Cryptography on the Blockchain - bitcoinschool.gr · Cryptography on the Blockchain IACR Summer School on Blockchain Techs Vassilis Zikas RPI Aggelos Kiayias, Hong-Shen Zhou, and

Cryptographyon the Blockchain

IACR Summer School on Blockchain Techs

Vassilis ZikasRPI

Aggelos Kiayias, Hong-Shen Zhou, and Vassilis Zikas, Fair and Robust Multi-Party Computation using a Global Transaction Ledger, EUROCRYPT 2016.

Bitcoin

What is bitcoin and how does it work?

Bitcoin


Is it secure?

(in restricted models)

Bitcoin


Is it secure?


What do we get from it?

Bitcoin


Is it secure?


What do we get from it?

Bitcoin

What Crypto can get from Bitcoin?


In this talk“Bitcoin = Ledger-based cryptocurrency”



A public transaction ledger

Some economic stuff …


A bulletin board with a filter on what gets

written there





People (good or bad) want money


written there




The Public Transaction Ledger“What is exactly the problem that bitcoin solves?” AK, 2016

The Public Transaction Ledger

The core security goal of Bitcoin is to ensure that all parties establish a common and irreversible view

of the sequence of transactions

“What is exactly the problem that bitcoin solves?” AK, 2016

“Backbone” [GarayKiayiasLeonardos15]









This goal can be captured as an ideal Transaction-Ledger Functionality






This goal can be captured as an ideal Transaction-Ledger Functionality

“If we had a trusted third party instead of the Bitcoin network, how would we expect it to behave?”


Crypto On Blockchain

Outline

• The functionality offered by blockchains

• Leveraging Security Loss with Coins … in Secure Function Evaluation (SFE)

• A formal cryptographic (UC) model for security proofs


Outline





StateSt

Gledger


GetState

“State”

StateSt

Gledger


GetState

“State”

StateSt

(Submit, x)

Gledger


GetState

“State”

StateSt||x

(Submit, x)

Gledger


GetState

“State”

StateSt||x

(Submit, x)

Gledger

• In reality: Not a Bulletin Board• Inputs (transactions) are filtered


GetState

“State”

StateSt

(Submit, x)

Gledger



GetState

“State”

StateSt

(Submit, x)Validate(.)

x

Gledger



GetState

“State”

StateSt

(Submit, x)“State”Validate(.)

x

Gledger



GetState

“State”

StateSt


x

NoYes

Gledger



GetState

“State”

StateSt


x

NoYesx

Gledger



Validate(.)

GetState

“State”

StateSt||x

(Submit, x)“State” x

NoYesx

Gledger



Validate(.)

GetState

“State”

StateSt||x


NoYesx

Gledger

• In reality: Not a Bulletin Board• Inputs (transactions) are filtered• The order in which transactions in

“State” are inserted might be adversarial … but not too adversarial


Validate(.)

GetState

“State”

StateSt||x


NoYesx

Gledger

Can reorder the recently inserted transactions


Validate(.)

GetState

“State”

StateSt||x


NoYesx

Gledger


The Public Transaction Ledger & Time

Gledger

Validate(.)

GetState

“State”

State

NoYes

Buffer



Gledger

Validate(.)

GetState

“State”

State(Submit, x)x

NoYes

Buffer



Gledger

Validate(.)

GetState

“State”

State(Submit, x)x

NoYes

Buffer“State”



Gledger

Validate(.)

GetState

“State”

State(Submit, x)x

NoYesx

Buffer“State”



Gledger

Validate(.)

GetState

“State”

State(Submit, x)x

NoYesx

Buffer“State”


x


Gledger

Validate(.)

GetState

“State”

State(Submit, x)x

NoYesx

Bufferx1,x2,…

“State”


x


Gledger

Validate(.)

GetState

“State”

State(Submit, x)x

NoYesx

Bufferx1,x2,… = π(x1,…)

“State”

(Permute,π)


x


Gledger

Validate(.)

GetState

“State”

State(Submit, x)“State” x

NoYesx

Buffer

(Permute,π)

time?

x1,x2,… = π(x1,…)


x


Gledger

Validate(.)

GetState

“State”


NoYesx

Buffer

(Permute,π)

time?

t

x1,x2,… = π(x1,…)


x


Gledger

Validate(.)

GetState

“State”


NoYesx


(Permute,π)

time?

t

Blockify(.) ?


x


Gledger

Validate(.)

GetState

“State”


NoYesx


(Permute,π)

xtime?

t

Blockify(.) ?


x


Gledger

Validate(.)

GetState

“State”


NoYesx

Buffer

(Permute,π)

xtime?

t

Blockify(.) ?


x


Gledger

Validate(.)

GetState

“State”


NoYesx

Buffer

(Permute,π)

x (B, t)time?

t

Blockify(.) ?


x

What Crypto can we get from Bitcoin?





written there The Model

(Gledger, Gclock)-hybrid (G)UC protocols








• Compatibility with standard crypto-protocols (+ composition theorem)









• Cryptographically as useful as having access to (synchronous) stateful broadcast










“This cryptography has been around for a long time” JB 2016










“This cryptography has been around for a long time” JB 2016


Outline





Outline




Secure Function Evaluation (SFE)

Goal: Parties P1,…,Pn with inputs x1,…,xn wish to compute a function f(x1,…,xn) securely


F f

P1 P2 Pn

x1 x2 xnf(x)̅

f(x)̅ f(x)̅=y…

Ideal World


F f

P1 P2 Pn

x1 x2 xnf(x)̅

f(x)̅ f(x)̅=y…

Ideal World

P1 P2 Pn…

Real World


F f

P1 P2 Pn

x1 x2 xnf(x)̅

f(x)̅ f(x)̅=y…

Ideal World

P1 P2 Pn…

Real World≈

π1(x1) π2(x2) πn(xn)


F f

P1 P2 Pn

x1 x2 xnf(x)̅

f(x)̅ f(x)̅=y…

Ideal World

P1 P2 Pn…

Real World≈



F f

P1 P2 Pn

x1 x2 xnf(x)̅

f(x)̅ f(x)̅=y…

Ideal World

P1 P2 Pn…

Real World≈


???


F f

P1 P2 Pn

x1 x2 xnf(x)̅

f(x)̅ f(x)̅=y…

Ideal World

P1 P2 Pn…

Real World≈


???Protocol π is secure if for every adversary: • (privacy) Whatever the adversary learns he could compute by himself• (correctness) Honest (uncorrupted) parties learn their correct outputs

Fair SFE

In fair SFE: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output

Fair SFE


F f

P1 P2 Pn

y⊥⊥

Fair SFE


F f

P1 P2 Pn

y⊥⊥ ✘ (Unfair)

Fair SFE


F f

P1 P2 Pn

y⊥⊥

Fair SFE is impossible against corrupted majorities [Cleve86]

✘ (Unfair)

Fair SFE


F f

P1 P2 Pn

y⊥⊥


Security against corrupted majorities

Security with abort =

✘ (Unfair)

Fair SFE


F f

P1 P2 Pn

y⊥⊥


Security against corrupted majorities

Security with abort =

✘ (Unfair)

Discounted security

SFE with Fair(ness) Compensation

SFE with fair compensation: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output or get compensated.

Idea [AndrychowiczDziembowskiMalinowskiMazurek14]: We can leverage unfairness with $$$



F f

P1 P2 Pn

y⊥⊥

!"" ✘ (Unfair)




+ -+

! ! #

F f

P1 P2 Pn

y⊥⊥

!"" ✘ (Unfair)




+ -+

! ! # ✔ (“fair”)

F f

P1 P2 Pn

y⊥⊥

!"" ✘ (Unfair)


SFE with Fair(ness) Comp.: Construction [BentovKumaresan14,15]

Tools 1/2 : Authenticated Additive Secret Sharing

PnP1

x=x1⊕ … ⊕ xn , (sk,vk)←KeyGen

[x]1 = x1,Sigsk(x1),vk [x]n = xn,Sigsk(xn),vk

…


Tools 1/2 : Authenticated Additive Secret Sharing

PnP1

x=x1⊕ … ⊕ xn , (sk,vk)←KeyGen

[x]1 = x1,Sigsk(x1),vk [x]n = xn,Sigsk(xn),vk

• No n-1 parties have info on x • Together all n parties can recover x• No party can lie about its share

• Only x might be reconstructed!

…


Tools 2/2 : Claim and Refund TransactionsS transfers q coins to R such that



• Time restriction τ



time• Time restriction τ



time τ R can claim

coins S can claim coins




time τ R can claim


• A predicate (relation) R(state,buffer,tx):• In order to spend the coins the receiver needs to

submit a tx satisfying R (at the point of validation).




time τ R can claim





• Supported by Bitcoin scripting language• Captured by Validate(.)

SFE with Fair(ness) Comp.: Construction

Protocol Idea for computing y=f(x1,…,xn)1. Run SFE with unfair abort to compute n-out-of-n

authenticated sharing [y] of y=f(x1,…,xn)• E.g., Every Pi receives share [y]i such that

y=[y]1+…+[y]n and public signature on [y]i

[BentovKumaresan14,15]


Protocol Idea for computing y=f(x1,…,xn)

F f

P1 P2 Pn

x1 x2 xn[f(x)̅]1

[f(x)̅]2…

[f(x)̅]n

1. Run SFE with unfair abort to compute n-out-of-n authenticated sharing [y] of y=f(x1,…,xn)• E.g., Every Pi receives share [y]i such that




Protocol Idea for computing y=f(x1,…,xn)

F f

P1 P2 Pn

x1 x2 xn[f(x)̅]1

[f(x)̅]2…

[f(x)̅]n

Abort at this point is fair

1. Run SFE with unfair abort to compute n-out-of-n authenticated sharing [y] of y=f(x1,…,xn)• E.g., Every Pi receives share [y]i such that




2. Use the following reconstruction idea:

2.1. Every Pi transfers 1 bitcoin to every Pj with the restriction: • Pj can claim (spend) this coin in round ρij if it submits to

the ledger his valid share (and signature) by round ρij • if Pj has not claimed this coin by the end of round ρij,

then the coin is “refunded” to Pi (i.e., after round ρij, Pi can spend this coin himself).

Protocol Idea for computing y=f(x1,…,xn) [BentovKumaresan14,15]


2. Use the following reconstruction idea:

2.1. Every Pi transfers 1 bitcoin to every Pj with the restriction: • Pj can claim (spend) this coin in round ρij if it submits to

the ledger his valid share (and signature) by round ρij • if Pj has not claimed this coin by the end of round ρij,

then the coin is “refunded” to Pi (i.e., after round ρij, Pi can spend this coin himself).

2.2. Proceed in rounds in which the parties claim the coins from other parties by announcing their shares (and signatures)



Security (SFE with fair compensation): Follow the money …

• If the adversary announces all his shares then every party:• Sends n coins in phase two (one to each party)• Claims back n coins in phase three (one from each party)

• If a corrupted party Pj does not announce his share then every party • Sends n coins in phase two (one to each party)• Claims back

• n coins in phase three for announcing his shares• the coin that it had sent to Pj


[BentovKumaresan14,15]Rethinking SFE w Fair(ness) Compensation

Time


TimeProtocol Starts


TimeProtocol StartsSharing is Output, Committed transactionsSeconds



1 hour Start reclaiming transactions




output or compensation is settled several hours




“several” = • [BentovKumaresan14] linear in players (n) • [BentovKumaresan15] constant






What if the adversary aborts before making the committed transactions?







This can be confirmed here …








… and reclaimed here …

















O(n)times

=O(n)hours

till output


Rethinking SFE w Fair(ness) Compensation


P1 P2 Pn

y⊥⊥

!""+ -+

! ! #

✘ (Unfair)

✔ (“fair”)

F f



P1 P2 Pn

y⊥⊥

!""+ -+

! ! #+ +

$ $

✘ (Unfair)

✔ (“fair”)

F f



P1 P2 Pn

y⊥⊥

!""+ -+

! ! #+ +

$ $

DoS

%

+

✘ (Unfair)

✔ (“fair”)

F f



P1 P2 Pn

y⊥⊥

!""+ -+

! ! #+ +

$ $ ✘

DoS

%

+

✘ (Unfair)

✔ (“fair”)

F f

SFE with Robust(ness) Compensation


Fair SFE: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output



SFE with fair compensation: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output or get compensated




robust

(fast …)




robust

How can we get robustness?

(fast …)

SFE with Robust Compen. : Construction

S transfers q coins to R such thatTools 1/3 : Special Transaction


S transfers q coins to R such that• Time restriction (τ-, τ+)

Tools 1/3 : Special Transaction


S transfers q coins to R such that

time• Time restriction (τ-, τ+)




time τ- τ+

coins are blocked

R can claim coins

S can claim coins

• Time restriction (τ-, τ+)




time τ- τ+

coins are blocked

R can claim coins

S can claim coins

• Link: A reference ref such that only a transaction with the same reference can spend the q coins





time τ- τ+

coins are blocked

R can claim coins

S can claim coins








time τ- τ+

coins are blocked

R can claim coins

S can claim coins








time τ- τ+

coins are blocked

R can claim coins

S can claim coins



submit a tx satisfying R (at the point of validation).(τ-,τ+), ref, R



SFE with Robust Compen. : ConstructionTools 2/3 : Semi-honest SFEAn SFE protocol which is secure when parties follow their instructions


Example: A Summation protocol

Sum Protocol II

· · ·

x1

x11

x12

· · · x1n

x2

x21

x22

· · · x2n

............

xn xn1 xn2 · · · xnn

y1

y2

· · · yn y =

nX

i=1

yi

…

P1 P2 Pn

P1

P2

Pn



Sum Protocol II

· · ·

x1

x11

x12

· · · x1n

x2

x21

x22

· · · x2n

............


y1

y2

· · · yn y =

nX

i=1

yi

…

P1 P2 Pn

P1

P2

Pn

x1 =nM

j=1

x1j



Sum Protocol II

· · ·

x1

x11

x12

· · · x1n

x2

x21

x22

· · · x2n

............


y1

y2

· · · yn y =

nX

i=1

yi

…

P1 P2 Pn

P1

P2

Pn

x1 =nM

j=1

x1j

…

x2 =nM

j=1

x2j

xn =nM

j=1

xnj



Sum Protocol II

· · ·

x1

x11

x12

· · · x1n

x2

x21

x22

· · · x2n

............


y1

y2

· · · yn y =

nX

i=1

yi

…

P1 P2 Pn

P1

P2

Pn

x1 =nM

j=1

x1j

…

x2 =nM

j=1

x2j

xn =nM

j=1

xnj

y =nM

i=1

yi



Secure (private) against arbitrary many colluding parties

Sum Protocol II

· · ·

x1

x11

x12

· · · x1n

x2

x21

x22

· · · x2n

............


y1

y2

· · · yn y =

nX

i=1

yi

…

P1 P2 Pn

P1

P2

Pn

x1 =nM

j=1

x1j

…

x2 =nM

j=1

x2j

xn =nM

j=1

xnj

y =nM

i=1

yi


Assuming a public key infrastructure (commitments/encryption/signatures) there exists a semi-honest SFE protocol π for every function which

• Uses only public communication• Tolerates arbitrary many semi-honest parties• Terminates in constant rounds

Compile a semi-honest SFE protocol π into (malicious) secure

SFE with Robust Compen. : ConstructionTools 3/3 : The GMW Compiler



Round 0: Setup generation (+ commitments to randomness)

Round 1: Every Pi commits to its input

Rounds 2 … ρπ + 1: Execute π round-by-round so that in each round every party proves (in ZK) that he follows π

Tools 3/3 : The GMW Compiler






Security (with abort)

• Privacy: The parties see the following: - Setup- Commitments- Messages from π

• Correctness:- If ZKPs succeed then

the parties are indeed following π

- Else abort

Tools 3/3 : The GMW Compiler

SFE with Robust Compen. : ConstructionIdea: Use “GMW”-like compiler on the Ledger





GMW





GMWRound 0: Setup generation (+ commitments to randomness)

Round 1: Do nothing

Round 2: Every Pi commits to its input and broadcasts his view of the public setup.

Rounds 3 … ρπ + 2: Execute π round-by-round so that in each round every party proves (in NIZK) that he follows π

GMW’:



Round 1: Do nothing


Rounds 3 … ρπ + 2: Execute π round-by-round so that in each round every party proves (in NIZK) that the follows π

GMW’:



Round 1: Do nothing



GMW’: SFE with Robust Compensation



Round 1: Do nothing






Round 1: Do nothing







Round 1: Do nothing




Round 1: Every party Pi makes n·ρπ + 1 special 1-coin transactions B(i,j,r):

• Pj can spend coin in round r• ref needs to have the protocol ID• R is true if the transaction which

spends the coin includes a valid r-round message for Pj




Round 1: Do nothing







Rounds 3 … ρπ + 2: Execute GMW(π) round-by-round so that in each round r every party spends all its round r referenced coins by a transaction which includes the round r message in GMW(π).




Round 1: Do nothing




Validate(.) executes the code of an extra party without inputs in GMW and rejects if abort.






SFE with Robust Compen. : ConstructionSecurity with Robust Compensation. • Case 1: The adversary correctly makes all the

“committing” transactions in Round 1• If no party cheats then every party claims from

each of the other parties as many coins as he deposited by simply executing his protocol.

• If some party Pj cheats, then every party still claims all his coins as above + all the committed coins that Pj cannot spend as he did not execute his protocol.

SFE with Robust Compen. : ConstructionSecurity with Robust Compensation. • Case 2: Some corrupted party does not make

(consistent) transactions in Round 1• e.g. aborts or commits to a different setup.



… seems to have similar issue as before …




• Solution: The validation predicate can be changed as:• Separates the parties into “islands” of consistent

setups (depending on their Round-1 transactions).• For each island I⊆[n]: Compute the function among

parties in I (with all other parties’ input being 0)



Round 1: Do nothing











Round 1: Do nothing










(consistent) transaction in Round 1• e.g. aborts or commits to a different setup.

• All honest parties are on the same island• Corrupted parties can choose to play with the honest parties or

participate in a computation independent of honest inputs.


• Solution: The validation predicate can be changed as:• Separates the parties into “islands” of consistent

setups (depending on their Round-1 transactions).• For each island I⊆[n]: Compute the function among

parties in I (with all other parties’ input being 0)


Outline




A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

???

A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

??? Should capture all properties we

want from π

W(F f)

A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

??? Should capture all properties we

want from π

Benefits of this Modeling

Benefits of this Modeling

• A single abstraction of the functionality offered by cryptocurrencies - Advanced transactions correspond to an advanced

validation predicate

• A definition of fair compensation as a (UC) functionality-wrapper forces us to be precise- An explicit formation of synchrony with a single global

clock (capturing what protocols assume in reality).

• Compatibility with standard (formal) analysis of crypto protocols

• A (universal) composition theorem

W(F f)

A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

???

W(F f)

A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

???

SFE with Robust Compen. : FunctionalityA wrapper functionality W(F f) with three predicates:• (QInit, QDlvr, QAbrt)

SFE with Robust Compen. : Functionality

Idea: The predicates are used to filter the adversarial influence• QInit(State,Walleti) = True iff the Walleti has enough

funds

• QDlvr(State, Walleti) = True iff it is OK to deliver to Pi

• E.g., if Pi does not “owe” money

• QAbrt(State, Walleti) = True iff it is OK for Pi to abort• E.g., if Pi has an increase of funds

A wrapper functionality W(F f) with three predicates:• (QInit, QDlvr, QAbrt)


Phase 1: Resource Allocation

Gledger

F f

W(F f)



Pi“allocate”

Gledger

F f

W(F f)



Pi“allocate”

“allocate Pi”

Gledger

F f

W(F f)



Pi“allocate”

“allocate Pi”

“r”

Gledger

F f

W(F f)



Pi“allocate”

“allocate Pi”

“r”

Create (PKi, SKi) = Gen(r,1k)

Gledger

F f

W(F f)



Pi“allocate”

“allocate Pi”

“r”

Create (PKi, SKi) = Gen(r,1k)PKi

Gledger

F f

W(F f)



Pi“allocate”

“allocate Pi”

“r”


Gledger

m,F mF f

W(F f)



Pi“allocate”

“allocate Pi”

“r”


Gledger

m,F mm for Simm F f

W(F f)


F f

Phase 2: Input

Pi

m,F mm for Simm

Gledger


W(F f)


F f

Phase 2: Input

Pi“Input, x”

m,F mm for Simm

Gledger


W(F f)


F f

Phase 2: Input

Pi“Input, x”

m,F m

getState

m for Simm

Gledger


W(F f)


F f

Phase 2: Input

Pi“Input, x”

m,F m

getStateState

m for Simm

Gledger


W(F f)


F f

Phase 2: Input

Pi“Input, x”

m,F m

getStateState

xQInit(State,PKi)

YesNo

m for Simm

Gledger


W(F f)


F f

Phase 2: Input

Pi“Input, x”

m,F m

getStateState

xQInit(State,PKi)

YesNox

m for Simm

Gledger


W(F f)


F f

Phase 2: Input

Pi“Input, x”

m,F m

getStateState

xQInit(State,PKi)

YesNox

m for Simm

Gledger


W(F f)


Phase 3: OutputPi

A wrapper functionality WP1,…,Pn(F f) with three predicates:• (QInit, QDlvr, QAbrt)

F f

Gledger W(F f)

m for Simmm,F m


Phase 3: OutputPi

Deliver, (f(x1),…,f(xn))


F f

Gledger W(F f)

m for Simmm,F m


Phase 3: OutputPi


Ready for FairDeliver+

Corrupt outputs


F f

Gledger W(F f)

m for Simmm,F m


Phase 3: OutputPi



Corrupt outputs


F f

Gledger

Deliver/Abort Pi

W(F f)

m for Simmm,F m

getStateState


Phase 3: OutputPi



Corrupt outputs


F f

Gledger

Deliver/Abort Pi

W(F f)

m for Simmm,F m

getStateState


Phase 3: OutputPi



Corrupt outputs


F f

Gledger

Deliver/Abort Pi

W(F f)

The adversary can deliver to Pi only if QDlvr(State, Pi)=True

The adversary can make Pi abort only if QAbrt(State, Pi)=True

m for Simmm,F m

getStateState


Phase 3: OutputPi



Corrupt outputs


F f

Gledger

Deliver/Abort Pi

W(F f)

The adversary can deliver to Pi only if QDlvr(State, Pi)=True

The adversary can make Pi abort only if QAbrt(State, Pi)=True

m for Simmm,F m

? f(xi)/⊥

W(F f)

A Formal Model: GUC

P1 P2 Pn…

Ideal World F f

P1 P2 Pn…

Real World

≈


GLedger

GLedger

???

Take Away Message and Open Directions

Take Away Message and Open Directions• Bitcoin opens new directions for cryptographic models

- Adding a reward/punishment mechanism restricts the set of likely attacks

- Limitations of crypto should be reconsidered (Impossibilities/Efficiencies)

• The choice of the model makes a difference when suggesting a solution- Safe strategy: Rectify the cryptographic model (Bonus:

compatibility)

Take Away Message and Open Directions• Bitcoin opens new directions for cryptographic models

- Adding a reward/punishment mechanism restricts the set of likely attacks

- Limitations of crypto should be reconsidered (Impossibilities/Efficiencies)

• The choice of the model makes a difference when suggesting a solution- Safe strategy: Rectify the cryptographic model (Bonus:

compatibility)

Future directions• A game theoretic analysis might allow us to improve

existing results • What more can we get from Bitcoin?• The right model for exploring its rational aspects?

Cryptography on the Blockchain - bitcoinschool.gr · Cryptography on the Blockchain IACR Summer School on Blockchain Techs Vassilis Zikas RPI Aggelos Kiayias, Hong-Shen Zhou, and

Documents