格密码写论文综述可选主题（附分析）

前言

本文将总结格密码领域可以选择写论文综述的主题。

主题1：SVP各变形版本之间的规约证明的最新研究总结

SVP: Shortest Vector Problem 最短向量问题

计算SVP，优化SVP，判定SVP，任意两者之间可以互相规约

计算SVPγ，优化SVPγ，判定SVPγ，任意两者之间可以互相规约

备注：需要一定的安全性规约证明的基础

主题2：CVP各变形版本之间的规约证明的最新研究总结

CVP: Closest Vector Problem 最近向量问题

计算CVP，优化CVP，判定CVP，任意两者之间可以互相规约

计算CVPγ，优化CVPγ，判定CVPγ，任意两者之间可以互相规约

备注：需要一定的安全性规约证明的基础

重要文献：

[Babai86] László Babai: On Lovász' lattice reduction and the nearest lattice point problem. Comb. 6(1): 1-13 (1986)

[Klein00] Philip Klein. Finding the closest lattice vector when it’s unusually close. In Proceedings of the eleventh annual ACM-SIAM symposium on Discrete algorithms, SODA ’00, pages 937–941, Philadelphia, PA, USA, 2000. Society for Industrial and Applied Mathematics.

[DL19] Emmanouil Doulgerakis, Thijs Laarhoven, Benne de Weger: Finding Closest Lattice Vectors Using Approximate Voronoi Cells. PQCrypto 2019: 3-22

[LW21] Thijs Laarhoven, Michael Walter: Dual Lattice Attacks for Closest Vector Problems (with Preprocessing). CT-RSA 2021: 478-502

[Laar21] Thijs Laarhoven: Approximate Voronoi cells for lattices, revisited. J. Math. Cryptol. 15(1): 60-71 (2021)

 

主题3：格基约化算法发展与现状

LLL算法可用来解决SVP问题，此算法可实现格基约化。

重要文献：

[2d Reduction] L. Lagrange. Recherches d’arithm´etique. Nouv. M´em. Acad., 1773

[2d Reduction] C. Gauss. Disquisitiones Arithmeticæ. Leipzig, 1801

[HKZ Reduction] C. Hermite. Extraits de lettres de M. Hermite `a M. Jacobi sur diff´erents objets de la th´eoriedes nombres, deuxi`eme lettre. J. Reine Angew. Math., 40:279–290, 1850. Also available in the first volume of Hermite’s complete works, published by Gauthier-Villars

[LLL] A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

[BKZ] C. P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Sci., 53:201–224, 1987

[BKZ] C.P. Schnorr, Block Korkin-Zolotarev bases and successive minima. International Computer Science Institute (1992)

[BKZ] C.P. Schnorr, M. Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum

[GHKN06] N. Gama, N. Howgrave-Graham, H. Koy, and P. Q. Nguyen. Rankin’s constant and blockwise lattice reduction. In Proc. of Crypto ’06, volume 4117 of LNCS, pages 112–130. Springer, 2006

[GN08] N. Gama, P.Q. Nguyen, Predicting lattice reduction, Advances in Cryptology–EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 31–51

[BKZ2.0]Y. Chen, P.Q. Nguyen, BKZ 2.0: Better lattice security estimates. Advances in Cryptology– ASIACRYPT 2011, Lecture Notes in Computer Science, vol. 7073 (Springer, Berlin, 2011), pp.1–20

[fpLLL] The FPLLL development team: fplll, a lattice reduction library (2016), https://github.com/fplll/fplll

[MW16] D. Micciancio, M. Walter, Practical, predictable lattice basis reduction, Advances in Cryptology–EUROCRYPT 2016, Lecture Notes in Computer Science, vol. 9665 (Springer, Berlin, 2016), pp.820–849

[AW16] Y. Aono, Y. Wang, T. Hayashi, T. Takagi, Improved progressive BKZ algorithms and their precisecost estimation by sharp simulator. Advances in Cryptology–EUROCRYPT 2016, Lecture Notes in Computer Science, vol. 9665 (Springer, Berlin, 2016), pp. 789–819. Progressive BKZ library is available from https://www2.nict.go.jp/security/pbkzcode/

[YD17] Y. Yu, L. Ducas, Second order statistical behavior of LLL and BKZ, Selected Areas in Cryptography(SAC 2017), Lecture Notes in Computer Science, vol. 10719 (Springer, Berlin, 2017), pp. 3–22

[YY17] J. Yamaguchi, M. Yasuda, Explicit formula for Gram-Schmidt vectors in LLL with deep insertions and its applications, Number-Theoretic Methods in Cryptology (NuTMiC 2017), Lecture Notes in Computer Science, vol. 10737 (Springer, Berlin, 2017), pp. 142–160

[Yasuda20] M. Yasuda, Self-dual DeepBKZ for finding short lattice vectors. J. Math. Cryptol. 14(1), 84–94(2020)

[YY19] M. Yasuda, J. Yamaguchi, A new polynomial-time variant of LLL with deep insertions for decreasing the squared-sum of Gram-Schmidt lengths. Des. Codes Cryptogr. 87,2489–2505 (2019)

主题4：筛法发展与现状

筛法可解决SVP问题。

部分重要论文如下：

[AKS01] M. Ajtai, R. Kumar, D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, in Symposium on Theory of Computing (STOC 2001) (ACM, 2001), pp.601–610

[CharS02] M.S. Charikar, Similarity estimation techniques from rounding algorithms, in Symposium on Theory of Computing (STOC 2002) (ACM, 2002), pp. 380–388

[]NV08 P.Q. Nguyen, T. Vidick, Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)

[MV10] D. Micciancio, P. Voulgaris, Faster exponential time algorithms for the shortest vector problem, in Symposium on Discrete Algorithms (SODA 2010) (ACM-SIAM, 2010), pp.1468–1480

[BLS16] S. Bai, T. Laarhoven, D. Stehlé, Tuple lattice sieving. LMS J. Comput. Math. 19(A),146–162 (2016)

[HK17] G. Herold, E. Kirshanova, Improved algorithms for the approximate k-list problem in Euclidean norm, Public Key Cryptography (PKC 2017), Lecture Notes in Computer Science, vol. 10174(Springer, Berlin, 2017), pp. 16–40

[FBB+14]R. Fitzpatrick, C. Bischof, J. Buchmann, Ö. Dagdelen, F. Göpfert, A. Mariano, B.Y. Yang,Tuning Gauss Sieve for speed. Progress in Cryptology–LATINCRYPT 2014, Lecture Notes in Computer Science, vol. 8895 (Springer, 2014), pp. 288–305

[Ducas18] L. Ducas, Shortest vector from lattice sieving: a few dimensions for free. Adavances in Cryptology–EUROCRYPT 2018, Lecture Notes in Computer Science, , vol. 10820 (Springer, Berlin, 2018), pp. 125–145

[ADH+19] M. Albrecht, L. Ducas, G. Herold, E. Kirshanova, E.W. Postlethwaite, M. Stevens, The general sieve kernel and new records in lattice reduction. Advances in Cryptology–EUROCRYPT 2019, pp. 717–746

 

主题5：枚举算法发展与现状

枚举算法可解决SVP问题。

部分重要论文如下：

[Pohst] M. Pohst, On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM Sigsam Bull. 15(1), 37–44 (1981)

[Kannan] R. Kannan, Improved algorithms for integer programming and related lattice problems, in Symposium on Theory of Computing (STOC 1983) (ACM, 1983), pp. 193–206

[FP85] U. Fincke, M. Pohst, Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–471 (1985)

[SE94] C.P. Schnorr, M. Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

[GNR10] N. Gama, P.Q. Nguyen, O. Regev, Lattice enumeration using extreme pruning, EUROCRYPT 2010, pp. 257–278

[ANSS18] Y. Aono, P.Q. Nguyen, T. Seito, J. Shikata, Lower bounds on lattice enumeration with extremepruning. CRYPTO 2018, pp. 608–637

[ANS18] Yoshinori Aono, Phong Q. Nguyen, Yixin Shen: Quantum Lattice Enumeration and Tweaking Discrete Pruning. ASIACRYPT (1) 2018: 405-434

 

主题6：基础格分析算法发展与现状

主题7：基础格分析算法与对比测试

主题8：SVP挑战

可见网址：SVP Challenge

主题9：格问题计算复杂性研究现状

重要文献：

P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report 81-04, Mathematische Instituut, Universiry of Amsterdam, 1981.

[ABSS97] S. Arora, L. Babai, J. Stern, and E. Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. Journal of Computer and System Sciences, 54(2):317–331, Apr. 1997. Preliminary version in FOCS93.

[DKS98]I. Dinur, G. Kindler, and S. Safra. Approximating CVP to within almost-polynomial factors is NP-hard. In 39th Annual Symposium on Foundations of Computer Science, pages 99–111, Nov. 1998. IEEE.

[GG98]O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. Journal of Computer and System Sciences, 60(3):540–563, 2000. Preliminary version in STOC98

[GMSS99] O. Goldreich, D. Micciancio, S. Safra, and J.-P. Seifert. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Information Processing Letters, 71(2):55–61, 1999.

[Mic01] D. Micciancio. The hardness of the closest vector problem with preprocessing. IEEE Transactions on Information Theory, 47(3):1212–1215, Mar. 2001.

[FM02] U. Feige and D. Micciancio. The inapproximability of lattice and coding problems with preprocessing. Journal of Computer and System Sciences 2003. Preliminary version in CCC 2002.

[Regev03]O. Regev. Improved Inapproximability of Lattice and Coding Problems with Preprocessing. In Proceedings of the 18th IEEE annual Confer_x0002_ence on Computational Complexity - CCC ’03, pages 315–322.

[Ajtai98] M. Ajtai. The shortest vector problem in l2 is NP-hard for randomized reductions (extended abstract)  10-19. STOC 1998.

[Micciancio01] D. Micciancio. The shortest vector problem is NP-hard to approximate to within some constant. SIAM Journal on Computing, 30(6):2008–2035, Mar. 2001. Preliminary version in FOCS98.

[Dinur00] I. Dinur. Approximating SV P ∞ to within almost-polynomial factors is NP-hard. In CIAC 2000, volume 1767 of Lecture Notes in Computer Science, pages 263–276, Rome,

[Khot04] S. Khot. Hardness of approximating the shortest vector problem in lattices. In Proc. 45th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages 126–135. IEEE, 2004.

主题10：最近向量问题计算复杂性

附相关研究文献：

主题11：最短向量问题计算复杂性

附相关研究文献：

另外附SVP/CVP理论复杂性数轴表：

 

主题12：傅里叶级数在格密码中的应用 

 

主题13：LWE问题及其变形问题

LWE：Learning With Errors 错误学习问题

LWE在发展过程中，一些起关键性作用的论文如下：

重要文献：

[AGVW17] Martin R. Albrecht, Florian Göpfert, Fernando Virdia, Thomas Wunderer: Revisiting the Expected Cost of Solving uSVP and Applications to LWE. ASIACRYPT (1) 2017: 297-322

[ACD+18] Martin R. Albrecht, Benjamin R. Curtis, Amit Deo, Alex Davidson, Rachel Player, Eamonn W. Postlethwaite, Fernando Virdia, Thomas Wunderer: Estimate All the {LWE, NTRU} Schemes! SCN 2018: 351-367;

[Albrecht17] Martin R. Albrecht: On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL. EUROCRYPT (2) 2017: 103-129

[AD17] Martin R. Albrecht, Amit Deo: Large Modulus Ring-LWE ≥ Module-LWE. ASIACRYPT (1) 2017: 267-296

[SS11] Damien Stehlé, Ron Steinfeld: Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. EUROCRYPT 2011: 27-47

[LPR10] Vadim Lyubashevsky, Chris Peikert, Oded Regev: On Ideal Lattices and Learning with Errors over Rings. EUROCRYPT 2010: 1-23

[PRS17] Chris Peikert, Oded Regev, Noah Stephens-Davidowitz: Pseudorandomness of ring-LWE for any ring and modulus. STOC 2017: 461-473

[BLP+13] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, Damien Stehlé: Classical hardness of learning with errors. STOC 2013: 575-584

[BLVW19] Zvika Brakerski, Vadim Lyubashevsky, Vinod Vaikuntanathan, Daniel Wichs: Worst-Case Hardness for LPN and Cryptographic Hashing via Code Smoothing. EUROCRYPT (3) 2019: 619-635

[PP19] Chris Peikert, Zachary Pepin: Algebraically Structured LWE, Revisited. TCC (1) 2019: 1-23

 

主题14：SIS问题及其变形问题

SIS：短整数解问题。

相关重要文献：

[Ajtai96] Miklós Ajtai: Generating Hard Instances of Lattice Problems (Extended Abstract). STOC 1996: 99-108

[MR04] Daniele Micciancio, Oded Regev: Worst-Case to Average-Case Reductions Based on Gaussian Measures. FOCS 2004: 372-381

[GPV08] Craig Gentry, Chris Peikert, Vinod Vaikuntanathan: Trapdoors for hard lattices and new cryptographic constructions. STOC 2008: 197-206

[MP13] Daniele Micciancio, Chris Peikert: Hardness of SIS and LWE with Small Parameters. CRYPTO (1) 2013: 21-39

[Micciancio02] D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity, 16(4):365–411, 2007. Preliminary version in FOCS 2002.

[LMPR08] V. Lyubashevsky, D. Micciancio, C. Peikert, and A. Rosen. SWIFFT: A modest proposal for FFT hashing. In FSE, pages 54–72. 2008.

[PR06] C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In TCC, pages 145–166. 2006.

[LM06] V. Lyubashevsky and D. Micciancio. Generalized compact knapsacks are collision resistant. In ICALP (2), pages 144–155. 2006.

[PR07] C. Peikert and A. Rosen. Lattices that admit logarithmic worst-case to average-case connection factors. In STOC, pages 478–487. 2007.

主题15：q-ary格困难问题评估

q-ary格与格的均匀采样相关

格上高斯采样重要文献：

[Peikert10] Chris Peikert: An Efficient and Parallel Gaussian Sampler for Lattices. CRYPTO 2010: 80-97;

[DN12] Léo Ducas, Phong Q. Nguyen:Faster Gaussian Lattice Sampling Using Lazy Floating-Point Arithmetic. ASIACRYPT 2012: 415-432;

[DDLL13] Léo Ducas, Alain Durmus, Tancrède Lepoint, Vadim Lyubashevsky:Lattice Signatures and Bimodal Gaussians. CRYPTO (1) 2013: 40-56;

[DLP14] Léo Ducas, Vadim Lyubashevsky, Thomas Prest: Efficient Identity-Based Encryption over NTRU Lattices. ASIACRYPT (2) 2014: 22-41;

[LW15] Vadim Lyubashevsky, Daniel Wichs: Simple Lattice Trapdoor Sampling from a Broad Class of Distributions. Public Key Cryptography 2015: 716-730;

[DM18] Nicholas Genise, Daniele Micciancio: Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus. EUROCRYPT (1) 2018: 174-203;

[DGPW20] Léo Ducas, Steven D. Galbraith, Thomas Prest, Yang Yu: Integral Matrix Gram Root and Lattice Gaussian Sampling Without Floats. EUROCRYPT (2) 2020: 608-637;

[ZY22] Shiduo Zhang, Yang Yu: Towards a Simpler Lattice Gadget Toolkit. PKE 2022.

主题16：基于格的公钥加密算法与安全性评估

格的公钥加密的发展，可见如下：

 

主题17：基于格的数字签名算法

格签名的发展：

主题18：后量子安全性证明理论与标准候选算法 

主题19：基于格的方案构造与算法设计

重要文献：

[CHKP10] David Cash, Dennis Hofheinz, Eike Kiltz, Chris Peikert: Bonsai Trees, or How to Delegate a Lattice Basis. EUROCRYPT 2010: 523-552

[KYY18] Shuichi Katsumata, Shota Yamada, Takashi Yamakawa: Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. ASIACRYPT (2) 2018: 253-282.

[LPS10] Vadim Lyubashevsky, Adriana Palacio, Gil Segev: Public-Key Cryptographic Primitives Provably as Secure as Subset Sum. TCC 2010: 382-400；

[ADPS16] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe: Post-quantum Key Exchange - A New Hope. USENIX Security Symposium 2016: 327-343

[BCD+16] Joppe W. Bos, Craig Costello, Léo Ducas, Ilya Mironov, Michael Naehrig, Valeria Nikolaenko, Ananth Raghunathan, Douglas Stebila: Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE. CCS 2016: 1006-1018

[BDK+18] Joppe W. Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé: CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM. EuroS&P 2018: 353-367

[DLL+18] Léo Ducas, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé: CRYSTALS - Dilithium: Digital Signatures from Module Lattices. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1): 238-268 (2018)

[KLS18] Eike Kiltz, Vadim Lyubashevsky, Christian Schaffner: A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model. EUROCRYPT (3) 2018: 552-586

[Lyu09] Vadim Lyubashevsky: Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. ASIACRYPT 2009: 598-616

[Lyu12] Vadim Lyubashevsky: Lattice Signatures without Trapdoors. EUROCRYPT 2012: 738-755

[DDLL13] Léo Ducas, Alain Durmus, Tancrède Lepoint, Vadim Lyubashevsky: Lattice Signatures and Bimodal Gaussians. CRYPTO (1) 2013: 40-56

[ABB10] Shweta Agrawal, Dan Boneh, Xavier Boyen: Efficient Lattice (H)IBE in the Standard Model. EUROCRYPT 2010: 553-572;

[Yamada16] Shota Yamada: Adaptively Secure Identity-Based Encryption from Lattices with Asymptotically Shorter Public Parameters. EUROCRYPT (2) 2016: 32-62;

[ZYZ16] Jiang Zhang, Yu Chen, Zhenfeng Zhang: Programmable Hash Functions from Lattices: Short Signatures and IBEs with Small Key Sizes. CRYPTO (3) 2016: 303-332;

[BL16] Xavier Boyen, Qinyi Li: Towards Tightly Secure Lattice Short Signature and Id-Based Encryption. ASIACRYPT (2) 2016: 404-434.

主题20：基于格的属性基加密

参考文献

[BGG+14] Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikuntanathan, Dhinakaran Vinayagamurthy: Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits. EUROCRYPT 2014: 533-556.

[GVW13] Sergey Gorbunov, Vinod Vaikuntanathan, Hoeteck Wee: Attribute-based encryption for circuits. STOC 2013: 545-554;

[BV16] Zvika Brakerski, Vinod Vaikuntanathan: Circuit-ABE from LWE: Unbounded Attributes and Semi-adaptive Security. CRYPTO (3) 2016: 363-384;

[GVW15] Sergey Gorbunov, Vinod Vaikuntanathan, Hoeteck Wee: Predicate Encryption for Circuits from LWE. CRYPTO (2) 2015: 503-523;

[AMY19] Shweta Agrawal, Monosij Maitra, Shota Yamada: Attribute Based Encryption (and more) for Nondeterministic Finite Automata from LWE. CRYPTO (2) 2019: 765-797;

[DKW21] Pratish Datta, Ilan Komargodski, Brent Waters: Decentralized Multi-authority ABE for DNFs from LWE. EUROCRYPT (1) 2021: 177-209;

[Wee21] Hoeteck Wee: ABE for DFA from LWE Against Bounded Collusions, Revisited. TCC (2) 2021: 288-309;

[Tsa19] Rotem Tsabary: Fully Secure Attribute-Based Encryption for t-CNF from LWE. CRYPTO (1) 2019: 62-85;

[GPW17] Rishab Goyal, Venkata Koppula, Brent Waters: Lockable Obfuscation. FOCS 2017: 612-621;

[Agr17] Shweta Agrawal: Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks. CRYPTO (1) 2017: 3-35.

主题21：基于格的全同态算法

重要文献：

[Gen09] Craig Gentry: Fully homomorphic encryption using ideal lattices. STOC 2009: 169-178

[vDGHV10] Marten van Dijk, Craig Gentry, Shai Halevi, Vinod Vaikuntanathan:

Fully Homomorphic Encryption over the Integers. EUROCRYPT 2010: 24-43

[BV11] Zvika Brakerski, Vinod Vaikuntanathan: Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages. CRYPTO 2011: 505-524

[BGV12] Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan: (Leveled) fully homomorphic encryption without bootstrapping. ITCS 2012: 309-325

[Bra12] Zvika Brakerski: Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. CRYPTO 2012: 868-886

[GHS12] Craig Gentry, Shai Halevi, Nigel P. Smart: Homomorphic Evaluation of the AES Circuit. CRYPTO 2012: 850-867

[GSW13] Craig Gentry and Amit Sahai and Brent Waters: Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. CRYPTO (1) 2013: 75-92

[AP14] Jacob Alperin-Sheriff, Chris Peikert: Faster Bootstrapping with Polynomial Error. CRYPTO (1) 2014: 297-314

[DM15] Léo Ducas, Daniele Micciancio: FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second. EUROCRYPT (1) 2015: 617-640

[CGGI16] Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, Malika Izabachène: Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds. ASIACRYPT (1) 2016: 3-33

[CKKS17] Jung Hee Cheon, Andrey Kim, Miran Kim, Yong Soo Song: Homomorphic Encryption for Arithmetic of Approximate Numbers. ASIACRYPT (1) 2017: 409-437

[CGGI20] Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, Malika Izabachène: TFHE: Fast Fully Homomorphic Encryption Over the Torus. J. Cryptol. 33(1): 34-91 (2020)