low memory attacks against 2 round even mansour using the
play

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR - PowerPoint PPT Presentation

Jul 13, 2023 •142 likes •733 views

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

  1. Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gaëtan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23

  2. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Most-Simple permutation-based block cipher. m Original by Even and Mansour, Asiacrypt 91. Single-key by Dunkelman et al. , Eurocrypt 2012. K P K E ( m ) 2 / 23

  3. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Most-Simple permutation-based block cipher. m Original by Even and Mansour, Asiacrypt 91. Single-key by Dunkelman et al. , Eurocrypt 2012. K � n -bit to n -bit public permutation P . secure block cipher E . n -bit secret key K . P K E ( m ) 2 / 23

  4. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Most-Simple permutation-based block cipher. m Original by Even and Mansour, Asiacrypt 91. Single-key by Dunkelman et al. , Eurocrypt 2012. K � n -bit to n -bit public permutation P . secure block cipher E . n -bit secret key K . P D = number of calls to keyed E , Q = number of calls to the public P , 1EM provable security up to DQ ≪ 2 n . K ⇒ Security up to birthday bound 2 n / 2 . = E ( m ) 2 / 23

  5. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. m K P K E ( m ) 3 / 23

  6. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. x ∀ x , y ∈ { 0 , 1 } n , K x ⊕ y = K ⇐ ⇒ P ( y ) ⊕ E ( x ) = K y P P ( y ) K E ( x ) 3 / 23

  7. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. x ∀ x , y ∈ { 0 , 1 } n , K x ⊕ y = K ⇐ ⇒ P ( y ) ⊕ E ( x ) = K y = ⇒ x ⊕ E ( x ) ⊕ y ⊕ P ( y ) = 0 P P ( y ) K E ( x ) 3 / 23

  8. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. x ∀ x , y ∈ { 0 , 1 } n , K x ⊕ y = K ⇐ ⇒ P ( y ) ⊕ E ( x ) = K y = ⇒ x ⊕ E ( x ) ⊕ y ⊕ P ( y ) = 0 P Cryptanalysis via n -bit collision search P ( y ) Let f 0 ( x ) = x ⊕ E ( x ) and f 1 ( y ) = y ⊕ P ( y ). Find a collision between f 0 and f 1 , guess K = x ⊕ y . K = ⇒ No gap between the best proofs and attacks. E ( x ) 3 / 23

  9. Introduction First attack Clamping attacks Low-Data Attack Conclusion 2-Round Even-Mansour 2EM m Extension by Bogdanov et al. , Eurocrypt 2012. Keeps it simple and secure beyond birthday-bound. K P 1 K P 2 K E ( m ) 4 / 23

  10. Introduction First attack Clamping attacks Low-Data Attack Conclusion 2-Round Even-Mansour 2EM m Extension by Bogdanov et al. , Eurocrypt 2012. Keeps it simple and secure beyond birthday-bound. K Provably secure up to 2 2 n / 3 . P 1 Best cryptanalysis time complexity: T = 2 n / n . K P 2 K E ( m ) 4 / 23

  11. Introduction First attack Clamping attacks Low-Data Attack Conclusion 2-Round Even-Mansour 2EM m Extension by Bogdanov et al. , Eurocrypt 2012. Keeps it simple and secure beyond birthday-bound. K Provably secure up to 2 2 n / 3 . P 1 Best cryptanalysis time complexity: T = 2 n / n . K GAP There remains a significant gap between the proof, 2 2 n / 3 , and the P 2 best attacks in T = 2 n / n . K E ( m ) 4 / 23

  12. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Approach Best information theoretic attack trade-off: DQ 2 = 2 2 n . 2EM This matches the proof only in D = Q = 2 2 n / 3 . m Best time complexity cryptanalysis in T = 2 n / n but it uses also a lot of memory and/or online data! K P 1 K P 2 K E ( m ) 5 / 23

  13. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Approach Best information theoretic attack trade-off: DQ 2 = 2 2 n . 2EM This matches the proof only in D = Q = 2 2 n / 3 . x Best time complexity cryptanalysis in T = 2 n / n but it uses also a lot of memory and/or online data! K y In this work, we use the fact that: P 1 ∀ x , y , z ∈ { 0 , 1 } n , P 1 ( y )  K x ⊕ y = K �  z x ⊕ y = K   = K ⇐ ⇒ P 1 ( y ) ⊕ z = K P 1 ( y ) ⊕ z P 2   P 2 ( z ) ⊕ E ( x ) = K  P 2 ( z ) K E ( x ) 5 / 23

  14. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Approach Best information theoretic attack trade-off: DQ 2 = 2 2 n . 2EM This matches the proof only in D = Q = 2 2 n / 3 . x Best time complexity cryptanalysis in T = 2 n / n but it uses also a lot of memory and/or online data! K y In this work, we use the fact that: P 1 ∀ x , y , z ∈ { 0 , 1 } n , P 1 ( y )  K x ⊕ y = K �  z x ⊕ y = K   = K ⇐ ⇒ P 1 ( y ) ⊕ z = K P 1 ( y ) ⊕ z P 2   P 2 ( z ) ⊕ E ( x ) = K  P 2 ( z ) � x ⊕ y ⊕ P 1 ( y ) ⊕ z = 0 K = ⇒ x ⊕ E ( x ) ⊕ ⊕ P 2 ( z ) = 0 y E ( x ) 5 / 23

  15. Introduction First attack Clamping attacks Low-Data Attack Conclusion First result : A Link to the 3-XOR 2EM x  ⊕ y ⊕ P 1 ( y ) ⊕ = 0 x z  K x ⊕ E ( x ) ⊕ y ⊕ P 2 ( z ) = 0 y  P 1 P 1 ( y ) K z P 2 P 2 ( z ) K E ( x ) 6 / 23

  16. Introduction First attack Clamping attacks Low-Data Attack Conclusion First result : A Link to the 3-XOR 2EM x  ⊕ y ⊕ P 1 ( y ) ⊕ = 0 x z  K x ⊕ E ( x ) ⊕ y ⊕ P 2 ( z ) = 0 y  P 1 Cryptanalysis via the 3-XOR Problem with 2 n -bit functions P 1 ( y ) f 0 ( x )= x || x ⊕ E ( x ) K z y f 1 ( y )= y ⊕ P 1 ( y ) || P 2 f 2 ( z )= z || P 2 ( z ) P 2 ( z ) Solve the 3-XOR problem between f 0 , f 1 and f 2 . K Guess K = x ⊕ y . E ( x ) 6 / 23

  17. Introduction First attack Clamping attacks Low-Data Attack Conclusion 3-XOR Problem Definition (Collision problem) Given two functions f 0 , f 1 , find two inputs ( x 0 , x 1 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) = 0. 7 / 23

  18. Introduction First attack Clamping attacks Low-Data Attack Conclusion 3-XOR Problem Definition (Collision problem) Given two functions f 0 , f 1 , find two inputs ( x 0 , x 1 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) = 0. Definition (3-XOR problem) Given three functions f 0 , f 1 , f 2 , find three inputs ( x 0 , x 1 , x 2 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) ⊕ f 2 ( x 2 ) = 0. 7 / 23

  19. Introduction First attack Clamping attacks Low-Data Attack Conclusion 3-XOR Problem Definition (Collision problem) Given two functions f 0 , f 1 , find two inputs ( x 0 , x 1 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) = 0. Definition (3-XOR problem) Given three functions f 0 , f 1 , f 2 , find three inputs ( x 0 , x 1 , x 2 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) ⊕ f 2 ( x 2 ) = 0. Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. 7 / 23

  20. Introduction First attack Clamping attacks Low-Data Attack Conclusion Gap of the 3-XOR Problem Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. Cryptanalysis of n -bit 2EM as a 3-XOR with 2 n -bit elements. 8 / 23

  21. Introduction First attack Clamping attacks Low-Data Attack Conclusion Gap of the 3-XOR Problem Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. Cryptanalysis of n -bit 2EM as a 3-XOR with 2 n -bit elements. Solving Random 3-XOR with 2 n -bit elements Requires | L 0 | · | L 1 | · | L 2 | = 2 2 n so at least one list of size 2 2 n / 3 . | L 0 | = | L 1 | = | L 2 | = 2 2 n / 3 is enough: compute sum of all triples to find a solution. So we have a proof and Information Theoretical attack in 2 2 n / 3 . However best algorithms run in time T = O (2 n / n )... 8 / 23

  22. Introduction First attack Clamping attacks Low-Data Attack Conclusion Gap of the 3-XOR Problem Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. Cryptanalysis of n -bit 2EM as a 3-XOR with 2 n -bit elements. Solving Random 3-XOR with 2 n -bit elements Requires | L 0 | · | L 1 | · | L 2 | = 2 2 n so at least one list of size 2 2 n / 3 . | L 0 | = | L 1 | = | L 2 | = 2 2 n / 3 is enough: compute sum of all triples to find a solution. So we have a proof and Information Theoretical attack in 2 2 n / 3 . However best algorithms run in time T = O (2 n / n )... = ⇒ We found the same gap... again ! 8 / 23

  23. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Strategy 3-XOR solving Two main techniques: Multicollision based [Nikolic&Sasaki15] and Linear algebra based [Joux09]. Roughly same asymptotic time complexity. 9 / 23

Recommend

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick

Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick

Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick Seurin 4 John Steinberger 1 1 Tsinghua University, China 2 University of Versailles, France 3 Sejong University, Korea 4 ANSSI, France August 18, 2014

1.07k views • 88 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory attacks: an ongoing war David

725 views • 44 slides
Exploring the parameter space sntrup761 evaluations from in lattice attacks NTRU Prime: round

Exploring the parameter space sntrup761 evaluations from in lattice attacks NTRU Prime: round

1 2 Exploring the parameter space sntrup761 evaluations from in lattice attacks NTRU Prime: round 2 Table 2: Daniel J. Bernstein Ignoring cost of memory: 368 185 enum, ignoring hybrid Tanja Lange 230 169 enum, including hybrid 153

2k views • 65 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella Ruhr-Universitt Bochum, Germany Inria Paris, France BFA 2017, July 2017 Outline A new condition

442 views • 27 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or horizontal half-planes Round 1 Round 1 Round 1 Round 1 Round 1 h 1 D 2 " 1 =0.30 ! =0.42 1 Round 2 Round 2 Round 2 Round 2 Round

188 views • 5 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&ESAR

ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&ESAR

ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&ESAR 2018- Rennes | CEA Leti | KERROUMI Sanaa | 08/11/18 SOMMAIRE IoT node Related works Problem statement Proposed methodology Results Take out and

752 views • 36 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks

Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks

Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks Author: Ralf-Philipp Weinmann University of Luxembourg WOOT, USENIX, 2012. Presenter: Hyuntae Kim Part 1. Introduction - GSM overview - MS-BTS

1.2k views • 42 slides
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse Elwell 1 Ryan Riley 2 Nael Abu-Ghazaleh 1 Dmitry Ponomarev 1 1 State University of New York at Binghamton Department of Computer Science 2 Qatar

872 views • 76 slides
FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

588 views • 32 slides
New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and

New memory corruption attacks: why can't we have nice things? Mathias Payer (@gannimo) and Nicholas Carlini http://hexhive.github.io (c) Castro Theatre and Spoke Art, 2013 DR. STRANGELOVE DR. STRANGELOVE OR: HOW I LEARNED TO STOP OR: HOW I

549 views • 42 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip

Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip

Funderbolt Adventures in Thunderbolt DMA Attacks Russ Sevinsky A Trip Down Memory Lanes A Trip Down Memory Lanes Background Thunderbolt Apple and Intel External Port PCI Express (PCIe) and DisplayPort using the same port

1.23k views • 57 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides

More recommend