

  1. Two Attacks on a White-Box AES Implementation
Tancrède Lepoint (1,2), Matthieu Rivain (1), Yoni De Mulder (3), Peter Roelse (4) and Bart Preneel (3)
(1) CryptoExperts, France, {tancrede.lepoint,matthieu.rivain}@cryptoexperts.com
(2) École Normale Supérieure, France
(3) KU Leuven and iMinds, Belgium, {yoni.demulder,bart.preneel}@esat.kuleuven.be
(4) Irdeto B.V., The Netherlands, peter.roelse@irdeto.com
SAC 2013, Vancouver, Canada, August 15th, 2013

  2. What is White-Box Cryptography?

  3. White-Box Cryptography
‣ focuses on the software implementation of cryptographic primitives executed in an untrusted environment.
‣ aims at protecting the embedded secret cryptographic key; the objective is that the white-box implementation behaves as a "virtual black box":
‣ a white-box adversary may not have any advantage over a black-box attacker, i.e., he is unable to extract any more key information than he could extract under a black-box attack (oracle access to the WB implementation).

  4. Black-box model vs. white-box model
[Figure: in the black-box model the adversary only sees the input m/c entering and the output c/m leaving $E_k(\cdot)$ / $D_k(\cdot)$; in the white-box model the adversary can debug, reverse engineer, inspect memory, inject faults and alter the implementation of $E_k(\cdot)$ / $D_k(\cdot)$.]
• Black-box attacker:
  ‣ only has access to the input/output behavior of the cryptographic algorithm.
  ‣ has no visibility into its execution.
• White-box attacker:
  ‣ has full access to the software implementation of the cryptographic algorithm.
  ‣ has full control over its execution environment.
  ‣ has the goal to extract the secret cryptographic key (key recovery).

  5. When the attacker has knowledge of the internal structure of a cryptographic primitive, the way it is implemented is the sole remaining line of defense.
‣ S-box blanking attack [Kerins and Kursawe, 2006]: in a round that computes $x_r = S(x_{r-1}) \oplus k_w$, the attacker replaces the S-box $S$ by the all-zero table $S_0$, so that $x_r = 0 \oplus k_w = k_w$ and the round key $k_w$ is read directly from the round output.

  6. Use case: a (very) simplified DRM model
[Figure: the remote content provider holds the key $k$, encrypts content with $E_k$ and issues licenses with a license generator; the user's playback device receives $E_k(m)$ and the license Lic, a license verifier answers YES/NO, and the player containing the WB implementation of $D_k$ recovers $m$. Eve sits on the playback device.]
• The trusted digital media player (containing the WB implementation) is deployed in an untrusted environment (the end-user's playback device).
• The goal of a maliciously behaving end-user is to extract the secret decryption key out of the decryption routine in order to:
  ‣ decrypt the encrypted content while circumventing the license verification
  ‣ distribute the key to non-authorized end-users

  7. White-Box AES Implementation

  8. State-of-the-Art

  9. [Diagram: white-box AES implementations and the attacks published against them]
‣ White-box AES implementation: Chow, Eisen, Johnson and van Oorschot [2002]; attack: Billet, Gilbert and Ech-Chatbi [2004] (the BGE attack)
‣ Perturbated white-box AES implementation: Bringer, Chabanne and Dottax [2006]; attack: De Mulder, Wyseur and Preneel [2010]
‣ White-box AES implementation based on wide linear encodings: Xiao and Lai [2009]; attack: De Mulder, Roelse and Preneel [2012]
‣ Generic class: Michiels, Gorissen and Hollmann [2008]
‣ White-box AES implementation based on dual ciphers of AES: Karroumi [2010]

  10. [Same diagram as slide 9, with this talk's contribution added: a new attack based on collisions.]

  11. Aspects of Chow’s White-Box AES Implementation

  12. Descriptions of AES-128
Conventional way:
  1. for r from 1 to 9 (rounds 1-9):
     (a) AddRoundKey($K^{(r)}$);
     (b) SubBytes;
     (c) ShiftRows;
     (d) MixColumns;
  2. AddRoundKey($K^{(10)}$);   (round 10)
  3. SubBytes;
  4. ShiftRows;
  5. AddRoundKey($K^{(11)}$).
Used for WB AES:
  1. for r from 1 to 9 (rounds 1-9):
     (a) ShiftRows;
     (b) AddRoundKey($\hat{K}^{(r)}$);
     (c) SubBytes;
     (d) MixColumns;
  2. ShiftRows;   (round 10)
  3. AddRoundKey($\hat{K}^{(10)}$);
  4. SubBytes;
  5. AddRoundKey($K^{(11)}$).
(ShiftRows is a byte permutation, so it commutes with SubBytes and with AddRoundKey once the round key is permuted the same way: $\hat{K}^{(r)}$ is $K^{(r)}$ with ShiftRows applied.)

  13. AES subround, for $0 \le j \le 3$ and $1 \le r \le 9$
[Figure: four 8-bit inputs, each XORed with a key byte $k_i^{(r,j)}$ ($i = 0, \dots, 3$), then passed through the S-box $S$, then jointly through MixColumns, giving four 8-bit outputs.]
for r from 1 to 9: (a) ShiftRows; (b) AddRoundKey($K^{(r)}$); (c) SubBytes; (d) MixColumns
MixColumns matrix:
$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}$$

  14. Encoded AES subround
‣ the naive version: each 8-bit input passes through an input encoding $P_i^{(r,j)}$, is XORed with the key byte $k_i^{(r,j)}$, goes through $S$, the four bytes go through MixColumns, and each 8-bit output passes through an output encoding $Q_i^{(r,j)}$ ($i = 0, \dots, 3$). [Label on the slide: new attack (collisions)]
‣ the generic version: in addition, a mixing bijection $\Pi_1^{(r,j)}$ is applied to the 32-bit input after the input encodings and before the key addition (the key bytes then belong to a permuted column, $k_i^{(r,\pi^{(r)}(j))}$, and appear in permuted byte order; the slide shows indices 1, 2, 0, 3), and a mixing bijection $\Pi_2^{(r,j)}$ is applied to the 32-bit output after MixColumns and before the output encodings. [Label on the slide: BGE attack]

  15. Revisiting the BGE Attack

  16. BGE attack, Phase 1
‣ obtain the output encodings up to an affine part, i.e. recover $\hat{Q}_i^{(r,j)}$ such that $Q_i^{(r,j)} = \hat{Q}_i^{(r,j)} \circ (\text{affine part})$
‣ the same for the input encodings through round r-1 (the figure labels the recovered part of the previous round's output encoding $\hat{Q}_{i'}^{(r-1,j')}$)
[Figure: the generic encoded subround of slide 14, before and after Phase 1; after Phase 1 the encodings $P_i^{(r,j)}$ and $Q_i^{(r,j)}$ are replaced by $\hat{P}_i^{(r,j)}$ and $\hat{Q}_i^{(r,j)}$, with $\Pi_1^{(r,j)}$, the key bytes $k_i^{(r,\pi^{(r)}(j))}$, $S$, MixColumns and $\Pi_2^{(r,j)}$ unchanged in between.]

  17. BGE attack, Phase 2
‣ fully recover the affine output encodings and the key-dependent affine input encodings
‣ fully recover the affine input encodings through round r-1
with
$$[\bar{k}_i^{(r,j)}]_{0 \le i \le 3} = (\Pi_1^{(r,j)})^{-1}\,[k_i^{(r,\pi^{(r)}(j))}]_{0 \le i \le 3}$$
[Figure: the generic subround with $\hat{P}_i^{(r,j)}$, $\Pi_1^{(r,j)}$ and key bytes $k_i^{(r,\pi^{(r)}(j))}$ is rewritten in the naive shape with key-dependent affine input encodings followed by XOR with the equivalent key bytes $\bar{k}_i^{(r,j)}$; the mixing bijection $\Pi_1^{(r,j)}$ is absorbed into the input encodings, and the output side keeps $\Pi_2^{(r,j)}$ and $\hat{Q}_i^{(r,j)}$.]

  18. Work factors: original vs. improved BGE attack
Original BGE attack:
‣ Phase 1: $2^{19}$
‣ Phase 2: $2^{29}$
‣ Phase 3: no work factor given
‣ apply Phases 1 and 2 to rounds r and r+1 to obtain two round keys, then relate both round keys via (1) the white-box implementation and (2) the AES key scheduling algorithm
‣ total work factor: $2^{30}$
Improved BGE attack [Tolhuizen, 2012]:
‣ Phase 2: $2^{22}$
‣ apply Phases 1 and 2 only to round r to obtain the r-th round key
‣ a new method to obtain the (r+1)-th round key: $2^{18}$
‣ an efficient method to determine the correct order of the round keys: $2^{13}$
‣ total work factor: $2^{22}$

  19. BGE attack, Phase 3
‣ obtain the (r+1)-th round key
‣ correctness: $S(c \oplus S^{-1}(x))$ is non-affine for all non-zero values of $c$
[Figure: the round-(r+1) subround with input encodings $P_i^{(r+1,j)}$, key bytes $\bar{k}_i^{(r+1,j)}$, $S$, $\Pi_1^{(r+1,j)}$, MixColumns, $\Pi_2^{(r+1,j)}$ and $\hat{Q}_i^{(r+1,j)}$; a guessed key byte $k$ is tested by composing $S^{-1}$, the XOR with $k$ and $S$ into $x \mapsto S(k \oplus S^{-1}(x))$ and asking "affine?". Only the correct guess yields an affine map, because a wrong guess leaves a non-zero $c$ in $S(c \oplus S^{-1}(x))$.]
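The following Python is an added example, not code from the slides or from the paper's authors. It checks two claims made above in running code: slide 12's re-ordered AES-128 description (ShiftRows first, round key permuted accordingly) encrypts identically to the conventional order, and slide 19's correctness condition, that $x \mapsto S(c \oplus S^{-1}(x))$ is affine over $\mathrm{GF}(2)^8$ only for $c = 0$. The Phase-3 style key test at the end works on a constructed key-dependent S-box $T(x) = S(x \oplus k)$ with the surrounding affine encodings already stripped off, which is a simplification of the real attack setting; the AES S-box is computed from its definition, and the key and plaintext bytes are constructed test inputs.

```python
"""Checks behind slides 12 and 19 (example added to this page, not the
paper's code): (1) conventional and white-box round orderings of AES-128
agree when the moved AddRoundKey uses K_hat = ShiftRows(K); (2) the map
x -> S(c ^ S^{-1}(x)) is affine over GF(2)^8 only for c = 0, which is what
makes the Phase-3 key-byte test unambiguous.  Inputs are constructed."""
import os

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _make_sbox():
    """AES S-box from its definition: field inverse, then the affine map."""
    box = []
    for a in range(256):
        inv = 1
        for _ in range(254):          # a^254 = a^-1 in GF(2^8); 0 maps to 0
            inv = gf_mul(inv, a)
        x = inv ^ 0x63
        for i in range(1, 5):         # x ^= rotl(inv, i) for i = 1..4
            x ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(x)
    return box

SBOX = _make_sbox()
SBOX_INV = [SBOX.index(y) for y in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """FIPS-197 key schedule; returns K(1)..K(11) in the slides' numbering."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                # RotWord, SubWord, Rcon
            t = [SBOX[t[1]], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# State is column-major: the byte at row r, column c sits at index 4*c + r.
def add_round_key(s, k): return [a ^ b for a, b in zip(s, k)]
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for i in range(4):            # rows of the circulant (02 03 01 01) matrix
            out.append(gf_mul(2, a[i]) ^ gf_mul(3, a[(i + 1) % 4]) ^ a[(i + 2) % 4] ^ a[(i + 3) % 4])
    return out

def aes128_conventional(key, pt):
    """Slide 12, left column."""
    K, s = expand_key(key), list(pt)
    for r in range(9):
        s = mix_columns(shift_rows(sub_bytes(add_round_key(s, K[r]))))
    s = shift_rows(sub_bytes(add_round_key(s, K[9])))
    return bytes(add_round_key(s, K[10]))

def aes128_whitebox_order(key, pt):
    """Slide 12, right column: ShiftRows(x ^ K) == ShiftRows(x) ^ ShiftRows(K)."""
    K, s = expand_key(key), list(pt)
    K_hat = [shift_rows(k) for k in K]
    for r in range(9):
        s = mix_columns(sub_bytes(add_round_key(shift_rows(s), K_hat[r])))
    s = sub_bytes(add_round_key(shift_rows(s), K_hat[9]))
    return bytes(add_round_key(s, K[10]))

def is_affine(f):
    """True iff the byte map f is affine over GF(2)^8: g = f ^ f(0) must be
    linear, i.e. g(x) equals the XOR of g(e_i) over the set bits of x."""
    g = [f(x) ^ f(0) for x in range(256)]
    for x in range(256):
        acc = 0
        for i in range(8):
            if x >> i & 1:
                acc ^= g[1 << i]
        if acc != g[x]:
            return False
    return True

def affine_shifts():
    """All c for which x -> S(c ^ S^{-1}(x)) is affine; slide 19 says only c = 0."""
    return [c for c in range(256) if is_affine(lambda x: SBOX[c ^ SBOX_INV[x]])]

def recover_key_byte(t):
    """Phase-3 style test on a key-dependent S-box t(x) = S(x ^ k): a guess g
    is right iff x -> t(S^{-1}(x) ^ g) is affine (for g = k it is the identity)."""
    return [g for g in range(256) if is_affine(lambda x: t(SBOX_INV[x] ^ g))]

if __name__ == "__main__":
    key, pt = os.urandom(16), os.urandom(16)                     # constructed inputs
    assert aes128_conventional(key, pt) == aes128_whitebox_order(key, pt)
    print("c with S(c ^ S^-1(x)) affine:", affine_shifts())           # [0]
    print("key byte candidates:", recover_key_byte(lambda x: SBOX[x ^ 0x5A]))  # [90]
```

Both encryption routines reproduce the FIPS-197 Appendix C.1 test vector (key 000102...0f, plaintext 00112233...ff, ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a), so the re-ordering is exact rather than approximate. `is_affine` uses the fact that an affine map minus its value at 0 is linear and therefore determined by its values on the eight unit vectors, which keeps the 256 candidate tests at a few hundred thousand byte operations; the exhaustive `affine_shifts()` scan is the direct numerical form of the slide's correctness condition, and `recover_key_byte` shows why that condition matters: exactly one guess survives the affinity test.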

  20. New Attack based on Collisions
