<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-hpke-hpke-04" category="std" consensus="true" obsoletes="9180" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="HPKE">Hybrid Public Key Encryption</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-hpke-04"/>
    <author initials="R." surname="Barnes" fullname="Richard L. Barnes">
      <organization/>
      <address>
        <email>rlb@ipv.sx</email>
      </address>
    </author>
    <author initials="K." surname="Bhargavan" fullname="Karthik Bhargavan">
      <organization>Inria</organization>
      <address>
        <email>karthikeyan.bhargavan@inria.fr</email>
      </address>
    </author>
    <author initials="B." surname="Lipp" fullname="Benjamin Lipp">
      <organization>Rosenpass</organization>
      <address>
        <email>ietf@benjaminlipp.de</email>
      </address>
    </author>
    <author initials="C." surname="Wood" fullname="Christopher A. Wood">
      <organization/>
      <address>
        <email>caw@heapingbits.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <workgroup>HPKE</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 263?>

<t>This document describes a scheme for hybrid public key encryption (HPKE).  This
scheme provides a variant of public key encryption of arbitrary-sized plaintexts
for a recipient public key. It also includes a variant that authenticates
possession of a pre-shared key. HPKE works for any combination of an
asymmetric Key Encapsulation Mechanism (KEM), key derivation function (KDF), and authenticated encryption
with additional data (AEAD) encryption function. This document provides
instantiations of the scheme using widely used and efficient primitives, such as
Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation
function (HKDF), and SHA-2.</t>
      <t>This document obsoletes RFC 9180.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/hpkewg/hpke"/>.</t>
    </note>
  </front>
  <middle>
    <?line 277?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Encryption schemes that combine asymmetric and symmetric algorithms have been
specified and practiced since the early days of public key cryptography, e.g.,
<xref target="RFC1421"/>. Combining the two yields the key management advantages of asymmetric
cryptography and the performance benefits of symmetric cryptography. The traditional
combination has been "encrypt the symmetric key with the public key." "Hybrid"
public key encryption (HPKE) schemes, specified here, take a different approach:
"generate the symmetric key and its encapsulation with the public key."
Specifically, encrypted messages convey a shared secret encapsulated with a
public key scheme, along with one or more arbitrary-sized ciphertexts encrypted
using that key. This type of public key encryption has many applications in
practice, including Messaging Layer Security <xref target="RFC9420"/>, TLS Encrypted
ClientHello <xref target="RFC9849"/>, and Oblivious HTTP <xref target="RFC9458"/>.</t>
      <t>Currently, there are numerous competing and non-interoperable standards and
variants for hybrid encryption, mostly variants on the Elliptic Curve Integrated Encryption Scheme (ECIES), including ANSI X9.63
(ECIES) <xref target="ANSI"/>, IEEE 1363a <xref target="IEEE1363"/>, ISO/IEC 18033-2 <xref target="ISO"/>, and SECG SEC 1
<xref target="SECG"/>.  See <xref target="MAEA10"/> for a thorough comparison.  All these existing
schemes have problems, e.g., because they rely on outdated primitives, lack
proofs of indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2) security, or fail to provide test vectors.</t>
      <t>This document defines an HPKE scheme that provides a subset
of the functions provided by the collection of schemes above but
specified with sufficient clarity that they can be interoperably
implemented. The HPKE construction defined herein is secure against (adaptive)
chosen ciphertext attacks (IND-CCA2-secure) under classical assumptions about
the underlying primitives <xref target="HPKEAnalysis"/> <xref target="AJKL23"/> <xref target="ABHKLR20"/>, and post-quantum
secure when used with a post-quantum secure KEM <xref target="AJKL23"/> <xref target="ABHKLR20"/>. A summary of
these analyses is in <xref target="sec-properties"/>.</t>
    </section>
    <section anchor="requirements-notation">
      <name>Requirements Notation</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
    </section>
    <section anchor="notation">
      <name>Notation</name>
      <t>The following terms are used throughout this document to describe the
operations, roles, and behaviors of HPKE:</t>
      <ul spacing="normal">
        <li>
          <t><tt>(skX, pkX)</tt>: A key encapsulation mechanism (KEM) key pair used in role X,
where X is one of S, R, or E as sender, recipient, and ephemeral, respectively;
<tt>skX</tt> is the private key and <tt>pkX</tt> is the public key.</t>
        </li>
        <li>
          <t><tt>pk(skX)</tt>: The KEM public key corresponding to the KEM private key <tt>skX</tt>.</t>
        </li>
        <li>
          <t>Sender (S): Role of entity that sends an encrypted message.</t>
        </li>
        <li>
          <t>Recipient (R): Role of entity that receives an encrypted message.</t>
        </li>
        <li>
          <t>Ephemeral (E): Role of a fresh random value meant for one-time use.</t>
        </li>
        <li>
          <t><tt>I2OSP(n, w)</tt>: Convert non-negative integer <tt>n</tt> to a <tt>w</tt>-length,
big-endian byte string, as described in <xref target="RFC8017"/>.</t>
        </li>
        <li>
          <t><tt>OS2IP(x)</tt>: Convert byte string <tt>x</tt> to a non-negative integer, as
described in <xref target="RFC8017"/>, assuming big-endian byte order.</t>
        </li>
        <li>
          <t><tt>concat(x0, ..., xN)</tt>: Concatenation of byte strings.
<tt>concat(0x01, 0x0203, 0x040506) = 0x010203040506</tt>.</t>
        </li>
        <li>
          <t><tt>lengthPrefixed(x)</tt>: The two-byte length of the byte string <tt>x</tt>, concatenated
with <tt>x</tt> itself.  (<tt>lengthPrefixed(x) = concat(I2OSP(len(x), 2), x)</tt>)  It is
an error to call this function with an <tt>x</tt> value that is more than 65535 bytes
long.</t>
        </li>
        <li>
          <t><tt>random(n)</tt>: A pseudorandom byte string of length <tt>n</tt> bytes</t>
        </li>
        <li>
          <t><tt>xor(a,b)</tt>: XOR of byte strings; <tt>xor(0xF0F0, 0x1234) = 0xE2C4</tt>.
It is an error to call this function with two arguments of unequal
length.</t>
        </li>
      </ul>
      <t>Values that are indicated in double quotes (e.g., "key")
represent sequences of bytes, not text strings.
The value of bytes is the ASCII encoding <xref target="RFC20"/> of the quoted string.
An empty string ("") indicates a zero-length byte sequence.
These byte sequences values do not include any zero byte marker at the end,
such as can be used in some methods of representing strings.</t>
    </section>
    <section anchor="base-crypto">
      <name>Cryptographic Dependencies</name>
      <t>HPKE variants rely on the following primitives:</t>
      <ul spacing="normal">
        <li>
          <t>A Key Encapsulation Mechanism (KEM); see <xref target="crypto-kem"/></t>
        </li>
        <li>
          <t>A Key Derivation Function (KDF); see <xref target="crypto-kdf"/></t>
        </li>
        <li>
          <t>An Authenticated Encryption with Associated Data (AEAD); see <xref target="crypto-aead"/></t>
        </li>
      </ul>
      <t>A <em>ciphersuite</em> is a triple (KEM, KDF, AEAD) containing a choice of algorithm
for each primitive.</t>
      <t>A set of algorithm identifiers for concrete instantiations of these
primitives is provided in <xref target="ciphersuites"/>.  Algorithm identifier
values are two bytes long.</t>
      <section anchor="crypto-kem">
        <name>Key Encapsulation Mechanisms</name>
        <t>Each KEM is parameterized by the following constants (all measured in bytes):</t>
        <dl spacing="compact">
          <dt><tt>Nsecret</tt>:</dt>
          <dd>
            <t>The length of a KEM shared secret produced by this KEM.</t>
          </dd>
          <dt><tt>Nenc</tt>:</dt>
          <dd>
            <t>The length of an encapsulated secret produced by this KEM.</t>
          </dd>
          <dt><tt>Npk</tt>:</dt>
          <dd>
            <t>The length of an encoded public key for this KEM.</t>
          </dd>
          <dt><tt>Nsk</tt>:</dt>
          <dd>
            <t>The length of an encoded private key for this KEM.</t>
          </dd>
        </dl>
        <t>A key encapsulation mechanism (KEM) provides the following functions:</t>
        <dl>
          <dt><tt>GenerateKeyPair()</tt>:</dt>
          <dd>
            <t>Randomized algorithm to generate a key pair <tt>(skX, pkX)</tt>.</t>
          </dd>
          <dt><tt>DeriveKeyPair(ikm)</tt>:</dt>
          <dd>
            <t>Deterministic algorithm to derive a key pair <tt>(skX,
pkX)</tt> from the byte string <tt>ikm</tt>, where <tt>ikm</tt> is an arbitrary-length byte
string (within the bounds in <xref target="input-limits"/>).  The <tt>ikm</tt> input SHOULD have
at least <tt>Nsk</tt> bytes of entropy.</t>
          </dd>
          <dt><tt>SerializePublicKey(pkX)</tt>:</dt>
          <dd>
            <t>Produce a byte string of length <tt>Npk</tt> encoding the
public key <tt>pkX</tt>.</t>
          </dd>
          <dt><tt>DeserializePublicKey(pkXm)</tt>:</dt>
          <dd>
            <t>Parse a byte string of length <tt>Npk</tt> to recover a
public key. This function can raise a <tt>DeserializeError</tt> error upon <tt>pkXm</tt>
deserialization failure.</t>
          </dd>
          <dt><tt>Encap(pkR)</tt>:</dt>
          <dd>
            <t>Randomized algorithm to generate an ephemeral, fixed-length
shared secret and a fixed-length encapsulation of that secret (also known as
the KEM ciphertext) that can be decapsulated by the holder of the private
key corresponding to <tt>pkR</tt>. This function can raise an <tt>EncapError</tt> on
encapsulation failure.</t>
          </dd>
          <dt><tt>Decap(enc, skR)</tt>:</dt>
          <dd>
            <t>Deterministic algorithm using the private key <tt>skR</tt> to
recover the shared secret from the encapsulated secret <tt>enc</tt>. This function
can raise a <tt>DecapError</tt> on decapsulation failure.</t>
          </dd>
        </dl>
        <t>The notation <tt>pk(skX)</tt>, depending on its use and the KEM and its
implementation, is either the
computation of the public key using the private key, or just syntax
expressing the retrieval of the public key, assuming it is stored along
with the private key object.</t>
        <t>Beyond the above, a KEM MAY also expose the following functions, whose behavior
is detailed in <xref target="serializeprivatekey"/>:</t>
        <dl>
          <dt><tt>SerializePrivateKey(skX)</tt>:</dt>
          <dd>
            <t>Produce a byte string of length <tt>Nsk</tt> encoding the private
key <tt>skX</tt>.</t>
          </dd>
          <dt><tt>DeserializePrivateKey(skXm)</tt>:</dt>
          <dd>
            <t>Parse a byte string of length <tt>Nsk</tt> to recover a
private key. This function can raise a <tt>DeserializeError</tt> error upon <tt>skXm</tt>
deserialization failure.</t>
          </dd>
        </dl>
        <t>Senders and recipients MUST validate KEM inputs and outputs as described
in <xref target="kem-ids"/>.</t>
      </section>
      <section anchor="crypto-kdf">
        <name>Key Derivation Functions</name>
        <t>A key derivation function (KDF) is either
a one-stage KDF, with a single <tt>Derive</tt> function,
or a two-stage KDF, with <tt>Extract</tt> and <tt>Expand</tt> functions.</t>
        <t>A one-stage KDF provides the function:</t>
        <dl>
          <dt><tt>Derive(ikm, L)</tt>:</dt>
          <dd>
            <t>Derive an <tt>L</tt>-byte value from the input keying material
<tt>ikm</tt>.</t>
          </dd>
        </dl>
        <t>A two-stage KDF provides the functions:</t>
        <dl>
          <dt><tt>Extract(salt, ikm)</tt>:</dt>
          <dd>
            <t>Extract a pseudorandom key of fixed length <tt>Nh</tt> bytes
from input keying material <tt>ikm</tt> and an optional byte string
<tt>salt</tt>.</t>
          </dd>
          <dt><tt>Expand(prk, info, L)</tt>:</dt>
          <dd>
            <t>Expand a pseudorandom key <tt>prk</tt> using
optional string <tt>info</tt> into <tt>L</tt> bytes of output keying material.</t>
          </dd>
        </dl>
        <t>The <tt>Nh</tt> parameter indicates security strength of KDF, in bytes.
For a two-stage KDF, <tt>Nh</tt> is the output size of the <tt>Extract()</tt> function.</t>
        <t>Certain functions have a different structure depending on whether a one-stage or
two-stage KDF is being used.  For clarity, such functions will be described
twice in this document, once with the suffix <tt>_OneStage</tt> and once with the
suffix <tt>_TwoStage</tt>, representing the versions of the function to be used with a
one-stage or two-stage KDF, respectively.  For example, the <tt>Foo</tt> function would
be invoked by calling <tt>Foo_OneStage</tt> when using a one-stage KDF, and by calling
<tt>Foo_TwoStage</tt> when using a two-stage KDF.</t>
      </section>
      <section anchor="crypto-aead">
        <name>AEAD Encryption Algorithm</name>
        <t>An AEAD encryption algorithm <xref target="RFC5116"/> provides the functions:</t>
        <dl>
          <dt><tt>Seal(key, nonce, aad, pt)</tt>:</dt>
          <dd>
            <t>Encrypt and authenticate plaintext
<tt>pt</tt> with associated data <tt>aad</tt> using symmetric key <tt>key</tt> and nonce
<tt>nonce</tt>, yielding ciphertext and tag <tt>ct</tt>. This function
 can raise a <tt>MessageLimitReachedError</tt> upon failure.</t>
          </dd>
          <dt><tt>Open(key, nonce, aad, ct)</tt>:</dt>
          <dd>
            <t>Decrypt ciphertext and tag <tt>ct</tt> using
associated data <tt>aad</tt> with symmetric key <tt>key</tt> and nonce <tt>nonce</tt>,
returning plaintext message <tt>pt</tt>. This function can raise an
<tt>OpenError</tt> or <tt>MessageLimitReachedError</tt> upon failure.</t>
          </dd>
        </dl>
        <t>AEAD functions have the following parameters (all measured in bytes):</t>
        <dl spacing="compact">
          <dt><tt>Nk</tt>:</dt>
          <dd>
            <t>The length a key for this algorithm.</t>
          </dd>
          <dt><tt>Nn</tt>:</dt>
          <dd>
            <t>The length of a nonce for this algorithm.</t>
          </dd>
          <dt><tt>Nt</tt>:</dt>
          <dd>
            <t>The length of the authentication tag for this algorithm.</t>
          </dd>
        </dl>
      </section>
      <section anchor="crypto-domain">
        <name>Labeled Derivation Functions</name>
        <t>The following functions are defined to facilitate domain separation of
KDF calls as well as context binding:</t>
        <artwork><![CDATA[
# For use with one-stage KDFs
def LabeledDerive(ikm, label, context, L):
  labeled_ikm = concat(
    ikm,
    "HPKE-v1",
    suite_id,
    lengthPrefixed(label),
    I2OSP(L, 2),
    context,
  )
  return Derive(labeled_ikm, L)
]]></artwork>
        <artwork><![CDATA[
# For use with two-stage KDFs
def LabeledExtract(salt, label, ikm):
  labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
  return Extract(salt, labeled_ikm)

def LabeledExpand(prk, label, info, L):
  labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
                        label, info)
  return Expand(prk, labeled_info, L)
]]></artwork>
        <t>The value of <tt>suite_id</tt> depends on where the KDF is used; it is assumed
implicit from the implementation and not passed as a parameter. If used
inside a KEM algorithm, <tt>suite_id</tt> MUST start with "KEM" and identify
this KEM algorithm; if used in the remainder of HPKE, it MUST start with
"HPKE" and identify the entire ciphersuite in use. See sections <xref target="dhkem"/>
and <xref target="encryption-context"/> for details.</t>
      </section>
      <section anchor="dhkem">
        <name>DH-Based KEM (DHKEM)</name>
        <t>Suppose we are given a KDF, and a Diffie-Hellman (DH) group providing the
following operations:</t>
        <dl>
          <dt><tt>DH(skX, pkY)</tt>:</dt>
          <dd>
            <t>Perform a non-interactive Diffie-Hellman exchange using
the private key <tt>skX</tt> and public key <tt>pkY</tt> to produce a Diffie-Hellman shared
secret of length <tt>Ndh</tt>. This function can raise a <tt>ValidationError</tt> as described
in <xref target="validation"/>.</t>
          </dd>
        </dl>
        <t>A DH-based KEM is parameterized by the constants (in bytes):</t>
        <dl spacing="compact">
          <dt><tt>Ndh</tt>:</dt>
          <dd>
            <t>The length of the shared secret produced by <tt>DH()</tt>.</t>
          </dd>
          <dt><tt>Nsk</tt>:</dt>
          <dd>
            <t>The length of a Diffie-Hellman private key.</t>
          </dd>
          <dt><tt>Npk</tt>:</dt>
          <dd>
            <t>The length of a serialized public key for the DH group.</t>
          </dd>
          <dt><tt>Nenc</tt>:</dt>
          <dd>
            <t>Equal to <tt>Npk</tt>. Encapsulated shared secrets are serialized
DH public keys in this KEM algorithm.</t>
          </dd>
        </dl>
        <t>Then we can construct a KEM that implements the interface defined in <xref target="crypto-kem"/>
called <tt>DHKEM(Group, KDF)</tt> in the following way, where <tt>Group</tt> denotes the
Diffie-Hellman group and <tt>KDF</tt> denotes the KDF. The function parameters <tt>pkR</tt> and <tt>pkS</tt>
are deserialized public keys, and <tt>enc</tt> is a serialized public key. Since
encapsulated shared secrets are Diffie-Hellman public keys in this KEM algorithm,
we use <tt>SerializePublicKey()</tt> and <tt>DeserializePublicKey()</tt> to encode and decode
them, respectively. <tt>GenerateKeyPair()</tt> produces a key pair
for the Diffie-Hellman group in use. <xref target="derive-key-pair"/> contains the
<tt>DeriveKeyPair()</tt> function specification for DHKEMs defined in this document.</t>
        <artwork><![CDATA[
# For use with one-stage KDFs
def ExtractAndExpand_OneStage(dh, kem_context):
  return LabeledDerive(dh, "shared_secret", kem_context, Nsecret)

# For use with two-stage KDFs
def ExtractAndExpand_TwoStage(dh, kem_context):
  eae_prk = LabeledExtract("", "eae_prk", dh)
  shared_secret = LabeledExpand(eae_prk, "shared_secret",
                                kem_context, Nsecret)
  return shared_secret

def Encap(pkR):
  skE, pkE = GenerateKeyPair()
  dh = DH(skE, pkR)
  enc = SerializePublicKey(pkE)

  pkRm = SerializePublicKey(pkR)
  kem_context = concat(enc, pkRm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret, enc

def Decap(enc, skR):
  pkE = DeserializePublicKey(enc)
  dh = DH(skR, pkE)

  pkRm = SerializePublicKey(pk(skR))
  kem_context = concat(enc, pkRm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret
]]></artwork>
        <t>The implicit <tt>suite_id</tt> value used within <tt>LabeledExtract</tt>, <tt>LabeledExpand</tt>, and
<tt>LabeledDerive</tt> is defined as follows, where <tt>kem_id</tt> is defined in <xref target="kem-ids"/>:</t>
        <artwork><![CDATA[
suite_id = concat("KEM", I2OSP(kem_id, 2))
]]></artwork>
        <t>The KDF used in DHKEM can be equal to or different from the KDF used
in the remainder of HPKE, depending on the chosen variant.
Implementations MUST make sure to use the constants (<tt>Nh</tt>) and function
calls (<tt>LabeledExtract</tt>, <tt>LabeledExpand</tt>, and <tt>LabeledDerive</tt>) of the appropriate KDF when
implementing DHKEM. See <xref target="kdf-choice"/> for a comment on the choice of
a KDF for the remainder of HPKE, and <xref target="domain-separation"/> for the
rationale of the labels.</t>
        <t>For the variants of DHKEM defined in this document, the size <tt>Nsecret</tt> of the
KEM shared secret is equal to the output length of the hash function
underlying the KDF. For P-256, P-384, and P-521, the size <tt>Ndh</tt> of the
Diffie-Hellman shared secret is equal to 32, 48, and 66, respectively,
corresponding to the x-coordinate of the resulting elliptic curve point <xref target="IEEE1363"/>.
For X25519 and X448, the size <tt>Ndh</tt> is equal to 32 and 56, respectively
(see <xref section="5" sectionFormat="of" target="RFC7748"/>).</t>
      </section>
    </section>
    <section anchor="hpke">
      <name>Hybrid Public Key Encryption</name>
      <t>In this section, we define a few HPKE variants.  All variants take a
recipient public key <tt>pkR</tt> and a sequence of plaintexts <tt>pt</tt> and produce an
encapsulated secret <tt>enc</tt> and a sequence of ciphertexts <tt>ct</tt>.  These outputs are
constructed so that only the holder of <tt>skR</tt> can decapsulate the key from
<tt>enc</tt> and decrypt the ciphertexts.  All the algorithms also take an
<tt>info</tt> parameter that can be used to influence the generation of keys
(e.g., to fold in identity information) and an <tt>aad</tt> parameter that
provides additional authenticated data to the AEAD algorithm in use.</t>
      <t>In addition to the base case of encrypting to a public key, we include a variant
that authenticates possession of a pre-shared key. The authenticated variant
contributes additional keying material to the encryption operation. The
following one-byte values will be used to distinguish between modes:</t>
      <table anchor="hpke-modes">
        <name>HPKE Modes</name>
        <thead>
          <tr>
            <th align="left">Mode</th>
            <th align="left">Value</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">mode_base</td>
            <td align="left">0x00</td>
          </tr>
          <tr>
            <td align="left">mode_psk</td>
            <td align="left">0x01</td>
          </tr>
          <tr>
            <td align="left">RESERVED</td>
            <td align="left">0x02</td>
          </tr>
          <tr>
            <td align="left">RESERVED</td>
            <td align="left">0x03</td>
          </tr>
        </tbody>
      </table>
      <t>(The values 0x02 and 0x03 were used in <xref target="RFC9180"/> to reflect additional
variants which have been removed from this specification.)</t>
      <t>Both variants follow the same basic two-step pattern:</t>
      <ol spacing="normal" type="1"><li>
          <t>Set up an encryption context that is shared between the sender
and the recipient.</t>
        </li>
        <li>
          <t>Use that context to encrypt or decrypt content.</t>
        </li>
      </ol>
      <t>A <em>context</em> is an implementation-specific structure that encodes
the AEAD algorithm and key in use, and manages the nonces used so
that the same nonce is not used with multiple plaintexts. It also
has an interface for exporting secret values, as described in
<xref target="hpke-export"/>. See <xref target="hpke-dem"/> for a description of this structure
and its interfaces. HPKE decryption fails when the underlying AEAD
decryption fails.</t>
      <t>The constructions described here presume that the relevant non-private
parameters (<tt>enc</tt>, <tt>psk_id</tt>, etc.) are transported between the sender and the
recipient by some application making use of HPKE. Moreover, a recipient with more
than one public key needs some way of determining which of its public keys was
used for the encapsulation operation. As an example, applications may send this
information alongside a ciphertext from the sender to the recipient. Specification of
such a mechanism is left to the application. See <xref target="metadata"/> for more
details.</t>
      <t>The procedures described in this section are laid out in a
Python-like pseudocode. The algorithms in use are left implicit.</t>
      <section anchor="encryption-context">
        <name>Creating the Encryption Context</name>
        <t>The variants of HPKE defined in this document share a common
key schedule that translates the protocol inputs into an encryption
context. The key schedule inputs are as follows:</t>
        <ul spacing="normal">
          <li>
            <t><tt>mode</tt> - A one-byte value indicating the HPKE mode, defined in <xref target="hpke-modes"/>.</t>
          </li>
          <li>
            <t><tt>shared_secret</tt> - A KEM shared secret generated for this transaction.</t>
          </li>
          <li>
            <t><tt>info</tt> - Application-supplied information (optional; default value "").</t>
          </li>
          <li>
            <t><tt>psk</tt> - A pre-shared key (PSK) held by both the sender
and the recipient (optional; default value "").</t>
          </li>
          <li>
            <t><tt>psk_id</tt> - An identifier for the PSK (optional; default value "").</t>
          </li>
        </ul>
        <t>Senders and recipients MUST validate KEM inputs and outputs as described
in <xref target="kem-ids"/>.</t>
        <t>The <tt>info</tt> parameter used by HPKE is not related to the optional string <tt>info</tt>
used by the <tt>LabeledExpand()</tt> or <tt>Expand()</tt> functions detailed in <xref target="base-crypto"/>.</t>
        <t>The <tt>psk</tt> and <tt>psk_id</tt> parameters MUST appear together or not at all.
That is, if a non-default value is provided for one of them, then
the other MUST be set to a non-default value. This requirement is
encoded in <tt>VerifyPSKInputs()</tt> below.</t>
        <t>The <tt>psk</tt>, <tt>psk_id</tt>, and <tt>info</tt> parameters have maximum lengths that depend
on the KDF itself, on the definition of <tt>LabeledExtract()</tt>, and on the
constant labels used together with them. See <xref target="kdf-input-length"/> for
precise limits on these lengths.</t>
        <t>The <tt>key</tt>, <tt>base_nonce</tt>, and <tt>exporter_secret</tt> computed by the key schedule
have the property that they are only known to the holder of the recipient
private key, and the entity that used the KEM to generate <tt>shared_secret</tt> and
<tt>enc</tt>.</t>
        <t>The HPKE algorithm identifiers, i.e., the KEM <tt>kem_id</tt>, KDF <tt>kdf_id</tt>, and
AEAD <tt>aead_id</tt> 2-byte code points, as defined in <xref target="kemid-values"/>, <xref target="kdfid-values"/>,
and <xref target="aeadid-values"/>, respectively, are assumed implicit from the implementation
and not passed as parameters. The implicit <tt>suite_id</tt> value used within
<tt>LabeledExtract</tt>, <tt>LabeledExpand</tt>, and <tt>LabeledDerive</tt> is defined based on them as follows:</t>
        <artwork><![CDATA[
suite_id = concat(
  "HPKE",
  I2OSP(kem_id, 2),
  I2OSP(kdf_id, 2),
  I2OSP(aead_id, 2)
)
]]></artwork>
        <artwork><![CDATA[
default_psk = ""
default_psk_id = ""

def VerifyPSKInputs(mode, psk, psk_id):
  got_psk = (psk != default_psk)
  got_psk_id = (psk_id != default_psk_id)
  if got_psk != got_psk_id:
    raise Exception("Inconsistent PSK inputs")

  if got_psk and mode == mode_base:
    raise Exception("PSK input provided when not needed")
  if (not got_psk) and mode == mode_psk:
    raise Exception("Missing required PSK input")

# For use with a one-stage KDF
def CombineSecrets_OneStage(mode, shared_secret, info, psk, psk_id):
  secrets = concat(
    lengthPrefixed(psk),
    lengthPrefixed(shared_secret)
  )
  context = concat(
    mode,
    lengthPrefixed(psk_id),
    lengthPrefixed(info)
  )

  secret = LabeledDerive(secrets, "secret", context, Nk + Nn + Nh)

  key = secret[:Nk]
  base_nonce = secret[Nk:(Nk + Nn)]
  exporter_secret = secret[(Nk + Nn):]

  return (key, base_nonce, exporter_secret)

# For use with a two-stage KDF
def CombineSecrets_TwoStage(mode, shared_secret, info, psk, psk_id):
  psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
  info_hash = LabeledExtract("", "info_hash", info)
  key_schedule_context = concat(mode, psk_id_hash, info_hash)

  secret = LabeledExtract(shared_secret, "secret", psk)

  key = LabeledExpand(secret, "key", key_schedule_context, Nk)
  base_nonce = LabeledExpand(secret, "base_nonce",
                             key_schedule_context, Nn)
  exporter_secret = LabeledExpand(secret, "exp",
                                  key_schedule_context, Nh)

  return (key, base_nonce, exporter_secret)

def KeySchedule<ROLE>(mode, shared_secret, info, psk, psk_id):
  VerifyPSKInputs(mode, psk, psk_id)

  key, base_nonce, exporter_secret =
    CombineSecrets(mode, shared_secret, info, psk, psk_id)

  return Context<ROLE>(key, base_nonce, 0, exporter_secret)
]]></artwork>
        <t>The <tt>ROLE</tt> template parameter is either S or R, depending on the role
of sender or recipient, respectively. The third parameter in the
<tt>Context&lt;ROLE&gt;</tt> refers to the sequence number, which is initialized with
a 0 value. See <xref target="hpke-dem"/> for a discussion of the key schedule output,
including the role-specific Context structure and its Application Programming Interface (API), and the
usage of the sequence number.</t>
        <t>Note that when a two-stage KDF is used, the <tt>key_schedule_context</tt>
construction in <tt>CombineSecrets_TwoStage()</tt> is equivalent to serializing a
structure of the following form in the TLS presentation syntax:</t>
        <artwork><![CDATA[
struct {
    uint8 mode;
    opaque psk_id_hash[Nh];
    opaque info_hash[Nh];
} KeyScheduleContext;
]]></artwork>
        <section anchor="hpke-kem">
          <name>Encryption to a Public Key</name>
          <t>The most basic function of an HPKE scheme is to enable encryption
to the holder of a given KEM private key.  The <tt>SetupBaseS()</tt> and
<tt>SetupBaseR()</tt> procedures establish contexts that can be used to
encrypt and decrypt, respectively, for a given private key.</t>
          <t>The KEM shared secret is combined via the KDF
with information describing the key exchange, as well as the
explicit <tt>info</tt> parameter provided by the caller.</t>
          <t>The parameter <tt>pkR</tt> is a public key, and <tt>enc</tt> is an encapsulated
KEM shared secret.</t>
          <artwork><![CDATA[
def SetupBaseS(pkR, info):
  shared_secret, enc = Encap(pkR)
  return enc, KeyScheduleS(mode_base, shared_secret, info,
                           default_psk, default_psk_id)

def SetupBaseR(enc, skR, info):
  shared_secret = Decap(enc, skR)
  return KeyScheduleR(mode_base, shared_secret, info,
                      default_psk, default_psk_id)
]]></artwork>
        </section>
        <section anchor="mode-psk">
          <name>Authentication Using a Pre-Shared Key</name>
          <t>This variant extends the base mechanism by allowing the recipient to
authenticate that the sender possessed a given PSK. The PSK also
improves confidentiality guarantees in certain adversary models, as
described in more detail in <xref target="sec-properties"/>. We assume that both
parties have been provisioned with both the PSK value <tt>psk</tt> and another
byte string <tt>psk_id</tt> that is used to identify which PSK should be used.</t>
          <t>The primary difference from the base case is that the <tt>psk</tt> and <tt>psk_id</tt> values
are used as <tt>ikm</tt> inputs to the KDF (instead of using the empty string).</t>
          <t>The PSK MUST have at least 32 bytes of entropy and SHOULD be of length <tt>Nh</tt>
bytes or longer. See <xref target="security-psk"/> for a more detailed discussion.</t>
          <artwork><![CDATA[
def SetupPSKS(pkR, info, psk, psk_id):
  shared_secret, enc = Encap(pkR)
  return enc, KeyScheduleS(mode_psk, shared_secret, info, psk, psk_id)

def SetupPSKR(enc, skR, info, psk, psk_id):
  shared_secret = Decap(enc, skR)
  return KeyScheduleR(mode_psk, shared_secret, info, psk, psk_id)
]]></artwork>
        </section>
      </section>
      <section anchor="hpke-dem">
        <name>Encryption and Decryption</name>
        <t>HPKE allows multiple encryption operations to be done based on a
given setup transaction.  Since the public key operations involved
in setup are typically more expensive than symmetric encryption or
decryption, this allows applications to amortize the cost of the
public key operations, reducing the overall overhead.</t>
        <t>In order to avoid nonce reuse, however, this encryption must be
stateful. Each of the setup procedures above produces a role-specific
context object that stores the AEAD and secret export parameters.
The AEAD parameters consist of:</t>
        <ul spacing="normal">
          <li>
            <t>The AEAD algorithm in use</t>
          </li>
          <li>
            <t>A secret <tt>key</tt></t>
          </li>
          <li>
            <t>A base nonce <tt>base_nonce</tt></t>
          </li>
          <li>
            <t>A sequence number (initially 0)</t>
          </li>
        </ul>
        <t>The secret export parameters consist of:</t>
        <ul spacing="normal">
          <li>
            <t>The HPKE ciphersuite in use and</t>
          </li>
          <li>
            <t>An <tt>exporter_secret</tt> used for the secret export interface (see
<xref target="hpke-export"/>)</t>
          </li>
        </ul>
        <t>All these parameters except the AEAD sequence number are constant.
The sequence number provides nonce uniqueness: The nonce used for
each encryption or decryption operation is the result of XORing
<tt>base_nonce</tt> with the current sequence number, encoded as a big-endian
integer of the same length as <tt>base_nonce</tt>. Implementations MAY use a
sequence number that is shorter than the nonce length (padding on the left
with zero), but MUST raise an error if the sequence number overflows. The AEAD
algorithm produces ciphertext that is Nt bytes longer than the plaintext.
Nt = 16 for AEAD algorithms defined in this document.</t>
        <t>Additionally, each AEAD algorithm has a maximum plaintext length (P_MAX)
as specified in <xref target="RFC5116"/>. For AES-128-GCM and AES-256-GCM, P_MAX is
2^36 - 31 bytes. For ChaCha20Poly1305, P_MAX is 2^38 - 64 bytes.
Implementations MUST NOT encrypt plaintexts larger than P_MAX. Exceeding
either the sequence number limit or P_MAX for the AEAD in use results in
loss of confidentiality and integrity guarantees.</t>
        <t>Encryption is unidirectional from sender to recipient. The sender's
context can encrypt a plaintext <tt>pt</tt> with associated data <tt>aad</tt> as
follows:</t>
        <artwork><![CDATA[
def ContextS.Seal(aad, pt):
  ct = Seal(self.key, self.ComputeNonce(self.seq), aad, pt)
  self.IncrementSeq()
  return ct
]]></artwork>
        <t>The recipient's context can decrypt a ciphertext <tt>ct</tt> with associated
data <tt>aad</tt> as follows:</t>
        <artwork><![CDATA[
def ContextR.Open(aad, ct):
  pt = Open(self.key, self.ComputeNonce(self.seq), aad, ct)
  if pt == OpenError:
    raise OpenError
  self.IncrementSeq()
  return pt
]]></artwork>
        <t>Each encryption or decryption operation increments the sequence number for
the context in use. The per-message nonce and sequence number increment
details are as follows:</t>
        <artwork><![CDATA[
def Context<ROLE>.ComputeNonce(seq):
  seq_bytes = I2OSP(seq, Nn)
  return xor(self.base_nonce, seq_bytes)

def Context<ROLE>.IncrementSeq():
  if self.seq >= (1 << (8*Nn)) - 1:
    raise MessageLimitReachedError
  self.seq += 1
]]></artwork>
        <t>The sender's context MUST NOT be used for decryption. Similarly, the recipient's
context MUST NOT be used for encryption. Higher-level protocols reusing the HPKE
key exchange for more general purposes can derive separate keying material as
needed using the secret export interface; see <xref target="hpke-export"/> and <xref target="bidirectional"/>
for more details.</t>
        <t>It is up to the application to ensure that encryptions and decryptions are
done in the proper sequence, so that encryption and decryption nonces align.
If <tt>ContextS.Seal()</tt> or <tt>ContextR.Open()</tt> would cause the <tt>seq</tt> parameter to
overflow, then the implementation MUST fail with an error. (In the pseudocode
above, <tt>Context&lt;ROLE&gt;.IncrementSeq()</tt> fails with an error when <tt>seq</tt> overflows,
which causes <tt>ContextS.Seal()</tt> and <tt>ContextR.Open()</tt> to fail accordingly.)
Note that the internal <tt>Seal()</tt> and <tt>Open()</tt> calls inside correspond to the
context's AEAD algorithm.</t>
        <t>In parallel or concurrent environments, the <tt>ComputeNonce()</tt>, <tt>Seal()</tt>, and
<tt>IncrementSeq()</tt> operations MUST be done as an atomic unit, e.g., by holding
a lock on <tt>ContextS</tt> for the duration of <tt>ContextS.Seal()</tt>. If other calls to
<tt>Seal()</tt> are interleaved before <tt>IncrementSeq()</tt> completes, this will result
in multiple encryptions with the same sequence number, and thus the same nonce.</t>
      </section>
      <section anchor="hpke-export">
        <name>Secret Export</name>
        <t>HPKE provides an interface for exporting secrets from the encryption context
using a variable-length pseudorandom function (PRF). This interface takes as input a context
string <tt>exporter_context</tt> and a desired length <tt>L</tt> in bytes, and produces
a secret derived from the internal exporter secret using the corresponding
KDF Expand function. For the KDFs defined in this specification, <tt>L</tt> has
a maximum value of <tt>255*Nh</tt>. Future specifications that define new KDFs
MUST specify a bound for <tt>L</tt>.</t>
        <t>The <tt>exporter_context</tt> parameter has a maximum length that depends on the KDF
itself, on the definition of <tt>LabeledExpand()</tt>, and on the constant labels
used together with them. See <xref target="kdf-input-length"/> for precise limits on this
length.</t>
        <artwork><![CDATA[
# For use with a one-stage KDF
def Context.Export_OneStage(exporter_context, L):
  return LabeledDerive(self.exporter_secret, "sec",
                       exporter_context, L)

# For use with a two-stage KDF
def Context.Export_TwoStage(exporter_context, L):
  return LabeledExpand(self.exporter_secret, "sec",
                       exporter_context, L)
]]></artwork>
        <t>Applications that do not use the encryption API in <xref target="hpke-dem"/> can use
the export-only AEAD ID <tt>0xFFFF</tt> when computing the key schedule. Such
applications can avoid computing the <tt>key</tt> and <tt>base_nonce</tt> values in the
key schedule, as they are not used by the Export interface described above.</t>
        <t>Unlike the similar TLS 1.3 exporter interface (see <xref section="7.5" sectionFormat="of" target="RFC8446"/>),
the HPKE export interface does not provide replay protection. While the resulting
secret will only be known to the sender and recipient, a replayed encapsulated
secret <tt>enc</tt> will produce an identical context, and thus the same exported
secrets. In particular, applications MUST NOT use exported secrets unless it is
safe for the same exported values to be used multiple times.  For example,
applications MUST NOT use an exported secret to derive a (key, nonce) pair for
AEAD encryption (as suggested in <xref section="9.8" sectionFormat="of" target="RFC9180"/>), since reuse of a
(key, nonce) pair harms security in most AEAD algorithms.  In such cases,
applications SHOULD incorporate a fresh recipient-provided nonce when deriving
values from an export context, as discussed in <xref section="4.4" sectionFormat="of" target="RFC9458"/> and
<xref target="bidirectional"/>.</t>
      </section>
    </section>
    <section anchor="single-shot-apis">
      <name>Single-Shot APIs</name>
      <section anchor="single-shot-encryption">
        <name>Encryption and Decryption</name>
        <t>In many cases, applications encrypt only a single message to a recipient's
public key.  This section provides templates for HPKE APIs that implement
stateless "single-shot" encryption and decryption using APIs specified in
<xref target="encryption-context"/> and <xref target="hpke-dem"/>:</t>
        <artwork><![CDATA[
def Seal<MODE>(pkR, info, aad, pt, ...):
  enc, ctx = Setup<MODE>S(pkR, info, ...)
  ct = ctx.Seal(aad, pt)
  return enc, ct

def Open<MODE>(enc, skR, info, aad, ct, ...):
  ctx = Setup<MODE>R(enc, skR, info, ...)
  return ctx.Open(aad, ct)
]]></artwork>
        <t>The <tt>MODE</tt> template parameter is either Base or PSK. The optional parameters
indicated by "..." depend on <tt>MODE</tt> and may be empty. For example, <tt>SetupBase()</tt> has no
additional parameters. <tt>SealPSK()</tt> and <tt>OpenPSK()</tt> would be implemented as follows:</t>
        <artwork><![CDATA[
def SealPSK(pkR, info, aad, pt, psk, psk_id):
  enc, ctx = SetupPSKS(pkR, info, psk, psk_id)
  ct = ctx.Seal(aad, pt)
  return enc, ct

def OpenPSK(enc, skR, info, aad, ct, psk, psk_id):
  ctx = SetupPSKR(enc, skR, info, psk, psk_id)
  return ctx.Open(aad, ct)
]]></artwork>
      </section>
      <section anchor="secret-export">
        <name>Secret Export</name>
        <t>Applications may also want to derive a secret known only to a given recipient.
This section provides templates for HPKE APIs that implement stateless
"single-shot" secret export using APIs specified in <xref target="hpke-export"/>:</t>
        <artwork><![CDATA[
def SendExport<MODE>(pkR, info, exporter_context, L, ...):
  enc, ctx = Setup<MODE>S(pkR, info, ...)
  exported = ctx.Export(exporter_context, L)
  return enc, exported

def ReceiveExport<MODE>(enc, skR, info, exporter_context, L, ...):
  ctx = Setup<MODE>R(enc, skR, info, ...)
  return ctx.Export(exporter_context, L)
]]></artwork>
        <t>As in <xref target="single-shot-encryption"/>, the <tt>MODE</tt> template parameter is either Base or PSK.
The optional parameters indicated by "..." depend on <tt>MODE</tt> and may be empty.</t>
        <t>Secrets exported using this single-shot API face the same replay risks discussed
in <xref target="hpke-export"/>.  Usage of exported secrets needs to be limited as described
in that section.</t>
      </section>
    </section>
    <section anchor="ciphersuites">
      <name>Algorithm Identifiers</name>
      <t>This section lists algorithm identifiers suitable for different HPKE configurations.
Future specifications may introduce new KEM, KDF, and AEAD algorithm identifiers
and retain the security guarantees presented in this document provided they adhere
to the security requirements in <xref target="kem-security"/>, <xref target="kdf-choice"/>, and <xref target="aead-security"/>,
respectively.</t>
      <section anchor="kem-ids">
        <name>Key Encapsulation Mechanisms (KEMs)</name>
        <table anchor="kemid-values">
          <name>KEM IDs</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">KEM</th>
              <th align="left">Nsecret</th>
              <th align="left">Nenc</th>
              <th align="left">Npk</th>
              <th align="left">Nsk</th>
              <th align="left">Auth</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">Reserved</td>
              <td align="left">N/A</td>
              <td align="left">N/A</td>
              <td align="left">N/A</td>
              <td align="left">N/A</td>
              <td align="left">yes</td>
              <td align="left">RFC 9180</td>
            </tr>
            <tr>
              <td align="left">0x0010</td>
              <td align="left">DHKEM(P-256, HKDF-SHA256)</td>
              <td align="left">32</td>
              <td align="left">65</td>
              <td align="left">65</td>
              <td align="left">32</td>
              <td align="left">yes</td>
              <td align="left">
                <xref target="NISTCurves"/>, <xref target="RFC5869"/></td>
            </tr>
            <tr>
              <td align="left">0x0011</td>
              <td align="left">DHKEM(P-384, HKDF-SHA384)</td>
              <td align="left">48</td>
              <td align="left">97</td>
              <td align="left">97</td>
              <td align="left">48</td>
              <td align="left">yes</td>
              <td align="left">
                <xref target="NISTCurves"/>, <xref target="RFC5869"/></td>
            </tr>
            <tr>
              <td align="left">0x0012</td>
              <td align="left">DHKEM(P-521, HKDF-SHA512)</td>
              <td align="left">64</td>
              <td align="left">133</td>
              <td align="left">133</td>
              <td align="left">66</td>
              <td align="left">yes</td>
              <td align="left">
                <xref target="NISTCurves"/>, <xref target="RFC5869"/></td>
            </tr>
            <tr>
              <td align="left">0x0020</td>
              <td align="left">DHKEM(X25519, HKDF-SHA256)</td>
              <td align="left">32</td>
              <td align="left">32</td>
              <td align="left">32</td>
              <td align="left">32</td>
              <td align="left">yes</td>
              <td align="left">
                <xref target="RFC7748"/>, <xref target="RFC5869"/></td>
            </tr>
            <tr>
              <td align="left">0x0021</td>
              <td align="left">DHKEM(X448, HKDF-SHA512)</td>
              <td align="left">64</td>
              <td align="left">56</td>
              <td align="left">56</td>
              <td align="left">56</td>
              <td align="left">yes</td>
              <td align="left">
                <xref target="RFC7748"/>, <xref target="RFC5869"/></td>
            </tr>
          </tbody>
        </table>
        <t>The <tt>Auth</tt> column indicates if the KEM algorithm provides the <tt>AuthEncap()</tt>/<tt>AuthDecap()</tt>
interface defined in <xref target="RFC9180"/>.</t>
        <section anchor="serializepublickey-and-deserializepublickey">
          <name>SerializePublicKey and DeserializePublicKey</name>
          <t>For P-256, P-384, and P-521, the <tt>SerializePublicKey()</tt> function of the
KEM performs the uncompressed Elliptic-Curve-Point-to-Octet-String
conversion according to <xref target="SECG"/>. <tt>DeserializePublicKey()</tt> performs the
uncompressed Octet-String-to-Elliptic-Curve-Point conversion.</t>
          <t>For X25519 and X448, the <tt>SerializePublicKey()</tt> and <tt>DeserializePublicKey()</tt>
functions are the identity function, since these curves already use
fixed-length byte strings for public keys.</t>
          <t>Some deserialized public keys MUST be validated before they can be used. See
<xref target="validation"/> for specifics.</t>
        </section>
        <section anchor="serializeprivatekey">
          <name>SerializePrivateKey and DeserializePrivateKey</name>
          <t>As per <xref target="SECG"/>, P-256, P-384, and P-521 private keys are field elements in the
scalar field of the curve being used. For this section, and for
<xref target="derive-key-pair"/>, it is assumed that implementors of ECDH over these curves
use an integer representation of private keys that is compatible with the
<tt>OS2IP()</tt> function.</t>
          <t>For P-256, P-384, and P-521, the <tt>SerializePrivateKey()</tt> function of the KEM
performs the Field-Element-to-Octet-String conversion according to <xref target="SECG"/>. If
the private key is an integer outside the range <tt>[0, order-1]</tt>, where <tt>order</tt>
is the order of the curve being used, the private key MUST be reduced to its
representative in <tt>[0, order-1]</tt> before being serialized.
<tt>DeserializePrivateKey()</tt> performs the Octet-String-to-Field-Element conversion
according to <xref target="SECG"/>.</t>
          <t>For X25519 and X448, private keys are identical to their byte string
representation.</t>
          <t>To catch invalid keys early on, implementors of DHKEMs SHOULD check that
deserialized private keys are not equivalent to 0 (mod <tt>order</tt>), where <tt>order</tt>
is the order of the DH group. Note that this property is trivially true for X25519
and X448 groups, since clamped values can never be 0 (mod <tt>order</tt>).</t>
        </section>
        <section anchor="derive-key-pair">
          <name>DeriveKeyPair</name>
          <t>The keys that <tt>DeriveKeyPair()</tt> produces have only as much entropy as the provided
input keying material. For a given KEM, the <tt>ikm</tt> parameter given to <tt>DeriveKeyPair()</tt> SHOULD
have length at least <tt>Nsk</tt>, and SHOULD have at least <tt>Nsk</tt> bytes of entropy.</t>
          <t>All invocations of KDF functions (such as <tt>LabeledExtract</tt> or <tt>LabeledExpand</tt>) in any
DHKEM's <tt>DeriveKeyPair()</tt> function use the DHKEM's associated KDF (as opposed to
the ciphersuite's KDF).</t>
          <t>For P-256, P-384, and P-521, the <tt>DeriveKeyPair()</tt> function of the KEM performs
rejection sampling over field elements:</t>
          <artwork><![CDATA[
# For use with a one-stage KDF
def DeriveCandidate_OneStage(ikm, counter):
  return LabeledDerive(ikm, "candidate", I2OSP(counter, 1), Nsk)

# For use with a two-stage KDF
def DeriveCandidate_TwoStage(ikm, counter):
  # Note: dkp_prk may be derived once and cached
  dkp_prk = LabeledExtract("", "dkp_prk", ikm)
  return LabeledExpand(dkp_prk, "candidate",
                          I2OSP(counter, 1), Nsk)

def DeriveKeyPair(ikm):
  sk = 0
  counter = 0
  while sk == 0 or sk >= order:
    if counter > 255:
      raise DeriveKeyPairError
    bytes = DeriveCandidate(ikm, counter)
    bytes[0] = bytes[0] & bitmask
    sk = OS2IP(bytes)
    counter = counter + 1
  return (sk, pk(sk))
]]></artwork>
          <t><tt>order</tt> is the order of the curve being used (see Section D.1.2 of <xref target="NISTCurves"/>), and
is listed below for completeness.</t>
          <artwork><![CDATA[
P-256:
0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

P-384:
0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf
  581a0db248b0a77aecec196accc52973

P-521:
0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  fa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
]]></artwork>
          <t><tt>bitmask</tt> is defined to be 0xFF for P-256 and P-384, and 0x01 for P-521.
The precise likelihood of <tt>DeriveKeyPair()</tt> failing with DeriveKeyPairError
depends on the group being used, but it is negligibly small in all cases.
See <xref target="api-errors"/> for information about dealing with such failures.</t>
          <t>For X25519 and X448, the <tt>DeriveKeyPair()</tt> function applies a KDF to the input:</t>
          <sourcecode type="pseudocode"><![CDATA[
# For use with a one-stage KDF
def DeriveKeyPair_OneStage(ikm):
  sk = LabeledDerive(ikm, "sk", "", Nsk)
  return (sk, pk(sk))

# For use with a two-stage KDF
def DeriveKeyPair_TwoStage(ikm):
  dkp_prk = LabeledExtract("", "dkp_prk", ikm)
  sk = LabeledExpand(dkp_prk, "sk", "", Nsk)
  return (sk, pk(sk))
]]></sourcecode>
          <t>The <tt>suite_id</tt> used implicitly in <tt>LabeledExtract()</tt>, <tt>LabeledExpand()</tt>, and <tt>LabeledDerive()</tt>
for <tt>DeriveKeyPair(ikm)</tt> is derived from the KEM identifier of the
DHKEM in use (see <xref target="kem-ids"/>), that is, based on the type of key
pair been generated for that DHKEM type.</t>
          <t>For all of the above instances of DHKEM, the <tt>GenerateKeyPair</tt> can be
implemented as <tt>DeriveKeyPair(random(Nsk))</tt>.</t>
        </section>
        <section anchor="validation">
          <name>Validation of Inputs and Outputs</name>
          <t>The following public keys are subject to validation if the group
requires public key validation: the sender MUST validate the recipient's
public key <tt>pkR</tt>; the recipient MUST validate the ephemeral public key
<tt>pkE</tt>. Validation failure yields a <tt>ValidationError</tt>.</t>
          <t>For P-256, P-384, and P-521, senders and recipients MUST perform partial
public key validation on all public key inputs, as defined in Section 5.6.2.3.4
of <xref target="keyagreement"/>. This includes checking that the coordinates are in the
correct range, that the point is on the curve, and that the point is not the
point at infinity. Additionally, senders and recipients MUST ensure the
Diffie-Hellman shared secret is not the point at infinity.</t>
          <t>For X25519 and X448, public keys and Diffie-Hellman outputs MUST be validated
as described in <xref target="RFC7748"/>. In particular, recipients MUST check whether
the Diffie-Hellman shared secret is the all-zero value and abort if so.</t>
        </section>
        <section anchor="future-kems">
          <name>Future KEMs</name>
          <t><xref target="kem-security"/> lists security requirements on a KEM used within HPKE.</t>
          <t>A KEM algorithm may support different encoding algorithms, with different output
lengths, for KEM public keys. Such KEM algorithms MUST specify only one encoding
algorithm whose output length is <tt>Npk</tt>.</t>
        </section>
      </section>
      <section anchor="kdf-ids">
        <name>Key Derivation Functions (KDFs)</name>
        <table anchor="kdfid-values">
          <name>KDF IDs</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">KDF</th>
              <th align="left">Nh</th>
              <th align="left">Two-Stage</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">Reserved</td>
              <td align="left">N/A</td>
              <td align="left">N/A</td>
              <td align="left">RFC 9180</td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">32</td>
              <td align="left">Y</td>
              <td align="left">
                <xref target="RFC5869"/></td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">HKDF-SHA384</td>
              <td align="left">48</td>
              <td align="left">Y</td>
              <td align="left">
                <xref target="RFC5869"/></td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">HKDF-SHA512</td>
              <td align="left">64</td>
              <td align="left">Y</td>
              <td align="left">
                <xref target="RFC5869"/></td>
            </tr>
          </tbody>
        </table>
        <section anchor="kdf-input-length">
          <name>Input Length Restrictions</name>
          <t>For one-stage KDFs, there is length limit of 65,535 bytes for the <tt>psk</tt>,
<tt>psk_id</tt>, <tt>info</tt> fields. This limitation arises because these fields are all
prefixed with a two-byte length when being used as KDF inputs. There is no
inherent length limitation on <tt>exporter_context</tt>.  If a one-stage KDF has an
input length limit, then implementations MUST limit the length of
<tt>exporter_context</tt> accordingly, so that the <tt>LabeledDerive</tt> call in
<tt>Context.Export</tt> does not overflow the input length limit.</t>
          <t>For two-stage KDFs, this document defines <tt>LabeledExtract()</tt> and <tt>LabeledExpand()</tt> based on the
KDFs listed above. These functions add prefixes to their respective
inputs <tt>ikm</tt> and <tt>info</tt> before calling the KDF's <tt>Extract()</tt> and <tt>Expand()</tt>
functions. This leads to a reduction of the maximum input length that
is available for the inputs <tt>psk</tt>, <tt>psk_id</tt>, <tt>info</tt>, <tt>exporter_context</tt>,
<tt>ikm</tt>, i.e., the variable-length parameters provided by HPKE applications.
The following table lists the maximum allowed lengths of these parameters
for the KDFs defined in this document, as inclusive bounds in bytes:</t>
          <table anchor="input-limits">
            <name>Application Input Limits</name>
            <thead>
              <tr>
                <th align="left">Input</th>
                <th align="left">HKDF-SHA256</th>
                <th align="left">HKDF-SHA384</th>
                <th align="left">HKDF-SHA512</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">psk</td>
                <td align="left">2^{61} - 88</td>
                <td align="left">2^{125} - 152</td>
                <td align="left">2^{125} - 152</td>
              </tr>
              <tr>
                <td align="left">psk_id</td>
                <td align="left">2^{61} - 93</td>
                <td align="left">2^{125} - 157</td>
                <td align="left">2^{125} - 157</td>
              </tr>
              <tr>
                <td align="left">info</td>
                <td align="left">2^{61} - 91</td>
                <td align="left">2^{125} - 155</td>
                <td align="left">2^{125} - 155</td>
              </tr>
              <tr>
                <td align="left">exporter_context</td>
                <td align="left">2^{61} - 120</td>
                <td align="left">2^{125} - 200</td>
                <td align="left">2^{125} - 216</td>
              </tr>
              <tr>
                <td align="left">ikm (DeriveKeyPair)</td>
                <td align="left">2^{61} - 84</td>
                <td align="left">2^{125} - 148</td>
                <td align="left">2^{125} - 148</td>
              </tr>
            </tbody>
          </table>
          <t>This shows that the limits are only marginally smaller than the maximum
input length of the underlying hash function; these limits are large and
unlikely to be reached in practical applications. Future specifications
that define new KDFs MUST specify bounds for these variable-length
parameters.</t>
          <t>Since the above bounds are larger than any values used in practice, it may be
useful for implementations to impose a smaller maximum on the values they will
accept (for example, to avoid dynamic allocations). Implementations MUST
support <tt>info</tt> values of at least 64 bytes. Implementations SHOULD support
<tt>info</tt> values of at least 16384 bytes to accommodate protocols such as</t>
          <t>Encrypted Client Hello <xref target="ECH"/>. Applications seeking
maximum interoperability with resource-constrained HPKE implementations
SHOULD NOT provide <tt>info</tt> values exceeding 64 bytes without confirmation that an
implementation supports larger <tt>info</tt> values.</t>
          <t>The values for <tt>psk</tt>, <tt>psk_id</tt>, <tt>info</tt>, and <tt>ikm</tt>, which are inputs to
<tt>LabeledExtract()</tt>, were computed with the following expression:</t>
          <artwork><![CDATA[
max_size_hash_input - Nb - size_version_label -
    size_suite_id - size_input_label
]]></artwork>
          <t>The value for <tt>exporter_context</tt>, which is an input to <tt>LabeledExpand()</tt>,
was computed with the following expression:</t>
          <artwork><![CDATA[
max_size_hash_input - Nb - Nh - size_version_label -
    size_suite_id - size_input_label - 2 - 1
]]></artwork>
          <t>In these equations, <tt>max_size_hash_input</tt> is the maximum input length
of the underlying hash function in bytes, <tt>Nb</tt> is the block size of the
underlying hash function in bytes, <tt>size_version_label</tt> is the size
of "HPKE-v1" in bytes and equals 7, <tt>size_suite_id</tt> is the size of the
<tt>suite_id</tt> in bytes and equals 5 for DHKEM (relevant for <tt>ikm</tt>) and 10 for the
remainder of HPKE (relevant for <tt>psk</tt>, <tt>psk_id</tt>, <tt>info</tt>, and <tt>exporter_context</tt>),
and <tt>size_input_label</tt> is the size in bytes of the label used as parameter to
<tt>LabeledExtract()</tt> or <tt>LabeledExpand()</tt>, the maximum of which is 13
across all labels in this document.</t>
        </section>
      </section>
      <section anchor="aead-ids">
        <name>Authenticated Encryption with Associated Data (AEAD) Functions</name>
        <table anchor="aeadid-values">
          <name>AEAD IDs</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">AEAD</th>
              <th align="left">Nk</th>
              <th align="left">Nn</th>
              <th align="left">Nt</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">Reserved</td>
              <td align="left">N/A</td>
              <td align="left">N/A</td>
              <td align="left">N/A</td>
              <td align="left">RFC 9180</td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">AES-128-GCM</td>
              <td align="left">16</td>
              <td align="left">12</td>
              <td align="left">16</td>
              <td align="left">
                <xref target="GCM"/></td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">AES-256-GCM</td>
              <td align="left">32</td>
              <td align="left">12</td>
              <td align="left">16</td>
              <td align="left">
                <xref target="GCM"/></td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">ChaCha20Poly1305</td>
              <td align="left">32</td>
              <td align="left">12</td>
              <td align="left">16</td>
              <td align="left">
                <xref target="RFC8439"/></td>
            </tr>
            <tr>
              <td align="left">0xFFFF</td>
              <td align="left">Export-only</td>
              <td align="left">0</td>
              <td align="left">0</td>
              <td align="left">N/A</td>
              <td align="left">RFC 9180</td>
            </tr>
          </tbody>
        </table>
        <t>The <tt>0xFFFF</tt> AEAD ID is reserved for applications that only use the Export
interface; see <xref target="hpke-export"/> for more details.</t>
      </section>
    </section>
    <section anchor="api-considerations">
      <name>API Considerations</name>
      <t>This section documents considerations for interfaces to implementations of HPKE.
This includes error handling considerations and recommendations that improve
interoperability when HPKE is used in applications.</t>
      <section anchor="auxiliary-authenticated-application-information">
        <name>Auxiliary Authenticated Application Information</name>
        <t>HPKE has two places at which applications can specify auxiliary authenticated information:
(1) during context construction via the Setup <tt>info</tt> parameter, and (2) during Context
operations, i.e., with the <tt>aad</tt> parameter for <tt>Open()</tt> and <tt>Seal()</tt>, and the <tt>exporter_context</tt> parameter
for <tt>Export()</tt>. Application information applicable to multiple operations on a single Context
should use the Setup <tt>info</tt> parameter. This avoids redundantly processing this information for
each Context operation. In contrast, application information that varies on a per-message basis
should be specified via the Context APIs (<tt>Seal()</tt>, <tt>Open()</tt>, or <tt>Export()</tt>).</t>
        <t>Applications that only use the single-shot APIs described in <xref target="single-shot-apis"/> can specify
auxiliary authenticated information using both the Setup <tt>info</tt> parameter and the Context <tt>aad</tt>
and <tt>exporter_context</tt> parameters. Such applications should prefer the <tt>info</tt> parameter, because
<tt>info</tt> is the parameter intended for information that applies to the whole context, and using it
keeps their behavior consistent with applications that also use the underlying multi-shot APIs.</t>
      </section>
      <section anchor="api-errors">
        <name>Errors</name>
        <t>The high-level, public HPKE APIs specified in this document are all fallible.
These include the Setup functions and all encryption context functions.
For example, <tt>Decap()</tt> can fail if the encapsulated secret <tt>enc</tt> is invalid,
and <tt>Open()</tt> may fail if ciphertext decryption fails. The explicit errors
generated throughout this specification, along with the conditions that
lead to each error, are as follows:</t>
        <ul spacing="normal">
          <li>
            <t><tt>ValidationError</tt>: KEM input or output validation failure; <xref target="dhkem"/>.</t>
          </li>
          <li>
            <t><tt>DeserializeError</tt>: Public or private key deserialization failure; <xref target="base-crypto"/>.</t>
          </li>
          <li>
            <t><tt>EncapError</tt>: <tt>Encap()</tt> failure; <xref target="base-crypto"/>.</t>
          </li>
          <li>
            <t><tt>DecapError</tt>: <tt>Decap()</tt> failure; <xref target="base-crypto"/>.</t>
          </li>
          <li>
            <t><tt>OpenError</tt>: Context AEAD <tt>Open()</tt> failure; <xref target="base-crypto"/> and <xref target="hpke-dem"/>.</t>
          </li>
          <li>
            <t><tt>MessageLimitReachedError</tt>: Context AEAD sequence number overflow; <xref target="base-crypto"/> and <xref target="hpke-dem"/>.</t>
          </li>
          <li>
            <t><tt>DeriveKeyPairError</tt>: Key pair derivation failure; <xref target="derive-key-pair"/>.</t>
          </li>
        </ul>
        <t>Implicit errors may also occur. As an example, certain classes of failures,
e.g., malformed recipient public keys, may not yield explicit errors.
For example, for the DHKEM variant described in this specification,
the <tt>Encap()</tt> algorithm fails when given an invalid recipient public key.
However, other KEM algorithms may not have an efficient algorithm for verifying
the validity of public keys. As a result, an equivalent error may not manifest
until AEAD decryption at the recipient.</t>
        <t>The errors in this document are meant as a guide for implementors. They are not
an exhaustive list of all the errors an implementation might emit. For example,
future KEMs might have internal failure cases, or an implementation might run
out of memory.</t>
        <t>How these errors are expressed in an API or handled by applications is an
implementation-specific detail. For example, some implementations may abort or
panic upon a <tt>DeriveKeyPairError</tt> failure given that it only occurs with
negligible probability, whereas other implementations may retry the failed
DeriveKeyPair operation. See <xref target="derive-key-pair"/> for more information.
As another example, some implementations of the DHKEM specified in this document
may choose to transform <tt>ValidationError</tt> from <tt>DH()</tt> into an <tt>EncapError</tt> or
<tt>DecapError</tt> from <tt>Encap()</tt> or <tt>Decap()</tt>, respectively, whereas others may choose
to raise <tt>ValidationError</tt> unmodified.</t>
        <t>Applications using HPKE APIs should not assume that the errors here are complete,
nor should they assume certain classes of errors will always manifest the same way
for all ciphersuites. For example, the DHKEM specified in this document will emit
a <tt>DeserializationError</tt> or <tt>ValidationError</tt> if a KEM public key is invalid. However,
a new KEM might not have an efficient algorithm for determining whether or not a
public key is valid. In this case, an invalid public key might instead yield an
<tt>OpenError</tt> when trying to decrypt a ciphertext.</t>
      </section>
    </section>
    <section anchor="sec-considerations">
      <name>Security Considerations</name>
      <section anchor="sec-properties">
        <name>Security Properties</name>
        <t>HPKE has several security goals, depending on the mode of operation,
against active and adaptive attackers that can compromise partial
secrets of senders and recipients. The desired security goals are
detailed below:</t>
        <ul spacing="normal">
          <li>
            <t>Message secrecy: Confidentiality of the sender's messages against
chosen ciphertext attacks</t>
          </li>
          <li>
            <t>Export key secrecy: Indistinguishability of each export
secret from a uniformly random bitstring of equal length, i.e.,
<tt>Context.Export</tt> is a variable-length PRF</t>
          </li>
          <li>
            <t>Sender authentication: Proof of sender origin for the PSK mode</t>
          </li>
        </ul>
        <t>These security goals are expected to hold for any honest sender and
honest recipient keys, as well as if the honest sender and honest
recipient keys are the same.</t>
        <t>A pre-shared key provides authentication; additionally, it strengthens the
secrecy properties in certain adversary models, including against a
quantum-capable adversary, see <xref target="post-quantum-security"/>.</t>
        <t>HPKE mitigates malleability problems (called benign malleability <xref target="SECG"/>) in prior
public key encryption standards based on ECIES by including all public keys in the
context of the key schedule.</t>
        <t>HPKE does not provide forward secrecy with respect to recipient compromise.
In the Base mode, the secrecy properties are only expected to
hold if the recipient private key <tt>skR</tt> is not compromised at any point
in time. In the PSK mode, the secrecy properties are
expected to hold if the recipient private key <tt>skR</tt> and the pre-shared key
are not both compromised at any point in time. See <xref target="non-goals"/> for more
details.</t>
        <t>Besides forward secrecy, HPKE has other non-goals that are described in
<xref target="non-goals"/>: no tolerance of message reordering or loss, no downgrade or replay
prevention, no hiding of the plaintext length, and no protection against bad
ephemeral randomness. <xref target="non-goals"/> suggests application-level mitigations for some
of them.</t>
        <section anchor="computational-analysis">
          <name>Computational Analysis</name>
          <t>It is shown in <xref target="CS01"/> that a hybrid public key encryption scheme of
essentially the same form as the Base mode described here is
IND-CCA2-secure as long as the underlying KEM and AEAD schemes are
IND-CCA2-secure. Moreover, it is shown in <xref target="HHK06"/> that IND-CCA2 security
of the KEM and the data encapsulation mechanism are necessary conditions
to achieve IND-CCA2 security for hybrid public key encryption.
The main difference between the scheme proposed in <xref target="CS01"/>
and the Base mode in this document (both named HPKE) is that we interpose
some KDF calls between the KEM and the AEAD. Analyzing the HPKE Base mode
instantiation in this document therefore requires verifying that the
additional KDF calls do not cause the IND-CCA2 property to fail, as
well as verifying the additional export key secrecy property.</t>
          <t>A preliminary computational analysis of all HPKE modes has been done
in <xref target="HPKEAnalysis"/>, indicating asymptotic security for the case where
the KEM is DHKEM, the AEAD is any scheme that provides both indistinguishability
under chosen-plaintext attack (IND-CPA) and integrity of ciphertexts (INT-CTXT)
<xref target="BN00"/>, and the DH group and KDF satisfy the following conditions:</t>
          <ul spacing="normal">
            <li>
              <t>DH group: The gap Diffie-Hellman (GDH) problem is hard in the
appropriate subgroup <xref target="GAP"/>.</t>
            </li>
            <li>
              <t><tt>Extract()</tt> and <tt>Expand()</tt>: <tt>Extract()</tt> can be modeled as a random oracle.
<tt>Expand()</tt> can be modeled as a pseudorandom function, wherein the first
argument is the key.</t>
            </li>
          </ul>
          <t>In particular, the KDFs and DH groups defined in this document (see
<xref target="kdf-ids"/> and <xref target="kem-ids"/>) satisfy these properties when used as
specified. The analysis in <xref target="HPKEAnalysis"/> demonstrates that under these
constraints, HPKE continues to provide IND-CCA2 security, and provides
the additional properties noted above. Also, the analysis confirms the
expected properties hold under the different key compromise cases
mentioned above. The analysis considers a sender that sends one message
using the encryption context, and additionally exports two independent
secrets using the secret export interface.</t>
          <t>The table below summarizes the main results from <xref target="HPKEAnalysis"/>. N/A
means that a property does not apply for the given mode, whereas <tt>Y</tt> means
the given mode satisfies the property.</t>
          <table>
            <thead>
              <tr>
                <th align="left">Variant</th>
                <th align="center">Message Sec.</th>
                <th align="center">Export Sec.</th>
                <th align="center">Sender Auth.</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Base</td>
                <td align="center">Y</td>
                <td align="center">Y</td>
                <td align="center">N/A</td>
              </tr>
              <tr>
                <td align="left">PSK</td>
                <td align="center">Y</td>
                <td align="center">Y</td>
                <td align="center">Y</td>
              </tr>
            </tbody>
          </table>
          <t>If non-DH-based KEMs are to be used with HPKE, further analysis will be
necessary to prove their security. The results from <xref target="CS01"/> provide
some indication that any IND-CCA2-secure KEM will suffice here, but are
not conclusive given the differences in the schemes.</t>
          <t>A detailed computational analysis of the PSK mode has been done in
<xref target="AJKL23"/>. In future work, the analyses from <xref target="ABHKLR20"/> and <xref target="AJKL23"/>
can be extended to cover a detailed computational analysis of HPKE's
base mode, the usage of a one-stage KDF, the multi-shot and secret export
interfaces, as well as the examples for bidirectional encryption
<xref target="bidirectional"/> and metadata protection <xref target="metadata"/>.</t>
        </section>
        <section anchor="post-quantum-security">
          <name>Post-Quantum Security</name>
          <t>The computational analyses in <xref target="ABHKLR20"/> and <xref target="AJKL23"/> provide
composition theorems based on PRF assumptions, proving post-quantum
security for HPKE when used with a post-quantum secure KEM.
The analyses in <xref target="CS01"/> and <xref target="HPKEAnalysis"/> are premised on
classical security models and assumptions, and do not consider
adversaries capable of quantum computation.</t>
          <t>The PSK mode can provide a hybrid quantum-resistance property: if the PSK is
not known to a quantum-capable adversary, then that adversary cannot recover
the plaintext even if it can break the (classical) KEM.  This property is
proven in <xref target="AJKL23"/>. The analysis in <xref target="HPKEAnalysis"/> is not sufficient,
because it requires the random oracle model and would need adaption to, for
example, the quantum random oracle model.</t>
        </section>
      </section>
      <section anchor="kem-security">
        <name>Security Requirements on a KEM Used within HPKE</name>
        <t>A KEM used within HPKE MUST allow HPKE to satisfy its desired security
properties described in <xref target="sec-properties"/>. For the security proofs from
<xref target="ABHKLR20"/> and <xref target="AJKL23"/> to apply, the KEM MUST be CCA-secure.
<xref target="domain-separation"/> lists requirements concerning domain separation.</t>
        <t>In particular, the KEM
shared secret MUST be a uniformly random byte string of length <tt>Nsecret</tt>.
This means, for instance, that it would not be sufficient if the KEM
shared secret is only uniformly random as an element of some structured set
(such as an elliptic curve group or a finite field) prior
to its encoding as a byte string, because such an encoding is generally not
uniformly distributed over byte strings of length <tt>Nsecret</tt>.</t>
        <section anchor="kem-key-reuse">
          <name>KEM Key Reuse</name>
          <t>An <tt>ikm</tt> input to <tt>DeriveKeyPair()</tt> (<xref target="derive-key-pair"/>) MUST NOT be
reused elsewhere, in particular not with <tt>DeriveKeyPair()</tt> of a
different KEM.</t>
          <t>Since a KEM key pair belonging to a sender or recipient works with all modes, it can
be used with multiple modes in parallel. HPKE is constructed to be
secure in such settings due to domain separation using the <tt>suite_id</tt>
variable. However, there is no formal proof of security at the time of
writing for using multiple modes in parallel; <xref target="HPKEAnalysis"/>,
<xref target="ABHKLR20"/>, and <xref target="AJKL23"/> only analyze isolated modes.</t>
        </section>
      </section>
      <section anchor="kdf-choice">
        <name>Security Requirements on a KDF</name>
        <t>The choice of the KDF for HPKE SHOULD be made based on the security
level provided by the KEM and, if applicable, by the PSK. The KDF
SHOULD at least have the security level of the KEM and SHOULD
at least have the security level provided by the PSK.</t>
        <t>For the security proofs from <xref target="ABHKLR20"/> and <xref target="AJKL23"/> to apply, the
KDF MUST allow to prove PRF security for the key schedule both with
<tt>shared_secret</tt> or <tt>psk</tt> as PRF key.</t>
      </section>
      <section anchor="aead-security">
        <name>Security Requirements on an AEAD</name>
        <t>All AEADs MUST provide confidentiality (IND-CPA) and ciphertext integrity
(INT-CTXT).</t>
        <t>In practice, all widely deployed IND-CCA2 symmetric authenticated encryption
schemes meet these definitions.  As discussed in <xref target="BN00"/>, IND-CPA and INT-CTXT
together imply IND-CCA2.  We list them separately because they are the AEAD security
properties relied upon by the analyses summarized in <xref target="sec-properties"/>.</t>
      </section>
      <section anchor="security-psk">
        <name>Pre-Shared Key Recommendations</name>
        <t>In the PSK modes, the PSK MUST have at least 32 bytes of
entropy and SHOULD be of length <tt>Nh</tt> bytes or longer. Using a PSK longer than
32 bytes but shorter than <tt>Nh</tt> bytes is permitted.</t>
        <t>HPKE is specified to use HKDF as its key derivation function. HKDF is not
designed to slow down dictionary attacks (see <xref target="RFC5869"/>). Thus, HPKE's
PSK mechanism is not suitable for use with a low-entropy password as the
PSK: In scenarios in which the adversary knows the KEM shared secret
<tt>shared_secret</tt> and has access to an oracle that distinguishes between
a good and a wrong PSK, it can perform PSK-recovering attacks. This oracle
can be the decryption operation on a captured HPKE ciphertext or any other
recipient behavior that is observably different when using a wrong PSK.
The adversary knows the KEM shared secret <tt>shared_secret</tt> if it knows all
KEM private keys of one participant. In the PSK mode, this is trivially
the case if the adversary acts as the sender.</t>
        <t>To recover a lower entropy PSK, an attacker in this scenario can trivially
perform a dictionary attack. Given a set <tt>S</tt> of possible PSK values, the
attacker generates an HPKE ciphertext for each value in <tt>S</tt>, and submits
the resulting ciphertexts to the oracle to learn which PSK is being used by
the recipient. Further, because HPKE uses AEAD schemes that are not key-committing,
an attacker can mount a partitioning oracle attack <xref target="LGR20"/> that can recover
the PSK from a set of <tt>S</tt> possible PSK values, with |S| = m*k, in roughly
m + log k queries to the oracle using ciphertexts of length proportional to
k, the maximum message length in blocks. (Applying the multi-collision algorithm from
<xref target="LGR20"/> requires a small adaptation to the algorithm wherein the appropriate nonce
is computed for each candidate key. This modification adds one call to HKDF per key.
The number of partitioning oracle queries remains unchanged.) As a result, the PSK
must therefore be chosen with sufficient entropy so that m + log k is prohibitive for
attackers (e.g., 2^128). Future specifications can define new AEAD algorithms that
are key-committing.</t>
        <t>Pre-processing a low-entropy password with a memory-hard password-based key
derivation function such as scrypt <xref target="RFC7914"/> or Argon2 <xref target="RFC9106"/> before
using it as a PSK raises the per-guess cost of the attacks described above, but
it does not add entropy and therefore does not by itself make a low-entropy
password safe to use as a PSK.  Applications that need to derive keys from
passwords, and that must tolerate low-entropy passwords, should use a mechanism
designed for that purpose (for example, a password-authenticated key exchange)
rather than relying on HPKE's PSK mode.</t>
      </section>
      <section anchor="domain-separation">
        <name>Domain Separation</name>
        <t>HPKE allows combining a DHKEM variant <tt>DHKEM(Group, KDF')</tt> and a KDF
such that both KDFs are instantiated by the same KDF. By design, the
calls to <tt>Extract()</tt> and <tt>Expand()</tt> inside DHKEM and the remainder of
HPKE use separate input domains. This justifies modeling them as
independent functions even if instantiated by the same KDF.
This domain separation between DHKEM and the remainder of HPKE is achieved by
using prefix-free sets of <tt>suite_id</tt> values in <tt>LabeledExtract()</tt>,
<tt>LabeledExpand()</tt>, and <tt>LabeledDerive()</tt> (<tt>KEM...</tt> in DHKEM and <tt>HPKE...</tt> in the remainder of HPKE).
Recall that a set is prefix-free if no element is a prefix of another within the
set.</t>
        <t>Separation between uses of the one-stage and two-stage KDFs is ensured by the
inclusion of the <tt>suite_id</tt> in <tt>LabeledExtract()</tt>, <tt>LabeledExpand()</tt>, and
<tt>LabeledDerive()</tt>.</t>
        <t>Future KEM instantiations MUST ensure, should <tt>Extract()</tt>,
<tt>Expand()</tt>, and/or <tt>Derive()</tt> be used internally, that they can be modeled as functions
independent from the invocations of these functions in the
remainder of HPKE. One way to ensure this is by using <tt>LabeledExtract()</tt> /
<tt>LabeledExpand()</tt> / <tt>LabeledDerive()</tt> functions with a <tt>suite_id</tt> as defined in <xref target="base-crypto"/>,
which will ensure input domain separation, as outlined above.
Particular attention needs to
be paid if the KEM directly invokes functions that are used internally
in HPKE's <tt>Extract()</tt> or <tt>Expand()</tt>, such as <tt>Hash()</tt> and <tt>HMAC()</tt> in the case of HKDF.
It MUST be ensured that inputs to these invocations cannot collide with
inputs to the internal invocations of these functions inside <tt>Extract()</tt> or
<tt>Expand()</tt>. In HPKE's <tt>KeySchedule()</tt> this is avoided by using <tt>Extract()</tt> instead of
<tt>Hash()</tt> on the arbitrary-length inputs <tt>info</tt> and <tt>psk_id</tt>.</t>
        <t>The string literal "HPKE-v1" used in <tt>LabeledExtract()</tt> / <tt>LabeledExpand()</tt> / <tt>LabeledDerive()</tt>
ensures that any secrets derived in HPKE are bound to the scheme's name
and version, even when possibly derived from the same Diffie-Hellman or
KEM shared secret as in another scheme or version.</t>
      </section>
      <section anchor="non-goals">
        <name>Application Embedding and Non-Goals</name>
        <t>HPKE is designed to be a fairly low-level mechanism.  As a result, it assumes
that certain properties are provided by the application in which HPKE is
embedded and leaves certain security properties to be provided by other
mechanisms. Otherwise said, certain properties are out-of-scope for HPKE.</t>
        <section anchor="message-order-and-message-loss">
          <name>Message Order and Message Loss</name>
          <t>The primary requirement that HPKE imposes on applications is the requirement
that ciphertexts MUST be presented to <tt>ContextR.Open()</tt> in the same order in
which they were generated by <tt>ContextS.Seal()</tt>.  When the single-shot API is
used (see <xref target="single-shot-apis"/>), this is trivially true (since there is only
ever one ciphertext).  Applications that allow for multiple invocations of
<tt>Open()</tt> / <tt>Seal()</tt> on the same context MUST enforce the ordering property
described above.</t>
          <t>Ordering requirements of this character are usually fulfilled by providing a
sequence number in the framing of encrypted messages.  Whatever information is
used to determine the ordering of HPKE-encrypted messages SHOULD be included in
the AAD passed to <tt>ContextS.Seal()</tt> and <tt>ContextR.Open()</tt>.  The specifics of
this scheme are up to the application.</t>
          <t>HPKE is not tolerant of lost messages. Applications MUST be able to detect when
a message has been lost.  When an unrecoverable loss is detected, the application MUST discard
any associated HPKE context.</t>
        </section>
        <section anchor="downgrade-prevention">
          <name>Downgrade Prevention</name>
          <t>HPKE assumes that the sender and recipient agree on what algorithms to use.
Depending on how these algorithms are negotiated, it may be possible for an
intermediary to force the two parties to use suboptimal algorithms.</t>
        </section>
        <section anchor="replay-protection">
          <name>Replay Protection</name>
          <t>The requirement that ciphertexts be presented to the <tt>ContextR.Open()</tt> function
in the same order they were generated by <tt>ContextS.Seal()</tt> provides a degree of
replay protection within a stream of ciphertexts resulting from a given context.
HPKE provides no other replay protection.</t>
          <t>While a sender can guarantee the uniqueness of HPKE ciphertexts, a recipient
might receive the same ciphertext multiple times.  Unless the recipient takes
particular care to guarantee that replay is impossible, such as tracking all enc
values that are received, this can result in multiple contexts that have the
same shared secret.  This is particularly relevant for exported secrets.</t>
          <t>If an attacker can cause a recipient to re-use an <tt>enc</tt> value, any exported
secrets will be the same as in the initial transaction.  While the exported
values are still known only to the sender and recipient (not the replay
attacker), such replay can allow the attacker to cause the recipient to re-use
the exported values.</t>
          <t>Consider the following scenario, in which B is using the recipient-to-sender
encryption described as an example in <xref section="9.8" sectionFormat="of" target="RFC9180"/>:</t>
          <figure anchor="replay-attack">
            <name>Attacker-triggered nonce reuse via replay</name>
            <artwork><![CDATA[
B->A: pk

A:    enc1, ctx = SetupBaseS(pk)
      ct1 = ctx.seal(aad, pt)
A->B: enc1, ct1

B:    ctx = SetupBaseR(sk, enc1)
      key, nonce = ctx.export(...)
      ct2 = AEAD.seal(key, nonce, aad2, pt2)
B->A: ct2

X->B: enc1, ct1 [replay of previously sent values]

B:    ctx = SetupBaseR(sk, enc)
      key, nonce = ctx.export(...)
      ct3 = AEAD.seal(key, nonce, aad3, pt3)
B->X: ct3
]]></artwork>
          </figure>
          <t>In this scenario, if <tt>aad2</tt> is different from <tt>aad3</tt> or <tt>pt2</tt> is different from
<tt>pt3</tt> (for example, due to the use of a timestamp in either field), then the
ciphertexts <tt>ct2</tt> and <tt>ct3</tt> will represent encryptions of different values with
the same (key, nonce) pair -- a nonce reuse condition that can completely break
the authenticated encryption guarantees for several AEAD algorithms, including
those defined in <xref target="aead-ids"/>.</t>
          <t>In order to avoid such risks, applications SHOULD incorporate a fresh
recipient-provided nonce when deriving values from an export context, as
discussed in <xref section="4.4" sectionFormat="of" target="RFC9458"/> and <xref target="bidirectional"/>.</t>
        </section>
        <section anchor="forward-secrecy">
          <name>Forward Secrecy</name>
          <t>HPKE ciphertexts are not forward secret with respect to recipient compromise
in any mode. This means that compromise of long-term recipient secrets allows
an attacker to decrypt past ciphertexts encrypted under said secrets. This is because
only long-term secrets are used on the side of the recipient.</t>
          <t>HPKE ciphertexts are forward secret with respect to sender compromise in all
modes. This is because ephemeral randomness is used on the sender's side, which
is supposed to be erased directly after computation of the KEM shared secret and
ciphertext.</t>
        </section>
        <section anchor="bad-ephemeral-randomness">
          <name>Bad Ephemeral Randomness</name>
          <t>If the randomness used for KEM encapsulation is bad -- i.e., of low entropy or
compromised because of a broken or subverted random number generator -- the
confidentiality guarantees of HPKE degrade significantly. In Base mode,
confidentiality guarantees can be lost completely; in the other modes, at least forward secrecy with
respect to sender compromise can be lost completely.</t>
          <t>Such a situation could also lead to the reuse of the same KEM shared secret
and thus to the reuse of same key-nonce pairs for the AEAD.
The AEADs specified in this document are not secure
in case of nonce reuse. This attack vector is particularly relevant in
the authenticated mode because knowledge of the ephemeral randomness is not
enough to derive <tt>shared_secret</tt> in these modes.</t>
          <t>One way for applications to mitigate the impacts of bad ephemeral randomness is
to combine ephemeral randomness with a local long-term secret that has been
generated securely, as described in <xref target="RFC8937"/>.</t>
        </section>
        <section anchor="hiding-plaintext-length">
          <name>Hiding Plaintext Length</name>
          <t>AEAD ciphertexts produced by HPKE do not hide the plaintext length. Applications
requiring this level of privacy should use a suitable padding mechanism. See
<xref target="RFC9849"/> and <xref target="RFC8467"/> for examples of protocol-specific
padding policies.</t>
        </section>
      </section>
      <section anchor="bidirectional">
        <name>Bidirectional Encryption</name>
        <t>As discussed in <xref target="hpke-dem"/>, HPKE encryption is unidirectional from sender
to recipient. Applications that require bidirectional encryption can derive
necessary keying material with the secret export interface (<xref target="hpke-export"/>).
The type and length of such keying material depends on the application use
case.</t>
        <t>As an example, if an application needs AEAD encryption from the recipient to
the sender, it can derive a key and nonce from the corresponding HPKE context
as follows:</t>
        <artwork><![CDATA[
def EncryptResponse(context, enc, response_aad, response_pt):
  secret = context.Export("[application] response", Nh)
  response_nonce = random(Nh)
  salt = concat(enc, response_nonce)
  prk = Extract(salt, secret)
  aead_key = Expand(prk, "key", Nk)
  aead_nonce = Expand(prk, "nonce", Nn)
  ct = Seal(aead_key, aead_nonce, response_aad, response_pt)
  return (response_nonce, ct)
]]></artwork>
        <t>This example mechanism differs from the example mechanism in <xref target="RFC9180"/> by
incorporating a per-transaction random value <tt>response_nonce</tt>.  Because HPKE
does not provide replay protection, the mechanism in <xref target="RFC9180"/> enabled an
attacker to trigger reuse of a (key, nonce) pair by replaying an HPKE message
under certain application circumstances.  Incorporating per-transaction
entropy ensures that the key and nonce used in AEAD encryption will be distinct
for every invocation of the mechanism.</t>
        <t>In this context, HPKE's limitations with regard to sender authentication become
limits on recipient authentication. In particular, in the Base mode, there is no
authentication of the remote party at all.</t>
      </section>
      <section anchor="metadata">
        <name>Metadata Protection</name>
        <t>The PSK mode of HPKE requires that the recipient
know what key material to use for the sender.  This can be signaled in
applications by sending the PSK ID (<tt>psk_id</tt> above) and/or the sender's public
key (<tt>pkS</tt>).  However, these values themselves might be considered sensitive,
since, in a given application context, they might identify the sender.</t>
        <t>An application that wishes to protect these metadata values without requiring
further provisioning of keys can use an additional instance of HPKE, using the
unauthenticated Base mode.  Where the application might have sent <tt>(psk_id,
enc, ciphertext)</tt> before, it would now send <tt>(enc2, ciphertext2, enc, ciphertext)</tt>,
where <tt>(enc2, ciphertext2)</tt> represent the encryption of the <tt>psk_id</tt> value.</t>
        <t>The cost of this approach is an additional KEM operation each for the sender and
the recipient.  A potential lower-cost approach (involving only symmetric
operations) would be available if the nonce-protection schemes in <xref target="BNT19"/>
could be extended to cover other metadata.  However, this construction would
require further analysis.</t>
      </section>
    </section>
    <section anchor="message-encoding">
      <name>Message Encoding</name>
      <t>This document does not specify a wire format encoding for HPKE messages. Applications
that adopt HPKE must therefore specify an unambiguous encoding mechanism that includes,
minimally: the encapsulated secret <tt>enc</tt>, ciphertext value(s) (and order if there are
multiple), and any info values that are not implicit. One example of a non-implicit
value is the recipient public key used for encapsulation, which may be needed if a
recipient has more than one public key.</t>
      <t>The AEAD interface used in this document is based on <xref target="RFC5116"/>, which produces and
consumes a single ciphertext value. As discussed in <xref target="RFC5116"/>, this ciphertext value
contains the encrypted plaintext as well as any authentication data, encoded in a manner
described by the individual AEAD scheme. Some implementations are not structured in this
way, instead providing a separate ciphertext and authentication tag. When such
AEAD implementations are used in HPKE implementations, the HPKE implementation must combine
these inputs into a single ciphertext value within <tt>Seal()</tt> and parse them out within
<tt>Open()</tt>, where the parsing details are defined by the AEAD scheme. For example, with
the AES-GCM schemes specified in this document, the GCM authentication tag is placed in
the last Nt bytes of the ciphertext output.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>IANA created three new registries as requested in <xref section="11" sectionFormat="of" target="RFC9180"/>:</t>
      <ul spacing="normal">
        <li>
          <t>HPKE KEM Identifiers</t>
        </li>
        <li>
          <t>HPKE KDF Identifiers</t>
        </li>
        <li>
          <t>HPKE AEAD Identifiers</t>
        </li>
      </ul>
      <t>All these registries are under "Hybrid Public Key Encryption", and administered
under a Specification Required policy <xref target="RFC8126"/>.</t>
      <t>This document requests that entries in these registries referring to RFC 9180 be
updated to refer to this document, and provides instructions to the designated
experts for these registries.</t>
      <section anchor="designated-expert-instructions">
        <name>Designated Expert Instructions</name>
        <t>The following instructions apply to all three HPKE registries.</t>
        <t>The DE should verify the following things with regard to a request for
allocation:</t>
        <ul spacing="normal">
          <li>
            <t>The requested entry is not duplicative with any existing registration.</t>
          </li>
          <li>
            <t>The specification defines the algorithm with enough precision that two
independent, interoperable implementations can be produced from it.</t>
          </li>
          <li>
            <t>For a KEM registration, the algorithm meets the security requirements in
<xref target="kem-security"/>, including that the KEM is CCA-secure, the KEM shared
secret is a uniformly random byte string of length <tt>Nsecret</tt>
(<xref target="kem-security"/>), and that the algorithm provides appropriate domain
separation (<xref target="domain-separation"/>).</t>
          </li>
          <li>
            <t>For a KDF registration, the specification meets the requirements in
<xref target="kdf-choice"/> and specifies the input-length bounds required by
<xref target="kdf-input-length"/>.</t>
          </li>
          <li>
            <t>For an AEAD registration, the algorithm meets the requirements in
<xref target="aead-security"/>.</t>
          </li>
          <li>
            <t>The values in the registration (lengths, references, and so on) are internally
consistent and match the cited specification.</t>
          </li>
        </ul>
      </section>
      <section anchor="kem-template">
        <name>KEM Identifiers</name>
        <t>The "HPKE KEM Identifiers" registry lists identifiers for key encapsulation
algorithms defined for use with HPKE.  These identifiers are two-byte values,
so the maximum possible value is 0xFFFF = 65535.</t>
        <t>Template:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The two-byte identifier for the algorithm</t>
          </li>
          <li>
            <t>KEM: The name of the algorithm</t>
          </li>
          <li>
            <t>Nsecret: The length in bytes of a KEM shared secret produced by the algorithm</t>
          </li>
          <li>
            <t>Nenc: The length in bytes of an encoded encapsulated secret produced by the algorithm</t>
          </li>
          <li>
            <t>Npk: The length in bytes of an encoded public key for the algorithm</t>
          </li>
          <li>
            <t>Nsk: The length in bytes of an encoded private key for the algorithm</t>
          </li>
          <li>
            <t>Auth: A boolean indicating if this algorithm provides the <tt>AuthEncap()</tt>/<tt>AuthDecap()</tt> interface</t>
          </li>
          <li>
            <t>Reference: Where this algorithm is defined</t>
          </li>
        </ul>
        <t>Initial contents: Provided in <xref target="kemid-values"/></t>
      </section>
      <section anchor="kdf-identifiers">
        <name>KDF Identifiers</name>
        <t>The "HPKE KDF Identifiers" registry lists identifiers for key derivation
functions defined for use with HPKE.  These identifiers are two-byte values,
so the maximum possible value is 0xFFFF = 65535.</t>
        <t>Template:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The two-byte identifier for the algorithm</t>
          </li>
          <li>
            <t>KDF: The name of the algorithm</t>
          </li>
          <li>
            <t>Nh: For two-stage KDFs, the output size of the Extract function in
bytes.  For one-stage KDFs, the security strength in bytes, as
defined for the KDF identifier.</t>
          </li>
          <li>
            <t>Two-Stage: Whether the KDF provides Extract and Expand functions (Y)
or only a single-stage Derive function (N).  N/A for reserved
entries.</t>
          </li>
          <li>
            <t>Reference: Where this algorithm is defined</t>
          </li>
        </ul>
        <t>Initial contents: Provided in <xref target="kdfid-values"/></t>
      </section>
      <section anchor="aead-identifiers">
        <name>AEAD Identifiers</name>
        <t>The "HPKE AEAD Identifiers" registry lists identifiers for authenticated
encryption with associated data (AEAD) algorithms defined for use with HPKE.
These identifiers are two-byte values, so the maximum possible value is
0xFFFF = 65535.</t>
        <t>Template:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The two-byte identifier for the algorithm</t>
          </li>
          <li>
            <t>AEAD: The name of the algorithm</t>
          </li>
          <li>
            <t>Nk: The length in bytes of a key for this algorithm</t>
          </li>
          <li>
            <t>Nn: The length in bytes of a nonce for this algorithm</t>
          </li>
          <li>
            <t>Nt: The length in bytes of an authentication tag for this algorithm</t>
          </li>
          <li>
            <t>Reference: Where this algorithm is defined</t>
          </li>
        </ul>
        <t>Initial contents: Provided in <xref target="aeadid-values"/></t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9458">
          <front>
            <title>Oblivious HTTP</title>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="January" year="2024"/>
            <abstract>
              <t>This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9458"/>
          <seriesInfo name="DOI" value="10.17487/RFC9458"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8017">
          <front>
            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="November" year="2016"/>
            <abstract>
              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 3447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8017"/>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
        </reference>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CS01" target="https://eprint.iacr.org/2001/108">
          <front>
            <title>Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack</title>
            <author initials="R." surname="Cramer" fullname="Ronald Cramer">
              <organization/>
            </author>
            <author initials="V." surname="Shoup" fullname="Victor Shoup">
              <organization/>
            </author>
            <date year="2001"/>
          </front>
        </reference>
        <reference anchor="HHK06" target="https://eprint.iacr.org/2006/265">
          <front>
            <title>Some (in)sufficient conditions for secure hybrid encryption</title>
            <author initials="J." surname="Herranz" fullname="Javier Herranz">
              <organization/>
            </author>
            <author initials="D." surname="Hofheinz" fullname="Dennis Hofheinz">
              <organization/>
            </author>
            <author initials="E." surname="Kiltz" fullname="Eike Kiltz">
              <organization/>
            </author>
            <date year="2006"/>
          </front>
        </reference>
        <reference anchor="GAP" target="https://link.springer.com/content/pdf/10.1007/3-540-44586-2_8.pdf">
          <front>
            <title>The Gap-Problems - a New Class of Problems for the Security of Cryptographic Schemes</title>
            <author initials="T." surname="Okamoto" fullname="Tatsuaki Okamoto">
              <organization/>
            </author>
            <author initials="D." surname="Pointcheval" fullname="David Pointcheval">
              <organization/>
            </author>
            <date year="2001"/>
          </front>
          <seriesInfo name="ISBN" value="978-3-540-44586-9"/>
        </reference>
        <reference anchor="ANSI">
          <front>
            <title>ANSI X9.63 Public Key Cryptography for the Financial Services Industry -- Key Agreement and Key Transport Using Elliptic Curve Cryptography</title>
            <author>
              <organization>American National Standards Institute</organization>
            </author>
            <date year="2001"/>
          </front>
        </reference>
        <reference anchor="IEEE1363">
          <front>
            <title>IEEE 1363a, Standard Specifications for Public Key Cryptography - Amendment 1 -- Additional Techniques"</title>
            <author>
              <organization>Institute of Electrical and Electronics Engineers</organization>
            </author>
            <date year="2004"/>
          </front>
        </reference>
        <reference anchor="ISO">
          <front>
            <title>ISO/IEC 18033-2, Information Technology - Security Techniques - Encryption Algorithms - Part 2 -- Asymmetric Ciphers</title>
            <author>
              <organization>International Organization for Standardization / International Electrotechnical Commission</organization>
            </author>
            <date year="2006"/>
          </front>
        </reference>
        <reference anchor="SECG" target="https://secg.org/sec1-v2.pdf">
          <front>
            <title>Elliptic Curve Cryptography, Standards for Efficient Cryptography Group, ver. 2</title>
            <author>
              <organization/>
            </author>
            <date year="2009"/>
          </front>
        </reference>
        <reference anchor="BN00" target="https://eprint.iacr.org/2000/025">
          <front>
            <title>Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm</title>
            <author initials="M." surname="Bellare" fullname="Mihir Bellare">
              <organization>University of California San Diego</organization>
            </author>
            <author initials="C." surname="Namprempre" fullname="Chanathip Namprempre">
              <organization>University of California San Diego</organization>
            </author>
            <date year="2000"/>
          </front>
        </reference>
        <reference anchor="BHK09" target="https://eprint.iacr.org/2009/418">
          <front>
            <title>Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?</title>
            <author initials="" surname="Mihir Bellare">
              <organization>University of California San Diego</organization>
            </author>
            <author initials="" surname="Dennis Hofheinz">
              <organization>CWI Amsterdam</organization>
            </author>
            <author initials="" surname="Eike Kiltz">
              <organization>CWI Amsterdam</organization>
            </author>
            <date year="2009"/>
          </front>
        </reference>
        <reference anchor="HPKEAnalysis" target="https://eprint.iacr.org/2020/243">
          <front>
            <title>An Analysis of Hybrid Public Key Encryption</title>
            <author initials="B." surname="Lipp" fullname="Benjamin Lipp">
              <organization>Inria Paris</organization>
            </author>
            <date year="2020"/>
          </front>
        </reference>
        <reference anchor="ABHKLR20" target="https://eprint.iacr.org/2020/1499">
          <front>
            <title>Analysing the HPKE Standard</title>
            <author initials="J." surname="Alwen" fullname="Joël Alwen">
              <organization>Wickr</organization>
            </author>
            <author initials="B." surname="Blanchet" fullname="Bruno Blanchet">
              <organization>Inria Paris</organization>
            </author>
            <author initials="E." surname="Hauck" fullname="Eduard Hauck">
              <organization>Ruhr-Universität Bochum</organization>
            </author>
            <author initials="E." surname="Kiltz" fullname="Eike Kiltz">
              <organization>Ruhr-Universität Bochum</organization>
            </author>
            <author initials="B." surname="Lipp" fullname="Benjamin Lipp">
              <organization>Inria Paris</organization>
            </author>
            <author initials="D." surname="Riepel" fullname="Doreen Riepel">
              <organization>Ruhr-Universität Bochum</organization>
            </author>
            <date year="2020"/>
          </front>
        </reference>
        <reference anchor="MAEA10" target="https://ieeexplore.ieee.org/abstract/document/5604194/">
          <front>
            <title>A Comparison of the Standardized Versions of ECIES</title>
            <author initials="V." surname="Gayoso Martinez" fullname="V. Gayoso Martinez">
              <organization>Applied Physics Institute, CSIC, Madrid, Spain</organization>
            </author>
            <author initials="F." surname="Hernandez Alvarez" fullname="F. Hernandez Alvarez">
              <organization>Applied Physics Institute, CSIC, Madrid, Spain</organization>
            </author>
            <author initials="L." surname="Hernandez Encinas" fullname="L. Hernandez Encinas">
              <organization>Applied Physics Institute, CSIC, Madrid, Spain</organization>
            </author>
            <author initials="C." surname="Sanchez Avila" fullname="C. Sanchez Avila">
              <organization>Polytechnic University, Madrid, Spain</organization>
            </author>
            <date year="2010"/>
          </front>
        </reference>
        <reference anchor="BNT19" target="http://dx.doi.org/10.1007/978-3-030-26948-7_9">
          <front>
            <title>Nonces Are Noticed: AEAD Revisited</title>
            <author initials="M." surname="Bellare" fullname="Mihir Bellare">
              <organization>University of California, San Diego</organization>
            </author>
            <author initials="R." surname="Ng" fullname="Ruth Ng">
              <organization>University of California, San Diego</organization>
            </author>
            <author initials="B." surname="Tackmann" fullname="Björn Tackmann">
              <organization>IBM Research</organization>
            </author>
            <date year="2019"/>
          </front>
        </reference>
        <reference anchor="LGR20" target="https://eprint.iacr.org/2020/1491">
          <front>
            <title>Partitioning Oracle Attacks</title>
            <author initials="J." surname="Len" fullname="Julia Len">
              <organization>Cornell Tech</organization>
            </author>
            <author initials="P." surname="Grubbs" fullname="Paul Grubbs">
              <organization>Cornell Tech</organization>
            </author>
            <author initials="T." surname="Ristenpart" fullname="Thomas Ristenpart">
              <organization>Cornell Tech</organization>
            </author>
            <date year="2021"/>
          </front>
        </reference>
        <reference anchor="TestVectors" target="https://github.com/cfrg/draft-irtf-cfrg-hpke/blob/5f503c564da00b0687b3de75f1dfbdfc4079ad31/test-vectors.json">
          <front>
            <title>HPKE Test Vectors</title>
            <author>
              <organization/>
            </author>
            <date year="2021"/>
          </front>
        </reference>
        <reference anchor="keyagreement">
          <front>
            <title>Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography</title>
            <author fullname="Elaine Barker" initials="E." surname="Barker">
              <organization/>
            </author>
            <author fullname="Lily Chen" initials="L." surname="Chen">
              <organization/>
            </author>
            <author fullname="Allen Roginsky" initials="A." surname="Roginsky">
              <organization/>
            </author>
            <author fullname="Apostol Vassilev" initials="A." surname="Vassilev">
              <organization/>
            </author>
            <author fullname="Richard Davis" initials="R." surname="Davis">
              <organization/>
            </author>
            <date month="April" year="2018"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.sp.800-56ar3"/>
          <refcontent>National Institute of Standards and Technology</refcontent>
        </reference>
        <reference anchor="NISTCurves">
          <front>
            <title>Digital signature standard (DSS)</title>
            <author>
              <organization/>
            </author>
            <date year="2013"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.186-4"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="GCM">
          <front>
            <title>Recommendation for block cipher modes of operation :: GaloisCounter Mode (GCM) and GMAC</title>
            <author fullname="M J Dworkin" initials="M." surname="Dworkin">
              <organization/>
            </author>
            <date year="2007"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.sp.800-38d"/>
          <refcontent>National Institute of Standards and Technology</refcontent>
        </reference>
        <reference anchor="AJKL23" target="https://eprint.iacr.org/2023/1480">
          <front>
            <title>The Pre-Shared Key Modes of HPKE</title>
            <author initials="J." surname="Alwen" fullname="Joël Alwen">
              <organization>AWS-Wickr</organization>
            </author>
            <author initials="J." surname="Janneck" fullname="Jonas Janneck">
              <organization>Ruhr-Universität Bochum</organization>
            </author>
            <author initials="E." surname="Kiltz" fullname="Eike Kiltz">
              <organization>Ruhr-Universität Bochum</organization>
            </author>
            <author initials="B." surname="Lipp" fullname="Benjamin Lipp">
              <organization>Max Planck Institute for Security and Privacy</organization>
            </author>
            <date year="2023"/>
          </front>
        </reference>
        <reference anchor="RFC1421">
          <front>
            <title>Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures</title>
            <author fullname="J. Linn" initials="J." surname="Linn"/>
            <date month="February" year="1993"/>
            <abstract>
              <t>This document defines message encryption and authentication procedures, in order to provide privacy-enhanced mail (PEM) services for electronic mail transfer in the Internet. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1421"/>
          <seriesInfo name="DOI" value="10.17487/RFC1421"/>
        </reference>
        <reference anchor="RFC9420">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="RFC9849">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="RFC20">
          <front>
            <title>ASCII format for network interchange</title>
            <author fullname="V.G. Cerf" initials="V.G." surname="Cerf"/>
            <date month="October" year="1969"/>
          </front>
          <seriesInfo name="STD" value="80"/>
          <seriesInfo name="RFC" value="20"/>
          <seriesInfo name="DOI" value="10.17487/RFC20"/>
        </reference>
        <reference anchor="RFC7748">
          <front>
            <title>Elliptic Curves for Security</title>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="January" year="2016"/>
            <abstract>
              <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7748"/>
          <seriesInfo name="DOI" value="10.17487/RFC7748"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9180">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="ECH">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="RFC8439">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
        <reference anchor="RFC7914">
          <front>
            <title>The scrypt Password-Based Key Derivation Function</title>
            <author fullname="C. Percival" initials="C." surname="Percival"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>This document specifies the password-based key derivation function scrypt. The function derives one or more secret keys from a secret string. It is based on memory-hard functions, which offer added protection against attacks using custom hardware. The document also provides an ASN.1 schema.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7914"/>
          <seriesInfo name="DOI" value="10.17487/RFC7914"/>
        </reference>
        <reference anchor="RFC9106">
          <front>
            <title>Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications</title>
            <author fullname="A. Biryukov" initials="A." surname="Biryukov"/>
            <author fullname="D. Dinu" initials="D." surname="Dinu"/>
            <author fullname="D. Khovratovich" initials="D." surname="Khovratovich"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="September" year="2021"/>
            <abstract>
              <t>This document describes the Argon2 memory-hard function for password hashing and proof-of-work applications. We provide an implementer-oriented description with test vectors. The purpose is to simplify adoption of Argon2 for Internet protocols. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9106"/>
          <seriesInfo name="DOI" value="10.17487/RFC9106"/>
        </reference>
        <reference anchor="RFC8937">
          <front>
            <title>Randomness Improvements for Security Protocols</title>
            <author fullname="C. Cremers" initials="C." surname="Cremers"/>
            <author fullname="L. Garratt" initials="L." surname="Garratt"/>
            <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8937"/>
          <seriesInfo name="DOI" value="10.17487/RFC8937"/>
        </reference>
        <reference anchor="RFC8467">
          <front>
            <title>Padding Policies for Extension Mechanisms for DNS (EDNS(0))</title>
            <author fullname="A. Mayrhofer" initials="A." surname="Mayrhofer"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>RFC 7830 specifies the "Padding" option for Extension Mechanisms for DNS (EDNS(0)) but does not specify the actual padding length for specific applications. This memo lists the possible options ("padding policies"), discusses the implications of each option, and provides a recommended (experimental) option.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8467"/>
          <seriesInfo name="DOI" value="10.17487/RFC8467"/>
        </reference>
      </references>
    </references>
    <?line 1950?>

<section anchor="differences-from-rfc-9180">
      <name>Differences from RFC 9180</name>
      <t>This specification is intended to be backwards-compatible with RFC 9180, in the
sense that any behavior specified in both this document and RFC 9180 should
specify identical behavior for any functionality that they both specify.</t>
      <t>Within that constraint, the following list summarizes the major changes from RFC
9180:</t>
      <ul spacing="normal">
        <li>
          <t>Incorporated fixes for all valid errata on RFC 9180.</t>
        </li>
        <li>
          <t>Updated the IANA Considerations section to refer to existing registries.</t>
        </li>
        <li>
          <t>Added a framework for single-stage KDFs.</t>
        </li>
        <li>
          <t>Removed the Auth and AuthPSK modes.</t>
        </li>
        <li>
          <t>Extended the discussion of replay to cover considerations related to exported
secrets.</t>
        </li>
      </ul>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors would like to thank Joël Alwen, Jean-Philippe Aumasson, David
Benjamin, Benjamin Beurdouche, Bruno Blanchet, Brian Campbell, Deirdre Connolly,
Deb Cooley, Frank Denis, Stephen Farrell, Scott Fluhrer, Eduard Hauck, Scott
Hollenbeck, Kevin Jacobs, Jonas Janneck, Michael B. Jones, Burt Kaliski, Eike
Kiltz, Samuel Lee, Julia Len, Ilari Liusvaara, Rohan Mahy, John Mattsson, Cory
Francis Myers, Christopher Patton, Tommy Pauly, Eric Rescorla, Doreen Riepel,
Raphael Robert, Michael Rosenberg, Yaroslav Rosomakho, Rich Salz, Martin
Schanzenbach, David Schinazi, Michael Scott, Filip Skokan, Nick Sullivan, Martin
Thomson, Steven Valdez, Filippo Valsorda, Riad Wahby, Weijun Wang, Bas Westerbaan,
and other contributors in the CFRG and HPKE WG for helpful feedback that greatly
improved this document.</t>
    </section>
    <section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>Each section below contains test vectors for a single HPKE ciphersuite and
contains the following values:</t>
      <ol spacing="normal" type="1"><li>
          <t>Configuration information and private key material: This includes the <tt>mode</tt>,
<tt>info</tt> string, HPKE ciphersuite identifiers (<tt>kem_id</tt>, <tt>kdf_id</tt>, <tt>aead_id</tt>),
and the recipient's key material. Recipient key pairs are generated as <tt>(skR,
pkR) = DeriveKeyPair(ikmR)</tt>.  Key pairs are written in their serialized form
(as produced by <tt>SerializePublicKey</tt> and <tt>SerializePrivateKey</tt>).  For the PSK
mode, the shared PSK and PSK identifier are also included.</t>
        </li>
        <li>
          <t>Context creation intermediate values and outputs: This includes the
randomness <tt>ikmE</tt> used for deterministic encapsulation,
KEM outputs <tt>enc</tt> and <tt>shared_secret</tt> used to create the context, along
with intermediate values <tt>key_schedule_context</tt> and <tt>secret</tt> computed
in the KeySchedule function in <xref target="encryption-context"/>. The outputs
include the context values <tt>key</tt>, <tt>base_nonce</tt>, and <tt>exporter_secret</tt>.
For DHKEM test vectors, the ephemeral key pair (<tt>skEm</tt>, <tt>pkEm</tt>) is also
provided.</t>
        </li>
        <li>
          <t>Encryption test vectors: A fixed plaintext message is encrypted using
different sequence numbers and AAD values using the context computed in (2).
Each test vector lists the sequence number and corresponding nonce computed
with <tt>base_nonce</tt>, the plaintext message <tt>pt</tt>, AAD <tt>aad</tt>, and output
ciphertext <tt>ct</tt>.</t>
        </li>
        <li>
          <t>Export test vectors: Several exported values of the same length with differing
context parameters are computed using the context computed in (2). Each test
vector lists the <tt>exporter_context</tt>, output length <tt>L</tt>, and resulting export
value.</t>
        </li>
      </ol>
      <t>These test vectors are also available in JSON format at <xref target="TestVectors"/>.</t>
      <section anchor="deterministic-encapsulation">
        <name>Deterministic Encapsulation</name>
        <t>The test vectors can support testing of encapsulation as well as decapsulation
if the KEM being tested provides a derandomized encapsulation function:</t>
        <dl>
          <dt><tt>EncapDerand(enc, randomness)</tt></dt>
          <dd>
            <t>Deterministic algorithm to generate an ephemeral, fixed-length
shared secret and a fixed-length encapsulation of that secret (also known as
the KEM ciphertext) that can be decapsulated by the holder of the private
key corresponding to <tt>pkR</tt>. This function can raise an <tt>EncapError</tt> on
encapsulation failure.</t>
          </dd>
        </dl>
        <t>For DHKEM, this function simply replaces <tt>GenerateKeyPair()</tt> with
<tt>DeriveKeyPair()</tt> in the generation of the ephemeral key pair:</t>
        <artwork><![CDATA[
def EncapDerand(pkR, randomness):
  skE, pkE = DeriveKeyPair(randomness)
  dh = DH(skE, pkR)
  enc = SerializePublicKey(pkE)

  pkRm = SerializePublicKey(pkR)
  kem_context = concat(enc, pkRm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret, enc
]]></artwork>
        <t>The input <tt>ikmE</tt> in the context creation inputs is the <tt>randomness</tt> input to
<tt>EncapsDerand()</tt>.</t>
      </section>
      <section anchor="dhkemx25519-hkdf-sha256-hkdf-sha256-aes-128-gcm">
        <name>DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM</name>
        <section anchor="base-setup-information">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234
pkEm:
37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
skEm:
52c4a758a802cd8b936eceea314432798d5baf2d7e9235dc084ab1b9cfa2f736
ikmR:
6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037
pkRm:
3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d
skRm:
4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8
enc:
37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
shared_secret:
fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc
key_schedule_context: 00725611c9d98c07c03f60095cd32d400d8347d45ed670
97bbad50fc56da742d07cb6cffde367bb0565ba28bb02c90744a20f5ef37f3052352
6106f637abb05449
secret:
12fff91991e93b48de37e7daddb52981084bd8aa64289c3788471d9a9712f397
key: 4531685d41d65f03dc48f6b8302c05b0
base_nonce: 56d890e5accaaf011cff4b7d
exporter_secret:
45ff1c2e220db587171952c0592d5f5ebe103f1561a2614e38f2ffd47e99e3f8
]]></artwork>
          <section anchor="encryptions">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 56d890e5accaaf011cff4b7d
ct: f938558b5d72f1a23810b4be2ab4f84331acc02fc97babc53a52ae8218a355a9
6d8770ac83d07bea87e13c512a

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 56d890e5accaaf011cff4b7c
ct: af2d7e9ac9ae7e270f46ba1f975be53c09f8d875bdc8535458c2494e8a6eab25
1c03d0c22a56b8ca42c2063b84

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 56d890e5accaaf011cff4b7f
ct: 498dfcabd92e8acedc281e85af1cb4e3e31c7dc394a1ca20e173cb7251649158
8d96a19ad4a683518973dcc180

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 56d890e5accaaf011cff4b79
ct: 583bd32bc67a5994bb8ceaca813d369bca7b2a42408cddef5e22f880b631215a
09fc0012bc69fccaa251c0246d

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 56d890e5accaaf011cff4b82
ct: 7175db9717964058640a3a11fb9007941a5d1757fda1a6935c805c21af32505b
f106deefec4a49ac38d71c9e0a

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 56d890e5accaaf011cff4a7d
ct: 957f9800542b0b8891badb026d79cc54597cb2d225b54c00c5238c25d05c30e3
fbeda97d2e0e1aba483a2df9f2
]]></artwork>
          </section>
          <section anchor="exported-values">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
3853fe2b4035195a573ffc53856e77058e15d9ea064de3e59f4961d0095250ee

exporter_context: 00
L: 32
exported_value:
2e8f0b54673c7029649d4eb9d5e33bf1872cf76d623ff164ac185da9e88c21a5

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
e9e43065102c3836401bed8c3c3c75ae46be1639869391d62c61f1ec7af54931
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
78628c354e46f3e169bd231be7b2ff1c77aa302460a26dbfa15515684c00130b
pkEm:
0ad0950d9fb9588e59690b74f1237ecdf1d775cd60be2eca57af5a4b0471c91b
skEm:
463426a9ffb42bb17dbe6044b9abd1d4e4d95f9041cef0e99d7824eef2b6f588
ikmR:
d4a09d09f575fef425905d2ab396c1449141463f698f8efdb7accfaff8995098
pkRm:
9fed7e8c17387560e92cc6462a68049657246a09bfa8ade7aefe589672016366
skRm:
c5eb01eb457fe6c6f57577c5413b931550a162c71a03ac8d196babbd4e5ce0fd
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
0ad0950d9fb9588e59690b74f1237ecdf1d775cd60be2eca57af5a4b0471c91b
shared_secret:
727699f009ffe3c076315019c69648366b69171439bd7dd0807743bde76986cd
key_schedule_context: 01e78d5cf6190d275863411ff5edd0dece5d39fa48e04e
ec1ed9b71be34729d18ccb6cffde367bb0565ba28bb02c90744a20f5ef37f3052352
6106f637abb05449
secret:
3728ab0b024b383b0381e432b47cced1496d2516957a76e2a9f5c8cb947afca4
key: 15026dba546e3ae05836fc7de5a7bb26
base_nonce: 9518635eba129d5ce0914555
exporter_secret:
3d76025dbbedc49448ec3f9080a1abab6b06e91c0b11ad23c912f043a0ee7655
]]></artwork>
          <section anchor="encryptions-1">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 9518635eba129d5ce0914555
ct: e52c6fed7f758d0cf7145689f21bc1be6ec9ea097fef4e959440012f4feb73fb
611b946199e681f4cfc34db8ea

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 9518635eba129d5ce0914554
ct: 49f3b19b28a9ea9f43e8c71204c00d4a490ee7f61387b6719db765e948123b45
b61633ef059ba22cd62437c8ba

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 9518635eba129d5ce0914557
ct: 257ca6a08473dc851fde45afd598cc83e326ddd0abe1ef23baa3baa4dd8cde99
fce2c1e8ce687b0b47ead1adc9

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 9518635eba129d5ce0914551
ct: a71d73a2cd8128fcccbd328b9684d70096e073b59b40b55e6419c9c68ae21069
c847e2a70f5d8fb821ce3dfb1c

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 9518635eba129d5ce09145aa
ct: 55f84b030b7f7197f7d7d552365b6b932df5ec1abacd30241cb4bc4ccea27bd2
b518766adfa0fb1b71170e9392

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 9518635eba129d5ce0914455
ct: c5bf246d4a790a12dcc9eed5eae525081e6fb541d5849e9ce8abd92a3bc15517
76bea16b4a518f23e237c14b59
]]></artwork>
          </section>
          <section anchor="exported-values-1">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
dff17af354c8b41673567db6259fd6029967b4e1aad13023c2ae5df8f4f43bf6

exporter_context: 00
L: 32
exported_value:
6a847261d8207fe596befb52928463881ab493da345b10e1dcc645e3b94e2d95

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
8aff52b45a1be3a734bc7a41e20b4e055ad4c4d22104b0c20285a7c4302401cd
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="dhkemx25519-hkdf-sha256-hkdf-sha256-chacha20poly1305">
        <name>DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305</name>
        <section anchor="base-setup-information-1">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
909a9b35d3dc4713a5e72a4da274b55d3d3821a37e5d099e74a647db583a904b
pkEm:
1afa08d3dec047a643885163f1180476fa7ddb54c6a8029ea33f95796bf2ac4a
skEm:
f4ec9b33b792c372c1d2c2063507b684ef925b8c75a42dbcbf57d63ccd381600
ikmR:
1ac01f181fdf9f352797655161c58b75c656a6cc2716dcb66372da835542e1df
pkRm:
4310ee97d88cc1f088a5576c77ab0cf5c3ac797f3d95139c6c84b5429c59662a
skRm:
8057991eef8f1f1af18f4a9491d16a1ce333f695d4db8e38da75975c4478e0fb
enc:
1afa08d3dec047a643885163f1180476fa7ddb54c6a8029ea33f95796bf2ac4a
shared_secret:
0bbe78490412b4bbea4812666f7916932b828bba79942424abb65244930d69a7
key_schedule_context: 00431df6cd95e11ff49d7013563baf7f11588c75a6611e
e2a4404a49306ae4cfc5b69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1
e798c0bb19eb9796
secret:
5b9cd775e64b437a2335cf499361b2e0d5e444d5cb41a8a53336d8fe402282c6
key:
ad2744de8e17f4ebba575b3f5f5a8fa1f69c2a07f6e7500bc60ca6e3e3ec1c91
base_nonce: 5c4d98150661b848853b547f
exporter_secret:
a3b010d4994890e2c6968a36f64470d3c824c8f5029942feb11e7a74b2921922
]]></artwork>
          <section anchor="encryptions-2">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 5c4d98150661b848853b547f
ct: 1c5250d8034ec2b784ba2cfd69dbdb8af406cfe3ff938e131f0def8c8b60b4db
21993c62ce81883d2dd1b51a28

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 5c4d98150661b848853b547e
ct: 6b53c051e4199c518de79594e1c4ab18b96f081549d45ce015be002090bb119e
85285337cc95ba5f59992dc98c

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 5c4d98150661b848853b547d
ct: 71146bd6795ccc9c49ce25dda112a48f202ad220559502cef1f34271e0cb4b02
b4f10ecac6f48c32f878fae86b

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 5c4d98150661b848853b547b
ct: 63357a2aa291f5a4e5f27db6baa2af8cf77427c7c1a909e0b37214dd47db122b
b153495ff0b02e9e54a50dbe16

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 5c4d98150661b848853b5480
ct: 18ab939d63ddec9f6ac2b60d61d36a7375d2070c9b683861110757062c52b888
0a5f6b3936da9cd6c23ef2a95c

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 5c4d98150661b848853b557f
ct: 7a4a13e9ef23978e2c520fd4d2e757514ae160cd0cd05e556ef692370ca53076
214c0c40d4c728d6ed9e727a5b
]]></artwork>
          </section>
          <section anchor="exported-values-2">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
4bbd6243b8bb54cec311fac9df81841b6fd61f56538a775e7c80a9f40160606e

exporter_context: 00
L: 32
exported_value:
8c1df14732580e5501b00f82b10a1647b40713191b7c1240ac80e2b68808ba69

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
5acb09211139c43b3090489a9da433e8a30ee7188ba8b0a9a1ccf0c229283e53
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information-1">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
35706a0b09fb26fb45c39c2f5079c709c7cf98e43afa973f14d88ece7e29c2e3
pkEm:
2261299c3f40a9afc133b969a97f05e95be2c514e54f3de26cbe5644ac735b04
skEm:
0c35fdf49df7aa01cd330049332c40411ebba36e0c718ebc3edf5845795f6321
ikmR:
26b923eade72941c8a85b09986cdfa3f1296852261adedc52d58d2930269812b
pkRm:
13640af826b722fc04feaa4de2f28fbd5ecc03623b317834e7ff4120dbe73062
skRm:
77d114e0212be51cb1d76fa99dd41cfd4d0166b08caa09074430a6c59ef17879
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
2261299c3f40a9afc133b969a97f05e95be2c514e54f3de26cbe5644ac735b04
shared_secret:
4be079c5e77779d0215b3f689595d59e3e9b0455d55662d1f3666ec606e50ea7
key_schedule_context: 016870c4c76ca38ae43efbec0f2377d109499d7ce73f4a
9e1ec37f21d3d063b97cb69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1
e798c0bb19eb9796
secret:
16974354c497c9bd24c000ceed693779b604f1944975b18c442d373663f4a8cc
key:
600d2fdb0313a7e5c86a9ce9221cd95bed069862421744cfb4ab9d7203a9c019
base_nonce: 112e0465562045b7368653e7
exporter_secret:
73b506dc8b6b4269027f80b0362def5cbb57ee50eed0c2873dac9181f453c5ac
]]></artwork>
          <section anchor="encryptions-3">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 112e0465562045b7368653e7
ct: 4a177f9c0d6f15cfdf533fb65bf84aecdc6ab16b8b85b4cf65a370e07fc1d78d
28fb073214525276f4a89608ff

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 112e0465562045b7368653e6
ct: 5c3cabae2f0b3e124d8d864c116fd8f20f3f56fda988c3573b40b09997fd6c76
9e77c8eda6cda4f947f5b704a8

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 112e0465562045b7368653e5
ct: 14958900b44bdae9cbe5a528bf933c5c990dbb8e282e6e495adf8205d19da9eb
270e3a6f1e0613ab7e757962a4

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 112e0465562045b7368653e3
ct: c2a7bc09ddb853cf2effb6e8d058e346f7fe0fb3476528c80db6b698415c5f8c
50b68a9a355609e96d2117f8d3

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 112e0465562045b736865318
ct: 2414d0788e4bc39a59a26d7bd5d78e111c317d44c37bd5a4c2a1235f2ddc2085
c487d406490e75210c958724a7

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 112e0465562045b7368652e7
ct: c567ae1c3f0f75abe1dd9e4532b422600ed4a6e5b9484dafb1e43ab9f5fd662b
28c00e2e81d3cde955dae7e218
]]></artwork>
          </section>
          <section anchor="exported-values-3">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
813c1bfc516c99076ae0f466671f0ba5ff244a41699f7b2417e4c59d46d39f40

exporter_context: 00
L: 32
exported_value:
2745cf3d5bb65c333658732954ee7af49eb895ce77f8022873a62a13c94cb4e1

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
ad40e3ae14f21c99bfdebc20ae14ab86f4ca2dc9a4799d200f43a25f99fa78ae
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="dhkemp-256-hkdf-sha256-hkdf-sha256-aes-128-gcm">
        <name>DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM</name>
        <section anchor="base-setup-information-2">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
4270e54ffd08d79d5928020af4686d8f6b7d35dbe470265f1f5aa22816ce860e
pkEm: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b32
5ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4
skEm:
4995788ef4b9d6132b249ce59a77281493eb39af373d236a1fe415cb0c2d7beb
ikmR:
668b37171f1072f3cf12ea8a236a45df23fc13b82af3609ad1e354f6ef817550
pkRm: 04fe8c19ce0905191ebc298a9245792531f26f0cece2460639e8bc39cb7f70
6a826a779b4cf969b8a0e539c7f62fb3d30ad6aa8f80e30f1d128aafd68a2ce72ea0
skRm:
f3ce7fdae57e1a310d87f1ebbde6f328be0a99cdbcadf4d6589cf29de4b8ffd2
enc: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325
ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4
shared_secret:
c0d26aeab536609a572b07695d933b589dcf363ff9d93c93adea537aeabb8cb8
key_schedule_context: 00b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce
efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85
secret:
2eb7b6bf138f6b5aff857414a058a3f1750054a9ba1f72c2cf0684a6f20b10e1
key: 868c066ef58aae6dc589b6cfdd18f97e
base_nonce: 4e0bc5018beba4bf004cca59
exporter_secret:
14ad94af484a7ad3ef40e9f3be99ecc6fa9036df9d4920548424df127ee0d99f
]]></artwork>
          <section anchor="encryptions-4">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 4e0bc5018beba4bf004cca59
ct: 5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f
9076ac232e3ab2523f39513434

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 4e0bc5018beba4bf004cca58
ct: fa6f037b47fc21826b610172ca9637e82d6e5801eb31cbd3748271affd4ecb06
646e0329cbdf3c3cd655b28e82

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 4e0bc5018beba4bf004cca5b
ct: 895cabfac50ce6c6eb02ffe6c048bf53b7f7be9a91fc559402cbc5b8dcaeb52b
2ccc93e466c28fb55fed7a7fec

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 4e0bc5018beba4bf004cca5d
ct: 8787491ee8df99bc99a246c4b3216d3d57ab5076e18fa27133f520703bc70ec9
99dd36ce042e44f0c3169a6a8f

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 4e0bc5018beba4bf004ccaa6
ct: 2ad71c85bf3f45c6eca301426289854b31448bcf8a8ccb1deef3ebd87f60848a
a53c538c30a4dac71d619ee2cd

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 4e0bc5018beba4bf004ccb59
ct: 10f179686aa2caec1758c8e554513f16472bd0a11e2a907dde0b212cbe87d74f
367f8ffe5e41cd3e9962a6afb2
]]></artwork>
          </section>
          <section anchor="exported-values-4">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
5e9bc3d236e1911d95e65b576a8a86d478fb827e8bdfe77b741b289890490d4d

exporter_context: 00
L: 32
exported_value:
6cff87658931bda83dc857e6353efe4987a201b849658d9b047aab4cf216e796

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
d8f1ea7942adbba7412c6d431c62d01371ea476b823eb697e1f6e6cae1dab85a
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information-2">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
2afa611d8b1a7b321c761b483b6a053579afa4f767450d3ad0f84a39fda587a6
pkEm: 04305d35563527bce037773d79a13deabed0e8e7cde61eecee403496959e89
e4d0ca701726696d1485137ccb5341b3c1c7aaee90a4a02449725e744b1193b53b5f
skEm:
57427244f6cc016cddf1c19c8973b4060aa13579b4c067fd5d93a5d74e32a90f
ikmR:
d42ef874c1913d9568c9405407c805baddaffd0898a00f1e84e154fa787b2429
pkRm: 040d97419ae99f13007a93996648b2674e5260a8ebd2b822e84899cd52d874
46ea394ca76223b76639eccdf00e1967db10ade37db4e7db476261fcc8df97c5ffd1
skRm:
438d8bcef33b89e0e9ae5eb0957c353c25a94584b0dd59c991372a75b43cb661
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04305d35563527bce037773d79a13deabed0e8e7cde61eecee403496959e89e
4d0ca701726696d1485137ccb5341b3c1c7aaee90a4a02449725e744b1193b53b5f
shared_secret:
2e783ad86a1beae03b5749e0f3f5e9bb19cb7eb382f2fb2dd64c99f15ae0661b
key_schedule_context: 01b873cdf2dff4c1434988053b7a775e980dd2039ea24f
950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85
secret:
f2f534e55931c62eeb2188c1f53450354a725183937e68c85e68d6b267504d26
key: 55d9eb9d26911d4c514a990fa8d57048
base_nonce: b595dc6b2d7e2ed23af529b1
exporter_secret:
895a723a1eab809804973a53c0ee18ece29b25a7555a4808277ad2651d66d705
]]></artwork>
          <section anchor="encryptions-5">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: b595dc6b2d7e2ed23af529b1
ct: 90c4deb5b75318530194e4bb62f890b019b1397bbf9d0d6eb918890e1fb2be1a
c2603193b60a49c2126b75d0eb

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: b595dc6b2d7e2ed23af529b0
ct: 9e223384a3620f4a75b5a52f546b7262d8826dea18db5a365feb8b997180b22d
72dc1287f7089a1073a7102c27

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: b595dc6b2d7e2ed23af529b3
ct: adf9f6000773035023be7d415e13f84c1cb32a24339a32eb81df02be9ddc6abc
880dd81cceb7c1d0c7781465b2

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: b595dc6b2d7e2ed23af529b5
ct: 1f4cc9b7013d65511b1f69c050b7bd8bbd5a5c16ece82b238fec4f30ba2400e7
ca8ee482ac5253cffb5c3dc577

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: b595dc6b2d7e2ed23af5294e
ct: cdc541253111ed7a424eea5134dc14fc5e8293ab3b537668b8656789628e4589
4e5bb873c968e3b7cdcbb654a4

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: b595dc6b2d7e2ed23af528b1
ct: faf985208858b1253b97b60aecd28bc18737b58d1242370e7703ec33b73a4c31
a1afee300e349adef9015bbbfd
]]></artwork>
          </section>
          <section anchor="exported-values-5">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
a115a59bf4dd8dc49332d6a0093af8efca1bcbfd3627d850173f5c4a55d0c185

exporter_context: 00
L: 32
exported_value:
4517eaede0669b16aac7c92d5762dd459c301fa10e02237cd5aeb9be969430c4

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
164e02144d44b607a7722e58b0f4156e67c0c2874d74cf71da6ca48a4cbdc5e0
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="dhkemp-256-hkdf-sha256-hkdf-sha512-aes-128-gcm">
        <name>DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM</name>
        <section anchor="base-setup-information-3">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
4ab11a9dd78c39668f7038f921ffc0993b368171d3ddde8031501ee1e08c4c9a
pkEm: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a
15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580
skEm:
2292bf14bb6e15b8c81a0f45b7a6e93e32d830e48cca702e0affcfb4d07e1b5c
ikmR:
ea9ff7cc5b2705b188841c7ace169290ff312a9cb31467784ca92d7a2e6e1be8
pkRm: 04085aa5b665dc3826f9650ccbcc471be268c8ada866422f739e2d531d4a88
18a9466bc6b449357096232919ec4fe9070ccbac4aac30f4a1a53efcf7af90610edd
skRm:
3ac8530ad1b01885960fab38cf3cdc4f7aef121eaa239f222623614b4079fb38
enc: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a1
5565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580
shared_secret:
02f584736390fc93f5b4ad039826a3fa08e9911bd1215a3db8e8791ba533cafd
key_schedule_context: 005b8a3617af7789ee716e7911c7e77f84cdc4cc46e60f
b7e19e4059f9aeadc00585e26874d1ddde76e551a7679cd47168c466f6e1f705cc93
74c192778a34fcd5ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9
secret: 0c7acdab61693f936c4c1256c78e7be30eebfe466812f9cc49f0b58dc970
328dfc03ea359be0250a471b1635a193d2dfa8cb23c90aa2e25025b892a725353eeb
key: 090ca96e5f8aa02b69fac360da50ddf9
base_nonce: 9c995e621bf9a20c5ca45546
exporter_secret: 4a7abb2ac43e6553f129b2c5750a7e82d149a76ed56dc342d7b
ca61e26d494f4855dff0d0165f27ce57756f7f16baca006539bb8e4518987ba61048
0ac03efa8
]]></artwork>
          <section anchor="encryptions-6">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 9c995e621bf9a20c5ca45546
ct: d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c8890
7200b332003543754eb51917ba

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 9c995e621bf9a20c5ca45547
ct: d14414555a47269dfead9fbf26abb303365e40709a4ed16eaefe1f2070f1ddeb
1bdd94d9e41186f124e0acc62d

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 9c995e621bf9a20c5ca45544
ct: 9bba136cade5c4069707ba91a61932e2cbedda2d9c7bdc33515aa01dd0e0f7e9
d3579bf4016dec37da4aafa800

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 9c995e621bf9a20c5ca45542
ct: a531c0655342be013bf32112951f8df1da643602f1866749519f5dcb09cc6843
2579de305a77e6864e862a7600

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 9c995e621bf9a20c5ca455b9
ct: be5da649469efbad0fb950366a82a73fefeda5f652ec7d3731fac6c4ffa21a70
04d2ab8a04e13621bd3629547d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 9c995e621bf9a20c5ca45446
ct: 62092672f5328a0dde095e57435edf7457ace60b26ee44c9291110ec135cb0e1
4b85594e4fea11247d937deb62
]]></artwork>
          </section>
          <section anchor="exported-values-6">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
a32186b8946f61aeead1c093fe614945f85833b165b28c46bf271abf16b57208

exporter_context: 00
L: 32
exported_value:
84998b304a0ea2f11809398755f0abd5f9d2c141d1822def79dd15c194803c2a

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
93fb9411430b2cfa2cf0bed448c46922a5be9beff20e2e621df7e4655852edbc
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information-3">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
c11d883d6587f911d2ddbc2a0859d5b42fb13bf2c8e89ef408a25564893856f5
pkEm: 04a307934180ad5287f95525fe5bc6244285d7273c15e061f0f2efb211c350
57f3079f6e0abae200992610b25f48b63aacfcb669106ddee8aa023feed301901371
skEm:
a5901ff7d6931959c2755382ea40a4869b1dec3694ed3b009dda2d77dd488f18
ikmR:
75bfc2a3a3541170a54c0b06444e358d0ee2b4fb78a401fd399a47a33723b700
pkRm: 043f5266fba0742db649e1043102b8a5afd114465156719cea90373229aabd
d84d7f45dabfc1f55664b888a7e86d594853a6cccdc9b189b57839cbbe3b90b55873
skRm:
bc6f0b5e22429e5ff47d5969003f3cae0f4fec50e23602e880038364f33b8522
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04a307934180ad5287f95525fe5bc6244285d7273c15e061f0f2efb211c3505
7f3079f6e0abae200992610b25f48b63aacfcb669106ddee8aa023feed301901371
shared_secret:
2912aacc6eaebd71ff715ea50f6ef3a6637856b2a4c58ea61e0c3fc159e3bc16
key_schedule_context: 01713f73042575cebfd132f0cc4338523f8eae95c80a74
9f7cf3eb9436ff1c612ca62c37df27ca46d2cc162445a92c5f5fdc57bcde129ca7b1
f284b0c12297c037ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9
secret: ff2051d2128d5f3078de867143e076262ce1d0aecafc3fff3d607f1eaff0
5345c7d5ffcb3202cdecb3d1a2f7da20592a237747b6e855390cbe2109d3e6ac70c2
key: 0b910ba8d9cfa17e5f50c211cb32839a
base_nonce: 0c29e714eb52de5b7415a1b7
exporter_secret: 50c0a182b6f94b4c0bd955c4aa20df01f282cc12c43065a0812
fe4d4352790171ed2b2c4756ad7f5a730ba336c8f1edd0089d8331192058c385bae3
9c7cc8b57
]]></artwork>
          <section anchor="encryptions-7">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 0c29e714eb52de5b7415a1b7
ct: 57624b6e320d4aba0afd11f548780772932f502e2ba2a8068676b2a0d3b5129a
45b9faa88de39e8306da41d4cc

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 0c29e714eb52de5b7415a1b6
ct: 159d6b4c24bacaf2f5049b7863536d8f3ffede76302dace42080820fa51925d4
e1c72a64f87b14291a3057e00a

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 0c29e714eb52de5b7415a1b5
ct: bd24140859c99bf0055075e9c460032581dd1726d52cf980d308e9b20083ca62
e700b17892bcf7fa82bac751d0

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 0c29e714eb52de5b7415a1b3
ct: 93ddd55f82e9aaaa3cfc06840575f09d80160b20538125c2549932977d1238dd
e8126a4a91118faf8632f62cb8

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 0c29e714eb52de5b7415a148
ct: 377a98a3c34bf716581b05a6b3fdc257f245856384d5f2241c8840571c52f5c8
5c21138a4a81655edab8fe227d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 0c29e714eb52de5b7415a0b7
ct: cc161f5a179831d456d119d2f2c19a6817289c75d1c61cd37ac8a450acd9efba
02e0ac00d128c17855931ff69a
]]></artwork>
          </section>
          <section anchor="exported-values-7">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
8158bea21a6700d37022bb7802866edca30ebf2078273757b656ef7fc2e428cf

exporter_context: 00
L: 32
exported_value:
6a348ba6e0e72bb3ef22479214a139ef8dac57be34509a61087a12565473da8d

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
2f6d4f7a18ec48de1ef4469f596aada4afdf6d79b037ed3c07e0118f8723bffc
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="dhkemp-256-hkdf-sha256-hkdf-sha256-chacha20poly1305">
        <name>DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305</name>
        <section anchor="base-setup-information-4">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
f1f1a3bc95416871539ecb51c3a8f0cf608afb40fbbe305c0a72819d35c33f1f
pkEm: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c09582782
4fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291
skEm:
7550253e1147aae48839c1f8af80d2770fb7a4c763afe7d0afa7e0f42a5b3689
ikmR:
61092f3f56994dd424405899154a9918353e3e008171517ad576b900ddb275e7
pkRm: 04a697bffde9405c992883c5c439d6cc358170b51af72812333b015621dc0f
40bad9bb726f68a5c013806a790ec716ab8669f84f6b694596c2987cf35baba2a006
skRm:
a4d1c55836aa30f9b3fbb6ac98d338c877c2867dd3a77396d13f68d3ab150d3b
enc: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c095827824
fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291
shared_secret:
806520f82ef0b03c823b7fc524b6b55a088f566b9751b89551c170f4113bd850
key_schedule_context: 00b738cd703db7b4106e93b4621e9a19c89c838e559642
40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c
secret:
fe891101629aa355aad68eff3cc5170d057eca0c7573f6575e91f9783e1d4506
key:
a8f45490a92a3b04d1dbf6cf2c3939ad8bfc9bfcb97c04bffe116730c9dfe3fc
base_nonce: 726b4390ed2209809f58c693
exporter_secret:
4f9bd9b3a8db7d7c3a5b9d44fdc1f6e37d5d77689ade5ec44a7242016e6aa205
]]></artwork>
          <section anchor="encryptions-8">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 726b4390ed2209809f58c693
ct: 6469c41c5c81d3aa85432531ecf6460ec945bde1eb428cb2fedf7a29f5a685b4
ccb0d057f03ea2952a27bb458b

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 726b4390ed2209809f58c692
ct: f1564199f7e0e110ec9c1bcdde332177fc35c1adf6e57f8d1df24022227ffa87
16862dbda2b1dc546c9d114374

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 726b4390ed2209809f58c691
ct: 39de89728bcb774269f882af8dc5369e4f3d6322d986e872b3a8d074c7c18e85
49ff3f85b6d6592ff87c3f310c

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 726b4390ed2209809f58c697
ct: bc104a14fbede0cc79eeb826ea0476ce87b9c928c36e5e34dc9b6905d91473ec
369a08b1a25d305dd45c6c5f80

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 726b4390ed2209809f58c66c
ct: 8f2814a2c548b3be50259713c6724009e092d37789f6856553d61df23ebc0792
35f710e6af3c3ca6eaba7c7c6c

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 726b4390ed2209809f58c793
ct: b45b69d419a9be7219d8c94365b89ad6951caf4576ea4774ea40e9b7047a09d6
537d1aa2f7c12d6ae4b729b4d0
]]></artwork>
          </section>
          <section anchor="exported-values-8">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
9b13c510416ac977b553bf1741018809c246a695f45eff6d3b0356dbefe1e660

exporter_context: 00
L: 32
exported_value:
6c8b7be3a20a5684edecb4253619d9051ce8583baf850e0cb53c402bdcaf8ebb

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
477a50d804c7c51941f69b8e32fe8288386ee1a84905fe4938d58972f24ac938
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information-4">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
e1a4e1d50c4bfcf890f2b4c7d6b2d2aca61368eddc3c84162df2856843e1057a
pkEm: 04f336578b72ad7932fe867cc4d2d44a718a318037a0ec271163699cee653f
a805c1fec955e562663e0c2061bb96a87d78892bff0cc0bad7906c2d998ebe1a7246
skEm:
7d6e4e006cee68af9b3fdd583a0ee8962df9d59fab029997ee3f456cbc857904
ikmR:
ee51dec304abf993ef8fd52aacdd3b539108bbf6e491943266c1de89ec596a17
pkRm: 041eb8f4f20ab72661af369ff3231a733672fa26f385ffb959fd1bae46bfda
43ad55e2d573b880831381d9367417f554ce5b2134fbba5235b44db465feffc6189e
skRm:
12ecde2c8bc2d5d7ed2219c71f27e3943d92b344174436af833337c557c300b3
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04f336578b72ad7932fe867cc4d2d44a718a318037a0ec271163699cee653fa
805c1fec955e562663e0c2061bb96a87d78892bff0cc0bad7906c2d998ebe1a7246
shared_secret:
ac4f260dce4db6bf45435d9c92c0e11cfdd93743bd3075949975974cc2b3d79e
key_schedule_context: 01622b72afcc3795841596c67ea74400ca3b029374d7d5
640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c
secret:
858c8087a1c056db5811e85802f375bb0c19b9983204a1575de4803575d23239
key:
6d61cb330b7771168c8619498e753f16198aad9566d1f1c6c70e2bc1a1a8b142
base_nonce: 0de7655fb65e1cd51a38864e
exporter_secret:
754ca00235b245e72d1f722a7718e7145bd113050a2aa3d89586d4cb7514bfdb
]]></artwork>
          <section anchor="encryptions-9">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 0de7655fb65e1cd51a38864e
ct: 21433eaff24d7706f3ed5b9b2e709b07230e2b11df1f2b1fe07b3c70d5948a53
d6fa5c8bed194020bd9df0877b

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 0de7655fb65e1cd51a38864f
ct: c74a764b4892072ea8c2c56b9bcd46c7f1e9ca8cb0a263f8b40c2ba59ac9c857
033f176019562218769d3e0452

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 0de7655fb65e1cd51a38864c
ct: dc8cd68863474d6e9cbb6a659335a86a54e036249d41acf909e738c847ff2bd3
6fe3fcacda4ededa7032c0a220

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 0de7655fb65e1cd51a38864a
ct: cd54a8576353b1b9df366cb0cc042e46eef6f4cf01e205fe7d47e306b2fdd90f
7185f289a26c613ca094e3be10

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 0de7655fb65e1cd51a3886b1
ct: 6324570c9d542c70c7e70570c1d8f4c52a89484746bf0625441890ededcc80c2
4ef2301c38bfd34d689d19f67d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 0de7655fb65e1cd51a38874e
ct: 1ea6326c8098ed0437a553c466550114fb2ca1412cca7de98709b9ccdf19206e
52c3d39180e2cf62b3e9f4baf4
]]></artwork>
          </section>
          <section anchor="exported-values-9">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
530bbc2f68f078dccc89cc371b4f4ade372c9472bafe4601a8432cbb934f528d

exporter_context: 00
L: 32
exported_value:
6e25075ddcc528c90ef9218f800ca3dfe1b8ff4042de5033133adb8bd54c401d

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
6f6fbd0d1c7733f796461b3235a856cc34f676fe61ed509dfc18fa16efe6be78
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="dhkemp-521-hkdf-sha512-hkdf-sha512-aes-256-gcm">
        <name>DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM</name>
        <section anchor="base-setup-information-5">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 7f06ab8215105fc46aceeb2e3dc5028b44364f960426eb0d8e4026c2f8b5d7
e7a986688f1591abf5ab753c357a5d6f0440414b4ed4ede71317772ac98d9239f709
04
pkEm: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8
900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731
ece2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed0
692237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0
skEm: 014784c692da35df6ecde98ee43ac425dbdd0969c0c72b42f2e708ab9d5354
15a8569bdacfcc0a114c85b8e3f26acf4d68115f8c91a66178cdbd03b7bcc5291e37
4b
ikmR: 2ad954bbe39b7122529f7dde780bff626cd97f850d0784a432784e69d86ecc
aade43b6c10a8ffdb94bf943c6da479db137914ec835a7e715e36e45e29b587bab3b
f1
pkRm: 0401b45498c1714e2dce167d3caf162e45e0642afc7ed435df7902ccae0e84
ba0f7d373f646b7738bbbdca11ed91bdeae3cdcba3301f2457be452f271fa6837580
e661012af49583a62e48d44bed350c7118c0d8dc861c238c72a2bda17f64704f464b
57338e7f40b60959480c0e58e6559b190d81663ed816e523b6b6a418f66d2451ec64
skRm: 01462680369ae375e4b3791070a7458ed527842f6a98a79ff5e0d4cbde83c2
7196a3916956655523a6a2556a7af62c5cadabe2ef9da3760bb21e005202f7b24628
47
enc: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab89
00aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731e
ce2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed06
92237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0
shared_secret: 776ab421302f6eff7d7cb5cb1adaea0cd50872c71c2d63c30c4f1
d5e43653336fef33b103c67e7a98add2d3b66e2fda95b5b2a667aa9dac7e59cc1d46
d30e818
key_schedule_context: 0083a27c5b2358ab4dae1b2f5d8f57f10ccccc822a4733
26f543f239a70aee46347324e84e02d7651a10d08fb3dda739d22d50c53fbfa8122b
aacd0f9ae5913072ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d67753
08c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692
e85b09a4
secret: 49fd9f53b0f93732555b2054edfdc0e3101000d75df714b98ce5aa295a37
f1b18dfa86a1c37286d805d3ea09a20b72f93c21e83955a1f01eb7c5eead563d21e7
key:
751e346ce8f0ddb2305c8a2a85c70d5cf559c53093656be636b9406d4d7d1b70
base_nonce: 55ff7a7d739c69f44b25447b
exporter_secret: e4ff9dfbc732a2b9c75823763c5ccc954a2c0648fc6de80a585
81252d0ee3215388a4455e69086b50b87eb28c169a52f42e71de4ca61c920e7bd24c
95cc3f992
]]></artwork>
          <section anchor="encryptions-10">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 55ff7a7d739c69f44b25447b
ct: 170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b20
0aafcc6d80ea4c795a7c5b841a

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 55ff7a7d739c69f44b25447a
ct: d9ee248e220ca24ac00bbbe7e221a832e4f7fa64c4fbab3945b6f3af0c5ecd5e
16815b328be4954a05fd352256

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 55ff7a7d739c69f44b254479
ct: 142cf1e02d1f58d9285f2af7dcfa44f7c3f2d15c73d460c48c6e0e506a3144ba
e35284e7e221105b61d24e1c7a

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 55ff7a7d739c69f44b25447f
ct: 3bb3a5a07100e5a12805327bf3b152df728b1c1be75a9fd2cb2bf5eac0cca1fb
80addb37eb2a32938c7268e3e5

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 55ff7a7d739c69f44b254484
ct: 4f268d0930f8d50b8fd9d0f26657ba25b5cb08b308c92e33382f369c768b558e
113ac95a4c70dd60909ad1adc7

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 55ff7a7d739c69f44b25457b
ct: dbbfc44ae037864e75f136e8b4b4123351d480e6619ae0e0ae437f036f2f8f1e
f677686323977a1ccbb4b4f16a
]]></artwork>
          </section>
          <section anchor="exported-values-10">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
05e2e5bd9f0c30832b80a279ff211cc65eceb0d97001524085d609ead60d0412

exporter_context: 00
L: 32
exported_value:
fca69744bb537f5b7a1596dbf34eaa8d84bf2e3ee7f1a155d41bd3624aa92b63

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
f389beaac6fcf6c0d9376e20f97e364f0609a88f1bc76d7328e9104df8477013
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information-5">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: f3ebfa9a69a924e672114fcd9e06fa9559e937f7eccce4181a2b506df53dbe
514be12f094bb28e01de19dd345b4f7ede5ad7eaa6b9c3019592ec68eaae9a14732c
e0
pkEm: 040085eff0835cc84351f32471d32aa453cdc1f6418eaaecf1c2824210eb1d
48d0768b368110fab21407c324b8bb4bec63f042cfa4d0868d19b760eb4beba1bff7
93b30036d2c614d55730bd2a40c718f9466faf4d5f8170d22b6df98dfe0c067d02b3
49ae4a142e0c03418f0a1479ff78a3db07ae2c2e89e5840f712c174ba2118e90fdcb
skEm: 012e5cfe0daf5fe2a1cd617f4c4bae7c86f1f527b3207f115e262a98cc6526
8ec88cb8645aec73b7aa0a472d0292502d1078e762646e0c093cf873243d12c39915
f6
ikmR: a2a2458705e278e574f835effecd18232f8a4c459e7550a09d44348ae5d3b1
ea9d95c51995e657ad6f7cae659f5e186126a471c017f8f5e41da9eba74d4e0473e1
79
pkRm: 04006917e049a2be7e1482759fb067ddb94e9c4f7f5976f655088dec452466
14ff924ed3b385fc2986c0ecc39d14f907bf837d7306aada59dd5889086125ecd038
ead400603394b5d81f89ebfd556a898cc1d6a027e143d199d3db845cb91c5289fb26
c5ff80832935b0e8dd08d37c6185a6f77683347e472d1edb6daa6bd7652fea628fae
skRm: 011bafd9c7a52e3e71afbdab0d2f31b03d998a0dc875dd7555c63560e142bd
e264428de03379863b4ec6138f813fa009927dc5d15f62314c56d4e7ff2b485753eb
72
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 040085eff0835cc84351f32471d32aa453cdc1f6418eaaecf1c2824210eb1d4
8d0768b368110fab21407c324b8bb4bec63f042cfa4d0868d19b760eb4beba1bff79
3b30036d2c614d55730bd2a40c718f9466faf4d5f8170d22b6df98dfe0c067d02b34
9ae4a142e0c03418f0a1479ff78a3db07ae2c2e89e5840f712c174ba2118e90fdcb
shared_secret: 0d52de997fdaa4797720e8b1bebd3df3d03c4cf38cc8c1398168d
36c3fc7626428c9c254dd3f9274450909c64a5b3acbe45e2d850a2fd69ac0605fe5c
8a057a5
key_schedule_context: 0124497637cf18d6fbcc16e9f652f00244c981726f293b
b7819861e85e50c94f0be30e022ab081e18e6f299fd3d3d976a4bc590f85bc7711bf
ce32ee1a7fb1c154ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d67753
08c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692
e85b09a4
secret: 2cf425e26f65526afc0634a3dba4e28d980c1015130ce07c2ac7530d7a39
1a75e5a0db428b09f27ad4d975b4ad1e7f85800e03ffeea35e8cf3fe67b18d4a1345
key:
f764a5a4b17e5d1ffba6e699d65560497ebaea6eb0b0d9010a6d979e298a39ff
base_nonce: 479afdf3546ddba3a9841f38
exporter_secret: 5c3d4b65a13570502b93095ef196c42c8211a4a188c4590d358
63665c705bb140ecba6ce9256be3fad35b4378d41643867454612adfd0542a684b61
799bf293f
]]></artwork>
          <section anchor="encryptions-11">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 479afdf3546ddba3a9841f38
ct: de69e9d943a5d0b70be3359a19f317bd9aca4a2ebb4332a39bcdfc97d5fe62f3
a77702f4822c3be531aa7843a1

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 479afdf3546ddba3a9841f39
ct: 77a16162831f90de350fea9152cfc685ecfa10acb4f7994f41aed43fa5431f23
82d078ec88baec53943984553e

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 479afdf3546ddba3a9841f3a
ct: f1d48d09f126b9003b4c7d3fe6779c7c92173188a2bb7465ba43d899a6398a33
3914d2bb19fd769d53f3ec7336

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 479afdf3546ddba3a9841f3c
ct: 829b11c082b0178082cd595be6d73742a4721b9ac05f8d2ef8a7704a53022d82
bd0d8571f578c5c13b99eccff8

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 479afdf3546ddba3a9841fc7
ct: a3ee291e20f37021e82df14d41f3fbe98b27c43b318a36cacd8471a3b1051ab1
2ee055b62ded95b72a63199a3f

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 479afdf3546ddba3a9841e38
ct: eecc2173ce1ac14b27ee67041e90ed50b7809926e55861a579949c07f6d26137
bf9cf0d097f60b5fd2fbf348ec
]]></artwork>
          </section>
          <section anchor="exported-values-11">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
62691f0f971e34de38370bff24deb5a7d40ab628093d304be60946afcdb3a936

exporter_context: 00
L: 32
exported_value:
76083c6d1b6809da088584674327b39488eaf665f0731151128452e04ce81bff

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
0c7cfc0976e25ae7680cf909ae2de1859cd9b679610a14bec40d69b91785b2f6
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="dhkemx25519-hkdf-sha256-hkdf-sha256-export-only-aead">
        <name>DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD</name>
        <section anchor="base-setup-information-6">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
55bc245ee4efda25d38f2d54d5bb6665291b99f8108a8c4b686c2b14893ea5d9
pkEm:
e5e8f9bfff6c2f29791fc351d2c25ce1299aa5eaca78a757c0b4fb4bcd830918
skEm:
095182b502f1f91f63ba584c7c3ec473d617b8b4c2cec3fad5af7fa6748165ed
ikmR:
683ae0da1d22181e74ed2e503ebf82840deb1d5e872cade20f4b458d99783e31
pkRm:
194141ca6c3c3beb4792cd97ba0ea1faff09d98435012345766ee33aae2d7664
skRm:
33d196c830a12f9ac65d6e565a590d80f04ee9b19c83c87f2c170d972a812848
enc:
e5e8f9bfff6c2f29791fc351d2c25ce1299aa5eaca78a757c0b4fb4bcd830918
shared_secret:
e81716ce8f73141d4f25ee9098efc968c91e5b8ce52ffff59d64039e82918b66
key_schedule_context: 009bd09219212a8cf27c6bb5d54998c5240793a70ca0a8
92234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
04d64e0620aa047e9ab833b0ebcd4ff026cefbe44338fd7d1a93548102ee01af
key:
base_nonce:
exporter_secret:
79dc8e0509cf4a3364ca027e5a0138235281611ca910e435e8ed58167c72f79b
]]></artwork>
          <section anchor="exported-values-12">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
7a36221bd56d50fb51ee65edfd98d06a23c4dc87085aa5866cb7087244bd2a36

exporter_context: 00
L: 32
exported_value:
d5535b87099c6c3ce80dc112a2671c6ec8e811a2f284f948cec6dd1708ee33f0

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
ffaabc85a776136ca0c378e5d084c9140ab552b78f039d2e8775f26efff4c70e
]]></artwork>
          </section>
        </section>
        <section anchor="psk-setup-information-6">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
c51211a8799f6b8a0021fcba673d9c4067a98ebc6794232e5b06cb9febcbbdf5
pkEm:
d3805a97cbcd5f08babd21221d3e6b362a700572d14f9bbeb94ec078d051ae3d
skEm:
1d72396121a6a826549776ef1a9d2f3a2907fc6a38902fa4e401afdb0392e627
ikmR:
5e0516b1b29c0e13386529da16525210c796f7d647c37eac118023a6aa9eb89a
pkRm:
d53af36ea5f58f8868bb4a1333ed4cc47e7a63b0040eb54c77b9c8ec456da824
skRm:
98f304d4ecb312689690b113973c61ffe0aa7c13f2fbe365e48f3ed09e5a6a0c
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
d3805a97cbcd5f08babd21221d3e6b362a700572d14f9bbeb94ec078d051ae3d
shared_secret:
024573db58c887decb4c57b6ed39f2c9a09c85600a8a0ecb11cac24c6aaec195
key_schedule_context: 01446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72
f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
638b94532e0d0bf812cf294f36b97a5bdcb0299df36e22b7bb6858e3c113080b
key:
base_nonce:
exporter_secret:
04261818aeae99d6aba5101bd35ddf3271d909a756adcef0d41389d9ed9ab153
]]></artwork>
          <section anchor="exported-values-13">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
be6c76955334376aa23e936be013ba8bbae90ae74ed995c1c6157e6f08dd5316

exporter_context: 00
L: 32
exported_value:
1721ed2aa852f84d44ad020c2e2be4e2e6375098bf48775a533505fd56a3f416

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
7c9d79876a288507b81a5a52365a7d39cc0fa3f07e34172984f96fec07c44cba
]]></artwork>
          </section>
        </section>
      </section>
    </section>
    <section anchor="edge-case-test-vectors">
      <name>Edge-Case Test Vectors</name>
      <t>This appendix contains test vectors that exercise behavior defined by HPKE itself -- DeriveKeyPair rejection sampling, the labeled key schedule, and the handling of empty and zero-byte inputs -- rather than the underlying KEM, KDF, and AEAD primitives.  Except for the rejection-sampling vector in the first section, all vectors use the suite DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM, because the behavior exercised is independent of the choice of KEM, KDF, and AEAD.</t>
      <section anchor="kem-key-derivation-with-rejection-sampling">
        <name>KEM Key Derivation with Rejection Sampling</name>
        <t>In this vector the recipient <tt>ikm</tt> is chosen so that the candidate private key derived with <tt>counter = 0</tt> (<tt>rejected_candidate</tt> below) is greater than or equal to the order of the P-256 group and is therefore rejected; the key pair is produced from the candidate at <tt>counter = 1</tt>.  This exercises the rejection sampling loop in <tt>DeriveKeyPair</tt>.</t>
        <section anchor="base-setup-information-7">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 4270e54ffd08d79d5928020af4686d8f6b7d35dbe470265f1f5aa22816ce860e
ikmR: 68706b652d656467652d703235362d72656a656374696f6e00000001c6be4ce7
rejected_candidate (counter=0):
ffffffffc6e92ab863d8293933c849d280fc9a40f07471a06702bdf2eac30fa2
skRm: d9cbff7adaa1c604a2e4fcfb762c9e1c5ed7d2e33b15fcad4c6c3f23a9637325
pkRm:
04d3bec6a691f47bbedd5caa1d51c7228f6afeeec5576495b855bbe6595e49643570be
005fc177b3d80f6eeef280b1cf8a565d7ca28116dee2e875550ef3050ca8
enc:
04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325ac98536
d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4
shared_secret:
1f38c13d9156ad1439d1edf648a12bf9c62cecb95cbb2087e16683636744251a
key: 58337e18488e9e09ab4278759207d006
base_nonce: d4967824655d4887a04b3d87
exporter_secret:
04f68c9f58b994666057b92606f7b738c47300fcb3a33bac157ee4a934bbae25
]]></artwork>
          <section anchor="encryptions-12">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: d4967824655d4887a04b3d87
ct:
bcf25d5db84780b5b222eb26a63d8fb489c6a0bf1f6281cbc10c633707dbcda9af7cee
7a57abdb59ce4c9d4162
]]></artwork>
          </section>
          <section anchor="exported-values-14">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context: 54657374436f6e74657874
L: 32
exported_value:
abd921fc81dae75036e9146d2e5826e3ea075b410c1c46a0a0533a9e3e685490
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="empty-and-zero-byte-aead-inputs">
        <name>Empty and Zero-Byte AEAD Inputs</name>
        <t>This vector uses a normal context and exercises empty and zero-byte values for the per-message <tt>aad</tt> and <tt>pt</tt> inputs and the <tt>exporter_context</tt> input.</t>
        <section anchor="base-setup-information-8">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234
ikmR: 6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037
skRm: 4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8
pkRm: 3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d
enc: 37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
shared_secret:
fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc
key: 4531685d41d65f03dc48f6b8302c05b0
base_nonce: 56d890e5accaaf011cff4b7d
exporter_secret:
45ff1c2e220db587171952c0592d5f5ebe103f1561a2614e38f2ffd47e99e3f8
]]></artwork>
          <section anchor="encryptions-13">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt:
aad: 436f756e742d30
nonce: 56d890e5accaaf011cff4b7d
ct: 3f431133aa05608a56675bec51d03e0f

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad:
nonce: 56d890e5accaaf011cff4b7c
ct:
af2d7e9ac9ae7e270f46ba1f975be53c09f8d875bdc8535458c2494e8aa7d2bb71109b
5730bb714a8e64e5cc16

sequence number: 2
pt: 00010002000300
aad: 436f756e742d30
nonce: 56d890e5accaaf011cff4b7f
ct: 0be99ddcad54aabf548b3dbae884aff7aaeb0afc9ab60f

sequence number: 3
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 00ff00ff00
nonce: 56d890e5accaaf011cff4b7e
ct:
6b0f4cd351730cd25993d8ad0f11bff1ef2c3a957cb4d8694bb06c60a2f65e4f4cf8c1
ae35431071bb18eff3e8
]]></artwork>
          </section>
          <section anchor="exported-values-15">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context:
L: 32
exported_value:
3853fe2b4035195a573ffc53856e77058e15d9ea064de3e59f4961d0095250ee

exporter_context: 00
L: 32
exported_value:
2e8f0b54673c7029649d4eb9d5e33bf1872cf76d623ff164ac185da9e88c21a5

exporter_context: 0011002200
L: 32
exported_value:
73ac25f70dd55c215b4220e6978533ee2d3a559a48c507b11e200af81e64337a
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="empty-info">
        <name>Empty info</name>
        <t>This vector uses an empty <tt>info</tt> value in the key schedule.</t>
        <section anchor="base-setup-information-9">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 1
info:
ikmE: 7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234
ikmR: 6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037
skRm: 4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8
pkRm: 3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d
enc: 37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
shared_secret:
fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc
key: a9b96236b306695e8729863403f68d4f
base_nonce: 0816b7f1635cce3ee2a7f611
exporter_secret:
ac9efc2aea9784504d6e817cf056845b1947cb604e6f398704c0524a1cc8e90f
]]></artwork>
          <section anchor="encryptions-14">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 0816b7f1635cce3ee2a7f611
ct:
2a19b5c53b9bc4d52723cfa64b0c0532b9fd5473e8c1105285be1a5fd763463c3d3423
6f5d26ebfe906277e094
]]></artwork>
          </section>
          <section anchor="exported-values-16">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context: 54657374436f6e74657874
L: 32
exported_value:
8a02de446479bb7d27490ed85a69c6bbaddd0969fbc84f7661ab038c9008f053
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="info-with-embedded-zero-bytes">
        <name>info with Embedded Zero Bytes</name>
        <t>This vector uses an <tt>info</tt> value that contains embedded zero bytes in the key schedule.</t>
        <section anchor="base-setup-information-10">
          <name>Base Setup Information</name>
          <artwork><![CDATA[
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 1
info: f0000f00ff
ikmE: 7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234
ikmR: 6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037
skRm: 4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8
pkRm: 3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d
enc: 37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
shared_secret:
fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc
key: 7d8ac6f5d6276d9411b66d4bfa232381
base_nonce: 626c42fcd01b1690bf10cb44
exporter_secret:
47c5306e700000a21465f2efd0c81d8df46e607b538fb330b213726d1004899e
]]></artwork>
          <section anchor="encryptions-15">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 626c42fcd01b1690bf10cb44
ct:
dccc58fdd5dd0f80a162809a6bd47bf881ce2821b5ab718892dd568e2dcef6c98750fa
1dc39a6182802ef3416c
]]></artwork>
          </section>
          <section anchor="exported-values-17">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context: 54657374436f6e74657874
L: 32
exported_value:
b16979c789e60ff4a21a3975b785ed3114d44525a3f660a4a848891dcf54446a
]]></artwork>
          </section>
        </section>
      </section>
      <section anchor="psk-and-pskid-with-embedded-zero-bytes">
        <name>psk and psk_id with Embedded Zero Bytes</name>
        <t>This vector uses PSK mode with a <tt>psk</tt> and <tt>psk_id</tt> that contain embedded zero bytes.</t>
        <section anchor="psk-setup-information-7">
          <name>PSK Setup Information</name>
          <artwork><![CDATA[
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 78628c354e46f3e169bd231be7b2ff1c77aa302460a26dbfa15515684c00130b
ikmR: d4a09d09f575fef425905d2ab396c1449141463f698f8efdb7accfaff8995098
skRm: c5eb01eb457fe6c6f57577c5413b931550a162c71a03ac8d196babbd4e5ce0fd
pkRm: 9fed7e8c17387560e92cc6462a68049657246a09bfa8ade7aefe589672016366
enc: 0ad0950d9fb9588e59690b74f1237ecdf1d775cd60be2eca57af5a4b0471c91b
shared_secret:
727699f009ffe3c076315019c69648366b69171439bd7dd0807743bde76986cd
key: ca4f3f1e77364e55e5554d480a8ee58a
base_nonce: a8cf850e9bdd7d73155a5243
exporter_secret:
d08a0e5476626a7fccf354ec6b1787a238e53f8e38e96af3d2c4f76f6295007b
psk: 0000000000000000111111111111111100000000000000002222222222222222
psk_id: 0050534b00696400
]]></artwork>
          <section anchor="encryptions-16">
            <name>Encryptions</name>
            <artwork><![CDATA[
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: a8cf850e9bdd7d73155a5243
ct:
cf34c6d0f86cd81c527cff7a2a20541cd017877d6e95f82f9dc13e6937bef65723bf43
d4a2362690c20591ce67
]]></artwork>
          </section>
          <section anchor="exported-values-18">
            <name>Exported Values</name>
            <artwork><![CDATA[
exporter_context: 54657374436f6e74657874
L: 32
exported_value:
000521bf952f7f7c56cf7dbf40ec1f6943a3233abe36a72d20aa4f87e0d90a95
]]></artwork>
          </section>
        </section>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9S92XYb2ZUo+H6+Iopaq024AAgAZ6bTLoqkUnRq4CWVzvRy
u4QAECDCBBBwRIAUrVR9y33ot/veH9D1Y73HM0QESKad3WvdXLYkABFn2Gef
PQ+dTseUaTlPjqM3D6M8nUSX69E8HUffJw/R+XKcP6zKNFuaeDTKkzt46PL7
czPJxst4Aa9M8nhadtKknHZmq9uE/+jtmklcJsdmDH/eZPnDcVSUE3Of5bc3
ebZeySDZqMjmSZkUx9FR/7BnTLrKj6MyXxfloNc76g3MbfIAL02Oo4tlmeTL
pOyc4XzGFGW8nHyK59kS1vCQFGaVHkd/KbNxOyqyvMyTaQH/eljgP/5qTLwu
Z1l+bKJOFKVLmO+qG72KYcDCRPAfb+UqHc/ifBK9DX5LFnE6P47y+eg/0tVd
t/jsBvkeHoQ3buK7eOmN832cl7P0tvJblt/gNvI09oe95WeTh3jZHenz/5Hi
Y91p7qZ61Y3epquVN8urZPm3eJEu3fc0w1VWJMtVXASLx+P5j5G8MIfnu5PE
jX3ajX7Msok39uksT4syW82SPDrxfpXhxvH9f8ySeJUub0ZpWXThXODsltMs
X8RlegfnHkWn173+Mb0kuLV1lhTpzTKCc4tOlvH8oUiLKJtGl3k8LtNxPBe0
64RoF12PZ8kiKaLrZLzOkyi+iWHRZXQyiVc4F6wVdxydprjaMvkMP5VlPL7d
4skBpEl5HM3KclUcv3yZrPJ0WXbTeJx3AV4vAc/6L/u9Q3qYcDbCr+ijRRr6
ryN/OwQ6zQFYuf1akCiDvU3C3yqv/qkbXc/gFlTe/FM6LrNcfoLf3rz5vrcf
gvA6WyTRdrpsFevpNB2nybKMxtlykiKkiggOICoYTDO+yYmF47PBsf9ysL8X
gmP/aXD8sRu9SfI8Xv6jsqs/xncpYFH4Y+XlM3g5m86StPb2WbJcAppUfq28
ft6Nvk/nZfXdc7hW8gP88t3JZQjLj7Mk+i5edS7zbDRPFgVchzh6n9xHp3O4
PYyZ8gvCtYTHCQXT8gF/PEW4Zjd5vJoBqRQkbQbyPF3edguE9E2Sd8fZ4iWc
WQln93I1mQLydfu93sHLnc7ebq+zu7t3uN8ZfDrswm+/GCk/dqMPt/EiK7MK
LD7GZbGOb9PKz/VzuMwAH2Azd/G8ehRwkJPa70WSp3Cv4e7rki6uX70Hen5w
2PF3dIRncPL++iI8BPwm+umou7/jMx0Ptg8W+K/TZbwcp0AnrpP8Lh0DSbhY
ToBV5A9Rp0PvndzkCRwDXAokMvjNR0C6YgUMIfoBFnkTnc+B+gG1iU7XOdIO
b6KtXwpt+4Ho7glcd6Biy+h9jNcNl4ksCvgJrrOADa/LBIFwcX5+3t/Z3wkA
gV9G+G3ctu9F16tknMI1j93t3gSkDs6/nNDe+wiOkwkTBVjHx2Q8W6Z/Xyt6
2i3u/sIt2m0g/p/Pk3GZE91GYPPHbJmOCyDeN+kySfKCtnv9ITxy+OLlxflp
BAx/Z6czaMOwwjiA2NNas3l2g1uy183tAL71WMPJHGSLtJzR5b0EThoNaO/A
9xcJLk64QnXjT9Oz6sZR+NBz/QBMepn+gxeMh6IHpt+9rLwgsClpFwiw02yx
SIsChSqY6Pr89LsQRI9gadtDK5z73PKBAB++QymrHd0BvYkGzVQJGMUN0Xz4
R79zN6gTHLqzr973epU7C3CDCREvk4l3HMD7krngKhAZuG3vM/lUYfl4nb9L
lgmdULZYZQXhKh5hPElvFs/mVb2XvUGFV/WeppLvQGxL5vM4Tyok7l06S/Pa
b4QCPyxB1sgLJf7xPAXoL9M4uoYrf5aCkNs8F8hW7+PFKk/w/5XpTmcx4Mgs
XTU98txZ8YhAUDiqCArrEfyjBNIMyyB4nyXTdMlghqEu3p91Tk9PjqMf4Sjp
fN5k9yR6oOwyi+fzBJhV5yyxd20EQ6QF/JDdJ5M/PPuEjl7u9g+raPX0Cf36
B9EsScigpz9eAAEt4NJO4sUGIcNJE4+8imIbaDaK7JWLswxuwWPK1nPhO+i9
HOzuBPAdPOMG+NqEw8e6RmF3SXoL3s+UiPoJoNzbq0GVMPDm4OIjwiEcLLH6
Bfvp7x4d/eINgfh5Mr9PllXhM/vv/zWv/EL7+TEd326QzgE2r+YgacxAqanA
J18vs/qPNQA14w/IuPF6fFsVUidrZPXhT6zIrWd5x2L7f/9fZfQqG8/Wm9Dz
SRn4Xxj8X0KXxhFB0rxKk1VSEzIzkOCW1d8eXzI89u7k/KRfxUZiLbgEJnkk
wFtODZzrTzgQsieUZk4vzq+bkTRNkuTzag4L6+I/CVHjEYidoLa+nGTjNQpd
L/f2e7v9o92XAeb2n4G5oAx+Fz9kRRa9AwEG5KbqET7yAAueq9U8he1czuDu
jT1hsw06+MVpG16bAJ0BwWEFmnPzIl6T9gby9ST5B1yXO6C61WU8+sivtpC3
/ixADkHmLyoLefSRX20hwLev6Z7DZu/SeVxl3Zt+pgVcZvMHkfY8flWdl4Sr
j/0K536fLVG1OQEdHsWncTKBDZ2fnIFwdZfCMEkDLQUsnXzuTrKUkFMVSlbB
eju9zmD/aPewc/AppKv95zDiX1FUaj/Foq9AVrqpzHMFq/O//ddmAEL2MR7f
LuJllVO8+tt//9/5sv4rk7NX7wD8RRLn4xke29vvarwPtQ+SrpD9fQDaME/E
DrXBKLCJ9/VD3vcMpR9439s651vPgQK/rfK9U4ATnBlpVM2jXQK5ydejUfXa
XcbrefWXZw75EYk9SEhLoMZVnvpxli3ioun3+uDw08ekKP+UoJ2sIluRtIG/
RvJzM9RvQFtcj9gGMwWoi/U6L6cd/EzW65ejeTZ6uTfd6+2M9/Z3J3GvN+rt
Hx6MdibJwd60P5mOJtPxbu/gKJ7s9F+WMGnnjift/g2YTfUA4TPad9U2AUzu
wwXc0O5+b3D48v3F9cfu9WX3sNfr7O2f5Dv4OH5Jql/R8PDri8vrbv9wv7NL
Zq3Td5sH3Dk8I2ntj9+/HYT2BrJ+XeZJ53oG95dtJe+yScKCKcDy2Ui7A0h7
2Av3vPPrC2wnP153HhHaYLg/wrVNavLVH0EDL2q//W8vYL2LP0eXKIjeelYZ
skWozQR1uss8vYvHD8Z0Op1IZRZjPs5AAVHJJYJDH+fpCI4+jgoyY9JAYkBe
sXYCCOzZkqNtRJFWF+4jDGXkrVWe3aUTGgekgzSGsQGZmgeAH+J8lMKC8odO
QeLYag5MEe33hcH54yhPxumKTBtujG50UUbxHIShdDmer8PZyllcEtapdaIw
q6woErK00JSwxqRTMMrTaEQ20C3F1pR4+RABbRilbLuhd5YmdvYk0dLiVbFm
U0f0DihTDJrlItr+/vxdq007nSQIeTYQrZdjhtn3Z6/hZzyXOLCgOLCYeyBP
UexMd3Cj4mgb2X/Lh56O2Y3Co9QTMOghAYikYo0R6VfOaU0q2j08OH+AD7AC
XFNiDUlwxxcpulbQg7Yew4IKU7FInaXwdNJ5A6QZuGW0fX569qZFO7dkrh29
eXdy2hnFBcPag4lxMHnjgHL95qQz6Fax07oIo6vXp+Ql7DI6L9LJZJ4Y8wKN
bXk2WdOIxnjmwUI8R4QXfKxJ5B0mzup9csbEWQx7HIEiYgo2wQqMVuyqgk8A
wnFCQAWhAMA4iR+KCraPA6td0r3pts2XL3+AbfR3B/2vX7uon8CSVF8u77Po
IU3mk4I+4hAA2/hGDNqTOzhQ+ETTuE0YfxpaJL68SnKyqeIiR8kymaYlved2
67+GaATzo+2N8c74d2AG9BNhEW0JBjIu2ZFwoYS3NLG7qVvAlImGbJnHiIie
EuCahfUsyUFWL2MgrXE0AVyDzwiDFSB4PJ4dm60btB7C7WlYC8IAt5sE17Rx
hcZa2OdzPCNeGywA1lMQrMfZ8g7HjIRoFMk4T0pvbPiOL62/Sd4SoPU8o5sG
v2eAekBgFhm6MCuUb2xdl4Vbg1mLJQVwl0gV3YvyYZVspqp4VAukYTFqQOo3
AFVDEbctZBNHfkd7xH+9jR8Sj3Mwkh7tDnpfv7ajj2+v1S4FizqdI4nAe5/p
c4e7R/gcgv0DLOouzdZF9Objx0s70N4hYLsxQDrwGBHSJZ4wwCGJlnDNc3wD
UG6VlLgcHGmZLTvIDfIMUDkegTBdWLM3/G2E5Bc+q3KAaAOcC5goso9lbASt
kDE009/kFTO2+PKQqF2cX7d8kDlvlZFfYY/4JQLAuXDgS3Xy0A+hwwN/vf6g
IEPjP/4R9YE44AckDHAWCTzGVo2vX5k1RShNZeubGYGK7Rrw6AlIx7C1AijR
ZxCiYZlG6R6RsZU4MYUEwVUex0D08Z0HYLEAJORz63JCYPBp/xyUF8CcLJsS
7UiXEx5/ncJlGKVzxJU1aOGwNvXFj8kX33EIHcWkA0XbYnAetNhBTeow7Goa
p7D8TDlXhMJ0pMJ0XVKZAgVHBGC+LfyMrognfBTrUZGURpie8ppCH5lEowf6
ZZzN0TEjfF6BFo8yJP7r0qP9dIN9lzsovbh7mpkAiY6/URL5KPtg0sVqTtQ7
mTCJpVUDSQFBjNmVbIkpHgh6sNsiDHPYVti2DAM3qgG3cNDt8NstOZcxerLZ
RVcU68VKvDEjOG6DEKCn5g+I2u7gAfF8EzagH+A4aRD8TzH9KgKDhFV2/r6G
WwbCrSz+Hp0KJFkwbQwe0h2CtLRpZNANANyLBZBIOBrD6B3TgtChQT6NL19g
nM6KoI1+DiIxL0BN//s6zQnqBRpQWOAwH4WjYjBREW29++H641ab/47ef6B/
X53/jx8urs7P8N8gi7x9a/9h5InrNx9+eHvm/uXePP3w7t35+zN+Gb6Ngq/M
1ruTP28xuLY+XH68+PD+5O0WO2Z8/EZ6CHdB8QhkVbySIH2piD7Bd16dXv4/
/7O/CwD4N6Cug37/iKCHHw77B7vwAcHPs2VLuN/8EdHUAF8AeQVHAY4HSLtK
SxCm4VnAu1l2vyQ87Jrf/WGOolJn/w+/NwjUEI7TDJ1AxJySHKQlXDYddjkj
+gTYVdkYbEq3gOswdEMIGdtRDuJdwasdJUCxUrj5qoQeg6gXDbeL25/a0er2
p9YQ9EDleR5vX4QiOD2xitOcVwWbxTmin9qgQt0T4/kJcYg48jS6bkdXRIrO
CQoJXom20z14ZckKiUMez/EXpAt4U+YP38CIQ1jdEMcj4YJE3MTKIcOV/6OT
PHBbq1vcGO4JgYq3wRcesxwnwtAehHNGA9Az3gw0NY51TauOtq9bGH80p32h
fqEkCndFZLMm4eDbV1bP2r7aMACAIyHasGmMcwUQsE1vjDiawjZmUQ7AyBbA
jufrBF5DZQ15GhxBp0xJJaFRhheDD9eX24Ct9wiXUxS+8pKEgWVyQ6FldDVu
YLPD5RDhEkfD+2EHvZXlDA94lN50YLcp0uOHEsUGDLshDA9ukVyYXv8ACQdM
/eF6cHG5/dmf1xsgGn6W6ZoWg8PD3BsnaDP9xXGq6wN6lOS0AOALILFtf+61
o24XGPXn97IW1BKdPuotCjhkZN/rfe712xH8Oejt0N+7vb3efiv6Fv/dx2/5
G0KYIQPsMgf28zmZ8LY/shLSoRn4AdUcK5BoR2O7rAQjA4nMI4hA8E7mUxBL
tutTwFJkrXzM8AB8244G8H9YQCtC3Z4cRohleY5xP1mEsjmTE6s1MlNZ0oSM
UoSk8AiJ1/BhGe3v7e3s0bpxQJTDad+MiNtLJiWrIllPMkFOf4+wbQEAohmP
Am9/zvLtuD3Cl3/6cFU9jW/4gd7n173XPTyC/mBnlw/gfHC6O8TToh0+a3+o
Dsb5zZo5GUy1XgJro6grXhqwuz/h5kW/RSqMIhrbFAABJ9ka5ea/rzPUnrdZ
+tsCurHVMnkCzKXAK1/AoAl5HGQ3QIuXGZBslC8smiFqMKT1KSVqJ9enFxdI
EzKiVCzyIw9X1KH5JzJU15zA1kEQeVBIb29ttey6UXr7BwhQcp8FurJCWkWR
hF8WvCzkNbRssQqRIQdH4qdBkLhFMZVVV7h+bSOGDRXclFMUGGAJyuQsmxBE
LKBwrRYcwBLD8L+zZIUkeDnGgIsvL9Do0WEN+6sxJPVZTURF7jLgpE78Ap73
W0DNJw1N3wAMUEngaTq3yeLrV/vmmbM/vQ7sT9W3JlN+axltiuphbDwpimyc
0k9nziZVGS1O4gkMZ06iTyykFuu0TD4RxkcAO5CGae3tCJbSjtishaGQMVtB
YtQfQEslzqHWGDIGJqD1Oxh1cQoQ8YPnIhDtYfkgr+esFSKtQQkqajSGFYnx
RN7U0w6IdnvrL0gjO2mYxwjukdx2n8nFYFqDctOLx04R8cQ7O2POcY/I4nEx
MYYPg3hF9gHRVxy2kApB2LSN1AMYarHOeem0hhYg0fA92yqGx4ZJu6PoMU0T
WjRWZELTyWAJ8EgXRwGkbhpiGdpAnhpldbtxkAyB7ok+HO/pvVs89a4nEoUv
fzkmVXlcElI+LThaJTIEt1UhEazfieUJjvYSZMztFi3uingInZbDSKDu1k4V
O6nUF2hxg3RZ7Xjp7YKHPMPzB5kBle5xOCqZUhvGBN5Ao4LUBQytxrhhaGDd
LALTB+FFzh7l0V0YS0k0UgCJIgPVEUVJuiPpcrUuO3O8RHBH2BtgB8bfIlGT
0A6BXL2E84tBp6UjldvCgiZocQ8IimvYWDwHMHJQFMBkm+V+gMcl4xbsegOn
RiRznAj1jMjHK5LFGd5F4zQC98s4L56aBc4AROLsDplKMIuY6SwrR/aSxykN
6E98jux/KFLAGuR8Wt5iyFKkPCUOhDidr1ErM0MiJbDUq+ci3dLXXEgOkyPG
0w3uP7klgkcqd4XIJukS9Pw2OWFul6g0kvCrCoozT7TE8M4cdpJ45EIo2iyb
o94ikoLcY3aX1jUgANDV8BH4AggJPgJa8sOGW/AgeYar2Yaf21Gh4Nx04dY2
pK2ifF0hIsAsigpkiw6gau9hE7EcImmtbAhGq6CMvyMPiOF+8OItRUl3mmUb
nke5hDB4SUbxNUFqYk9LjOXOVBWz/RSWlKRopaV7hFR0XXp44CuzzfAhlfpv
a7jtxQOM+tkkn1GSso/maLDHLIL6gJ62lJK4XJRZTjgOnNU4Q753GNnob6CT
AyBeJQ+ZbI8MeW1hdu9O/sxuQ1hGxtbPJgKP1BF/VkuEQStGAvLJXAUDe4Nl
epj969fjgHTxD0hUiufTrqJCuyq3QVT9kHgFEz2TehUN1MsB8l8gX8WT5Iut
FBwNbu0rRUQ2OECEFC3QLAAh8+DnsnXJ//bUd0MHAUJTJ52I2e/FJqnXl7JA
1lUxYKN/1iG+ick8UaDPjeVVsWUiCoMgK2x7aAdoG7bSgwZdfWl4/plc70M2
Cp1/XsHf7s2CBNpgtoooIg8eW2kBxYR29FYJF4sDcApvh6y+s7JmyQ+zY9g5
osMiLumE0HiAzJpmD5bdPDuJP7KT7SKel0AmVFiRr9HU6+vUdDenzFYcDs6G
VjGnFTauTgQJ4ktAdVbiEffwmoxvsAy6FwzT7VV+iw6baWaBwz80LWwIDw+Z
esFQdgYrLcEoKMgg63nriSuMktXlChGmzVnp3VNs1euBw1shljBEhfaued2E
QDSiKNsyNXoNlWzaA2k5fEJfG7Bg0Ko87wc5g3xvKjsh0BIfcAkQD4nu++gP
hDDEjxRdwvgC6s0g+OHKxSkiMQNu4vsUVBQSAPT+lveo5FXN38Ax0F1t6Tv5
Wz5Hw08flsk1zjwUk7b3kLEPfbzP+KF2qLPjSHdeoK+P0GJs9xwVxt9z9SR8
y6/sOfkcI+Ns81G8zrKhZ8XBXApDxvy77JaFHjT2EHLBo96+xF/COnCF6pBh
3L5p6E272fDNYL1MFilytCljytFF0toNGmboYc+d7EQgNmbu9fv7X78+Qhyu
k3i+TRx8iccEi48noOiUchMlfKAaAeMif/BGr4BK8mE4kwOFwQxhMLmuFY//
EP4Yqtt4jCxzSP8AXKCAClKZPa8ZCggxHAIQ5Lr4FfI8dpInb1HJuUIrRDIR
3kdcz5MoP8Adqu99XCqJ5r1vWIalQs2bZv/jY3u2OyZxFG41GVQsYNVUT+B9
TIZG2OFOVOTMfwEICH0qBKdi5VLC+Ljhoqbvx6Fub/GSzAPLRgsHQ2XDK01G
ERIZHVYSeYDTaRrBNyvAHXsbjxKUDx8XP4DrwGF8rbrQHLxiosTsDgbCNI3H
6GLH+8GvAgtB+IkQbpAMI1Eg2egeY2RjCleh4x6lRM8Bmv/1X/9lXhCtQtFf
Q1EcmUDn4lS34MsWc/yqrSMiO8VIzjk/+AkeceZ8Ck3El+gfFIrbuetv8Ue2
AaYT/lRxCtBwLf6JnQJvyR9AX+jU8KFl0VqEnW1vIbg22mfTZgOaGGw2lGRk
uyjQbNyn25nblf+iW2TD2DxYy4RLcEKLjiOyS7AI+K7qPGE4RU1LspGi1f+8
KYK1VhYhMzqwBtb/oc4zFLmhEKkh59su4gEy1W9EfyN1DuX2BUYlpZ5aHKqd
Qs7KCMtXkOcbxTalGd3oYkrDYnQjxoqwZmfvZdtfGikVcO55yWiwBY9usbbL
5tsHo2ZCNwKsd2o9Aayk4sUTEwVCuo07qoxt6AzCwUXnL1MAimdKxnHR1Unx
PUWiJOLLZMbmexziyxfHgTtyBSQEiDXRgjn72ZvOK4qtxC1sn70hA+aXFzwU
KFvrFSm69xxmdQN3ZokQU5EirsVwYgQnFWcRBq9GNEernNueFJE3asf8s6ie
HHQoPlIKYYhJXKpOlXxGs+tNYrleg23lJ2Zuof3uz0OJFRJlujIu217QtMUG
Fl/vncwe43vR8E+sgML3wtwCjTNi5f/OPkRq5wkewsgewia7vWetD/kcrKmZ
D202zSPU2Wq8wSxehYmv3G82xEdWs28wxcP5vWHMCBwC5+iNJMMcDtr1/By4
dH8HzNvcFABOGNHNU1hdILiOIaP9iJIuYDOemg2hEhrA7l+lJYWovHAMwEQd
U2XHju8uQ/4JPwzp9mxLzjyaAYZKARzy38cP1nZOTyL9W5JvFW9JBex8kUjb
h/GCR0k4pwOwmOjJRWTl1NiR66FhqaDxeCRqhsyI7GNrfAyoDQYrm+SJ86ki
zlPH0zb3pDtFTVb7luyh0dbeomvM7ht6bJLgPzHOa1FVsxr8LXohCs8BYiyq
Np2Dkl2gtCQ9wPE/dPA1IKzif+RTrPhiPJ1ao5PHruwDYU3ho1egz3afK3yJ
sHCyFHnAKobbkxmmEyw+CRsgoUC4diix4YNbfKaf+Ey3gjfbkXgDW+YZAlJt
QapvNi4oiZNPIDyAgFIRrLYwGE5+hX9OZi3rdZBF+u+QECJP1zezUabR/5o3
a8EVDMcymHOm4C6K23NkZeewpBrGoVVzBj8Qx6PHrlrsXIAvG11W5y1Dvrir
xaYnaARv0U6+I6cEvkpjVOFVPZvakWzYM0W388Yrvo9jWiluvPGywnMhAK4I
Tk9uEJ9s/f+8SSeuWlHTkwlZhLXWnhTNpQHGDtveN2SiJQprhsFlI1qrlz4u
hEUUljngOnG6tAg5jzVYi1amC/P0CxRS26II8TAo5XtSOArXKqAS+VHvWqLM
GMVEa+Kzcra+ZzYLtoERkMQWDjeWwJWuuQhkdbHbLzBHA3V4nFvCyn2BB62X
LaLx1sTCSuv282AfVWDfsqo65oKAcEM+A9gdGsKcFwu3QfDpSij97WTa4eAS
G04PogVnGNntcuiJISnZyj4NoGIxnbXyjtPKZWTkI7mU/rFmWlKsUHJ/LcO6
zISpnOQmPsLGRbL52pgOGdbU4zjQf6G44JmMQ/lyFhfOQmu8KHArnuAyLzuD
vf02/LVzuMubvuzsDfrBekCE1bU0CuNNy9oZtKPdQx5xfz9k+G3TGPn6GTSh
LJ9gSpIFKTy1ntNJJ5rVMaasjhWWKAtyMNi0/tNgb69/RNP+tIsLqOwjXCM9
t1dZntnmgKdryRvYw8VgxNvBwe4hxkAge32srgtoaJhiDPLshRyzqIFtlG0Z
BdAPn9xHQdiYJHpYrOHcKNOUIumJkLGNk6OcIZtgyVZWzmgTXWppNrqoG4by
M5bYjBpxcJ711+XoNRYpHcfLWEingPTQ9c+OdKRjXoiATYFDEmbcMiaJS0Hz
FuHyYPw0PnL4MqSWRvw5zjfjBydw+DomlU7nvEkcSuIoxOuNkrCRMEq0z8EG
8K6yyl8+RKkrY9ZStxWbb8M5jUtVcYmeYUYomX4F9cmq6kW5sShL+KPv66Oo
isKOCgnfZpzjSxQH/vX7xAVKKk6ZevZs9FT27MfQZgpf62DIqEF1XpfhNqs+
Plm4nxisNgYa3Tc+gODsXJvOraRH5yUnwdflPWYsLjCjHdjtz5Tb7oTFnyOK
nI1+Nj8ffxv8p5/hF3r7E8GU3+l97vWiyP6yKm4j90uff7k6vz6/+tP5mffL
YOMvO/jLl+OISEKHFsv5+d9yOQNKyN8CWrFtLXAFj4joRQPcJ7kLXv3yBdPt
+ocYfUs+/inmN3nwd2lz97N0PHN5rsjlsjsYRSQGpEu+vtMFMe1VBgzEy7vD
g2ESCsiNuAfYxcpEsgKUL7ECHsC+jyy4jEgb9g9aRUIN3Ra80qOjgSlgAEV/
DVmx9K5rBt3oh0Iiv+1Ymc5AcpD6XLjYZpcDU/nRTxL6FhogO7ppzzlKE7Cu
WpiGC4lLQ0LFF5O5Guftsra/5HoudEZFZjRljKHGXgpYClo9nR9ygYwNo2Ud
ybaJ7waTPHHl1r5BAbKfscglucaYcjO21PIezJcvhGz8PEa2snxEX07QKCLS
Eb9kk/UZJRQoRnNs7SIKSaWfuIJx6Bgq2EFZhrlmCEFTfVIc6H52nL90kq3R
r7vWjD/Gh3mCedFkcdSIGd/LRJwDREu4rCiUgxZUjrstjtjV0qCNWKco57HY
0QOHh3vJtSj/ihtcxcMuXNs8weCadlDDgA8WfjKUn4DZRx7PXibJpODh72OK
mZhoNBranui2Yg4mwNw3zNzHhSG0UWm1ErPniOkJZx2ovzpIEF7AjLhrOmXj
8TEOuRJju+e6tHqFwErIuLudYelSFKo53t6LuAV8mifTUt/1FqQ4CWcYIycU
nCTYORP4R7IZZ+NkAghZSe7xBSs6a7hGFEtEmW/m8qGcAb7MsXQHR4Xg7RZ2
5sQHvtH8Pq5UdUq2v5/mSWwjDDwB71Ro0ZcXDXZ89aU42V9uTbPoz0RRdBWQ
1DW3fLKe6yVAJJ7HaloEgJSwmbmGUFH0SkB3jSyFdxsMqGFXOKNVaykdYYi8
aYhFZitsWANcgpp/+HA71H0dg0NhHAYM1HYeua7LaBzrxHlhab+xRLn8VoN0
OlzyayxEfC31v3xM3tb4nm9wZTEQWNnB1laLRlphZByuIxRyou3L6+9bQH7m
ZH8fZRqdorypxpqeNRVZCDqYd+HSCewlhhmfGOT/w1g6juGuyMpEY2D7dL7C
rvKEVQVVNBvjp4y+SQEyobGvxfEF7pPzhYcxl346jV0inRfbyQWcHt0nOEiy
a5ndcEQTTIbrRil3PsdsIhI82uj0Y5dVCGg/J0SSFUX1XJDquCRpIKOhab5R
QkkpNkswGE6cT7lLT8ZUN01hQFvUn0Aknj7A2V/QkSFAAFrZvb9hn5PR3isH
JVEXi/hzulgvROuXBDE28Bgxd5CblpL12moBmQQVYiv2me3WUFOKJSSYbTxi
2VAxXECt8VkL3/4i+QK0JqbpoAoB7gKN5SQCGbtQ15SSeYp1ga0jHnzSyB52
fZAYk+SWkHCkskM5n8AZG5EiWeN+Aj9SPVJOOaRdkDoMULcXzQSBzkoB/IRZ
yYfmO+iH5FcpH9kXKRCc90o3rDGpCRC1m3TbdlQ1NJLHCj5NphYvOBRniJFd
dDMGTLLJ30LWERUMQ/NkOumw2IgZq3Rm/jfincZBgwcD841wD/L3R0/5+03d
3+8wmRnUs+y45p+zJfoWWvbiMv4tQvbXbKs1EuhCromqxdb7jk4l/E6OBb80
LnAF/hKCQZrlt0Do/S94cviOTPhVWsEsFx6jP+BZsurfZDrWNv71b99G3oAt
9wCPvS3/Ch/DsdD9PbWjwe/uPa7uxl7088/jhJjA9tbFEukD1fQriZ0xG9oi
a783FilLiJXffuvU7Q1j2mEcWSblAhEIxedksiUr3cavZIpWfQ74dsMU71JO
UBAqPXFL36o7ziqRmnQuXNEpuWa3qnPk8flUHDIcZFM9NHXJhtFVlbgp3Fhj
QFUwRUsip2reF3qT1rRhcFxM428aO8Rum4oTT5yRsgN04qkr0nnmbqN/j94v
8Y9ZSyojwgD84F+O39/+FXP4LZ13P72/Pd6Wl1v4TIXyuwftU8d/Nc5NxJGZ
buB2dYCm8w1co03na/2iv+B8+Z+fyATf7DL1ntiyr1IIyjR77D37+5aL8YJt
f1L+V/fCWbKh87XdJI0nbOPawp26gybCYo81lPfs05iD3m5cGiJIq4oBG0Zx
zzzlHt4w07LViEcbpoMHn+GG3jgZw/MXYCOi2/fJw7UM9burD2/Pf/9LEO1p
HiEH9ehKom9pzyHiP3cZ3pZFLZZt1GbtNYCAmSJLgPjaMCoTEAcoYtxlWNhE
tWsU8K8aHJlY/QWrQYmxAp7yqruE0SY4F0gU+STI4eDQkGAHQ7SuorwtgqJ1
jizXixGafthkQ6WKQKSWoBwKF4yjnqoEm2xvaTFeW7N7VYwVPa5tXF0y3aWz
X6oVwtkx1WTnacqYlnYD26RUuwtrT9w+ubxoWbEWNDhKh5g27ROE1vdZKbYI
4sYVqqmhoJIh0XQ5hsa3+ZEqtInMttRJB9L3XAoLacgCpUAYt1/N9XCR1hib
KP5vLGonSSIMCU5SPFZJTKLLvhDur0FgPiR2+Q19zlYxAMEnm395P/tr8Jul
ovzLV/8my9F8o/j94sUL335E6qPnO2SHodQIQPzE0nZibrfBSZwQ7xdFSwu2
hlPtPM/8U1NsYokNrRQX0mzua7i+Kww0vZaYLuO+upJgLLXBJXDssO5ipvxe
S28GTjaTeHkgYgWuahF8D3hhYQTjR9F+au5lqe85ie7SWDVcThb1zUBi+NBL
QyUBJBq17QfSI+Jj1X/WParmkFolOYwjzNUoaR9jRyxF5gXZrUHQXlhIoe7R
73raQeSdxgoDcYjNH1cjaNoSmuQinBwdpsAbDxuvt63c3UzQH2N5np7QrikN
4YKvbMDRplVTAFIQmeRW7S346p9c8KNr9a7iSZgD8oPkVlVqZX95gavowPtf
pUqhFiEGtKegeOuQdSZvwJbYlk4LTIZwK4KMKOclYp4ljljUkeVWAF9ndoUq
CvmFQFUGtOSapVO2G8RUo/FmDRgJ95F7AY0lMzCeYFocVtjDnXARuLDQHBVT
YkvchoJ70Y+q7POK0TqK7hfqO+Sci3RdkJ2pf8taUXHxrM47e168JJuaCUpX
qI1PvYXWYa8B98xvcbyCmxgJwbGegpSqCWps1NhLjnVu87RwkG8wMLLNw9h6
d0AnvGoXVhZAtreNRWdAz6fCTTbp3a981JKV4ZLJfMgJmlojY2dQK5AhVZKp
pMYoCaLbZ0MjT+dUfwazJVi40LxTQlUVMLyTxWgDK27UaQ2sziM1Ddrqv0h3
aLxnyJH+gqqk5IlV/TK68swFWYLhs248H69jlnDuCXFuseuhTcm5d5viHgrJ
Sp2gvdmapWLD175AGARekIjDu9mu6RyK3niYfzq/Y1s/v0/uz4cV1z1mbABm
lyyL9E7Kp7lkQ3+Nuee1bUeSFkdbCvyJKMIs0B39D40HLEqNEmtcIrL/yXqs
1wSdp5geiH/P4BJxtAtVyqOx77JU0x7zhJzus+w+IY8rrclb8gIrUIwSbBdc
JtP1vBtRmSUrzZac7qISDBd/9eLLA6lafWdSboJpBRWnKLxQnaWrEk0ajW/T
pBtPj3kmezGVwaLI2WYfqQb9UHUvDcxCkzh9QdRLckA9A7k8HEjrSJVIGYFD
77WY/GxaatOquHxtLZ2JpEKqIVa3xwfO6XAuF8CAQXVwJyuhCbBAV9vYW1hC
9joH8OomEbnVO9GVPYZP2AAsBtuaWksugb9yXox8Kys3VHssuAV+lINFYs3R
57BExLCfPlxRxrZ3Ki67fczFsOuKo7qEKPnNVYs0WvdSURfDRzQ9tgiOvhvV
QnVP/swHZaqgcNE3dG58+W3Yik6wvcIYIqdRozucZWussQe64mgtaXG2Fg+X
BkkbtUa62FOkG12L7cZhu71+XsSBrvN96VVZ89drI2W65j2S/P4+oV14kR5N
1nAdU6kWPJ565RpS5I11rrnkaoXS5ad3Jz+1TFx4pextJVBOnufI2pPz605/
cNj57pQr8ODnwd4+fm5HNAo6Bwf/ubMfdaKdvtSHoFdPZzH8b9DDFlP9nd6e
ez6C5w/h+f1drSfRGLGN1YlVA/MiQufY6UXgSSN2yTCe4LEbVwqodpTkucM7
wcvQq06QE/LAN4Lq0M8z7qxcFVHJOEHF2EOBtRv0c0C5b5lO0pwjO+I5y3Au
CMULQPloheffFJZuj10oBOpk9gCfKjoQFybwB4mEJJr8dZfqHmitAxRAxiWl
RcC3VA6V1D761yn7J6nJF/8GAG25Qglkc4VvL7B2IR7ddfL3bU9gGZe+Wczu
9zcu9VsCaWWP3hWiOgOVTZpgk9Ejm7zqUoEDLWpAlmzcJH37SzY5LsVLg6/z
+5Rx6btk7JdPgWNlwXH+XCqtIxWN6IwEn0UWhqZmjpEOkeQdraPA5JF5fTiC
nUBjleoBNTXgsk2xCre/iz/o75+Y5H0r/kP4Rq3XAgYsO0tw8k2q9kURn8O5
Qoge85HoWUW//zba7ke/+120ffhbmKkFZKXvH9CmmhB6XjjGvwMR9pFVb6OF
rSVHI8dtvUPDvMVFOsf2Ku1QXfZudOMYDg260Zv0Bi5AZw7i4dyGRxUkN/pB
S8a3BNlwM3Hbw4vrHLOpC7ldVG5JEj+SWlAzUAv2R3qa3wbRRwuoBoKP5JeM
fEr39auxi3IxcFxNGBWCWhAdW/8KP4JVYFL4hjetPGFI3RDrKOv4FrPbNno/
CXUd74JJlCtQ8xvQIi+m0TAkjhLrExIT+JKK5ES2I0U0hEmDgPnMqLDAQTcN
YQSMBNRJQitDk/TRjbYvZEM2yM9IVbjhY7dhqLGr/mhs3ub1WfmlbdjuQBso
GjZN9oParqm8Byw3Ho8pq+Vm/tBteZZ02iO3EJ9Hw2AsHYKzqKQSgsuZEUzQ
+wG3LZRhWJVC+M7ncCGkTK7IosnyLs2zJVFHMdgHJAlDgHQ1khlXBZyndmpM
FGEWxyzHZbYA5Q+YeGnbkTyQLRqljBiEuvEtypgWjkMrUIB+ZjMxamCm0hAc
icVwAbRxYMsFmPMkvqNY3yneotrSMXSIOk2JFkkJBiy7oObcoLQXXrEqFMdr
sjy7UNZFJeCbA0jZu4HlN5AkiLFAaIDYC1ymyFPx3kVQarISY2+0QBTZKEeg
0YrEGpREc4XwLq9etyRezc2KeTQUO8gxGLEdXE10VvdTv47kDcH6KZZCjVVv
h7bcT9vPQSpMrGSSKezEr18nl0En0ScdhQ3yxqg6jlR+c83SNPcOE51rmkCQ
79CmZYK8b5y87yqgDPb2fvse60m8XpOrKXjVRttRKtcyuee8ai4aQg9iOymq
o0snCRNpmFsdgo4QhrqHwNKL67MtjtDt8czAPom79OP6rOYscX3mn4rri5ri
+kCjsYXrWSx4VkANK3V8S1xATRVUWjKnMTueRJKKaYKDFjZ79JsmeGaISLBi
67t83opt1MGvtGKRv04C8xxhTaY5J1WicXJ54QVts18axR60QNGjNE+HgiWJ
uVycRcPe59fwn9Sj4yBM38emPl9Am/V4ZgJrIY7NJr3wPVfhLLCgSBqUeOX9
wdviuONgTptRIz6686rVyfk6SCYArPxhSSkBRKxZ9CRHcb+74+hOaLXyUkEP
ujYZ9HB3F1T9VtuodFk3eU2yhKOotfFVnoA6+kASaiLk6sdZOk88mxK19mKy
R7yJTgAYbBCx6mWv+D1sZPxkEnobgzRPGtQlhIpvBbtHWYyqMzQBjA6FeUok
X8CLMEdeyTSx4vq6cK9aFrZezkGv4KJRpoinibMc+lMpCnjVGy1zxm4yRaU4
o9m8BEqJCVYRlFf36vm1uM466ofVMonbaPBZ39wkRakGH0WKo+6hIgXn5YEW
zK0jyXBN/ndTn2UWY18lWzKUfHFFWTVmwTYB1pRYg96rorJR8RTBbBkoL1KE
XtrxKGZ0rCebFVq6vrR9RDaBM3FhCykPGQp1HVW3vdvdxa39m+3+R8JiTaWh
bOlrKqfbuZ7BZQDSgxXzuMJup4CvOvEqLb4+6Wjx33Anw1nW1BCRARQio00V
xHtk6/qqhk9xGL7K6VfUYeFIM4xcQUyJT+IGFHTzaUthfSJ2RhCqb3kL33pE
vWIxh8byTYtmQ7EwViAd/T4O/Xrx/HfvPpyd/9537IkBinoPcVkX9JaNy89k
yCrXK34lcAbio2rsgidDM1jF9TeWqiuov8jsVS+emIfcEmqz1z1/sgRrHfsc
mqmCGDIc4okYsleUPJ0777rNanEOCOO67ABr2YIVbIkMRqoLz8JZoESeyenb
DcvFuhga1DxQtltmxsuT9sPgSZGBBQUqoHy+V1e312qwHr2up44vNR151X1a
PfrHnMD/zPnjOjYefnUx4Toe9/0+gQl1tasiGeGJUdGA+3gZcgJhDsxquYhB
ZmMxvKzkf4UuRJYumJAuhMajDbSgakUKzp4K6cDX9XvfIDX+MzTAclHGBJ6t
Ueat4IWVH2ilV9xnLlhs9cAfXfE/RTIeWy2Lz9pxspnNfBVjyS8kMGYDgYn+
KQKDOYEsRtmzUOUYUdKtnAR8VulVshLhM0+LW4+nmzpSAef7QcNBa+Ib5zCz
VEaKH9OiINdQW4hwAiewf1eQ+sLr3/TlRdCAyYT3ap4WZdGcJEVVUCnmcRpU
QtLOq9P0RgxJWG+9UX1HqKbSUlwUeNuyip11oW/eTW5Y6qbwKjH6risOLY06
bUr2tbIY6zATTHk3VqyXoXK/v6lN3tSfbeKWLXak1Yow6ch/zASBz083q8IG
SQUWGNVcUayqwVU0op8pInPDfz9rNTb6JwYIwV+rW/oe/8R4O/jrKtG4rKYx
zM/HHf7P/qPpP+9H+Sf/5f/5+Ajws+FKH70erapIcrRENe7r5UnwT/5L/3yA
w8YRpGt9M2xkrj7OxUUopejSG0C3zvWbE/jQwmF2Bnba/T37F39v5/ry5f3F
9UdqbS0pfKh47B3uY4dYO1ffm4sqO+lc8IHm2j20cx0d2L/4+18418Cbi0pH
6Vx7/QHNtb9r5+rv7Ohf8P3+L51r4GDIhZ4qQAxgSP9U6FVg6Mo5VWZy5zVw
MORKUuG2wn3t7du/9M/nzYWVYfysTK0Ng5ft4owKw5BcizcIzdfz9WIZuY4T
EnsR1OwMa/fTmxys1xq+pE8cKdcamg3lU50m2+Vw2XrtP9HO6qUEufjZo1XF
NpQS9ePcSyl7tuJqw7wT+D1bUH8hWKg2ee8QxnQuMeG1U2adD+MyKTvX3Dtk
TD1eKcfCemGQd7km7Btrl/ozm2BmfwacsWklkZtZysE11iX7J4qqmrCWPNnN
tTiVbVIj5geOqqJ6achJc+AOD2ThCzqA+d1N2a7rao+gwIHlSjYVp7X+Hy1H
YD0vpdcwnfuHXCeJCasr02zKmIsartnORzVkc798edHUq4mEOfRu6kG3N2Gk
n3jAEJ1iM4komTvuixhQjGO0FPKPEp3Fhej8FimvtYKFrfcWswPANBSlbYeF
0yt6gjTIPj89exNp3zF7mEbMWhouZpuhWO9ZsC2Nq6I6y2WKgpPtrSItkcPG
Mr/kCrv+VPU7jHTJBHf4NQIQrgztsXpfo6fv6wU1ig/qiKeFD4psXZK3lCyq
5Ocf/qXX5rjSTv+vrjUifTM02nQn90oAVA+2HVXnVLSniFYJUi8L458DNY6u
TK6Xg4d2V6q7qeVXhRDVaE8ATg98phl8G0hR7Q44ozBLpmketGQK0Q0dW9jh
uMRUuCXdbx4pwaiOiBrNVbBaiiqL8XI8S8a3hKQmpDPVZaEpPcwL60UY0K2H
2XrO4doy55Hviuc6IFwvgirQpHccQlvma1YzGGpGocaDFEpqx/N4sXJWayR8
SwxWRiSpLFLoXFCEGmv6V+gD8313f+tVq20IJSUVsIET484pRkqSCWzFIFI6
TGMTLqZbXoqY3HHKenD6Lf+MpeBrK+GD5NIbGq4a9AFt+2kNYQ7Exj6hGBeM
Ue2qsnErLa9+zLa2d65WhqAolLA2RIuKQi0fDKHeb4qGTVjape4yfdQLF6Ss
D5gxo74LlOhGBMPpsfA81pZ/FhHdvARHPu39h1v3N1GNCzQwUqQuYljIsJq7
wTR5XXn2U1gUcW7ndqVuK+NsjcLhZn8rPbU11tdtSWN5sR31W1ij+/Z5DtXq
YqxHtbaYF3Rvj6PJ7Yoqkot9RKMJbMjemALWsKi1PNicTy+/blWbu4SuWnkq
3PAjSXMbQeH2qseuzWiohEePCjnQW/LpnvyD+CN8RsSGf/7+WyZpHKyXTu0r
v4+ASB3LujiIL5hMw/eiSIMNK3APwe2e/Evvr/Cw/ef/EY3SchEXt/QErZzF
CAlFxG/dNvRf/x71vex4suhiAXEtfS30MXoOR2a/rHqizrr97gAfDXVITm9G
JoC2JBJNsZoltw3nMCDMB7CRCnRZj03v81T+68l/08p/o3GyP43jSXzQPzhK
DnenO6MjQLfBdLy/g1zCGLrw/lDP/W98sL+zOznsT3d3DgaTyRQAtnfYj3uT
0WD3cNSLDw7iZJyM+0f7wOHHe4Ojgx2cDWgKztbr/9L5qv/BfNN4r3+4f3hw
uDOaDqZH+/ujg+l43OvvHk4Pekfx3qS3MxrtjY9Gh4dHR+NdWNBotD8dHfST
o/7O4f5u70gdMkPBkqAID5sOMZSAToKALpTREkkqtcq/ws66ktyn0Sa3yTyd
ZRnJ4Q00NE6JNhKpacD+SiQN947wZT1Mc2DJfJnczNMbkJcfomIREzvCVCj2
M3YNB8fEq7RDsYOFKDRBacUR1iOcJLFbEjdO5H5qxaPK4Wb2QB5OSl1ChiTW
Q+LtTP79WMhncwKZKOADjjI1Ef8CySZS0fdcaajpaj+f+Ov8Pumn+X8hAS9u
a/U9HPl+zpKdM9GVo+Lqu1Knak7e+qbaaRvCrsKaVKTFo4jS0BOeb0olMI5K
/LkKglqK/Q2X/iPYSpyKrfHXaqvW1w7KXmFGYCKFrg2FIVDybrUII7zJw+Pj
gqSUrCd1+SmDLqUgsnHiRHpB3EpvjaHYAUzFf1nZP0cobuPBUPMjFJJdwyac
48KVOfwgZQ6/vPAMCtW2e76hgpoTrSWlL4vcW2pCI0JgxPLuF2D1nj32o2/C
MozV2PVqqfZvwica3rZN3L25Dbx7Puz6cBDSwU0vi6auVk/JnsUjZSVF2uTg
nnhuGsFAuapzf52SHF0tOGcr6Hf3u4PuTnfXEJOGF+KbPCFUQKVeglCpVnnB
6iD7tCRK2rUFEPVUqxPmGGfCan7bPc6tAVJL4kl40LCm6jOoU+Jg/AXemCXF
UT50ozBX7DGo2Rj8pxskyHxRfb5NyrmPxGgHCyfQep81Q5ypFIUODNG1AK7q
jlgnlzbBpOM8tTGiC/N5B5MFJYyWQoNHFBM3jYpM7rQ45MgC8OXFlD5h5RP0
NlUdXeIFbHaMZUvpDOZ3e6HqzFgEPDSJU/Vj7JYHi3EOQ9uL3cVbSTNv9wwD
WKJaC65aQnqZZyWlgMdwRoGjBgOTdo4x8jqllwrJ3ejDHh4AUO649njfc2xn
zg47DNGtOexAOPA8WTP8E7hrh9hr1R230f32s/dno3tuozPN95XpKgJXmX0T
XS2eI8f6a/7srb/RIdQbeG8CobMerKff3PHe3CMnFvpzHn2TnDVewUzrrAFA
i7MGMZz4VPSWTxIAgin2fF5yUH4sNV/7sGMY8dE84fLZNIpkYE6j/b323s6e
6G8aOcllY40rGyvFbMg0UAiBpSFELM1TzGQZJTYnpxDDtySyzedYtZU7unti
GxkBZUUURehpZHHBpaCIEVBcVS5F7026nPFd8jdjOUk9Ih5jHqdVSZWD45di
wvJHkpyhtCkRluFWzrxGiKYpicHl6LhEKIJspZromNUAWyhMwkqGLtZX04ac
TB4sVrsDBQ3Z2pUgAWahNcOW9Q3VSiz7Ip6hzAdReTnqWfq2eK6jCZpX6YAL
Z+N10QJGip2wDdArQiwGbG1xLrkIaE+rrtEuznmsFBGTmENIYraf+xYvzX0I
AEemYTTz34HsY+M+LHyLetlkXm27AbfgluCe/Dq7tYQZF6Tj14Di4h5eJFm3
Im5ySApzLH8vVD3D5sZog/qg3oHtbNiYteKaRMUiJ1END0ovKWyeDbVAYdJT
CUAISGuFXkYVKhgwgk1xF00RFrXPsBrbPSVYzeA/v+z3v0ad6PBQPvYHe/i5
vzeof+ZhsGbtpmGOdqrDHNQ/wzDUYXnzao761WH26p9hmCpKVYbpU4yCe23Q
q3zu7/NqbhfRdqABtQLY7FZWA2yt9pkYknATTsIRhuTX/xNuRL9v2SirGRZ0
sWRO3rb1sRdxfpOS4MuWD78Ig6B1SIjl+nr9P4L2Y98IxnvzUC0CMtCtKSOD
oy3Jp0aWW8TrFfUWRj9UcO+aU7JMU0pWKIXJjZHLVtSuvvGruBhXcof1XXnb
Ll5ggpHnIg5ojx5Zd0IuXjZQo8t2up6zhajCqdB7uKBGzrEFtxIP0WFU3kCv
OqZwoIMPC6RsT/2IY1s3Z/KwjDEJE0mPgKfVUDEEYGNUKhYCLxNhzoJ6aGyt
idoA4tCRIczmIfr7SGtYaMFFjqnXBam+Ll1b3Dm2GgTA8nROyjIqHejG/MP5
6ZtvMTjlcPcIlZggrrdIElQbjWMhcI6UqjpKqf4ECTLA47J1Pk46XI8yJkLL
HQ/CzRnZHGaRaP5OuMFES2dYCNEUaPGjIEQ1AnLPLa9xoVSjZKjZqhzB4F2v
ITsj7EYex9yZeBrnKbOKLMXKqmXTySZFDaVsFX2b3+pYGdC4nHuCiT8JgPoJ
u+hRvctPfPU70fsR/EFfi9/5EyUURh32C+APtqi6PEiv8mPVvvO0yzrDdlVW
yc2PM6MTsmZpM/dx8attCpSlf2FnSOaRRvMOL7ThATYelFJYw4a5reujSQgy
T1BYL912+H5khxpRtjX1PxSz4XMGqG/cDog/4VqoLn7nrr9l3yNEpN6KRXSg
gzgLqve+LsWzrzYNsucaMEfbtgkUYQmiOxd97/dcP85qE8/qW4/eoBritbgZ
wrB6uOFW7ML9HqBWIwpqHDRI8zVHNV1PHwdgWIv//R0g+zlW10EtRHpyNBQ5
CgtcYrCcyzmie3HiPNpnWBtmG8OdW55d4csLCiWuWRQoLDqUn97f0p9L+pPi
f59nVvC+aojffV6gbhiMy39uNjD4BZnk9T7Jw/2B+/eXL/AzxWb6rw/kdanf
pK+zkeLp19HUUK3ptOF1Ti3dcZYKTLmFX869hFyZvef92bh3lA6DTh5WPOSM
Xhddqpm9mupLTWwE2FRNspZaTAvRSAnJs3mi4klDbZMXlKdwmlGFC60pAci3
Sok/uy+r2QGK7VLCzr3MHjhtWCeiVSC0aAs3E5qduf4HCHSTuYSi+cOK1Ze6
CU98OEhBVlOXNtAmoa2UVDAM1Ue+qJ/heaxaGl7ZUIK3HkWpGYG2kPI+w+pW
VJGlVNZfzbm2xQjsNGErT89ZeWy2+y0swSHb50JTftVuLbpMmTe1gslMR7cH
dgwxkRi/BCRr3ZY5V1unEpnW6idEff1KJPzKIwUU2K0mmT5YMcSHYuCX5e9R
XwcMsYnFXmETMi5LtqhuRIrOKtY3g0GMHCSHF2TgAIRZos+QSlAWLl3HX5Ct
Qag13b2ufhdc4yMHQTpIbg0GIGREdSaRtfuFrLCQeGFczVyXUqZHqtNSxtm2
g7oeRjsKIIvxTfVyAwFNqCQj1ZwRtfzfrz7CmmcgrKQ+2TrDzedhEUe3SDhn
mnl+kJNJRv3gRgkEV9QWQILkqpdAjKqqDIms4HcawNLRQldrJ6ieffHp38+y
eRJm5vOm09LcJsmq0OjMZBbfpVzoRzvysN22dkiU+qiH5AmDdAnccTF1Ioei
UmSJcmCWMUtvZlxwy7qoXMpjkLIYmjbFvBxN0YII94+MaIVrVewO0rNWoh8J
3mloLOtsiybMvdUcB0IqqsMkft7NHbDpSpL/TCQ/JUSowesQXq29WnNTSia2
BeUZXMa51stZnq1vSD9sKkZDbTi92qFY5Madm0GrKdX7ohp4OHa7XnSuU/cG
H7sOgXiHxc10V3Mof4Pd7mfYgeBrF8fxApJ1IGlYQKVfXCy0i9mtjVfp6Qej
UiKKjjfUtJTH36GjtO/Yg330HVtcEF6xtI36pemhbnq9lldP422qhVcdflMR
1GdOU49XwvMDIFOoxsS5AP1DqyYWYPmvRYCELuc5G4/Xea1RrJaLH8+xRxuJ
SBqh1DZcwmsRz5FUJZ7z23eBtmkK9H88cDhqeAsqt1Ot3azbaVH9hu6uwQ0h
N7TDGedA9ZoQc5AyGQo4Er1ptV3zRktJcz2xiudWt8KBygCnKayBxvDmhC3c
UfMdtDmJiS6doOSH6Re+c/iEakxTdZc2DedC2Fno1PkW8TKdJkUJOnoJ1IYQ
yiMyth2yTUQnSixH3EhpFwkClqpK3azRghWYHzNpwGdr6RhCihnwL8pfmHNp
aKK9pZup1lE7WgAzgM2geyssyjL1fP38EMHUVvrSYBap3IGaxobB8/XSIOWE
5SwS0CIwXuINe9kKtzKucS6JWhTxTQqGCvbsyAl4YlrUTXOuww5rKpW6DtTA
uapV0A2jWAfseAkHOY7WKxLEmi613bgE1ZMmIQIUXVE2JRobgUh20pHoFpLm
gHHohL5NawG2lnNNpCk1ADBhvoEnXnIYY42KOHXNE1K6higHT/s4QGy6BTU7
2SgQGFzseJah9RuFHix6TxFINUbG8XDDszfUIUh6HvsMBSHvMwt5wRIMDrnj
D9VeNAFAGYK8KMzN5kjq+oLWy0U2oW1VxWEW0jyBiAVH6kxbhN3NBXXJXR6L
WRZDk9tmidHe/CLZ/eXNBmItY1Btp3h+Hz8UlpawLB5zy3HSjyiC1Uu8r2D3
cw6NZ8L7bmJfUvCBg9CuQYy68IbRM57Y1Y2ULsOwkpMv1/855Dhsph62Azbh
hDLdhexrTH1mPK7hPc3za6cP5m5AMTwJgzkPXDdJt2oqzMxVkDSMqWbwwKYr
NYPHC++NS9uRRZ72WrR4NoEioa4KXlGCLMauL7V2adQrEzDH0gEA+U2Mu4xi
uhQsdE/iFX8oy3h8S63QtNcTZcRmi5T92BQsqDUibBu2arQcS8haKzJcJBeo
1XYlFKpPPQlE8mJRffxA8lZQVty2eZDKw6L0woC8IUypwAirpS+784YKGF9K
xlGNOZ3iAmBVYCm2dVrM1KCD94xkbzZ22b6JXDkL650i3QICLqU2R2kpVTPx
TTRpiylfrCAwQi2KhNpIVeMRLq9ewzqvpeZb0LnoGBEDj9FrfAf8Yhl0Gcez
NqJm1WFOTUHG0uMbq7SywW+JJVuXSEBcsTkj3ziZikU/r6WWKFm1V+UbE75q
U5iRQFHUXqUvu6uNGmz7mygOYjNT6oFH0EqWnLItZxm5exI92hfJ9dmz98DA
mS3L9aIDLINMRfatttg3V1lRdvQpF7XYlRsJ9DG9oahVcuoqIiEnB1ZZRNvU
UgyRfZneLMOHNGezxf7kFKUKR5Q8TRhjsCdxPilcEND56cX5NUo63qaCcF2b
1mx7ndQ7EOomakUMAT3uYT69LdatupLQanfEjkR0xQnGpXG4sSRf2top2RgE
Dy8N4WVaadAdaKHDQtqw4VLdxBPqBA/ITPG2VJwmBVSLZDl6PR5bjaldkGcs
RI1OIT4bzWIlm9WmVUZ2lSyaYZt5uq6eUGacDf1VUtAVqZxLO7JcgcU1O4zY
gfIk0LhMMNExPA77nQN3QG2WpG6mw3lCmVlE17APVVFgWUNAk/vlTR5PEm69
iaWGMITwDi8tWjfgkVk6EWpIkKl01mDrFjzmqmPaqziKJ8aFxzN9pdStCnSk
QGPQqUiqwstdtD4ClFnFp7qQwGQugx1LqaYT+OMBzaZSgB0jZpZsujy97vVh
NgZjNHsY5aHI4N9ObtSYTQ3qJEvpy2NlMpJ0JUnXXg3vWCSI0ly8P+ucnp4M
mMiQ0YesRbFWxrBmPFJltYARz85YXBmiG70DNMpICU6rG3zz5vvevu5QX7S8
Q13ROhX+m1pMJEFdIdcSj7A+Qds3Ulxn2DIUCjJL4YDqs9ApPQZbDr9Dl6/f
8G2UlPeJVJAX4ON1zmz5Sj48owt3UK8Judt0S5fxQiJEWrZ13L2osDisIe0H
A1S5Krm/AB9CeCBdxqp/+E0J3AoMJ9QAjqg/PlwPxQRT+KXNUrEWCKtP+AUG
3aKkELArwW/BbbPepVw9dQhUbu4Pn3g8V6vUeUKTHUjZOIZ6Lfm8/WsVy7VS
uwIzymxCaewFZyNhMXmuS4a/6kWkihlc+IY4WvGwWJUZiAQhypDtFEF6z6W1
NH+q8FOUuHNNQTRXsIQAaOUNOvq0QQzk+AmRKDuOiLFAGW0TYC9PWpVuN5lv
OS7wsY+d048/fWwB2X31vtfTGl6lV6GAvsAzLGDHxfShEs7i7hEZfvUtbm91
E6+qGRvb3529aanwgZufIbcQQSBCkgknmGNUACZK8Qq+fPnu5FJNt5sCfI+D
36TmC8lV2uFKJOIMnkHBIvJebny+sWS9KOlSdm2a5iTax/kN3w5xtHAD2Up2
i42spQQaAdTmOFvuVSZ1zzGbToy1LrvOP5Ii8QUG0gUl/MNYDZoVH4v7DbgN
i1lwRBrFyCEyMqbRDMZGq2GSlda5A9SUEskqm9WoqC2+T2htKtfYWzeQBxcu
fjIvMoaaXbJEtNmmuSwReQOQZGSX7CXQIJHwlEUy9ZkFywVBhHowGanCBRXl
lDFj1icKSqMRacR4bTdrzqG26LBOUxC6xb5zDBVCrZiK9Wpx6qd6uYjNlUO9
OZ+8WC8WoLH9I9HgrXRpu2GRblg96i5Gaxg0zaoo5qiwlbZRgnEEjc2ELKmq
qWr45yHZd/lU3ROCm2lia38oXcZAHja1/2zV6utk3LXhJfpJdE2MSOgG8eBh
dM5x8PG4+iPMR7wtCrNqah/9BCGJmkG5/BnvhT8abEmD4uDZmw7rQmR3Jh3T
VREndQUPpA2UJSfJ2OIdmbVGiXHCitytRPyseq0YXyunLGKhXDaWC5RhuTDQ
h6gqzCF7opmLNVq2EpL6OA8dBTdWaGzUv1qME0/qUX1OBT7iwdaWspkB+ypQ
yH5ZITj54/dvBzuSLii2/PsME6kdbUjs/k9evfn+7dWgZ+mlvm6ExnPXZFak
xlS7JH7OKvGwflOYUag62o71lTwhCZ9z3uxar04XpxTaLoiKsBmUdYSgkrnf
X71W5JwrtcJWSA72NJgvX/RbW0zvEo0G/4ONBs7A9+VFszGB6U0TcBLhIxvB
bjER386KVLAQ9Dc0PlhrweXVazYtryRGh17D9GlvQSaQsYgBOU4nGWL+85HD
bZbTwzXLVeH1Vhgh3leQH1kvBmCTnZuSAOwa2GjD5N1fORVUF1FXWIhRo01K
ZZnYkANYo+v0IOv1aqYLgVirjNWqeXpAcPdTTn+3FPZYDQM4AihtuAzbtiGO
HrEmlTN1AjnDFMyOA2DQ2Z2k4DppE/VqnC1lW+wIGMItTb1todUi2EsRe6+2
lSF6Joqeu+BPyidiWmEaRQ0njOYPpqXTSMgw4ot7fFh0NFzIHCsIi2WZOpi1
OfjJ9z/o4TQM1A3t4leNCcE/VBKCpaKtd6lOGhOHOVuE8rX4MxycSnqYt1K1
XBtP/qmGN9XaqGtjIovFKzTdMvU0j11jxB6UBtpWp9Rkb+Aiqs5jhcEMZY+O
tKxLqcIiZ6MFadPIS5KcvCT8RuTe2CA6n78zYb63LqDJ7O11dPe7l0uzYAm7
JMGlLTFQfI+0YkWpeIJ2ssRDOK/Yqamln3PsWXUx3JFMamORlRyZMkc0rnmA
0tg6YvQoF/OUikOsBVF1NMrSlyzZllhkueyfl0ZO7XwdAGw0mOS2LN2jsGTp
Ozgn579xa0elEzCJ0hiISwYVOhthSowFMQNjRa6w6wig+NJvXN9cuG27wfHb
8vstGmphguXFiuSe5ZLURxA6JaL/9cGp74nTA4gVSFIVX9NbDWxBQXp5I+6z
2LkyPBMrih3arA/YNVkM2kL/TCDb2WhOtiqkrhNe18bj2rBWLUhkhF+l0msF
8KIkcE/WJD3WboqnKrg0BqOuG+fJZKsNU08y97HapT4bIQXiC0arL9oK7+FL
HH1KlXNsdF7jpr6pm0kCatKukhMuFEh2KFxXxpFwNO7TxPXsteSwS+lxEU/o
g61ad/baSQmSRYUaPhqHg1o0lozaxp022daznrXJa2wDdtv6s23fgWWEZBqb
cEa+4oDa8hwV06UULnzyterSqLK/eYyiPyqYBRSd2th5jMeqHCiY1UxbvouG
rVQUKDJkgmhbsmu6C5IkHIfNIo8e7pKtYpL64fPKOcciaYkYEYmq7Z1D05fn
a7VWMOPMXsJobJ4k3ul7GA3JX7KaZ9jEyhkzHhYgReeYzxjEAnsSuVq6F0lS
ilHGNcTDJkontT5GanaTZdOqdX3GNsPDsBanssFAP0pcFDoObHtY6tFlrasP
1q8pMYF1aQHto9i8AUOEBKeshGwNCptECTrIyxz7KREXZKIfJidQlABN2wE8
+KpZaFa6ld6f+JFONSzKuTOwWU3G1hJ1FTxHScCGZrZ+Zy4t27sggnE3SpzA
a+Nu7Mio3gYN6b1xUqrevEjLkkJrlGq7gJSSQ5gxcZ28zoDCHIrqAiRtQ0h6
iKVXrC+b3kgVugIvG7qtADFYkcNgc44L0HparvoH9cpci/ENtFGCo/VwWOHY
60vhlTyDmToKxhXI58DMJqJx4kDH1OJrnMAK0oyIO2dzsLVOFQJUJQpLvQIB
qHb9yeOO0sgYDRkRx0qJGM1p0s6wnVifhYmjG6yrxy0973P0MMHylM3a4lDw
XUf0EjpkhpkkPvAsqvKTnaKpRTexE1CFWAxji6YjGRKBQI5LL2bAhrlrRets
hElK8YikJhU0RDFl/LO7EDX0OeCMquBkTYvfwNooFMHkVydGdr6UQBhYbIzN
6RtczGkRFBc21lchkq1bHdDFQm0SLA5xmWUBO+MUxuAJVtExUfNdDtRxIbSC
VnSAbmY9yriO/N3oOw6iRSEoGl6TIAe6fUFhiLgdTiZj5mUn1Dh3EqOr50lZ
6hg8w5m+WD3vWnJ6ivUIawKYcua1QAycJZILoeibIY3K9Y6wru0Xohk9mMA7
j+UCyM7npHFaHjVzDtyk1i9OmjsIxEhSUxIEMSPAARdhucCqpmj1wDNHCLJH
nNYozqAvX95+x/zfRk356jwuXYKHENJYzRKA3QhpoiM/X/8cfRst/s/f3pIQ
TskEcJSL6N8BGW6iW1Cbk9xLHpHF8E3wAepoN7lGczErlZm5DZNP1eevRamW
nE8MV30bwx2tZ5CtbeMMlCcu3u7i8li5VThYM4EUOmA7gO1lTnfAq4vl3D2+
d4q6GJrUS/a26GWr83IHP1Y1KUZTjLDxRBwIVMgHpiTugK0CSEJCEqGR+9PG
o1UYc7IxtrPkdvKTbisM9JYTNot14btuR4lGo0k1UKvd6lXW8kPuXNmAM0tH
KQXjobnEBeRtc3z+4D/7g8PWpm7F3NHeVsao9Jik+Sg2JUR6IDkoZXh5axtY
mbA5DszukF9RfxNLPAa/NHBnrfkAV5BCJqVG3VF/FxWVPDrJb7LlwLYkoaAE
LkFkNA+KlW68LBSmK06PJO/crJH1jbPChjcpc680hSVTu0lLz/kymUS+2OOO
zz4yIotQMp/CZblNQsAYCxjqbyrCiq4ThdFaVhYZxVwvOmIqdHd0qMIrYMgo
RcE5WI+r4USwLr1LVoydpOIkIFvoc7WmOIZKKZHYnWAodFMQxmdG+paBFcxU
gAOZ9kFCTFlIsryPJdYz1qGvnQ795UXdZiXiHulCdMVHHNEbV7JFhtya5zu0
0FDjrt+0tBk5KoSEWLQ/UpLY+5tr0dIy1c5rNhQHnuhGryidCQDEzE37zD/i
/MYBURvixakL3y9FYJTbWG1BLDK8d5Wb/oZJF+S1IzunkFY0YRnPU+llxVkb
8GM7Ymtb3XqhUSqbl21tJRKhQ4yVLx1XDutM8wT3xAzFq+Xgmjc31B4xzy2R
G20P0WLU7VJxCLfOISVvy9eNiwblErQhTloh72rBJkJ/2Sl6Cq1hkMJu+Wey
WkmCg1iGSwonLan5Xg2A68LVfnB+KAJoUOKN2gNSmVA9JCOVvFzxs7AexvPr
C5sa8NA4YVNvoiCuKChZasnEMDiicPiXrlYx1ZpLNJ2dk3jYjMEWrIeGcA6L
sSEea3HjSouHslKpTuBfO+Ru9GFJOQ2UE6n1V1nAHj2I0NNQceNlHQGjlw3Y
51YgzM07nLDIbSWxr21YMOUUCV6Yf9+9W0jex2xdzlMXCGEunW0V+BWHSdiu
i2jpXMXpxO/7xY5Iqkl9l90mHsCdQFs5MJNaEu1TNknx1qO37TXexMXMUr43
705Ome65UCs8E6I2F841oMjOqpqWI5Lz9Q9dHF0kPU5YZTbB8y5d7ElcIVIc
bsnDZtLJdN/fJw/XYkfDBxV3KG+f76jgkDeaZoFgEUkFitgy4xyksxy0qI4V
lqWCIqWBE+ik8Iz4GcVHMgeswqhWV1BHi0U0YW9D7ccG7DUMfEWA5YNt36m1
xdXhhchBdc1sa3nShQBAGPdIUZJSB6jNDIeUa9FRHuqlyonxVEsU56auYlMl
Q0tpNUw219mkOIZX7OAcpPIJe1lgUe+zZec7Cmb+8sJFADtTkW/oIT/VNE6x
GxEKSxIQrCIRGwed4J5qjpZUlNOcgUqMetUkHBZmEO1UlmMSWnzCphVQX7Eh
m47rW491Al61PwWbQuyiQWr4gN/cY0hVARShvWmdQF862bRTjOFba5YXj5EG
AX3INU1Dv3kLJ2yk70K6QOOA50NktNKiaVkhJScqaZXMm+1LAkxPDVVK4bql
oqQlKTFXXU3U1tCWeKFNQdKlsQayBy5m5rLsAVY6xnVX6lig2XamQcGVJrkp
dVObqMWvXpai1WC54bZQ27bNHnt40LNiqOsTaZh2q61GkZ+t/RTQr86dkL4Z
m6v+0tZBsa4ThIZmbwhDh6GkXqGN0Fe/v6moPHD+H/SZsKb2lDcLaIY0B7GC
2Meadj1dz6fpXNJoGTvpQppq2rsGaebxQhOgbE0/zc+iQ4Eju0vCOhh6IKQN
cUZfZVciAnTqY3oGaikoQakNZIoHlRdVmhDNLIowha4iH8VPOG2aTkXMakSw
CDgra7pwZ+xZraniO2dSkCY6R43UASFADOtXl8o0CIAxWzRNbM0xNlILh1Lc
BkK7Xop5iQvRYqEwIoUlBWu2a2SKZkOvCCjsBrmE1+nKxphK8iLpb5ricWkT
O1RbY4Jp5UA/88uZb6noP2LwPeO/sz+Qhtw1Z36a4sxmd3tPcirBTcbqjldf
09nNOH2Ng7wWySSVMD53O6hwUmwJLbvnR9ijG52zbjLZ9hX3zb60QV1MF2v0
0CdtVapG0n2NsqnkYuok7rmUzcuQg4Nm+E6NtPr24tBElYkpTy5eVOPRneFV
DJIcZWjPnw7ZTgWaE7Pt2jwAsh+pYZV14qM+YDtjc+DeMkVigcYZ1TK9pbSJ
EwvGGMn954bxHuFzlmVLO9F3jjTlh+WcXB6+CTgqYxCMjRe2MJaoUH9pcakb
Qmq/UIRygjCKYbeaTQfEx9iqrCJmy0InwjHY4IuQRYJoVypQlffU5WxoZ4GQ
pNFbaeFFXGBwi1/VsNqhvUthsFVrNdu9Yx8k6EzoSCNRLoBD22mTvKij2sho
CY11ZxDboFPysqL9GHP3Y/G6RYwHHFMpYwm4qBVLieNxdBwFJNgW6A10Y1ub
Zkheme6sJUcjp4b7FBe6NfZR5UUv76Vh/8Zfoyu/qjnazMhs1oX6U9pOyHvF
Fd7UGG6nwAadvB/jBad7nNgvwsKapDZMOeoe4uWwfZilYOmrzu9PjqPVrTHw
F/wHw/ZB8Cs/R99y0SSMt77eXt22pAfcuOxjA7byc7dAehHHgJqrsmVOOr9/
dWxf7xvz6pgfD0a6orZI+JSOd5s8tNn+LsMy3La73a6bcgC/UbYTzeleAcyK
JwNcwKAlW4GHjfkpXEz0FzlPamOb3KXZusA61HhofDp/fWq9v2i5O48tdweX
u0PL/QmXu0PngIUVeZEdcfVoYUVBug5Iijc3CV5lnp7CqKjaGr+3FalL3vPR
UaQLlicbcB8o69HkQha4HInsKJueMPA9PBDacSV+iQhvIfHSRCpLeACRLkmJ
lHNcmw1FTYzPHoZjnJAkpDFOQcTAdoH14jCIpLtVyYUnld4SDg/ELQ7/6nRg
UT6cbGqTc5xpWQyMtMBoV05l2RAO4si6JHtKWYSK38PL+obhsqLSBt2WQP3K
0SrCmbXGNpOetLgt2qHuIzIojJ3lgG5o8AX9E2A1c67sjtXteN+kVpM2jWRE
yz4TL15qEopLaylMJZZF6cZud1fpxu7eoQ08qkSrayMeSRi+5gw+EeX8c1df
aJBaXD4r49twv1U2/0cu5lNO1OUDkUSM3YxBWvNGUr7DfoDA++qV2FhhsIq/
YqcScCoSqsaWM1puqjX6iPO42e2cajFTZSud2OA2v/pSI7yegJWKRQ4A3FTQ
cABedYlRU9qzrShq4+ik9AUuVOplo3+UKowX1ggCo+AHay+Mp6WsZO0ahzcH
RKCROSxmAvjzKp5E53Z5V3Z5JICUNg6cVkzL1dZJYZ4wbhZGAiLAxUEJIe6t
/y3LjZ8or3AhQjbKs9tkSV1R16O7hBi4RP6KIirSc0ZEpuSKB0HUmkcpVBpF
ORq1HLQgkQ8Vq3eS7dBVL3hsHDGBk57nyNY3Ki6x6CwxWDbiqqmqgnkUb5qn
QS8Fiauw/JLLjWMDVixag/XftIogo7IA0nmMaoFF7BlaF7V36Hl0FzP9Qjru
+hEROyUtieMGn6gHSaFTFH+LVEMtyh5D0JqqzGvvACQYN75JKhaFP2QOlNGh
yINy5zyZ3Njdb7plGDOWLDHQwnPO1qKDtL67xtCqZ6JeOTmzNUFYcl6sKNAH
VoFXYMMqDKVLoR90w0JtlBkmyVTJmWoZbDLwylEyxNF709wp7vBo58Dyijds
6bm0GSjc3QoEUWSpPg2UruSuZY4k5MxSqe5ZLfwQmkCkA6MtkmvDdineCi5G
4Ne2AXermG3DnlX3mnJ4/2DbRQgv5ALb+wdSTMMmfNEU3IrC1n8zOuwqw2qG
GiD9KsgL84qrf3kRclpj6mGnruKjJPJ6YgvS9WUwOIkAokT4nLbbYFAUi8TG
tDWJAkEc9jIcK83gXQHSDRmwmDMQ1PVu8U2nxqJs3taOMCQhVcev9N/17VHI
kvH2d42pFKhMWaP1nmWPGGGft0Prh/D1PON4pA1llKscUzgDFx5BamPfp96S
xSpja5RvDDNBwVXUBrCFrSDBFb1TJNtWVoPFca05/PoTKWD2E2hix66O1LfW
3CJllrf+4m34r/Y1bF474961Mo5qONpBlX4t4rmMCQNsh8tg4Rse4ra66mDC
V9qyHPwVBeBPCCB8hNxN3EQXvsJF3NpndAHBU/QlPrfE58YlaWqohMqobe/d
x0DkdekNN4Daou3Wi+510aRdWC5rIoU71vojdCetno0xDk5u57CTFalz1rSh
AgZHMg7DJaHB+JUXZGhq1ZNqJjOJuNu0INAMR+RIXxpfABb90vHjuEGvGj3I
dOw1k1obmjnP8oQWxPKu1jjNgTlLb1/sxRcApAIOGx4euBxLyVRwN0udmtUb
q3YlDkgel1SiENW1B88bYrvDWerulGd708Sx65oLFip836Bg5WSosJYYCgVY
C0haU2VL32AdPFlrmpo21bSyXQ8r01j9YZGVHClMaT8g+jNTeafZw5de9vAL
mz1cyU1VWdXLu6yWhzUo5bCpneoYKgEWk/fUJq9QdLGYGkWoRNE3nrPzJJBg
RmSImaitC9dzcRZtq2ubvUstjRoJlBMu4mNwLfD87fUQ3WJ+mlTht7laFMkc
vaRsAR4lNqGXJJdlQaGQbUMeODoJtVkHmKy4QeZ0qeTIjbQf/M1Tspz/Ilf5
4eD40pakUjFPT8ozb2BpWiu5GC0sQJe+0ADSKYf1IYjF7OqV4tAsSD3ZtrMo
wlUNZVmLcOz7kVwTf/1erV2y0Ay3+YDahhiB55rUlo5tP/HyngADb8HTA//x
gTA0fwAMeME1NDwNozsrEdFfd/E15kkxh4DZ1XR3DdpMCw79jW0HKL++Eagr
LqOAAoBDrCa9NdTao+gEpLmSFTcOou/QdHaabaQ78zv2QqHhUbOPvEYWLQEV
uupsU0qJySF61/F8LxpeLllHH/tHWBJB368XRRAFUbAsvCR+7iKRTxxGu5bX
ClpQ1VF16Z9r6ilSFfqqo9mo2l3FNSBVtmX7hwCWs3ED6IjLYrVpfs3+TCM5
7dlKwgUqwdB2dPRdxqDh3KyztZdP67iiRBFxr5a2wSqvGD/+cKxo1VzT38dG
xrBtOLttZEsSSjAVmo2VNtRD05LKMcsHckxHVTcPAiaVCusch6ZyBTFijEfR
n40kPFQdUl5FM2saCcwi2vZMvJso7iYU9hV7+TCo1VGJZoq/pQwUr8i5VcA9
4V3ZcKiEp145CBI+9vr9fVRQeA2i0hVsBoJzJV+vbY9SBXG3IdnOG5ORuPIO
VaKkgHqPTGCBIVdgyxXqIFd1yF3xprQZcXjKGCsgg6rrRT5IoA6WZAFRbK32
YL6eoC82VbG25gmXMi7QM6Dht21EmBcM4cJ8/XqziE/hksv4psuue9STWJFu
ml6PrKlJIQuPDb/wTROrgdGgO4pI49LZmw5PPcVDPy4C9sP+swWGE8kjxvWG
ubdMCJ+kygJcnlKqTLJRXeAfAD0oPW39BNhqC9tsKeXcbD9iAOCzdeiShQgb
JNkYkDla2t6XYcc2P+2MmmMQ1bw4eX9Sr9OcAmVFxw3+CFRG23oknFYBkial
7ieUuoVEOSnKqom+38eJ/+C79n7LJ4js7IKlkxR7AuvX2Fy8/jW36vK+pzxd
Pml/IbmUh4y23nAFE+nigUmjznSxpcWykLLCogHRRUOIo2s/l0TzhidsE8FC
tf+GFpX+YJ+MRSEfERgI7URVIbXFisJ1UkudXEoA2D5m2Dd1NYklikLa7mRV
FPBLnNGNFO5orZYcDYjDUOkyrADmesC6RUiagn0Y9Vl4GMR+N6SpNH0OpuOi
XXi96CgQL0RK96bA98/O1Y7FJRYrTma8Xjc19SVWcHIGkG3tShikISmMcQjp
Bw0+mqyFI99pQio5+DkDVNemUUu/DQKehLhKO/IyTM/CocQ4ukKeVFjJubzP
QGv3wr3bkdcfbV4ns6J2WNshKezULP23RCK4XoS/1HZlNZj4remSEk8ZBLYB
BYikhJ8r1OyXfbYKlFSLdLVVXN0VNvw6kw3lDfzSCijw+nZ1IS0vuyfcl4vv
8TLgOJKc1mETErYbC8C0fBACIamDMDxqB8ZG6LnCD2xOVcJcCGelTtS8X+mW
nCu5GD3YIfzniGjICsU68LxjblpfWLngq0Vnl5HCb7rxo23pyt5m6kLV1CQx
NQNxqCVJQzZyPvJbbFHVr7iUVG0Q95JJCE+mKBXCLtWIygQuAZymqPZbTTxg
Sxf7IJV8Um8YJGFSEtfJjcYLllPGG2Sjc/IEggVFAm84ioi6zzqEvpJ4agom
oJoQaoPsrFgrDSq/jfb39nb2kLzJtogqUeNQrkhqh3ZzWm3NrhleAQjwC0uK
hpvWHpB7xA95manK0+MG/6XvlKiNB/DbPNjSCpVNSsaj465unzOspwk0geN9
8bxRvArkTcNgKcdjUH1HWTZPqNGFLaSbqp5dpzmkoOOr2kPlJX2yLbisXgEz
2K6vx9YmEQyaWnxE2x1HjJF9Bu4vtTHgcAiSleB62J6lX7kTRlUK8u9M+NOz
7ozLRTUuf+R/z/ty9vqJ+wIHT5Vqgnw0JqzSDc5ryqzOAL8vNBA9aQBPAwXl
Fot2yHS1D4NFVApXiQLYEjvFohx2Z10k1LC+axyWEKicJe5Bi5C6OCS87Gzw
0n+2/4y+AlogRjfYSH9aKufGuF1tv0fzIxYenVKdKW52ayIVUru/NkpPplWU
rkvwDqervz2J1IGF0CSVhs9eYPfEa/j8LF5hnof60VOob3511MdNPIH7jxBP
j1b6p4pvLR95SxyFje89wpSWTQpq4yi/JtYF3Z8R7TqdTjSKx7eo4p559WNJ
4Fa1S3stB5IhlYV0pspRQuNgzEqBJQNW8BSeNuGNDqQuEoMWewmxRuXD1nEJ
FHtp5BpEh8AFt8oga0xGjYaMHBjyYIfTzjV6yzk0xyWn0gzyPoaqa35vrI2O
0djUrihjVO2pVuT5b9hslZLgHfAMLpOQ2bnM8EqlnyUOEdVCbjAFui7eQ9Sn
ZXskrP6gyi7M0WSB0PbXvjJc1eRYy4TbwQlnlISTYPk8DoX0iSLSb3r2Kllk
dzIvcnhuIQH/sOWi6LFza6ueJWrhE1u++DWtEbvSPztP5qrF23BwVaOkEfjY
RuWQTM/UEC8NtTYjZXme3ko0a7y8jf6Y/ff/mkcn8/sE1IQ/glTTuZyl83S1
wj0skOTB92eAGRPzKln+DVOR2pH+C/6xzifZejwD/e5Vvl5m0at5vISPJX5O
4cKexovVKJnPYZAkzSc5tRBeZpjwbM6SEXwCWeqhHb3OcTVnyTIFKnhdYojO
Mnod5zm9ez3OyjJ6PV/PcjThn0/WqM6/idfjW/nRvIExk+UowW++T+5gcX+M
x9kIRvsj4HABn5ZL+vFdCiiXzKNXXfwFie6rdV5G3wNKFbcpDA7wMd+n8/If
MHS8WMOjbxPY3x/X8zTGkJ12dDEHNI7epuviLgYtsR1dZWg7fhfPHnC6Gf6z
LBl2p1n+YHB3oNtH7x6A8sN3sxyQLEOTWXQJT+JzH7PF4gE+rTGY6BzrtF0l
BVyAOQx/luWYqXSVJqtk3jZX8Yp2cJWNkrx0O7rCkijw1U07+nOcZ8U8vsPv
QKG9nWWwSDRDX8dz2Nc7dMAuzTVevn/AO/F4JqcM0ITrHP8jdcMSfOGEEC2i
69vsNoblvk/Ht9H1ej4HCXBpB/w4yxa06+uSEl2BH02Sf8i7qww/F1k+QYil
8ST6MZ6NYLc/Junf1kv4hMU+X8FZ/YgGmHwUx0tuIszOHOrfjSU9badOQKbX
V9/RPSOG/+N33PAkma+m63k0TZLJiALLkTjdoKkR07a52fwkpJJ0fT6iXehP
FBkHV+c8phqWY3FwYzylM7DjkxxDJ1RJbcFePCslu6u93xnmHVVklgLErt/l
jmw361yTX70+68tQNVEn9LHEuYpDhxUNpDNDbIumSdNaRLW2Ll8W2R6CtoAe
xHY0BCFL/kWhJfDPFo3n6luI5+Q3RbCcLpbPc33JJJoxDrKvMBF+u7i9ogFX
t1ctEGTCkqfp7eKKUga/D4bAYp5lIv1cuIi89FUmaWuB423HYeDc8FqfYWst
jCjx9+4HBiv+0hLBXDzyOKDX1IoVYSTkOADVy3JiFbfjLjKbLtk1g65taUwm
bj5TTaazAh+NxvpD0XCcuAgvRBEr0Z4Pna/L9mossNhu6PnCV8m1y4NLchLt
vhJ5qXmibIqXwC0NksdASByKJJKmDQDiPHzSWpquBTxPJDNoiSkcSO6tVzjA
V5JA2nJSd0dG08rashUexTU61wReb0GIvOiLk3giKY5iG9Xbir8RHznXRfGv
NJ+6ixO1RXa3h8Xt+QLHX+Hf1M0Ij57wWaTGrtnp+gGN/sBoPkBRxnfKaUZq
GkTeIznBUV0iSCU/mJEHM3Jl5y57SkFia3sBZLcHLdowUTVvSaIKsf4ZJiBT
CdIgho/ldv88uWxxAOwyiE/V3Q1XJfyGy8UcHDkTPlIcx3MgDcd4Nrtd7acR
wu9a0lAqyWZBCLboDrQ2hp8AUwGDtt0F3p7CtotdW6g/CkIHPxyvBkKHZHoV
2mofUBP2W9m7Sxe1zTD9+A0U9X0mY4mMFysBMs71h/caUBBj6S9kYcLBtMjp
WUAmzgNDJ0ed+vOgF4FyHgTyLvXcSzfw/MiTxB/PK6nC1QRL9qUEGbZM0oh2
h8MqJQCOyB2Hz+hZCby0hLA1NMeVXTnNDvNRhd+QbU/vcJvvnVjMUW6uJmdQ
fXL3SGVthF+x5tQAs8Gz4NxLss3otr2onsgmXo0SD07O0ontfrgaD90ZZkYm
km4//sXDbHvgl0MJ4rckk7JjqbNyrY/zkuwwAXi5X7YUXbadvPzxCi7VS4oI
qrTD7wSWXklyrpVcq1QulF2A70Un1cloGPNrjxk2GBwzxfXenrdBUjivCQre
c2gZm+EDb7bl8asWb57CZatCAMxz3jKGBJDFpidoBBSKlBCEUcD4Ko0RMFMX
Bnyy1OIyE5CsvXG8SNzgVYq70DhcLXYkDF+rBNUFCo5FENLjIOLK1cs9KgTC
raGQBCr79tNgb69/1KayQ53rNyeDvf1W8KlNQQT9wSEGEmi+UpFwsijo51ZG
pYWjuHQc9QyLksfRzsCwLHkc9Y3IkvhPlEuPo93p/u7+3qC3P91P4M/+oLd7
cDDY39vf2T/a7+N3e3vwOTEIg2MD/zzc7/Umu72d6TjZ3env7ffjZLp3uJMk
/f3+zt7gYDyd7u/tjfs7uzvTwdFhf5Ds7x/09ifTncHOrkF+fWx2DqaTeGdv
/2A0GU32B4fJ4eH+/uF4Z3w4OUiODib9SX+wtzPan+wmMfyxO+7v9aYHu/1p
fzTdhVlNQcPsDca78cHeYXzYG4wnh6Ojnf1knCTxTh8eGhwcHU72RvF0gGMO
dvYm497hbjzqj47G03gwPdjZx01dHZv9yegIlteL497BZLI7SJK95LB/2I+n
8MPBQbK3czjdS/rTZHwY9/YHg53pzs70oNffSfYGe72dA4NoCJs62j0cT5Ne
DMufjPaP9iYHh71k76h3cNCHD/H+eG9/r7c/6g0OdgZHB0ewlt5gNIbFH/b3
xrsT2BQOswuHMN7b6w32AcSH8QRge7AHy5vCQcTxeG+nP4FD2Osd9WD+vfho
CusZ9CeHezu7yWE8PkSD6a8BYf9aHBvYV9I/HB9Ne4NdPPiDo6M42TnaGR8k
h1P43zg5mgz6h4cHALrB4GDU6x8ejHu7ycFk8P+2d2Y9diXZdX4/vyIBv0hA
VyPmQYYeZKkBCzLghi0Yhl/MGLtpVRdpkiWp/Ov9rXNvkpXkze5mMTkIUHWV
xOHmuScidqy9VsQeVrP7jJX9gKBipiZj4NaOOmsZhh/xG/uqcUzvsDIziw95
hrgmRnTU3DszYjZTOVsObvIjPWFyc3nG2g1T3Jsr/MoNZj6E5gyLt5kPbyJW
4I5kZe0+N308hHrcj9G6vXe1tdpVfQ+FZ2YG0FjNKEvGfPosraXgSh0+lxKy
nbXVzE/6mjVGdhQrxPrMYGeK2/g5QtmpF88bmdjN8Y6l/dUdwygVI2ljtLYN
E7F36PmM7fg5S8Ys4t52uOWc4XVKtjIqPbG6GRlhX5a5O/ejSzYsbJbhzMBq
1+V3uYDafxB4vCPFr88/fY9wCjxesjZBMGBzzCFXoKFitUxodvqTVNx48Dv2
xbtPH1BLft6nnWNaWiZvjj814sFX7upLjKWzddxmIJ5J76Ev13rYJXhv+THj
9sAQWmcvtOgaBmcLts5eYCuXnA27wGMZfbWSl/UjWteOD4dpn36Y9k8Mc5zD
vGJSG+yhvFw2O6TOLqk5dtBmmLoLA4l9DrZ1DLEMF6q2d1qtu3hY9sk0w7kW
sazRgl4z+V7CjWG6px+m+xPD3OcwAwC8R+uzOiHTmsMVu0psGHLHQpe3I88B
bjY72KfLZj86gGBTqDaWo8yamq1thpaKj7bw1nOM81j/g2GGpx9m+BPDrOcw
AejOlPSRcou1hs6KrAauWz/xoiB87o4lCqaMCdmK7OFdiunJW2djO1juYYzV
E/gV38AMYOUhzVurGeNnWE+Pmf3xwRZ3DhbcifKKNtcUTCz8n+abtbtXsLwG
2+LU9+B9bEvVx1FMHA5f6vGVsR8b9J1r4UxDC2wBj0MC/nGbNwebPs9g0x8d
bLvCUWUctRi8hOuml1It3gfPkmauY7AvK97HTedij4ElHDgYtmqcDNmb5Y/d
18Q94AMx7tZbKL65ufHZP4fjewl9XhteIPl9/fpXx385mdy93P7fp0TFzYMP
e7kOH4NDxhaz3zhH/pjBZtZn2TjrgrYEvBlkZAdo3ZSHZTnWOj78JnzyI1/G
Lt6GkSa2aTYOA6jQB7hTXN73jcd3Y+cE3eAl2MONnQrvqXAPWUC89WU8jXfG
T3sx0KzflRweeYFVYR4mRYsr9cVje5YJFqvhhWJboCgs1NeC4VXcrxsJQrNG
bjuGCjjfT/p5dPjH6LP9TPS5QMUGiM6rbs+71j6dZxAghNx7huF57XyDE599
N4s0iKnIuKw3/UqfoZgsoJmVXRdLYVlTNT2HbR2MZcxtZ85QqGRwnQjeqAlo
ofNybDXbr/Q5JM/GgkHujoF3m2dfyYTQK5htWdowa9zVBDvWNvAICK0L7F3X
E5S/XOkz6GwqL7Rjjnvt4KC8ceKyfU0DJl5tsHzVTrXssuDUmc22296lMoha
rvS57oVTLAMngOtLfJ8bg9l1YL/BapnHkPgmZgVWvDKyY8VSU3aGNU/pSp8H
VMjY1QN7d6WR9FY5s1mtRx8wn6ZZDCPbZjw8YdqK6+2d0caxzJ7Hy9f/xAy7
AIRh1dX6nAwLsVu0MGDYVoVJZnZ24ptgYUgFDwLh1KAusfH2wspLKpDYYFrY
dZUphJBlDPViKvzqNJAwwSb9qb0w909f3IfMHVxMFd7OAu0Ft8i4nWhsxdkk
8CglpArDCB5bRP6Ygl4JeLTFj5U05mPM3a6Mvho72Wom2FuwJvwA7o2HTHRY
nL5uIG8hA4417Jq1Z2wdQu/qREw8HXP32RXUFD8aOsDQDcQRqAAX84B3WMxn
ilYA6C0z6dg8jmn0Gpg86NOFuVuJrtkbmLR8W6AnoARDwTvwgi49YO4VOpI8
JtAso5HtYOcYwIfM3U8sCKfQwaoBjWNGhmdbFSwRn9BRhGlVPH63tgEHLKLb
JvgGPmek9LfC3B8dsVwlUpi9xg7mBwvUdGNRABeezvbBoiPM5YZqFkKsGpkG
UZ4d9ur4rM7aIszRvqiVVOwOYw8fZi/rSzP3R4YZrpR2+25rx9wYDt7Ug1hZ
sD90KgKj0aKxJ8CwnpBooB04UUNh94JJR2fTew+cxoq1O7axQ0yP0m/Sn8/I
3B8ZZj6H6WIeDbBF4HppEMsuDfD2GVHpiKvl2Shs84a/xR34jtvivzBxxhNH
ceyxHDseIpyYCDRcxnNi3aN+Yeb+yDDtRYch3zOMbEyWp0C9h4h86RWPOzOI
mZbJvrNUAd4TVwrAJsBZ2nJAEfSfCQJNEHBxlg3u4yn93N2Or8Lcbw+2tYtM
iShokBFfwuZkI2bgPgKs4G7CNcJLIygNIo0pDiKN1kcAP5vL0JSj8/ScUpu7
GYYIltuMl/bVfRXmfnOw4QpHI/YtAQWVr8CsQzXWtSCq7TyzwzukDZO1M5ZQ
Vx3oU8lUrHiIcuUjQyUhCj3g9gsWvnC+kBls4YmY+4Tv4Xzggmz+YOHUMUHA
Euxp49tdhdkgki2zAPPDKzhefe4CYuKdd/oo5p4ahgrfmMwxCAyl6GvrUMsV
mFkprDr8eDYfYrdIlSnmBasHkReE59OZe4HuRdxxbCIAkCRMK7dg4T8MEpKM
xh8BJWUNNopVuILTHUGGaCwk5Drpf/6R+d/+vvGvM7998f1PTGB8onNz/8uI
fzW11e6hRFCAbH2LKzvwkq2FTemPPeDRIHiIR1xgDi2FrIM+3yDg98QfGQ0o
8+k1+D4+wtpBa/y2Fo6c00a5TmnRpCNxPJSHaETYJ7uhIbivxB8PPHgb39mT
A+407LwcIEWD1yph7YqkLdJUbLs+OiR6Jj8AhmITVnYh/rYNg77CW0vS6uy/
iq/YZEcsHY7KdLQ0hss2TcgezM3NVjzO1GFj+0r8g8fkdCaNTBx2m1Iac5ck
hjAFiBo8nSdvjyFaD/yCuozR1YEdIw+uxL8YBlot8qRs3kp8HCVfkR/TpiZg
9tIgcZ6swpfZMvo9Dlg5FBUGcrLvT5/hh+zbwPoyGIOIwvz5TRMVSAlUq/BR
KGoR5wWmanD8D2qLWcFtvZmptvzouTmzNjf0vMYl1o0U140E9tfbzrwt0kHr
l+BVsG9sLRjRE+QzOhlyBegzgdmWlsxgvZhwD3Pz/PDwusDA1UedxueOzAIL
D1RMgaRCf9D8jPgt+469DmkS/GOHzDTnPbog1OqT7W4ZYDeEAESDc2i3yEIk
3OUKxjlcQDrZ9wH1BUzmKstmDJQ5Qbl1vyPqpkiA8b6uAV+ATTSmD967JZ0i
4rXgzA/P1QGTWiD0jL+XwBrixpF0H7JzIN9YqBvzr4MgJ1lUmjANwzDTDyTv
KDsKkYODrTKfiIjQAU9bnftW2PmjI5Y7ZEPi9WYxnp3vOgYJ+Rz4Gfgpu6Ht
YJBiy28dwC/r2YWTfYRnQmWyXw6GWv1AN+tirPjp5rTwAfTalz5Xvz3MdQ4z
dR2eo9PhaRi3LYhYSY1lhy7+ROy2Ltt0biXCYGNfxjhTZdWY9VEifsfj6UdF
jGJ5tSL4B3b/pc/Vbw9zXs9gbUh9JsYGZa1oSth2nLNZyz6HrRjHZpIHqpjt
WMChD4DwMqJ0BiYXNpA7GootlOHdLpkdtkrqX/pc/fYw+2U1gRHApDVXrU44
VtxODAmh4RrGuTMPywNahousy3Tci0WCyG9a5/rRbfShxr11MLDqipA5M3VE
+HXO1W8OtpjLDoWAQqXxshPXU3dq7NOED7DTJ/hSjpNvNrjtVHwB1K3hW/l+
dnYvpRwGc03dg7mzAcdpwFlxSZjI1zlXvzXYeIUjmF+znhWBWFe8rwZhNo7Z
Ae052tBYIzOm/o0r8gWAPwQcwI/e5AQcobdHALZHdmWmNaFMLrfYn4id46lP
Zd7xzTj7hUu0u40KAbcl2J7ATowyRV+aPB8K3ug4wPDe/O/jztUL/GtbpLaL
ChiIxnZjdnFQcSQI2yEYKKOtSK5h4cONL1tYRymm9IYM/VR2HtvoBndmRa8Y
tAcR8Yatzha8Rxt5nWoA/L2VzjhhU2Pr+hH94Ff0T3eu/gvptddWaGzzurtD
2YHujMThtXMd2fDf2LWs4GF3GDmTDdlcQ5evfGz5K712SCTc/PAsJKPcw+oE
OOmGf2OI+ASZqgWJAmx0uTTgRvAE+KmP3YQrvTYwKSgxXmbn1iRfvIewVe8d
NhsgEJAbn4Bj5nT14RfSuwRYJFvYO3ul1w5VzibWWberyPHSCl9Sz0PZ3RiE
g6lEvTMfmWwhxOx0MDyXFHbTr/Ta6p4EvORx2bkNrd1LRzXLbVd2h5yNYXxy
LLvNBYKQYZNWUQYrwxbdlV7nPHE7yzievKId3U6x4VoBXDu0ebH91E0ZDPk8
v/VGIS9sch4LYHztc/VPX9yHzD7AHbAu9j7/1MnEiK2mAuGIk2GDb/wU2g78
Sm7ig2H9awgdolmPM3ubCkAHsKXRQBeMFqmOGgErtQYGRQPXx3YZSDvqsoBT
VgSQnwoB0JXkkzF7FEoOOqIIPFZ3VTrmNGMtmCNvgzPCmmxFrkDVbUFL4Qcy
A9W7oeYuzF4BY27PbjzCF4U7SsJFLcizlX7pixfHqpE/FrMZbF984czOoH1R
mPUBs4fjLAM2xMQSx86XFVB45Q+ZvU7uDMITEttxdNW4vAsYga3rFn6A7Hlp
LZZCKUr2E4CXmg2wSCDxW2H2j474PJBuNufNNGHtFtUFkqBI0ZB9F9zomAjV
bhN+DPBgblNs+FEsF/ufucxDGGB4URuQCI4tzcLVZMreX5jZPzLMdDm8HH60
3sAsaN7CCc4ySwrDWjyxGK/i4/hlq0X3qyx9kDeo7G2oEIwBfoCPXorCw6nt
CgzxHUjiWwLmczL7R4Z5Oba00FVUKJor9NlWFQQ1NElHl2GTo1ZguUOYigP9
+HCDkOALp626Z0ensba+YQoLJPStZxGqmpAFX5jZPzJMfzmddS33YXAdWKUf
262Nya4yFbDgA8/bOpHxIcMBUKFGrB+ICFh4hPkf0cB+AHHP86H+ut2zlt09
/Vdh9rcHa8vlLiXANkyGbwRcfW2x6m4/43jZfwvOBShnRWB6/VkLTI7l6RuJ
zSsVDCMU/t4k3S3l6CwiAFB3ARfyNZj9zcG6KxyNmDLkHSdr+HFdD02oOYDq
gGCHI1iK5Vqx11DCbLvrmha03xAmvCQGjCOC3OL8p9dVEv7zjJGz5YmYPaxi
2L7x9EnbKae2FH6XUrZgCyJqO3x+sLozz53FyyvAYmZIus4O5uMiZjJMFDYR
dao3dO7FynlXY4BPNxji6vAFfLk8k5MPauxV3rAGRcjZT2b2DcPRXbYNMATG
2/eEcDqjP2m9gPaj6YCjsfAVhclU+ObiZvAtQz7eO3f/7Xfn2fpnilRHlz9d
qE0QFELl9jRlws8iWsUwcNa66PQRNjx9hOSGDGGOW0cMjSXALFZJZl0kwR0e
orqsaAnFcEf2o4XyBGhj6bDsoPBsfGWWWEe4QSEDxrTigl2xHtAIyJbXfoem
26aowYL547IV4yeo59s8ssAPiC8ca49ePWSdsTinKIl7VQHti0IRHlERn+wo
p4Mf4IRp4E2qX8j/tuFf0/kEs17CS92m8O34hmuweyrdK3p4W5PdBn3Zz600
/UiIU9HkMGOoNk8CW9u0CwLInKN8M9r0oirupCLQrVXXbiaiTWVWFUx20jEO
9NsIMajiWApnSr6uIvgbun00upByqYlBwkkg4b00Vou/zjs5kB/602ZqrbAv
ljdb4eqlNUCCN2W/8MrmKkwYwlK44YLN2eatmSVvSay50tZt7oLu1zH7wFki
CnCweJw6gWMWbrpTHXziOsfjSdb5ocCA0zFHq3Weq5XgkzA13WBABjrDmEBL
0pktfzCqRwW26LN+opfRy6NXB72UGVaalQWtklslD3YBC6RQLauTmTYji1fG
OhbmsAysSpSjFgaP6sGXgR26C0db1x5HjrqkcROEj2gn3Y+YrCNi9OS0h52Y
p/yCwuUHPu1+jG51Zqxv67Ujo4LCcEJgE0xAElcn/ZGlUXR0xmuNbRK8NsH4
zovKS+BOSXgNVgMV3RoDQ/RUxRZN5nXXvB4ICDRsHywhhtFb6BtlPgZe+UMB
wWvMGlhLvjG3iQ4DTBUAopD6MaR+EROT+Q/42MjH4KVsJ1SFmSDotyIgHh3x
yaxZap1/l96wMPxQUtCKRyYkj6vHApEDiM3gGrCpixtWbKDnWAGY9T5OHzqc
d/iZjoTw2+ueLvhblPNzCohHhnlhYRubMTAseP+ATDj4pDUWk2o1+bwKposY
VuCgt4oCyaEAB00ZFAsMTQfOZxlcN3+5FW8KkMSuvJqb0Q+fUUA8MszLmbnY
ROu78YGh6MfVjduKgzQBERG90BfzbdXCgGINxg0e1sscbfUo/qUbBb/AtiFl
GKNiuhp8/NYx8ucUEI8M83IDUkR5dNdb2H21Q2waXmYEoNjC02bMoCZ2udj/
jXVEEkcdn/s+wLlRDx1beTy9CW6FANR5CF/D1m+p3s8vIG4Ptl20r2uKkEe+
o3Ghk2mN5o3lZVzB5zBmG1jcsYtOXLpVcD1UQF4QGR9KO5rOMzy62CjiYGQL
fagLF3Y7v+BzC4ibg+1XOLL4egRrwfezN9fgmbieFWMAUxRUjhOcplmrIE6l
6/EwZ7FinNjMYR8+gWGYfIT9DDC7Sv0mlMZThdzHhcGdFGtBe6wu4FPsERBk
AdIM+QwEA1IACoh9x511rVQ1CLgZ5scF7gw8YhZn8bYrdkLReHkl5nPB72rJ
zRldsFQ+M3XgmFsTp2If6HT0kwUETNmulivwPxWmEJhrBglIJjeNhUkutENi
xNgcVrIsz0ysnJ3oi9h+ydXAk+oAeGxLLFPptomq2ZGT7aH4niAZHrLKB8LO
CalmJiTK6OAMqTdxHZkteK8DPMxG5w2Kc+kgh88Zps2PWw/x0iHmKiujWRO4
NNaC6rEqFYZV4BZhmtGyPE7iNacNEEzdM4sh2Y4kHSzcWpUt2oziP7KLrE3Q
vTRkj3/3fdKrbj35xE5jGNTKhHKIiCs5qgeTTOON4smsDXthii6Cmzksry2z
30btOyh9DvyoVWQNFAp3EIPRVVbsbc52aic4ParQroIcRQegCqWKXX2rA6A6
WEVt7DRoHOywVc+mS2CSY1JXRPa3AiAp1AVhH4rYeHRTRodTZa4RoVl5tT0n
CYUxJqDA7lJAnEUILM8vlEuK+wZp8F1DwJ8Han3a+7xZX1jkAfihXuqCqSEJ
8H+opsF2GS42NRIN3UwYDy6D+Xctxx68YpPs176g+EQTW8eTmNhDCeJWLmwJ
0Nj21XghcC4wtzptBQa7lZ6DMhXoIAg7ZwpDZhD5rC5+H73j6CVDobabe2OB
cMVasDoM4LxNRWbM6QymgFuHYUYwPilDQMH80k3ePp0E4c31EdjQCWprdeUx
D6s/jQbt25SRWHyFJrJJCnBfZpJtR5bQXaKX7qLSrBDmrCdgE3SRhOrEfgpk
BPL1QIJ0XRENnjHzcgtX0qAntdsPJQh8jq/3DZTtxVQlwmQvf24WNilxXeHc
WDEGGIrB7yBUAENcPFrUfDO5A4+O+EyzMyNM6GfPOjSNkJsaUOc9uY3X7Py2
W6/Ub5SWgaezN4titSwm19H8xwBivIwYpAkVfq+7zshuuRXP8jklyCPDvIR4
1AXEeTmX5IySDGENLWJ9QTezuNOCLGGf2zK75BfUG1VWa7YF+3fzwLiHdUUH
KAVMMFhCViqcu3kQ/BklyCPDvBzuNwWDsgkN2MX2McA6yB1sXBC4wm4feGH2
tfe1IRp7saA96wgj113VOIp2f7HsdcU7AGo5F4vL77eU1ueUII8M83pVA3CB
Owq6lBS0tp8RigasypDvrrP8OKwKUhTXnS/KeMWBdIaOc8vHwCmCYa4pNs/D
88Aw6B0a/KtIkNuDDZfAujGVQKdTPYg3ejAoDbBJ5WORASnJGEHXLjeSdcJY
+OJcqgpP4HPrAb72E/Oh9guY54E6Eg8376U+vwS5OdhyhaPdNrrKmVIif6Qq
GWAPyLLG5DPDMozcYdsWGqS71IyuXEPR1L4FhOSh87+1oEILvwZ72VWRhsDX
fCIJgvzBuGrfSrhRTpn3+D14GmugFMuBux58HUCTZ0FqZfz1CA0nZZST+1ES
BOGV8f1THh0gRpiNPFR0Aio2Z4BKAdjwJLOMU5IEdg9Cs59ThdCM8MkSBNGn
sJMQJlwFn67zbrdYG0DUimXlcd7fBziu8s50x4szZC06ZrvMx9xhROue7A7D
f/odRlNKIMCYEe9Q6gLyAyTV2b2hPTg8nwpMdPqJEC7mTOyEGCxTBkSsvdUu
1S9InOJY5saaC8ohxlFLh6XqEjkPKOVgIYpMKnlBUoNGTzjVYWGkcST0RQGa
s1EYokVgwM23dHqLeC2oL+IvhQkfhCtD1l1J8DPEoaLartpFEWN9W/l21ESH
TdnGKuL5W1pVaWWzeAMqDjFZtwwaRPEg0yAswcerdlHm3YbZ4hLgOB02UILY
7VBGtYN1bW/ROkNHIwnvgb7AYJHKMHKIbHmnXVCoLcL+QQMdxm9ktIExDyVp
9OXE9xqyGzXjVDEIFz5VgCe0Ug5bEBQpdXBE8frQPPDOu2qrkB6enfUoJQU0
tggO3zapdkwUgGHxzZr3NX+UiRx15WFVOKfEKuUBrR4blszDlOxsHSSwOZSp
c7AFn5hG1FrdfO5eQHzKOtvjSdb5vfQHp8i27JF1Zo8KDPWAxPZV1z9eqRbI
RnznPCtheGVmlKwyC9H70fajycesuoL0lUHF+lZFJ0psWazgvEwNmjZWEXRA
8fKuLArqtvKi7MnBz8PjWV5Aw2rv5IQAsKjQjDZl7Vl4lpZdatlyUUeixymV
4dd8Lx5vxtGcUyo2rE6RkgwCf6aAc7yN6jNBBhJOgYVyA5fnp1JZEb+Wjela
wYmK30ydDTFcpXL3XXAxoyCGOtPkddoj4ItKRpwh7aHqR/ZwEeke9tv05zsj
259NuaVMcfWJseO40sjIxb4Uvdm3znSLdUgmHIbqOOA5ajaHd6rSggtrHpcC
0kZINNZvkaENUj0Raa2MrsRkgwEirYyyg6qTMNJB1OoXDWQg8g2RG3dpKMye
6sbyk5kKu4YVPsyfRigipZyF1TdnBvOpLNv0gQa60+VL78qu8Uvl9hX42B1E
iRc9T+4tXpYFnNjn8EG3nZArJDJsOtSw0cERnWkUoKgQ8rHgWFFBJjaxPXGb
KfqqsJqgEjMld35Yks00TQuD/1ZU1KNzJtoyvXJuiupc6MLKFNXzGlYzBxUD
KA1cbUNGGggYznNv3YlUE8KQnEJeGNNhEkai1+eIfepiN99MTf6sGdi3h3mJ
MGG1w5l2LsRJdW72Mxi4wZPeERzoJnY6WNwk+9NSmQi7dfi/2emYKmAza1BU
irUlYUywizZ0nPmlM7BvD/OSaI49NstGhj7C3PSdhoWoFtOsqCYdeM/Z3KwD
tQH5jMBnM4wQGrbzqsc8zwDPiPSpCNHZ8EPYsvnStZMeGealnBA4b4fRrg5I
QLRU395ZNnjE56jUhTLwEl6EpUo58Md146u7AcVSCR4sxEGBcBFWuFKBKpYE
MKWbw/wCGdg3B9svdxt9qQogkJTq2l0nzb1G45OCIRoUHUudyuIA3kdWHK1S
DsDyvZvDN5lD501NoRIBLa0vEcOvZ17QV8nAvjXYcIWj5Ex1KetwzfHGuqjh
w1HhxGuCTFF0LelgDxUMWYU3WSUlWa+YlWWP0ItuKJfC1bEIBlmx4tXTU13k
NCytJBwZnlVVLFWhAFbNOkCtasCLxYIDtzp5EB0AY7JtXV4Dkm7Kx+V4hIpX
9wZgXs2d2aQVFpRj3Kb1GXfF89tgpy1O4clY9bQRxhGg9UPl6z5RRTGuXoE8
NBnOcyv9z4AhIWhoVZXkkGx9baASLsKiskhLYX5I4TX7+MSLnE8XQ0OXOEWH
LSVvHbKiPrsyQqHLE1rpdhd8wJ90Gg7wlcZ+TzAuVcPa8V1Al4c1+8AKtBl1
nFYjNHivCJN3OMai6oPZw30VRLuNwlO7U5xmNEdUNRpId8JpKB4ZzY2ZW+Y0
QjR68pD9rfuEqjpnc62TCnn1QNC55nljdhVDKHiE886KpbcVHc0mjKiQ1QIM
rEhsC7mR0fxsNwqXBfCzSpSWAiBexVCOfTMNHvoWVJGhqRRZNymEsBT3D/lz
PewOccUZ7OmryHrzPuvCxbwL6NIdOZy3N6Ot3gGqZZVmDJMrTcU/MB4WDMmt
OKml4BewBPKL/R5TFTNQcrDQrbPziGRSXpoYWprsY/SNcsHh5YwLyoutKhqs
q8iAimuU7K9iiGUQPYVXB1chk5utfxZBMh45dIZr7jUiZirPsNAq5iwGdl78
ROe+gYucTzGxeDyJib13kVMRxGI58KE+s8yO74aXK7CPhUk+s0lUpnAoJSQp
V1SBgMpj6cOmRy9ysvXoYhPww3GgMiZTudG9wbPreCketqqKADaQqSLaFZtQ
hVjbDlW6bUklCKZ4eQsJEOTbmKKIYh9RYcEQ/T7mghOokKI9ttMdHvoGIQo/
z9+QDhN4RoDJIqmiFrFMrF+1tZbRxSUvYKcOEttmdvcGzIxiFRvq5NB1E24f
e9cBuQoa8yZ+WpUqZuOr0GtTClDICpUHKVBbXXVo6kQXtYFad1cdhs2b3spU
oWOb2UKRv7PnwTubrj3QYfxNRT2L7ON3osIVVKTjw3yaOx5iGu6pI/eDbpf7
xKx1vOHM3ECLkvlZl3HW6AOXrTtQnTOclSFkKms6fA97KDXAQjuN14SxDwUZ
QF1NqROXa63C6crAgrB/fyh9bxQQ41vRYY/O2RlQx0oHlohvmoENbE7k3DGU
rNJqDvquagKAsszPwFmzNp4B4yNGjm3CF3drRfWH6ypMJtxdd4q3QrA+pw57
ZJgXfgc0zIQVMFY0tC5RTag4GYWmKL4a+146V/HGTZhegDAZvlsgXF2c4Vh2
ZKRp2AhuC9JbQDPmZW4XAv2MOuyRYV6ueZTzZnVOWM/oeQMnMbqhhjThdlws
SC45AmBeKaasoo60OqBdvLDtWLhYnAxup4+dEWCs+8igxJfWYY8M83JpV3WC
rApRbuHPW/N4GEXaGtV0BGGKEpsZFfzEujhcVHUPADhP63yZ81iqaoLEFIsv
u23swG0Ar9/Mr/rsOuz2YMMlFhQQbbUwRh86fhBCaTsCMnWPt8GRbRdgvclD
aeJ2qoRVzplQFQ3VDTxU0NZ6+FQr/DR6BlG28T9fSYfdHKy5wpH8qXIbbK5F
J9cxgUZV8buIi6brAxUzz3HKHQ9UZxsMLJo25qlSj/MYXtXt8GoDQz4DJfZO
tT1ZRk4sfUniJh1S+Wyc6yCJ0cnymop2hFgwPcWpDgLuTwUBFMcLqpSxP7IS
lg9Kml9mZb5FNRKcFsSqIgEDLoBV1JkpU1B1DghB0FFqVCU8XOon6zB2xdSB
vqI3VGLeQiEQYBuGyzJjUntu1RfuUBsI3TBAorZUEV2HG3x0Rs4nF8K6HY73
CzP1z9JMUMqKWEkFEqp4Lxzf8K3AGxWy2nYPZksZmAjjUHILFEfpU/zwWxXH
xED6Ib4mqcAopl0UggYDValf5fniXWy3UPnFywyVojY1YkNw+yBqC7dVBZQO
xRV5moogqanUqhT4VXOxrammfuxRZe5Cj91tX/ISBtZ7FaecGBf9QhwpvApp
hqyxm1EUlUXNjASKOXCEba8M+9tIIiSMBLfn2+7TcuBx7kxi5fvVhCKounat
VtkP1Rads8Mija77os1N168quY0Gdqo/8VbFNZClq6qqovnwWY4XGrA01RYZ
SgRHIqpyz9a8Ou9V/ihK7g+zjwAfm7UrHGUnRN9ATEBRVERvDZBSKWPYamHR
O7oUm1XSj0g9TE18xpj7OrwtgChRJVRV0nhXwLX3pDQZRFkZJefB/kbM+paz
V7yakuf5XbeKw+z3UupT1jkcT7LOD6UU86FqJXyd6sqoPpSi6nENkD50LLy3
sIosDk5e2X3YtlWFfzxG12X842k5CM+BwvCz5x6sisL6HlgaXPIZ3zmKVyR0
TQELNqqvu9URAUvrZoKh+O6CwAPIMyzNDuT40oGagr5ZWCX7D9XPRRtBSYI5
VJeTbYV8VlHzOt7FxC30kcXnS92rs0JDSi0EyxgYn5kiaqMZ3EZm1aIIkboX
FLYBHsbcV/QqvEGopp2FFY2u2vpOA8/jWYE2S9/XRCi1CsFo2UQJTaAyKwv1
+UCnYJIdIzZLlY0gWiBmGan6G50yMDaMGEBhIicDZKfVGcLW/UdSLCnqO2MA
OlsHhBXgF1REeino/NuJmXt0xOfxKj5jwEygI5ZN00oMXvE5awiPleOAjJB3
6fKRGLQOXZvjGfj82MMxRj/Xcevmz9XoVOWzQ3y+dMzcI8O83A+ooYmKee2s
Cvo6HwZcu9ooeO9U+QBEG7bhMldU/redkDf4A1xsw7XzgZNJbnYEdLcKYkpD
RwQBb/2FVcYjw7yEHAHO7Lis8KKuqlbCWGVgFl4ZP7pUkQRC7aY2OEzgNG5e
Q8WvyirxCJXNuVnYNFPEkUAXBuhgzZdO23lkmBcu2ofFQdmgtgjLjJHrUkAB
mKXSioORdWSWKuQrs1LBZRU3Y+Ksqo60xsFcgK/dNhSkgqVVxi2pJMDXue25
Pdh0afJStrJym8PoSvd9iSbUbD3orAjAunD4kF2UIX4v6gpMxb5Uarbj87B/
HxEnBlA6883O1i9N5c7S16nodXOw+QpHAAcrNZUHUDvMGsamfALVFhbOJmXB
NrxBTkoXyUFn3EvRk5Am5GU6IrCMK3NbJa6malRCQqoif55IZSiGeCip14qE
5IyrVs8KtJIibkwd6i7Ae8ppom504u7RSl3Xxyulj8v7T0NZksvjTpraNyyd
5QXwWcmVypfG1tU2hh0O5zAK0R/AVkfs7LJ6/2SVwRy3s+CjICLaGhScqrKn
OIIiSgiOLNtUmDQqjwgNHwVAoCez48vTpe38Qp3AywXIRDQDYjAUB75dZzCK
vJ+uKb4D9rzmVEsz1tSxc4qmGgqCV3sX+rYVEZBZDqXR1XP8KQ/VGp7y/Ooc
ZQtaq+FbXLZqJVHrWCtFv2EwcGg1foPGwS5dgjypOnGyvaPXlHJWdLKzdeQt
7gyzghLPWosacolYpHudMNMKEPikZ6MORIinsspV5l+RssojjnWrKZzq1qyl
bL80uhK+qgn3oW8rnrdC4GjftXpVu51RZ/tTB4i+olg7LIs1ZdU9bzysfMtS
sdxm3+kEmIFqSWOgYvtJDXqSnIiDUWbmDFtoqABf4tY1dd3T9rPDyp7tCB4B
EhUMl31XGTqPTrCz8mPB5h1VMg8WDfXcquMKjvQQJmRWDUL2SFb5KhedYN0a
czk2DPMGMRO8wHaz3Q4GzhAm8+tDsKflsz2QLB6bVlaP4lW+gdueTzGxdjyJ
iT2UKG2wsMnMsYIq54iFe5wornWIRSkxvvqzyQczE1VQTKWQwxjMNM9fj5cm
c06j3AjJjMYKVgow5dWy2jkMsXynJ6uy/JFQk7NhEiNOVUlgCZ5QohTlhZ6n
M8MIpxG26i1WDNotx64botqZJPwflAOJMpeu0vULh5HXa2kyfO7oXkXxs1aG
ZwLRgbnNCjTj1wW3WNFz0+rCSunDDhrTwE6dWj+8Splnvw5V31p2TES2L4pI
uVGajA2CVta+cEGlwKfKGziUMHROnTM6JBWCY1T+1E9UpDJL4YbRAoezfysS
5dERn3nLVsUjmwrqoLeMGh5NlBg2kE2VbPeaS6val2A7W8BgJEzweVvcoj/Y
aA19A1m0ylTXfdPcLHn+0hLlkWFeipmOzB5X5Wt2qVFhkjLgfOh/ZEpQhQT0
+1AApXo6wdF7YHt3lYFCy4Dth9HBFqBlMTOwr+SkGz0T4peuLPDIMC90do4y
Zirq8sP+TqpN1iFMsXofW0kt4tx8ciqtbNvYqsir84wCLrO60x/p1PSKUxUd
mi0bYJg5cV/8IuT2MNs10yUGxHTWNZZaxU6VbVQRnXGWCoA1bRVN2ioBI+qU
1WHTG1iJQNXsgx0coSIq8oWfg7ebGpZXd86vcxFyc7DXTBckJZRc5y0xOJ2N
Zbam/sBOuMGAVhTV6cry+nxrxAsr707VRsHe4Y6gCr7GDtAZ74tZFNQ1euZr
XYTcGmy+wpFdjfHCzBEvaxoVqo+i3Smp4q5EqRtoU+uUezDxU0KpqlxkXUdD
TKMbfkKwVHx37ISvXHUHOHx4qsoCuCFYEHJwK3RgDJ354WltDzucWdAOTYX6
bwrmNqLvbCFoAjQrutt3E49LFMVx4wz5GtXYY1mVV6J6S/LjE9Wj8kgBq59I
Vw/Bg/P10qeqgRr76RchfGT3aaa63qmfckUf2K4FZf/pqBrFkJOC8XAbaMQ9
dLEIBeOP1FPhg4uQ6OyDRJ5baT3Y4C9L6ym3ItncL9I2d5nN1NQsCDkaNxbY
hrKOl7L/jMNBBEUz1cTcq4DLLOqUAOfbZ2PcY+n2MiXFgMWqgMTYlDmrspcN
prWNWj0oOWRNIa1KR0Nu3Hn0XpU/gmEfJrxVSDrj7/D8oX43OknezaicEvuo
w8eTStkux672tVpV1Oh8IgfTGMNRjVFSOZ5uqZWS9CQUq6B1eciCFxv13utO
/TJVDyKK90L0zFA3Y5F83KzymJVHOeCIeZTpbOJnulWhBr41aWPWVUZSPTcX
hm5IVFJDUUGIaQWPmENBjB6ej4x250mgEt71tmpxF11dnWldKlEGoV8RtrV0
Sz2lYc77UOXpvr7MiQ1KGuKJ6qGtw0WVIlS6podaq5XbnKYq23NkFTbcojQq
4D7VrfewpwVXyO+AKatYSVD5FtS3otSHipBBVlXIUvHcgBuelZ3gVViJzVgt
O/0I14JtKv9SNRuIoZ6tc3xgq+5JLgZRADyOWbPOEVRkMjQ1Pi+BVZsQ7TEE
mbx2RwaapnpnvcIgkVVDUSVncg9U3oY1ChsP/LeRVVuQUmW6KheiezVtfZcy
xZpECPJQz0AUoHKu8lSyDupAP2dSkEJAyEl0sK+NEHWZVQJs2ewzslkbBsqN
4XUdeiirtNo+V1tKeFJQkOKJgm5i4UEKvN1qAZyVYrSSSjc5lU+UfNa3FqUG
rumjSmrbMozSImHyQ/1YMX0ICNqXL81nUTfmlkX3UG0AriejHhH4MyP5gTeo
XS0Ni5UU0//DWLwKkDbc30YJ8F4WmRIuClbWwiqgLZJaoue4QteUmqyYN56I
PGdFgHUFHeSqDokqXM9oi8eHZovM82oGE+WK+K6WzsjVlpsiKNiXs6nV465Y
IzyxI6yXMeCNOytUJleOkO/F6KfsZmDh03cz3vbTd3M6nmQ3P5DFdzkDu8Gp
nZbCHtUAbfQ4umWCFwNU2b+s1qDI6wSeGmS0PdS9hpGreOc+i4tYozPcE4Ub
bz6xDSBetYejrg7Z0bmpdD5bIDJRltk80EzqnPLo3Z/6AmflM/oIjqCGcb/u
bCoXERCwT5EBBhkw28OljaBX7wRINMulPq6QqKAaLcZNKBD6FDgoKqQI0daE
OB2lIWnVPfVsjqETI6N0OHyIl25RGmZrdrPsrFVdUKG9eo1Z28vwdZB5n9Ut
OcCDUsblHKaIEu3WRCSg0HO3oJ5lIB6ruCEmlb3V1fdVuHYm5CZRJ0gkDlOh
zxCDs6x9C2/DKEPds6pYGe+nEOOoSmsGgTH3ZJN6dr8xZmahC34OLFqq3VlV
2hqo6rYoY009n9QXNM2isipqPtnQkNnxUGyVzVdjZLyq+cbUK/wfh421rnw5
G0BsqxjxUNdjXbMrHKEoZi+eInVskIIpNRXrgJHg7MFWg06fKjuSzcOGRBF7
g1dmNbCCNrKJoNMo2Q/CLFdQRcfdMXcBl2JzCltByZqqzRZ1pQDGlg2Cr2Ja
LPFQUJZTpLeHVMB5mxrhsdcNVD+aXvJSCoNKnAGm6JhscQo6Qx1Q25XPwu6H
usn4Xeu309LosTk76Xw2W0cDMNWqwMMIPg7d2qseFr5BccjqmxJQqJiDajXm
VHLRwTyYYg6QDu8s61iKz1ChFYEa6vVLtzS6PcyLHp0q1BbKQiaPpsN5A/53
VUR28H+P71NQISId/aKOy7qHYQtvNjukJS5dgKoxgeqgBhkPjBM/6STGvnBL
o9vDvJZ9Q3+qaLkOwlTIzElENxB6CFG2LjOd8mGyB03BZbwHjCLCo1X9rrdj
MSbg75wXWHVPFptWiOmt1fysLY1uD/NyVuR79w1fmgEwMMs6FT1yuaupLBtY
MTndql1ujg0QRNw56P1i1aFQdvdDCQUTesF+bt7Vk92oosaKX6el0c3Blmuv
XNgunqN6NuoUCoHquBwHF4FWuijXa5QTBQ926s5XnO4gBttU+SCYroVuV5VE
B28nNO0sR9zm+DqFz28ONl7haPa+FUqiol06Ac1xWwgKYq4HhVlFaABIA3Wt
4sJGfT0Ue5G2U7/CdSB2GXjS0XTWoTa6PqhPV3qqMEuj3IbY8awGalPUedBA
OuCjSg2AjaHCuoq5GYMtKuRZU45XTFAJxvBRpwt7KA6NKVJBGHVaaLoqmBh6
WK2VWRAhTkwUdqMm9zNckhkDzMn15D/5dGH7UjtfNdIeOyEIYBIS4ioHLHVt
VFFZEho/m1hSVxaUPcxdkO6w1190AfqUhwTKk8FpNTWoAclSdjqjUlCuUeFh
RbUxpJ3ReGMhTCxcQe1O4E2zr0MXBUt9xJF7KlNr8PhWRU9xEODpUlNz5EBr
kBYVcIGmOTRN4U8UbiY+OY5l3h0SYA9QZuwGllBQdhBFF1R6xLWmhilncBXv
oQecaqCon4tZ3c5DBFK7WtVKrCpbOKs6gzxA/bV40ZH8NnIBLUBbQQ2LR0/8
cFCNUIvOzYeqnRjVW3YjqR53VPbIhBKfbZS2SnHg5hWyrRBHGG9XaWao4JL+
yRMl4Y/A7lMEitMfKkFrGw1W5USKyk+Y3BYYoQtTZA9i1TqErrolIitXNRDQ
/vaQgO00ePpsO+7l2LMzqXXl4ONqCJZUU96p5qQ5G3Iul1xT/2ysIB0Fxa0q
3SlEJiyr9F1T4QVonKsqsTBRkChUEEqVh5WYOraaBwQ/rSLoqo2AxvWQoKmi
FnJdm1yFx3PYrBQLBgmw0EdABhiFCy3Fqyrkgm0UiloKe9WdQ69A/6I9E3pj
brrjRLSnCA9fFiWt4H6EkVGXja3aqme/EYTjRHMoOMce+Wc1IQFem/kLKLfI
ilU1ZZ7VtRA6glACBcQl1sx24I2U7MLrIWbTYUWA3Zn0qNtnRZiygbFzdAx/
B4/rW0pE3akUMh2r7tGLyC40mAEbFURR5wM2uYcSdXSU3SypgkajClqr0awK
Jjm9GvNZ61TtkYBHqoryL2cfsUP1JXW5jaNFoqwy1UvAZ91fx8YMYdMe6bW0
augdDE77SQLM7dXQ5butt4cEYqVK14eCA3yqLd3R9eqM5G03Xhe6zcxRJKVU
z489EdkC2GqfB7ajtMGJe/GZ+fA9LF0voKysyqgoRRCyFOFIyCs4ETprnq28
XA8FDQ+aHPlbSI38FCAJxxMAST2eAEjC8SRA8vB8wqgq6jp7FjWdzeEeVJQf
OohvnNtj2CMMPBsTN6yvBW4/D5+UqXnihM7xlZsDzLOD8JRRnGkgzFEAbfTz
WE8xyM2p9yu0MukOK44D09Pp8aMX/2e50ITpYwgsaVdWyaoqVbCNaomOqkQS
yAwoffRcLDaq63go+qhBmeb+rA+GwRdZ2tJHYbie//HgFvqITEqJuOPMVoEu
o2UVooQxwogR/9/O+QTmFZzgXNAFMCpVygeteguLTVqLGRYSZb0ZC/N0Svjy
Zubm68GImBV2ugJz1bDQgbZhqoFaULMNHeUW1IFRAp1q8ixVgdrqM8HUK0sl
xMv5xM5aWM2GuobbvZXWkoAy9eZRoVAsHhSC1InWGWta4mvqUpsOj6E+7Iqg
OshT7egTAN18U7elLSD9IA2UKQ09xbPKsMFRdRg+bmPbmgZbr2Dh6u+Jd8Pf
GMRmOeA4SacmsSuoYw3eVP3fdGzC6kyFB0GbIYHqt61KzAEoZ7Wmieo7AFtM
8i+1y8C+nb4Kj83ZKQh01IpXDSq+bHrWFvBRkfzgfe4qQsssuQVseaDPK1xg
j6oE4JXwCUfLEFG38Zx4+76iIv0zgNnsl+6rcHuYF+EurQLUu+Itnnkiww2u
D27CJoFO4o5VGhDswd1XFWOyTRcDOJygFjH+KE73FiJDWOuIivji+RGH9aX7
KtweZrvGoU+hTN0qLatKBGcs4rkt1WEUAWuzx+SbMtdUq7QFhe1A3712mz98
xdU4VUzeUwEe0UPwhwLtvnRfhdvDvMYsqyYvLK+AgDYrYXfMqA6Nkkg8R/zU
djkOnONUAXGs1AR15XU4FnfoQhe6AfHNZUQ1EjpbpUCjvk5fhZuDHZdo9HZe
hCiOYyvn0KqUmDrDajpgQLV0l89uuArgS4pcQRsqec2aaBusGf+EZutqJ6k2
lspm9lDJ5m83kfjsfRVuDXZd4WixCrLRgfcbaEM1qUlZYaAK6FDR2nKWmVgx
4rlb1GatAyoITYJn5qPvOlRDraqtRI8b3io1z859ovOJpNLZWwJdx+4gCd5c
N5zurA3d1AKvMdeqmwMGw+dQ8EHOd8Jtqr/Z6uDR8wk4YdEVqO2JB852FnsN
eB6dxoFBBfq5dWlm2NZ4cuvAJPW9GzDivm/mnH7U+YRRS2JEnQ4lEICQWnMG
TcEaEepKN5+1J6i1ekCL2AYDGYGx56L0tPRe9MP/ZC/Z+kfzQC9r891//eH7
n+7+5jd/83cfHQNxu2OzEhfiL4vxZu8MhT8uyN08UzrKdhP6qnZ5TD6bE/iA
hRu1NoEDoAMdBKJUv3Cq9dq1eUGRNtRgb8VIOCiOVVqQhd+7OFQ4pLamQ1R1
tGMrDaNyODBO1Rqtttx3ba5RxS2iio1tHoHGatgE6wRQK/uXfYjKCMOpHTis
Jbbz6D0HJYGveZ/IWXzTmYBVHDNcNyNknSJoUJ8FK8JHomTUc8upuJsqgSvr
Cvmn9Dlv77s21wBHHfAkL+/fhRa66O+qH4Ve28rKr9JPkHOvxIq0IBhN9sOv
w31hUYnbBDHGitwGuFNUo6Ok8sFKD0AsraX7bj6C9FRSeNYZoNMtYQmXwqJP
MMMP45OXsljPizV2l0pbbOg0QFRVu7iqE4Vdqg4LKec7typNBHUDwD3Zgmk8
eo1a8T+4Yv5lAEM1ZVJH/ataQVGGpqryNLWRN62cN8xB/a/l7tT3raskKeuL
EIUpN3Qkv4GmV6du3uqJF/M8bw93akplnPMYklcQdWjBnHzybXyypG9YALhp
ym5atXVVE0OKDsa7FdCjvs5BhXK2bgzBsIgpGXkV2/aF4/+Mot+IIq5zFFwQ
Em8H1VFRUDHAjrqwvjjdiMDNMKKKfFbdNcUi8Ed5ZAcb608E3FkF7VWMLiYc
ye7RKrRdl7WIZpOaQ7XqXONSbLconDLrol09biG+HwfcU3DTFZvHxLM3VlFZ
S5bbpWzVG6lgXKqZg/Ui5bEhUH5i1EXbY99M4/m4g2XUpHIyID7pLNBohteJ
2zRgBSQPJ4UoxJ1uo3t39nmO2yncYOseY/2Sg+UnR94RrVRawcvvpIKC0J8t
VQbMVZWbVHADlppURcnr2sCwahW9PXqf97XUDgDbxKaO40P9AmHwXcWP1It8
pe5ViNGYqMMx5eR2FX5ayueeIlDLzyvy2pmd5zVVAUJ9IdmuTC6CsimSwzdX
1a6azYm2dyj4FbRB1E+8qlJdviIvGzna1K3CU8yy7Cu5EJA4qbO1xePWpGpr
SijIgJVq8J3BNu1sw9quyKtayNsnPMyOZZeSziJQPM4v1eAJivxIqseGkO2R
NVXSooo5YP5NOecX5K1lw1LO7nEe0VBUwAxu7SF8YA3aHlzIEGQ1Tlln0dKi
AHlT2b4Jo/raR3VPsLjvl4LGS3klaqD18pkQp0obaamvrhvgrcLhkwGalSgj
HdKgB6y72oDVx8+mQkhb6QMuoaNNE57yDABI6g3pyWgVWYb7zO7YZWRUiW8K
5WbT+1yfEPQTk17V7RgGAHfFh6rVaNgKDcmN1xhndpeCypdSaeA5RS2vh7I9
iul/BugrKBReUZoKq+EYGyzFGt2exclzXbZTNPKssYWHMcgZ9s2sSBSVVvBP
BPqY3VAv0uh9wDJVmHxBwi81XBtbpqnR0Ml+akUIYvPqW4YdTVVQ/zjQx0ZV
O0xZ7m4X9QFo0zgzVEQL8ggI+IwXLH0Hwa2Kh0fFOcTTod/+so8CfQT+zLUw
TodQMPBAJJLy2pKEia9jsDXxLhnlwstW+Z60tR1GCODqddLvfjN/t777W1Hu
f1yv39z9jzXevHj1+jj+8ffPX9+1ly/XD/P5v97pHdvzH17fvdGH/vnyobs3
v29v7ta/rlfjOT/f1+/bPz9/8epurv38B9aw/3T3n3/7D7+5e/7m9fp+3333
3d3frVfP/3n9w/rpt+35q7tX6//wIDzM3ev2h5ffP//hd7/ikevu+9bX9/w8
lnd3v7t+ddd+mOff/p5f6LN3L/bd+sPLNz+df/P/1qsX3/Wf3qy75z+8/PHN
a33bq8bnX+ktfzh/8scf5nr1/U/6WQTKr+6QIpfHSnvcvXz1/A/P3/B6r399
hx2O9fLNHT7w/Mm3b/rd/Zte54BvOz+wn79iXl5fPsRDv//+7ST9yNToI69/
fM7b/dna6GcdH37F1I52/5y303w/8fOOlXrO2LRW64c3mhh9cPz+xXPUPr/7
cLS/PoUaf37HYlyW5fT1d//y/M3v7/7b24X579fhHsffa6B80XXcl1kZz18+
1zc+w90902vwna8X6/niYhvna/Cdz2dj7C/Pb1nnus7TEubl+56NFz+yB17d
/fWdeXb3F88u042tv/3ZZwz7+xf/8pf6jt+9Wu3N/bpqHv7vj+37uzcvzm97
8Yon38/AWYmIz7+A0Gjkz2Wy69ViWe/XdM3/eH5U7/RSRslnXr56MX8cvNx+
9eIP742BQf3sbe0zbOXcKfeL8fqhvby17LvvX7x4KWt59mAPPPv1V21JfvfJ
Lckvd70J9ps63zv5ppB026iqMedZEL/S9ze9A5hW9Wbm8g8QzJPHyseHK373
F9dp/mvzl6K4l3+g01X1ppOfau9TvVKtoWRFrRxaQDxmHYjBFpW6vt06+1w0
d73yhEnqvq3NpnxPo8PuoG4eOeHtlx146DwV+INb2mjhIEK/YWTqyKue2hc+
BjHxuthrOh4KuMw11XwBgR1VQdAxb2q3s5QSnEJVXHLsYkUVTlVT0C1FX4dR
qoWFrHnJXpz/QiLAyNQ3FT08VUcU5ZAmbn2pLnM0aysFc7SrCv7EFuHXDuHH
U7YI123DUPtGK3dvVeRJ91opFOS+TuxUcpSnRGi7Q3Mtm1LxSWnawUHTrr3r
EKb8VdGpl8pSKEgaZxiVzzhV0ennF0WTOVVppaSgHYgcjElT+mG9UOZrS8rD
onvVpSqzAlV2ie2Sz1pHIXtjVO0Uztabeo2sxRwjylX29pupw/PoiMcbFSve
DmNQ8IASMmJnqVZ3WCsf2UoKxXKhgnYnzGuoAorK0WZmFl7datt5rIWGVsti
yHEd7FHlUH58mfOPozR8m/oIqXwQNE1l6BfqNemsShVZFC+tK0le1ypDyahZ
KluTv4Cyhvquq9Jv3tKC/yVa8J9EC04f//cnN7iSm6sn+1Gg3e5+EOh+f3d9
8/OH32H6LZ5xvvTrtxTh5Xr13R/W69ftd+vuGUv37Pz4s5dvnt0zknsC8+z9
abp+4uNdwW0R/gtdgaI2kTqTzb5Zcc/+RTSxVfxij1pVzB1b18vKjQcUwRdY
LkCbxPF9uHcF88xQ1RGTyoK7pZM6xYIpzyfnFb2CdVRdAE2lDqtbmXZQ9IUk
Nj5fkVq3rUN17BJvU5qATMH1fvPOrQ11PHIqpVwNP6jIVB6EDizqm1nauO+n
pHNzBUQ19dTpiIPJllgR9Z6FmC0NgBbXZVxW7dAaVOuig6+m2DjCvISIeIU/
+Ahozj7VQK4o2U1lPmZeNfPssyebwltQbNBrG9XpxG4L/Wcm38fIrcpRwiEE
qKY6V6XpIOjyKpt/x8KlWfa1mti5rAZMKke25JuQ2+OCkUGipShOcepWwM8R
5LCLN26Y2N8L9k8KQ0DIq4n3Nqq4ILSfN2qVRdXBdgrvljLOVjOlJ6rBGkun
vGG/T+tA9oWlE3L1pGcm2Ir74zvT/NF4+8de+wxdRgxbJYECBCrSGLHGiF9W
JVu/zK0rrye5lP4TL3feWx5tq5OfMuqbQsBVbi/1ppJ0UTfneNddQGwJ8KIU
vViGC1XGi3zTla21pp5JYUa/Ca2sFFZUlMujt9CiVPzn+A839gvm9RISjtdX
M3r4TwxNyZyqFjVxgKWEJvrUVociMrKebs6yfxLXhyPel//+xFufydRHUvO9
AVu1qtc3XawVf6eWJgre2XapyF9T6+UeZkkKQjUJEtjc1lGXMughLsCoWg1Z
k23v9iwwuMoTHVB4Fnqr84HhJStiPXsYbVQvCHVsjGVZtewFFnXXCEpt3Dy2
bKqgEZf8MQcUTjlCHf+bVcDCwTpx4WoHHEVvt9Vlz84JOOMlbApNXRgVQVkw
RNseaciIURqA4dE7TN+Gi1ux8VEVidUDw5nF2jN03W1P32KEqJehIwurm24s
qVhsGwbS3vPg8mO3nPUPV4f8TB94dvHE90r854cGT+xR/91R/tt0lK12tUFM
3atf6HnPqXhVrV8qMzyMOmM8iN6tVnNjnImpLe9kbzTCBtqX2pyshnkHdd5O
ukUc26joV+y2BrAGlbnSVl8dFY6NLiiR4gy3/FbExKMjFqq6ZtXJXB1nO8uM
bTs/lN3VzVCiUK+qepsByaEkJ1eiKkBFRRT5oIzV6YNTpZU4VTlAPSiTw7pN
/egSFR8nJtg0bi7kLqPHgU6Xg8JKFCVddQXb5iVhfvdRAkDIHu7Gq+qEATjf
HUqfIHQ5pvrNHyT010VV3ElV3JQSPzzEpfMg7O356bp/hoTEnYTE6y+AXHdb
xy2nN/13EPu3CWIZLjO0jdg+aaptVk98e99NtcOKfQBiKsEQ3B7TqGlmldg3
0J5wg+1n5QsntYTgn+bU1Vytf6aRDC9zn/1Kc9dCnkXJnPXqLQEPCAXC/62A
2KMjFoipbk0sqm3Int/FNHsGbSkxIihzo9ixXHG2q2yJVW07PprKWUpip6Ge
aGa3w87hVYC/6Ix0bR9s+uhIs48DMQ1FwZylqmnsDupI4KUgsi4TET+6eDob
5u4Ek0UkBN6e94SzA33v+NTL1/90nj9c7l4/Bs4UEiCsufxMu3vGI+7PNs6H
PXuAcLcA7tdPE1zwS881SlL53hhWUL03qyooziuhtTsp3ZxVDd4FKQGlAyr3
z8qDD+guBn9FuhmUoqQSs1kVIwP6wkT1PvQ1DRtCtYG9wzpUhe4DfxmVoqAo
dokuAq9INxDQSu8PMe+VtKGxbVWwUFwqKBxP4xw6w1YHZoVK9daxU6QfknZe
ka7uBRip4onHOJNZ1Y3BtCgy3aAaomow8sKqrdDmUrPmFUtNWUXFfUrX1BfU
ES+nZqU1lrLOlmY9h22dz0tlpmbOccxkVOxj6EBwK7rfKO+q2vezRQ62barg
HLO0l/pEpLP9t3JTUygqk6EcLJ0J95mVuQQwq+Tj4sdKGvOCdKMFkN8iibwU
b+TfGJSqigRmEA97RSmmSgVreeJU/hUz2CBZN2qw83VNdx24epdgOEMtApSy
pFY4GRRl/GoOxv+vKnA8nfLBlHrBFIGAZ/TDnXnvH/veP+//vXvvn7fRD8ZE
WAZzaTQ5xnwrQProhApImbIwkjCU1SpKSxNLyEr1M5iw0Je5VF3ZqsY9u07o
A/LP575UlF/9QngUe0m9zzC2oSZioG/KnxdIjYrTqClodDtv9ltC/E71ol3K
7VJKBF7UN8W9tOymQuTUBmopTaXV68H//wdsJp2l5hkCAA==

-->

</rfc>
