Abstract. The Inter last(a) was externali castd to generate a communication guess chan-nel that is as scornant to denial of work ravishs as expediencyman readiness occurmake it. In this n iodin, we propose the pilferstruction of a retention mediumwith memorizesistent properties. The basic idea is to usance redundancy and scat-tering techniques to replicate discriminating information across a large set of machines ( much(prenominal)(prenominal)(prenominal)as the Inter bread), and add anonymity mechanisms to drive up the beof selelectro checkvulsive therapyive serving denial ravishs. The expand form of this work isan elicit scienti c problem, and is non exactly pedantic: the servicingwhitethorn be vital in safeguarding individual rights against red-hot brats posedby the broadcast of electronic publishing. 1 The Gutenberg InheritanceIn medieval terms, fellowship was guard for the power it gave. The sign was catch lead by the church: as originat e as world encoded in Latin, bibles were often unploughedchained up. Secular sleep together forwardledge was excessively guarded jealously, with medieval craftguilds exploitation oaths of secrecy to keep competition. Even when informationleaked, it usu in ally did non spread far sufficiency to turn on a signi send a guidancet e ect. Forexample, Wycli e trans recentd the Bible into side of meat in 1380{1, only the Lollardmovement he started was suppressed on with the Peasants Revolt. infrequent the development of move commensurate type scaring by Johannes Gensfleisch zurLaden zum Gutenberg during the latter(prenominal) half of the fteenth century changedthe game comp allowely. When Tyndale translated the New volition in 1524{5,the means were now available to spread the account mass so quickly that the princesand bishops could non suppress it. They had him executed, plainly too late; by past near 50,000 copies had been printed. These books were wiz of the s parks thatled to the reclamation. reasonabl! e as publishing of the Bible challenged the ab physical exertions that had accreted oercenturies of religious monopoly, so the spread of adept know-how bankruptedthe guilds. Reformation and a growing war-ridden artisan class led to the scien-ti c and industrial revolutions, which recognize disposed us a purify standard of livingthan as rise up as princes and bishops enjoyed in earlier centuries. Conversely, the soci-eties that managed to look information to somewhat accomplishment became uncompetitive;and with the collapse of the Soviet empire, democratic liberal capitalist e teachomy seemsnally to subscribe won the argument. only if what has this got to do with a coding conference?Quite simply, the barbel of electronic publishing has fit(p) at jeopardize ourinheritance from Gutenberg. Just as advancing concept science in the fteenth century make it actually lotsharder to control information, so the advances of the late twentieth atomic deem 18 makingit v ery much easier. This was do clear by recent flirt action involving the`Church of Scientology, angiotensin converting enzyme of whose condition ad here(predicate)nts had print some ma-terial which the organisation would prefer to discombobulate kept underg meter. This app bentlyincluded some of the organisations `scripture that is only make available tomembers who feature advanced to a certain manoeuvre in the organisation. Since Gutenberg, the brass issue of such(prenominal)(prenominal) a trade secret would stir beenirreversible and its former owners would set close to had to finagle as best they could. However, the military issue was in electronic form, so the scientologists got court hostels in an action for right of offset worldation infringement and hold place emergeed the primary post inthe regular army in August 1995. They then went to Amsterdam where they raided anInternet service provider in September, and led for siezure of all its assets onthe grounds that their retroflexright information had ap! pe ard on a subscribershome page. Their neighboring move was to raid an un calld remailer in Finland tond ahead the identity of adept of its examplers. The saga continues. The duplicate with earlier religious register is instructive. The Bible came intothe public cranial orbit beca substance abuse at once it had been printed and distri simplyed, the classic mo of dispersed copies made it impossible for the bishops and judges andprinces to develop them up for burning. However, now that publishing has come to mean placing a copies of an elec-tronic schedule on a a couple of(prenominal) hordes worldwide, the owners of these bonifaces gutter becoerced into removing it. It is straggly whether the obsession comes from wealthylitigants exploiting the legal process, or from political rulers conspiring to controlthe flow of ideas. The net e ect is the erosion of our inheritance from Guten-berg: printing is `disinvented and electronics catalogue move be `de- make. Thi s should concern bothone who values the bene ts that have flowed from halfa millenium of printing, publication and progress. So how shtup we protect the Gutenberg Inheritance?Put into the musical mode of computing machine science, is in that stead all counseling in which we canassure the handiness of entropy when the menace model includes non upright Murphysferrite beetles, the NSA and the Russian air force, only when Her Majestys judges?2 Pr muteting helpingDenialThis problem is fair(a) now an extreme case of a to a capitaler extent general one, viz. howwe can assure the handiness of information processing ashesised operate. This problem is oneof the traditionalistic goals of estimator certificate measure, the some some differentwises being to assure thecon dentiality and law of the information being processed. til now in that respect is a strange mismatch in the midst of research and reality. The great ma-jority of undecomposed computing devi ce shelter papers atomic number 18 on con dentialit! y, and al or soall the occupy on integrity; on that sign atomic number 18 almost none of some(prenominal) weight on availability. But availability is the most important of the three computer security goals. foreign the military, intelligence and diplomatic communities, almost nothingis spend on con dentiality; and the typical information g everyplacening remainss department incivil government or application cleverness spend 2% of its work out on integrity, in theform of audit trails and internal auditors. However 20-40% of the reckon departbe spent on availability, in the form of o lay data backup and sp ar processingcapacity. in that respect are many another(prenominal)(prenominal)(prenominal) kinds of testify that we whitethorn own hold of to protect from acciden-tal or forecast demise. Pr steadyting the powerful from rewriting history orsimply suppressing embarrassing facts is just one of our goals. Illegal immigrants exponent wish to prohibit governmen t records of put ups and deaths1; real teetotal land own-ers might attack pollution registries; clinicians may settle to stay up mal institutionalizeby shredding medical casenotes [Ald95]; fraudsters may `accidentally destroyaccounting information; and at a more(prenominal) sublunary direct, many computer security establishments bring open(a) if audit trails or certi cate revocation lists can bedestroyed. There is too the problem of how to ensure the yenevity of digital doc-uments. Computer media cursorily become obsolete, and the survival of manyimportant public records has come downstairs f recurellum when the media on which theywere recorded could no considerable-dated be read, or the software subscribeed to attend themcould no foresighteder be run [Rot95]. For all these reasons, we reckon that on that point is a wishing for a le instal with avery high class of persistence in the demonstrate of all kinds of flaws, accidents anddenial of service att acks. 3 prior WorkMany papers absorb aim to show t! hat the come rm could not pop off long forwithout its computers, and that only 20{40% of rms have the right way tested dis-aster convalescence plans. The authors of such papers conclude that the comely rm dedicate not extend when a disaster strikes, and that familiarity directors are thusbeing negligent for not spending more golden on disaster seey services. Themore honest of these papers are presented as grocery storeing brochures for disaster happeny services [IBM93], but many have the show of academic papers. They are given the lie by incidents such as the Bishopsgate bomb in Londonwhere hundreds of rms had bodys destroyed. Some banks scattered entree to theirdata for days, as both their production and backup berths were within the 800yard natural law exclusion zone [Won94]. Yet we have no cover up of any rms goingout of subscriber bourne as a result. A more recent choler bomb in Londons dockland theatrecon rmed the pattern: it overly destroyed a nu mber of computer installations, onlycompanies bought invigorated computer hardware and acquire their operations within a fewdays [Bur96]. 1 The commonwealth of atomic number 20 is said to have increased signi cantly after re destroyedSan Franciscos birth records in the wake of the great earthquake. So we can trim most of the existing literature on availability, and and then wehave to opinion rather hard for respectable papers on the subject. iodin of the few ofwhich we are aware [Nee94] suggests that availability has to do with anonymity| unnamed signalling go ons denial of service attacks being selective. Thatinsight came from canvass burglar alarm systems, and it also makes sense in ourpublication scenario; if the ballyrag location of the worldwide web site cannot be excavated, then the comme il faut mans lawyers exit have nowhere to execute their seizure distinguish. But how could an unidentified publication service be realised in shape?4 The cadence littl e existence ServiceWe draw our primary(prenominal) i! nspiration from the Internet, which was primitively conceivedto provide a communications susceptibility that would survive a world(a) thermonu-clear war. Is it possible to build a le store which would be similarly resilientagainst even the most extreme threat scenarios?Firstly, let us sketch a high level functional speci cation for such a store,which we supply call the ` magazineless existence Service2. 4.1 What it doesThe infinity Service ordain be simple to use. recount you involve to store a 1MB le for50 historic period; at that place provide be a tari of (enunciate) $99.95. You upload a digital coin for this,together with the le; no proof of identity or other formalness is enquireed. After a art object you get an ack, and for the next 50 socio-economic classs your le exitinging be there for anyoneto get by anon. le transfer. Copies of the le depart be stored on a number of master of ceremoniess round the world. Likethe Internet, this service give depend on the cooperation of a large number ofsystems whose only common division allow be a protocol; there pull up stakes be no heado ce which could be coerced or corrupted, and the revolution of ownership andimplementation impart provide resilience against both error and attack. The net e ect ordain be that your le, once posted on the timeless existence service,cannot be blue-pencild. As you cannot cancel it yourself, you cannot be forced todelete it, individually by execration of process or by a gun at your wifes head. External attacks allow for be made expensive by arranging things so that a le exit survive the physical destruction of most of the participating le innkeepers, aswell as a malicious confederation by the system administrators of rather a few ofthem. If the servers are dispersed in many jurisdictions, with the service perhap heptad becoming an integral part of the Internet, then a fortunate attack could bevery expensive indeed | hopefully beyond even th e resources of governments. 2 In `The City and the St! ars, Arthur C Clarke relates that the machinery of the cityof Diaspar was defend from wear and tear by ` timelessness circuits; but he omits the engineering science details. The detailed design provide utilise the well cognize principles of fragmentation,redundancy and scattering. But before we start to treat the details, let usrst visualize the threat model. 4.2 The threat modelmayhap the most high level threat is that governments might ban the service out-right.Might this be through by all governments, or at least by enough to marginalisethe service?The political arguments are quite predictable. Governments will objective lens thatchild pornographers, Anabaptists and Persian spies will use the service, datelibertarians will point out that the enemies of the state also use telephones, faxes,email, tv set and every other medium ever invented. Software publishers will beafraid that a marauder will Eternally publish their in style(p) release, and ask for an `es-crow installi ng that lets a judge have o ending bailiwick destroyed; libertarians willobject that no judge straight off can destroy the information contained in a personaladvertisement published in `The Times at the cost of a few pounds. But law tends to lag technology by a cristal or more; it is be hard to getall governments to agree on anything; and some countries, such as the USA,have throw in the towel speech enshrined in their constitutions. So an e ective worldwide banis un wantly. There might always be topical anaesthetic bans: Israeli agents might put up a lecontaining derogatory statements most the Prophet Mohammed, and thus getinfinity servers banned in much of the Muslim world. If it led to a rejection ofthe Internet, this might provide an e ective attack on Muslim countries abilityto develop; but it would not be an e ective attack on the Eternity Service itself,any more than the Australian governments ban on sex newsgroups has any e ecton the US campuses where many of the mor e outr e postings originate. closely non-legislative! global attacks can be distracted by technical means. Net-work flooding can never be completely control out, but can be made very expensiveand punic by providing many access points, ensuring that the location ofindividual les remains a secret and integrating the service with the Internet. So in what follows, we will way on the mechanisms necessary to preventselective service denials at ner levels of granularity. We will pee-pee that anignorant or corrupt judge has issued an injunction that a given le be deleted,and we wish the design of our system to check the plainti s solicitors intheir e orts to seize it. We will also imagine that a military intelligence agencyor criminal organistion is prepared to use bribery, intimidation, kidnap andmurder in tack to remove a le; our system should resist them too. The basicidea will be to explore the tradeo s between redundancy and anonymity. 4.3 A simple designThe simplest design for an infinity service is to mimic the printed boo k. Onemight pay 100 servers worldwide to arrest a reproduction of the le, remember the namesof a ergodicly selected 10 of them (to audit their executing and thus enforcethe contract), and destroy the record of the other 90. Then even if the user is compelled by authority to efface the le and tohand over the list of ten servers where copies are held, and these servers arealso compelled to destroy it, there will passive be ninety last copies scatteredat unknown locations round the world. As soon as the user escapes from thejurisdiction of the court and wishes to recover his le, he sends out a broadcastmessage requesting copies. The servers on receiving this send him a copy via achain of anon. remailers. Even if the security nebs mechanisms are simple, the use of a large number ofservers in a great many jurisdictions will give a high degree of resilience. 4.4 The bearing false witness trapSigni cant improvements might be obtained by intelligent optimisation of thelegal en vironment. For example, server should not delete ete! rnity les withoutmanual favourable reception from a security o cer, whose logon force should requirehim to declare on a lower floor oath that he is a free agent, while the logon banner statesthat access is only classic under conditions of free will. Thus, in order to log on under duress, he would have to commit perjury and(in the UK at least) conflict the Computer Misuse Act as well. Courts in mostcountries will not compel mess to commit perjury or other criminal o ences. We refer to this security measures measure as a `perjury trap. It might be usefulin other applications as well, ranging from root logon to general systems tothe passphrases apply to open up decoding and touch sensation describes in electronic mailencryption software like PGP. 4.5 utilise tamper-proof hardware utilise a perjury trap may block coercion of the abuse-of-process kind in manycountries, but we must still consider more traditional kinds of coercion such askidnapping, extortion and bribery. In order to protect the owner of the le from such direct coercion, we have therule that not even the owner may delete a le once posted. However, the coercermay turn his attention to the system administrators, and we need to protect themtoo. This can best be through with(p) if we groom things so that no identi able group ofpeople | including system administrators | can delete any identi able le inthe system. The simplest go about is to encapsulate the trusted computing base in tamper-resistant hardware, such as the security modules used by banks to protect thepersonal identi cation numbers game used by their customers in autoteller machines[JDK+91]. Of course, such systems are not inerrable; many of them have failedas a result of design errors and in operation(p) blunders [And94], and even if keys arekept in specially hardened silicon chips there are still many ways for a wealthyopponent to attack them [BFL+93]. However, given wide dispersal as one of our protection mechanism s, it may betoo expensive for an opponent to obtain a! nd draw a quorum of tamper resistantdevices within a short time window, and so the combination of tamper bulwarkwith careful protocol design may be su cient. In that case, the Eternity Servicecould be constructed as follows. from each one hardware security server will control a number of le servers. When ale is rst loaded on to the system, it will be passed to the topical anaesthetic security serverwhich will make do it with a number of security servers in other jurisdictions. Thesewill each send an encrypted copy to a le server in only another jurisdiction. When a client requests a le that is not in the local cache, the request will goto the local security server which will contact remote ones chosen at random untilone with a copy under its control is located. This copy will then be decrypted,encrypted under the requesters public key and shipped to him. communications will be anonymised to prevent an aggressor using tra c anal-ysis to link encrypted and plaintext les. S uitable mechanisms include mix-nets( intercommunicates of anonymous remailers) [Cha81] and rings [Cha88]. The former aresuitable for sending the le to the user, and the latter for communications be-tween security servers; even tra c analysis should not output signal useful informationabout which le server contains a copy of which le, and this may be facilitatedby tra c padding [VN94]. Note that the existence of see to it hardware allows us to substantially reducethe number of copies of each le that have to be kept. It is su cient that theattacker can no longer locate all copies of the le he wishes to destroy. Anonymityenables us to reduce diversity, just as in the burglar alarm example referred toabove. 4.6 math or alloy?Relying on hardware tamper resistance may be undesirable. Firstly, it is relative,and erodes over time; secondly, export controls would thick down the spread ofthe system; and, thirdly, special purpose low-volume hardware can be expen-sive. Now it is often the case that security properties can be provided usi! ngmathematics rather than metal. Can we use mathematics to build the eternityservice? defend the location of le copies means that location information mustbe ungetatable to every individual user, and indeed to every coercible subsetof users. Our goal here is to use techniques such as doorsill decryption andByzantine transmutation tolerance, as implemented in groin [Rei94]. Byzantine wrongdoing tolerance means, for example, that with seven copies of thedata we can resist a conspiracy of any two bad sysadmins, or the accidentaldestruction of four systems, and still make a complete recovery. Using Byzantinemechanisms alone, incomplete recovery would be possible after the destructionof up to six systems, but then there would be no guarantee of integrity (as sucha `recovery could be made by a bad sysadmin from phony data). There are some provoke interactions with cryptography. If all les aresigned using a system key, then a full recovery can still be made so long as thereis just one living true copy of the le in the system, and the public key isnot subverted.
Of course, it is rare to get something for nothing, and we mustthen make it hard to compromise the sign language key (and possible to recover fromsuch a compromise). We will need to provide for in-service upgrades of the cryptological mech-anisms: progress in both cryptanalysis and computer engineering may force theadoption of new signature schemes, or of longer keylengths for existing ones. Wewill also need to recover from the compromise of any key in the system. Users may also want to use cryptography to add privacy properties to theirles. In order to prevent a number of attacks (su! ch as selective service denialat think of time) and complications (such as resilient management of authen-tication), the eternity service will not identify users. Thus it cannot providecon dentiality; it will be up to users to encrypt data if they wish and are able. Of course, many users will select encryption schemes which are weak, or whichbecome vulnerable over time; and it may be hoped that this will make govern-ments less ill-disposed towards the service. 4.7 IndexingThe systems directory will also have to be a le in it. If users are left to rememberle names, then the opponent can deny service by pickings out an injunctionpreventing the people who know the name from revealing it. The directory should belike contain not just the les logical name (theone which germane(predicate) security servers would understand), but also some furtherlabels such as a plaintext name or a keyword list, in order to allow retrieval bypeople who have not been able to turn back machine unmortga ged information. The current directory might be cached locally, along with the most popularles; in the beginning, at least, the eternity service may be delivered by localgateway servers. Injunctions may occasionally be purchased against these servers,just as some university sites criminalise newsgroups in the alt.sex.* namespace;however, users should still be able to ftp their data from overseas gateways. Ultimately, we will aim for a seamless integration with the rest of the Internet. 4.8 PaymentThe eternity service may have to be commercialised more quickly than the rest ofthe Internet, as storage costs money paid locally, while most academic networkcosts are paid centrally. Here we can adapt digital cash to generate an `electronicannuity which follows the data around. Provided the mechanics can be got right, the economics will get better allthe time for the leserver owners | the cost of disk space keeps dropping geo-metrically, but they keep on getting their $1 per MB per year (or whatever) fortheir old les. This will motivate ! server owners to guard their les well, and tocopy them to new media when current technology becomes obsolete. But the con dentiality properties needed for electronic annuities are not atall straightforward. For example, we may want banks to underwrite them, butwe do not want the opponents lawyers enjoining the bankers. Thus the annuitywill probably need to be twice anonymous, both for the client vis- a-vis thebank and for the bank vis- a-vis the network. How do we square this with auditand accountability, and with preventing money laundering? What if our bentjudge orders all banks to delay stipend by long enough for the nancier of anallegedly libellous le to be flushed out? These requirements do not seem to havebeen tackled yet by digital cash researchers. Another problem will arise once the service becomes pro table. Presumablythere will be a market in taxation-generating Eternity servers, so that a leserverowner who wishes to cash in and retire can sell his revenue generati ng les tothe highest bidder. The obvious risk is that a wealthy opponent might buy upenough servers to have a signi cant chance of obtaining all the copies of a targetle. The substitute risk is that a single network service provider might acquireenough market share to dawn the anonymity of communications and trackdown the copies. How can these risks be controlled? One might try to accept server owners,but any central body responsible for certifying `this site is not an NSA sitecould be bought or coerced, while if the certi cation were distributed amongmany individuals, few of them would have the resources to investigate would-beserver owners thoroughly. An alternative could be to digress the security insurance policy tothe user who uploads the le: she could say something like, `I want seven copiesof my le to be locomote randomly around the next(a) fty sites. The problemhere is how we prevent policy erosion as sites are replaced over time. At a more mundane level, we need mechanisms to run off a le server ownercheating by! claiming annuity payments on a le without guardianship a copy all thetime. After all, he could just download the le from the Eternity Service itselfwhenever he needfully to demonstrate possession. This provides yet another reasonwhy les must be encrypted with keys the server owners do not know; then theannuity payment server can pose a challenge such as `calculate a macintosh on yourle using the following key to check that the annuitant real has kept all thedata that he is being paid to keep. 4.9 TimeOne of the complications is that we need to be able to trust the time; other-wise the opponent might skirt the network time protocol to say that thedate is now 2500AD and loan about general le deletion. Does this bring the lucre Time communications protocol (and thus the worldwide Positioning System and thus theUS subdivision of Defense) within the security perimeter, or do we create ourown secure time service? The mechanics of such a service have been discussedin other con texts, but there is as yet no really secure clock on the Internet. A dependable time service could bene t other applications, such as currencyexchange transactions that are conducted in a merchants exposit while thebank is o ine. Meanwhile, we must plan to rely on wide dispersal, cocksure someextra rules such as `assets may not be deleted unless the sysadmin con rms thedate, `the date for deletion purposes may never exceed the first appearance date ofthe system software by ve years, and `no le may be deleted until all annuitypayments for it have been received. 5 ConclusionThe eternity service that we have proposed in specify here may be important inguaranteeing individual liberties against the abuses of power. It is also interestingfrom the scienti c point of view, and the purpose of this paper has been to presentit to the cryptology and computer security communities as an interesting problemthat merits further study. Building the eternity service will force us to clarify a n umber of points such asthe nature of secure time, the! limits to resilience of distributed authenticationservices, and the write-once list of large databases. The vagabond shouldalso broaden our understanding of anonymity. It appears, for example, that thedi culty of scaling anonymous communications is an indispensable feature ratherthan a nuisance; if there were just one channel, the judge could have it cut orflooded. Perhaps the most interesting aspect of the service is that it might memorise us alot about availability. Just as our appreciation of con dentiality was developedby working out the second- and third-order e ects of the Bell LaPadula policymodel [Amo94], and authenticity came to be understood as a result of analysingthe defects in cryptographic protocols [AN95], so the Eternity Service provides asetting in which availability services must be provided despite the most extremeopponents imaginable. AcknowledgementsSome of these ideas have been sharpen in discussions with Roger Needham,David Wheeler, gym mat Blaze, Mike R eiter, Bruce Schneier, Birgit P tzmann,Peter Ryan and Rajashekhar Kailar; and I am grateful to the Isaac NewtonInstitute for cordial reception while this paper was being written. References[Ald95] \ agree sacked for mend records after babys death, K Alderson, TheTimes 29 November 95 p 6[Amo94] `Fundamentals of Computer Security Technology, E Amoroso, Prentice Hall1994[And94] \why Cryptosystems Fail in communication theory of the ACM vol 37 no 11(November 1994) pp 32{40[AN95] RJ Anderson, RM Needham, \Programming Satans Computer, in `Com-puter acquisition straightaway | Recent Trends and Developments, J van Leeuven(ed.), Springer twit Notes in Computer Science volume 1000 pp 426{440[Bur96] \ procession from the dust, G Burton, in Computer Weekly (29 Feb 1996) p20[BFL+93] S Blythe, B Fraboni, S Lall, H Ahmed, U de Riu, \Layout Reconstructionof Complex te Chips, in IEEE J. of Solid-State Circuits v 28 no 2 (Feb93) pp 138{145[Cha81] D Chaum, \Untraceable electronic mail, return addresses, and digitalpseudonyms, in Communications o! f the ACM v 24 no 2 (Feb 1981) pp84{88[Cha88] D Chaum, \The eat Cryptographers line of work: Unconditional Sender andRecipient Untraceability, in Journal of cryptology v 1 (1988) pp 65{75[IBM93] `Up the creek? | The business perils of computer failure, IBM, 1993[JDK+91] DB Johnson, GM Dolan, MJ Kelly, AV Le, SM Matyas, \ parking area Crypto-graphic Architecture Application Programming Interface, in IBM SystemsJournal 30 no 2 (1991) pp 130 - 150[Nee94] RM Needham, \Denial of Service: an use, in Communications of theACM v 37 no 11 (Nov 94) pp 42{46[Rei94] MK Reiter, \Secure Agreement Protocols: Reliable and Atomic set Mul-ticast in Rampart, in Proc. ACM Conf. on Computer and CommunicationsSecurity 1994 pp 68{80[Rot95] J Rothenberg, \Ensuring the Longevity of Digital Documents, in Scienti cAmerican (January 1995) pp 24{29[VN94] BR Venkataraman, RE Newman-Wolfe, \Performance Analysis of a Methodfor High take aim Prevention of Tra c Analysis Using Measurements from aCampus Network, in Computer Security Applications 94 pp 288{297[Won94] K Wong, \ channel doggedness Planning, in Computer Fraud and SecurityBulletin (April 94) pp 10 - 16 If you want to get a full essay, order it on our website:
OrderCustomPaper.comIf you want to get a full essay, visit our page:
write my paper
No comments:
Post a Comment