CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Dingding Jia, Xianhui Lu, Bao Li

CT-RSA 2017 02-17


Outline

• Background

• Motivation

• Our contribution
  • Existence: RSO-CCA from RSO-CPA and IND-CCA
  • RSO-CPA from IND-CPA
  • The construction in [CS02] is RSO-CCA secure

Public Key Encryption with labels (PKE)

Key Generator: $Keygen \to (pk, sk)$

Sender: $c \leftarrow Enc(pk, m, l; r)$

Receiver: $m \leftarrow Dec(sk, c, l)$

[Diagram: the adversary sends $(m_0, m_1)$, receives $c_b = Enc(pk, m_b)$ and outputs $b'$.]

The adversary succeeds if $b' = b$

One-time unforgeable signature

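Key Generator: $Keygen \to (vk, sigk)$

Sender: $\sigma \leftarrow Sign(sigk, m)$

Receiver: $\{0,1\} \leftarrow Ver(vk, m, \sigma)$

[Diagram: signer with $sigk$, receiver with $vk$, and adversary; the adversary sends $m$, receives $\sigma = Sign(sigk, m)$ and outputs $(m', \sigma')$.]

• The adversary succeeds if $(m', \sigma') \neq (m, \sigma)$ and $Ver(vk, m', \sigma') = 1$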

Simulation Soundness NIZK

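• CRSGen → CRS

• Prover: P(CRS, x, w) → $\pi$ to prove $x \in L$, with witness w

• Verifier: V(CRS, x, $\pi$) → {0,1}

Real world: CRSGen → CRS; for (x, w) from the adversary, P(CRS, x, w) → $\pi$ (multi-time)

Simulated world: CRS ← Simu; for (x, w) from the adversary, Simu(CRS, x) → $\pi$ (multi-time)

The real world and the simulated world are indistinguishable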

PKE with Receiver Selective Opening Security

[Diagram: one sender and Receiver 1, Receiver 2, …, Receiver n; the sender sends $c_1 = Enc(pk_1, m_1)$, $c_2 = Enc(pk_2, m_2)$, …, $c_n = Enc(pk_n, m_n)$. Receiver 1 is corrupted and $sk_1$ is revealed; Receiver n is corrupted and $sk_n$ is revealed.]

Is $m_2$ protected well?

What if the adversary also has access to the decryption oracle?

The formal definition of RSO

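Game between Adversary and Challenger:

1. Challenger: $Keygen \to (pk_i, sk_i)$, $b \in_R \{0,1\}$; sends $(pk_i)_{i \in [n]}$
2. Adversary sends $(dist_j, Redist_j)$
3. Challenger: $\mathbf{m}_0^j = (m_1, \ldots, m_n) \leftarrow dist$, $\mathbf{c}_0^j = \{Enc(pk_i, m_i; r_i)\}$; sends $\mathbf{c}_0^j$
4. Adversary sends $I \subset [n]$
5. Challenger: $\mathbf{m}_1^j \leftarrow Redist_j(\mathbf{m}_{0,I})$; sends $\mathbf{m}_b^1, \ldots, \mathbf{m}_b^l, \mathbf{sk}_I$
6. Adversary outputs $b'$

Dec Oracle (multi-time): on $(c, i)$, returns $m = Dec(sk_i, c)$

$\mathbf{Adv} = 2\Pr[b' = b] - 1$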

A simpler Case: single message security

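• $\mathbf{Adv} \le l \cdot Adv$

Game between Adversary and Challenger:

1. Challenger: $setup \to (pk_i, sk_i)$, $b \in_R \{0,1\}$; sends $(pk_i)_{i \in [n]}$
2. Adversary sends (dist, Redist)
3. Challenger: $\mathbf{m}_0 = (m_1, \ldots, m_n) \leftarrow dist$, $\mathbf{c}_0 = \{Enc(pk_i, m_i; r_i)\}$; sends $\mathbf{c}_0$
4. Adversary sends $I \subset [n]$
5. Challenger: $\mathbf{m}_1 \leftarrow Redist(\mathbf{m}_{0,I})$; sends $\mathbf{m}_b, \mathbf{sk}_I$
6. Adversary outputs $b'$

Dec: on $(c, i)$, returns $m = Dec(sk_i, c)$

$Adv = 2\Pr[b' = b] - 1$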

Motivation

• RSO-CPA secure constructions
  • Key simulatable PKE [HPW15]
  • NCER [CHK05,HPW15]

• RSO-CCA secure construction
  • Not known yet

A World just like the real experiment & embed the problem in the experiment

The challenge

• For RSO case, the simulator should produce a CT satisfying:
  • With sk, CT and m are bound
  • Without sk, CT computationally hides m

[Diagram: Adversary and simulator; labels: "Problem solved", "Hard problem", "solved".]

Remaining info after decryption queries for CCA case

RSO-CCA from RSO-CPA

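• pk = $(pk_1, pk_2, CRS)$, sk = $sk_1$

• CT = $(vk, c_1, c_2, \pi, \sigma)$
  • $(vk, sigk) \leftarrow S.Keygen$;
  • $c_1 \leftarrow E_1.Enc(pk_1, m; r_1)$; $c_2 \leftarrow E_2.Enc(pk_2, m, vk; r_2)$;
  • $\pi \leftarrow P.P(CRS, c_1, c_2, r_1, r_2)$;
  • $\sigma \leftarrow S.Sign(sigk, c_1, c_2, \pi)$

[Diagram: building blocks $E_1$ (RSO-CPA), $E_2$ (IND-CCA), $P$ (NIZK) and $S$ (Sig) combine into RSO-CCA.]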

Security: high level idea

• How to open secret key?
  • sk ← sk for RSO-CPA

• How to answer decryption queries?
  • sk for IND-CCA

• Is this reasonable?
  • Simulation sound NIZK assures that, for queries from the adversary, sk for RSO-CPA and sk for CCA PKE lead to the same result

Security Proof: hybrid

Game 0: real game when the challenger opens $(\mathbf{m}_0, \mathbf{sk}_I)$

Game 9: real game when the challenger opens $(\mathbf{m}_1, \mathbf{sk}_I)$

Game 0 $\approx_c$ Game 1 $\approx_c \cdots \approx_c$ Game 8 $\approx_c$ Game 9

Security proof: concrete

RSO-CPA to RSO-CCA

[Diagram: RSO-CPA PKE + CCA PKE + Simulation sound NIZK + One-time signature = RSO-CCA PKE. CPA PKE and Weak HPS point to RSO-CPA PKE; universal$_2$ HPS points to RSO-CCA PKE.]

RSO-CPA from IND-CPA

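pk: $(pk_{1,0}, pk_{2,0}, \ldots, pk_{n,0})$ and $(pk_{1,1}, pk_{2,1}, \ldots, pk_{n,1})$

sk: $(b_1, b_2, \ldots, b_n)$ and $(sk_{1,b_1}, sk_{2,b_2}, \ldots, sk_{n,b_n})$

Enc:

$Enc(pk_{1,0}, k_1), Enc(pk_{2,0}, k_2), \ldots, Enc(pk_{n,0}, k_n)$

$Enc(pk_{1,1}, k_1), Enc(pk_{2,1}, k_2), \ldots, Enc(pk_{n,1}, k_n)$

$k \oplus m$, with $k = k_1 \circ k_2 \circ \cdots \circ k_n$

Indistinguishable by IND-CPA from:

$Enc(pk_{1,0}, k_1), Enc(pk_{2,0}, 1 - k_2), \ldots, Enc(pk_{n,0}, k_n)$

$Enc(pk_{1,1}, 1 - k_1), Enc(pk_{2,1}, k_2), \ldots, Enc(pk_{n,1}, 1 - k_n)$

$k \oplus m$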

Security: high level

• The simulator should produce a CT satisfying:
  • With sk, CT and m are bound
    $CT \xrightarrow{sk} (k_{1,b_1}, \ldots, k_{n,b_n})$, hence m bound
  • Without sk, CT computationally hides m
    $c_{i,0}$ and $c_{i,1}$ encapsulate different bits, hence m information-theoretically hidden
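The construction and the simulator's opening step, as an added Python example that is not part of the slides. It shows that a simulated ciphertext, whose two slots hold different bits, can be opened to any message by choosing which $sk_{i,b_i}$ to reveal. Assumptions: toy ElGamal on bits stands in for the IND-CPA scheme, and the group parameters and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters: order-11 subgroup of Z_23^*, generator 4 (insecure).
P, Q, G = 23, 11, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                          # (pk, sk)

def enc_bit(pk, bit):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, bit, P) * pow(pk, r, P) % P

def dec_bit(sk, ct):
    c1, c2 = ct
    return 0 if c2 * pow(c1, Q - sk, P) % P == 1 else 1

def rso_keygen(n):
    # pairs[i] = ((pk_{i,0}, sk_{i,0}), (pk_{i,1}, sk_{i,1}))
    pairs = [(keygen(), keygen()) for _ in range(n)]
    pk = [(p0[0], p1[0]) for p0, p1 in pairs]
    sk = [(b, pair[b][1]) for pair in pairs for b in [secrets.randbelow(2)]]
    return pk, sk, pairs      # pairs (all 2n secret keys) is kept only by the simulator

def rso_enc(pk, m_bits):
    # Honest encryption: both slots hold the same bit k_i; the message is masked by k.
    k = [secrets.randbelow(2) for _ in pk]
    cts = [(enc_bit(p0, ki), enc_bit(p1, ki)) for (p0, p1), ki in zip(pk, k)]
    return cts, [ki ^ mi for ki, mi in zip(k, m_bits)]

def rso_dec(sk, ct):
    cts, masked = ct
    return [dec_bit(x, cts[i][b]) ^ masked[i] for i, (b, x) in enumerate(sk)]

def sim_enc(pk):
    # Simulated ciphertext: c_{i,0} holds e_i, c_{i,1} holds 1 - e_i, the mask t is random.
    e = [secrets.randbelow(2) for _ in pk]
    cts = [(enc_bit(p0, ei), enc_bit(p1, 1 - ei)) for (p0, p1), ei in zip(pk, e)]
    return (cts, [secrets.randbelow(2) for _ in pk]), e

def sim_open(pairs, e, ct, m_bits):
    # Choose b_i so that c_{i,b_i} decrypts to k_i = t_i XOR m_i, then reveal sk_{i,b_i}.
    b = [ei ^ ti ^ mi for ei, ti, mi in zip(e, ct[1], m_bits)]
    return [(bi, pairs[i][bi][1]) for i, bi in enumerate(b)]
```
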

Warm up: DDH assumption

• Group G of prime order p, generator g

• a, b, c chosen uniformly at random from $Z_p$

• $(G, g, g^a, g^b, g^c) \approx_c (G, g, g^a, g^b, g^{ab})$

Review: CCA construction from CS98

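• Keygen: $g_1, g_2 \leftarrow_R G$, $x_1, x_2, y_1, y_2, z_1, z_2 \leftarrow_R Z_p$

pk: $u = g_1^{x_1} g_2^{x_2}$, $v = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z_1} g_2^{z_2}$, collision resistant $H$

sk: $x_1, x_2, y_1, y_2, z_1, z_2$

• Enc: $c_1 = g_1^r$, $c_2 = g_2^r$, $c_3 = h^r \cdot m$, $e = (u^t v)^r$, where $t = H(c_1, c_2, c_3)$

• Dec: $e \stackrel{?}{=} c_1^{x_1 t + y_1} c_2^{x_2 t + y_2}$; if yes, return $m \leftarrow c_3 / (c_1^{z_1} c_2^{z_2})$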

An observation:

• $c_1 = g_1^{r_1}$, $c_2 = g_2^{r_2}$, $c_3 = c_1^{z_1} c_2^{z_2} \cdot m$, $e = c_1^{x_1 t + y_1} c_2^{x_2 t + y_2}$

$r_1 = r_2$: the ciphertext is only related to pk

$r_1 \neq r_2$: the ciphertext reveals more information about sk than pk

Security: high level

• Challenge ciphertext

$c_1 = g_1^{r_1}$, $c_2 = g_2^{r_2}$, $c_3 = c_1^{z_1} c_2^{z_2} \cdot m$, $e = c_1^{x_1 t + y_1} c_2^{x_2 t + y_2}$

With sk, bound with m; without sk, information theoretically hides m

• Decryption query ciphertext

$c_1 = g_1^r$, $c_2 = g_2^r$, $c_3 = h^r \cdot m$, $e = (u^t v)^r$

Without sk, the adversary can only produce ciphertexts of this type; a ciphertext of this type will not leak more information about sk than pk

Conclusion

[Diagram: RSO-CPA PKE + CCA PKE + Simulation sound NIZK + One-time signature = RSO-CCA PKE. CPA PKE and Weak HPS point to RSO-CPA PKE; universal$_2$ HPS points to RSO-CCA PKE.]

Thanks for your attention!

Questions?

SESSION ID: CRYP-F03

New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters

Yohei Watanabe

JSPS Research Fellow (PD), The University of Electro Communications, Japan

Collaborative Researcher, AIST, Japan

Joint work with Keita Emura (NICT, Japan) and Jae Hong Seo (Myongji Univ., Korea)

Identity-Based Encryption (IBE) [Sha84,BF01]

Public-key encryption that allows arbitrary strings to be used as public keys

[Diagram: Key Generation Center (KGC) with the master key; the sender encrypts the plaintext to a ciphertext under ID; the receiver holds the secret key for ID.]

Revocation Functionality in IBE

Naïve solution by Boneh and Franklin [BF01]

Consider ID||$T$ as the identity

KGC's overhead is huge

Send secret key to every non-revoked user ID for each time period $T$

[Diagram: the KGC uses the master key to issue secret keys for ID||$T$; the sender encrypts the plaintext to a ciphertext under ID||$T$; the receiver holds the secret key for ID||$T$.]

IBE with Efficient Revocation [BGK08]

Called Revocable IBE (RIBE)

Using the complete subtree (CS) method [NNL01]

KGC broadcasts key update at each time period $T$

KGC's overhead can be reduced!

[Diagram: the KGC holds the master key and the Revocation List $RL_T$ and broadcasts the key update for $T$; the sender encrypts the plaintext to a ciphertext under ID and $T$; the receiver holds the decryption key for (ID, $T$).]

History of Security Models of RIBE

[BGK08] proved their scheme is selectively secure

[LV09] proposed the first adaptively secure RIBE scheme

[SE13] introduced decryption key exposure resistance (DKER)

By defining a decryption key exposure oracle

DKER is important!

RIBE should be an efficient realization of [BF01]’s solution

[BF01]’s solution supports DKER

Decryption keys potentially have the risk of leakage

Classification of Adaptively Secure RIBE

[Diagram: classification of adaptively secure RIBE schemes by three properties: Decryption Key Exposure Resistant (DKER), with Short Public Parameters, and over Prime-Order Groups. Schemes shown: [LV09], [SE13], [IWS15], [CLL+12], [Lee16], [CZ15] (lattice-based), [SLLW14], [LLP14] and [This Work].]

Our Contribution


Propose a new RIBE scheme

Meets adaptive security

— Under a mild variant of the symmetric external Diffie-Hellman (SXDH) assumption

Supports DKER [SE13]

— Desirable security notion for RIBE

Achieves constant-size public parameters

— NOT depend on the identity size

Constructed over asymmetric bilinear groups of prime order

— Realize small element sizes and faster operations


RIBE: Model (Recall)

[Diagram: the KGC holds the master key and the Revocation List $RL_T$, issues the secret key for ID and broadcasts the key update for $T$; the sender encrypts the plaintext to a ciphertext under ID and $T$; the receiver holds the decryption key for (ID, $T$).]

Algorithms: Secret key generation, Key update generation, Encryption, Decryption key generation, Decryption

RIBE: Adaptive Security with DKER

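Game between Challenger and Adversary.

Oracles:

SKGen: on I, returns the secret key for I

Revoke: on (I, $T$), $RL_T$ is updated

KeyUp: on $T$, returns the key update for $T$

DKGen: on (I, $T$), returns the dec. key for (I, $T$)

The adversary submits $(M_0, M_1, I^*, T^*)$, receives $C^*_{I^*,T^*} \leftarrow Enc(M_b, I^*, T^*)$ and outputs $b'$

If $I^*$ is issued, $I^*$ must be revoked before $T^*$

$(I^*, T^*)$ cannot be issued

The oracle captures DKER!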

What is the Difficulty of This Work?


The currently-known constant-size IBE schemes are constructed

from stronger assumptions; or

from simple assumptions via the dual system encryption approach

The dual system encryption technique [Wat09] seems not applicable to RIBE constructions with DKER…

Seemingly suitable for constructing RIBE schemes from simple assumptions

However, the approach does not work well


Dual System Encryption in IBE

Prepare semi-functional ciphertexts (SF-CT) and secret keys (SF-SK).

SF-CT can be decrypted by only normal SKs

SF-SK can decrypt only normal CTs

Essential Part in the Transition from Game$_{i-1}$ to Game$_i$

Simulator has to embed some function $f$ into public parameters

Randomness $r_C := f(I^*)$ for the challenge CT

Randomness $r_K := f(I)$ for the $i$-th SK query

$r_C$ is independent of $r_K$ from an adversarial view

Since $f$ is a pairwise independent function and $I^* \neq I$

The games are successfully simulated!

Dual System Encryption in RIBE with DKER

Adversary can also get …

Decryption keys for $(I^*, T)$ such that $T \neq T^*$

Secret key for $I^*$ (though it should be revoked before $T^*$)

$r_C$ is NOT independent of $r_K$ from an adversarial view

If the $i$-th SK query is $I^*$ (then it holds $r_C = r_K = f(I^*)$)

We cannot transition from Game$_{i-1}$ to Game$_i$

Our Approach

Taking the Seo-Emura approach [SE13]!

[Diagram, [SE13]: Seo-Emura RIBE [SE13] (adaptively secure), built from Waters IBE [Wat05] (adaptively secure, the Basic IBE) and Boneh-Boyen IBE [BB04]; reductions (Red.) lead to Waters IBE [Wat05] and then to the Decisional Bilinear Diffie-Hellman (DBDH) assumption.]

[Diagram, this work: Proposed RIBE (adaptively secure), built from a Basic IBE (adaptively secure, constant-size public parameter) and Boneh-Boyen IBE [BB04]; reductions (Red.) lead to the Basic IBE and then, by dual system encryption, to simple and static computational assumption(s).]

Details of the Seo-Emura technique

Most non-trivial part is simulating decryption keys for $(I^*, T)$ s.t. $T \neq T^*$

Almost all queries can be easily simulated due to adaptive security of Waters IBE

Seo and Emura employed two techniques:

Boneh-Boyen technique [BB04]

To answer all queries not related to $T^*$ by embedding $T^*$ into public parameters

$T^*$ can be guessed with polynomial loss

Secret-key re-randomization

To make biased distribution on randomness of decryption keys uniform

Requirements for Applying the Seo-Emura technique

Basic IBE must satisfy …

(0) Constant-size public parameters

(1) Secret-key re-randomization property (by public parameters)

(2) Applicability of Boneh-Boyen technique

(2-1) Each component of SK contains at most one component of the master key (MK)

(2-2) Each component of MK is available in the public parameter in some form

cf. Boneh-Boyen IBE [BB04]

For DBDH instance $(g, g^a, g^b, g^c, Z \in \{e(g,g)^{abc}, R\})$,

$PP := (g, g_1 := g^\alpha, g_2, h) \in \mathbb{G}^4$, $MK := \alpha \in \mathbb{Z}_p$, $SK_{ID} := (g_2^\alpha (g_1^{ID} h)^r, g^r) \in \mathbb{G}^2$

Set $g^\alpha := g^a$, $g_2 := g^b$, and $h := (g^a)^{-ID^*} g^y$

Then

$$(g_1^{ID} h)^r g_2^{-\frac{y}{ID - ID^*}} = (g^{a(ID - ID^*) + y})^r g_2^{-\frac{y}{ID - ID^*}} = g^{ab} (g^{a(ID - ID^*) + y})^{r - \frac{b}{ID - ID^*}} = g_2^\alpha (g_1^{ID} h)^{\tilde{r}}$$

Basic IBE Scheme from Jutla-Roy IBE [JR13,RS14]

Most of dual-system-encryption-based IBE schemes do not satisfy (1) and (2)

e.g., DPVS-based IBE schemes do not satisfy any requirement

We employ the Jutla-Roy IBE [JR13,RS14] as “Basic IBE”

Achieves constant-size public parameters

Satisfies requirements (1) and (2-1), but not (2-2)

Modify the Jutla-Roy IBE to additionally satisfy the requirement (2-2)!

Security of Modified Jutla-Roy IBE

[Original] Jutla-Roy IBE [JR13,RS14]: adaptively secure; reduction to the DDH1 assumption and DDH2 assumption (SXDH assumption)

[This Work] Modified Jutla-Roy IBE: adaptively secure; reduction to the Augmented DDH1 (ADDH1) assumption and DDH2 assumption

Static assumption, similar to DDH1v assumption [RCS12]

Dual system encryption

Our RIBE Scheme: Construction

Constructed based on the Jutla-Roy IBE

Security is proved under adaptive security of the modified Jutla-Roy IBE

[Diagram: Proposed RIBE (adaptively secure), built from Jutla-Roy IBE and Boneh-Boyen IBE; reductions (Red.) lead to the Modified Jutla-Roy IBE (adaptively secure) and then, by dual system encryption, to the ADDH1 assumption and DDH2 assumption.]

Comparison

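| Scheme | #mpk | #msk | #C |
|---|---|---|---|
| Seo-Emura [SE13] | $(6 + \ell)\lvert\mathbb{G}_p\rvert$ | $\lvert\mathbb{G}_p\rvert$ | $3\lvert\mathbb{G}_p\rvert + \lvert\mathbb{G}_T^{sym}\rvert$ |
| Lee [Lee16] | $8\lvert\mathbb{G}_N\rvert + \lvert\mathbb{G}_T^{comp}\rvert$ | $\lvert\mathbb{G}_N\rvert$ | $4\lvert\mathbb{G}_N\rvert + \lvert\mathbb{G}_T^{comp}\rvert$ |
| Our Scheme | $7\lvert\mathbb{G}_1\rvert + 11\lvert\mathbb{G}_2\rvert + \lvert\mathbb{G}_T^{asym}\rvert$ | $2\lvert\mathbb{G}_2\rvert$ | $4\lvert\mathbb{G}_1\rvert + \lvert\mathbb{G}_T^{asym}\rvert + \lvert\mathbb{Z}_p\rvert$ |

| Scheme | #sk | #ku | #dk | Assumption |
|---|---|---|---|---|
| Seo-Emura [SE13] | $2 \log n \,\lvert\mathbb{G}_p\rvert$ | $2r \log\frac{n}{r} \,\lvert\mathbb{G}_p\rvert$ | $3\lvert\mathbb{G}_p\rvert$ | DBDH |
| Lee [Lee16] | $2 \log n \,\lvert\mathbb{G}_N\rvert$ | $2r \log\frac{n}{r} \,\lvert\mathbb{G}_N\rvert + 2\lvert\mathbb{Z}_N\rvert$ | $4\lvert\mathbb{G}_N\rvert$ | Static (over composite-order groups) |
| Our Scheme | $5 \log n \,\lvert\mathbb{G}_2\rvert$ | $3r \log\frac{n}{r} \,\lvert\mathbb{G}_2\rvert$ | $6\lvert\mathbb{G}_2\rvert$ | ADDH1 and DDH2 |

$n$: No. of users; $r$: No. of revoked users; $\ell$: bit-length of ID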

Concluding Remarks

Proposed a new RIBE scheme

[Diagram: classification of adaptively secure RIBE schemes by DKER, with Short Public Parameters, and over Prime-Order Groups. Schemes shown: [LV09], [SE13], [IWS15], [CLL+12], [Lee16], [CZ15] (lattice-based), [SLLW14], [LLP14] and [This Work].]

Extension:

CCA security

Server-aided RIBE

Thank you!