Non‐quantum cryptanalysis of the noisy version of Aaronson–Christiano's quantum money scheme
2018; Institution of Engineering and Technology; Volume: 13; Issue: 4 Linguagem: Inglês
10.1049/iet-ifs.2018.5307
ISSN1751-8717
AutoresMarta Conde Pena, Raúl Durán Dı́az, Jean‐Charles Faugère, Luis Hernández Encinas, Ludovic Perret,
Tópico(s)Analytic Number Theory Research
ResumoIET Information SecurityVolume 13, Issue 4 p. 362-366 Research ArticleFree Access Non-quantum cryptanalysis of the noisy version of Aaronson–Christiano's quantum money scheme Marta Conde Pena, Marta Conde Pena Instituto de Tecnologías Físicas y de la Información (ITEFI), Consejo Superior de Investigaciones Científicas (CSIC), C/ Serrano 144, 28006 Madrid, SpainSearch for more papers by this authorRaul Durán Díaz, Raul Durán Díaz Universidad de Alcalá, 28871 Alcalá de Henares, SpainSearch for more papers by this authorJean-Charles Faugère, Jean-Charles Faugère Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, F-75005 Paris, France INRIA, Paris-Rocquencourt Center, POLSYS Project, 4, place Jussieu, LIP6, F-75252 Paris Cedex 05, France CNRS, UMR 7606, LIP6, F-75005 Paris, FranceSearch for more papers by this authorLuis Hernández Encinas, Corresponding Author Luis Hernández Encinas luis@iec.csic.es Instituto de Tecnologías Físicas y de la Información (ITEFI), Consejo Superior de Investigaciones Científicas (CSIC), C/ Serrano 144, 28006 Madrid, SpainSearch for more papers by this authorLudovic Perret, Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, F-75005 Paris, France INRIA, Paris-Rocquencourt Center, POLSYS Project, 4, place Jussieu, LIP6, F-75252 Paris Cedex 05, France CNRS, UMR 7606, LIP6, F-75005 Paris, FranceSearch for more papers by this author Marta Conde Pena, Marta Conde Pena Instituto de Tecnologías Físicas y de la Información (ITEFI), Consejo Superior de Investigaciones Científicas (CSIC), C/ Serrano 144, 28006 Madrid, SpainSearch for more papers by this authorRaul Durán Díaz, Raul Durán Díaz Universidad de Alcalá, 28871 Alcalá de Henares, SpainSearch for more papers by this authorJean-Charles Faugère, Jean-Charles Faugère Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, F-75005 Paris, France INRIA, Paris-Rocquencourt Center, POLSYS Project, 4, place Jussieu, LIP6, F-75252 Paris Cedex 05, France CNRS, UMR 7606, LIP6, F-75005 Paris, FranceSearch for more papers by this authorLuis Hernández Encinas, Corresponding Author Luis Hernández Encinas luis@iec.csic.es Instituto de Tecnologías Físicas y de la Información (ITEFI), Consejo Superior de Investigaciones Científicas (CSIC), C/ Serrano 144, 28006 Madrid, SpainSearch for more papers by this authorLudovic Perret, Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, F-75005 Paris, France INRIA, Paris-Rocquencourt Center, POLSYS Project, 4, place Jussieu, LIP6, F-75252 Paris Cedex 05, France CNRS, UMR 7606, LIP6, F-75005 Paris, FranceSearch for more papers by this author First published: 01 July 2019 https://doi.org/10.1049/iet-ifs.2018.5307Citations: 2AboutSectionsPDF ToolsRequest permissionExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onFacebookTwitterLinkedInRedditWechat Abstract At STOC 2012, Aaronson and Christiano proposed a noisy and a noiseless version of the first public-key quantum money scheme endowed with a security proof. This paper addresses the so-called noisy hidden subspaces problem, on which the noisy version of their scheme is based. The first contribution of this work is a non-quantum cryptanalysis of the above-mentioned noisy quantum money scheme extended to prime fields , with , that runs in randomised polynomial time. This finding is supported with experimental results showing that, in practice, the algorithm presented is efficient and succeeds with overwhelming probability. The second contribution is a non-quantum randomised polynomial-time cryptanalysis of the noisy quantum money scheme over succeeding with a certain probability for values of the noise lying within a certain range. This result disproves a conjecture made by Aaronson and Christiano about the non-existence of an algorithm that solves the noisy hidden subspaces problem over and succeeds with such probability. 1 Introduction The impossibility of creating cash that is theoretically impossible to forge seems to be an inherent limitation of money constructed under the laws of classical physics. However, around 1980 Wiesner proposed to construct money taking advantage of the laws of quantum mechanics instead: the no-cloning theorem states that it is impossible to create identical copies of an unknown quantum state, so Wiesner thought of adding to the banknotes a certain number of photons polarised in secret directions only known by the bank [1]. As a consequence of the no-cloning theorem, the probability of a successful forgery decreases exponentially with the number of photons. The idea of Wiesner brought hope to the possibility of unforgeable money, but it also presented several drawbacks, some of which have been corrected over time (e.g. the need for a huge database with information about the circulating banknotes in [2] or the fact that money can only be verified by the bank that issued it in [3, 4]). Nevertheless, most efforts in the field of quantum money today are put into a more ambitious aim: constructing quantum money that can be verified by anyone (note that this was not the approach of [3, 4]). This kind of quantum money is called public-key quantum money. In a public-key quantum money scheme, anyone (and not only the issuing bank) endowed with the appropriate quantum device can verify whether a banknote is genuine. Aaronson gave in [5] the first formal treatment of public-key quantum money and he states that a public-key quantum money scheme must rely on a computational hardness assumption rather than on the uncloneability of quantum states alone. Some work has been done in the construction of public quantum money schemes so far: the first public-key quantum money scheme was proposed by Aaronson [5], and it was based on random stabiliser states (a certain type of quantum states), but it was broken in [6]. Depending on the parameters of the scheme, the break was achieved either using the verification circuit description to recover the secret information, or by generating states that were different from an intended money state but still passed the verification procedure with high probability. Later Farhi et al. [7] proposed a scheme based on knot theory, which has been followed up by the work of [8]. However, all these schemes present a common issue: they lack formal security proofs. Aaronson and Christiano are the first ones to propose a public-key quantum money scheme [9] and achieve a security proof assuming the hardness of a certain computational problem. This scheme of Aaronson and Christiano is the focus of this paper. A high-level description of the base problem on which Aaronson and Christiano construct their scheme is as follows. Denoting by , a finite field of prime order and setting , given a pair of m -tuples of polynomials , where the polynomial components of vanish on an unknown subspace and the polynomial components of vanish on its orthogonal, , all the components being of the same degree, d, the problem is to recover (or , indistinctly). They also propose a modification of the former problem by adding some noise to further disguise the subspaces. This new problem is the same as the previous one except that now some polynomials in vanishing on subspaces other than and are added as noise. These two problems, which the authors refer to as the hidden subspaces problem and the noisy hidden subspaces problem, respectively, are at the core of the noise-free and the noisy version of Aaronson–Christiano's scheme. The hidden subspaces problem is similar to other problems used as a basis for multivariate cryptography, so it is reasonable to assume that it might be hard. However, provided that the choice of parameters is as specified by Aaronson and Christiano in [9], it is shown in [10] that the hidden subspaces problem is solved in polynomial time over when its order is a large prime and in heuristic polynomial time over . The results of [10] heuristically break Aaronson–Christiano's scheme in its noise-free version and invalidate the possibility of an extension of the noise-free version of the scheme to for large prime orders of the base field , which was an open question. The noisy version of the scheme is not considered in [10], but it has recently been tackled in [11] (and reported on in [12]), where a break of the noisy scheme is achieved via a quantum reduction from the problem of breaking the noisy scheme to the problem of breaking the noiseless scheme, which was already solved in [10]. At this point, the authors want to stress out that, to the best of our knowledge, here, the authors are the first ones to reach significant results regarding the cryptanalysis of the noisy version of Aaronson–Christiano's scheme from a non-quantum perspective. Contributions and outline. Here, the authors build upon the work of [10], now focusing on the noisy version of the scheme. As an extension of the results of [9, 10], the authors first show that there exists a randomised polynomial-time attack for the noisy version of Aaronson–Christiano's scheme extended to a field , with , where d is the degree of the instance considered. This means that, analogously to what happens with the noise-free version, the noisy version of the scheme extended to a prime field of size different from is not secure. The authors then support our theoretical findings by reporting experimental results which show that the attack is efficient and succeed with overwhelming probability in practice. Finally, the authors present an attack for the noisy version of Aaronson–Christiano's scheme over , with , which happens to disprove a conjecture of Aaronson–Christiano in [9, Conjecture 32] – stating that no polynomial-time algorithm recovers with a probability of success , where n is the number of variables of the instance – for values of the noise within a certain range. The authors want to remark that our algorithms are the first non-quantum ones that achieve a break of the noisy scheme of Aaronson and Christiano. The authors dedicate Section 2 to define the hidden subspaces problem and its noisy counterpart and the authors include preliminary results of [9, 10] that will be used or referred to. In Section 3, the authors develop our first main result: in Section 3.1, they present our cryptanalysis of the noisy hidden subspaces problem over when and in Section 3.2, they report experimental results that show the efficiency of the attack in practice. In Section 4, the authors describe our non-quantum polynomial-time cryptanalysis of the noisy hidden subspaces problem over , with . In Section 5, the authors finish with the conclusions. 2 Preliminaries The authors dedicate this section to fix some notation and to define precisely both the hidden subspaces problem over (the for short) and the noisy hidden subspaces problem over (the for short), where is a finite field of prime order. The authors also state some facts from [9, 10] that will be assumed or referred to in the rest of the paper. Throughout this paper, always denotes a finite field of prime order. The authors write and so they denote by the polynomial ring in n variables over . The authors set to be the probability that a matrix over is invertible. Finally, n always denotes an even integer and . The authors start by defining the hidden subspaces problem: Hidden Subspaces Problem () Input: of degree , with . Find: a subspace of dimension such that where denotes the orthogonal complement of with respect to the usual scalar product in . The way the input polynomials for are chosen is specified by Aaronson and Christiano in [9]: once the degree d is fixed, each is chosen uniformly at random among the polynomials of degree d that vanish on , and analogously each is chosen uniformly at random among the degree-d polynomials that vanish on (Lemma 28). From now on and unless otherwise said, a degree-d instance of refers to one generated under these conditions. Now the authors move on to define the noisy version of the hidden subspaces problem: The Noisy Hidden Subspaces Problem (The ) Input: polynomials of degree , , where and . Find: a subspace of dimension such that for some with , where denotes the orthogonal complement of with respect to the standard scalar product in . In what follows, the authors say that a polynomial (resp. ) is non-noisy if (resp. ), and the authors say that it is noisy otherwise. The way the input polynomials for the are chosen is also given in [9]. For the non-noisy polynomials, the criterion is the same as for , this is, if , then is chosen uniformly at random among the polynomials of degree d vanishing on (analogously, if , then is chosen uniformly at random among the polynomials of degree d vanishing on ). The way to generate the noisy polynomials is as follows: if , then is chosen uniformly at random among the polynomials of degree d that vanish on a random -dimensional . Analogously, if , then is chosen uniformly at random among the polynomials that vanish on a random -dimensional subspace . Note that in the , there is no orthogonality relation between and and that (respectively ) is in principle different for each (respectively for each ). Unless it is otherwise stated, from now on a degree-d instance of the is one satisfying these conditions. Furthermore, to avoid overcomplicated notation later on, given an instance of the , the authors define the weight of a vector with respect to , denoted by , as the cardinal of the set that is, . The authors also define the set as Both of these definitions can be written analogously with respect to . The authors finish this section recalling three results: the first one is a result from [9] that will be needed in section 3, the second one is the main theorem from [10] about the cryptanalysis of the and the third one states a conjecture made in [9] claiming that no polynomial-time algorithm could recover with success probability . Lemma 1.([9], Lemma 30): Let be an instance of the . Then, and , where denotes the probability of an event and refers to the standard big asymptotic notation ([9], Lemma 30). This result allows to test whether or not a given element in belongs to . Note too that Lemma 1 can be extended to a field with . Theorem 1.(Theorem 4): There is a (heuristic) randomised polynomial-time algorithm solving with a complexity of where is the linear algebra constant, and with success probability , where denotes the probability that a random matrix with entries in is invertible ([10], Theorem 4). Conjecture 1.([9], Conjecture 32): Set and and let be a degree d instance of the . Under these conditions, there is no polynomial-time quantum algorithm that can solve the with success probability ([9], Conjecture 32). 3 for This section is dedicated to describe our first main contribution. In Section 3.1, the authors present our randomised polynomial-time cryptanalysis of the , with . In Section 3.2, the authors report experimental results showing that this algorithm is very efficient in practice and that its probability of success is overwhelming. 3.1 Cryptanalysis of the for The cryptanalysis of the with the constraint turns out to be an extension of the attack for degree- instances of the mentioned by Aaronson and Christiano in [9]. This extension is possible due to a key observation which authors state in Lemma 3. The attack mentioned in [9] for linear instances of the is as follows: Lemma 2.If is a degree instance of the , there exists an attack that recovers in randomised polynomial time ([9], Claim 35). The attack makes use of the fact that if is a degree instance of the , then it occurs that (1)The analogous property holds for the components of , but for simplicity of exposition the authors assume that it is the characterisation (1) that the authors use. This property implies the existence of as many as non-noisy polynomials vanishing on there exist, that is, . Since deciding if a given element of belongs to can be done efficiently by applying Lemma 1, the authors can recover elements of . Now the authors can extract linearly independent elements from the recovered elements with a probability at least equal to the probability that a certain has rank , which according to the formula of Theorem 1.1 in [13], is The attack of Lemma 2 is formulated for , but it is clear that it can also be applied when the size of the field is different from two. In fact, the attack of Lemma 2 serves as a basis for the cryptanalysis of degree d instances of the when due to the following key observation (a similar idea was already used in [14]): Lemma 3.For , any degree d instance of the can be reduced to a degree instance of the . Proof.Let be a degree d instance of the and recall that is a solution of that instance of the if and for all . Note now that any element of the subspace can be written as , where is a vector of formal variables and is, abusing notation, a basis matrix of the subspace .Since for , every polynomial vanishes on and keeping in mind that , it must occur that all the coefficients of are zero. In particular, it occurs that for all .An analogous argument can be used to infer that for all , and so the authors can state that if is a solution of the degree d instance of the , then is also a solution of the degree instance of the . This way the authors conclude that the degree d instance of the can be reduced to the degree instance of the .Furthermore, it is worth noting that the algorithm of the in [10] ensures that, whenever it succeeds, the solution of an instance of the has an unique solution. This implies that the solution of the degree instance is necessarily . □ The use of Lemmas 2 and 3 together allows us to obtain a cryptanalysis for degree d instances of the when : Theorem 2.There is a randomised polynomial-time algorithm that solves the when with complexity and probability of success at least Proof.Let be a degree d instance of the with . Denoting the linear parts of the components of and by where , the algorithm showed in Fig. 1 solves the as an application of both Lemmas 2 and 3.The algorithm above succeeds if among the elements from there are linearly independent ones, that is, if the corresponding matrix has rank . The probability that a matrix has rank is greater than the probability that a certain submatrix has rank , which equals following the formula in Theorem 1.1 of [13], which makes sense because the elements are random (recall that is randomly selected).However, the algorithm above works only for degree-d instances of the such that there are at least components of with linear terms (so Lemma 2 can be applied). It can be easily seen that the probability of this event (which can be computed using the binomial distribution) equals: Therefore, the overall success probability of the algorithm is Regarding the complexity, the computational cost of the loop that obtains is . Computing a row echelon form to find linearly independent elements costs , so the total complexity is the sum of both, which is as expected. □ Fig. 1Open in figure viewerPowerPoint Algorithm to solve the This result means that there is a randomised polynomial-time algorithm solving the when , with the choice of parameters given in [9]. However, it is worth mentioning that our attack could be avoided if a set of parameters other than the one proposed by the authors of [9] is used (e.g. considering homogeneous instances). 3.2 Experimental results Here, the authors present experimental results (see Tables 1 and 2) to complete the theoretical result of our randomised polynomial-time algorithm of Theorem 2. The experiments show that the cryptanalysis of the noisy version of Aaronson–Christiano's scheme extended to a field (with ) is not only very efficient in practice but also succeeds with overwhelming probability. Table 1. Performance of the cryptanalysis (Theorem 2) of the Parameters field n 10 12 14 20 10 12 14 20 time (in sec.) 0.25 0.6 1.59 13.13 0.43 1.03 3.09 20.14 Table 2. Performance of the cryptanalysis (Theorem 2) of the Parameters field n 10 12 14 10 12 14 time (in sec.) 1.28 4.41 11.32 2.54 7.85 17.96 All experiments were run on a 2.93 GHz Intel PC with 128 Gb of RAM with the Magma software [15] (V2.19-1). The Magma source code is available upon request. Regarding the speed, we can see that the cryptanalysis is very fast and that an increase in the size of the field does not entail a significant decrease of the speed. Regarding the probability of success, the first factor in the probability of success given in Theorem 2 with parameters , , and is whereas the second factor amounts to The probability of success – which is the probability of both factors – for those parameters is already overwhelming. Furthermore, both factors of the probability in Theorem 2 increase with n and , and so asymptotically speaking the situation only improves. 4 Here, the authors show that there exists a randomised polynomial-time algorithm solving the with success probability provided that the proportion of noise lies within a certain range. This demonstrates that Conjecture 1, precisely claiming the contrary, is false. Even more, the conjecture states that no such quantum algorithm exists and our algorithm solving the is purely classical. The algorithm that breaks Conjecture 1 combines both an exhaustive search and the algorithm solving from [10]. Given a degree-d instance of the , where , the intuitive idea of the algorithm is choosing n polynomials at random from and hoping that they happen to be non-noisy. If they are, the algorithm for the of Theorem 1 can be applied (at this point we want to stress out that the heuristic randomised polynomial-time algorithm solving a degree-d instance of presented in [10] also works if is not known). If the randomised algorithm for succeeds, the output is a solution for the , and if the algorithm for the fails, the authors repeat the process. The following result approximates the probability that n polynomials chosen at random from are non-noisy. Lemma 4.Given a degree-d instance of the , the probability of choosing n polynomials from (analogously from ) that are non-noisy is given by the quotient The asymptotic expression of the above probability, which the authors denote by , is as follows: Proof.We rely on the following asymptotic approximation of a binomial coefficient, which derives from Stirling's approximation where is the binary entropy. By means of these approximations, we get the expression above. □ As the algorithm solving is randomised, we also need to take into consideration its probability of success to determine the probability of success of the algorithm. The following result sums it up. Theorem 3.Given a degree-d instance of the , the algorithm runs in polynomial time and succeeds with probability Proof.Choosing n random polynomials from takes time, and so the running time of the algorithm is times the running time of the algorithm for , which was polynomial (Theorem 1). Concerning the probability, on the one hand, the probability that the n randomly chosen polynomials are non-noisy is , and on the other hand, the algorithm for works with probability . □ Finally, the authors prove that if the proportion of noise lies within a certain range, the algorithm succeeds with probability . Theorem 4.Let . Given a degree-d instance of the , the algorithm has an asymptotic probability of success for , Proof.Once a proportion of noise is fixed, the expression depends solely on n. Since the success probability of the algorithm is and considering that , the success probability of the algorithm is if and only if is , namely, if . Solving numerically the latter inequality, the authors obtain that this happens whenever , with . □ Remark 1.The success probability of our algorithm can be made any higher (e.g. ) at the expense of suitably reducing the width of the interval within which such success probability is reached. Remark 2.It is also easy to check that increasing (but fixed) values of give increasing values of the boundary; this fact justifies the choice of in the statement of Theorem 4. In particular, this theorem implies that, for , there is a non-quantum polynomial-time algorithm for the with a success probability that is, at least, , thus contradicting the conjecture of Aaronson–Christiano on the noisy version of their scheme. 5 Conclusions This work is concerned with the cryptanalysis of the noisy version of Aaronson–Christiano's public-key quantum money scheme from a non-quantum point of view. Our first contribution is an algorithm solving the with the constraint , where d is the degree of the instance of the problem. Our second contribution is an algorithm solving the that disproves the conjecture of Aaronson–Christiano for certain values of the noise. Along the present paper, the authors have presented a non-quantum algorithm that solves the in randomised polynomial-time when , thus achieving a total break of the noisy version of Aaronson–Christiano's scheme extended to fields under this requirement. They have also carried out several experiments (summarised in Tables 1 and 2), which clearly show that this algorithm is very efficient in practice and succeeds with overwhelming probability. Finally, the authors have presented a non-quantum randomised polynomial-time algorithm that solves the with probability for noise values within the interval where in the worst-case scenario and increases with an increase of . This way the authors disprove a conjecture that Aaronson and Christiano made for the noisy version of their quantum money scheme [9, Conjecture 32]. To the best of our knowledge, this is the first work that focuses on Aaronson–Christiano's noisy scheme from a purely classical (as opposed to quantum) perspective and achieves significant results regarding its cryptanalysis. 6 Acknowledgment This work has been partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under project COPCIS, reference TIN2017-84844-C2-1-R, and by Comunidad de Madrid (Spain) under project reference S2013/ICE-3095-CIBERDINE-CM, also co-funded by European Union FEDER funds. 7 References 1Wiesner, S.: 'Conjugate coding', ACM SIGACT News, 1983, 15, (1), pp. 78– 88 2Bennett, C.H., Brassard, G., Breidbard, S. et al: 'Quantum cryptography, or unforgeable subway tokens'. Advances in Cryptology (CRYPTO 1982), 1982, pp. 267– 275 3Gavinsky, D.: 'Quantum money with classical verification'. IEEE 27th Annual IEEE Conf. on Computational Complexity (CCC), 2012, pp. 42– 52, Also published in arXiv:1109.0372v2 4Mosca, M., Stebila, D.: 'Quantum coins', Error-Correcting Codes, Finite Geometry and Cryptography, 2010, 523, pp. 3– 47 5Aaronson, S.: 'Quantum copy-protection and quantum money'. IEEE 24th Annual IEEE Conf. on Computational Complexity (CCC), 2009, pp. 229– 242 6Lutomirski, A., Aaronson, S., Farhi, E. et al: 'Breaking and making quantum money: toward a new quantum cryptography protocol'. Innovations in Computer Science (ICS), 2010, pp. 20– 31 7Farhi, E., Gosset, D., Hassidim, A. et al: 'Quantum money from knots'. Innovations in Theoretical Computer Science (ITCS), 2012, pp. 276– 289 8Lutomirski, A.: ' Component mixers and a hardness result for counterfeiting quantum money', arXiv: 1107.0321, 2011 9Aaronson, S., Christiano, P.: 'Quantum money from hidden subspaces'. 44th Symp. on Theory of Computing Conf. (STOC), 2012, pp. 41– 60 10Conde Pena, M., Faugère, J.-C., Perret, L.: 'Algebraic cryptanalysis of a quantum money scheme: the noise-free case'. 18th IACR Int. Conf. on Practice and Theory in Public-Key Cryptography (PKC), 2015, pp. 194– 213 11Aaronson, S.: 'Public-key quantum money'. Lecture notes for the 28th McGill Invitational Workshop on Computational Complexity, 2016, pp. 81– 88, Also published in arXiv:1607.05256 12Ben-David, S., Sattath, O.: ' Quantum tokens for digital signatures', IACR Cryptology ePrint Archive, 2017. Available at http://eprint.iacr.org/2017/094 13Brent, R.P., McKay, B.D.: 'Determinants and rank of random matrices over ', Discrete Math.., 1987, 66, pp. 35– 50 14Faugère, J.C., Perret, L.: 'Polynomial equivalence problems: algorithmic and theoretical aspects'. Advances in Cryptology (EUROCRYPT 2006), 2006, pp. 30– 47 15Bosma, W., Cannon, J.J., Playoust, C.: 'The magma algebra system I: the user language', J. Symb. Comput., 1997, 24, (3–4), pp. 235– 265 Citing Literature Volume13, Issue4July 2019Pages 362-366 FiguresReferencesRelatedInformation
Referência(s)