<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sullivan-tls-xof-ciphers-00" category="std" consensus="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="TLS 1.3 Schedule Profiles">TLS 1.3 Cipher Suites with Alternative Key-Schedule Profiles</title>
    <seriesInfo name="Internet-Draft" value="draft-sullivan-tls-xof-ciphers-00"/>
    <author fullname="Nick Sullivan">
      <organization>Cryptography Consulting LLC</organization>
      <address>
        <email>nicholas.sullivan+ietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>TLS</workgroup>
    <keyword>TLS 1.3</keyword>
    <keyword>key schedule</keyword>
    <keyword>schedule profile</keyword>
    <keyword>XOF</keyword>
    <keyword>deck function</keyword>
    <keyword>duplex</keyword>
    <keyword>sponge</keyword>
    <keyword>cSHAKE</keyword>
    <keyword>KMAC</keyword>
    <keyword>cipher suites</keyword>
    <abstract>
      <?line 208?>

<t>TLS 1.3 builds its key schedule on HKDF over the cipher suite's hash.
This document defines TLS 1.3 cipher suites that build it on a deck
function over a single permutation instead, the one a deployment already
carries when it uses SHA-3, ML-KEM, or ML-DSA.  One permutation then
runs the whole schedule, and a full handshake takes about a third of the
permutation calls an HKDF schedule over that permutation would.  Such a
cipher suite names an AEAD algorithm together with a schedule profile
that defines every key-schedule function the connection uses.  The
profile follows from the negotiated cipher suite alone, so no new
extension is defined and the TLS 1.3 state machine and wire format are
unchanged.  Two profiles are defined, one on the standard SHA-3 function
and one on a faster reduced-round variant of it.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Transport Layer Security Working Group mailing list (tls@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/grittygrease/draft-sullivan-tls-xof-ciphers"/>.</t>
    </note>
  </front>
  <middle>
    <?line 223?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Every TLS 1.3 <xref target="RFC8446"/> cipher suite builds its key schedule on HKDF
over the cipher suite's hash.  This document defines cipher suites that
build it on a deck function instead, running the whole schedule on one
permutation, the one a deployment already carries when it uses SHA-3,
ML-KEM, or ML-DSA.  Instantiating HKDF with a SHA-3 hash would remove
SHA-2 without changing how the schedule works.  This document changes
the schedule itself, not the hash.</t>
      <t>This document extends the agility TLS 1.3 already has, in which groups,
KEMs, signature schemes, PSKs, and AEAD algorithms are all negotiated,
to the key schedule itself.  A TLS 1.3 cipher suite normally identifies
an AEAD algorithm and the hash used with HKDF.  The cipher suites
defined here instead identify an AEAD algorithm and a complete schedule
profile:</t>
      <artwork><![CDATA[
cipher suite = AEAD algorithm + ScheduleProfile
]]></artwork>
      <t>A schedule profile (<xref target="schedule-profiles"/>) defines every key-schedule
computation the connection uses:  the transcript hash, the secret and
key derivations, the Finished and PSK binder MACs, and the Encrypted
Client Hello acceptance computations.  The cipher suite selects the
profile by itself, through the ordinary cipher_suites and cipher_suite
fields, with no separately negotiated extension.</t>
      <t>Both profiles express the schedule as one deck function <xref target="FARFALLE"/>,
defined once for both in <xref target="deck-schedule"/>, and select different
permutations for it:  TLS13-TURBOSHAKE256 (<xref target="turboshake-profile"/>) uses
the 12-round TurboSHAKE256 <xref target="RFC9861"/>, and TLS13-SHAKE256
(<xref target="shake-profile"/>) uses the 24-round SHAKE256 <xref target="FIPS202"/>.  Finished,
PSK binder, and Encrypted Client Hello acceptance values all use one MAC
(<xref target="mac-op"/>).</t>
      <section anchor="design-goals">
        <name>Design Goals</name>
        <t>A schedule profile turns the whole derivation surface of a connection
into one named, testable object.  Every value comes from one permutation
family, every output binds the profile identity and the governing cipher
suite, and every derivation has a byte-exact test vector
(<xref target="test-vectors"/>).  Neither profile uses SHA-2, HMAC, or HKDF in any
role, and the correspondence with RFC 8446 can be audited shape by shape
(<xref target="shapes"/>).  A deployment that already carries a Keccak permutation
for SHA-3, ML-KEM, or ML-DSA reuses it for the entire schedule.</t>
        <t>The alternative is to keep RFC 8446's HKDF schedule and give it a SHA-3
hash.  That inherits RFC 8446's analysis directly, and <xref target="fips-schedule"/>
records a variant close to it.</t>
        <t>The deck is faster than that alternative.  HKDF is built on HMAC, which
runs every derivation as two nested hash calls, overhead that exists
only to key a hash not built for keying.  A keyed sponge needs no such
wrapper:  it produces each value in one squeeze, with no separate
extract step between stages.</t>
        <t>Over the representative handshake of <xref target="comparison"/>, the deck costs 52
Keccak-f[1600] permutation calls against 156 for a hash-only
HKDF-SHA3-256.  That factor of three follows from HKDF's definition over
HMAC, so no HKDF instantiation removes it.</t>
      </section>
      <section anchor="scope">
        <name>Scope</name>
        <t>This document does not define a new version of TLS.  It changes no
wire structure and no state machine:  the cipher suite code point is
negotiated in the cipher_suites field and selected in the
ServerHello as always, and the schedule profile is not independently
negotiable.  A cipher suite of this document governs only the AEAD
and the key schedule.  It does not by itself make a connection free
of SHA-2:  certificate-based authentication is negotiated separately
and commonly relies on SHA-2.  A deployment that requires a fully
SHA-2-free connection must additionally restrict itself to
SHA-2-free signature schemes and certificate chains, or use PSK-only
authentication (<xref target="security-considerations"/>).</t>
      </section>
    </section>
    <section anchor="conventions">
      <name>Conventions and Definitions</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
      <t>This document uses the following terms.</t>
      <dl>
        <dt>schedule profile:</dt>
        <dd>
          <t>The set of algorithms and encodings, selected by a TLS 1.3 cipher
suite, that defines every key-schedule computation of a
connection (<xref target="schedule-profiles"/>).  Written ScheduleProfile when
referring to the named component of a cipher suite.</t>
        </dd>
        <dt>selected_cipher_suite:</dt>
        <dd>
          <t>The cipher suite selected in the ServerHello message, as a 16-bit
integer.  uint16(selected_cipher_suite) yields its two-octet RFC
8446 encoding.</t>
        </dd>
        <dt>recorded cipher suite:</dt>
        <dd>
          <t>For a resumption PSK, the cipher suite of the ticket; for an
imported PSK, target_ciphersuite (<xref target="psk-importer"/>).</t>
        </dd>
        <dt>governing cipher suite:</dt>
        <dd>
          <t>The cipher suite value a derived output binds, determined by the
rules of <xref target="governing-profile"/>.  For an output computed before the
server's selection is known (an early-stage output when a PSK is
offered, a PSK binder, a PSK import), it is the PSK's recorded
cipher suite.  For every other output it is selected_cipher_suite.
Stage secrets and other values internal to a schedule bind no cipher
suite (<xref target="schedule-profiles"/>).</t>
        </dd>
        <dt>trunk (stage trunk):</dt>
        <dd>
          <t>The running deck accumulator for a schedule stage (E, H, or T),
which absorbs the stage's inputs, is forked for the stage's leaf
outputs, and is ratcheted to produce the stage secret.</t>
        </dd>
        <dt>DHE:</dt>
        <dd>
          <t>The (EC)DHE shared secret, computed as in RFC 8446, Section 7.4.</t>
        </dd>
        <dt>Nk, Nn:</dt>
        <dd>
          <t>The AEAD key and nonce lengths of the selected cipher suite, in
octets.</t>
        </dd>
        <dt>FLen:</dt>
        <dd>
          <t>The length of Finished and PSK binder verify_data: 64 octets in
both profiles of this document.</t>
        </dd>
        <dt>uint16(n):</dt>
        <dd>
          <t>The two-octet big-endian encoding of n, as in the TLS presentation
language.</t>
        </dd>
        <dt>||:</dt>
        <dd>
          <t>Octet-string concatenation.</t>
        </dd>
        <dt>x[a..b]:</dt>
        <dd>
          <t>Octets a through b-1 of the octet string x, indexed from zero.</t>
        </dd>
        <dt>frame(x):</dt>
        <dd>
          <t>uint16(len(x)) || x, where len(x) is the octet length of x.</t>
        </dd>
        <dt/>
        <dd>
          <t>Strings are length-prefixed only:  they are not null-terminated or
otherwise padded after x.  Both profiles of this document build every
derivation input from framed items, so inputs are injectively encoded.
Inputs longer than 0xFFFE octets do not occur:  variable-length public
values are reduced by the transcript hash or explicitly bounded before
framing, and the one variable-length secret input, an external PSK, is
bounded by <xref target="psk-importer"/>.</t>
        </dd>
      </dl>
      <t>An empty value contributes frame("") wherever it is framed, encoding as
the two octets 0x0000 with no payload octets.  An absent input omits its
framed items entirely.  Omitting an input is not the same as framing an
empty value.</t>
      <section anchor="transcript-hash">
        <name>Transcript Hash</name>
        <t>The transcript hash is an unkeyed 64-octet hash defined by the schedule
profile of the governing cipher suite (<xref target="turboshake-profile"/>,
<xref target="shake-profile"/>).  TranscriptHash is computed over the handshake
transcript as in RFC 8446, Section 4.4.1:  message type and
length fields are included, and record-layer framing is excluded.
TranscriptHash accepts any octet string.  The RFC 8446 rules define only
how the handshake transcript is serialized before hashing, and the same
function is applied to non-transcript inputs such as exporter labels and
imported PSK identities.  For a HelloRetryRequest, the RFC 8446 Section
4.4.1 synthetic-message construction is retained, substituting
TranscriptHash for Hash.  In both profiles of this document,
TranscriptHash takes no cipher suite input, so a client can compute its
checkpoints before the ServerHello.  Cipher suite binding happens at
output derivations only.</t>
        <t>This document uses the following checkpoint values:</t>
        <dl>
          <dt>TH_CH0:</dt>
          <dd>
            <t>TranscriptHash of the partial ClientHello transcript of RFC 8446,
Section 4.2.11.2:  the handshake messages through the ClientHello,
with the ClientHello truncated after the
PreSharedKeyExtension.identities field and the binders list
excluded.  After a HelloRetryRequest, this partial transcript
includes the first ClientHello and the HelloRetryRequest via the
synthetic-message construction of <xref target="transcript-hash"/>, exactly as
in RFC 8446.</t>
          </dd>
          <dt>TH_CH:</dt>
          <dd>
            <t>TranscriptHash(ClientHello).</t>
          </dd>
          <dt>TH_SH:</dt>
          <dd>
            <t>TranscriptHash(ClientHello up to and including ServerHello).</t>
          </dd>
          <dt>TH_SF:</dt>
          <dd>
            <t>TranscriptHash(ClientHello up to and including the server
Finished message).</t>
          </dd>
          <dt>TH_CF:</dt>
          <dd>
            <t>TranscriptHash(ClientHello up to and including the client
Finished message).</t>
          </dd>
        </dl>
        <t>For a Finished MAC computed by either peer, the covered transcript
is taken up to but not including the Finished message being
computed, consistent with RFC 8446, Section 4.4.4.</t>
      </section>
    </section>
    <section anchor="schedule-profiles">
      <name>Schedule Profiles</name>
      <t>A schedule profile is a set of algorithms and encodings selected by
a TLS 1.3 cipher suite.  A schedule profile specifies:</t>
      <ul spacing="normal">
        <li>
          <t>profile_id, a fixed octet string naming the profile, bound into
its derivations;</t>
        </li>
        <li>
          <t>SecretLen, the length of stage and traffic secrets;</t>
        </li>
        <li>
          <t>FLen, the length of Finished and binder verify_data;</t>
        </li>
        <li>
          <t>TranscriptHash(messages), the unkeyed transcript hash of
<xref target="transcript-hash"/>;</t>
        </li>
        <li>
          <t>the derivation of initial and stage secrets from PSK and
key-exchange inputs (an extract operation, a stage accumulator,
or an equivalent construction);</t>
        </li>
        <li>
          <t>the derivation of every handshake, application, exporter, and
resumption secret;</t>
        </li>
        <li>
          <t>the Finished MAC and PSK binder computations;</t>
        </li>
        <li>
          <t>record key and IV derivation;</t>
        </li>
        <li>
          <t>traffic-secret update;</t>
        </li>
        <li>
          <t>exporter derivation;</t>
        </li>
        <li>
          <t>resumption PSK derivation;</t>
        </li>
        <li>
          <t>the Encrypted Client Hello acceptance computations; and</t>
        </li>
        <li>
          <t>the domain-separation and input-framing rules its derivations
use.</t>
        </li>
      </ul>
      <t>A schedule profile is not independently negotiated.  It is selected
solely by the negotiated cipher suite:  the ClientHello
cipher_suites field offers, and the ServerHello cipher_suite field
selects, as in RFC 8446, Section 4.1.  Future
specifications may define additional schedule profiles by
registering new TLS 1.3 cipher suites whose definitions include the
complete profile.</t>
      <t>Every derivation of a schedule profile MUST bind at least the following
into the input of the underlying primitive:  a protocol identifier (the
profiles of this document use profile_id strings beginning "TLS 1.3"),
the profile_id, the governing cipher suite for any output that leaves
the schedule, the derivation label, the output length (a profile MAY
instead fix the length of an internal stage secret as a profile
constant, provided the operation that produces it is domain-separated
from every variable-length operation), the transcript checkpoint or
other public context where applicable, and the secret input or the stage
that carries it.  All variable-length items MUST be length-framed.  No
two distinct derivation paths may produce identical encoded inputs to
the underlying primitive unless they intentionally derive the same
value.</t>
      <t>Both profiles of this document bind the output length as uint16, so no
output longer than 65534 octets is derivable.  The one derivation whose
length is caller-chosen is the exporter:  an implementation MUST reject
a TLS-Exporter request for more than 65534 octets rather than reduce the
requested length modulo 65536, which would let two different requested
lengths bind the same encoded value.  Every other output length in this
document is a profile constant or Nk + Nn, all far below the bound, so
the exporter is the only derivation where this rejection can occur.</t>
    </section>
    <section anchor="governing-profile">
      <name>The Governing Profile</name>
      <t>Every output of a schedule profile binds a governing cipher suite,
and through it a governing profile.  The rules are:</t>
      <ul spacing="normal">
        <li>
          <t>After the ServerHello of a full handshake, the governing cipher
suite is selected_cipher_suite, and the governing profile is the
schedule profile of that suite.</t>
        </li>
        <li>
          <t>A PSK binder is computed before the server selects a cipher
suite.  Its governing cipher suite is the PSK's recorded cipher
suite, and it is computed and verified under the schedule profile
associated with that PSK.  As in RFC 8446, Section 4.2.11, a
server MUST verify the binder of any PSK it selects, and MUST
perform that verification under that PSK's recorded cipher suite.</t>
        </li>
        <li>
          <t>Early-stage outputs derived before the ServerHello (early traffic
keys, the early exporter secret) are governed by the offered
PSK's recorded cipher suite.</t>
        </li>
        <li>
          <t>After a HelloRetryRequest, an updated binder remains governed by
the PSK's recorded cipher suite.  A client SHOULD omit from its
updated ClientHello any PSK whose recorded cipher suite is
incompatible with the cipher suite implied by the
HelloRetryRequest, and MUST recompute binders as required by RFC
8446, Section 4.2.11.2.</t>
        </li>
        <li>
          <t>A server MUST NOT select a PSK unless the schedule profile of the
cipher suite it selects is compatible with the schedule profile
associated with the PSK.  Two schedule profiles are compatible only if
they have the same profile_id and identical profile parameters.  This
document defines no broader compatibility.  Because each profile of
this document additionally binds the recorded cipher suite into the
binder, a server MUST NOT select a PSK whose recorded cipher suite
differs from the cipher suite it selects.  This is stricter than RFC
8446, Section 4.2.11, which requires only that the selected cipher
suite share the PSK's Hash.  Because a schedule profile is not
independently negotiated, compatibility requires the full cipher
suite, not merely its transcript hash, to match.</t>
        </li>
        <li>
          <t>For 0-RTT, the server MUST require the selected cipher suite to
equal the PSK's recorded cipher suite (<xref target="zero-rtt"/>), unless a
future specification defines a narrower compatibility rule.</t>
        </li>
      </ul>
      <t>A PSK that is offered but not selected leaves no trace in the
schedule.  If the server does not select the client's PSK, both
peers compute the connection's schedule as a handshake without a
PSK:  the client discards any PSK-keyed schedule state it built for
the binder or for early data, along with its outputs, and begins the
schedule again with the empty PSK, applying the destruction rules of
its profile.</t>
      <t>Implementations MUST associate every PSK and session ticket with
the cipher suite, and therefore the schedule profile, under which
it was established.</t>
    </section>
    <section anchor="derived-outputs">
      <name>Keyed Derivations</name>
      <t>Every derivation in this document that is keyed by a retained
octet-string secret, rather than by a live stage of a profile's
schedule, is a deck session rooted at that secret (<xref target="deck-schedule"/>),
specified once for both profiles in <xref target="expand-op"/> since the deck is
identical up to its permutation.  MAC computes Finished, PSK binders,
and Encrypted Client Hello acceptance confirmations.  <xref target="mac-op"/> defines
it once as a byte layout over the profile's permutation, and each
profile fixes that permutation (<xref target="turboshake-mac"/>, <xref target="shake-mac"/>).
Stage schedules themselves remain profile-specific
(<xref target="turboshake-profile"/>, <xref target="shake-profile"/>).  This section covers
everything derived from the octet-string secrets those schedules
produce.</t>
      <section anchor="expand-op">
        <name>Expanding a Retained Secret</name>
        <t>A value keyed by a retained octet-string secret is produced by a deck
session (<xref target="deck-schedule"/>) rooted at that secret.  The deck is
initialized, the secret is absorbed, the session is forked under a label
and the governing cipher suite of the output, any context is absorbed,
and the deck is squeezed to the output length.  Written with the deck
operations of <xref target="deck-interface"/>:</t>
        <artwork><![CDATA[
D = Init(); Absorb(D, "secret", secret)
F = Fork(D, label, suite)
Absorb(F, "context", context)      # omitted when context is empty
out = Squeeze(F, "out", L)
]]></artwork>
        <t>suite is the governing cipher suite of the output
(<xref target="governing-profile"/>), bound by the Fork; label is an ASCII label;
context is an octet string; and L is the output length in octets.
Because every item is length-framed by the deck (<xref target="domain-separation"/>),
distinct expansions map to distinct deck inputs.  When context is empty
its Absorb is omitted rather than framed as an empty value.  The frame
of the following "out" tag delimits the absence, so an omitted context
and an empty one never yield the same input.  No two expansions in this
document share the same label unless they intentionally derive the same
value, and L never exceeds 65534 octets (<xref target="schedule-profiles"/>).  This
expansion is the analogue of RFC 8446's HKDF-Expand-Label and carries
the same RFC 8446 labels.  It is a use of the deck, not a separate
construction.</t>
      </section>
      <section anchor="mac-op">
        <name>MAC</name>
        <t>MAC(key, suite, label, message, L) computes every tag in this document:
the PSK binder, both Finished values, and the ECH acceptance
confirmation.  Both profiles use it.  This section defines it once over
the profile's permutation, and each profile fixes that permutation
(<xref target="turboshake-mac"/>, <xref target="shake-mac"/>).</t>
        <t>MAC builds the octet string mac_input from a key, a positional tuple X,
and a fixed customization string S, then applies the profile's
permutation to mac_input as a sponge, with a 136-octet rate, a 512-bit
capacity, and domain-separation byte 0x04 appended in the manner of
TurboSHAKE <xref target="RFC9861"/>, squeezing 8 * L bits:</t>
        <artwork><![CDATA[
K = key
X = frame(profile_id) || frame(uint16(suite))
      || frame(label) || frame(message)
S = "TLS 1.3 MAC"
mac_input = bytepad(encode_string("KMAC") || encode_string(S), 136)
            || bytepad(encode_string(K), 136)
            || X || right_encode(8 * L)
]]></artwork>
        <t>The four length encoders are byte-oriented.  For a non-negative integer
n, let b be the number of octets in its minimal big-endian form, taking
b to be 1 when n is 0.  left_encode(n) is the single octet b followed by
n as b octets.  right_encode(n) is n as b octets followed by the single
octet b.  For an octet string s of len(s) octets, encode_string(s) is
left_encode(8 * len(s)) followed by s.  bytepad(s, w) is left_encode(w)
followed by s, then zero octets until the length is a multiple of w.</t>
        <t>The input X is positional.  Unlike the deck's Absorb and Fork inputs,
which pair each value with a frame(tag), the MAC fields carry no
per-item tags.  Their fixed order and length-framing parse them
unambiguously, and S is the same in every invocation of either profile.</t>
        <t>The two profiles fix the permutation.  On the Keccak-p[1600,12] of
TLS13-TURBOSHAKE256 the sponge is TurboSHAKE256(mac_input, 0x04, L),
which this document names TurboKMAC256.  On the Keccak-f[1600] of
TLS13-SHAKE256 it is the sponge cSHAKE256 and KMAC256 are built on, and
the result is byte-for-byte NIST KMAC256 <xref target="SP800-185"/>.  This layout and
the 0x04 domain byte are the ones cSHAKE and KMAC use, so those
equalities hold by construction.  MAC is defined by the layout above,
not by reference to KMAC.</t>
        <t>Because right_encode(8 * L) binds the output length into mac_input
before the permutation runs, neither profile is KMACXOF256, and outputs
of different lengths are unrelated.  MAC is the analogue of RFC 8446's
HMAC-based Finished and binder MACs and carries the same RFC 8446
labels.  No two invocations share a label unless they derive the same
value, and L never exceeds 65534 octets (<xref target="schedule-profiles"/>).</t>
      </section>
      <section anchor="record-keys-generic">
        <name>Record Keys</name>
        <t>Record keys are derived from a traffic secret in one call, so a
retained traffic secret suffices to re-derive its keys, as in RFC
8446.  The governing cipher suite is that of the traffic secret:
for early-data keys, derived before the ServerHello, it is the
offered PSK's recorded cipher suite, whose Nk and Nn apply.</t>
        <artwork><![CDATA[
D = Init(); Absorb(D, "secret", traffic_secret)
key_block = Squeeze(Fork(D, "key", suite), "out", Nk + Nn)

write_key = key_block[0..Nk]
write_iv  = key_block[Nk..Nk+Nn]
]]></artwork>
        <t>The split is unambiguous:  Nk and Nn are fixed by the suite, which
is bound into the derivation together with the output length.  The
traffic secret is already specific to one direction and one stage,
so no direction or epoch input is needed.  The per-record nonce
construction, record format, and AEAD additional data are unchanged
from RFC 8446.</t>
      </section>
      <section anchor="key-update-generic">
        <name>Key Update</name>
        <t>A key update derives the next traffic-secret generation from the
current one:</t>
        <artwork><![CDATA[
D = Init(); Absorb(D, "secret", app_traffic_secret_N)
app_traffic_secret_{N+1} =
    Squeeze(Fork(D, "traffic upd", suite), "out", SecretLen)
]]></artwork>
        <t>with record keys re-derived from the new secret as above.  Each
generation is an erasure boundary:  an implementation MUST destroy
the previous secret, its keys, and any schedule state derived from
them after the new generation is installed, and MUST NOT derive
generation N+1 from anything other than generation N (in
particular, not from a retained stage accumulator or a counter).</t>
      </section>
      <section anchor="finished-and-binder-mac">
        <name>Finished and PSK Binder MACs</name>
        <t>Finished and PSK binder verify_data are computed under a dedicated MAC
key, expanded from a stage or traffic secret (<xref target="expand-op"/>), rather
than by MACing that secret directly.  This matches RFC 8446, Section
4.4.4, field for field:  finished_key and binder_key take the roles
of RFC 8446's identically named intermediates, and MAC takes the role of
RFC 8446's HMAC.</t>
        <artwork><![CDATA[
D = Init(); Absorb(D, "secret", base_key)
finished_key = Squeeze(Fork(D, "finished", suite), "out", SecretLen)
verify_data  = MAC(finished_key, suite, label, th, FLen)
]]></artwork>
        <t>For a Finished message, base_key is the sender's handshake traffic
secret, selected as in RFC 8446, Section 4.4; suite is
selected_cipher_suite; label is "finished"; and th covers the transcript
up to but not including the Finished message being computed.  For a PSK
binder, the dedicated key is derived in two steps, as RFC 8446,
Section 7.1 derives binder_key and then finished_key from it:</t>
        <artwork><![CDATA[
De = Init(); Absorb(De, "secret", early_secret)
binder_key   = Squeeze(Fork(De, ext_or_res_label, suite), "out", 64)
Db = Init(); Absorb(Db, "secret", binder_key)
finished_key = Squeeze(Fork(Db, "finished", suite), "out", SecretLen)
verify_data  = MAC(finished_key, suite, label, TH_CH0, FLen)
]]></artwork>
        <t>early_secret is the early-stage secret of the schedule keyed by that
PSK; ext_or_res_label is "ext binder" for an external PSK and "res
binder" for a resumption PSK, and label takes the same value in the MAC
call; suite is the PSK's recorded cipher suite.  Both finished_key and
binder_key are 64 octets, the length of every stage and traffic secret
in both profiles (SecretLen, <xref target="turboshake-profile"/>, <xref target="shake-profile"/>),
matching RFC 8446's use of Hash.length for the same intermediates.
Binder verification follows <xref target="governing-profile"/>.</t>
        <t><xref target="comparison"/> counts every finished_key and binder_key derivation of a
representative full handshake against the corresponding RFC 8446
HKDF-Expand-Label calls.</t>
        <t>finished_key and binder_key are dedicated MAC keys:  neither is ever
used to derive record keys, an exporter, or any other output.  No
joint-security argument about reusing one secret across the deck and the
MAC is therefore needed, and the MAC's security as a keyed function
rests on the same sponge assumptions as the deck itself (<xref target="FSKS"/>,
<xref target="KEYEDDUPLEX"/>).  The structure is otherwise identical to RFC 8446's,
field for field:  finished_key and binder_key exist for the same reason
in both, and the only substitution is the MAC for HMAC as the keyed
function that consumes them (<xref target="cryptographic-analysis"/>).  The RFC 8446
key-schedule analysis of these intermediates therefore transfers
directly, in both profiles of this document.</t>
        <t>Binders are computed before the ServerHello.  This is possible in both
profiles because stage secrets bind no cipher suite:  the client
ratchets a clone of the early trunk to obtain early_secret at
ClientHello time, in either profile (<xref target="deck-schedule"/>).</t>
      </section>
      <section anchor="exporters-generic">
        <name>Exporters</name>
        <t>Exporters are keyed by the retained exporter master secret:</t>
        <artwork><![CDATA[
TLS-Exporter(label, context, length):
    D = Init(); Absorb(D, "secret", exp_master)
    F = Fork(D, "exporter", suite)
    Absorb(F, "context", frame(TranscriptHash(label))
                         || frame(TranscriptHash(context)))
    return Squeeze(F, "out", length)
]]></artwork>
        <t>The early exporter is the same construction keyed by e_exp_master,
with the offered PSK's recorded cipher suite as its governing
suite.  Hashing the label and the context bounds them and keeps the
composite context injective.  An implementation MUST reject a
TLS-Exporter request for more than 65534 octets
(<xref target="schedule-profiles"/>).</t>
      </section>
      <section anchor="resumption-generic">
        <name>Resumption PSK</name>
        <t>The resumption PSK for a NewSessionTicket is:</t>
        <artwork><![CDATA[
D = Init(); Absorb(D, "secret", res_master)
F = Fork(D, "resumption", suite); Absorb(F, "context", ticket_nonce)
resumption_psk = Squeeze(F, "out", 64)
]]></artwork>
      </section>
      <section anchor="ech-generic">
        <name>ECH Acceptance Confirmations</name>
        <t>For the cipher suites of this document, the ECH acceptance signals
of <xref target="RFC9849"/> are:</t>
        <artwork><![CDATA[
accept_confirmation =
    MAC(ClientHelloInner.random, selected_cipher_suite,
        "ech accept confirmation",
        TranscriptHash(ech_conf_messages), 8)

hrr_accept_confirmation =
    MAC(ClientHelloInner.random, selected_cipher_suite,
        "hrr ech accept confirmation",
        TranscriptHash(hrr_ech_conf_messages), 8)
]]></artwork>
        <t>replacing the HKDF-Extract and HKDF-Expand-Label computations of
<xref target="RFC9849"/>, with ech_conf_messages and hrr_ech_conf_messages the
handshake message ranges that document identifies for each
confirmation, per RFC 8446, Section 4.4.1.
TranscriptHash(ech_conf_messages) is RFC 9849's transcript_ech_conf,
i.e. the same single transcript-hash operation, applied once.  The
selected cipher suite is known to both peers when each confirmation
is computed and checked.</t>
        <t>Keying the confirmation on ClientHelloInner.random alone matches
<xref target="RFC9849"/>, whose confirmation key is HKDF-Extract(0,
ClientHelloInner.random), with no handshake secret mixed in.  This
document computes a single MAC under that same key in place of RFC
9849's extract-then-expand, so the acceptance signal keeps its RFC 9849
properties.  Only a server that decrypted the inner ClientHello, and so
learned ClientHelloInner.random, can compute the confirmation, and no
network attacker can forge it.  Because the confirmation transcript
covers the ServerHello, it binds its handshake and does not transplant
to another.</t>
      </section>
      <section anchor="import-derivation">
        <name>PSK Import Derivation</name>
        <t>An external PSK is imported per target cipher suite
(<xref target="psk-importer"/>).  The import derivation, for every profile of
this document, is:</t>
        <artwork><![CDATA[
D = Init(); Absorb(D, "secret", epsk)
F = Fork(D, "derived psk", target_ciphersuite)
Absorb(F, "context", TranscriptHash(ImportedIdentityV2))
ipsk = Squeeze(F, "out", SecretLen)
]]></artwork>
        <t>with target_ciphersuite as the governing suite, following the shape of
the RFC 9258 derivation, with the entire serialized ImportedIdentityV2
reduced by the transcript hash as the context.  ipsk is an explicit
octet string by design:  it crosses a system boundary into the PSK
store.  epsk is absorbed as the secret of a deck expansion
(<xref target="expand-op"/>) in both profiles, so a low-entropy or
attacker-influenced epsk never keys either profile's underlying
permutation directly.</t>
      </section>
    </section>
    <section anchor="cipher-suites">
      <name>Cipher Suites and Code Points</name>
      <t>This document defines five cipher suites.  As in TLS 1.3, the code
point is negotiated in the cipher_suites field of the ClientHello
and selected in the ServerHello.  The suffix of each name denotes
the complete schedule profile of the suite, not merely a transcript
hash or MAC.</t>
      <artwork><![CDATA[
enum {
    TLS_AES_128_GCM_TURBOSHAKE256       = {0xTBD, 0xTBD},
    TLS_AES_256_GCM_TURBOSHAKE256       = {0xTBD, 0xTBD},
    TLS_CHACHA20_POLY1305_TURBOSHAKE256 = {0xTBD, 0xTBD},
    TLS_AES_128_GCM_SHAKE256            = {0xTBD, 0xTBD},
    TLS_AES_256_GCM_SHAKE256            = {0xTBD, 0xTBD}
} CipherSuite;
]]></artwork>
      <table anchor="suite-table">
        <name>Cipher Suites and Their Schedule Profiles</name>
        <thead>
          <tr>
            <th align="left">Cipher Suite</th>
            <th align="left">AEAD</th>
            <th align="left">ScheduleProfile</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">TLS_AES_128_GCM_TURBOSHAKE256</td>
            <td align="left">AES-128-GCM</td>
            <td align="left">TLS13-TURBOSHAKE256</td>
          </tr>
          <tr>
            <td align="left">TLS_AES_256_GCM_TURBOSHAKE256</td>
            <td align="left">AES-256-GCM</td>
            <td align="left">TLS13-TURBOSHAKE256</td>
          </tr>
          <tr>
            <td align="left">TLS_CHACHA20_POLY1305_TURBOSHAKE256</td>
            <td align="left">ChaCha20-Poly1305</td>
            <td align="left">TLS13-TURBOSHAKE256</td>
          </tr>
          <tr>
            <td align="left">TLS_AES_128_GCM_SHAKE256</td>
            <td align="left">AES-128-GCM</td>
            <td align="left">TLS13-SHAKE256</td>
          </tr>
          <tr>
            <td align="left">TLS_AES_256_GCM_SHAKE256</td>
            <td align="left">AES-256-GCM</td>
            <td align="left">TLS13-SHAKE256</td>
          </tr>
        </tbody>
      </table>
      <t>The suites of a profile differ only in the AEAD algorithm and its
key and nonce lengths.  The AEAD algorithms, their Nk and Nn, and
the per-record nonce construction are those of RFC 8446 and its
cipher suites.  Code points are to be assigned by IANA
(<xref target="iana-considerations"/>).</t>
      <t>An implementation MUST NOT combine an AEAD algorithm and a schedule
profile that are not registered together as a cipher suite:  each
cipher suite is a single negotiated value that determines both.</t>
    </section>
    <section anchor="deck-schedule">
      <name>The Deck Schedule</name>
      <t>Both schedule profiles of this document express the key schedule as a
deck function.  The key schedule is a derivation tree, and a
sponge-based primitive can express a tree natively:  absorb inputs into
a running accumulator, fork where the tree branches, and squeeze outputs
at the leaves.</t>
      <t>The schedule's normative interface is a deck function <xref target="FARFALLE"/>:  a
keyed function with extendable input and incremental output, the
abstraction under which forked-state designs carry security contracts
<xref target="JAMMIN"/>.  This section defines the deck operations once, for both
profiles.  <xref target="turboshake-profile"/> and <xref target="shake-profile"/> each give a
short instantiation naming the profile's XOF, permutation, and
domain-separation constants.</t>
      <t>This document uses the following terms.</t>
      <dl>
        <dt>deck function:</dt>
        <dd>
          <t>A keyed cryptographic function taking a sequence of input strings
and producing output of arbitrary length, supporting extendable
input and incremental output <xref target="FARFALLE"/>.</t>
        </dd>
        <dt>stage:</dt>
        <dd>
          <t>One of the three phases of the schedule: early (keyed by the PSK),
handshake (adds the key-exchange secrets), and application.
Stages are separated by ratchets, and each key-update generation
adds a further ratchet.</t>
        </dd>
        <dt>fork:</dt>
        <dd>
          <t>Deriving a leaf value from a stage by extending the stage's input
sequence with a label and the governing cipher suite and
squeezing.  In a stateful implementation, a fork is a clone of
the stage accumulator.  Forks are only permitted from an
accumulator that has not produced output.</t>
        </dd>
        <dt>ratchet:</dt>
        <dd>
          <t>Crossing a stage boundary by squeezing an explicit stage secret
directly from the trunk (the Ratchet operation of <xref target="deck-interface"/>)
and reinitializing the next stage from it, after which every
accumulator of the completed stage is destroyed
(<xref target="erasure-boundaries"/>).  The squeeze-and-reinitialize pattern
follows the RATCHET operation of <xref target="STROBE"/> and the Ratchet call of
Cyclist <xref target="XOODYAK"/>.</t>
        </dd>
      </dl>
      <t>The presentation is stateful, but the construction is not.  Every
derived value equals one invocation of a profile's deck function over
the framed derivation path from its stage's initialization to that
value, with no extract-then-expand structure, and an implementation that
recomputes each value from its path is as conformant as one that
maintains cloned accumulators.  The three stages of <xref target="key-schedule"/> are
protocol phases separated by ratchets, not KDF steps:  shared trunks
absorb each input once, the handshake holds only two intermediate
secrets, and the one-way truncations fall at the stage boundaries where
TLS must erase prior state.</t>
      <t>The keyed-duplex construction underlying both profiles has concrete
security bounds <xref target="FSKS"/> <xref target="KEYEDDUPLEX"/> <xref target="DUPLEXSEC"/>, and the TLS
1.3 key schedule has a proof framework based on derivation graphs
with explicit intermediate values <xref target="TLS13KS"/>.
<xref target="cryptographic-analysis"/> composes those lines of work into a
handshake-level security argument for the TLS13-TURBOSHAKE256
profile.</t>
      <section anchor="deck-interface">
        <name>The Deck Schedule Interface</name>
        <t>The schedule is expressed through operations that build input sequences
for the deck function DF(S, L), which maps a completed sequence S and an
output length L to L octets of output.  Each profile's instantiation of
DF is given in <xref target="turboshake-instantiation"/> and <xref target="shake-instantiation"/>.
Every operation that absorbs data contributes frame(tag) ||
frame(value) to the sequence, so distinct input sequences yield distinct
absorbed strings.</t>
        <section anchor="operations">
          <name>Operations</name>
          <t>Each operation's effect on a sequence is:</t>
          <artwork><![CDATA[
Init()              seq = frame(profile_id)

Absorb(S, tag, v)   seq(S) = seq(S) || frame(tag) || frame(v)

Fork(S, label, cs)  new S' with
                    seq(S') = seq(S) || frame(label)
                              || frame("suite") || frame(uint16(cs))

Squeeze(S, tag, L)  seq(S) = seq(S) || frame(tag)
                             || frame(uint16(L))
                    output DF(S, L)

Ratchet(S, label)   Squeeze(S, label, SecretLen)
]]></artwork>
          <dl>
            <dt>Init():</dt>
            <dd>
              <t>Begin a session by framing the governing profile's profile_id
(<xref target="turboshake-profile"/>, <xref target="shake-profile"/>).</t>
            </dd>
            <dt>Absorb(S, tag, value):</dt>
            <dd>
              <t>Add one tagged input to S, returning S.</t>
            </dd>
            <dt>Fork(S, label, suite):</dt>
            <dd>
              <t>Branch a new sequence for a single output.  The copy diverges from S
under the framed label, and suite, the governing cipher suite of the
output being derived, is bound under the fixed tag "suite".  S is
unmodified.  An implementation MUST NOT apply Fork to a sequence that
has produced output.</t>
            </dd>
            <dt>Squeeze(S, tag, L):</dt>
            <dd>
              <t>Terminate S and produce L octets.  An implementation MUST NOT absorb
further input into a squeezed S and MUST NOT fork it.  Binding L into
the sequence before output ensures that outputs of different lengths
are unrelated rather than prefixes of one another.  L never exceeds
65534 octets for any derivation in this document.</t>
            </dd>
            <dt>Ratchet(S, label):</dt>
            <dd>
              <t>Cross a stage boundary:  squeeze the 64-octet stage secret
directly from the stage trunk under the stage label, terminating
the trunk.  A ratchet output binds no cipher suite:  stage secrets
never leave the schedule, and every output that does binds its
governing suite at its own Fork or expansion (<xref target="governing-profile"/>,
<xref target="expand-op"/>).  The ratchet labels "early secret" and "main secret"
are reserved:  they appear as no absorb tag, fork label, or squeeze
tag elsewhere in either profile.</t>
            </dd>
          </dl>
          <t>Leaf derivations keyed by a live stage use Fork and Squeeze.
Derivations keyed by a retained octet-string secret use a deck expansion
(<xref target="expand-op"/>), built from the same Init, Absorb, Fork, and Squeeze
operations over each profile's DF.</t>
        </section>
        <section anchor="one-shot-equivalence">
          <name>One-Shot Equivalence</name>
          <t>Because Fork applies only before output and Squeeze, and therefore
Ratchet, terminates a sequence, every derived value is exactly one
deck-function invocation over the framed path from Init to its final
squeeze.  Derived values are therefore byte-exact and testable without
reference to any internal state.  An implementation MAY realize forks by
cloning a running accumulator or by recomputing each leaf from its path.
Both strategies MUST produce identical octets.</t>
        </section>
      </section>
      <section anchor="shapes">
        <name>Derivation Shapes</name>
        <t>Every RFC 8446 derivation replaced by this document is an instance
of one of six shapes.  This table is the specification frame for
<xref target="key-schedule"/> and makes the RFC 8446 correspondence auditable.</t>
        <table anchor="shape-table">
          <name>Derivation Shapes and Their Realizations</name>
          <thead>
            <tr>
              <th align="left">Shape</th>
              <th align="left">RFC 8446 sites</th>
              <th align="left">Realization</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Root absorb</td>
              <td align="left">early_secret; PSK import</td>
              <td align="left">Init + Absorb secret</td>
            </tr>
            <tr>
              <td align="left">Accumulate</td>
              <td align="left">handshake_secret (per component)</td>
              <td align="left">Absorb secret</td>
            </tr>
            <tr>
              <td align="left">Ratchet</td>
              <td align="left">early_secret; main_secret; key update</td>
              <td align="left">Ratchet or expand</td>
            </tr>
            <tr>
              <td align="left">Branch</td>
              <td align="left">traffic/master secrets; resumption</td>
              <td align="left">Fork + Squeeze</td>
            </tr>
            <tr>
              <td align="left">Expand-to-use</td>
              <td align="left">record keys; exporters</td>
              <td align="left">Expand from a secret</td>
            </tr>
            <tr>
              <td align="left">Keyed check</td>
              <td align="left">Finished; PSK binders</td>
              <td align="left">MAC</td>
            </tr>
          </tbody>
        </table>
        <t>Shapes 1 through 3 act on the trunk of a stage.  Shapes 4 through 6 are
forks or self-contained keyed calls.  The early_secret of RFC 8446
becomes this document's first ratchet, and the handshake_secret extract
becomes an accumulation into the handshake stage.  Both stage boundaries
remain explicit octet-string secrets (<xref target="erasure-boundaries"/>).  Record
keys are derived from their traffic secret by a separate call, as in RFC
8446, so a retained traffic secret suffices to re-derive its keys.
Deriving them by squeezing alongside the secret would save a few
invocations but break that re-derivability, so the schedule keeps the
separate call.</t>
      </section>
      <section anchor="key-schedule">
        <name>Key Schedule</name>
        <t>The schedule has three stages separated by two ratchets, and each
key-update generation adds a further ratchet.  Stage trunks and stage
secrets bind no cipher suite value, matching the RFC 8446 extracts they
replace:  a client offering several cipher suites of this document
computes one schedule, and only leaf derivations differ, in their framed
suffix alone.  The governing cipher suite is bound at each leaf
derivation, by Fork or expansion.  In the listing below, suite denotes
the governing cipher suite of the leaf being derived:  the offered PSK's
recorded cipher suite in the early stage, and selected_cipher_suite
thereafter.  This listing is identical for both profiles.  Only each
profile's DF and MAC instantiations differ (<xref target="turboshake-profile"/>,
<xref target="shake-profile"/>).</t>
        <artwork><![CDATA[
E = Init()
Absorb(E, "psk", PSK)              # root absorb; see {{absent-empty}}
                                   # for the no-PSK encoding

# early-stage leaves (0-RTT only); governing suite: recorded
c_e_traffic  = Squeeze(Absorb(Fork(E, "c e traffic", suite),
                              "th", TH_CH), "out", SecretLen)
e_exp_master = Squeeze(Absorb(Fork(E, "e exp master", suite),
                              "th", TH_CH), "out", SecretLen)

early_secret = Ratchet(E, "early secret")
# ratchet: E is terminally squeezed; destroy every
# early-stage accumulator

H = Init()
Absorb(H, "early", early_secret)
Absorb(H, "dh", DHE)               # accumulate; once per component
Absorb(H, "th", TH_SH)             # shared branch context

# governing suite below: selected_cipher_suite
c_hs_traffic = Squeeze(Fork(H, "c hs traffic", suite), "out", SecretLen)
s_hs_traffic = Squeeze(Fork(H, "s hs traffic", suite), "out", SecretLen)

main_secret  = Ratchet(H, "main secret")
# ratchet: H is terminally squeezed; destroy every
# handshake-stage accumulator

T = Init()
Absorb(T, "main", main_secret)
Absorb(T, "th", TH_SF)

c_ap_traffic = Squeeze(Fork(T, "c ap traffic", suite), "out", SecretLen)
s_ap_traffic = Squeeze(Fork(T, "s ap traffic", suite), "out", SecretLen)
exp_master   = Squeeze(Fork(T, "exp master", suite), "out", SecretLen)

Absorb(T, "th", TH_CF)
res_master   = Squeeze(Fork(T, "res master", suite), "out", SecretLen)
# destroy T
]]></artwork>
        <t>When the negotiated group is a hybrid or other multi-component key
exchange, DHE is not one secret.  Each component shared secret is
absorbed by its own Absorb(H, "dh", component), in the order that group
defines them, and the components are never concatenated first.  Both
peers MUST absorb in that order, so they build the same handshake-stage
input sequence.</t>
        <section anchor="absent-empty">
          <name>Absent and Empty Inputs</name>
          <t>A handshake without a PSK still executes Absorb(E, "psk", "").  That
contributes frame("psk") followed by frame(""), that is, 0x0003 || "psk"
|| 0x0000.  This is unambiguous because a PSK of this document is never
zero-length (an imported or resumption PSK is 64 octets).  In that case
the early stage carries no leaves and early_secret is a single
deterministic, public constant of the profile, as RFC 8446's
early secret is the extract of two known constants.  The stage exists
for uniformity across handshake modes, and the schedule's security does
not rest on its secrecy when no PSK is present.  A PSK-only handshake
omits Absorb(H, "dh", ...) entirely:  the tag "dh" does not appear in
the sequence.</t>
        </section>
        <section anchor="suite-binding-and-stage-secrets">
          <name>Suite Binding and Stage Secrets</name>
          <t>A server never selects a PSK whose recorded cipher suite differs
from the cipher suite it selects (<xref target="governing-profile"/>), so
early_secret never feeds the handshake stage under a suite the
transcript does not confirm.</t>
          <t>early_secret and main_secret are the schedule's explicit stage secrets,
and like the RFC 8446 extracts they replace they are interoperable octet
strings:  an implementation that computes them by cloned accumulators
and one that computes them as one-shot invocations over the framed path
MUST produce identical octets.  An implementation MUST destroy each
stage secret once the next stage has absorbed it
(<xref target="erasure-boundaries"/>).  Note that main_secret binds TH_SH through its
trunk, where the corresponding RFC 8446 extract binds no transcript.
This is a strict superset binding, computed identically by both peers,
and is intentional.</t>
        </section>
      </section>
    </section>
    <section anchor="turboshake-profile">
      <name>The TLS13-TURBOSHAKE256 Profile</name>
      <t>The TLS13-TURBOSHAKE256 schedule profile instantiates the deck
schedule of <xref target="deck-schedule"/> with TurboSHAKE256 <xref target="RFC9861"/>, built
on the 12-round Keccak-p[1600,12] permutation of <xref target="FIPS202"/>.</t>
      <t>The profile parameters are:</t>
      <dl>
        <dt>profile_id:</dt>
        <dd>
          <t>The fixed ASCII string "TLS 1.3 DeckSchedule v1" (23 octets),
absorbed first into every derivation as frame(profile_id)
(<xref target="deck-interface"/>).</t>
        </dd>
        <dt>SecretLen:</dt>
        <dd>
          <t>64 octets, the length of every stage and traffic secret.</t>
        </dd>
        <dt>FLen:</dt>
        <dd>
          <t>64 octets.</t>
        </dd>
      </dl>
      <section anchor="turboshake-instantiation">
        <name>Instantiation</name>
        <t>The deck function is:</t>
        <artwork><![CDATA[
DF(S, L) = TurboSHAKE256(seq(S), 0x1F, L)
]]></artwork>
        <t>where seq(S) is the concatenation of every framed item of S in order.
TurboSHAKE256's output length is in octets per <xref target="RFC9861"/>, so L is
passed unchanged, unlike the SHAKE256 profile, whose bit-oriented length
needs an 8 * L conversion (<xref target="shake-instantiation"/>).  The transcript
hash of <xref target="transcript-hash"/> is instantiated with the same function:
TranscriptHash(x) = TurboSHAKE256("tls13 hash" || x, 0x1F, 64).  The
domain-separation byte for the deck and the transcript hash is fixed to
0x1F, the RFC 9861 default, so an API without the D parameter implements
both unchanged.  The MAC (<xref target="mac-op"/>) requires D = 0x04, so the
TurboSHAKE interface this profile uses MUST expose the domain byte.
TurboSHAKE256 uses the Keccak-p[1600,12] permutation as a sponge:
input is absorbed into a 1600-bit state in rate-sized blocks of 136
octets, with the permutation applied after each block, and output is
read from the same state.  The capacity is the 512-bit portion of the
state that input and output never touch.  It is what the erasure
argument of <xref target="erasure-boundaries"/> relies on, and the 64-octet secret,
transcript-hash, and MAC lengths used throughout this document are set
to match it.  The stateful view of this construction is analyzed as a
duplex <xref target="DUPLEX"/>, under the keyed-sponge and keyed-duplex results
<xref target="FSKS"/> <xref target="KEYEDDUPLEX"/> <xref target="DUPLEXSEC"/>.</t>
        <section anchor="required-api-surface">
          <name>Required API Surface</name>
          <t>The required API surface is incremental absorption, cloning of an
unfinalized state, and one-shot squeeze with the output length
known up front.  Cloning before any output is incremental input to
two separate invocations, which Section 2.1 of <xref target="RFC9861"/> permits;
no absorb-after-squeeze occurs anywhere in this document, so no
access below the TurboSHAKE interface is required.  The clone
discipline is the same one TLS stacks already apply to SHA-2
transcript-hash checkpoints.</t>
        </section>
      </section>
      <section anchor="turboshake-mac">
        <name>MAC</name>
        <t>This profile's MAC is the construction of <xref target="mac-op"/> over this profile's
Keccak-p[1600,12] permutation.</t>
      </section>
    </section>
    <section anchor="shake-profile">
      <name>The TLS13-SHAKE256 Profile</name>
      <t>The TLS13-SHAKE256 schedule profile instantiates the deck schedule of
<xref target="deck-schedule"/> with plain SHAKE256 <xref target="FIPS202"/>, built on the 24-round
Keccak-f[1600] permutation, in place of TurboSHAKE256's
Keccak-p[1600,12].  This profile mirrors the TLS13-TURBOSHAKE256
profile's framing exactly:  domain separation comes from the same
framed-prefix mechanism the TurboSHAKE profile uses, an absorbed
frame(profile_id) at Init (<xref target="deck-interface"/>), not from cSHAKE's
function-name and customization-string inputs.  The two profiles' decks
therefore differ only in the underlying permutation, so expansion
(<xref target="expand-op"/>) and the MAC construction (<xref target="mac-op"/>) are shared by
both profiles, each differing only in which permutation it invokes
(<xref target="shake-mac"/>, <xref target="turboshake-mac"/>).</t>
      <t>The profile parameters are:</t>
      <dl>
        <dt>profile_id:</dt>
        <dd>
          <t>The fixed ASCII string "TLS 1.3 SHAKESchedule v1" (24 octets),
absorbed first into every derivation as frame(profile_id)
(<xref target="deck-interface"/>), as in the TLS13-TURBOSHAKE256
profile.</t>
        </dd>
        <dt>SecretLen:</dt>
        <dd>
          <t>64 octets, the length of every stage and traffic secret.</t>
        </dd>
        <dt>FLen:</dt>
        <dd>
          <t>64 octets.</t>
        </dd>
      </dl>
      <section anchor="shake-instantiation">
        <name>Instantiation</name>
        <t>The deck function is:</t>
        <artwork><![CDATA[
DF(S, L) = SHAKE256(seq(S), 8 * L)
]]></artwork>
        <t>where seq(S) is the concatenation of every framed item of S in order,
SHAKE256(X, L) is the function of <xref target="FIPS202"/> with X the main input and
L the output length in bits, and 8 * L converts this document's
octet-oriented L to the bit-oriented L argument of SHAKE256.  SHAKE256
takes no function-name or customization-string input.  Domain separation
for this profile comes entirely from seq(S) itself beginning with
frame(profile_id) (<xref target="deck-interface"/>), the same mechanism the
TLS13-TURBOSHAKE256 profile uses in place of a fixed domain-separation
byte.  The transcript hash of <xref target="transcript-hash"/> is instantiated with
the same function: TranscriptHash(x) = SHAKE256("tls13 hash" || x, 512).
SHAKE256 uses the Keccak-f[1600] permutation as a sponge with a
136-octet rate and a 512-bit capacity, the same rate and capacity as
TurboSHAKE256.  Input is absorbed in rate-sized blocks with the
permutation applied after each block, and output is read from the same
state.  The capacity is what the erasure argument of
<xref target="erasure-boundaries"/> relies on, and the 64-octet secret,
transcript-hash, and MAC lengths used throughout this document match it
in both profiles.</t>
        <section anchor="required-api-surface-1">
          <name>Required API Surface</name>
          <t>The required API surface is incremental absorption, cloning of an
unfinalized state, and one-shot squeeze with the output length known
up front, as in <xref target="turboshake-instantiation"/>.  No
absorb-after-squeeze occurs anywhere in this document, so no access
below the SHAKE256 interface is required.</t>
        </section>
      </section>
      <section anchor="shake-mac">
        <name>MAC</name>
        <t>This profile's MAC is the construction of <xref target="mac-op"/> over this profile's
Keccak-f[1600] permutation.</t>
      </section>
    </section>
    <section anchor="psk-importer">
      <name>PSK Importer</name>
      <t>TLS 1.3 permits external PSKs <xref target="RFC8446"/>, and <xref target="RFC9258"/> imports an
external PSK into a target KDF, producing a PSK bound to its target.  An
external PSK used with a cipher suite of this document is imported per
target cipher suite into an ipsk.  ImportedIdentityV2 below is this
document's own variant of the ImportedIdentity struct of RFC 9258,
Section 4, binding target_ciphersuite where that structure binds
target_kdf:</t>
      <artwork><![CDATA[
struct {
    opaque external_identity<1..2^16-1>;
    opaque context<0..2^16-1>;
    uint16 target_protocol;      /* 0x0304 for TLS 1.3 */
    uint16 target_ciphersuite;   /* a cipher suite of this document */
} ImportedIdentityV2;
]]></artwork>
      <t>The client offers the full ImportedIdentityV2 serialization as the
PskIdentity.identity, and a server that recognizes the structure
recomputes ipsk and MUST verify target_ciphersuite equals the cipher
suite it selects (<xref target="alerts"/>).  A server that does not recognize the
structure treats the entry as an unknown PSK identity, per ordinary RFC
8446 handling.  The import derivation is the generic derivation of
<xref target="import-derivation"/>, keyed by epsk under target_ciphersuite.</t>
      <t>Binding target_ciphersuite rather than RFC 9258's target_kdf diversifies
the imported PSK per cipher suite.  That is one step finer than RFC
9258's per-KDF granularity, and it matches the per-suite binding this
document uses everywhere else.  It reuses the TLS Cipher Suites registry
and registers no TLS KDF Identifier.  The five code points of
<xref target="cipher-suites"/> are the only values target_ciphersuite takes.</t>
      <t>An endpoint MUST NOT use the raw external PSK epsk directly as a
TLS PSK for a cipher suite of this document, and MUST NOT import an
epsk longer than 0xFFFE octets, so every framed value fits a single
frame.  A client that imports one external PSK for use with more
than one cipher suite of this document MUST produce a separate
ImportedIdentityV2, and hence a separate ipsk, per
target_ciphersuite.</t>
    </section>
    <section anchor="zero-rtt">
      <name>Zero-RTT and Early Data</name>
      <t>Early data remains PSK-only and remains replayable under the RFC 8446
anti-replay model.  This document changes neither.  A client MAY send
early data only if the first offered PSK's recorded cipher suite is
among the cipher suites it offers and the remembered ALPN and early-data
policy match the ticket.  A server MUST reject early data unless the
selected cipher suite equals the offered PSK's recorded cipher suite,
the selected ALPN equals the ticket's, and all RFC 8446 anti-replay
checks pass.  The suite-equality check, not the binder, prevents
redirecting early data to a different AEAD.</t>
    </section>
    <section anchor="alerts">
      <name>Alerts</name>
      <t>This section lists the alerts an implementation of this document
sends, in addition to those already defined by RFC 8446:</t>
      <ul spacing="normal">
        <li>
          <t>illegal_parameter: a raw external PSK offered for a cipher suite of
this document without import (<xref target="psk-importer"/>); or an
ImportedIdentityV2 whose target_ciphersuite does not equal the
selected cipher suite.</t>
        </li>
        <li>
          <t>decrypt_error: a Finished or PSK binder MAC that fails
verification, as in RFC 8446.</t>
        </li>
        <li>
          <t>handshake_failure: no cipher suite of this document is mutually
supported when one is required.</t>
        </li>
      </ul>
    </section>
    <section anchor="companion-mechanisms">
      <name>Companion Mechanisms</name>
      <t>Several deployed mechanisms invoke HKDF-Expand-Label directly.
This document defines the Encrypted Client Hello confirmation for
its cipher suites (<xref target="ech-generic"/>), because ECH
is pervasive in the deployments most likely to exercise these
schedules.  The remaining mechanisms are out of scope until a
companion document defines their analogues.</t>
      <section anchor="out-of-scope">
        <name>Out of Scope</name>
        <ul spacing="normal">
          <li>
            <t>DTLS 1.3 <xref target="RFC9147"/> derives a record sequence-number encryption key
(Section 4.2.3) and separates its schedule with the "dtls13" label
prefix (Section 5.9).  DTLS-OK is N in <xref target="iana-considerations"/>.</t>
          </li>
          <li>
            <t>QUIC <xref target="RFC9001"/> derives its Initial secrets and its "quic key", "quic
iv", "quic hp", and "quic ku" values with HKDF-Expand-Label.</t>
          </li>
          <li>
            <t>Exported Authenticators <xref target="RFC9261"/> derive their own Finished keys
with HKDF-Expand-Label.</t>
          </li>
        </ul>
        <t>An endpoint negotiating a cipher suite of this document MUST NOT
use these mechanisms with that connection unless a specification
defines their derivations for its schedule profile.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to register five code points in the TLS Cipher
Suites registry per the procedures of <xref target="RFC8447"/>.</t>
      <table anchor="iana-suite-table">
        <name>Requested TLS Cipher Suites Registrations</name>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Description</th>
            <th align="left">DTLS-OK</th>
            <th align="left">Recommended</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">TBD</td>
            <td align="left">TLS_AES_128_GCM_TURBOSHAKE256</td>
            <td align="left">N</td>
            <td align="left">N</td>
          </tr>
          <tr>
            <td align="left">TBD</td>
            <td align="left">TLS_AES_256_GCM_TURBOSHAKE256</td>
            <td align="left">N</td>
            <td align="left">N</td>
          </tr>
          <tr>
            <td align="left">TBD</td>
            <td align="left">TLS_CHACHA20_POLY1305_TURBOSHAKE256</td>
            <td align="left">N</td>
            <td align="left">N</td>
          </tr>
          <tr>
            <td align="left">TBD</td>
            <td align="left">TLS_AES_128_GCM_SHAKE256</td>
            <td align="left">N</td>
            <td align="left">N</td>
          </tr>
          <tr>
            <td align="left">TBD</td>
            <td align="left">TLS_AES_256_GCM_SHAKE256</td>
            <td align="left">N</td>
            <td align="left">N</td>
          </tr>
        </tbody>
      </table>
      <t>The reference for each entry is this document.  DTLS-OK is N
(<xref target="companion-mechanisms"/>).  Recommended is N pending working group
consensus.</t>
      <t>The ScheduleProfile column of <xref target="suite-table"/> is explanatory in
this document.  It is not independently negotiated, and no registry
of schedule profiles is created.  Future documents that define new
TLS 1.3 alternative key-schedule profiles are expected to register
new TLS cipher-suite code points whose definitions include the
complete schedule profile.</t>
      <t>OPEN ISSUE:  Because every derived output binds the governing cipher
suite value, no final test vector can exist before code points are
assigned.  Early code point allocation under RFC 7120 should be
considered once the document is adopted.  Until then, the test vectors
of <xref target="test-vectors"/> use declared placeholder values.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section follows RFC 3552.  It states what the schedules
protect, the assumptions they rest on, the properties common to
every schedule profile of this document, and the analysis specific
to each profile.</t>
      <section anchor="profile-separation">
        <name>Schedule-Profile Separation</name>
        <t>Every derivation of both profiles binds the profile_id and, for every
output that leaves the schedule, the governing cipher suite
(<xref target="schedule-profiles"/>).  Labels, output lengths, profile identifiers,
cipher suite values, and context fields are length-framed and bound into
each output.  No output of one profile can then collide with an output
of another, or of any future profile with a distinct profile_id, even
when they share a permutation:  the profile_id separates them at the
input encoding.  Nor can any output be transplanted between cipher
suites, even between two suites of the same profile:  the suite binding
separates them.  Within each profile, distinct derivation paths produce
distinct primitive inputs.  <xref target="domain-separation"/> gives the byte-level
argument for TLS13-TURBOSHAKE256.  The same framing, with this profile's
own profile_id and lengths, gives it for TLS13-SHAKE256.</t>
      </section>
      <section anchor="psk-profile-binding">
        <name>PSK Profile Binding</name>
        <t>A PSK is associated with the schedule profile under which it was
established, and its binder is computed and verified under that
profile and the PSK's recorded cipher suite
(<xref target="governing-profile"/>).  This matters because the binder is
computed before the server selects a cipher suite:  without the
recorded-suite rule, a PSK established under one profile could key
the early stage of another, and the binder would not detect it.
The server-side selection rules ensure that no secret derived from
a PSK ever feeds a schedule other than the one the PSK is bound to.
For 0-RTT the rule is strictest, requiring the selected cipher
suite to equal the PSK's recorded cipher suite:  early-data keys
are derived and used before the server's selection can be
confirmed by the transcript, so suite equality, not the binder,
prevents redirecting early data to a different AEAD or profile.</t>
      </section>
      <section anchor="downgrade-resistance">
        <name>Downgrade Resistance</name>
        <t>The governing cipher suite is bound into every derived output, and the
selected cipher suite appears in the ServerHello and therefore in TH_SH.
In both profiles, intermediate secrets are suite-independent, but no
output leaves the schedule without a suite binding, and the server never
selects a PSK whose recorded suite differs from its selected suite
(<xref target="governing-profile"/>), so no output is keyed under a suite the
transcript does not confirm.  Downgrade among the suites of this
document is prevented by the transcript and the per-output suite
binding, and, for early data, by the suite-equality check.  A client
that requires an alternative schedule profile MUST offer only cipher
suites of this document.</t>
        <t>The two profiles of this document share the same schedule structure and
the same composed security argument (<xref target="cryptographic-analysis"/>),
differing only in the underlying permutation.  Cipher-suite negotiation
integrity guarantees that the selection is authentic.  A deployment that
offers suites of both profiles accepts whichever the peer selects.</t>
      </section>
      <section anchor="psk-entropy">
        <name>PSK Entropy</name>
        <t>As in RFC 8446, binder unforgeability against an attacker who can
guess an external PSK requires the PSK to have adequate entropy,
since such an attacker can recompute the binder offline.  External
PSKs SHOULD have at least 64 octets of entropy.</t>
      </section>
      <section anchor="authentication-is-out-of-scope">
        <name>Authentication Is Out of Scope</name>
        <t>A cipher suite of this document governs only the AEAD and the key
schedule.  A fully SHA-2-free connection also requires SHA-2-free
authentication: certificate-based authentication is negotiated
separately, through the signature_algorithms and
signature_algorithms_cert extensions, and commonly relies on SHA-2.
A deployment that must avoid SHA-2 entirely MUST restrict those
extensions accordingly, or use PSK-only authentication.</t>
      </section>
      <section anchor="retained-rfc-8446-properties">
        <name>Retained RFC 8446 Properties</name>
        <t>0-RTT replay properties and forward secrecy via key erasure (realized by
each profile's destruction rules) are unchanged from RFC 8446.  In both
profiles, hybrid key-exchange components remain separated:  each
component secret is absorbed separately, and secrets are not
concatenated before derivation (<xref target="deck-schedule"/>).</t>
      </section>
      <section anchor="turboshake-sec">
        <name>TLS13-TURBOSHAKE256 Considerations</name>
        <t>The considerations of this subsection apply only to the
TLS13-TURBOSHAKE256 profile.</t>
        <section anchor="cryptographic-analysis">
          <name>Cryptographic Analysis</name>
          <t>The keyed sponge and keyed duplex have concrete security bounds <xref target="FSKS"/>
            <xref target="KEYEDDUPLEX"/>, surveyed in <xref target="DUPLEXSEC"/>; deck-function session modes
are analyzed in <xref target="JAMMIN"/>; and the TLS 1.3 key schedule is proven in a
multi-stage derivation framework <xref target="TLS13KS"/>.  This subsection develops
the security argument for the schedule of this document by composing
those results.</t>
          <section anchor="threat-model-and-goals">
            <name>Threat Model and Goals</name>
            <t>The adversary model and key-schedule goals are those of <xref target="TLS13KS"/>:  an
active network adversary that controls message delivery, may learn
selected stage secrets under compromise predicates, and seeks to
distinguish unseen traffic keys, forge Finished or binder values, break
forward secrecy across ratchet boundaries, or downgrade the negotiated
cipher suite.  Authentication of peer identity remains outside the
cipher suite, as in RFC 8446.  The schedule must provide
indistinguishability of record keys and exporter outputs under the
chosen AEAD, integrity of the handshake transcript through Finished and
binder verification, forward secrecy from handshake compromise to
application traffic once (EC)DHE is used, and the RFC 8446 0-RTT replay
model when early data is accepted.</t>
          </section>
          <section anchor="primitive-assumptions">
            <name>Primitive Assumptions</name>
            <t>The deck function DF is modeled as a sponge over a random permutation
<xref target="FIPS202"/> <xref target="DUPLEXSEC"/>.  TranscriptHash is an unkeyed XOF on inputs
prefixed with "tls13 hash" (<xref target="transcript-hash"/>).  Every keyed
derivation is a single call DF(S, L) where seq(S) is an injectively
framed byte string (<xref target="domain-separation"/>).
<xref target="turboshake-instantiation"/> fixes the XOF, domain-separation parameter,
and output lengths for the cipher suites defined here.  Under injective
framing, distinct derivations map to distinct sponge inputs, and the
keyed-duplex analyses <xref target="FSKS"/> <xref target="KEYEDDUPLEX"/> bound the adversary's
advantage in distinguishing outputs or forging MAC values as a function
of permutation queries and output length.  TurboKMAC256 is introduced
by this document and is not covered by NIST's KMAC security analysis,
which is scoped to the Keccak-f[1600]-based cSHAKE256 of KMAC256.
Its security is treated here as inheriting from the generic
keyed-sponge and keyed-duplex bounds of <xref target="FSKS"/> and <xref target="KEYEDDUPLEX"/>,
which are stated over an idealized permutation of any round count, not
as a NIST-validated instance of KMAC256.</t>
          </section>
          <section anchor="security-strength-and-round-margin">
            <name>Security Strength and Round Margin</name>
            <t>TLS13-TURBOSHAKE256 targets 256-bit security, the level its 512-bit
capacity supports.  Its guarantees at that level all rest on the
12-round Keccak-p[1600,12] permutation of TurboSHAKE256:  collision
resistance of the transcript hash, indistinguishability of the stage and
traffic secrets, and unforgeability of the Finished and binder values.
<xref target="RFC9861"/> claims that permutation's security at 256 bits.</t>
            <t>The reduced round count is the only structural difference from a
full-permutation instantiation.  Capacity, framing, and the derivation
graph match the TLS13-SHAKE256 profile, which reaches the same target
over the full 24-round Keccak-f[1600] permutation.  A deployment that
prefers that larger round margin can negotiate TLS13-SHAKE256, the
conservative choice (<xref target="shake-profile"/>).</t>
          </section>
          <section anchor="derivation-graph">
            <name>Derivation Graph</name>
            <t>Each derived octet string is one leaf of a derivation tree (<xref target="shapes"/>).
Stage trunks E, H, and T absorb the inputs that RFC 8446 mixes through
chained HKDF-Extract and Derive-Secret calls.  Ratchets emit the only
stage-boundary secrets, early_secret and main_secret (<xref target="comparison"/>).
finished_key and binder_key are the schedule's other intermediate
secrets.  Each is a deck expansion of a retained secret (<xref target="expand-op"/>),
a fresh deck rooted at that secret rather than a fork of a live stage
trunk, and each keys exactly one MAC invocation and no other output
(<xref target="finished-and-binder-mac"/>).  Every remaining leaf equals an
expansion, a MAC invocation, or Squeeze(Fork(...)), and each stage
secret equals Ratchet(...), hence one deck-function or MAC invocation
each (<xref target="expand-op"/>, <xref target="mac-op"/>, <xref target="deck-interface"/>).  The comparison of
<xref target="comparison"/> maps every HKDF-Expand-Label site to a unique framed
path, and no RFC 8446 secret is derived without a matching leaf here.
The mapping is one-to-one on derived values with one intentional
divergence:  main_secret binds TH_SH through its trunk where the RFC
8446 extract binds no transcript.  That extra binding front-loads
transcript agreement that RFC 8446 enforces only at Finished.  It
removes no binding RFC 8446 requires, but it makes this tree a strict
superset of the proven RFC 8446 derivation graph rather than an exact
image of it.</t>
            <t>Under the random-permutation model, each leaf is idealized as an
independent random-oracle call on its framed path, the standard
idealization step for keyed-sponge proofs <xref target="FSKS"/>.  It applies at two
levels.  A traffic or master secret is forked from a live stage trunk
whose absorbed secrets have, by fork time, mixed across the full state,
so the full-state keyed-duplex bound of <xref target="KEYEDDUPLEX"/> governs it.  A
retained-secret expansion of <xref target="expand-op"/> is instead a fresh deck
rooted at a single secret absorbed through the rate, an outer-keyed
sponge governed by the keyed-sponge bound of <xref target="FSKS"/>.  Because that
secret is itself an idealized-uniform ratchet or fork output, the two
levels compose by the standard hybrid over the derivation tree.</t>
            <t>This idealization connects the schedule to the multi-stage framework.
<xref target="TLS13KS"/> is defined over discrete extract-and-expand invocations, so
it does not by itself cover a single running sponge state.  The
keyed-sponge idealization, not <xref target="TLS13KS"/> directly, carries this
document's continuous deck into that framework's scope.</t>
          </section>
          <section anchor="multi-stage-security">
            <name>Multi-Stage Security</name>
            <t><xref target="TLS13KS"/> models TLS 1.3 as a multi-stage authenticated key exchange
whose stages align with Early, Handshake, and Application secrets.
Extract transitions pass an intermediate secret into the next stage
while erasing the prior stage's expandable state.  Here, early_secret
and main_secret are explicit ratchet outputs, and the destruction rules
of <xref target="erasure-boundaries"/> enforce the same erasure:  once H absorbs
early_secret, the early stage MUST NOT remain usable, and likewise for
main_secret into T.</t>
            <t>Given (EC)DHE, early_secret and main_secret depend on secrets the
adversary does not know at the ratchet.  The 512-bit capacity withheld
at each squeeze prevents recovering pre-ratchet sponge states from
ratchet outputs alone (<xref target="erasure-boundaries"/>).  This matches the
extract semantics on which <xref target="TLS13KS"/> relies:  stage t+1 keys are
unpredictable from stage t traffic keys even if stage t was compromised
before the ratchet, provided the fresh key-exchange contribution was not
learned.</t>
            <t>Traffic and master secrets within a stage are forks from a common trunk
that already binds TH_SH or TH_SF.  Fork labels, suite bindings, and
transcript absorbs are framed separately (<xref target="domain-separation"/>), so
fork security reduces to the multi-user keyed-duplex bounds of
<xref target="KEYEDDUPLEX"/> on a single stage trunk.  Finished and binder MACs are
MAC invocations (<xref target="finished-and-binder-mac"/>, <xref target="mac-op"/>), a
construction independent of expansion, yielding the same
PRF-on-transcript role as HMAC in the <xref target="TLS13KS"/> analysis.</t>
            <t>Composing the stage arguments in order E, H, T, under the keyed-sponge
idealization above, gives an argument, in the random-permutation model,
for the same class of multi-stage key-schedule goals as <xref target="TLS13KS"/> for
connections that use this schedule in place of HKDF, modulo the
keyed-sponge and keyed-duplex advantage terms of <xref target="FSKS"/> and
<xref target="KEYEDDUPLEX"/>:  record keys, exporter keys, resumption PSKs, and
key-update secrets are argued to inherit the same indistinguishability
and integrity guarantees, conditional on the AEAD and authentication
assumptions of RFC 8446.  This document does not claim a formal
reproduction of the <xref target="TLS13KS"/> theorem, whose statement is proved over
discrete extract-and-expand nodes.</t>
            <t>The subsections below restate protocol-specific assumptions, downgrade
controls, and implementation obligations that the model treats as
explicit rules rather than derived properties.</t>
          </section>
        </section>
        <section anchor="erasure-boundaries">
          <name>Erasure Boundaries and One-Wayness</name>
          <section anchor="the-invertibility-hazard">
            <name>The Invertibility Hazard</name>
            <t>A sponge accumulator is built on a permutation
(<xref target="turboshake-instantiation"/>), and permutations are invertible:  an
accumulator derived from another by absorption alone carries its full
past with it.  Given a state equal to the permutation of a prior state
XORed with a publicly known block (a label, a transcript hash, a stage
marker), anyone holding the later state recovers the earlier one.  This
holds for any sponge-based realization of the deck function, not only
the instantiation of this document.  A design that carried a raw
accumulator across a stage boundary would therefore let a post-handshake
state compromise re-derive handshake traffic secrets.</t>
            <t>One-wayness comes only from truncation at squeeze time:  a squeeze
withholds the capacity, 512 bits in the instantiation of
<xref target="turboshake-instantiation"/>, so no squeezed output, of any length,
permits reconstruction of the state that produced it.  Accordingly, an
explicit ratchet sits at every boundary where TLS requires erasure or
compromise isolation:  the early-to-handshake transition (early_secret),
the handshake-to-application transition (main_secret), and every
key-update generation.</t>
          </section>
          <section anchor="state-handling-rules">
            <name>State-Handling Rules</name>
            <t>An implementation MUST destroy every accumulator of a stage when
the stage's ratchet is crossed, MUST NOT retain a forked
accumulator as a successor across a ratchet, and MUST NOT
serialize, export, or compare accumulators.  Squeezed octet-string
secrets are subject to the same discipline as their RFC 8446
counterparts: an implementation MUST destroy handshake-stage
traffic secrets and record keys when their RFC 8446 analogues would
be destroyed, and MUST destroy each stage secret once the next
stage has absorbed it.</t>
            <t>Every cloned accumulator is a 200-octet copy of secret capacity.  Clones
exist from fork to squeeze.  An implementation SHOULD keep that window
short and MUST zeroize each clone when it is destroyed, exactly as it
zeroizes key material.  Within a stage, retaining accumulators is
equivalent to retaining the stage's secrets:  compromise of a live
accumulator yields that stage's underived leaves, as compromise of a
stage secret does in RFC 8446, and no more.</t>
          </section>
        </section>
        <section anchor="domain-separation">
          <name>Domain Separation</name>
          <t>Every sequence begins with frame(profile_id) for the fixed profile_id
"TLS 1.3 DeckSchedule v1", separating these derivations from any other
use of the instantiation's XOF.  The invariant the analysis relies on is
that distinct derivation paths yield distinct byte strings as
deck-function inputs.  The framing rules give this jointly:  every
absorbed item carries a framed tag, every fork absorbs a framed label
and the governing cipher suite, output length is bound before squeezing,
the ratchet labels are reserved for ratchets, and no label is shared
between MAC-type and expand-type uses.  Absent inputs are distinguished
from empty inputs by the framed tag stream (<xref target="conventions"/>).  Unkeyed
transcript hashing is separated at the byte level:  a TranscriptHash
input begins with the octets of "tls13 hash" (0x74 0x6c ...), whereas
every keyed sequence begins with uint16(len(profile_id)) = 0x00 0x17.
These leading octets cannot coincide.  The MAC (<xref target="mac-op"/>) uses domain
byte 0x04 where a deck derivation uses the instantiation XOF's native
byte, so a MAC output and a deck output over one permutation cannot
coincide, and their input encodings differ.</t>
        </section>
        <section anchor="related-constructions">
          <name>Related Constructions</name>
          <t>Running-state protocol constructions with fork and ratchet operations
have precedent: BLINKER <xref target="BLINKER"/> builds a two-party record protocol
from a single sponge state with domain-separated forks; STROBE
<xref target="STROBE"/> defines KEY, PRF, and RATCHET operations over a duplex, with
RATCHET zeroizing rate bytes against rollback; Cyclist <xref target="XOODYAK"/> makes
the ratchet a first-class call; and Disco <xref target="DISCO"/> composes STROBE with
the Noise handshake, the closest existing analogue of a handshake key
schedule over a forked state.  Disco's formal analysis is thin relative
to the Noise literature.  This document treats it as precedent, not
assurance.</t>
        </section>
      </section>
      <section anchor="shake-sec">
        <name>TLS13-SHAKE256 Considerations</name>
        <t>The TLS13-SHAKE256 profile is structurally identical to the
TLS13-TURBOSHAKE256 profile (<xref target="deck-schedule"/>), so the Cryptographic
Analysis, Erasure Boundaries, and Related Constructions arguments of
<xref target="turboshake-sec"/> apply to it directly, with SHAKE256's
Keccak-f[1600] permutation in place of TurboSHAKE256's
Keccak-p[1600,12] and this profile's own profile_id and lengths in
place of the TLS13-TURBOSHAKE256 profile's (<xref target="shake-instantiation"/>).
It does not use raw keyed SHAKE256 for any keyed operation:  expansion
is a deck-native absorb-then-squeeze session over a framed protocol
identifier (<xref target="expand-op"/>), and MAC is the construction of <xref target="mac-op"/>,
whose key block, function name, and customization string provide the
keyed-mode domain separation that bare SHAKE256 lacks (<xref target="shake-mac"/>).
KMACXOF256 is not used.  Every MAC invocation binds its output length,
so outputs of different lengths are unrelated.</t>
      </section>
      <section anchor="sec-test-vectors">
        <name>Test Vectors</name>
        <t>Each schedule profile requires independent test vectors covering every
derivation it defines.  <xref target="test-vectors"/> provides vectors for both
profiles.  Final vectors for both profiles require assigned code points
(<xref target="iana-considerations"/>).</t>
      </section>
      <section anchor="out-of-scope-1">
        <name>Out of Scope</name>
        <t>QUIC, DTLS 1.3, and Exported Authenticators remain out of scope for
both profiles (<xref target="companion-mechanisms"/>):  an endpoint negotiating a
cipher suite of this document MUST NOT use those mechanisms with
that connection unless a specification defines their derivations
for its schedule profile.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8447" target="https://www.rfc-editor.org/info/rfc8447" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8447.xml">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process.</t>
              <t>This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8447"/>
          <seriesInfo name="DOI" value="10.17487/RFC8447"/>
        </reference>
        <reference anchor="RFC9258" target="https://www.rfc-editor.org/info/rfc9258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9258.xml">
          <front>
            <title>Importing External Pre-Shared Keys (PSKs) for TLS 1.3</title>
            <author fullname="D. Benjamin" initials="D." surname="Benjamin"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes an interface for importing external Pre-Shared Keys (PSKs) into TLS 1.3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9258"/>
          <seriesInfo name="DOI" value="10.17487/RFC9258"/>
        </reference>
        <reference anchor="RFC9849" target="https://www.rfc-editor.org/info/rfc9849" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9849.xml">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="RFC9861" target="https://www.rfc-editor.org/info/rfc9861" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9861.xml">
          <front>
            <title>KangarooTwelve and TurboSHAKE</title>
            <author fullname="B. Viguier" initials="B." surname="Viguier"/>
            <author fullname="D. Wong" initials="D." role="editor" surname="Wong"/>
            <author fullname="G. Van Assche" initials="G." role="editor" surname="Van Assche"/>
            <author fullname="Q. Dang" initials="Q." role="editor" surname="Dang"/>
            <author fullname="J. Daemen" initials="J." role="editor" surname="Daemen"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>This document defines four eXtendable-Output Functions (XOFs), hash functions with output of arbitrary length, named TurboSHAKE128, TurboSHAKE256, KT128, and KT256.</t>
              <t>All four functions provide efficient and secure hashing primitives, and the last two are able to exploit the parallelism of the implementation in a scalable way.</t>
              <t>This document is a product of the Crypto Forum Research Group. It builds up on the definitions of the permutations and of the sponge construction in NIST FIPS 202 and is meant to serve as a stable reference and an implementation guide.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9861"/>
          <seriesInfo name="DOI" value="10.17487/RFC9861"/>
        </reference>
        <reference anchor="FIPS202" target="https://csrc.nist.gov/pubs/fips/202/final">
          <front>
            <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2015" month="August"/>
          </front>
          <seriesInfo name="FIPS" value="202"/>
          <seriesInfo name="DOI" value="10.6028/NIST.FIPS.202"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="SP800-185" target="https://csrc.nist.gov/pubs/sp/800/185/final">
          <front>
            <title>SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2016" month="December"/>
          </front>
          <seriesInfo name="NIST" value="SP 800-185"/>
          <seriesInfo name="DOI" value="10.6028/NIST.SP.800-185"/>
        </reference>
        <reference anchor="RFC9001" target="https://www.rfc-editor.org/info/rfc9001" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9001.xml">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9261" target="https://www.rfc-editor.org/info/rfc9261" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9261.xml">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="SP800-133" target="https://csrc.nist.gov/pubs/sp/800/133/r2/final">
          <front>
            <title>Recommendation for Cryptographic Key Generation</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2020" month="June"/>
          </front>
          <seriesInfo name="NIST" value="SP 800-133r2"/>
          <seriesInfo name="DOI" value="10.6028/NIST.SP.800-133r2"/>
        </reference>
        <reference anchor="SP800-108" target="https://csrc.nist.gov/pubs/sp/800/108/r1/upd1/final">
          <front>
            <title>Recommendation for Key Derivation Using Pseudorandom Functions</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST" value="SP 800-108r1"/>
          <seriesInfo name="DOI" value="10.6028/NIST.SP.800-108r1-upd1"/>
        </reference>
        <reference anchor="SP800-56C" target="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">
          <front>
            <title>Recommendation for Key-Derivation Methods in Key-Establishment Schemes</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2020" month="August"/>
          </front>
          <seriesInfo name="NIST" value="SP 800-56Cr2"/>
          <seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Cr2"/>
        </reference>
        <reference anchor="DUPLEX" target="https://keccak.team/files/SpongeDuplex.pdf">
          <front>
            <title>Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications</title>
            <author initials="G." surname="Bertoni">
              <organization/>
            </author>
            <author initials="J." surname="Daemen">
              <organization/>
            </author>
            <author initials="M." surname="Peeters">
              <organization/>
            </author>
            <author initials="G." surname="Van Assche">
              <organization/>
            </author>
            <date year="2011"/>
          </front>
          <seriesInfo name="Selected Areas in Cryptography" value="SAC 2011"/>
          <seriesInfo name="DOI" value="10.1007/978-3-642-28496-0_19"/>
        </reference>
        <reference anchor="FSKS" target="https://eprint.iacr.org/2015/541">
          <front>
            <title>Security of Full-State Keyed Sponge and Duplex: Applications to Authenticated Encryption</title>
            <author initials="B." surname="Mennink">
              <organization/>
            </author>
            <author initials="R." surname="Reyhanitabar">
              <organization/>
            </author>
            <author initials="D." surname="Vizar">
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="ASIACRYPT" value="2015"/>
        </reference>
        <reference anchor="KEYEDDUPLEX" target="https://eprint.iacr.org/2017/498">
          <front>
            <title>Full-State Keyed Duplex with Built-In Multi-User Support</title>
            <author initials="J." surname="Daemen">
              <organization/>
            </author>
            <author initials="B." surname="Mennink">
              <organization/>
            </author>
            <author initials="G." surname="Van Assche">
              <organization/>
            </author>
            <date year="2017"/>
          </front>
          <seriesInfo name="ASIACRYPT" value="2017"/>
          <seriesInfo name="DOI" value="10.1007/978-3-319-70697-9_21"/>
        </reference>
        <reference anchor="DUPLEXSEC" target="https://eprint.iacr.org/2022/1340">
          <front>
            <title>Understanding the Duplex and Its Security</title>
            <author initials="B." surname="Mennink">
              <organization/>
            </author>
            <date year="2023"/>
          </front>
          <seriesInfo name="IACR Transactions on Symmetric Cryptology" value="2023(2)"/>
          <seriesInfo name="DOI" value="10.46586/tosc.v2023.i2.1-46"/>
        </reference>
        <reference anchor="FARFALLE" target="https://keccak.team/farfalle.html">
          <front>
            <title>Farfalle: Parallel Permutation-Based Cryptography</title>
            <author initials="G." surname="Bertoni">
              <organization/>
            </author>
            <author initials="J." surname="Daemen">
              <organization/>
            </author>
            <author initials="S." surname="Hoffert">
              <organization/>
            </author>
            <author initials="M." surname="Peeters">
              <organization/>
            </author>
            <author initials="G." surname="Van Assche">
              <organization/>
            </author>
            <author initials="R." surname="Van Keer">
              <organization/>
            </author>
            <date year="2017"/>
          </front>
          <seriesInfo name="IACR Transactions on Symmetric Cryptology" value="2017(4)"/>
          <seriesInfo name="DOI" value="10.46586/tosc.v2017.i4.1-38"/>
        </reference>
        <reference anchor="JAMMIN" target="https://eprint.iacr.org/2022/531">
          <front>
            <title>Jammin' on the Deck</title>
            <author initials="N." surname="Bacuieti">
              <organization/>
            </author>
            <author initials="J." surname="Daemen">
              <organization/>
            </author>
            <author initials="S." surname="Hoffert">
              <organization/>
            </author>
            <author initials="G." surname="Van Assche">
              <organization/>
            </author>
            <author initials="R." surname="Van Keer">
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="ASIACRYPT" value="2022"/>
        </reference>
        <reference anchor="XOODYAK" target="https://keccak.team/xoodyak.html">
          <front>
            <title>Xoodyak, a Lightweight Cryptographic Scheme</title>
            <author initials="J." surname="Daemen">
              <organization/>
            </author>
            <author initials="S." surname="Hoffert">
              <organization/>
            </author>
            <author initials="M." surname="Peeters">
              <organization/>
            </author>
            <author initials="G." surname="Van Assche">
              <organization/>
            </author>
            <author initials="R." surname="Van Keer">
              <organization/>
            </author>
            <date year="2020"/>
          </front>
          <seriesInfo name="IACR Transactions on Symmetric Cryptology" value="2020(S1)"/>
          <seriesInfo name="DOI" value="10.46586/tosc.v2020.iS1.60-87"/>
        </reference>
        <reference anchor="BLINKER" target="https://eprint.iacr.org/2013/772">
          <front>
            <title>Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation</title>
            <author initials="M.-J. O." surname="Saarinen">
              <organization/>
            </author>
            <date year="2014"/>
          </front>
          <seriesInfo name="CT-RSA" value="2014"/>
          <seriesInfo name="DOI" value="10.1007/978-3-319-04852-9_14"/>
        </reference>
        <reference anchor="STROBE" target="https://eprint.iacr.org/2017/003">
          <front>
            <title>The STROBE Protocol Framework</title>
            <author initials="M." surname="Hamburg">
              <organization/>
            </author>
            <date year="2017"/>
          </front>
        </reference>
        <reference anchor="DISCO" target="https://eprint.iacr.org/2019/180">
          <front>
            <title>Disco: Modern Session Encryption</title>
            <author initials="D." surname="Wong">
              <organization/>
            </author>
            <date year="2019"/>
          </front>
        </reference>
        <reference anchor="TLS13KS" target="https://eprint.iacr.org/2021/467">
          <front>
            <title>Key-Schedule Security for the TLS 1.3 Standard</title>
            <author initials="C." surname="Brzuska">
              <organization/>
            </author>
            <author initials="A." surname="Delignat-Lavaud">
              <organization/>
            </author>
            <author initials="C." surname="Egger">
              <organization/>
            </author>
            <author initials="C." surname="Fournet">
              <organization/>
            </author>
            <author initials="K." surname="Kohbrok">
              <organization/>
            </author>
            <author initials="M." surname="Kohlweiss">
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="ASIACRYPT" value="2022"/>
        </reference>
      </references>
    </references>
    <?line 1727?>

<section anchor="comparison">
      <name>Comparison with RFC 8446</name>
      <t>This appendix is non-normative.  It compares the RFC 8446 schedule with
the deck schedule of <xref target="deck-schedule"/>.  Both profiles of this document
share this schedule and differ only in the underlying permutation, so
the comparison applies equally to TLS13-TURBOSHAKE256 and
TLS13-SHAKE256.  The figure labels the deck side generically for that
reason.  With finished_key and binder_key as dedicated MAC keys
(<xref target="finished-and-binder-mac"/>), the two schedules are close structurally,
not only in the values they produce:  both carry the same named
intermediates, binder_key and finished_key, into the same MAC step, and
both produce the same six traffic and master secrets from the same three
trunk inputs.  The figure shows the two schedules side by side for a
full handshake, lining up node for node where they agree.  The table
maps each RFC 8446 construction to its replacement.</t>
      <figure anchor="comparison-figure">
        <name>The Two Schedules Side by Side</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="832" width="568" viewBox="0 0 568 832" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,112 L 8,144" fill="none" stroke="black"/>
              <path d="M 8,320 L 8,368" fill="none" stroke="black"/>
              <path d="M 8,528 L 8,560" fill="none" stroke="black"/>
              <path d="M 32,144 L 32,224" fill="none" stroke="black"/>
              <path d="M 32,256 L 32,312" fill="none" stroke="black"/>
              <path d="M 32,368 L 32,432" fill="none" stroke="black"/>
              <path d="M 32,464 L 32,520" fill="none" stroke="black"/>
              <path d="M 32,560 L 32,672" fill="none" stroke="black"/>
              <path d="M 48,80 L 48,104" fill="none" stroke="black"/>
              <path d="M 64,288 L 64,312" fill="none" stroke="black"/>
              <path d="M 64,496 L 64,520" fill="none" stroke="black"/>
              <path d="M 88,144 L 88,208" fill="none" stroke="black"/>
              <path d="M 88,368 L 88,416" fill="none" stroke="black"/>
              <path d="M 128,112 L 128,144" fill="none" stroke="black"/>
              <path d="M 128,320 L 128,368" fill="none" stroke="black"/>
              <path d="M 128,528 L 128,560" fill="none" stroke="black"/>
              <path d="M 264,112 L 264,144" fill="none" stroke="black"/>
              <path d="M 264,240 L 264,272" fill="none" stroke="black"/>
              <path d="M 264,336 L 264,368" fill="none" stroke="black"/>
              <path d="M 264,464 L 264,496" fill="none" stroke="black"/>
              <path d="M 264,560 L 264,592" fill="none" stroke="black"/>
              <path d="M 288,144 L 288,232" fill="none" stroke="black"/>
              <path d="M 288,272 L 288,328" fill="none" stroke="black"/>
              <path d="M 288,368 L 288,456" fill="none" stroke="black"/>
              <path d="M 288,496 L 288,552" fill="none" stroke="black"/>
              <path d="M 288,592 L 288,704" fill="none" stroke="black"/>
              <path d="M 304,80 L 304,104" fill="none" stroke="black"/>
              <path d="M 344,144 L 344,208" fill="none" stroke="black"/>
              <path d="M 344,368 L 344,416" fill="none" stroke="black"/>
              <path d="M 384,112 L 384,144" fill="none" stroke="black"/>
              <path d="M 384,240 L 384,272" fill="none" stroke="black"/>
              <path d="M 384,336 L 384,368" fill="none" stroke="black"/>
              <path d="M 384,464 L 384,496" fill="none" stroke="black"/>
              <path d="M 384,560 L 384,592" fill="none" stroke="black"/>
              <path d="M 8,112 L 128,112" fill="none" stroke="black"/>
              <path d="M 264,112 L 384,112" fill="none" stroke="black"/>
              <path d="M 8,144 L 128,144" fill="none" stroke="black"/>
              <path d="M 264,144 L 384,144" fill="none" stroke="black"/>
              <path d="M 88,176 L 112,176" fill="none" stroke="black"/>
              <path d="M 344,176 L 368,176" fill="none" stroke="black"/>
              <path d="M 88,192 L 112,192" fill="none" stroke="black"/>
              <path d="M 344,192 L 368,192" fill="none" stroke="black"/>
              <path d="M 88,208 L 112,208" fill="none" stroke="black"/>
              <path d="M 344,208 L 368,208" fill="none" stroke="black"/>
              <path d="M 264,240 L 384,240" fill="none" stroke="black"/>
              <path d="M 264,272 L 384,272" fill="none" stroke="black"/>
              <path d="M 8,320 L 128,320" fill="none" stroke="black"/>
              <path d="M 264,336 L 384,336" fill="none" stroke="black"/>
              <path d="M 8,368 L 128,368" fill="none" stroke="black"/>
              <path d="M 264,368 L 384,368" fill="none" stroke="black"/>
              <path d="M 88,400 L 112,400" fill="none" stroke="black"/>
              <path d="M 344,400 L 368,400" fill="none" stroke="black"/>
              <path d="M 88,416 L 112,416" fill="none" stroke="black"/>
              <path d="M 344,416 L 368,416" fill="none" stroke="black"/>
              <path d="M 264,464 L 384,464" fill="none" stroke="black"/>
              <path d="M 264,496 L 384,496" fill="none" stroke="black"/>
              <path d="M 8,528 L 128,528" fill="none" stroke="black"/>
              <path d="M 8,560 L 128,560" fill="none" stroke="black"/>
              <path d="M 264,560 L 384,560" fill="none" stroke="black"/>
              <path d="M 32,592 L 56,592" fill="none" stroke="black"/>
              <path d="M 264,592 L 384,592" fill="none" stroke="black"/>
              <path d="M 32,608 L 56,608" fill="none" stroke="black"/>
              <path d="M 32,624 L 56,624" fill="none" stroke="black"/>
              <path d="M 288,624 L 312,624" fill="none" stroke="black"/>
              <path d="M 32,640 L 56,640" fill="none" stroke="black"/>
              <path d="M 288,640 L 312,640" fill="none" stroke="black"/>
              <path d="M 288,656 L 312,656" fill="none" stroke="black"/>
              <path d="M 288,672 L 312,672" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="376,416 364,410.4 364,421.6" fill="black" transform="rotate(0,368,416)"/>
              <polygon class="arrowhead" points="376,400 364,394.4 364,405.6" fill="black" transform="rotate(0,368,400)"/>
              <polygon class="arrowhead" points="376,208 364,202.4 364,213.6" fill="black" transform="rotate(0,368,208)"/>
              <polygon class="arrowhead" points="376,192 364,186.4 364,197.6" fill="black" transform="rotate(0,368,192)"/>
              <polygon class="arrowhead" points="376,176 364,170.4 364,181.6" fill="black" transform="rotate(0,368,176)"/>
              <polygon class="arrowhead" points="320,672 308,666.4 308,677.6" fill="black" transform="rotate(0,312,672)"/>
              <polygon class="arrowhead" points="320,656 308,650.4 308,661.6" fill="black" transform="rotate(0,312,656)"/>
              <polygon class="arrowhead" points="320,640 308,634.4 308,645.6" fill="black" transform="rotate(0,312,640)"/>
              <polygon class="arrowhead" points="320,624 308,618.4 308,629.6" fill="black" transform="rotate(0,312,624)"/>
              <polygon class="arrowhead" points="312,104 300,98.4 300,109.6" fill="black" transform="rotate(90,304,104)"/>
              <polygon class="arrowhead" points="296,704 284,698.4 284,709.6" fill="black" transform="rotate(90,288,704)"/>
              <polygon class="arrowhead" points="296,552 284,546.4 284,557.6" fill="black" transform="rotate(90,288,552)"/>
              <polygon class="arrowhead" points="296,456 284,450.4 284,461.6" fill="black" transform="rotate(90,288,456)"/>
              <polygon class="arrowhead" points="296,328 284,322.4 284,333.6" fill="black" transform="rotate(90,288,328)"/>
              <polygon class="arrowhead" points="296,232 284,226.4 284,237.6" fill="black" transform="rotate(90,288,232)"/>
              <polygon class="arrowhead" points="120,416 108,410.4 108,421.6" fill="black" transform="rotate(0,112,416)"/>
              <polygon class="arrowhead" points="120,400 108,394.4 108,405.6" fill="black" transform="rotate(0,112,400)"/>
              <polygon class="arrowhead" points="120,208 108,202.4 108,213.6" fill="black" transform="rotate(0,112,208)"/>
              <polygon class="arrowhead" points="120,192 108,186.4 108,197.6" fill="black" transform="rotate(0,112,192)"/>
              <polygon class="arrowhead" points="120,176 108,170.4 108,181.6" fill="black" transform="rotate(0,112,176)"/>
              <polygon class="arrowhead" points="72,520 60,514.4 60,525.6" fill="black" transform="rotate(90,64,520)"/>
              <polygon class="arrowhead" points="72,312 60,306.4 60,317.6" fill="black" transform="rotate(90,64,312)"/>
              <polygon class="arrowhead" points="64,640 52,634.4 52,645.6" fill="black" transform="rotate(0,56,640)"/>
              <polygon class="arrowhead" points="64,624 52,618.4 52,629.6" fill="black" transform="rotate(0,56,624)"/>
              <polygon class="arrowhead" points="64,608 52,602.4 52,613.6" fill="black" transform="rotate(0,56,608)"/>
              <polygon class="arrowhead" points="64,592 52,586.4 52,597.6" fill="black" transform="rotate(0,56,592)"/>
              <polygon class="arrowhead" points="56,104 44,98.4 44,109.6" fill="black" transform="rotate(90,48,104)"/>
              <polygon class="arrowhead" points="40,672 28,666.4 28,677.6" fill="black" transform="rotate(90,32,672)"/>
              <polygon class="arrowhead" points="40,520 28,514.4 28,525.6" fill="black" transform="rotate(90,32,520)"/>
              <polygon class="arrowhead" points="40,432 28,426.4 28,437.6" fill="black" transform="rotate(90,32,432)"/>
              <polygon class="arrowhead" points="40,312 28,306.4 28,317.6" fill="black" transform="rotate(90,32,312)"/>
              <polygon class="arrowhead" points="40,224 28,218.4 28,229.6" fill="black" transform="rotate(90,32,224)"/>
              <g class="text">
                <text x="16" y="36">RFC</text>
                <text x="52" y="36">8446</text>
                <text x="100" y="36">(HKDF)</text>
                <text x="284" y="36">Deck</text>
                <text x="340" y="36">schedule</text>
                <text x="400" y="36">(this</text>
                <text x="464" y="36">document)</text>
                <text x="28" y="68">0,</text>
                <text x="56" y="68">PSK</text>
                <text x="304" y="68">PSK</text>
                <text x="40" y="132">Early</text>
                <text x="92" y="132">Secret</text>
                <text x="280" y="132">E</text>
                <text x="312" y="132">stage</text>
                <text x="164" y="180">binder_key</text>
                <text x="420" y="180">binder_key</text>
                <text x="128" y="196">c</text>
                <text x="144" y="196">e</text>
                <text x="184" y="196">traffic</text>
                <text x="384" y="196">c</text>
                <text x="400" y="196">e</text>
                <text x="440" y="196">traffic</text>
                <text x="128" y="212">e</text>
                <text x="152" y="212">exp</text>
                <text x="196" y="212">master</text>
                <text x="384" y="212">e</text>
                <text x="408" y="212">exp</text>
                <text x="452" y="212">master</text>
                <text x="328" y="228">ratchet</text>
                <text x="388" y="228">"early</text>
                <text x="448" y="228">secret"</text>
                <text x="56" y="244">Derive-Secret</text>
                <text x="152" y="244">"derived"</text>
                <text x="324" y="260">early_secret</text>
                <text x="432" y="260">RATCHET</text>
                <text x="472" y="260">1</text>
                <text x="64" y="276">DHE</text>
                <text x="332" y="292">re-init;</text>
                <text x="396" y="292">absorb</text>
                <text x="480" y="292">early_secret,</text>
                <text x="316" y="308">DHE,</text>
                <text x="360" y="308">TH_SH</text>
                <text x="404" y="308">once</text>
                <text x="56" y="340">Handshake</text>
                <text x="44" y="356">Secret</text>
                <text x="280" y="356">H</text>
                <text x="312" y="356">stage</text>
                <text x="128" y="404">c</text>
                <text x="148" y="404">hs</text>
                <text x="192" y="404">traffic</text>
                <text x="384" y="404">c</text>
                <text x="404" y="404">hs</text>
                <text x="448" y="404">traffic</text>
                <text x="128" y="420">s</text>
                <text x="148" y="420">hs</text>
                <text x="192" y="420">traffic</text>
                <text x="384" y="420">s</text>
                <text x="404" y="420">hs</text>
                <text x="448" y="420">traffic</text>
                <text x="56" y="452">Derive-Secret</text>
                <text x="152" y="452">"derived"</text>
                <text x="328" y="452">ratchet</text>
                <text x="384" y="452">"main</text>
                <text x="440" y="452">secret"</text>
                <text x="64" y="484">0</text>
                <text x="320" y="484">main_secret</text>
                <text x="432" y="484">RATCHET</text>
                <text x="472" y="484">2</text>
                <text x="332" y="516">re-init;</text>
                <text x="396" y="516">absorb</text>
                <text x="476" y="516">main_secret,</text>
                <text x="320" y="532">TH_SF</text>
                <text x="364" y="532">once</text>
                <text x="36" y="548">Main</text>
                <text x="84" y="548">Secret</text>
                <text x="280" y="580">T</text>
                <text x="312" y="580">stage</text>
                <text x="72" y="596">c</text>
                <text x="92" y="596">ap</text>
                <text x="136" y="596">traffic</text>
                <text x="72" y="612">s</text>
                <text x="92" y="612">ap</text>
                <text x="136" y="612">traffic</text>
                <text x="80" y="628">exp</text>
                <text x="124" y="628">master</text>
                <text x="328" y="628">c</text>
                <text x="348" y="628">ap</text>
                <text x="392" y="628">traffic</text>
                <text x="80" y="644">res</text>
                <text x="124" y="644">master</text>
                <text x="184" y="644">(TH_CF)</text>
                <text x="328" y="644">s</text>
                <text x="348" y="644">ap</text>
                <text x="392" y="644">traffic</text>
                <text x="336" y="660">exp</text>
                <text x="380" y="660">master</text>
                <text x="336" y="676">res</text>
                <text x="380" y="676">master</text>
                <text x="440" y="676">(TH_CF)</text>
                <text x="16" y="692">per</text>
                <text x="64" y="692">traffic</text>
                <text x="128" y="692">secret:</text>
                <text x="40" y="708">"key"</text>
                <text x="72" y="708">+</text>
                <text x="100" y="708">"iv"</text>
                <text x="72" y="724">Expand-Labels</text>
                <text x="272" y="724">per</text>
                <text x="320" y="724">traffic</text>
                <text x="384" y="724">secret:</text>
                <text x="432" y="724">one</text>
                <text x="472" y="724">call,</text>
                <text x="520" y="724">split</text>
                <text x="16" y="756">per</text>
                <text x="68" y="756">base_key</text>
                <text x="116" y="756">or</text>
                <text x="272" y="756">per</text>
                <text x="324" y="756">base_key</text>
                <text x="372" y="756">or</text>
                <text x="48" y="772">binder_key:</text>
                <text x="312" y="772">binder_key:</text>
                <text x="68" y="788">finished_key</text>
                <text x="128" y="788">=</text>
                <text x="324" y="788">finished_key</text>
                <text x="384" y="788">=</text>
                <text x="68" y="804">Expand-Label</text>
                <text x="164" y="804">"finished"</text>
                <text x="420" y="804">expand(...,"finished",...,SecretLen)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
 RFC 8446 (HKDF)                  Deck schedule (this document)

   0, PSK                            PSK
      |                               |
      v                               v
 +--------------+                +--------------+
 | Early Secret |                | E stage      |
 +--+------+----+                +--+------+----+
    |      |                        |      |
    |      +--> binder_key          |      +--> binder_key
    |      +--> c e traffic         |      +--> c e traffic
    |      +--> e exp master        |      +--> e exp master
    v                               v ratchet "early secret"
 Derive-Secret "derived"         +--------------+
    |                            | early_secret |  RATCHET 1
    |  DHE                       +--+-----------+
    |   |                           | re-init; absorb early_secret,
    v   v                           | DHE, TH_SH once
 +--------------+                   v
 | Handshake    |                +--------------+
 | Secret       |                | H stage      |
 +--+------+----+                +--+------+----+
    |      |                        |      |
    |      +--> c hs traffic        |      +--> c hs traffic
    |      +--> s hs traffic        |      +--> s hs traffic
    v                               |
 Derive-Secret "derived"            v ratchet "main secret"
    |                            +--------------+
    |   0                        | main_secret  |  RATCHET 2
    |   |                        +--+-----------+
    v   v                           | re-init; absorb main_secret,
 +--------------+                   | TH_SF once
 | Main Secret  |                   v
 +--+-----------+                +--------------+
    |                            | T stage      |
    +--> c ap traffic            +--+-----------+
    +--> s ap traffic               |
    +--> exp master                 +--> c ap traffic
    +--> res master (TH_CF)         +--> s ap traffic
    |                               +--> exp master
    v                               +--> res master (TH_CF)
 per traffic secret:                |
   "key" + "iv"                     v
   Expand-Labels                 per traffic secret: one call, split

 per base_key or                 per base_key or
 binder_key:                      binder_key:
   finished_key =                  finished_key =
   Expand-Label "finished"         expand(...,"finished",...,SecretLen)
]]></artwork>
        </artset>
      </figure>
      <t>expand(...) in the figure denotes a deck expansion (<xref target="expand-op"/>).  It
is figure-only shorthand and is not a function name this document
defines.</t>
      <t>Both schedules fork binder_key from the same Early Secret analogue, and
both derive finished_key from binder_key or from a traffic secret by the
same "finished" label, feeding the same MAC step (HMAC on the left, MAC
on the right, <xref target="finished-and-binder-mac"/>).  The schedules diverge in
topology, not in which named secrets exist: RFC 8446 threads every stage
transition through a discrete HKDF-Extract, salted by a
Derive-Secret("derived") call, where the deck schedule absorbs each
stage's inputs into one running state and crosses the boundary with a
single ratchet.  The Finished and binder MACs, record keys, exporters,
resumption PSK, key updates, and PSK import each replace their RFC 8446
counterparts one for one, and <xref target="shapes"/> gives the per-shape rules.</t>
      <section anchor="invocation-count">
        <name>Invocation Count</name>
        <t>The figure of <xref target="comparison-figure"/> shows structural closeness.  This
table quantifies it.  Both profiles of this document share the deck
schedule and therefore the same invocation count, differing only in the
underlying permutation, so the count is given once for both.  The
handshake counted is one full 1-RTT handshake that offers and selects a
PSK, uses (EC)DHE, accepts 0-RTT early data, issues one
NewSessionTicket, and performs one KeyUpdate in each direction, the
maximal common case both RFC 8446, Section 7.1 and <xref target="key-schedule"/>
cover completely.  A deck invocation is one expand, MAC, or Ratchet
call, matching the One-Shot Equivalence of <xref target="deck-interface"/>.  An RFC
8446 invocation is one HKDF-Extract, HKDF-Expand-Label, or HMAC call.
Fork and Absorb build an input sequence rather than invoking the
primitive and are not separately counted, matching how <xref target="shapes"/>
already accounts for deck operations.</t>
        <table anchor="invocation-count-table">
          <name>Invocation Count for One Full Handshake</name>
          <thead>
            <tr>
              <th align="left">Derived value</th>
              <th align="left">Deck (this document)</th>
              <th align="left">RFC 8446</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Early Secret / early_secret</td>
              <td align="left">1 (Ratchet)</td>
              <td align="left">1 (HKDF-Extract)</td>
            </tr>
            <tr>
              <td align="left">binder_key</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">finished_key (binder)</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">PSK binder verify_data</td>
              <td align="left">1 (MAC)</td>
              <td align="left">1 (HMAC)</td>
            </tr>
            <tr>
              <td align="left">client_early_traffic_secret</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">early_exporter_master_secret</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">early traffic key + iv</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">"derived" salt (to Handshake Secret)</td>
              <td align="left">0</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">Handshake Secret / main_secret</td>
              <td align="left">1 (Ratchet)</td>
              <td align="left">1 (HKDF-Extract)</td>
            </tr>
            <tr>
              <td align="left">client_handshake_traffic_secret</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">server_handshake_traffic_secret</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">client hs traffic key + iv</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">server hs traffic key + iv</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">finished_key (server Finished)</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">server Finished verify_data</td>
              <td align="left">1 (MAC)</td>
              <td align="left">1 (HMAC)</td>
            </tr>
            <tr>
              <td align="left">finished_key (client Finished)</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">client Finished verify_data</td>
              <td align="left">1 (MAC)</td>
              <td align="left">1 (HMAC)</td>
            </tr>
            <tr>
              <td align="left">"derived" salt (to Master Secret)</td>
              <td align="left">0</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">Master Secret (2nd ratchet)</td>
              <td align="left">1 (Ratchet)</td>
              <td align="left">1 (HKDF-Extract)</td>
            </tr>
            <tr>
              <td align="left">client_application_traffic_secret_0</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">server_application_traffic_secret_0</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">exporter_master_secret</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">resumption_master_secret</td>
              <td align="left">1 (Fork+Squeeze)</td>
              <td align="left">1 (Derive-Secret)</td>
            </tr>
            <tr>
              <td align="left">client ap traffic key + iv (gen 0)</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">server ap traffic key + iv (gen 0)</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">client_application_traffic_secret_1</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">client ap traffic key + iv (gen 1)</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">server_application_traffic_secret_1</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">server ap traffic key + iv (gen 1)</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">resumption PSK (NewSessionTicket)</td>
              <td align="left">1 (expand)</td>
              <td align="left">1 (Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">TLS-Exporter output (one request)</td>
              <td align="left">1 (expand)</td>
              <td align="left">2 (Derive-Secret + Expand-Label)</td>
            </tr>
            <tr>
              <td align="left">Total</td>
              <td align="left">29</td>
              <td align="left">39</td>
            </tr>
          </tbody>
        </table>
        <t>Of the deck total, 3 invocations are MAC (the PSK binder and both
Finished values) and 26 are expand, Ratchet, or Fork+Squeeze.  Of the
RFC 8446 total, 3 invocations are HMAC and 36 are HKDF-Extract or
HKDF-Expand-Label.  This operation count understates the difference,
because it counts operations rather than the permutation calls that are
the cost unit the two schedules share.  Each HKDF or HMAC operation is
two nested hash calls, so over the same 24-round Keccak-f[1600]
permutation a hash-only HKDF-SHA3-256 instantiation of the RFC 8446
schedule costs 156 permutation calls for this handshake against the
deck's 52, a factor of three.  HMAC's nested hashing is the overhead a
keyed sponge does not carry.  The deck is lower at the operation level
too, in every row where RFC 8446 needs two Expand-Label calls, one for
"key" and one for "iv", against this document's single expansion that
outputs Nk + Nn octets and splits the result (<xref target="record-keys-generic"/>),
and in the two rows where RFC 8446's chained-extract structure needs an
explicit Derive-Secret("derived") call to salt the next HKDF-Extract,
which this document's ratchet does not need.  The composed security
argument of <xref target="cryptographic-analysis"/> does not rest on either count.</t>
      </section>
    </section>
    <section anchor="implementation-considerations">
      <name>Implementation Considerations</name>
      <t>This appendix is non-normative.</t>
      <t>The profile of <xref target="turboshake-instantiation"/> requires incremental XOF
absorption, cloning of an unfinalized state, and one-shot squeeze.
Output lengths are always known up front.  See
<xref target="turboshake-instantiation"/> for the concrete API surface and
permutation parameters of that profile.  <xref target="shake-instantiation"/> gives
the analogous parameters for the TLS13-SHAKE256 profile.</t>
      <t>Stage trunks and stage secrets bind no cipher suite value, so a client
offering several cipher suites of this document maintains one schedule
regardless of how many suites it offers.  Only leaf derivations differ,
and only in their framed suffix.</t>
      <t>An implementation choosing the one-shot recomputation strategy for
leaves retains raw key-exchange inputs longer than the stateful
strategy.  The stateful strategy is the appropriate choice wherever the
erasure semantics of <xref target="erasure-boundaries"/> matter.  Accumulator clones
follow the lifetime and zeroization rules of <xref target="erasure-boundaries"/>.</t>
      <t>Both ratchets consume a transcript checkpoint that the corresponding RFC
8446 extracts do not:  the handshake stage absorbs TH_SH and the
application stage absorbs TH_SF at initialization.  A stack that mirrors
RFC 8446's derivation order and computes its master secret before the
server Finished exists must defer the second ratchet until that
checkpoint is available.  In the one stack ported so far this was code
motion within existing functions, with no change to message flow.</t>
      <t>The destruction rules of <xref target="erasure-boundaries"/> bound what an
implementation deliberately retains.  In garbage-collected runtimes,
zeroization is inherently best effort:  the runtime may have copied or
moved key material, and erasing every copy is not achievable from the
language.  Such implementations satisfy the destruction rules by ceasing
use, dropping references, and zeroizing the buffers they control, as
they already do for RFC 8446 key material.</t>
      <t>A cipher suite is a single negotiated value that determines both the
AEAD algorithm and the schedule profile.  There is no mechanism for
combining them independently (<xref target="cipher-suites"/>).  PSKs and session
tickets carry their originating cipher suite, and therefore their
schedule profile, with them (<xref target="governing-profile"/>).  A client that
offers PSKs associated with different schedule profiles computes each
binder under its own PSK's profile, which requires maintaining
transcript-hash state per governing profile for the partial ClientHello
transcript.</t>
    </section>
    <section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix is non-normative.</t>
      <t>Complete machine-readable test vectors for both profiles are published
as artifacts in this document's repository, alongside the reference
implementation that generated them and the independent implementations
that reproduced them.  Every derived output binds the governing cipher
suite, so no final vector can exist before code points are assigned
(<xref target="iana-considerations"/>):  the sets use declared private-use
placeholder values (0xFF01 to 0xFF03 for the TLS13-TURBOSHAKE256 suites,
0xFF04 and 0xFF05 for the TLS13-SHAKE256 suites).  The vectors track
this document's expansion and MAC operations (<xref target="expand-op"/>,
<xref target="mac-op"/>) and are regenerated whenever that encoding or the code
points change.  Each set is generated by one implementation and
reproduced by an independent implementation constructed from this
document alone.</t>
      <section anchor="turboshake-vectors">
        <name>TLS13-TURBOSHAKE256 Vectors</name>
        <t>The published set contains 44 vectors:  transcript-hash pins, the no-PSK
early_secret, a full schedule trace with a PSK and a key-exchange secret
(resumption and external binders, early leaves, both stage secrets, and
all six traffic and master secrets), record key blocks for both key
lengths under all three suites, the Finished MAC, two key-update
generations, resumption PSKs with present and empty nonces, exporters
including the early exporter, both ECH confirmations, a PSK-only trace
pinning the omitted "dh" absorb, suite-binding cross-checks, the
HelloRetryRequest synthetic transcript, and the PSK-importer ipsk in
three variants, including an epsk at the 0xFFFE frame limit.</t>
      </section>
      <section anchor="shake-vectors">
        <name>TLS13-SHAKE256 Vectors</name>
        <t>This profile's vector set tracks the deck schedule of <xref target="deck-schedule"/>
instantiated with SHAKE256 (<xref target="shake-instantiation"/>), mirroring the
coverage of <xref target="turboshake-vectors"/>:  transcript-hash pins, the no-PSK
early_secret, a full schedule trace with a PSK and a key-exchange
secret, record key blocks for both key lengths, two key-update
generations, resumption PSKs, exporters, both ECH confirmations,
suite-binding cross-checks, the HelloRetryRequest synthetic transcript,
and the PSK-importer ipsk.  The published set contains 40 vectors,
generated from this profile and reproduced by an independent
implementation built from this document alone.  Within this profile's
two suites and single PSK-importer ipsk, it omits the third-suite
cross-checks and the extra import variants of <xref target="turboshake-vectors"/>.  A
message-level full-handshake trace in the style of RFC 8448 has not yet
been extracted, though a reference implementation now wires this profile
into a TLS stack.</t>
      </section>
    </section>
    <section anchor="fips-schedule">
      <name>A Fully FIPS-Component Key Schedule (Informative)</name>
      <t>This appendix is non-normative.  It records an extract-and-expand
schedule assembled entirely from FIPS-approved components, for deployers
and future work that need that property before or instead of the deck
schedule of <xref target="deck-schedule"/>.  This document does not define this
schedule as a profile:  it has no code point, no cipher suite, and no
IANA registration, and <xref target="cipher-suites"/> and <xref target="iana-considerations"/> are
unaffected by it.</t>
      <t>The TLS13-SHAKE256 profile's deck schedule of <xref target="deck-schedule"/> is built
from FIPS 202 and SP 800-185 functions used in isolation, SHAKE256
<xref target="FIPS202"/> for the deck and KMAC256 <xref target="SP800-185"/> for the MAC, but as a
keyed-duplex key-derivation function the deck is not itself an approved
key-derivation function under any current NIST Special Publication, and
no CAVP or CMVP testing covers it.  A deployment that requires
FIPS-approved primitives throughout therefore cannot use the deck.  This
appendix records an approved-component alternative for it, subject to
the validation caveats below.  TLS13-TURBOSHAKE256, whose TurboSHAKE256
and TurboKMAC256 are not approved functions, is not available to such a
deployment either.</t>
      <t>The schedule is the RFC 8446, Section 7.1 extract-and-expand structure
with its PRF replaced by KMAC256 <xref target="SP800-185"/> throughout, and its
Extract step drawn from NIST SP 800-56C <xref target="SP800-56C"/> rather than from
HKDF-Extract.</t>
      <dl>
        <dt>Extract:</dt>
        <dd>
          <t>An SP 800-56C two-step randomness-extraction step,
PRK = KMAC256(K = salt, X = IKM, L = 512, S = ""), applied at
each of the three stage transitions of RFC 8446, Section 7.1:
Early = Extract(0, PSK), Handshake = Extract(derived, (EC)DHE),
and Master = Extract(derived, 0), where derived is the RFC 8446
Derive-Secret("", "derived", "") intermediate at each transition
and 0 denotes an all-zero string of the same length as the
adjacent secret.</t>
        </dd>
        <dt>Expand:</dt>
        <dd>
          <t>An SP 800-108 KBKDF counter-mode expansion with KMAC256 as the
PRF, used for every Derive-Secret and HKDF-Expand-Label site of
RFC 8446, Section 7.1: record keys, traffic secrets, exporter and
resumption secrets, and the Finished and PSK binder keys.</t>
        </dd>
        <dt>TranscriptHash:</dt>
        <dd>
          <t>An approved SHA-3-family function: SHA3-256, SHA3-384, or, for a
variable-length instantiation with an explicit output length,
SHAKE256 or cSHAKE256 <xref target="FIPS202"/> <xref target="SP800-185"/>.</t>
        </dd>
      </dl>
      <t>This schedule is structurally RFC 8446, Section 7.1 with its PRF
replaced by another approved PRF.  Most of the CMVP approved-CVL
decomposition of the TLS 1.3 KDF therefore transfers directly:
<xref target="SP800-133"/> for the initial all-zero input and <xref target="SP800-108"/> for
Expand, for which SP 800-108 recognizes KMAC as a PRF.  The RFC 8446
key-schedule security analysis is likewise modular over the underlying
PRF and re-instantiates with KMAC256.  The one component that does not
transfer for free is the <xref target="SP800-56C"/> Extract step:  SP 800-56C's
approved randomness-extraction functions are HMAC- and AES-CMAC-based,
so whether KMAC256 is approved there, rather than HMAC, is a point a
validation would have to establish, and this document does not assert
it.</t>
      <t>This document does not claim that a schedule built this way is fully
FIPS-validated or fully FIPS-validatable today.  It is assembled
entirely from FIPS-approved components, and whether a CMVP validation of
the composite reuses existing CAVP test vectors for SP 800-56C and SP
800-108 or requires its own named CVL entry is a determination for a
validation laboratory and CMVP, not one this document makes.  This
appendix records the approvable variant for deployers and future work.
It is not a profile this document defines.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIANovTGoAA829+3rbyJUv+n89BY78h6VpUpbka8uT2UeWpVjj6zbVSWdP
5uiDSEhCRAIMAEpmbM+znGc5T7bXtWoVAFJyJ5l9+ku6KRKXuqxa9/Vbw+HQ
NXkzzfaT03ejZHf7cXKYz6+yKhkt8iark9u8uUoOpk1WFWmT32TJ22w5HI2v
sslimiWfqvIin2a1S8/Pq+wmPKR7xaQcF+kM3jOp0otmWC+m0/wmLYbNtB5+
KS+GY3ptPdzZceO0yS7Larmf1M3E5fNqP2mqRd3s7ez8vLPn0ipL95NRNl5U
ebN0t2V1fVmVizm93V1nS/hmsu+SZKjDoc/wQ1LLsOgL/SOZ8xjpy18/HtN/
J9n4OrlYFOMmLwv+ZjGfZl/4znlZXPL149Gbg7dH9PHt+4ND/o5XsKYVdC5d
NFdlxQO6gGnzMnzI4QUjWQX4LUnK6jIt8r+l+Mb95LBazpvyskrnV8vksCxg
wZq8uEzevTukq7NZmk/3kyIfX5XTtN7WBf0pz5qL//sSf90elzPnirKa0dbh
CD4fH+7t7v4sH1/sPn+iH588eRY+PpePP+89faEfXzz52X98tosfj08+jfZ2
9vZpPE1aXWbNfnLVNPN6/9GjcV2Nt4u8brYvy5tH88V5/egin9eP4Ab4UKRT
votpbwNWcQhU06TFJIXNSz5l1WzR0FIMX6V1NknepPVVAj//me5Lkj8nR1+a
DC4/n2bDj4tmvmiSY9mveoMuCguP/wxxgWHd6aHpNDkpanj7osmS8sK/ucZX
JKfZ+Koop+Xlku6dAD3uJ3s7u0+HOy/omzqr8qzOi4tSn45rAfOA2W3IN68/
nuwnuzvbz3b2Xjz6cDI63cZrtuEK5/BOsyujTy92doa7L57eeynr+SO45RHc
snIxX8MYb2Dh/KLsC7EOiFIHySkSNC7rIF7XT2mVTqfZFH/6Jy3ks+Hu3oqF
xJXCOXxKZE1Wr+fo07ZcI3S5s7OrJLpraJipVRb58eMfXuTHjx9VfUT7OYMD
NkMaxJVIYEvtqc3HyCuT32dFVtEF/5y13NsZ7jy731o+flytoU5dTbwqLNfO
ix9erp0Xj6rdR4v5ZPd+a4arRMTKX/1SI5v7VGeLSVnBxMtZIM1/8gHfe7L6
gLfWcudFtXv3WuJVQ1wJv6BPnx3+6II+ffZofG8CRPFsFvN9BisEk86LsIh4
yVHdAOPM6yu4uyFpPcv+WYu6c99FhbW5B4HSVXDR618+vTv6tX8xr7PxOL3e
brJ09ojUj0cjEtmvSYZvzycX0Try10h2zVWW8KWgYcAXIFs+pXWdHMCiwErl
qJpMkqNijOecNQNaM5j+xwaF/sF8PsWrVhNpjpz499vJq6xqyiKPv//37eR1
CntRxF+/3waJmIESVnce84e0SA5q1GViFru7Ysk3Rtk0G+MsDkCPQsqIVI0N
3I6DQ3pCeyt2d3aeP/r5+Yvh4+GzJ3vDPdAIng13znZ/Rl1g9HbUvxfZvMqL
ZjtPx9U20NIjlKOPnj7ZjUWWaHNIVcegyQyBtBpSNmGgvCG0yLxTOhe72ElT
rtylNRvxahvOSFHkxXX8/eft5HO2vAKFDA5KWsU/voZlB0WtamkHq1b8YHRy
cPj5T59ON0hD2CWR9vboT0ev19Fwz7o9f/Tk5xfRunXWiheI1fZXi3zaDE+A
C6DuOPylJrV+Pi+rZs2KrCDBVQu1hgSf33dBnq+htMe7Pw+f7zz7+fnw57O9
XX/uR0cr+Gh32fb2QIQ/2YnW7ZdiAocJ2Zeeelk4JLKTpvbmxf1Jx/O7x6um
jZNOTkGm1SlLsQQ49GgJHLypQFvgY4j8k5dl7/Hm3lZ7ZZ48e/ri2aOmrMfb
N3jJdr63vTt8ghrA8cHn44N3747uwRLT6gJVvO2rZhZLlGP5Zd9rgT2qeMQv
/mE8brSdvCkvLuCO38r77OHFn95mWXVPivzBrdl9vvnkjq3Zfb6dP4GteYwH
9t8P3r8/+fADBPv0ccwf/z2dzfLiIY6KiBWs0zUr/wFWPh0vwBL8+5b+Nyzx
3iq9vn3o90jS//rx4+s/Hby9m2S/lOVkCX90KPZX/gFsmORdfnnV3Gb475Yi
zgrOjzO9/waa3Nv5R7GLnc3R7l38Ymc7H+2CTjV8gUfh1buTD2+PPt9b/jx+
9Pz5XrT6r7JlCRzzfTnJkCOCwCGGmjL/zBLUUKsJeoGaclxOk4uqnCWpjLG1
RyzlDbtZs1/vh7BjH7eTUZrCKGXb/DF/smpJD0+Hn0cHcoaf3CF1dp68eLoH
UoceNzr9/PHVCtbaK6l3dh5HK3WKmiU9JKzGcZXOMvRfrZspkGA6O19Ul11W
9vpkdPjx3mP6+dHui1gKvs7rcblPu1cBaWV1jTbDvfQmUIH+CPsVjwkVwdN3
o93H99cF93YfPXn2PBpV5GH0iiEaN8j6vIdRbI81YzwENlj9bVFfp/H3B3DY
s2l+WaTN8F16ky4mnfuOLi+zqvPtcbmoiqzFC95uJ2/Lq/OqvO5sHHw/BX5U
17+dRQ6HQ4f/StLzuqmAETinK3COpw0UeNBWrG8TucSbt6+Pk/Im4yWz/siH
dXKV1lfb7vQqr5NJOV6QBTjJwLrMar+6kQsTHpI2/Dp4Gz4/Jf+oU/8ovypN
arKYknk4wrgUwL8nAxpIWWR063xaLum16RRskMnSjdMKFyO5BfUdX7Go4Q9y
Yw2S9++Gb4/eD8AOxY+vR7B7yccifguq/a5aoBUAr7m9KmEUuh7k3YLXousV
5l5M6qv0OgPSvIZ3pOflAoYBt+XApsD4gPudffIYlCA0b3lJwxrz2sKy2Itv
y8V0AsMbLcZXwOXsIibo9aUHHRwdvIaJX5ZA1lczMFvghOBlpLKnXa80vUX3
J4P3LnG7h/46vwm01WVRZPwnriGM5RQnxI+CMzSdlrc1c2G8vMguyyYnayka
bDqFrRokdZkU8L/s1mXoayXugFRDg5nQutojWZMdMkvHV3nB5tptXuFb0dWZ
pFXmYKiwA5cZLtLpbalzrPFHfeyAyETmU8spZ2IIDnl8uFwGO5sCjVVJBesx
zibDqlzArzcgGFIgMdjTvNnmMzTLJxNYUfcgOSmaqoTL6WHuiFZVp/H1q/jD
v3+PV+WOA+fWHjjcib4T1z1prnvSwib78wTUXqjtEhM83gZrY8l4/fFL1hw/
13f80AkEawuEgyOgkyHUy9uEE+bDAJsyg2Vx+P0eXYTnjYgAb70qb3mbdego
DOvOWjHR1C66FLYhm14MgEIbegaztRZfI7qdMFtIL/MpShLdZ5093DhAN8gt
aCFXCYWS6oGDScPXNUkJ1GRq9pENkk+jtzXzlPgkMxEDuzCnauCakt4d0QuP
HGZ50MtvE4rYTKfLJJ+gN+MixwBbh3Ho6aPFXqBdRnuAu8HHvhWH0lMLX2VK
RvqGZQ9jYq45LmdgFzdh3ZWZ7Dv3X/BPzOR+137ITz4SKIFAvskddPhcsvn1
q343VL7w/fvWGtbncHBGBLS5335C3zaoQo+rfN7QWvFZqLNxlTU4SYwYwkvU
ZVrz78d5kddXwuRgy5PzHF0GyfuDQ9l9vEpUpWziDqc50tubDDhsko7H2RxO
yDhLzBDrnm2BcaA3rma5IytxvvTE3VwBOV5e8fGtQLdOYQ34AWfCMnAs9hsH
9AJsasDkAPy7zuZgyzcZEJTh956jw5l5VcKVnhdnX+YVqILxwUxrYh8xM/r6
VX0O378PPIGVOG9U187xsTlehrf5bYNradA89WSSo4EFi2cZVk0PyEF1ZIVy
ePrL51cfKXy19/QZ0gocyvOSRLlSCxILbjuxid09kQOneJ2/kXg7xi91EPx0
/d0hEfY9kxZj74k80zxOYqDfv8PmKs0MXCAYfounk2QVndyk0wVuJrAPeB+t
NYaTYTwgT4flHAYCG/XgAWiuyJOS35fptO49R7AwkR4USBtIrrpIx+S6T81h
caCTl/RKVFJQV8soPAAXnv8FLoGpsYSkQSJJZ6JDlLEe5i7SWT5dDuSslhyV
xYXgAekQmes0S3+OLlF0kjhjSnZEybx2/CwzCzjEMPzzZZMNsy+gEdNwkxsY
aFnhguGfQ/4TGQiM/kOWk4ql7/fybW+QvKFYKBAbiTGg1rRYuqpUvZHZSgUH
AsxTGDasHp0rIKMEdQSQnUVyDudjMclxf4F65nSC6YPQ0zyTgRxY6UuKXVsE
p8lb8nrEywrDW6UNg4Sl6YDYVhMJF7cKZ5eEIkqmkMSRk7v8OsvmfiKgp8Qq
Ls7+ki5uVLA7r8nAyPMClhR1IfOEtEinyxoFMAxg3CAp4GO+fsXQv2EAriK/
AE5X9bTxtAS6h1GRtoYDJl4DzxL1Dpar0DXzM4HB8L7VpJ2RysQ7StKcbYIO
BQEBNbeo2Na4ZSRASc8fkF5/hYKRXpR9yeumdmUBrJPWCyiWL0elg1+Iiw4/
AO3S/l6TF54TROAFGcwRWTAYBO62Suewq8DSYEXnpH4itwV1WQ5WTnpbUv91
kWV/y7oMHLVwNAFBK4aNO8+a2wz0NTiqoBvBmn1U9bPKkIEDFfBmB5sHzv3X
ryiRYM3rskAe2OhCj0uYavJ0zzH9DS/+/B+7z3Z2/vyfSY85dJmiApHsAgvE
+fOiDHGdHG4H8tPHQ2CQSivAdeA0sn1VZS1DBO94KFZF7s1Jx9vIJoicTa91
wjWsWNZMLsAXR+MSzlvbrC2zmvaKZRMMFIwZYBUVmTIwHGD/qM96FRMudmS0
gLEN1gEqfkjAuAnWuBHNIpLk43ICHK4EXgrU6IykzQtzsUptEtJGDPrr3Cir
YIAiIFAi3KZLo3J0+H3OM0RpM8+QRcGx09cDDyeqjAZKu2BXibkvCnikc3gH
KnFOX2hVV14rv6peUYF1uc4imQJbm2UOY8TIZmG9xlmFqiyG5obnFEZIQ7RO
DEuzaEFpoYFgnJuGV2VTZJPoCcUH9/LUKvvrAvawFqN/ydbHEEdkRzhbAAmn
k0nOoW16eI2u1UZn1ZT21o4twKpXmBcSUY4KJJA6CnHQAvhMtGaKQkHcWkMY
Tw3ikDNEapHymO91gzegIkRhT3826uTrg3H49TuzStyjW2KoG+9/GZ1uDPi/
yYeP9Pnz0f/85eTz0Wv8DBN6985/cHLF6M3HX969Dp/CnYcf378/+vCab4Zv
k+grt/H+4E8bTJ0bHz+dnnz8cPBug0nZkhiaRsBBz5HJAfMG/oSbnKJVgqr5
OZP/q8NP/9//u/sEmNT/JYlqYILzH5iqBn+ghcpvI2rgP2FxYY2Bt6YVCXDQ
ocbpPG9S5OhwhGowMwuye7bdv/6PKTKC4bP/8W+uzS28osfsiaxr4H3IW9un
bt/tky5fZ+RhsEYgqiwFMAO4HQ1IPd3nKDtic88lieg5d/l4rKGDr4M7DSGv
sJzgbPwRBgVqftsIo3WDZ1QZaN4VzZPNVNL/6G0giNh5kkbMA5dCZnRmGZqu
R49tEzig5WxwfGqQW7Q/abL7bHieo18VqeMyq2DoC/i4+2yz921byZJsHHLF
gCQflnBJg4oIPIK0Mt0BGC+rGi0PF473mCQXnPnFjLzdeF4HXb7OTsEETu91
1rxkeYeLl88wkJ5N5DbydMso+UbYlnl9PZTrKj7bbU03Wb18rBSkrLigXWXU
6QF8i7RJBtc5cW3czwXabyTl/XuCJYMWCg1en8RUhQ/IYFaZPKSmXQKBzEsv
rPm6wDO0CTfDKZsCaaLWoQ8iv1FKZnKOvm4KmaEhkSaRJcRX0HpsDVALyvm8
wdfwPt0oJG5LcjxsMSlIj5fX8gN6KWQbQzY0RDb0+Vzy3WJqESPClCagfeN2
xcGivI+P6Moz5hwoCsV1sskLQn9s6Xaqj44ULDD2FrPFNEVFiJUm/06+d/MI
rBESHqdbA3gx+6PS87qszmv1hl6iQzEvYProtCIz+Rp2UFV/vWKapZjixAsl
2gNcDWIG3olb3pSqgob7ZK1gTq/fHOkcNo8Ot+BPtGcqkst4ySDQDqcQqQ0w
wIAN0czz7SfwoA/Xg+RDoc8i5xBp0bTGaExNs+Kyuar1lHmWYSkAvXM4GTzk
yIyP32X+kXw/pQ2t8NgA3eQXy7NJ2qT7ybMn8hh+5Hnk+GgrRvAq4UKF39LA
bc7zyyHoWzkeCeE2+IRiIEuinvGgi1O62BT0zAUsNjz82zd86kd82hAVD2QK
sCigSRR0NVzy5c//kW5vn//5P/2VNUUr2Ct0PtzVheMxyVO+DEgd/IKEgRr2
37KqhIddYLhx8wvNRSYGywdfbCV//vbnb3jbLXkH+Vs9nfzosNBftuH+Eb2J
fZ78ExwLEGBfMhbNrCEv6XdUFQtMVGKORfpdiUeLzuNtDqrSHPQw3LoLtPS+
wJF/tXZnJBhFPAGeY0w7Oho8a5ou+tGzWU2GBB8bGlJeoGMD2CooEbR72QRZ
xglfMUXrTSzOnS/Hx8dHSjWTkmZTwllGQ46MV0xAl9WZL86n+dgl3p1TZRqW
EC7d9kbicc++YBpbDno7EOSimHiODA/CScBCB/0fLcT2a8WZSfPDK8m5R7yN
ZBPxZP/kZdKWS0AaB3APSMHg4ilgf88XZKkQ1WxsbDFxoJHJjJfXdxCoP2XX
G5rWslw7X3bgH2/IztPltATjWk4y6O4F8jfcUN63coYSHf7v7OaJQ2O6xMgf
XEFRh1T3Wuwf4h5wD54+WTSU02ZWbCeehvWnkoKvD8KODHFHRKVu71NOwTvg
7mTgP3siXIB+U8+nbHHbVa5ntF/2r3JmDlzXF4n2tB/XGxmWZ8U+/uQtfmdm
sYpRPwFGvQu0LBpZ0iznZPQ6IS52J8upGU8XExLsxUTk9XCaLuG1uuQ5+o/5
qm3XGiu7O3EdlxG/Er+4d6mxGiMmOxlQGicy4dswMdIB4EBM878FXQb3JTo3
SBshYI27icmjLAlBFA3tA5kL1BTFJX84HRRg3ecZBYMnzip/6s7MKd7KWiUp
uZ+zplp+BmMUzEpWLP0UZfEdLX5SLwv4FTTMoW4CmoXkgZDBwvFOOThaL845
Axtm115g1ALesIvupLhDuA3aN3NA3Gs+QpzCU2rUkcbsu0aPp9AcHVWg9vE1
OT5qo0labR/GcxgFUnPOu7xCow1N3MaJSmfiMLTznYBej40W3i9sdx9uenN2
+GaHhHY8SzmK8xSsduCP7I5nk8RQAFzlDwpqkv6o7G3v7m7vifsnUKNsWx3F
a8yzSZ1DJtj6nvRFzlZm0ccq+KcqG5G69TZbHvk4TSAz4z3CB7KiA2Irr9GG
8ucP+Cs9dAU5wrLqMoSpkw1G98sy51XdREPWt3aemdzkqdoQ6wmaLJQ22/0O
kgTd+SAF05qG4fdgWza0u5+bZmRbfNnojsuSxZxUftSIaaZIQ4ZY9THHv+Ex
rMLio1wIByl1yIMPf+uD+fiteDCzHf/L+4NDY96BjiMBkAztMI5p3KCJZnce
1T0g5kIGANJfHIt2EO13w4lHRqTvGtBGAx3iWY0CJbHAeUJurk6VKEjjrpXV
G+VCBn6X98U6X1zb+eKNy56H1/NsTGF34CRD/fYsJ4NWVFyrbhcs+kyEa8Dq
FtqYJZIyao6Bs72Eh45IZXsn7iujXbMlRoesSi8u8rFasHjXcc8Nkd3TtXnw
thaxKbfa4kepTtPRTNGC7Dmn+EQOG3itG5Ns0D8JrIRc2pHlTco4ykkUnAk5
toBFkb9dRe0m66wU3Cjn4g3F1ZbVCKYzclJ2YqCTF/g9SSTDXLb6h8fuA8+x
Byz+x/IiFfEDGaNxCvEs9KHRAWsZmjbUj9ezfuTt3ZM/mCHR83h/h6K9L+aY
IIg/eIUjvj72VLUfZrMRVkaZoyHSXGWtyhmoF0NxulOIjKgXLh6qZsdaWYuU
Ya1AIm+vOqKdwIRx8XMswThwXF1O0R4TLXpFbprIXsMwXV9khVxQJmxifY/2
er5cnJr1YI2WvIvK3QL9/074g1YezdKlDzD5cEJnPWrkQlV2icyR2UZ2uyLf
8vYKY6ET4/QXmUzi1afkyIO3NYEtpvhuKmFCMQFycKVo0Kd1E6tSnAiAX4k5
diEMAp48xRAnPCkHAwzLlhN4wVwTmX2iUpVsmkyWHsMd4yKBoQoHRb3xMmdf
2YYsycbWwBmOStx3jRHFblmfc0AOdZjhTStrbNBmDaTTS3oc3yqcdTMNy3bw
J6cJU8D+W/yXDFExty3jY8+2ZnESi0pB7cZvbnK0xOmdyuwkmVSjwmxhx8cS
Tgix0kxyMWIfgH+ScHXDzY2CXFaOnaDsqSBDHxiv+H2EJ57b5AfrW0isl5ET
UzVvIccskYPptDMutuCZ8ryriK17zMwoHboLJnAogMSt/g+6KfoF8Wypo5Kp
bAzrLC4bFR8gZFfRKXw5lWSmJe1T4aN97FcPxqE6Ce5yPeXqiYnoBXabfWoS
s1aLxvqSnj19+jg4IJWRcpD2VHw7ZgWIDagZjoY+FmRVwzF+Xah3ToUFHsgC
netTLGORWBEte5Whr4sVoOGRypZKlHY8ODO22dojBHq60qGzF4v4j9wJyy9D
m8H2AFvFe59J4oVkfwKbSnh/Jccr8Tc79fz69STvje4sb4YmHkVuf10QjjE6
vzG5OW+Jnjck2Q/XyU/JB9QngD4v0goIcSoOBVLTcMecXUvv+Symy3hDMloo
Msj/IpIBzWHyB5JKi9v4e8+iNN729UE3HqNcW2bVz7E5dypdwfUGEqRnm5Py
dMKFKh0SCUVImjWptAdqbEZykYYQp8n381wfFVkVfgnsozMeWVt8RHuydNSA
p2ikEcZp9Svr6jJ+Bra3fCJl2hojqRn1KrHRG4DqhGdJGWqiAeBXpGWjC4kY
T292BjwjretyzHqMuABgivBC5JcrlQ30MwwozivTo5PMar2x+Vn+LNkL1SRB
i8GaLLgD7gexgAn4/FoesaQh6Kh5ON35m3046sT8ah+W7Hf5JJsUJ1Qll/V+
ya3lX/xhYwmzRR5G3qbgSpVIIvpE7hjiGlcH+m1Jufb2UYXoOUVtX+eS1ZRg
bEXxgUmWBPqr2b5BR1jiXxP7S3h/WKnrfTJ76EEAYmpWk2PmpfcWxdfN2Gfp
I769s50o31cvnTqI0lpzY+gRIV7eJj34Fx8/S32Y/CE5uxzJDaJ1xVnOWqFc
Q6N6mNrTvdcByuT8YAlJV81GOjKPJiaeXzgJSF2lRuZbVZQOudcwdB6oec2o
0lOqEjDc1K7hKMrkvCpTNQLxxVRqgHGsbJyizktpfmFxaDRRgozNQwoZsyvI
RdR0DOv42PrarVpDfDghEs+mLmjFpmlhBrJ9SpRS7WA1Jak+4HOyJMksbfri
vV6wULTZHEjxautq9khKtjbpGPXbm4N4b8KIyARCqddm+2i9zjIMPHGiSaeO
oAT1tBlf0VlBB9zO8PPp6cBKJTmI9KbVAe6EvERwFbpi1zMhjBZhOHdYNc33
76DryyFEUXGx4Ow0a516Gk2TAlT18rZNo6QZkAGPdEIbk9fKd70T0A+bbSqk
ePTWZJq0aBMEL+wC+FxBIcfgyIQZUnQSwxQOHZNeuoqDUvObMBXFlCGkxu+u
BUUpZtxrUiZzaDApxgJNQ/x3KJm5JueCadun8TorVzlHgyUVutEGVBN3yRwI
qSFKrSDztY5WgpNkA8fiQCTNGM2spXoMJ1nwi2v+jsMXBOv+JFLqxZjyXFHs
QXGwwTpzFS/nK9H7XftIe/WsMmpU60ANRD/gPGpYp1sMhSlsEEb3QNsVzBET
tPn6QPSCoSzQ9x7vRCc9UMmO94hS5TTi5UqbH6HpJ9Y0ocunaMqJgnIR7ICH
tQumPxkIlIuji1SVJSlzMgKxdTc7BStbA/X5dOpbvNihQhdQamBpqV4Dq2El
u0Yy2V0QL+xip20O2dVweIzfvg71JEYLrlnnv4+rr7jICWOOK49CIYmyBEcV
hmM5VFhPkUzTJR4nH0j2q5hExYTkZQeBFgpL8y9aJmyzxePINrwfgzwa1aY/
t7adpGnJWtMhmgGzQC7DapqOYqiMza2KmCf9EfMrMlPEWsO51Y7OTHPFyVms
x3rh10NwOCoUoH6UTnwSnFNwRLvOwAefhW7Fww8HItAEcllOsOgh9L73IsnK
m+RqqrtW8u0h1H6SFiPQ0yH76jFeHlXD4QGhdLPwfa1Fv5JoxkwhZb+Z61p5
famTzAkGxInV4WRf5R+jFR9SATHRtNTI8DdprZ650qp4D5ikQNLSkGsOi56+
f9eKxdfJ75ITWIHNrZfJAY1h8/Ug2eA12BioPeKO4TqQ6tf4q7gJOfvUyV3H
cJfMZ2OgM9viWv4HZBuQzorJkWbaJAjQOwSPH/FE6UnwDTzl3ZZUSEb26X3W
F09FT9bnlsaixKLCGb3k+UhOy8Ho8OSEv3np7P4UUZiL4gXJO+8baTtjND3P
a7zE9dH9h7dEjj8dC+03EnE7/EAc1zsF6QDV4monxmn8hUgx5AVEuuhdauSy
vGOk2ci2WAkio0ppzjZjiI8N/exksUPeAe1YAtwLRjHNKXMJL6CEpjFXz+MS
yvtkWETr/i1Uc0cpVZTQHOwSmhL5R8l/Zlag4/YKqjLdyTv7g17PgewtjyX7
MqbCpcgZuDrJnKwiP0KlDywFKy8Xmc2lkBqzIfPL4TsaKhVRsBfZ+Vn4RBnO
ufGxopSrIy88+bCWnoYaKRsLZO6MMvXrA5F+zsGfm8B+B6oKydH2CenvtoIE
ZhrGLW6rLPtOFHVvgZE24OODnIliKoUP3xjp7Kx07mQ74hTzpi25VJFXqU1F
UvcQ0sl6Ie3uJaRx1RT/wMtIjX/DRWcm7zJNaHlBBytrDYY1iK6W/MqsXoPo
40XdwPH4mxSn8sNGJHkKSc+K6kZBmYtAP0rzZtJhuOxuoGAEu4+fSZYeUgaO
6OnuHhUajNN5Ogbjh1epG/0kZWjny86ThDKUJqGGYZaCWYJ+NxcKi+OqYhZe
OJUXyb/AmYL31Sp63gLPh8Vxv8J/Oa8yOCC2km/f5EutfSBpsyXoMP5XIlhz
tWaBuBE8VcNnSPUbLqzP72hO83SyyR72M17uzQ3EAt6gp8U/jEBwwALq2/0Y
+h/zdsXVv+K/KkTkOuMbNmlRVMgRdy0XlYoRvqZiHw5V+JYVqrcUK+IUF8zV
A6Ne6li5XMQBuWOo4RxDTBQ7XszO2Tvqs71J2Z7B8ZwBOZrcbXSOYvnGNcY/
z6VIaZelNjGzHXj1NLvwEyh8YrTA3Ug6uEgGdiZSjel5SHSNloCfEF1ibzbP
dvJsU7phDx4pOpisXW/JcwatXazxVc4OH9efb9mKXoqj1L1F8IAtltrhxtst
F10v5xSdETqJBYiZqQ2PEseeIfrknH2Ct1Lby0T5K+m3nkvACH4ppvl1MJoe
esmN5xRVF619cOxWmqd5ZUto5eTzwQC+LcFQ5F6Sx4qiZonxOWAlQ9JO4DKB
ZoBnSXpPRVpuMbF6CwUx0qqm4c3cokhnQEeLclFrnfPIUwbLcNWBiptyHDJR
olp0WY/GguFojDk2DT8yA5Ly3DmX5w529/78n8SNelASaCRciQzjioAQNj1n
GBCfQ7Gnaxqb5oxbRDcjq+Ci3ngsoVTYD8SPIRT5yEjG/idcMXkkn3cp4OYk
HPZ+Iuo9FXcjL4CjOiTOjHDA/tavXz18OtU4kdAUQ1YfRKyc2TzzdlWZSoLg
YS6u40H5S9ob2XyO3HKcdnlVTon2Ix2DjXYDiyQnWIdwDoJ64KRcliruCEUA
GA2+DOPNojD3sEnjCW7r21b6ORODsRISq99BQWqhH8BQ8c2/fjyG5ZNiSvbV
oI4bQrUaoMW1WhRVNpWsHZnuaiWPSrelyLcvOw0xVKzaF46MPsN5tU8U4HCE
alF40x5N9x+t25L6KBCGb7Mlerck6R2DWcNLhHbPx6BTfvapXgplZXwKaSuT
T+v8MZzPVoLzPoDWlfUC/8oIraHKhjI/AaCy2UqO0mTZXFkX6kx9Uk/8pn3n
3Z1DdHfK89fH+EwJn1OH8RrX9UCiEB+uaUc+sI6HKd73MstlwGdqnsMIz86n
Jdh/xo4Wc30DftxQc93b1pIHsOXcbQU/nGFmHulj/Jz/2Nne/nD9n/JjfpNE
P364xl9/+lD8p9FdatBRaQmMMNhP7AyrTESKynVdCfKq1iZPVISed5LGwHB9
bhAYgWuTVu0RRdRblgi2C0NyaG4fAU2g523gGGIh/IyEMC/HV6a+Bo4MY7Yx
gxlKaiOV8EUW10CzHhn0zeJkhcw4IjDmKgIHx4lNJt37AfmWk18ongrHDpNG
ObhqTh2hbUjMVUiVeUmB9n8rvfLS92Hwnj43XlTE6WAx7uscApI9iynx7MOW
6/n264efdr8nvyOFuEOeumsw9i6Z+tRg1ZKJACrDYjwrmFgov1ubeIZSB9Nn
0Etrps5uHfirxkgREV+KjXZW5Q5RdKJcip2Z3eRA4N4Jb/gQOTWW7eiKHSQ+
YhaqHGi88cAI32M61fIiH8jkp9hZwNIKay3EiVsGZ469LtnMC0dFDuPFNK3Y
WSBM2fPcTo4xJRiDkF+g71CkQKe69JWRZV8fXMjPQ/RrsJgj29m5e5Sl+og1
ZZaohxVOnADZIxAUmdTsSQ5yReIdVVtsbEaBiC0NlzgNl8ADOfwUYh4K2KMK
FAU2s7qbnEIlS6AvcpotSg36BCSka3CmGc88U/qzSUWrR2Ql0jOMT8iHRTBe
y2V/uPLwAeNbms4CWgeXKOljUNu0niXWpu51ilE3wXGBSWMH3SNI9Pe1x9Tu
JTwEPUz2uW1XU3M1oEx+Pd+t2g3vidJReg0aPREVAUqaMjhKr9Ej6eO0a6r9
Xoakk97kLeMdDtN/KZ4sCaCoCqG1Iz9eMuIJ3lv2cDicOtNYFuoBkDVQdoKu
GMz8AGOVdaBQqxWqz3e9RDBkKN64IqZVSeDxIiDroZ7Mkg/pSV4RMc9POiSU
4altzsrqDIyZsyiM4Cnp2ZMt9/q856XnEc3619xBtef/JLLlmrqYdO1K+IxU
kywmv2h1v4oHH/4ivFPY+JedVSLyQznO896QDO+otJlhZ+AWF13UwfQgQ54e
GjgI2Rsed0ucBA6Z0Mt75Ab6jDDy3LY5nyUJ5O0edaBdu8P+gVUlPy5vF3Fu
mrKh+8dAB464OR46wy/FkU6ZNVrqq/nd7L4wPHjbvTJiS3NLFMarH27EuRhs
jCWqOtXXSYtWIYNrAZq1kJwVjYyzRhSqz87WdaMOBGSGmAhrhsGWnJHCpO2A
pFOLOufJOEJfxbAU22dGVZNqfK0u0iKFJqQzcxL8XzA7f6ioUPDmS0kLI3xq
hPgjLacIxQXjqpTcO0YXYc7mgnEuuR2su4dABFxA2C76ppr99ahUKLgywmDV
HoEZaUF8N2mt54pyCUPIluGyQO3ANkBcum7622iYyKKqYSSuUfSHkBcBixhI
dOB+TMkguL6YiLHFEQFc0kGyKAqga4RS6hC2Ik8hllFTgRd/R8vjDM52yiVn
i5mkK+DMx7aZwVCBEMPUPS1GwE4eMJE5ZN06djZHB4UtZum5gK3Y4Q89CCav
NPfT6pgry7Q1vW8OxEXZk/KKUNFzLt6quMYvRs2JKrWkbFWgZyhBe0rQ3RdB
WjBuDlmq56iVRxIWy8Ojmul8RpAwLU9qXzaET8+g81dzMgZ/NnZk+B0Xycim
LBgJPlt5xmiU6jZhOWgrKzZFXErAdyDsfotR/u/STOE9Z/wKjqXYJIQNHYSX
6nRJbzYCe8BbhZ8cOYqDNEkrYtN7o+Y2yL0w1AU2jOhkL8hUjYeklett/eNR
Sbhf9ewsLMHABd/H3f4l0nltqr9TIf2GwSDELatBZ5YXnCxAlrAcZvwNoVHZ
sUVgaDUDPEpigWLHMIDJ6pIbkFw/WHLj7vBERgWg6IzULww1n4rj3FzJWtGH
7FZafJxybmBe39frgVqZUmVEkeFFniZf9hMk5yOekctoy4X7zub1dW8mDGrF
TEd4hA/fJAchue3QJrfhqR5fmRU4Lrsw/D0AGD1xecZ4nJKBKkHdJ4hByHUz
NBq++MwG8MXLg/qz4VMnGCje5g6WwTCLy2T8SdzIxoqPEmXubYRLWkcSbqBB
nJlq7hdbzl1V1dk/aYzw6OSHx4njWTFW3l1Q7qbpWI+naGpcCo4nsUd1M0XM
6AMwGyWh/8776Em9I6Ez3gHySCpGg2VcRl9g5uH4JTl4fBUlcgzQN7oKYaeN
htOzgcgd8W6cy0Obb+6HPXD5NrCdoJdxBLpVoh+V0AvKDR47cRn3p6B7jD+0
40mpoJRsioNTgNXO1LVLoajElJKC32Y+tTmiP/jfCsLjbiPqcWptJ0UMogeJ
M8ASyubOwK14+FaAUQ67LHrFjBzzeaE5TKHfhOb/+JY2FBYM9VK0+DSQIkHq
1QCYk60TLIMh+hqG7IqTiGLW5TYibBRKGx+B6tYcgWUJUugjKqu+wEOwQjX/
t6FoOuakWLwZTgUv3RTkbxEXJMVn3oL5tPdsIDh9rsgabMwBiliTwjZXdBcc
gUvJU9IIZmfTjYfI+I3aISQOcuL8jVFHeTlSO0CPgXUGNZKQUchyYJmI4u2E
wJhsD+GvDxigaRgsye8Mcma9B6jqKo4TnlzG8IyLY3pAPFmf52+MqTpgpkDG
rSn0acmc+8tcoInrlrRVBxj8stEHOboiM7XFeE5kzieCwv+HPVDr8lViuD8a
0QN3mrZTVcV7ZMB0rzLBx6d1YZsIW8xHqxgqJgTGPmB7dUfu7kDXk0HJWsDW
0TwlCiKwey7KqTlH9wMeTMZpJzObOcGyxmwRjZmEmB36LesG9Dl4fKaPl9xm
HUDwg0kFgs+XdC1nfceoE/AtWMNhhl2L5kus4tejOMyLi+kCMwom/HIOc1OY
KLaP0OXjC+SjRDrv+yfoaab+UWgucojA5p8Y3+vrA97yIStV3zuA65KkeIF+
kEj/8uWukqCmMESTzCloenI/0HQxHC0CSA+OesewzTia/oX8bijQMNQAAwZu
IpmnnV43rWrGnrqw1LI4xXM0gYisWMySr6QbwbzPDo5GZ7t7L85+f/j+LM7V
4X9+l3zd+XL66jUm5cB/vg+iO+G633Dn4ZsD+N/eztmnj+/+tPt452nr/vXv
1NG2XvcDo73Pne670B2R3UvhNN8iYky+cSD5WwfN+pv7NhwO/f/hvvVrjQ8a
DeG3IfyWfOvtMGOf0r/u/BT4dI+n3LUHMNOrFP63tzP8VE6XeMU9xtXZm/6J
rZ3THdMx937dTx7QARhybxhq1/i7jS6/4ES6DrbXhtimwRwLaA2cdCSlunx8
e7pRYY11L3qwnO9WPy7iMHkVsjFCYlk7hyH2RXByWFlHaU1+BG2uduj7PtQG
5j6tUYawYDo5+HCAbD5Pi7QX8H+FFwGD38CTzrmbXn9/rg7WKHdIEdRdhRsi
97Skk6QBI8H76diUaZkDXvk1bJkDJqKCCgB5TfLKo19gb+Kw+1gPaH1yAq/S
rdru4KzYNlRR+zScgIsaUcn+x03WaoVOV1U001aQjt3ZkqEWoGLGrBTQW1O6
IeEuMwRnnEoJCUPOELJb6hG+LUIZlUp5rJCMH3QOYgLNG9HMWc3yeXdSDc3F
tZISqjN5WHNDOJ/wzD2cQjFjbzsuHLCL/fpiG1NHvJR9u3POkcSAbcXUN/XV
WmgYa9PRABfBKaJcDDbULA8kdc2s9ZEFwhCGe9Gi4/7XIT2zXdPgIwm2houK
aLTO0jugqZSxL/JFE+kEv1jUUx8j2PcrVNnjPjJd8D5Y8F8/Hg861RSuWyeg
KDP1fXBKtZdEtGmIBaldg6IQgunrSbnpZAD+lTQ9htvDvRP4LARJKCZSKUiB
ooApU53nsA2wMcwr0Us3Ry0aLwu0QHXzq6khIi3sAYHOf4IkD4587uwzByUo
q9sB333xA29GznVQnAnoPlh9m+lk4k98QAmUKMOWnN+A3Odh/pn1eqAsSrWV
gIOphAlZZCZLCBdvMuFmMRVxSLkTo4NA5zhNMi15ExBZX9hglIWDrmtaTm/p
WLB+AnKR3ZMc9dgRvSJpk+EIfUkJA/umnF51sZi2xAbhU1KSvA2zCLJJJ82J
Ey+ueelI9CLFc7WaZFfh2pi8KOL72H4NZYuvS5U4ptMQDy7YIZpNQrW8PGo2
YemAr5AxVlgUUCJMCjZKQoabNFogw5HfZODTeis+t+RgVJmveNXdoRRBfqWk
fwwkOY05nELLR2lhF4k1EzRzjDJTKE2OgGrQnuP8uqFMOs9MHFBYPyWKmXEh
0kiDvgnEcZCwOs304PTwzdFpe6bcSVyYnl0RjGvznh8uxwgIDBf/+vHj6z8d
vKWTe8qJfL4jAWN5MDUNKIFH7OUIfhr2W7G4nDoh+AxQdjz3hozLHEwJfktM
+cI1KbtsYb55PB1zgmSRfN0XpY1Idre693p8biHerCmKbT2LHuSBcqJubH4Y
NKicIt7o3EJZXDTaEJMegGKhIUAhOnMTSzWqnDJ75GZtvIc2EMwxBucBFYWN
rmBoePyoVx9mQIGkl94cdEBqJ4oKTUVg+0iU4pIHVou1DIrGQgn2Iews2WS1
DZdnw9t0qXDVJJ8vkNIUxsWecekkDNNBU5+6bOGBQLrL4RQRtW37vlWgRkyw
OPBLTHQGyy8OcV/xNuAAaaCsbEj8ThMQklb+AfzNH0dHh9r5E8cNA3RYLBdp
jlcK3Ai7RCRKvk9WFkln8eRKorp2olcJH7MrqX0gvn4lcwqHtu1W5wpw5yXW
HND8mJJyhGVTXPmEzs8QrBhOgUlNk27SiGZA9NiPLpQdPehT10+8fimKe+Cm
sVbKQP+kK2cBgs6ob7ZnPOsqIv9qp+OL2cLr480RlSEJB56l89o0IJ4EATqS
w+zimph3yBneaU0H1v5pgs2RKYN9WLcUQGCW3EASlcSCYTyMfhld3NIyW79t
K6JfDOqpHXwoz67bWQOr1Kj/ivRnIZLZUugDnTR5AX3Ze2tFpXpcf3be+yj6
Ie32g+Sj3x3naEn8QDFkARb4WFqO+5UO3mr2VMfZAnBZXx2rUy80lvKml4Pk
Zosv3hxtwfXywaca0Pz9XzdbFL+9xps1kaLeSihdfPSQ4Wz6MhfoqQ/7ns9J
D6tzHugff/UG6V0b3WJcGAUMTf3jOrV3W3fMbP172y95tyI5Qwhdj4hzIu79
KuEKm7HJynV897yLqKC9QsQi2mpG+Dhf+hYesTpqqsv9FrOWc28Ili5BEImT
6TPhUhT4+lLxXJH0RwNJMqGS8O0OTXC4gyZChrV09vSEKw22pEBX+cApqTbz
JZwUmN6ldjEeIXKfh3AUrUReRFqENum7A4jDN9ySDGfRlAh4iOt8zFso9ojI
AkJxMLwR4wAuilk5Iaih1Qkm6Bqi6ikuiuUWZjp50kkSkmNdJb1LwdSOQDsz
CXNVyN13Ua+elSOh7SUEMragpHKo4HEpmssorutgS4Xih9IP5J0C5lvOp8lq
srRZgaq11rIJFmVf3SIq77ZyMUL8kF5VLCbIvcYxxaRdKAhPiUoFFWd6DZrV
ds/x9DZRxyDaT7w3CGftGwvdaQ6ZhnMWgJS+1UID2VUM+CTBhiIgy0pNKNuk
u5vBF6X5uUQWhxxVkYVve3VbDG6K4foALzygFR9EDZLg1G4LJmXuhyVYIv2Q
NgPqS2CDZgpyK3OSRj0b7HSQiConi1MJsHwjFILWUAXn1Lcs406iZOaq14+O
ChGsLC0qsrxtuLJwjOGFGfv8OpmJQBDv0Gtgm9sYACgDXYZBdFoFqibn52+7
1/33rQWOYpTE9aHGgWLfeZLCiBjKiIFEpAc0moEdTgSzRAclVq5eH6u2ATbD
6AoslSNt1DDOQrEzz1IwPsgKiY+5eWMLrU4PVyBvDs96Rcm0+/ZmKmmr3FwG
jju54IahGZQxXG9iKRAMUlwWxWy7gLdOnew/0N5r+65ai8slcdc0qqd5MIae
xy50UUk4shaLJt+sSDI8+BOmNpPf4IJ8OOdLh7Ynu1x6vNJIsFR/zqYuef9w
48idFZm62+Khb9DwvMTtIY7dBWH3/Rhhs03uxYj63WMnF258r/h/PpBiWCfn
fqlH0PpPOUTPCvaYwJckZ7jOv3ASgUcj5eX0KAMW/JJ2kbAdu+Y27MXMV4P4
wYUCAtqSdDHJ6fnYrpGnlnwLV9cUyoIvsuCe6EYjP5elWgFwrU1tfmk6osJP
RGM/KeSFnGR8woFuJL7dG4CaH705F1BPatq7haG8zhPUP9R+P/JD/4cppw13
KEOe0HNE3fqmpSqPonzo+qVNPf3Gp/wnPcj0AEnla8ohsoFvtljipc8TxjXl
C72TNUyFQScp4wxfIQUBLy1IInyPGVsStMRdi4OWXXINgUuzlxSzlAt2vZH7
OEnZUApOSQZvRxaOahzf8MTfQPAWjs9pSUjlFxgGFO4tvn+qR2ExFiW/mxCk
O8fTSxRrjsrDWpp0VcoX1bvRIRRxkfnnwAnzLIIZoVidJlVOJiU8IXbzOAFo
9L6PXujENQ5Rxk1w/bgJHL1tlbaeLw3Yl0AoxCgIki/z2yAVRNiKGTRreasR
ARaDtzalhxsd1KgPpclFdussVAX6U8+BUV8n0pheEtIYetenBJq6OE07j6YY
CuJNXDXiZy3nzBWlHRmHY+RIRH9fNzrieqMjq2Ij2l6ZfY5sJlFXkHUVIYm4
bH05WsR6hToZy0PSgrnPjED6Ug0AUxZIlHR6R4K3815dqpuKFFXSOKZtpYxt
iIGkIOSVaAFOEocoT/VOkA229GC3vXx1Nr3tfNnVczmsQxFgcuFccocKMXOj
HKX1SJA0o8j4lCKcqHyivyW6Jl6I0txwd3aTWBWlhTtScChi4jF3ZOy5qeju
4uRqPqvFjyW10Vd5R1413ZQf6pIqPqsjn2GpDoijQbLByZMYe4x9LA8IOlXk
9EuYNRyyr9yddkhojd+/3+FEkseoe7MohyiStB0d5kfY0lhB0t4k0HAiyK2X
betoPzRFH59lCjFhq4w14RPdIzi7ceKLwkPt7x3j3miuNqS8t7dO2JbkrHk1
9U+R+qh/2LvjCuPfqVbCL7Tm3RYsrwYgkyNSB9k8QFQBdUG81EidxPfiHTHq
snNvOsTzRl/ZqQA3F0xwOq/fHLWIC8jCPz17yQCOkdZmn6FLMnqz1XqGBHo4
mcRDisI02lY18Y/9FUd3fHZVe1pqVY+/IRq6qrtE1LM59R0Pqu/7IGfU0MTs
Mj7EWuzRJr+59yaHkEnPRp92NvpU3roxsOpx9LPfomMY/Pgsna9ahlNaT0St
vdd6rn9Qfd8HmfPagSQ45ULCzkHt25aeGR8eU/XW2sejf+4ej3/gN+pU/NME
4MvheZ9ydglK9JwzGq6W51WO6HxSQU3IgkN/hghaU5NG6BRqD8JQOK3RoHCT
nCmPYRCiJ+dL75pqn/Bgbam2IJiBpOfRkJ1JbpoFpdzfyRov+9MwoAmTLWjC
pM2Lyi2NERjxXxPQxPdZEVIGq5BLCbV5L06L5F0cMRIXzQH3XsehHREe8Qkn
t319EMk9RFrq6blABheI/OkUGH82Jk2rI2c3Ntg5lzaup6k8XhPDUPpu84NE
mgIMuIv8YwyW0A0OPnBjeVOwbAC4fIkyj7CTWEiJ5piDQH00fLu/IhSDlFW7
ghLu8SAOW6quUfu7OnMtrcnD2oH2K0KedewYKkPDE04TKVF9Gg9MZz5pYHZh
k9MivBNQ5awMDC3hpJPqBan6XNYVUtW0FB+HSiXzHJFdFDnmNlAkmcEFTFlc
ObFgxiY10Uef0dHrOOe0JuuYMjhwXOOloKmWupSSgEJ+aGzNQdp4aFpfzgJk
dzhy29vbW1ITQvmYZH1j/AR+DaVC4rzNC2djCELvnEeu0QZyMdIqjMS97XzD
Iz6WoafYXQ2cpIOOu6uDzgqP9ha1oIsohEdwQWCFPSa5h4mSBjIMBae1L345
pBpru6VHsfMriFyPIB42tjcvS7pPeIzWfttN3XriTq8kbZUcx+cKmOskNt2L
PSYQC2K+qSXek1zjFMuu5w7O0BnWV4RIFIzyPh+vW+/jXBn98poGWjMx5I02
/zCZZpRZotIlJ8T+VZ6RD2Ujk7L7xIEUUg2T0PYPLEO0wgcm57gfB8VzBh/t
CTSz7ZSVptLcCTNFgabltfCcQaj5tJBd50tTMMoEQmhuHnXep4b3FTSEFok9
5h27Nfpu6/Z/8lajyScO3XhCfqDxAVPiToSLG0N5U3jEiadvd29YkWnfh8Br
y6noVccnn0Z7O3sm567dT0yKykNUneKwPjTMXRnEleZRvTFbx/uAbnY3ks29
xyqW0NTy1MUuQXLomXiIuHTqnqSNxONn2ARKDBirwobj+41IRhjAbz+BnVon
US5ORARxdg0vY5wyZIopJTMCtNEY55hzMlCH2D023TX4pEjCRu6LBEUJU6Rm
BipiLkFQ0fDliOBbUffadtGrHtZtjN46tMUgYy+GiS+pl4abp5RB5aEwqaOX
8ldPll76sxA6zxuPjC6vcwWJCuClDDsPs8GCW4mi9uYradi0U8J20df23UM0
Fk2rGR8pnCGhvVVu+qW7KRvNtN59TBWaG6jWfdH9efZExtSTa0+4zVHqmKoj
7aLPvNb0itLxc1VW4eJj0UEKhoM26Dj4dOJ1WrzudTijgeXXjlic3yVZOXRX
bYbOSluhqRxW9zKwNivotl1AKOIgxVRZA5UMkFTBMIiUUxvQ6ha9hRKDuxiS
6Y2w7zyoaxBEnKaB92JzBO2MVlDXhGFNlbeEgUsu1t3Hz5yyAE8B0dsEcYCz
qckJSndbpGkk/IraaUehZw14Up6OtGjQ0ymtGxKqXeDzSX5yGiybCr6AQV7C
KlRTLsZXvoHIrXYeFMHrfNYkUX2fOIZNlSh10IBDmgYDL7rWcQmYlYqivTB5
kkxqUftH4kZU3k7Oce3/kYVU/5s8u/XGTDtBm3JI/yY9bJwk1GrSK7KbkCHC
ObeK6FVM4iRchlzHmp37ZNKKXv1Zm4riWRotiLYViMb8Ui986ZItMSFCnLN3
XGPY1NfWLQqKtBMF0jqo8160Ok2c6UdIdmz4LOZIZWRtHMrTJdXA9ItvDUnz
0Kg5uQ/FGCVSk1QV4mNvezcJmDHI4aWYon7pfBbJkI7E0Bd/YdNo6k/o80Za
YAHcSBwBI+raNK3uZSV56O2qJ2hKqQ55DbYIZhJH4EuoM6NSUWMZeQCN5pwy
TMB7czDca1O16SRf2946rf4xUgsVnPsGMT4iXFox35ZO9HJ7p7uDtbU0yx6l
crU++YOqZGJUSbdClQSrBzbR6JJeCxz47gb0wL0nrEu6TgeFqOjMoou0dI2+
lVF3iM5jlldVKZgba3LBH9Y+9VNyZPYTlTtRrdssq2OGzRnLkyFn0yWzDKVj
Xs/aVGolHCEiquxx3SY4wJ4pDaJPGzX4zdyzAdZB9Y4hlfMTFo1tK6TBaN8j
jBQe023jIe1u7ULCTk8xsqlGiDaoLtcAORjExZjsI42BOL+49ZeuhfxA0pPH
w/iPPCTpfWKEbs4m7nXGEGJxK6d2e6etf6xNQjvRMkqe/DONEo34r6LrxCTe
/fdaL3+X4dKxWaJWSf8Ii2Xg/Dt+pZfm2v24GPeYrszUfqVLiBt4Dcu964pb
Ai7JNaPAGiFNJ2NFmrp6E+adljtEhs27xCpnOnRMPdCdZjhfELAxFwAjYTUT
wHy9NnOTkhTDO5nbqbuReY4uPqOdUs9fUieoKKHLyfpJ10vgiFv29u+JDAMr
C7SBWsdIcmQntK265EetutCHz1t1bRChLxHF9hh0oK9jc9dVxkqvxLOWipTJ
uriJm6AeqDEQ+rj5EfurvAGR1rHhRO77rhHUY+6oXul+g32TdO0bt8q+aRsl
lu7d/zmjRC2RDg71/6/Vfo53OFX7VVisK+piDOa/R0lPWEl3QUkPHbB6VXSj
Pf8zFefeY0ZacwBOQ8/UgwjkzDmV7WLERLhpNZs56FDWWkq2e/aevkCGQk/B
JXMx2hq7GQRk7e1rRFjwgAUcYeHUKUmy5gvJ9R4/iIhWiui7SVCtSJ8FeHM9
AG8yrIKAwZAzdCDGxPDKWYg5k3aJ1uUNnEcTpWvfLhXImsWJSxSaFDwZqGe9
D09NnflpY2CzyXEv8zi7nlyoGiGvYaSpcp7+dZH5PTvLZTD/uru9vff/7D4b
7v7bS3uh5JH8607rZy5K07FpbfJLTkZ59C/o33q884R8ckov//Ko504zq5d8
510bB4/53rMVLw2wsM0JVC1mOu3bPwWQ8yIGOfqn+lov2db1GSimjgFaxHDf
ZQGsSGxn3QlbNE6Ycr60ibsq9O2o1MqH8KDrCw+mU9SY2Dt7EI3FR/X8oMQF
ptTRgMyRLsQIFbeUjsaLgj0hdAr9XNEjDVohcFpOzqfkWQozThlpAle5g3Lo
O1Iz2m4M1Q+yqou7CCwigDvjSokrqrM+Ala+4jjY6i09Sg+VS+BR4KK+mvBZ
SYHxRx/nTclWceuGU84vkFZY2RzLOswbnLwBsaKw2P4ShCk2EfKEkje+S474
QIeSfKWziEBFSQMiBZ1PNhYMsVsS4f0zb6a3EPgYwqlaOgayYDwn0nnxWhzY
icLSVtqvmsCMDCwV7UwM3PfdtECcLrVypWfdScVmjKqsmDBUny/hU9DPKr2N
oTVpo33NGjklcbgBjHrt+W81gBIiRIGCj8UsbN2nnS/Hx8dH3qqry9gEEiSH
vDHpFvQTnS1hIew8FqmFxBDNhFIjalE2ELWbuyhRA7+1PCyKKJsG1V0OxdO9
4oIT426EyQ6M3GqdlQfJ/8L8FUwepQQeSgR5jTXmXx9QZkvVNFh8Q99T7Tln
69ch5YJJir+kmP2S4vPBV+wrD1BZGvIllAwyVV9TwMy9Yshk6Y1hFxirlbB3
kSSr0FjYlSEt1cktcB+Ed8zOmpUKLxxlf+deFqg6jJomtgFGNfTdpw8hCYc6
HLp5Oc3HS1FyKYxECOWW61osdzP20HJyBZayYfT36YsoqSryJBqreQIP66F2
WQMZZyDp/K44cs1iBVftM3wIrE/aly7Zd8seNLa0udMSdnWjABeMklsAUmmY
nywpbaG4FkHoiPgOSExhqhjLK9FdFdkLk8GlRyhf2E3y6OTrI43U5PXUZoHs
FsBYmDqoTZNVXQbQgYZJPp1ml6DreF/WPtaAtNmS7kYvD6ISWUvSGhUU/tOF
An7JDV1cr9rIkdoejurFOG0NkVGS9BLSNs5MoJ7PMnTm7ttGYfBy01COGqQh
K7tI8ylW2tpWPYNWQzB6cqgPwltAgdjvFGz0qdRgRiww8QNHzVhiqI9jhldZ
dIyc5BA7ABWUMKMOD4KR1a+H3g+CNDSSyo4JEDXiKQUvSS0Ozh5A+IBf2w9G
i1R4VChgNuPGJtxLJEKrxjpBFBUxY0G3rmkvQGWzkmB4dPgGkdCBRd+kNcPz
SbwAR09xY+CWwNswoM9xlexLVo1zFpt15vNT9MwyN8YjaCaeclksVT+Oy3km
fbZT5xexd855lWh/XnFXfuSHjPAhSACvVW1n+233yXPQC7RtWqqleZpEN5Su
6hkvZc5Y7OijDUD3e9uPt6RohKUY43r72Ik32Tcm5DLa4HpqctlSDME/6+n2
z6gB4xCHHylr8AOb8b0omtswm//5y8mhzGRnZ9fMBEdwwhhSvihN0DyTDSDV
ccLtYukzIuHd6B/J1XyD+a5ct9hQVYlm0qFFHIf0+wBOvoCZUpoUpqqpkfws
DE12iWrf9VBjFRqMYdXjIz1Ms6TZgr6HOgLalFso8VkSk33hxkZFphhMU4bC
jIpqXUxitn4K2Wq03QZtiFBQsXGH2TfEae/ZTefoWuEkWd1wdy1Vfrv6bYgF
iPLsWsozw7tzyGMMQ6sUg4v9GM8pkv0t+QOpi9+S1xl7zbiIVUnwG5UrzmYZ
teBslfkq8PCr18nd8MMf+P+d61cBDfddfzek8Kq39MAG3zWgnkuxspY2rwcT
+LPftq4985m3JNTXMtvTGnhtrCEGbN4KHbQ4Aga7eiWJry7V7SL+MRd4RoTT
wv9ynj5SH6KKKPBqG156XE4XM/G5mcmy7xzTZGEV4IAvOek4HiwnnXBPTJAK
OJYCLaJQ36BNFoKhR2y+DY+LOR9o3XO/zAWZ+/oe7VNC5xJxcLz7Lp2S8kPQ
sVHfMf9clC0wB9Y9zCFzCKeDj7FmY3ToWL+hl+Z8mrntJzslVmKpwyJ//HT0
ITkZjX452g+9I2LUhgiVpOmpe3RRQSlGgNBlTOgKoPiMEfGA4XwRAlHyPcYx
UrNTjGaqCUGFN1yAerZiQrA5hJrT8929naS+oorfc258jWxL2qtIvpYBMJiU
c96wX0hgozTgSIUZpvQawm+G8g1Q1oKWdjyluDDFfRCvD/svkvQhhjrS1PsO
U9Wk/C5jjXR0xZnEqT1++nSP6ZU87iYm4VUUQieEW3kKthdgw0nflPc/UD4r
/UswkjYjTd5JlLUXXL9j/dM7tDueCiDMj7J4I6zW6IEd6okdhayFrw/kUhMl
85AUcZ/JGGcwkF6I6SXUx8W3+XAW6EYqPeyKrYOMWtnpK0lI0oMdFEU16kFI
T/H+nnoQg3YzcfD6abcy6pnA55yfNBTfCF4Uus87WlbTktJgCKNa7+OiKcla
TAeZTrEUnh3xhVzuKIJD1VmEkUN/LpMLZlj6EHHeezi7sMKE3lK4W6kDW3Jq
BMIxhvCF1H6YbQnKZkOJ/0S4kumo5bc0KWYKJu/rPDPNZdCszJrbDGdnmEzN
g/K/UU6YKTmXwKOMR0YXeQJdPEAYyh9z7Fse0fIgrEcLEdXDeDmzYgpa7hNb
vn7thIOBkVzmSpWEQ0OQkS5CiuyJPKsDgSLAnBrkkz2jKBNqrvHxCOR6Kbq3
eYl/vm/doydWHb8ciNIjK8tHBWhSOgRspxy384/bHMVClcMAbtPaMeoOqdgD
r/yL5dxuZsWGczYxHZ88vL6ypjX+HLeixse0VicX7rnpmuRH4sY9PTrFHRXK
kVogXSZ92df2i8SuGPKAnbJhDWRq0ckmsYYWHcUPTD2bPdM6fxkwo1+gfoNV
bIhMSYUkOuQhoWXwuAnvB+WIQLgx2yxK34HeYH84GXAogUpN/l0IBLD/OtMd
CfALTblNbQC5uJ68gQJayrUtsBQD8VN4vO7YAyMKBgocddOs23RqoqC+RTbi
LKAJLhvFLTu7SjV0uj7InVixQK9E1tPWiHzcxstI0YiWT8+pTy+5v08PmXUk
VF/D2b6sUti+zxmIYIZhoq29C/qind/l1TlPPSvcply7580508AnRgCjLkJY
A7XtTjrNkiL4XW/tV+oONWr4QPrVBxjZjgQ3xa4RQzelkKZe0K2tF4wKBQ3I
tS7FWt6haQYhvYRjaj9WBZiYXQ1+9Bg+xVkNVgipjxD9CmDcS4bFU7BrJNqS
J72BPqjPOW1iBk6Cr1JNgULbmDIdhk/OjTKkbUbiu68rcjsLtOsvYcXDS3f/
yhBt1WYy0syWkJsnPXDM65pDD1w3u3N1wimmsFtzzPt/qMV1k13Siy8XIP7h
LwXJDMxNiwXUL0ULHpyVLOkkihLWLtaLuX1hzdI101JKrP1T+RSk+xH3KwPx
HTmfByo9FgU1ERQ4JN/IHXdbOw3CIUKu6NCJKV3bjD/fE4gKgAbbPCIU0wRJ
q+E4OAxh4OqcOi4uxlfR85Hj+lC+lWywDJg0j7ahvNFR7svozcdf3r2WtxDT
gBH7tFBKwuRX8jIYHyCu/kndcsIe3OG2Y2agQO1X2uRIzh5Ka6VM2kzMgVhy
8j7o+Vlm3XnptC7DioVrXBqNcT8Zo+VG7j7tkRNfEbdq88rtlNLwuCiVaA67
W+JJOQs9mejQ9P1whi/lDho1F1iwEYO243QZst143NuuQ7cMNJ/elKCH0jUh
eVPCeFLVSvEkF96EFE15EJc4AYn2hhBpNHPtwyzQYj4Q98mbu86xyiGxUmMH
E5hdWd2m1cTXxd/kpCv4vL9NAXWkXPAWsCaVGi+MHrUl+LZSksYixQd4CKMg
6pwzUPyMqLeKwaMQNDePFeYbQwWsjIBe4CHGze6z4z+IXJA9LoK2EO3H2Dcr
m7b3JcR2HB0mpQ/eK87E2Onhj1S9OFfHB1e58JGS6rzV6beS7HgYNec5UM/E
1wcreLtpcJC0i60SKbYiJqLNDILkaDUzcK0SLIRUAaVjyVmrUT3WyyRGNlV0
b8JvIIXUF4rRrdqX6aXtiJB0OiKwzSfo+Klj2BW2DcxWhl4Jtt2BdnwKqz9B
G7Sc1xL2XtW9wJZuxzwRoQC4KzuY1o1oWVS2xnuFJUHoK03eY6YCTe33JXb1
pi1JJ5gmhElPM/9z5Bu9xGvjJnBmQoRX4FJqAJ/4xrj+mRpDAREAD9F20vAe
TE5aIqAQ4c5VRdCBI4AF0ehwfnCcc+qaAcosHiHtHZZl14heKM6AywUYdHBX
Ta4JqVtA+2MgHXptuFhkm/qJCJrQtZmSoH8omHLIOibuOPEaJG6SEQOt7KqW
4INFJB1B88983gmojgqpGD2iE7EWn4TuErF7pEq42aHG6RdD1Ql4pQEX5fQP
wRf1wOE+1cWNca+5yR4bEaxMiYcnoG8YDViFnV9hFG66xFHwvb3ExKrDM81u
Y1e50N/Kbyj5lzePDrcE1AhtyWCEeDlkZY9j8pYG3t72y1WFkyRkVNW8M+kg
OHX7yla4TwY9V0pNlbVRCjImXFBDb6OyOltPEteOtlvFC+bvomAe+evHY4KR
If+WE8B28fpE9QabPWUNW9quiBmuQWCMOhtStyRfgtMusSEAYkz+oRaAUuzG
dehSULLZ63Tbwh4va1qIMPI8bhz1meuWuvskFkbTiB3BnkHGaQqaGINzoIgD
+ZN0+M678XqcjOiSmqMk9L/JrvLaB7M9qhRmSZetabojrhjLcx+CFJrcwGJQ
46wiMcc29K0jlFxkXvgVprUorjYDkTIxOuIooSzjr4usUjUrWjCkM9yLt/Ak
yscnbBLpi+A6wNMCX8Jm803GdXnJh5PRKehg+AwjskTWD5y4GmvOz5hoNVM7
CV+06bFXMWAOMqxtd9IYNCWMe3K4jzaUeSF8ysmV46tKJCnFra/pFn2Ci7t4
qzhpP1YrZBbkK2no1XyqC2Taopa2cE7Qk86gKGP4d0OeKEfbhAs2hH3LJ9LO
mT1I0YyZ+/gw1ghmTAUcOLjP9NT3KRKB61XPOLOqTrBlLcEWyHO0tg97I6GD
RWqFnC+4kaSlmsJdtTWXUx/LwZuRNyiYFVL/jwDARAVHoDJQtISqRCvvTfON
E+NCLZQ+/dKMtCKtUXRxjaKc0pZFLTdZARXrAMipQsn6eJrmM/EamAlZmC/4
BRcfC/22NXbPHUYMHWiSOGnY6jDBrC5xOY61d6JDe3UYFbJaXon+Dl/h5TmY
Sr3AwBxp3yaVs1XhbdBTkMIrtGrU04fOGyYlF4ChsJJAa7TXVqz1elDmlM4g
6zjFZ1eyOjOiZ3I6eM2pNdiBhM8L9CyyuwtUkxzFfy/SLZ0hg2f+e1wK6e/k
3a+2wb1kvBNUsPSjj5rkynvmHI50Eczz0SB5wxvg4QhxvaQnLs3X6yIzkXKk
I4F6xSazpDQxDBU+iHsnDLlO18OgCwBonWSzvPG0xAhbQ99L0pP+WnAzzRGp
8lqk84WchzPtJs1ngv/sQqFxwKGvQ56iSea+GW/oXUJr61HIw1iiDhwOBBpw
hCu+GQGIs4lnQ3KPrXyQ/p707NA3RPG/FMqbFV7T8EJwlX2bC0k54YlJ5BaG
putCzSl5TbRiXNWpkKBIBCR5ylTrJRPHaFP8OrIbIpBQxPLbMuO10OH6TMWA
xWsHkh2PU4kt3LJqvYzdJvE6D0y13KCvT6jvDaVkIiUThmy4Hx2HNbopqLXE
ijA5PP/rQrHlHIZvfYZPaBvh3Sh6QkOcwWOj0/qSNkdsFl4/D8cX+ydQQ4wi
bnQimXzcjtMDsDnpd1UQnvo9AOWkrUHAk/P1QesQ5KSkhi7xRTBUhDmclinW
rZnowSWwmuC8Cwh1KMDG2hMGflHZRdIaGw6UN1zyrS/wt6prk+M6VJ1zrc0S
iLEpsJ3zwHYBWxOdG30dSliyREew4JPl8pkERzHm6X7xRRNsBEVSjUymgem4
whjpolRRlZYzkSl9RAlLrVaKIGoazMKBKgTIDCdOnscv5HomOByRZkg9LYPC
zvk+2oQHuc5t6Uj3IcTDYHxWSdTlgwC2qAO4ducwLYyIchzHvoyTkJ0b6PCi
EBBxsSafYTMAMuvE6eClL9f9OmmQQGoCQz11NVtWbGPTQ93mBKN04JQND30j
DMOlI1ah9fBYvG15swu82VuPKm90ltb5XUnZMnJX4KJshco28OBCUC3aIzMl
v0uvfKZA2riwBwJEYBX0oaC4hvZelUiM0NXdbLOGrXxUTojJIy2rRtTSEbTd
eURzEmpoRVDFFLI+Q+8oRO3TO9aYHbIRS+9F5CJyjGpnX9wjaUUTQTHVpctN
tJNhm3FlxuKWkP3Stkiy0qYaPzag7Kw4uG6HqdUGA4/z264LRvdfXhAUMYl1
aauCpRk684diKqoC956Wx6PRkq7totUhFlJ7/ywZWXZRTaCCs8gTdfHLYZRO
IDCzy4KlBCU9gkanfigWVAfG/aRqjlONjTi4pHtiqRH7SDoR99BJJqCfonk5
ZYgDTbnwDYEvBXE25W70fmveZNi62Wp3rg+61mPVxk3tamsrtIInbjXcm4ig
YB7IVSA6yQ33Rju6Rpi6fLRs2oyvX5S4yqLGufGYsCDkFv19WHNip0MLdwpk
8XvqRisuvzs0XBYcSdgwsiGCU9ofDawD1p7NoZMLqhdtRA2ikKtsOnHayUQR
EUxyCZ0vbhKaDXXt7eniPAfX2hZupLK+UTrnSamZ5lTtqDNsvp2PKRTI1pw9
JBwm9G0Lm592E+0t5BYFe9I5U50BXfiqyG3OuX75hf/xNq2Ng3biTAaP77gk
fmimNRYarSCbQJ8j/d1SZ8HGURiAvLCn8n7eV9tPi7aBG7XyKa+04ZtIXs2u
JanL7YalUs6qdpiBh80KMHfcNzGsB3FSCx+XSEmTzsX0VlY8QrhvlfOT+DHJ
HO80YBdBHcsCEGjVCj9VO+IlXYlF6gY1A6fT49oAg4C3PLYMqJRrpYljbQQ0
TVwMsWiUMwzxB2OHWi/7HDJEefn0+Rh086FZx6qckgvvDQ+ILrVkq45EIIVD
DWxZb4+ExmoP5CSG+OkqXMdYGUzPS1S7OCETNVh5nm9dsFJj9a26Ocdlihwf
pm/lTl/oLGp4TiwupCGIm4DVmdzUClmAozcEDwJjWExL43le5eAMLmWURB1P
Z5ucgD+YwNAgRIX4zxj6X06FaY5lI9y4lOzvFfdsWK0+Lx6DY/dk6iC0dsE1
r+lUUQJ9qkechOBs6r1pD9cpyQ75X+jXY9/BDKzBKuN84lCFG5Mj/A0cbqZg
w8TJQ0ZYeSMKmlunoBUYcRYPYYj9KoolulVxKRVTZKgJ/rasYBBijU4jqpK7
2yokPgedJjXERUyGol+CiIEJwF5HoBxUa9GpBR2SNSTmfyRpGa+8eKLXY2fT
P6bLAjOSvj7okWE+Co3dVBEALRd/7Jv0b2iqYZ8BIWXToRMTKBUkMkp4d5vr
wkniRzHX14K5z2+mlHQKWYdXRX32JLeXWut5TCaR0arikukJRhjCVXNhNJtW
rKWkghksmbKl5gVGoYKg7TWZ+/Xj5wDiwx0vQKIwTAmhaSWbqW/B3fWQizgE
zQms0IpWYInDxSIZ5Z3YaUlep6pK7XW0nJOf5cg4vC/0dua9kWBNZRipnJUo
KDqQBjNTzpuONqebecjuYkyAkkwBWt8J16pHWyQGcbtdtGRch1zYKeqDCcgM
DH1qBw2etQkrh06HUSTbBhCwMAsI+1YImwHwyAvD4SYQuOo9DBBcaMJTiz5t
hkxqI60mhSi99x70SwoaqMhpr9PaiKlmv/pO4mrNSgiKA30Dp2hVuN0xWpYI
U4WK9m3R2T9gE8DYlRmbEzUBiDTi/QtbQe4xtMh8Vp0mcpHI86uf1+XUlq5w
pnhTDltpBYx5sBk1F2N0iNDOB+5qJQj4+2yzKtOPu7+xow+/4aoM3wjsT/KZ
jCN3V7sLWoiovbDvgEoZB85rLw9DJgnVMJY1pS4Y4whdM+LYBvU6OgNE/wuC
VrNHIup06gubFecpU4lOfmf24UacFr1bI09KpmWps6IdpBYBfwg7I5luwJRT
LYD2GCkU+soqeFsDJkgX7yJawXZ/ptZhFGiWkL2iFVHmhaG6n5kCWCb6eE0O
6fQoiZKN4h4lrrdHybbWynWbr3DUY29nR1AHx+WcIo61hnL47AvudoYiGIsx
iZuw/8+f6N4GK5Jpiz1R+dTegkpV3rr6itGAZHqIdYNQWDQ9GiUvVi4Odr8g
Gg/BWHrj5DZKpEdTk4gnVGal2gGT6bPVTRvrcV2mfc0bLpzV6yzpy3ZSBNiz
Ax+9iYh9yYV6AvjGt5N2T5KaixMoKar1pLjtDOl8Ua61BB8QukjUGoE/jaok
u5acbrzCPzDgqQQYuminailwlk74xa3sXTLwAKy8aHUW5aSIbrLkKBXBFggj
j6QDrNKvH48VrqxQPL7Glo+G7OG8ZiN5dakdbUP43WT7kBrZ7hxvUKUVRJsV
zEvGd4C3/wULiglUm9mxOV3ZzGtYqVrYsJvaw55OiTfC9QJGzFDPVn81zqDb
i4Qdy+K98E2NWbwoh2a/ALE/bNFV3QhWTtwtGPuaUdQLzTeCrnZaGwkG7rBZ
zjPNtkOLgP5GhDM85dxxTgLGVCEVjCTCA4dNp65zeo14psPi4G5k6YzDusUN
x7jEb/QL5465lsIocbPQBFlsBNpc8oSTDhOno0n9qKV6ikP7PP84CW3ny/Mn
yc6XZ+OEA5akHKDdEbLQ+o8SYyVuwkbZ87TF/UN2sDHKc4oA1hSzJ/VWxjBO
C05TAkoFg39VTxICl+PzTfjA1JdElBeJWptT4KHoYg0NzhicNK6/oadIm218
m5AagyfS87R2+EZrDI0twKN2Omrvo82rJK7Y1da/Hm12Snt3aFQ70FQ+s1N/
GBuUEVyq8iw6TShX1R051yRxR5nYcxC4Gbp49pNX704+vD36DGaxfMJ0Nuyw
iOewuS2HKOWXKqH1rU6b1YunynhCeQgxl+XDdV2/TEannz++OgIdmD8QQAyD
rLw9+tMg+fT5mJfp88Hp4ZujUzNyzbxkTwhX6Tq9jGUc8SQcAm5b7atswJye
nqfj65fJ4XKMcF0w2V8/fnz9p4O3FO2+FhhFXa2UcdqG7AXCmCRnjb8GnajE
1M6T0eFHTCLikFItkwqA0h9KFFle8WGHOQjsGnOsSDfgrnys1LCUDAqyLXXR
SUsQUqMFNJKHtbg5AvtnEBGs85ky/YpKxwMCwxwXc1FlHQeKeA9Ak0jrQB2a
5QaKfqq9BdsZR11IhlaRQn+GkhSoSr4UloP5TnR3Fyr01VL4FvNR+YLT8oVB
j4tDKK3vtBlPZNtiw5l9D+1DMB7n42RE+t3WFf0Q4D/Y80K4R4SavLoqHSFa
/NNDoljvcj6s1zTOcifGvYaqCULNMZP3z1F3An/tjyzqAb5nhE8cGkppo4BQ
o7/PY1BrFYdSvaQAKNMJeBCd9CLWku8DIj2QKCFqwwJn7rUcxNSXeiyLqq8J
ZRL8MH5a9L31dBAhzeschb5foyl1n4lbVsDqYoooSBxJ15U1nvgkpFY2E0c6
qFWvVXooe8BnFF+YgmelBq6fqpjU5RwjM/oD47AwksowgmaRzLpOBar3ANhI
gYV5SXywjLVAm5HuYdsIxqEFBSPLW/sHIV1FhV0cBgEe0b4iVG3K8BKFvLFY
OOhe7AVV2+pDjUOUtYFHjmOyWIV4JoHPCLsOowHx2FZjOHFv0H64M3c/uDMJ
NJRduDN3P7izZCXcmVsDdzYcDhMUrh4BkbPKiBN6+11QEDnBTDIqsAa+mORf
mO6LYVESOuGNQAWLN6OOyz6icnXnXZRrm19Kg+nVFdBOK6BtkAZ3+4f647gm
zqvTbCNyFbOs6OPBGHJpYYYotvEliisxVMJUkQFJNjw9l83RFDPG0prydP9I
OuC6zE/0FkwkgQJZDKE4rE2L9Pk0ASWJmAppNZEkHzh1E+uaKeQyotyIPxLo
nY4G2oTL4HUqKJXQplnUg2jgWFlqJjYI6Rd0PxUtNNmcI1l6+AiX2F9TA8k1
q8PQcZ++5grLhjlHMDaBeXfqK4SV6i4N7RIYdPRfEo+UAG51win7UBZziiDR
RfTBpyIuOXVQm5xgMN9xaibyZX8kIkknHQWkLbFAAPzXf/1Xkqb1zaULd21i
4HEr6fzzOjpOm9E52XIIeb8zoPrzNf/Az44/fVt3Gf4u193ccd2NS34aRv/8
1L6k/buDlzPWmSRcd8YCv4uTUMcCz5DH/LTqHdHvzsxx5VT1d3sx3P5vlq7b
F7d+79w6TkJQo+9W83vnXkoiUqrvudf+TjffuTnecNqwPdo3XCvjfUM8fBt2
PVt7tm4h+ccoPQiuVQtwV2/GusH+f8L2tV637pXfMKKEwH8vtQ4gyoXyK7Ru
lb4llNkkGSoIL3MnOSdE9N9Cylrv0vQRvay2vrkzlDf/R4l+nFzVbdJd9Xvn
5vqOm+v2zXeR7re7aTSJCFwUfaHvdSsgg+qn752VA4qy3Sx9791Nrb30fTdt
tunbjGBwL0L9xilXQtnfkvfsc/dT6Pxz4zpjvffSrZnIaYuyE09TWPTZYper
1ksIqf+O+LldPmofHb833IU6rdy1Cet2aKRw5913z7o7lnsR/oqROIYPjiJ0
++17aQU2EEg6+SnZyG82ep5Pe4yAMqFypO5c0vcuTsWYTkGjBvW5cTwiTFAg
QVl2l7r1uzNyszN0/sdcgIOMNOXfdS+Pf29PK9nQ38M6sGcC63kG4dcB/umb
NFKzQ4IWDibDUJRKwRYm5xlolSOvVY5Eq8T/IqBweM+W6tryCDDKS3KBtmu1
Wn4TrjXBKge6j5FgKOx4RU7uUCKcxl6SlgWlVr1zZGoFRZhc0UbTidXrSEFT
f6hR3iWTI9oBeoJ5Iub9szM6piWJpzh6kdkkybVBsD2bzOhtB1CNydXP6znN
LpoB/ubkiyq/vGowhXJtCdmpKQyoEylKItjkcl7CLAXKznc4LSTllG0QchHv
B2UdrZB0Utvmnc6kQ2g1RhoKCWzxIRwlhBSjIozURfJu08u7LTl1oRAqNqw1
NkcwORq0lcAV2WB4cH3ZQeNbE1IWhMBy+mwS7neotQpRdvaqLNdBfyJjPXBx
EiO1YEo4B0QcvASXyI0tyHIS42hdUgPNBi0y+K/2fdNKUQM0So2Q8GuOhGqn
VO+uO6QS4a8PggdvSG8Rz7icVfJZdLgAvIiNS1NVTMY25ixpNhdneP91kbJb
VKqA1ns7DN4blftEHo+QbWWyO/18pPS9F8jNrekczJ4RKZe+pES6UiHQ8ZxL
aYqFCVkQFp9U8JLpvEuIHyaPCJ1aphGOhyR0RAYU3fNFBYrlxrAhFqUvr+sF
Rcwz9yG7HbED+pQ60fh0Qwyz8EjeZstfOL9IMW0FdlLgoMFA/5JjSEay1ccp
lhyVxhc28J3Un2/vCmnZzOLv3x0X8yiu+HQpuXRUX+P3ItcOTnMCH4QzQklA
Ukvq+DT7EkvcAcx5G2FXySNN5xhbh5mpEuUkFV8J2X1rzF46RaI0EuKiOAzC
J+V45AFrmBRf5IIaAlPUYLFNVaUeKDJ0F0CASSox4JbN0BeCMTOGs2MOrfNt
38d0KXuOOYLrI4zUGeG1LTKlDgmYohn7QbBBgvLmVncE1/I6PGobrLvJpuzR
Fv9l13KLOhMY4UZX8B7L5RH/5usj8bjJd2/13Gq3iO80TXW4md8ZIefQ1bB9
OkL+CNczZOUZT0nEbTQ13OmfJONs9YD5fuXhZ6yD/tbn2JoWUEjzm/bM9/pm
Hgw9FI6wwaUxtf07wFBb9e721bDT1nS710bLcobuRL99SRmd9R/yKOllZkzt
H1pZwYn9rbfHxCwPU63gflTduul+pB2/V9bgx97buul+7+0hxPdsk92HCqNL
k829kPOx9UMkaBJtW5RztvMbyPAf9bi/n0UE7fC3P0P21bgEPEVvXoIus9Mh
j3UH4+99zN07tvsj1LpyOLs/Mqu/fzh3rc49hxNbA8lmW6e730nGxjtHMYJe
skkWDvf76RtL7Ej8Kel5aondwOHin+Ffj3/W1kIt4yBuMNSxJlBvAU0uOUad
2Ash9AZ8NDUbDb5qkDyOigJRb6KcObzMiH4ytTDMHjgXRey4v9neM608JkXz
s2akwzjs8QGdkQfggtm6ahCkGuKzH/OzI6icsnLdbmCSr+R1NTEnyOaQ+lua
u4ddGjhtOoClvqzymVwyq2m2S3gImYfNi5SaoKI9UuPLpOitFepDc0rhcXDk
XvkNo0VTDW4quFUU5lHyW8g68tADZG6tBGNydowpPYTdNbRaozcHj4fchL1T
lmO6m3pjD2dUJ7uYBNSZOkeU89oYW5pKh/uLBAbG/1Ps5pqAwSBFERQqxUp2
mDomUIa5SlIq5ZTCXK8IccJFgLGhgA8DwuILYJOnTqblLVKpoCP5ReUOH01Z
UnUn+0Yq0PrZheGpsKCuCrj8kdtO1l8Mfcf+zJRqy9kw3aDmeGHixgDAdHd2
XgTHGiOKSw7Oh2tgAB8KTV8l8xTdmbwIDOGKrjj2aSBmRm3bLkrxpCe2Cv0A
8bQQfIGBpoa+YtzjtfOUbX3PWq8PlSeg8qEFErF9J2h57RXQmIjfOnyrgReK
MOJDIxb2dqxAibeNvxmOjnvs8gkG+4za68XFE91Ge9HvKzpDrc4+Yd+Madm0
FuHSZEONK37rFFOIXSgwHFCtBrlLLhj2kzp4ESAOg78o3Q1rNM+1UsR9jNEw
qbZnepsuaykfXMwZcwiLfLLsDiROhdJUDOaDTyeIrowGP/lbLRvwqJziPUp9
4yJK2+p/A7nFnFYjlJcICmIepAPoTweFVY/g1+jERGjBKKs6TVulKRrlZ0s7
hVJ9U7U0WI3BQzveMDTaGsbnLYLP1lXZZVpNKE0KbkFnwowKJlstmFHqIQ8m
qCNb08GSSFBNg5csrzy8wAKUnC/bfQVo46syFMZ7slDsfp+RCJRzSek/Tvp5
cGFOrRmaAZRB/LS2nbgvE7xYTJ0+TB3X8n14iXBvODRVOa8I/kSg+ogriQBz
WhNosCtWYo9wbyCuSfSVQWMun+J2bex/zy8yLL0kiuAs7zRgm6x+vkYitJ6D
0mQW+BxbY0vNODjlzpdTA0eG8zwvPeZWBAeGlIMMSuobg4QUAANxk3OoXzyq
Ec5x97pjFG05d22V2XFrbmzcwOOa5dgSuXaG+9uObpVqcdLdgVNEYySrAObh
2vYxhRtqxpmeIKAjUweWloYSgoU09gMpZ1YNOelNmk9RZWUgfqFZGb1kS8IB
vUhFqWCUkUnmZiWDhEiDME2L1zBTLenUeOaZjEFMKcz4BdDHtgI3twBv1hAd
VwZRwz/EIYuPHUKXn2fiUJSzxHMCVnCOcIyIbcpI5hUuBwxm4CxN5oJdy50v
zynb/wKWXalF7iJodEHEn+eEV+5mBDZgK/SkrlVAhFi9ocJDDciNr/LsJkC8
4M5OYZ0WMFKUCNj/I54haC3w3/piKXZCe90QbT6j12EN2iCZwGEnJD7ftFQi
KqHaguI6iwsBAc2WCgiP5XuOc9i0nXlJIsCrZVExYqc7iIWuDsjr4pSVHqCY
JEj5quRfx+kzjIR22vCQSJ2sVWJzVcYrGbJlBb9jdu6rG2etZqaYwGva0kgt
FnVL4RAEWZqOG9nXIbsRWx9X+WVecEpvC/29HXfJK9cesm9Kl1E52Iqma9pT
KLHtbXh0rWZyIUO82yjVMxGK9fkGNoSy3XDNAbcH64DNiiqkIpWaFsR45RIa
xJh9KOdTXUtVBAzBYQdr7l9ObbHMc6gjaCt5vZW4fqeGd6g9W2d4ikDCIo2y
2W0T2bvZ5aiDEYgD1fBhATE2kCG5QAK+pSJniHCDHXMHhDJxqfj/4US1mRDR
ttSuM8pSoGObcN862dpFypf7N9x90XT/vH+vWQUhuDCp9nf2mPUJ96uT7LVh
JDV/iNq+kijLECjJdVvAYsXh8fHOLvJ/+vS4pUzGCdXSydLRpU9o8ejj01Uq
KN+gUXvde5T21669o8He03oT41RoQbE6W5qocSvQK/3mYvG26E5pKAZMvKYO
MlLWlwWgOhlqRhgIDzpn6NsWKaFWbygCo//FGhoKicQKlxI3SSOYlNUda8xh
DFaIPZLm4NAMUFKQuvrkiS46EkiLX4D8qTn3vCiHmFgcI9GlgqHpMRgrtGcE
bQVdXFyqGWnDAq+3aVyFXMMr7baY4ynWsq9HJ0YQ2SScqIIG9Pqc8i2bvMA1
R4a3YH6vmnjS5A5NcvSmKC3T/L26RqFedAsEtAsX0C66sE68HHMscxbUfy47
LkqW6D6XwnFba5XrPH39VRbg6PCNNtnT16WhhxQtv4M98/AA5SxvkKA2Jlcb
ovUKGJv2POUckSEplTxVRyz/c9ZUS+mvntTLAn4AuRo1iFTGiO/nDA+UUfP6
mhuU4wpKlTy1S9TJISfDi0ThR+5wfMR2GdgbM4KC6BY6mlKpDm1HRXnCMJHG
iYnY4o11dSouWNQqpv3LV9bnDcQ20Eg55Q4IWm/kEPBlVv8th8zpvesJP/TQ
/QF6ttk/q4jS3UFiyT1JzK0kMREXq3jajvK0gQt82nNVr/Iw+MlqHt1WDxg2
KzynxZ09qEere7Fp5Ex6KivWnTkNyLExUz8lPKSS7rrOrqA/d4x/LblVetJW
Ux4BFIsFx/2ZGe44wgYaZ+r5rJslnxSxGV4QYguaPktg3+cIwiBGOSZ+IKo4
5cB51aot3xAR9FZ6KIbVcZS9lhK4EdmspF8eUHxlmWBHn+Gh7wr3FkjWA3ts
nhQXqlNuAVu4gCUMx/l+VW58PLTdYwtazqRm1XU2O8dWRL7VH9EADY+8MjfZ
xDS4G0h6C3ZrQMZOdVPcmZy6eHFD4oz0RHbuIRzcUlU7rPYTZGgDBObuqrJb
gcnHuaGsTZgZEU6aNhLPG9lco1YO2u4+xeRwJwcfDlCTyslBRS5WTqRqGWfy
ba82KkipILPZoics5e11JesP63swcY9t5/wGJXs7ezSS0afkxc7OcPfF0+Dk
4F7JeRGQswae60cdpVR5pSHg07TLz9evo0/yWHMZKQmIDo8LHbczQjZrm9lp
Wq9/ujgYAui2UphbdavoLQXY/4uKzErsipOMsLwUG5gS7F3YKQcbe3jwh09I
aIfv4b9odRGfZuy6XOHj4r6XamC6mOx9cpjvwSEdwsWiFvAQbUA+4f67lD/p
T6c5h/rcYWgGaTvycinswIBmOalxxAZAHES7ITAFAoDEN3W1ZQWcjMr+6ZRG
DZw00c1P1fjG1Auk3jcK4lDPV2fWjcMnik5puhzaqGCcktgDcekjS07wEGsE
6tBEWjo7/dQY9sO3ovcA25RrPanS24J5GVMMH5Gnzw79k+AzxllMwJaQlm2I
CqG7+NO+28fURfMYhDChVzH0K2bPasQsl/YBWMT16fPb5Hc6i038jBGxQfIr
fDp5+36QvIMPT3f3YK3gw8YGIg5QgS9C7DhuH+rbHLHuLvGMACNuEEyjJccq
BE4a/F0i89jkKsstg1lufhR7fqD5rVs4AzJI2e7ouXJHgXq8M6BFBC5pBwk3
BiE5aYBTjvHPFS07zFAGsROqDxBcczpEd6FCKChCIena0gSLga/h5slfgJx8
81XaVaS/eFN3d14kb19hnF0ythmEIVjmRKP+COnDCVmGmC316Sa/SJyygWNf
0e+kvIAn9O9dnJfeaVXlEXeR7SVWlY26WUUGniati+sNn8zQ2QazSdbEcwZs
BPx4eJHOctQNhE3sJ5oWMOBPj188wcSNgZQkJ6y0AfcYKnpWlD3AKn4RUOdb
qBNJMFDQQ+T/iDshGoag3RQsJ4pQYPpZkuU6znIdBXT1ywAXAMd9j+kaQmkk
XzxPP/zDO8xfYOhpmyGh0G1IV8YZi2tOXlTFeNl3fkKPHxt5K/GbQO+c2swK
iNyw80Iwoo8klwZvZt+poW2kp8uCAPuoCR9pSjyvU3teIzjqTqc+yptQ6H2C
l06rkGkScvURw1usEGNbancdbWDHr6baLC8U2QsvSp7TlaI5UT9u4S8xG7fM
H9S+wKcfkjDmTezn1EFl0hSiIeeUH4GGjn8Rii1BoQCjI7IwjRD9w2lzB5E8
eUPKEoUcOKqVOiPOGYaWwjUgYhHOmSw+Pbe9Ki/q6xUYb40S/Cqkas4yCueB
7TuJk1Goh/qcs8YTmgziGgf7RL4XLWCSLtm2yOtgN7j72g0pxcd4+VI+PGYt
gA82Pr0jJ7hhqrPwwTvS6jo+dCOOWQ92SuyIuOczKCS4wLVQcFKpv/xSW45x
uEcUT2JfZmCgApUVhpAZIwLHrXDFrVI1xvtaqQD6MDdH1hRkMTKnkpY5RRhJ
vkxOTfsWaWiB3P8GwpDb0YhuAQA=

-->

</rfc>
