FPGA Implementation and Comparison of Protections Against SCAs for RLWE - PowerPoint PPT Presentation

SLIDE 1

FPGA Implementation and Comparison of Protections Against SCAs for RLWE

Timo Zijlstra (1), Karim Bigou (2), Arnaud Tisserand (1)

(1) CNRS Lab-STICC UMR 6285, UBS
(2) Université de Bretagne Occidentale - Lab-STICC UMR CNRS 6285

December 17, 2019

Timo Zijlstra (CNRS) Indocrypt 2019 December 17, 2019 1 / 26

SLIDE 2

Overview

1. RLWE-based Cryptography
2. Side channel vulnerabilities
3. Countermeasures against SCA

SLIDE 3-4

RLWE Encryption scheme [LPR10]

LWE cryptography introduced by Regev [Reg05]
Ring-LWE (RLWE) first appeared in [LPR10]
Keys, ciphertexts are polynomials in Zq[x]/(x^n + 1)

Alice (KeyGen, Decrypt):                    Bob (Encrypt):
  a ←$ random polynomial
  s, e ←$ poly w/ small coefficients
  b ← a · s + e
                      ---- a, b ---->
                                            e1, e2, e3 ←$ small
                                            c1 ← a · e1 + e2
                                            c2 ← b · e1 + e3 + E(µ)
                      <--- c1, c2 ----
  µ′ ← D(c2 − c1 · s)

SLIDE 5-8

Encryption scheme in pictures

(Figures: the circle Zq with q/4, q/2 and 3q/4 marked, one picture per step)

1. Encode E: 0 → 0 and 1 → q/2
2. Encryption: ciphertext coefficient distribution is uniformly random over Zq.
3. Decryption: result is close to E(µ).
4. Decode D: left → 1, right → 0

SLIDE 9-10

Decryption function

Input: ciphertext c1, c2
Compute d = c2 − c1 · s
→ use NTT: d ← c2 − NTT^−1(ĉ1 · ŝ)
Multiplication in NTT domain is point-wise:
  ĉ1 · ŝ = (ĉ1,1 · ŝ1 mod q, . . . , ĉ1,n · ŝn mod q)
→ 1 polynomial multiplication takes n multiplications in Zq
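The scheme of slides 3-10 as a runnable toy, added here as an example (it is not code from the talk or the paper): schoolbook multiplication in Zq[x]/(x^n + 1) stands in for the NTT, and the parameters n = 8, q = 12289 and coefficients in [−2, 2] for s, e, e1, e2, e3 are our own choices, not the slides' n = 256 deployment setting.

```python
import random

# Constructed toy parameters (not the slides' n = 256 deployment parameters):
# q is a prime with 2n | q - 1 (so an NTT would exist); n is tiny so that the
# schoolbook multiplication below stays readable.
Q = 12289
N = 8

def poly_mul(a, b, q=Q):
    """Multiply two polynomials in Zq[x]/(x^n + 1) (schoolbook, negacyclic)."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:                      # x^n = -1: the wrapped term flips sign
                res[k - n] = (res[k - n] - ai * bj) % q
    return res

def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]

def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]

def encode(bits, q=Q):
    """E: 0 -> 0, 1 -> q/2 (slide 5)."""
    return [(q // 2) * bit for bit in bits]

def decode(d, q=Q):
    """D: coefficients in [q/4, 3q/4) decode to 1, the rest to 0 (slide 8)."""
    return [1 if q // 4 <= x < 3 * q // 4 else 0 for x in d]

def small_poly(n=N, bound=2):
    """Secret/error polynomial with coefficients in [-bound, bound], stored mod q."""
    return [random.randint(-bound, bound) % Q for _ in range(n)]

def keygen(n=N):
    a = [random.randrange(Q) for _ in range(n)]       # uniform public polynomial a
    s, e = small_poly(n), small_poly(n)
    b = poly_add(poly_mul(a, s), e)                    # b <- a*s + e
    return (a, b), s

def encrypt(pk, bits):
    a, b = pk
    e1, e2, e3 = small_poly(len(a)), small_poly(len(a)), small_poly(len(a))
    c1 = poly_add(poly_mul(a, e1), e2)                 # c1 <- a*e1 + e2
    c2 = poly_add(poly_add(poly_mul(b, e1), e3), encode(bits))  # c2 <- b*e1 + e3 + E(mu)
    return c1, c2

def decrypt(s, c):
    c1, c2 = c
    d = poly_sub(c2, poly_mul(c1, s))                  # d = c2 - c1*s, close to E(mu)
    return decode(d)

def roundtrip(bits, seed=1):
    """Key generation, encryption and decryption of one message; returns the recovered bits."""
    random.seed(seed)
    pk, s = keygen(len(bits))
    return decrypt(s, encrypt(pk, bits))
```

With these parameters the noise term e·e1 + e3 − e2·s has coefficients of magnitude at most 66, far below q/4, so decoding always recovers the message.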

SLIDE 11-12

Side Channel Analysis model

Attack each modular multiplication separately during decryption
Hypothesis: for each c · s mod q, the power trace allows one to guess HW(c · s mod q) + N(0, σ)

(Figure: memory → modular mul. → HW)

CPA Attack:
1. Generate random ciphertexts
2. Predict power traces
3. Measure power traces during decryption
4. Compute correlation between traces and predictions
5. Maximum correlation is obtained for the correct guess

SLIDE 13

Side Channel Attack simulation

Simulate CPA in SageMath: machine executing one instruction per cycle
Correlations from CPA: (figure)

SLIDE 14-18

Countermeasures

Randomize computations
How to obtain correct results from randomized computations?

1. Masking [RRVV15]
   [RRVV15] reports FPGA implementation; masked decryption 3 times slower than unmasked
   We optimize and re-implement it on FPGA
2. Blinding and Shifting [Saa18]
   We implement on FPGA
3. Permutation (randomize the order of computations)
   We propose 2 methods
4. Redundant secret key representation

SLIDE 19-21

Countermeasure: Blinding [Saa18]

For all integers a, b: ac1 · bs = (ab)(c1 · s)

1. Pick some random a, b ∈ Z/qZ and compute (ab)^−1
2. Compute ac1 · bs
3. Multiply by (ab)^−1 and subtract the result from c2 to obtain the correct d
4. Decode
→ [Saa18]: use pre-computed roots of unity ω^i, ω^j, ω^(n−i−j)

Reminder: Decrypt(c1, c2) = D(c2 − c1s)

Computation of c1 · s randomized at each run.
d is not randomized ⇒ decoding algorithm is not protected
→ use the blinding method in combination with another countermeasure.

SLIDE 22-24

Countermeasure: Shifting [Saa18]

1. Multiply s and c1 by x^i and x^j respectively, for random i, j < n
2. Obtain c1 s x^(i+j)
3. Multiply by x^−(i+j)

In Zq[x]/(x^n + 1): multiply by x^i ⇔ shift i positions to the right → easy to compute
NTT domain: pointwise multiplication by NTT(x^i) = (1, ω^i, ω^2i, . . . ) → still easy to compute (since ω^i is pre-computed for all i < n)

Shifted decryption:
1. Get random indices i, j < n
2. Compute NTT(x^i) ⊙ s, NTT(x^j) ⊙ c1 and NTT(x^(i+j)) ⊙ c2
3. Decrypt and shift i + j positions to the left.
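The NTT-domain product of slide 10 together with blinding (slides 19-21) and shifting (slides 22-24), as an added example that is not the authors' code: the transform below is the negacyclic (twisted) NTT, in which NTT(x^i) has entries ψ^(i(2k+1)) rather than the slide's (1, ω^i, ω^2i, …), and n = 8, q = 12289 and the constructed s, c1, c2 are our own choices.

```python
import random

# Constructed toy parameters for illustration (the slides use n = 256; q is our choice):
Q = 12289   # prime with 2n | q - 1, so a primitive 2n-th root of unity psi exists
N = 8

def find_psi(n=N, q=Q):
    """Smallest psi with psi^n = -1 mod q, i.e. a primitive 2n-th root of unity."""
    return next(x for x in range(2, q) if pow(x, n, q) == q - 1)

PSI = find_psi()

def ntt(a, psi=PSI, q=Q):
    """Negacyclic NTT, a_hat[k] = sum_j a[j] psi^(j(2k+1)) (O(n^2) form for readability).
    Pointwise products in this domain are multiplications in Zq[x]/(x^n + 1)."""
    n = len(a)
    return [sum(a[j] * pow(psi, j * (2 * k + 1), q) for j in range(n)) % q for k in range(n)]

def intt(a_hat, psi=PSI, q=Q):
    n = len(a_hat)
    n_inv, psi_inv = pow(n, -1, q), pow(psi, -1, q)
    return [n_inv * sum(a_hat[k] * pow(psi_inv, j * (2 * k + 1), q) for k in range(n)) % q
            for j in range(n)]

def ntt_monomial(i, n=N, psi=PSI, q=Q):
    """NTT(x^i): a vector of pre-computable roots of unity, psi^(i(2k+1)) in this convention
    (the slide's (1, w^i, w^2i, ...) up to the negacyclic twist). Negative i gives x^-i."""
    return [pow(psi, i * (2 * k + 1), q) for k in range(n)]

def pointwise(u, v, q=Q):
    return [(x * y) % q for x, y in zip(u, v)]

def c1s_blind_shift(c1_hat, s_hat, a, b, i, j, q=Q):
    """Blinding (slide 19) and shifting (slide 22) combined, then undone:
    (a x^j c1) * (b x^i s) = (ab) x^(i+j) (c1 s). Returns (recovered c1_hat*s_hat, intermediate)."""
    n = len(s_hat)
    c1_rand = pointwise([a * c % q for c in c1_hat], ntt_monomial(j, n))
    s_rand = pointwise([b * s % q for s in s_hat], ntt_monomial(i, n))
    prod = pointwise(c1_rand, s_rand)      # the randomized intermediate a power trace would see
    ab_inv = pow(a * b, -1, q)             # (ab)^-1, slide 20 step 1
    unshift = ntt_monomial(-(i + j), n)    # multiply by x^-(i+j), slide 22 step 3
    return [(ab_inv * p * u) % q for p, u in zip(prod, unshift)], prod

def demo(seed=7):
    """One constructed decryption: returns (d plain, d protected, intermediate differs?)."""
    rng = random.Random(seed)
    s = [rng.randint(-2, 2) % Q for _ in range(N)]     # constructed small secret key
    c1 = [rng.randrange(Q) for _ in range(N)]          # constructed ciphertext halves
    c2 = [rng.randrange(Q) for _ in range(N)]
    c1_hat, s_hat, c2_hat = ntt(c1), ntt(s), ntt(c2)
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)    # fresh blinding factors
    i, j = rng.randrange(N), rng.randrange(N)          # fresh shift amounts
    plain = pointwise(c1_hat, s_hat)                   # unprotected slide-10 product
    prot, prod = c1s_blind_shift(c1_hat, s_hat, a, b, i, j)
    d_plain = intt([(x - y) % Q for x, y in zip(c2_hat, plain)])
    d_prot = intt([(x - y) % Q for x, y in zip(c2_hat, prot)])
    return d_plain, d_prot, prod != plain
```

The intermediate `prod` is what changes from run to run; `d_prot` itself is identical to the unprotected `d_plain`, which is the point made on slide 21: the decoder that follows is not protected by blinding alone.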

SLIDE 25-28

Countermeasure: Masked Decryption [RRVV15]

Use linearity: a(b + c) = ab + ac.

1. Generate a uniform random s′ and let s′′ ← s − s′. → then s = s′ + s′′.
2. Compute (part of) the decryption function for both shares:
   d′ ← c2 − c1s′
   d′′ ← −c1s′′
   Then D(d′ + d′′) = µ.

Reminder: Decrypt(c1, c2) = D(c2 − c1s)

Do not take off the mask
Computing d = d′ + d′′ means that d appears unmasked in the implementation. An attacker may use SCA to:
1. learn the coefficients of d = c2 − c1s
2. and compute the secret key s = (c2 − d) · c1^−1.

SLIDE 29

Decoding with Masking [RRVV15]

Do not compute d′ + d′′. What about D(d′) + D(d′′)?
Does not work because of non-linearity:
(Figure: circle Zq with q/4, q/2, 3q/4 marked and the positions of d′, d′′ and d)
Use a masked decoder Dmasked : (d′, d′′) → D(d′ + d′′) = µ.

SLIDE 30-31

Masked decoding problem [RRVV15]

(Figure: circle Zq with q/4, q/2, 3q/4 marked and the positions of d′, d′′ and d)

Easy case (left)
0 ≤ d′′ < q/4 and q/4 ≤ d′ < q/2, therefore q/4 ≤ d′ + d′′ < 3q/4.

Hard cases (below)
Both d′ and d′′ are in the interval [0, q/4), therefore 0 ≤ d′ + d′′ < q/2.
(Two figures: both shares in the first quadrant, with d on either side of q/4)

SLIDE 32-33

Solving the hard cases

In [RRVV15], use resharing:
1. Let d′ ← d′ + δ, d′′ ← d′′ − δ.
2. d′ + d′′ = d still holds.
3. New d′ is in a different quadrant → Easy case!

Problem: does not always work.
[RRVV15]: repeat 16 times → find a solution with high probability
(Figures: d′, d′′ before and after resharing)

SLIDE 34

Deterministic algorithm

We propose a deterministic masked decoder
1. Set δ = min(q/4 − d′, d′′).
2. Shift d′, d′′ by exactly the right distance δ.
3. d′ goes to [q/4, q/2) while d′′ stays in [0, q/4).
→ works for all d′, d′′.
(Figure: d′, d′′ after the shift)
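The masked decoding problem of slides 29-34 worked through in code, as an added example (not the authors' implementation): the naive D(d′) + D(d′′), the RRVV15 random resharing with 16 attempts, and a deterministic decoder of our own that applies the slide-34 rule δ = min(q/4 − d′, d′′) to the in-quadrant offsets of the two shares. The modulus q = 256 is a constructed value chosen so that the four quadrants are exact.

```python
import random

Q = 256   # constructed toy modulus, divisible by 4 so the four quadrants are exact

def decode(d, q=Q):
    """Unmasked decoder D: 1 if q/4 <= d < 3q/4, else 0 (slide 8)."""
    return 1 if q // 4 <= d % q < 3 * q // 4 else 0

def quadrant(x, q=Q):
    """Index 0..3 of the quarter of the circle that contains x."""
    return (4 * (x % q)) // q

def naive_masked_decode(d1, d2, q=Q):
    """D(d') xor D(d''): wrong, because D is not linear (slide 29)."""
    return decode(d1, q) ^ decode(d2, q)

def easy_case(d1, d2, q=Q):
    """Slide 30: when the two quadrant indices have an odd sum, d' + d'' can only fall into
    quadrants {1,2} or {3,0}, so the bit is known without ever forming d' + d''.
    Returns None in the even-sum hard cases of slide 31."""
    t = quadrant(d1, q) + quadrant(d2, q)
    return None if t % 2 == 0 else (1 if t % 4 == 1 else 0)

def rrvv15_masked_decode(d1, d2, rng, tries=16, q=Q):
    """Random resharing (slides 32-33): d' += delta, d'' -= delta and retry, at most 16 times.
    Returns None when every attempt lands in a hard case."""
    for _ in range(tries):
        bit = easy_case(d1, d2, q)
        if bit is not None:
            return bit
        delta = rng.randrange(q)
        d1, d2 = (d1 + delta) % q, (d2 - delta) % q
    return None

def deterministic_masked_decode(d1, d2, q=Q):
    """Our own deterministic decoder built on the slide-34 rule delta = min(q/4 - d', d''),
    applied to the in-quadrant offsets r1, r2 of the shares (not a transcription of the paper's
    circuit). delta == q/4 - r1 exactly when r1 + r2 >= q/4, i.e. when the sum carries
    into the next quadrant; only that carry and the quadrant indices are ever combined."""
    t = quadrant(d1, q) + quadrant(d2, q)
    r1, r2 = d1 % (q // 4), d2 % (q // 4)    # both in [0, q/4): the hard-case picture
    delta = min(q // 4 - r1, r2)
    carry = 1 if delta == q // 4 - r1 else 0
    return 1 if (t + carry) % 4 in (1, 2) else 0

def compare_all(q=Q, seed=3):
    """Exhaustive check over all share pairs. Returns
    (naive errors, RRVV15 give-ups after 16 tries, RRVV15 wrong answers, deterministic errors)."""
    rng = random.Random(seed)
    naive_err = rrvv_none = rrvv_wrong = det_err = 0
    for d1 in range(q):
        for d2 in range(q):
            truth = decode(d1 + d2, q)
            naive_err += naive_masked_decode(d1, d2, q) != truth
            res = rrvv15_masked_decode(d1, d2, rng, q=q)
            if res is None:
                rrvv_none += 1
            else:
                rrvv_wrong += res != truth
            det_err += deterministic_masked_decode(d1, d2, q) != truth
    return naive_err, rrvv_none, rrvv_wrong, det_err
```

`compare_all()` reports many naive errors, zero errors for both masked decoders, and a give-up count for the randomized one that depends on the seed (each retry lands in a hard case with probability 1/2, so 16 tries fail with probability 2^−16 per pair).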

SLIDE 35-38

Countermeasure: Permutations

Pointwise multiplications can be computed in any order
Instead of: a0 · b0, a1 · b1, . . .
compute: aσ(0) · bσ(0), aσ(1) · bσ(1), . . . for some random permutation σ
Also works for pointwise multiplications in the NTT → protects against [PPM17] SPA attack

2 permutation methods:
1. LFSR counter
   Cheap: initial state defines random permutation
   Only 255 permutations possible for n = 256
2. Permutation network
   Uses (n/2) log(n) random bits
   n^(n/2) different permutations possible
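The LFSR-counter permutation of slides 35-38 as an added example, not the authors' design: the LFSR polynomial x^8 + x^6 + x^5 + x^4 + 1 and the handling of index 0 (which an LFSR never outputs) are our assumptions, and the operands are constructed. It also checks the slide's counts: 255 orders for the LFSR, n^(n/2) for a network driven by (n/2) log(n) bits.

```python
import random

N = 256   # coefficient vector length used on the slides

def lfsr8_states(seed, taps=0xB8):
    """8-bit Galois LFSR over GF(2). taps = 0xB8 encodes x^8 + x^6 + x^5 + x^4 + 1, a maximal-
    length polynomial, so any nonzero seed steps through all 255 nonzero states before repeating.
    (The polynomial is our choice; the slides do not name one.)"""
    if not 0 < seed < 256:
        raise ValueError("seed must be a nonzero 8-bit state")
    state, states = seed, []
    for _ in range(255):
        states.append(state)
        lsb = state & 1
        state >>= 1
        if lsb:
            state ^= taps
    return states

def lfsr_permutation(seed):
    """Visiting order sigma for n = 256: the LFSR never outputs 0, so index 0 is visited first
    (our convention), then the 255 LFSR states serve directly as indices 1..255."""
    return [0] + lfsr8_states(seed)

def pointwise_permuted(a, b, sigma, q):
    """a_sigma(0) b_sigma(0), a_sigma(1) b_sigma(1), ...: the same n products in a randomized
    order, so the result equals the in-order pointwise product (slide 35)."""
    out = [None] * len(a)
    for idx in sigma:
        out[idx] = (a[idx] * b[idx]) % q
    return out

def count_lfsr_permutations():
    """Distinct orders over all 255 seeds. Each seed only rotates the single 255-long cycle,
    hence the slide's 'only 255 permutations possible for n = 256'."""
    return len({tuple(lfsr_permutation(seed)) for seed in range(1, 256)})

def network_permutation_count(n):
    """Slide 38: (n/2) log2(n) control bits select among 2^((n/2) log2 n) = n^(n/2) orders."""
    bits = (n // 2) * (n.bit_length() - 1)   # n is a power of two, so log2(n) = bit_length - 1
    return 2 ** bits, n ** (n // 2)

def demo(q=12289, seed=11):
    """Constructed operands; returns (permuted product equals in-order product, sigma is a
    permutation of all n indices)."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(N)]
    b = [rng.randrange(q) for _ in range(N)]
    sigma = lfsr_permutation(rng.randrange(1, 256))
    in_order = [(x * y) % q for x, y in zip(a, b)]
    return pointwise_permuted(a, b, sigma, q) == in_order, sorted(sigma) == list(range(N))
```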

SLIDE 39-40

Countermeasure: Redundant representation

Use a redundant representation to randomize the secret key
In RSA/ECC:
1. Secret key is a scalar or exponent in some group.
2. Randomize by adding multiples of the group order. → new secret key is still a valid decryption key

We apply this to RLWE crypto:
1. Secret key: n coefficients in Z/qZ.
2. For each coefficient: add a small random multiple of q.
3. Perform computations in Z/(2^r q)Z. → r is the redundancy parameter
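The redundant representation of slides 39-41 applied to one coefficient-wise modular multiplication, the unit the correlation analysis on slide 41 attacks, as an added example that is not the authors' code: q = 12289, the reading of "small multiple" as k < 2^r, and the interval-test decoder standing in for the special decoder of slide 53 are our assumptions, and the NTT is left out.

```python
import random

Q = 12289   # constructed toy modulus; the slides fix n = 256 but do not state q here

def hw(x):
    """Hamming weight of an intermediate value: what the leakage model of slide 11 exposes."""
    return bin(x).count("1")

def decode(d, q=Q):
    """Plain decoder D on Zq: 1 on [q/4, 3q/4), 0 elsewhere (slide 8)."""
    return 1 if q // 4 <= d % q < 3 * q // 4 else 0

def redundant_coeff(s, k, q=Q):
    """One secret coefficient in redundant form, s + k*q with a small random k < 2^r (slide 40)."""
    return s + k * q

def mul_redundant(c, s_red, r, q=Q):
    """The modular multiplication as the protected design performs it, in Z/(2^r q)Z (slide 40).
    Operand and result now change with k, so their Hamming weights vary from run to run."""
    return (c * s_red) % (2 ** r * q)

def decode_redundant(d_red, r, q=Q):
    """Decoder fed the unreduced value in [0, 2^r q): membership in one of the 2^r copies of the
    '1' arc, [k q + q/4, k q + 3q/4), decides the bit without a reduction mod q. Our own simple
    stand-in for the special decoder of slide 53, not the paper's circuit."""
    return 1 if any(k * q + q // 4 <= d_red < k * q + 3 * q // 4 for k in range(2 ** r)) else 0

def intermediate_hws(c, s, r, q=Q):
    """Hamming weights of c*(s + k q) mod 2^r q over all k: the spread the redundancy adds
    to one multiplication that an unprotected design would execute identically every time."""
    return sorted({hw(mul_redundant(c, redundant_coeff(s, k, q), r, q)) for k in range(2 ** r)})

def check_one_coefficient(c1, c2, s, r, q=Q):
    """Decrypt one coefficient with every redundant key; True if all decode like the plain path."""
    plain = decode((c2 - c1 * s) % q, q)
    modulus = 2 ** r * q
    for k in range(2 ** r):
        d_red = (c2 - mul_redundant(c1, redundant_coeff(s, k, q), r, q)) % modulus
        if decode_redundant(d_red, r, q) != plain:
            return False
    return True

def check_random(r, trials=200, seed=5, q=Q):
    """Constructed random coefficients c1, c2 and small s; True if redundancy never changes a bit."""
    rng = random.Random(seed)
    return all(check_one_coefficient(rng.randrange(q), rng.randrange(q), rng.randint(-2, 2) % q, r, q)
               for _ in range(trials))
```

Correctness rests on 2^r q being a multiple of q: reducing mod 2^r q preserves the residue mod q, so every redundant run lands in one of the 2^r shifted copies of the arc the plain value would fall in.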

SLIDE 41

Does it work?

Correlation analysis for different redundancy levels.
Attacking one single modular multiplication, Hamming weight model assuming noiseless observations
Simulations in SageMath (σ = 0): (figure)

SLIDE 42-46

Implementation on Artix-7 FPGA using HLS, for n = 256

Protection        Source      Implem.     Time (µs)   Slice, LUT, DSP, BRAM
None              -           [RRVV15]    23.5        -, 1713, 1, -
Masking           [RRVV15]    [RRVV15]    75.2        -, 2014, 1, -
None              -           This work   7.8         483, 1163, 2, 3
Masking           [RRVV15]    This work   10.1        2187, 5500, 5, 6
Our Mask.         This work   This work   10.1        1722, 4269, 5, 6
Blinding          [Saa18]     This work   10.6        941, 2284, 3, 4
Shifting          [Saa18]     This work   14.8        832, 2150, 3, 4
Shift + Blind     [Saa18]     This work   14.7        1063, 2781, 3, 4
Permutation       This work   This work   11.4        3183, 7385, 2, 4
LFSR ctr.         This work   This work   10.3        1069, 2861, 2, 3
Redund. r = 1     This work   This work   8.5         629, 1599, 2, 3
Redund. r = 2     This work   This work   8.2         611, 1664, 2, 3
Redund. r = 3     This work   This work   8.9         807, 2067, 2, 3
Redund. r = 4     This work   This work   8.5         872, 2285, 2, 3
Redund. r = 5     This work   This work   9.0         990, 2677, 2, 6

SLIDE 47

Conclusion

Ring-LWE crypto should be protected against SCA
Masking, Blinding, Redundancy, Permutations
Performant implementations using High Level Synthesis
Future work: experimental validation of effectiveness

SLIDE 48

Thank you for your attention!

SLIDE 49-50

Bibliography

[LPR10] V. Lyubashevsky, C. Peikert, and O. Regev, On ideal lattices and learning with errors over rings, Proc. 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), Monaco, June 2010, pp. 1–23.

[PPM17] R. Primas, P. Pessl, and S. Mangard, Single-trace side-channel attacks on masked lattice-based encryption, Proc. 19th International Conference on Cryptographic Hardware and Embedded Systems (CHES), Taipei, Taiwan, September 2017, pp. 513–533.

[Reg05] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, Proc. 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 2005, pp. 84–93.

[RRVV15] O. Reparaz, S. Sinha Roy, F. Vercauteren, and I. Verbauwhede, A masked ring-LWE implementation, Proc. 17th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), Saint-Malo, France, September 2015, pp. 683–702.

[Saa18] M.-J. O. Saarinen, Arithmetic coding and blinding countermeasures for lattice signatures - engineering a side-channel resistant post-quantum signature scheme with compact signatures, J. Cryptographic Engineering 8 (2018), no. 1, 71–84.

SLIDE 51

Full results on Artix-7 (n = 256)

Countermeasure   Entropy added (bits)   Lat. (Clk.)   Clk. (ns)   Time (µs)   Slice, LUT, DSP, BRAM
None             -                      2800          8.3         23.5        -, 1713, 1, -
Masking          3328                   7500          10          75.2        -, 2014, 1, -
None             -                      2357          3.3         7.8         483, 1163, 2, 3
Blinding         16                     2768          3.8         10.6        941, 2284, 3, 4
Shifting         16                     3138          4.7         14.8        832, 2150, 3, 4
Shift + Blind    32                     3183          4.6         14.7        1063, 2781, 3, 4
Masking          3328                   2517          4.0         10.1        2187, 5500, 5, 6
Our Mask.        3328                   2510          4.0         10.1        1722, 4269, 5, 6
Permutation      1280                   2521          4.5         11.4        3183, 7385, 2, 4
LFSR ctr.        71                     2846          3.6         10.3        1069, 2861, 2, 3
r = 1            256                    2272          3.7         8.5         629, 1599, 2, 3
r = 2            512                    2273          3.6         8.2         611, 1664, 2, 3
r = 3            768                    2333          3.8         8.9         807, 2067, 2, 3
r = 4            1024                   2338          3.6         8.5         872, 2285, 2, 3
r = 5            1280                   2352          3.8         9.0         990, 2677, 2, 6
r = 6            1536                   2394          3.9         9.4         1254, 3466, 3, 6

SLIDE 52

Permutation Network

Swap x and y if b = 1:
(Figure: a two-input switch with inputs x, y and control bit b)
Network for coefficient vector of length n = 8:
(Figure: the switch network over the 8 wires)

SLIDE 53

Schematic of redundancy countermeasure

(Figure: Decrypt block with RAM, Mul and adders on (w+r)-bit words, feeding a Redundant Decoder with a "TR 2^r" stage and a w-bit output)
Redundancy is not removed for decoding → use a special decoder