Abstract
With the growing popularity of cryptocurrencies, interest in digital signatures is also on the rise. Researchers have been attempting since the 90s to enhance known signature schemes with new properties useful in specific cases. One such property of threshold schemes is non-interactivity: allowing a subset of a group of people to generate a signature without having to interact. A solution to the quest for non-interactivity is to divide the signature into two steps: the presigning (or offline) phase condenses most communication rounds and can be performed long before the signature is needed, while the signing (or online) phase takes only a single round and happens after the message is chosen. Most protocols however require that the subset of the signers be fixed before presigning, since they are the only ones who participate in it.
In this paper, we present a non-interactive threshold ECDSA protocol that removes the need for this assumption entirely and works for any number of participants and threshold value. The security of this scheme is proven in a simulation-based definition. To evaluate the performance of the protocol, it has been implemented in Rust and benchmarked.
Supported by IRT SystemX, Radboud University, and La Caisse des Dépôts.
Notes
- 1.
Commitment schemes can also involve trapdoor functions Equiv and values tk.
- 2.
We chose in this article to use the secret notations defined by [1]. These refer differently to a value u and its associated secret [u], whose value is unknown. This also allows us to differentiate between a share \(u_i\) of \([u]_n^t\) and the associated additive share \(u_{i,S}\) within the subset \(S\subset P\).
- 3.
The \(i \rightarrow j\) notation for shares and secret values is determined by who created them, in this case player \(P_i\).
References
Aumasson, J., Hamelink, A., Shlomovits, O.: A survey of ECDSA threshold signing. IACR Cryptol. ePrint Arch., 1390 (2020). https://eprint.iacr.org/2020/1390
Bao, F., Deng, R.H., Zhu, H.F.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39927-8_28
Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33
Boneh, D.: Digital signature standard. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd Ed, p. 347. Springer, Cham (2011). https://doi.org/10.1007/978-1-4419-5906-5_145
Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) CCS 2020: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, 9–13 November 2020, pp. 1769–1787. ACM (2020). https://doi.org/10.1145/3372297.3423367
Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergaard, M.B.: Fast threshold ECDSA with honest majority. J. Comput. Secur. 30(1), 167–196 (2022). https://doi.org/10.3233/JCS-200112
Damgård, I., Keller, M., Larraia, E., Miles, C., Smart, N.P.: Implementing AES via an actively/covertly secure dishonest-majority MPC protocol. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 241–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_14
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21–23 May 2018, San Francisco, California, USA, pp. 980–997. IEEE Computer Society (2018). https://doi.org/10.1109/SP.2018.00036
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: the multiparty case. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19–23, 2019, pp. 1051–1066. IEEE (2019). https://doi.org/10.1109/SP.2019.00024
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1179–1194. ACM (2018). https://doi.org/10.1145/3243734.3243859
Gennaro, R., Goldfeder, S.: One round threshold ECDSA with identifiable abort. IACR Cryptol. ePrint Arch., 540 (2020). https://eprint.iacr.org/2020/540
Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9
Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6
Komlo, C., Goldberg, I.: FROST: flexible round-optimized schnorr threshold signatures. In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 34–65. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_2
Kravitz, D.W.: Digital signature algorithm, US Patent 5,231,668 (1993)
Lindell, Y.: Fast secure two-party ECDSA signing. J. Cryptol. 34(4), 44 (2021). https://doi.org/10.1007/s00145-021-09409-9
Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1837–1854. ACM (2018). https://doi.org/10.1145/3243734.3243788
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Pettit, M.: Efficient threshold-optimal ECDSA. In: Conti, M., Stevens, M., Krenn, S. (eds.) CANS 2021. LNCS, vol. 13099, pp. 116–135. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92548-2_7
Poupard, G., Stern, J.: Short proofs of knowledge for factoring. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 147–166. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_11
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983). https://doi.org/10.1145/357980.358017
Schnorr, C.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). http://doi.acm.org/10.1145/359168.359176
Tymokhanov, D., Shlomovits, O.: Alpha-rays: key extraction attacks on threshold ECDSA implementations. IACR Cryptol. ePrint Arch., 1621 (2021). https://eprint.iacr.org/2021/1621
ZenGo X: Multi party ECDSA (2019). https://github.com/ZenGo-X/multi-party-ecdsa. Accessed 21 Dec 2021
Security Proof
Because our protocols are very similar, our proof is largely based on those presented in [12, 13]. We attempt to prove the following:
Theorem 1
Assuming that:
-
The strong RSA assumption holds;
-
\(\{\text {KG}, \text {Com}, \text {Ver}, \text {Equiv}\}\) is a non-malleable equivocable commitment scheme;
-
\(\mathscr {E}\) is a semantically secure encryption scheme
then our threshold DSA protocol is simulatable.
The key generation and presigning phases are performed by all the players, but the signing only involves \(P_1, \dots , P_{t+1}\). The ordering of the players has no effect on the protocol, provided that it remains constant.
We assume the existence of an adversary \(\mathcal {A}\) who controls players \(P_2, \dots , P_{t+1}\). The simulator \(\mathcal {S}\) plays the role of \(P_1\).
For simplicity’s sake, we focus on the case where there is only one honest player and \(n=t+1\). The proof is valid for any number of corrupted players up to the threshold t and does not differ if we add other honest players, so long as \(P_1\) is both a signer and takes part in the computing of R.
Because \(\mathcal {A}\) is a rushing adversary, the corrupted players will speak last in every round. \(\mathcal {A}\) will have the players generate a public/private key pair ([x], y) and will then ask the players to sign a certain number of messages \((m_1, \dots , m_l)\). Using the information gathered during those signings, \(\mathcal {A}\) then tries to forge a signature on a new message \(m \ne m_j\) for the public key y.
1.1 Key Generation
The key generation protocol we use is strictly identical to that of [12, 13]; we refer to their proof and only recall a shortened version of it here.
Simulation
-
\(P_1\) selects \(u_1 \in _R \mathbb {Z}_q\) and computes \([KGC_1, KGD_1]=\text {Com}(g^{u_1})\). He then broadcasts \(KGC_1\) as well as \(E_1\), his public key for Paillier’s cryptosystem.
-
\(\rightarrow \) \(\mathcal {A}\) broadcasts commitments \((KGC_i, E_i)\) for \(i>1\).
-
\(P_1\) broadcasts \(KGD_1\) (\(y_1\) is the decommitted value) and performs a Feldman-VSS with \(y_1\) as the free term in the exponent.
-
\(\rightarrow \) \(\mathcal {A}\) broadcasts commitments \(KGD_i\) for \(i>1\) (\(y_i\) is the decommitted value) and performs a Feldman-VSS with free term \(y_i\).
-
The simulator rewinds back to the decommitment step and changes \(P_1\)’s opening to \(\widehat{KGD_1}\) so that the decommitted value becomes \(\hat{y}_1 = y \cdot \prod _{i=2}^n y_i^{-1}\). He then simulates the Feldman-VSS with free term \(\hat{y}_1\).
-
\(\rightarrow \) \(\mathcal {A}\) broadcasts commitments \(\widehat{KGD_i}\) for \(i>1\). Let \(\hat{y}_i\) be the decommitted value, which can be \(\perp \) if \(\mathcal {A}\) chooses to abort.
-
The players compute \(\hat{y} = \prod _{i=1}^n \hat{y}_i\) (the product is set to \(\perp \) if any \(\hat{y}_i\) is set to \(\perp \)).
Lemma 1
The simulation is indistinguishable from the real protocol and it either outputs y or it aborts.
Proof
\(\text {Sim-Key-Gen}\) uses a simulated Feldman-VSS with free term \(\hat{y}_1\). This simulation is however identical to the real Feldman-VSS in its distribution. The simulation is therefore indistinguishable from the real protocol. Because of the rewinding step, it will always either abort (output \(\perp \)) or output a valid y. Details of the proof are given by [12]. \(\square \)
1.2 Protocol
Now that a key has been generated, \(\mathcal {A}\) will ask the players to sign a certain number of messages.
\(\mathcal {S}\) must simulate the threshold signature protocol while still playing as \(P_1\): on input R it simulates the presigning (or offline phase, Sect. 3.2), on input the signature (r, s) it simulates the signing (or online phase, Sect. 3.3).
Note that \(\mathcal {S}\) does not have access to the private state of \(P_1\): it does not know \(P_1\)’s share \(x_1\) of the secret key [x] nor the private key associated to \(P_1\)’s public key \(E_1\).
Presignature Simulation
-
Step 1. The generation of k is identical to that of x. Recall that R is given as an input and that \(R=g^{(k^{-1})}\). \(\mathcal {S}\) does not know k or \(g^k\) and is unable to force the group to generate the right value k.
\(P_1\) proceeds as he did during the Key Generation simulation without the rewinding step. The random secret generated by the group is \(k'\). The values \(g^{k'}\) and \(g^{k_i}\) are public. As before, \(P_1\) does not know its own share \(k_1\).
-
Step 2. \(\mathcal {S}\) must simulate the sharing of [kx] without knowing either \(k_1\) or \(x_1\). \(P_1\) chooses new random values for \(\hat{k}_1\) and \(\hat{x}_1\) to participate in the MtAwc protocol. He also generates the local Shamir secrets \([u_1]\) and \([v_1]\) of shares \((u_{1\rightarrow j})\) and \((v_{1\rightarrow j})\).
-
\(\underline{\text {Initiator for } k_1 \text { and } x_j.}\) \(\mathcal {S}\) does not know \(k_1\). \(P_1\) participates using his random value \(\hat{k}_1\). It must simulate the ZK proof of consistency between \(E_1(\hat{k}_1)\) and \(g^{k_1}\). \(\mathcal {S}\) is unable to decrypt \(c_{j\rightarrow 1}\). It extracts \(P_j\)’s shares \(x_j\) and \(u_{j\rightarrow 1}\) from the ZK proofs and computes \(a_{1\rightarrow j} = \hat{k}_1 x_j + u_{j\rightarrow 1} + v_{1\rightarrow j}\) before broadcasting it.
-
\(\underline{\text {Respondent for } k_j \text { and } x_1.}\) Similarly, \(\mathcal {S}\) does not know \(x_1\). \(P_1\) participates using his random value \(\hat{x}_1\). It must simulate the ZK proof of consistency with \(g^{x_1}\). \(\mathcal {S}\) knows \(u_{1\rightarrow j}\) and can extract the value \(k_j\) from the range proof. Once \(P_j\) broadcasts \(a_{j\rightarrow 1}\), \(\mathcal {S}\) can compute \(v_{j\rightarrow 1} = a_{j\rightarrow 1} - (k_j \hat{x}_1 + u_{1\rightarrow j})\).
-
Finally, \(\mathcal {S}\) broadcasts \(a_{1\rightarrow 1} = \hat{x}_1 \hat{k}_1 + u_{1\rightarrow 1} + v_{1\rightarrow 1}\) and the other players broadcast \(a_{j\rightarrow j}\). \(\mathcal {S}\) can compute \((u_{j\rightarrow j} + v_{j\rightarrow j}) = a_{j\rightarrow j} - x_j k_j\).
Using the broadcast values, \(\mathcal {S}\) can also compute \((u_{j\rightarrow i} + v_{i\rightarrow j}) = a_{i\rightarrow j} - k_i x_j\). Note that \(\mathcal {S}\) cannot be sure that the values \((a_{j\rightarrow \cdot })\) published by the other players are consistent and define a valid Shamir secret, but this is fine since we do not try to achieve robustness. If \(\mathcal {A}\) misbehaves, the protocol will abort.
-
Step 3. Because we only consider the case \(n=t+1\), \(P_1\) must participate in the computing of R. \(\mathcal {S}\) can therefore ensure that the group will end up with the value of R given as input.
\(P_1\) chooses his share \(\gamma _1\) normally. All players broadcast \(C_i\). They then calculate their local share \(k_{i,S}\) to participate in the MtA protocol (\(S'=S=P\) in this situation).
-
\(\underline{\text {Initiator for } k_{1,S} \text { and } \gamma _j.}\) \(\mathcal {S}\) does not know \(k_{1,S}\); it uses \(\hat{k}_{1,S}\), calculated from its previously chosen random share. It is consistent with the share used previously since \(E_1(\hat{k}_{1,S}) = \lambda _{1,S} \times _E E_1(\hat{k}_1)\).
\(\mathcal {S}\) is unable to decrypt \(\alpha _{1\rightarrow j}\). It can extract \(P_j\)’s shares \(\gamma _j\) and \(\beta _{j\rightarrow 1}\) from the ZK range proof and computes \(\alpha _{1\rightarrow j} = \gamma _j \hat{k}_{1,S} - \beta _{j\rightarrow 1}\).
-
\(\underline{\text {Respondent for } k_{j,S} \text { and } \gamma _1.}\) \(\mathcal {S}\) has \(P_1\) execute the protocol correctly and already knows \(k_{j,S}\).
Since \(\mathcal {S}\) knows \(\beta _{1\rightarrow j}\), it computes \(\alpha _{j\rightarrow 1} = \gamma _1 k_{j,S} - \beta _{1\rightarrow j}\).
The group can now calculate R. This is done in a series of steps:
-
They first have to compute \(\delta \). \(P_1\) broadcasts:
$$ \hat{\delta }_1 = \hat{k}_{1,S} \gamma _1 + \sum _{j > 1}(\alpha _{1\rightarrow j} + \beta _{1\rightarrow j}) \mod q $$
The other players then broadcast their share:
$$ \delta _i=k_{i,S} \gamma _i + \sum _{j\ne i}(\alpha _{i\rightarrow j} + \beta _{i\rightarrow j}) \mod q $$
The players can compute \(\hat{\delta } = \hat{\delta }_1 + \sum _{j > 1}\delta _j = \hat{k} \gamma \).
-
The players then broadcast the values \(D_i\) to decommit \(\varGamma _i\) and compute \(\varGamma \).
-
At this point, \(\mathcal {S}\) can verify that the shares published by the adversary up to this point are coherent by making sure that
The simulation branches into two versions depending on whether this assertion is true (semi-correct execution) or false (non semi-correct execution):
-
Semi-correct execution. \(\mathcal {S}\) knows all the values \(\gamma _i\). It rewinds to just before the decommitment step and has \(P_1\) broadcast a simulated opening \(\widehat{D_1}\) such that the decommitted value is:
$$ \widehat{\varGamma }_1 = R^{\hat{\delta }} \prod _{i>1}\varGamma _i^{-1} $$
The other players broadcast \(D_i\) to decommit \(\varGamma _i\). The players compute
$$ \widehat{\varGamma }=\widehat{\varGamma }_1 \prod _{i>1}\varGamma _i \text { and } R=\varGamma ^{\hat{\delta }^{-1}} $$
Finally, \(P_1\) broadcasts \(\widehat{\varLambda }_1 = g^{\hat{\delta }} \prod _{i>1}\varGamma ^{k_{i,S}}\) with a simulated ZK proof of consistency with \(E_1(\hat{k}_{1,S})\) published during the MtA. The other players broadcast \(\varLambda _i = \varGamma ^{k_{i,S}}\). They can all verify that:
$$ \widehat{\varLambda } = \widehat{\varLambda }_1 \prod _{i>1}\varLambda _i {\mathop {=}\limits ^{?}} g^{\hat{\delta }} $$
-
Non semi-correct execution. \(P_1\) broadcasts \(\varLambda _1 = \varGamma ^{\hat{k}_{1,S}}\) with the correct ZK proof of consistency with \(E_1(\hat{k}_{1,S})\). Since we know Assertion 1 failed, one of \(\mathcal {A}\)’s ZK proofs is sure to fail and the protocol will abort.
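The algebra of Step 3 can be checked numerically. The following Python sketch is an added example, not code from the paper or its Rust implementation: it recomputes \(\delta = k\gamma\) from the MtA shares, derives \(R\) and \(\varLambda\), then reproduces the simulator's rewound opening \(\widehat{\varGamma }_1\), with the same helper also covering the key generation opening \(\hat{y}_1 = y \cdot \prod y_i^{-1}\). The toy group, the idealised MtA (no Paillier encryption or ZK proofs) and all function names are assumptions made for illustration.

```python
import random

# Constructed toy group (far too small to be secure): order-Q subgroup of Z_P^*.
Q = 1019            # prime group order, plays the role of q
P = 2 * Q + 1       # 2039, also prime
G = 4               # generator of the order-Q subgroup

def prod(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def delta_shares(k, gamma, seed=0):
    """delta_i = k_i*gamma_i + sum_{j != i}(alpha_{i->j} + beta_{i->j}) mod q.

    Idealised MtA (assumption): it only guarantees
    alpha_{i->j} + beta_{j->i} = k_i * gamma_j mod q.
    """
    rng = random.Random(seed)
    n = len(k)
    alpha = [[0] * n for _ in range(n)]
    beta = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i != j:
                beta[j][i] = rng.randrange(Q)                     # chosen by P_j
                alpha[i][j] = (k[i] * gamma[j] - beta[j][i]) % Q  # learned by P_i
    return [(k[i] * gamma[i]
             + sum(alpha[i][j] + beta[i][j] for j in range(n) if j != i)) % Q
            for i in range(n)]

def honest_run(k, gamma, seed=0):
    """Real protocol: returns (R, delta, Lambda). Needs delta != 0 mod q."""
    delta = sum(delta_shares(k, gamma, seed)) % Q        # equals k * gamma
    Gamma = prod(pow(G, g_i, P) for g_i in gamma)        # g^gamma
    R = pow(Gamma, pow(delta, -1, Q), P)                 # g^(k^-1)
    Lambda = prod(pow(Gamma, k_i, P) for k_i in k)       # must equal g^delta
    return R, delta, Lambda

def equivocate(target, others):
    """Value P_1's rewound opening must decommit to so the product hits target."""
    return target * pow(prod(others), -1, P) % P

def simulated_R(R_target, delta_hat, adversary_Gammas):
    """Semi-correct branch: S forces the group output to R_target."""
    Gamma1_hat = equivocate(pow(R_target, delta_hat, P), adversary_Gammas)
    Gamma_hat = Gamma1_hat * prod(adversary_Gammas) % P  # = R_target^delta_hat
    return pow(Gamma_hat, pow(delta_hat, -1, Q), P)

if __name__ == "__main__":
    gamma = [3, 13, 17]                                  # constructed shares
    R, delta, Lambda = honest_run([5, 7, 11], gamma)
    assert Lambda == pow(G, delta, P)
    # S does not know k_1 = 5; it runs with a random stand-in k_hat_1 = 200.
    delta_hat = sum(delta_shares([200, 7, 11], gamma, seed=1)) % Q
    forced = simulated_R(R, delta_hat, [pow(G, g, P) for g in gamma[1:]])
    print("target R:", R, "simulated R:", forced)
```

Whatever stand-in share the simulator uses, the group output equals the target \(R\) as long as \(\hat{\delta } \ne 0\).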
Signature Simulation. Here, \(\mathcal {S}\) receives the correct signature (r, s) as input, where \(r=H'(R)\). Here the simulator also knows the subset since \(S=P\). In a situation where it isn’t known in advance, the simulator can just reveal an incorrect \(s_1\), wait for the other signers to reveal themselves, and rewind up to before having sent his share.
Let \(s_\mathcal {A}\) be the sum of the other players’ shares and of the public values:
\(\mathcal {S}\) already knows the public values \((a_{i\rightarrow j, S})\) and the private shares \((k_{i,S})\). The simulator also knows \((u_{j\rightarrow 1})\), \((v_{j\rightarrow 1})\) and \((u_{j\rightarrow i} + v_{i\rightarrow j})\) for \(i,j > 1\). It can therefore calculate the sum of the local Shamir secrets:
\(\mathcal {S}\) broadcasts his share of the signature \(s_1 = s - s_\mathcal {A}\). The other players broadcast their share \(s_i\) and the group can verify that (r, s) is a valid signature. If not, the protocol aborts.
Lemma 2
Assuming that:
-
The strong RSA assumption holds;
-
\(\{\text {KG}, \text {Com}, \text {Ver}, \text {Equiv}\}\) is a non-malleable equivocable commitment scheme;
-
\(\mathscr {E}\) is a semantically secure encryption scheme
then the simulation of the protocol without roll call has the following properties:
- 1.
It is computationally indistinguishable from a real execution;
- 2.
On input m, it either outputs a valid signature (r, s) or it aborts.
Proof
Semi-correct execution. The only way that \(\mathcal {A}\) could differentiate between a real execution and a simulated one would be to verify whether \(P_1\) is using the right values \(x_1\) and \(k_1\). Recall that the values \(g^{x_1}\) and \(g^{k_1}\) are public.
In the real protocol, \(R=g^{(k^{-1})}\) and the “public key” published during the generation of k is \(g^k\). In the simulation, \(R=g^{(k^{-1})}\) is given as input thereby indirectly fixing the value of k while the public key published by the group is \(g^{k'}\). This is computationally indistinguishable assuming inverse-DDH.
In the MtA protocols, \(P_1\) publishes \(E_1(\hat{k}_1)\) and \(E_1(\hat{k}_{1,S})=\lambda _{1,S} E_1(\hat{k}_1)\). Since \(\mathcal {S}\) simulates the ZK proofs, these do not give any more information. Distinguishing between the real value and the simulated one is infeasible under the semantic security of the encryption scheme.
At the end of the modified MtA, we make the values \(a_{i\rightarrow j} = k_i x_j + u_{j\rightarrow i} + v_{i\rightarrow j}\) public. The adversary could try to extract \(k_1\) or \(x_1\). However, it does not know \(u_{1\rightarrow j}\) and \(v_{1\rightarrow j}\). \(\mathcal {A}\) could try to verify the consistency of \(g^{a_{i\rightarrow j}}\), but it does not know \(g^{u_{1\rightarrow j}}\) nor \(g^{v_{1\rightarrow j}}\).
The adversary could also decide to use inconsistent values \(u_{i\rightarrow j}\) and \(v_{i\rightarrow j}\) that do not define a functional Shamir secret. This is akin to \(\mathcal {A}\) publishing the wrong values of \(s_i\), using the wrong \(\sigma _i\) in the previous protocol. Eq. 2 used by \(P_1\) to generate \(s_1\) would be null and the produced signature would be invalid. The protocol aborts during the last verification step.
During signing, we know that the shares \(k_i\) used by the adversary are correct and (r, s) is a correct signature of m by y. Therefore, the share \(s_1\) is consistent with a correct share for \(P_1\). If the protocol terminates, it outputs (r, s).
Non semi-correct execution. If the adversary misbehaves during the presignature, the execution is non semi-correct. Both the protocol and the simulation will abort when one of the ZK proofs published by \(\mathcal {A}\) fails.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Bouez, A., Singh, K. (2023). One Round Threshold ECDSA Without Roll Call. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_15
DOI: https://doi.org/10.1007/978-3-031-30872-7_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30871-0
Online ISBN: 978-3-031-30872-7
eBook Packages: Computer Science (R0)