rfc9958.original.xml   rfc9958.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.2. 3) --> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.35 (Ruby 2.5. 9) -->
<?rfc strict="yes"?> <?rfc strict="yes"?>
<?rfc comments="yes"?> <?rfc comments="yes"?>
<?rfc docmapping="yes"?> <?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-ietf-pquip-pqc-engineers-14" category="info" consensus="true" submissionType="I -ietf-pquip-pqc-engineers-14" category="info" consensus="true" submissionType="I
ETF" tocInclude="true" sortRefs="true" symRefs="true" version="3"> ETF" xml:lang="en" number="9958" tocInclude="true" sortRefs="true" symRefs="true
<!-- xml2rfc v2v3 conversion 3.30.1 --> " version="3">
<!-- xml2rfc v2v3 conversion 3.33.0 -->
<link href="https://datatracker.ietf.org/doc/draft-ietf-pquip-pqc-engineers-14
" rel="prev"/>
<front> <front>
<title abbrev="PQC for Engineers">Post-Quantum Cryptography for Engineers</t itle> <title abbrev="PQC for Engineers">Post-Quantum Cryptography for Engineers</t itle>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-engineers-14"/ > <seriesInfo name="RFC" value="9958"/>
<author fullname="Aritra Banerjee"> <author fullname="Aritra Banerjee">
<organization>Nokia</organization> <organization>Nokia</organization>
<address> <address>
<postal> <postal>
<city>London</city> <city>London</city>
<country>United Kingdom</country> <country>United Kingdom</country>
</postal> </postal>
<email>aritra.banerjee@nokia.com</email> <email>aritra.banerjee@nokia.com</email>
</address> </address>
</author> </author>
<author fullname="Tirumaleswar Reddy"> <author fullname="Tirumaleswar Reddy.K">
<organization>Nokia</organization> <organization>Nokia</organization>
<address> <address>
<postal> <postal>
<city>Bangalore</city> <city>Bangalore</city>
<region>Karnataka</region> <region>Karnataka</region>
<country>India</country> <country>India</country>
</postal> </postal>
<email>k.tirumaleswar_reddy@nokia.com</email> <email>k.tirumaleswar_reddy@nokia.com</email>
</address> </address>
</author> </author>
skipping to change at line 54 skipping to change at line 55
<country>Greece</country> <country>Greece</country>
</postal> </postal>
<email>dimitrios.schoinianakis@nokia-bell-labs.com</email> <email>dimitrios.schoinianakis@nokia-bell-labs.com</email>
</address> </address>
</author> </author>
<author fullname="Timothy Hollebeek"> <author fullname="Timothy Hollebeek">
<organization>DigiCert</organization> <organization>DigiCert</organization>
<address> <address>
<postal> <postal>
<city>Pittsburgh</city> <city>Pittsburgh</city>
<country>USA</country> <region>PA</region>
<country>United States of America</country>
</postal> </postal>
<email>tim.hollebeek@digicert.com</email> <email>tim.hollebeek@digicert.com</email>
</address> </address>
</author> </author>
<author initials="M." surname="Ounsworth" fullname="Mike Ounsworth"> <author initials="M." surname="Ounsworth" fullname="Mike Ounsworth">
<organization abbrev="Entrust">Entrust Limited</organization> <organization abbrev="Entrust">Entrust Limited</organization>
<address> <address>
<postal> <postal>
<street>2500 Solandt Road Suite 100</street> <street>2500 Solandt Road, Suite 100</street>
<city>Ottawa, Ontario</city> <city>Ottawa, Ontario</city>
<code>K2K 3G5</code> <code>K2K 3G5</code>
<country>Canada</country> <country>Canada</country>
</postal> </postal>
<email>mike.ounsworth@entrust.com</email> <email>mike@ounsworth.ca</email>
</address> </address>
</author> </author>
<date year="2025" month="August" day="26"/> <date year="2026" month="May"/>
<area>Security</area> <area>SEC</area>
<workgroup>PQUIP</workgroup> <workgroup>pquip</workgroup>
<keyword>PQC</keyword> <keyword>PQC</keyword>
<abstract> <abstract>
<?line 263?> <?line 638?>
<t>The advent of a cryptographically relevant quantum computer (CRQC) would rend <!-- Status of I-Ds in references section:
er state-of-the-art, traditional public key algorithms deployed today obsolete,
as the mathematical assumptions underpinning their security would no longer hold [I-D.bonnell-lamps-chameleon-certs]
. To address this, protocols and infrastructure must transition to post-quantum draft-bonnell-lamps-chameleon-certs-07
algorithms, which are designed to resist both traditional and quantum attacks. T IESG State: I-D Exists as of 11/26/25
his document explains why engineers need to be aware of and understand post-quan
tum cryptography (PQC), detailing the impact of CRQCs on existing systems and th [I-D.connolly-cfrg-xwing-kem]
e challenges involved in transitioning to post-quantum algorithms. Unlike previo draft-connolly-cfrg-xwing-kem-09
us cryptographic updates, this shift may require significant protocol redesign d IESG State: I-D Exists as of 11/26/25
ue to the unique properties of post-quantum algorithms.</t>
[I-D.hale-mls-combiner]
draft-hale-mls-combiner-01
Replaced by draft-ietf-mls-combiner
[I-D.ietf-hpke-pq]
draft-ietf-hpke-pq-03
IESG State: I-D Exists as of 11/26/25
[I-D.ietf-lamps-pq-composite-sigs]
draft-ietf-lamps-pq-composite-sigs-13
IESG state: Publication Requested as of 11/26/25
[I-D.ietf-pquip-hybrid-signature-spectrums]
draft-ietf-pquip-hybrid-signature-spectrums-07
IESG state: RFC Ed Queue as of 11/26/25
[I-D.ietf-pquip-pqc-hsm-constrained]
draft-ietf-pquip-pqc-hsm-constrained-02
IESG State: I-D Exists as of 11/26/25
[I-D.ietf-sshm-ntruprime-ssh]
draft-ietf-sshm-ntruprime-ssh-06
Published as RFC 9941
[I-D.ietf-tls-hybrid-design]
draft-ietf-tls-hybrid-design-16
IESG state: RFC Ed Queue as of 11/26/25
[I-D.irtf-cfrg-bbs-signatures]
draft-irtf-cfrg-bbs-signatures-09
IESG State: I-D Exists as of 11/26/25
[I-D.irtf-cfrg-hybrid-kems]
draft-irtf-cfrg-hybrid-kems-07
IESG State: I-D Exists as of 11/26/25
[I-D.ounsworth-cfrg-kem-combiners]
draft-ounsworth-cfrg-kem-combiners-05
IESG State: Expired as of 11/26/25
-->
<!-- [rfced] FYI - We will do the following when we convert the file to RFCXML:
a) Correct author names in reference entry for draft-ietf-pquip-pqc-hsm-constrai
ned.
Current:
[I-D.ietf-pquip-pqc-hsm-constrained]
Reddy.K, T., Wing, D., S, B., and K. Kwiatkowski,
"Adapting Constrained Devices for Post-Quantum
Cryptography", Work in Progress, Internet-Draft, draft-
ietf-pquip-pqc-hsm-constrained-02, 18 October 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-pquip-
pqc-hsm-constrained-02>.
b) Update the document to include <sup> elements (per A48 mail).
c) Update draft-hale-mls-combiner-01 to draft-ietf-mls-combiner-02 since -01 was
replaced (note title change).
-->
<!-- XML for reference update (draft-ietf-pquip-pqc-hsm-constrained):
<reference anchor="I-D.ietf-pquip-pqc-hsm-constrained" target="https://datatrack
er.ietf.org/doc/html/draft-ietf-pquip-pqc-hsm-constrained-02">
<front>
<title>Adapting Constrained Devices for Post-Quantum Cryptography</title>
<author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy.K">
<organization>Nokia</organization>
</author>
<author initials="D." surname="Wing" fullname="Dan Wing">
<organization>Citrix</organization>
</author>
<author initials="B." surname="Salter" fullname="Ben Salter">
<organization>UK National Cyber Security Centre</organization>
</author>
<author initials="K." surname="Kwiatkowski" fullname="Kris Kwiatkowski">
<organization>PQShield</organization>
</author>
<date month="October" day="18" year="2025" />
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-hsm-constrained
-02" />
</reference>
-
-->
<t>The advent of a cryptographically relevant quantum computer (CRQC) would rend
er state-of-the-art, traditional public key algorithms deployed today obsolete,
as the mathematical assumptions underpinning their security would no longer hold
. To address this, protocols and infrastructure must transition to post-quantum
algorithms, which are designed to resist both traditional and quantum attacks. T
his document explains why engineers need to be aware of and understand post-quan
tum cryptography (PQC), and it details the impact of CRQCs on existing systems a
nd the challenges involved in transitioning to post-quantum algorithms. Unlike p
revious cryptographic updates, this shift may require significant protocol redes
ign due to the unique properties of post-quantum algorithms.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>About This Document</name>
<t>
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-ietf-pquip-pqc-engineers/"/>.
</t>
<t>
Discussion of this document takes place on the
pquip Working Group mailing list (<eref target="mailto:pqc@ietf.org"/>),
which is archived at <eref target="https://mailarchive.ietf.org/arch/bro
wse/pqc/"/>.
Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/pqc/"/>
.
</t>
</note>
</front> </front>
<middle> <middle>
<?line 267?> <?line 738?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>Quantum computing is no longer just a theoretical concept in computatio nal science and physics; it is now an active area of research with practical imp lications. Considerable research efforts and enormous corporate and government f unding for the development of practical quantum computing systems are currently being invested. At the time this document is published, cryptographically releva nt quantum computers (CRQCs) that can break widely used asymmetric algorithms (a lso known as public key algorithms) are not yet available. However, there is ong oing research and development in the field of quantum computing, with the goal o f building more powerful and scalable quantum computers.</t> <t>Quantum computing is no longer just a theoretical concept in computatio nal science and physics; it is now an active area of research with practical imp lications. Considerable research efforts and enormous corporate and government f unding for the development of practical quantum computing systems are currently being invested. At the time this document is published, cryptographically releva nt quantum computers (CRQCs) that can break widely used asymmetric algorithms (a lso known as public key algorithms) are not yet available. However, there is ong oing research and development in the field of quantum computing, with the goal o f building more powerful and scalable quantum computers.</t>
<t>One common myth is that quantum computers are faster than conventional CPUs and GPUs in all areas. This is not the case; much as GPUs outperform genera l-purpose CPUs only on specific types of problems, so will quantum computers, to o, have a niche set of problems on which they excel. Unfortunately for cryptogra phers, integer factorization and discrete logarithms, the mathematical problems underpinning much of classical public key cryptography, happen to fall within th e niche that quantum computers are expected to excel at. As quantum technology a dvances, there is the potential for future quantum computers to have a significa nt impact on current cryptographic systems. Predicting the date of emergence of a CRQC is a challenging task, and there is ongoing uncertainty regarding when th ey will become practically feasible <xref target="CRQCThreat"/>.</t> <t>One common myth is that quantum computers are faster than conventional CPUs and GPUs in all areas. This is not the case; much as GPUs outperform genera l-purpose CPUs only on specific types of problems, quantum computers also have a niche set of problems on which they excel. Unfortunately for cryptographers, in teger factorization and discrete logarithms, the mathematical problems underpinn ing much of classical public key cryptography, happen to fall within the niche i n which quantum computers are expected to excel. As quantum technology advances, there is the potential for future quantum computers to have a significant impac t on current cryptographic systems. Predicting the date of emergence of a CRQC i s a challenging task, and there is ongoing uncertainty regarding when they will become practically feasible <xref target="CRQCThreat"/>.</t>
<t>Extensive research has produced several post-quantum cryptographic algo rithms that offer the potential to ensure cryptography's survival in the quantum computing era. However, transitioning to a post-quantum infrastructure is not a straightforward task, and there are numerous challenges to overcome. It require s a combination of engineering efforts, proactive assessment and evaluation of a vailable technologies, and a careful approach to product development and deploym ent.</t> <t>Extensive research has produced several post-quantum cryptographic algo rithms that offer the potential to ensure cryptography's survival in the quantum computing era. However, transitioning to a post-quantum infrastructure is not a straightforward task, and there are numerous challenges to overcome. It require s a combination of engineering efforts, proactive assessment and evaluation of a vailable technologies, and a careful approach to product development and deploym ent.</t>
<t>PQC is sometimes referred to as "quantum-proof", "quantum-safe", or "qu antum-resistant". It is the development of cryptographic algorithms designed to secure communication and data in a world where quantum computers are powerful en ough to break traditional cryptographic systems, such as RSA (Rivest–Shamir–Adle man) and ECC (Elliptic Curve Cryptography). PQC algorithms are intended to be re sistant to attacks by quantum computers, which use quantum-mechanical phenomena to solve mathematical problems that are infeasible for classical computers.</t> <t>PQC is sometimes referred to as "quantum-proof", "quantum-safe", or "qu antum-resistant". It is the development of cryptographic algorithms designed to secure communication and data in a world where quantum computers are powerful en ough to break traditional cryptographic systems, such as RSA (Rivest-Shamir-Adle man) and ECC (Elliptic Curve Cryptography). PQC algorithms are intended to be re sistant to attacks by quantum computers, which use quantum-mechanical phenomena to solve mathematical problems that are infeasible for classical computers.</t>
<t>As the threat of CRQCs draws nearer, engineers responsible for designin g, maintaining, and securing cryptographic systems must prepare for the signific ant changes that the existence of CRQCs will bring. Engineers need to understand how to implement post-quantum algorithms in applications, how to evaluate the t rade-offs between security and performance, and how to ensure backward compatibi lity with current systems where needed. This is not merely a one-for-one replace ment of algorithms; in many cases, the shift to PQC will involve redesigning pro tocols and infrastructure to accommodate the significant differences in resource utilization and key sizes between traditional and PQC algorithms. Due to the wi de-ranging nature of these impacts, discussions of protocol changes are integrat ed throughout this document rather than being confined to a single section.</t> <t>As the threat of CRQCs draws nearer, engineers responsible for designin g, maintaining, and securing cryptographic systems must prepare for the signific ant changes that the existence of CRQCs will bring. Engineers need to understand how to implement post-quantum algorithms in applications, how to evaluate the t rade-offs between security and performance, and how to ensure backward compatibi lity with current systems where needed. This is not merely a one-for-one replace ment of algorithms; in many cases, the shift to PQC will involve redesigning pro tocols and infrastructure to accommodate the significant differences in resource utilization and key sizes between traditional and PQC algorithms. Due to the wi de-ranging nature of these impacts, discussions of protocol changes are integrat ed throughout this document rather than being confined to a single section.</t>
<t>This document aims to provide general guidance to engineers working on <t>This document aims to provide general guidance to engineers working on
cryptographic libraries, network security, and infrastructure development, where cryptographic libraries, network security, and infrastructure development, where
long-term security planning is crucial. The document covers topics such as sele long-term security planning is crucial. The document covers topics such as sele
cting appropriate PQC algorithms, understanding the differences between PQC key cting appropriate PQC algorithms and understanding the differences between PQC K
encapsulation mechanisms (KEMs) and traditional Diffie-Hellman and RSA style key ey Encapsulation Mechanisms (KEMs) and traditional Diffie-Hellman (DH) and RSA-s
exchanges, and provides insights into expected key, ciphertext, and signature s tyle key exchanges, and it provides insights into expected differences in keys,
izes and processing time differences between PQC and traditional algorithms. Add ciphertext, signature sizes, and processing times between PQC and traditional al
itionally, it discusses the potential threat to symmetric cryptography and hash gorithms. Additionally, it discusses the potential threat to symmetric cryptogra
functions from CRQCs.</t> phy and hash functions from CRQCs.</t>
<t>It is important to remember that asymmetric algorithms (also known as p <t>It is important to remember that asymmetric algorithms (also known as p
ublic key algorithms) are largely used for secure communications between organiz ublic key algorithms) are largely used for secure communications between organiz
ations or endpoints that may not have previously interacted, so a significant am ations or endpoints that may not have previously interacted, so a significant am
ount of coordination between organizations, and within and between ecosystems ne ount of coordination between organizations, and within and between ecosystems, n
eds to be taken into account. Such transitions are some of the most complicated eeds to be taken into account. Such transitions are some of the most complicated
in the tech industry and will require staged migrations in which upgraded agents in the tech industry and will require staged migrations in which upgraded agent
need to co-exist and communicate with non-upgraded agents at a scale never befo s need to coexist and communicate with non-upgraded agents at a scale never befo
re undertaken.</t> re undertaken.</t>
<t>The National Security Agency (NSA) of the United States released an art <t>The National Security Agency (NSA) of the United States released an art
icle on future PQC algorithm requirements for US national security systems <xref icle on future PQC algorithm requirements for US national security systems <xref
target="CNSA2-0"/> based on the need to protect against deployments of CRQCs in target="CNSA2-0"/> based on the need to protect against deployments of CRQCs in
the future. The German Federal Office for Information Security (BSI) has also r the future. The German Federal Office for Information Security (BSI) has also r
eleased a PQC migration and recommendations document <xref target="BSI-PQC"/> wh eleased a PQC migration and recommendations document <xref target="BSI-PQC"/> th
ich largely aligns with United States National Institute of Standards and Techno at largely aligns with United States National Institute of Standards and Technol
logy (NIST) and NSA guidance, but differs in aspects such as specific PQC algori ogy (NIST) and NSA guidance but differs in aspects such as specific PQC algorith
thm profiles.</t> m profiles.</t>
<t>CRQCs pose a threat to both symmetric and asymmetric cryptographic sche <t>CRQCs pose a threat to both symmetric and asymmetric cryptographic sche
mes. However, the threat to asymmetric cryptography is significantly greater due mes. However, the threat to asymmetric cryptography is significantly greater due
to Shor's <xref target="Shors"/> algorithm, which can break widely-used public to Shor's algorithm <xref target="Shors"/>, which can break widely used public
key schemes like RSA and ECC. Symmetric cryptography and hash functions face a l key schemes like RSA and ECC. Symmetric cryptography and hash functions face a l
ower risk from Grover's <xref target="Grovers"/> algorithm, although the impact ower risk from Grover's algorithm <xref target="Grovers"/>, although the impact
is less severe and can typically be mitigated by doubling key and digest lengths is less severe and can typically be mitigated by doubling key and digest lengths
where the risk applies. It is crucial for the reader to understand that when th where the risk applies. It is crucial for the reader to understand that when "P
e word "PQC" is mentioned in the document, it means asymmetric cryptography (or QC" is mentioned in the document, it means asymmetric cryptography (or public ke
public key cryptography), and not any symmetric algorithms based on stream ciphe y cryptography) and not any symmetric algorithms based on stream ciphers, block
rs, block ciphers, hash functions, MACs, etc., which are less vulnerable to quan ciphers, hash functions, Message Authentication Codes (MACs), etc., which are le
tum computers. This document does not cover such topics as when traditional algo ss vulnerable to quantum computers. This document does not cover topics such as
rithms might become vulnerable (for that, see documents such as <xref target="QC when traditional algorithms might become vulnerable (for that, see documents suc
-DNS"/> and others).</t> h as <xref target="QC-DNS"/> and others).</t>
<t>This document does not cover unrelated technologies like quantum key di <t>This document does not cover unrelated technologies like quantum key di
stribution (QKD) or quantum key generation, which use quantum hardware to exploi stribution (QKD) or quantum key generation, which use quantum hardware to exploi
t quantum effects to protect communications and generate keys, respectively. PQC t quantum effects to protect communications and generate keys, respectively. PQC
is based on conventional math (not on quantum mechanics) and software and can b is based on conventional math (not on quantum mechanics) and software, and it c
e run on any general purpose computer.</t> an be run on any general-purpose computer.</t>
<t>This document does not go into the deep mathematics or technical specif <t>This document does not go into the deep mathematics or technical specif
ication of the PQC algorithms, but rather provides an overview to engineers on t ication of the PQC algorithms but rather provides an overview to engineers on th
he current threat landscape and the relevant algorithms designed to help prevent e current threat landscape and the relevant algorithms designed to help prevent
those threats. Also, the cryptographic and algorithmic guidance given in this d those threats. Also, the cryptographic and algorithmic guidance given in this do
ocument should be taken as non-authoritative if it conflicts with emerging and e cument should be taken as non-authoritative if it conflicts with emerging and ev
volving guidance from the IRTF's Crypto Forum Research Group (CFRG).</t> olving guidance from the IRTF's Crypto Forum Research Group (CFRG).</t>
</section> </section>
<section anchor="terminology"> <section anchor="terminology">
<name>Terminology</name> <name>Terminology</name>
<t>Quantum computer: A computer that performs computations using quantum-m <dl>
echanical phenomena such as superposition and entanglement.</t> <dt>Quantum computer:</dt>
<t>Physical qubit: The basic physical unit in a quantum computer, which is <dd>
prone to noise and errors.</t> <t>A computer that performs computations using quantum-mechanical phen
<t>Logical qubit: A fault-tolerant qubit constructed from multiple physica omena such as superposition and entanglement.</t>
l qubits using quantum error correction; it is the effective unit for reliable q </dd>
uantum computation.</t> <dt>Physical qubit:</dt>
<t>Post-Quantum Cryptography (PQC): Cryptographic algorithms designed to b <dd>
e secure against quantum and classical attacks.</t> <t>The basic physical unit in a quantum computer, which is prone to no
<t>Cryptographically Relevant Quantum Computer (CRQC): A quantum computer ise and errors.</t>
with sufficient logical qubits to break traditional asymmetric cryptographic alg </dd>
orithms (e.g., RSA or ECC) within a practical timeframe.</t> <dt>Logical qubit:</dt>
<t>Public Key Cryptography (also called Asymmetric Cryptography): A class <dd>
of cryptographic algorithms in which separate keys are used for encryption and d <t>A fault-tolerant qubit constructed from multiple physical qubits us
ecryption, or for signing and verification. Throughout this document, the terms ing quantum error correction; it is the effective unit for reliable quantum comp
Public Key Cryptography and Asymmetric Cryptography are used interchangeably.</t utation.</t>
> </dd>
<t>There is ongoing discussion about whether to use the term "post-quantum <dt>Post-Quantum Cryptography (PQC):</dt>
", "quantum ready", "quantum resistant", or "quantum secure", to describe algori <dd>
thms that resist CRQCs, and a consensus has not yet been reached. NIST has coine <t>Cryptographic algorithms designed to be secure against quantum and
d the term "post-quantum" to refer to the algorithms that participated in its co classical attacks.</t>
mpetition-like selection process; in this context, the term can be interpreted t </dd>
o mean "the set of algorithms that are designed to still be relevant after quan <dt>Cryptographically Relevant Quantum Computer (CRQC):</dt>
tum computers exist", and not a statement about their security. "Quantum resista <dd>
nt" or "quantum secure" is obviously the goal of these algorithms, however some <t>A quantum computer with sufficient logical qubits to break traditio
people have raised concerns that labelling a class of algorithms as "quantum res nal asymmetric cryptographic algorithms (e.g., RSA or ECC) within a practical ti
istant" or "quantum secure" could lead to confusion if one or more of those algo meframe.</t>
rithms are later found to be insecure or to not resist quantum computers as much </dd>
as theory predicted. "Quantum ready" is often used to refer to a solution -- de <dt>Public Key Cryptography (also called Asymmetric Cryptography):</dt>
vice, appliance, or software stack -- that has reached maturity with regards to <dd>
integration of these new cryptographic algorithms. That said, the authors recogn <t>A class of cryptographic algorithms in which separate keys are used
ize that there is great variability in how these terms are used. This document u for encryption and decryption or for signing and verification. Throughout this
ses any of these terms interchangeably to refer to such algorithms.</t> document, the terms Public Key Cryptography and Asymmetric Cryptography are used
<t>The terms "current," "state-of-the-art," and "ongoing," as used in this interchangeably.</t>
document, refer to work, research, investigations, deployments, or developments </dd>
that are applicable at the time of publication.</t> </dl>
<t>There is ongoing discussion about whether to use the term "post-quantum
", "quantum ready", "quantum resistant", or "quantum secure" to describe algorit
hms that resist CRQCs, and a consensus has not yet been reached. NIST has coined
the term "post-quantum" to refer to the algorithms that participated in its com
petition-like selection process; in this context, the term can be interpreted to
mean "the set of algorithms that are designed to still be relevant after quant
um computers exist" and not a statement about their security. "Quantum resistant
" or "quantum secure" is obviously the goal of these algorithms; however, some p
eople have raised concerns that labeling a class of algorithms as "quantum resis
tant" or "quantum secure" could lead to confusion if one or more of those algori
thms are later found to be insecure or to not resist quantum computers as much a
s theory predicted. "Quantum ready" is often used to refer to a solution -- devi
ce, appliance, or software stack -- that has reached maturity with regard to int
egration of these new cryptographic algorithms. That said, the authors recognize
that there is great variability in how these terms are used. This document uses
these terms interchangeably to refer to such algorithms.</t>
<t>In this document, the terms "current", "state-of-the-art", and "ongoing
" refer to work, research, investigations, deployments, or developments that are
applicable at the time of publication.</t>
</section> </section>
<section anchor="threat-of-crqcs-on-cryptography"> <section anchor="threat-of-crqcs-on-cryptography">
<name>Threat of CRQCs on Cryptography</name> <name>Threat of CRQCs on Cryptography</name>
<t>When considering the security risks associated with the ability of a qu antum computer to attack traditional cryptography, it is important to distinguis h between the impact on symmetric algorithms and public key ones. Dr. Peter Shor and Dr. Lov Grover developed two algorithms that changed the way the world thin ks of security under the presence of a CRQC.</t> <t>When considering the security risks associated with the ability of a qu antum computer to attack traditional cryptography, it is important to distinguis h between the impact on symmetric algorithms and public key ones. Dr. Peter Shor and Dr. Lov Grover developed two algorithms that changed the way the world thin ks of security under the presence of a CRQC.</t>
<t>Quantum computers are, by their nature, hybrids of classical and quantu m computational units. For example, Shor's algorithm consists of a combination o f quantum and classical computational steps. Thus, the term "quantum adversary" should be thought of as "quantum-enhanced adversary", meaning they have access t o both classical and quantum computational techniques.</t> <t>Quantum computers are, by their nature, hybrids of classical and quantu m computational units. For example, Shor's algorithm consists of a combination o f quantum and classical computational steps. Thus, the term "quantum adversary" should be thought of as "quantum-enhanced adversary", meaning they have access t o both classical and quantum computational techniques.</t>
<t>Despite that large-scale quantum computers do not yet exist to experime nt on, the theoretical properties of quantum computation are very well understoo d. This allows engineers and researchers to reason about the upper limits of qu antum-enhanced computation, and indeed to design cryptographic algorithms that a re resistant to any conceivable form of quantum cryptanalysis.</t> <t>Although large-scale quantum computers do not yet exist to experiment o n, the theoretical properties of quantum computation are very well understood. This allows engineers and researchers to reason about the upper limits of quantu m-enhanced computation and to design cryptographic algorithms that are resistant to any conceivable form of quantum cryptanalysis.</t>
<section anchor="symmetric"> <section anchor="symmetric">
<name>Symmetric Cryptography</name> <name>Symmetric Cryptography</name>
<t>For unstructured data such as symmetric encrypted data or cryptograph ic hashes, although CRQCs can search for specific solutions across all possible input combinations (e.g., Grover's algorithm), no quantum algorithm is known to break the underlying security properties of these classes of algorithms. Symmetr ic-key cryptography, which includes keyed primitives such as block ciphers (e.g. , AES) and message authentication mechanisms (e.g., HMAC-SHA256), relies on secr et keys shared between the sender and receiver and remains secure even in a post -quantum world. Symmetric cryptography also includes hash functions (e.g., SHA-2 56) that are used for secure message digesting without any shared key material. HMAC is a specific construction that utilizes a cryptographic hash function and a secret key shared between the sender and receiver to produce a message authent ication code.</t> <t>For unstructured data such as symmetric encrypted data or cryptograph ic hashes, although CRQCs can search for specific solutions across all possible input combinations (e.g., Grover's algorithm), no quantum algorithm is known to break the underlying security properties of these classes of algorithms. Symmetr ic-key cryptography, which includes keyed primitives such as block ciphers (e.g. , AES) and message authentication mechanisms (e.g., HMAC-SHA256), relies on secr et keys shared between the sender and receiver and remains secure even in a post -quantum world. Symmetric cryptography also includes hash functions (e.g., SHA-2 56) that are used for secure message digesting without any shared key material. Hashed Message Authentication Code (HMAC) is a specific construction that utiliz es a cryptographic hash function and a secret key shared between the sender and receiver to produce a message authentication code.</t>
<t>Grover's algorithm is a quantum search algorithm that provides a theo retical quadratic speedup for searching an unstructured database, compared to tr aditional search algorithms. <t>Grover's algorithm is a quantum search algorithm that provides a theo retical quadratic speedup for searching an unstructured database, compared to tr aditional search algorithms.
This has led to the common misconception that symmetric key lengths need to be d This has led to the common misconception that symmetric key lengths need to be d
oubled for quantum security. When you consider the mapping of hash values to the oubled for quantum security. When you consider the mapping of hash values to the
ir corresponding hash inputs (also known as pre-image), or of ciphertext blocks ir corresponding hash inputs (also known as pre-image) or of ciphertext blocks t
to the corresponding plaintext blocks, as an unstructured database, then Grover’ o the corresponding plaintext blocks as an unstructured database, then Grover's
s algorithm theoretically requires doubling the key sizes of the symmetric algor algorithm theoretically requires doubling the key sizes of the symmetric algorit
ithms that are currently deployed at the time of publication to counter the quad hms that are currently deployed at the time of publication to counter the quadra
ratic speedup and maintain current security level. This is because Grover’s algo tic speedup and maintain the current security level. This is because Grover's al
rithm reduces the amount of operations to break 128-bit symmetric cryptography t gorithm reduces the amount of operations to break 128-bit symmetric cryptography
o 2^{64} quantum operations, which might sound computationally feasible. However to 2^{64} quantum operations, which might sound computationally feasible. Howev
, quantum operations are fundamentally different from classical ones as 2^{64} c er, quantum operations are fundamentally different from classical ones, as 2^{64
lassical operations can be efficiently parallelized, 2^{64} quantum operations m } classical operations can be efficiently parallelized but 2^{64} quantum operat
ust be performed serially, making them infeasible on practical quantum computers ions must be performed serially, making them infeasible on practical quantum com
.</t> puters.</t>
<t>Grover's algorithm is highly non-parallelizable and even if one deplo <t>Grover's algorithm is highly non-parallelizable and even if one deplo
ys 2^c computational units in parallel to brute-force a key using Grover's algor ys 2^c computational units in parallel to brute-force a key using Grover's algor
ithm, it will complete in time proportional to 2^{(128−c)/2}, or, put simply, us ithm, it will complete in time proportional to 2^{(128-c)/2}, or, put simply, us
ing 256 quantum computers will only reduce runtime by a factor of 16, 1024 quant ing 256 quantum computers will only reduce runtime by a factor of 16, 1024 quant
um computers will only reduce runtime by a factor of 32 and so forth (see <xref um computers will only reduce runtime by a factor of 32, and so forth (see <xref
target="NIST"/> and <xref target="Cloudflare"/>). Due to this inherent limitatio target="NIST"/> and <xref target="Cloudflare"/>). Due to this inherent limitati
n, the general expert consensus is that AES-128 (Advanced Encryption Standard) r on, the general expert consensus is that AES-128 remains secure in practice and
emains secure in practice, and key sizes do not necessarily need to be doubled.< key sizes do not necessarily need to be doubled.</t>
/t> <t>It would be natural to ask whether future research will develop a sup
<t>It would be natural to ask whether future research will develop a sup erior algorithm that could outperform Grover's algorithm in the general case. Ho
erior algorithm that could outperform Grover's algorithm in the general case. Ho wever, Christof Zalka has shown that Grover's algorithm achieves the best possib
wever, Christof Zalka has shown that Grover's algorithm achieves the best possib le complexity for this type of search, meaning no significantly faster quantum a
le complexity for this type of search, meaning no significantly faster quantum a pproach is expected <xref target="Grover-Search"/>.</t>
pproach is expected <xref target="Grover-search"/></t> <t>Finally, in their evaluation criteria for PQC, NIST is assessing the
<t>Finally, in their evaluation criteria for PQC, NIST is assessing the security levels of proposed post-quantum algorithms by comparing them against th
security levels of proposed post-quantum algorithms by comparing them against th e equivalent traditional and quantum security of AES-128, AES-192, and AES-256.
e equivalent traditional and quantum security of AES-128, AES-192, and AES-256. This indicates that NIST is confident in the stable security properties of AES,
This indicates that NIST is confident in the stable security properties of AES, even in the presence of both traditional and quantum attacks. As a result, 128-b
even in the presence of both traditional and quantum attacks. As a result, 128-b it algorithms can be considered quantum-safe for the foreseeable future. However
it algorithms can be considered quantum-safe for the foreseeable future. However , for compliance purposes, some organizations, such as the French National Agenc
, for compliance purposes, some organizations, such as the French National Agenc y for the Security of Information Systems (ANSSI) <xref target="ANSSI"/> and the
y for the Security of Information Systems (ANSSI) <xref target="ANSSI"/> and CNS National Security Agency (NSA) (CNSA 2.0) <xref target="CNSA2-0"/>, recommend t
A 2.0 (Commercial National Security Algorithm Suite 2.0) <xref target="CNSA2-0"/ he use of AES-256.</t>
>, recommend the use of AES-256.</t>
</section> </section>
<section anchor="asymmetric-cryptography"> <section anchor="asymmetric-cryptography">
<name>Asymmetric Cryptography</name> <name>Asymmetric Cryptography</name>
<t>“Shor’s algorithm” efficiently solves the integer factorization probl <t>"Shor's algorithm" efficiently solves the integer factorization probl
em (and the related discrete logarithm problem), which underpin the foundations em (and the related discrete logarithm problem), which underpin the foundations
of the vast majority of public key cryptography that the world uses today. This of the vast majority of public key cryptography that the world uses today. This
implies that, if a CRQC is developed, today’s public key algorithms (e.g., RSA, implies that, if a CRQC is developed, today's public key algorithms (e.g., RSA,
Diffie-Hellman and elliptic curve cryptography, as well as less commonly-used va Diffie-Hellman, and ECC, as well as less commonly used variants such as ElGamal
riants such as ElGamal <xref target="RFC6090"/> and Schnorr signatures <xref tar <xref target="RFC6090"/> and Schnorr signatures <xref target="RFC8235"/>) and pr
get="RFC8235"/>) and protocols would need to be replaced by algorithms and proto otocols would need to be replaced by algorithms and protocols that can offer cry
cols that can offer cryptanalytic resistance against CRQCs. Note that Shor’s alg ptanalytic resistance against CRQCs. Note that Shor's algorithm cannot run solel
orithm cannot run solely on a classical computer, it requires a CRQC.</t> y on a classical computer; it requires a CRQC.</t>
<t>For example, studies show that, if a CRQC existed, it could break RSA <t>For example, studies show that, if a CRQC existed, it could break RSA
-2048 in hours or even seconds depending on assumptions about error correction < -2048 in hours or even seconds depending on assumptions about error correction <
xref target="RSAShor"/><xref target="RSA8HRS"/><xref target="RSA10SC"/>. While s xref target="RSAShor"/> <xref target="RSA8HRS"/> <xref target="RSA10SC"/>. While
uch machines are purely theoretical at the time of writing, this illustrates the such machines are purely theoretical at the time of writing, this illustrates t
eventual vulnerability of RSA to CRQCs.</t> he eventual vulnerability of RSA to CRQCs.</t>
<t>For structured data such as public keys and signatures, CRQCs can ful <t>For structured data such as public keys and signatures, CRQCs can ful
ly solve the underlying hard problems used in traditional cryptography (see Shor ly solve the underlying hard problems used in traditional cryptography (see Shor
's algorithm). Because an increase in the size of the key-pair would not provide 's algorithm). Because an increase in the size of the key pair would not provide
a secure solution (short of RSA keys that are many gigabytes in size <xref targ a secure solution (short of RSA keys that are many gigabytes in size <xref targ
et="PQRSA"/>), a complete replacement of the algorithm is needed. Therefore, pos et="PQRSA"/>), a complete replacement of the algorithm is needed. Therefore, pos
t-quantum public key cryptography must rely on problems that are different from t-quantum public key cryptography must rely on problems that are different from
the ones used in traditional public key cryptography (i.e., the integer factoriz the ones used in traditional public key cryptography (i.e., the integer factoriz
ation problem, the finite-field discrete logarithm problem, and the elliptic-cur ation problem, the finite-field discrete logarithm problem, and the elliptic-cur
ve discrete logarithm problem).</t> ve discrete logarithm problem).</t>
</section> </section>
<section anchor="quantum-side-channel-attacks"> <section anchor="quantum-side-channel-attacks">
<name>Quantum Side-channel Attacks</name> <name>Quantum Side-Channel Attacks</name>
<t>Cryptographic side-channel attacks exploit physical implementations, <t>Cryptographic side-channel attacks exploit physical implementations (
such as timing, power consumption, or electromagnetic leakage to recover secret such as timing, power consumption, or electromagnetic leakage) to recover secret
keys.</t> keys.</t>
<t>The field of cryptographic side-channel attacks potentially stands to <t>The field of cryptographic side-channel attacks potentially stands to
gain a boost in attacker power once cryptanalytic techniques can be enhanced wi gain a boost in attacker power once cryptanalytic techniques can be enhanced wi
th quantum computation techniques <xref target="QuantSide"/>. While a full discu th quantum computation techniques <xref target="QuantSide"/>. While a full discu
ssion of quantum side-channel techniques is beyond the scope of this document, i ssion of quantum side-channel techniques is beyond the scope of this document, i
mplementers of cryptographic hardware should be aware that current best-practice mplementers of cryptographic hardware should be aware that current best practice
s for side-channel resistance may not be sufficient against quantum adversaries. s for side-channel resistance may not be sufficient against quantum adversaries.
</t> </t>
</section> </section>
</section> </section>
<section anchor="traditional-cryptographic-primitives-that-could-be-replaced -by-pqc"> <section anchor="traditional-cryptographic-primitives-that-could-be-replaced -by-pqc">
<name>Traditional Cryptographic Primitives that Could Be Replaced by PQC</ <name>Traditional Cryptographic Primitives That Could Be Replaced by PQC</
name> name>
<t>Any asymmetric cryptographic algorithm based on integer factorization, <t>Any asymmetric cryptographic algorithm based on integer factorization,
finite field discrete logarithms, or elliptic curve discrete logarithms will be finite field discrete logarithms, or elliptic-curve discrete logarithms will be
vulnerable to attacks using Shor's algorithm on a CRQC. This document focuses on vulnerable to attacks using Shor's algorithm on a CRQC. This document focuses on
the principal functions of asymmetric cryptography:</t> the principal functions of asymmetric cryptography:</t>
<ul spacing="normal"> <dl>
<li> <dt>Key agreement and key transport:</dt>
<t>Key agreement and key transport: Key agreement schemes, typically r <dd>
eferred to as Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), as we <t>Key agreement schemes, typically referred to as Diffie-Hellman (DH)
ll as key transport, typically using RSA encryption, are used to establish a sha or Elliptic Curve Diffie-Hellman (ECDH), as well as key transport, typically us
red cryptographic key for secure communication. They are one of the mechanisms t ing RSA encryption, are used to establish a shared cryptographic key for secure
hat can be replaced by PQC, as they are based on existing public key cryptograph communication. They are one of the mechanisms that can be replaced by PQC, as th
y and are therefore vulnerable to Shor's algorithm. A CRQC can employ Shor's alg ey are based on existing public key cryptography and are therefore vulnerable to
orithm to efficiently find the prime factors of a large public key (in the case Shor's algorithm. A CRQC can employ Shor's algorithm to efficiently find the pr
of RSA), which in turn can be exploited to derive the private key. In the case o ime factors of a large public key (in the case of RSA), which, in turn, can be e
f Diffie-Hellman, a CRQC has the potential to calculate the discrete logarithm o xploited to derive the private key. In the case of DH, a CRQC has the potential
f the (short or long-term) Diffie-Hellman public key. This, in turn, would revea to calculate the discrete logarithm of the (short- or long-term) DH public key.
l the secret required to derive the symmetric encryption key.</t> This, in turn, would reveal the secret required to derive the symmetric encrypti
</li> on key.</t>
<li> </dd>
<t>Digital signatures: Digital signature schemes are used to authentic <dt>Digital signatures:</dt>
ate the identity of a sender, detect unauthorized modifications to data, and und <dd>
erpin trust in a system. Similar to key agreement, signatures also depend on a p <t>Digital signature schemes are used to authenticate the identity of
ublic-private key pair based on the same mathematics as for key agreement and ke a sender, detect unauthorized modifications to data, and underpin trust in a sys
y transport, and hence a break in existing public key cryptography will also aff tem. Similar to key agreement, signatures also depend on a public-private key pa
ect traditional digital signatures, hence the importance of developing post-quan ir based on the same mathematics as for key agreement and key transport. Because
tum digital signatures.</t> of this, a break in existing public key cryptography will also affect tradition
</li> al digital signatures, hence the importance of developing post-quantum digital s
<li> ignatures.</t>
<t>BBS signatures: BBS (Boneh-Boyen-Shacham) signatures are a privacy- </dd>
preserving signature scheme that offers zero-knowledge proof-like properties by <dt>Boneh-Boyen-Shacham (BBS) signatures:</dt>
allowing selective disclosure of specific signed attributes without revealing th <dd>
e entire set of signed data. The security of BBS signatures relies on the hardne <t>BBS signatures are a privacy-preserving signature scheme that offer
ss of the discrete logarithm problem, making them vulnerable to Shor's algorithm s zero-knowledge proof-like properties by allowing selective disclosure of speci
. A CRQC can break the data authenticity security property of BBS but not the da fic signed attributes without revealing the entire set of signed data. The secur
ta confidentiality (Section 6.9 of <xref target="I-D.irtf-cfrg-bbs-signatures"/> ity of BBS signatures relies on the hardness of the discrete logarithm problem,
).</t> making them vulnerable to Shor's algorithm. A CRQC can break the data authentici
</li> ty security property of BBS but not the data confidentiality (<xref section="6.9
<li> " sectionFormat="of" target="I-D.irtf-cfrg-bbs-signatures"/>).</t>
<t>Content encryption: Content encryption typically refers to the encr </dd>
yption of the data using symmetric key algorithms, such as AES, to ensure confid <dt>Content encryption:</dt>
entiality. The threat to symmetric cryptography is discussed in <xref target="sy <dd>
mmetric"/>.</t> <t>Content encryption typically refers to the encryption of the data u
</li> sing symmetric key algorithms, such as AES, to ensure confidentiality. The threa
</ul> t to symmetric cryptography is discussed in <xref target="symmetric"/>.</t>
</dd>
</dl>
</section> </section>
<section anchor="nist-pqc-algorithms"> <section anchor="nist-pqc-algorithms">
<name>NIST PQC Algorithms</name> <name>NIST PQC Algorithms</name>
<t>At time of writing, NIST have standardized three PQC algorithms, with m ore expected to be standardised in the future (<xref target="NISTFINAL"/>). Thes e algorithms are not necessarily drop-in replacements for traditional asymmetric cryptographic algorithms. For instance, RSA <xref target="RSA"/> and ECC <xref target="RFC6090"/> can be used as both a key encapsulation method (KEM) and as a signature scheme, whereas there is currently no post-quantum algorithm that can perform both functions. When upgrading protocols, it is important to replace th e existing use of traditional algorithms with either a PQC KEM or a PQC signatur e method, depending on how the traditional algorithm was previously being used. Additionally, KEMs, as described in <xref target="KEMs"/>, present a different A PI than either key agreement or key transport primitives. As a result, they may require protocol-level or application-level changes in order to be incorporated. </t> <t>At the time of writing, NIST has standardized three PQC algorithms, wit h more expected to be standardized in the future (see <xref target="NISTFINAL"/> ). These algorithms are not necessarily drop-in replacements for traditional asy mmetric cryptographic algorithms. For instance, RSA <xref target="RSA"/> and ECC <xref target="RFC6090"/> can be used as both a KEM and a signature scheme, wher eas there is currently no post-quantum algorithm that can perform both functions . When upgrading protocols, it is important to replace the existing use of tradi tional algorithms with either a PQC KEM or a PQC signature method, depending on how the traditional algorithm was previously being used. Additionally, KEMs, as described in <xref target="KEMs"/>, present a different API than either key agre ement or key transport primitives. As a result, they may require protocol-level or application-level changes in order to be incorporated.</t>
<section anchor="nist-candidates-selected-for-standardization"> <section anchor="nist-candidates-selected-for-standardization">
<name>NIST Candidates Selected for Standardization</name> <name>NIST Candidates Selected for Standardization</name>
<section anchor="pqc-key-encapsulation-mechanisms-kems"> <!-- [rfced] In Sections 5.1.1, 5.1.2, and 6.1, may we update the lists
to
better indicate the term being defined? We suggest placing the term rather
than the citation before the colon. See the suggested text in a), b), and c)
below.
We also have some additional questions regarding Section 5.1.2:
- How should "FN" in "FN-DSA" be expanded? Perhaps as "Fast-Fourier Transform
over NTRU-Lattice-Based Digital Signature Algorithm"?
- The FN-DSA entry includes pointers to Sections 8.1 and 10.2, but ML-DSA and
SLH-DSA are also mentioned in those setions. Should the pointers to Sections
8.1 and 10.2 apply to all entries?
- We do not see "FN-DSA" mentioned in the URL listed for [FN-DSA]. Please
review. Also, should this reference be to FIPS 206, or should the relationship
between FIPS 206 and Fast Fourier/Falcon be explained for the reader? It seems
that FIPS 206 is still in draft form.
a) Section 5.1.1
Original
* [ML-KEM]: Module-Lattice-based Key-Encapsulation Mechanism
Standard (FIPS-203).
* [HQC]: Hamming Quasi-Cyclic coding algorithm which is based on the
hardness of the syndrome decoding problem for quasi-cyclic
concatenated Reed-Muller and Reed-Solomon (RMRS) codes in the
Hamming metric. Reed-Muller (RM) codes are a class of block
error-correcting codes commonly used in wireless and deep-space
communications, while Reed-Solomon (RS) codes are widely used to
detect and correct multiple-bit errors. HQC has been selected as
part of the NIST post-quantum cryptography project but has not yet
been standardized.
Perhaps:
ML-KEM: Module-Lattice-Based Key Encapsulation Mechanism. See
FIPS 203 [ML-DSA].
HQC: Hamming Quasi-Cyclic. See [HQC]. The coding algorithm based on the
hardness of the syndrome decoding problem for quasi-cyclic
concatenated Reed-Muller and Reed-Solomon (RMRS) codes in the
Hamming metric. Reed-Muller (RM) codes are a class of block
error-correcting codes commonly used in wireless and deep-space
communications, while Reed-Solomon (RS) codes are widely used to
detect and correct multiple-bit errors. HQC has been selected as
part of the NIST post-quantum cryptography project but has not yet
been standardized.
b) Section 5.1.2
Original:
* [ML-DSA]: Module-Lattice-Based Digital Signature Standard (FIPS-
204).
* [SLH-DSA]: Stateless Hash-Based Digital Signature (FIPS-205).
* [FN-DSA]: FN-DSA is a lattice signature scheme (FIPS-206)
(Section 8.1 and Section 10.2).
Perhaps:
ML-DSA: Module-Lattice-Based Digital Signature Algorithm. See FIPS
204 [ML-DSA].
SLH-DSA: Stateless Hash-Based Digital Signature Algorithm. See FIPS
205 [SLH-DSA].
FN-DSA: Fast-Fourier Transform over NTRU-Lattice-Based Digital
Signature Algorithm. See FIPS 206 [FN-DSA].
For more information about these, see Sections 8.1 and 10.2.
c) Section 6.1
Original:
* [FrodoKEM]: Key Encapsulation mechanism based on the hardness of
learning with errors in algebraically unstructured lattices.
* [ClassicMcEliece]: Based on the hardness of syndrome decoding of
Goppa codes. Goppa codes are a class of error-correcting codes
that can correct a certain number of errors in a transmitted
message. The decoding problem involves recovering the original
message from the received noisy codeword.
* [NTRU]: Key encapsulation mechanism based on the "N-th degree
Truncated polynomial Ring Units" (NTRU) lattices. Variants
include Streamlined NTRU Prime (sntrup761), which is leveraged for
use in SSH [I-D.ietf-sshm-ntruprime-ssh].
Perhaps:
FrodoKEM: KEM based on the hardness of learning with errors in
algebraically unstructured lattices. See [FrodoKEM].
Classic McEliece: KEM based on the hardness of syndrome decoding of
Goppa codes. Goppa codes are a class of error-correcting codes
that can correct a certain number of errors in a transmitted
message. The decoding problem involves recovering the original
message from the received noisy codeword. See [ClassicMcEliece].
NTRU: KEM based on the "N-th degree Truncated polynomial Ring
Units" (NTRU) lattices. Variants include Streamlined NTRU Prime
(sntrup761), which is leveraged for use in SSH [RFC9941]. See [NTRU].
-->
<section anchor="pqc-key-encapsulation-mechanisms-kems">
<name>PQC Key Encapsulation Mechanisms (KEMs)</name> <name>PQC Key Encapsulation Mechanisms (KEMs)</name>
<ul spacing="normal"> <dl>
<li> <dt>ML-KEM:</dt>
<t><xref target="ML-KEM"/>: Module-Lattice-based Key-Encapsulation <dd>
Mechanism Standard (FIPS-203).</t> <t>Module-Lattice-Based Key-Encapsulation Mechanism. See FIPS 203
</li> <xref target="ML-KEM"/>.</t>
<li> </dd>
<t><xref target="HQC"/>: Hamming Quasi-Cyclic coding algorithm whi <dt>HQC:</dt>
ch is based on the hardness of the syndrome decoding problem for quasi-cyclic co <dd>
ncatenated Reed-Muller and Reed-Solomon (RMRS) codes in the Hamming metric. Reed <t>Hamming Quasi-Cyclic. See <xref target="HQC"/>. The coding algo
-Muller (RM) codes are a class of block error-correcting codes commonly used in rithm based on the hardness of the syndrome decoding problem for quasi-cyclic co
wireless and deep-space communications, while Reed-Solomon (RS) codes are widely ncatenated Reed-Muller and Reed-Solomon (RMRS) codes in the Hamming metric. Reed
used to detect and correct multiple-bit errors. HQC has been selected as part o -Muller (RM) codes are a class of block error-correcting codes commonly used in
f the NIST post-quantum cryptography project but has not yet been standardized.< wireless and deep-space communications, while Reed-Solomon (RS) codes are widely
/t> used to detect and correct multiple-bit errors. HQC has been selected as part o
</li> f the NIST post-quantum cryptography project but has not yet been standardized.<
</ul> /t>
</dd>
</dl>
</section> </section>
<section anchor="pqc-signatures"> <section anchor="pqc-signatures">
<name>PQC Signatures</name> <name>PQC Signatures</name>
<ul spacing="normal"> <dl>
<li> <dt>ML-DSA:</dt>
<t><xref target="ML-DSA"/>: Module-Lattice-Based Digital Signature <dd>
Standard (FIPS-204).</t> <t>Module-Lattice-Based Digital Signature Algorithm. See FIPS 204
</li> <xref target="ML-DSA"/>.</t>
<li> </dd>
<t><xref target="SLH-DSA"/>: Stateless Hash-Based Digital Signatur <dt>SLH-DSA:</dt>
e (FIPS-205).</t> <dd>
</li> <t>Stateless Hash-Based Digital Signature Algorithm. See FIPS 205
<li> <xref target="SLH-DSA"/>.</t>
<t><xref target="FN-DSA"/>: FN-DSA is a lattice signature scheme ( </dd>
FIPS-206) (<xref target="lattice-based"/> and <xref target="sig-scheme"/>).</t> <dt>FN-DSA:</dt>
</li> <dd>
</ul> <t>Fast-Fourier Transform over NTRU-Lattice-Based Digital Signatur
e Algorithm. See <xref target="FN-DSA"/>; note that NIST has named this algorith
m "FN-DSA" and assigned "FIPS 206" for its specification, but at the time of thi
s document's publication, it has not yet been released.</t>
</dd>
</dl>
<t>For more information about these, see Sections <xref target="lattic
e-based" format="counter"/>, <xref target="hash-based" format="counter"/>, and <
xref target="sig-scheme" format="counter"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="iso-candidates-selected-for-standardization"> <section anchor="iso-candidates-selected-for-standardization">
<name>ISO Candidates Selected for Standardization</name> <name>ISO Candidates Selected for Standardization</name>
<t>At the time of writing, ISO has selected three PQC KEM algorithms as ca ndidates for standardization, which are mentioned in the following subsection.</ t> <t>At the time of writing, ISO has selected three PQC KEM algorithms as ca ndidates for standardization; these are mentioned in the following subsection.</ t>
<section anchor="pqc-key-encapsulation-mechanisms-kems-1"> <section anchor="pqc-key-encapsulation-mechanisms-kems-1">
<name>PQC Key Encapsulation Mechanisms (KEMs)</name> <name>PQC Key Encapsulation Mechanisms (KEMs)</name>
<ul spacing="normal"> <dl>
<li> <dt>FrodoKEM:</dt>
<t><xref target="FrodoKEM"/>: Key Encapsulation mechanism based on t <dd>
he hardness of learning with errors in algebraically unstructured lattices.</t> <t>KEM based on the hardness of learning with errors in algebraicall
</li> y unstructured lattices. See <xref target="FrodoKEM"/>.</t>
<li> </dd>
<t><xref target="ClassicMcEliece"/>: Based on the hardness of syndro <dt>ClassicMcEliece:</dt>
me decoding of Goppa codes. Goppa codes are a class of error-correcting codes th <dd>
at can correct a certain number of errors in a transmitted message. The decoding <t>KEM based on the hardness of syndrome decoding of Goppa codes. Go
problem involves recovering the original message from the received noisy codewo ppa codes are a class of error-correcting codes that can correct a certain numbe
rd.</t> r of errors in a transmitted message. The decoding problem involves recovering t
</li> he original message from the received noisy codeword. See <xref target="ClassicM
<li> cEliece"/>.</t>
<t><xref target="NTRU"/>: Key encapsulation mechanism based on the " </dd>
N-th degree Truncated polynomial Ring Units" (NTRU) lattices. Variants include S <dt>NTRU:</dt>
treamlined NTRU Prime (sntrup761), which is leveraged for use in SSH <xref targe <dd>
t="I-D.ietf-sshm-ntruprime-ssh"/>.</t> <t>KEM based on the "N-th degree Truncated polynomial Ring Units" (N
</li> TRU) lattices. Variants include Streamlined NTRU Prime (sntrup761), which is lev
</ul> eraged for use in SSH <xref target="RFC9941"/>. See <xref target="NTRU"/>.</t>
</dd>
</dl>
</section> </section>
</section> </section>
<section anchor="timeline"> <section anchor="timeline">
<name>Timeline for Transition</name> <name>Timeline for Transition</name>
<t>The timeline, and driving motivation for transition differs slightly be tween data confidentiality (e.g., encryption) and data authentication (e.g., sig nature) use-cases.</t> <t>The timeline and driving motivation for transition differ slightly betw een data confidentiality (e.g., encryption) and data authentication (e.g., signa ture) use cases.</t>
<t>For data confidentiality, one is concerned with the so-called "harvest now, decrypt later" (HNDL) attack where a malicious actor with adequate resource s can launch an attack to store sensitive encrypted data today that they hope to decrypt once a CRQC is available. This implies that, every day, sensitive encry pted data is susceptible to the attack by not implementing quantum-safe strategi es, as it corresponds to data possibly being deciphered in the future.</t> <t>For data confidentiality, one is concerned with the so-called "harvest now, decrypt later" (HNDL) attack where a malicious actor with adequate resource s can launch an attack to store sensitive encrypted data today that they hope to decrypt once a CRQC is available. This implies that, every day, sensitive encry pted data is susceptible to the attack by not implementing quantum-safe strategi es, as it corresponds to data possibly being deciphered in the future.</t>
<t>For authentication, it is often the case that signatures have a very sh ort lifetime between signing and verifying (such as during a TLS handshake) but some authentication use-cases do require long lifetimes, such as signing firmwar e or software that will be active for decades, signing legal documents, or signi ng certificates that will be embedded into hardware devices such as smartcards. Even for short-lived signatures use cases, the infrastructure often relies on lo ng-lived root keys which can be difficult to update or replace on in-field devic es.</t> <t>For authentication, it is often the case that signatures have a very sh ort lifetime between signing and verifying (such as during a TLS handshake), but some authentication use cases do require long lifetimes, such as signing firmwa re or software that will be active for decades, signing legal documents, or sign ing certificates that will be embedded into hardware devices such as smart cards . Even for short-lived signature use cases, the infrastructure often relies on l ong-lived root keys, which can be difficult to update or replace on in-field dev ices.</t>
<figure anchor="Mosca"> <figure anchor="Mosca">
<name>Mosca model</name> <name>Mosca Model</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="448" viewBox="0 0 448 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="448" viewBox="0 0 448 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> <path d="M 8,32 L 8,128" fill="none" stroke="black"/>
<path d="M 208,32 L 208,80" fill="none" stroke="black"/> <path d="M 208,32 L 208,80" fill="none" stroke="black"/>
<path d="M 296,80 L 296,128" fill="none" stroke="black"/> <path d="M 296,80 L 296,128" fill="none" stroke="black"/>
<path d="M 440,32 L 440,80" fill="none" stroke="black"/> <path d="M 440,32 L 440,80" fill="none" stroke="black"/>
<path d="M 8,32 L 440,32" fill="none" stroke="black"/> <path d="M 8,32 L 440,32" fill="none" stroke="black"/>
<path d="M 8,80 L 440,80" fill="none" stroke="black"/> <path d="M 8,80 L 440,80" fill="none" stroke="black"/>
<path d="M 312,96 L 440,96" fill="none" stroke="black"/> <path d="M 312,96 L 440,96" fill="none" stroke="black"/>
<path d="M 8,128 L 296,128" fill="none" stroke="black"/> <path d="M 8,128 L 296,128" fill="none" stroke="black"/>
skipping to change at line 255 skipping to change at line 473
| | | | | |
| y | x | | y | x |
+------------------------+----------+-----------------+ +------------------------+----------+-----------------+
| | <---------------> | | <--------------->
| z | Security gap | z | Security gap
+-----------------------------------+ +-----------------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>These challenges are illustrated nicely by the so-called Mosca model di <t>These challenges are illustrated nicely by the so-called Mosca model di
scussed in <xref target="Threat-Report"/>. In <xref target="Mosca"/>, "x" denote scussed in <xref target="Threat-Report"/>. In <xref target="Mosca"/>, "x" denote
s the time that systems and data need to remain secure, "y" the number of years s the time that systems and data need to remain secure, "y" the number of years
to fully migrate to a PQC infrastructure, and "z" the time until a CRQC that can to fully migrate to a PQC infrastructure, and "z" the time until a CRQC that can
break current cryptography is available. The model assumes either that encrypte break current cryptography is available. The model assumes either that encrypte
d data can be intercepted and stored before the migration is completed in "y" ye d data can be intercepted and stored before the migration is completed in "y" ye
ars, or that signatures will still be relied upon for "x" years after their crea ars, or that signatures will still be relied upon for "x" years after their crea
tion. This data remains vulnerable for the complete "x" years of their lifetime, tion. This data remains vulnerable for the complete "x" years of their lifetime;
thus the sum "x+y" gives us an estimate of the full timeframe that data remain thus, the sum "x+y" gives us an estimate of the full timeframe that data remain
insecure. The model essentially asks how one is preparing IT systems during thos s insecure. The model essentially asks how one is preparing IT systems during th
e "y" years (in other words, how one can minimize those "y" years) to minimize t ose "y" years (in other words, how one can minimize those "y" years) to minimize
he transition phase to a PQC infrastructure and hence minimize the risks of data the transition phase to a PQC infrastructure and hence minimize the risks of da
being exposed in the future.</t> ta being exposed in the future.</t>
<t>Finally, other factors that could accelerate the introduction of a CRQC <t>Finally, other factors that could accelerate the introduction of a CRQC
should not be under-estimated, like for example faster-than-expected advances i should not be underestimated, for example, faster-than-expected advances in qua
n quantum computing and more efficient versions of Shor’s algorithm requiring fe ntum computing and more efficient versions of Shor's algorithm requiring fewer q
wer qubits. Innovation often comes in waves, so it is to the industry’s benefit ubits. Innovation often comes in waves, so it is to the industry's benefit to re
to remain vigilant and prepare as early as possible. Bear in mind also that whil main vigilant and prepare as early as possible. Also, bear in mind that while th
e the industry tracks advances from public research institutions such as univers e industry tracks advances from public research institutions such as universitie
ities and companies that publish their results, there is also a great deal of la s and companies that publish their results, there is also a great deal of large-
rge-budget quantum research being conducted privately by various national intere budget quantum research being conducted privately by various national interests.
sts. Therefore, the true state of quantum computer advancement is likely several Therefore, the true state of quantum computer advancement is likely several yea
years ahead of the publicly available research at the date this is published.</ rs ahead of the publicly available research at the date this document is publish
t> ed.</t>
<t>Organizations should also consider carefully and honestly what their mi <t>Organizations should also carefully and honestly consider what their mi
gration timeline "y" actually is. If you think only of the time between receivin gration timeline "y" actually is. If you only think of the time between receivin
g a patch from your technology vendor, and rolling that patch out, then "y" migh g a patch from your technology vendor and rolling that patch out, then "y" might
t seem as short as a few weeks. However, this represents the minority of migrati seem as short as a few weeks. However, this represents the minority of migratio
on cases; more often, a PQC migration will involve at least some amount of hardw n cases; more often, a PQC migration will involve at least some amount of hardwa
are replacement. For example, performance-sensitive applications will need CPUs re replacement. For example, performance-sensitive applications will need CPUs w
with PQC hardware acceleration. Security-sensitive applications will need PQC TP ith PQC hardware acceleration. Security-sensitive applications will need PQC TPM
Ms, TEEs, Secure Enclaves, and other cryptographic co-processors. Smartcard appl s, Trusted Execution Environments (TEEs), secure enclaves, and other cryptograph
ications will require replacement of the cards as well as of the readers which c ic co-processors. Smart card applications will require replacement of the cards
an come in many form-factors: tap-for-entry door and turnstile readers, PIN pad and readers. The readers can come in many form factors: tap-for-entry door and t
machines, laptops with built-in smartcard readers, and many others.</t> urnstile readers, PIN pad machines, laptops with built-in smart card readers, an
<t>Included in "y" is not only the deployment time, but also preparation t d many others.</t>
ime: integration, testing, auditing, and re-certification of cryptographic envir <t>Included in "y" is not only the deployment time but also the preparatio
onments. Consider also upstream effects that contribute to "y", including lead-t n time: integration, testing, auditing, and recertification of cryptographic env
imes for your vendors to produce PQC-ready products, which may itself include au ironments. Also consider upstream effects that contribute to "y", including lead
diting and certification delays, time for regulating bodies to adopt PQC policie times for vendors to produce PQC-ready products, which may itself include audit
s, time for auditors to become familiar with the new requirements, etc. If you m ing and certification delays, time for regulating bodies to adopt PQC policies,
easure the full migration time "y" from when your vendors begin implementing PQC time for auditors to become familiar with the new requirements, etc. If you meas
functionality, to when you switch off your last non-PQC-capable device, then "y ure the full migration time "y" from when your vendors begin implementing PQC fu
" can be quite long; likely measured in years for even most moderately-sized org nctionality to when you switch off your last non-PQC-capable device, then "y" ca
anizations, this long tail should not discourage early action.</t> n be quite long, likely measured in years for even most moderately sized organiz
<t>Organizations responsible for protecting long-lived sensitive data or o ations. This long tail should not discourage early action.</t>
perating critical infrastructure will need to begin transitioning immediately, p <t>Organizations responsible for protecting long-lived sensitive data or o
articularly in scenarios where data is vulnerable to HNDL attacks. PQ/T <xref ta perating critical infrastructure will need to begin transitioning immediately, p
rget="PQT"/> or PQ key exchange is relatively self-contained, typically requirin articularly in scenarios where data is vulnerable to HNDL attacks. Post-quantum
g changes only to the cryptographic library (e.g., OpenSSL). In contrast, migrat and traditional (PQ/T) <xref target="PQT"/> or PQ key exchange is relatively sel
ing to post-quantum or PQ/T digital signatures involves broader ecosystem change f-contained, typically requiring changes only to the cryptographic library (e.g.
s, including updates to certificates, CAs, Certificate Management Protocols, HSM , OpenSSL). In contrast, migrating to post-quantum or PQ/T digital signatures in
s, and trust anchors. volves broader ecosystem changes, including updates to certificates, certificate
authorities (CAs), Certificate Management Protocols, HSMs, and trust anchors.
Starting early with hybrid key exchange deployments allows organizations to gain operational experience, while prototyping and planning for PQ/T or PQ digital s ignature integration helps identify ecosystem-wide impacts early. This phased ap proach reduces long-term migration risks and ensures readiness for more complex updates.</t> Starting early with hybrid key exchange deployments allows organizations to gain operational experience, while prototyping and planning for PQ/T or PQ digital s ignature integration helps identify ecosystem-wide impacts early. This phased ap proach reduces long-term migration risks and ensures readiness for more complex updates.</t>
</section> </section>
<section anchor="pqc-categories"> <section anchor="pqc-categories">
<name>PQC Categories</name> <name>PQC Categories</name>
<t>The post-quantum cryptographic schemes standardized by NIST can be cate gorized into three main groups: lattice-based, hash-based, and code-based. Other approaches, such as isogeny-based, multivariate-based, and MPC-in-the-Head-base d cryptography, are also being explored in research and standardization efforts. In addition, NIST issued a call for additional digital signature proposals to e xpand the set of post-quantum signatures under evaluation <xref target="AddSig"/ >.</t> <t>The post-quantum cryptographic schemes standardized by NIST can be cate gorized into three main groups: lattice-based, hash-based, and code-based. Other approaches, such as isogeny-based, multivariate-based, and MPC-in-the-Head-base d cryptography, are also being explored in research and standardization efforts. In addition, NIST issued a call for additional digital signature proposals to e xpand the set of post-quantum signatures under evaluation <xref target="AddSig"/ >.</t>
<section anchor="lattice-based"> <section anchor="lattice-based">
<name>Lattice-Based Public Key Cryptography</name> <name>Lattice-Based Public Key Cryptography</name>
<t>Lattice-based public key cryptography leverages the simple constructi on of lattices (i.e., a regular collection of points in a Euclidean space that a re evenly spaced) to create "trapdoor" problems. These problems are efficient to compute if you possess the secret information but challenging to compute otherw ise. Examples of such problems include the shortest vector, closest vector, shor t integer solution, learning with errors, module learning with errors, and learn ing with rounding problems. All of these problems feature strong proofs for wors t-to-average case reduction, effectively relating the hardness of the average ca se to the worst case.</t> <t>Lattice-based public key cryptography leverages the simple constructi on of lattices (i.e., a regular collection of points in a Euclidean space that a re evenly spaced) to create "trapdoor" problems. These problems are efficient to compute if you possess the secret information but challenging to compute otherw ise. Examples of such problems include the shortest vector, closest vector, shor t integer solution, learning with errors, module learning with errors, and learn ing with rounding problems. All of these problems feature strong proofs for wors t-to-average case reduction, effectively relating the hardness of the average ca se to the worst case.</t>
<t>Lattice-based public keys and signatures are larger than those of cla <t>Lattice-based public keys and signatures are larger than those of cla
ssical schemes such as RSA or ECC, but typically by less than an order of magnit ssical schemes such as RSA or ECC, but typically by less than an order of magnit
ude for public keys (about 6–10×) and by roughly one to two orders of magnitude ude for public keys (about 6-10x) and by roughly one to two orders of magnitude
for signatures (about 10–100×), rather than by several orders of magnitude, maki for signatures (about 10-100x) rather than by several orders of magnitude, makin
ng them the best available candidates for general-purpose use such as replacing g them the best available candidates for general-purpose use, such as replacing
the use of RSA in PKIX certificates.</t> the use of RSA in PKIX certificates.</t>
<t>Examples of this class of algorithms include ML-KEM, FN-DSA, ML-DSA a <t>Examples of this class of algorithms include ML-KEM, FN-DSA, ML-DSA,
nd FrodoKEM.</t> and FrodoKEM.</t>
<t>It is noteworthy that lattice-based encryption schemes require a roun <t>It is noteworthy that lattice-based encryption schemes require a roun
ding step during decryption which has a non-zero probability of "rounding the wr ding step during decryption, which has a non-zero probability of "rounding the w
ong way" and leading to a decryption failure, meaning that valid encryptions are rong way" and leading to a decryption failure, meaning that valid encryptions ar
decrypted incorrectly. However, the parameters of NIST PQC candidates are caref e decrypted incorrectly. However, the parameters of NIST PQC candidates are care
ully chosen so that the probability of such a failure is cryptographically negli fully chosen so that the probability of such a failure is cryptographically negl
gible, far lower than the probability of random transmission errors and implemen igible, far lower than the probability of random transmission errors and impleme
tation bugs. In practical terms, these rare decryption failures can be treated t ntation bugs. In practical terms, these rare decryption failures can be treated
he same way as any fatal transport error: both sides simply perform a fresh KEM the same way as any fatal transport error: Both sides simply perform a fresh KEM
operation, generating a new ciphertext and shared secret.</t> operation, generating a new ciphertext and shared secret.</t>
<t>In cryptanalysis, an oracle refers to a system that an attacker can q <t>In cryptanalysis, an oracle refers to a system that an attacker can q
uery to learn whether decryption succeeded or failed. If such an oracle exists, uery to learn whether decryption succeeded or failed. If such an oracle exists,
an attacker could significantly reduce the security of lattice-based schemes tha an attacker could significantly reduce the security of lattice-based schemes tha
t have a relatively high failure rate. However, for most of the NIST PQC proposa t have a relatively high failure rate. However, for most of the NIST PQC proposa
ls, the number of required oracle queries to force a decryption failure is above ls, the number of required oracle queries to force a decryption failure is above
practical limits, as has been shown in <xref target="LattFail1"/>. More recent practical limits, as shown in <xref target="LattFail1"/>. More recent works hav
works have improved upon the results in <xref target="LattFail1"/>, showing that e improved upon the results in <xref target="LattFail1"/>, showing that the cost
the cost of searching for additional failing ciphertexts after one or more have of searching for additional failing ciphertexts after one or more have already
already been found, can be sped up dramatically <xref target="LattFail2"/>. Nev been found can be sped up dramatically <xref target="LattFail2"/>. Nevertheless,
ertheless, at the time this document is published, the PQC candidates by NIST ar at the time this document is published, the PQC candidates by NIST are consider
e considered secure under these attacks and constant monitoring as cryptanalysis ed secure under these attacks, and constant monitoring as cryptanalysis research
research is ongoing.</t> is ongoing.</t>
</section> </section>
<section anchor="hash-based"> <section anchor="hash-based">
<name>Hash-Based Public Key Cryptography</name> <name>Hash-Based Public Key Cryptography</name>
<t>Hash based PKC has been around since the 1970s, when it was developed <t>Hash-based Public Key Cryptography (PKC) has been around since the 19
by Lamport and Merkle. It is used to create digital signature algorithms and it 70s, when it was developed by Lamport and Merkle. It is used to create digital s
s security is based on the security of the underlying cryptographic hash functio ignature algorithms, and its security is based on the security of the underlying
n. Many variants of hash-based signatures (HBS) have been developed since the 70 cryptographic hash function. Many variants of hash-based signatures (HBSs) have
s including the recent XMSS <xref target="RFC8391"/>, HSS/LMS <xref target="RFC8 been developed since the 1970s, including the recent XMSS <xref target="RFC8391
554"/> or BPQS <xref target="BPQS"/> schemes. Unlike many other digital signatur "/>, HSS/LMS <xref target="RFC8554"/>, or BPQS <xref target="BPQS"/> schemes. Un
e techniques, most hash-based signature schemes are stateful, which means that s like many other digital signature techniques, most hash-based signature schemes
igning necessitates the update and careful tracking of the state of the secret k are stateful, which means that signing necessitates the update and careful track
ey. Producing multiple signatures using the same secret key state results in los ing of the state of the secret key. Producing multiple signatures using the same
s of security and may ultimately enable signature forgery attacks against that k secret key state results in loss of security and may ultimately enable signatur
ey.</t> e forgery attacks against that key.</t>
<t>Stateful hash-based signatures with long service lifetimes require ad <t>Stateful hash-based signatures with long service lifetimes require ad
ditional operational complexity compared with other signature types. For example ditional operational complexity compared to other signature types. For example,
, consider a 20-year root key; there is an expectation that 20 years is longer t consider a 20-year root key; there is an expectation that 20 years is longer tha
han the expected lifetime of the hardware that key is stored on, and therefore t n the expected lifetime of the hardware that key is stored on, so the key will n
he key will need to be migrated to new hardware at some point. Disaster-recovery eed to be migrated to new hardware at some point. Disaster-recovery scenarios wh
scenarios where the primary node fails without warning can be similarly tricky. ere the primary node fails without warning can be similarly tricky. This require
This requires careful operational and compliance consideration to ensure that n s careful operational and compliance consideration to ensure that no private key
o private key state can be reused across the migration or disaster recovery even state can be reused across the migration or disaster recovery event. One approa
t. One approach for avoiding these issues is to only use stateful HBS for short- ch for avoiding these issues is to only use stateful HBSs for short-term use cas
term use cases that do not require horizontal scaling, for example signing a bat es that do not require horizontal scaling, for example, signing a batch of firmw
ch of firmware images and then retiring the signing key.</t> are images and then retiring the signing key.</t>
<t>The SLH-DSA algorithm, which was standardized by NIST, leverages the <t>The SLH-DSA algorithm, which was standardized by NIST, leverages the
HORST (hash to obtain random subset with trees) technique and remains the only s HORST (Hash to Obtain Random Subset with Trees) technique and remains the only s
tandardized hash based signature scheme that is stateless, thus avoiding the com tandardized hash based signature scheme that is stateless, thus avoiding the com
plexities associated with state management. SLH-DSA is an advancement on SPHINCS plexities associated with state management. SLH-DSA is an advancement on SPHINCS
which reduces the signature sizes in SPHINCS and makes it more compact.</t> that reduces the signature sizes in SPHINCS and makes it more compact.</t>
</section> </section>
<section anchor="code-based"> <section anchor="code-based">
<name>Code-Based Public Key Cryptography</name> <name>Code-Based Public Key Cryptography</name>
<t>This area of cryptography started in the 1970s and 80s based on the s <t>This area of cryptography started in the 1970s and 1980s and was base
eminal work of McEliece and Niederreiter which focuses on the study of cryptosys d on the seminal work of McEliece and Niederreiter, which focuses on the study o
tems based on error-correcting codes. Some popular error correcting codes includ f cryptosystems based on error-correcting codes. Some popular error-correcting c
e Goppa codes (used in McEliece cryptosystems), encoding and decoding syndrome c odes include Goppa codes (used in McEliece cryptosystems), encoding and decoding
odes used in Hamming quasi-cyclic (HQC), or quasi-cyclic moderate density parity syndrome codes used in HQC, or quasi-cyclic moderate density parity check (QC-M
check (QC-MDPC) codes.</t> DPC) codes.</t>
<t>Examples include all the unbroken NIST Round 4 finalists: Classic McE <t>Examples include all the unbroken NIST Round 4 finalists: Classic McE
liece, HQC (selected by NIST for standardization), and <xref target="BIKE"/>.</t liece, HQC (selected by NIST for standardization), and Bit Flipping Key Encapsul
> ation (BIKE) <xref target="BIKE"/>.</t>
</section> </section>
</section> </section>
<section anchor="KEMs"> <section anchor="KEMs">
<name>KEMs</name> <name>KEMs</name>
<t>A Key Encapsulation Mechanism (KEM) is a cryptographic technique used f or securely exchanging symmetric key material between two parties over an insecu re channel. It is commonly used in hybrid encryption schemes, where a combinatio n of asymmetric (public key) and symmetric encryption is employed. The KEM encap sulation results in a fixed-length symmetric key that can be used with a symmetr ic algorithm, typically a block cipher, in one of two different ways:</t> <t>A Key Encapsulation Mechanism (KEM) is a cryptographic technique used f or securely exchanging symmetric key material between two parties over an insecu re channel. It is commonly used in hybrid encryption schemes where a combination of asymmetric (public key) and symmetric encryption is employed. The encapsulat ion operation of a KEM results in a fixed-length symmetric key that can be used with a symmetric algorithm, typically a block cipher, in one of two different wa ys:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Derive a data encryption key (DEK) to encrypt the data</t> <t>To derive a data encryption key (DEK) to encrypt the data</t>
</li> </li>
<li> <li>
<t>Derive a key encryption key (KEK) used to wrap a DEK</t> <t>To derive a key encryption key (KEK) used to wrap a DEK</t>
</li> </li>
</ul> </ul>
<t>These techniques are often referred to as "hybrid public key encryption <t>These techniques are often referred to as the Hybrid Public Key Encrypt
(HPKE)" <xref target="RFC9180"/> mechanism.</t> ion (HPKE) <xref target="RFC9180"/> mechanism.</t>
<t>The term "encapsulation" is chosen intentionally to indicate that KEM a <t>The term "encapsulation" is chosen intentionally to indicate that KEM a
lgorithms behave differently at the API level from the key agreement or key enci lgorithms behave differently at the API level from the key agreement or key enci
pherment / key transport mechanisms that are in use today. Key agreement schemes pherment and key transport mechanisms that are in use today. Key agreement schem
imply that both parties contribute a public / private key pair to the exchange, es imply that both parties contribute a public-private key pair to the exchange,
while key encipherment / key transport schemes imply that the symmetric key mat while key encipherment and key transport schemes imply that the symmetric key m
erial is chosen by one party and "encrypted" or "wrapped" for the other party. K aterial is chosen by one party and "encrypted" or "wrapped" for the other party.
EMs, on the other hand, behave according to the following API primitives <xref t KEMs, on the other hand, behave according to the following API primitives <xref
arget="PQCAPI"/>:</t> target="PQCAPI"/>:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>def kemKeyGen() -&gt; (pk, sk)</t> <t>def kemKeyGen() -&gt; (pk, sk)</t>
</li> </li>
<li> <li>
<t>def kemEncaps(pk) -&gt; (ss, ct)</t> <t>def kemEncaps(pk) -&gt; (ss, ct)</t>
</li> </li>
<li> <li>
<t>def kemDecaps(ct, sk) -&gt; ss</t> <t>def kemDecaps(ct, sk) -&gt; ss</t>
</li> </li>
</ul> </ul>
<t>where <tt>pk</tt> is the public key, <tt>sk</tt> is the secret key, <tt >ct</tt> is the ciphertext representing an encapsulated key, and <tt>ss</tt> is the shared secret. The following figure illustrates a sample flow of a KEM-based key exchange:</t> <t>where <tt>pk</tt> is the public key, <tt>sk</tt> is the secret key, <tt >ct</tt> is the ciphertext representing an encapsulated key, and <tt>ss</tt> is the shared secret. The following figure illustrates a sample flow of a KEM-based key exchange:</t>
<figure anchor="tab-kem-ke"> <figure anchor="tab-kem-ke">
<name>KEM based key exchange</name> <name>KEM-Based Key Exchange</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="336" width="536" viewBox="0 0 536 336" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="336" width="536" viewBox="0 0 536 336" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,272 L 8,304" fill="none" stroke="black"/> <path d="M 8,272 L 8,304" fill="none" stroke="black"/>
<path d="M 24,80 L 24,112" fill="none" stroke="black"/> <path d="M 24,80 L 24,112" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 184,32 L 184,64" fill="none" stroke="black"/>
<path d="M 208,80 L 208,112" fill="none" stroke="black"/> <path d="M 208,80 L 208,112" fill="none" stroke="black"/>
<path d="M 208,272 L 208,304" fill="none" stroke="black"/> <path d="M 208,272 L 208,304" fill="none" stroke="black"/>
<path d="M 224,72 L 224,320" fill="none" stroke="black"/> <path d="M 224,72 L 224,320" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 264,32 L 264,64" fill="none" stroke="black"/>
<path d="M 280,32 L 280,64" fill="none" stroke="black"/> <path d="M 280,32 L 280,64" fill="none" stroke="black"/>
skipping to change at line 388 skipping to change at line 606
|<----------| |<----------|
+------------------------+ | | +------------------------+ | |
| ss = kemDecaps(ct, sk) |-| | | ss = kemDecaps(ct, sk) |-| |
+------------------------+ | | +------------------------+ | |
| | | |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<section anchor="authenticated-key-exchange"> <section anchor="authenticated-key-exchange">
<name>Authenticated Key Exchange</name> <name>Authenticated Key Exchange</name>
<t>Authenticated Key Exchange (AKE) with KEMs where both parties contrib ute a KEM public key to the overall session key is interactive as described in S ection 9.4 of <xref target="RFC9528"/>. However, single-sided KEM, such as when one peer has a KEM key in a certificate and the other peer wants to encrypt for it (as in S/MIME or OpenPGP email), can be achieved using non-interactive HPKE < xref target="RFC9180"/>. The following figure illustrates the Diffie-Hellman (DH ) Key exchange:</t> <t>Authenticated Key Exchange (AKE) with KEMs where both parties contrib ute a KEM public key to the overall session key is interactive as described in < xref section="9.4" sectionFormat="of" target="RFC9528"/>. However, a single-side d KEM, such as when one peer has a KEM key in a certificate and the other peer w ants to encrypt for it (as in S/MIME or OpenPGP email), can be achieved using no n-interactive HPKE <xref target="RFC9180"/>. The following figure illustrates th e DH Key exchange:</t>
<figure anchor="tab-dh-ake"> <figure anchor="tab-dh-ake">
<name>Diffie-Hellman based AKE</name> <name>DH-Based AKE</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="480" width="552" viewBox="0 0 552 480" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="480" width="552" viewBox="0 0 552 480" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,320 L 8,368" fill="none" stroke="black"/> <path d="M 8,320 L 8,368" fill="none" stroke="black"/>
<path d="M 24,80 L 24,128" fill="none" stroke="black"/> <path d="M 24,80 L 24,128" fill="none" stroke="black"/>
<path d="M 136,336 L 136,344" fill="none" stroke="black"/> <path d="M 136,336 L 136,344" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 184,32 L 184,64" fill="none" stroke="black"/>
<path d="M 216,80 L 216,128" fill="none" stroke="black"/> <path d="M 216,80 L 216,128" fill="none" stroke="black"/>
<path d="M 216,320 L 216,368" fill="none" stroke="black"/> <path d="M 216,320 L 216,368" fill="none" stroke="black"/>
<path d="M 232,72 L 232,464" fill="none" stroke="black"/> <path d="M 232,72 L 232,464" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 264,32 L 264,64" fill="none" stroke="black"/>
skipping to change at line 491 skipping to change at line 709
+-------------------------+ | | +-------------------------+ | |
| encrypted | | encrypted |
| content | | content |
|---------->| |---------->|
| | +------------------------+ | | +------------------------+
| | | decryptContent(ss) | | | | decryptContent(ss) |
| | +------------------------+ | | +------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>What's important to note about the sample flow above is that the shar ed secret <tt>ss</tt> is derived using key material from both the Client and the Server, which classifies it as an AKE. There is another property of a key excha nge, called Non-Interactive Key Exchange (NIKE) which refers to whether the send er can compute the shared secret <tt>ss</tt> and encrypt content without requiri ng active interaction (an exchange of network messages) with the recipient. <xre f target="tab-dh-ake"/> shows a Diffie-Hellman key exchange which is an AKE, sin ce both parties are using long-term keys which can have established trust (for e xample, via certificates), but it is not a NIKE, since the client needs to wait for the network interaction to receive the receiver's public key <tt>pk2</tt> be fore it can compute the shared secret <tt>ss</tt> and begin content encryption. However, a DH key exchange can be an AKE and a NIKE at the same time if the rece iver's public key is known to the sender in advance, and many Internet protocols rely on this property of DH-based key exchanges.</t> <t>In the sample flow above, it is important to note that the shared sec ret <tt>ss</tt> is derived using key material from both the client and the serve r, which classifies it as an AKE. There is another property of a key exchange, c alled Non-Interactive Key Exchange (NIKE), that refers to whether the sender ca n compute the shared secret <tt>ss</tt> and encrypt content without requiring ac tive interaction (an exchange of network messages) with the recipient. <xref tar get="tab-dh-ake"/> shows a DH key exchange, which is an AKE since both parties a re using long-term keys that can have established trust (for example, via certif icates), but it is not a NIKE since the client needs to wait for the network int eraction to receive the receiver's public key <tt>pk2</tt> before it can compute the shared secret <tt>ss</tt> and begin content encryption. However, a DH key e xchange can be an AKE and a NIKE at the same time if the receiver's public key i s known to the sender in advance (see <xref target="tab-dh-ake-nike"/>), and man y Internet protocols rely on this property of DH-based key exchanges.</t>
<figure anchor="tab-dh-ake-nike"> <figure anchor="tab-dh-ake-nike">
<name>Diffie-Hellman based AKE and NIKE simultaneously</name> <name>Simultaneous DH-Based AKE and NIKE</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="400" width="536" viewBox="0 0 536 400" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="400" width="536" viewBox="0 0 536 400" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,80 L 8,192" fill="none" stroke="black"/> <path d="M 8,80 L 8,192" fill="none" stroke="black"/>
<path d="M 136,160 L 136,168" fill="none" stroke="black"/> <path d="M 136,160 L 136,168" fill="none" stroke="black"/>
<path d="M 168,32 L 168,64" fill="none" stroke="black"/> <path d="M 168,32 L 168,64" fill="none" stroke="black"/>
<path d="M 200,80 L 200,192" fill="none" stroke="black"/> <path d="M 200,80 L 200,192" fill="none" stroke="black"/>
<path d="M 216,72 L 216,368" fill="none" stroke="black"/> <path d="M 216,72 L 216,368" fill="none" stroke="black"/>
<path d="M 248,32 L 248,64" fill="none" stroke="black"/> <path d="M 248,32 L 248,64" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 264,32 L 264,64" fill="none" stroke="black"/>
<path d="M 312,72 L 312,368" fill="none" stroke="black"/> <path d="M 312,72 L 312,368" fill="none" stroke="black"/>
skipping to change at line 580 skipping to change at line 798
|---------->| |---------->|
| | +------------------------+ | | +------------------------+
| |-| Long-term server key: | | |-| Long-term server key: |
| | | sk2, pk2 | | | | sk2, pk2 |
| | | ss = KeyEx(pk1, sk2) | | | | ss = KeyEx(pk1, sk2) |
| | | decryptContent(ss) | | | | decryptContent(ss) |
| | +------------------------+ | | +------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>The complication with KEMs is that a KEM <tt>Encaps()</tt> is non-det erministic; it involves randomness chosen by the sender of that message. Therefo re, in order to perform an AKE, the client must wait for the server to generate the needed randomness and perform <tt>Encaps()</tt> against the client key, whic h necessarily requires a network round-trip. Therefore, a KEM-based protocol can either be an AKE or a NIKE, but cannot be both at the same time. Consequently, certain Internet protocols will necessitate a redesign to accommodate this disti nction, either by introducing extra network round-trips or by making trade-offs in security properties.</t> <t>The complication with KEMs is that a KEM <tt>Encaps()</tt> is non-det erministic; it involves randomness chosen by the sender of that message. Therefo re, in order to perform an AKE, the client must wait for the server to generate the needed randomness and perform <tt>Encaps()</tt> against the client key, whic h necessarily requires a network round-trip. Therefore, a KEM-based protocol can either be an AKE or a NIKE, but it cannot be both at the same time. Consequentl y, certain Internet protocols will necessitate a redesign to accommodate this di stinction, either by introducing extra network round trips or by making trade-of fs in security properties.</t>
<figure anchor="tab-kem-ake"> <figure anchor="tab-kem-ake">
<name>KEM based AKE</name> <name>KEM-Based AKE</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
"1.1" height="480" width="560" viewBox="0 0 560 480" class="diagram" text-anchor "1.1" height="480" width="576" viewBox="0 0 576 480" class="diagram" text-anchor
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,80 L 8,112" fill="none" stroke="black"/>
<path d="M 8,288 L 8,352" fill="none" stroke="black"/> <path d="M 8,288 L 8,352" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 24,80 L 24,112" fill="none" stroke="black"/>
<path d="M 208,80 L 208,112" fill="none" stroke="black"/> <path d="M 200,32 L 200,64" fill="none" stroke="black"/>
<path d="M 208,336 L 208,352" fill="none" stroke="black"/> <path d="M 224,80 L 224,112" fill="none" stroke="black"/>
<path d="M 224,72 L 224,464" fill="none" stroke="black"/> <path d="M 224,288 L 224,352" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 240,72 L 240,464" fill="none" stroke="black"/>
<path d="M 280,32 L 280,64" fill="none" stroke="black"/> <path d="M 280,32 L 280,64" fill="none" stroke="black"/>
<path d="M 320,72 L 320,464" fill="none" stroke="black"/> <path d="M 296,32 L 296,64" fill="none" stroke="black"/>
<path d="M 336,176 L 336,224" fill="none" stroke="black"/> <path d="M 336,72 L 336,464" fill="none" stroke="black"/>
<path d="M 336,416 L 336,464" fill="none" stroke="black"/> <path d="M 352,176 L 352,224" fill="none" stroke="black"/>
<path d="M 360,32 L 360,64" fill="none" stroke="black"/> <path d="M 352,416 L 352,464" fill="none" stroke="black"/>
<path d="M 552,176 L 552,224" fill="none" stroke="black"/> <path d="M 376,32 L 376,64" fill="none" stroke="black"/>
<path d="M 552,416 L 552,464" fill="none" stroke="black"/> <path d="M 568,176 L 568,224" fill="none" stroke="black"/>
<path d="M 184,32 L 264,32" fill="none" stroke="black"/> <path d="M 568,416 L 568,464" fill="none" stroke="black"/>
<path d="M 280,32 L 360,32" fill="none" stroke="black"/> <path d="M 200,32 L 280,32" fill="none" stroke="black"/>
<path d="M 184,64 L 264,64" fill="none" stroke="black"/> <path d="M 296,32 L 376,32" fill="none" stroke="black"/>
<path d="M 280,64 L 360,64" fill="none" stroke="black"/> <path d="M 200,64 L 280,64" fill="none" stroke="black"/>
<path d="M 8,80 L 208,80" fill="none" stroke="black"/> <path d="M 296,64 L 376,64" fill="none" stroke="black"/>
<path d="M 8,112 L 208,112" fill="none" stroke="black"/> <path d="M 24,80 L 224,80" fill="none" stroke="black"/>
<path d="M 232,160 L 312,160" fill="none" stroke="black"/> <path d="M 24,112 L 224,112" fill="none" stroke="black"/>
<path d="M 336,176 L 552,176" fill="none" stroke="black"/> <path d="M 248,160 L 328,160" fill="none" stroke="black"/>
<path d="M 336,224 L 552,224" fill="none" stroke="black"/> <path d="M 352,176 L 568,176" fill="none" stroke="black"/>
<path d="M 232,272 L 312,272" fill="none" stroke="black"/> <path d="M 352,224 L 568,224" fill="none" stroke="black"/>
<path d="M 8,288 L 200,288" fill="none" stroke="black"/> <path d="M 248,272 L 328,272" fill="none" stroke="black"/>
<path d="M 8,352 L 208,352" fill="none" stroke="black"/> <path d="M 8,288 L 224,288" fill="none" stroke="black"/>
<path d="M 232,400 L 312,400" fill="none" stroke="black"/> <path d="M 8,352 L 224,352" fill="none" stroke="black"/>
<path d="M 336,416 L 552,416" fill="none" stroke="black"/> <path d="M 248,400 L 328,400" fill="none" stroke="black"/>
<path d="M 336,464 L 552,464" fill="none" stroke="black"/> <path d="M 352,416 L 568,416" fill="none" stroke="black"/>
<polygon class="arrowhead" points="320,400 308,394.4 308,405.6" <path d="M 352,464 L 568,464" fill="none" stroke="black"/>
fill="black" transform="rotate(0,312,400)"/> <polygon class="arrowhead" points="336,400 324,394.4 324,405.6"
<polygon class="arrowhead" points="320,160 308,154.4 308,165.6" fill="black" transform="rotate(0,328,400)"/>
fill="black" transform="rotate(0,312,160)"/> <polygon class="arrowhead" points="336,160 324,154.4 324,165.6"
<polygon class="arrowhead" points="240,272 228,266.4 228,277.6" fill="black" transform="rotate(0,328,160)"/>
fill="black" transform="rotate(180,232,272)"/> <polygon class="arrowhead" points="256,272 244,266.4 244,277.6"
fill="black" transform="rotate(180,248,272)"/>
<g class="text"> <g class="text">
<text x="220" y="52">Client</text> <text x="236" y="52">Client</text>
<text x="316" y="52">Server</text> <text x="332" y="52">Server</text>
<text x="36" y="100">pk1,</text> <text x="52" y="100">pk1,</text>
<text x="72" y="100">sk1</text> <text x="88" y="100">sk1</text>
<text x="96" y="100">=</text> <text x="112" y="100">=</text>
<text x="152" y="100">kemKeyGen()</text> <text x="168" y="100">kemKeyGen()</text>
<text x="216" y="100">-</text> <text x="232" y="100">-</text>
<text x="240" y="148">pk1</text> <text x="256" y="148">pk1</text>
<text x="328" y="196">-</text> <text x="344" y="196">-</text>
<text x="364" y="196">ss1,</text> <text x="380" y="196">ss1,</text>
<text x="400" y="196">ct1</text> <text x="416" y="196">ct1</text>
<text x="424" y="196">=</text> <text x="440" y="196">=</text>
<text x="492" y="196">kemEncaps(pk1)</text> <text x="508" y="196">kemEncaps(pk1)</text>
<text x="364" y="212">pk2,</text> <text x="380" y="212">pk2,</text>
<text x="400" y="212">sk2</text> <text x="416" y="212">sk2</text>
<text x="424" y="212">=</text> <text x="440" y="212">=</text>
<text x="480" y="212">kemKeyGen()</text> <text x="496" y="212">kemKeyGen()</text>
<text x="288" y="260">ct1,pk2</text> <text x="304" y="260">ct1,pk2</text>
<text x="32" y="308">ss1</text> <text x="32" y="308">ss1</text>
<text x="56" y="308">=</text> <text x="56" y="308">=</text>
<text x="124" y="308">kemDecaps(ct1,</text> <text x="124" y="308">kemDecaps(ct1,</text>
<text x="204" y="308">sk1)</text> <text x="204" y="308">sk1)</text>
<text x="236" y="308">-|</text>
<text x="36" y="324">ss2,</text> <text x="36" y="324">ss2,</text>
<text x="72" y="324">ct2</text> <text x="72" y="324">ct2</text>
<text x="96" y="324">=</text> <text x="96" y="324">=</text>
<text x="164" y="324">kemEncaps(pk2)</text> <text x="164" y="324">kemEncaps(pk2)</text>
<text x="232" y="324">-</text>
<text x="28" y="340">ss</text> <text x="28" y="340">ss</text>
<text x="48" y="340">=</text> <text x="48" y="340">=</text>
<text x="112" y="340">Combiner(ss1,</text> <text x="112" y="340">Combiner(ss1,</text>
<text x="188" y="340">ss2)</text> <text x="188" y="340">ss2)</text>
<text x="240" y="388">ct2</text> <text x="256" y="388">ct2</text>
<text x="328" y="436">-</text> <text x="344" y="436">-</text>
<text x="360" y="436">ss2</text> <text x="376" y="436">ss2</text>
<text x="384" y="436">=</text> <text x="400" y="436">=</text>
<text x="452" y="436">kemDecaps(ct2,</text> <text x="468" y="436">kemDecaps(ct2,</text>
<text x="532" y="436">sk2)</text> <text x="548" y="436">sk2)</text>
<text x="356" y="452">ss</text> <text x="372" y="452">ss</text>
<text x="376" y="452">=</text> <text x="392" y="452">=</text>
<text x="440" y="452">Combiner(ss1,</text> <text x="456" y="452">Combiner(ss1,</text>
<text x="516" y="452">ss2)</text> <text x="532" y="452">ss2)</text>
</g> </g>
</svg> </svg>
</artwork> </artwork>
<artwork type="ascii-art"><![CDATA[ <artwork type="ascii-art"><![CDATA[
+---------+ +---------+ +---------+ +---------+
| Client | | Server | | Client | | Server |
+---------+ +---------+ +---------+ +---------+
+------------------------+ | | +------------------------+ | |
| pk1, sk1 = kemKeyGen() |-| | | pk1, sk1 = kemKeyGen() |-| |
+------------------------+ | | +------------------------+ | |
| | | |
|pk1 | |pk1 |
|---------->| |---------->|
| | +--------------------------+ | | +--------------------------+
| |-| ss1, ct1 = kemEncaps(pk1)| | |-| ss1, ct1 = kemEncaps(pk1)|
| | | pk2, sk2 = kemKeyGen() | | | | pk2, sk2 = kemKeyGen() |
| | +--------------------------+ | | +--------------------------+
| | | |
| ct1,pk2| | ct1,pk2|
|<----------| |<----------|
+------------------------+ | | +--------------------------+ | |
| ss1 = kemDecaps(ct1, sk1)|-| | | ss1 = kemDecaps(ct1, sk1)| | |
| ss2, ct2 = kemEncaps(pk2)| | | ss2, ct2 = kemEncaps(pk2)|-| |
| ss = Combiner(ss1, ss2)| | | | ss = Combiner(ss1, ss2) | | |
+------------------------+ | | +--------------------------+ | |
| | | |
|ct2 | |ct2 |
|---------->| |---------->|
| | +--------------------------+ | | +--------------------------+
| |-| ss2 = kemDecaps(ct2, sk2)| | |-| ss2 = kemDecaps(ct2, sk2)|
| | | ss = Combiner(ss1, ss2) | | | | ss = Combiner(ss1, ss2) |
| | +--------------------------+ | | +--------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>Here, <tt>Combiner(ss1, ss2)</tt>, often referred to as a KEM Combine r, is a cryptographic construction that takes in two shared secrets and returns a single combined shared secret. The simplest combiner is concatenation <tt>ss1 || ss2</tt>, but combiners can vary in complexity depending on the cryptographic properties required. For example, if the combination should preserve IND-CCA2 < xref target="INDCCA2"/> of either input even if the other is chosen maliciously, then a more complex construct is required. Another consideration for combiner d esign is so-called "binding properties" introduced in <xref target="KEEPINGUP"/> , which may require the ciphertexts and recipient public keys to be included in the combiner. KEM combiner security analysis becomes more complicated in hybrid settings where the two KEMs represent different algorithms, for example, where o ne is ML-KEM and the other is ECDH. For a more thorough discussion of KEM combin ers, see <xref target="KEEPINGUP"/>, <xref target="I-D.draft-ounsworth-cfrg-kem- combiners"/>, and <xref target="I-D.irtf-cfrg-hybrid-kems"/>.</t> <t>In the figure above, <tt>Combiner(ss1, ss2)</tt>, often referred to a s a KEM combiner, is a cryptographic construction that takes in two shared secre ts and returns a single combined shared secret. The simplest combiner is concate nation <tt>ss1 || ss2</tt>, but combiners can vary in complexity depending on th e cryptographic properties required. For example, if the combination should pres erve IND-CCA2 (see <xref target="INDCCA2"/>) of either input, even if the other is chosen maliciously, then a more complex construct is required. Another consid eration for combiner design is the so-called "binding properties" introduced in <xref target="KEEPINGUP"/>, which may require the ciphertexts and recipient publ ic keys to be included in the combiner. KEM combiner security analysis becomes m ore complicated in hybrid settings where the two KEMs represent different algori thms, for example, where one is ML-KEM and the other is ECDH. For a more thoroug h discussion of KEM combiners, see <xref target="KEEPINGUP"/>, <xref target="I-D .ounsworth-cfrg-kem-combiners"/>, and <xref target="I-D.irtf-cfrg-hybrid-kems"/> .</t>
</section> </section>
<section anchor="security-properties-of-kems"> <section anchor="security-properties-of-kems">
<name>Security Properties of KEMs</name> <name>Security Properties of KEMs</name>
<t>The security properties described in this section (IND-CCA2 and bindi ng) are not an exhaustive list of all possible KEM security considerations. They were selected because they are fundamental to evaluating KEM suitability in pro tocol design and are commonly discussed in current PQC work.</t> <t>The security properties described in this section (IND-CCA2 and bindi ng) are not an exhaustive list of all possible KEM security considerations. They were selected because they are fundamental to evaluating KEM suitability in pro tocol design and are commonly discussed in current PQC work.</t>
<section anchor="INDCCA2"> <section anchor="INDCCA2">
<name>IND-CCA2</name> <name>IND-CCA2</name>
<t>IND-CCA2 (INDistinguishability under adaptive Chosen-Ciphertext Att ack) is an advanced security notion for encryption schemes. It ensures the confi dentiality of the plaintext and resistance against chosen-ciphertext attacks. An appropriate definition of IND-CCA2 security for KEMs can be found in <xref targ et="CS01"/> and <xref target="BHK09"/>. ML-KEM <xref target="ML-KEM"/> and Class ic McEliece provide IND-CCA2 security.</t> <t>IND-CCA2 (INDistinguishability under adaptive Chosen-Ciphertext Att ack) is an advanced security notion for encryption schemes. It ensures the confi dentiality of the plaintext and resistance against chosen-ciphertext attacks. An appropriate definition of IND-CCA2 security for KEMs can be found in <xref targ et="CS01"/> and <xref target="BHK09"/>. ML-KEM <xref target="ML-KEM"/> and Class ic McEliece provide IND-CCA2 security.</t>
<t>Understanding IND-CCA2 security is essential for individuals involv ed in designing or implementing cryptographic systems and protocols in order to evaluate the strength of the algorithm, assess its suitability for specific use cases, and ensure that data confidentiality and security requirements are met. U nderstanding IND-CCA2 security is generally not necessary for developers migrati ng to using an IETF-vetted key establishment method (KEM) within a given protoco l or flow. IND-CCA2 is a widely accepted security notion for public key encrypti on mechanisms, making it suitable for a broad range of applications. When an IET F specification defines a new KEM, its security considerations should fully desc ribe the relevant cryptographic properties, including IND-CCA2.</t> <t>Understanding IND-CCA2 security is essential for individuals involv ed in designing or implementing cryptographic systems and protocols in order to evaluate the strength of the algorithm, assess its suitability for specific use cases, and ensure that data confidentiality and security requirements are met. U nderstanding IND-CCA2 security is generally not necessary for developers migrati ng to using an IETF-vetted KEM within a given protocol or flow. IND-CCA2 is a wi dely accepted security notion for public key encryption mechanisms, making it su itable for a broad range of applications. When an IETF specification defines a n ew KEM, its security considerations should fully describe the relevant cryptogra phic properties, including IND-CCA2.</t>
</section> </section>
<section anchor="binding"> <section anchor="binding">
<name>Binding</name> <name>Binding</name>
<t>KEMs also have an orthogonal set of properties to consider when des <t>KEMs also have an orthogonal set of properties to consider when des
igning protocols around them: binding <xref target="KEEPINGUP"/>. This can be "c igning protocols around them: binding <xref target="KEEPINGUP"/>. This can be "c
iphertext binding", "public key binding", "context binding", or any other proper iphertext binding", "public key binding", "context binding", or any other proper
ty that is important to not be substituted between KEM invocations. In general, ty that is important to not be substituted between KEM invocations. In general,
a KEM is considered to bind a certain value if substitution of that value by an a KEM is considered to bind a certain value if substitution of that value by an
attacker will necessarily result in a different shared secret being derived. As attacker will necessarily result in a different shared secret being derived. As
an example, if an attacker can construct two different ciphertexts which will de an example, if an attacker can construct two different ciphertexts that will dec
capsulate to the same shared secret; or can construct a ciphertext which will de apsulate to the same shared secret, can construct a ciphertext that will decapsu
capsulate to the same shared secret under two different public keys, or can subs late to the same shared secret under two different public keys, or can substitut
titute whole KEM exchanges from one session into another, then the construction e whole KEM exchanges from one session into another, then the construction is no
is not ciphertext binding, public key binding, or context binding respectively. t ciphertext binding, public key binding, or context binding, respectively. Simi
Similarly, protocol designers may wish to bind protocol state information such a larly, protocol designers may wish to bind protocol state information such as a
s a transaction ID or nonce so that attempts to replay ciphertexts from one sess transaction ID or nonce so that attempts to replay ciphertexts from one session
ion inside a different session will be blocked at the cryptographic level becaus inside a different session will be blocked at the cryptographic level because th
e the server derives a different shared secret and is thus is unable to decrypt e server derives a different shared secret and is thus is unable to decrypt the
the content.</t> content.</t>
<t>The solution to binding is generally achieved at the protocol desig <t>The solution to binding is generally achieved at the protocol desig
n level: It is recommended to avoid using the KEM output shared secret directly n level: It is recommended to avoid using the KEM output shared secret directly
without integrating it into an appropriate protocol. While KEM algorithms provid without integrating it into an appropriate protocol. While KEM algorithms provid
e key secrecy, they do not inherently ensure source authenticity, protect agains e key secrecy, they do not inherently ensure source authenticity, protect agains
t replay attacks, or guarantee freshness. These security properties should be ad t replay attacks, or guarantee freshness. These security properties should be ad
dressed by incorporating the KEM into a protocol that has been analyzed for such dressed by incorporating the KEM into a protocol that has been analyzed for such
protections. Even though modern KEMs such as ML-KEM produce full-entropy shared protections. Even though modern KEMs such as ML-KEM produce full-entropy shared
secrets, it is still advisable for binding reasons to pass it through a key der secrets, it is still advisable for binding reasons to pass the shared secret th
ivation function (KDF) and also include all values that you wish to bind; then f rough a key derivation function (KDF) and also include all values that you wish
inally you will have a shared secret that is safe to use at the protocol level.< to bind; finally, you will have a shared secret that is safe to use at the proto
/t> col level.</t>
</section> </section>
</section> </section>
<section anchor="hpke"> <section anchor="hpke">
<name>HPKE</name> <name>HPKE</name>
<t>Modern cryptography has long used the notion of "hybrid encryption" w <t>Modern cryptography has long used the notion of "hybrid encryption" w
here an asymmetric algorithm is used to establish a key, and then a symmetric al here an asymmetric algorithm is used to establish a key and then a symmetric alg
gorithm is used for bulk content encryption. The previous sections explained imp orithm is used for bulk content encryption. The previous sections explained impo
ortant security properties of KEMs, such as IND-CCA2 security and binding, and e rtant security properties of KEMs, such as IND-CCA2 security and binding, and em
mphasized that these properties must be supported by proper protocol design. One phasized that these properties must be supported by proper protocol design. One
widely deployed scheme that achieves this is HPKE (Hybrid Public Key Encryption widely deployed scheme that achieves this is Hybrid Public Key Encryption (HPKE)
) <xref target="RFC9180"/>.</t> <xref target="RFC9180"/>.</t>
<t>HPKE (hybrid public key encryption) <xref target="RFC9180"/> works wi <t>HPKE <xref target="RFC9180"/> works with a combination of KEMs, KDFs,
th a combination of KEMs, KDFs and AEAD (authenticated encryption with additiona and Authenticated Encryption with Associated Data (AEAD) schemes. HPKE includes
l data) schemes. HPKE includes three authenticated variants, including one that three authenticated variants, including one that authenticates possession of a
authenticates possession of a pre-shared key and two optional ones that authenti pre-shared key and two optional ones that authenticate possession of a KEM priva
cate possession of a key encapsulation mechanism (KEM) private key. HPKE can be te key. HPKE can be extended to support hybrid post-quantum KEM <xref target="I-
extended to support hybrid post-quantum KEM <xref target="I-D.ietf-hpke-pq"/>. M D.ietf-hpke-pq"/>. ML-KEM does not support the static-ephemeral key exchange tha
L-KEM does not support the static-ephemeral key exchange that allows HPKE based t allows HPKE that is based on DH-based KEMs and its optional authenticated mode
on DH based KEMs and its optional authenticated modes as discussed in section 1. s as discussed in <xref section="1.5" sectionFormat="of" target="I-D.connolly-cf
5 of <xref target="I-D.draft-connolly-cfrg-xwing-kem"/>.</t> rg-xwing-kem"/>.</t>
</section> </section>
</section> </section>
<section anchor="pqc-signatures-1"> <section anchor="pqc-signatures-1">
<name>PQC Signatures</name> <name>PQC Signatures</name>
<t>Any digital signature scheme that provides a construction defining secu rity under a post-quantum setting falls under this category of PQC signatures.</ t> <t>Any digital signature scheme that provides a construction defining secu rity under a post-quantum setting falls under this category of PQC signatures.</ t>
<section anchor="security-properties-of-pqc-signatures"> <section anchor="security-properties-of-pqc-signatures">
<name>Security Properties of PQC Signatures</name> <name>Security Properties of PQC Signatures</name>
<section anchor="euf-cma-and-suf-cma"> <section anchor="euf-cma-and-suf-cma">
<name>EUF-CMA and SUF-CMA</name> <name>EUF-CMA and SUF-CMA</name>
<t>EUF-CMA (existential unforgeability under chosen message attack) <x ref target="GMR88"/> is a security notion for digital signature schemes. It guar antees that an adversary, even with access to a signing oracle, cannot forge a v alid signature for an arbitrary message. EUF-CMA provides strong protection agai nst forgery attacks, ensuring the integrity and authenticity of digital signatur es by preventing unauthorized modifications or fraudulent signatures. ML-DSA, FN -DSA, and SLH-DSA provide EUF-CMA security.</t> <t>EUF-CMA (existential unforgeability under chosen message attack) <x ref target="GMR88"/> is a security notion for digital signature schemes. It guar antees that an adversary, even with access to a signing oracle, cannot forge a v alid signature for an arbitrary message. EUF-CMA provides strong protection agai nst forgery attacks, ensuring the integrity and authenticity of digital signatur es by preventing unauthorized modifications or fraudulent signatures. ML-DSA, FN -DSA, and SLH-DSA provide EUF-CMA security.</t>
<t>SUF-CMA (strong unforgeability under chosen message attack) builds upon EUF-CMA by requiring that an adversary cannot produce a different valid sig nature for a message that has already been signed by the signing oracle. Like EU F-CMA, SUF-CMA provides robust assurances for digital signature schemes, further enhancing their security posture. ML-DSA, FN-DSA, and SLH-DSA also achieve SUF- CMA security.</t> <t>SUF-CMA (strong unforgeability under chosen message attack) builds upon EUF-CMA by requiring that an adversary cannot produce a different valid sig nature for a message that has already been signed by the signing oracle. Like EU F-CMA, SUF-CMA provides robust assurances for digital signature schemes, further enhancing their security posture. ML-DSA, FN-DSA, and SLH-DSA also achieve SUF- CMA security.</t>
<t>Understanding EUF-CMA and SUF-CMA security is essential for designi <t>Understanding EUF-CMA and SUF-CMA security is essential for designi
ng or implementing cryptographic systems in order to ensure the security, reliab ng or implementing cryptographic systems in order to ensure the security, reliab
ility, and robustness of digital signature schemes. These notions allow for info ility, and robustness of digital signature schemes. These notions allow for info
rmed decision-making, vulnerability analysis, compliance with standards, and des rmed decision making, vulnerability analysis, compliance with standards, and des
igning systems that provide strong protection against forgery attacks. For devel igning systems that provide strong protection against forgery attacks. For devel
opers migrating to using an IETF-vetted PQC signature scheme within a given prot opers migrating to an IETF-vetted PQC signature scheme within a given protocol o
ocol or flow, a deep understanding of EUF-CMA and SUF-CMA security may not be ne r flow, a deep understanding of EUF-CMA and SUF-CMA security may not be necessar
cessary, as the schemes vetted by IETF adhere to these stringent security standa y, as the schemes vetted by IETF adhere to these stringent security standards.</
rds.</t> t>
<t>EUF-CMA and SUF-CMA are considered strong security benchmarks for p <t>EUF-CMA and SUF-CMA are considered strong security benchmarks for p
ublic key signature algorithms, making them suitable for most applications. IETF ublic key signature algorithms, making them suitable for most applications. Auth
specification authors should include all security concerns in the "Security Con ors of IETF specifications should include all security concerns in the "Security
siderations" section of the relevant RFC and should not assume that implementers Considerations" section of the relevant RFC and should not assume that implemen
are experts in cryptographic theory.</t> ters are experts in cryptographic theory.</t>
</section> </section>
</section> </section>
<section anchor="sig-scheme"> <section anchor="sig-scheme">
<name>Details of FN-DSA, ML-DSA, and SLH-DSA</name> <name>Details of FN-DSA, ML-DSA, and SLH-DSA</name>
<t>ML-DSA <xref target="ML-DSA"/> is a digital signature algorithm based <t>ML-DSA <xref target="ML-DSA"/> is a digital signature algorithm based
on the hardness of lattice problems over module lattices (i.e., the Module Lear on the hardness of lattice problems over module lattices (i.e., the Module Lear
ning with Errors problem (MLWE)). The design of the algorithm is based on the "F ning with Errors (MLWE) problem). The design of the algorithm is based on the "F
iat-Shamir with Aborts" <xref target="Lyu09"/> framework introduced by Lyubashev iat-Shamir with Aborts" <xref target="Lyu09"/> framework introduced by Lyubashev
sky, that leverages rejection sampling to render lattice-based Fiat-Shamir (FS) sky that leverages rejection sampling to render lattice-based Fiat-Shamir (FS) s
schemes compact and secure. ML-DSA uses uniformly-distributed random number samp chemes compact and secure. ML-DSA uses uniformly distributed random number sampl
ling over small integers to compute coefficients in error vectors, which makes t ing over small integers to compute coefficients in error vectors, which makes th
he scheme easier to implement compared with FN-DSA <xref target="FN-DSA"/> which e scheme easier to implement compared to FN-DSA <xref target="FN-DSA"/>, which
uses Gaussian-distributed numbers, necessitating the need to use floating point uses Gaussian-distributed numbers, necessitating the need to use floating-point
arithmetic during signature generation.</t> arithmetic during signature generation.</t>
<t>ML-DSA offers both deterministic and randomized signing and is instan <t>ML-DSA offers both deterministic and randomized signing and is instan
tiated with 3 parameter sets providing different security levels. Security prope tiated with three parameter sets providing different security levels. Security p
rties of ML-DSA are discussed in Section 9 of <xref target="I-D.ietf-lamps-dilit roperties of ML-DSA are discussed in <xref section="9" sectionFormat="of" target
hium-certificates"/>.</t> ="RFC9881"/>.</t>
<t>FN-DSA <xref target="FN-DSA"/> is based on the GPV hash-and-sign latt ice-based signature framework introduced by Gentry, Peikert, and Vaikuntanathan, which is a framework that requires a certain class of lattices and a trapdoor s ampler technique.</t> <t>FN-DSA <xref target="FN-DSA"/> is based on the GPV hash-and-sign latt ice-based signature framework introduced by Gentry, Peikert, and Vaikuntanathan, which is a framework that requires a certain class of lattices and a trapdoor s ampler technique.</t>
<t>The main design principle of FN-DSA is compactness, i.e., it was desi <t>The main design principle of FN-DSA is compactness, i.e., it was desi
gned in a way that achieves minimal total memory bandwidth requirement (the sum gned in a way that achieves minimal total memory bandwidth requirement (the sum
of the signature size plus the public key size). This is possible due to the com of the signature size plus the public key size). This is possible due to the com
pactness of NTRU lattices. FN-DSA also offers very efficient signing and verific pactness of NTRU lattices. FN-DSA also offers very efficient signing and verific
ation procedures. The main potential downsides of FN-DSA refer to the non-trivia ation procedures. The main potential downsides of FN-DSA refer to the non-trivia
lity of its algorithms and the need for floating point arithmetic support in ord lity of its algorithms and the need for floating-point arithmetic support in ord
er to support Gaussian-distributed random number sampling where the other lattic er to support Gaussian-distributed random number sampling where the other lattic
e schemes use the less efficient but easier to support uniformly-distributed ran e schemes use the less efficient but easier to support uniformly distributed ran
dom number sampling.</t> dom number sampling.</t>
<t>Implementers of FN-DSA need to be aware that FN-DSA signing is highly <t>Implementers of FN-DSA need to be aware that FN-DSA signing is highly
susceptible to side-channel attacks, unless constant-time 64-bit floating-point susceptible to side-channel attacks unless constant-time 64-bit floating-point
operations are used. This requirement is extremely platform-dependent, as noted operations are used. This requirement is extremely platform-dependent, as noted
in NIST's report.</t> in NIST's report <xref target="NIST"/>.</t>
<t>The performance characteristics of ML-DSA and FN-DSA may differ based <t>The performance characteristics of ML-DSA and FN-DSA may differ based
on the specific implementation and hardware platform. Generally, ML-DSA is know on the specific implementation and hardware platform. Generally, ML-DSA is know
n for its relatively fast signature generation, while FN-DSA can provide more ef n for its relatively fast signature generation, while FN-DSA can provide more ef
ficient signature verification. The choice may depend on whether the application ficient signature verification. The choice may depend on whether the application
requires more frequent signature generation or signature verification (See <xre requires more frequent signature generation or signature verification (see <xre
f target="LIBOQS"/>). For further clarity on the sizes and security levels, plea f target="LIBOQS"/>). For further clarity on the sizes and security levels, plea
se refer to the tables in <xref target="RecSecurity"/> and <xref target="Compari se refer to the tables in Sections <xref target="RecSecurity" format="counter"/>
sons"/>.</t> and <xref target="Comparisons" format="counter"/>.</t>
<t>SLH-DSA <xref target="SLH-DSA"/> utilizes the concept of stateless ha sh-based signatures, where each signature is unique and unrelated to any previou s signature (as discussed in <xref target="hash-based"/>). This property elimina tes the need for maintaining state information during the signing process. SLH-D SA was designed to sign up to 2^64 messages under a given key pair, and it offer s three security levels. The parameters for each of the security levels were cho sen to provide 128 bits of security, 192 bits of security, and 256 bits of secur ity. SLH-DSA offers smaller public key sizes, larger signature sizes, slower sig nature generation, and slower verification when compared to ML-DSA and FN-DSA. S LH-DSA does not introduce a new hardness assumption beyond those inherent to the underlying hash functions. It builds upon established foundations in cryptograp hy, making it a reliable and robust digital signature scheme for a post-quantum world.</t> <t>SLH-DSA <xref target="SLH-DSA"/> utilizes the concept of stateless ha sh-based signatures, where each signature is unique and unrelated to any previou s signature (as discussed in <xref target="hash-based"/>). This property elimina tes the need for maintaining state information during the signing process. SLH-D SA was designed to sign up to 2^64 messages under a given key pair, and it offer s three security levels. The parameters for each of the security levels were cho sen to provide 128 bits of security, 192 bits of security, and 256 bits of secur ity. SLH-DSA offers smaller public key sizes, larger signature sizes, slower sig nature generation, and slower verification when compared to ML-DSA and FN-DSA. S LH-DSA does not introduce a new hardness assumption beyond those inherent to the underlying hash functions. It builds upon established foundations in cryptograp hy, making it a reliable and robust digital signature scheme for a post-quantum world.</t>
<t>All of these algorithms, ML-DSA, FN-DSA, and SLH-DSA include two sign ature modes: pure mode, where the entire content is signed directly, and pre-has h mode, where a digest of the content is signed.</t> <t>All of these algorithms (ML-DSA, FN-DSA, and SLH-DSA) include two sig nature modes: pure mode, where the entire content is signed directly, and pre-ha sh mode, where a digest of the content is signed.</t>
</section> </section>
<section anchor="details-of-xmss-and-lms"> <section anchor="details-of-xmss-and-lms">
<name>Details of XMSS and LMS</name> <name>Details of XMSS and LMS</name>
<t>The eXtended Merkle Signature Scheme (XMSS) <xref target="RFC8391"/> and Hierarchical Signature Scheme (HSS) / Leighton-Micali Signature (LMS) <xref target="RFC8554"/> are stateful hash-based signature schemes, where the secret k ey state changes over time. In both schemes, reusing a secret key state compromi ses cryptographic security guarantees.</t> <t>The eXtended Merkle Signature Scheme (XMSS) <xref target="RFC8391"/> and Hierarchical Signature Scheme (HSS) / Leighton-Micali Signature (LMS) <xref target="RFC8554"/> are stateful hash-based signature schemes, where the secret k ey state changes over time. In both schemes, reusing a secret key state compromi ses cryptographic security guarantees.</t>
<t>XMSS and LMS can be used for signing a potentially large but fixed nu <t>XMSS and LMS can be used for signing a potentially large but fixed nu
mber of messages and the number of signing operations depends upon the size of t mber of messages, and the number of signing operations depends upon the size of
he tree. XMSS and LMS provide cryptographic digital signatures without relying o the tree. XMSS and LMS provide cryptographic digital signatures without relying
n the conjectured hardness of mathematical problems, instead leveraging the prop on the conjectured hardness of mathematical problems, instead leveraging the pro
erties of cryptographic hash functions. Multi-tree XMSS and LMS (i.e., XMSS-MT a perties of cryptographic hash functions. Multi-tree XMSS and LMS (i.e., XMSS-MT
nd HSS, respectively) use a hyper-tree based hierarchical approach with a Merkle and HSS, respectively) use a hyper-tree-based hierarchical approach with a Merkl
tree at each level of the hierarchy. <xref target="RFC8391"/> describes both si e tree at each level of the hierarchy. <xref target="RFC8391"/> describes both s
ngle-tree and multi-tree variants of XMSS, while <xref target="RFC8554"/> descri ingle-tree and multi-tree variants of XMSS, while <xref target="RFC8554"/> descr
bes the Leighton-Micali One-Time Signature (LM-OTS) system as well as the LMS an ibes the Leighton-Micali One-Time Signature (LM-OTS) system as well as the LMS a
d HSS N-time signature systems. Comparison of XMSS and LMS is discussed in Secti nd HSS N-time signature systems. Comparison of XMSS and LMS is discussed in <xre
on 10 of <xref target="RFC8554"/>.</t> f section="10" sectionFormat="of" target="RFC8554"/>.</t>
<t>The number of tree layers in multi-tree XMSS and HSS provides a trade <t>The number of tree layers in multi-tree XMSS and HSS provides a trade
-off between signature size on the one side and key generation and signing speed -off between signature size on the one side and key generation and signing speed
on the other side. Increasing the number of layers reduces key generation time on the other side. Increasing the number of layers reduces key generation time
exponentially and signing time linearly at the cost of increasing the signature exponentially and signing time linearly at the cost of increasing the signature
size linearly. HSS allows for customization of each subtree whereas XMSS-MT does size linearly. HSS allows for customization of each subtree, whereas XMSS-MT doe
not, electing instead to use the same structure for each subtree.</t> s not, electing instead to use the same structure for each subtree.</t>
<t>Due to the complexities described above, the XMSS and LMS are not a s <t>Due to the complexities described above, XMSS and LMS are not suitabl
uitable replacement for traditional signature schemes like RSA or ECDSA. Applica e replacements for traditional signature schemes like RSA or ECDSA. Applications
tions that expect a long lifetime of a signature, like firmware update or secure that expect a long lifetime of a signature, like firmware update or secure boot
boot, are typical use cases where those schemes can be successfully applied.</t , are typical use cases where those schemes can be successfully applied.</t>
>
<section anchor="lms-key-and-signature-sizes"> <section anchor="lms-key-and-signature-sizes">
<name>LMS Key and Signature Sizes</name> <name>LMS Key and Signature Sizes</name>
<t>The LMS scheme is characterized by four distinct parameter sets: th e underlying hash function (SHA2-256 or SHAKE-256), the length of the digest (24 or 32 bytes), the LMS tree height parameter that controls a maximal number of s ignatures that the private key can produce, and the width of the Winternitz coef ficients (see <xref target="RFC8554"/>, section 4.1) that can be used to trade-o ff signing time for signature size. Parameters can be mixed, providing 80 possib le parameterizations of the scheme.</t> <t>The LMS scheme is characterized by four distinct parameter sets: th e underlying hash function (SHA2-256 or SHAKE-256), the length of the digest (24 or 32 bytes), the LMS tree height parameter that controls a maximal number of s ignatures that the private key can produce, and the width of the Winternitz coef ficients (see <xref section="4.1" sectionFormat="comma" target="RFC8554"/>) that can be used to trade-off signing time for signature size. Parameters can be mix ed, providing 80 possible parameterizations of the scheme.</t>
<t>The public (PK) and private (SK) key size depends on the length of the digest (M). The signature size depends on the digest, the Winternitz paramet er (W), the LMS tree height (H), and the length of the digest. The table below p rovides key and signature sizes for parameterization with the digest size M=32 o f the scheme.</t> <t>The public (PK) and private (SK) key size depends on the length of the digest (M). The signature size depends on the digest, the Winternitz paramet er (W), the LMS tree height (H), and the length of the digest. The table below p rovides key and signature sizes for parameterization with the digest size M=32 o f the scheme.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PK</th> <th align="left">PK</th>
<th align="left">SK</th> <th align="left">SK</th>
<th align="left">W</th> <th align="left">W</th>
<th align="left">H=5</th> <th align="left">H=5</th>
<th align="left">H=10</th> <th align="left">H=10</th>
<th align="left">H=15</th> <th align="left">H=15</th>
skipping to change at line 810 skipping to change at line 1028
<td align="left">1612</td> <td align="left">1612</td>
<td align="left">1772</td> <td align="left">1772</td>
<td align="left">1932</td> <td align="left">1932</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
</section> </section>
<section anchor="hash-then-sign"> <section anchor="hash-then-sign">
<name>Hash-then-Sign</name> <name>Hash-then-Sign</name>
<t>Within the hash-then-sign paradigm, the message is hashed before sign <t>Within the hash-then-sign paradigm, the message is hashed before sign
ing it. By pre-hashing, the onus of resistance to existential forgeries becomes ing it. By pre-hashing, the onus of resistance to existential forgeries becomes
heavily reliant on the collision-resistance of the hash function in use. The has heavily reliant on the collision-resistance of the hash function in use. The has
h-then-sign paradigm has the ability to improve application performance by reduc h-then-sign paradigm has the ability to improve application performance by reduc
ing the size of signed messages that need to be transmitted between application ing the size of signed messages that need to be transmitted between application
and cryptographic module, and making the signature size predictable and manageab and cryptographic module and making the signature size predictable and manageabl
le. As a corollary, hashing remains mandatory even for short messages and assign e. As a corollary, hashing remains mandatory even for short messages and assigns
s a further computational requirement onto the verifier. This makes the performa a further computational requirement onto the verifier. This makes the performan
nce of hash-then-sign schemes more consistent, but not necessarily more efficien ce of hash-then-sign schemes more consistent, but not necessarily more efficient
t.</t> .</t>
<t>Using a hash function to produce a fixed-size digest of a message ens <t>Using a hash function to produce a fixed-size digest of a message ens
ures that the signature is compatible with a wide range of systems and protocols ures that the signature is compatible with a wide range of systems and protocols
, regardless of the specific message size or format. Crucially for hardware secu , regardless of the specific message size or format. Crucially for hardware secu
rity modules, Hash-then-Sign also significantly reduces the amount of data that rity modules, hash-then-sign also significantly reduces the amount of data that
needs to be transmitted and processed by a Hardware Security Module (HSM). Consi needs to be transmitted and processed by a Hardware Security Module (HSM). Consi
der scenarios such as a networked HSM located in a different data center from th der scenarios such as a networked HSM located in a different data center from th
e calling application or a smart card connected over a USB interface. In these c e calling application or a smart card connected over a USB interface. In these c
ases, streaming a message that is megabytes or gigabytes long can result in nota ases, streaming a message that is megabytes or gigabytes long can result in nota
ble network latency, on-device signing delays, or even depletion of available on ble network latency, on-device signing delays, or even depletion of available on
-device memory.</t> -device memory.</t>
<t>Note that the vast majority of Internet protocols that sign large mes <t>Note that the vast majority of Internet protocols that sign large mes
sages already perform some form of content hashing at the protocol level, so thi sages already perform some form of content hashing at the protocol level, so thi
s tends to be more of a concern with proprietary cryptographic protocols, and pr s tends to be more of a concern with proprietary cryptographic protocols and pro
otocols from non-IETF standards bodies. Protocols like TLS 1.3 and DNSSEC use th tocols from non-IETF standards bodies. Protocols like TLS 1.3 and DNSSEC use the
e Hash-then-Sign paradigm. In TLS 1.3 <xref target="RFC8446"/> CertificateVerify hash-then-sign paradigm. In TLS 1.3 <xref target="RFC8446"/> CertificateVerify
messages, the content that is covered under the signature includes the transcri messages, the content that is covered under the signature includes the transcrip
pt hash output (Section 4.4.1 of <xref target="RFC8446"/>), while DNSSEC <xref t t hash output (<xref section="4.4.1" sectionFormat="of" target="RFC8446"/>) whil
arget="RFC4034"/> uses it to provide origin authentication and integrity assuran e DNSSEC <xref target="RFC4034"/> uses it to provide origin authentication and i
ce services for DNS data. Similarly, the Cryptographic Message Syntax (CMS) <xre ntegrity assurance services for DNS data. Similarly, the Cryptographic Message S
f target="RFC5652"/> includes a mandatory message digest step before invoking th yntax (CMS) <xref target="RFC5652"/> includes a mandatory message digest step be
e signature algorithm.</t> fore invoking the signature algorithm.</t>
<t>In the case of ML-DSA, it internally incorporates the necessary hash operations as part of its signing algorithm. ML-DSA directly takes the original message, applies a hash function internally, and then uses the resulting hash va lue for the signature generation process. In the case of SLH-DSA, it internally performs randomized message compression using a keyed hash function that can pro cess arbitrary length messages. In the case of FN-DSA, the SHAKE-256 hash functi on is used as part of the signature process to derive a digest of the message be ing signed.</t> <t>In the case of ML-DSA, it internally incorporates the necessary hash operations as part of its signing algorithm. ML-DSA directly takes the original message, applies a hash function internally, and then uses the resulting hash va lue for the signature generation process. In the case of SLH-DSA, it internally performs randomized message compression using a keyed hash function that can pro cess arbitrary length messages. In the case of FN-DSA, the SHAKE-256 hash functi on is used as part of the signature process to derive a digest of the message be ing signed.</t>
<t>Therefore, ML-DSA, FN-DSA, and SLH-DSA offer enhanced security over t he traditional Hash-then-Sign paradigm because by incorporating dynamic key mate rial into the message digest, a pre-computed hash collision on the message to be signed no longer yields a signature forgery. Applications requiring the perform ance and bandwidth benefits of Hash-then-Sign may still pre-hash at the protocol level prior to invoking ML-DSA, FN-DSA, or SLH-DSA, but protocol designers shou ld be aware that doing so re-introduces the weakness that hash collisions direct ly yield signature forgeries. Signing the full un-digested message is recommende d where applications can tolerate it.</t> <t>Therefore, ML-DSA, FN-DSA, and SLH-DSA offer enhanced security over t he traditional hash-then-sign paradigm because, by incorporating dynamic key mat erial into the message digest, a pre-computed hash collision on the message to b e signed no longer yields a signature forgery. Applications requiring the perfor mance and bandwidth benefits of hash-then-sign may still pre-hash at the protoco l level prior to invoking ML-DSA, FN-DSA, or SLH-DSA, but protocol designers sho uld be aware that doing so reintroduces the weakness that hash collisions direct ly yield signature forgeries. Signing the full un-digested message is recommende d where applications can tolerate it.</t>
</section> </section>
</section> </section>
<section anchor="RecSecurity"> <section anchor="RecSecurity">
<name>NIST Recommendations for Security / Performance Tradeoffs</name> <name>NIST Recommendations for Security and Performance Trade-offs</name>
<t>This information is a re-print of information provided in the NIST PQC <t>This information is a reprint of information provided in the NIST PQC p
project <xref target="NIST"/> as of the time this document is published. The Tab roject <xref target="NIST"/> as of the time this document is published. <xref ta
le 2 denotes the five security levels provided by NIST for PQC algorithms. Neith rget="security-levels-table"/> denotes the five security levels provided by NIST
er NIST nor the IETF make any specific recommendations about which security leve for PQC algorithms. Neither NIST nor the IETF makes any specific recommendation
l to use. In general, protocols will include algorithm choices at multiple level s about which security level to use. In general, protocols will include algorith
s so that users can choose the level appropriate to their policies and data clas m choices at multiple levels so that users can choose the level appropriate to t
sification, similar to how organizations today choose which size of RSA key to u heir policies and data classification, similar to how organizations today choose
se. The security levels are defined as requiring computational resources compara which size of RSA key to use. The security levels are defined as requiring comp
ble to or greater than an attack on AES (128, 192 and 256) and SHA2/SHA3 algorit utational resources comparable to or greater than an attack on AES (128, 192, an
hms, i.e., exhaustive key recovery for AES and optimal collision search for SHA2 d 256) and SHA2/SHA3 algorithms, i.e., exhaustive key recovery for AES and optim
/SHA3.</t> al collision search for SHA2/SHA3.</t>
<table> <table anchor="security-levels-table">
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">AES/SHA(2/3) hardness</th> <th align="left">AES/SHA(2/3) hardness</th>
<th align="left">PQC Algorithm</th> <th align="left">PQC Algorithm</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">1</td> <td align="left">1</td>
skipping to change at line 856 skipping to change at line 1074
<td align="left">SHA-384/SHA3-384 (collision search)</td> <td align="left">SHA-384/SHA3-384 (collision search)</td>
<td align="left">No algorithm tested at this level</td> <td align="left">No algorithm tested at this level</td>
</tr> </tr>
<tr> <tr>
<td align="left">5</td> <td align="left">5</td>
<td align="left">AES-256 (exhaustive key recovery)</td> <td align="left">AES-256 (exhaustive key recovery)</td>
<td align="left">ML-KEM-1024, FN-DSA-1024, ML-DSA-87, SLH-DSA-SHA2/S HAKE-256f/s</td> <td align="left">ML-KEM-1024, FN-DSA-1024, ML-DSA-87, SLH-DSA-SHA2/S HAKE-256f/s</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>The SLH-DSA-x-yf/s "f/s" in the above table denotes whether SLH-DSA is <t>The SLH-DSA-x-yf/s "f/s" in the above table denotes whether SLH-DSA is
using SHAKE or SHA-2 as an underlying hash function "x" and whether it is the fa using SHAKE or SHA-2 as an underlying hash function "x" and whether it is the fa
st (f) or small (s) version for "y" bit AES security level. Refer to <xref targe st (f) or small (s) version for "y" bit AES security level. Refer to <xref targe
t="I-D.ietf-lamps-cms-sphincs-plus"/> for further details on SLH-DSA algorithms. t="RFC9814"/> for further details on SLH-DSA algorithms.</t>
</t> <t>The following table compares the signature sizes for different SLH-DSA
<t>The following table compares the signature sizes for different SLH-DSA algorithm categories at equivalent security levels using the "simple" version. T
algorithm categories at equivalent security levels, using the "simple" version. he categories include "f" for fast signature generation and "s" for smaller sign
The categories include "(f)" for fast signature generation, and "(s)" for smalle ature size and faster verification, although with slower signature generation. B
r signature size and faster verification, although with slower signature generat oth SHA-256 and SHAKE-256 parameterizations produce the same signature sizes and
ion. Both SHA-256 and SHAKE-256 parameterizations produce the same signature siz are therefore included together in the table.</t>
es and are therefore included together in the table.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">Algorithm</th> <th align="left">Algorithm</th>
<th align="left">Public key size (in bytes)</th> <th align="left">Public key size (in bytes)</th>
<th align="left">Private key size (in bytes)</th> <th align="left">Private key size (in bytes)</th>
<th align="left">Signature size (in bytes)</th> <th align="left">Signature size (in bytes)</th>
</tr> </tr>
</thead> </thead>
skipping to change at line 985 skipping to change at line 1203
<td align="left">5</td> <td align="left">5</td>
<td align="left">ML-DSA-87</td> <td align="left">ML-DSA-87</td>
<td align="left">2592</td> <td align="left">2592</td>
<td align="left">4896</td> <td align="left">4896</td>
<td align="left">4627</td> <td align="left">4627</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section anchor="Comparisons"> <section anchor="Comparisons">
<name>Comparing PQC KEMs/Signatures vs. Traditional KEMs (KEXs)/Signatures <name>Comparing PQC KEMs/Signatures and Traditional KEMs/Signatures</name>
</name> <t>This section provides two tables for comparison of different KEMs and s
<t>This section provides two tables for comparison of different KEMs and s ignatures, respectively, in the traditional and post-quantum scenarios. These ta
ignatures respectively, in the traditional and post-quantum scenarios. These tab bles focus on the secret key sizes, public key sizes, and ciphertext/signature s
les focus on the secret key sizes, public key sizes, and ciphertext/signature si izes for the PQC algorithms and their traditional counterparts of similar securi
zes for the PQC algorithms and their traditional counterparts of similar securit ty levels.</t>
y levels.</t> <t>The first table compares traditional and PQC KEMs in terms of security,
<t>The first table compares traditional vs. PQC KEMs in terms of security, public and private key sizes, and ciphertext sizes.</t>
public and private key sizes, and ciphertext sizes.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">Algorithm</th> <th align="left">Algorithm</th>
<th align="left">Public key size (in bytes)</th> <th align="left">Public key size (in bytes)</th>
<th align="left">Private key size (in bytes)</th> <th align="left">Private key size (in bytes)</th>
<th align="left">Ciphertext size (in bytes)</th> <th align="left">Ciphertext size (in bytes)</th>
</tr> </tr>
</thead> </thead>
skipping to change at line 1043 skipping to change at line 1261
</tr> </tr>
<tr> <tr>
<td align="left">5</td> <td align="left">5</td>
<td align="left">ML-KEM-1024</td> <td align="left">ML-KEM-1024</td>
<td align="left">1568</td> <td align="left">1568</td>
<td align="left">3168</td> <td align="left">3168</td>
<td align="left">1568</td> <td align="left">1568</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>The next table compares traditional vs. PQC signature schemes in terms of security, public, private key sizes, and signature sizes.</t> <t>The next table compares traditional and PQC signature schemes in terms of security, public, private key sizes, and signature sizes.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">Algorithm</th> <th align="left">Algorithm</th>
<th align="left">Public key size (in bytes)</th> <th align="left">Public key size (in bytes)</th>
<th align="left">Private key size (in bytes)</th> <th align="left">Private key size (in bytes)</th>
<th align="left">Signature size (in bytes)</th> <th align="left">Signature size (in bytes)</th>
</tr> </tr>
</thead> </thead>
skipping to change at line 1106 skipping to change at line 1324
</tr> </tr>
<tr> <tr>
<td align="left">5</td> <td align="left">5</td>
<td align="left">ML-DSA-87</td> <td align="left">ML-DSA-87</td>
<td align="left">2592</td> <td align="left">2592</td>
<td align="left">4896</td> <td align="left">4896</td>
<td align="left">4627</td> <td align="left">4627</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>As is clear from the above table, PQC KEMs and signature schemes typica lly have significantly larger keys and ciphertexts/signatures than their traditi onal counterparts. These increased key and signatures sizes could introduce prob lems in protocols. As an example, IKEv2 uses UDP as the transport for its messag es. One challenge with integrating a PQC KEM into IKEv2 is that IKE fragmentatio n cannot be utilized in the initial IKE_SA_INIT exchange. To address this issue, <xref target="RFC9242"/> introduces a solution by defining a new exchange calle d the "Intermediate Exchange" which can be fragmented using the IKE fragmentatio n mechanism. <xref target="RFC9370"/> then uses this Intermediate Exchange to ca rry out the PQC key exchange after the initial IKEv2 exchange and before the IKE _AUTH exchange. Another example from <xref target="SP-1800-38C"/> section 6.3.3 shows that increased key and signature sizes cause protocol key exchange message s to span more network packets, therefore it results in a higher total loss prob ability per packet. In lossy network conditions, this may increase the latency o f the key exchange.</t> <t>As is clear from the above table, PQC KEMs and signature schemes typica lly have significantly larger keys and ciphertexts/signatures than their traditi onal counterparts. These increased key and signatures sizes could introduce prob lems in protocols. As an example, the Internet Key Exchange Protocol Version 2 ( IKEv2) uses UDP as the transport protocol for its messages. One challenge with i ntegrating a PQC KEM into IKEv2 is that IKE fragmentation cannot be utilized in the initial IKE_SA_INIT exchange. To address this issue, <xref target="RFC9242"/ > introduces a solution by defining a new exchange called the "Intermediate Exch ange", which can be fragmented using the IKE fragmentation mechanism. <xref targ et="RFC9370"/> then uses this Intermediate Exchange to carry out the PQC key exc hange after the initial IKEv2 exchange and before the IKE_AUTH exchange. Another example from Section 6.3.3 of <xref target="SP-1800-38C"/> shows that increased key and signature sizes cause protocol key exchange messages to span more netwo rk packets, which results in a higher total loss probability per packet. In loss y network conditions, this may increase the latency of the key exchange.</t>
</section> </section>
<section anchor="PQT"> <section anchor="PQT">
<name>Post-Quantum and Traditional Hybrid Schemes</name> <name>Post-Quantum and Traditional (PQ/T) Hybrid Schemes</name>
<t>The migration to PQC is unique in the history of modern digital cryptog raphy in that neither the traditional algorithms nor the post-quantum algorithms are fully trusted to protect data for the required lifetimes. The traditional a lgorithms, such as RSA and ECDH, will fall to quantum cryptanalysis, while the p ost-quantum algorithms face uncertainty about the underlying mathematics, compli ance issues, unknown vulnerabilities, and hardware and software implementations that have not had sufficient maturing time to rule out traditional cryptanalytic attacks and implementation bugs.</t> <t>The migration to PQC is unique in the history of modern digital cryptog raphy in that neither the traditional algorithms nor the post-quantum algorithms are fully trusted to protect data for the required lifetimes. The traditional a lgorithms, such as RSA and ECDH, will fall to quantum cryptanalysis, while the p ost-quantum algorithms face uncertainty about the underlying mathematics, compli ance issues, unknown vulnerabilities, and hardware and software implementations that have not had sufficient maturing time to rule out traditional cryptanalytic attacks and implementation bugs.</t>
<t>During the transition from traditional to post-quantum algorithms, ther e may be a desire or a requirement for protocols that use both algorithm types. <xref target="I-D.ietf-pquip-pqt-hybrid-terminology"/> defines the terminology f or the post-quantum and traditional (PQ/T) hybrid schemes.</t> <t>During the transition from traditional to post-quantum algorithms, ther e may be a desire or a requirement for protocols that use both algorithm types. <xref target="RFC9794"/> defines the terminology for PQ/T hybrid schemes.</t>
<section anchor="pqt-hybrid-confidentiality"> <section anchor="pqt-hybrid-confidentiality">
<name>PQ/T Hybrid Confidentiality</name> <name>PQ/T Hybrid Confidentiality</name>
<t>The PQ/T Hybrid Confidentiality property can be used to mitigate both <t>The PQ/T Hybrid Confidentiality property can be used to mitigate both
"harvest now, decrypt now" and HNDL attacks described in <xref target="timeline "harvest now, decrypt now" and HNDL attacks described in <xref target="timeline
"/>. If the PQ portion were to have a flaw, the traditional (T) algorithm, which "/>. If the PQ portion were to have a flaw, the traditional (T) algorithm, which
is secure against today’s attackers, prevents immediate decryption ("harvest no is secure against today's attackers, prevents immediate decryption ("harvest no
w, decrypt now"). If the T algorithm is broken in the future by CRQCs, the PQ po w, decrypt now"). If the T algorithm is broken in the future by CRQCs, the PQ po
rtion, assuming it remains secure, prevents later decryption ("harvest now, decr rtion, assuming it remains secure, prevents later decryption (i.e., HNDL). A hyb
ypt later"). A hybrid construction therefore provides confidentiality as long as rid construction therefore provides confidentiality as long as at least one comp
at least one component remains secure. Two types of hybrid key agreement scheme onent remains secure. Two types of hybrid key agreement schemes are discussed be
s are discussed below.</t> low.</t>
<ul spacing="normal"> <dl>
<li> <dt>Concatenated hybrid key agreement scheme:</dt>
<t>Concatenated hybrid key agreement scheme: The final shared secret <dd>
that will be used as an input of the key derivation function is the result of t <t>The final shared secret that will be used as an input of the key
he concatenation of the secrets established with each key agreement scheme. For derivation function is the result of the concatenation of the secrets establishe
example, in <xref target="I-D.ietf-tls-hybrid-design"/>, the client uses the TLS d with each key agreement scheme. For example, in <xref target="I-D.ietf-tls-hyb
supported groups extension to advertise support for a PQ/T hybrid scheme, and t rid-design"/>, the client uses the TLS supported groups extension to advertise s
he server can select this group if it supports the scheme. The hybrid-aware clie upport for a PQ/T hybrid scheme, and the server can select this group if it supp
nt and server establish a hybrid secret by concatenating the two shared secrets, orts the scheme. The hybrid-aware client and server establish a hybrid secret by
which is used as the shared secret in the existing TLS 1.3 key schedule.</t> concatenating the two shared secrets, which is used as the shared secret in the
</li> existing TLS 1.3 key schedule.</t>
<li> </dd>
<t>Cascaded hybrid key agreement scheme: The final shared secret is <dt>Cascaded hybrid key agreement scheme:</dt>
computed by applying as many iterations of the key derivation function as the nu <dd>
mber of key agreement schemes composing the hybrid key agreement scheme. For exa <t>The final shared secret is computed by applying as many iteration
mple, <xref target="RFC9370"/> extends the Internet Key Exchange Protocol Versio s of the key derivation function as the number of key agreement schemes composin
n 2 (IKEv2) to allow one or more PQC algorithms in addition to the traditional a g the hybrid key agreement scheme. For example, <xref target="RFC9370"/> extends
lgorithm to derive the final IKE SA keys using the cascade method as explained i IKEv2 to allow one or more PQC algorithms in addition to the traditional algori
n Section 2.2.2 of <xref target="RFC9370"/>.</t> thm to derive the final IKE Security Association (SA) keys using the cascade met
</li> hod as explained in <xref section="2.2.2" sectionFormat="of" target="RFC9370"/>.
</ul> </t>
</dd>
</dl>
<t>Various instantiations of these two types of hybrid key agreement sch emes have been explored. One must be careful when selecting which hybrid scheme to use. The chosen scheme for protocols like TLS 1.3 <xref target="I-D.ietf-tls- hybrid-design"/> has IND-CCA2 robustness. That is, IND-CCA2 security is guarante ed for the scheme as long as at least one of the component algorithms is IND-CCA 2 secure.</t> <t>Various instantiations of these two types of hybrid key agreement sch emes have been explored. One must be careful when selecting which hybrid scheme to use. The chosen scheme for protocols like TLS 1.3 <xref target="I-D.ietf-tls- hybrid-design"/> has IND-CCA2 robustness. That is, IND-CCA2 security is guarante ed for the scheme as long as at least one of the component algorithms is IND-CCA 2 secure.</t>
</section> </section>
<section anchor="pqt-hybrid-authentication"> <section anchor="pqt-hybrid-authentication">
<name>PQ/T Hybrid Authentication</name> <name>PQ/T Hybrid Authentication</name>
<t>The PQ/T hybrid authentication property provides resilience against c atastrophic breaks or unforeseen vulnerabilities in PQC algorithms, allowing sys tems additional time to stabilize before migrating fully to pure PQ deployments. </t> <t>The PQ/T hybrid authentication property provides resilience against c atastrophic breaks or unforeseen vulnerabilities in PQC algorithms, allowing sys tems additional time to stabilize before migrating fully to pure PQ deployments. </t>
<t>This property ensures authentication using a PQ/T hybrid scheme, as l ong as at least one component algorithm remains secure. For example, a PQ/T hybr id certificate <xref target="I-D.ietf-lamps-pq-composite-sigs"/> can be employed to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid aut hentication protocol does not need to use a PQ/T hybrid certificate; separate ce rtificates could be used for individual component algorithms <xref target="I-D.i etf-lamps-cert-binding-for-multi-auth"/>. When separate certificates are used, i t may be possible for attackers to take them apart or put them together in unexp ected ways, including enabling cross-protocol attacks. The exact risks this pres ents are highly dependent on the protocol and use case, so a full security analy sis is needed. Best practices for ensuring that pairs of certificates are only u sed as intended are discussed in more detail in <xref target="COMPOSITE"/> and < xref target="REUSE"/> of this document.</t> <t>This property ensures authentication using a PQ/T hybrid scheme as lo ng as at least one component algorithm remains secure. For example, a PQ/T hybri d certificate <xref target="I-D.ietf-lamps-pq-composite-sigs"/> can be employed to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid auth entication protocol does not need to use a PQ/T hybrid certificate; separate cer tificates could be used for individual component algorithms <xref target="RFC976 3"/>. When separate certificates are used, it may be possible for attackers to t ake them apart or put them together in unexpected ways, including enabling cross -protocol attacks. The exact risks this presents are highly dependent on the pro tocol and use case, so a full security analysis is needed. Best practices for en suring that pairs of certificates are only used as intended are discussed in mor e detail in Sections <xref target="COMPOSITE" format="counter"/> and <xref targe t="REUSE" format="counter"/> of this document.</t>
<t>The frequency and duration of system upgrades and the time when CRQCs will become widely available need to be weighed to determine whether and when t o support the PQ/T Hybrid Authentication property.</t> <t>The frequency and duration of system upgrades and the time when CRQCs will become widely available need to be weighed to determine whether and when t o support the PQ/T Hybrid Authentication property.</t>
</section> </section>
<section anchor="hybrid-cryptographic-algorithm-combinations-consideration s-and-approaches"> <section anchor="hybrid-cryptographic-algorithm-combinations-consideration s-and-approaches">
<name>Hybrid Cryptographic Algorithm Combinations: Considerations and Ap proaches</name> <name>Hybrid Cryptographic Algorithm Combinations: Considerations and Ap proaches</name>
<section anchor="hybrid-cryptographic-combinations"> <section anchor="hybrid-cryptographic-combinations">
<name>Hybrid Cryptographic Combinations</name> <name>Hybrid Cryptographic Combinations</name>
<t>It is also possible to use more than two algorithms together in a h ybrid scheme, with various methods for combining them. For post-quantum transiti on purposes, the combination of a post-quantum algorithm with a traditional algo rithm is the most straightforward and recommended. The use of multiple post-quan tum algorithms with different mathematical bases has also been considered. Combi ning algorithms in a way that requires both to be used together ensures stronger security, while combinations that do not require both will sacrifice security b ut offer other benefits like backwards compatibility and crypto agility. Includi ng a traditional key alongside a post-quantum key often has minimal bandwidth im pact.</t> <t>It is also possible to use more than two algorithms together in a h ybrid scheme, with various methods for combining them. For post-quantum transiti on purposes, the combination of a post-quantum algorithm with a traditional algo rithm is the most straightforward and recommended. The use of multiple post-quan tum algorithms with different mathematical bases has also been considered. Combi ning algorithms in a way that requires both to be used together ensures stronger security, while combinations that do not require both will sacrifice security b ut offer other benefits like backwards compatibility and crypto agility. Includi ng a traditional key alongside a post-quantum key often has minimal bandwidth im pact.</t>
</section> </section>
<section anchor="COMPOSITE"> <section anchor="COMPOSITE">
<name>Composite Keys in Hybrid Schemes</name> <name>Composite Keys in Hybrid Schemes</name>
<t>When combining keys in an "and" mode, it may make more sense to con <t>When combining keys in an "and" mode, it may make more sense to con
sider them to be a single composite key, instead of two keys. This generally req sider them to be a single composite key instead of two keys. This generally requ
uires fewer changes to various components of PKI ecosystems, many of which are n ires fewer changes to various components of PKI ecosystems, many of which are no
ot prepared to deal with two keys or dual signatures. To those protocol- or appl t prepared to deal with two keys or dual signatures. To those protocol- or appli
ication-layer parsers, a "composite" algorithm composed of two "component" algor cation-layer parsers, a "composite" algorithm composed of two "component" algori
ithms is simply a new algorithm, and support for adding new algorithms generally thms is simply a new algorithm, and support for adding new algorithms generally
already exists. Treating multiple "component" keys as a single "composite" key already exists. Treating multiple "component" keys as a single "composite" key a
also has security advantages such as preventing cross-protocol reuse of the indi lso has security advantages, such as preventing cross-protocol reuse of the indi
vidual component keys and guarantees about revoking or retiring all component ke vidual component keys and guarantees about revoking or retiring all component ke
ys together at the same time, especially if the composite is treated as a single ys together at the same time, especially if the composite is treated as a single
object all the way down into the cryptographic module.</t> object all the way down into the cryptographic module.</t>
<t>All that needs to be done is to standardize the formats of how the <t>All that needs to be done is to standardize the formats of how the
two keys from the two algorithms are combined into a single data structure, and two keys from the two algorithms are combined into a single data structure and h
how the two resulting signatures or KEMs are combined into a single signature or ow the two resulting signatures or KEMs are combined into a single signature or
KEM. The answer can be as simple as concatenation, if the lengths are fixed or KEM. The answer can be as simple as concatenation if the lengths are fixed or ea
easily determined. At the time this document is published, security research is sily determined. At the time this document is published, security research is on
ongoing as to the security properties of concatenation-based composite signature going as to the security properties of concatenation-based composite signatures
s and KEMs vs. more sophisticated signature and KEM combiners, and in which prot and KEMs versus more sophisticated signature and KEM combiners and protocol cont
ocol contexts those simpler combiners are sufficient.</t> exts in which those simpler combiners are sufficient.</t>
<t>One last consideration is the specific pairs of algorithms that can <t>One last consideration is the specific pairs of algorithms that can
be combined. A recent trend in protocols is to only allow a small number of "kn be combined. A recent trend in protocols is to only allow a small number of "kn
own good" configurations that make sense, often referred to in cryptography as a own good" configurations that make sense, often referred to in cryptography as a
"ciphersuite", instead of allowing arbitrary combinations of individual configu "ciphersuite", instead of allowing arbitrary combinations of individual configu
ration choices that may interact in dangerous ways. The current consensus is tha ration choices that may interact in dangerous ways. The current consensus is tha
t the same approach should be followed for combining cryptographic algorithms, a t the same approach should be followed for combining cryptographic algorithms an
nd that "known good" pairs should be explicitly listed ("explicit composite"), i d that "known good" pairs should be explicitly listed ("explicit composite") ins
nstead of just allowing arbitrary combinations of any two cryptographic algorith tead of just allowing arbitrary combinations of any two cryptographic algorithms
ms ("generic composite").</t> ("generic composite").</t>
<t>The same considerations apply when using multiple certificates to t <t>The same considerations apply when using multiple certificates to t
ransport a pair of related keys for the same subject. Exactly how two certificat ransport a pair of related keys for the same subject. Exactly how two certificat
es should be managed in order to avoid some of the pitfalls mentioned above is s es should be managed in order to avoid some of the pitfalls mentioned above is s
till an active area of investigation. Using two certificates keeps the certifica till an active area of investigation. Using two certificates keeps the certifica
te tooling simple and straightforward, but in the end simply moves the problems te tooling simple and straightforward, but in the end, this simply moves problem
with requiring that both certs are intended to be used as a pair, must produce t s (i.e., problems with the requirement that both certificates be used as a pair,
wo signatures which must be carried separately, and both must validate, to the c that two signatures that must be carried separately, and that both validate) to
ertificate management layer, where addressing these concerns in a robust way can the certificate management layer, where addressing these concerns in a robust w
be difficult.</t> ay can be difficult.</t>
<t>At least one scheme has been proposed that allows the pair of certi <t>At least one scheme has been proposed that allows the pair of certi
ficates to exist as a single certificate when being issued and managed, but dyna ficates to exist as a single certificate when being issued and managed but dynam
mically split into individual certificates when needed (<xref target="I-D.draft- ically split into individual certificates when needed (see <xref target="I-D.bon
bonnell-lamps-chameleon-certs"/>).</t> nell-lamps-chameleon-certs"/>).</t>
</section> </section>
<section anchor="REUSE"> <section anchor="REUSE">
<name>Key Reuse in Hybrid Schemes</name> <name>Key Reuse in Hybrid Schemes</name>
<t>An important security note, particularly when using hybrid signatur <t>An important security note, particularly when using hybrid signatur
e keys, but also to a lesser extent hybrid KEM keys, is key reuse. In traditiona e keys, but also to a lesser extent hybrid KEM keys, is key reuse. In traditiona
l cryptography, problems can occur with so-called "cross-protocol attacks" when l cryptography, problems can occur with so-called "cross-protocol attacks" when
the same key can be used for multiple protocols; for example signing TLS handsha the same key can be used for multiple protocols; for example, signing TLS handsh
kes and signing S/MIME emails. While it is not best-practice to reuse keys withi akes and signing S/MIME emails. While it is not best practice to reuse keys with
n the same protocol, for example using the same key for multiple S/MIME certific in the same protocol, e.g., using the same key for multiple S/MIME certificates
ates for the same user, it is not generally catastrophic for security. However, for the same user, it is not generally catastrophic for security. However, key r
key reuse becomes a large security problem within hybrids.</t> euse becomes a large security problem within hybrid schemes.</t>
<t>Consider an {RSA, ML-DSA} hybrid key where the RSA key also appears <t>Consider an {RSA, ML-DSA} hybrid key where the RSA key also appears
within a single-algorithm certificate. In this case, an attacker could perform within a single-algorithm certificate. In this case, an attacker could perform
a "stripping attack" where they take some piece of data signed with the {RSA, ML a "stripping attack" where they take some piece of data signed with the {RSA, ML
-DSA} key, remove the ML-DSA signature and present the data as if it was intende -DSA} key, remove the ML-DSA signature, and present the data as if it was intend
d for the RSA only certificate. This leads to a set of security definitions call ed for the RSA only certificate. This leads to a set of security definitions cal
ed "non-separability properties", which refers to how well the signature scheme led "non-separability properties", which refers to how well the signature scheme
resists various complexities of downgrade / stripping attacks <xref target="I-D. resists various complexities of downgrade/stripping attacks <xref target="I-D.i
draft-ietf-pquip-hybrid-signature-spectrums"/>. Therefore, it is recommended tha etf-pquip-hybrid-signature-spectrums"/>. Therefore, it is recommended that imple
t implementers either reuse the entire hybrid key as a whole, or perform fresh k menters either reuse the entire hybrid key as a whole or perform fresh key gener
ey generation of all component keys per usage, and must not take an existing key ation of all component keys per usage, and must not take an existing key and reu
and reuse it as a component of a hybrid.</t> se it as a component of a hybrid key.</t>
</section> </section>
<section anchor="future-directions-and-ongoing-research"> <section anchor="future-directions-and-ongoing-research">
<name>Future Directions and Ongoing Research</name> <name>Future Directions and Ongoing Research</name>
<t>Many aspects of hybrid cryptography are still under investigation. LAMPS WG at IETF is actively exploring the security properties of these combinat ions, and future standards will reflect the evolving consensus on these issues.< /t> <t>Many aspects of hybrid cryptography are still under investigation. The LAMPS Working Group at IETF is actively exploring the security properties of these combinations, and future standards will reflect the evolving consensus on these issues.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="impact-on-constrained-devices-and-networks"> <section anchor="impact-on-constrained-devices-and-networks">
<name>Impact on Constrained Devices and Networks</name> <name>Impact on Constrained Devices and Networks</name>
<t>PQC algorithms generally have larger keys, ciphertext, and signature si zes than traditional public key algorithms. This has particular impact on constr ained devices that operate with limited data rates. In the IoT space, these cons traints have historically driven significant optimization efforts in the IETF (e .g., LAKE, CoRE) to adapt security protocols to resource-constrained environment s.</t> <t>PQC algorithms generally have larger keys, ciphertext, and signature si zes than traditional public key algorithms. This has particular impact on constr ained devices that operate with limited data rates. In the IoT space, these cons traints have historically driven significant optimization efforts in the IETF (e .g., in the LAKE and CoRE Working Groups) to adapt security protocols to resourc e-constrained environments.</t>
<t>As the transition to PQC progresses, these environments will face simil ar challenges. Larger message sizes can increase handshake latency, raise energy consumption, and require fragmentation logic. Work is ongoing in the IETF to st udy how PQC can be deployed in constrained devices (see <xref target="I-D.ietf-p quip-pqc-hsm-constrained"/>).</t> <t>As the transition to PQC progresses, these environments will face simil ar challenges. Larger message sizes can increase handshake latency, raise energy consumption, and require fragmentation logic. Work is ongoing in the IETF to st udy how PQC can be deployed in constrained devices (see <xref target="I-D.ietf-p quip-pqc-hsm-constrained"/>).</t>
</section> </section>
<section anchor="security-considerations"> <section anchor="security-considerations">
<name>Security Considerations</name> <name>Security Considerations</name>
<section anchor="cryptanalysis"> <section anchor="cryptanalysis">
<name>Cryptanalysis</name> <name>Cryptanalysis</name>
<t>Traditional cryptanalysis exploits weaknesses in algorithm design, ma <t>Traditional cryptanalysis exploits weaknesses in algorithm design, ma
thematical vulnerabilities, or implementation flaws, that are exploitable with c thematical vulnerabilities, or implementation flaws that are exploitable with cl
lassical (i.e. non-quantum) hardware, whereas quantum cryptanalysis harnesses th assical (i.e., non-quantum) hardware, whereas quantum cryptanalysis harnesses th
e power of CRQCs to solve specific mathematical problems more efficiently. Anoth e power of CRQCs to solve specific mathematical problems more efficiently. Quant
er form of quantum cryptanalysis is "quantum side-channel" attacks. In such atta um side-channel attacks are another form of quantum cryptanalysis. In such attac
cks, a device under threat is directly connected to a quantum computer, which th ks, a device under threat is directly connected to a quantum computer, which the
en injects entangled or superimposed data streams to exploit hardware that lacks n injects entangled or superimposed data streams to exploit hardware that lacks
protection against quantum side-channels. Both pose threats to the security of protection against quantum side channels. Both pose threats to the security of c
cryptographic algorithms, including those used in PQC. Developing and adopting n ryptographic algorithms, including those used in PQC. It is crucial to develop a
ew cryptographic algorithms resilient against these threats is crucial for ensur nd adopt new cryptographic algorithms resilient against these threats to ensure
ing long-term security in the face of advancing cryptanalysis techniques.</t> long-term security in the face of advancing cryptanalysis techniques.</t>
<t>Recent attacks on the side-channel implementations using deep learnin <t>Recent attacks on the side-channel implementations using deep learnin
g based power analysis have also shown that one needs to be cautious while imple g-based power analysis have also shown that one needs to be cautious while imple
menting the required PQC algorithms in hardware. Two of the most recent works in menting the required PQC algorithms in hardware. Two of the most recent works in
clude one attack on ML-KEM <xref target="KyberSide"/> and one attack on Saber <x clude one attack on ML-KEM <xref target="KyberSide"/> and one attack on Saber <x
ref target="SaberSide"/>. An evolving threat landscape points to the fact that l ref target="SaberSide"/>. An evolving threat landscape points to the fact that l
attice based cryptography is indeed more vulnerable to side-channel attacks as i attice-based cryptography is indeed more vulnerable to side-channel attacks as i
n <xref target="SideCh"/>, <xref target="LatticeSide"/>. Consequently, there wer n <xref target="SideCh"/> and <xref target="LatticeSide"/>. Consequently, some m
e some mitigation techniques for side channel attacks that have been proposed as itigation techniques for side-channel attacks have been proposed; see <xref targ
in <xref target="Mitigate1"/>, <xref target="Mitigate2"/>, and <xref target="Mi et="Mitigate1"/>, <xref target="Mitigate2"/>, and <xref target="Mitigate3"/>.</t
tigate3"/>.</t> >
</section> </section>
<section anchor="cryptographic-agility"> <section anchor="cryptographic-agility">
<name>Cryptographic Agility</name> <name>Cryptographic Agility</name>
<t>Cryptographic agility is recommended for both traditional and quantum cryptanalysis as it enables organizations to adapt to emerging threats, adopt s tronger algorithms, comply with standards, and plan for long-term security in th e face of evolving cryptanalytic techniques and the advent of CRQCs.</t> <t>Cryptographic agility is recommended for both traditional and quantum cryptanalysis as it enables organizations to adapt to emerging threats, adopt s tronger algorithms, comply with standards, and plan for long-term security in th e face of evolving cryptanalytic techniques and the advent of CRQCs.</t>
<t>Several PQC schemes are available that need to be tested; cryptograph <t>Several PQC schemes are available that need to be tested; cryptograph
y experts around the world are pushing for the best possible solutions, and the y experts around the world are pushing for the best possible solutions, and the
first standards that will ease the introduction of PQC are being prepared. It is first standards that will ease the introduction of PQC are being prepared. This
of paramount importance and a call for imminent action for organizations, bodie is of paramount importance and is a call for imminent action for organizations,
s, and enterprises to start evaluating their cryptographic agility, assess the c bodies, and enterprises to start evaluating their cryptographic agility, assess
omplexity of implementing PQC into their products, processes, and systems, and d the complexity of implementing PQC into their products, processes, and systems,
evelop a migration plan that achieves their security goals to the best possible and develop a migration plan that achieves their security goals to the best poss
extent.</t> ible extent.</t>
<t>An important and often overlooked step in achieving cryptographic agi <t>An important and often overlooked step in achieving cryptographic agi
lity is maintaining a cryptographic inventory. Modern software stacks incorporat lity is maintaining a cryptographic inventory. Modern software stacks incorporat
e cryptography in numerous places, making it challenging to identify all instanc e cryptography in numerous places, making it challenging to identify all instanc
es. Therefore, cryptographic agility and inventory management take two major for es. Therefore, cryptographic agility and inventory management take two major for
ms: First, application developers responsible for software maintenance should ac ms. First, application developers responsible for software maintenance should ac
tively search for instances of hard-coded cryptographic algorithms within applic tively search for instances of hard-coded cryptographic algorithms within applic
ations. When possible, they should design the choice of algorithm to be dynamic, ations. When possible, they should design the choice of algorithm to be dynamic,
based on application configuration. Second, administrators, policy officers, an based on application configuration. Second, administrators, policy officers, an
d compliance teams should take note of any instances where an application expose d compliance teams should take note of any instances where an application expose
s cryptographic configurations. These instances should be managed either through s cryptographic configurations. These instances should be managed through either
organization-wide written cryptographic policies or automated cryptographic pol organization-wide written cryptographic policies or automated cryptographic pol
icy systems.</t> icy systems.</t>
<t>Numerous commercial solutions are available for both detecting hard-c <t>Numerous commercial solutions are available for detecting hard-coded
oded cryptographic algorithms in source code and compiled binaries, as well as p cryptographic algorithms in source code and compiled binaries, as well as provid
roviding cryptographic policy management control planes for enterprise and produ ing cryptographic policy management control planes for enterprise and production
ction environments.</t> environments.</t>
</section> </section>
<section anchor="jurisdictional-fragmentation"> <section anchor="jurisdictional-fragmentation">
<name>Jurisdictional Fragmentation</name> <name>Jurisdictional Fragmentation</name>
<t>Another potential application of hybrids bears mentioning, even thoug h it is not directly PQC-related. That is using hybrids to navigate inter-jurisd ictional cryptographic connections. Traditional cryptography is already fragment ed by jurisdiction: consider that while most jurisdictions support Elliptic Curv e Diffie-Hellman, those in the United States will prefer the NIST curves while t hose in Germany will prefer the Brainpool curves. China, Russia, and other juris dictions have their own national cryptography standards. This situation of fragm ented global cryptography standards is unlikely to improve with PQC. If "and" mo de hybrids become standardized for the reasons mentioned above, then one could i magine leveraging them to create "ciphersuites" in which a single cryptographic operation simultaneously satisfies the cryptographic requirements of both endpoi nts.</t> <t>Another potential application of hybrid schemes bears mentioning, eve n though it is not directly related to PQC: using hybrids to navigate inter-juri sdictional cryptographic connections. Traditional cryptography is already fragme nted by jurisdiction. Consider that while most jurisdictions support ECDH, those in the United States will prefer the NIST curves while those in Germany will pr efer the Brainpool curves. China, Russia, and other jurisdictions have their own national cryptography standards. This situation of fragmented global cryptograp hy standards is unlikely to improve with PQC. If "and" mode hybrid schemes becom e standardized for the reasons mentioned above, then one could imagine leveragin g them to create ciphersuites in which a single cryptographic operation simultan eously satisfies the cryptographic requirements of both endpoints.</t>
</section> </section>
<section anchor="hybrid-key-exchange-and-signatures-bridging-the-gap-betwe <section anchor="hybrid-key-exchange-and-signatures-bridging-the-gap-betwe
en-post-quantum-and-traditional-cryptography"> en-pqt-cryptography">
<name>Hybrid Key Exchange and Signatures: Bridging the Gap Between Post- <name>Hybrid Key Exchange and Signatures: Bridging the Gap Between PQ/T
Quantum and Traditional Cryptography</name> Cryptography</name>
<t>Post-quantum algorithms selected for standardization are relatively n <t>Post-quantum algorithms selected for standardization are relatively n
ew and they have not been subject to the same depth of study as traditional algo ew and have not been subject to the same depth of study as traditional algorithm
rithms. PQC implementations will also be new and therefore more likely to contai s. PQC implementations will also be new and therefore more likely to contain imp
n implementation bugs than the battle-tested crypto implementations that are rel lementation bugs than the battle-tested crypto implementations that are relied o
ied on today. In addition, certain deployments may need to retain traditional al n today. In addition, certain deployments may need to retain traditional algorit
gorithms due to regulatory constraints, for example FIPS <xref target="SP-800-56 hms due to regulatory constraints, e.g., FIPS <xref target="SP-800-56C"/> or Pay
C"/> or PCI compliance <xref target="PCI"/>. Hybrid key exchange is recommended ment Card Industry (PCI) compliance <xref target="PCI"/>. Hybrid key exchange is
to enhance security against the "harvest now, decrypt later" attack. Additionall recommended to enhance security against the HNDL attack. Additionally, hybrid s
y, hybrid signatures provide for time to react in the case of the announcement o ignatures provide for time to react in the case of the announcement of a devasta
f a devastating attack against any one algorithm, while not fully abandoning tra ting attack against any one algorithm, while not fully abandoning traditional cr
ditional cryptosystems.</t> yptosystems.</t>
<t>Hybrid key exchange performs both a classical and a post-quantum key exchange in parallel. It provides security redundancy against potential weakness es in PQC algorithms, allows for a gradual transition of trust in PQC algorithms , and, in backward-compatible designs, enables gradual adoption without breaking compatibility with existing systems. For instance, in TLS 1.3, a hybrid key exc hange can combine a widely supported classical algorithm, such as X25519, with a post-quantum algorithm like ML-KEM. This allows legacy clients to continue usin g the classical algorithm while enabling upgraded clients to proceed with hybrid key exchange. In contrast, overhead-spreading hybrid designs focus on reducing the PQ overhead. For example, approaches like those described in <xref target="I -D.hale-mls-combiner"/> amortize PQ costs by selectively applying PQ updates in key exchange processes, allowing systems to balance security and efficiency. Thi s strategy ensures a post-quantum secure channel while keeping the overhead mana geable, making it particularly suitable for constrained environments.</t> <t>Hybrid key exchange performs both a classical and a post-quantum key exchange in parallel. It provides security redundancy against potential weakness es in PQC algorithms, allows for a gradual transition of trust in PQC algorithms , and, in backward-compatible designs, enables gradual adoption without breaking compatibility with existing systems. For instance, in TLS 1.3, a hybrid key exc hange can combine a widely supported classical algorithm, such as X25519, with a post-quantum algorithm like ML-KEM. This allows legacy clients to continue usin g the classical algorithm while enabling upgraded clients to proceed with hybrid key exchange. In contrast, overhead-spreading hybrid designs focus on reducing the PQ overhead. For example, approaches like those described in <xref target="I -D.hale-mls-combiner"/> amortize PQ costs by selectively applying PQ updates in key exchange processes, allowing systems to balance security and efficiency. Thi s strategy ensures a post-quantum secure channel while keeping the overhead mana geable, making it particularly suitable for constrained environments.</t>
<t>While some hybrid key exchange options introduce additional computati onal and bandwidth overhead, the impact of traditional key exchange algorithms ( e.g., key size) is typically small, helping to keep the overall increase in reso urce usage manageable for most systems. In highly constrained environments, howe ver, those hybrid key exchange protocols may be impractical due to their higher resource requirements compared to pure post-quantum or traditional key exchange approaches. However, some hybrid key exchange designs distribute the PQC overhea d, making them more suitable for constrained environments. The choice of hybrid key exchange design depends on the specific system requirements and use case, so the appropriate approach may vary.</t> <t>While some hybrid key exchange options introduce additional computati onal and bandwidth overhead, the impact of traditional key exchange algorithms ( e.g., key size) is typically small, helping to keep the overall increase in reso urce usage manageable for most systems. In highly constrained environments, howe ver, those hybrid key exchange protocols may be impractical due to their higher resource requirements compared to pure post-quantum or traditional key exchange approaches. However, some hybrid key exchange designs distribute the PQC overhea d, making them more suitable for constrained environments. The choice of hybrid key exchange design depends on the specific system requirements and use case, so the appropriate approach may vary.</t>
</section> </section>
<section anchor="caution-ciphertext-commitment-in-kem-vs-dh"> <section anchor="caution-ciphertext-commitment-in-kem-vs-dh">
<name>Caution: Ciphertext commitment in KEM vs. DH</name> <name>Caution: Ciphertext Commitment in KEM vs. DH</name>
<t>The ciphertext generated by a KEM is not necessarily directly linked to the shared secret it produces. KEMs allow for multiple ciphertexts to encapsu late the same shared secret, which enables flexibility in key management without enforcing a strict one-to-one correspondence between ciphertexts and shared sec rets. This allows for secret reuse across different recipients, sessions, or ope rational contexts without the need for new secrets for each use, simplifying key distribution and reducing computational overhead. In contrast, cryptographic sc hemes like Diffie-Hellman inherently link the public key to the derived shared s ecret, meaning any change in the public key results in a different shared secret .</t> <t>The ciphertext generated by a KEM is not necessarily directly linked to the shared secret it produces. KEMs allow for multiple ciphertexts to encapsu late the same shared secret, which enables flexibility in key management without enforcing a strict one-to-one correspondence between ciphertexts and shared sec rets. This allows for secret reuse across different recipients, sessions, or ope rational contexts without the need for new secrets for each use, simplifying key distribution and reducing computational overhead. In contrast, cryptographic sc hemes like Diffie-Hellman inherently link the public key to the derived shared s ecret, meaning any change in the public key results in a different shared secret .</t>
</section> </section>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document has no IANA considerations.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section anchor="further-reading-resources"> <section anchor="further-reading-and-resources">
<name>Further Reading &amp; Resources</name> <name>Further Reading and Resources</name>
<t>A good book on modern cryptography is Serious Cryptography, 2nd Edition <t>A good book on modern cryptography is "Serious Cryptography, 2nd Editio
, by Jean-Philippe Aumasson, ISBN 9781718503847.</t> n" by Jean-Philippe Aumasson <xref target="Serious-Crypt"/>.</t>
<t>The Open Quantum Safe (OQS) Project <xref target="OQS"/> is an open-sou rce project that aims to support the transition to quantum-resistant cryptograph y.</t> <t>The Open Quantum Safe (OQS) Project <xref target="OQS"/> is an open-sou rce project that aims to support the transition to quantum-resistant cryptograph y.</t>
<t>The IETF's PQUIP Working Group <xref target="PQUIP-WG"/> maintains a li st of PQC-related protocol work within the IETF.</t> <t>The IETF's PQUIP Working Group <xref target="PQUIP-WG"/> maintains a li st of PQC-related protocol work within the IETF.</t>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.bonnell-lamps-chameleon-certs" to="ENC-PAIR-CE
RTS"/>
<displayreference target="I-D.connolly-cfrg-xwing-kem" to="X-WING"/>
<displayreference target="I-D.hale-mls-combiner" to="PQ-MLS"/>
<displayreference target="I-D.ietf-hpke-pq" to="PQ-HPKE"/>
<displayreference target="I-D.ietf-lamps-pq-composite-sigs" to="ML-DSA-X.509
"/>
<displayreference target="I-D.ietf-pquip-hybrid-signature-spectrums" to="HYB
RID-SIG-SPECT"/>
<displayreference target="I-D.ietf-pquip-pqc-hsm-constrained" to="CONSTRAIN-
DEV-PCQ"/>
<displayreference target="I-D.ietf-tls-hybrid-design" to="TLS-HYB-KEY-EXCH"/
>
<displayreference target="I-D.irtf-cfrg-bbs-signatures" to="BBS-SIG-SCHEME"/
>
<displayreference target="I-D.irtf-cfrg-hybrid-kems" to="PQ-KEM"/>
<displayreference target="I-D.ounsworth-cfrg-kem-combiners" to="KEM-COMBINER
"/>
<references anchor="sec-combined-references"> <references anchor="sec-combined-references">
<name>References</name> <name>References</name>
<references anchor="sec-normative-references"> <references anchor="sec-normative-references">
<name>Normative References</name> <name>Normative References</name>
<reference anchor="ML-KEM" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.203.pdf"> <reference anchor="ML-KEM" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.203.pdf">
<front> <front>
<title>FIPS-203: Module-Lattice-based Key-Encapsulation Mechanism St andard</title> <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</ti tle>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date year="2024" month="August"/>
</front> </front>
<seriesInfo name="NIST FIPS" value="203"/>
<seriesInfo name="DOI" value="10.6028/nist.fips.203"/>
</reference> </reference>
<reference anchor="ML-DSA" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.204.pdf"> <reference anchor="ML-DSA" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.204.pdf">
<front> <front>
<title>FIPS-204: Module-Lattice-Based Digital Signature Standard</ti tle> <title>Module-Lattice-Based Digital Signature Standard</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date year="2024" month="August"/>
</front> </front>
<seriesInfo name="NIST FIPS" value="204"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.204"/>
</reference> </reference>
<reference anchor="SLH-DSA" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.205.pdf"> <reference anchor="SLH-DSA" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.205.pdf">
<front> <front>
<title>FIPS-205: Stateless Hash-Based Digital Signature Standard</ti tle> <title>Stateless Hash-Based Digital Signature Standard</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date year="2024" month="August"/>
</front> </front>
<seriesInfo name="NIST FIPS" value="205"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.205"/>
</reference> </reference>
<reference anchor="Shors" target="https://arxiv.org/pdf/quant-ph/9508027 "> <reference anchor="Shors" target="https://arxiv.org/pdf/quant-ph/9508027 ">
<front> <front>
<title>Polynomial-time algorithms for prime factorization and discre <title>Polynomial-Time Algorithms for Prime Factorization and Discre
te logarithms on a quantum computer</title> te Logarithms on a Quantum Computer</title>
<author> <author initials="P." surname="Shor" fullname="Peter W. Shor">
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date year="1996" month="January" day="25"/>
</front> </front>
<refcontent>arXiv:quant-ph/9508027v2</refcontent>
</reference> </reference>
<reference anchor="Grovers" target="https://dl.acm.org/doi/10.1145/23781 4.237866"> <reference anchor="Grovers" target="https://dl.acm.org/doi/10.1145/23781 4.237866">
<front> <front>
<title>A fast quantum mechanical algorithm for database search</titl e> <title>A fast quantum mechanical algorithm for database search</titl e>
<author> <author fullname="Lok K. Grover">
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date year="1996" month="July" day="01"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/237814.237866"/>
<refcontent>STOC '96: Proceedings of the twenty-eighth annual ACM symp
osium on Theory of Computing, pp. 212-219</refcontent>
</reference> </reference>
<reference anchor="RSA" target="https://dl.acm.org/doi/pdf/10.1145/35934 0.359342"> <reference anchor="RSA" target="https://dl.acm.org/doi/pdf/10.1145/35934 0.359342">
<front> <front>
<title>A Method for Obtaining Digital Signatures and Public-Key Cryp <title>A Method for Obtaining Digital Signatures and Public-Key Cryp
tosystems+</title> tosystems</title>
<author> <author fullname="Ronald L. Rivest">
<organization/> <organization/>
</author> </author>
<date/> <author initials="A." surname="Shamir">
</front> <organization/>
</reference> </author>
<reference anchor="RFC6090"> <author initials="L." surname="Adleman">
<front> <organization/>
<title>Fundamental Elliptic Curve Cryptography Algorithms</title> </author>
<author fullname="D. McGrew" initials="D." surname="McGrew"/> <date year="1978" month="February"/>
<author fullname="K. Igoe" initials="K." surname="Igoe"/>
<author fullname="M. Salter" initials="M." surname="Salter"/>
<date month="February" year="2011"/>
<abstract>
<t>This note describes the fundamental algorithms of Elliptic Curv
e Cryptography (ECC) as they were defined in some seminal references from 1994 a
nd earlier. These descriptions may be useful for implementing the fundamental al
gorithms without using any of the specialized methods that were developed in fol
lowing years. Only elliptic curves defined over fields of characteristic greater
than three are in scope; these curves are those used in Suite B. This document
is not an Internet Standards Track specification; it is published for informatio
nal purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6090"/>
<seriesInfo name="DOI" value="10.17487/RFC6090"/>
</reference>
<reference anchor="RFC8391">
<front>
<title>XMSS: eXtended Merkle Signature Scheme</title>
<author fullname="A. Huelsing" initials="A." surname="Huelsing"/>
<author fullname="D. Butin" initials="D." surname="Butin"/>
<author fullname="S. Gazdag" initials="S." surname="Gazdag"/>
<author fullname="J. Rijneveld" initials="J." surname="Rijneveld"/>
<author fullname="A. Mohaisen" initials="A." surname="Mohaisen"/>
<date month="May" year="2018"/>
<abstract>
<t>This note describes the eXtended Merkle Signature Scheme (XMSS)
, a hash-based digital signature system that is based on existing descriptions i
n scientific literature. This note specifies Winternitz One-Time Signature Plus
(WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a
multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building
block. XMSS provides cryptographic digital signatures without relying on the con
jectured hardness of mathematical problems. Instead, it is proven that it only r
elies on the properties of cryptographic hash functions. XMSS provides strong se
curity guarantees and is even secure when the collision resistance of the underl
ying hash function is broken. It is suitable for compact implementations, is rel
atively simple to implement, and naturally resists side-channel attacks. Unlike
most other signature systems, hash-based signatures can so far withstand known a
ttacks using quantum computers.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8391"/>
<seriesInfo name="DOI" value="10.17487/RFC8391"/>
</reference>
<reference anchor="RFC8554">
<front>
<title>Leighton-Micali Hash-Based Signatures</title>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<author fullname="M. Curcio" initials="M." surname="Curcio"/>
<author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
<date month="April" year="2019"/>
<abstract>
<t>This note describes a digital-signature system based on cryptog
raphic hash functions, following the seminal work in this area of Lamport, Diffi
e, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifi
es a one-time signature scheme and a general signature scheme. These systems pro
vide asymmetric authentication without using large integer mathematics and can a
chieve a high security level. They are suitable for compact implementations, are
relatively simple to implement, and are naturally resistant to side-channel att
acks. Unlike many other signature systems, hash-based signatures would still be
secure even if it proves feasible for an attacker to build a quantum computer.</
t>
<t>This document is a product of the Crypto Forum Research Group (
CFRG) in the IRTF. This has been reviewed by many researchers, both in the resea
rch group and outside of it. The Acknowledgements section lists many of them.</t
>
</abstract>
</front>
<seriesInfo name="RFC" value="8554"/>
<seriesInfo name="DOI" value="10.17487/RFC8554"/>
</reference>
<reference anchor="RFC8446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over t
he Internet in a way that is designed to prevent eavesdropping, tampering, and m
essage forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im
plementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC4034">
<front>
<title>Resource Records for the DNS Security Extensions</title>
<author fullname="R. Arends" initials="R." surname="Arends"/>
<author fullname="R. Austein" initials="R." surname="Austein"/>
<author fullname="M. Larson" initials="M." surname="Larson"/>
<author fullname="D. Massey" initials="D." surname="Massey"/>
<author fullname="S. Rose" initials="S." surname="Rose"/>
<date month="March" year="2005"/>
<abstract>
<t>This document is part of a family of documents that describe th
e DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection
of resource records and protocol modifications that provide source authenticati
on for the DNS. This document defines the public key (DNSKEY), delegation signer
(DS), resource record digital signature (RRSIG), and authenticated denial of ex
istence (NSEC) resource records. The purpose and format of each resource record
is described in detail, and an example of each resource record is given.</t>
<t>This document obsoletes RFC 2535 and incorporates changes from
all updates to RFC 2535. [STANDARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="4034"/> <seriesInfo name="DOI" value="10.1145/359340.359342"/>
<seriesInfo name="DOI" value="10.17487/RFC4034"/> <refcontent>Communications of the ACM, vol. 21, no. 2, pp. 120-126</re
fcontent>
</reference> </reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
090.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
391.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
554.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
446.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
034.xml"/>
<reference anchor="NTRU" target="https://ntru.org/index.shtml"> <reference anchor="NTRU" target="https://ntru.org/index.shtml">
<front> <front>
<title>NTRU</title> <title>NTRU</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date/>
</front> </front>
</reference> </reference>
<reference anchor="FrodoKEM" target="https://frodokem.org/"> <reference anchor="FrodoKEM" target="https://frodokem.org/">
<front> <front>
<title>FrodoKEM</title> <title>FrodoKEM</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date/>
</front> </front>
</reference> </reference>
<reference anchor="ClassicMcEliece" target="https://classic.mceliece.org /"> <reference anchor="ClassicMcEliece" target="https://classic.mceliece.org /">
<front> <front>
<title>Classic McEliece</title> <title>Classic McEliece</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date/>
</front> </front>
</reference> </reference>
<reference anchor="FN-DSA" target="https://falcon-sign.info/"> <reference anchor="FN-DSA" target="https://falcon-sign.info/">
<front> <front>
<title>Fast Fourier lattice-based compact signatures over NTRU</titl e> <title>FALCON: Fast Fourier lattice-based compact signatures over NT RU</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="RFC8235"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<front> 235.xml"/>
<title>Schnorr Non-interactive Zero-Knowledge Proof</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<author fullname="F. Hao" initials="F." role="editor" surname="Hao"/ 180.xml"/>
> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<date month="September" year="2017"/> 881.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<t>This document describes the Schnorr non-interactive zero-knowle 242.xml"/>
dge (NIZK) proof, a non-interactive variant of the three-pass Schnorr identifica <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
tion scheme. The Schnorr NIZK proof allows one to prove the knowledge of a discr 370.xml"/>
ete logarithm without leaking any information about its value. It can serve as a </references>
useful building block for many cryptographic protocols to ensure that participa <references anchor="sec-informative-references">
nts follow the protocol specification honestly. This document specifies the Schn <name>Informative References</name>
orr NIZK proof in both the finite field and the elliptic curve settings.</t> <reference anchor="Serious-Crypt">
</abstract>
</front>
<seriesInfo name="RFC" value="8235"/>
<seriesInfo name="DOI" value="10.17487/RFC8235"/>
</reference>
<reference anchor="RFC9180">
<front>
<title>Hybrid Public Key Encryption</title>
<author fullname="R. Barnes" initials="R." surname="Barnes"/>
<author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
<author fullname="B. Lipp" initials="B." surname="Lipp"/>
<author fullname="C. Wood" initials="C." surname="Wood"/>
<date month="February" year="2022"/>
<abstract>
<t>This document describes a scheme for hybrid public key encrypti
on (HPKE). This scheme provides a variant of public key encryption of arbitrary-
sized plaintexts for a recipient public key. It also includes three authenticate
d variants, including one that authenticates possession of a pre-shared key and
two optional ones that authenticate possession of a key encapsulation mechanism
(KEM) private key. HPKE works for any combination of an asymmetric KEM, key deri
vation function (KDF), and authenticated encryption with additional data (AEAD)
encryption function. Some authenticated variants may not be supported by all KEM
s. We provide instantiations of the scheme using widely used and efficient primi
tives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based ke
y derivation function (HKDF), and SHA2.</t>
<t>This document is a product of the Crypto Forum Research Group (
CFRG) in the IRTF.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9180"/>
<seriesInfo name="DOI" value="10.17487/RFC9180"/>
</reference>
<reference anchor="I-D.ietf-lamps-dilithium-certificates">
<front> <front>
<title>Internet X.509 Public Key Infrastructure - Algorithm Identifi <title>Serious Cryptography, 2nd Edition</title>
ers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title> <author fullname="Jean-Philippe Aumasson">
<author fullname="Jake Massimo" initials="J." surname="Massimo"> <organization/>
<organization>AWS</organization>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki
s">
<organization>AWS</organization>
</author>
<author fullname="Sean Turner" initials="S." surname="Turner">
<organization>sn3rd</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author> </author>
<date day="26" month="June" year="2025"/> <date year="2024" month="August"/>
<abstract>
<t> Digital signatures are used within X.509 certificates, Certi
ficate
Revocation Lists (CRLs), and to sign messages. This document
specifies the conventions for using FIPS 204, the Module-Lattice-
Based Digital Signature Algorithm (ML-DSA) in Internet X.509
certificates and certificate revocation lists. The conventions for
the associated signatures, subject public keys, and private key are
also described.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-ce
rtificates-12"/>
</reference>
<reference anchor="RFC9242">
<front>
<title>Intermediate Exchange in the Internet Key Exchange Protocol V
ersion 2 (IKEv2)</title>
<author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
<date month="May" year="2022"/>
<abstract>
<t>This document defines a new exchange, called "Intermediate Exch
ange", for the Internet Key Exchange Protocol Version 2 (IKEv2). This exchange c
an be used for transferring large amounts of data in the process of IKEv2 Securi
ty Association (SA) establishment. An example of the need to do this is using ke
y exchange methods resistant to Quantum Computers (QCs) for IKE SA establishment
. The Intermediate Exchange makes it possible to use the existing IKE fragmentat
ion mechanism (which cannot be used in the initial IKEv2 exchange), helping to a
void IP fragmentation of large IKE messages if they need to be sent before IKEv2
SA is established.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9242"/>
<seriesInfo name="DOI" value="10.17487/RFC9242"/>
</reference>
<reference anchor="RFC9370">
<front>
<title>Multiple Key Exchanges in the Internet Key Exchange Protocol
Version 2 (IKEv2)</title>
<author fullname="CJ. Tjhai" initials="CJ." surname="Tjhai"/>
<author fullname="M. Tomlinson" initials="M." surname="Tomlinson"/>
<author fullname="G. Bartlett" initials="G." surname="Bartlett"/>
<author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
<author fullname="D. Van Geest" initials="D." surname="Van Geest"/>
<author fullname="O. Garcia-Morchon" initials="O." surname="Garcia-M
orchon"/>
<author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
<date month="May" year="2023"/>
<abstract>
<t>This document describes how to extend the Internet Key Exchange
Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while
computing a shared secret during a Security Association (SA) setup.</t>
<t>This document utilizes the IKE_INTERMEDIATE exchange, where mul
tiple key exchanges are performed when an IKE SA is being established. It also i
ntroduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purp
ose when the IKE SA is being rekeyed or is creating additional Child SAs.</t>
<t>This document updates RFC 7296 by renaming a Transform Type 4 f
rom "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a fi
eld in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange
Method". It also renames an IANA registry for this Transform Type from "Transfo
rm Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exch
ange Method Transform IDs". These changes generalize key exchange algorithms tha
t can be used in IKEv2.</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="9370"/> <refcontent>ISBN 9781718503847</refcontent>
<seriesInfo name="DOI" value="10.17487/RFC9370"/>
</reference> </reference>
</references> <reference anchor="Grover-Search" target="https://link.aps.org/doi/10.11
<references anchor="sec-informative-references"> 03/PhysRevA.60.2746">
<name>Informative References</name>
<reference anchor="Grover-search">
<front> <front>
<title>C. Zalka, “Grover’s quantum searching algorithm is optimal,” <title>Grover's quantum searching algorithm is optimal</title>
Physical Review A, vol. 60, pp. 2746-2751, 1999.</title> <author fullname="Christof Zalka">
<author>
<organization/> <organization/>
</author> </author>
<date/> <date year="1999" month="October"/>
</front> </front>
<seriesInfo name="DOI" value="10.1103/PhysRevA.60.2746"/>
<refcontent>Physical Review A, vol. 60, no. 4, pp. 2746-2751</refconte
nt>
</reference> </reference>
<reference anchor="Threat-Report" target="https://globalriskinstitute.or g/publications/quantum-threat-timeline-report-2020/"> <reference anchor="Threat-Report" target="https://globalriskinstitute.or g/publications/quantum-threat-timeline-report-2020/">
<front> <front>
<title>Quantum Threat Timeline Report 2020</title> <title>Quantum Threat Timeline Report 2020</title>
<author> <author fullname="Michele Mosca">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Marco Piani">
<organization/>
</author>
<date year="2021" month="January" day="27"/>
</front> </front>
<refcontent>Global Risk Institute</refcontent>
</reference> </reference>
<reference anchor="QC-DNS" target="https://www.icann.org/octo-031-en.pdf "> <reference anchor="QC-DNS" target="https://www.icann.org/octo-031-en.pdf ">
<front> <front>
<title>Quantum Computing and the DNS</title> <title>Quantum Computing and the DNS</title>
<author> <author fullname="Paul Hoffman">
<organization/> <organization/>
</author> </author>
<date/> <date year="2024" month="April" day="22"/>
</front> </front>
<refcontent>ICANN Office of the Chief Technology Officer, OCTO-031v2</ refcontent>
</reference> </reference>
<reference anchor="NIST" target="https://csrc.nist.gov/projects/post-qua ntum-cryptography/post-quantum-cryptography-standardization"> <reference anchor="NIST" target="https://csrc.nist.gov/projects/post-qua ntum-cryptography/post-quantum-cryptography-standardization">
<front> <front>
<title>Post-Quantum Cryptography Standardization</title> <title>Post-Quantum Cryptography Standardization</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="Cloudflare" target="https://blog.cloudflare.com/nist- post-quantum-surprise/"> <reference anchor="Cloudflare" target="https://blog.cloudflare.com/nist- post-quantum-surprise/">
<front> <front>
<title>NIST’s pleasant post-quantum surprise</title> <title>NIST's pleasant post-quantum surprise</title>
<author> <author fullname="Bas Westerbaan">
<organization/> <organization/>
</author> </author>
<date/> <date year="2022" month="July" day="08"/>
</front> </front>
<refcontent>Cloudflare Blog</refcontent>
</reference> </reference>
<reference anchor="CS01" target="https://eprint.iacr.org/2001/108"> <reference anchor="CS01" target="https://eprint.iacr.org/2001/108">
<front> <front>
<title>Design and Analysis of Practical Public-Key Encryption Scheme s Secure against Adaptive Chosen Ciphertext Attack</title> <title>Design and Analysis of Practical Public-Key Encryption Scheme s Secure against Adaptive Chosen Ciphertext Attack</title>
<author> <author fullname="Ronald Cramer">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Victor Shoup">
<organization/>
</author>
<date year="2001"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2001/108</refcontent>
</reference> </reference>
<reference anchor="BHK09" target="https://eprint.iacr.org/2009/418"> <reference anchor="BHK09" target="https://eprint.iacr.org/2009/418">
<front> <front>
<title>Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?</title> <title>Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?</title>
<author> <author fullname="Mihir Bellare">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Dennis Hofheinz">
<organization/>
</author>
<author fullname="Eike Kiltz">
<organization/>
</author>
<date year="2009"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2009/418</refcontent>
</reference> </reference>
<reference anchor="GMR88" target="https://people.csail.mit.edu/silvio/Se lected%20Scientific%20Papers/Digital%20Signatures/A_Digital_Signature_Scheme_Sec ure_Against_Adaptive_Chosen-Message_Attack.pdf"> <reference anchor="GMR88" target="https://people.csail.mit.edu/silvio/Se lected%20Scientific%20Papers/Digital%20Signatures/A_Digital_Signature_Scheme_Sec ure_Against_Adaptive_Chosen-Message_Attack.pdf">
<front> <front>
<title>A digital signature scheme secure against adaptive chosen-mes <title>A digital signature scheme secure against adaptive chosen-mes
sage attacks.</title> sage attacks</title>
<author> <author fullname="Shafi Goldwasser">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Silvio Micali">
<organization/>
</author>
<author fullname="Ronald L. Rivest">
<organization/>
</author>
<date year="1988" month="April"/>
</front> </front>
<seriesInfo name="DOI" value="10.1137/0217017"/>
<refcontent>SIAM Journal on Computing, vol. 17, no. 2, pp. 281-308</re
fcontent>
</reference> </reference>
<reference anchor="PQCAPI" target="https://csrc.nist.gov/CSRC/media/Proj ects/Post-Quantum-Cryptography/documents/example-files/api-notes.pdf"> <reference anchor="PQCAPI" target="https://csrc.nist.gov/CSRC/media/Proj ects/Post-Quantum-Cryptography/documents/example-files/api-notes.pdf">
<front> <front>
<title>PQC - API notes</title> <title>PQC - API notes</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="RSA8HRS" target="https://arxiv.org/abs/1905.09749"> <reference anchor="RSA8HRS" target="https://arxiv.org/abs/1905.09749">
<front> <front>
<title>How to factor 2048 bit RSA integers in 8 hours using 20 milli on noisy qubits</title> <title>How to factor 2048 bit RSA integers in 8 hours using 20 milli on noisy qubits</title>
<author> <author fullname="Craig Gidney">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Martin Ekera">
<organization/>
</author>
<date year="2021" month="April" day="13"/>
</front> </front>
<refcontent>arXiv:1905.09749v3</refcontent>
</reference> </reference>
<reference anchor="RSA10SC" target="https://www.quintessencelabs.com/blo g/breaking-rsa-encryption-update-state-art"> <reference anchor="RSA10SC" target="https://www.quintessencelabs.com/blo g/breaking-rsa-encryption-update-state-art">
<front> <front>
<title>Breaking RSA Encryption - an Update on the State-of-the-Art</ title> <title>Breaking RSA Encryption - an Update on the State-of-the-Art</ title>
<author> <author>
<organization/> <organization>QuintessenceLabs</organization>
</author> </author>
<date/> <date year="2019" month="June" day="13"/>
</front> </front>
</reference> </reference>
<reference anchor="RSAShor" target="https://arxiv.org/pdf/quant-ph/02050 95.pdf"> <reference anchor="RSAShor" target="https://arxiv.org/pdf/quant-ph/02050 95.pdf">
<front> <front>
<title>Circuit for Shor’s algorithm using 2n+3 qubits</title> <title>Circuit for Shor's algorithm using 2n+3 qubits</title>
<author> <author fullname="Stephane Beauregard">
<organization/> <organization/>
</author> </author>
<date/> <date year="2003" month="February" day="21"/>
</front> </front>
<refcontent>arXiv:quant-ph/0205095v3</refcontent>
</reference> </reference>
<reference anchor="LIBOQS" target="https://github.com/open-quantum-safe/ liboqs"> <reference anchor="LIBOQS" target="https://github.com/open-quantum-safe/ liboqs">
<front> <front>
<title>LibOQS - Open Quantum Safe</title> <title>LibOQS - Open Quantum Safe</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date/> <date year="2025" month="November"/>
</front> </front>
<refcontent>commit 97f6b86</refcontent>
</reference> </reference>
<reference anchor="KyberSide" target="https://eprint.iacr.org/2022/1452" > <reference anchor="KyberSide" target="https://eprint.iacr.org/2022/1452" >
<front> <front>
<title>A Side-Channel Attack on a Hardware Implementation of CRYSTAL S-Kyber</title> <title>A Side-Channel Attack on a Hardware Implementation of CRYSTAL S-Kyber</title>
<author> <author fullname="Yanning Ji">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Ruize Wang">
<organization/>
</author>
<author fullname="Kalle Ngo">
<organization/>
</author>
<author fullname="Elena Dubrova">
<organization/>
</author>
<author fullname="Linus Backlund">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/1452</refcontent>
</reference> </reference>
<reference anchor="SaberSide" target="https://link.springer.com/article/ 10.1007/s13389-023-00315-3"> <reference anchor="SaberSide" target="https://link.springer.com/article/ 10.1007/s13389-023-00315-3">
<front> <front>
<title>A side-channel attack on a masked and shuffled software imple mentation of Saber</title> <title>A side-channel attack on a masked and shuffled software imple mentation of Saber</title>
<author> <author fullname="Kalle Ngo">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Elena Dubrova">
<organization/>
</author>
<author fullname="Thomas Johansson">
<organization/>
</author>
<date year="2023" month="April" day="25"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/s13389-023-00315-3"/>
<refcontent>Journal of Cryptographic Engineering, vol. 13, pp. 443-460
</refcontent>
</reference> </reference>
<reference anchor="SideCh" target="https://eprint.iacr.org/2022/919"> <reference anchor="SideCh" target="https://eprint.iacr.org/2022/919">
<front> <front>
<title>Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking</title> <title>Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking</title>
<author> <author fullname="Kalle Ngo">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Ruize Wang">
<organization/>
</author>
<author fullname="Elena Dubrova">
<organization/>
</author>
<author fullname="Nils Paulsrud">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/919</refcontent>
</reference> </reference>
<reference anchor="LatticeSide" target="https://eprint.iacr.org/2019/948 "> <reference anchor="LatticeSide" target="https://eprint.iacr.org/2019/948 ">
<front> <front>
<title>Generic Side-channel attacks on CCA-secure lattice-based PKE and KEM schemes</title> <title>Generic Side-channel attacks on CCA-secure lattice-based PKE and KEM schemes</title>
<author> <author fullname="Prasanna Ravi">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Sujoy Sinha Roy">
<organization/>
</author>
<author fullname="Anupam Chattopadhyay">
<organization/>
</author>
<author fullname="Shivam Bhasin">
<organization/>
</author>
<date year="2019"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2019/948</refcontent>
</reference> </reference>
<reference anchor="Mitigate1" target="https://eprint.iacr.org/2022/873"> <reference anchor="Mitigate1" target="https://eprint.iacr.org/2022/873">
<front> <front>
<title>POLKA: Towards Leakage-Resistant Post-Quantum CCA-Secure Publ ic Key Encryption</title> <title>POLKA: Towards Leakage-Resistant Post-Quantum CCA-Secure Publ ic Key Encryption</title>
<author> <author fullname="Clément Hoffmann">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Benoît Libert">
<organization/>
</author>
<author fullname="Charles Momin">
<organization/>
</author>
<author fullname="Thomas Peters">
<organization/>
</author>
<author fullname="François-Xavier Standaert">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/873</refcontent>
</reference> </reference>
<reference anchor="Mitigate2" target="https://ieeexplore.ieee.org/docume nt/9855226"> <reference anchor="Mitigate2" target="https://ieeexplore.ieee.org/docume nt/9855226">
<front> <front>
<title>Leakage-Resilient Certificate-Based Authenticated Key Exchang e Protocol</title> <title>Leakage-Resilient Certificate-Based Authenticated Key Exchang e Protocol</title>
<author> <author initials="T." surname="Tsai">
<organization/> <organization/>
</author> </author>
<date/> <author initials="S." surname="Huang">
<organization/>
</author>
<author initials="Y." surname="Tseng">
<organization/>
</author>
<author initials="Y." surname="Chuang">
<organization/>
</author>
<author initials="Y." surname="Hung">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<seriesInfo name="DOI" value="10.1109/OJCS.2022.3198073"/>
<refcontent>IEEE Open Journal of the Computer Society, vol. 3, pp. 137
-148</refcontent>
</reference> </reference>
<reference anchor="Mitigate3" target="https://eprint.iacr.org/2022/916"> <reference anchor="Mitigate3" target="https://eprint.iacr.org/2022/916">
<front> <front>
<title>Post-Quantum Authenticated Encryption against Chosen-Cipherte xt Side-Channel Attacks</title> <title>Post-Quantum Authenticated Encryption against Chosen-Cipherte xt Side-Channel Attacks</title>
<author> <author fullname="Melissa Azouaoui">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Yulia Kuzovkova">
<organization/>
</author>
<author fullname="Tobias Schneider">
<organization/>
</author>
<author fullname="Christine van Vredendaal">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/916</refcontent>
</reference> </reference>
<reference anchor="CNSA2-0" target="https://media.defense.gov/2025/May/3 0/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF"> <reference anchor="CNSA2-0" target="https://media.defense.gov/2025/May/3 0/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF">
<front> <front>
<title>Announcing the Commercial National Security Algorithm Suite 2 .0</title> <title>Announcing the Commercial National Security Algorithm Suite 2 .0</title>
<author> <author>
<organization/> <organization>NSA</organization>
</author> </author>
<date/> <date year="2022" month="September"/>
</front> </front>
</reference> </reference>
<reference anchor="LattFail1" target="https://link.springer.com/chapter/ 10.1007/978-3-030-17259-6_19#chapter-info"> <reference anchor="LattFail1" target="https://link.springer.com/chapter/ 10.1007/978-3-030-17259-6_19">
<front> <front>
<title>Decryption Failure Attacks on IND-CCA Secure Lattice-Based Sc hemes</title> <title>Decryption Failure Attacks on IND-CCA Secure Lattice-Based Sc hemes</title>
<author> <author fullname="Jan-Pieter D'Anvers">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Qian Guo">
<organization/>
</author>
<author fullname="Thomas Johansson">
<organization/>
</author>
<author fullname="Alexander Nilsson">
<organization/>
</author>
<author fullname="Frederik Vercauteren">
<organization/>
</author>
<author fullname="Ingrid Verbauwhede">
<organization/>
</author>
<date year="2019" month="April" day="06"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/978-3-030-17259-6_19"/>
<refcontent>Public-Key Cryptography - PKC 2019, Lecture Notes in Compu
ter Science, vol. 11443, pp. 565-598</refcontent>
</reference> </reference>
<reference anchor="LattFail2" target="https://link.springer.com/chapter/ 10.1007/978-3-030-45727-3_1"> <reference anchor="LattFail2" target="https://link.springer.com/chapter/ 10.1007/978-3-030-45727-3_1">
<front> <front>
<title>(One) Failure Is Not an Option: Bootstrapping the Search for <title>(One) Failure Is Not an Option: Bootstrapping the Search for
Failures in Lattice-Based Encryption Schemes.</title> Failures in Lattice-Based Encryption Schemes</title>
<author> <author fullname="Jan-Pieter D'Anvers">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Mélissa Rossi">
<organization/>
</author>
<author fullname="Fernando Virdia">
<organization/>
</author>
<date year="2020" month="May" day="01"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/978-3-030-45727-3_1"/>
<refcontent>Advances in Cryptology - EUROCRYPT 2020, Lecture Notes in
Computer Science, vol. 12107, pp. 3-33</refcontent>
</reference> </reference>
<reference anchor="BSI-PQC" target="https://www.bsi.bund.de/SharedDocs/D ownloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html?nn=916626"> <reference anchor="BSI-PQC" target="https://www.bsi.bund.de/SharedDocs/D ownloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html?nn=916626">
<front> <front>
<title>Quantum-safe cryptography fundamentals, current development s and recommendations</title> <title>Quantum-safe cryptography - fundamentals, current development s and recommendations</title>
<author> <author>
<organization/> <organization>BSI</organization>
</author> </author>
<date year="2022" month="May"/> <date year="2022" month="May" day="18"/>
</front> </front>
</reference> </reference>
<reference anchor="PQRSA" target="https://cr.yp.to/papers/pqrsa-20170419 .pdf"> <reference anchor="PQRSA" target="https://cr.yp.to/papers/pqrsa-20170419 .pdf">
<front> <front>
<title>Post-quantum RSA</title> <title>Post-quantum RSA</title>
<author> <author fullname="Daniel J. Bernstein">
<organization/> <organization/>
</author> </author>
<date year="2017" month="April"/> <author fullname="Nadia Heninger">
<organization/>
</author>
<author fullname="Paul Lou">
<organization/>
</author>
<author fullname="Luke Valenta">
<organization/>
</author>
<date year="2017" month="April" day="19"/>
</front> </front>
</reference> </reference>
<reference anchor="SP-800-56C" target="https://nvlpubs.nist.gov/nistpubs /SpecialPublications/NIST.SP.800-56Cr2.pdf"> <reference anchor="SP-800-56C" target="https://nvlpubs.nist.gov/nistpubs /SpecialPublications/NIST.SP.800-56Cr2.pdf">
<front> <front>
<title>Recommendation for Key-Derivation Methods in Key-Establishmen t Schemes</title> <title>Recommendation for Key-Derivation Methods in Key-Establishmen t Schemes</title>
<author> <author fullname="Elaine Barker">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Lily Chen">
<organization/>
</author>
<author fullname="Richard Davis">
<organization/>
</author>
<date year="2020" month="August"/>
</front> </front>
<seriesInfo name="NIST SP" value="800-56Cr2"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Cr2"/>
</reference> </reference>
<reference anchor="Lyu09" target="https://www.iacr.org/archive/asiacrypt 2009/59120596/59120596.pdf"> <reference anchor="Lyu09" target="https://www.iacr.org/archive/asiacrypt 2009/59120596/59120596.pdf">
<front> <front>
<title>V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to La <title>Fiat-Shamir With Aborts: Applications to Lattice and Factorin
ttice and Factoring-Based Signatures“, ASIACRYPT 2009</title> g-Based Signatures</title>
<author> <author fullname="Vadim Lyubashevsky">
<organization/> <organization/>
</author> </author>
<date/> <date/>
</front> </front>
<refcontent>ASIACRYPT 2009</refcontent>
</reference> </reference>
<reference anchor="SP-1800-38C" target="https://www.nccoe.nist.gov/sites /default/files/2023-12/pqc-migration-nist-sp-1800-38c-preliminary-draft.pdf"> <reference anchor="SP-1800-38C" target="https://www.nccoe.nist.gov/sites /default/files/2023-12/pqc-migration-nist-sp-1800-38c-preliminary-draft.pdf">
<front> <front>
<title>Migration to Post-Quantum Cryptography Quantum Readiness: Qua <title>Migration to Post-Quantum Cryptography Quantum Readiness: Tes
ntum-Resistant Cryptography Technology Interoperability and Performance Report</ ting Draft Standards, Volume C: Quantum-Resistant Cryptography Technology Intero
title> perability and Performance Report</title>
<author> <author fullname="William Newhouse">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Murugiah Souppaya">
</front>
</reference>
<reference anchor="KEEPINGUP" target="https://eprint.iacr.org/2023/1933"
>
<front>
<title>Keeping Up with the KEMs: Stronger Security Notions for KEMs
and automated analysis of KEM-based protocols</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="William Barke">
</front>
</reference>
<reference anchor="NISTFINAL" target="https://www.nist.gov/news-events/n
ews/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards">
<front>
<title>NIST Releases First 3 Finalized Post-Quantum Encryption Stand
ards</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Chris Brown">
</front>
</reference>
<reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/fi
les/document/follow_up_position_paper_on_post_quantum_cryptography.pdf">
<front>
<title>ANSSI views on the Post-Quantum Cryptography transition</titl
e>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Panos Kampanakis">
</front>
</reference>
<reference anchor="HQC" target="http://pqc-hqc.org/">
<front>
<title>HQC</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Jim Goodman">
</front>
</reference>
<reference anchor="BIKE" target="http://pqc-hqc.org/">
<front>
<title>BIKE</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Julien Prat">
</front>
</reference>
<reference anchor="PQUIP-WG" target="https://datatracker.ietf.org/group/
pquip/documents/">
<front>
<title>Post-Quantum Use In Protocols (pquip) Working Group</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Robin Larrieu">
</front>
</reference>
<reference anchor="OQS" target="https://openquantumsafe.org/">
<front>
<title>Open Quantum Safe Project</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="John Gray">
</front>
</reference>
<reference anchor="CRQCThreat" target="https://sam-jaques.appspot.com/qu
antum_landscape_2024">
<front>
<title>CRQCThreat</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Mike Ounsworth">
</front>
</reference>
<reference anchor="QuantSide" target="https://arxiv.org/pdf/2304.03315">
<front>
<title>QuantSide</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Cleandro Viana">
</front>
</reference>
<reference anchor="AddSig" target="https://csrc.nist.gov/Projects/pqc-di
g-sig/standardization">
<front>
<title>AddSig</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Hubert Le Van Gong">
</front>
</reference>
<reference anchor="BPQS" target="https://eprint.iacr.org/2018/658.pdf">
<front>
<title>BPQS</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Kris Kwiatkowsk">
</front>
</reference>
<reference anchor="PCI" target="https://docs-prv.pcisecuritystandards.or
g/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf">
<front>
<title>Payment Card Industry Data Security Standard</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Anthony Hu">
</front> <organization/>
</reference>
<reference anchor="I-D.irtf-cfrg-bbs-signatures">
<front>
<title>The BBS Signature Scheme</title>
<author fullname="Tobias Looker" initials="T." surname="Looker">
<organization>MATTR</organization>
</author>
<author fullname="Vasilis Kalos" initials="V." surname="Kalos">
<organization>MATTR</organization>
</author>
<author fullname="Andrew Whitehead" initials="A." surname="Whitehead
">
<organization>Portage</organization>
</author> </author>
<author fullname="Mike Lodder" initials="M." surname="Lodder"> <author fullname="Robert Burns">
<organization>CryptID</organization> <organization/>
</author> </author>
<date day="7" month="July" year="2025"/> <author fullname="Christian Paquin">
<abstract> <organization/>
<t> This document describes the BBS Signature scheme, a secure,
multi-
message digital signature protocol, supporting proving knowledge of a
signature while selectively disclosing any subset of the signed
messages. Concretely, the scheme allows for signing multiple
messages whilst producing a single, constant size, digital signature.
Additionally, the possessor of a BBS signatures is able to create
zero-knowledge, proofs of knowledge of a signature, while selectively
disclosing subsets of the signed messages. Being zero-knowledge, the
BBS proofs do not reveal any information about the undisclosed
messages or the signature itself, while at the same time,
guaranteeing the authenticity and integrity of the disclosed
messages.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-bbs-signature
s-09"/>
</reference>
<reference anchor="I-D.ietf-sshm-ntruprime-ssh">
<front>
<title>Secure Shell (SSH) Key Exchange Method Using Hybrid Streamlin
ed NTRU Prime sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512</title>
<author fullname="Markus Friedl" initials="M." surname="Friedl">
<organization>OpenSSH</organization>
</author> </author>
<author fullname="Jan Mojzis" initials="J." surname="Mojzis"> <author fullname="Jane Gilbert">
<organization>TinySSH</organization> <organization/>
</author> </author>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson" <author fullname="Gina Scinta">
> <organization/>
</author>
<date day="15" month="August" year="2025"/>
<abstract>
<t> This document describes a widely deployed hybrid key exchang
e method
in the Secure Shell (SSH) protocol that is based on Streamlined NTRU
Prime sntrup761 and X25519 with SHA-512.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-sshm-ntruprime-ssh
-05"/>
</reference>
<reference anchor="RFC9528">
<front>
<title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<author fullname="G. Selander" initials="G." surname="Selander"/>
<author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Ma
ttsson"/>
<author fullname="F. Palombini" initials="F." surname="Palombini"/>
<date month="March" year="2024"/>
<abstract>
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDH
OC), a very compact and lightweight authenticated Diffie-Hellman key exchange wi
th ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and id
entity protection. EDHOC is intended for usage in constrained scenarios, and a m
ain use case is to establish an Object Security for Constrained RESTful Environm
ents (OSCORE) security context. By reusing CBOR Object Signing and Encryption (C
OSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding,
and Constrained Application Protocol (CoAP) for transport, the additional code
size can be kept very low.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9528"/>
<seriesInfo name="DOI" value="10.17487/RFC9528"/>
</reference>
<reference anchor="I-D.draft-ounsworth-cfrg-kem-combiners">
<front>
<title>Combiner function for hybrid key encapsulation mechanisms (Hy
brid KEMs)</title>
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
<organization>Entrust Limited</organization>
</author> </author>
<author fullname="Aron Wussler" initials="A." surname="Wussler"> <author fullname="Eunkyung Kim">
<organization>Proton AG</organization> <organization/>
</author> </author>
<author fullname="Stavros Kousidis" initials="S." surname="Kousidis" <author fullname="Volker Krumme">
> <organization/>
<organization>BSI</organization>
</author> </author>
<date day="31" month="January" year="2024"/> <date year="2023" month="December"/>
<abstract>
<t> The migration to post-quantum cryptography often calls for p
erforming
multiple key encapsulations in parallel and then combining their
outputs to derive a single shared secret.
This document defines a comprehensible and easy to implement Keccak-
based KEM combiner to join an arbitrary number of key shares, that is
compatible with NIST SP 800-56Cr2 [SP800-56C] when viewed as a key
derivation function. The combiners defined here are practical split-
key PRFs and are CCA-secure as long as at least one of the ingredient
KEMs is.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ounsworth-cfrg-kem-comb <seriesInfo name="NIST SP" value="1800-38C"/>
iners-05"/> <refcontent>Preliminary Draft</refcontent>
</reference> </reference>
<reference anchor="I-D.irtf-cfrg-hybrid-kems"> <reference anchor="KEEPINGUP" target="https://eprint.iacr.org/2023/1933" >
<front> <front>
<title>Hybrid PQ/T Key Encapsulation Mechanisms</title> <title>Keeping Up with the KEMs: Stronger Security Notions for KEMs
<author fullname="Deirdre Connolly" initials="D." surname="Connolly" and automated analysis of KEM-based protocols</title>
> <author fullname="Cas Cremers">
<organization>SandboxAQ</organization> <organization/>
</author> </author>
<author fullname="Richard Barnes" initials="R." surname="Barnes"> <author fullname="Alexander Dax">
<organization>Cisco</organization> <organization/>
</author> </author>
<author fullname="Paul Grubbs" initials="P." surname="Grubbs"> <author fullname="Niklas Medinger">
<organization>University of Michigan</organization> <organization/>
</author> </author>
<date day="20" month="July" year="2025"/> <date year="2023"/>
<abstract>
<t> This document defines generic constructions for hybrid Key
Encapsulation Mechanisms (KEMs) based on combining a traditional
cryptographic component and a post-quantum (PQ) KEM. Hybrid KEMs
built using these constructions provide strong security properties as
long as either of the underlying algorithms are secure.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hybrid-kems-0 5"/> <refcontent>Cryptology ePrint Archive, Paper 2023/1933</refcontent>
</reference> </reference>
<reference anchor="I-D.ietf-hpke-pq"> <reference anchor="NISTFINAL" target="https://www.nist.gov/news-events/n ews/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards">
<front> <front>
<title>Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms f <title>NIST Releases First 3 Finalized Post-Quantum Encryption Stand
or HPKE</title> ards</title>
<author fullname="Richard Barnes" initials="R." surname="Barnes"> <author>
<organization>Cisco</organization> <organization>NIST</organization>
</author> </author>
<date day="30" month="June" year="2025"/> <date year="2024" month="August" day="13"/>
<abstract>
<t> Updating key exchange and public-key encryption protocols to
resist
attack by quantum computers is a high priority given the possibility
of "harvest now, decrypt later" attacks. Hybrid Public Key
Encryption (HPKE) is a widely-used public key encryption scheme based
on combining a Key Encapsulation Mechanism (KEM), a Key Derivation
Function (KDF), and an Authenticated Encryption with Associated Data
(AEAD) scheme. In this document, we define KEM algorithms for HPKE
based on both post-quantum KEMs and hybrid constructions of post-
quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3
that is suitable for use with these KEMs. When used with these
algorithms, HPKE is resilient with respect to attacks by a quantum
computer.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-hpke-pq-01"/>
</reference> </reference>
<reference anchor="I-D.draft-connolly-cfrg-xwing-kem"> <reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/fi les/document/follow_up_position_paper_on_post_quantum_cryptography.pdf">
<front> <front>
<title>X-Wing: general-purpose hybrid post-quantum KEM</title> <title>ANSSI views on the Post-Quantum Cryptography transition (2023
<author fullname="Deirdre Connolly" initials="D." surname="Connolly" follow up)</title>
> <author>
<organization>SandboxAQ</organization> <organization>ANSSI</organization>
</author>
<author fullname="Peter Schwabe" initials="P." surname="Schwabe">
<organization>MPI-SP &amp; Radboud University</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author> </author>
<date day="7" month="July" year="2025"/> <date year="2023" month="December" day="21"/>
<abstract>
<t> This memo defines X-Wing, a general-purpose post-quantum/tra
ditional
hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML-
KEM-768.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-connolly-cfrg-xwing-kem -08"/>
</reference> </reference>
<reference anchor="RFC5652"> <reference anchor="HQC" target="http://pqc-hqc.org/">
<front> <front>
<title>Cryptographic Message Syntax (CMS)</title> <title>HQC</title>
<author fullname="R. Housley" initials="R." surname="Housley"/> <author>
<date month="September" year="2009"/> <organization/>
<abstract> </author>
<t>This document describes the Cryptographic Message Syntax (CMS). <date/>
This syntax is used to digitally sign, digest, authenticate, or encrypt arbitra
ry message content. [STANDARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="STD" value="70"/>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-cms-sphincs-plus"> <reference anchor="BIKE" target="https://bikesuite.org/">
<front> <front>
<title>Use of the SLH-DSA Signature Algorithm in the Cryptographic M <title>BIKE</title>
essage Syntax (CMS)</title> <author>
<author fullname="Russ Housley" initials="R." surname="Housley"> <organization/>
<organization>Vigil Security, LLC</organization>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki
s">
<organization>Amazon Web Services</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author> </author>
<date day="13" month="January" year="2025"/> <date/>
<abstract>
<t> SLH-DSA is a stateless hash-based signature scheme. This do
cument
specifies the conventions for using the SLH-DSA signature algorithm
with the Cryptographic Message Syntax (CMS). In addition, the
algorithm identifier and public key syntax are provided.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cms-sphincs- plus-19"/>
</reference> </reference>
<reference anchor="I-D.ietf-pquip-pqt-hybrid-terminology"> <reference anchor="PQUIP-WG" target="https://datatracker.ietf.org/group/ pquip/documents/">
<front> <front>
<title>Terminology for Post-Quantum Traditional Hybrid Schemes</titl <title>Post-Quantum Use In Protocols (pquip)</title>
e> <author>
<author fullname="Flo D" initials="F." surname="D"> <organization>IETF</organization>
<organization>UK National Cyber Security Centre</organization>
</author>
<author fullname="Michael P" initials="M." surname="P">
<organization>UK National Cyber Security Centre</organization>
</author>
<author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization>
</author> </author>
<date day="10" month="January" year="2025"/> <date/>
<abstract>
<t> One aspect of the transition to post-quantum algorithms in
cryptographic protocols is the development of hybrid schemes that
incorporate both post-quantum and traditional asymmetric algorithms.
This document defines terminology for such schemes. It is intended
to be used as a reference and, hopefully, to ensure consistency and
clarity across different protocols, standards, and organisations.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqt-hybrid-t erminology-06"/>
</reference> </reference>
<reference anchor="I-D.ietf-tls-hybrid-design"> <reference anchor="OQS" target="https://openquantumsafe.org/">
<front> <front>
<title>Hybrid key exchange in TLS 1.3</title> <title>Open Quantum Safe Project</title>
<author fullname="Douglas Stebila" initials="D." surname="Stebila"> <author>
<organization>University of Waterloo</organization> <organization/>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author>
<author fullname="Shay Gueron" initials="S." surname="Gueron">
<organization>University of Haifa and Meta</organization>
</author> </author>
<date day="21" month="July" year="2025"/> <date/>
<abstract>
<t> Hybrid key exchange refers to using multiple key exchange al
gorithms
simultaneously and combining the result with the goal of providing
security even if a way is found to defeat the encryption for all but
one of the component algorithms. It is motivated by transition to
post-quantum cryptography. This document provides a construction for
hybrid key exchange in the Transport Layer Security (TLS) protocol
version 1.3.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-hybrid-design- 14"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-pq-composite-sigs"> <reference anchor="CRQCThreat" target="https://sam-jaques.appspot.com/qu antum_landscape_2024">
<front> <front>
<title>Composite ML-DSA for use in X.509 Public Key Infrastructure</ <title>Landscape of Quantum Computing</title>
title> <author fullname="Sam Jaques">
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth"> <organization/>
<organization>Entrust Limited</organization>
</author>
<author fullname="John Gray" initials="J." surname="Gray">
<organization>Entrust Limited</organization>
</author>
<author fullname="Massimiliano Pala" initials="M." surname="Pala">
<organization>OpenCA Labs</organization>
</author>
<author fullname="Jan Klaußner" initials="J." surname="Klaußner">
<organization>Bundesdruckerei GmbH</organization>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author> </author>
<date day="7" month="July" year="2025"/> <date/>
<abstract>
<t> This document defines combinations of ML-DSA [FIPS.204] in h
ybrid
with traditional algorithms RSASSA-PKCS1-v1_5, RSASSA-PSS, ECDSA,
Ed25519, and Ed448. These combinations are tailored to meet security
best practices and regulatory guidelines. Composite ML-DSA is
applicable in any application that uses X.509 or PKIX data structures
that accept ML-DSA, but where the operator wants extra protection
against breaks or catastrophic bugs in ML-DSA.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite -sigs-07"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-cert-binding-for-multi-auth"> <reference anchor="QuantSide" target="https://arxiv.org/pdf/2304.03315">
<front> <front>
<title>Related Certificates for Use in Multiple Authentications with <title>Exploration of Quantum Computer Power Side-Channels</title>
in a Protocol</title> <author fullname="Chuanqi Xu">
<author fullname="Alison Becker" initials="A." surname="Becker"> <organization/>
<organization>National Security Agency</organization>
</author> </author>
<author fullname="Rebecca Guthrie" initials="R." surname="Guthrie"> <author fullname="Ferhat Erata">
<organization>National Security Agency</organization> <organization/>
</author> </author>
<author fullname="Michael J. Jenkins" initials="M. J." surname="Jenk <author fullname="Jakub Szefer">
ins"> <organization/>
<organization>National Security Agency</organization>
</author> </author>
<date day="10" month="December" year="2024"/> <date year="2023" month="May" day="09"/>
<abstract>
<t> This document defines a new CSR attribute, relatedCertReques
t, and a
new X.509 certificate extension, RelatedCertificate. The use of the
relatedCertRequest attribute in a CSR and the inclusion of the
RelatedCertificate extension in the resulting certificate together
provide additional assurance that two certificates each belong to the
same end entity. This mechanism is particularly useful in the
context of non-composite hybrid authentication, which enables users
to employ the same certificates in hybrid authentication as in
authentication done with only traditional or post-quantum algorithms.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cert-binding -for-multi-auth-06"/> <refcontent>arXiv:2304.03315v2</refcontent>
</reference> </reference>
<reference anchor="I-D.draft-bonnell-lamps-chameleon-certs"> <reference anchor="AddSig" target="https://csrc.nist.gov/Projects/pqc-di g-sig/standardization">
<front> <front>
<title>A Mechanism for Encoding Differences in Paired Certificates</ <title>Post-Quantum Cryptography: Additional Digital Signature Schem
title> es</title>
<author fullname="Corey Bonnell" initials="C." surname="Bonnell"> <author>
<organization>DigiCert</organization> <organization>NIST</organization>
</author>
<author fullname="John Gray" initials="J." surname="Gray">
<organization>Entrust</organization>
</author>
<author fullname="D. Hook" initials="D." surname="Hook">
<organization>KeyFactor</organization>
</author>
<author fullname="Tomofumi Okubo" initials="T." surname="Okubo">
<organization>DigiCert</organization>
</author>
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
<organization>Entrust</organization>
</author> </author>
<date day="16" month="April" year="2025"/> <date/>
<abstract>
<t> This document specifies a method to efficiently convey the
differences between two certificates in an X.509 version 3 extension.
This method allows a relying party to extract information sufficient
to reconstruct the paired certificate and perform certification path
validation using the reconstructed certificate. In particular, this
method is especially useful as part of a key or signature algorithm
migration, where subjects may be issued multiple certificates
containing different public keys or signed with different CA private
keys or signature algorithms. This method does not require any
changes to the certification path validation algorithm as described
in RFC 5280. Additionally, this method does not violate the
constraints of serial number uniqueness for certificates issued by a
single certification authority.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-bonnell-lamps-chameleon -certs-06"/>
</reference> </reference>
<reference anchor="I-D.draft-ietf-pquip-hybrid-signature-spectrums"> <reference anchor="BPQS" target="https://eprint.iacr.org/2018/658">
<front> <front>
<title>Hybrid signature spectrums</title> <title>Blockchained Post-Quantum Signatures</title>
<author fullname="Nina Bindel" initials="N." surname="Bindel"> <author fullname="Konstantinos Chalkias">
<organization>SandboxAQ</organization> <organization/>
</author>
<author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization>
</author>
<author fullname="Deirdre Connolly" initials="D." surname="Connolly"
>
<organization>SandboxAQ</organization>
</author> </author>
<author fullname="Flo D" initials="F." surname="D"> <author fullname="James Brown">
<organization>UK National Cyber Security Centre</organization> <organization/>
</author> </author>
<date day="20" month="June" year="2025"/> <author fullname="Mike Hearn">
<abstract> <organization/>
<t> This document describes classification of design goals and s
ecurity
considerations for hybrid digital signature schemes, including proof
composability, non-separability of the component signatures given a
hybrid signature, backwards/forwards compatibility, hybrid
generality, and simultaneous verification.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-hybrid-signa
ture-spectrums-07"/>
</reference>
<reference anchor="I-D.ietf-pquip-pqc-hsm-constrained">
<front>
<title>Adapting Constrained Devices for Post-Quantum Cryptography</t
itle>
<author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy
.K">
<organization>Nokia</organization>
</author> </author>
<author fullname="Dan Wing" initials="D." surname="Wing"> <author fullname="Tommy Lillehagen">
<organization>Cloud Software Group Holdings, Inc.</organization> <organization/>
</author> </author>
<author fullname="Ben S" initials="B." surname="S"> <author fullname="Igor Nitto">
<organization>UK National Cyber Security Centre</organization> <organization/>
</author> </author>
<author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkows <author fullname="Thomas Schroeter">
ki"> <organization/>
<organization>PQShield</organization>
</author> </author>
<date day="4" month="July" year="2025"/> <date>n.d.</date>
<abstract>
<t> This document offers guidance on incorporating Post-Quantum
Cryptography (PQC) into resource-constrained devices, including IoT
devices and lightweight Hardware Security Modules (HSMs), which
operate under tight limitations on compute power, memory, storage,
and energy. It highlights how the Root of Trust acts as the
foundation for secure operations, enabling features such as seed-
based key generation to reduce the need for persistent storage,
efficient approaches to managing ephemeral keys, and methods for
offloading cryptographic tasks in low-resource environments.
Additionally, it examines how PQC affects firmware update mechanisms
in such constrained systems.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-hsm-cons trained-01"/> <refcontent>Cryptology ePrint Archive, Paper 2018/658</refcontent>
</reference> </reference>
<reference anchor="I-D.hale-mls-combiner"> <reference anchor="PCI" target="https://docs-prv.pcisecuritystandards.or g/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf">
<front> <front>
<title>Flexible Hybrid PQ MLS Combiner</title> <title>Payment Card Industry Data Security Standard</title>
<author fullname="Joël" initials="" surname="Joël"> <author>
<organization>AWS</organization> <organization>PCI Security Standards Council</organization>
</author>
<author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization>
</author>
<author fullname="Marta Mularczyk" initials="M." surname="Mularczyk"
>
<organization>AWS</organization>
</author>
<author fullname="Xisen Tian" initials="X." surname="Tian">
<organization>Naval Postgraduate School</organization>
</author> </author>
<date day="26" month="September" year="2024"/> <date/>
<abstract>
<t> This document describes a protocol for combining a tradition
al MLS
session with a post-quantum (PQ) MLS session to achieve flexible and
efficient hybrid PQ security that amortizes the computational cost of
PQ Key Encapsulation Mechanisms and Digital Signature Algorithms.
Specifically, we describe how to use the exporter secret of a PQ MLS
session, i.e. an MLS session using a PQ ciphersuite, to seed PQ
guarantees into an MLS session using a traditional ciphersuite. By
supporting on-demand traditional-only key updates (a.k.a. PARTIAL
updates) or hybrid-PQ key updates (a.k.a. FULL updates), we can
reduce the bandwidth and computational overhead associated with PQ
operations while meeting the requirement of frequent key rotations.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-hale-mls-combiner-01"/> <refcontent>PCI DSS: v4.0.1</refcontent>
</reference> </reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
bonnell-lamps-chameleon-certs.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
connolly-cfrg-xwing-kem.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
hale-mls-combiner.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-hpke-pq.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-lamps-pq-composite-sigs.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-pquip-hybrid-signature-spectrums.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-pquip-pqc-hsm-constrained.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-tls-hybrid-design.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
irtf-cfrg-bbs-signatures.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
irtf-cfrg-hybrid-kems.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ounsworth-cfrg-kem-combiners.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
941.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
528.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
652.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
814.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
794.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
763.xml"/>
</references> </references>
</references> </references>
<?line 855?> <?line 1459?>
<!-- [rfced] References
a) Update -01 version to -02.
Perhaps:
[PQ-MLS]
Tian, X., Hale, B., Mularczyk, M., and J. Alwen, "Amortized
PQ MLS Combiner", Work in Progress, Internet-Draft,
draft-ietf-mls-combiner-02, 20 October 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-mls-combiner-02>
.
-->
<section numbered="false" anchor="acknowledgements"> <section numbered="false" anchor="acknowledgements">
<name>Acknowledgements</name> <name>Acknowledgements</name>
<t>This document leverages text from an earlier draft by Paul Hoffman. Tha <t>This document leverages text from an earlier Internet-Draft by <contact
nks to Dan Wing, Florence D, Thom Wiggers, Sophia Grundner-Culemann, Panos Kampa fullname="Paul Hoffman"/>. Thanks to <contact fullname="Dan Wing"/>, <contact f
nakis, Ben S, Sofia Celi, Melchior Aelmans, Falko Strenzke, Deirdre Connolly, Ha ullname="Florence D"/>, <contact fullname="Thom Wiggers"/>, <contact fullname="S
ni Ezzadeen, Britta Hale, Scott Rose, Hilarie Orman, Thomas Fossati, Roman Danyl ophia Grundner-Culemann"/>, <contact fullname="Panos Kampanakis"/>, <contact ful
iw, Mike Bishop, Mališa Vučinić, Éric Vyncke, Deb Cooley, Dirk Von Hugo and Dani lname="Ben S"/>, <contact fullname="Sofia Celi"/>, <contact fullname="Melchior A
el Van Geest for the discussion, review and comments.</t> elmans"/>, <contact fullname="Falko Strenzke"/>, <contact fullname="Deirdre Conn
<t>In particular, the authors would like to acknowledge the contributions olly"/>, <contact fullname="Hani Ezzadeen"/>, <contact fullname="Britta Hale"/>,
to this document by Kris Kwiatkowski.</t> <contact fullname="Scott Rose"/>, <contact fullname="Hilarie Orman"/>, <contact
</section> fullname="Thomas Fossati"/>, <contact fullname="Roman Danyliw"/>, <contact full
name="Mike Bishop"/>, <contact fullname="Mališa Vučinić"/>, <contact fullname="É
ric Vyncke"/>, <contact fullname="Deb Cooley"/>, <contact fullname="Dirk Von Hug
o"/>, and <contact fullname="Daniel Van Geest"/> for the discussion, review and
comments.</t>
<t>In particular, the authors would like to acknowledge the contributions
to this document by <contact fullname="Kris Kwiatkowski"/>.</t>
<!-- [rfced] Would you like to make use of <sup> for superscript in this
document? In the HTML and PDF, it appears as superscript. In the text output,
<sup> generates a^b, which was used in the original document. (Note that if
you would like to use <sup>, we will make the update once the file is
converted to RFCXML.)
Instances in document:
2^{64}
2^c
2^{(128−c)/2}
2^64
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers. For example,
please consider whether "tradition" should be updated for clarity. While the
NIST website
<https://web.archive.org/web/20250214092458/https://www.nist.gov/nist-research-l
ibrary/nist-technical-series-publications-author-instructions#table1>
indicates that this term is potentially biased, it is also ambiguous.
"Tradition" is a subjective term, as it is not the same for everyone. -->
</section>
</back> </back>
<!-- ##markdown-source: <!-- ##markdown-source:
H4sIAAAAAAAAA+S96XIbWZYm+J9P4cWwtiI7AXDVQsVkd1EUFaJpCYagyKiZ H4sIAJWz/GkAA+y96VojWZYg+F9PYU18/SV0yQQSiwMZkVm4wB3SHRxHREbm
6WmlA3CQngTcEe4OMhBMjeXP+T31Y6zNep5m3iSfZM53lrs4HJSUmZ1V3a3M 1JftaZKukCUmM4Ut4ArS+3Xm6z/zEvVic7a7mUwCInN6anrKqzIAyewu5557
kEjAl3vPvffs5zv9fn+ryZtZ9izZvizrpv/DMi2a5Tw5q1aLpryq0sX1KpmW 9iUMw1YZl4k6Djaus6IMP1dRWlazoJ8v5mV2l0fz6SKYZHlwlt7FqVJ5sdGK
VXJeXOVFllX19lY6GlXZLe744az93ThtsquyWj1L8mJabm1NynGRzunxkyqd hsNcPeAbn/v170ZRqe6yfHEcxOkka8Xz/Dgo86ooezs7Rzu9VmucjdJoBvON
Nv08a6b9xc/LfEF/j/uZ3dif0X11s1UvR/O8rvOyaFYLuuvi/MPLrWI5H2XV 82hShrEqJ+H85yqew39HodIjhd29VlENZ3FRxFlaLubwxsXZ7btWWs2GCgY9
s60JXfNsa1wWdVbUy/pZ0lTLbIsGcrSVVllKAxpm42WVN6vtrbuyurmqyuWC Oto/bI1htuOgt9M7CHf2W6MsLVRaVAVNqVqwxN1WEqV3x4FKW/P4OPi3Mhu1
h/njxeX21k22ok8nz7aSfkIj39raus2KJT0xSexKHtk2fSBv3/6JnpIXV8l3 g2Ixy9WkgF+yvMTf/tKKchUdB4Ozfusxy+/v8qyaHwe0rNa9WsBn4+NWEAaw
+B6fz9N8xteN/wlTGZTVFT5Oq/E1fXzdNIv62d4ersJH+W02sMv28MHeqCrv 4VarVZRROv4SJVkKky9U4Q4tI7qTlHk8KtvBKJvNVFrCJwCCWTSfx+ndX1qt
6myP7t/bpgHUTVpMPqazsqC3rbJ6a5E/S/73phz3krqsmiqb1vTTaq4/NFU+ qCqnWY6jtwL4N6mShOFzksdlHgVvo1Tlf1OKvs3yuyiNf4lKgMlxcJXdxxF9
bnrJuJzPs6KhT4i683SxoCH+H1tb6bK5LitMj0aUJNPlbCakPyWSVGnyPC2y PopLgPjHLB1nKX+QVWmJp/BjGpdqHHyAycbZjL5TsyhO4PQimqAzlAn+NcXh
6g9Zxt/SiNIi/zVtiNTPknflTZ7y52Oi3rPkTVlMykI+KJdFg/X8scibbJK8 OrDMjeXF3MZ5NYsSVTxGeXCjxuNF58MLVgSLvwM45bz6XN3RUx+iPI3K6D7y
ppdNyjl/lyk5Un7BYKQv+KcCjxvQMLfXB/Mhr5bzdJbVd2mVvM8mk9UXjIeG l3qRjuVlvcL7TunM+yXHedcu8zSewZ7irAgGo2kWp3GURvdx8YKVnpRTQB1/
fkVUqmTsVXbFV71OqyJt0ps0HuhFMdGbbXw3gyZ468cKb31wkC/yOc0oL+tk Qe9zpUbKW9FYT9Ap3Al4UeFQJUmYRMNiJRRnWQn36TxLEjVU6r5hYafxXdxX
OL4u8yJPi/Qmr79gpKfNNW3OeEDfVVk2zqIRTewFgzp8gQyqP8pmMzoRo3oj eems7Touy2JY5XdTD4zXJ41HPSjhUhRBNglOZgpQzwdpGc86Uz39v45hshFM
DedlQ+fyVTmbZaMsu+kY2Iv8Kj/LqiYY22XeNPVoWV1dt1Z2eBoNrsnng2t7 5q03TuECXXaCT1VaAOaXPCvv4DK+V7UvYPnHQAHokgcfET5qTF9oMiHf0Wdw
9D9N6EFjelA0lryg4/d2kHy/LGo6VI08UUb3Nr/JWl/Q0J4Rl6DzWjfJG8w9 GZQq4cru7+wEgwwu57gMbrJo3A4GFbwZdHd2nJ1/KsvoMWoHn9ISsDXz99sH
m/AXxkr0O/6MtnmWNc+Sw0f7+8mwnNERaZL3ZTpJ/vynf0mGS7o5OdjfDyb2 2I81Do1hcR96H4Ld9/vufmew3n/N9Ho7AIxWK83yGQD7QcGlCy4/hh/OLo/p
fdOkd2kv+b5oaCuW8ezOiLQT2yITGt/rw9fJ0XePwinPaciD0ob8T5mMBjOm HU0IL7NxlajwY1SWAJ3wbVTgDVKL8CwdRfOiSuiogks1msLBFTMEeTqO8vEG
Q1qU1ZyIesuc4u2b/uvzt8/45sQ458uLy2H/cP+I5l5OlrOs/yZtGiJaf5TW DxPld7jHaVnOi+Pt7fQhmVeAE/Bo2bnLHrbxF/xk+93F9WD76mJw28HfOr2d
ODLZqn9ejNNFvZzx6iRvs/E1rVU9T4bgAGk12dYnptUV5m6cpLidLZa0D+ja 3c58PGFAwdGpAmkorw3/4ZMBPokkb9d8fPrp4hjg1jnY6R3S2J1JPC86+hFD
ZnBV3u7hB3yyh3fuvbsYfhjgpwG9fbCYTOUpzCiTaTqrMxnyi+Fp95CP14b8 YOhfaF6jc8Mh6RNDSffCnUOGy+ngRN5aCxhE2DJKgkF8B7e6ylUNHP8IPPYM
nIeM3dOks2SYX9ERW1bZ33Cgx5sGOnzzavNIHz3DEJqMznCdvErr67/DSB9t PJYW2AwjD0R7+lMPQt74/IQPIgdGHpAGH88bYELXDQhUEZxHxfR/AUz2/yGY
HCkx2lrG6aXnbFWU8zyd9en8ZEk6IzGYN9fzmkXkosKH03Tc0KdyRhMaZjLJ 7D8Lk/1XwQSeKfzbc50lizSbxVESAr1TwUkC8kBcTmcFyQrXOX74LhqV8CkT
63GV0Y6elVepXo+vkp9VENMeXCybrJLZtCeTVr/ktyxeaKR7fE9/cb138mj/ vQBAAyArRrkCCvAxu4vkefwqMBJJNptXpcqbL1mUf40fOrC0bYDO9s/4Tjif
6f7hE7qFJNdt1h7rKQ2EDqK9Yi67cUxUdKPmQdOkU2zhpM4gvbqHMJkN0vGc bh/t7xzu9N6svQiWPl/D/HnwU4e2Zb4nenjtfAh8HUSNEpj5cfA7eSzK/xQ/
xzAp872D/cHBwfGjvcOjJ08Pjgf45/FjuvH92sKe0jEgiTXhV30/alJigyRr HNfnfeg5l6t7dARiSjfsIYTf59mDqoPuJJhEQER/lh3PmMCMAJEiDUSCIYwX
1xa0ZkJdLkezfNyns6S6Sb2qm2xe/2bDMreGBfLY0I4enRwd7w/4n8Ou5X3/ DQHR4LSjfDRthsg46USjGYFknMXbcNTd7t7+dm/3zWF3r4M/Dg5eCJeP2X3w
8uzx/sn+M/nx6dHJgf346NGx/Xh8/Fh/PN4/4k/ffXj/Y0xofNJNNXAYHlxe oSNrXtrRG9jUSrgMbj/1g98cHQAE82yk1BgEEWJOwG+D8hGeXYQqvpuWU8CC
TLJfBvV1M5/RhS+rclI6BuOOgH7a/agpvr3JZK50xdksJQ1q/HZ8PstJ7sSP tIKtnvQvUXiaZ0UMMAAUuJ0qECjxHUYBGKEdzOedoNfthb3u0Qp6qRG8cdc3
0i8T+7b7kWO5ajAfZ3yVPfrlu64Dir30siTFK6uSWcT5sHlpyye1X0tsx8TT S/f4BOg5wGFMAP40LCNg7und8k0uCFuvq2ESj0JgCiIpF4uiVLNixfWunQWi
ZX026Yw0vD7uGECF3PuCBTo8evSMGDUud6za7f2+bN7WoM8Gyf+Wzm5IaPz5 qF7Z7v7R7t5Oh370nrt69khusjRKxsHHTnADnEy4q/8w4e0J4m00i/NVD8AI
T/9VLvzzn/5L7c6E3IT96I9ETqNf0OFOZ70//+n/TS6vVzUfmvfZbZ7dJae9 J+ME2GXq0pR3aphXEUC9e/RGKEvT6eKJzCpEUbzH5lzhCNvBQ5bgEbWDNIOf
5LacDZLH+71ksRgkh0+OH/cPnzw66CUHJycng3jCXdP6cE1qbNN/ny1IDLUG fGLd3k7Y7R2sJFXemfmQwUN71z8AJeKYfz3cPerqX/f39/Sve3sH8uvezi58
bIq5XAMVgJamyBK5ODncP9zfQNGrWTlKZ1Vekypb0+OImwjH4BPFrKje03n3 Cr9f3d786F80/GQFswZZhc4pTsfqa6eYlrPEwfhJlBQoEb7Ls3G2JDjoT5uH
GxlCo4/vV/z4Ph7fuRI/nPVfvBtuGOsZ8y4mIp1g0owSunbDKO/u7gY0mqLg nuC394rRoGHMfhKBsjO6HJ0lMcid/tDyZaC/bZ5ixE91ZiNFT62a6t1VAyd7
sZXEJ/v7RwdkIWziwWDUrfdutmBMJijr3TCGcV2NvVxYVOUfsnFT7y3wWCPQ d/Kx/+kKzh5p0LusgtPJg0R4/ZD4GoiJc6DcQWFvA5KEwMJzeddRAmgT4hsd
OHjs5m/6dfzCrgmczcrlZEqGQtaaBmbGm3Exy9KaHp6E70nqZUXSpM42TGJE POttF814PctH29vdh5Nr4fOOrDYAhMmqIqQbV2fD/J2nt7aDHlzVs3GMyLnx
kmQwds+GEsMirh8N1h7Suahnw/2D1pheZDiRvI6nRTqjnU+HYZpcVnS8+RAE 8rv1BxWl4fU0TuL5HJAZFJCiyLzrcVLdobSLnHf5clwM3l4FcG26b7qH+zu7
/Jl0HZACIo7U52xOp54NMxKKVyn2YHI6SRc4psnZdUnGXHKWL65Jxcx+oa9I h3tvDL0PB0Swa2vn735TGMLPZB3Jj6X7MYB6DtJ7lKwAdBKn9x0QT32Kv7O7
lxvfbJhbRmMumkGejiveJof7+wfE1p92TeL5q9f7J61ZDJcj+qHJaUR5IRsy fT1dFDfq4QRYfaf3Zu/g5YDoT3MQQ+BS/x9RItqaAOATsG9Qw5EDHC1DAGck
m5LY4bHSdC7eveifnZ0+S34iLZ4n+6q8g7RfziY01pR04uIq67/I3ARH9Ii8 tgXTxuoxOBFqcLDD1GBP6DcsJuy92e++gB407+N2Cnp7Gd6oOYj3NahquYGf
pi/Ku2zyH7982Cd7xwedw/7u7funT9ck5USFomOkSc2UJT4VETY1wo6ZsH2i Qd0L7kSqAn4Yz25nBSTvkmwYJbD1e6CQMBxIHSxZENFnUrctZxWWvIRShg9z
fZ1e0fdM1XqwYYCLrKS9NhjXpA0PSDsfZJPlXp3PbvNyb0gq15j09X93uD8c Gj7E4bdfDunLeDQFKTK4zApR2FY+CaiRgUoIgsEy4N/TyoElFPegTsvaa7Ji
56Qa59N8TL9cpgtSLPZUXONbx+T3Tj/qxx/dhx9lK3yUnfDxVAb80XbCR9kJ l2QQxMnP/fD0arACbIbXEr9Dqg7PrgDY4+NjBwCTpgSmDHAj3Nnthiq1oupL
/bcy4I+yDTadfTLfTy8v2qf/hzOy7OnzpCibrP6iM342fH+2N8/IYNy7tOMe gHAdVQnoxpNJjRmxgLsX9noNl61/cnUVfJpMgEhp9tOfxmoS3IL0lGZJdreQ
cpF+yEVIkRgv2fLey35J50Sx/jQnfXQvXeR9fuem8ZLy8/TV+zabxN5qSlUK r3PQI/u3n3BpJJehCFvb/GoTmJbfRWRdAYhRkY+sDD/Ps7+pUVlsz3FYjTAj
iYMfP01GeYOLaXc22RWRF9v0aUL7j35c1uCkh/tkrcxm2HtFmdcrklh006bZ Z9jV34SFP+FrhPJgmbNk1XiSRLmq7RdfALozT1RUwBoCdzlBUeVzuARqxV6H
ev2QrMm9gxNSafdPnhyfbBjkwf7wrDXI5yQP2AeCYQUnu0/HI/lxgUdAYcVZ ANrOyIyMJgTSWkJvT3qQV9wFUKGCn0CkUfkwWkKEHsmbDSKJ3WPwFlaGux7s
Yv28X05JiGT906p5gNP/vMQMa1px0jDU0GXOtTfS9/WrOiXub+/rL/lV4Kv0 dGv7PVXIhwijT0B+AipFMst1DkyNCJYj14Gyj+eB+skALucMeN1AjVCXi+4i
d6p27foMhuICiUR9Xo3JaGQ1E18za/VSXcla/OboS0kZqdokGB/tn2y0FN5c JAwgN0Vz5E2AcFmh0qAfz6cqL9VX+Koso9H9CsgpgEhaduJolNOF6e3sdIFa
PP/+h/bCv8lH9CGR8PsFsRkTWMN0uomn01m6Xo6YSCXd4rk43bI3y0flz3XX H75a+uvn8FeTZGef/GOMihbqLtXcB6UI7T4QCQPpzqhrXGRwgozoQbXhcs6B
y1+vRlk1zCdtAXOa4MM+MbSiyGbKcsXseEUy647ERnKB/Y3NnhpzPHv/vw4/ 3jtLfXv+YeeozoWrIfxSAhkH4ZKJhpqAIE1QBEBfXJ2G/f7JcfDTVPExnGeP
nL4Z9vmxX8zqDg/3SOnu1LOH6abx1RjfWMeXBuObp/UNKZZgzfX1cjqd0S91 tDjczTRKEpXeqfBUGdAPFWqG8EX2qMa/fzlAj7b3uq8A6GU8jfPgrUoQgdY+
OW14zPnamPkNG4ZK+s3NoMZ46aQxbWlb5eNZxobC/v6Tvfrg6OjpSX//8Ki/ eapSwHIkU1MVp7+sffYMrWUf4qT8pQb6Bp75EtDrTb2/vDk8XNJfxqKqGOEs
T8rIo/5R5yxorGdt/bKDwGzYxWY26fR1ckojf1c2JEuzWxo7fTxaJa/yK5KI KAhvgbF6aBtptB0R2oaA2UV0B98Tzq5SYeYqAzLRGRVRnHRmcdlR42q7iJOH
/e+rCanLb1PobldfQ/KTg84zrq/voPl3WZFVZBgM1ynPAyex2FdhE+v4l6/P ONseAOsalWr8X3s7g1EM24mB3sIftPBiW3Qo/NbIjdsnX+TjL+bDL3zPvvA1
eTloLiqUNp2g9YEenOydHHeKwbckk6/ok7Yecvn9m9cknz+UtOCTOnlDzILE +3LC6/2ir9kXvmbhJa/3C9+x17EY0IUmcfA+S8aPINQ9c3cGtDvkzVES/wpt
BanMpJA0UJViHZAGraqH6CdJrJ98DUWfPulcfRvoYfuMByObQWwm8MZBdoKB TGRFQM4EBKXDBqI1uDi5DP4Aoja8jqquo+CSwNR946lPvcNuuLvG0mPFpd03
yfKfLuEtbPijiQztF5CeBDZJo6Ycl7MNI8yzLPtlAY/oAD+qmSvSae+EzNTD 28Dp3+x0kc9ff+6fXF/UWd3nfhAG8DlMUKpVp+4ztP7gpr89Ax0+2r7WvM1l
w8cPjfboIc05HlbA803LUFkdaG1d2/3rtmvncM/eDU8P+/tt9lAU5bIYg21D maHLMkEGHVXk8dhWX6MZIE84iRM4+WgehzTnS45uLV8DLf7w/KYuwSBJKTN4
7JzBHV6Nc1KP3vHBh/NAAwHJqePz4jg8HGwyk1gLGEyyaVbUGSsHNLJHe2/T iChfb2fvMBjGJT4MRKlUd4CSSJ0OAyA78GtVoJDT2wlmcZIgyUmzuFiALA4v
1d7RPlS2oyeHT58cH+z1+f/7pDucfsQAP9IzP56++e779xcfXr0dDi5fvNx0 rQKLtTZFw2K7e7Sz39k5erN39ArROo/iu+B9PE7V4jl5DxAiOLtXeeRTEZTk
9F6SfrWuWTv64mvs1YBfqEZqCnTMPoYPHrd1/kZ7a9FkleNvJ0+e9om1He33 9sLu7jJasTHKLuthl4HV3Rn0a8B6C9LrPQIAweOwvBCoc/DjHOdCxERSTpbO
D54cPjrpP/54cPKNXtTn+M0D82hv+J3vi2zXTeGiZp5GOsL3C3FIPy/Lpm4q MJuAyKvCk7xcIwz+XCGk4YKloIiKP4QEhu2hzBfmRQQCop4vrGgqlHrgv5G4
CVeIvsA2NstlvY31nXiO68bEJiX2a+Z7/OjJ4ZP+0ceDTstheNEnZbLbqGWZ P+qQJGT47Iz9Ecb2gdI9CncOGCiwo4F92yjScT6qAB0mzBVR7bJKluBC+i+7
m4S2Hrulp0sy91j0zOpeQmtV4chPiKPPygXrjMwkq0yCNxMxux/QkEZ1PhjR Lz1/z9oIMv/+ztH+K0lSqebTCBSTtyoCsncHMl+NW+yGO2joWnXO9enptD9e
Q2lH7g2vSbpNXpRjUrfLu2JWppN67/zdHg107zK04p9X5fia6LgXKgiRYTqA vP30uX4zPsZD+BDO9tMc2K+WcwfRZJWMBwR6Wg3p9DJ4xUp18AoonMPsZw/8
o+k/FsVv6cQ9jnnEwdMBqYc4jqxhrzvsLkMrlL7epGFXg9Vi0JR7C7EQFj9D V6DHoncWkXN/ebnoAQXIH72ZHAwPUX37sICHB/G4LpaeBPhhCAJBmqpEhCm2
lSNm/2T/+OCkrSjh88H+8YDl1fCy/3R/v//ocZv47yO68ZaBV/0Fiaxbc6nD Bp8DeB5RyLtAioLkJdLCRf/mz4Pbk4+DkIZ9sajQ62139/ZfYXr7M6wK0eQP
l8gbiP3tJA2IMPU1aP+Zg7LZIzxcZOArEY3ZQTy8HOhAq8ONqt9q6QxQN5Hf z/CEKv5FBT9F6d3axz6g0BNc3WXrJQkQjKLgtBrm2cN6/fBjnFYFyNCj+6RK
DfA5Sc7r7La+WbH76WWeNn1a43leJT8Rr0pOR2XV1M+S08XCvReWgp4M3kkv a5jUpEC9QO6wEBpEqw6swAMbyYFFzoHNouJejUnWK6bVZJLAH0U2KekQ46VD
xZVMirLyAmd90RN7yenw4pQUtssPCYzNbRtFl9PFGLFGLPfSGh/RlmEz9dHJ pBnWWTgKPECg4YSUSBtHiSJTx87Om+2iu7t7CBSgB1cG1Lz9cPflx/rPPojb
AWm4J4/dD366bT3osn8Aohw9PWvP+m1Ou4+XiWax2UtjH77P0klekHnwzD4K aQZ7B+4OQKnbj3q0wr2w6ZYYcWDiaqDxyERZOOLBLssFe3u74d7BzvNywUoY
BHx0x4dsfF2UZDeskgtSnSrSjqt0RAKXWD97jbOKfYJkZqin7CFSFONxmflt 4Zn263aphktIPpmaY/TssgCcAdBlJWhS6gF2AR8PF8F5fAf6UPgpHwMaXUZo
UJPAqPdIIqTLWbMnpt4hlMGDQ0Rw+3ObVZ/9K/XC5j/uL6psls/zIq1WfY58 Trl7zbU86r6Cob7s+F54KV9+yldxUpDhosirf9pt440LmBuu23uVomefqaR/
b6Ta6/Pzy4t33/14GftpX2cZ88kfF8kdtgT4JbRFREGqEhzOyzhitLxD+FRA 6eiAQMUKRej37bfXH87oJsKZiXKwisMtH0j3aPto7xUqFSjVBawsCm6ih/WU
o8TM02VTzlmAp4G/hr5WtW2hCkbd7QHukNJHZD8eHann7eXFu9M3LWc3fUxE clD9LVvAZtIpPJytF4dO0moezVBXLMtsHo2ni2j9CwOALrzwdhrBnajLCr/q
hs+KGPnLvCJN4Yj+pdfnv0JRDNc9ZOvqKtswEl4YdzKzu7rPanLNP2Ncx3v7 gAwgLkGvvYOx6laG608fP4COe5sBjRsXwUeQeEBfCW/gVqJVB26JZ2aCwxLD
T8XDVenLySynlxOrn9rLY+dXYFaanw720+m74fCiFSnBRwncu7VZuZu3Lwm3 AlsfAt/68Jobc/jmFQSvn/z7/0Taq01u6dqn36o0+/f/CyM8hjo6ZeXA0ygH
os69XrnGGGE30TSWt4Np1bm7nAo3LeFR+rhcfKSB8yM/Mjf9iB9oAB91Kh8j QT+4zGbx+kGFRpLftVj75Ls8Sv/9/wTJPPwToBOcAxvkzFL+8UvHsNNn2quL
3i577JWJLudn+OFsfUDw+tAevv55bM795xevz+Mb8cmX3MkJFv2fvovujuj0 Ts4hJqjiBhikg3ouCqxMCU8qDCIq6aMxn+JXvJ2gW4O6VGajbJXtPlZKfZ1j
Y00qQeG02jrZ4VSL3STKsOikGoJQRNnxDdHOJVNwwsYePyPwytD9ztjWUaxZ oFQHfxUTPqtP20eH+/u93rNme/Lm3XaCEP53C1r6qkcG8Aj877xqJoL0zJ/h
2In6eTrfBeNaKQvJ6SIq7384E797K5jiPu9e8Dqd9/+Q/rwknYXUnnpRckjZ mUscRq1/5rwDh/3cQOc4mX5k3TldnJ2dsWjq8EAy6IrrPxhko1iVC2F/wv1A
hPNHRLbrMS3rR+xiONPxhbfNIs0DH39JDPDwiITp/hFZq9jRkwnJhdaW5s82 2Q27ey/RineOtj/9oY9BDr1eZxdU8h3vzHfXWYP9w3U0JW1WEeuEYwRs4p+v
7NDIOeY8YljuSX6FoMzeumP7+WWL5tv45EvZysHTvcePnurWvTxrnb/LdMUC 43+v8NVcqiQuiig4+SWroqxaT3H/XCVxFHyofske7p+VY7JhHFFAXapgQ+tN
/IzeiMSOJWmQq+QFbQnP/uJ479r2Ia2J2PHtYDHOa73FHXoeA7303x3uvxgO JuwxQjfLA+iPf8zVWMEtjZJ/HmdEkPSvBie9cKcuhKZpVqUjFM0FaWYqH8WA
9+xJ+KhPH/Rvjz/ufzzgwW1t9fv9JB1BhaXds/WBWEE6AScCX01DjRD+8Nkq RlckXqIXH+lsXC5sUIqEnfU6q5xBZO7ojNVEpYUiKwgqN9uX0WJ7dwctjbtv
ATe6hcRqh3KTHWyc3eSO3cqkKMLGr0PnWVo1PbCTSa72jMRqkhsyEYPA8iQj eodv9rrbIf3/znZ/cPIFF/gFxvxy8vH9p5uL2/PLQef69N1zp8nGjsGJC62B
E3BFrLUpJ+kqKUd1OcuarJekNbMq4v+k96TioE/rejlfiKRY4pUkXwpVxUnx mpdGqeqJWPAuipNl27ZBSfwa+Ykjs4nlVZuwfRFusFYUWBa7gajBonIjdh+9
MNroqIoymYmYuS5nkwEZ3DTbSYXge3Odk4rr5AdLGzIWqpRIsxyzc3qOPA/P OQxBmtzdCbtvevtH4cGX10huf0Bva0yhN6e/OUkfnmMFn2NArffVekGvWfpe
DiH1oxCGn0MvuSN6XSdw30w4xsDTIapA3iejErIvIARe5p6iTu3kA40oMTaQ JVQk6itwE3Rkgzj33NPvEKvz+D74I6BXhHRJrX/hIr3L4zE+Poyqxym8XZdD
wDCGnUpPXiUuwyyhv/nJI1o39hZh2ehpTAveEfEYIxV/h+yB3R6NsCFDxeyX UBfYOVi+FEthJuKNCkGS69ObbRAvRmTsvUKTGhq2LLVEW+xIaWWhC2oCU8z9
XIKb7Br74YwFRPYLjRrfa3TaBb7GFjyAhnpbzm6zCYcgHI34oRvJNEh+LGbI g/1w/+gFFHPN4Wo0rDPKzU+p2jIYeFGQWgAH9mnO8a1vs6wsypzjn9muRN5u
qyHF4jYvl3W83xLxjhI1sThJfZ1PG1p97EFikYgWEGHZ94Bgkq4cfSkUTybL MsjIa7QNH0WXvTH/BGzd23/TexPufunWyNNOuLOvg5r+H0Hhy3//n0ytb7Ki
DO/GOJdFTvwK1yzgrshYa9g0KDkT83wymWVbW99ABavKCe0BMIatH6Jtj/nR WE+q3ynghOk4C/4Y5zo+2sORkzGQ2pEcvSWiYXD2482n/s2fr29pS69AlF53
0Py++gP2SIqXllUmW3Rckp62aEAYucnM+RqBB1V8Fxx2rb9N8kYeeAcrE2Go 5w0jym64u/taLHGB+nZwEV5/rtscPztWpGDk4/WkAn5BFoGkaAdAq3KUtcag
2wzbKMWIafuIccnK08JFqeAhNI16kJzR38RWSWOcZf6WbDqF+s0vy5D8w+Qu VSbZnKzJpMDkisPpx+yNX2OKHBZxZwiDAgnfHoBgqsan2ajYPs0e0ySLxsX2
K9Ie4ezGx1eIFxe822D4YW5QvkDAwORj0rlX/7xGDrdHaIHUYiS2McqYVMVt 2dU2LHP72nXuv82z0RRgte0avDz/bAcDg36fpj8ARzp4Xjgjyg7T1PkgIhq5
Rt/SyTtt+LmcVNJEG51+Zr5AtsSk9zUMqBYOVO/SA9MmoV2RsNudqDXJ6MYl dK4/L4ekXbveWPh6lY0+7yzmnTLbnrO7Zf4z2laBOLzZ2esevc4YeRqlMQgr
FMS0XpHFhZTDkOXskNpaJjdE9QJcppMv7fKMCjL/Vxkt8S2yIYnCAwTTiDoV f+iAvJ+DVKOeEeCvIsDJ4FyldN3W64Po3f+YVWsf+ljdq+CPUYIIUCOSb8ja
dmkGdy2OzFWJ6Tric05MQEIN003zjJgS0XONij2vH1+VRGa6ZrTMZ7wmc9pZ jaRncB0e7uyE+wd1xLrxsIIoCoZtnwLuPuiYbYzxI+yngG7Qx+DYiynpQesJ
tHnvyAhYCusgcctjWScJbebvi4xzK+kcz1f0zLwW+qyTD/NDCk2GNU+xWwtI y+oQ3cFcoZjhYRBF1A6uO7LQvPe6czhLIhSi3kb5/TNg/RgnwBymz7Cgmxio
AtmsZ5c/yub5Dj/QBGgxeGMap+JdK6s6JnX1W2KXmHktN5TLZiFWS3IFn2w6 YD6G832IPZOtjWRabT6iAOLB9XFgNlMnATaI2N0ycolFZZzENtAsjsqQoxKD
6y+WtPlIg+InlwWtEA2xhm1KR5pzVeWYViVNDTyVlugun7X3HI2cSF+WveQ6 n0AIC06GWV5isOJ8biCILhxhAXTjJWI4vdMyi3Elbujhm6JStEAdsTC5HRX4
xVlJCuK8CCE24d14tvBkGiAx0F/G2QzsB4diWSADSxKCg/3GD9aQ1ZflOPXW EdxjcqfuH3V7O/tHB+YXe0r1Y3Lh6vrX4QLMcJvDqJiqh+JeWyN8TxX+84j2
5ZN7fyScmDQ0Os1IiUVhyKIxqQWUPY6o0dyxLXT3yDwfWEsSGRzjxM08YZIt 4OJE0+YdwekuAm73sF8H12UMJIewF0CyOkJFf3ijYEmpKlAbVAVF8JxiqpUJ
dPJ8Okjj7UwS+jAn62AX4x2k3GEH0ABBnOmS5eD62+gFSvyQJZskKZznKGbv YQG6+scsAd0y6B/rtxzjhDeoE0RzAUvPM6Aw0RA0YJChKQ5W5RSiB9xDAqvW
yikGiBFM8nFjEkiib9Mkm2ek9YBDsi6Cw41xpU7s8A1pfdMzgRQfv2WBDE8S nUY6GmXKXqACJO9iG0RroAzlNjsHyTLa7W1jMthMbzykuJJirkE0Cuc5qDuz
mg24xhXUO/r0DkFw3gS8mUbwwWSeo2Ef0KbOcZzu770u/OkTnaXzX4gcNViy OI3yRUiJZK8+uJ/Q2xfNgiv1OM0qc0irHr+s8uoujqagglbzebSIXjg83eBn
O9rX4BcsHxCzASPAam4QuTHX4aUrp9OsatEa61XUIHW4F/6xRpLEbX4Lji9b niWlKQCe85g+8+R1lGZF8CGazZ3EptWP/wFQ832WjU081eonKzRqoM2ufObJ
YJ370utDjtQWxGk8tJaCo0c4RbJqml9dN7ToiEisEZk5IbHrioWIVwLoDZAh G1AHUTjLgUxUz42aTUFSz62FbhVwl7OK1kArUYB5OQpEAIRnHj6v0FoFog9c
oOgguWhMUPOalfMR2a0WwjINhscsoom1L5N4NRm8NfNKFlg056W71/Fev4Fz VFhKZi0VK174gEfx4REo1H32WNw/8/RJCqiWLmCa56GG63hb5elzhyYqNCz3
7Fx2EBDzqTJmjAt+3DXrHyLAIx4sPBmqJn6lxb2U7VXT4CGWaho9LU0l54dW OkI/6nMwRtfh+zhxrXIrHn0P9wVlPcNbVz55VqX3iwoox4d49hwBzBJgUQC3
edsMbXpaOd3u+Q9gVdHvdELcR5V5draZEHqcWmJ0484IdUYNT4GFLwuV8jJ4 CjivR/tAITWKq85WWpnWhOxFE8AGenlt7ztTM3jmw9nZ9cXV+x+v/UjpD0qR
2AtgxKTcViRH7nhpulmBExck+pdXTBORjaEW2nk6ie0qH0eofOd9Dgn+5z/9 avHjPHhE5oIqBvoo0NOaZyimWDMAiMLEa0hSQD8G0jSgH6A7luS0sjFi8LUY
i3j26IdTUpPmabHLYzo/O0t2zmeznFTycXJG2zWLvAm7A2Q5hFPlCCcxWWKP 0ediyyuaY7AbTDm7292j3fXZWM75RxjFDIKI0SGanrIq62n0dc1zV/F9AgNe
psg62jHhNWowWnXxfWHpJNnty36Q9kksvKDFLFImI7TTDbyZD6IMxJ19FgaO UuKFl7xhTuW1VhizGzy4dxdXJx9rwfV4njcKYwpBz3gX5yBf7MJPAGb8Czoh
PYcC9VTWUnLKvJ48qdI76OP0HDp5XkOn2SygkdlDZW1Zxs/BmyRBVHavmCt0 XBbm6nWaPzXDlRiIkb3UYxGSq6mg3xHKe9s7nP8W5jJ5OMHJQS+Z6Mn94EQn
JDqXQgwQ0pUXLKlVNQs5roTZdEL4kjV3Y6EyTuF6eMvAl7g4OyKwG64lkcOF /kCHWxZrT2lNzhzHHJxcDQYXtaQe/CjAOOhCR1KsZuKgGKcFh8ttIqgBMzH0
nzcpzLwHA59uz+7UU5sJuWijwRKc0lJmzV1GTNgZZ6wAe5+m0MIeIoxwRJuA LajmWysi/tHXDSCpHjqTvJGjGjsyD/Wlmn/B3Bqc4wtpDF/wF1jRFwHLF0/P
WREnXza5ekNZSzLpYmSSg4AZQdMMlRPiWBD0pEwXWZ9e16d/aYHIshpndij9 0Xx1LUhojzXcCrsStHCuFUAToPO5v7wZDDEDnj/9ebQqaeHtxYczfyD8pBks
xL7FzGhEK1ZoVLqLFQKHL+1jpqVaPs7wwPo9aEdiV49ZJZsYdcJFnOQQCVg0 Q+AoBVr2Vg12/fnHi+vwp/f13DXnYH4sFAg9xnRfBJuUEC4HsRYelKnetC7M
Ji3tn3JZ0QoSg5+FCgh0hTr/NfMEbZuU8VEbJC+8RQSduE/SgWWoJl/R5Omr 3IIzHgHJ7GDqOy2P0s23aXAnaKph0SaiQ693KY4jkLisZqhgDIccMiq0KxNR
2kxAVOKQjrPkwiVTxcTGsn1mhxceY+yf6wrchXS9lk5f4dipVimWAOmW01w5 bj73OWren+0jXJFiBCiD9HApTrx5yiKahX8DPqaKTjSfF/OMco21Xv0l0UN+
HLSG4mrGaV8Y/QB+iPD2NJ/XysZvadymQSZXy3zCTnDeJ7aV79T5Br0jOkaz MbkUz1PIAchVf6AxGxZP67I+U732M3KvmDCDelIhXMlHZAyOxX4FGfJDf3q7
fFSRpoaVLIhidJnbgr2udQq4dU83Fay8PvGBud+8tHlEqcthvi4RWcGmy/zw O3udnd3d7v5LqTu6S36Ogz9Vax56p/JpVAZnsN5ozWN/iO6rYTD4RU2WCDsZ
x5ysToNckIXn2GnNGWicRgpJtahybIZ4yXrBeXTaUbA9bOFxF7ZDFtVjzK0e sI6WyDsHDNlFUxz8yXgMytSai+BSKLQ3cUJNlDSluboq9PpgQhNBiNd+HN9h
gwwceNCFRYeb5AU9K8/6r7LZbJ7KrgKXr5sVrcaN6Mmy1EIgXQDsyxr6AX5g itB2U9T7a4ixoRXX9avyNslG96AEg2pUY0F1TfIFrvDD7YP9wxee+AcQMFCx
5VIVTbqFTDYXQFem5rP7eLfqg2j8nKPEJuCmSbUHHO7m04l9PKO35o3t1qyt ilF0xxjn+zhax9n/EGGouasNND1FIvO5ivJ1D91ms9kCLQSJmkZ3at2jF3cZ
uiqnhhBwxl/kB2F2k9bXMHvHGnWoyrkwTNqNIsDpVJCaomKpIn6B+j2VHX+l Wr/LMls3HhvV4ZDzDI2dv0Z8MLC77tcY5XW0IDNMHw0VF+m4KkqU9uAOWIHN
VTmDe89MVDD2LqHvKRPWRNVQO0h6LkjlbZTzw0cCdsc6uflW6PE4qtBzYVjX T6Neixkw/vJ7cALkI0qaqXM2KkC1fOjMR3EhrxrBgM4eBv2vvZ3TwWBbj4gf
ZUtbT+eoLWK1pCyhKqeaCtrxTllYtUXwo11FyrRxYfDfWiV6k97Ql7xXwPno hfBB+LD3ZedL1/DLuv7flD6JS4RXj4MHuI8d5JUwVGeYIfnBQhKzeYHhHTMQ
PYNkiHPgFVRhJlC+lA+RnVs3zO5nmrOhSi+UPvpZvaYykNnMO4Wa9IoudmEs Z0BEwUINkjA8jot5EsFlPLvqh9cnFzdh/+zmdiADwDygsyeLcDTJ78Kvj2g0
ZqKqJyyuIIVIS7zi2LUJvXHZZ0HJD/M0z0S8FJynF9+ZspZMmgHkDHL/R9kU uVez2qt/Cn8C6VleAbRU4SyB6bIZ6Hcqrz18/Tm8/KjHp5ot0/m9Cuc/Lz93
ZjkfV57tQJypHbkbMGlWyc674emuTVWrEDnVsE404DNhD5Akb4GZqfUVcQib fv3hzH2QtzH/GYcmwUPhTa9vhOsNhH/q7BPZMm9zaZjpYpjH49BEtofFHEgH
tcTisXN+HCaFczDZO21NyKCR3JNPnxIJmGn4xygBDk9H2eXEeAW59hqEeS94 qBz1Yc7//Pbm4jQcXLwPB9dn/dvloUjIKGYhFosBTozkoDZG/9PV4Pbm5OIq
PMLrvssgupOX2YQZ8/fEVsaiolxY+QJiYjaenefDi102nfiI+Anz7NzSdSUX PD37Y3jd/+wOUgKMZDVjSiapvXz7cRDCIsIPZ38Oz/7UP9fv5vAuHcdwWNh9
eLZ6f68pDTQZWV87RumM9nUtqxeT1i3HhRUNcD6dec75hUH0dQfRP2GbRDcn 1Jf/9u2A194/P7s8W3pXJoazrL8IcAcFRV4w9S74LXjcHGv9PdRq+p8u315c
b3rJaGlyWtQfuC2agLebFyNeLKIuR8Robwgl2f+RBgyKPcMBMykij1VLK9TE nd20WmEYBtEQwTIqW/Dv+/8CH2DYb0UqEIxNltMcGY4inwPcEnLrtFr/9izq
kcgBFTyr+8YV2zj+3BO5rnAH7WF1mCKb9B+xV7gejIjrJmD6dtu11me+FfA3 /qXFJX/WPhTuvGldnA3ec7TxMc4ZnH0FngG6GS2i293uHWz39mXGFbiu51rx
HVrCzl1IFLUN6NR/OQdO4RpNkIJeJajzEJ4sVS08Pq0Ci0eYzpprMXG8L5tm NfLG18yydD30+EtfoNvoRgFwRxwD51Q5ch+Tcd2bpId0Pwt3dl+1znUXzht/
zAV2bJ6LrxNTaFYLtfiJRc01h4zzFCcl5kLCiZk1O3tIBjYJzNzm2jRMvIEH xTOoxNB8Bc/nmLRBo0OJi9TilVM/d1u9NTz3sEEFWczNu35wNgbRTVXq2TU0
xtovVkIEhWoBTkMnSiEWEmvXzKjNFwGdZcK53tt4wFy8bp7l2Z5nMTfPUnDL XPOGyRueCnd6rwd5UUxnIaaOz7G6Bf7pTbb8NXp7CbjFlAGKmzs62uu6oy7R
Dau7g7K8bmfSrrBtNvGLVdIpsxxXQL1qOldhTgx/NCvHN/7XeLF6ydvTM/o7 Gm/QpW/D7sFr4bWCKpl5Vnz/2uvTSMGWJ3G+fC0ZWEfy9ETrnsHyYe58oC7E
a8aDMPbBVL9dzgr1RhMJ1l2UrUDHpMxEWWe1SY6Uqk5prRTr1AjAN64bc+gE +TKqh+HvhCr+Wz6BG/6X4N2fL4Iw+EkFjyBlBeOM9HvWtNEI9Yh5bo8qAAR7
b92RhUiJfHXmiemP6/29FPxgJxGBSiirNZmqW21FtDW2ZUGcSzTfwBEhu97m QAMgfQtqOZry4Xz+dPkRSGe0BVJJngPai0RDxZZ8UhsoLHrE1T9egMWdVqvP
iUUgxYToTDwDPG3nh9cvdiG0wytEo8X3HTYtEVvTl0XXmpW5d/llxITAegLm vlMi+C+6HYH3T4p8tYPbTjv4iWKOT+G3QTt4Cz8oiLTjGErjdu39DU7bAhj0
3dIa2LUvz2eljtYJNmnGnpbZSizyPFj6yO8LiznZwZzpm3ZtpaqULlXZThaM 7STBqXqIkW9QJRhHCK+97GocGzB9lt8jNEBluAP0K9rsjEhVGZIxsC0wqY3y
+GXBuc3Fyqnr5vC1pV/T8x15r0pRFsRnki0Cu531HSY3G+bGaZ1ziJMZWko0 7EVvB91Dk8qOYT31TXy/Vm8HcXEb3cDbSydSG6Z59t/BIQ23dJINYoZW/hE7
uLWaIE6DpVFiDbnGLTIfVCKaUan81EW1XezLxSE2+G2us9mClS95CiYuz4Lq 4nSUVGMVfF9U898FisPk0QYBSz3ZOwywvtUWjDAyI6zmSDjeCkYE6wiKGBEM
SlJP2HXLBQR+b4+j352Bc0VLVQg3CAlWSw2P07DSmrUVwUzIGy4aTPIpuAYM n3sEfM8199rEJC2WzgMOY4T57A0A3KVjtCjKOTzB5ksQdAvw/nv7apSOAO9/
LmIKjYpF9q1aDVsGAxa/uPcxq8X4Lt5/eEnMVnw4ycuy4kQm9X1yekOyc/by 2HgeTzdEav9h41eeTfNhbJBM/v0kBxldi+ff095/9ypE9lD3+20eQY8nt5sS
/Xe7A4TKPpAakIvsbEfKsupZcuqDxcz+1Oavw7iYVYQ86M9xcnZJj7BcEg1t YkEx+GHjtrOBadZ43X/YoBu3YdQt+Lah6N7G7yxufe9WjvsdVbT7ftv7TE+8
EXe9EocFH2BXz8hlEM9YW6GdTsRd2Dd0VhpxpLWZkx3GnH28BR9A1KfILsiq zTOvXsipuxC87e46TqOUKMDquftYFO/rr538rTv5IEqwyJMz/VsgofLpygX8
qmSP0NYbOvjBO1CJvJw1/aac0cbnUNVIlkCMSyj5IPCcLsoXxKEW0SBbJJD3 +MEG+fXRJGpVvz5STvVr1/bBXZtD7twF1nxG8eplXn8eTGOVjF+4GrpOM8DI
IFZXiX1sQUJ28PDxxzLzLMDpkKTVEQ1K1bTe2pzqw/HgZ+Fnm92So7UqLecZ 6Q8bQqY2QLFc/LDRPdwIFqD9/7CBZGsj2Gb03bb4+z27Wi7SSRbwMn2auRE8
AhNwnjMLZ5PKsxbKe29HKC6tdLkEoORamgFv33oJDZMT0Gch7etuz+ZGHSq0 REkFH7/0guAc32+bK/u7VsjEoHULlCsaoy0eeWXkRvRg5myyCNAe/4C+ZR3M
1rLBFQkvaCsAfzlDKoMaOEG8E9bqtErnGRzGPvk+JiMrtZgisuH9qyNHKJ8G MtJmt020NW4Fj5QADuOiQ6Nw8wyjHKg7rMLYnLgIR3CvFjZvrwjGQLSyBdzL
UOlBR7AzXWo4/YyBs2x1tmIWpLKzT9t+ZY80W5PqlcLXxPMcv4To7fbYqC6Z MgP4BNmwyBJVqjYycKSsswj+i5VkqJhWUVSzOXt+KpxyHnNGFzwT54HW/GVV
4XBumiZXTXbPzg+QTU7xIdCeXOFIfmjHabyXKUlHGAoJefEXlSwGbSjJduiB aRYk7DaaZsm4E9xmsNsxsiF4PgZeZPxBxBXjdJJHALeKg61mGF3hWPWBEntF
DBzwrGGt4g/M/R655XXLbiNgiN08JqmcrYVkNEuDVXQXVTB8HrZaLAo8gs1L Fuwe2iAsxKNpgHlRLNDRdgAq6JkPhhn6shxA4GRmFA70hMXBiiwbwZhyDE6G
Lyd1dzLgDEL+elyKa6t73OI+mMr8cE37/Qs2+vKFGb3Y1tj+WcP7uc/6hbqP kReBKa0awH9p5CGcG6Vh4bHBaAQLsnf4a/RCtDav4cBYAIgxMKuMMAMGYRxz
iGbqS/nWiQcaq3hf3ABUJvNiLBC05CMMRTLZbnywtD2QdvoKKYUSMguE3xRn bSDKxPvcJ2eH+hpzBIKUxzK1REY61x+lnIcseVBjqhhgAEXHsRJWneDHNEEL
cj3owPb0dqBwSiqQuPNGst/CBJ2Br6/2a9e1dLxxRubRCAPk4rsM5f61GEbi 2DwHOox1fzykE04EIMUTCoppPCkBBRARAcMxMR6gS7H7WPNCji/AsE4qDzGu
VZBqUPGJVGkuhfyIEBY621kKhBo+J/5khpGKumt/dY5xzGKZjFp1LxTTJW9v SD7DdVZpDFoPPjPHcH+uq7lqUaxAz+LxOFGt1ncopOTZuCINudX67OE+7g+W
EsWQInQLB/F50GU0aHUHgajTclkYqyUGK8y2rEQGuV3aEe+pXeid01BW0EIQ ZpHrb4goEU6a5YrxFC7gSM1LBAy/pClcwfF6BM051dopfounQQM+YrQl1rN4
X8UeDaiMI8PUpCUs5LSGOzNFyERU1n4fvtCcPfMwdcQGBmMxxa/mWja6jimJ UIhLEa4YcIiDLMkjOjflLjD/TgfcdIi/YYR3NASOb15RkwlG59BkCmtnEriz
M6CnApqbZmCBb0sYlrm0+Y293lbDD3G3kRmCW9HD6zSfyNYWNadmDwExuF8z fI7mdF7DHdYvSgnlMH4P94Z8kUQaG7lHoDNT/7wEDoMjcEAS+Ae0Y6gIVOkD
F/cQ/sJ2bXKbVrklT9MJ4bACv0u4m3GqthmyrFlJXPmxyfUthhaRTNSSMJPo 6Z6d4ISFaKy3w6drsB1+n2uVqv0aKlQwGSq2YMCoDAArAkpTBmiNFbxYFaQJ
g+Oi26pQ9raT7bWsuG0+J9vKEPFrbeyzzZfdy+C/7rk4dE9za2DDikUWuG54 LGYzhbV8XbqzCUwiC+4B6imSmkbitEU7AmEKKDYc8QNcGIRwB2tfAHRyxFKF
raKqDXe8NXADdSENUnLg7PflAdAavjGMhjAxLOT5W1tcXj7W7CNzVzsfFCxl yZB4Ze4y3K4BPkLXBaFU1ZggE0F4LkGxbZ3edxlnUAyrOKEzmQFmAfI+qhx4
bM66HOfM2VyGi60OR/nX5L2LAW6KVYrzt+2gnUjK2jInO9XFR4L0tqLb/mXn F2dkAmTotJdAAsj8KVWUsgv3eLaAMeOC4bMMPtwfVi5UeOZRytpOqtnx9Y+M
tDef6bQiblKRkZRhMHCJ8DX46E15q+4IIy6O0F25xkdlu4hAuEtXZvHP8Ele PO/xF9gAHAYhpiZXhLV8qqOoUL8Fmok7L/iFrCrnHGQU3GHaW5SE8wqQr1A8
3DCjcXRiH4F4sLG4UfrDYF2r5h3cg9NCGKq42on3rUZVPqnjLJMwzzDORYP2 cpbCCcES0WyAVzrAWtF8TfMMtoaEtWHFeGzTCK9IkGLtJaD6pfsSDsn0GNYF
SDN9CX1CqsB75gjy/ite21pcgWsR/W71r5Xx1mQLPsfLOpBOjn0i87Sq04r4 xPPrSCVIdfAuVCmW/GRlzEEzGLetKwxI9QG3wOVYF7hMTIHL9jJvMvN7jIkg
UmDZsDtH5FMQhM+Ka7ChSXBTjyWabryVZqSMx5zdqa61LyGFGJec37y19YIs AquT+m4+G3TJcxs2NUenIBVAAEAjNgjS8D5jva/mYwSWQaU8cADZ9IktTFba
5bzJTEJUV1lf3L7rfHdSOr1AvMkaGQFGEhzrhTnofGpgnJDYMRw+ozQ/Yp8k cLBIwo4d7MVJ5hmauDHpAqEzqYgJLk9VGui7pFhzkNQE/vpkXShEB8NBxvGo
m8x/VJbEroRfMUZDHZiv4jIVpqCpOUjScroVp0MuFgC1AWJZ+GJP02AEFhmb 1BHkXKVgEmDQxB1RRhJE8FLjuiLDbuiFqLhva0bkX7sqRRskcMwSqQVm4hsd
qIdYkysfTmrBqOMoPoKokLb5baqB8Hk0ZTzOSjpgSn4TeAojzfL+G3duP21t nrCAdPwhBpkqS8kQEQCZY7xGT0/Wd/rtG9yhs68AjgJJsbnSU6QTxBcwExoJ
Yb8uCxey06QIZx66R6iObBfEiV70PdxZHOQy76GwOOhNta/nc25dk4xE7nFV AB7nCn7rUxu6ftlkovIarPGw0gJB7SLDbwoUXR/iB6T0jAPLVBemdylRnQFH
1rwMcOZKlD8viHjh8XDGhXNeOoLt9pA8uhZUBzuTwJG3Z641vDBbcZqliz9G /tJq0o1c3SggQfFuWsKhY9LjEpCJAgKZzol5WOYPMyDvQIh2gotSM2g6M9JQ
e0hEFW/zrKXABM7X/nqemRq6xXi2hHuELuByGuwRpHw4mkZ+QJvX6flQPEEO jcdW2exnzZJI9NKcrihAIiMaSYwKhVvzrqG5FoFjxFyK9gGiA0ItEsQ5DTcl
mcMX27YjkXLHq7enZ/3hq9PDR493e2yyZixRaFp0OMTKqblAMOLetaSVa1yA uYMZt0d7mRajnIl/wuFeM3oVsHhkRwWrwjlfHjjlDR1nAqNlk422/QC97/A3
dpP7Zc7J0aolZeotaaU7Mc/d7IOG1eYI0PJG67BpxH0M2W/zdsjOKCAeY044 3BDzUa4DMDcIEHKdauxzJWa4AqNk/o7c0py8eHSlIQEGyTYH/vFIR9NMBwyb
yxs2sNjnKlMC+VHGVHGwGLSQxDa3wZyrgPPM8S6J/ksq1drWdQNVa8VT8UuJ AJZf3RFMmCe6Imjj7WwD0jH9xpIim1wQR8J9Qyk1ukXrOev3g82zJIlBFh8F
6JKk4HPfsIoAGqSzub6JZfAxyFTwrRg1zvEWcUC6aQIlcIy5Z5PlQmnpcKqK fUBV5anPWx0sXeNuk2oGoBNtbCRYAzcCuiQ8DRfL29LyNXBz/WXoVNgF+p3C
9fMNR2VPEkE0OyvUDNqvJ3bCnBJK6Uwvv/YpsWR7Sn62o7TnGqCfufyDRHuO QaYRgRAl0hWEmS4hL8Tce+IEhja7TPSEz5GrBFrZGJSuRxTEYRy4dVY0h93M
DuiqR5o/2zGsBa3KpdOENClUKoTpRPKCITVGEuZEbLN3B4lCHOfnS5iNrEeR UQrTg/K5El+fIV3iqrSMuaynwHVoPAbWPEA+nhN3FnHMpbZs05EN4ZckrWvy
q6yfz2l1dlmrg3j3Bet8OGs/xfCZXD4QXMX1FJvJi5VPAgixcDnd8s1cLn7t yetkioezdGyXB6NAOArDlIvumIIOq4Rkwj8nzLut35Qby4YwRDJUASdwlKp8
YyZ4tc9NUZdsp7LlDpHPE3fFH5u1UTGplkWjpF3fQsyJNLfKZwcZw5xBV/N5 VECAjVZGQq8NO2ZY6EGYCA4BCYgMUb3SMpaAZZKMNGfRYOJLgDtC6dIVSIBa
QaNsnMLL0DlXoslyrAkFPkDO9ZiuflXY88Hh0z6cfBvCMnTd4X++f3z8ye0Y IZcHATpVIUwXwk9tHdMX0m7st7gzWNGChBhh7ax5YNg24DHBUrQdo2zg+a1V
/xBjvhK/qNnsi1SSICc1iPatP0gyuH3NNuipiRWNeBy9/gPNFjtARxV84R+n IBGrRySGGTOhe4jjeGKccWQvLrIqR1tcCXt2pA8UFIr4F2UBWtcl/avWCU6t
boPMfG30PHihZrOMyw97m6ckqWqjzFy8nBsLbodUjblA78CjH2bcsSuju65A FoRycAicgfinRHpwam6h1T5sawECTkXtOrT4xXqVxjN9eTGoG/FnmiNlAfmu
Eu+6Gc81UW22Yr+3H5wYNOzazpzZLXsLUx53ab8QGPYEWVd6MbLEmCdiR4tb JsfneO1EkmTpH+TJSSzUDSWG9C5R2vXYQQOE+3oUzwoh4Q+wbi01BndVPKY4
dn0YbIBwEgKnKyApHIZbPpeSEzJKVLPkTbBDW+XP/9f/Pd7dO/yEM9xLoC7U dcITjcrY7gOnQJnDu0ZJPMyjnNhEChBDC7RGwXbTOTmUui1IhZpdCHRgZpEX
yLMj4ihwz6PHHRomv4Iz5WVfIsjCbxkhp00Rl2h/HjzuJQf7h8d/xSOODjWy kIcluhhV1grTRhDpHNPviOqCwyLnoNUZUlpQhTWqxolcap7HiAx16ujp8EY4
Ay6HCBAiZ/f3cHFplOz+3kO9ffq0G2SX4VwV17LrWMlURZKdNRoLYsW4Cdxq cjBEnz2+KFUGmhoagF6D0bBMpV08OYWxYhWeqyQBVA82T8/5GaD0YVEu4FTu
VpZAqkSfCJTsnEpG+qSrqHa3LfBzt3c0e9AzIFXLiwyGQFrl2CtrvFySfO7M WVjmIzdmAjkLRNECxQT8hQRMETZrWAyDYPKXyaRuuzXtEIl54DlWFC+oZBPz
5mAjShYsrW+cP1IzMIIyHCKmmn6QuohG5DAQY9En3qCgAqJrIxcReZBwGBz1 X3d79aW7qG1DmBI4TDRjMOqqugwrZBs5gtH+PGsI0Z6omKLeO5JY4jybMfUE
s2uynhtaFkZ3ZFFGBtKdCqyOx6UkPbNbZVwjhK6ddipb9BdwQomLgvKrRSZG 1GRODlcE5BXhURjaS2HRzEj+QbUyQWO41lGRyjdxfwsZ1+xYoPwBrHQOsm8p
qPgSzI4i1TROFdDyEKevWo51XvskMAvMK0TlJ6jpuWVpFSrvgozuMQ0ZvIGH bACNJEj7SDjXxhUYHu8tCryoWRdZTWyPZtiSg+STLEOZOZLSjQ1z8smJVoK/
c/nDWU8cqXmtWeBrngRm4JaQiIjiZGNq6mileoJjOBat4OAJiS4aBwfoNlTj 6qdAqjYCBFLjQvh7Gd3Dt4QuSAdhok4wwFthRVUmLSiG6YIBM2A+RPwTydcX
uZfS23Rr9uSHk0PZafiFjqsJFBK2Y0414aWxmXC64yQo/WEgh2yTFk/P7Dkl 8RfFP/hdQot4JUlizUJldAcPm7yTwmpL1fwOeRLIi3fkh9EscJQR16SxLMwV
tu0K+LLqwVNoWnTXctb0nHAKKKO83ZSUzD1CoEAsdwFZTXT0xWjThB+3LTlH 85qUCpv5L0YkLoOYgEwHa2cP1QT1crq4tNkOm1QbktZRt1kEm1eDky29U7/p
mhO0OGio8V2u1IHUjjPGau+TTF4i1e/aZ+NoTpS9dBgQPcof0jSmHS5g36Wd iwQ+j8kExLWRkLKJGuaRC71pdish5vw4CFJjYdJzajYJmg0n3X/7FnAYvMQy
xj8oQ0JqE5Bwkp2vxc7ZDROjej7jSGyuOrPFxzKzbboh7LG19ec//dd1MDbA a0AguScPppRDsJJyYcUJbb6g9TDhe6+QjwfvMKcaJpZKvrieC139G2PD9Xo2
qoYylFPRhRDd5UWamE6qn481s8tsvebIrt11eQNaZ6Srt3R5U6qI3QLXdp7+ 3w4utkiHoitiN0y7MyfXlCRqaezTkySmwmYI7fUtihJA64IPz4esOQ1TVpmq
oTQCb0gWcb5U9VSxP5Qrcm2nzznpRRMr8rBCx3nDenKHwH52Fvv6qFuvKxs1 VZmwMpzPSZbaxLhEpo0ANst7hpVm2SwJUbCDQ+a1EcM/KoAtxXKjV5fgSOaP
s1KCMZcSxCYr0kHgFUk1vUdUektHYr9vmOVxPvsundNOuL9XoF3dN0OkblRV yCFPZB12SEnqGaxqAiLHaPr2J2es5hcXpOrYWw/QusM3AIPFXrpUTe/pidqD
COfLlwCAlwSb5atqPrcWEnsJounjnDfUdiS6u1xFopT7eHcH5maekrGPpUrm fPumRe9my5pD3WRpAdl2UX0QNQGu/Mvpb4SW0SChgF4s4s0U2RRZd9cnXThw
KTAw1PXUAfEHWFnEAZYFdlQm9XNpR9ECqydBKY56EiNfX90sJ1jNWvzj8ZJK hVFSTlnTsaZs2DF1diEtnU2duIVyMRfFH+jTTIqHcLRPhnsBfkSkmow+wAYB
FcGkJ3kELCNZ56VV6zPAI/vVgeaIR95Kaj+ZHVzLnYn5gbEFtdrijGpHtkF4 v0DgKKda2MQZaGEkCONJMJsQgcAI6wAp9If4gjbhK5kksITnBr43Y1ubJXMa
QTv89Il/BL6k/ggUx0+fYF/lYJxY1DnEXKF56MR9MokIOeOyZUPcEd241EJU 0Ym3zVSEFHLFoW7CXCtsSYy+pN+ni6CRTxlKgH2dopmwbKDgQ4y2tX/6R9QO
lNkMGaTKq8Vn0CzpLsscck5phIRprS0bGHTb5HHym7yOc5+JAXqXEnoeKBto pISrW1QlpvKnKCNsXp70iy3QispRx3WK0FE8VEkqFmqAy7LZsuYBGWeKhXkS
u3WQ6hMUDVoMYIPnW9Sytp+WdLHnatSkkCBjOAAzJ3kQKFFmQOMkpZnEsZXH q+pSFVt2GoUEJCXTUht7nFk3+XQiFEqUBbUd9OmJ66oDbUH4ZSjMFqDKtuqC
OztdnAictG1RoB3aG1VjBOEpOgOOqySu8qt0tGqkbIFfc3/PiEt0inriMBbl am1tVQrEjCVjx0jBV0HvE48IZBU4BiAklCTy+cPpFvJx9wmWePH7Bp03mOoK
uFVxEcVAuVTDlW6QYIIE6sUCfhPLYqOj0pOwXt3TsoXwWraCuqi86RU7+SAb iiyAJVlsTboKKBPSI4ee1wQJMvfz+ErkNNRZFVlhkgVr7LGDGZ4tGDVqiivA
9D7Pu+USRuEFnirqfDczb1da5/hdX/jdA/xeBJHDAAnxDRVorZVx0YU+Wbt0 b+ptbkTe1MUBjfBIVANuQ5VSRcF0sWQI1se/pAsYEN9lLEKwTUXNHd2exCAC
MpeBEqNNhnIbyD9XPSklY71BDzP7ITgaTVRNrwocPsQ+ARQo7mfN5POuPY2M OSnvmgQb4xEl7PiCNlJx0VKMZAuLxGOkfgeehiF8UuudQmdN4oNxiRn3xAqz
ufrn8ecH6tL5cXJgBrDtDXZJO2tUIlccP/LVyPPiUcKz02K23rvvzFvzenNA zlQlcxLJeBTcN4+FAi3wQibjNQsR8gE9HPxt+NAdnFbK5MKFV8GVuI3YFRUk
qssJH9xzf+9wSzwzSvlEh3kMgWs7mk3wJHY9rEpd+HpcLvRYRuE+txycmtam w7BbOi6pE0cQT+hUQCcDqlEKtyTTq+4WoFDHxT/MfESCcX0XN7fvfqPbdATv
lEsM9OESQYEQeaOeD+j/fTOPas0ICQYVyB+rHEB2j0+xWcvw0ZBLziGSb5IP spwylsU0+h4TYYLN/rub9xja8h1w1HwWM0utO9AwRPk4OLGuZCKMYhgoXIeZ
wcGJ99yldyDzkM54mM8ZtspJTW5bdEoM5PNpOj5JsfP09fTEJZtOXK2bNdIq LvG71uhjOHAFQ+j8KPF5Ad29Y6sG3WLT3YJKxB4HrWMSZADjAcJz/SXcmZKN
urpVaG1wK3nVNqMY6WvxMZa/LF1bweQp/VBnLrcQcDHI75gFDmYOb3X6jp5t bXUipS9lTHbglC4i1hxmVFB5npHlqPURCIA/DfaHqpIyLLME8J88WUM+CtZD
bf17zr5Jr6osc7WrYE1cPsGw+q0LNAG7F+Q4t6pZW8rWzotXnJTaqt1sX3V+ UQVAQM/goXgOxGruLbUGCJ4KXXk5q9Lah0i2IKIEeNy0EQ70SeIGZ1EkWnhr
RtdFmlc0jPB9QiOICp+g1PMucwTHDM0Owkbc1PGy49mbqmFYOkiiEadUaM2I dVYb+YxpB/2XGDCHSyXLjR0JObCxs2mvN0hFS86+G32bljJ9OORA4LkUkEDI
DzR4EIhYR2MLU+wQud1tKQdzson5s3NdEr9FLrW2R3tDkBUmChSGkc3hfVrf XFQohVKVt8Q9hKLZDLpS0nI1OtW5A26GMg02TO1j0IMoQY5TFNXYCRb1R+uy
NCBEYBzQBp7YJnG9VTTiyvHHcHQ7KtPhLlDBvOtDOQkpHoXjcsLoLYhX5ap7 LQboA5MEX9wllpyzU3uWU9kewWqt4dgoOAUaCjVRJ35rVErlFDsjG7j5E108
LBhrkFWBAcCswsfFq98zdfA6Xauw4nS3MQrP5KkdgktXyLSIytfS7ba3mZ+h qHOKIQu/BRpoyCdy42Yjj8icCq/qqo1Sl4bm/dn1kWLK5gbAzQVe0Nu6W8ca
HKSeTabn0IVuMy7sykyqqHrbnt1aBBDMGc/FmXrRhp+vn61/5moZwp0bBEbk poJoiEsBvs8mpow4o15KsOEaLR17PUliC/8Dba33rPiCtxsUcKeKEfBpteTA
PWzbuxwGCbAwsA7ysZeFJuQCL25eTlz+HYsw6I89j9nDpht3lGLJJpU7AxLw kYAOkuSND0K3riXVRvuKh6gYw9wgFY87nCeNX48yNoY1L5ttDBPeHj5Tn39O
c3Rfww034UnvhWYLRwpE5RZeJITsB2ucsLoX1f7U6TyLEqxTkRE3D7McrdIV mmE814ox4jXivyoJoUOSOMTgBCATK8tvDbegNJavzhFqDk1nMUcfJ11jFDyD
BBs1CPIvOETMWXmkKeeuRmrXWkcAZHHxKzR3gxM8xA+iVia/K9QO15/Bq/38 jdL6VusLqUe6gBTJDjaHF07wUi67KEjp3rACKgcNsf1vyNjmhvJ0bF8be3KN
+TBaafy+85x4x3X/ebnKCmBVEvOg3RhSFCkyckbGqz57YSrOlF5rWeDBHOrk B4doM9RWD9eLzsZO19471eoTWR64PwIbTvIo5m5Z6E9MC61jDhXpBpG9lq7x
16wq+4jYzLLJFfuAy2lfgY6cm4fNxVl5J8HcmWbx4uDMylrLcX3AWXLwSP5w rmjCrsY1johJg+IrFoh0UhFyA2NGdgKvkKefFp15ixaTEcJ0klWpprZAY5ne
HUFWu6iiHAXzkWEXVi6fT+/CDpMyrdCbFdMjCMHiOVAsAFVpp/Yh3TV0538F ZjkzI4OkDc6hwvjnS27MN2dnLKKoA2W8MARNOMGU76qLmBH6WFiGDUM0nsZk
P/RRbbag3JHierWWW8wNGJn8hjLDtznHGrEhriwbqiX5eHCCm+7v/+NF/8Ug ykeFiK36SFZ0meiCyknDcwTIKQWp0qVAMU5itZBus8+Wo2fZzmxluAJNFY8r
r5ppfzytrvqjUd3304bjGpvjDCmTQNlyXOJZx2dtaeoibcElRjAMTkRgHE8M CSGSKhi7iOIxIzbLPAUZEYC6/aKMn4SJCym/wUOUx7oeCtwPckPQXEzaNJmq
8xNNtWZ3XwD6Ec9Jlu6zRazQN7QAlq2Z+3ufKPGJ1TR2RqI2wrnAyEYAEFPb qyWVmBrNgzUy5oGKRRM3zOgiXU1NN0TQRGpVj6TbYHKzIYRxw86B9u228VG3
PtZE1tss8bh4Ut6drRdXsNbM6Ywh3swouNclspkLMdmRSALDbXLs4EMrd9Nh Jd4GFVtW2BxrDh2NV5DLXGZx7KCMEDlhOugMsIkkKCp8p7tyucFiLoFvtahD
LYVu+wlthj5XxDvzUTjVV6Z6S5oTNFpJZISOwi4GdQgBxCJ0EqkEVfwo8b+m zEgikrQt25ilUH1GXCyyUUx0zES96NOgCIAl9m58hKv8mGwPrttsxxzGVsWg
nfXW3PgLtda7WrqnNbYhp9BScpGhkqjow5/FJqw0r85YEIGH4fRHjTtLnWqE xhr/iRPyljarx2Sktso1XE70q+QdaTSK1hHufQoffcwexEahgYs35jFbopqM
QNCZHacklM1rHFs9nRuqq6RsJOdAiNRpAhu/tF/8NIUMvdj3o2mX3Q9P7iSw JUz+HyMmUuzPRXHinuiKgRMZDtiojYfrhUZ0lkVqwtg2WjKYfrLNHfR3yswo
bVm9AhEgWZlxlTfK2Fl7s+Rt3er4HK5b8ZMj3dgb++idwsgDOvhYrqmgc2It /BAUNwDRj09DkRF2+g5lB2790V62DtHZFmwdXPL2Nwt8tSi4Us3p3laFw4sM
yHlpOdFZYQzh54zEfQ5IMCk8DIZ+aEgJOSqotQqQ83kd9NpELHk+c2eo82fM tcSQ1LyIciBDjlpDNh7mRo6DXqVTpDpj56U28S9BvIVEq4xGFPYp9raXgIIV
u8Qa1EiDjxY8Jd3wjSyBAP93NWG0on+wt/t76fD46dNf0cwx2bGOkMQz8cxX S8p/b7VOtI2J7I0hW4GXSew4MxIAG5fFVYLJQ2hnT7XFzoYK+gGKDUuh+wl7
KL19lrxK5/AMwBdR5/2z1XjGCSyTuM2YK6SJdI+2nKlXBZ1yAAJk+gTzhWuy A0qpkkQblLIMSBPTJmqxVDh6K1tQmSBIyA4GbRkhisIj55iOgJVZSndiC09v
Bb1hbG8ooH4V7Bh/n2WT/lsywjWvhX8flrMSOR4779++H+5y+oorXrZBC6sY BcxvJMhyfZALrtb37KNjFflp/BCJc3zmbRWH0/VaUHf8zjEZeqLj03fmrn4D
RA+g6+1qkf8uG1ySn9hr2TevJYNZ4FpzPzt/0l1eSWNHKcvIFv16gUMX1+ex UoRIWqXGjydREkYdNGOIEKwf8EO/4Hs0cZFjSp8x0zUUjQpb4NIYeDX3AziP
vj7L2kMehkMIEexYwZUibc4T4FG4UiIO82hhEjBzWVkfCdqKbiictbRynjfe 8qwg+KNZl13/cQpQc++EUSCWzZhb2CLIXhi3YSQ7kKzOMhU3Q7KgeEvjlPSQ
eJsxIrVfGEvetdKHUDwM/K70qN1u870Ad/3qtpxuyx3rltNmmnjUF/bNtCc8 h9kS4baqCSmOGTZcjjwTrZbzVgqkeFQsB5EDY0AMTD3boN7XydmAzT+mG5Vv
0idIsz88QH6S3CVt/rGu1tntj3chtKIeIS4OXgNEli8XdeKb5GL4/Ref5dMN Gpw5vkl+4/zypB8Ozk96+wdbbVJOFbER2BbcClZjCir46JHsgoPMxT8A6GT+
Tmo849rhhETiF4w3LkwY+5exwRy/IyzJXastFlBmVlSWI4/A8hUMhsmqzRxB mFGotEhCSuwjtfgnIrSrrdGomRkA1OzSsmxYcYhLtnhed91pCLDtmCLQ4pJU
2PV7nFm++fTPsrQqLF1Od7DADF5loyo1p0KYrKSrUcvCthpEYiDPN71snc3Q KLLD8pYQ/FikKCcPMrYehw/XmFWDTYTXFofDGSw0lgMKTccFcdwAB2At4bfZ
h9+Vi0Uqh24Q/tJmAhuOvxPQdiTpFoGfS6TVt7tX5iUih0QN1lYz7hQ4ps37 jWgtFtQvhbQJrUIT/YqjHsFy4QY3GOxp8X6TVOdbVm6MPc6jj/DSGMXBEe5d
FGGoNleqafu0Aa5yLtLVhD3n19a8vol208IIUWIulEKfSlunDYgx8Tptv+vT jau5ANz0WU2XiQCaMNscQiIxXa7MUJ8eiA7RUZROE3l8agNoQQXlaG4DaUta
mkwyCM3kQ7UsBI9j4ZrDJu8Z1R1ZNNvJDp6/61cn+Z1F4jS5EmDvWTqfcZEU EH7aQ+DE5pMzQVDDUwFIoSH5aJFVRkaSWFKuqwvXlg6McjwKWUwsxh4MMaLw
LmY3IVwD6B+6ePL4YDcovJwxpt6Vnp6lBDKGw1dOtUfz9bq+nvf5bjwJv6rO AHqEaM2yyzlXYTyD0yHrMvJ9W9ecLnBhd+gOSQkH7lNRsQa4eO5Nnhnn6BIT
6zpK4uYPHrv3/htrBvlJqzT0VzFrJ2TxCdZmY60YVNG0Bxj6Qz1D1hYrLZJh tV9Y9wrOayNaxEjbKIKZW2Yjyk2uyGoZlfWqKi0FrMvoQ6RKIrI8+66hqglK
2W2WSJjT2wm7HsKtlWWplzpOtIs59xmBSoNPXW/osRdMMg1Q0xTWV9RlX4sR cTaiaKhGERobGnYLMKlGEntgfelUatGUwmQK3u0dhmjxW+HMged6//3pYO+b
t+kQoEoE+LI9qxSUciNat1fvXrzZtWILgThAayoStozNK7lB/NR0QipQypEc wRc7iKbP7NcoSPvzRBUnjtVxDS4PxNHetkwvQlTCN0o2P1q5CCVeysGRZTnf
AacSZ/osXRaMduoqNshaaUo2SJlut1k7E1swni3WvCI9cZGJiJOxleJecNiP 2PHEeqC0zQ0GRFNUkiiuF4bW9pXb4jC3odKWX4qpRaKIkR0zbm2Gln43Wo+M
Hna1IwidcaY8PbC3+YVAv1jWnPCpViqHn2S8I/F+O6d7WIjMaRESMFS4wVri Gs15CBy010x6pgC5ZEEGcbs+VnbI5q2MBs4YhrseNUnGyFf0CHy2MDFGmBFV
oZZk6bw5lmtjiizNhVM022aQLme8/qauS1WW88ZJZqo31xVukycsHrVZPs0k RLxmO+3yMkg5oZAFCm7AaHJEv3jGKSqgsIjUSYiwiegy2trufUOdrR2gTFFg
k8vg1dpVnxxg3DGjcyJIc2ny4c2QHkfjv05vaLdB0HP+Rmtful2IjCpTgeHD hB6ARjqd7R80yJ80AcXVM2ai64XmGGI0nPTVw7Tog3bQ3ent/QND7PYkljFD
c28OLFp79zSv5gJLHRSLCfSFOtgV8FGQ8ca0seqeu3uWXcEnZHgNUnKm3419 MofOIXSqPT2hrUscaE9PtrXrt29bTmAaXqx0yohHMqj4vMhsI1FfJDeXjn1N
36k6fiJwmSYTqT0tfYhEKtgCjJY5KUFjxktPzhGzZsEJUvZnzDoDaoPrBBhw ZzGAwBECfOp8Pza4oWpxcyKVpwp1AFD7ERWWiDWH/DxqdYP0Jz6PqLg3dkeJ
LZwwWSrvQGHHpjyjKktNZg+QUyQSmY9JZeMSV203WDmrjMMbFjWUYdNe+T/x x3CycjB3nLU+ZKvog4hRN/R5G9t9nISIJjxNve1jLKJzm/2G3sSrQDd6FI7U
J0nT+vZqa+s3/Q1/Nn7BX279MdnwZ+MX/GV032rzfb+07/uSca5f88A4o1f/ MFwE7FE9CG0aoivbyKiMgV+R1LFLFCG74OJg2oygVSgQUP3QAckWMVKrDr2O
L637/sPafb923pf4dKCrdLF5kNGQZAG27p8l37wt63EqcP6/3ZZf5iRiZ9si CxsUpt3z0jSd4umpiiAFbaXC0ZxI7xGsGe8+J+V+7rfZZBoXEh2+ZEUgEq2D
TOoIGZ1B8lyywQS4vVDmpWIrYM7Bc9qenKiFMuKOF/iUb4DVu/3LNu0T7tXp FdGTOF4ZtjpciCRgCIr2TZC3BBjUA1WtXpmiZyaF2QT32vzLkdwB/AMupGYZ
dUnNZfeA7cyaLHFF8ic1skJPWG3znV5TWZE+xhxNkhUEk0mCYAIYEp0BkZrb wE9HFHpCZ6N3QqGQYycViCpYq1XCPIzZNrJs3QzwspTCE5Sl4K0qKduGATmQ
v2779yOvdGasu4XI3YEHvFpj75nSgtNGaGZqvvOjWkw9rG8Ga8+0lyJkz8Sw EfKtxRBlhuD67jqYAYOc4G6z8ibxPwYvKX6awrXIWyh+3UJMq7UAssKaH7EX
uTg+5KCl8trlIzCRQQGeM3OZNrtl3hJWP+d013KhagHoL/SScmhN6ceaaaQK Qwp/megcCZHSkw4coHvhRBLVtEmFC7cA1egXoTjl89FXmxgNhV1DttzIqLYN
zjkM1NJWAz+pJb257Aj/NLHQ8spxWLCfpawx0YSu/A2N+orDq0tO5kfJyVzh OWJlq1D6uPFgSStd4dFotTbqFpINjyVSSLokWjbmGEmAOghy1qEccXBlPfFI
k0XQzALMAplWMBBXVxzSmxuYaqQ9Rc0mfDeqXQj4KPjvxQe3uVSSSCmzoyMH P7tl4gMk2UhOqjIhUyJaPcB1BW76t0wDc0XIiLGRikWK7ZyYkquxekYRLxJA
pxhKh9GNFBYUz8FqkfGdz6VkN7prlwvT/ZdZqHMtrlkUdm/BIBwR3S91p4gX EbtZOsbq1eY3frMi7tFxpbVrAaltHS9EMgcZOiIJ4WE5XIcckdnWDdo4S95H
YN4ikbNfJG10TRxbnqqM24JvQRYv6glnAqWjOSCuN0CAUq3heI2kc1ynb0sz Mzjtp6ebd/2DnaMdQQXsegPyrY0/LfiRw97uPjAjHYYq4duSMGy5Qu5UAqrb
6QlA0NSnX2labR9eqr7zohokN0a5DvTMNQ7sdXVhegTlLZbckS8mMpulcnbH Bc1bJumQM3usJQPlTW0EGVlnKMeWUhsHfnfZtBalZMOvUkQbxQlyUUOGAnl8
Sbwjrvm8KIry1so4Gy7hnctb70jJENx1BRwpddKCvcfPH2VFNs2bgKfcklEy nZwbMQt6hruirMZ4ZAUbt/1z45SBcZsjAojrkaCKAcHUeZeM4thmF4d84Dh+
SzVkZGi1JHBpeXlHuVRkpCmlFYOs5gx8U5cqydkhEr4q4V45tacJWzoaYnL5 UBUoY1uxyoBrczKy2bpU900j2LmfK5wM/Y6df/Xv2NgW+AMoRVhbhQ51hqwr
2NYJnolgcn5Z5EwYDroowN+CjBxTG7TZgJ40cfaFMOgSqtJi8kkmWANSCTpa lbBzICiK/TlGI6wJ/48AOcqsYLEiSTBEVMgvWwPKCt7SgUDGxowOXThrHe+L
Tq4ynxbhxuEgTicC9qLxN2H6yEuEOu1Q+phr0e6oo4Qn2frLTHAT1stD4egS kFtlS7LYzBhgcartGIuwrIDc9rrBhir42wTBwuRMNxqyWZSq48YWdnZgTSRC
YljXBOwqJMcoBrkypGuAECg3EHphERyCtm9R4IIq2pAh7MOANgIR5qRucAE6 pjBCm54yzAT9HHLn8dbNI+CwOg3eKNes+VMwtvbhbAJ25KUGCG3RaF6UFHEX
sTonRd6eKZwbcqtgGN2pck/U9ezXzC0++XTMlsxucmzHKVdPcWW0tgWYeqli 30XDhTQeoWmenqjnBdyiNtt/WZ6tJVh4DkzKzDCZGsBrkKm0fZ69ijKRnpDL
yq0YuKLALtIGBZrYEXRnFcLak143QYUF17qVM42TMcYG7imXjVY6YRhaf5Mh XVhO5qmpMDgtKi+NUF41xWbcUZ328ySaH5lgkQnsiY2pvKtptMmiC5RkSoUj
S7xWrZpd+HReEnrrTYy1l8MeV4ezdqbJC5dW66fKiuO3hvhAB6y3hnMY4Qij ypRaQ9aZ09j6lsttyGohE03tWwsTHWaiSPx2rUCJDSvG2tx3bc4aI1FArjM5
0DhDlq5o4a7qyGmyQfyjVbEdgCj3vQUUgjPLq1gL4L4LbM5dsp9Qn+44HIsu i8iVDFCN7lK8fOi5vCfLApmUOfrNsdpJ/LPJcR49v1ITsY9XB8MkSWdGegmo
05M+/zg85MMl3PMfzs/pb+3teU42v7ARB63WCsyMy75CmLDTcmh6eceLzOzo NcwwGhx/pacxaIuWifaYGrW11nqjlWpLNjmYmgzrzjtPT6b6rKVGEV1pNwjB
SCAcC36jT0zRzwV8L9S/GR7OkJ1Brr7y+WdJky4YFpqeC0Oy1GJ/pB5A+Lun MVt7u3FGIoPBIpOTL0bZXO6l5/Uz50FxZnVImUA/6/7gcg/McMRewUK9qDyF
9ZLLi3e0hyYuBZWYekpzWihF0ayjQazKWRn+VqlOA7IEiMH4suIXcXqIolXz hHM4i3IYkE4OwPgcGyGzFKMjLpSYXB7fBbfOzfGR7trahsn52qdlvqVOEoZt
5udD6aAcEtECYKPx2RP26o/UsxBWgzaplKDSO5cTdStK1Wffm08queI1yYrb ghzfap0ABXk+ysYGHTZev7ZcuWDVlSsEW5+5ZjorTtWCUTUysmq9xJSJBROD
vCq5F0zQUUbeuVwoNqCDnhPxWGhsGqJgG9X44u4RQy6d9AVUH2KPT6kcTQOu rTmDJ/BLoUygIFabxeiMxLEdk7uq0eZz3Gph4Ex0lytlslSRMlF6BFoEMEzO
41ok2kJ9xiUxwH5fGpeuAIOTzabOiWRTEp4eTYe0mBQwd8wxBBLril1cdPWo f0SirNtOIHMtc7UpzwfDlvxczfpTZ314zhO9vIW48zGMkFfY4KK2tYajw0u3
5DxnKBGTctHwtl2U8HFk4R38dB2eIgpO03k+y9PKO1aAVhICsAoAonGwOR3i 5kFuw8Zl/9hx7FUJL8QeOEqIIiIkK8T6EGyhB19II62RdQt+3aCUKWWyivqT
peqdrIfF3I9XmpnWnVaMepqMsisoZ6EbAuO0aJ96fAACYsWmNQ2Ke4pM5Umz SZyju5kx1dCjjhCgWbEMhctQM7QYLSMNAsJRAgCBxxpJZkrQWzyo5FN0V7ep
lL08BfBRycBYMLM3EBfH8VRv/pkLIWC2fmtSRAfPW1IkydRyuxmXF6pixTKt LZMRqyEAbS3ws/5c5QBzTeeY1itx0eWxiB9zap1E0kAnuPAHPD1vazlwGi2l
X3NwuFXtweyRvQPoLRUqRDBtaIRwV6pGYC7nWMS0cfMV3ZC3kzewPVuywn4t TlGM2ghzy6S42TK/knNh4SFEDDMpc1swurMZvjPOsnXFoAdFaVpKMxARZuvb
QmQQ/Vz7I8WKoudZvLhXax2r8jm3TcbseorGRNunYgTlpB5nBUS4oYCaVylO WPLjIR3GcVstXcTaLcp6HCx9anITXCR1PBc8D6nmJvyAPSAYPUGh1FUqgbRo
fYAvzRfjXP6w94GToVE8x1VOEbp2wqJklgogIzz+0z7OUwoPaZzDZyqcxRWF 1ZxlYxMnR9wKZcW2zeEjbSyvhHNJHk4HmPkshpPGF+7dS912VRQy5bOAzWSH
R2i9bwfauXM9omXgcPhml21HPqxEkZ7tyY42XTxMGvZ6Oo33R4+qkqFNHexz ARk6h8minZfJU0Qz5cVFR8wO7tfTFytQCoNCpGAtIH7BtSFaSguOKOTUk7TG
4uDC/eHXLl6cJBY4bXrJ2Sn+8h8lb9OCtgXzuUsfvn41fKtcU/KiSLpdM+7e S2fTDqZkvpDoCwrRYGuG6I80lysQLo8Bh/4WyMI0fJstVIqp6ViENth8+3aw
sMHSQJ3nteFjKbAnMXVDEGPFy4gRtC2R2NWvWoEi9+eyAB2He7EWynMc8PvU VUMD+MgDLAa58J0YLUKypeQU6FxHk8CWaiiCX1SehehZSdT4jiy12SSU8kXG
SCUru0awCOoIsJC15otNV55yfcT4DHlfZqSGI1s9E19rZzXJHoveMxYF2WEg WEMaolSNlOA74T5JVkjCrfUec8wccBzKBFCFcRHyjdCWLkTG3MTfyVuIaJx7
xFrzerTrLA+TlRCtALSFYT852MsZXJslsnrFJf5AFxtLiovyQ0i55WCilZbp 5dqkaju1/lQcB0UJbCmlb+w6cdU1ur+CAloXNSlN5mZRElrNuGUWjK4BXTuG
4341V5wEsNhG4E6XJHCjgJqgytrPoqpP9LtB8r1kHigVQmdjXpdXWbGyGzkU XjPmMSBBlC729DQQBfKgcyRFjFfWPUXzMkjGXKbboRSICcuf1tmn8Yg5j2h4
ytU/TRY+7O3lGUlkxlx6BXkkIY5WSREUIAg5ZyfOSuWCUTOvVoDNWtjw4Uo1 4dqY5/luP7f8lxamyWbnVPTwt8Qn92xiKgoYktRK+svTk416+EZyGVkUMbHB
Y8HVMdbLTBrTzAQTOJ1sznfTksZ0Vit8jFUGWD+rcE1CDyVDOgRVlff30hJT 9MIFreBkhVZsYk9tgX5O4Vb15AgpQEQRiG4xmaHy3/VSAV2zP3WUIUP/bS3k
4iDftPqPb8L0u/8mDnFubcV5ApuS+ixIo74JllwxiAUbTRIRsiKKVOUyqglm 0tRRcm3wY0CJkDLfjd7IZOuVEdocrhSnLOtypDbZFsQShMUqXOuQ8E2pDcW2
hmbHc8wlWkRXnC/HMzoYwGFZSMKKFnNAFIFX4tMJew3Y30JiFd3YobptuxIQ 1AjraWvfeI0iSFI480kOIbQuyXRVpTMrqGibP01kJEPxA3OSqVdLoDGOTYDE
yy9yJSFpZDczngDbVKh5gjSFhSpNIV2CaR7UIUL9inpQ+QewTneXo3r3XLRy WKopsybdzXlQnN0Rk9+Ckyxxj5n+w25zRq0V275hRwIimwencqNOkjEn+3O8
CThiq7rXmwrDj4eZgZDMbQYltJcg/S/8XewQS3e3apxeZ8C0B7m8nGUbvsRe pJ+ijdnoJJfpoGrBafwcza5s1cY4YKvHn1xfBFRDQBbvszHha4aLOYEqNZM3
ir+pSm3050l1OgvQ9NyQp5mGxblPs6Q0Cku5K9GVuCn7qWwBiVcwk5KBOohS iYJu8TgN4pDcBwQKW9BCPtQ1D2KMkZckPgq0NYXTxqyk08XqY7o+VawLBkT6
ad6Xuj5f7eSP6AHWpwRPl3LozXuxXWvleypozxFxMkVQWI6DBd2NBPdT1OsA xes/qHXD8EsPX1BaLMsP+51up9umH+JNOMC/cdmPpjArHkRCIXdl1hqqEj0w
HHwl5YX8pNTyeGDipVdF3mAhpxHoNjA7uLzt8Z//9C8H+//f/yPBPnoOg21y 2s1gA+j4FMaKKi78HksbF9UdZTEi7mjOQo9yDlSLoEyCobjgdE4zhwckKI8P
eZJM8K6Up9Xrjwtmo0872OfH4Xm9uKOKN/o7nhYnaDZWD+5dAK3cgXZ7PsQ+ lAhiPBZluX1l2QaE0qFUFBxtwbqACQJsflJOkS5yA0S28QhVIqeN2zJNms4T
jEhid9n6LV3SOc7q5euLf44EPFDjwjMg2JQdwIp2HCRHqaeJGb1E0kaYdpZe DEAtCtG9oHXfjXdXGzgZ/MQ+Axsi8mIHLdjjNfZbmXMM9rsI7uG7DPgNQOcW
4JpxwNl9B2QCDR5GbCvMx7R1NtMx9XseaGTmvPSoqWpxcHMC1qCRzcsHISgJ 0QOvXYuMFFe3Nz+Gfl/i5RYohpxu/B7WgMSa55QKziY8iNLuhWuYczzsdAkQ
3HYP4U3KZ+IuXW3bEZu4fmvBg6dEcfaVe5gyxickBheMuFbYTXNwc6oYEgqg 3R08R2Rv3BgBP2wNPp7z77nAppb4ibHewOqZLgx44yyUL8/UcmciBKbwAYxC
EERQ/7D85plVBrnszmA9GVvFeWXGOAUoFnXx1va0ZJ1toIJl3wbtLbKrGUmt w3UC78fV/6S02xPpswHeUsLpjzcfCbMEb/+NH/xLJ7im9OwW3nH1qPPUCr20
EfwN07RSgH49ZmtPJL16gpwEyXWQ4ihNgmBcsajajA7elcjQAHAX6Ik9ZUdV uHCqBw9JRnh3cT0IejsHHABu90DODFz4NJ63dJSRflgahAKKysFtvwPVIzOK
QJqAoq6Uq2ERMPFp7UDbSwXHcZpC0Po8Px7FM+24wMhEAsHhEiyJDvToa0lz DZfs9dNqf49Jt7Ar4HpEY81YmOZccqkWLppMsYYdKtPt4li31fqUw+mn3N3+
NM2w56Da2fXEeJUef4fZkFSyiNhg4z5GN+sJD0nH7E6wLGLL9FcBF1SyYWo/ vwXBv8FZAUX6y3FwmY2rRBlUYTGbGs42F9yQgq/6vgebuJqwt7OL8ogMfv65
LxHnpcuYezs8ioAStHJjrppkzF8iC1SmC1tR90LO9ZQh+BewaRbjPCg4SNPK DyOfRzM0taFxr4jD/mKUUBgX3QCHsOoEM1fAl0nqslyxwG6KM4xakHG0J0kC
GY9PmR0txfzkgHRgxgCYxW0l2Iot5AC2I8MkNDbFTf3pteJRrsBDZwKSqCFv j2CeEc0jA2AgE1CMlJxLN0qNw8sqSSTSi/4ewJ3HqKfNm8sbEKlHGZf+cBah
EC3rG4P9t6PyNujvqLB3HL73uXEMpsGhNsiYl3T3AcJsb8tKcmmKhvE2Ne5O t8FMuRN448Br+iUWuE2+BMUUyRDkIQi1h4CqxOAbvqMH05tizCYpCsldUvOw
+wQIFxoBEi8Tu43XHsHi+86ddYnzyLQ9xlVLJ5xqM2a/ryyuFGLHCr1n4i7h mAMPNJtx01tJPU5UfRcDdzlu6rrpliMaHleB4FLuOgmP/KWS1UfN0EiOGnJN
SXCxf8+OQr3g8aEtnfa7oyXxYzvE9N5hMWhMEG+9qFr6oZa8uKjFZ0zzT6sI IyH2piEQ5ubogyHWsLoQ65z7JxGRcJKGZCAe3xG4MKOMyRxVhGdUPQ7qqPpW
UULrthyiZZ25CjrR7gsBCJyT2Y0iPhypOj4tgXPfAUaLQhtk/W3WZr1BQaos o+qq2jBEymUSuTO7hPl04QlbseFb0IipzAcIlVmOXcLc/0TY/0RYg7BYHt9j
7tDEpsvXQWZkyswcTch0yx+cPNln1xMAOBrOTvYAnzTXNynnUotVkVU3s8xa 65bkch8bIbqIektEdxV/rhFZXaq7t7MnxJZGFV77l2MuAELngVG2K4fVJHvf
f1iGpuqi6+p9CyEAsEPugLWTY8OT18Rl4g9AwA1gRq88/IEijtmZDdSKV8+H HUX44LEWASiANZGu1ks2Az3EwZZe1KbevebW+m/k2lvLVxrmWHWl1wgqfCtx
u7KPmAx+ip4SRIfAkrfMMlqyf347HCpMwtEJb/RXw+Hem7f24aNHx+LqeH75 8paBRe1KCzheDI11Y+9b6PLgDBxYeLPsFTwje2nmuW5y4uxGLOFZdZ5c7ASG
Az7DP/SB61mjjb+9H7SDVr5YtifMomseUX0Wx0pI2Dm3IbdKccFchrThgoK8 mNQGjE4l/2mTZIaoObKoeeDKAseaX7/Ls3HG4sAyOTWmaN8E55A62VWCLd50
cXX/mn4hrSukdSgHmzQrsLkOQjCBPcDFaZfspuREMYPyj7JGHHQNZFEIytdo DLjcSi6ie6eGeaTN6W54reBXYUWHPjv+L0dnSQyqM6zo7YpZG4irWcr7bD6P
8pQxjVlZxyiw4iReJXjsXGJHWSGQMW7mxDeuIBfcmXLQNmmjRW5DJciGLcA2 mK50vL/qRK+Z0MkoRqHVZAde5KKrWCAU62LpEXifrKKBagZkR4aQuHHKXGng
AHvpuK6JFt3l8niFyXOm0D8SwAg5JD5+nKxmsIpo5NyKU7iQUZoc7vfhX3SZ AlJir9C+Ra2yZI60Zkex/l4JUh9TMv6CFv0IypsFI6KgnKZ6yWluXIVwZmOF
Mt8GkbdCS0pSD853uK/uSHUvhqqHi5y6VChdMt8/RSnDWWCSHGAIp42r6WwE SqdMeptXKVekmmfJIs1maCq/oXbFGBm6EWziJFv2DIPgjxKrIiPoviADqriS
GKHtJrQUCP4Vct9HTDRUw3brIHmR1xLO1WzN1ZrLsNHyTrjnihIKP3FkX9J1 kGSL75A3DQ0p1GfozUF3y6kzkFCZ2TsWgmWgit3+g8F5sLaRUY3KaLQ+DsgQ
pxaacXIp/YOfr8rHN+YWcoAetmvD1bE4pyLzGL0dfp5WGjE9UHMSFAjK3nSF sAp9VyGuTP4S9GVZwVwjPgdB5UDj8nPL+E98XsJnhmudJjB4EZOaQOqi8mok
s1L1IiincQYFMrZ0qombKqNoDBI0HXcOK5Zvt2VuPAQpnHCK1BpTtqR5d3wT lpU8i8rPILEM8wJU9pD45l0fO2j9RTZIt1Ua1nz33XcvrXnYamnRuLVCpFij
4kxBOhb7uFwKliYxGAi6bFKuroTHdMZd2TjSEQbYXS4ccVjxk/vUNEZTrG0T x3kMZzd4euKxyOJKUnGrWYPj956ezj9TGNOzkvE/IBP/Y9Lwkhz8CjH4HxWA
wNHT5B6+Wm+U4wSvmKagr3fFgpjo8of1Wt6RV9+/J1G5w0wbsx9xjrAqypyD /2HR98VC7yqZ958g7TbKuRo9bSdawkISilZh4YtkLpLkCAtP0ZANV7DVMqJc
3WiIocoyJEQYG4yQTjn/tzAwBHvltRdx3RWKvPE1cV6zScKl8ceao+UtsG7Z 6x+R5kiOe3qSwWRoLcjByL9OlFs959MTD/7t22+D1EQ+GrcEdrgRi5K9McZe
GnPnpR04YshpDQPSgGu6fHXx7myo5AmhFNstIXN/sTC+m4yTK527kpQ3kfpn xeXwxP21oeXBDbobmI/h1Xxis1stPNALvDGRqfJ83HDCujChxAS+QtB8ekpc
8Ah+Tup7t+EnbTGERvWtKBdTrgr6CrLU5/c/3V+TxHPOs+aeofQYSzKXznA5 s9G3b0/HAb/3w4bkJG18a8NjmL21/hlOnyiwtzJpGM3PkTfoYvDpxWboVU4i
ut5VWc7dSXiurXp/gOus/Ostb8YXnndmlBN1hass2EcWY+W4tHMznsOE9R2r HGNqitV6/iHyi3jFLkZ2Mori8Of4LYOG4wfr1kbbXq+ohrYM8GtovJViWse/
QHHjjF68y4nIWqAjHUPkF5cWL4+xp1itTFR+s/PqhzOBII0+trgQ8tFqruBM So55uQQDmCuTERuo8d3nF9Akwfiyy6tFl39IaLHiyq+SVl4pp2D2jwcwAiKL
WZ7RFhzfJDs/nPXfvrg809qWQeAgcGG92UyVnVFVoqcRK5bvWUM7RnU8nW4y KU2Qe5mgslJEeaGE8lrZ5Onp9yKdIKXkfeFo4oq9hSFxCnrt1jaLevqulG++
YZ4lmu/v5tjjcpcdVy5hOmlHPYQ2QiOt5OL1uSaKo5SBtg4Xkm1tnT5U+KAV cUyk/pM5Yx4/cFuXEsM68AXxe+r32RkWFAnm/JGDje3mza5yDqu3zust2zSg
fvk6Fq8/qi1Y4JkLR6xXhBoQsMfovSsl6oQdJAjHvgGEgna4XnPtoiMNgKx7 lqErjxoDxhbtleqeC71rmqFNsVicw4J1cdyqHUUWSkWrDcB9rD2CnYzautYU
QHoupbsF3B5UTO54J5Z29uqqnwfY31xgWiVvDBZyXEgQqDZkRue/ZJO+AOm2 16yB8zq/Ov24pUt4cDXNKJjB8CPqAsV5ZTRqNFY/Uz15XRKdQzqTqEqpr46p
5h6CNPAMJL28Cy42jIOlEQw1wwMYCMRdGZT+kflfM3zGC4EESCVaF2MBJDsv A5IB7ckoSILA9qDqqf7cUkxnNiyCKQZjkjTBa6M4UqfbiG3w05DyoKgGAwzY
zl/vilSUpHNNhEnDG7XcM7rvNe4zlf+O9gBdR8+yHNAA7CUN0oTjpvK6XoFj Xj0heiCqgpKFJXKCoqB5vUOOwTShn25lO0q44bh1aXBRcGC+ztA1gUY6jWth
PXjLzqvL1+e727RT/4GU6pODpyhHdUUaQX+JZDuiP6cQqLuHm6s7HFluvDEx 3H2c31t3zMtx+uevXctc2sdEhHFWsw0hkQYvtGEOD0/iieIsQF3Uv144jOLc
4AIifquWaJSxQeBICGILQVBGKTWNrsqks5IyK2RV+LO9VnFlG59DGkhLlx/B TVjxmPsbRNhVG4aD9U+je7XFHJp9gj5iGjREt5X212JMmZnaibPQk0/ifMZt
luvEMUnEM8O3sMPGjkeQdWBoB/TONbwDK9PWiKBF9D473I7XNxGqRHR+Pc1H 0JySQ1xmVeI8pccIN2QYAWYVbfN2ou4wUEmXAWW/lXyHNJXlCk1z9YhYAXw8
4uLFKEWV33YJq9IwBptlgV8s+1O0Zr5hoFWuKjzkGyTo92x10EO3MhdjE9Vw JmhTKxyJ1B1LV0mzxBkKnCNqPx+cYfrEhN1ieRkmRDOtEdHsXUege+Xp+axs
YZUC1HbEnM/os0+f+BhMsikNeU40/i4rdnaT/n+gI3/TS+qbXf+tcD36XL6H VA8F2vEQeZaVUsrTKdPLIfHxCORjqpPGLmQqA8gxBBRmq8PXed2ALf8D/gVR
njBugu9fZPz9uOH7cE1db20Jc/n94ub31prMb+le8vvaf+7tIPp83LjPAz+a VDzctVr/Eq74t/IL+rL192DFv5Vf0Jfee4vV732tv/eSdS4/s2ad3tTf1977
y6tSCHC/uTNtMg2i/r6u/UMjrxtzJU+UaX61jJKwuS5bUy9nyEpF5iZRXS2k 3dJ7vzS+F9jUs7tovnqR3pII/i2Q8r67zIpRxN1bf9jgP0CPUMkGs5LC68FH
MHr8LE68785E9wnkvwl/3nD1H0l2ceCJfvpjMiTLixY4+eNXP3tD2vpvopx8 rRlMzssYW0Wh3sR1gBzizOPMcJx6eBEXdApvFEZTIJe7wE/pBYzQ2Pi6AViC
PPaPiSxy8tto9f/Yb1/4xU/c+OcrLlzcfNmFQXr/l79601Q2Lsr6I4g6sveF knthhUepg2BbAxJp0vlTnJkr8b0wwmKD3rQCCjbAJIrGOTNc/JtDsbkMrXcF
bP5Y/F1H8SUXjpvPXRgUSjxUk9F6NQggk2+d+fbO+eInfvGsfa1Fk476NAL6 pPbVLxt2fsxJTjTprvV+a+hAtVgi70pgQflLsDMJNaGhakTdrZGHpB0VSkwC
zwouILLWDypqLxibNcDmmYgap1eQWrfxu2TnlCStqB+sCgo/2yxsMIhAaCsj Qt4zdgMmbA3zuDBpMQRkhADtmYhMndwSaXEr6MXwVjUXqQDhz/Diknoll4PA
LjkMhyYEEupQX4M1XmdVogVeYIAlJ4NjBSyBqH90+BQeWucwhytplvVhxU8S M5N4aVRwcKE6IdqJ3dOec5OkY0djZTjODYFFyV0XZAKgwKP/Asu+oyj/impB
jpJZTI69lCxtMpYTtQ6OX11oFapl2Fg2gYob3HHHXsJA+4FIIttrJxW7bO/t YOjGTDp2MadJnMqXvC9vJbo8nQtxECJNxkeEtcAw0kjkC256gwT44tagl/AS
xdtzCC1kEF1+d5nAAJ3tOkezQk1P1N2FiFk4XWgw4hMU9eULeDMG2AVP9vq/ jpIwkKQgaSrRjBmLY2lHg+Pgec3iNJ5x6TfvLcpccb5UrtA1nxIzbEZCLlhO
a7bcyZffuByesbybVu0Zv799pf2pbw56xDoP9LsvZeFfcxK/6ko3lM9d6Yfy 8Q7e+1zPDKNYcePMk9VXTkleYsg6B5rXrYPAnRRxrFOVcIlmSUYyfSidzmgS
MBv/Qg76MAtd4+Se0LUsLBP6a+gQrcEh1uDQvvqqhzBLpa18/gvJkgPw08Pd XSEZHRR0rI9mzCm5JgeQ07VDDPQJTVCf7gCHC1zuK0YFMigI0GSKYF6ITmdY
r3zI34ImX3YlTfIzV36ZZNkkWowOh6DDwa68u32lMibFYyKFdFe/+1Ip9JWb inRnbk38WD1SaviQiohdpGn2oOuClVQTTnqjP4J8QSnCumxtJrvl9g6/QftN
3xeXfZ5KYwWJ+re7+el/GhhtE/BvNJJYVE+u+6kX1S02LlKbJC2E9U9kTv1j qiZx6RCTB1BCkkjCmHVzJGC0cKqESCa9XceqDOEb6uwT29rr1L/dmSmg7tOF
C5cIaR1Bo7JQR5c4rrWJWNP5nTUg6H8mjiIDjQ1Xgc+n25Xbm0gUhm/OXEkU BQipNhLwbJL8Y2kcQBDQDL5KY4IKhQBLD4k56KpaXpCGlnLHOCTNbbnHgdNS
mubih5ROOTRuLdERf6cK0QCiLI00kp71AH5HMvEikImx4vHugjUPdZJaQoDr jHCsuFQlVxcbVuM7ZdNyzDpMS50xVwyWoHAm95gYi4K0aQRB9ArQovAy7hjl
gXvtGjZp8QLnmW2Yv2R+ihy3remR4ix5WIfhxDQ8DRxs0SHRTIqsYWenIkvU K8VlN5dLjqE1kYGhO3NiuDMmZ0m/OyFFU6xhKWSA4YWnYLq12TaYJsR3XdNP
uz7rvUI5e87u3/t7v+SI7l0jtzZtC+8oGdfhOghBexpsjBQtgVp0md7MtltF 7Fnp9TcRDJeCudTlLZGeAZjchyqRqZ7zKPI9gNlSYKNv4dWHe1YRvYkRLSdU
1GwHOwDRzHKDd6ZhmOk2j7QfOD6R2pVbBhENFcTvBQFPFcMI+8gypNpVW/L9 fIfsllR3T2/Dk29ZtWUZdh6VWAQMUQPezN1eiiDYjaUUYJ4lEr1NlVrxlawq
hSgh4QTgODPASWuo9Y8R4D2ZxYe/tzrUvPnSlZTc9PEaDl2gFxKxX8UENrWM pVIOrkLqtyisQFCIXI01dvDaBDDpvd/YgUKsJDxSWiHHqUnjtjslyfG3unAo
yav9wDBL8+NwLJKjY/n0gSGHDeiCPZg7L39QyMJ7m4gTAN4bCjcnEoRH5MWr 3LP2UksNr38VFjRVGHHFYripWmNEWScet1YJ0GneFVodyG0KxlORHEA9Pkmh
DiO7Xd7ezZH+Z1TnNmkuDz3TayZCh/Uru2Vv15XdsvffhNrZ+7Ir/8eS5v+j uyajrIxuKFzMwYUsKD0/HA5ye43BpLeYWwGfnH2Fl2l/Z+lDnGcpRxBv3p6d
qbL/GspJv8g/r6FIaA98s86R3JEWGYMTKsSDRtfHVr9pbgPTT8QG/706jXZ/ YRMCXQ4sHSVMbkxN/1ok8SgLpVIumZAHRnJvWIrWTBpyXUemmwiHqfG903+I
LxKn6AO6rUJ9et3k429ZFDlwJ44Ac0K0dyMHrJeTGdImwoqyauEQXtDlL6qA zWamTLMxsqoKCzgOymhOnco41HCcCVJhygxKBmacdnB9cQXoNTZp0m2gGrCb
DcQaN0iIRJpuIVTASF5jppKOcwmDIXHFiz45mFbYTsnzPNOiQvTOoAGJyVHO uQAbe8aWGFZtNRD7Ltc+gsm5twEVJCVriZFSpIOa3A5dEIf2yfcDLax4K0su
u+o3Vb6IJhO6Yk2iCIS2IEB46cbokyLCOSdfOqKMVJ1oCzwpZKRhcFyj5+C5 SUGlp/WFO3artwIOcxE0mLYai6FRlxTT2pXwNf9AlHOcTM3tZa/m0rDCNDxg
OsSX5n64VCHObNTWtwjcjDnu5oulpdu0JbzrMFcOHkBqSZqqa+rcNGW0clna 5plKPgVyjA2sAclmINbzsNwutZlC1shXVndKoBI3gFsh1b3V3SNtzaVogXZm
VTpBb/CpdNFY7w/1b1ZUfoVbUbnFwWcc0n97t+JDF3pPxt/VIf05/r/ukz6A lUyMXUlvhom+txMQbyJUxghSXHj9jkyZ8PQwo1x8lC7G2bwkfJ5naP5Q7hs0
U/qg5ZU++Bq3NFaAxf5hawW+hph/mxl99kKaau9zboi/wr990HJwy8bcDbei uixPWlhMolmcxFFubS5YDtdtAsQdNzRlm8HtrkQkJQnNp4p0zETMHqUQmYXJ
XHgIqh+2qH642+nWOOMIe1bt8GLRvbtt3ervu7Ux8C+68F97ax+2VkM26ddt UN1hWWnXQoHr1EHrbG7CorO6hFkBa6IGtxMeKInI/pNiix5QPebEDHSNYEMJ
7Q0r8Lfb2uuxibQrOKFujlcZZNrv1wf0+153SoCoDnZ9ryvPZL09dCMpU5I8 RaKGDZSs5Lc1l5G1Ezoyp5no8gPUGQpFyJx5XkHJCF6FERGGyWyA3c1dQQmV
EpmT1hKeQQwYjxqRBE0Cydr1CgITz2UZtfUwh9lXB3i7eOnvcXL+yEv2exW+ Hlgh2i9FZNDWZ5/z1Ps4SjcNQiSreVtypWtKSmErauoYS49uX4C0tIzO9m6p
eq0UY9witzEvwjTRCA96vV45gMa3XP9W1qjaq2H6itaVKzB/lly8e9E/Ozs9 a3o8m6lxTLtrS61vwJ6cmngFxUilyOJ1Kxptb/ITddDKZgvAXHuZCbW2apvX
TO7v6Uf8hCzkqYlk6cxuPWF9IMRH7h3cIRQETgdM46JZR/okDwd6qt6gONNS n7dvtyiZHws2UeEdrwlcQBwoibg/CPoGJiFeNIrJ9VNQtQCog+eZfEiVuYbm
GyQKDVV9QAaeB2Qc5a7+Tme/7bQGD259fnnx7rsfL5Fm7fEQLPcxjp3bcquP fMZm+Wmu0sHg4xYpnXSLAWBtjbENneRpmdu3Dblh1n49zDNqv2MakwWmq52l
JipLc9jTDm3C0zOrOO/ADzdIRdZUfMFBqAN6aCDNpx3VWYOYfZjoig3JqrEL CtJonrIdHWNP2/0r0O0z8OZu9k+QrfSdry+jFPCJiOO1zd44H1wKqeUsQGCX
6gcJOiGQfOS6kfsVdUoKw1rBK/oc3Whkj+giocsGSuxarZjCeaFumFvZRlRV U2oMMSjxTFE/oEOl68z1eX24uw24pLir3/1NZ8ibYmq6XBY1l9fuVcp2wFMS
LNFJlU6bPqlmNdeWSccAHHB3Ny6W3LFWXwEhAC6ureTWYcxdRs09QQyxIbq6 WmU6GE40EPnMl0Dp1eDG5iWFZEdOFhamIXpodQtJ3pFcP1KjxrYylC6SZ5sq
f0axQdYtFZM32XGbm31DsnF2HVI+O/CuU9Lw4YtCkpyU2c1861fQwb0z2qm1 WoIk1aCpWUch6WuYDoMelIn2vkm9Kn1kZHhHstRHa2mGEe9sY1/TilmngHqJ
ttO5yxis01LotItcY61ygt7SHDHUcmPav/zoJenKWvrFDXlVddeNb91zXMpa TCA1kxtS10GS4X7Rxj12gpH2cYf9TYBNew4+7o6kf2cdYCzfdYJPnHgjUHDN
BHJnkHCoLIGGrHDS/kB/Ywd6a8t9CJIIeP0yJz6m75Z6k3SSLpgUZ3yy+2c+ l3GR3al0oV8kRzbVtSmVO9jldR/4OFUAPwegSCy6X7nVJBQYxTPJhHx6nehr
vUQapO3GWasTTxoip53e9Tw6zryz6no5PzHWq4EtuX7rciDXejwKx+mH5WOu Tjrdh5munc7OMEW3ikpxd+WEO1o56RvLuML1t6KkkFrHuuaF7srunolzWbm8
eWsh2dMLLmJH4g3aWuludrN348VA+Yip748rgYR3nA33DxxQ9fNXr/dPuK5J tVMC7OnpZDwexHfsWPku8L3MqzpNPH3nu1xbLT9yf1Xuqvb3sGBNpfWUX1OV
DpSHhZcGqq2MStcLcO2NtDg/gsicV8locGtjQpKgAclJSJmupKctUdquNi+P tDF2LunyIJHwc6yTkegmC7THmB1P8MRZNUrgYmDt4Dnna0mZEuRhSEXx0zGZ
UXYHi4UqhjxpQQ4EUIbeUAsNX92O6lJtKkk4bDcY7GlbYam9CbYsZ2taw5UA IciEA+wYaN4cBb4NU9xEJ9CZYieRp41TiUtS1rCeD7Jh1H2pvrVNp3Zd1ii0
8dOjKSQeP6+96JwsaXMPMWEUdLtByctnKaa1t7NV1PtipeioUp5DAjYC7RBH eY3U7QAkCD7GWGvujMV8dl0iqprptehDw6Pegl6eB4WiK9DLBAt+2b9ZsdF1
OS38xfmHl/3brGnMuWrecU5ti5pTwF/BuQHADgxOKmoHZ+XdwI+OlQ+Fnwcy HHSdmXajO7aNDL1K1IovEZf8b3KscOU4LUk+dLo8mCVPlATolnnGj2cTJimP
FDvSug5KdwKjz/dzZch5o1RXXJdUUETga5DQQwj7pG0tdHZueQzmZyrdP7kc MDQ24gkjRgF2gRCR4oWaBjrE2kR8awrd8QbQDXdxdC7etxoX61WEbD9QaZ7L
g5MionqqmMOZriC1sMZm1QM+o70T41FGGkkIZ2KkGSTCoZ4LI97a4hPI4BGS ViuvZruhYE6Lbu5Hw04Vp7Xdggtn0UiRTmNDnTG6S+MSD3Li9Y7DErIU1HAQ
pIedSTS/4oIMg2/wjL4JkNM4h8MfBL+9tTQNpdvPjOXHskurQfTkbwfcRC/f dne+svMQBqH+L1R1h3f3mPFQxfJYzlZkqO4OjIWDeT2BrRmhYSQ/ARmBSRVO
7iXbweIEn7K3M7qQ8a6sIMt57a1woB2pky6BI8HcY3Eh+ctgLTjhbg0vCtvZ rFGhFnhQ7yVWUUCGgIcVNH1ylamjgLf0+sPFnzymD0flIj/3Smno9KHvAceG
6txRfdLqBKGXMAKgc8ngJHOAwj3f9daRkumldKwPylgDl405nJCDLDkwXuOI tSX8uS3x24yvOmTAtJBFy/kjVsgUT6RHsNyMY33CWseMLLZjwXxtB7VNfLSS
Qy0G0MwhQ+n3UUQKZ7sS16t/caZxqIBpOYg0h3eJiy6QwrVg4Si+Bd3jh6dh Qj01SerGfHW6A06dqw0zCuEnXYfHaLGhb9dYKELktgeaAMzJ8m5L6VPPDKBt
NuTXPs8KLqMBBnpgz97nF4/eUaqC4GIyEi6FCmbZTIzionFP1Y5VAHprRCNr zpILaQSjzeWUJIlRCSgLeD0qUU2cKV3txiQwOydKlX6NpWeEFwBroBnvbX1b
6/uwl6zvQhlJvA0Z+MkAI1zjM0ZiihUK5oQp6rSkkIa3kLtGalVC1A5LmFLk fNB6odyEsd5KKlV3CTCsIRtCc+ksaZIeayOCLD7GwAYOmOCCPxJJQf3svBJK
fY3fXbzAGArGGbfKeFrxbL6QrCiGPFhF69tBl1pa5gbbTL8yUGrOV0clVdNh cOfumH06PaCwjUdbKFHugMaBqClPVBL1F16J1nPsCEEll7HGJvJYm+FKqzgO
+khadaBtmVtWNmb9wAbmItJaCnlQf1oYAJUBqOsCwbeu+eKuoa/SjJlyKHtc 3lKrUKqRzcVgTWoxwAGGnnKCrxYK26adIFmxqIeKLQVNFIirszDH4O4kXjX+
RpcHCYgUOR7uMy1AcM3S1X5FMVFQ+cjF88sGZlc88EkumAYuPO1AkkRG6F6L NpOPaET2B50or0taCG9zqjPh1n6u0GsMjxHhNoVTHUjAyY2oFBg1oQKwoLR0
9CAbiPVdbeWum7rCVWx4y3ilXXu0Wiwvri2pXQW6oNdHzcd6hjTmFDXdAqqd oU/UTEhZzrwEOwGpc35BUilTW9aqIvjXTN8taUND7m1Ht8ECwQaVUL+sVbgk
8Z69Wqa0h5osE4wAeMgNZKZLqQ/as04mVcY6L7uHrQtQSC6Zuae6ltdbsTKs 3dONHiTtXUs+7Zp3y1QykZ0gSET316WClxGDbMLDjJo3a4Ti9gztwBR7JX8d
sV+tuERhZZrMukAxkjkIenUttTiFaIa2+VXzM8Q9CENGOywXq5bbwIDoBfWY cpV38BJFpFxmOcfhpCW1ghHnPaAHVmAVNxLH6pAFemkIYtiP5oqzs4h3a4us
lOS8djLbH9W0VgCtRcoqFb1bLDBJheANrLaw1ieTCvLipfbHgrAMC3+YsWsE 16RAXDKpewadtHPK7WLEYE7YsEKhddy5SC5AMaflYaYmVS2hG2uX1sPdXeER
BTg84dH+VhjOVCB69evZzIAH4t3lat0A2s9KUra2m3kbay05Jyl+c724QTuI wJKQn7W9yL7VtmQ+jRp10aJ+lHv1TsVGaHqtFDpYo9DyfMp9LGagoWM9KrxJ
t0K3qFYM9OdCWSn3uM5M9wEYyFrNzbbV2hRhdU3U47qrCarLbFfHw0O38jIs hX9JHD+BaVzGIqwTmblafnViAVutc/PHyjc2rz/0t2yMa0TUHa6ELq3SPXqz
Zzed6QEfeJ7ST8vsR+n1zJBygSTv2q1qo/oU03VdNbBAVUGeA6ZM28QJpeuo Q+YrrBxbUqK+7UoDYPgYUVkB1jBUfo8OE2ZUOtZW5NJlUd8tFcEdPgt75Wop
3SGHnlhhWODdcgDk+zaDkfJRVToFvM2hTSiDFg5VJ4ZUywu480rWISgMPA8a q95dJBZsqyGuaU/QQZ16Yat8SjV8fYsdMeP87aDYYhwjQNhNLsHCKv06aA1O
boRJqFtbcsdD1TfRHQr/oOVJrQoqoRZta7FOTs9PXyQ7aZRrHOjE2kHDY4CR 9E+Xg4FUBN09ontwPhhsf7zUH+7v732j6tvB2+vP+CH++PbN9mD+MaVCMNac
PbHrrUsemB4KTBCYafGzrLQ/1EoZUYhJE1xaG5CVQ6emTdHXk8LFO9hrACFa 2gAxWxeuzTSkaTNefSJyywAPNAZI6gFsPMZUkplqaMSlqXEpER6EsMxB2a8l
WIV3YccvanHafkxX77u4OC5qK8tTcn1oGycsdC+Y8yjCNhP71Hd4wdnsL34O EYd0GqXjtrUV+zpotwDyScFouvWkq6XZysvIotyuEaVEaGmikmSF38CIbc2L
rNdJmYmuYY+xUv183M8WoCYQkaLcGJmZQADyoFwJ5otX+rNo8QrN4OgSL8Bc AIedsclOpVzx2Owc6ModsgtdgM1WZo5KKfI0EICswAPSCsjgRwV9RsrGC1lB
2gK1Gi6an+Zg8CjoPCkuJTqkRUlsS3xFvyDzGa4irT1s98xCL+x1OITwAKio ylIu12LilMF2W0XwWTpnuJirekskY46Ogt5OiIZKE4vzW8fFl0odFTG+4qZ6
Y89wqH2Jp4Dr+fWkqjOkBRwnbrpkSrSoHT4HmxGM2cdOjKirX/2gS6s9AdhF O2LXFDulK48Y/6yJtpIDs41/BS6c6k6aPvJ5McfjFzUjow6toD9RArB+GHEA
5z++7J+9Ffimofy8tWUf7jAQjXoHlgUjGcTuG/PHamejVF029/ffvX3/9Ckd kfLaCU7jgj3FEvy5WDI4ssQER5ljHBsK/kClbfmiR1HTNHXnaldoBszj0b22
SLZMuyzRTZQTz42T3LbPC9fOfNUT17Ac0PGYQb9KbeEoDgpAz/QszsyjRhMW DZmKtRpR3QPRXlSpJa2BbPo6SFkdAgLWXXFqYjE6mrJwXNuF2/P4kRkYCCZb
RnCKcBn4sdUobxiC00Xsbfpu+Tycmopwp3S0wB16orGYniDKknHiqHcqkO7X DcxWqUhsJ/iUKmu1Ipb3kMWabmBIKFpGCnFY67wHc2MDpEhOlBdZumxYGwdH
ITuZ2XJxPkNybu5IDBdAlS6BIleELRAGCsfl4bl4YbX+21Qvm2DgKBrakutc 6BZ9jJhUUQwtqqjeUe2nmvfeRNkBbWU7u415ox4fha4xivaeMrbt1uRFvkNo
v2a1AaM8qQVmxx49CmFQ15bQ1sYUnFBz7lwn906nZkWgOtpC1zIxoo0wSN4g HDMlKGxHAqYwj/XaQMIr2zUjyfmnG2Cgm8iicP+fhhR0fMNC8wDDuUu+jbe5
kUQH1rNd7le3KkcMWFrTyils/UP7s0c6UsWmd1YQvzKctTzwxeMUc7uGhxZD UhhooWmf16SHAopTXexTT0k8oJksMuAI3yXjoU1xKt7h2LtM3vhaczlGjpkx
EOtFRLpBbXTddZzTB7x4X+uti/xzhcNDthf0uJeG7gWDaQfRDBfwgcMs6rYc 1nYMMPiSug5vLDF+fX5x1R8E0vLTdvhwlkZ9BWL7LBO7e0VRm8ZoCXIcSwLY
fAV2VUcjbL6M69pzyKy+eJ56DqI3n4VxjV6IlGE4B1wurs4/P2ebVciDv/wM x+dZScAaD79JN2w45qjmHiPA5aUNLiEex/mtR4fyGx5pjRnPKIIbJUQcUIdk
S6jiq/x4cWdVlQCf8d71GAorW8jRcutMxHxwqWFKq1PHOR4ZJYvXSwthdVh0 09NXMQjjoLbFTofjWmVLrCS9sCvRkTm2xGJjsDrAmSnMnIxmKyLatVLtxsJv
HNgfl04kzFOqvkekoFdloV7paDnw3D98fxsySojpbh+RmnE9T6F7tbyMXZhK 6oQis1Bv4i0KdpY0K+5ry3+YiHseRo9yjrUh69lU2pWEwW0FlSiLiG8B1o3u
MdZh5GZkAKHYtdjhUhS26Ay20DYJ3YrosOZaiW47oXgWORy3nUbgoOjVzUha g83P/fDy9LovOUmuhcA4ApNEJJthnmHPbZIwb0ge28OCjxGV7DleynxsU5rS
pULFOVRsaXKjdosdK+yRVBsrV1JN38IbuM5IWItofpE1jCJDL4sBFGPmcP9N pkm20MJpQzaFVNd5C1j1Lom5Q9BymsTm24sPZ+jKwZ8SmY7pEoBUVGep1TpZ
0K6SbB3BWPQ9OkWuPgBc9UALR22i6UBDGbzAEElb4K+4WbqBJm8iSNJzQQe0 l1xBuRXSYMqXzewdrrW6Soy7Yrkymm5uZVtKPWbszkKE4q5dtnGpVKvVQuhS
3oc7b9/8dL67a50R2QHRdumvIWdtv8zTBg3d57nCtZ+OgM+LSvo3qyWCIAl3 Spk4SBrsJDqIvNaA0KkYtmltXNKhvqmYJHaumHFjIXbZ+ynChkNxABaq2I7Y
xLF0bou3AtxrtaRnXWe39Q27D7gdg+G3VNkfdE25NEGPbiUJejE6XjiEnZdD A5p3/FWNQ+4CVYOEW6uU9sPx7U39jlx/WuQ1WqPSmboW6mPm1Ml6jBbFcav1
p+EbnokPGTh2njBoyLLIwcBIWURWmRQcWiqeAeK5tzOJ63k6mxlEbB3C0Y5L 34JbUzEzYr+gXyoz2Dw9+7DFHJQD3yUkJ6q9e8/50d6rH/BVrRo8Al7AczCc
B3PL20dARARaNgDXv8nCY56QVZ8Ly3ZbsQXypL1TfTtVfRRP4LsUode0iMYv DkV1Kh9HTrCyV5OWuAcfo0P9zuxEm+fXjL//BXMtuodYpc1kZgv/4haR3tFQ
A6d3+qw6U2YMYwlGOjEw+YLBlBLpNZ8RWQ2o0+9IA2Jk7HglYClNGTn9L0q1 tIJYimKq8Sdlx7iPrCmPBYdQy2IaKlIcDCgR6AwVrD3GhcBMlktj+TGV8uk0
FNHCNGSlJ2yOxwWajEQXYN0ceXhNqMvmXWJ3ceDl05PPvoTat8tomdOGZAr0 V9ZcKlgbcYMa6lnNTRUaC/sGbNahV6hcnL42ToDD6pqguoih+BG1H/AFy22Y
ytBkcLWfYjD8g7N2ZrS+NdFvBla/nPfDKgY2GtYXoH0Gvrv8naB+0RT74reL nsh+8722UB+ydRhXyQL/homd5QbIiDBz/EMHorJ0TS90pDic8Bj+BnMF2vp8
0Ru9HrThJHzHbTB6yWVGak7VCB/5XZrfLAvg8wF3K+jTmQbP4VMTJHyaW9+h ohFwC22fLL38MTwnp0MherH78Nm3b3QhxmoCS54BjN+rdHMrCH8HtOAe5Kn7
vzpuIPUJBtmsBT+Vh85QnyWDhuvpJ9MSmA2zzLM66+ZFx6pgYCPhMQ67T7U4 LfstU0P4nL9HwWJUOt+fKvp+VNJ7+ExRtFpMdf46v/8rNyRyC/e2g78W9nOr
Fpp31m/SORG4XRRHtBvupTqHATSikd3lE2Ak+2hessOnBOj4U6cQeiCjZDFb LcHno9J87hjhTIAXczKH8qgxv4hA/WtR2EE9kx2RKwuUSXxXefHg1DKQ2FYw
trEP+Itda1fpmx/RfnYu/GDojOSKlqi+fapOkbU63d8CteUArNc6PZo4474q STA8ViiY6FGu1/nYywBoDom3kez/4v6+4um/A+MjfxX89vdgAOoZnG/w91eP
E1HfHRkXpRlek/KuEOhTT0lORrKBIWO5QStUF9nOm7qNYeiO8FQUkA3n16z0 vSJ+/l+85AAc9u8Bn3Hwg3f4fw/rD754xJX/XvHg/P5lDzp5Bi+fetVWVh7K
UCO0zzo5xgaO5zNLJEzlWjcrezUXOmM2exohRcnzNXvx1/BaYLmGktnTLACJ 8hAAHUZ9Bpu9Ff9LV/GSB0flcw86GRvrkkNqUyMAePO1K1/HnBeP+OJdm6SP
Sz3OnH5pi0NrD0RUIHbF/UexAn2F9fHm3rLgCRhGJndPSR4fc39vI3JfiOyA MhqGsAD4n878wGvq1PSSa4pJINSMyKlf7T8Bwt7K74LNE2S0JIaQgMjUbDWr
36xySnB5fH6SgXgiBZl+AcYtUY1b30hSFn3Pqh7K7/iYADnpHzllh6ikZzBo Qb7p+NCFDGfkw8NOmuwlEYsERRxLxtVyxU9dc+eos4d0iNIq93uHaOY1tnYs
LgQUIhRA0V4Dc414HNCaZebQKIVXttC0LMjeQv/lrlEGqmcjHIANSWDCIUK7 vpreJSpExX8ckJNNe/TIokncRhGfKGR5NHkqebAmcEeiEITd4BuPZFB0hCDO
2iQpVY+aZ0y5c1KHkDDQFx0c3FGmwbf6qPm7w8MkJ4gMVWw2nhqTLimLqFYv IQ82I9bkti8vLs+QaWFM0vX76wA11mTL1FmXhmpjMYqhu83dMIowbDpkAeYF
UDE9B+QXTCtJPe8cnbU2XX9vsjPkfKU3F8+/B4bmrpgRZioSSxWMUKUt46lF tBkXeHrOVWn+v0qFG8nwRxPpM+K54YyOaf76k/pfcd9tA6XsyncvpdivuXiv
2Qgim3pE0UyQ2YMDzvqxwta+z8YmvlzGyBlL/RxOfhY7Tov0ndiTZUNi6lef etIs5bkn7VLWU+0XEsz1FHOJcFtAF3ywBOjXwME7gx6eQU9/9apBiIICJp99
DIO9zViWrkF7J/ik5XhlgAgMemWwAmRod8uCl1ZjS8Uq8Gr7Du9tR9z9fQD7 BdbRRfLZ23rlIP8MmLzsSdjkM0++jJGs4iQaDj2EQ3eL564/KWRIqpOD+Lkl
+sl4rwtnZ0AALhzSgGNdYI6QUgIN3o4eTpZrmIDatcqj4EXChk82iavlAj8e 372U6bwS+W1W2/NQGknJ9P+4yA//Jz7UOgD/SSvxOPN4GkaWM5+eC2MGZor8
/ufHx66Y0jnlxIAzmKKe+h2Ny4vvd03H4LPoob85Sykdu0SX1vWS0qX+Fem1 +MJ0YTCCNnlyGwt52xIoS+K8EfRZIdecxtO9SCvl9o+oSjB5tTF3+YO14XHs
xHv+4PBpMsqbCHW0lxycHHZ8imEdPnq89o2fuY6YFdGsaos/7o7FaPwt4L9e 0CRmoyR3c4YVSzoQ2z6FPzrF+SNPK2gHkj96BezuwmF3vlRxhfanNm/LiRTQ
Ugt8ePeB5W0sF0QngtMlnEJKk1rjPX5kzkvsdBvNF3GWC5te4pofZauSJVrJ zn9eGzlZJQ2CYs9WAICjQZlHa0S0TRJ0qLGsw7BgNCOQw0XWBFtJVUkGT6lb
bcYlWmhnJYDfjQB3xa8YuqrCulTOxVLuHNtvqzAlJlVHyCwLnCCbncDiuop8 UWzZCPocs+ZjsgU/PdkTRv/eFONtI2TMPiBMrQgGo7gZPdGJG4yYUHEizLaj
uqR4zdCoL+rfEJrGD7mMXEeKuzJ4Gfu5n9Fq6s+9QPhChahcaJljbbLvLbDb Gm6d1FrTIEfpEOFNz+r/EHvCTCFp87EOJ4LVIcAdR6fgAfp9GPBRXBqVW4PB
00ytrM/UCu9n+zLz6N9rD1mzaBluGM9783Yo0ij7Z40jCACzdz8nQyHRDu7Z BRX371K6yYru8u53bgQlt/dXneAaly89Ow5tHy11XfDkvBp4jZDFsOVC/LRJ
DTGK+QGvSANg4G1gga/f9Ar37JFJil6ApP28xXV5cOEOjcCeKiDHIfDwgxDF fVEowRR9YvFkzZIBQNwIXSRVwbrYGPl1vwJ75mEa48FvOdkxhOgANqfVo+4/
IfnWwIBdQycux+JqpYtC0entdqCxCorp+u0lMMnnOeyvlifOdTp2nm8ib0jQ R3EH7n0BYrCsTNfy6ZtJ0f8f5bhVIsu6Ma1IwnBYfrKZ6TY92cx0/0PIm+2X
CIDPek/Ie5yuSJKVjzDrUQzoF2CzO77m1EH3lfMWeh1F5GbtwdNZdbYmj8Ty Pfm/Fxv/302G/X9BKiH6pUWTQYxhHFGqMBXYlVPY03fBAsut9pjqxDVrENBN
BtFyO44VT6vDx+0L3eWUli49BUY7dzML3RVztNBQbHTns+ixKYiemWr0G9OP 1lm3/qtYg7b+yqwnDbEQX44J8EUZj6gJrS0bRa5gCpC25mGHCFMwQ1R6Vah0
DboH8LfhKQdqcx9TiWeirg981n/7QbbjcNiLMl52JVadXK8W6AiLZ8h2ug43 WrLbbcMENRIvaLsMjlqBesxNcAYzYjjYUQnPowBDZ0mUASMjO9tye4FbIqe5
rsPW1YCkHgK+HO2R8ZVklRgEst69GkQnwtLgauuDwChD8hhUd/uJhHjimICp vduuxmm2qzkqxV6FZR7Pvc24JlbNQbhXHBeZsHyOmrHgqRgOLw2AhyJZ1Llf
U+FJ8E/DK9tn6Psi63+AFhsdpv73H+AbkeYHQftGfsLboREpeScacHCoxBeL B7sZFbASclq0Te2vBo4lkSAmVogiHscKndjklxmRq81JzKamMjoGXla6MCUI
oj7TUdqcIsnrbnv7YF8Mbjd0VXH9vuU5z9IVpBp6RXasKEYVxOFc4Z7Lg2sZ OL2kzGu7x/COOfUIHi5M/HYejVWYTSbcMna5v/lLuONr+eNrOeSv4ZErbM5E
h4bnh8QhThcqJAgbKIHWxoZVkEXmVWYD1Z4wWwC6vMuw8WPW4RrQbuvZTD40 Krq/1ur8OqbyqketFePZR1/MA15Kq55jAw1G6C5aobs1M3R3vR16mQCLBNCr
Pi58d+fgdfw1OrJKT764V0Eev7I1MbtrwCTR8CqXPpAMg7/FBcpF11uOmJDM ncfrAPvP2tcLHoUtt581SLzYItFokujWrNuMsFvLNomi6OEZ9Gpn0NuqY7Mw
DGml7TiYpO4lnH/OglHPojqHfLqb6+XntB99Ki3ki9iwdmjGPrOeoUTEBRlt yz653lW+SYcHbzeIXa9Y6/PAeuGjuIUXPvofAfF7tfNhBH4t4q8+kX/avpbc
F5dK713HYadRrpmlVbbA/ToGPWPau05CrIechk1MpXc5w5TTSzifJMQqT/0j FVGTv8I3i4jhWywif11e4F/bzWEDLIKM5Pl2U3yKl7HHRhUOwuKgE09B1bUZ
rUm0gVQrSr0DlKXzCkqlArDOPMEjZJuYgRbjvI4KJr7kuKa26cXYVNp+wxR4 qKSC8TTo8evJENxlkXI+MJ9LFqFrIHIVZpz0r3i7/k6H+Fdm4vpZzvR4iKhz
rUkBgWCEnianAxeo/sEFM2YCKtb1FH0nrRC25T179qAGRSbOq9PDPlRMmiD9 lBts6rVZW86QdjpL6kSCWvSpaMBu3IskuktfSxVcXJ2G/f5JT6u78Df+CWou
/Pocv+z21JAP87hVc9g5PMa1R6SurgTZwxgG761r5j3BIHyPUk6rJeb/C/t8 1Qdl7h6n84oLG6Z6TLYHWQe/KdCIwgaFGUZ+Tq45gSB213siliU/hhOFNgNK
YkmlgiRoj+OBRNVgxNlySTqJeIh0aD8xLkiRN7/GftcdKThxzKbnAgPHg4Pd EUW0X9uWkRzGJsVPALFhpBBl2sedXV9cvf/xGmO0bakGHVjpu9n1yYvJx8t8
ZA0DF5vXMZPofEaNofjwDZJLbwroQ+YQz73AYfl037udHElc90OzG3hlzdYX M93dTBUMC1qVdzwUdGObJfafSzQUDkzE62YjlwpVonvfDaNF3CRp2/j/nage
BX7n8vWuqnFCiJ0hfWBqvZPkyqS6F+rtrhWVRUyjda9c3WvT0S/gzk8b1njn N8reMwvx+1Ipi1PQan4u+Bw7OTO6yEFhAjsm8tXamLv7KriOcQ2qgDThaQdk
1a5fj64hyOvlOI8yRAkd17YcmDYeOYeaWoTyADg6M57G29/SFmxT8I/J5WsU vIKy17jrJt5589o3U6jYb83JG8dnC53NawriXVvs5lVI7naDlOg7EElGlZLB
UuOvn1BZ+Oq3j+ifV78lucP/yG+H8tvhIxSOcumq/aV1mA/+Q2+h80J/HdJf wabBbzI4McJsmS6TZAecRqAsoIELo/A4kS8xRaJo/2ZOD0sLaUH9qKi0qI7R
B/Tf08dPj/HP02P8c7K/z/8cPOZ/jui8xLfgv+PjxxjD8WMeyvGTp/zPyTH+ k065pW4vPQHhN6J0MOqYrDOZMT4Ph65A5pbUsji1WoAgve44baLdvJJ8uoAd
eXSwv9+6BU86PDp+in8e7fM/jx/zP08P+Z+Tp09bt+Djg8MTHuOxDPXxAf/z 5rCgpC11xs2en77T1xmIrLno8Bu3haxiIGUyN2e2RONoTqDo060O+zYC5YQi
5An/QyOjW1xDFyQy9MF9trZ+kjCnRJnsK/EAp+DCV3PZEBbAz8XRwInoDLTj 77f8SNixBQ2AU9/c5RA8CtrTift8b/zKtLpAFPZxM1lnTl96rX0xtQnd9DRd
PG+0BZ6vnCnCoWCRxMtaWgu52hzuuegzUySAC+FhtW/XWXoryeUIGDdex5zN w+Ik5ZjsOeXHc3fDWIfjmd2b9eJC6WqJQZFTjohm9Ac7XWkJ+vT09vzDzhEl
JNYcPMx1nwhZnaAdy57cMC3OQmBfkkaqJRCDlkOReyl0yI20Z5MX0aJTq1Hm UPFFsgX/6YF6yCae4AMWPFiaEQ7nRwQyBW5S5bqlNWGAoS56x15neBJGqzBr
NHTp+OD9ldqYqwnz98N3cCOJSNmVeJ6h/9xs0AmI2JN83DiDVpoG4FfJsgeQ XtRnWiNjB3GG3K/CUqtm4BRetAqfq0MLOoqdtsw5OlHnLdugw4jzximTx0FZ
PdGMY8y6KK61wRwR46bUbhK+EURsZ6BW6YorWp0rjINe1gIj9H2WhSoE4kZA CvTULYud8qS2UENgi/3VD50CLfXe3TI1UhO8xNyZZyEm2b3Jwusbu5BSrpzr
rSP7hHzkK6SldczxK2NCVCsfi1q2iBS+hqU62BqxNxH5Fmq0xRsh6HttEOnC AzzWqxTCtnc4+Iuz23fhg6Ki13i6aN+gGAGsZuhcR0xAxKaVdgkkZEjzASxV
GJ1p7HNTfLmZYVqE/jL2hIg7Wc0B7iXrCmo6K6dgdVyRNTQLGjA6x6y9V3ZR RZa2ptvgGJ2di2Hj/kw2Myj1DFopKBNxfRK0TbCbwq0yJV1hZQt+eXvp7FlI
lYgbjFRtUrtEdcSiOF+tzyHgvYGevdFZlthFV4cx3eeuxz3XVrk9WndsUp3E LicFR3gpWD4Z0zIBJ9RqWiq28wQQxC+R6Ukebs6UBo1QobdMbFstumW20Scl
2CVRp/QyHYeLvmlgmax5SB/Xvtz3YfG1AArIkUGff0sqmatoDTOHpOSL/f4e bgKzuaNUDl39wRLz0iniRKEcFtktCks2GyaAH2uy7vMlySOR273hUAx5fKMd
/RwlvLywwXFhtwz3fOeG9NgrhdRSCpB/8uPwucCHTUmrZBNfHDVaayad1WW7 bDhn43xK1lDvQSqypbO3jFFfJxzU3XaU1lINuRYgsQQOb0YEw1tsjhAEX8Fe
RIlJ2Ky0XqzscAJ6br+wFgnJ7+tdaEfywTOwEXhQCyTDMwAN9/kx3mit0q25 sQWJ2KizDlHmiMnDoc03eFvJs2HGj3ULak67hm+xzbiTCuuYd7R9CoOSORTG
N9JtM9cZwPWI9DdKeIx29bvSIOT5YMHtPk//UFrDqg5QFdeHSV0J/jhrxpXh ShO+j0aXjCb3InfLTT25sp7Na8U7P/TYFa5seeSxMuGLxgFDeWPuItq1gSM3
y3A3Hf4JprY6h4xLdKZx96R2A5UQrFVox56yUr1aczbkfEhBQdZwuli74stO IPKVY+nMTW9tjnhHR4zT2XMD5MuE/xtvDXtVUbLSEU1U/0XcoyL4Cn+z+oY4
R1xmyIuOaJjkjFhOi3aTH/h21aK2f3gzTA4GR/yQF++Gw/MzZ7+0TobxfN4K 45ZRsB0sIyCvxMfANhWb0rUmOsFA50y16wIDUTrsCBxz8g2hj3mG81vcgh86
dpvoiiScyaYO+mP/DszLZRNqhzwjj+0S7sMD+ENruhb1oXZZxXqoyCBaCGmt ZkrK/4vT7+IUF5FS1XOdWQ+nrWZzDoyimgkL72wbAINY7KOYfKUrZFPwOuZf
SmNn6HRT0k69mcyj2TWrXyfFXx3vH8H459B/3oQ+ZtoMALALkmdNpAT5i5Yc lQ3aDcdWO9KUtuAyUhZrkJdSTgtO/sF01VQXvdLl3OWE0O4uQeO6+oiGGdFj
Zy2oRPuiF/CpiwqAMOyzaMHe6hkZroom/SXZORPnHCCUHz1+hOJ/N+c0kCt2 l7eYoC5bZMAT1Gi5x5KbgPlisxkas1lFxQQkJ0WSku+rcl7VFz6OuSaC8WKb
tEyTQyNQQ+crbssOoeYcqdLRUc6/9D81v6oUrdAuYwbpaztcnMGqOYXcQdCu +krMHgTZPDlHLwQZQiz46gSwa3GEct9wltFC+l1LilmcTnVkuzBsrqVv665T
ZuRDC68675t7pfm3Xc1M4+SWkJjD1jylnhp19Zq88WMLagyWtT5HmIezzKTC XX+pbmYEMUEBkwSNZTaqCHCoVIprDKAxXdenaRLahesMKe0yVyTTkhlZ9892
zoFEdQWsXPSjRQ51KbfpoWe7DpMwbBnYean55ebhJNU8m7RFpllK+u4gxVYV wcU7t1CX9Hyd24xa1i8670Qq0pRK90+nquoI0LspJ/OkLPlp5BfJThf5Qz5I
fzsba6Mypzc+cwZmm0JaWhGsRzx7ey2XV1lDkciTbTOSukLnzP7gwa0e8sJz 5RWz+aJmGdCBGlyDGYTguDDsWqMNNoCX2lvzqGgIxoZPWNHiCArCZ1F7Jbk5
FEWTP8MyW/EJy5l13ocNjMSVka3VF01WBYmWds8K04ziI9HTWgHNI9KFcFqu 2Pxw+o4TUYhvuolEROOFlmJFH/em/5aTiZAu8FdJomsY1FcgqXLYTYDkIbWE
qb1ORJXSqIx1zaK0zmyrPENMJHBrWEpkyy8SJvTGuhgXmrhUjBFtv6kGoVrz 2ITRHQ4i5ZjF76bze2xTcckw9JLN8Cwou5YzQKZKi0BYWGQpNWdD5+SkbhaO
R0RWSpVcyKFTUsCULSW3yU56e0ngg7BNDAWvo+4wKOjyAf9JyYuOfLC+izbJ rRTsJJmbGAgBl0ljbMyOMW/SiVTJfWN4wS2XpKSm9FpVLJw20pahNyGuqKM2
8brL0ptCm0g3LWLW/lwzwdaoxRJmaH6Aa6naIgbfl7UKDlKrHk+jLSGlcXqa 4HRZLHWUTZGFZ1jsjFIYdUgPFyHSg5LDiuSGOc7Nd4G/r9Mazj8V0ZNLwJnC
ciZIbzk31dIOS3afXoiz7/SpveQyWJMPcE4wQtn9N2HQWHtthVFTzgsiciBn FUKrmVgVrAvD/78sqcaGpLZa9ShVqRkheUm1TCoGB+CsSP5+XLEzFb1+YrMu
Rz2J/ksVEw6IJGwCC489MXJ8hBCLU1E/051U7KoPrLMcogdVaex3iuPajo26 T1Et2Dw5OzndsqoiTW16qHNttcgbUWf9u9InFR+izTuPFrrglcnKgmMP5S4Y
EYTNojACHzdDl1QBj+ELCmWJrAfAfOCotFOcqxYVBcpYcqTil6tPMy6ObgHQ bMJ6RXOd953qy+WOszQM0wuTViOLFmETGKKh/XKe2sbjVTljddI0ZsTbFc5/
+fRTS3SU9IMaW9t1nNS5WPEqPVRdQXRx6ZJh8MqwllKOfV4lixKIN2pUiaKr dnTNcaZYdNCj6Az9eBSqOYILKyR54TG8dK4FSGvSV92kYJo4FJbLpTyDAYAP
2MdjDcNqA0Lcco1mKdVVWjjvEbftsVfpRNX2hCNUeyM4k7e9AtLQecpVaWnI 6Rl3HCrqrQBMk9rOPqnXsAe4aGkGtIdNO18xlhktO5JlWO99dpIuGsoguEgs
CNrGnFRqqrFTWZUrNGFutaptIF25NjjU6fkw2Tk4fCphbQ1iiz8L/sY9+uso nItsua40xYo95fHLbRPbRa2EHFvTggkAozCFO0gjoOp9ZHPAVdkaAWstUPUN
ipBKeCZAUcHoXWtD7A08EvejMGjOXTCNI2qX2qk4MOXhgAj4I+0nf5De8DqE oIpz9uO7sH95wm17+fdWS3+4SXVpRJmvUqpg4FtbtOlUuiVFYmF5enp/eXN4
WFN4JC7eOdw72vXxqQfQqewP9ump2xkPQVvRINZgrJKOzx7+8/V3RDdv+Tkc CHeOdMwmnXIV5NjQYhixxmSy14BoCGqxWHH5Ho9GVP6LKvUYewJWomlr9zKt
+KFh+n3kIuxsIPtuJyWkBKz/6ODQ2Lb8rHy7b0tAcp4ePt2rPSXsz2HwSLoS Gju8UEEnrx4DDZsP45LKdBpfvd6+OT5bWE04spEhakUd2iyAaLbPso+mpq40
+gAvGisGO+2F3e0YxNofEST94+OHViMaxFGbErRR/yJKPHn81HSL/uNH3YQ4 QkX0l8t6EsGkDH0q25lKTc5fGI2Ndkw+6EkeVVhPLnX7K3RMfS5dr4sOVlLA
OXSEiAZxHDwSlDh6eiyUoB/+Ekq8KwOO1YiEYlmMnq18ADoG8ahFCV6FL6aE tSSlN+jYdQb6yGWvrzltLMM8Lrj8jh566JZKXTpCfTZaXnEF4cZzMnMaqckr
UuFg//DYbQj5RWny9EknTegtoMkfo9ae/V/6K3y6TX9tm3AS+Hmxq02uWN5X tiNN83QMhocIneAjBo3Iwtoay+3p5tmQSpcWcHJSGX8dfrZBxslJi1YpECxd
0AVT1Fd+uMYy+ocKH78x+rH9yzYzFXuc1F2z0EoZ03yX4z6c5L1T78KJVVux dy12TOZ4i6kTxLrD4KL4zObMolZa2hru6Rqj22uNa545LTUVlfUEbWrUIbgg
2/ZqG2k5zJhi3jogka6ZXmEdpWQWj+d1vyYLqhjXfSStIh8+SCqbWOZFsd7u ha0JaLpC4JrLzNIzX3wp8Sp2QVThFCW0x8SV2IbUNlV+48R1P7Tdchm61AGl
tNYQgW/hIkTRfJzuBp9S92TulLVnWt1hLqINQoAskI4M614ALbAtMHXbRg9N jwvHtnvWu3Jp8MvvMHsUVpndagY3j/pq2v+MBa5NNbHUnC+VOWEA49pDRp1Y
0PNPMvG5TRSUTmsPJAdylzairlxoiUwtryYumkrH2zAhie6eac291A9tTmoa LDPGQtjWKcc6qVWWBReBbGrRmP0wmUhrAASYSrlSoYFix9J9d/56FSkGo3l9
JM8RaFeGY7JIzZH12Ix5CH3ks0VYA9VqXPtiB+9GVrLup8Ln+g02SSQvSf5o CELpdBahYFWzFDbXUnLLHnqmQioZ5JsHT4j6EYItWwiN9uVqFq55EJu3mYaw
BdQuzrOTFxpmw5dhr+C1b4cxwcLvuqTQFwmVh6/5a74NLtuSIIqxgHswiR4v G4Yl9j3D4YZxs2Q61FbMhSA2St04U1ab++eIOKIvFWIIlSzFmsScJ1+rKzBV
zScWIfQdIhUJh1MOnuxrpOOhe+ronidPERWhW4423kIMGlEWxExOEEE5evT4 wKqZMZ+qkgrJwGRN9RQ1aXj6zumGqZusOh1SmauuKVq1plEkl4qzxUOpSIGu
8fFn76mjew4eH1qoZ9M9YHpuJhy4OT6xwT10Ux3fdHjy5OTQWGebG7T7OeVS TForAosvc1vX4KNXmvSMSwVuXn78CcRuGWtL91oka0Ld/r5UNGvjHQjQ4WAa
8wIIpNDTXmwupuBtm8FjwLhJ8aarex05hhyrcDgte62jsmHnt5Sxlj714Fn4 zWIp934yxDq9G1gYbVGhxyKgXjs6oFs7RbGw16KCsabqobjXlSZN/ZZc/U2O
zGEArPKm0fyVB+OvOhFfcyTsz0EobN0fr4W1v3y6v9+hGAS3Hjw+Onzg6yQh lJIU5N7mHJfnV8pzV7D5bmAEeF3QxJr3DS0PqFRIlcZIvdiZJRmEOgJPF8cz
habjCXzZZ8flNcK1cZ08+cy4Dp8ePPB1kjx+/PgLxhXMLbx7TUG0Lw+ODtbI sxOEi1mUJLpSbOFWpR1lptotYQ+VDpEKs05t/nvl3vQANPSY6bXBRK+yE6OX
Ed1Kx2+NotG4Do8Pu0iebNI3O9YxILkb18HTDmU2HNfx+kpH4zoAp/wLx+UV 05BWj8QbeB+hezRKQ3f9vHCY00bSaUlGV1lCLRtoGH0RUjmlIKLjVQBWXbXT
2rVxnTx6mF7H+5/ZX0dH+yefH9ej4GP/Y6Bgtsf15CSYSseth0f7jx74mjfg IqQuyki15wWA2YRSJijkz4uwZL5CMCSJx227RxmXVJ7OqXXDepUpt4nysrYW
F6xj97gCLbg9rkddxym49ehg/YJ4XI++ZB27x+WV8PaXh49OPrOOT0/Wzls0 kenXsdrJ5SeDQGFbcdR0YlkhVbNsVhaO8DGq3HB42CW9YAnQS4j+/vqPXNAL
ruPHh11HmscF55ZmB5Jggr0MdI89j1SR3CKfPnCqMvrHzuvzf653w8vuvwkL NhKypc2v12hFnRXo/p46ZbSDawWSTF4ysfhjFN9XKZbmw6Jabs6GM47U9THR
IdTPZUk8LpsEydNaUKHAv0FeopdzDmEkyDgKM0B7TmELBsbhqAjCw2KZVgjv nNoIbyq+mivPaQi6PrMk+OS25oVYGalCuFxx0B6x1EKiLD3T3cDg8qRUvogJ
3jxe+sbzQZrwXyY1XQwg9opZBCGPM+LGiONmFbznUiignqN2DYPqDHmFzhEt iSnOJ4IaccdH3a/S6PrUbIp8zCW1YJ2hjjOElT3GYyyIbP1rwSbdBSySPzEy
6yF4HFbHVi1SB3xpgs4nzFHaOLcH9YD/lmqA/TmLhxJd9Rd4af6+WkB4TPyc n61XFMyTql6wgL7Y0u0ubQ8lwFpjdXeWTrVbsZWqbbsqWyTBTbCYS2qZatVL
LkkwfXz1+sXLj2bSBAf08Rqrax3fdR7dlradT0iS5LPjenR44MelmoCXth1M nSK1O4uaroxZQjdgnGdatxpnjykXO7WQpAghvTAMRy6xk6rxNcdl4RpJdXAE
Onxxl4yPuWHnEz4/rn8+fPTo4KRNMPu2ixxfR6/uJ0Tj4uF33fyvr815NaBj XdQJSxorbqnWxF2hT3/WSBdW0DUb48FOJc1aNBHVRm8q0GxhhHFDlnrpiV9D
XP+K2kmypn8E4/pvJG03EUztrQJM5AtY53qO8kN8tLeJiX6ZLfX34KGbHQzJ UbF6q8t+LcycYnCRLSInX+rDgbPHGqhYl8vvX4onEEqNHlOmr0pp/bo6Zkh5
f688VP68H54e7h8/ddSSP8pRN++Vrgtiw6DzCUatzwyLk9j7l+4ZjrN3uri/ OQd71Im9BmNTPUdnR3GRHRsspOt3Ymwx/IFFbQFouO+QA6XgexLpMHGObgnW
irNvdJJ/nlOtGXh/b/MuWWOR/Kdt3v29rbtu/rlmRf29jahu9rlmRf29bagN SvoNxc4gkJ6e8G8iO2T/sy2KsLQQ5jsBziEp9agZFmpmCKAIKd12/ZJZ2v1d
w2rbKn8nU+WU0SHGsywNUgyDoEPPa8Ithqx8XctAZitBRI2zLbX8lruAxEpx q/tLPah0ET291A6SI3YpaOnFpiLpXuVOvdkJ9V9qYAm6ZossDi1PWlivtWSz
vReYIRxDfVitN3NDS4ICIMngOWI6jBVDyepuHS5Q0ByiXgPdvnh9fnsoiUk/ b7uXim8S6KSIdLQ1giFuyk3Gc2RKSwlpgknOweWNq9MdUpfn1XFmHy/efsIy
vri0UjDOVmPIBqv596k+QAsdX8Nhzw1m4YEPwYRTo5wku8jzrU8fGvxNq/TK mVusMWitEEgr1wIV2FL5NC9OgLlQGyCquBy7c9FJIOYkfdtq/UaNNMdqbo4u
oxD4JnJa2O7yE7gHA5GD7vk4PP148e7ig4OWJLKUBu6bKCppvczQWeQfACJK gR59EgBitN2vbKJuZMwn+Q04VlWCrvWLjWvBS0H1LXUZuuaClDpMS2ENQaej
B5iT0VxWSOpxmEcrj9sotclBM1duE8PhDs6onGcTDt9b++DtoCfuKHNTyUIM BslHuhhelRIuiBspXThWa/PG5rJ1zm0br4m28VorLBacmroChuYhVUX2xmXE
5vU5OrTOgY3v6AlATsOcMJpC5xsZXiitgBGpXZpB3ghmM502mrAUkIyI7i8o 647CcbVUMlB6YdkieR6XIpIAfK6a46+9/36wZ9IrjcGOVTxdlkjXitXsgSWU
XJK+DvDj6Y8fXgXUtH46ui3kSNzfDy/7B6SN9o+enqHfsFrgjwdHgyPtPix5 JfGDLq+tEk4BR9HIxKzUnufoLLG9cCcnuiTd3mEwjEuvEmk76B71Gj7FZfX2
kJs3p+1NzpFymT3R8H2yfJnUCyIs55FaMu0CYPCNZF9WrqOv5M/VkjgMnA+O D5a+sTuXFZOcqvI636TOW1Szv1YYsB0UXGm8+YYT3vMD3hWiqAhXXl0iVnZl
vKFAdVbWgmZl2fyMeMsP4eQPfL9yTx+XhRw7fkEuCOc2HUnlkGReS4gJRy5g xoRshCKJCjF6DSlmbJ4fqkVGrDCjvubsGNSXy6nL61XiZZuja8Zy01YprEro
ovAS/KBeAkw9lO6KkDtUnnH/zeUPH7ShpYLRSWY6ltQjMVgVRl43ig2q0NJW uq/dLdzAl0iMJIlyDCSrDcRs1vLsvSCxJdge0Ovy4PD4zTXmpC3buOIxc2Yj
hBtBJeeFZXBL3syaK8N7ESybJvJshF6GKtN+DdzeWaoWDJ6bc1XMPWGdmFw9 6/cxHKf83nbYNgofuXEjkzONEV87cdsSdaVCApf7PqmfylYKXxpkSeGlIsQ4
nQIldL/YQxu/V9gAtBLqSdYNQFHxHhsPT86DBUoC7EOjRmo3kU5Bj5Dj6hqa 3sfLAfMv9SdxMnBtZmubDgYMo018Z8utXEwDnIPsQNW6sW748kvn+M42aKzY
BzFgX34cIxAy32AAGME4CUELc9PHXeo97+1y2vAvMZ6KSza7larG65QuXTqU gxDkpkt8LnYe3IQV6FGp9LFXjXht3WIXfEsVgk1HKMrSogymi5QVHfM61mvl
kzmOg6ssA4oZUuZ5oCHrd5NnEC1Bp5EU3hi8ZbS8qrn40qXxMcuWrjUi0ILH KqfLr2dYyHwWo35WM9OZFsvGLA7gdQHqVd7TXSp4HiNlAi+mO0wSGFXyc+q4
Yhm7qafnivf9iBMssxpAA5xZH9Z0cI1WnFvOaY/c+dOnH6wW2AphBHxBz1jQ a8LWtpKk+c7YEq18w6y2sCXXSerWzSWB6HW88zY0y99XgwXcJr/zPc1MMApq
3431bBKYsHJWXq24iFm6ivAU/Ddup8XjhhssmNfO5Q97H3ZdNyyFquTyJnxj 9dQuzTVnzLDjhpRUNzaNNumK2AlPrAKa7Pva3prS3GhHx1rOIW7F34mYRvCz
5+8s7h4jB/CBCzx4SatOcE4vvgJ35mlv07a4RTZqARRI6wBAv0h+wat3L964 8PKW8XEw8MNbttgbHUwXc+xHC2MIPk1dzDXld8UjKbeApsTOzPgVh5Do0sjy
JYz6TN3fYxOgjhf4yhdTZesJBC6XvinKo2KtT2fpXW/tXO/QxIMuOw4YTAtW 9qLjXQkd7iY6tVQV4mEwy9tuxC01jhvQEph7FexoOGX9En1KVXiLErB3m8JP
XadYJIz9+U//pXaNNeCWFGxa9BgxeaPD5/LQzRPbdcP90MIDrMqbrDDWNV0y t2g84U4JWL5IYWiBjHA50EAKrlh6dm4VW2ox009LLnVSEcSrPXc71OhEL12k
7ydJe/b+hzNNnfcT7AkIiGJxWB2SDDwY3IwTzT4/ML4OQzu1ndBq2GeCw7mO You3tOckWiBfw06UDSeKq3K8dCabzwS81fRKXb8Po4QoNkjKCzpyo253Q0LI
19oJaV1HyvkQAO5puHAcfIILuFuDJGYH5zM2O5cvyVtZ+F1VmRwYUxRjFDqu XFkpWxfbHhNdwMrzJpzGrlmWq0vx1sYm8GHH5dS2lXamo6+xEyw3/fM7HMT+
iKQd+u+x57TBH/J9Nz/hWSLOWy6BXkfdt44XlkqdFtp2LxBYXW0B8jARPUAG lLWN6bc6BBLxvlIOA3AxNMgYTzlLe9UQASnkEI5a3wfNrNsBRZMTb5TLKOYj
CZoOeoQb7msYwqyw1seF4F1DbjcSLCKG0MxqYwWS4YsSXX67dMV1SfKoz/D4 G91mugUaAUiGhZM89ZVyU+/YxslLko2HKzoo3liWnd6lvB23K+ByVXqqcm+6
9VdVuVzUAmheq9xkHOImrx3OvSK18NmOuIKvWdVeH9yQhSvfRfDz49GCJncI DZEUcuL2ReWW6VS6HLCFgkXc+uWRHZK7PNoK1lK33hSVhbuKQIq46DrRA1s/
5yFIo1YQyrAlCVmHK+BP/MywuYDr0CeNb1YhbY1jr/WODI6xrScPIVp2PWNc W/MYlGGMSVJqjVfk8ZQewbg2YbXfEQA+SECAwxVRSuObgQ+I9EFZL1pjlELY
OIlHWRkLe3JosKjFkh2W1uN08pfuLq10WyoALdKaWZCmXDFIekfjKio+s9V0 E2xqqTNja2a147XyU7A5OD/phShgwgbh9w9n+MdWW/R/NyBbxIbN3h4+uwvC
Fr72u/ug8GFzWvQDY25tL6k/UZVa8O7lha4milsTmLpptUPJ7zSvC33toC/v 6oLLfmhiQRd0SnTHWYRtfUqxs0D4v5KpyOdSwkScPjq2bKjol3ivLJNjw5Is
8o5iXGOcfQaxrdYiMdA4tZmAQ/XqUnqCqoXGURimgWTp1oHBMJZ1sp5hadQ6 7SeqGpLG5S++UVb0PSE0ba2ZBXudLiYZLVW+Rbw1hMS7m17/KLp4neDaKgIy
wqNoHA7ofwp17yZMC/07xKWWIahmsCi1bLMvY1UsbxiHGwMoudMmrD1rJkF2 yAx5c9uxZB7uWGuVAYnpkKi1BjpZbRpg8X3z+sOWyHAMiM0BfKCFesPFhUA1
CKPuMCBU7WAjZM9Gxy1KQlY0rABLadFdv/UZLsGFuq45hgeuxlu4Gqu3oc2b H9Tllk4Q8whG7V1+ul2Hoz3AzZ9WnPHm+ZY9j6Yl8PR8n4cK/YeGYuv4l3q1
IfFMfImNjGUT33fs0Nh/uAHaDTqydYXjNCrBCvQNJVKrRMupGx7KnKYM9hL2 cnJF1QBlC+LIzmgblz8ACtYh+Pfg+gOmVeN/fsKcwfMf9uHH+Q/AcegH/9Xj
LyT9G3DNXIg1IgPlhisTGd+dljlbU12xd+LN25PtHUJrB40xTDGtpUXfr5nZ v3r7mCRKyar6P5JpufYHzAL3Bf7Tg/904X+HB4d7+ONwD38c7ezQj+4B/diF
jB43W42DUjCqSKBLuxDuvDfQOK0HftMq2tZkreKok0d/Vg7789WWyBFPiB8f +nF0eFh7BT/u9o5ojXu81IMu/Xjzhn7AyuAV0wIGQxxCpD6t1k/sBmUPlP6K
wLl2JGcufu4r62ky1B8jO9O6Z8y1GwpNmcwMEFa60z+8mNo16VV5B1Cj9mg2 DccRUuG7GSOEdu3HbGagaHMqw2MMdoACbxdGDyEnMXPhquAeRCbJhvoy2pgV
XO+h00KA3o0T+ZYmjgRGgFEFaLXqBQrhpXwnyO4N3ZGuSg/sa7+ZPj2iL3g8 du0i39DJa1MVPXAEObqSSytfJgl5oUNnMNORwiV1XNmYcXLFtig+gUxP4sNm
GDgU1p/k+He93QAxuRxNbQqHhcGy2ZRQZp7cyBnY4alUgAHKrpFPwnTKZSEg Lw02KfKsUa79bijNnSx7ZnlaNDJjd+CGENbMKR28SjdI352D+kx4gq74+qSK
LlA8uHzWN2LJ0IFL8PDpNX1HTIcB/4FFJZLhqry+UU+LdsaV8SpMqIPmtGi+ /wpxAGA9jkel0Wa5oQD+yZH0ADDsAU8uaDkT0/Zghg7lMpNeE7ZLhN0E+RoK
fxaQEbVomCtfUykJWm/Zi25stHjgm8+hpi4A2eKKLIOWEsCzT3NBNV0jIHdr nJK8FdpwRg4x3SDDNZlmqYgCbEPAXEUyCFmvmAtK3UfHHozmoZK5mBaMIZzD
NfkP1xpXF62hGbN0ktRhbT76/dvL74cXH84dnuT78x+H59KSOSrisYwAgcgc 6qbcIGb4tkcMxBCFzccDp6W2rovOdNGoxTZoxaaN6RoXrrGMzCBshBZNgNrN
i89msqyc3qcAUcvFFYqPPNIY8whm/6zYm/YJsAbXttJVMQe4B3cAD5HfDCc6 mpyZxgwoVDjuQBFKnB6Nxoyr52UkysUOCFI2CFwsNeKhGMuuDTEg1CjadfiR
cwnYmoxdhEixTctCO+3mmNpPSq24qFbVB8TOfPug+lkLNV46CCm8l/VS6Xxe x6OpE5mg+QztixQHgsGQBkWLBhyVTYxMsHQEdEPWYbxy4nMGTR6Zj/bYO11a
+JStLenGxoX2bn/rkdXWyKk0Bw8OWril0zbrY436VkW5aAIur2WUWy3aXPhc bMy/FOhQKMpfgkRmMlLdkCJO3SJvgS11jim4dLDObSGbjNNMHgMCOSeSa/kH
ZBQHhj+xZfrK1ypHbZPSDT4AQzHoVmPUTmA8f2SYAgSGhnWHcvtUWl9bAZwc Pw7ecm2xCUiVpN6zlUZyxrhfO6OLF7GEyArnRbIOBZrH+g8SIpHx25wWwEi6
tqVUgLp6qU1uG36rT9OJ4OFGjKsk3UHqUlQS37VgoGsRVe3WLbhpBwbLprrs eLr4CJpPUwx6p5o01PhHk0bdhV03DsdYWmUK+JtukvZFdqoBVl95tfke0Eg/
QjXjdRVMPkkPhKAFtzmdAvrVVnLIDNpagfOj+QjU6Zjz04OKq9FSkUUVTcwV i/6W6TZWDUVWTGMmMSPY6yyhWLrkDPXaod9QyxbDkKYSjTHa0tYHMx5IqJB+
U7LKMyLudMc17QYnkbvGtuLeI8HPHzECmXK7eJFYiYO81HaIEaXxpfS7BxkN PlkuYrWEc/D94MQBVVIcWT2pSydXedmCdOboQuMwEh3xIn3qO7ahNQvttx8H
c9vXdkqGsGJRnZn8g6rMlFzzXHrmsrX1kwKC6hrc6D2047fp+dsKPqkSgKv2 QbezS4OcXg0GZ32juKyg+IQJ+jWWFIE1gzbtdND+I9KuhWNocc1mGkmoSQ9W
+EwQy62zqBGrcnrxPAkaXuJksfRnM0wysDA6TniXoon4DopurafZHXe3EWxH Q9Rd2rxO1SaeWO4UaEJzhqxOxti02vFeB+RTrSDTarZE3Zc90Tr3dnZR66eg
erAdKCf4pH/S64uEtq3qQD2xZ+hzUWQNloyEhEM8nWREPEEk0kFAWLFMDXv2 gLh0zcuACljbzgmm1fzECWvUMXO6IxWLXjAB3TkvzQdX3feO61JuyGCRltHX
fIBBUAae7j470nxFaJ9B41B5ULMjJkVbWJ3vdligwR9mbtrbbgLbLV2UqzJW YLPPZjmslrx/sN9DV7recuRwFX2xtBiH/UJ14b70IWtgacaG2jGVGqiPrXGS
GsgIuy7DLA2N4gnvoOiqqAulgkKwWclpepnofO4gh2OQyFbtVy2chuxLbswb tSU1BXCMyKPN4DAuBp2TydB2PH0FlUTULlljdzNTatO2yYwpDddiEJOrm7bU
tAfmvt8NO/rNGxy0SGqJb0BvOjW8U4FxsbWgw5Q4fumhUmhMsyZDVuob4WRu Fo2uWOI2dm1GVk750DhoCUmHUcs4h85UjWpybhnHRw0cYk2uw0NuduGGZ+hj
3ewYgYG8oOADAq6XcHqgIK/kgSnAuxIMkWsgJxEByhHX0LIzGxXIQKyGP9lV ILOlBJZr2ybI5WpcZ5haTZK5nchbkfr11VhalbZ342dGu6xDSLImnPPwd6+n
fHfB+ih+7BoCywRKb16rNs7gF9DH2ZDkel6x5chSNT8Cz8gFMluCR9vAj9Si Ld0GIp4NW++IMweNGfvWVrtaF89JDhSJCXXzaNkazFfWmB5WSY6SLNZeTiMa
1CZbPGz26jt8P/V2B8/1QAVBvNH6nz/wXB8AkotFNpCgulPfy4itL6kpwk+R L1LgLPXuFFow8u9EW7IEJMRITsLIuFroNRwq4y5mJGmmme7VtogV+kMco4YO
66lnZBecAY1MMAwqAxDWOStsqkigk3DzJeXKvbBnuFaQ5sjevCrVs2FNfrv7 laxZRdxAX18UoyQSE78xBPybxE6nQwsAdN9yRpLxNjQyClRkMw570le9fiZo
SkRjVNhZvzECAoGKTCHkBQnvg91WW0e7AOhCrjQyVhpwyAtlRu5EaNveWhmM gdBYjPJdQ3qhk7dlowTGGZ06hooZRxNfr0cV3afSZbqswbKw95rgtQQsYjAD
EK7y9wku7jLAQYLlPoMFFTXmNoHuaqidHhpqKgFGni0w3Ksk7Bn8BB1YorCy bQSYcm4W0PeQj8q5SLWsO/GzuIDG21NmCZd+i6nfljRi0u/Jg3j3B24mz7Vz
blbWXMWFkmoFnff6bEuA5aosSUSwB/ZqWYXSlSUFC4meii4GT1cW3EJzlsOn KLe2ZNnTd65rWTpxuT5TCifCyh1xKkZE+50wClNIxG0Wi8Z6E66Ad1K7Btb3
DbiBH5ltR8LCWboetCKS51wcH/CVYDiu7FtHtRJgDdgQaIsB4VJBqMAWUQ/H M0XDtr44IXs/Q5KFyDCNURF8IhO8vnU3qVmP22MK12NdaNhllevB0AOpkEgS
spK21PRkqBW1C3g7xuIgZD2WgRTxqJXmxWnMKCLrvdB2nxEpZQH9Y+G7QW86 C1iZQA+1kaPzGli53TcHWvmzi3HTz4eu1aezgao6JJJjFwpEddORUjajc1Zh
5CHkHMXb2bbP/Hbd3o3I9QfunPZ5mkFSgi9sGiS9i2UKfRi8ylohgxCtNvHs UDEMwcOZiajBKd0USiYDcR7MMyxiIzoWy71SGnkkLlnpVoivTLFNSn4XpcaW
VxT1XzwDTt5EdpGANGpOQspzFiw5gasX9mfOHa7cWzJDHiTnMP6QpgGuhpGH RA179FSyUdFE0SwqfRGMAlw/Au4DPaEMtMglDHXdjhM0RffJdXIrCsbUkFUa
j/VUE8S0SdQvQ7orMzySiqJF3kgTR27DVhaGbhp07iU9iDPLcSBT2WYIWSBu RZoMbaRYJ2eDYLPbOyQXt/Fos3kLzY/b8J9dL9aYPTVOdRRcvmmEiNiBY+L7
xAWJAk+2NpKbLFsopn/grWjKcibMV/hkMWkr4YKZYT5hDr2zQjAvbw1rzfJA mDo0ozaZmkRKm9sJ2zN58E5ApqHP9mp9pINwi0rhkPjwZm97d8u6qtaUodL/
WH9pNfNjFXbM7a44pFn4dqFhUEEB89kR6IokQ/Bya8MeuAqrnJ3J4iYwGBx+ EFNPDGqsq2EFi1iqVxU0fLb+3+vf8F5u2T107dJw+yEGJmyuAPtWIyQ4WSzc
H1/E7QHpm55Djw3mLavBDJw1JgdlLikfag3VWdQdLDUcdwhf5V4wMPIxbSmI 7/Y0HeffhZCH+giA88Pgk+3CQkL/6zlDwpMoIdChkaiwWT/YrYZFLP1jzhLu
2tClpB5A1+gZnL6UZsO+aSmTT7daezuyohSpAOEEeEMLLA1HmCcBLJ+umQLE 7a07DW8Ru3VIHPV+HSTeHBxqaSM82G8GxFHPAMJbxJ4zJEJi93CPIQG//BpI
sJZR0/HUJtwhVwpfyU8U70KyE3U7HQH1bDYz5801bf9ZRgKKlxUdGUTJhxf8 XGUOySqZZxFzxraudAEaFrFfgwSdwoshIVDo7vT2DELwHwKTwzeNMIFZECZ/
PetVXfq9uArQDLWrXTEKsHsM0wNiMmZxcGTNlHVSTdreY5KsB7JiAOQ7zjAR p7ptzYzE6xAafg0X+MIG/GdD87H/u7prW24jSa7v+Io25mHFCIAUSYm67Hoc
eDG5BaJPLs5rrTk3lI61sLiD8XcbGmtcjmmIWgdc9jWBZ7vbG7StbgbjEYYz FCWNtJJmKJIz2oi9TDSBBtkrEI1FA6Q5tJ5tP/jFf+Bv8fpH/CXOk5eqrO4G
G3rLvN1qsu1bcd5oZozBRcFnTXbGpL5mcKgQ23m49/bi7XkC/yQSrqR5ulSZ qd2J1YY1DyMB6O7qumRlZZ48R5TJ5Qhum44BypyYpvi6/FzNegx3lHl+bZ6k
S6oTmWnmGZJ+ZlgUZmF3HoSTR2iD6EVj8KEDN41o6DqAaPtEzBGgJb1gSN4M /899tjd2OynF5h0tZ2r0Dc4QMVb8Xr2BeFdtBXP96z7gO2yzUru7Sfu/Qsjk
iLzM09IbxYE7062Tg+lMFWIu1Ju4nZzOR1YbLmIHDkhk/0/3733bvP/0KYxN 9PTk8TYOdROHShsbEGPWVketNWkQBVzk5RWf0y0IKjVSFmFp3dNqFEvZ3rAR
eOR+QzWRLpuLBWlttW/JqAjqgeHk56ygVNxmt2bV1nkf1UtqAHikR6Ab0WIh 0LGkA4ztSAX6wkHXt9dWgF+8ke2g/YmIrK2FFoo+Wy2/MkhTI8SJn0xEHNdD
gHe4ZtsPQfC/RAws8kwQK0VvFgQmh1TbnhAbsFU2LzUIpLhisfanvki+gJ8K k2hnmWqhvVQZrYc3bWbPkHBXa2MbkZ5O2nkaCxfGBGijS40pa2kHjsjVRodm
p9/Ummk5hmzrx3DXULOimX4QsId0Yi10syZMONeEN8MkkjMCfD1hz5Yp5ZTd nTGzCBPcXLcdxW3kX6xgOuR87pUzTbnhSy8r3Pr2OO0w/13XFvRZO8rtv/k5
bQtEsgJWGxQNg8U3Md6AsFGBYa0je9shgYNcpK6wKzHZS9qkdh5o4WZB0ojG 37qf9SShYov8BhZiwEPzifcP+g5Zi4xTK9uP7mvW47Zr6uSaR4+RIaFLdtde
f9zb+ly1VS3n6I4DxctQvmQnh1hM650dNT1KNq4IS26pEUbEsJPvrktEEOBl QtYZGRfkT54gm7L7cG/vwZ3X1Mk123s7lvZZdw0sXngTTuI8eGKNu+2iOr1o
0+0xpdldt/HdRcVs25RINlsqMBwD+tcCWNoIdJEP2lqinAwnV0Hin8b+Ohna 58mjJ5zH6bIDTR2nUopjwHnkw+6z9RUXPG0LBBCYKCmddPWgA23IeYtAzrLV
YEv490tJqnjB6FXOd/m9Gi/v1aDZegsVLWVKhRG/WHfmHho5w1pN2CEZqShv WCprZn7DE2s4U7euhTsWAwiX17XmZy6Mn7Ui/pIlYX+2/U4b/kQXrPnl4/v3
Tt9eDpOfvoNlzMhLcHVquZyGBh0D6raUTDh75VEIookhHtGRvWe0jBqIp1W5 O7wCd+n23u7OLV9nGXkzHXfgn93ZrugOttr15NEd7dp5vH3L11m2t7f3Ge1y
LWe3gkhkunRpqJ2Sq8Vpdxda4F6wPxcqEU7ii+zWtbl7Jyl+9dZWK4LrmR3H 7+avbnmH9uX27narO5JLafm1ejRp186Dna4uz9Y5mx3j6Lo8tGv7cYcn69v1
O4Nc3V6QqNtZiKFu3UAyBQV+IYgVn8drRbYTkelq8gtNT5EhT3TIvGEFpVCT oD3SSbu2YSn/ynZFb7bVricPb++vB/fvmF+7u/ef3N2uh+7j+FfnXTbb9eiJ
atE3CbotMwUu7XcwexflB6RKjgVVX9QgeWKjUVxJHlTtYlJx46MgR1kQlQxq e5WOS3d27z+85WuegJ8xjt3tci5ws10Pu5aTu3R3u/2DtF0PP2ccu9sVPfDm
O5tOS2142hjY1k42uBr0aCu8Pu8Rjd+fS3h8ki6aaNEtIax0oFH9cHpZcZtX lzsPn9wxjo+ftNZb0q4HeztdS5rb1fvKQIK0L+GsDO6PrUhnwTvGiQuxNr+/
ZWERwtMgvdjF0BWD7Aqanfqu6yy60zIFGUlVahxdBjJR5Y0sYQijK8qBy+R0 +cqXR2isy6p/A6IE6GmtwVAGX4dLjPtbIB7x1RAeAjoInpprEmelEoYPy2ha
ktqDs9IA+S1ZdcXJGdaVSNsiq4s3TuSdlVf5mCQ6N2/0joOQbuyyWU7E3sDM nXx49GgVBekdUPiv2y5DLiCNhlkmoUxhcVotgii61ApowKhZxqDOQrmApETj
TBHNNJSYd6+/otav582N+9f1PKSpanS+GiiOaHBE5CxMoiTjqzPFsM4l06CE wNB4aRuvxA+I1Qn6Ph6otPbdbnUA/pb7v/05SJuS/OqviM182e3fL5D4Toe0
V9og8yRu7AWqBN97sX9+LUky7E6t2R+z9K7Whq7aVBcvSh1sssCe4Wncp4Xh I/346s3zlz/aWcatzL2WjWus27Zxbm6znXfIsuzOdj3c2Y7tUhcgbrMd1tk/
XtV5vesSLnuubUVneiiu00FLruCduBokOIWlIGYSAi139aBpIUijsYalQxso uGtzT81g5x3ubtdvdh4+3H7S7DD7tqs7/rL+6r5D0i5uftfFf383Lu7/He36
bvfL6f/brj446Cq47aOPdF7F2Wl9BlNdcAcYC1eiNE75/xu7liW3jSu6n69A O7olWcvxcO36G22z6zpMD1ozpgG923S2gcq32dHBOiP6eYeoL2FD10cWsv+v
eZHEVaQqsuNIViqLeXg0Y1nyWLSldQ8JzsADAiyAkIuaytrlhT/C3xLnv3LP NlT+HB3v79x/8Dj0lvxRi7p+rnT9ID0RdN7BeuuOZjGSfXgY7hEse2dg+y+y
fXTfBsE4K5U4JNBAd9++j3Pu0aaEqYcxn+Tx1oLF6exkRjmMZupHNvN463CE 7GtD43dbqtbJ7kuf67KWieQ/zXPdlz7WddvP1vHpS5+eus1n6/j0pQ9Pa5rV
OD3WD2RFKs0fW36vDBuNWngaEqJVFHf5GJ6Q1J56vF6b6myl2x0e4DBxdiDa PKR8oTPKPjNLjKZF7oCGLp8wiJ5wwyCrXddakOm1kJ6mmEutwGUtj9QprqPH
kzV+iwUNSWYNWtGk7fIENhyC3SawGVYwVZq5Ppp1MLzELuEeBfuiw4MTKM20 X0vq9Ha33o4bWhPkmCTdfeToMFKSJSu9DcRBTuqhbtFrc1bdIISJfq5h7bIf
80osqicMSHWAEYUwBnH0OG29jHmZOPlRMhVm7a3kxcyfiUJLTmlyDBYWH56F NLcBOYc3Ly53NgTP9P3zQysdY4wbEx8EDIfxC0SoEIhE6dZTYIgUQOsph3Pr
w2sTZJaMoqxit8SRS+CO3vdI+shB0ZRZwngZwG0Yeq1cZUrxGV77EM1kK0Ew ccHK8JOC8B80VyeL/CwyHkRJOq2JD+gGVmKgbqRrfjze//H1t69PAmUldWdl
jdZYFeU+zfbxKRq7O+HOqeefkDLJbr3a35bdgh5Ya8/51xYBOcDHR/5XvoVN FMCZEpbWqwK6IswVQwufwWwBVZJHtubT60gHKWXNTieWRWI4NcKdeVGMOdtv
lg573Qc1zPQybEvRM43Lah2WO1upIj+qydcMCI9BrlBz5g1tNuq46qeU1zEs ndkP8scqAKHvUniq5vZLBuL+TWvg7iPwo3pQGb1D5yOZuShfgHtytQxnyoS/
+uP5PWCIj4/fyA1skLCtoiOpHZG7UuC5HA4oHpjPsbgeVDZkJSJj/n4JIJ6n M58sFfHk+ox6Pf5gFiD+2sAf978/eeW60yR1dD7JWjJg497m7uYuHJ+bm+PD
HGwcrxVe/FSGYv/9DP+Vgr599Dkjv8zQp5q3lAwpzMo3inw89pExTqmOjjof 4Tb5tcPdxwdBzliglOsnts1rJuUOEyt5g4i2r7J6Tn3LSFSD485BGb8M1EwC
TJu7wP2mGXDBNYC8LaW6BjAxGzpS06TC6GEPpzqrNwUcKOw1fjevUNuB02rg vqsFcwxiEc7Eoax1WtWc9Tm1OgBmwuWrGSiC76/DbUfVTNYqQ0NLIUG39xDY
Mf7xJk1OY4afd3NiAAYgRsW95jMCGpssPFYLfddhdhOO4UDEgXvs/SNffSYa h+CADUvjmywEpQgtvNfQQjMccu/w/dbJhtHoHqu9ufnq8P2J5kSV506w7RjV
HzooEEoNCBKBfK3tIM3ULYi7ZXCI4QaMmdQnkKr0akhucoL6RmKKkZssGuGd SORgZRxlvVTaUSWhtgrehEi5nBkGXLA2rTBIjEAYAieJivgIxaJQUQcWj5ay
3VkvZCteslhiJU2d0O6MO/9bgkcb/gYOCQUrtEFBBaZMrovPspmeaQ92GSqH ByPyZniLhTZMjykU5CnPQveDI/PxkbIOQExoIEAd8K3iOdYefrnIQygg2tta
VtuOZfCkVtXRCkE364hyrbqx1ZbFyBhwYW854SgRPfbWi6kxTWqfKs/MGHZR DXA4dZ2SLQGCdWqrxaWGY+1ySm7ItoM+Ws2EU8XzIZbmywfwPs/tarLkf6T8
JTDKtBVzGcoiZwiakEeaDS+nXIlaLpkU+9pQR5OTT5FkrZ6M0mNs6LhQgT6J LQGwdilVkec5/XQVWFUusBxCaRo40gC654b6bSO8PFN0KSsOw4BTspjT1VnN
ddtC14C7m8OF4rtMJPTTZvQSqGH0NYRkDfg/TyCvAPZP5J30Yk1cy/MDRlAz hZsBCcj2W/RrZDN0t8UwdvfeQPKfPP1PGaRZ1KApYGy+rwrhIq8UnY4lLVqi
bKRGwXJavZe+NMeZ56ctBAa/5rKNQkiXyuax6Hp6/FKm0kH6hK2guugsYX0C EbBwPcdU0MT4oydS4yziItxIJiCrptXZtQLGtk6CnJWSWHJ5E3+hy+cglYGR
9qH6F8UlVvQsU2/QWRIRtX4LL9ZgYvFZ+RWRzeGO9ZKsj5Go6wEbBy5qIt2K 9XPLDyJ1SaNO8IL64wz2lVvdp1G9BCB1BpZIo/qnfwhq4NW3z9+GEUgEo25u
HOZVOdZSGaFPqkx7pVdgm835THI/elMVQ9/dR01iXzGzsq1kdGdJf9k/blZj MIao4QX18uuJGuYMmyeXvikLpDKpT6b51aC1LO+ReXByOYFPTAtWg3osIGK/
Yu36tlnBOAKcwc3bWuZmoEEw9gHgJFYPdISlHbtyOix+10jOWm0mvQhNmOdj qIN2BuKRwlkLGRHbL7TxXBy6/rU2QmNPGkyBi+pjMTO7M1mx4aat8uDo/YFC
gCDdoWZlXoxLlFO71GGVJHLNOm7D6E3EnNVQfuqgH9KMBR+s+TEACcOu3XDx 5+PrDYQARHk4rAxJmu0aN2VgmW+YAMTQrdSQfRv1htCe5eJDiLilAaRFHDkj
ZuI7+6g3eHLyxtYyn1wdO3HRZI5MdTzSUBxeaoP9P14NFXYXYtcCX4xvvIJH HcDps+QCcSxpLtRuNInsEoLMmJeMhJWn8j51tihkbps/mFLRcfUjzcaDIMsH
jQxGJxYvySUmsa/JwbvdoCJobH4iDtCspslemBkfRct0vn9NpqmHtI+czpc+ bO/6659mvaeZBGm53rlNoG86FgadzmeilOf3mC52/9IDzx0HiFMLjGQ2LEjo
HIU1kjglacxn6iiW/EGJA2lTLVqxIhPLj2gXzZQIjlEImd25FtcivDrL9rOh GVXYS+OC765WNxUAZ55hfDmtTXNN8LxgNuSHix5uwMSjGiMy0Z8tqtW8Flrz
bMIH4UNxgXT+Yz7Yg0XWlCbZeRCQOifOkCiOXHu7L/y1X3gEUdip08s+q/9a Wrc4ZiNelnVgrFdOlrYFiPWpKuDBMitc4C5bNd8emjJlIDr3bI1aLSjNFsix
HwEwX9V1tYVHcD50H5BCo81Vzq9oMmmmZoUJEPP2/qHhrMtiJ1UXbXG/VmYl Nld4ofieXiUgyOmJks2171ozri3NR7dkbTi5Ccmo64riIkncyopWOGBDjUXh
dyVf4ip9pCbqj1+WHQOJxj85Q9i+bVHD59+RU0mmJ8yKtwNZmiAbXOYxHz17 FWZYXo/y8c+YXVrXtlI2WsCYedPLuT6QfIRlqKC4Y6rpa8RC7+6VwqstOL23
inJGwfFvwtQLiz6CJp36ajfE6Xev8K5ub4/+VsinAKbVmfwVu2UclV2vHbbL NLsxvXRjEA9YaO9rdVgxR5ivGKuZKWoXrRQKvL6xmNBA4dXlcbiyg2XoMrjm
LStGfjqMSkpUI2rHU4wqpTOJXAXVzYT1DVRfy5EALJvUJeNssiK/dAhWoFYs IfpmmgJST7+/Iee86MePZEggKnZe8eg6tQdPi7GzSf+ho+KL0Yj+gDzTytNo
vGULLUp9IFc01DS2kqwHzgv6tF9XmizIf+SojnyGsBEhN1nikAxmmrFJMvVG us6vZT59nk3iTYRpt9GAijUwcQoz/Qc6HjCPDnM81YEGQiZnsq4SLLESXDl6
OubO6BtRxPZl2BZnqvL1P3nCzl0n5/3mCGJSGBcmGhzfucq8dKVUw+VsZJyX pHl3Wdbt1oCLb4OcRaSpxkO4xmqwRoPNqHXGsXJGmrLOvgerZ2beT4umpEah
OJP7xEnlsEMr4zFkR0FoVW5Fx09yV6E/wuSVLjfjWJZXvCI1/Z2VdsfhWFpc MiTeSdhPSqucE6Gd1Ci9Cj5EZC6nd4Yd8eqC5BODo5kLrE7p7PCR6w2Zzp2G
sIi0I6YYrYV1RKATdLeDNK60s1ZE5CThVh+8UvVW0B0572LMhlmhzGBPVmBU uWi5k5g76ZweyKz3TNo2xeG4qbNYi4DeT4Ud5SJNtjrslbBO0T4tCh9MwrGp
h7n0Xcl/PkKaXg1apLsbapGzccnWvC53eX2zENY8SPNf/B2keSgcnF/7A/zx idfI5aa1sY2XtUqitjH+jP02rrrmzpss/fTuo1iq56fYlH5cD+d/GqqBWRao
kT5AbHmVKg+RDD8uY7SmT+KAdCnDcYSCKoRIDTsp0I4cD8Sw42JtlGWQnWvs WKlpoplUxoXKl9ALk+OPbhUF+tuHUhWPXlVX4ChqNmbN7yMXmifkXfsev6T3
5FLhLkpQiggItGsA2XoTqxTkxgWoYqeKThwi4yobp6hg0FosRhVFBSS1FXzz Bg4R5FLxU4vpeLqoqNLYPZ/Nfd7bhYP5QVZ2162N+JIryNSFD9wVvL+a28jm
waGQnICpdxU1boSE7DKKEtUc4GHTWxYBF/KDaw6QIu/G4cNWEJJnbLw+TDpk kjWVwQWeS9EWiOeW8omHPK5mQroC34HrXaNoSgFpLGG2p8cMQ08FNvcT3u4A
81zpJMemVyYiil4o5buMN8sdozA09Vt4hOixpPDguRObExeUvmQhuF1bUmQq WFuU9UeNbagUrbRX2UADBacl3uO9wGOoVb5cqppLFU9bIxc6aTQyMInP4PHO
mQkEJLODTNUhYYuFtGkVqCjofOn8Z7650rFmCaSevTzWuhBQmGrfwbZGnqab QbES6iKdOASY6fNSyEtbHcgyqbaHI5rFBUEtWmLejwTY2yCMPPju3eF3x69P
hTTrhviUhmwzg5wfAaQzQlpSS3qq6Tuty7tAMyLMy96MSdUMviY+MQBddZEs XtxKF3n04vvjdb9g4+bKdCzbL5SZI4mpjFeL4Osp+9NqfobyokhIy/aCtwL2
oryGlb8Sx5NWzZ14bjYq7M0FBDKI+O7JT5n3W7grDgah85RaQ2ZKkTffxZ+O 3c3jBBtD0J4MdcqO2OAK7CDyL2OJLgJuWjHUM88gu2wcwfa7racc5uyYltSj
OUuRhSAvQByLEXGc6wMUwZXzTd3PDf2HpNsG3OqPfAPoSPdwmpSjxydCJHDS xmTXQRQHqp82KONFHki5u0xGpfN+/i69nuiqcSl9WBC6gFW8OBclb7fs/BrI
F0TemFdvvqNcTD1miiHECfXIFCEHoInz5d48EO5DfecIYKNWmkJQt+SYTA3g mz4pe9GXuq2LVxBAK6el1ZtdiNFLDtvuYE4mmr6K5ciJKFK+5oxuPAXdno6e
T/aK7P04FUsfwGYolKgcLRi6o4UnAWFw0m5qTcsG6l33HEeMy7VRcokkG6sw DZjQH7BRsLxQs65QUJ+LOLUVucnqXEmVZyiBWhdW4adGDE7C/XbKxEkiDFJX
LlLb7TFOP/VicVA5KbFZB7ZPGTQY2woxfJLMdVlvNVTHO4ovSMJ1LW9VTay+ 4p5E2YJNHYukMrdu0FAHclg+i8ss1HO6joLtVSKC4ESyLSjk+q+2qkI21ybW
SfnZvTqBhjB9w3Y8LWQlPR17YzOUrwTtIctw6qWl6p8yveA2MqyFHnoVZcHJ zbfmJVDnIwaduyKq05UShypVWKiXZPfnlMzZFZetG2FEGSRoJfxGTgB/xPRi
fdUOLXGMmbelDfVWkVeYrZaRCHj+LuOOceiUo3Ns+xKa2bSjhl2pG/LczWKS ah7TQWKHDpunChsmPY0vRZwe3Whc3LF8U2C/SjZ1YLshovvck63IYjRCvd4H
WN0ocPf/WmDGc9XEwPHbj4WYY2lKGVfZmzkgnvEB7FSFIqgUE/AhdMqHOudq 5fvUMfio19CM79P9+0otqVsGKvFkTZCNrotETlW3BokMRVl7bQtewejGYMFo
AIVJrgMqfIpqJ5DohnFXwCZfXAky03VtVYyDqX1yI6f+QHU1BopkTx9URPuQ NeFRShcSpRDDUE+KK9a1EeJGuq+tp7ALinLSm9cZzVp1hwZyhKHPxac11jHa
qR7BgnQrQYwzNjgDK7neWOLuLMO2h6vlZRj8Za0CZsfgGplDPeLUoLn4287E VAKf6bigvhPGIW0ENjfeYL1azwmODJULRA85zhWLPodMCIdqgppDLTm0XfV1
EjzZpWTaMP9ciScHs51LKNJJCmrFnFuT5vVj4yRjxtbPzyYFS+G5BdQRGITm +77cgj8swmv3wwv0G34pF1lca67ByyPjKOoPwmOeQMmvEjlJZX3goyReBZV7
KE70xqptJdurF/09KZ3GiCU4nLcNHC+hMe4ynGvrx8CeJyZ/4NUB57ha7w1c HNe0dezbIEmrOg6afw2Zlqyu6yR+WaB7KVwJFq116kiN/R7EmsEn73RnQt7M
Eld5pRqQ8RTKzVk6jLLjLY+OLC/O51IePdMrv+fH07UghdiEitCFIVT41Xgm iUtJYJZuKrXE9Np0eJWSRQSBGxcHQ2A0LqjiwAY3yBj6J9wqpTsX8KyEQeSy
N2WQ7GezL5JvNrpE1uzJCRj4Swko5PTN6UE1/PuMDgBMRtPKN3MkMl/hUhVZ xnHSA9UpV8lysBlVxmCwRrw3FHV38fYoPWyLY2UMD7is1TNnfgv45nzW5M1d
3uqR/ifgakQK6+TklAHX5G22XNTSpkzj9MWiFAiUj+lmxWdoemQBCW2sr+nB znV0mLXgAb9RSFI2Nh4VbD/V06Xqa3GzOeoeufs4GO1uG7kIXCrRhMpvuW3M
5zd0KFXbbVmcDhvyWfCn68XZm+LLZ8+fPnv6/Iu/fv78b88UO/0tmY3C4sdF z8iPZWugfepK4y2n7PlLiRD+lkabtNOFSUDzBkxxytSCdcn+nboRUANefk45
WJfFX779bvEp2hmoeBv9Fz3PuAUIrahmrsbW5N0kWqrkKPc8yxyNoYY3Kmvv 8sBre2tFaAlc5lmlsQxT6+3Wk0iaqBSgcVrUKXaVOwiVTyslKqpxiKtNxs6x
sifU0QDq8OeebOcP1zcMh8DLesktNCi8wafz9y9pNJbhZohgJcKNLrWU6A3c WciPrSMXKduJCe+yfRX7pESCpSg6uMvwkJVjOsIpforjVKKubRt6KIsOjqv3
jcuhH3EDuhfaecIXxtycLoF6r8uV7Oz+5PGFkAvK1T8/WVP4WX7yr/F0a1IB VBwJno0wYqq02TO/CfRXkpSxTlZ2dSXKkmvhW4z09CUBclZVtEVw2PVstfC7
IT9sGxNkAMMi36FCbxkgzjAdN2Go6QhZr2lFc76reeDXdEFffs/5skv0Q4Bt K+8UvEkMdOtiMnW1wQ2yZll8KqMNhkjkT91uEU69kZgi2c+5/N3ZFdecUMmt
uJjR3+ky76u7O87PLgCWDPT0FDCQ6ZyfDxSkkm8zo6s2bV+8Iv+O7NED+hOc rboW8gwcOiCXgd1lgV0FhxeNdqwWIi5Nd4ZbUYekdDAsgR820hVIZY6e2eJ2
0SQu8JM1/eKcotZZ8bqsl/fQSDwtsZ/oS5ehfmiLBVgWHx9oa1/QEbqio4hW mhqKFsCXbpr0pIxfvCvCOFClA8Sg5CTbvb59Fudrf8N31h9ZMu3uHsNGCbOw
dtNyDHdFu6b46uNH8mFLus8Zkq0QZoajtFi2u13xtoVRuAJUpqLF03GeC+Om ton3+ryl0IfuSSZpjG5oKL1zJFGcf4kRhO0mOUYJB6PCB3J+ZaGKEy56MX4W
9X9JZonW/Iy+hA1Mz7ivKwofX2N3n1X9fbul/4S6+s9voXg3/P5r1VS//zwr 5+FivBWb483sBc6KAGDAqKHl/rax04QRbZyoaIhKMtMf6UY0L5ei3sj6a9XM
/v0LYP3v9s1SRnVLI2prYBwvKpq9d7R+roa7VmR4aYTk3L0LyIshQLW0kFKY eEudAi95QYwZx3LMZZIhWYK0ENcYCv1YqyUfi2KuhP0ucLGsqqnYXjGTs3HT
eR905YdKswUS8rKrdt04F0/8KjDPW+A+OWMk3jHdJy0IrSI10eRpHcevBZrm BRdSDAsDz8aabFav4KKCDkvAeGiGJPw7UCj6PBxPMHZskwb6rIKS48v89vzk
Vx198OonOjsfyGQ/VE9O/guh4D18vIYBAA== tmJi6HBRchBZYguR7sYeweqA9M1GYId1by9jwo1itymQlQs0Q09EdZHIg+VG
1Y4NWC0YDhnliCYWtlsfY9IQVJBthr2vRC44ipbywOuEa05K9pYSN8C/AE9r
oZ/hLPDYke+NeeCUBoYdjZqWqCpqe8Pkn8g3lIiE0ZgisnUKXrPpVINb5P5e
FNOCtihcW0NwQZx8AHeO2K/q8u8lfAAd1C61YdRND5iKBx3JhMRu0dpRNmxq
omCPN2RHkD0DcNsxCEQIxOQS7Hzy47LWKnIj3milrQNLf5jAGN9qRE3U4t5q
qCCbfnf4qK9hBrMSRiTrY2fx3Gp72y8l2mNxRuOEQgCbThrj+lypRiJz8/HW
u9fvXmSIVgJNJTroUh0ueCQXSxI5M4wKW7GrSLPJTbRWkE+6eUaLN2YQwhsk
rdZHJ9MmsYygIBm4xsQjQBJsnlTxPOzimmGIAgVnrvxx3mnC6NibtJLvgQCQ
Ov53N0dRNe93n3ymIjLzG1WJSGzO5+S51VGVUQnS3dkpvrpST7HGbs15vxCw
1KipkdyRJwGdovlcSO3wm35sgrB8yVYwLwthpRTPWWiWgiVtvhC1G5VEF5Vm
ipQ9zBFLqyZDLbZXHXIECiemsxVChjaOTGkNTyt51RNhcMjHJqBbLD2eXHFp
Rj0kywQsemKdDdMUPN5+RERNNL6LPZTJ4Jcpg4BYUaFarZMzdyD6Rn+Ry8LR
xK1mT9c+Qj+nrWhuaaDwkCHXYi1WFzUi1ieRw0smsmdaags6KnBJ5q1slCyV
4fNimMhX59WUDyw2Kyb0TudN1nbxLZuHSYDBVsr6xjT9tXCR8sRhLKWmaA3B
Jq0pdfeId+NAXWyZ2u6Xgpl4zuxUIW75nR5djvQ403sHBy3nvvKZv9RvZnWM
kmmrxhyMTBwUeGpv998dHmcfqgUfo7/hdDgAliBWQtRTq+I0YxgMUvexyfbo
6ElKFykMJPI3ciCNxlUT8TRMl9X0UviGzK2ujKJTYFUMlHutBewzDu3CP8KS
fF5cBiW8bwWUV/d6jXxvNH6cBnWQ3IHD43bWW2iE121Sro7Pc1TxujxXIjvZ
PUPN/UzhKdLksTaZZ7CQEioGFgpJcHTZOHDpfmDVe12dANU4EpiueENyx6Um
dwXnp17GeMESRw6KLHRJRqtdTCaVCp8ujUvrnmw9+tFbUKSgQw6qoxfpJKk3
BImRz5fJbDBQVxW4oob+vYvZZbmoZpZR3Hd44ZCKVyayM3h+Gt+ui+RKQ/sx
n6rUOAYkMXXXWxlbT6YrDkQAZYbNPFK0UgP5KcXijFEbJkykqskaBk7xuNPq
rBxtcsf48ILvUA7rrMZyKsGbmaNaaPKx7J4YzudztnL+p9HwvL7wXapOX4Qj
pEkPTpoceBwkndA6UYJ1KcCECoFrY86TNHPccSVZP0hD+C2co9euVlDINDeE
r2ru4jl5oE4WrjPcTE8u2K40vr0RMJNRtaIT4YnfaaMF5Hkl0QjJX2EkyMh4
tuUuDZoGjTSENQyZ2ykzKFBOifsbdW5n63gZSzjUNOdzHe7AGotgo+imKDVh
5DHmjT7cWBA6i0EIFDHm7o+8GaDT4ShxCK1ekXEpNcRsEcAiv9AzDQ9DxKSK
Ii+/V4fe9p9cP2TaD7Vy6cyF4g4v0A6utTR7ErK3kPKQcNdKk6S0WFjdCy6d
0F9LeJ7lvYVyZ1wBjlhcrQ9SGNBiGVGQApqJLVXZdCRXhogzOnCJghhz8QI5
rD0KYZsw64LSKizakYTNbHYEkSU3c5pYX/HzWVh8qmLNGnKUGeymN4INTOl9
jqCQbB6zIoknj3KUJyBkJUcRryGfwK3beCibBoJzNG5VZAM1GMg7ayBzwpMj
y5/UY5LJenN9WiyO6YVV9Cv92XGOEOHNDf9ffoWqgegA6CKYwkKP8jmWMe9v
Oqcm+Whp09Rr8aY4djRyjJQ0L2azT7eIhbLvjWbRlwfnnyzR/laeYe2EaRXl
ScQ3+IygOGDeusI8ULmQjudECJYFIAD1gKV/p4DibeAi4z938E9pjH20y7Aw
M+sxCS45RDp1pYtBPm66zmihpEsbZavdljVnkmmGbHBWIKWeVD8Ai+mC9s84
jLBxvEhD4tWvfD42XOuB3nxDPSbR+HMb716W0XVMAO9uNAzRANyouN28I0BT
k2XGplKr65C7EdjQkm1gGr1fpvPNJOTzBRQHJSkESUC+13wl/Ol2pJOQgAEJ
rJzI6bcJMUN0liPeNxSUWEWSnVJ4LS+MANnSmVEyGeRNoDVjun+L+SjNLzPF
wmMUPNEFEi2wYHJzfJYM90DJ16W9fOyaL1j6TjJYC5om4LEOgNdy0TTPMiMZ
/C11V04qSiSSvdHigpZZ5EmVF2fwuqgRWJG05XgZ4GLbhCuO4TmV6lbLLaNK
X5VPg6VJx0liWZuNoBnbN05fgA9xWlXQM2Bec3hN/JSOMH9ckV73NG/8DIe1
Gap2NiGrgJqdUC1SizFxZOetOp7Z6kIyFyyjVXu9S3OVeXyqTBDxE07mKMh0
pDU4dvLubr8wymsjfQhXwGG0hbAuAXtFEOHGtB4kqg06SqKbVs/huBraLLwr
dxEZHuaqlyB+OJQ6rtfQcOGoXozJRx4XTQmVBialTCRXasXH2ZgPJB6kD1Xp
9OV5UC72eTRL5kqQdxBVmv3rJpkn1rKvEMbPx4BsME9bxUUZYALGOgDIZGE8
KrHMaMnumzaL+xohW8vZxI7QEHraBmjQtXUq0xRdLDK1W7WzJ2TfmWpRAy7e
RAxZBeVqAd2QWVPowViOgVNYLasLTup0/OY6SAz2et/aXObta8GuYLCbDXvN
7JbFUqHLnzMRSiwsHFQz/DB0dgkHGnGMhRi7KI4Y5b062+0WgsqeseUJSEIz
mJb8NTPeOBrT/v5rsko11Hxkd37pz54wRHLoiGL0iSDKpBGOpcFDMFXTWSzF
xMIjSpkZo8Th7OHkn8kGP00SAGwlZ/ml1EBxznT4x7S5rRk2K0yis3UAdY6b
oVNcSezpdebv7YRlZGtkR5f9VP+zOoBipELQlIV5CX8/4yDL8VKSLcpfP9Ga
R+YYpz3hsqhD0aBe/E2xYAxR85JnOI3PK6Tx+TpqJJmXfJAdrcia5LKIZcDS
RrJHKPsQfPpZ3tUvwRnQLb0ul6swzq6nzqbV6dprpSwUkLRpomzF/pectiYO
1dWePwz9dCCVGKbGmRwv00iWDuRgKhhvrka/gKZr0ZB3Zes5YqBN5pL8DggR
c27JpApqHggDrabUsoLMBDYG+rSelBoISC9yGVDeLNgLJqdYzhkJyjSpf0/U
GeunNOLlOAjUfpPPs2eq4sVYVueEk0t+uAYYKUUWpvwbelapcBeFrEHZ7BjP
xQWkWhXKxwjNfocjN/I+42IuUnwSecrrNbW0m+JbNY6jPLMVixkeugzVdHyi
ipMIJo5mfldNaWZ8BrQbLpdQthUKasU8dpa86juXKr6KikWOm1gdwyDT2lxf
msC4DfPRFwV/vaZsebzSLNzZaiqiNC6Gaom3l68Pj6VGHSXqD/dQoo4C05wf
lx0AD/t6Nga16nV27/Dg9Ybfnm9u6BOcFl/FnEMoUG8mMCrTHXHouRio8IWj
dEoOtRw4fTYTsUFGQRalVQYXCmXRQqSAbwBdAgqdL0IigpyxHHrWMVkTmsKg
yZkTQDDYLKahKpoCbloJdrll3eNW3tUnQaNGCoBdLJCDPG2sa+xNEWAhb3bK
oaJQX+PQX2NowDPuXV8m7pdpkLOzlqbW0kJks5Cjd5Fq1ilG7qfrWvh14EZS
6O/QScWJI4nJpqdpuzeflEvVuwS6kauATIQh4oalCNOSTEGJ+aXzgvnhWnY1
SJJMnqTCgL2FKtfBcIbCSzcKcdQNzSlEagODk68BmzP6WeJCum9pn06Ls5xG
REopazMj5WxV+LK5dgN01oXKEa1ZGPs78anQ8rQd783mhB2zHMcRnNvOyeEY
1nP4HQ7ioOMUKR0TmcfD9+HSZnFSqDCQDhDXoVH1jbg+HcOK4cW0HhqwD2Gn
C1RG/8T3h/5zDedHS/F4Fwj1mPQDkSbmyZsuKHcwbhaE4ZySTxsWBwd5DXiP
rs3FYN7oM1fn1WDAlOJyC3DJyADbZD1k3eMkKP0pNAGYBNlngcetzRcJvIID
b11TWtZP7UhvXP1bqmSSChxZW6WYItJkNyH4kQnF4eBk0zDitA3GAwY2IEZG
krUupnM9b6OPQgfJmVuzUuUsJM0kwey6TqAfXJlhC57msRZAreuxAbJOguaQ
WdjVaTFpp1Vf8AsZsEIvPQ5q3uSfKkdKaGPiSSkP3jiUDyazpSHgnfZlWDAO
fbJ2jG1ZQu+aFtRqWeh6PHCjGPVRLxSS+1kTzMpZ9XS//vFNEeWQUtJiqqRn
WkVovP86DaCAF8UAXOYLLXU64Ej+7KknLj0g16FcCt55xpCqS2r281cCu3Rk
q4piMKlO5lGqW5Kp4axH5vSjCmC3K8+XpoBAjxI0OMN+EzCSo7QSr2aUz2v4
WF42wd/WUle2C04Q/tMdTg2aO0nblligHHYk4TKMP2fWybOshnLIWEgcacyl
tSar69vGkcKk+j7dmhQMhfcW2EbO+DJXvUQ9Vs5LWV61yOdJyjOcRnKH5baG
oxNmVqMMr9roFTgogMFn9ThGc5aTa4OPhFleqjZG2IRScxb3omR3S08+dpLj
bek5kJLF8FUxnV5wavycX0/ngiRQI8pBJ4YUwo+bI3lR5BLCnF1n0TVr3CKh
W3KCA/5WAvLY/3a/lcU+SbD+wFjMKvllrlEFXPpSRVOOdCtHjx2ZZlWvt884
avIzK85FKRVSMwLRPy4E1uTPcINsB1xDYsH6WFS/ppceHtKGVM7nRba/uiB3
pZJyfr58yJdzrgZr8zsyGCGTfJxPiuzed++PN0Crpppr9E+QjTGXB82l2VDN
rKmyyQGplE3cF0+m8Ak1uUEPe5m8oLYG2IRf1GQ1v3992ED/0PkFnw4/fEOt
sQA1g/9KUVwkUzu02FCAXTITlkM04gH0LPBvwgnu9X71D/TX3y4mo2L8e5G9
wRqte/lG9j37Mdnw/nbQzaH3GN7f2exlvUOa2GRKnvayLPvt4fvhu7fHv++l
/H0ndPAaZL8BI0wOJ+MZ/e0dPIvRT9cf6a+bEn35NR2hplcF/bS/r27WuHEn
cqro/lpzWCz6A8V2zDBMDEgZBHa84fNFPlkOGncY48MhQza8a0cvQzPofvbd
aFkhAbpzf+dh89JfnS+X9KJbW0jT05gCu8jgj81qcbZFc3/rfHkx3Vr/hK83
qb+/xjrYH6FsYFqMxXzWvZunUpxRjP+xP6HDfdH/1FxTGpNBzAQbCBcYAc1G
DlpJLU5fGwvghmZKvprSnj2ZkAn5JHC9fPaxFkGjm+d0+QeaWJ8kpXnzEpwT
MMzP7ZOTc3rIh/LsjIbdPjsGKjWnyUgHN7zXwWpa0O1n9v1hPqvq7A1527Q9
fCzDdc9ofR3Hm0zoHgfFtLRP3hXT0TkkKPcLGLxw2ct8+rHKjlHn8tPHwj59
Tv7OmPwGMkOzivw4+/wVGbrsxU8/0amjCC16hlB3zpMvPH9ULZfZEflc4UrA
lEqyAwvpq/D+ZMpe0g5Dhs4+Papgkan3rqflVWg/jPazsj6v5uGjfFr+z3/l
2Q+rP/9HOSv//K/2xX//O8oyfriejfwbndLbVNMivMvzkqb2D7TYXq3Oqk8x
z4xxK8ml/yFHuLOoyYZ9CpE+rWPnUMyiuCw1PiQhDfbRX8+cby8ONUgRKiB5
OQgop6KKDHeYpJoDnIW9TrNwfn7KjHuzoM/eXJHf9JG264/os82GcfnAT7mu
VuFJXG2kVYa/Isv5tWzzgMaoFHMp4OGePe2fDHP36uTdW6Fzfv6SIaiGSs5r
f4OA0eO1I5rOg548y1wxuuYPp+b2AO1rSBc+DJiicKjbz+5Fpe9y0sP7pP2H
F+In0D0LCdtdKC2DHg2zajYy2hpgQeoe9TG4k8TVO3p58Jt3bzc3MGaW6UFk
TVtAJnfnDzd7Dz7h/yP+B2Qc//ff/nO0sbXDn+49EIuT9P/hlE8zOjvw9D6X
NdeolXlL3sGKrEw/UJxpQKqagQWtd7y8ppZ+s0IgKxjEq6urTbr5sKDtt1qw
OazxuzP8bAuzbWfrq9Ke8eNUn/F1DwM3LUAulWGuAWkdfRRJHRnrg+5CdSBQ
UARoOMr1os77hdCKkSNYA0EoT3MsTjjtgUhnwmWpZCsWdRok6M2lj0J1tPEj
9MMpqe+SbjKaWjwGMwKg/gdjM+xxuuKqOEUJVi92WnG6ifQo9Qj3GP17C9vO
/Z3tB/ef7Dx4+HjL9y8ykJtn1eUW/jK0qsnhtDxFeZh8KpgK6o1hzfq4Q3Hv
xEcbyioflpGErf6KD13bX/dQ5qKlNOcmQcioDlRtWkCOfM/TMjcOEuNcyGl/
O1uRQ7XZ65/E3mHYgka/mZyJ7jZQnIqedMLBg31sCBbSIYFGmqds7/8A5eFa
G5zOAQA=
--> -->
</rfc> </rfc>
 End of changes. 273 change blocks. 
2488 lines changed or deleted 2438 lines changed or added

This html diff was produced by rfcdiff 1.48.