CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING ... · CONSTRUCTIONS SECURE AGAINST...
Transcript of CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING ... · CONSTRUCTIONS SECURE AGAINST...
CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
Dingding Jia, Xianhui Lu, Bao [email protected]
CT-RSA 2017 02-17
Outline
•Background
•Motivation
•Our contribution• Existence: RSO-CCA from RSO-CPA and IND-CCA
• RSO-CPA from IND-CPA
• The construction in [CS02] is RSO-CCA secure
Public Key Encryption with labels (PKE)Key Generator:
𝐾𝑒𝑦𝑔𝑒𝑛 → (𝑝𝑘, 𝑠𝑘)
Sender:𝑐 ← 𝐸𝑛𝑐(𝑝𝑘,𝑚, 𝑙; 𝑟)
Receiver:𝑚 ← 𝐷𝑒𝑐(𝑠𝑘, 𝑐, 𝑙)
pk sk
c
Adversary
(𝑚0, 𝑚1) 𝑐𝑏 = 𝐸𝑛𝑐(𝑝𝑘,𝑚𝑏)
𝑏′
The adversary succeeds if 𝑏′ = 𝑏
One-time unforgeable signature
• The adversary succeeds if 𝑚′, 𝜎′ ≠ (𝑚, 𝜎) and 𝑉𝑒𝑟 𝑣𝑘,𝑚′, 𝜎′ = 1
Key Generator: 𝐾𝑒𝑦𝑔𝑒𝑛 → (𝑣𝑘, 𝑠𝑖𝑔𝑘)
Sender:𝜎 ← 𝑆𝑖𝑔𝑛(𝑆𝑖𝑔𝑘,𝑚)
Receiver:{0,1} ← 𝑉𝑒𝑟 𝑣𝑘,𝑚, 𝜎
sigk vk
𝜎
Adversary
m 𝜎 = 𝑆𝑖𝑔𝑛(𝑠𝑖𝑔𝑘,𝑚)
𝑚′, 𝜎′
Simulation Soundness NIZK
• CRSGen→CRS
• Prover: P(CRS,x,w)→ 𝜋 to prove 𝑥 ∈ 𝐿,w witness
• Verifier: V(CRS,x,𝜋)→{0,1}
CRSGen→CRS
(x,w)
P(CRS,x,w)→ 𝜋Multi-time
CRS←Simu
(x,w)
Simu(CRS,x)→ 𝜋Multi-time
Real world Simulated worldindistinguishable
Adaversary
PKE with Receiver Selective Opening Security
2016-12-14 6
Sender
Receivern
Receiver1
Receiver2
… …
𝑐1 = 𝐸𝑛𝑐(𝑝𝑘1, 𝑚1)
𝑐2 = 𝐸𝑛𝑐(𝑝𝑘2, 𝑚2)
𝑐𝑛 = 𝐸𝑛𝑐(𝑝𝑘𝑛, 𝑚𝑛)
Corrupted, 𝑠𝑘1revealed
Is 𝑚2 protected well?
Corrupted , 𝑠𝑘𝑛revealed
What if the adversary also has access to the decryption oracle?
The formal definition of RSO
𝐾𝑒𝑦𝑔𝑒𝑛 → 𝑝𝑘𝑖 , 𝑠𝑘𝑖 , 𝑏 ∈𝑅 {0,1}
(𝑑𝑖𝑠𝑡𝑗 , 𝑅𝑒𝑑𝑖𝑠𝑡𝑗)
Adversary Challenger
𝑝𝑘𝑖 𝑖∈[𝑛]
𝒄𝟎𝒋
𝒎𝒃𝟏… ,𝒎𝒃𝒍, 𝒔𝒌𝑰
𝐼 ⊂ [𝑛]
𝑏′
𝒎𝟏𝒋 ← 𝑅𝑒𝑑𝑖𝑠𝑡𝑗(𝒎𝟎𝑰),
𝒎𝟎𝒋 = 𝑚1, … ,𝑚𝑛 ← 𝑑𝑖𝑠𝑡,
𝒄𝟎𝒋 = {𝐸𝑛𝑐(𝑝𝑘𝑖 , 𝑚𝑖; 𝑟𝑖)}
𝑨𝒅𝒗 = 2Pr 𝑏′ − 𝑏 − 1
𝑚 = 𝐷𝑒𝑐(𝑠𝑘𝑖 , 𝑐)
Dec Oracle
(𝑐, 𝑖)
multi-time
A simpler Case: single message security
• 𝑨𝒅𝒗 ≤ 𝑙𝐴𝑑𝑣
𝑠𝑒𝑡𝑢𝑝 → 𝑝𝑘𝑖 , 𝑠𝑘𝑖 , 𝑏 ∈𝑅 {0,1}
(dist,Redist)
Adversary Challenger
𝑝𝑘𝑖 𝑖∈[𝑛]
𝒄𝟎
𝒎𝒃, 𝒔𝒌𝑰
𝐼 ⊂ [𝑛]
𝑏′
𝒎𝟏 ← 𝑅𝑒𝑑𝑖𝑠𝑡 (𝒎𝟎𝑰),
𝒎𝟎 = 𝑚1, … ,𝑚𝑛 ← 𝑑𝑖𝑠𝑡,𝒄𝟎 = {𝐸𝑛𝑐(𝑝𝑘𝑖 , 𝑚𝑖; 𝑟𝑖)}
𝐴𝑑𝑣 = 2Pr 𝑏′ − 𝑏 − 1
𝑚 = 𝐷𝑒𝑐(𝑠𝑘𝑖 , 𝑐)
Dec
(𝑐, 𝑖)
Motivation
• RSO-CPA secure constructions• Key simuletabe PKE [HPW15]
• NCER[CHK05,HPW15]
• RSO-CCA secure construction• Not known yet
A World just like the real experiment & embed the problem in the experiment
The challenge
• For RSO case, the simulator should produce a CT satisfying:• With sk, CT and m are bonded
• Without sk, CT computationally hides m
Adversary simulator
Problem solved
Hard solved
problem
Remaining info after decryption queries for CCA case
RSO-CCA from RSO-CPA
• pk=(𝑝𝑘1, 𝑝𝑘2, 𝐶𝑅𝑆),sk=𝑠𝑘1• CT=(𝑣𝑘, 𝑐1, 𝑐2, 𝜋, 𝜎)
• 𝑣𝑘, 𝑠𝑖𝑔𝑘 ← 𝑆. 𝐾𝑒𝑦𝑔𝑒𝑛;
• 𝑐1 ← E1. Enc pk1, m; r1 ; 𝑐2 ← E2. Enc pk2, m, vk; r1 ;
• 𝜋 ← 𝑃. 𝑃 𝐶𝑅𝑆, 𝑐1, 𝑐2, 𝑟1, 𝑟2 ;
• 𝜎 ← 𝑆. 𝑆𝑖𝑔𝑛(𝑠𝑖𝑔𝑘, 𝑐1, 𝑐2, 𝜋)
RSO-CPA
RSO-CCA
IND-CCA NIZK
𝐸1 𝐸2 𝑃
Sig
𝑆
Security: high level idea
• How to open secret key?• sk ←sk for RSO-CPA
• How to answer decryption queries?• sk for IND-CCA
• Is this reasonable?• Simulation sound NIZK assured that for queries from the
adversary, sk for RSO-CPA and sk for CCA PKE lead to the same result
Security Proof: hybrid
Game 0: real game when the challenger opens (𝒎𝟎, 𝒔𝒌𝑰)
Game 9: real game when the challenger opens (𝒎𝟏, 𝒔𝒌𝑰)
≈𝐶 Game 1 ≈𝐶 ⋯ ≈𝐶 Game 8≈𝐶
RSO-CPA to RSA-CCA
RSO-CPA PKE
+CCA PKE +Simulation
sound NIZK
CPA PKEWeak HPS ←
RSO-CCA PKE
universal2 HPS →
RSO-CCA PKE=
←
One-time signature
RSO-CPA from IND-CPA
𝑝𝑘1,0, 𝑝𝑘2,0, … , 𝑝𝑘𝑛,0
𝑝𝑘1,0, 𝑝𝑘2,0, … , 𝑝𝑘𝑛,0pk sk
𝑏1, 𝑏2, …𝑏𝑛
𝑠𝑘1,𝑏1, 𝑠𝑘2,𝑏2, … , 𝑠𝑘𝑛,𝑏𝑛
Enc:
𝐸𝑛𝑐(𝑝𝑘1,0, 𝑘1), 𝐸𝑛𝑐(𝑝𝑘2,0, 𝑘2), … , 𝐸𝑛𝑐(𝑝𝑘𝑛,0, 𝑘𝑛)
𝐸𝑛𝑐(𝑝𝑘1,1, 𝑘1), 𝐸𝑛𝑐(𝑝𝑘2,1, 𝑘2), … , 𝐸𝑛𝑐(𝑝𝑘𝑛,1, 𝑘𝑛)
𝑘 ⊕𝑚
𝐸𝑛𝑐(𝑝𝑘1,0, 𝑘1), 𝐸𝑛𝑐(𝑝𝑘2,0, 1 − 𝑘2), … , 𝐸𝑛𝑐(𝑝𝑘𝑛,0, 𝑘𝑛)
𝐸𝑛𝑐(𝑝𝑘1,1, 1 − 𝑘1), 𝐸𝑛𝑐(𝑝𝑘2,1, 𝑘2), … , 𝐸𝑛𝑐(𝑝𝑘𝑛,1, 1 − 𝑘𝑛)
𝑘 ⊕𝑚
IND-CPA
𝑘1 ∘ k2 ∘ ⋯ ∘ 𝑘𝑛
Security: high level
• the simulator should produce a CT satisfying:• With sk, CT and m are bonded
CT՞𝑠𝑘(𝑘1,𝑏1, … , 𝑘𝑛,𝑏𝑛), hence m bonded
• Without sk, CT computationally hides m
𝑐𝑖,0 and 𝑐𝑖,0 encapsulates different bits, hence m information-theoretically hidden
Warm up: DDH assumption
• Group G of prime order p, generator g
• a,b,c chosen uniformly random from 𝑍𝑝
• 𝐺, 𝑔, 𝑔𝑎 , 𝑔𝑏 , 𝑔𝑐 ≈𝐶 𝐺, 𝑔, 𝑔𝑎 , 𝑔𝑏 , 𝑔𝑎𝑏
Review: CCA construction from CS98
• Keygen: 𝑔1,𝑔2, ←𝑅 𝐺 , 𝑥1, 𝑥2, 𝑦1, 𝑦2, 𝑧1, 𝑧2 ←𝑅 𝑍𝑝pk: 𝑢 = 𝑔1
𝑥1𝑔2𝑥2, v = 𝑔1
𝑦1𝑔2𝑦2 , ℎ = 𝑔1
𝑧1𝑔2𝑧2,collision resistant H
sk: 𝑥1, 𝑥2, 𝑦1, 𝑦2, 𝑧1, 𝑧2
• Enc: 𝑐1 = 𝑔1
𝑟 , 𝑐2 = 𝑔2𝑟 , c3 = hr ⋅ 𝑚
𝑒 = 𝑢𝑡𝑣 𝑟, where 𝑡 = 𝐻(𝑐1, 𝑐2, 𝑐3)
• Dec:𝑒?= 𝑐1
𝑥1𝑡+𝑦1𝑐2𝑥2𝑡+𝑦2, if yes, return 𝑚 ← 𝑐3/𝑐1
𝑧1𝑐2𝑧2
An observation:
• 𝑐1 = 𝑔1𝑟1 , 𝑐2 = 𝑔2
𝑟2 , c3 = 𝑐1𝑧1𝑐2
𝑧2 ⋅ 𝑚, 𝑒 =
𝑐1𝑥1𝑡+𝑦1𝑐2
𝑥2𝑡+𝑦2
𝑟1 = 𝑟2, ciphertext only related pk
𝑟1 ≠ 𝑟2, ciphertext reveal more information about skthan pk
Security: high level
• Challenge ciphertext𝑐1 = 𝑔1
𝑟1 , 𝑐2 = 𝑔2𝑟2 , c3 = 𝑐1
𝑧1𝑐2𝑧2 ⋅ 𝑚, 𝑒 = 𝑐1
𝑥1𝑡+𝑦1𝑐2𝑥2𝑡+𝑦2
With sk, bonded with m; without sk, information theoretically hides m
• Decryption query ciphertext
𝑐1 = 𝑔1𝑟 , 𝑐2 = 𝑔2
𝑟 , c3 = ℎ𝑟 ⋅ 𝑚, 𝑒 = 𝑢𝑡𝑣 𝑟
With out sk, the adversary can only produce cipher of this type; ciphertext of this type will not leak information of sk more than pk
Conclusion
RSO-CPA PKE
+CCA PKE +Simulation
sound NIZK
CPA PKEWeak HPS ←
RSO-CCA PKE
universal2 HPS →
RSO-CCA PKE=
←
One-time signature
SESSION ID:SESSION ID:
#RSAC
Yohei Watanabe
New Revocable IBE in Prime-Order Groups:Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters
CRYP-F03
JSPS Research Fellow (PD), The University of Electro Communications, JapanCollaborative Researcher, AIST, Japan
Joint work with Keita Emura (NICT, Japan) and Jae Hong Seo (Myongji Univ., Korea)
#RSAC
Identity-Based Encryption (IBE) [Sha84,BF01]
25
Public-key encryption enabling to use arbitrary strings as public keys
Key Generation Center (KGC)
ID ID
ID
plaintext ciphertext
ID
Sender Receiver
IDsecret key
master key
ID
ID
ID
#RSAC
Revocation Functionality in IBE
26
Naïve solution by Boneh and Franklin [BF01]
Consider ID||𝑇 as the identity
KGC’s overhead is huge
ID||𝑇
ID||𝑇
ID||𝑇
plaintext ciphertext
master key
Sender Receiver
secret key
ID||𝑇
ID||𝑇
Send secret key toevery non-revoked user IDfor each time period 𝑇
KGC
ID||𝑇
ID||𝑇
ID||𝑇
#RSAC
IBE with Efficient Revocation [BGK08]
27
Called Revocable IBE (RIBE)
Using the complete subtree (CS) method [NNL01]
KGC broadcasts key update at each time period 𝑇
KGC’s overhead can be reduced!𝑇
ID𝑇
plaintext ciphertext
Sender Receiver
KGC
key update
master key
𝑇
IDID𝑇ID
𝑇
ID
𝑇
𝑇
𝑇RL𝑇
Revocation List
ID
𝑇
ID𝑇
decryption key
#RSAC
History of Security Models of RIBE
28
[BGK08] proved their scheme is selectively secure
[LV09] proposed the first adaptively secure RIBE scheme
[SE13] introduced decryption key exposure resistance (DKER)By defining a decryption key exposure oracle
DKER is important!
RIBE should be an efficient realization of [BF01]’s solution
[BF01]’s solution supports DKER
Decryption keys potentially have the risk of leakage
#RSAC
Classification of Adaptively Secure RIBE
29
Adaptively Secure
Decryption Key Exposure Resistant(DKER)
with Short Public Parameters
[LV09][SE13]
[IWS15] [CLL+12]
[Lee16]
[This Work]
over Prime-Order Groups
[CZ15] (lattice-based)
[SLLW14][LLP14]
#RSAC
Our Contribution
30
Propose a new RIBE scheme
Meets adaptive security
— Under a mild variant of the symmetric external Diffie-Hellman (SXDH) assumption
Supports DKER [SE13]
— Desirable security notion for RIBE
Achieves constant-size public parameters
— NOT depend on the identity size
Constructed over asymmetric bilinear groups of prime order
— Realize small element sizes and faster operations
#RSAC
RIBE: Model (Recall)
31
ID𝑇
plaintext ciphertext
Sender Receiver
KGCkey update
𝑇
IDID𝑇
ID
𝑇
ID
𝑇
𝑇
𝑇RL𝑇
Revocation List
ID
𝑇
ID𝑇
IDsecret key
master key
ID
decryption key
Secret key generation Key update generation
Encryption Decryption key generation
Decryption
#RSAC
RIBE: Adaptive Security with DKER
32
ChallengerAdversary
I
secret key for I
Oracles
𝑀0, 𝑀1,I*, 𝑇∗
𝐶𝐼∗,𝑇∗∗
𝒃′
I
𝑇
key update𝑇
(I, 𝑇)
I𝑇 dec. key
(I, 𝑇)RL𝑇
updated
𝐶𝐼∗,𝑇∗∗ ← 𝐸𝑛𝑐(𝑀𝑏 , I
∗, 𝑇∗)
If I∗ is issued,I∗ must be revoked before 𝑇∗
(I∗, 𝑇∗) cannot be issued
The oracle captures DKER!
SKGen
Revoke
KeyUp
DKGen
#RSAC
What is the Difficulty of This Work?
33
The currently-known constant-size IBE schemes are constructed
from stronger assumptions; or
from simple assumptions via the dual system encryption approach
The dual system encryption technique [Wat09] seems not applicable to RIBE constructions with DKER…
Seemingly suitable for constructing RIBE schemes from simple assumptions
However, the approach does not work well
#RSAC
Dual System Encryption in IBE
34
Prepare semi-functional ciphertexts (SF-CT) and secret keys (SF-SK).SF-CT can be decrypted by only normal SKs
SF-SK can decrypt only normal CTs
#RSAC
Essential Part in the Transition from Gamei-1 to Gamei
35
Simulator has to embed some function 𝑓 into public parametersRandomness 𝑟𝐶 ≔ 𝑓(I∗) for the challenge CT
Randomness 𝑟𝐾 ≔ 𝑓(I) for the i-th SK query
𝑟𝐶 is independent of 𝑟𝐾 from an adversarial viewSince 𝑓 is a pairwise independent function and I∗ ≠ I
The games are successfully simulated !
#RSAC
Dual System Encryption in RIBE with DKER
36
Adversary can also get …Decryption keys for (I∗, 𝑇) such that 𝑇 ≠ 𝑇∗
Secret key for I∗ (though it should be revoked before 𝑇∗)
𝑟𝐶 is NOT independent of 𝑟𝐾 from an adversarial viewIf i-th SK query is I∗ (then it holds 𝑟𝐶 = 𝑟𝐾 = 𝑓(I∗))
We cannot transition from Gamei-1 to Gamei
#RSAC
Our Approach
37
Taking the Seo-Emura approach [SE13] !
Waters IBE [Wat05]
Boneh-Boyen IBE [BB04]
Seo-Emura RIBE [SE13]
Adaptively secureWaters IBE [Wat05]
Adaptively secure
Basic IBE
Boneh-Boyen IBE [BB04]
Proposed RIBEAdaptively secure Basic IBE
Adaptively secureConstant-size
public parameter
Red.
Decisional Bilinear Diffie-Hellman
(DBDH) assumptionRed.
Red. Red.
Simple and static computational assumption(s)
[SE13] [Wat05]
Dual system encryption
#RSAC
Details of the Seo-Emura technique
38
Most non-trivial part is simulating decryption keys for (I∗, 𝑇) s.t. 𝑇 ≠ 𝑇∗
Almost all queries can be easily simulated due to adaptive security of Waters IBE
Seo and Emura employed two techniques:
Boneh-Boyen technique [BB04]
To answer all queries not related to 𝑇∗ by embedding 𝑇∗ into public parameters
𝑇∗ can be guessed with polynomial loss
Secret-key re-randomizationTo make biased distribution on randomness of decryption keys uniform
#RSAC
39
Requirements for Applying the Seo-Emura technique
Basic IBE must satisfies …
(0) Constant-size public parameters
(1) Secret-key re-randomization property (by public parameters)
(2) Applicability of Boneh-Boyen technique(2-1) Each component of SK contains at most one component of the master key (MK)
(2-2) Each component of MK is available in the public parameter in some form
cf. Bone-Boyen IBE [BB04]
For DBDH instance (𝑔, 𝑔𝑎, 𝑔𝑏 , 𝑔𝑐 , 𝑍 ∈ {𝑒 𝑔, 𝑔 𝑎𝑏𝑐 , 𝑅} ),
𝑃𝑃 ≔ 𝑔, 𝑔1 ≔ 𝑔𝛼 , 𝑔2, ℎ ∈ 𝔾4, 𝑀𝐾 ≔ 𝛼 ∈ ℤ𝑝, 𝑆𝐾𝐼𝐷 ≔ 𝑔2𝛼 𝑔1
𝐼𝐷 ℎ 𝑟 , 𝑔𝑟 ∈ 𝔾2
Set 𝑔𝛼 ≔ 𝑔𝑎, 𝑔2 ≔ 𝑔𝑏, and ℎ ≔ 𝑔𝑎 −𝐼𝐷∗𝑔𝑦
Then 𝑔1𝐼𝐷ℎ 𝑟𝑔2
−𝑦
𝐼𝐷−𝐼𝐷∗ = 𝑔𝑎 𝐼𝐷−𝐼𝐷∗ +𝑦 𝑟𝑔2−
𝑦
𝐼𝐷−𝐼𝐷∗ = 𝑔𝑎𝑏 𝑔𝑎 𝐼𝐷−𝐼𝐷∗ +𝑦 𝑟−𝑏
𝐼𝐷−𝐼𝐷∗ = 𝑔2𝛼 𝑔1
𝐼𝐷 ℎ ǁ𝑟
#RSAC
Basic IBE Scheme from Jutla-Roy IBE [JR13,RS14]
40
Most of dual-system-encryption-based IBE schemes do not satisfy (1) and (2)e.g., DPVS-based IBE schemes do not satisfy any requirement
We employ the Jutla-Roy IBE [JR13,RS14] as “Basic IBE”Achieves constant-size public parameters
Satisfies requirements (1) and (2-1), but not (2-2)
Modify the Jutla-Roy IBE to additionally satisfy the requirement (2-2) !
#RSAC
Security of Modified Jutla-Roy IBE
41
Jutla-Roy IBE [JR13,RS14]
Adaptively secure
DDH1 assumptionand
DDH2 assumption(SXDH assumption)
Reduction
Modified Jutla-Roy IBE Adaptively secure
Augmented DDH1 (ADDH1) assumptionand
DDH2 assumption
Reduction
[Original]
[This Work]Static assumptionSimilar to DDH1v assumption [RCS12]
Dual system encryption
#RSAC
Our RIBE Scheme: Construction
42
Constructed based on the Jutla-Roy IBE
Security is proved under adaptive security of the modified Jutla-Roy IBE
Jutla-Roy IBE
Boneh-Boyen IBE
Proposed RIBEAdaptively secure
Red. Red.
Dual system encryption
Modified Jutla-Roy IBE Adaptively secure
ADDH1 assumptionand
DDH2 assumption
#RSAC
Comparison
43
Scheme #𝒎𝒑𝒌 #𝒎𝒔𝒌 #𝑪
Seo-Emura [SE13] 𝟔 + ℓ |𝔾𝒑| |𝔾𝑝| 3 𝔾𝑝 + |𝔾𝑇𝑠𝑦𝑚
|
Lee [Lee16] 8 𝔾𝑁 + |𝔾𝑇𝑐𝑜𝑚𝑝
| |𝔾𝑁| 4 𝔾𝑁 + |𝔾𝑇𝑐𝑜𝑚𝑝
|
Our Scheme 𝟕 𝔾𝟏 + 𝟏𝟏 𝔾𝟐 + |𝔾𝑻𝒂𝒔𝒚𝒎
| 2|𝔾2| 4 𝔾1 + 𝔾𝑇𝑎𝑠𝑦𝑚
+ ℤ𝑝
Scheme #𝒔𝒌 #𝒌𝒖 #𝒅𝒌 Assumption
Seo-Emura [SE13] 2 log 𝑛 |𝔾𝑝| 2𝑟 log𝑛
𝑟|𝔾𝑝| 3 𝔾𝑝 DBDH
Lee [Lee16] 2 log 𝑛 𝔾𝑁 2𝑟 log𝑛
𝑟𝔾𝑁 + 2 ℤ𝑁 4 𝔾𝑁 Static (over composite-order groups)
Our Scheme 5 log 𝑛 𝔾2 3𝑟 log𝑛
𝑟|𝔾2| 6 𝔾2 ADDH1 and DDH2
𝑛 … No. of users; 𝑟 … No. of revoked users; ℓ… bit-length of ID;
#RSAC
Concluding Remarks
44
Proposed a new RIBE scheme
Adaptively SecureDKER
with Short Public Parameters
[LV09][SE13] [IWS15] [CLL+12]
[Lee16]
[This Work]over Prime-Order Groups
[CZ15](lattice-based)
[SLLW14][LLP14]
Extension:CCA security
Server-aided RIBEThank you!
Icons: Material Design by Google | Apache License Ver. 2.0Font Awesome by Dave Gandy | CC BY 3.0