<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-jose-hpke-encrypt-22" category="std" consensus="true" submissionType="IETF" updates="7516" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Use of HPKE in JWE">Use of Hybrid Public Key Encryption (HPKE) with JSON Web Encryption (JWE)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-jose-hpke-encrypt-22"/>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author fullname="Aritra Banerjee">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>London</city>
          <country>United Kingdom</country>
        </postal>
        <email>aritra.banerjee@nokia.com</email>
      </address>
    </author>
    <author initials="O." surname="Steele" fullname="Orie Steele">
      <organization>Tradeverifyd</organization>
      <address>
        <postal>
          <country>United States</country>
        </postal>
        <email>orie@or13.io</email>
      </address>
    </author>
    <author initials="M." surname="Jones" fullname="Michael B. Jones">
      <organization>Self-Issued Consulting</organization>
      <address>
        <postal>
          <country>United States</country>
        </postal>
        <email>michael_b_jones@hotmail.com</email>
        <uri>https://self-issued.info/</uri>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>JOSE</workgroup>
    <keyword>Hybrid Public Key Encryption</keyword>
    <keyword>HPKE</keyword>
    <keyword>JSON Web Encryption</keyword>
    <keyword>JWE</keyword>
    <keyword>JSON Object Signing and Encryption</keyword>
    <keyword>JOSE</keyword>
    <keyword>Hybrid</keyword>
    <abstract>
      <?line 115?>

<t>This specification defines how to use Hybrid Public Key Encryption (HPKE) with
JSON Web Encryption (JWE).
HPKE enables public key encryption
of arbitrary-sized plaintexts to a recipient's public key, and provides security
against adaptive chosen ciphertext attacks.
This specification chooses a specific subset of the HPKE features to use with JWE.</t>
      <t>This specification updates RFC 7516 (JWE) to enable use of
Integrated Encryption as a Key Management Mode.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-jose.github.io/draft-ietf-jose-hpke-encrypt/draft-ietf-jose-hpke-encrypt.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-jose-hpke-encrypt/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        jose Working Group mailing list (<eref target="mailto:jose@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/jose/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/jose/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-jose/draft-ietf-jose-hpke-encrypt"/>.</t>
    </note>
  </front>
  <middle>
    <?line 127?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Hybrid Public Key Encryption (HPKE) <xref target="I-D.ietf-hpke-hpke"/> is a public key encryption
(PKE) scheme that provides encryption of arbitrary-sized plaintexts to a
recipient's public key.
This specification enables JSON Web Encryption (JWE) <xref target="RFC7516"/> to leverage HPKE,
bringing support for HPKE encryption and KEMs to JWE,
and the possibility of utilizing future HPKE algorithms.</t>
    </section>
    <section anchor="notational-conventions">
      <name>Notational Conventions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>This specification uses the following abbreviations and terms:</t>
      <ul spacing="normal">
        <li>
          <t>Content Encryption Key (CEK), Header Parameter, and JOSE Header,
as defined in <xref target="RFC7516"/>.</t>
        </li>
        <li>
          <t>Hybrid Public Key Encryption (HPKE), as defined in <xref target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>pkR is the public key of the recipient, as defined in <xref target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>skR is the private key of the recipient, as defined in <xref target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>Key Encapsulation Mechanism (KEM), per <xref target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>Key Derivation Function (KDF), per <xref target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>Authenticated Encryption with Associated Data (AEAD); see <xref target="I-D.ietf-hpke-hpke"/> and <xref target="RFC7516"/>.</t>
        </li>
        <li>
          <t>Additional Authenticated Data (AAD); see <xref target="I-D.ietf-hpke-hpke"/> and <xref target="RFC7516"/>.</t>
        </li>
      </ul>
      <t>This specification defines the following terms:</t>
      <dl>
        <dt>Key Management Mode</dt>
        <dd>
          <t>A method of determining whether a Content Encryption Key (CEK) value is used
and, if so, what CEK value to use.
Each algorithm used for making these determinations uses a
specific Key Management Mode.
Key Management Modes employed by this specification are
Key Encryption,
Key Wrapping,
Direct Key Agreement,
Key Agreement with Key Wrapping,
Direct Encryption,
and
Integrated Encryption.
Of these, only Integrated Encryption is defined by this
specification; the remaining modes are defined in <xref target="RFC7516"/>
and are included here because this specification replaces the
Message Encryption and Message Decryption procedures
of <xref target="RFC7516"/> in their entirety.</t>
        </dd>
        <dt>Integrated Encryption</dt>
        <dd>
          <t>A Key Management Mode in which the plaintext is directly encrypted
without the use of a Content Encryption Key (CEK).
This mode corresponds to the Single-Shot API defined in
<xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>, which is used in
cases where applications encrypt only a single message to
a recipient's public key. This mode is appropriate when there is
exactly one recipient and no separate content encryption algorithm
is required.</t>
        </dd>
      </dl>
      <t>The definition of Key Management Mode above replaces the one in JWE <xref target="RFC7516"/>.</t>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>This specification defines the use of HPKE in JWE for two Key Management Modes:</t>
      <ul spacing="normal">
        <li>
          <t>Key Encryption, and</t>
        </li>
        <li>
          <t>Integrated Encryption.</t>
        </li>
      </ul>
      <t>It specifies the Integrated Encryption Key Management Mode and registers the
corresponding JWE algorithm identifiers for both modes. Distinct JWE algorithms
are defined for Key Encryption and Integrated Encryption
so that they are fully specified, as required by <xref target="RFC9864"/>.</t>
      <t>Test vectors for all algorithms defined in this document are provided in
<xref target="test-vectors"/>.</t>
      <t>When the Key Management Mode is Integrated Encryption, HPKE is used to directly
encrypt the plaintext, and the "enc" header parameter <bcp14>MUST NOT</bcp14> be included.
This specification updates the definition of the "enc" header parameter in
<xref section="4.1.2" sectionFormat="of" target="RFC7516"/> to require that it be omitted when Integrated
Encryption is used.</t>
      <t>When the Key Management Mode is Key Encryption,
HPKE is used to encrypt the Content Encryption Key (CEK).
In this mode, the "enc" header parameter is used as specified in JWE <xref target="RFC7516"/>.
The HPKE AEAD encryption function used internally by HPKE
is distinct from the JWE AEAD algorithm specified in "enc".</t>
      <t>In both Key Management Modes,
the HPKE key encapsulation mechanism (KEM), key derivation function (KDF),
and authenticated encryption with additional data (AEAD) encryption function
utilized depend on the JWE algorithm used.</t>
      <t>HPKE supports two modes, which are described in Table 1 of <xref target="I-D.ietf-hpke-hpke"/>.
In this specification, both "mode_base" and "mode_psk" are supported
for both Key Management Modes.
When the "psk_id" header parameter is present, the HPKE mode is "mode_psk";
otherwise, the HPKE mode is "mode_base".</t>
      <t>JWE supports two kinds of serializations:</t>
      <ul spacing="normal">
        <li>
          <t>the JWE Compact Serialization described in <xref section="3.1" sectionFormat="of" target="RFC7516"/>, and</t>
        </li>
        <li>
          <t>the JWE JSON Serialization described in <xref section="3.2" sectionFormat="of" target="RFC7516"/>.</t>
        </li>
      </ul>
      <t>Certain JWE features are only supported in specific serializations.
For example, the JWE Compact Serialization does not support:</t>
      <ul spacing="normal">
        <li>
          <t>the JWE AAD value conveyed by the "aad" member,</t>
        </li>
        <li>
          <t>multiple recipients, and</t>
        </li>
        <li>
          <t>unprotected header parameters.</t>
        </li>
      </ul>
      <t>Key Encryption can be used with a JWE AAD value
when using the JWE JSON Serialization.
Single recipient Key Encryption with no JWE AAD value can be expressed
in the JWE Compact Serialization.</t>
      <section anchor="encapsulated-secrets">
        <name>Encapsulated Secrets</name>
        <t>HPKE encapsulated secret is defined in <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>.</t>
        <t>When using Integrated Encryption, the JWE Encrypted Key of the sole recipient
is the HPKE encapsulated secret.</t>
        <t>When using Key Encryption, each recipient's JWE Encrypted Key
is the encrypted content encryption key, and the value of header parameter "ek"
is the base64url encoding of the HPKE encapsulated secret.</t>
      </section>
    </section>
    <section anchor="integrated-encryption">
      <name>Integrated Encryption</name>
      <t>When using Integrated Encryption with HPKE:</t>
      <ul spacing="normal">
        <li>
          <t>The protected header <bcp14>MUST</bcp14> contain an "alg" value that is
an HPKE JWE algorithm using Integrated Encryption.</t>
        </li>
        <li>
          <t>The "enc" header parameter <bcp14>MUST NOT</bcp14> be present.
This is because no separate content encryption algorithm is used in this mode.</t>
        </li>
        <li>
          <t>The protected header parameter "psk_id" <bcp14>MAY</bcp14> be present.</t>
        </li>
        <li>
          <t>The header parameter "ek" <bcp14>MUST NOT</bcp14> be present.</t>
        </li>
        <li>
          <t>There <bcp14>MUST</bcp14> be exactly one recipient.</t>
        </li>
        <li>
          <t>The JWE Encrypted Key <bcp14>MUST</bcp14> be the encapsulated secret, as defined in <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>The JWE Initialization Vector and JWE Authentication Tag <bcp14>MUST</bcp14> be the empty octet sequence.</t>
        </li>
        <li>
          <t>The JWE AAD <bcp14>MAY</bcp14> be present when using the JWE JSON Serialization.</t>
        </li>
        <li>
          <t>The HPKE aad parameter <bcp14>MUST</bcp14> be set to the "Additional Authenticated Data encryption parameter" value specified in Step 15 of <xref target="encryption"/>.</t>
        </li>
        <li>
          <t>The HPKE info parameter defaults to the empty octet sequence;
mutually known private information (a concept also utilized in <xref target="NIST.SP.800-56Ar3"/>)
<bcp14>MAY</bcp14> be used instead so the application can include it during key derivation.</t>
        </li>
        <li>
          <t>The JWE Ciphertext is the ciphertext from the HPKE encryption,
as defined in <xref section="5.2" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
      </ul>
      <section anchor="int-algs">
        <name>Integrated Encryption Algorithms using HPKE</name>
        <t>The following JWE algorithms using HPKE are defined for use with
Integrated Encryption as the Key Management Mode:</t>
        <table anchor="ciphersuite-int-algs">
          <name>Algorithms using HPKE for Integrated Encryption</name>
          <thead>
            <tr>
              <th align="left">"alg"</th>
              <th align="left">HPKE KEM</th>
              <th align="left">HPKE KDF</th>
              <th align="left">HPKE AEAD</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">HPKE-0</td>
              <td align="left">DHKEM(P-256, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">AES-128-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-1</td>
              <td align="left">DHKEM(P-384, HKDF-SHA384)</td>
              <td align="left">HKDF-SHA384</td>
              <td align="left">AES-256-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-2</td>
              <td align="left">DHKEM(P-521, HKDF-SHA512)</td>
              <td align="left">HKDF-SHA512</td>
              <td align="left">AES-256-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-3</td>
              <td align="left">DHKEM(X25519, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">AES-128-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-4</td>
              <td align="left">DHKEM(X25519, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">ChaCha20Poly1305</td>
            </tr>
            <tr>
              <td align="left">HPKE-5</td>
              <td align="left">DHKEM(X448, HKDF-SHA512)</td>
              <td align="left">HKDF-SHA512</td>
              <td align="left">AES-256-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-6</td>
              <td align="left">DHKEM(X448, HKDF-SHA512)</td>
              <td align="left">HKDF-SHA512</td>
              <td align="left">ChaCha20Poly1305</td>
            </tr>
            <tr>
              <td align="left">HPKE-7</td>
              <td align="left">DHKEM(P-256, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">AES-256-GCM</td>
            </tr>
          </tbody>
        </table>
        <t>The HPKE KEM, KDF, and AEAD values are chosen from the IANA HPKE registry <xref target="IANA.HPKE"/>.</t>
      </section>
    </section>
    <section anchor="key-encryption">
      <name>Key Encryption</name>
      <t>When using the JWE JSON Serialization,
recipients using Key Encryption with HPKE can be added alongside other recipients
(e.g., those using "ECDH-ES+A128KW" or "RSA-OAEP-256"),
since HPKE is used to encrypt the Content Encryption Key (CEK).</t>
      <t>When using Key Encryption with HPKE:</t>
      <ul spacing="normal">
        <li>
          <t>The "alg" header parameter <bcp14>MUST</bcp14> be an HPKE JWE algorithm using Key Encryption.</t>
        </li>
        <li>
          <t>The header parameter "psk_id" <bcp14>MAY</bcp14> be present.</t>
        </li>
        <li>
          <t>The header parameter "ek" <bcp14>MUST</bcp14> be present and contain the base64url-encoded HPKE encapsulated secret.</t>
        </li>
        <li>
          <t>The HPKE aad parameter defaults to the empty octet sequence.</t>
        </li>
        <li>
          <t>The HPKE info parameter is set to the value of the "Recipient_structure" defined below.</t>
        </li>
        <li>
          <t>The HPKE plaintext <bcp14>MUST</bcp14> be set to the CEK.</t>
        </li>
        <li>
          <t>The recipient's JWE Encrypted Key is the ciphertext from the HPKE Encryption,
as defined in <xref section="5.2" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
      </ul>
      <section anchor="recipient_structure">
        <name>Recipient_structure</name>
        <t>The "Recipient_structure" used as the value of the HPKE info parameter
when performing Key Encryption with HPKE
provides context information used in key derivation.
To ensure compactness and interoperability,
this structure is encoded in a binary format.
The encoding is as follows:</t>
        <artwork><![CDATA[
Recipient_structure = ASCII("JOSE-HPKE rcpt") ||
                      BYTE(255) ||
                      ASCII(content_encryption_alg) ||
                      BYTE(255) ||
                      recipient_extra_info
]]></artwork>
        <t>Where:</t>
        <ul spacing="normal">
          <li>
            <t>ASCII("JOSE-HPKE rcpt"): A fixed ASCII string identifying the context of the structure.</t>
          </li>
          <li>
            <t>BYTE(255): A separator byte (0xFF) used to delimit fields.</t>
          </li>
          <li>
            <t>ASCII(content_encryption_alg): Identifies the content encryption algorithm
with which the HPKE-encrypted Content Encryption Key (CEK) is used.
Its value <bcp14>MUST</bcp14> be the "enc" (encryption algorithm) header parameter value
in the JOSE Header.
This field provides JWE context information to the HPKE key schedule,
which ensures that the encapsulated secret is bound to the selected content encryption algorithm.</t>
          </li>
          <li>
            <t>BYTE(255): A separator byte (0xFF) used to delimit fields.</t>
          </li>
          <li>
            <t>recipient_extra_info: An octet string containing additional context information
that the application includes in the key derivation.
Mutually known private information (a concept also utilized in <xref target="NIST.SP.800-56Ar3"/>) <bcp14>MAY</bcp14> be used in this input parameter.
If no additional context information is provided, this field <bcp14>MUST</bcp14> be the empty octet sequence.</t>
          </li>
        </ul>
        <t>Note that Integrated Encryption does not use the "Recipient_structure" because the JWE Protected Header and JWE AAD are included in the HPKE aad value, which binds these parameters to the ciphertext.</t>
        <section anchor="recipientstructure-example">
          <name>Recipient_structure Example</name>
          <t>The "Recipient_structure" encoded in binary as specified in <xref target="recipient_structure"/>, and using the field values
(content_encryption_alg = "A128GCM", recipient_extra_info = ""),
results in the following byte sequence:</t>
          <artwork><![CDATA[
"JOSE-HPKE rcpt\xffA128GCM\xff"
]]></artwork>
          <t>The corresponding hexadecimal representation is:</t>
          <artwork><![CDATA[
4a4f53452d48504b452072637074ff4131323847434dff
]]></artwork>
          <t>This value is used as the HPKE "info" parameter when performing Key Encryption with HPKE.</t>
        </section>
      </section>
      <section anchor="ke-algs">
        <name>Key Encryption Algorithms using HPKE</name>
        <t>The following JWE algorithms using HPKE are defined for use with
Key Encryption as the Key Management Mode:</t>
        <table anchor="ciphersuite-ke-algs">
          <name>Algorithms using HPKE for Key Encryption</name>
          <thead>
            <tr>
              <th align="left">"alg"</th>
              <th align="left">HPKE KEM</th>
              <th align="left">HPKE KDF</th>
              <th align="left">HPKE AEAD</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">HPKE-0-KE</td>
              <td align="left">DHKEM(P-256, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">AES-128-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-1-KE</td>
              <td align="left">DHKEM(P-384, HKDF-SHA384)</td>
              <td align="left">HKDF-SHA384</td>
              <td align="left">AES-256-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-2-KE</td>
              <td align="left">DHKEM(P-521, HKDF-SHA512)</td>
              <td align="left">HKDF-SHA512</td>
              <td align="left">AES-256-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-3-KE</td>
              <td align="left">DHKEM(X25519, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">AES-128-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-5-KE</td>
              <td align="left">DHKEM(X448, HKDF-SHA512)</td>
              <td align="left">HKDF-SHA512</td>
              <td align="left">AES-256-GCM</td>
            </tr>
            <tr>
              <td align="left">HPKE-7-KE</td>
              <td align="left">DHKEM(P-256, HKDF-SHA256)</td>
              <td align="left">HKDF-SHA256</td>
              <td align="left">AES-256-GCM</td>
            </tr>
          </tbody>
        </table>
        <t>The HPKE KEM, KDF, and AEAD values are chosen from the IANA HPKE registry <xref target="IANA.HPKE"/>.</t>
      </section>
    </section>
    <section anchor="producing-and-consuming-jwes">
      <name>Producing and Consuming JWEs</name>
      <t>Sections 5.1 (Message Encryption) and 5.2 (Message Decryption) of <xref target="RFC7516"/>
are replaced by the following sections,
which add processing rules for using Integrated Encryption as the Key Management Mode.</t>
      <section anchor="encryption">
        <name>Message Encryption</name>
        <t>The message encryption process is as follows.
The order of the steps is not significant in cases where
there are no dependencies between the inputs and outputs of the steps.</t>
        <ol spacing="normal" type="1"><li>
            <t>Determine the Key Management Mode employed by the algorithm
used to determine the Content Encryption Key value.
(This is the algorithm recorded in the
"alg" (algorithm)
Header Parameter of the resulting JWE.)</t>
          </li>
          <li>
            <t>When Key Wrapping, Key Encryption,
or Key Agreement with Key Wrapping is employed,
generate a random CEK value to use for subsequent steps
unless one was already generated for a previously
processed recipient, in which case, let that be the one used
for subsequent steps.
See <xref target="RFC8937"/> for
considerations on generating random values.
The CEK <bcp14>MUST</bcp14> have a length equal to that
required for the content encryption algorithm.</t>
          </li>
          <li>
            <t>When Direct Key Agreement or Key Agreement with Key Wrapping
is employed, use the key agreement algorithm
to compute the value of the agreed upon key.
When Direct Key Agreement is employed,
let the CEK be the agreed upon key.
When Key Agreement with Key Wrapping is employed,
the agreed upon key will be used to wrap the CEK.</t>
          </li>
          <li>
            <t>When Key Wrapping, Key Encryption,
or Key Agreement with Key Wrapping is employed,
encrypt the CEK to the recipient and let the result be the
JWE Encrypted Key.</t>
          </li>
          <li>
            <t>When Direct Key Agreement or Direct Encryption is employed,
let the JWE Encrypted Key be the empty octet sequence.</t>
          </li>
          <li>
            <t>When Direct Encryption is employed,
let the CEK be the shared symmetric key.</t>
          </li>
          <li>
            <t>When Integrated Encryption is employed,
let the JWE Encrypted Key be as specified by the Integrated Encryption algorithm.</t>
          </li>
          <li>
            <t>Compute the encoded key value BASE64URL(JWE Encrypted Key).</t>
          </li>
          <li>
            <t>If the JWE JSON Serialization is being used, and
there are multiple recipients, repeat this process
(steps 1-8)
for each recipient.</t>
          </li>
          <li>
            <t>Generate a random JWE Initialization Vector of the correct size
for the content encryption algorithm (if required for the algorithm);
otherwise, let the JWE Initialization Vector be the empty octet sequence.</t>
          </li>
          <li>
            <t>Compute the encoded Initialization Vector value
BASE64URL(JWE Initialization Vector).</t>
          </li>
          <li>
            <t>If a "zip" parameter was included,
compress the plaintext using the specified compression algorithm,
and let M be the octet sequence representing the compressed plaintext;
otherwise, let M be the octet sequence representing the plaintext.</t>
          </li>
          <li>
            <t>Create the JSON object(s) containing the desired set of Header Parameters,
which together comprise the JOSE Header: one or more of the JWE Protected
Header, the JWE Shared Unprotected
Header, and the JWE Per-Recipient Unprotected Header.</t>
          </li>
          <li>
            <t>Compute the Encoded Protected Header value
BASE64URL(UTF8(JWE Protected Header)).
If the JWE Protected Header is not present
(which can only happen when using the JWE JSON Serialization
and no "protected" member is present),
let this value be the empty string.</t>
          </li>
          <li>
            <t>Let the Additional Authenticated Data encryption parameter be
ASCII(Encoded Protected Header).
However, if a JWE AAD value is present
(which can only be the case when using the JWE JSON Serialization),
instead let the Additional Authenticated Data encryption parameter be
ASCII(Encoded Protected Header || '.' || BASE64URL(JWE AAD)).</t>
          </li>
          <li>
            <t>If Integrated Encryption is not being employed,
encrypt M using the CEK, the JWE Initialization Vector, and
the Additional Authenticated Data value
using the specified content encryption algorithm
to create the JWE Ciphertext value and the JWE Authentication Tag
(which is the Authentication Tag output from the encryption operation).</t>
          </li>
          <li>
            <t>If Integrated Encryption is being employed,
encrypt M
using the specified Integrated Encryption algorithm
to create the JWE Ciphertext value.
Let the JWE Authentication Tag be the empty octet sequence.</t>
          </li>
          <li>
            <t>Compute the encoded ciphertext value BASE64URL(JWE Ciphertext).</t>
          </li>
          <li>
            <t>Compute the encoded Authentication Tag value
BASE64URL(JWE Authentication Tag).</t>
          </li>
          <li>
            <t>If a JWE AAD value is present,
compute the encoded AAD value BASE64URL(JWE AAD).</t>
          </li>
          <li>
            <t>Create the desired serialized output.
The Compact Serialization of this result is the string
BASE64URL(UTF8(JWE Protected Header))
|| '.' || BASE64URL(JWE Encrypted Key)
|| '.' || BASE64URL(JWE Initialization Vector)
|| '.' || BASE64URL(JWE Ciphertext)
|| '.' || BASE64URL(JWE Authentication Tag).
The JWE JSON Serialization is described in <xref section="7.2" sectionFormat="of" target="RFC7516"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="decryption">
        <name>Message Decryption</name>
        <t>The message decryption process is the reverse of the
encryption process.
The order of the steps is not significant in cases where
there are no dependencies between the inputs and outputs of the steps.
If any of these steps fail, the encrypted content cannot be validated.</t>
        <t>When there are multiple recipients,
it is an application decision which of the recipients' encrypted content
must successfully validate for the JWE to be accepted.
In some cases, encrypted content for all recipients must successfully validate
or the JWE will be considered invalid.
In other cases, only the encrypted content for a single recipient
needs to be successfully validated.
However, in all cases, the encrypted content for at least one recipient
<bcp14>MUST</bcp14> successfully validate or the JWE <bcp14>MUST</bcp14> be considered invalid.</t>
        <ol spacing="normal" type="1"><li>
            <t>Parse the JWE representation to extract the serialized values
for the components of the JWE.
When using the JWE Compact Serialization,
these components are
the base64url-encoded representations of
the JWE Protected Header,
the JWE Encrypted Key,
the JWE Initialization Vector,
the JWE Ciphertext, and
the JWE Authentication Tag.
When using the JWE JSON Serialization,
these components also include the base64url-encoded representation of
the JWE AAD, along with the unencoded
JWE Shared Unprotected Header and
JWE Per-Recipient Unprotected Header values.
When using the JWE Compact Serialization,
the JWE Protected Header,
the JWE Encrypted Key,
the JWE Initialization Vector,
the JWE Ciphertext, and
the JWE Authentication Tag
are represented as base64url-encoded values in that order,
with each value being separated from the next by a single period ('.') character,
resulting in exactly four delimiting period characters being used.
The JWE JSON Serialization
is described in <xref section="7.2" sectionFormat="of" target="RFC7516"/>.</t>
          </li>
          <li>
            <t>Base64url decode the encoded representations of
the JWE Protected Header,
the JWE Encrypted Key,
the JWE Initialization Vector,
the JWE Ciphertext,
the JWE Authentication Tag, and
the JWE AAD,
following the restriction that no line breaks, whitespace, or other additional characters have been used.</t>
          </li>
          <li>
            <t>Verify that the octet sequence resulting from decoding the encoded JWE Protected Header
is a UTF-8-encoded representation of
a completely valid JSON object
conforming to <xref target="RFC8259"/>;
let the JWE Protected Header be this JSON object.</t>
          </li>
          <li>
            <t>If using the JWE Compact Serialization, let the JOSE Header be the
JWE Protected Header.
Otherwise, when using the JWE JSON Serialization,
let the JOSE Header be the union of
the members of the JWE Protected Header,
the JWE Shared Unprotected Header and
the corresponding JWE Per-Recipient Unprotected Header,
all of which must be completely valid JSON objects.
During this step,
verify that the resulting JOSE Header does not contain duplicate
Header Parameter names.
When using the JWE JSON Serialization, this restriction includes
that the same Header Parameter name also <bcp14>MUST NOT</bcp14> occur in
distinct JSON object values that together comprise the JOSE Header.</t>
          </li>
          <li>
            <t>Verify that the implementation understands and can process
all fields that it is required to support,
whether required by this specification,
by the algorithms being used,
or by the "crit" Header Parameter value,
and that the values of those parameters are also understood and supported.</t>
          </li>
          <li>
            <t>Determine the Key Management Mode employed by the algorithm
specified by the
"alg" (algorithm) Header Parameter.</t>
          </li>
          <li>
            <t>If using Integrated Encryption, Direct Encryption, or Direct Key Agreement,
verify that there is exactly one recipient.</t>
          </li>
          <li>
            <t>Verify that the JWE uses a key known to the recipient.</t>
          </li>
          <li>
            <t>When Direct Key Agreement or Key Agreement with Key Wrapping
is employed, use the key agreement algorithm
to compute the value of the agreed upon key.
When Direct Key Agreement is employed,
let the CEK be the agreed upon key.
When Key Agreement with Key Wrapping is employed,
the agreed upon key will be used to decrypt the JWE Encrypted Key.</t>
          </li>
          <li>
            <t>When Key Wrapping, Key Encryption,
or Key Agreement with Key Wrapping is employed,
decrypt the JWE Encrypted Key to produce the CEK.
The CEK <bcp14>MUST</bcp14> have a length equal to that
required for the content encryption algorithm.
Note that when there are multiple recipients,
each recipient will only be able to decrypt JWE Encrypted Key values
that were encrypted to a key in that recipient's possession.
It is therefore normal to only be able to decrypt one of the
per-recipient JWE Encrypted Key values to obtain the CEK value.
Also, see <xref section="11.5" sectionFormat="of" target="RFC7516"/> for security considerations
on mitigating timing attacks.</t>
          </li>
          <li>
            <t>When Direct Key Agreement or Direct Encryption is employed,
verify that the JWE Encrypted Key value is an empty octet sequence.</t>
          </li>
          <li>
            <t>When Direct Encryption is employed,
let the CEK be the shared symmetric key.</t>
          </li>
          <li>
            <t>If Integrated Encryption is not being employed,
record whether the CEK could be successfully determined for this recipient or not.</t>
          </li>
          <li>
            <t>If the JWE JSON Serialization is being used and
there are multiple recipients, repeat this process
(steps 4-13)
for each recipient contained in the representation.</t>
          </li>
          <li>
            <t>Compute the Encoded Protected Header value
BASE64URL(UTF8(JWE Protected Header)).
If the JWE Protected Header is not present
(which can only happen when using the JWE JSON Serialization
and no "protected" member is present),
let this value be the empty string.</t>
          </li>
          <li>
            <t>Let the Additional Authenticated Data encryption parameter be
ASCII(Encoded Protected Header).
However, if a JWE AAD value is present
(which can only be the case when using the JWE JSON Serialization),
instead let the Additional Authenticated Data encryption parameter be
ASCII(Encoded Protected Header || '.' || BASE64URL(JWE AAD)).</t>
          </li>
          <li>
            <t>If Integrated Encryption is not being employed,
decrypt the JWE Ciphertext using the CEK, the JWE Initialization Vector,
the Additional Authenticated Data value,
and the JWE Authentication Tag
(which is the Authentication Tag input to the calculation)
using the content encryption algorithm specified in the "enc" header parameter,
returning the decrypted plaintext and validating the JWE Authentication Tag
in the manner specified for the algorithm,
rejecting the input without emitting any decrypted output
if the JWE Authentication Tag is incorrect.</t>
          </li>
          <li>
            <t>If Integrated Encryption is being employed,
verify that no "enc" header parameter is present.</t>
          </li>
          <li>
            <t>If Integrated Encryption is being employed,
decrypt the JWE Ciphertext
using the specified Integrated Encryption algorithm,
returning the decrypted plaintext
in the manner specified for the algorithm,
rejecting the input without emitting any decrypted output
if the decryption fails.</t>
          </li>
          <li>
            <t>If a "zip" parameter was included,
uncompress the decrypted plaintext using the specified compression algorithm.</t>
          </li>
          <li>
            <t>If there was no recipient for which all of the decryption steps succeeded,
then the JWE <bcp14>MUST</bcp14> be considered invalid.
Otherwise, output the plaintext.
In the JWE JSON Serialization case, also return a result to the application
indicating for which of the recipients the decryption succeeded and failed.</t>
          </li>
        </ol>
        <t>Finally, note that it is an application decision which algorithms
may be used in a given context.
Even if a JWE can be successfully decrypted,
unless the algorithms used in the JWE are acceptable
to the application, it <bcp14>SHOULD</bcp14> consider the JWE to be invalid.</t>
      </section>
    </section>
    <section anchor="distinguishing">
      <name>Distinguishing Between JWS and JWE Objects</name>
      <t><xref section="9" sectionFormat="of" target="RFC7516"/> is updated to delete the last bullet, which says:</t>
      <ul spacing="normal">
        <li>
          <t>The JOSE Header for a JWS can also be distinguished from
the JOSE Header for a JWE by
determining whether an
"enc" (encryption algorithm) member exists.
If the "enc" member exists, it is a JWE;
otherwise, it is a JWS.</t>
        </li>
      </ul>
      <t>The deleted test no longer works when Integrated Encryption is used.</t>
      <t>The other methods of distinguishing between
JSON Web Signature (JWS) <xref target="RFC7515"/> and
JSON Web Encryption (JWE) <xref target="RFC7516"/> objects continue to work.</t>
    </section>
    <section anchor="jwk-representations-for-jwe-hpke-keys">
      <name>JWK Representations for JWE HPKE Keys</name>
      <t>The JSON Web Key (JWK) <xref target="RFC7517"/> representations for keys
used with the JWE algorithms defined in this specification are as follows.
The valid combinations of the
"alg", "kty", and "crv" in the JWK are shown in <xref target="ciphersuite-kty-crv"/>.</t>
      <table anchor="ciphersuite-kty-crv">
        <name>JWK Types and Curves for JWE HPKE Ciphersuites</name>
        <thead>
          <tr>
            <th align="left">"alg" values</th>
            <th align="left">"kty"</th>
            <th align="left">"crv"</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">HPKE-0, HPKE-0-KE, HPKE-7, HPKE-7-KE</td>
            <td align="left">EC</td>
            <td align="left">P-256</td>
          </tr>
          <tr>
            <td align="left">HPKE-1, HPKE-1-KE</td>
            <td align="left">EC</td>
            <td align="left">P-384</td>
          </tr>
          <tr>
            <td align="left">HPKE-2, HPKE-2-KE</td>
            <td align="left">EC</td>
            <td align="left">P-521</td>
          </tr>
          <tr>
            <td align="left">HPKE-3, HPKE-3-KE, HPKE-4</td>
            <td align="left">OKP</td>
            <td align="left">X25519</td>
          </tr>
          <tr>
            <td align="left">HPKE-5, HPKE-5-KE, HPKE-6</td>
            <td align="left">OKP</td>
            <td align="left">X448</td>
          </tr>
        </tbody>
      </table>
      <t>Examples of JWKs for each algorithm are provided in <xref target="test-vectors"/>.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This specification uses HPKE, and the security considerations of
<xref target="I-D.ietf-hpke-hpke"/> are therefore applicable.</t>
      <t>HPKE assumes the sender is in possession of the public key of the recipient and
HPKE JOSE makes the same assumption. Hence, some form of public key distribution
mechanism is assumed to exist but is outside the scope of this document.</t>
      <t>HPKE in Base mode does not provide proof of sender origin
as part of the HPKE KEM. PSK mode authenticates the sender
as a holder of the pre-shared key (see <xref section="9.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>).</t>
      <t>This specification relies on a source of randomness being available on the device.
When used, the CEK has to be randomly generated.
Likewise, when used, the JWE Initialization Vector has to be randomly generated.
In both cases, the guidance on randomness in <xref target="RFC8937"/> applies.</t>
      <section anchor="key-management">
        <name>Key Management</name>
        <t>A KEM key pair used with HPKE is intended for use with a
specific mode and HPKE algorithm suite. Using the same
KEM key pair with multiple modes or multiple HPKE algorithm
suites in parallel is <bcp14>NOT RECOMMENDED</bcp14>.</t>
        <t>In principle, such use could be supported by the HPKE key
schedule, since it takes both the suite_id variable, which
encodes the full ciphersuite, and the mode byte as inputs,
ensuring that cryptographically distinct keys are derived
for each combination of ciphersuite and mode. However, there
is no formal proof of security for this at the time of
writing; see <xref section="9.2.2" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>.</t>
        <t>Likewise,the same key <bcp14>SHOULD NOT</bcp14> be used with both HPKE and
non-HPKE algorithms (e.g., "ECDH-ES" or "ECDH-ES+A128KW").</t>
        <t>When using Key Encryption in a multi-recipient scenario, the
security of the content is limited by the weakest algorithm used
to encrypt the CEK.</t>
      </section>
      <section anchor="jwt-best-current-practices">
        <name>JWT Best Current Practices</name>
        <t>The guidance in <xref target="RFC8725"/> about encryption is also pertinent to this specification.</t>
        <t>RFC Editor Note: If draft-ietf-oauth-8725bis has been published as
an RFC by the time this document is processed, please update the
reference from <xref target="RFC8725"/> to the published RFC for
draft-ietf-oauth-8725bis.</t>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <section anchor="json-web-signature-and-encryption-algorithms">
        <name>JSON Web Signature and Encryption Algorithms</name>
        <t>The following entries are added to the IANA "JSON Web Signature and Encryption Algorithms" registry <xref target="IANA.JOSE"/> established by <xref target="RFC7518"/>:</t>
        <section anchor="hpke-0">
          <name>HPKE-0</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-0</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(P-256, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-128-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-1">
          <name>HPKE-1</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-1</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(P-384, HKDF-SHA384) KEM, HKDF-SHA384 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-2">
          <name>HPKE-2</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-2</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(P-521, HKDF-SHA512) KEM, HKDF-SHA512 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-3">
          <name>HPKE-3</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-3</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(X25519, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-128-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-4">
          <name>HPKE-4</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-4</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(X25519, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and ChaCha20Poly1305 AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-5">
          <name>HPKE-5</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-5</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(X448, HKDF-SHA512) KEM, HKDF-SHA512 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-6">
          <name>HPKE-6</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-6</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(X448, HKDF-SHA512) KEM, HKDF-SHA512 KDF, and ChaCha20Poly1305 AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-7">
          <name>HPKE-7</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-7</t>
            </li>
            <li>
              <t>Algorithm Description: Integrated Encryption with HPKE using DHKEM(P-256, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="int-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-0-ke">
          <name>HPKE-0-KE</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-0-KE</t>
            </li>
            <li>
              <t>Algorithm Description: Key Encryption with HPKE using DHKEM(P-256, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-128-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="ke-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-1-ke">
          <name>HPKE-1-KE</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-1-KE</t>
            </li>
            <li>
              <t>Algorithm Description: Key Encryption with HPKE using DHKEM(P-384, HKDF-SHA384) KEM, HKDF-SHA384 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="ke-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-2-ke">
          <name>HPKE-2-KE</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-2-KE</t>
            </li>
            <li>
              <t>Algorithm Description: Key Encryption with HPKE using DHKEM(P-521, HKDF-SHA512) KEM, HKDF-SHA512 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="ke-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-3-ke">
          <name>HPKE-3-KE</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-3-KE</t>
            </li>
            <li>
              <t>Algorithm Description: Key Encryption with HPKE using DHKEM(X25519, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-128-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="ke-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-5-ke">
          <name>HPKE-5-KE</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-5-KE</t>
            </li>
            <li>
              <t>Algorithm Description: Key Encryption with HPKE using DHKEM(X448, HKDF-SHA512) KEM, HKDF-SHA512 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="ke-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
        <section anchor="hpke-7-ke">
          <name>HPKE-7-KE</name>
          <ul spacing="normal">
            <li>
              <t>Algorithm Name: HPKE-7-KE</t>
            </li>
            <li>
              <t>Algorithm Description: Key Encryption with HPKE using DHKEM(P-256, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-256-GCM AEAD</t>
            </li>
            <li>
              <t>Algorithm Usage Location(s): "alg"</t>
            </li>
            <li>
              <t>JOSE Implementation Requirements: Optional</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="ke-algs"/> of [[ this specification ]]</t>
            </li>
            <li>
              <t>Algorithm Analysis Documents(s): <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="json-web-signature-and-encryption-header-parameters">
        <name>JSON Web Signature and Encryption Header Parameters</name>
        <t>The following entries are added to the IANA "JSON Web Signature and Encryption Header Parameters" registry <xref target="IANA.JOSE"/>:</t>
        <section anchor="ek">
          <name>ek</name>
          <ul spacing="normal">
            <li>
              <t>Header Parameter Name: "ek"</t>
            </li>
            <li>
              <t>Header Parameter Description: A base64url-encoded encapsulated secret, as defined in <xref section="5" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
            <li>
              <t>Header Parameter Usage Location(s): JWE</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="encapsulated-secrets"/> of [[ this specification ]]</t>
            </li>
          </ul>
        </section>
        <section anchor="pskid">
          <name>psk_id</name>
          <ul spacing="normal">
            <li>
              <t>Header Parameter Name: "psk_id"</t>
            </li>
            <li>
              <t>Header Parameter Description: A base64url-encoded key identifier (kid) for the pre-shared key, as defined in <xref section="5.1.2" sectionFormat="of" target="I-D.ietf-hpke-hpke"/></t>
            </li>
            <li>
              <t>Header Parameter Usage Location(s): JWE</t>
            </li>
            <li>
              <t>Change Controller: IETF</t>
            </li>
            <li>
              <t>Specification Document(s): <xref target="overview"/> of [[ this specification ]]</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="summary-of-updates-to-rfc-7516-jwe">
      <name>Summary of Updates to RFC 7516 (JWE)</name>
      <t>This specification updates JSON Web Encryption (JWE) <xref target="RFC7516"/>
to enable the use of Integrated Encryption.
The specific updates made are as follows:</t>
      <ul spacing="normal">
        <li>
          <t>Adds the Integrated Encryption Key Management Mode and correspondingly
updates the Key Management Mode definition (<xref target="terminology"/>).</t>
        </li>
        <li>
          <t>Updates the "enc" header parameter to be absent when
Integrated Encryption is used in (<xref target="overview"/>).</t>
        </li>
        <li>
          <t>Replaces the Message Encryption procedure (<xref target="encryption"/>),
adding Integrated Encryption.</t>
        </li>
        <li>
          <t>Replaces the Message Decryption procedure (<xref target="decryption"/>),
adding Integrated Encryption.</t>
        </li>
        <li>
          <t>Updates the methods for distinguishing between JWS and JWE objects
(<xref target="distinguishing"/>)
because Integrated Encryption does not use the "enc" header parameter.</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="I-D.ietf-hpke-hpke">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Karthikeyan Bhargavan" initials="K." surname="Bhargavan">
              <organization>Inria</organization>
            </author>
            <author fullname="Benjamin Lipp" initials="B." surname="Lipp">
              <organization>Inria</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
         </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document describes a scheme for hybrid public key encryption
   (HPKE).  This scheme provides a variant of public key encryption of
   arbitrary-sized plaintexts for a recipient public key.  It also
   includes a variant that authenticates possession of a pre-shared key.
   HPKE works for any combination of an asymmetric Key Encapsulation
   Mechanism (KEM), key derivation function (KDF), and authenticated
   encryption with additional data (AEAD) encryption function.  We
   provide instantiations of the scheme using widely used and efficient
   primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key
   agreement, HMAC-based key derivation function (HKDF), and SHA2.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-hpke-03"/>
        </reference>
        <reference anchor="RFC7516">
          <front>
            <title>JSON Web Encryption (JWE)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Hildebrand" initials="J." surname="Hildebrand"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7516"/>
          <seriesInfo name="DOI" value="10.17487/RFC7516"/>
        </reference>
        <reference anchor="RFC7517">
          <front>
            <title>JSON Web Key (JWK)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7517"/>
          <seriesInfo name="DOI" value="10.17487/RFC7517"/>
        </reference>
        <reference anchor="RFC8725">
          <front>
            <title>JSON Web Token Best Current Practices</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="225"/>
          <seriesInfo name="RFC" value="8725"/>
          <seriesInfo name="DOI" value="10.17487/RFC8725"/>
        </reference>
        <reference anchor="RFC8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="RFC8937">
          <front>
            <title>Randomness Improvements for Security Protocols</title>
            <author fullname="C. Cremers" initials="C." surname="Cremers"/>
            <author fullname="L. Garratt" initials="L." surname="Garratt"/>
            <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8937"/>
          <seriesInfo name="DOI" value="10.17487/RFC8937"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7518">
          <front>
            <title>JSON Web Algorithms (JWA)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7518"/>
          <seriesInfo name="DOI" value="10.17487/RFC7518"/>
        </reference>
        <reference anchor="RFC9864">
          <front>
            <title>Fully-Specified Algorithms for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>This specification refers to cryptographic algorithm identifiers that fully specify the cryptographic operations to be performed, including any curve, key derivation function (KDF), and hash functions, as being "fully specified". It refers to cryptographic algorithm identifiers that require additional information beyond the algorithm identifier to determine the cryptographic operations to be performed as being "polymorphic". This specification creates fully-specified algorithm identifiers for registered JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) polymorphic algorithm identifiers, enabling applications to use only fully-specified algorithm identifiers. It deprecates those polymorphic algorithm identifiers.</t>
              <t>This specification updates RFCs 7518, 8037, and 9053. It deprecates polymorphic algorithms defined by RFCs 8037 and 9053 and provides fully-specified replacements for them. It adds to the instructions to designated experts in RFCs 7518 and 9053.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9864"/>
          <seriesInfo name="DOI" value="10.17487/RFC9864"/>
        </reference>
        <reference anchor="I-D.ietf-cose-hpke">
          <front>
            <title>Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Michael B. Jones" initials="M. B." surname="Jones">
              <organization>Self-Issued Consulting</organization>
            </author>
            <author fullname="Orie Steele" initials="O." surname="Steele">
              <organization>Tradeverifyd</organization>
            </author>
            <author fullname="Ajitomi, Daisuke" initials="A." surname="Daisuke">
              <organization>bibital LLC</organization>
            </author>
            <author fullname="Laurence Lundblade" initials="L." surname="Lundblade">
              <organization>Security Theory LLC</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   This specification defines hybrid public-key encryption (HPKE) for
   use with CBOR Object Signing and Encryption (COSE).  HPKE offers a
   variant of public-key encryption of arbitrary-sized plaintexts for a
   recipient public key.

   HPKE is a general encryption framework utilizing an asymmetric key
   encapsulation mechanism (KEM), a key derivation function (KDF), and
   an Authenticated Encryption with Associated Data (AEAD) algorithm.

   This document defines the use of HPKE with COSE.  Authentication for
   HPKE in COSE is provided by COSE-native security mechanisms or by the
   pre-shared key authenticated variant of HPKE.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-hpke-26"/>
        </reference>
        <reference anchor="IANA.HPKE" target="https://www.iana.org/assignments/hpke">
          <front>
            <title>Hybrid Public Key Encryption (HPKE)</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="IANA.JOSE" target="https://www.iana.org/assignments/jose">
          <front>
            <title>JSON Web Signature and Encryption Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="NIST.SP.800-56Ar3" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, NIST Special Publication 800-56A Revision 3</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2018" month="April"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 976?>

<section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix provides test vectors for each algorithm defined in this document.
For each algorithm, a private JWK, a Flattened JWE JSON Serialization example with
Additional Authenticated Data, and a JWE Compact Serialization example are provided.
Long lines in the examples are folded using the single backslash strategy from
<xref target="RFC8792"/>. Before using a folded example as a test vector, remove the RFC 8792
header and unfold the lines according to that strategy.
The complete unfolded vector set is available as <tt>examples/jose-vectors.json</tt>
in the <eref target="https://github.com/ietf-wg-jose/draft-ietf-jose-hpke-encrypt">repository</eref>
for this document.</t>
      <!-- begin:test-vectors ; see README for regeneration instructions, do not edit -->

<section anchor="hpke-0-1">
        <name>HPKE-0</name>
        <figure>
          <name>HPKE-0 Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "EC",
  "crv": "P-256",
  "x": "qy-BxXhaelX9Fqe8muRTu8HhseHYgMMGxyfAnIy0MC0",
  "y": "ctfHN7Y4pkj7vZI-sgJ6BqsYwG-PDnB8j7TsfzHHJOI",
  "d": "aAKxBMAkNm2AZDGv7LN5yodDwahJ5rKbrgiiz3dUIH4",
  "alg": "HPKE-0",
  "use": "enc",
  "kid": "KfvD-eYaynUKba0ow-v9uoEV-twV6mYDyiAOWO6LoPM"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-0 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTAiLCJraWQiOiJLZnZELWVZYXluVUtiYTBv\
    dy12OXVvRVYtdHdWNm1ZRHlpQU9XTzZMb1BNIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "BNC1LPfAH7I5Fxi7X7lrQLFkdpZcSGoXpBw4FYvCY1wZqAX5\
    3caa-lyNLPHkzwQMAMFHoOoN_TRGSzb2Gw4aDlA",
  "ciphertext": "I0sH6mQa6r-mgLHqI23-wzBmsTULQoNtANiHF_incW5y5BIB7qo\
    0XN3NoOqf1IvH1UEfE1_Tu9Baf6M3z_E9eJK1oDV1Q8A6VnZUnhj0cf2UNQhufoV\
    JOlpbPolLiecxwitIqYKPKfzJmG1uZ7lA0xUAiNPkUR9OSHpLYr9HWAa1DWDbczW\
    OMtFnxCJwd-PfyjX5-5-X6kAcdj5z-Kx4losmN2k7r2T1BUnHNnZlSgcz5nSZBxv\
    KqkXX3xl0Tw9ys--37IJD7UcIFfST6b0PXHzuKSw-attSD_67SRcpcxUTm3nyvtr\
    oYF8sg0ztQLuNkC-gwe7-uxPNO2iBDIypgImhvlTaAEcuHJDtFgU5geIXFMAlMDA\
    g7cSk4ssR"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-0 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTAiLCJraWQiOiJLZnZELWVZYXluVUtiYTBvdy12OXVvRVYtdHdW\
Nm1ZRHlpQU9XTzZMb1BNIn0.BKqUaiyoPbH1jnjApcpjGqswg7npGSSXFcFv1nGaL6YY\
s3S27c8Yi5V5rsds91bV_UjdqzLlj2zuuAPWetLMab8..fO8VQt1DsdgtijGci90sO8s\
Nvws6im8Yko4NnMWXVAM5GaHbHYRSGnjs6M7GnkcaTrEjy8cxDDLZFKTwMdYGOjYBsbT\
VVAoIImVd8tXZNjQswaPU8t8OP1jCwo6iw8t4-Hm6hCE61uzhEd_r9XkN4blHjrcAoCI\
Ccwqn_5lgJCTPQezJtiTAhrtHpC1quPA3aO2Pyhui5CzOtk967IC8v28jq6K7C3mbu-m\
10bo0aWqdybibCiiS5A89PXFWurW83HNnJFdoiqZRTtF4d_OAQ2Jq9FCrahrh43Xqp1z\
3HYjf73_rOHYWXzv8jGorDAKjsPgxYN_9TgGUstjiRIMLj9dJXxqrPkRLQ4VSAzVWCNe\
5MabAR1sFFB5tx_gA.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-0-ke-1">
        <name>HPKE-0-KE</name>
        <figure>
          <name>HPKE-0-KE Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "EC",
  "crv": "P-256",
  "x": "erH26InyPQifTIwmyKs63u4SUzglAHXNm2ZWT2LQ-rM",
  "y": "GTGOC0_TnYc_Cm4dsgY8qdixil7AObs5-Xtk0QJeoH8",
  "d": "MzJOwOcw1LDGZ-Ia6Zz5ay9zWUZKIhXkBcfq0dPA5Do",
  "alg": "HPKE-0-KE",
  "use": "enc",
  "kid": "23i_7tQXiLxih47kQtE2yHy7d8q253Kp9R9i6aDyHng"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-0-KE Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTAtS0UiLCJraWQiOiIyM2lfN3RRWGlMeGlo\
    NDdrUXRFMnlIeTdkOHEyNTNLcDlSOWk2YUR5SG5nIiwiZW5jIjoiQTEyOEdDTSIs\
    ImVrIjoiQkNlSmd0RGZGeVdtTDlJek0yT1Vnd1owWm9tWHVhb3BEcW5fR0JYX2V4\
    N0pENlRyWWpLOUI5R2ZRYWhIamRuTGlsQ2V6WlNSX2NvaUtnVC1IQVhnSlFNIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "iv": "hsc8LLwbgwf33MdT",
  "ciphertext": "vwkACubXsG6xfuEbeZW24DJWq-ZlRExN1uaTyfwaNoCwDaURkrC\
    0Vkc5w9B_KntgOMYvOgAVfSkqkztcRFX-AKIaOKGKYvPAY9ujuQtyA7SFMvaOjma\
    o2XD96LtoeexaYrganCxHvJhjgyRH8xpb_QYVUGdmpjj9r_uNqZVTAuuUlrE87Lb\
    GkNaQuHpRCpYG7JbYHp8Sovnbepy84ORGXkhg7KamMfQQQ_ob5C5aY0g2BBqRgyu\
    NErzDCq3RVVo91ddpGbSys25jlvAbqziBW1YOLIoLoGJDdqbykKzjravg1R1g7QC\
    OpdN0ozcE_oEEHFEyRTilYRkxH_CqV2hxhakqDpGj3Q9qHGigJEk",
  "tag": "Afab-bCOAfBSYJgIsaxxZQ",
  "encrypted_key": "-mXiAU7aot-kdZ8KhWDoM_jXHk6_B5g0vH77u6r49os"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-0-KE JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTAtS0UiLCJraWQiOiIyM2lfN3RRWGlMeGloNDdrUXRFMnlIeTdk\
OHEyNTNLcDlSOWk2YUR5SG5nIiwiZW5jIjoiQTEyOEdDTSIsImVrIjoiQk4xRWI1bVFC\
ZTgyLVRpWTJYc0xjWEhmb3ZjNWFxajRIRW5Ick10aFFoMDhqUDl5Vjd2U3VBZjZuYjNL\
Q3pSUWJmbHlGV2k3bDlrR3BtTm1xaTNYaW1RIn0.lnz6tY7OMgEqr2dUBFLhbRV5SV5N\
nnE75YoGf8fdCdQ.B01l-CsTkWGSh-8o.n33IRmokhNrqtaG5AL9COw-bVmYiPqCLBgl\
udwQF3hyMYuagt4xxbKA2YdLHzgYk4ZCZQRdK5UJJcIKUsBsWNyDYhS0oZVcxq3wXOeG\
6jkEqUCzTU3PS0JeLW8uihm9gSjlW42dKUiYjqXL8kIJuWbCxqYs-Dslm5hfx4u_a06h\
vIRvJjVVQ4eWZMtUo5nIumyyid9qKwFFo_BLXaSxRZ7sa4TSRpu1Qywl8t3HcnnKThFf\
CSc6jIcJ3O9GIFXMDKqzBiciaxjim3xfv6A3qMHmIkF_rTT0dj9qmlolOfZeElX7sseq\
0EpOe9MPwcpFR3mZVUCe74FGUJNj4szJTb8pVgaZ9Yo5rXFKKn9s.MCd0fKMDwsgD6MW\
2XKzWWg
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-1-1">
        <name>HPKE-1</name>
        <figure>
          <name>HPKE-1 Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "EC",
  "crv": "P-384",
  "x": "CTphb4EF35SSZgrk9rYHXkdalQLTGRApFRiAF8eVteQtOIZRbZKV0iEv9eiS\
    ElLT",
  "y": "6KddFD8aAVzoJNq1Jr_4oZ3t7SGZm3qgXMHN7sB_KAlxTydxRaVXArFKQyyf\
    fOj6",
  "d": "UzFpz5G-_kWkiCKWCWdRXFxVoz9fTY4u9I_XmfPoOI7eEf0glEARLbsx06wb\
    1EYu",
  "alg": "HPKE-1",
  "use": "enc",
  "kid": "K4P-SJHnqUpz-qTXlYCBV6ITFu8sH_gsx2KGMEcjk9s"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-1 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTEiLCJraWQiOiJLNFAtU0pIbnFVcHotcVRY\
    bFlDQlY2SVRGdThzSF9nc3gyS0dNRWNqazlzIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "BFX1YGr3AR4szfTMVMWctHh2LGBPFdGdJCfft3QYR0mL-zCe\
    JgZkcYzFlD1EID8dFfDv_YNU8DRmm3qzQ8oMsW4ZA3Qs_iQpaEVj3AOsNWFD-yLq\
    1dt1fF4r6VAufu0unw",
  "ciphertext": "_AB6I_8GkA-U9Il2XFNJ3kBDAJ9P1erWUzWzBFgRFM1NhlkE6ph\
    ABLmhTNc517Vk-YJ0P_7WQqbUnMwgRBQYDycPdhh11ZGvRYI6EjbHXRD8ctVDX_W\
    aWE6RPfY3GxA1Rplh5ZcKYus2Pln1nOseFvC9NEZkuLNLyM8jBVgwq_EQtH1GQlS\
    ZwK8I1TyBOcBtWcXnYqy-XK8Rbj3eifbQESKZPedVqMXcQ03u4xdikZp5aqLJCLm\
    wN16pYTgSzXDW0d0IHPc1tqLF4eUFrFfPokckpe92pP5q1DMetRLP7G46oPLXMBQ\
    8tFd_FxtdVF1mrqV3l2KB-JC6unu9ZWwEBt6s-p1xZ2jjIiqTC0Hy-0pK8YmfOEK\
    j5SKk_re1"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-1 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTEiLCJraWQiOiJLNFAtU0pIbnFVcHotcVRYbFlDQlY2SVRGdThz\
SF9nc3gyS0dNRWNqazlzIn0.BG5NsNBMLw2aHZgcyEGwC2D5L3NQqWp6TCVneiNrWzK9\
OCuIqpZ6mxkTxf-UXtO2BiQjFLSm2GCnPItrjFEjHzTvg_aPUjZVNsSWFhgHseLC40zv\
BvBqhqGyRT1btnzhYw..k283DSyVnTKkfQnB0ngaY03st55x1OBqHLvnvp7VM0jA-yxg\
C7QgdAiyDCxfnpBgLE680KyJPJcDo0F9K50O2wZOBC5VAPUZlvkOkGucTvEfnVn6HPd1\
c-Btpm4eMEHOzEZ69nMQptgOtaA_XTdhiA34CX_bMaPO0MwrXu76HrMlfSXZ1C-298ZP\
HDOBHUx4IJROJaXMh4NKq76VLkIsdAdgguT4SXaTYBka5c1vEcLtjQh5zKtQHXHHevHO\
6gZmneYsg6sx-PvrXPItQe33bGwYAJ5zxhKTynoOfDa_zfZFSdWz3OX1wMa8WZMbCU1i\
bIjiEv0H1pOO0cs8mt7Xs5xjTqKBlW6m8EecD2H9YBqB4DVbMsckNnxkqIEM.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-1-ke-1">
        <name>HPKE-1-KE</name>
        <figure>
          <name>HPKE-1-KE Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "EC",
  "crv": "P-384",
  "x": "D7VTLUkObllwTg8aYvZPdcnNINDy25kvNre97TKptpQSB6-IjvHLCWQJHzlD\
    iGYA",
  "y": "njG34YWeObrJ8AUOH4lvqspRcCViqbkn2vUPbcTUUSOub44OkVrFqwznzkdI\
    EKrT",
  "d": "DJll4Ommwo21BHxww16GgoGaxXWPKFY6r_ppQ7wRempir7VQ4zr0r8_iqqHf\
    9hUp",
  "alg": "HPKE-1-KE",
  "use": "enc",
  "kid": "dCxtIy9H8XajATicOvCTQMh4ZPgz6YsOK5ssKHeWWEs"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-1-KE Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTEtS0UiLCJraWQiOiJkQ3h0SXk5SDhYYWpB\
    VGljT3ZDVFFNaDRaUGd6NllzT0s1c3NLSGVXV0VzIiwiZW5jIjoiQTI1NkdDTSIs\
    ImVrIjoiQk10NGNmbG4xbk02SU5uUFF1cVRvUEpWamdySlQ1SVNlS3ZRdE5VX0FH\
    UnR1YWJTeGFhYndjTi13S3pfQU1OUXYxM1VZa0xvSDhxTGlVMHJSeG4ySWoxQVFC\
    UDBXSUY4b0Zsc3g1YUhWLXY4WWp2bDVzTkg5UnFuNFpiOWplTmNaUSJ9",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "iv": "Wi1O4jqJpo9trvrT",
  "ciphertext": "GVGKeyg8z5mBfpS-02_JtaGiif95jyOWTHY6VgNgIgj38noe_Lc\
    eUOkpsHVrTj_3EBRE_d7U8zsOuSLUVj9PQd-rXy2m8rdUsCkOS9-_0ik4tgH_o2d\
    1wfLH8MTjzYHpcFeIVCX_1w3yRa2fhN7Rg_98A2Pd_sTH0A2CPtMhvETG-8JRQwl\
    LZTkFWl6jpEQ6qH07NHBpy1QXLsWdHSXIY3Bnusu9EpORV2W40Z8N2RWmtT4rej3\
    Ccg7JCr-9pBNlKdA6gX_YTRxCFWop1v_567S-qkTcm2eqpGs67S_97BauEzVUMiK\
    qa0sMaz1BwbNoA14Ey3orPEL0suJYxTAbj8jEo3EDbL_bz0dIsVw",
  "tag": "127mPyxGskfRdYmBmbGm9w",
  "encrypted_key": "-3WGOxsdBssqlYpsWKmSs4rKWbqh4_guvdNyelGiCoSkSNzC\
    4lRnGxvPOy835mfJ"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-1-KE JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTEtS0UiLCJraWQiOiJkQ3h0SXk5SDhYYWpBVGljT3ZDVFFNaDRa\
UGd6NllzT0s1c3NLSGVXV0VzIiwiZW5jIjoiQTI1NkdDTSIsImVrIjoiQkxyVFI4SEpk\
cUY4eklnc2h5TmtvaVcyTHplbjdoa2VialhfRDhNMWVtaWg0Y3JlWFVEUnVtRFVRWFlC\
ZjN5QXdOVWRaNHoyNUExaF9Bd3hPVTNGUWE3S09UT2ZPNUlYVkItT21IcFNVaEpQcHBH\
SXFyTjJkOWxWNWZpS0djUkVjZyJ9.biPJlwnk1MoJKdzAXLS9go5jflQ68qihUJqreC4\
hALwF9nXjghFzKY6yj4hyUtRa.schW4QaSX0SNVOqD.5rtsaBNI2luA7gSzaHub-dSBO\
OlJkT7FbwtEoJRx8PMiSqtWIDlv21yvUjalft6EYxfQHSjmi0yPVjhjmpCj26Qga2gko\
DLxAgOB4tzpIsk-gSgHY3YpgZLkSyxx-ZhtaAdXphQAzPmaeDjM8_DRnvSzyH-Hwg9HH\
s7jmIzqJVsoBULQop0Lk7brPXiiB5s08F2Ib6rdercbgDTTZdVXcyiNQhKoGBUOjy50F\
xW4GkuyTW2MH0_0VecBSrAWVg248pJSnPwvVcdCocPTYmFiSw6M9MSwl3A8KKlU33qUY\
apB75qOUY2zQmh8IYFFUiyMwLX50EKws1YSmNGHYbp4iDCQ1ZAqTCwY7oM2JGM.PhKLq\
KcrR4CexYEDXRlEoA
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-2-1">
        <name>HPKE-2</name>
        <figure>
          <name>HPKE-2 Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "EC",
  "crv": "P-521",
  "x": "ACDaefJAD-xbCAk4C5QadlEtEinEV9JRqyz7MHzSjK-8V2zn0dvNYRtdQYfy\
    ddZ1LiN9dzTxuyEaqlJ44-NzoJQc",
  "y": "AF9ye0Rd9NTTGSTlkBUcpzXttxHOaTfQi5E6QNublPXTyuRX-X54EDzdy1tn\
    sBECHNmTAx7rNiR42_Y6ZbKauCTE",
  "d": "APRq4c1AiF5IoYKHKz7TaFknSvSxn-gH5ZurH386OD1dO6I2tcbHlfPPoFUO\
    8miVUihJuHIpcxDFGIRwe6kgPZ-V",
  "alg": "HPKE-2",
  "use": "enc",
  "kid": "MDVVyxq8x1VX7I1X3oVf3nJY51r55uNlZ9xHpC-7sS0"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-2 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTIiLCJraWQiOiJNRFZWeXhxOHgxVlg3STFY\
    M29WZjNuSlk1MXI1NXVObFo5eEhwQy03c1MwIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "BABLi4eakSyaQfL3PjQqiFyDexcKydTcQirDIQRFF2f9uh9e\
    ZUECuH6Ows0u8YFnjCkg3zJ3yR0IX96ZbvHxfEVwgwC231EE1fQQiaHHYCOLQ8eA\
    7uv8lyLgSk6Z542ocdJUWWbxMMbnBwkEWKnCxYtynpohK_aSvTo1tVceSeZx9wGf\
    Og",
  "ciphertext": "u5D9fUTR78AJtFaJ0u64aF7t9cBTVcfdP6KCl2atfY8F6RfnejV\
    qeq8kQOGdhwAijGihwWy8-hIVVK0HpT3VZdP1Wblf1FdHdbtgIt9m8Eb530sDFWm\
    O7hdgz6P_yc134MyA_SXYDpMEP0SEN-q53flL3c-hYpNHVFp6cACAbzZ8Gqg4tom\
    ZAuxiuODgrj14P4gCuhgas8h_AyxDC0kPctSBime1Tcnekp7TnJjVUpcmyzzpSSU\
    wmec1J526NCkbDFLiY1dr3Tq7UjZi6cnfsA00d2HPWCW8x6UjEY7aehKTKz06_Io\
    woDzeryLGntpYwt9DeJp5ZXeaCd9eLlRDXo70Ow9Wy21flTWDv9h7CVUpNE-JP3U\
    LAF7FGOiA"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-2 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTIiLCJraWQiOiJNRFZWeXhxOHgxVlg3STFYM29WZjNuSlk1MXI1\
NXVObFo5eEhwQy03c1MwIn0.BAAwPUHl_bLWN0BFN3kjTKNBJ5CUlaRVs8MjYuQdjyjV\
i4RMZj19-5xAajscJ8zRJhAtkMMQaoI316TSY0KJVSynygAggzz5tz7I9Y_zJVn_1eIM\
VKyWZ8Mo0zI7htZSxw0MOcmVfEgxPzSQWDNlsAVrfd06ygq0wOPrV4Rm6mDKEWZNzg..\
Vgu7cjxvVby8xIponvp03Zk6sm4mBtu5xYR2fIC_R6WK86ReBTtipkfCOavcLcQKrCeV\
PtPjnRizaDPXD41IOzrCCWVfTDLV0Y9OdeDjzLuwBn_5Bj9jO40XvnfPcRCUBINuN-Yf\
UgG0mMBmIbmOCUATQHT6M_cRaY9F861Phu15hURAZCxv5QwY1XrvlWceziY1euzMjaQC\
aTxfa6nsVyr9zd-U8suti2dknVValb0XJRKiBph8pwJ3Zuc7SY1fGYTSIskDkw5Npojt\
HnzFayla3w0L3e2vy9EEnJ0UxgO5Sd9inFqXYwV92ZqzrX7Dy4-LkY1JRx7bPMwkMZuC\
Begz0YcXpwzaJO29sr8Osecmn1UUFKkLNC6gqjPA.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-2-ke-1">
        <name>HPKE-2-KE</name>
        <figure>
          <name>HPKE-2-KE Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "EC",
  "crv": "P-521",
  "x": "AKA9Ra4-VaZVMoXlIbU2DNQSiKe92-zXuGI73CtGpibQbmyTpuLV4TN3UWcG\
    HpO8krMaStuxuJOToVLqVUWm0zmF",
  "y": "Ac-o4fIpIKZqPQKtEi7f04_vXnW-3BH2K14WSUp_tWsgSuHai8CGuWcwGkB5\
    iKNpwOvh77Br0Vk69orojXETMy7W",
  "d": "AdeDTmkW31gpYbnoI9V297i0tA28dNYR1VS2lRyn04x9UQItmnUG7fp2Wc9C\
    QgGd1XCWYjtJsl9IQx8q0ylTKD2T",
  "alg": "HPKE-2-KE",
  "use": "enc",
  "kid": "hsRjjUtVSsbXZr5gfmhzqZ-RSs-K_ofzOV09sHt6x8w"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-2-KE Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTItS0UiLCJraWQiOiJoc1JqalV0VlNzYlha\
    cjVnZm1oenFaLVJTcy1LX29mek9WMDlzSHQ2eDh3IiwiZW5jIjoiQTI1NkdDTSIs\
    ImVrIjoiQkFIbWg0VmVCVEpqTEIwVTJNSG00RG1KMFRGWXFjSC1fRE9xMFExRDRh\
    YVJpajBfOFR5U2VwMG9TWGNwREtNWVFNejNSN3hFRmVOMmJTcWNoN0U5SThEenR3\
    QkxwWW1ycmFBSzFNdTdORWhtQmZrM3paYXpmZFlaa2d4ZVVEcV8xOGJLVDRZWjBx\
    ZmVpQUNMUzJ4SlJfdUIxT3l0eTU0dmdLS3ZpSi1uRXdaSFNDcDNFUSJ9",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "iv": "SYlEtaEkTYevJFBW",
  "ciphertext": "ZXzPE7tkBWov5kjsQ47b92iXu_t46Et7ndoEe7ZWB6xKz15sC8G\
    L0XKCYJRTueJLMwJsd9jHzcyFrqMp8sDSJMlFSZfvlnzLJube8bEByDbIMUvCp7B\
    fyknjwPzkdthDwvU4iaT6ajpgzJ3XeZA44zoEPp8plP7ZSQR8fnuhew1R7XBnpY-\
    dLOD5DyvPA7D3LRxejD73gooVPsyU_tR3lmpPclXq_KK00XiVnuDjN1w53RmgOPt\
    Q7Tmb4x1xkNcu4e-wCjjF2cZ82WNLjXhLWFaAlToVrCkyHIy7j_uAWy8w1WyausE\
    5pOGaUuVX2i2jSG6A-zMU4yUsgsv7CbFD866LvykzvmSXT-6MQ5I",
  "tag": "3J67UwTJseHhB_oYfWamxA",
  "encrypted_key": "VKWtVxVx6mS9pBXZzkD8Op8f0BFKXVEmd9svXFgXwkMycMXi\
    zR1zmQdO0_FozxPF"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-2-KE JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTItS0UiLCJraWQiOiJoc1JqalV0VlNzYlhacjVnZm1oenFaLVJT\
cy1LX29mek9WMDlzSHQ2eDh3IiwiZW5jIjoiQTI1NkdDTSIsImVrIjoiQkFFTUlGcWlG\
UHVFekhlb1RIVXFHenV0MWlVY0VsX0lUWGRjNlJKUEhfUWM4UzdQVkFfcHROMUttLXVM\
ZG9TWWxfRmNlMmdabXpwbjlTRWpiZVRVOXMxOGJ3Q1pxUUpWcXhidF9jVXk2RklFZGsx\
UEh6c0F4a1Rfa0NJNjh5R3NJSVZWQ0JBYkROQWhEb1NBOWt3UGVMd29ESXlwUVgwWnBn\
bW9rVFhVUlVJM0NrVlJTUSJ9.np-f7Zgo1yJFO4h5HJkPi8EYTsdGFCmnk16aTe4ft5E\
VXcZhu4HSGpWyNTjxbSKT.Pe4QDK53sKuyRFcy.brG_KUQoD1h52jWgbDb1zFzbMIfWb\
BcK-naIdYJtYW5iJ6qw8-a-9FcXL2x2sIRoMsj2KqylIqNCPE9OYr96GWlsYucz-tRHq\
cwGkoG6JaUIq3OMxr0MekOfWtII8epaldQw1SyNWenaTc2jGjyoA9MJ78VV_O4uKORhT\
i4lP8bcv6X-d3utnIeUSgTUQQc4AWBUoSfymKHeo7gL9ACAwoGSI-mgIeDeI-7K5m18V\
jD_5rLzTFEKVFhrMB_c7mSVd-_nv6bVtncrros3_5a4I5C5V0s17cTljDJOTiR2i4s3i\
PyVaki8544bIBU0_t6lHFQtotb5ZL8zUP50iyNeYjbXSdwdn1Es3ain4SA.Os8mE9afh\
0oe6UgoNp6-yw
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-3-1">
        <name>HPKE-3</name>
        <figure>
          <name>HPKE-3 Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "OKP",
  "crv": "X25519",
  "x": "Pyv22rGl5uY-24SOA_wda7PO4bIw6bobrD1_5VgF3H4",
  "d": "VtBu3AuB4_RKgDCDqj1j-_Kzf12ekvaGxoAGmMDcDks",
  "alg": "HPKE-3",
  "use": "enc",
  "kid": "n9hjOrhXxsQ_lTMu3PqkjHgwJURHZPF3HY5p-LFEgyg"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-3 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTMiLCJraWQiOiJuOWhqT3JoWHhzUV9sVE11\
    M1Bxa2pIZ3dKVVJIWlBGM0hZNXAtTEZFZ3lnIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "Ch0FElgndJcJkvCLEWpRpYJo3gbwn-CzVke-s_XH5Qc",
  "ciphertext": "9iGWYstawHANKOPNlkohsf0uSr5B1fSsTt5AYJzgI7WckZSyHoo\
    M2gEGrNf1b8TzPtWAnq7fGXgSTd76-Bg_DsDu-EsdEnb9XE9-7jaLLbP_pJ2JNK6\
    R1k420ZvpTqlAPk0Zu1tW8ZREYDtbw0K8aM4gIY4P8vqFba2mJxv0OxEXTP5ur2p\
    TOOcWhZ0E4ICUMDD1xcgzgziEsunxeFdU2X2okwVRr6pQP4XIe81bde7OY1qhaa8\
    4mxmMBNoOBgkE3vlV58KHR_JFKUkGlt_0FKBsrpt1yq9gZUzF2_8uqD1xHiMrw3z\
    yLcKH0hdJvLfZv3s_0sYAk98tPF4uZVmkyF-FC0n83vghekRCLR_HJg_QZhfWsSA\
    hETnydVyJ"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-3 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTMiLCJraWQiOiJuOWhqT3JoWHhzUV9sVE11M1Bxa2pIZ3dKVVJI\
WlBGM0hZNXAtTEZFZ3lnIn0.UkLR0N2IgxHkSZMhcCfxVO_F12kcq32ccJ8x8M4MfBE.\
.I8Obflj3vInszfr9sC1tnnhaGPSGAL9L1-mURYJqYWWxTlI0OZrFSKiPY7dAuyrITxT\
iaboZTF2yNo0swzp8S5DTil1KdxCzrMUtz5Lb-rMbR5Q5uNO7NXegJceIQkR8p7iMfNX\
ETCI8Pv36J45yDQDHrjNc6ZuJ8Xn6pHNFFot67L1GI0ULsrS2TCqztg2p76A1nObMGvA\
-1w5zwU6NN7p9WPCrvIKwO6MIl-LR4MV0-jnlmd5dlw3wGP5DDfqms7lZNbZ5X2d5U0s\
_7aT4Zar6ixUZrI6bSj4gntrEg8nLz9IlBT6tE6Gic3I2Abxbj1Ewn20WAZetzAQzWNd\
Jk7lIZYAJZLeeBip605kw5DuwSEK_3jlXnPsDO3Zs.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-3-ke-1">
        <name>HPKE-3-KE</name>
        <figure>
          <name>HPKE-3-KE Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "OKP",
  "crv": "X25519",
  "x": "4XxzVQ5b1_2KId4eH7vCgtTMFS-xpFQdlewl7Ldgwmc",
  "d": "nV8mMuP37Pu7zvd7i-Fqg8HLYpu2wWOZFb1FdkpV6iY",
  "alg": "HPKE-3-KE",
  "use": "enc",
  "kid": "rZvhw8SPuKMGlrnzm-J4DZ-G4niXcJkKvb8tAbz4jJc"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-3-KE Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTMtS0UiLCJraWQiOiJyWnZodzhTUHVLTUds\
    cm56bS1KNERaLUc0bmlYY0prS3ZiOHRBYno0akpjIiwiZW5jIjoiQTEyOEdDTSIs\
    ImVrIjoiYmI2ZTlwaGtPSkstQ0hkaFR2WDFEVnd1MHNidXhoeUJTWXFGSXFSWXYw\
    VSJ9",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "iv": "p1k2S0Msw_G9W3jh",
  "ciphertext": "AAmFYE2Bd90ybLZfRKLnyaiCFFBICLQ2857GNggF6XHVwRu1BFB\
    gG-kSsGNO_XU1F_KCJIjjmphNm7wjRcSon1yKrJfgOGPD7X1Ft3O83qyJ0HNHGE1\
    lgwELwYVsbNQ3MnbsrQFXfctTPEPFCqMfkvuNcmxPdXyMUI9jw4vZcPgn7EMDYYw\
    CnVV4AGJXR-wd6bpYPxoz86k_elWnHtobyGLzSJGvcl2MUvpTThrji_Oi3jel0Se\
    vyJpYrJxzzEbPAYAKURdPDxY6fEGuYPx-eTq12_a5T_buhvKsJnuzUTk1ll4K9Pv\
    6n1b24Fj5oJ6J5sPzehBvDjuJbV2blEoQFAHxpPP34lS4GPqeUPU",
  "tag": "EtvUOjRzhh3I03xF5A9TOQ",
  "encrypted_key": "otTTPK-6HbSKlyuEjdAQVUQisPPIeePcDf9ASl1rzsI"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-3-KE JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTMtS0UiLCJraWQiOiJyWnZodzhTUHVLTUdscm56bS1KNERaLUc0\
bmlYY0prS3ZiOHRBYno0akpjIiwiZW5jIjoiQTEyOEdDTSIsImVrIjoiWGJmaDE5cnBi\
bHBDTHNjOGVqelhUSE9SY1hFa0IwUDJaNkhpcGpONV9VdyJ9.T5egCQZlUyP8UKtq8Xr\
fHgIbEdNLwID1-nupqh_APHw.Q7ejfTauKt1TiYTW.6KHlyH3zHQlDPTrw3R1v8csmoL\
s59QY1B2NpWGhD1eoPdHAriRdhz62FY3JbDDykg0u_LfWTs0cMj5xqhAXLYnWFBpWqNl\
GSAZAcE_S9EBAg02ymscpqhRygMhu_mPXpLwr8INYCA59utnQN6d4yHcV3LgocTx4OV3\
2wPtm9ztydPGVLA2VQhCDx_AytmkRbiv01WjH71WWvBeSElHBlGlNl-6t1sIv8VaTPUp\
CO3b_iaoLbiRxhH_zTiLsVjJFiR_GeSo7qBnmvEYOvb_QncKGBi3RPwoOJBuI5cEJfVZ\
o2oenqla61H6glWOazG6lwtgA0Yz4y0b7reLaYISQ_e9hRlohzGjSsHd6WLYw.l7VO2L\
xXTh-CTI1qDf6FeA
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-4-1">
        <name>HPKE-4</name>
        <figure>
          <name>HPKE-4 Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "OKP",
  "crv": "X25519",
  "x": "N5icT6hvBDpsc9a2t1mXfsDBGsvi4VNTNoINejK5nCY",
  "d": "0EeYQgglJkckhiVP5aGzyrQHepapUd39QlbI53HnWOQ",
  "alg": "HPKE-4",
  "use": "enc",
  "kid": "EMf0FmafX1CDECti7cvCWZddOvzvPf3_nmXI39eiO18"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-4 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTQiLCJraWQiOiJFTWYwRm1hZlgxQ0RFQ3Rp\
    N2N2Q1daZGRPdnp2UGYzX25tWEkzOWVpTzE4In0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "WPuUGt62N-ZPXl0IMvwqVI5AuWnkn-ShiF3T5xF2KAQ",
  "ciphertext": "dKwJ1poXJWUfVzLGr1UbCfJpZ8bx4tLlzFMwlcb-RN4do0umqfR\
    c_J70pxgWt6MEpFxAFd8ZzDUzGtjZbt4k1c5vcCX8_XLT87JUYEAFLcPzgT6pdqg\
    EjOJHd3E84HgphLSC-D117RVpHH-lkUp7NKg8hbJ67ZrDnPvT_JwpAw8898diWI-\
    Gys3K6tSox0RLHFVldHTjJQWE28EPWWJ6ewklqd28rgTMc8zm2lpapa3p5hOSYxU\
    B2IQ6CkU7U7SaPNrW3VspdVCbpjajOchTWIBokxihbxyIH3IT5xMhYjhcrkFRLbF\
    1X_adZjTF1nQFXnBSynAnEs5q2RBExeNLYb6Dc9TDDzjV009xEqX7mpsrhJKlkw5\
    -SlFIsaF4"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-4 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTQiLCJraWQiOiJFTWYwRm1hZlgxQ0RFQ3RpN2N2Q1daZGRPdnp2\
UGYzX25tWEkzOWVpTzE4In0.Y2SoN-pcwe65RNXeomaV8hgkqY5sBn1t9VLp2Y9_1UU.\
.qQJ1rsCOLV0Z2sFQh1MjkYP2Lmu2O_4g2JWWxWSJNqgvPVmXoEoW7Ls7WNcW49aSYJi\
AmT_J_W3TfhP48qPpsAuaLP1MK4iA-hWF0LLfCAQM5wST86_eO2ewwSfXEwTsJoMeqw2\
A4lTifulJmNT8IXHzhU7SmmLuRoni_MUpD5NzCy7_M4yb5v1wQ0CcbjiBJZn14Y9dufP\
0v6kFoR50ca95rIflu54TH_i-Z9CReJHZBmlcKcsuejfP7HCpQx60VRCpFZ9IsSIQgGJ\
u4QSMzQToDZW6vhnSQBzeqafxC4082Lrh3YlQ21CCJ6AjOEuStYvvtYd6Yem9GxG17Y_\
Q-b5yePFrn2gHa0j7avoqKQqTjiuTGjruFejEBjnj.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-5-1">
        <name>HPKE-5</name>
        <figure>
          <name>HPKE-5 Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "OKP",
  "crv": "X448",
  "x": "fjqBGwWuU4fodrTA1rAnN8x1WykKMo_MXoFDdssKrzo_FAj1v70mJx5dn6Zd\
    J896Tg0HcLSPjlE",
  "d": "aw967bbjUbpRJLrL18RI0EfPRQGRHCVC1eUdM7sTODLvnPXYniZ0Sx0wMWi7\
    gHLFH2GQPPc254g",
  "alg": "HPKE-5",
  "use": "enc",
  "kid": "VlMlFEMhh4sRZdmn0SZIcar1R4xs_g1lj04VbypUALQ"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-5 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTUiLCJraWQiOiJWbE1sRkVNaGg0c1JaZG1u\
    MFNaSWNhcjFSNHhzX2cxbGowNFZieXBVQUxRIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "9iaTop5blWck0Uc_ozrHcl2qWFfKSD6o4c_C941JenqyncVy\
    hPD6wlzoyAQ9BQdb23DGzgSwkc4",
  "ciphertext": "On1bbT5LwjcoHTUdnST4CxrHQ-LDr3fnKjX07Tkwpg7ZfdXFYTU\
    IO636QxV7FwF28rOlVN14RQdDAOGBuDKuPaUlWeCrmv8RBUNk1VxSLjqH9t-_jkq\
    VZcrDKJId_V8CWu28f8Aj3ZOULDMByyex2yrdO9icyn3zm2DhO6CEQskZywNUiZH\
    1yDaGSS5WhtchdvhI_GznPws3s5VuQECS7B-Iwlm8vZyKFkmfDgtr4wjSKS4fcTw\
    tP_F-7OyYvXgzGMBX2CTdbzArBJ4LKXbjEwWf-UEMNaLksc0LLd-nta6pfhGDB44\
    btYtochVDzA4zcQvW9CfE_9em2h1cpGiQURa2mwmUEatyTE45BpcVZlg_gU5YgJM\
    xreLHSNb9"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-5 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTUiLCJraWQiOiJWbE1sRkVNaGg0c1JaZG1uMFNaSWNhcjFSNHhz\
X2cxbGowNFZieXBVQUxRIn0.rZnCIn9zB_pE5h9x_yH8i7HEGgE8419BEA9p43tL5J1h\
WOzzEtvB8pX4SsdqTDqMheg9wXwG4Zc..TmMhj_n4VL90wOkc8XfHe_PDCopXxf3y9Xf\
H-fcrNSCLaaGYsnGr2N2aZ7h9xEN04oz_fdzL5H7s3hXHLj1Pj9gruRCsKSTj7JwLkbP\
HUJONxqni6IeJcX76Y6XFpsYWc-JP42bLqTUUpJEnn9tQ1bfsOLphKu5IqqYImrWMhHn\
6mKp-zx0MP4MzLDP7ekiV17d0fzA3t3cHji5Y1joGfC7qyLd764I9vyfClCABPTEvWoF\
mgs_Gh9P42SCN9SoVhQTo93NgDxUd4mMEUfcd531xHRUt8Ha9AVnjlTHSEhuHojArPQ9\
odytAHanhU3-1EBPCCZKInagtCOnpmbQ49UMkts0SqJjoH1kzirqwaE6qN2uFz1pResn\
LntUc.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-5-ke-1">
        <name>HPKE-5-KE</name>
        <figure>
          <name>HPKE-5-KE Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "OKP",
  "crv": "X448",
  "x": "SCgsstfA1mjLmj64RyHxAjTiNf9X_V4JtsHzFPIL6dDplDoFadwuaM3AEyrP\
    DLPLWrZeyknvjL4",
  "d": "oD7GBrxRotc1KI9ji-K0eWrvGXCwA2xCwI4Yb367MJseu7W0IegT9qf8-KIf\
    maPHPncoo78KzNs",
  "alg": "HPKE-5-KE",
  "use": "enc",
  "kid": "aaWgexNI9cl1t1km3gXz-cWbaK3fSGZrQnF53D9PSaQ"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-5-KE Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTUtS0UiLCJraWQiOiJhYVdnZXhOSTljbDF0\
    MWttM2dYei1jV2JhSzNmU0daclFuRjUzRDlQU2FRIiwiZW5jIjoiQTI1NkdDTSIs\
    ImVrIjoiWmRZV0lScTl5THFTY3p6Ny1oX25VWkFIVC1zdVo4d09DcDY1QVVNYUN0\
    WV9ZdE1iZldoTHJDc2pXcS1mMEZRTVdFN2xQQUxfaG5zIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "iv": "RBEq5h4tlGQUAb0c",
  "ciphertext": "p_SAPca5Qn_2KtcZhyxY3QMG6_TiiG6uCn8jRl0fSk5_0du2Cqn\
    mYTQGGpCvit7aFdl_IGXKdqukWjSqsKhEcj33J7sVAc2gyghxW-3GVY-ejKJdUZ2\
    5g66VYIQzUzq7V8U7MTbGLesozqb61eKkYOliSRmRLuokMD9MioCyGM7kkUzmrhO\
    M2ScdpC6g9gZjbknMlbUlCs117mXK823LAdxVMsbuArZrgyyh4_hqmjWAqM7PC7H\
    a35pEcA3ioS-9eZwSgzKNFLsa2lgLqYKzJeJy0GftC9kKVu_srnJV3tyirDvgAHm\
    OSs0sSnGSlLKVu3Il8i7qRGmIYSx69hVCGX6vihLOqfG1I1VLNkY",
  "tag": "fwVENoMLLO4cpAvn_vtrxg",
  "encrypted_key": "ccsTG2EzsVLztP7542Vxe07BIqcA3V3FkFOW58ntY2qx9K8z\
    xcz8_LWABrUkAmYr"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-5-KE JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTUtS0UiLCJraWQiOiJhYVdnZXhOSTljbDF0MWttM2dYei1jV2Jh\
SzNmU0daclFuRjUzRDlQU2FRIiwiZW5jIjoiQTI1NkdDTSIsImVrIjoiTmFYbG9MSXI5\
QWJwSnBaY1pFd2d2WVdJcm1EbEJsVDZzdVFmUEp2dHRFeE5kQ2x6QVpTeUhNQVpFVEtH\
c25fbzU4RHlvQlRfdG5NIn0.OSbqI3MBLE-Za6f-HbGMMBRTdOlexA66Sc1OHmQ87bcN\
mOTu1C-ozuQ3O9bG5n0a.p67n2dVwqFUZ2PtZ.WNFqUPwGfkQyP9RfnGlLaPxmNxPvdM\
47XwlnjPHQJr0DZ6DWTWZrB3Y886qUAj34TdAIxlWxX4OJbe9fqywlU57fGBk6Z27KOV\
x7ZHg3ILCGcnf7_b9nqJLlKJqg8YGNGX_eUD6IkXttvYMnsyc7uPW5DKTGqmr3RzPxCt\
RMxJckt-pDn6rlJCLs_40RdVHBR6KaNnyKP2UNXo-efgdEUHBm03Np5FKk3EPUDjN3e3\
YoummCeGWWI9apX1rodGWYa65QhDmXafZaIHJJ2-JIRfYEIJtya6Oi_WX7DrRIGg0dwj\
DNCLRo0QGoIod1Twjqcl7kONuEHRtRnLVXrcmiGxcytcIMKS5Kib6nItI.D_0s3aOb2o\
hF7fLlxSR7Ew
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-6-1">
        <name>HPKE-6</name>
        <figure>
          <name>HPKE-6 Private JWK</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "kty": "OKP",
  "crv": "X448",
  "x": "wKnPzBmQ6-0gjEaxhJNY6mG0mDDsVZ_Hvah1mYzPDkUWgPRIQXwr32LDjohW\
    SDLTGeIq1HQ5K6E",
  "d": "LMXuTYqcBW6XUwctj79OVmuuj2P26jBJ8Uaz6d0sae3GrbGOEVYrs6FGBwph\
    zT8ie65RYAz4uNU",
  "alg": "HPKE-6",
  "use": "enc",
  "kid": "bjp4-nQuEki4p5Z7ewD3ScjtBwu3glF6OdfloVMoiew"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-6 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTYiLCJraWQiOiJianA0LW5RdUVraTRwNVo3\
    ZXdEM1NjanRCd3UzZ2xGNk9kZmxvVk1vaWV3In0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "rBiPWmIS81SOhelCXdTXZRuPo3P1bwojxmRJg1pjfzUszzBu\
    8R1gFRB6ys9q3parvYE9iXG1qvk",
  "ciphertext": "TbXxj9-BYgLgY1MjODWPGeri42N1sLdCFdjeXqs7J41XSeoEhTk\
    I5Yi798SEkisrVEj8mbvLjbZIJGj3B5RgqIEf1H966WzEN5v8lzSOcCe30tFINLR\
    YvapLCf6SZgBq65LNgdh3ESdbWz2lzil4NnRWEvxOTb0hEtWYqNccb2LFZKK3FJ-\
    cwu3AqlDw9jzW6z_DU0_Jvlm81nhVXQWSBXsYtEx934ILrQP_he-YJeIBWCnmhwp\
    yNoaO7sd_rx0E8LpOIgz4qghnc3SmEy57bOl-vh9piCv9kG-Uo-Q1Izf5yOmM5j4\
    u-0uNTTInJPhVoXymUH3CHStxbApPOqqBfYIg6xpBuL3EZWKTzL5MldbsGQojbMz\
    uz5kUm2Zz"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-6 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTYiLCJraWQiOiJianA0LW5RdUVraTRwNVo3ZXdEM1NjanRCd3Uz\
Z2xGNk9kZmxvVk1vaWV3In0.LC3EuX-_0LRsjWeC3CAWdjn7rCafsXw8L2SOg77NCiiW\
iKrzput6yVjqDiNXgwwlUaKrqj8efis..ZGNpmUbZKvTxPDczH_W2nIuUauEn8taTkvl\
05XgPteujObbS2CdIkkkRaxsvEumNTGFtc71nWiEt5_U7BzHTDMf7xCfLNlVorM5pRvV\
TWziF0jkLA0PUe-PPxgnXVZdpAG-QfCZHl3D2suW88G4MEXH9FReIaHRHXB_RP4fsDYq\
RSEK2i0gOziI7iOwk4yGVCkLkMI5g8aIQVjgIcApJL-1Tulz19hlrGKxMM4gEfB7VLQg\
O3zpTPD5hhKBc2ofIHffEupwaNlg9fbNk1779wKvLxDbKrBWyxhRMkB-YZt-fgCVqblI\
c_Y5xdqaLErGBgUNpNIqlN4wAuuiB5VJafKZ0jzadtMlFoxsnPTh1Xl02sgR9ZsQl6S-\
aEdFH.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-7-1">
        <name>HPKE-7</name>
        <figure>
          <name>HPKE-7 Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "EC",
  "crv": "P-256",
  "x": "z860carZ9CSxTjXo7MK65h_TaZX7ipi2iUh_Bh-VP54",
  "y": "i9X0v8PwcNgbsoMhAz-_W2OPaFU--BQAgWVzJVOfedo",
  "d": "nklFxo0VoD3POieIKD2I_6O4pyuoX1755y_r8My3kL4",
  "alg": "HPKE-7",
  "use": "enc",
  "kid": "YGdLPiZno0vV3kJKu4kEMQEjK3_upFF2D_lFDf1FFwk"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-7 Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTciLCJraWQiOiJZR2RMUGlabm8wdlYza0pL\
    dTRrRU1RRWpLM191cEZGMkRfbEZEZjFGRndrIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "encrypted_key": "BJsgimlSAygpn6mErqMkZcmzVLsX6V9aYArVYAjg2LEi2shW\
    QopeMMr5n4VNH_kCeuqXRd2LtFjQd2eWsXTAcs8",
  "ciphertext": "ny4HVMntsCPyijVFtO41pSpN_jusNGtAaYjD_glEgkQlnMlJuDy\
    iTbL9_IgWjcmaQv-ahcToh6pussscT37Oki95DB56UEK1sgwv23m54UgDFDS3Q2U\
    I48pRzgsONMJdc46-UjqCXvDgbGZfA7Afn-mCGJZo90Tr2QyDMpevwYv4-Zd6ldw\
    2QrF7pUXXOLUP8yh2Y8qZB7JkyUvN5gH8QIgIcC11a-2-YWWSO3JgpJ4R51YESAO\
    J6MbaW2otZU7JY9GW7dKpwd3mym6IxJ4onwSvABkmVaFSqxOEBlStSLirlR0sf1q\
    9HK_gn8HHNjlaNNja2yE3C42ESTWAoH1uapvfMaQJE1ZWG7ru77nMBQJPRxAb-dX\
    TUJa3jeVF"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-7 JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTciLCJraWQiOiJZR2RMUGlabm8wdlYza0pLdTRrRU1RRWpLM191\
cEZGMkRfbEZEZjFGRndrIn0.BL2AEDUZhRslwuzyKdVKVaGwBpFly_SgLlxy2wTg42Vy\
fob2tCdv0SgN6OMR16kilUZ17jafK0Gzw0plYKGm08Y..0-DVK3WNJxSSX4hn0KgFlV4\
vRS4iJLiNCmjl9J4QKCYiOzmdHmWXvB4MS56wOmpVhDbboVIC0wOBxsUlWIXIg6N9DSl\
u-iwlgiqrVj2v61LrX-qjB7MAg0X5DQJSOWg-saAkhf2lEJ4z0meZIdAlY93_vgAUHKo\
HsSp_EciL28JtLrBU18WHv34eHONzWsVYdj-ycaBqLUAkcfYrlNZrVpCR6OdNXkuOmkh\
qrIZjFEl67VZVY5NfbvyFRAkkqgd42wvATdGk2gw_jDZe1fvzGNuV-e5UCrHQ-5Es2rm\
sLe-nfeB_9iUe-2nZswWS2qndvz6ZANF9Kj2QMJXCLN7RRSLLjP58sxoyDZC8nRBdJxs\
JKXc8G5eYFLJ1Bc4w.
]]></artwork>
        </figure>
      </section>
      <section anchor="hpke-7-ke-1">
        <name>HPKE-7-KE</name>
        <figure>
          <name>HPKE-7-KE Private JWK</name>
          <sourcecode type="json"><![CDATA[{
  "kty": "EC",
  "crv": "P-256",
  "x": "1nm4Hz__urAJOmnQoT4-Cddab4mIgwNPFpo_mq__Huk",
  "y": "0zf-qAB9KJP6qgtYNSP6MTdVBxzgBachQ2XdgCsOk8o",
  "d": "8CpCdkAF51G_YJPb29O3LKLBKTibK4FHWO9lYehzLqE",
  "alg": "HPKE-7-KE",
  "use": "enc",
  "kid": "SMa7O1lSKSi2LJCin1PfZRYA7KGKky5oSfaMO9UOYWA"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-7-KE Flattened JWE JSON Serialization</name>
          <sourcecode type="json"><![CDATA[NOTE: '\' line wrapping per RFC 8792

{
  "protected": "eyJhbGciOiJIUEtFLTctS0UiLCJraWQiOiJTTWE3TzFsU0tTaTJM\
    SkNpbjFQZlpSWUE3S0dLa3k1b1NmYU1POVVPWVdBIiwiZW5jIjoiQTI1NkdDTSIs\
    ImVrIjoiQkFyRmpzNzhKekJ0aTM0a2toZ3NCanRHOGFGSWduSDBSclRtczZ2ck00\
    QnVFMUVFajY4RGJBallMenVjWmJnSFpZTk50NjJQOFJTaU5mVWsycjFURFZRIn0",
  "aad": "VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc",
  "iv": "sXE8-PM-BegS6637",
  "ciphertext": "ge8gDn9qTkGUqH53xmrFgSKAqcmduhDJolm9-sm-tQs5HBc2vgC\
    WwCZbeHc3P64tRAYUTqqlAHrgqYaMxT7EIawB_WVr5yAOdMu4zPsysaUikKAG6aZ\
    LywpdEaOGn6TxCdTUczJQ59bza8JxscPGzPdko8z73QUBnuYnr1lUlJWy9pWj29m\
    wVwGJA0T9AvQucNdgb8lQEEcpPiaajGSPYIXV6XeKUQlblUstGl1S6dScULaCw5R\
    AX7gAlHmLDMF0QMG8Hpiehok1bfDOE0gRqhlu1ywc69-X_4ESQFc9v4tph7r6nYB\
    dy9qa-dP_qeVBstgDuvud0kcQH6Xmozg9PTAoS-W7_LA7aIuEmuE",
  "tag": "I7DBYo_2YzG2JC3mWifjFw",
  "encrypted_key": "BcEhfoYFVMDky_AjhhCCAm97yYO-JgiClODO0rLqq0k0lIPu\
    t-RPfaqHKITbK8ng"
}
]]></sourcecode>
        </figure>
        <figure>
          <name>HPKE-7-KE JWE Compact Serialization</name>
          <artwork><![CDATA[NOTE: '\' line wrapping per RFC 8792

eyJhbGciOiJIUEtFLTctS0UiLCJraWQiOiJTTWE3TzFsU0tTaTJMSkNpbjFQZlpSWUE3\
S0dLa3k1b1NmYU1POVVPWVdBIiwiZW5jIjoiQTI1NkdDTSIsImVrIjoiQkNreC1vcWRk\
MG9yNTYydXVJdy1ESzl3WnZRYlZMaWs0a1cxQWNXLXhrbTFNelgxMm5CWTAyc0J5b252\
S3ljTmNRZVp1WXh2dmc3RGEwcEQ5WWdOTDRRIn0.w3y9z4g5rGR6jFE0-4fnEzw8ggQB\
-1ECteJLFkG9VOMsD7vUzwjUQocHQpza_rn8._ZHPJxfrMRpRsti3.4-7hvn-TE54CZm\
2h71DE4B-4m7-162t1GVG8fLfYpotwL5Cit4bO4EcTTZshXpFoltYHiyXnkUhTtv6h1y\
J691-ZMM8tdYXbNe9W_aYs6yeK8s-taWVZo7Lcbo7foXNRHk2h-Rg8l_JBzDoMojW8pV\
5SHUekKw4jcc88XRyhIRiL1yoQ_nIOrlY2mkvUCcmYaq2JKTwXFp01kM9eWBA_kYj0Td\
VAKnKEsizphFrSiXipoLDSDx0nFq6JiiXnBoqase2U9_zqb1i_76PX7oSUuf_oBJL3PF\
92qNb1rWjhGij7lpff4eA6BuyW2NX2baxB5qAZB4KZlFT6w2_LXzytVVEdogi7zmfgmS\
R4C-Y.Bdp4d-yiZdsAul1rM2jmAA
]]></artwork>
        </figure>
        <!-- end:test-vectors -->

</section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>This specification leverages text from <xref target="I-D.ietf-cose-hpke"/>.
We would like to thank
Richard Barnes,
Mike Bishop,
Brian Campbell,
Matt Chanda,
Deb Cooley,
David Dong,
Christopher Inacio,
Paul Kyzivat,
Ilari Liusvaara,
Neil Madden,
Aaron Parecki,
Filip Skokan,
Sebastian Stenzel,
�ric Vyncke,
and
Peter Yee
for their contributions to the specification.</t>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>-22</t>
      <ul spacing="normal">
        <li>
          <t>Removed HPKE-4-KE and HPKE-6-KE at the request of Deb Cooley.  They were:  </t>
          <ul spacing="normal">
            <li>
              <t>HPKE-4-KE: Key Encryption with HPKE using DHKEM(X25519, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and ChaCha20Poly1305 AEAD</t>
            </li>
            <li>
              <t>HPKE-6-KE: Key Encryption with HPKE using DHKEM(X448, HKDF-SHA512) KEM, HKDF-SHA512 KDF, and ChaCha20Poly1305 AEAD</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>-21</t>
      <ul spacing="normal">
        <li>
          <t>Addressed review comments by Mike Bishop and Christopher Inacio.</t>
        </li>
      </ul>
      <t>-20</t>
      <ul spacing="normal">
        <li>
          <t>Added a complete set of test vectors.</t>
        </li>
        <li>
          <t>Cleaned up presentation of tables and examples.</t>
        </li>
        <li>
          <t>Corrected text referring to the IANA "JSON Web Signature and Encryption Header Parameters" registry.</t>
        </li>
        <li>
          <t>Corrected text referring to the "aad" JWE parameter.</t>
        </li>
      </ul>
      <t>-19</t>
      <ul spacing="normal">
        <li>
          <t>Applied editorial improvements suggested by Peter Yee.</t>
        </li>
      </ul>
      <t>-18</t>
      <ul spacing="normal">
        <li>
          <t>Rewrote Key Management guidance in Security Considerations section.</t>
        </li>
      </ul>
      <t>-17</t>
      <ul spacing="normal">
        <li>
          <t>Clarified in Section 3 that only Integrated Encryption is newly
defined; other Key Management Modes are from <xref target="RFC7516"/>.</t>
        </li>
        <li>
          <t>Added explanation that Integrated Encryption corresponds to the
Single-Shot API in <xref section="6.1" sectionFormat="of" target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>Renamed "Flattened JWE JSON Serialization Example" to
"JWE JSON Serialization Example".</t>
        </li>
        <li>
          <t>Added note explaining HPKE-7/HPKE-7-KE pairing rationale.</t>
        </li>
        <li>
          <t>Added qualifying clause to step 9 of Message Encryption and
step 13 of Message Decryption regarding multiple recipients.</t>
        </li>
        <li>
          <t>Updated authentication wording in Security Considerations to use
HPKE spec terminology "proof of sender origin".</t>
        </li>
        <li>
          <t>Replaced RFC4086 with <xref target="RFC8937"/>.</t>
        </li>
        <li>
          <t>Upgraded <bcp14>SHOULD NOT</bcp14> to <bcp14>MUST NOT</bcp14> for key reuse across Key
Encryption and Integrated Encryption modes.</t>
        </li>
        <li>
          <t>Added RFC Editor note regarding draft-ietf-oauth-8725bis.</t>
        </li>
        <li>
          <t>Updated Algorithm Analysis field in IANA registrations to point
to specific sections of <xref target="I-D.ietf-hpke-hpke"/>.</t>
        </li>
        <li>
          <t>Moved IANA.JOSE and IANA.HPKE to informative references.</t>
        </li>
      </ul>
      <t>-16</t>
      <ul spacing="normal">
        <li>
          <t>Change uses of Key Establishment Mode to Key Management Mode to align with JWE terminology.</t>
        </li>
      </ul>
      <t>-15</t>
      <ul spacing="normal">
        <li>
          <t>Defined the Integrated Encryption Key Establishment Mode
and updated JWE to enable its use.</t>
        </li>
        <li>
          <t>Specified distinct algorithms for use with Key Encryption and Integrated Encryption
so that they are fully-specified.</t>
        </li>
        <li>
          <t>Updated the Message Encryption and Message Decryption procedures from JWE.</t>
        </li>
        <li>
          <t>Said that JWS and JWE objects can no longer be distinguished by the presence of
an "enc" header parameter.</t>
        </li>
        <li>
          <t>Many editorial improvements.</t>
        </li>
      </ul>
      <t>-14</t>
      <ul spacing="normal">
        <li>
          <t>Added HPKE-7.</t>
        </li>
        <li>
          <t>Update to Recipient_structure.</t>
        </li>
        <li>
          <t>Removed text related to apu and apv.</t>
        </li>
        <li>
          <t>Updated description of mutually known private information.</t>
        </li>
      </ul>
      <t>-13</t>
      <ul spacing="normal">
        <li>
          <t>Removed orphan text about AKP kty field</t>
        </li>
        <li>
          <t>Fixed bug in "include-fold" syntax</t>
        </li>
        <li>
          <t>Switched reference from RFC 9180 to
draft-ietf-hpke-hpke</t>
        </li>
        <li>
          <t>Editorial improvements to abstract and
introduction.</t>
        </li>
        <li>
          <t>Removed Section 8.2 "Static Asymmetric
Authentication in HPKE"</t>
        </li>
      </ul>
      <t>-12</t>
      <ul spacing="normal">
        <li>
          <t>Added the Recipient_structure</t>
        </li>
      </ul>
      <t>-11</t>
      <ul spacing="normal">
        <li>
          <t>Fix too long lines</t>
        </li>
      </ul>
      <t>-10</t>
      <ul spacing="normal">
        <li>
          <t>Addressed WGLC review comments by Neil Madden and Sebastian Stenzel.</t>
        </li>
      </ul>
      <t>-09</t>
      <ul spacing="normal">
        <li>
          <t>Corrected examples.</t>
        </li>
      </ul>
      <t>-08</t>
      <ul spacing="normal">
        <li>
          <t>Use "enc":"int" for integrated encryption.</t>
        </li>
        <li>
          <t>Described reasons for excluding authenticated HPKE.</t>
        </li>
        <li>
          <t>Stated that mutually known private information <bcp14>MAY</bcp14> be used as the HPKE info value.</t>
        </li>
      </ul>
      <t>-07</t>
      <ul spacing="normal">
        <li>
          <t>Clarifications</t>
        </li>
      </ul>
      <t>-06</t>
      <ul spacing="normal">
        <li>
          <t>Remove auth mode and auth_kid from the specification.</t>
        </li>
        <li>
          <t>HPKE AAD for JOSE HPKE Key Encryption is now empty.</t>
        </li>
      </ul>
      <t>-05</t>
      <ul spacing="normal">
        <li>
          <t>Removed incorrect text about HPKE algorithm names.</t>
        </li>
        <li>
          <t>Fixed #21: Comply with NIST SP 800-227 Recommendations for Key-Encapsulation Mechanisms.</t>
        </li>
        <li>
          <t>Fixed #19: Binding the Application Context.</t>
        </li>
        <li>
          <t>Fixed #18: Use of apu and apv in Recipient context.</t>
        </li>
        <li>
          <t>Added new Section 7.1 (Authentication using an Asymmetric Key).</t>
        </li>
        <li>
          <t>Updated Section 7.2 (Key Management) to prevent cross-protocol attacks.</t>
        </li>
        <li>
          <t>Updated HPKE Setup info parameter to be empty.</t>
        </li>
        <li>
          <t>Added details on HPKE AEAD AAD, compression and decryption for HPKE Integrated Encryption.</t>
        </li>
      </ul>
      <t>-04</t>
      <ul spacing="normal">
        <li>
          <t>Fixed #8: Use short algorithm identifiers, per the JOSE naming conventions.</t>
        </li>
      </ul>
      <t>-03</t>
      <ul spacing="normal">
        <li>
          <t>Added new section 7.1 to discuss Key Management.</t>
        </li>
        <li>
          <t>HPKE Setup info parameter is updated to carry JOSE context-specific data for both modes.</t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Fixed #4: HPKE Integrated Encryption "enc: dir".</t>
        </li>
        <li>
          <t>Updated text on the use of HPKE Setup info parameter.</t>
        </li>
        <li>
          <t>Added Examples in Sections 5.1, 5.2 and 6.1.</t>
        </li>
        <li>
          <t>Use of registered HPKE  "alg" value in the recipient unprotected header for Key Encryption.</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Apply feedback from call for adoption.</t>
        </li>
        <li>
          <t>Provide examples of auth and psk modes for JSON and Compact Serializations</t>
        </li>
        <li>
          <t>Simplify description of HPKE modes</t>
        </li>
        <li>
          <t>Adjust IANA registration requests</t>
        </li>
        <li>
          <t>Remove HPKE Mode from named algorithms</t>
        </li>
        <li>
          <t>Fix AEAD named algorithms</t>
        </li>
      </ul>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>Created initial working group version from draft-rha-jose-hpke-encrypt-07</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y96ZbqSJIu+p+n4ET96J19g0gk5l3d57QACcQgQCOiby+O
JiShEQ2AyMp+lvss98muuwYQERB7Z+bOrnN71V61KgOQzN3NzM0+Mzd3r9Vq
lciMbO1r9YULtaq3q44TOTDV6jKWbVOpTrWkirtKkPiR6bnVL+PlFP+pejIj
ozphFlRV0OS73ycC/tNLRZLlQDuWaIK3qqZbBb++VBQp0nQvSL5Ww0itxL4K
Podfq50W0q5UVE9xJQd0Rw2kXVQztWhX23uhVjN8S6tpWUs1FK2EseyYYQga
jRIfPE/iLFFxY0fWgq8VSPJrRfHcUHPDGBCPglirgA41KlKgSaBjjKbEgRkl
L5WTF1h64MU++HayYEAHLS0BX6pfK9Xap9xIfwcjg/99wIz0a+H260Lea0pU
ZUzdNV29Krnq+4dB67c2K5Wj5sZgGNVq0T3IiBfwORvxiwB6DimN4M/we0cy
7fyxf4Oce/MCHX4vBYoBvjeiyA+//vwzfAx+ZR61t+Kxn+EXP8uBdwq1nyGB
n+GLOpBzLINXUzmc9FQUP38mGviWDQUalRosv/2W0XwzvU/pfPrjmxE59kul
EkaAiVvJ9lzAjkQLK775tfrvkae8VkMviAJtF4K/Eif/IwpMJXqtKp7jaG4E
vgHK5ki+D3j4H5WKFEeGF0ChgyFUq7vYtjNNZM0gdiRbC09SUKU1VU3SBwDT
JNe8SFB6X6uUZ5lS+r0CtOprtS+5OuhYoKXfBZqePjWVAleKJCt/0ovdCM4D
0lXzl7VchJbnqpEZ/JsOP7+BHoPRfujYWHJdLayyoWJ4O8019Qf94lwg5SAE
fYLzMDK0aj92VTAWzQiq89g1FSN9q5ix4Pn+qTp/Kw2F0mLZBNNKvxtKXzpK
gfluICMtcCQ3yb9UQR+7rVanUx6akXb6Lbp2Gozx/OZq0YMBYmCGBhLkpRbs
Ne072D4DfIOTqdwpMKRIU6tTIGbVc+7YLKUNvMl5A//mQnL37DZdYD4Wb1Um
0jQ760LWuUVgauVv7zvGBpKqAc6bu0QtN+mBt/7NC5AGmAAPu8lEcPbcNz9/
q06Ajoel1udAcJJmV/vln+67wGj2rkaGYQyoDoApjO0IsKDcGScjspW3e0jj
3wwvKvQtfQxYSCCwfBKHkJyZknsz3Z3386fddz2gCRHQPWi/aGKAIkgv/7OL
dJrwT7I2TM1PNrXh/+UPQE9w+7NTvNZBW8WfaOtKrNcAD1Rgh+4b7HZ66I1I
6/ZnN/+z123fd0MpzAygB77GKOwNWvev6TirV/OQ/wO8/po+lH2TO9HvcJ75
81Kga9GNu6fT6c2UXCmzxcCv6W5qpH6GHbr2B3qI39Sfq1uCXkeK4kB753eq
mA18MTDJTvgbOwatMuwYRTLsG7N869brtVYbCxqfdZBKdVOygckLQRfjKIUH
DLTjUqCGaedYTTFcz/b05G4otJYZbjUlUQXyri4lM6gJJsAYgNM1HLgDwPbQ
gP2rMoqhOcA6ciF0kUMzVAINtDbzdCkdbnUAOeDpgeQbyWs6iirja4oJOpeJ
L2snHxZo/mhCtAEgxEM+uUfbj+XwzTXD6E33jj/DP+A3P+dUS0TDnz8w7c1X
dxnhFLtUMT8w7SpaR7qVSg2AtPT/gZUGTkxSgK1kDTOshpDyruipqu1M6A8M
71SNvGoM2PK9WK7yFMu9VVLsprmAtYC2n1ECCKmq3bALEKEUyNCUBkktNC/A
Dvi2ZLqRdo5C2BcJuA3F9E0gmH8qE3lNBe4H3tEEPqka5qCsIung7TCqSqrk
wzldBc4CQDlg5H1DCyDZqhRFkmKFb484AZ4GjwNtun5fBXAx1KLCB6Zj2mnp
hAgLZmWgVsDfHnI3x6nQcqRQNWMPfDfjTUrC21VIMGqgVNAWlngpwc5A/s/B
VNK1VEPnwEG+ZXJ1TFUFbqTyFzAvosBTYyXla+V75PfLLx8N6a+/Vk3Y4mNx
fUnfC9MJAtghRTcJ3J6qfluolcdCfSiSQoGeKhoYR276QecBdRt6T8CqVFav
FcAHV4czOYx9H2C7dP7nqnnjMlCmKT5PewdovlbgF1DevgcMl2zaOQyKI/Dn
BVLbxalNTAlJV0v4BiVBeVFhrID3BFg8nblQN7SUoTBECKsvc45hX16z/1ap
Rfo3ja84ksaH8G9mjM1m1z8q+RPMeMHNhre/bm8OFvM5Tg2zl8G31buvKi9z
THzJps3LYsmSCwqbvcDQKoI8B4A2TnULRDmQCbJWhQILfGj7VKCFFSBkJQBo
ToXv9AfL//f/QZqA9f8jd9GA99kH6KTBh5OhuVlrnmsn+UfAUTBFfV8DeBhQ
kWy7qki+GUk2wNRA00NggdwqmKhQvf/53yFn/uNr9V9kxUea/zP/Ag747suC
Z3dfpjz7+M2HlzMmPvjqQTNXbt59/47T9/3FxLvPBd9LX/7L/7KB7a3WkO7/
+p8VqD0sQMJm5sWqv/wlun369bF1geYKaurOs23vlMaHKSI3M4eRigBSCQE4
qUGFjKCYS5MIGocvA3z602t1rAHsCb1jAKAieCkTIMQO+U+vMCYMc4eRakJp
8r1VPo96c7vz+oHCIzMEifkWDa1ROg9v9ii3xFcT8v30whK9wDwCU/sHCebj
k3wAkTNxzAEEAUg6dKpfgD0BY/UBPz8nMNTSvsC3idhVMk5Nh8Q3X8YAToLG
RXnvM1J/hIWhB9AD/GkIIsfqFwzHhj/9FbhK7Znlh8J+J09MVc3clt03l9P8
zSQ/wx/3alwo7QPnVwEwpwo01PBUKD1Vy6YJfAsYGkAmAC7sM1WvHiU71qAy
gPkDwyzQz9equQPR/ysgARwbeCp/KHPyMK7FJcW4Gfv01dSbOFKaTQHtAk9e
dCaffun8hIHmFVA8dObVR18Dr+r4tpeAZuQks9P3jJPSLMH9LHvNvxGCLEEB
Pw/NACaQ4NeYHmhpC8Vz1y8ytXny6j19wC0YWDwCLHAoi13Gi9fM9j8GNuZt
juWDKzEpHd5f82kJIstUtE7KEuigHtufrGPpA6ar2LEKnoC+BDgzRYIg6wEH
Aw1AEyXTPfD+XAtDCB3we2hQfD3Url8D4KNoKkSB4DWgg2UQkjpVzQyqcLoA
BwqAzWN0l+rxA8FDCicDxNiZrSrAU8qzVB72FZal2gsl58VR+nSGJr+h/1BK
6USEPAWheADG4XuumgIgSIUBDLe1GgMC+yq2JEscB2/+8gujZXaq/YbAxh5N
/dd8BPkcy95UJDgdTqlUgI5dw5piNJnCAPSdNg+meMb3CGY8noUCb6WRQOzq
A9EA8w6tO0QdcDhQI6CctLOU8s5zS+Y+lbDrASvmS1BAgB0Z48r4sJj0gAho
I9AOMZCD+paBupQ5ZoF9H8lTkr2jdqdsaR+yxPY7A/mX6gIA2KOpnYD/9/I/
Hzv/suGMPyTMU9sUnbyHpgUY1n9+bznSef3Pz+Z1hYyK5vMmH0/sh+MHLIb5
vxDYxmyu3XQOTm3Y25thBQEFmDigGfAsHIPsAcOUzv43GI9HYHZH96+ElbJZ
gO+8gx6wA4+nYOhlkQzEpqntgFnE5DpSNUUDhcChqUqlBXNAmTvTQLR5BNPB
yzsLQe2tX2VT9RFo59FTOjl++QXmvms5qZS2kKvvYxMRPh7Qa64C+bQD87kw
GZVikt0ZlQzjwa9ewO8vwGKmGNAvMGC1AN1ZTJDZ1YeRWhHoRh+mxCfU05EX
5qT5hryh8IW7gC5nfiYmM4L98BwzgsNOJ/iNDZV7/wIZ8B1sfO8/3/OvzLbP
jSqZCxnq6uuno86pS+FN0R5aA7bIOUD0VrZIuwIq5sYVUAUgDSgu0NB0aSn1
Fflc2QWek3YH0k8p3SbbXftpd1NvlU26R5bjtXJNhOTpgRL+dd7jX/iIekO4
u3uEm8bZ0h2w1N7hWOmGQNUbjn3EikoWnQMaquZraeR5HfQ9agMjTPufpwTC
1EqmBqbwWpk5KUW8bJqqQTJX/xiRF9K/mxWvGSNfIPWtDNzfSxaCp5/90HpJ
m8o7AjT4au8esf7tpssv4N2tqT7WLRC1h2kgc5VU4R1v7f614kHPeDJD7elz
aX8BsyAH73gF8C7ACoAXIRCtZOcrB5lTKVg+8BxfgsuW5UfumXqb+Y0MSFw1
v/BFBbE0+/OdlO4tCOj+QAsiqfCJRe4Osj1FG1feQzq3tN/dwN4qBJALgA8A
j+fs+mSIHiDvAuCUU04D7+vsA5MviysUmBu6YnsgUUkC4nQ0uBD9Ct5w4LIL
aO6GVMKMK7Vq7ALPEYEBpwj3Xv4wB/XO+SmSC41maimyOXXflUpqRuMwD2Ke
MPytkoHCEnJ6105K2/XejzNrXTtDrYTRlul+zkCIgf5Siqvh4pAGk/AhAERa
6etamH39a6XINZdeyX4rhxl3atJ6hlsLh5Gx44mLLfqPFyA8ZUXu6UKvzKRK
nnF41sP79t4jMg2GnGXc+6HVgv41HniEX68Zc/hkJhbQ2Q+m40WzXgp6cO63
m3FgQzpeitLKOfDHI/nLE5D1TZZmupOtmgEFZ9MUzTsVT4EIHBycy0CpXoBR
fymC9BQbhGkImHXwvdV/2vRb3t53wJ/crl6jJ/C/Irb83gCiFA/dsMLbsyGX
RFPY+zkm3nUle/OhKB/3PX0BGL/0x3RiPgiKCroflbx4Lde590rwMXn2HTPu
1hYJQePNlPIpGs6ykNCo3JAC/JWV9PvuOD5M0wMGAtsLQCPonlYmDm3SPfuq
32n5MhpZsl9S32sHoAeXiPLQ+eXznFlJKa5kCi2+w2JMpPlVpJUhjttbN37l
od7OK/UHcF4CfuMaxz9iyV9hwU8cxSlctFyYci/SodfVcIjQJKjIigaQr2SD
KOmKrlKpfliH/PVXuECdszfXcBDuAW6FWVdK8X7qE/JYAiJ6NYaLNO+wYlly
g9vyXW6eSgt6V3T7blXnUbL6qowZSnjiAP7yxI6V1rxzpUmb/OUvAH/XwBQP
f80SArck5n2UWn7pfcBaLCQ+Xwd8EsIAg/m33BZW/5bRBtC7+vFf8eOQKH1K
o4HiAUColv6rFn88+nf/44NHU0KQeq0Ofh2OQXe+LGtoqw1iU9B6jRlj4MNP
aR9un8EnDGdqCNqtjQbzW49SQkiJUKPbvBECH+4Igc85IUDyASG0RKiFIjdC
LQS9IwQ+f0qocSW0RlstpPdubN8/tOZvIzQwJPA/tL707ARp1Fs3Qq0boWaz
+35kv2Fo7d9G6HmPOr9d/O969MvX6l+yqR7GZqTViomW1Xb868vjCQnn08Np
9JJP0GKWvMLZkCGjdCKkZjiLDfLCgatxgRUy2XtZIiuAmaBrrU+euXtX5lmG
Pc/dy+ttOTx8CANv4KgA0yAohtkD23P10AQ2NA3lSoFC5Yv2pr9BnAoGkdN8
wQfDcQ1n/i8M6OFUeKkCJr3QDFZbYHgqnhcQj4MnFe1DBun7MyDPsewDhJcZ
rceICw7yEyR3T/s5CvrdqKmEEaB2FLDzDhnXUmQMWPQcET8FDt/jqD9z9DDP
cMMcV0ifAhC60IMtUNNYgfHuy22xRQOu6Y7ybX3hAZoBYi0e/jQM+aZfxn+M
X34wNuB/g4/f5jP9MTOK5NsH3j1gdRYd+1oAodFnel25FsOkAQDEKiU4VYD+
9yCHhdMrhMNQsmDYBVFyqnNpUs8DDUtZAQpMvEGxX8dthtVCA2FEVJVNVwJm
KWszyx1eYze4MhLmwATmaf7zP/+z8oiX/1rFmAFJfkkr2muZvVP86AU4or9d
K/Lu//VFFv8CXNcnj2Q087hoe4NoWzCv/xjlm+QBwwNpC1meDg5aokBLM1JP
RgQX33bmGXAvfSAt84acylYfksJoF8IsovuCVbBE5dZDSCwPAGEGLwFg+kv9
TBA/3dLwmm06AOwCfG+r4dutY0/Y8rVKFusg4a0jz9elUj28rRqmDviWFPh0
NfyaK69WSWCSshlRjqyy2PjLo5Z/+mhFs6RStVokem71I9fIOWXCrXoMmpNH
kyY3QtdkMyw9U2NbgyYkG2o2d8LrGs6zJJDsxa5a0As1OwuzP2PpD5DvI+UE
hNzCzmcKl/uWtHTnFjo+YAfcwFEMsxxN5ZFUWDD8vYkBYdmfEe69C/aydIbp
+nF004VUpXYwO/L50LKsdbYa9ppRylTk2/F9hfKiPAH0OHS65mOzGoBnPuFW
JZABteU1GZOXRV2zEHD9pFxkkLP96uVT/S9WEuQ0VZ7VhtyStIUm3txl6t4e
+zc8yzt/5tBKfiD3Au+Xln755ZGTzBLtJYiacT3DwZUnpgk4iRcIIgFOf3l9
qOTwCQgnwcxMQU7OoVtcnE6gQoa5O3pnoP/v826XtwL/fMmsOmuU6xUgKUM7
A/EopgM0K9By0FYoVU66KTV3rUazharNbqvelMFf9Q7abnTqneZu10QaSAMF
kWOn2Wiqu13Rkhne1wkViCHt4gsc50vJ6n0vTHirpEDm3c/PMgsA/vyoxML7
JfHvyihUf1xS4UfmFWqglR+VWrin9ceyC/e0/liCoUzrD+YYWne0/lh2oPO7
eP+NuD5X82+H9fdK/OfG8yCgX6Y19cWuy3QzlJNPv7BSyaOWEIQtSPXLx+Kx
n9K3YEzz5WMJ2U/vysbSEpa8ROi6KHib8GHe1mslX6FW1awILUwZFMSwSD6b
789XWZ7P+Sy6elD/li65FbnnjNtFWVY5lZ315D7MyEIQL4DO84qeNT99Kl0f
hRta4UK5C7FAuTiskhVtQY64Xr6cD1qDSFjWopOWL4KnYCMLlrw4Sv8utwPG
hLxVAcuzikztaRHIfZmldgerqyWAV6bzBFCnGpdtgvxSrBHdkYT+ErKkgA3p
o5mx/XID1em378uxb5XK+Za8dNPJT9ko08TLXfXmg8JQuJnqW1WfaViZMyR7
R9dcLV3YkqoB4DWYQO+rY1PFS3fKQI8eZezPmOfaUC/g4tIJ7mWxAzCo5Eoy
c1ESzLUcTS8O7WzrVq5Omlquyr4WRUJFea3aMEkBUV+ODmETeTVv9WF/Mqkw
abFyvgHw11/hk/l+RBem0oK8IBGIM+9jOruyYWfmJKPDZsmRDKAa0hFyx9Zc
HXATNAqwSJQVluV7X/P6sbQk7xux3FtJoI8qd79DhtkO0JIcr9gXxgbS9cV7
RQc9hjmIONI+JkbSdwBQ9LPV5IwHz7v4QYcyaWUsywX2nORv1tAH5MBrtn0N
T8DQTuDtW0rrz54zdylTMOYc799XnRZMySZ0zpf09Q/5te9Rig+12s/F8DF/
93mM9b7t72mjJOrQkKD2h4kDDFlQ7Pa6UX1aIv4ben8X8OSG/IkXfDfTBiWl
LwIpq7Dl1T7G4O0mR8++fGj2p5wAufusUCmtEoBKAjXxNS+er1ZvLu5hpQ9A
Aloa62eRMTSHmVfJXChS6/50tXT3VSJ5p0YfrPbzBfZ8kqeBlQId80W7Ev+W
uap+MXcfDdzNlf01m0O3YrOyFB9359u6+Ehkj2kVyajqO0E+fLokUKn6cjH9
uwBPCq8x/2vuM5y0qOm+orYUTd8Usnj0jnUZlcISzK+e7G7Et6D2lpF08lqq
W6MPufzdFK9kCvYCL51zN1VoLz2B5Ev4UzlZBX9VtTAVe75F9j1iCbMR5llJ
T8/25qT9N4tUyy07+DX14XBDjRdcHc9dKqYEi25FWExmXLhbUdzdY0XZU0pI
C2rX/En5jWt+8oN24bl2fUgHPVIsjiW6Xx4lj376KXNv5INBFQRzVJyLJpvs
BeBxs1pFA26edL+vauWqWwBBv1wHWlQYlspEfyob12vO424OZpnKnDuzfP7+
9joXQDRtKst7P+Nszqqxd4I7edNtWe8KFkudf8imvO8QJ34fr3IWFBUr9p88
wurf/lb9p7d/gv+5N0pwP13JBj11i1BPMp/yGHXMSyMGbvj1c3t755O+Meib
1j+2cp8uUWQQs2Rb7kt7MtmW5+vHgq+yvPPQ6kFVWBYN3oL9Un/SBbVU5t/B
5095/JQL30Ad38mIbBbMSs7ywUB/n6dU3vP8XgtvPfnpEyIPevPM13589M7R
PpvbNyf7oe3r0x/nz0cXdnNS2ZTXinRBKZJ7WMmduqB0v1eKz3N9y4zh91v+
9MlnM/4eT3766GPE8ukrJUl++txDARW8eQ5rn5Tgdz6W4JdyS6VNlL/8RdWe
5JZU7VFuKQuW4LlUBT6oaB+SUH//tBPUareoBw+L5neSab+WzVHJYILOZDYd
qrUJ91GVdy59EidUzFQvgecrrwjC9ZAUamaG8v0O9/CfPnah4sQh3LKgQBZm
e+CKrlxBPdSE7HAISYErhbCTpFsNPSdztiBs+Ti0YlNcqcjpeVOVUktFAF9k
ZlI1Sx9MW81qnvJmU7f/mLVZgil8t3eh4mpatt0V1rs86gpo5QZBisMq0sY+
aScC2EEKo/ti6kqaI3rM2tJ4i6XOR+NNTRqA1aX1yXdrXbBM65ye8ZMvcV9t
Xb6Ydx/POT7oonvT3PT4mmsC5h4vPTSO18RLeEdOyg+ug+9+LJS67zNs/Prw
I9v5evfrnam8/+kxrLl75GYK7+HOY/P3lBePyvceMwIuohc1zt/DjffMAL7s
NSvxy/JN8PvYzd+9Jok+Bj+l5errU9+Ke+4ym79ZA/4Pk10W+ASlMDdbuv0o
gHx5KE3ES1HmMvKIFXI8TasU0VC2BpPt8FBvyNKFIEou7VkH8NL01OoX4GdB
tAykA/hWUL0l7kGTxb6LnRcHRfEI/CkncH21nD36llMu8r7f75ihXelft/oA
v+Gp91Dr/4wp+w2RP1ALMHtyk3c9UCTLtKaHeaYWE8oc+Pn0AB4ZwEUr2/4Z
aSFQdnh6RZA7mXLtyk0sadJf1jS32FMKecmnJzdWr3U6HzIvhQakGpTyu+hb
wfFHbC0EK1UB0Kx1v2FCpNQQgShWK1xNOY1TLHcUhQrAc2QLImir9+uvf/2Q
af0Qvcr5URolmjc4/z2G40b+lvx5n/1+32qm+otbguu7Avt3eeMPzQGL+s70
ZumR8GH66aGOf9sCX1Ord+cdfMsm58lBADtAVzIcl+ImWftUurkRH2ZbavKK
Uc3PqB3faWdpJbHEmmvBVFH1rMYZtNQeL0vCg0Wf+44HQrlGVde5WJSw5fzK
uxcCwo+by9zrdX+bpyhxkB0xUr1tey9xpTD1GelvJSKfzGUTct25TjZ4HG6Q
niScxQIw/VTO1EPRZcWA1eLogtLZIXDa5RuEiyRp1qnyWRMP9pOnz75fp75b
YSjWrIp9xcATRC8f2ZhVqV2zhNdR5pxK9d+7L1qDTjUrDsyG7gE/Bd+9bqH+
QSvu79dxHq+RfxjSeyP0ZPPuxyONSotnH85I+jBp8sLrx7smH+oNnAXZOVDp
slJWg/l+QfAfq75/yqpvnkd4jEj+/GXgT5uH/fPTAiOt4NKfX1sAX7lVzJ6+
I8MA37hfYcy4XKTa05MxSqz+OM5SBJq1Ctu7RdDpOa9QeAUQvzvoyQvDbN0s
X0Ep8nCBtvPSRE3gZBx51p90UWl3tSMAX9duI3nW2ZSgfN3zcy14yTqB2fCg
uOzcuwJcI8hb6/7smrQIJT+Z9l19SaZQbhVifj2rMYnMFI1dj6f9Iev97x3+
k+HmKaT/8sX/37PGkdVPXd1l0Zjixbb6IZlzrdkqpkfqgQvhg29AK799Ef8H
reE3a0jj2SJ+gb1u5eX3UP8fK5X/WKn8//NK5XvHWFr9+k1Ll79l2bIMdv/Y
+mK2y6XYwyHZSn7+1U/v1gQ/rZu5256RIvWHJ5AUVi+Kg1LZRWHCb1UncFx5
WrmsQk+GmDfpwEs1glJXPtTvFM3DKKqgmw2/OHVSg4exZSXSSaln2dJI1tju
k+5U011DeenR71yTLbs5aEQeH+Vym4u/s5nnSvt714K/U7h/N5GVluHg8lX4
2+qjYveuQuqR1n53rdSdlw6yamLXKzlMyIa8ND7Lmbzrf+ZzU3SgqaUQ4nYa
1WcLMPDhUvIpLzCAb5Zqp1K/6X5ivfPS5TSGzoSeHmuari5HH45JyaWuph9h
yvA6wg8Leh8GWwwzNQtQdGlwTpjpIYGv0CzfDlT85vph6ZxNR0rKe/6kqm4e
4f0KXs4CHH66+sH8uIJ3kCzXgtdKXhz+LpVx20+Yn90XFOuNENlXPvLpFQ4i
P7a9kN317eIw+2Ih7S/5EaJ6bIYG5Go/X9mdCMx1i1924xY8b0y9e/jXSum0
yt492oebxNITMIvdoFqOy2y4ICiDscPTkTKGhlKSHZbHvstKZouVsCuQdame
gN6XOpGvPVSqHxKaxat4VYZF9A8PxYYq9ele3hxyaWfQYphv3ry5prtfXwvV
gW3CrHGp+PD2C3M9I9dObxKAh5ymSXfP1aHN8AIrfH+M5ztLnGfXIZUsHZ+d
/J2mqO7FU6zSVx7cXgNQC3O7K6KVnU3+/PqSuwOd88xqquWmm+16gD1P1Wki
TKv0u0USKAsoiWxfkpbktz9cW0u3XoMXb83ArQjvl1ogFQu+fDu57zonnp8w
++GI8A87crKcMbCy8vWY8jw+TnNsr9UXK0qKuyKU4Phym43T7LjK9J6GdGnp
bhNXlNTA4+m60t/Kx7OF1Wf//pa1Bf+bNnS/XfCTf8X2wOrtyKLr5sDX2ybB
/M/O693eNXyQtZ3uXitvBXwtbQl82Nvbm3ArYGnj32tpA+A33myhSHmb3+tt
u99rcSLQ3ZuL6TL9b7YHsLSp7/W2ue+1OLnn8ZvNZrf6cNtdJrFi2x2UL5v4
WpbPHsTBUXuny4PbyyHcfJdvTU4VCLwd3iLZG859d9Jx9cFJx3+pFtcqpnvs
SnmSp3depLe7XMH8kzQLXNh5djNBeqJwkUXKvQnwL8XZsFIYxk5+8kII64CC
DKiWElKFG/7kcorUyGSn2EBT7UhWQTJdxIBtZCfYACvuwjXHtJYGrsxBUiXC
0NAFphynuOB2ym663w52NDunBxpm4GpS6wsgSno2UNqa4vnatZytOIO6GCq8
0AUGoOnhr9fFn1xk8L/gxfSs15QLQKq66VaAUQHQ7/5ipCk+f6sumWlGqXyu
b5mPlfROI8OzSwVawPDV8jwRHO2X+9RaLz0dtvJIjj89vlIi0GxYtQUNIGBp
HCjp6LN9EOkBKxm8l47wRkuYL/TcHEIdTZjzytexssMIsgSTIRXlQhkZu7SL
7a0yMy3tbl2yePX5LofPCRZHMJdqjoCbUyW4igwHeBtKcQtCvqEtVWUtfLvu
Mr+tvVQqWLqNG7LYl8ygdCRsceQThLKuqt1vHa9KlevBuE5xnvv91UfV1Ca8
5bemFRpeuWstJXVNlGXXOcBq/+Kbe4qVzMqkUw7EGAA+2bCD7+7byQ6r9gMQ
eJjp2bwAaxppx0sJweKA33yxqThOpHI9TqSanXsFYEuUztCU8+kgYB+2Joys
AYyX7eJYh0q2AJ/fWRLD2rCbZbyZpZRZ6VkHUn40RvhaSY8sybgE8HcKO7Lb
5IDypgC5WL+Evj/fzh8AlJ0dDp0a15LvhnpdajttOj1T9JaWSs1cJU3GZIcD
2eVJnRvOa3o0zxRHppNeS3YK0rKUv1bfT0n006OarvPhauygGtzuVro/kDjl
dyZ+YC9dz629u1irmh9oVhxilp1e9u5Es8/PH0ujlVTXSun/UNFcIFkvZVLl
yozrfqgsfQO4kpbn3FTopEE9KS2lZVtP35+Vlu40/AvEiCyIM8DzwKcGkOIS
FpEAS5MDw+vMvs7lDppCVDmN1u/gcBoU+FoApAIppeHQe/sHWoXXzeGqCQ0N
XO75CpF86WpcD1rnGmxGNsPUFKWVLKnHSaMMKayACARSyYecKsT9HQa3tDa0
dj4sfdTyICjlJ3CuQPPguNJql/LI8iju1h5sCe7FfdbHFCVku/bvIQII0uC3
v2aM/i3XVr47UgOMKDDz0wKyA/byTqaNvvwW0i8fDhWA7h8MWyuumtRud0nA
q0V//fVrdv5LhlzhCXlXalUqu7Q3+6X8wzAt80ob//qtc5XzSfH82Ib0+ITy
wQ2loxRu50rAYxXu+sCl5dozL1O8L+FPXzPkX8mupa6S90UTdLZamd4E+rW6
8LOULbyZDCAaPdtWHwCRwN1g6c3ctexyzatnH+bKl7b0yy/Xk1d/hZP23//9
UQz0H/9x12MMNJiE4KmCVJjT+o5bbUpCQp4KCflRQvp4FsmdkGAIciek4pCN
fwipEBL6VEjojxLSx0Ne7oQEj1P5h5A+FVLjqZAaP0ZID0/P+Ye9+21Saj6V
UvPvIqUPxw7/Q1SFqFpPRdX6QaL6eITUP4zeb5NR+6mM2n8HGf1jMj0VVOep
oDp/LzD+j9n0Xkgw1/88aII/PhXV07PW/3sGTMWBkj9QRE9vdilHS58JCPkR
AvrvEiz9nQSEfiYg9EcI6L9LoPR3ElDjMwE1/riA/hsFSX8nCbU+k1DrB0jo
vwvq/jvJp/OZfDp/D5DwDwH9+r15+w9Hi/3w9P2HFp5l8fNUvWZBZfqwry7T
qfQqxQe/3mkV9mBP+oP7C37HnXqPmn6gUxMB//1Koj26ivNzjUn5lt3J8xnv
8lt7fhf/0n1E1wvEq18sU/3pWiJ7X2bwCV+Li6j/Xry93vv+LX5Wmdhx4Hn/
4DGuuIDbS1fTYPFaVsz2uIomf/q7SuCylc1sZ5VxvWz+yX2a7K2aV7k240iq
9q4aLb0IClPV33Ob/N1+6vTU4PL144/eKl1J/gWWIMHiSM/29CQrIqnd2Pe0
FL84/Ea+3h0JKyQ/q1uEavWlLM6sKTo75jtr68Gh2+mqqpqWLd7f/Zhu/4DH
ETy/zfQZ+aH2mHzpCKbvJF9mVFGLCWfY42LMu8LavJIStAJbvq+tTS+QLG7h
+N6rPB7KCfayVgPGQbHgFGHhyntWdANXi++qz/Kpke5WUs3z7UqatFA1f+pR
Vdv7sstbURXx4eHX9ITr7M6ViTCFHwlgNiPNzY97eFApnl82nV3d8OnmlgxO
SJ/cSF3QKlfivVVm8GgZePjF9X4Orajmgw/uYIFW+WqQ/IATyNXQlkID7rUC
ndCTrCI5X93vob/++lbtZ2V12ctSQevaD1gAVmIw3CnngDmSNgNNFyRTMW7X
rsQupJBVU6cdlhS4CTA/vSKtoyk685ZfEZKdkJC/Cc96yYquwuw6oFvhF+jL
/y7G/fPeC7VCNd72oef+7+K26n8PNN8LYTlF8h9fjCjyw68//6wD2cTyG2js
59RJnPQapPBzqYYhpZg6j3wa/1S5VtqU6vD+5X9AfQVow/1aVs9qVnZDA3g4
z+4/AIgkP5Y8LWnJbnIx4b0AgFw6NTSgKtVa7X+muKooJ/jP//zPKhxP5RdY
AQ5Lbr/C8pkXON/TylvwMbsEMP3mDD8fklr/vDYkzV73iIPWdWKajbtjI9TG
oj6fj87JDnPJpD4f1LO3UqJKtBtTHbHpW/vOcUPWQn3S7h9C8TSqLYduv7vv
sOHuMh5PFmT2lgrfkrDpuT/HLMpBsc1wdOzMqFbiqcOTZExawVQOdNO8NFSO
HDeztyAYBu9l48u+AjYBfgUtQvoZeH74ebo7DmuaKCUuN5WluneqHXuxh/O1
6MS3HXGYmNhCWLRn3nL+Uvk1vfvll69FRWx+i+nyNnlfYAFo9K8vUK3aPYAl
1BD43whVgwQWxN4z+raZEXYsmRjySDEX5oTk8IiYsZg5G0wCSVjB72Ybd4PP
BH4jru2Y5yJTZPtHNUHQxZo/0rwYqWNVoBxkQ49tf8X11uxlM5eRPkW6OQPg
BfKgHX5k2CS+seXR+ag2KE9aY7qMiroKvycmvuzkDLruwN4CMATf7FMDZLbc
YeMO2SLOZmfdsYPVjLBUf6MwI2/t909NQjwOROS0OWDrVkORpJqdULPl2Lqc
VnNsToy9hUdtWXrEXGR0dGpKQxvLtey6WQo2RdbDcdtZSe2g5uiz8YFEG7XT
pe+ELDdbeVSEUeaY2JquIrSSVp/sdw5efU2B0SwOO4Q8jhEO3+HIlo17fWnX
njcuW7ynTaaIN+SRVRdr8+6Gc419XdmhHLUy4p3HTxa2Ly89e2ZqyhmYVfIg
TpfT3WXijJB407Gx+pnDTGppcXRvwYz9mRj0xgImIUNhKCsXYTGPCPc8mJzU
2nKX7NctENOv2xamqPvWpTY9N20vdCjU6gQoi/Q5d0y5G5vRlUvLZTb983F6
sNbrxtmus6deEtZqjQ45GXY4hSR2DNuW68v1+BJPmVMNeAZmuG13GFrxlTPH
Og03OQL4KBLdUK9fotUspqxBTT9pnVp8XlIL1OwPycTXScc42qyE4Uo8ngwj
QudaukauiTlmz4eY3lEYqxmG9FM1/5ZT+rbuV/5EJX/rTw+cZCbeUh4je3eP
+Yq/Hx3Ck95x/RHDrAmFOCLuSJq1RTFsMGhH6Ypmi28FoRr2EJnfcnv1cJnZ
e/QSx9hS0KLZXJK7b2+7RZdfRcgwVPXI3IPe9+rhohtSx1PYNp2uaHlNyp0L
ax6bt0bSWB6LNDNy92F73hm5liKxAb5Pusp5OJxtiCl7mqviaLEX+6HM8jzm
kaTDq91ovaH2q/AkLblu1F0skf3g5LXNUzdq1sZO2xjgbSS+GLi6DXpri2rK
9ngfKJg3IAfK6eBuW7Y+GbDLlXaZRCaLGUE09gfIIV5iDWmBLhMjNluDyyKy
eu0OOege0e7+0J52Bg1HjmsOUpe9uiQc1EQ25YFpMi2s21uuCSEOhG4DqOqE
UD3zsKHZiGiq2wW2QieHHjEIJCMwmo31wUcujbG433Ua22AxFoX15djdj7xg
iE334VI/i9S2x+ojLoz2Jk3OZ/ueOlmfD8HSomerJs9gF14YUFoLcByjkZAg
+q3ovNWxt8eq+BTMfNRBW9tFuQbeLwf9HqenBWO0TbrJcmXuWPLkJNOw3Yib
DHfRbWy8Bv5pI7DobFUL5iWnN2JHi0F9y7qish04TTXUxe4BwEnT7mALOQR2
IrLqq4nmjbslpze/TBanhXJCZsPRpkZK7c2lJSW9i8BtpqSxtvrK7lBXl1hr
6D1wemCIn/o9tGFuO9Fqbc7OptHsWKsIR5Nx0lG7B7TVmPo9ume2pWEydvVn
BgFuZvmzXF/E1LmSZSCTOWrvqAZNCyN7ro1sjxqqAbemiblrkxqrWosxnlAs
NVOGNrMQLFTk6BYzarmkeTI3QmtP7j1zxeLJAleHLEOGYNIF6XcWZTOOWqdH
m5HGqxE7tCeaVU9YhHdVxDsJTi8SxrwhN/o48DY7uj4R1yjfpOo+Ttl0Igj+
bMGRLRrd0KJgkJJDx+zIDlco3xZsilmj1FHiIpcfIOSKN1zGJn6/SzZTpTRC
pTubnWT9tGs05ir7yIEeTxY2iOV1OGqfdzEuaxsBbQ4nwqG2sWn8TCGxxCa7
k0R5g9NQ4mgrGNR5S2mdev3t1I30xVw8LnSM3zHWwbpECk2sa9iUlBbT0VQ8
LjGxF+/jVZRgHYaYH6XF3pE8dD3stWeRpwHALAa65A7O4+PE2OsJPe6efXm7
EnlupDr+ft8LtjF12PAsFsecHeDdzkweWZS0isc+PfDFUWcii2O/y3hHV9b8
pNtc0KO1ZeidqeTMd6vVauvJrUFLEus62u8faD2JKTy4DAeHBs3zXg9RVX8k
M0mItvb2EZMPF7MvIOJiRnozbzQZqgc5saaXfSAddYRG9M5qsPBVqu5dFHzr
4fiYwBOaNW2Rts7j7eDAo8bZkKzD0B/tG6veYTwy9QluZayPpHTiYTtJrsmD
BbbrM+JEJ0PpfN6snoCpmrM2Ma4jeVHNUjfdqSEMvfl2vx5b7W2/pdeP404n
bgfNnhd+Nv/+HJ/8Xzj7mmdaIIH3JQYbVk9mPO0L7ERU6ue9gBuO3NjsKYE4
S3uapIUWqVhIXSIIbz40DtzQbvF7FeUafH+z38TinpqtGj7DCRNHHtsjHrUa
8tAO6EY/Yh3kLLGUKAkIDbGC7V7akdhZzHX8EKAq1ydmhkzzLYZvUa6Ld1qi
N9p1d+pAXb3164hdG4SsJYwYo9b13txGg6QdzzKo4BBJoxY26w0Wp5rMO6K5
PAxmfd2O1dOKaBjJXIwlPWqez/IUQ0V1Nr7ootXcDDYrWp22uMlEIadc2A8F
KhmKBlP3NrxyPjRO64U2au8t/MANLizXWDL1iTYTurFpOD2d2dtCE1WnnCnu
D+tZ1yInsSAPzgcxrA1D22kZu3Mz3kr1tnEk6eNkz/OrpiZs5hHnAZHETpKY
au8wPQFGbvuztcSc6U0nlJosQ/sxskpOdjdqjBXXnbIGsRswSntPKpPGojci
ifV8OD1c+qZiSue96TTOu2MbaxzmY4e0iG3AsnV13zs4tmcvdhsNt9edMNQO
ddxfaL358qT4BN1wNjw30DpNYsRNqH0zvExYuevzurTpiV4rWBPTqdsL3+YD
tb6bzoenUB+25wK6nl4EQX86Ff4YJkC+FxA0us0SIBiwviE3caLRYpiNHli9
QByvLVWyVzN2RGNgtCZGdDU+0lbRgtzQ8mbK10382NNMBrdnbAkltKeqSgy7
EsZfvAl1QCbBtultGlGHGW2cxkFfz0HkHALzjNlnNlHPtMSvsYCYrpJkt1vs
2yXowF0I/9Ia1baWYJmDqTAQVHpNnHnv0tuxYjPukdu1s1t6C7Kj4bu6buMY
PZPDc719khFcjD/iCeTzILq5rDGTsXvg/EvtwK5tcdDn2yRLxN1wvNXDMzod
zXFlb/WeGTPkz0IS+F18QRFYxNV9UnYJXhl7kcLTokzYw5UtogxPj1TWuDBE
z1UaesLUVYoWqIN0sS8/MIgm1og4ChoYDfR+x875uaBEYwOdjfpLQh2pk8Fu
FzVWIl13ZrXLQJvoG0sRL6CPCE4OuyqxGx63IsV1h7QDtOKy6nrzUGhusMYq
3JorX8L5fQNbhMBqDmvJ7ICoEbIjmkGbx+JdXI/d0yO4sMX6bXLbHVlYjeuR
NromqEnD6g+xSW+JaIHAXYRLn9CBwUcow7bwtm9g/ZljsJTSQjq8VRMn9eW2
I6wOMufOTzrdX4nDRFmqhoEgm9GRFsk2vpfHa3rYVSJ+uN4KkoC36eVObIzO
GEL7ttHaKFMxDtGl7SLuItSI46BH4RsrnlGzZN7d93n9dNjiq2iMjFY2szlN
uyTCJv2F0o8EZe2Kh6S2nnZped/QzJ28wpnpZqmp/GG+VlZ1gNLPqmlt/JZ0
mE0GM+dEIW1fZHXmsh4KdbVOjpcKEh1mRFPjiIAAs8NSLF/rof6ydUCGcy2i
Z8vOqNn2lrP1vL/qRoS6Jc6RyhOIExz4ho1O+7XJoB27cW8jnPB+1A5rPnLe
oPs9aR7YQX2c1Or+tCs6uwU+3beYqbUNNOTpjPhTfPsPmw9v/VGLCqn+fHZC
pfFGVxJ8dBqgw9asQa0Ogt9mB7yrmVQgXKa9xSAmD/6m7Zwt9ryrcetogfbN
1Z6YMQ46GrhLMgr2BL4fX9ijvgUx8H7DUyEjEIY+DrXZoFm/HPvH/sE4jAAs
Q+TIvRji6e3NQruNIZPwLju1diu3X3d1AAkbYdRqnZFF/zCeHd2j3+Hn9T1W
S876oLPSVcxMhoPzzvX7+gxvd+vTZLKcKEOvTvSmrfoCPW0W/UGLx5bcxj5a
C2sUK+wR37m82x4vVUSp9SPfaWpzfLy44Jt2z52vfICYIwnbrlnVMLFGc7De
ynNpuajPT8E67rTHwdzeMesNMqihve5mOR4u+mPu3CQn9GIiredGk5oeOm1+
ZpGhiqm6HrNNZi2xYt+SWgpyxJVZtF8Zrcs0Wo3X47F2HC/a+sZxNTHU2+G5
tjwGa8DEldZoyKOTiE1al7MxZRPXW+yG0vay2xCMKlwaizVymktdAAbkAYeY
MrkHzqg+RvzFoq6EXSfqrMPWec8epn1baDtdXFOG6Lgn9g/95pCX56FiUe7Z
OpD4/GFojvxRN/wbQvN7Tzzs8OyMsxaybZ9YvSuJx81SVVyKpIYJ2rKOVKD1
OuzUj/wV02/XyP1xPBsIq8n4Yg/NkYiVPLG7HzWaoqAt5GDSxbjFuGkfD6FP
KwPePMiWix65paywHMcsYrnZXFh8QBxOF/diqSQ+DdiSJx5ObLu5cJyThyL9
8fl0Qtoj3RtJ57WwnBJiO9j6/qpzojXHN4MOwGmXoB50t+bhMN71DM5/4Im/
Fdmrg3NEJr1xdy3tMdZUFscBuwIatlnql7YYLqatMJyONUHAnzrjPzGyx9/F
FhNr1TDqzNpqMUNDFAW/z4/sPdvYDHmCoKQhLYGQsU3Z9oWth4jSoGbMiF/z
df5yH1uQCGW9jy2QOjWiHHnUPMtWHWW4VswRBAJs3JHDfUFy1ISxVwjDUzbT
2NAq3uLXdWLMuTQiChNWGxGG6Kp71kQaTMPfrThkwa3F8xzhN1L9fAT9PYNI
n5+PJ4w2aiaM4J1XII7hhv01w4lNub4Jgd1ERM4QZmuxKQg+Kg/5C2vpLc4l
YorwzYXg26xDSRwz6f2RlIBgIovm/jDxvV4UHIOHKYERP5pqid69tJz+zmdq
dXQ7AeGLae56rX2yENix2OZ1Sif1faPretp2pmjcwvLDMR+w+20D79P4Vu1w
3Uu4iJkZx+97y5VaC9YJ6nQDlQsH1oLp1bZ102pG+njroSpy2s3G3Tm7v4Bg
XiE0kgeGETk1ElpCdwbVofVtr4uhS3UbsuM6hg6W0dw44uyo1p3Qq5M927AW
IdjtvY+v2odxvUON+36CrNazUFDHzJoUG303DuMeCC9oHhWa9U2XQmnBidhm
oO0bA0XvTAZBref3KXuqYm19vRVZ+jwgBM9HjttWu8PUDharOKh28Ech+Ljt
dfpSjF94bm5OD1I9nEsXpH+SKQ9DmnjS8IIlPquH8UQ8s5i87+5xr4EP5dlW
vtRVMuRPdykBBO04y+Q8Cq0drYpOHyij0zs9Swk0hNHiHKr9MDzYoh8KU4cJ
m8FUkA9Gc6vHR5VKNHtkDjzGYqjLoGnTLlCP5SLpNlrObvLZbP5zsMR/4Vw+
JzxBNhnctxQwtzTLdhXUaLFOdJR4JWHHvi3vVU9CeTAmY0cPDWou8JEk6HWx
MbEFgsc5l49ogqcFwh5s9lRrtVYXvEBL1NhLKA4/S0SvrzaMJc9SI07AG0y9
x7HoZklxtshbZMSiCKkQFC/h/koZ94H6EQm7n1gL4SxQwsYH+GjPWfx+k0x6
b7K5nNgn10Lm3mSqXrD1jOnpXmu/s1ft7sE0uMkh0AZNA5udALxa73WDuEzF
drJvGgkX0dJbqBhCcyUx6zpD8YvD8K0VRKHUp0jUjrEOQK3SOJZrKtNfLOyJ
xXYI+RTh3oQ+d5dzkzlEAjm0jyiSHLm9ZO+iNi6ed6sxs3fMerLk98be8Qd7
tL3SJVS3vOHsjOmLfjO6+GRo1XRGH4sN0dc3M4tJzufaxgDoRl37xgq7LB1J
G+7n3e2Qdo/MJRnXxie9Nx6Hnb1DXg4TPvT6cJXOr8+sjhws16bZb4X1LoGS
chveoaLI+pBlNyq/VhKTWhlTb9TnFvukVSfOQnNkxQkroPNxfVvnNaXPBJjA
62iz608Yd3k68oo68JQlKzqEyZza896cOdkNrDud2lyjceBEye93WocFJ6KX
lWN0SZEgODOZn2brVh2fnkJEZBxqNBZlv2kOBytkgwFsfhI73hydjOZvS2M6
O0yVgG4OtLOID9e0jXvY04n1x+AO+r1Yp4UiJayDDYaStptgw9pZHmBWc9Ba
SaqNR7jp4nxvQh+SS2c+vjD7aa3Loxe3rh4pkY7UlbhLVHWDzEyqp17Yc5zg
0sGeNJs16uJNVkoJA2FEL9HqtNqjWHbEsLbV5xT/so6i83ghsbuV2cLbKyqW
7eWaTWJ6XVu3mvjwoiZI5IZ9fDCmHBY7dwLKpJvoVmxv5KkUD1i8hI2wJX1o
KghmEi3SE6fj6aXDSoTlMkfm7Nb0cWsTB+NGt70YIuqiTaKRIo/t3XLpEdyi
65g8ZxqTeEz6ynlIjEj6pLUtfbmp8R8xE/opYJoPeT45H7pnhF93SGTd8Phd
w52ILSRotWLK3vTOY39Q64RM/YmJRf8stESWrStFExtBWxvnxVg/87beYFhC
nKM9AVizmLGBrVkDy7nmFzLhtTTcOK2SekNB5qcfmL0AUb/Z1CRgFaTVbtZY
7lcHk0iG2lmZJiqrrMxgSK5ogkB3vdjoaRsOH8Tj9uIU1uOuSLj7gaU3LhMA
AOrkugeU4jg+73D+pIPIsYHgOLJbrUxpPBYHi9mqq2Gd+Ni1k5nOWO1Nq4l6
ijrhBEE+z+ey2z9ZuDB1B2cxSlzfM6ZbiTmyHhLxisZom3PvNNot9EdIKG4N
ezuOpTtdbBIR0qQet5sS0Yl6Sp/llZ26bE8HNipFO7FLtOmdq+35g3boWqvF
SDVOmLkfmcZJSLo1g+T5aX3ssw1+oy4RQbZ3CKGOVTnSyagHoie51aiHQ0Jw
Fh1DBfB7uU0UpNGcJ9iWWYtDf44v6wxO1Q6txs6eNZSaIfrUmCf8toINMPmy
6Y4OejPynA0Wn814MdSDPdJcNvVBbOhS2DW2WHIeDurWUomYvuloCKu4muV3
WHey5zlfcZLLxWcY7uRoCjJpoW1qYMlDYmaKiBo02EMHRNpmW3F3IVavq+h4
KQyE7rnN7XGxI2kggpxe6u0t6Z284UULktnIjXzxFPWG2sRvbdaaNFB72sym
h2uvU1+cekKCIjubFYbHntEZgB5QeG2ybHAzjOgQo4WJPZ1BfwpC+WHz562P
YaclN7a38kyg6n2Calh7dkr1J60BZ0s0H3bnezFeqftkz5tNer7ZI71a64xJ
+1CZdC/0xMAiaz5fSR7ZQNosI9anE55J3ETHdP1yaUWXDtkTt5cJ724RjZzz
00TYdOde/UJ2jGjDnE/1+UJx+B2un5cXZiUMKTvE+GCn1tuJfqifFsuAb9JO
2xlOcWFDXfS3N16PO8r+fOTlpHsmfc89+vXGxmqHTtPpR3HrLNLojhxs6bYw
7bZprc9Gpm/tBgvpqMyU1TQYaPwyWu5dGshguFwPmwi5uASDgcDv2OGMr4u9
hQqwwGUWn/ruttXf9/aLZn19dHdLhR5wfZKKqZq44/RR3Zn3HVJ2FgMOY1dj
tj3fKrQk9ohuG1kaMdIyOBrbDM7H1uokIuvgaAuKdgFaqsWX+V5aDST2vJPa
bsgnQe+i1rhuGEcmqlouz0u2XF9P6KnZ942uf5o0NrHSYURkNxIhhrSG1qlF
+d4+GrsXQkpsqXGqzxoaekx6OO5O6txZX7QYtWe6xGEtnvgeujlcgnVnmDRr
M0tEAKjqyMv5yZpv4kFf0y91UVn7p4s0WaC9MOguQk1xXITjiKk1owZt/bBf
Pi5cQP8oXPgN2ZF3iGGK9WipWeOlDT/31jYpc+iQWjHmVOuhtcs6HpGdxiAa
+aa8kp2E9eMZ32SpBicoo7G/6FrBXGKi+BxPFqzHzw48Jzj1i0OUEYNS85o7
0ienm8NyNQVgpLOrN7fHtSvUGv0xOkWaAsP520gIdSYeS2Z3MIoF5TSy+i1z
SvmnxdHodPpBnbfaPS/w9mucnScdoYwYgLaxjiU0EN0XZdcjezza65j1CEO7
KkA4CM+gNp249ea5x63IyHG5UWfno4LSG6z0kYqsB4K4jyah3SNX5+6hntjs
dIiyDxDDt7IsRkjv91zEM6G83gQtfecYl8OmRjNhbbr1dpcFX++F46h97p6e
mbw/MctCvo/MPGD9D5INYi2buoi2ISl73t04iKe5hDTjJ6ySILM12nM0qyfM
h/aFGa9QbWg0vh2ZEaQMoize4Qc87h9YnDzx7IRiRvU6PUKmc4IeCWtizwyQ
HY33znMCP9ND2hD5iS/t+7sFQbc4lD/NRz1WGFEnGo8ogScobU8xVMMgaIdf
zB3QP4HyqDrXYlgD11y6ASLCkyAgieIQfeZCUCqrLmjBiFbOJpg3fElc+84G
+BQJVZsbnscVvntejCYzfkhvhH3/vHF4f8VRc+4yaTL2ZKdy5Jlt2HWN5eqq
o86YBojoTAQgW1ViCGqoDCnij2ZpGBFgdAm3WFE7Toi+8AibbNaXJd6JrL7g
HVvWPlw1O3IPNdfxNmq28ajjqh6udTZCv32eXpBWOOiOZvX1dCBOaDbWJrP5
aRKqvf34oiREcJj73XDITOY2wWx2R9u9zCaxrHVlvJ8MZXLOHQd+p79LLHd/
Wl4sNTKGpyPXNCW2Le19HQC1tbbBms2Lhy/9rm8vOxtmRXd3bmxoJ4TurPuu
L9bU2WLYGibHJdYZNmb0WdsPOw3d8/hlmHDbiG7Yjr9U7PVhO53W62uTd+Ph
nkJOrQbt6ItltOqwjtw8I2eLUuKmVjsN9nsCVTZdVKBm+7UxEwgJs4HZCQZW
MiaTzn4bYwB+nRAhkeIQb/mLkcTF/Bo10T0zamO1y5xrJlyoh8fOQCaG3XZ7
dkysy9Fh1mytPV+1yLssTWPS7nAndhJqY6O/9cSdIDln7AkE5qdCxJ/5c9th
en5/vblYw+7C7+4AJpiuedxRe+FxTehr4C4SZb42LzRycVbqor4lvMt5SXxm
Df4cDPRfaQsIlrNHimCPOIBiNcuwZYQm+TUx1ly+PhdsXqzz4bpuc8KI3lP2
ZMrhxo4T5k3uoq54i9gpY3ox56JotubnG2gThPOOdih77qiSDLyuvLdZWvDN
DU/zi/UczunGCvHPHOcLytowVaK359cWSls2sRmFZ0C/rdSJpoTQO6lOTai9
0aIb1IThN8KqPumLFr1YCQYuI1R/IUQNbsTPVbSHM2v7xPH6SXD7riz0Ap4w
eM7mJ/M6FfD2hIW24M31a7vORveQZEIsmkZrPLGWZhcX2VAdEQPHtZC2xGrN
XdTC+bWyMeLmmBn5QkKx+7PMTNm3pdZcDaetRjiNE5pQkjc5GG2n3MobIkYL
3Qu6PJSRC3GR5+ROkPvKtOZKpCpOIlFomZP24dStSbUeoaxn6BkNSdqbh3t0
ekhs8kANlnhvIQa99kiwQzFWLrWIHh+gv/VG7YnEkYfGYn4O6nPNWuyEiCS7
mi/Z6uqEMAklaK7EKuh+tE88rDefdLo8v1004+mCNlizaS+7snJsr2tqI45c
UuMYneVWK6WJCX3OY3aJMx1rXkef9UAYc/JGDFlzdFIbamStM205SJffD7et
YHZhCXwKWBvM+1ul4zC8Wtu6x7bMR2DaBV7Y2LakJtkatPh6iHQU1t4PAQAx
adRshg1zmfCSZXZbzaZM9rn6NmrbY2IVeZHc2sy6F27ZqpsJpYl7ec2oJ9VF
8LAhmW6Twd4WYdfBe9LOqHtam9M9ym/XktPTifnHYFvjCWZbTJd3oC3bY19C
bcvkiKLByG7FYg1tMgtse1KlznIBxntqy54cDJFti9eJRrHvIfNKUT9uYHG/
uaWn+nAwPOyRfW07vewQVLOO0ujsYSNnDjyaFX4EPo1PUY/bM/aLwFifw9XW
ZudxY3mw9mP9NOHo8WYJ+iG2/NqMwPXkWdVo48+CPPOyiYsXgnFgGxNPGBsX
ju+FPI4gc6R/llCf3DTUKc9PSMHuj+Z1Y0OtsYjFN8SmYbs/LlUyMOoEbuuu
OlEm1nEwwwWf9sWJ19Dlk1sbXHhLq4Xb9bhVpN3ucUDPHAliGEmnMUZNF0vK
tjwj3NVjJmj1kR0TslELEycXnewIirVhkrHnzVEdHwXUDpG77GUZCZh76OxG
a51h1U671te3w3AY1/BQxV25t8Z7tc5ems3k5dafoBNq2qYRq4nWN0efPdjY
0qpvYiQSuhsaF4eRfKpPu9K8qZNic9k9HghZQp3J+VhfnPE1u2zFAeqzi4Ui
GJs63iQH3Hw4RM6KftEvJh7G7lkjVA5do5514umg7a+WzTWpdRFZ1ToLETkY
ktRtOmcQJVLeoq9beONo863udExvJ8SUs0Z2tK0T034Y+BGSHHr6hrsQ6LYb
H0AzY3MenBqXZKZMx3VDnRxnu82xEW7roYhZvW60JJrxhneshKgRg7rbbRx1
Q7PowYzejif6drUxdkLIYAbOuonKJ88WUhp/jn/+YYr7xlkzuk6hpH4eW8xm
biiD3ZlfbAkEtZRDA1WUSffcnTfnuz7+9kZ2F/LO3jeOpBtedkEvHCCR6xrS
aMmMsFlvhtQcjhYnBxF4YNYm64tNQDBTcyl2VCxOApI9s6YkexuWQBPKq4en
i99lWkPWtJGpeh5cAuDFL62ZXAvmMt1atWJq0aHWmj5RNHJl0V2/Y853FIjx
BmR3eWy0J81WMlwNx8GeUtqbeNJdu21/TBGEF7U7M2RE1rlZGDAoOzhcIh31
O20McRfyfHTEagBLXk5cm6I6fk9YDoIjOT0t2nPSrs3o5pyv1/au7agt1T41
TqNlazjcHZywY28oedNao2qLq4fbjsQ2N1LQNs/cJiDbMrNv6m4U4HrXnV16
pN1n2xHeHplKg0Qx+SzvEfzkonUB22jRBVtdBEqdWB2b3IjYZDPTtL7pt+st
69QaxicGn24be3vtLsPhorEJHyYHGn/UyzxPDnzT0TTX5wu/asnIFp2SalMb
d44DPWLnBFM7+8QKNHeyOzNVPxXmLvMGfNeZx8tGZxl3Lke1Y9aIg94dz0Q/
Rk/CYkPICKFaPt82xQeO5lsRdrA5Gqcus4yn85EduBenNmkON7VR0zXXwKRO
j3I3wuRLcz9Rnk3YPzHCnr9H1Yngbjz1YrAA+c5YTg0VpwW0CJlSOC3NOKUu
O7Yo1v0ARJbmYkz3RderS5a//1aNtOiQ6Ia1T9IoWjJWGK3qhiURNCoMCRzu
UZiPKVNdG57GTVgQaY+YNcEIMI/1B6NVH7FQpj4PT9tRT2jsjUdeCsMcQsTR
vtqrJ/Jss6OnMzeRzAFB9MnBbIV2W50RpetEez3mT3SM9Im+PqpZTDiiFts1
hxDb6WBC7veOb1BO57SnFcZzkWQaTHb6YrQcdtYIETUW3cYhmdTH1HiEI7Z+
wmcnkQ9latWYu3IYrIj1TonYJb4kBof5zjrGlOKcl+o6mXNkb39qHjfKUnc7
+HwoiqeBy/NNbDRZ07WT2pZ9cXn2Lt22tdVswR1HnpyMZhdmMjoqNgoCZJ9l
jWBvbhdmY6/ZdUY7JhNfDCbnywWXl5iITTlaXQ7PYnuHj2JArKaxBwTdSi12
K8fGcRpO3PjCsRZi281pb3lsu4iMNol9y5u0J61wedGM/nG4jycyj8o27q0I
bHz2l8tG02aao+VB45bcXbSKR0dusacvBgjI6o0z0cJ67OLZNgMvYtnltNYe
g3DDTmJ8r2IrnluZ4XJJatpSGe56GGMjwSUkP5tEf47j+y+bQsJo4khDvKW4
fVMe94fsmNovRvxBsw2OwXuMiBiEVCdP3HAiUZbhKyN/QfE9XoVL+WxL0wer
jc0lyy43jQ7ddbAb66SMq9TsRA6Rmhv7B2OLLcent1VH2+9YKZ5GCGuKrPDW
no7tZNy4jFf2cMkClEIjx64SOt4sbPVWItJHKV8YGUNE85bqGAtM+v/r7cuW
HEWTNe/zKcJqbs45VophR9RcjAECJAQIscONjH3fQRK09aONzSPNKwxIkRmR
VZHV3dVVxywtMyIF/+L+uX/uP5K+IJkxiLVh3tvtpjwGxosQmVoP+GKG3tuE
tAS7MlmqMVup4FTSIX3mohIMRcYANJW9v6xFmWIxGS+lbDXCrdseJJsmUWJp
1M4SFiDT3jdgIa597Y6cDBi6yUNJzMMUyJwhkJBxTujd/UJOQ5krXnoFQDPb
46BpXqlQZYo9VXCFVGywAewP163harLe0CfYu6RuLXipck/2l1lLhd7IeDZV
Llyo1nhLVeWVsU9X73Ku/CNHpbAi3+oTT40H1Gf4yHBqqA6rtnAxcI/FhXly
Zw4rbkNMAvaMTICHd6Hg2gf1fAmJRCnqZOYytd8HmCnYt9cCN06QcLe0ZENr
B7DdRRgbfvrUHv73+znkj9KshKa+hiVXatf0PuFCA1haUb+juP6aIoakSfVB
CrMjWtH2B5oFmNA+x3HB536epIaMutw8def90q43egAT58I7oPC+Mr9mgY80
i/wuxzJiBLClG1kgvWPoIcX9K206QXC6zlc5gi9VaR1gIkxP4PYH6QH5qwj2
/DEzsJpp35QSTJwivp8BhT3DSiNBEnQGA9fhFDmoGkjn7Hkx+WAy+XwyjUab
l07kT+vnTHnUuQGDpI0jWwVwEK+31jig5GhWebVRk5SFNfTOQkfy/BlTBscb
Dza1xZt6ZMwC14G6R0d842y9OzIIxcyKt8L3NoqEBDUwlm2k+BceB5p7bA6Y
yDTsnWSDrTPv9JkbMscbkBz00atPW9uLJWhbnNdthmQFX55jDWuCNmayE78P
YGaL7OMmEVR6swNBXDGa/X5T5HqDS8d4m3g8hjvdrpKv2oW/NeRtuyW2QWoe
NtzUw0dsUOs7oAh71iiCvZbxZ5OBtoxsmjwW3vKiDaBtF2uiv51LqFgQ6cIN
mpxU+65T0OGM0bmO67jqylJnwkbfBAbtNZmbnfxEMw9Und/TxLtPhz18WMwn
JnaW+F3OKoLHgtbFDZxMY8FqofiKUqeKrJgebSGFYu6hJNgetvMJbbebMwMA
iDvTWnjZ9F3CH4ul8N6oBXvoXRb5IXT/Elr704D7akNqLW0a/xZiqLL0TnXp
Gtskzlsb7akKHAhDaCCbuIC6/vrannmw6+mTYAAO1LPnBBSz3JYhoRyh0wWJ
IX5p5EyVl9r4KhulVTO1iQs9bkq+iRCuavMpWS4QuJiwFiUysm3lpidHV5BB
8Yik5CYxWUAQIpo8i+hN1bbYJTxB4e2mRhZz03q+FsP2BpFIoaXRWPClpG0P
1n5OFu+XpTAqdZVeRL3ZodJMT/hFRCYPvYK3M0D7XpZSvFOBiE0EYyQDVyxn
awUFfJdAu0NUjCii7S/pxiFoJeT3DlUW/tHvx4VsZXxPN+c7BhgK3bAOcejV
wznm+BE5q+J81uqdY2LXpFLP1By2bnSnEWALCV0C28UZAmmax8jsxIzqYF+v
gx1gdlgS3J0Dcfty3njoFMpsV0Hx3gUy3L3W7fHcalk6alzWjWyYMVRWZZ/2
c8i/yTLoP8syCLL9wDFR1lLczRx1JKqDTiPBjqyk7R00p/wo1hfRqtld0PfH
bq4vLJmBVxwo+TsaVJgT8FsC02Jg7wuqnBUf36vl3ggM97xM9xqFFzoB3CoH
gIlk5cwpe9qgwVAPRLzXTjvhWsmWXaUOoN6Bm2imeLwX2D3EnWXZh1Ak/i1H
ob/LUUYhFiwjJgnSK05QVoDqHHy3AxXk3l9isMgAxPCmRieF8w8CHf2rOOq7
6tX0GLBXckNyuRjwQX4Jb3AUWclVTSnxM1aV9skS5v7d4+qbxDppaFHGWb8r
fx5HEamr1Q3qFaafA7p/qeduv7QxrclGR3WH1Yh/oQkE5JdCa6p8Y0rkHXYr
5noizwR1DjwI3nFzrN5yH/mMw05L6+JpqHDL/Hq/1OeVqiH0vdufN8Kug6Pq
mFkAruW3JsadKLBYW9MPJwzGzncDZ2/sQhSnwpBARDkHO/LEUePuOMquXpgh
3ZXXrULpUg4ad1XI2j0xbC5Z3hqO3+2O/CG4GFvaHKFttCUz2Fl1wkRqmsI7
NHXBiUj9qYIXAtolJ4xmzn3uTDdJT509OO1cTlVRMxn8JLgmhws3V/Kth3vU
GM8MreLU5nAryu3VmY5sXka7eOiQW6YeVSTytdsgX9gNfprsqxXPnEhZEK0F
3kx2FI8IR8vLmJsZbXRGlFwh7/0lQQabanCxJkq4HYUg3mAPtZ8Yu5lEZv98
NQk6Yi5EWEIJ6DdcetYVFypvpc64w6QxCEo1vrFwxSXWUTvmxftS9e5VySN+
CO2/hMP+NGC/dk5FHypipi4NgybE/TLttym+Z7h4qUtAgmJIokHgQUB5MDFP
S1M9XKltYyFqH7TarhWTMCZu1o1DHP/1VSvFJLtUiCEQwO2U+1sr2ocXeUfX
jXWP4IlYft9EfieptOC6nN1XXLdwrevgy8yMBCD1fImCWUD3eA8n1l7IQDkj
4m5U6P6oahnO34Tck/c6f5LubZVih5D3LRyzMYttetv0N7yMQJ7Qarre8ExV
EcMZ9KL+JDTJcUQPbWsfys4Uk32FlcdmM98BUUbEWdjJeJinBogHQDST8AD7
+yxFbTCruYjG20kIcAw5ENcpoguapGSNuZo1W8b9hUuIZUqVlgi1NpKFzwhY
ind3PUBKkdEjP0Bh8L5X9GG7dwnSqLJC26tMMu7rjOzkM1EH00Du3SrR4Q3I
UDJNO8dD5cYDfaqa0jsjhC7mQw+oLZ/VezCf0669uQzWStDIzmCjhH0lVIPu
f8px6L/Lcf/CmeX3NKfScd8PEQmWmVBmGKJM+zuZaakUEdbFQPih38+sfBCw
YNcUu5p1g9voijDJTJ28E2TB7JxwyqtrJnx8dFbvcI7q7ko9+ODxQGTp5giE
ZnflLPpGQnf6dkBsD8Zwke/DETeBQxhrRBttN8dDVLryXq78usa3x1n65NEa
+o9OPF3XjMO7dCD8AhzAvIRja974puce4UjlnO5csSi8I2TV/SHT/YUnnvqv
j2sS2wgqx1qKfa3IvB0LiOYwiFBghymYGRCfqLNU6kDg+gU7Kpk+K7virEOs
8o/eR2CWimMAheprBartWc2GG0yawHqpkQ0zZw9LuTEHRo0EALHzdzZ4NgzJ
1iXANAgnYMDUKYJa2/M7H2osXwWXQHEUzQhYCbqfl7wUuRz6xz/R/TwcXTqQ
Fk2QoeDOOukBnz7Cay4qKfsueq4u0HHwnWS62/BZ5LCLlqYcNtLVNlMKIFJz
9AIEI0S3VWlrZ45r6Gs64C4bFJcDZx2DdszNTG37Y8L4GQzzeG+QPhRPcXI3
NzBn2JswO/KB7kBojGGGfTjP+tzixlbHRc3jhLCv59bDwPCY26ciVZVSEcY6
F3eEmNb0xIl4nutz2SUnEVL9oKGxmIidzMsrsfD0gu6XtrG0jlsIFsjgboi9
N5Kd08XTlCCXpC0zk2xFXKbxvQujDeOTcFqrGyJ0bmo8HyVW6F2oiIXWPs58
yE8AFw00kR+N8dJ3FW/Aw5R2u2tM7suT2gO9WnFqISwvw4di4YpW4cqDrd4X
/Bo0Z2HXNBFObcSBB9AQpNz+7nA0uhmMVIuCcEL8hrxWl+vQ3eMflEu+32sc
xMy9IcyDjKMIZNxDAKcO7bIFA2Zz9mSi22qwofZOHLfz3Z+3F8EkqU7PydLu
fi8I/xpa/m8LQa1kbY8jRNU6oGeTv6kV5dpgwwZQAJlGwPslyHgM3xs7ZwlF
dqlfGijYK2zIoPkZumPnpYsN9URa/mUNZtgvlX/kzTqi7IvruVCigEMfX9p2
Ur32AIuUwGwcF4s2e48TRUrRglMR3kkMU33wtC/PW9zzpfKkjSC9qefxDJ8I
j0MrwH1tMLyCAuPWsgv85cF5NSW21eUbF+XnSSaUqOIKwZXvpXSXr4GI4Nat
qDJ5f+Y7YOdgO1MznY6C7e0Wa/WltES0gDzcC/NuISfeC4monW6FjuIRR+WY
A+HHk3HHnX0MHwSa86sIv3hE1fJCceTbeGtzEmddQn2HHXJrGK62WPWTj4+y
ie6OGteWHazM8p0eFPHO+/mwaXYV1hU8LfQXBFACY08p2NGVqukoQ7pk1Zsw
igNG31MlAEsNyh5zmJH1XSbBIWzXY1nSIWeaB8JtLLCrA860XQw9J7vSciPH
Pex5HtrwByWymQM/TC52Si+mhe865bDUcsEt20m0oNTAmasPdQBqt6z1Czw/
SSOzVwalEgyr88uUu/vT4B/Eo4oeUw+rDsPhdXcBetg9eVCdsHgkFHdVwZlP
30GD/vsnrtgfKxJux0qeqfKMbYA4Y9x7wks2VnJAudv1hnPZX90ELO1Z3uW6
GcvK4WzdOhgSdlmdmOpO0Ljw0IL7M3rEPvbCgmiNmt36lIlZ+s0fMpw4GeU4
ZpAMYRnFb3V3xgKgd0OY6zzuxBh212MsR92aZNa26XqaY5MzMkr6b4sE7Hcr
BC9rkE11Hpk8RRrUwcPbDlb9bKBuIxwXLHYKoqI2xDoNf/SuY+yvKg/sj3kp
dSsSEExUCXSjczXlJhk17FgBI4JS5lYKHcD67EB3TsqJ3CnvVyMHr65pwH9e
L9xRqWyWB3ULqqckLGgr0CxHGeUalkHvVmf3UuFjsMmiWe/nmRq3ChizCoVN
PdHCjdtdbYZILQ5sr/ln5K551j0jNpQdC7ENitlpZ8rcgmsEksBeCGg2yEKr
7XEeAS01rJlEyw+oneLEVl2c13cGk21L7ypknnPguQymUCVuD0wE7gkMM2dG
Qq/bYlZPPh3CwMAeJEGxr24j0BGmOjHVYqggxUECM2rgmTNUzGmBSJViMtf7
SfOAhBlMu5V834ME1jkeYZbf+AtIyLbY3YhsNrH5stOBC39del+wSgzrbKqU
1dsDcydg5CB0Z/mShBubDw+USVdlcmumxfwnvA8u3R1gtkJzOsQz0sZJ5cNq
yUwo7p2KzTUhmpS+Ejm30evNGTzMETqdShHNkHEDjJKmHSpeTozamkp9D9N7
dbh7ZCOf2paK7EOM3RtqFGDGMY/a0qiJReD13LnOPHEeZzTXS8iZfwjtv4R0
/zRgvwo0zIzW5gIISp+ZIQ3TpBlkFd7RbtRbt60AqacYxyU6Tc302M3NOGCT
kbW7VLLi20JD7rFrs20Ypf3rq8NJTal7zvGq3eWdP+8vJlQdRt0dmWo7uFp+
LQDUiuUhHLOT56kQHRzyPFfce39lxlLSOHbwcbAyU2ZALzpOzXttJ0b4nY4E
qTDqTkQb5Wpo5pyyQJYLJCDr4UaW73FlGU7QkNzmHNHOvoB3UD+a2y2HiIy1
J1glPLh7ZW9RF0VGon5nt4rKHKEUiE9zesDT0y1HJs6gcyEXD2i8dQ9nI4sP
PtnwwgbUxmIGiaTouONdFJGYiSjcEM7xCZ4bTd6hSXKkfKiODvsoYsbm5kpF
TESelIM4TtyOV+G+844dZU73RBFzamM7wyaKaaP1ioN/sdF70LoC03FUrEuN
dGgLCbmR45hSqMG70dEBstkNBrFg63tfyVoCWgUA9bFCOP25wNSNywTs/tNe
GPs3OQ7/Y19JOm8xwHc7h6DVu5ZZNS4eMTS5aK5j4WmTQqmeXKhkY8go8uHD
OilhAdetfPOl2OtrMSHnzYKfk+yy+mZDncnYNGbeOEVhUH98w09esPcaMOod
LJ/S8HDcQYcLdkKaaawtEEfR6dJtxQnOhU++hxv/XWazuUCQU6eqgasB5/xx
RHJGPDPZEb6MDctCu0vB7iKQZW/5D8If/6uYzf+YABwFUkSdK1yv3N6Cwp5d
oBECTekUHVQUsxFEkAB9xuHEXIk8xmGcjOWUKuj+xA/h8n2cloVKTnFTYSXT
tWLu+OVsCL2FGYRrk51hk1kMCUwK9Yl5rptQFDu0Qgxpf8npcGwtJYCEgc3O
ARSavaWRfr/9jOWqCdkbYjX0tDylmcEOJwRs1Ea6ZGMvcQPp2tnuEhdMnJ+L
pVnkx92Uap5AXA6xmfmle75u3MTX6gRrxr7vfQ3GT3lKoDsKxXTmCPbx7QrB
JYro8Y7dqfAZ0g/ItlHmuD9JIh/4CLbRs5a2rrvY45yIxMmo2pQ0xzs1AWgd
dJ52YhNeb/YV2TgBVgQ36NyxeKNb1knQ5e2UQPa2dSiczyf9KqHxfns+LMmG
BkF3A21s01RPMB83PKKgoM2o5InHRM81oXpwdJy3Cc7Eg2NzC+ByKrHDnUfq
6qZeSSovDZdV2/uJoQp1UIW0KxSgj8CW2B8vcbXd76WscKWFFKCJgWkEYlTN
JOs9OLrNNRLdM8+Ajsnh3YjjlUideVm5k94msDSdd+EsNH70QRH8r2G5Pw3k
r5QAkcxOdxKlL27jPB0D42i43I1q2GK6qPHSKkzQTYuXbnuKag8a6OAKqLGE
nUQFxPK00B0Qz5ZcDHDzDWgK+8iVwNZ+fQU2O+MImxJ/V1ULSSrgGLOFgVwV
FUl5IZXoMisIHjkfaTs9zWWwL03rSiGiimK3U9kYyc7zauNAA7cTde/1wjxY
S70hETu1GDfprYjTtjMy6IqBQmdt2ozCRTIGLHR3XmxsxpveJfMkggqGR2ag
DJ1DQBY2AV+uManvj/W+V5sLs9gR2vKD0FE6uDX3VxgJ9ydpNnvDDrLN5LtU
K+hk7kd2V0hOZzS0slTtkpWPpzJP2u6wmJIpMNxwDBuVIu86sQqZ520cINDt
SmoBl0Px7ZLtnBCMrjMnjcYmRHV6fQqDMj3Ulb0QbqoopC5EuhA2VDn9zVSh
tgquM+aQEkscM+gs8hYtSLiiqIKQyei2v9fTzqG3lUIF/L3nj5a/5dDQZgUe
pHzk9inj4f8u4/3h7+EGqxLZz5fL2JH8qazOtYZs6CBwPaQ8xDdJZpv6UraX
y37MP5AeMEeblqSIIy9jbTzYkipjohYY1H2OKddPzpAVxHR/yrcfSW9LN3SQ
kywKcheblz2IOMHCUaCOWuodEXZvnojCDpNZaJlPSO8fnfmqooufwEI9qikk
8HRagXLkLO0hfuSO+YTWauSKJ0I/2eaPPjqP/4Vnvv6vD5w0zWRgbWZ7HRg0
V+NFNZcaL2PPTtGopr5+a04guHAOeqBU2joonwxDNo2A+ic+OzYpZTNLc3IM
cx5wNRFwoaF2YIle6ur9iWM51QxGdUepfqEM/lJl+zkAnCuDFXWDdTMbUTie
cotCDCsjM0u+UtnG0XIUkDL+fGJ5zdXR0jD7yc9YXWGdP/7g9XkG3FvMdiOL
GyqMVQyD8c8INA638a4iWi3n9HaPwveyY2P1SLZ+GYzJjq+Lktj05WY49+h+
KWyvMW3eaMcL9z4sY8igkLautW1B7ru4tV3xruHMwb1RF9Po0Ik8BeKIzHI/
9a6e5keSw1xHmG5NwLgnrsK0Ox1ouj/zZ5TwZne7RLYvc7Mc5PV2xuGzTlWj
XXVgoRe8ORGNmUFEeTNuHE8CGkFez6MvBbG3Lc4M4zdy6roZp8r2wTIwKzzq
58Ir9H7gClDFAtXXBZe+oQpp4TFZ7EthJ7LAWeS2+yYNk3qBRLQ7MUCstEkx
gtPNx4iNdUEY9cz6xBUZmgTvsMqmgolo3U0gX9rQoPoh3o3XMQBy/7zHrLKe
Y0LWyFrdmPhFIHH3MDLlyHx3BnzAd5RdXyB75iCehkszjTL2R1+6RflMEtU2
a4i7fLqQWZLQNFkS+GSfNnyc0sVpdwI6oW2BHCgO8jhsFDly2/3xoHnH7Q+/
HB//y86A/ztDUupCGrz6ppKLHDFJmj0FlsEHE8iocwGb1ZKoCkd0zR5wQf9+
NiVLsJLO01gpLOK7WKK0qZGTD/CoB6GQCheZVkqKYzSgaSVQUPqwwjE3nzmj
phmctJ3yeGR8gydiRmK04xRsIUNgg0QVM9+2cXymNiBDDyEvsDlHGCex3+FX
fb5l+rn29+dmdi9dtX29OHuZv0edqDRKP6TwK7LBk2u10RgUoZ0SSnBwxyDU
BinxDYhBA8gZ3DYSIruph5uA0umAeCeE8TXN6ROrYetisPfpZFW5nmjDFUvA
iccIcOOI4nYIbMuTQsK8uHaPTeFx22+GpeF3alzwvRqPaktS9jmUbJR4W1x4
at7VYp2Z28ZA1b0e5scbkvn+dmspU3JQUgGc6vOlOpy6wobK/KrTfmm7LcQf
tZvFNgCYi0RoUuQltzNg4S7yWB2ZPp2bhO3U1EqbWtipuztQsS3Gp6lVUXXr
9iGkE5e59cD0gmOyhdeqPkaXmuIFWGYJqJU8sDOzhEszvGiiCAlJjBonE5Is
yHPvFNqSDoUcnYLVsBt0Eax5GgyDCeo4xecyiktVQeiN/UoFDRJsptQJenIs
wE6EspL89F24+B8/E36IYYVV8L0U1lPS6oX086q+FWEQP1RG12mrsfTCLgyW
4dxiIeG/f6p3WITXsHPjh7TbfXholr387W//+5vCo/9Vqevvf3/9YoYvt3os
gpcizcM3jbEq/6Kk/rrWF8rtqrD/+Yu4vkqlfVI3P3+hlv1VL7RbNl5YFMuL
S2546D8G7s9fdqG3WKIuwmn52b2mwcuuruKfv9BJl/ZDvTLKy6Fy/bT++Yvs
jsXLcZpXwv/5y6Fwu/RFSMf+6rrdMpQUpsWLuEqcVj9/Id1u2ZvsdqGfpz9/
YdMibV7UvM7d5UU19NwlPJZVqUuWmsNlUf/v//6fLvVfjKny8/DnL8vivsgP
aUM7DN+UycK0e/FXvcrUGx/SYl+FVL+z5+vqjK+qlS/7dRPd9ANvbCDoy5f/
elEeIm/B21usV3ys2m7Po5XHb8Njmi5sx1Ubro5e3q32+vKiJeH0cluG/uXL
kug378P8NQLXi+eWPxAg18UEwgD6FOn9NjH2L0z8r+g2fz7tYkJwNSEZBF3Y
r8KSXbgKSq5Cd484ePGmlw9ofBvq19hahREh4G2gcBUN/CaUtwrjLRb/KHv4
ulxHF6G78tvYrOKp/TfF4fXSVT+vf8z0VUDvcceqzLkWnM8468Io7LpvSn1/
ihzvPzPNo+R7JKDvZCFB4rH7pinSVZAwWBX9lrT0kparMOJTQfmlH+MlT6xj
L1b9Fh6P27dPIN/WqvrXMqPxmAZu5YernKIa+mOXDtOq/NqnwZtiX78q+n7V
0QTxLw8DL+EdpU8lya/6s/BT07CuiunH+qJVeHsIn74pUf6vl3pYPf2J9umb
oOMz433TdH39BoPw3hTLHY+BHxN/Pue75urXlLDMrj5UITdqUg8vpHz4XkcX
ewV/pKL7+rBjtXgmePnpH6phMk+A/bTMuxZ5/+Cq951Vq5se20urFRxPavqf
7wzVuOkDNU//uEX4fm87LiNH0/qqXzxESZdNL6hoXoh1U5/Itq7Z9OV5CQh/
vOaD9uqCYfepXFmOxZCucpgLjtOlgl6Qt07+VFddYvNd6PORWt70Ln8HW8vy
llUuK3hkoDVbv3yQuX20gsualj9LGK+htSA/Tqufnp54KMYGq/omAmyxZyZ7
SnoSMP50l94smFgto+7Xt2e+SCdtnVPUVe3x80ofq/xyF67Gcv2u7vsVjsuK
vjfSD/BVrlB9t/8qBMo8AvTpxnfLfdDXrFczbbY4hHrpd+b7RJp8ibLiEWaP
FPSWTN5t19RpNSxrXb38Vb34LVz71Wp/+9uPcCw+aO2bQvhzi+tvD0cs46XV
YptymeoaPjPV0qWsW12SAPZIAk+V6MVsj5kerNKv+XVJ5u8KxstAnwkbL/+9
ADV+Y581ND54/TEHus6xexOs/X2t5d9Ou1jkIcH6ZtfH+N/EoNPhoXO8GuFN
z3q55Knru5R83wRwnwq6Kyoea/wVa/4QEWswvcm7Div5P7LYWBTTpv862UeX
/0BMeR3+90SQ+2dmXDb22IabBs8pP9EtfvGXWqqqX4qldlsCyAs/ah4/6eJN
ZrxfPbz48mG9H8oU/9fqzOkHNPRwHfJO1s+k9b7hh87319RxeSrBLtt5/VBp
vVHjU0x+xUkzPsWCm+tHwwXvouor/MpxWFLfQj1rpV19Uy7+BuI3+oI/1nR1
1ywYfk7oevW4kMFRfsmXJPWIuuVKNr2vFhofKeynBR/FGISbtQH46aWflrri
vlp/wYefPMqbtyh5OmfNBQS4BZ75/0P8f4vE5WbmczZf9+2tkb4i8pGh01WM
PRjfmPh9E19pa/sKvfykrpWO/0L201JhLcWwv9xIfp+Tl42sTvlptQb07qiH
ivFvHbNe9SjiFkssi3qi6KlnvL4EfF/fmZxAf1bkfaj+H678TY2/+gZ4VDnv
JdJ7fba89ihh9P5NPPuXxRXDT4/4TN9jMPyg+L2mjhUf3sMtbr+mw4cg9n11
4UPg+TtN6tUkj0ga3qJyiaV/DKkXkbTXgHqoprtPcfFH+lyvebm6xfgowICP
RdPTDav1AOwdjI/lPMjkifXlt0u+BPUDSJ/0Mf/1nIckd49tPTL4439+labW
kqu+vYRlMzzSKoB+DIAF0E9zf4yBxzDvmuFrtfMgqWcs/A8I/OXRHi92eeRF
6bAwqSq/bAFgaZnwFUQPzwdvJLUub1nUZlmU2/Rj8Wa4cGlKq7QvPw4NEr8s
rUAVfBXvflS8b7BdyoZ1jR+v3v7yQMQS/B9SxIrvbzh+tIRvd73VVgsyv0YM
vhR6//Gr6HgT/64+hNC6+v/8mHne74de/uN7cvvPBycvEfCYfK0lNutZdu3X
xdIpDqsK+ceRHqZWw2FpVB6I+ZZl12EWXL257evig3Bw02Jh2+rN+0uXtULg
50dHtMbgV+oI3iljtf/j6k/Z6oEJ5Mu7Vd+MuvRj3QcufFkqtsVIS1rs+p9f
mvDRcj9Rt+DjUW3W1brp1eWPMeEv39m8/2DzZW8LA/njs9D6YL1vsP7UJAuU
v/L5MoLvdt30XMGbkzffCqDlIvexb69+C6rnmqAP+0R++R2rPLLML8squ5++
4+o1SOqntvr4RN4Pl/vuNearQP17r9S/oK/gz8tf0MNbS8fx+pbeliGfNd56
GvEc/fno5plNvoref6u+X8bq28OSr1z9FnG/9jL4tYlc6C0MA28B4zO9+EuS
e9zkBvW39CkvXLQ4/VsWfoTZmqPWBTd9/jTrM/msTc2jd//s1Kxfs+rCbWtb
8mvSfuzvMdDDWtm49PG/qXO/nq3078nycd+jjnxs4NmQvRdub3T1CI/fvLZY
4sFa9EILwyMHpsNKv0uvkq9Ajrt6ceZ1Afojetbxn9TdJe4m+3retnkjmzW3
/3/9K0e4VxoBAA==

-->

</rfc>
