Advances in Securely Outsourcing Computation Xiaofeng Chen December, 2017

Advances in Securely Outsourcing Computation · •Jin Li, Jingwei Li, Xiaofeng Chen, et al., Identity-based Encryption with Outsourced Revocation in Cloud Computing. IEEE Transactions



Advances in Securely Outsourcing Computation

Xiaofeng Chen

December, 2017


Agenda

• Cloud Computing

• Verifiable Computation

• Secure Outsourcing of Scientific Computations

• Secure Outsourcing of Cryptographic Operations

• Verifiable Database with Updates (VDB)

• Future Works


3

1. Cloud Computing

Cloud computing realizes the long dream of computing as a service. Users with resource-constrained devices can enjoy unlimited computing resources in a pay-per-use manner.

• On-demand self-service

• Ubiquitous network access

• Location independent resource pooling

• Rapid resource elasticity

• Usage-based pricing

• Outsourcing

• ……


4

Outsourcing paradigm

• You want to eat a fish = You need to be a fisherman (NEVER!)

• You travel by air = You buy a Boeing 737 (NEVER!)

• Cloud computing facilitates outsourcing computation.

• Outsourcing computation paradigm:

– the clients with resource-constrained devices can outsource the heavy computation workloads to the cloud server.

– require only one round of interaction between the client and the server.

• Outsourcing computation also suffers from some new security challenges.

– secrecy

– checkability

– efficiency


5

Outsourcing computation architecture


6

Security model

• Who is the adversary: the untrusted server(s)

– Honest but curious

– Lazy but honest

– One-malicious version of the two untrusted program model

– Refereed delegation of computation

– Fully malicious (dishonest, curious, lazy…) - strongest


7

How to achieve secrecy?

• Encryption (partial solution) + blinding

– Blinding can preserve some inherent property of the operations.

– It requires different logical division and blinding techniques.

– FHE is inefficient and not practical for real-world applications.


8

How to achieve checkability?

• How to verify the result of a malicious server?

– Some programming error

– Intentionally sending a computationally indistinguishable (random) result for financial reasons


9

How to achieve checkability?

• Three kinds of checkability (verifiability):

– Inversion of one-way function problems:

F: given y = f(x), compute x, where f is a one-way function.

Verification is trivial: just compute f(x) and check whether it equals y.


10

How to achieve checkability?

• Three kinds of checkability (verifiability):

– Multiple (non-colluding) servers:

Given the test queries to (at least two) servers, verification is trivial: check whether the two outputs are equal,

f(x)_1 =? f(x)_2 (This is a probabilistic algorithm!)

Note: This idea is a little similar to the prisoner's dilemma in game theory.


11

Prisoner’s Dilemma

Case 1: A (Yes); B (Yes); Both are 30 years in prison

Case 2: A (No); B (No); Both set free (Best choice)

Case 3: One (Yes); The other (No); Yes: 10 years; No: 50 years in prison



12

How to achieve checkability?

• Three kinds of checkability (verifiability):

– One malicious server: verifiable computation

The server needs to provide some auxiliary proof to support result verification.

(It requires different kinds of knowledge proof techniques.)


13

How to achieve efficiency?

• Verification must be efficient

– The (non-interactive) proof verification is efficient (esp. in the 3rd case)

– Computational resources, storage resources, communication resources, etc.

– The verification requires fewer resources than the computation task itself!


14

Research status

• Theoretical community: scientific computation such as matrix multiplication (inversion), quadrature, linear equations (programming), sequence comparisons ……

• Cryptographic community: wallet with observers, bilinear pairing, modular exponentiations, OABE, OABS, inversion of one-way functions ……

– Verifiable computation: will be given later


15

2. Verifiable Computation

• A protocol between the client and the untrusted server;

– C: a function and some input; S: outputs and some proof;

– It mainly focuses on the 3rd case of outsourcing computation

– Though C is resource-constrained, it is allowed to perform a one-time expensive setup phase (offline; pre-computation)


16

Formal definitions

A verifiable computation scheme VC = (KeyGen, ProbGen, Compute, Verify) consists of the four algorithms defined below.

1. KeyGen(f, n) → (PK, SK): Based on the security parameter n, the randomized key generation algorithm generates a public/secret key pair for the function f. The public key is provided to the server, while the client keeps the matching secret key private.

2. ProbGen_SK(x) → (σ_x, τ_x): The problem generation algorithm uses the secret key SK to encode the function input x as a public value σ_x, which is given to the server, and a secret value τ_x, which is kept private by the client.

3. Compute_PK(σ_x) → σ_y: Using the client's public key for f and the encoded input, the server computes an encoded version of the function's output y = f(x).

4. Verify_SK(τ_x, σ_y) → y ∪ ⊥: Using the secret key SK and the secret "decoding" value τ_x, the verification algorithm converts the worker's encoded output into the output of the function, e.g., y = f(x), or outputs ⊥ indicating that σ_y does not represent the valid output of f on x.


17

Security properties

• Correct: the value and proof generated by the honest server can always be verified successfully and accepted by the client.

– honest server results in valid result and proof

• Secure: a malicious server cannot convince a verifier to accept an invalid output

– dishonest server results in invalid result and proof

• Efficient: the verification should not involve plenty of expensive resources (computation, storage, communication)

– for real-world applications

Three properties of ZKP:

• Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.

• Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.

• Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact.


18

State-of-the-art research

• Gennaro et al. first introduced and formalized the notion of verifiable computing (Crypto 10).

• This work is suitable for any function (encoded as a Boolean circuit)

• Theoretically, no more research work is needed (totally solved!).

• FHE is a building block! Inefficient for practical applications.


19

State-of-the-art research

• Specific problems require specific tricks to design efficient schemes.

– VC for very large datasets Crypto 11

– Memory delegation Crypto 11

– VC for large polynomials and matrix computations CCS 12

– VC for multi-function TCC 12

– VC for quadratic polynomials CCS 13

– Making argument systems for outsourced computation practical NDSS 12

– Taking proof-based verified computation a few steps closer to practicality USENIX 12

– …..


20

3. Secure Outsourcing of Scientific Computations

• It has been proved that it is impossible to securely outsource an exponential computation while locally doing only polynomial computation [1].

• It is meaningful only to consider outsourcing expensive polynomial computations.

– Matrix multiplication

– Matrix inversion

– Large-scale system of linear equations

– Matrix determinant

– Linear programming

– ……

[1] M. Abadi, J. Feigenbaum, and J. Kilian. On hiding information from an oracle. Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 195-203, 1987. DOI:10.1145/28395.28417.


21

Secure outsourcing of large-scale linear equations systems

• Problem:

− To solve a large-scale system of linear equations Ax = b.

− Due to the lack of computing resources, it is infeasible for C to carry out such an expensive computation, O(n^ρ) (2 < ρ ≤ 3), locally.

− Outsource the computation workloads to S in a pay-per-use manner.

• Goals:

− A, x, b should be private and protected.

− Efficient


22

Secure outsourcing of large-scale linear equations systems

• Atallah's scheme [2]

– C selects a random matrix B and a random number j ∈ {1, 2, …, n}. Replace the j-th column of B by b, i.e. B = [B_1, …, B_{j−1}, b, B_{j+1}, …, B_n]

– C generates three matrices P1, P2, P3 using the same method as before.

– C computes A' = P1 A P2^{-1} and B' = P1 B P3^{-1}.

– S solves the linear system A' X' = B' and obtains X' = P2 A^{-1} B P3^{-1}.

– C computes X = P2^{-1} X' P3 = A^{-1} B.

– The answer x is the j-th column of X, i.e., x = X_j.

[2] M.J. Atallah, K.N. Pantazopoulos, J.R. Rice, and E.H. Spafford. Secure outsourcing of scientific computations. Advances in Computers, Vol. 54, pp. 216-272, 2001. DOI:10.1016/s0065-2458(01)80019-x.

Note: This scheme uses the interactive matrix inversion as a building block!


23

Secure outsourcing of large-scale linear equations systems

(PK, SK) = (n, (M, N, r))

I. C computes: c = Ar + b, d = Mc, T = MAN, and sends (T, d) to S.

S solves Ty = d and returns y.

II. C computes: x = Ny − r

We have: Ty = MAN · N^{-1}(x + r) = MA(x + r) = Mc = d

Advantages:

• One round in a come-and-go manner.

• Since M, N are sparse matrices, the computational complexity is O(n^2) locally.

• C can detect the misbehavior of S with probability 1.
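The two linear-equation outsourcing schemes above, Atallah's blinded scheme from slide 22 and the one-round scheme with SK = (M, N, r) from this slide, simulated end to end as an added example. This code is not from the talk or the cited papers. It uses exact rational arithmetic on a constructed 4×4 system and makes two assumptions the slides leave open: the blinding matrices P1, P2, P3, M, N are generalized permutation matrices (sparse and trivially invertible), and the client verifies the one-round scheme by checking the identity Ty = d shown above, which costs one matrix-vector product.

```python
import random
from fractions import Fraction


def mat_mul(A, B):
    """Exact matrix product over Fractions."""
    return [[sum(A[i][t] * B[t][j] for t in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_vec(A, v):
    """Exact matrix-vector product over Fractions."""
    return [sum(A[i][j] * v[j] for j in range(len(v))) for i in range(len(A))]


def gen_perm(n, rng):
    """Random generalized permutation matrix (one non-zero entry per row and
    column) and its inverse.  Assumption of this example: the slides' sparse
    blinding matrices are of this form, so the client's work stays O(n^2)."""
    perm = list(range(n))
    rng.shuffle(perm)
    P = [[Fraction(0)] * n for _ in range(n)]
    P_inv = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        s = Fraction(rng.randint(1, 1000))
        P[i][perm[i]] = s
        P_inv[perm[i]][i] = 1 / s
    return P, P_inv


def solve(A, B):
    """Gauss-Jordan elimination: returns X with A X = B (A square, non-singular).
    This is the O(n^3) step that the client wants to outsource."""
    n = len(A)
    M = [list(A[i]) + list(B[i]) for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = 1 / M[col][col]
        M[col] = [val * inv for val in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def honest_server(A, B):
    return solve(A, B)


def lazy_server(A, B):
    """Returns a plausible-looking but wrong answer (every entry shifted by 1)."""
    return [[val + 1 for val in row] for row in honest_server(A, B)]


def atallah_outsource(A, b, server, seed):
    """Atallah et al. [2] as sketched on slide 22.  No verification step is
    shown there, so a wrong answer from the server is passed through."""
    rng = random.Random(seed)
    n = len(A)
    j = rng.randrange(n)
    # Random B whose j-th column is replaced by b, hiding b among noise.
    B = [[Fraction(rng.randint(-50, 50)) for _ in range(n)] for _ in range(n)]
    for i in range(n):
        B[i][j] = b[i]
    P1, _ = gen_perm(n, rng)
    P2, P2_inv = gen_perm(n, rng)
    P3, P3_inv = gen_perm(n, rng)
    A_bl = mat_mul(mat_mul(P1, A), P2_inv)      # A' = P1 A P2^-1
    B_bl = mat_mul(mat_mul(P1, B), P3_inv)      # B' = P1 B P3^-1
    X_bl = server(A_bl, B_bl)                   # X' = P2 A^-1 B P3^-1
    X = mat_mul(mat_mul(P2_inv, X_bl), P3)      # X  = A^-1 B
    return [X[i][j] for i in range(n)]          # x is the j-th column of X


def one_round_outsource(A, b, server, seed):
    """One-round scheme of slide 23 with SK = (M, N, r).  Returns x, or None
    when the server's y fails the local check T y = d."""
    rng = random.Random(seed)
    n = len(A)
    M, _ = gen_perm(n, rng)
    N, _ = gen_perm(n, rng)
    r = [Fraction(rng.randint(-50, 50)) for _ in range(n)]
    c = [ar + bi for ar, bi in zip(mat_vec(A, r), b)]     # c = A r + b
    d = mat_vec(M, c)                                       # d = M c
    T = mat_mul(mat_mul(M, A), N)                           # T = M A N
    y = [row[0] for row in server(T, [[di] for di in d])]  # server solves T y = d
    if mat_vec(T, y) != d:                                  # O(n^2) verification
        return None
    return [ny - ri for ny, ri in zip(mat_vec(N, y), r)]    # x = N y - r


# Constructed demo system: A is non-singular and b = A x, so x is known.
A_DEMO = [[Fraction(v) for v in row] for row in
          [[2, 1, 0, 0], [1, 3, 1, 0], [0, 1, 4, 1], [0, 0, 1, 5]]]
X_TRUE = [Fraction(v) for v in [1, -2, 3, -4]]
B_DEMO = mat_vec(A_DEMO, X_TRUE)

if __name__ == "__main__":
    print("Atallah:", atallah_outsource(A_DEMO, B_DEMO, honest_server, 1))
    print("one-round:", one_round_outsource(A_DEMO, B_DEMO, honest_server, 2))
    print("one-round, lazy server:", one_round_outsource(A_DEMO, B_DEMO, lazy_server, 3))
```

Running it with `lazy_server` shows the difference the slide's "probability 1" claim refers to: the one-round client rejects the wrong y because T is invertible, so only the true y satisfies Ty = d, while Atallah's client as sketched has nothing to compare against and returns a wrong x.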


24

4. Secure Outsourcing of Cryptographic Operations

• So far, there are two kinds of secure and efficient number-theoretic cryptographic systems.

– Integer-factorization-based systems (RSA)

– Discrete-logarithm-based systems (ElGamal, ECC)

• They require powerful but prohibitively expensive operations

– Exponentiation modulo a large integer (RSA, ECC)

– Bilinear pairings (ID-based encryption schemes, short signature schemes)

Hence, we mainly focus on how to securely outsource such expensive cryptographic operations!


25

Secure outsourcing exponentiation

• Secure outsourcing of single modular exponentiation

− Problem: u^a mod p

− Requirement: the inputs and outputs of the outsourcing algorithm (u, a, u^a) should be protected.

• Secure outsourcing of simultaneous modular exponentiation

− Problem: u1^a u2^b mod p (chameleon hashing and trapdoor commitment)

− Requirement: the inputs and outputs of the outsourcing algorithm (u1, a, u2, b, u1^a u2^b) should be protected


26

Secure outsourcing of single modular exponentiation

• The first scheme was proposed by Hohenberger et al. [3]

− Use random blinding factors to logically split the inputs into two random-looking pieces for two untrusted servers.

− Requires one-time expensive computations for C in the pre-processing phase.

• Our proposed scheme [4]

− Superior to [3] in both efficiency and checkability

− Main idea is similar to the "prisoner's dilemma"

[3] S. Hohenberger and A. Lysyanskaya. How to securely outsource cryptographic computations. Theory of Cryptography, LNCS 3378, pp. 264-282, Springer, 2005. DOI: 10.1007/978-3-540-30576-7_15.

[4] X. Chen, J. Li, J. Ma, Q. Tang and W. Lou. New algorithms for secure outsourcing of modular exponentiations. ESORICS, LNCS 7459, pp. 541-556, Springer, 2012. DOI: 10.1007/978-3-642-33167-1_31.


27

Secure outsourcing of single modular exponentiation

Our proposed algorithm Exp:

I. Setup: C creates two blinding pairs (α, g^α), (β, g^β). Denote v = g^α mod p and μ = g^β mod p.

II. Logical divisions:

− u^a = (vw)^a = g^{aα} w^a = g^β g^γ w^a mod p (w = u/v mod p, γ = aα − β mod q)

− u^a = g^β g^γ w^a = g^β g^γ w^{k+l} = g^β g^γ w^k w^l mod p (l = a − k mod q)

III. Rand: C obtains three pairs (t1, g^{t1}), (t2, g^{t2}), (t3, g^{t3}).

IV. Query:

− C → S1: (t2/t1, g^{t1}), (γ/t3, g^{t3}), (l, w); S1 → C: g^{t2}, g^γ, w^l

− C → S2: (t2/t1, g^{t1}), (γ/t3, g^{t3}), (k, w); S2 → C: g^{t2}, g^γ, w^k

V. Check: g^{t2} = S1(t2/t1, g^{t1}) = S2(t2/t1, g^{t1}) and S1(γ/t3, g^{t3}) = S2(γ/t3, g^{t3})

− If yes, C can compute u^a = μ g^γ w^k w^l

− If not, C outputs "error"!

Note: in the one-malicious model, the equation S1(γ/t3, g^{t3}) = S2(γ/t3, g^{t3}) implies both S1 and S2 produce the correct g^γ!
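The Exp algorithm above simulated with two servers, as an added example that is not the paper's code. The group parameters p = 1019, q = 509, g = 4 are toy values constructed for the example (p = 2q + 1, and g generates the subgroup of prime order q), the servers are plain Python callables, and a server that corrupts one of its three replies at random is included to show which replies the step-V check covers.

```python
import random

# Toy group parameters constructed for this example, far too small for real use:
# p = 2q + 1 with q prime, and g = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def honest_server(exp, base):
    """An untrusted server U(a, u) -> u^a mod p that happens to behave."""
    return pow(base, exp, P)


def rand_pair(rng):
    """Rand: a fresh pair (t, g^t mod p)."""
    t = rng.randrange(1, Q)
    return t, pow(G, t, P)


def exp_outsource(u, a, s1, s2, seed):
    """Compute u^a mod p with servers s1, s2 (callables (exp, base) -> value)
    following steps I-V of the slide.  u must lie in the order-q subgroup.
    Returns u^a mod p, or None when the step-V checks fail."""
    rng = random.Random(seed)
    # I. Setup: blinding pairs (alpha, v = g^alpha) and (beta, mu = g^beta).
    alpha, v = rand_pair(rng)
    beta, mu = rand_pair(rng)
    # II. Logical division: u^a = g^beta * g^gamma * w^k * w^l with
    #     w = u / v, gamma = a*alpha - beta (mod q), l = a - k (mod q).
    w = u * pow(v, -1, P) % P
    gamma = (a * alpha - beta) % Q
    k = rng.randrange(1, Q)
    l = (a - k) % Q
    # III. Rand: three more pairs for the test query and the gamma query.
    t1, g_t1 = rand_pair(rng)
    t2, g_t2 = rand_pair(rng)
    t3, g_t3 = rand_pair(rng)
    test_query = (t2 * pow(t1, -1, Q) % Q, g_t1)     # expected reply g^t2
    gamma_query = (gamma * pow(t3, -1, Q) % Q, g_t3)  # expected reply g^gamma
    # IV. Query: each server gets the two checked queries plus its share of
    #     w^a, in random order so it cannot tell which reply will be checked.
    def ask(server, own_query):
        queries = [test_query, gamma_query, own_query]
        order = list(range(3))
        rng.shuffle(order)
        replies = [None] * 3
        for i in order:
            replies[i] = server(*queries[i])
        return replies
    r1 = ask(s1, (l, w))   # g^t2, g^gamma, w^l
    r2 = ask(s2, (k, w))   # g^t2, g^gamma, w^k
    # V. Check the test replies against g^t2 and the two g^gamma against each other.
    if not (r1[0] == g_t2 == r2[0] and r1[1] == r2[1]):
        return None
    return mu * r1[1] * r2[2] * r1[2] % P


class OneCorruptServer:
    """Malicious server that answers one of every three queries wrongly, picking
    which one at random: it cannot tell the checked queries from the real one."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.count = 0
        self.bad = None

    def __call__(self, exp, base):
        if self.count % 3 == 0:
            self.bad = self.rng.randrange(3)
        reply = pow(base, exp, P)
        if self.count % 3 == self.bad:
            reply = reply * G % P     # a valid-looking group element, but wrong
        self.count += 1
        return reply


def corrupt_all_server(exp, base):
    """Malicious server that answers every query wrongly; always caught."""
    return pow(base, exp, P) * G % P


def detection_rate(trials, seed=0):
    """Fraction of runs in which the step-V check catches a OneCorruptServer.
    A corrupted w^k reply is not covered by the check, so detection is
    probabilistic: roughly two of the three replies are checked."""
    s2 = OneCorruptServer(seed)
    caught = sum(exp_outsource(9, 777, honest_server, s2, seed + i + 1) is None
                 for i in range(trials))
    return caught / trials


if __name__ == "__main__":
    # 9 = 3^2 is a quadratic residue, hence in the order-q subgroup.
    print(exp_outsource(9, 777, honest_server, honest_server, 7) == pow(9, 777, P))
    print("detection rate against one corrupt reply:", detection_rate(300))
```

The check covers the test query (known answer g^{t2}) and the γ query (compared across the two servers); the w^k and w^l replies are unchecked, which is why `detection_rate` settles near two thirds rather than one, matching the probabilistic checkability the comparison table on the next slide refers to.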


28

Comparison of the two algorithms

Single modular exponentiation:

                 Algorithm [3]   Algorithm [4]
  MM             9               7
  MInv           5               3
  (unlabelled)   6               5
  (unlabelled)   4               3
  (unlabelled)   4               3
  Checkability

Simultaneous modular exponentiation:

                 Algorithm [3]   Algorithm [4]
  MM             9               10
  MInv           5               4
  (unlabelled)   6               5
  (unlabelled)   4               4
  (unlabelled)   4               4
  Checkability


29

Our Recent Papers

• Xiaofeng Chen, Jin Li, Jianfeng Ma, Qiang Tang, Wenjing Lou, New Algorithms for Secure Outsourcing of Modular Exponentiations, IEEE Transactions on Parallel and Distributed Systems, 25(9), 2386-2396, 2014.

• Xiaofeng Chen, Jin Li, Xinyi Huang, Jingwei Li, Yang Xiang, Duncan Wong. Secure Outsourced Attribute-based Signatures. IEEE Transactions on Parallel and Distributed Systems, 25(12): 3285-3294, 2014.

• Xiaofeng Chen, Xinyi Huang, Jin Li, Jianfeng Ma, Wenjing Lou, and Duncan S. Wong, New Algorithms for Secure Outsourcing of Large-scale Systems of Linear Equations, IEEE Transactions on Information Forensics and Security, 10(1), 69-78, 2015.

• Xiaofeng Chen, Jin Li, Willy Susilo, Efficient Fair Conditional Payments for Outsourcing Computations, IEEE Transactions on Information Forensics and Security, 7(6), 1687-1694, 2012.

• Xiaofeng Chen, Willy Susilo, Jin Li, Duncan S Wong, Jianfeng Ma, Shaohua Tang, Qiang Tang, Efficient Algorithms for Secure Outsourcing of Bilinear Pairings, Theoretical Computer Science, 562: 112-121, 2015.

• Haixin Nie, Xiaofeng Chen, Jin Li, Joseph Liu, Wenjing Lou, Efficient and Verifiable Algorithm for Secure Outsourcing of Large-scale Linear Programming. AINA 2014: 591-596. (Best Paper Award)

• Jin Li, Jingwei Li, Xiaofeng Chen, et al., Identity-based Encryption with Outsourced Revocation in Cloud Computing. IEEE Transactions on Computers, 64(2): 425-437, 2015.


30

5. Verifiable Database (VDB)

• A special kind of verifiable computing (storage)

• Benabbas et al. proposed the notion of VDB

– Verifiable delegation of computation over large datasets (Crypto 11)

[Figure: Client and Server message flow; labels: x, v; (x, v′)]


31

Static Database

Client → Server (setup): x; v; Sig(v)

Client → Server (query): x

Server → Client: v, Sig(v)

Sig(v) cannot be forged!!


32

Dynamic Database (Updatable)

Client → Server (update): x; v; Sig(v)

Client → Server (query): x

Server → Client: v, Sig(v)

Problem: How to revoke the signature for the previous data record?

Paradox: If so, the client has to keep track of every change locally. Why outsource? If not, a malicious server can utilize the previous (valid) database records and corresponding signatures to respond to the current query of the client without being detected (Backward Substitution Update attack).


33

Verifiable Database with Updates

• How to design efficient VDB?

• Previous works require either some non-constant-size assumptions or expensive operations;

– q-Strong Diffie-Hellman assumption

– re-shuffling procedures


34

Verifiable Database with Updates

• Why is a standard assumption good?

– IF related ones: IF; RSA; Strong-RSA; ……

– DL related ones: DL; CDH; DDH; ……

» Bilinear pairing related ones ……


35

Benabbas-Gennaro-Vahlis Construction

• BGV construction is the first practical solution in the bilinear groups with composite order (Crypto 11);

• The solution is based on verifiable delegation of polynomials (subgroup membership assumption);

• It cannot support public verifiability;


36

Catalano-Fiore Construction

• The second practical construction (PKC 2013);

• It is based on a primitive called vector commitment;

• The specific constructions are based on standard assumptions;

• Compared with the BGV construction, it only uses bilinear groups with prime order;

• It can support public verifiability

– The private key of the client is not involved in the updating; surprisingly, it is empty!

– Is it good or bad?


37

New Construction for VDB

• Our main contribution

– The Catalano-Fiore Construction may suffer from the Forward Automatic Update (FAU) attack;

– Propose a new framework that is publicly verifiable and secure against the FAU attack;

– Present a concrete construction based on the Squ-CDH assumption (equivalent to the CDH assumption)


38

FAU attack

• The adversary (just as the real client) can update the database in a forward and automatic manner;

• Forward means that the update is based on the latest database (new update!).

– We also defined the Backward Substitution Update attack

• Automatic means that the update can be performed at any time and at any step.

[Figure: database versions V_0, V_1, …, V_i, …, V_L, V_{L+1}]


39

Why it suffers from the FAU attack

• The secret key in the Catalano-Fiore Construction is not involved in the updating.

– More precisely, the secret key of the client is empty.

• Why?

– In the Crypto 11 construction, the secret key is used for updating and verification (thus private verifiability);

– Guess: with no private key, verification is performed only using the public key? Thus it supports public verifiability.

– Anyone can update the database (especially the server)!


40

Paradox

• Using SK: cannot support public verifiability

• Not using SK: cannot resist FAU attack

• How to solve this paradox?

– SK must be used in update;

– A signature can be used but is not enough (needs revocation?)


41

Our Main Idea

• Commitment binding technique (after T updates):

– it is difficult to forge a new BLS signature!

[Figure: recursive definition for PK; labelled components: BLS signature, Counter, binding, Database (current), Public key (last time), Public key (current)]
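The Backward Substitution Update attack of slide 32 and the counter-binding idea of this slide, as an added example written for this page. It is not the paper's construction: HMAC-SHA256 stands in for the BLS signature (so verification here is private rather than public), the counter is kept per index, and neither the vector commitment nor the recursively defined PK is reproduced. What it does show is the mechanism: a signature over (x, v) alone stays valid forever, so a replayed old record verifies, while binding an update counter that the client holds makes the same replay fail.

```python
import hashlib
import hmac

# Constructed demo key.  HMAC stands in for the client's signature here; with a
# real signature scheme (the paper uses BLS) anyone holding the public key
# could run verify(), which is what public verifiability means.
SIGNING_KEY = b"constructed-demo-key"


def sign(msg):
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def verify(msg, tag):
    return hmac.compare_digest(sign(msg), tag)


def encode(x, v, counter=None):
    """Unambiguous, length-prefixed encoding of what gets signed."""
    parts = [x.to_bytes(8, "big"), len(v).to_bytes(4, "big"), v]
    if counter is not None:
        parts.append(counter.to_bytes(8, "big"))
    return b"".join(parts)


class Server:
    """Untrusted storage.  It keeps every record it ever received, so it can
    answer a query with an old but still validly signed record."""
    def __init__(self):
        self.current = {}
        self.history = {}

    def update(self, x, v, tag):
        self.current[x] = (v, tag)
        self.history.setdefault(x, []).append((v, tag))

    def query(self, x):
        return self.current[x]

    def query_stale(self, x):
        # Backward Substitution Update: replay the first record stored at x.
        return self.history[x][0]


class SignatureOnlyClient:
    """Static-database approach of slide 31: sign (x, v), keep nothing locally."""
    def update(self, server, x, v):
        server.update(x, v, sign(encode(x, v)))

    def check(self, x, v, tag):
        return verify(encode(x, v), tag)


class CounterClient:
    """Binds a per-index update counter T_x into the signed message and keeps
    the counters locally, so a replayed record carries a stale counter."""
    def __init__(self):
        self.T = {}

    def update(self, server, x, v):
        self.T[x] = self.T.get(x, 0) + 1
        server.update(x, v, sign(encode(x, v, self.T[x])))

    def check(self, x, v, tag):
        return verify(encode(x, v, self.T.get(x, 0)), tag)


def run_scenario(client_cls):
    """Write v0 then v1 at index 7, then ask the server for the current record
    and for a replayed stale one.  Returns (current_accepted, stale_accepted)."""
    server, client = Server(), client_cls()
    client.update(server, 7, b"v0")
    client.update(server, 7, b"v1")
    current_ok = client.check(7, *server.query(7))
    stale_ok = client.check(7, *server.query_stale(7))
    return current_ok, stale_ok


if __name__ == "__main__":
    print("signature only (current, stale):", run_scenario(SignatureOnlyClient))
    print("with counter   (current, stale):", run_scenario(CounterClient))
```

`CounterClient` pays for the fix with one counter per index, which is exactly the O(q) client storage that slide 49 flags as undesirable for large q; the talk's answer to that, a vector commitment over the commitments with a recursively defined public key, is the part this example does not reproduce.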


42

Our Main Idea

• Commitment binding technique (after T updates):

• The definition for T = 0 (setup phase):

• This results in a general construction for VDB.


43

VDB with Incremental Updates

• The data record (plaintext) undergoes frequent but small (e.g., only some bits) modifications;

• The previous solution requires re-computing and updating the ciphertext from scratch each time;

• It is meaningful to seek efficient constructions for VDB with incremental updates (Inc-VDB);

− re-computing and updating the ciphertext with incremental algorithms, rather than from scratch.


44

Motivation

Distributed updates problem!

[Figure: incremental cryptography on file blocks. Single-block update: m1 … m′i … mn → Encrypt → c1 … c′i … cn. Distributed updates: m1 … mi … mn → Encrypt → c1 … ci … cn, and m′1 … m′i … m′n → Encrypt → c′1 … c′i … c′n]

1. The existing incremental schemes could not solve the distributed updates problem.

2. The update algorithms of VDBs are not incremental, and the client needs to re-compute the new update token from scratch each time.


45

• Our main contribution

– Introduce the notion of verifiable database with incremental updates (Inc-VDB).

– Propose a general Inc-VDB framework by incorporating the primitive of vector commitment and the encrypt-then-incremental MAC mode of encryption;

– Introduce a new property called accountability for VDB schemes.


46

Formal Definition of Inc-VDB

Definition 4. A verifiable database scheme with incremental updates Inc-VDB = (Setup, Query, Verify, Inc-Update) consists of the four algorithms defined below.

1. Setup(1^k, DB): On input the security parameter k, the setup algorithm is run by the client to generate a secret key SK to be secretly stored by the client, and a public key PK that is distributed to all users (including the client itself) for verifying the proofs.

2. Query(PK, x): On input an index x, the query algorithm is run by the server, and returns a pair τ = (v, π).

3. Verify(PK/SK, x, τ): The public/private verification algorithm outputs a value v if τ is correct with respect to x, and an error ⊥ otherwise.

4. Inc-Update(SK, x, v′): In the update algorithm, the client utilizes the secret key SK to compute a new token t′_x from the previous one in an incremental manner rather than computing it from scratch. Then, the client sends the pair (t′_x, v′) to the server. If the token t′_x is valid, the server uses v′ to update the database record at index x, and t′_x to incrementally update the public key PK.


47

Our Main Idea


48

Our Main Idea

Incremental Signature:

Server side efficiency:

The server only needs to compute πx once for the first query on index x.

The client computes:

The server computes:

Send to the server

Private key of client

Private key of server


49

Our Main Idea

Public verifiability:

1. The proof consists of the (BLS) signature of the client and the opening of the vector commitment;

2. Both of them can be verified (only) with the public key;

3. The client need not store the changes locally or revoke the signature;

4. We can use a verifiable random function to achieve private verifiability.

Reduce the client storage overhead:

1. The number of T_x depends on q, which is highly undesirable when q becomes very large.

2. Apply vector commitment over commitments.


50

Our Recent Paper

• Xiaofeng Chen, Jin Li, Xinyi Huang, Jianfeng Ma, Wenjing Lou, New Publicly Verifiable Databases with Efficient Updates, IEEE Transactions on Dependable and Secure Computing, 12(5), 546-556, 2015.

• Xiaofeng Chen, Jin Li, Jian Weng, Jianfeng Ma, Wenjing Lou, Verifiable Computation over Large Database with Incremental Updates, ESORICS 2014, LNCS 8712, 148–162, 2014. IEEE Transactions on Computers, 65(10), 3184-3195, 2016.


51

6. Future Works

• How do we achieve CCA2 security for the inputs in the outsourcing paradigm?

• Is it possible to find an efficient algorithm for securely outsourcing the cryptographic operations using only one untrusted server?

• How to construct efficient VDB schemes supporting all kinds of update operations?

• How to prove (not only detect) the misbehavior of an untrusted server in the multiple results of outsourcing computations?


52

Thank you & questions?