International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

01 October 2025

Virtual event, Anywhere on Earth, 23 March - 26 March 2026
Event Calendar Event Calendar
Event date: 23 March to 26 March 2026
Submission deadline: 24 October 2025
Notification: 3 December 2025
Expand
University of Klagenfurt
Job Posting Job Posting
Please use this link: https://jobs.aau.at/en/job/university-assistant-predoctoral-and-project-researcher-all-genders-welcome-2/ Level of employment: 100 % (40 hours/week) Minimum salary: € 52,007.20 per annum (gross); classification according to collective agreement: B1 Limited to: 4 years Application deadline: November 5, 2025 Reference code: 702-1/24

Closing date for applications:

Contact: Prof. Gerhard Friedrich, University of Klagenfurt

More information: https://jobs.aau.at/en/job/university-assistant-predoctoral-and-project-researcher-all-genders-welcome-2/

Expand

30 September 2025

Mingshu Cong, Tsz Hon Yuen, Siu-Ming Yiu
ePrint Report ePrint Report
We present DualMatrix, a zkSNARK solution for large-scale matrix multiplication. Classical zkSNARK protocols typically underperform in data analytic contexts, hampered by the large size of datasets and the superlinear nature of matrix multiplication. DualMatrix excels in its scalability. The prover time of DualMatrix scales linearly with respect to the number of non-zero elements in the input matrices. For $n \times n$ matrix multiplication with $N$ non-zero elements across three input matrices, DualMatrix employs a structured reference string (SRS) of size $O(n)$, and achieves RAM usage of $O(N+n)$, transcript size of $O(\log n)$, prover time of $O(N+n)$, and verifier time of $O(\log n)$. The prover time, notably at $O(N+n)$ and surpassing all existing protocols, includes $O(N+n)$ field multiplications and $O(n)$ exponentiations and pairings within bilinear groups. These efficiencies make DualMatrix effective for linear algebra on large matrices common in real-world applications. We evaluated DualMatrix with $2^{15} \times 2^{15}$ input matrices each containing $1G$ non-zero integers, which necessitate $32T$ integer multiplications in naive matrix multiplication. DualMatrix recorded prover and verifier times of $150.84$s and $0.56$s, respectively. When applied to $1M \times 1M$ sparse matrices each containing $1G$ non-zero integers, it demonstrated prover and verifier times of $1,384.45$s and $0.67$s. Our approach outperforms current zkSNARK solutions by successfully handling the large matrix multiplication task in experiment. We extend matrix operations from field matrices to group matrices, formalizing group matrix algebra. This mathematical advancement brings notable symmetries beneficial for high-dimensional elliptic curve cryptography. By leveraging the bilinear properties of our group matrix algebra in the context of the two-tier commitment scheme, DualMatrix achieves efficiency gains over previous matrix multiplication arguments. To accomplish this, we extend and enhance Bulletproofs to construct an inner product argument featuring a transparent setup and logarithmic verifier time.
Expand
Zhuo Wu, Xinxuan Zhang, Yi Deng, Yuanju Wei, Zhongliang Zhang, Liuyu Yang
ePrint Report ePrint Report
This paper introduces the first multilinear polynomial commitment scheme (PCS) over Galois rings achieving $\bigO{\log^2 n}$ verification cost. It achieves $\bigO{n\log n}$ committing time and $\bigO{n}$ evaluation opening prover time. This PCS can be used to construct zero-knowledge proofs for arithmetic circuits over Galois rings, facilitating verifiable computation in applications requiring proofs of polynomial ring operations (e.g., verifiable fully homomorphic encryption). First we construct random foldable linear codes over Galois rings with sufficient code distance and present a distance preservation theorem over Galois rings. Second we extend the $\textsf{Basefold}$ commitment (Zeilberger et al., Crypto 2024) to multilinear polynomials over Galois rings. Our approach reduces proof size and verifier time from $\bigO{\sqrt{n}}$ to $\bigO{\log^2 n}$ compared to Wei et al., PKC 2025. Furthermore, we give a batched multipoint openning protocol for evaluation phase that collapses the proof size and verifier time of $N$ polynomials at $M$ points from $\bigO{NM \log^2 n}$ to $\bigO{\log^2 n}$, prover time from $\bigO{NMn}$ to $\bigO{n}$, further enhancing efficiency.
Expand
Marc Damie, Florian Hahn, Andreas Peter, Jan Ramon
ePrint Report ePrint Report
Distributed Point Functions (DPFs) enable sharing secret point functions across multiple parties, supporting privacy-preserving technologies such as Private Information Retrieval, and anonymous communications. While 2-party PRG-based schemes with logarithmic key sizes have been known for a decade, extending these solutions to multi-party settings has proven challenging. In particular, PRG-based multi-party DPFs have historically struggled with practicality due to key sizes growing exponentially with the number of parties and the field size.

Our work addresses this efficiency bottleneck by optimizing the PRG-based multi-party DPF scheme of Boyle et al. (EUROCRYPT'15). By leveraging the honest-majority assumption, we eliminate the exponential factor present in this scheme. Our construction is the first PRG-based multi-party DPF scheme with practical key sizes, and provides key up to $3\times$ smaller than the best known multi-party DPF. This work demonstrates that with careful optimization, PRG-based multi-party DPFs can achieve practical performances, and even obtain top performances.
Expand
Jeffrey Champion, Fuyuki Kitagawa, Ryo Nishimaki, Takashi Yamakawa
ePrint Report ePrint Report
We initiate the study of untelegraphable encryption (UTE), founded on the no-telegraphing principle, which allows an encryptor to encrypt a message such that a binary string representation of the ciphertext cannot be decrypted by a user with the secret key, a task that is classically impossible. This is a natural relaxation of unclonable encryption (UE), inspired by the recent work of Nehoran and Zhandry (ITCS 2024), who showed a computational separation between the no-cloning and no-telegraphing principles.

In this work, we define and construct UTE information-theoretically in the plain model. Building off this, we give several applications of UTE and study the interplay of UTE with UE and well-studied tasks in quantum state learning, yielding the following contributions:

- A construction of collusion-resistant UTE from standard secret-key encryption (SKE). We additionally show that hyper-efficient shadow tomography (HEST) is impossible assuming collusion-resistant UTE exists. By considering a relaxation of collusion-resistant UTE, we are able to show the impossibility of HEST assuming only pseudorandom state generators (which may not imply one-way functions). This almost unconditionally answers an open inquiry of Aaronson (STOC 2018).

- A construction of UTE from a quasi-polynomially secure one-shot message authentication code (OSMAC) in the classical oracle model, such that there is an explicit attack that breaks UE security for an unbounded polynomial number of decryptors.

- A construction of everlasting secure collusion-resistant UTE, where the decryptor adversary can run in unbounded time, in the quantum random oracle model (QROM), and formal evidence that a construction in the plain model is a challenging task. We additionally show that HEST with unbounded post-processing time (which we call weakly-efficient shadow tomography) is impossible assuming everlasting secure collusion-resistant UTE exists. - A construction of secret sharing for all polynomial-size policies that is resilient to joint and unbounded classical leakage from collusion-resistant UTE and classical secret sharing for all policies. - A construction (and definition) of collusion-resistant untelegraphable secret-key functional encryption (UTSKFE) from single-decryptor functional encryption and plain secret-key functional encryption, and a construction of collusion-resistant untelegraphable public-key functional encryption from UTSKFE, plain SKE, and plain public-key functional encryption.
Expand
Marcin Kostrzewa, Matthew Klein, Ara Adkins, Grzegorz Świrski, Wojciech Żmuda
ePrint Report ePrint Report
Keccak, the hash function at the core of the Ethereum ecosystem, is computationally expensive to reason about in SNARK circuits, creating a critical bottleneck in the ability of the ZK ecosystem to reason about blockchain state. The recent state-of-the-art in proving Keccak permutations relies on proof systems that can perform lookup arguments, which—while exhibiting better performance than directly proving the hash operations in circuit—still typically require tens of thousands of constraints to prove a single keccak-f permutation. This paper introduces a new method, termed keccacheck, which builds upon sum-check with influence from GKR to create circuits that can batch-verify Keccak permutations with fewer than 4000 constraints per instance. Keccacheck achieves this by exploiting the logarithmic scaling of recursive verification of the sum-check protocol, reducing the computational cost of verifying large enough batches to be only slightly higher than evaluating the multilinear extension of the input and output states. Its performance becomes competitive for a batch containing 16 permutations and offers more than a 10x cost reduction for batches of 512 or more permutations. This approach enables new levels of efficiency for the ZK ecosystem, providing the performant storage proofs that are essential to light clients, cross-chain bridges, privacy-focused protocols, and roll-ups.
Expand

29 September 2025

Jonas Bertels, Ingrid Verbauwhede
ePrint Report ePrint Report
NIST recently selected Kyber as a standard for key encapsulation and decapsulation. As such, servers will soon need dedicated hardware for these encapsulation protocols. The computationally critical operation of Kyber is its Number Theoretic Transform, which is commonly accelerated by dedicated hardware such as FPGAs. This work presents an extremely high-throughput design for the Kyber NTT. By utilizing the LUT-based modular multiplication technique used by us in CHES 2025, its area delay product is generally between one and two orders of magnitude better than similar designs in literature. For instance, where Yaman et al. with 16 Processing Elements requires 9500 LUTs and 16 DSPs to perform an NTT in 69 clock cycles, our design requires 67210 LUTs and no DSPs to perform an NTT every clock cycle.
Expand
Pedro Branco, Giulio Malavolta
ePrint Report ePrint Report
A threshold signature allows one to delegate its signing rights to $n$ parties, such that any subset of size $t$ can sign a message on their behalf. In this work, we show how to construct threshold signatures for any $t$ and $n$ from one way functions, thus establishing the latter as a necessary and sufficient computational assumption. Our protocol makes non-black box use of one-way functions, and can be generalized to other access structures, such as monotone policies.
Expand
Geng Wang, Ruoyi Kong, Dawu Gu
ePrint Report ePrint Report
Quadratic functional encryption (QFE for short) is a cryptographic primitive which can output the value of a quadratic function between two vectors, without leaking other information on the plaintext vectors. Since the first breakthrough of Baltico et al. (Crypto 2017), there are already many constructions for QFE from bilinear groups. However, constructing more efficient QFE schemes and proving their security has always been a challenging task. While generic bilinear group model (GBGM for short) can be used to construct highly efficient QFE schemes and proving their security, obtaining a security proof under GBGM is difficult and may contain undiscovered mistakes. In this paper, we solve this problem by presenting new techniques which finally lead to an automated proof tool for QFE schemes, and can also be used to find potential attacks. Our automated proof tool shows that the RPB+19 scheme (Riffel et al, NIPS'19) which is the most efficient QFE scheme in the literature and already used in several works, is in fact insecure, and also gives an attack for the scheme. Finally, we present two new QFE schemes, each shares same efficiency with the RPB+19 scheme from one aspect, and prove their security using our automated proof tool. Our new schemes are more efficient than all existing QFE schemes other than the RPB+19 scheme, which means that they are most efficient among all existing ``secure'' QFE schemes.
Expand
Chris Peikert, Zachary Pepin
ePrint Report ePrint Report
The vast majority of work on the efficiency of lattice-based cryptography, including fully homomorphic encryption~(FHE), has relied on *cyclotomic* number fields and rings. This is because cyclotomics offer a wide variety of benefits, including good geometrical properties, fast ring arithmetic, and rich homomorphic operations like vectorized (SIMD) operations on "packed" plaintexts, automorphisms, and ring-switching. However, selecting a suitable cyclotomic that has the desired number and type of plaintext "slots," while also balancing security and efficiency, is a highly constrained problem that often lacks an ideal solution, resulting in wasted SIMD capacity and lost efficiency.

This work provides a suite of tools for instantiating ring-based lattice cryptography to work over *subfields* of cyclotomics, which provide more flexibility and better-fitting parameters for applications. A particular focus is on realizing FHE with *optimal plaintext packing* and homomorphic SIMD parallelism for *any* plaintext characteristic, along with efficient *packed bootstrapping* that fully exploits this parallelism.

Toward this end, this (two-part) work makes the following main technical contributions, all of which are catalyzed by Galois theory:

-- For sampling and decoding errors in encryption and decryption (respectively), we construct geometrically short, structured bases for the number rings of arbitrary subfields of prime-power cyclotomics (and hence their composites as well).

-- For fast ring arithmetic, we define and establish analogous structural properties for Chinese Remainder Theorem (CRT) bases in *abelian* number rings, and give specialized fast transforms that map between CRT bases and any similarly structured bases.

-- For packed bootstrapping and homomorphic linear algebra, we give a general framework for *homomorphic evaluation of structured linear transforms* in abelian number rings, and show that CRT transforms can be evaluated using relatively few homomorphic operations.
Expand

26 September 2025

Leiden University, LIACS ; Leiden, The Netherlands
Job Posting Job Posting
We are looking for a PhD student to work on Cryptographic Hardware and Design Automation. The project is oriented towards the development of a domain-specific design automation framework for cryptographic hardware. Your work will focus on identifying the mathematical knowledge and properties to guide hardware optimizations tailored to different environments. The optimizations range from algebraic optimizations (e.g., term rewriting) to algorithmic optimizations (e.g., group level algorithms), and to hardware optimizations (e.g., automated pipelining).

Closing date for applications:

Contact: Nusa Zidaric

More information: https://www.universiteitleiden.nl/en/vacancies/2025/q3/16010-phd-candidate-cryptographic-hardware-and-design-automation

Expand
TU Wien, Vienna
Job Posting Job Posting
TU Wien is Austria's largest institution of research and higher education in the fields of technology and natural sciences. At the Institute of Logic and Computation, in the Research Unit of Privacy Enhancing Technologies at TU Wien is offering a 40 hours/week position as university assistant (prae-doc) limited to expected 4 years. Expected start: November 2025.

Tasks:
- Research in the area of privacy enhancing technologies,
- cryptocurrencies, and (applied) cryptography
- proof systems
- Teaching tasks (exercises and exams), student guidance
- Assistance with thesis supervision
- Scientific publishing (journal and conference papers, dissertation)
Participation in scientific events
Assistance with organizational and administrative tasks


Your profile:
Master or diploma degree in computer science, math, or similar fields Knowledge of privacy-enhancing technologies, such as cryptography, differential privacy, and related areas Very good skills in spoken and written English Interest in academic research and teaching Advanced problem solving skills and scientific curiosity Team player with very good communication skills Very good skills in English communication and writing. Knowledge of German (level B2) or willingness to learn it

We offer:
A highly visible and connected international research group A broad range of opportunities in a thriving research area A range of attractive social benefits (see [Fringe-Benefit Catalogue of TU Wien](https://url.tuwien.at/cfjyv)) Internal and external training opportunities, various career options Central location of workplace as well as good accessibility (U1/U4 Karlsplatz)

!!!! Applications only via the website are considered!!!
https://jobs.tuwien.ac.at/Job/258176

Closing date for applications:

Contact: Univ.-Prof. Dr. Dominique Schröder

More information: http://pets.wien

Expand
Helger Lipmaa
ePrint Report ePrint Report
Solving a long-standing open problem, Faonio, Fiore, and Russo proved that the widely used Plonk zk-SNARK is simulation extractable. However, their proof assumes both the random oracle model (ROM) and the algebraic group model. We prove that the same holds in the ROM under falsifiable assumptions. We combine the template of Faust et al., who proved that simulation extractability follows from knowledge soundness, (weak) unique response, and trapdoorless zero-knowledge, with the recent result of Lipmaa, Parisella, and Siim (Crypto 2025), who proved that Plonk has knowledge soundness in the ROM under falsifiable assumptions. For this, we prove that Plonk satisfies new variants of the weak unique response and trapdoorless zero-knowledge properties. We prove that several commonly used gadgets, like the linearization trick, are not trapdoorless zero-knowledge when considered as independent commit-and-prove zk-SNARKs.
Expand
Keitaro Hashimoto, Shuichi Katsumata, Guilhem Niot, Thom Wiggers
ePrint Report ePrint Report
WireGuard is a VPN based on the Noise protocol, known for its high performance, small code base, and unique security features. Recently, Hülsing et al. (IEEE S&P'21) presented post-quantum (PQ) WireGuard, replacing the Diffie-Hellman (DH) key exchange underlying the Noise protocol with key-encapsulation mechanisms (KEMs). Since WireGuard requires the handshake message to fit in one UDP packet of size roughly 1200 B, they combined Classic McEliece and a modified variant of Saber. However, as Classic McEliece public keys are notoriously large, this comes at the cost of severely increasing the server's memory requirement. This hinders deployment, especially in environments with constraints on memory (allocation), such as a kernel-level implementations.

In this work, we revisit PQ WireGuard and improve it on three fronts: design, (computational) security, and efficiency. As KEMs are semantically, but not syntactically, the same as DH key exchange, there are many (in hindsight) ad-hoc design choices being made, further amplified by the recent finding on the binding issues with PQ KEMs (Cremers et al., CCS'24). We redesign PQ WireGuard addressing these issues, and prove it secure in a new computational model by fixing and capturing new security features that were not modeled by Hülsing et al. We further propose 'reinforced KEM' (RKEM) as a natural building block for key exchange protocols, enabling a PQ WireGuard construction where the server no longer needs to store Classical McEliece keys, reducing public key memory by 190 to 390×. In essence, we construct a RKEM named 'Rebar' to compress two ML-KEM-like ciphertexts which may be of an independent interest.
Expand
Vasyl Ustimenko, Tymoteusz Chojecki
ePrint Report ePrint Report
We suggest post quantum secure protocol based on pseudorandom walk on infinite q-regular forest D(q) where q = 2^m, m > 1. Correspondents share positive integer n, pseudorandom tuple from (Fq) ^n and two pseudorandom input words in the alphabet F_q of length O(1). They use the group of cubic multivariate transformations of the vector space of points of D(q) induced by walks on the forest of even length as the platform for the implementation of modified Twisted Diffie-Hellman protocol of Noncommutative Cryptography based on the complexity of the Conjugacy Power Problem. The output of the protocol is a vector from (F_q)^n. In fact the action of the group on the partition set of the bipartite homomorphic image D(n, q) of the forest is used. Correspondents elaborate the collision vector in time O(n^2) in the case when the length of input words is O(1) and the size of private integer parameters is O(n). If length of the input words is also O(n) then the complexity of protocol will be O(n^3). We suggest also the obfuscation of the scheme with hidden graph of the 1complexity O(n^5) for which the output of the algorithm is a symbolic cubic transformation F of (Fq)^n. It can be used symbiotically with the symmetric encryption via the adding to the ciphertext from (F_q)^n the vector F(b_1, b_2, . . . , b_n) where the tuple (b_1, b_2, . . . , b_n) of pseudorandom nature is known publicly.
Expand
Marco Benedetti, Andrej Bogdanov, Enrico M. Malatesta, Marc Mézard, Gianmarco Perrupato, Alon Rosen, Nikolaj I. Schwartzbach, Riccardo Zecchina
ePrint Report ePrint Report
When neural networks are trained to classify a dataset, one finds a set of weights from which the network produces a label for each data point. We study the algorithmic complexity of finding a collision in a single-layer neural net, where a collision is defined as two distinct sets of weights that assign the same labels to all data. For binary perceptrons with oscillating activation functions, we establish the emergence of an overlap gap property in the space of collisions. This is a topological property believed to be a barrier to the performance of efficient algorithms. The hardness is supported by numerical experiments using approximate message passing algorithms, for which the algorithms stop working well below the value predicted by our analysis. Neural networks provide a new category of candidate collision resistant functions, which for some parameter setting depart from constructions based on lattices. Beyond relevance to cryptography, our work uncovers new forms of computational hardness emerging in large neural networks which may be of independent interest.
Expand
Hugo Beguinet, Céline Chevalier, Guirec Lebrun, Thomas Legavre, Thomas Ricosset, Maxime Roméas, Éric Sageloli
ePrint Report ePrint Report
Bandwidth remains a major bottleneck for post-quantum cryptography, especially in authenticated key exchange (AKE). We propose DAKE, a bandwidth-efficient AKE protocol built from double-KEM constructions. DAKE comes in two main versions, achieving weak and full perfect forward secrecy, and admits two further variants: a unilateral version, and one where a signature replaces a KEM on one side. DAKE is proven secure in the standard model under strong variants of the extended Canetti--Krawczyk framework, namely eCKw and eCK-PFS.

At the heart of DAKE lies the double-KEM, a primitive that encapsulates one key under two public keys. To broaden the range of double-KEMs compatible with DAKE, we introduce the chosen-key Fujisaki--Okamoto transform (CK-FO), which upgrades IND-CPA security to IND-CCA and one-sided chosen-key security, proven in the QROM.

As a concrete instantiation, we present Maul, a compact double-KEM derived from ML-KEM and based on the Hint-MLWE assumption. Maul reuses ciphertext components to cut size by up to 40\% compared to two parallel ML-KEMs, while achieving the left-sided chosen-key IND-CCA security required by DAKE via our CK-FO. Instantiating DAKE with Maul yields global communication reductions of about 17% in the mutual setting and 21% in the unilateral setting, outperforming both the double-KEM AKE of Xue et al. (ASIACRYPT 2018) and standard ML-KEM-based AKEs. These results show that double-KEMs offer a practical path toward bandwidth-efficient post-quantum key exchange.
Expand
Abiodun Olaluwe, Nouf Nur Nabilah, Sheikh Tareq, Akshay Raghavendra Kulkarni, Annamalai Annamalai
ePrint Report ePrint Report
The transition to post-quantum cryptography (PQC) is accelerating due to the potential of quantum computing to compromise classical public-key cryptosystems. While standardized schemes such as CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+ offer strong theoretical security, practical deployments remain susceptible to physical-layer vulnerabilities, notably side-channel attacks (SCAs). SCAs exploit unintentional leakages in hardware and software implementations—such as power traces, electromagnetic emissions, and timing variations—to recover secret keys without altering the target system. These attacks are non-invasive, cost-effective, and applicable across diverse platforms, making them a critical threat vector for PQC in embedded and resource-constrained environments.

This survey provides a structured, in-depth review of SCAs targeting PQC implementations, encompassing both classical methods—such as Simple Power Analysis, Differential Power Analysis, Correlation Power Analysis, Template Attacks, and Mutual Information Analysis—and emerging machine learning (ML)-driven approaches. Special attention is given to deep learning models, including CNNs, RNNs, and MLPs, which have demonstrated superior performance in profiling attacks by automatically learning leakage patterns from high-dimensional trace data, even in the presence of countermeasures like masking and desynchronization.

We categorize and compare recent attack strategies, analyze their effectiveness against various PQC schemes, and examine the limitations of existing countermeasures. Finally, we identify open research challenges and outline hybrid defense strategies that integrate classical protections with adaptive, ML-aware mitigation techniques. This comprehensive synthesis aims to bridge the gap between PQC algorithm design and secure, implementation-level deployment in the quantum era.
Expand
Ruida Wang, Jikang Bai, Yijian Liu, Xinxuan Zhang, Xianhui Lu, Lutan Zhao, Kunpeng Wang, Rui Hou
ePrint Report ePrint Report
Bootstrapping, introduced by Gentry at STOC 2009, remains the only known method for realizing fully homomorphic encryption (FHE). Since Alperin-Sheriff and Peikert’s 2014 breakthrough on symmetric group accumulator (ACC) based bootstrapping, algebraic ACC designs have offered the lowest bootstrapping latency. The work of Ducas and Micciancio further advanced this paradigm by embedding $\mathbb{Z}_q$ into the multiplicative subgroup of the cyclotomic ring $\mathcal{R}_N$ and exploiting FFT/NTT for fast computation, leading to the milestone constructions FHEW and TFHE. Despite their efficiency, these ring-based schemes face a fundamental limitation: correctness requires $q < 2N$, rigidly coupling precision, performance, and key size to the polynomial dimension.

We address this limitation by introducing a new accumulator structure - a free $\mathcal{R}_N$-module $\bigoplus_{i=0}^{\tau-1} \mathcal{R}_N X^i$. This generalization decouples $q$ and $N$ through a tunable factor $\tau$, with the classical ring-based construction recovered as the special case $\tau=1$. The computation over resulting $\mathcal{R}_N$-algebra enables efficient computation over $\bigoplus_{i=0}^{\tau-1} \mathcal{R}_N X^i$ can be effectively reduced to the base ring $\mathcal{R}_N$. Based on this structure, we design a bootstrapping scheme that achieves asymptotic improvements in precision, performance, and key size. Experimental results further demonstrate significant concrete gains, confirming the practicality of our approach.
Expand
Next ►