CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS Dingding Jia, Xianhui Lu, Bao Li [email protected] CT-RSA 2017 02-17

Apr 01, 2018


CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Dingding Jia, Xianhui Lu, Bao Li [email protected]

CT-RSA 2017 02-17

Outline

• Background
• Motivation
• Our contribution
  • Existence: RSO-CCA from RSO-CPA and IND-CCA
  • RSO-CPA from IND-CPA
  • The construction in [CS02] is RSO-CCA secure

Public Key Encryption with labels (PKE)

Key Generator: $Keygen \to (pk, sk)$

Sender: $c \leftarrow Enc(pk, m, l; r)$

Receiver: $m \leftarrow Dec(sk, c, l)$

[Diagram: the key generator gives pk to the sender and sk to the receiver; the sender sends c to the receiver. The adversary submits $(m_0, m_1)$, receives $c_b = Enc(pk, m_b)$ and outputs $b'$.]

The adversary succeeds if $b' = b$

One-time unforgeable signature

Key Generator: $Keygen \to (vk, sigk)$

Sender: $\sigma \leftarrow Sign(sigk, m)$

Receiver: $\{0,1\} \leftarrow Ver(vk, m, \sigma)$

[Diagram: the key generator gives sigk to the sender and vk to the receiver; the sender sends $\sigma$ to the receiver. The adversary submits m, receives $\sigma = Sign(sigk, m)$ and outputs $(m', \sigma')$.]

• The adversary succeeds if $(m', \sigma') \neq (m, \sigma)$ and $Ver(vk, m', \sigma') = 1$

Simulation Soundness NIZK

• CRSGen → CRS
• Prover: P(CRS, x, w) → $\pi$ to prove $x \in L$, with witness w
• Verifier: V(CRS, x, $\pi$) → {0,1}

[Diagram: Real world: CRSGen → CRS; the adversary submits (x, w) multiple times and receives P(CRS, x, w) → $\pi$. Simulated world: CRS ← Simu; the adversary submits (x, w) multiple times and receives Simu(CRS, x) → $\pi$. The two worlds are indistinguishable to the adversary.]

PKE with Receiver Selective Opening Security

[Diagram: a sender encrypts to n receivers: $c_1 = Enc(pk_1, m_1)$ to Receiver 1, $c_2 = Enc(pk_2, m_2)$ to Receiver 2, …, $c_n = Enc(pk_n, m_n)$ to Receiver n. Receiver 1 is corrupted and $sk_1$ is revealed; Receiver n is corrupted and $sk_n$ is revealed.]

Is $m_2$ protected well?

What if the adversary also has access to the decryption oracle?

The formal definition of RSO

[Diagram: game between Adversary and Challenger]

Challenger: $Keygen \to (pk_i, sk_i)$, $b \in_R \{0,1\}$
Challenger → Adversary: $\{pk_i\}_{i \in [n]}$
Adversary → Challenger: $(dist_j, Redist_j)$
Challenger: $\mathbf{m}_0^j = (m_1, \dots, m_n) \leftarrow dist_j$, $\mathbf{c}_0^j = \{Enc(pk_i, m_i; r_i)\}$
Challenger → Adversary: $\mathbf{c}_0^j$
Adversary → Challenger: $I \subset [n]$
Challenger: $\mathbf{m}_1^j \leftarrow Redist_j(\mathbf{m}_{0,I})$
Challenger → Adversary: $\mathbf{m}_b^1, \dots, \mathbf{m}_b^l, sk_I$
Adversary: outputs $b'$

Dec Oracle (multi-time): on query $(c, i)$, returns $m = Dec(sk_i, c)$

$\mathbf{Adv} = 2\Pr[b' = b] - 1$

A simpler case: single message security

• $\mathbf{Adv} \le l \cdot Adv$

[Diagram: game between Adversary and Challenger]

Challenger: $setup \to (pk_i, sk_i)$, $b \in_R \{0,1\}$
Challenger → Adversary: $\{pk_i\}_{i \in [n]}$
Adversary → Challenger: $(dist, Redist)$
Challenger: $\mathbf{m}_0 = (m_1, \dots, m_n) \leftarrow dist$, $\mathbf{c}_0 = \{Enc(pk_i, m_i; r_i)\}$
Challenger → Adversary: $\mathbf{c}_0$
Adversary → Challenger: $I \subset [n]$
Challenger: $\mathbf{m}_1 \leftarrow Redist(\mathbf{m}_{0,I})$
Challenger → Adversary: $\mathbf{m}_b, sk_I$
Adversary: outputs $b'$

Dec: on query $(c, i)$, returns $m = Dec(sk_i, c)$

$Adv = 2\Pr[b' = b] - 1$

Motivation

• RSO-CPA secure constructions
  • Key-simulatable PKE [HPW15]
  • NCER [CHK05, HPW15]
• RSO-CCA secure construction
  • Not known yet

The challenge

[Diagram: the simulator gives the adversary a world just like the real experiment and embeds the problem in the experiment; once the adversary's problem is solved, the hard problem is solved.]

• For RSO case, the simulator should produce a CT satisfying:
  • With sk, CT and m are bound together
  • Without sk, CT computationally hides m

Remaining info after decryption queries for CCA case

RSO-CCA from RSO-CPA

• $pk = (pk_1, pk_2, CRS)$, $sk = sk_1$
• $CT = (vk, c_1, c_2, \pi, \sigma)$
  • $(vk, sigk) \leftarrow S.Keygen$;
  • $c_1 \leftarrow E_1.Enc(pk_1, m; r_1)$; $c_2 \leftarrow E_2.Enc(pk_2, m, vk; r_1)$;
  • $\pi \leftarrow P.P(CRS, c_1, c_2, r_1, r_2)$;
  • $\sigma \leftarrow S.Sign(sigk, c_1, c_2, \pi)$

[Diagram: building blocks of the RSO-CCA scheme: $E_1$ (RSO-CPA), $E_2$ (IND-CCA), $P$ (NIZK), $S$ (Sig).]

Security: high level idea

• How to open secret key?
  • sk ← sk for RSO-CPA
• How to answer decryption queries?
  • sk for IND-CCA
• Is this reasonable?
  • Simulation-sound NIZK ensures that, for queries from the adversary, sk for RSO-CPA and sk for CCA PKE lead to the same result

Security Proof: hybrid

Game 0: real game when the challenger opens $(\mathbf{m}_0, sk_I)$

Game 9: real game when the challenger opens $(\mathbf{m}_1, sk_I)$

Game 0 $\approx_C$ Game 1 $\approx_C \cdots \approx_C$ Game 8 $\approx_C$ Game 9

Security proof: concrete

RSO-CPA to RSO-CCA

[Diagram: RSO-CPA PKE + CCA PKE + simulation-sound NIZK + one-time signature = RSO-CCA PKE; CPA PKE ← weak HPS; universal2 HPS → RSO-CCA PKE.]

RSO-CPA from IND-CPA

pk:
$pk_{1,0}, pk_{2,0}, \dots, pk_{n,0}$
$pk_{1,1}, pk_{2,1}, \dots, pk_{n,1}$

sk:
$b_1, b_2, \dots, b_n$
$sk_{1,b_1}, sk_{2,b_2}, \dots, sk_{n,b_n}$

Enc, with $k = k_1 \circ k_2 \circ \cdots \circ k_n$:

$Enc(pk_{1,0}, k_1), Enc(pk_{2,0}, k_2), \dots, Enc(pk_{n,0}, k_n)$
$Enc(pk_{1,1}, k_1), Enc(pk_{2,1}, k_2), \dots, Enc(pk_{n,1}, k_n)$
$k \oplus m$

(IND-CPA)

$Enc(pk_{1,0}, k_1), Enc(pk_{2,0}, 1 - k_2), \dots, Enc(pk_{n,0}, k_n)$
$Enc(pk_{1,1}, 1 - k_1), Enc(pk_{2,1}, k_2), \dots, Enc(pk_{n,1}, 1 - k_n)$
$k \oplus m$

Security: high level

• The simulator should produce a CT satisfying:
  • With sk, CT and m are bound together
    CT $\xrightarrow{sk}$ $(k_{1,b_1}, \dots, k_{n,b_n})$, hence m is bound
  • Without sk, CT computationally hides m
    $c_{i,0}$ and $c_{i,1}$ encapsulate different bits, hence m is information-theoretically hidden
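The construction and the simulator's ciphertext from the two slides above, as an added Python example (not code from the talk or the paper). Assumptions: ElGamal on single bits over a small constructed group stands in for the IND-CPA scheme, there is one receiver with n one-bit positions, and the names `sim_enc` and `sim_open` are illustrative.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def eg_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                          # (pk, sk)

def eg_enc(pk, bit):
    """ElGamal encryption of one bit, encoded as G**bit."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(pk, r, P) * pow(G, bit, P) % P

def eg_dec(x, ct):
    c1, c2 = ct
    return 0 if c2 * pow(c1, Q - x, P) % P == 1 else 1

def keygen(n):
    """pk holds 2n public keys; sk holds b_i and only sk_{i,b_i}.
    `both` (all 2n secret keys) is what the simulator additionally keeps."""
    pairs = [(eg_keygen(), eg_keygen()) for _ in range(n)]
    pk = [(k0[0], k1[0]) for k0, k1 in pairs]
    both = [(k0[1], k1[1]) for k0, k1 in pairs]
    b = [secrets.randbelow(2) for _ in range(n)]
    return pk, (b, [both[i][b[i]] for i in range(n)]), both

def enc(pk, m):
    """Honest ciphertext: k_i under pk_{i,0} and pk_{i,1}, plus k XOR m."""
    k = [secrets.randbelow(2) for _ in m]
    rows = [(eg_enc(pk[i][0], k[i]), eg_enc(pk[i][1], k[i])) for i in range(len(m))]
    return rows, [ki ^ mi for ki, mi in zip(k, m)]

def dec(sk, ct):
    (b, keys), (rows, pad) = sk, ct
    return [pad[i] ^ eg_dec(keys[i], rows[i][b[i]]) for i in range(len(pad))]

def sim_enc(pk):
    """Simulated ciphertext, made before m is known: the two slots of
    position i hold different bits (s_i and 1 - s_i); the pad is random."""
    n = len(pk)
    s = [secrets.randbelow(2) for _ in range(n)]
    rows = [(eg_enc(pk[i][0], s[i]), eg_enc(pk[i][1], 1 - s[i])) for i in range(n)]
    return (rows, [secrets.randbelow(2) for _ in range(n)]), s

def sim_open(both, s, ct, m):
    """Choose b_i so that slot b_i decrypts to pad_i XOR m_i, then reveal
    (b, sk_{i,b_i}) as the secret key: honest dec now returns m."""
    pad = ct[1]
    b = [pad[i] ^ m[i] ^ s[i] for i in range(len(m))]
    return b, [both[i][b[i]] for i in range(len(m))]

if __name__ == "__main__":
    pk, sk, both = keygen(8)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    assert dec(sk, enc(pk, msg)) == msg
    ct, s = sim_enc(pk)
    for target in ([0] * 8, [1] * 8, msg):          # one ciphertext, any message
        assert dec(sim_open(both, s, ct, target), ct) == target
    print("simulated ciphertext opened to three different messages")
```

Since each s_i is uniform, the bits b_i revealed by `sim_open` are uniform as well, matching the distribution of an honestly generated key.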

Warm up: DDH assumption

• Group G of prime order p, generator g

• a, b, c chosen uniformly at random from $Z_p$

• $(G, g, g^a, g^b, g^c) \approx_C (G, g, g^a, g^b, g^{ab})$

Review: CCA construction from CS98

• Keygen: $g_1, g_2 \leftarrow_R G$, $x_1, x_2, y_1, y_2, z_1, z_2 \leftarrow_R Z_p$
  pk: $u = g_1^{x_1} g_2^{x_2}$, $v = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z_1} g_2^{z_2}$, collision resistant $H$
  sk: $x_1, x_2, y_1, y_2, z_1, z_2$

• Enc: $c_1 = g_1^r$, $c_2 = g_2^r$, $c_3 = h^r \cdot m$, $e = (u^t v)^r$, where $t = H(c_1, c_2, c_3)$

• Dec: $e \overset{?}{=} c_1^{x_1 t + y_1} c_2^{x_2 t + y_2}$; if yes, return $m \leftarrow c_3 / (c_1^{z_1} c_2^{z_2})$

An observation:

• $c_1 = g_1^{r_1}$, $c_2 = g_2^{r_2}$, $c_3 = c_1^{z_1} c_2^{z_2} \cdot m$, $e = c_1^{x_1 t + y_1} c_2^{x_2 t + y_2}$

$r_1 = r_2$: the ciphertext is related only to pk

$r_1 \neq r_2$: the ciphertext reveals more information about sk than pk does

Security: high level

• Challenge ciphertext
  $c_1 = g_1^{r_1}$, $c_2 = g_2^{r_2}$, $c_3 = c_1^{z_1} c_2^{z_2} \cdot m$, $e = c_1^{x_1 t + y_1} c_2^{x_2 t + y_2}$
  With sk, bound to m; without sk, information-theoretically hides m

• Decryption query ciphertext
  $c_1 = g_1^r$, $c_2 = g_2^r$, $c_3 = h^r \cdot m$, $e = (u^t v)^r$
  Without sk, the adversary can only produce ciphertexts of this type; ciphertexts of this type do not leak more information about sk than pk does
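The two ciphertext types from the slides above, as an added Python example (not code from the talk or the paper): a second secret key with the same pk decrypts every $r_1 = r_2$ ciphertext identically but maps the $r_1 \neq r_2$ challenge ciphertext to a different message. Assumptions: a small constructed group, SHA-256 reduced mod Q as H, and a demo-only value `W` (the discrete log of $g_2$ to base $g_1$) used to build the equivalent key; `enc_with_sk`, `equivalent_sk` and `tag` are illustrative names.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G1 generates the subgroup of order Q.
P, Q, G1 = 2039, 1019, 4
W = 777                      # assumption: log of G2 to base G1, known only to this demo
G2 = pow(G1, W, P)

def rand():
    return secrets.randbelow(Q - 1) + 1

def H(c1, c2, c3):
    digest = hashlib.sha256(f"{c1},{c2},{c3}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def pk_of(sk):
    x1, x2, y1, y2, z1, z2 = sk
    return tuple(pow(G1, a, P) * pow(G2, b, P) % P
                 for a, b in ((x1, x2), (y1, y2), (z1, z2)))    # (u, v, h)

def keygen():
    sk = tuple(rand() for _ in range(6))                        # x1, x2, y1, y2, z1, z2
    return pk_of(sk), sk

def tag(sk, c1, c2, c3):
    """The value e that Dec recomputes from sk: c1^(x1 t + y1) * c2^(x2 t + y2)."""
    x1, x2, y1, y2, _, _ = sk
    t = H(c1, c2, c3)
    return pow(c1, (x1 * t + y1) % Q, P) * pow(c2, (x2 * t + y2) % Q, P) % P

def enc(pk, m):
    """Decryption-query type: built from pk alone, one exponent r."""
    u, v, h = pk
    r = rand()
    c1, c2, c3 = pow(G1, r, P), pow(G2, r, P), pow(h, r, P) * m % P
    return c1, c2, c3, pow(pow(u, H(c1, c2, c3), P) * v % P, r, P)

def enc_with_sk(sk, m, r1, r2):
    """Challenge type: built with sk, so r1 != r2 still passes the check."""
    c1, c2 = pow(G1, r1, P), pow(G2, r2, P)
    c3 = pow(c1, sk[4], P) * pow(c2, sk[5], P) * m % P
    return c1, c2, c3, tag(sk, c1, c2, c3)

def dec(sk, ct):
    c1, c2, c3, e = ct
    if e != tag(sk, c1, c2, c3):
        return None
    mask = pow(c1, sk[4], P) * pow(c2, sk[5], P) % P
    return c3 * pow(mask, P - 2, P) % P

def equivalent_sk(sk, d):
    """A different secret key with the same pk: z1 + W*z2 mod Q is unchanged."""
    x1, x2, y1, y2, z1, z2 = sk
    return x1, x2, y1, y2, (z1 - W * d) % Q, (z2 + d) % Q

if __name__ == "__main__":
    pk, sk = keygen()
    sk2 = equivalent_sk(sk, 5)
    m = pow(G1, 123, P)
    honest, challenge = enc(pk, m), enc_with_sk(sk, m, 10, 11)
    print(pk_of(sk2) == pk, dec(sk, honest) == dec(sk2, honest) == m)
    print(dec(sk, challenge) == m, dec(sk2, challenge) == m)
```

Under the second key the challenge ciphertext decrypts to $m \cdot g_1^{W d (r_1 - r_2)}$, so varying d moves the plaintext through the group while pk stays fixed.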

Conclusion

[Diagram: RSO-CPA PKE + CCA PKE + simulation-sound NIZK + one-time signature = RSO-CCA PKE; CPA PKE ← weak HPS; universal2 HPS → RSO-CCA PKE.]


Thanks for your attention!

Questions?

Yohei Watanabe

New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters

SESSION ID: CRYP-F03

JSPS Research Fellow (PD), The University of Electro Communications, Japan
Collaborative Researcher, AIST, Japan

Joint work with Keita Emura (NICT, Japan) and Jae Hong Seo (Myongji Univ., Korea)

Identity-Based Encryption (IBE) [Sha84,BF01]

Public-key encryption that allows arbitrary strings to be used as public keys

[Diagram: the Key Generation Center (KGC) holds the master key and issues the secret key for ID to the receiver; the sender encrypts a plaintext under ID and the receiver decrypts the ciphertext.]

Revocation Functionality in IBE

Naïve solution by Boneh and Franklin [BF01]

Consider ID||𝑇 as the identity

KGC’s overhead is huge

[Diagram: the KGC, holding the master key, sends a secret key for ID||𝑇 to every non-revoked user ID for each time period 𝑇; the sender encrypts the plaintext under ID||𝑇 and the receiver decrypts the ciphertext.]

IBE with Efficient Revocation [BGK08]

Called Revocable IBE (RIBE)

Using the complete subtree (CS) method [NNL01]

KGC broadcasts key update at each time period 𝑇

KGC’s overhead can be reduced!

[Diagram: the KGC, holding the master key and the revocation list $RL_T$, broadcasts a key update for time period 𝑇; the receiver obtains a decryption key for (ID, 𝑇); the sender encrypts the plaintext under (ID, 𝑇) and the receiver decrypts the ciphertext.]

History of Security Models of RIBE

[BGK08] proved their scheme is selectively secure

[LV09] proposed the first adaptively secure RIBE scheme

[SE13] introduced decryption key exposure resistance (DKER)
  By defining a decryption key exposure oracle

DKER is important!

RIBE should be an efficient realization of [BF01]’s solution

[BF01]’s solution supports DKER

Decryption keys potentially have the risk of leakage

Classification of Adaptively Secure RIBE

[Diagram: classification of adaptively secure RIBE schemes ([LV09], [SE13], [IWS15], [CLL+12], [Lee16], [CZ15] (lattice-based), [SLLW14], [LLP14], [This Work]) by three properties: decryption key exposure resistance (DKER), short public parameters, and construction over prime-order groups.]

Our Contribution

Propose a new RIBE scheme

Meets adaptive security
  - Under a mild variant of the symmetric external Diffie-Hellman (SXDH) assumption

Supports DKER [SE13]
  - Desirable security notion for RIBE

Achieves constant-size public parameters
  - Does NOT depend on the identity size

Constructed over asymmetric bilinear groups of prime order
  - Realizes small element sizes and faster operations

RIBE: Model (Recall)

[Diagram: the RIBE model. The KGC holds the master key and the revocation list $RL_T$, issues the secret key for ID and broadcasts the key update for 𝑇; the receiver obtains the decryption key for (ID, 𝑇); the sender encrypts the plaintext under (ID, 𝑇) and the receiver decrypts the ciphertext.]

Algorithms: Secret key generation, Key update generation, Encryption, Decryption key generation, Decryption

RIBE: Adaptive Security with DKER

[Diagram: game between Challenger and Adversary. The adversary has access to four oracles: SKGen (on I, returns the secret key for I), KeyUp (on $T$, returns the key update for $T$), DKGen (on $(I, T)$, returns the decryption key for $(I, T)$) and Revoke (on $(I, T)$, $RL_T$ is updated). The adversary submits $(M_0, M_1, I^*, T^*)$, receives $C^*_{I^*,T^*} \leftarrow Enc(M_b, I^*, T^*)$ and outputs $b'$.]

If $I^*$ is issued, $I^*$ must be revoked before $T^*$

$(I^*, T^*)$ cannot be issued

The oracle captures DKER!

What is the Difficulty of This Work?

The currently-known constant-size IBE schemes are constructed

from stronger assumptions; or

from simple assumptions via the dual system encryption approach

The dual system encryption technique [Wat09] seems not applicable to RIBE constructions with DKER…

Seemingly suitable for constructing RIBE schemes from simple assumptions

However, the approach does not work well

Dual System Encryption in IBE

Prepare semi-functional ciphertexts (SF-CT) and secret keys (SF-SK).
  SF-CT can be decrypted by only normal SKs
  SF-SK can decrypt only normal CTs

Essential Part in the Transition from Game$_{i-1}$ to Game$_i$

Simulator has to embed some function $f$ into public parameters
  Randomness $r_C := f(I^*)$ for the challenge CT
  Randomness $r_K := f(I)$ for the i-th SK query

$r_C$ is independent of $r_K$ from an adversarial view
  Since $f$ is a pairwise independent function and $I^* \neq I$

The games are successfully simulated!

Dual System Encryption in RIBE with DKER

Adversary can also get …
  Decryption keys for $(I^*, T)$ such that $T \neq T^*$
  Secret key for $I^*$ (though it should be revoked before $T^*$)

$r_C$ is NOT independent of $r_K$ from an adversarial view
  If the i-th SK query is $I^*$ (then it holds that $r_C = r_K = f(I^*)$)

We cannot transition from Game$_{i-1}$ to Game$_i$

Our Approach

Taking the Seo-Emura approach [SE13]!

[Diagram: two parallel constructions. Seo-Emura RIBE [SE13] (adaptively secure) is built from the Waters IBE [Wat05] (adaptively secure) and the Boneh-Boyen IBE [BB04], with reductions ([SE13], [Wat05]) down to the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Proposed RIBE (adaptively secure, constant-size public parameter) is built from a Basic IBE (adaptively secure) and the Boneh-Boyen IBE [BB04], with reductions, the second via dual system encryption, down to simple and static computational assumption(s).]

Details of the Seo-Emura technique

Most non-trivial part is simulating decryption keys for $(I^*, T)$ s.t. $T \neq T^*$

Almost all queries can be easily simulated due to adaptive security of Waters IBE

Seo and Emura employed two techniques:

Boneh-Boyen technique [BB04]

To answer all queries not related to $T^*$ by embedding $T^*$ into public parameters

$T^*$ can be guessed with polynomial loss

Secret-key re-randomization
  To make biased distribution on randomness of decryption keys uniform

Requirements for Applying the Seo-Emura technique

Basic IBE must satisfy …

(0) Constant-size public parameters

(1) Secret-key re-randomization property (by public parameters)

(2) Applicability of Boneh-Boyen technique
  (2-1) Each component of SK contains at most one component of the master key (MK)
  (2-2) Each component of MK is available in the public parameter in some form

cf. Boneh-Boyen IBE [BB04]

For DBDH instance $(g, g^a, g^b, g^c, Z \in \{e(g,g)^{abc}, R\})$,

$PP := (g, g_1 := g^\alpha, g_2, h) \in \mathbb{G}^4$, $MK := \alpha \in \mathbb{Z}_p$, $SK_{ID} := (g_2^\alpha (g_1^{ID} h)^r, g^r) \in \mathbb{G}^2$

Set $g^\alpha := g^a$, $g_2 := g^b$, and $h := (g^a)^{-ID^*} g^y$

Then $(g_1^{ID} h)^r g_2^{-\frac{y}{ID - ID^*}} = (g^{a(ID - ID^*) + y})^r g_2^{-\frac{y}{ID - ID^*}} = g^{ab} (g^{a(ID - ID^*) + y})^{r - \frac{b}{ID - ID^*}} = g_2^\alpha (g_1^{ID} h)^{\tilde{r}}$

Basic IBE Scheme from Jutla-Roy IBE [JR13,RS14]

Most dual-system-encryption-based IBE schemes do not satisfy (1) and (2)
  e.g., DPVS-based IBE schemes do not satisfy any requirement

We employ the Jutla-Roy IBE [JR13,RS14] as “Basic IBE”
  Achieves constant-size public parameters
  Satisfies requirements (1) and (2-1), but not (2-2)

Modify the Jutla-Roy IBE to additionally satisfy the requirement (2-2)!

Security of Modified Jutla-Roy IBE

[Diagram: [Original] Jutla-Roy IBE [JR13,RS14] (adaptively secure) reduces, via dual system encryption, to the DDH1 and DDH2 assumptions (SXDH assumption). [This Work] Modified Jutla-Roy IBE (adaptively secure) reduces, via dual system encryption, to the Augmented DDH1 (ADDH1) and DDH2 assumptions. ADDH1 is a static assumption, similar to the DDH1v assumption [RCS12].]

Dual system encryption

Our RIBE Scheme: Construction

Constructed based on the Jutla-Roy IBE

Security is proved under adaptive security of the modified Jutla-Roy IBE

[Diagram: Proposed RIBE (adaptively secure), drawn with the Jutla-Roy IBE and the Boneh-Boyen IBE, reduces to Modified Jutla-Roy IBE (adaptively secure), which reduces via dual system encryption to the ADDH1 and DDH2 assumptions.]

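Comparison

| Scheme | #mpk | #msk | #C |
|---|---|---|---|
| Seo-Emura [SE13] | $(6 + \ell)\lvert\mathbb{G}_p\rvert$ | $\lvert\mathbb{G}_p\rvert$ | $3\lvert\mathbb{G}_p\rvert + \lvert\mathbb{G}_T^{sym}\rvert$ |
| Lee [Lee16] | $8\lvert\mathbb{G}_N\rvert + \lvert\mathbb{G}_T^{comp}\rvert$ | $\lvert\mathbb{G}_N\rvert$ | $4\lvert\mathbb{G}_N\rvert + \lvert\mathbb{G}_T^{comp}\rvert$ |
| Our Scheme | $7\lvert\mathbb{G}_1\rvert + 11\lvert\mathbb{G}_2\rvert + \lvert\mathbb{G}_T^{asym}\rvert$ | $2\lvert\mathbb{G}_2\rvert$ | $4\lvert\mathbb{G}_1\rvert + \lvert\mathbb{G}_T^{asym}\rvert + \lvert\mathbb{Z}_p\rvert$ |

| Scheme | #sk | #ku | #dk | Assumption |
|---|---|---|---|---|
| Seo-Emura [SE13] | $2 \log n \lvert\mathbb{G}_p\rvert$ | $2r \log\frac{n}{r} \lvert\mathbb{G}_p\rvert$ | $3\lvert\mathbb{G}_p\rvert$ | DBDH |
| Lee [Lee16] | $2 \log n \lvert\mathbb{G}_N\rvert$ | $2r \log\frac{n}{r} \lvert\mathbb{G}_N\rvert + 2\lvert\mathbb{Z}_N\rvert$ | $4\lvert\mathbb{G}_N\rvert$ | Static (over composite-order groups) |
| Our Scheme | $5 \log n \lvert\mathbb{G}_2\rvert$ | $3r \log\frac{n}{r} \lvert\mathbb{G}_2\rvert$ | $6\lvert\mathbb{G}_2\rvert$ | ADDH1 and DDH2 |

$n$: number of users; $r$: number of revoked users; $\ell$: bit-length of ID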

Concluding Remarks

Proposed a new RIBE scheme

[Diagram: classification of adaptively secure RIBE schemes ([LV09], [SE13], [IWS15], [CLL+12], [Lee16], [CZ15] (lattice-based), [SLLW14], [LLP14], [This Work]) by three properties: DKER, short public parameters, and construction over prime-order groups.]

Extension:
  CCA security
  Server-aided RIBE

Thank you!

Icons: Material Design by Google | Apache License Ver. 2.0
Font Awesome by Dave Gandy | CC BY 3.0