On Black-Box Separations in Cryptography Omer Reingold Closed captioning and other considerations provided by Tal Malkin, Luca Trevisan, and Salil Vadhan.

Presentation transcript:


Crypto - The Merry Old Days

Cryptographic Protocols, Primitives, and Assumptions (slide word cloud): Identification, Digital Signatures, Encryption, Electronic Voting, Electronic Commerce, One-Way Functions, Pseudo-Random Generators, Trapdoor Permutations, Oblivious Transfer, Dense Crypto System, Homomorphic Encryption, UOWHFs, ID Based Encryption, PIRs; assumptions: Factoring, RSA, Strong RSA, DDH.

Determining the Relationships Among Different Primitives. Most tasks in complexity-based crypto imply P ≠ NP (or even OWF). Simplify our conception of the world. Construct protocols with as strong a security guarantee as possible. Reductions: given any implementation of primitive A, construct an implementation of primitive B.

Some Known Reductions (slide diagram of implications among primitives): OWF, PRG, PRF, MAC, ENC, COM, ZK, ID, UOWHF, SIG, TDP, PKE, OT, KA, CCA-PKE, CLAW-FREE, CF-HASH, NIZK.

Are All Crypto Primitives Equivalent? If so: either no cryptography or Cryptomania! But some tasks seem significantly harder than others (e.g. private-key vs. public-key encryption). In what sense can we claim that primitive A does not imply primitive B if we believe that both exist? After all, a reduction of B to A can ignore A and build B from scratch...

Black-Box Separations – Where it Began: Impagliazzo-Rudich [IR89]. While it is not clear how to formalize/show non-implications in general, we can do that w.r.t. black-box reductions.

(Fully) Black-Box Reductions: given a black-box implementation of primitive A, construct an implementation of primitive B (slide diagram: A used as a box inside B). A black-box implementation alone is usually still not structured enough to rule out; we also need a black-box proof of security (several flavors): an adversary for B is turned, with oracle access only, into an adversary for A (slide diagram: Adv. for B inside Adv. for A, both with access to A). Such fully black-box reductions relativize (hold relative to every oracle).

What's not Black-Box? No idea … ask Boaz … Oh well … The Cook-Levin reduction is used in: OWF ⇒ ZK proofs for all of NP [GMW91]. The non-BB use carries on to applications: semi-honest OT ⇒ malicious OT [GMW87]; OWF ⇒ ID schemes [FFS88]. Similarly, the circuit of f is used in the secure computation of f [Yao86, GMW87]; [Beaver96]: few OTs + OWF ⇒ many OTs. Barak's non-BB ZK and subsequent results use both old and new non-BB techniques.

What do Black-Box Separations Mean? This talk will concentrate on the mathematical rather than the philosophical meaning. Still … there are few non-black-box techniques (and only in limited settings), and they carry an inherent limitation on efficiency. Therefore black-box separations are an explanation/indication of the hardness of finding reductions (esp. efficient ones). BB reductions are also more robust: they work w.r.t. physical implementations of primitives.

What do Black-Box Separations Mean? Insight into the relevant primitives. Guidance for non-black-box reductions or even for black-box reductions. (Sometimes most meaningful when looking inside the box.) Analogy from complexity: a Cook/Karp reduction of problem A to problem B is a black-box proof that B ∈ P ⇒ A ∈ P. SAT ∈ P ⇒ QBF_2 ∈ P is true but inherently non-BB (QBF_2 is quantified Boolean formulas with 2 alternations).

What do Black-Box Separations Mean? (cont.) Examples from cryptography: TDP seems to be of a different complexity than OWF; [IR89] supports this. Collision-resistant hashing might have seemed similar in nature to OWFs; [Simon98] challenged this (which is consistent with recent cryptanalytic attacks against popular hash functions).

What do Black-Box Separations Mean? (cont.) Guidance for black-box constructions? If a particular construction cannot be proved in a BB way, it may be easier to change the construction than to overcome the obstacle. Examples: Want to reduce Stat-Commit to OWF? Probably not a good approach: Stat-Commit -> OWP -> OWF. [Myers04] shows no BB proof for one particular natural construction (static to adaptive security).

What do Black-Box Separations Mean? (cont.) Word of warning: potentially, a non-black-box proof may follow a black-box approach most of the way, with only a small non-black-box fix.

Black-Box and Oracle Separations. [IR89]: there exists an oracle relative to which one-way functions exist but key agreement does not. Hence: no fully black-box reduction of key agreement to one-way functions. Many other BB separations/lower bounds [Rud91, Sim98, KST99, KSS00, GKM+00, GT00, GMR01, CHL02, ...], using various notions of BB reductions, in particular not always implying an oracle separation (e.g. [GMR01]).

Crypto After IR (Impagliazzo's Worlds). Slide diagram of worlds and primitives: Algorithmica, Heuristica, Pessiland; Minicrypt: One-Way Functions, Pseudorandom Generators, Private-Key Encryption, Digital Signatures; Cryptomania: Key Agreement, Public-Key Encryption, Trapdoor Permutations, Secure Multi-Party Computation (OT). Not even a hierarchy of problems [GKMVR00].

This Talk. [IR89]: the separation, its proof, and the interpretation of the results. Also many other separations and their proof intuitions. Focus on techniques and subtleties. Beware: some cheating involved.

The Impagliazzo-Rudich Results. Thm: if P = NP, key agreement (KA) is impossible in the random-oracle model: ∀ KA (Alice, Bob) ∃ Eve such that, for a random permutation f, Eve^f breaks (Alice^f, Bob^f). Cor 1: there is an oracle relative to which OWP exists and KA does not. The oracle: (f, PSPACE), since P^PSPACE = NP^PSPACE. Cor 2: there is no fully-BB reduction from KA to OWP. Cor 3: …

[IR89] – Why f is a OWP. Intuitively obvious: when trying to invert f on some y = f(x), there is no chance unless one accidentally queries f on x. With q queries the chance of that is < 2q/2^n. More formally: for M making q queries and n-bit y, Pr_f[M^f(y) = f^{-1}(y)] < (2q+2)/2^n. Fix n; by Markov, Pr_f{ Pr_y[M^f(y) = f^{-1}(y)] > n^2 (2q+2)/2^n } < 1/n^2. So for every M, with probability 1 over f, Pr_y[M^f(y) = f^{-1}(y)] > n^2 (2q+2)/2^n holds only for finitely many n (the bounds 1/n^2 are summable) …. Since there are countably many M, with probability 1 over f this holds for every M …

Why f is a OWP Against Circuits. Too many circuit families for a uniform argument (not enumerable). [GT00]: f is exponentially hard even against circuits. High-level idea: consider C that makes q queries and ε-inverts f. C gives some non-trivial information on f, hence a compact description of f relative to C. Loosely, the description of f contains two carefully chosen subsets X and Y, and f restricted to {0,1}^n \ X: f(X) = Y; Y contains a 1/q fraction of the y's on which C inverts; X and Y allow reconstruction of f restricted to X. Setting the parameters correctly: #descriptions << (2^n)!, so C can ε-invert only an exponentially small fraction of the f's.

[IR89] – How Eve Finds the Secret. Recall we assume P = NP and want to show that Eve^f breaks (Alice^f, Bob^f). P = NP implies that without f there is no cryptographic hardness; in particular, no KA! In fact, for the purpose of an oracle separation, we can essentially assume Eve, Alice and Bob are all-powerful and only bounded by the number of queries to f. In this setting there is a clear characterization of knowledge: the queries made to f and their answers.

[IR89] – How Eve Finds the Secret, cont. If s is the key agreed by Alice and Bob, assume w.l.o.g. that both parties query f on s. Therefore s is an intersection query. It is enough that Eve finds all likely intersection queries. Eve's algorithm (oversimplified): let T be the transcript of (Alice^f, Bob^f), and let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times: Simulate: sample a random view of Alice which is consistent with T and L. Update: repeat all the queries the simulated Alice makes, but this time to the real f; insert them into L. Output a random query from L.

[IR89] – How Eve Finds the Secret, cont. Intuition: whenever the simulated Alice is consistent with the real Bob's view, the simulated Alice has a fair chance to query s. Any inconsistency reveals one of Bob's queries, and this can happen only a polynomial number of times.
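As an added illustration (not from the talk), the simulate/update loop above run against a constructed toy protocol: Merkle puzzles relative to a lazily sampled random permutation on 8-bit inputs. Eve never looks inside Alice or Bob; she only resamples a view of Alice consistent with the transcript and her list L, replays those queries to the real f, and stops once L contains the intersection query. The names, the 8-bit domain and the puzzle count are my choices.

```python
import random

N_BITS = 8                   # toy oracle on 8-bit inputs: 256 possible queries
DOMAIN = 1 << N_BITS


class RandomPermutationOracle:
    """Lazily sampled random permutation f on {0,1}^n with per-party query counts."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}        # x -> f(x), filled on first query
        self.used = set()      # outputs already assigned (keeps f injective)
        self.queries = {}

    def query(self, who, x):
        self.queries[who] = self.queries.get(who, 0) + 1
        if x not in self.table:
            y = self.rng.randrange(DOMAIN)
            while y in self.used:
                y = self.rng.randrange(DOMAIN)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def merkle_puzzles(f, rng, m):
    """Constructed toy protocol: Merkle puzzles relative to f.  Alice sends
    y_j = f(x_j) for m random x_j; Bob queries f on random inputs until he
    hits some y_i and sends i; the key x_i is an intersection query."""
    xs = rng.sample(range(DOMAIN), m)
    ys = [f.query("alice", x) for x in xs]
    index_of = {y: j for j, y in enumerate(ys)}
    while True:
        x = rng.randrange(DOMAIN)
        y = f.query("bob", x)
        if y in index_of:
            i = index_of[y]
            break
    transcript = (ys, i)       # everything Eve sees on the wire
    return xs[i], x, transcript


def eve_attack(f, rng, transcript):
    """[IR89]-style generic Eve: Simulate a view of Alice consistent with the
    transcript T and the list L of real (query, answer) pairs, then Update by
    replaying the simulated queries to the real f, until L holds f^-1(y_i)."""
    ys, i = transcript
    L = {}
    while True:
        known = {y: x for x, y in L.items()}
        unqueried = [x for x in range(DOMAIN) if x not in L]
        fresh = rng.sample(unqueried, min(len(ys), len(unqueried)))
        # Simulate: Alice's x_j must satisfy f'(x_j) = y_j for some f'
        # agreeing with L; reuse L's preimage if it has one, else a fresh x.
        simulated = [known[y] if y in known else fresh.pop() for y in ys]
        # Update: replay the simulated queries to the real f, record them in L.
        for x in simulated:
            if x not in L:
                L[x] = f.query("eve", x)
        preimages = {y: x for x, y in L.items()}
        if ys[i] in preimages:     # the intersection query is now in L
            return preimages[ys[i]]


def run_demo(seed=1, m=16):
    rng = random.Random(seed)
    f = RandomPermutationOracle(rng)
    key_alice, key_bob, transcript = merkle_puzzles(f, rng, m)
    key_eve = eve_attack(f, rng, transcript)
    return {"alice": key_alice, "bob": key_bob, "eve": key_eve,
            "queries": dict(f.queries)}
```

Eve's counter shows the price of the generic attack: up to 2^n queries against m + roughly 2^n/m for the parties, i.e. the quadratic gap of Merkle puzzles.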

[IR89] Results – Revisited. Thm: if P = NP, key agreement (KA) is impossible in the random-oracle model. One cannot get a more natural and meaningful separation. How can a reduction overcome this separation? Traditional interpretation: to overcome the separation, the construction of KA must use the code of the OWP. [RTV04] shows that there is no limitation in using the OWP as a black box in the construction of KA; the separation might instead be overcome by using the code of the adversary in the proof of security (as in [Bar01, Bar02]).

Taxonomy of Black-Box Reductions I (the case OWF ⇒ KA) [RTV04]. Black-box implementation: efficient (Alice, Bob) s.t. for every OWF f, (Alice^f, Bob^f) is a secure KA. Proof of security: Eve breaking (Alice^f, Bob^f) ⇒ Adv inverting f. Fully-BB reduction: ∃ efficient Adv ∀ Eve (even inefficient) [Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f]. Semi-BB reduction: ∀ efficient Eve ∃ efficient Adv [Eve^f breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f]. [IR89]: no relativizing reduction, thus also no fully-BB one; if P = NP, no semi-BB one either.

Semi-BB vs. Relativizing. Is semi-BB the same as a BB implementation with an arbitrary proof of security? No: [RTV04] shows no relativizing reduction ⇒ no semi-BB reduction. Proof idea: we can embed into f an arbitrary oracle, in particular we can embed Eve. The embedding technique is due to [Sim98].

Semi-BB vs. Relativizing, cont. [RTV04]: no relativizing reduction ⇒ no semi-BB reduction. Proof sketch: let O be an oracle s.t. ∃ OWF g and no KA relative to O. Define f by embedding O into it. Every (Alice^f, Bob^f) can be broken in PPT^f, but f cannot be inverted in PPT^f ⇒ no semi-BB reduction.

Taxonomy II – BB Implementation with Free Proof of Security. Fully-BB: ∃ efficient Adv ∀ Eve (even inefficient) [Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f]. Semi-BB: ∀ efficient Eve ∃ efficient Adv [Eve^f breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f]. Mildly-BB: ∀ efficient Eve ∃ efficient Adv [Eve breaks (Alice^f, Bob^f) ⇒ Adv^f inverts f]. Now Eve is really efficient (no oracle access). Slide diagram of the hierarchy (each notion implies the next): Fully-BB ⇒ Relativizing ⇒ Semi-BB ⇒ Mildly-BB ⇒ Free.

The Power of Mildly-BB. Only mildly-BB separations are about the efficiency of reductions [GT00, GGK03]. Thm: ∃ OWF ⇒ ∃ KA if and only if there is a mildly-BB reduction from KA to OWF. Conclusion: the restriction is in the BB proof of security rather than in the BB implementation.

The Power of Mildly-BB, cont. Thm: ∃ OWF ⇒ ∃ KA if and only if there is a mildly-BB reduction from KA to OWF. Proof sketch: given an OWF oracle f (secure against PPT^f), construct a secure KA (against PPT). Case I: ∃ KA. The construction ignores the oracle and just executes the secure KA.

The Power of Mildly-BB, cont. Case II: no KA and therefore no OWF. Then every function that is easy to compute is easy to invert ⇒ the oracle OWF f must be hard to compute. KA protocol: Alice sends random (x, r); the parties agree on ⟨f(x), r⟩.

OWF vs. OWP. [IR, KSS00]: a random oracle separates OWF from OWP. A much simpler argument for a weaker result. Thm: if G^f is a permutation for every function f, then for all f one can invert G^f (using a PSPACE-complete oracle). Adv algorithm on input y = G^f(x): let L be a list of queries and answers to f (initially empty). Repeat a polynomial number of times: Simulate: generate some f' and x' such that f' is consistent with L and y = G^{f'}(x'). Update: repeat all the queries made in evaluating G^{f'}(x'), but this time to the real f; insert them into L. Output the last x'. Correctness: if x' ≠ x then, since G^f is a permutation, G^f(x') ≠ y = G^{f'}(x'), so the two evaluations must reveal a new inconsistency between f' and f.

OWF vs. OWP, cont. Where is the weakness? To argue that G is insecure we assumed it is correct: G^f is a permutation for every function f. Is this legitimate?

More on Relativizing vs. BB Reductions. In some scenarios (e.g. KA -> OWF): no relativizing reduction, no fully-BB reduction. Not always: consider the construction of trapdoor (poly-to-1) functions from PKE. [BHSV98] gives a construction in the random-oracle model, so it is hard to come up with an oracle separation (as the oracle may potentially be used for the BHSV transformation). [GMR01] solves it by showing, for any particular construction, an oracle that foils it (rather than giving one oracle that foils all constructions). [Myers04] takes it further: it considers one specific (but very natural) construction and gives an oracle that foils it. Are we happy/unhappy with this?

[Rudich91]: Hard to Reduce Interaction. [Rud91] separates k-message KA from (k-1)-message KA. For k = 3 the oracle O contains: f_1, f_2, f_3, length-tripling random functions; R, defined below; and Π, a PSPACE-complete oracle. 3-message KA (Alice holds z, r; Bob holds s): Alice sends m_1 = f_1(z, r); Bob sends m_2 = f_2(s, m_1); Alice sends m_3 = f_3(z, r, m_2); Bob computes z = R(s, m_3), and the agreed key is z. On an incorrect input R outputs a random string.

[Rud91]: No 2-message KA (equivalently, PKE) relative to O. Without R there is no KA [IR89]. Let (Alice, Bob) be a two-message protocol. Assume Alice makes a useful query R(s, m_3). (s, m_3) is a correct input to R ⇒ it must have been created by 3 correct consecutive invocations ⇒ either Alice or Bob must already know z, r, s. If it is Alice, R is not needed. Otherwise, Eve can also know (s, m_3) and apply R.

How do we define BB access to a protocol? In [Rudich91] and most subsequent works this means black-box access to the message and output functions of the parties. One can consider a more restricted notion where the access is to a third party implementing the functionality (closer in spirit to a physical implementation). This may make arguments much simpler, but one needs to be careful: for example, OT in this model does not imply OWF. Other possible formalizations lie in between [HKNRR05].

OWF vs. Collision-Resistant Hashing. [Simon98] gives an oracle separating the two. Here, Simon Light: in particular, consider only regular hash functions (every image has the same number of preimages). Regular collision-resistant hashing is implied by claw-free permutations. Oracle: f, random functions; Π, PSPACE-complete; and Q, which on input a circuit C is defined as follows: if C^g is regular for every function g, then Q outputs uniformly selected x and x' such that C^f(x) = C^f(x'). Note: relative to this oracle there may still be collision-resistant hash functions (using Q itself); [Simon98] handles this case as well.

OWF vs. Collision-Resistant Hashing, cont. Proof intuition: assume we want to find f^{-1}(y). Due to the universal regularity of C, the only information given by x and x' are the values of f queried by the evaluations C^f(x) and C^f(x'). As long as none of these queries is f^{-1}(y), they are of not much help. By regularity, x and x' are each uniformly distributed (though they are correlated). By a union bound, there is only a negligible chance to encounter f^{-1}(y).

Limitation On Efficiency. This line considers the most efficient (black-box) construction (rather than the minimal assumption necessary) [KST99, GT00, GGK03]. Example: OWP ⇒ PRG. Thm [GT00]: a PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP). (Slide diagram: PRG with an m-bit seed, calling f, producing m+k output bits.)

Limitation On Efficiency, cont. Thm [GT00]: a PRG that expands the seed by k bits requires Ω(k/s) invocations of the OWP (where s is the security parameter of the OWP). Idea: define f(w, z) = (g(w), z), where w is O(s) bits long and g is random. Each invocation only gives O(s) bits of randomness, so f can be simulated using randomness from the seed.

Concluding Remarks. Many more beautiful arguments we did not touch! BB separations are a useful research tool. The extent to which the proof of security is black-box plays a major role. Definitions are subtle; we need to make sure we understand the mathematical/philosophical meaning of what we prove.

Some Open Problems. More non-black-box techniques. Can we "Razborov-Rudich" Impagliazzo-Rudich (i.e. show a natural-proofs-style barrier for black-box separations)? The power of reductions that use the code of the primitive but are BB w.r.t. the adversary?

[GKMVR00]: Incomparability of PKE and OT. OT ⇏ PKE, by an extension of [Rud91]. PKE ⇏ OT, by an oracle containing f_1, f_2, R, Π (similar to [Rud91]) to allow PKE, but with a small twist… The 2-message protocol (Alice holds r; Bob holds z, s): Alice sends m_1 = f_1(r); Bob sends m_2 = f_2(z, s, m_1); Alice computes z = R(r, m_2). Important: define f_2 and R to output ⊥ on incorrect inputs (sort of validity tests). This prevents this specific key agreement from being fakable, and turns out to be sufficient.