<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-jms-mole-protocols-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MoLE Protocols">MoLE Protocols</title>
    <seriesInfo name="Internet-Draft" value="draft-jms-mole-protocols-00"/>
    <author fullname="Samuel Schlesinger">
      <organization>Google LLC</organization>
      <address>
        <email>sgschlesinger@gmail.com</email>
      </address>
    </author>
    <author fullname="Dennis Jackson">
      <organization>Mozilla</organization>
      <address>
        <email>ietf@dennis-jackson.uk</email>
      </address>
    </author>
    <author fullname="Thibault Meunier">
      <organization>Cloudflare</organization>
      <address>
        <email>ot-ietf@thibault.uk</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <keyword>moderation</keyword>
    <keyword>endorsement</keyword>
    <keyword>unlinkability</keyword>
    <keyword>privacy</keyword>
    <abstract>
      <?line 61?>

<t>This document defines protocols that instantiate the MoLE architecture: two
endorsement protocols, by which a Client proves to a Moderator that it holds
an Endorsement from a trusted Anchor without revealing which one, and three
credential protocols, by which a Moderator issues, verifies, and updates
per-Client state without being able to link presentations. It also
establishes the registries that identify these protocols.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://moderation-of-unlinkable-endorsements.github.io/internet-drafts/draft-jms-mole-protocols.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-jms-mole-protocols/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/Moderation-of-unLinkable-Endorsements/internet-drafts"/>.</t>
    </note>
  </front>
  <middle>
    <?line 71?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The MoLE architecture <xref target="ARCHITECTURE"/> defines three roles. Clients obtain
Endorsements from Anchors, redeem them at Moderators in exchange for
Credentials, and present those Credentials to Moderators to access
resources. The architecture states the required properties of Endorsements
and Credentials but does not say how to build them. This document does.</t>
      <t>TODO: the protocols below reflect our current understanding of how MoLE
may work, and showcase agility. They are not final. Some may be removed,
others added.</t>
      <t>It defines two endorsement protocols and three credential protocols. Each is
identified by a type value from a registry established in this document
(<xref target="iana"/>). The HTTP carriage of challenges, redemptions, and
presentations is defined in <xref target="HTTP-TRANSPORT"/>. This document defines the
messages themselves and, for the grant flow, the HTTP exchanges that carry
them.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>Protocol messages are described in TLS presentation language (<xref section="3" sectionFormat="of" target="TLS13"/>). This document also uses the optional-value and variable-size
vector conventions (<tt>optional&lt;T&gt;</tt>, <tt>&lt;V&gt;</tt>) defined in <xref target="HTTP-TRANSPORT"/>.
All constants are in network byte order.</t>
      <t>This document uses the following terms for protocol actions:</t>
      <dl>
        <dt>Grant:</dt>
        <dd>
          <t>An Anchor gives a Client an Endorsement.</t>
        </dd>
        <dt>Redeem:</dt>
        <dd>
          <t>A Client spends an Endorsement at a Moderator. Each Endorsement can be
redeemed once.</t>
        </dd>
        <dt>Issue:</dt>
        <dd>
          <t>A Moderator gives a Client a Credential in return for a redemption.</t>
        </dd>
        <dt>Present:</dt>
        <dd>
          <t>A Client shows a Credential to a Moderator. Each Credential can be
presented once. The update replaces it.</t>
        </dd>
        <dt>Update:</dt>
        <dd>
          <t>The Moderator's adjustment to a presented Credential, returned in the
same exchange.</t>
        </dd>
        <dt>Finalize:</dt>
        <dd>
          <t>The Client-local step that turns a protocol response into a stored
Endorsement or Credential.</t>
        </dd>
      </dl>
    </section>
    <section anchor="common">
      <name>Common Requirements</name>
      <section anchor="message-types">
        <name>Message Types</name>
        <t>Every MoLE protocol message <bcp14>MUST</bcp14> begin with a <tt>uint16</tt> type field:
<tt>endorsement_type</tt> for messages in the endorsement flow, <tt>credential_type</tt>
for messages in the credential flow. Values are assigned in the registries
defined in <xref target="iana"/>. A recipient that does not recognize the type <bcp14>MUST</bcp14>
ignore the message. A Client that receives a challenge with an unknown type
simply does not respond to it.</t>
        <t>The value 0x0000 is reserved in both registries and <bcp14>MUST NOT</bcp14> appear on the
wire. Endorsement type 0x0001 means the Moderator establishes trust in the
Client on its own, and no Endorsement is redeemed.</t>
      </section>
      <section anchor="greasing">
        <name>Greasing</name>
        <t>In order to prevent Moderators from becoming incompatible with future
credential types, Clients <bcp14>SHOULD</bcp14> send presentations whose
<tt>credential_type</tt> is a random value from the reserved greased values
(<xref target="iana-grease"/>), with some non-trivial probability. The body of a
greased presentation is random bytes.</t>
        <t>The greased values follow the pattern 0x?A?A, spread uniformly across the
registry space. Moderators <bcp14>MUST</bcp14> handle them exactly as any other unknown
type and <bcp14>MUST NOT</bcp14> special-case the reserved list: a Moderator that
enumerates greased values defeats their purpose and will still receive
unknown types it did not enumerate.</t>
        <t>Additionally, when a credential is not required, Clients <bcp14>SHOULD</bcp14> randomly
choose not to answer a challenge with some non-trivial probability. This
helps ensure that Moderators maintain their behavior for handling Clients
without credentials, rather than relying on a presentation always being
present.</t>
      </section>
      <section anchor="challenge-binding">
        <name>Challenge Binding</name>
        <t>Every redemption and presentation is bound to the challenge that triggered
it. The binding value is:</t>
        <artwork><![CDATA[
challenge_digest = SHA-256(challenge)
]]></artwork>
        <t>where <tt>challenge</tt> is the challenge structure in its binary form: the
octets of its TLS-presentation encoding. When a challenge arrives
base64url encoded in an HTTP header (<xref target="HTTP-TRANSPORT"/>), the Client first
decodes it, then hashes the resulting octets. The digest is never computed
over the ASCII form. SHA-256 is defined in <xref target="SHA2"/>.</t>
        <t>Each protocol in this document states where <tt>challenge_digest</tt> enters its
messages. A verifier <bcp14>MUST</bcp14> reject a redemption or presentation bound to a
different challenge. This prevents a message captured in one context from
being replayed in another.</t>
        <t>In the endorsement protocols, the presentation is a proof generated at
redemption time, and <tt>challenge_digest</tt> is an input to that proof: it
enters the proof transcript in IHAT and the public inputs in Longfellow.
A proof produced for one challenge does not verify under another.
Challenge binding is separate from the nullifier. The nullifier is a PRF
output over a credential-bound secret and the epoch; it limits a Client
to one presentation per epoch.</t>
      </section>
    </section>
    <section anchor="endorsement-protocols">
      <name>Endorsement Protocols</name>
      <t>An endorsement protocol has two parts. First, the Client runs one or more
request/response exchanges with an Anchor and finalizes the result into an
Endorsement. This is the grant. Second, the Client redeems the Endorsement
at a Moderator, proving it came from an Anchor in the Moderator's accepted
set without revealing which one. Redemption happens inside the Redeem &amp;
Issue flow (<xref target="credential-protocols"/>).</t>
      <figure anchor="fig-endorsement-flow">
        <name>Endorsement grant and redemption</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="416" viewBox="0 0 416 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,64" fill="none" stroke="black"/>
              <path d="M 40,64 L 40,128" fill="none" stroke="black"/>
              <path d="M 40,160 L 40,272" fill="none" stroke="black"/>
              <path d="M 80,32 L 80,64" fill="none" stroke="black"/>
              <path d="M 240,176 L 240,208" fill="none" stroke="black"/>
              <path d="M 248,32 L 248,64" fill="none" stroke="black"/>
              <path d="M 280,64 L 280,144" fill="none" stroke="black"/>
              <path d="M 288,208 L 288,272" fill="none" stroke="black"/>
              <path d="M 320,32 L 320,64" fill="none" stroke="black"/>
              <path d="M 336,176 L 336,208" fill="none" stroke="black"/>
              <path d="M 8,32 L 80,32" fill="none" stroke="black"/>
              <path d="M 248,32 L 320,32" fill="none" stroke="black"/>
              <path d="M 8,64 L 80,64" fill="none" stroke="black"/>
              <path d="M 248,64 L 320,64" fill="none" stroke="black"/>
              <path d="M 40,96 L 64,96" fill="none" stroke="black"/>
              <path d="M 232,96 L 272,96" fill="none" stroke="black"/>
              <path d="M 48,112 L 64,112" fill="none" stroke="black"/>
              <path d="M 240,112 L 280,112" fill="none" stroke="black"/>
              <path d="M 240,176 L 336,176" fill="none" stroke="black"/>
              <path d="M 240,208 L 336,208" fill="none" stroke="black"/>
              <path d="M 48,240 L 112,240" fill="none" stroke="black"/>
              <path d="M 208,240 L 288,240" fill="none" stroke="black"/>
              <path d="M 40,256 L 96,256" fill="none" stroke="black"/>
              <path d="M 216,256 L 280,256" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="288,256 276,250.4 276,261.6" fill="black" transform="rotate(0,280,256)"/>
              <polygon class="arrowhead" points="280,96 268,90.4 268,101.6" fill="black" transform="rotate(0,272,96)"/>
              <polygon class="arrowhead" points="56,240 44,234.4 44,245.6" fill="black" transform="rotate(180,48,240)"/>
              <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/>
              <g class="text">
                <text x="44" y="52">Client</text>
                <text x="284" y="52">Anchor</text>
                <text x="148" y="100">EndorsementRequest</text>
                <text x="304" y="100">\</text>
                <text x="152" y="116">EndorsementResponse</text>
                <text x="304" y="116">|</text>
                <text x="336" y="116">one</text>
                <text x="364" y="116">or</text>
                <text x="396" y="116">more</text>
                <text x="152" y="132">...</text>
                <text x="304" y="132">/</text>
                <text x="360" y="132">exchanges</text>
                <text x="36" y="148">Finalize</text>
                <text x="288" y="196">Moderator</text>
                <text x="160" y="244">Challenge</text>
                <text x="156" y="260">Presentation</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+--------+                    +--------+
| Client |                    | Anchor |
+---+----+                    +---+----+
    |                             |
    +--- EndorsementRequest ----->|  \
    |<-- EndorsementResponse -----+  |  one or more
    |            ...              |  /  exchanges
Finalize                          |
    |
    |                        +-----------+
    |                        | Moderator |
    |                        +-----+-----+
    |                              |
    |<-------- Challenge ----------+
    +------- Presentation -------->|
    |                              |
]]></artwork>
        </artset>
      </figure>
      <t>Exchanges with the Anchor are HTTP POST requests. The request body has media
type <tt>application/mole-endorsement-request</tt> and contains an
<tt>EndorsementRequest</tt>. The response body has media type
<tt>application/mole-endorsement-response</tt> and contains an
<tt>EndorsementResponse</tt>. The endorsement type determines how many exchanges
are needed and what the <tt>body</tt> field contains at each step.</t>
      <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint16 endorsement_type;
  opaque body<V>;
} EndorsementRequest;

struct {
  uint16 endorsement_type;
  opaque body<V>;
} EndorsementResponse;
]]></sourcecode>
      <t>Every endorsement protocol defines two structures. <tt>Challenge</tt> is the
type-specific content of the Moderator's challenge, carried in its
<tt>challenge</tt> field (<xref target="HTTP-TRANSPORT"/>). Its content, including any Anchor
set, is opaque at the transport level. Each endorsement type refines it,
for example into a list of accepted Anchor keys. <tt>Presentation</tt> is the protocol's
final output: the message a Client sends to redeem the Endorsement,
carried in the <tt>endorsement_presentation</tt> field of a <tt>CredentialRequest</tt>
(<xref target="credential-protocols"/>).</t>
      <section anchor="ihat">
        <name>Issuer-Hiding Anonymous Token (IHAT)</name>
        <t>Endorsement type: 0x0002.</t>
        <t>TODO: IHAT is a placeholder name. Once we have a first version for <xref target="CRYPTO"/>,
we would align.</t>
        <t>IHAT is a pairing-free, issuer-hiding endorsement scheme over P-256. The
Anchor blindly signs a Client-chosen nullifier. The Client later proves,
with a 1-of-n OR proof, that its Endorsement verifies under one of the
Anchor keys the Moderator accepts. The cryptographic operations, and the
contents of every message body, are defined in <xref target="CRYPTO"/>. Until that
document is complete, bodies in this section are opaque byte strings
produced and consumed by the functions named below.</t>
        <t>The following primitive types are used in this section:</t>
        <sourcecode type="tls-presentation"><![CDATA[
opaque Scalar[32];  /* big-endian integer mod the group order */
opaque Point[33];   /* P-256 point, SEC1 compressed */
]]></sourcecode>
        <section anchor="configuration">
          <name>Configuration</name>
          <t>The Client needs, from Anchor configuration (<xref target="key-rotation"/>):</t>
          <dl>
            <dt>Anchor Public Key</dt>
            <dd>
              <t><tt>pkA</tt>, a <tt>Point</tt>, as generated in <xref target="CRYPTO"/>.</t>
            </dd>
            <dt>Endorsement Context</dt>
            <dd>
              <t>an opaque byte string identifying the current epoch. Endorsements are
valid for one epoch, see <xref target="key-rotation"/>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="grant">
          <name>Grant</name>
          <t>The grant takes two exchanges with the Anchor.</t>
          <t>In the first exchange, the Client runs <tt>Prepare(pkA,
endorsement_context)</tt> (<xref target="CRYPTO"/>), keeps the returned client state, and
sends the resulting request as the <tt>body</tt> of an <tt>EndorsementRequest</tt>. The
Anchor runs <tt>Sign(skA, body)</tt>, keeps its own state for the second
exchange, and returns the result in an <tt>EndorsementResponse</tt>.</t>
          <t>In the second exchange, the Client runs <tt>RequestProof(state, body)</tt> and
sends the result. The Anchor runs <tt>Prove(state, body)</tt> and returns the
result.</t>
          <t>The Client finalizes with <tt>Finalize(state, body)</tt>, which verifies the
Anchor's commitment opening and produces an Endorsement. The Endorsement
contains a nullifier <tt>nf</tt> and the <tt>endorsement_context</tt> it was granted
under. If finalization fails, the Client <bcp14>MUST</bcp14> discard the session. It <bcp14>MUST
NOT</bcp14> retry with the same state.</t>
          <t>The Anchor learns neither <tt>nf</tt> nor the final Endorsement, so it cannot
recognize the Endorsement when it is later redeemed.</t>
          <t>TODO: the two exchanges must be correlated, since the Anchor holds state
between them. Either <xref target="CRYPTO"/> adds a session identifier to its messages
or this document mandates connection reuse.</t>
        </section>
        <section anchor="redemption">
          <name>Redemption</name>
          <t>The Moderator's challenge (<xref target="HTTP-TRANSPORT"/>) carries the set of Anchor
keys it accepts:</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  Point keys<V>;      /* accepted Anchor public keys */
} Challenge;
]]></sourcecode>
          <t>The order of <tt>keys</tt> is significant: OR-proof branches are matched to keys
by position. Moderators <bcp14>MUST</bcp14> present the set in the order published in
their configuration (<xref target="key-rotation"/>).</t>
          <t>The Client runs <tt>Present(endorsement, keys, challenge_digest)</tt>
(<xref target="CRYPTO"/>), with <tt>challenge_digest</tt> computed as in <xref target="challenge-binding"/>,
and sends the result:</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque bytes<V>;    /* output of Present */
} Presentation;
]]></sourcecode>
          <t><tt>Present</tt> <bcp14>MUST</bcp14> bind <tt>challenge_digest</tt> into the proof transcript, and
<tt>Verify</tt> <bcp14>MUST</bcp14> fail when given any other <tt>challenge_digest</tt>. This is a
requirement on <xref target="CRYPTO"/>.</t>
          <t>The Moderator runs <tt>Verify(presentation, keys, challenge_digest)</tt>
(<xref target="CRYPTO"/>), which exposes <tt>nf</tt> and <tt>endorsement_context</tt>, and
additionally checks that:</t>
          <ol spacing="normal" type="1"><li>
              <t><tt>endorsement_context</tt> names the current epoch, and</t>
            </li>
            <li>
              <t><tt>nf</tt> has not been seen before in this epoch.</t>
            </li>
          </ol>
          <t>If all checks pass, the Moderator records <tt>nf</tt> and proceeds with credential
issuance. The Endorsement is spent: redeeming it again <bcp14>MUST</bcp14> fail check 2.</t>
        </section>
      </section>
      <section anchor="longfellow">
        <name>Longfellow</name>
        <t>Endorsement type: 0x0003.</t>
        <t>Where IHAT requires Anchors to run new cryptography, this protocol preserves
backward compatibility with credentials Clients may hold, such as mdocs.
The Client proves in zero knowledge, using the scheme of <xref target="LONGFELLOW"/>, that it
holds a valid credential from one of an accepted set of issuers, without
revealing which issuer or any credential attribute. An experimental circuit is
described in <xref target="HIDDEN-ISSUER-CIRCUIT"/>.</t>
        <t>There is no grant exchange in this protocol. The Client obtains its
credential from the Anchor out of band, through whatever legacy issuance
that credential uses. The circuit is likewise distributed out of band and
identified by its hash.</t>
        <section anchor="configuration-1">
          <name>Configuration</name>
          <t>The Client needs, from Moderator configuration (<xref target="key-rotation"/>):</t>
          <dl>
            <dt>Circuit Identifier</dt>
            <dd>
              <t><tt>circuit_id</tt>, the SHA-256 hash of the circuit both parties use.</t>
            </dd>
            <dt>Accepted Issuer Set</dt>
            <dd>
              <t>the credential-issuer certificates the Moderator accepts, in a fixed
published order.</t>
            </dd>
            <dt>Epoch</dt>
            <dd>
              <t>the validity window redemptions must fall in.</t>
            </dd>
          </dl>
        </section>
        <section anchor="redemption-1">
          <name>Redemption</name>
          <t>This protocol needs no type-specific challenge content: <tt>Challenge</tt> is
empty. The accepted issuer set, circuit, and epoch come from configuration.</t>
          <t>The Client evaluates the circuit over its credential to produce a proof and
a nullifier. The nullifier is derived, inside the circuit, from a
credential-bound secret and the current epoch, so one credential yields
exactly one valid nullifier per epoch.</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque circuit_id[32];
  opaque nullifier<V>;
  opaque proof<V>;
} Presentation;
]]></sourcecode>
          <t>The public inputs to the proof are the accepted issuer set, the epoch, the
nullifier, and <tt>challenge_digest</tt> (<xref target="challenge-binding"/>). A proof is
valid only for its exact public inputs, so a presentation bound to a
different challenge fails verification. The Moderator
verifies the proof using the verifier of <xref target="LONGFELLOW"/>, then applies the
same epoch and nullifier-freshness checks as IHAT redemption.</t>
        </section>
        <section anchor="differences-from-ihat">
          <name>Differences from IHAT</name>
          <t>While Longfellow does not require the Anchor to actively participate in MoLE,
it is preferred to guarantee and control scarcity. Otherwise, the number of
Endorsements that can be obtained by a given Client is unbounded.
Scarcity comes both from the participation of the Anchor, and from the
one-nullifier-per-epoch rule. Deployments without an aware Anchor remain
possible, but lose Anchor-controlled scarcity.</t>
          <t>The required circuit properties, in particular sound nullifier derivation
from a credential-bound secret, are stated here as requirements on the
circuit. <xref target="HIDDEN-ISSUER-CIRCUIT"/> is one candidate that could be refined.</t>
        </section>
      </section>
    </section>
    <section anchor="credential-protocols">
      <name>Credential Protocols</name>
      <t>A credential protocol has two parts: Redeem &amp; Issue, in which the Client
redeems an Endorsement and receives a Credential from the Moderator, and
presentation, in which the Client shows the Credential and receives an
update. Presentation and update happen in one exchange, following
<xref target="REVERSE-FLOW"/>.</t>
      <figure anchor="fig-credential-flow">
        <name>Redeem &amp; Issue, then presentation and update</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="424" viewBox="0 0 424 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,64" fill="none" stroke="black"/>
              <path d="M 40,64 L 40,128" fill="none" stroke="black"/>
              <path d="M 40,176 L 40,240" fill="none" stroke="black"/>
              <path d="M 80,32 L 80,64" fill="none" stroke="black"/>
              <path d="M 320,32 L 320,64" fill="none" stroke="black"/>
              <path d="M 368,64 L 368,272" fill="none" stroke="black"/>
              <path d="M 416,32 L 416,64" fill="none" stroke="black"/>
              <path d="M 8,32 L 80,32" fill="none" stroke="black"/>
              <path d="M 320,32 L 416,32" fill="none" stroke="black"/>
              <path d="M 8,64 L 80,64" fill="none" stroke="black"/>
              <path d="M 320,64 L 416,64" fill="none" stroke="black"/>
              <path d="M 48,96 L 144,96" fill="none" stroke="black"/>
              <path d="M 240,96 L 368,96" fill="none" stroke="black"/>
              <path d="M 40,112 L 56,112" fill="none" stroke="black"/>
              <path d="M 320,112 L 360,112" fill="none" stroke="black"/>
              <path d="M 48,128 L 112,128" fill="none" stroke="black"/>
              <path d="M 280,128 L 368,128" fill="none" stroke="black"/>
              <path d="M 48,208 L 144,208" fill="none" stroke="black"/>
              <path d="M 240,208 L 368,208" fill="none" stroke="black"/>
              <path d="M 40,224 L 64,224" fill="none" stroke="black"/>
              <path d="M 312,224 L 360,224" fill="none" stroke="black"/>
              <path d="M 48,240 L 144,240" fill="none" stroke="black"/>
              <path d="M 280,240 L 368,240" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="368,224 356,218.4 356,229.6" fill="black" transform="rotate(0,360,224)"/>
              <polygon class="arrowhead" points="368,112 356,106.4 356,117.6" fill="black" transform="rotate(0,360,112)"/>
              <polygon class="arrowhead" points="56,240 44,234.4 44,245.6" fill="black" transform="rotate(180,48,240)"/>
              <polygon class="arrowhead" points="56,208 44,202.4 44,213.6" fill="black" transform="rotate(180,48,208)"/>
              <polygon class="arrowhead" points="56,128 44,122.4 44,133.6" fill="black" transform="rotate(180,48,128)"/>
              <polygon class="arrowhead" points="56,96 44,90.4 44,101.6" fill="black" transform="rotate(180,48,96)"/>
              <g class="text">
                <text x="44" y="52">Client</text>
                <text x="368" y="52">Moderator</text>
                <text x="192" y="100">Challenge</text>
                <text x="108" y="116">Redemption</text>
                <text x="160" y="116">+</text>
                <text x="240" y="116">CredentialRequest</text>
                <text x="196" y="132">CredentialResponse</text>
                <text x="36" y="148">Finalize</text>
                <text x="40" y="164">|</text>
                <text x="32" y="180">.</text>
                <text x="48" y="180">.</text>
                <text x="192" y="212">Challenge</text>
                <text x="124" y="228">Presentation</text>
                <text x="184" y="228">+</text>
                <text x="248" y="228">UpdateRequest</text>
                <text x="212" y="244">UpdateResponse</text>
                <text x="36" y="260">Finalize</text>
                <text x="40" y="276">|</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+--------+                             +-----------+
| Client |                             | Moderator |
+---+----+                             +-----+-----+
    |                                        |
    |<------------ Challenge ----------------+
    +-- Redemption + CredentialRequest ----->|
    |<-------- CredentialResponse -----------+
Finalize                                     |
    |                                        |
   ...                                       |
    |                                        |
    |<------------ Challenge ----------------+
    +--- Presentation + UpdateRequest ------>|
    |<------------ UpdateResponse -----------+
Finalize                                     |
    |                                        |
]]></artwork>
        </artset>
      </figure>
      <t>Both parts ride on HTTP requests to the Moderator, since each is an
authorization. Redeem &amp; Issue carries a <tt>CredentialRequest</tt> in the
<tt>Authorization</tt> header and receives the <tt>CredentialResponse</tt> in the
<tt>Mole-Credential</tt> response header. Presentation uses the same
authentication scheme, with the update returned in the same
<tt>Mole-Credential</tt> header under its <tt>update</tt> parameter. Carriage is
defined in <xref target="HTTP-TRANSPORT"/>.</t>
      <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint16 endorsement_type;
  opaque endorsement_presentation<V>;
  uint16 credential_type;
  opaque issuance_request<V>;
} CredentialRequest;

struct {
  uint16 credential_type;
  opaque issuance_response<V>;
} CredentialResponse;
]]></sourcecode>
      <t>The <tt>endorsement_presentation</tt> field carries the <tt>Presentation</tt> structure
of the named endorsement type. With <tt>endorsement_type</tt> 0x0001 it is empty,
and the Moderator relies on its own trust establishment (<xref target="common"/>).</t>
      <t>Every credential protocol defines five structures. <tt>Challenge</tt> is the
type-specific content of the Moderator's challenge, carried in its
<tt>challenge</tt> field (<xref target="HTTP-TRANSPORT"/>). <tt>IssuanceRequest</tt> and
<tt>IssuanceResponse</tt> fill the <tt>issuance_request</tt> and <tt>issuance_response</tt>
fields above. <tt>PresentationAndUpdate</tt> is carried in the
<tt>presentation_and_update</tt> field of a <tt>CredentialPresentation</tt>
(<xref target="HTTP-TRANSPORT"/>). <tt>Update</tt> is returned in the <tt>update</tt> parameter of
the <tt>Mole-Credential</tt> header.</t>
      <section anchor="credential-act">
        <name>Anonymous Credit Tokens (ACT)</name>
        <t>Credential type: 0x0001.</t>
        <t>An ACT credential <xref target="ACT"/> is an anonymous state machine: the Moderator can
test a predicate against the Credential's hidden state and update that
state, without learning the state or linking presentations. This is the
credential protocol that provides every property required by
<xref target="ARCHITECTURE"/>, including that updates provably apply to the credential
that was presented.</t>
        <section anchor="configuration-2">
          <name>Configuration</name>
          <t>The Moderator publishes its ACT public key and the predicate description
(<xref target="key-rotation"/>).</t>
        </section>
        <section anchor="redeem-issue">
          <name>Redeem &amp; Issue</name>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint8 truncated_key_id;
  opaque request<V>;
} IssuanceRequest;

struct {
  opaque response<V>;
} IssuanceResponse;
]]></sourcecode>
          <t>The <tt>request</tt> and <tt>response</tt> fields are defined in <xref target="ACT"/>. The Client
finalizes the response into a Credential with an initial state chosen by
the Moderator's policy.</t>
        </section>
        <section anchor="presentation-and-update">
          <name>Presentation and Update</name>
          <t>The Client presents the Credential against the challenged predicate,
spending it, and in the same message requests the replacement that carries
the updated state.</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque challenge_digest[32];
  opaque key_id[32];
  opaque spend_proof<V>;
} PresentationAndUpdate;

struct {
  opaque refund<V>;
} Update;
]]></sourcecode>
          <t>The <tt>spend_proof</tt> and <tt>refund</tt> fields are defined in <xref target="ACT"/>. The
Moderator verifies the spend proof and learns whether the Credential's
hidden state satisfies the challenged predicate. For range-style
predicates, this necessarily reveals the public bound being tested, but
not the hidden state value. The Client finalizes the refund into its new
Credential. ACT guarantees the refund applies to the state that was
presented.</t>
          <t>TODO: the exact mapping between the spend and refund operations of <xref target="ACT"/>
and MoLE's predicate and update is not settled. In particular, <tt>Challenge</tt>
for this type must express the predicate and the charged amount, and its
contents are not yet defined.</t>
          <t>The <tt>Challenge</tt> for this type therefore needs to identify the predicate,
including any public bound, and the update to apply.</t>
        </section>
      </section>
      <section anchor="credential-reverse">
        <name>Privacy Pass with a Reverse Flow</name>
        <t>Credential type: 0x0002.</t>
        <t>The Credential is a single privately verifiable Privacy Pass token. Any
token type registered in the Privacy Pass Token Types registry
(<xref target="PRIVACYPASS-PROTOCOLS"/>) can be used. The Moderator's configuration
names one. The Credential encodes one bit: the Client either holds a valid
token or it does not. Presentation consumes the token. The update, if
granted, is a fresh token issued through the reverse flow of
<xref target="REVERSE-FLOW"/>, with the Moderator acting as both initial and reverse
issuer.</t>
        <t>The presented and reissued token <bcp14>MUST</bcp14> use the same token type and the same
Moderator public key. Anything else partitions Clients and leaks state.</t>
        <section anchor="redeem-issue-1">
          <name>Redeem &amp; Issue</name>
          <t><tt>IssuanceRequest</tt> is a <tt>TokenRequest</tt> and <tt>IssuanceResponse</tt> is a
<tt>TokenResponse</tt>, both as defined for the configured token type in
<xref target="PRIVACYPASS-PROTOCOLS"/>. The finalized token is the Credential.</t>
        </section>
        <section anchor="presentation-and-update-1">
          <name>Presentation and Update</name>
          <t><tt>Challenge</tt> is empty for this type. The challenge octets, and therefore
<tt>challenge_digest</tt>, are constant for a given Moderator configuration.</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque token<V>;
  opaque token_request<V>;  /* TokenRequest */
} PresentationAndUpdate;

struct {
  opaque token_response<V>; /* TokenResponse */
} Update;
]]></sourcecode>
          <t>The <tt>token</tt> field carries a <tt>Token</tt> as defined in <xref target="PRIVACYPASS-AUTH"/>.
Its <tt>challenge_digest</tt> field is fixed when the token is issued, one
exchange before it is presented, and <bcp14>MUST</bcp14> equal the Moderator's constant
<tt>challenge_digest</tt> (<xref target="challenge-binding"/>). This binds the token to the
Moderator, not to the exchange that presents it. Anti-replay therefore
does not come from challenge binding: it comes from the token being
single-use. The Moderator <bcp14>MUST</bcp14> reject a token whose nonce it has already
seen.</t>
          <t>If the Moderator's policy allows continued access, it returns an <tt>Update</tt>.
If not, it returns an empty update and the Client is out of credentials.</t>
        </section>
        <section anchor="limitations">
          <name>Limitations</name>
          <t>TODO: define a device binding mechanism, issuing tokens bound to a Client
key so that presentation requires proof of possession. This would restore
the binding between update and presented credential. Open problem.</t>
        </section>
      </section>
      <section anchor="credential-budget">
        <name>Budget Privacy Pass</name>
        <t>Credential type: 0x0003.</t>
        <t>The Credential is a balance, represented as Privacy Pass tokens drawn from
N issuers operated by the same Moderator, where issuer i denominates 2^i
units. Tokens are issued in batches using <xref target="PRIVACYPASS-BATCHED"/>, and any
token type registered in the Privacy Pass Token Types registry that
supports batched issuance can be used. The Client presents whatever tokens
it wants, and the sum of their denominations is the amount spent. The
Moderator returns change and any policy adjustment as freshly issued
tokens through the reverse flow, summing to the intended new balance.</t>
        <t>A presentation reveals that the Client can spend the challenged amount. If
the protocol presents exactly one token for that amount, and balance
management remains Client-local, this is the same disclosure as an ACT
predicate over that amount: the Moderator learns the predicate result, not
the Client's remaining balance. Deployments that allow multiple tokens,
variable denominations, or observable change shapes need padding or another
mitigation.</t>
        <section anchor="redeem-issue-2">
          <name>Redeem &amp; Issue</name>
          <t><tt>IssuanceRequest</tt> is a <tt>BatchTokenRequest</tt> and <tt>IssuanceResponse</tt> is a
<tt>BatchTokenResponse</tt> (<xref target="PRIVACYPASS-BATCHED"/>), for tokens summing to the
initial balance set by the Moderator's policy.</t>
        </section>
        <section anchor="presentation-and-update-2">
          <name>Presentation and Update</name>
          <t>The challenge indicates the amount to spend:</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 amount;
} Challenge;
]]></sourcecode>
          <t>The <tt>amount</tt> is an indicator, not a per-Client value. A Moderator <bcp14>MUST</bcp14>
use the same amount for every Client under a policy: varying it
partitions Clients. Deployments <bcp14>MAY</bcp14> publish the amount out of band
instead (<xref target="key-rotation"/>), in which case the field repeats the published
value.</t>
          <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque tokens<V>;         /* one or more Tokens */
  opaque token_request<V>;  /* BatchTokenRequest */
} PresentationAndUpdate;

struct {
  opaque token_response<V>; /* BatchTokenResponse */
} Update;
]]></sourcecode>
          <t>Challenge binding comes from each <tt>Token</tt> structure, as in
<xref target="credential-reverse"/>. The Client <bcp14>MAY</bcp14> at any time exchange several small
tokens for larger ones at the Moderator's refund endpoint.</t>
        </section>
        <section anchor="when-to-use-it">
          <name>When to use it</name>
          <t>Balances with many possible values need many tokens and padding traffic to
avoid leaking through request counts. If the state fits an ACT credential,
<xref target="credential-act"/> is simpler and leaks less. This protocol fits
deployments that already run Privacy Pass issuers and need only coarse
balances.</t>
        </section>
      </section>
    </section>
    <section anchor="key-rotation">
      <name>Key Rotation and Discovery</name>
      <t>TODO.</t>
      <t>Anchors and Moderators each publish a configuration that Clients fetch
before running any flow. It contains their endpoints, supported endorsement
and credential types, public keys, and, for Moderators, the accepted Anchor
set for each policy. The order of the accepted set is normative: IHAT
OR proofs and Longfellow issuer sets match elements by position, so all
parties must see the same order.</t>
      <t>Endorsements live in epochs. The <tt>endorsement_context</tt> of IHAT and the
epoch of Longfellow name the epoch an Endorsement is granted in, which is
also the window the Moderator's nullifier store covers. Epoch length is a
privacy parameter: short epochs shrink the double-spend store but
partition Clients into smaller anonymity sets. See <xref target="ARCHITECTURE"/> for
the consistency requirements on configuration. A Moderator that shows
different configurations to different Clients can partition them.</t>
      <t>Open questions:</t>
      <ol spacing="normal" type="1"><li>
          <t>Format: a Privacy Pass style directory, or JWKS. Reusing JWKS matters if
deployments want existing key-management tooling, despite feelings.</t>
        </li>
        <li>
          <t>How and when Anchor and Moderator keys rotate.</t>
        </li>
        <li>
          <t>Whether messages carry a key identifier, such as a truncated key
identifier as in Privacy Pass token requests, or a JWK Thumbprint.</t>
        </li>
        <li>
          <t>How Clients validate Moderator configuration without revealing
themselves, and how consistency is audited.</t>
        </li>
      </ol>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>TODO. The list to cover:</t>
      <ol spacing="normal" type="1"><li>
          <t>Anchor set verification: the Client must be able to verify the number
of Anchors in an accepted set, and that these Anchors are real rather
than fabricated by the Moderator. A set padded with fake Anchors
shrinks the effective anonymity set to the Clients of the real ones.</t>
        </li>
        <li>
          <t>Configuration partitioning: accepted-set contents and order as a
fingerprinting vector (with <xref target="ARCHITECTURE"/>).</t>
        </li>
        <li>
          <t>Epoch width versus anonymity set size.</t>
        </li>
      </ol>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>All exchanges defined in this document and <xref target="HTTP-TRANSPORT"/> <bcp14>MUST</bcp14> be
carried over HTTPS.</t>
      <t>TODO. The list to cover:</t>
      <ol spacing="normal" type="1"><li>
          <t>Nullifier store sizing and eviction: the store is per epoch, and a
Moderator that evicts early re-admits spent Endorsements.</t>
        </li>
        <li>
          <t>Anchor key compromise: an attacker with an Anchor key in an accepted set
can mint Endorsements freely. Blast radius and rotation response.</t>
        </li>
        <li>
          <t>Reverse-flow update transfer: the two-credential attack of
<xref target="credential-reverse"/>, and why single-credential enforcement cannot be
verified.</t>
        </li>
        <li>
          <t>Timing and error side channels during verification, especially
distinguishing "bad proof" from "spent nullifier".</t>
        </li>
      </ol>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>This document sketches two candidate registries under a future "MoLE"
group. The values below are candidate values for discussion in this -00
draft and are not stable assignments.</t>
      <t>A registration <bcp14>MUST</bcp14> define the per-type structures its flow requires:
<tt>Challenge</tt> and <tt>Presentation</tt> for endorsement types
(<xref target="endorsement-protocols"/>), and <tt>Challenge</tt>, <tt>IssuanceRequest</tt>,
<tt>IssuanceResponse</tt>, <tt>PresentationAndUpdate</tt>, and <tt>Update</tt> for credential
types (<xref target="credential-protocols"/>). Every message begins with the registered
<tt>uint16</tt> type (<xref target="common"/>). A registration <bcp14>MUST</bcp14> also state how redemption
or presentation binds <tt>challenge_digest</tt> (<xref target="challenge-binding"/>).</t>
      <section anchor="mole-endorsement-types">
        <name>MoLE Endorsement Types</name>
        <table anchor="endorsement-types">
          <name>Candidate MoLE Endorsement Type Values</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">Reserved</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">Moderator trust establishment</td>
              <td align="left">
                <xref target="common"/></td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">IHAT</td>
              <td align="left">
                <xref target="ihat"/></td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">Longfellow</td>
              <td align="left">
                <xref target="longfellow"/></td>
            </tr>
            <tr>
              <td align="left">0xFF00 - 0xFFFF</td>
              <td align="left">Reserved for testing</td>
              <td align="left">this document</td>
            </tr>
          </tbody>
        </table>
        <t>The registration template contains:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The two-byte endorsement type.</t>
          </li>
          <li>
            <t>Name: A short name for the protocol.</t>
          </li>
          <li>
            <t>Exchanges: The number of request/response exchanges with the Anchor, or
"none" if the grant is out of band.</t>
          </li>
          <li>
            <t>Publicly Verifiable: Whether the Endorsement can be verified without
Anchor secret key material.</t>
          </li>
          <li>
            <t>Reference: Where the protocol is defined.</t>
          </li>
        </ul>
        <t>The following initial registrations are candidates only.</t>
        <section anchor="iana-ihat">
          <name>IHAT</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0002</t>
            </li>
            <li>
              <t>Name: IHAT</t>
            </li>
            <li>
              <t>Exchanges: 2</t>
            </li>
            <li>
              <t>Publicly Verifiable: Yes</t>
            </li>
            <li>
              <t>Reference: <xref target="ihat"/></t>
            </li>
          </ul>
        </section>
        <section anchor="iana-longfellow">
          <name>Longfellow</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0003</t>
            </li>
            <li>
              <t>Name: Longfellow</t>
            </li>
            <li>
              <t>Exchanges: none (out of band)</t>
            </li>
            <li>
              <t>Publicly Verifiable: Yes</t>
            </li>
            <li>
              <t>Reference: <xref target="longfellow"/></t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="mole-credential-types">
        <name>MoLE Credential Types</name>
        <table anchor="credential-types">
          <name>Candidate MoLE Credential Type Values</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">Reserved</td>
              <td align="left">this document</td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">ACT</td>
              <td align="left">
                <xref target="credential-act"/></td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">Privacy Pass Reverse Flow</td>
              <td align="left">
                <xref target="credential-reverse"/></td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">Budget Privacy Pass</td>
              <td align="left">
                <xref target="credential-budget"/></td>
            </tr>
            <tr>
              <td align="left">0x0A0A, 0x1A1A, ..., 0xFAFA</td>
              <td align="left">Reserved for greasing</td>
              <td align="left">
                <xref target="greasing"/></td>
            </tr>
            <tr>
              <td align="left">0xFF00 - 0xFFFF</td>
              <td align="left">Reserved for testing</td>
              <td align="left">this document</td>
            </tr>
          </tbody>
        </table>
        <t>The registration template contains:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The two-byte credential type.</t>
          </li>
          <li>
            <t>Name: A short name for the protocol.</t>
          </li>
          <li>
            <t>Bound Update: Whether updates provably apply to the presented
credential.</t>
          </li>
          <li>
            <t>Reference: Where the protocol is defined.</t>
          </li>
        </ul>
        <section anchor="iana-act">
          <name>ACT</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0001</t>
            </li>
            <li>
              <t>Name: ACT</t>
            </li>
            <li>
              <t>Bound Update: Yes</t>
            </li>
            <li>
              <t>Reference: <xref target="credential-act"/></t>
            </li>
          </ul>
        </section>
        <section anchor="iana-reverse">
          <name>Privacy Pass Reverse Flow</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0002</t>
            </li>
            <li>
              <t>Name: Privacy Pass Reverse Flow</t>
            </li>
            <li>
              <t>Bound Update: No</t>
            </li>
            <li>
              <t>Reference: <xref target="credential-reverse"/></t>
            </li>
          </ul>
        </section>
        <section anchor="iana-budget">
          <name>Budget Privacy Pass</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0003</t>
            </li>
            <li>
              <t>Name: Budget Privacy Pass</t>
            </li>
            <li>
              <t>Bound Update: No</t>
            </li>
            <li>
              <t>Reference: <xref target="credential-budget"/></t>
            </li>
          </ul>
        </section>
        <section anchor="iana-grease">
          <name>Greased Values</name>
          <ul spacing="normal">
            <li>
              <t>Value: 0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA</t>
            </li>
            <li>
              <t>Name: RESERVED</t>
            </li>
            <li>
              <t>Bound Update: N/A</t>
            </li>
            <li>
              <t>Reference: <xref target="greasing"/></t>
            </li>
          </ul>
          <t>These values <bcp14>MUST NOT</bcp14> be assigned. Message bodies carrying them contain
random bytes (<xref target="greasing"/>).</t>
        </section>
      </section>
      <section anchor="media-types">
        <name>Media Types</name>
        <table anchor="media-types-table">
          <name>MoLE Media Types</name>
          <thead>
            <tr>
              <th align="left">Media Type</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">application/mole-endorsement-request</td>
              <td align="left">
                <xref target="endorsement-protocols"/></td>
            </tr>
            <tr>
              <td align="left">application/mole-endorsement-response</td>
              <td align="left">
                <xref target="endorsement-protocols"/></td>
            </tr>
          </tbody>
        </table>
        <t>TODO: full registration templates, following the Privacy Pass template.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="ACT">
          <front>
            <title>Anonymous Credit Tokens</title>
            <author fullname="Samuel Schlesinger" initials="S." surname="Schlesinger">
              <organization>Google</organization>
            </author>
            <author fullname="Jonathan Katz" initials="J." surname="Katz">
              <organization>Google</organization>
            </author>
            <date day="13" month="February" year="2026"/>
            <abstract>
              <t>   This document specifies Anonymous Credit Tokens (ACT), a privacy-
   preserving authentication protocol that enables numerical credit
   systems without tracking individual clients.  Based on keyed-
   verification anonymous credentials and privately verifiable BBS-style
   signatures, the protocol allows issuers to grant tokens containing
   credits that clients can later spend anonymously with that issuer.

   The protocol's key features include: (1) unlinkable transactions -
   the issuer cannot correlate credit issuance with spending, or link
   multiple spends by the same client, (2) partial spending - clients
   can spend a portion of their credits and receive anonymous change,
   and (3) double-spend prevention through cryptographic nullifiers that
   preserve privacy while ensuring each token is used only once.

   Anonymous Credit Tokens are designed for modern web services
   requiring rate limiting, usage-based billing, or resource allocation
   while respecting user privacy.  Example applications include rate
   limiting and API credits.

   This document is a product of the Crypto Forum Research Group (CFRG)
   in the IRTF.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-schlesinger-cfrg-act-01"/>
        </reference>
        <reference anchor="ARCHITECTURE">
          <front>
            <title>Moderation of unLinkable Endorsements (MoLE) Architecture</title>
            <author fullname="Samuel Schlesinger" initials="S." surname="Schlesinger">
              <organization>Google LLC</organization>
            </author>
            <author fullname="Dennis Jackson" initials="D." surname="Jackson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   Moderation of unLinkable Endorsements (MoLE) is an architecture that
   lets a party performing access control (a Moderator) bootstrap trust
   in a client from a third party (an Anchor) that already has a trust
   relationship with that client, and then adjust that trust over time
   in response to the client's behaviour, for example by dynamically
   rate-limiting access.

   MoLE targets open deployments, in which independent parties may be
   responsible for access control and for vouching for clients, whilst
   maintaining strong privacy protections for clients.  These
   protections are designed to hold even if participants in the
   ecosystem collude or otherwise misbehave.

   This document specifies the roles, the information flows between
   them, the privacy and security requirements, and deployment
   considerations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-jms-mole-architecture-00"/>
        </reference>
        <reference anchor="CRYPTO" target="https://moderation-of-unlinkable-endorsements.github.io/internet-drafts/draft-authors-mole-crypto.html">
          <front>
            <title>MoLE Cryptography</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="HTTP-TRANSPORT">
          <front>
            <title>MoLE HTTP Transport</title>
            <author fullname="Samuel Schlesinger" initials="S." surname="Schlesinger">
              <organization>Google LLC</organization>
            </author>
            <author fullname="Dennis Jackson" initials="D." surname="Jackson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   MoLE targets browser deployments, so Clients, Anchors, and Moderators
   need an HTTP transport for the protocol flows defined by the
   architecture.

   This document defines the Mole HTTP authentication scheme, which
   carries challenges and presentations for the endorsement and
   credential flows, and the headers used to return credential material.
   The grant exchanges with the Anchor are defined per protocol in
   [PROTOCOLS].

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-jms-mole-http-transport-00"/>
        </reference>
        <reference anchor="LONGFELLOW">
          <front>
            <title>The Longfellow Zero-knowledge Scheme</title>
            <author fullname="Matteo Frigo" initials="M." surname="Frigo">
              <organization>Google</organization>
            </author>
            <author fullname="abhi shelat" initials="A." surname="shelat">
              <organization>Google</organization>
            </author>
            <date day="2" month="September" year="2025"/>
            <abstract>
              <t>   This document defines an algorithm for generating and verifying a
   succinct non-interactive zero-knowledge argument that for a given
   input x and a circuit C, there exists a witness w, such that C(x,w)
   evaluates to 0.  The technique here combines the MPC-in-the-head
   approach for constructing ZK arguments described in Ligero [ligero]
   with a verifiable computation protocol based on sumcheck for proving
   that C(x,w)=0.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-google-cfrg-libzk-01"/>
        </reference>
        <reference anchor="PRIVACYPASS-AUTH">
          <front>
            <title>The Privacy Pass HTTP Authentication Scheme</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="S. Valdez" initials="S." surname="Valdez"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document defines an HTTP authentication scheme for Privacy Pass, a privacy-preserving authentication mechanism used for authorization. The authentication scheme specified in this document can be used by Clients to redeem Privacy Pass tokens with an Origin. It can also be used by Origins to challenge Clients to present Privacy Pass tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9577"/>
          <seriesInfo name="DOI" value="10.17487/RFC9577"/>
        </reference>
        <reference anchor="PRIVACYPASS-BATCHED">
          <front>
            <title>Batched Token Issuance Protocol</title>
            <author fullname="Raphael Robert" initials="R." surname="Robert">
              <organization>Phoenix R&amp;D</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare Inc.</organization>
            </author>
            <date day="4" month="May" year="2026"/>
            <abstract>
              <t>   This document specifies two variants of the Privacy Pass issuance
   protocol that allow for batched issuance of tokens.  These allow
   clients to request more than one token at a time and for issuers to
   issue more than one token at a time.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-batched-tokens-08"/>
        </reference>
        <reference anchor="PRIVACYPASS-PROTOCOLS">
          <front>
            <title>Privacy Pass Issuance Protocols</title>
            <author fullname="S. Celi" initials="S." surname="Celi"/>
            <author fullname="A. Davidson" initials="A." surname="Davidson"/>
            <author fullname="S. Valdez" initials="S." surname="Valdez"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document specifies two variants of the two-message issuance protocol for Privacy Pass tokens: one that produces tokens that are privately verifiable using the Issuer Private Key and one that produces tokens that are publicly verifiable using the Issuer Public Key. Instances of "issuance protocol" and "issuance protocols" in the text of this document are used interchangeably to refer to the two variants of the Privacy Pass issuance protocol.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9578"/>
          <seriesInfo name="DOI" value="10.17487/RFC9578"/>
        </reference>
        <reference anchor="REVERSE-FLOW">
          <front>
            <title>Privacy Pass Reverse Flow</title>
            <author fullname="Thibault Meunier" initials="T." surname="Meunier">
              <organization>Cloudflare Inc.</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   This document specifies an instantiation of Privacy Pass Architecture
   [RFC9576] that allows for a "reverse" flow from the Origin to the
   Client.  It describes a method for an Origin to issue a state update
   to the Client in response to a request in which a token is redeemed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-meunier-privacypass-reverse-flow-06"/>
        </reference>
        <reference anchor="SHA2">
          <front>
            <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <date month="May" year="2011"/>
            <abstract>
              <t>Federal Information Processing Standard, FIPS</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6234"/>
          <seriesInfo name="DOI" value="10.17487/RFC6234"/>
        </reference>
        <reference anchor="TLS13">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="HIDDEN-ISSUER-CIRCUIT" target="https://github.com/thibmeu/longfellow-zk/blob/hidden-issuer-poc/lib/circuits/mdoc/HIDDEN_ISSUER.md">
          <front>
            <title>Hidden issuer circuit for longfellow-zk</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 856?>

<section anchor="example">
      <name>Example</name>
      <t>A Client requests a resource protected by a Moderator that uses credential
type 0x0002 (Privacy Pass Reverse Flow) and accepts endorsement type
0x0002 (IHAT).</t>
      <figure anchor="fig-example">
        <name>Complete exchange</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="392" viewBox="0 0 392 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,32 L 8,64" fill="none" stroke="black"/>
              <path d="M 40,64 L 40,176" fill="none" stroke="black"/>
              <path d="M 40,208 L 40,224" fill="none" stroke="black"/>
              <path d="M 40,256 L 40,288" fill="none" stroke="black"/>
              <path d="M 80,32 L 80,64" fill="none" stroke="black"/>
              <path d="M 160,32 L 160,64" fill="none" stroke="black"/>
              <path d="M 192,64 L 192,288" fill="none" stroke="black"/>
              <path d="M 232,32 L 232,64" fill="none" stroke="black"/>
              <path d="M 288,32 L 288,64" fill="none" stroke="black"/>
              <path d="M 336,64 L 336,288" fill="none" stroke="black"/>
              <path d="M 384,32 L 384,64" fill="none" stroke="black"/>
              <path d="M 8,32 L 80,32" fill="none" stroke="black"/>
              <path d="M 160,32 L 232,32" fill="none" stroke="black"/>
              <path d="M 288,32 L 384,32" fill="none" stroke="black"/>
              <path d="M 8,64 L 80,64" fill="none" stroke="black"/>
              <path d="M 160,64 L 232,64" fill="none" stroke="black"/>
              <path d="M 288,64 L 384,64" fill="none" stroke="black"/>
              <path d="M 40,96 L 184,96" fill="none" stroke="black"/>
              <path d="M 200,96 L 224,96" fill="none" stroke="black"/>
              <path d="M 304,96 L 328,96" fill="none" stroke="black"/>
              <path d="M 48,112 L 184,112" fill="none" stroke="black"/>
              <path d="M 200,112 L 216,112" fill="none" stroke="black"/>
              <path d="M 312,112 L 336,112" fill="none" stroke="black"/>
              <path d="M 40,128 L 64,128" fill="none" stroke="black"/>
              <path d="M 168,128 L 184,128" fill="none" stroke="black"/>
              <path d="M 48,144 L 64,144" fill="none" stroke="black"/>
              <path d="M 168,144 L 192,144" fill="none" stroke="black"/>
              <path d="M 40,160 L 64,160" fill="none" stroke="black"/>
              <path d="M 168,160 L 184,160" fill="none" stroke="black"/>
              <path d="M 48,176 L 64,176" fill="none" stroke="black"/>
              <path d="M 168,176 L 192,176" fill="none" stroke="black"/>
              <path d="M 40,208 L 184,208" fill="none" stroke="black"/>
              <path d="M 200,208 L 224,208" fill="none" stroke="black"/>
              <path d="M 296,208 L 328,208" fill="none" stroke="black"/>
              <path d="M 48,224 L 184,224" fill="none" stroke="black"/>
              <path d="M 200,224 L 224,224" fill="none" stroke="black"/>
              <path d="M 40,256 L 184,256" fill="none" stroke="black"/>
              <path d="M 200,256 L 224,256" fill="none" stroke="black"/>
              <path d="M 304,256 L 328,256" fill="none" stroke="black"/>
              <path d="M 48,272 L 184,272" fill="none" stroke="black"/>
              <path d="M 320,272 L 336,272" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="336,256 324,250.4 324,261.6" fill="black" transform="rotate(0,328,256)"/>
              <polygon class="arrowhead" points="336,208 324,202.4 324,213.6" fill="black" transform="rotate(0,328,208)"/>
              <polygon class="arrowhead" points="336,96 324,90.4 324,101.6" fill="black" transform="rotate(0,328,96)"/>
              <polygon class="arrowhead" points="192,160 180,154.4 180,165.6" fill="black" transform="rotate(0,184,160)"/>
              <polygon class="arrowhead" points="192,128 180,122.4 180,133.6" fill="black" transform="rotate(0,184,128)"/>
              <polygon class="arrowhead" points="56,272 44,266.4 44,277.6" fill="black" transform="rotate(180,48,272)"/>
              <polygon class="arrowhead" points="56,224 44,218.4 44,229.6" fill="black" transform="rotate(180,48,224)"/>
              <polygon class="arrowhead" points="56,176 44,170.4 44,181.6" fill="black" transform="rotate(180,48,176)"/>
              <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"/>
              <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/>
              <g class="text">
                <text x="44" y="52">Client</text>
                <text x="196" y="52">Anchor</text>
                <text x="336" y="52">Moderator</text>
                <text x="264" y="100">request</text>
                <text x="264" y="116">challenge</text>
                <text x="108" y="132">exchange</text>
                <text x="152" y="132">1</text>
                <text x="108" y="148">response</text>
                <text x="152" y="148">1</text>
                <text x="108" y="164">exchange</text>
                <text x="152" y="164">2</text>
                <text x="108" y="180">response</text>
                <text x="152" y="180">2</text>
                <text x="36" y="196">Finalize</text>
                <text x="260" y="212">redeem</text>
                <text x="276" y="228">credential</text>
                <text x="328" y="228">-</text>
                <text x="36" y="244">Finalize</text>
                <text x="264" y="260">present</text>
                <text x="204" y="276">--</text>
                <text x="228" y="276">ok</text>
                <text x="248" y="276">+</text>
                <text x="284" y="276">update</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
+--------+         +--------+      +-----------+
| Client |         | Anchor |      | Moderator |
+---+----+         +---+----+      +-----+-----+
    |                  |                 |
    +------------------|---- request --->|
    |<-----------------|--- challenge ---+
    +--- exchange 1 -->|                 |
    |<-- response 1 ---+                 |
    +--- exchange 2 -->|                 |
    |<-- response 2 ---+                 |
Finalize               |                 |
    +------------------|---- redeem ---->|
    |<-----------------|---- credential -+
Finalize               |                 |
    +------------------|---- present --->|
    |<-----------------|-- ok + update --+
    |                  |                 |
]]></artwork>
        </artset>
      </figure>
      <t>The Moderator challenges the Client:</t>
      <artwork><![CDATA[
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Mole challenge="<credential-challenge>",
                       realm="moderator"
]]></artwork>
      <t>The Client holds no Credential for this Moderator, so it first obtains an
Endorsement. It runs the two IHAT exchanges against the Anchor:</t>
      <artwork><![CDATA[
POST /mole/endorse HTTP/1.1
Host: anchor.example
Content-Type: application/mole-endorsement-request

EndorsementRequest { 0x0002, Prepare(...) }
]]></artwork>
      <t>The Anchor answers each POST with an
<tt>application/mole-endorsement-response</tt> body, and the Client finalizes the
Endorsement.</t>
      <t>The Client then runs Redeem &amp; Issue. It repeats its request, this time
carrying a <tt>CredentialRequest</tt> that redeems the Endorsement bound to the
Moderator's challenge together with a Privacy Pass TokenRequest:</t>
      <artwork><![CDATA[
GET /resource HTTP/1.1
Host: moderator.example
Authorization: Mole credential-request="<credential-request>"
]]></artwork>
      <t>The Moderator verifies the redemption, records its nullifier, and returns
a <tt>CredentialResponse</tt> carrying a TokenResponse in the <tt>Mole-Credential</tt>
header, alongside its unchanged challenge. The Client finalizes it into a
token and answers the challenge:</t>
      <artwork><![CDATA[
GET /resource HTTP/1.1
Host: moderator.example
Authorization: Mole presentation="<credential-presentation>"
]]></artwork>
      <t>The Moderator verifies the presentation and serves the resource. Its
response carries a <tt>Mole-Credential</tt> header whose <tt>update</tt> parameter
holds a fresh token, or an absent update if it chose to consume the
Credential.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8196XbbRrrg/3qKGvmciZ2QVGS7k7TipJuW5Vj3OpZGkpOT
03PHBImihBYIcLBIZmT3s8yz3Ce731YbAFpyJmfO+IclYanlq2/fMB6PVZM1
udnXOz+Xrw/1SVU25aLM6x2VzOeVuR64sUgac1FWm32dFctSqbRcFMkKhkir
ZNmM/7mqx6syN+O1fWX89deqbuerrK6zsmg2a3j26PD8pSra1dxU+yqFEffV
oixqU9Rtva+bqjUK5n6irszmpqzSfaXHelWmpkoaGAP/MkVaVrVZmaLBP9si
z4qrZJ7lWbPBC+squ04WG3VtihZGf6D1RVW2a9jQtGiy8csqaVN9UK5WbQFv
6J/w5g4+xgvcGbq1SrIcbq3beZ4txgmMs8Rh/n7zZFJWF/RIUi0u4ZHLplnX
+7u7eVY39YTv707hXnZt6t0TGmC3O87ujoJVZs1lOye42+2Oy+W4LV7T/gCw
h37n9W5WNKYqTDMm6Nc4Qg7grJtgEavOSLkdKYBhPeGJJ1nZHXN328FOLptV
vqNU0jaXZYVnBLNrvWzznDHiLFm1Jtdni8vc1FlxYSp6AGCRFNnvtKJ9/VNZ
XuRGv359QDcNA7m+qP1bf7/Ai5NFuerP8cIURVbrf0sWVzViRm/8n8vfszxP
wsEz0yz/ntKL43/yi5P2qj/2+WU2T9q80T8bQIXB1R/kZZsu86Qy4QRlM6Y5
GhkAR1dFWa3grWvARq2nB+dABeMXEwZusNnxYlldjJNFg0+dHrw6Oj88OH97
ehg+7s4C0S1rzKJpaQEHp7+dnB/v6wf+UT4ceXxRbdZNSSsVuifqPqDLF1Wy
vtzwzaS6MIBCfy4GDSyFUAimfHV+fjI+P52+OTs5Pj0f3CquZdxUSVGvywqB
8/r4zU8vD1+/Pv41fP6C0ImBmGfz3+FY9cnp0S/Tg99Opmdn4+nb81f7+vTl
wV//8u23nXvPp+cHrw5fhMPhMY6Fl6yTuh7Pk2ZxadJxU14Bt+oMcHJ6fH58
cPz6zM7wHTxwevjL4enZ4fhlZ6UrRqpodGC5BuA5XublDbx69mr6mIb65vGT
p/D3+euzvSd04bunT79RCjlwgFSvjl68OHwzPjo7e3t4Oj44Oj14e3S+Hx73
zqssBcTXwItbU+lFVi3arNEwis7L4mJpcph4/PvVziAayAEDHe4iZsMGdqO3
dud5Od+9pCnGPMV4XS6AC853Zap6dwUCY5dX+o5XOlmlSk0mE6XG47FO5jWc
MqC/AvKrNTzdInrp1CyzwtTasR/dXCYNCKG6QQ4KTA8uGEbokCxAnNyUKkBU
P8JIzzf65jJbXOoEKDmTm8CidVPCJWHBAByeqtGXZZ7WKil0wIT1sipX8DRI
rboxqZ4WC0BzfQPAKttG45EmQDAXMlNZmJFOihTGrIxRi8oAtGD9+ZZ1+UUQ
ROEmoEi2zPA3HKZdo/ys1RqALXsAiAA07ALmBidHcsVdIenCTAZkbUMUXU/0
UaOTvAYgwYsgkupLBADAsjIXIL+qzFhY00qXG7xZG79eODk6uhWcfG4UyMGj
oqnKtF2QtIaDHDgXfXsbsrePH90JE2B0BUQPa+Mt1bqcN0lWqFD4MeAZ3AAM
BKRZ4drgNBoPtxpwRJv3i8sE2CuiujpwMBcYCjzg3RL2FdxGiAUDIVYsFqau
FbxQttUCV4i7izZG4LcQ/N9tBsMhrOCAGgRluQyxB7Epjaacw5mlJTxYlHCU
yQaQ7gZnnrdZntL2cM6INOBpOIPz4xfA+3FaTyNzA6QJy1jmsDgNS9aLtqrw
pbaAbSHtpIgesCicBk9JrWBO0LquGDY1XF8kAJbkgpQr2vAGdmxogXBkST7R
Z+XKaHxxjpteAQ2lI1XCWgBqCfCDFNZ35IkYSFIPkqSnDD1EGRN9mABVZLUS
XMwAtkAsCalt+jrJW2PpUbB3oz1ap4gKTQg79fD2NkuK5OPHR3ySKIn0Iqmq
LAFsAbAA3uS5AdQRFFutiWoIOCoiJI3j0gZpntvbWKp9/Ng7N4fwRq0Aq2BG
+mNVmxyZEMwwIt6MZwriGXkNHOeI/qaFWrQWAsV1bxShCFLhQVlcI5RwbQjX
FzhfRn8zUYJ6jSed1qBuvj073xnxT/3mmH4/Pfwfb49OD1/g7yCKXr92vyh5
4uzV8dvXL/xv/s2D459/Pnzzgl+Gqzq6pHZ+nv62wwi2c3xyfnT8Zvp6p3c6
hGWI+kaTSgHgRg6b1Co19aLK5gzp5wcn//l/9p4CxP8biMbHe3t/BW7Cf3y3
9+1T+OPm0hQ8W1nkG/kT4LRRyXptkgpHgWMGAK6zhtlCTZhfaEBhA9D88h8I
mf/Y18/mi/Xe0x/lAm44umhhFl0kmPWv9F5mIA5cGpjGQTO63oF0vN7pb9Hf
Fu7BxWd/A/lg9Hjvu7/9CEzdmn3aYSceSAR7UEkicQLmR3HRIu0AZZ0ZkgD6
CRCSIuVF6Cw6YxA9uq2FY5ZEXkk+ZlrGI7tOgBhR26yz38EuhDGBJBYBbj+c
2beenf84G+nZs19+nD26gxbVFM+7ZPWBNwYPgtKKrA94CkhQoAxTTbqKiFvq
skS9B7knoOaqJkq1nArkBK1tX6mfkHD31T5IKqsbXGRE3lbniPUJmPCURBm9
Y5+p18Av686jKOcCDUG4Y/jAAl6Yo2nA0tEgASwQn49QmeAZvIbRXVcglxA4
QH1tVdA+k4AXThBRCAPiFQP51PEYsVYlyw3uu9UKRtnlEmdmRQfmXecJCF5Q
x2Dit2v2HuxrVjJk6C9Q6vwT9DECAk3rh/QTjmRLVjDg1DWYfo6vwgwvUcAB
4tk5eHfjvFzAgkHhWzPrxWFqmkYQAKZbo0sDORfOX8OyTAoThMcDkPSrEZ69
WgHFnLLiwHrO7YMFXf0IDzwAY5RoUZ+DxAM+fgjq4IbVq3WHXDVxqDnIwYK0
QVjFrIXl7H0zY3kJ4jNP99UsEMXv8MaMztgRPcMmEtgsh2ZeRvN7aui9QJDj
axP9C5I2kxwYPdmFh3+gcqqIfFlGTwC7KrPI1hlra0mgKcH18gIMczYDaHu4
fQXDlxVflIVNPI7SEPCmEcR3wl7gVYCadFWgGMABVZ2t1iA+gjnxjFNEMMJG
xA/mW1+//xr+oUaAaFdd8z7moBGFWjVyNytFtEiikhHxBk5/EuEKbYnG3YOd
gB0s9o4l3kh7R1vE4rTsFQbOUJG+EUlYlNHwtFTmERPCs58qk6BLAtDvQn4F
BDwqmC3intdo2xSRqk261xyOYoVvZgX8sga5gMYHQXTZkqsiQAncFshbq+eL
vANSTWMzBYQ2KOeqh3K4cOBGsCOYOVAAGZsE9rQBk/L92ip9Y74MMmnEq6tR
iy3KYgzHcy2K51ycisyE5mW6Qa0wUXbISPghEHklKEBqQYl4dpEbrKgnDXpK
4Fj/Nv3bdARcHh4Fm67I0LAHVEsWVVmzhuj02XqdIE8MoE44BAwrzQ3bP+Y9
yB98HXEMFoyKuEVlRYgUoR4IlwVsd0x6fgQ4dGDu90xhMKdBFlZk5nQ2B1Rr
koZWnIE4bKs1mlQ4202WI8PE/4XiVEhcyNB1mqVEWG58gOA0TTOW7vlmRKob
EmogmCwtsqnVQyU+kHyjQPTiWvBh5MhFfWOqPs3fhQNge1yafF1rdFYTY4mN
zRWYqWiqCgTm5jK5zgBuyBnpiJAwZInK2uiL0CKFgfC4YGAUufmG7LPCizBG
tSS/STY1W/fWDmHCPXAbep6xdQcCxF4bz/naRys5vBwPTWGHzvOyZQZHnNyN
zDKvyi4uDEo14H5MHjIh02GG6s+//vUv5d57l2YgGBr9A7q2xo//8s1Dd+sR
PaluUN8GwWIvE33HcwMRtGxpZ8zSYNYEdoIkQ/avKheNacjSxtugeI6jbRlg
S7jMif5VsMmNjYYfiAI1B5z+5mlb5fwws284D7K6LoFG4YAe9rXKR2ybCcdd
ZmBggxzDARC96SZYFEngYanbvKEDpiUzFAVIiNjoD9TIRFvQXFR5bdgYnJ4d
HB3RhicWkj3rE52HqOcq0rKcbtCzscRd0QW8HNVMo9KEThRAVyvZUYKKF6pi
LlKZf6KDIVQLNanDAdgdKiUqzZZLQ24IN5+YBSJTkKdbLQaMMjxt2lYJ1gko
7Y15z343xd4tUgo39pSI3U1IVnX1lsDHxo6SGNtJfwO0uTAFsR+wNRsVbKnJ
VuK9GwBURup5VsBZMcEkDQ+3D8BTAkZxz8Ac5MsGQ2pNgvro1fRcnB/wAEWG
eChSo147NyvYLfL+mjxssETkLAQXh8VOQaFD2rCvxwPGMwhLr7D02qwT3LKX
nkWb53TEjJXuTwbUyelLBawLN0toGfLkMR91beBS43Zl1uXi8ntk83m2yhpv
aCiAFm4gOo01jElvkFocaiouGAl8LThbH5gC3jYtBo8daY+cT7BXpLaXSKER
zVYtqBq4GFRkQXFUKFfgeHedPu99LlZHFKsO97kUayEkb7EAIuelYLvwNvLt
ACUDp0CXT7gcUsn4qeB1FRt+I3Jb00GiybeyPjC3NNGuI/tosTBrZCo1HNEn
nNUTferx/xKVVPR0FXWWsqrAtqr+72xRkoaPnDFABn8uYPyTQNBJUl9fqK/G
8u8rPfDP31UfLDg+DD34we7yA4341SdH5LuK3/vUvw/KvhIC/pSxQdPCfoQR
/icP9az7mCCL3R48GSJVb/rJZNLdlN7VHtecGXrXgj98emsOqHdD4UOg9N1r
1K/uM2q01md2KYHO0l2fXbE+CbmDfebHO1Zmp0Pd4nZfP1hmF2HQkgJtHBz7
YSfkMextRYr23H8HdaaY+EkWC/VX4pM9OSZ5SHgiAl3+YusBWRAYWVnCivgM
SAqYPW1rlyKd4frkzRktBQUfaJYoZtSsj5QzO5ngXjwbW7B3zcav3jWdPMXz
ma6Nmhr0h5FnG2MKK7RAPCJT4MAYVKnIKiBFEoaZ4XJn7JIIpgZbANUXdLQI
72jyOlLnFOuD+hYwgb0buuvP+B5ulesEoERAefbLj9+rjwNk/b36cwZj+HzP
Gi2r2YPSKAyHOK0WcGZ20FV/CVfGZKctQTMgFQht+mWPrzstYMRhDFaKUHsL
lWoG85AGi+HA2k4wQhM+b0lHwGNkXEeRMcKFCRjkBF1wXucgRnJx7/XQo5JN
gz5M7iKwVVfr3PnJ0OIkC1vkk6WvK7NByIRcwNkGFqBf1IoEsGbFZD/0+ni3
Zk2eVJjMRwzD4xupAG6EmSEGrKP5GYy4WjgzJ/EsPapPykGw1I44Rv4qIwBP
wercrMoWLBZMLtAPUSd8BEpOBjSCvKcDyX32Bj12oT/SIVmLRRcpBqtBicJc
lok+LhZg4BrgB9cICjJNUD3EnCzSIG9vOXvk48eRguduyhZ2BiLnAv27wchJ
VsFix8vKmJHkEYwveQPhUdeLS/iFVcMTtE+IWSg5TFBvwRLeaHT+eT1wvEAX
T9FVPOXYMK+pkvj8SIk/cw8TUgp9fMpK8chG6utIY7QRc1GESRIT5agAuTru
NMY/YeALnyED1Ieh3MRHAWkgIRgyOg1RvMU7ZBIjCZwE5pmF9kS/BfTI2a/i
jLKsJqsvB1Y6whEy604lTZ2jKjikZUQYrkCnYnFRK2cYCBOv2xVHSSlo0RYc
mSC8SDlALH4qH9BYV6ihgyUsrhmcqq2D+KmsYX8LS5ZlnS2SPKn+8eTxf3wP
6syXYG6Q9M3ITGrMhUF1KBUVuGzX4lr8ctcOcFLCc/948gTfxwEIk/Qar470
2eHBHkEJZsa1wWvEcB88oNAniPpW8gVVgEYoe+DcgtwBhJF/GJkioMMYiJX+
BmLdVxZPOHNP/7vZqH09W19NZyMkfVrmjIKG3nKMTzkm3wM2YWEQAEX/DF2m
BQWXEP8kaM8GUZQ/oDn37BpI1ZuC9NwITgnTLOLdTBhAFJWy7knUdZrkygbm
t+k43qRm9mEf7BtQyKbBxDIPAUSjMPnmnRjvj2YIZwudRyOgQLO2RpOEZBZB
NguH24VzR44Tq1sldahGIEsu9FYlyZ4nL/YMuNDDGlZKtPpoZlcj7nLJp7GB
+JqsNOU3z1oiB4Aiq6+/BKs4OUDyYJ+CpKz7BNnbQ4EFL3MQJMyvou2dIMvs
vxquWcnLEaV4W5bwYGZNkHiokZiKjsd6tvoFMTFgJBzrAsuR9YjU+i668Uxe
fGjnekUw8D/MiuXMeRVmA9g1Qzv4BqkRURtsXOL7oNks7aaY1JdJZj1Bsmdy
ZqVZDSpAKgdEacuUJEXxJPSXA+SAwTvqoJAhAUUAKODPTYLwLUxGDl1adiFY
xHpKqHboumTzvShKdDqF4ayQd5AHPCMRwSIxCNv4FKCYkFcYDpqj6wz4CL6V
wnQZqgSBBUPJbbwPNTfNjTGFpBsd8gY8wWJOD56JQEe7bJyKY2G1CwIq2m/o
bwR7gDLWkO0WIsoqA9JFOJN3N9jMsQHldlB1FYW3loMjNVI0VhLwADSR6tvk
VqD9E08nxQA1fLYjQQJ11VJx1dH4IIA+ektW1H/cAos1WM0MnyO1FTUfVOUx
NwDUlzH79OaAr4tLEbgrTjVFiOJrCiT4uqwpFtKP/vgUNt666K48My1S8p8U
xyXuknkxK3BMHed4aEKsxaWNdNcb+oiU34C/MwvpO02tbxv5N0nMfqQCFFJK
ROtwunucYSBZ3SnCGVq35dL6FPjkQtNCDs9ueSah9GyL57eQAEnXs8tia/YL
uWFlEGQ6TMSYblEEAbr+yN5NmKjKpwRgOCjSLSI6kdPiSR+GsLn/aRFLN+8x
eFd7fjvIa3mPSRClg/HN4opz0uCU9iZbmDRqoHVfv+EBH094XnRgoCt7juyo
xv/mZlly8IcYi3USA3OnFC6eG9OpRx2VHnkqJru5/cBxLVAdZOz0pppCuyZx
mSedMDmm4gDRMtsVp2tygSE/f760Cv2YzTzvvQdjzmdMbzfpnsB7v1I8hgwv
Ofna5rqS7dpistJNaJlsRgwQ515YSxgXw1mLqxsUaTYeT+HM7rZrFzpdUdpp
jlKixSxkuAL8u56EPEEypWHbv5sKWFRR3uQmRR2mra3eaq3AJaCrz9cHirZ2
mmKhk4j+GqaKoIIulhpoCY7vCl9ny7MeWde16rquJcWd/PKbcOCkAR17Djxn
ghlZgONAJ3gAmH8k+fBZJ8EQZM1Qar0lPURGRFLRpF2uscVQeyCROcsJzRxX
6247EMolM6p5woEBsJIuLslpRpHB3Fwki4226Ko4C9SPhrlqYsG6rek8uzI3
WY1xxlpAkYbzEPnF+bUo0TFsOfkc68oT3j0MrANZ35HTJNDCklW/y9IZE7MN
duJirPfLbo2yazCwQ5Y+6RNTizXsadFnBm2uOClpbIshMD8bJbJN3u75Akak
04Pq9p4SubxUtYmCh8iKZAJCaCYyIPKbMHeY1bElcqusGNR6QiomkCJ2dVyA
ThUS18N+x22ocDxJW3HUI3slB57AjQ0Y4qLIHiR2FB1ZrAwYjO47KFnok6cH
8STM7Smtpu8iqyQrPhlaBFBmmD4eBpncUjmupe4KNXbkSc3xxWBlG3TcAYgk
TwbvMgfySwkDkPdUNDy6ks/D33CjkrfYXSaQiAN5QPs474WCIzUjkbS2wcN1
AVf6VbkFbI1ePxxUvR5hqJ+nA4xiEFEKNVrDeNoEwXiVBO/kc2L/bIiJCcnB
iUmc0KlC81IW5MWMy0UYFDSoY2HUQ2xTTvAkdKc0OAsZdGnWlwXYLVaHALEn
8jdIdUVifSFbQAuWMBIfQ5GdYSWjl/ZBoiBJ8JCxUy0JutgAmMS0Ftka3Qyo
RpSvD0eKmTVAEaaq2Ay4aBMyaI2Lz1TAINBYXVB20jGqkcjaRxLAxwJbzL2O
HEZSKoCKlEghW0TBCqmQeYbuUjo3NC3PZBJiETXzWier/Pop72MZ7JPxzT6p
gNDGHuJYs8QnUbU5yOMXZp2XG16lDUmj7L9BVLc+DayxLBRopjWmFY6oXibH
xC5+YCxgyVFXsJBhWnLVOJZn+aocYu28jTZPgIYIXz0zIKbEZC/lJVtYEHt6
yYhOqXYAsagKs3klwVPWMNmuXFCEBdkW1uikXOCGJ0ee+bkNpKScNuxZW5ge
MRh9ALE4VFwT50bsu8A+y04CEGtW3l2ibHpCNy2dvEsuq/ZgQL0Jche6hTSD
U0k6OV0IdLlookJxjvgkjhX7KjnJX7CJRN7r5jzf6vY2rNckDe++CQudcPj9
khd8jDoKt386kaEz02cE3sOYOP3/LFjrcBi+E4wP00G+0r2gl82M6AX4gwfD
3Ag7+t35Df21f9ZWexkWf+rofwCQnYyGrzTXMkRw7AOSRrdP/r8HZJhHETCX
MI2iyzdIAK+HCRJTKp5btR34JOp7pWRZ2hQKq/QEHINdl4ZLAZHuubRc3LqT
DutybsHBIK3Nkp9NwzFmNskz4jDkb+5jsh/jZ8yo8A/MfDIGD9fhTK6UCHUS
2gS+xwqQ2M4j72Z2BTBRyQq/259Z1s8RT9TUZvz+DGENrzS4mgNb6Jh16i36
5VJ/Qu7Ftji6KMUyQCfBP3jfmrnvBDVEc+6d6WAax72G5cMaGDfK6Di/T1JA
6IvuZC24VA8lqhKHYruZEhP9KzlN+9U5UgXCGiKZeewi7bq7SOf1dR9SFuIK
RWgm1Pu5uoicvpytMqQe2GSVJYaF///JVpkdyfGdBqlSKrhqaXSJlQd0Gl08
EudmDw9miiYGxjEH67aTfDIt0rdCUBisj1JG1CzEiHcw+jtLfMMZIxF+qC0b
Dabr8oA+baPWT3e2MAb2TPqUE3wC8IkyT2r9cHpAmScBiwdjBZh1WMzn/ZV7
E8q4hZdCzLm9hQusxiaUli1TcTh1Bdwb8Gm/g7Sg7KqG4rkoM1Jyx7B3tW46
2h+gD/eakBEDPY+SKSRMaQ0JisY5xyS9gTG6rLjijIeoJUKQnTvUosEld19n
mNrPCR9iTWy8nTHfqG6XgzCjigaR/g00GJDlhmzVjau48D5pehqDmq6Scbs3
zsPTOqk4mo0n5CNWPt/cQZrdnuyHGgwKWV+VF6/3kwzfIfMpcI70HYz6LksD
Dhzz8w5Bx9zcvRGx6i61h4w6JvIq4AdM293EHELa0FWrekndUWFnQBI2IZyq
7Kk8FGEqWU1zqsyPuN+6hJPYCFR7NgvTu4p97vRM3w4KCMTxzdSf60hR/TAH
K9gkD7QHl6rkVa5LV2jL4sh2F8DCTK+LpC7qfV8HWcft1HGTMWJ0LtLK321z
lTk2vAVNlqAAyWv2OY8awdAOPfCF+yCH8jQW+aZoTO/stEkAN5emuZTqnZCF
qYiF1bCn2g01dJIT/RJFO5qt47rZ5Ea5W7XEfwqDLUqSKss3ktAvXjMmfPZW
cN0Mclp0tc7bRlFdHDwWLYgKuaK4RZcYEF5MCshgCnMTyIgJMRzntYpecS65
MmDIlsepkMf5pAZ2Nq7gVVx8kKMgUGdlnYb3OXrsFKSDIyUJvWtf1KF08XJD
aglr04Apk070UegUGoWajlraxAZKaiWPvnlPqWgdlup80pfYTgkWCUKwsESI
wR+bOWhbqmyMbQ2SiuMq1LDieRGnOBzKYQI8hqBLT8gB4kzeEBlcFqMTnyVL
IVYSTrhBlT5JalvzAiKAGlXplxzUDPQEaWG1VVd4bIMJUQVngjYd9oGjblgN
OkWZqqhvUbQC6ryFsTvgp5QnK1nFWB1rKq8TRS9xRi2VzLvGMCjgBrt3cSoJ
+Ucx6XHS6y0QBUcUh7GpVKazMa4dZC/ePJN8ZBtF4ZyaKP4pGyLXunMed2xG
SehkLBNYnLujA/ViqSTracSAJbc2P8kRgtTFEZkc+STJhAelsesACwzQMCBG
uXeJOIKtvGP6o/EUByPksH3zBX7EroMWRVHzViqPSR4F52oxk6zcjlpDSgxh
AhAE5h/ntfiimfBtNFvY8FXtxNWQFtM3JAh8M0Kd00iJ6BsXlKFhH5WLIwZO
4usybQqhxR8HAtpqVqitCMlnbHlv6o6zI0/uUiU6phqZjjFHkWixc19xXarj
EMxsVD9+xH5v209FeoRwPGFLHPj+WgNtNo6c0aXQD0CJPeFR9XN6Pq0q2BG9
XhmMKBofDdlXI+jVrt1vMWcWIgDpEN12hOhdwZqLgaAcD5nVHHPmrCFH95pM
FCSkEXIYl5HqEmRsAIlJb+Rr/gFCSd63xeXwBk53e3SQDCW8EDAkkekq8NhJ
0T0LcVmm2FCi0WIohFqzci1vgGwuihZEp7sVrPuUOkmhKRdi4LVwgTxLlzFm
BcTcvFO+zO9QqwlsArAgKGJgJMmxM8NGYQYSJxsNK/OYg4SBCpTqWYFMjjvG
jXAgm3GLecFizU9wKNhc9z6TpshjywR9ZE7SNYLcHSH915i4n9geX6Q5MfLB
5lJznS180e/K4EFk9YrrOEgfZPPfR2utCYTWYl1GR5ZI5qbkJrHGi3XJZe2S
Zgk7uJQEnsEOOGQ92BVYDS7YppcUi0CNPF6TD7kEZWDFSsnzNr0wTSzkIz1k
Tg9sVUOebFFD5kmOnB07AwVCqx5QQWrseHxTcBn6G5uQJIqnL7gggRZQwo3k
C1GoPoMzKbBXCrkAHv+vTGHPYfQ/8AyJfZTbx1BCaC2B75iRSO9SlNecwvN/
qx2JD6VdY0VXLXOnzlnaV5C6JqpLUpJWqZSSXQSyRIMeIz7BrPKAsK30KLWB
dGXOuOtaXZZYhJvIrh0Z+vZPSc06UL4RWCo5v21qEGa9rVZMD3QTi1UwDE4Z
d4Ih6PLqkoK1taQgTiCCkGL7pGPU8e4wLV1JVkOQt1fY5ApJT+HTXNpmpKEV
IStSq6QAK572zFFyqwJxtyoxDzMfcqBM97ykPibUKgbtNW9Qauk34abrOuvE
to3tHc7OJZavPBS+qGVNRPcCwijgz/NQ3sQKazvWuWy6HinbAi7GkhFqyuUc
cxzppmBCfZkgIqNBBNpgyv0tXfsDhYVNF1YD+RxF8DmSwGdog+Hz9s7DLVT7
SBo9MmLG6Kesei1goxRI4S5/zJvkxScyYp/xJuQG0xK+3iPDGl173zyVF7/f
kv4+49u+QwbNadWCRAeta8XfMO0IaBWZB7JMKh4lz6u8LG0uBBD72Dhwwy4v
1bcKYuT7efqbdZWGkAiyIhU62LA5U98tGiQsuA5KrLmBELHdkHy6oOJNfp76
G1QhaE5i9+0ErLQA9fQOBbmHwn+OltzH9AFVud91JNDXKJZrFWYXXBpxVYCK
ymitgyHy0dIBIv8ACYBNWryWWePj6ItdwfSW81PDa3THULlcbSuYQ2oSPxKQ
AZUbCllRw6CG+lUiWqnnTJLiF1mxAOLMJNsRi/gQ3ZHJSc0RvtRUyRJDZE2p
kusyYzuVYwMsm2x52wLxsaYSJu8uW1IXlW7gZRTDCwM3H7nkBAtKq8AczkFP
c313RPjgmCrt82VSfyntPFIdrNpDqXTGSHbgokzQByAMi3RTLJrUp2XAkV6A
8CmJfm8fRBTFiuvEVl1Knzxf8ELIYqk16WQX03Kt5b80gJhK7CFYe2HdX9yI
8KjxnQZYC7HHjUmMrPrEgVnyIPa71wVVQCPfttcveRQnavoyemZitB/m3oTT
rl4oeovKetASsi3fOe3Q1j4zmILsQ58OWnMtkTa55KAFpUScrQmkYTOnyZWJ
laOO37r05jCLMMcwMHbWxvw9STIfLvOAfYTdjRRn/MHVYK0FuX0ufWJmt+hC
fFow48gl+CtqHYtvSY51l4Z9/h7ZHprQDZtI0yTIjBrOIFHShN/HT/cx4ayS
DGLsBVxh43ScIC1bakZLGh2Pi+5zJ2Ec8pFTnNgON18qNitMoKypz9eZGeiA
js3JxT9Uo75eLFww0eUOxj6USFIS6lOeXJhkGz5PDmJ/z64UNVS//ob7R5PN
RcxHGtnuUewBMAkbAkZMgAIRMG5FvXk3pJf926//foaZOGys4F+IhNxKbIlp
RyGPueG6CdgzPozMINBlm7LEuo4RBifXGbI9Y/ACsJXHE/0Kzp0biZioE5MH
C9XmEXMBofuEmr6R69X1KaW22bAnNHJ9JaOvfUl87BKfwcUHBY9cuNa3D100
jcCRIAiASNrVHHAN5clTXrs9A3IAI1PfVjbR69GE62hct3A2BbDhSog9iNxt
mkmw2K3yoKTceosUtw8E/8eL6IblxETc1JgD0IeIiNFBwI2MKczdjvzctvTU
foBAWpI1Lj8Zt+EKNWspmw6ZnjUYWUi7RF+2jkEs5dIxkeGRYFnvvMoWoREe
9Bye0nLX1JReepImV25MHINpnZU2A6RCWdoxAVvD0H2dYClGJPYeKQxjZhSX
9/RF3iq7vzEO5iNAhdSSENbhWpb0TRjCGOqryM2vH9K6u+zjEWE387abLG2o
Jrtu687SsYs2IcOZWbQVXu1hQy13+uiATbN9WXHg1uz0bYeN9JNYbD9i12CF
7Et86mxyB6a96XBy2IStJUenlsc6vo0KjS3fEIcIQrPDKulNVCcqipSOk5Ta
0pG3IeqxQMfpW4Vw0wmwQ2tDDRyArSWLK1N1G8IRP+mhMy4EGe4q68yCXgqT
gwrwPE8AAFWSZi3jhNWMXO4BnfRp8LEYF7nD0tMlii/ygN6UQZamrBODPLCE
YZ16JLx0I/G48HWDX5tZuL7iXJSJQ0n8OyWedp6t3MlUFXIHTOpEjClMDijS
VozInl2MtJEGtDnx1pTFQAvaHT66M08knr7DtsIOH5AT7juEzUfTN9M+JlPf
6G4H9/rKsCMNs919dn3QmNlaktyumD+CtqOoRwmjqOj2/HkNiny4YVyX34rc
K61UyAuJ4NfQ6Ps/jJUS8qWMPNsNW1BOTe2K+Oy5NQH7csmeBKuZnHs+F49C
8Ev+4ge7ZfejkA+5K+JcRNI/O4mH1CB5uLMiGrs0ih911E/BGw3k3422pc/J
gDa7DRcUZj2RU/ITjZT0YdxtB7udB51LvOdTxb3Po7xHPQRr0i7Z0LqMCvhU
r7MpxT8+I2zCjdyxZ3uo5kpH9w/cID3Mu9ZvUD/enpcNvEAKkmyi9of9buJ5
/8od92EQ28c8mklaQ29ZSSwItBtkL3woYMQDKakftD8bux1JHggHIaPiEzC5
vaXGWR/tBTvIk/ChwAbZMkhQsP1RBnn5EmAypl9evgxhQj48w1rsp2CCKfQh
gTGWSwL9gWMlgxgi7fN3PtqipgBvG8DQnHLOxKwF6fklv8BfL0CJQI2GesnG
8Nwb+urdVCwfMslsxNqVMMNjrgfivhRvSpWZVXi3tkrFgWxVWInq2g4oJmYH
7AG6xdXTPriFXjecj5sugYj+xWWE7DslHl/sf/DCiSRXHq69skqVoiibV9g+
haLmX3oCoqGlVM83Ta47GTm+VZZ1zobnUMcioSaniHiQCGtZMI2lsZs7IcZx
dxJk3kfwfrwNHL8B44g2YZFfooJhBwKaOmpDEC/giVuAfy1eBh6bfhgc06PP
WFdIT54PBnG4P8YGezzQk/3nscJtNz+bHfbovsuIIpaIPrytWxtw6OltbDGy
RKM8re5ATuvbwhuHYqzDS5Jgqxto+vV0BD/3pnvwczKZ4B8vpy+nXV5pPyxB
47mvTPwBNrsd1shqg5V+itN2cPDPYbQdZ+Fn8NnnFIWXL9w4hvfpfHEXswaG
FwTQP4/BIcdAdBRWwZn/MY/Y89s4OO+tdYDqu/hro1TbcFXm9tmE25jk1iF6
q3pTfmJRjhZ4YcPpBbQkl1iwjWsOvPt5a7HUZDv18Qc25Ks5sgr5dEm8iojs
vn7/ePqYfj6ZPqGfT6dP6edfpn+hn99Mv6Gf306/nY4AYb5+/930O7ry1+lf
6ecU/uHP59Pn9PNgekA/X0xf0M/D6eHU0rbb/+nh2eHpL4cv+pvenXZ37Wme
iKx25pP7NsncfyRo4r59JB0xyXEnJR0rS4oq/AILauB+Dqt4Uz9kJ2b8n9sY
sGX1Q/JFGPEdyvV9JA8yvfs0g2buu8U+0/cYRbSzT4+CfJMaRzPLHLOFKoyT
2GUAxp2PNtkIv548zCrroMy6n4Jin7LfEsWORdT4X7oD3z6QPsFUvu6640u9
An53gj/ISSzNLBrb0qDj8qGKy455aWXow62s5BEb69wFpqc6K/s+9eu9q2C8
e+nOYnHf3t7+fUehePfSvYrE+5d8A/wunuJ/LjA53lKk7B4Nsg3GUfmzC9Hu
ae6lP7gAaq3vcHZPj4dq4j8MjPr4/qM+3jbqlmLqPwAsSjEZ3wmscagvbK/m
/uwF2PaAdy1Al1f6K+tM/Ex0iXrsC9laRUt6GbvTsUpVEOxw31kNPOvy/SB0
Ee/uTfb0U9CZ3xa22hu0nF9//XU89XXT9EXzPEhw+WHnWSBY3eUfd0aqvyn6
hz781Q87K7uwHZ/HIqTJKftFGfW1sDnUYZU69fPkVrm221f3KyBH0ltRvLVs
HXqzOazrYi4gEKGPDBBv3xV2pC2Q1KuSvtnFLXvlINQBxxjG55QCeR8xE8V7
bbrIrTDLkbYdfkG7f6Q/eiC5EBx+Xkti9bRacY7f+xME0jc7Tn2Nqo8iUEZH
hAjBgI2TuxjgkpSDzlLZq6TGYeaIckrFcLsA+WTg4GdZoq9lqSi32n85q7xg
RV4qafqJmDKVnPRPh3DQTrp1DtlhqTvnqIuBpYZQzaWxY7KQiz8GqL6luM37
QEeumyKVfcXtpSQ1UyXD3RICCMdJQ7aauVuzrLhmGQZH5wEFFHDWtmA6SeOv
SA0gS2Y/wiNJsZwsyhgaJWX+eUAPHcQxuMM794B5r3UG93SU8+Al0kcblJNn
QQ3Ctr4QnOLerxt3DRmDsiEOYMPkc5IhtlZuSTn3NA4F66guiTC/803T6cI2
h+Qvnt/us8/QpD/sLJO8NlZ9BBXLtZGcqP8Cdqo77J+GAAA=

-->

</rfc>
