free signing scheme into two categories: A 1 and A 2 .
A 1 : These are adversaries who launch forged attacks against malicious users.They can select a target user with a pseudonym PID * 1 , obtain their secret value x * 1 and public key PK * 1 = X * 1 , R * 1 , and attempt to obtain a legal signature for any message of the target user through a series of forged attacks, as described in detail in the following text.
A 2 : These are adversaries who launch forged attacks against malicious KGCs.As malicious KGCs, they not only know the main secret key of KGC and partial private key d * 2 of users but also can modify system parameters.They can first select a target user for the attack, obtain their pseudonym PID * 2 and public key PK * 2 = X * 2 , R * 2 , and then attempt to forge a legal signature for any message of the target user through a series of forged attacks, as described in detail in the following text.

Security Analysis of Wang et al.'s Scheme
This section focuses mostly on reviewing the certificateless signature scheme proposed by Wang et al. [14], analyzing its security, and presenting the related enhancement scheme.

Wang et al.'s Scheme Description
The certificateless signature of Wang et al.'s scheme consists of the six methods listed below: (1) System establishment: Given a security parameter ζ , the KGC generates system parameters and master keys using the following procedures. 1 Select bilinear groups (q, G 1 , G 2 , e, P) and Q ∈ G 1 .
2 Select random number s, k ∈ Z * q as the master key and then calculate P pub = sP. 3Select three hash functions (2) Pseudonym generation: The user whose real identity is ID i selects a random number t i ∈ Z * q , calculates T i = t i P, and secretly sends (ID i , T i ) to the KGC.
After receiving (ID i , T i ), the KGC verifies the correctness of ID i , computes PID i = ID i ⊕ H 1 (kP + T i ) using the master key k, and finally sends the user the pseudonym PID i .
(3) Generation of partial private keys: The KGC generates partial private keys for users with the alias PID i using the following methods: 1 Select a random number r i ∈ Z * q and then calculate R i = r i P. 2 Calculate 3 Calculate partial private key d i = r i + k i s mod q. 4 Send (d i , R i ) to the user through the secure channel.
(4) Public/private key generation: After receiving (d i , R i ) from KGC, the user using pseudonym PID i chooses a random number x i ∈ Z * q , computes X i = x i P, and establishes public key PK i = (X i , R i ) and private key SK i = (x i , d i ).
(5) Signature generation: For message m i , the user with pseudonym PID i generates the signature of m i . 1 Randomly select u i ∈ Z * q , and calculate U i = u i P and V i = u i Q. 2 Select a timestamp TS i and calculate ) Signature verification: The verifier goes through the following motions to ensure that m i TS i 's signature on 1 Check the freshness of TS i .If TS i is within the effective time, perform the following operation 2 ; otherwise, terminate the operation. 2Calculate The verifier accepts the signature if the aforementioned equation is true; otherwise, σ i is rejected.
The relevant process of the Wang et al.'s scheme is shown in Fig. 2.

Forgery Attack of Wang et al.'s Scheme
Here are the specific steps for the two forgery attacks that Wang et al.'s scheme cannot resist.
(1) Forgery attack by malicious users: Let A 1 be the first type of attacker targeting Wang et al.'s scheme.A 1 selects a target user with pseudonym PID * 1 and obtains its secret value x * 1 and public key Through the subsequent attack methods, A 1 can falsify the target user's actual signature on any message. 1 1 and timestamp TS * 1 at random and calculate The following verifies the legitimacy of A 1 's forged signature σ * 1 : The given reasoning demonstrates that σ * 1 satisfies Wang et al.'s signature verification equation.In the above attack, A 1 does not know the master key of the KGC.Therefore, A 1 's assault based on forgery is successful.Wang et al.'s scheme is not secure against the first type of forgery attacker A 1 .
(2) Forgery attack of malicious KGC: Let A 2 be the second type of attacker against Wang et al.'s scheme.A 2 selects a target user and obtains its pseudonym PID * 2 and public key PK * 2 = X * 2 , R * 2 .Because A 2 is a malicious KGC, it not only knows the KGC's master key and part of the user's private key d * 2 but can also modify system parameters.A 2 can fake the valid signature of the target user for any information via the following attack techniques: The following verifies the legitimacy of the signature forged by A 2 :

Improved Certificateless Signature Scheme
To address the security flaws of Wang et al.'s scheme, we provide an enhanced certificateless signing scheme below.The cyclic group of the elliptic curve is chosen to improve the communication performance of the updated scheme.The specific description is as follows: (1) System establishment: The KGC performs the following actions to produce system parameters and master keys based on security parameter ζ : 1 Select an elliptic curve cyclic group G of prime p and a generator P of G. 2 Select a random number s, k ∈ Z * p as the master key and then calculate P pub = sP. 3Select four hash functions: q , H 4 : Z * q × G 1 → Z * q . 4Expose system parameter params = q, G 1 , G 2 , e, P, P pub , H 1 , H 2 , H 3 , H 4 .
(2) Kana generation: This algorithm is the same as Wang et al.'s scheme.
(3) Partial private key generation: This algorithm is the same as Wang et al.'s scheme, but the only difference is that the value of k i is (4) Public/private key generation: This algorithm is the same as Wang et al.'s scheme.
(5) Signature generation: For message m i , the user with pseudonym PID i generates m i 's signature. 1Randomly select u i ∈ Z * p and then calculate U i = u i P. 2 Select a timestamp TS i and calculate 3 Calculate w i = u i + h i x i + l i d i mod p. 4 Output signature σ i = (U i , w i ) of m i TS i .(6) Signature verification: The verifier performs the following steps to check the validity of m i TS i 's signature σ i = (U i , w i ).
1 Check the freshness of TS i .If TS i is within the valid time, perform the following operation 2 ; otherwise, terminate the operation. 2Calculate If the above formula is true, the verifier accepts the signature; otherwise, it rejects σ i .
The related process of the Improved certificateless signature scheme is shown in Fig. 3.
is the input value of k i ; and in l i = H 4 h i , P pub , h i , P pub is the input value of l i .In addition, w i binds the hash function to the secret value and partial private key.Based on the unidirectional and anti-collision properties of the hash function, the attacker cannot forge valid signatures by modifying system parameters and replacing public keys.Consequently, the modified scheme is resistant to the two types of forgery attacks outlined in Section 3.2.

Electricity Carbon Quota Trading Scheme Based on Certificateless Signature and Blockchain
Based on the improved certificateless signing scheme and blockchain technology presented in Section 3.3, we propose and analyze a secure and effective power carbon quota trading scheme.

System Model
The carbon quota trading model proposed in this paper is shown in Fig. 4, including six participants: the environmental protection management department (EPMD), quota seller enterprise (QSE), blockchain network (BN), quota buyer enterprise (QBE), audit department (AD), and distributed storage hash table (DSHT).(2) QSE: Power enterprises with surplus carbon quotas sign the carbon quota to be sold and then publish it to the blockchain network for trading.
(3) BN: This network is mainly accountable for processing the storage and transaction requests of power carbon quota transactions and validating transaction legitimacy.
(4) QBE: Power enterprises with insufficient carbon quotas purchase carbon quotas through the blockchain network and pay transaction costs to the seller enterprises.
(5) AD: Mainly audits electric power enterprise carbon emission quotas and actual carbon emissions and assists the environmental protection management department in resolving transaction disputes.
(6) DSHT: Mainly stores relevant data on electric power enterprises and carbon quota transactions.Essentially, it is a distributed storage space that divides the data into several small pieces, gives them to different clients for storage, and then uses the storage address to read the data.
(4) Quota purchase: When the enterprise with the pseudonym PID j purchases the electricity carbon quota m i,1 , the purchase transaction T j = PID j , PK j , Addr i , θ j is broadcast in the blockchain network, where PID j and PK j are the pseudonym and public key of the buyer's enterprise, and θ j is the prepayment amount.The blockchain node takes PID i , PK i = (X i , R i ) , m i,1 , TS i , σ i from address Addr i of the distributed storage hash table and then performs the following operations.Find the cred KC value of the buyer's enterprise and the seller's enterprise in the enterprise credit pool KC.If c i = 1 or c j = 1 indicates that the credit degree of the buying and selling enterprises does not match and the electricity carbon quota transaction is risky, terminate the operation.
The enterprises of both parties shall go through the relevant carbon quota transfer filing formalities in the environmental protection management department and terminate the carbon quota transaction.
(5) Dispute arbitration: If there is a dispute regarding the electric carbon emission quota m i,1 sold by the seller's enterprise, the audit department shall investigate the power enterprise's actual carbon emissions and carbon quota.If there is any violation in the power enterprise, the audit department will set the credit value of the power enterprise to 1 in the enterprise credit pool KC and submit it to the environmental protection management department for corresponding punishment.The specific interaction between QSE, QBE, EPMD and blockchain is shown in Fig. 5.

Security Authentication
Based on the methods in [10,14], Theorem 1 and Theorem 2 prove that our proposed scheme can resist signature forgery attacks from malicious users and malicious KGCs.
Theorem 1 If the DL hypothesis is true, our scheme is unfakable for the first type of attacker.
Proof: If the first type of attacker C forges a valid signature of our scheme, then the DL problem can be solved by constructing an Algorithm C as the challenger.Given an instance of a DL problem (P, aP), C aims to calculate a ∈ Z * p .(1) System initialization: C sets P pub = aP and then runs the system establishment algorithm to send the generated parameter params to A 1 .
(2) Query: C creates 5 blank initialized tables {L 1 , L 2 , L 3 , L 4 , L u } in response to A 1 s request.Let PID * indicate the pseudonym of the target user. 1 4 H 4 query.When A 1 queries H 4 h i , P pub , if h i , P pub , l i exists in L 4 , C sends l i to A 1 ; Otherwise, select l i ∈ Z * p , store h i , P pub , l i in L 4 and return l i to A 1 . 5Public key query: When A 1 queries PID i 's public key, if (PID i , d i , R i , x i , X i ) exists in L u , C sends (X i , R i ) to A 1 ; Otherwise, C performs the following operations: • If PID i = PID * , C randomly select x i , d i , k i ∈ Z * p , calculate X i = x i P and R i = d i P − k i P pub , and there are (PID i , d i , R i , x i , X i ) and PID i , R i , P pub , k i respectively in L u and L 2 , send (X i , R i ) to A 1 . • Therefore, w * P − wP = l * k * aP − l * kaP, so we can calculate a = w * − w k Nevertheless, the DL problem is difficult to solve in polynomial time, indicating that A 1 's proposed attack is not feasible.Therefore, our scheme can resist signature forging attacks from malicious users.
Theorem 2 If the LD hypothesis is valid, our scheme is unforgeable for the second type of attacker.
The proving procedure for Theorem 2 is comparable to that of Theorem 1.Because the second sort of attacker has access to the KGC's master key, partial private key queries and public key replacement queries are no longer conducted.

Security Analysis
(1) Anonymity: The real identity ID i of the power enterprise and the master key k of the environmental protection management department generate the pseudonym PID i = ID i ⊕ H 1 (kP + T i ) of the power enterprise.If the attacker cannot know k and T i , he cannot calculate ID i from PID i .The master key k is kept secret by the environmental protection management department, but deriving t i from T i = t i P is equivalent to solving the DL problem.Therefore, our scheme satisfies the anonymity of power enterprise identity.
(2) Traceability: When there is a dispute in an enterprise-issued energy carbon quota transaction, the environmental protection management department looks up (ID i , PID i , T i ) in the information table L ID of the power enterprise through PID i in the transaction and calculates ID i = PID i ⊕ H 1 (kP + T i ).If ID i = ID i , the environmental protection management department can determine the real identity ID i of the power enterprise participating in the transaction.Therefore, our scheme satisfies the traceability of power enterprise identity.
(3) Integrity, authenticity, and nonrepudiation: The power carbon quota transaction issued by the enterprise of the seller must be appended with signature σ i = (U i , w i ), and the transaction information T i must be maintained in the blockchain.Theorems 1 and 2 demonstrate that adversaries cannot fabricate valid signatures of our scheme, and blockchain ensures the traceability and tamper-proofness of transaction data.Consequently, our scheme satisfies the integrity, authenticity, and nonrepudiation requirements of electrical carbon quota trading and is capable of withstanding attacks such as forgery, impersonation, and tampering.
(4) Resist replay attack: When the buyer's enterprise purchases the electricity carbon quota, it checks the freshness of the transaction through timestamp TS i .Since TS i is the input value of hash values h i and l i , if the attacker attempts to modify TS i , the signature cannot be verified.Therefore, our scheme can resist replay attacks.

Performance Analysis
Tables 1 and 2 exhibit the performance and function comparisons between our scheme and published schemes [10,11,14].Reference [18] evaluated the operation time of cryptographic operations, where T M = 1.9456 ms, T H = 2.3366 ms, and T P = 15.0738ms.To achieve the same level of security in schemes based on the bilinear group and elliptic curve group, 512-bit prime numbers q and 160-bit prime numbers p are selected, respectively.Table 1 only considers the operations with high computational overhead.T M , T H , and T P are used to represent a dot product operation, hash operation mapped to point and bilinear pair operation, respectively; |p|, |G| and |G 1 | represent the length of an element in Z p , G, and G 1 , respectively.Our scheme is based on a cyclic group of an elliptic curve.and the signature verification phase does not involve time-consuming bilinear pair operations.As seen in Tables 1 and 2, Figs.6, and 7, compared with other schemes [10,11,14], our scheme has the minimum time cost in generating and verifying signatures and the shortest signature length.Our scheme introduces the use of blockchain technology to eliminate intermediaries and improve the efficiency, transparency, and traceability of carbon quota trading in the electricity industry.The experimental environment for building the blockchain is Intel(R) Xeon(R) Gold 6133 2.50 GHz with Ubuntu Server 22.04 LTS 64-bit operating system, and the underlying platform for the blockchain is Hyperledger Fabric.The experiment simulated the generation of 1,000 to 5,000 user data entries, and tested the time it takes to upload the user data to the blockchain and the time it takes to retrieve the data from the blockchain.The specific test results are shown in Figs. 8 and 9.
The test results show that as the amount of user data increases, the upload time slightly increases and the efficiency decreases slightly, but this decrease is within an acceptable range compared to the significant increase in data volume.When retrieving user data, the blockchain needs to run a consensus algorithm to disclose data to the nodes, and the degree of impact on time varies depending on the consensus algorithm used, so the retrieval time is slightly lower than the upload time.We propose an efficient electricity carbon emission quota trading scheme based on an improved certificateless signature scheme and blockchain technology.Ensure the integrity and security of the transaction by signing without the certificate, and using the blockchain to store the transaction data to improve the anti-tampering and traceability of the power carbon quota transaction.
Our scheme provides conditional privacy protection, not only to protect the identity privacy of power enterprises but also to track the real identity of power enterprises that issue disputed transactions.However, our scheme does not consider the confidentiality of transaction data.Therefore, we plan to design a power carbon quota trading scheme based on blockchain and encryption technology in the future.

Figure 1 :
Figure 1: Overview of carbon quota trading

Figure 3 :
Figure 3: Improved certificateless signature scheme In the hash valueh i = H 3 (m i TS i , PID i , U i , PK i ), (U i , PK i ) is the input value of h i ; in k i = H 2 PID i , R i , P pub , R i , P pubis the input value of k i ; and in l i = H 4 h i , P pub , h i , P pub is the input value of l i .In addition, w i binds the hash function to the secret value and partial private key.Based on the unidirectional and anti-collision properties of the hash function, the attacker cannot forge valid signatures by modifying system parameters and replacing public keys.Consequently, the modified scheme is resistant to the two types of forgery attacks outlined in Section 3.2.

1
Check the freshness of TS i .If |TS i − TS 0 | > λ, terminate the operation; otherwise, perform step2 , where TS 0 and λ represent the maximum values of the current timestamp and the effective time, respectively.

Figure 5 :
Figure 5: The interactions between blockchain and entities

Figure 6 :
Figure 6: Comparison of computational overhead

Figure 7 :
Figure 7: Comparison of signature length

Figure 8 :
Figure 8: User data upload time

Figure 9 :
Figure 9: User data return time Q * The given reasoning demonstrates that σ * 2 satisfies Wang et al.'s signature verification equation.However, A 2 does not know the target user's secret value x * 2 in the above attack.Therefore, A 2 's forgery attack is successful.Wang et al.'s scheme is also unsafe for the second type of forgery attacker A 2 .

Table 1 :
Computational performance and signature length comparison √ and × indicate whether the function is satisfied or not.