<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-vos-cfrg-pqpake-02" category="info" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Hybrid PQ-PAKE">Hybrid Post-Quantum Password Authenticated Key Exchange</title>
    <seriesInfo name="Internet-Draft" value="draft-vos-cfrg-pqpake-02"/>
    <author initials="J." surname="Vos" fullname="Jelle Vos">
      <organization>Apple, Inc.</organization>
      <address>
        <email>jelle_v_vos@apple.com</email>
      </address>
    </author>
    <author initials="S." surname="Jarecki" fullname="Stanislaw Jarecki">
      <organization>University of California, Irvine</organization>
      <address>
        <email>sjarecki@ics.uci.edu</email>
      </address>
    </author>
    <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
      <organization>Apple, Inc.</organization>
      <address>
        <email>caw@heapingbits.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <abstract>
      <?line 124?>

<t>This document describes the CPaceOQUAKE+ protocol, a hybrid asymmetric
password-authenticated key exchange (aPAKE) that supports mutual
authentication in a client-server setting secure against
quantum-capable attackers. CPaceOQUAKE+ is composed of two stages
— CPace and OQUAKE+ — that run sequentially,
with the output of CPace feeding as the secret_context into OQUAKE+. OQUAKE+ is an
augmented variant of OQUAKE that adds password confirmation.
This document also describes standalone OQUAKE+, a post-quantum aPAKE,
and CPaceOQUAKE, the hybrid symmetric PAKE composed of the CPace and OQUAKE stages.
This document recommends configurations for CPaceOQUAKE+.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://example.com/LATEST"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-vos-cfrg-pqpake/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        CFRG Crypto Forum Research Group mailing list (<eref target="mailto:WG@example.com"/>),
        which is archived at <eref target="https://example.com/WG"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/USER/REPO"/>.</t>
    </note>
  </front>
  <middle>
    <?line 137?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Asymmetric (or Augmented) Password Authenticated Key Exchange (aPAKE)
protocols are designed to provide password authentication and
mutually authenticated key exchange in a client-server setting without
relying on a public key infrastructure (PKI) and without
disclosing passwords to servers or other entities other than the client
machine. The only stage where PKI is required is during a client's registration.</t>
      <t>In the asymmetric PAKE setting, the client first registers a password
verifier with the server. A verifier is a value that is derived from the
password and which the server will later use to verify the client
knowledge of the password. After registration, the client uses its password
and the server uses the corresponding verifier to establish an authenticated
shared secret such that the server learns nothing of the client's password.</t>
      <t>OPAQUE-3DH <xref target="OPAQUE"/> and SPAKE2+ <xref target="SPAKE2PLUS"/>
are two examples of specified aPAKE protocols. These protocols provide
security in classical threat models. However, in the presence
of a quantum-capable attacker, both OPAQUE and SPAKE2+ fail to provide the
desired level of security. Both protocols are vulnerable to a Harvest Now, Decrypt
Later (HNDL) attack executed by a quantum-capable attacker, in which the attacker learns the shared secret and uses it
to compromise application traffic. For a password-authenticated protocol, this HNDL threat is
more severe than for plain (unauthenticated) key exchange: breaking underlying classical
assumption of a PAKE that is not unconditionally password hiding does not merely
disclose the traffic of one harvested session, but can retroactively recover the password itself
from the harvested transcript. Since passwords are long-lived credentials, this grants a
quantum-capable attacker indefinite impersonation capability rather than a one-time confidentiality
loss; see <xref target="retroactive-recovery"/> for a detailed treatment of this attack.
Upgrading both protocols to provide post-quantum security is non-trivial, especially as
there are no known efficient constructions for certain building blocks used in these
protocols (such as the OPRF used in OPAQUE-3DH). As the threat of quantum-capable
attackers looms, the viability of existing aPAKE protocols in practice diminishes in time.</t>
      <t>This document describes the CPaceOQUAKE+ protocol, an aPAKE that supports mutual
authentication in a client-server setting secure against
quantum-capable attackers. CPaceOQUAKE+ is composed of two stages
that run sequentially: CPace and OQUAKE+.
The design securely composes multiple existing primitives <xref target="VJWYMS25"/>.</t>
      <t>This document fully specifies CPaceOQUAKE+ and all dependencies necessary
to implement it. <xref target="configurations"/> provides recommended configurations.</t>
    </section>
    <section anchor="use-cases">
      <name>Use Cases</name>
      <t>PAKE deployments vary along two largely independent dimensions: how long a password is used
for, and what role the PAKE plays in the surrounding protocol. A password can be an ephemeral,
high-entropy, one-time secret (e.g., a pairing code shown on a screen), or a long-lived,
human-memorable credential that is reused across many protocol runs. Independently, the PAKE can
be the mechanism that establishes the resulting secure channel, or it can run over a channel that
is already secure for other reasons, in which case the PAKE serves only to confirm knowledge of
the password over that channel. Crossing these two dimensions gives four cases, which helps
clarify which deployments motivate a post-quantum aPAKE such as CPaceOQUAKE+, and which do not.</t>
      <ol spacing="normal" type="1"><li>
          <t>Device pairing (ephemeral password; PAKE establishes the channel). Two devices bootstrap a
secure channel using a short-lived, high-entropy, one-time password or PIN, e.g., displayed on
one device and typed into the other. A quantum-capable attacker is only relevant here if a
post-quantum threat model is assumed at all, and even then this is a comparatively weak
motivating example for a PQ-PAKE: because the password is used exactly once, retroactively
recovering it (see <xref target="retroactive-recovery"/>) has little value to an attacker, as there is no
future session to impersonate. HNDL against the resulting channel's <em>traffic</em> remains a
legitimate concern, but that concern is the same one that motivates post-quantum key exchange
generally and is not specific to the PAKE.</t>
        </li>
        <li>
          <t>Password confirmation over an already-secure channel (long-lived password; PAKE does not
establish the channel). The channel's confidentiality and post-quantum security come from
elsewhere, e.g., a hybrid KEM used in the surrounding transport protocol, and the PAKE is used
only to bind knowledge of a long-lived password to that channel. The full machinery of a
PQ aPAKE is not required to realize this case in isolation. Notably, this document's own
OQUAKE+ design internally contains a version of this case: the password-confirmation (PC)
sub-stage described in <xref target="oquakeplus-finish"/> confirms the password over a channel already
established by the preceding KEM-based exchange, layered on top of case 3 below.</t>
        </li>
        <li>
          <t>Long-lived-password pairing (long-lived password; PAKE establishes the channel). This is
the classic aPAKE deployment, e.g., a client authenticating to a server with an account
password. It is also the case where retroactive password recovery is most damaging: because the
password is reused indefinitely, recovering it does not merely disclose one harvested session's
traffic, it lets the attacker impersonate the client in every future session until the password
is changed. This is the primary use case targeted by CPaceOQUAKE+.</t>
        </li>
        <li>
          <t>Degenerate case (ephemeral password; PAKE does not establish the channel). Included only
for completeness of the taxonomy above; it is not a realistic deployment, since there is little
reason to spend a one-time password confirming a channel that the password neither secures nor
will be reused for.</t>
        </li>
      </ol>
      <t>A PQ PAKE -- and a hybrid PQ PAKE in particular -- helps address cases 1 and 3, closing
the gap on this protocol needed for such use cases in practice.</t>
    </section>
    <section anchor="related-work">
      <name>Related Work</name>
      <t>This section relates CPaceOQUAKE+ to existing standardized PAKEs and to the broader post-quantum
PAKE research literature, and addresses why this problem is not already solved, why it remains an
active research problem, and why the state of the art is nonetheless mature enough for CFRG to
engage with it.</t>
      <section anchor="existing-solutions-and-their-gaps">
        <name>Existing Solutions and Their Gaps</name>
        <t>OPAQUE-3DH and SPAKE2+ are standardized aPAKEs, and CPace <xref target="CPACE"/> is an
emerging symmetric PAKE, but all three are purely classical constructions: none provide
security against a quantum-capable attacker. NIST's post-quantum cryptography standardization
effort has, to date, produced key encapsulation mechanisms <xref target="FIPS203"/> and signature schemes, but
no PAKE. A seemingly obvious fix is to run an existing classical PAKE inside, or alongside, a
post-quantum or hybrid KEM already deployed at the transport layer (e.g., hybrid key exchange in
TLS 1.3). This does not solve the PAKE-specific problem: it protects the resulting session key
against a future quantum-capable attacker, but does nothing for the classical PAKE's own handshake
transcript. If that classical PAKE's underlying hard problem is later broken, the <em>password</em>
itself becomes retroactively recoverable from the harvested transcript, as detailed in
<xref target="retroactive-recovery"/>, independent of whatever post-quantum protection was applied to the
surrounding transport. This is the concrete gap that simply layering a post-quantum KEM around an
existing classical PAKE does not close, and it is the gap this document addresses directly.</t>
      </section>
      <section anchor="ongoing-research">
        <name>Ongoing Research</name>
        <t>[[EDITOR'S NOTE: remove in the final version of this document]]</t>
        <t>The compiler techniques underlying this document's design are recent and remain under active
development. The KEM-to-PAKE compiler underlying OQUAKE <xref target="ABJ25"/>, the timing side-channel fix
required to use it safely with ML-KEM <xref target="TEMPO"/>, the PAKE combiners used to hybridize it with
CPace <xref target="HR24"/><xref target="LL24"/>, and closely related asymmetric PAKE compilers <xref target="Gu24"/><xref target="LLH24"/> were all
published in 2024 and 2025. The security analysis backing this document's specific composition
<xref target="VJWYMS25"/> is similarly new. Concretely, <xref target="TEMPO"/> identifies and fixes a timing side channel in
OQUAKE's ML-KEM key-generation step (see <xref target="timing-and-tempo"/>) that was only discovered in 2025,
after OQUAKE's core compiler had already been analyzed, illustrating that this design space is
still being hardened rather than settled. Likewise, this document currently carries an open issue
regarding whether OQUAKE's proof of security extends to the UC bare PAKE model without requiring
party or session identifiers (see <xref target="symmetric-identities"/>); this extension is believed to hold on
the basis of the existing NoIC/OQUAKE analysis in <xref target="ABJ25"/> but has not yet been published. Finally,
no single compiler approach
has yet converged as the preferred solution across the range of use cases in <xref target="use-cases"/>: designs
optimized for case 3 (this document's target) make different tradeoffs than designs optimized for,
e.g., case 1 or case 2.</t>
      </section>
      <section anchor="readiness-for-cfrg-engagement">
        <name>Readiness for CFRG Engagement</name>
        <t>[[EDITOR'S NOTE: remove in the final version of this document]]</t>
        <t>Despite being new, the core sequential-composition design in this document has already been
independently analyzed by at least three different groups (see <xref target="hybrid-design"/>), which
substantially increases confidence in the design beyond what a single analysis would provide.
This document's source also includes concrete test vectors for each protocol it specifies, to
support independent implementation and verification. The remaining gaps identified above, most
notably the unpublished bare-PAKE proof
extension and the open question of identity requirements, are well-scoped and do not call the core
design into question; they are the kind of item best resolved through the scrutiny that CFRG
engagement itself provides, rather than a prerequisite to starting that engagement.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<section anchor="notation-and-terminology">
        <name>Notation and Terminology</name>
        <t>The following functions and operators are used throughout the document.</t>
        <ul spacing="normal">
          <li>
            <t>The function <tt>random(n)</tt> generates a cryptographically secure pseudorandom
byte string of length <tt>n</tt> bytes.</t>
          </li>
          <li>
            <t>The associative binary operator <tt>||</tt> denotes concatenation of two byte strings.</t>
          </li>
          <li>
            <t>The binary function <tt>XOR(a, b)</tt> denotes an element-wise XOR operation between
two byte strings <tt>a</tt> and <tt>b</tt> of the same length.</t>
          </li>
          <li>
            <t>The functions <tt>bytes_to_int</tt> and <tt>int_to_bytes</tt> convert
byte strings to and from non-negative integers. bytes_to_int and int_to_bytes
are implemented as OS2IP and I2OSP as described in <xref target="RFC8017"/>, respectively.</t>
          </li>
          <li>
            <t>The function <tt>lv_encode</tt> encodes a byte string with a two-byte, big-endian
length prefix. For example, lv_enode((0x00, 0x01, 0x02)) = (0x00, 0x03, 0x00, 0x01, 0x02).
The function <tt>lv_decode</tt> parses a byte string that is expected to be encoded
with a two-byte length preceding the remaining bytes, e.g.,
<tt>lv_decode((0x00, 0x03, 0x00, 0x01, 0x02)) = (0x00, 0x01, 0x02)</tt>. Note that <tt>lv_decode</tt>
can fail when the length of the actual bytes does not match that encoded in the
prefix. For example, <tt>lv_decode((0xFF, 0xFF, 0x00))</tt> will fail.</t>
          </li>
          <li>
            <t>The notation <tt>bytes[l..h]</tt> refers to the slice of byte array <tt>bytes</tt> starting
at index <tt>l</tt> and ending at index <tt>h-1</tt>. For example, given <tt>bytes = (0x00, 0x01, 0x02)</tt>, then <tt>bytes[0..1] = 0x00</tt> and <tt>bytes[0..3] = (0x00, 0x01, 0x02)</tt>. Similarly, the notation <tt>bytes[l..]</tt> refers to the slice of the byte
array <tt>bytes</tt> starting at <tt>l</tt> until the end of <tt>bytes</tt>, i.e.., <tt>bytes[l..] = bytes[l..len(bytes)]</tt>.</t>
          </li>
        </ul>
        <t>All algorithms and procedures described in this document are laid out
in a Python-like pseudocode. Each function takes a set of inputs and parameters
and produces a set of output values. Parameters become constant values once
the protocol variant and the configuration are fixed.</t>
      </section>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>This document aims to specify two protocols: a symmetric and an asymmetric hybrid PAKE.
In the symmetric PAKE setting, the client and server share a password and use it to
establish an authenticated shared secret. In the asymmetric PAKE setting, the client first
registers a password verifier with the server. A verifier is a value that is derived
from the password and which the client will later use to demonstrate knowledge of the password.
After registration, the client uses its password and the server uses the corresponding
verifier to establish an authenticated shared secret such that the server learns nothing
of the client's password.</t>
      <t>The protocols specified in this document are built from two stages:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>CPace</strong> <xref target="CPACE"/>: A classical elliptic curve-based symmetric PAKE.</t>
        </li>
        <li>
          <t><strong>OQUAKE</strong>: A new post-quantum symmetric PAKE built from a BUA-sKEM; see <xref target="quake"/>.</t>
        </li>
      </ol>
      <t>An abstract overview of CPaceOQUAKE is shown in the figure below.</t>
      <artset>
        <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="376" viewBox="0 0 376 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
            <path d="M 104,48 L 104,96" fill="none" stroke="black"/>
            <path d="M 152,64 L 152,112" fill="none" stroke="black"/>
            <path d="M 152,176 L 152,224" fill="none" stroke="black"/>
            <path d="M 168,232 L 168,272" fill="none" stroke="black"/>
            <path d="M 192,160 L 192,176" fill="none" stroke="black"/>
            <path d="M 224,232 L 224,272" fill="none" stroke="black"/>
            <path d="M 240,64 L 240,112" fill="none" stroke="black"/>
            <path d="M 240,176 L 240,224" fill="none" stroke="black"/>
            <path d="M 296,48 L 296,96" fill="none" stroke="black"/>
            <path d="M 152,64 L 240,64" fill="none" stroke="black"/>
            <path d="M 64,96 L 144,96" fill="none" stroke="black"/>
            <path d="M 248,96 L 336,96" fill="none" stroke="black"/>
            <path d="M 152,112 L 240,112" fill="none" stroke="black"/>
            <path d="M 152,176 L 184,176" fill="none" stroke="black"/>
            <path d="M 200,176 L 240,176" fill="none" stroke="black"/>
            <path d="M 152,224 L 240,224" fill="none" stroke="black"/>
            <path d="M 96,272 L 168,272" fill="none" stroke="black"/>
            <path d="M 224,272 L 280,272" fill="none" stroke="black"/>
            <polygon class="arrowhead" points="312,96 300,90.4 300,101.6" fill="black" transform="rotate(180,304,96)"/>
            <polygon class="arrowhead" points="288,272 276,266.4 276,277.6" fill="black" transform="rotate(0,280,272)"/>
            <polygon class="arrowhead" points="256,96 244,90.4 244,101.6" fill="black" transform="rotate(180,248,96)"/>
            <polygon class="arrowhead" points="200,176 188,170.4 188,181.6" fill="black" transform="rotate(90,192,176)"/>
            <polygon class="arrowhead" points="152,96 140,90.4 140,101.6" fill="black" transform="rotate(0,144,96)"/>
            <polygon class="arrowhead" points="104,272 92,266.4 92,277.6" fill="black" transform="rotate(180,96,272)"/>
            <polygon class="arrowhead" points="104,96 92,90.4 92,101.6" fill="black" transform="rotate(0,96,96)"/>
            <g class="text">
              <text x="108" y="36">Client</text>
              <text x="300" y="36">Server</text>
              <text x="192" y="84">CPace</text>
              <text x="40" y="100">PRS</text>
              <text x="188" y="100">(Stage</text>
              <text x="228" y="100">1)</text>
              <text x="360" y="100">PRS</text>
              <text x="192" y="132">|</text>
              <text x="192" y="148">SK1</text>
              <text x="196" y="196">OQUAKE</text>
              <text x="188" y="212">(Stage</text>
              <text x="228" y="212">2)</text>
              <text x="44" y="276">client_key</text>
              <text x="332" y="276">server_key</text>
            </g>
          </svg>
        </artwork>
        <artwork type="ascii-art"><![CDATA[
            Client                  Server
              |                       |
              |     +----------+      |
              |     |  CPace   |      |
     PRS ---->+---->| (Stage 1)|<-----+<---- PRS
                    +----------+
                         |
                        SK1
                         |
                    +----v-----+
                    |  OQUAKE  |
                    | (Stage 2)|
                    +----------+
                      |      |
                      |      |
  client_key <--------+      +------> server_key
]]></artwork>
      </artset>
      <t>Additionally, the document specifies <strong>OQUAKE+</strong>, an augmented variant of OQUAKE that
adds password confirmation to upgrade the symmetric PAKE to an asymmetric PAKE; see
<xref target="oquakeplus-stage"/>.</t>
      <t>These building blocks are composed into the following named protocols:</t>
      <ul spacing="normal">
        <li>
          <t><strong>CPaceOQUAKE</strong>: A hybrid symmetric PAKE combining CPace and OQUAKE.</t>
        </li>
        <li>
          <t><strong>OQUAKE+</strong>: A post-quantum aPAKE; see <xref target="oquakeplus-stage"/>.</t>
        </li>
        <li>
          <t><strong>CPaceOQUAKE+</strong>: A hybrid aPAKE combining CPace and OQUAKE+.</t>
        </li>
      </ul>
      <t>An abstract overview of CPaceOQUAKE+ is shown in the figure below.</t>
      <artset>
        <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="432" viewBox="0 0 432 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
            <path d="M 112,48 L 112,208" fill="none" stroke="black"/>
            <path d="M 160,64 L 160,112" fill="none" stroke="black"/>
            <path d="M 160,176 L 160,240" fill="none" stroke="black"/>
            <path d="M 176,248 L 176,288" fill="none" stroke="black"/>
            <path d="M 232,248 L 232,288" fill="none" stroke="black"/>
            <path d="M 248,64 L 248,112" fill="none" stroke="black"/>
            <path d="M 248,176 L 248,240" fill="none" stroke="black"/>
            <path d="M 304,48 L 304,208" fill="none" stroke="black"/>
            <path d="M 160,64 L 248,64" fill="none" stroke="black"/>
            <path d="M 72,96 L 152,96" fill="none" stroke="black"/>
            <path d="M 256,96 L 344,96" fill="none" stroke="black"/>
            <path d="M 160,112 L 248,112" fill="none" stroke="black"/>
            <path d="M 160,176 L 248,176" fill="none" stroke="black"/>
            <path d="M 72,208 L 152,208" fill="none" stroke="black"/>
            <path d="M 256,208 L 344,208" fill="none" stroke="black"/>
            <path d="M 160,240 L 248,240" fill="none" stroke="black"/>
            <path d="M 104,288 L 176,288" fill="none" stroke="black"/>
            <path d="M 232,288 L 288,288" fill="none" stroke="black"/>
            <polygon class="arrowhead" points="320,208 308,202.4 308,213.6" fill="black" transform="rotate(180,312,208)"/>
            <polygon class="arrowhead" points="320,96 308,90.4 308,101.6" fill="black" transform="rotate(180,312,96)"/>
            <polygon class="arrowhead" points="296,288 284,282.4 284,293.6" fill="black" transform="rotate(0,288,288)"/>
            <polygon class="arrowhead" points="264,208 252,202.4 252,213.6" fill="black" transform="rotate(180,256,208)"/>
            <polygon class="arrowhead" points="264,96 252,90.4 252,101.6" fill="black" transform="rotate(180,256,96)"/>
            <polygon class="arrowhead" points="160,208 148,202.4 148,213.6" fill="black" transform="rotate(0,152,208)"/>
            <polygon class="arrowhead" points="160,96 148,90.4 148,101.6" fill="black" transform="rotate(0,152,96)"/>
            <polygon class="arrowhead" points="112,288 100,282.4 100,293.6" fill="black" transform="rotate(180,104,288)"/>
            <polygon class="arrowhead" points="112,208 100,202.4 100,213.6" fill="black" transform="rotate(0,104,208)"/>
            <polygon class="arrowhead" points="112,96 100,90.4 100,101.6" fill="black" transform="rotate(0,104,96)"/>
            <g class="text">
              <text x="116" y="36">Client</text>
              <text x="308" y="36">Server</text>
              <text x="200" y="84">CPace</text>
              <text x="36" y="100">Verifier</text>
              <text x="196" y="100">(Stage</text>
              <text x="236" y="100">1)</text>
              <text x="388" y="100">Verifier</text>
              <text x="200" y="132">|</text>
              <text x="192" y="148">sec_ctx=SK1</text>
              <text x="200" y="164">|</text>
              <text x="200" y="196">OQUAKE+</text>
              <text x="36" y="212">Verifier</text>
              <text x="196" y="212">(Stage</text>
              <text x="236" y="212">2)</text>
              <text x="388" y="212">Verifier</text>
              <text x="44" y="228">seed</text>
              <text x="372" y="228">Public</text>
              <text x="416" y="228">key</text>
              <text x="52" y="292">client_key</text>
              <text x="340" y="292">server_key</text>
            </g>
          </svg>
        </artwork>
        <artwork type="ascii-art"><![CDATA[
            Client                  Server
              |                       |
              |     +----------+      |
              |     |  CPace   |      |
 Verifier---->+---->| (Stage 1)|<-----+<---- Verifier
              |     +----------+      |
              |          |            |
              |    sec_ctx=SK1        |
              |          |            |
              |     +----------+      |
              |     | OQUAKE+  |      |
 Verifier---->+---->| (Stage 2)|<-----+<---- Verifier
    seed            |          |            Public key
                    +----------+
                      |      |
                      |      |
  client_key <--------+      +------> server_key
]]></artwork>
      </artset>
      <t>We note that this standard only specifies the compositions listed above.
It is not necessarily true that one can securely compose all PAKEs this way.</t>
      <t>The rest of this document specifies CPaceOQUAKE+ and its dependencies. <xref target="CPaceOQUAKE"/>
specifies CPace and OQUAKE as individual stages and their composition into CPaceOQUAKE.
<xref target="CPaceOQUAKEplus"/> specifies OQUAKE+ and its composition with CPace into
CPaceOQUAKE+. Each of these pieces build upon the cryptographic dependencies
specified in <xref target="crypto-deps"/>.</t>
    </section>
    <section anchor="crypto-deps">
      <name>Cryptographic Dependencies</name>
      <t>The protocols in this document have four primary dependencies:</t>
      <ul spacing="normal">
        <li>
          <t>Key Encapsulation Mechanism (KEM); <xref target="deps-kem"/></t>
        </li>
        <li>
          <t>Splittable Binary Key Encapsulation Mechanism with specific uniformity properties (binary UPK-ANO-KEM, or BUA-sKEM); <xref target="deps-BUA-sKEM"/></t>
        </li>
        <li>
          <t>Key Derivation Function (KDF); <xref target="deps-symmetric"/></t>
        </li>
        <li>
          <t>Key Stretching Function (KSF); <xref target="deps-ksf"/></t>
        </li>
      </ul>
      <t><xref target="configurations"/> specifies different combinations of each of these dependencies
that are suitable for implementation.</t>
      <section anchor="deps-kem">
        <name>Key Encapsulation Mechanism</name>
        <t>A Key Encapsulation Mechanism (KEM) is an algorithm that is used for exchanging
a secret from one party to another. We require an IND-CCA-secure KEM with key
derivation from a seed. It consists of the following syntax.</t>
        <ul spacing="normal">
          <li>
            <t>DeriveKeyPair(seed): Deterministic algorithm to derive a key pair
<tt>(sk, pk)</tt> from the byte string <tt>seed</tt>, where <tt>seed</tt> <bcp14>MUST</bcp14> have <tt>Nseed</tt> bytes.</t>
          </li>
          <li>
            <t>Encaps(pk): Randomized algorithm to generate an ephemeral,
fixed-length symmetric key (the KEM shared secret) and
a fixed-length encapsulation of that key that can be decapsulated
by the holder of the secret key corresponding to <tt>pk</tt>. This function
can raise an <tt>EncapsError</tt> on encapsulation failure.</t>
          </li>
          <li>
            <t>Decaps(ct, sk): Deterministic algorithm using the secret key <tt>sk</tt>
to recover the ephemeral symmetric key (the KEM shared secret) from
its encapsulated representation <tt>ct</tt>. This function can raise a
<tt>DecapsError</tt> on decapsulation failure.</t>
          </li>
          <li>
            <t>Nseed: The length in bytes of the seed used to derive a key pair.</t>
          </li>
          <li>
            <t>Nct: The length in bytes of an encapsulated key produced by this KEM.</t>
          </li>
          <li>
            <t>Npk: The length in bytes of a public key for this KEM.</t>
          </li>
        </ul>
        <t>This specification uses X-Wing <xref target="XWING"/>.</t>
      </section>
      <section anchor="deps-BUA-sKEM">
        <name>Splittable binary UPK-ANO-KEM</name>
        <t>A binary UPK-ANO-KEM supports the same functions as defined above for
a KEM, and it must also be IND-CCA secure, but it must also achieve
two additional security properties. Namely, in addition to IND-CCA
security, a binary UPK-ANO-KEM requires that:</t>
        <ol spacing="normal" type="1"><li>
            <t>Public keys are indistinguishable from random strings of bytes (of
the same length), i.e. uniform public keys (UPK); and</t>
          </li>
          <li>
            <t>Ciphertexts are anonymous in the presence of chosen ciphertext
attack (ANO-CCA), i.e. anonymous ciphertexts (ANO).</t>
          </li>
        </ol>
        <t>These additional properties are crucial for the security of OQUAKE. In
other words, one <bcp14>MUST NOT</bcp14> use a KEM that has no uniform public keys
and/or no anonymous ciphertexts in place of a UPK-ANO-KEM.</t>
        <t>In this specification, we also require a third property: the KEM must be splittable. A splittable KEM (sKEM) implements the <tt>Split(pk) -&gt; (t, ⍴)</tt> function and its inverse, which takes a public key and splits it into a part <tt>⍴</tt> that is indepdendent of the KEM's secret key and can therefore be made public, and a part <tt>t</tt> that does depend on the secret key. This property allows parties to perform variable-time operations on <tt>⍴</tt> without revealing information about the secret key. We use N⍴ to denote the byte-length of ⍴ and Nt to denote the byte-length of t. We use <tt>Combine(t, ⍴) -&gt; pk</tt> to refer to the inverse operation of <tt>Split</tt>.</t>
        <t>In the remainder of this specification, we abbreviate 'splittable binary UPK-ANO-KEM' as BUA-sKEM.
This specification uses a variant of ML-KEM1024 <xref target="FIPS203"/>, which we therefore denote by ML-BUA-sKEM1024. It is specified in <xref target="ML-BUA-sKEM"/>.
This is instantiated with "KemeleonNR - ML-KEM1024" <xref target="KEMELEON"/>. Note that, while
Kemeleon provides uniform encoding for KEM ciphertexts and public keys, we only
require uniform enoding for public keys. Future specifications can replace ML-BUA-sKEM1024 with another splittable binary UPK-ANO-KEM that is more efficient if one becomes available.</t>
      </section>
      <section anchor="deps-symmetric">
        <name>Key Derivation Function</name>
        <t>A Key Derivation Function (KDF) is a function that takes some source of initial
keying material and uses it to derive one or more cryptographically strong keys.
This specification uses a KDF with the following API and parameters:</t>
        <ul spacing="normal">
          <li>
            <t>Extract(salt, ikm): Extract a pseudorandom key of fixed length <tt>Nx</tt> bytes from
input keying material <tt>ikm</tt> and an optional byte string <tt>salt</tt>.</t>
          </li>
          <li>
            <t>Expand(prk, info, L): Expand a pseudorandom key <tt>prk</tt> using the optional string <tt>info</tt>
into <tt>L</tt> bytes of output keying material.</t>
          </li>
          <li>
            <t>Nx: The output size of the <tt>Extract()</tt> function in bytes.</t>
          </li>
        </ul>
      </section>
      <section anchor="deps-ksf">
        <name>Key Stretching Function</name>
        <t>This specification makes use of a Key Stretching Function (KSF), which is a slow
and expensive cryptographic hash function with the following API:</t>
        <ul spacing="normal">
          <li>
            <t>Stretch(msg, salt, L): Apply a key stretching function to stretch the input <tt>msg</tt>
and salt <tt>salt</tt>, hardening it against offline dictionary attacks. This function also
needs to satisfy collision resistance. The output is a string of L bytes.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="ML-BUA-sKEM">
      <name>ML-BUA-sKEM: A BUA-sKEM around ML-KEM</name>
      <section anchor="splittable-ml-kem">
        <name>Splittable ML-KEM</name>
        <t>ML-KEM <xref target="FIPS203"/> is already specified in a way that allows one to separate out the part of the public key that does not depend on the secret key; this feature is also used in Kemeleon <xref target="KEMELEON"/>. The Split function is defined as follows for ML-KEM <xref target="TEMPO"/>. The part of the public key that does not depend on the secret key represents the final 32 bytes. For this reason, Nt = ML-KEM.Npk - 32 and N⍴ = 32.</t>
        <artwork><![CDATA[
ML-KEM.Split

Input:
- pk, an ML-KEM public key, a byte string of ML-KEM.Npk bytes

Output:
- t, part of the public key that depends on the secret key
- ⍴, part of the public key that does NOT depend on the secret key

def Split(pk):
  t = pk[0 : ML-KEM.Npk - 32]
  ⍴ = pk[ML-KEM.Npk - 32 : ML-KEM.Npk]
  return t, ⍴
]]></artwork>
        <t>For ML-KEM, the inverse of the split operation is concatenation.</t>
        <artwork><![CDATA[
ML-KEM.Combine

Input:
- t, part of the public key that depends on the secret key
- ⍴, part of the public key that does NOT depend on the secret key

Output:
- pk, an ML-KEM public key, a byte string of ML-KEM.Npk bytes

def Combine(t, ⍴):
  return t || ⍴
]]></artwork>
      </section>
      <section anchor="ml-bua-skem-key-derivation">
        <name>ML-BUA-sKEM Key Derivation</name>
        <t>The design of ML-BUA-sKEM is such that it does not change the internals of ML-KEM; it only uses the Split function. To ensure that the public key generated by ML-BUA-sKEM.DeriveKeyPair is binary and uniform, it uses Kemeleon <xref target="KEMELEON"/> to (re-)encode ML-KEM's public keys. In the PAKEs described in this specification, it is crucial that this happens in constant time. For this reason, ML-BUA-sKEM uses the non-rejection sampling variants of Kemeleon, as denoted by <tt>VectorEncodeNR</tt> and <tt>VectorDecodeNR</tt>. ML-BUA-sKEM is defined as follows.</t>
        <artwork><![CDATA[
ML-BUA-sKEM.DeriveKeyPair

Input:
- seed, a random byte string of ML-BUA-sKEM.Nseed bytes

Output:
- sk, a secret decapsulation key, a byte string
- upk, a uniform public key for encapsulation, a byte string

Parameter:
- Kemeleon.sec_param, a security parameter that tunes the bias of the produced upk

def DeriveKeyPair(seed):
  (sk, pk) = ML-KEM.DeriveKeyPair(seed)
  (t, ⍴) = ML-KEM.Split(pk)
  ut = VectorEncodeNR(t)
  upk = ut || ⍴
  return sk, upk
]]></artwork>
        <t>The uniform public keys produced by ML-BUA-sKEM are longer than those produced by ML-KEM. The final 32 bytes of the public key still represent the part that does not depend on the secret key.</t>
        <artwork><![CDATA[
ML-BUA-sKEM.Split

Input:
- upk, an ML-BUA-sKEM public key, a byte string of ML-BUA-sKEM.Npk bytes

Output:
- ut, part of the uniform public key that depends on the secret key
- ⍴, part of the uniform public key that does NOT depend on the secret key

def Split(upk):
  ut = upk[0 : ML-BUA-sKEM.Nt]
  ⍴ = upk[ML-BUA-sKEM.Nt : ML-BUA-sKEM.Npk]
  return ut, ⍴
]]></artwork>
        <t>For ML-BUA-sKEM, the inverse of the split operation is concatenation.</t>
        <artwork><![CDATA[
ML-BUA-sKEM.Combine

Input:
- ut, part of the uniform public key that depends on the secret key
- ⍴, part of the uniform public key that does NOT depend on the secret key

Output:
- upk, an ML-BUA-sKEM public key, a byte string of ML-BUA-sKEM.Npk bytes

def Combine(ut, ⍴):
  return ut || ⍴
]]></artwork>
      </section>
      <section anchor="ml-bua-skem-encapsulation-decapsulation">
        <name>ML-BUA-sKEM Encapsulation &amp; Decapsulation</name>
        <t>ML-BUA-sKEM encapsulation undoes the uniform encoding performed during key derivation before calling ML-KEM.Encaps on the non-uniform public key.</t>
        <artwork><![CDATA[
ML-BUA-sKEM.Encaps

Input:
- upk, an ML-BUA-sKEM public key

Output:
- k, a symmetric shared secret, a byte string
- ct, an anonymous ciphertext encapsulating k, a byte string

Parameter:
- Kemeleon.sec_param, a security parameter that tunes the bias of the consumed upk

def Encaps(upk):
  (ut, ⍴) = ML-BUA-sKEM.Split(upk)
  t = VectorDecodeNR(ut)
  pk = ML-KEM.Combine(t, ⍴)
  return ML-KEM.Encaps(pk)
]]></artwork>
        <t>The decapsulation procedure for ML-BUA-sKEM is exactly the same as for ML-KEM.</t>
        <artwork><![CDATA[
ML-BUA-sKEM.Decaps

Input:
- ct, an anonymous ciphertext encapsulating k, a byte string
- sk, a secret decapsulation key, a byte string

Output:
- k, a symmetric shared secret, a byte string

def Decaps(ct, sk):
  return ML-KEM.Decaps(ct, sk)
]]></artwork>
      </section>
    </section>
    <section anchor="CPaceOQUAKE">
      <name>CPaceOQUAKE Protocol</name>
      <t>The hybrid, symmetric PAKE protocol, denoted CPaceOQUAKE consists of CPace <xref target="CPACE"/>
combined with OQUAKE <xref target="ABJ25"/>. OQUAKE is a PAKE built from a BUA-sKEM and KDF, using a
2-rounds of Feistel network to password-encrypt the BUA-sKEM public key.
The OQUAKE protocol is based on the "NoIC" protocol analyzed in <xref target="ABJ25"/>.</t>
      <t>The CPaceOQUAKE protocol is based on the `Sequential PAKE Combiner' protocol proposed by
<xref target="HR24"/>. A very close variant of this protocol was also analyzed in <xref target="LL24"/>.</t>
      <t>At a high level, CPaceOQUAKE is a four-message protocol that runs between client and server
wherein, upon completion, both parties share the same session key if they agree
on the password-related string (PRS). Otherwise, they obtain random session keys.
This is summarized in the diagram below.</t>
      <artset>
        <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="376" viewBox="0 0 376 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
            <path d="M 104,48 L 104,96" fill="none" stroke="black"/>
            <path d="M 152,64 L 152,112" fill="none" stroke="black"/>
            <path d="M 152,176 L 152,224" fill="none" stroke="black"/>
            <path d="M 168,232 L 168,272" fill="none" stroke="black"/>
            <path d="M 192,160 L 192,176" fill="none" stroke="black"/>
            <path d="M 224,232 L 224,272" fill="none" stroke="black"/>
            <path d="M 240,64 L 240,112" fill="none" stroke="black"/>
            <path d="M 240,176 L 240,224" fill="none" stroke="black"/>
            <path d="M 296,48 L 296,96" fill="none" stroke="black"/>
            <path d="M 152,64 L 240,64" fill="none" stroke="black"/>
            <path d="M 64,96 L 144,96" fill="none" stroke="black"/>
            <path d="M 248,96 L 336,96" fill="none" stroke="black"/>
            <path d="M 152,112 L 240,112" fill="none" stroke="black"/>
            <path d="M 152,176 L 184,176" fill="none" stroke="black"/>
            <path d="M 200,176 L 240,176" fill="none" stroke="black"/>
            <path d="M 152,224 L 240,224" fill="none" stroke="black"/>
            <path d="M 96,272 L 168,272" fill="none" stroke="black"/>
            <path d="M 224,272 L 280,272" fill="none" stroke="black"/>
            <polygon class="arrowhead" points="312,96 300,90.4 300,101.6" fill="black" transform="rotate(180,304,96)"/>
            <polygon class="arrowhead" points="288,272 276,266.4 276,277.6" fill="black" transform="rotate(0,280,272)"/>
            <polygon class="arrowhead" points="256,96 244,90.4 244,101.6" fill="black" transform="rotate(180,248,96)"/>
            <polygon class="arrowhead" points="200,176 188,170.4 188,181.6" fill="black" transform="rotate(90,192,176)"/>
            <polygon class="arrowhead" points="152,96 140,90.4 140,101.6" fill="black" transform="rotate(0,144,96)"/>
            <polygon class="arrowhead" points="104,272 92,266.4 92,277.6" fill="black" transform="rotate(180,96,272)"/>
            <polygon class="arrowhead" points="104,96 92,90.4 92,101.6" fill="black" transform="rotate(0,96,96)"/>
            <g class="text">
              <text x="108" y="36">Client</text>
              <text x="300" y="36">Server</text>
              <text x="192" y="84">CPace</text>
              <text x="40" y="100">PRS</text>
              <text x="188" y="100">(Stage</text>
              <text x="228" y="100">1)</text>
              <text x="360" y="100">PRS</text>
              <text x="192" y="132">|</text>
              <text x="192" y="148">SK1</text>
              <text x="196" y="196">OQUAKE</text>
              <text x="188" y="212">(Stage</text>
              <text x="228" y="212">2)</text>
              <text x="44" y="276">client_key</text>
              <text x="332" y="276">server_key</text>
            </g>
          </svg>
        </artwork>
        <artwork type="ascii-art"><![CDATA[
            Client                  Server
              |                       |
              |     +----------+      |
              |     |  CPace   |      |
     PRS ---->+---->| (Stage 1)|<-----+<---- PRS
                    +----------+
                         |
                        SK1
                         |
                    +----v-----+
                    |  OQUAKE  |
                    | (Stage 2)|
                    +----------+
                      |      |
                      |      |
  client_key <--------+      +------> server_key
]]></artwork>
      </artset>
      <t>CPaceOQUAKE composes CPace and OQUAKE by first running CPace to completion
between client and server, and then running OQUAKE with the CPace session
key provided as the secret_context. We explain the composition in more detail in
<xref target="cpacequake-composition"/>.</t>
      <t>All PAKEs in this document share a common interface. Each takes as input a
password-related string PRS (or a verifier derived from it), a public_context,
and a secret_context. The public_context binds public session information that
both parties agree on, such as an optional session identifier sid and optional
client and server identifiers U and S (e.g., a device identifier, an IP address,
or a URL). The secret_context binds confidential information shared by both
parties, such as the session key of a preceding protocol stage; it is never sent
on the wire. Both the public_context and the secret_context are optional; a party
that does not use one passes the empty string b"" (equivalently, None). Two parties
obtain matching session keys only if their PRS, public_context, and secret_context
match. See <xref target="identities"/> for more discussion about the identities and how they are
chosen in practice.</t>
      <t>The public_context is constructed from the optional sid, U, and S using the
following utility function. Each of sid, U, and S is optional and defaults to the
empty string b"". Applications <bcp14>MAY</bcp14> include additional public information by
prepending or appending it to the returned value.</t>
      <artwork><![CDATA[
EncodePublicContext

Input:
- sid, session identifier, a byte string
- U and S, client and server identifiers

Output:
- public_context, the encoded public context, a byte string

def EncodePublicContext(sid, U, S):
  public_context =
    bytes_to_int(len(sid), 4) || sid ||
    bytes_to_int(len(U), 4) || U ||
    bytes_to_int(len(S), 4) || S
  return public_context
]]></artwork>
      <section anchor="cpace">
        <name>CPace Specification</name>
        <t>CPace is a classical elliptic curve-based PAKE <xref target="CPACE"/>. This section wraps the CPace specification in a consistent interface.
We use an interactive version of CPace that takes two rounds, in which there is a designated initiator and responder.
In other words, the responder only starts executing the protocol after it received the first message from the initiator.</t>
        <t>The flow of the protocol consists of two messages sent between initiator and responder, produced by the functions
Init, Respond, and Finish, described below. Both parties take as input a password-related
string PRS, a public_context, and a secret_context (see <xref target="CPaceOQUAKE"/>). Upon completion, both parties
obtain matching session keys if their PRS, public_context, secret_context, and key length (specified by N)
match. Otherwise, they obtain random keys. In exceptional cases, the protocol aborts.</t>
        <t>CPace derives its generator from PRS, a channel identifier (CI), and a session identifier (sid);
CI may carry confidential information and is never sent on the wire, whereas sid is public and is
additionally bound into the session key. Accordingly, CPace uses the secret_context as its CI and the
public_context as its sid.</t>
        <section anchor="initiation">
          <name>Initiation</name>
          <t>The initiator starts the protocol using its password-related string PRS, binding the session to the
public_context and secret_context.</t>
          <artwork><![CDATA[
CPace.Init

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string

Output:
- ya, discrete logarithm intended to be stored in secret until the protocol finishes
- Ya, public point, intended to be sent to the responder

Parameters:
- G, a group environment as specified in CPace

def Init(PRS, public_context, secret_context):
  g = G.calculate_generator(H, PRS, secret_context, public_context)
  ya = G.sample_scalar()
  Ya = G.scalar_mult(ya, g)
  return ya, Ya
]]></artwork>
        </section>
        <section anchor="response">
          <name>Response</name>
          <t>The responder performs the same actions as the initiator.
Since it already received the initiator's message, it can immediately finish its execution of the protocol.
It outputs the shared secret and a message Yb intended to be sent to the initiator.</t>
          <artwork><![CDATA[
CPace.Respond

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string
- Ya, public point, received from the initiator

Output:
- ISK, the established shared secret
- Yb, public point, intended to be sent to the initiator

Parameters:
- G, a group environment as specified in CPace
- H, a hash function as specified in CPace

Exceptions:
- CPaceError, raised when an invalid value was encountered in CPace

def Respond(PRS, public_context, secret_context, Ya):
  g = G.calculate_generator(H, PRS, secret_context, public_context)
  yb = G.sample_scalar()
  Yb = G.scalar_mult(yb, g)

  K = G.scalar_mult_vfy(yb, Ya)
  If K = G.I, raise CPaceError

  ISK = H.hash(lv_cat(G.DSI || b"_ISK", public_context, K) || transcript(Ya, Yb))

  return ISK, Yb
]]></artwork>
          <t>The functions <tt>lv_cat</tt> and <tt>transcript</tt> are defined in <xref target="CPACE"/>.</t>
        </section>
        <section anchor="finish">
          <name>Finish</name>
          <t>The initiator finishes the protocol by combining the discrete logarithm ya generated by CPace.Init and the message Yb received
from the responder.</t>
          <artwork><![CDATA[
CPace.Finish

Input:
- ya, discrete logarithm that was generated using CPace.Init
- public_context, optional public context, a byte string
- Yb, public point, received from the responder

Output:
- ISK, the established shared secret

Parameters:
- G, a group environment as specified in CPace
- H, a hash function as specified in CPace

Exceptions:
- CPaceError, raised when an invalid value was encountered in CPace

def Finish(ya, public_context, Yb):
  K = G.scalar_mult_vfy(ya, Yb)
  If K = G.I, raise CPaceError

  ISK = H.hash(lv_cat(G.DSI || b"_ISK", public_context, K) || transcript(Ya, Yb))

  return ISK
]]></artwork>
        </section>
      </section>
      <section anchor="quake">
        <name>OQUAKE Specification</name>
        <t>OQUAKE is a PAKE built on a BUA-sKEM and KDF.  If the BUA-sKEM provides security against quantum-enabled attacks,
then so does OQUAKE. It consists of two messages sent between initiator and responder, produced by
the functions Init, Respond, and Finish, described below. Both parties take as input a password-related
string PRS, a public_context, and a secret_context. Upon completion, both parties obtain matching session keys if
their PRS, public_context, secret_context, and key length (specified by N) match. Otherwise,
they obtain random session keys.</t>
        <t>When a secret_context is provided, OQUAKE derives an effective password from (PRS, secret_context) and uses it in place
of PRS throughout the protocol. This allows OQUAKE to be securely composed with a preceding protocol
stage whose output key is provided as the secret_context.</t>
        <t>The public_context (see <xref target="CPaceOQUAKE"/>) typically encodes a session identifier sid and client and
server identifiers U and S. It has the following requirements. If a client and server identifier are provided:</t>
        <ul spacing="normal">
          <li>
            <t>The session identifier must match between the client and server</t>
          </li>
          <li>
            <t>This session identifier has not been used before in a session between the client and server</t>
          </li>
        </ul>
        <t>If no client and server identifiers are provided:</t>
        <ul spacing="normal">
          <li>
            <t>The session identifier must match between the client and server</t>
          </li>
          <li>
            <t>This session identifier has not been used before by the client or server in any session with any other party</t>
          </li>
        </ul>
        <t>These requirements originate from the security proof for OQUAKE. If these requirements are not met, the proof
does not apply, but this does not mean that the protocol becomes vulnerable.</t>
        <t>The specification follows the design as presented in <xref target="VJWYMS25"/>, with the splittable KEM technique described
in <xref target="TEMPO"/>, which prevents timing attacks caused by rejection sampling in ML-KEM. See <xref target="timing-and-tempo"/>
for more information on the timing attack and this fix.</t>
        <section anchor="initiation-1">
          <name>Initiation</name>
          <t>Init takes as input the initiator's PRS, a public_context, and a secret_context.
It produces a state for the initiator to store, as well as a
protocol message that is sent to the responder. Its implementation is as follows.</t>
          <artwork><![CDATA[
OQUAKE.Init

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string

Output:
- state, opaque state for the initiator to store
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- BUA-sKEM, a BUA-sKEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def Init(PRS, public_context, secret_context):
  if secret_context is None:
    secret_context = b""
  prk_ePRS = KDF.Extract(PRS, DST || "OQUAKE-context" || public_context || secret_context)
  effective_PRS = KDF.Expand(prk_ePRS, DST || "effective_PRS", Nkey)

  seed = random(BUA-sKEM.Nseed)
  (pk, sk) = BUA-sKEM.DeriveKeyPair(seed)
  (ut, ⍴) = BUA-sKEM.Split(pk)

  r = random(3 * Nsec)

  // T = XOR(t, H(public_context, effective_PRS, ⍴, r))
  prk_T_pad = KDF.Extract(effective_PRS, DST || "OQUAKE" || public_context || ⍴ || r)
  T_pad = KDF.Expand(prk_T_pad, DST || "T_pad", BUA-sKEM.Nt)
  T = XOR(ut, T_pad)

  // s = XOR(r, H(public_context, effective_PRS, ⍴, T))
  prk_s_pad = KDF.Extract(effective_PRS, DST || "OQUAKE" || public_context || ⍴ || T)
  s_pad = KDF.Expand(prk_s_pad, DST || "s_pad", 3 * Nsec)
  s = XOR(r, s_pad)

  init_msg = s || T || ⍴

  return State(effective_PRS, sk, pk, s, T, public_context, secret_context), init_msg
]]></artwork>
        </section>
        <section anchor="response-1">
          <name>Response</name>
          <t>Respond takes as input the PRS, a public_context, a secret_context, and the initiator's protocol message.
It produces a 32-byte symmetric key and a protocol message intended to be sent to the initiator. Its implementation
is as follows.</t>
          <artwork><![CDATA[
OQUAKE.Respond

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string
- init_msg, encoded protocol message, a byte string

Output:
- ss, output shared secret, a byte string of 32 bytes
- resp_msg, encoded protocol message, a byte string

Parameters:
- BUA-sKEM, a BUA-sKEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def Respond(PRS, public_context, secret_context, init_msg):
  (s, T, ⍴) = init_msg[0 : (3 * Nsec)], init_msg[(3 * Nsec) : (6 * Nsec)], init_msg[(6 * Nsec) : (6 * Nsec) + N⍴]

  if secret_context is None:
    secret_context = b""
  prk_ePRS = KDF.Extract(PRS, DST || "OQUAKE-context" || public_context || secret_context)
  effective_PRS = KDF.Expand(prk_ePRS, DST || "effective_PRS", Nkey)

  prk_s_pad = KDF.Extract(effective_PRS, DST || "OQUAKE" || public_context || ⍴ || T)
  s_pad = KDF.Expand(prk_s_pad, DST || "s_pad", 3 * Nsec)
  r = XOR(s, s_pad)

  prk_T_pad = KDF.Extract(effective_PRS, DST || "OQUAKE" || public_context || ⍴ || r)
  T_pad = KDF.Expand(prk_T_pad, DST || "T_pad", BUA-sKEM.Nt)
  ut = XOR(T, T_pad)

  pk = BUA-sKEM.Combine(ut, ⍴)
  (ct, k) = BUA-sKEM.Encaps(pk)

  prk_sk = KDF.Extract(effective_PRS, DST || "OQUAKE" || public_context || s || T || pk || ct || k)
  intermediate_key = KDF.Expand(prk_sk, DST || "sk", Nkey)

  transcript = s || T || ⍴ || ct
  prk_final = KDF.Extract(intermediate_key, DST || "final_key" || public_context || secret_context || transcript)
  key = KDF.Expand(prk_final, DST || "key", Nkey)

  h = KDF.Expand(prk_sk, DST || "confirm", Nkc)

  resp_msg = ct || h

  return resp_msg, key
]]></artwork>
        </section>
        <section anchor="quake-finish">
          <name>Finish</name>
          <t>Finish takes as input the initiator-created state that is output from Init
as well as the responder's reply message resp_msg. It produces a symmetric key
that is output to the initiator. Its implementation
is as follows.</t>
          <artwork><![CDATA[
OQUAKE.Finish

Input:
- state, opaque state for the initiator to store
- resp_msg, encoded protocol message, a byte string

Output:
- ss, output shared secret, a byte string of 32 bytes

Parameters:
- BUA-sKEM, a BUA-sKEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

Exceptions:
- AuthenticationError, raised when the key confirmation fails

def Finish(state, resp_msg):
  (effective_PRS, sk, pk, s, T, public_context, secret_context) = state
  ct, h = resp_msg[0..Nct], resp_msg[Nct..]

  try:
    k = BUA-sKEM.Decaps(sk, ct)
    prk_sk = KDF.Extract(effective_PRS, DST || "OQUAKE" || public_context || s || T || pk || ct || k)

    intermediate_key = KDF.Expand(prk_sk, DST || "sk", Nkey)

    transcript = s || T || ⍴ || c
    prk_final = KDF.Extract(intermediate_key, DST || "final_key" || public_context || secret_context || transcript)
    key = KDF.Expand(prk_final, DST || "key", Nkey)

    h_expected = KDF.Expand(prk_sk, DST || "confirm", Nkc)
    if h != h_expected:
      return random(Nkey)

    return key
  catch DecapsError:
    return random(Nkey)
]]></artwork>
        </section>
      </section>
      <section anchor="cpacequake-composition">
        <name>Composition of CPace &amp; OQUAKE</name>
        <t>CPaceOQUAKE is a sequential composition of CPace (see <xref target="cpace"/>) and
OQUAKE (see <xref target="quake"/>). Whereas running CPace and OQUAKE in parallel realizes
a worst-of-both worlds PAKE, this sequential composition realizes a
best-of-both worlds PAKE. In other words, CPaceOQUAKE remains as secure
as the strongest PAKE, resisting attacks that break the classical CPace
(e.g. by a quantum-capable attacker) or attacks that break the
quantum-resistant OQUAKE (e.g. by a flaw in the BUA-sKEM). This assumes that
OQUAKE is instantiated with a quantum-resistant BUA-sKEM.</t>
        <t>The reason a parallel combiner does not achieve best-of-both-worlds security
is that it requires both constituent PAKEs to be unconditionally password
hiding, meaning that the password must not be learnable even if all
computational assumptions underlying the PAKE break. Intuitively, if one
PAKE is not unconditionally password hiding, an attacker that breaks its
computational assumptions can recover the password, and knowing the password
is sufficient to then defeat the other PAKE as well. CPace is unconditionally
password hiding in the sense that, even if the Diffie-Hellman assumption
fails, the protocol transcript (including the exchanged group elements) is
statistically independent of the password-related string PRS: PRS is only
used to derive a generator, while the transmitted points are fresh random
scalar multiples of this generator and hence are uniformly distributed in the
group. OQUAKE, however, is not unconditionally password hiding: an attacker
that can break the D-MLWE assumption can distinguish ML-KEM public keys and
ciphertexts from random bitstrings and thereby mount offline dictionary
attacks to recover the password. Because no currently known post-quantum
PAKE built on standard primitives such as ML-KEM achieves unconditional
password hiding, a parallel combiner cannot provide the desired hybrid
security guarantee.</t>
        <t>The sequential combiner overcomes this limitation. Instead of running OQUAKE
on the original password-related string PRS, CPaceOQUAKE feeds the CPace
session key to OQUAKE as the secret_context, which binds the original PRS to the CPace
session key. Even if an attacker breaks D-MLWE and can distinguish OQUAKE
public keys and ciphertexts, offline dictionary attacks against the original
PRS are infeasible because the CPace-derived session key material is
computationally indistinguishable from a random value (under the gap
Diffie-Hellman assumption). The sequential composition is analyzed in <xref target="HR24"/>
and a close variant is analyzed in <xref target="LL24"/>.</t>
        <t>To be precise, CPaceOQUAKE first runs CPace to completion using
password-related string PRS, establishing a session key SK1. It then runs
OQUAKE using PRS and secret_context=SK1. OQUAKE derives an effective password from
(PRS, SK1) and uses it throughout the protocol, producing session key SK2.
The CPaceOQUAKE session key is SK2, which transitively depends on SK1
through the effective password derivation.</t>
        <t>This is outlined in the diagram below. CPace is initiated by the client, and
OQUAKE is also initiated by the client after CPace completes.
Unlike OQUAKE, CPaceOQUAKE does not require a shared session identifier sid, although this
is strongly recommended. If no sid is provided, CPace will run without an sid, and OQUAKE
will use a random string generated with random material provided by both parties. If an
sid is provided, both CPace and OQUAKE will use this sid.</t>
        <t>An overview of the protocol flow is shown below. The protocol has five functions. Init,
InitiatorContinue, and InitiatorFinish are intended to be called by the client, and Respond
and ResponderFinish are intended to be called by the server.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="560" width="504" viewBox="0 0 504 560" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,96 L 112,240" fill="none" stroke="black"/>
              <path d="M 112,288 L 112,464" fill="none" stroke="black"/>
              <path d="M 352,56 L 352,144" fill="none" stroke="black"/>
              <path d="M 352,184 L 352,352" fill="none" stroke="black"/>
              <path d="M 352,416 L 352,520" fill="none" stroke="black"/>
              <path d="M 72,48 L 392,48" fill="none" stroke="black"/>
              <path d="M 120,128 L 344,128" fill="none" stroke="black"/>
              <path d="M 120,224 L 344,224" fill="none" stroke="black"/>
              <path d="M 120,336 L 344,336" fill="none" stroke="black"/>
              <path d="M 120,448 L 344,448" fill="none" stroke="black"/>
              <path d="M 72,528 L 392,528" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="352,336 340,330.4 340,341.6" fill="black" transform="rotate(0,344,336)"/>
              <polygon class="arrowhead" points="352,128 340,122.4 340,133.6" fill="black" transform="rotate(0,344,128)"/>
              <polygon class="arrowhead" points="128,448 116,442.4 116,453.6" fill="black" transform="rotate(180,120,448)"/>
              <polygon class="arrowhead" points="128,224 116,218.4 116,229.6" fill="black" transform="rotate(180,120,224)"/>
              <g class="text">
                <text x="32" y="36">Client:</text>
                <text x="144" y="36">PRS,pub_ctx,sec_ctx</text>
                <text x="312" y="36">Server:</text>
                <text x="424" y="36">PRS,pub_ctx,sec_ctx</text>
                <text x="60" y="68">ctx,</text>
                <text x="100" y="68">msg1</text>
                <text x="128" y="68">=</text>
                <text x="152" y="84">CPaceOQUAKE.Init(PRS,pub_ctx,sec_ctx)</text>
                <text x="220" y="116">msg1</text>
                <text x="276" y="164">ctx,</text>
                <text x="316" y="164">msg2</text>
                <text x="344" y="164">=</text>
                <text x="320" y="180">CPaceOQUAKE.Respond(PRS,pub_ctx,sec_ctx,msg1)</text>
                <text x="220" y="212">msg2</text>
                <text x="60" y="260">ctx,</text>
                <text x="100" y="260">msg3</text>
                <text x="128" y="260">=</text>
                <text x="124" y="276">CPaceOQUAKE.InitiatorContinue(</text>
                <text x="64" y="292">PRS,pub_ctx</text>
                <text x="184" y="292">sec_ctx,ctx,msg2)</text>
                <text x="220" y="324">msg3</text>
                <text x="248" y="372">server_key,</text>
                <text x="316" y="372">msg4</text>
                <text x="344" y="372">=</text>
                <text x="268" y="388">CPaceOQUAKE.ResponderFinish(</text>
                <text x="288" y="404">PRS,pub_ctx,sec_ctx,ctx,msg3)</text>
                <text x="220" y="436">msg4</text>
                <text x="84" y="484">client_key</text>
                <text x="136" y="484">=</text>
                <text x="152" y="500">CPaceOQUAKE.InitiatorFinish(ctx,msg4)</text>
                <text x="112" y="516">|</text>
                <text x="68" y="548">output</text>
                <text x="140" y="548">client_key</text>
                <text x="316" y="548">output</text>
                <text x="388" y="548">server_key</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
Client: PRS,pub_ctx,sec_ctx        Server: PRS,pub_ctx,sec_ctx
        -----------------------------------------
     ctx, msg1 =                           |
CPaceOQUAKE.Init(PRS,pub_ctx,sec_ctx)      |
             |                             |
             |           msg1              |
             |---------------------------->|
             |                             |
             |                  ctx, msg2 =
             |   CPaceOQUAKE.Respond(PRS,pub_ctx,sec_ctx,msg1)
             |                             |
             |           msg2              |
             |<----------------------------|
             |                             |
     ctx, msg3 =                           |
CPaceOQUAKE.InitiatorContinue(             |
  PRS,pub_ctx,sec_ctx,ctx,msg2)            |
             |                             |
             |           msg3              |
             |---------------------------->|
             |                             |
             |           server_key, msg4 =
             |     CPaceOQUAKE.ResponderFinish(
             |       PRS,pub_ctx,sec_ctx,ctx,msg3)
             |                             |
             |           msg4              |
             |<----------------------------|
             |                             |
     client_key =                          |
CPaceOQUAKE.InitiatorFinish(ctx,msg4)      |
             |                             |
        -----------------------------------------
     output client_key              output server_key
]]></artwork>
        </artset>
        <section anchor="client-initiation">
          <name>Client Initiation</name>
          <t>The client initiates a CPace exchange with the server using input PRS, a public_context,
and a secret_context. The output of this process is some state for
completing the protocol and a protocol message. The client sends this message to the server.</t>
          <artwork><![CDATA[
CPaceOQUAKE.Init

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string

Output:
- state, opaque state for the initiator to store
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- CPace, parameterized instance of CPace

def Init(PRS, public_context, secret_context):
  ctx1, msg1 = CPace.Init(PRS, public_context, secret_context)
  s1 = random(32)
  init_msg = s1 || lv_encode(msg1)

  return (ctx1, s1), init_msg
]]></artwork>
        </section>
        <section anchor="server-response">
          <name>Server Response</name>
          <t>The server processes the client message using its input PRS, a public_context, and
a secret_context. The server responds to the CPace session
that the client initiated, completing Stage 1.</t>
          <t>The server <bcp14>MUST</bcp14> ensure that exactly one of <tt>s1</tt> and a sid in the public_context exists. It <bcp14>MUST</bcp14> abort if the message does
not have the correct length.</t>
          <artwork><![CDATA[
CPaceOQUAKE.Respond

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string
- init_msg, the message received from the client

Output:
- state, opaque state for the responder to store
- msg, an encoded protocol message for the responder to send to the initiator

Parameters:
- CPace, parameterized instance of CPace
- DST, domain separation tag, a byte string

def Respond(PRS, public_context, secret_context, init_msg):
  s1, msg1 = init_msg[0..32], lv_decode(init_msg[32..])

  key1, msg2 = CPace.Respond(PRS, public_context, secret_context, msg1)

  s2 = random(32)

  resp_msg = s2 || lv_encode(msg2)

  return State(s1, s2, key1), resp_msg
]]></artwork>
        </section>
        <section anchor="client-continue">
          <name>Client Continue</name>
          <t>The client finishes CPace (Stage 1) and initiates OQUAKE (Stage 2). The client derives
the CPace session key, then uses it as the secret_context for OQUAKE. The output is a new state
and an OQUAKE init message to send to the server.</t>
          <t>The client must ensure that exactly one of (s1, s2) and a sid in the public_context exists.
The client should abort when the message does not have the correct length.</t>
          <artwork><![CDATA[
CPaceOQUAKE.InitiatorContinue

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string
- (ctx1, s1), the state generated by CPaceOQUAKE.Init
- resp_msg, the message received from the server

Output:
- state, opaque state for the initiator to store
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- CPace, parameterized instance of CPace
- OQUAKE, parameterized instance of OQUAKE
- DST, domain separation tag, a byte string

def InitiatorContinue(PRS, public_context, secret_context, (ctx1, s1), resp_msg):
  s2 = resp_msg[0..32]
  msg2 = lv_decode(resp_msg[32..])

  key1 = CPace.Finish(ctx1, public_context, msg2)

  prk_extended_sid = KDF.Extract(s1 || s2, DST || "CPaceOQUAKE")
  extended_sid = KDF.Expand(prk_extended_sid, DST || "SID", 32)

  ctx2, msg3 = OQUAKE.Init(PRS, extended_sid || public_context, key1)

  return ctx2, msg3
]]></artwork>
        </section>
        <section anchor="server-finish">
          <name>Server Finish</name>
          <t>The server completes the protocol by responding to the OQUAKE session (Stage 2).
The server uses the CPace session key from Stage 1 as the secret_context for OQUAKE.
The OQUAKE output key is the CPaceOQUAKE session key.</t>
          <t>The server should abort when the message does not have the correct length.</t>
          <artwork><![CDATA[
CPaceOQUAKE.ResponderFinish

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string
- ctx, state from the server's Response
- msg3, the message received from the client, a byte string

Output:
- key, an N-byte shared secret
- msg, an encoded protocol message for the responder to send to the initiator

Parameters:
- OQUAKE, parameterized instance of OQUAKE
- DST, domain separation tag, a byte string

def ResponderFinish(PRS, public_context, secret_context, ctx, msg3):
  (s1, s2, key1) = ctx

  prk_extended_sid = KDF.Extract(s1 || s2, DST || "CPaceOQUAKE")
  extended_sid = KDF.Expand(prk_extended_sid, DST || "SID", 32)

  resp_msg, server_key = OQUAKE.Respond(PRS, extended_sid || public_context, key1, msg3)

  return server_key, resp_msg
]]></artwork>
        </section>
        <section anchor="client-finish">
          <name>Client Finish</name>
          <t>The client finishes the protocol by completing OQUAKE (Stage 2). The OQUAKE
output key is the CPaceOQUAKE session key.</t>
          <artwork><![CDATA[
CPaceOQUAKE.InitiatorFinish

Input:
- ctx, state from OQUAKE.Init (stored by CPaceOQUAKE.InitiatorContinue)
- msg4, the message received from the server, a byte string

Output:
- key, an N-byte shared secret

Parameters:
- OQUAKE, parameterized instance of OQUAKE

def InitiatorFinish(ctx, msg4):
  client_key = OQUAKE.Finish(ctx, msg4)
  return client_key
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="CPaceOQUAKEplus">
      <name>CPaceOQUAKE+ Protocol</name>
      <t>CPaceOQUAKE+ is the five-message aPAKE resulting from composing CPace
(Stage 1) and OQUAKE+ (Stage 2). At a
high level, this involves running CPace on a verifier of the
client's password, followed by OQUAKE+, which performs the post-quantum
key exchange and password confirmation in a single stage. To ensure
that the client does indeed know the password pertaining to that verifier,
the OQUAKE+ stage uses a seed derived from the password. Both the verifier and
the seed are derived from the password using a key stretching function.
The seed is later used to derive a KEM public key. We refer to the collection
of the verifier and this public key as 'the verifiers'.</t>
      <t>This document also specifies standalone OQUAKE+ (see <xref target="oquakeplus-standalone"/>),
a post-quantum aPAKE that uses the OQUAKE+ stage without the classical CPace stage.</t>
      <t>The CPaceOQUAKE+ protocol can be seen as a close variant (and a specific
instance) of the `augmented PAKE' construction presented in <xref target="LLH24"/> and in <xref target="Gu24"/>.</t>
      <section anchor="registering-clients">
        <name>Registering Clients</name>
        <t>This subsection specifies functions for generating the verifiers and
a protocol for registering clients.</t>
        <section anchor="gen-verifiers">
          <name>Generating Verifiers</name>
          <t>Verifiers are random-looking value derived from password-related strings
from which it is computionally impractical to derive the password-related
string. To make verifiers unique between different users with the same
password or servers that they interact with, we employ a salt, a user
account identifier, and an optional server identifier. The material
required for the verifiers is generated as follows:</t>
          <artwork><![CDATA[
GenVerifierMaterial

Input:
- PRS, password-related string, a byte string
- salt, client-specific salt, a byte string
- U and S, client and server identifiers

Output:
- ss, output shared secret, a byte string of 32 bytes
- resp_msg, encoded protocol message, a byte string

Parameters:
- KEM, a KEM instance
- KSF, a parameterized KSF instance
- DST, domain separation tag, a byte string

def GenVerifierMaterial(PRS, salt, U, S):
  verifier_seed = KSF.Stretch(DST || PRS || U || S, salt, Nverifier + KEM.Nseed)
  verifier = verifier_seed[0:Nverifier]
  seed = verifier_seed[Nverifier:Nverifier + KEM.Nseed]
  return verifier, seed
]]></artwork>
          <t>To derive an actual public key from the verifier material, we use the following function:</t>
          <artwork><![CDATA[
GenVerifiers

Input:
- PRS, password-related string, a byte string
- salt, client-specific salt, a byte string
- U and S, client and server identifiers

Output:
- ss, output shared secret, a byte string of 32 bytes
- resp_msg, encoded protocol message, a byte string

Parameters:
- KEM, a KEM instance

def GenVerifiers(PRS, salt, U, S):
  verifier, seed = GenVerifierMaterial(PRS, salt, U, S)
  (pk, sk) = KEM.DeriveKeyPair(seed)
  return verifier, pk
]]></artwork>
          <t>The server <bcp14>MUST</bcp14> store pk; it <bcp14>MUST NOT</bcp14> store seed.</t>
        </section>
        <section anchor="registration">
          <name>Registration</name>
          <t>The registration phase consists of one message sent from the client to the server. This message
contains the verifier, a public key, and 32-byte salt. The server stores this information corresponding to
the client for future use in the verification flow. This phase requires a secure channel from client to
server in order to transfer the password verifier and public key.
The salt can be sent in plain text.</t>
          <t>We recommend that the salt is a random byte string: <tt>salt = random(32)</tt>. However, in practice this
may require an additional communication flow, used by the server to send the salt to the client
before protocol CPaceOQUAKE+ starts. Instead, one may consider deriving the salt from some
client-specific value that it knows and can retain locally.</t>
          <t>A high level flow overview of the registration flow is below.</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="192" width="440" viewBox="0 0 440 192" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 104,80 L 104,168" fill="none" stroke="black"/>
                <path d="M 328,80 L 328,168" fill="none" stroke="black"/>
                <path d="M 64,48 L 368,48" fill="none" stroke="black"/>
                <path d="M 112,112 L 320,112" fill="none" stroke="black"/>
                <path d="M 64,176 L 368,176" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="328,112 316,106.4 316,117.6" fill="black" transform="rotate(0,320,112)"/>
                <g class="text">
                  <text x="32" y="36">Client:</text>
                  <text x="84" y="36">PRS,</text>
                  <text x="128" y="36">salt,</text>
                  <text x="164" y="36">U,</text>
                  <text x="184" y="36">S</text>
                  <text x="328" y="36">Server:</text>
                  <text x="376" y="36">N/A</text>
                  <text x="24" y="68">(v,</text>
                  <text x="56" y="68">pk)</text>
                  <text x="80" y="68">=</text>
                  <text x="160" y="68">GenVerifiers(PRS,</text>
                  <text x="256" y="68">salt,</text>
                  <text x="292" y="68">U,</text>
                  <text x="316" y="68">S)</text>
                  <text x="160" y="100">salt,</text>
                  <text x="196" y="100">v,</text>
                  <text x="224" y="100">pk,</text>
                  <text x="252" y="100">U,</text>
                  <text x="272" y="100">S</text>
                  <text x="256" y="148">Store</text>
                  <text x="304" y="148">(salt</text>
                  <text x="348" y="148">v,</text>
                  <text x="376" y="148">pk,</text>
                  <text x="404" y="148">U,</text>
                  <text x="428" y="148">S)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
Client: PRS, salt, U, S              Server: N/A
       ---------------------------------------
 (v, pk) = GenVerifiers(PRS, salt, U, S)
            |                           |
            |    salt, v, pk, U, S      |
            |-------------------------->|
            |                           |
            |                Store (salt, v, pk, U, S)
            |                           |
       ---------------------------------------
]]></artwork>
          </artset>
        </section>
      </section>
      <section anchor="oquakeplus-stage">
        <name>The OQUAKE+ Stage</name>
        <t>OQUAKE+ is an augmented variant of OQUAKE that adds password confirmation
to upgrade the symmetric PAKE to an asymmetric PAKE. It uses the registered
verifiers from the previous subsection. In the OQUAKE+ stage, the client
proves knowledge of its password without revealing it by responding to a
challenge from the server. OQUAKE+ is parameterized by a BUA-sKEM, KEM,
KDF, and KSF; see <xref target="configurations"/> for specific parameter configurations.</t>
        <t>OQUAKE+ is a three-message flow between the client and server.
The client initiates the OQUAKE key exchange. The server responds
with the OQUAKE key exchange response and a password confirmation
challenge (piggybacked into a single message). The client completes
the OQUAKE key exchange, then responds to the challenge.</t>
        <t>A high level overview of this flow is below.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="432" width="448" viewBox="0 0 448 432" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 104,104 L 104,256" fill="none" stroke="black"/>
              <path d="M 104,304 L 104,392" fill="none" stroke="black"/>
              <path d="M 328,56 L 328,160" fill="none" stroke="black"/>
              <path d="M 328,208 L 328,352" fill="none" stroke="black"/>
              <path d="M 64,48 L 368,48" fill="none" stroke="black"/>
              <path d="M 112,144 L 320,144" fill="none" stroke="black"/>
              <path d="M 112,240 L 320,240" fill="none" stroke="black"/>
              <path d="M 112,336 L 320,336" fill="none" stroke="black"/>
              <path d="M 64,400 L 368,400" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="328,336 316,330.4 316,341.6" fill="black" transform="rotate(0,320,336)"/>
              <polygon class="arrowhead" points="328,144 316,138.4 316,149.6" fill="black" transform="rotate(0,320,144)"/>
              <polygon class="arrowhead" points="120,240 108,234.4 108,245.6" fill="black" transform="rotate(180,112,240)"/>
              <g class="text">
                <text x="32" y="36">Client:</text>
                <text x="76" y="36">v,</text>
                <text x="112" y="36">seed,</text>
                <text x="168" y="36">pub_ctx</text>
                <text x="296" y="36">Server:</text>
                <text x="340" y="36">v,</text>
                <text x="368" y="36">pk,</text>
                <text x="416" y="36">pub_ctx</text>
                <text x="104" y="68">|</text>
                <text x="44" y="84">ctx,</text>
                <text x="84" y="84">msg1</text>
                <text x="112" y="84">=</text>
                <text x="176" y="84">OQUAKE+.Init(</text>
                <text x="52" y="100">v,</text>
                <text x="100" y="100">pub_ctx,</text>
                <text x="172" y="100">sec_ctx)</text>
                <text x="196" y="132">msg1</text>
                <text x="156" y="180">ctx,</text>
                <text x="196" y="180">msg2</text>
                <text x="224" y="180">=</text>
                <text x="300" y="180">OQUAKE+.Respond(</text>
                <text x="164" y="196">v,</text>
                <text x="212" y="196">pub_ctx,</text>
                <text x="284" y="196">sec_ctx,</text>
                <text x="344" y="196">msg1,</text>
                <text x="384" y="196">pk)</text>
                <text x="196" y="228">msg2</text>
                <text x="48" y="276">client_key,</text>
                <text x="116" y="276">msg3</text>
                <text x="144" y="276">=</text>
                <text x="216" y="276">OQUAKE+.Finish(</text>
                <text x="36" y="292">ctx,</text>
                <text x="80" y="292">seed,</text>
                <text x="128" y="292">msg2,</text>
                <text x="188" y="292">pub_ctx)</text>
                <text x="196" y="324">msg3</text>
                <text x="172" y="372">server_key</text>
                <text x="224" y="372">=</text>
                <text x="312" y="372">OQUAKE+.Verify(ctx,</text>
                <text x="416" y="372">msg3)</text>
                <text x="328" y="388">|</text>
                <text x="44" y="420">output</text>
                <text x="116" y="420">client_key</text>
                <text x="276" y="420">output</text>
                <text x="348" y="420">server_key</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
Client: v, seed, pub_ctx         Server: v, pk, pub_ctx
       ---------------------------------------
            |                           |
   ctx, msg1 = OQUAKE+.Init(            |
     v, pub_ctx, sec_ctx)               |
            |                           |
            |         msg1              |
            |-------------------------->|
            |                           |
            |    ctx, msg2 = OQUAKE+.Respond(
            |      v, pub_ctx, sec_ctx, msg1, pk)
            |                           |
            |         msg2              |
            |<--------------------------|
            |                           |
client_key, msg3 = OQUAKE+.Finish(      |
  ctx, seed, msg2, pub_ctx)             |
            |                           |
            |         msg3              |
            |-------------------------->|
            |                           |
            |   server_key = OQUAKE+.Verify(ctx, msg3)
            |                           |
       ---------------------------------------
  output client_key            output server_key
]]></artwork>
        </artset>
        <section anchor="initiation-2">
          <name>Initiation</name>
          <t>Init takes the same inputs as OQUAKE.Init and produces the same outputs.
It is defined identically to OQUAKE.Init (see <xref target="quake"/>).</t>
          <artwork><![CDATA[
OQUAKE+.Init

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string

Output:
- state, opaque state for the initiator to store
- msg, an encoded protocol message for the initiator to send to the responder

Parameters:
- BUA-sKEM, a BUA-sKEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def Init(PRS, public_context, secret_context):
  return OQUAKE.Init(PRS, public_context, secret_context)
]]></artwork>
        </section>
        <section anchor="response-2">
          <name>Response</name>
          <t>Respond takes as input the PRS, a public_context, a secret_context, the initiator's
protocol message, and the client's registered public key.
It produces an opaque state and a protocol message that combines
the OQUAKE response with a password confirmation challenge.</t>
          <t>The implementation <bcp14>MUST NOT</bcp14> reveal server_key from the state.</t>
          <artwork><![CDATA[
OQUAKE+.Respond

Input:
- PRS, password-related string, a byte string
- public_context, optional public context, a byte string
- secret_context, optional secret context, a byte string
- init_msg, encoded protocol message, a byte string
- pk, client-registered public key, a KEM public key

Output:
- state, opaque state for the server to store values to complete the protocol
- resp_msg, encoded protocol message, a byte string

Parameters:
- BUA-sKEM, a BUA-sKEM instance
- KEM, a KEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def Respond(PRS, public_context, secret_context, init_msg, pk):
  oquake_resp, SK = OQUAKE.Respond(PRS, public_context, secret_context, init_msg)

  (c, k) = KEM.Encaps(pk)
  r = KDF.Expand(SK, DST || "OTP", Nct)
  enc_c = XOR(c, r)

  confirm_input = public_context || enc_c

  prk_k_h1 = KDF.Extract(SK, DST || "h1" || confirm_input)
  prk_k_h2 = KDF.Extract(SK, DST || "h2" || confirm_input || k)

  client_confirm = KDF.Expand(prk_k_h1, DST || "client_confirm", Nkc)

  server_confirm = KDF.Expand(prk_k_h2, DST || "server_confirm", Nkc)
  server_key = KDF.Expand(prk_k_h2, DST || "key", Nkey)

  resp_msg = oquake_resp || enc_c || client_confirm

  return State(server_confirm, server_key), resp_msg
]]></artwork>
        </section>
        <section anchor="oquakeplus-finish">
          <name>Finish</name>
          <t>Finish takes as input the initiator-created state from Init, the seed
used to derive the KEM key pair during registration, the responder's
combined reply message, and the public_context.</t>
          <t>The client completes the OQUAKE key exchange to recover the shared secret,
then uses it to decrypt the password confirmation challenge. The client
re-derives the KEM key pair from the seed and decapsulates the KEM
ciphertext to recover the shared secret and derive password confirmation
values and a new shared secret.</t>
          <t>The client checks that the server-provided confirmation value matches its
own and aborts if not. Otherwise, it returns its own password confirmation
value. The client outputs the new shared secret as its output.</t>
          <artwork><![CDATA[
OQUAKE+.Finish

Input:
- state, opaque state for the initiator to store
- seed, seed used to derive KEM public key
- resp_msg, encoded protocol message, a byte string
- public_context, optional public context, a byte string

Output:
- client_key, a 32-byte string
- response, an encoded protocol message for the client to send to the server

Exceptions:
- AuthenticationError, raised when the password confirmation values do not match

Parameters:
- BUA-sKEM, a BUA-sKEM instance
- KEM, a KEM instance
- KDF, a KDF instance
- DST, domain separation tag, a byte string

def Finish(state, seed, resp_msg, public_context):
  oquake_resp = resp_msg[0 : Nct_bua + Nkc]
  enc_c = resp_msg[Nct_bua + Nkc : Nct_bua + Nkc + Nct]
  client_confirm_target = resp_msg[Nct_bua + Nkc + Nct :]

  SK = OQUAKE.Finish(state, oquake_resp)

  r = KDF.Expand(SK, DST || "OTP", Nct)
  c = XOR(enc_c, r)

  (pk, sk) = KEM.DeriveKeyPair(seed)

  try:
    k = KEM.Decaps(sk, c)

    confirm_input = public_context || enc_c

    prk_k_h1 = KDF.Extract(SK, DST || "h1" || confirm_input)
    prk_k_h2 = KDF.Extract(SK, DST || "h2" || confirm_input || k)

    client_confirm = KDF.Expand(prk_k_h1, DST || "client_confirm", Nkc)

    server_confirm = KDF.Expand(prk_k_h2, DST || "server_confirm", Nkc)
    client_key = KDF.Expand(prk_k_h2, DST || "key", Nkey)

    if client_confirm != client_confirm_target:
      raise AuthenticationError

    return client_key, server_confirm
  catch DecapsError:
    raise AuthenticationError
]]></artwork>
        </section>
        <section anchor="verify">
          <name>Verify</name>
          <t>Upon receipt of the response, the server validates that the password confirmation
value matches its own value. If the value does not match, the server aborts.
Otherwise, the server outputs the new shared secret as its output.</t>
          <artwork><![CDATA[
OQUAKE+.Verify

Input:
- state, opaque state produced by Respond
- server_confirm_target, client's response message, a byte string

Output:
- server_key, a 32-byte string

Exceptions:
- AuthenticationError, raised when the password confirmation values do not match

Parameters:

def Verify(state, server_confirm_target):
  (server_confirm, server_key) = state
  if server_confirm != server_confirm_target:
    raise AuthenticationError
  return server_key
]]></artwork>
        </section>
      </section>
      <section anchor="oquakeplus-standalone">
        <name>Standalone OQUAKE+</name>
        <t>OQUAKE+ can be used as a standalone post-quantum aPAKE without the
classical CPace stage. The client runs OQUAKE+ with the verifier as
the password-related string, and uses the seed to respond to the
password confirmation challenge.</t>
        <t>Standalone OQUAKE+ consists of three messages:</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="536" viewBox="0 0 536 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 104,128 L 104,240" fill="none" stroke="black"/>
              <path d="M 104,272 L 104,360" fill="none" stroke="black"/>
              <path d="M 384,56 L 384,160" fill="none" stroke="black"/>
              <path d="M 384,184 L 384,320" fill="none" stroke="black"/>
              <path d="M 88,48 L 400,48" fill="none" stroke="black"/>
              <path d="M 112,144 L 376,144" fill="none" stroke="black"/>
              <path d="M 112,224 L 376,224" fill="none" stroke="black"/>
              <path d="M 112,304 L 376,304" fill="none" stroke="black"/>
              <path d="M 88,368 L 400,368" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,304 372,298.4 372,309.6" fill="black" transform="rotate(0,376,304)"/>
              <polygon class="arrowhead" points="384,144 372,138.4 372,149.6" fill="black" transform="rotate(0,376,144)"/>
              <polygon class="arrowhead" points="120,224 108,218.4 108,229.6" fill="black" transform="rotate(180,112,224)"/>
              <g class="text">
                <text x="32" y="36">Client:</text>
                <text x="132" y="36">PRS,salt,U,S,sid</text>
                <text x="304" y="36">Server:</text>
                <text x="388" y="36">v,pk,U,S,sid</text>
                <text x="16" y="68">(v,</text>
                <text x="56" y="68">seed)</text>
                <text x="88" y="68">=</text>
                <text x="232" y="68">GenVerifierMaterial(PRS,salt,U,S)</text>
                <text x="32" y="84">pub_ctx</text>
                <text x="72" y="84">=</text>
                <text x="196" y="84">EncodePublicContext(sid,U,S)</text>
                <text x="104" y="100">|</text>
                <text x="20" y="116">ctx,</text>
                <text x="60" y="116">msg1</text>
                <text x="88" y="116">=</text>
                <text x="212" y="116">OQUAKE+.Init(v,pub_ctx,None)</text>
                <text x="244" y="132">msg1</text>
                <text x="140" y="180">ctx,</text>
                <text x="180" y="180">msg2</text>
                <text x="208" y="180">=</text>
                <text x="376" y="180">OQUAKE+.Respond(v,pub_ctx,None,msg1,pk)</text>
                <text x="244" y="212">msg2</text>
                <text x="48" y="260">client_key,</text>
                <text x="116" y="260">msg3</text>
                <text x="144" y="260">=</text>
                <text x="268" y="260">OQUAKE+.Finish(ctx,seed,msg2</text>
                <text x="420" y="260">pub_ctx)</text>
                <text x="244" y="292">msg3</text>
                <text x="212" y="340">server_key</text>
                <text x="264" y="340">=</text>
                <text x="372" y="340">OQUAKE+.Verify(ctx,msg3)</text>
                <text x="384" y="356">|</text>
                <text x="76" y="388">output</text>
                <text x="148" y="388">client_key</text>
                <text x="348" y="388">output</text>
                <text x="420" y="388">server_key</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
Client: PRS,salt,U,S,sid          Server: v,pk,U,S,sid
          ----------------------------------------
(v, seed) = GenVerifierMaterial(PRS,salt,U,S)  |
pub_ctx = EncodePublicContext(sid,U,S)         |
            |                                  |
ctx, msg1 = OQUAKE+.Init(v,pub_ctx,None)       |
            |               msg1               |
            |--------------------------------->|
            |                                  |
            |  ctx, msg2 = OQUAKE+.Respond(v,pub_ctx,None,msg1,pk)
            |                                  |
            |               msg2               |
            |<---------------------------------|
            |                                  |
client_key, msg3 = OQUAKE+.Finish(ctx,seed,msg2,pub_ctx)
            |                                  |
            |               msg3               |
            |--------------------------------->|
            |                                  |
            |        server_key = OQUAKE+.Verify(ctx,msg3)
            |                                  |
          ----------------------------------------
      output client_key                 output server_key
]]></artwork>
        </artset>
      </section>
      <section anchor="cpacequakeplus-composition">
        <name>Composition of CPace &amp; OQUAKE+</name>
        <t>CPaceOQUAKE+ is the composition of CPace (Stage 1) and OQUAKE+
(Stage 2). It is a hybrid
aPAKE that provides security against both classical and quantum-capable
attackers.</t>
        <t>The composition is strictly sequential. First, the parties run CPace
using the verifier derived from the client's password.
The client recovers this verifier using the <tt>GenVerifierMaterial</tt> function.
After CPace completes, the parties proceed with OQUAKE+,
which is initiated by the client. The server uses the stored
public key to challenge the client, and the client uses the seed produced
by <tt>GenVerifierMaterial</tt> to prove knowledge of the password. This seed
<bcp14>MUST</bcp14> remain secret to prevent impersonation.</t>
        <t>An overview of the composition is below.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="432" viewBox="0 0 432 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 112,48 L 112,208" fill="none" stroke="black"/>
              <path d="M 160,64 L 160,112" fill="none" stroke="black"/>
              <path d="M 160,176 L 160,240" fill="none" stroke="black"/>
              <path d="M 176,248 L 176,288" fill="none" stroke="black"/>
              <path d="M 232,248 L 232,288" fill="none" stroke="black"/>
              <path d="M 248,64 L 248,112" fill="none" stroke="black"/>
              <path d="M 248,176 L 248,240" fill="none" stroke="black"/>
              <path d="M 304,48 L 304,208" fill="none" stroke="black"/>
              <path d="M 160,64 L 248,64" fill="none" stroke="black"/>
              <path d="M 72,96 L 152,96" fill="none" stroke="black"/>
              <path d="M 256,96 L 344,96" fill="none" stroke="black"/>
              <path d="M 160,112 L 248,112" fill="none" stroke="black"/>
              <path d="M 160,176 L 248,176" fill="none" stroke="black"/>
              <path d="M 72,208 L 152,208" fill="none" stroke="black"/>
              <path d="M 256,208 L 344,208" fill="none" stroke="black"/>
              <path d="M 160,240 L 248,240" fill="none" stroke="black"/>
              <path d="M 104,288 L 176,288" fill="none" stroke="black"/>
              <path d="M 232,288 L 288,288" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="320,208 308,202.4 308,213.6" fill="black" transform="rotate(180,312,208)"/>
              <polygon class="arrowhead" points="320,96 308,90.4 308,101.6" fill="black" transform="rotate(180,312,96)"/>
              <polygon class="arrowhead" points="296,288 284,282.4 284,293.6" fill="black" transform="rotate(0,288,288)"/>
              <polygon class="arrowhead" points="264,208 252,202.4 252,213.6" fill="black" transform="rotate(180,256,208)"/>
              <polygon class="arrowhead" points="264,96 252,90.4 252,101.6" fill="black" transform="rotate(180,256,96)"/>
              <polygon class="arrowhead" points="160,208 148,202.4 148,213.6" fill="black" transform="rotate(0,152,208)"/>
              <polygon class="arrowhead" points="160,96 148,90.4 148,101.6" fill="black" transform="rotate(0,152,96)"/>
              <polygon class="arrowhead" points="112,288 100,282.4 100,293.6" fill="black" transform="rotate(180,104,288)"/>
              <polygon class="arrowhead" points="112,208 100,202.4 100,213.6" fill="black" transform="rotate(0,104,208)"/>
              <polygon class="arrowhead" points="112,96 100,90.4 100,101.6" fill="black" transform="rotate(0,104,96)"/>
              <g class="text">
                <text x="116" y="36">Client</text>
                <text x="308" y="36">Server</text>
                <text x="200" y="84">CPace</text>
                <text x="36" y="100">Verifier</text>
                <text x="196" y="100">(Stage</text>
                <text x="236" y="100">1)</text>
                <text x="388" y="100">Verifier</text>
                <text x="200" y="132">|</text>
                <text x="192" y="148">sec_ctx=SK1</text>
                <text x="200" y="164">|</text>
                <text x="200" y="196">OQUAKE+</text>
                <text x="36" y="212">Verifier</text>
                <text x="196" y="212">(Stage</text>
                <text x="236" y="212">2)</text>
                <text x="388" y="212">Verifier</text>
                <text x="44" y="228">seed</text>
                <text x="372" y="228">Public</text>
                <text x="416" y="228">key</text>
                <text x="52" y="292">client_key</text>
                <text x="340" y="292">server_key</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
            Client                  Server
              |                       |
              |     +----------+      |
              |     |  CPace   |      |
 Verifier---->+---->| (Stage 1)|<-----+<---- Verifier
              |     +----------+      |
              |          |            |
              |    sec_ctx=SK1        |
              |          |            |
              |     +----------+      |
              |     | OQUAKE+  |      |
 Verifier---->+---->| (Stage 2)|<-----+<---- Verifier
    seed            |          |            Public key
                    +----------+
                      |      |
                      |      |
  client_key <--------+      +------> server_key
]]></artwork>
        </artset>
        <t>Upon successful completion of the entire protocol, the client and server will share a
symmetric key that was authenticated by knowledge of the password. The protocol
aborts if the password did not match. The protocol flows are shown below.
Note here that if the client does not know the salt, the server must send
it to the client before the protocol starts, which it can do in plain text.</t>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="656" width="560" viewBox="0 0 560 656" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 104,160 L 104,272" fill="none" stroke="black"/>
              <path d="M 104,336 L 104,480" fill="none" stroke="black"/>
              <path d="M 104,528 L 104,616" fill="none" stroke="black"/>
              <path d="M 384,56 L 384,192" fill="none" stroke="black"/>
              <path d="M 384,224 L 384,384" fill="none" stroke="black"/>
              <path d="M 384,416 L 384,488" fill="none" stroke="black"/>
              <path d="M 384,504 L 384,576" fill="none" stroke="black"/>
              <path d="M 88,48 L 400,48" fill="none" stroke="black"/>
              <path d="M 112,176 L 376,176" fill="none" stroke="black"/>
              <path d="M 112,256 L 376,256" fill="none" stroke="black"/>
              <path d="M 112,368 L 376,368" fill="none" stroke="black"/>
              <path d="M 112,464 L 376,464" fill="none" stroke="black"/>
              <path d="M 112,560 L 376,560" fill="none" stroke="black"/>
              <path d="M 88,624 L 400,624" fill="none" stroke="black"/>
              <path class="jump" d="M 384,504 C 378,504 378,488 384,488" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="384,560 372,554.4 372,565.6" fill="black" transform="rotate(0,376,560)"/>
              <polygon class="arrowhead" points="384,368 372,362.4 372,373.6" fill="black" transform="rotate(0,376,368)"/>
              <polygon class="arrowhead" points="384,176 372,170.4 372,181.6" fill="black" transform="rotate(0,376,176)"/>
              <polygon class="arrowhead" points="120,464 108,458.4 108,469.6" fill="black" transform="rotate(180,112,464)"/>
              <polygon class="arrowhead" points="120,256 108,250.4 108,261.6" fill="black" transform="rotate(180,112,256)"/>
              <g class="text">
                <text x="32" y="36">Client:</text>
                <text x="132" y="36">PRS,salt,U,S,sid</text>
                <text x="304" y="36">Server:</text>
                <text x="388" y="36">v,pk,U,S,sid</text>
                <text x="16" y="68">(v,</text>
                <text x="56" y="68">seed)</text>
                <text x="88" y="68">=</text>
                <text x="232" y="68">GenVerifierMaterial(PRS,salt,U,S)</text>
                <text x="32" y="84">pub_ctx</text>
                <text x="72" y="84">=</text>
                <text x="196" y="84">EncodePublicContext(sid,U,S)</text>
                <text x="104" y="100">|</text>
                <text x="48" y="116">Stage</text>
                <text x="84" y="116">1:</text>
                <text x="120" y="116">CPace</text>
                <text x="104" y="132">|</text>
                <text x="20" y="148">ctx,</text>
                <text x="60" y="148">msg1</text>
                <text x="88" y="148">=</text>
                <text x="232" y="148">CPaceOQUAKE+.Init(v,pub_ctx,None)</text>
                <text x="244" y="164">msg1</text>
                <text x="148" y="212">ctx,</text>
                <text x="188" y="212">msg2</text>
                <text x="216" y="212">=</text>
                <text x="392" y="212">CPaceOQUAKE+.Respond(v,pub_ctx,None,msg1)</text>
                <text x="244" y="244">msg2</text>
                <text x="48" y="292">Stage</text>
                <text x="84" y="292">2:</text>
                <text x="128" y="292">OQUAKE+</text>
                <text x="104" y="308">|</text>
                <text x="20" y="324">ctx,</text>
                <text x="60" y="324">msg3</text>
                <text x="88" y="324">=</text>
                <text x="224" y="324">CPaceOQUAKE+.InitiatorContinue(</text>
                <text x="64" y="340">v,pub_ctx</text>
                <text x="164" y="340">None,ctx,msg2)</text>
                <text x="244" y="356">msg3</text>
                <text x="140" y="404">ctx,</text>
                <text x="180" y="404">msg4</text>
                <text x="208" y="404">=</text>
                <text x="344" y="404">CPaceOQUAKE+.ResponderContinue(</text>
                <text x="248" y="420">v,pub_ctx,None,ctx,msg3,pk)</text>
                <text x="244" y="452">msg4</text>
                <text x="48" y="500">client_key,</text>
                <text x="116" y="500">msg5</text>
                <text x="144" y="500">=</text>
                <text x="268" y="500">CPaceOQUAKE+.InitiatorFinish</text>
                <text x="116" y="516">ctx,seed,msg4,pub_ctx)</text>
                <text x="244" y="548">msg5</text>
                <text x="164" y="596">server_key</text>
                <text x="216" y="596">=</text>
                <text x="380" y="596">CPaceOQUAKE+.ResponderFinish(ctx,msg5)</text>
                <text x="384" y="612">|</text>
                <text x="76" y="644">output</text>
                <text x="148" y="644">client_key</text>
                <text x="348" y="644">output</text>
                <text x="420" y="644">server_key</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
Client: PRS,salt,U,S,sid          Server: v,pk,U,S,sid
          ----------------------------------------
(v, seed) = GenVerifierMaterial(PRS,salt,U,S)  |
pub_ctx = EncodePublicContext(sid,U,S)         |
            |                                  |
   Stage 1: CPace                              |
            |                                  |
ctx, msg1 = CPaceOQUAKE+.Init(v,pub_ctx,None)  |
            |               msg1               |
            |--------------------------------->|
            |                                  |
            |   ctx, msg2 = CPaceOQUAKE+.Respond(v,pub_ctx,None,msg1)
            |                                  |
            |               msg2               |
            |<---------------------------------|
            |                                  |
   Stage 2: OQUAKE+                            |
            |                                  |
ctx, msg3 = CPaceOQUAKE+.InitiatorContinue(    |
   v,pub_ctx,None,ctx,msg2)                    |
            |               msg3               |
            |--------------------------------->|
            |                                  |
            |  ctx, msg4 = CPaceOQUAKE+.ResponderContinue(
            |    v,pub_ctx,None,ctx,msg3,pk)   |
            |                                  |
            |               msg4               |
            |<---------------------------------|
            |                                  |
client_key, msg5 = CPaceOQUAKE+.InitiatorFinish(
   ctx,seed,msg4,pub_ctx)                      |
            |                                  |
            |               msg5               |
            |--------------------------------->|
            |                                  |
            |  server_key = CPaceOQUAKE+.ResponderFinish(ctx,msg5)
            |                                  |
          ----------------------------------------
      output client_key                 output server_key
]]></artwork>
        </artset>
      </section>
    </section>
    <section anchor="configurations">
      <name>CPaceOQUAKE+ Configurations</name>
      <t>CPaceOQUAKE+ is instantiated by selecting a configuration of a group and hash function
for the CPace protocol, a KEM, KDF, KSF, for the OQUAKE+ stage, and a KEM and KDF
for the OQUAKE stage, and a general purpose cryptographic hash function H. The KEM, KDF,
are not required to be the same, so they are distinguished by "PC-" and "PAKE-"
prefixes, e.g., PC-KDF and PAKE-KDF are the KDFs for the OQUAKE+ stage
and the OQUAKE stage, respectively.</t>
      <t>The <bcp14>RECOMMENDED</bcp14> configuration is below.</t>
      <ul spacing="normal">
        <li>
          <t>CPace-Group: CPACE-RISTR255-SHA512 <xref section="4" sectionFormat="of" target="CPACE"/></t>
        </li>
        <li>
          <t>CPace-Hash: SHA-512</t>
        </li>
        <li>
          <t>KEM: X-Wing <xref target="XWING"/>, where Nseed = 32, Nct = 1120, and Npk = 1216.</t>
        </li>
        <li>
          <t>PC-KDF: HKDF-SHA-256</t>
        </li>
        <li>
          <t>PC-KSF: Argon2id(S = zeroes(16), p = 4, T = Nh, m = 2^21, t = 1, v = 0x13, K = nil, X = nil, y = 2) <xref target="ARGON2"/></t>
        </li>
        <li>
          <t>BUA-sKEM: ML-BUA-sKEM1024 <xref target="deps-BUA-sKEM"/>, where Kemeleon.sec_param = 256, Nseed = 64, Npk = 1594, and Nct = 1568.</t>
        </li>
        <li>
          <t>PAKE-KDF: HKDF-SHA-256</t>
        </li>
        <li>
          <t>H: SHA256</t>
        </li>
        <li>
          <t>DST: "1b3abc3cd05e8054e8399bc38dfcbc1321d2e1b02da335ed1e8031ef5199f672" (a randomly generated 32-byte string)</t>
        </li>
      </ul>
      <t>The <bcp14>RECOMMENDED</bcp14> parameters are (see <xref target="params"/>):</t>
      <ul spacing="normal">
        <li>
          <t>Nverifier = 32</t>
        </li>
        <li>
          <t>Nkc = 64</t>
        </li>
        <li>
          <t>Nsec = 32</t>
        </li>
        <li>
          <t>Nkey = 32, this is achieved by choosing H in CPace with H.b_in_bytes = 32</t>
        </li>
      </ul>
      <t>Other documents can define configurations as needed for their use case, subject to the following requirements:</t>
      <ol spacing="normal" type="1"><li>
          <t>KEM <bcp14>MUST</bcp14> be a hybrid KEM, i.e., one that achieves both classical and post-quantum security.</t>
        </li>
        <li>
          <t>The parameters must be chosen so they correspond with this KEM. E.g., Nseed must have the correct length.</t>
        </li>
      </ol>
      <t>For instance, one possible additional configuration is as follows.</t>
      <ul spacing="normal">
        <li>
          <t>CPace-Group: CPACE-P256<em>XMD:SHA-256_SSWU_NU</em>-SHA256 <xref section="4" sectionFormat="of" target="CPACE"/></t>
        </li>
        <li>
          <t>CPace-Hash: SHA-256</t>
        </li>
        <li>
          <t>KEM: X-Wing <xref target="XWING"/>, where Nseed = 32, Nct = 1120, and Npk = 1216.</t>
        </li>
        <li>
          <t>PC-KDF: HKDF-SHA-256</t>
        </li>
        <li>
          <t>PC-KSF: Scrypt(N = 32768, r = 8, p = 1) <xref target="SCRYPT"/></t>
        </li>
        <li>
          <t>BUA-sKEM: ML-BUA-sKEM1024 <xref target="deps-BUA-sKEM"/>, where Kemeleon.sec_param = 256, Nseed = 64, Npk = 1594, and Nct = 1568.</t>
        </li>
        <li>
          <t>PAKE-KDF: HKDF-SHA-256</t>
        </li>
        <li>
          <t>H: SHA256</t>
        </li>
        <li>
          <t>DST: "b840fa4d4b4caec9e25d13d8c016cfe93e7468d54e936490bd0b0a3ffca1a01b" (a randomly generated 32-byte string)</t>
        </li>
      </ul>
    </section>
    <section anchor="implementation-considerations">
      <name>Implementation Considerations</name>
      <t>Some functions included in this specification are fallible (as noted by their ability
to raise exceptions). The explicit errors generated
throughout this specification, along with conditions that lead to each error,
are as follows:</t>
      <ul spacing="normal">
        <li>
          <t>AuthenticationError: The OQUAKE+ stage fails password confirmation checks at the
client or server; <xref target="oquakeplus-stage"/></t>
        </li>
      </ul>
      <t>Beyond these explicit errors, CPaceOQUAKE+ implementations can produce implicit errors.
For example, if protocol messages sent between client and server do not match
their expected size, an implementation should produce an error.</t>
      <t>The errors in this document are meant as a guide for implementors. They are not an
exhaustive list of all the errors an implementation might emit. For example, an
implementation might run out of memory.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section discusses security considerations for the protocols specified in
this document.</t>
      <section anchor="hybrid-design">
        <name>Hybrid Design</name>
        <t>CPaceOQUAKE and CPaceOQUAKE+ are hybrid PAKE protocols, meaning that the overall
protocol remains secure so long as either the classical assumptions underlying
CPace, i.e., the gap Diffie-Hellman assumption, or the post-quantum assumptions,
i.e., D-MLWE used by OQUAKE, hold. This protects against vulnerabilities in
either the classical or post-quantum components.</t>
        <t>Moreover, OQUAKE does not unconditionally hide the password. If the underlying
security assumptions were to break, then the password would be revealed to the
attacker. The reason for this is that an attacker that can break the D-MLWE
assumption can distinguish actual ML-KEM public keys and ciphertexts from
random bitstrings. For OQUAKE, this would allow the attacker to perform offline
dictionary attacks on the password. This is also the reason a parallel
combiner cannot provide the desired hybrid security (see <xref target="cpacequake-composition"/>):
if one PAKE is not unconditionally password hiding, breaking its underlying
assumption can yield the password, and learning the password is sufficient to
also break the other PAKE. In contrast, the sequential hybrid variants do not
suffer from the same weakness: the input to OQUAKE is an effective password,
derived from (PRS, secret_context) where the secret_context is the CPace session key, not the
original PRS. Performing an offline dictionary attack against the original PRS
would require the attacker to also guess the CPace-derived key, which is
computationally indistinguishable from a random value under the gap
Diffie-Hellman assumption.</t>
        <t>The benefits of this hybrid protection come at the cost of protocol and round
complexity. From a protocol perspective, beyond two independent PAKEs treated
nearly as black boxes, additional protocol logic is needed to combine the PAKEs
together and produce a shared secret based on both PAKEs. From a round
perspective, the hybrid PAKE introduces additional round trips, complicating
integration into higher-level protocols like TLS. Finally, the hybrid protocol
is comparatively new and has not yet received significant peer review
(compared to the non-hybrid PAKEs). However, the backing analysis has been
independently analyzed by at least three different groups, improving
overall confidence in the design.</t>
      </section>
      <section anchor="retroactive-recovery">
        <name>Retroactive Password and Session Key Recovery</name>
        <t>A PAKE is unconditionally password hiding if its protocol messages remain statistically
independent of the password even when every computational assumption underlying the PAKE fails.
Few efficient PAKEs achieve this: as discussed in <xref target="cpacequake-composition"/>, CPace does, but
OQUAKE does not, and this is true of PAKEs generally, not just the ones specified in this document.
This property is what makes CPace safe to use as the first stage of a sequential combiner: its
output key is never subjected to a verification check on its own, so an attacker who breaks the
Diffie-Hellman assumption learns nothing from the CPace messages alone. It does not, by itself,
mean that a session key derived by CPace stays safe once it <em>is</em> checked against something -- e.g.,
confirmed directly, or used to encrypt subsequent traffic, as happens in an ordinary standalone
deployment. This section generalizes that latter observation into a broader principle and uses it
to answer two concrete questions: which classical PAKEs allow a quantum-capable attacker to
retroactively recover a session when deployed this ordinary way, and does the same hold for
EKE-style PAKEs.</t>
        <t>The general principle is this: for any PAKE that is not unconditionally password hiding, breaking
its underlying computational assumption -- whether that happens contemporaneously or, as with a
future quantum computer, retroactively against a transcript recorded today -- allows an attacker
to mount an offline dictionary attack against that transcript, provided the attacker also has some
way to check a candidate password against it. In practice that check comes for free: an explicit
password-confirmation message, present in most aPAKEs, serves directly as the check, and even
without one, any subsequent application traffic encrypted under the resulting session key serves
the same purpose. Once the attacker recovers the password this way, two consequences follow. First,
the attacker can derive the session key of the harvested session and decrypt its traffic, exactly
as in ordinary Harvest Now, Decrypt Later against unauthenticated key exchange. Second, and unlike
that ordinary case, the attacker also now holds a long-lived credential: they can impersonate the
client in every future session until the password is changed. Retroactive password recovery is
therefore strictly worse for a PAKE than HNDL is for plain key exchange, which is why deploying a
post-quantum KEM only at the transport layer, as discussed in <xref target="related-work"/>, does not address
the risk that a classical PAKE poses on its own.</t>
        <t>This principle applies directly to classical Diffie-Hellman-based PAKEs, including CPace, SPAKE2,
and SPAKE2+, when deployed in the ordinary way, i.e., with the resulting session key confirmed or
used directly, rather than fed onward as an opaque input to a second PAKE stage as in
<xref target="cpacequake-composition"/>: their protocol messages are deterministic functions of a
password-derived generator and per-session exponents, so a quantum-capable attacker able to solve
the discrete logarithm or Diffie-Hellman problem can, for each candidate password, recompute the
generator, recompute the candidate shared secret from the recorded messages, and check it against
the verification signal described above. SPAKE2+ is a sharper case:
its password-derived offset is applied to fixed, standardized constant
points (commonly written M and N) shared by every server and session on a given group, rather than
to a fresh per-session generator as in CPace. Solving a single discrete logarithm instance for that
group -- e.g., the discrete log of M or N, using a quantum computer, even a slow one -- therefore
yields a capability reusable against any server using that group: a single live exchange with the
server, plus a confirmation or subsequent-traffic verification signal, is then enough to
brute-force the password offline with classical computation alone.</t>
        <t>This principle applies equally to EKE-style PAKEs, including KEM-based
compilers such as OQUAKE (see <xref target="ABJ25"/>): the first protocol flow is, conceptually, a
password-encrypted public key or ciphertext, so an attacker who recovers the password by breaking
the KEM's hardness assumption (D-MLWE, for the ML-KEM-based instantiation in this document) can
decrypt that flow and derive the identical session key an honest party would. The password-hiding
failure of OQUAKE described in <xref target="cpacequake-composition"/> and <xref target="hybrid-design"/> is the concrete
instance of this general EKE-style argument for the specific construction used in this document.</t>
        <t>This is precisely why the sequential hybrid composition specified in this document is valuable:
an attacker must break both a classical and a post-quantum hard problem simultaneously to
retroactively recover the password protected by CPaceOQUAKE(+), a strictly stronger guarantee than
any single-primitive PAKE, classical or post-quantum alone, can offer.</t>
      </section>
      <section anchor="identities">
        <name>Identities</name>
        <t>Client and server identities are essential to authenticated key exchange protocols,
and PAKEs are no exception. This section discusses the role and importance of
identities in the PAKE protocols specified in this document.</t>
        <section anchor="symmetric-identities">
          <name>Symmetric PAKE identities</name>
          <t>PAKEs are often analyzed in the universal composability (UC) framework,
which imposes several requirements on the protocols: (1) the existence
of a globally-unique session identifer associated with each protocol invocation,
and (2) unique party identifiers. Both are considered as inputs to PAKEs, along
with the password itself. In practice, however, computing or agreeing on session
and party identifiers is non-trivial and cumbersome. For example, agreeing on a
globally unique session identifier requires a protocol to run before the PAKE.
Moreover, assigning identifiers to parties -- especially in symmetric PAKE settings --
is problematic as there are rarely pragmatic choices to be made for each party's
identifier. IP addresses are not always unique, PKI or some other registry
mechanism for assigning names may not exist, and so on.</t>
          <t>Intuitively, in symmetric settings, passwords are the only secret input to the
PAKE protocol; party identities are assumed to be public. As such, an adversary
is assumed to know these identifiers. Fortunately, there exists a UC
model in which symmetric PAKEs such as CPace are proven secure
without requiring party or session identifiers -- the bare PAKE
model <xref target="BARE-PAKE"/>.
The UC bare PAKE model, and proof of security for CPace in this model,
demonstrate that PAKEs are universally composable without relying on
unique party or session identifiers. We believe that the current proof
of security of OQUAKE in <xref target="ABJ25"/> can be extended to show that NoIC,
the basis of OQUAKE, realizes the Bare PAKE model as well, although
we note that that this proof has not been published yet.</t>
          <t>As such, for the PAKEs in <xref target="CPaceOQUAKE"/>, both the party and session identifier
are optional. Applications are free to choose values for these identifiers
if applicable, but they are not required for security.</t>
          <t>[[OPEN ISSUE: adjust the requirements for the identities in OQUAKE on the basis on the bare PAKE analysis]]</t>
        </section>
        <section anchor="asymmetric-identities">
          <name>Asymmetric PAKE identities</name>
          <t>In contrast to the symmetric PAKE setting, party identities in the asymmetric
PAKE setting play a different role. The very nature of the asymmetric PAKE
is that one server, with many different registered passwords, can authenticate
many different clients. Consequently, when the protocol runs, the server
needs some way to determine which password registration to use in the protocol.
Beyond ensuring that the server is authenticating the correct client, the
client's identity is what helps the server make this selection.</t>
          <t>However, the server identifier carries a similar burden. Indeed,
the server identifier is used to distinguish distinct server instances
from each other so, for example, a client cannot mistakenly authenticate
with server A when communicating with server B. This is especially
important if the client re-uses their identifier across server instances,
since a password registration for server A would then be valid for server B
if the server identity were not incorporated into the protocol.</t>
          <t>Based on this, client and server identities are <bcp14>RECOMMENDED</bcp14> for the asymmetric
PAKEs specified in this document (in <xref target="CPaceOQUAKEplus"/>). Both
client and server identities can be long-lived, e.g., a client identity
could be an email address and a server identity could be a domain name.</t>
          <t>Practically, applications should be mindful of what happens when these
identities change. Since they are both included in the password verifier
(see <xref target="gen-verifiers"/>), changing either identifier will require the
veirifer to be re-computed and the client to be re-registered. For a single
client, this change is minimal, but for a single server, which can have
many registered clients, this change can be expensive. Applications therefore
ought to consider the longevitiy and uniqueness of their party identifiers
when instantiating these protocols.</t>
        </section>
      </section>
      <section anchor="timing-and-tempo">
        <name>Timing Attacks and Tempo</name>
        <t>OQUAKE (without the fix from <xref target="TEMPO"/>) is subject to a timing attack
due to how the ML-KEM expands the key-generation seed (rho) to a matrix (A).
An internal function — SampleNTT — uses rejection sampling based on the seed
and therefore is variable time. In NoIC / OQUAKE, after a sender password-encrypts
a public key, an attacker can perform an offline dictionary attack based on
this key in the following way:</t>
        <ol spacing="normal" type="1"><li>
            <t>Password-decrypt the authenticated public key using a candidate password.</t>
          </li>
          <li>
            <t>Time the seed-to-matrix expansion step using this candidate public key and
compare it against the known timing target.</t>
          </li>
        </ol>
        <t>The Tempo fix addresses this issue by ensuring that input to SampleNTT is not
secret-dependent.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="FIPS202" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">
          <front>
            <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title>
            <author>
              <organization>National Institute of Standards and Technology (NIST)</organization>
            </author>
            <date year="2015" month="August"/>
          </front>
        </reference>
        <reference anchor="FIPS203" target="https://csrc.nist.gov/pubs/fips/203/final">
          <front>
            <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
            <author>
              <organization>National Institute of Standards and Technology (NIST)</organization>
            </author>
            <date year="2024" month="August"/>
          </front>
        </reference>
        <reference anchor="CPACE">
          <front>
            <title>CPace, a balanced composable PAKE</title>
            <author fullname="Michel Abdalla" initials="M." surname="Abdalla">
              <organization>Alloc Init Labs - New York</organization>
            </author>
            <author fullname="Björn Haase" initials="B." surname="Haase">
              <organization>Endress + Hauser Liquid Analysis - Gerlingen</organization>
            </author>
            <author fullname="Julia Hesse" initials="J." surname="Hesse">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <date day="22" month="April" year="2026"/>
            <abstract>
              <t>   This document describes CPace which is a protocol that allows two
   parties that share a low-entropy secret (password) to derive a strong
   shared key without disclosing the secret to offline dictionary
   attacks.  The CPace protocol was tailored for constrained devices and
   can be used on groups of prime- and non-prime order.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-cpace-21"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8017">
          <front>
            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="November" year="2016"/>
            <abstract>
              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 3447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8017"/>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
        </reference>
        <reference anchor="XWING">
          <front>
            <title>X-Wing: general-purpose hybrid post-quantum KEM</title>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Peter Schwabe" initials="P." surname="Schwabe">
              <organization>MPI-SP &amp; Radboud University</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This memo defines X-Wing, a general-purpose post-quantum/traditional
   hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML-
   KEM-768.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-connolly-cfrg-xwing-kem-10"/>
        </reference>
        <reference anchor="KEMELEON">
          <front>
            <title>Kemeleon Encodings</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <author fullname="Shannon Veitch" initials="S." surname="Veitch">
              <organization>ETH Zurich</organization>
            </author>
            <date day="29" month="November" year="2024"/>
            <abstract>
              <t>   This document specifies Kemeleon encoding algorithms for encoding ML-
   KEM public keys and ciphertexts as random bytestrings.  Kemeleon
   encodings provide obfuscation of public keys and ciphertexts, relying
   on module LWE assumptions.  This document specifies a number of
   variants of these encodings, with differing failure rates, output
   sizes, and performance profiles.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-veitch-kemeleon-00"/>
        </reference>
        <reference anchor="ARGON2">
          <front>
            <title>Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications</title>
            <author fullname="A. Biryukov" initials="A." surname="Biryukov"/>
            <author fullname="D. Dinu" initials="D." surname="Dinu"/>
            <author fullname="D. Khovratovich" initials="D." surname="Khovratovich"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="September" year="2021"/>
            <abstract>
              <t>This document describes the Argon2 memory-hard function for password hashing and proof-of-work applications. We provide an implementer-oriented description with test vectors. The purpose is to simplify adoption of Argon2 for Internet protocols. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9106"/>
          <seriesInfo name="DOI" value="10.17487/RFC9106"/>
        </reference>
        <reference anchor="SCRYPT">
          <front>
            <title>The scrypt Password-Based Key Derivation Function</title>
            <author fullname="C. Percival" initials="C." surname="Percival"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>This document specifies the password-based key derivation function scrypt. The function derives one or more secret keys from a secret string. It is based on memory-hard functions, which offer added protection against attacks using custom hardware. The document also provides an ASN.1 schema.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7914"/>
          <seriesInfo name="DOI" value="10.17487/RFC7914"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="Gu24" target="https://www.escholarship.org/uc/item/7qm0220s">
          <front>
            <title>New Paradigms For Efficient Password Authentication Protocols</title>
            <author initials="Y." surname="Gu" fullname="Yanqi Gu">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="LLH24" target="https://eprint.iacr.org/2024/1400">
          <front>
            <title>Efficient Asymmetric PAKE Compiler from KEM and AE</title>
            <author initials="Y." surname="Lyu" fullname="You Lyu">
              <organization/>
            </author>
            <author initials="S." surname="Liu" fullname="Shengli Liu">
              <organization/>
            </author>
            <author initials="S." surname="Han" fullname="Shuai Han">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="LL24" target="https://eprint.iacr.org/2024/1630">
          <front>
            <title>Hybrid Password Authentication Key Exchange in the UC Framework</title>
            <author initials="Y." surname="Lyu" fullname="You Lyu">
              <organization/>
            </author>
            <author initials="S." surname="Liu" fullname="Shengli Liu">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="HR24" target="https://eprint.iacr.org/2024/1621">
          <front>
            <title>PAKE Combiners and Efficient Post-Quantum Instantiations</title>
            <author initials="J." surname="Hesse" fullname="Julia Hesse">
              <organization/>
            </author>
            <author initials="M." surname="Rosenberg" fullname="Michael Rosenberg">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ABJ25" target="https://eprint.iacr.org/2025/231">
          <front>
            <title>NoIC: PAKE from KEM without Ideal Ciphers</title>
            <author initials="A." surname="Arriaga" fullname="Afonso Arriaga">
              <organization/>
            </author>
            <author initials="M." surname="Barbosa" fullname="Manuel Barbosa">
              <organization/>
            </author>
            <author initials="S." surname="Jarecki" fullname="Stanislaw Jarecki">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="TEMPO" target="https://eprint.iacr.org/2025/1399">
          <front>
            <title>Tempo: ML-KEM to PAKE Compiler Resilient to Timing Attacks</title>
            <author initials="A." surname="Arriaga" fullname="Afonso Arriaga">
              <organization/>
            </author>
            <author initials="M." surname="Barbosa" fullname="Manuel Barbosa">
              <organization/>
            </author>
            <author initials="S." surname="Jarecki" fullname="Stanislaw Jarecki">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="VJWYMS25" target="https://eprint.iacr.org/2025/1343">
          <front>
            <title>A Hybrid Asymmetric Password-Authenticated Key Exchange in the Random Oracle Model</title>
            <author initials="J." surname="Vos" fullname="Jelle Vos">
              <organization/>
            </author>
            <author initials="S." surname="Jarecki" fullname="Stanislaw Jarecki">
              <organization/>
            </author>
            <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
              <organization/>
            </author>
            <author initials="C." surname="Yun" fullname="Cathie Yun">
              <organization/>
            </author>
            <author initials="S." surname="Myers" fullname="Steve Myers">
              <organization/>
            </author>
            <author initials="Y." surname="Sierra" fullname="Yannick Sierra">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OPAQUE">
          <front>
            <title>The OPAQUE Augmented PAKE Protocol</title>
            <author fullname="Daniel Bourdrez" initials="D." surname="Bourdrez">
         </author>
            <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
              <organization>AWS</organization>
            </author>
            <author fullname="Kevin Lewi" initials="K." surname="Lewi">
              <organization>Meta</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare, Inc.</organization>
            </author>
            <date day="21" month="November" year="2024"/>
            <abstract>
              <t>   This document describes the OPAQUE protocol, an augmented (or
   asymmetric) password-authenticated key exchange (aPAKE) that supports
   mutual authentication in a client-server setting without reliance on
   PKI and with security against pre-computation attacks upon server
   compromise.  In addition, the protocol provides forward secrecy and
   the ability to hide the password from the server, even during
   password registration.  This document specifies the core OPAQUE
   protocol and one instantiation based on 3DH.  This document is a
   product of the Crypto Forum Research Group (CFRG) in the IRTF.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-opaque-18"/>
        </reference>
        <reference anchor="SPAKE2PLUS">
          <front>
            <title>SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE) Protocol</title>
            <author fullname="T. Taubert" initials="T." surname="Taubert"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes SPAKE2+, a Password-Authenticated Key Exchange (PAKE) protocol run between two parties for deriving a strong shared key with no risk of disclosing the password. SPAKE2+ is an augmented PAKE protocol, as only one party has knowledge of the password. This method is simple to implement, compatible with any prime-order group, and computationally efficient.</t>
              <t>This document was produced outside of the IETF and IRTF and represents the opinions of the authors. Publication of this document as an RFC in the Independent Submissions Stream does not imply endorsement of SPAKE2+ by the IETF or IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9383"/>
          <seriesInfo name="DOI" value="10.17487/RFC9383"/>
        </reference>
        <reference anchor="BARE-PAKE">
          <front>
            <title>Bare PAKE: Universally Composable Key Exchange from Just Passwords</title>
            <author fullname="Manuel Barbosa" initials="M." surname="Barbosa">
              <organization/>
            </author>
            <author fullname="Kai Gellert" initials="K." surname="Gellert">
              <organization/>
            </author>
            <author fullname="Julia Hesse" initials="J." surname="Hesse">
              <organization/>
            </author>
            <author fullname="Stanislaw Jarecki" initials="S." surname="Jarecki">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
          <seriesInfo name="Lecture Notes in Computer Science" value="pp. 183-217"/>
          <seriesInfo name="DOI" value="10.1007/978-3-031-68379-4_6"/>
          <seriesInfo name="ISBN" value="[&quot;9783031683787&quot;, &quot;9783031683794&quot;]"/>
          <refcontent>Springer Nature Switzerland</refcontent>
        </reference>
      </references>
    </references>
    <?line 1984?>

<section anchor="params">
      <name>Deriving parameters</name>
      <t>This section discusses how to generate parameters, given an upper bound on an adversary's advantage in breaking the hybrid (a)PAKE. The parameters in this standard correspond to a classical hardness of 117 bits (considering the attacker can break CPace) and a quantum hardness of 100 bits. We assume that an adversary can perform at most 2^qq queries to random oracles or (a)PAKE sessions. We use qq = 64. The derivation below uses some approximations, ignoring small constants in the exponent such as 1 and 1.6. We also only study dominant terms in the advantage equations.</t>
      <section anchor="parameters-for-cpaceoquake">
        <name>Parameters for CPaceOQUAKE+</name>
        <t>We have the following requirements:</t>
        <ul spacing="normal">
          <li>
            <t>Nseed * 8 + Nverifier * 8 &gt;= 2 * qq + classical hardness</t>
          </li>
          <li>
            <t>Nverifier * 8 &gt;= qq + classical hardness</t>
          </li>
          <li>
            <t>Nkc * 8 &gt;= qq + classical hardness</t>
          </li>
          <li>
            <t>KEM failure &lt;= -qq - classical hardness</t>
          </li>
          <li>
            <t>KEM ind vs classical &lt;= -qq - classical hardness</t>
          </li>
          <li>
            <t>KEM ind vs quantum &lt;= -qq - quantum hardness</t>
          </li>
          <li>
            <t>CPaceOQUAKE vs classical &lt;= classical hardness</t>
          </li>
          <li>
            <t>CPaceOQUAKE vs quantum &lt;= quantum hardness</t>
          </li>
        </ul>
        <t>For ML-KEM we have Nseed = 32.
For consistency, the spec uses Nverifier = 32.
ML-KEM1024's failure probability is 2^-175.2. This is slightly too large, but we deem it acceptable: the chance that an adversary encounters a failure is purely statistical and very small.</t>
        <t>The following subsection discusses the parameters and hardness of CPaceOQUAKE.</t>
      </section>
      <section anchor="parameters-for-cpaceoquake-1">
        <name>Parameters for CPaceOQUAKE</name>
        <t>For the security of CPaceOQUAKE+, we require that CPaceOQUAKE provides:</t>
        <ul spacing="normal">
          <li>
            <t>CPaceOQUAKE vs classical &lt;= classical hardness</t>
          </li>
          <li>
            <t>CPaceOQUAKE vs quantum &lt;= quantum hardness</t>
          </li>
        </ul>
        <t>We have the following requirements when CPaceOQUAKE relies on CPace's security:</t>
        <ul spacing="normal">
          <li>
            <t>CPace vs classical &lt;= classical hardness</t>
          </li>
          <li>
            <t>Nkey * 8 &gt;= qq + classical hardness</t>
          </li>
          <li>
            <t>KEM failure &lt;= -qq - classical hardness</t>
          </li>
        </ul>
        <t>We have the following requirements when CPaceOQUAKE relies on OQUAKE's security:</t>
        <ul spacing="normal">
          <li>
            <t>OQUAKE vs classical &lt;= classical hardness</t>
          </li>
          <li>
            <t>OQUAKE vs quantum &lt;= quantum hardness</t>
          </li>
          <li>
            <t>Nkey * 8 &gt;= 2*qq + classical hardness</t>
          </li>
        </ul>
        <t>So, the smallest Nkey = 32.
We ignore the KEM failure following the same reasoning as above.</t>
        <t>The following subsections discuss the parameters and hardness of CPace and OQUAKE.</t>
      </section>
      <section anchor="parameters-for-cpace">
        <name>Parameters for CPace</name>
        <t>We refer to the CPace <xref target="CPACE"/>. This standard requires Nkey, the number of bytes in
CPace's session key, to be 32, so one must set H.bmax_in_bytes = 32.</t>
      </section>
      <section anchor="parameters-for-oquake">
        <name>Parameters for OQUAKE</name>
        <t>We have the following requirements:</t>
        <ul spacing="normal">
          <li>
            <t>BUA-sKEM ind vs classical &lt;= -qq - classical hardness</t>
          </li>
          <li>
            <t>BUA-sKEM ind vs quantum &lt;= -qq - quantum hardness</t>
          </li>
          <li>
            <t>BUA-sKEM public key uniformity vs classical &lt;= -qq - classical hardness</t>
          </li>
          <li>
            <t>BUA-sKEM public key uniformity vs quantum &lt;= -qq - quantum hardness</t>
          </li>
          <li>
            <t>BUA-sKEM ciphertext uniformity vs classical &lt;= -qq - classical hardness</t>
          </li>
          <li>
            <t>BUA-sKEM ciphertext uniformity vs quantum &lt;= -qq - quantum hardness</t>
          </li>
          <li>
            <t>BUA-sKEM key * 8 &gt;= qq + classical hardness</t>
          </li>
          <li>
            <t>KEM failure &lt;= -qq - classical hardness</t>
          </li>
        </ul>
        <t>For ML-BUA-sKEM, if we set Kemeleon.sec_param to 256, it is as hard or harder to break public key and ciphertext uniformity as it is to break indistinguishability, so we discuss all three properties at once.</t>
        <t>For ML-BUA-sKEM1024, the resistance to classical attacks is approximately <tt>253 - qq</tt> bits of security. So for qq = 64, classical hardness is approximately 189 bits of security. The resistance to quantum attacks is approximately <tt>230 - qq</tt> bits of security. So for qq = 64, quantum hardness is approximately 166 bits of security.</t>
        <t>The ML-BUA-sKEM key is 32 bytes, so this satisfies the requirements.
We ignore the KEM failure following the same reasoning as above.</t>
        <!--
# Test Vectors {#test-vectors}

This section contains test vectors for the algorithms and protocols specified
in this document. The test vectors correspond to the configuration specified
in {{configurations}}.


## OQUAKE+ Test Vectors {#tv-PCP}

This section contains test vectors for the OQUAKE+ stage specified in {{oquakeplus-stage}}.
Each vector consists of the following entries:

- seed: 32-byte seed for KEM encapsulation, encoded as a hexadecimal string;
- salt: 32-byte salt for password verification registration, encoded as a hexadecimal string;
- PRS: password reference string, encoded as a hexadecimal string;
- SID: optional session ID, encoded as a hexadecimal string;
- pk: derived KEM public key, serialized using SerializePublicKey and encoded as a hexadecimal string;
- SK: 32-byte shared secret for the OQUAKE+ stage, encoded as a hexadecimal string;
- challenge: protocol message output from Challenge, encoded as a hexadecimal string;
- response: protocol message output from Response, encoded as a hexadecimal string; and
- key: derived shared secret output from the Challenge and Response for server and client, respectively, encoded as a hexadecimal string.

For these test vectors, the KSF is SHA-256. The vectors are below.

~~~
seed: 40e5a6554eb988ee21e84a593f744e611ededff48dfb0e43c763b3a8b0315bb
a11af1e05e840a1521987ecf82a37fdbbb0216ecbc85ce51005fc61b83d7c0929
salt:  b33f867d93433ff91557e6ecad9d934935cf8da580538c0e444eee15c86c32
04
PRS:  746573742070617373776f7264
SID:  4c43fe04b479f5b41eab59f18d93d5a9
pk:  67f7248ab55a3a35c6e9e1acece73d69d50a67f87b0a1c4aef942953567b6d7a
101ce75dfe04c5f7979f93d1749fd98c92dcb75c975d2830ac04a387b78a13573b076
ee3505a66c58c3a404a202c1f0b7d4a2b1bdd6696e1caa35bf89df6ec3f54d786b3b7
7f26ab3a3af755ee96c6f155088721966cb732e1c40f2e78a614b8abfc030c6d61399
f804531c90ce50275cec8035b77c3e8b7b049793d51b022690088e7eab901198b6e09
071dc946e67732c7a4bbb394714a61402dc64a28bab16f111ce34149a8150b19fbca9
36c45311020fe357300801ecb8b5513ab12e48592f6d922666a72229c9bfad3c92f15
0e2223154db9b50fb07fc0748fbef872ea9b5e3c22447487c1805ca0af8725573828d
40aacac9759ed48664c12a8641577cb8c5aa1a501fccc2149d123a4c48592fc6c9089
54f0e383996b8687d658a94a18a242274c08839b306b81270b1c717dfcb36c10809b8
ee5b70c724ba761b2c5e4ab43823725fb5fc46b17007038266b258ad19ac4369e8cd4
53c566a6aa85677056933bd926d466a5f4a9b0dcaab0d3f8a5e603681f960b099a5d1
ef8b677a27b02b9ae84a34f1f24445788be59752a68b4777613598786a50d42568675
82ad9a5a79e7663b5b28303959f5c5a69f5173d702bda6b6a0e0656613e58ad9e75aa
b353b8a570b88a79d3e020ad50738a4e17b82b0852544b212990843076a070323a491
8bf1f3144a70ac156232d83773d3d5c1137907e83b0c68165f71a1128122418669565
9293caf20512c73b3fd2a4d85f99d422c5829685138c921468126709187eb408668e6
a9e023565899ca69a53f1f79c70d2c525c7919289247278021387351ead1122fa5c7f
ac0022a0ab4413437d091804e543d3deaace3360978e926cb71bb32280b2948cb061b
7eb6187ee020602037144b93bbdacc1c5f362dc2c7a738057e5c973e0cf77f3023461
1052e949b22e0a32d67d68e5ea28c7e95493419732f249aa28c08e9509b9940845625
5e46fbc46898c61a6408b97b00ee1a868b2128266bcc7bca38e214b43364b408c0c54
67b472e592f1165aa9612b863b511ce31795fe320a0ab6f6851ca4f896675fc02eeb8
4f3d01ba691b51396a42eec0ab32f77eb061a72c902f3f45ba424088444c4857913be
91bb31e161245f3cde1aacfdce5a866224f3db0bcd53529b1da2be6020d1489839e00
04071a5607f33f890b386d6835792788e3c794136503f0c4269afa031ef6305d010b0
35a1325a8909179ce57972375e5b9284cc328b66f6e076d1ba085e38c9cedf29f2913
470f6051f1fa6a3880bd45e5784f019a93f37789880eb01c3fb9cc3ddb096968675a5
d65acb99571de52bf5d282731f34d5e69c070da3795202f65354034e65f35267b74a6
b3ea469936230f493c4235365d4357629e9429c2ab9edcb279be2688f690849e0b1be
d94b7a0d1113c6c372d247cd7b46b9cb492324c9e705692e888a7ffe52ca9f00f5dc8
2888370b09db519e8aa743052142e34294423a29e30428ccc94859693d07b5cdf6115
e176fe8da8dae1b4bc7a5c5b752a52e5ccdced571fbeb3b0f14a5fd2a397406980fd8
078e8786d70b2738187747658f58658b14d2b14d1f04ca18347a044c9b21b0bdb035e
33d2aeee45ab3106c4d8ba8ec9c9dc3eb4167db9965d92765c9b4522bb08cf35fd56c
1a19c426d38a6263c45728
SK:  75e99907f38993c973b58599ca73122e568baa5cfa2736e5049dd079f295362e
challenge:  3a27df1e4b119f391ec2e83cd864658df3b4cec728b32ff704cfc24fb
af3cf72a31c6a115f1fb58269c36d5256e6cf92f62de157b4b3e5669d09982391be43
6038da6950b09b2f6a860b793be2e670b723a5066e854bd505e7634f18fdae30e2ee7
2467132a56bbf22b854286ef7ea3c5b508088d78ebcc0db57ca7afebff377f233f10a
34ab5bbda3c200a0f1127127eaa89c621a39c67335c308869e7c100f9a98d94ebf264
698a6b24ab316347b62e2e4408bbb4241ad2430a156147914132ca937cc43dc2d37ea
1cf7ecf285195ab7dd2d6583b1ddfaed1c3d87bdea64f015e7dfaf6f5ea727b23bce6
3ea5e0614fbd345e01839983291ad7b696d1a08e262efde487e85a44384ed610704b4
9fa9d00c27ceeee88733bcefbb6b5f975eab85069988bc58883ba380c42b0d8dec070
8f9e1c6d0705606c0c0f82d10c9eb2ea17556897ba953819e717e3117f8b0f753bffa
4357d8f94b4b25acba72580682d3cd7d65d28286200bf4d2cd75dd4df4d94baf64fbb
3e57ac127f07164b99db146f29cddc404e313baabbecee1bd8393da7539da7b15f08b
7a8208d29c636257bae5fed04cd3935d1e342bc7eb29ccdc68a71a47c5f06fcbdd492
a0b80fbf23731d501c32c5fc28d974288f2c926b5eec29d4c905518d3e3bab3cdb411
842c3e2e1a3a414aff34f627b11db5f58d5d1e29e21294407c48f44f0b1c01237756f
4ed85032b5acdb7ee5cda80383fc8621b713b17472c549b362f9afd208ca2f6d4bd67
5f8a6af2c047f261b83b6e40bceac3416f7f749b81b780475c0a636d0ddb9eb49fd30
630b07dcd9ef2af3809bd251a94da40881b5116b27ab9f0d84f12072bf050d7d15e86
9770397fcf4508861f76ea461378d236ed99ab903a4026d19a22038e58f349d251e7b
d6148030f530d1c7e84a1a15febd2c21030c11a8bd2fe52bc629b650b330a7431c3e4
d6111eba76abdc95dd3af8f5839317bc2fa737107b9610280841d3af9c5b0dc69032c
f23bee87fdbde6c39a100994e5c2df3b3e70f9f52f388c9d65079ec15154bb731e6b1
3c33f438779572d23a67f5b421db648b27dcab657ba03dd355ee90dff8c4c8ef7bd2f
ed0b0dbbf7db006f0b5c045b92e77b84e9da9fdf4290a00ed8fb4d634f34ff6d84b71
951d2181c990bd374f47fd170b46fe61756b0a6011b41e4577a7e985feefbb312ed12
c2151cdcf633d3ef175ffc2f23ab28f3a80e39eea740683601a6498f4b97ad8f78884
592e3c8524d278a9a26801e813e73d228b76026f236d4cef2165ae9988ada31cca20a
f029d14969ecbd169d01de04ff946db136ecdefcaff840e21b18b6b14a1a1a3315e17
701ff74fb07f4c1d35bb6bc641ccc84a3d37aecb6fee530554d267195119da7f44e1b
a3aed0c67c07395d9e75a4e690ed0164787fa6a63b8cdd38fa090ea23982871fa1e9a
bf90712985d70e965402e1b0d4382b7be3b72e41282fdf44984a8901bdb0c5f3ce602
6d371738970a0ebc12cbe06f495b76b82217eef79908c52b8e557c47ea289255ac477
f3d9e19ff2325ae771d04195d5424c86f40a31869c31f2f585f53e924b6de8db4c812
2f02e76a2d09dc8ae767eddca309fce33f50b770f7dd5cfdd4f46c2112bee16f93499
5fa0b2f5e69dd9958f4fcc73840598e13f
response:  37fb1b659261093758f48f540f337893076b8819ef5f556696fa9ba8f8
717d91
key:  eebae83892d72a88e2d53b2a3b3f5ac0c24c9c69c8416312557f77008db9cc1
e

32 1120 32
32
seed: 3b30129132073b2a61e29403e2d57f60e530fe823ddeed80ee218a6c931f805
7764f38b1eb5665ab5972c9db8a5d8e06388a1296e440d7975639e71a37993d30
salt:  3c8fd7ae7c9aa2b2d1c4789f046f8b3155a76c566829df38d6cff98ca2ef5a
07
PRS:  746573742070617373776f7264
SID:  773d45f4506bff8e1cd2e9d062b8a23e
pk:  8e3292fd769532243b141b0c922b76ec63c6f2128faa9687c2196c7c99347d96
07c765a3e0faaea43829e8134c54a4c7bda82231999c61053cf29b2ef6fa91f5da948
4ac33f0fa510b8b324697686bc1c4dcf2b4ebe636f2957b8626c823a9c92b8b9b2401
2cf65cbda16038a8911c7488c76326b5cc4648a62b8bb476bffa79a523347c7443a2d
7432ca7f016e9100620264eb9e05250e18cbfd02347f3681b513eaadb6d7067984d9b
5692f703273c6e19f16e757a45adabcc4d3a3ef1eab1890a0959a93c88627f057b78f
94940a29a65fbc0ce96276d9c334edbca17d18404a996594efa0672ab2e1bd078e0fa
6611127835e9757b5c8033d67a318b01d07a536732742efbcac9c90830e30b4caa116
39c5681a4c16fe703d2e68b26cb6628a74b039344b6c58ed0d7ab63809940c393c463
6cd8836b9327c052d839d6bc503484303ad84d36fc98625ac457ca2d50969ccd31560
ea465abfa8d0240c20bc17aa95309dae53ec510b78b4143b3f97333aa7166d80a67b9
8f9d78ac64003b90595c330aae1ba15f1c733392ab89c21213e20c273d958311d4314
ad21593859e3bb9c12b26c916c27fad4ccbea3a916bbb481012b8fd6600bf23365b07
6be7f8b3d128426f5269a355bc4c628663e96154a65fa8ea357eca432360979218775
9d248bee2593ae47071486a9b05913534b2f6e94111c76488fca850798715cbb32664
c9352c5793f69fd9f3c9a4604aa86466f6008f94d7c719aac8bc5a2471a50f4a6b3db
010656e3544f1e940e1f6233d7c4595d8355b5055ec7c3c029407d0ac5b40357bf3ca
09a1743ef9d16a3212767b12b388148e94c13612112deeb34078b33ef8976501867b8
2965f1933123910a0da81b396dc32d66485b18748b0e2b0cb760fc42770766a401761
b08c3b7784167fd1983575f94c09b32f38a684f126312a9ab96f29c66812903107bdb
47bcdb226404e50a2c3360a15f95e115654062974322905db67a17eda1c190219e4e9
15a8189bb07a0441e37851312348c488f6514ffe35332ef99da4371025e53bf531202
3b199da26b05af08f54e2280b5594d498519060129117c0c396853f3a4edc42b91cd7
0dd9c53e7843963d033b7cd384e91353526941c7a4ada76a90dfecb0e6cc243393af7
572cda8654b68d99a3c8176c8897ec7076b39e7978bc0427ee8908e9648b75913f610
5e5128aea2552ac547375217aee72104d244cc50585749b9011651c5f408c9b4076c5
a256429f582f58502dea8a12bbb4f644c93845aa72f46109bd3ac3ec224c17a4e7eac
83296c0e803c7090cab15688c78bb733f284bfc03646c8984943c29be0601bb77b604
8c418981a0099221679696ee917cc47e17d5c56ad4c11c02e3b7fd4c1624bec169ab9
16adc07e53870c46a8cba3a4784d9c53af537e6931bf96aa6e3e80cc5be359ab67a01
8797eb5f670f488c103254e5bb539cdd4560e0a2a19e86a3fe0767359014ea57ac9ba
0d5366ce17e3c4a6280136cb3c42960ed0887f1e9019064683d75708c71b9e14118be
bfb6c394c5279d38380a7a920ac08ab8b5477a4174469aad57435792c5e784b0a8005
3a50600891a84a7fb0ceada135936877d6f2fdf320cbd88d62311b60a73d482319811
4d094af545fce5335a145011115721d2bf9ad6e22dd012bf4244733737bf74bfe349b
d2d91e0f8b60c0dd863f2c
SK:  000a7035444b5505dceaabc0494c435631abb144ca0242d450d463f792325e5e
challenge:  afd063e56a36a60fa0520e132f583b75fd82d0c823240e94f85dbf464
098c503af451d9e91d253d1f2ee3da15d00370a80a1f7328e8b4f2135878dcff0a579
86a7617774d64c00aab8e3dca2732857cb3635dc3e788e7ecf07d115db713a8d42a4d
6e17dbb1af37d1dffc789344631cf38ff80534d18e8769bdebe2b2a7d77f7f8cd802e
c644d596186b696144df96a3cd14c5177be93a9c7b2b4cb152f1f3313f69bd5fa206c
317b6d5bbeb578b0241d21d5ccee07aa055dce6f969d921f448ce455287ea6eba1833
6155b4c7fae472445d2f30588084bc7225fa07a887db6e586e4d4f44af1c294cb112d
84536b877c570053a365780e2f3ccfdc92be8cfb527eaa3ac87e2c02aac6d129d04e1
81a404354c9fc2eb4d73513131bb437048e974f3e6907d2b28d56493634e5b9edb8f7
e356854119dbede512f6cc52794d1c15059bbc59d3783b07088c55b48f8b4b69fba9f
5dbe845eeb86034ef3b6d0765f1bcf361952fcd94f9ca33dcf2f5cae6943518fc87ba
aa4acc5d8ef056bd65e60ac52617254681e41b31bdb51803d1a27731dc4183255ebb9
4db1b45e7a84821e358a3ce0bbfc8f982bfb7ad1deb61e6b8718875c6cf6549dab765
45da0d71891f7fb95d51bdb7aa362e7e27706761da2f78a70f00aeec0d6d2f710720e
2431c6c35e3760b93051d2e83c6c68c125e895973555a9de6b736ea8d38d913f2d0ec
9d7d41fd23ae1f999af5e1e3f10d4dd2753f7f83b550139848bf582833bd34248c424
5f01f3131176eec196dc4ecb6c6517a7cec94dde2806af44557c5ec07d63e6efa219a
723bec5f4e2470e5a57b021b395fd1f8d36826d99a9b0eaf1458d25fd52ae499a1587
0197f4ecde53cdd7b076b44bded65e6a291b8a1722af52bfff782173d06f65678a186
095fc48d1be339ce280c21d356c298a60ebfa9ca421ca091ab5e2f28f5167b641c0de
1cba4c5ddcf27950350134701696fe5b6063b3a21d7690a2c2406a949db2f88c2d205
e20f92012618ae0698e071c2fc6d81bad5c791dfb8e391b4138edd92bcbd05cab4566
160421165406b4fe3e17f87e80af03e942396c8dcf590da6b9b30f0d08802df320c84
c88d46251cfb77f3b94a7908caa718ce2deb31209c00dcd0c990c31c1da93f4755cd8
97685c1234e3cb92b08ea6ff7ce035bd2372552e29fa98e7ef9890ae9d61c83c8b275
9f3edee6cebbd97f1b6b063efffcdc792e64343bd368a99166d313f6c7757182d89a2
9c9f6f32947d95dccd47164184c51b555e303fce895f9750f2938d94912fe40e7cf2a
3b5cd9c486906f9f76744de9269c4dd3e1469cd0dd720ddb59f5effe454da764a99f1
1fee3abe86ff00a190c1de28965fc9b3a42ceb6f41659c140773abdc2e0902a8a0c56
117a25c6f7b19c5e5d9c421daae445c402a500c0fdee03dce2f5dfd6d74613de7096a
ac90db5ebbcdd92837f9fad8ae397d7fefdf10aebdf6df4b27f5f61c5ffc47016fd5b
8f0456c858d92aa3f0188dad5b271779ca0ae479d0bcc301be32397aa9905b164b788
7136b5b33a39e49bc6a9f9f57482b2aec082faecadeb0eeceda3fb6ccc07132c37601
f7849711dd4d5d5a27ea3f43f32a1dee7b773fea55cc4b6ca3e46efae52259d1aa079
2fbaa62a0e7f126eb9d80ebe44064e008c
response:  5d30fbc51d341e49c0cdc96ccfe18a25372cea8cd7eed01acae245d402
6bde16
key:  ee7ac0f6a0ab18483d203aae52aa893b746ab54df182ff2e2e0d1d4f73605d5
0
~~~

## OQUAKE Protocol Test Vectors {#tv-OQUAKE}

This section contains test vectors for the OQUAKE protocol specified in {{quake}}.
Each vector consists of the following entries:

- PRS: password reference string, encoded as a hexadecimal string;
- SID: optional session ID, encoded as a hexadecimal string;
- init_msg: output message from Init, encoded as a hexadecimal string;
- resp_msg: output message from Respond, encoded as a hexadecimal string; and
- key: derived shared secret shared between client and server, respectively, encoded as a hexadecimal string.

The vectors are below.

~~~
PRS: 4b6cf40f371bc801e81b8f2b26cd5a0f
SID:  652b728f66e2ee44a5354dfb7236cdca
init_msg:  59fb9e82387ce589dc8e2f4a2759eb9402ad30968545a119419e9a36bd
eb4d712489761cc7cd4e8856289840903e871a12c9ecf199e7e2e4e43816fe6049a6c
9ae29ea00a0bd58411bfd9a789c9b57ad7d7e45a867e7565bdd21ef79a708f27f4b92
918bc8967d35c609e6acae596b994719f9a84388d9c2707bf8db15ed13f42ca327844
c42e331ee892847bda3a21e9b9d56e47374374e94a0bf3301b09bed0d9813af3d7b52
fb85e50063917c63070000213f24e8af110197a1a8186ef62fd59dc3dffc1d0dd7819
722950694195694b97f8d62dab464321433134f4bc140c6e107b282a3e71dfa3645d1
4f7e4da70fd99e89be47f1f26b7c3a33e005a43abb71813a1fef959dc7acb109e3323
e4241f35596dfef0715e0c0106d9530af464c4699b2e3925a6dd6e996e97eb42ce57a
187c8e94d901510d462e02f0092622a67edd3a612b78fad83aa9b557ed42ebc0bcb7e
9b72bfff81916f232085c7b0d618411d39ccbac4c3091f3506d246de2d5ead0a5b184
ca5b36dd408419edc21742d6b141e9cb647a55bb0797fb3308ad49cc567a4d0338049
44cba3303de1bc088f240a45f9526bece4c372c9a50e83a669e1bece4ae92e3736f95
99d4f1f65434db5c5b7cfedbbbb9c2620f2f0e9804046ef53b5c47f0876be57970c93
74eeff829bbeb265afffed437f1c23b60af5a5210bef5f76b334bd269ae17b890320d
5e54051985cd7b67ae9a7472d70fb6eb0575a5bd44b64ab55b2cade147c6f4aa2aefb
dcb4b1662eb6c0fd292877d688cc5df46f39189869cd8c027b405833d10ed3b3f75d0
55f49e4bea1267e2635a0d182df59862fa31bee58318be03310e9d5eabd404fe91e8c
179af9c0a64d4b02d68d4f23ebb01d9674581d06d6211f47afadaf94f94eca7855ad6
10f68e4c39c045f4c41740ae668f203b712cb29607a824bf9d3a7a09455676fbbafd1
c6dc3b35837a7a6f9ae8b47237c2f9d462f9f068135190a9bac33575f8bfdde1d0775
f156db3731619ed0e06f00fb597688bd6d4e5364e02c91870cfdb593c6ed88e072a18
bd13bebe80942db9c317b7d7b9461d168295fe4ceb262a343393c8e76d214236dd807
46a98da9dd89ce75ce70155426b7d79186c526c0bdf37e27b683e9183da95d38d9159
d00a1d6382d18a96a571e2a94dbf0271f04dde59029b7e8c5a606e1833cbbd85e8d07
93b016113049d011a94a0f7530cb152894eee984541efd7d79c67495b11358d270bcd
809734860461989bf21f5cb2b87ae7b59865465eae9275b7ef904d5425d459f0c185a
eaddd3e76b4177b2171bddb9af2568f62c19c5a08491e1c690d7631cd938381488993
4923a0a2f12fd93623b762b6284f7eea3f9e2890970a851d1afe57d617f94d40aab58
85c10cd3dde1b0444ac20368f0e6ec5f3912558c9c2f23ab0a2ced9043a84291cb5c9
41a2ffbab5a7d355fb0b86a888290bcf77414f0aec23ed728803454b1be26b3f365cc
2a5986b8f85359a1d8c205946ca9e7875647cc11d02db5d7a1e588f56f9fcb971be59
246d2aefe07a420d156aedcbdbc8892958d0b7957508f94d1c97d9a80242f383d5da5
5c8dc41ef43f1cac4877b4417ddb0df0c30cfbccb7dc3a15105322ce2ff15e8c00615
9d073af55e8de553bc1b1d3cc1eef9c515e3daa6be4320e076213cafc87c4c9c4dbb3
7c9f31d1a69efa63560091c2b69de070a131755a871913ecc4e7cd9046f9d7e9ad690
45102f34f9896f3b9c66fe6fd57d14830a1bd9e4be02cb3dfa57fde56a53aca03e84d
f1a502c32646852947
resp_msg:  3c69d8f3bdbec6939b033a0cff661a5f90b3ec64dcdf0bdf3adeeae196
08affa26fe752f3e555ecdbe86f94d97429aba9bb0f2919a126b9640d480d5898c0f1
09c2594359298cfae0042d602836f3011bafd355d145999bfec12856f9a268a980cc6
cf0f428048e34b147215b3e710c252730ad3e55992f020c36953e2dad702d53a2b6ba
683d9dad12dcd4b02c8b5db9dbf7947797ab349a3567130bd7c69fa034b366e3b2144
a3be4def379dd68ce5c2127e50d6084f5e602c901af8dc245fca25f211a5c7b52b1c1
bda95dae0c32f457ea4159dbff55c0d30f709d848e0aa099bc769c2f477826b60810b
2be56b85d05f3c2a21a4b992323b3dac596d8386b0b8520d7c382ef0a33066f706464
24087d18907c8cb18c867af40479fb5d0d07440bbecef42ecdd52eb86002af611d34a
239d843e86491e6cac35954dc24a7fce979de6533996e46866e6ef66804ae7f9b3c49
b5372aa4143b08093cfb18057558083788c45cea615d4d44c7ba55938743fc4e7dfeb
eb1558556adcf19a0cdecf56f09da2c56cbe3d94d6157e8425b421080a890ca3cb52b
c909889b6e108f483b46e36e7443944345cc64a8973fbaf0b42359e7d505dc4442273
fe7da0568358a17817b7af22af9344e44cb43a83af27255a04d0a77d7c0c78231c7b1
ac2f0c3bd106ea5243d556ba5b6e0671723238ab82573247030b4f8c65dc3a075d713
2db25843ba711800b7a28dc1301e19d9a5750622149e8892523ae40ca1390e19b3bba
a92b4ffc87dbd2d9c6a3479ff802c02b54d85e91fb94c458fcd1158df8f7b20e274a6
a15866d33926189ce9c02798bf89e15943fbc73d6ca679c0773304aff40eb12836988
75e7ba4bf8058f67ef53cd5e924d8be307a57b037938adb6b198edc2c4c3136de60c6
aedf6df29028576ed39e84f6b4b8c4bff4971123039e3fb2dcb0c742e3bb213740740
52e02cab1f460880ff5335c4b1dcd9335ef213e36a51f6cb94550b3423d72c18df738
283faa8c419186acc853f08eea3e981ec9e131221fd93bd4dec2e7037b39330a5863a
cedbcbf5b069198194405d1498448a17303f0e963cac45ba981ce512b2a2cf1e0b54b
ce01f366b22c366b7bff5a56c094e005f9115ba3e6497274874e3ae62424d9f206d3b
b2e13976c345f1cb6b730f40103a6dad5b5db0689478139240b547926d41854837786
a753f0276e50ad4d8758fb8c59d46829000b81cb3e0a8d8a416008613495086f40d72
ca2d2184f8634c9c24961265dc54fa7bcd64057c0462c3cc476574ab7ec52a28799d4
747b2ea046da24703209a2bb437ebfafe144d87e2af44831fd29e72cf3f991885ac55
72366a7d363520713879bd1294c0f4130870aad78902ef083572672220e4d565e82a1
ea97b99d25954843f0293e64e37a367a08ff46f11bad769e56f41024332ea16085086
244368d75eda13117d37df5e388d2e198704c2e7f9349ac82014fe0da23c74be0a8a2
5c07b48689b92dbf6f328f998c32af4bdfd2f1add5285161983b58e5c86413e15b2b1
410dacf4daa116b9a9663ea40a3383375033ee94893
key:  e795ba6852ff724c76b21a65e3e0c889ec75b5c0f1a59c8abb3ebb414a5b9af
a
~~~

## CPaceOQUAKE Protocol Test Vectors {#tv-CPaceOQUAKE}

This section contains test vectors for the CPaceOQUAKE protocol specified in {{quake}}.
Each vector consists of the following entries:

- PRS: password reference string, encoded as a hexadecimal string;
- SID: optional session ID, encoded as a hexadecimal string;
- respond_seed: 64-byte seed used by the Respond function, encoded as a hexadecimal string;
- client_respond_seed: 32-byte seed used by the Finish function, encoded as a hexadecimal string;
- init_msg: output message from Init, encoded as a hexadecimal string;
- resp_msg: output message from Respond, encoded as a hexadecimal string;
- finish_msg: output message from Finish, encoded as a hexadecimal string; and
- key: derived shared secret shared between client and server, respectively, encoded as a hexadecimal string.

The vectors are below.

~~~
PRS: 95fdc24f9330e38e226b6169c9b76243
SID:  019ffb301f2cd83a7fe4f20cca7b8a1d
respond_seed:  4af73379f88cee47ac4a34a41204603cb673304b00b471777a8ba0
abbadea6481d1f03f00b20571b9b3f9019430a9f6ca807bfd9877844ea2c846b7a691
c4429
client_respond_seed:  a1359fa55ee62e45abc989df0ebbf1f9d6d77799271944b
b7f161b1318edf4ae
init_msg:  0470fb7f997079372fadf64cc0bea52b60a25aa2a75eb613c8c6ecff48
382cbbe1ee710fdd7761b8998d4c81ac001c2e1a186bba88dfe3046b7ba26085714d7
eb4d79c6d58b61b99272ed87b7180bd96c3e9bbe02c59dfeda84c95d06f3a7fdf11
resp_msg:  04d8ac3a98d80ba2e26c9afa92eea9ca6eb28fbd0661a1086a04062432
64b9c021efb7e8a4a81599ca92e0a9d6e713f379c9133fdcce8829510f7106c9007e9
48b3f865a6ce7365c86f540ad587dfc79fc3ef81708ede611e79009fe13fa5a08dead
3b519a73394e1c965aff84a27f83cc28940ae0c517c3450f09761a2b5ecd53069e76c
f63c084c3d0965f4a624cd4c916156b92966cc7a2c78a809a8d611cb387c5f5a4cca5
cd98edd163df78c8c6ed204b3e6defb7f2e8cb5d45157fded7ac8190fe45bb7481401
1c59fc02ce5a91dbb003b8ec39018a1b47d59ce6f748b40523e3a8c4a9625439506f8
56cc4025269c608fa8d6358c292d4e2e2d41e26199b2b61d0b12ce780518c663fe641
b1af74ca57178e1666dcdef7a50d474a47519cf565f5b3045c36c9c8752246cd6d7b1
376c0c7688453b5c120a70503a8d407287bae71e976f3e0ce54ee2ce1e2c7d3fb2937
b34a6c40b4608dcf615e628f0c56fc31921a25a4261593022c5f222bcd9e08f4b3e09
1c466d4f62ffeb48538f79574b04c0d181ad30f9488aee97153bb5b570b40b425a60f
2d42b88cf8a434c7eb9f844358c49a0d6c35dbb87c39da659e4567607f9211ae45b87
303754211bc799952ee027ca93913997547a20d17c70f012f26db4562476010c82101
9825365e732c113695302ae82fad948cefa6c1527b4e7867db3060b9d5106ebc154eb
69d0454d5040789e5593a4a3290305d9f780798e750c6c56f2ef1653e9271aeeee7db
5850b7ee6f54e7e865f485832aecd3a1f75ad2f0fe9f0b0e9db2a84fe2bde39c240b9
b16b4241a585e579444e4212f7f047360b6750bc88d9b682892fc21fac3c6ae27d7fc
46773424f931ffc325e098157899226498beca1ea65370f314c3b78fc963edb7ff1fb
cc1554df08cc46d7438d96ae91b9e5038bbeeabff2fda5d242e678e19959a5d7c4491
9fcc63e41232b4b674f0f9d03777a4d06286e55b6bebc67e6def1c64abf758e5fe2a1
f490312ed5715fe6a3659c1067c69630801d1d75bfe9a4e67b6ea638ee6452cecb96f
8ffbd99ab95b067e1fc25f847024e25822ca42d5676bb66e17e71bf72900134ac3597
5c559faf239ecf1ab465f1613d3cb184186e831c1b8b2448145f05b35e7a0215b2a81
4e53fe4c2108833f050fee8c2239dc1bf67c87dd2c6f1332d06e8f337644ed7685bc6
79d8dd8786915756f2705a4d1f97179943934ae6823b36c8d2096165d70506b595659
ac1452449f1ca3a35fcd08c793df9f8798830dab531e9147d1a7847eb564d1eaf5290
c612b3e282fe661f5530f692ec362eebdf4acf6308f588e9729bebd1d22407541d464
68cc8f85c492e9a575e7a406b01482bde89c60e43720682bb8fd8f14627dc262d1d1c
86ca004672368b4d008cc3d2bb205f62c431f5f29763bb0452058edf265f5a2b14ea7
d65a75ecb763e3581dd5b329b3e7ca9c4cb128c7f4e61abe7c6d9e428f687c261fadd
772bf9db759d7f07c3de34a85fee53bfb9e7acd93dfe597d716f2471c65b3d905a108
4f485e5beb0b5e03de550a476bd2f38455ecf1b324c906caeb3ed38e2135e6817c291
8fa430d1fc042dfea4325f6f0ffe5632277e56bc615f3448dc0f3c22ea154edea2081
31730e1dc06548d92d224e598ded68052276c68833f4018e0e6c2758ad18306a10aae
b2ef65d04f41c948a082a7125129aa55930e4408e807287c89d8938c1c5580d44ac3e
a34629ece428be94edcc530eb481516d99e5796f3c807604cb3b1cbb181323da06b81
6e82555674e2aaad11fd42b0b523fc5ab9534a32591ecead66af7bab26357d6c0a1f7
39ee6ea87cce2ec3a76744fb3420d8973607a82e017d1f815fab2905e6a1daf724326
563e31de4e3be87ab4e7765822bd833c1e80a6704655951519b44db6d04aa4c130991
ec4b0
finish_msg:  ede54396ba16d1bbaa128dec29f4b6c4ae3fcbe358c7e3039c328f3e
d6329be53cc00acbbb29779dafd66ddcf9cc646cae3342c27c268dc1cf30e17cac3d2
7ef67e57be40dc8407fb3604c9953066191cb814829efb83f8dc1eca01e5d11cc2982
0a7bfe2905e48207ed4531413a671f2798771c1b134aae989222590839ee3a9d325ee
364ceb5fe151e79c1ada732ad1f16332b125b80a24338a9198746e5c482208355fd71
1eb9883b7178b0b30d8fbefdfd6476ad59937809ece53dda7159b1fc9681f882e02e3
f7ca4c6d347faab6a3c2bee9fb40b2b128d1515835278bbbb39fd128d09fcb9244bb5
0eaf45a3737851845faeb8be99f56e5133cb9e64247296823ad1957385e521e714ca3
f3bd5a20b2d0d7062a7b1d39ca26b6535ecc8b540748d1e9e1ec7ebe3567ee9d74ac1
3cfafa9c4dbc9ece8e95873f7804d2aaa9c1ae9b258ad9bf235065b9404f6b977dd7d
382f94a7f8222a479f38dbe62d6b6c18725b7cc54f52a8b391f8d4bf2aab5555aaa43
ed39363011975d9c0ee518d1ed101e6972c728c4f7c697d89b3ff30352c85c10574ee
7d25e340c68149d48358aeda8cc0120234613ee5c62be2313a83e6c5dd943ee2b8029
ad5ccab1fac80ba26df5186ea7f077b0ea907fa787624a2bc723c91a0dde8e347eb25
921a8b1fe0c63101b8e95611656d1dcd3950a19412b3e380031131fd11dfbe6b6c5ec
8910e267a997a8141a883c6bb160abca75bf0175b2dd8f5d64cd21b9c824b49e0dbf4
24fb11334c35c9e34b13bb00a6cb4f88e3524b3db4b7a4e412b492dae2f5de34720bf
7165e240113839c390d4152b89c26f6abffb75d7c65e6ccc8b827299c76e26a8767ef
4f7f812345cbc0f87a3ca4185b2cb1d0493d4868c76b82b498d25735cda0d8fa1af98
3a0650da133afb581a73b4c0c2efae82f394269af4826dcf8b5c40b3a3f73ce5c447d
441416fa8429fbee319cc8f3abba7c0942908d6b5f8be4670b418c8ac5a33a24fbd19
471bc9de44f56a0c1b9a02156049c8679c2287a8c99045eb31eb04c9aed7c64d4652f
1b6c230ebbe56e34d2e02f8f9025fd85f254f232a1c9599913513950d24bbee7a9a6c
f49bb5c4bcb90bed2d1745e29c50b858297c1e8efcd7f38a9eb4ee54484f5b3403e77
979900c97296c3b79f4b6c8473496715d1d21e4ece8c2a7c3b0c02c052529ee5460c7
106730c4782a5557caed41f0578056c6d5e894dd14880bb14cf85562b79f18b937576
28a1a61722f6dade684638fb2047576e692b206905749fb362ed7d6e5af17be94b2f8
7e2236e53a7fa521172a7c395a4842d21ad69d0689689c92943669f63f9652b86ecf0
b120ab0bb280934cb67db883f0d2f210224cf3f7f2f1254a689aab54a8366ad264852
8edfb014e0de56aaf2415a50b6d446c83178ba76fdcf86f1c9b336449d346c1d44216
6de28f89b33063ab3f493af1ec393e665fff1ee4acbed39fa9b05169c256a5670ff0d
7d7afbd56308bf997f78e5ec9035117f7495c09d7d6539f63ce4af995eca7d27a4f4c
35bfd9d2def1792cce03c67547618e31c75fa11568c7d
key:  ffd24aec545e3a8c651d25d31dd8ece89aca16c41f4a7688f126702faf27ef5
e
~~~

## CPaceOQUAKE+ Protocol Test Vectors {#tv-CPaceOQUAKEplus}

This section contains test vectors for the CPaceOQUAKE+ protocol specified in {{quake}}.
Each vector consists of the following entries:

- PRS: password reference string, encoded as a hexadecimal string;
- SID: optional session ID, encoded as a hexadecimal string;
- pcp_salt: 32-byte salt used for in OQUAKE+ registration phase, encoded as a hexadecimal string;
- respond_seed: 64-byte seed used by the Respond function, encoded as a hexadecimal string;
- client_respond_seed: 32-byte seed used by the Finish function, encoded as a hexadecimal string;
- pcp_init_seed: 64-byte seed used by the Challenge function, encoded as a hexadecimal string;
- init_msg: output message from Init, encoded as a hexadecimal string;
- resp_msg: output message from Respond, encoded as a hexadecimal string;
- finish_msg: output message from Finish, encoded as a hexadecimal string;
- challenge: protocol message output from Challenge, encoded as a hexadecimal string;
- response: protocol message output from Response, encoded as a hexadecimal string; and
- key: derived shared secret shared between client and server, respectively, encoded as a hexadecimal string.

The vectors are below.

~~~
PRS: 41ac73f17f60eec0ee8cce874a4f9a7c
SID:  0744270cab992ae77c1cbea2ebb4c03f
pcp_salt:  9f5b52b091f6cea43c531ab526c6380ba665482eae33fc5c7e8f321572
3db2cc
respond_seed:  9ca72674368b8e8eb3b8868ac7be437a081a46be2480166e128ebb
048583324c8cc54cf679fd91e98f99567204e49517d745c4ed5d54913fb55c084e9ef
4ecab
client_respond_seed:  9bf12f1a9d1edd3e5aca33042fe51a2d42c37fb2f979812
ab150d8fc3e1811ca
pcp_init_seed:  6e410475f8c923df6420589ff93cc60f21a523f1f4d0de7b4bb62
d7078fc7e74f2c9a84a5b5d893fb75cb89711d8d83ef188f63c64d3106bdaa5331deb
db21f3
init_msg:  042d6e23f15b0ca7c0854f57ef4d12b855b74c04e29f6c73424f1f0100
3d7c26577f39c922ea3cdaf212603f462cd2bd774270c87d1997820c1a05f59ff2fe3
3d7ac9d31530e9fdb4cd0c76c893afb570bd6444f63e9dcee3c3bfea04f3b287da8
resp_msg:  0473c52c05586d8c1fc3c83ea8713c575fcbc176a23d4fdd92408c758c
f2d455da463d75b015cec7bb421c5e9dcb49873f3c4ee92e1dbb66f32c5d480d09971
e1fd6f48b5a7221b97444d46c555fc41cc17c2809afb8cf9c4aabb5d41378e98505ac
c2553b27572898d72c52ba345d24239565b5aaeeb23fedbcf4bd11db9a81088e35438
b196b8c42702111579ef5c66b0df7937aef44b24f8178f0a2d731f8d0eafcb32ab3c8
e0dac5b162a02773e15f280998091d0418c6679093a668f5f3f84877509224dcf84b0
f0aaf79ee5903682c9c3a34c6541dd85fb2e11f640f2f178cbfe963d44d2a41b6bdae
e83d3391a9e84c3b7add5759eec7cc8002d6405ddaca1f84c45d6526826b5db09c49b
d0b2d291777dec859e276304ecdb6dbe0e84c8aa7e564c59c4a36185137163349d779
9f9fbbe584801c7b1e4683f332a4b08e9892172de0bd2f1bbcd213284b1303c5cb6f9
5a1e31b7833be5e0a1330a8a0b03701871c234e0a8c3b5f1471579c05ba6f42283a0d
65d0ca7a5058a5b93a7a11d9d75d08764517fbb07a1ecdeab00d4f6e2058011bcf5ac
94d51ba21fc1dedb59bbd851ac0e6be58485c835ce439b58615080982985aeb73f272
59119384c94630d8a8ec7300d5f0b71db3ef5469b26fe8ee3c6b19cbffbb85531b81e
c4df164fc5e52bac40d084142c39504e55668626886b225fcf263c345c9155d805d1e
679907b8b3cbef82bd3bbfc6ba66047f79f284d7c401f5910c11fd1ac7523057c65c0
8802b525996874f748a529f1d4717827bf202a0ba8dbd3eae5cedf25bfb6b5f7d4e1b
bbe27d00d0fa120584c93899220579270bad126182384e5e42fece3439b9f87302127
de09ef6f0d6f01ecc7e1c779fab4bf3753d77d2a1af21a73d3da03de568dbb533da5c
1319bfc51ad887124bec5742acc2db42d91527c5f03913e8a388341db1f5df395e237
44e5ea29799fca3e2953da5aac19ade8bca6039bcbf4363ba0412d239b9fae4ddf527
ac62d6d060fcf152e84c568b17f232f2755ae6307459935dd761b56f50075188173a0
b1a708e0c463feea1addfd2110d131853596bd24940566c27cf5ace6582a116d72250
f5d2c5cba3939b60364a29e22652c299ec274135cfe1c7483a76b57f51278f342e47b
0efa6b02624a7263184a7148cb500c19b6dcc4d8d0fa4864bcd48d2c982850587b8e4
cc97f1a21e3a1306a9797f00a2e2db20c4a5ba2b3063a231b00bd21b63ffe1856def7
00b583bb1dee0b68e3c5c0713136f4cce803c4e206a18de44e9010138a19eb56efc79
28de6681ef3e7c780bcfe18a120c581ed02980f1f94638281208ddb52f293ccd717be
b4fd1db30467d9c3e0eb6dacfb333479cf984a2f536cedf29b2fe4a060a44026d96d8
522f808a8af156e0da559cf795d5c87cc2aedfa872e4a8f9cbbdd197651f128b1e314
51bd97d1086fb97178a1a35510fe90c56d5fa1692e17a9226134db1de8e00480ab964
f81b8fc07744af32f31d6290d8d62d9c353356d3ce61a76f6f486b6069c92de0826cb
67ec5567fc43b03dd3c3c1213f389d27df91e5b6135518cfc252ef80d26c41b96a738
35c280381dcc2bba3e8174fc953fe9d0beff59bb993a00bf791bf6b8eb1e1deaa541b
f444f3fcb6388612585ca5e0d2b9e3e015a93dffd6f9e8d078310099d3cc848e8df8c
e1b3c574f161ba6c188aba22ebc3578054426e2dd6a587e93fc82c2ba672cd2b5b4d3
ef3a1b15ee89321977074fd413281978049f0404dc3691bb0a05dac4b0448787febea
dcb8fc5389573f95f3070b0119d629aefd228367e25dc0b39e48bdcf9f69be9ceeee8
5265935ce91743bb1f7af5f77a027ade15345c6dc31bfe6b146503ad2c0ebb0d0bffb
cc46f49a0ffe089ad53a70fed545862ae88cb3f05d3801de7c648dc2f5e485a685a25
a9466
finish_msg:  6b5cb16f05cce347ef09985934b84aa864525eed628bf4f629eb5a4e
00e79dc9af0369524728b4b02fb35340735afe1982e9630276cc11507aa867b08f1a8
b4b334b77e5dfc0490b28a37a24db5ee81dc83b7e62ca5309277384191c50491c6239
8113a9a97ea10d394a87a7695960ccbe696ba9ccc66e8798d7f6993cb7166c3782e54
e306cf726afb1e2608c4bc0478ab210d63b99111262ab45da115c44b233a2c5e000e1
b533741ee1ee4fc61663c33f4f642e2e44687334a1ff89eaba2e81d10b0ab62c80379
9846a732cce5aff1e0cfa15ff25c9ef7b736a9bd8e687202b6689971c5c80642386a0
9309dc0c2848b8255d1b8621ad36df2fef748bae6075a7a7a3b5d53cc0dce36ca71b2
70380fb4c27be9327dc0fd6cee07bb626d989e4ed31bfb09247d92fd954fa238b037b
2a1bceca482db496a43e2c1ce75d4897bbabae60b61f9e3720cf912b42f0895326147
f4ecdbd84263a839a8f4279f41d01ca221340141218b6bcbecc0a45fbc1611dc1db20
cf5b6eef0838ca41ffe9ac0ceccf19dcecd8195998f5ab2f79da7b1e32aa64ea39a82
4ea12e9c0f435ee4fc6648a90e6d8fb2d0f68b0d921aa8d3eccbc7ffa06a12c06cf49
6c12eaf93f160ab4cfcf120cbd9561e5a98f15432d25f04c01210c657efb8f195c7db
66fe449e1cdfa806b216d8d3956f683438c323a9f119e69152032f548faaf349288d2
f1be03dd489073ac60ff78013cd36a4d14041a57925065978eef792eb7acf8de709bc
960dda900a362ef2711e07b50613ce91dc5d01900780bd1a5615091993b27aa362516
fe0a9622ee5baaf06584190324d8be291d7f696eef2afcc3df1e9d6b7dd7eee874e30
487ade9bf79e4766976228880bc8a72d23f4550ea6822e071230db6343b833cb44072
ca144ad94fe14283ec2b98c80e6be4aaf518e6a9db3b6bac9cc0b80100968bd614bc4
8109ecc5ebfb56ec3a3455872bcd2d1ce8b30d57c4960f6389d504bb22f0092121132
df9192bff2ef8bd3fd12a6ed1191643e79000bcbde5cd47f1581f46f82ebbba3f0d03
913bca0498ff384be79a485aad91fe75cdbe4dbb6a884f8ea9237ab4f3ac54817f1d8
0b1100d4a022325e8a144e13873c4ce5604f8cdfd3e5b21c04ed0deaaab9406381212
b9be4f1b216fc3790b2abd521ae18ba9fa8375f96a9b4963722864230cbb598902360
798fceb7c7fc8c672c7b6c362fde5f08d04b85e744a870e2d3dc3520bddf38d5bd50d
274571313789d8efd9c32a6155609abcde0287f374c89e60487fd8e4882bd24491996
0c048984e2e14464afe449032b560c3a2a93896dfcea0d04960cda6e2858b0291709e
7a1cc61f33b65f05d4d84ac4e48ee8e86ae11750102dffc96473db257e445b821fa5b
8ca563acbd5711e07c643e2840f4a0491d4e3df82952aaeabf0adce061d2c7d54540c
a22e22dfdf4332fdcc949e6af3a9d1d0c5bb0506e94f63083241ec57a435719850fbf
802187d700d4088694db7e188971a9184f741d70603b5f784cc826835d4da0725fa77
f0e78d787959b4e66be1732b7cfcf0d28323daa3f198b
challenge:  4902871a0bd91409647c036591ccbf0f6a794d0ad20aeed41e1920888
0a8bd5ec184c0206e37257b788417bc1f8fc49d6ae783378859166328f07754548b53
7a08d0b23cb5addbdcadee252524c964da28a518cf57f947358fd7275b10d48cfccc2
506b81858446a8490e62d17596c6a5e508044177bbb0b398fe55e6e4183dcd330dced
4f9fc8db636f14fcb8213a95f79d32e3b4baec543189dcb0f2f1c8a92d406eabc4cc5
301a5f7dd05a0dcdcaffbb0f66ff5d6c862daf56940fbcd658bf738af27285c6bbe29
70439a52912cbe78a1462d1e34553e757809c4a4ea5467dc47b8272f5027f61363212
d8d23e29c6f4d5f701395ab5a67229291e8c6a24f34ace8c6ceeaf71b9f7c5e2f134e
97960bad15746462c35bddcf07bcd0871b0dd1ab40334f160d57d05772244df5be8b6
66add46870abc4579653df10c6e363ee38aa572fa4e31c3c569f1e636c27bcba4c806
3a0b0547c793acef5240602049aa19e4a3524e3382a803f215824e69bca890ec4d838
4582d5739ece314e346cf5b9ed59a252ba84edac83ff10af3b3531ce6d628f9215d7b
21c79001cd81c9cc42d9dd38c2c338c52062990a6858ec6eaee5352c4d35de8f7a6d0
d38ef7b556581bffe57a7ffcb47b62f74b4d5b9d2c2167bba8456326b6a6aaded31bd
6234e6accd4f65602f3cd31f8e4314bea25ff56876b1cc3f6884091c296285c6c6aa0
7ca143282b267064de7d15212388a9b1a8af395ec76f4e699d4e445666ff19c55fba0
ab02bb1cc0ce769c61f4e950c866796fc34d9adf50320f95256fd2bcd498683d1a923
c8155f1afa09a67ef5205bb4337da9b848a3855ca544470fde7426087f46e86584ece
d565cccb803e418c06f76e7fe5c85becf2b3cf2e6ee55bb00d367373619067c9379c0
3017c201a03ba783f183cc7f2d620aca9a58dc9bc0fa3a770859ea021a597a4938ea8
f098edbd3231a2eb9b05e13b4366567097c1bcdeeb4de7ff2f4935028eea7eeab3065
95dddae916057039cca50cf0ed1f392526979a8636aca9d6459536f014a21024fde3e
7d53690cb660f6baa8b93f37d054d59ec7c3d0420de912abbf33e018762ce1c1158e7
3420e520eba03c804cef703add7a9ec9cedcf200b8b8c8a37f7d25d5c60484a067106
aa6900857c6c68a2ec51241352bf9223947ddaa9273429dc5f624d6e6b82ae245e139
c91e3fb26c07e2a50122240401782b982fdabdba1d773d559c3429d68564c379d433e
fb54aa0548de8f115f69b2d6e93a7a9fbc8115e2f17ab2e67fd1583cbbdf71f03561e
2477af18d14d25fc47befc3b6f53dd980bd55cf1607e042d312d8b629101f4be66266
20e21326d1bfd832c1d54035ae1160d1bab5120e2b33b2e3f29e5a94e19dbfd02b7f9
675ae056dd58bf8d62ad8192280b71148e080091efa793b37be7614aec16d0203bf6f
fe68e9d0c33a93226c95758f85f974a5d44800e029380b510d30f20c34519114ad793
8a581d82dea7dc56e3e66d27ac03e6a1350c63043274be8ea4b5a0150d888804b37ec
5ad0ac43846cb4cac7ddfddeccca5ace739febdd9aa7c383d3c47d88f0bfaf43900a2
fd846e0dbdc9065923fe7c97566e112318e0b7acc4430c470cdeae0ce8dd03b74a08f
52b8a2a3dc72c945a00ac470c0934e1820
response:  0302cb4f4b3679b8d66ff3ca9d5c1c7571ab48f3741d69eb8aebccdc36
b1f680
key:  20a66324c9db64f2907bbe5171856e6c38f6575c431535a4c733a4f92d1698d
c
~~~

-->

<!--
# Acknowledgments
{:numbered="false"}

TODO acknowledge.
-->

</section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y96XYb15ko+r+eoiKvdURaAIx5YKJ00xosxjLFiFIcr1y3
WMMusiIAhVQBpBhZvc4L3H/nAe5D3Ce4j9JPcr9pT4UCRNlOYvdqrsQigao9
fPubp91ut4N1vp6ro/Des9u4zNPwrKjW7T9uouV6swjPoqq6Kco0PN6sr9Ry
nSfRWqXh1+o2fPIuuYqWl+peEMVxqa6dEf7YPjv++sm9AB++LMrbozBfZkUQ
pEWyjBYwV1pG2bp9XVTtJCsv26u/raK3qt3tB9UmXuRVlRfL9e0KHjx5+epp
AEMPguVmEavyKEhhzKPgWi038E8YXpbFZnUUPnr68iv4i196VN6u1kX4tChh
By9VpaIyuQq/wifhmUWUz4/Cb7/6d/UuWqzmqpMUC/gYnzkKr9brVXX0xRfO
d198iyNf5uurTXwUvj5/8vKLl0/OXsBnc1hKtW5+6fnxqyfnr4IgArgVsOyw
DS+EAIfqKPxDJ/xTUdHfDI4/qPlcmc+K8jJa5n+P1gCFo/B4BUO2wpNl0qFv
Fa//r/jKm+s3AMN/j1ZmG84s553wD1Gpkre5M9P5Goau5tGN950/4+tlfq3K
Kl/fhkUWPormeVaUyzyCRZTX+VK5y6j+ysP8e55UnU2Sd1S68VbxqBMed8Jv
iyJ1VvHoqsyrdbG6UqX37Z12nkQ3/36lolW+vIzzddVZqnUQBMuiXMB714QU
T0/Ozvvd/hG9ptH7/Nlxe0AASKMyPQrPVLnYrGmu9pdRBVj9LKquQvgaUHut
4Kl4rtovNuvVZh0+3SwTfLK6x2NG5aVyTn55PV9tYlgLbKtzWVx/gb/gJ1/g
Ur44PTl/1cHfOrCqzirNaBDCZCCsy1bY7/ZG9JlBF/ppy78EmaPwlBYbzQEk
Fexqs1Z4QHpHFS39lUqulsW8uLwND3DaQwOOgQ+Ob4p0A/t7Hq2BqJVAAOi6
/WSZRKtqM6fJwm8UUnleLcw8zRBIqjKx26etZ/mq+gLmhV9g0dtb7g//UVsO
kN04+PDVpj/0d3+qboC3lVGaXy4q5BThkyzLkxxYXCPPQ1CclcW6SIr5Dhy4
ubnpqCq5KuZRWV3lqw5s4ItN8kW+VosvJn9bdPv9brV3x0wc30XLv+WwZPj4
+fNn9YXbZR5Xt4uFWpd5EiK3DR8Vi1U+B4rKymIRfv3kGwLO8ZPm1apVmS/X
nTxKSlooHscXvWG3e5cVFpvw+e1mx7fnALPLeR4+z3c/sYlyoLYlbbG+Qy1E
dpyCK3qAxYTwZfj6Ufi0hKHh+befst3x4Ofe7rOX9e3os4mBc5aMsA6qubIW
URx+y6M9jGbHPvq9O+zjD5t5HoXPVFWpHU98kwNc1Tx8WVRqCdL2Er4//vIP
/VGNeIqTR0eMdAbXbkA+FsAoT1IF1PooR95+9z2MvugP7rKF4wwgU4THZZlH
l9GuXUSgG8zDL6MyLqpdDzUJwldPvjl74W/1lVqsChjyeRs3CUqFT2qgXORz
Okn46lW+AJkUHq/XUfL2U/beG8xm//LN/+kP3373zXntqI9DoUaX2Qhhtner
hJouXwK2A368KKME9BuQOGr+KVAZDu6C1Z7udLe9Nj23SydpeDJaX+Uq/G6z
3Dmluobt3gIF7Obxyzx5G57nqiwjUF/a7XYYxdUaIAXazKurvApBWd4sELVS
kCplHquKYProLErUiz++Bjx8EK5EJLXCKLzik4rMSQUrfVKRd1Jv4aSUPqmD
CDH6EIaO1mG1Wa2Kcl2FoBhtQGRHPuuFU43ChPC9XakSlMSwUqA+ANJXKtmU
KgS8BK1vHfyNWVobNAnUosKIaALg0fHXD9sEtXVVoO4Bcn19U4TAAy9VFfzX
//4//ChxTP08fkorLTdLmPNvG1xdNJ/ftgJkQASggjU2VF3p/UypFJcYMfxg
paVav0nAwlDv1rAnoFwZvhM66wLpFG0u8QBgbdcR0NySBuVHeBVRCiqIhjLs
ZJnlpHUUy07tDKM5UK49yIoUmHmxVHpKPMEVSgMBXUjn0gpw9w7IWrQHOeqa
AuBBUmOKAz4BbX1pQBQFjLNMK97B5aZkCRSCDuUdV4fxdJGn6VwFwWcgsdYl
qJGkGQeBwyMO4M1jDb3Du1iRGhEDjdJwAoBQALL8cgnPwinBN9d5qizAa+gJ
Ow0Ycee34R6U34PGIsWCUs1v8W8cNQRldg57wjFArywjoFLYMqL7wdnXJ4cE
Yf1imlfJvKjwXb3MCtfO81Sg1IbFGlkMrm2dAyrwn4BOzDJ5XcEiSq5AYeiE
rxCjl7AhOrzwBh5WIUyLKFoCAeQlbA+Pc1MSkssA9/HbyxwZCqNjcMLjRzWk
kZ23nMlDwOJqLe+TzmL2AnZ3mWfAtEJDbrwzsPJC8x1SD5DMfKOYTHB58N01
rJT0BXgtsIeI0LsCxcMZDUafz8m8LsNNpRCANPitC6K3y+JmrtJLpfFdDwlr
yfBNFwDe/mDIKgTT0W4LF+FMTw/QC0VZqmpVLImDmA3CesDwB86Wk8HoI1tQ
XUV4KMxogKfS1gAMzgRzFZVAYEs4fEKzzFnefbsuOLYXZ8d/fP2kPXj8LHz/
/t/4r4cn7cedvFxn7D0pVhEwwg8fCJTneKr9B/gw/3r2/PX5w5dPH80G08GH
DwESFbJZ8VVUOHe1UgluLGWmY6RKRegH8Lc0KTQYEL9HDwEQUzKH5cLe57CJ
UsFGFyjo4eVnxQ0IwrKl1YEVwFItExXAnFG4S0a0whjAEvJWvT1lYP+7jADx
CBkEQnsOM81pM7KyTvglDuOzk+vNHLRwmg7GAWU4guMAXD8tblrhYziw29U6
eE54d/Ds9PHzQ1kVgAuGRU4S3+5dOuzUIrP+WB83IYCHHLg7wcYAFoQcHAgk
B5CjT0czNsBhtBg6ZKdaYqyJdasLrJG/4/L1geRVsChKxL5rZB/EbJC5r+Yg
rsODzdIb6dBjl0dhDGO8RTTdLIGMmTGaMw/g381iReukYz0z0jEnBIe3EqQf
tuOBkRnKv8qJqtJC8YMLhWxXs1A6Xr11HBqF5RWfFwGQvISALCDrE9gPgLMs
QHsCNgOToFC7Jr7qyAsgeTXPAs2DnNFgmiXK5tW6AzoZoKjDvRFvQFJftufE
weDcUtY6KoH0JbwMzCTaqfUAVqQqy5f5GoTPYgUsFUBBEKMnwYIAQgI+ZQRB
hJttr/OFYpEsE8JjAUCm+i3sXgGFO1tuy4ZvgQ1khCWpWgO50N4ABUjSE5tB
5kzr6gSvV5foAYEziH1ScYWtq5NYqscTW7ZBjFzDulrADZGFsOCtgjUJKYTb
sgiRTS9DZUxe2BALUKNiJKpcIx7Gm3zOq5kXYEAhYaTCOsBitas7IJYq6tyL
s5dPzZOWWR6CEOAHhARg77XjCYxSCsdbLCoWEbAfORB4Q70DAUJi1eeLONcK
VfUcMCVFsw8EgaKP8dA6P06DX8o0vzRVvFHhPtrWzlGx1BqbrALwQQbFjczX
OYgcC1Ww+hY5Ym8FyKztzw8ftsCXbRCxtJSq/HXjAmBBMO8KdFgQL/jEUiXA
H6LyFrlqjoKOBsqBvN+/97VcIBjB9cqqwiqt6cIdVHdfA1N6FOFe3n8GKAcg
hd8/BAGdGsw/L25xmgrNBSAEZBoExzmau/NbYgO8yDVijVoiB6vADC5uiMM4
vB2PA7E6AAJpiY6Ep1DMmS8yPs6j20oL12pTlsWGFRWNVKiVWfMEECzGAwsV
GLnAbIFwg6v88qqtUI1f3bYs1xHxdKA6lx2yTKKc1MsEJDuIMKRoUo0BrZVa
HrZCYjmWS8LAm0W0bC8UyB1CO8s2jXAoFdEtGP3A00J4/NYsHNENEPTEAgxM
PLtx2EoQMyAWxj9Nwxq1TGgNNA5EO0sW+PRSzWnFuUgOQG0SFpH+lsYKkFPO
gXmkt/rlzKjv8DEw8coR+IgMdoVEkxVr7iTYyTQMXZ018GSTSCvYgqwByBPh
gksnBkiYZLEmvCS6yYpNSVPDUngdV2q+qgKQz6Qv82cubi4KoDgQ8432ZqhZ
q0tiLUdHTwsU1UANvQ7oS9c5SUrGjQODVmZXv2Vg1A9Fdgg8+hXuiYapQAYV
a1TXVyG5rfzzAmJg8waQr1wLkoU7sNcCtQzPTk5BPBEag2KBFIP8jTw3qFDw
5LRBjB2m7A8gNwKeMxLQbqku5wtsTl2jd4DEXp7x+j3guooxmUeoNCHuo2dg
zgAG3YwoeclCmowoZJ5RGYlScwN6GA4tR4gAETVeZL4EXkFlU0m0EXyssxR8
JwF6gsUnquXrTTi6aBI4OhDIwT5V4xBUKJCe+XoNSxCDryBBZhRiFtMIF1QZ
cPxsQ7azKHAhM2jRicDgJb1VhFeNhAUXwED6XPTCz+HbBT7KMJ+DxQcYgNid
4O5K0Q+ZrvgTXAjxy2ihCAXoS00VlX9uriKME1wqNB9IzVmmWsEVwZSEgjl4
BJ2g37FuD9czJKxmqXlLu4boB46uWaMjrSnjSqz9WaMo+9f9qq490qqbNTrA
NEXWOQ0+rxR5GjTpGO8iesEdvcyTOqREo9LiKTWpZYpaphHtMWOMQSZ6XNET
IxZ3CbQuc8R9ol4QiqekJIWNsODsj8LM5HyMmwQGAZDP878rJjFi2TliRMHR
zg4YggjWW9HstQYCkASRh2NrrUO0HOAWgFKEEOhQZEwMKXrO9pCZ58ijxbaH
EQdnjw6J5W3iNrt5tMJIcH7/voDjegs8fFO1M9I1QWmREapwW4xYOSY45iEM
G7FijyfsG4VjbccRMwfG9laIrLIkZgmAW+FmCF4DYC7z4qYTDDrhc3NSbbMC
Iw524/EeecCcD9fLDhGyMuU4rRSzaCkeHVc7RkxE2964ktbso0kSQFSiHeso
OiFFhJyzNB9ukF1sDsOz0NWcD19aABmFabSILmFGj+O6Uzh6jjUCEb98Lluz
gUNjAzcavfcZQMwCW/j+XK0r3+Xg8FTX9QXopGgHNS4MkEHfioNKOAXiLmFD
ao5GEAeYLAyCG2a9hwI6jFm+x3iIegKzzbU8vFtRMGDYxd1Olsl8kxJSsrAi
+7FAEbiGOapKu9LW0btiWSyA48UA5t8ijIQbRMwDwAJJPIyqyOw3soqFGstD
VPXIiYu6qGuc113/4oF1lEifOpcqJ+2RWT6up8QZyNsZK40osCdQsI6RjxFU
MDRE817p9Cphp2CERiXsYwPKHj5Fqh8GJUqEBGmFYY/eHbRCcUuT1nkJSlYh
eoZRuZdKpTw7a4H6cD1rl+ygl2pOHqdvi/ItmEIl/9nG6PsHsd1gh8Ta+Lua
yYbuU20DVpLKAUw5pW1xiFxEaQw0mALAXJnF5lap07rgoBC3NiisCEy8fZjz
5urWbBEUt4XBAK3UF3PSIvG5fG01iWUgdG/mkAG0IszcE1a+Nr5nOAdxiij4
c67IoCEKU8tic3nFsZSnL7+CnQVqeUm+fORMOSrTn30WPtEAOS/mG/aNUG7L
lcrL8KsIVHrXFex6RdHP4kGRuGXFi2Uj/f373zw6O35UdxwnK/gSRAlHu5Ak
L+lIvAgBa1BoYaMSy26dlZj2xvHrOXWOCAzbrmKt1O32n4L8PTl/db+mhJFX
trgEy+Dq1tkpyc5AZRlqHKCHthBpMMGohVOnm0THfbx8JmMvos9BEqPEdY4S
nc+sSpBBVbT1YMlBfzQFQBdGGkfdOb7Oiw3YX/k7YooFWZFoW+tztMARYq0A
GGwoo2Tkv6LA2yl86ehZGk+ZS7G1ID5R0bNIRGsrXd6shbqCV8/Pw15noIWr
YbGE/UY3axslVnD9CEkCeQMQ8rYpzUIDpgrsoYpE2ePW31hBR2EPpAlHzAuo
WNmCE12m1RWoPYHrnD3JRA+sv+L4pkFepi7NcxwJWMlbJXGgzzVH/jxgnzCK
b1CAq2YvMu1jr9eY7BzjcQWo77KYWp4TCJgHunVQIvsoL4BHIN/AyBQMUJor
Bo1Kty+h0diBFTCrZ4ciusFuGWVYTnkzEsLRqMQLdmCxwR7STpjFsGjVYmXt
h70NM05BA0erk7ndi+VlgcPr5Nwg+Mtfnjw+efXi5f3z8PTFKzBhgR0DzLSd
QSmEW4q1nuf77wPyPSY6L2eNKYH53zbKQ4y6Ti9KfETqXkLrXaYiB/i9kA8w
SDG6VKzwPTY9UGFeF20Td6dZnakk4v7+PaVP4bkT5XKGENJ+W2sJwEEC10JB
sQsgraKMTH6UEZJ99P49JSjpwfTcklhGqgO8z2wAbRwYBV8PtAzA3LQPH96/
x5Q7HAQ3S+fIPgwS6fXwsN4bckvMouT3n+Ev4Q15+efzgALkZFgA3DAjjYbG
JB4GlpUAcIi3FRxCDCyh6UQMF2KvMQWNAtc3jKgGmJyDxgOrXqqbTvhIUB21
agOikK1echfjYgDK+Jt7AkZPA3Ll44IFCKiBs7VFaUV8A2pfaU8Ij9CGQdtr
TA5DLwgRGBIqmbWovCO5G3iMWkFEEWkzTYLROIM3V1FqmH2s1JLh9HfUTUAz
3HAMm6BFEiA3mFuhAEd7CYiVVEjN/hSmTLgRJQwOzFGNf56/VTc50q5PqXBC
JblZQecrSwZbWACjguGrjQIUvUSpizkSV4rGNZsBZoXhORt6BfmzpnwS0eJe
P4IDLwVj2Qem0wUZ81EvRVX2FiWgli7mBMtKw94gZ5u/xAQKgP9veS80K79a
oZGaq2shiWJOPj/SKCPEP9HaDJvDjMYvhGYNkpLpLfRLwgudXcj8btWaz8kg
fid8mi85DwnUBdSz5875AvtGUXAV4AD4MnBnwI9LojdtiWeqpMCwqH/aLU6S
l2Q5rNlTyd+/tzGID0eCElVQrBBD/y6avJjsB3VCY4PtEJTUtxjBymB2ymIs
Qd0usqxirJExQ2/MVsD6Bg3dC/UkfebsLxVGFFH/NRrvE1J3ceKfgc0/VtUK
46iM68AAWjpRQznxqbbDP6yvpobyeBou2QW5G24wREghfzSxI3JIog5sAUbl
JwY/mfe2eUJATPHJY1WLpPbOKQyUoE2prHsuMQCQtcbqttAxn0jjk0HMm2Iz
T7V+XUvnQiZabEr0aaNXI2eDubIKAZasAISTdVHyGakosbFfEj060IYadSCB
SE9vMRE1k3gluTGJuNFekb6IchRPCfSCypJzyjZ5izwoQC7kcKPNb5ZWkiDD
aOuoa5EFlri1S5GYE4p4nXsgPOFWO/wo3tEi8X6j5vM2cGX08OP7HMYAxJ3P
DfoE1qdXmHGRtYBCTVkz8NxbdFfiVMD64ZAoS4rNSMQMMvTINExKIOLlLXNs
qk1ShggkDcFEHVu10D/wAtpAhWi+pihsadm/HYdM8UfISZbWXnzMLib8m1Ui
NAc4j+HeN6/PX91r8b9Iffj7yyd/fH3y8slj/P382fHz5+aXQJ44f/bi9fPH
9jf75qMX33zz5PQxvwyfht5Hwb1vjr+7x1rGvRdnr05enB4/v7dNhQTaAt0f
5ExdlYr1kMDzgX756Oz/+396Q7RkXz591O/1ZsCT+Y9pb0LayBVq9zgbCWH+
Ew8vAPYLSiaFzOG4wS7J15S8AeTPoUz0+QA0P/8LQub7o/B3cbLqDX8vH+CG
vQ81zLwPCWbbn2y9zEBs+KhhGgNN7/MapP31Hn/n/a3h7nz4u3+bA38O273p
v/0+IJaNPm9Dx68UurGomoYRKCvm8+KGzDVdA8VQXqF2hEwET5C1TyaBYsN2
qj5iTBsVfz0PEF6UlBh+sDy8CLVvkMJd1tJHm2NuAq+rSm3Sgt8KQuDIa/R5
lJI7NweiADX5YnlB31QdmQ9MlyLJKXqGgQb0WOpVhxc//HAB3Ba4gDBHWIIk
5Uj2gzOJGVFGsRv584uXBxGYtod2MHQCMHdso6IVwiMyLb4Rq/UNyppwa47w
IrogyF7EF1pBoSAVb69TAyI8T5t9sy7eAOXIq/AbfkDfXIiesfYhVnGMTnIx
MY1nCbodAQkp8JJSQ9yh2cpzBqZqSWWlAOsxL877J2f07En/xfkZW8ReGIOo
tduboPFRUsoQ29n1rYUX8+s3IBVBU7wI+V/EDvfU2auPMGzjx3AC+WUbpFNO
RUWCEKhV5e84bU4Cpa2QhoYRDw6677rdVgj/7dF/+4eH4cPQfjqg//pPYCHi
1kpTxSsFDbbaWqhOdlDvcLusj8ZKdoVO9tpOnLVLbGbtyVI6AIl/wNt2/oP9
K/f3pj+9oIiXxECdvcDImBlBCZc3HJI2K9MezwTzkng9TvwiWut0V9miaDYw
YuNx+Bt4+hQXxv/tdg+Bqsg3juvQSLLU3IrR/y/zTufq+4uQFGhjcVRzjOrD
SgmkYNBEt/L8hZGniMWs1ryDVTD9KHaq2M+v2r2L2oox8ULP3gzUFofxZYHd
Tqf3PTyIz2kC118Mvt91LOfayGX9tmHXuzdNdg48RnTatPWQTvvCifoo1mvk
QbA7O6oDOr4zGyzU/AGYcEB/HH5/gaGKOUYaLwuw/a4WLB1AuQH0pSCHxwS2
Zf88ylOs2Qgope3sFuzCZXsOVqowfUSNTvgElVRDdWuwWioK8ZEPLQe9cS3z
RlgHiFnrgSwDHcHOs1IdQskKVYdqQPl5cQGyKxuzOfgRypLgVB2tIutiEK2I
eplitCf0NqSkn70A/nudq5t6SluULyoJKSWU135T2PTCI1yu8cNQUGPpemZ0
HIjyDCSv/w5p/eTjllxBzEJ2080kERnVfwxQ7Exu9/OXMSDHzOCuVQVBU1WB
Taz/cVUFNqN3R1WBrGC7qiAF63NJ/hUV7q4nCD61nsCgxt56AltMsbeeIPzk
eoJgTz3Bqys3nd9m/jfSJmbkrsXzbfJBjyj56/PPya34+ecfCS5hDaF1IoMZ
lq8w8gpa3bWSlAMfdyhz5vPP2Rnz+ef4Plj5tawVH9ucZUbhl6+P29XXT77R
SdKUOkFJpcdLU2JHeRJIl6ZMTJw/ubYJjEPiEvVPSXkI/vM//zOMour60tTz
4c8jRoOtn3M6nMD/8Ift5/jzxucetM3Pg33PwX/ZzWsmkOfOXp6H+PbvaaTf
/xAenFOGSe/wh9/xsPQPPlcbONxaQOMDjYuyP+df9z71NZryes+UP+g8nF0j
mF32D/dMsX9XPhj3fc1k9gYt7d/VDkvm+b3QKT6DOAS4mNqKiJZnLTl5zpoK
Hnz+OaeHf6QeMdhdj0iRBUr3V03iQrL2/E+JggIv+4g4gGRoY05qPWU/Erd2
UbmplNaExOrX1BF0aBkKJ3EJfmd9Y8xKcD31vEPDGGDhENu5rZohNG2ntooH
3jKij8z+4G685cF/L+byJxFed2Eu+tmftIrtDTY+B2LyTbJ+9xAYz/7d33G8
T4CSPuc7Qqm/D0qAq+ld1nxmilN/mYzuW7JdlBO70hkcUtZquN36SrlhP0zB
oig7eYtBzzUZXLq4I0e3canVQUw5SaLtwhNy+nFiEU1/E92KGlSi/7YeY9hX
ZoIqnltmgsUkzkMfPgS1l93i6wiDNml+nadoNrMqpfXEvHR3zozTGbgTePMg
6/rwwVlofY3uWKRR82Jw2MDLzmOzirVFLPPMFSXiI1MHaVFIRbLrlPP2H3jq
4/v3/GQbHqlIRnwmnbj0u4/dEp33n7mP1xXThmDNteJqB5186K6EBAmVk+9o
XnQAGuHhb2GNOFv7rVrAYbXD8xWm+VF6x5fs2ds3BoHSRKg3S2yLtcB4Ayx7
pUqq5j4QD+Hrs6/bx6cvMJhMOT9aK7Vr0J/QQnDax2jM8Jy62xQs+/FT+4qR
h+ad8zWYBAkl0zjvnDvvvK0yeDpoqHqy+GPDWSzkpPwfC+A8/PDOnhsgYNRt
kzMIMZjkR4Y4JLgPpu8/MweCKY8fPULOVbPeBmMK6sxJnfuEZlCkbSYyDSgn
jYLMpO1Ifce3SoeLcNyT08ftR4+OdU6+bmxD7DW15yOmBvJoyiFGnwEwKxNX
tgpPdQugeEcecDpfBTs8i/ISA4bp4RF8uCaHO+ejOtsqxLiFaZDfYlY1uvsO
qretcPX28MLmI7nexgsc9qIlOcz8V0hBDKKfi1P+xHjJGdYHMOCRNGvhDEJ3
HSZ5168cC9nL0RavoNXVcLkHa86R8W1XapWATin/VT9Br5AMLxyGU724bi1V
+ilym0oKO4b2wf7V7nI+bnzVr9yHbVys3l5IjpT2I4mXs4yo4HoZXjA4npRl
UV5ggqy/MvRCbjBShGdJcEswb/jtnmPc6Potd2kX1Vt0sFI1gq1StknRdwOl
1Gogv7fLxKwPxWX22l+YrOvbdjeNOMWbsbu2kK7tmrDniLywcnRYtUt+UHMA
KjWZSFsITGMk650jREt/K/SeTuWMJZkXQEHjrN7uHsdt2cFJhvpFyU4WJs47
JO/Mn9vf4lG9f/+bP397cvoVOTOArJdAybfs0HiHBM2ig/maIz22ub7mbIbN
I3treMzU+ZpwjxNmQ3Ujy5daCcK9AFMjmSKZd4tNJc1lgESEe4kKxAmX3jNY
KqOuVYDOnMhYoDZvxwqyTngKa0HbFN2y8igeqsxhsnqxCKNhW8JTKY9kzR4j
q6mynYjaEGXfbHJAbZNiyUE+E6sSHz5IVqmYdEJih+yn1qLYOXV4HFYDUhAZ
DjqUuCEZdvzhyYH/L28XmMFb601BdS5X2P8sTMw7UioeHuD2YPd6YjtK4oyP
Tx0aE9mBs6MnkKFcbrBm3qTBmmMwVj36VwMuOKUYPtU4hjooTU5MQgdmlJye
1AQN9IV/AbMsix1Lxgz/eZRIAZZzkLpxTJ1oQMRIhomRnvgUJ97iJm+54AkX
R/gH6FkZeqFcaks9+NBBxeJd6w9MEBdEYyifQrAtDoDd/tf//f+i8NOsTKu8
OQY6MatNnL4SIHD4AHm/cbSKMlaXVCOE+kB4AWNeGEWC8lxSm6Aru7hfuSyc
Uie5Y0+psoKM+HCBzhWeUUoRZPy1jE5RMlaiQlGu7ZjCpDX40Gwpbiqu8FDc
kkGVdLDk/MHepFSDYkLLGKqQvdjsumusdcEaI90QE2EW6wi9O/u3FMQPT2EA
Zt5itrGC0bbBP3wAd3e63v/c2ox5Ie0P9fnhWYI0ZgmYsf8bB5BDdKLlGJIi
FLiwHYw4FmqkfjNmUkfiHLWW+9U+Nn0fmazm0Z2d0iFyPW6cI9rDPFenhECj
3o1ysEKgA7ILXtLT4Ju69KxmQTlPoZTRGd256QypuNVUeO9roJK5KpanL8O2
s6J7KMHg9yfPn7w4JSF2rXKwEFBu0fMwrA350prnKtCD2U4ImolQEFfn6iOd
ulyDImyWyxDkqTBL8wQ7ih3EeaEDRgvXW7gQr6SdCzOkGtx0OR8zxb1Hayia
Wt/YBiQ5t5LRGf/RNSg4xJQCY600mWIiz60Npu2VnXYbR6xs0JI8IMSYKgw0
SpoexS9zTA0MACYIJaxfLlEwON2BHH0KFw9wpF01JMysS+wkQeDdg86wPhts
s+bK8dlJLYxKlvWTd+TZPKiiOeBM/nYBKq98hkzOSc4h7ghbIgXfJOacvhOb
w2itGLEN6/u9gJEvdLyzWInU9O0bWMEFWS7vVvDgwap82yLm1gqf06JWwnjr
a7qAJy8cfdwMr0fGQS5oaWgsPL+w6qSEjGurJSX0Heug8kSFWfciMi40zFxp
pZVUB9WaLHhtFIPp3qiwLgiJkLOSuN7rCNBsiXCxgmOmuDhmo4DJel337lxh
B2yz3GYEIYyQ+Q4W1SWYQIQWCH9s2X0rGn9ll2RpoNAfC8NHsF3AIBe0LBxI
zrgleexSIKvLjIoso/S1NKcBqc8K91utGzmonARY08hxdoBclaFZOJ/nFVcm
oskegcrXcc+Q4WRSy56bA/vMZUUYHdC/67IZXaXxmcvE64YCPxSYig5bgeZ2
G3GFQoQeS2YeohJQ0wJsKUitIWjlEq8ujcbiKD5W9UDn6S71Q3LoM8UVcLoq
Wtf6GwlxB/GC0KQtO4jvWDKVoBNnH9drW/j1n7QVawJXTlL5oC9HSdk8tFmu
7G2hJvNQFtIBuxIEKjxMKg7qOg/hL47OyLF1aHOojwDCHAExrN5SeE62Ytfb
quWCGd2BZuFUuoAbzOMwQEN7903brbb3C6/COj/yMgINbYZdQAsCOKDQqNvY
bRehsnr7l254VAfO9/Atgwa+rwPOfRofhAk25TJk3Y+DAk/Nwbd8xU+8CIQ8
VgvMaxma/mmIcumcx78YkPZEfxJi4HnUFOcjB5zhDz9YgH7mcaeaWhK4fbl4
KvMkyhaTUOI2IpACUj4dbnJR2XVSQT3Fb0xqi0/xQMYFqH3VpjShHw+W2qmY
1nTjjuclpUIeVuxIF2J1kjoe0Lx350rIMA9K1T7krETZBqbGuOqoWBgcLdrO
W6vZGVz4qK14G+C6woTzJRnVJpmM2sJtcx73KAwkMSW3VH+V+s8K0w6p+yhb
IHQKeuNSd4pGBkHy4k9U2PGENnn6UtIN+cPHSj7s1DFgmzVbCms+GIfY0OWH
+Cy61jZamxHIfbjN9tCjbTz1vu9xm1Tg+Q1RVYObg93/rsu2/nJg0v2OKIDC
QOxgyJg0XlmIOMP0s3K0m6WcT5xHxuFp3JOwKibZJjc/kK123FtJ0/AgPqdt
ZPOc4cnw7QZ5sn/GB2v6AvjGQ/xauILhEzgtro3YxKsr1egsc52sLm7o1pe2
QXFRqfrTuEZOivbkbAMD5SpFI52t0nI3ud6AlHVJvLEc12ziY2zX4meTUN7U
hEkD2n26UNk5yKdI6Y2IacKJjRXUdj9rK6c3LKid7+oPe8J60yCt9aM/UWSb
Gbfl9i8N1g4W/Ex45cr0zbZQ3+yV6n5g9H9JEEr+DlzY1gJXYJ0Uwru2/Dri
VARqlg7iCCAn1BmzIwudC/it0DsvRcMMBdY2mBuOnF+7M726J8BCwkTGvGDY
tozAwByGiRuc3S5scLv/eBmBSgB1+zMyQsKumoINKjDT97kbPSXauC/I4TX8
gji/rwtrIWIxyzs3EiZGIPgi1yTua+vMVRR050ATh4lcI65Raagd+E84mE/V
FH4k8ogQ9+K7W3D0vxdq9RKJ9WVR4fvP3BQhBjknFrbqCY62bZ5W6dwR3SQD
3dKBEq8/fAikDYQ4h+vNJ/S9Fuzc2J0yTdri14+ftnS3zaDfJt8GzflUYT4W
9olaY6cnikjodnZwdOhHIsRoIGTuDCyLsKXG2AeiUob10r1C9+z3pgDbLcSX
3C0XMDsHvDg3BeHm3h7qlnHfvoPxFspWjW8D3SJDyg5uuTuG6/r3O2ZRaxaK
q3or5f4amBSK3lHsUcrd6Vv1TPOIEpraC8xmu3QKTHTD5UpXC25XcASU4ZEv
W5ynJS3QuCE69fKWsBEXehh6dTr3oB98TbXNl6VSgYDMnKhuCCIi7eDs5fkh
4BG63XX7CPT0xtS5W8ds7eiVDV4A71sABP9um0amOcwZLX6lia/48z9Z9Tun
+Fcmm/rsUvqOb2VigtkiN5xslk5Ct9y/wGQU7KQ809N0ad6XcY27nMcTaggk
iwXjamnzJUQUKFXv+DaGWhos0syCQ4nYXYp7S/2Gimsoj93tdMFMx6S7buVQ
6qovbHJeSPPSLEp0eZ0EzStxy0fBLmaA2H9ADYdNBZN3v0u+PmyZ4LveJF9l
FG1t/ZWxEc2dTNgU1nhmTDsYJ4JNxQ4enyMmFiL70x2s3RDSdksZ7AAkZez8
TLBdJOc2oHnNLfdsR3RpHG2fIb0GC6C55VUrIAC9fvn80DRBcu+d4j26/Xm9
HYqKAqiK2wxkm3Z3jESWmXPWk6kZNqKE8oxN+0vF9wQs15rd3+SlkotS1tvn
YKvYvKUjEmmw/VaSHG4D34bfSO9SRCFRidVitb7VKBTfuwew/NsGzIy5dHc/
heelJbhsNxDxQkXFtcZz0muJhVheIk626hgnh+kuPqCxOiBEUH1yuwiRIsuU
llfJhieyqRL2URoVW/avpTNIIPlCfpvMBrxmo5gbJTp3ITl4ikrh65bgmglW
Bjb+tlnz5RTWz6pTuP1388qOSg1PVBZt5mtdKxzUD6NDoTsTgf/m+DvdOsZL
YGKSdBEV1CZAu5UUThfU7Ej+4Kg1p2yg8kx1S/ONEjuBHVicFfZITsdxK5J+
vEW320aBUGarocrVIWDPK1/DEkJOKVaXHVoM2rYNGtZ9oIF/TrZC7dgfkrBz
OyocYAE1vANscniIJj9yox9+aH7utXnq9c5nzs0z59ZW8ZdhXAosnc69iPL7
z7hcU0SoNJ/fX7Z5xjbGb8QGkfirbvx6U6KDwJGG3nx8fQkbNNyWWIuiQHKG
IpFP0orVaQkl0tpmU2A2I5sp/v1LEsaUyAcJMM60wP4f3OmPEoRVSVXUXp4d
Y618bS5gwzxNvglKpxFYY4VKhKmNbKJybgikRM/QCr4heLMM4RMZULfjUeYR
vaRy2KKMUhEDN5bBjh21aomzTlop7DUHzH7JjzLDeEpdxVtOzIN1c7lDS+eg
YbMwqx9sGQuB1Q8a5H/YJP915yyvjAakwOt9Vs1+ubBfJPjT86JQgEqqyoGN
vQPcTg+1vNhv+JjokXqXKM125VYOH0tizPXtaDJjrYlrxyUiVsj9zQJD06PQ
ai4Hj04OLTC3FBviK78NHp0AeLiZ3+1uNUPfYmAUg9BRDKSMANsk5fSYMEd+
KYicElY4ns3Sqfh0DgQkS5IU1DoQpTxv3MS66qoFw+LRidY9grpKwg/AgigH
G6+gzOXGZCYlSw9Crx78WaS6pfoNum2LlDObuG/uqWhaz5aGIdKN9tnB1TlC
jTGyeeZtyVZHXSPQ9wup9haOO3owuc52STcrIm8jui6FO8bNi8uIyxmQI9Pl
SNzEpgIws1UvAztd5DXEM7kbCwb9LtLkGK6KHHuu18dTS0dlEE7mOGQrXNpX
uGxquwdC+zoviyW3K6jlUhL8WWDjIRzcgRmQ7L4MH4ZfdUDoJVSE8MaQ5cGz
Fp9fHbr+oOhzvY1oEIrcqjcVDBaVB/jFd/IFffIGL8Q6QEhfOo5a/Pu7SAvr
z4RNV8qULIpIEr+9UzcQ2aqBmozhG+1y2/nck1HmwfuVljEtfTVSvliAQRFh
c1U5SS44YRmoq3XscVOZJmdS7bruMDLi8Lt4HwK4MtISlEitXw1NNWG9gf62
PuDS4Mn516KbOjd3ePDE0eNPoClnmp9AU+3wGV0I46UK7iC/J1oe0jT0IdUZ
tbj+KOXmUqTrgWmQi4FAjlXUyDeoAW7Rs+DAXUgaaennI+t4F1nH22QdE1nD
l1/Xv3tznd3S97A0+P4kk0dOBCgOmPB9QAP4+lkH4X0wv34DGvTBV53H5yeo
7cf33sD397bB8DUZA7ZB+QGi4XfxIS1JWA0h2HexjQQ5reV4IskfscNcyKXM
nC9C3m6t/jO7YkWyLoq1EPBFQ3zrNFVgv/CWxAFW6qUKWbFqvBMOO9GUZRsC
OSq+w0X0Kg0T2SHvTF9nuwbWIBzp/hN4yjbxbrMGRw5+Emv4VVM4nw/Jxjpw
AYePdlMVI/m/mqqMqS2O4bqtzS2JgmBHVA6BvRWT64R894EbX9PFGls3bOg7
GNQSk45TnSLdCshtjTfRF6ZtwHYB80+yNQPP1gx/SbbmR6zK8CNWZfDzWZXh
llUZfDScFnxLhFS3mHJzJzeAVxBKm5UR3burapdYEWs5aJB5h17BiS4JxGZi
6PCvNXe1V4yS20dS03UzIlE9/E4cqe51ue2nDvTt9nTnlam3cHe3I3TS6Ght
dCrgBY9SJGN7iu6JDFh/YrA7IEDUcyVLs25atwM1XVoS7XVP8qU6stEj3S63
YW1USsk9NjVRUrxoKzzc1t64rSF0E3tqYE/p/ZLiky8deOwfPYAdLYv9Htdf
xJ7E9yVj0eUCvE4USbdmKCkquxUfIAc0pH7XPUoYIb/M6U41I6Dd4mksfCpK
y1h14wxvDL4XG72Ca+MdKrLAhE7wspdbfW+le2PPQkW6isxTo6SQzd5tL0Th
u1x10cXa5oJHlZQ9r7UyZy/aaDm9GP1KXXO3iuXgAb1sbidhD+wKq0+pBoPv
3BAhFNI9ecQIG5Kcc5NiIyGa7es2AhOocT1Z4rfy5hIVMadrmhr8RaRG1qKe
dYv4U+QLGr9ux1G6IExXd1vhSUVQBd1XVlFnegpXmgvOjUKr6xcb3SLIeKp6
I366WbaWwy3I+Gv1RBEQ8cUIMe5jIIUXqCKNO0lwRKcO1ua3lb10bqfryWbA
OvoZ1+aS1kypU1xb6Xz6+PwVKDsFXSokNVvkT4y2AP3p3qo8a9AHMJB6JE3E
vO8eYqSPGjG/faNQpj8kzVJXKtKksFrUce8x2rTl1Xv4WU3IYtjKXxEMbfSN
N+74ulSTZrVzeA+Dun0KIp9UaSoUeCh60IFfQEBJ8pg2WlEyfXN9gk2nd1Ir
a3mVmASJarudaBB+jj1OEvr8iy/CV/AVNniHIZ4d1E/DW3yL847Lw0MB76s3
qyitwbf2hg/pHRDG7G34p8Rx/TENTOljOxz9CcB0Ur3pZdkLwoMe0Zus5Ivy
rpt8ZTZZ/bybfIXjVs2brPxNVrJJe2Khu5HKbBCJ/A2wBPiuojl0grU12M6R
p9TXzdUa8C/s96OU2DLTNPltxfhpEjS7hEujPVGXTHXGVhc/gz43lPfbCUl5
dJ0p3skR2yBygj0i59fnq9XH2NopPfZJKmzPIoXgexKM0cTWNTLwFgqbT5zy
XyCUPsnlqqEodU9EQcKC9VdUq2L57ff2pb/YT/GRceMj48ZHwgdUsPt98N9X
MP7yuG4pXLdyue4vUgJSnRQu9ZUrAal6ol6TZLQGRGBM8vdVDaeKQp/J259h
p1ZAwaLgvwl9SsUflAojoThKid0+qrfOOb11cca6K+tCkCeRLXD1nr+L+rR2
CnoaP7oTAfheU9xQ4x5oUDsHju7s42r/pqXbNb2RiEOWWSu8x6C8cqS+5bsm
e9jGL7SPts2Biw9BIJ/vMxbbeKsby7Noba03EQnkLyAjzDH6PGvjfkVNb26N
TMZv/i9cIzmZXMPSlehBbaKfKrW3YiOfbIH9CJH206ToP1si+jGPY3tZA3zU
EPxAQHFLSqcfO7ZVrLxoh8BZQ4+l509RS5HccUxMpodvkX704Hj3zGmy/t5O
9xf4s9P5nhnGLUtJjzVKyROuICES/mdwPprmpzC/j7I/s5F/Lv/7URwQeOAb
c4/UpzBDgmIGGPCbh84QR1KEoTkiG8HObPIF9xZPyEPr9Ao9Cna9bDJNnTIG
k7j5v0x52mc7qhj8Og5uyGMLuZKmQcXhL3eOcJ9Zef/AuwbksBN+K0ltfvWH
Ux+CkQ8g//lcYbF6NM//DjwmwszQat0usjYFjeCveVpR2E6u0t2xRj1CGAV4
YWTTAJQ66KWfugDgfnfEsDmiEuhICLX6wibmvAruaOS6Wkk0xLCCt+IG1wm9
HGulYga63nTnre2HlNLdOFyg39GdlNYagM642Ty60WVfpge2jhlVWBbLwzqx
0O1md3Z5dirbs08So7ChBhcj8Mnpm7Gt/1y6n4buMbTlGLQXP8hlm7m+mxgb
ouN5UeZ+vsYj1u3kyVTegIxbOpmQ2rwNrvKUzFp025ub4NwaO458cNyCb/Ah
0KPXHKkVb9ZGRNqwzMZEfgQYCx7/WnO5WpmOBpFpvcn5Zr2WdLsLzgS4VJux
Y8WhXjEW6Mr5O2dOmZd7VsRd+2xDYz2sREOXHBlzvwmoOtA05mPNBfsPYxcq
rowgojiT/vmoNnVCk6Fe20dQ24dGu0otK93uUMMWP3+cw8yq/QwGXdDlJ3or
AcnmWuauI0YOuDJC70YajgOySn6FNDA95Iu5sfHYWuKO7h26tUumGvJQjyju
mnOlS7DVVdmkMEkXR45/4DIX+RpHopwSjjdlgMZXwqQDzpoIMWsiB62wMoWt
NgWZSlyoHW5k2zjy1eawvHiztvf60aZ1hXELC2MUVcndDdmOXGQLbL9vw7Me
t795/u0T53Toe6dz8HZ3JarQCdxGlW5j4RiwWHoLi1etVMCqFpiK0tBeLjDM
r2jE7k74paKIFgVEzSXqiO5L7xKawM/wMLdg4HUGRK2VKe6SHQm/qiF6Hc1b
jUwPgITQl/irCfqhPs3F56aBc3i5gbdBTTFhQ0+O8XC4bY4yEqLMccly1fMJ
sEUV0e2Bfj2krjGTmOl8f8q1K/Ey7tqna0cCt9ANjsFeqLGdD6CDj1xe501P
SQxF87Cd8Inmug7vE7anUVB6/rq4Jzut4Z7bJLW1p2Whyddx1xngOrk/NrDB
KqfmpoJiZu1tXW/pgsb00cxrbJo5T1OzbdO2ibOyDkiq0DSX0SrYySFNSWOj
xkNXNLgF8VxVL/Wffk391rOmeP4VSVdMFaGqCw8/dPVu1VS6yyl6+4pXWzZv
jrQlD4rnX/fI3l5LhW+lVRPO/KPT2Ur6f0hv3Tn9JmCXIrzk59zsyLHRCVa1
pCR4v9/Z6obglfhX+Ixpio2yQRQDt4cOFpO7t5c3LNo2hNEt9NnhMNd5oOut
sn4rp8VJYEuROB2j5Wrput/kjmelvIqHlKPGrpyvl3RTqBY+LhyM2mcblBuH
QlPODyxnjl2zCQhAQXRTESrYc8qXLxYLCpBQVgewel0SY3KveG10xSRgjWnB
jTcS5aIDCbegZ7h3u9fs3skyJbVXvjRkbTKhpCpYJ65xgtEy2FoSPbRl3pjp
2WqhSprjpXdrmV/BgcVp5uoyOdxX7hOYfpMhvpi8vw4n/gUn2j+EhZL5cqMY
EOZjcasxu/MiUKgwNWKMjkUEzu/qzgPJvaLk8eKWE9xmgnStFvBxvDusJXeI
6a4E3HGi8RHTx6B91x9+A4fAVIUe2PG7f35wLeGOyQyoreGwsafCro4YH32Y
VrX34X3b+/3PtQz50YDqSxmt96wLHTdEVQNQC7d0+POBp7//4d/tg8+PAY+G
weATkcWjvIOtkZsgJdDqH+7b4F3W3PQwbWHvw/8UzLJdQwiqwybMasQtzWYO
msfeA8/Bz4h9w/0P//zYZxux7EG/HdgnABMwDH8aq9q3M++H35AwgrN+70dH
GWo9ZCgMJL2H6sWlooxoJQU9kyxetQ+gfoG1LjilaFFztseetiiyQqfvFF58
SLKYLhDQoZhAK79bRemNyR48uOylUmwo5ZXNOyy2ROXW4f5qkjp+oamEBM+W
7R8o7bE4GmX82j8iIxAorWc0C1umdKf3MRGg56TD9Q9rGVQ9DC7Mr98wQA5Y
rNqY6gFPXvW2MqKIqFiNqlW0Cp0IbutrQBk3NZht1fY+QiJzopmQZBI5jcpz
A5g+TcY/W6NyUKQd+pI+Xx1v9XQjk9vtWjdKpLs6svCi6l3olOHc2Eu1qJF6
hxU4ZHvSeNQrQDsrNSjQqgnQqqH7/Gi1eNFdspZSkwZy/TWnYblb366N44O6
K4nb2ukfQ+L+2w6J7yyqvSOJ/xNzsSrLGWwiVqcz6H/fQqpOqa/ogflq0O90
vif6BuHY01p46BVi320VhlFUfZ+9+Fka8G2dv/QPtzI1cRdVn/I2kNHo920O
hwhvrfh6ottUokrcULft46YWRq7rQJbud+eJTPHvBFsshLuQkuNIe3QanZRe
kYgj6CnUuQQTnMP2chGOiUrma1dEuzhoRLWzSgou7eFJAsfDu/Ild+zqqtjM
U+FQJsfB5VHhp/GoLWvlV8StXKnHYVnkOttVy6725CbJ7OdxuuLqV63GtI2H
bveT4hz7UfUSvqF7J5bknpqXcsMsysmT4etOhPlZNmke8dmkYZDW8ultr8Zw
Nsr9fMcOqzdIg34CCmtcyO10ZoeDSvcor7TpZZtW6nxrxzg/eYxZnLwCWGDf
eBfqniZ/+K1MF2HCDou2o1l+LHqf2xpA9Cbjyd1qDODf3Yvf1tzbljW7A5q+
Qlt8mSlK2P3H2bLbsNivRzWjb/vbfaXwZ2eSNS/Er4hFkgNLOJXP2O5X1h4g
TjW4m9K3r9k3tQJfhqdS/lDrmPIP1Pj+cUyu7oC6E4szbkNJxHf1JsqJfffL
4EBWFFpfjOVFnqJ5F3Yke3aYkuvw26kuuuyprizWuZNjDzZrijoC/gmcY6dK
tEXtdWpyXoBT5p5cDUqHJyQPmRKGd1M/fiy1/Vj68AW740OkNbOfw/VKeqnL
zoOOXDKPNzTrf7CjW/9qvqn8bMQH+hwx3GUat0dnnKdXYUYNXneI0JOIuE4w
DHxTQw/n4A12iw/cbvHklMuX18Uco8l+uiLlupnuyxyykxbG9ysn9YpTvBkh
ZE5Tn+12EPMyVRCoxqPJ14FKHNhLYeaGAdjXT3GfYefSry1vCsk7zH9SnAvm
Z8LhlceRNAIq2FzRm6PWGAZe3CdCLjGlMlGv83QtM0f3NTaAQhcRozU2lCjV
7rf1FQi7rrLUaoeimCsK3HL74vvaLQjY5tu78Bhvo+QK+ECiru5KxevrXGFd
hffdh6r7OhpvWnxTEF13G6kky2iOJp/BOM6HLSghFjG8bR/68OGwFUQeMghy
05EY7co/DR3qbkgxFbzYurPhgdPmFNO9CJLUkKCeIHIg5qn0Mgg0tzg0F61G
m8sFtzDAld63LZZzus7E62/w/PkzTC8Rax8++Goj6SZUsnmJ7WgpFM9CodLX
r25i3dfWwtY2uUGNQew97YI3RyReSRtNL9APaSdi8qikO8FXdpQ/mRHefwaD
t82IwJHsd4jD7E9pz4vibU73xM03NcTeoRpW3CdLLoiV/tSYN2SyhhbS0Brv
tzN43ZS2KO14iAPg9bQOADbcLEL39kjzDCgAcRXQCb62EROQCTa5zfTqqEzi
7K3pCEwv0XXTCgRxgYnGfAdtRIMGUUKdpWrd2f1rhbc6lrDk1tkW+g7r1OiD
dke52xDM1tEcsRCHM9Tn840e7Meq6rwrxpG2pgGz15/aCPtfVLEqpTn1qpzz
pzqV0eoG8OFPqFptOAnpe0QANP269cm+kb4DMGtHX3AsGiumfUkH7tAMcGq4
9YPQ609gPn/oj/2X7pF553vb58B/xjxx1Di+c0ubEZE0kPTxs+JniS1BN9au
M1awJ2g0whM56SRD28lIc7lt5K7+B6s/htV1LKz2ol9L48Nd8NbvgrG7AcYW
qrh3QbrhKzIc4Fu6LII+OX2hP8XBOrqvAcqu0gmKl84n4eoqqpTXTg51D60o
U1uBmiVf82FzaYi8EKBhR8UvLsra2J+2PlLb7AAg5MX8aAOV1qVtvyDytjg+
psBZEXL8bEP3YCNBiFucp9fdlCQLDhU02rIpFpHb4ZRp3c3WgN6r6SUGoqgU
5wIlZma1xHJfFazfpUU3pRvVaanbteFSuSsaqZqStWhLT+g1CjNsX9d6xDev
ewGai074zCT02+stOEMS+4ub5Mqle08Ezgti34FVK9RNn5zkCONX0SvTajHH
9aSHl6FDT3/k7t4m/bzFeBbdMu6l+koa08U70tedYepEUOc9rDPpwh+0TyqT
710qaso3L6iGA5MlnTu9pHV/LXfSIwmdP+ncdrWdeeiQtp+lonMPT784Dj4t
DSYID671lbN7eZCXjLMvF+eH7Sd5mGuuSrWrrz1556SuT5zdAxRxqoOtBf2I
7d0VwDq1wXH5PBAX8/vPfAPr0vb7fMBJ76G1W5wL5nQDRcREIKiq2fQOgFA2
q8syktKO2j2C64LG9z+lxAJjwWkTBNQGq9daI7hU1znezmgNH3M5tmf7tVx6
xcRjGB6pZ67SS3LouK32jaGIjeGiuVwRs+XsjwLgnHP0gm95izuhA0JfU6Rq
Q1v5jf8JuNB7SWrkb0MpEUUwXm6YNvW1P4YP2Ps8/ec6/uFhor6y/h+i8L29
CzvN6WNOXMP1uTQmrQTGUGp4Q56qlE75asQaC9eDVX55eRtjmYvc2mA8ObIp
P+RtAjXBjgVI2LueYWNmrLNNn2Nih76PcclrVo/I7e0mZxsOKTQvX38ys/wU
JuFmbwtecMysgZ1cmyWRh95J2N5mPHdnUbUnP5az/Q/jwE56toGE9tg3jdsA
DYYkSaqfAw57k7P3Zcd+ChysO7kWOn2gndB2dtkroi4uzwDgsDbmz7D3vdnV
/ygcaAjaPOiQtnF7YENQ/zgp/JFE3x1pvnt6gWpnFGcbUuG9G2IhdVw3YzHP
yqUX1IQNHbK6RX7KrUHQm2ZKF3Woxm9M4HZhefA/Sbb/Lft1ijW+lWbxscTc
f1BbQQ+s96utFrS28aAJLVnF0bNJvQZFS//4d7Qc5GJvrjD29Aqjy+h24Y3R
J1e1QE2l1grXeDBY2XS5lFUqcXk1uvs1Z8ve1XPVJkVJbODGA9WeLPvJXWnc
Me3JICPLunIqdJUXTf+ndEBs9jf/y/oikqqD3IBNxDcIACwG3pHzcOcU34C6
1UmzulqfOm7U5+Rm4A0ipjfTqzPsFMRtneAQ3iTSKS/BlraUJMaU94Z5zMOG
hkf0ms4nefvmqlfLI3Hnu+pR1yRv0EP7an/fq/3tV22vKNEA5NvtZBRcl9Mk
yXvaaRwnvGLfME4+jP+0bbnk6UV7R6i1eXIyoh0MMUCm/XtL306R9pbk5tU0
JkybpneOz+IndL4zre4kHxZjE7XQOH6O9Eh3Y0d5Gaabku9NsI6z2iWc96mp
QUxaldcnzwopHyv9dGg/1bDJhK41+PBjB4GX1U0bScrbVa2hzw4B5VjSQal7
N1TbQHC8HSqVa3uRgunKKvO809lk75plgNIr5Pf8AcKbWT5T3rn7fg1+V8q0
gLJ8vm1q0r2tszuV7nTg2y0DLB2neegCTKxqWRZr71pNariEOMw3PFL7lN2r
9rwT7oVzW9vQV0byQzVp/9ObHbJhRwdWw/Ga/Pwxgu5HqxOOsHZNVacptJ5A
K1t308FtyGa7/OBH9UVsJh1BzLTgey8Qj35BQt/v18gIYM+2dm9cTc57ueXh
EQrdN/EmwtbFb5PvHfHr9mW0T9TfwP8m6++3RN+bdVReqvXucei98Ij6Pbqa
h783Z+GmV/5ddAitP9BmtA5xh3Blvflkve+k9CX8BG3kJ+kjP4NG8rPpJD+X
VlLLnPwUvYR6SNa285uHzZhnekvS3WsNrMDrMOnyKH/hexpP7hzZ6DXshAoC
uvaLcltXaxui03zPsVrohjqRtfVmfdsyyBVwJK9EMsk9bZKHZW7vwYe92fRl
0P7d0vrbHy/U9Lb3CjX3enBt87ZrwJezbLnWv5jmd2jk6yRdb8mdf6KoIJYt
7kjDsht2KUnyuzVnp50udZf3qBHooHHUj+FqQ466aZ96vp28WQ8r6rxNG56S
nADSRSK5hUiP0pDX6eRuBs25m66iRS239EwmHmUTFdiNs9tXoltdGR2X9Ffx
Y8n92h919jSAxc03odCcucDwaEe8ncLEr1vwS55aX7ENJYGskm8dx/UdPdLt
4ECCVbXQu5fMo1dwiC5vHdN6GD4hFeyMJNojFmh4o7s8udMJ/5GfH4KdIatr
07MEr0c4NC/sm2E73HT3WMOnhxx2LWlf7MnfFTUAan1KgGnXnN7PdrTpE8JN
8vNjjvKjwSfuQAN6KQWcdLzpZ998Ldz0r8AB/vlYCOrTIlANc92J7NsmjPyR
zjPhvuYz+7tmP/DaZpMY2Nk62xSrNLfMbqpHCZx6lBPJFJN+oU4dwO6LZ7lT
spEjOHKts3Sgu2tW2r/gd45EWUFl6ra5ZAcsrrLSlyXKZa3YY48La7hQwxNE
W1UdW5UxXkKGuFAkS9CMYge+aGDiF04pyHFTd0J/vdTgRHf205U4gaTe7+yR
6GWCWNFJNV5O11Fyr5vkDvt6PX5Tk75aBwxgzuYtwriU1eMn9fhVNnIpJwxD
MRduV671VBqA7oHEAA3AuFjqNpINPQdruODkgoQswl0Skrq9rR8W4n6HqZ30
/kPjcw8sRT/Y99wP0ibMTgDPaSgSh3vAfM5Sm4iEB/SPefYnrWJ7g43PSboF
tirdv/s7jvcJUNL86I5Q6u+DEmHuHdZ8Zl1vYcOPu/jGB9zFfuxrh9H/rgYS
mef3W6yejNJqk2Dbo2wzdxvYCjUg9yvdLrCNqWXcz5OswzAK/MvezP31kTU9
mMXspWcnPGf9tZ4JloLWbOytWjfQjK6ZxeW4HUOD0wLMP2y2LWm22VZ1IA5o
SgM5j9Oxh6mfCXodg7yWKKwv+3XjipIf3LLFTdS6udjKk/4f60BeEAZ1ZDja
x174tBlc+8PVUXYYIb8G+8MzQLw97bFC/nuYIKHGl/6RZe4/dg+NL7g9T7fw
ZbuxKc1QA3djL9O7LemXYdyYQvYd+KUsDLbnagbGAK3gj27/Lovzfrbbkv4r
LOHRTlxx+ra6tvHQ2MY/ZtOf/AItce8L/wys8ozlZrTyu7aOfiWms18g9MhL
4Eez2c/83zaVvYuHYrRAqTifugB4L6POFMltL3RTSlRdGWsw0LFSlqNWe4s4
JkkhSCp21Q/WKio4HE8XgGDpwuOngf+g/xwXImM8uFxh3TxlJRSXZbQCxcdf
WfiMNTWzjACVNKdFvm6ZrpNaQU0puPCaWiXYCyQYPvfOHrXv0TLuoW+gfS8A
Uy/L36HpizdAtUJ4AEOt+Ag9QX+Ipga/V80gCLTR6u8XHcV8L8Fcd1p6+eTR
i2++eXL6+Mnj2gk51qN0KWt/heeF6s3xoyftlyfnr172R6P2+bPjUa8fvn9/
LgX+Q3aRwEMfPph3nwEcj0J4tg0Pc3T5KPxz+1tEjvfvf/Pnb09Ov3p40n7c
gVUsi/n8tp1k5WX7HZbQtt+qxYcPqImi8nsqNZ6DPkVL4bder9/l0zyly0h7
/d64g3mHBLyj8Bn8F5fZ7o/G8vE5fHxcXhbLfp4e4G2yf1claNAHvfFhK8QY
87BFF36fXgFfhH/7/9HvgTKNg7fCa/in+643AByA35Y5oOaf9S/IEkBewpaO
X3714rT/8OXTR7Ned0yg0GH2I7ygRv/R6/aH8HyqVpX5zO72a7UAIgJzH41P
Kq7BCUbjloHDGJYq+x7NhgIHhstoPCU4COZsQeIZnQj//vj81VF4rxcPojgZ
JGl3pKbd0VBNB7MZfDBNsyROeoN+L+2rXtztp9FgMFJpD54a9FQ26s1m2XjS
vxce6MrI+a1T4+9Hrw63kc/UDbHhI6nd9Gn14cPhEWKhrebG08cP3iYEAPwV
4GM/Js6MCLKWmzbkJiCiuuSq4LYyz9CW0bdOrK+AuuM3+fINFTTzWBxZNM1B
+Iouzkyv1TdhqGgJB2LbHeTkb4I3MCxZbeK/YmsyMbtsdbgwDhodNtnrEN8i
P1CsjO+QOU7eUR0u0+TqNn27UYPP0AtUaSdjJ+iLpWmBTUYhXvJwBbxvadiV
Le7VUSoAIiYThE+ILzHy0cu72689LUqTJMLrhmXxfTxeqWuN7Xj3qjbynjNA
2Td//ubxkaDym/Pzb1+/OX39ps3ofHdmxLj/C2BG5yR2Dk5prMl42qJUkSkz
ox4xlPNHL787e4UMZTLrDX8lDCWeDrtZNEyH8TCJVDJT/VHaG6TTpNsbJ5ma
DdRkOJ6mwGlmg/Fw1o3TbtyNBlmWRL2o24vvzFA+C0/8/PVHUsbM9BkE59jx
3bac4Svo9N076ICVEkZ+m+58i+ZzwtaDiHwrxrecY+pBPsfbDjH+SrFpZeLx
Uvin3q3meZKvQ4VxaqfhSeBdUlSfGW/RKQAPiewSfWuZ5FPM8Z4wmFIB7fO4
rIJ4LVQaswGOvBJbbjtEt/TtzL2kbEXO4TAOOttU5rdbHZAuFaBk8KW6LVj5
qLZA0PL1S7/egHmrONTpO+fNDvES9S7CV+hKxnqCXcVF/LqGdNvJ5+U38Bma
m2Cr/O+cvlcrgZAGlHpRmN+HyxHdSc5V44/tIFUqurJyzekDoO+lnP9nRscd
4XmwWkg3ay4D9e4qAn6KiY9zUBRJRZ7P2Y/JM20vcJFfXgGMFvm6E3oQgvEa
H8WgT8E3IizUoihRD8T+ohKFqtOMRCaYlYL6mmyow7yJWiXe80YZ1YdjUJvI
LPDAxB2jnrF4e6yq/HIJJgaLu3ZKf9fuscXD9BAIgSfykUJrZtqGK0MxUIL3
gRq80ZfCSq8JEHxEdnBkKiehz+5RI1Qbbw4NpH0vS2Z84zJa7b4XsxVqAHl5
JHboVsAjyYV5uuODbvt3Vcx1uAj3Aedib8C73syRvxBbyqlTXNC4EViBNztF
jJbSQeubolQF9aqo3wFWv4XySl+KaN3ekrXlQMdGNx3o3ZAHu+C7AaXq2XON
3xDRxUoKj5TJbNGBT+avcmEt4xxreawW1e9ebboOM9hzHab0/Gm+FTOs34oZ
bN2KyaSoz4zWxluKkEPTIuwCC91FUN9yGDTcclgsa6DWF8hRs7r1VcPtvcHd
L7K05OxeAr19qzRq4XwZbvhJl+ES7PX9Ew521I7gNlfz1Nsnqx50r2/94tuw
fvFtQKCwx2zvvaW+C5jZWkaVCYiYaxcFBNJAQqfBBTi2cusJsEL1BgZfgrg5
kmR2KuMwt2nmO+4rbAVeMF2ah9Qumr+RuM5WR+V8RzfmFsEeqcK9nrMTnjE2
kc9lufvmzMaLM3GEgFFVd6WpIytB+XKDl+iYZZmrNGlZOiD/Iy/QvOP9mSKC
Y9CpsnxtL+CV4xTuyG2KFirUnTQLlqve9T6gi+FltxQ8fIdWUviU12Wewqi7
OE4Am0XBuSm8y4jlQmsu4wmWgLNzajcZzxHacUE+HcfqMYPPi0tgL7mxHrnO
D0mXK1FxXNAyLxUhtFM67V7HSJkCcYTiArZM9iC9aPbCm/Q2gqO70jMHCtH1
p3ad9CLsK19VcosLaZVAvthK8FJbbdgAA5tTqLLN7SmsCkD3S756fo5JKIQJ
3tQmTiqtE6l0gO7XxJRd8Q0Srt+qtW2vi+oBqcwA+pWiJh+YBhEc8BhGZsCb
y7azS1TOTT8m/B47eDCxRPPbCjEIDw1UyMA5XTxKfccqtkkhRZyIBzMlbT9G
cmgCnLDrY4GdkwJRO1i3Tuk+aH3XJ6k4um8mgD5itnGmORx1bROC/1phjjHl
2NyCllTa59uSenP7AfuDaL78EZ6MCjT1ldlSonXuiXvpdrDn0m2+D5wyjBUt
btft5o3XrZMBAro9nLQyvJwpSV81j1R9hISktU9pO7pLRulrRFFxAWLdrIOa
JqMzekRjKDcUwOdJxRU8F+76141mkEvlq7JhTZXVKhl24aVO1TeoeCyo4k9Y
d5SR1kO3luoOyHgJL5ti5A9vuDf6iGu/vC7YS0Vt2dijxJge+b3VyHhDTiB5
9eSGdvWim6tC382MImQnm2XhS3C7Mn2ZrTwyaEPJxJTwZsEMhALTq3nWClAb
F+XMu1FACw7daxuBAWoWwaogWlmHn+fV57whzMcWqYUtyHhF7TZ7ygOxXrGf
cY5uKDzEwnYUBtKjakPqx0RgxqZxiHQtPI+raAUYTsZcRH3lchKWNvUbhDj2
SV1ISpljFgnSgAmpjXQAM5YfxGh5OvwxApAXUUp3deXLBG+Od+8uDqjpVHWD
4u8GhcASuboKYbEV5/mLbLW6vJAKqZVRPU/QlduBwzHkNl6qnzCnQRTMW1RC
HQYIN5G0CKSzNdoQGiN0d96Tr5+A/X87F2ElotmEVcxe80qoGVX2aHkb2nzI
T1UlA1+V3M11AD1ga2IGRWtzzqReAdsA3UMVmwov9SkJEbhjQiDNC10jabNG
meEDUuNjxB0IkxLrYxC6JYvyNLrFJdAJVS4F4mEvqMPuHbW0aO1M0bI3GXsK
GmlnKMCoRR+cG6c1IjOIUMdOqTbHglUPj+6DE685YST1qiHfWU/9HEHWHZGK
K14de0G45zkyhS3SORppaoGKF+W/VlIRUhky1eyQ5mNEQ6ES6MIKjL0Tujik
C6c418xOyFhTOJaRGh3SdpR32Q4vIDCYLJG/TvhimdRUXiex1YEb23RIFkKp
vK5EaTecTrgNvME4eGDKt90liVgFfQ5WRi4p+VJqmIl3IdIbpiWXUQVUUG6J
9RmPEJ5ix8jH8uJzaq6uT3uz9JPZ/MZp5wppUEpN6HJw7kRvZuCAxjbeYd4Z
8gT0eaErpT0n3g5MLGWhdiShBXZjSSarksIZ6esmWoSQnwYC0Ek+37L/eMVg
Dbvqk3lA60VoiiD9c4abSY6GZyr2ykWGDy3DZ6ePn+PQ+Dknufkt2ky28c3V
rbBLUh4Dz6WCboNiOb/VZgcR7govsZlHt4r5TE2dkUKfNizrLSoxxu8Cqjgg
MSNrmVdvtRj1hQC6dFTlSHzd1t6RNEgyLtkhazCD+BpAm00JoVf2lJubE1rh
OX7R53tX+Xe6EsGVIKLk+jKEfVum6qmZOK0cB9FC0tvKc7ANhJMvw4xsnZuo
5Cot0zHHmOXUrKeQwLmoWUQswW7t8Ui8+9uKMV91AGS0wMwOIB0nlIDKm2WG
WqkRf38hRhtYRnqbwEDZ48Z62W7BTX9hqTheYEEogGhDWgGYjVEJkFygklPT
32D18OICKY1zJChcsM3/W9zgFiUbUaFZce0L51Xf4jTqoBF5Gl7MP1iEYMcv
Zj2BrTEQ5o02EKAfGEMg2GJF7Q2ukQsxWnH9BE66Iv5ZqaPAbYhpgA0itFJc
bkF4TjofZlKkLVHiABP/zl0WKEcFKDZHfw8ajAsi1hsA5xpwmLNGTg/1XkE5
Zaaki06XljuTy+0yRxuIbD8PRUmhQ7FZXXnH7yBGZSLQsGU4ZE6VkT6SDWdt
bnphr2e0DjiHRmvBYR1HEDe/QRQ5bZn7OLaVGjLiYF7qxAuKCAxnWGZAfjm6
VgLRk6JecN6bilFVK0BLAx9d9BGJPXxkd4QSYfum50BfkYORJJ0ppLWJonTk
flvL+gYcaomrDHswYHQNtd64hP21YReJ76s2GhcH2QwXdNRIMWl2slHkHtKS
rqb/ugwTJAHzUvIv5XPUJKoNEGNkb8hkn+vxl3/oj9DF6piGXkI4bK9FRoFa
rTdsozpMxyo/Tk0LwM56qxttwGb1BjDeKNprTne6jyZSmaL301WvD9ibbjOx
2Gku8sOmg7EN5FvNh8hWAtsFBvCF9uk0XSE3q+7/50kJ2MgVWuVrKg+6ZQe7
Tm4QmLDREKCTAZUJ2xvYcpu9rgRayfv3fkjqgy0JY/sscG9fog1qy8fiRVRe
cmjQ9PjS7XK9q1Y2VaNzIdDeflCok7xCuwPVj2ZHtlsAtNtjgaOhvxVp+Chw
sYLzQciNTm7EqJZYUrvbBpHCyJsqX4BANxbVTrPTQzZx1W7duHXw4JAa7plq
NhgJuEYZXm4i0KfWSjGTJc5D7KUNVLrI2YlGoZfdQS8i7hapogU679gNd0Ko
RtGz95/l5g8MQ+64OoGeRdUAb97mc0Cmv1O9dkKUgc7pqyQIbDMIag4GG3cl
UVuI2yBH81VjXuCsR3QvPyS6133Fl0z6LbBzFximKKbtgcUuv8hQdBonqSxh
s8yRuwhnLSotPg5ePzoEwQi2F+q7pohvwVpspchp6qVGmRCY3s9ReNA75OA4
3q6LxlfASaXzIkb22JZbczTXkLsuqMi+KhLOUSX+T9qR4bV4XZhkYtARHfQP
9QU8zGqcSzPkgiwEgI6Ec9MA6XsKuCAigXI6bANqa8aQh8yzvjHMKw5quUsI
r9pA8w0McPp9qTcV8NVitVWxN2UJwjK/zoVs4aRjtLgWqp4o4IwaBRp4YTPw
crKIzTUNBmaYBLNZulVEFHhzwslIiJcUxXMXitFPqe5EDYZQVGJF9Y7soN0h
IPDBgH2tyHIiVMTZf4BZMHSVU4msBoB5yd8mV0WecP/EGBuOSC4GHzqC7n4V
uFcYnZxpm0tVNj1jfoOOSYZKKzz7+oQUEwwtcaBR2q7dBguFlJ5XC7YtzbaX
EfpR8HoFHI9wlnVkkMoUzjoBxpQzo2z5+9dbtz00K5MDTJqraOPG8kGdyqP+
33pIYpgWCXKTs8yKQyc8ZhWlxTdSEP3CvvLKfVwXmVXKJwdArfUGrXqJ8pRC
nogtrx8FiyJVSGFiR/tHbDUj9gVHXLmHqinnaAS2+z2iIEKVt0VJSXVErUSL
DWMcCCeQ6d+//7cvj18+aeNHDx+/OOn0uvC/7uSL2WTaHrS7g157PB1MZu3h
mzFebIY6xetHdpiQhmnpUBxe0JLZEDqeOq9fs1l+HBSdBcl6dnlEa4f3GzY5
vzWMcq6cZv/s5AR69xhR87bpjrxYzSV6oiOfm5IiVLTgwF2wVYtIGRI9VHdB
0deFkhV6RYceoXPp5BH7tkDRyys7BhqOxhWuwi99mJF/FWxUZIe4tcur4Ibo
yyw0kow4hquO/GE4jtGTEudvqbOeQVOtUzE8aROOGoHOlLgwbBfh5hpwFnCU
R6ebwwEVWA8jHxK6P9mdWvDtetQ1Ryb36QCzJMRDGSOPjTdy+9pWtQBdnWCy
c4O//OXF2ZPT8OT8/PUTMJtSE4DyRKHppueJfH3V8jJ0zmXpU4CJcn7/Pcv8
42qP0I92SH0nncL0r2tk1q1ttiOKgR06cF9AnxveQmEjqqjtsFpPJjiwFlHl
/VGYvnUGEJqw2qYkkbtAJdEZ1GnYqzkqK4Ou5hbU3tL3DFKSHOvd89uW013J
ZJZtlpVbeBtgZJ998qH45LUnSembRK3X0rn3RsKFuT9+R+dY0j2hXpKb1k29
cmUdcdXp2bqxwdq971SOyMYur9R8VbmD0p2EnK6q5MpNwFgvlr51qxjAtCxz
vtIJVPN5VAItlPA1Kjx4kWkraH4PQ9i6F6STmcW/J2vzhphecg0jyXSWx1Uh
ni+j55g2nJwOtYChYEfkpXUPnfBFhj/mw3XuYtJ5ufLAlzYTyyovgVbM6yXa
pWrr7hG5t9soKYuq2tpUKwC7hvI8mtEjM8m4uFJK2yH/R6y4DZv7wJeBrMU3
X245Gw8BAlMVJQbE1vpCEx/pgi91egkiwe7b5Ix24VZ3aJZVo/t9Vkl4UGfl
dJnwh0NWuoO984v0smEIXU9l0EADIEh0tiFGthZRPtfqn5i7dYDZ53XDS1Tt
AD5n+qJPcs244kPSiFH9zJcptioABnbjhiM1E6mUa8iZkEwucSmWICTO/PT1
hkvPAnEs+TeffgCjmoZFVJb8UAcTqROCk/sVXAOq5nLfLmVktsVrmNYbo5gH
LHdlU0N7/wLLeEzwBikHHeoL9N+hmMycFywP57A3+nyia+HLDg8XxuwPbPQX
hG+OLmVPolv3Jqoha866kmvPcFOIOeoajuFWAmGod5H3i2UPxgjqdldAp+g4
vZjxVo7Vyn6GVznl5x1LdidO8AqD0SBz1/RVGz5qU3za9KULD9xLgrP8HTvf
379/9eSbsxdwrpwRaaqMopCHEs9OkG5Ie7mSBFRJblXUuJL5/Ft129Z38JKJ
CaA9KK+KQx4OrKkSZj04Puxg4xm6SBZd96Y28r/+9/8Jz4nbnr56RX8RtyvV
X/XFv/glLim2nESaWwsuSZCOnFNlztGPHE1WUDlQ5wy/MHpmRA2DIupngRkV
NUdoFdRvOPTDsDrpdm/0Xa+TE9cp+4bXbMu3QJ5z1daZjUjYtta+I8jxzGpX
/HZMhmu0YNMGOO110Rbg03GR3gqovzKe9rxyB3Juu5a8RmQaNgjDh73ExiKC
ItxoUfI2GBMRwawZLNlSFV5CfFvTO4zVac+eszkCNkvbJneMSg1Ojk+Pm8sM
DONntZ+fjBJ9e1gbzDlM1sNBHuuLCZ1CtvefSbHgzqoFwv3C1OE4L7ckhgPY
sFlhpCmmrEcKv1sb+D4mRl4DbWMkMV/avGYnnfEgOuSc41d+mZ0pMpJYlFtg
R+RlfZXGzw6cptebUGI5hqkYZHo+D5vZX0ui8lDEluugNaN1uzQamYhszYcm
ZV7v0iePNadu9P/jb3/DRCRS5qjkiVJ2QVtI5hh3LvXGtWHFc6D2Ci9iSRlD
hPz6zF+ouJhZBGnGIAnL4l3OYR8MolwuC9pttZAESuKrxoTQQVTjNejRznud
MW9vTo4Vchxv0luU1fkSdTJUvK0dYs4TAwAa1YBF2/6n1qLXHd7wZlBT9Liz
krMt9XSfh1PsFW1KV/Hv3z8M+/ALgOZBw8F7la7y+J5H3yYffwh5vY6D/O5h
2IYn27ufBCUlvK6c7+/8isY680IdDXUJpgi1+iyN49decObYGp3KxES23cgp
2RJNriKTVqcgKCQTGXVQRkS/wLgT8EhYTwm0r+GHrkftyAaK7v9HuzcZdfrW
FKjmWGpFAZAinCNvZd3mBvFfLYgVJ+jqp+iL5D5Fy6SJGLGf/GbJZdFmBegg
2ZCb08nTJeznODUSjHBzi572IspaQMGtvKZ0a8swHMh3go/QBcOehZZ1LbmE
Q/djW+UStuqerG6JeBT8o3Hk4+TL+rg7Zqko6lvIp/dtDZxd791WSsXpPxvB
/sTN8Af13XwK4O8Gc3/b/c93bTw4L4QmEYcpj03X8ndwqyQU7OUnGkJ24yan
jwuicq7o46SS3RRh0rHuRBBOu889VCEXSIvttDY502jSUjW6jvJpjcAEVk5J
Y8U3lhS1wYm5J0G+DCz6OaVAbHthDToJPaVbva2xpcEieud3NWhetFDxHWWb
c2HEJ8mK+nt3ERjmHVeBXuZU5gRc5sfMvnOkT1qPc43MT1zPzpE+aT0/L2cR
UWqvCckzZOCIVQ09BAAFqYlAvpYWDpQZAEPgv+I/IC3Vt0927Jya81OmhX6t
Vj1G4pfQ/UYZ4uVyafTTSykGuaLWVErQ2doQinVzQ1IuORxeUqQuv+SsMtFO
Uexe9EcDPIu/XbB27sRTMI+L6En03laTZr81YG86axjp1dbaTP7C7pUNunde
2ZaNsL2u8Xh7HOajDiR1Ycqgz3xKuh4hc0P1JMvNldmWi/wc7Dz43W/abTAH
X6Gg+BOw8oLsQFjBun3Nf9atQQxcUNk3PhTKQ9Y9Ob8sKNGu0tG9evJEsJU8
QafkjeabdpIr5LQ48Qbbvk9b2LMucq9v7rp99ujs07bld33wXK5NTRw6wRN0
pPMotZsB3MOB3aM9SPIAdewj25RDSWyLfExLfQMXVcDrG5KoN8KVehelsJwF
pndR9fRvcbBovnYGg784Idt3cUr2n3/h2R1GP3t5fuR61Cm8kyhzx8Idhjg/
eXzkXi/Jovjk8Z1eXr09MoVPviyi0oic4qepOHfO9QfcsfRr4Zp3WePXDgj9
rN3mrml3GNN0yD7avuBKatTIK/lIP3enUfWVKB8Z9KW5b+ZjY5Ljq40QtZD2
QeCOS6qZaf2N0NUzuQEUklXiwHb7qH10NR1jGFU+n2DZ8/X5U2Sd0kJHhzqZ
fsnZbzt4B0xkw64aRePRaKji2XSqVL+npsNoNBtkk+FQjXs9LCPOsuE0zeKu
Gg6SyXgQD6Jp3B30RnEcRL1elPUUNvgadqPeqN+bTScqyab9aDDJ0jiOu/3e
WCVxMh0latTrdkdZMu7F00E6Sbqz/ixg+gzjwSCbjifpbDCE37JZbzSaKHgx
Smf42WwwgkHTaDTtjgbTBJYCy1OqN0qm42TQD7rDgEgxnAzHo8lgMux3J91x
D34bTCbjbNIfDwMitHCYDAeZ6g7j4WSWjeJhT0XxaJb1pjBNOopmAZJUOJ7A
O8MpfDWKBhFMPlYz1QNtOVGTQTqepaNuBM9MJzHsOhlGKpsN+7PRYDSexON0
EgW9bg8eHaU4VTLKJjOYDSboTYazLJ1Nk1k/TeLJKJnBM/3poBsl3WE0gPEm
06g3gC3E3ck4UGow6sIBjZPRNBlEQ3im3+0nvawbT1L4Pe7FaToez8aql0Sw
zDibztIMwDbIRsN0Mh3Hg3gSTLL+OIJTG0TZZDRSajZOxhkAuDudTuDAYPR4
MujDEMNu1lewgHFvGMPes6Q76CbjdNwbzGZBNu0OR4NeMuvCQXb7sHaVTLsw
52SSDNQ0BlAMYZcARGzp1h/PujC+mgB4Z90eoEU8Vt1Z0J300mQ2HKvxBOZM
JtEQcGQwG056Q5y2C2AZw8amcRT3YJE9gOJg2BvOomlv1I17syxO4IwG4wTX
AlpXN1MILZir2wM0m8KB9Qbwbl8Np6NZPxunM1jLeBxN+v3+LJnFWZQOAPqw
/6Cr4DPA42Eaz+JRFzB8AlueDKdZrOBo+yqCj9Ug6feHQ/h0kvQA+5KoG+GX
gJ+DaX+aBoD3URLhQc5UOpyOx8Ok14+m42FvBJCJp8koinrRqNvLkiTpw1bS
Xh+OMuH1JWMA6HQWjIZZVw2wQd44no6nk3Q8mkazYdSbRv1hvz8ZJgDNwSwe
dOH7Xn8CsEgmvQl20gNg9GD7s3gK+ALH0U0AdeNoAmTWT0ZqGMVDWOkAlpzF
QH3DcdybdIE84MPxOO7DPGlvFgFZjGdqmqTDYDRIRgCxcRRNAZ8n3dF4NhjE
AMhxOoTPR9kQANNNAePgv0C20UiNu4PxtJfNxt24O5tFo7QXAAhjeDvqA2L0
41mEjGUwzHoZQHM4mkynsRoB0PrReAq0CFQKaA/MYwoTdNMh8C9gB6MAGEkK
40WTmZqMgfeMYqSWwQxIdgSQHcM/QOXpBKZIo3E8jrqqO4bV9wYKNwZvAfiD
eDAaAEaPAGzTKYyVDhSgTgRUDIcYDVVvEk/7cXc66o+Gw7jf68/gUIYDIMEI
AYXnNesF0xhWP+gNh9EE6LU3GvcH/XQKDGaQAtYnvd5gMutO1BRoNwFojIHs
e8Ag+3Be/WEPMGM2Go8CYHqDJMr63VEP8B+4aZb2o2E6HWWzGewbjmzan42n
gMbIJXpDGKk/nnRnPWCs8bALw0zVOIhmsANgN6PpbJYAGKLRABY3mSWTbgpD
9EfJZNab9aez/nDSn0yBCwNzGYyA26Wwon4WwQNZAFwHSBUwOh4Oe8B5JynO
0x2q0RD3pACz1WAw7s4mUwXHD3yiB9Ta70+7cX82nCYx8Ng4gHWNcXUI0zH8
fwDEPIxngxiOJEl6wP4GY6BrpHYAdxcYO/I9OIIkm0yyAexjOO4Bxxz11Ww4
i/t91Y0AsiANYKsjBdwgmajZCITAsAfv9QGDZhF+2oVVjQDxZzOAyxDOYxQA
vo+BRwDUgMmOe9EYvolngIJdkBZAlVM8XUL8JJkALxlMQeaBMIBdDhG6STcZ
DQPg4gA2hQTag3OMotm41we6BPwjjtSbzEbAeACFAHTjDE8riYbAfMeAs8BD
+koBNQ6zQdrtxXA6PXhvMBtHQ/gigVdgDxOAGkAP+BIwgH42yIajGL6HJUyB
PpA7wAEOYhXMEOQ91YMVDAGSSQr7iJIsBS4M+xkDasE0cTdOUhA//VncS0Eu
KDyHtDcEKAwAU7ogIIHzRqMxsDiUtLNuPJgCZ58C85wBfkyBzU1mgAPjUXeQ
dZMh8O8oi6gd53jQHcE+gLKDwQiEUx/mnQGeALIpeHsCrGUEfAeQbZiALAaq
B4gooJ0U9g40pRCRE1Aj+jP4X28QDCfdbAzoDwgLTGYwBWxKhzDEZApMEFgR
aB9AVLD0aRdg1ANhFs9g5BR2OQNZh3whGgXAIaMEjn4EEkWN+nGGgrQ/GQCJ
DlPgSDNg5d0U1JDZCGRmNgboDLsDUGoAiCOgqHgCEgc4g4qG49kMMHTQzQDF
YOvALMajdAigGfdnCgV70gcppkBi9yezWPXH02k2Rg4BoAURrIJ0NownEQAc
eABwdOC1KdBdkgIajWHt8XAGrGKYADdCZtpXU+RCWQbLBmmWdbuw9mQa9OHj
wQQ5aAr4Asw4iibAhECpArwZwDKGsLYIljToDgH7E5CjIEOAOafdSTxKQPD3
QKoBMxtnCnQl+J/qxcMYyA5YZYysFihslCSAOilADaQcqAfdDCTvCHnQYDYZ
dsezaTdLpyCnpwqZMXBW2PRgCvQ9GU6A3WSjKfw37g3TPv4HVJFhAlJqMIT9
A94C+YL4j+GoBiMVDAYwLuhpwxHgfK8LUjsFyT5VgA+zFLQGUL+AyuEQAd6A
hmPgC/Fw1O+D2jhN4JiydDROAmCiM8TIFHj1uD+GIxpN+tMAjZIQUG8GzBqw
GhjhANlKPAKgAE8ETABOAmIkjmD/GcihwRgUF5C/AC7ERDjlvgocMyQE4IJE
7alhDApLNpiBRgFnBSQH0hw2nWaDeAhaD0yOFJxNYOtZAvQHejAQJmiMEehH
Y2D5I0BtWAcQUTIYp8CNQd9JMlRH+kC+I0ALwDuQUjPgtzOQzUDjoFwHIEXh
0EBMIA7E8DQQOGh6wElVHxQm+BXOf9Qdj9V0NIxBeo1AKKJMnWZw1gPQZ5Sa
BP3heAJUCsQexxnAEp7tT8cqA1UMBDsoOlPgMaAcKmCBXcC0CcAqylScIdVl
fWAPvW4UDEBvGCEHB/2nC3wOGGF/Av8DmTCdJeN+D/AlGU8GoBsPYDzQHUA/
AkwG8gVVGuyJDHVuQCeQyv0hHj+sFJTjPixyiEw5joHb9SIglAFaDqD8YSdS
WDiQxGCSgD4CIiMdwIRBD2ALRkUf2OwMMGmSpn3UjwbA69IsUimwiBRUZ5BX
Y+QgABX4OBtnIDtA+MX9QZyAyARKH4Fy0IPzSgfAb7o9VLemA+BJEVAqcJa0
B/wKyLuvshT0RxDlo2gIytNQgQ4M3AQkRDDLIji1btKfJIDYQMkAAhg+i+Mx
aFeg0IDCO4UzgpGnMchyIOkYeByyVNCWpmDPwUDBNANzAlTrLjIEoItu0gWb
Ke39/+2d3c4uSXKVz+sqGnNoGVVmVf4hQEJCnMIdWPlrELaxMIgDbp7nqd0z
021sM7aQDBbW9Lhn7+9736rMiBVrRUZE3mDEgHgGiDohrIyOmVawAK5H2AlI
Djy2wGbO6ZcQtfgongseBxryuiikzCdhtHJIIbFmNnAcHJY/S2u9i3/nd1gh
lmKwLqlAZ2I5hAiiIDQEz854yFwLTfDyxbxDHwP1A6JAeYCczkM0/ntg7Ozm
VXqNd138UsavMPG+CZELF1n8OIRQBAOLeL0mBGUQMHRAkl/PsFieq8WrQ9Ag
4lgh7ouBs7OwGZwMm0LUgbuEy8hKE0cjdInYCeGv8DmecPDSIApE7Y2AC4oG
yYN46Fj2i+vxrAF7B8GWzwOQyvQwxkK4PS+mA6m+YeelpHwudp2NfOJgZdeA
3gCxHcVTn4PqBObwMqg0RAHKADPPEeMHSIGurvDAQ3O5Evw4Q/fQd+owpS9K
6CVe7z4hNIhTtDbknc+DeSGrUJaAxk24wxaUi899EYNRJ2tCaE8EbKT7K6aA
RFhdziDDCHhaIVAd7AxQQAITFW/YdFn4RM1Xg8yD8mdCNvRZCGM2/EFc2Tng
ccHdkWsqTeCWUBxhc3CwygI2v2+XQeCFV6AMT3qIeOwoxB6IZrd5JBSOojHA
tfhfRrgBWLQBr0Di3wY09nS/fkoIW5nSB4oQu0SeGl2wFuj4hKKi3fG6Afe6
YZz1Df5IA8LQHoRfLOPCUAZOaKphAbFP62AQdJC9isL1Q8Q9aAQIVoWF4BFg
/4a7o/oGqjds1ND1TEAPPy9wBUP3o7ZP4BPmkl8oIysPz9Oob2jI84noe51T
5zsryOqrXttpwwvMJaLd2PRNTEYyQ4x2QV+8G3dhNw+BHDy9sa4z3iV+8x/s
pcIhwtVSWDFUdLbzi5/yHuxmodigEmdngCEPLARJbe6CSAip3g31sMUgYh5w
GC+2AUq6JuQNIr8Pv3bwIparI6DOgx1viCH4SMivMHyZcsMJ4MqdB4MRVoQg
j/5MVBHYUZCjHeaDzK6IKzQPMmAUeCZIgb0SGE+UK2+Rry9DIX5AJDk3noru
JUTg5sGgB2O7eef2ZqAGu4PUHjTRqS8xLIwAhwSCtKr+INChNFdBQOMon0hH
YbMJIu5EZkOElJasVecLWKSNYSZUPSSPeEEoB6Zwb6DrAhDYJuIWKIyI/KEP
4YSN7bgBv4Ip4a4QfZQwfAMKzF91IjQ4CmXqYTfk5IFxAB01QY825AV3cZD9
UmiPMgAj1MOr0HC/WdhXyhykRaqhKT2/4DOgOrwFNQnRBYHnID5BQiFrqPwY
wXyMSy2Kohv4IbH6LQqiFhOohGy+IP+EknbYBEIAlhbAXF57EfUxTj4OMYX4
hIkgvfEv8O9BzL0jL1gihAZ9eUU2CS7RI4QEKsrn5LJB//7c7agBD/4LemDb
KN0DWJ83Y2SoIkJCPqboGlgHfvMdrOcCSoCN9yCzCKA30n6H51y/y8/+9JQD
ec4YGQ5OyPfHAYD3RqHA/lXfqHVi3+GRJUuZ0At7PPUy84Eg/5KyP6G1OiyN
NVkwMKRMRAkNuBjSmkUiVBMmAAysBA4SzNygvm6ClbIiXPu6nviNWndKP//5
+fxhPMQC9Ao46sdlIwYKwo8v6BetDJ4dAQR+Hn/CcoH6CXwdRO5VCuH1gSnv
wcMns4xqvWUeYlU2GkTqfEGWDi10VMqPcV7FQnwF9H9OjeKBZ2HbZap6ByyB
ja+gPIAAEQ1YQslmbCp+xjcuqOZpBiFWrsPkf9/UqIkMJCaxIUMv2K+5UOTr
ztgeLrB/pEaRihEmuwo89UF9EgNfbJ+wjOnjyvBzEAHbP8rmWqYpxsnDYyPs
WuaBJky/o//5CcIPPtPElJcw2l9UOVHWvBy8HgV/J5g1AYSXcf8DUomgh7ju
gjYfkVCm8nFUXEEb4keoDH5lwEE3kVSmD/wiHCab1VEevM7gA987XBGETKBS
D3JvnBR5X15CBbxamgENJQB0VwC+WlyXXho66uFl+MkXybAughqsFf4U8m4E
IAgXq7qJ34i3dO9Q5zjLPAc6JX+xGjLal6niOxfgYbVxqQyP2abCCurSfFqB
miGeVoerv4Q/oRyCGaohpCW18iSQy92SueNztRcjRSR2dO7A+IEnhNXC/dG+
a6DVYAPVTLKqi0iJz2b8ZohgS9nHml7Z6AzmI+IwTNUlEf+Bz4glaHJ+sKOf
Cg+LNjUpq6S7KxoEpoIiRATBuAnWvC6bCkQQiYkZ2wxMBqZzhAC+yETMAiyC
KYPAmPnIkhvegWCO0suoIvQXIWo0vmyyoPLPxT7DzV6TdA8Bi7WBRDZWQlhU
0uClZgugmnhIvi95Dk54kMU3W4+owVJKl18DeZDVZ09NqVTi6it2oCWfBwke
MrHZdP9o8naUUyfs3PcDU0oN+QOtUWlLgbAefqmxnIgknIB9jmoFQBpmA/2E
/rwXoiek9qBTiRSAECjKmrQAohJ+CKUEAiIVf6BKquE2+XRWzvJ4TC9DgcqV
x1YOPMR7CC9qx5wN3GRASljdnIH5DM/REtDc/BUiCneLX0KvRSV9uqB1MBzA
iwfq+y0EtrdmE7wJ7EvPqw7d7TUVD6LBwGevsijCIZ6D42UABNRL0GCk6ske
cBDjGguOlZkJNyEE3hLvF04DrexTbdTja07qPjwirzGuO5i73U+CixNoIQMB
2v54VvSy0mx8Ur9Cv8CTZ97icVl3hxICzJgpXwvgQQLxyM1WhdwfdoFgNlhC
AJd343MnnCMYvEDu8fAZrCI/TySGHxIrgYsLYGY7G/RDeY63gUphPIjEaW6S
lUi4IVgxoCzAn1ToIPKILCVnCHQoOVzmMSADxdAjjWsm3JCJ74TAP7LSnj+u
bmDqku9Pd2WTvjBc6S/rgm5GgUQwxdQs3j1NympvDW6EeRM0IdnCEL+VwJXC
EmxQbYZ2g78b8nmFxBvUNrAdUzUIsmKWmfd74bGmtBLa2POU58GnkYEYCww8
pq3eTPwkrAW4928Axzt1lB8Be38J4QSYoOHU6Hf+ImfAXfHiXNMD4wR91MCN
qFIu1A3YAI3EgVt+FuAyCq4qS9bqtGWYHeAH9sFLZNuQuxuOTzjHwzzLuiDr
SjJef+SqdgEMWXYQsWHqbsQwpDb2FyYeYVPgJgYgpy+a9yG+XLweHkQkghlE
bOklMCa4V9+7oGbgkS8eidnVpFDzNIuVgseZLm5YntH34rczzB6C9ZGsG9vq
xnc9GKENBeHlEnASYU5B+fYQwbaHS+LQ60nZvMxG5Hl7ERLP325kh/ekEI+q
cuU5uPp3LodTzUrgaO+DEJY3Qi8xtIHPXWwnGw3wqoWgkYQYzwhZWvMqBToN
iUtZpMGrYX4s/vF/ZGgh6ihriBfOs6DJbH4tN0jciWIK6mK4YvM6JlGgek+A
D+fecVyem5WC/xKZNEIibGX5YUAnQx4NrMjDiMnA3tNjguEFnDcm3U144q7H
zHHhA+7w7m5mAs6HvRBt8txmQSZwgcHhw3OYrm1Z8l5h7mDGrfW92fPlVNif
EojCEBSi1oa3DzUiRCN6BgRnRJD2Fj19rd3DQxh1f0EPyATxmf3+8uMzaajI
rnpD7L4UHHDW0LgvUR/n31ipx1cE91IWLgzthzdCLCp0DC4Dz+WroFdVYlND
uF6Y9ssSQrgmS2xmHeIFygasGgnImvaVca21hH9U44thStoQmNjAhnGjxSM8
mIiNYLonTlUzJjJ/pEbvm6+8BdMX5wQWeMyuIzTPwGGboQ+4G8GagBjZCPQL
v17MVeMTv06NdvhLNmfZH+QRFIFADDw/GjvWk86qaAcZFsEViD1oIx6a0HBD
RQnVHV4ZkCqNd0vErBP3fli1tIikxaXt4cAn6iYAwx+fVEuFx50bIyDwZg80
SykoZsCTiIseehAo0d8h4I8nP8mccvlOnechMrCWyywNMf/1jO3Kmj4v3c/D
3yLgp0KD3UasgsVH4v688KNdobdjwSAJzb2sgmRA7cMDTBnjzisRW2Gb+BVL
uHSAZ6Jy4RA44W4SzTIgoRMHjp4bPsINn0kwjneel1mOvPADvAPvZg8U/jjm
3LhAZ4HdMaQVYopgjYysE72f0KEbXxsm3SFH0H++BNpA7MZE0iKoAFXmS8Ys
MarJCqqI9847VdSG2g3LC+CGT0cUvEAmCBa2SwjHxOGZSAUkDZ81PWqCMu86
z0hf/hfg4hkiwEEgz9APNALq+pLp3VgWWHdm3INo/xhgAIhBJLmNvSj4R7ld
sPBYF5iJ0zziQYOdVkAd8CBivMr2sZfYfAB9PZaNmQFDJoTNhP8WT1pxcuyL
NUAXDuJAO6O3c7Hxm7fyHC576nOeYbbVmD7Y6oxCjmcuDLUhch8Fw0mz82i8
QIDk1ALsdOIP341cg1/nsbIn3YQIFGsBxYjSqHwk2PDABsxeAXs0cykA40Vp
Q+9wdXQuz8I24P/E3VQxln0PkBxSVPHuUTr26Dnqdh8C+5VmVpy8BFu4RbrY
WkgIf4UGAnRU+H4vluI5BvtR1BLZ478DRQVu8RKPG1fGJsyk4bBXNP8GCCai
f77h1Lf5Jg858sygM55f0RVsHLKyLZ7GYxMcCF1pwMTJ94Q0lvWGY6YMioZQ
A8g2L3YCGLJWLER8/OURd8JDmKrDwFgtI3hAMgJUfK+EYDqaBzGbBw1yq9cU
ziS+ll7mnuz52oB9Bj5e0x/J/PkCiTLCBWbTr2IK0Gi8oZOWMyULDqRqgBJS
HGVQY5YdwGk3dv+mCgSdRbDfL38cQBqoZyt8xMTg8ONVLL8ZAOfa36YjqAIi
mF2PvCobdljjaOXBDbdN2aqdirRtFljUFQiBRDefHBWwsGicDap3bwQIBvfG
AOoSQEbCx5DKKVg4BOO5174CcRYgWRplaWCni8i7BVMgeEq+vyIsPhiQkg0C
uVAkLAWujjfEFQlTCI9DaINaBsiNB3vACk5/cFmYLNHNEoF1xNFmMvFBgYE0
g6hlmQsWmzMkAOIk4eErwGVCvGcQhUAP+Xs8HIW/TYGaiG0FhiUq5zYe3/FH
EKzIA8LgizYDZYdH/oPQV0xrKa+ANciSqcu7gexrEkca1AdDxZhRFG9JCei9
1PdpylchAaNZsAESshP40pPG+mpcUtzRMxqDAL7F+mzUYphYuIlcBA8ABO+H
TIyx2HRC8zC0saVzsSRI1Pd5NdRc0ciqvw+6J2qJh0V+th4v1O7JvF4zpwFQ
z/V6eIKyJgJg9vjX/RDZcSYPhW5YvR70NuBsEyELe9sh07xYw2LYR5D+wHwI
JpZa8IdrsdgQkelZAM67loVqyUth3vRKi9XwJ1zhEEo7eMda4PMwIBYO21PB
wJ6gbJGXzQcNkhCbENbymHSPG4YZYak3ZPDCC+GwMx+0EvRuJx8MG0Pb4nrz
5SfT7TkViwfSsWknLUTpKh4gLOQ9MfCCrnmmyNpOjak+hddCoHeMjDB6NswI
NbXHOnkdxGU5cEPZNI6jieOXA5l9Y32z4qloaUghqqwuTJafJ742i7CId8Sd
Medz627YoWoe+TM8xIIFXET+PBLSrqMCYEsTJ/EwANFmVAdJ4OrdGsMNMuyJ
YHpkiBOI8RxShAwXjv62gnQH2cDcbgj0tIDN7yzzLlg0rLUnk0X8dn/2Kzjt
RPBFghLJ4S+RsARt7ey8am+PZspwmPvL74ZNzl+mRtPCiQhyQIdJftwC08TP
5tkWhMG72VH4+ELSQA87gSsSH16zykBWyL9NjcKf75MtU8E0YcURJuajeYoL
b4PVQ3rZElbieDR7E4ZeeFiGL6br/nGZ828ryH/6978pqv1fK8l/HpH09ygm
/12p7l8pJ/+qyf9+NeT/0IXZ//HP/+N//eM/+8s/+ee/KQ/+TRXyVybsTei/
dznz3/wxP98Q/n+iiPk384n/pisP/+6Fyn9b8fG3OzrLMduPRps/zpUggF8q
DDe7z89Z6Uy4LYTInC1vgLlayEPYIu7zg7Nfv1vqn8BHeCQipBITUvUoA5h6
8dnUcDkxDM8yI4EUh2G+iM4Gfxrr+uhqgJoQZcKcBUDftSaUJvQFnETbWs0X
Z0NbhNZkXPvd71PNbRIlW4fUt+6xcrdgAqZfYbHjrNZRGQAxYhbeVKyGqbns
kjJBC87vGQ98jXcvHsARXFCrqPtclpXHd4N/4OEoDivdSgDEYJIPiNhmLDeC
sMIwvUAZXIoAUASyCLpWDT3BpEesr2l1OcNuQE9CBngUwH8I4Twr8gQUvdsw
CYs+Ra6hoOH7F/yAWHATIc0e5AfCzf9FqSALBJ0KUqcezC0Bexnpm6ztUVyF
L3LV0CBpsVkU4ckU/z2IuwpjqC0S8YnhVR6hS4bhyew3bxUtIt8FisIOvZaU
AkzbwEcMYgMqT/sWC0ohqROQf8DR1F9iG6LPdyAwnubTgIIjsI4PYeLa1p0c
CC58kx8A69MmroUbkpgeeA2PNK0JG6xfi6nnhRBvjX+swIxWvfUrYGLmEle7
Q5L2QsLvSPwleEMSv+Ozp1s2WKoBENjFAhJ/zLagwqFZZV9tlI9MskbBc9R4
w3AgnzAWjWdBIiGD8yXINZ+ZZ4xvXp5B7b6QxsL6Nfn/D09pFWSwTg1miqL3
DJX9hlC/hfBk4o919xi+9kVQIeoXVPH9PBXzvd7X/A60hQAyLDdmh+/+mmRk
hQmPr4Vts0ED0As958bP+ccwLFaKmMFPXhaxsicQRoT0+ArPiFp2AgysNUNK
WaTd+MbbMJmkQOzijeAeXzkh5O+5sEt4To1NeRxz6qwRKwebgME+JlMORD+G
e3g6aJ7vgaubAP9qeS0OuJeZvRd901hTC3wKD9qt11hYEGp43MlKwrE8gLDc
CXohGQgvhg5qdDjCGdea6EpoINuWpT8RdzLLA9OGpGMtVoqBEjK1iigugy9F
6qxw7+VBQknrvhIKBRYydrecd8f8JAsG4ZMw54rbdGTk3p4S1AHBevjt5i7z
eDfEu4GP8wogBYr17tlbkGHYGWKN3cC37rBADMQNXpfxrRAgzh3T4xdQuWgb
YAhRt6B6UILqdjYLFA7Wjr3AqHJmz29ogUfR5tUs6nnHQWv3gl5BgaEwzxgd
ZXVNU+EDMfug1eDhlnhbNvsUREbTISBbNxr5MSXs0e18vuw3YhBV5xkSdPyE
lNew3CdrupZvWxDpaSkrjOQGh9MjR8L0gpnIIw/2iGxVJQ0srF5jWSsLBeYh
o+e6ZlfAWjAfRRw8Gk3Q5qkxgSpfBhn3LbhTeC1fgI2VCzbUoJmN/9Xs3uAf
nDu9AsxCLNWs9Md3ETYK7pErEgilz++kHwo5tWvJwZGo1nOhIDKCNOxopc44
WIcVk7w+cgnrRkhZxX6DeFjMRJGAtpWVuWBnsOEQHisW72ClT/8qv+4vo1Sb
/S+EpoSLH8OK1XiWDgRTZ8sOgbku1qM8yAt8DTdo48RwEns7qgfKQ8tLLwJX
Fy64KnjJ0/HGkEmCKUKipn4BNYoRFbHZLdDFvpOBKVqmD+ZPFUO3IDZY1oYE
KKbUVjPHGt5qbeZlESxENMJ/wW8LbkfJcRBhxXVJdVO03NZDVKhv6Ihd/AzB
6cmCKb9ULxUgbNhTdwLWCx+Y0eYDQCWbBsAXEYFWHP+odlEfb0CasFBfVPwE
b8C6wHNAyUfqBtl0xj1q7rViKCzcKeUN78ElQJuN+ELNPiy1xb4YA9w/w/Yv
FBELCGmpyYx3wP1R3pjc7PCDSoAHSSYwjqOOtIiS+DdiX6mHgGUVMQPrNa2S
NfGNUgMTUu7WGq/hQQaGiz0MK5PSjyO0MFFSMACztocFRpX0dCVFuLaAMgmT
kAFGWdVfLJte7CSGg6Qg6uC13ZDl6b0q7lgchvDOwdPAu5jY1wh3ApxnGEQh
XgI8Zo/5UYwdmQ/xibepepjA7KbLplUW2PgAvRHHjxtIiDgdpMuERYB75Lb4
HdzjscCxw6haeDa6CT3sHmWPV7eJ73ZfL88YrY3CcLM5g5llWvCLYmW7VaMI
eCEVaBgQDhwNccrqpQe+JGN7F/hCvELLRU8Fknr9+h2p/gkYQYjx4YtIltvT
BsiLHj7QTX7xWCfPX7xrsoS6PeEBZwmWMUB+To8ebFtettX8c30qXFZAAG59
dI/brHpvwv5o+YUp1Btq2FhytPuNnSZzjmx0najG+zZy3yhn3tkqL7AWA+WN
U4OSnD1DrFqQxVjA1T1nvua5YX7VDCtxkPgVQ7L2DU+JKRaWavmArVnngylY
ugGH6PbNLFaLnRn98tSk8Ych8rpGl1mxWujigKC+yO7Sx/N6xmyBMctBmGw2
Cbywj7wfgAHa2QHid20QEhzNdVqKZ91wgtSAEFYHCeWoVijgtKdhomgBpmBP
CpRzhBkAdCGV5WDnzgtt6i/YypNgm/NWHpebneOFwYWbhZkl6/I8ZmWh+Sa4
wRVxMPyT+GvVVYT+dutb4VkErtWnFBCEynp/wvWgkTVCCaVBGFvxKOm9bMqw
aKLdUD7Qt07oOzTxtoWQFbpxGnT8Vx/LNmAFK8Uv8YzesCgfFd+v+Pi8GGUW
JYGIyaajZFiCXs6EXJpuTY8tYBtbZUXl05ldBapP86yrXUPt3/tXomDT14NT
25aGO9WbSAwpeYlbEE8QHGLDikL9wGHI/tHPoLwDsUNYgwx4woeYweCRb+KS
pRARXjgHfo4Z8zHWd8avGJLvs4wNgTHdpotNbCDUkK5bu/VA5veTt2UxjX94
EJv5UFQPUIv/2FoBMK7vMArojpjmhf+sfidbUUywVgM3gYWV82Rmy0rFblAp
mt7rxKe7w788XC4ep/GK4SIKiHHwAGIpzPAFFtl62F2GUZRQ3HPP+GIqj4li
y1ROndkzo35D0TDpC5iOqLZn9BJYVWC3R4wUYyeuNRvRAGHofYDKic3JBDiC
BUBrNz8xnuGpQYt8tpi4hgd0M8M4MJUDZMMPTbgQ5eHzw5O4VM/0pKquUw/B
9YZY2JliXtrc42N9nHykyS1btcdzBzEDOLcZdSI2bHYpGK21zu/N9oofzRxY
Isxj9J5sEamLjBt5bQHggmc+1vGgN3BWVmdZdtmqAkLJEeBFOCv4QjwyXUds
9KwN5vXw/u+BDwzsDaf8MmTRxrzNY9nbyuaoPweggMrEQaDAKiRPtOHM5ofx
ZdsHACwLm/lXK0gfLKgnBAQBEr4J/mI1RGCYyDrlsUvmOb17xC0h63NaXnBX
CQR8KGwEukUNEB0+E/K8bOJgv8uA84GErOrTr2kt1DhpIEo9kLUMXJCFUb2a
odlbSzsfQ2kCx2uwf9m8YZx2PLOLeMD2BMMuSiIM/6+ITx33gYYqRk9jYxFV
G58v0R7Sd2MxmchNiIBrs7/jsvTqge5OPIbYPTxzAc9RpKisL+sJCkOkwWDI
NDvnl5evHRN69tqBWNkjD12wEJtckHerWlBp+6lUXFqDOfMShAW8eFUgxEPs
jOxGmX91oqzyZeFURFMeVsmAHl9b3/SS9J5uHQohLOF70Pv5WE2QE+YKc4Qa
4yxF/Yd8K3Yx8EOrf84Wb+LVdwroCcjZnpl6huixDopHUbXZ4wMHZFfhnDMl
T3Zs3F2e7EZTsnz68LjxJXS+OCVqoBPDwCRB29IapFWMuBAcFlZb0QaQ11bs
aYiiLb5tObIbgmLtjzUK9ajhjLSepxAw+OzbIhP7MDBUV4cY8EIyF+7kSX+A
Vj1Aqb1tcO1t1/v9amdfJWyfNd7wx33z+g+OMFzzHiFpN6SsspWjgTXfCQKc
jsj/uBQQjAU97sYPGLCU3XambZc774vXw9wD5JXPneddX5UdNLxZ69Ut9IUO
PkDU86AN3grp/jkPDH0cXf5z7GsnVuKWnRWyCRMg2xPynyQkMNoJTA4Vpa0T
SZZ/9d/mgX85+utvSQb/cmj+3ykj/FemuP1jSwv/PMvlj3+UGOf3FyNOvhnl
48dVTD8ndn87D/f3G6jx5Wz/+Ndf8aspKr/8in/r1YP/4e/2Df93JbX5pPO9
xN/8WT9e8v/R/Ljn13YXGrW2fcry2pDNJCO73ufn/Pht8b+16idO04zl7JfI
MidoTSRb168N4icognVEzZPivd9CfIOeEA4icH1D7fJHJAbh4vWwrfQ6+n2B
Cf1rsKvBpk9g9IarJOurrJXlKezja8RtlGkx610te3w38bK+hDTboC9YX2zX
X2upP30VVIi4tAmQX8vobI6zgM7YeN88akSEtFiM1oTNcoDIARrDWA4k+Zcn
AbdNxvxEa+WG25R4OhTmnfMe0kMziDGZ4QPRWdUHYp+hwLDYCwkw4fIoXvTT
WcvRBKMC0steCVvmkbI7eODPmoD/x4Zcgz+SjHBRwrvKj/MEqB9Sj89XdJS4
7VIswX7nRrTfZjdhREToQ1ipr21QNzGBPVwEpF8KVVhvRTGYn+LXe9wWDPcD
1YT4OAFg29cz+HV0K3Q8E3xvrSRetvRBHcM+ppv66ygNG2SbffasKq9pwzV2
FZ4Hk5vbLAji26IRx1PcSPLrrcMJLalnR6BkQ5K9GrCT6hQK7GlaQhsKVGx9
k2MKv9mOXR/d3BDGszzwRm5gYPCjMNuX2K2ez5wKmTCrdav5UiiSoRs9wuLD
HJTWCU3mFIh5HWgZUnI+6/aM23rAd9oMiD1A+pHSOc8Jd0cgYI0NvsMDQX2q
7YapYwY9XXBOKx5CfiCW9TOAhQ8Q+qC92k7cqD0TYeFLLCxcBaJ4e/w+BmQu
2EEQ2D47/m3Hb2Eh9+9n1D0RBAH3w4cWIXUjJllBqFOE4MpeCdoxoZPQE6de
UEZP2C17ndiQVeqQnjojNOHd7DZUjy0PHkpgTuuG4bMPkHrUKNH/QGgQzWjq
8k4TjqXukJEPdlaVb6IGLO0trL46j0UAMdBnD/uLTkkxvnnqYHbDFftRzb6+
X3YeYOjltoQPD7hLtDIKm0GwYqrbaTDv3jwNDzihRdB//O2Ct2Mqr21rt+Uh
7AxuXY+1BphKaBAQPPDlpZCnt3MvEH1x2OKompSnNlb35SVs3jzo1heqj0Zq
ycYBSCCaPHigd+A6tUN5SuCJB1TGdjn1prnVg6x74wDuDtYPq4WDgn4QOhYY
snYv66HYOazDltaMRn1NdN/Ah2kJ97uWC0lQksUwyK7WGmoG5y12KzcH5PB3
WBzPVKa1VyEeCLpFNBDgDJeHEwbspaFAcZ/t9JsQvkzMHfu2EmE5UsOE2QzJ
UwT21+54zP72zE5lO/irFwFvE51FIMm5DvA3JT6e/Vg0jo5pGLQl+hsuOO0N
wpYBy6/xqwQ78hHd47JO2cZWPXmDDfpSTfWxNmJ5fFZSh5Bi8Q317nkE8gdt
sONY+1Ec8GBYXf7Ryp08KSzN0UwsUzzlgMIPD595DJOZqw2USHXsDfIMOEMZ
o3ZXOfN6HQj0fuEuoJ0tQb0RXYm3c4IPwmxsdDYRKD2s7xNeC+vRzmg0tFw5
ttxfc5qvJ2ZUO3dWeU3K8yXNMmBMuIK4u6PS4lk9LXTYzrpKs5cm2WfgoBcc
evKphMQnWlNYXtaAFX+Mhq8NURWVlRBqbAiaWrwIpjoGK1bte1Z4IIrvrx8T
d+SPrJy1/ObOps3y48SiFVAUg+W1B7GMzNsR6PHlhD9NmwEu1Mn40ZarVi07
sHYJ6y1IlB1TxXFwoqW9jpEtcMU3eQ4FH9ruyzIVhEcytp74fMfXHrsmo+ez
HhNaTqfZ1YKrUQdSB2hL5wYjLFq8TSay7wiPjcTcrz2+tdp9BUJvQDKa2+J3
D69W7c53vhT6iZXa1W6+jEksq7dYrqu0VddyuERje7XN4rEtrAL/xbNeW4IQ
ydUknbVliEd4j72WdqYlp+i0q0+ekUdtZrsd0XXmst67geZ4N8ZfH2TSSA9I
FUDh0KEjlqJnvmpbxdfua3pA+2wbNTeR8ySb+pzQMS2qtEqJFXQCip3Jlq9a
a48GXQDmjceHZYIwY20eAoAmcX9JIpbNgjlEYNVXnJjg+LQSbc4fNvPUE5DQ
ZXkmyueFeVWo0w2RUPYSKpZFQYQ4fhye5SHLi2cAks0ZbOAfmtimKWDGmOY0
jt3LNxaF77cf5bHSNCAmB7hgOhismpb8OlDnON6tD/4wm0S3wMJePdYA+XkV
j6Vx9wI3cS4Az7HZlK/N2GYQvIlo6Mi04xSnVTy9hi7OzJetxn5iItcrnOzE
it1EcA+WU7q7bXRWKRNeksY4vtEoMI2+ecj1TeTB8DJcgvgX8ABQG1w99nDw
fbYwsR64JN+dnxhLMcvLVqbzYLsLHevQLtQ7sAbtiDe2+5jT2YG/zOm1rMwt
5NmrFZ7EUT7GCljNmrBet60msXzDsTCkzPt0GObXhghJ482C41fgNVDIEFOI
rX+J1vubbrHrFygn/BUVXh2ClCpBWH/cF3zbyTLTZR8I9Q3pwvAMcAHZb3ED
OEp0nXxMJtKNZ0BfhkUN8Vn9mwF24VsxeSILDvTuXKdjnGOp43NmEjEeQ0Jy
jgnkK2fYwejDo+dCzPsK7i+7wC3wLfA+zb5/NYjHtNu9TN3+OAXet32D8Lt0
+AQ2GDwLq5tNeGKGv2BsYe13P2PX0g1eToshoC8PNsP+OuiwbtYIPhXaeF/7
H+0Qsx/rbuz0nsT165ei7icrwG0RGj04T2j0jvWa0mvH+iFwgne14cQZUeYf
nUAELcEPNHqree0WYPF4atQDj8xCWFrbTE5rdA+v6jiPmE31zqOZFNPzK15l
mzNNZez3XuiY2/oJd6QZt0EMDxQ94WQ7z6iPRxqsdr/DTmzItOw3XvAnQP5b
NX7ytgYEWHqDcwaCNb5IJbFXvCZWESAtHbwd3QRZbMtguK8ne36NBwbnMBBJ
bI0iVrMtcFgiFWY4WGZTV7Wb1SwvYWryldHkGHKywFe/SY+e8dt0ALlY37g7
KzlxTOh8g73BmbddKYtvgJ6NYJitbL+GEPdzHRboBTnsaO192PxgJ3g70i6f
pC5nLPCt0c4lR/wd+xTX/Z18gtvQtMtybHSeTS0VIkvMAQL0iAZH3Sl4It6I
hs4wa8YDJ9U5dw9QQc8gtID+y9M78I/vtYGU4OxQEitnbFJz7NOeHmSZg+ap
nOO4pYD2GcB9wDec0hkQRznlCaYlXtvRYrU8Eql36V8uOIrtm5fnQbrFOMma
MvPgmBZCcakdj7XNhzWP3aQ/BGRAfBePMoNzAweell7CD7oa5ojFvHyah9uW
3OMNz2V+/cme/jkeEvEG6AaffcEgd7aPHHSZ75FJFLwUaYbZ2oL5HY8ny2eu
sjCb5/1m0b1tvd8BizpzOuTkx9S1x6kmma2Lj20ySB/rzgnBMHpsCa1unfiX
s0f8KDzzOkm2YLtzKVbUO32J2GpOojvhJT4IMVg1YY+vd+CLQ+8cCBIOciE/
vMRwebN15Xj1ckRMsnD5/aLxU9FQcGPwLFigvl07dvGqLdyooNJh2/ARKGe1
cQFgRM6P2eVS4BRsBX5xkp1CK8L8plUsDuuyJelyYBOfjhB4ElvtganxFHya
Hgnx0PAK+1Gd6fXKAp3ftfpX8OwbYWrnIuKlbQ95cGqjcg+J5pQGq5xOlmMO
T5Wm7QOOqBg1YsUNYcUrgLeexVjRBqZGj8qGI4AKjtTN6o9InAYdmz1j2X50
JxTCgpcHWE6i0XE7gq/V6yEiIPE6L9WdOwXVcVLVPaN1yJgkcvsb6PbaCYEM
subqdiLoKY8HtC/86Hrf4Diar0yCRQfPm7TGcrrusFbnliBLhwU8+3Uc1etR
aCfU8L2uKt55vVZzNiIBJp77Daq1j0FaIem5KctDYMQIW4PCWPa/1XINyywe
tBMh4rkCOx6NiB7gsubrK66rp912bkBD0M6Wy3WisOfi1hhpQzB6GT4WYjUm
DHz4qgMYuQfq3vmr7FqbyQNfQLsYmTbU0QFi3Xk7OAQc4lUgO+yhlKs5geOe
cr+s5vgReeCSz9vA7yQbDES+KRNmpRz/6EFfQs43Py6jpi95/3M7uSHCE+xQ
37bQ3PZZof7zsvHmXVY24GeQObaJ4B79vlCH8zFKvmJly20+csBQX5CkF8WA
5HZyEJYFdeXfcxMCmqEK+UGs36mfYFua3dyVqBad9pNMNFlFx+f53A0Wzubz
NhZgLE+csoWrETzIuUGDT7Mat5opu9F9Ea/jWaPn0K+Jw4XKRhbA7pAIdrYe
+4Cs+LENvTZRDhbpsc6KtlDHSwYrT8Y5Ld1AouBGnf1B9tvj+hinICVHu0VW
2NBAJATQwK8J/0Zq5suSSBi4f3dnLPZxlJ+TiZ0iALNPB324N0g/BNfz9beb
S42Wi9ibylODmAX/QUvB94epQ9B/AzzouOTsLeurcIRvstbjelj8yM8la+tW
BC3OOy/H8K6GsTl2p8VpdwoqMRFe4ZWeVxPn7NrGq9fPBzTnYLmo7oR5mh7K
dmWlBaVaVcNqHe0L3QnoETMz55sJGlV0Hule+687oPnD3/OE5rsL8+97SvOH
/xiPaf5i/sUf/zWD47/zE9fgt1ck/+Gvb1H9i//Qf5+Z4v/PHwS5Pl+y/X/z
+L8bhf7/z5n+sY29/4foGAl9QsnDN35pS4urpxVmtk8jgv3mRAwBG4uzE1qL
jsRC1Y3do0fa837O9Tv3/skZ8IQ0q+vzNLWAELctMxKSHwlvNl0QtzIRUe20
u/NEe/QvGCLg/leP15w8CjZbLQDJrY5YrRA4HtyaScsNQn8zhPutdzBfF/mZ
cd1f4tVMiFXlBE6Y0rG3v1kfQIQiwm/CDyq82I237UV77cgdFsQ5N0M6SSAa
f8PxGpolWFzQ1BGWA3Ybn+/XIX2hmyKfTuRCv6BHQ7ycPCHHnM8OFSnbr7/i
9T9luLG84zio+vF4zYxUO6chuvMNB3BQ0iFmIcy2Q09HjhcSzbRt2eV1mKMz
FCxwqe2RMKOmv2a7uqqzjpxK8kgLnR47Vu/pMc0wLtY+nOfXJ37ReQl8X4KA
yVirMovw+C7n5ySUF9v/2h6a549cM/wr3PflgJmYk52p0p3ooNTVHWKVMRcr
XVYcq5TPqiwFhBqg4xGEdzrJ2WsHTfx4QNQcNwRxZfMwtuU5yqzto+UQZhQJ
vNjBPGtCsKGKxyoZFCycGGX26xM/uHmSR6aaV51o8Ac6ZKom8BfOmXaCUe4s
/XtstnQeSUnVqYjrTWlhZ47BgF05q784cDWgo5oNDU1t+2BH9m54bJWtRUH8
WZ16837h2uivjGSwRjoqo3Ar+fmEvp7p3D0TdB6vWWZ0kM7OCOUTHCfpSMIb
E7tgWE5jK47sRb04LDOO/rxf8v0xl8vn941KfGwTmVbBOKbTif/3J8bep8I1
nYvveB20hCMynAo3c7a02ePdzi7DbV8PIOu5MWcHQddlhmEOdMJg7S7rcab9
oRFJUooFNccXaPzzjc3zLK002Gy3FSLBXqt11OnGKBwqVr/81A1LLTL7ZuE5
Nmzz0Qtne6Vr6VjPBZx4mwJY5ewvC8lgqg56t90YLXnt+ljbhz/u+h1lWPVj
m5qzjZDa9nZYkrZkfnzxZMUg3/ayf+VgLLfzP8x6xOYxPXDqQKlYYK82skOg
x779cOdIw63fmdyjBxaKWCrmjGDRpbTLrliVVhWTLKe0/hTzYN1em6zNSKER
1r5N3AZ7e2N4HEUTHrhtcupiu1IPsNtR7PKHNVvl/Vj2dFteeIdq8/nzWgnF
66YTUIrJwkUrk86LKkTGrsvsqgOJnbdj9ZGdJ9hDc3StTUIvEHi+GUbBbn0E
yO354BZ6LJeezvy7UFIpjA5G2Aptw8jXWuHp/c4/3jThTPjF+zQUcw6ORW7V
mY59D3wDsX6lFoJje7ywwkSZk6u9a2IlL+DASIEo5F0bVoFXHdr6yan0F29Y
jBr2Ne2vze+xpzrazGV3PFo7qrgc6OTovuxQcesIca3jjGtTAt6Csqp1ifvK
qtDipLvp7RTg0eP8iGyEcrSsI62r87XeO4BJwRmsZxkwwWAr9jJh4rIrn+CG
ZM6ETc+kgWgEpt3rQFoZJ944x+h18QVEvfQNbk9OzmHPyvqmaGIrsSzW4UbI
uPDfdCPP6e5vnDy/v765A9GBTmkbY7zHg6X2aOa5LQi/MKfmUL8blPHyDkIC
xsd7dCLFQe8CXqgqcxzRjMYy8+0ZQubhBoFg9TSv8AQi22RrV602cDoMAqTu
c0Yg2Pk4KX5Thj2m3dV58w+OOpwkCN4nQka53ve7aECpf+zgdjo4H9/7DA2i
UsfshIJmySiR/RmAdnBQrC/UN7L98CVXnyb6EM43m8jX6nwOIA+O1UYT2/Ow
baG0lv/Bt60sSfmk+y6JWBcKLuApvkUUjlwCEne3HhB5GMK9rHWx1cQDFOf8
YTlmrjX5bbbdesDl0BdQKnkPhB19djV4P8fr6PhInIsztrb5RZA62VLuyEMT
/8Sokxz7d4iO+y3QEo+jxx3N7RWHlDnxKHjzg7MAWPm8HExYtYS35hdkeCtf
7LhUPRiD3e81p3MWbD59AAVnVdiIeN+WsRDIeVM8vcfxafeI29wCDUj5HBve
k+er5eIPnTU0bLq/R/bKgvR16ocH/JAI3ga06GFNNQHlNKg7PNXRUizztkrl
8vTA8Wr7eCBWqt0+NtVjxzPxx+uOjsAPDqf1gpfgVGsAJDrBYc5VzKNcg4ir
/3tc52xFgJal6NPuSmu9CYeWtZz05B83HwzHPnQso7/fbGUbD64U46k3sNLt
gjM6JSDaAoeV7KiZ0cLr7lU0b4cH2h8G+SjZuxOio0WdJugYmAYpsYjXpiJn
kTgHMHhub7mFI4eCh5rBYVfRkt/lKlabTert0Ln3Ol/3tWXkDgdyNF1YOTZH
lmdr2J0Kx0c5uzaYjpEZ2GdhPZqRoTrVEZTC+2Cr8INnfLOSIS2OQXQ+/3K6
PpQ2WXDl2G6n5+MlrMGKJjd4EG8IubDK6KDtgHHFYf00rgGANo+fHfqwzxHR
caLuSMTSPHvG1FiR4K0lROJxHbmWp0NOWs0hJiDfCfBwuWbha0jd80tJTvt6
7urzDY+23cnGEgvyJyxoyLber9bM0oxaO7ZqD+/z5e7QGkSftXLH3HdzODgO
xo+WjzamAXm9sLYe7NHekMEYHMTNR0qVsLDmGYPzXG84xuNtIeOGWWJOlrlA
QGo5GwFjJypblFjKRIRq8JPb6yIclcRWwYGcyfzYXZrWvJ19B3vzqMvBU7v9
GFiP1eXkfVqOg3v1p1O6TbSe9BfbX5Oxx+ZOVtX52K+XgnS82nwsoG98u6yv
OFbP4KJ3BSTNJmJxqBLCqRUtgIQlAuux0MFzZo9mnQ5M7LUWucd0dbws//rE
z6mr3v10OwnL84MjQeOJ31F/jJNMHofxxhUwPh6kDmc4gw+7wG2bg2lySx4a
ORHqjsfrf967PMnKc6BJOmalvL15yVlbjny8KxAF03y/XmLPlJcnzg2GRdAo
PdrOzPphlB6fbVRBd3aoRNK2a6g1Px0IAU+7EExPb+Ac8H2vp+G+pTsxt+Xb
6Z7ZE802kUl5W6uwkLTeXzGcNooO4xnTe20A0WslMgzb8q/bZgsHyWOCkc8l
ELXmoFbWezgfiteZ8mDz8dCNmyUJtgw9QP22ovH19rWcfww8V7B9tzFkLzF4
oZm2lmjdvqUXvnQEm5Nf5Yj11TlNZ1q0F7y9xwmUkIPZHIFeHqeGrrr5NEgE
gqIqI6ajY/mix5LEqzls1YMJR0J5fL2Co3mt4rK/5OyvTI4gSUDsthXDFNd3
hotgAksJPiNe3l11H/RV/EatWUVx48bf4DQ1JvBanXm5tGCocnRIj02n9jDw
JBLScREtx3QiapUoeDsPcX/+uLbNMRAAz/ckoBUAYe0GnuRhUDwYfHqiV1Zc
39AoXhsU8AAN2QKX9YwAQYFoRjhhegG28A01Z+t5F5vq0W52hkFPCYAXIXzk
/TUxVA+AjjVBTu+d9mfx7nOBE7AGVAl7f8qPqxc2DL3nF73K90bkP2HMPiFI
Svqx2U4vbnBeT3njsu8bD/Y0zpFefPqY5TgB2MkWGtvbLjAOBYyIP9+xmnec
eJnAJMqkHCxzxFNQZdEpWpbh8W439LJ4As7Tpmltmb2a7+stF0aw24YDHsKD
Pu9Lggva84CPHNBrWwkUb4cJvo6N9raBaGPFhdiwbsT9sDHVrIInsghgDMaa
ITAzOCAwehrrNVUO0wCckeLIP4cSDdRAvtFRDcLhgQg8LAQthV/hg5xIOL3g
yEJXS3O9JglYaKh8hes3Xy0FUMpy2QzyE8B4Rr5Pt+epv04qRNjnxO5iRHQ6
ASM4esrrSorAa+/PfQHnYGwzaMGwskOroxf/WCDXv8sHjm1PG4T0IqxiVxVa
zolUX4e411XYpuM1ZI6v2wiJ6hzR0SqeproBJT2j3fgjFMXWTiTq9GYN41u2
qT6AIy8o5Tk/QIGXJG8NVJcTxazCdMw4vJcvd+g8K3iyIRyMG6iUb86FI3Sf
eBnTm1MsjOSoBg/6e96o+Ibseb46YMddLC/QcGAHNMuOm2pCbjjcad3P5WVX
E1qNcVkaNPi1bqDgJYMttrbW2l1skzYyf8NkHutMCKwTq4FiB68tGtBkBCGh
7JtiWV2n/d19Nl+QC6nkGMdj/guLNB1kbqr37kk+b8g7xWs4WQTTw2TP9FK3
Ab6uhNfAFB0viKM7xVfAY2mAhliFOHzElvp2O2L5AtbPxBLxMIuLPbR3/KgT
UrZ3piyWsia7JQkONxTiIeTiBnA8qwaSF/ysC5aePo5brCUixFvhYnsn79I6
G7XvCD8A4SeYx/t5GQakuyoRrY/DjPN186YOsvFSFPAehqdzfpebEJCIFl0B
BwTPjQi/3e+52ERYvKMpYQpYyoXmJmI5y3Jk6wPtMnthKXwb9u341h1CSZhZ
dPwLtLKYJAUZXktorfl0uBdxE6zEINIPR5xaCRHBQdCGUEQmzmMNenRA/Dh3
BwFx1mWBMfziveclBYt8zTp2alm23l4H5RwLZsDe6bwTPNxZpJ7n4aZBZdgd
6epIEK+ZubwYr5ZVtJnvFqPXm16CA4RDb/bBETktKrlNWRRvOIPo1sdX77dX
KnbvYIB5eKMSxB2DQF4MqDZrW4TO2/s9rdrC0r0G81djVV87KvkqOwLAMlfM
4b7od6D5OLnLsZe8f3SWo0XguBoPiqV7wUra04lz3rtngPpGwANKheByML4X
+OnbhAx/nBxlZ3GUYzdYwwovuMxHm0OyoxeZCVm0wT16dP26f6tDfj6mnpzC
AIXyLgJHRTjyRgIPQ7/SV5CGqbxOCX6NNx61Jy8a7U4Pqs6bLsXrYGGl9eyU
ttnj+lj78Rjc1/U6FaGKdfkEYpcGw2Z6eep6bCV9x3dCigg1hfll18BMK+Tt
+XXs+UzXc9u3D+bezldxQJTZGFYyHytCvLlnAY/stBPWvEZq2Fb6dRcjELK5
jQbDeB/H/LfvUg4V1esrbfHxcSp/NQHXnVCsApxv+co7jhejHqJKduz4tbxV
x3IDmDIirDgL04sg1AaxxW+kS7Zywjpd/x0G048tNcdJl7zfA69FLOcvo4IK
yV/bpWOjHHA7LHktXjyyLOm9H+8CyyI2b1+K95YuiAUwni+P3G0ELVbKvJYX
JiOUw5Z42r1ZAuJoRMZ7RO0NoIRm70+QZH0DKQniVprgVV59gPSa+yRHT2J+
XsjomPFu7cx+EM7elHQiWB+9XgVoBxa3qQL0HQrBSzSsRVbBbk/yzzcBNjVU
AeLJK7c6PPs4LNB7fLx5djvWplqTn5b8LUxDS5AaGeDM9Xhny3Q8ujemOBO9
3UqNunnNbulqit6jkBC/qJ687st6U9hr8ipN2KIjR7yaj0DrZWWOWmbrRvtu
NspyQi+a9G6I74LU9XHMdWUzmzYjm4sEUh2cu8xAbwf+e/gEU07ZIUd49nNs
rvhGYkAotDrMAHZcDOu4qDPQnD0Af1neqRy9KqSNYKLAjNVEf7uqbdkfn7K2
7QQWWOXXqQX79mugjw5FALBf78nE9B0ETkR7F3rteLfV7XAnGNky5BN7HQER
DK3XrIQYFJE34PSvbzzeyQ7ep0ClkGJm0pKKGpntRC4CmQqlENrtJKgWxFy2
4QIRUA/L6SsU0yunkLOoAgzTazq83gMw2N+AKrRS9maS7BjvMpttSbc+XWbE
sW8787GKYLdQORF7uPtEaCWkZbOCqqNCy20i3KqjDiXsL6Fto+zQkXWb1oxP
8DDQEhCowbC4xRIQi4GMp3Zu8YjAi9dOg89ek2TXAGosXd5UtWwoyLiY9aas
AMLghu8cp4VFGB1kHMfxwVb24oLHBOfbrYlB9O/H2jz+sN3egwE0QSet8HEo
9W1TR/vuNyAMR7gJENSHA9q8sA6yOKHUjgvY5bJGdzuH23up8E/vYCpK9VV6
29+lmyyufd/DQq2nHGsClzPl3mo2ygavCwXhXc2miL2VLXoPRjQ1aAm4pf2o
J6IXQtc7KOHKaO53ZQcVx2/upN3r12zha/3Pjox3VGiI1sh7D0KVm9pwMdbo
RNPibAZojJ+Gc2bnimHKvOF1rA/qtxXaeKgXKZpdd/ya5wDe/oyy/pCxeGPJ
d6dCqt/gpONkpUeFckXHuHult7dUelaFTMTsRz6WtDZJPpYrVJbtseETIhQe
tAg3voI6R0Lmy0kM8FvLjmFUtussbxBNkhxANjg9KPhDAz5EfDqxKY5eJ0V8
173Yfnh5Wem+U142An5D77pS7rsyAfrjAJPqdJztxTIAHY9aoOfdMfzLy3Tt
Ekd75GrmC2SDqUWb/5L9/d4aXN4OHXn5lG1ru1cxhG9CipNe3gQL5+MWH34R
yhH21asJiFkW1vGq1i3BOaznfuwWegh90ZZ1nOYlVt3fMbAK5eXp9rySg+em
1yJaMDk7nGw50GvqCt3uwOZVcGCMRWUec7EBfMK5bf0nrpr4vVjS15Snl78p
3Tz+K96i7Zk4iGcJvipuvu9XNueIElsDdyW0O7nUxv0rfVcTdWiEk+ne5OTF
74etSIPHIa1/MVb1fpwU5JhBUAYMWwLno5umaVlWMYpWuXRYuW0+2jsyzcld
I4DZ98/VWoCOVOr1Nqf8OhajeHwWirlqr6HzLg0ky+tZsO2GhW2D3kRvP6vr
mj+qtf7oj/7Vdf2Lf/JHf3T905/+9fxPf/6f//uf7vUnf7b//L/+5fU//vmf
/7c/G/u/7PUv/+D0P/3L/QdWaP27f/Pvfuq//cn9z76P+J8vE77QNeABAA==

-->

</rfc>
