<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lake-pqsuites-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <?v3xml2rfc silence="Found SVG with width or height specified"?>
  <front>
    <title abbrev="LAKE PQC">Quantum-Resistant Cipher Suites for LAKE</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-lake-pqsuites-00"/>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization>Ericsson</organization>
      <address>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>LAKE Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 69?>

<t>The Lightweight Authenticated Key Exchange (LAKE) protocol, also known as Ephemeral Diffie-Hellman over COSE (EDHOC), achieves post-quantum security by adding new cipher suites with quantum-resistant algorithms, such as ML-DSA for digital signatures and ML-KEM for key exchange. This document specifies how the LAKE protocol operates in a post-quantum setting using both signature-based and PSK-based authentication methods, and defines corresponding cipher suites.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-lake-pqsuites/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Lightweight Authenticated Key Exchange Working Group mailing list (<eref target="mailto:lake@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/lake/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/lake/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/gselander/pq-suites"/>.</t>
    </note>
  </front>
  <middle>
    <?line 73?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Lightweight Authenticated Key Exchange (LAKE) protocol defined in <xref target="RFC9528"/>, also known as Ephemeral Diffie-Hellman over COSE (EDHOC), supports the use of multiple authentication methods and the negotiation of cipher suites based on COSE algorithms. Currently, four asymmetric authentication methods (0, 1, 2, and 3) are defined. In addition, a symmetric key-based authentication method is being developed, see <xref target="I-D.ietf-lake-edhoc-psk"/>.</t>
      <t>Currently defined cipher suites rely on Elliptic Curve Cryptography (ECC) for key exchange and authentication, making them vulnerable in the event that a Cryptographically Relevant Quantum Computer (CRQC) is constructed.</t>
      <t>This document specifies how the LAKE protocol can operate in a post-quantum setting using both signature-based and PSK-based authentication, and defines corresponding cipher suites. With this modification the protocol is no longer dependent on Diffie-Hellman which makes EDHOC a misnomer and we henceforth use the name LAKE for the protocol.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
        </t>
        <t>Readers are expected to be familiar with <xref target="RFC9528"/>. To avoid misunderstanding of the capabilities of the protocol, the name EDHOC is replaced by LAKE. To avoid misunderstanding with terminology from <xref target="RFC9528"/>, the prefix EDHOC is retained when needed, for example in the IANA registries.</t>
      </section>
    </section>
    <section anchor="lake-with-quantum-resistant-algorithms">
      <name>LAKE with Quantum-Resistant Algorithms</name>
      <t>Method 0 in <xref target="RFC9528"/>, which uses digital signatures for authentication by both the Initiator and Responder, and also the PSK method in <xref target="I-D.ietf-lake-edhoc-psk"/>, is straightforward to use with standardized post-quantum algorithms.</t>
      <t>A quantum-resistant signature algorithm, such as ML-DSA <xref target="I-D.ietf-cose-dilithium"/>, is a drop-in replacement for classical signature algorithms such as ECDSA. For post-quantum secure key exchange, a quantum-resistant Key Encapsulation Mechanism (KEM), such as ML-KEM <xref target="I-D.ietf-jose-pqc-kem"/>, can be applied directly to the LAKE protocol, as is detailed in <xref target="KEM"/>.</t>
      <t>To enable post-quantum security support for LAKE it suffices to register new cipher suites using COSE registered algorithms. Cipher suites using ML-KEM-512 <xref target="I-D.ietf-jose-pqc-kem"/> for key exchange and ML-DSA-44 <xref target="I-D.ietf-cose-dilithium"/> for digital signatures are specified in <xref target="suites-registry"/>. As both ML-KEM <xref target="FIPS203"/> and ML-DSA <xref target="FIPS204"/> internally use SHAKE256, it was natural to also use SHAKE256 for key derivation. Additional post-quantum cipher suites may be specified.</t>
      <t>Methods 1–3 in <xref target="RFC9528"/> use a Diffie-Hellman/Non-Interactive Key Exchange (NIKE) based API for authentication. As of this writing, no standardized post-quantum algorithms for these methods exist. To highlight which methods that require DH/NIKE a column is added to the EDHOC Method Type registry, see <xref target="method-update"/>. To highlight matching cipher suites a corresponding column indicating support for DH/NIKE is added, see <xref target="suites-registry"/>.</t>
      <t>An alternative path to post-quantum support for the LAKE protocol, not pursued in this document, is to define new authentication methods based on Key Encapsulation Mechanisms (KEMs).</t>
      <t>Compared to elliptic curve algorithms such as ECDHE, ECDSA, and EdDSA, ML-KEM-512 and ML-DSA-44 introduce significantly higher overhead <xref target="FIPS203"/><xref target="FIPS204"/>. More efficient post-quantum signature schemes are being standardized, such as FN-DSA.</t>
    </section>
    <section anchor="KEM">
      <name>Using KEMs in the Key Exchange</name>
      <t>Given a quantum-resistant KEM, such as ML-KEM-512, with encapsulation key ek, ciphertext c, and shared secret key K (using the notation of <xref target="FIPS203"/>). The Diffie-Hellman procedure in the key exchange is replaced by a KEM procedure as follows:</t>
      <ul spacing="normal">
        <li>
          <t>The Initiator generates a new encapsulation / decapsulation key pair matching the selected cipher suite.</t>
        </li>
        <li>
          <t>The encapsulation key ek is transported in the G_X field in message_1.</t>
        </li>
        <li>
          <t>The Responder calculates (K,c) = Encaps(ek).</t>
        </li>
        <li>
          <t>The ciphertext c is transported in the G_Y field in message_2.</t>
        </li>
        <li>
          <t>The Initiator calculates the shared secret K = Decaps(c).</t>
        </li>
        <li>
          <t>G_XY is the shared secret key K.</t>
        </li>
      </ul>
      <t>The security requirements and security considerations of <xref target="RFC9528"/> and the KEM algorithm used apply. For example, the Initiator MUST generate a new encapsulation / decapsulation key pair for LAKE session.</t>
      <t>Note that G_Y does not contain a public key when a KEM is used in this way. The definition of LAKE message_2 in <xref section="5.3.1" sectionFormat="of" target="RFC9528"/> remains the same:</t>
      <sourcecode type="CDDL"><![CDATA[
message_2 = (
  G_Y_CIPHERTEXT_2 : bstr,
)
]]></sourcecode>
      <t>and G_Y_CIPHERTEXT_2 remains the concatenation of G_Y and CIPHERTEXT_2, the latter is defined in <xref section="5.3.2" sectionFormat="of" target="RFC9528"/>. But now G_Y is a KEM ciphertext.</t>
      <t>Just as with the ephemeral key G_Y, the length of KEM ciphertext G_Y is known from the corresponding algorithm in the selected cipher suite, see <xref target="fig-ct-length"/>. Hence the Initator can separate out the concatenated ciphertexts and decapsulate and decrypt, respectively.</t>
      <figure anchor="fig-ct-length">
        <name>Length of ML-KEM Ciphertext.</name>
        <artwork><![CDATA[
+-------------+------------------------------+
|     KEM     | Length of ciphertext (bytes) |
+=============+==============================+
| ML‑KEM‑512  |                          768 |
| ML‑KEM‑768  |                         1088 |
| ML‑KEM‑1024 |                         1568 |
+-------------+------------------------------+
]]></artwork>
      </figure>
      <t>Note also that this use of KEM applies both to standalone KEM and hybrid KEMs such as, e.g., X-wing <xref target="I-D.connolly-cfrg-xwing-kem"/>.</t>
      <t>Conventions for using post-quantum KEMs within COSE are described in <xref target="I-D.ietf-jose-pqc-kem"/>. The shared secret key K corresponds to the initial shared secret SS' in that document.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The cipher suites defined in <xref target="RFC9528"/> rely on Elliptic Curve Cryptography (ECC) for key exchange and authentication, which would be broken by a Cryptographically Relevant Quantum Computer (CRQC). In contrast, the cipher suites specified in this document use the quantum-resistant algorithms ML-KEM for key exchange and ML-DSA for authentication. When used with Method 0 from <xref target="RFC9528"/>, where both the Initiator and Responder authenticate using digital signatures, or with the PSK method defined in <xref target="I-D.ietf-lake-edhoc-psk"/>, these cipher suites preserve the same security properties even in the presence of a quantum-capable adversary.</t>
      <t>Security considerations of ML-KEM are discussed in <xref target="I-D.sfluhrer-cfrg-ml-kem-security-considerations"/>.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>TBD</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="method-update">
        <name>EDHOC Method Type Registry</name>
        <t>IANA is requested to update the EDHOC Method Type registry with a column with heading "Requires DH/NIKE" indicating that the method requires Diffie-Hellman or Non-Interactive Key Exchange. Valid table entries in this column are "Yes" and "No".</t>
        <t>For the existing Method Types, the following entries are inserted in the new "Requires DH/NIKE" column:</t>
        <artwork><![CDATA[
Value: 0, Requires DH/NIKE: No
Value: 1, Requires DH/NIKE: Yes
Value: 2, Requires DH/NIKE: Yes
Value: 3, Requires DH/NIKE: Yes
]]></artwork>
      </section>
      <section anchor="suites-registry">
        <name>EDHOC Cipher Suites Registry</name>
        <t>IANA is requested to update the EDHOC Cipher Suites registry with a column with heading "Supports DH/NIKE" indicating that the cipher suite supports Diffie-Hellman or Non-Interactive Key Exchange. Valid table entries in this column are "Yes" and "No".</t>
        <t>For the existing cipher suites 0-6, 24, 25, the entry "Yes" is inserted in the new "Supports DH/NIKE" column.</t>
        <t>Furthermore, IANA is requested to register the following entries in the EDHOC Cipher Suites Registry:</t>
        <artwork><![CDATA[
Value: TBD1
Array: 30, -45, 16, TBD10, -48, 10, -16
Description: AES-CCM-16-128-128, SHAKE256, 16, MLKEM512, ML-DSA-44,
             AES-CCM-16-64-128, SHA-256
Supports DH/NIKE: No
Reference: [[This document]]
]]></artwork>
        <artwork><![CDATA[
Value: TBD2
Array: 3, -45, 16, TBD10, -48, 3, -16
Description: A256GCM, SHAKE256, 16, MLKEM512, ML-DSA-44,
             A256GCM, SHA-256
Supports DH/NIKE: No
Reference: [[This document]]
]]></artwork>
        <artwork><![CDATA[
Value: TBD3
Array: 3, -43, 16, TBD12, -48, 3, -43
Description: A256GCM, SHA-384, 16, MLKEM1024, ML-DSA-85,
             A256GCM, SHA-384
Supports DH/NIKE: No
Reference: [[This document]]
]]></artwork>
        <t>Cipher suite TBD3 is intended for for high security applications such as government use and financial applications. This cipher suites consists of algorithms from the Commercial National Security Algorithm (CNSA) 2.0 suite [CNSA2].</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9528">
          <front>
            <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9528"/>
          <seriesInfo name="DOI" value="10.17487/RFC9528"/>
        </reference>
        <reference anchor="I-D.ietf-cose-dilithium">
          <front>
            <title>ML-DSA for JOSE and COSE</title>
            <author fullname="Michael Prorock" initials="M." surname="Prorock">
              <organization>Tradeverifyd</organization>
            </author>
            <author fullname="Orie Steele" initials="O." surname="Steele">
              <organization>Tradeverifyd</organization>
            </author>
            <date day="15" month="November" year="2025"/>
            <abstract>
              <t>   This document specifies JSON Object Signing and Encryption (JOSE) and
   CBOR Object Signing and Encryption (COSE) serializations for Module-
   Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum
   Cryptography (PQC) digital signature scheme defined in US NIST FIPS
   204.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-dilithium-11"/>
        </reference>
        <reference anchor="I-D.ietf-jose-pqc-kem">
          <front>
            <title>Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for JOSE and COSE</title>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Aritra Banerjee" initials="A." surname="Banerjee">
              <organization>Nokia</organization>
            </author>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of Applied Sciences Bonn-Rhein-Sieg</organization>
            </author>
            <date day="8" month="December" year="2025"/>
            <abstract>
              <t>   This document describes the conventions for using Post-Quantum Key
   Encapsulation Mechanisms (PQ-KEMs) within JOSE and COSE.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-jose-pqc/.

   Discussion of this document takes place on the jose Working Group
   mailing list (mailto:jose@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/cose/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/jose/.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-jose-pqc-kem-05"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-lake-edhoc-psk">
          <front>
            <title>EDHOC Authenticated with Pre-Shared Keys (PSK)</title>
            <author fullname="Elsa Lopez-Perez" initials="" surname="Lopez-Perez">
              <organization>Inria</organization>
            </author>
            <author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Rafael Marin-Lopez" initials="R." surname="Marin-Lopez">
              <organization>University of Murcia</organization>
            </author>
            <author fullname="Francisco Lopez-Gomez" initials="F." surname="Lopez-Gomez">
              <organization>University of Murcia</organization>
            </author>
            <date day="16" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies a Pre-Shared Key (PSK) authentication method
   for the Ephemeral Diffie-Hellman Over COSE (EDHOC) Lightweight
   Authenticated Key Exchange (LAKE) protocol.  The PSK method provides
   mutual authentication, ephemeral key exchange, identity protection,
   and quantum resistance while incurring lower computational costs than
   the public-key authentication methods specified for EDHOC.  It is
   suited for systems where nodes share a PSK provided out-of-band
   (external PSK) and enables efficient session resumption with less
   computational overhead when the PSK is provided from a previous EDHOC
   session (resumption PSK).  This document details the PSK message
   flow, key derivation changes, message formatting, processing, and
   security considerations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-psk-08"/>
        </reference>
        <reference anchor="I-D.connolly-cfrg-xwing-kem">
          <front>
            <title>X-Wing: general-purpose hybrid post-quantum KEM</title>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Peter Schwabe" initials="P." surname="Schwabe">
              <organization>MPI-SP &amp; Radboud University</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This memo defines X-Wing, a general-purpose post-quantum/traditional
   hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML-
   KEM-768.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-connolly-cfrg-xwing-kem-10"/>
        </reference>
        <reference anchor="I-D.sfluhrer-cfrg-ml-kem-security-considerations">
          <front>
            <title>ML-KEM Security Considerations</title>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Quynh Dang" initials="Q." surname="Dang">
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <author fullname="John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Kevin Milner" initials="K." surname="Milner">
              <organization>Individual</organization>
            </author>
            <author fullname="Daniel Shiu" initials="D." surname="Shiu">
              <organization>Arqit Quantum Inc</organization>
            </author>
            <date day="13" month="May" year="2026"/>
            <abstract>
              <t>   NIST standardized ML-KEM as FIPS 203 in August 2024.  This document
   discusses how to use ML-KEM within protocols - that is, what problem
   it solves, and what you need to do to use it securely.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-sfluhrer-cfrg-ml-kem-security-considerations-05"/>
        </reference>
        <reference anchor="FIPS203" target="https://doi.org/10.6028/NIST.FIPS.203">
          <front>
            <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
            <author>
              <organization/>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST" value="FIPS 203"/>
        </reference>
        <reference anchor="FIPS204" target="https://doi.org/10.6028/NIST.FIPS.204">
          <front>
            <title>Module-Lattice-Based Digital Signature Standard</title>
            <author>
              <organization/>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="NIST" value="FIPS 204"/>
        </reference>
      </references>
    </references>
    <?line 219?>

<section numbered="false" anchor="acknowledgment">
      <name>Acknowledgments</name>
      <t>This work was supported partially by Vinnova - the Swedish Agency for Innovation Systems - through the EUREKA CELTIC-NEXT project CYPRESS.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8Va63LbxhX+j6fYUj8qNQQlUrKjcOomNEXbiiVZFuXEnkwm
swSWJCIQC2MB0ayjTl6h0wdon6IP0LxJnqTfOQuAAC+y3WSmmrFMYq/n9p3v
HMh1Xee2Kw4dJw3SUHXFy0xGaTZzr5QJTIrPoh/EU5WIYRakyoixTsRZ7/nA
kaNRorCUvojLl33H114kZ9jCT+Q4dQOVjt1Q3ig3fmt4rXtw4HgyVROdLLrC
pL5jstEsMCbQUbqIsfJ0cP3EcW4P383CTjL2uo4QJghV5Cn66IonOot8Mfzm
qZgH6RS/fPzGhaYqmExTYWLlBeNA+Y4TxElXpElm0s7BwRcHHUcmSnbFUHlZ
EqQLZ66Tm0miszgX4Ft8D6KJeErPnBu1wAQfF4pSlUQqdU9IJschjfg/yFBH
uO1CGScOuuK7VHtNYXSSJmps8Gkxow/fO46nfWzaFRlUcexAMhVlLEp+dOOM
7j23t+9l6VRFaUAq8sVztRCDd95URhPVwAqroEbtnvR8JoMQz0nRX5HKWzqZ
0HOZeFM8n6ZpbLr7+zSNHgW3qlVM26cH+6NEz43apw32aeEEms1GWDoxKoS0
KtmP37rWgg3HkbilTrqOi6lCBJHpiqct6NVO5YfWC57+8u9ERvURHNoVgyTw
jNERP1H2/nAJGbWKA79S+ZSWp2fVk75uictEZb/8U5zLNC03sQd+rafRxuGt
p/6IFa1ZPrV+qBPpBCNQF5nr6kn/iwedY/p46p6wAl1PG+X6QQh1BdmsNvQj
DcVvPfdGYcAJonF1s3IaB4fyp9pzY3NTDHk6inQYLlxvnEzcd3NY2+5jh804
zKaJSuzwLKQx1+RujUtFJoAGcRg+0Zonp5fDzsFhl+VOZTJRaVcUXuHrgB2h
fdB6eNA53r84HV63aEULS+wKiwrn2s9C5Z5BV4Gn3MfSWBd1B5EnY5OFfKA4
V+SwgZmJIQWKTHzexEC1gBOowV5DiAad1ICT0WEChzV4oHAu+uwjDLoIigli
GDM6R6UwR58uzNEHhTkJ4PgyFMNgEsk0S9SninD0MSI4juu6Qo5MmkgPeHI9
VeLjMEDsEk7tiTjRgBsdNoUMjRY3kZ5HQhoxAEjPYPgQkoyBge4zFYYzBKC+
BXj3XwwHYndw8uxFfw8rgQPqFmAea5O6by3ii8KJxGghpE/AJSI1F56FfwsA
FnfzFW5S5ggZIoIxNCP4y7wp3ej8zD0Z9jhh+LlyTaFcI6BbmvF8cM4zgLhC
5aK2xPU0MAL5JJtBGSWsGzHVc5GSygiyC00IHZPDYziAJlZlgo0hSGbo90jj
8uUd3BEbni5yOXxefFsagBx6pmBNH0LRLF+NgwjHeDqBBLGOWEc1/bSsgWeB
74cK1t6hDJLA3zza7rfYOz/dJyHfv88B6e7ut7iByeIYScuwSjOjhB6LWRam
QRyqLYpgPdD0CFk8DewYltWdxKoSI3ze0jdaop9BdVEaLpqwepbgxosZtgby
bjtw96Ap2k3RsSY43ENiU4UuWtAuuyqtwASx3A3+dJ9FBfxrpMh8PgIhhAf5
0IdSUO0WeL67g23L65fWqAueKAzhkEEYBjGOJHlvlegnizjVk0TG0wXU3+/v
rfk8S1e/ahO5nXM9Hs7EbRZGsOsIpoEHkAlwcQRHOpUIv+oRWI70Ia5UqG4p
NnNGJ/p6FmegM2K3f/USVwjIkyMgEZwTuiTn/JSo88ipbOT9/oH38QEnviVE
SunqM7CtcWFnunB5VwxGWoC1TbDQV7ECy4CImLYSJXNob0p6x6kcJpALDDXS
iCm+0lyBbIKPwn44loKGowEExKqH7Fo9Gmrd2RHXKpkFyOp6shA74v1Ouvx+
Z0GBfIEopxGN81fIK037v7h4wZ+vBi9fnV4NTujz8Fnv7Kz84OQzhs9evDo7
WX5aruy/OD8fXJzYxXgqao+cxnnvTcPqu/Hi8vr0xUXvrGF9rOoOFHapRtBg
CNePE0WIJY3jK+Mlwcgi0+P+5X/+1T5CGP0BENVpt7+4u8u/HLc/P8KXOdRn
T9MRvNR+hcYWjoxjJRP2pZDcK6aUQdBrhJkSvMHqquX8+csQTiHch1/+BQB7
pSTojuHrqXdwWbqVvedYzsDOsCPnrApmIr9oIW914JNtM2KczOvJuYBlZD6c
LkfE7cj/82fLzFua3LpIQIEfh9LD0cid5Af3HcHXqXiAGCd6Vsd0exy8/131
iFQy5JDKgL/KJ8wif1Pv5Cxe4sJp76KH2ROkZuIsLU5D7Jx88nqB1ysB2nHO
LTwerKUZGxlweLMpm9M1VoAWmuCw5ytFASULbWPoysaySqwfcAKjWQCDEp6j
+5C4SfogCkU5FEfPwdLI6BSOLKPJqVvwV+irhkuVZOQ4vQ1MphRqOXWN0lSu
Vq8C8qtJlMA6diFE7hccQaQjL5Qod72q8ipXKs8Z9HFMC+VusoGiqVrioLS3
LgUziS3UfBeca68mE5GwikzV8oUkIqRHPCE+Q9TWMH+CMEPspno9LXC4Em6Q
t4YFXcEBnD8RFCriHLaZeeaMpGwyiAAGyYDQHnwMx1mvBhSvE1ObaJhwFLMI
n6rcY8N8K7z7oN3ZroDNudq6gnt0dJ83bCW/MGLZrLAqylskedwuCKV6xkZQ
aaG8lsO+yxuUjwlcGZojTv8UC0gQzwedBw+bpMc5DMPn4ypQJUdddVIpJgIz
uGWnwRVycoU1NYvVdT+TC3KQUqJWgSNGtH/9+R+HK2DCx8qV1Lt/oSOX2y0o
jFApr5Dhi1Miw5Yq9C5PNwAO64uhGu43h9Fh3yal/Y8BgyJv42IF8VTvYAjG
8SlgJmS6ntODfAZTr0S9zRAQ4uTZPt0RciEKslnEOOD7NhtRmFggz/H1ehGr
AqMXBfO0+7pZTHVjnqaWZ89kirJtlf/weTV2lJ+Ob6QXPKkGVXHL4nLF0eve
B3SkRMz+xPaIJYG5Xoncyt4bsCDSqYizxGTWy2uMgpES+1mSxxG9pQQoy4l7
UM0wrJk9IunguTKxilcFEfeYiG+G2meDpkVcm48GPn+sQEM93oO8olMc0cw4
uSQgU8EuVGhNwUqq8VqJ0ZY418RVCNQCSgt1fZZZwXhUyFmosJVK1Y+X8P3k
gu5FNFO8YkgjNRRUoBZD73cIhh3nKawZbc4ag/PVvEDyN21SVTXNMyDeNHNv
TNW7VHhWf2bK2geog7LwvOdi18ItEyedlmVjRUV7VPWrVT4OVwKrIn3kEtVw
eIV4SRKgskRSWIehnpuu4/yJt18SkYmK8q6BZN+rS7cPt1yVNpZBsoxCuoxB
icWEsxqSreKsTfpin09kZChqiqBQ4ukPrwXEDvkBrG7kRP3QLncqCRNScejR
jor8ventiUd5QOyqm71yftUmW098s35ip7Wup8qJLHLNuM9x/gkratezx0OS
N3zk2lx2hJatdsqEn6Mn4YHtLZQj9U6mdZZlBinaEGTwMqgpr/hMUxaWO+XE
uLnCQbmwKuz/aeYviQl4ML22gDwXOlU2FZBOfa0Mwx7uT3yd6uJsFNqOhKXu
1k0DY69bwOJcLmwEMB4GRYTwYaV9bCIdKu4miQetw1abJi31klBnO8rVT11x
x/nb8kf0T07OnOVuj8SuI+jaP/RPL58Nrq4Hr6/xuCuoP9l09qprHYd0vja3
eiBEpj5WVIY3KYRWVVdYY0CvROOYKFbaWlXJOjXJWuJxlkKxc96UOTZpcenp
sMTX1GaVeY+SOyRlM4yUj4X54Sqa0Huj8coWxda2mcZVmRWrml+X3pZH0kYQ
KPLqOJi4XuraE0mKZ9Q8KP0xj7AIs5GyyBt1lq7ostyZrmjyvkjhnKr4Tu2f
pqB7KqZPCIGa6Z3P3OpP/dvaz2fOT9zjJv3Qz0/irNRZRV+7owVwYU/85Hz2
qPpT/7b2Q7ufn/3689+xPX5ThhX2vI0/nz88xgm1JfToniXtg+O1Je2DztF9
Sx7wKZ+opaqC33fFTs3c9nXDo8ZSdTmR7y+dtnGXA0heBMvUokHejWV447Ir
LwXSgs7SG0g7DPtPF6Mk8G3mz9N3U6jWpNUUr116gZTXKFteLdnWpo6on8hg
SyhnE3aNnPD+FFxB0dnlVmyl/bO1hrLQtokZLKPLFEyZ4Y8Kptr04fCPNuSg
o4JDMu0p3umKfi1l2ExTJ8ube+i/d9vWVglznSG7oiwaJfpGRZagfHqblnvc
lEwSaVKLX3WZanVkvWdXtCfve1+z7SVMtcTcVGx9S6mMMxjDbdk3Wm9mzalv
98FeUPUAlXvfeuXcpLf9Jb5XGkY1y97TOLI1Xl2DMTZWZPAiay5ZCMhkjFCl
+KN2e4H5vIKAHDG6JNLcNKRXJz5KACMTguDhdj6TK56DKDBeZkz1/p/ynpcD
eEdcUt3ubYiDxyf8Jor6gqtjOzsbCtOrvAxEyVCvSR2HN2He/TZTJm+22tEP
VLnWbGV5zN+oTiJDN64sDzRFgdqoFrA5LBaleUEazdorrkTc10RoiW9kCJhM
2UhwNeqOlkGTX4us0XijTMM2xC90A6p9kle33BLgttFSPmNj0hYaNFZsLLlo
MarKuolpbpDVnl3natUfBxfPVFccNMXq4i5ELobbm4YhSzHe+cD44bbxbdda
ek/9b4Qq/rPaWPhYD6pv+FE+NCxeZ97rQ9XQX74B/b95Uh2JDtyHTdE5wr8H
1q1o70W+TWA2+9O63PYGdFyWYFoy0wkY6UbFlx3VzU6cn3OfkT/stsCfttNL
ErmAj8GH3SNI14akNMDfj/GdPrQfOifMJ2KCp67oDYZuv3+O5267c0z/mpWm
Jm1xfgYM5R5F2aBpOjVmV9nj4VG5hYsdnFXNcTBdqTHyFf3Jmfjuu9or0e+/
3x4JH1ZBp1TBFg0cblIArvm0f/4/SF1Z+HvL+hHCHtaEPVwK26kIe3S4XVj3
8PioIiux91LY4wf3CYuFv6ew1bcGLJmNw5ReIfvMjOgf9f6WrIEpu5dn+qKf
NqHGYFTyMgIFUBYZeUR1qyvyP3+pIwMnfJMycai2rYsiFawRlS7vdSHzjn3J
PcoXfOCUF8Penui0DnKJvqMHne/zv1sZSe+GXxf2PCqCQ+VPbGuGXlrL2rM7
KniibDai9yyPGpFu3OV/QUB/WslvG3J0pa67TIjRh/y3Rd8EqEJupXD54sO5
AvuZit4EplmwMk95nBsBwwXACXLS3ERnE8v7Bq+uBs/BZQZn16d992Lw+pqI
2o+ofEX/zeXVYDhsOf8FW+QEStkqAAA=

-->

</rfc>
