<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sullivan-cfrg-raae-01" category="info" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="raAE">Random-Access Authenticated Encryption</title>
    <seriesInfo name="Internet-Draft" value="draft-sullivan-cfrg-raae-01"/>
    <author initials="N." surname="Sullivan" fullname="Nick Sullivan">
      <organization>Cryptography Consulting LLC</organization>
      <address>
        <email>nicholas.sullivan+ietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>IRTF</area>
    <workgroup>Crypto Forum</workgroup>
    <abstract>
      <?line 157?>

<t>This document defines random-access authenticated encryption (raAE), a
primitive that partitions a message into an indexed sequence of segments
that can be encrypted and decrypted independently and in any order.  It
also specifies SEAL (Segmented Encryption and Authentication Layer), a
parameterized construction that defines a family of concrete raAE
instantiations, one for each valid choice of an Authenticated Encryption
with Associated Data (AEAD) algorithm, a key derivation function (KDF),
and associated parameters.</t>
      <t>SEAL provides two profiles, immutable (write-once) and mutable (in-place
ciphertext rewrite), each with per-segment authentication.  A separately
configured snapshot authenticator can additionally authenticate the
complete, indexed segment set.</t>
      <t>The document also defines the security notions of raAE, specifies the
requirements for conforming constructions, analyzes SEAL against those
requirements, and provides example cipher suites and test vectors.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Crypto Forum Research Group mailing list (cfrg@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/grittygrease/draft-sullivan-cfrg-raae"/>.</t>
    </note>
  </front>
  <middle>
    <?line 177?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Large encrypted content is often stored as a sequence of fixed-size
segments, so that an application can read or modify any part of it
without processing the whole.  Encrypted backups, encrypted file
formats, object stores with partial updates, and full-disk encryption
over fixed-size blocks all work this way.  Such a system needs to
encrypt, decrypt, or re-encrypt any individual segment on its own and in
arbitrary order, and to verify that the stored object as a whole is
authentic and complete, without re-encrypting the segments that did not
change.</t>
      <t>This document specifies the raAE primitive (<xref target="raae"/>), whose base
interface and security notions come from Fábrega et al. (<xref target="FLRR25"/>),
and defines SEAL (Segmented Encryption and Authentication Layer), a
parameterized construction of raAE.  The base algorithms encrypt and
decrypt segments in arbitrary order, so a caller can read or replace any
segment on its own.  On top of that base, the extended raAE interface
adds in-place rewrite and a snapshot, a stored value that authenticates
the segment set as the writer last recorded it.  A rewrite re-encrypts
only the changed segment and updates the snapshot, leaving every other
segment untouched.  Appending to the end, or truncating from the end,
composes the same per-segment operations, so the snapshot stays
consistent without a separate algorithm.</t>
      <t>SEAL builds the primitive from a chosen AEAD algorithm, a key derivation
function (KDF), and configuration parameters.  Under a snapshot
authenticator, it binds every segment tag and the count into a public
snapshot value that an adversary cannot forge without the
content-derived key.</t>
      <figure anchor="fig-overview">
        <name>The raAE primitive and the SEAL construction</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="520" viewBox="0 0 520 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,128 L 8,272" fill="none" stroke="black"/>
              <path d="M 8,320 L 8,368" fill="none" stroke="black"/>
              <path d="M 40,208 L 40,256" fill="none" stroke="black"/>
              <path d="M 128,32 L 128,80" fill="none" stroke="black"/>
              <path d="M 224,208 L 224,256" fill="none" stroke="black"/>
              <path d="M 240,88 L 240,120" fill="none" stroke="black"/>
              <path d="M 240,280 L 240,368" fill="none" stroke="black"/>
              <path d="M 264,208 L 264,256" fill="none" stroke="black"/>
              <path d="M 296,320 L 296,368" fill="none" stroke="black"/>
              <path d="M 376,32 L 376,80" fill="none" stroke="black"/>
              <path d="M 448,208 L 448,256" fill="none" stroke="black"/>
              <path d="M 496,320 L 496,368" fill="none" stroke="black"/>
              <path d="M 512,128 L 512,272" fill="none" stroke="black"/>
              <path d="M 128,32 L 376,32" fill="none" stroke="black"/>
              <path d="M 128,80 L 376,80" fill="none" stroke="black"/>
              <path d="M 8,128 L 512,128" fill="none" stroke="black"/>
              <path d="M 40,208 L 224,208" fill="none" stroke="black"/>
              <path d="M 264,208 L 448,208" fill="none" stroke="black"/>
              <path d="M 40,256 L 224,256" fill="none" stroke="black"/>
              <path d="M 264,256 L 448,256" fill="none" stroke="black"/>
              <path d="M 8,272 L 512,272" fill="none" stroke="black"/>
              <path d="M 8,320 L 240,320" fill="none" stroke="black"/>
              <path d="M 296,320 L 496,320" fill="none" stroke="black"/>
              <path d="M 8,368 L 240,368" fill="none" stroke="black"/>
              <path d="M 296,368 L 496,368" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="248,312 236,306.4 236,317.6" fill="black" transform="rotate(90,240,312)"/>
              <polygon class="arrowhead" points="248,120 236,114.4 236,125.6" fill="black" transform="rotate(90,240,120)"/>
              <g class="text">
                <text x="212" y="52">raAE</text>
                <text x="272" y="52">primitive</text>
                <text x="212" y="68">abstract</text>
                <text x="288" y="68">interface</text>
                <text x="204" y="148">SEAL</text>
                <text x="276" y="148">construction</text>
                <text x="88" y="164">parameterized</text>
                <text x="156" y="164">by</text>
                <text x="176" y="164">a</text>
                <text x="212" y="164">cipher</text>
                <text x="264" y="164">suite</text>
                <text x="312" y="164">(AEAD</text>
                <text x="344" y="164">+</text>
                <text x="376" y="164">KDF),</text>
                <text x="408" y="164">a</text>
                <text x="448" y="164">maximum</text>
                <text x="64" y="180">segment</text>
                <text x="120" y="180">size,</text>
                <text x="160" y="180">and</text>
                <text x="188" y="180">an</text>
                <text x="224" y="180">epoch</text>
                <text x="276" y="180">length</text>
                <text x="104" y="228">mutability:</text>
                <text x="320" y="228">snapshot:</text>
                <text x="96" y="244">immutable</text>
                <text x="144" y="244">|</text>
                <text x="184" y="244">mutable</text>
                <text x="300" y="244">none</text>
                <text x="328" y="244">|</text>
                <text x="368" y="244">present</text>
                <text x="300" y="308">provides</text>
                <text x="72" y="340">per-segment</text>
                <text x="172" y="340">authenticity</text>
                <text x="356" y="340">snapshot</text>
                <text x="432" y="340">integrity</text>
                <text x="88" y="356">(always</text>
                <text x="156" y="356">present)</text>
                <text x="360" y="356">(when</text>
                <text x="420" y="356">present)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
                  .------------------------------.
                  |        raAE primitive        |
                  |      abstract interface      |
                  '------------------------------'
                                |
                                v
   .--------------------------------------------------------------.
   |                      SEAL construction                       |
   |   parameterized by a cipher suite (AEAD + KDF), a maximum    |
   |   segment size, and an epoch length                          |
   |                                                              |
   |   .----------------------.    .----------------------.       |
   |   |  mutability:         |    |  snapshot:           |       |
   |   |  immutable | mutable |    |  none | present      |       |
   |   '----------------------'    '----------------------'       |
   '--------------------------------------------------------------'
                                |
                                v   provides
   .----------------------------.      .------------------------.
   |  per-segment authenticity  |      |   snapshot integrity   |
   |      (always present)      |      |     (when present)     |
   '----------------------------'      '------------------------'
]]></artwork>
        </artset>
      </figure>
      <t>raAE separates the two authentication scopes that applications often
conflate:</t>
      <dl>
        <dt>Per-segment authenticity:</dt>
        <dd>
          <t>One AEAD tag verifies under the segment index, a finality bit
marking the last segment, and any caller-supplied associated data.
It does not establish that the segment belongs to the current
snapshot.</t>
        </dd>
        <dt>Snapshot integrity:</dt>
        <dd>
          <t>When a snapshot authenticator is configured, snapshot verification
checks that the present segment tags and the count are exactly the
set the writer last recorded, under a content-derived key.  It does
not establish freshness against whole-object rollback, which a
consuming protocol must supply.</t>
        </dd>
      </dl>
      <t>raAE and SEAL are deliberately distinct layers.  A
consuming protocol supplies serialization, storage transactions, key
management, and rollback protection, which are out of scope here.</t>
      <t>The remainder of this document presents raAE first and SEAL second.
<xref target="related-work"/> situates raAE against prior segmented
authenticated-encryption (AE) constructions.
<xref target="conventions"/> fixes terminology and notation.  <xref target="raae"/> specifies the
raAE primitive and its extended snapshot operations.  <xref target="framework"/>
defines SEAL.  <xref target="security-properties"/> states the target security
properties an raAE construction must meet, the assumptions SEAL's
components must satisfy, and the operational limits on its use, and
defines the security notions.  Cipher suites, serialization layouts,
and named instantiations are in <xref target="concrete"/>, <xref target="file-layouts"/>, and
<xref target="named-instantiations"/>, and the appendices provide the test vectors.</t>
      <section anchor="related-work">
        <name>Related Work</name>
        <t>CHAIN (<xref target="HRRV15"/>) is a segmented authenticated-encryption construction
that chains state from one segment to the next.  It is sequential by
construction and supports neither independent random-access reads nor
in-place segment rewrites.</t>
        <t>STREAM (<xref target="HRRV15"/>) turns a nonce-based AEAD into a segmented
construction using induced nonces that encode a message nonce, the
segment index, and a final-segment bit.  STREAM supports random-access
decryption and encryption of individual segments, but defines neither
authenticated snapshots nor authenticated rewrites.  SEAL's derived
nonce mode (<xref target="derived-nonces"/>) follows STREAM's counter-plus-final-bit
structure and adds those operations.</t>
        <t>Tink Streaming AEAD (<xref target="Tink"/>) and OpenPGP v2 Symmetrically Encrypted
and Integrity Protected Data (SEIPD) packets (<xref target="RFC9580"/>) are
deployed STREAM-family formats.  Both derive a message key and nonce
prefix from a key and a salt, encrypt each chunk under an AEAD nonce
carrying the chunk index, and detect truncation with a final tag over
the empty string.  Tink derives an AES-GCM key with the HMAC-based Key
Derivation Function (HKDF) (<xref target="RFC5869"/>), while v2 SEIPD selects its
cipher and AEAD from packet identifiers.  Each chunk is
independently authenticated and can be verified locally at its boundary.
Neither format defines an in-place rewrite operation or a snapshot
authenticator over an updatable set of segment tags.</t>
        <t>SEAL's snapshot authenticator is a keyed multiset hash over the segment
tags, the MSet-XOR-Hash of Clarke, Devadas, van Dijk, Gassend, and Suh
(<xref target="MSetHash"/>), published behind a deterministic mask this document adds
(<xref target="masked-multiset-hash"/>).  Each segment contributes a keyed KDF
evaluation of its index and AEAD tag, the contributions XOR into an
accumulator that any rewrite updates in O(1), and a domain-separated
snapshot tag binds the segment count and the accumulator.</t>
        <t>Fábrega et al. (<xref target="FLRR25"/>) formalized random-access AEAD security over
a raAE primitive syntax in which segment encryption and decryption may
be invoked in arbitrary order, and gave a construction, FLOE (Fast
Lightweight Online Encryption), proved to meet it.  FLOE realizes the
base interface:  segments are written once, and there is no snapshot.
SEAL realizes that primitive with the extension of this document, and
<xref target="raae-security"/> defines the security notions used in its analysis.</t>
        <t>Each precedent covers part of the random-access AE design space.  raAE
is the abstract interface that generalizes the family with three
capabilities none of them combines: arbitrary-order encryption, in-place
authenticated rewrite, and an O(1) updatable snapshot over the whole
segment set.  SEAL realizes all three in one construction.</t>
      </section>
    </section>
    <section anchor="conventions">
      <name>Conventions and Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>A message segment is a unit of plaintext that is individually encrypted
and authenticated.  Segments need not be uniform in length.  A
construction <bcp14>MAY</bcp14> set a maximum segment size, and any segment <bcp14>MAY</bcp14> be
shorter than that maximum.</t>
      <t>A message is the content that one CEK and salt pair protects, the unit
the primitive encrypts.  An object is that message in stored form: the
ciphertext segments, their metadata, and any snapshot that a storage
layer holds.  Each object carries one message, whose content may change
through rewrite and length-changing operations.</t>
      <t>A ciphertext core is the AEAD encryption output corresponding to one
message segment, excluding file-level headers and external segment
metadata.  An AEAD-specific split divides this output into ct_i, the
encrypted segment body, and tag_i, the authentication tag.</t>
      <t>A ciphertext segment is the stored representation of one encrypted
message segment.  Depending on nonce_mode, it contains the ciphertext
core and <bcp14>MAY</bcp14> also contain a stored nonce or other per-segment metadata.</t>
      <t>Segment metadata is per-segment information needed to decrypt or verify
a ciphertext segment, such as a stored nonce, tag, finality status, or
profile-defined values.</t>
      <t>This document writes AEAD.Encrypt and AEAD.Decrypt for the authenticated
encryption and decryption operations defined in <xref target="RFC5116"/>.</t>
      <t>A subscript denotes a per-segment value: X_i is the value X for the
segment at index i, as in A_i, P_i, ct_i, and tag_i.  A value written
f(i), as in segment_key(i) or nonce(i), is computed from the index by
the named derivation.  X[a:b] is the octet range of X from offset
a inclusive to offset b exclusive.</t>
      <t>The remaining terms (ikm, label, info, L, salt, CEK, protocol_id,
nonce_mode, epoch, epoch_key, payload_key, segment_key, snap_key, and
the commitment) are defined in <xref target="framework"/> where they first appear.</t>
      <section anchor="taxonomy">
        <name>Taxonomy</name>
        <t>This document uses the following terms to keep the raAE primitive, the
SEAL construction, profiles, and consuming protocols distinct.</t>
        <dl>
          <dt>raAE primitive:</dt>
          <dd>
            <t>The abstract random-access AE interface and security target.</t>
          </dd>
          <dt>Extended raAE interface:</dt>
          <dd>
            <t>The base interface plus snapshot maintenance and verification.</t>
          </dd>
          <dt>SEAL construction:</dt>
          <dd>
            <t>The concrete construction specified in <xref target="framework"/>.</t>
          </dd>
          <dt>Cipher suite:</dt>
          <dd>
            <t>The AEAD and KDF algorithms and their sizes.</t>
          </dd>
          <dt>Profile:</dt>
          <dd>
            <t>A named set of fixed parameter choices, identified by a
protocol_id, needed for interoperability (<xref target="profiles"/>).</t>
          </dd>
          <dt>Parameter set:</dt>
          <dd>
            <t>The per-object values that affect derivation and verification.</t>
          </dd>
          <dt>Consuming protocol:</dt>
          <dd>
            <t>The protocol or format that stores objects and manages keys.</t>
          </dd>
          <dt>Serialization:</dt>
          <dd>
            <t>The consuming protocol's wire or storage encoding.</t>
          </dd>
          <dt>Segment:</dt>
          <dd>
            <t>A zero-based independently encrypted plaintext unit.</t>
          </dd>
          <dt>Epoch:</dt>
          <dd>
            <t>A group of 2^epoch_length segment indices sharing one epoch key.</t>
          </dd>
          <dt>Snapshot value:</dt>
          <dd>
            <t>The public value that, when a snapshot authenticator is configured,
authenticates one segment set.</t>
          </dd>
          <dt>Per-segment authenticity:</dt>
          <dd>
            <t>AEAD verification for one segment only.</t>
          </dd>
          <dt>Snapshot integrity:</dt>
          <dd>
            <t>Verification of the complete segment tag set and snapshot.</t>
          </dd>
          <dt>External freshness:</dt>
          <dd>
            <t>Rollback protection supplied outside raAE.</t>
          </dd>
        </dl>
      </section>
      <section anchor="notation">
        <name>Notation</name>
        <dl>
          <dt>I2OSP(n, w):</dt>
          <dd>
            <t>The w-octet big-endian encoding of the non-negative integer n, as
defined in <xref target="RFC8017"/>.</t>
          </dd>
          <dt>uint8(n), uint16(n), uint32(n), uint64(n):</dt>
          <dd>
            <t>Shorthand for I2OSP(n, 1), I2OSP(n, 2), I2OSP(n, 4), and I2OSP(n, 8)
respectively.</t>
          </dd>
          <dt>||:</dt>
          <dd>
            <t>Octet string concatenation.</t>
          </dd>
          <dt>XOR:</dt>
          <dd>
            <t>Bitwise exclusive-or of two octet strings of equal length.</t>
          </dd>
          <dt>x[a:b]:</dt>
          <dd>
            <t>Octets a through b-1 inclusive of x (zero-based, half-open
interval).</t>
          </dd>
          <dt>[x, y, ...]:</dt>
          <dd>
            <t>An ordered list of octet strings.  A single-element list is written
[x].  The brackets denote a list, not an optional parameter.</t>
          </dd>
          <dt>frame, encode:</dt>
          <dd>
            <t>The length-prefixed injective encoding used by SEAL, defined in
<xref target="concrete-framing"/>.  frame is total over all field
lengths.  The construction requires an injective framing
(<xref target="framing"/>) but does not mandate this encoding.  Another profile
<bcp14>MAY</bcp14> use any injective encoding that meets <xref target="framing"/>.</t>
          </dd>
          <dt>Nk:</dt>
          <dd>
            <t>Key size in octets for the chosen AEAD algorithm.</t>
          </dd>
          <dt>Nn:</dt>
          <dd>
            <t>Nonce size in octets for the chosen AEAD algorithm.</t>
          </dd>
          <dt>Np:</dt>
          <dd>
            <t>Presented nonce size in octets: the per-segment nonce stored in
metadata.  Np = Nn in random nonce mode and Np = 0 in derived nonce
mode, where the nonce is recomputed from the key schedule.</t>
          </dd>
          <dt>Nh:</dt>
          <dd>
            <t>Hash or pseudorandom function (PRF) output size in octets for the
chosen KDF.</t>
          </dd>
          <dt>Nt:</dt>
          <dd>
            <t>Authentication tag size in octets for the chosen AEAD algorithm.</t>
          </dd>
          <dt>Na:</dt>
          <dd>
            <t>The snapshot value length in octets, the output size of the
configured snapshot authenticator.  It <bcp14>MAY</bcp14> depend on the segment
count n_seg, and is 0 when none (<xref target="snapshot-authenticator"/>).</t>
          </dd>
          <dt>n_seg:</dt>
          <dd>
            <t>The number of ciphertext segments in a stored message.  Written
n_seg (lowercase) to distinguish it from the per-message nonce N in
the raAE interface (<xref target="raae-syntax"/>).</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="raae">
      <name>The raAE Primitive</name>
      <section anchor="raae-overview">
        <name>Overview</name>
        <t>Random-access authenticated encryption (raAE) partitions a message into
segments, each encrypted and decrypted on its own and in any order.  A
reader can open one segment without the rest of the message, and a
writer can encrypt one without holding the others.  In the base
interface <xref target="FLRR25"/>, each segment is written once and thereafter only
read.</t>
        <t>The extended raAE interface keeps that base and adds one capability:  a
segment already written may be replaced in place, without disturbing the
rest.  Rewriting changes the threat model.  A storage layer holding the
ciphertext can roll a segment back to an older valid copy, substitute
one valid same-index segment for another, or drop one, and per-segment
authentication still passes on each segment it is shown.  An optional
snapshot authenticates the segment set as the writer last recorded it,
so a reader can detect these changes.  The extension (<xref target="raae-writable"/>)
defines the snapshot and the operations that maintain it.</t>
        <t>The security notions follow the interface.  raAE and its rewrites target
ra-ROR (random-access real-or-random) and ra-CMT (random-access context
commitment) (<xref target="raae-security"/>).  Rewriting leaves both untouched, since
replacing a segment is an encryption the read-only adversary could
already ask for.  Snapshot authentication adds the one notion of its
own, snapshot integrity (<xref target="snapshot-integrity"/>).</t>
      </section>
      <section anchor="raae-syntax">
        <name>Interface</name>
        <t>The base raAE interface, from <xref target="FLRR25"/>, is a tuple of five algorithms:
KeyGen, StartEnc, EncSeg, StartDec, and DecSeg.</t>
        <dl>
          <dt>KeyGen:</dt>
          <dd>
            <t>Randomized key generation.  Takes no input.  Outputs a secret key K.</t>
          </dd>
          <dt>StartEnc(K, N, G):</dt>
          <dd>
            <t>Deterministic.  Takes a secret key K, nonce N, and global associated
data G.  Outputs a ciphertext header T_g and an initial per-message
encryption state S.</t>
          </dd>
          <dt>EncSeg(S, p, A_i, M_i):</dt>
          <dd>
            <t>Randomized.  Takes the encryption state S, a position identifier
p, per-segment associated data A_i, and message segment M_i.
Outputs a ciphertext segment C_i.  S is not modified.  EncSeg may
be called with the same S at any position, in any order, or
concurrently.</t>
          </dd>
          <dt>StartDec(K, N, G, T_g):</dt>
          <dd>
            <t>Deterministic.  Takes key K, nonce N, global associated data G, and
ciphertext header T_g.  Outputs a per-message decryption state S or
an error.</t>
          </dd>
          <dt>DecSeg(S, p, A_i, C_i):</dt>
          <dd>
            <t>Deterministic.  Takes the decryption state S, position identifier
p, per-segment associated data A_i, and ciphertext segment C_i.
Outputs message segment M_i or an error.</t>
          </dd>
        </dl>
        <t>The position identifier p = (i, b) consists of a segment number i and a
terminal bit b in {0, 1}.  They impose a total ordering on segments and
carry a truncation defense: a ciphertext lacking a segment with b = 1 is
incomplete.  The encryption state S is immutable.  That immutability is
what makes arbitrary-order and fully parallel operation possible.  The
ciphertext header T_g commits to K, the nonce N, and global associated
data G.  A headerless scheme emits T_g = empty.</t>
      </section>
      <section anchor="raae-writable">
        <name>Extended Interface</name>
        <t>Replacing a segment already written, without re-encrypting the others,
requires no new operation:  re-encrypting a position is an ordinary
EncSeg call over the immutable state, and it leaves ra-ROR and ra-CMT
untouched.</t>
        <t>Rewriting gives a storage layer something to attack:  it can roll a
segment back to an older valid copy, substitute one valid same-index
segment for another, or drop one while per-segment authentication still
passes on what it presents.  A scheme that supports rewriting <bcp14>MAY</bcp14> carry
a snapshot, a value over the current set of segments that a reader
checks to detect these changes.</t>
        <t>Two operations, added by this document, maintain and check the snapshot.
RewriteSeg replaces a segment and updates the snapshot in the same step.
SnapVerify decides whether a given set of segments is the one the writer
last recorded.</t>
        <dl>
          <dt>RewriteSeg(S, p, A_i, M'_i, C_i, snapshot):</dt>
          <dd>
            <t>Randomized.  Takes the encryption state S and position identifier p,
per-segment associated data A_i, the new message segment M'_i, the
existing ciphertext C_i at position p, and the current snapshot.
Outputs replacement ciphertext C'_i and an updated snapshot
value, snapshot'.</t>
          </dd>
          <dt>SnapVerify(S, segments, snapshot):</dt>
          <dd>
            <t>Deterministic.  Takes the encryption state S, the present segments
(the (position, ciphertext segment) pairs of the current object
state), and the snapshot.  Outputs accept or reject.</t>
          </dd>
        </dl>
        <t>The extension also changes two base signatures.  In the extended
interface:</t>
        <dl>
          <dt>StartEnc(K, N, G):</dt>
          <dd>
            <t>Deterministic.  As in <xref target="raae-syntax"/>, and additionally outputs the
initial snapshot value, the snapshot over the empty segment set.</t>
          </dd>
          <dt>EncSeg(S, p, A_i, M_i):</dt>
          <dd>
            <t>Randomized.  As in <xref target="raae-syntax"/>, and additionally outputs the
snapshot value over the segment set that results from adding C_i at
position p.</t>
          </dd>
        </dl>
        <t>The snapshot is an authenticator over the set of segments belonging to
the current object state.  When the scheme supports incremental
update, an update can run in time independent of the total segment
count.  This is an implementation goal, not a syntactic requirement of
the interface.  The base primitive has no snapshot value.  The
snapshot, the two signature changes above, RewriteSeg, and SnapVerify
are defined by this document.</t>
        <t>These additions define the extended raAE interface of this document:
the tuple (KeyGen, StartEnc, EncSeg, StartDec, DecSeg, RewriteSeg,
SnapVerify) over the auxiliary snapshot value.  The first five
algorithms are those of <xref target="raae-syntax"/>, with the snapshot outputs of
StartEnc and EncSeg defined above.  The snapshot value, RewriteSeg, and
SnapVerify are the extension.  A scheme can realize the base interface
alone, as FLOE (<xref target="FLRR25"/>) does.  SEAL (<xref target="framework"/>) realizes the
full extended interface.  Length change adds no further algorithm, as
the next paragraph describes.</t>
        <t>Changing a message's length is a composition of these operations,
not a separate algorithm in either direction.  Position-addressed
encryption over immutable state already permits re-encrypting a
position or encrypting at a higher index (see <xref target="ra-ror"/>).</t>
        <t>A holder appends by encrypting the new segments and re-marking the old
final segment with RewriteSeg to clear its terminal bit.  It truncates
by re-marking the new final segment with RewriteSeg, dropping the
trailing segments, and updating the snapshot over the surviving set.
Appending to an empty object skips the re-mark, since there is no old
final segment, and truncating away every segment yields the empty
object, with no new final segment to re-mark.</t>
        <t>Length changes occur only at the end of the message: a holder may
append segments or drop a suffix, but cannot remove or renumber front or
interior segments, because positions are index-addressed.  Each step
updates the snapshot, and <xref target="extend"/> gives the construction for both
directions.</t>
      </section>
    </section>
    <section anchor="framework">
      <name>SEAL: A Concrete raAE Construction</name>
      <t>SEAL is a parameterized construction for realizing the raAE primitive
defined in <xref target="raae"/>.  A SEAL instantiation combines an AEAD, a KDF, a
key schedule, a nonce-generation method, a commitment mechanism, and an
optional snapshot authenticator to produce an raAE scheme for segmented
stored content.</t>
      <t>The raAE interface defines what operations and security properties a
scheme provides.  SEAL defines how those operations are realized from
standard cryptographic components.  Different SEAL instantiations <bcp14>MAY</bcp14>
select different AEADs, KDFs, nonce modes, commitment mechanisms, or
snapshot authenticators, provided they satisfy the requirements of this
section.</t>
      <t>The remainder of this section specifies the common SEAL construction.
<xref target="security-properties"/> analyzes its security, and concrete parameter
choices and interoperable suites are in <xref target="concrete"/>.</t>
      <t>The key hierarchy is shown below.  A CEK and per-content salt feed the
payload schedule, which derives four values.  The payload key feeds
per-segment keys (optionally through epoch keys), and each segment
produces an AEAD tag.  When a snapshot authenticator is configured,
every tag feeds it to produce the snapshot.</t>
      <figure anchor="fig-hierarchy">
        <name>SEAL Key Hierarchy</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="624" width="272" viewBox="0 0 272 624" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,240 L 8,288" fill="none" stroke="black"/>
              <path d="M 24,208 L 24,232" fill="none" stroke="black"/>
              <path d="M 40,240 L 40,288" fill="none" stroke="black"/>
              <path d="M 64,240 L 64,288" fill="none" stroke="black"/>
              <path d="M 72,80 L 72,128" fill="none" stroke="black"/>
              <path d="M 88,208 L 88,232" fill="none" stroke="black"/>
              <path d="M 88,352 L 88,400" fill="none" stroke="black"/>
              <path d="M 96,136 L 96,160" fill="none" stroke="black"/>
              <path d="M 120,240 L 120,288" fill="none" stroke="black"/>
              <path d="M 120,496 L 120,544" fill="none" stroke="black"/>
              <path d="M 128,32 L 128,72" fill="none" stroke="black"/>
              <path d="M 136,240 L 136,288" fill="none" stroke="black"/>
              <path d="M 152,136 L 152,160" fill="none" stroke="black"/>
              <path d="M 152,208 L 152,232" fill="none" stroke="black"/>
              <path d="M 168,80 L 168,128" fill="none" stroke="black"/>
              <path d="M 176,352 L 176,400" fill="none" stroke="black"/>
              <path d="M 184,240 L 184,288" fill="none" stroke="black"/>
              <path d="M 192,552 L 192,576" fill="none" stroke="black"/>
              <path d="M 216,208 L 216,488" fill="none" stroke="black"/>
              <path d="M 264,496 L 264,544" fill="none" stroke="black"/>
              <path d="M 72,80 L 168,80" fill="none" stroke="black"/>
              <path d="M 72,128 L 168,128" fill="none" stroke="black"/>
              <path d="M 8,240 L 40,240" fill="none" stroke="black"/>
              <path d="M 64,240 L 120,240" fill="none" stroke="black"/>
              <path d="M 136,240 L 184,240" fill="none" stroke="black"/>
              <path d="M 8,288 L 40,288" fill="none" stroke="black"/>
              <path d="M 64,288 L 120,288" fill="none" stroke="black"/>
              <path d="M 136,288 L 184,288" fill="none" stroke="black"/>
              <path d="M 88,352 L 176,352" fill="none" stroke="black"/>
              <path d="M 88,400 L 176,400" fill="none" stroke="black"/>
              <path d="M 120,496 L 264,496" fill="none" stroke="black"/>
              <path d="M 120,544 L 264,544" fill="none" stroke="black"/>
              <path d="M 92,296 L 116,344" fill="none" stroke="black"/>
              <path d="M 172,456 L 188,488" fill="none" stroke="black"/>
              <path d="M 156,408 L 168,432" fill="none" stroke="black"/>
              <path d="M 200,144 L 208,160" fill="none" stroke="black"/>
              <path d="M 40,160 L 48,144" fill="none" stroke="black"/>
              <path d="M 96,432 L 108,408" fill="none" stroke="black"/>
              <path d="M 140,344 L 164,296" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="224,488 212,482.4 212,493.6" fill="black" transform="rotate(90,216,488)"/>
              <polygon class="arrowhead" points="216,160 204,154.4 204,165.6" fill="black" transform="rotate(63.43494882292201,208,160)"/>
              <polygon class="arrowhead" points="200,576 188,570.4 188,581.6" fill="black" transform="rotate(90,192,576)"/>
              <polygon class="arrowhead" points="196,488 184,482.4 184,493.6" fill="black" transform="rotate(63.43494882292201,188,488)"/>
              <polygon class="arrowhead" points="176,432 164,426.4 164,437.6" fill="black" transform="rotate(63.43494882292201,168,432)"/>
              <polygon class="arrowhead" points="160,232 148,226.4 148,237.6" fill="black" transform="rotate(90,152,232)"/>
              <polygon class="arrowhead" points="160,160 148,154.4 148,165.6" fill="black" transform="rotate(90,152,160)"/>
              <polygon class="arrowhead" points="148,344 136,338.4 136,349.6" fill="black" transform="rotate(116.56505117707799,140,344)"/>
              <polygon class="arrowhead" points="136,72 124,66.4 124,77.6" fill="black" transform="rotate(90,128,72)"/>
              <polygon class="arrowhead" points="124,344 112,338.4 112,349.6" fill="black" transform="rotate(63.43494882292201,116,344)"/>
              <polygon class="arrowhead" points="104,432 92,426.4 92,437.6" fill="black" transform="rotate(116.56505117707799,96,432)"/>
              <polygon class="arrowhead" points="104,160 92,154.4 92,165.6" fill="black" transform="rotate(90,96,160)"/>
              <polygon class="arrowhead" points="96,232 84,226.4 84,237.6" fill="black" transform="rotate(90,88,232)"/>
              <polygon class="arrowhead" points="48,160 36,154.4 36,165.6" fill="black" transform="rotate(116.56505117707799,40,160)"/>
              <polygon class="arrowhead" points="32,232 20,226.4 20,237.6" fill="black" transform="rotate(90,24,232)"/>
              <g class="text">
                <text x="104" y="36">CEK</text>
                <text x="156" y="36">salt</text>
                <text x="120" y="100">Payload</text>
                <text x="124" y="116">Schedule</text>
                <text x="28" y="180">commit</text>
                <text x="96" y="180">payload</text>
                <text x="160" y="180">nonce</text>
                <text x="220" y="180">snap</text>
                <text x="88" y="196">key</text>
                <text x="156" y="196">base</text>
                <text x="216" y="196">key</text>
                <text x="24" y="260">cmt</text>
                <text x="80" y="260">seg</text>
                <text x="160" y="260">nonce</text>
                <text x="92" y="276">key(i)</text>
                <text x="160" y="276">(i)</text>
                <text x="132" y="372">AEAD</text>
                <text x="136" y="388">Seal(i)</text>
                <text x="92" y="452">ct_i</text>
                <text x="168" y="452">tag_i</text>
                <text x="188" y="516">Snapshot</text>
                <text x="192" y="532">Authenticator</text>
                <text x="188" y="596">snapshot</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
                  CEK + salt
                      |
                      v
               .-----------.
               |  Payload  |
               |  Schedule |
               '-----------'
            /     |      |     \
           v      v      v      v
       commit  payload  nonce   snap
                key     base    key
         |       |       |       |
         v       v       v       |
       .---.  .------. .-----.   |
       |cmt|  |seg   | |nonce|   |
       |   |  |key(i)| | (i) |   |
       '---'  '------' '-----'   |
                  \       /      |
                   \     /       |
                    v   v        |
                 .----------.    |
                 |   AEAD   |    |
                 |  Seal(i) |    |
                 '----------'    |
                   /      \      |
                  v        v     |
                ct_i     tag_i   |
                            \    |
                             v   v
                     .-----------------.
                     |    Snapshot     |
                     |  Authenticator  |
                     '-----------------'
                              |
                              v
                          snapshot
]]></artwork>
        </artset>
      </figure>
      <section anchor="raae-mapping">
        <name>Construction Overview</name>
        <t>A commitment lets a reader reject a wrong key or parameter set before
decrypting anything.  An optional snapshot authenticates the current set
of segments.</t>
        <t>SEAL realizes the raAE operations of <xref target="raae-syntax"/> as follows:</t>
        <table anchor="op-mapping">
          <name>raAE operations and their SEAL realizations</name>
          <thead>
            <tr>
              <th align="left">raAE operation</th>
              <th align="left">SEAL realization</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">StartEnc</td>
              <td align="left">Derive the payload schedule from the CEK and salt, committing G (<xref target="key-derivation"/>)</td>
            </tr>
            <tr>
              <td align="left">StartDec</td>
              <td align="left">Re-derive the schedule and verify the stored commitment (<xref target="framework-commitment"/>)</td>
            </tr>
            <tr>
              <td align="left">EncSeg, DecSeg</td>
              <td align="left">EncryptSegment and DecryptSegment (<xref target="segment-subroutines"/>)</td>
            </tr>
            <tr>
              <td align="left">RewriteSeg</td>
              <td align="left">RewriteSegment, then update the snapshot authenticator for the changed segment (<xref target="full-rewrite"/>)</td>
            </tr>
            <tr>
              <td align="left">SnapVerify</td>
              <td align="left">Check the present indices and finality, then verify the snapshot via the authenticator (<xref target="snapshot-authenticator"/>)</td>
            </tr>
          </tbody>
        </table>
        <t>SEAL's salt, payload_info, and G carry the raAE per-message inputs, and
the commitment stands in for the header (<xref target="components"/>).</t>
      </section>
      <section anchor="components">
        <name>Component Suite and Parameters</name>
        <t anchor="parameters">This section names every parameter, input, and derived symbol the
construction uses.  <xref target="param-table"/> summarizes them, grouped by what
sets each one.  The entries that follow define the suite choices, the
profile-level constants, the algorithm-determined sizes, and the
per-message inputs.  Derived values are defined where they are computed,
in the sections the table cites.</t>
        <table anchor="param-table">
          <name>Parameters, inputs, and derived values</name>
          <thead>
            <tr>
              <th align="left">Parameter</th>
              <th align="left">Type or range</th>
              <th align="left">Set by</th>
              <th align="left">Defined in</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">AEAD</td>
              <td align="left">RFC 5116 algorithm</td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="concrete-algorithms"/></td>
            </tr>
            <tr>
              <td align="left">KDF</td>
              <td align="left">kdf_id from <xref target="kdf-table"/></td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="concrete-framing"/></td>
            </tr>
            <tr>
              <td align="left">segment_max</td>
              <td align="left">power of two, at least 4096</td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="concrete"/></td>
            </tr>
            <tr>
              <td align="left">epoch_length</td>
              <td align="left">integer r in 0 to 63</td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="epoch-key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">protocol_id</td>
              <td align="left">octet string</td>
              <td align="left">application</td>
              <td align="left">
                <xref target="security-domain-separation"/></td>
            </tr>
            <tr>
              <td align="left">nonce_mode</td>
              <td align="left">"random" or "derived"</td>
              <td align="left">message, within the profile</td>
              <td align="left">
                <xref target="nonce-generation"/></td>
            </tr>
            <tr>
              <td align="left">aad_label</td>
              <td align="left">ASCII string ("SEAL-DATA" in SEAL)</td>
              <td align="left">profile</td>
              <td align="left">
                <xref target="concrete-segment-aad"/></td>
            </tr>
            <tr>
              <td align="left">commitment_length</td>
              <td align="left">integer, at least 16, default Nh</td>
              <td align="left">profile</td>
              <td align="left">
                <xref target="appendix-commitment"/></td>
            </tr>
            <tr>
              <td align="left">Nk, Nn, Nt</td>
              <td align="left">sizes in octets</td>
              <td align="left">AEAD</td>
              <td align="left">
                <xref target="notation"/></td>
            </tr>
            <tr>
              <td align="left">Nh</td>
              <td align="left">size in octets</td>
              <td align="left">KDF</td>
              <td align="left">
                <xref target="notation"/></td>
            </tr>
            <tr>
              <td align="left">CEK</td>
              <td align="left">32 uniform random octets</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">salt</td>
              <td align="left">32 uniform random octets</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">payload_info</td>
              <td align="left">ordered element list</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="seal-encodings"/></td>
            </tr>
            <tr>
              <td align="left">G</td>
              <td align="left">octet string, empty by default</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="framework-commitment"/></td>
            </tr>
            <tr>
              <td align="left">commitment</td>
              <td align="left">commitment_length octets</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">payload_key</td>
              <td align="left">Nk octets</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">snap_key</td>
              <td align="left">Nh octets</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">nonce_base</td>
              <td align="left">Nn octets, derived mode only</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">epoch_key(i)</td>
              <td align="left">Nk octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="epoch-key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">segment_key(i)</td>
              <td align="left">Nk octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="epoch-key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">nonce(i)</td>
              <td align="left">Nn octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="nonce-generation"/></td>
            </tr>
            <tr>
              <td align="left">segment_aad(i, is_final, A_i)</td>
              <td align="left">octet string</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="concrete-segment-aad"/></td>
            </tr>
            <tr>
              <td align="left">tag(i)</td>
              <td align="left">Nt octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="segment-subroutines"/></td>
            </tr>
          </tbody>
        </table>
        <t>SEAL fixes the segment additional authenticated data (AAD) encoding, the
commitment derivation, and the snapshot value for every suite.  They are
specified in <xref target="concrete-segment-aad"/>, <xref target="framework-commitment"/>, and
<xref target="snapshot-authenticator"/> respectively, and are encoded identically
across all SEAL cipher suites.  The resulting octet lengths still vary
by suite, because Nh and Nt are suite-dependent.</t>
        <section anchor="suite-choices">
          <name>Suite Choices</name>
          <t>A suite is assembled from the following choices.</t>
          <dl>
            <dt>AEAD:</dt>
            <dd>
              <t>An authenticated encryption with associated data algorithm
satisfying the interface of <xref target="RFC5116"/>, with Nk-octet keys,
Nn-octet nonces, and Nt-octet authentication tags.</t>
            </dd>
            <dt>KDF:</dt>
            <dd>
              <t>A key derivation function supporting the abstract interface defined
in <xref target="concrete-framing"/>.  See <xref target="kdf-table"/> for the permitted KDFs.</t>
            </dd>
            <dt>segment_max:</dt>
            <dd>
              <t>A positive integer, a power of two and at least 4096 octets.  Each
segment carries at most this many plaintext octets.  The
length-dependent limits of <xref target="aead-usage-limits"/> are computed at
this size.</t>
            </dd>
            <dt>epoch_length:</dt>
            <dd>
              <t>A non-negative integer r in 0 to 63.  Each epoch covers 2^r
consecutive segments aligned to a multiple of 2^r
(<xref target="epoch-key-derivation"/>).  Profiles <bcp14>MAY</bcp14> restrict r further per AEAD
(<xref target="concrete"/>).  The value sets a rotation granularity, not an on/off
switch:  r = 0 selects the finest rotation, a fresh epoch key for
every segment, and no value of r disables epoch-key derivation.  A
flat key, one epoch key covering all segments, is r = 63.</t>
            </dd>
            <dt>protocol_id:</dt>
            <dd>
              <t>An application-chosen octet string that binds all derived values to
a specific protocol version.  Selection guidance is in
<xref target="security-domain-separation"/>.</t>
            </dd>
            <dt>nonce_mode:</dt>
            <dd>
              <t>A payload_info element selecting one of two nonce constructions,
"random" or "derived".  The constructions are defined in
<xref target="nonce-generation"/>, the default mode each SEAL suite uses in the
mutable profile (<xref target="aead-table"/>), and the valid (nonce_mode,
snap_id) tuples for each profile in <xref target="profiles"/>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="profile-constants">
          <name>Profile-Level Constants</name>
          <t>One constant is fixed by the profile rather than carried per message.</t>
          <dl>
            <dt>aad_label:</dt>
            <dd>
              <t>A profile-level ASCII string bound as the first element of the
segment AAD encoding (<xref target="concrete-segment-aad"/>).  Consuming
protocols <bcp14>MAY</bcp14> define their own profiles with a distinct aad_label.</t>
            </dd>
          </dl>
        </section>
        <section anchor="algorithm-sizes">
          <name>Algorithm-Determined Sizes</name>
          <t>The sizes Nk, Nn, Nt, and Nh are fixed by the chosen AEAD and KDF rather
than by the parameter set directly.  They are defined in <xref target="notation"/>,
with concrete values in <xref target="aead-table"/> and <xref target="kdf-table"/>.  One
configurable length defaults from Nh.</t>
          <dl>
            <dt>commitment_length:</dt>
            <dd>
              <t>A positive integer of at least 16, defaulting to Nh, the length in
octets of the key commitment prefix.  The collision bounds for each
length are given in <xref target="appendix-commitment"/>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="message-inputs">
          <name>Per-Message Inputs</name>
          <t>An encrypted message is built from four input values.</t>
          <dl>
            <dt>CEK:</dt>
            <dd>
              <t>A 32-octet uniform random Content Encryption Key generated fresh for
each message.  The CEK is input keying material for the key
schedule, not an AEAD key.</t>
            </dd>
            <dt>salt:</dt>
            <dd>
              <t>A per-content value of 32 uniformly random octets.  The salt
separates payload schedule outputs across messages even when the
CEK is reused.  <xref target="full-encryption"/> and <xref target="extend"/> give the rules
for generating and reusing it, and <xref target="salt-reuse"/> analyzes the
consequences of reuse.</t>
            </dd>
            <dt>payload_info:</dt>
            <dd>
              <t>The committed record of the object's configuration: an ordered
list of parameter set context elements covering key derivation,
AEAD operations, AAD construction, and nonce construction, which
the commitment (<xref target="framework-commitment"/>) binds.  The profile fixes
the concrete element set and their encodings.  SEAL's payload_info
is specified in <xref target="seal-encodings"/>.</t>
            </dd>
            <dt>G:</dt>
            <dd>
              <t>An octet string of global associated data, the G input of StartEnc in
the raAE primitive (<xref target="raae-syntax"/>), binding whole-message
application context such as a name, version, or policy.  G defaults to
the empty octet string and is never stored:  a decryptor supplies it
from application context, and the commitment binds it
(<xref target="framework-commitment"/>).</t>
            </dd>
          </dl>
          <t>The remaining symbols in <xref target="param-table"/> are derived values.  The
payload schedule (<xref target="key-derivation"/>) computes the per-message values
commitment, payload_key, snap_key, and nonce_base once from the CEK and
payload_info (the commitment also binds G, <xref target="framework-commitment"/>),
and they are fixed for the message's lifetime.  The per-segment values
epoch_key(i), segment_key(i), nonce(i), segment_aad(i, is_final, A_i),
and tag(i) are defined where they are computed:
<xref target="epoch-key-derivation"/>, <xref target="nonce-generation"/>,
<xref target="concrete-segment-aad"/>, and <xref target="segment-subroutines"/>.</t>
        </section>
      </section>
      <section anchor="concrete-framing">
        <name>The KDF Combiner</name>
        <t>The KDF combiner uses a length-prefixed encoding for all of its inputs.</t>
        <artwork><![CDATA[
frame(x):
    if len(x) <= 0xFFFE:  return uint16(len(x)) || x     ;; literal
    else:                 return uint16(0xFFFF) || LH(x) ;; digest



encode(x1, ..., xn) = frame(x1) || ... || frame(xn)
]]></artwork>
        <t>frame is total over every field length.  A field of at most 0xFFFE
octets is emitted literally behind its 2-octet length, identical to a
plain length prefix.  The reserved length 0xFFFF is a typed prefix
meaning that an Nh-octet digest LH(x) of an over-large field follows in
place of the field itself.</t>
        <t>LH(x), the over-large-field digest, runs the cipher suite's native KDF
primitive directly on x, invoking neither encode nor frame, and returns
Nh octets.  The two-step and one-step classes are HPKE's: a two-step KDF
(<xref target="RFC9180"/>) uses its extract step, and a one-step KDF
(<xref target="I-D.ietf-hpke-pq"/>) its XOF, with x carried under the label
"raAE-LP-v1":</t>
        <artwork><![CDATA[
two-step:  LH(x) = Extract("raAE-LP-v1", x)
one-step:  LH(x) = XOF("raAE-LP-v1" || x, Nh)
]]></artwork>
        <t>Routing LH through the KDF would encode-frame x and recurse, because
frame of an over-large x would re-enter LH.  LH therefore runs the
native primitive directly on x.  The injectivity of encode and the
domain-separation and collision properties of LH are established in
<xref target="framing"/>.</t>
        <t>Key material is derived through a KDF with the interface</t>
        <artwork><![CDATA[
KDF(protocol_id, label, ikm, info, L)
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>protocol_id: binds the output to a specific protocol
version and application context.</t>
          </li>
          <li>
            <t>label: a unique ASCII string identifying the
derivation role.</t>
          </li>
          <li>
            <t>ikm: input keying material, provided as a single
octet string or an ordered list of octet strings.</t>
          </li>
          <li>
            <t>info: context information, provided as a single
octet string or an ordered list of octet strings.</t>
          </li>
          <li>
            <t>L: the requested output length in octets.</t>
          </li>
        </ul>
        <t>This KDF binds protocol_id, a label, and inputs of any size into a
derived value; frame reduces any over-large input to a fixed-size digest
before the KDF sees it.  Any protocol instantiates the combiner by
supplying its own protocol_id, which domain-separates its derivations
from those of every other protocol.  SEAL's two profiles instantiate
the combiner at protocol_id SEAL-RW-v1 and SEAL-RO-v1 (<xref target="profiles"/>).</t>
        <t>The KDF is built from the cipher suite's hash in one of two forms.  The
cipher suite's kdf_id (<xref target="kdf-table"/>) selects which one.</t>
        <section anchor="two-step-kdf">
          <name>Two-Step KDF</name>
          <artwork><![CDATA[
KDF(protocol_id, label, ikm, info, L):
  extract_input = encode(protocol_id, label,
                         ...ikm)
  prk = Extract(salt=protocol_id,
                ikm=extract_input)
  expand_info = encode(protocol_id, label,
                       ...info, uint16(L))
  return Expand(prk, expand_info, L)
]]></artwork>
          <t>The notation <tt>...x</tt> means each element of the sequence x, whether ikm or
info, is a separate argument to encode.  A single octet string is the
one-element sequence containing it.  An absent value is the empty
sequence and contributes no arguments.  The empty sequence and the
one-element sequence whose element is the empty octet string are
distinct:  the first adds nothing to the encode, the second adds one
zero-length field.  A derivation with no info <bcp14>MUST</bcp14> use the empty
sequence, not the empty octet string, so that every implementation
encodes a given (protocol_id, label, ikm, info, L) tuple to the same
octets.  The protocol_id appears in both the Extract salt and the
extract_input as a defensive measure, and binding in either position
suffices for domain separation.</t>
          <t>The label appears in both Extract and Expand so that label binding is
preserved even if one phase is weak in isolation.  Implementations <bcp14>MAY</bcp14>
amortize the Extract computation internally when deriving multiple
outputs from the same protocol_id, label, and ikm.</t>
        </section>
        <section anchor="one-step-kdf">
          <name>One-Step KDF</name>
          <artwork><![CDATA[
KDF(protocol_id, label, ikm, info, L):
  M = encode(protocol_id, label,
             encode(...ikm), encode(...info),
             uint16(L))
  return XOF(M, L)
]]></artwork>
          <t>The XOF-based form frames ikm and info each as a single element of one
length-prefixed encode and squeezes L octets of output.  protocol_id
binding is via the message-side encode prefix only.  In both forms the
encoded input ends with uint16(L):  the two-step form places it last in
expand_info and the one-step form places it last in M.  Within a fixed
kdf_id, distinct (protocol_id, label, ikm, info, L) tuples yield
distinct outputs, by the injectivity of encode (established in
<xref target="framing"/> and demonstrated in <xref target="combiner-vectors"/>).  The two forms
are not mutually injective:  a cipher suite's kdf_id (<xref target="kdf-table"/>)
selects one form for that suite, and payload_info commits to the kdf_id
(<xref target="seal-encodings"/>), so no derivation ever compares outputs across
forms.  The two-step form binds ikm in Extract and info in Expand.  A
multi-value ikm or info is the encode of its elements, so any number of
elements is admitted.</t>
          <t>The following example expands M for combiner vector KDF.33
(<xref target="combiner-vectors"/>): TurboSHAKE-256, label "commit", ikm a single
32-octet element of repeated 0xAA, info the two elements 010203 and
0405, and L = 64.  Each frame is a 2-octet length followed by the
element, and the ikm and info lists are each one nested encode:</t>
          <artwork><![CDATA[
M, 71 octets, in frame order:

000a 5345414c2d52572d7631      frame(protocol_id "SEAL-RW-v1")
0006 636f6d6d6974              frame(label "commit")
0022 0020 aa..aa (32 octets)   frame(encode(...ikm)): one inner
                               frame wrapping the single element
0009 0003 010203 0002 0405     frame(encode(...info)): inner
                               frames of 3 and 2 octets
0002 0040                      frame(uint16(L)), L = 64

XOF(M, 64) = the KDF.33 output
]]></artwork>
          <t>With info = [], the empty sequence, the fourth frame is the two octets
0000: encode() of no elements is the empty octet string, and its frame
is a zero length with no content.  With info = [""], one zero-length
element, the inner encode is 0000 and the fourth frame is 0002 0000.
KDF.8 and KDF.28 (<xref target="combiner-vectors"/>) exercise the same distinction
in the two-step form.</t>
        </section>
      </section>
      <section anchor="seal-encodings">
        <name>SEAL Encodings and Labels</name>
        <t>SEAL fixes the concrete encodings the combiner and the AEAD consume: the
payload_info tuple, the segment AAD, and the derivation labels.</t>
        <section anchor="payload-info-construction">
          <name>Payload Info Construction</name>
          <artwork><![CDATA[
payload_info = [aead_id, segment_max_be, kdf_id, snap_id,
                nonce_mode, epoch_length_u8, salt]
]]></artwork>
          <t>Element encodings for SEAL:</t>
          <ul spacing="normal">
            <li>
              <t>aead_id: 2 octets, uint16(id), the unsigned 16-bit AEAD identifier
from <xref target="aead-table"/> (for example, 0x0002 for AES-256-GCM).</t>
            </li>
            <li>
              <t>segment_max_be: 4 octets, uint32(segment_max).  SEAL's segment
sizes are given in <xref target="concrete"/>.</t>
            </li>
            <li>
              <t>kdf_id: 2 octets, uint16(id), the unsigned 16-bit KDF identifier
from <xref target="kdf-table"/> (0x0001 for HKDF-SHA-256 per <xref target="RFC9180"/> Section
7.2; 0x0013 for TurboSHAKE-256 per <xref target="I-D.ietf-hpke-pq"/>).</t>
            </li>
            <li>
              <t>snap_id: 2 octets, uint16(id), the snapshot authenticator identifier
from <xref target="snapshot-table"/> (0x0000 for none, 0x0001 for the masked
multiset hash).</t>
            </li>
            <li>
              <t>nonce_mode: 1 octet, the nonce construction (<xref target="nonce-mode-table"/>):
0x00 for random, 0x01 for derived.  <xref target="aead-table"/> gives the default
mode each SEAL suite uses in the mutable profile.  A profile <bcp14>MAY</bcp14>
select another valid (nonce_mode, snap_id) tuple.</t>
            </li>
            <li>
              <t>epoch_length_u8: 1 octet, uint8(epoch_length).  Valid values per
<xref target="aead-table"/>.  Implementations <bcp14>MUST</bcp14> reject epoch_length &gt;= 64 on
both encode and decode.</t>
            </li>
            <li>
              <t>salt: 32 raw octets, the per-message salt.</t>
            </li>
          </ul>
          <t>The aad_label is a profile-level constant for SEAL (see
<xref target="concrete-segment-aad"/>) and is not carried in payload_info.  It is
bound transitively via protocol_id.  The KDF (<xref target="concrete-framing"/>)
applies frame to each element of the list.</t>
        </section>
        <section anchor="concrete-segment-aad">
          <name>Segment AAD</name>
          <t>The segment AAD binds each segment to its context.  What it must carry
depends on the nonce mode: a random nonce binds neither the segment
index nor the finality bit, so the AAD must, whereas a derived nonce
binds both (<xref target="derived-nonces"/>).</t>
          <artwork><![CDATA[
segment_aad(i, is_final, A_i):
  if nonce_mode is "random":
    if A_i is empty:
      return encode(aad_label, uint64(i), uint8(is_final))
    return encode(aad_label, uint64(i), uint8(is_final), A_i)
  ;; derived nonce mode: index and is_final are bound in the nonce
  if A_i is empty:
    return ""              ;; no AEAD associated-data pass
  return encode(aad_label, A_i)
]]></artwork>
          <table anchor="segment-aad-modes">
            <name>Segment AAD by nonce mode</name>
            <thead>
              <tr>
                <th align="left"> </th>
                <th align="left">Random nonce mode</th>
                <th align="left">Derived nonce mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Index i and is_final</td>
                <td align="left">bound in the AAD</td>
                <td align="left">bound in the nonce</td>
              </tr>
              <tr>
                <td align="left">A_i, when present</td>
                <td align="left">appended as a fourth encode element</td>
                <td align="left">the sole variable element</td>
              </tr>
              <tr>
                <td align="left">A_i, when empty</td>
                <td align="left">omitted, not a zero-length element</td>
                <td align="left">segment_aad is empty, with no associated-data pass</td>
              </tr>
            </tbody>
          </table>
          <t>aad_label is the profile-chosen label from the parameter set, the index
i is a big-endian 8-octet integer, and is_final is 1 for the last
segment and 0 for all others.  Because encode length-prefixes every
element, omitting an empty A_i stays injective, so the index and
finality bit remain authenticated.  Any profile that defines a
random-mode segment_aad <bcp14>MUST</bcp14> preserve injectivity and <bcp14>MUST</bcp14> authenticate
the segment index and finality bit.  aad_label is bound transitively
through protocol_id (<xref target="parameter-mismatch"/>), so segment_aad need not
repeat it for cross-profile separation.</t>
          <t>More generally, the binding of the triple (i, is_final, A_i) <bcp14>MUST</bcp14> be
unambiguous under one segment key, so that no two distinct triples
present the same inputs to the AEAD.  In random nonce mode segment_aad
alone <bcp14>MUST</bcp14> injectively bind the triple, because the nonce is an
independent random draw.  In derived nonce mode i and is_final are bound
in the nonce and A_i, when present, in segment_aad, and the (nonce,
segment_aad) pair <bcp14>MUST</bcp14> jointly determine the triple
(<xref target="derived-nonces"/>).</t>
          <t>A_i is the caller-supplied per-segment associated data of EncSeg and
DecSeg (<xref target="raae-syntax"/>), passed to the segment algorithms
(<xref target="segment-subroutines"/>).  It <bcp14>MAY</bcp14> be empty and <bcp14>MAY</bcp14> differ per segment.
Unlike a global associated data value G, which the commitment fixes at
creation (<xref target="framework-commitment"/>), A_i rides the per-segment AEAD
associated data and is rewritable: a rewrite can change a segment's A_i.
The example test vectors use an empty A_i, so the random-mode vectors
keep the three-element encoding and the derived-mode vector has an empty
segment_aad.</t>
          <t>The salt is not included in the AAD because it is already bound into
segment_key via the payload schedule.  Different messages produce
different segment keys even at the same index.  Transposing two segments
within a message fails because the AAD at each position encodes the
expected index.</t>
          <t>Unauthorized truncation is detectable, and <xref target="full-decryption"/>
requires a decryptor to reject it.  A reader that sees the
highest-indexed present segment carry is_final = 0 knows more data
must follow.  Authorized truncation by the CEK holder instead
re-marks the new final segment and updates the snapshot
(<xref target="extend"/>).  Extension is also caught: appending after a segment
marked is_final = 1 either invalidates the original final segment
on re-read or produces a ciphertext that cannot verify.</t>
          <t>Each segment binds both its index and its finality bit, through
the AAD in random nonce mode and through the nonce in derived
nonce mode.  This per-segment binding, rather than reliance on
the snapshot alone, catches these attacks.  A reader can
check them without holding all tags before decrypting any one
segment.</t>
          <t>The per-segment AEAD binds a segment's index and finality, not its
length (through the AAD in random nonce mode and through the nonce in
derived nonce mode).  A segment's ciphertext length is authenticated
implicitly by the AEAD tag over the ciphertext: altering, truncating, or
splicing a segment ciphertext is an AEAD forgery, not a parsing
ambiguity.  Because segments <bcp14>MAY</bcp14> be shorter than segment_max, the
consuming format <bcp14>MUST</bcp14> convey each segment's ciphertext length to the
decoder.  A wrong length yields an AEAD rejection, never a silent
accept.</t>
        </section>
        <section anchor="labels">
          <name>Labels</name>
          <table anchor="label-table">
            <name>SEAL core KDF labels by role</name>
            <thead>
              <tr>
                <th align="left">Derivation role</th>
                <th align="left">Label variable</th>
                <th align="left">Value</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Commitment</td>
                <td align="left">commit_label</td>
                <td align="left">"commit"</td>
              </tr>
              <tr>
                <td align="left">Payload key</td>
                <td align="left">payload_key_label</td>
                <td align="left">"payload_key"</td>
              </tr>
              <tr>
                <td align="left">Snapshot authenticator key</td>
                <td align="left">snap_key_label</td>
                <td align="left">"acc_key"</td>
              </tr>
              <tr>
                <td align="left">Nonce base</td>
                <td align="left">nonce_base_label</td>
                <td align="left">"nonce_base"</td>
              </tr>
              <tr>
                <td align="left">Epoch key</td>
                <td align="left">epoch_key_label</td>
                <td align="left">"epoch_key"</td>
              </tr>
            </tbody>
          </table>
          <t>SEAL fixes each label to the value above.  The construction formulas
reference labels by variable name, so the labels are SEAL parameters
rather than constants of the raAE construction.  Each value is an ASCII
string and is distinct from all others.  These label strings are frozen
for wire compatibility.  In particular the snapshot authenticator key
snap_key uses the label string "acc_key", retained from an earlier name.
These are the always-present key-schedule labels.  The masked multiset
hash (<xref target="masked-multiset-hash"/>), the plaintext-bound nonce construction
(<xref target="appendix-pt-bound"/>), and hedged randomness (<xref target="hedged-randomness"/>)
each define their own labels.</t>
        </section>
      </section>
      <section anchor="key-derivation">
        <name>Key Schedule and Nonce Generation</name>
        <t>A message's entire key hierarchy grows from two random values: the
32-octet CEK and the per-content salt.  All other keys are derived
deterministically through the KDF of <xref target="concrete-framing"/>.</t>
        <section anchor="payload-schedule">
          <name>Payload Schedule</name>
          <t>Four values are derived from the CEK and per-content salt.  The
commitment allows early rejection of a wrong key and additionally binds
the global associated data G (<xref target="message-inputs"/>).  The payload key
encrypts segments through epoch keys.  The snapshot authenticator key is
used by the configured snapshot authenticator.  The nonce base
(derived-mode only) seeds deterministic per-segment nonces.</t>
          <artwork><![CDATA[
payload_info = [aead_id,
                uint32(segment_max),    ;; segment_max_be
                kdf_id,
                snap_id,
                nonce_mode,
                uint8(epoch_length),    ;; epoch_length_u8
                salt]

commitment  = KDF(protocol_id, commit_label,
                  [CEK], [...payload_info, G], commitment_length)
payload_key = KDF(protocol_id, payload_key_label,
                  [CEK], payload_info, Nk)
snap_key     = KDF(protocol_id, snap_key_label,
                  [CEK], payload_info, Nh)

;; For derived nonce mode only:
nonce_base  = KDF(protocol_id, nonce_base_label,
                  [CEK], payload_info, Nn)
]]></artwork>
          <t>G is the global associated data of <xref target="message-inputs"/>, always the last
element of the commitment info.  It defaults to the empty octet string,
one zero-length element, so every commitment derivation includes it.
The other three derivations never take G.</t>
        </section>
        <section anchor="epoch-key-derivation">
          <name>Epoch Key Derivation</name>
          <t>AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305 use a 96-bit nonce.  At
a 2^(-32) collision-probability target, the random-nonce budget is about
2^32 encryptions per key.  For rewritable content, this limit can be
reached through repeated modifications to the same segments.  Epoch keys
partition the nonce space:  each epoch key covers at most 2^r segment
positions (initial writes plus rewrites), so the per-key invocation
count is bounded regardless of the content's total size.</t>
          <t>When epoch_length = r is specified, the segment key for segment i is an
epoch key derived from the payload key:</t>
          <artwork><![CDATA[
segment_key(i):
  epoch_index = i >> epoch_length
  return KDF(protocol_id, epoch_key_label,
             [payload_key],
             [uint64(epoch_index)], Nk)
]]></artwork>
          <t>At epoch_length = 0 the shift is the identity, so each segment has its
own epoch key.  At a large epoch_length every segment shares one epoch
key.  Implementations <bcp14>MUST</bcp14> apply this derivation at every epoch_length,
including 0, and <bcp14>MUST NOT</bcp14> use payload_key directly as a segment key.
Epoch keys implement the parallel external rekeying pattern of
<xref target="RFC8645"/>, adapted for random-access patterns.</t>
        </section>
        <section anchor="nonce-generation">
          <name>Nonce Generation</name>
          <t>Two nonce modes, random and derived, trade off AEAD flexibility,
storage cost, and trust in a cryptographically secure pseudorandom
number generator (CSPRNG).  Derived mode needs misuse-resistant
authenticated encryption (MRAE) unless the profile is write-once
(<xref target="profiles"/>).  The chosen mode is part of the parameter set and <bcp14>MUST</bcp14>
be consistent across all segments of a message.</t>
          <figure anchor="fig-nonce-modes">
            <name>The Two Nonce Modes</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="328" viewBox="0 0 328 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 104,64 L 104,96" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="112,96 100,90.4 100,101.6" fill="black" transform="rotate(90,104,96)"/>
                  <g class="text">
                    <text x="32" y="36">Random:</text>
                    <text x="188" y="36">Derived:</text>
                    <text x="196" y="52">nonce_base</text>
                    <text x="44" y="68">Random(Nn)</text>
                    <text x="96" y="68">-</text>
                    <text x="176" y="68">|</text>
                    <text x="168" y="84">XOR</text>
                    <text x="256" y="84">((i&lt;&lt;1)|is_final)</text>
                    <text x="176" y="100">|</text>
                    <text x="112" y="116">nonce_i</text>
                    <text x="184" y="116">nonce_i</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
Random:            Derived:
                   nonce_base
Random(Nn) -.        |
            |      XOR ((i<<1)|is_final)
            v        |
          nonce_i  nonce_i
]]></artwork>
            </artset>
          </figure>
          <t>The two modes differ as follows:</t>
          <table anchor="nonce-mode-comparison">
            <name>Random and derived nonce modes</name>
            <thead>
              <tr>
                <th align="left">Property</th>
                <th align="left">Random nonce mode</th>
                <th align="left">Derived nonce mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Per-segment nonce stored</td>
                <td align="left">yes, in segment metadata</td>
                <td align="left">no</td>
              </tr>
              <tr>
                <td align="left">CSPRNG required</td>
                <td align="left">yes</td>
                <td align="left">no</td>
              </tr>
              <tr>
                <td align="left">AEAD requirement</td>
                <td align="left">any AEAD</td>
                <td align="left">MRAE, or any in a write-once profile</td>
              </tr>
              <tr>
                <td align="left">Rewrite</td>
                <td align="left">fresh nonce each write</td>
                <td align="left">nonce fixed by index, reused on rewrite</td>
              </tr>
              <tr>
                <td align="left">Per-segment AAD</td>
                <td align="left">binds index and finality</td>
                <td align="left">empty when no A_i (index/finality in nonce)</td>
              </tr>
              <tr>
                <td align="left">Minimum nonce size Nn</td>
                <td align="left">no added constraint</td>
                <td align="left">at least 8 octets</td>
              </tr>
            </tbody>
          </table>
          <section anchor="random-nonce-mode">
            <name>Random Nonce Mode</name>
            <t>In random nonce mode (nonce_mode = "random"), each segment gets an
independent random nonce:</t>
            <artwork><![CDATA[
nonce(i) = Random(Nn)
]]></artwork>
            <t>Each segment's nonce is stored in per-segment metadata and <bcp14>MUST</bcp14>
be accessible to any reader that decrypts individual segments.
This mode requires a functioning CSPRNG.  The nonce collision
probability across independently generated per-segment nonces
follows the standard birthday bound.  See <xref target="aead-usage-limits"/>.</t>
            <t>Two optional encryptor-side hedges harden this mode against
different threats.  Hedged randomness (<xref target="hedged-randomness"/>)
mixes in a long-term key and defends against a weak or
predictable CSPRNG.  It does not defend against CSPRNG state
duplication, since identical CSPRNG output still yields identical
hedged output.  Only the plaintext-bound construction
(<xref target="appendix-pt-bound"/>), which mixes in plaintext content,
defends against state duplication.  Both are implementation-local,
leave the wire format unchanged, and are not separate nonce modes.</t>
          </section>
          <section anchor="derived-nonces">
            <name>Derived Nonce Mode</name>
            <t>Derived nonce mode is intended for profiles that do not store a
per-segment nonce.  Nonces are derived deterministically from the
payload schedule.  Derived nonce mode is defined only for AEADs whose
nonce size Nn is at least 8 octets.
The segment index occupies the high bits of an 8-octet counter and the
finality bit occupies the low bit, so the per-segment AAD need not carry
either one.  The XOR is applied to the last 8 octets of nonce_base, with
the remaining octets unchanged:</t>
            <artwork><![CDATA[
nonce(i) = nonce_base[0:Nn-8]
           || (nonce_base[Nn-8:Nn]
               XOR uint64((i << 1) | is_final))
]]></artwork>
            <t>No per-segment nonce storage is required.</t>
            <t>The encoded value (i &lt;&lt; 1) | is_final <bcp14>MUST</bcp14> fit in the low 8 octets of
nonce_base, so the segment index i <bcp14>MUST</bcp14> be less than 2^63.  This caps an
object at 2^63 segments, far beyond any reachable object.  See
<xref target="max-object-size"/> for the resulting size limit.</t>
            <t>A derived nonce is fixed by the segment index, so re-encrypting a
segment reuses its nonce.  An MRAE AEAD such as AES-256-GCM-SIV
(<xref target="RFC8452"/>) tolerates that reuse, degrading to equality leakage rather
than plaintext recovery, within the per-segment rewrite limit given in
<xref target="aead-usage-limits"/>.  A non-MRAE AEAD does not: reusing its nonce
leaks plaintext, so with a non-MRAE AEAD, derived nonce mode <bcp14>MUST</bcp14> be
confined to a write-once profile, in which each segment is encrypted
exactly once.</t>
            <t>A write-once profile rewrites nothing and performs no length change.  A
rewrite would repeat a derived nonce, and a length change re-marks the
terminal segment under a fresh nonce (is_final flips the low bit).  The
write-once discipline is the simplest rule that keeps every derived
nonce unique.  It <bcp14>MUST</bcp14> draw a fresh salt for every object, so the nonce
base differs, and <bcp14>MUST NOT</bcp14> re-encrypt under that salt after a crash
(<xref target="nonce-misuse"/>).</t>
            <t>Folding is_final into the nonce also removes a per-segment cost.  The
nonce binds the index and finality, so the per-segment associated data
need not carry them: segment_aad is empty when the caller supplies no
A_i, and is encode(aad_label, A_i) otherwise (<xref target="concrete-segment-aad"/>).
When A_i is empty the AEAD processes no associated data, removing the
per-segment associated-data pass that random nonce mode incurs.  This is
the structural reason an immutable, write-once profile in derived nonce
mode coincides with STREAM (<xref target="related-work"/>) at the nonce-and-AEAD
layer: a key-derived counter-plus-final-bit nonce over a per-segment
AEAD with no associated data.</t>
          </section>
        </section>
      </section>
      <section anchor="framework-commitment">
        <name>Commitment</name>
        <t>Per-segment AEAD authenticates the ciphertext core together with the
segment index and finality bit (through the segment AAD in random nonce
mode and through the nonce in derived nonce mode) so position binding
for the segment being opened is already provided.  Two further
properties remain: context commitment, provided here, and snapshot
membership, provided by the snapshot authenticator
(<xref target="snapshot-authenticator"/>).  The commitment lets a reader reject an
incorrect CEK or parameter context before attempting any segment
decryption, providing ra-CMT-style context commitment (<xref target="ra-cmt"/>) for
the construction.</t>
        <t>The commitment is a commitment_length-octet value the payload schedule
derives from the CEK, payload_info, and the global associated data G
(<xref target="key-derivation"/>).</t>
        <t>Before decrypting any segment, a reader derives the expected commitment
from the CEK, payload_info, and G, and compares it octet-for-octet with
the stored value.  A reader <bcp14>MUST</bcp14> verify the commitment before decrypting
any segment and <bcp14>MUST</bcp14> treat a mismatch as an authentication failure for
the object.  A mismatch indicates a wrong key, a wrong parameter set, a
wrong G, or a corrupted header.  This check provides ra-CMT context
commitment.  The reduction outline and bound are in <xref target="key-commitment"/>.</t>
        <t>G is the global associated data input of StartEnc in the raAE primitive
(<xref target="raae-syntax"/>), binding whole-message application context such as a
name, version, or policy.  The key schedule commits G by appending it as
one length-prefixed element after payload_info in the commitment info
input (<xref target="key-derivation"/>), so the commitment covers G just as the
primitive's ciphertext header T_g does (<xref target="FLRR25"/>).</t>
        <t>G is bound through the commitment, which is fixed when the content is
created, so G is immutable:  changing it invalidates the stored
commitment.  Segment contents remain rewritable through the snapshot
authenticator (<xref target="snapshot-authenticator"/>).</t>
        <t>G defaults to the empty octet string, so a message whose application
supplies no context commits over an empty final element.  G is never
stored.  A decryptor supplies it from application context, and a wrong G
fails the commitment check (<xref target="full-decryption"/>) the same way a wrong
CEK does (<xref target="parameter-mismatch"/>).</t>
      </section>
      <section anchor="snapshot-authenticator">
        <name>Snapshot Authenticator</name>
        <t>The snapshot authenticator binds the current set of segment tags into
the public snapshot value.  A SEAL profile selects one with snap_id
(<xref target="snapshot-table"/>).</t>
        <section anchor="snapshot-interface">
          <name>Interface and Requirements</name>
          <t>A snapshot authenticator provides the following operations:</t>
          <dl>
            <dt>add(i, tag):</dt>
            <dd>
              <t>Fold one segment's tag into the running value.</t>
            </dd>
            <dt>remove(i, tag):</dt>
            <dd>
              <t>Take one segment's tag back out.  An updatable authenticator provides
this operation, so a single segment can be rewritten or dropped
without rebuilding.  An add-only authenticator omits it and rebuilds
the value by re-adding the surviving segments.</t>
            </dd>
            <dt>set_length(n):</dt>
            <dd>
              <t>Set the segment count to n.</t>
            </dd>
            <dt>snapshot():</dt>
            <dd>
              <t>Bind the current state into the snapshot value, which authenticates
the (index, tag) set and the count n_seg.</t>
            </dd>
            <dt>verify(snapshot):</dt>
            <dd>
              <t>Recompute the snapshot value over the current (index, tag) set and
accept only if it matches the stored snapshot, in constant time.</t>
            </dd>
          </dl>
          <t>The scheme's RewriteSeg and SnapVerify (<xref target="raae-writable"/>) are realized
from these operations.  SnapVerify(S, segments, snapshot) checks a
stored snapshot:</t>
          <ol spacing="normal" type="1"><li>
              <t>Let n_seg be the number of present segments.</t>
            </li>
            <li>
              <t>Verify that the present segments occupy exactly the indices
  0..n_seg-1, each once.  Finality is not checked here: is_final is
  authenticated by the segment AEAD at decryption, and
  <xref target="full-decryption"/> rejects a present set whose highest-indexed
  segment does not carry is_final = 1.</t>
            </li>
            <li>
              <t>Call verify(snapshot) over the present (index, tag) set and the
  count n_seg.</t>
            </li>
          </ol>
          <t>A duplicate or missing index is caught only by step 2, because an
authenticator's verify <bcp14>MAY</bcp14> accept a malformed index multiset.  An
implementation <bcp14>MUST NOT</bcp14> skip the index-set check.  SEAL's masked
multiset hash realizes verify in <xref target="masked-multiset-hash"/>.</t>
          <t>SnapVerify above checks the whole-object target.  An authenticator <bcp14>MAY</bcp14>
also support a single-segment target that verifies one (index, tag)
against the recorded set.  The masked multiset hash reads all tags and
supports the whole-object target only.  The snapshot value stays a
single target-independent value of length Na, with no per-segment proof
stored.</t>
          <t>A conforming authenticator's snapshot() <bcp14>MUST</bcp14> bind both the (index, tag)
set and the count n_seg, so a verifier detects any added, dropped,
reordered, re-marked, or otherwise altered segment, and the snapshot
value <bcp14>MUST</bcp14> be
unforgeable by a party without the authenticator's key, under that
authenticator's security assumption.  How the value is computed, and
whether a single-segment change updates it in place or rebuilds it, is
the authenticator's choice.  The masked multiset hash
(<xref target="masked-multiset-hash"/>) updates in place in O(1).</t>
          <t>The snapshot value length is written Na and <bcp14>MAY</bcp14> depend on n_seg, with Na
= 0 meaning no value.  A fixed-length authenticator suits any layout,
while a count-dependent one is supported only by the split layout of a
mutable object (<xref target="file-layouts"/>).</t>
          <t>A segment's finality is a function of its index and the count:</t>
          <artwork><![CDATA[
is_final(i) = 1 if i = n_seg - 1, else 0
]]></artwork>
          <t>It is carried by that segment's tag.  Because finality follows the
count, changing n_seg re-marks the boundary segment on its own, so
rewrite, extend, and truncate are one update over the segments whose
tag changes:</t>
          <ol spacing="normal" type="1"><li>
              <t>Under the current count, remove each changed segment's current
  tag (remove(i, tag)).  The current n_seg fixes which segment
  is terminal, so each removal carries that segment's current finality.</t>
            </li>
            <li>
              <t>Set the length to the new count (set_length(n)).</t>
            </li>
            <li>
              <t>Under the new count, re-encrypt each surviving changed segment under
  its new finality and add its new tag (add(i, tag)).  New
  segments are added here.  Discarded segments are not added back.</t>
            </li>
            <li>
              <t>Call snapshot(), which recomputes the snapshot value over the new
  count and segment set.</t>
            </li>
          </ol>
          <t>Each operation is an instance of that shape over different segments:</t>
          <table anchor="length-change-table">
            <name>Rewrite, extend, and truncate</name>
            <thead>
              <tr>
                <th align="left">Operation</th>
                <th align="left">Count</th>
                <th align="left">Tags removed</th>
                <th align="left">Tags added</th>
                <th align="left">Terminal re-mark</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Rewrite</td>
                <td align="left">unchanged</td>
                <td align="left">the changed segment</td>
                <td align="left">the changed segment</td>
                <td align="left">none</td>
              </tr>
              <tr>
                <td align="left">Extend by k</td>
                <td align="left">n_seg to n_seg+k</td>
                <td align="left">old terminal</td>
                <td align="left">old terminal and k new</td>
                <td align="left">old final, 1 to 0 (none if empty)</td>
              </tr>
              <tr>
                <td align="left">Truncate to m</td>
                <td align="left">n_seg to m</td>
                <td align="left">the tail and old terminal</td>
                <td align="left">new terminal</td>
                <td align="left">new final, 0 to 1 (none if m=0)</td>
              </tr>
            </tbody>
          </table>
          <t>Each operation re-encrypts only the segments whose tag changes, so a
caller that cannot recover a re-encrypted segment's plaintext cannot
perform it.</t>
          <t>This sequence uses remove, so it is the updatable-authenticator path.
An add-only authenticator instead resets and re-adds the surviving
segments to rebuild the snapshot value.</t>
        </section>
        <section anchor="snapshot-selection">
          <name>Selecting an Authenticator</name>
          <t>A SEAL profile selects its snapshot authenticator with snap_id
(<xref target="snapshot-table"/>):  0x0000 for none, or 0x0001 for the masked
multiset hash.</t>
        </section>
        <section anchor="snapshot-none">
          <name>None</name>
          <t>With snap_id = 0x0000 there is no snapshot authenticator: no snapshot
value is produced (Na = 0), snapshot() and verify() are no-ops, and a
mutable object rests on per-segment authentication alone.  Such a
profile <bcp14>MUST NOT</bcp14> produce the empty object (n_seg = 0).  With no snapshot
value to bind the zero count, a truncation that removed every segment
would be indistinguishable from a legitimate empty object, so a valid
object always has at least one segment (<xref target="snapshot-limitations"/>).</t>
        </section>
        <section anchor="masked-multiset-hash">
          <name>Masked Multiset Hash</name>
          <t>With snap_id = 0x0001 the snapshot authenticator builds an updatable,
masked multiset hash over the segment tags.  It accumulates one indexed,
keyed contribution per segment, in the MSet-XOR-Hash form of Clarke et
al.  (<xref target="MSetHash"/>), then publishes that accumulator behind a
deterministic mask this document adds.  Its per-segment contribution is:</t>
          <artwork><![CDATA[
contrib(i) = KDF(protocol_id, contrib_label,
                 [snap_key],
                 [uint64(i), tag(i)], Nh)
]]></artwork>
          <t>The masked multiset hash fixes three labels:  contrib_label =
"acc_contrib", snapshot_tag_label = "snapshot_tag", and
snapshot_mask_label = "snapshot_mask", each distinct from all other SEAL
labels.</t>
          <t>The finality bit is bound through tag(i):  it is an AEAD input in both
nonce modes (segment_aad in random mode, the low nonce bit in derived
mode, <xref target="derived-nonces"/>), so flipping it changes tag(i), hence
contrib(i), hence the accumulator.  No explicit binding in contrib is
needed.</t>
          <t>The masked multiset hash aggregates the per-segment contributions into
the accumulator acc by bitwise XOR:</t>
          <artwork><![CDATA[
acc = contrib(0) XOR contrib(1) XOR ... XOR contrib(n_seg-1)
]]></artwork>
          <t>The accumulator is an Nh-octet value, with the all-zero string as the
value for the empty segment set.
XOR is order-independent, so the accumulator does not depend on segment
order, and it is its own inverse, so rewriting segment i removes its old
contribution and adds the new one by XOR, in O(1) time and without
re-reading any other segment.</t>
          <t>An object with n_seg = 0 is a valid empty object.  It holds the salt,
the commitment, and the snapshot value, with no ciphertext segments and
no per-segment tags.  Its accumulator is the XOR over the empty segment
set, namely 0^Nh, and the same masking as any other count applies, so
the empty snapshot is not a fixed constant but a masked authenticator
over zero segments:</t>
          <artwork><![CDATA[
acc          = 0^Nh
snapshot_tag = snaptag(0, 0^Nh)
mask         = snapmask(0, snapshot_tag)
snapshot     = snapval(0, 0^Nh) = mask || snapshot_tag
]]></artwork>
          <t>An empty object is distinct from a zero-length plaintext, which is one
final segment (n_seg = 1) whose plaintext has length 0.</t>
          <t>To rewrite segment i without re-reading the other tags, the writer first
recovers the accumulator from the stored snapshot by removing the mask,
acc = wrapped_acc XOR snapmask(n_seg, snapshot_tag).  It then XORs
contrib(i) computed from the old tag (stored alongside the ciphertext)
out of acc, XORs in contrib(i) computed from the new tag, and produces
the new snapshot value over the unchanged count.  The wrapped_acc and
snapshot_tag <bcp14>MUST</bcp14> come from locally trusted snapshot state
(<xref target="full-rewrite"/>).</t>
          <t>The accumulator is linear, and publishing it in the clear would let a
write adversary recombine the differences between successive values into
a non-historical segment set (<xref target="appendix-snapshot"/>).  The masked
multiset hash therefore does two things.  First it authenticates the
count and accumulator with the snapshot tag, a message authentication
code (MAC) under snap_key with its own label:</t>
          <artwork><![CDATA[
snaptag(n_seg, acc) = KDF(protocol_id, snapshot_tag_label,
                          [snap_key],
                          [uint64(n_seg), acc], Nh)
]]></artwork>
          <t>Write snapshot_tag = snaptag(n_seg, acc) for the present count and
accumulator.  Second, the masked multiset hash derives a mask from
snap_key under the third label, seeded by that synthetic tag rather than
by a fresh nonce, and XORs it into the accumulator to form the masked
accumulator wrapped_acc:</t>
          <artwork><![CDATA[
snapmask(n_seg, snapshot_tag) =
    KDF(protocol_id, snapshot_mask_label,
        [snap_key],
        [uint64(n_seg), snapshot_tag], Nh)

mask        = snapmask(n_seg, snapshot_tag)
wrapped_acc = acc XOR mask
snapshot    = wrapped_acc || snapshot_tag
]]></artwork>
          <t>Seeding the mask with the synthetic tag rather than a fresh nonce is the
synthetic-IV derandomization of deterministic authenticated encryption
(<xref target="DAE"/>):  the snapshot stays a deterministic function of (n_seg, acc)
while the published accumulator is hidden behind a one-time pad
(<xref target="appendix-snapshot"/>).  The count n_seg is not stored in the snapshot
value.  The verifier supplies it as the number of segments present, and
snaptag binds it under the MAC.</t>
          <t>The masked multiset hash stores wrapped_acc and snapshot_tag, each Nh
octets, so Na = 2*Nh.  <xref target="snapshot-interface"/> defines Na in general.</t>
          <t>As a function of the count and accumulator, the snapshot value is</t>
          <artwork><![CDATA[
snapval(n_seg, acc) = wrapped_acc || snapshot_tag
]]></artwork>
          <t>The snapshot tag binds n_seg and the accumulator under snap_key, and the
mask hides the accumulator behind a tag-derived one-time pad.  The
forgery bound and the masking argument are in <xref target="snapshot-security"/> and
<xref target="appendix-snapshot"/>.</t>
          <t>SnapVerify runs only after the verifier has re-derived and checked the
commitment as part of decryption (<xref target="full-decryption"/>).  The snapshot's
per-object binding rests on snap_key (<xref target="appendix-snapshot"/>).</t>
          <t>The masked multiset hash realizes verify(snapshot) for the SnapVerify
of <xref target="snapshot-interface"/>.  SnapVerify supplies the count n_seg and the
present segment tags:</t>
          <artwork><![CDATA[
verify(snapshot):
  ;; Caller (SnapVerify, {{snapshot-interface}}) MUST already have
  ;; checked that the present indices are exactly 0..n_seg-1, each
  ;; once.  This accumulator is order-independent under XOR, so a
  ;; duplicate or missing index is invisible here and MUST NOT be
  ;; skipped by the caller.
  acc_calc      = XOR over i of contrib(i)   ;; present segment tags
  tag_calc      = snaptag(n_seg, acc_calc)
  snapshot_calc = (acc_calc XOR snapmask(n_seg, tag_calc)) || tag_calc
  compare snapshot_calc to snapshot in constant time
          (on any mismatch, reject)
  return accept
]]></artwork>
          <t>The comparison runs in constant time (<xref target="constant-time"/>).  Because the
accumulator is order-independent under XOR, a duplicate or missing
index can leave acc_calc recomputing to the genuine accumulator and the
comparison passing, which is why SnapVerify's index-set check
(<xref target="snapshot-interface"/>) is mandatory.</t>
          <t>verify returns only accept or reject.  An implementation <bcp14>MUST NOT</bcp14>
surface the recomputed accumulator or any value derived from it, and
<bcp14>MUST NOT</bcp14> signal through an error code or timing whether the snapshot tag
matched while the masked accumulator did not.  The mask hides the
accumulator only against a one-bit verifier:  exposing it, or
distinguishing a tag-valid accumulator-mismatch from a plain reject,
reinstates the recombination attack of <xref target="appendix-snapshot"/>.</t>
          <t>A modified tag or count changes the recomputed snapshot, and a different
key or parameter context fails the commitment check that precedes
SnapVerify (<xref target="full-decryption"/>).  The forgery bound is in
<xref target="snapshot-security"/> and the rollback limitation in
<xref target="snapshot-limitations"/>.</t>
        </section>
      </section>
      <section anchor="segment-subroutines">
        <name>Segment Algorithms</name>
        <t>The construction defines the per-segment subroutines EncryptSegment,
DecryptSegment, and RewriteSegment.  In this random-access construction,
is_final is an explicit input to each subroutine.  Full-message
encryption derives it from the total segment count n_seg, while
random-access decryption and rewrite callers supply it directly.  The
full-message procedures (<xref target="full-encryption"/>, <xref target="full-decryption"/>,
<xref target="extend"/>) and the rewrite procedure (<xref target="full-rewrite"/>) compose them.</t>
        <t>Each subroutine is the cryptographic core of one operation of the base
or extended raAE interface (<xref target="raae-syntax"/>, <xref target="raae-writable"/>),
refining the operation-level mapping of <xref target="op-mapping"/> to the signature
level.  The primitive's position identifier p = (i, b) appears here as
the explicit arguments i and is_final.  Its immutable state S is
realized by the payload schedule:  the segment_key(i), nonce(i), and
segment_aad calls below read the schedule from context rather than
taking S as an argument.  Its message segment M_i is the plaintext P_i,
and its opaque ciphertext segment C_i is stored as the field triple
(nonce_metadata(i), ct_i, tag_i).</t>
        <table anchor="subroutine-mapping">
          <name>Segment subroutines and the primitive operations they realize</name>
          <thead>
            <tr>
              <th align="left">Subroutine</th>
              <th align="left">Realizes</th>
              <th align="left">Composed by</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">EncryptSegment</td>
              <td align="left">EncSeg</td>
              <td align="left">
                <xref target="full-encryption"/>, <xref target="extend"/></td>
            </tr>
            <tr>
              <td align="left">DecryptSegment</td>
              <td align="left">DecSeg</td>
              <td align="left">
                <xref target="full-decryption"/></td>
            </tr>
            <tr>
              <td align="left">RewriteSegment</td>
              <td align="left">the encryption core of RewriteSeg</td>
              <td align="left">
                <xref target="full-rewrite"/> and <xref target="extend"/>, which add the snapshot bookkeeping</td>
            </tr>
          </tbody>
        </table>
        <t>These subroutines emit ct_i and tag_i as separate fields, and ct_i has
length len(P_i), which can be shorter than segment_max.  The consuming
format conveys each segment's ciphertext length to the decoder so
DecryptSegment can recover the two fields, as required by
<xref target="concrete-segment-aad"/>.</t>
        <t>In every subroutine, i is the segment index (a non-negative integer),
is_final is 1 for the last segment and 0 for all others, A_i is the
caller-supplied associated data for segment i, and P_i is the segment
plaintext.  The subroutines call segment_key(i) and nonce(i) as defined
in <xref target="key-derivation"/>, with nonce(i) following the chosen nonce_mode,
and segment_aad(i, is_final, A_i) as defined in
<xref target="concrete-segment-aad"/>.</t>
        <t>nonce_metadata(i) denotes the stored nonce metadata for segment i:
nonce(i) when nonce_mode is "random", and empty when it is "derived".
In random mode DecryptSegment reads its nonce from nonce_metadata_i,
and in derived mode it recomputes nonce(i).</t>
        <section anchor="encryptsegment">
          <name>EncryptSegment</name>
          <artwork><![CDATA[
EncryptSegment(i, is_final, A_i, P_i):
  key   = segment_key(i)
  nonce = nonce(i)                        ;; per nonce_mode
  aad   = segment_aad(i, is_final, A_i)
  C_i   = AEAD.Encrypt(key, nonce, aad, P_i)
  split C_i into ct_i and tag_i
  return (nonce_metadata(i), ct_i, tag_i)
]]></artwork>
          <t>AEAD.Encrypt and AEAD.Decrypt are the interfaces of <xref target="RFC5116"/>
Sections 2.1 and 2.2.  For the AEADs in <xref target="aead-table"/> the tag is the
final Nt octets of C_i, so ct_i is the first len(P_i) octets and
C_i = ct_i || tag_i.  EncryptSegment splits C_i at that boundary, and
DecryptSegment reassembles it.</t>
          <t>The caller folds tag_i into the snapshot authenticator with add(i,
tag_i) (<xref target="snapshot-authenticator"/>).  EncryptSegment itself does no
snapshot work.</t>
        </section>
        <section anchor="decryptsegment">
          <name>DecryptSegment</name>
          <t>DecryptSegment returns the segment plaintext, or a decryption error:</t>
          <artwork><![CDATA[
DecryptSegment(i, is_final, A_i, nonce_metadata_i, ct_i, tag_i):
  key   = segment_key(i)
  nonce = nonce_metadata_i or nonce(i)    ;; per nonce_mode (above)
  aad   = segment_aad(i, is_final, A_i)
  C_i   = ct_i || tag_i
  P_i   = AEAD.Decrypt(key, nonce, aad, C_i)
          (on verification failure, return a decryption error)
  return P_i
]]></artwork>
        </section>
        <section anchor="rewritesegment">
          <name>RewriteSegment</name>
          <t>RewriteSegment assumes the caller has already verified the commitment or
otherwise confirmed it holds the correct CEK.  A rewrite under the wrong
key produces unreadable ciphertext and corrupts the snapshot
authenticator's state.  The error is detectable only on a subsequent
read.</t>
          <t>RewriteSegment(i, is_final, A_i, new_P_i) is defined as
EncryptSegment(i, is_final, A_i, new_P_i): a rewrite is a fresh
encryption of the new plaintext new_P_i.  The output
(new_nonce_metadata_i, new_ct_i, new_tag_i) replaces the stored nonce
metadata, ciphertext, and tag for segment i.</t>
          <t>RewriteSegment produces the replacement ciphertext and tag only.  The
caller updates the snapshot authenticator by reading the stored old tag
and calling remove(i, old_tag_i) then add(i, new_tag_i)
(<xref target="full-rewrite"/>).</t>
        </section>
      </section>
      <section anchor="toplevel-algorithms">
        <name>Top-level Algorithms</name>
        <t>The top-level algorithms compose the segment subroutines
(<xref target="segment-subroutines"/>) over complete messages.  They call the
snapshot-authenticator operations of <xref target="snapshot-authenticator"/> (add(i,
tag), remove(i, tag), set_length(n), snapshot(), and verify()) without
referring to how any is computed.  The authenticator selected by snap_id
(<xref target="snapshot-table"/>) realizes those operations.  For the masked multiset
hash they reduce to the accumulator, snapshot-tag, and mask formulas of
<xref target="masked-multiset-hash"/>.</t>
        <t>These procedures do not expose per-segment associated data, so they pass
an empty A_i to each subroutine.  An application that needs per-segment
A_i calls the subroutines directly.</t>
        <section anchor="read-only-ops">
          <name>Read-Only Operations</name>
          <t>Encryption and decryption are available in every SEAL profile.  They
write a message once and read individual segments.  Neither rewrites a
stored segment.  When the profile configures no snapshot authenticator
(snap_id = 0x0000, <xref target="snapshot-table"/>), the snapshot steps below are
omitted, and a reader relies on per-segment authentication alone.</t>
          <section anchor="full-encryption">
            <name>Encryption</name>
            <t>Encryption runs in two phases.  The first phase derives the per-message
schedule and writes the commitment.  The second encrypts each segment
independently and, under a snapshot authenticator, adds its tag with
add(i, tag).  Then snapshot() binds the whole set into the stored
snapshot value.  Because the segments are independent, the second phase
may run in any order or in parallel.</t>
            <figure anchor="fig-encrypt-build">
              <name>Key Schedule and Segment Encryption</name>
              <artset>
                <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="528" viewBox="0 0 528 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                    <path d="M 64,48 L 64,64" fill="none" stroke="black"/>
                    <path d="M 64,96 L 64,112" fill="none" stroke="black"/>
                    <path d="M 152,112 L 152,128" fill="none" stroke="black"/>
                    <path d="M 152,160 L 152,176" fill="none" stroke="black"/>
                    <path d="M 152,208 L 152,224" fill="none" stroke="black"/>
                    <path d="M 24,112 L 240,112" fill="none" stroke="black"/>
                    <polygon class="arrowhead" points="160,224 148,218.4 148,229.6" fill="black" transform="rotate(90,152,224)"/>
                    <polygon class="arrowhead" points="160,176 148,170.4 148,181.6" fill="black" transform="rotate(90,152,176)"/>
                    <polygon class="arrowhead" points="160,128 148,122.4 148,133.6" fill="black" transform="rotate(90,152,128)"/>
                    <polygon class="arrowhead" points="72,64 60,58.4 60,69.6" fill="black" transform="rotate(90,64,64)"/>
                    <g class="text">
                      <text x="44" y="36">CEK,</text>
                      <text x="84" y="36">salt</text>
                      <text x="48" y="84">payload</text>
                      <text x="116" y="84">schedule</text>
                      <text x="24" y="132">v</text>
                      <text x="240" y="132">v</text>
                      <text x="44" y="148">commitment</text>
                      <text x="152" y="148">payload_key</text>
                      <text x="252" y="148">snap_key</text>
                      <text x="96" y="196">EncryptSegment(i,</text>
                      <text x="188" y="196">P_i)</text>
                      <text x="248" y="196">using</text>
                      <text x="320" y="196">payload_key</text>
                      <text x="404" y="196">(one</text>
                      <text x="440" y="196">per</text>
                      <text x="492" y="196">segment)</text>
                      <text x="128" y="244">ct_i,</text>
                      <text x="176" y="244">tag_i</text>
                    </g>
                  </svg>
                </artwork>
                <artwork type="ascii-art"><![CDATA[
   CEK, salt
       |
       v
  payload schedule
       |
  .----+----------+----------.
  v               v          v
commitment   payload_key   snap_key
                  |
                  v
   EncryptSegment(i, P_i)   using payload_key   (one per segment)
                  |
                  v
             ct_i, tag_i
]]></artwork>
              </artset>
            </figure>
            <t>The per-segment tags then feed the snapshot authenticator, which adds
each one and binds them into the snapshot value
(<xref target="snapshot-authenticator"/>).</t>
            <t>An application that writes a new message <bcp14>MUST</bcp14> generate a fresh,
uniformly random salt.  Given a CEK, that salt, a parameter set, G, and
a plaintext P split into segments P_0 through P_{n_seg-1}:</t>
            <artwork><![CDATA[
derive  commitment, payload_key, snap_key from the payload schedule
        (and nonce_base, in derived mode)
store   commitment

for i in 0 .. n_seg-1:
    is_final = 1 if i = n_seg-1, else 0
    nonce_metadata_i, ct_i, tag_i
        = EncryptSegment(i, is_final, empty, P_i)
    store nonce_metadata_i, ct_i, tag_i
    if snapshot authentication is enabled (snap_id != 0x0000):
        add(i, tag_i)

if snapshot authentication is enabled (snap_id != 0x0000):
    set_length(n_seg)
    snapshot = snapshot()
    store snapshot
]]></artwork>
            <t>A zero-length plaintext produces a single segment of length 0 with
is_final = 1.</t>
          </section>
          <section anchor="full-decryption">
            <name>Decryption of Segment i</name>
            <t>Opening a segment is a local operation: check the commitment to reject a
wrong key early, then AEAD-decrypt the one segment.  This yields
per-segment authenticity over the ciphertext core, the segment index,
and the finality bit.  Under a snapshot authenticator (snap_id !=
0x0000), whole-set authenticity is a separate and stronger check that
requires every tag.  It detects any added, dropped, reordered, or
re-marked segment, and same-index rollback to an older sibling.  A
reader holding only one segment gets per-segment authenticity but <bcp14>MUST
NOT</bcp14> claim snapshot integrity until it runs SnapVerify
(<xref target="snapshot-authenticator"/>).  A profile with no snapshot authenticator
(snap_id = 0x0000) defines no snapshot, so per-segment authenticity is
the whole integrity guarantee.</t>
            <t>Given the CEK, salt, parameter set, G, segment index i, finality status,
and the stored ciphertext segment for index i:</t>
            <artwork><![CDATA[
derive  commitment from CEK, salt, and G
derive  payload_key, snap_key from CEK and salt
if stored commitment != derived commitment:  return error
P_i = DecryptSegment(i, is_final, empty, nonce_metadata_i, ct_i, tag_i)
       (return its error on failure)
if snapshot authentication is enabled and all tags are available:
    if SnapVerify(snapshot) fails:  return error  (do not deliver P_i)
return P_i
]]></artwork>
            <t>Here SnapVerify is the three-argument SnapVerify(S, segments, snapshot)
of <xref target="raae-writable"/>, with S the derived schedule and segments the
present (index, tag) pairs.</t>
            <t>SnapVerify needs every tag, so a reader that streams segments in order
cannot gate their release on snapshot integrity without first buffering
all tags or using a layout that carries the tags in a header.
Delivering on per-segment authenticity alone forgoes snapshot freshness
for that segment (<xref target="snapshot-limitations"/>).  A streaming reader
likewise cannot rule out truncation before the end of the stream:
plaintext delivered before the highest-indexed segment verifies under
is_final = 1, and before SnapVerify passes where a snapshot
authenticator is configured, <bcp14>MUST</bcp14> be treated as unverified with respect
to completeness.</t>
            <t>A decryptor <bcp14>MUST</bcp14> reject a truncated object, one whose highest-indexed
segment does not carry is_final = 1.  A run of segments 0 through k-1
whose last segment (index k-1) carries is_final = 0 is incomplete, and
the decryptor <bcp14>MUST</bcp14> fail rather than return the partial plaintext.</t>
            <t>The check works because the application supplies the segment count
n_seg, from which the decryptor derives the finality each segment must
carry (<xref target="segment-subroutines"/>).  It then verifies the final segment
under is_final = 1.  A truncated object, whose last surviving segment
was written as non-final, fails that verification.  The finality bit is
bound per segment and is unforgeable without the CEK: in derived nonce
mode it occupies the low bit of the segment nonce
(<xref target="nonce-generation"/>), and in random nonce mode it is bound through
segment_aad (<xref target="concrete-segment-aad"/>).  An adversary therefore cannot
re-mark a non-final segment as final and can only drop trailing
segments, which this check detects.</t>
            <t>Authorized truncation by the CEK holder re-encrypts the new final
segment under is_final = 1 with a fresh nonce (<xref target="extend"/>), so a
legitimately truncated object still ends with is_final = 1 and verifies.
This check needs no snapshot authenticator.</t>
            <t>Truncation to an empty object is covered too.  A profile with no
snapshot authenticator forbids the zero-segment object, so a valid
object always has at least one segment, and a decryptor <bcp14>MUST</bcp14> reject one
that has none.  Under a snapshot authenticator the snapshot binds the
count, so the empty object (n_seg = 0) is a distinct authenticated state
(<xref target="snapshot-limitations"/>).</t>
            <t>On a commitment mismatch the implementation <bcp14>MUST NOT</bcp14> proceed with
decryption, <bcp14>SHOULD</bcp14> zeroize derived key material, and <bcp14>MUST</bcp14> return an
error.  Under a snapshot authenticator, when all segment tags are
available (for example, a full read or an integrity audit), the reader
<bcp14>MUST</bcp14> run SnapVerify (<xref target="snapshot-authenticator"/>) on the stored snapshot
before delivering any plaintext, and <bcp14>MUST</bcp14> return an error if SnapVerify
fails.  With no snapshot authenticator there is no such check, and
per-segment authentication stands alone.</t>
            <t>Decryption can fail in up to three distinguishable ways:</t>
            <table anchor="decryption-failures">
              <name>Decryption failure conditions</name>
              <thead>
                <tr>
                  <th align="left">Failure</th>
                  <th align="left">Cause</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td align="left">Commitment mismatch</td>
                  <td align="left">wrong key or parameters</td>
                </tr>
                <tr>
                  <td align="left">AEAD verification failure</td>
                  <td align="left">corrupted or tampered segment</td>
                </tr>
                <tr>
                  <td align="left">Snapshot mismatch</td>
                  <td align="left">segment set or count modified (snapshot authenticator only)</td>
                </tr>
              </tbody>
            </table>
            <t>Implementations <bcp14>SHOULD</bcp14> report these as distinct error conditions for
local diagnosis, but <bcp14>SHOULD</bcp14> return a single opaque error to untrusted
callers to avoid leaking an oracle (for example, distinguishing "wrong
key" from "tampered segment" over a network).</t>
          </section>
        </section>
        <section anchor="rewritable-ops">
          <name>Rewritable Operations</name>
          <t>Rewriting and length change are available only in a mutable profile,
which configures a snapshot authenticator (snap_id = 0x0001).  Each
re-encrypts only the segments whose tag changes and updates the
snapshot over the new segment set.  A caller that cannot recover a
re-encrypted segment's plaintext cannot perform them.</t>
          <section anchor="full-rewrite">
            <name>Rewriting Segment i</name>
            <t>A rewrite touches exactly one segment and never reads another.
Replacing a segment removes its old tag from the snapshot authenticator
and adds the new one, then updates the snapshot over the unchanged
count with snapshot().
The update trusts, rather than re-verifies, the stored snapshot state.
The old tag is already stored alongside the old ciphertext, so no other
segment is read or decrypted (<xref target="snapshot-authenticator"/>).  This
single-segment update and the trust in stored snapshot state are
properties of an updatable authenticator like the masked multiset hash,
which folds the change in O(1).  An add-only authenticator re-reads the
surviving tags to rebuild on rewrite.</t>
            <t>The procedure is:</t>
            <artwork><![CDATA[
read   old_tag_i
new_nonce_metadata_i, new_ct_i, new_tag_i
       = RewriteSegment(i, is_final, empty, new_P_i)
remove(i, old_tag_i)                    (count n_seg unchanged)
add(i, new_tag_i)
snapshot      = snapshot()
store  new_nonce_metadata_i, new_ct_i, new_tag_i, snapshot
]]></artwork>
            <t>In derived nonce mode the nonce for segment i is deterministic, so a
rewrite reuses the same nonce under a key whose derivation context is
identical.  This is safe because a mutable profile that selects derived
nonce mode requires an MRAE AEAD (AES-256-GCM-SIV).  MRAE AEADs are
designed to tolerate nonce reuse, degrading to equality leakage rather
than plaintext recovery, within the per-segment rewrite limit in
<xref target="rewrite-budget-security"/>.  The snapshot update proceeds identically.</t>
            <t>The stored snapshot cannot be validated during an in-place rewrite.
Validation is SnapVerify (<xref target="snapshot-authenticator"/>), which recomputes
the authenticator from every segment's tag and so requires reading all
tags.  During a rewrite the application trusts the stored snapshot
state, applies remove and add for the one changed segment, and produces
the new value with snapshot().  Because it trusts that state, the writer
<bcp14>MUST</bcp14> take it from locally trusted storage or run SnapVerify first.
Otherwise a storage adversary can roll the stored snapshot back and have
the writer rebuild on it, laundering the rollback into a snapshot that
verifies going forward (<xref target="snapshot-limitations"/>).  Full validation is a
separate operation that an application performs when it has access to
all tags (for example, on a full read or an integrity audit).</t>
          </section>
          <section anchor="extend">
            <name>Changing Message Length</name>
            <t>An application that holds the CEK <bcp14>MAY</bcp14> change a stored message's
length in either direction: appending new segments, or truncating
to a prefix.  The two directions share one shape.  Exactly one
retained segment, the old or the new terminal one, is re-encrypted
to move the finality bit, with none re-encrypted when appending
from the empty object or truncating to it.  Every other changed
segment is removed or added by tag without re-encryption, and the
snapshot is updated over the new count (<xref target="fig-length-change"/>).
Both reuse the existing salt: an application extending an existing
message <bcp14>MUST</bcp14> reuse the salt from the object it extends.  A fresh salt
would change every payload schedule output and force re-encryption of
the retained segments.</t>
            <figure anchor="fig-length-change">
              <name>Append and Truncate</name>
              <artset>
                <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="576" viewBox="0 0 576 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                    <g class="text">
                      <text x="20" y="36">Both</text>
                      <text x="84" y="36">directions</text>
                      <text x="152" y="36">share</text>
                      <text x="192" y="36">one</text>
                      <text x="232" y="36">shape</text>
                      <text x="272" y="36">(no</text>
                      <text x="324" y="36">terminal</text>
                      <text x="392" y="36">re-mark</text>
                      <text x="440" y="36">for</text>
                      <text x="472" y="36">the</text>
                      <text x="24" y="52">empty</text>
                      <text x="84" y="52">object):</text>
                      <text x="28" y="84">1.</text>
                      <text x="72" y="84">re-mark</text>
                      <text x="120" y="84">the</text>
                      <text x="164" y="84">single</text>
                      <text x="228" y="84">terminal</text>
                      <text x="296" y="84">segment</text>
                      <text x="372" y="84">remove</text>
                      <text x="408" y="84">+</text>
                      <text x="432" y="84">add</text>
                      <text x="468" y="84">(new</text>
                      <text x="516" y="84">count)</text>
                      <text x="28" y="100">2.</text>
                      <text x="68" y="100">update</text>
                      <text x="112" y="100">the</text>
                      <text x="164" y="100">boundary</text>
                      <text x="236" y="100">segments</text>
                      <text x="284" y="100">by</text>
                      <text x="312" y="100">tag</text>
                      <text x="380" y="100">remove</text>
                      <text x="420" y="100">or</text>
                      <text x="448" y="100">add</text>
                      <text x="500" y="100">(each)</text>
                      <text x="28" y="116">3.</text>
                      <text x="68" y="116">update</text>
                      <text x="112" y="116">the</text>
                      <text x="164" y="116">snapshot</text>
                      <text x="396" y="116">snapshot()</text>
                      <text x="44" y="148">append</text>
                      <text x="120" y="148">(n_seg'</text>
                      <text x="160" y="148">=</text>
                      <text x="192" y="148">n_seg</text>
                      <text x="224" y="148">+</text>
                      <text x="248" y="148">k):</text>
                      <text x="76" y="164">terminal</text>
                      <text x="120" y="164">=</text>
                      <text x="144" y="164">old</text>
                      <text x="184" y="164">final</text>
                      <text x="240" y="164">n_seg-1</text>
                      <text x="320" y="164">(is_final</text>
                      <text x="368" y="164">1</text>
                      <text x="388" y="164">-&gt;</text>
                      <text x="416" y="164">0);</text>
                      <text x="452" y="164">none</text>
                      <text x="484" y="164">if</text>
                      <text x="520" y="164">n_seg</text>
                      <text x="552" y="164">=</text>
                      <text x="568" y="164">0</text>
                      <text x="56" y="180">add</text>
                      <text x="84" y="180">IN</text>
                      <text x="128" y="180">the</text>
                      <text x="160" y="180">new</text>
                      <text x="212" y="180">segments</text>
                      <text x="364" y="180">n_seg..n_seg+k-1</text>
                      <text x="52" y="196">truncate</text>
                      <text x="120" y="196">(n_seg'</text>
                      <text x="160" y="196">=</text>
                      <text x="184" y="196">m):</text>
                      <text x="76" y="212">terminal</text>
                      <text x="120" y="212">=</text>
                      <text x="144" y="212">new</text>
                      <text x="184" y="212">final</text>
                      <text x="224" y="212">m-1</text>
                      <text x="320" y="212">(is_final</text>
                      <text x="368" y="212">0</text>
                      <text x="388" y="212">-&gt;</text>
                      <text x="416" y="212">1);</text>
                      <text x="452" y="212">none</text>
                      <text x="484" y="212">if</text>
                      <text x="504" y="212">m</text>
                      <text x="520" y="212">=</text>
                      <text x="536" y="212">0</text>
                      <text x="68" y="228">remove</text>
                      <text x="128" y="228">the</text>
                      <text x="184" y="228">discarded</text>
                      <text x="260" y="228">segments</text>
                      <text x="340" y="228">m..n_seg-1</text>
                    </g>
                  </svg>
                </artwork>
                <artwork type="ascii-art"><![CDATA[
Both directions share one shape (no terminal re-mark for the
empty object):

  1. re-mark the single terminal segment   remove + add (new count)
  2. update the boundary segments by tag    remove or add  (each)
  3. update the snapshot                    snapshot()

  append   (n_seg' = n_seg + k):
     terminal = old final n_seg-1  (is_final 1 -> 0); none if n_seg = 0
     add IN   the new segments       n_seg..n_seg+k-1
  truncate (n_seg' = m):
     terminal = new final m-1      (is_final 0 -> 1); none if m = 0
     remove   the discarded segments m..n_seg-1
]]></artwork>
              </artset>
            </figure>
            <artwork><![CDATA[
re-mark the terminal segment t:
   append:    t = n_seg - 1    is_final: 1 -> 0
   truncate:  t = m - 1        is_final: 0 -> 1

if a terminal segment t exists (n_seg >= 1 for append, m >= 1 for
truncate):
   read   salt, payload schedule, snapshot value, segment t
          (truncate also reads old_tag_j for discarded j in m..n_seg-1)
   P_t    = plaintext of segment t       (decrypt, or use if held)
   meta, ct, new_tag_t
          = RewriteSegment(t, is_final_t, empty, P_t)
   under the old count:  remove(t, old_tag_t)
else:
   (append from empty: no old terminal; the appended loop below
    marks the last new segment is_final = 1.  truncate to m = 0:
    no segment remains, so nothing is re-marked.)
truncate:  for j in m .. n_seg-1:  remove(j, old_tag_j)

n_seg' = n_seg+k (append) or m (truncate)
set_length(n_seg')

if a terminal segment t exists:  add(t, new_tag_t)
append:    for j in n_seg .. n_seg+k-1:
              meta_j, ct_j, tag_j
                  = EncryptSegment(j, is_final_j, empty, P_j)
              add(j, tag_j)
           (is_final_j = 1 only for the last segment)

snapshot      = snapshot()
store  segment t and snapshot; append adds the new segments,
       truncate drops segments m..n_seg-1
]]></artwork>
            <t>Changing message length re-encrypts the terminal segment, except when
truncating to the empty object (m = 0), where no segment remains.  A
caller that cannot recover that segment's plaintext cannot do it.</t>
            <t>Each add and remove takes the segment's stored tag, which already
encodes that segment's is_final bit, so an implementation never tracks
finality separately.</t>
            <t>A botched incremental update corrupts the snapshot authenticator's state
silently, surfacing only at a later SnapVerify.  An implementation <bcp14>MAY</bcp14>
run SnapVerify over the new segment set immediately after a length
change to catch this.  A botched update yields a value that the
from-scratch recomputation will not match, turning a silent corruption
into a caught error.</t>
            <t>Both operations count against the same per-CEK AEAD usage budget as
initial encryption (<xref target="aead-usage-limits"/>).  Each re-encrypts one
terminal segment, except a truncate to the empty object (m = 0), which
re-encrypts none.  In derived nonce mode the nonce for the re-marked
segment is fixed by its index and finality bit.  Re-marking flips the
finality bit, so this nonce differs from the segment's previous one, but
repeated length changes can make the same (index, finality bit) pair
recur, and only an MRAE AEAD tolerates the resulting nonce reuse
(<xref target="key-derivation"/>).</t>
            <t>Applications that do not need length changes <bcp14>MAY</bcp14> simply forbid them.
The salt-reuse requirement applies only when a length change is
performed.  An application that re-encrypts the entire content can
generate a fresh salt and is not bound by the constraints in this
section.</t>
            <t>Test vectors for the SEAL profile are provided in <xref target="test-vectors"/>, and
the serialization layouts are in <xref target="file-layouts"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="concrete">
        <name>SEAL Suites</name>
        <t>This section lists example algorithm suites for the SEAL construction.
SEAL's concrete framing and procedures are defined in <xref target="framework"/>.</t>
        <section anchor="concrete-algorithms">
          <name>Algorithms</name>
          <t>SEAL defines the following AEAD algorithms.  Each has a code point, a
key size, a nonce size, a default nonce mode, and an epoch_length range.
The key size Nk is 16 octets for AES-128-GCM and 32 octets for the other
suites.  All use a 16-octet authentication tag (Nt = 16).</t>
          <table anchor="aead-table">
            <name>SEAL AEAD algorithms</name>
            <thead>
              <tr>
                <th align="left">Algorithm</th>
                <th align="left">aead_id</th>
                <th align="left">Nk</th>
                <th align="left">Nn</th>
                <th align="left">default mode</th>
                <th align="left">epoch_length</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM</td>
                <td align="left">0x0001</td>
                <td align="left">16</td>
                <td align="left">12</td>
                <td align="left">random</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM</td>
                <td align="left">0x0002</td>
                <td align="left">32</td>
                <td align="left">12</td>
                <td align="left">random</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305</td>
                <td align="left">0x001D</td>
                <td align="left">32</td>
                <td align="left">12</td>
                <td align="left">random</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV</td>
                <td align="left">0x001F</td>
                <td align="left">32</td>
                <td align="left">12</td>
                <td align="left">derived</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256</td>
                <td align="left">0x0021</td>
                <td align="left">32</td>
                <td align="left">32</td>
                <td align="left">random</td>
                <td align="left">63</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256X2</td>
                <td align="left">0x0024</td>
                <td align="left">32</td>
                <td align="left">32</td>
                <td align="left">random</td>
                <td align="left">63</td>
              </tr>
            </tbody>
          </table>
          <t>The aead_id values are the unsigned 16-bit code points from the IANA
AEAD Algorithms Registry (<xref target="RFC5116"/>), encoded as uint16(id).  The
registry's textual identifiers are, in table order, AEAD_AES_128_GCM,
AEAD_AES_256_GCM, AEAD_CHACHA20_POLY1305, AEAD_AES_256_GCM_SIV,
AEAD_AEGIS256, and AEAD_AEGIS256X2.  AES-128-GCM and AES-256-GCM are
specified in <xref target="NIST-SP-800-38D"/>, ChaCha20-Poly1305 in <xref target="RFC8439"/>,
AES-256-GCM-SIV in <xref target="RFC8452"/>, and AEGIS-256 and AEGIS-256X2 in
<xref target="I-D.irtf-cfrg-aegis-aead"/>.  The AEGIS code points 0x0021 and 0x0024
are early allocations that firm up when that I-D is published as an RFC.</t>
          <t>The 96-bit-nonce AEADs (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305) and
the MRAE AES-256-GCM-SIV (in derived nonce mode) rotate the segment key
and may set epoch_length anywhere in 0 to 63.  The 256-bit-nonce
AEADs (AEGIS-256, AEGIS-256X2) use a flat key (epoch_length = 63, one
epoch key covering every segment).
<xref target="epoch-length-guidance"/> gives the per-suite budgets that fix these
ranges.</t>
          <t>The default nonce_mode column gives each AEAD's mode in the mutable
profile, SEAL-RW-v1.  The immutable profile, SEAL-RO-v1, instead pairs a
derived nonce with any of these AEADs, because its write-once rule keeps
every derived nonce unique and needs no MRAE AEAD (<xref target="profiles"/>).</t>
          <t>SEAL permits the KDF cipher suites in <xref target="kdf-table"/>, identified by
entries from the HPKE KDF Registry (<xref target="RFC9180"/> Section 7.2 and
<xref target="I-D.ietf-hpke-pq"/>):</t>
          <table anchor="kdf-table">
            <name>Permitted SEAL KDF Cipher Suites</name>
            <thead>
              <tr>
                <th align="left">kdf_id</th>
                <th align="left">Name</th>
                <th align="left">Construction</th>
                <th align="left">Nh</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">0x0001</td>
                <td align="left">HKDF-SHA-256</td>
                <td align="left">Two-step HKDF-Extract+Expand</td>
                <td align="left">32</td>
              </tr>
              <tr>
                <td align="left">0x0002</td>
                <td align="left">HKDF-SHA-384</td>
                <td align="left">Two-step HKDF-Extract+Expand</td>
                <td align="left">48</td>
              </tr>
              <tr>
                <td align="left">0x0003</td>
                <td align="left">HKDF-SHA-512</td>
                <td align="left">Two-step HKDF-Extract+Expand</td>
                <td align="left">64</td>
              </tr>
              <tr>
                <td align="left">0x0013</td>
                <td align="left">TurboSHAKE-256</td>
                <td align="left">One-step XOF (absorb+squeeze)</td>
                <td align="left">64</td>
              </tr>
            </tbody>
          </table>
          <t>HKDF-SHA-256 is specified in <xref target="RFC5869"/>.  TurboSHAKE-256 is the
extendable-output mode of the SHA-3 family selected by
<xref target="I-D.ietf-hpke-pq"/>.  The <tt>kdf_id</tt> values are the unsigned 16-bit code
points from the HPKE KDF Registry, encoded as uint16(id).  Nh and
<tt>commitment_length</tt> equal the KDF's primitive output size, 32 octets for
HKDF-SHA-256, 48 for HKDF-SHA-384, and 64 for HKDF-SHA-512 and
TurboSHAKE-256.  HKDF-SHA-256 is the baseline KDF.  The others are
optional alternatives.</t>
          <t>The two-step Extract and Expand are HKDF-Extract and HKDF-Expand.  The
one-step XOF uses TurboSHAKE256 with D = 0x1F, the Derive convention's
domain-separator byte, which an implementation <bcp14>MUST NOT</bcp14> change.</t>
          <t>The snapshot authenticator is selected by snap_id:</t>
          <table anchor="snapshot-table">
            <name>SEAL Snapshot Authenticators</name>
            <thead>
              <tr>
                <th align="left">snap_id</th>
                <th align="left">Name</th>
                <th align="left">Snapshot value</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">0x0000</td>
                <td align="left">none</td>
                <td align="left">none produced</td>
              </tr>
              <tr>
                <td align="left">0x0001</td>
                <td align="left">masked multiset hash</td>
                <td align="left">snapshot, per <xref target="snapshot-authenticator"/></td>
              </tr>
            </tbody>
          </table>
          <t>snap_id = 0x0000 selects no snapshot authenticator:  no snapshot value
is produced and a reader relies on per-segment authentication alone.  An
immutable (write-once) profile enforces snap_id = 0x0000.  A profile
that supports rewrite requires snap_id = 0x0001, so every rewritable
object carries whole-object integrity (<xref target="rewritable-ops"/>).</t>
          <t>The nonce mode is carried explicitly by nonce_mode:</t>
          <table anchor="nonce-mode-table">
            <name>SEAL Nonce Modes</name>
            <thead>
              <tr>
                <th align="left">nonce_mode</th>
                <th align="left">Name</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">0x00</td>
                <td align="left">random</td>
              </tr>
              <tr>
                <td align="left">0x01</td>
                <td align="left">derived</td>
              </tr>
            </tbody>
          </table>
          <t>The two constructions are defined in <xref target="nonce-generation"/>.</t>
          <t>The supported maximum segment sizes are 16384 and 65536 octets.  Both
values are powers of two and at least 4096 octets.  The 16384-octet size
aligns to 16 KiB memory pages (for example, on Apple Silicon).  The
65536-octet size aligns to 64 KiB (four 16 KiB pages).</t>
          <t>The aad_label is "SEAL-DATA".  Under snap_id = 0x0001 the snapshot
authenticator is the masked multiset hash (<xref target="snapshot-authenticator"/>),
with wrapped_acc and the snapshot tag each an Nh-octet value, so Na =
2*Nh.</t>
        </section>
        <section anchor="profiles">
          <name>Composing a SEAL Suite</name>
          <t>A SEAL suite fixes an AEAD and a KDF (<xref target="aead-table"/>, <xref target="kdf-table"/>), a
maximum segment size, a snapshot authenticator (snap_id,
<xref target="snapshot-table"/>), a nonce mode (nonce_mode, <xref target="nonce-mode-table"/>),
and an epoch length.  The protocol_id identifies the parameters a
profile fixes, and only certain (nonce_mode, snap_id) tuples are valid
under each one.  This document defines two named profiles, SEAL-RW-v1
and SEAL-RO-v1.</t>
          <t>A profile's payload_info <bcp14>MUST</bcp14> carry the full parameter context
affecting key derivation, AEAD operations, AAD construction, and nonce
construction, so that the commitment (<xref target="framework-commitment"/>) binds
that context.</t>
          <t>SEAL-RW-v1 is the mutable profile (read-write).  It requires snap_id
0x0001 (the masked multiset hash), so every rewritable object carries
whole-object integrity, and permits a random nonce or a derived nonce
with an MRAE AEAD.  It supports rewrite, extend, and truncate, and
carries SEAL's snapshot machinery:  the accumulator, its mask, the
snapshot value, and SnapVerify.  Unauthorized truncation surfaces at two
points:  the terminal finality check of <xref target="full-decryption"/>, and
SnapVerify over the complete segment set, which also binds the segment
count.</t>
          <t>SEAL-RO-v1 is the immutable profile (read-only).  Here "immutable" names
the writer's write-once discipline, not a tamper-evidence guarantee.  It
selects a derived nonce and sets snap_id to 0x0000, so that no snapshot
authenticator runs, and it is write-once:  an encryptor <bcp14>MUST NOT</bcp14> rewrite
a segment once it has been written.  The rule is load-bearing:  a
rewrite would repeat the segment's derived nonce, with the consequences
given in <xref target="nonce-misuse"/>.  Because each derived nonce is then used only
once, the profile works with any AEAD, including a non-MRAE one.  See
<xref target="nonce-generation"/>.</t>
          <t>SEAL-RO-v1 provides per-segment confidentiality and integrity, binding
the segment index and the finality bit, and key commitment through the
commitment field, but not snapshot or whole-object integrity.
Whole-object integrity, when needed, comes from the snapshot in the
mutable profile or a layer above SEAL.  Truncation detection rests on
the finality bit alone and surfaces only when the highest-indexed
present segment verifies under is_final = 1 (<xref target="full-decryption"/>), so a
consumer of streamed plaintext has no completeness guarantee before that
terminal check.</t>
          <table anchor="profile-table">
            <name>SEAL profiles</name>
            <thead>
              <tr>
                <th align="left">protocol_id</th>
                <th align="left">nonce_mode</th>
                <th align="left">snap_id</th>
                <th align="left">mutability</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">SEAL-RW-v1</td>
                <td align="left">random or derived</td>
                <td align="left">0x0001</td>
                <td align="left">rewrite/extend/truncate</td>
              </tr>
              <tr>
                <td align="left">SEAL-RO-v1</td>
                <td align="left">derived</td>
                <td align="left">0x0000</td>
                <td align="left">write-once</td>
              </tr>
            </tbody>
          </table>
          <t>An encryptor <bcp14>MUST</bcp14> set payload_info to a (nonce_mode, snap_id) tuple that
is valid for its protocol_id, and a decryptor <bcp14>MUST</bcp14> reject any object
whose tuple is not.  A derived nonce under SEAL-RW-v1 requires an MRAE
AEAD; SEAL-RO-v1 admits any AEAD because the write-once rule keeps each
derived nonce unique.</t>
          <section anchor="profile-applicability">
            <name>Choosing a Profile</name>
            <t>Pick the profile from how the stored content changes after it is first
written.</t>
            <t>SEAL-RW-v1 (mutable) fits content updated in place:  editable files,
mutable object stores, and append-or-truncate logs.  It carries snap_id
0x0001, so a reader detects tampering with the current segment set as
a whole: any added, dropped, reordered, or re-marked segment, a
same-index rollback, or a count change (<xref target="snapshot-integrity"/>).
Whole-object freshness beyond replay still comes from a layer above SEAL
(<xref target="snapshot-limitations"/>).  A derived nonce under this profile requires
an MRAE AEAD, while a random nonce works with any of the suites.</t>
            <t>SEAL-RO-v1 (immutable) fits write-once content: archives, backups,
content-addressed blobs, and write-once media.  It stores no per-segment
nonce and works with any AEAD, so it is the smaller and simpler choice
when content is never rewritten.  Whole-object integrity, if needed,
comes from a layer above SEAL.</t>
            <t><xref target="epoch-length-guidance"/> covers epoch_length selection, and
<xref target="concrete-algorithms"/> covers the per-AEAD trade-offs that further
narrow the suite.</t>
          </section>
        </section>
      </section>
      <section anchor="file-layouts">
        <name>Serialization Layouts</name>
        <t>This section describes three serialization layouts a consuming protocol
can use to store raAE output:  linear, aligned, and split.  The
parameterized SEAL construction mandates none of them.  Each named
instantiation binds one, and the consuming protocol pins the remaining
details (<xref target="named-instantiations"/>).  The commitment field in every
layout is commitment_length octets (<xref target="algorithm-sizes"/>); the figures
annotate it with its default, commitment_length = Nh.</t>
        <section anchor="linear-layout">
          <name>Linear Layout</name>
          <t>In a linear layout the salt, commitment, snapshot value, and segment
data appear in sequence.  The salt comes first because it is needed to
derive all payload schedule values.  The commitment follows so a reader
can reject a wrong key before reading any segment data.  The snapshot
value (Na octets), the configured authenticator's output,
precedes the segment data so a streaming reader has it before the
segments and can check it once all are read.  Segments then follow in
index order.</t>
          <t>When the object has at least one segment, that final segment carries
is_final = 1.  An empty object (n_seg = 0) has zero segments, so no
segment is final.</t>
          <figure anchor="fig-linear-layout">
            <name>Linear Layout</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="528" viewBox="0 0 528 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,112" fill="none" stroke="black"/>
                  <path d="M 64,32 L 64,112" fill="none" stroke="black"/>
                  <path d="M 168,32 L 168,112" fill="none" stroke="black"/>
                  <path d="M 296,32 L 296,112" fill="none" stroke="black"/>
                  <path d="M 384,32 L 384,112" fill="none" stroke="black"/>
                  <path d="M 432,32 L 432,112" fill="none" stroke="black"/>
                  <path d="M 520,32 L 520,112" fill="none" stroke="black"/>
                  <path d="M 8,32 L 520,32" fill="none" stroke="black"/>
                  <path d="M 8,112 L 520,112" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="36" y="52">salt</text>
                    <text x="116" y="52">commitment</text>
                    <text x="212" y="52">snapshot</text>
                    <text x="336" y="52">segment</text>
                    <text x="408" y="52">...</text>
                    <text x="472" y="52">segment</text>
                    <text x="36" y="68">(32)</text>
                    <text x="92" y="68">(Nh)</text>
                    <text x="228" y="68">(Na)</text>
                    <text x="320" y="68">0</text>
                    <text x="348" y="68">data</text>
                    <text x="472" y="68">n_seg-1</text>
                    <text x="336" y="84">[nonce]</text>
                    <text x="472" y="84">[nonce]</text>
                    <text x="316" y="100">ct</text>
                    <text x="336" y="100">+</text>
                    <text x="360" y="100">tag</text>
                    <text x="452" y="100">ct</text>
                    <text x="472" y="100">+</text>
                    <text x="496" y="100">tag</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+------+------------+---------------+----------+-----+----------+
| salt | commitment | snapshot      | segment  | ... | segment  |
| (32) | (Nh)       |     (Na)      |  0 data  |     | n_seg-1  |
|      |            |               | [nonce]  |     | [nonce]  |
|      |            |               | ct + tag |     | ct + tag |
+------+------------+---------------+----------+-----+----------+
]]></artwork>
            </artset>
          </figure>
          <t>Brackets mark the nonce, which precedes the ciphertext and tag for a
segment and is stored only in random nonce mode.  In derived nonce mode
(AES-256-GCM-SIV) the nonce is recomputed from the key schedule, so no
nonce is stored.</t>
          <t>A streaming reader recovers segment boundaries from the segment lengths.
Because a segment <bcp14>MAY</bcp14> be shorter than segment_max (<xref target="conventions"/>), a
linear layout that is to be read as a stream <bcp14>MUST</bcp14> keep every non-final
segment at the full segment_max, leaving only the final segment short.
A reader then finds each boundary at the fixed segment length.  A layout
that stores shorter interior segments <bcp14>MUST</bcp14> record their lengths so the
reader can locate each segment.</t>
          <t>Linear layout supports streaming writes.  A writer emits the salt,
commitment, and a placeholder for the snapshot value, then streams
segments.  After all segments are written the writer seeks back to the
snapshot position and writes the final value in place.</t>
        </section>
        <section anchor="aligned-layout">
          <name>Aligned Layout</name>
          <t>In an aligned layout the ciphertext segments occupy slots aligned to
segment_max, so a reader can seek to any segment with page-aligned I/O.
An arbitrary-length prefix, which the consuming protocol uses for its
own machinery and which raAE does not specify, comes first; the raAE
header follows; the ciphertext follows the header.</t>
          <figure anchor="fig-aligned-layout">
            <name>Aligned Layout</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="376" viewBox="0 0 376 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,288" fill="none" stroke="black"/>
                  <path d="M 312,48 L 312,56" fill="none" stroke="black"/>
                  <path d="M 368,32 L 368,288" fill="none" stroke="black"/>
                  <path d="M 8,32 L 368,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 368,80" fill="none" stroke="black"/>
                  <path d="M 8,128 L 368,128" fill="none" stroke="black"/>
                  <path d="M 8,190 L 368,190" fill="none" stroke="black"/>
                  <path d="M 8,194 L 368,194" fill="none" stroke="black"/>
                  <path d="M 8,224 L 368,224" fill="none" stroke="black"/>
                  <path d="M 8,256 L 368,256" fill="none" stroke="black"/>
                  <path d="M 8,288 L 368,288" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="44" y="52">prefix</text>
                    <text x="116" y="52">(consuming</text>
                    <text x="196" y="52">protocol</text>
                    <text x="272" y="52">machinery</text>
                    <text x="56" y="68">arbitrary</text>
                    <text x="128" y="68">length;</text>
                    <text x="176" y="68">not</text>
                    <text x="232" y="68">specified</text>
                    <text x="296" y="68">here)</text>
                    <text x="48" y="100">header:</text>
                    <text x="104" y="100">salt,</text>
                    <text x="176" y="100">commitment,</text>
                    <text x="264" y="100">snapshot,</text>
                    <text x="64" y="116">per-segment</text>
                    <text x="148" y="116">metadata</text>
                    <text x="216" y="116">(broken</text>
                    <text x="264" y="116">out</text>
                    <text x="308" y="116">below)</text>
                    <text x="48" y="148">leading</text>
                    <text x="104" y="148">slot:</text>
                    <text x="156" y="148">either</text>
                    <text x="200" y="148">the</text>
                    <text x="240" y="148">first</text>
                    <text x="308" y="148">ciphertext</text>
                    <text x="48" y="164">segment</text>
                    <text x="92" y="164">(&lt;</text>
                    <text x="120" y="164">B),</text>
                    <text x="148" y="164">or</text>
                    <text x="180" y="164">zero</text>
                    <text x="232" y="164">padding</text>
                    <text x="276" y="164">to</text>
                    <text x="296" y="164">a</text>
                    <text x="52" y="180">multiple</text>
                    <text x="100" y="180">of</text>
                    <text x="120" y="180">B</text>
                    <text x="60" y="212">ciphertext</text>
                    <text x="136" y="212">segment</text>
                    <text x="268" y="212">(=</text>
                    <text x="292" y="212">B)</text>
                    <text x="32" y="244">...</text>
                    <text x="40" y="276">final</text>
                    <text x="108" y="276">ciphertext</text>
                    <text x="184" y="276">segment</text>
                    <text x="272" y="276">(&lt;=</text>
                    <text x="300" y="276">B)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+--------------------------------------------+
| prefix (consuming protocol machinery,      |
| arbitrary length; not specified here)      |
+--------------------------------------------+
| header: salt, commitment, snapshot,        |
| per-segment metadata (broken out below)    |
+--------------------------------------------+
| leading slot: either the first ciphertext  |
| segment (< B), or zero padding to a        |
| multiple of B                              |
+============================================+
| ciphertext segment            (= B)        |
+--------------------------------------------+
| ...                                        |
+--------------------------------------------+
| final ciphertext segment      (<= B)       |
+--------------------------------------------+
]]></artwork>
            </artset>
          </figure>
          <t>Offsets are measured from index 0, the start of the prefix.  Let B =
segment_max and let H be the offset at which the ciphertext begins (the
prefix length plus the header length).  The leading slot, from H up to
the first segment boundary M * B, is filled in one of two ways, chosen
before writing:</t>
          <ul spacing="normal">
            <li>
              <t>No padding: the first ciphertext segment occupies the slot, with
M = ceil(H / B).  It is shorter than B and ends on the boundary M * B.</t>
            </li>
            <li>
              <t>Padding: the slot is zero-padded to a multiple of B, with
M &gt;= ceil(H / B) (the next boundary, or a larger multiple to reserve
whole segment slots for append headroom).</t>
            </li>
          </ul>
          <t>From M * B onward every ciphertext segment begins at a multiple of B and
is a full B octets, with the final segment at most B.  H, M, and the
first-segment length all follow from the prefix and header sizes, so a
writer computes them before emitting any ciphertext.</t>
          <t>The header holds the salt, the commitment, the snapshot value, and one
metadata entry per segment:</t>
          <figure anchor="fig-aligned-header">
            <name>Aligned Layout Header</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="96" width="488" viewBox="0 0 488 96" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 64,32 L 64,80" fill="none" stroke="black"/>
                  <path d="M 168,32 L 168,80" fill="none" stroke="black"/>
                  <path d="M 296,32 L 296,80" fill="none" stroke="black"/>
                  <path d="M 480,32 L 480,80" fill="none" stroke="black"/>
                  <path d="M 8,32 L 480,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 480,80" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="36" y="52">salt</text>
                    <text x="116" y="52">commitment</text>
                    <text x="212" y="52">snapshot</text>
                    <text x="352" y="52">per-segment</text>
                    <text x="436" y="52">metadata</text>
                    <text x="36" y="68">(32)</text>
                    <text x="116" y="68">(Nh)</text>
                    <text x="228" y="68">(Na)</text>
                    <text x="332" y="68">(n_seg</text>
                    <text x="368" y="68">*</text>
                    <text x="416" y="68">meta_len)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+------+------------+---------------+----------------------+
| salt | commitment | snapshot      | per-segment metadata |
| (32) |    (Nh)    |     (Na)      | (n_seg * meta_len)   |
+------+------------+---------------+----------------------+
]]></artwork>
            </artset>
          </figure>
          <t>Each metadata entry holds the segment's stored nonce and its AEAD tag:</t>
          <figure anchor="fig-meta-entry">
            <name>Metadata Entry</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="96" width="216" viewBox="0 0 216 96" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 112,32 L 112,80" fill="none" stroke="black"/>
                  <path d="M 208,32 L 208,80" fill="none" stroke="black"/>
                  <path d="M 8,32 L 208,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 208,80" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="60" y="52">[nonce(i)]</text>
                    <text x="164" y="52">tag(i)</text>
                    <text x="60" y="68">(Nn)</text>
                    <text x="136" y="68">(Nt</text>
                    <text x="160" y="68">=</text>
                    <text x="184" y="68">16)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+------------+-----------+
| [nonce(i)] |   tag(i)  |
|    (Nn)    | (Nt = 16) |
+------------+-----------+
]]></artwork>
            </artset>
          </figure>
          <t>The bracketed nonce is present only in random nonce mode.  The tag is
always present, Nt = 16 octets in every SEAL suite (<xref target="aead-table"/>).
Each metadata entry holds the Np-octet presented nonce and the Nt-octet
tag, so meta_len = Np + Nt octets.  A random-nonce entry sets Np = Nn
and is Nn + Nt octets.  A derived-nonce entry recomputes the nonce from
the key schedule, so Np = 0 and the entry is Nt octets.  The per-suite
values are:</t>
          <table anchor="meta-len-table">
            <name>Metadata entry size by AEAD</name>
            <thead>
              <tr>
                <th align="left">AEAD</th>
                <th align="left">nonce mode</th>
                <th align="left">meta_len</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305</td>
                <td align="left">random (Nn = 12)</td>
                <td align="left">28</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256, AEGIS-256X2</td>
                <td align="left">random (Nn = 32)</td>
                <td align="left">48</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV</td>
                <td align="left">derived</td>
                <td align="left">16</td>
              </tr>
            </tbody>
          </table>
          <t>The n_seg entries total n_seg * meta_len octets, so the whole header is
32 + commitment_length + Na + n_seg * meta_len octets.  With the default
commitment_length = Nh and the masked multiset hash's Na = 2 * Nh, the
header is 32 + 3 * Nh + n_seg * meta_len octets.</t>
          <t>A reader verifies the commitment and the snapshot value from the header
alone, then seeks to any segment using these offsets.  Because the
snapshot is computed from the per-segment tags alone (the snapshot
authenticator takes the segment tag, not the ciphertext), and
the header holds every tag in its metadata entries, a reader
authenticates the whole object's snapshot from the header without
reading or streaming any ciphertext.  This supports efficient
random-access reads.</t>
        </section>
        <section anchor="split-layout">
          <name>Split Layout</name>
          <t>A split layout separates the ciphertext from the metadata into two
streams that grow independently.  The data stream holds the ciphertext
segments, each a full segment_max except the last.  Segment i is at
offset i * B.  The metadata stream holds the salt, the commitment, the
n_seg per-segment metadata entries (each meta_len octets, broken out in
<xref target="fig-meta-entry"/>), and the snapshot value last.  Because the snapshot
is computed from the per-segment tags alone (<xref target="masked-multiset-hash"/>)
and every tag lives in the metadata stream, a reader authenticates the
snapshot by reading only the metadata stream, never the data stream that
holds the ciphertext.</t>
          <figure anchor="fig-split-layout">
            <name>Split Layout</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="560" viewBox="0 0 560 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,64 L 8,192" fill="none" stroke="black"/>
                  <path d="M 8,256 L 8,304" fill="none" stroke="black"/>
                  <path d="M 64,256 L 64,304" fill="none" stroke="black"/>
                  <path d="M 168,256 L 168,304" fill="none" stroke="black"/>
                  <path d="M 176,64 L 176,192" fill="none" stroke="black"/>
                  <path d="M 272,256 L 272,304" fill="none" stroke="black"/>
                  <path d="M 320,256 L 320,304" fill="none" stroke="black"/>
                  <path d="M 424,256 L 424,304" fill="none" stroke="black"/>
                  <path d="M 552,256 L 552,304" fill="none" stroke="black"/>
                  <path d="M 8,64 L 176,64" fill="none" stroke="black"/>
                  <path d="M 8,96 L 176,96" fill="none" stroke="black"/>
                  <path d="M 8,128 L 176,128" fill="none" stroke="black"/>
                  <path d="M 8,160 L 176,160" fill="none" stroke="black"/>
                  <path d="M 8,192 L 176,192" fill="none" stroke="black"/>
                  <path d="M 8,256 L 552,256" fill="none" stroke="black"/>
                  <path d="M 8,304 L 552,304" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="20" y="36">data</text>
                    <text x="72" y="36">stream:</text>
                    <text x="32" y="84">seg</text>
                    <text x="56" y="84">0</text>
                    <text x="76" y="84">ct</text>
                    <text x="124" y="84">(=</text>
                    <text x="148" y="84">B)</text>
                    <text x="32" y="116">seg</text>
                    <text x="56" y="116">1</text>
                    <text x="76" y="116">ct</text>
                    <text x="124" y="116">(=</text>
                    <text x="148" y="116">B)</text>
                    <text x="32" y="148">...</text>
                    <text x="32" y="180">seg</text>
                    <text x="80" y="180">n_seg-1</text>
                    <text x="128" y="180">(&lt;=</text>
                    <text x="156" y="180">B)</text>
                    <text x="36" y="228">metadata</text>
                    <text x="104" y="228">stream:</text>
                    <text x="36" y="276">salt</text>
                    <text x="116" y="276">commitment</text>
                    <text x="220" y="276">meta_0</text>
                    <text x="296" y="276">...</text>
                    <text x="368" y="276">meta_last</text>
                    <text x="468" y="276">snapshot</text>
                    <text x="36" y="292">(32)</text>
                    <text x="116" y="292">(Nh)</text>
                    <text x="220" y="292">(meta_len)</text>
                    <text x="372" y="292">(meta_len)</text>
                    <text x="484" y="292">(Na)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
data stream:

+--------------------+
| seg 0 ct    (= B)  |
+--------------------+
| seg 1 ct    (= B)  |
+--------------------+
| ...                |
+--------------------+
| seg n_seg-1 (<= B) |
+--------------------+

metadata stream:

+------+------------+------------+-----+------------+---------------+
| salt | commitment |   meta_0   | ... | meta_last  | snapshot      |
| (32) |    (Nh)    | (meta_len) |     | (meta_len) |     (Na)      |
+------+------------+------------+-----+------------+---------------+
]]></artwork>
            </artset>
          </figure>
          <t>Because neither stream embeds the other, both grow by appending.
Extending a message appends one ciphertext segment to the data stream,
appends one metadata entry to the metadata stream, and rewrites the
trailing snapshot value.  Truncating drops the tail of each stream and
rewrites the snapshot value.  Neither operation shifts an existing
ciphertext segment, which the in-place aligned layout cannot avoid once
the header grows.</t>
        </section>
        <section anchor="read-only-layouts">
          <name>Immutable-Profile Layouts</name>
          <t>Under an immutable profile (SEAL-RO-v1:  snap_id = 0x0000 with a derived
nonce), two fields drop out of the layouts above.  No snapshot
authenticator runs, so there is no snapshot value, and each nonce is
recomputed from the key schedule, so Np = 0 and no nonce is stored.  A
metadata entry is then the Nt-octet tag alone.  The linear layout
reduces to the salt, the commitment, and the per-segment ciphertext and
tags.  The aligned and split headers reduce to 32 + commitment_length +
Nt * n_seg octets, the salt and commitment followed by one tag per
segment.  In the aligned layout every ciphertext segment begins at a
multiple of segment_max, so a reader seeks to any segment by arithmetic
on its index and verifies it from its own tag, with no shared snapshot
to read or maintain.</t>
        </section>
      </section>
      <section anchor="named-instantiations">
        <name>SEAL Named Instantiations</name>
        <t>SEAL has many parameters (<xref target="components"/>).  A relying protocol that does
not want to choose them all can cite one of the named instantiations
in the table below.  Each row fixes a profile, a segment size, the nonce
mode, a snapshot authenticator, and one of the serialization layouts of
<xref target="file-layouts"/>, leaving the cipher suite (an aead_id and a kdf_id from
<xref target="concrete"/>) to the referencing protocol.  Each instantiation applies
to a cipher suite the same way, so a protocol writes
SEAL-simple(aead_id, kdf_id), SEAL-disk(aead_id, kdf_id), and so on,
to obtain a complete raAE scheme.</t>
        <table anchor="named-instantiation-table">
          <name>SEAL named instantiations</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Profile</th>
              <th align="left">segment_max</th>
              <th align="left">nonce_mode</th>
              <th align="left">epoch</th>
              <th align="left">layout</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">SEAL-attachment</td>
              <td align="left">SEAL-RO-v1</td>
              <td align="left">65536</td>
              <td align="left">derived</td>
              <td align="left">32</td>
              <td align="left">linear</td>
            </tr>
            <tr>
              <td align="left">SEAL-simple</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">65536</td>
              <td align="left">random</td>
              <td align="left">16</td>
              <td align="left">linear</td>
            </tr>
            <tr>
              <td align="left">SEAL-memory</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">16384</td>
              <td align="left">random</td>
              <td align="left">16</td>
              <td align="left">aligned</td>
            </tr>
            <tr>
              <td align="left">SEAL-disk</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">16384</td>
              <td align="left">random</td>
              <td align="left">16</td>
              <td align="left">split</td>
            </tr>
            <tr>
              <td align="left">SEAL-compact</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">16384</td>
              <td align="left">derived</td>
              <td align="left">16</td>
              <td align="left">aligned</td>
            </tr>
          </tbody>
        </table>
        <t>Each instantiation is named for its primary use case, described below.
The snapshot authenticator follows the profile: SEAL-RO-v1 sets snap_id
0x0000 and SEAL-RW-v1 sets snap_id 0x0001 (<xref target="profiles"/>).</t>
        <t>Every instantiation uses commitment_length = Nh and a fresh 32-octet
salt per object (<xref target="full-encryption"/>).  The epoch_length is the value
in the table.  The write-once SEAL-attachment performs no rewrites, so
it takes a larger epoch (32), while the four mutable schemes take a
conservative 16 that leaves the per-epoch-key budget headroom for
rewrites, which reuse the epoch key (<xref target="aead-usage-limits"/>).  A
256-bit-nonce suite (AEGIS-256, AEGIS-256X2) uses a flat key
(epoch_length 63) regardless of the row (<xref target="aead-table"/>), and a
referencing protocol <bcp14>MAY</bcp14> override the epoch.  Each instantiation binds
the layout named in its row (<xref target="file-layouts"/>).  The layout fixes field
order and placement, and the consuming protocol pins the remaining
serialization details, such as the aligned layout's prefix and leading
slot, for byte-level interoperability.  SEAL-compact is mutable with a
derived nonce, so an in-place rewrite reuses that nonce, which requires
an MRAE AEAD (<xref target="profiles"/>).  The write-once SEAL-attachment and the
random-nonce SEAL-simple, SEAL-memory, and SEAL-disk admit any AEAD.</t>
        <t>SEAL-attachment is for write-once content read whole.  It carries no
snapshot authenticator, because under the immutable profile per-segment
authentication and the finality bit detect truncation, reordering, and
tampering on a whole-object read, and write-once leaves no earlier
version to roll a segment back to (<xref target="snapshot-limitations"/>).  Its
linear layout takes the reduced immutable form (<xref target="read-only-layouts"/>).</t>
        <t>SEAL-simple is the basic mutable object with whole-object integrity from
the masked multiset hash (<xref target="masked-multiset-hash"/>), stored in the
linear layout (<xref target="linear-layout"/>).  SEAL-memory targets in-memory random
access with the aligned layout (<xref target="aligned-layout"/>).  SEAL-disk rewrites
individual segments on stored media, with the split layout
(<xref target="split-layout"/>) holding the headers apart from the segment data so a
rewrite touches one segment and extension appends to both streams.</t>
        <t>SEAL-compact is the aligned layout with a derived nonce.  Like
SEAL-memory it stores each segment at a fixed offset for random access,
but the derived nonce is recomputed rather than stored, so each
per-segment metadata entry is Nt octets instead of Nn + Nt
(<xref target="aligned-layout"/>).  Because that region scales with the object,
removing the stored nonce saves Nn octets per segment, a substantial
part of the metadata for the large random-access objects the aligned
layout targets.  It reuses the derived nonce on an in-place rewrite, so
it requires an MRAE AEAD and the rewrite is deterministic.</t>
      </section>
    </section>
    <section anchor="security-properties">
      <name>Security Analysis</name>
      <t>This section states the construction's target security properties, the
assumptions its components must satisfy, and the operational limits on
its use, but does not reproduce the formal proofs.  The division of
labor is deliberate.  The ra-ROR and ra-CMT notions are taken unchanged
from <xref target="FLRR25"/>, whose proofs apply to SEAL's realization of the base
interface.  Snapshot integrity is the one notion this document defines.
<xref target="appendix-snapshot"/> argues its bound, and integrating that argument
into a combined proof is deferred to <xref target="SEALPROOFS"/>, the companion
formal write-up, in preparation, that this document cites for every
deferred proof.  The limits of <xref target="aead-usage-limits"/> are operational
deployment bounds, not proof obligations.  The security notions are
defined in <xref target="raae-security"/>.</t>
      <section anchor="operational-summary">
        <name>Operational Summary</name>
        <t>The construction provides the following properties against an adversary
that observes ciphertexts, tampers with stored segments or their order,
and attempts decryption with chosen keys, but does not know the CEK or
per-content salt:</t>
        <dl>
          <dt>Confidentiality:</dt>
          <dd>
            <t>The construction targets ra-ROR (<xref target="ra-ror"/>): the adversary learns
nothing about the plaintext beyond what the underlying AEAD already
permits.  The adversary observes the message's segment count and the
per-segment lengths from the wire format.  Segment boundary metadata
is not confidential.</t>
          </dd>
          <dt>Integrity:</dt>
          <dd>
            <t>A reader that runs snapshot verification, including its index-set
check over the correct segment count n_seg (<xref target="snapshot-interface"/>),
detects any added, dropped, reordered, or re-marked segment, including
same-index rollback to an older valid segment.  Per-segment AEAD
verification alone detects modification of individual segments and
relocation of a segment to a different index, but reverting a segment
to a previous version at the same index is not detected.  Snapshot
verification realizes the snapshot integrity notion of
<xref target="snapshot-integrity"/>.  Replacement of the entire message with a
previous valid version under the same CEK is not detected, even when
performing snapshot verification.  Rollback resistance at the message
level is the application's responsibility (<xref target="snapshot-limitations"/>).</t>
          </dd>
          <dt>Context commitment:</dt>
          <dd>
            <t>A reader that verifies the commitment (<xref target="framework-commitment"/>)
rejects a wrong CEK, parameter context, or global associated data
before decrypting any segment, per the ra-CMT notion (<xref target="ra-cmt"/>).
Commitment to segment positions is out of scope.  See
<xref target="key-commitment"/> for that gap and its non-normative mitigations.</t>
          </dd>
          <dt>Rewrite safety:</dt>
          <dd>
            <t>An individual segment can be rewritten in place under the same CEK
without re-derivation of other keys, provided the per-key AEAD usage
budget (<xref target="aead-usage-limits"/>) is not exceeded.  A rewrite reuses the
segment's derived nonce, so in derived nonce mode it <bcp14>MUST</bcp14> use an MRAE
AEAD (<xref target="derived-nonces"/>).  Rewrite safety is otherwise a corollary of
ra-ROR and snapshot integrity (<xref target="raae-relations"/>).</t>
          </dd>
          <dt>Out of scope:</dt>
          <dd>
            <t>Atomicity of writes (the application <bcp14>MUST</bcp14> use write-ahead logging or
copy-on-write); confidentiality of segment count or layout;
traffic-analysis resistance; side channels in the application's
storage layer; protection of the CEK before encryption or after
decryption.</t>
          </dd>
        </dl>
      </section>
      <section anchor="raae-security">
        <name>Security Notions</name>
        <t>raAE has two security tiers.  The base tier comprises the two notions
inherited from <xref target="FLRR25"/>, ra-ROR and ra-CMT, summarized here.  The
extension tier adds one notion, snapshot integrity, defined by this
document.  A construction <bcp14>MAY</bcp14> provide the base tier only.  Advantage
definitions and proofs for ra-ROR and ra-CMT are in <xref target="FLRR25"/>.</t>
        <section anchor="ra-ror">
          <name>ra-ROR</name>
          <t>ra-ROR (random-access real-or-random) is the joint confidentiality and
authenticity notion for raAE in a multi-user, nonce-respecting setting.
An adversary with adaptive encryption and decryption access across many
key instances, sessions, and arbitrary positions cannot distinguish real
ciphertexts and headers from random, and cannot make an out-of-context
ciphertext segment decrypt.  The game is defined in <xref target="FLRR25"/>.</t>
          <t>The encryption core of the extension operations is ordinary EncSeg.
A RewriteSeg produces its replacement ciphertext as a repeated
EncSeg at the same position, and appending is EncSeg at fresh
positions plus one RewriteSeg of the old final segment.</t>
          <t>In random nonce mode these draw fresh nonces and stay within the
nonce-respecting ra-ROR game.  In derived nonce mode a rewrite
reuses the position's derived nonce.  This is a deliberate
nonce-repeating query.  The underlying MRAE AEAD handles it under
the equality-leakage relaxation that derived nonce mode documents
(<xref target="appendix-nonce-modes"/>), not the unmodified nonce-respecting
game.</t>
          <t>These operations also maintain a snapshot value.  That value is
outside the <xref target="FLRR25"/> syntax.  It is governed not by ra-ROR but by
the snapshot integrity notion of <xref target="snapshot-integrity"/>.</t>
        </section>
        <section anchor="ra-cmt">
          <name>ra-CMT</name>
          <t>ra-CMT (random-access context commitment) is the segment-level
commitment notion:  no single ciphertext segment decrypts successfully
under two different decryption contexts (key, nonce, global associated
data, and per-segment associated data).  In the position-respecting
variant ra-CMT the two contexts share a position.  The ra-CMT-p variant
lets the adversary choose the positions freely.  Because the scheme is
random access, committing one segment's context commits the full
ciphertext's context.  Both game variants are defined in <xref target="FLRR25"/>.</t>
          <t>ra-CMT is distinct from the per-AEAD notions CMT-1 and CMT-4 of
<xref target="RFC9771"/>: a scheme can achieve ra-CMT through an external commitment
mechanism even when its underlying AEAD commits to nothing.  The
Invisible Salamanders attacks (<xref target="DGRW18"/>) show what a non-committing
AEAD permits, and <xref target="ADG22"/> frames it as a key-commitment failure with
fixes.</t>
        </section>
        <section anchor="snapshot-integrity">
          <name>Snapshot Authentication</name>
          <t>Per-segment AEAD authenticates a segment at its position, but it does
not authenticate the current object snapshot: which set of segments
belongs to the current stored object state.  An adversary with write
access to stored segments can silently substitute an old valid
same-index segment or delete a segment, and per-segment AEAD
verification at each presented segment still passes.  (A segment moved
to a different index fails its AEAD check through the index binding of
<xref target="concrete-segment-aad"/>.)</t>
          <t>Snapshot authentication covers that set.  The resulting notion, snapshot
integrity, is the one this document adds.  The construction that
realizes it is in <xref target="snapshot-authenticator"/>, its bound is in
<xref target="snapshot-security"/>, and the supporting reduction is in
<xref target="appendix-snapshot"/>.  A combined formal treatment with the ra-ROR
framework is in preparation (<xref target="SEALPROOFS"/>).</t>
          <t>A construction <bcp14>MAY</bcp14> omit snapshot integrity, providing only the
per-segment guarantees and ra-CMT.  SEAL provides it under a snapshot
authenticator (snap_id != 0x0000) and omits it otherwise (<xref target="profiles"/>).</t>
        </section>
      </section>
      <section anchor="raae-relations">
        <name>Relations to Other Notions</name>
        <dl>
          <dt>AEAD (<xref target="RFC5116"/>):</dt>
          <dd>
            <t>raAE generalizes AEAD to multi-segment content with arbitrary-order
encryption.  A single-segment raAE is an AEAD.</t>
          </dd>
          <dt>nOAE2 (<xref target="Tink"/>):</dt>
          <dd>
            <t>nOAE2 is the nonce-based online authenticated encryption notion for
schemes that encrypt in order and support random-access decryption.
Hoang and Shen introduced nOAE2 in their analysis of Tink Streaming
AEAD (<xref target="Tink"/>), where they also show STREAM satisfies it.  ra-ROR is
strictly stronger:  every ra-ROR-secure scheme is nOAE2-secure when
used in order, but nOAE2-secure schemes can fail when encryption order
is arbitrary (<xref target="FLRR25"/>).</t>
          </dd>
          <dt>Commitment (<xref target="RFC9771"/>):</dt>
          <dd>
            <t>CMT-1 and CMT-4 (<xref target="RFC9771"/>) are per-AEAD commitment notions.
ra-CMT is the corresponding notion for segmented random-access
schemes.  See <xref target="ra-cmt"/>.</t>
          </dd>
        </dl>
        <t>Rewrite safety and extension safety are corollaries of the notions
above, not additional notions.  Replacing a segment in place is an
EncSeg at an already-used position together with a snapshot update.  In
random nonce mode it adds no adversary capability beyond ra-ROR
(<xref target="ra-ror"/>) and snapshot integrity (<xref target="snapshot-integrity"/>).  In
derived nonce mode the rewrite repeats the segment nonce, so it <bcp14>MUST</bcp14> use
an MRAE AEAD (<xref target="derived-nonces"/>), and it adds the equality-leakage
relaxation that derived nonce mode already documents
(<xref target="appendix-nonce-modes"/>).  Each rewrite also counts against the
per-key AEAD usage budget (<xref target="aead-usage-limits"/>).</t>
        <t>Appending and truncating likewise add no algorithm (<xref target="extend"/>) and no
notion.  An adversary's ability to add, drop, reorder, or re-mark a
terminal segment is exactly the snapshot integrity adversary of
<xref target="snapshot-integrity"/>, and detection follows from the index and
finality binding of <xref target="concrete-segment-aad"/> together with snapshot
verification.  Rollback of the whole object to an earlier honest (state,
snapshot) after truncation is the freshness case that snapshot integrity
excludes (<xref target="snapshot-limitations"/>).  The application supplies it.</t>
      </section>
      <section anchor="adversary-model">
        <name>Adversary Model and Assumptions</name>
        <t>The adversary model is that of the ra-ROR game (<xref target="ra-ror"/>, <xref target="FLRR25"/>).
In the construction's terms: the adversary can observe all ciphertexts
and content metadata, tamper with individual segments or their ordering,
replace the snapshot value, and attempt decryption with chosen keys.
The adversary does not know the CEK, any derived key, or the per-content
salt.  Every bound in this section assumes the CEK is secret and
uniform: an application <bcp14>MUST</bcp14> supply a CEK that is either generated
uniformly at random or derived so that it is computationally
indistinguishable from uniform, such as the output of a KDF keyed by a
secret.  When multiple messages share a CEK, the per-content salt
separates payload schedule outputs across messages under the PRF
assumption.  The multi-message advantage grows linearly in the number of
messages.  The construction claims the properties below against this
adversary.</t>
        <t>The persistent state of an raAE object, and the party that owns each
item, is:</t>
        <dl>
          <dt>CEK:</dt>
          <dd>
            <t>Secret key-management state.  It is the root secret for the object.</t>
          </dd>
          <dt>salt:</dt>
          <dd>
            <t>Stored object metadata.  It separates objects under one CEK.</t>
          </dd>
          <dt>parameter set:</dt>
          <dd>
            <t>Profile or object metadata.  It fixes suite, maximum segment size,
and epoch policy.</t>
          </dd>
          <dt>commitment:</dt>
          <dd>
            <t>Stored object metadata.  It rejects wrong key or parameter context
before decryption.</t>
          </dd>
          <dt>segment metadata:</dt>
          <dd>
            <t>Storage-format state.  It holds AEAD tags and, in random nonce mode,
per-segment nonces.</t>
          </dd>
          <dt>snapshot:</dt>
          <dd>
            <t>Stored object metadata.  It authenticates the segment tag set and
segment count.</t>
          </dd>
          <dt>external freshness state:</dt>
          <dd>
            <t>Consuming-protocol state.  It detects whole-object rollback.</t>
          </dd>
        </dl>
        <t>The security argument relies on three distinct assumptions about the
KDF.  For derivations whose input keying material is secret and
uniformly random, including payload_key, snap_key, nonce_base,
epoch_key, and the snapshot authenticator's keyed derivations, the KDF
is assumed to be a multi-user PRF with domain separation by protocol_id
and label.</t>
        <t>For commitment, the function</t>
        <artwork><![CDATA[
Commit(CEK, payload_info, G, L) =
    KDF(protocol_id, "commit", [CEK], [...payload_info, G], L)
]]></artwork>
        <t>is additionally assumed to be collision resistant over adversarially
chosen tuples (CEK, payload_info, G), with G empty by default.  PRF
security alone is not sufficient for this property, because the
commitment adversary may choose the CEK and context values.</t>
        <t>For the plaintext-bound nonce construction, the plaintext digest step
targets collision resistance, not PRF security.</t>
        <t>For the HKDF cipher suites (HKDF-SHA-256, HKDF-SHA-384, and
HKDF-SHA-512), the PRF assumptions are placed on HKDF keyed by the CEK
or payload_key, and the collision-resistance assumption on the commit
derivation reduces to the collision resistance of the underlying SHA-2
variant (SHA-256, SHA-384, or SHA-512).  Because every SEAL KDF output
is at most Nh octets, HKDF-Expand makes a single HMAC call per
derivation.  The extractor-then-PRF analysis of HKDF is in <xref target="RFC5869"/>.</t>
        <t>For TurboSHAKE-256 (the one-step XOF cipher suite defined in
<xref target="I-D.ietf-hpke-pq"/>), the same PRF and collision-resistance assumptions
are placed on the XOF as instantiated by that HPKE KDF registry entry,
which fixes the primitive and its parameters but carries no security
assumptions of its own.</t>
      </section>
      <section anchor="framing">
        <name>raAE Construction Requirements</name>
        <t>The bounds below rely on properties of the construction's components,
namely the KDF framing and the snapshot authenticator.  The requirements
those components <bcp14>MUST</bcp14> satisfy are obligations on the raAE construction,
not part of the raAE primitive of <xref target="raae"/>.</t>
        <t>A profile selects the concrete framing for every derivation surface: the
KDF input assembly (<xref target="key-derivation"/>), the payload_info construction
(<xref target="components"/>), the segment AAD (<xref target="concrete-segment-aad"/>), and the
snapshot authenticator's keyed inputs (<xref target="snapshot-authenticator"/>).  The
requirements below are the contract that any such framing <bcp14>MUST</bcp14> meet.
SEAL is one such framing (<xref target="concrete-framing"/>, <xref target="seal-encodings"/>).</t>
        <t>The per-component requirements any raAE construction must satisfy are
as follows.</t>
        <dl>
          <dt>Pseudorandomness:</dt>
          <dd>
            <t>KDF outputs <bcp14>MUST</bcp14> be computationally indistinguishable from random to
an adversary that does not know the ikm, assuming the underlying
hash or PRF is a secure pseudorandom function.</t>
          </dd>
          <dt>Injectivity:</dt>
          <dd>
            <t>The construction <bcp14>MUST</bcp14> define the encoding of the tuple (protocol_id,
label, ikm, info, L) into the underlying primitive input, and that
encoding <bcp14>MUST</bcp14> be injective: distinct tuples <bcp14>MUST</bcp14> map to distinct
primitive inputs.  This is a requirement on the encoding, not on the
KDF.  The KDF need not itself be injective, because injectivity is
supplied by the encoding placed in front of it.  ikm and info <bcp14>MUST</bcp14> be
unambiguously separable in the encoded input, whatever the number of
elements each contains.
The two-step form binds ikm and info in its separate Extract and
Expand inputs.  The one-step form frames ikm and info each as a single
encode element.  Where the encoding admits inputs too large to encode
literally, it <bcp14>MAY</bcp14> substitute a fixed-length digest of the over-large
field.  The encoding is then injective only up to the collision
resistance of that digest, which the construction <bcp14>MUST</bcp14> justify and
domain-separate from the literal encoding (<xref target="concrete-framing"/>).</t>
          </dd>
          <dt>Label uniqueness:</dt>
          <dd>
            <t>Each derivation role, including commitment, payload key, snapshot
authenticator key, nonce base, epoch key, segment nonce, hedged key,
and the authenticator's internal roles, <bcp14>MUST</bcp14> use a distinct label
string within each protocol version.</t>
          </dd>
          <dt>Protocol binding:</dt>
          <dd>
            <t>The protocol_id <bcp14>MUST</bcp14> appear as a distinct component of the KDF
primitive input.  Different application protocols using the same
AEAD and KDF <bcp14>MUST</bcp14> use different protocol_id values to ensure that
derived values from one protocol cannot be confused with those from
another.</t>
          </dd>
          <dt>Output length commitment:</dt>
          <dd>
            <t>The requested output length L <bcp14>MUST</bcp14> be part of the KDF primitive
input.  This prevents attacks in which an adversary attempts to use
a truncated version of a longer derived output as a valid shorter
one.</t>
          </dd>
          <dt>Cross-role isolation:</dt>
          <dd>
            <t>A KDF output for one derivation role, such as payload_key, <bcp14>MUST</bcp14> be
computationally independent of the output for any other role, such
as snap_key, even when derived from the same CEK and payload_info.
This property follows from label uniqueness and PRF security of the
underlying primitive.</t>
          </dd>
          <dt>Snapshot authenticator:</dt>
          <dd>
            <t>The construction <bcp14>MUST</bcp14> bind the current set of segment tags and
the segment count into a public snapshot value that an adversary
without the authenticator's secret key cannot forge for a modified
set of tags or count, even after observing snapshot values and their
deltas across rewrites.  How the value is computed, and whether a
single-segment change updates it in place or rebuilds it, is the
authenticator's choice.  SEAL's snapshot authenticators are in
<xref target="snapshot-authenticator"/>.</t>
          </dd>
        </dl>
        <t>SEAL's construction (<xref target="framework"/>) satisfies these requirements.  Its
KDF (<xref target="concrete-framing"/>), any of the cipher suites in <xref target="kdf-table"/>
keyed by the CEK, is modeled as a pseudorandom function.  Its encode
framing (<xref target="concrete-framing"/>) is injective and places protocol_id and
the output length L in the primitive input, so injectivity, protocol
binding, and output-length commitment hold.  SEAL's labels
(<xref target="label-table"/>, the masked multiset hash's labels in
<xref target="masked-multiset-hash"/>, the plaintext-bound construction's labels in
<xref target="appendix-pt-bound"/>, and the hedged-randomness label in
<xref target="hedged-randomness"/>) are distinct, giving label uniqueness and, with
PRF security, cross-role isolation.  SEAL's masked multiset hash
(<xref target="snapshot-authenticator"/>) satisfies the snapshot authenticator
requirement, with its forgery argument in <xref target="snapshot-security"/>.</t>
        <t>encode is injective.  Among fields of at most 0xFFFE octets each frame
entry is self-delimiting, so the concatenation parses uniquely
regardless of the number of arguments, and distinct input tuples produce
distinct output strings.  For over-large fields the encoding is
injective only up to the collision resistance of LH, not
unconditionally: a literal entry carries a length prefix in the range
0x0000 through 0xFFFE while a digest entry carries the reserved prefix
0xFFFF, so a literal entry and a digest entry never collide, and a
collision between two digest entries reduces to a collision in LH.  A
0xFFFF entry is bind-only: it commits to the field but does not carry
it, so a protocol that must recover a field from the encoding <bcp14>MUST</bcp14> keep
that field at most 0xFFFE octets.  No SEAL input approaches 0xFFFE
octets, so for SEAL frame is byte-identical to a plain 2-octet length
prefix and LH is never invoked.</t>
        <t>The "raAE-LP-v1" prefix (the HKDF-Extract salt in the two-step class, a
fixed input prefix in the one-step class) is distinct from every
protocol_id and label, so LH inputs are domain-separated from encode
inputs.  LH is a shared collision-resistant digest rather than a
per-protocol separator: the same over-large field yields the same LH
value in every protocol that reuses this combiner.  Cross-protocol
separation comes from protocol_id in the KDF inputs and from aad_label
in the segment AAD, not from LH.</t>
        <t>A concrete SEAL suite specifies the following.</t>
        <dl>
          <dt>AEAD:</dt>
          <dd>
            <t>One of the algorithms from <xref target="concrete-algorithms"/>, with associated
Nk, Nn, and Nt values.</t>
          </dd>
          <dt>KDF:</dt>
          <dd>
            <t>One of the KDF cipher suites from <xref target="kdf-table"/>.</t>
          </dd>
          <dt>nonce_mode:</dt>
          <dd>
            <t>A per-object payload_info field constrained by the profile, not a
suite-fixed lock.  <xref target="aead-table"/> gives the default mode each suite
uses in the mutable profile.  A profile <bcp14>MAY</bcp14> select any valid
(nonce_mode, snap_id) tuple (<xref target="parameter-misuse"/>): in the mutable
profile an MRAE AEAD <bcp14>MAY</bcp14> use either mode, and the immutable profile
SEAL-RO-v1 pairs a derived nonce with any AEAD because write-once
keeps every derived nonce unique.</t>
          </dd>
          <dt>epoch_length:</dt>
          <dd>
            <t>The key-rotation granularity, with range given by <xref target="aead-table"/>.
Per <xref target="security-properties"/>, a 96-bit-nonce AEAD rotates the segment
key to bound per-key nonce-collision risk and an MRAE AEAD rotates to
bound its per-key encryption count, so both take epoch_length in 0 to
63.  A 256-bit-nonce AEAD makes both negligible and uses a flat key.</t>
          </dd>
          <dt>segment_max:</dt>
          <dd>
            <t>One of the sizes from <xref target="concrete"/>: 16384 or 65536 octets.</t>
          </dd>
        </dl>
        <t>Fábrega et al. (<xref target="FLRR25"/>) proved ra-ROR and ra-CMT security for a
construction that instantiates the same component contracts enumerated
above, and SEAL's analysis of those notions follows the same structure.
SEAL's additional components (the epoch keys and the snapshot maintained
across rewrite and length change) are analyzed in <xref target="segment-security"/>
and <xref target="snapshot-security"/>.</t>
      </section>
      <section anchor="segment-security">
        <name>Segment Confidentiality and Integrity</name>
        <t>The construction targets ra-ROR security (<xref target="ra-ror"/>).  The ra-ROR
advantage bound, its adversary parameters, and the per-term analysis are
in <xref target="appendix-reductions"/>, with the full proof in preparation
(<xref target="SEALPROOFS"/>).  This section states the property and the operational
quantities a deployment needs.</t>
        <t>Ciphertext cores are indistinguishable from random under the ra-ROR
definition, up to the public length leakage, the equality leakage
allowed by derived nonce mode, and public metadata exposed by the
consuming format (file-level headers, stored nonces in random mode, the
salt, and the commitment).  Each segment AEAD ciphertext binds the
segment to its own index and finality bit (through segment_aad in random
nonce mode and through the nonce in derived nonce mode) so an adversary
cannot modify or substitute a segment under a given index, or flip its
finality bit, without causing an AEAD verification failure on that
segment.  Same-index rollback to an older valid segment within the same
message is not detected by per-segment AEAD alone.  This requires the
snapshot verification of <xref target="snapshot-authenticator"/>.</t>
        <t>The multi-message advantage grows linearly in the number of messages.
In derived nonce mode the salt-collision term q_m^2/2^256 is the only
quadratic floor for the 256-bit-key suites.  For AES-128-GCM the
epoch-key collision floor E^2/2^128 (<xref target="appendix-adv-notation"/>) is
an additional quadratic term that dominates.  In random nonce mode,
with or without the plaintext-bound hedge, the nonce-collision term is
also quadratic:</t>
        <artwork><![CDATA[
nonce collision:  q^2 / 2^(8*Nn + 1)
at Nn = 12:       q^2 / 2^97
]]></artwork>
        <t>where q is the number of segment encryptions under one key and Nn is the
nonce length in octets.  The block-size birthday term is derived in
<xref target="aead-usage-limits"/>.</t>
        <t>Segment size enters the analysis only through the forgery and block-size
terms, both bounded in <xref target="aead-usage-limits"/>.  It does not affect the
confidentiality or commitment terms.  A segment's length is
authenticated implicitly by its AEAD tag, not through segment_aad or the
nonce, so the analysis assumes the consuming format conveys each
segment's true ciphertext length.  Segments shorter than segment_max
consume no more than their share of the per-key budget and need no
separate accounting.</t>
      </section>
      <section anchor="key-commitment">
        <name>Commitment Security</name>
        <t>The ra-CMT notion is defined in <xref target="ra-cmt"/>.</t>
        <t>raAE's commitment target is ra-CMT (random-access context commitment),
not the per-AEAD notion CMT-1 (<xref target="RFC9771"/>).  CMT-1 is key commitment
defined for
AEADs, but raAE is a higher-level construction whose commitment binds
the CEK and the full payload_info, which together carry the full
parameter context that affects encryption, decryption, AAD construction,
nonce construction, and key derivation.</t>
        <t>ra-CMT relies on the collision resistance of the commitment derivation
map over the tuple (protocol_id, "commit", CEK, payload_info, G,
commitment_length), with G empty by default.  PRF security alone does
not suffice, because the commitment adversary may choose the CEK and the
context values (<xref target="key-derivation"/>).  SEAL sets commitment_length = Nh,
so the commitment offers about 2^128 collision-search work with
HKDF-SHA-256 and about 2^256 with TurboSHAKE-256.  The reduction outline
for this assumption and the collision quantities for a general
commitment_length are in <xref target="appendix-commitment"/>.</t>
        <t>The commitment bounds the ra-CMT variant in which the positions match
(<xref target="ra-cmt"/>).  It does not bind the segment position.  Position binding
for the ra-CMT-p variant is inherited from the underlying AEAD's
commitment level.  Because the SEAL AEADs are not natively
key-committing, position confusion under an adversarially chosen key is
out of scope, consistent with <xref target="FLRR25"/>.  A malicious encryptor that
controls the CEK can craft a single ciphertext segment that opens at two
positions, and the per-segment AEAD tag does not prevent it.</t>
        <t>The per-segment associated data A_i is likewise outside the commitment:
SEAL binds A_i through segment_aad and the AEAD tag for that segment.
Contexts that differ only in A_i are therefore not commitment
collisions.  Their separation relies on AEAD commitment for the segment
AAD.  A_i is also rewritable across rewrites and is not bound at the
snapshot level.  An application that needs it bound there <bcp14>MUST</bcp14> bind it
externally.  The exact accounting of this term in the ra-CMT reduction
is deferred to <xref target="appendix-reductions"/>.</t>
        <t>A deployment that must defend against a malicious encryptor who controls
the CEK can close the adversarial-key position gap by one of two
changes.  These are non-normative.  SEAL adds none of them to the
construction.</t>
        <ul spacing="normal">
          <li>
            <t>A context-committing AEAD, so that each segment ciphertext
commits to its full decryption context rather than relying on the
external commitment over (CEK, payload_info, G).</t>
          </li>
          <li>
            <t>A per-segment collision-resistant position commitment, on the order
of 16 to 64 octets per segment, bound alongside the segment so that
no segment opens at two positions.</t>
          </li>
        </ul>
        <t>Several AEADs including AES-GCM (<xref target="NIST-SP-800-38D"/>) and
ChaCha20-Poly1305 (<xref target="RFC8439"/>) lack strong native key or context
commitment.  CMT-4 (<xref target="RFC9771"/>) is full commitment to key, nonce,
associated data, and plaintext.  None of the SEAL AEADs is relied upon
to provide CMT-1 or CMT-4.  In particular, AES-256-GCM-SIV is not a
key-committing AEAD, and key-commitment attacks against it are known
(for example partitioning oracles).  raAE obtains ra-CMT context
commitment from the external commitment over (CEK, payload_info, G)
regardless of the AEAD's own committing or non-committing properties,
provided that the commitment check is not bypassed and that payload_info
contains the full parameter context that influences any later derivation
or AEAD operation.</t>
        <t>With commitment_length = Nh and Nt = 16, ra-CMT is bounded by the
commitment collision resistance, and ra-CMT-p adds the per-segment AEAD
commitment term.  The ra-CMT collision bound is derived in
<xref target="appendix-commitment"/>, and the ra-CMT-p bound is stated there as a
sum.  The two key regimes differ.  Under honestly generated keys the
idealized per-pair tag-forgery floor is 2^(-128) because Nt = 16, and
concrete per-AEAD authenticity bounds degrade with segment length
(<xref target="aead-usage-limits"/>).  Under an adversarially chosen CEK the position
term is the AEAD's commitment level, which the SEAL AEADs are not
relied upon to provide.</t>
        <t>The global associated data G (<xref target="framework-commitment"/>) enters the
committed map as an additional input, empty by default, and the
collision-resistance argument above applies unchanged with G in the
committed context.  This matches the ra-CMT treatment of global
associated data in <xref target="FLRR25"/>.</t>
        <t>The ra-CMT and ra-CMT-p notions are defined in <xref target="FLRR25"/>.  SEAL
realizes ra-CMT through the external commitment over (CEK, payload_info,
G), independent of the underlying AEAD's own commitment level.  Position
binding for ra-CMT-p is inherited from the underlying AEAD's commitment
level, as described above.  This document states these properties and
their component bounds.  The exact accounting of the per-segment
associated data and position terms in the ra-CMT-p reduction is the open
item deferred to the proof in preparation (<xref target="SEALPROOFS"/>).</t>
      </section>
      <section anchor="snapshot-security">
        <name>Snapshot Authenticator Security</name>
        <t>Snapshot authentication is an extension this document adds to the
<xref target="FLRR25"/> raAE framework.  The raAE primitive and its ra-ROR and ra-CMT
notions are taken unchanged from <xref target="FLRR25"/>, whose proofs apply to
SEAL's realization of the base interface.  The snapshot authenticator
adds two operations (RewriteSeg, SnapVerify) over an auxiliary snapshot
value and one new security property, snapshot integrity
(<xref target="snapshot-integrity"/>).  Integrating its reduction into a single
combined proof with the ra-ROR framework is in preparation and will be
published separately (<xref target="SEALPROOFS"/>).</t>
        <t>Snapshot integrity is keyed by snap_key and protects the writer's
current segment set against a storage or write adversary that does not
hold snap_key.  A verifier who holds snap_key, hence the CEK from which
it is derived, detects any added, dropped, reordered, re-marked, or
otherwise altered segment.  It gives no protection among parties that
share the CEK, because any CEK-holder can recompute snap_key, and it is
not a third-party-verifiable commitment to a segment set.  An
application that needs sender attribution or third-party verifiability
<bcp14>MUST</bcp14> add a signing layer over the snapshot context.</t>
        <t>Per-segment AEAD binds each segment's index and finality bit.  The
snapshot authenticator adds authentication of the full set of segment
tags and the count n_seg as a single unit, which detects same-index
rollback, segment-set modification, and count changes.  The index-set
check in SnapVerify (<xref target="snapshot-interface"/>) is mandatory: an
authenticator's verify <bcp14>MAY</bcp14> accept a malformed index multiset, so without
the check a duplicated or dropped index could pass.</t>
        <t>A profile <bcp14>MUST</bcp14> keep each of an authenticator's KDF labels inside the
injective encode frame (<xref target="concrete-framing"/>) so distinct roles cannot
collide on the primitive input.</t>
        <t>Whole-object rollback to a previously valid snapshot is out of scope and
is treated in <xref target="snapshot-limitations"/>.  snap_key is not exposed through
any public API.  It is derived internally per message from the CEK and
salt, so snap_key exposure is not a threat surface in the construction
itself.</t>
        <section anchor="snapshot-security-mmh">
          <name>Masked Multiset Hash</name>
          <t>SEAL's masked multiset hash (snap_id 0x0001) publishes snapshot =
wrapped_acc || snapshot_tag.  The snapshot tag is a MAC over the count
and accumulator under snap_key, and wrapped_acc is that accumulator
hidden behind a deterministic, tag-derived one-time pad.  The mask is
what stops a write adversary from recombining the differences between
published accumulators into a non-historical segment set.  Its three
labels, contrib_label, snapshot_tag_label, and snapshot_mask_label, are
distinct under the encode frame.</t>
          <t>Its forgery advantage Adv_acc is bounded by a fresh-input MAC term, a
mix-and-match term, and a birthday term in the number of published
snapshots that the deterministic masking introduces, on no assumption
beyond the multi-user PRF the key schedule already uses.
<xref target="appendix-adv-notation"/> states the bound and <xref target="appendix-snapshot"/>
derives it.</t>
        </section>
      </section>
      <section anchor="aead-usage-limits">
        <name>Capacity and Usage Limits</name>
        <t>These usage limits are organized around independent limit classes, not
around named suites.  The accounting unit is one segment encryption
under one segment-encryption key (an epoch key).  For random-nonce AEADs
that budget is a single per-epoch-key pool.  For a derived-nonce MRAE
AEAD (AES-256-GCM-SIV in SEAL) there are two separate budgets: a
per-epoch-key budget for distinct derived nonces, and a
per-derived-nonce budget for repeated encryption of one segment.  Such
an AEAD therefore does not follow a simple "divide the per-key budget by
2^epoch_length" model.</t>
        <t>The length-dependent limits in this section are computed at the suite's
segment_max, the largest plaintext one segment encryption carries.
Independent of these per-key budgets, a segment-encryption procedure
<bcp14>MUST</bcp14> respect each underlying AEAD's per-invocation input limits.</t>
        <section anchor="accounting-model">
          <name>Accounting Model</name>
          <t>One segment encryption consumes one write from a segment-encryption
key's budget.  Initial writes and rewrites are both segment encryptions.
The budget belongs to the epoch key, not the CEK.</t>
          <dl>
            <dt>epoch-key budget:</dt>
            <dd>
              <t>the segment encryptions allowed under one epoch key.</t>
            </dd>
            <dt>write (initial write):</dt>
            <dd>
              <t>the first encryption of a segment.</t>
            </dd>
            <dt>rewrite:</dt>
            <dd>
              <t>a later encryption of the same segment.</t>
            </dd>
            <dt>epoch_length (r):</dt>
            <dd>
              <t>the base-2 log of the number of segments that share one epoch key.</t>
            </dd>
          </dl>
          <t>For a random-nonce AEAD an epoch key has one budget, shared by the
segments under it.  For a derived-nonce MRAE AEAD an epoch key has two:
how many distinct segment nonces it may cover, and how many times any
one segment may be re-encrypted at its fixed nonce.</t>
        </section>
        <section anchor="limit-classes">
          <name>Limit Classes</name>
          <t>Six phenomena bound how much may be encrypted.  Each is set by one
property of the AEAD or the segment size, and each bounds
confidentiality or integrity.</t>
          <table anchor="limit-class-table">
            <name>Usage-limit classes</name>
            <thead>
              <tr>
                <th align="left">Limit class</th>
                <th align="left">Applies to</th>
                <th align="left">Depends on</th>
                <th align="left">Failure mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Random-nonce collision</td>
                <td align="left">random nonce modes</td>
                <td align="left">nonce size</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">Forgery bound</td>
                <td align="left">all AEADs</td>
                <td align="left">MAC strength, segment size</td>
                <td align="left">integrity</td>
              </tr>
              <tr>
                <td align="left">Block-size birthday</td>
                <td align="left">block-cipher AEADs</td>
                <td align="left">total blocks</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">MRAE distinct-nonce</td>
                <td align="left">derived-nonce MRAE across segments</td>
                <td align="left">derived-nonce count</td>
                <td align="left">confidentiality and integrity</td>
              </tr>
              <tr>
                <td align="left">Fixed-nonce data volume</td>
                <td align="left">derived-nonce hot rewrites</td>
                <td align="left">segment size, rewrites</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">Epoch-key collision</td>
                <td align="left">128-bit-key AEADs</td>
                <td align="left">key size</td>
                <td align="left">confidentiality</td>
              </tr>
            </tbody>
          </table>
          <t>Random-nonce collision and the block-size birthday bound the
confidentiality of fresh-nonce encryption, and forgery bounds integrity
for every decryption.  Two further classes apply only in derived-nonce
MRAE mode: a derived-key collision across the distinct segment nonces
under an epoch key, and a data-volume limit on repeated encryption of a
single hot segment, one rewritten many times at its one derived nonce.
A sixth class applies only to 128-bit-key AEADs: a collision across the
distinct epoch keys that holds the number of epoch keys per payload_key
below about 2^48 (<xref target="epoch-length-guidance"/>).</t>
        </section>
        <section anchor="binding-limits-for-profiled-suites">
          <name>Binding Limits for Profiled Suites</name>
          <t>For each profiled suite the binding limit is the smallest applicable
class.  At 65536-octet (64 KiB) segments and a 2^-32 advantage target:</t>
          <table anchor="budget-table">
            <name>Binding limits for profiled suites at 64 KiB</name>
            <thead>
              <tr>
                <th align="left">Suite / mode</th>
                <th align="left">Binding limit</th>
                <th align="left">Budget</th>
                <th align="left">Failure mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, random</td>
                <td align="left">random-nonce collision</td>
                <td align="left">~2^32 per epoch key</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM, random</td>
                <td align="left">random-nonce collision</td>
                <td align="left">~2^32 per epoch key</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">random-nonce collision</td>
                <td align="left">~2^32 per epoch key</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived, distinct segments</td>
                <td align="left">MRAE distinct-nonce</td>
                <td align="left">~2^48 per epoch key</td>
                <td align="left">confidentiality and integrity</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived, hot segment</td>
                <td align="left">fixed-nonce data volume</td>
                <td align="left">~2^36 per segment at 64 KiB</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256, random</td>
                <td align="left">forgery bound</td>
                <td align="left">~2^83 per key</td>
                <td align="left">integrity</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256X2, random</td>
                <td align="left">forgery bound</td>
                <td align="left">~2^83 per key</td>
                <td align="left">integrity</td>
              </tr>
            </tbody>
          </table>
          <t>The 96-bit-nonce suites bind on random-nonce collision.  AEGIS makes
nonce collision negligible with a 256-bit nonce (~2^112) and binds on
forgery.  A derived-nonce MRAE AEAD has the two limits above, the
distinct-derived-nonce ceiling and the fixed-nonce data-volume cap, not
a single shared pool.</t>
        </section>
        <section anchor="max-object-size">
          <name>Maximum Write-Once Object Size</name>
          <t>Two limits bound a write-once object: each epoch key's AEAD write
budget, and the 2^63 segment index ceiling.</t>
          <t>Under a flat key (one epoch key for the whole object), the AEAD budget
sets the size:</t>
          <table anchor="write-once-table">
            <name>Flat-key write-once size limit</name>
            <thead>
              <tr>
                <th align="left">Suite</th>
                <th align="left">Flat-key write-once limit</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM</td>
                <td align="left">~2^36 segments</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV</td>
                <td align="left">~2^48 segments</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, AEGIS-256, AEGIS-256X2</td>
                <td align="left">2^63 segments</td>
              </tr>
            </tbody>
          </table>
          <t>For the block ciphers this limit is a confidentiality bound.  The
AES-GCM suites (AES-128-GCM and AES-256-GCM) bind on the block-size
birthday and AES-256-GCM-SIV on the distinct-derived-nonce budget.
ChaCha20-Poly1305 and AEGIS have no write-count confidentiality bound
below the index ceiling.  The AES-128-GCM, AES-256-GCM, and
ChaCha20-Poly1305 figures assume derived nonce mode, which these
non-MRAE suites may use only in a write-once profile.  In the default
random nonce mode they bind earlier, at the random-nonce-collision
budget of about 2^32 per epoch key (<xref target="budget-table"/>).</t>
          <t>With epoch rotation each epoch key carries a fresh budget, so any suite
can reach the 2^63-segment ceiling, about 2^79 octets at 64 KiB
segments.  For AES-128-GCM this requires a sufficiently large
epoch_length.  At epoch_length 0 its epoch-key collision floor caps
the object near 2^48 segments (<xref target="epoch-length-guidance"/>).  Reaching
2^63 needs epoch_length at least 15, so the distinct epoch keys stay
near 2^48.
A rotating profile <bcp14>MUST</bcp14> keep each epoch key's 2^epoch_length initial
writes within its per-key budget.  For a derived-nonce MRAE AEAD that
means 2^epoch_length below the distinct-derived-nonce budget of about
2^48.  Rewrite capacity is a separate condition
(<xref target="rewrite-budget-security"/>).</t>
        </section>
        <section anchor="rewrite-budget-security">
          <name>Rewrite Capacity</name>
          <t>A rewrite consumes the same budget as an initial write.  How that budget
is shared depends on the nonce mode.</t>
          <t>For the random-nonce AEADs, epoch_length divides one per-epoch-key pool
among the 2^epoch_length segments that share the key.  If rewrites are
spread evenly, the count each segment can take falls as epoch_length
rises:</t>
          <table anchor="rewrite-random-table">
            <name>Rewrite share by epoch_length</name>
            <thead>
              <tr>
                <th align="left">Suite / mode</th>
                <th align="left">epoch_length</th>
                <th align="left">Segments per epoch key</th>
                <th align="left">Rewrites per segment</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, random</td>
                <td align="left">0</td>
                <td align="left">1</td>
                <td align="left">~2^32</td>
              </tr>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, random</td>
                <td align="left">6</td>
                <td align="left">64</td>
                <td align="left">~2^26</td>
              </tr>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, random</td>
                <td align="left">10</td>
                <td align="left">1024</td>
                <td align="left">~2^22</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">0</td>
                <td align="left">1</td>
                <td align="left">~2^32</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">6</td>
                <td align="left">64</td>
                <td align="left">~2^26</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">10</td>
                <td align="left">1024</td>
                <td align="left">~2^22</td>
              </tr>
            </tbody>
          </table>
          <t>For a derived-nonce MRAE AEAD the hot-segment rewrite cap is not divided
by 2^epoch_length, because a rewrite reuses the segment's one derived
nonce:</t>
          <table anchor="rewrite-siv-table">
            <name>GCM-SIV rewrite cap by epoch_length</name>
            <thead>
              <tr>
                <th align="left">Suite / mode</th>
                <th align="left">epoch_length</th>
                <th align="left">Segments per epoch key</th>
                <th align="left">Hot-segment rewrite cap</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived</td>
                <td align="left">0</td>
                <td align="left">1</td>
                <td align="left">~2^36 at 64 KiB</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived</td>
                <td align="left">6</td>
                <td align="left">64</td>
                <td align="left">~2^36 at 64 KiB</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived</td>
                <td align="left">10</td>
                <td align="left">1024</td>
                <td align="left">~2^36 at 64 KiB</td>
              </tr>
            </tbody>
          </table>
          <t>The hot-segment cap is length-dependent:  about 2^36 at 64 KiB segments
and about 2^38 at 16 KiB.  The distinct-derived-nonce budget stays about
2^48 per epoch key.  A derived-nonce MRAE AEAD thus has two separate
constraints, the distinct derived nonces per epoch key and the repeated
encryptions at one derived nonce.  AEGIS uses a flat key, and its
forgery budget, about 2^83 per key from <xref target="I-D.irtf-cfrg-aegis-aead"/>,
exceeds any reachable rewrite workload.</t>
          <t>Applications <bcp14>MUST</bcp14> track segment encryptions per key and freeze the
object before a budget is exceeded.  The CEK is fixed per object and
cannot be rotated in place, so continued writing requires a new object
under a fresh CEK.</t>
        </section>
        <section anchor="epoch-length-guidance">
          <name>Choosing epoch_length</name>
          <t>epoch_length means different things by mode.  For the random-nonce
AEADs, a smaller epoch_length puts fewer segments under each key, so
each segment keeps a larger share of the random-nonce collision pool, at
the cost of more epoch keys to derive and hold.  For a derived-nonce
MRAE AEAD, a smaller epoch_length reduces the distinct derived nonces
under an epoch key but does not raise the hot-segment rewrite cap, which
is per derived nonce and length-dependent.  AEGIS has a 256-bit nonce
and a high forgery floor, so a flat key (epoch_length 63) is the natural
choice.</t>
          <t>The cipher suite's default epoch_length, used when a referencing
protocol does not choose one, is 0 for the suites with an epoch_length
range and 63 for the AEGIS suites.  epoch_length 0 derives a fresh epoch
key per segment, the finest rotation, giving each segment the largest
share of the random-nonce collision pool.  The AEGIS 256-bit nonce makes
a flat key safe.  The named instantiations (<xref target="named-instantiations"/>) do
not take this default:  each pins an epoch_length tuned to its profile
and object size, trading some rotation for fewer epoch keys while
staying within budget.</t>
          <t>The epoch keys are independent under the PRF security of the KDF
(<xref target="RFC8645"/>), so no epoch key is weaker than another.  The epoch_length
parameter controls budget distribution, not key strength.</t>
          <t>For AES-128-GCM the 128-bit AEAD key adds one further constraint.  The
epoch-key collision term (<xref target="appendix-adv-notation"/>) is about
E^2/2^128 over the E distinct epoch keys, so an AES-128-GCM profile
<bcp14>SHOULD</bcp14> keep distinct epoch keys per payload_key below about 2^48, which
holds that term within the 2^-32 target.  At epoch_length 0 this caps
an AES-128-GCM object at about 2^48 segments, far below the 2^63 index
ceiling, so it constrains only extreme object sizes.</t>
        </section>
        <section anchor="derivations">
          <name>Derivations</name>
          <t>The per-suite figures come from the bounds below.</t>
          <section anchor="confidentiality-nonce-collision">
            <name>Confidentiality (Nonce Collision)</name>
            <t>For random nonce mode with Nn-octet nonces and q segment encryptions
under one key, the collision probability follows the birthday bound:</t>
            <artwork><![CDATA[
P(collision) <= q^2 / 2^(8*Nn + 1)
]]></artwork>
            <t>When epoch_length = r is specified, q counts encryptions per epoch key
(initial writes plus rewrites within that epoch), not across the whole
content.  Each epoch key has an independent budget.</t>
            <t>For derived nonce mode, nonces are deterministic and distinct across
segment indices, so this collision term does not apply.  The limits on
reusing a derived nonce are in <xref target="mrae-bounds"/>.</t>
          </section>
          <section anchor="confidentiality-block-size-birthday-bound">
            <name>Confidentiality (Block-Size Birthday Bound)</name>
            <t>Nonce collisions alone do not exhaust the confidentiality bound.
Following the AEAD usage-limits analysis (<xref target="I-D.irtf-cfrg-aead-limits"/>
Section 5), block-cipher AEADs have a distinguishing bound that grows
with the total number of cipher blocks processed under a key.  For the
AES-GCM suites (AES-128-GCM and AES-256-GCM), if s is the total number
of AAD-plus-plaintext 128-bit blocks and q is the number of encryption
queries under a key, the confidentiality advantage is at most:</t>
            <artwork><![CDATA[
CA <= ((s + q + 1)^2) / 2^129
]]></artwork>
            <t>For 65536-octet segments (L = 4096 blocks per segment), s = L * q in the
worst case, so CA scales as q^2 * L^2 / 2^129.  In random nonce mode the
nonce-collision bound q^2 / 2^97 dominates for typical deployments
because L^2 / 2^32 is small.  In derived nonce mode the nonce-collision
term vanishes and the block-size term is the binding confidentiality
constraint.</t>
            <t>For ChaCha20-Poly1305 there is no comparable block-size bound because
ChaCha20 is a stream cipher, leaving nonce collision and forgery as the
only relevant terms.  <xref target="mrae-bounds"/> gives the derived-nonce block-size
limits.  No analogous block-size confidentiality bound has been
published for AEGIS-256 or AEGIS-256X2.  Nonce collision (negligible at
a 256-bit nonce) and the per-key margin govern AEGIS confidentiality.
The per-query forgery bound governs integrity.</t>
            <t>SEAL implementations <bcp14>MUST</bcp14> compute usage budgets from the AEAD-specific
confidentiality and integrity bounds, not from nonce-collision
probability alone.  <xref target="budget-table"/> gives the binding limit per suite.</t>
          </section>
          <section anchor="integrity-forgery">
            <name>Integrity (Forgery)</name>
            <t>Each AEAD decryption query gives the adversary a chance to forge a valid
ciphertext.  The forgery advantage per query depends on the AEAD and
segment_max.</t>
            <t>For the AES-GCM suites (AES-128-GCM and AES-256-GCM)
(<xref target="I-D.irtf-cfrg-aead-limits"/> Section 5.1):</t>
            <artwork><![CDATA[
IA <= 2 * v * (L + 1) / 2^128
]]></artwork>
            <t>where v is the number of forgery attempts and L = 4096 blocks per
segment.</t>
            <t>For ChaCha20-Poly1305 (<xref target="I-D.irtf-cfrg-aead-limits"/> Section 5.2):</t>
            <artwork><![CDATA[
IA <= v * (L' + 1) / 2^103
]]></artwork>
            <t>Here v is the number of forgery attempts and L' is the segment length in
16-octet Poly1305 blocks (about 4096 at 65536-octet segments), per
<xref target="I-D.irtf-cfrg-aead-limits"/>.  The 2^103 denominator (not 2^128)
reflects Poly1305's per-query forgery bound.  At 65536-octet segments,
the integrity limit for ChaCha20-Poly1305 is tighter than for AES-GCM.</t>
          </section>
          <section anchor="mrae-bounds">
            <name>Derived-Nonce Bounds</name>
            <t>A derived-nonce MRAE AEAD has two limits the random-nonce analysis above
does not capture.</t>
            <t>Across the distinct segment nonces under one epoch key, the derived-key
analysis of <xref target="RFC8452"/> Section 9 (<xref target="BHT18"/>) bounds the number of
distinct derived nonces at about 2^48 for a 2^-32 advantage.</t>
            <t>For a single hot segment, every rewrite reuses that segment's one
derived nonce, so N rewrites of an L-block segment run AES-CTR under one
derived per-record key.  The binding term is the keystream block-size
birthday over the total blocks, in the form of
<xref target="I-D.irtf-cfrg-aead-limits"/> Section 5 with s = N * L blocks and q = N
queries:</t>
            <artwork><![CDATA[
((s + q + 1)^2) / 2^129 <= 2^-32
]]></artwork>
            <t>The N * L term dominates, so this holds while N * L stays below about
2^48, giving N &lt;= about 2^48 / L.  That is about 2^36 rewrites of one 64
KiB segment (L = 4096) and about 2^38 at 16 KiB.  This per-nonce cap
does not divide by 2^epoch_length, because the segment reuses the same
derived nonce regardless of epoch_length.</t>
            <t>Distinct plaintexts under the fixed nonce produce distinct synthetic IVs
and hence distinct counter keystreams (the GCM-SIV synthetic-IV
construction, <xref target="RFC8452"/>), so confidentiality degrades only by this
block-birthday term and not by nonce reuse.  Two rewrites with identical
plaintext and associated data produce identical ciphertext
(deterministic-MRAE equality leakage), independent of this count.</t>
          </section>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>raAE's ra-ROR security target (<xref target="ra-ror"/>) rests on three assumptions:
the AEAD is multi-user real-or-random (mu-ROR) secure, the KDF is a
secure multi-user pseudorandom function (mu-PRF), and nonces do not
collide.  Each subsection below describes a way one of these can fail
and what breaks.</t>
      <t>Integrity across the SEAL suite is bounded by the 16-octet AEAD tag (Nt
= 16): no suite member offers more than approximately 128 bits of
forgery resistance per query (<xref target="budget-table"/>).  The AEGIS algorithms'
256-bit keys raise confidentiality margins, not the tag-length forgery
floor.</t>
      <section anchor="detection-summary">
        <name>Detection Summary</name>
        <t>The table below maps common failure modes to the check that detects them
and notes the cases where raAE provides no detection.  The rows detected
by SnapVerify assume a snapshot authenticator is configured (snap_id !=
0x0000).  Without one, those modes go undetected.  The one exception is
a dropped trailing segment: the per-segment finality requirement of
<xref target="full-decryption"/> detects it in any profile, with no snapshot
authenticator.</t>
        <table anchor="detection-table">
          <name>Failure modes and the checks that detect them</name>
          <thead>
            <tr>
              <th align="left">Failure mode</th>
              <th align="left">Detected by</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Wrong CEK, salt, or parameter set</td>
              <td align="left">The commitment, before any segment decryption, provided reader and writer use the same payload_info construction.</td>
            </tr>
            <tr>
              <td align="left">Modified ciphertext core or AEAD tag</td>
              <td align="left">AEAD.Decrypt for the affected segment.</td>
            </tr>
            <tr>
              <td align="left">Segment moved to a different index</td>
              <td align="left">AEAD.Decrypt: the segment index and finality bit are authenticated by segment_aad (random nonce mode) or by the nonce (derived nonce mode).</td>
            </tr>
            <tr>
              <td align="left">Segment copied from another object at the same index</td>
              <td align="left">Detected when the copied segment was encrypted under a different CEK or salt.  Reusing a salt with the same CEK breaks this separation (<xref target="salt-reuse"/>).</td>
            </tr>
            <tr>
              <td align="left">Segment copied from another version at the same index</td>
              <td align="left">Not detected by per-segment AEAD alone; detected by SnapVerify, unless the whole object (including snapshot) is rolled back to that earlier valid version.</td>
            </tr>
            <tr>
              <td align="left">Dropped trailing segment(s) (truncation)</td>
              <td align="left">The finality requirement of <xref target="full-decryption"/>, in any profile: the highest-indexed present segment then carries is_final = 0 and the decryptor rejects.  Truncation to zero present segments is rejected by the zero-segment prohibition without a snapshot authenticator, and detected by SnapVerify with one (<xref target="snapshot-limitations"/>).</td>
            </tr>
            <tr>
              <td align="left">Missing interior, duplicated, reordered, or inserted segment</td>
              <td align="left">SnapVerify, which checks the segment count, finality, and recomputed snapshot value.</td>
            </tr>
            <tr>
              <td align="left">Stale snapshot value</td>
              <td align="left">SnapVerify, unless the stale value is part of a whole-object rollback to a previously valid snapshot.</td>
            </tr>
            <tr>
              <td align="left">Whole-object rollback</td>
              <td align="left">Not detected by raAE alone; the consuming protocol needs authenticated external freshness state.</td>
            </tr>
            <tr>
              <td align="left">Concurrent lost update</td>
              <td align="left">Not a cryptographic forgery; the consuming protocol needs writer serialization or another way to publish object state atomically.</td>
            </tr>
            <tr>
              <td align="left">Equality leakage in derived nonce mode</td>
              <td align="left">Not an authentication failure; rewriting equal plaintext at the same index under derived nonce mode can reveal equality (<xref target="nonce-generation"/>, <xref target="nonce-misuse"/>).</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="nonce-misuse">
        <name>Nonce Misuse</name>
        <t>Nonce reuse under a non-MRAE AEAD leaks plaintext:  an adversary who
observes two ciphertexts under the same key and nonce recovers the XOR
of the plaintexts (for CTR-based AEADs) and can forge new ciphertexts.
For AES-GCM and ChaCha20-Poly1305, nonce reuse also recovers the
polynomial authentication key, enabling forgery of arbitrary messages.</t>
        <t>Random nonce mode depends entirely on the CSPRNG.  If the CSPRNG returns
duplicated state, segments collide.  Derived nonce mode removes that
dependence, since nonces are deterministic, but the determinism is
itself a hazard: re-encrypting a segment with different content under
its repeated derived nonce is a two-time pad, catastrophic for a
non-MRAE AEAD.</t>
        <t>A non-MRAE AEAD therefore uses derived nonces only in a write-once
profile that draws a fresh salt per object and never re-encrypts under
it after a crash (<xref target="derived-nonces"/>).  An MRAE AEAD instead degrades
only to equality leakage, not plaintext recovery.</t>
        <t>The plaintext-bound construction (<xref target="appendix-pt-bound"/>) partially
defends against CSPRNG duplication: different plaintexts at the same
index produce different nonces because the plaintext digest differs,
but equal plaintexts still collide.  Implementations that need a full
defense against random number generator (RNG) state duplication <bcp14>MUST</bcp14>
use derived nonce mode with an MRAE AEAD.</t>
      </section>
      <section anchor="parameter-mismatch">
        <name>Parameter Set Mismatch</name>
        <t>The full parameter set that affects encryption, decryption, AAD
construction, nonce construction, and key derivation is bound into
payload_info (see <xref target="components"/>) and therefore into the commitment.  A
reader using a different parameter set than the writer triggers a
commitment mismatch before any AEAD operation is attempted.  A reader
supplying a different G than the encryptor likewise triggers a
commitment mismatch (<xref target="framework-commitment"/>).  Consuming protocols
<bcp14>MUST</bcp14> still reject unrecognized or unsupported parameter values before
decryption, since the commitment check detects mismatch but does not by
itself indicate which parameter value the recipient is unable to
support.</t>
        <t>One profile-level constant is bound transitively rather than via
payload_info:  aad_label is bound through protocol_id (each profile
fixes its own aad_label).  nonce_mode, by contrast, is carried in
payload_info, so the commitment binds it directly.  Each SEAL AEAD
additionally sets a default nonce mode (see <xref target="aead-table"/>).  Profiles
<bcp14>MUST NOT</bcp14> share a protocol_id across distinct aad_label values.  Reusing
a protocol_id with a changed aad_label produces objects whose commitment
matches the wrong reader but whose per-segment AEAD verification fails
with no clear error attribution.</t>
      </section>
      <section anchor="framing-label-errors">
        <name>Framing and Label Errors</name>
        <t>Two classes of implementation error break cross-role isolation.  A
non-injective framing function maps distinct KDF input tuples to the
same primitive input, correlating outputs that should be independent.
Implementations <bcp14>MUST</bcp14> verify injectivity per <xref target="framing"/>.  Reusing a
label across roles (for example, "commit" for both commitment and
payload key) has the same effect.  Labels <bcp14>MUST</bcp14> be distinct within a
protocol version, and a new version that changes any derivation <bcp14>MUST</bcp14>
change the protocol_id.</t>
      </section>
      <section anchor="parameter-misuse">
        <name>Parameter Misuse</name>
        <t>The nonce mode and AEAD choice are coupled, and the table gives the rule
for each pairing:</t>
        <table anchor="nonce-aead-table">
          <name>Nonce mode by AEAD class</name>
          <thead>
            <tr>
              <th align="left">AEAD class</th>
              <th align="left">random nonce</th>
              <th align="left">derived nonce</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">non-MRAE</td>
              <td align="left">valid</td>
              <td align="left">mutable: unsafe; write-once: valid</td>
            </tr>
            <tr>
              <td align="left">MRAE</td>
              <td align="left">wasteful</td>
              <td align="left">valid</td>
            </tr>
          </tbody>
        </table>
        <t>Rewrite is where the coupling matters.  A derived nonce is fixed by
the segment index, so a rewrite reuses it, while a random nonce is drawn
fresh every time.  A repeat is catastrophic for a non-MRAE AEAD and only
equality-leaking for an MRAE one, which is what the table reflects.
<xref target="derived-nonces"/> gives the rules and their consequences.</t>
        <t>The optional plaintext-bound construction (<xref target="appendix-pt-bound"/>) is an
encryptor-side hedge over random nonce mode, not a separate nonce mode.
See <xref target="concrete-algorithms"/> for SEAL's per-AEAD guidance.</t>
      </section>
      <section anchor="snapshot-limitations">
        <name>Snapshot Integrity Limitations</name>
        <t>Snapshot integrity has the following limitations.</t>
        <t>First, a reader that does not run snapshot verification
(<xref target="snapshot-authenticator"/>) does not verify that a segment belongs to
the current authenticated snapshot.  Such a reader gets per-segment AEAD
authenticity only, without the snapshot integrity guarantee of
<xref target="snapshot-integrity"/>: the ciphertext core is authenticated under the
segment index and finality bit, but the reader cannot detect that the
segment was substituted from a previous valid version of the same
message at the same index, nor that other segments were dropped or
rolled back.  Such readers <bcp14>MUST</bcp14> still verify the commitment per
<xref target="framework-commitment"/>.  Applications that support random-access
single-segment reads <bcp14>MUST</bcp14> either run snapshot verification on every read
or explicitly document that they accept per-segment authenticity without
snapshot freshness.</t>
        <t>Conversely, snapshot verification over the segment tags authenticates
the tag set, its positions, and the count.  It does not confirm that a
tag is a valid AEAD tag for the ciphertext beside it.  Decrypting that
segment is what establishes that, so snapshot verification layers set,
position, and count binding on top of per-segment AEAD without replacing
it.</t>
        <t>Second, snapshot integrity does not provide freshness against
whole-object rollback.  A storage adversary that rolls back the entire
encrypted object, including the snapshot, to a previously valid version
is not detected by raAE alone, because the rolled-back snapshot is
itself a valid snapshot for that prior state.  This is replay of an
intact prior snapshot, not a forgery:  it stays out of scope unless the
consuming protocol authenticates external freshness into the snapshot
context.  Applications that require whole-object rollback resistance
<bcp14>MUST</bcp14> bind an authenticated version field, timestamp, monotonic counter,
or authenticated storage layer into that context.  Relatedly,
<xref target="full-rewrite"/> requires a writer to update only trusted snapshot
state, so a rewrite cannot launder a rolled-back snapshot into a valid
ongoing history.</t>
        <t>Third, same-index rollback within a snapshot is detected when snapshot
verification runs.  If an adversary replaces one segment with a
previously valid same-index segment but leaves the current snapshot
value in place, the recomputed snapshot value no longer matches the
stored one, so verification fails except with negligible forgery
probability (see <xref target="snapshot-security"/>).</t>
        <t>Detecting these substitutions is a benefit of the design, not a
limitation.  It is the property that distinguishes raAE's snapshot
integrity from per-segment AEAD authenticity.</t>
        <t>Truncation, including removal of the final segment marked is_final = 1,
is detected by snapshot verification.  The removed segment is absent
from the recomputed snapshot value and the count n_seg no longer matches
the segments present, so verification fails.  Truncation is not a
separate limitation.  It is a special case of the first limitation above
for readers that skip snapshot verification.</t>
      </section>
      <section anchor="salt-reuse">
        <name>Salt Reuse</name>
        <t>Reusing a salt with the same CEK across two files produces identical
payload schedule outputs: the same payload_key, the same snap_key, and,
in derived nonce mode, the same nonce_base.  The damage depends on the
nonce mode.</t>
        <t>In every nonce mode, an adversary can silently swap same-index segments
between the two files: both per-segment AEAD checks and the snapshot
authenticator accept the swap.  Salt reuse is therefore an integrity
break in every configuration.</t>
        <t>In derived nonce mode the nonces also repeat across the two files, so
an MRAE AEAD degrades to deterministic encryption and leaks plaintext
equality between same-index segments.  A non-MRAE AEAD under derived
nonces, a combination the construction forbids (<xref target="derived-nonces"/>),
would permit plaintext recovery.</t>
        <t>In random nonce mode (and with the plaintext-bound hedge) fresh nonces
keep confidentiality intact, although the per-key nonce-collision budget
of <xref target="confidentiality-nonce-collision"/> then counts encryptions across
both files under the single CEK.  The integrity break above remains.
Applications <bcp14>MUST</bcp14> therefore ensure salt uniqueness per CEK when creating
a new message.  The freshness requirement in <xref target="full-encryption"/> exists
for this reason.</t>
      </section>
      <section anchor="rewrite-hazards">
        <name>Rewrite Hazards</name>
        <t>Rewriting introduces the following hazards.</t>
        <t>Applications <bcp14>MUST</bcp14> track total segment encryptions per key and freeze the
object before exceeding the budget in <xref target="rewrite-budget-security"/>.  For
the 96-bit-nonce AEADs (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305) the
binding limit is the per-epoch-key collision pool of roughly 2^32
encryptions, counted across every segment that shares the key.  Spread
evenly, that pool gives each segment a uniform rewrite share of roughly
2^(32 - epoch_length), as tabulated in <xref target="rewrite-budget-security"/>.  See
<xref target="epoch-length-guidance"/>.  Exceeding the per-epoch-key pool risks nonce
collisions and plaintext recovery.</t>
        <t>A mutable profile with derived nonces and an MRAE AEAD (SEAL-RW-v1)
reuses a segment's deterministic nonce across non-terminal rewrites, and
a crash that replays a write reuses it again.  Confidentiality there
rests on the per-segment rewrite limit (<xref target="rewrite-budget-security"/>),
not on nonce uniqueness: the AEAD degrades to
equality leakage between identical rewrites rather than to plaintext
recovery, as long as that budget is respected.</t>
        <t>For the masked multiset hash, when multiple writers rewrite different
segments concurrently, each computes an independent accumulator
difference (old_contrib XOR new_contrib).  Applying these differences is
commutative, but the read-modify-write on the stored accumulator
requires coordination.  Supplying that coordination, for example a
compare-and-swap on the published snapshot value and segment count, is
the consuming protocol's responsibility, consistent with the
serialization and storage transactions this document places out of
scope.  The snapshot tag and the mask <bcp14>MUST</bcp14> be recomputed over the final
accumulator and segment count inside the same critical section that
publishes the snapshot update.  Otherwise a storage layer can publish a
masked accumulator and a snapshot tag that were computed for different
accumulators.  As a recovery mechanism, the accumulator can always be
rebuilt from scratch by XOR-ing all contrib values and then re-masked.</t>
        <t>Length changes are a separate concurrency case.  Append and truncate
change the segment count and re-mark a terminal segment.  Those updates
do not commute with each other or with a concurrent rewrite of the old
or new terminal segment unless the consuming protocol serializes them.</t>
        <t>Per-segment associated data A_i is rewritable, not fixed at creation.
Unlike a global associated data value G, which the commitment fixes when
the object is created (<xref target="framework-commitment"/>), A_i rides the
per-segment AEAD associated data (<xref target="concrete-segment-aad"/>), so a
rewrite can replace a segment's A_i, for example to change a policy or
version field.  A reader therefore cannot treat A_i as context fixed at
creation the way it can treat G.  An application that needs context
fixed at creation places it in G, which the commitment binds, rather
than in A_i.</t>
        <t>raAE also does not guarantee atomic rewrites.  A segment rewrite touches
the nonce metadata, ciphertext core, AEAD tag, and the snapshot value.
A crash between any two of these leaves the content inconsistent.
Applications <bcp14>MUST</bcp14> use write-ahead logging, copy-on-write, or an
equivalent mechanism to make rewrites recoverable.</t>
      </section>
      <section anchor="constant-time">
        <name>Constant-Time Implementation</name>
        <t>Several raAE operations handle secret data and <bcp14>MUST</bcp14> be implemented in
constant time to prevent timing side-channels.</t>
        <t>The KDF calls in the payload schedule and epoch key derivation take the
CEK or payload_key as input keying material.  Implementations <bcp14>MUST</bcp14>
ensure that HKDF-Extract and HKDF-Expand execute in constant time with
respect to their key inputs.  In practice this is satisfied by HMAC
implementations that do not branch on key octets.</t>
        <t>Both the commitment comparison (<xref target="full-decryption"/>) and the snapshot
comparison in SnapVerify <bcp14>MUST</bcp14> use a constant-time octet comparison.
SnapVerify <bcp14>MUST</bcp14> compare the full recomputed snapshot value, the masked
accumulator and the snapshot tag together, in one constant-time
comparison, so that no observable difference reveals which half differs
(<xref target="masked-multiset-hash"/>).  A variable-time comparison reveals the
position of the first differing octet.  An adversary who can retry
tampered inputs learns the expected value one octet at a time and can
then present a matching stored value.  This reduces the forgery cost of
either check to a linear number of trials (for the snapshot, the bound
of <xref target="snapshot-security"/>).</t>
        <t>AEAD.Encrypt and AEAD.Decrypt operations inherit the constant-time
requirements of the underlying AEAD.  Implementations <bcp14>SHOULD</bcp14> use AEAD
libraries that document constant-time guarantees.</t>
      </section>
      <section anchor="properties-not-provided">
        <name>Properties Not Provided</name>
        <t>raAE protects segment content and binds segments together.  It
deliberately does not address four concerns that belong to the consuming
protocol.</t>
        <t>The CEK must remain available as long as any reader needs access, so
there is no forward secrecy.  Ciphertexts are not bound to any sender
identity.  A signing or MAC layer is needed for sender authentication.
Key identifiers and structural features of the encrypted format are
visible, so unlinkability requires application-layer measures.  Finally,
snapshot verification covers segments within a message but cannot detect
replacement of the message itself.  An adversary who swaps one encrypted
message for another goes undetected unless the application binds message
identity externally.</t>
        <t>These concerns are not artifacts of raAE's design.  Any raAE
construction inherits them from the consuming protocol's scope.</t>
      </section>
      <section anchor="security-domain-separation">
        <name>Cross-Application Domain Separation</name>
        <t>Two applications that both reuse the same SEAL profile label
(<xref target="profiles"/>) with the same input keying material, the same
payload_info, and the same G derive identical commitments, keys, nonces,
and AADs.  The protocol_id provides cross-application domain separation
only when it is distinct per application.  Applications whose keying
material may be shared across systems <bcp14>SHOULD</bcp14> use an application-specific
protocol_id (for example, "myapp-backup-v1") rather than a SEAL profile
label.  An application adopting a SEAL profile (<xref target="profiles"/>) unchanged
<bcp14>MAY</bcp14> use that profile's label.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
      <t>SEAL consumes identifiers from existing IANA registries: the AEAD
Algorithms Registry (<xref target="RFC5116"/>) for <tt>aead_id</tt> values and the HPKE KDF
Registry (<xref target="RFC9180"/> Section 7.2) for <tt>kdf_id</tt> values.  No new
raAE-side registries are created.</t>
      <t>The following code points are early allocations in their respective
registries.  Each registry reference firms up when the referenced I-D
is published as an RFC, and the corresponding SEAL normative reference
is a downref under IRTF stream conventions until then.</t>
      <table anchor="iana-early-alloc">
        <name>Early-Allocation Code Points</name>
        <thead>
          <tr>
            <th align="left">Registry</th>
            <th align="left">Code point</th>
            <th align="left">Algorithm</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">AEAD Algorithms (<xref target="RFC5116"/>)</td>
            <td align="left">0x0021</td>
            <td align="left">AEGIS-256</td>
            <td align="left">
              <xref target="I-D.irtf-cfrg-aegis-aead"/></td>
          </tr>
          <tr>
            <td align="left">AEAD Algorithms (<xref target="RFC5116"/>)</td>
            <td align="left">0x0024</td>
            <td align="left">AEGIS-256X2</td>
            <td align="left">
              <xref target="I-D.irtf-cfrg-aegis-aead"/></td>
          </tr>
          <tr>
            <td align="left">HPKE KDF (<xref target="RFC9180"/> Section 7.2)</td>
            <td align="left">0x0013</td>
            <td align="left">TurboSHAKE-256</td>
            <td align="left">
              <xref target="I-D.ietf-hpke-pq"/></td>
          </tr>
        </tbody>
      </table>
      <t>Future SEAL profiles <bcp14>MAY</bcp14> consume additional entries from either registry
without revising this document.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC8017">
          <front>
            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="November" year="2016"/>
            <abstract>
              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 3447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8017"/>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
        </reference>
        <reference anchor="RFC8439">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
        <reference anchor="RFC8452">
          <front>
            <title>AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption</title>
            <author fullname="S. Gueron" initials="S." surname="Gueron"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="Y. Lindell" initials="Y." surname="Lindell"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This memo specifies two authenticated encryption algorithms that are nonce misuse resistant -- that is, they do not fail catastrophically if a nonce is repeated.</t>
              <t>This document is the product of the Crypto Forum Research Group.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8452"/>
          <seriesInfo name="DOI" value="10.17487/RFC8452"/>
        </reference>
        <reference anchor="RFC9180" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9180.xml">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC9771">
          <front>
            <title>Properties of Authenticated Encryption with Associated Data (AEAD) Algorithms</title>
            <author fullname="A. Bozhko" initials="A." role="editor" surname="Bozhko"/>
            <date month="May" year="2025"/>
            <abstract>
              <t>Authenticated Encryption with Associated Data (AEAD) algorithms provide both confidentiality and integrity of data. The widespread use of AEAD algorithms in various applications has led to an increased demand for AEAD algorithms with additional properties, driving research in the field. This document provides definitions for the most common of those properties and aims to improve consistency in the terminology used in documentation. This document is a product of the Crypto Forum Research Group.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9771"/>
          <seriesInfo name="DOI" value="10.17487/RFC9771"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aegis-aead">
          <front>
            <title>The AEGIS Family of Authenticated Encryption Algorithms</title>
            <author fullname="Frank Denis" initials="F." surname="Denis">
              <organization>Fastly Inc.</organization>
            </author>
            <author fullname="Samuel Lucas" initials="S." surname="Lucas">
              <organization>Individual Contributor</organization>
            </author>
            <date day="5" month="October" year="2025"/>
            <abstract>
              <t>   This document describes the AEGIS-128L, AEGIS-256, AEGIS-128X, and
   AEGIS-256X AES-based authenticated encryption algorithms designed for
   high-performance applications.

   The document is a product of the Crypto Forum Research Group (CFRG).
   It is not an IETF product and is not a standard.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-aegis-aead.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aegis-aead-18"/>
        </reference>
        <reference anchor="I-D.ietf-hpke-pq">
          <front>
            <title>Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>Selkie Cryptography</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Updating key exchange and public-key encryption protocols to resist
   attack by quantum computers is a high priority given the possibility
   of "harvest now, decrypt later" attacks.  Hybrid Public Key
   Encryption (HPKE) is a widely-used public key encryption scheme based
   on combining a Key Encapsulation Mechanism (KEM), a Key Derivation
   Function (KDF), and an Authenticated Encryption with Associated Data
   (AEAD) scheme.  In this document, we define KEM algorithms for HPKE
   based on both post-quantum KEMs and hybrid constructions of post-
   quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3
   that is suitable for use with these KEMs.  When used with these
   algorithms, HPKE is resilient with respect to attacks by a quantum
   computer.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-pq-04"/>
        </reference>
        <reference anchor="NIST-SP-800-38D" target="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf">
          <front>
            <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
            <author initials="M." surname="Dworkin">
              <organization/>
            </author>
            <date year="2007" month="November"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-38D"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8645">
          <front>
            <title>Re-keying Mechanisms for Symmetric Keys</title>
            <author fullname="S. Smyshlyaev" initials="S." role="editor" surname="Smyshlyaev"/>
            <date month="August" year="2019"/>
            <abstract>
              <t>A certain maximum amount of data can be safely encrypted when encryption is performed under a single key. This amount is called the "key lifetime". This specification describes a variety of methods for increasing the lifetime of symmetric keys. It provides two types of re-keying mechanisms based on hash functions and block ciphers that can be used with modes of operations such as CTR, GCM, CBC, CFB, and OMAC.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8645"/>
          <seriesInfo name="DOI" value="10.17487/RFC8645"/>
        </reference>
        <reference anchor="RFC8937">
          <front>
            <title>Randomness Improvements for Security Protocols</title>
            <author fullname="C. Cremers" initials="C." surname="Cremers"/>
            <author fullname="L. Garratt" initials="L." surname="Garratt"/>
            <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8937"/>
          <seriesInfo name="DOI" value="10.17487/RFC8937"/>
        </reference>
        <reference anchor="RFC9580">
          <front>
            <title>OpenPGP</title>
            <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
            <author fullname="D. Huigens" initials="D." surname="Huigens"/>
            <author fullname="J. Winter" initials="J." surname="Winter"/>
            <author fullname="Y. Niibe" initials="Y." surname="Niibe"/>
            <date month="July" year="2024"/>
            <abstract>
              <t>This document specifies the message formats used in OpenPGP. OpenPGP provides encryption with public key or symmetric cryptographic algorithms, digital signatures, compression, and key management.</t>
              <t>This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.</t>
              <t>This document obsoletes RFCs 4880 ("OpenPGP Message Format"), 5581 ("The Camellia Cipher in OpenPGP"), and 6637 ("Elliptic Curve Cryptography (ECC) in OpenPGP").</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9580"/>
          <seriesInfo name="DOI" value="10.17487/RFC9580"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="BHT18" target="https://eprint.iacr.org/2018/136">
          <front>
            <title>Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds</title>
            <author initials="P." surname="Bose">
              <organization/>
            </author>
            <author initials="V. T." surname="Hoang">
              <organization/>
            </author>
            <author initials="S." surname="Tessaro">
              <organization/>
            </author>
            <date year="2018"/>
          </front>
          <seriesInfo name="IACR" value="ePrint 2018/136"/>
        </reference>
        <reference anchor="HRRV15" target="https://eprint.iacr.org/2015/189">
          <front>
            <title>Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance</title>
            <author initials="V. T." surname="Hoang">
              <organization/>
            </author>
            <author initials="R." surname="Reyhanitabar">
              <organization/>
            </author>
            <author initials="P." surname="Rogaway">
              <organization/>
            </author>
            <author initials="D." surname="Vizár">
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="IACR" value="ePrint 2015/189"/>
        </reference>
        <reference anchor="Tink" target="https://eprint.iacr.org/2020/1019">
          <front>
            <title>Security of Streaming Encryption in Google's Tink Library</title>
            <author initials="V. T." surname="Hoang">
              <organization/>
            </author>
            <author initials="Y." surname="Shen">
              <organization/>
            </author>
            <date year="2020"/>
          </front>
          <seriesInfo name="IACR" value="ePrint 2020/1019"/>
        </reference>
        <reference anchor="DGRW18" target="https://doi.org/10.1007/978-3-319-96884-1_6">
          <front>
            <title>Fast Message Franking: From Invisible Salamanders to Encryptment</title>
            <author initials="Y." surname="Dodis">
              <organization/>
            </author>
            <author initials="P." surname="Grubbs">
              <organization/>
            </author>
            <author initials="T." surname="Ristenpart">
              <organization/>
            </author>
            <author initials="J." surname="Woodage">
              <organization/>
            </author>
            <date year="2018"/>
          </front>
          <seriesInfo name="CRYPTO 2018, LNCS" value="vol. 10991, pp. 155-186"/>
          <seriesInfo name="DOI" value="10.1007/978-3-319-96884-1_6"/>
        </reference>
        <reference anchor="ADG22" target="https://www.usenix.org/conference/usenixsecurity22/presentation/albertini">
          <front>
            <title>How to Abuse and Fix Authenticated Encryption Without Key Commitment</title>
            <author initials="A." surname="Albertini">
              <organization/>
            </author>
            <author initials="T." surname="Duong">
              <organization/>
            </author>
            <author initials="S." surname="Gueron">
              <organization/>
            </author>
            <author initials="S." surname="Kölbl">
              <organization/>
            </author>
            <author initials="A." surname="Luykx">
              <organization/>
            </author>
            <author initials="S." surname="Schmieg">
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="USENIX Security 2022" value="pp. 3291-3308"/>
        </reference>
        <reference anchor="FLRR25" target="https://eprint.iacr.org/2025/2275">
          <front>
            <title>Random-Access AEAD for Fast Lightweight Online Encryption</title>
            <author initials="A." surname="Fábrega">
              <organization/>
            </author>
            <author initials="J." surname="Len">
              <organization/>
            </author>
            <author initials="T." surname="Ristenpart">
              <organization/>
            </author>
            <author initials="G." surname="Rubin">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="EUROCRYPT" value="2026"/>
          <seriesInfo name="DOI" value="10.1007/978-3-032-25333-0_10"/>
        </reference>
        <reference anchor="MSetHash" target="https://doi.org/10.1007/978-3-540-40061-5_12">
          <front>
            <title>Incremental Multiset Hash Functions and Their Application to Memory Integrity Checking</title>
            <author initials="D." surname="Clarke">
              <organization/>
            </author>
            <author initials="S." surname="Devadas">
              <organization/>
            </author>
            <author initials="M." surname="van Dijk">
              <organization/>
            </author>
            <author initials="B." surname="Gassend">
              <organization/>
            </author>
            <author initials="G. E." surname="Suh">
              <organization/>
            </author>
            <date year="2003"/>
          </front>
          <seriesInfo name="ASIACRYPT" value="2003, LNCS 2894, pp. 188-207"/>
          <seriesInfo name="DOI" value="10.1007/978-3-540-40061-5_12"/>
        </reference>
        <reference anchor="DAE" target="https://doi.org/10.1007/11761679_23">
          <front>
            <title>A Provable-Security Treatment of the Key-Wrap Problem</title>
            <author initials="P." surname="Rogaway">
              <organization/>
            </author>
            <author initials="T." surname="Shrimpton">
              <organization/>
            </author>
            <date year="2006"/>
          </front>
          <seriesInfo name="EUROCRYPT" value="2006, LNCS 4004, pp. 373-390"/>
          <seriesInfo name="DOI" value="10.1007/11761679_23"/>
        </reference>
        <reference anchor="SEALPROOFS">
          <front>
            <title>Security Analysis of the SEAL Construction: raAE, Snapshot Integrity, and Commitment</title>
            <author initials="" surname="TBD">
              <organization/>
            </author>
            <date/>
          </front>
          <seriesInfo name="Work in Progress" value="manuscript in preparation"/>
        </reference>
      </references>
    </references>
    <?line 3823?>

<section anchor="appendix-pt-bound">
      <name>Optional Plaintext-Bound Nonce Construction</name>
      <t>This appendix is informative.  It describes an optional encryptor-side
construction that mixes plaintext content into the per-segment nonce
derivation to defend against RNG state duplication.  The construction is
encryptor-only: the decryptor reads the resulting nonce from the wire
(in the same slot used by random mode) and never invokes any of the
machinery below.  Implementations <bcp14>MAY</bcp14> use this construction in place of
a fresh CSPRNG call when generating nonces under nonce_mode "random".
The wire format is indistinguishable from random mode and decryption is
unaffected.</t>
      <t>One such construction:</t>
      <artwork><![CDATA[
pt_digest(i) = LH(plaintext_i)

encryption_params = [aead_id, segment_max_be, kdf_id]
pt_hash(i) = KDF(protocol_id, pt_hash_label,
                 [pt_digest(i)],
                 encryption_params, Nh)

nonce_ctx = encode(protocol_id, uint64(i), pt_hash(i))
nonce(i) = KDF(protocol_id, pt_nonce_label,
               [Random(Nn), payload_key],
               [...payload_info, nonce_ctx], Nn)
]]></artwork>
      <t>This construction fixes two labels:</t>
      <table anchor="pt-bound-labels">
        <name>Plaintext-bound construction labels</name>
        <thead>
          <tr>
            <th align="left">Derivation role</th>
            <th align="left">Label variable</th>
            <th align="left">Value</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Plaintext digest binding</td>
            <td align="left">pt_hash_label</td>
            <td align="left">"pt-nonce"</td>
          </tr>
          <tr>
            <td align="left">Final nonce derivation</td>
            <td align="left">pt_nonce_label</td>
            <td align="left">"nonce"</td>
          </tr>
        </tbody>
      </table>
      <t>Both labels are distinct from all other SEAL labels.  Neither
derivation uses nonce_base_label (<xref target="label-table"/>): the "nonce_base"
label belongs to derived nonce mode and does not appear in this
construction.  In the final derivation nonce_ctx enters the info list
as one element after the payload_info elements: its encode output is
framed behind a length prefix like any other element, not spliced
flat into the list.  Component vectors for both KDF classes are in
<xref target="pt-bound-vectors"/>.</t>
      <t>LH is the over-large-field digest of <xref target="concrete-framing"/>, which runs
the cipher suite's native KDF primitive directly on its input and
returns Nh octets.  It is collision-resistant per <xref target="framing"/>.
Decryptors never compute pt_digest.</t>
      <t>When the encryptor's CSPRNG produces duplicated state (for example, from
a virtual machine snapshot or a fork without reseed), two encryptions of
distinct plaintexts at the same segment index still produce distinct
nonces because pt_hash(i) differs.  Two encryptions of identical
plaintexts at the same index produce identical nonces, resulting in
deterministic encryption: the ciphertexts are identical, revealing only
that the plaintexts are equal.  No additional information beyond this
equality is leaked.</t>
      <t>For rewrites under this construction, the encryptor recomputes
pt_hash(i) with the new plaintext, derives a fresh nonce(i) using the
new pt_hash(i) and a new Random(Nn), seals the new plaintext under the
new nonce, and updates the snapshot value as in
<xref target="full-rewrite"/>.</t>
      <t>The construction is observationally equivalent to nonce_mode "random" at
the wire format.  A decryptor cannot distinguish whether the encryptor
used a fresh CSPRNG call or this construction to produce the stored
nonce.  Implementations that elect to use this construction internally
do not need to advertise it.</t>
    </section>
    <section anchor="hedged-randomness">
      <name>Optional Hedged Randomness</name>
      <t>When a long-term symmetric key sk of at least Nh octets is available to
the encryptor, implementations <bcp14>SHOULD</bcp14> mix it into random generation
using the hedging pattern of <xref target="RFC8937"/>.  If only an asymmetric private
key is available, it <bcp14>MUST</bcp14> first be processed through a KDF to produce a
uniform symmetric key.</t>
      <artwork><![CDATA[
hedge_key = KDF(protocol_id, hedge_label, sk, [], Nh)

HedgedRandom(n, label):
  return KDF(protocol_id, label,
      [hedge_key, Random(n)], [], n)
]]></artwork>
      <t>This construction fixes one label, hedge_label = "hedge", distinct from
all other SEAL labels.</t>
      <t>HedgedRandom output depends on both the CSPRNG and sk, so a weak CSPRNG
alone cannot predict it.  Hedging does not help when the CSPRNG state
itself is duplicated (VM snapshots, fork without reseed).  Identical
CSPRNG output still produces identical HedgedRandom output.  An optional
encryptor-side construction that mixes plaintext content into the
per-segment nonce derivation to defend against state duplication is
described in <xref target="appendix-pt-bound"/>.  That construction is orthogonal to
hedging and the two <bcp14>MAY</bcp14> be combined.</t>
    </section>
    <section anchor="appendix-reductions">
      <name>Proof Status and Security Claim Provenance</name>
      <t>This appendix is informative.  It states what is proven, where, and by
whom.  Each result below is inherited from <xref target="FLRR25"/>, argued in this
document, or deferred to a companion proof paper in preparation
(<xref target="SEALPROOFS"/>).</t>
      <dl>
        <dt>Inherited from <xref target="FLRR25"/>:</dt>
        <dd>
          <t>The ra-ROR and ra-CMT games, their advantages, and their proofs apply
to SEAL's realization of the base interface, summarized in
<xref target="segment-security"/> and <xref target="key-commitment"/>.  The ra-CMT-p notion and
its base proof are likewise inherited, but SEAL's realization of its
position binding is argued here (see below).</t>
        </dd>
        <dt>Argued in this document:</dt>
        <dd>
          <t>The mechanisms this document adds beyond <xref target="FLRR25"/> are argued in the
subsections below.  These are the snapshot authenticator that realizes
snapshot integrity, the nonce modes, the per-segment associated data
and position binding of ra-CMT-p (bound stated here, formal accounting
deferred), and the injectivity and domain separation of the KDF
combiner.  The combiner argument is structural and proof-complete
(<xref target="concrete-framing"/>).  The others state their bounds.  Their full
proofs are not here.</t>
        </dd>
        <dt>Referenced from external work:</dt>
        <dd>
          <t>The capacity, rewrite, and maximum-object-size bounds
(<xref target="aead-usage-limits"/>) are operational ceilings derived from
<xref target="I-D.irtf-cfrg-aead-limits"/>, <xref target="RFC8452"/> Section 9, and <xref target="BHT18"/>,
not security reductions proven here.</t>
        </dd>
        <dt>Deferred to <xref target="SEALPROOFS"/>:</dt>
        <dd>
          <t>The formal proof of snapshot integrity as an extension of the ra-ROR
framework, the real-or-random treatment of the derived-nonce equality
leakage (which relaxes that framework's nonce-respecting hypothesis to
deterministic MRAE), and the per-segment associated data and position
accounting of ra-CMT-p.</t>
        </dd>
        <dt>Precedent, not proof:</dt>
        <dd>
          <t>The derived-nonce unique-nonce transform rests on TLS 1.3
(<xref target="RFC8446"/>) and STREAM (<xref target="HRRV15"/>) precedent, treated in
<xref target="appendix-nonce-modes"/>.  That precedent does not prove SEAL-RO-v1.
The KDF hierarchy, the arbitrary-position ra-ROR syntax, the ra-CMT
commitment, the epoch accounting, and the object-level semantics
remain SEAL-specific proof obligations.</t>
        </dd>
      </dl>
      <t>The combiner's input encoding is injective and canonical, so distinct
(protocol_id, label, ikm, info, L) tuples map to distinct primitive
inputs and a given tuple has one encoding across implementations
(<xref target="concrete-framing"/>, <xref target="framing"/>).  Injectivity comes from the
length-prefixed encoding, not from the KDF, which need not itself be
injective.  Collision resistance is assumed only of LH, and only for
over-large fields.  The commitment derivation carries its own separate
collision-resistance assumption (<xref target="appendix-commitment"/>).</t>
      <t>The capacity and usage limits in <xref target="aead-usage-limits"/>, including the
maximum write-once object size (<xref target="max-object-size"/>) and the derived
nonce bounds (<xref target="mrae-bounds"/>), are operational ceilings.  They are
referenced from <xref target="I-D.irtf-cfrg-aead-limits"/>, <xref target="RFC8452"/> Section 9
with <xref target="BHT18"/>, and the 2^63 segment-index ceiling, not proven here.</t>
      <section anchor="appendix-proof-map">
        <name>Provenance of the Security Claims</name>
        <table anchor="proof-map-table">
          <name>Provenance of the security claims</name>
          <thead>
            <tr>
              <th align="left">Property</th>
              <th align="left">Source</th>
              <th align="left">Argument</th>
              <th align="left">Rests on</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ra-ROR</td>
              <td align="left">
                <xref target="FLRR25"/> notion and base proof; SEAL's arbitrary-position ra-ROR syntax is a SEAL-specific obligation</td>
              <td align="left">
                <xref target="appendix-adv-notation"/>, <xref target="appendix-ror"/></td>
              <td align="left">mu-PRF KDF (two keying levels), mu-ROR AEAD, no nonce collision, fresh per-message salt</td>
            </tr>
            <tr>
              <td align="left">ra-CMT (commitment, position-respecting)</td>
              <td align="left">
                <xref target="FLRR25"/></td>
              <td align="left">
                <xref target="appendix-commitment"/></td>
              <td align="left">collision resistance of the commitment derivation map over (protocol_id, "commit", CEK, payload_info, G, commitment_length)</td>
            </tr>
            <tr>
              <td align="left">ra-CMT-p (per-segment associated-data and position commitment)</td>
              <td align="left">
                <xref target="FLRR25"/> notion and base proof; SEAL position-binding realization and per-segment associated-data and position accounting argued here, formal write-up in <xref target="SEALPROOFS"/></td>
              <td align="left">
                <xref target="appendix-commitment"/></td>
              <td align="left">ra-CMT collision bound plus the underlying AEAD's commitment bound for the forged position</td>
            </tr>
            <tr>
              <td align="left">KDF combiner injectivity and domain separation</td>
              <td align="left">this document (structural, proof-complete)</td>
              <td align="left">
                <xref target="concrete-framing"/>, <xref target="framing"/></td>
              <td align="left">injectivity of the length-prefixed encoding (KDF need not be injective); collision resistance of LH for over-large fields only</td>
            </tr>
            <tr>
              <td align="left">Snapshot integrity (masked multiset hash)</td>
              <td align="left">this document, <xref target="appendix-snapshot"/></td>
              <td align="left">
                <xref target="appendix-snapshot"/></td>
              <td align="left">mu-PRF KDF under snap_key; MAC unforgeability of snapshot_tag over (n_seg, acc); deterministic-masking birthday and mix-and-match terms; per-object separation via salt-bound snap_key</td>
            </tr>
            <tr>
              <td align="left">AEAD usage, rewrite, and max-object bounds</td>
              <td align="left">external work (operational, not proven here)</td>
              <td align="left">
                <xref target="aead-usage-limits"/>, <xref target="max-object-size"/>, <xref target="mrae-bounds"/></td>
              <td align="left">
                <xref target="I-D.irtf-cfrg-aead-limits"/>, <xref target="RFC8452"/> Section 9 with <xref target="BHT18"/>, 2^63 segment-index ceiling</td>
            </tr>
            <tr>
              <td align="left">Derived-nonce unique-nonce transform</td>
              <td align="left">precedent, not proof (TLS 1.3 <xref target="RFC8446"/>, STREAM <xref target="HRRV15"/>)</td>
              <td align="left">
                <xref target="derived-nonces"/>, <xref target="appendix-nonce-modes"/></td>
              <td align="left">write-once uniqueness discipline reducing to nonce-respecting AEAD security</td>
            </tr>
            <tr>
              <td align="left">Derived-nonce equality leakage (MRAE)</td>
              <td align="left">this document; full proof in <xref target="SEALPROOFS"/></td>
              <td align="left">
                <xref target="appendix-nonce-modes"/></td>
              <td align="left">MRAE AEAD (<xref target="RFC8452"/>); per-segment fixed-nonce data-volume cap</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="appendix-adv-notation">
        <name>Advantage Notation and Adversary Parameters</name>
        <t>For a ra-ROR adversary (<xref target="adversary-model"/>) using at most u distinct
CEKs and q_m messages, each encrypted with an independent fresh 32-octet
per-content salt (<xref target="full-encryption"/>), across E total epochs and making
q_e encryption and q_d decryption segment queries with sigma = q_e +
q_d, the advantage is bounded by:</t>
        <artwork><![CDATA[
Adv_raROR(A) <= Adv_salt_coll
                   + Adv_muPRF(KDF, B_KDF)
                   + Adv_muROR(AEAD, B_AEAD)
                   + Adv_nonce_coll
                   + Adv_acc
]]></artwork>
        <t>The terms in the bound are as follows.</t>
        <dl>
          <dt>Adv_salt_coll</dt>
          <dd>
            <t>The probability that two messages encrypted under one CEK draw
the same salt.  Because the salt is a 32-octet value drawn
uniformly at random, this term is at most q_m^2 / 2^256.  A salt
collision is not a PRF-distinguishing event: the KDF
deterministically produces identical payload_key, snap_key, and
nonce_base outputs whenever (CEK, payload_info) repeats, so the
event must be charged separately.  Conditioned on no salt
collision, distinct messages under one CEK have distinct
payload_info values and therefore independent KDF outputs under
the mu-PRF assumption.  This term holds only under the fresh
per-message uniform salt requirement of <xref target="full-encryption"/>.  A
profile that reuses salts or draws them non-uniformly forfeits it
and must argue payload-schedule separation by other means
(<xref target="salt-reuse"/>).</t>
          </dd>
          <dt>Adv_muPRF(KDF, B_KDF)</dt>
          <dd>
            <t>The multi-user PRF advantage of the KDF, covering two keying levels.
Level A is keyed by the CEK and produces payload_key, snap_key, and
nonce_base.  It has u users, queried once per message.  Level B is
keyed by payload_key (producing epoch_key per <xref target="epoch-key-derivation"/>
and, in the plaintext-bound construction, per-segment nonces per
<xref target="appendix-pt-bound"/>) and by snap_key (producing the snapshot
authenticator's keyed derivations).  It has q_m users.  The snap_key
subset of Level B feeds the configured snapshot authenticator and is
counted under Adv_acc below.  It is not counted again here.</t>
          </dd>
          <dt>Adv_muROR(AEAD, B_AEAD)</dt>
          <dd>
            <t>The multi-user real-or-random advantage of the AEAD over sigma total
segment queries.  There is one mu-ROR user per distinct segment key,
for E epoch keys total (E = q_m when each message uses a single flat
epoch key).  This advantage absorbs a key-collision birthday term of
about E^2/2^(8*Nk) over the E distinct keys.  For the 256-bit-key
suites (Nk = 32) that term is about E^2/2^256 and is negligible.  For
AES-128-GCM (Nk = 16) it is about E^2/2^128 and is the binding
epoch-key collision floor.  <xref target="epoch-length-guidance"/> bounds E
for that suite.</t>
          </dd>
          <dt>Adv_nonce_coll</dt>
          <dd>
            <t>The probability of a nonce collision under any segment key.  In
derived nonce mode it is zero, conditional on no salt collision
(already charged via Adv_salt_coll).  In random nonce mode (with or
without the plaintext-bound hedge) it is bounded per
<xref target="confidentiality-nonce-collision"/>.  The
derived-mode statement relies on the deterministic-MRAE analysis in
<xref target="appendix-nonce-modes"/>.</t>
          </dd>
          <dt>Adv_acc</dt>
          <dd>
            <t>The masked multiset hash's snapshot forgery advantage, present only
under snap_id 0x0001 and zero otherwise.  SEAL authenticates the XOR
accumulator (<xref target="snapshot-authenticator"/>) with a snapshot tag, a MAC
under snap_key, and masks the published accumulator with a
deterministic tag-derived pad.  A different snapshot authenticator
contributes its own term in place of Adv_acc.</t>
          </dd>
        </dl>
        <t>The Adv_acc term is bounded by:</t>
        <artwork><![CDATA[
Adv_acc <= Adv_muPRF_acc
           + q_s^2 / 2^(8*Nh)          (snapshot-collision birthday)
           + q_v / 2^(8*Nh)            (fresh-input tag forgery)
           + q_s * q_v / 2^(8*Nh)      (mix-and-match accumulator guess)
]]></artwork>
        <t>Here Adv_muPRF_acc is the snap_key subset of B_KDF's Level B queries,
counted here and not again in Adv_muPRF(KDF, B_KDF).  q_s is the number
of published snapshot states the adversary observes and q_v the number
of SnapVerify queries it makes.  The q_s^2 birthday term is the cost of
the deterministic masking (<xref target="appendix-snapshot"/>).  The dominant terms
are that birthday and the mix-and-match q_s * q_v / 2^(8*Nh), and for
the SEAL suites (8*Nh of 256, 384, or 512) every term is negligible.</t>
      </section>
      <section anchor="appendix-ror">
        <name>ra-ROR Reduction</name>
        <t>The reduction follows the <xref target="FLRR25"/> hybrid over the two-level key
schedule (<xref target="key-derivation"/>).  Condition on no salt collision
(Adv_salt_coll).  Replace the CEK-keyed KDF outputs, then the
payload_key- and snap_key-keyed outputs, with uniformly random values
(Adv_muPRF at the two keying levels).  Bound the resulting segment AEAD
outputs (Adv_muROR).  A flat epoch key is the single-epoch case of the
same argument.  The segment AEAD calls are nonce-respecting only under
no nonce collision, the event charged to Adv_nonce_coll
(<xref target="appendix-adv-notation"/>).  In derived nonce mode this term is zero
conditional on the same no-salt-collision event
(<xref target="appendix-nonce-modes"/>).  The snapshot authenticator's forgery enters
separately as Adv_acc (<xref target="snapshot-security"/>).  The reduction constructs
adversaries B_KDF against multi-user PRF security of the KDF and B_AEAD
against multi-user real-or-random security of the AEAD, each running in
time approximately that of A.</t>
      </section>
      <section anchor="appendix-commitment">
        <name>Commitment</name>
        <t>ra-CMT security reduces to collision resistance of the commitment
derivation map over the tuple (protocol_id, "commit", CEK, payload_info,
G, commitment_length), with G empty by default.  PRF security alone is
not sufficient for this reduction, because the commitment adversary may
choose the CEK and the context values.  The collision-resistance
assumption captured in <xref target="key-derivation"/> is what makes the reduction
sound.</t>
        <t>For commitment_length = L octets, the relevant quantities are:</t>
        <artwork><![CDATA[
fixed-pair collision probability:  2^(-8*L)
q-query birthday probability:      q^2 / 2^(8*L + 1)
collision-search work factor:      about 2^(4*L)
]]></artwork>
        <t>Thus 16 octets gives about 2^64 collision-search work, 32 octets gives
about 2^128 (capped by SHA-256's own 2^128 collision resistance for
HKDF-SHA-256), 48 octets gives about 2^192 (capped by SHA-384's 2^192
for HKDF-SHA-384), and 64 octets gives about 2^256 (for HKDF-SHA-512,
capped by SHA-512's 2^256, and for TurboSHAKE-256).  The fixed-pair
collision probabilities at 32, 48, and 64 octets are 2^(-256), 2^(-384),
and 2^(-512), respectively.</t>
        <t>The ra-CMT-p advantage is bounded by the sum of two terms:  the
commitment collision bound above and the underlying AEAD's commitment
bound for the forged position.</t>
        <t>Position binding for ra-CMT-p is inherited from the underlying AEAD's
commitment level (<xref target="key-commitment"/>).  The notion and base proof are
inherited from <xref target="FLRR25"/>.  The exact per-segment associated data and
position accounting is deferred to <xref target="SEALPROOFS"/>.</t>
      </section>
      <section anchor="appendix-snapshot">
        <name>Snapshot Authenticator</name>
        <t>SEAL's snapshot authenticator (snap_id 0x0001) is the MSet-XOR-Hash of
Clarke et al. (<xref target="MSetHash"/>) with a deterministic mask this document
adds.  Each segment contributes a keyed KDF evaluation of its index and
tag, the contributions XOR into an accumulator, and the published value
masks that accumulator under snap_key.  A different authenticator that
meets the requirement of <xref target="framing"/> carries its own argument.</t>
        <t>The adversary has full read and write access to the stored segments,
their metadata, and the snapshot, and wins by making SnapVerify accept a
(segment set, snapshot) pair other than the writer's current state.
Whole-object rollback to an earlier honest state is excluded and is the
application's freshness responsibility (<xref target="snapshot-limitations"/>).</t>
        <t>Publishing the accumulator in the clear would be insecure.  That is the
MSet-XOR-Hash with its mask removed, which is only set-collision
resistant.  A write adversary reads the accumulator across honest
rewrites, collects the contribution differences old_contrib XOR
new_contrib, and after more than 8*Nh of them solves a GF(2) system for
a subset of segments it can revert without changing the accumulator.
The current snapshot tag still verifies, so a non-historical mixture of
versions is accepted with no MAC forgery.</t>
        <t>The deterministic mask defeats this attack.  Here wrapped_acc = acc XOR
snapmask(n_seg, snapshot_tag) hides the accumulator behind a one-time
pad keyed by snap_key and seeded by the synthetic snapshot tag, the
synthetic-IV derandomization of deterministic authenticated encryption
(<xref target="DAE"/>).  Two published states that collide on (n_seg, acc), or on the
snapshot tag at equal count, would expose a raw accumulator difference.
Over q_s published states that costs a birthday term q_s^2 / 2^m, with m
= 8*Nh.  Off that event the masks are independent one-time pads, the
published transcript is independent of every accumulator, and the
recombination above has no linear system left to solve.  Security
reduces to the PRF security of the KDF.  The mask protects the
accumulator only against a verifier that returns one bit, which is why
SnapVerify does not surface the recovered accumulator
(<xref target="masked-multiset-hash"/>).</t>
        <t>A forgery is then one of two events.  Either a fresh snapshot-tag input
is guessed, a MAC forgery bounded by q_v / 2^m over q_v verifications,
or a different segment set is made to hit a published accumulator by
chance, a mix-and-match bounded by q_s * q_v / 2^m against q_s published
states.  The mix-and-match term is a set collision on the keyed
contribution function and relies on the set-collision resistance of the
MSet-XOR-Hash-style construction (<xref target="MSetHash"/>).  The formal bound for
this term is discharged in <xref target="SEALPROOFS"/>.  Collecting the terms, the
snapshot forgery advantage Adv_acc of <xref target="appendix-adv-notation"/> is</t>
        <artwork><![CDATA[
Adv_acc <= Adv_muPRF_acc + q_s^2 / 2^m + q_v / 2^m + q_s * q_v / 2^m
]]></artwork>
        <t>with m = 8*Nh and dominant terms q_s^2 / 2^m and q_s * q_v / 2^m, both
negligible at Nh of 32, 48, or 64.  The argument relies on segment AEAD
authenticity, already charged as Adv_muROR, and adds no term beyond
Adv_acc.  Per-object separation comes from the salt-bound snap_key, and
the authenticator needs no assumption beyond the multi-user PRF the key
schedule already uses.  It does not need the commitment's collision
resistance.  Integrating this reduction into the combined ra-ROR proof
is in preparation (<xref target="SEALPROOFS"/>).</t>
      </section>
      <section anchor="appendix-nonce-modes">
        <name>Nonce Modes</name>
        <t>The unique-nonce transform of <xref target="derived-nonces"/>, which XORs the
segment index and finality bit into nonce_base, follows TLS 1.3
(<xref target="RFC8446"/>) static-IV-XOR-identifier and STREAM (<xref target="HRRV15"/>)
counter-plus-final-bit precedent.  Under the write-once uniqueness
discipline every derived nonce is distinct, which reduces
unique-nonce record protection to nonce-respecting AEAD security.
This is precedent, not a SEAL-specific proof.</t>
        <t>In derived nonce mode the nonce-collision term is zero conditional on no
salt collision, because each segment index maps to one derived nonce and
a fresh per-message salt makes the segment keys distinct across
messages.  A rewrite reuses a segment's derived nonce, so the
construction relies on the underlying MRAE AEAD: re-encrypting the same
plaintext and associated data under the same key and nonce reproduces
the same ciphertext, which leaks only equality of those inputs, while
distinct inputs remain real-or-random secure (<xref target="RFC8452"/>).  The formal
real-or-random treatment of this equality leakage for derived nonce mode
is in preparation (<xref target="SEALPROOFS"/>).  That treatment builds on the
<xref target="FLRR25"/> ra-ROR analysis and changes its nonce-respecting hypothesis:
a rewrite repeats a segment's derived nonce, so the proof replaces the
nonce-respecting AEAD assumption with deterministic-MRAE security, under
which nonce reuse leaks only input equality.</t>
      </section>
    </section>
    <section anchor="appendix-rationale">
      <name>Design Rationale</name>
      <t>This appendix is informative.</t>
      <section anchor="key-schedule-design-rationale">
        <name>Key Schedule Design Rationale</name>
        <t>The per-content salt makes the payload schedule unique even when a CEK
is reused across messages, which matters for applications that derive
CEKs from group keys.  The encryptor chooses the salt locally at write
time.  A per-message counter would instead require synchronized state.</t>
        <t>The CEK is 32 octets regardless of the AEAD key size Nk, so a
128-bit-key AEAD still derives its keys from a 256-bit CEK.</t>
        <t>Epoch keys bound the number of AEAD invocations under any one segment
encryption key.  Several considerations motivate this.</t>
        <dl>
          <dt>AEAD per-key bounds:</dt>
          <dd>
            <t>The per-key bounds of the underlying AEAD (birthday for 96-bit-nonce
schemes, block-size for AES, integrity forgery for all schemes) become
the limiting factor on security long before the nonce space is fully
exhausted.</t>
          </dd>
          <dt>Write-once content:</dt>
          <dd>
            <t>This matters even for content written once: large content with many
segments can place many AEAD invocations under a single key.</t>
          </dd>
          <dt>Rewrites:</dt>
          <dd>
            <t>Rewrites consume additional invocations and can exhaust the same
budget faster than write-once use, but they are not the only reason
for epoching.  Write-once large content benefits from the same
partitioning.</t>
          </dd>
          <dt>Random access:</dt>
          <dd>
            <t>Rekeying the entire content would defeat the random-access property,
so epoch keys bound the per-key invocation count without requiring a
full re-encryption.</t>
          </dd>
        </dl>
        <t>Labels separate derivation roles: commitment and payload_key share the
same inputs but different labels, making them independent under the PRF
assumption.  Once CEK and salt are chosen the hierarchy is fixed, with
no mutable state to synchronize across writers.</t>
      </section>
      <section anchor="nonce-mode-design-rationale">
        <name>Nonce Mode Design Rationale</name>
        <t>Random mode is simplest but trusts the CSPRNG completely.  Derived mode
removes that trust.  In a mutable profile it requires an MRAE AEAD,
because an in-place rewrite reuses the segment nonce
(<xref target="parameter-misuse"/>).  In the immutable profile SEAL-RO-v1 the
write-once rule keeps every derived nonce unique, so derived mode pairs
with any AEAD.  <xref target="aead-table"/> gives the default nonce_mode each suite
uses in the mutable profile, and a profile <bcp14>MAY</bcp14> select another valid
(nonce_mode, snap_id) tuple.</t>
      </section>
      <section anchor="snapshot-authenticator-design-rationale">
        <name>Snapshot Authenticator Design Rationale</name>
        <t>Three shapes were considered for whole-object integrity over an
updatable segment set.  A MAC over the concatenated tag list is the
simplest, but a rewrite changes one tag in the middle of the input, so
the writer recomputes over all n_seg tags on every update.  A Merkle
tree over the tags updates in O(log n) and can offer per-segment
inclusion proofs, but it either stores interior nodes that grow with the
object or re-reads segment tags to rebuild paths, and it rests on
collision resistance of a hash.  The masked multiset hash updates in
O(1) per rewrite, stores a single value of 2*Nh octets regardless of
object size, needs no per-segment proofs, and needs only the multi-user
PRF assumption the key schedule already carries.  Its costs are the ones
this document states explicitly:  the accumulator stays masked, the
verifier returns a single bit (<xref target="masked-multiset-hash"/>), and the
deterministic mask adds the q_s^2 birthday term to the bound
(<xref target="appendix-snapshot"/>).  A profile that needs per-segment inclusion
proofs or third-party verifiability needs a different authenticator
under its own snap_id (<xref target="snapshot-interface"/>).</t>
        <t>The accumulator is on the wire so a stateless writer can resume the O(1)
update from the stored snapshot alone, rather than holding it in trusted
state or re-reading every tag.  Publishing it is why the mask and the
one-bit verifier are needed:  an exposed accumulator would let a write
adversary recombine observed values (<xref target="appendix-snapshot"/>).</t>
      </section>
    </section>
    <section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix is informative.</t>
      <t>All vectors use protocol_id = "SEAL-RW-v1", CEK = 32 octets of 0xAA, and
salt = 32 octets of 0x04.  Each block opens with its parameter set,
grouped into three buckets:  the cipher suite (aead_id, kdf_id), the
geometry (segment_max), and the operational parameters (epoch_length,
nonce_mode, snap_id).  aead_id and kdf_id are the 2-octet IANA code
points from <xref target="aead-table"/> and <xref target="kdf-table"/>.  Then come the
payload_info elements as encoded on the wire, the payload schedule
outputs, the per-segment values, and the snapshot fields.  Hexadecimal
values wrap at 16 octets per line.</t>
      <t>The snapshot fields are the internal accumulator acc, the mask
snapmask(n_seg, snapshot_tag), the published wrapped_acc = acc XOR mask,
and the snapshot tag.  The snapshot stored on the wire is wrapped_acc ||
snapshot_tag (<xref target="masked-multiset-hash"/>).  The accumulator is an
intermediate value and is not on the wire, and the count is recovered
from the segment set.</t>
      <t>Single-segment plaintexts are "Hello, SEAL!" (12 octets).  Two-segment
messages append "Two segments of SEAL" (20 octets) as the final segment.
Most vectors use nonce_mode "random" with stored nonces 0x03 and 0x07
repeated to the AEAD nonce length.  The derived-nonce vector in
<xref target="derived-nonce-vector"/> instead recomputes each nonce from nonce_base,
and the cross-epoch vector in <xref target="cross-epoch-vector"/> sets epoch_length 0
and exposes the intermediate epoch_key and segment_key for each segment.
<xref target="single-trace"/> gives the full KDF trace for one commitment.  The other
blocks list schedule outputs only.  The eighteen computed positive
vectors, plus the negative SnapVerify vector in <xref target="snapverify-reject"/>,
are published byte-for-byte as raae-v1-vectors.json in the draft
repository.</t>
      <t>The vectors are organized by purpose:</t>
      <dl>
        <dt>Annotated walkthrough:</dt>
        <dd>
          <t><xref target="single-trace"/> shows one complete HKDF-SHA-256 trace, including the
commitment KDF inputs.  Use it to debug framing, payload_info
construction, commitment derivation, segment AAD, accumulator
contribution, and snapshot_tag computation.</t>
        </dd>
        <dt>Combiner injectivity coverage:</dt>
        <dd>
          <t><xref target="combiner-vectors"/> exercises the KDF combiner in isolation and
demonstrates encode() injectivity, including the empty-sequence and
same-octets-different-grouping cases.  The 38 combiner vectors are
published as raae-v1-combiner-kdf-vectors.json.</t>
        </dd>
        <dt>Cipher-suite coverage:</dt>
        <dd>
          <t>The single-segment and two-segment vectors exercise the listed AEAD
and segment-size combinations with HKDF-SHA-256.  Use these to check
AEAD code points, segment_max encoding, nonce storage, and
finality-bit handling.</t>
        </dd>
        <dt>KDF coverage:</dt>
        <dd>
          <t><xref target="turboshake-vectors"/> covers the TurboSHAKE-256 KDF suite and its
64-octet Nh outputs.</t>
        </dd>
        <dt>Rewrite coverage:</dt>
        <dd>
          <t><xref target="rewrite-vector"/> shows a segment rewrite and the corresponding
accumulator and snapshot_tag update.</t>
        </dd>
        <dt>Derived-nonce coverage:</dt>
        <dd>
          <t><xref target="derived-nonce-vector"/> covers AES-256-GCM-SIV in derived nonce mode,
where the nonce is recomputed rather than stored.</t>
        </dd>
        <dt>Epoch coverage:</dt>
        <dd>
          <t><xref target="cross-epoch-vector"/> shows epoch_length = 0, the finest rotation,
and exposes per-segment epoch_key and segment_key values.  The
AEGIS-256 blocks exercise the opposite endpoint, the flat key at
epoch_length = 63.</t>
        </dd>
        <dt>Plaintext-bound nonce coverage:</dt>
        <dd>
          <t><xref target="pt-bound-vectors"/> exposes the component values of the optional
plaintext-bound nonce construction, which no end-to-end vector can
reach.</t>
        </dd>
        <dt>Global associated data coverage:</dt>
        <dd>
          <t><xref target="g-commitment-vector"/> pins the commitment's G input at its empty
default, which equals the <xref target="single-trace"/> commitment, and at a
nonempty value.</t>
        </dd>
        <dt>Empty-AAD coverage:</dt>
        <dd>
          <t>All vectors use empty per-segment A_i.  As specified in
<xref target="concrete-segment-aad"/>, an empty A_i is omitted from the encoding
rather than encoded as a zero-length fourth element.</t>
        </dd>
        <dt>Negative coverage:</dt>
        <dd>
          <t><xref target="snapverify-reject"/> changes the accumulator without recomputing the
snapshot tag; SnapVerify rejects the stored snapshot.</t>
        </dd>
      </dl>
      <t>The JSON file is the complete corpus for automated tests.  The text
below is intended for debugging and review.</t>
      <section anchor="single-trace">
        <name>Single Segment, AES-256-GCM, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
  payload_key  (32 octets):
    c1f2663e99977428dc0fec1566ce15e9
    1398634ab9b1d004945de48560707062
  snap_key     (32 octets):
    bc314ecaa8ff6c1c4ebc13b54597a10d
    2bcf412b40c428a0e411a828fcfb52ef

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    6a2b84e72ce8edbf4259eebd
  tag          (16 octets):
    a821834621b302b0eb00b0245fff2efb
  contrib      (32 octets):
    97b74013b135f6fe1739da05e1720b90
    dc596a6d09e29bfe437bb710391c9ba8

accumulator  (32 octets):
    97b74013b135f6fe1739da05e1720b90
    dc596a6d09e29bfe437bb710391c9ba8
mask         (32 octets):
    9356a1f7905b40b4561315a6892503d6
    2b0c7162aa19285f939325709f5847fb
wrapped_acc  (32 octets):
    04e1e1e4216eb64a412acfa368570846
    f7551b0fa3fbb3a1d0e89260a644dc53
snapshot_tag (32 octets):
    4e7bb00b4216798e02e511b26f0167c2
    a3f6c791407994e1f503f3923e591438

KDF trace for the commitment (HKDF-SHA-256):
  extract_input = encode(protocol_id, "commit", CEK):
    000a5345414c2d52572d76310006636f
    6d6d69740020aaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaa
  prk = HKDF-Extract(salt = protocol_id, extract_input):
    8eb0007f1e8ac96904742b4fb4448aba
    9d8a4b319f72f7e4a6d7bb8aab95737d
  expand_info = encode(protocol_id, "commit", ...payload_info, G,
                       I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000200020004000040000002
    00010002000100010000010100200404
    04040404040404040404040404040404
    04040404040404040404040404040000
    00020020
  commitment = HKDF-Expand(prk, expand_info, 32):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
]]></artwork>
      </section>
      <section anchor="g-commitment-vector">
        <name>Commitment with Global Associated Data</name>
        <t>These vectors pin the G input (<xref target="framework-commitment"/>) against the
schedule of <xref target="single-trace"/>:  the same CEK, salt, and payload_info with
G at its empty default and at a nonempty value.  The default case equals
the <xref target="single-trace"/> commitment, since every commitment includes the G
element.  These values are printed here only and are not part of the
end-to-end corpus.</t>
        <artwork><![CDATA[
G default (empty):
  commitment   (32 octets):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
  (the Single Segment, AES-256-GCM, HKDF-SHA-256, 16384
   commitment)

G = "raae-demo-g":
  G            (11 octets):
    726161652d64656d6f2d67
  commitment   (32 octets):
    d8eedb1fa0f77428cc33d252eb307796
    ae3bb911c2f6ea7a9e5b0bde312afd73
]]></artwork>
      </section>
      <section anchor="combiner-vectors">
        <name>KDF Combiner Vectors</name>
        <t>These vectors exercise the KDF combiner (<xref target="concrete-framing"/>) in
isolation.  They demonstrate that encode() is injective over
(protocol_id, label, ikm, info, L): distinct inputs, including inputs
whose octets concatenate to the same string under a different grouping,
produce distinct framed inputs and therefore distinct outputs.  The full
set of 38 combiner vectors, covering both KDF classes and every SEAL
label, is published byte-for-byte as raae-v1-combiner-kdf-vectors.json
in the draft repository.  All blocks below use ikm equal to a single
32-octet element of 0xAA.  Hexadecimal values wrap at 16 octets per
line.</t>
        <t>The first pair frames the same five info octets 01 02 03 04 05 two ways.
Because encode length-prefixes each element, the two expand_info values
differ, so the outputs differ.  The second pair shows that the empty
sequence and a one-element sequence whose element is the empty octet
string are distinct.  The third pair repeats the distinction in the
one-step form, where encode(...ikm) and encode(...info) are each a
single nested element of the message.</t>
        <artwork><![CDATA[
KDF.29  HKDF-SHA-256, label "commit"  (info = [010203, 0405])
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000301020300020405000200
    20
  output (32 octets):
    0dfb8948fcc220f61f43f291648903b7
    1fe6e5208647b6e18d3308f59fca0fa0

KDF.30  HKDF-SHA-256, label "commit"  (info = [0102, 030405])
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000201020003030405000200
    20
  output (32 octets):
    299aa40869ae880bc8a064bb5afe38c4
    13f420ff30bcbfac7651d5e248b3db98

KDF.8  HKDF-SHA-256, label "commit"  (info = [], the empty sequence)
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d697400020020
  output (32 octets):
    90073e3e9f1c855c2b7460e851f75d1a
    063a1daf007f81e4a695da1a0f97fca6

KDF.28  HKDF-SHA-256, label "commit"  (info = [""], one empty element)
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000000020020
  output (32 octets):
    5a4b4b2d59f5989c598f05a0a448acda
    faf27e10914c3894430ee7482c9a1913

KDF.33  TurboSHAKE-256, label "commit"  (info = [010203, 0405])
  encoded_input = encode(protocol_id, "commit",
                       encode(...ikm), encode(...info),
                       I2OSP(64, 2)):
    000a5345414c2d52572d76310006636f
    6d6d697400220020aaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaa0009000301020300
    02040500020040
  output (64 octets):
    dcefbcdced8b413e18303d2ffe1cac63
    44ee71b13324caa91d1712efc6b81ca8
    9ce2b62ce3aedde0ed16e14d7d17e2f2
    bc69f5e856eb96f9e4845f8522b0a9b5

KDF.34  TurboSHAKE-256, label "commit"  (info = [0102, 030405])
  encoded_input = encode(protocol_id, "commit",
                       encode(...ikm), encode(...info),
                       I2OSP(64, 2)):
    000a5345414c2d52572d76310006636f
    6d6d697400220020aaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaa0009000201020003
    03040500020040
  output (64 octets):
    02958e6256193c71b0cc4b8ac3273b31
    15d1ac30fd9aab537ad6916206be9828
    9146b56526054b3c11e22f2c375d0b24
    43e8d2ad2e6a89b874aa9ef4ce2c9c77
]]></artwork>
      </section>
      <section anchor="single-segment-aes-256-gcm-hkdf-sha-256-65536">
        <name>Single Segment, AES-256-GCM, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9285553e10209c27bb5858b621426513
    b0832f26d7ee813d9dd62c218ce6972a
  payload_key  (32 octets):
    bb78da70d5e99d36c78e8a8b1a79b620
    e4a4250dd6b471024c379917dfbb2de7
  snap_key     (32 octets):
    953950ab75bdefd67ef15bbd7665b8af
    d3c9ced50ce7cb369e789606fc455025

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    1815f12b13f7ee2532f0fcca
  tag          (16 octets):
    df4b1428af3c5ecb6d804159fec249e0
  contrib      (32 octets):
    73e62d2574a38dc44b406a0c2f2d57b1
    2b7ca777b053cdbb4e9d6f1b3257991a

accumulator  (32 octets):
    73e62d2574a38dc44b406a0c2f2d57b1
    2b7ca777b053cdbb4e9d6f1b3257991a
mask         (32 octets):
    dfd59806ded61dbf83bab8a7e143da0e
    01714d207c2f53af86e00c875590093b
wrapped_acc  (32 octets):
    ac33b523aa75907bc8fad2abce6e8dbf
    2a0dea57cc7c9e14c87d639c67c79021
snapshot_tag (32 octets):
    5a7713eab7ce2f7f246647aa407e14fa
    f295a04333f06c27cdc1193252a9b8bc
]]></artwork>
      </section>
      <section anchor="single-segment-chacha20-poly1305-hkdf-sha-256-16384">
        <name>Single Segment, ChaCha20-Poly1305, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9ef7166bbce42787fd834f79d29f85b6
    6a050b24f372ecfb79a66b3f2fdc1acb
  payload_key  (32 octets):
    d0f1d392a371642db684a23858c0193c
    2d7406cb4360c81ef9190391cacf885f
  snap_key     (32 octets):
    b156708dc559791d78014bae5e01b5fd
    f8a397c2d140fd9b9468e3cceeb8aa5d

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    f1d968bc047a7bf6a15ef400
  tag          (16 octets):
    567deca2d91b732fd1f814a65335df79
  contrib      (32 octets):
    235bfbd70b8ce751d3720bea8351f039
    dac89c0055d817a5b949a8582c590035

accumulator  (32 octets):
    235bfbd70b8ce751d3720bea8351f039
    dac89c0055d817a5b949a8582c590035
mask         (32 octets):
    3beeed96dd10cd4bc3ec5f439a789d84
    acd1542b0edabd0c48c1bfb4766af53e
wrapped_acc  (32 octets):
    18b51641d69c2a1a109e54a919296dbd
    7619c82b5b02aaa9f18817ec5a33f50b
snapshot_tag (32 octets):
    b7a4b41dfb8de76d9ebaf0833f72d03b
    277bab9453c9085553dee456c998f4b7
]]></artwork>
      </section>
      <section anchor="single-segment-chacha20-poly1305-hkdf-sha-256-65536">
        <name>Single Segment, ChaCha20-Poly1305, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    ed76666a233fc9724c82f209aea191fa
    bdf8e65f12fa97f0a4e317839ee56f19
  payload_key  (32 octets):
    a859c3a684d35378bbbcf7ed48286313
    3e3af8d2cbf8d40687d693243c32cdea
  snap_key     (32 octets):
    aa42a852946818754780e48a9209a451
    345367bd07a04ad794c62a703366aa90

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    db9cf72ba226e3210aa9fcb5
  tag          (16 octets):
    f5048c0d08372770fe066f2b5c052ab8
  contrib      (32 octets):
    aec6ba40c8e7234e704d3a689866dcb0
    efb84a6f0c75e27ea45756486d2b9a72

accumulator  (32 octets):
    aec6ba40c8e7234e704d3a689866dcb0
    efb84a6f0c75e27ea45756486d2b9a72
mask         (32 octets):
    b372584c8a52e2daec61e6b3b2740b87
    c56913270ebf83456636645bccbd125c
wrapped_acc  (32 octets):
    1db4e20c42b5c1949c2cdcdb2a12d737
    2ad1594802ca613bc2613213a196882e
snapshot_tag (32 octets):
    2eb1e1d010fa697a4c577445e36aacc6
    3cfbaafc893b8cd6730099c560d3524a
]]></artwork>
      </section>
      <section anchor="single-segment-aegis-256-hkdf-sha-256-16384">
        <name>Single Segment, AEGIS-256, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    c4e0d853da06a0d7da0f062952ce8c1d
    c9936ec06b883accd2117aed9475f0cb
  payload_key  (32 octets):
    7b69e4c6a70d806c97315c4f37e698f8
    ad104677c20b4336ad81c9de7544246a
  snap_key     (32 octets):
    fb987468cf2e7f1321b8130b68933c7f
    039a39b0606fc7bc106d3169a9323d73

Segment 0 (is_final=1):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    91c6c2100dd9d365e5a6df47
  tag          (16 octets):
    f48dd988d409eb7b90b4fe6447ec7b25
  contrib      (32 octets):
    176e02c54d994c99f50928a7c67386fb
    ea17424dbcf70230e9f4bea73f5265a4

accumulator  (32 octets):
    176e02c54d994c99f50928a7c67386fb
    ea17424dbcf70230e9f4bea73f5265a4
mask         (32 octets):
    5e9bb90f0671afe58fb72584dce62ae6
    6bfaa33159a97eefc2de2304c8b2528a
wrapped_acc  (32 octets):
    49f5bbca4be8e37c7abe0d231a95ac1d
    81ede17ce55e7cdf2b2a9da3f7e0372e
snapshot_tag (32 octets):
    cb35b42e68a265b2c6a09de9b381044b
    29f46e98342a44f6eaae3eb8f7470789
]]></artwork>
      </section>
      <section anchor="single-segment-aegis-256-hkdf-sha-256-65536">
        <name>Single Segment, AEGIS-256, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    6bb3b3000bbdba28de3a8fcf29fd862e
    094e2e28c6df0d677aeba07ab747fe18
  payload_key  (32 octets):
    425c1db85e1d3c85025ab41d5e263db9
    c4969b4599942fa582d2394f0c5870e4
  snap_key     (32 octets):
    4bb7fb2a1e5036cbe9aa018af5b5fe56
    2fd60a1c388c54168621a40530ae4237

Segment 0 (is_final=1):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    f53c634ccf8aab1157fa44fd
  tag          (16 octets):
    90b6fa24f3cd9cb2b18574536f7bfdfc
  contrib      (32 octets):
    0b649e2b2702281a67ac5ab72c4b8e68
    afbe4135ee9a5fe693f34b6383377a24

accumulator  (32 octets):
    0b649e2b2702281a67ac5ab72c4b8e68
    afbe4135ee9a5fe693f34b6383377a24
mask         (32 octets):
    462e3c1a58d6f5f665988d3a28769729
    3bb3fa914b43a3d99b69da1b9491d1a3
wrapped_acc  (32 octets):
    4d4aa2317fd4ddec0234d78d043d1941
    940dbba4a5d9fc3f089a917817a6ab87
snapshot_tag (32 octets):
    34303daf7ba4f37eeddd4fd2bb382bb2
    439ceaecb5c240fc2839e2602d3a7d33
]]></artwork>
      </section>
      <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-16384">
        <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
  payload_key  (32 octets):
    c1f2663e99977428dc0fec1566ce15e9
    1398634ab9b1d004945de48560707062
  snap_key     (32 octets):
    bc314ecaa8ff6c1c4ebc13b54597a10d
    2bcf412b40c428a0e411a828fcfb52ef

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    6a2b84e72ce8edbf4259eebd
  tag          (16 octets):
    1574936244d54aedf589c87002dbac90
  contrib      (32 octets):
    322c4622cd9f50552740d1eee7a530eb
    3fd371e44178b8ce18816b53dd3f1587
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    50b0eda5d7a86a5a94e501f317020173
    6d755d56
  tag          (16 octets):
    f22fb2b4bfed679d1d90d2a0814e429c
  contrib      (32 octets):
    7455e0472187dcd04a5747d508587a8c
    9f3e281818188be0edd46be8e32d4a6e

accumulator  (32 octets):
    4679a665ec188c856d17963beffd4a67
    a0ed59fc5960332ef55500bb3e125fe9
mask         (32 octets):
    ad55f19bb8997c8ad0def92830f0ce09
    4542ec804f7b99e66f294164985979a8
wrapped_acc  (32 octets):
    eb2c57fe5481f00fbdc96f13df0d846e
    e5afb57c161baac89a7c41dfa64b2641
snapshot_tag (32 octets):
    a08c73b5c414542cc06830d893d0eaca
    c749418dea32b11d5cc121d6b2db93b8
]]></artwork>
      </section>
      <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-65536">
        <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9285553e10209c27bb5858b621426513
    b0832f26d7ee813d9dd62c218ce6972a
  payload_key  (32 octets):
    bb78da70d5e99d36c78e8a8b1a79b620
    e4a4250dd6b471024c379917dfbb2de7
  snap_key     (32 octets):
    953950ab75bdefd67ef15bbd7665b8af
    d3c9ced50ce7cb369e789606fc455025

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    1815f12b13f7ee2532f0fcca
  tag          (16 octets):
    2597e2f2243b98c4bb7f320dc2f46ce3
  contrib      (32 octets):
    0d8b3cb23192377e88232945f623150b
    1a1c0b61745a4fa39a5f65e162b6e672
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    f17c9cac3693dcb4bdd524714da804d4
    c4390056
  tag          (16 octets):
    97d4f0d1303a2b112eac5aae081ef6bf
  contrib      (32 octets):
    a8e8df627852127e058558353da2def9
    9a83928b4c96ef37a5d0b08068b1a87c

accumulator  (32 octets):
    a563e3d049c025008da67170cb81cbf2
    809f99ea38cca0943f8fd5610a074e0e
mask         (32 octets):
    946a2744cf3fd572a03993d434705704
    47d1ce03f4769035a5058780660e5eff
wrapped_acc  (32 octets):
    3109c49486fff0722d9fe2a4fff19cf6
    c74e57e9ccba30a19a8a52e16c0910f1
snapshot_tag (32 octets):
    5ce50c9e90db4bbc28297372e401625c
    2e43203ce8008c452ea4355f0941ef67
]]></artwork>
      </section>
      <section anchor="two-segment-chacha20-poly1305-hkdf-sha-256-16384">
        <name>Two Segment, ChaCha20-Poly1305, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9ef7166bbce42787fd834f79d29f85b6
    6a050b24f372ecfb79a66b3f2fdc1acb
  payload_key  (32 octets):
    d0f1d392a371642db684a23858c0193c
    2d7406cb4360c81ef9190391cacf885f
  snap_key     (32 octets):
    b156708dc559791d78014bae5e01b5fd
    f8a397c2d140fd9b9468e3cceeb8aa5d

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    f1d968bc047a7bf6a15ef400
  tag          (16 octets):
    0359d2adbe709e374e6fae7830001295
  contrib      (32 octets):
    92c78ada192f60346b35491986711454
    9e20d72ede4b78a9567cf414365bc781
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    4d8f7a1b6aa589808c384a52bd90e4d0
    a44ed35e
  tag          (16 octets):
    61c3caca0ecda929269f52978f4a60e1
  contrib      (32 octets):
    85db0789dfd84dfaeb095fc28101d929
    af58800d6ae8882353c83c9a6013492c

accumulator  (32 octets):
    171c8d53c6f72dce803c16db0770cd7d
    31785723b4a3f08a05b4c88e56488ead
mask         (32 octets):
    e399bc51986eaf7f8d7cbcb3e76da43a
    b9607c01e413dd462639c4fd50191f32
wrapped_acc  (32 octets):
    f48531025e9982b10d40aa68e01d6947
    88182b2250b02dcc238d0c730651919f
snapshot_tag (32 octets):
    f4bfbdff53178451463ef23c73a31ab5
    06a6acfb49282af14598b2f49f32ceeb
]]></artwork>
      </section>
      <section anchor="two-segment-chacha20-poly1305-hkdf-sha-256-65536">
        <name>Two Segment, ChaCha20-Poly1305, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    ed76666a233fc9724c82f209aea191fa
    bdf8e65f12fa97f0a4e317839ee56f19
  payload_key  (32 octets):
    a859c3a684d35378bbbcf7ed48286313
    3e3af8d2cbf8d40687d693243c32cdea
  snap_key     (32 octets):
    aa42a852946818754780e48a9209a451
    345367bd07a04ad794c62a703366aa90

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    db9cf72ba226e3210aa9fcb5
  tag          (16 octets):
    6423011bc81f13a30ef51ff32f209cff
  contrib      (32 octets):
    fab6f671b544bb356337a2b811475663
    cc5fab22c29a6770c6cd035bc44d0554
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    85ead0c3a974dd014622ec0e2ba9a6e6
    199a7b88
  tag          (16 octets):
    3ee3399f906110b8e7900805f2b72a85
  contrib      (32 octets):
    361a4ce5127403db2e54950d48a81af1
    a71913771db2885bcb6bcdab971a3611

accumulator  (32 octets):
    ccacba94a730b8ee4d6337b559ef4c92
    6b46b855df28ef2b0da6cef053573345
mask         (32 octets):
    b62dbfa20e0725e6cc0bb81b169f6294
    a8b1d7b94968ac589c9b7ebcffc37882
wrapped_acc  (32 octets):
    7a810536a9379d0881688fae4f702e06
    c3f76fec96404373913db04cac944bc7
snapshot_tag (32 octets):
    e0b3b1cadba56bb4994d7872b57aff7f
    42215a8e2b7a2241cffd5107f571d560
]]></artwork>
      </section>
      <section anchor="two-segment-aegis-256-hkdf-sha-256-16384">
        <name>Two Segment, AEGIS-256, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    c4e0d853da06a0d7da0f062952ce8c1d
    c9936ec06b883accd2117aed9475f0cb
  payload_key  (32 octets):
    7b69e4c6a70d806c97315c4f37e698f8
    ad104677c20b4336ad81c9de7544246a
  snap_key     (32 octets):
    fb987468cf2e7f1321b8130b68933c7f
    039a39b0606fc7bc106d3169a9323d73

Segment 0 (is_final=0):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    91c6c2100dd9d365e5a6df47
  tag          (16 octets):
    c4837c14751196e622301d3e8a5e00b2
  contrib      (32 octets):
    002805d6180149a3852b8afd82b40db9
    4d4e2af23a11bfb1e2922e5e3efb4210
Segment 1 (is_final=1):
  nonce        (32 octets):
    09090909090909090909090909090909
    09090909090909090909090909090909
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    006704b222fa9285da01b706be831b76
    ead7332c
  tag          (16 octets):
    9965b57015a2b058514fb1fca7708242
  contrib      (32 octets):
    f1edcc4f336fb96b7319d30bca9a9194
    e6795e34a3a0b19652521d749dd2e767

accumulator  (32 octets):
    f1c5c9992b6ef0c8f63259f6482e9c2d
    ab3774c699b10e27b0c0332aa329a577
mask         (32 octets):
    0affb88aa98af47cf91aa6c80b733679
    070bc7b44df36f22859f0c89a91a3cc9
wrapped_acc  (32 octets):
    fb3a711382e404b40f28ff3e435daa54
    ac3cb372d4426105355f3fa30a3399be
snapshot_tag (32 octets):
    3d8899806c647a198c1c4e23f6ce8a2e
    be5d8cba11d65a16bbd2e7d5c4f415fc
]]></artwork>
      </section>
      <section anchor="two-segment-aegis-256-hkdf-sha-256-65536">
        <name>Two Segment, AEGIS-256, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    6bb3b3000bbdba28de3a8fcf29fd862e
    094e2e28c6df0d677aeba07ab747fe18
  payload_key  (32 octets):
    425c1db85e1d3c85025ab41d5e263db9
    c4969b4599942fa582d2394f0c5870e4
  snap_key     (32 octets):
    4bb7fb2a1e5036cbe9aa018af5b5fe56
    2fd60a1c388c54168621a40530ae4237

Segment 0 (is_final=0):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    f53c634ccf8aab1157fa44fd
  tag          (16 octets):
    c466896ca6da6509959b1c0c10dd688d
  contrib      (32 octets):
    e558127502262f71ac5ce07b9e0e101f
    177a5428a10ecb464cfcd731d75b35fe
Segment 1 (is_final=1):
  nonce        (32 octets):
    09090909090909090909090909090909
    09090909090909090909090909090909
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    40865396160e5aa905a96d3a6552f6cc
    fecf30ec
  tag          (16 octets):
    ddd6e4979a6d648400b236abc617d033
  contrib      (32 octets):
    23f4cfab2a5601a75d7f87148c5f32fd
    d8ab5ac1a16d25c9688e61b7d09171bb

accumulator  (32 octets):
    c6acddde28702ed6f123676f125122e2
    cfd10ee90063ee8f2472b68607ca4445
mask         (32 octets):
    8d8832a7c865352b6ebcfabaa1c85c69
    0aacfbfb2bf08a73cc090281bea1ca42
wrapped_acc  (32 octets):
    4b24ef79e0151bfd9f9f9dd5b3997e8b
    c57df5122b9364fce87bb407b96b8e07
snapshot_tag (32 octets):
    016300d12db61dc1b6b11fbeee8ecaf8
    614efe5802f3fc919ab8aa665cdf9294
]]></artwork>
      </section>
      <section anchor="turboshake-vectors">
        <name>TurboSHAKE-256 Cipher Suite Vectors</name>
        <t>These two vectors exercise the one-step TurboSHAKE-256 cipher suite
(<xref target="kdf-table"/>), for which Nh = 64.  The commitment, snap_key, contrib,
the accumulator, and the snapshot tag are therefore 64 octets, while
payload_key (Nk) and the nonces (Nn) are unchanged.</t>
        <section anchor="single-segment-aes-256-gcm-turboshake-256-65536">
          <name>Single Segment, AES-256-GCM, TurboSHAKE-256, 65536</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0013  (TurboSHAKE-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0013
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (64 octets):
    b19991b71ed275d98070eab735179d60
    be397354a85f6d6f58e74dcb90f0ff43
    8271da594a267d81aaa74a88736ba549
    d9e88c1b9d9a972135220b76c9568483
  payload_key  (32 octets):
    bdecddf1340029c520b9b4a9e1b15144
    d283209261a58113294728e337d14ea8
  snap_key     (64 octets):
    92fc2e47ac72bbdbcac62a67ced07dad
    a1e907bd82e92a68ba5f6098ec067931
    e59683904d5213ddd0abe237ac0f9450
    ef33180028f2ea7e47d738e6f3faed01

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    429b98993decaa7c1792d52d
  tag          (16 octets):
    be8cd796db427f283859fa6722708d5b
  contrib      (64 octets):
    371669ebb5f158b73bd65f0f66a33878
    3e2372d1cbfced76ff866e264fb6c85f
    151dcdf2662d286cc065844a2b5aff57
    200d689ad4ee7d027df20be43747bbf2

accumulator  (64 octets):
    371669ebb5f158b73bd65f0f66a33878
    3e2372d1cbfced76ff866e264fb6c85f
    151dcdf2662d286cc065844a2b5aff57
    200d689ad4ee7d027df20be43747bbf2
mask         (64 octets):
    39bc62cc8b75a8745da4cf36061350a1
    a1c439359cde43df5355ce7c8527cb0f
    23dbf74cd0534517d729fc1ebad29d15
    b27c8f0373ca74ccc7a19de9e174ce39
wrapped_acc  (64 octets):
    0eaa0b273e84f0c36672903960b068d9
    9fe74be45722aea9acd3a05aca910350
    36c63abeb67e6d7b174c785491886242
    9271e799a72409ceba53960dd63375cb
snapshot_tag (64 octets):
    75dd576b0a3f5ba7181b3e183e6ef741
    b1e7ea93a7852fc0c7657ed905f74eb6
    45570ac0b639c2f901797f1152c8c7d4
    196aed0cf4af2308431af242399b0c22
]]></artwork>
        </section>
        <section anchor="two-segment-aes-256-gcm-turboshake-256-65536">
          <name>Two Segment, AES-256-GCM, TurboSHAKE-256, 65536</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0013  (TurboSHAKE-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0013
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (64 octets):
    b19991b71ed275d98070eab735179d60
    be397354a85f6d6f58e74dcb90f0ff43
    8271da594a267d81aaa74a88736ba549
    d9e88c1b9d9a972135220b76c9568483
  payload_key  (32 octets):
    bdecddf1340029c520b9b4a9e1b15144
    d283209261a58113294728e337d14ea8
  snap_key     (64 octets):
    92fc2e47ac72bbdbcac62a67ced07dad
    a1e907bd82e92a68ba5f6098ec067931
    e59683904d5213ddd0abe237ac0f9450
    ef33180028f2ea7e47d738e6f3faed01

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    429b98993decaa7c1792d52d
  tag          (16 octets):
    c2afc8ba9d2d163d600a88ed34420cc8
  contrib      (64 octets):
    97b151445a7f50b4f41811e8b9d0f4c9
    04648ba6d13085e7d7180d94321aa3f8
    4f895847053ce9c66e4b27f4251f6ffc
    356e72ec1a867e2b405163732b65b8c1
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    7597ac827f175c664e7bebb8b828753b
    fc778463
  tag          (16 octets):
    78545349b2e5092b9d279c97abfe1511
  contrib      (64 octets):
    df8a6116f5535741f7973cfbb2aa6ef0
    78f54da534fea79f953ef95b6a60c5d8
    eaa6a034c9dc8186f27726ae99772694
    0cb46e83581e1466f34a46a76abbca41

accumulator  (64 octets):
    483b3052af2c07f5038f2d130b7a9a39
    7c91c603e5ce22784226f4cf587a6620
    a52ff873cce068409c3c015abc684968
    39da1c6f42986a4db31b25d441de7280
mask         (64 octets):
    49cc05dd25532375d143f69b276b0b8d
    5246388217b39b7ef2262b6e7f293fdc
    a43408f13b9172cb3e98a72c735d2546
    e15b860122ebea099a7cbd987bfee991
wrapped_acc  (64 octets):
    01f7358f8a7f2480d2ccdb882c1191b4
    2ed7fe81f27db906b000dfa1275359fc
    011bf082f7711a8ba2a4a676cf356c2e
    d8819a6e607380442967984c3a209b11
snapshot_tag (64 octets):
    f6b15b8cf01fd11587f9fe7a32185abe
    31ac84194ae3eed199a5b19ba83b0cdf
    bf0c8e3b4f48199b01bdd1710d87c076
    9d0cdc82f5292a913b7f1d14cd93b843
]]></artwork>
        </section>
      </section>
      <section anchor="rewrite-vector">
        <name>Segment Rewrite Vector</name>
        <t>This vector applies RewriteSegment (<xref target="full-rewrite"/>) to segment 0 of a
two-segment AES-256-GCM message, replacing its plaintext under a fresh
nonce.  acc_delta = old_contrib XOR new_contrib, the new accumulator is
the old accumulator XOR acc_delta, and the snapshot tag is recomputed
over the count and the new accumulator.</t>
        <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-65536-rewrite">
          <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 65536 (Rewrite)</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9285553e10209c27bb5858b621426513
    b0832f26d7ee813d9dd62c218ce6972a
  payload_key  (32 octets):
    bb78da70d5e99d36c78e8a8b1a79b620
    e4a4250dd6b471024c379917dfbb2de7
  snap_key     (32 octets):
    953950ab75bdefd67ef15bbd7665b8af
    d3c9ced50ce7cb369e789606fc455025

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    1815f12b13f7ee2532f0fcca
  tag          (16 octets):
    2597e2f2243b98c4bb7f320dc2f46ce3
  contrib      (32 octets):
    0d8b3cb23192377e88232945f623150b
    1a1c0b61745a4fa39a5f65e162b6e672
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    f17c9cac3693dcb4bdd524714da804d4
    c4390056
  tag          (16 octets):
    97d4f0d1303a2b112eac5aae081ef6bf
  contrib      (32 octets):
    a8e8df627852127e058558353da2def9
    9a83928b4c96ef37a5d0b08068b1a87c

accumulator  (32 octets):
    a563e3d049c025008da67170cb81cbf2
    809f99ea38cca0943f8fd5610a074e0e
mask         (32 octets):
    946a2744cf3fd572a03993d434705704
    47d1ce03f4769035a5058780660e5eff
wrapped_acc  (32 octets):
    3109c49486fff0722d9fe2a4fff19cf6
    c74e57e9ccba30a19a8a52e16c0910f1
snapshot_tag (32 octets):
    5ce50c9e90db4bbc28297372e401625c
    2e43203ce8008c452ea4355f0941ef67

Rewrite of segment 0:
  new_nonce    (12 octets):
    0b0b0b0b0b0b0b0b0b0b0b0b
  new_ciphertext (22 octets):
    f20adfd4e5ab8016903d7eaa022f65c7
    0a3f9988b1e5
  new_tag      (16 octets):
    ff3268f44b36f41c84a2e85d0a975d38
  old_contrib  (32 octets):
    0d8b3cb23192377e88232945f623150b
    1a1c0b61745a4fa39a5f65e162b6e672
  new_contrib  (32 octets):
    d1799e445a84608aae7dfca35bc03813
    138fd92f58adb6c1fec48907e9a90f9e
  acc_delta    (32 octets):
    dcf2a2f66b1657f4265ed5e6ade32d18
    0993d24e2cf7f962649bece68b1fe9ec
  new_accumulator (32 octets):
    7991412622d672f4abf8a4966662e6ea
    890c4ba4143b59f65b1439878118a7e2
  new_mask        (32 octets):
    76615f532f527eaecac7d2fa4232fc32
    10596f72a1e2637cfbb5db656d53c9ac
  new_wrapped_acc (32 octets):
    0ff01e750d840c5a613f766c24501ad8
    995524d6b5d93a8aa0a1e2e2ec4b6e4e
  new_snapshot_tag (32 octets):
    bba55e58311ebbd38d7880a9ebec3d19
    3212c0600ce04aeeb7c18ee62e33b9cc
]]></artwork>
        </section>
      </section>
      <section anchor="derived-nonce-vector">
        <name>Derived-Nonce Cipher Suite Vector</name>
        <t>This vector exercises AES-256-GCM-SIV (<xref target="aead-table"/>), the MRAE cipher
suite that uses derived nonce mode.  There is no stored per-segment
nonce:  each nonce is recomputed from nonce_base by the formula in
<xref target="derived-nonces"/>, which XORs uint64((i &lt;&lt; 1) | is_final), the segment
index and finality bit, into the low 8 octets of nonce_base (here Nn =
12).  The block applies RewriteSegment to segment 0.  Because the nonce
is recomputed deterministically, the rewrite reuses the same nonce as
the original segment 0.  AES-256-GCM-SIV is misuse-resistant, so the
reuse leaks only equality of identical plaintext-and-context pairs, not
plaintext.</t>
        <section anchor="two-segment-aes-256-gcm-siv-hkdf-sha-256-65536-rewrite">
          <name>Two Segment, AES-256-GCM-SIV, HKDF-SHA-256, 65536 (Rewrite)</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001f  (AEAD_AES_256_GCM_SIV)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  0
    nonce_mode    derived
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001f
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 01
  epoch_length_u8 ( 1 octets): 00
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    bf20f8c7691934f0ccf767b2a5ac19e4
    67228674414f68d839a6698a3edd1813
  payload_key  (32 octets):
    d2f4ae67c4024a3b61b902188a75cdc4
    757245350393608e8d4af530b91a4411
  snap_key     (32 octets):
    18e303acfa725f11d6a75a48723fb408
    c481e5703032b0e5f1724461f8901bbc
  nonce_base   (12 octets):
    8a2860a4c1e733427aaa7aeb

Segment 0 (is_final=0):
  nonce        (12 octets):  (derived from nonce_base, not stored)
    8a2860a4c1e733427aaa7aeb
  epoch_key    (32 octets):
    a65f10ea805ada25b9f1ef7527383cde
    423b104e8813edaed5490747633291c6
  segment_key  (32 octets):
    a65f10ea805ada25b9f1ef7527383cde
    423b104e8813edaed5490747633291c6
  segment_aad  ( 0 octets): (empty)
  ciphertext   (12 octets):
    b3b34ccfb3481851057f1eab
  tag          (16 octets):
    2d143f398a84cdfd47146c194e1c177c
  contrib      (32 octets):
    fce4eed2d488b1ee8994c270cd145202
    ea63b9fd0c0f7401c5cad41c767e91c6
Segment 1 (is_final=1):
  nonce        (12 octets):  (derived from nonce_base, not stored)
    8a2860a4c1e733427aaa7ae8
  epoch_key    (32 octets):
    3cd69f36c405895994a14b8b5aafaf09
    09517de95d17e6b903cf350fa8769826
  segment_key  (32 octets):
    3cd69f36c405895994a14b8b5aafaf09
    09517de95d17e6b903cf350fa8769826
  segment_aad  ( 0 octets): (empty)
  ciphertext   (20 octets):
    3392acaffbaaa0224644ee4b0efa53ad
    c0d21628
  tag          (16 octets):
    408046d4fb0789a8ae0c41ddb0f66fc3
  contrib      (32 octets):
    7e2e00b404bf5962b6220c4196298f4b
    d25bff62bd9e3230ddd0d344e2b78cc1

accumulator  (32 octets):
    82caee66d037e88c3fb6ce315b3ddd49
    3838469fb1914631181a075894c91d07
mask         (32 octets):
    b0c48fd39186cb0b55dd036ffd1c46ef
    73c6b282977ecd28e6065cdcc64e36d2
wrapped_acc  (32 octets):
    320e61b541b123876a6bcd5ea6219ba6
    4bfef41d26ef8b19fe1c5b8452872bd5
snapshot_tag (32 octets):
    44dea9b3ed7c07f3e95bfe10848430f3
    cc1059251c3cf85d2c2e717634155aaf

Rewrite of segment 0:
  new_nonce    (12 octets):
    8a2860a4c1e733427aaa7aeb
  new_ciphertext (22 octets):
    f1cb96bd31369de3d8f26e007bf71759
    51a0c59330b0
  new_tag      (16 octets):
    74105b3b59dd624421f67f295921841d
  old_contrib  (32 octets):
    fce4eed2d488b1ee8994c270cd145202
    ea63b9fd0c0f7401c5cad41c767e91c6
  new_contrib  (32 octets):
    64064c4b612f62cafad57b458158d125
    08164dc2bef7594568a978f6f2a1ae55
  acc_delta    (32 octets):
    98e2a299b5a7d3247341b9354c4c8327
    e275f43fb2f82d44ad63acea84df3f93
  new_accumulator (32 octets):
    1a284cff65903ba84cf7770417715e6e
    da4db2a003696b75b579abb210162294
  new_mask        (32 octets):
    5f4185e7b2b940639b4fa672174edf71
    a88c8015423ed35d14134b1741d869a2
  new_wrapped_acc (32 octets):
    4569c918d7297bcbd7b8d176003f811f
    72c132b54157b828a16ae0a551ce4b36
  new_snapshot_tag (32 octets):
    a4ad2d7fa8abbbec998af5c3ced3514f
    e420923c403ba57771bad99a8d03034a
]]></artwork>
        </section>
      </section>
      <section anchor="cross-epoch-vector">
        <name>Cross-Epoch Key Vector</name>
        <t>This vector sets epoch_length = 0, the finest epoch partition, so the
epoch index equals the segment index and each segment is sealed under a
distinct epoch key (<xref target="epoch-key-derivation"/>).  The block exposes the
intermediate epoch_key(i) and segment_key(i) for each segment.  At
epoch_length = 0 the shift is the identity, so segment_key(i) equals
epoch_key(i), and epoch_key(0) and epoch_key(1) differ.</t>
        <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-65536-epochlength-0">
          <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 65536, epoch_length 0</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  0
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 00
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    248167fa761884de975ed84dd2464c7b
    0e85cfaf205470750ca644137da76517
  payload_key  (32 octets):
    e27e393efb0b8abec87b27fa0ae3f19c
    0f19093877aae8267d14be74b035eeb6
  snap_key     (32 octets):
    f152bcb8e03852f726a7824c902e9b4f
    aa9b849478cd115c1a3de02b8f04ddb8

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  epoch_key    (32 octets):
    cfe9ccdc21e8021fd5cada3fff397f2b
    86431ec14eb0ac60809e4aee4a497f36
  segment_key  (32 octets):
    cfe9ccdc21e8021fd5cada3fff397f2b
    86431ec14eb0ac60809e4aee4a497f36
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    04b77b3d7370bf0ce5baeb78
  tag          (16 octets):
    4fd2abdb95a887e32aacced927ea7666
  contrib      (32 octets):
    22f6f5e04dc24fcd3ea57d2aab707c37
    7530de5b5cde77959c85888afe189675
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  epoch_key    (32 octets):
    c6b0ed6d72fe7fe3114623c98f527e3d
    3644cfdc88c56f6e4550495dc92b3fe2
  segment_key  (32 octets):
    c6b0ed6d72fe7fe3114623c98f527e3d
    3644cfdc88c56f6e4550495dc92b3fe2
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    550d0675f7ed31bf5377805fcf64bb30
    38167fe1
  tag          (16 octets):
    15c5bbacef49c9e0cc6f4a16a1fb0204
  contrib      (32 octets):
    e9341dfae1376b08122e20e8580b1e94
    7b771e1cf4b11cf5472868cc34a18870

accumulator  (32 octets):
    cbc2e81aacf524c52c8b5dc2f37b62a3
    0e47c047a86f6b60dbade046cab91e05
mask         (32 octets):
    4b770b765273b67eda59116abc4521c7
    28998adf914b868f6c94bcdda7f57910
wrapped_acc  (32 octets):
    80b5e36cfe8692bbf6d24ca84f3e4364
    26de4a983924edefb7395c9b6d4c6715
snapshot_tag (32 octets):
    7ec104576a2197294a35d2d28000331e
    30dc4172f1f18492950e15ef0c1f1742
]]></artwork>
        </section>
      </section>
      <section anchor="pt-bound-vectors">
        <name>Plaintext-Bound Nonce Component Vectors</name>
        <t>These vectors exercise the optional plaintext-bound nonce construction
(<xref target="appendix-pt-bound"/>) component by component: the plaintext digest
pt_digest, the bound digest pt_hash, the framed nonce_ctx, and the
final nonce.  The construction is encryptor-only and its output is
indistinguishable from random mode on the wire, so no end-to-end
vector exercises it; component values are the only way to check an
implementation byte for byte.  The labels are those of
<xref target="pt-bound-labels"/>, and nonce_ctx enters the final derivation as a
single framed info element after the payload_info elements.</t>
        <t>Each block reuses the payload_key, payload_info, and salt of a
published cipher-suite block, so the values chain into the payload
schedules above.  The random_input value stands in for the fresh
Random(Nn) draw of the construction, and both blocks bind the
plaintext "Hello, SEAL!".  These component vectors are printed in
this appendix only and are not part of the end-to-end corpus.</t>
        <section anchor="aes-256-gcm-hkdf-sha-256-16384-segment-0">
          <name>AES-256-GCM, HKDF-SHA-256, 16384, Segment 0</name>
          <t>The payload schedule is that of <xref target="single-trace"/>.</t>
          <artwork><![CDATA[
plaintext    (12 octets):
    48656c6c6f2c205345414c21
random_input (12 octets):
    0f0f0f0f0f0f0f0f0f0f0f0f
pt_digest    (32 octets):
    e66fec4cada0ccdb73930622ef393d5b
    a05fb73bdd81205a9f828f75e85ded81
pt_hash      (32 octets):
    072fa800d5069a226a7322c5b3fb704f
    8564fd2075dd9de6de274a2b5645faaa
nonce_ctx    (56 octets):
    000a5345414c2d52572d763100080000
    0000000000000020072fa800d5069a22
    6a7322c5b3fb704f8564fd2075dd9de6
    de274a2b5645faaa
nonce        (12 octets):
    ef044c5a935e8bd52db61582
]]></artwork>
        </section>
        <section anchor="aes-256-gcm-turboshake-256-65536-segment-1">
          <name>AES-256-GCM, TurboSHAKE-256, 65536, Segment 1</name>
          <t>The payload schedule is that of the single-segment TurboSHAKE-256
block (<xref target="turboshake-vectors"/>).  The segment index is 1, visible in
the second framed element of nonce_ctx.</t>
          <artwork><![CDATA[
plaintext    (12 octets):
    48656c6c6f2c205345414c21
random_input (12 octets):
    0f0f0f0f0f0f0f0f0f0f0f0f
pt_digest    (64 octets):
    f809e1b9b0e28d0fd1dce5cf9e4aae59
    fde2b08a551c311b621323a5d2f3c78d
    e55c22edcdd091231c4509849acf592a
    85ab446dfcff4fac008194e6ef59d9b4
pt_hash      (64 octets):
    ad6a35f94960ee1004391bdfaee16149
    ef56bca4fd5b98abfec56fdb80752624
    ade63d71f3b15e9aa5dd9fb0ffa8e533
    f7ef5caa7620432cf1c1bf7d97611536
nonce_ctx    (88 octets):
    000a5345414c2d52572d763100080000
    0000000000010040ad6a35f94960ee10
    04391bdfaee16149ef56bca4fd5b98ab
    fec56fdb80752624ade63d71f3b15e9a
    a5dd9fb0ffa8e533f7ef5caa7620432c
    f1c1bf7d97611536
nonce        (12 octets):
    dbd450bb6f147795caeeee12
]]></artwork>
        </section>
      </section>
      <section anchor="snapverify-reject">
        <name>Negative SnapVerify Vector</name>
        <t>This vector demonstrates the snapshot integrity check.  It takes the
honest state of the two-segment AES-256-GCM, HKDF-SHA-256, 65536 vector
and flips the first octet of the stored masked accumulator, leaving the
snapshot tag unchanged.  SnapVerify recomputes the snapshot from the two
present segment tags (<xref target="masked-multiset-hash"/>):  the recomputed
accumulator is the honest one, so the recomputed snapshot tag equals the
stored tag, but the recomputed wrapped accumulator differs from the
tampered one.  The single constant-time comparison of the full
recomputed snapshot against the stored value therefore fails, and
SnapVerify returns reject without revealing which half differed.  A
consumer <bcp14>MUST</bcp14> treat this entry as expect-reject and <bcp14>MUST NOT</bcp14> accept it
as a valid snapshot.</t>
        <section anchor="tampered-accumulator-snapshot-tag-not-recomputed">
          <name>Tampered Accumulator, Snapshot Tag Not Recomputed</name>
          <artwork><![CDATA[
Source: the two-segment AES-256-GCM, HKDF-SHA-256, 65536 vector;
        the tamper flips the first octet of the stored masked
        accumulator, with the snapshot_tag left unchanged.

tampered_accumulator (32 octets):
    a463e3d049c025008da67170cb81cbf2
    809f99ea38cca0943f8fd5610a074e0e
mask                 (32 octets):
    946a2744cf3fd572a03993d434705704
    47d1ce03f4769035a5058780660e5eff
tampered_wrapped_acc (32 octets):
    3009c49486fff0722d9fe2a4fff19cf6
    c74e57e9ccba30a19a8a52e16c0910f1
snapshot_tag (32 octets):
    5ce50c9e90db4bbc28297372e401625c
    2e43203ce8008c452ea4355f0941ef67

SnapVerify recomputes the snapshot from the present segment tags
and compares it, whole, against the stored value in constant
time. The recomputed wrapped accumulator differs from the stored
tampered one, so the comparison fails.

SnapVerify result: reject
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="changes-from-draft-sullivan-cfrg-raae-00">
      <name>Changes from draft-sullivan-cfrg-raae-00</name>
      <t>This appendix is informative.  It summarizes the substantive changes
from the -00 revision.</t>
      <ul spacing="normal">
        <li>
          <t>SEAL: the -00 monolithic raAE-v1 profile became SEAL, a
parameterized construction with two named profiles, SEAL-RW-v1
(mutable) and SEAL-RO-v1 (write-once).  payload_info gained snap_id
(the snapshot authenticator identifier) and dropped aad_label,
segment_max is a power of two of at least 4096 octets, and the five
named instantiations fix complete parameter sets and a serialization
layout (<xref target="named-instantiations"/>).</t>
        </li>
        <li>
          <t>Structural split: the raAE primitive (<xref target="raae"/>), the SEAL construction
that realizes it (<xref target="framework"/>), and the cipher suites (<xref target="concrete"/>)
are now specified separately.</t>
        </li>
        <li>
          <t>Snapshot authenticator (<xref target="snapshot-authenticator"/>): -00 published
the bare XOR accumulator as its whole-object check.  That design is
superseded for a security reason: a write adversary can recombine
observed accumulator differences into a non-historical segment set
that still verifies (<xref target="appendix-snapshot"/>), so the -00 snapshot
offers no whole-object integrity against rewrites.  The replacement
is the masked multiset hash: a snapshot tag MACs the count and
accumulator, and a deterministic, tag-derived mask hides the
accumulator, so the published value is wrapped_acc || snapshot_tag.</t>
        </li>
        <li>
          <t>Wire format, code points: aead_id and kdf_id are now 2-octet IANA
code points.</t>
        </li>
        <li>
          <t>Wire format, salt: the per-content salt is now a fixed 32 octets.</t>
        </li>
        <li>
          <t>Wire format, KDF output size: TurboSHAKE-256 uses Nh = 64.</t>
        </li>
        <li>
          <t>KDF framing: the KDF framing function is total, and the one-step
form frames ikm and info each as one element.</t>
        </li>
        <li>
          <t>Security analysis: reorganized to be property-oriented.  The body
states properties, assumptions, requirements, and operational limits.
The reductions, bounds, and proof symbols are in
<xref target="appendix-reductions"/>, and the formal proofs are deferred to a
companion paper in preparation.</t>
        </li>
        <li>
          <t>Integrity requirements: unauthorized truncation detection is a
normative decryptor requirement, n_seg = 0 is disallowed without a
snapshot authenticator, snapshot verification is required when all
segment tags are available, commitment_length is at least 16 octets,
and the snapshot comparison is constant-time.</t>
        </li>
        <li>
          <t>SEAL-compact named instantiation: added SEAL-compact (SEAL-RW-v1,
derived nonce, aligned layout), naming an already-buildable
combination that gives large random-access objects compact
per-segment metadata.  Byte-neutral.</t>
        </li>
        <li>
          <t>The wire-format and snapshot changes above are reflected in a
regenerated test-vector corpus (<xref target="test-vectors"/>).</t>
        </li>
        <li>
          <t>Normative tightenings from implementation evidence: epoch-key
derivation applies at every epoch_length and payload_key is never
a segment key (<xref target="epoch-key-derivation"/>), a SEAL-RO-v1 encryptor
<bcp14>MUST NOT</bcp14> rewrite a written segment (<xref target="profiles"/>), streamed
plaintext is unverified for completeness until the terminal
finality check (<xref target="full-decryption"/>), and the SnapVerify
comparison covers the full snapshot value in one constant-time
comparison (<xref target="constant-time"/>).</t>
        </li>
        <li>
          <t>Presentation, from the same evidence: the plaintext-bound
construction's labels are tabulated adjacent to the construction
(<xref target="appendix-pt-bound"/>), the profiles state where truncation
detection surfaces, and the layout size formulas carry Nt
symbolically.</t>
        </li>
        <li>
          <t>Test vectors, from the same evidence: component vectors for the
plaintext-bound nonce construction (<xref target="pt-bound-vectors"/>), a worked
byte-layout example for the one-step KDF (<xref target="one-step-kdf"/>), and
regenerated TurboSHAKE-256 cipher-suite vectors matching the nested
one-step framing this document specifies.</t>
        </li>
        <li>
          <t>Terminology: the interface extension is named the extended raAE
interface throughout, replacing the earlier "mutable raAE"
phrasing, so no text suggests two primitives named raAE.  Mutable
and immutable now describe only the SEAL profiles' write
discipline.</t>
        </li>
        <li>
          <t>Attribution: the introduction credits the base interface and
security notions to Fábrega et al., related work names FLOE as the
base-interface construction of that work, and the extension section
states which interface tier each construction realizes.</t>
        </li>
        <li>
          <t>Global associated data: G is a per-message input, the StartEnc G
of the primitive, always the last element of the commitment
derivation and empty by default.  It is never stored.  Every
commitment value changes, and the test-vector corpus is
regenerated.  <xref target="g-commitment-vector"/> pins the default and a
nonempty G.</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author thanks Andrés Fábrega, Thomas Ristenpart, Gregory Rubin,
Richard Barnes, Thibault Meunier, Kenny Paterson, Christopher Patton,
and Christopher A. Wood for their reviews, comments, and discussions.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAJ8uTGoAA7y96XocybEl+N+fIpr1g0ArEwWAS7EgUT0ocJ3iNgC13E8q
cQKZASCKuUAZkSQhgvdZpl9iHmD6xcaOLe7mEZEgS90zuFdFIDMWX8xtt2Pj
8Ti0dTurDopbx+ViupyPDyeTqmmKw3V7US3aelK21bR4vJisri7berm4FcrT
01X1gW5YlYePb4XpcrIo5/SA6ao8a8fNejarP5SL8eRsdT5elWU13t0LeMr5
cnV1UNSLs2WoL1cHRbtaN+3+7u6Pu/uhWZ/O66ah57dXl/Ss58dvn4RyVZX6
68fl6v35arm+PCiOMJBl8WS5Ws9D09Kg35Wz5YJuuqqa0MzLVfvun+tlWzUH
xWIZLuuDUBTjol1O+N9muWpX1Vkjf1zN+fdQ0myXK7myXtCdr3aKE50JfVgU
MsVX9eR9/vlydV4u6n+VWBob2/mqvLy4Ko6WC1qMtl6cFy9eHPHV1bysZzSs
enKxnJXNji3W7+qqPfvfzvHtzmQ5D2GxXM3pmR8qDOn4ydH+3t6P+uuDvR/u
6q/39vbu268P7scLdvd+sF/v3omf3r23r7/+uPdg13794Yc9/Pp8/GinXrVn
smtldV439N9yGr+j8Y0vLt9X48t/4rNXz0/ejk/ejB/s7o7vPHh0wLNry9V5
1R4UF2172Rx8//3iw+xyfdrsLOqm3Tlffvgev+CT719U5+Xk6vuTN/xRc1lN
6hLXzkButJLy2OnO5fRMnmwkWtHqzKvFlK8qzpar4qfZkvbkqL68qFbFy+W0
aorlWfH6slrJnvydH1AUfy+eEpnUzfdHy/Wi1WuLradHL7cLoqHi6cvDo1t8
baIF/Cg9vNwpHoEIa9l2GgCNh4j3h/HeHn/SVKu6akDddifW6KA4kckVb9Ls
Cl21EHB5vtEP7t61LX1w/+49+/XHO7alP96TzevuWDkdz+p53Tb48qdnb/ce
DG9KdbmqF+1OXU5WO0S83+/v7j34fu/O/c46f6ibmkn38PHJmBZpfPL8z7QK
oOfxmuZanFST9apur0ZpgZ+UDRb25+qqeESr8YEnO+LV/alq8dVPtPbT5oZl
frND1zRV/uGfd4q3O8WzZbk4z784oS+IV5WrZbYpew827Mit54dHx7doftUb
LEJhc8eAnh0f/3nv3jev2b3v9x78mK3Z68WsXlQ53xwnvsnLQNuTluvVcjGp
xscVLWfxsm7oH/qjqcHSJtUNa7RxOY53iuPq6oL4UVuelqveyh4vz8uP5VX+
+aOd4s/1v/7Hf1/lS3jv25eQlwLjfVsv3n/rAu7vfr+3u5evoJEUDvAJMely
DgJ0S1gv3GleLs9n1e2G31q8qE9X5erq31m1/yBOTzuWTX9/95unrxPBmx89
Pf7LpmM3XdY8873dnT3iGt//+MOD8Z3xnb0fxz/ef/Dg7njvXX4CcZaKlyDu
86p4sioXxHnOD+i35bx4vsDpPJ1VaTVOylk5JwqrVg1JOlsz4pTtDUtCM3+0
nNZNj1Certanp52PafGOiTarxSUJ2Pyr/32n+MtyOaWRfuMxPDr+jzdvX/Ml
o+LFq6MTrOiH5Wyn2Nv98ce9UXF5Sb/euzfee3D/lt306PVzXHbDAuLSw0dP
9/eHt+Djx487dMgW9SfeiclycVatKjpr38unjZLf/v73l6uKPmqZgX1fzk6r
FfHCOtugZ8uPWOnDUxxfnO0n9af88KfdcST8l5o2Yt0ykzwiWVZ/bZMOd4rD
bAB+Rx6tlwM88em6Wi0XvY9//h//9+x01nv6i/XV+0+9i08mF/O6Os9Pxf6m
Df3TyeNXz/8aZQJfi83CPt7Z/3FvfOfO7gNM8smL4+P9b+ay+/e+39//4V4u
mnIt9fHhI1YD+Ly8qM8v2o8V/psWX/my12BvWuwn/+O/k3p7XvZI/EW1+OYT
8ZS+Wp92dIX9+5uW7/Gfjl/zmcCa4cKbiX73zv54/96dO/Tbu71dXPvypGqf
lc3Fb+E99+7uju/u7t7fG997t7efrfFzWqsKdEl6C4v8pmoLPL94sl5MsIYN
k/zbi6pepZU+vLyMKg4djZfVnDR+4lak+jNVHF1UE7CxGzaApNHRrFy9r3oE
+aj6UE7LDlMirYy05+JR/ev7/Iuf6BSUDZ3haW9jHkOzv8i1uDubdubwBAw/
7szuHeFXxf6DH+8qm3rwYLy/+8PNO5avNcuKw8fftll7ez/c37v/w4/v9u9k
e3RYvFktP5QkBcbx2L0lmcn8BBKUOBG4zPgvZI2kPaKb6Jb5zSrYoKLwFnJy
Vc/JwOnowN9K17v3dfVoKXT17vxAPPzH3U2r5yaPS04eH754c/z69ZOTg2HF
4XBRzq5IhbL54wa2w8jWnIiJBqN1VJwsysvmYtkm6hQ99ZtY8tufHrkFOCtn
qrAOrMBfyGSgm7Ds5yRTGkyO5PS6mazqyxbfkKgh/lEKYwrj8bgoT2m45aQN
4e0FTYXs6zXv6bQ6I0bW0AyYA5bCAcvMTq+SpNnCTLdpWoH4Kk2KbAxak7It
wK5qPcTFXFUM4rxLWgH6d1p9ogc11T/XkI1YyaY6xwCawLdP6KrTyt5El2Ld
ppX9hQdc0rmjG2ZXovRC9yWlbkXayQ4ZLm2gFVsWbPWd0YLJLm2dyFsyZwPf
74QqPnpRXlUrmRet27wiu6L+F901cdssE7UFK2mP5vWM9Uq6inhbWzEdkP0F
bbut+cnNqFiSoIA0qcrJBXGWWU2PvVjWsgw0701OkfCRxHpx2DRLsvXw1aOy
LYstSCeyLmfnS6KwizmNuXhPcn8ajaPiTPlpsfXzoyfbo4D5lukxcYbNTgi8
TJd06GsYue3HJf44q2cVDbyez9ctmEGx9ZHeVY1hW4hhG7+oF+PLWTmpwoSN
5bb61Barii+n5eQp8zTIdB7rlnvqolHS7h0SNTC9VrOrABWqPl+vQC92oNwd
tJAglnI6ZXIrZyAIt4I4ovSM+eWMpjhypCfvJqGzgzNQpSPAhGPbigNuOlux
WApF0z7JCU/khbesiJxrkWkN7zCGTqY3DAxPOA3YAPGQfxlZlucliIQeArPU
P0YYRtyP6lOJiRSyuEWzpmUVKUn/tsWHakLrgW3EEZ/X0+msCuE78J/Vciov
D+EFhIE7WjS0FvNmjka/FQ09BEcORO2P6FlNKzdu6CAEO620BEs5B9gDJ5qx
JyQopnQiiznp/2dXfD7BFvCoumVqhpJKkwOPwSJhsT9eLGcV0cDjOL7TcvJ+
fUmvSkMGQQbxauBAnf5KE5dhN0peYD+kWKwvwT91Gc/Ws9mYTJH3joOF5Qda
yDSz4hSuHpr5bFbAFUNjonUhOUVDOlkT9dKSXJE+Ni8WVTWFHRT0YSPjTyPM
eVWN9XOeN5FdTVu4piEZ5cHUJDpZflSrfRHK1WndwsIUNiaDJo5JI8T68TIz
Pcr+6LR5m3jVaAdDJH2+OdG9rXYaly24baWyM+JGROZhQhb+ebXTFQ8ZwfMh
KBLj3/r8Ga7YL1/opH8EKdPWET3X8ISdEU/gIfUOE42R+CFMTtOKiwqHcAfP
E1UeTwwiAeRU/n/AzPVM0zaDGWDgiac2RdrLadBtTgsH2dPdOjoWJR2C2axa
ZWeBBPFMluIq9CmB3v4aau2l6Ba0HxjIiBebOCkk3lRWPS5qIM6HIQjbNV7L
y1BGhgmhoFRDAmetMtqzScjdynNF0BWfRzxuVcxg+qyqCaYHFxNzaXtZIqom
LBezK75RKChxWoxIj6PQXRzbrCo/gBorInRaQPpyFddmTSoDHbtqihdeQuYz
3S5lSRZTPmy0iQvsNX3DhGTfMd8nOtQX0tZncmdp/ltjY2lQtFrlVQPZ07D1
1cYDVEbZlOjD5Obpup5N5WXpVPCISoh4shTElrxBWIeOsNZjLCJQyNnJ66L4
E9wxbqdDJhpJ3hEJEfNpdHFt6m15LtwFGwVftepmhfjHQ1wHTy6QsvSUBmRO
NE0HGFKOZImtjYhaliZjnhJtP02Pluc///M/i7JsPpgfwf/sjG/82Rm45dp+
6XAg+3rzLab3pgO0+ZbbNw/s9sAtnXd+9YoPuOIrC/C1H16g6+HnM1lmfO6G
keIZOYc8vQLlOmVD1M3id4USZzEvP9Xz9Tx7RuQi9AwhYCKd6nJJ0nNWLc5J
PN+8Yhvm8q0/8Rkb1nWn+Mp3/hn0P9Zt6xnJrIP0Dv2PnZMD//6BZyTV+bpI
v8l3CxgE14W6Azc8YwMt3i6+8p094yu0/LWf/yW0Tv8zTfarZK8bsfEaI/pB
OwLqhS0hE6Rxszq6iXJS2ypnpOI1tgfb2SbIP1sf6dn5BV9fWN2CjdfcBmMM
nw+K74i/j6GKfqirj+JyeHjrbV/FMp7dO9e3voTA15p0EjEEAy43r4pmQnJP
tT2nsavyz+bWDD6HEN5sWNuDcEBqSiWyDJKEFVQohWuWRl6TYHsLjIIUtxJn
iMQR/JjzEmFO0UBZt9AbjF9cqfI0btYYY5VZrKRElCCA56SvLum1kERk/9Cp
qpsLpyfrGE6r2XJx3pjWQPrnij4OiS4gv3skgln+BXtebrI766ZIxukoXSXL
IctKb5nAI9mkYdlBd7K46QjjcgV9j8SU6FIYatVuVMdGuu5lMSR84zKForNQ
ZzSQiwX7d9QAZTNirIbFajmbwfaCMl/D8sFckG7ABi2d5HY5Wc6InWH3sEsQ
9EyDmIwYtjSPaTWrTysx5sm8aEhNo4fPoJNDgTkMA8/UTW/Y20Vk8y+N8kKH
hSOJRPiiKc2YplmGOVnU51WiIBs8P7OayO06DxoUtBU4nXAWCpJulToBVkie
4MVkBdybPrptjRzJs3rVtGmiZNUsF9OdQBZQNeOgLIzHL19IBrZrPo2yMLrO
dKCJfhqzX0LmXxt7/9rh4+3cd4B30AcfcDn9Sa+A8UrkVcHRsJwtz8UhRltt
7hQzy7ruij5rgRkS7YxIz0lP5oedQUOQ6QVvkPGXZt6Nad0vEVCqMEQiuciR
2BUdzcCQroOWwGPK9BUmr3lVtWIFERdYzy+FYeGltxtR8he8NUKLNNbmTH2t
uCeOn6xvSV8wk2vdiIISbnL30LyOvL9llFMlSJnIqRELFSk8MOa9y48pjoxE
3jh2DH75MsJC1nTY9G58goF8/sxPGOdP0G9lBcQKmlSNSVNZ19wB9N13xbFQ
YsHu4c/fZYQZwtGzw+evYGJLTgKZ2OBnZSLKYiNR+v1Rd+0F6Fq2WQwe6DSR
wQnfXRBlCTeqG/UrsY/mlH18acfZS0AMYLmiHVpUNexB7/Ht+KZhWUMErEI0
gu3Fap+yX/Pt8ePDl/l82/WK3dMLzpGApT0Vmaa2UDqf2fjW7KuiAa0n1VRu
Vu5Oa4R8n+Tw5i+ZcENXILJ9zkIxythTNqt1pHEFstma88HWye0KvGo9LxMR
6+k6Oal1NXN+Ew86r2LH1x+XsNDjVqhsCTw3+PbY8aOfjmU5sLpnxIGXHxud
z+1GRBtJ9MvZuhnLzKELyMKSCJU1mbIBDeeRYzvEnJGAkfI1eJvotfgYL8Ot
r4k+3jx9U3zYL06u5mTErOoJu4OjK5FPaAoVvhHRED3pJ4+fv3m0TSbQ5H1F
i0GP11QofsOqosW/nC2v6HqZ01g9/uqIpCX6aUnGjSyFowJY+MKSaW2I4dFm
fDK3gH1H1FbO2ujjFE/55GJNs1bhrr4DecikXK2uTH+SyxxhTSvMK7pFiDjY
Kar0xiobdE12+VTETa/o5K7oaTuSXqMzaOSdnJnF4+SH4J5nLw+P9Lz8TLI3
5WHF0G2x9QwWoq4h8gbVK0gsjzcIS01EOqNxNmDFGi8Q9x3H27E+shVFjWMP
wcUaw+O0NHUTOqGgjHjZdyKRJFVRp8VsKURBxxUS4BTJYuWKVJdXymlkN1Nc
Z9F3rkXKhPNpk++Flxi3s9OLLT4ocSnUxYqfuo7oeGxWMplKKgRZNEp+gSg5
P96puQGPEyGJSP34r6+PxxxOpzdKuHtk8e1RDGiPLIIthIOYNW2ZRfp5z9gj
1FzAG1Bd1EyqoC9oG1DmJqTKN+87uhJOMR6Er4gp2MDHF/JQ20RbCKitq5oY
VZUmS+QTKnifysjd2NVKRJ6IhKY8UrVZn8DylqZuscZAfHNN7+e1VDfWVdxI
80eScH69tbdtbJn4LcmzsZlS0+QOw9ERf5o3MFRpNwGd3ki7e5NTW2htxq6W
XKjx7KIiwoe17NqCzdWiLT9h7KLX2miq3BnuJMa8vAqnUEU+LN9X00G/Ne44
L5l9eaE3Kp68eP242EIGTHAZMP3EF1AMqSUVRy6gt4mzmG8n7o3JivrJLvbo
hTuIbiNRl7A/iEWJANWlhRoFIeUMN9a+3XPL1q1QZFis0zZKRxmpmtbFOeS2
4KSx3hj/WzeyeqDIUrMBaKuZpom9k1ogVAFnaQx5ScAk32R6TVOfk01OjA5B
L4kXy1sHPJU8vfNqQdwnrqOFnXWuqwrC4VIcVjXbxotKXz9HrOUU0zpIGz/m
jXdEM4r8LgyqAtGjhxPjmVs0F4wxsTUZXExBlYi0X4iy8Zixmhiopzloscir
MFNHsoGcmfP5O28IiQHHcoqm1BS3Xv7p5O2tkfxbvHrNvx8//j/+9Pz48SP8
fvLs8MWL+EvQK06evf7Ti0fpt3Tn0euXLx+/eiQ306dF9lG49fLwP27J4tx6
/ebt89evDl/cwrw6rJGImE7GqdL+JcwBODdIuUC+xqlQ1k9Hb/6f/2vvLhkJ
/0UT84km5Q+k5tMfcEfJ2zjiIn/Sql8FGAjlik83LS8RQ92WM4RAScZcINyo
9u5//RtW5peD4g+nk8u9u3/UDzDh7ENbs+xDXrP+J72bZREHPhp4TVzN7PPO
SufjPfyP7G9bd/fhH/4bM6jx3oP/9scQwmHUyqJCDpmzXtR8SInusS2fWjlr
deN0alrlKtMks+MB2jYGhtAw+1pol+nJ4PLYDnF+R59HNChoFhJxi970IQ96
Ct7g+lM6WBdkH/BRKzUXRW/f8dNUbmJBfr4OJ+3o8c9iaZHaSTyqXpmnRHUI
rEjII1kW48MMFhZ+rpXrphwfizRi2gcSE0q5IMkuaZHXR7e1JTiIm2WUtSyt
zecT2GNUEEuZRiVQhwBlGKwO09JhWADapk2STwOSNKfVcn1+kUVKZWfGfAW0
6sz0OCzc+CfLVVxTFtLeAlu3l2u+ZFU1l8sYqqRxhQ7VkaL/aTJb8xXiBqg+
VDM6mSVnV7NpRzJrtUimXLClkuXHy8fq0JmQACF2XzClslhALoeMhvWgSfuu
FjM05VBEq3M5NV9Jea6XdX3G9E13IdzxcTkJq8pnNeNEYVPSseksA03lUWVB
XbqejZt3sCk5condY8cCU3B8d+BNwIhxEjhdR69MYW6xTqGFs1LvwwRxHUn1
7nyE2fhLY+kMxkaHWrQaSwCgp0tqRigHVmZEJjy8jU1nUCPRWqM/HE6TNbJY
VkFTrcaifGisvuklYYhFzhSw8zglJsgHj3RwZ8tVdydp/TfrhonkC3s9u6y0
AuzLFyaAZn2qWYWk4ixFX/cLxiM+KP76rjbCkADyX208UR0o1RVS1CyZ6F2H
IL43+I+QayRJzjWQ56haGM626m27T5/4jkQ/fYpd4XXmK9hFP6dzAH5kqQHy
3tMrZm/isEsBeHrZX//+t/Lg9O+/2BSWk7Zir9M5a1J/VQ/X2Rkxbdr6ekEn
ueHMx6V+WpzK+canmWeZOQKpME2xVb+fj4pZeVrNRkxno+LFSJ0AxJtH0Rn+
rp6Ogj8YHEnVfzBpurS8mi3LqfzhlkNiEvIb1FwRBJZ8uq3uebfZzrULjWLF
rsUrc3azXiG+xbflp+ViOYcO1uqvX7pkurbEC/EEpanTMr2vqsuBFCLhUb3g
1sglIWo+RCdi0MTIgsUg4jMRx3nr9emeEr4hQUk81dDrhzNv7MG5IVPAvZWE
2Jz1iQWqrfjpPjZkaSN+qvbQmEKaaQrmwO9vFz3LO6ntMZJusmBz2uczqUFF
AhgqBljMG1lh3Hioh0LdFZwclxIDNFkV+aDmlpFEgVBkNGsMEwefV4c5jATS
YQXblsIfQK+Pj6e32ujBWVTGCytUneDsDB+5DNeBlT3q0Uh8qkWZltHZw4/V
/EF5oSyRRJUaWBXsqfF+f7dTnRfdRhLiiqWPBazYMwwPW5Q5stD/omVRT1ru
yEpyOqmkUMlAjjj4cjtXK2OP9v8h7EDzK5yzmQMFzUW5EhFbaSKGpOWcZGk+
cYE4B8il/ozYvPjWQGgo8syyLBYg+bY3RZaZZP1mMgX5Z8Dg2Riy/bO/U81u
S4PM0p9Y415MfRD4salcMTKKJx73Q4lFjEojdoMQDOcOMmt8pYE3Yo0WgyPW
+Hz/9cmbLcQgt22ZP45FsJzW52OoQEiSUTKxgRPbHy+qc67dlWnSAYHZh2Bu
V0yjJJsZwZqufLAFTwx+27sff72zH3+9f5d+xUhOYEVccHosLXMcJpxh8Y99
/8dddZPFDx5s02Cg8WJtSIvF3lxfc5IAz098y8zRSrBCPaB/fX2Ma36q2491
UyV5OV5K8PXjUgWv3M9Z19U/EdtQOyqETyqo47ugjph+fzrec6KZbv5UbKXj
NiouytnZmHgSQvTMn4jewYn+/rdPo4IE5s7OjjwZtg58JHAek5BhpdYPTBLW
6TfS3KoZx6DlQiQOq75SFPTYv/9i2aUrDTGIEkWDxvUjNhlLqGIarIw8l4bF
vH6kISYjIbVbJKTApPCrbEKiJPZVEXuGpBk5mgmFi0eO8XS6msinKPhNrPss
UZslbuwZHYq6mqHSSV7a6Fwy+aSp6+o1t7How+nWLZFZ/KZtiUxZ/gYKSyVd
v24Su4Spoxq8iAvUoZHSL/WQV0MTVmsUy+veRiv46j2WDTWRnOgNj5PQjKnK
gymauJF5PVdS/+ZbL3HrG7GJolmSP+RAskIcS9SrxGjgrXK236vL4mHxCuur
mkzhInE4mHzBLr63NBCJGRWF6I9RsdMb64YzSbpaMjxpDTJv1zPosK9Y5EhA
gXajqdbTpb4/pay+OX6ybYbn8EpxPgyvFWkkeKwIwp65+ZsXurQz0UldVYkY
nyT2rR+j8FpJbrm50kSi16A/EdUFFwGlCEyhkYDFO/pEuCQt7q5IT3bE0gGw
R4+zR4sWxDfaRBbr+akkogz4Twpv7KpVTcP7S+Q3/KhiixTvajUhjrfNlisr
yedrZP+QfR33GsSXxayLV0J3UUVP+u2WOcs5/CDj/q6IuWpvorvo83ecdsJC
8bWltsmHMdWNvj3+LZVmm+vKXEkKx043lY71yi6yurHDsGIXDIcNIRwyxcPl
OUPgRbd+dDqxDytojtZEBLq4ChYpSxouLAvdMm8DK30ulNQpmEixIp2V87r4
CEkKkJRneDU0JJ6JGp8bagfYDGtSoUGKwLMv3sIIyHstk+E+w4Ov4vvhWjut
rLCBV5R/SzUnoLr16lTnHLByNONj9r+xZsCOOU0PukB5KXOqmQhW1aCT+8+e
471ySB0iNS0lbXDVUCHlhnQP3aqVdstLmMVrMgbrlhhewEzlK9QHjMU3YA8B
1ylFAHGhwXSF0oyF7rRj2aGbZNnWM8jvpmH9t7N5kgFzIQUfh0nghyG2U+Wx
xq+XZowCF584QrZ8gIuqsboME98pMmbnGk9FQIdOdp4WFcfWTasyDzDslJLD
Ykp2vcCZeALUCaNEqGGvmH9mGSdqf5M1Pz5+fYzz38n6mZGmOJZPJQGErjx6
+bZ7JbuA2WmYHB9bvYDfdkaRqEipkBxAkiNWoIyg5E1Av6BvXFZmQYSFZ1fC
IsrpmKMzrm5iuSYlys4QIudnLFdOBnaeLdupxppBp7KMGgsPRD6jodRmL2Pi
p8qnuRbQmMt3no/LjjEXyJnESMSEZ0UcMmnXqERk/8AHXyt1EEjFeopo1Ant
YPt4MRkhPHwCicifPKomcn7oF/qUhiU3sK3FW8cBcegfEutUt9zb8j3rijQ0
kt0olWIhLklrUGP5lp9hGeqLt34eFa9GxVM2dB75pIX4uPzekUk/DYTPlqek
AafM48D12CUq/N3bHSMSB37x9t25RUnphZzl5kQsPcVRiiTNncD85FXaOhkV
lyPxhr58V2/nyxIHzmHt3lOQaX25bGpBsolpM3DNjPJc+TybWl7HLo9OeIyG
gFTrwdnaNUfsoz2R4Hwr9Z41j1WmxIkHBaQEJ3VPU2Cea7JOCk3LsJGPMrHM
rnHWzjRzW6x/JSXb4xEW/YaN7u5vb291Z8VTWgxvarbtXmlyjnTdCRk0mMJq
xYkgQu1+d490d4cHjOXpP3b0P7m9G3bP7fAAAXCaU5oJ+4j6oyhgd2zRe04l
ZRmga1zSHh+lGm2tepLMGhmgqFJjP8buqNj7IqKJjDsu3gOrEUMUxKCBopQr
QpvFyXC4LOW7keAisVYd5PRKbPt9zreZEE9p3HuSS2aeIpOOvQPGIWEr5uGr
EMiYpxohPOejiEPmL508C6tD5lJoHIaZyyaj6TLkkrw9DPMVkWPsRf955My4
jTwrcqxDfcwMYhGm3Rzpf3gWnvtQUgFFSkSXd09cRPWANPcBQdjRDm8qPBbd
dxSi04BY+4JMhLgeB0XnLs/bWODSmhIBra6UdTJ7SfknqeiKN08NstakuyoW
SXMIqdgUkzNl4FxyITuaaLMkm/xCI7xl2xJp0Xhrr4uG36iLFkO6aPiaLqpJ
lZsBFUQZDUkZZfKsU0WD6NlCD+IJj7nHcRFg9PI5C3lVsRjZccmVQ3cyHc1v
rzppsIqY5bBmShwGzj9XnUtakHixOrlbUeVk1oanZqrqju5iBdpQA6XxxLqh
JFmydlQ6NW11ucPO5j9LHT4xZY6yk1XPnqmSKWTRm3OdFLekrYdMW490VnUF
/20VEEnD+22KgBgoQ0wa/vmvigpmK3QWe8LgtiUSkA7zSbwJnsPSiCHM44sv
U91CJI24OUnm6N5IMqV72u13telRsk/JM0N3M+2lBbqtMQHZJqymQ6nwi7hZ
3g4pVG2/ZAve9y18vpU0lr5g3ea0mggTZPOX+BJKuvCG7bRAcWGckkEmjCQa
rCrc5c15Ntok+cHsZzo1rMAjp7BESr3zLJgLILj45bcpyoeNhBgyr8/IfAUJ
dWWpgxbqML03d8eN8nMW+YZmoWdBom9Uh/+94XW8hN1kaq23K3FUga/baL7+
lL0PQuU4R5HOzeKNHITl00BCuLwk5xRSoCiyJPRpRSgF3j34EfkBwqwjn64T
llqQgzJKZ0Yk0po9xm09r7JaGiVO0bDMmcFeTFZC6kZnUkMvmsfEnvNlOdN4
heQhT5AJ7pBr6MGha+ZHAzOllF2UWT6v7IaqP0nMtFrJGuk6knx5ukTWQGKi
msce2UDwOQ5dASKbBhVTCcVyX7IT03WadVOID3iiYg5vfYvtK5ZANmrHuLYT
nZTrT6RTwm0wtECalgHzO/jQPjv3uYDmrH8skuUVz6CeC9owGzSvoapUtna8
0vri7pnuLL8XluXKLWYT4Z2EfhUYBbnA0fvpkU1m4mprNPncZ84jbmTpxFtZ
JsR2nmYOZTttpSfHFxIZEFISRwuR4tl6JVLdYXQIOArq11hrZ+jtwvJ1oa8c
WeJg9EnfbmLkgY1mBiKpXVA6K3BCgs8wtAgOrRamTOloTdQX8kYfNqZhA/It
T+1iAupov1EzvwRzZ5mbqdYhjS9lg+MLjOuiPrcivE/FVlNVTFjjlcUtDtkx
i1Xj4sQGJ62j7UOb8FYb3u+LwOn+IOVJmW3mFDjkMc44s7m1clexHSUso9Zf
1YTTq+7D8fIbHz5idfrSXMtksdHBW5w7DSLqihE3qSfEmvXqQ/1BbiPeksHV
wHxmGWcs/X19qSBKMlT1LooXX8scemuiykKCuwGCYgfa5Qph2iZJ1SBv1KOv
Nla+GDQ+HQXtZXYsiC1MSBhJjrnWr3PgKwt8wMxWAoCnR4gg7bYZK0Tf67Oz
+pPUJCqCDImL5YdKVBz1D5CohQBZiariKqVRzVhNSgR/jVqtuJYIM52FWF9E
qnsYxhzCOn7+LHzhyxe18dpuPBs2F5zAIZ49rq1ltoP8myMP9JdhQJK5nHiS
5nkxJ7gBguqMFwG8y2gsz2QLWcaH1HQzO5Wn+4rhWOlhdYOw1X5+9AQgWD6w
O4rlr8nVimDzxRIVYS5ZkD4ERdTN3DK1Q0xT2JAV1DJ2IKpkY2W38v2zrPhd
g5iaqm3pkrnMtUAEm64u8JAl7PlS8qCvMsARkxX2oAsOQ+RlpkxKKjwkEC6t
H8oVjS41XSBFJ5WcI4O5PmOM53ZgHxoYzkHqHImB24XYESJm2pBm5ML39MfQ
ikty8PAqNyOb4lRyNbX6XVmLAyRUtYUGY9U1by+GAA+aKs81tGMxn9OHvXxF
wBEM1/xHiEOwa7sk5m/KsYmHIWhSocZkY7YgpJeCHPZr6HdSyc8FmbblanJx
FSNrrFR/5ONhpQ6weq0ggMsezipZtaAJtO5YSEmdFcKeLdcry8YWFcjuwMvx
mCZ4mxr5gsWWHRAG8ZCkpJh816jh5wODQY9LPLScd1/8JhSSIMIAGRQ8LPh5
3EHMvSM3wnJh1X7H67QB2WcT4s+H7ucexKeH5nVNyoyuZf+J9OWJbkn/y9sZ
kI7/5nu7Of3zd3/Bh8F/7Ao5gkXcYj2gYjP25gwCwA/rrvJ3uuZ607/pkg8b
/o2X7Aga0o7hIu1EfKR4yfVk3tKjr5HxgZdc84ivs0vkf9eSJE+XFMiVzy65
LYBFtw266HaEMBra6b/rv9/3ZtS95vv+pN3PBzfnoUsc8exsuASz4ONiuFyD
l5wQY7c5D13iyOn2xuF+7yc2eMmH/Jf+JShu4F+4tmHTi+LP3zeOJX9n79TJ
Tx9AawhPr9CVi1HoG15KFx5mDGjThX3Uq6+hiH0NQ2zDHPkn+gU9olYSCwqp
xfILKYDP7JtbkqCU6W7dbKV5yabBFy6BSgJ6JgmnmmghHjpgsZL6es58AYly
Pq+dZBKpPlUE8YACv7jiKEKeCDLI600SJxd7cE4kKybwxq9oUU7B6XsEYF0r
UsdBCNedO2iz3UP1o3BNW8n/o+ujy+Ba2vGIiOnK05Rp5ssOTdvhhXgKM54W
bZzS+mHLx3c8qvCO40qxraIbjB8f8/+vfDGa2yrvIhinz+0N5qMRz0xxbfXs
Jy5QoIVV9hGyLOTXcbM+JeneQq+0Bzqz1f8hNhx21HxzeWZNdq5SymMOpIq5
AMlYE2XiKiWny7V0Qchc11YKwAFIrT3TofiVi56dulQXlB/STemLNAgcu+Wl
HRc7c10iTLUnXdpqbn1JcBhMIFbZJAVSuPOphKGceeTC8JwZ0gwVOxWsybOr
2NZVY6pbUClNnY9pMkf2UXGytirRWKPScOl5vEcLn0xxRvGM4a3G4z+SsRk+
i+TlNlfz0+VMktlyhKFKoLb49rGmY5EmPCcb3Q43GWJc/iF+TRhGpNoDv4sr
YxcphN2uaquc0fwr5+QUVM9Y0sPKsFYhSkkqD6y0it3kmBobCAjmgTHFQEbo
7wjXecqctZDHu2VdpRk+tlTkUbAwnJre4gdmo2AisE4guASH+wUMLBUSXRdv
ry7Fs8AePjoiYMFXzKqiIe3YmWNrrE5coxVagepH54+71iW79unzyf1K24T7
UW51Xbyfnr2rp5Y/RX/FrRx8SkxW50dYHd+8/AR0UOTxal3ECJ6YWYVA4t3d
H+8PPkwfklUFXccSEkYH2IVhcP9OdjtfP+6yYX6Uq+2iS30FBP3pod+vPQxc
DqWSnpYKGun6W5Kxdwt7dUsPxy0gpcZi7hpCUvkZUye/peu50GeXxDC4sJIu
Ojw5ev7cxrnF8n/86PDtISMz4K9thl5Nz4y7YdydnqbPTdykt6JuS/buc5lF
uSYD89VF5+kK3vYpk0H88FfvR8WrBf2vxYbwIU/Z75EgMefWz5Xf0MmVN/Lr
XQzhe13c2Y+gBJrAH+/LTi0/YZAU2Hj+X/Egz95BVFpmk1XRDD2sQfanVXzY
mXvaIcuRelxPr+J+DD1rWC/obHgxtPtxtsbPL+EA1Rd8dc5QELHt/+ZjrLK3
YBr4954hh5At12uUlFiFhD2Ejye7fn/jg2NtshhcmyZpGs1XOE+nwPt/+nlW
Hu4nfcOTNnAZGxXxByS91c07Vqs4VL3d55Cbnn4DvyEDUUfZfn2Ug8qo6mRO
jTClLOkyI681xceLmDZ9zDBGXYA8xdY7NRtT6UqDpjR2Qkeq4sTTlLakn/6g
EXnukCOBDUgnywkEDF+nCnp4BUcbj7ZBPm3SZLNaRvV2r7TADO+cyrWz2VUo
J6tlIzBG4hn1OKGqgEkCAectMkVo+ZyWCHxA9tqpTjKFN+hIcymX4AXxl+MY
tGcN9TtVTI/Ucfr5O7lKVbkvgtaAKxB2aJpqfjrz5V2pKF/vQBiPhIxWPG6s
wxEkwU7OUNR/kFkhDmgLYWRxcwcnofGoV++1ChY+UaQmvVroB4IkOdJ10A/7
uCQYN4k7qYfe1PhIEyVsTAPQWqqLcuLKpsLIE457ejXOTAmJqbYCW4cROeVN
RibxqlTFK4naSacTMsvUOjnyGssKCVbf4G64TIa7BtEOzzl/OpaKx3vfcraL
1ommtA+DwcWWcFvfNRi6NveFV8Dp4ZLqIrEBUjRodl6rVMCAoUJlr2VaSE4c
4AqNtv8PTeyGuiiYdjFCPKvPFwK3UgrwoVYbyD1bmxg86jgUyoBjL1yntaoB
+xBD+2CdIHV5TtKYt/XECgNq1Ltj5dznpOOsZ6VEMaxSd/H98gzdoxsi5skF
Ela59tKALfmggRW38TmMhY7y8hQLABkhn86HcYXuF0vLTzorkADQgO6aIk49
xy05pIcAu71gwI+s1l9WnB1OMw8Oi9pPGjHtTwhOwTcmkLT6sRZeZlJNCscY
DhGPzWUHcpkKhC0MoyjiLmDvZcQnvE68uut6Wmo1qhYn32RDoFYyWhB6wrwu
aRqkbIRBH+hRE39+3pGL3jhohQxUOTcd3BQebF9JGGkGv2ierEqxaS544cyZ
GSFF7JpQxL4QZi9s6dG0aqwkKiVHeMuBwmhGG23dtmQiNanFnD2PGVtC3VAp
oodl/IKt/SOz9kmemB8gegBIprw2jL5Sip6k7Pz0KjPNaAUuDJdMmFWmNtKL
o4WmW5d5HDKTjfFZreBNEp5sb2PdrjHGQ4HjkjLwrU2KAU55BAdxmCWNFvaa
a6RecZGoLZhB6EYE+zgHXcjD6Bl5lDwjJ2zIff4uuU3YtNNqKzHzkuWnwk4g
6rOlzcqeFc5FljnwMtsOZN5mSVqYXTndKQeNSObhSJoLxsCsHmG+yhOh5k04
Gcgtq6rYpY8pWO0jpX3NnXwFxIaeETUsHblsZMCg1mSaVxdyuGJtN22jKsia
mCIsL+qbApAQz/KMDEswHSaudFKioOSVkqRuWYEhq93OT7UaWwvt56xI03Yr
pY9Fs4YutnAFyQ6aDx2jtA6bY8xilkbcLzLYZYHu7KsC1DG4jzSc7Rqg/Zzq
5ljfg6hRAQNukGrF36o7njkuXkuLhgWely3j3ETtRkKaKTauwo+JUXBk4BDQ
nXQx9ii6kqOATMnMVWAJhRJlTr1LegGEZcyIZo1bZ8Fu1oXU1wsv0Amt0PB+
Ku0K4CtPCmyk4Sz3R9zJ9CKkdmPexskX55qspqjvMXUIQx7za3yuQ2tAAtY3
UZpF4jJIWCeiEnzQXFVHKQowCpasrdspuK8lMWVEIwG5Kh5Jfu614tUYZZOE
f64yQGrwJvpSCzDRHHurNOjyzuecIqEYAd8WamFVwRIoVFiwZRmfouwnie/W
hQuiwyeB0fsVhe7edCGyup4i2oWnBuriVRlaxOGKQOE0T/WI0GUx4pUDJPTa
ICaAhBFPHG+R/iqpDDTrmKm7llADF4z4otoS1/xcLuly8POnibmymhWz/fJZ
KQLFAqqlRsVQy291hUjDsk4r3JVHktz7g3JVHGmjRfHj+zbveQ/9TmIeKlry
+IbIJ69DqgHT4waDoUK1VxqzyGIMQp7lZE8XMc+D5HmnGBN9N3SZnWIpA3GL
wgUZsjJPN7sgtJ1lDHmIrDd+61KI67MKKft2ZrpIi03wnrZRx1M2ckCIN3qr
dDTibvqGyMxB2GR+jYZV4bDZS6PcdMh7pVCDNHGoO0eS0bgS2OfcOhciw1UT
u4p167KHkBT1Qy6nQ7WgActznIpTov5TwJa2Pm1Li+36DI+hP4s/kHH36cmT
J4+5NBH9QwxiSy7YLq6vi0+cj/D739PutUDq5mdUM1Sjdn/yZ/Cjn/AzXjzD
6+gZ05qkXBvoR/xPW5/2GJpqVHxabJPlpiPd47voc/yjny22ZTJhCNBJjE2G
dHK4xPqBaF/sXJDpBtWuAM2k0konN7uytgBYRdNS5Imj5CtjOz6wf8J0rEwn
Q5B6hXOvX8pSKNDAFWKccnmYV+Uimp4kC19d6CtloXThpJE2JjqecbdjmZe1
JCHOLQ0dVNbKtzSBanaGDGg8Q3GC4iPGcpG8ZoR6Gg9LKwYdndiFuEDQvSBJ
BFPEUXz5aST4+5iENbfRvjHovqIwX6JzcIOaEN37ulZkwo6R2VwI+Hclf0xm
Ut+Jc/rszc+PbwPkPV2LAWlDkz1paCLGpzR8YmcYrrMOCPGxet/z8aOdumrP
xheX76vx5T+5XVCLTgtP1JH3KZp6qQkcm0eBEwDGL96MP+zdOtADZuOiIyE7
9hAlxxjGlr+cqHw72FjctfTa7Do+dmRBXRjJHzMTOacbYuplqxziIxA4dMnH
cjQ+6XpP1qsmOWH13PRo6ZM+ggsooHO9eIZqkmeSuo8En0gdQclhAynohhqI
Gbd6OItdhDSa3vN+aAqtGTEu65lupmGws9qavImHIgdCg4UQlfw6dvSJK1XK
OlmlUCrIkcWlL7cyoE8DsQWgrSLZ2j6Mfdj4wLXOUAAu6bPU9RChtlO0HiHH
vkKyQ08WB4KAt5OynfsNtOLV3NAMlxj9wiu0GKcn0IgPhm0fl1UtAM4M72dm
ZlQaV04d3wAOiNdA3Y/6ncOU/l/6lhcHMeebdl+gKTGzLgCawUljj2U/ss0s
bTslE1tLwxiNQ8PMzMozPe33ihlI49P05St/YGSFeatdo3WVbJISF09nUzFX
4nS4q+QyTEn1KR9d5PzpVZDmg2KeNea0STPSVO68p4uwvkQTTVA9TwvnXC/q
+LRkdsCLGB1DbmwhGxr3IklJE5x7cPwX4ldSo8h/vsafPTRc02ZyD8GAuOFO
QNo7Q72boC5TnDtXaz7KVubA2Y7ealkopA6Ja+MtMekTEwK/4ewfcHE4c/N3
svcPlakN3bs5p5PUGXruNvvo3jsJAdP7YQaP3b2TbnuYjWCbh3RJ6y5q+78z
IAyHZ6jq2ottAT5lFe4xP5we937kX+RYIfbUHG7F/0kP+/R/FtBmNGMr92oW
5j+AWDOgAZqVVEXhudqsz+oFV+drK+WSmTlU0pydCCwBS9VkZuvLFEZfjpKk
pJanTfLl1L6uLN6lJR2xhdNiGccTYca0vtvdsXEQ0rnBPvav7Bi3yKRVb+xB
4RzEWsoZ0Tn4fl6UkeWTLR3QXWBUWGWTrOXx2jl5YZVzTDrcIwUx2v5KiGts
eLjaYh5dApm15AXVqt03EUzi66dMK451foCqCJma6FmPQLez0c2YZrjjsal9
SOaxDcmPLQslgdKB7kLU2qxXqp2aSyPVp1pJXuAqv4mGIITvFkl9UfYmCVrd
gdmguACZj1FcNrkhvrYJl9FoYCdgLb0mLi+4iJi4WVWiKR79upxZhOx5tuhS
nFXOERnWCmR7v1i6svus/0gZDzsamTBYWdCwZDDnZOTSDBwytIMsVN/PlcG+
JvI3BktmrSm6Y+LOX34rw335G3iaXqf8deT/pidud64eYndQwF92mBt9plDm
7KFmlaBhpiWqBMJyZeyIIZzJcT2cxEFrXWH56YhVcLG+cK5+WfidDHg+JBKJ
Wczmj2eobn2o9mFkMHFGyWACZOkpR8HyPfgocFUz84G4HMpzoonFs1aMGaAM
IXZBurcXOxE60cyr4XuKl6j6kpxH1ZmCyO5Rij99K4dopCI4skpzpY8saDRs
fmxtNiE0UWjO3mB2lGrOhOg9Y+1CmwLqUS1hNAaGiFu30lEpAjizX/Kb9JVg
+gqOu5Ca9fbTLBou9vNeOoeZxQENfm7Y6ruHt5lNL5ae+7PzFAyh5PYAWSAi
OG2rQwnqHn3PJfyer/GIalMZOG7PnGSsMpalvF7VOOFlripz6/NQoWpHoOAQ
Pf7QDqbiqVF+m/J9qk8l2KCqKcQEef2i1iq7x/DMd+6ErcF9PSjerleny5Nn
hz8/Hu/fu6/0V9yShb41kmNvBk2MXrnjvqqI84N2dj8dHgrN2nFKgYvdvd39
3Tvsdd29u3tPdvYFEhbuWkJJdG6VHe+TzjjGUG1xki87Y00zhqtj21kT6IuF
2FEGuS6sjrjeD3sxUxLlBOIlgHlG1+zu7pbFvTt3793duzvZn97bv/fD/vSH
+3f2hJeKa86L5lvJLLi1jdvvF/fv3D+7P6X/+/GHu7kKKrfna42b9vcL+s9u
UZY7O2VZbN3Z1xFux5tynk87iBnWiwWjB974IxP8uCojPkKHe2PUP9IAaKd0
w+h3GhHtmBt1R8hsH/yGtzOzZzoobGZB3kEvueG+rSS7Rko3aDzAsuv+XXiS
1O4kUteTrQIN3LdQU+Fvv4ycUpeUPUmjQ1KRw8xXEk6D3D0w+cp+yYUj7426
rUHVNfLgwOQNNdVo2zRSK5oXcREHfOvWL5IA5FTbRP/C9BfJ8QiQcvqJB6M7
KV3q3d0d6CM7DywFYWf/QTHMIIi5VKtJrVoyq0Mmf6Ahai5/xjDF28/ZMY+N
Ict5B7lzgmPOrHupqSl8GO/P7XGdHsc8pW1LJQ3qMmHBUtMshZhZktiGEw18
EhvLBNAo1XM8xNcTKufIXkKbhLwKlt0uWfDdKb3ZRL1m9PQN0l43KE2meLd+
IC2kflEqfqz8Ni0IWD2jV8A3pyM4iIcq2rb1dNvaADaSiLd3H926tT+6Rx7V
6pYsS2SLUypEzoyIwzMB4TO0kyZ5gZbS23Ba5VM/KO5mA7mzv+Uu2E7+lwS4
Lyk0nXwNDxEw1uX8LZNk18vAHH3q5xbPao9nhV7XYxKGmBpnOjlHe3EiGW70
lB929n/Pi7F3h2/LZajeOOBp54USWrhpFpvwAQYmElOf89ns8rAWjLrkpsca
NHdy5iw114Sah+YS8QqVjB6XNKts27LwIC6PGh3sF7xPEFA4P4QHIK9XVyMn
c2RUlkBbNBiuLS5uyrPrZtmxqW+5CDAHC3WHGdbmQLJdJ9UOa9A5hW4hpBmP
/x50/Gd+qGZZXfLW5JMbMlbheNAq46yu64+QawWTGNswzmqaVuwLAgEhRQeZ
OKvyY9YKw0fKcZHqi6mISmBrBosCIzthUKiNUd7tmIiwbGOYCH0CHEcUECcy
6yXjj9TlheSEkZEAM87pTKpu45RuDaVqb4dSkxpEgrXLQRcbND5LpXcZhC68
7CdhiPbpQlHwM2R/elPdRsh5hu4QqNX5umkVP1WSsBvrHZLQXxDKyDq6yAss
SOjkURAgroWezdhK8hTpSY3o0Rgh3qr9XtSV4/vByOOZYmgZ9buxpN2LG5qF
yI2ZAzi59Zmv5qNdtkTaGD0/lHaQrOccqDRTR4KqRpHaYneqetvOjr2R/Q//
1o0y1sBB+WwNdN1TV3m7hSWKUGLt9ilsmI6O6datXE7T60hHk6TNmFU05ooJ
oPGGGybDAxYhfl0M/lwrDKZv/3Mdy2z9h1zhOvAz9PHgpShGei7NOvNVus7X
6JBrFPvLxtVMjODJDjQrSb9WuDgLf6naqezLTuu1UP5yhkSeVc3MO36XPVf0
6OtiKYav4VN69256qCPruJkJI21ou7SYyjEFlmJNxJbwvOHK7QCqqDJ22qb8
N8url+9SQx6f0GcaO9Cga2HHrmfcA7V6U2GJ3yG6OglxuJdSHxe6bDelwbTa
iOYnrUDSXcg9clrWnkyJpcE3RHw7HA6SDVdNcu1EnhTPWfAsS5PDeu20NQDI
kpm9O4bdVQbt8MHk7TeSRaT5hTPHFmbL3/q3BK/jJybgB0fjyLauL51iQ2lv
1W9pbhu2cDyvm3nZTi7MveRHbK3Cg/hDuCsTvDFwLo1t9pnz/CXCpZJdNZsJ
hEP0ihua64qrZQbKEnkJTquwXpRkFJ2vl+tG8zV8nyPJilO/O50GGLTRfSgP
V/f7ok0GngaL1cfGzYjZr9rvUuYWQEA+ZVyRYJBUVKu1Ja9LlXGJqTAwbfBg
tvqmKak48uo+s+9ysMjnQ8awcE2PYbG7x409mYSiHY68rBT0Z5nYr8uam3pG
yAQ3s7BB9h6mFsrcNGM1jj0nb0LvJgpQ4FYcM8UzGchIZTT4aYweRfR+wzEI
G/FNUhO0U3Nd8OFC8QQD3PnS1J3wp8Wsfo8mDhsabojT86mF6TvplMJ0yjZM
0BZKLYhNOZXMe1baAT3PluRyr17VoiilgqMCucIamLaFBzatQcPabMjyPESz
DI5oqhe1RdaZOj60LWHihJHzeYalF4fYAxk9r1IcNGYoZv6GaupvZtxke5Gn
OoOhRkxP9W3ugSmBjCik7TBJJypDhjXBnZqpcYG5BVG6WbgZ9GFMyFekuZDA
DjNQPA7VlRnXILYLjR4sFSFEuBg/RibZhI8WBzEj5aysZ03GDzAlBFa52slg
bC2iKmFNFPRqk91PtEh/WkAOLAWE0/UN4WwotCQAOVhyKlcQpFYsX76klhU+
lZpRVNk6k9i5AUNJZKLSoTCUbtNKcwfJa/TQ8opuE/kTqgnfL5C0OAffB90G
NibEu70jYFz9iWhsBznLisyKNBUaUFCkVzkjfSzYTT0RwBCsZAI84HHEoGcK
Agx9SVKQbMwy4t5KM7p4fALeW0395PYseFwv2M6Or6UZnfM12egC9xgdY2E5
HT7iJXr4fV5vRZcVaCOAyXszzVk+kvsb1X94XDNrSoV7MDLb2HXTpxmqfIry
J6RrDVXdMyeV3qOscG5VzWouiCS7PvfuCCr2BBqFLBaYDjcgaTzZ0QqE2BJj
3us+CKUP5dOKSVbkmGQcjY08XDr+dNipFX465thXoUQHR7cyVcC3/Dr95gUN
fYG+LYkucQy+3U8C4PaqZUDqBdpNz67smBjYpmtkEh9DBD1rK/HKJ+RlgWTl
52T9b9zr64TjSStMqrnVDUO7B58LooPRMjm9O1ZAq4Rt0J/ZiMJ5Qw1TwZqP
aydz1jfo0w/EuL1rYnBlRPoHcRJx+0sFr9PvFUraZiHcjfMWpaIEAb4ZjqX0
qVBnivjrYbc+ylMuc+uVL0smHX/2Z1YG4jWbDNdvN18Z9SapE30bWjQI1e/1
M4usxVFE176BfWaPcLUkEXbolvvwVoRnG/DOCoKLVaCkcdAjaFHldhuFdCA2
oNHOKFLZij2EHpE+vCWPeBwLwgceEWtJ4jDoEfHDWzwKWMD8bQ4norjAK/HK
SVgEhwvb3gERYaqUF6j2KSqgbzDQhcWer8l0JcnFGsWkci+I9CPFUqpu6fdQ
7vnNCSMsZMXJsdpZDSeu5MrgjTXKHNPfcBaQZxzyCqtoHUkFlTeo3zKDlglb
K3Ou+Vkt/1UtkEBAvFmLa+isSBcxMV+42e0EoAM3OfhRnhnRgNjVHZfAUuUi
LY3gcSq5tkdGitakqxkaA2EBd6wfhmbklrOPZMmPTUdBtU+swdLYl2yYhAdi
cCBwXippDPL52D4f43NW1VmhNLiKsWie/XgBlI5YfHup18VSeBrIObfngPhY
oKkZXS4fjtOH8AczzfVKu130jqtmTzycpBy2pwkV/fN3nWInIKykUi3sx6oL
Rn2+guYmXh3SaVXQidtfIo8xNcKAMc1y8UDV4MxGUqJGu1K5YFYl9+vJ0KY1
uC0wHwOQJnnc0qYfwpMEd50V5fVQPAcG+jZH+iml4gZEdpUEiLQFTECpZbdZ
D+sWrPds6tPI1JWXWcd8IwfObW0xmiRY+1jc3bYmfRZdNwEFxbEc/xs6hb+N
egs3dd7KzDhknSHxGgjd2f71+8DHorRN8eNeeHggdDrC57//fSfe2gezlshz
7/NviUQPDqMT+bJhdMJl/fdxDNvTEU24lwrpZfdQ1vbfiEx/GRV/29nZyXFE
n/7igfZtcMEjsw28rifnb3hn/r5X77cTh8bPwNNzFeDbH03jDrSiT1Kg1CvS
oLOD4Epah17dVR2+/eWxxPCp+ao2HFfmQN3jOlL5knzTnQid2/8UInSFz5uy
Z0In9aWI/mrSDyT9ehCMzHwlXIHCRs9SlYVV5fM+rKK6Ld+TiFA2KqoV5IhT
ez9/N1gnC6itk/He/gMkQox8VoRItqOLkv5/f3f8Zjm72ruze088S8WPkp/A
GwahQJp3sf+PrfGd/e1UEQa38al1I5Um2iPvhFKmtCY5KUYKSdU27P/jzr7D
+WILldEdCqat5CSznCM8s24ESYq9ZadojV1CiEQWG5P8pCXwxNqFp5z1hF9d
JOW0Caz5CMRXZKPNJZrWKYxFB9kooWHt/yM6H0NqErNl7ei0t/jlbJ06jW9H
vRHMl9n94sNSBiu90KLnn2EazsvVlHuoRjLlBbltBbaKksVtG7JA/cNilUEU
5ElGigSVAhLq4U5T7clhJ+gOOuFaKQHnUhwegtjmD+mpf/xjNqoUhewxho5B
0OELf3MM8ZfudxqMde/e/kUYoTCMw7a7NLuyGBf1WSz6kNSVVoIRWaAd/k/t
gZ5IgU8EF7Ch6ix7fN4iqbmQVF5DyApy82DCBVIJrG1cOtexjMO/BYDF4B/Q
uHdHKeT06rUUjHj5EutAS9+QlNFU0jFIRSIxKMgdg+GHQ0UCbZzWLZLlgI+Q
A8y5Rw/u3+VO7eW0ZMiZlFgzhq3eNHaHJa8NqLu9On7py5q1q1GN1iFHwklS
crLymfo+ZtUntWpGwXroTpZNamYlOe9l3mOH1UCGAKOJN9V6upR3Bc121nEB
lPzo5M3xq6fbDmSaZd+Ctat53dDaj2m/a7b1wkZkw62Xx4ePt4v1gs+2i9Fy
NQk4xZhzADrVemqxShjXUiDAv4w95OAsRhXhtLIu2awnJyTJ1DfrLHm9s2Yt
EvjP4AR05gcDotvJd71ziwR3Ie008JO3XdB0g7++Pi62tuo//GFv+zomUmQX
DnbtkHfV8ZesHUNK/YpBc6wdqEro7yW+uqW5NrCY5FqNK3VaFbyRwuer35oJ
4XG+33S1besdcF1cVY0P+KErVsm6DHwtAqfMdGddlvSe9LX6zFJLzGv2rCqS
M4htJLW9V0L+icQSZHRqJVBcK5aTDJO5oX0hH0XAMGa3I8VAKthlrld2Zqz5
GlKo0A9/X6tuxTFQJLLQvm7xdd/Ha+qFvF16ELwkMTtf20Zwme+rhayItHAW
4x5mP1bDEL4eRHhbJhWXIShlF3UDRUAI5rjHcTxHkm4exM/0skRWIQyGol1e
H8kgy1xCTZQXN+eMBTkYbOb7TfhGZOGHRTpploube2NjDFsJDulwbmsitXl+
Iay7PpWyPxCODzGpB5+3sv5QT9cpbtLsSM03T9MFrwwglZvaMjVnhmtUKYNX
KZVVubWYecSxvgEbDHeDBbx1VDutV+3FtNSwY4RXHUAjjQ3BFW9YefZyJfVc
7PFBKfRqyjBgNs/yvETMy0UioceXrGo++2bX0ZydlnxA0aR3DFs9+iy4NhIe
cnkVDjGqDpcrZEdMawkjppWF9bKsJCwrt8Y7lZdwq84wXUfAA2sLmZBU9Eqt
7hcUYXXUx4uCusZifdzrxexq0Of2bd42ic3HpUg4s2YLhO5KSM9RNxGEOJYK
rZfXvo5npGuTckm8QIHY2B+qAQ2iUOl/kpCYsXyx8tkd/h09+8b50+EnbaaT
YxHCgHxgJDztFHsm8UUp8ZfztZQ347wCzKZL5zRDfmPuM+t750x778FaOQUm
H5TBMTEUu6TRHz5qpFA65Ly2bvpsdSdLXRVGj7ael9bcDzFphDsV6SGmlLHt
kwon8qyt7AnoKuKzTy87UsbSnDQHVoO+qUsJtA0MXTNc2mX0CSThsDxzmoyk
6rGHMGGL6YWRZAbYcnrC33YPXi3GD37xOs31tQkEvgLf00W/dJUqjFYNnK26
+MMfCsAvFS5PVTj+q2WfGRamAXPiiSgO1tVdC04l1jDwYLEmzurWUjmw6m55
gl+eJs/sqTV9UxPACtVxabP3/8HozCwfJuUlyzltUlu2/K3DCz4rV3T3FZfP
i/ihpQaPkzuEiwf4/T+N5SMG+3BQ2QkOnUmWeTx3EM6leRdbNpsHz67bv9iu
YLVH4D2in2TB6paoXoav55wu45Pnf1Z0pAd37+0jYb1dzqqVZiOU+lDAkJJ1
Yi19affkNNBpe48t9YCsiUUC1vEDB399FxNHF6adiSfFyljCsCgsFGw7zcck
yoEDqdSpg6W+b9JYeN0UxzZ7yGjId2i5guzsjljcfS2VtWSREJnShKxawzwN
1adSYY8mFW/3gLZr/piI3aAhBqnJXsTiNzndXDhra2eITJxD2Ul0N0yr7O7C
p8GE2E3axi45kWWmcsd8cjJprXmz8j21AoOb1LRuJjVxs0UsC2xY7AEKfG0Z
rUgBs1ZRea6IYBpprh02AkmNcUDSvTR2SLAOz3rmNb0f7l7RfZqOMyIdnQjW
VRoQhKbsTFZlcxFSuQ5b0ZKZ+EQzSFKO8aJ1L5ZkIGnrzJUjjtRh9utS+RKH
LDfY5Y4MCJOOYznkgoVTXQ4Gc7sjSKymUybky8UycKqehnKHc/HFE/wRFY03
IEuLz8/XB6T0EqJyaO+Kj9IFGeX1MrCq4Qm7THThST1jhjTFtcacocpIAE3U
u/WK3UVlw5haqTn8aOgg1p3M2cBPnyzp+ZxdySzk5O3x48OXnFtazXh83Osa
xT5tooYxDXLM2Zez8qpaIcMy+sLZHmQNYwx/7Jg3Pjm4JRknIyDuUDGQpM+L
GBu3mWPfteD2maIhvOmmMg10WUzJMpzW0C7PBYTHYNFCLlm7eeN5opNXhToJ
T+GbMsh8whOORcxy1NyxYOI15pRVrBCRMs8JdzHH0wDHQCRAZZCWCMGByIk6
lfDKMthUgytDSZGcmJgfOK/gl2su6kt33WmnrWAWJA03tROMmSBfabcJo5x2
CN5UDktnPTdtDprjBpfnPOW4GVGl1E4bOa5YleOjl2/HTXtlMY9sMSSpejyZ
M7IxALbbTuKKqnU+iNVkPdXVbazKtqh9Q4m2IbahdvH3od6IN8XLwxBmLg3x
p8H0v9SFwtbbxsAhN0unTXMJXxvbU2v9rTgatTYpGdPrdQWiRq8uEV4Rn9LI
Asx1q/RgxN1pBDeNJP3alSgIVpJRSB51p60MMozXYoLyeKJye5hu5H6azC5c
IsMo/tEp4CmDfPxUXH7gKas1e+alC2VUwDlh05rWKw0a9bl4eIRNnWqSFFn6
rGswNJP0TLCG6dj1DnD918K1Q2DXKUEqolmGb4W6vhnoOtwAdI1ZwtsS044M
yuUpeEtKNa4hKTnu28MQ0giKaDZZEoVOqhNmDjL7ofMSVRJ3i8Yfnxa/IpAh
nSoS9mued6ktR9++Oxe1nd7x5MXx8f49OYtPXYWREwaeA4ueHa2jpNRoFg4J
fS6VgL+ExspPjML+oBDtVxesm3Mtxy6nspOoufHzTTz4eHAm6EwafHvfWJ73
NwT1Ge0mFgEISJwjq+D0uQ67blSTsMIM0VqVLhhM3TDSgyyB4r8NYKR/BSHd
Tv/TIEUKXVLh0701UFGwnQLiH8srew76P0RCGawnU9AME695Y+7P321YdC0S
GU53Siq56zRdpE7TkjXOVSIsrNantBad7m28gJJ5GUvYEmYTq1CaUpTpAIYH
oDHJ57E7F9b2OEVSGj+1CE8rLc+GJxU5KoacoJBS44ODEMopFzjT9LbRIQBm
jq+KQ3i/PE/Gzmq9YKeTTDgEsXj8E94iPaT/hNOSiGC5VnxFrrXgczQ8Ymu9
FYeqB0EheFLZCBIw9Fi2aNREIpuUuksGbbDk/1UFONFp7DdOUx6zUzF/95IP
Td0qLDLfYz0aRE1Bai/p9tNpRARarz4IKl4KOaAfseo4WwteETTg9VqqJFfQ
gkJZsq3b4kt/sgLASIXsUY7LnxOcMcZMkdcRb6nPCNviO0ro2xfvaDT0etEr
tuy5PIjjSiHvB17pagV0hEMvQpMHTo4X5219xmgAqXbDdB17NjtTIrwCY//r
aaU75hAnrrU4w8imtt8mjY0zsy0GNGppCT+NOhogbiPlg8nHZ2ydjJy3L66F
cC6I6s5w6djsAfy60nUEDbL9YpBk3fomIot94F+YEqe2Yvcq8S5fFeY2Ug8B
UCWBFbKzw28b740MrYv9fE9iVFKhJjBqtVYOfE00diVLA+h4GcUojCE1a4MS
iqFqMDVFBCXDptGqhOqUe7luVTES1Kv42tsJ8MgeIRmgS5WJ6uxdm8ib+9B4
Aj+M4Rhuik1SRLyF4hlutH5L6BQdKQHMtJ8Kb8nSyrgEkaKq4qhUUSInAV3O
4K+zWruYEs4MJ+SRn+SRat7Xl8kNNOYuNti8BPmjADQZ/IxRdhwJ67vDOee0
AO6ocLGBUTWHnFhdVb+3JM0pi8w4IwOGwr+lHSUjIx4n6Yh7hbJ5VLVmGvl9
ChYmE484+v7gUFWm13fS6eNktdEeS2DQo45i4xQM3fJtn3tJjT4daJEjcv3Y
B7hj+yZ1nL4qEz6C91CRpFqemeYEMoPDeLniqqQuxSQer+7lmu0VhaTNlmgD
p1bxp0u70nJNwRznHIORyb0RiWRFTR+Zuxe/QsBFZx7XdvHau7aLmSYry5AK
57mWiwU2DBDO9LmKAhZ3dufMdmHys/ZOkfU5hBW2nl9qsPTZ8qOTtzie2nxF
OJFhQvfoT93bVsIpwSLtdrGKwpwbWamDsDse6Qd7AyWGzYUd6b32Uvrl9dae
gZp3iDBV6Jna8qpM1eRMichf0Y2XhrFlQK6g9QGxDpnavQTo8tbDLTu4AIIS
IpmVV7RTI1pB6KWl0JZrjboUj70eLYu6moAgBtrqIzhYGgxPSs8dlHvGSeJL
rJbfaYBnTkalBIzUhsaciZHsLYhpAkLimHusSiCgyWJ3XEAUzoigdzX4yGBK
EWzpVGVtpom6qsM4KpeqIamvo2Qyyquy+mE2VkuXWokkagHhx0G1+MyokNLh
mPK3mAhquejHQjRJtEUtQCLcUJqFrBvVN/4UW4yY7qVjFSVclAINAvsKSLkY
eiE9civX2KPHUZ8os5WaNVEuE+ocvCcaMkq5qfw4EuDWn7ez4PZcW2pRhEwj
zioyuSxbeN5WpkNvi2aQph8vHPmgjoThokbeWQjhRZgF4oRWAG4gKcRD4xe8
Ss4swhK9qj4mJUZSHSS1C0oWQwI0k1LFmbuGC1/5Opg/O+GuKThJIpgOvzKl
Oy9A72rdCx6IrBI7oi25t2qt3jsquVq5J50arO9PyYnAl/rIHl6BJBm+jo9A
Iema89beQvwK8UztT5kb/WGRRD0m3ZxDl3uYEvtiwoKCHXU3bNOnQOqTsk4+
XTjl7/ExUy6sKvzyO3wEWzYGOTt/YvHe837LF4oXs4cn7HI+RAVmw74TSfN7
aweYrpj7F851qG1Zy3M772Wiyv/Ut3Gb6L30tvnD3W0rNxWHnkw/Lzs9vom9
IBewQwbpjDTC1vvcpnDcRnSNoAFDjyugQX12j49jlNuddpcixXcEjWNzZYkk
48WGB5yvIPTEb6xjAnx0Dow7zoGyvdgJmw14xXrgtlpto2b8mBseZMZ6iHNn
8ArWDQYOXUTJs2bKqILd5GpqrKcz+2MGnUDgLxscNV/1DR0IVGSGVUm/DMNV
ZmpLynSv/HjxiC8K+KsvRjWCvKPlBnhsTm4Y8YH/KkRtTaEppsUWaTT0uO2R
132xIWrZbSt7HC8vNUzf0ynQwpzxArO4cB6yYFQIyBN2qoeIaGkGlo7HO1dV
YZHDiyEainB/Qu0yATIxDLHKnNJDjmiijLDFrOAiSHrGqdjwqJQ+X9eNJA6J
Q5Xk33nd1mi/lA3PtH34qWNWkhSNMQSOpbp59CpPNZw3I36O5Fd8KTrtSyOO
Z7CuPn83qNIOE8beDVHNQjXs0vn2RmHQousqPGzYSc4H2dNrVL23aj2q/2CE
UpXKtVuphSyS/aIxjZekWIz/+vp4zJNjzkNC72gGG6ioyAhBNyNaKVz3zBVl
L8Sh21yYAhMHgplJp78yLznmwyZOyulyIm1owGp4Ik0n/8MNu25MtdWPRbMd
KPPkbzfWJv7NSie7RUi+EAmokNLg8hffJ26jsW2o0ij8kzrxgyIfSfEwcFm9
fngrHfB39CK7prjlP70lxlv8CK8euBIf31LX1gZkAWasIVawYx5Z+kE/kMST
PygM80kxPSTWpe1XHE5NU8T6Yc6iiUkL89hGB7lPlsXTerQbuWQA1oxPM5Kn
LjUCpXJWBzciHRIZEYkc9BMxqxMhcqYtotAM4+Jb0eitMG2RGRRzKwf3uDw/
RzGfbxk7RKgu2OEPA/0OhYvmzo4EOmtGzvjmoT1ii/QY5Ivan3vyJ1p1+o/V
n+np0r9MduxVliswSi36iCzGzJcNlUIMOGHeJhMNvt6pyZp2y14S7/uJcU4/
Bpe6boZ5hGXCAwy0nkOO2oitXiA4WmnCJpQ1FyIg+9XSxPj62TRkDKK0Jk1m
6YAR0pLTqEfmV2AXOV+pLpig+FARyIhPS4IyQuNnkSPiyzLpJ/a4gD17CSTs
GKhJqjuVs3Zkfd5iWLbrNcp2CAHJFANOZtECyX4Z2UX+33R3v9Uk6Sgyst0M
nGSAMDqpgrv/eHXhRoSYIshf6SKtiZpOEttka9091+ahnnTtQpMiE6drcfby
scqzeniIQo3JkooHI/485IEGzx7pM/wJbrA74q+3WXC6e/A9PsIF/tbt+CB3
IW1CfBB9xI+6vs7us3LURa4V9SFdsnpyl1EbA/JAzMqh1KJqRWQqtkWyCqC9
WK9b8Cg7Hi7T2UXtIkVjh7QmnUhF+DDftpLeZ0ENk6Z3elNvqjyCI6G8lHzI
qzRSHsZNP6rpO/wF6ourb65YvwNyUliHoGsbL9XNd5lGwYYh3As6HOiv51zO
02bZd9vBPG2TyYif69j88KPVc6FtgBQiLtg3m9wJyQbnc6HOIL8AmeTG2BVr
a65KLJexwKZERatfYSnqsbC/7nNq9Ng56UjjKZWZqi4W8zVkcUjlXWnG8wxO
ckk7JlaJjYczjj0op4Yzap4NVKacVu3HijaoWUsp2Qfrji4yTtLCSZOjsXCx
kZMWha8OsrmlRL3B+EwbO+Ky8EBFJ2d2NxysQ6++uu0nX4bk1PFrE6VdXFjZ
5ZgTkptEQdpYvTw82lbve4Tg4CeZiJI2slY9r+xH6ZteP6iS9jW9G9pY3qyg
9jRVfvU2vztTVf8i3GGYXfrxmry3AGFczZCrUCfcBnHk7OWOfmQpf8Lnmcgd
0FT0QdKOrqbWgKxhrSv5m68WdAmMBIzXYW8FDp649HoheDngbQrzewJopYuY
N/Az+khn1W/nRn5FCjzWffPmJu087dvQXnZ3zr9FtzATYw9v5qPBM52HhfFe
XJ8JuZw9D8u1E9oOz9jdIdq0M52qB20XGi8fP/8zCIONgfpfpQUvcotwU409
mOCjw8fixsmOsoYjO8/x4RFP4xq8aS3/iJvUdfjoRT1FPajZrNxzj5XFy3Ia
buZlLtxoClCq0u0HB/WuGJL0+WJl08mHiOpfBJU2ucK5QVKL3brjRQzsJiOG
B9Z0BVVGC2pJkrJlfT9IG2e31P7f/+urC26sMpBO9SUCrr9CRqhhjkOH7oau
Uoy2w7Q7nWnMPeaOJ3S0nNt+narfdoSAdcrgDTPF15NDzv+jciyn8iImhg35
OvD8WK7gaUjrWBTa05Ju9eVR4ba+vDEb1/lJJewr/RTDIEHmSQvcVV68vWet
UkckOiiUpCjaSDnXWtNf2g4kW4KnSGksw1mJndSB2w2XpqiObGZ3dE9G2bDp
dN1Axp1MDpfwYuIsLURgNKkhis1ymdI57KQQxO3vYi9DpzbR0U8HY+SyI4kF
bKXXjDaMRTMcrPDiovxQySPStnSSnzTBSZoQauJTN9VJHqH5ThxG6LC9ni2v
xM9GM4czpA3KjalAZLbXgjPA/u+seOxUp4GUnUsHiccLsyP5bu/or4kJu2i2
1iA5p7rzY4b2QAK02UP6ig5/DUSSyCD4+ofFVhzAkMliD97eBnOxvziSyJUJ
nce1zu/fzcxzytwWuyuuYnnASJPCXMtcyZByHMxhW/DJ7j5eC834A+Y6ciB/
SsDn4bfsfTm459pKCOmjUn8fF8/CsK6JNkmANRcZeDfYIjIYmw1K1DhjO9rG
Hy+u3ME0pOiU5pVFerIzBDAHAEbQq65ikqYuqTFDza+0miDJ29qQaRaataQU
t5p5pdajn5KCsoiwyjC3ahXXKW+tPofFb05WpJivVtxNdcqrTNsmxRBVG3s4
OcEVJBMUefymz5hLxTveai5xdIZWklkZCchyRCwKSCu4Zk1GADvtk0LsYybL
VXDRGMGxhrQTJ5h7cMw4N18I+zF0uZFmxYF186Oa9WlIWS3nO4NlD0u4Q0WH
q8QjsDTPVHQO5zuVMmUl4z4G7hEaGS7/uiEZn5kw8aBJhVzrPJl2ozzMZT7z
y7BRssv4l7MZ532ngFTnpixSpWn9lo0au3JwE0ypOPVNOYyfONBkU926jm13
GxqFYGr6mhG6hfi/Neveso21WOK5QqzkaGL+3aPguw/hSJijXoIN1o4tDQXe
AKy1GvLBgXKZDWqlF2xwCspelkNuKWI4RyEfm1NyJBBuDT4gsCTRC5nZbcRk
M83ODUmqd6frldRi8FdplEBaGyCXUXAtExIp6PvjE4u+Z4hlw1KY/Dx2L4jr
FRvDeMA0qVOVRuou5UG1c0b/4qacim/ClVyR1fZaxGBC3WRynPQzQdpgF569
Q5sCzrVBMB/15eVY/6ZTYCn7YJbEuIFLQDcYWK8rlYplralpZXEJkV6PitNt
LvcqactEKRGfXiQuU7WbTosf9afHIigtJDiBGWKZ8abEdCsvzUrNMBUVMJV/
Y9vNxclAVPCyITbGXSr4dqtdYwo2puSdIW3J1sKJlSPqVHTosTujUvzL1Boo
OZTfvKtHwXpYLC/Lf66rgahDcST3mtdVC2IAHxT7ESkilgJQ8TQn7TtJAXtX
Q4u/Lk4SLSKRSXV3xtoH3fKC9tHWcoZTXFuroutiw5Gy08NZRzl7YoS3/O4s
Kd9lWKU7mGASc7ET40oq4sPiYdQmMDaUWGky7UR8TpfL98BzwEZqp7i4SHYW
uq3iPDeO4N92HlyNBr64MhtJ8fHQK8LdXjEMK+2TPAhbhe2NOEm8x5phwpeR
2WVNOeifLaKfmIGnxUSbWk84kH7uPREUqknaTjTf2ndCm5OuEHnq7O2EG6BM
onMejuM4gQScQ1S2sefoDgO+aRpKXKdREY9OXr+/Ja7vBeLBNfeO425627kw
y1vpZeXF3VZ6oyJ18ArdDl7detsM9lX26M277khDPOxmlrvtnzjkSOVT/JgI
fVRGGKkQq4J9bWuMVer1qUiOJY3AW3q4b5dzOdwb1L1SdJ2NG9XjOHQfKbx5
hZTmJhguXrZkBwniScEKh/qRysI6NBCJVd9SFf/WjoMI5Hs7VCkFGBFdR9h5
PvbIhBNyg4yi9WmtNlhDjs7Yovof8g97qzsCgbBTQjDFH3Y2PygCp0Feib09
+AMjvFq5NQvc8zB76OAG03UQJ7iOu/3pkLfYxWZOfbTJeyMXS/I8SyC493Nm
lQzlrwkgC9m6V/Jj+APdstjBImo4jeglx0+O7u3t3f/yJWhf7qbY39nj+/d3
9hXsGjcKxBoflazpNLOj8txOtrCGV60DKTvSvm88v9okLIJdxmftYmgPWI6H
cq36I2pAYeeSkleu4aUrtbbIMu9FB+lTatNU89OZQpmLfSCuqzNJZWAB0a+m
HMjGlATwIIt/cyl3b+A06mp2ZqkjKXwBTBal/nzooT8VMfU9y3bhd0ZTcBo+
m9/mw8sfNXCGeoc3I7RvP13uEcVylZ243ukiUYPis+1/45RlVEKfv/GnTyfb
P31H8hDvqhKPQI52MYqOqt56Oi/WG4H0/U/Zu1zBCqGjcHFBk/lfhfo4a1Nd
ouqXsFqXaJkjh6S1Ai1GH5N6Qp+G4yBfFCFErKoUN5EKeuxfbBO3XuDFAmKf
lBKBJWE8jk7Lu16lFiwHFb7i58n6BYr/BWYmRLOkdyMjg9sy5kszRIvVx3fM
HBzgI6loX5UDdp9vXim1RYjieVtaTUFkQSS7QW/XWQlgKNkA9Gn/cOBTOSD4
TRnCquJCr76sDnbryK32yDh+LsB7C5Q2TWxmfofohvnOscsoVjlarv5QB8Nu
mq6g58YCdhm55qWwEMezJMBhdUL0rU0bj1LW6FZjOMuDTspbMojFTM68Oe3y
kj8dp86rhn4db0hfebdASs1IWuDmpq3igMftMyLX2K1TFu1KtEcO8w6ydm+J
5LGXjgSwaiEIi+1RkRdYITnA1TL5hPhRlhG/7XL5zuicqQf6gmxqBstOtZBK
tZ1SP64yEBv0pkqCFHNqOTkrK4k3NWCwsZVaY5JQ38tTSBMbxzQkSaDQRmaC
0r+xTFlsO+dwUuBZ9t3eiIZnaZtX0l4+68k96HVDBYnDMpF+zwybn4Gu0e3i
2Gg7Vkf0mJk4IEWJoYZfJ4L5/B2OGVepoMYBRTmLzCHn/XPw63wgecTstDb7
zReRKMlazlN0jsS2zex2GYLARu2a4M5GoMmEZxD9m38xRB0roYi9nm4oAglb
3cqRLCoYHWjdnAegP4qziGYeYt96cWxHoLOZlJB/vfxD8Y/d+n7+rutXyZbf
4k6wry+JAI0jqL7KH2XIXxiCeWkb3y5NFzSX5GancqJRESuvvH/AQ6rPuAJx
FME3h9d6JDnB0IfB+xk0zNUoyjsXvtomIdpwiTwnsyXNV0CPOgVPWZgtr2TM
0qTbND1erDAvOU7PgOHItF1xb/UV10Nr+46slQMpZAyYhrRiU9JiP4UP9EsP
DM5dtIMWl79L3S7drwjEfijyH/f3h6y3VtaZpIhx/IFkteuBzzDKoq+msC5T
FAJJm79gCy5qV7Wy/VvelH6crp61mVBCG2s5m7jceg3+TNFIx8EaT3QzskXW
n1XV9AZ9wvkFm6CgJArHZuQ334ReczMQImcn99i0cTBW54wJclzSoPhNBRyF
9aKG7EEHPvFuaK++p4w1XAoFRgzYkaAaePg6Ae8Lpfc3qznPU4oH5M273RgM
ffPus6YufDGDTFhJkWNKJtJIXdD6LY669E+qhrm3FPG643PZFt5e+LcFxsmE
3VvsFjs7hY5PuqZkbal9df041dbjuhuNxji8hwNHImnuLJejY6RQUPmvP5mG
NUR+WuJcLSBopkWURv/FxNF2agyTeCVeHv4nn+hVOk5/lE/tiQ8dH3YTjRaW
unKGk+t9f+8O3FVCJdkVCZDD51gfAG/6RJeECUUXLgiBFJZF3smZbSjO6U6a
4UGMGmcGa+r8bjiP77n98mp2pUV1sNDthRI8SwWLlsgjTRzCoJRHWddAb2qO
YORdxARCJVg0wReFReSATaLVb3PQbR4prgzDsfjh1NK4SsML7A1uMXfYGTG0
HmKzEdHkBHWCu/hthG0pHGwLqVYRuSXHaEFdi6AqpeA6N0UppN090pcU5yyo
JmWtz9VMT2vG7V02rjtKXbgDCxI+JkScc58S1FbnDN6ypstn7OeFTuWS1b7i
MDuMiubHTu3t11TM7RjkdzexCbBxKor4ImpQGvv5mjaR/oIGKTIBV0W9ZDQg
DvLoCfGTSGhwkqybRIGqYQ/EIpkXy/2bBYRIAjcWBpONF94gPaxJLatWYHM6
kPRoYmYJiNo+PYi+LnbxhDfsoL3JlajM/GZnovHfLX049FfxISUX3PY3cmO2
DyIOlLeZDkxKJAL0qZTIg+nMj0ak9uWUDA2wGBZKPXffM8TcXX6MOra5QnYc
01zda4eR5CR3s5NZoLGnE40Kyo5k5kXCKXBpmxny2WVJJkueLyuWbGQ8Wkvu
WyY1wAOeu97A9UJU9qA4D+dlax2jyQ6rYA4tF0PH32q1xHA6XSMniVGIbZuQ
hdyIhFH4IMWTMLCYyoA16QoFBQ6PZEuEaW0+1mz9cVYS/OxxdKz9oY+RooMn
OJqbauTBkmRdxPeFkYRZ/b4Sd6ziX2BjeBKp/l8hmCXGPjVvozzqIAUvjc7g
oEl3dHDy4kAjhJqA1ngxL6xAn+G2Hb4PxuzhLJFNkLTsRbIuzqPYF6UV8FzE
LteL6KBm8qTVBOx1QOhKHWlYXG1eYmCx/CDTBiIWyTTiGTAA6iA0oE35JmBA
dnWvF1khQdK434/3gjw7C0/LOcG325He3FN3JYPN5iSqvsbn/aTAPbJCEeUR
oqWvuL1qClFrzIk1AUR7mggkyO4yZ85kadpZVlfQrC5m52Je5ePyrokogLIm
JPN10wZZyI3OUVe4GMktPjE6KsQr0duN/g77HeiiooaPZcI6KzkSPFYpYkmK
ETcw9s16e9Er7g+SeuhsaGtf4QHqPCodScODDY0dNjRziidYX7Cw7pe9xqBf
1IFbD3XYGwAjyFKmbminoRi1VtbYxmpCxdQxjKUyrWNaDoVak/AO1EJofdAx
0aC0nnn0m1EkrgjBrvopDjexjeWKs8Q8s7uyVWW1kv104+jhsjALjyAe7D4F
WTOerM2MSxrUjP0EjiLlpRnBaQs47r4mhY3+BdGvXlfWBFAmKMJxo7qJ8+ug
XZYJPTtVSHN+DvcFWg4psmGDkUE7eFqrQ47tvmjU/buQLzEVeJALozCbj9WF
HLjq63ZQ5qKJ/hsDxGsyjPIejI5YRrF8PK+Fi7XAm8QvmaKLrEtEajnA+Qwb
AFQ5XKCSKmtocfLs9Z9ePOKFRr8tO/7QkkFQqxq8JxZ4WAh4EVg5/OpKjSSR
xiUfRaU0JEf+Frcq+lRi7CMuHZvNxE/PqfZOjSrX07pVP7mqHjIuknl5cvZG
m6rQpuGdOvcQO0RElQq2p0sl6C+CBXm9Oi3I7gNQSX0SSshRa4YjpGMnwvUG
Rz63x2yiP9+5MMDDWATXABaSuBO3pe8AKuGkMHTdE+1icV0csdx1+Zjh2vfJ
iQR2nTpZZIn0TepnO5Q5QPelfhaYOm20B1Xlu09smdzbYgizalPafywG2Nqw
smDkhg2XKH2sg4mdhd3S2Tjhp5eG8HD1dtt960lZVQzs23IUrnQ4EFbZYc/g
9iDiIJrW5fli2dQkSeAtiE/SfAp1XmlWrjyH9o9mK1ABwXLRwWc/LOspt5RT
oLXlqpz0zlCnbuNWTHa4JcrSre4e3LJuSouqhTq2veMzOJhwOjE7+1yDdscR
vQXnJO+lloftBOgc87aMa2sUFzS9NEXUvu6JMsQtTi5CAdxvxPDj4bp0gCSV
PJJkBosDWXYT5l/4Rsw/611nWfzfpQXnbO+uQ9JyBmBQWCZHu1wzVHzqn1dl
Gh+3rTBo6AWnzezQXiFdIndndpB2JAUjYoIMu5yGAHjUoTmYYNEH01Aoh4jq
J55gaUiqqK98BriVvLcsxqa0jIaYuWbi8GNsMq7J1SCmCK7zeSgNvB6SrJt6
eTVRLClnqaZfy3iDThU6IMw6NXOBxR73g9NgYekacEkP1k19IWCJD2UmcBmt
nbCzlCclJ9RQmG/q+qAwM3pKouUiEbAED5n6iauNlwpZEqIbr2KR8mXCNycU
hRg/uSljylxumvsUBlN0Bn62fBlwpNLt0E/k8UgLRR7H0LjSN09p1I13PB/q
6yaHTBKLfWqU5ZhFVAQ1CoxDaL9TPiXAerL+kaK2MdwJ88SU7B1LUIhwY8vo
1DWQHnNWJdj/Lhc3R5JAeeZdKzv9xX3b1a1Ov1XQYvxWFMZphQohaTRq/Vd1
Ov//9V/lTHX9aHy6ngIVPxX0dbH09aCr9u06cHNOzNsBzqWi4bQqrPnStKDD
o8K+XowFNj0esT/LVeoB/kYduA+l3Ed6F+6f4XRqgxp2uC7TPkY4tdksKELZ
Ix1xklMdp45w9UFFnJneyIDHDLLbsKetwAKCroN4vAHRSep0uyImZXDUbRpN
qTzXI2eJhdGiWY9VGfagnLRpM7hkbomwv3cnvG5jQ4F4cXJccDnLUlLs+vhb
iFxhYowQkIblGS6qdWcln2nLV4xBLw7AOz2Kw27Rj3W+xA20qB/L1fRmty9K
MI0oDTM7xABfqigUWNA8JSF26bW6CjbVpf4SuFLmBc+1WE6V/ZoxaIrTkcHQ
v9Rkhxeig37+Tt0lw3kSKWUYvhr0FTCl1XZCkydux3Io5J1Jopjkt3HgN7Wa
c+piwwno5hYiDZy3QlrPKatAalV8TAPEcQW9Z+xxKLVJs0PUpeTE30jxprks
k6oaAbRZG2OVJamjGAGfp27wN9X3VDlmtRjwNrvUxzFzb2SzBPPlaPJj6T7M
S2UKX6ZKCRYw9nVqqFCasqW4dikxLYGypOhKo/x1muvqioyPTgvn4wwdnB0o
Py3ZWW+u5uqT2EocBzzoEq7QjnJfuzRk+TTpUdJ2OULYqSOs1Yc00oMiNmhW
1GMlN2G03WwWTbjmudPRmFT5oiBTVFwhOV00WQ4ZT3gzjaGgJhGN+UyVzwa/
zdukvhXwa9tFPGltENNtkV0Y5/4d8+2tuDMIde7vRPX+ot8lojFKSA8RGiEF
Dd57POFO9oRcG8t/nGaGmgqmZKh6rOTdji0yfle8tyyYOJeHCfDeUn0K1+d7
rxj/sdjd/n1hqPTRyRcslaZ4/qooulZkoyOTzks7CsM/3gOuiUHnp+HNB4YV
ncfFHENi1TUOaxfD2nPDmqch6XLKkKb9XgzziCeTpcxlp8g8KIeylKDNtw5T
XxX8RCE90mh5QrITBzwz36jE51od6BrjeluaA7l+btfm18vkOW+pHHiznOHG
/LF/fKg1mzKYET3VPgr2Pll+tVgs3yE/pkmDN2DX+EJfWZMam0gLdBhTZo/8
ysNIO/IrxEzaDc4PePNOgd2S9ur7Ltpr1DQdSUyZKeCimk35ETBFkHiQzA8/
wp5R1Saj6l3r0tIkJTMV07DxzN1ojMRwq82NrkZ+HK/jlh5A0S7xPEbI940g
fm/aoiARzJbLS8mC5pGm5jIcQvPOmU7wrc3aUNAROND8PO/0ABiKGvutAGk2
qRnUznZwVIcNkm3xuYFxwr+mCf9KrCZnL797bzPfZnSdRAzboZsjd3v7a+R7
IGl6fhfJRk3nKY5UqNxGCx5z4La7UIJ49yvnovwquSi/DmTW9rIVf3WE8asj
jF+7uboYpz04+24r3c+RKPY4DJVPb4dvMLbTCnl0u98bu8+8VFE5s+FEQkH4
r9nEDMkwjzqmKQCqEXZje92NQwMSBiGCMhVyTakfKpprQwjJUOiTK+es3eCA
7DQW6rkdp0sp+mTUEMgoKYsQtZDMnCzSfjuCQXCKjCYxiyMNxWPLab+VUTyH
rFc2HBzsBKbEL9muyEJpQsoNU2uCreNDYM4z+lGN8C/fOzOhP1iQ128nx9G0
pqZtapFrKeBOMcePW32jh8LKmWzD8FCH/xE6lt0m9zCQRKppLcFYAeIrlU6C
yc8lbUWrAWXWCm2mOjtJ9ZQo51o9KlDGwDTHzWTFN5vxLiP8iCAvdlfxxRBa
UA8vT99WDCibahJqQ0eJ5AVRE10llwI2uk6E7D+CawSmEntt1nwKxA2CasR6
UXOeh1NRt7RAmi8Vq1INysfSFcu768nA3XR0yoyf33Rq6k4UQGO63+JVE2Va
ub+3VQTe/PSq04Wtkz57LLeyST2rL10JeLSyODhcG0SAgFM1ztOeju2q+lAv
142Ycadc7XYpyUdZdKVh98G8fF+lPbLMN/9qSYEDAPha0aPlDHgnnHnVrKqy
gfOYu+hFJ1sY6nuO05qMJuUHmjaIRILuiGFmNzhiVxrt1xDIWzWixmJTrVJL
5+gO4kGLTdqJMtWNNVGSDt0Dxn6XT4NXrFJzdFrI0K2OEKNOk2fYM8eZKoZq
yLhW4K9SJ8W+frGz4N+rGiTrTIgZNQmn0nc8giGmnZynAibQIuVL70HmoyVb
NRyKN0RdbR+YYEPzpoKKD4Y3nay5DuTzd5ZE8yW2lxIksBnrw+pzScWk3BGx
6gzbw3jtBO28ag+m9ZKcQPXCWXliyVF1w/nAWBE2RpBRB/pdXvMas32ymld+
v0ctSwAk0o03XmychV1MgrR3uazZPcjl3k39L84yEKK2v7TDvGMNmjVCZv/l
cnLxzkQ9aE0o1R5WvHrP4C/3DbcBawZ39t7+A7iz+Tl39v23rDNLaImXGfRK
/Fsc6nv3tY1HJ/bPePivYPvs3ReYpbhuxXUBJouA6DWGQ/9BRzqbFHO663wi
GxrPafjfD//amhpdY470n336jyZyXUtntvt3YHbIy3a3C3uC+vPtCbjvzv43
P4G0Lfr//d3xm+Xsau/O7j19zt6j3/acTmTBnvIke4qJhpse8/Q5P0gfsL9n
D7iTDYNuzS7/677dcPeGG2BpJyCRCAQFqu/Qt5Wh2YYrQL8hmqwXGiUhMkKW
XjoATsw8P3x1yAgp/ugdV+fECyQTMuKgkEQVLU9yXukxe/e36qnWUZI4kXsQ
GiAVEwW1CZuNByUtpyTyL21g8N53tCnviMDe0aaMQvyElos/kWuOnh3S/+/v
vnvz+sV/gADcvXrlO9rQeD8tOH08imgv8aO/ArmleyI9gSK8hOxdySxhLvXq
+cnb8cmb8YPd3fGdB4/Ai/sEyVfSWj24e+dHAPp1SS19f29fubmjo+wvIhOO
LT0fP9qpV+3ZeHK2Oh+XWN8xtjoGl/iObFuVGhlmiuksMEQw6osQlFlmYhlo
GUgQ+iiFzPQJvZFb0iWkdI7N0bA1RvUjU5L0adJ43JZbzZFfyoFV2o5CTDWN
fI22ulmnUp5XrJZtdO+pIoaiUymXv2JVO2No5eJKLCau3uMzrCuGt8UJhDgB
XfiR34Nt5cFnZBYwg9/K3vGQHso52oE/5ivY6IIcymJlxKA/f+aLzHl2vq6n
6C765UtxnhVMswhQJTpu0ifJMAosb6yFVyakBC1mspyt5wt9Iqc2Y35oiM7J
tRLO1BCttf0bsTQfH/9l/GFPlyjBH3aueU3XjGLDSK6i4AZvfr8kSxXlzGea
F8VrnHrDQ2mWiKkokvBsAwuvCbJm+ePWixp5UJK+olmoLlD8+bMOUfMhRaGC
2aBa3c+Pnmgmhykxgmg2PRvHgpLIpBgkrgLmdOX447M3Pz/m53R44o97D3Zp
/xQbqvhhZ1/B2fnUVnRqLy7fV+PLf6KFASQ0vVSFMvTy9IMEOwfHOvhDN5mY
5p/rceen98HAD18DeRRl+DOa1/jk2f9L27sut3FkW8L/8ylq5B8C2gBbomS1
TR9PBHWzFC1LCkl9mehpq4tAkawjXGgUIIkt+rzLPMv3Yl/utS+5M6tAyZ4z
jpk4LQKoyuu+rr32MUQQveXNh/WUuAb4k0cfySvffv3o40WNQHklCis4LW7P
uPPt3S99xt1v0zPu+Gd8ExXwFz7j3l17xm16xpvd5mQdn/HnR6KYX6wafsbf
XzwmJqUuuhdfd/E4Nf+OIkUeQLrWToOq2pc4QeRe4UDR5j/gQ8QmNKndbOnI
hs5VBinNb+99x5I6H5nQgXEmiGFznNnBNRUkPRa0Oo1W9OLS05QMni+5uP/i
E/avLzEDQmkG9I75fmX//Bwn/V8JeCwy8V8MtNCbB8/VGCp5jmxjZxZwtpQT
OhtkFvtjxcoy7lf2AZ0VGke+vHF85dYgr1THRSQO0viZEhiR0c1wkjXiE1QB
sNg2mxV4HVXQbvUoyinEWOQk0gr7E4rP5A/0BbGM1v4kAoKTxkxjhNB8CPzi
7cecyH3IRYvgyVzR4G52IZqI0b2cSmQMvEQET5A43F4ec3GKD4pmGL0apwEy
HMgthVf2BJfJptdZxmNYgvFXkwTbK7G+RJLpV1WG3Kq0xfXA6PB3a7J7/ehU
NMafDfaeqFKTkQlKaq4hOBJm14zZJTPmbdmyBsmQLmUBr4GormkunH3GZBG+
u/DvZYqh8ElINsEoKe+xxS6aFTLSXa8rsi/24MoKKuFab7ZdlUBpgh0qYbwI
kLFRkCDGWuahxWlcca75dcODjBSYZbBk6yni6406ec7cuKGjtI3HPxlVuAHO
xkqXwJ/l7NjqMbIDKN6dnq/b9oE5mjgpXCtFbxk4K88x6p8oxK5OH8FFfBRm
ILzSL79SKcC7QOe7/tgud8sUtgbNFT3p9j3S6JC833xzRyMahJai/q9Ox1ys
P5AgJc31Yc3nTCtv7t76zv2Q3oynSlCD3hXqRVROgI3evlf9ub1fLZvlGvgH
Cg/2UEAUXIzqsY27tV6p64kBuodW6aFRa9BD43N2G30DHm099aLrzH11ieAV
lu7D4zfHN6ygpTyXWZ6hXyq6D3B7PQovQAeUrZmyjAbFfGDVD7R3lS5Ngbs0
cSSNCbY58J/if9Wnr8xmtq7r7HZwI2Nt98vygiyCUc5rOskNaCroC0OnaPJ5
yP4kDFJf1f6SjtLtm9iRTrcEi+ejcxIKNsp4a9eWDH3xt1LNSuqCjjVwMfFZ
syE8TT4KGf242u4uFnIJuAiN0+DK6aNAWet1bUHLeE+oBetcZWPn/TBMJ7lc
yH/J98ikEhqDNspc6SuJmlUEQgkg12tqEerTU/JSpFwnhes5huISPfEP8d9Z
h4ZEDR3yvyN7IW2JXAnayAV1p+nvVG2F6jjWAjIycdl42nZ5ChDxCKRwUBZS
f1uqjCAXc7Tv7o0HdUmV65IwrEsESipOZZ2XrQqnrK+TFQ84uak85lLvTQQK
JmA2yWdxkF+Vm0TV7RIt47mK52dzKc0GMiZBGh0asubIOBEQOFI+sfmXVT1Y
rSpNb1A9GY+p+AnyQsvIWTaJK0TB1NBvaoHJDOVJjV3SJUtTQjluVeJh02po
brWq5+WFOy+9eIWcGBR/kTtAgaAb9q0buHmdg8/ezCIShLtpLxZggOd+xlwg
NW0oNUPfSBwotLNBTbPiIAgZxTYZNlEbKeOfXh5nshWahLhhfJvsNEJCfKw0
raoFrGTny8kKqZKH2zIyxPaEmrlKPbkIRwRfqI9slCfTk6am0BU93QoGGJbI
ycYiJ5nN1fUXJyEBOlvCXZ+BIcaZIsu2i/4PPFbFXHPr+mzlWuFR23UNi+HA
L9mepz1mogALN9FFo9jUbLFjiCbqvHEHWRC/bpqwxyByR0oScF3Z4f2UdQef
ea5fN/Egze2Cj06mtHAfXEt/5WBhYoUSVoZt3n4PfQy4ThCNJa14arPH7j0I
f9sjw5jrHh1XJ2hE3A2UdHGIMJTXCUJuUV8SfIH4qCGX6AglqcE18OCJlBZ/
oZy4UI/gVqiMSRlc+nbJclH2e8sJPvLi9cEeTFL+wt0npKcmOEZI8Wb9tVc5
UUe64ol4pN4mQAKkHtJu3r7IHAUz8vX2O48UC9xiYfa6x/tc4YG/7feYUU2b
FGzyRYwQY55Sen6EIgD+yDrqjwa3SA98IQ/Ux/hfq0/u/uQEbDFlcn3kpA34
PWof3WDMfiH1SL9n9hDALNfYaryPUb5w4zLQSqHBqmvqex1BACLbuFzCnsJP
ZTwAnN0yfk0n1W1BWfGEFMT3fk3rORsaItQyLpTBwDk3exyKm6d6iLU6Ai/l
TpsXMBVkBJ/HuMovW2GtM5OY5AQxKm9TSYrBJLRyFuCmVvAx1F1eNU1m4Y1E
tIzjl7adPUWh+y2KsaDhmrnYaGwdm0wyIgtqZSt7BVzfdL2Z2jFdrFF69DTF
CXJLMed3UoI51vNowmfabLfZeBHUMbapZvl79HlOumqIky4MMNJJfwLfz64q
Wx2ecWXZuBDzRt4Uz8rlGgC+uIyXwvbhhH1fil9HL7HvNAOzpIdDz3PwFq80
VyuN5UJlK2cMox4yNTwya01Oijv4cmji2m+iNfyeTgGt3+4inhL5bBq3JI4J
zaUW6xM5J+4ZQOWJXc5NkVcZFV5IFtygndGt5axjAkvGX0KzIQZLJS7rlnwB
Um16yklISAl2MsP26WuqIGBtHa7dwLhu+3OLSEd2eWqUrVX17HyrHYexsZ9q
XpIhYZt4Xabr01PNTO42wK2s4h1T8bDjYl+0JPQopWeCUvr0VQZPKgBI0fKa
bdoTOOhEWLEH6ZT6SZnkJhY25GuJYhY4YHSt46xDlCdkz9cEdlsgFSLEkERL
KyEk85rhEPUgTtJalDvyaJZmqfgi+PKh5QasrdD+wIUBYk/twP6wq4t2pQg7
Cu6THTmnCp4FmgfiudPsuZ3vPZ5bisaCHoQ2junv8xyNJl4oqKMbPkXQLz74
ezFXwbgQABEmcdpKWX6LKl7knScDT/6hstjTMyy37HrcdF5+2fZfUdZcy54k
jrtGSio85e+QH6uXFM2duNEfKubF7dDCWwLryd1hpr1U5ImrSLeLKg6FH7JG
6KSoueIo58B6A3HWeTUSuBOZsLkldhQxIK0ydmW4ABDxF2XCHFetRs9r2Shh
uEkEdD1kM5/xSdDWpBlMAmuEUZZEfbB7261j1jOSKyPCYu++FUeSVqiWqcCj
SkSLK1kRwq2wXoMOjKfBSPJFxu0nZhK0gy9y0MhMSaW22s+oRM8nBiPPKLkG
xZRH8K7qnFtd6NC/9sbz14Ux3WNP93+gPBkduCt/Sq6KYrREYxP/58HBQfaH
+ITRnUNKTI+en4/NcKb/4mkY279v8Z7KR1epGI2e4H5UDfwD//4HlNs/0xPS
H77wCXHJv0Y4+qr3h/+GlcyKzbzcUMcgEy7kGNyn2oEG8S+pM9OoBCJK2cUY
6AmDoi87H4Lv1SYvwlDTI6vbhyIPPfYChytHQZG1JzYHHOjRVD+G42o/4IEg
CNy7wlLmYXUqWj6ZAVj0M5bS0dK6b3wN+hGBsK/p4ijEe5KJ7iTmX4rvmi2i
NT0JJXIA3fKY2Ykid0WisMbCl9Z9m0LY7t0TNBu3Og2LKiSTnAZ9AB4cYWsl
aQTli9CSVZTqC1pPGmrJgmOZiGQp2SrUBUFruDZRbXTqFM6imKOnthtdXqF8
UyJpdEtfwynxZJNxO59ly2fh4bTHTNuPoUmZf2O4JijK4BUle61wn4RlUMHF
pQrFAgmdrYl8eg0XqKTl58SGUlCmeGn8vCGSTuHRzsLN1pa36PTBe8bKTd08
Q3wzOsWMBbHRcmthpaabtxf6TNEd81PG+7RY0wQWShMSsjPl3b8ZDnsjnOBJ
O8PkoVThVJ/y9I8vDsAcsDlpozG8uTQeepTxTxzx6ICpB+CHRBzC+sMqhfN5
sZiGg6xWo3VlUNHlxNsxbKPR9wJz/6ox8n25JGqkILYmNMF9nfdl/32NWBfN
kohxenOzqUwskpVWSa7G925KlHIngKaqtd8+GJ7Q0TUm4yTFmK6yeK41Bh2d
bNbv4tGm44Sq0vHvHMxCjDs6dEfKCMHHnixPtycYjA5k9B/V/TEcf1gsF9Ft
lUrA2o8dqSwKM0Wv43517X9x7D/8hv9o7ANs6+6/0Q9xiO7pv3VlyMr5wv9+
x9NZquybweg/3OB/89O9GZJLJCt6zwQXGSIvom/ciNxcRgsX9joUMRvFt5Si
rN4YZ65RgDxrtnF7f/CCSgj0ttUTEE6TFY03kC5zsibN/6Q5I4eSEqFBrqu1
yth5SSB/VlfSH2AhUX7C1JEhHePCyLisfqr+UN2fsEW9WHAAT73jD2vQS06k
H7Byagqj3VEI0+q5Hfmj4ctiaSxPOcxDBHlpFUfwQzVr2sXoSfXHuNcc0mm7
3JK5j2Vs2B1nNGA2g4M4lpd+IPQKegooZy+YkASXMruJbhD/MxsF56FX2A9r
vSpJlA01vbDHgCutazbvqVeNdpwSswb6K/ERYN826/WScCuPaYMw9jgj0PWw
VTWwdnIiUN+aCxIK/3D3RzK57ou/6VJ5BUsyAVTj/tynlOqk+imxsGDfprlF
BTtCfMLUoIdPZC2zQeuNfzedpGnEuLDWxxRgUe+ULJ+tus9plgLhOU9NO5x5
VCATJoPGEAM9UgNKqgMk8FFiyz76v/ATS3n1JS7ioKZy3iEJNnEQ+96heMJ/
4Fr+uBVjL/p+37CHBKGs+KAgrJ7gQ5KHCI4VS+t2qSwrT1FXsnM55lifDW1A
f8i0vP/Qbrr/xNLE36Kzrri1o+crWTWrnCu1Qv5AP3GaxJQnIJP+Saf1iP6q
oLwTdkV9KlvTmNe5ksDzgZkyCIG1/GpSyVg1bpd3OmTgVgHQihLi+oV/fiHo
MXlJtvT4wpa/ELQXhh4nivFdRF//+Tah+o5lRlIUxC+DGoxfjd9fBXGpn696
vxT/Ofup636ePGeSIWHQV8ZLbtnQ+Rn0tm0OPLTyGgddBLoT5+was8SD0fRP
th5lynbgv+sztkWF5ecKqFIKNx5nOhiQCYffmpXjqg2zaiY3n+wBLFTu5g/I
q7J6C9LL+aIaVB9AVwbXJa5PntH9KT+QQGqecE5F7w/LLy3C2a63SrfkZJpp
KmFXZ8UpIineoDuH8Zz1w9NfE0Ty631PU5rubaqtCsMhbjtqQ0izKMwIiFkd
xjc8P2cslo2swsju4KNrRhJSMCNrMuHURg8cyp61aVp+ZQDkQj1+OO2Fj8t9
ZrYo1GLTsssbWmYUa/3IVa//IYM8RtdAZHu0IswmslqXLv04VbxnCt669JAs
BOrNHyvwAFtM3jPq+76eHDi+mXXAyZbO9RVmy5iCPxaaKawQgXlaDKc5PW1n
LaUoRDIKvSFoniTq8RotES3mgVRUingcS8tEjQ4JGUovhGmjtjXgvpEf1kEb
FiGedbZBbN71TxWpyPkBjtG5lun2Btf4grHHvQCdknLQ74irJ2UGmJC23gZx
WloY2/xeG2/v3XttN6ZRGraPVGCAE64vKJyfj8LaXKNbU5KBGyUzylq86rn+
TTdiXxfnMbRjOtMLVG9qsWa+SulgV72DnS6q61ZuIdPeg4R0pzgBQMcMHYMs
cOR+ERXooN34NUc5ol6ewbCVMMIeJ1y/ffuLvz0QVvjMszVNIkGBvd8OxVKl
Ge63nntJjAHreo/1L6xbt6qUEuLTS+mxvnewxw0YJXNfUzK9Pzk34b9pRt4+
9vLLAFxOxCFNI5doJQEyOXTN8qSRA4eSvAlRIJ2zyIpn2fhGo1WbGDiNdos/
7pgEuO/+Cj+QP/vB/6SwkeXr/XsHVE2KZwdtDFTIC4eKjJ8xh9gWtn27IK+b
cwA8b1Ju/pn9R2kT8kSo2523p8jPJgLS/qR9HNpYoovoufB/cQsJ4Nad7qOl
Vz31VJE4U4WOJShH6tae8BzSBGY1BMtOCJ+jqlcqpg2OMppwyn5/WDO8oeOW
TDR6CZ0ZIITgMLRen0FTs72Yeq0MxAKwQeq6hS9K1jkHZLWuyrwdEbQVh0zh
zd7TYjbthRaNNDk4Ig6Eu9tqT+hBHakqLMMuZ+lO5eSmF+iBMCCM7D6ZKfQy
etc+SzpE5+oPYr+qjtVxMXighEpwWSndOJroRWqkwHnU7XnvhH5JRCv4iNbe
BM+g5UuSBeCXJp6RsF4VbF5meCvPN5phfFgJ9Z029CH6XMdXvl0bPTWheahy
yPEvPQfw+GmG5om3aBDkI1wGhGZYovlQKlZCMnZ5EddytTWg3qZZXGYZGeHd
arpA9/xDzbJwRkjQhkNrFKEDyINCCAnUJIVJ+XiCGCR8oZErMdY2ivBx5Vgi
jEipZa4EM0c+CJ3S3iZREpBLHeWGEGDr01DyXKU8cbJcNDxCyUNhyOE0qVAx
IKiQEHBUoyQXbNOcRjmxmvkl1QnnMC8hI2M67+y1fCGWaLMkB9J2h6U+Qx4Z
MziSEU5kcGOpCJu33buBz4R4f72a0JvXJyhSq1NhDfKIJKaWDXDqqFq9Mvjv
VWbBFxWuXEZ3pRfRQhz7arcH62ATVYVCxuvtNi6f2D0O7Hkl9aWeeAmsSCIC
7QG8UFUGaU8/Ng4lEFOVv5Wi0uK3XOJa/lYFkf2Y9uDLfsqC1H5I20G0AHt+
m+ZbvBflwH2xMICPH7qsFnnNTyopPXw7od7bJSVBdmjWyk0zGH85lyt+HWOA
zy7LvT/y2+pLn6RDeJUKG/9WfkWrEHqcLswcn08FqfRrojNK2HfnUOKYUEwU
1FfEmJSLJHLKBKvM4LKC8ZVyeicE5csOVFwecmt0sFqb7UhyIFCXCQRBLCHE
N44se4VOI/9CJctqRPFd7rj5BNe0NJv3YKqg0wNxTxLQkQkxLBgYRGbl1BQS
WDfSkLQBiNHgG5/RfsLO45AxKamkvYZJqXNUSiGnUrp3Zxxff1Zv5gsKk4jo
J8VSRrYF5xKG5DNQTASH2mgfJ7xkWGxrLaoakXaRcDPk1bmGsVwp/4B1HizT
ALAj14mSsZ2bY1+G+s0VnWCAJ9wPsO4GDCTmBdV8miRwgyRwhRxkuohW1ILh
S3AiuMqDQjRePMVDrseMjfC8msR4e4uOM6mfUL3NEXeDVQHl1f7sBdL8YpZe
cJpg4kX7JAkXiGuU0RhkX8sL3NNbzq72KwvYhEOcMK8h2dunNLFbJRr0vvvj
6wtKpo2BQkEpS3G1uVZaEjdaYqNWsYL+KFlRIM2iV/ggEiJKJKKEa6MZTvBB
6duKvjPJclN817UlIk+3XQkEtPgu+xFztxRocQdujtJxNPou1fKJt6edVUX1
D3MlDDN/WKJoHwfDnjDcRJOQUgSZTyr+LoewY/LestiSJIcLoX/hYxsk9mtZ
9cLNAQ4/w7ulR+Mgq5wmXHX7vp3vagfQW1ujOJS0uOS9jx+jyscHmKOhS1E+
tZbV8aupN3cfOGoY8lC2GixbDKJcsBOzGDEWgoNSNEei0brJTvIMrEkeCWDR
QgCZ9l0T/Jq3BtTMGnkD68AwT4k800UXQ423YxJOBELYqzx2Pr/vM8jLzDwC
VG+3NwydJx+NLi8qNcl/hj1bnmLMoCc+Q7xnVhPBhO2q9D3mJna6fVn2vMMF
f66xb49kgNu1OxE1uAgXDoVkU0i0+xv0SfP5C357tmXBbj2Ov/IzWJ+5fHkh
6np6RI2i4W5wKhv17JU97sjBJhY+tF2rjqMAvexa8qu1Fds0NUws641ACt+Z
ltZiHzQ3o/lU+owqPYNzEXUXdfoFu/BcyqgeOfrIx22I0uX0MlkBFsOL15cN
KSqSpv+DdnV0HA32uWmEtUnMwM0y/ij+aX2qwRuSBJ10/VnUJ8w8Q/2KT8BY
rfX9dbTFX3Hwsp4++OkNPd2YgkhQr1z/Tdz7T58eP3v16vAbcqi5wpXfCz8X
8VEhpYjX2awVOUPEsRZga1B1NwmxVFiu4lkuPAkOHku1HWJIIcZMCfx+nKr2
+fXXOO6znXQmBbRKm8nT46WNAlqOxa9Bzyq9/Xp5AlYkTIbXKhqQ3JE8zpnm
9PLVixePX9O8Ja52Ua+IIV+Wn5Xo7gIcttHwQkIOSllYUPwsZsaXzfVY9ja8
3yJ8fAqIO2PAysYeuVMTH3KxWF8mBF7HSVOe0vok3kdWzFpRpEfX7XnI2KE2
dd34hoWIVL1w5/T1bkkOImfms2o440ngA6r02641qTYLoNiLdrdjbP36BIi3
zsX26FLBlBFRp43vTM1BJrUboQ1mvp/tloqAuiqV/POPGXBIbkZX3Kt3KylT
pKYF0QUiGa5GH1p+hfAg53o4CkdVb/Kq6uV6kT1TTzfgcWL8YGrnF+2tzaoL
lbWUiXdVFE8iIJCq3Q/KpgMjksN5wvfMLTYqZaHRCK69xpaURbk0qUtlVNy+
QczpKgsQa9mCaf0PRIOPQ+9TuYaYVEURKmXB9/QYBwTWl7tOa+eqMkip7VYu
4+77g3vqDgvExjFSRyKhmEncMZsNSsCzyXEsuiyYhiACQ1RlVd6/q2TbRheq
aqB4m4PLFdddMLVACm+/dKtN+xkfkbVG5wSxDo97ms9MsA5ZfWT6U68hpXNG
H2Cf8qqlm0SjVCR8ETYkjbZZs2fqMyaNCLnFhPoDtevzwZOV7eaBIrOh8r2c
EeuGMquVlIBI/qi7qmq4xB0NNMyXVgXTcI8GTf2Jr1q5wWPpdQrJGcMs6NIX
c5iQfF5xK55KAzZ5Vs/NiwalGx7NlJYMKcqsbf21i88Rp1vspNR4Alqzi2ZC
1wr7xzWuFUQRt+qxOFf/Ru3DB+1n4cLB+U8hLOIq1bgwkz5rGK7C2WJ9QrSo
XbeetdyAlu++4HJV9uaFrUyNuWULJJkdIilnSxi88SEPHANOam2kJURoMCzZ
vm62vlAWHzoz1HbET0vMVkK61BeGIKUisxUkGUXJiIhWVaQ2qW/QwVhk1Wrg
siFDcqLW55bZjNh67R8vAnGnhpWuizIpaLgSrJSszYdG6ijWlpro0PJywG5P
/E2PMSFvqIpZMkBlk+dgvbD6fE3EYDDYBCfa4ahtQ4GgcJRUFr/J8JoSAshX
Epu2TS1uo7iOdwZKiq67M0kHBMNIjJIo2vxNeOEOAXZqu14SWSc4JCSBPiou
W5oFW241OblEDHLGaC5SLOuLy2k8Ikwt932P58k11GMls9Z4wPdoz1gTzGta
q8eRRML3FVrJk2G9ahaG5slEAW2OdP8Fp8P3iA6KXyLyjiSWAuBdo88N061A
p+lflXNBbL7na80u5kZeCEgMUVqR8upmI26pRYOYFWTG4w8wgjetunIgLVxr
OjDucGt5ce819JwOCmKSHQliBUq/C+NCChbgZejLlvyCycD5mBi7KXrutESJ
zBY3bkBmpFEwWO6ZOSf8Ioo70ffn76MfTNcNDxWRU6/m6vFw0KD0oKzNjs5Y
cBLyTVpw2IK00mwe9jCAC+Kq4b+OVU38J9HsDTGNpVCh05w8tLiRSPohlBVl
BEFnmOCM1IwwPkYbagvwzLEzxEV1zusLSEZ3uGimzqCWQdezzbrjTDT65nAs
fYZ8RvycqSOZEFtr/pIU11ZzjFfZtd05FsEBVzpXEiKWKC/PRJkIuJvZO4ik
eP+m69OpklsOIARkAnKez2DCdDkzrts95HzSCszouqnBYUfUNUMjAbeJtiDN
8tFqFi1kqj5O3TKt7TinEpwZ48EYoJKULl6BH5PZXLp+nuNIelKmbyPLFdJS
o8iL7pAbjUwlda9NJchPB4oRBAw839QfJInGsp5F9rbmsyNB0t5pkzNPS763
zZp1gg8uTqRzKDWVYmtb5lfUAIe9mRaQXvzLLvrZsuHOf0phpCiLKbtE+g2f
I0YMunoKEUU/7R2JYlI8H12XsIHhq8jpEMfTGEWipeXyeIUz71Zs0Osz3GIF
rBLOX9f4AwYGTMWPeKiEQcxg+nEtdRcofq5SLh3sqruMv/9oFXFn5ECtMAyG
iPJOkVtwchk+Z6jvM9NN9pFohOwj6w6yj/5SyL5Zz6I1+SeHkhNWngORhyDs
5txfev+NJww2XkXJ3Uth4+W26uoOOeEmw4m2Q5RpE7WMeiYv8K7GApvI0nOb
eJyATHqW/V6/j/qPMDiyMKpPbQjciLu236YIXvz69KKS34dFo/FXk+UJ0+OE
bry6DdRchlxGDhnAtiwYLhuy5USSL8zKd0zCPXFtndRN3xJqcBa4MuABUnIn
emU1SDhDO8y2OZAaN1fjV7QQ3NmI/tddBgFRI5Y//en2r78e0UXh+ZHJTvXo
8Sil9WaCzZrbuG9QNmyHLCwbstXabpn8QQjvMhJjy2A9gsWWebqieCylqF7X
i5q4opBPoWzjOyC2Hv746m+3vyXbvSMqPcR6mKM0rT134ZIYDx+4T5+OH/54
eEgODrlnEF9QHbkDVJ3W7WK3YZc4IDOtZQYDPQbo7H/6auA+h1DGKgqcee1z
LICQmJYiQdI6xJn/IXunQqWnDH7y+iNJGVOaJhncXSAAyurMEI9GxCe0LEoD
yMHuvm0jTLgsd5QTzEUUQfogzWA5KdJud9tGojjC5u0iPVaKTHSBQFjVLq1S
iAZEefIYz5ZTVKngzvBxIOm7iNIEXB+jY/uEmvDOw1A0B9vdpSJJjpA5Eln5
mjDT8k0xnjcVtTUaiY1DeD2Q1Gb5KBxw6Oir5pRvBZob6sHz16U4fx4aJzPf
+LR8UJVKDyxwxBxdEBf7OPMnKQvA3/Vc8imq7So7uDyH6XPm8lr95UCyQXwK
yRxIGoDSmNtED7K1LEuweIuM3OUISAD4FAOapPbdlTUhFoa8HvZjfEFHln40
strOOSqSQ06RejV8nEERhln5q/+hmOwxwzEh84gFzPz6HkorippX6rTTfXuB
cEfhhia3PgSNKKTuguTZw6lhemY+CNKLVnwcx8i8tT1IbCwI4ka3OFnz2EM2
G+zH7DhZo4M4+NWL40eHNJg37eqdjIT/1roa1Cm5kGCEoj5CXr7Nvf+QXDRy
8RW1RXdIvgSWBAMMyaksMq3esa+qJ+taeqm+hmZabbWpi4xyJekRi0VESUpz
qV5ryZqL4cgktal4/OUlm5zQTK/fvHp0/JPkLxkAfWBhm5bDFpt2BrG5pfAh
kbAotT6+xZfPWRs8Sv2zBFvB7a0rIRzX/mu6ciSoSdyxUs7CILzZtJPmdY6S
ecEhVB8RNVsBG1yaE9kXuK+JWiA9c7Q74FCWGC+WlqDg7jyJRvjpcuwAJ3Bb
nA4HhzWrFBvtRScLbIX+Ee2KObqGZj4C35YQDYoihMJ+Pm8lpafj1/h6lgxI
sU1cD+eWgn4JWagpNs5onrbrswZXXTAbJr6Y0xdGceg7mS0rAjLqnSFbXygt
thLZsmj1GbZrQofDXLkYwZ5u3ylmSn5kXpXqAqUpJNoDtPUCosbZj/kNOZnh
C5xMWewvcjYNiC+TwV1GwLLzLdtDP9D8mTAzt/LWiqvUpYL+uWjfNRzhnaPs
JTWLjg9j1nDdLJDZqTB2htpNKtzh7SYjZy4JOcvG+VxcVfe6wdMZbT7WkER7
3FeXID0Nw+djIhEvjbwqqtncECsJ8c3b1ayq9plVxb1I7J570klyd31xsuQU
BadXnUdTKm7kCCbvxICIY6Hedh08RCAlVuhZraii/hqF5iNlNpvuepjfmyK4
TlprIdoByv/Ylpp6VC2wqscOI/PpK9sMHNyFdi623+GvPPjaMn4unuTz7JMq
k/Pid5cQnnhgujIhT+pEsuVcAJOCkIELl9iy0DS3AhOEAHcIgpdhEwiaGSTm
lx9LV2Qm0IXrkAsHxeoMYhgmSLqp+EAQQ9BbDtkA7DvJCKhosZcFdqM4KKCZ
JBInadL40abhorHdqiXr9whaoMyw4CTEq4bfKQmk1C1Kn43GHrEAC2O/B4G2
Q2kdzYCAUBaXAD5a7JhxpHQ75Zk5RlraTCIhTr2r4qJwuoAIPmlG4NyOi2yV
Y5K3TSEYLGyxiICHhFSG3yMK5vemSLk+NCUJX7567FBjWgYPs9ZqWTUlwRWY
UsTCrDFQ7bvlCdpYBH3+kCc1W9Tt0uoyFI+Dgg6nD4hpRk+XBMEJfxMXmr1S
cttpFVdCpM3Aw1RjWG9IbuOqflhJD4KofZbk+hGO5tGfych6zaeIohXLaJye
NUt7ukUmcc/X660eOUUg8ivj2BiaEx+W+f56Q4XG3bZGQYq88uSAxrHEp6QE
d/Rl6XEvU3uTwUcywB+FDZPBNnmEKoFlhnqJi3W8GLSUeb7+ukFrIj6RRcex
9Nt39bLtSPeV4FN9Galwhu/4deaifqVUgqM4GSQjmhT4IDZsDoJpnM9Nqk+5
4egQuIEC4CtZajU+3+JySXFh/LDVtYRiaiUUbm4Kncnh76JateGhZjoVGuha
YDLXvEUgPbTT4FqB+8Y+VqElni5DJNsVyZy4f2QVxIVHKcewEF1cWmorIZ60
hQkkOJzwFJB+S17nhHuM8597TBUlITjLPDdMFmdxBuB7g6yfC1Gvzx6SiGJF
xJ1m9VKhXubSN0mBqkTTRCKjW296NGun0Rqh34E24r/EDxsJ0CT1a5lUP06q
Z+Pqh0C8BHGAo6wTyw1+7I1J9Y/403/G/3NwcFD8/p/0AH4LZmeuDumabKrx
qQsGzWqmfsuoMpWDLbSNKGFp7Tc45rHg7H8UGvKTS6UMIrhXlPPptAHbJXCN
bqe8MCLjuI8GSejLie/z4vMfzkCqs1g/6VuzWD5ulaqe9yMDGE5Z6a+0yMU1
8cuBiPP2jGxMalUcFOTYX7WZeJV0WnSi7rVP+j3XR3mH515r5+B7OgvhPT09
u4mbhn1TisDwS0y3y3IESE93lVIFlsxh6mFb9nBlheRVDw63U5TdD62FWqou
VYCJWsZnZPO2Kcdx6mR9I7RE60azY4sCZ1qYF5+fW7G96zGNvDhC85wde/LT
8YNo5lJQudm4yWh1I3eqpm45UWhMscwuaoSF1dBramLO21s0Mh9JhDf1ts7q
n1PSZ7Bp+VgpA5ay2TjL125UNFmyU0C/p9fWnavu0yMRV816mm+kpzkXaEwC
pxxYwbOdpG3KFTrm6u1Pdr4EzI58VgJAQE0mCGB3CDbTA2+VveLiBvYZPn1F
0eK4X8oaCDy32GhUyl8xxlqNNzljhYOTag4mgcoXxRGmCcvjP6MrLKKfhha2
0GiunIGtfC5nYEx6gprrJmC6mWRBDsgXmOArrh38qQDQcbisv2mlzRRlunCt
bTYGqHfKTZvJHamWFm1MCZXlyQKBITI/0y/s6GWdw/zoQ0mxMMnsmGMO/Qx7
/olKak+xoClojDP3u8u2wJJd9Bukhvym0TXizvNc90AYTPKGdMWwecsmuj3M
J9FKzZb/jp+KHkt42B1BlZrVbE1GiuugzX6RLE92ejCA3mHIKmJQhlB3GmiJ
j3zZNbv5mq0iMvvI4EsCUA7gSVO6hdUet1As2u0a1rnTn8aIkfvR7TuCGXVS
opuL8vgIlA2u2TZqOQOK+PSFG7WZO8DUkPnZvt9XPIDZsGgUTDOvr94TbiiX
2UEEKSZba8JjZSMkWk1M9ZbrnnTDcLz0MNZbTovwq3RFWxlrvDxm/Yrdwwen
JgZo+wxI6+zxXQbPcSdBBYO+ki0G/mOApSeyhzaaWvHg8yhCm8VpNrJkF7Vp
YSUPwTEoswBseqIgogqLB4LR40hixNWTciHtnHxCg9lF2XnSnu3Wu46SGrB5
6TS1bgp6XSfI3Bt3WnLI4+ou5A4g0Uv3klxtShS8YbAHq0mUwHJvqGw8Unmu
fmz1iPW0OEui6t2iO82LRyo+wD+TGfuSbaBnoNHBcjBkU5xE6UAo8mm7Xksx
YDwK/HM6kMTVTNdwgvD48f/KkuhcfandEcSsVCBaXLwpHhgfg/J5tUz0/cqP
ZIeA056gI8/tMIDZc0usVjO27MaQ38D/jCKJWhLz8rK/M7XFt+ivTDONbVBY
kmB8hhby3HdRpdgja20r5uSaitaT3+e9Jo0omQ8ohRV5ijb5hQC0ThJXw6RM
XJw38zOJCkqcApHQQhWhSoa8bhpbNCwT9juJBAgfSfxJc0RiIWY8g7jjUnNB
4lz/JGFylYK+UyreIp27cD7tXUmvyHEhr7Und+KJeWiQCB+S1Jd0idkUFqam
P2kZSOTYNBOywo9PGIJx4InEXyWoxivlcxwT0qe2DAJVPeGGXUiVCU6ArCrU
ptNeIJHOwHayVeSe5IEjtcziUSZrN/vmMxPh3sSiidlCUWZUluoNO5oEbdom
UFK70obbXklaVV2cO+W7Kup/LW01U2UNwqsLJH9tTWSE2E4pgWIS/vgMojUL
4QGFRqd00OIVXzMUgEtakrqHjcf1UMW10Shv5uElKT5gHSjZqUme9Ab0n0SM
Oj2c5tq58EuCgukUU2W81hMB+ePMSBb3zq/PE0qLQkjg996PlqFCK/V1+sEw
Vme92W9p0CXMAVQZzsqCgaHKTFyud5Dq2YtdtPhnJTOqGJyuujNVvwxJms5C
wXpL4kacNbwdlaJkERjkHaORIbS0I/mI3eBcF+dv+uSLnUq5lmsjFtvaAvLK
okDNC8TwUwCtkbgKW8Y5J+6oyqlAjkhbVk5tM0hJE+ZIVZ7sWoqyUpPvVitw
ymXgzqCCzvEExNkXO6kzyAvkCvdAyBQYgJn23dd+AXBoUI4tkMbeYBcGD7p/
w5qNU0zqf2ZRHYQI3s1PlZwnlPEYrALSeo00Axs2mjEGNS2u9UrGHJpQs8AI
d7IOzsYaXcpMMeh6JjJqocy4nKSeoqLBhJQOT5v2ZDVC62k/ccWRrsf/0sVh
D3IPYzj/hgMlw/QkRaROInpFPMA/xrACF/Jlj4Rj02CaXC4RTPhl70OFw6iO
nlRnLW7fkDSTpihepk2q2YDgTys2tCjhOq84P9F7bpB3miepfSlkzsalAXKM
YVYNL7ayP3IEYVhSskYYSUkRSnTu1sfHjx8/UtoNWEe4hqFRUhBybqZUw7BE
Dxzjr6dzHgXKSkyYetMhcUjLurgMfWIs8zpsFoIWNiuKQyDiykk5SrBP5V6w
OddJViOZ5Tq3bW6Th8+b44Ux/uwJ3L4Q7znBolQ1H6H1q9rVWyTlObpWV1k/
Nb2wG5K6SiGnKFdZbm00LT5G/rwtw1Up2T+XZwb87rHwMebDYOa47ElMk40J
zjV5H9J8T5rth4aSBSgxsN/Ru13ouHYrFKf07An403ggiTKGhA04kY5IsTik
OfIp6O+bkRnQJC9Duy2pJaGXEXGR7pBwx+jnZr7kgQDqyhik+Sp9bfBAM7su
x5A4vnYR31iDBYi/GFxXBtLp+C5uAGZHbGRc2jYjGO2amxXG5RCKPtn64DjN
nj1JPbPb1fv1O7TBJDvnBsWYps9eTt/fvmFt6TT5MFXXGaR/ytmn/vdsUVPF
Qx2YIIgnk583c6zx3XG/PIFJPQqVozGaOH0aODvPkJu5cyn7IOrOPHqebK2U
sv1IuKVnPCtRDVRXSoryO6JBmMzU8mJXl+l64wvPngTry8jR1fwsWZUWm0oE
h6bIMVvzpitdrtA1LPdrJKtrIVo217iveTSf2cuUL7lQK4eO8LV4cwQ4zXFh
1wJH2woWjCQHDDQm+/hFIpVNnc61fHWwCbqoDVcJFC/Bu0n1XIrynrukW5xV
8ZJ+Gkze5Uwmwh4b8yq7QrSfksLO4tO8d6zx61QDa/RygvREXIzqnfl4L9az
dwdVlbMokv42eiakLRl0yCRaaJFTMWOjtiHImewAqtaAPUI/CNrDUuTCiaoa
pXlNlOJzrMHNT58svTJdtl18FahT8rfB6+d3ZKBLeiHSZYwxEj5hsWx6rHuh
8pykF3W76UpmMdllYQq0eGNizYvPIBnZ+dyD/Zj1NFkLjtFS/TFKPGzW7JVW
Z1GP7QirSyYR3gnFht1Agj3fJXIlX8YJUhy+T2RF1lz1nWfgxODxshx2gdFf
MhHbTgpV6A8MInW6G6yJpOD8atsDKZwu4DFmFcNDsrpZ+GmdEL6BpzSnUl1V
t/g59+7gCOUMongd5zLxgFVztmjPUFNFoyoYRBMAhhiMi6uHrnLl1aYSMSbe
jcqJSYOt387j/+//nJCdVRFYY3GQwchRQdEoFtmXgpvTzg2ke+UsPinp5G0K
cWnyhpyfaMcxVE5w28pmSShZl5/lQJKWxHkOXjybB7DbNAfqGjrst0vqQVla
7NAc52RLa/kpDSjzoIVtlJ0g+MPsHWCQ/9YaP02JJXs6cDnbsKUN6gKW+A/6
JfCVUQqB1a148gA7VUHQZPvkceQZRVpIyDuhFaNDnqJiKRucs+wTxDRtD2W2
MHtzvqzOKGkTqCdqoSNUZFmhUOgVCmlroT5hnUWYBhjmwi87OndMxFU54jBK
tdCBf5BKaGcgUORww3UJtYRklDVLtAkT5wxIsEhOiEDe2X1VILz+NdSpM0Af
Ay9ldfy4xLD48WLdmfILiVtXIG8j5uwFA48QCkwygsTOod74NUjVoqFCwotY
fbKC67OiSN9wFZkcPCLRL2mvgNROICN2HakPoxIsmj9pVMGXAWBAqaxPSCqH
yurHQtKbwnFKm0CRNSALswyNdQCTmjDWQkIWRfTei/YCnar90CcW4SMdyQAD
XpKs2lGrUbWsL3Fhvf4t3FmOaYCD+IqTLVicAE7rFa5aLw1QswizZJaWz8ac
17j3I21vfj9a19DAQKrvKUWhE+i0MSTLL2+XPx/+8fBnAttYQeXikm73nK76
LO7Sep06vatCRYuSnYQ7ybl3DQaxBIkZPL2RH/UIL4zfrXzBSZxq1NJbhU+g
TeXKq5Y0IgxcUu1Ur8GDGGKamAQIxPUmCxuXMS6Eo1wDiXKN0DEzHn0bwZFg
DhXuJt8+qqpffj6s/lgd/jz69g+gYr09DnGY0kbxSNpI6Ze++5OACrlK7hcr
BbRd1eOWbCAPOqbFhZOgBRkyoGQMZd0pT8hSn3JHxHazPZ/Xlzo/OzEc2OsX
6lAc2MGSKaTAdbuNMx24cDSJEguExTGml6PKppMOTNgA1ehD72X0rQYk6tNT
lK2wWM6ZlDxClAszuDLTiAaMbj/khZVEBk3UNwugLH1bWOXY6ItSvg0hFXBl
K+FrHXrqI/7hPdlDgLOn0UXLIqOd4NEmesSi4bSzTEVD0eGNh54ziVqtyQUH
2gZcLGopyULhFOMirOyA6BrIyGa/NtpMrrzRmJ8+fVVwo7HoyonYSjYcV3lI
kZWbXbZdTIXbdtUXs3ow/Eun5VgcpOoyq7WkWAL+2nacHUq8DDpIKqalpwih
p1XwVuft2TmFN6DvMxvwg+LYdBqJ8V8Td8kUy+C9AhvQAi7E2ey7oQfPl0QY
Dn/nhMHEwfUnwIyVALk+HJdGRUvgUJtGkuHx6tdDUd2k04MCgXmMRHMAZeTQ
1oM47X431M/BoKsCBm3cEAyEbjLMc/VbMM8iYxzueRDmpzXwHQOZh9qFTIIF
4e31a4IEKPaflWEKx3VRx8fjgUJ/pDo8tpn9Z/kd/Rvrk8NmDXSpFATx22Q6
BMOEO2RyD8FcOcueM6dSLT/QrNaoykyPe8rEA3Wc0g1hFOo2iQvFMBtWAFfa
SGaixJydh4zVMVcJln0uuR3pgGgJsWTZgloxJecNJ2AyvrnteY8l92bnUfMQ
CAX7DY4CpAhWhsa3AjPkAqRmjohlkuqbGcbRGpuos7BRLuBq9oSLyZgKJ7jc
UlCFg+C4b0j7LWtSbcRbKlJDOCxxtDcEYtEzjzZdm/p0m2DeQ70OUY0VtxqQ
ceoBa1s13BxOVWnaMEGJcFnnm+LrBeNRdfwWDV6tFNgTUXksCxaeHSX6yZDK
1tHZiIzP09jKHihVkmC86JJaT3V6rkBiN1wrxczEpknsAonBReo3RayTbC3r
/fVQajAtynHaO545DE+Oi8BdLrAGDMSTmwBjlgnekgeix/Q4L6zkhirkqlMq
iH+KmTlMR7u1iilr5otyaGclsEJoO7EkV/5qm/wJPTb0wfAFIu8ukpDSTPRj
mpsSfg+e66iOKz3WITvWCxXu7l7BErI7SJSu0jyQJhTPNQeeZCsJrIYNd2Sv
KvmFZMBCg0sJU2TBuji1KdNHwu9wZFh0GiZWnZo1mXAtkiufrUOSmYyKPtFY
lrnRhn2GiR3gpWJ9PVyCJIPOej0O5IycIEtYQ7EhlEEjLg11kFpX9+4Odo2Q
sws+Jr3fVgfJaxOYn01JkpwMSuoCbsp75FtZCicgJPmn5JtGVfL86es309cv
p9/eujW98+1DIREID87r+P8Ob01frheXt+/c+kZsyG/v3vmOvrOgSAITkohU
13pK44m0BRCDs6T8aGXjvOm7dojLSSgE4EQBKK3Snz13nQudukEEAlDl3UW8
cPGpykzKhm8cJQbEjjJB+toZZQomWBjy6uPiTF8//atKk7pQWHJQxXz0xGCK
9tPbScQU8bIQ+n0VRiio+Fij4Q5eSxvF/Lj1bNF0Y1C/oPwXaGYVHv01dcnl
33aOB/ANrM4RQfPEdJuCLs335AiOUllYNN3rmR9LJfElyLZU59R5ni0ocNt7
B4MWf/x2NDyFGvMyHsBt42tDA8IuUZlYWDae/7+1GXSo17fu+ZZiEfcmjltG
nXALeKZZDVbmpfxEtKCMg6THTla44xndoHuy0WvlMYghezKZGPZ6+zXC1qrD
CAkWooV7YMh4XFWq0SK/nDV7/JA7CTPvRdTyRibAGQtajLjhoInipBYl98h2
mGpogyNa8fWHP48o/DU2f8PWmUSLpZPNV80od8UqnlOHkbkkC/PmCWF/m7y/
XGs0MmVCsqiDRnzcLSiNWg9r71u0wcmZKskZMeaG2dyj/7afLt4Fk+TM0M/I
l6y7Ko8BCpqu9AUnzmMbqu5TIBbyXtpONbWlURdTGGfTGBLpJEK88EWazHtJ
XG1RsPDcSxE+SAasTM/+JvnGOcNslmxxJAq7gnnyt4rGQFXGAyDmntvj5GTm
+qh/pShG5bPm+XyhT+VNaDl+defahGrn7TcZx1/KUnUZB4UAM9uNy4Hy9brW
gC1a5xU7CB1sdFQUWswt3TjZjO5PUmUrsFVklq9k1XpZuSH6vj3UmoR7SpG4
frJzP9li2yk5qXCi91gT1XR1HL/QzXZzTYhnlZZa0drLX4drmkH1ad0Hm0GF
65tBVb4Z1Jv9UE2eXdQDjgR5lCisJ1jqv1K25nIsJftR8uw+touWgkSJXQkw
JoB1iUe++dDr33U5RCsfruUOS62lmM7bjhKD46WyqugwVZBDVteRQwJ0TiSg
J01AurM7Bz8oB325grU8fsOdtQyArUUMfDm4rwCffKzphoIlVg8ghjwFnc2F
09YE2iBzXxllIPCzvQ5RDWlJwi4f046kmopzMpgsrIFDBnUWmPlHrIzJlzbr
sU49lLIMru3EYts4uleOSjHqabX2jRZqgHlh+gpLY+Co/FYh7Goy0EjiH6bn
nKicwYWTygE3QSF/a4UEl67xZj4FW86UVwaRgtzHqP0uIBwQ9oQDuoYNiu02
yt+d8CD6l1T6EhCrBS60ms9xUM9WjNq+bDYpEmzXQfXpAAkwx268+3uz25Pc
lorlPT2jcdELwSfyAqZ2XpwStDhF7PnU58nVNBIAy2r99Ngk4t6gaWarj6Ou
UlmXJWkygMdngYUqdaESD2LlJNHeZlOoeoiPpBkT2HkVyhqQ9/wAQrJRDuVC
giaUg4JZQQurcHiEHyRBisAJD6Wu5js+IQ0SXnI75MdxMos5SIWz4nqD+/Je
Mr1TOTjCLVolgfr7DvwtqHhG9u6p0uhS0TAXFkrJTxAktUYgyrK+6CENcfjk
LaoWlwoTMCGY9wmCnUGaftNwDjGD+GfcdnGjTVZaUx1GmIjhFujiCwrl+OVT
Y61KDpEG4RA0UXCAmVSSshCECbGs6vvwIoJJqFNPr2wo5MmMBmrGZMwEXCIt
5N4/ceXET1o58YRq1QfMjulyef6rFQsNN8bN27CPK9VErkLph/BhQ67f/G08
tdXVlX3yNl7UUsNTEBcpOqIjcc3bdmTCUThpFk2b3QJigUPruRD1r1JSQPeb
cN5GtUAI/POWYfu+J+gEfqBVJq6a6balnhq11hrTGpCQBg97VHYX3A0r13SM
fmpYtWs1qRaMzsCpBvi/09puhJ1aCBS1iMZc/BOg77mofwq9vGmawHduwlHS
9uStwsndGuvfPAXqW5qKfbBxZR4JsOWvLFEU+DoYA7Ecz9/rYruYQ810XFPG
ydNe0jITfn5JuJDVfArHS/+KrSgADCUaxlbLtESXojbZNmKbYHkp43GH4CXx
jVqOLAhX7NYAOsZltWUIbmLpU1pVApNmLUZzgIuH2UnwE+DFAZJwYZZNRJgP
6ot6psDFv0AWPONGn5++6gcJtPsH07FKR1CgAjZn9QqhjXojlI3JFcT3uDqh
4S6gQb7FXewN+0NH3XlTpCqNAqSHXgkJvKKq0sF7aR1H5KEoaHQs2KKsOzuC
EVxMIkCG1qlqcuMS9OhivV7IMwyRLY9B1zGm2O1FQFfws8caTNo00slKMBL8
2u5ISiPS62Q85AXbFcmwWNrCCL/Lx+N+qz17MirqU79qFAmgcmKFxqWclKXZ
GLeLhUHs9QZoRZshIMjJZTj82eOob3BJpcQq+G/T4mx0fYbPjRKoNHPrM0TH
JLoCDq7CQCtUi0Q/IDGDDZ8YLbQiXFsZqOjKmXSTZOf6gxWNk1m8nVFywTyR
nilsofTjEfRMqgVSrxliiecsSvE4nXdQ0YbwYs/gGZnD14FlPxejDIyS4u03
O5kJ3MKWsE2VS/SlrN+mkZ7nfYAY07rq1uYtLhyVg6JnmLmyPMOEdvc5GA9A
U0htusv22PgknuWo9aMf6+NO2023LY61rQXhUHiC9PVawt35l7eGQrffZAUA
o429i6ID00Nqx9cvajRmXc7/MkiqmAgLjZ7oqbyAQpc7+iGv2kRLqySSbq/h
pYLrsk8W7Xl4FDxHgUjzl+DhVamSU2eSOwgYCxlBLGLsJ1tEvKmrmr9g9G20
nNQDyFcWmUVU9XBnLD7uUC7VA9YF0cZrP1YX0Z5fxyfVorzwOmJPkAfbUxXc
DDmxlRxrMGC5S8dUeRqc6U+Z/JQewEG8IdifxSficK9ksFBc1VV1LLHeeP6v
qoeQH8jBX1WPBUAMdOxVuJpOp9n/j4965fc+JSyu+jhTehX/C+jIq6ocJj3u
sdhDvGJX4IbmyPoVrJ5ogeMQT7IliB+mAAw95v4AjPNK8JVSDKZP3UZzY8Ef
dXsGhaOnx0qmejV0PAV4YEe6/BI7t/2XMFOQn8BjEPfwrxBefb9eEHyxfOI5
2tSLxLsqzoX7YGhajwbQx1cV4ZMVvKxrBONt36Z9Oqq+guSf4kBx3VS8UttF
88ONvyQrSw2lG9Ha2nNqNMYwhMI1+EX/eJ+KccyP89A/hEX8kepcuNHT2LlG
JW+iGXO62wAiIEOWQKuiXLItCNh5FA46mZWvqpwL9lsGpVMwWJNTP1IIHbd/
KtvPC4lU46D5Uwcx8c7X9oYJhG9qnOslHksz43lJMo26tXykJClkhGaDGL28
7p+Ro6y4Ok03eUGuyAn6hCOSucZx3yEf3jHMBGHbE0jfXcDiWR+L5XW2a+eU
yNK0wFfVfcm3iNlPuy1U0/NoGNK9YP2lBEr8CZex4hDK73nNtT/eMkoksskk
MEgFklgjChduuZ5NCqlH9+5Wf27vj7N+4XGdDn+e3jl0Dh/jeo9ILmNY1R9F
3toMeATx32yvfJFcdqUGE5XFV7mm9rf+vw5/joOiVU+qdVhqOEfgv/fBPWjJ
/7NxkwMzcUHu4kpC1wyK/P/C0fvc2/rSfP+73T2NTzrdK/Vpnvc8HIjuLh+w
vfP98elrJry1ZTwttGt86rd38FSeSTlqecLfD3/nM0g1sNWXa4XsYPPVzC9g
l6Z3Q5DzWZGtfAkIvPVqz/GgK0lT4GrWshDFF7ZK0xyp2xErZRRndvv2ITdP
4dB7dEBk+kix7DNQz+vUqVljCVxN6kVi4dvOmnbhqWLLs6AqYFZfSKhB3Xmx
p+HHa0CSWfL/htrpF/SIFxzKfU069dNX0cWU4C60LC1xGquEWlzltTDMH7Gs
tLN/U6pAuMmfmvc6gcOf791xHY0QD+c5xlEKIMPqiKtR5loY3tN3YhH6V06F
4GWh0zacNAsnQqOIjA+GfnKzEDka9spJd0/tziWh0L/IJhKyLw0IMncZ3a2K
P/eL1MmNSSPOb83QlGAjYV50T5T7G/aTQCOFMcK0WN2TFthvSRgpAlAZw33F
Gm2sW4CxXb/cZAtmshU/wIrJ1/dcAnHsB2CG/Cy6zef1e5Tx8CpIvmhoSmI0
bDWDZMePA3L7dn6yB+h42p7tUKKLwqXBSlmDBHUoe5pCJMhSktNHCUw1IrP7
lRgdpIeOgHYGWnZtqU8cVl5aEk00juSlYCrPk3sJ61DMp57GjMaUF9NsQwEk
x98x7oT8/jvCIG5RbR7+umIKZJILnKKtBStFBz4hZXlDJjayP32nyFeT/xYg
GKyh9EWltWP2X1xy9CyLfLCNlsVCbsEA3l+HGaUt46QlFUalpVV+5a+zRKm9
G7XAXZ0F3HTOHmcjqAkqVEeL8vY3ViQ3ZDVTz+9grycLnXeFAZhDeUUvp/PY
ZSWRpyD+oRT4ekYJC7FdH4tBqn7Z1KveK9Llu/au27kMmFalLdPRhW4mgIo6
xZWNwgr1LvzdqRzexGWgPoA+zLIBn77a9xtK0Cq3goUkLZSm5YBAB2VxO2My
tFg75TxFJ89TNGWrlbO4xq5RQz9wP8lPCAel2U3rh+4DYyf4bmW/GwrgSSqG
BM1pFioN3QXlZMDvSGzCKdWfw+2papIoRU6jH0SyMBtq2LTRWx5yZbKBXaV6
zdKWfqVD8qbuF3g4w17JLYpnmJfwhT+6R///Lv/q8N6X/uo23nXrUH94+Fmf
pj+46749MKrrvj40HLIt9PTLocvsC2t2iZNycpltmpoX14kChB1Sf9d0kY0p
ACc5KubL4qw6fI9rBil8V74RugtVsEH/f3PYnuwZ7f7zNuTEFVt5z3tm1//M
7+lv+V2xucVP/TZ37ft8j9UM89Md2Ok3xV7KHpZZrqMq2RR+ENY93Ndh3vmW
vnH7Hn1DTLDrNQNpvM4ph3z/rvXAtue7TlMDpjuCsXZtpRXTngRkcVAMTy8x
t5AlerYD4TN1PAuyJIWldcGcaPWZZI2cJy3ITzRs2WxPp7PTzdm0pgYqU8pf
//rrhHpGwp5AtwcS09hp3VqCOVL8jNuHKopNWgoQ39G7wcyVvp9J4Zrm3ww8
EvtHOqDVLq3Mo2gU0iF9CzlDctFYUzdA/I2Wm/ms5kbcC9OHIBftakdg800r
DcLNtiMYKT9KY6VidHJyjrT9A6pQpp9lAuDTV8PmWZEVYyMm8ZCTRXRGhIms
r9kQKvW1VsPXEhjc5K8Gu95p8yHpMk1zQakyXfw6ZBqWKc5qNl8LcoI9YTAy
A8gLYFzamjn+wXLgo65rOaSS+gJZ7oBED3aL9k7LODX3X6GBeHZOmxmvodQb
7tEZE0Wk8pHM3a1EfpWEkd26c8ASs2AOCyLQFFRZWYqwdqYwRDbRe3fGxjdS
b3co72beaCnadryCNztj8cs1G7PPE3856TYGLZFDYOyOiUqUK+yjPAFl861U
9bozM92W1EwukNfR/KJ/oT/ghTD8SeHyKFZGbxA+DjAofb0hR6HQ7lYdQOMc
zo6swyqELz2v5oTTQPPAG4fr3KZQo235PgNrEqEbY9Q/fcLfp/nfCQE5XzMF
BpmsDOXnPaJe6Yj7U4lZsaTVdrfiSgQ4REJgCDg7izLOrkURiiBmt142yUOm
HeAb7+4e2HED6TPXuEFjHThJngOOKcAMx5G1Li0Z6tGXQUow7939Bkzh8USv
1u7exVl/aOICKFeptD2QUg9/lvISO5S+i5yna65QZ8ZFYGMkGyveTEFvpGki
VsnQKfM5m3CWXzONLPGnIU8c8LXraZDESkisSYZ0fDTkTEuEIhuw7vPrJy/+
8uwhu9FDfniRmarKzJTKLU1w1VzZ50m0OAPEeZ/BmARzvFLooRik6tKtT4Wp
aplEp2zj/G5EHBh9bYEWbqNuyy4pPWpG1ywbf74VxvMwta90TASwtzUgRjyz
CWjre6jxM77qkQmOnuOiP9AtHkclXYTwyjCWuB/9eBiE4vOVJN3EgKPL+suQ
eePAddC+rDFNMG3WJ9oL3XM65kloZbZ6OZqlCfzHD0O8VkxdhUbH2Rb/UKEg
Utly55M4WmkVX9pidvRCjheKny52juTAzlctx2ksVLQp94xgepBWygo6yaE0
9SqTPSajrOFqEfHU9d6UkNGMB53HEFwyoAXOD+GutivveqKyorS7CCpJTqxX
gRxDZEpKo0B5VpabumHask5oLYfOIGNEkBC5r/t7n340DuF5rrE6Y84RaPp5
veu0vHkomB7XS5iPU8rCA04TDdaob+LXc6tdDa8FN/hN3M0B+Api4dq2B3yR
9EqFSsSTAEq8YGVQDHZJGXd5mKBfAAFETbZa2OxnieX7m5ID0YI5rTq1nvx7
Q3zv8fHDKR3faYI2qrKQsfAN7pG9OSjgL7tm01pr79rf5yIfa6n21MRT7/CD
Y7q5o1EX7+svuLM/H45xi28ffifX97ES1YqMSZHfZ/Ei37313T1bwGQ+kR6O
nz6r/kDT4KLZ6JF15Et37O7Ed3ezeoGUAoTHH6pnIkLiy/ew9eFBJQMfb3ii
zEucf2wRXl4A8p5oQ7qg8RZ9Y1RIJJDI3Oc37+FHLLMLuLBxfblGYQDA42up
FVJR7JBzzEXU9LMvDDNGHAkAWmkO55FCWASZl+VvJHxMNShLOe4TCrjDih3C
HxkinwEs0I+bZtHQGTLKvELGZEzeWSQjZcUEHAv+frr96zNiZnHjH5QkEMon
eXHDKUwtySJW/h9/P2Tyi2xSI8/gTGnjzNoeZ4xEpAaW0S6JB/aMTKiVGOjF
2A7MEqBLeFlgAviXXYY55I4FBLKm4+cjEVq7x9B7wSgnc4Lk3FT05KwH/cqh
Frwdjqi+PKxevysxaZn6cnuZI4Au1NNTjZLokEcCW4yaAzoV8t4Rz/AqpQe7
Pl8odZuhqR/3YZKuXSER24gC7JeK0Ij40UWeQXuseUi5yzj8FjkerldQlSmo
g9tjFapPIVRJnr2P/z9KSZKrIte+zeg83/clvE1TO6DRiAYErbHZ7pMYXzzw
w2LgPOibbtS37sion/ymQd801FjGU0HkHbdVmdhwZWYjNuwx2Xo7qHeiaqH5
Xzs9OTMYezwdK9YHcZ1GdDmwEUT5cspdfnUQAuwfuNR9eJt5HYET7HoX+LKc
Dm4JLUd7dm4EnafiNMaDppfqochPlmL32Zn49JUXt8yAdQ30JkFZekGIRD9K
gJzgurhcMF17OP4sVnMI1D/JhD9Z654tXiiSvjl05+47OqD3n7y5/S25sI7z
LzUz3Reezt0/ph8sUIWGzR/CgzLotZdnSSxvnGgJ2WthsjxP/gZXrT6bMtbE
Ang7dlgfvHmVlskeRIeLCvk2c7Es3zgp6w0F8rRZZQ/hShJ9psNuT7TCDW1Y
4+p94fUXJhki/yEDLLc/4x/VzlQZscdWhMSjPRBJQTPjB4pLIwZZcno4QMCN
k/ibnPBwAYXAAQWJuT2nd7iN/2P1DEtYby0CwokYv0d0Su/dDS4rk8zWcXVt
foYjrxq9qy/SbZEyqWvSeF7q+UQe0YfnlmXOO5XBNUJ4qDfA/ITOxcNcFYZ2
13J39nIVv0Ou6NO/ciKKSQ9ci9Md1QynsybtGDRFZg+YPv1rxlM38fd5rJmL
zC4RliIJr6DSpY02N85yXpYJgmHQYdl6xNUSGHrm3FfWtikkrwkbWDCx6FKk
Nk+OJG+UuemMUCobAgwx3sBL30HdfpW4VR6sUZquZCHUFkJKnWfZJ78aoXHZ
C0JYjX1LCKo924ots2kaV2MaL6GZN1Tdn8pMiflkut5IXrsaLXf0mrF0CZ9o
qBQXJUjrcPfzwYaIeMrLV4+llbwIX44BaAW99SXYnWiJH99f5eZBQXOdWBNR
kUcoCiLnx7FE7fNJnMC7Dn3LVZG6wI1rsNSjIqvMlDDSztHzbSBerfER2ADx
u2UjWgWcuokCG/3DPrZLpjih0OkJwiynlqN0JFHJ4BxAjPmAfmrfdDOou4Ho
Kad9yuvCLkeXCu6obFyMJRlGQLqGa3sfNsob8nq3XFKPBYhbTnTz8i/rCyZN
cm0QuAhJm+WBvoFJVBrjZVkGuY9KTF6T5GJbVfh81gzGWa3ld1I0QoYGhQu1
GQJhHBxJhYAG6z3UO9z+dMUR1XliAfgfP0i/PVrevwk9P/JD3ICGp3S2hlDk
F6eu5MjMXgirUfT7lJuCPG1AjUVAH5n7pxLbmESyVvKkUokeZJo8m6hIdfW4
CytYGrQTFqTWap2IgbI5oxItr2SQneWzneN0/wZKSVDBMIUDYcYtXdGhLAIp
OcevqclqgiLKzDwXuHEVbtCgROgOiJenMhVWg67A9f/KCEu5Okxa5noqYGrm
UinzIF3JK/zPg4f8esvTMV25Z8ihJ2oXgSUaHoG8IOWlGcqaPy+vQ93T7gTd
gTJS/xNbF5D/jnrBpjHNQcSMgOIHOp7kg56tL1olrpJUk0tb2KLqNGzHkSHl
8B0eYM1H6i5VSlqwL60H4Q2oqUoNuvNXFhtG10ELfFqnaBa0lRRle2oxdP6A
9oU0+9yctAf30KSef1FXlO+z7yRhMYmzhD1kMXtdwFGiatU7hewXEbTQU4Sj
RVhygQ4WjhbtC49pPdwjCEbdOJpA3GUcSQ2+UnukQTUgDSaFDOCDie4A3ZaZ
gLgFaNesPGF2YzXscTpv8cJoo96y2JS8A3X/tBIgVbCB0pz/3WzW5YOF8fU/
bY3pUfRF24w4zPP2hDnrtPvJPhktvV0Ht4wPGsnc0T6KGzlSP7VdJ1Qa8Zf0
1EQglHFqoWi3I3mS7sJVdkoYbQ5FlocZpAWc7puQkTbGO5C365ajHj2ppuwt
frXvVHb4tnXuJsorLlP/8Dt4g3gAw4xD/bsENSz3R6L90jvEABWMss5lnXE+
AvKANslgF+GXRztWidgWhJ/h1uLy9rriwxdN+otzavbDFslnXi+aJO5g60j5
NiY/yCgkZlAO61rqdYsGI9voLs6YURyVuoWBPtx6Soe7Kqm9xAD6XvwJ4Dfo
iY5Yoi/FWNIOvIXx/O8b6ter4yIEBmKtwg4rwkD/as0lDwSfaKZTUeGSWWrG
OKYn3Gw1mGqEU4zGIAeKfsIbogOSvVATeZDqpjusMgOieAF9YCtBkEbXvYsO
dOBG9w1HlpKW964oFk5hc+rIgWqAL8zfX7wKSqKZXFkQPz9482pKPAxzzumx
Uz7j6NgZ0ye6dx4Y0kKjtQMwYOdJKjl+Gku4iN+jgCBR0OYHBYGsZhW3RIhK
4QCgwXUUkht0ArEeWlLE7Y+GhqHpkUSsrvHoB69fvnr+I4PO07/jqLa7zaoL
jkIN53+SBHhysx72T2JURev3yheo/ioiVS19Z19umpvXsFrRP6OBFZN6EU6s
/ne9mR856gexKVxDNGeCSEadj0Ngekopz87vD3JR1AJZabAmcaO3NfGlq2SJ
7ml2PkEcl5/YrRHZIK5SBAeH6ouCVojwHdrUHxL4C3ZSjtOUXs9p9p1NLVqs
W1yi2QZ0ZZ8+ZZFYoVs+9q1LCZRFlQUaEwlaRV6GHdj9SzJJDu2ltsAoOpJl
bYY8POhCvoGmoUQpSYI0cHuExMAuZ1DPXkutydKWukvqRGNg0ZhiTfp1WXsf
/UrzkH7R/O1uEuj0FfKXlFELzns97k+LXJmRT9LGUQMkzIfut8xHjXeOHosc
poB/nOVY9IqbLJJvgQY7IOIVaOhPYRS1L83feh39rShymXPs01dZG2H8UTDk
BXE7uWlf2qapCLl9WZsmC4+A9C1kntuoaxr0odXuq9LTwN0nMMVtMy8SPeLF
QTTYSTom5dRY3onu327aszO0MPI877pE3j3NGeoZp4BMEvz5Y/FQQ7cjQEw5
iB/Ti1OjD+sG85lB7Kccp/YMPeOmY3YoPq1sWkfZQDf1jGnSQCNI41zDck0L
JP2heNLBbzZL63zZJT6jwYW0Zh5DfHKpIhuIIjrhbBMXbxX0ftSibcN9jHYr
NjvWQYZ6wPRUIid9IzPpfCSYmnjLupabFWVtRN63dXbayIzQZuru50JC7tux
jzz/RKCQdmeNS+0RtBm4AdLJ++SSEZpRdQAqzM4T2gLkjR36XbW4kr0leRSX
ZAt8FUKYxmIfEpn84pKbdtWGbXZSQi6Ub5ZN4xSSDTkpz1+8EQx7nU1bopsJ
ImarJb3czZcP+Q+lVl8JstPvRCp3osi6Xuu54LnpPyCeJBebTpUQa5eeeq+h
qqCpCIayoGrMZrNZZ0zALCsfMwsrJ4Ixvkf0RYqRC0HrFMOe4vedVOAr3wxx
n2cKQF6D6EWFpZsSoWvc+/WilhjkMSyHxBAr70nxbARFbcURDgdvG7rQGa85
x7xyRliiw4zu0YLrTaOXjMoGqSsEye1JBlo+CKX+wmEQwl0dIgjB0VrdOGt9
CIepOK2bE/hrfauU1CoPhhO43nzLldVcLwN4Eo2WARNsoIHi654xxy53dHLp
IcFT1gmnLzEU5eUhw1yDQFgJIS2GQHcqCYqWP2PDIB3mUq2aF5MpVPZk3mT1
o4LToCZZKEgQYkHayHmiYGDnKuFONrsF97djmVO3m7jQqKDjRwkhWBYHvCoM
BA7L2n/ZP3r/ROjWrNcqPoxdf/nvqlruMMYjUhr1aXRRk9F6JN81Bi79zYco
9ZpoWcg/syeKf8leYJJM6mA+Twt4cukmDU4qyYe3GvBnwUkmUzyNS1LIm85X
nSWjnhORUR31wrBSX1Lk2oUpe9EYeV56FlnnqyCFGUjUk7MgVgB5FSzvS6+h
8BGYfD+avWpkT8nI1vYTatohk8AqE7Out+7YKDqECFpLI784U+artwzpjy8F
M69Y7usLaU3yu0x4dGQIZtlMwYWNdsQMBOg3NBYaZ6sZ92XXr8UIFLLslKiK
k6KlEXJm60Gj5WJFr4mUpnuWgnye89nH/gb7BKg0OjWksPsJwTeIBnKCs1Nz
lKH25VO7lQvWOR2VNVEo2meP0+9FErMxbkc2MWFyKZmExPJIWgrbgV81jfBM
OpblHY6yJj5r1Jb7PtP9NhBxyeO2xX81nHIaagnBceUy4dKWQT+Lz4TrcyMp
IiBTkUJFizZpw0CXk0hd3DUxYBHOPObuKTmtdXov3kaHVjaZ44MWAvlAskhz
d+tNcMF+3QIetSgxts1tgzPjj3FjwwY/iRhfJ8ranc1jBVFxq2EhmXNVe/Vc
Xt60GPze40kRIYUf1fMAZW6dpa3Nii74pfLyZ+0v/YFSRn57mYV34xV6QF2k
N9FB8O1G8tFY+wVNRaDVgTtEzP5BKTw0AUBFWL+bJ0Mj8qaryOdqE/Y6GBE7
H46iw2Z2mE8ayDhQoUqGjysJqC2GHmSR101H0prR1/QF47bvTxYdJ0AxOrGO
pL7pggKxkFC5AEV4aQ3rzY2aaFGjihF8268bouUY6uniW5pyq70Uf5fIRRjM
GXBfcml/UnQ9oe90ku2C00vRxpCShPyoiWts6CXNZE86Qq5rUK6CwZxDjnDi
qzjFSFwXhBRILBokWDfVC0r9aAKCoVZIVcVV5XhrHEY0nWf2TRs7qzYJzUYv
s9U6+azzQkrVhIEERXa+hzIjFgexzH3q8tWXEZIW3JP7SfCRkLqm5jmKJsnK
07ZZxIMEespttPInUW3HKa9X0c4RwNaEpEahkuSccE8VGX2deqmQU0FMyfMo
CRTEICYZdW9KReYauFlrBohjlZtd5zVf0Ci1N+1EZSxqTTMMHw7uRcAQ76hr
17Qx3JWA45zthu6R9U1J66j+SNZuY55lz1MDJn/toyzuOPSeJTb4Cjc5Cz07
16GfqksDMlthB+IiNQOtj1HeBCrV90sMZjgHSe40mR7UuSM56YGWhRtHYLH7
vrhAXARpkuocFDTkAf8Srug3AwNbUBBQEQuLrkn6HQcdkvukWTWnrbWAmzfU
y0euZEjWm/UmEW+PWZylXbIVaqE1HSBxtmRJasKg6KMGnOajw2IJcC/qkBSJ
t1n7+SCXniitqUuTz7HfngR/jk4uh5WHdUtnTIrTQvUJpdyDFWzs3+OhDkK9
ffcuVKcJ/T27n4MArCer2f0DW1JzzSVhIqkxmi0SFWalrws6nPsMsGnF1tC7
9mLP+rB7QLmUVw378A5PQs7lZ3ApivYj8mGKnqVwloN9SjTD+mhIIOaoj1Uy
SDoTwfuWLnHDh7LH7uscaaScpPK01EsSr3mVScjYrJ6qXeefmAkcSml2cWog
Z+s+1BcDUoXq0tDLhf1QXYwjDu70LoRkhvVgDePM1IbEN+JryWimPeD0KF/T
jYbiHT00x9panZfC83S7P1MiZ13J4bI7LKdNCtQfPsmSUMPbdVFN61iemfoi
y1mbk6+dcIZWFgZVHiTIUvzBmm9U3GlHm57lWRcSrSftvBtM/U3CB+54RUPf
k8obLGocAXunl6IME8DZH0u+UvhFUJ9f4kjZZppQ37lz6/apdW29okkmawOQ
6XPF578KRqlfoi2lzTiffHEdKIBrL4igRhuZWakaDhf3Wo1ClQzhgyGaHjua
zQo9qiA9dquWAixkqVH4lMQH9P+M2lZxxJyCk+JravmYWXcexoV6adhDaVJx
ts3HeO5AU1QJx2LdqZDTONkTJMk7R6nHafPOYml5y6Ai2iFfvoadiKs7fjdH
EfMSqfWvfEU03720gVzrDBWU0Q1zsfVoPw1cD4OBvjhhkEI8p/DLWVFIISFF
tLhETa6nmpqIAWy5E5ZLCUSnJH9WQkOSDqx+IbH6kfNBL+IAXkbjUtPBQvXM
JmOCS2MKhz+P7hxW06xMY4xetNEL3S1Sm7frlvh1Q81T93BmUjYq27g+42G1
abt3nRD7+Bp93wXei5xjDTMbUyYDOIqqKvZLkngcUSxw+upv0/e3x0EitxYr
u9kVIlrqy3hrSM7yh/XCqjiYWFahE+I6kceXmp5ZfJidY07BZiIOEiG4Cok8
Z6U7xyfuWorMCZhx0MaLRp6ECpsTpUYKJVzDlE2qM7F6FZ8aJZCbaSrdFZwZ
svy4zjrrUyWth5q5K1kdapY3YamHv1H3JnbejBIjZciDgxMpzo9uA06/WKs9
6gvf5C41m6tG68X8rfSGI1QXSVr991jc48vkRfg2dW2HDPyObEwiA/cxxyk6
YV5OeeSyseL++JGYrzpbrzdzUdIIA6b3wvFNn04qlzNjFEC0jxs0jYMZpsco
9bzt2+0FtLTtwjD48SZvHxX/sNuFRnoUATD3kgOpHhWJF4gLjwx7PdPwgm++
rP4qAh0BgY6hbodqDaK3oKb1nFdiMT+4QME3QOzN1LXeZNN4RmqN2wfOrCls
SE0as5A2xxDiGF9srSNuEasgo1ghoHWQU14Oqc4niB1GVNjmxN3U9Lj77od0
JDuEKfjiRauAcpFtt2SD37+LBlMvPnARYjxqJ7t2IZX0XRRawF9c0qGfwpUB
XokvgoA7ZOlX3BCY5hKv8DOu47HsKKAAns+Xb+TsEi4ZX6FGev0JGL3x+dN8
gxjajPbDhK1TmZt6wL1BXp+3ogvC4ML3UPQAN2GFwKI+y4IvSIhglSfiLEYB
QBEosrDK13mI9EDcTU89n5Nl0eK3LOM7ftuyNKS3k/YSYgPkGumOw9ojq+wv
K0L7xEGfLdYnhOosnsTX+EfHT+5zAgw5IVHqia4pySh9W/dDhCYY5AYFUXSt
+xGLYiS+T612d6uJzJLLKOvgomkaocp0bnxfLs+idpGzUUfjINqR1O4qZOFE
h6ByBrXE69CcFtOoO40X2hoHXWOGjNSXIM8inYZf/chQxz09ouVhobdhKsi4
YmrftgCnMxFNGqBJ47fjQA+4lpL9Swuvp6QZg8dNF3MgvTAPtuudBVvEDWu2
NW3RpMyqTSxVMek52lJAEA0stmnUIkCHIeojrwWPPlAoYNl2lRTDkOtDzjmb
LvU5wUcX67MzUJhFuX85jfYVPpwwpJ6MkzYOBjEuFXB0NohL0JklLATpMkmX
UEF4Td8QIDfHrDAnGX9M8WhK45LJTXYOrb/B9YiGaTWn6omGTjafdFoqVT4G
5WGElsHKgALeomzlfcP/RjVOvE9TmsOqWWgKncA6M1BuS5V7LxaEJnDG5eXw
J8J92ASplPLkdXUnEKD4D0E5QEYNAFABYxEvFKf8SRzT9NFH8tVYDMsfLjCS
j9HQ3CL+m0+XxGvQ5pKcZWjZmcNAOiYfuqCHtjPhbKRSrTiKDlV2UQM9+en4
QSjJZCQ/zsDAeBVIpnO7VO4oEBfy/nrbu2ZsDbUdAxB6BU3jfnDJ/SJvRG7H
tq6yg8MDcG86COWvxCZjs2QHaOWeKOrEmcM922Vb2kLbdbSpQXnUrhDozwbm
piJIQRJe8dqi3gEOk7N8ueajE2l1Xi9OFdJMmAMe0VQN9CkZ6AIGjwOPZyo+
jVfDrZ8+ErpDMpJ5TJbfgKwkLaIIXF+dIapiu7kMlDCi4ik5SiR1NiuWOs1H
dilEF6IaG7sC/APGJWUXAQaMVpLVHJfGtWRrXGqmOGnnmXC1XEIIeIOkwqXQ
mLI+ixb9GxJtzJbumoDaihTluRBacXxqT9IC0OxHHCIwRJgVmToB1a7iUFpj
rHNHwAWDOl36ot3rgDAQkkw67AB5LNp45VC+J9dQTPb8HpiO6gT4xrkR+hkV
Lr3UetxPX13YJ0T0OdVKXaERgEUFiGeyBVmppFZNqfmBXAGkAMK8iUOlZWkW
Ljddz+cbsttO1zsAmGbNRiUKQ2KsalyNOkMFinwm2bokTkAO5lX1+7pd4AY5
P1d4uskOkRI1wCkQCN46frN4HD7UmznrkxmFcR64oiOSExByDCmWVisNF2jA
Fd8yOTplp3BzNmidKcnRDu8Wn4F/VpQBHYQ/kzjGo6LI3XTioFEEmDiQq9OG
yJAbOy8p807RoxqlxuF927UwWjuqTo9H/50m4lK+NSn9KY9u2dSkYNDrpQX+
eBKGwQxSz5RQMpoeVYQNedcZjCeIPanlq5Cj8mVO2A9JF/KQOUdqszQQz6kr
5ztbS+hXEmnOE/D2IR9OeYBtl+XgF1LswhwJfAx1v6mS5bSe8TWV1CGnIDFu
RilkVRN67dndSJxqg247+9NsFQFf7Eyy6uEap/p1Kph2VB9zfDhN1dQCZq57
SAFEyTnvYh41YOcalwPil9SJ/AE1GnmybNBeScmrAv9uWpF++qMyoDtmFLME
4jVkamDJg4AJ4vj4ofZv9xh0Y4FgJLbfYF4MV1rO5U6IVHEM2BDGFMV2Py2x
FQxI54kGnaj2Dpb+Mtpw9jKa0ctMLNeZX5IY9LLSgxxMvbyMvwBeYXcxfX/7
xjgL49XZTjE2u+//1PO1FstlG1tsafTqGb8ffjr+X8K2AFgMvhJPIz+euGae
Hj8/7vPMtPWq7nPMvMniRYSwjNIUD5CIkjIRWoMfL+VwP5D5oAngZxvqt7AF
/ZMFRcOxYUarV/w5CmBfPX7wze3b92h6tK7/IvRxXOV/FcGR6snLPz8CbXfx
4+9uf3vLEVP96eBQHvRufuqewwySq+YDVCGjYdMwGQfOjruoppRymVGq7WLd
rkSLEEXAJVqVz8xOEINcLPR4WUJ6uFaKbHTgSmcPay0ux+4i0TjYZ/Pq6fQh
aPwtwMhEw3HOHkG34cAhAv/YpBWUSfvePSsghT9ff1jFP0mm7emrN4+N4JMQ
fyueCzWfXyAcBaYRW22q9tZ1IB4N3U10H9L5XIWrowRiP/KI9qM9/1tR9O54
5KfiqiIul8PblWutGf/3dT0+qi9+6t0qa9j5Jc/Vg3jN+eOH375DTBC7zcn6
9ZPjPz/Kx93E559fvGumF7/guQS/x+3E6ZridCn8/hH+dGwHjnfiJU4kGgzt
yK7IJEd0PKOEkPtapcokQv3hwPOtFdip7HFIOEUyQxAVd5Ihnoe4YQAQkoR5
ofD0l5Z3Bu9gpSzlTqN++qqPURe5ox+QjCflI4dXUKGJDmqV8PA5qD3X3RCI
S8TmUlIrBU/EIPURN06Iec+fYASniKVKkShVvPZKQUXB5ZZD5xD3pMGOBPKU
eDhq4SuM15acPqPTNTPjA6EyRxKvYBzKgqLinYIqgQJgnplUddyu3q/fSRUN
W2lR+ZEHBi5KsMoPBCdMizCRkjeBONxGHpl1jOHSX4qnsLxS1gKdgybxU8ld
dYOHe4Opb2lqauxiux2wC1Y/FsHNULhDDMXREhO9sv9I8WG3QzoqDV4pBy+2
b7mGeNSOiVP6ychOxNt2HFyS+C0Kh4jM8B+ifqyWnjhg355EPc/q5J/0VHLS
+ZlRDIycaTCp5FOurZuEqvzvH35Q/xz4Qm9Qk+r5eRwsr+ls+zG+NX4nrk3+
4l2c2L278aE2hvi/x/yz/WPlpw4P9h9MVDB6vqJnpuhXf9T/ODg4yO1HG+0/
4/BXYyN3LI8ZB9HBPIp6MhRVpd4JqF5L77mSkkANjMQ//BVxCSlhKquorimw
yv9AYv1lWXiuKISrfFNpGDcuBOJwAxoBPpdcYydHKv6pW2P6qfzOaq5UHnJd
Y6cy/+V1NT/8VRL9iM3JL8HYoFYy11bEm8p+FnQDf48sIRb8XughgZ4QbDLe
qOK43FILVVme3UhfvCHlhqkGZgjfhWvs2hNQPAcSDsldTw2mnVwZaOkGmC4A
RYSFHwQV6tE62oZavE2Wb8K34CK+XMwuH0eztGVAEg2O4YAkW5CvoaLMc6Ct
lXj4IlpNUUFxtojkK5ZUnsXppY7UQrTL0XzH1AyNDGAEqZ2PvviMsoup8BIB
aqle5UYMIZr8eiTk6+jG8OyJImHIhZ+icdAUiRo9sArJ4jyR1YZqooQAzZx+
ztsvrdhYpJGk8lWtcqZgMC0Vu48ExBD2kSiVNEKsIFHDlEwVvL7t1amGh6oK
O1FcSmRugvFAOn+4EMl6E8cp6scAniX9SeGX0QWIqut9tOR2cAChDFOcF9V/
8RfvXHVG1zRzapcd5ZHHTXlO4WGGi4JEjmuJSm7VUNBdOE0iEWHhL83fPURg
2g0wD/X5SxWamEyNeLz2ISTL2jA5j/qwiUSdudJlQTWbMgQ/KPKOCO8ifP3J
7DTLDkyfl2u4L2QtKToGbRLrd4ZeseST4gIL1THJz0eK/HdeQ1sMhNLONlBt
CpnYXExN7sTsbQJ+kZ6Uipe9Wuw0Dp+/wFXQ0d+FCJoeIQn1gXQgJ5V6ZRba
Mi23MjXXYHQDLpG3XQ8ZYNrnzplgUpSrK6hRv2SSkZUnkQy31AGW6JBRuB7Y
J07U8clM4JygDR8H+VqahWS59tmmGvVTXAIIXiikSzFISqRULTPumo/yhLCw
c9k7wDk/fQV87Fy4b+lvv4rkqRF6BhKt6i6Xyya6TDPu3PUOZUbae9pkIDDy
FruWOlBbsUmvhYNEnJbk9oi+EKs3MYEFO4tA8iLuiGrqVeJG/+7On4D9e3rK
JTcUcEojvoDybIJ0M7MBUj0eJ9A4W3TSuB42SrZRQyO43auD4hyzNTkQaxur
iezogKnJH7KdGRdxUv3jn2LX8sbInYq3mnk7jqKJyYqm/6zMWv2HvXaiF3MV
7Wo8/7N2JxkMMiY3wDj+G/jnjUluToVhcyqfg1oTDvR/ovlTuStIC7yTOihq
MScfBO6WJPcwGh3zlhAldE+fyAEwG+q8WbigkTwYatC4XTINOfrrTyZvusmg
3qNjZJpGniiTyfSZK62oBmbOwU311csC9N/uq4eer15d66v3KZuimtE4gsBs
BwrmlRK+J2g3cZHOIEPitdaLaEwRUVuTE33SCPof+gspunhHX8eh7DiCmai/
40SXyNk1K5BDu9AI0qJZUPba4AhmKvWsLSpf4jMnzMLA2ubkkqpElykASXaA
UD23lt7USuxPnx4/e/Xq8BsyGaN1uePVgprWEBBwI7Tgm41S7CIvvWq5DRwV
v9YXCEfQAbZgfvQj6Mq8fPXixePXnIR9uu/lR+GIi6aY8hxItXr64Kc31Vk0
drgFcbtJPRtSPXH8K8bAKbLLKCLiCIWZgJjOjU6Ss1jkvrAyOeVWumDFBh1T
VMTU4kaxVil9jFd9+hTlTVkELkOO45xe0BUVhGaoYD/jXbxAZCQZzZRtAeNa
hwdLrY8rq582x5TOB28TkqAo1MPeIsedbaDF8HRxDe1TokXRa1IstLQnDD90
j2zigBJ5e2cRJk7CKSZjD2u3YLgZ00cP6tU/s3WXHEhpPH2xH/cXKgayl4uE
pJ/syohd6Y57KPM1wZ0ithzgIilnVNkBH6c4u+feYWe2yFf5xqKVCoONxQj5
n1hCrQB0mWGMnA4HHapoKWxpeUdDzpzyxUMNCRerHH3uhcKfx3+C7a6yCyHZ
UJo0cVCmLIOkb6SYmcCKekZm9UU9w2aINcrLsaw/tsvdUiqWXROxjgcN+hjf
tQ9wICqIUGAFJRC5s2aiYYSCrQai7677yGS4I8xELqV0hSHTAC65itwkVkVG
6io8dIIsF1C6BHI6+OJSmXi/Up+TMrSAK09bwdIrDsUwoFrLm3VcACLSp9bz
Dj3qHsXnaPnASLz5ZlF/VOCIveOmxHCmmoiiiqHLCzot1FMnarCqqL+gug13
zq+5Ydn9outmV8ZfMkLnRl+smVtoBIunC5pPj4sn5B+AsEsdjZRpvHn2urp9
cIfPFXb+7j0Fl71+8+rR8U/0wZNXr/56+xvQVqY3bwWFK5LcdKwQ3ZJMSUrf
fpfzLnBKJe7j9P3tg8AXj4zi8zYe5M3sXMSUsbxOTfpou47LqKE+TvRAxAVi
2WBU+3ATgD5Mq5k2Q24Ys+p1zZJ6NM86mMaMK6DRaYpaD+nJoj0zNhwvfG5q
FAdhL1EgifZMcFxEGUDePoFkNW4xZH9X7bvlpOJo77OxcqEt6wuYZBYt0YBS
EGwZu9FURbXi3yDdLDgRHpUk5wuXKQyKw4kPLsGCdXKaGuymlnhBaqY4mEfU
1vJC1/hOBLhGzOBW0odiUp/QNGS9ENbTGjTX64OUMppWMJEUXY1nTyZGLEUS
JaQAHiOtu6QmFF/pTFxjeBd2Q60BCP1428x3fcmYoXKKSjkYIt85MAFojvT/
YiO5L8cLbpAgqsCxj/leyBXwjR+9ovDI0KyAVjt5jYoWkSSa9qgOXrRLoKY2
hT77PWqECQqTGrGBoiG0moIca7PG0CYqTKkwQE+te5HqufnfZflQ6P14cX6l
3MdL5T24ql6vdxsQyR2r0UCZdpGMrsuH6/YhYufKW27JFHVG6PdqaX5OdnHx
fy5okojBm/b0F5/4j9ChCLx11BmIs+fkOwkeCRKOGvRx/yGk7mlty06jEwk6
kZZSNBlKe2Xy5CSMvHzVSTl9OM6XJ5uBvyXxk9nQBZcdHb6rJP9QKJWLTCVc
nHAnljxX9uPEPUyLQ92MyHAdVsvTnlp2Txp/8TFIq6RGs/c/8Pgvfb2zCZxr
YlY2y4ndBQsYb3Bduw+ys2XjXjTyHgDe3uyyghB8V6HCQBu7AdMyIwejFvrn
Df2rwmMaJUN+UljxvAefUVvxO/6lcr72aatqRMM1zXSSXJNm/P3eE/vsCVag
p3hYJ6GRRd+yHQ1Vj47L+Wf3XO3jckOzvzshwHFy5dn4HoDb3QqbpLBXZ3W/
JWw+Xy/QoEzovI2/zy1aVNChnbc2jIPTQvJpNZ8yHTL6EX+PY636Ku3v+5bZ
RiTxqoNLmCLoxL5TpI8STXaVO1XVyOmwnt7ggzKocQd06KTXSHkItvR5jVeV
Gm+/puMGOF9ivF95K9zs/2oktnzlDPmJGvHehqeplAwZk70WPPGaJuPDMTxE
E3TWEgdpw/5fy2j0nneEHTVXsT/LXvn2CB5TeQu+F852zPUz0q2cgCud9x0S
vy96i320MZHcnb5fLwjaFY04BRKoIZFzt/aNEZvtDMaINAQ5tv7Iz9fbJPqP
DdZtfLuZ+ZIpfe2eqqE7+y2ZovoPzHwBOCtz+3Br+WqXHI6oJaWV6Nultc6Q
wvOEmle6fV9+zvbBnUPu7YfYsQaUYSiMBmg7yMZkn+ORkGfAJevkYpMwCb+8
bUo2mV/eZtAk3Sjpeyr9UduzZV39UNHPv44PmYvHaGud9SVU4FJc87ebOq7g
6HhMzUvp3zT6tyTe+5ChqvoaX1nuolgdwX+5/zb+n/F1X8XTYWbdf0v/95ov
C/Li2ndHQew6uEK+askdi1EEEDtB1YK+JJvUkYLFjXeM88vRRtT977UzI6+R
CkiI+pdivZaL555m931PVdp7mLJ6NCTpyrTBlVJ4UApNWTsnfMO1v64e03gk
fz5E+9rDb+5xwUh8OPx61b1KqVXF/Zi6fCo6CBHQ9siFCjPlhVzuQJ4l46fK
aKlC5VA7RjFOmSGgK0Y9g3Ms5EraUpdCjVxHiUIcymSc1zCS1NEE1/0DghjT
QYdji/aExbRdtsy2LN+o8/q9Q0NUOTQnh3tbZ4l0tcle0PlxXxXeczEnkuOr
VWbYOW4XDDPHdcAlKUEDcH6EJTeZ5GqoZZsXGiCOrwyoLyFtoKjoCR0SJegY
gyISYjZJZyz+n9MGjvZW4tZYe5jMuipTK1F1tsmJgo+WTdS3HBfLG/DxxeqL
Agn7p96tWDOTQyl6PeEaIejL0kOjINgzRKOO6ZDHz1KDOLCxcRybT+8XnlnO
ZVEUaEf5/k08lyxC6ZxJ89REycRvv085vSq939fmjngAuGug2wH/DWBIxocz
TS7br7/yDlgf7OvItid94DBYlfIQo2fh5ixcMiLd6HyChMbgUyQ3dXHTQLtx
WilSi1grR+RBj9ekDA6tLtUpauakgElbpe7JzNBwsbTKmcR3RiR8whFvVcYZ
txJlXzUEsk/D9M5gEQzvHUfu70JyjBUptDNNMte1vApcB0iyRqII3KKYqNrK
hvR0ECk0H2f8KFV/d6L9R4+gsZecX4fRYUJCyIyYoYzAfiQ99QFjlTxpIvVJ
t96c0G84ZWgebNbNen1KBwANxR/9fPjHw59H3/7h+btx4lx5lOZAA2XCLQ5O
cZvgqe4+MFOj5+/iFO4cjkWLqgpzb6BiBN5tRwAqRF5V5Si75GG3742lEMs/
hRofy1Og6jl+oGtSMHVxK+Kq2ktipa7TI9kbodKOU5JD5SyRvsGARopFwEib
17lWtkzw9XQF1dsDqvIUqdklGHgMv5ZUXno4id96QYj+S9OZ5Dxmlg0HpYe4
+7j3Ja22J3bfQ+LXbr2pqCLns/x7fDPSVGF7c9ZQiC0WbWOMWAM9zus4+csO
iYLr8ii8PWQEyh0fiBw4ylYr+raLMrHScYALKx8ZaOcop7l1G0cNHUuhBCmB
ThxOFMLKuZlpMn9H9s2X+l9L8S/8NZ4GgDgdiTKhKsIU6vF30j/UFWi5twkn
cJlvoxbdeu4uaiZZST2phsUy5PGKO+W4RABf61SooWJawvsqtPX2D/sZ9A1x
MWA0YBMz8/6Xt50YvCSVzsfps5EtZ1+wjcuHvB98RHwIjLGptNSprX9i7wFd
9YfBx4zy2I7fg2hOdZ2iwJ6QhsjmqWLLtHNSnrCa4olVJSqaZhJU4UHf1Nz1
XLQf8cwM2V5xj2n08jKmMSB+ggHmMIH0iI8ozrP10WSv833xGEeKob5nuwWD
i5oHvIO5ymnVJGDWhd71rzSMNhoM4ykOIQq1dgWWEnL5Qq0sJ1nwDVZ6tkm0
Hv/bb+f/pv3ki3UqVJK416rQ8AXamKi3JtWdb+8CifTN7ajipNuLTMopM4Q1
JBTxSjEAGd4qXn2+KwYRUAcVY3bh8/PLk03rSNCoGyXnZUnxmqk+YmiQNy/H
3nka1iOjnsZ4JRxOYlhP2Rh0HhDiCAzEccbvlLGFcpzlV/YLSKTkhIhKYr+L
x4Cjq9Dyfn6GnGppyObr17K+JeqhjcwIZDITFEYkoh29edwRg//uqKW5m5ai
ZdTKzTiMwerDsJYipJecvTCUQkLOHQ6vKu3tuoxzjPamtUSfD3IYu2gBaalQ
GBAWoFitp3DaktTEeLK3Zvp1fFAQ9pXOgupTLo0JyXOnmIuK+dEeQhTlKNcr
YB5PvM8ihEioQJgZzLLwJC2mmBxJnEU2/cPArwrbv3wAew4wvje71UqKF5hx
5iKafR/bJU+Qe79E5afUVJb5cTfdJZSICwXppBwfxPTRX5bxC0MZP1wZIBq+
PPcXBnN/clN/rKiT5SW5j9JFkLoE+rVmvHD01wB32p2etjN0anT8w3N1XH3/
Dd/tzbTMsr4Ms/P1ujOp44rMGZprlfQMVuijD4JDH8zqi+1uo4jbUipaIxbo
KREoMtjQkZCROpDe8lAlp6DuFVEVxVMNb5AAMlsp51cjhwPn1LTNkwYnv+Go
IgU0/fYPz8bhlylp0MukvfLv0X+/JFvoWTRLbo8dDKNrCBXE6R6iHFlv5Efs
MsUf3aW3aJx010WvSgsImFhYv3jvbjX42Kj6DrNfBP0FeWKjWY1uR/HEvH5y
TPXmN9lS5I8HDzdpWzCQyS/i6bv77fCgbn93WL4iKuL4CnwE1mt7UvxA1Hmc
yuDTyAEdZb+J2jzaV9nz45/wfGh9MQ6KknqVX2mfw9A+41Rs4/LR/MqRkRqh
Q8Dzp/+F8YPLhP5FdsbEkTso30zK0O+J6LPM3y0hQ6I+hZV0hLilbytbZraZ
4Fyv33Xp7XBtepvAeCUgFt0ZdNh9EPjgC/1Y2eoZ9THQuhGDSAOgdPbizeWX
zcd6tv0cBDEMgQ3Qi2MfmLPoQXecRbyckjDrltlOvL+aR8lGuVs6Vmvmp9fN
dko8r0+I1TFa1Q8W1DikIr60xQGtGX3jCVO8qcfZt7rzzCK1lTUKEU/cpe5g
XSXrsCER7XHjqXNbgEer4ly7rnYgY+b2OivvOzlIqLkpkP9BHd86I3sufOTC
r+3jv8OyabYq+Mtgu0EjSuybWYR8/ZL2oqioMADWzIHLjJ1MFaY8ZMJFp+xX
k8DI6UTiWbIB8l8+tIRwv5RcoHe4pEdGHUa6M2h3pj8fo1mohOyLNtd0jbX5
Dxpahb8NNoLinSFWkDY+5DxqfCtyadHIZ7EjWZOicMERC5Fp6BoYeIbpzBz0
bReRRHjJm65xar/REifnNr4fUhdbmCWNQmplLPmVwJGnvcQxl644rpUmLHei
QUy+kZUS40TJprpuTEqnkXE6cjaX1yokHnl6KvjvyluQ8Y0XTOXBMZVLD1vU
li/X7OuuKvNNkenp1guuLP3x8Sh6p8wxBTVbu/iCEbAJMy4V1262FgkEzdPA
4jONRtk0ivvspf6FLXdJke6m3CYLacTohIMpJoomofrlykWcYs2or9aA4YhL
ITdtQEqRwK23Uj9Sb7fcfQ5Rlg8baHF4HT/Q47GQNFz6pYJ3PKxnXJ0rHXK2
lVaKH/eSmRcvuC9xk+dVmIK88Vr3chX/D402j+nBu9TPpk//Sq4cXBBXcJPP
Nm+alpKA5K89PH4kmi9qdxfQ0ThOLcp9DnZ6D1tCAENaAuVE7FsGnShpPF+x
5uPFuuPGtx+yFUpH9yC8IEeEYiv7RtKhKXkeCUrxvaV4HsvwAx9q4mA/PeUf
C9euBHeVrSClZ3WDKKrJlnlIowA8aLZpL5T3Jf3sVAI4Q7oHfQ9SUx02i4Sf
TFhB5X4tmlNUDOP2oVkG+0jBOXc09j2+qhggONfGkglZ6laaK2zFk631qlk5
E9MikEd2Io2KtT/wpSeutQqDboe6M1GBSLoWXQuu4Yel7hzq9LOoZaJasTOx
WbAamOFJq7VN4KOtJoVciRoMYVI0wPY335uxGqhbsq9L//S0kh03F/SB7KQO
aXzLeg7K5nNq0bEnYH5yCbp6VMoX4cJsJD4OvLT9yE49dxpUT7WP/ZOWZo23
vCVAA9ESMuVgjeCZNN9nTDJd1Y8Z5Opv2m0vF0UJbG4TqivDaFkz7UMWWiJk
mwSuekAzqUpIHfnY45jkUqaXfbEQEcyvPZEvCjRcnzfIkgVLF/Vf9gL4S/GC
Wd5UIm8UcetCytkTOQCehY6jzKL66uC6GNZcmH9qzl48XPfuytpaBV7ayL19
l6kjVp7ek2ga4ppiDFC95Io9O6mb1PWhcM0gwjQvTBkCmzJMAsows5yZ/za+
zgVajE6jB++Q85zC0zodSmMXbXeZQiELDt10lC4hnW0EQAkjXG+NIi4FD437
RuuhNQIPNzBA+vvS4GqgNDh6a8wh9xOFP72L5qOibJjsQaHiIPdhpCyU44WU
RpnXtrfmuSSkysSSA1qXllelkdCBSYEbnygy95WrSS5pMyUg+xRvplR+ws/G
lf6LYZYGYa7BwVxZjeaBacebajRArBBDtnCkfzZzVX1SWH89VvYgaP/dAu9b
lotg4z/f+c/JUR9E72fhQ549SaHNrCsXb+mSWIjjVEg15i+v0VNqTzlJCko6
1ICjoJXudQpzk04ZWS+q/7+9N1uS60iyBN/9K7xZDw2KRFBsX1CdD6gsNitn
KskUMrtqRkZaKLYCXgyER7t7EEQx82Pmcb6jf2yOmtm9ft0jAAdZyEyQBQSJ
xf0utqipnqOqpnZ64tXizXPa3YkdODUrCwfMnBz8lM5rmcDnlD7UKvfOpROa
PjrzmCyO1aPQw4SVp2mfsrVW8xXHCkCTxPRjExv6mbOhm33b7kdd4X279KYc
yySN7X5jo+Jjvv5ymu18YvpWb98lS7z3PC27HeXzQLzeRd8Mwnp8B53fczyu
cxEEnCsSjJyItmVynM9DrPYtW2+frsJCQlr+5WURGa6z+cjhw3R66INFuTAH
44y2B5kc07q9GqGxscVxyMF9P21kmuexUXQMcitp8Y+tZvb667GF4bRwxfTh
pboVTbdTmfRvJpN0/tiu1R/kbR9X5IMTPLoia5C3Z2wFCl6smlXqpYq6O+CY
R967/rIV0+m12B7W3O4T0jPRm6V+vtve303ZV81bOdee6mGT/THTmAq13vRc
4jblLW7VtMRS1Qz1PwgeoVjyXU3HgoOjphe77W2rRzE8RHPNfHTuGAjYledh
l1vd9GXeXEtooG2YX45aMyvK6Bq5YkOXN5/BVAyLRLjpuV47cEotawdxrlaf
H9Pk4hwEPp7J0J5HRUinUTxmXi1Oyl7U3JxOWhxnw5wWpcbiPbTaRW21jyMb
5iNJe5rYtKX89NM3HMawfjKTXprv5TGVlDYHWWqlRSJm7rte0oAue/b5N1eL
DVETbm4Sg4Ebt31KFgiQbuQjN19a87S3EFBHmINxtiMNxkGbs+Vb7+9Ct9Xk
waTkp/LDi9DOTqdaeEe7P1ZE73hjVV2Cm+jXFizrS4aE7tAYYSpP133D1/xd
Q9yYl2Me5b6fp9YyDuibN07mlPjYyz6NE03bREx/f6zk8PJBY5f51MOjFVtP
JxnWsD9M3tIl5tkfj/57PZezoNubwuonrY68wZZOgJZCvBajdzoM41DyExje
mnFHBwZQY+kB6ORITW1+5N7TkRTR8ggA8XaLsW0ruTvGOq9vd18PL/R0qDnl
nmJBlsdW1CTNx0EbJ7YdqzWRfmgbZ6i73ee9SE2nUpG9Huh8WNwiXE0FVfdP
TyLAlLO9yJ/uh5fOORjDkNPIH9l9r3x1NTnEm99z6dQ5gg7QkNVJZv5XrTb0
CC43ZdlKrxOW6NhnLq7QFgQF9bpXinI5pvNIR9mT7VJJTmp+HGd5TiMeMTRf
L+oMUz2WVnGAtkCQlO3u98NRPFW4G3s6226IsUesY4zuxx52o93Yc0TCg/NT
N/POglY0ZMZ2V6sJw7btTNd9KZ4hyiUc7YqLTgeYNmVdv9zsxxaAuYbq5uV5
A471LNoML9bX7r6t63K3f5RIdCPby0Is+t7iG/vV2In1ejr3ZmxlHEVjR+D3
0NzILZFhWaCwo3ZK81r1Q1xvB5U9afkg23NHqOjWvtcJnI4S+R5YJa+eHB99
NaWPjvIUb40DPoZDdqWdGHFHu7n6uZHdRo1TYF4t4zVHK9E8ZOF21Uo9dnE9
OsMaCCAn25wzQruDIc23DbKTW46Kxk7hk0kmu+o7QsgJdZJp7a68kWSX6UC1
YQLb0p1OyRnrYlEnczQU+qN5pek5DfT26Z8P4URzy+47DMiBhuOY6kJXT9Us
8fqvntxsn69vP501/JaUxTKYu2q1I6aw/Lbue6ewJkYZ+had2/eKXBtydmzz
tKoAvl4dj0EdQ96qfl73ENB8nHPoNYj7KZyk2Q4vRoGwtvh6+YTVm3x2oWUq
L7zB50nMiy6vvnrCP237C+adwKMHs50cp2bVteghokfw2mpRMOPq6N9ZBsGn
0erF3su0nenU4bM63QM1+X7WD3w/I6Ta3D/7KSQw4AgFzFanu9tH/KD8QAB5
c6CK9g+CNLjm9X4MV3c1zr7xyS0+D0ns5yu/wa999Pw/EnBqrrbDG/JZh9ep
H/715pzVZ6c7tvpwLgd7FtLVqJzVc6l2lFpCdTl6z6Y9B+M8qjdFulfdEM6V
W0bawDLyOtefO9ZlOQm2zj6BVri1BfXalDTxGWu6BxAb7KIrSS679lmcKjCF
vueMBsoduzo5qoa2yrVkinbAZjNkkyt9sdbGJkZKuQ2EsBaR4r5J4dWL13OY
aJ5Oig7R1M+C0RBcC9g9XfcCWhTfOkuhb3DqhtInBo9aRn6Hg3FKj87TDsI3
TT6R2D+Sff+XUYT7x7+DZB/mItsXqeuzFl/t997vT482+s36k+Ox5z3Xr+3A
mdY8dAD74dmz7tdtsOfBt0xNWR6NhVDNm9v9MWQ+W/qWYrBqdLSFAJrkk26O
9+m7chjpRSdVvtdP5mMN+jEGn/Zl+rxsqZDr6/WUvkCnHSyqgS3L7twdt38/
WZ5jf7V6zOKiK+OV7WH9rbOemfbgtsOCqAb7ahyvM/KCTtDDqLiY6/RJV8/d
jd7jjI+VeCdffS/wnpdL6OpRJ8JqmVZ9og+6UD1yhutcuemfyg8hl7Qhv9UQ
QYp/E/k/pveRmSAv7VjiZ0+ZB2YqbXyWzpCOx1e+PYp+dZax82ggvj2nJ7ed
9Kiv55PmDa2xVEGb/clT//Sn1bIFb9HtUwDmVLsBKLVOvyyZvJaLs9PHDsOT
uTtmpN7fjkPvR+B0ddR0C7S1Wn3TM8xnW3parPyTfyo3N9urhov/yyfrJ3xa
kiOkP2OXeUdzVw/rTyjeP9Nn2oWBJ+ABgk0PIPk7vJgOMpgO1l79njZcLLXI
Y7W6e+2APvZjlyn0g2zdx1/sqrsQe7Lb7PDpSL2vyml7xkkti/7aXmX85Juh
AynGN3uhZpjYAPrijJpFQGSWoX6gWye081tog9rx8+M79rQglipkzdqDugnY
HxfCJBPHfbw9zaOrKvp3Y/sLt/9n6NnYU0AH7J6Sj8aVW1Fr+qoXxLldBryW
tTVXTQnvOxqfQdS0u4EA2OQG3Dx/cShdHfWTZ3uC4veEgto0Xx0rFd2W5/20
hUVCwHK8aCk1E/katpZwIZWzJEE9Lun4mioJbXfX9BcSsl0ImEA+2bHP/m0c
sdv41i7UdoIjNWk7Z/NM8tdKq+2eh+5kpI3U9zuag6cwdrct8ks6JNx8N4qC
k//jwQBj6b/aTyPZKPJ6mVDcR/u8ctyyDGKbk/kY4//Rqrf3ws7x/vl6JAOe
Zs73HXGLfdmPluO6OoZ2aTPBMrVisaOuXTjtm5n1WJ/NcbDn6rePlYfqh2I/
L31UpgpSx0M76DTnXdpMIn1WZgraa3sz11lp+wRfti51vN2P+Pl0+cKzMezb
A6ChKBY4Ilrr5sXq1nV/PaPS64YW2ll2YT/nRUh3bM9CIsgHtjxybpKvuYNk
ipfCRuPTwMZ1BxvLcWnW5FQFN51xVK3zq6fRGk5UAp89JL9eLvvunF1kBQ2I
tBS5IUWHVou4nXRf0ndtVzNtHDqe5ndyyNNJPcjmlUWr2s7UPrBTZLjB2HZy
eXcQ9mldSsKB8tP3L8J3ZSEL4+BV6tvZkXD0gD5wnaXS9nujBkIi1th1ztHh
eva6wT4X+rUtyDm6NDsNjsZzcWbg2R7ZB+tg+AGoWO7SlJw24Q3GZPSZNpNT
LOGL3/7++pvf/QvJ/sNIHflEW+XyhV982PehVpdUpdvGOSpxthIfNTptUE6s
zm/W7Goy0cQLdiPV5WpI3GSPlnDwzaZouTmmydp0VOEwJCfivb1rGpkcyLnJ
4mgIbZJrD5/rChwbayTl5Z5tD39sNh4eH3RiWtPxNKKOVoe7aC7Zv36wCX16
y1LjTvFD6sL1YXtNqGiYMjoOnIrUwjCjyV/cbCMh2rPA9Gmbny+2Ehwn7W5z
O7f5mJTyxXQa0aGf4kRqsFftJt/i1LIWvJz2cZ6ZrGWJyOZXPDRnOrrZt1z1
w8ohXU3DPmta49jacx7Y71lKybNvN+Rr2K9HEsSxDvFcC3BSZ4HOlbxqDLg9
Brc20v+SIjiLPRmTdqKBXSyEieFQFeqWLzGqKrQzufHHYEPoy5cT9Dgd+EcQ
x+xdPPfzHEMQfVEejfmSQ/z9Etz0Z+4fc0EMLPJ/fPPVl+vuHT/KZ0MR0FN3
9yM+e3/YvuyAl1x4w4CRhK4Wpxkcyu10QnfDDvNRDXSeZXk1/L/dD/VNH/+r
pXa6OrEiV6Bv0ik6snkpPSMH7g9LOk7HlSz59tO2d30iwP1X2ysi1utWE+Vb
vPVbvONbvLVvdB8MeXkxx8UnW7Nw4cTY+xuW5mvdm4vPF6y9X3aiSNa8fbag
Hev1iFP1Zw4n1VlDHq0FuTql3k8mmNPqkQ/mMCSwHelyOiJ46nrmW0/XNDyr
kz59Gwtdo06uYQr/r84H7OGz+Oq8L49fczoQdA1fXnOmh7+9d2dXtPeQQ2dZ
00Ae39MGFY1+68+7XQShO3VbPD3F0Y+8WNkSWElWMR/xo7OxhnHvuQ3cV95L
PWgneYlCmhCD0p4ZqbQrWujMJcssLUp1kXF6+JbEqzBGFu+9tUq4nFgtiWtj
UuG6+HYRl97hyQHt4BnT6JXORTltmMWPEdN8tVc81peYJFclheBqNYknVWLi
Mmo0Gb1huV0kYqqKi6hYQkPQd8V5cMLVVKMWpa5WY+Wv2frJZv9tg3W/4e0V
3cxNc8jP51A+/rOQWShz3CjU2Y2MeY0hVVwlkZVSXON/fOpY+zVddPzFm1Qd
M7Eea44JIjpVrEjFlRyrEtqXEmkUCLcdZXF2Qo0bMRrcSWUEj5KJyEpkLDKh
dK0VAxSP3OgNwuxthDxh5LnU1dTCrfQ5MI2/CBZ9709O2ptgMvNF+FiLkjZG
y5n0PPkY3Ooktf4v9ZLmg37jqvRSm8Cr9UxDXqLShkuug3FeaCazGQLFkuVG
BCwY4XT10kuhLfNVO2UxXEtv2GMrv3D8KMFNiUYFyGZINUjj8Ayn+juq1ZpH
ho9rjDJgeRS0wbBglEIf5ZmL7cEiL+g2JpFeYr0rTBTNeRSmMnyQRJ92iUVj
PVfMeo9GVXSxSi9k0fhQus5kjq6RU9h1ZometiQVuvjwbQdjj59Ke7L5/bgc
wnE5QMtYka2RtCCgQ0zt0p3x4yEBTLDwyK/epQu/HlzUCvZRNavWmc97B54M
d/xJw086NxruaKUwW3lxIXnjmYKui6pGLGkH1dllKrugooRytaLaoiCdmBwX
oPa0lTa3gbuDue0m89KwPThZ94tHzgzuv34nvvrmD08o5118+vOGGmPd/1eT
nR02uT2Jjy/5+L+pqfbROxuwixcttKGg/07t2zxvNH4Yse+ulmNJe+Pfq9Xr
OxROa0r0ygyd0Tw7Mpp/JEbz4989xmIayt0ffW53wzU3sZgnfb9rO77ldD/1
vLelZQLMLsj6gM88XRQ/bUUmSKKvTjJ7mrC1NJovTnjTnJEx0aBzEjT5kftV
rURLZ1ari8wKX6UpLX0xi92JNejFF6uJoUxnR011QMnpudscay2N8w3znPtF
8dhpn82Cg3bWMJ1K+MXc9CetV5/+9SBTQ8M/lW3Qwxc1/MGeKbTYXHDkH7x+
/gk18ovlun/C+WkHrDAcP1pko4zG4q74m73Y7+wKcASvgdUG4lKSMgtgJsAE
a70ZnEbG6DlPopoSbPBFRxZzkTBrNVt5XDRkTWa36THk+sBNer4+TvwkJz7T
xw/EImY9u1KnM0EWvtQe6D/6U5dn3hATfofTbZ6uz/Lal57Y/gmds0fVi3q0
b5HTM289b5WJDy1xb8qmPGYNTP7Zq9X5ocHrcSb14vycw1wed75o8hGOJHo6
+mtsNH7Eybuo8PrwDGrye7UVSwGt1TQa+3cJQLzRQbxaRiPWi2jEuvlShoOs
E3lyqGDwxxbYdsJgVzGruXLzdMb3iKmfhmDXbwvBrhYh2H70adufP+jqPE2V
ZKNpzHErGDCoO5MwXmum2w7LV+E1lMxUY3qcJH56aMMpAe4evrY5c2H/R/Wt
Lglz3v8UZuofz+WvaCtMb3H3Zs5HMHcX2DISMHZMT0M1f9XFdPp4eFy6vu8V
04eILs+Sn7wtlAXTXz/tYGiTOq7azFGnluyxP5S7tptjHEg5rUAAGkxvTxNb
fNQKU7fjo2nIwmpkC5FflvZcH2e8xcFHOeCh42n/rvDrM3Xaz3KdkBT03cBb
/w9Ai2DyioCI/p+f/nQ81is3/aUgmOzNawAIDexAqBMR+mMcyPqQZuQanVeg
uUkIVg2vSlbhuVHOMxltZ+C1GNgo5oyy0RTuspTMVe1rgtIPrFGAzyT7SUN5
RcT4gxxK0YaSNZb+E4ZSeB+CwiD5UJxjMbnAjIpRh1qkS2o4M0C4Wa0S38ca
kjWaZ12EclHm6Dub+sy980j+z6vFSpxW6wc4ouytQ+dBj2SRhWCS0zoJcHgD
LqtBsoGMOkMCVgLDDZWolOPEkICxAocEegtBNH3oxLuP3SefYPTaEXJt9CaH
44c2eOwdBlCDO6qIp3msSucTfqtMBxaIYabcB7CGKmzhDLQ9SSx6JVkpVjmR
PBAql2MZy/VZpPEn6cQeV3g3cv8mRnqq8q/O9f0FJmvUzx9sIR5zHPw8pwH9
IhfeUjn3Ni00tFrOqjlzAOZUakz4PbuouITihUrKAradp5CM7LRDYRJ55FIK
lULwPHPLRanJRIfLXF9gqYhoRCoylJwLK5lDj6tscXERVQw/qYH4YNWZEr2p
viindHVaiMiCj3rIh/qJ8nGq6D/KxyPyMVucyWH8bvLBhAd5NJgC7mWCELCU
VMSCl8LKKHvAhpMCTZLVDPMUtbQBfeFGMBOLd2LIB1cmalA/w7SKMnFeBMQi
SahfFkW3XUoWl0XIopjgfHRWQdxKVZCt5JO1Rw73E9ir0VqaDzc21pv3a4+N
cfYxNvbusTFy50MsCq1Zn4QFxHPaQb1yJQDn+iKOzEmsIJNtKY7L7HOG/hXc
pQJVIppL+a2xsRity8EyoEPvszTJuuKCizxYj3d1UwIUpIRmeHZUFu2BYbfk
cQKqBxoodnUpNua19JqFaHXMpWZjS+U6RuhAo6FJuv7LEuu7ZM1SsSlK44t1
3jBTk9KaCf2riY1xx3XlAsa0YtqExgwyMCOarLfHxnJVkVPcsMqkS4omO4Ym
+VqSUL50f/TbYmOAv0ZkmB8VpMtJAc4xE1iCCGVtIx8hJZuCtTYyLVOOURWf
TeWR4kqY9XApNvZ+XvL22FiuAKGOGRh5w3OsTsYAQQLuVDIHVvrEAKKoLJjF
q7UM1ZnCWHJWa1hDLy/FxmDOZNRChmBxgwXTqrBKIWJpwULFLrQisFyCtinZ
5PF2PD4b6ZOxyXom+IXYmMYYAHJhZcC8VVuFMmC/RPCoK3UgahjgwJSUsjID
TQCsxjmF+QTwkovpzRbxty8C/hPs+g/bm9dcMv24V/c/YBd5nuzib//pGf4T
7Ns/fPXP/ze962PmyGSJeH4H6/gxc+QnWcdSLTcmYjUqYZ2t2UlVrc/Cg0vE
Hg6A1tGEK6u0oqQarQ+4RVZRsYJCihetY2aVZ+lFkHiZEjkap4KQsMOJERju
KiADs5sUlTTQLrxUz32L8YdUndP1onWMXBvLoCqhmCyYlXWMqxiKLoxHXXvm
SHVBemiyzBWB7OiVcUWmVAqFb3X+1VhHjLg30GoMetDGagLXQP/taW+3jhjE
XFIQ2fNoYVMzr46rYLSUOkM0LlpHIXWsACUsAj5ZjZmnZI4SnNS8Yka7SITk
fGJM6+y4DRoT4QMEQiSyKlJfso7v5yVvt44yllIwijlzlrKKSZakq5I+AFHl
HsaDecuYL8qwySFmlpRLHC1TwGQB5rJcsI7cRY01wUHzkgg8cOaLVgGyL/Di
2IXWgjImJ6KOTICH+sod+oPGBNgyLM0L1jFacjhxch4DZZrsSwwViBe4SWQm
Yx9QgIiAAQKO8KxB5lyK0iZ574CX3sIXL1rH/zBr/GtYx188d3wn6/iRO/4U
61iIWWEdCyyVBB4IWAr0zTxmgns+YGXM1RVDTKQGbysLqkhunfSlaEBxf9E6
QiP5JANsYpZaWhdhjcFosnLCGTkYqiyEvLNIAOkZdpLwMbCrkkmKBOh80ToC
DAu8SZDB4wDvCuaxKBc89UfpLtewQtJYqDELoByy9SoZAVorJUYheParsY45
eoyxiEEIU6TgjLRqivqidYS6hYZnGerTQmWyWpgxFao5MfCI6C5ax1CSiSAm
yRUrpCqWYdopG9EZk1McngKoapjcypLVRdiCCbLaKGeyiLA+4pJ1fD8vebt1
jBgA7bAkghZFZHolL4CFUQDHRdeDkUkbz6WwrBC5hDkxkCSlY0oxc6HTJeuY
wWgFJfligDmsd4Kwg+fCUgIuSju4IyywV46JFAyXMQn8LrjEGjXOiXLBOooS
eeEZYlOD8TCVSVurlC4SIp9Sh8ASsDeECjghATiysRJi6dE7hjUrVHibN3Vs
EXrvnFHwoy8V7xg27q9JFUdQ40O0hoL/8riirB+0NUyqsOw0OYbACLPFn5UZ
4TUlpyfeoSrgojQlMROdk1g+WXAgb6BoZTU0zWWuaKPxBWaHnKkOfNBbyXUi
7lkMkGiPgGDFM2UseBwDX8RCBb5PHuAWtkEoc9ka1uidhSVMVRRbSV1EBzgJ
YuqlTLYOm+VBFiNrzlMbE2cmS258gOGVlAb3ztbwwRzqt/+860V/C9MJRm4S
LCbLmTzduuhgclX2sulUDrc4gi9gIDZ6zF0tRikwGRuFvmg6uTUFSl6r7AFM
vIct9sIFm6COnamdxwCaWchAJgzFhGTFg72UYEGUhNFBXTKd7+clbzeduviI
7mP1WB5q0a7GZktzKoBbZXhdYg3gdzBtgJWlVExhwatgcDFWaNEF06nQcgBJ
ML/iirTJhojlKyQPXodptTpecuE2Fa2LTRk4RgSfAznUGTl7LpjOFMHClSjG
BXQ7CqxahlXoo3RYn2oQS4yNKR7WXwSlKKE0FFmiq1ZZBiL9M0znf5hQ/gVN
5zvyyF+66fzAiOQHbjpNBC6mdL8YMziHy2BztFkNayM7I0acxQPrFuES1CkD
xITZjAFMLGKh1MLdRdOpAKiBmJ0GnJXJUbAvkN8H6N5Qvtqw4t74qLSHegNj
1U5AKXgF26wdYLq6aDpVjLYSAi+aSZNi8SEw7gLUjYYuG/upajYs8CSdgyrl
Bp3k4CNaslCUAHD/T2k6q5bJSJVSpa1CnGtbSSVe3s0HU2lqIA98yj5FEbnT
lrh6tbHmmi6aTtyvfIF6h7kSjgdjQ4JwWEEpKNDfXU/WWBSXumBKMZXGyypV
BBWQEsIoLprO9/OSt5tOhdUiE4fcZlN1NUYTopBYU5Yi9V3GJZZbDZ4rgMMg
YciBKXPg5P7lmQd5yXRmFQIspa1Z5QwwCwqdrctMyQwS2l0lXrEcwbGDzr4m
WZmDneaW/MwmEP19u+mUirLDAuYvNGxbcs6QBIGWO/zWc7yU9KmAWIP8CsWA
AMirJAwT6LDNcrEPgwpVvfv2kw82gecXH6L8uLn9vdvOj5vb32lzO/vQnLDs
ojn82ZvbYTiVl0YolbUKJVftfAJ6gWKMIfnLCTxSwCYZ/JaJ32lNLsvMSyk2
AKKUTlxkzdLygo5aR1FGCrqZqGXOsnKApXka+E/1hdvHf97zNPA3oJJj9cLB
RlkLXupsgzNBB8BQzXiF/aNUV9uJislW69zQ3QWWLwTQYVSxFqxUn3n2oJ2B
OQi+Ev4yVAGu0YUpK7izOcHoBsy2zZo5jHlwfb37KoGUeftxkVKkszKN6WJc
gimXoIoyLYlBY4kDoWIFZ269kbHUSvd3xzKWHuXoU/kBJiVWntaaILwsXAC6
+AtQJWStKwfTd9ApyYXMcqkeNhzEPxXWVQomU5TkmAIS8L5QLAEIAzjKURJD
cBegCnReAoosWjleGasxJ28ql8QgHGh3v0gDdGmbuOExUEg82ETh4GBUFEZd
Sq7C3CULJYV7qLUpMYM+ZOdlZrCPPQoG/Yx2g9gECXQKzpESFzybiCVJPvOf
DlU+5hp/AFDlA6P5HzhU+Zhr/E65xr9AqPKzc40BadqeHaFk9C4154kULCdR
FaClvMzcs4sSlF9yL8CQi3NCwkSA+uIjyv1pzQs8gX1z2E7QySCJWsO4cSOi
KcaKXwtUqdxC4EKCpMmcADJy1kJRenKACc19ZSfQZsbeAap4C8rNiCHIQEZL
FPJXhMIo+9C0zOQLsXwsvIyJsE4LLmxhWO5gIhQiE2Tr+1sCWLtwUcEyF1D9
QJt0MAyGVqyz6WIsX4OWwNQqn7CiMIAZ+ATYLNGOsTh2gznmK+BDkA5CybyS
1VWgNc4Cswrw6FKNJAUsbpVKFaBXQwkx6THCSirLtB0aEyCMA7fIqqzxTOoA
5OwsOmJY0QBOF6CK5NCJAAnO1FqZFQLYuwiIawVIStVMMKJoW3xKMUgGghda
egE3iXnO6sU88ATomnwB5IRwxCSc8JYCGYphLeiRaFoUVqAE6cBgQlFh2pUE
VMOw0bzbN0CVj0ngHwRs+ZgE/v5hy8ck8HdJAv8FwpafnQQO9e5p92gslvki
oZVNDQB3FMPiwl+O1XsBWBoyldOrYM8g51IrTKaD7SIaOQQPSAjilIsCpg0e
U0euL0y+jrid/1pgi8qu2sCjgXA572B1oIRh12L2rKjcnxqUKlnqcnFuDE8S
64Gcojl44QVtBIedc1UFmGJ+cW6czpEi7xkLXWXMa0SnKbqAvmQ/YiihaodO
Z0P1MYA5tUwOaB9v4FJhdi/nUfDkMgW8KMucjK1M3NCLAV2yzQMTADpZIaMK
FEEJVKIxOVcoDdHBDlyALQUoJSZNUlVCtdVlsBDwEEpyh00f+bkgJBYqhqJO
5CUStK9MAeYwyuGV4gJsqcppQBdBZMsBJbKsWAjQF4xy9lX3FDnH8Z0Q5EpD
ZxPUWmbJSgbWB6GvF2BLVbSXoVZN46E0V0B8VUg8IEge4ohpmmCgBSMG34lQ
sYi8i2ARHn0gzfVzYcvH7PwPBrZ89LZ8zM5/79n5v0DY8rOz84ErJeM8AjpW
DuXJStW8VtnkItXLjL6GaEABARUV+KME9QZhF2DaXFlKXu8kNWlcJ0QSMIdk
zkzKAEwxKdhyDWzzK4EtTkOnMQi/typn4GgjAP1ZwcSg4yNNkXsPaOncxbmR
pUjY6+qZ4ZxFV6yn9ukqoiXZvzg30vCgQPA5RetkjqIAUWrYYxcch0HsC8lS
cSRrOb4HYQAaMBEwKXrLAx7AL8GWBGSF7qkA4402Ap2RCESwCaqd4ru3xUTg
Wad1rsLBUEeWg0mlMi21lZiGSzsnDNhPhU0uzAJXmJRYhIhFDiBnoAKG3olg
L5SyYlxIFOD00Rbonpqghdwl2GIxJmiPCV6CyDEKXToHqKcoYbWw4W2R1Zpa
kjdQwdKCZ2FYmcIQeIh/upTDUliUEdQsx6DBHpX3lCaDdattqHUkUSshuA4O
QoOFJBRHB7LmzFaNOdKGvTEw9HHbxFlLPpjczw/Mu/KB535+3DbxTtsmHoMp
v5zcz8uY5mdvm0jKSZsIf3DuYXUFQZwsiwu6MNYyBS9EkJiAmc2GkysMUwOY
SQG87CjFaEoLVlkVsEohA6ft67wID2OvC4gonTjA3hnTPHi7f/vPu170twBA
jBnLFJAekQfhNJYuj5ZqsTmJv3QjCoUKoy/SxYn03miYRgZzCMigHXg+BrpS
/R7mhLo8kZWXnGhNS4OFaCKWOESJxRQo9XTghmKsx7SpIAOLEBgttACQUD5n
rFljLwGgypOGNvIUOYTmcdVIoYFLwHeKx9h2RRIBsaBtvI8ceNBGlihDJgQJ
SKytvQCAGOABFB1QPeRQ2VQ9D0BQjqFLYDh+AsOAIBGYuqK/AsPvqT3U1SBT
8pf8NlECC3LpKPhDtZOA1cAEipKYxqCn4g0y0T5WSIwwhJe0rrJS5Imgary0
/0Vm5zzVT0pUbYh711L6BJ3BgeU50vpj0dkBU3KejQ4cQIkmIpNyhpTW9FMB
0MfNL39zAPSB+Wk+cAD0cfPLO21++bUDoJ+9+SUpA3xpEvBSMJp5r2F1EgOu
zBmkNl+0m0Vrx4WFSAgjquWg0wnUO/rCCmBAR60cIqcp3xoGLYHfq1QTDDtM
p44Sc/ufEgBRgXQtveGU4kEuRh28oUoSWgsYuR6zrSVViUG7OJEZ81UUpbWa
DDyhCL1Sxn4y3Gbgh4sTCcuKaQlYf9owHqzOtjrLFZYZ+fg6NskuRNrhClOb
oROoBkQxQGuZeW55jBc9QCYktBS6iDwlVE0RjbT0h+aAxN0DlCqoVCkeCFGW
4qpQFoDJUaQJQn3RA+QAHACXbKLh1QS1IvUrBKqoDlg1UBKFeyiZmkJjFpgH
kiAcjwWXBXXJAwTcqkq1EHKuAemzr/jJGdLsvS2uJ44lbXOlfkXwT1UBW2wE
VrIELx3WyAUAxLiBYs+covk8Jx4NFnalslmupDBYp+FoR9GOiUqOeu6pxCQl
X6dcPbm7jgDo9Mzkft70+pt2bPLxcJlHTl6ejpehgzcePWJmPqzi7BVLvLR6
8uOPdKjJIcSb8uc/f3rVTkjr58x+2c7mVeOQjJPzj4a9uJpk92p1dqLq1Xwm
8/IA1XYOxvGQl7ladDvZ9qasltbuyZfffTo/pGmbPT677Wdp3N/2k1xzO/n0
Qjnn81rgf90kay5x8WkTfvWBv/eZZt2iTf/5An/nldRBaz0VJwQdhlXPIGDA
bkCKUnPrAb0G7ZIen6jgdKXTsbQrVuXUyi7UqjoDccLyHLRXQRibHVhosLjD
WWki0MCoIuiLo6J+PlMlBsGhsAWYqkleG6ecvAhNYy6wKJVLqknvk6ajLaMK
vvAI1az6QGUBi8A8aChgKXgrFKMVrkhpM/RnOxngFJqej4oXNYHr2pBgioC0
6dABEYxNJTObwyDuvFAN3kxkHl+6SInCzDtyPVo/itAXDaMpPVNZC8qZyCxE
sFo8mVWv9FQ9SkruyLdURQkWLwZagqUl/ow38l9NqTAlfPSO0mFp455NkDE6
e+Aybo3FAUFSFUclbMX0kgcDEyIEJajph0ewns8oJcoZXyKoBdcO8h2z0ZBe
Y4KUznbrKmlmRKZU4EQR8VqdMeA8qkaTesYcbZiDdc60wxGEx1HAyWinIPV0
3k3Vo44WZfs4HzKdUZGZADKgkppKgoJFSjQ+A04fenNPIdiD1nrgTpESGqqD
s0rnQOnPhhkscLC3sVwomVxqnzIeDKQktaatDk4LmyIbtatBL6tVKTMSPkBZ
C2abOPhrFj7zTsoibnCVScA4qJiUEvmLcoEOwL+gqs7A3IPDIwp4Jp4hiyO2
Kg3EiBIjDYvMuDwyzStUHEZAQ8RglTxwrAyA7Cl4zuRYt2CtRmI9R2MLnVpK
77eOcvMceKoSQ5dAuVqK7ArFfEJXiAUQ34I+0um84Oh5a6GUs7YmsiBBjIPl
AK3tQJRigEjHBvqIN6CRMlD2fAWfs0bbksExcEkZWadKa8sC7W2QPonqGVaf
rSCPIrlkR8I/94ZUTqqKHNjMKcnxFzBt7yNLQswA822bzz4io/VHZPQRGX1E
Rn8jZPQLTNP62cgoCSqlGYPPQAJGQjAZRKtkqZRgMMkXkZG3XT50sFT/miIp
kIziIImM0nTGAjMKLzG0wctpYATYIZa9kgLSLIdzQlXn6Yh3Oj+j+AQsomBm
qRQBrwAn3cMltSm064EHB6tJYVONZlspIu2FTL+aPHVLZSgSln7lsPLG0JHz
wHMuOuGsHoXCa7LWqRbCefssE6pAGz0lamH5Ym6E9QlviLVg9h7mqT84Ua26
YDiHhqLEKsUrbD8VYo0iBApOjrdUrTIdC1ax2HzFsBT8Fk0wLOncZxnoyQQm
IRk5Oe5MFdYKgAYq9iHMiJwycvsWJ6FkClcG61UFZYI1odXRe5A6dt5cKLwo
qQpwFYnym5iEAiDhizZQRkRvbqJEACYLcCSIgFNCGHJqUm0DM23eDQBE1ZHH
rwDdEQKTicLGQKyO8sEGgM2Ap7hZeGeCylHyKDRkgWcIq2MX8K/ygNXAaQKD
K+jkMK5kNZgswm3RdaWoBSbaOcFtlJR+VsmDHrEYqvCy5r46goL6dlDi0XMr
KP3eOwDHBBuDp6sRJedYKYaRBzWWwAhapggDZSEMmAZ+Cf9i8jExEAg63AXL
GMg9R7SMjnDhsU+gAKGoxXHMboY1Qz9AEWog17+kOg7jSZz8qaJaS2VVYhCB
Cj4YYH9t0ohGZed4S3Fk0NwMWsnDBjiVZIAhivx8G+J5a6uJ1N1U0ezMqVZI
JWweoHkcZrG/AyA1OcVhYYssJVMepYb9jgFixMB+uoGkkHeRpOHQIsBZHjMd
GciysxCyPrZQeilT8rMWMF0eE4EFjPlMmSovqEWZqElPfV1e7Y5O1fWPf7fr
HyyPs9/shyt1jYm52QDgjbumh9CZ9vc3N9fjXjql+7Cd9BZs27auw+rwans9
fbTA29Ppvld0yvBNSO2MbTq++SbQafBQT9Px2XVX9i9WTY1+RgH79G0uN4ew
/s16e5O/nRTI//XV1+vb8mr6dz9nFR8s/bDrTT/OHvedfEz3zs99g7MWg7Er
wF5394eSV3Swdrsmbe/Rr9kze/q+zy5Rjkfi+usnY5A//Vj54hdBPD7uxRgQ
+2Pli4+VL06DtR8rX3ysfPGx8sX6l1T5YjUBQ2C3Gci1tQJsNa+Xh2slPv4z
blxI9hNxnhUkWMg1o+8hOjQVwwvzEAITAus4dVc/+ZG9dxCbosczZ/l+WIAO
Wsa4qhS0clU8UZWB4iB6wYPlSCJPS+T4l9I76yUefeQtVHDOF3JhgEwzh8UH
C5UCbSMDcRwWk4NCZg9g70KOJvFaknKeQUyCZ9UTkTgi4sfEO6cqAkYShMRo
cmugjbCeJmSqlMc7k2Qk8UIVkSqIihEGnL3AJmO8a/EtsYf6slysD/cfwMQq
DnYoYDCh4UHyXQBXxS9RTOmbMdF02IFAO/wj5RSD70BjYSVxToeOToO2XLEP
X2QMDBKZIU1n1hToRJtFhc3HR0l2pcCZ9rTvPHDK/rPkM9AYQG1oQ7oPU4+W
y/ahGGCt8mI1FdJj0I6GLKABRVSa8TAcC95rqGFADQ2uhRUbGL0SP+inKaqM
F104ny0GrQuVMOUFOEO6bJ2DuIIpJ6o43JUI9GxihlHpQFDGEm3irhQqhwz7
mhZpxP9YdpvvS77+sq3XR5JowPfyuKat6cdZ35Q/s1+SlutvfvcvRPwIYS8S
ZQiQ//7rZ58PI7Zq7ASfBvA4esJ43TC5BIJ7Js2uELO6BWvEG/E9GMXEFjvl
e7ru6L7feMLCgP63LwesjmFf1vF1a0fd7khK15vb1Y8/nvRz/+c/X418HnC+
/foeVNOoJ0826//239b80/Wf1hNCGF2amrIBF/2h0bz27ebweh03YHO4f9su
vNm+WrsxqaQ7F6160nr55e36NysuPh0JRPFmm757E69ekmhc/w8Q8fuRxtSe
uzodhkzs8OXmdrM/bFK4uXnd2z5YOf5sM9C6A7Y0RjIMKrzbPKcenbzwfLrx
upebPZ4Cpr/HW0JLe2odX7Wnr29K+A79vr15vS7/674PEEZhk/FIatOR1l9j
EK9JKZIxuAub3f4KLTqs5gsukGZq0F+QOPP6CHH+Fu/8a5Nn9gh5HrL8t2bP
LV/2w2LP/CJ7Zh80ewaWZdUlgEvuJcX3YYiNpTTXkLgv/cWUOOIMoCpX1bgM
aB2M8S7IkmHI+eVgWyazDGySFEhxkAAvkY7WdjC9OuXU32KBgZWWGjBYApYA
5Ss6xpRFzwNePc/XG9kzjBKxilSDFSCOPBs8PihnhaxRMTeICogG4DWupJNT
cR3eqgyvQAgc6HWe8aZCH0GcLmAsWFAJFlpKJSzFJ0OJP4t241+TgTqzKU05
DeP06dtfPEngGJiHZIaKULACtqYDSJKOvgJzW4AY6WTK3ScMEBM5U4CcHNMa
ANUU0B5YhwQC5e0sumnlvaFaxXt+S6e46yMZXT8pL+8Orz+96DegPR+U7I/f
HXcaiMyiKSFe9hu0SARgIYBxImoAkmvo8L/CE7f2cgHpmgC8Sgb3boyhODrI
SVDVIQ7KwzpCLMEANtXMEqsWHCnpFDLYAtZdaWPwM/wG70GO3EU5wiwaX6XB
KtbOa/QtcBVdBH2voc7bCSgPqXgNllEMlrmk8AargU7JcOKyHL3vt7y7HJ07
PiSVjEu0YTA0VqiMwuwqaI0atBzB+8SyAPW6XIQCCogpk1VtBbAA2AujUtg5
Upoa6MNF4QJLoV23UPSxgmOA7Qk6n5Ljr+2c5KFpdaygizF70CzJKFGAgttU
BMGldLEIhRMJCN+YzCTRzyQpOa6AfEbKORjJF1jQYI6+Ru6pYBQoFA/MYrZU
8jyzS3swIx1VXbP03JkErq41GgnGXDNPypTu5bQymdhcCbakLFwxjNL2UzKq
SJMvbUGQgtHWC6145EJCKgIV49BYe4ICXSPFK9YCnp4FXor16ivWuY4OS5VK
SWR9wfGhVC7BRygyCohVCXGk+DJzyinJ6lSxhRih0FQ5rTqdRRLFcig8xTWJ
9M91fLzFGlx0fPBEmyyy5NJ4sPHsKkaAMRsrWqb7HGtMadJewv6yi44Pq9DJ
SMya/OpKCV4NBWrRce5UKzTwdsfH+1GclxwfRjGjiB5zgSWClR2ytlFpx7Wj
M2G7anHcqJxEJOPllTYuUIE7U+mM9KL1RceHd0UE4T00ls1SKIupjl5qvDk5
KbpfqQhL57nXKKojV23IBsgF1pP2HFcv38XxwSECKmG1a+i/SDarWmuZgqni
uowK/Jni8yIwLDDat03bwH2IUXByzvWKLxcdH5qSXHQBLIweQyh9VC2bmFtV
MmSm2386zYDRgfSSigli4rhUlOPJszM+TB6Wtzo+MNoeKsRRHquNKWYbMTHW
oPXV8bFdzorEgd2wtDF5jrbNGejSoLHECnne3snxETDiIlsYDAxGLHTUPMAm
1ii1HTC3T5Ki5C8JS4Th1RhbHkP20N2Z4OPy6N3f7rb7/fXnZD7X/yfM2uzt
SO2LZlcf93XsibefMLDfrFnn0bD8ZX/oXwJg7w4bYm0zAe6fdwdB4777pedg
ffQcNJo1f7zHX8MNgMIIc68y0ffbNL2o7fr58cfeZPzjugGLRhj//OdTL0L5
4W47GP6KOPTuZcmbAFU244gnm757aGHy6SPa3bRsFVH/w+p8FHp3XmxqazX9
o9P6w+s2BmfP7EOwWr66R9SPn7BPzz7gn67zptbyswLmV6fTxn7xYfPHmP/H
sPnPDpt/2MRfgBvBRgdrQMMBZLzVhWqyZoK5yXY0yYrToNNVME0npmqWAjAw
lzbjPiDwi8SfDncHnS+VErsC9KyzlOMYWCiSIlDD3c098wBpwDDFUdIvAD/t
J2B0Vl9Lx79QG4hrAWvhCqMKM5Xy66wTAKNMFLJVfdEBqjnlFWAwJUYlHmQu
TERXGXod3V8kbP52QpUqBd2ANXhxDJgpE6AJslZwUMCnPgfOKMlL4qpEFpIB
i/CFvPAqKFwkLxOq9/2Wv2YKALiOtZFKN1lGCWlFR2Bc+w5sq2YRYo5eU+Z4
oQIxCbbdU+CGandeZFsUBKx0GhQGTtWUZQECwDNDxEJI0g6XFRgW2gRiUqwF
3E1OOwckUbjzxuq/RArABZEydKKWAYCqxVYQNyqdKBMIIsWs5Kh9bCjqnBMV
iTDVFMobUeDSyYsoaxGXReo9v+WveuaYZplhbqiSquSg0tJaqgWZqqG6m2Or
UlOOraD1pfPgwBgjkHtVQK6g9JQWS4iUQ+WJpr8vVIjwsh2IVaBVMaqubfQn
vesYiNDID7ZYBRzkFCyf43dNuxAM6DwwKLS3ZRcLC0SwTtpJgXuhF2kLU9SU
DiNtNCLIoeyVbeXaHWYrGpYBdiH/JoXoeWGXCgvQSqUdGOTwox1etIWDc6qx
AAbHRzhdUNGikCsdkIoeVJO8Ai/PlExvPWcXWD3GRIP9Q6OBUogYq4G5SmA+
rbqSGbm4JkNteUoAAT2B6bHS6+SjySoZMKMLrN5CCzKlrQmC07GuKlAycRYk
dBI6sssHywk8S1ReQXA9mC6jsxqhofCBVcd9X+s/zPGnf9gCca9HaHT78m57
S5rhWFzg7nAd6ZIHpQUeLytw14HcIsDV7h6KBUK3P+zuE11E1QVoVG/z5ofr
6S2UM5vmVsTXx388bc8/psPmzXPQkNXd4dv+t05O+sv6J2t8R7Bv0BbCeKMd
36bDD3Ne66rpv/WUUNvLGRybSSC/3Kbd6zv09rqF9OhGys3d3h/u7okFUDy0
0ZXn95v9CwoCd39nh6ktvLvGk6gZrza70njC7RaPzdeH7TX+WD0IMW8Of78Y
iO/DzT0+HBUSemDxVXhNkVFAK4qc3q42L+86dG1YGmN3aKHf9pfRrxtgnZvp
MeBI621d/fjjPMP9a4oJh9vFSKGd4A37ifxhrI7cax3wuNW+V1gYQ9yw9YDR
61APIzX4BHqPr/dgOJ8T6u7MbRGaXQC4q5Nbe+Magm351Hf38QaDjvd2BXvd
Q+3tgRMpncYvvYD0HIPU47GrCZ6iK3H7/TRYffLwTprj9oA1hXoz5ua2DWyX
KkrG/rpd2gpQ5F14RQ07nIlRb3bcHkZf9+u4GfJ3lOlP/qnc3KCH33z+7J//
yye9HfuylIOx5mgG73Z0Fw336kDMfVpL61lG6SpysxNJn9p0lDk8dnd3vx8c
89IRyVdzqjxrCmAavBnbdzIc2ot+/LFLxPVhBxv05z9/NkjosaePoQvljDYJ
P1UkwWYTy1cnM/EQlNTHf46q4XELZ6jQryLQyWjrBNSxZFTPGfhT9s3odNKj
rm3fdoYFpFo/lY6dBSdxOoOX8NVQMW8wPgyqONCZEZqRr4kIAB20qgE0gNcG
A3DaECxktEfY5wIzIWzb2W2UriGE1XEh0jv0+cEkjIUjHNFCW5GtkTMgeYhw
AQDOG9b9kGetO29Yd9w92ro3IkbYHsAtDBw4k4u0Fy4art1yB/LlTcdH2eOX
Za95Z7r0Tc6l04euuq6B9Xmkbs7sSjr1V+H5/Gr9/Wa/Id3eVhxdggWeJ603
Kbw52QUT9iHI/YOtOMShePSAysJlVjPP4C+pErEKZbjZK6YZqK95LwGjKW1d
ChmAOKpMduyFKlonrJcMoMQ8F5IDUjEP3EF4zouR4UZF55TJALJV1ZAglRS5
NAWXZLDgsxV03tqQDYBOpaLfrBQItZKeRwKmhRs+Aj94lqENaeCQETguYl0D
2oM8Q3SFEaOyJSQYjI1XGen4ajrVKHug4YqFULTsYBPou2raumkAkqVIlSdg
cZu9NSDn4Juna9G5/9hapP6w8y4Ohnnaz/Mu9tae9fO8i73fZ/087+IUe3mk
n29c1TlmTHWMpnJFBJOCc2joAl9+WZ4DH3xf1t8A1f4L4EJdeJ8J6X7fPrve
lX/Dp2fO51xeNssZDlOe1rTziFbR8x1lUzXYg7X6O9qO9N3w9r7YNtc0zHQP
XNG9b9hv9XjOVG/AqiW23WzuJsyzw0PbAMwKpmfnDSfjSWmrmxK+p81b1J6T
HVPHslTr5ajMiWtnXW0AcnRgdQeYQR2YOoLn7UmD9QZcT17Oa1pJ0GFP1yPj
bd6gdbrrq307Bgu/zzBpkUR30vSjH381eo5Pr9YRaunstkGUTraTdV/2fu7R
6hBe3hV6Ct49qduOIBtiCreH68PmZcc9YbfZA2aOcaftdavHWhmeQ8PuD8vJ
6ZDtWFCshs3NvsGw1cnwwwrcUv4gCSLgOYAxurUr35dwQ/PY0yNfhJs6OtIm
8NmKmnr/Etj29//jmz+uD7sS6O2NLBx2rwkXlx/u8Mgh4g2QtUu//OqPNDzl
DuJ8WBF+pqZujp2ZvP7TKD1bitc3U4//iHn5cks7F+dJ7svvm+39jvJEf6bw
//1qWvbtAa0RP2ExzHefLAoa1hPxbiT3ptTDSbW2STDeHmAM6r3vgpg13V9m
N8Tcr7eGGSX7xeyK+Cn66zHd1TRsX96N61IW8vYGiuiN6xica1IOK1IOn3WO
9tM0z3jkiQKald9C2zRV8dlZN/dQsk+HnpgMHR0mBtkdbwD3qwfwz5sbsOPb
61R3z693AFXXjA0DN3O0zb7R5N3LZiW7HYM6eYkG/Ps0kvexdZesaF8i+9Xc
ETySdBQA6fYWDb1ulPHp/BXs5/YGa26TQGOffX79Pcc0bOsGKjaWRFnPdD2G
u4VKRmQQb86nro++bF9t17cN4o5H7DtBvf76X/HcFcXa7lview9j9q++olc+
6VuoCUoQrD5xANA8DwX+7Ya0xpMT6Qn3+GfLlW4WqwVY66bs+jvybtvnGk9r
Tour00AcDW9Y321fQXWRkkIPyFdwIOMM4VLMTyTquLu5YpzJAT5cGH3om48D
s4sZI/G4wTAdx6sHyRvRxl93Gyjxf2834DE34TWZEZjo9sDr0wcSzWiT1kb6
fkf55neYrz6BNGPE7l9u2tzjGSRE87YCGuBTR9q6k58dWax/b+upbUWnZr7a
7r5rd07dXIZ9G4TAkxKMID2fIp7NZfAKzSmJBpxi5NThQ7l53Zv8+AzhQdPc
XZ9809AIieTsp1l1yxLpVWOn+bxgw7451poyuN7GZjgnpPdH6mMu+81z8snR
hN9jEe9LpuxCupcI2X0DhxgJLOOn+KjnMIUMuLkPMMsp3HalESF+FHuOmLnv
H1UbpVUVbc6iQJTuGgsY37b0/UmXQQKm0d8fNjc36wZrN31kZ+fmNDJtIoa2
oSGZPqd2dEV1uz3t+xHvTopx7GLYT06qViygMU88ZSC7x2LfNBgnmO73z367
P92yv1o/LNIaTndTXNGt11NOZzOhL7A4OzQ8u3109OifG4p8v15awT/96QQT
NBn7182u71oJByoim/GQLUZi/3QOyFPTRkB9klhx3UHJ7559+ayFN+bbHj6T
vIfDn1x2ffcFTSb5FNvum1dUZmHzA9o828+HD6HEgeEB3mPZPT2vpNtcmVOZ
XLp7yjQAquwvX3wAZHs7u5sP20O4OS7ZqVQvekXvnrIVNt+97J7o5k8lJ2qg
LSdl8kT05TotiXAbbl7vN3uyYNvd83DbtD1kO5KFphSMw+trSDf5evOUTrPN
r2mdHRoRG1dtSP+HPYxVc/XvqWDF/7rHwDR/bm/1IqNjfUN6DMM3yWvuSgtX
NqfzuAMPp0TD1y/jdjioN6TXFovoeOfkoJ72NlG0gW7v9+WClbTrfQs93+AO
vcXI3gWCsgASQCRNp02283fzKlt25SmgKamybTeM0La3qfu8aUnMkxVa1HQY
cnw1IgXLR12tb7+FxmjJQ7gjbyBpNzBOeaYb00FDDzXr1fHzrltGG9qWp/YG
PAWXr/HIoxHsBJGGI3wPLEPW+WqReTHl1lDzJ6M4hxDJlj4o+bEAR7jphKbN
8OO6XQSt9YgNxdLNpKhPrntyhBH00pM9cZjiG2h6/LObUmjO275SAvUVGj6/
vo73m5tMnevzDJ3eB6cp5Od42B53755Pvvxrol17LJKmXPfr0Q7CQMdtdmvY
9pDDIdBOs9eAL7fl/gAL3br5xxHBue5KoIci5jEaWLAFEdrgg3ne4E1tMNoc
78rzcktrgwQK7Hv4HYcrvvkkj5/OMOHLWbwOm+cvoKswDANyngV9gAhzabsE
50S5aWBHuGbssEPbwXBhEE9yrdpKXGTOkDKky0giZtF6eyYe5m0JAefIGR4x
s99pJ143z+jP/Gw8dwKZ3VgSr37ZMMPRh4pW3d8OQ9tN/4TNbml2Yc02N528
NsMVaF3M2xR7uGyq1DOW69z0IfZH3D8pkC76ierc7GdPxGJpThyF9O/J6jh9
QMdbx2+nGf5D50ihR4qOdIWQ+nFOTwKgPWbXA/kzFPyv+5MYX4hkjAnd5H8D
SuhbKc8jU4S9H4/EXg3+1idkuNVete2bR23Y5GvSh/v7XcWLFrB6AGGykNNG
VCy8sIPofUkrr6v8vk+zLzFySo0F8OaheBgSGxG5paS8MfTc5Ow8rt1llwBz
kzcKm16P1pcfAgnYHPWbi+eTBcezpn9fA5NMgnS22h8tsz9ilVMXsMjTi+E7
XJNzrjVkftkEFZqXKW8BtRpqGUh9P0aPRH57s33+ustLS4ClOUEnsED2w3Z0
Fd0CgvQxqWaiHYQh5xsOL3bb++dkn5ZFqdo9YQctslt/Mphfu/cTGvoXu0Cu
vCnC3dbr/v45RSP2jYfNvGZqA90KVfv7/qRhezYvpycTGAPATLtNHHHvmQNN
gvlfO8onQdzsMbA3gPZtMJ4dKMPlvtufMRi77YARa7CeTGSjk5H9cqj69M10
4nbbaSAWz3//3/9vxLSGNZAmbAINTF9hJDetR/v1f//nrz4nLNalkR59fXz0
iRg2BxpUMd18XDLHidqXaYUODNadkYspollo2O/kuRMTbKPwxc02AiIBsm3T
prWVrNvT9ReDJUMMR+2xdYs0DZZ5CLvD57dp/UVjJ0MTjLkj4/wqvN6PFU7Z
4Mfo1+HkPIgz80N5zrTNiVI7gNQCKEp3fkymZrho8OHnZJ9WJwmjXc0OO3sc
sEcsaSOIi/X3GWHJ59fHZ01p739e321ue0dGezrv6blwva1fkEd2/Sx9B2G8
KbmZqv3qx6e39y8juZF+80kNN/vySU+NWXfQSDN7+91+/ew27/73/7efJecK
IGIL5rT+Goyq3FJs/mr9Bb7ZQiV+fQ8Mc7X6GrMcdnn9D2F3Sx3944tNbE37
fbm/xZSDfJTb29frPwRKzCCT8dsXO2Knjdvj0wM+az625efPPlv/63abJy22
2TUPUnm179DwCN9pGd3vSQIhQf8/nPaIC93/AwA=

-->

</rfc>
