
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio - PowerPoint PPT Presentation



  1. Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi – Aarhus University @claudiorlandi

  2. Based on joint work with: • Melissa Chase (Microsoft) • David Derler (TU Graz) • Tore Frederiksen (BIU) • Irene Giacomelli (UW-Madison) • Steven Goldfeder (Princeton) • Marek Jawurek (SAP) • Florian Kerschbaum (SAP) • Jesper Madsen (AU) • Jesper Buus Nielsen (AU) • Sebastian Ramacher (TU Graz) • Christian Rechberger (TU Graz, DTU) • Daniel Slamanig (TU Graz) • Greg Zaverucha (Microsoft)

  3. Motivation: Authentication. P → V: “I am Claudio” (“I know my password”) “Here is my Pa55w0rD”

  4. Motivation: Authentication with an adversary A in the middle. P → A: “I am Claudio” “Here is my Pa55w0rD”; A → V: “I am Claudio” “Here is my Pa55w0rD”

  5. Motivation: Zero-Knowledge Authentication. P → V: “I am Claudio”; then rounds of challenge q (V → P) and answer a (P → V)

  6. ZK: Definitions. P(x) ↔ V: “I know x s.t. f(x)=1”, followed by challenge/answer rounds (q, a). Only P knows x; P and V both know f.

  7. ZK: Definitions • Completeness • P, V honest → V accepts

  8. ZK: Definitions • Completeness • P, V honest → V accepts • Proof-of-Knowledge • If P does not know x (answers a*) → V rejects

  9. ZK: Definitions • Completeness • P, V honest → V accepts • Proof-of-Knowledge • If P does not know x → V rejects • Zero-Knowledge • V (even with malicious challenges q*) learns nothing about x

  10. What can be proven in ZK?
    • Feasibility: NP, even PSPACE!
    • Efficiently: algebraic languages (Schnorr, …, Groth-Sahai, …)
    • SNARKs (generic): short proofs, efficient verification (+); slow prover (-); implementations: Pinocchio, libsnark, …
    This talk: can we construct efficient proofs for non-algebraic languages such as “I know x such that SHA(x)=y”?
    • Two protocols: ZKGC (from Garbled Circuits) • ZKBoo (from MPC)
    • One application: generic (post-quantum) signatures

  11. Example: Schnorr Protocol Go to Example

  12. The Crypto Toolbox: OTP >> SKE >> PKE >> FHE >> Obfuscation (from left to right: weaker assumption to stronger assumption; more efficient to less efficient)

  13. Zero-Knowledge from Garbled Circuits. Jawurek, Kerschbaum, Orlandi, CCS 2013

  14. Zero-Knowledge vs Secure 2PC. 2PC: A(f,x) and B(f,y) jointly compute f(x,y). ZK: P(f,x) and V(f) establish that f(x)=1.

  15. Garbled Circuits. Values in a box are “garbled”: ([F],e,d) ← Gb(f,r); [X] ← En(e,x); [Y] ← Ev([F],[X]); y ← De(d,[Y]). Correct if y = f(x).

  16. Garbled Circuits: Authenticity. If Ev outputs some [y*] instead of [Y], then De(d,[y*]) gives y* = f(x) OR y* = ⊥.

  17. (HV)ZKGC to prove f(x)=y. Prover(x), Verifier( ): Verifier computes ([F],e,d) ← Gb(f,r). Via OT (prover input x, verifier input e) the prover obtains [X]. Verifier sends [F]. Prover computes [Y] ← Ev([F],[X]) and sends [Y]. Verifier accepts if De(d,[Y])=y.

  18. (HV)ZKGC to prove f(x)=y. Prover(?), Verifier( ): Verifier computes ([F],e,d) ← Gb(f,r). A prover without the witness runs the OT on some x* and obtains [X]. Verifier sends [F]. Whatever [Y*] the prover sends, De(d,[Y*]) ∈ {f(x*), ⊥}. Authenticity!

  19. (HV)ZKGC to prove f(x)=y. Prover(x), Verifier( ): a corrupt verifier computes ([G],e,d) ← Gb(g,r) for some other g. Via OT the prover obtains [X]; the verifier sends [G]. Prover computes [Y] ← Ev([G],[X]) and sends [Y]. The verifier learns g(x) = De(d,[Y]). A corrupt V can replace f with g, breaking ZK!

  20. Garbled circuits with active security? How can the verifier prove that f was garbled correctly (without breaking soundness)? • Plenty of (costly) solutions are known for 2PC • Zero-Knowledge • Cut-and-choose • Etc. • Can we do better for ZK?

  21. ZKGC to prove f(x)=y. Prover(x), Verifier( ): Verifier computes ([F],e,d) ← Gb(f,r). Via OT (prover input x, verifier input e) the prover obtains [X]. Verifier sends [F]. Prover computes [Y] ← Ev([F],[X]) and sends a commitment Comm([Y]). Verifier reveals r. Prover: if [F] != Gb(f,r) abort, else Open([Y]). Verifier accepts if De(d,[Y])=y. Active security using only 1 GC!

  22. Recap: ZK based on GC • The main idea: • In ZK the verifier (Bob) has no secrets! • After the protocol, Bob can reveal all his randomness. • Alice can simply check that Bob behaved honestly by redoing his entire computation.

  23. Privacy-Free Garbled Circuits Frederiksen, Nielsen, Orlandi EUROCRYPT 2015

  24. Main idea • In 2PC the garbler has secret input • GC privacy → privacy of input • In ZK V has no input to protect • Can we get more efficient GC without privacy? Yes!

  25. Example: Privacy Free Garbling Go to PFGC

  26. Runtime (rough estimates)
    • Proof of “c=AES(k,m)” for secret k and public (c,m)
    • AES: 35k gates (7k ANDs / 28k XORs)
    • Communication: 204kB (98% GC)
    • Runtime: OT: 29.4ms (using Chou-Orlandi OT, |w|=128); Garbling: 721µs (using JustGarble GaXR); Eval: 273µs
    • Total (Garble+OT+Eval+Garble) ~ 31.2ms (+network)

  27. Applications
    • Sublinear ZK (via ORAM): Hu, Mohassel, Rosulek, Crypto 2015
    • Privacy-Preserving Credentials: Chase, Ganesh, Mohassel, Crypto 2016
    • Attribute-Based KE with General Policies: Kolesnikov, Krawczyk, Lindell, Malozemoff, Rabin, CCS 2016
    • Input validity in 2PC: Baum (SCN 2016); Katz, Malozemoff, Wang (ePrint); Afshar, Mohassel, Rosulek (ePrint)
    • …

  28. ZKBoo: Faster Zero-Knowledge for Boolean Circuits Giacomelli, Madsen, Orlandi USENIX Security 2016

  29. From ZKGC to ZKBoo • ZKGC is inherently interactive (private coin, cannot use Fiat-Shamir) • IKOS (Ishai, Kushilevitz, Ostrovsky, Sahai) proposed in 2007 a method to get ZK from MPC. Plugging in the right MPC protocol one can get ZK with very good asymptotic complexity. • ZKBoo can be seen as a generalization, simplification and implementation of IKOS with the sole goal of practical efficiency.

  30-35. To build ZKBoo, we need to find a suitable MPC protocol. Instead of an MPC protocol, we speak about a (2,3)-decomposition for C: {Share, Output_1, Output_2, Output_3, Rec} ∪ {f_1^(j), f_2^(j), f_3^(j)}_{j=1,...,N}
    [Figure: x → Share → (w_1^0, w_2^0, w_3^0); for j = 1, …, N the functions f_1^(j), f_2^(j), f_3^(j) produce the next views (w_1^j, w_2^j, w_3^j); Output_i maps w_i^N to y_i; Rec(y_1, y_2, y_3) = y.]
    • correct: y = C(x)
    • 2-private: ∀ e ∈ [3] ∃ a PPT simulator S_e that perfectly simulates the distribution of ({w_i}_{i ∈ {e, e+1}}, y_{e+2})

  36-37. Example: the linear decomposition
    • Computation in a ring (R,+,·)
    • Share(x): get random x_1, x_2 ← R; let x_3 = x - x_1 - x_2
    • Rec(y_1,y_2,y_3): y = y_1 + y_2 + y_3
    • Add(x_1,x_2,x_3,y_1,y_2,y_3): z_1 = x_1 + y_1; z_2 = x_2 + y_2; z_3 = x_3 + y_3
    • Mul(x_1,x_2,x_3,y_1,y_2,y_3): z_1 = x_1y_1 + x_1y_2 + x_2y_1 + r_1 - r_2; z_2 = x_2y_2 + x_2y_3 + x_3y_2 + r_2 - r_3; z_3 = x_3y_3 + x_3y_1 + x_1y_3 + r_3 - r_1
    • Correctness: z_1 + z_2 + z_3 = (x_1 + x_2 + x_3)(y_1 + y_2 + y_3)
    • 2-privacy: any pair (z_i, z_{i+1}) is uniform random (thanks to r_1, r_2, r_3)

  38-40. Public data: C : {0,1}^n → {0,1}^m (boolean circuit) and y ∈ {0,1}^m. Input: x s.t. C(x) = y.
    [Figure: the prover runs the (2,3)-decomposition on x (x → Share → w_1^0, w_2^0, w_3^0 → f^(1) → w^1 → … → w^N → y_1, y_2, y_3 → y), and repeats this several times in parallel.]
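As an added worked example (not code from the slides, nor ZKBoo's own implementation), the linear (2,3)-decomposition of slides 36-37 is instantiated over Z_{2^32} and used, as in slides 38-40, for one ZKBoo round: the prover runs the decomposition, commits to the three views, and opens the two views selected by a Fiat-Shamir challenge; the verifier re-runs f_e from the opened views. The example circuit, the SHA-256 commitments and the JSON view encoding are my constructions.

```python
import hashlib, json, random

M = 2**32                    # the ring R = Z_{2^32}; all arithmetic below is mod M
rng = random.SystemRandom()  # OS randomness for shares and the r_i of each gate
# Constructed circuit over R (not from the slides): wires 0,1 are the inputs (a, b),
# gate k writes wire 2+k, so this circuit computes y = a*b + a*a.
CIRCUIT = [("mul", 0, 1), ("mul", 0, 0), ("add", 2, 3)]

def share(x):  # Share: x1, x2 uniform, x3 = x - x1 - x2
    x1, x2 = rng.randrange(M), rng.randrange(M)
    return [x1, x2, (x - x1 - x2) % M]

def rec(y):  # Rec: y = y1 + y2 + y3
    return sum(y) % M

def gate(i, op, a, b, r):  # f_i: touches only the wires/randomness of parties i and i+1
    j = (i + 1) % 3
    if op == "add":
        return (a[i] + b[i]) % M
    return (a[i] * b[i] + a[i] * b[j] + a[j] * b[i] + r[i] - r[j]) % M

def commit(view):
    return hashlib.sha256(json.dumps(view).encode()).hexdigest()

def challenge(coms):  # Fiat-Shamir: the challenge e is derived from the commitments
    return int(hashlib.sha256("".join(coms).encode()).hexdigest(), 16) % 3

def prove(inputs, circuit):  # Prover: run the decomposition, commit to 3 views, open 2
    wires = [share(v) for v in inputs]  # wires[w][i] = party i's share of wire w
    rand = [[rng.randrange(M) for _ in range(3)] for _ in circuit]  # r_1, r_2, r_3 per gate
    for g, (op, l, r) in enumerate(circuit):
        wires.append([gate(i, op, wires[l], wires[r], rand[g]) for i in range(3)])
    views = [{"w": [w[i] for w in wires], "r": [rg[i] for rg in rand]} for i in range(3)]
    coms = [commit(v) for v in views]
    e = challenge(coms)
    return {"y": [v["w"][-1] for v in views], "coms": coms, "open": [views[e], views[(e + 1) % 3]]}

def verify(proof, circuit, y_claimed, n_in):
    y, coms, (ve, ve1) = proof["y"], proof["coms"], proof["open"]
    e = challenge(coms); e1 = (e + 1) % 3
    opened = lambda key, idx: {e: ve[key][idx], e1: ve1[key][idx]}
    if (rec(y) != y_claimed or [commit(ve), commit(ve1)] != [coms[e], coms[e1]]
            or [ve["w"][-1], ve1["w"][-1]] != [y[e], y[e1]]):
        return False
    for g, (op, l, r) in enumerate(circuit):  # re-run f_e gate by gate from the two opened views
        if gate(e, op, opened("w", l), opened("w", r), opened("r", g)) != ve["w"][n_in + g]:
            return False
    return True
```

A single round only catches a cheating prover with probability 1/3 (soundness error 2/3), which is why ZKBoo repeats the decomposition many times in parallel, as the figure on slides 38-40 shows.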
