Low Randomness Masking and Shuffling: An Evaluation Using Mutual Information


Low Randomness Masking and Shuffling: An Evaluation Using Mutual Information. Kostas Papagiannopoulos (kostaspap88@gmail.com, kpcrypto.net), Radboud University Nijmegen, Digital Security Department, The Netherlands.

Overview
- Masking, shuffling and the cost of RNG
- New countermeasure variants that recycle randomness
- Pitfalls in formal security and noise amplification

Introduction: Masking and Shuffling Schemes Against Side-Channel Analysis

Introduction: Masking Schemes
[Figure: secret S split into shares S0 ... S7]
- One of the most popular countermeasures against SCA
- Forces the adversary to recombine shares
- Performs noise amplification [1]
- Computationally demanding in operations and RNG: O(n^2) random elements for an ISW multiplication with n shares [2]
[1] Suresh Chari, Charanjit S. Jutla, Josyula R. Rao, and Pankaj Rohatgi. Towards sound approaches to counteract power-analysis attacks.
[2] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks.

Introduction: Shuffling Schemes
[Figure: Sbox1 Sbox2 Sbox3 Sbox4 permuted to Sbox3 Sbox1 Sbox4 Sbox2]
- Widely deployed countermeasure
- Permutes independent blocks (e.g. S-box calls) in a random order
- Performs noise amplification [3]
- Computationally demanding in RNG: approximately $k \lceil \log_2 k \rceil$ random bits to shuffle k operations [4]
[3] Nicolas Veyrat-Charvillon, Marcel Medwed, Stéphanie Kerckhof, and François-Xavier Standaert. Shuffling against side-channel attacks: A comprehensive study with cautionary note.
[4] Donald E. Knuth. The Art of Computer Programming, Volume 2 (3rd Ed.): Seminumerical Algorithms.

Introduction: RNG Overhead
The RNG constitutes a considerable performance overhead:
- 2nd-order AES on AVR, pseudo-RNG [5]: RNG 38%, cipher 62%
- 2nd-order PRESENT on ARM Cortex-M4, true RNG [6]: RNG 25%, cipher 75%
- 4th-order AES on ARM Cortex-A in NEON assembly, /dev/urandom [7]: RNG 99%, cipher 1%
[5] Josep Balasch, Sebastian Faust, Benedikt Gierlichs, Clara Paglialonga, and François-Xavier Standaert. Consolidating inner product masking.
[6] Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider, and Lejla Batina. Bitsliced masking and ARM: Friends or foes?
[7] Benjamin Grégoire, Kostas Papagiannopoulos, Peter Schwabe, and Ko Stoffelen. Vectorizing higher-order masking.

Recycled Randomness Masking (RRM): reducing the RNG overhead in masking with RRM

RRM: Example
Assume two 2nd-order secure, independent ISW multiplication gadgets z = xy and c = ab (three shares each; six random values w0, w1, w2 and t0, t1, t2):
$z_0 = x_0 y_0 \oplus w_0 \oplus w_1$
$z_1 = x_1 y_1 \oplus ((w_0 \oplus x_0 y_1) \oplus x_1 y_0) \oplus w_2$
$z_2 = x_2 y_2 \oplus ((w_1 \oplus x_0 y_2) \oplus x_2 y_0) \oplus ((w_2 \oplus x_1 y_2) \oplus x_2 y_1)$
$c_0 = a_0 b_0 \oplus t_0 \oplus t_1$
$c_1 = a_1 b_1 \oplus ((t_0 \oplus a_0 b_1) \oplus a_1 b_0) \oplus t_2$
$c_2 = a_2 b_2 \oplus ((t_1 \oplus a_0 b_2) \oplus a_2 b_0) \oplus ((t_2 \oplus a_1 b_2) \oplus a_2 b_1)$

RRM: Example
Recycle some random numbers from the first gadget to the second (w0 and w1 replace t0 and t1; t2 stays fresh):
$z_0 = x_0 y_0 \oplus w_0 \oplus w_1$
$z_1 = x_1 y_1 \oplus ((w_0 \oplus x_0 y_1) \oplus x_1 y_0) \oplus w_2$
$z_2 = x_2 y_2 \oplus ((w_1 \oplus x_0 y_2) \oplus x_2 y_0) \oplus ((w_2 \oplus x_1 y_2) \oplus x_2 y_1)$
$c_0 = a_0 b_0 \oplus w_0 \oplus w_1$
$c_1 = a_1 b_1 \oplus ((w_0 \oplus a_0 b_1) \oplus a_1 b_0) \oplus t_2$
$c_2 = a_2 b_2 \oplus ((w_1 \oplus a_0 b_2) \oplus a_2 b_0) \oplus ((t_2 \oplus a_1 b_2) \oplus a_2 b_1)$
Randomness cost reduced by 2 random numbers (4 instead of 6).

RRM: Example
Formal security verification [8]: the combined 2-multiplication gadget of the previous slide (c reusing w0 and w1) is 2-NI, i.e. 2-non-interfering: any 2 probed intermediate values can be simulated from at most 2 shares of each input.
[8] Jean-Sébastien Coron. Formal verification of side-channel countermeasures via elementary circuit transformations.

RRM: Example
Recycle more! (w2 now also replaces t2):
$z_0 = x_0 y_0 \oplus w_0 \oplus w_1$
$z_1 = x_1 y_1 \oplus ((w_0 \oplus x_0 y_1) \oplus x_1 y_0) \oplus w_2$
$z_2 = x_2 y_2 \oplus ((w_1 \oplus x_0 y_2) \oplus x_2 y_0) \oplus ((w_2 \oplus x_1 y_2) \oplus x_2 y_1)$
$c_0 = a_0 b_0 \oplus w_0 \oplus w_1$
$c_1 = a_1 b_1 \oplus ((w_0 \oplus a_0 b_1) \oplus a_1 b_0) \oplus w_2$
$c_2 = a_2 b_2 \oplus ((w_1 \oplus a_0 b_2) \oplus a_2 b_0) \oplus ((w_2 \oplus a_1 b_2) \oplus a_2 b_1)$
Randomness cost reduced by 3 random numbers (3 instead of 6).

RRM: Example
Formal security verification of the fully recycled gadget: INSECURE; check the pair $(z_2, c_2)$. With w0, w1 and w2 all shared, $z_2 \oplus c_2$ cancels every random value and depends on the secret inputs, so an adversary probing $z_2$ and $c_2$ together learns something about the secrets with only 2 probes.
Recycling excessively can hurt probing security even between independent gadgets.

RRM: Efficient Gadgets
Search for 2-multiplication NI gadgets that recycle randomness. Randomness cost (random elements) of two multiplications:

                  2-mult ISW gadgets [2]        2-mult BBP gadgets [9]
                  order 1  order 2  order 3     order 1  order 2  order 3
Recycling: yes       1        4        8           1        2        6
Recycling: no        2        6       12           2        4        8

[2] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks.
[9] Sonia Belaïd, Fabrice Benhamouda, Alain Passelègue, Emmanuel Prouff, Adrian Thillard, and Damien Vergnaud. Randomness complexity of private circuits for multiplication.
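The two-gadget construction of the RRM example, as an added example that is not part of the original slides or the paper's own code: both 2nd-order ISW multiplications are built over GF(2) bits (the slides do not fix the field; a bit-level instance is enough to show which random values each wire contains, which is all the probing argument uses), `recycle` selects how many of the second gadget's random values are taken from the first, and `leaking_pairs` exhaustively checks the standard 2-probing property (the joint distribution of any two intermediate values is independent of the secrets). That property is implied by the 2-NI property the slides verify with [8], so the variant that recycles w0 and w1 must pass and the one that also recycles w2 must fail. The wire names are our own.

```python
"""Added example (not the slides' code): the two 2nd-order ISW multiplication
gadgets z = x*y and c = a*b from the RRM slides, over GF(2) bits, with the
second gadget reusing 0, 2 or 3 random values of the first, plus an exhaustive
2-probing check over every pair of intermediate values."""
from functools import lru_cache
from itertools import combinations, product


@lru_cache(maxsize=None)
def _var_masks(n_vars):
    # Bit-parallel encoding: random variable j is an int whose bit i is the
    # value of that variable in the i-th of the 2**n_vars assignments, so one
    # evaluation of the circuit covers every assignment of the random bits.
    n = 1 << n_vars
    masks = tuple(sum(1 << i for i in range(n) if (i >> j) & 1) for j in range(n_vars))
    return masks, (1 << n) - 1


def isw3(out, x, y, r01, r02, r12, wires):
    """3-share ISW multiplication with the bracketing of the slides. Every
    intermediate value is recorded in `wires` (the probe targets; names ours)."""
    def rec(name, val):
        wires[name] = val
        return val
    p = [[rec(f"{out}:p{i}{j}", x[i] & y[j]) for j in range(3)] for i in range(3)]
    z0 = rec(f"{out}0", rec(f"{out}:u", p[0][0] ^ r01) ^ r02)
    v = rec(f"{out}:v1", r01 ^ p[0][1])
    v = rec(f"{out}:v2", v ^ p[1][0])             # (r01 + x0y1) + x1y0
    z1 = rec(f"{out}1", rec(f"{out}:v3", p[1][1] ^ v) ^ r12)
    s = rec(f"{out}:s1", r02 ^ p[0][2])
    s = rec(f"{out}:s2", s ^ p[2][0])             # (r02 + x0y2) + x2y0
    s = rec(f"{out}:s3", p[2][2] ^ s)
    q = rec(f"{out}:q1", r12 ^ p[1][2])
    q = rec(f"{out}:q2", q ^ p[2][1])             # (r12 + x1y2) + x2y1
    return z0, z1, rec(f"{out}2", s ^ q)


def build(recycle, secrets):
    """Evaluate both gadgets for fixed secret bits (x, y, a, b) over ALL
    assignments of the random bits. recycle=0: c uses fresh (t0, t1, t2);
    recycle=2: c reuses (w0, w1); recycle=3: c reuses (w0, w1, w2)."""
    m, full = _var_masks(8 + 6 - recycle)   # 8 share bits + the gadget randoms

    def const(bit):
        return full if bit else 0

    def share(bit, r0, r1):                   # 3 shares, two of them random
        return (r0, r1, const(bit) ^ r0 ^ r1)
    x, y = share(secrets[0], m[0], m[1]), share(secrets[1], m[2], m[3])
    a, b = share(secrets[2], m[4], m[5]), share(secrets[3], m[6], m[7])
    w = m[8:11]
    t = w[:recycle] + m[11:14 - recycle]
    wires = {}
    for name, vals in (("x", x), ("y", y), ("a", a), ("b", b), ("w", w), ("t", t)):
        for i, val in enumerate(vals):
            if name != "t" or i >= recycle:   # a recycled t_i is the same wire as w_i
                wires[f"{name}{i}"] = val
    z = isw3("z", x, y, *w, wires)
    c = isw3("c", a, b, *t, wires)
    return wires, full, z, c


def recombines_correctly(recycle):
    """Sanity check: the shares of z and c always XOR to x*y and a*b."""
    for sec in product((0, 1), repeat=4):
        _, full, z, c = build(recycle, sec)
        if (z[0] ^ z[1] ^ z[2]) != (full if sec[0] & sec[1] else 0):
            return False
        if (c[0] ^ c[1] ^ c[2]) != (full if sec[2] & sec[3] else 0):
            return False
    return True


def leaking_pairs(recycle):
    """Exhaustive 2-probing check: for every pair of wires, the joint
    distribution over the random bits must not depend on the secrets.
    Returns the pairs for which it does (empty list = 2-probing secure)."""
    seen = {}
    for sec in product((0, 1), repeat=4):
        wires, _, _, _ = build(recycle, sec)
        ones = {n: bin(v).count("1") for n, v in wires.items()}
        for u, v in combinations(wires, 2):
            dist = (ones[u], ones[v], bin(wires[u] & wires[v]).count("1"))
            seen.setdefault((u, v), set()).add(dist)
    return [pair for pair, dists in seen.items() if len(dists) > 1]


if __name__ == "__main__":
    for r in (0, 2, 3):
        print(f"recycle={r}: correct={recombines_correctly(r)} leaks={leaking_pairs(r)}")
```

The check only covers the intermediate wires as bracketed on the slides; a different evaluation order creates different wires and must be re-checked, which is exactly why the slides hand the gadget to a verification tool [8] rather than reasoning about it by hand. The probing property tested here is weaker than NI (it does not give composability), so a pass from this script is a necessary but not sufficient condition for the 2-NI result quoted on the slides.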

RRM: Noise Amplification Pitfall
Central limit theorem: let a random value occur m times, emitting leakages $L_1, L_2, \dots, L_m \sim \mathcal{N}(\mu, \sigma)$. Averaging the leakages gives
$L_{avg} = \frac{1}{m} \sum_{i=1}^{m} L_i \sim \mathcal{N}\left(\mu, \frac{\sigma}{\sqrt{m}}\right)$,
i.e. exploiting the recycling can de-noise the signal [10].
We consider two types of adversary and perform an information-theoretic analysis [11]:
- C1: naive, does not see the recycling
- C2: smart, can see the leakages from all occurrences of a recycled value
[10] Alberto Battistello, Jean-Sébastien Coron, Emmanuel Prouff, and Rina Zeitoun. Horizontal side-channel attacks and countermeasures on the ISW masking scheme.
[11] François-Xavier Standaert, Tal Malkin, and Moti Yung. A unified framework for the analysis of side-channel key recovery attacks.

RRM: Noise Amplification Pitfall
[Plot not reproduced in the transcript]
1. The naive adversary C1 cannot take advantage of recycling.
2. The smart adversary C2 can shift the curve to the right, i.e. obtain more information at a given noise level.
3. Excessive recycling can damage the security.
4. RRM is a tradeoff between security and randomness cost.

Reduced Randomness Shuffling (RRS): reducing the RNG overhead in shuffling with RRS

RRS: Original Shuffling
[Figure: three layers of Block1 ... Block4, each layer shuffled independently]
Randomness cost: shuffle 3 layers independently, each layer shuffles 4 blocks: $3 \cdot 4 \cdot \log_2 4 = 24$ bits.

RRS: Partitioned Shuffling
Partition each layer in two, i.e. partition factor $f_p = 2$: Block1 and Block2 are permuted among themselves, Block3 and Block4 among themselves.
Randomness cost: shuffle 6 partitioned layers independently, each of 2 blocks: $6 \cdot 2 \cdot \log_2 2 = 12$ bits < 24 bits.


RRS: Merged Shuffling
Merge layers 1 and 2 and shuffle them together with a single permutation, i.e. merge factor $f_m = 2$.
Randomness cost: shuffle 2 layers, the merged layer (1,2) and layer 3; the merged layer has 4 blocks and the non-merged layer 3 has 4 blocks: $4 \log_2 4 + 4 \log_2 4 = 16$ bits < 24 bits.
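The randomness accounting of the original, partitioned and merged shuffling, and the $k \lceil \log_2 k \rceil$ estimate from the introduction, as an added example that is not part of the original slides: `approx_cost` reproduces the slides' bit counts, `rrs_permutations` draws the actual per-layer permutations with a Fisher-Yates shuffle [4] from a bit source that counts what it hands out, and `measured_cost` reports that count so the estimate can be compared with what an implementation consumes. Allowing $f_p$ and $f_m$ at the same time is our generalisation; the slides use one or the other. The `random.Random` seed stands in for a real RNG.

```python
"""Added example (not the slides' code): randomness accounting for original,
partitioned and merged shuffling of `layers` cipher layers with `blocks`
independent operations each, driven by a Fisher-Yates shuffle over a counted
bit source so the slides' k*ceil(log2 k) estimate can be compared with what an
implementation actually consumes."""
import math
import random


class BitSource:
    """Wraps random.Random (deterministic per seed, a stand-in for the RNG of
    a real implementation) and counts every bit handed out."""

    def __init__(self, seed):
        self._rng = random.Random(seed)
        self.bits_used = 0

    def below(self, n):
        """Uniform integer in [0, n) from ceil(log2 n)-bit draws with rejection."""
        if n <= 1:
            return 0
        width = (n - 1).bit_length()           # = ceil(log2 n)
        while True:
            self.bits_used += width
            v = self._rng.getrandbits(width)
            if v < n:
                return v


def fisher_yates(k, src):
    """Knuth's Algorithm P [4]: uniformly random permutation of range(k)."""
    perm = list(range(k))
    for i in range(k - 1, 0, -1):
        j = src.below(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def approx_cost(layers, blocks, f_p=1, f_m=1):
    """Randomness in bits with the slides' estimate of k*ceil(log2 k) per
    shuffle of k blocks. f_p partitions each layer into f_p groups shuffled
    separately; f_m lets f_m consecutive layers share one permutation."""
    k = blocks // f_p
    per_layer = f_p * k * math.ceil(math.log2(k)) if k > 1 else 0
    return math.ceil(layers / f_m) * per_layer


def rrs_permutations(layers, blocks, src, f_p=1, f_m=1):
    """Draw the permutation applied to each layer: merged layers get the same
    one, and within a layer each partition is shuffled among itself."""
    size = blocks // f_p
    perms = []
    for first in range(0, layers, f_m):
        perm = []
        for g in range(f_p):
            perm += [g * size + p for p in fisher_yates(size, src)]
        for _ in range(min(f_m, layers - first)):
            perms.append(list(perm))
    return perms


def measured_cost(layers, blocks, f_p=1, f_m=1, seed=0):
    """Bits actually consumed by rrs_permutations for a fixed seed."""
    src = BitSource(seed)
    rrs_permutations(layers, blocks, src, f_p, f_m)
    return src.bits_used


if __name__ == "__main__":
    for label, kw in (("original", {}), ("partitioned f_p=2", {"f_p": 2}),
                      ("merged f_m=2", {"f_m": 2})):
        print(f"{label}: estimate {approx_cost(3, 4, **kw)} bits, "
              f"measured {measured_cost(3, 4, **kw)} bits")
```

The measured count is a random variable because `below` rejects out-of-range draws, and for the 3 x 4 example it comes out under the slides' estimate, which charges $\lceil \log_2 k \rceil$ bits for every one of the k positions while Fisher-Yates only needs $\lceil \log_2 i \rceil$ bits for position i. Either way the relative savings of partitioning and merging carry over, since both simply reduce how many independent permutations, and of what size, have to be drawn.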

RRS: Noise Amplification
1. Partitioning or merging layers reduces the randomness cost.
2. Like RRM, it damages the noise amplification stage of shuffling.
3. RRS is a tradeoff between security and randomness cost.

Future Directions: towards parametric design for side-channel countermeasures

Future Directions: RNG
- We have demonstrated how to reduce the randomness cost in masking and shuffling.
- Establish the required properties for a generator used in side-channel protection.

Future Directions: Parametric Design
- Modern architecture: x-th order masking.
- Parametric architecture: a multitude of countermeasure variants to choose from, e.g. x-th order masking with y recycled random numbers and merged shuffling of z cipher layers.
[Images: Athens Tower, 1971; Turning Torso, Malmö, 2005]