Digital Signature Schemes

and the Random Oracle Model

A. Hülsing

Today‘s goal

PAGE 14-12-2017

Review provable security of “in use”

signature schemes. (PKCS #1 v2.x)

Digital Signature

PAGE 24-12-2017

Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/DSA.jpg

Definition: Digital Signature (formally)

Let 𝓜 be the message space. A digital signature scheme DSig =

(KeyGen, Sign, Verify) is a triple of PPT algorithms

• 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : upon input of a security parameter 𝟏𝒌 outputs a

private signing key 𝒔𝒌 and a public verification key 𝒑𝒌,

• 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : outputs a signature 𝛔 under 𝒔𝒌 for message 𝑴,

if𝑴 ∈𝓜,

• 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : outputs 1 iff 𝛔 is a valid signature on

𝑴 under 𝒑𝒌,

such that the following correctness condition is fulfilled:

∀ 𝒑𝒌, 𝒔𝒌 ← 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 , ∀ 𝑴 ∈ 𝓜 :

𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 = 𝟏.

PAGE 34-12-2017

Attack goals

Consider adversary 𝑨

• Full break (FB): 𝐴 can compute the secret key.

• Universal forgery (UU): 𝐴 can forge a signature for any

given message. 𝐴 can efficiently answer any signing

query.

• Selective forgery (SU): 𝐴 can forge a signature for

some message of its choice. In this case 𝐴 commits itself

to a message before the attack starts.

• Existential forgery (EU): 𝐴 can forge a signature for

one, arbitrary message. 𝐴 might output a forgery for any

message for which it did not learn the signature from an

oracle during the attack.

PAGE 44-12-2017

Attack Models

• Key-only attack (KOA): 𝐴 only gets the public key for

which it has to forge a signature.

• Random message attack (RMA): 𝐴 learns the public

key and the signatures on a set of random messages.

• Adaptively chosen message attack (CMA): 𝐴 learns

the public key and is allowed to adaptively ask for the

signatures on messages of its choice.

PAGE 54-12-2017

Existential unforgeability under adaptive

chosen message attacks

PAGE 64-12-2017

PK, 1n

SIGN

SK

Mi

(σi, Mi)

(σ*, M*) Success if M* ≠ Mi , Ɐ i ∈ [0, q] and

Verify(pk,σ*,M*) = Accept

𝑞𝑠

Reduction

PAGE 74-12-2017

PK, 1n

Mi

(σi, Mi)

(σ*, M*)

Problem

Solution

Implement

SIGNSIGN

Transform Problem

Extract Solution

𝑞𝑠

Why security reductions?

• Current RSA signature standards so far unbroken

• Vulnerabilities might exist! (And existed for previous

proposals)

• Might be possible to forge RSA signatures without

solving RSA problem or factoring!

PAGE 84-12-2017

What could possibly

go wrong?

PAGE 94-12-2017

RSA

Let (𝐍, 𝐞, 𝐝) ⟵ 𝐆𝐞𝐧𝐑𝐒𝐀(𝟏𝒌) be a PPT algorithm that

outputs a modulus 𝑵 that is the product of two 𝒌-bit primes

(except possibly with negligible probability), along with an

integer 𝒆 > 𝟎 with 𝐠𝐜𝐝(𝒆,𝝓(𝑵)) = 𝟏 and an integer 𝒅 > 𝟎satisfying 𝒆𝒅 = 𝟏𝐦𝐨𝐝 𝝓 𝑵 .

For any (𝐍, 𝐞, 𝐝) ⟵ 𝐆𝐞𝐧𝐑𝐒𝐀(𝟏𝒌) and any 𝒚 ∈ ℤ𝑵∗ we have

(𝒚𝒅)𝒆= 𝒚𝒅𝒆 = 𝒚𝒅𝒆𝐦𝐨𝐝 𝝓 𝑵 = 𝒚𝟏 = 𝒚𝐦𝐨𝐝 𝑵

PAGE 104-12-2017

RSA Assumption

Definition 1. We say that the RSA problem is hard relative

to 𝐆𝐞𝐧𝐑𝐒𝐀 if for all PPT algorithms A, the following is

negligible:

𝑷𝒓[(𝑵, 𝒆, 𝒅) ← 𝐆𝐞𝐧𝐑𝐒𝐀(𝟏𝒌); 𝒚 ← ℤ𝑵∗ ;

𝒙 ← 𝑨(𝑵, 𝒆, 𝒚): 𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵].

PAGE 114-12-2017

A simple RSA Signature (a.k.a. textbook RSA)

𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : Run 𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 .

Return (𝒑𝒌, 𝒔𝒌) with 𝒑𝒌 = 𝑵, 𝒆 , 𝒔𝒌 = 𝒅.

𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Return 𝛔 = (𝑴𝑑 𝐦𝐨𝐝 𝑵)

𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : Return 1 iff 𝝈𝒆𝐦𝐨𝐝 𝑵 == 𝑴

PAGE 124-12-2017

Some RSA properties

• Public function:

𝑷 𝒙 = 𝒙𝒆 mod 𝑵

• Secret function:

𝑺 𝒙 = 𝒙𝒅 mod 𝑵

• Reciprocal property (RP):

𝑷 ∘ 𝑺 = 𝑺 ∘ 𝑷 = 𝑰𝒅

• Multiplicative property (MP):

∀𝒙, 𝒚 ∈ ℤ𝑵: 𝑺 𝒙𝒚 = 𝑺 𝒙 𝑺(𝒚)

PAGE 134-12-2017

Existential forgery under KOA

Given public key 𝒑𝒌 = 𝑵, 𝒆

• Choose random 𝝈 ∈ ℤ𝑵.

• Apply public function:

𝑷 𝝈 = 𝝈𝒆𝐦𝐨𝐝 𝑵 = 𝑴

• Return signature-message pair 𝝈,𝑴 .

PAGE 144-12-2017

Universal forgery under CMA

Given public key 𝒑𝒌 = 𝑵, 𝒆

To create a forgery on a given message 𝑴:

1. Choose two messages 𝐱, 𝐲 ∈ ℤ𝑵 such that

𝒙𝒚 = 𝑴𝐦𝐨𝐝 𝑵

2. Ask for signatures 𝝈𝒙 of 𝒙 and 𝝈𝒚 of 𝒚

3. Output forgery (𝝈𝒙𝝈𝒚,𝑴)

PAGE 154-12-2017

Universal forgery under CMA:

The Blinding Attack

Given public key 𝒑𝒌 = 𝑵, 𝒆

To create a forgery on any given message 𝑴:

1. Sample random 𝒓 ∈ ℤ𝑵∗

2. Ask for signature 𝝈 on 𝒓𝒆𝑴𝐦𝐨𝐝 𝑵

3. Output forgery 𝝈

𝒓𝐦𝐨𝐝 𝑵,𝑴

Recall 𝝈 = (𝒓𝒆𝑴)𝒅= 𝒓𝒆𝒅𝑴𝒅 = 𝒓𝑴𝒅𝐦𝐨𝐝 𝑵

Hence𝝈

𝒓= 𝑴𝒅𝐦𝐨𝐝 𝑵

PAGE 164-12-2017

A slightly better RSA Signature

Assume Hashfunction 𝑯: {𝟎, 𝟏}∗→ {𝟎, 𝟏}𝒏 for e.g. 𝒏 = 𝟏𝟔𝟎(like with SHA1)

𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : Run 𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 .

Return (𝒑𝒌, 𝒔𝒌) with 𝒑𝒌 = 𝑵, 𝒆 , 𝒔𝒌 = 𝒅.

𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Pad with suff. zeros that

𝛍 𝑴 = (𝟎…𝟎||𝑯 𝑴 ) ∈ ℤ𝑵∗

Return 𝛔 = 𝛍 𝑴 𝑑 𝐦𝐨𝐝 𝑵

𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : Return 1 iff

𝝈𝒆𝐦𝐨𝐝 𝑵 == 𝛍 𝑴 = (𝟎…𝟎||𝑯 𝑴 )

PAGE 174-12-2017

B-smooth

B-smooth: An integer is B-smooth if all its prime factors

are smaller than B.

PAGE 184-12-2017

Remember Index Calculus?

Given public key 𝒑𝒌 = 𝑵, 𝒆

1. Select a bound 𝒚 and let 𝑺 = (𝒑𝟏, . . . , 𝒑𝒍) be the list of

primes smaller than 𝒚.

2. Find at least 𝒍 + 𝟏 messages 𝑴𝒊 such that each

𝛍 𝑴𝒊 = (𝟎…𝟎||𝑯 𝑴𝒊 ) is a product of primes in 𝑺 (i.e.

𝒚–smooth).

3. Express one 𝛍 𝑴𝒋 as a multiplicative combination of

the other 𝛍 𝑴𝒊 by solving a linear system given by the

exponent vectors of the 𝛍 𝑴𝒊 with respect to the

primes in 𝑺.

4. Ask for the signatures on all 𝑴𝒊, 𝒊 ≠ 𝒋 and forge

signature on 𝑴𝒋.

PAGE 194-12-2017

Step 3

Recall 𝛍 𝑴𝒊 = (𝟎…𝟎||𝑯 𝑴𝒊 )

1. We can write ∀𝑴𝒊, 𝟏 ≤ 𝒊 ≤ 𝝉: 𝛍 𝑴𝒊 = 𝒋=𝟏𝒍 𝒑𝒋𝒗𝒊,𝒋

2. Associate with 𝛍 𝑴𝒊 length 𝒍 vector

𝑽𝒊 𝒗𝒊,𝟏𝐦𝐨𝐝 𝒆,… , 𝒗𝒊,𝒍𝐦𝐨𝐝 𝒆

3. 𝝉 ≥ 𝒍 + 1 and there are only 𝒍 linearly independent

length 𝒍 vectors: We can express one vector as

combination of others mod e. Let this be

𝑽𝝉 = 𝒊=𝟏𝝉−𝟏𝜷𝒊𝑽𝒊 + 𝒆𝚪 ; for some 𝚪 = (𝜸𝟏, … , 𝜸𝒍)

4. Hence,

𝛍 𝑴𝝉 = (

𝒋=𝟏

𝒍

𝒑𝒋𝜸𝒋)𝒆

𝒊=𝟏

𝝉−𝟏

𝛍 𝑴𝒊𝜷𝒊

PAGE 204-12-2017

Step 4

1. Ask for signatures 𝝈𝒊 = 𝛍 𝑴𝒊𝒅𝐦𝐨𝐝 𝑵

on 𝑴𝒊 for 𝟏 ≤ 𝒊 < 𝝉

2. Compute:

𝝈 ∗ = 𝛍 𝑴𝝉𝒅 =

𝒋=𝟏

𝒍

𝒑𝒋𝜸𝒋

𝒊=𝟏

𝝉−𝟏

𝛍 𝑴𝒊𝒅 𝜷𝒊𝐦𝐨𝐝 𝑵

3. Output forgery (𝝈 ∗,𝑴𝝉)

PAGE 214-12-2017

Summing up

• Original attack (Misarsky, PKC’98) works even for more

complicated paddings (ISO/IEC 9796-2)

• Attack only works for small 𝒏! (Complexity depends on 𝒍and probability that an 𝒏-bit number is 𝒚-smooth).

• But using SHA-1 (𝒏 = 𝟏𝟔𝟎) the attack takes much less

than 𝟐𝟓𝟎 operations!

There are many ways to make mistakes...

(Similar attacks apply to encryption!)

That‘s why we want security reductions

PAGE 224-12-2017

The Random Oracle Model

PAGE 234-12-2017

Standard model vs. idealized model

Standard model:

Assume building block has property P (e.g., collision

resistance). Use property in reduction.

Idealized model:

Assume a building block behaves perfectly (e.g. hash

function behaves like truely random function). Replace

building block by an oracle in reduction.

PAGE 244-12-2017

Reduction

PAGE 254-12-2017

PK, 1n

Mi

(σi, Mi)

(σ*, M*)

Problem

Solution

Implement

SIGNSIGN

Transform Problem

Extract Solution

𝑞𝑠

Random Oracle Model (ROM)

• Idealized Model

• Perfectly Random Function

PAGE 264-12-2017

Mj

Mj

H(Mj)

H(Mj)

RO

How to implement RO? (In theory)

”Lazy Sampling”:

• Keep list of (𝒙𝒊, 𝒚𝒊)

• Given 𝑴𝒋, search for 𝒙𝒊 = 𝑴𝒋

• If 𝒙𝒊 = 𝑴𝒋 exists, return 𝒚𝒊• Else sample new 𝒚 from Domain,

using uniform distribution

• Add (𝑴𝒋, 𝒚) to table

• Return 𝒚

PAGE 274-12-2017

RO

ROM security

• Take scheme that uses cryptographic hash

• For proof, replace hash by RO

• Different flavors:

Random function vs. Programmable RO

Heuristic security argument

Allows to verify construction

Worked for ”Natural schemes” so far

However: Artificial counter examples exist!

PAGE 284-12-2017

Full Domain Hash

Signature Scheme

PAGE 294-12-2017

Trapdoor (One-way) Permutation

PAGE 304-12-2017

𝑭 𝒑𝒌, 𝒙 = 𝝅(𝒙)

𝑭 𝒔𝒌, 𝒚 = 𝝅−𝟏(𝒚)

Computing 𝝅−𝟏(𝒚)without knowledge of sk

computationally hard

RSA Trapdoor (One-way) Permutation

PAGE 314-12-2017

𝑭 𝒑𝒌, 𝒙 = 𝒙𝒆𝒎𝒐𝒅 𝑵

𝑭 𝒔𝒌, 𝒚 = 𝒚𝒅𝒎𝒐𝒅 𝑵

Computing 𝝅−𝟏(𝒚)without knowledge of sk

computationally hard if

RSA Assumption holds

𝒑𝒌 = 𝑵, 𝒆 ; 𝒔𝒌 = 𝒅𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 ;

Generic FDH: Sign

PAGE 324-12-2017

𝝈 = 𝑭 𝒔𝒌, 𝒚 = 𝝅−𝟏(𝒚)

M𝒚 = 𝑯(𝑴)

𝝈 = 𝑺𝒊𝒈𝒏 𝒔𝒌,𝑴= 𝝅−𝟏(𝑯 𝑴 )= 𝑭(𝒔𝒌,𝑯 𝑴 )

Generic FDH: Verify

PAGE 334-12-2017

M𝒚 = 𝑯(𝑴)

𝑽𝒆𝒓𝒊𝒇𝒚 𝒑𝒌,𝑴, 𝝈 :check 𝒚 = 𝑯 𝑴 == 𝝅 𝝈 = 𝑭 𝒑𝒌, 𝝈 = 𝒚′

𝒚′ = 𝑭 𝒑𝒌, 𝝈 = 𝝅(𝝈)

RSA-PFDH

• Randomized FDH

• Simplified RSA-PSS

• Standardized in PKCS #1 v2

(slightly different randomization)

• Tight Reduction from RSA Assumption in ROM

PAGE 344-12-2017

RSA-PFDH

Assume Hashfunction 𝑯: {𝟎, 𝟏}∗→ ℤ𝑵∗

𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : Run 𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 .

Return (𝒑𝒌, 𝒔𝒌) with 𝒑𝒌 = 𝑵, 𝒆 , 𝒔𝒌 = 𝒅.

𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Sample 𝒓←$𝑼𝜿; Compute 𝐲 = 𝑯(𝒓||𝑴)

Return 𝛔 = (𝒓, 𝒚𝑑 𝐦𝐨𝐝 𝑵)

𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : Return 1 iff 𝝈𝒆𝐦𝐨𝐝 𝑵 == 𝑯(𝒓||𝑴)

PAGE 354-12-2017

RSA-PFDH Security

If the RSA Assumption holds, RSA-PFDH is

existentially unforgeable under adaptive chosen

message attacks in the ROM.

PAGE 364-12-2017

Proof

TODO:

Show that any forger A against RSA-PFDH can be used to

break the RSA Assumption with approx. the same time and

success probability.

”Given a forger A against RSA-PFDH with success

probability 𝜺, we construct an oracle Machine MA that

succeeds with probability 𝜺/𝟒.”

PAGE 374-12-2017

Reduction

PAGE 384-12-2017

pk, 1n

Mi

(σi, Mi)

(σ*, M*)

Implement

SIGNSIGN

Transform Problem

Extract Solution

Mj

H(Mj)

RO

𝑵, 𝒆, 𝒚

𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵

Reduction: Transform Problem

PAGE 394-12-2017

pk, 1n

Mi

(σi, Mi)

(σ*, M*)

Implement

SIGNSIGN

Transform Problem

Extract Solution

Mj

H(Mj)

RO

𝑵, 𝒆, 𝒚

𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵

𝒑𝒌 = (𝑵, 𝒆)

𝑵, 𝒆, 𝒚

The RO trick

Simulate RO such that you can answer SIGN-queries.

PAGE 404-12-2017

Reduction: Implement SIGN

PAGE 414-12-2017

pk, 1n

Mi

(σi, Mi)

(σ*, M*)

Implement

SIGNSIGN

Transform Problem

Extract Solution

Mj

H(Mj)

RO

𝑵, 𝒆, 𝒚

𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵

𝒑𝒌 = (𝑵, 𝒆)

𝑵, 𝒆, 𝒚

Implement SIGN – Simulate RO

• Keep table of tripples (∗,∗,∗)

• When A asks for 𝑯(𝒓||𝑴):

1. If there is an entry ((𝒓||𝑴), 𝒙, 𝒛) in table, return 𝒛

2. If list 𝑳𝑴 already exists, go to 3. Otherwise, choose 𝒒𝒔values 𝒓𝑴,𝟏, … , 𝒓𝑴,𝒒𝒔 ← {𝟎, 𝟏}

𝜿 and store them in a list 𝑳𝑴.

3. If 𝒓 ∈ 𝑳𝑴 then let 𝒊 be such that 𝒓 = 𝒓𝑴,𝒊. Choose random

𝒙𝑴,𝒊 ∈ ℤ𝑵∗ and return the answer 𝐳 = 𝒙𝑴,𝒊

𝒆𝐦𝐨𝐝 𝑵. Store

(𝒓||𝑴, 𝒙𝑴,𝒊, 𝒛) in the table. (RP)

4. If 𝒓 ∉ 𝑳𝑴, choose random 𝒙 ∈ ℤ𝑵∗ and return the answer

𝒛 = 𝒚𝒙𝒆𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴, 𝒙, 𝒛) in the table.

PAGE 424-12-2017

Implement SIGN

• When A requests some message 𝑴 to be signed for the

𝒊 th time:

• let 𝒓𝑴,𝒊 be the 𝒊 th value in 𝑳𝑴 and

• compute 𝐳 = 𝐇(𝒓𝑴,𝒊||𝑴) using RO.

• Let (𝒓||𝑴, 𝒙𝑴,𝒊, 𝒛) be the corresponding entry in the RO

table.

• Output signature (𝒓𝑴,𝒊, 𝒙𝑴,𝒊).

PAGE 434-12-2017

Observation

• All SIGN queries can be answered!

• SIGN queries are answered using hash

𝐇(𝒓𝑴,𝒊| 𝑴 = 𝐳 = 𝒙𝑴,𝒊𝒆𝐦𝐨𝐝 𝑵

Signature (𝒓𝑴,𝒊, 𝒙𝑴,𝒊) known by programming RO

• All other hash queries are answered with

𝐇(𝒓| 𝑴 = 𝒛 = 𝒚𝒙𝒆𝐦𝐨𝐝 𝑵(with high probability).

Signature not known!

BUT: Allows to extract solution from forgery!

• Note: Any A with non-negl. success probability has to

query RO for digest of forgery message!

PAGE 444-12-2017

Reduction: Extract Solution

PAGE 454-12-2017

pk, 1n

Mi

(σi, Mi)

(σ*, M*)

Implement

SIGNSIGN

Transform Problem

Extract Solution

Mj

H(Mj)

RO

𝑵, 𝒆, 𝒚

𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵

𝒑𝒌 = (𝑵, 𝒆)

𝑵, 𝒆, 𝒚 𝑞𝑠𝑞𝐻

Reduction: Extract Solution

• If A outputs a forgery (𝑴∗, (𝒓∗, 𝝈∗)):

• If 𝒓∗ ∈ 𝑳𝑴∗ abort.

• Else, let (𝒓∗||𝑴∗, 𝒙, 𝒛) be the corresponding entry of the

table.

• Output𝝈∗

𝒙𝐦𝐨𝐝 𝑵.

• Note:

𝝈∗

𝒙

𝒆

=𝝈∗𝒆

𝒙𝒆=𝑯 𝒓∗||𝑴∗

𝒙𝒆=𝒚𝒙𝒆

𝒙𝒆= 𝒚𝐦𝐨𝐝 𝑵

⟹𝝈∗

𝒙= 𝒆 𝒚𝐦𝐨𝐝 𝑵

PAGE 464-12-2017

Analysis

• Transform Problem:

• Succeeds always

• Generates exactly matching distribution

• Implement SIGN / RO:

• Succeeds always (we choose 𝒓)

• Generates exactly matching distribution:

− RO: Outputs are uniform in ℤ𝑵∗

− SIGN: Follows from RO

• Extract Solution:

• Succeeds iff A succeeds AND

• 𝒓∗ ∉ 𝑳𝑴∗ ⇒ 𝐩 = 𝐏𝐫 𝒓∗ ∉ 𝑳𝑴∗ = (𝟏 − 𝟐

−𝜿)𝒒𝒔

Setting 𝜿 = 𝐥𝐨𝐠𝟐 𝒒𝒔: 𝒑 ≥𝟏

𝟒assuming 𝒒𝒔 ≥ 𝟐

PAGE 474-12-2017

What have we shown?

• We can turn any forger A against RSA-PFDH with

success probability 𝜺 into an algorithm MA that solves the

RSA problem with probability 𝜺/𝟒.

• In reverse:

If there exists no algorithm to solve the RSA problem with

probability ≥ 𝜺 then there exists no forger against RSA-

PFDH that succeeds with probability ≥ 𝟒𝜺.

• As proof is in ROM we have to add

”... As long as the used hash function behaves like a RO.”

PAGE 484-12-2017

How to implement RO? (In practice)

Formerly:

• Use hash function + PRG

• E.g. SHA2 in couter mode /

• SHA2-HMAC in counter mode keyed

with SHA2(M)

Today:

• Use XOF

• E.g. SHAKE128

PAGE 494-12-2017

RO

Conclusion

• Ad Hoc constructions problematic

• Blinding / Index Calculus

• Proofs (even in ROM) allow to check construction

• There is one standardized RSA Sig with proof

• Similar situation for DSA (ROM proof)

PAGE 504-12-2017

Thank you!

Questions?

PAGE 514-12-2017