MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher


MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
Raghvendra Rohit, Riham AlTawy, and Guang Gong
Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, CANADA
IMACC 2017, 12-14 December 2017, St Catherine's College, University of Oxford, Oxford

Outline
- Introduction
- WG stream cipher
- Cube attack on WG-5
- Comparison with Grain128a & Trivium
- Conclusions

Introduction

Cube attacks
Proposed in 2007 [1] and 2009 [2].
Basic idea: let $f : \mathbb{F}_2^5 \to \mathbb{F}_2$ be given by
  $f(k_0, k_1, k_2, v_0, v_1) = v_0 v_1 k_0 + v_0 v_1 k_2 + v_0 v_1 + k_0 k_1 + v_1 k_2 + k_2 + 1$
                              $= v_0 v_1 (k_0 + k_2 + 1) + k_0 k_1 + v_1 k_2 + k_2 + 1.$
Summing $f$ over all possible choices of $(v_0, v_1)$ gives
  $f(k_0, k_1, k_2, 0, 0) + f(k_0, k_1, k_2, 0, 1) + f(k_0, k_1, k_2, 1, 0) + f(k_0, k_1, k_2, 1, 1) = k_0 + k_2 + 1,$
which is a linear relation in the two key bits $k_0$ and $k_2$.
[1] Vielhaber, M.: Breaking ONE.FIVIUM by AIDA, an algebraic IV differential attack. Cryptology ePrint Archive, Report 2007/413.
[2] Dinur, I., and Shamir, A.: Cube attacks on tweakable black box polynomials. EUROCRYPT 2009.

Cube attacks (ctd.): mathematical description
Initialization phase: $k$ and $v$ are loaded into the state, the state is updated, and the first keystream bit $z = f(k, v)$ is produced.
$k = (k_0, k_1, \ldots, k_{n-1})$: secret variables
$v = (v_0, v_1, \ldots, v_{m-1})$: public variables
$z = f(k, v)$: first keystream bit
$I = \{i_1, i_2, \ldots, i_{|I|}\} \subseteq \{0, 1, \ldots, m-1\}$: cube indices
$f(k, v)$ can be represented as
  $f(k, v) = t_I \cdot p(k, v) + q(k, v),$
where $t_I = v_{i_1} v_{i_2} \cdots v_{i_{|I|}}$, $p(k, v)$ is a polynomial that does not contain any of the cube variables $(v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}})$, and every monomial of $q(k, v)$ is independent of at least one of the cube variables $(v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}})$.

Cube attacks (ctd.)
Let $C_I$ denote the set of all $2^{|I|}$ possible values of $(v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}})$, with the remaining $n + m - |I|$ input variables set to some constant values. Then
  $\bigoplus_{C_I} f(k, v) = p(k, v).$
$p(k, v)$ is called the superpoly corresponding to the cube $C_I$. A simpler $p(k, v)$ leads to algebraic attacks by solving equations.

Division property
Definition (division property [3]): Let $X \subseteq \mathbb{F}_2^n$ and $0 \le k \le n$. We say that $X$ has the division property $D_k^n$ if
  $\bigoplus_{x \in X} \pi_u(x) = 0$ for all $u \in \mathbb{F}_2^n$ such that $\mathrm{wt}(u) < k$.
Definition (bit-based division property [4]): Let $X$ be a multiset whose elements take values in $\mathbb{F}_2^n$, and let $W$ be a set whose elements are $n$-dimensional binary vectors. The multiset $X$ has the division property $D_W^{1,n}$ if it fulfills the following condition:
  $\bigoplus_{x \in X} \pi_u(x)$ is unknown if there exists $w \in W$ such that $u \succeq w$, and equals $0$ otherwise,
where $u, w, x \in \mathbb{F}_2^n$, $\pi_u(x) = \prod_{i=0}^{n-1} x_i^{u_i}$, and $u \succeq w$ if $u_i \ge w_i$ for all $i$.
[3] Todo, Y.: Structural evaluation by generalized integral property. EUROCRYPT 2015.
[4] Todo, Y., and Morii, M.: Bit-based division property and application to SIMON family. FSE 2016.

MILP models for bit-based division property propagation
Mixed Integer Linear Programming models:
COPY, $a \xrightarrow{\text{COPY}} (b_1, b_2, \ldots, b_m)$: M.var $a, b_1, b_2, \ldots, b_m$ as binary; M.con $a = b_1 + b_2 + \cdots + b_m$.
XOR, $(a_1, a_2, \ldots, a_m) \xrightarrow{\text{XOR}} b$: M.var $a_1, a_2, \ldots, a_m, b$ as binary; M.con $a_1 + a_2 + \cdots + a_m = b$.
AND, $(a_1, a_2, \ldots, a_m) \xrightarrow{\text{AND}} b$: M.var $a_1, a_2, \ldots, a_m, b$ as binary; M.con $b \ge a_i$ for $i = 1, 2, \ldots, m$.
Solutions of these inequalities correspond to all division trails.

Division property & cube attacks
To check whether a secret variable $k_j$ is involved in the superpoly:
1. For a given cube $C_I$, start with the initial division property $D_W^{1,n}$, where $W = \{(v, e_j)\}$ with $v_i = 1$ if $i \in \{i_1, i_2, \ldots, i_{|I|}\}$ and $k_j = 1$, and with $v_i = 0$ and $k_{j'} = 0$ for all remaining indices.
2. Add the constraint $z = 1$.
3. If there is no division trail satisfying steps 1 and 2, then $k_j$ is not involved in the superpoly of $C_I$ [Todo et al.] [5].
[5] Todo, Y., Isobe, T., Hao, Y., and Meier, W.: Cube attacks on non-blackbox polynomials based on division property. CRYPTO 2017.
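The three steps above, run on the toy polynomial from the introduction, as an added example that is not part of the slides or the authors' tool. Instead of a MILP solver it enumerates division trails through a gate-level circuit of the polynomial using the COPY / XOR / AND propagation rules that the MILP constraints encode (for AND it uses the exact rule "output 1 iff some input is 1"; the MILP form $b \ge a_i$ only adds dominated trails). The circuit decomposition, the wire names and the brute-force cross-check are this example's own constructions.

```python
"""Division-trail check for superpoly involvement on the slides' toy polynomial.

Added example (not from the paper): exhaustive enumeration of bit-based
division trails through a hand-built circuit, cross-checked against the
true superpoly computed by brute force.
"""
from itertools import product

# f = v0 v1 k0 + v0 v1 k2 + v0 v1 + k0 k1 + v1 k2 + k2 + 1, written as a circuit.
# Every wire is consumed exactly once; fan-out is made explicit with COPY gates.
# The constant 1 is dropped: adding a constant does not change division trails.
INPUTS = ("k0", "k1", "k2", "v0", "v1")
GATES = [  # (kind, input wires, output wires)
    ("COPY", ("v1",), ("v1a", "v1b")),
    ("COPY", ("k0",), ("k0a", "k0b")),
    ("COPY", ("k2",), ("k2a", "k2b", "k2c")),
    ("AND", ("v0", "v1a"), ("a",)),          # a = v0 v1
    ("COPY", ("a",), ("a1", "a2", "a3")),
    ("AND", ("a1", "k0a"), ("m1",)),         # v0 v1 k0
    ("AND", ("a2", "k2a"), ("m2",)),         # v0 v1 k2
    ("AND", ("k0b", "k1"), ("m4",)),         # k0 k1
    ("AND", ("v1b", "k2b"), ("m5",)),        # v1 k2
    ("XOR", ("m1", "m2", "a3", "m4", "m5", "k2c"), ("z",)),
]


def propagate(kind, in_bits, n_out):
    """Bit-based propagation rules (Todo-Morii); returns the set of output tuples.
    COPY: the single 1 goes to exactly one copy      (MILP: a = b1 + ... + bm)
    XOR : output = sum of inputs, none if sum > 1      (MILP: a1 + ... + am = b)
    AND : output 1 iff some input is 1                 (MILP: b >= ai for all i)
    """
    s = sum(in_bits)
    if kind == "COPY":
        if s == 0:
            return {(0,) * n_out}
        return {tuple(int(i == j) for i in range(n_out)) for j in range(n_out)}
    if kind == "XOR":
        return {(s,)} if s <= 1 else set()
    if kind == "AND":
        return {(int(s > 0),)}
    raise ValueError(kind)


def trail_exists(initial):
    """True iff a division trail leads from `initial` (wire -> bit) to z = 1."""
    states = {tuple(sorted(initial.items()))}
    for kind, ins, outs in GATES:
        nxt = set()
        for state in states:
            wires = dict(state)
            in_bits = tuple(wires.pop(w) for w in ins)
            for out_bits in propagate(kind, in_bits, len(outs)):
                new = dict(wires, **dict(zip(outs, out_bits)))
                nxt.add(tuple(sorted(new.items())))
        states = nxt
    # all inputs are consumed, so the only surviving wire is z
    return any(dict(state) == {"z": 1} for state in states)


def maybe_involved(cube, kj):
    """Steps 1-3 of the slide: cube bits and k_j set to 1, all else 0; is z = 1 reachable?"""
    initial = {w: 0 for w in INPUTS}
    for v in cube:
        initial[v] = 1
    initial[kj] = 1
    return trail_exists(initial)


def f(k0, k1, k2, v0, v1):
    return (v0 * v1 * k0 + v0 * v1 * k2 + v0 * v1 + k0 * k1 + v1 * k2 + k2 + 1) & 1


def truly_involved(cube, kj):
    """Ground truth: does flipping k_j ever change the cube sum (non-cube IV bits 0)?"""
    ki = {"k0": 0, "k1": 1, "k2": 2}[kj]
    vi = [{"v0": 0, "v1": 1}[c] for c in cube]

    def cube_sum(k):
        total = 0
        for bits in product((0, 1), repeat=len(cube)):
            v = [0, 0]
            for i, b in zip(vi, bits):
                v[i] = b
            total ^= f(*k, *v)
        return total

    for k in product((0, 1), repeat=3):
        flipped = list(k)
        flipped[ki] ^= 1
        if cube_sum(k) != cube_sum(tuple(flipped)):
            return True
    return False


if __name__ == "__main__":
    for kj in ("k0", "k1", "k2"):
        print(kj, "trail:", maybe_involved(("v0", "v1"), kj),
              "truth:", truly_involved(("v0", "v1"), kj))
```

For the cube $\{v_0, v_1\}$ the trail search excludes $k_1$ (every trail that carries the $k_1$ bit must pass through $k_0 k_1$ while the $v_0$ bit must pass through $v_0 v_1$, so the final XOR would receive two 1s) and admits $k_0$ and $k_2$, which matches the superpoly $k_0 + k_2 + 1$. The direction of the guarantee is the one the slide states: no trail proves absence, while an existing trail does not prove presence.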

Our contributions
- We investigate the security of the nonlinear initialization phase of WG-5 with respect to cube attacks.
- We present an argument showing that the WG-5 initialization phase is more resistant to cube attacks than those of Grain128a and Trivium.

WG stream cipher

General architecture for WG ciphers
[Figure: an LFSR of $l$ stages $a_{l-1}, a_{l-2}, \ldots, a_1, a_0$ over $GF(2^m)$ with feedback coefficients $c_1, c_2, \ldots, c_{l-1}$. In the initialization phase the last stage is passed through $x^d$ and $WGP\text{-}m(x^d)$, whose $m$-bit output is fed back into the register; $Tr(\cdot)$ maps the $m$-bit value to the 1-bit keystream.]
Mathematical parameters:
$m$: bit width of the LFSR
$g(x)$: generating polynomial of $GF(2^m)$
$p(x) = \sum_{i=1}^{l-1} c_i x^i + x^l$: primitive polynomial for the LFSR
$l$: degree of $p$
Find $k$ such that $3k \equiv 1 \pmod m$; then
  $r_1 = 2^k + 1$, $r_2 = 2^{2k} + 2^k + 1$, $r_3 = 2^{2k} - 2^k + 1$, $r_4 = 2^{2k} + 2^k - 1$.
$WGP\text{-}m(x) = t(x + 1) + 1$, where $t(x) = x + x^{r_1} + x^{r_2} + x^{r_3} + x^{r_4}$ and $x \in GF(2^m)$.
$\gcd(d, 2^m - 1) = 1$.

WG ciphers: randomness properties
Randomness properties of the WG keystream:
- Long period: $2^{lm} - 1$
- Balanced
- Ideal 2-level autocorrelation
- Ideal $t$-tuple distribution

WG-5 specification
WG-5 [6] is a lightweight version of the eSTREAM submission WG cipher [7].
[Figure: a 32-stage LFSR $S_i[31], S_i[30], \ldots, S_i[0]$ of 5-bit stages, with the feedback from $S_i[0]$ multiplied by $\gamma$. In the initialization phase the last stage goes through $x^3$ and $WGP\text{-}5(x^3)$ (5 bits, fed back into the register) and $Tr(\cdot)$ (1 bit).]
$g(x) = x^5 + x^4 + x^2 + x + 1$
$p(x) = x^{32} + x^7 + x^6 + x^4 + x^3 + x^2 + \gamma$, where $\gamma = \alpha^4 + \alpha^3 + \alpha^2 + \alpha + 1$
Initial state: $S_0[j] = K[j \bmod 2]$ if $j \equiv 0 \pmod 2$, and $S_0[j] = IV[j \bmod 2]$ otherwise.
Number of initialization rounds: 64
[6] Aagaard, M. D., Gong, G., and Mota, R. K.: Hardware implementations of the WG-5 cipher for passive RFID tags.
[7] Nawaz, Y., and Gong, G.: WG: A family of stream ciphers with designed randomness properties.

Cube attack on WG-5

Attack framework: notation
key: $k = (k_0, k_1, \ldots, k_{79})$; IV: $v = (v_0, v_1, \ldots, v_{79})$
first keystream bit: $z = f(k, v)$
superpoly: $\bigoplus_{C_I} f(k, v) = p(\bar{k}, \bar{v})$, where $C_I$ is the cube of size $|I|$, $\bar{v} = \{v_0, v_1, \ldots, v_{79}\} \setminus \{v_{i_1}, v_{i_2}, \ldots, v_{i_{|I|}}\}$, $\bar{k} = \{k_{j_1}, k_{j_2}, \ldots, k_{j_{|J|}}\}$, and $|J|$ is the number of variables in $\bar{k}$.

Attack framework
The attack consists of two phases: 1) the offline phase and 2) the online phase.
Offline phase
Goal: recover a superpoly that is almost balanced for a given cube $C_I$.
Steps:
1. Create a MILP model $M$ that encodes the division trails of WG-5 reduced to $R$ rounds.
2. Evaluate the secret variables $\bar{k}$ involved in the superpoly $p$.
3. Choose a value for $\bar{v}$ and recover $p(\bar{k}, \bar{v})$ by trying out all $2^{|I| + |J|}$ possible values. Also store $p(\bar{k}, \bar{v})$ for all values of $\bar{k}$.

Attack framework (ctd.)
Online phase
Goal: recover the entire secret key.
Steps:
1. Query the cube $C_I$ to the encryption oracle to obtain the value of $p(\bar{k}, \bar{v})$ and compare it to the previously stored values. This step reduces the keyspace by half; we use multiple cubes to reduce the keyspace further.
2. Guess the remaining secret key values.

MILP model for WG-5 initialization
Algorithm 1: MILP model for the initialization of WG-5
 1: function WG5Eval(R)
 2:   Prepare an empty MILP model M
 3:   M.var S_0[j] for 0 <= j <= 31, where S_0[j] = (s^0_{5j}, s^0_{5j+1}, s^0_{5j+2}, s^0_{5j+3}, s^0_{5j+4})
 4:   for i = 1 to R do
 5:     (M, S', a) = WGP(S_{i-1})
 6:     (M, S', b) = FBK(S', [0, 2, 3, 4, 6, 7])
 7:     for j = 0 to 30 do
 8:       S_i[j] = S'[j + 1]
 9:     end for
10:     M.con S'[0] = 0
11:     M.var S_i[31] as binary
12:     M.con S_i[31] = a + b
13:   end for
14:   (M, S', z) = KSG(S_R)
15:   for j = 0 to 31 do
16:     S'[j] = 0
17:   end for
18:   M.con z = 1
19: end function

MILP model for the WG permutation (WGP-5)
WGP-5 = [0x0, 0x1, 0x1C, 0x4, 0x12, 0x10, 0x1F, 0x13, 0x1E, 0x3, 0x19, 0x15, 0x5, 0x16, 0x18, 0x8, 0xB, 0xF, 0x7, 0xE, 0x17, 0xA, 0xC, 0x6, 0xD, 0x2, 0x14, 0x1D, 0x1B, 0x11, 0x9, 0x1A]
Modeling division trails of WGP-5: let $(x_0, x_1, x_2, x_3, x_4)$ and $(y_0, y_1, y_2, y_3, y_4)$ be the input and output of the WGP-5 S-box, respectively. Reduce the number of inequalities using the inequality_generator() function in Sage and Algorithms 1 and 2 in [XZBL] [8].
[8] Xiang, Z., Zhang, W., Bao, Z., and Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. ASIACRYPT 2016.
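Before any inequalities can be generated or reduced, the set of division trails of the S-box has to be computed from its lookup table. The following is an added example, not the authors' code: for each input division-property vector $k$ it lists the output vectors $k'$ for which the product of output bits $y^{k'} = \prod_{k'_i = 1} y_i$ contains a monomial $x^u$ with $u \succeq k$ (the characterisation used by Xiang et al. to build S-box trail tables), and then keeps only the minimal $k'$. Bit $i$ of a table value is taken as $y_i$ and bit $i$ of the index as $x_i$; that bit-ordering convention is this example's assumption. The Sage-based H-representation step that follows in the slides is not shown.

```python
"""Division trails of the WGP-5 S-box, computed from its lookup table.

Added example (not from the paper). Vectors over F_2^5 are packed as 5-bit
integers: bit i of an input index is x_i, bit i of a table value is y_i.
"""
from itertools import product

WGP5 = [0x0, 0x1, 0x1C, 0x4, 0x12, 0x10, 0x1F, 0x13, 0x1E, 0x3, 0x19, 0x15,
        0x5, 0x16, 0x18, 0x8, 0xB, 0xF, 0x7, 0xE, 0x17, 0xA, 0xC, 0x6, 0xD,
        0x2, 0x14, 0x1D, 0x1B, 0x11, 0x9, 0x1A]
N = 5


def anf(truth_table):
    """Moebius transform: truth table indexed by x -> set of monomials (bitmasks u)."""
    coeff = list(truth_table)
    for i in range(N):
        for x in range(1 << N):
            if x & (1 << i):
                coeff[x] ^= coeff[x ^ (1 << i)]
    return {u for u in range(1 << N) if coeff[u]}


def product_of_output_bits(sbox, kprime):
    """Truth table of y^{k'}: 1 iff every output bit selected by k' is 1."""
    return [int((sbox[x] & kprime) == kprime) for x in range(1 << N)]


def division_trails(sbox):
    """Map k -> set of minimal k' such that (k -> k') is a division trail of the S-box."""
    monomials = {kp: anf(product_of_output_bits(sbox, kp)) for kp in range(1 << N)}
    table = {}
    for k in range(1 << N):
        # k' is reachable iff y^{k'} contains some x^u with u >= k (u covers every bit of k)
        reachable = {kp for kp, mons in monomials.items() if any(u & k == k for u in mons)}
        # keep only the minimal vectors: drop k' if another reachable k'' is strictly below it
        table[k] = {kp for kp in reachable
                    if not any(o != kp and o & kp == o for o in reachable)}
    return table


def is_permutation(sbox):
    return sorted(sbox) == list(range(1 << N))


def fmt(vec):
    """5-bit mask -> '(x0,x1,x2,x3,x4)' style tuple of bits, bit 0 first."""
    return tuple((vec >> i) & 1 for i in range(N))


if __name__ == "__main__":
    trails = division_trails(WGP5)
    print("permutation:", is_permutation(WGP5))
    print("total minimal trails:", sum(len(s) for s in trails.values()))
    for k in (0b00001, 0b00011, 0b11111):
        print(fmt(k), "->", sorted(fmt(kp) for kp in trails[k]))
```

Two sanity checks follow from WGP-5 being a permutation and hold for any bijective S-box: the all-zero input vector propagates only to the all-zero output vector, and the all-ones input vector (every $x_i$ in the monomial) propagates only to the all-ones output vector, since $y_0 y_1 y_2 y_3 y_4$ is a single-point indicator and every product of fewer output bits is balanced. The (input, output) pairs this table enumerates are exactly the points that the inequality set on the next slide has to contain.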

MILP model for the WG permutation (WGP-5) (ctd.)
Reduced inequality set for the WGP-5 S-box, one inequality per line, as transcribed (the relation symbols and the signs of the coefficients did not survive the extraction):
2x_0 + 2x_1 + 2x_2 + 2x_3 + 6x_4   3y_0 3y_1 3y_2 3y_3 3y_4   1
4x_3   y_0 y_1 y_2 y_3 y_4   1
4x_0   y_0 y_1 y_2 y_3 y_4   1
x_0 x_2 x_3 y_0 + 4y_1 y_2 y_3 2y_4   4
6x_0 3x_1 6x_3 6x_4 + 2y_0 4y_1 + 3y_2 y_3 + 2y_4   19
3x_0 x_1 x_2 3x_3 2x_4 + 9y_0 + 7y_1 + 8y_2 + 9y_3 + 9y_4   0
x_0 + x_1 + x_2 + x_3 + x_4 3y_0 3y_1 3y_2 3y_3 + 5y_4   2
x_0 3x_2 3x_3 2x_4 + y_0 + y_2 + y_3 2y_4   8
x_0 x_1 + 2x_2 x_3 x_4 y_0 2y_1 2y_2 + 3y_3 y_4   5
x_0 2x_1 2x_2 2x_3 x_4 2y_0 y_1 y_2 y_3 + 5y_4   8
2x_0 x_1 2x_2 2x_4 + y_0 + y_1 y_2 + y_4   6
x_0 x_2 x_3 + y_0 y_4   3

MILP model for FBK and KSG
MILP model for FBK: the feedback function is given by
  $S_i[0] \oplus S_i[2] \oplus S_i[3] \oplus S_i[4] \oplus S_i[6] \oplus S_i[7]$.
Model the division property of bitwise XOR only.
MILP model for KSG: the keystream bit after the $R$-th round is given by
  $z = Tr(WGP\text{-}5(S_R[31]^3)) = s^R_{155} + s^R_{156} + s^R_{157} + s^R_{158} + s^R_{159} + s^R_{155} s^R_{156} + s^R_{155} s^R_{157} + s^R_{155} s^R_{159} + s^R_{156} s^R_{158} + s^R_{156} s^R_{159} + s^R_{155} s^R_{156} s^R_{157} + s^R_{155} s^R_{157} s^R_{158} + s^R_{155} s^R_{157} s^R_{159} + s^R_{155} s^R_{158} s^R_{159} + s^R_{156} s^R_{157} s^R_{158} + s^R_{156} s^R_{158} s^R_{159}$.
Model the division property of bitwise XOR and AND.

Number of MILP variables & constraints
Function           # of variables      # of constraints
WGP                15                  17
FBK                65                  35
KSG                79                  63
R rounds of WG-5   160 + 159R + 5R     161 + 115R + 10R

MILP model to find the involved secret variables in the superpoly
Steps 4-6 of the model set the initial input division property.

Results
Table 1: Involved secret variables in the superpoly for cube indices $I \in \{I_1, I_2, I_3, I_4, I_5\}$, where $I_1 = \{0, 1, 2, 3\}$, $I_2 = \{0, 1, 2, 4\}$, $I_3 = \{0, 1, 3, 4\}$, $I_4 = \{0, 2, 3, 4\}$, $I_5 = \{1, 2, 3, 4\}$.
Rounds   Involved secret variables $\bar{k}$   Time complexity, $\log_2(\cdot)$
15       $\{k_5, k_6, \ldots, k_{54}\}$           54
16       $\{k_5, k_6, \ldots, k_{54}\}$           54
17       $\{k_5, k_6, \ldots, k_{59}\}$           59
18       $\{k_5, k_6, \ldots, k_{59}\}$           59
19       $\{k_5, k_6, \ldots, k_{64}\}$           64
20       $\{k_5, k_6, \ldots, k_{64}\}$           64
21       $\{k_5, k_6, \ldots, k_{69}\}$           69
22       $\{k_5, k_6, \ldots, k_{69}\}$           69
23       $\{k_5, k_6, \ldots, k_{74}\}$           74
24       $\{k_5, k_6, \ldots, k_{74}\}$           74

Key recovery for 24 rounds
Key recovery procedure:
1. Choose a value for the constant part of the IV and vary all $2^4 \cdot 2^{70}$ values to recover $p(k_5, k_6, \ldots, k_{74}, \bar{v})$, where $\bar{v} = \{v_0, v_1, \ldots, v_{79}\} \setminus \{v_j \mid j \in I_i\}$ for $1 \le i \le 5$ and $R = 24$.
2. Store the $2^{70}$ values of $p(\bar{k}, \bar{v})$.
3. Query the cube $C_{I_i}$ to the encryption oracle and compute the sum $\bigoplus_{C_{I_i}} f(k, v)$.
4. Compare the above sum with the values of $p$ stored in the offline phase and discard the values of $\{k_5, k_6, \ldots, k_{74}\}$ for which the sum differs.
Data complexity: $5 \cdot 2^4 \approx 2^{6.32}$
Time complexity: $5 \cdot 2^{74} + 2^{75} \approx 2^{76.81}$
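The superpoly definition from the introduction and the offline/online procedure just described, carried out end to end on the toy polynomial $f(k_0, k_1, k_2, v_0, v_1)$ from the introduction slide, as an added example that is not from the paper. The toy $f$ stands in for the first keystream bit of reduced-round WG-5; the cube and constant-IV choices in CUBES and the secret keys used in the demonstration are constructed for this example. superpoly_anf recovers $p(\bar{k}, \bar{v})$ as an algebraic normal form over the key bits (a Moebius transform of the cube-sum truth table), offline_phase stores $p$ for every key, online_phase filters keys through the oracle's cube sums, and guess_remaining is the final exhaustive step.

```python
"""Superpoly recovery and offline/online key filtering on the slides' toy polynomial.

Added example (not from the paper). The 5-variable f from the introduction
(3 key bits, 2 IV bits) stands in for the first keystream bit of reduced-round
WG-5; the (cube, constant IV) pairs in CUBES are constructed for the demo.
"""
from functools import partial
from itertools import product

N_KEY, N_IV = 3, 2


def f(key, iv):
    """Toy keystream bit from the slides, over GF(2)."""
    k0, k1, k2 = key
    v0, v1 = iv
    return (v0 * v1 * k0 + v0 * v1 * k2 + v0 * v1 + k0 * k1 + v1 * k2 + k2 + 1) & 1


def cube_sum(keystream, cube, const_iv):
    """XOR of keystream(v) over C_I: all 2^|I| assignments of the cube bits,
    with the non-cube IV bits held at const_iv."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(const_iv)
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= keystream(tuple(v))
    return total


def superpoly_anf(func, cube, const_iv):
    """Recover p(k, v_bar) as a set of key monomials (tuples of key indices)
    by a Moebius transform of the cube-sum truth table over the key bits."""
    keys = list(product((0, 1), repeat=N_KEY))
    table = {k: cube_sum(partial(func, k), cube, const_iv) for k in keys}
    monomials = set()
    for u in keys:
        coeff = 0
        for k in keys:
            if all(kb <= ub for kb, ub in zip(k, u)):   # k lies below u
                coeff ^= table[k]
        if coeff:
            monomials.add(tuple(i for i, b in enumerate(u) if b))
    return monomials


# (cube indices, constant part of the IV); each pair yields one superpoly
CUBES = [((0, 1), (0, 0)),   # superpoly k0 + k2 + 1
         ((1,), (0, 0)),     # superpoly k2
         ((1,), (1, 0))]     # superpoly k0 + 1


def offline_phase(cubes):
    """Store the superpoly value for every key, one table per (cube, v_bar) pair."""
    return [{k: cube_sum(partial(f, k), cube, const_iv)
             for k in product((0, 1), repeat=N_KEY)}
            for cube, const_iv in cubes]


def online_phase(oracle, cubes, tables):
    """Query each cube through the oracle; keep the keys whose stored value matches."""
    candidates = set(product((0, 1), repeat=N_KEY))
    for (cube, const_iv), table in zip(cubes, tables):
        observed = cube_sum(oracle, cube, const_iv)
        candidates = {k for k in candidates if table[k] == observed}
    return candidates


def guess_remaining(oracle, candidates):
    """Exhaustively check the surviving keys against the oracle on every IV."""
    ivs = list(product((0, 1), repeat=N_IV))
    return sorted(k for k in candidates if all(f(k, v) == oracle(v) for v in ivs))


def attack(secret_key):
    oracle = partial(f, secret_key)          # the secret key is hidden inside the oracle
    candidates = online_phase(oracle, CUBES, offline_phase(CUBES))
    return candidates, guess_remaining(oracle, candidates)


if __name__ == "__main__":
    for cube, const_iv in CUBES:
        print("cube", cube, "v_bar", const_iv, "->", superpoly_anf(f, cube, const_iv))
    print(attack((1, 0, 1)))
```

The first two cubes recover $k_0 + k_2 + 1$ and $k_2$; the third shows why the constant part of the IV is chosen deliberately in the offline phase: the same cube $\{v_1\}$ yields $k_2$ with $v_0 = 0$ but $k_0 + 1$ with $v_0 = 1$. Three cube sums pin down $k_0$ and $k_2$, leaving $k_1$ to the guessing step, and for a secret key with $k_0 = 0$ the term $k_0 k_1$ vanishes so that no query can separate the two survivors.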

Attack comparison with algebraic attacks
- The existing algebraic attack [9] on WG-5 requires data and time complexity $2^{15}$ and $2^{33}$, respectively.
- It is not applicable if WGP-5 is fed back into the state during the KSG phase.
- Our attack remains unaffected by the feedback of WGP-5 during the KSG phase.
[9] Rønjom, S.: Improving algebraic attacks on stream ciphers based on linear feedback shift registers over $\mathbb{F}_{2^k}$. DCC 2017.

Comparison with Grain128a & Trivium

Grain128a
[Figure: a 128-bit NLFSR $b$ with feedback function $g$ and a 128-bit LFSR $s$ with feedback function $f$, combined through the filter function $h$ to produce the keystream bit $z$.]
Key: 128 bits, IV: 96 bits, number of initialization rounds: 256
Initial state: $(b_0, b_1, \ldots, b_{127}) = (k_0, k_1, \ldots, k_{127})$, $(s_0, s_1, \ldots, s_{127}) = (iv_0, iv_1, \ldots, iv_{95}, 1, \ldots, 1, 0)$.
State update function:
  $g = b_0 + b_{26} + b_{56} + b_{91} + b_{96} + b_3 b_{67} + b_{11} b_{13} + b_{17} b_{18} + b_{27} b_{59} + b_{40} b_{48} + b_{61} b_{65} + b_{68} b_{84} + b_{88} b_{92} b_{93} b_{95} + b_{22} b_{24} b_{25} + b_{70} b_{78} b_{82}$
  $f = s_0 + s_7 + s_{38} + s_{70} + s_{81} + s_{96}$
  $h = b_{12} s_8 + s_{13} s_{20} + b_{95} s_{42} + s_{60} s_{79} + b_{12} b_{95} s_{94}$
  $z = h + s_{93} + b_2 + b_{15} + b_{36} + b_{45} + b_{64} + b_{73} + b_{89}$
  $(b_0, b_1, \ldots, b_{127}) \leftarrow (b_1, b_2, \ldots, b_{127}, g + s_0 + z)$
  $(s_0, s_1, \ldots, s_{127}) \leftarrow (s_1, s_2, \ldots, s_{127}, f + z)$

Trivium
[Figure: three shift registers $s_0 \ldots s_{92}$, $s_{93} \ldots s_{176}$ and $s_{177} \ldots s_{287}$, with taps at $s_{65}, s_{68}, s_{90}, s_{91}, s_{92}$; $s_{161}, s_{170}, s_{174}, s_{175}, s_{176}$; and $s_{242}, s_{263}, s_{285}, s_{286}, s_{287}$.]
Key: 80 bits, IV: 80 bits, number of initialization rounds: 1152
Initial state:
  $(s_0, s_1, \ldots, s_{92}) = (k_0, k_1, \ldots, k_{79}, 0, \ldots, 0)$
  $(s_{93}, s_{94}, \ldots, s_{176}) = (iv_0, iv_1, \ldots, iv_{79}, 0, \ldots, 0)$
  $(s_{177}, s_{178}, \ldots, s_{287}) = (0, 0, \ldots, 0, 1, 1, 1)$
State update function:
  $t_1 \leftarrow s_{65} + s_{92}$
  $t_2 \leftarrow s_{161} + s_{176}$
  $t_3 \leftarrow s_{242} + s_{287}$
  $z \leftarrow t_1 + t_2 + t_3$
  $t_1 \leftarrow t_1 + s_{90} s_{91} + s_{170}$
  $t_2 \leftarrow t_2 + s_{174} s_{175} + s_{263}$
  $t_3 \leftarrow t_3 + s_{285} s_{286} + s_{68}$
  $(s_0, s_1, \ldots, s_{92}) \leftarrow (t_3, s_0, \ldots, s_{91})$
  $(s_{93}, s_{94}, \ldots, s_{176}) \leftarrow (t_1, s_{93}, \ldots, s_{175})$
  $(s_{177}, s_{178}, \ldots, s_{287}) \leftarrow (t_2, s_{177}, \ldots, s_{286})$

Comparison of initialization phases
[Figure: generic model of the initialization phases: an NLFSR with feedback $g(y_0, y_1, \ldots, y_{m-1})$ and an LFSR with feedback $f(x_0, x_1, \ldots, x_{n-1})$, $n + m$ bits in total, with the output functions $G(Y_{i_1}), G(Y_{i_2}), \ldots, G(Y_{i_k})$.]

Comparison of initialization phases (cont.)
Observations on the keystream bit:
- For Trivium, the degree of $z$ is 3 after 81 rounds.
- For Grain128a, the degree of $z$ is 6 after 32 rounds.
- For WG-5, the degree of $z$ is 6 after 1 round.
The degree of WG-5 grows much faster than that of Grain128a and Trivium.

Comparison of initialization phases (cont.)
More observations:
- For WG-5, the 5 bits processed by WGP-5 at the $i$-th round are used to generate the keystream bit at round $i + 1$, along with $5 \cdot 6 = 30$ new bits from the feedback function.
- For Grain128a, the bits $b_{127}$ and $s_{127}$ updated in the $i$-th round are used in the keystream bit at rounds $i + 32$ and $i + 33$, respectively.
- For Trivium, the values of $t_1$, $t_2$ and $t_3$ at the $i$-th round are used in the keystream bit at rounds $i + 90$, $i + 81$ and $i + 108$, respectively.
- Cube attacks can cover more than half of the rounds for Grain128a (183/256) and Trivium (832/1152) ([Todo et al.] [10]), compared to WG-5 (24/64).
[10] Todo, Y., Isobe, T., Hao, Y., and Meier, W.: Cube attacks on non-blackbox polynomials based on division property. CRYPTO 2017.

Conclusions

Conclusions
In this paper:
- We investigated the security of reduced-round WG-5 with respect to cube attacks.
- The attack requires data complexity $5 \cdot 2^4 \approx 2^{6.32}$ and time complexity $5 \cdot 2^{74} + 2^{75} \approx 2^{76.81}$ for 24 rounds.
- We compared the WG-5 initialization phase with those of Grain128a and Trivium and showed that WG-5 is more resistant to cube attacks.
Full paper: http://cacr.uwaterloo.ca/techreports/2017/cacr2017-06.pdf

Thank you for your attention!
Communication Security (ComSec) Lab, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1, CANADA
www.comsec.uwaterloo.ca