
Foundations of Cryptography - Vol. 1, Basic Tools


DOCUMENT INFORMATION

Basic information

Title: Foundations of Cryptography - Vol. 1, Basic Tools
Author: Oded Goldreich
Institution: Weizmann Institute of Science
Field: Cryptography
Type: Textbook
Year of publication: 2001
City: Cambridge
Format:
Pages: 393
Size: 5.12 MB


Contents

Foundations of Cryptography

Cryptography is concerned with the conceptualization, definition, and construction of computing systems that address security concerns. The design of cryptographic systems must be based on firm foundations. This book presents a rigorous and systematic treatment of the foundational issues: defining cryptographic tasks and solving new cryptographic problems using existing tools. It focuses on the basic mathematical tools: computational difficulty (one-way functions), pseudorandomness, and zero-knowledge proofs. The emphasis is on the clarification of fundamental concepts and on demonstrating the feasibility of solving cryptographic problems rather than on describing ad hoc approaches. The book is suitable for use in a graduate course on cryptography and as a reference book for experts. The author assumes basic familiarity with the design and analysis of algorithms; some knowledge of complexity theory and probability is also useful.

Oded Goldreich is Professor of Computer Science at the Weizmann Institute of Science and incumbent of the Meyer W. Weisgal Professorial Chair. An active researcher, he has written numerous papers on cryptography and is widely considered to be one of the world experts in the area. He is an editor of Journal of Cryptology and SIAM Journal on Computing and the author of Modern Cryptography, Probabilistic Proofs and Pseudorandomness, published in 1999 by Springer-Verlag.
Foundations of Cryptography: Basic Tools
Oded Goldreich, Weizmann Institute of Science

Cambridge University Press: The Pitt Building, Trumpington Street, Cambridge, United Kingdom; The Edinburgh Building, Cambridge CB2 2RU, UK; 40 West 20th Street, New York, NY 10011-4211, USA; 477 Williamstown Road, Port Melbourne, VIC 3207, Australia; Ruiz de Alarcón 13, 28014 Madrid, Spain; Dock House, The Waterfront, Cape Town 8001, South Africa. http://www.cambridge.org

First published in printed format 2001. ISBN 0-521-79172-3 hardback. ISBN 0-511-04120-9 eBook (netLibrary). © Oded Goldreich 2004. First published 2001. Reprinted with corrections 2003.

To Dana

Contents

List of Figures  xii
Preface  xiii
1 Introduction  1
1.1. Cryptography: Main Topics  1
1.1.1. Encryption Schemes  2
1.1.2. Pseudorandom Generators  3
1.1.3. Digital Signatures  4
1.1.4. Fault-Tolerant Protocols and Zero-Knowledge Proofs  6
1.2. Some Background from Probability Theory  8
1.2.1. Notational Conventions  8
1.2.2. Three Inequalities  9
1.3. The Computational Model  12
1.3.1. P, NP, and NP-Completeness  12
1.3.2. Probabilistic Polynomial Time  13
1.3.3. Non-Uniform Polynomial Time  16
1.3.4. Intractability Assumptions  19
1.3.5. Oracle Machines  20
1.4. Motivation to the Rigorous Treatment  21
1.4.1. The Need for a Rigorous Treatment  21
1.4.2. Practical Consequences of the Rigorous Treatment  23
1.4.3. The Tendency to Be Conservative  24
1.5. Miscellaneous  25
1.5.1. Historical Notes  25
1.5.2. Suggestions for Further Reading  27
1.5.3. Open Problems  27
1.5.4. Exercises  28
2 Computational Difficulty  30
2.1. One-Way Functions: Motivation  31
2.2. One-Way Functions: Definitions  32
2.2.1. Strong One-Way Functions  32
2.2.2. Weak One-Way Functions  35
2.2.3. Two Useful Length Conventions  35
2.2.4. Candidates for One-Way Functions  40
2.2.5. Non-Uniformly One-Way Functions  41
2.3. Weak One-Way Functions Imply Strong Ones  43
2.3.1. The Construction and Its Analysis (Proof of Theorem 2.3.2)  44
2.3.2. Illustration by a Toy Example  48
2.3.3. Discussion  50
2.4. One-Way Functions: Variations  51
2.4.1.* Universal One-Way Function  52
2.4.2. One-Way Functions as Collections  53
2.4.3. Examples of One-Way Collections  55
2.4.4. Trapdoor One-Way Permutations  58
2.4.5.* Claw-Free Functions  60
2.4.6.* On Proposing Candidates  63
2.5. Hard-Core Predicates  64
2.5.1. Definition  64
2.5.2. Hard-Core Predicates for Any One-Way Function  65
2.5.3.* Hard-Core Functions  74
2.6.* Efficient Amplification of One-Way Functions  78
2.6.1. The Construction  80
2.6.2. Analysis  81
2.7. Miscellaneous  88
2.7.1. Historical Notes  89
2.7.2. Suggestions for Further Reading  89
2.7.3. Open Problems  91
2.7.4. Exercises  92
3 Pseudorandom Generators  101
3.1. Motivating Discussion  102
3.1.1. Computational Approaches to Randomness  102
3.1.2. A Rigorous Approach to Pseudorandom Generators  103
3.2. Computational Indistinguishability  103
3.2.1. Definition  104
3.2.2. Relation to Statistical Closeness  106
3.2.3. Indistinguishability by Repeated Experiments  107
3.2.4.* Indistinguishability by Circuits  111
3.2.5. Pseudorandom Ensembles  112
3.3. Definitions of Pseudorandom Generators  112
3.3.1. Standard Definition of Pseudorandom Generators  113
3.3.2. Increasing the Expansion Factor  114
3.3.3.* Variable-Output Pseudorandom Generators  118
3.3.4. The Applicability of Pseudorandom Generators  119
3.3.5. Pseudorandomness and Unpredictability  119
3.3.6. Pseudorandom Generators Imply One-Way Functions  123
3.4. Constructions Based on One-Way Permutations  124
3.4.1. Construction Based on a Single Permutation  124
3.4.2. Construction Based on Collections of Permutations  131
3.4.3.* Using Hard-Core Functions Rather than Predicates  134
3.5.* Constructions Based on One-Way Functions  135
3.5.1. Using 1-1 One-Way Functions  135
3.5.2. Using Regular One-Way Functions  141
3.5.3. Going Beyond Regular One-Way Functions  147
3.6. Pseudorandom Functions  148
3.6.1. Definitions  148
3.6.2. Construction  150
3.6.3. Applications: A General Methodology  157
3.6.4.* Generalizations  158
3.7.* Pseudorandom Permutations  164
3.7.1. Definitions  164
3.7.2. Construction  166
3.8. Miscellaneous  169
3.8.1. Historical Notes  169
3.8.2. Suggestions for Further Reading  170
3.8.3. Open Problems  172
3.8.4. Exercises  172
4 Zero-Knowledge Proof Systems  184
4.1. Zero-Knowledge Proofs: Motivation  185
4.1.1. The Notion of a Proof  187
4.1.2. Gaining Knowledge  189
4.2. Interactive Proof Systems  190
4.2.1. Definition  190
4.2.2. An Example (Graph Non-Isomorphism in IP)  195
4.2.3.* The Structure of the Class IP  198
4.2.4. Augmentation of the Model  199
4.3. Zero-Knowledge Proofs: Definitions  200
4.3.1. Perfect and Computational Zero-Knowledge  200
4.3.2. An Example (Graph Isomorphism in PZK)  207
4.3.3. Zero-Knowledge with Respect to Auxiliary Inputs  213
4.3.4. Sequential Composition of Zero-Knowledge Proofs  216
4.4. Zero-Knowledge Proofs for NP  223
4.4.1. Commitment Schemes  223
4.4.2. Zero-Knowledge Proof of Graph Coloring  228
[...]
... Importance of Interaction and Randomness
4.5.2. Limitations of Unconditional Results
4.5.3. Limitations of Statistical ZK Proofs
4.5.4. Zero-Knowledge and Parallel Composition
4.6.* Witness Indistinguishability and Hiding
4.6.1. Definitions
4.6.2. Parallel Composition
4.6.3. Constructions
4.6.4. Applications
4.7.* Proofs of Knowledge
4.7.1. Definition
4.7.2. Reducing the Knowledge Error
4.7.3. Zero-Knowledge Proofs of ...
4.7.5. Proofs of Identity (Identification Schemes)
4.7.6. Strong Proofs of Knowledge
4.8.* Computationally Sound Proofs (Arguments)
4.8.1. Definition
4.8.2. Perfectly Hiding Commitment Schemes
4.8.3. Perfect Zero-Knowledge Arguments for NP
4.8.4. Arguments of Poly-Logarithmic Efficiency
4.9.* Constant-Round Zero-Knowledge Proofs
4.9.1. Using Commitment Schemes with Perfect Secrecy
4.9.2. Bounding the Power of Cheating ...
[...] ... indicate advanced material.

List of Figures

0.1 Organization of the work  xvi
0.2 Rough organization of this volume  xvii
0.3 Plan for one-semester course on the foundations of cryptography  xviii
1.1 Cryptography: two points of view
2.1 One-way functions: an illustration
2.2 The naive view versus the actual proof of Proposition 2.3.3
2.3 The essence of Construction 2.6.3
3.1 Pseudorandom ...
3.2, 3.3, 3.4, 3.5, 3.6, 4.1, 4.2, 4.3, B.1 (captions truncated in the preview)

Preview fragments (Preface and Chapter 1)

... Chapter 4: Zero-Knowledge Proof Systems. Volume 2: Basic Applications: Chapter 5: Encryption Schemes; Chapter 6: Signature Schemes; Chapter 7: General Cryptographic Protocols. Volume 3: Beyond the Basics ··· (Figure 0.1: Organization of the work)

... (basic tools). It provides chapters on computational difficulty (one-way functions), pseudorandomness, and zero-knowledge proofs. These basic tools will be used for the basic applications ...

... well as variants of it). Zero-Knowledge as a Paradigm. A major tool in the construction of cryptographic protocols is the concept of zero-knowledge proof systems and the fact that zero-knowledge proof systems exist for all languages in NP (provided that one-way functions exist). Loosely speaking, a zero-knowledge proof yields nothing but the validity of the assertion. Zero-knowledge proofs provide a tool ...

... cannot be considered a stand-alone course in cryptography because this volume does not consider at all the basic tasks of encryption and signatures. Practice. The aim of this work is to provide sound theoretical foundations for cryptography. As argued earlier, such foundations are necessary for any sound practice of cryptography. Indeed, sound practice requires more than theoretical foundations, whereas this ...

... hand, a message-authentication scheme does not necessarily constitute a digital-signature scheme. Signatures Widen the Scope of Cryptography. Considering the problem of digital signatures as belonging to cryptography widens the scope of this area from the specific secret-communication problem to a variety of problems concerned with limiting the "gain" that can be achieved by "dishonest" behavior of parties ...

... with a zero-knowledge proof that this bit is indeed the least significant bit of the message. We stress that the foregoing statement is of the "NP type" (since the proof specified earlier can be efficiently verified), and therefore the existence of zero-knowledge proofs for NP-statements implies that the foregoing statement can be proved without revealing anything beyond its validity. The focus of Chapter ...

... Chapter 4, devoted to zero-knowledge proofs, is on the foregoing result (i.e., the construction of zero-knowledge proofs for any NP-statement). In addition, we shall consider numerous variants and aspects of the notion of zero-knowledge proofs and their effects on the applicability of this notion. 1.2 Some Background from Probability Theory. Probability plays a central role in cryptography. In particular, ...

... all) is to construct a solution based on a better-understood assumption (i.e., one that is more common and widely believed). For example, looking at the definition of zero-knowledge proofs, it is not a priori clear that such proofs exist at all (in a non-trivial sense). The non-triviality of the notion was first demonstrated by presenting a zero-knowledge proof system for statements regarding Quadratic Residuosity.

Posted: 25/03/2014, 11:16

Reference sources (excerpts from Sections 4.10 and 4.11)
4.10.* Non-Interactive Zero-Knowledge Proofs

... directed graphs (and the existence of directed Hamiltonian cycles). Next, we present a basic zero-knowledge system in which Hamiltonian graphs are accepted with probability 1, whereas non-Hamiltonian graphs on n vertices are rejected with probability (n^{−3/2}). (This system builds on the one presented in Construction 4.7.14.)
1. π_1(V) × π_2(V) does not equal H. Because the prover must reveal all entries not in the sub-matrix π_1(V) × π_2(V), it follows that it must reveal some row or column of H. But such a row or column must contain a 1-entry, and so the verifier will reject.
... language L is unboundedly zero-knowledge if for every polynomial p there exists a probabilistic polynomial-time algorithm M such that the following two ensembles are computationally indistinguishable:
2. {M(x_1, ..., x_{p(n)})}_{x_1, ..., x_{p(n)} ∈ L_{n^ε}}, where L_{n^ε} ≝ L ∩ {0,1}^{n^ε}.

We comment that the non-interactive proof systems presented earlier (e.g., Construction 4.10.4) are not unboundedly zero-knowledge; see Exercise 34. We now turn to the construction of unboundedly zero-knowledge (non-interactive) proof systems. The underlying idea is to facilitate the simulation by potentially proving a fictitious assertion regarding a portion of the common reference string. The assertion that will be potentially proved (about this portion) will have the following properties:
3. The decision problem for the assertion is in NP. This will allow a reduction to an NP-complete problem.

An immediate assertion, concerning strings, that comes to mind is being produced by a pseudorandom generator. This yields the following construction, where G denotes such a generator:
1. Using a standard reduction of L_2 to L_1, the prover reduces (x, p) ∈ {0,1}^{ +2} to y ∈ {0,1}^{q( )}. In addition, when given an NP-witness u for x ∈ L, the prover reduces u to a witness, denoted w, for y ∈ L_1.
2. Invokes V on common input y, common reference string s, and prover's output π, and decides as V does.

Note that the reduction maps ( +2)-bit-long instances of L_2 to instances of L_1 having length q( ). Recall that by the hypothesis, the proof system (P, V) handles L_1 instances of length q( ) by using a reference string of length q( ) = n − 2 , which exactly matches the length of s. Let ε > 0 be a constant satisfying n^ε ≤  (i.e., (2 + q( ))^ε ≤ ). Then we have the following:
1. The distributions of the common reference string are indeed very different in the two cases (i.e., real execution versus simulator's output). Yet, by the pseudorandomness of G, this difference is computationally indistinguishable. Thus, the verifier's view in real execution is computationally indistinguishable from its view in the case in which the common reference string is selected exactly as in the simulation (but the prover acts as in Construction 4.10.12).
2. The zero-knowledge property of P implies that P is witness-indistinguishable (as defined in Section 4.6). Thus, one cannot distinguish the case in which P uses a witness for x ∈ L (as in Construction 4.10.12) from the case in which P uses as witness a seed for the pseudorandom sequence p (as done by the simulator). The same holds when repeating the proving process polynomially many times.

In other words, the zero-knowledge claim is proved by using a hybrid argument, where the (single) intermediate hybrid corresponds to executing the prover strategy (as is) on a pseudorandom reference string as produced by the simulator (rather than on a truly random reference string). These two observations establish that this intermediate hybrid is computationally indistinguishable from both of the extreme hybrids (which are the ensembles we wish to relate). Using Theorem 4.10.10 and Proposition 4.10.13, we obtain the following:
4.11.* Multi-Prover Zero-Knowledge Proofs

... zero-knowledge. Furthermore, assuming the existence of families of trapdoor permutations, the prover strategy in such a proof system can be implemented by a probabilistic polynomial-time machine that gets an NP-witness as auxiliary input.

The "furthermore" statement extends to a model that allows the adaptive selection of polynomially many assertions (i.e., a model that combines the two extensions discussed in this subsection).
... via parallel repetitions is problematic (in general) in this context; see the suggestions for further reading at the end of the chapter.

The notion of zero-knowledge (for multi-prover systems) remains exactly as in the one-prover case. Actually, we make the definition of perfect zero-knowledge more strict by requiring that the simulator never fail (i.e., never outputs the special symbol ⊥). Namely:
4.11.2. Two-Sender Commitment Schemes

The thrust of the current section is toward a method for constructing perfect zero-knowledge two-prover proof systems for every language in NP. This method makes essential use of a commitment scheme for two senders and one receiver that possesses information-theoretic secrecy and unambiguity properties (i.e., is perfectly hiding and perfectly binding). We stress that it is impossible to achieve information-theoretic secrecy and unambiguity properties simultaneously in the single-sender model.
1. As in Definition 4.4.1, a receiver's view of an interaction with the (first) sender, denoted (r, m), consists of the random coins used by the receiver, denoted r, and the sequence of messages received from the (first) sender, denoted m.
2. Let σ ∈ {0,1}. We say that the string s is a possible σ-opening of the receiver's view (r, m) if m describes the messages received by R when R uses local coins r and interacts with machine S_1, which uses local coins s and input (σ, 1^n).
4. Let S_1^* be as before, and for each σ ∈ {0,1} let p_σ be an upper bound on the probability of a σ-opening of the receiver's view of the interaction with S_1^*. We say that the receiver's view of the interaction with S_1^* is unambiguous if p_0 + p_1 ≤ 1 + 2^{−n}.

The unambiguity requirement asserts that for every program for the first sender S_1^*, the receiver's interaction with S_1^* is unambiguous.

In the formulation of the unambiguity requirement, the random variables X represent possible strategies of the second sender. Such a strategy may depend on the random ...
... input that is shared by the two senders, but is independent of the receiver's random coins (since information on these coins, if any, is only sent to the first sender). The strategies employed by the two senders determine, for each possible coin-tossing of the receiver, a pair of probabilities corresponding to their success in a 0-opening and a 1-opening. (In fact, bounds on these probabilities are determined merely by the strategy of the first sender.) The unambiguity condition asserts that the average of these pairs, taken over all possible receiver's coin tosses, is a pair that sums up to at most 1 + 2^{−n}. Intuitively, this means that the senders cannot do more harm than deciding at random whether to commit to 0 or to 1. Both the secrecy and unambiguity requirements are information-theoretic (in the sense that no computational restrictions are placed on the adversarial strategies). We stress that we have implicitly assumed that the reveal phase takes the following canonical form:
2. For each i, the first sender computes c_i ≝ π_{r_i}(s_i) + σ mod 3 and sends c_1 ··· c_n to the receiver.

We remark that the second sender could have opened the commitment either way if it had known r (sent by the receiver to the first sender). The point is that the second sender does not know r, and this fact drastically limits its ability to cheat.
4.11.3. Perfect Zero-Knowledge for NP

Two-prover perfect zero-knowledge proof systems for any language in NP follow easily by modifying Construction 4.4.7. The modification consists of replacing the bit-commitment scheme used in Construction 4.4.7 with the two-sender bit-commitment ...
1. The simulator generates random "commitments to nothing." Namely, the simulator invokes the verifier and answers the verifier's messages that belong to the commit phase by a sequence of uniformly chosen strings over {0, 1, 2}.
2. Upon receiving the query-edge (u, v) from the verifier, the simulator uniformly selects two different colors, φ_u and φ_v, and opens the corresponding commitments so as to reveal these values. The simulator has no difficulty in doing so, because, unlike the second prover, it knows the messages sent by the verifier in the commit phase. Specifically, given the receiver's view of the commit phase, (r_1 ··· r_n, c_1 ··· c_n), a 0-opening (resp. ...
