<?xml version='1.0'encoding='utf-8'?>encoding='UTF-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.4.4) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lamps-x509-slhdsa-09" number="9909" updates="" obsoletes="" xml:lang="en" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3"><!-- xml2rfc v2v3 conversion 3.29.0 --><front> <title abbrev="SLH-DSA for X.509">Internet X.509 Public Key Infrastructure: Algorithm Identifiers forSLH-DSA</title>SLH&nbhy;DSA</title> <seriesInfoname="Internet-Draft" value="draft-ietf-lamps-x509-slhdsa-09"/>name="RFC" value="9909"/> <author initials="K." surname="Bashiri" fullname="Kaveh Bashiri"> <organization>BSI</organization> <address> <email>kaveh.bashiri.ietf@gmail.com</email> </address> </author> <author initials="S." surname="Fluhrer" fullname="Scott Fluhrer"> <organization>Cisco Systems</organization> <address> <email>sfluhrer@cisco.com</email> </address> </author> <author initials="S." surname="Gazdag" fullname="Stefan-Lukas Gazdag"> <organization>genua GmbH</organization> <address> <email>ietf@gazdag.de</email> </address> </author> <author initials="D." surname="Van Geest" fullname="Daniel Van Geest"> <organization>CryptoNext Security</organization> <address> <email>daniel.vangeest@cryptonext-security.com</email> </address> </author> <author initials="S." surname="Kousidis" fullname="Stavros Kousidis"> <organization>BSI</organization> <address> <email>kousidis.ietf@gmail.com</email> </address> </author> <date year="2025"month="June" day="30"/> <area>sec</area> <workgroup>LAMPS - Limited Additional Mechanisms for PKIX and SMIME</workgroup>month="December"/> <area>SEC</area> <workgroup>lamps</workgroup> <keyword>SLH-DSA</keyword> <keyword>SPHINCS+</keyword> <keyword>PQ Signatures</keyword> <keyword>post-quantum X.509</keyword> <abstract><?line 128?><!--[rfced] For clarity, may we update this sentence? Original: Digital signatures are used within X.509 Public Key Infrastructure such as X.509 certificates, Certificate Revocation Lists (CRLs), and to sign messages. Perhaps: Digital signatures are used within the X.509 Public Key Infrastructure, such as X.509 certificates and Certificate Revocation Lists (CRLs), as well as to sign messages. --> <t>Digital signatures are used within the X.509 Public Key Infrastructure such as X.509 certificates, Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) in the X.509 Public Key Infrastructure. The conventions for the associated signatures, subject public keys, and private keys are also specified.</t> <!-- End of Abstract --> </abstract><note removeInRFC="true"> <name>About This Document</name> <t> Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-lamps-x509-slhdsa/"/>. </t> <t> Discussion of this document takes place on the LAMPS Working Group mailing list (<eref target="mailto:spasm@ietf.org"/>), which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/spasm/"/>. Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/spasm/"/>. </t> <t>Source for this draft and an issue tracker can be found at <eref target="https://github.com/x509-hbs/draft-x509-slhdsa"/>.</t> </note></front> <middle><?line 134?><section anchor="introduction"> <name>Introduction</name> <t>The Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) is a quantum-resistant digital signature scheme standardized in <xref target="FIPS205"/> by the US National Institute of Standards and Technology (NIST)PQCPost-Quantum Cryptography (PQC) project <xref target="NIST-PQC"/>. Prior to standardization, the algorithm was known as SPHINCS+. SLH-DSA and SPHINCS+ are not compatible. This document defines the ASN.1 Object Identifiers (OIDs) and conventions for the encoding of SLH-DSA digital signatures, publickeyskeys, and private keys in the X.509 Public Key Infrastructure.</t> <t>SLH-DSA offers three security levels. The parameters for each of the security levels were chosen to be at least as secure as a generic block cipher of 128, 192, or 256 bits. There are small (s) and fast (f) versions of the algorithm, and there is also the option to use theSHA2SHA-2 algorithm family <xref target="FIPS180"/> or SHAKE256 <xref target="FIPS202"/> as internal functions. While the fast versions are optimized for key generation and signing speed, they are actually slower at verification than the SLH-DSA small parameter sets. The small versions are optimized for signaturesize,size; see <xref target="tab-strengths"/>. As an example, id-slh-dsa-shake-256s represents the 256-bit security level, the small version of the algorithm, and the use of SHAKE256.</t> <t>NIST <xref target="CSOR"/> has assigned separate algorithm identifiers for SLH-DSA for each combination of these securitylevels,levels: fastvsvs. small,SHA2 vsSHA-2 vs. SHAKE256, and pure modevsvs. pre-hash mode.</t> <t>SLH-DSA signature operations includeas inputan optional context string(ctx),(ctx) as input, defined in Section 10.2 of <xref target="FIPS205"/>. The context string has a maximum length of 255 bytes. By default, the context string is the empty string. This document only specifies the use of the empty context string for use in the X.509 Public Key Infrastructure.</t> <t>SLH-DSA offers two signature modes: pure mode, where the entire content is signed directly, and pre-hash mode, where a digest of the content is signed. This document uses the term SLH-DSA to refer to the algorithm in general. When a pure or pre-hash mode needs to be differentiated, the terms Pure SLH-DSA and HashSLH-DSA are used. This document specifies the use of both Pure SLH-DSA and HashSLH-DSA in Public Key Infrastructure X.509 (PKIX) certificates and Certificate Revocation Lists (CRLs).</t> <section anchor="notation"> <name>Notation</name> <t>The following notation is used in this document:</t><ul spacing="normal"> <li> <t>a<dl spacing="normal" newline="false"> <dt>a ||b: concatenationb:</dt><dd>Concatenation of a andb</t> </li> <li> <t>id-slh-dsa-*: Ab.</dd> <dt>id-slh-dsa-*:</dt><dd>A shorthand to refer to all 12 OIDs used to specify the different parameter combinations for PureSLH-DSA.</t> </li> <li> <t>id-hash-slh-dsa-*: ASLH-DSA.</dd> <dt>id-hash-slh-dsa-*:</dt><dd>A shorthand to refer to all 12 OIDs used to specify the different parameter combinations forHashSLH-DSA.</t> </li> </ul> <!-- End of introduction section -->HashSLH-DSA.</dd> </dl> </section> </section> <sectionanchor="conventions-and-definitions"> <name>Conventions and Definitions</name> <t>Theanchor="conventions"> <name>Conventions</name> <t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t> <?line -18?>here. </t> </section> <section anchor="sec-alg-ids"> <name>Algorithm Identifiers</name> <t>The AlgorithmIdentifier type is defined in <xref target="RFC5912"/> as follows:</t> <sourcecode type="asn.1"><![CDATA[ AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= SEQUENCE { algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), parameters ALGORITHM-TYPE. &Params({AlgorithmSet}{@algorithm}) OPTIONAL } ]]></sourcecode> <aside> <t>NOTE: The above syntax is from <xref target="RFC5912"/> and is compatible with the 2021 ASN.1 syntax <xref target="X680"/>. See <xref target="RFC5280"/> for the 1988 ASN.1 syntax.</t> </aside> <t>The fields in AlgorithmIdentifier have the following meanings:</t> <ul spacing="normal"> <li> <t>algorithm identifies the cryptographic algorithm with an object identifier.</t> </li> <!--[rfced] To clarify that the first "parameters" refers to the field rather than parameters in general, may we clarify this text as follows> Original: * parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field. Perhaps: * parameters, which is optional, identifies the associated parameters for the algorithm identifier in the algorithm field. --> <li> <t>parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field.</t> </li> </ul> <t>The object identifiers for SLH-DSA are defined in the NIST Computer Security Objects Register <xreftarget="CSOR"/>,target="CSOR"/> and are reproduced here for convenience. The same algorithm identifiers are used for identifying a public key, a private key, and a signature.</t> <t>The Pure SLH-DSA OIDs are defined in<xref target="I-D.ietf-lamps-cms-sphincs-plus"/>'sthe ASN.1 module in <xref target="RFC9814"/> and reproduced here for convenience:</t> <sourcecode type="asn.1"><![CDATA[ nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 } sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } id-slh-dsa-sha2-128s OBJECT IDENTIFIER ::= { sigAlgs 20 } id-slh-dsa-sha2-128f OBJECT IDENTIFIER ::= { sigAlgs 21 } id-slh-dsa-sha2-192s OBJECT IDENTIFIER ::= { sigAlgs 22 } id-slh-dsa-sha2-192f OBJECT IDENTIFIER ::= { sigAlgs 23 } id-slh-dsa-sha2-256s OBJECT IDENTIFIER ::= { sigAlgs 24 } id-slh-dsa-sha2-256f OBJECT IDENTIFIER ::= { sigAlgs 25 } id-slh-dsa-shake-128s OBJECT IDENTIFIER ::= { sigAlgs 26 } id-slh-dsa-shake-128f OBJECT IDENTIFIER ::= { sigAlgs 27 } id-slh-dsa-shake-192s OBJECT IDENTIFIER ::= { sigAlgs 28 } id-slh-dsa-shake-192f OBJECT IDENTIFIER ::= { sigAlgs 29 } id-slh-dsa-shake-256s OBJECT IDENTIFIER ::= { sigAlgs 30 } id-slh-dsa-shake-256f OBJECT IDENTIFIER ::= { sigAlgs 31 } ]]></sourcecode> <t>The HashSLH-DSA OIDs are:</t> <sourcecode type="asn.1"><![CDATA[ nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 } sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } id-hash-slh-dsa-sha2-128s-with-sha256 OBJECT IDENTIFIER ::= { sigAlgs 35 } id-hash-slh-dsa-sha2-128f-with-sha256 OBJECT IDENTIFIER ::= { sigAlgs 36 } id-hash-slh-dsa-sha2-192s-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 37 } id-hash-slh-dsa-sha2-192f-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 38 } id-hash-slh-dsa-sha2-256s-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 39 } id-hash-slh-dsa-sha2-256f-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 40 } id-hash-slh-dsa-shake-128s-with-shake128 OBJECT IDENTIFIER ::= { sigAlgs 41 } id-hash-slh-dsa-shake-128f-with-shake128 OBJECT IDENTIFIER ::= { sigAlgs 42 } id-hash-slh-dsa-shake-192s-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 43 } id-hash-slh-dsa-shake-192f-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 44 } id-hash-slh-dsa-shake-256s-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 45 } id-hash-slh-dsa-shake-256f-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 46 } ]]></sourcecode> <t>The contents of the parameters component for each algorithm <bcp14>MUST</bcp14> be absent.</t> </section> <section anchor="slh-dsa-signatures"> <name>SLH-DSA Signatures</name> <t>SLH-DSA is a digital signature scheme built upon hash functions. The security of SLH-DSA relies on the security properties of the underlying hash functions, such as the presumed difficulty of finding preimages.</t> <t>Signatures can be placed in a number of different ASN.1 structures. Thetop leveltop-level structure for a certificate is given below as being illustrative of how signatures are frequently encoded with an algorithm identifier and a location for the signature.</t> <sourcecode type="asn.1"><![CDATA[ Certificate ::= SIGNED{ TBSCertificate } SIGNED{ToBeSigned} ::= SEQUENCE { toBeSigned ToBeSigned, algorithmIdentifier SEQUENCE { algorithm SIGNATURE-ALGORITHM. &id({SignatureAlgorithms}), parameters SIGNATURE-ALGORITHM. &Params({SignatureAlgorithms} {@algorithmIdentifier.algorithm}) OPTIONAL }, signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value( {SignatureAlgorithms} {@algorithmIdentifier.algorithm})) } ]]></sourcecode> <aside><t>The<t>NOTE: The above syntax is from <xref target="RFC5912"/> and is compatible with the 2021 ASN.1 syntax <xref target="X680"/>. See <xref target="RFC5280"/> for the 1988 ASN.1 syntax.</t> </aside> <!--[rfced] May we update this sentence for clarity? Original: The same algorithm identifiers are used for signatures as are used for public keys. Perhaps: The algorithm identifiers used for signatures are the same as those used for public keys. --> <t>The same algorithm identifiers are used for signatures as are used for public keys. When used to identify signature algorithms, the parameters <bcp14>MUST</bcp14> be absent.</t> <t>The data to be signed is prepared for SLH-DSA. Then, a private key operation is performed to generate the raw signature value.</t> <t>When signing data using the Pure SLH-DSA signature algorithm, Algorithm 22 (slh_sign) from Section 10.2.1 of <xref target="FIPS205"/> is used. When verifying Pure SLH-DSA signed data, Algorithm 24 (slh_verify) from Section 10.3 of <xref target="FIPS205"/> is used. When signing data using the HashSLH-DSA signature algorithm, Algorithm 23 (hash_slh_sign) from Section 10.2.2 of <xref target="FIPS205"/> is used. When verifying HashSLH-DSA signed data, Algorithm 25 (hash_slh_verify) from Section 10.3 of <xref target="FIPS205"/> is used. All four of these algorithms create a message, M', from the message to be signed along with other data, and M' is operated on by internal SLH-DSA algorithms. M' may be constructed outside the module that performs the internal SLH-DSA algorithms.</t> <!--[rfced] Is "M'" part of the expansion of "PH_M"? Should the abbreviation be moved after "M'"? Original: In the case of HashSLH-DSA, there is a pre-hash component (PH_M) of M'. Perhaps: In the case of HashSLH-DSA, there is a pre-hash component of M' (PH_M). Or: In the case of HashSLH-DSA, there is a pre-hash component of M' referred to as PH_M. --> <t>In the case of HashSLH-DSA, there is a pre-hash component (PH_M) of M'. PH_M may be computed in the signing/verifyingmodule,module; in whichcasecase, the entire message to be signed is sent to the module. Alternatively, PH_M may be computed in a different module. In this case, either PH_M is sent to the signing/verifying module, which creates M', or M' is created outside the signing/verifying module and is sent to the module. HashSLH-DSA allows this implementation flexibility in order to reduce, and make consistent, the amount of data transferred to signing/verifying modules. The hash algorithm orXOFextendable-output function (XOF) used to generate the pre-hash when signing and verifying with HashSLH-DSA is specified after the "-with-" component of the signature algorithm name. For example, when signing with id-hash-slh-dsa-sha2-128s-with-sha256, SHA-256 is used as the pre-hash algorithm. When pre-hashing is performed using SHAKE128, the output length is 256 bits. When pre-hashing is performed using SHAKE256, the output length is 512 bits.</t> <t>Section 9.2 of <xref target="FIPS205"/> defines an SLH-DSA signature as threeelements,elements: R,SIG_FORSSIG_FORS, and SIG_HT. The raw octet string encoding of an SLH-DSA signature is the concatenation of these three elements,i.e.i.e., R || SIG_FORS || SIG_HT. The raw octet string representing the signature is encoded directly in the BIT STRING without adding any additional ASN.1 wrapping. For example, in the Certificate structure, the raw signature value is encoded in the "signature" BIT STRING field.</t> </section> <section anchor="sec-pub-keys"> <name>Subject Public Key Fields</name> <t>In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:</t> <sourcecode type="asn.1"><![CDATA[ SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE { algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}}, subjectPublicKey BIT STRING } ]]></sourcecode> <aside><t>The<t>NOTE: The above syntax is from <xref target="RFC5912"/> and is compatible with the 2021 ASN.1 syntax <xref target="X680"/>. See <xref target="RFC5280"/> for the 1988 ASN.1 syntax.</t> </aside> <t>The fields in SubjectPublicKeyInfo have the following meanings:</t> <ul spacing="normal"> <li> <t>algorithm is the algorithm identifier and parameters for the public key (see above).</t> </li> <li> <t>subjectPublicKey contains the byte stream of the public key.</t> </li> </ul> <t><xreftarget="I-D.ietf-lamps-cms-sphincs-plus"/>target="RFC9814"/> defines the following public key identifiers for Pure SLH-DSA:</t> <sourcecode type="asn.1"><![CDATA[ pk-slh-dsa-sha2-128s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-128s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-128f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-128f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-192s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-192s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-192f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-192f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-256s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-256s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-256f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-256f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-128s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-128s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-128f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-128f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-192s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-192s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-192f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-192f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-256s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-256s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-256f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-256f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } SLH-DSA-PublicKey ::= OCTET STRING SLH-DSA-PrivateKey ::= OCTET STRING ]]></sourcecode> <t>The public key identifiers for HashSLH-DSA are defined here:</t> <sourcecode type="asn.1"><![CDATA[ pk-hash-slh-dsa-sha2-128s-with-sha256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-128s-with-sha256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-128f-with-sha256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-128f-with-sha256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-192s-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-192s-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-192f-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-192f-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-256s-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-256s-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-256f-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-256f-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-128s-with-shake128 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-128s-with-shake128 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-128f-with-shake128 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-128f-with-shake128 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-192s-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-192s-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-192f-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-192f-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-256s-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-256s-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-256f-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-256f-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } ]]></sourcecode> <t>Section 9.1 of <xref target="FIPS205"/> defines an SLH-DSA public key as two n-byteelements,elements: PK.seed and PK.root. The raw octet string encoding of an SLH-DSA public key is the concatenation of these two elements,i.e.i.e., PK.seed || PK.root. The octet string length is 2*n bytes, where n is 16, 24, or 32, depending on the SLH-DSA parameter set. When used in a SubjectPublicKeyInfo type, the subjectPublicKey BIT STRING contains the raw octet string encoding of the public key.</t> <t><xreftarget="I-D.ietf-lamps-cms-sphincs-plus"/>target="RFC9814"/> defines the SLH-DSA-PublicKey and SLH-DSA-PrivateKey ASN.1 OCTET STRING types to provide an option for encoding a Pure SLH-DSA public or private key in an environment that uses ASN.1 encoding but doesn't define its own mapping of an SLH-DSA raw octet string to ASN.1. HashSLH-DSA public and private keys can use SLH-DSA-PublicKey and SLH-DSA-PrivateKey in the same way. To map an SLH-DSA-PublicKey OCTET STRING to a SubjectPublicKeyInfo, the OCTET STRING is mapped to the subjectPublicKey field (a value of type BIT STRING) as follows:theThe most significant bit of the OCTET STRING value becomes the most significant bit of the BIT STRING value, and so on; the least significant bit of the OCTET STRING becomes the least significant bit of the BIT STRING.</t> <t>The AlgorithmIdentifier for an SLH-DSA public key <bcp14>MUST</bcp14> use one of the id-slh-dsa-* or id-hash-slh-dsa-* object identifiers from <xref target="sec-alg-ids"/>. The parameters field of the AlgorithmIdentifier for the SLH-DSA public key <bcp14>MUST</bcp14> be absent.</t> <t><xref target="example-public"/> contains an example of an id-slh-dsa-sha2-128s public key encoded using the textual encoding defined in <xref target="RFC7468"/>.</t> </section> <section anchor="key-usage-bits"> <name>Key Usage Bits</name> <t>The intended application for the key is indicated in the keyUsage certificate extension; see <xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/>. If the keyUsage extension is present in a certificate that indicates an id-slh-dsa-* (Pure SLH-DSA) or id-hash-slh-dsa-* (HashSLH-DSA) identifier in the SubjectPublicKeyInfo, then at least one of the following <bcp14>MUST</bcp14> be present:</t><artwork><![CDATA[ digitalSignature nonRepudiation keyCertSign cRLSign ]]></artwork><ul spacing="normal"> <li>digitalSignature</li> <li>nonRepudiation</li> <li>keyCertSign</li> <li>cRLSign</li> </ul> <t>If the keyUsage extension is present in a certificate that indicates an id-slh-dsa-* (Pure SLH-DSA) or id-hash-slh-dsa-* (HashSLH-DSA) identifier in the SubjectPublicKeyInfo, then the following <bcp14>MUST NOT</bcp14> be present:</t><artwork><![CDATA[ keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, and decipherOnly. ]]></artwork><ul spacing="normal"> <li>keyEncipherment</li> <li>dataEncipherment</li> <li>keyAgreement</li> <li>encipherOnly</li> <li>decipherOnly</li> </ul> <t>Requirements about the keyUsage extension bits defined in <xref target="RFC5280"/> still apply.</t> </section> <section anchor="private-key-format"> <name>Private Key Format</name> <t>"Asymmetric Key Packages" <xref target="RFC5958"/> describes how to encode a private key in a structure that both identifies what algorithm the private key is for and optionally allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below.</t> <sourcecode type="asn.1"><![CDATA[ OneAsymmetricKey ::= SEQUENCE { version Version, privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, privateKey PrivateKey, attributes [0] IMPLICIT Attributes OPTIONAL, ..., [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]], ... } PrivateKey ::= OCTET STRING PublicKey ::= BIT STRING ]]></sourcecode> <aside><t>The<t>NOTE: The above syntax is from <xref target="RFC5958"/> and is compatible with the 2021 ASN.1 syntax <xref target="X680"/>.</t> </aside> <t>Section 9.1 of <xref target="FIPS205"/> defines an SLH-DSA private key as four n-byteelements,elements: SK.seed, SK.prf,PK.seedPK.seed, and PK.root. The raw octet string encoding of an SLH-DSA private key is the concatenation of these four elements,i.e.i.e., SK.seed || SK.prf || PK.seed || PK.root. The octet string length is 4*n bytes, where n is 16, 24, or 32, depending on the SLH-DSA parameter set. When used in a OneAsymmetricKey type, the privateKey OCTET STRING contains the raw octet string encoding of the private key.</t> <t>When an SLH-DSA public key is included in a OneAsymmetricKey type, it is encoded in the same manner as in a SubjectPublicKeyInfo type. That is, the publicKey BIT STRING contains the raw octet string encoding of the public key.</t> <t><xref target="example-private"/> contains an example of an id-slh-dsa-sha2-128s private key encoded using the textual encoding defined in <xref target="RFC7468"/>.</t><t>NOTE:<!--[rfced] Is "new" accurate in this sentence, as RFC 5958 was published in August 2010? If not, may it be removed? Original: NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey that is defined in [RFC5958]. Perhaps: NOTE: There exist some private key import functions that have not picked up the ASN.1 structure OneAsymmetricKey that is defined in [RFC5958]. --> <aside> <t>NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey, which is defined in <xref target="RFC5958"/>. This means that they will not accept a private key structure that contains the public key field. This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key.</t> </aside> </section> <section anchor="operational-considerations"> <name>Operational Considerations</name> <t>SLH-DSA uses the same OID to identify a public key and a signature algorithm. The implication of this is that, despite being mathematically possible, an SLH-DSA key identified by a Pure SLH-DSA OID is not permitted to be used to generate or verify a signature identified byana HashSLH-DSA OID, andvice-versa.</t> <t>CAvice versa.</t> <t>Certification authority (CA) operators will need to decide in advance whether their CA certificates will use Pure SLH-DSA or HashSLH-DSA and assign the appropriate OID to the public and private keys when generating their certificate. Some of the following considerations may affect this decision.</t> <ul spacing="normal"> <li> <t>When using an external signing module, such asan HSM,a Hardware Security Module (HSM), the size of data that can be transferred to and processed by the signature module may be limited. SLH-DSA performs two passes on the internal M' message, so it must be held in memory. Using HashSLH-DSA reduces the size of M'.</t> </li> <li> <t>Large CRLs might also exceed the size limits of HSM signing operations when using Pure SLH-DSA. One way to limit the size of CRLs is to make use of CRL Distribution Points and Issuing Distribution Points to create partitioned CRLs in accordance with <xref section="5.2.5" sectionFormat="of" target="RFC5280"/>.</t> </li> <li><t>EE<t>End Entity (EE) certificates with manySANssubject alternative names (SANs) might also exceed the size limits of HSM signing operations.</t> </li> <li> <t>Potential verifiers' environments might need to be considered. The entire certificate or CRL needs to be held in memory during SLH-DSA signatureverification,verification; it cannot be streamed. In particular, there is a randomizer (R)whichthat is extracted from the SLH-DSA signature and fed to a digest function before M' is. Thus, to stream a message for SLH-DSAverificationverification, the signature must come before the message. This is not the case for certificates and CRLs. Using HashSLH-DSA reduces the size of the M' being held in memory.</t> </li> </ul> <t>An SLH-DSA private key has a very large(2^64)(2<sup>64</sup>) number of signatures it can safely generate (see <xref target="sec-cons"/>). If an operator might conceivably generate a number of signatures approaching this limit, they should mitigate potential harm by tracking the number of signatures generated and destroying the private key once an appropriate limit isreached,reached or by setting the "Not After" (expiration) date of the certificate such that thethelimit couldn't possibly be surpassed given the rate of signing.</t> </section> <section anchor="sec-cons"> <name>Security Considerations</name> <t>The security considerations of <xref target="RFC5280"/> apply accordingly. Moreover, the security aspects mentioned throughout <xref target="FIPS205"/> should be taken into account;seeforinstanceinstance, see Sections 3.1 and 3.2 or the beginning of Section 11.</t> <t>The security of SLH-DSA relies on the security properties of the internal hash and XOF functions. In particular, it relies on these functions being preimage resistant, but it does not rely on them being collision resistant. Since HashSLH-DSA performs a pre-hash before signing, it relies on both preimage resistance and collision resistance of the pre-hash function. In order to achieve an appropriate level of collision resistance, the output length of the pre-hash functions used for HashSLH-DSA is twice the length of the internal hash and XOF functions.</t> <t>Implementations <bcp14>MUST</bcp14> protect the private keys. Compromise of the private keys may result in the ability to forge signatures.</t> <t>When generating an SLH-DSA key pair, an implementation <bcp14>MUST</bcp14> generate each key pair independently of all other key pairs in the SLH-DSA hypertree.</t> <t>An SLH-DSA tree <bcp14>MUST NOT</bcp14> be used for more than2^642<sup>64</sup> signing operations.</t> <t>The generation of private keys relies on random numbers. The use of inadequatepseudo-randompseudorandom number generators (PRNGs) to generate these values can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the keys, searching the resulting small set of possibilities, rather than brute force searching the whole key space. The generation of quality random numbers is difficult; see Section 3.1 of <xref target="FIPS205"/> for some additional information.</t> <t>Fault attacks can lead to forgeries of messagesignaturessignatures; see <xref target="CMP2018"/> and <xref target="Ge2023"/>. Verifying a signature before releasing the signature value is a typical fault attack countermeasure; however, this countermeasure is not effective for SLH-DSA <xref target="Ge2023"/>. Redundancy by replicating the signature generation process can be used as an effective fault attack countermeasure for SLH-DSA <xref target="Ge2023"/>; however, the SLH-DSA signature generation is already considered slow.</t> <t>Likewise, passive power and emissions side-channel attacks can leak the SLH-DSA private signing key, and countermeasures can be taken against these attacks <xref target="SLotH"/>.</t> </section> <section anchor="iana-considerations"> <name>IANA Considerations</name> <!--[rfced] Regarding the IANA-registered description: 120 id-mod-x509-slh-dsa-2024 Please confirm that "2024" should remain, i.e., the year should not be updated to "2025" (or "2026") to match the publication date of the reference (this RFC). --> <t>For the ASN.1Modulemodule in <xref target="sec-asn1"/> of this document, IANAis requested to assignhas assigned an object identifier (OID) for the module identifier(TBD1)(120) with a Description of "id-mod-x509-slh-dsa-2024". The OID for the moduleshould behas been allocated in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).</t> </section> </middle> <back> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name> <reference anchor="FIPS205"target="https://doi.org/10.6028/NIST.FIPS.205">target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf"> <front> <title>Stateless Hash-Based Digital Signature Standard</title> <author><organization>National<organization abbrev="NIST">National Institute of Standards and Technology (NIST)</organization> </author> <date year="2024" month="August" day="13"/> </front> <seriesInfoname="FIPS PUB"name="NIST FIPS" value="205"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.205"/> </reference> <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> <front> <title>Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/> </reference> <reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690"> <front> <title>Information technology -Abstract Syntax Notation One (ASN.1):ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> <author> <organization>ITU-T</organization> </author> <date year="2021" month="February"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.690"/> <seriesInfo name="ISO/IEC" value="8825-1:2021"/> </reference> <reference anchor="CSOR" target="https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration"> <front> <title>Computer Security ObjectsRegister</title> <author initials="" surname="NIST" fullname="NationalRegister (CSOR)</title> <author> <organization abbrev="NIST">National Institute of Standards andTechnology"> <organization/>Technology (NIST)</organization> </author> <dateyear="2024" month="August" day="20"/> </front> </reference> <reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC5912"> <front> <title>New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)</title> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <dateyear="2025" month="June"year="2010"/> <abstract> <t>The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="5912"/> <seriesInfo name="DOI" value="10.17487/RFC5912"/> </reference> <reference anchor="RFC5280"> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="D. Cooper" initials="D." surname="Cooper"/> <author fullname="S. Santesson" initials="S." surname="Santesson"/> <author fullname="S. Farrell" initials="S." surname="Farrell"/> <author fullname="S. Boeyen" initials="S." surname="Boeyen"/> <author fullname="R. Housley" initials="R." surname="Housley"/> <author fullname="W. Polk" initials="W." surname="Polk"/> <date month="May" year="2008"/> <abstract> <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5280"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/> </reference> <reference anchor="I-D.ietf-lamps-cms-sphincs-plus"> <front> <title>Use of the SLH-DSA Signature Algorithm in the Cryptographic Message Syntax (CMS)</title> <author fullname="Russ Housley" initials="R." surname="Housley"> <organization>Vigil Security, LLC</organization> </author> <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer"> <organization>Cisco Systems</organization> </author> <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis"> <organization>Amazon Web Services</organization> </author> <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"> <organization>Cloudflare</organization> </author> <date day="13" month="January" year="2025"/> <abstract> <t> SLH-DSA is a stateless hash-based signature scheme. This document specifies the conventions for using the SLH-DSA signature algorithm with the Cryptographic Message Syntax (CMS). In addition, the algorithm identifier and public key syntax are provided. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cms-sphincs-plus-19"/> </reference> <reference anchor="RFC5958"> <front> <title>Asymmetric Key Packages</title> <author fullname="S. Turner" initials="S." surname="Turner"/> <date month="August" year="2010"/> <abstract> <t>This document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK]</t> </abstract>day="13"/> </front><seriesInfo name="RFC" value="5958"/> <seriesInfo name="DOI" value="10.17487/RFC5958"/></reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <!-- [I-D.ietf-lamps-cms-sphincs-plus] [RFC9814] Published 7/19/2025 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9814.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5958.xml"/> </references> <references anchor="sec-informative-references"> <name>Informative References</name> <reference anchor="NIST-PQC" target="https://csrc.nist.gov/projects/post-quantum-cryptography"> <front> <title>Post-Quantum CryptographyProject</title>(PQC)</title> <author><organization>National<organization abbrev="NIST">National Institute of Standards and Technology</organization> </author> <dateyear="2016" month="December" day="20"/>year="2025" month="July" day="28"/> </front> </reference> <reference anchor="CMP2018" target="https://link.springer.com/chapter/10.1007/978-3-319-79063-3_8"> <front> <title>Grafting Trees: A Fault Attack Against the SPHINCS Framework</title> <author initials="L." surname="Castelnovi" fullname="Laurent Castelnovi"> <organization/> </author> <authorinitials="" surname="A, Martinelli"initials="A" surname="Martinelli" fullname="Ange Martinelli"> <organization/> </author> <author initials="T." surname="Prest" fullname="Thomas Prest"> <organization/> </author> <date year="2018"/> </front><seriesInfo name="Lecture<refcontent>Post-Quantum Cryptography (PQCrpyto 2018), Lecture Notes in ComputerScience" value="vol 10786"/> <seriesInfo name="PQCrypto" value="2018"/> <seriesInfo name="Post-Quantum Cryptography" value="pp. 165-184"/>Science, vol. 10786, pp. 165-184</refcontent> </reference> <reference anchor="SLotH" target="https://eprint.iacr.org/2024/367.pdf"> <front> <title>Accelerating SLH-DSA by Two Orders of Magnitude with a Single Hash Unit</title> <author initials="M-J." surname="Saarinen" fullname="M-J. Saarinen"> <organization/> </author> <date year="2024"/> </front> <refcontent>Cryptology ePrint Archive, Paper 2024/367</refcontent> <seriesInfo name="DOI" value="10.1007/978-3-031-68376-3_9"/> </reference> <reference anchor="Ge2023"target="https://doi.org/10.46586/tches.v2023.i2.80-114">> <front> <title>On Protecting SPHINCS+ Against Fault Attacks</title> <author initials="A." surname="Genêt" fullname="Aymeric Genêt"> <organization/> </author><date>n.d.</date><date month="3" year="2023"/> </front> <refcontent>TCHES, vol. 2023, no. 2, pp. 80-114</refcontent> <seriesInfoname="TCHES" value="2023/02"/>name="DOI" value="10.46586/tches.v2023.i2.80-114"/> </reference> <reference anchor="FIPS180" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"> <front> <title>Secure HashStandard</title> <author fullname="Quynh H. Dang" surname="Dang"> <organization>Information Technology Laboratory</organization> </author>Standard (SHS)</title> <author> <organization abbrev="NIST">National Institute of Standards and Technology</organization><address> <postal> <country>US</country> <city>Gaithersburg</city> </postal> </address></author> <datemonth="July"month="August" year="2015"/> </front> <seriesInfo name="NISTFederal Information Processing Standards Publications"FIPS" value="180-4"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/> </reference> <reference anchor="FIPS202" target="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"> <front> <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title><author fullname="Morris J. Dworkin" initials="M." surname="Dworkin"> <organization>National Institute of Standards and Technology</organization> </author> <author fullname="Morris J. Dworkin" surname="Dworkin"> <organization>Information Technology Laboratory</organization> </author><author> <organization abbrev="NIST">National Institute of Standards and Technology</organization><address> <postal> <country>US</country> <city>Gaithersburg</city> </postal> </address></author> <date month="August" year="2015"/> </front> <seriesInfoname="FIPS" value="PUB 202"/> <seriesInfoname="NISTFederal Information Processing Standards Publications"FIPS" value="202"/> <seriesInfo name="DOI"value="10.6028/nist.fips.202"/> <seriesInfo name="DOI"value="10.6028/NIST.FIPS.202"/> </reference><reference anchor="RFC7468"> <front> <title>Textual Encodings of PKIX, PKCS, and CMS Structures</title> <author fullname="S. Josefsson" initials="S." surname="Josefsson"/> <author fullname="S. Leonard" initials="S." surname="Leonard"/> <date month="April" year="2015"/> <abstract> <t>This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate.</t> </abstract> </front> <seriesInfo name="RFC" value="7468"/> <seriesInfo name="DOI" value="10.17487/RFC7468"/> </reference> <reference anchor="RFC8410"> <front> <title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure</title> <author fullname="S. Josefsson" initials="S." surname="Josefsson"/> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <date month="August" year="2018"/> <abstract> <t>This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t> </abstract> </front> <seriesInfo name="RFC" value="8410"/> <seriesInfo name="DOI" value="10.17487/RFC8410"/> </reference> <reference anchor="I-D.ietf-lamps-dilithium-certificates"> <front> <title>Internet X.509 Public Key Infrastructure - Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title> <author fullname="Jake Massimo" initials="J." surname="Massimo"> <organization>AWS</organization> </author> <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis"> <organization>AWS</organization> </author> <author fullname="Sean Turner" initials="S." surname="Turner"> <organization>sn3rd</organization> </author> <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"> <organization>Cloudflare</organization> </author> <date day="26" month="June" year="2025"/> <abstract> <t> Digital signatures are used within X.509 certificates, Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using FIPS 204, the Module-Lattice- Based Digital Signature Algorithm (ML-DSA) in Internet X.509 certificates and certificate revocation lists. The conventions for the associated signatures, subject public keys, and private key are also described. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-certificates-12"/> </reference> <reference anchor="RFC8411"> <front> <title>IANA Registration for the Cryptographic Algorithm Object Identifier Range</title> <author fullname="J. Schaad" initials="J." surname="Schaad"/> <author fullname="R. Andrews" initials="R." surname="Andrews"/> <date month="August" year="2018"/> <abstract> <t>When the Curdle Security Working Group was chartered, a range of object identifiers was donated by DigiCert, Inc. for the purpose of registering the Edwards Elliptic Curve key agreement and signature algorithms. This donated set of OIDs allowed for shorter values than would be possible using the existing S/MIME or PKIX arcs. This document describes the donated range and the identifiers that were assigned from that range, transfers control of that range to IANA, and establishes IANA allocation policies for any future assignments within that range.</t> </abstract> </front> <seriesInfo name="RFC" value="8411"/> <seriesInfo name="DOI" value="10.17487/RFC8411"/> </reference><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7468.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"/> <!-- [I-D.ietf-lamps-dilithium-certificates-12] [RFC9881] Published 10/29/2025 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9881.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8411.xml"/> </references> </references> <?line 752?> <section anchor="sec-asn1"> <name>ASN.1 Module</name> <t>This appendix includes the ASN.1 module <xref target="X680"/> for SLH-DSA. Note that as per <xref target="RFC5280"/>, certificates use the Distinguished Encoding Rules; see <xref target="X690"/>. This module imports objects from <xref target="RFC5912"/> and <xreftarget="I-D.ietf-lamps-cms-sphincs-plus"/>.</t> <aside> <t>RFC EDITOR: Please replace <xref target="I-D.ietf-lamps-cms-sphincs-plus"/> throughout this document with a reference to the published RFC.</t> </aside>target="RFC9814"/>.</t> <sourcecodetype="asn.1"><![CDATA[ <CODE BEGINS>type="asn.1" markers="true"><![CDATA[ X509-SLH-DSA-Module-2024 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)id-mod-x509-slh-dsa-2024(TBD1)id-mod-x509-slh-dsa-2024(120) } DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS FROM AlgorithmInformation-2009 -- in [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } pk-slh-dsa-sha2-128s, pk-slh-dsa-sha2-128f, pk-slh-dsa-sha2-192s, pk-slh-dsa-sha2-192f, pk-slh-dsa-sha2-256s, pk-slh-dsa-sha2-256f, pk-slh-dsa-shake-128s, pk-slh-dsa-shake-128f, pk-slh-dsa-shake-192s, pk-slh-dsa-shake-192f, pk-slh-dsa-shake-256s, pk-slh-dsa-shake-256f, sa-slh-dsa-sha2-128s, sa-slh-dsa-sha2-128f, sa-slh-dsa-sha2-192s, sa-slh-dsa-sha2-192f, sa-slh-dsa-sha2-256s, sa-slh-dsa-sha2-256f, sa-slh-dsa-shake-128s, sa-slh-dsa-shake-128f, sa-slh-dsa-shake-192s, sa-slh-dsa-shake-192f, sa-slh-dsa-shake-256s, sa-slh-dsa-shake-256f FROM SLH-DSA-Module-2024 -- in[I-D.ietf-lamps-cms-sphincs-plus][RFC9814] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) id-smime(16) id-mod(0) id-mod-slh-dsa-2024(81) } ; -- -- HashSLH-DSA object identifiers from [CSOR] -- nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 } sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } id-hash-slh-dsa-sha2-128s-with-sha256 OBJECT IDENTIFIER ::= { sigAlgs 35 } id-hash-slh-dsa-sha2-128f-with-sha256 OBJECT IDENTIFIER ::= { sigAlgs 36 } id-hash-slh-dsa-sha2-192s-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 37 } id-hash-slh-dsa-sha2-192f-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 38 } id-hash-slh-dsa-sha2-256s-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 39 } id-hash-slh-dsa-sha2-256f-with-sha512 OBJECT IDENTIFIER ::= { sigAlgs 40 } id-hash-slh-dsa-shake-128s-with-shake128 OBJECT IDENTIFIER ::= { sigAlgs 41 } id-hash-slh-dsa-shake-128f-with-shake128 OBJECT IDENTIFIER ::= { sigAlgs 42 } id-hash-slh-dsa-shake-192s-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 43 } id-hash-slh-dsa-shake-192f-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 44 } id-hash-slh-dsa-shake-256s-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 45 } id-hash-slh-dsa-shake-256f-with-shake256 OBJECT IDENTIFIER ::= { sigAlgs 46 } -- -- HashSLH-DSA public key identifiers -- pk-hash-slh-dsa-sha2-128s-with-sha256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-128s-with-sha256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-128f-with-sha256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-128f-with-sha256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-192s-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-192s-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-192f-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-192f-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-256s-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-256s-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-sha2-256f-with-sha512 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-sha2-256f-with-sha512 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-128s-with-shake128 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-128s-with-shake128 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-128f-with-shake128 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-128f-with-shake128 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-192s-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-192s-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-192f-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-192f-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-256s-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-256s-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-hash-slh-dsa-shake-256f-with-shake256 PUBLIC-KEY ::= { IDENTIFIER id-hash-slh-dsa-shake-256f-with-shake256 -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } -- -- HashSLH-DSA signature algorithm identifiers -- sa-hash-slh-dsa-sha2-128s-with-sha256 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-sha2-128s-with-sha256 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-sha2-128s-with-sha256 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-sha2-128s-with-sha256 } } sa-hash-slh-dsa-sha2-128f-with-sha256 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-sha2-128f-with-sha256 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-sha2-128f-with-sha256 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-sha2-128f-with-sha256 } } sa-hash-slh-dsa-sha2-192s-with-sha512 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-sha2-192s-with-sha512 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-sha2-192s-with-sha512 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-sha2-192s-with-sha512 } } sa-hash-slh-dsa-sha2-192f-with-sha512 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-sha2-192f-with-sha512 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-sha2-192f-with-sha512 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-sha2-192f-with-sha512 } } sa-hash-slh-dsa-sha2-256s-with-sha512 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-sha2-256s-with-sha512 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-sha2-256s-with-sha512 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-sha2-256s-with-sha512 } } sa-hash-slh-dsa-sha2-256f-with-sha512 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-sha2-256f-with-sha512 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-sha2-256f-with-sha512 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-sha2-256f-with-sha512 } } sa-hash-slh-dsa-shake-128s-with-shake128 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-shake-128s-with-shake128 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-shake-128s-with-shake128 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-shake-128s-with-shake128 } } sa-hash-slh-dsa-shake-128f-with-shake128 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-shake-128f-with-shake128 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-shake-128f-with-shake128 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-shake-128f-with-shake128 } } sa-hash-slh-dsa-shake-192s-with-shake256 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-shake-192s-with-shake256 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-shake-192s-with-shake256 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-shake-192s-with-shake256 } } sa-hash-slh-dsa-shake-192f-with-shake256 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-shake-192f-with-shake256 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-shake-192f-with-shake256 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-shake-192f-with-shake256 } } sa-hash-slh-dsa-shake-256s-with-shake256 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-shake-256s-with-shake256 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-shake-256s-with-shake256 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-shake-256s-with-shake256 } } sa-hash-slh-dsa-shake-256f-with-shake256 SIGNATURE-ALGORITHM ::= { IDENTIFIER id-hash-slh-dsa-shake-256f-with-shake256 PARAMS ARE absent PUBLIC-KEYS { pk-hash-slh-dsa-shake-256f-with-shake256 } SMIME-CAPS { IDENTIFIED BY id-hash-slh-dsa-shake-256f-with-shake256 } } -- -- Expand SignatureAlgorithms from RFC 5912 -- SignatureAlgorithms SIGNATURE-ALGORITHM ::= { sa-slh-dsa-sha2-128s | sa-slh-dsa-sha2-128f | sa-slh-dsa-sha2-192s | sa-slh-dsa-sha2-192f | sa-slh-dsa-sha2-256s | sa-slh-dsa-sha2-256f | sa-slh-dsa-shake-128s | sa-slh-dsa-shake-128f | sa-slh-dsa-shake-192s | sa-slh-dsa-shake-192f | sa-slh-dsa-shake-256s | sa-slh-dsa-shake-256f | sa-hash-slh-dsa-sha2-128s-with-sha256 | sa-hash-slh-dsa-sha2-128f-with-sha256 | sa-hash-slh-dsa-sha2-192s-with-sha512 | sa-hash-slh-dsa-sha2-192f-with-sha512 | sa-hash-slh-dsa-sha2-256s-with-sha512 | sa-hash-slh-dsa-sha2-256f-with-sha512 | sa-hash-slh-dsa-shake-128s-with-shake128 | sa-hash-slh-dsa-shake-128f-with-shake128 | sa-hash-slh-dsa-shake-192s-with-shake256 | sa-hash-slh-dsa-shake-192f-with-shake256 | sa-hash-slh-dsa-shake-256s-with-shake256 | sa-hash-slh-dsa-shake-256f-with-shake256, ... } SMimeCaps SMIME-CAPS ::= { sa-slh-dsa-sha2-128s.&smimeCaps | sa-slh-dsa-sha2-128f.&smimeCaps | sa-slh-dsa-sha2-192s.&smimeCaps | sa-slh-dsa-sha2-192f.&smimeCaps | sa-slh-dsa-sha2-256s.&smimeCaps | sa-slh-dsa-sha2-256f.&smimeCaps | sa-slh-dsa-shake-128s.&smimeCaps | sa-slh-dsa-shake-128f.&smimeCaps | sa-slh-dsa-shake-192s.&smimeCaps | sa-slh-dsa-shake-192f.&smimeCaps | sa-slh-dsa-shake-256s.&smimeCaps | sa-slh-dsa-shake-256f.&smimeCaps | sa-hash-slh-dsa-sha2-128s-with-sha256.&smimeCaps | sa-hash-slh-dsa-sha2-128f-with-sha256.&smimeCaps | sa-hash-slh-dsa-sha2-192s-with-sha512.&smimeCaps | sa-hash-slh-dsa-sha2-192f-with-sha512.&smimeCaps | sa-hash-slh-dsa-sha2-256s-with-sha512.&smimeCaps | sa-hash-slh-dsa-sha2-256f-with-sha512.&smimeCaps | sa-hash-slh-dsa-shake-128s-with-shake128.&smimeCaps | sa-hash-slh-dsa-shake-128f-with-shake128.&smimeCaps | sa-hash-slh-dsa-shake-192s-with-shake256.&smimeCaps | sa-hash-slh-dsa-shake-192f-with-shake256.&smimeCaps | sa-hash-slh-dsa-shake-256s-with-shake256.&smimeCaps | sa-hash-slh-dsa-shake-256f-with-shake256.&smimeCaps, ... } -- -- Expand PublicKeyAlgorithms from RFC 5912 -- PublicKeyAlgorithms PUBLIC-KEY ::= { pk-slh-dsa-sha2-128s | pk-slh-dsa-sha2-128f | pk-slh-dsa-sha2-192s | pk-slh-dsa-sha2-192f | pk-slh-dsa-sha2-256s | pk-slh-dsa-sha2-256f | pk-slh-dsa-shake-128s | pk-slh-dsa-shake-128f | pk-slh-dsa-shake-192s | pk-slh-dsa-shake-192f | pk-slh-dsa-shake-256s | pk-slh-dsa-shake-256f | pk-hash-slh-dsa-sha2-128s-with-sha256 | pk-hash-slh-dsa-sha2-128f-with-sha256 | pk-hash-slh-dsa-sha2-192s-with-sha512 | pk-hash-slh-dsa-sha2-192f-with-sha512 | pk-hash-slh-dsa-sha2-256s-with-sha512 | pk-hash-slh-dsa-sha2-256f-with-sha512 | pk-hash-slh-dsa-shake-128s-with-shake128 | pk-hash-slh-dsa-shake-128f-with-shake128 | pk-hash-slh-dsa-shake-192s-with-shake256 | pk-hash-slh-dsa-shake-192f-with-shake256 | pk-hash-slh-dsa-shake-256s-with-shake256 | pk-hash-slh-dsa-shake-256f-with-shake256, ... } END<CODE ENDS>]]></sourcecode> </section> <section anchor="security-strengths"> <name>Security Strengths</name> <!--[rfced] FYI - To improve readability, we have changed this list to a bulleted list. Please review and let us know if you prefer otherwise. Original: These categories describe any attack that breaks the relevant security definition that must require computational resources comparable to or greater than those required for: Level 1 - key search on a block cipher with a 128-bit key (e.g., AES128), Level 2 - collision search on a 256-bit hash function (e.g., SHA256/ SHA3-256), Level 3 - key search on a block cipher with a 192-bit key (e.g., AES192), Level 4 - collision search on a 384-bit hash function (e.g. SHA384/SHA3-384), Level 5 - key search on a block cipher with a 256-bit key (e.g., AES 256). Current: These categories describe any attack that breaks the relevant security definition that must require computational resources comparable to or greater than those required for: * Level 1 - key search on a block cipher with a 128-bit key (e.g., AES128), * Level 2 - collision search on a 256-bit hash function (e.g., SHA256/ SHA3-256), * Level 3 - key search on a block cipher with a 192-bit key (e.g., AES192), * Level 4 - collision search on a 384-bit hash function (e.g. SHA384/SHA3-384), and * Level 5 - key search on a block cipher with a 256-bit key (e.g., AES 256). --> <t>Instead of defining the strength of a quantum algorithm in a traditional manner using precise estimates of the number of bits of security, NIST defined a collection of broad security strength categories. Each category is defined by a comparatively easy-to-analyze reference primitive thatcovercovers a range of security strengths offered by existing NIST standards in symmetric cryptography, which NIST expects to offer significant resistance to quantum cryptanalysis. These categories describe any attack that breaks the relevant security definition that must require computational resources comparable to or greater than those requiredfor: Levelfor:</t> <ul spacing="normal"> <li>Level 1 - key search on a block cipher with a 128-bit key (e.g.,AES128), LevelAES128),</li> <li>Level 2 - collision search on a 256-bit hash function (e.g., SHA256/SHA3-256), LevelSHA3-256),</li> <li>Level 3 - key search on a block cipher with a 192-bit key (e.g.,AES192), LevelAES192),</li> <li>Level 4 - collision search on a 384-bit hash function(e.g.(e.g., SHA384/SHA3-384),Leveland</li> <li>Level 5 - key search on a block cipher with a 256-bit key (e.g., AES256).</t>256).</li> </ul> <t>The SLH-DSA parameter sets defined for NIST security levels 1,33, and 5 are listed in <xref target="tab-strengths"/>, along with the resultingsignature size,signature, public key, and private key sizes in bytes. The HashSLH-DSA parameter sets have the same values as the Pure SLH-DSA equivalents.</t> <!--[rfced] FYI, in Table 1, we added "Size (in bytes)" to the column title. If you prefer the original, please let us know. Original: +==============================+============+=======+======+=======+ | OID | NIST Level | Sig. | Pub. | Priv. | | | | | Key | Key | +==============================+============+=======+======+=======+ | id-(hash-)slh-dsa-sha2-128s | 1 | 7856 | 32 | 64 | [...] Current: +==============================+============+======================+ | OID | NIST Level | Size (in bytes) | | | +=======+======+=======+ | | | Sig. | Pub. | Priv. | | | | | Key | Key | +==============================+============+=======+======+=======+ | id-(hash-)slh-dsa-sha2-128s | 1 | 7856 | 32 | 64 | [...] --> <table anchor="tab-strengths"> <name>SLH-DSAsecurity strengths</name>Security Strengths</name> <thead> <tr> <th rowspan="2" align="left">OID</th> <th rowspan="2" align="left">NIST Level</th> <th colspan="3" align="center">Size (in bytes)</th> </tr> <tr> <th align="left">Sig.</th> <th align="left">Pub. Key</th> <th align="left">Priv. Key</th> </tr> </thead> <tbody> <tr> <td align="left">id-(hash-)slh-dsa-sha2-128s</td> <td align="left">1</td> <td align="left">7856</td> <td align="left">32</td> <td align="left">64</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-sha2-128f</td> <td align="left">1</td> <td align="left">17088</td> <td align="left">32</td> <td align="left">64</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-sha2-192s</td> <td align="left">3</td> <td align="left">16224</td> <td align="left">48</td> <td align="left">96</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-sha2-192f</td> <td align="left">3</td> <td align="left">35664</td> <td align="left">48</td> <td align="left">96</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-sha2-256s</td> <td align="left">5</td> <td align="left">29792</td> <td align="left">64</td> <td align="left">128</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-sha2-256f</td> <td align="left">5</td> <td align="left">49856</td> <td align="left">64</td> <td align="left">128</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-shake-128s</td> <td align="left">1</td> <td align="left">7856</td> <td align="left">32</td> <td align="left">64</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-shake-128f</td> <td align="left">1</td> <td align="left">17088</td> <td align="left">32</td> <td align="left">64</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-shake-192s</td> <td align="left">3</td> <td align="left">16224</td> <td align="left">48</td> <td align="left">96</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-shake-192f</td> <td align="left">3</td> <td align="left">35664</td> <td align="left">48</td> <td align="left">96</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-shake-256s</td> <td align="left">5</td> <td align="left">29792</td> <td align="left">64</td> <td align="left">128</td> </tr> <tr> <td align="left">id-(hash-)slh-dsa-shake-256f</td> <td align="left">5</td> <td align="left">49856</td> <td align="left">64</td> <td align="left">128</td> </tr> </tbody> </table> </section> <section anchor="examples"> <name>Examples</name> <t>This appendix contains examples of SLH-DSA public keys, privatekeyskeys, and certificates.</t> <section anchor="example-public"> <name>Example Public Key</name> <t>An example of an SLH-DSA public key using id-slh-dsa-sha2-128s:</t> <artwork><![CDATA[ -----BEGIN PUBLIC KEY----- MDAwCwYJYIZIAWUDBAMUAyEAK4EJ7Hd8qk4fAkzPz5SX2ZGAUJKA9CVq8rB6+AKJ tJQ= -----END PUBLICKEY----- ]]></artwork> <artwork><![CDATA[KEY-----]]></artwork> <sourcecode type=""><![CDATA[ 0 48: SEQUENCE { 2 11: SEQUENCE { 4 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 20' : } 15 33: BIT STRING : 2B 81 09 EC 77 7C AA 4E 1F 02 4C CF CF 94 97 D9 : 91 80 50 92 80 F4 25 6A F2 B0 7A F8 02 89 B4 94 :} ]]></artwork>}]]></sourcecode> </section> <section anchor="example-private"> <name>Example Private Key</name> <t>An example of an SLH-DSA private key without the public key using id-slh-dsa-sha2-128s:</t> <artwork><![CDATA[ -----BEGIN PRIVATE KEY----- MFICAQAwCwYJYIZIAWUDBAMUBECiJjvKRYYINlIxYASVI9YhZ3+tkNUetgZ6Mn4N HmSlASuBCex3fKpOHwJMz8+Ul9mRgFCSgPQlavKwevgCibSU -----END PRIVATEKEY----- ]]></artwork> <artwork><![CDATA[KEY-----]]></artwork> <sourcecode type=""><![CDATA[ 0 82: SEQUENCE { 2 1: INTEGER 0 5 11: SEQUENCE { 7 9: OBJECT IDENTIFIER '2 16 840 1 101 3 4 3 20' : } 18 64: OCTET STRING : A2 26 3B CA 45 86 08 36 52 31 60 04 95 23 D6 21 : 67 7F AD 90 D5 1E B6 06 7A 32 7E 0D 1E 64 A5 01 : 2B 81 09 EC 77 7C AA 4E 1F 02 4C CF CF 94 97 D9 : 91 80 50 92 80 F4 25 6A F2 B0 7A F8 02 89 B4 94 :} ]]></artwork>}]]></sourcecode> </section> <section anchor="example-certificate"> <name>Example Certificate</name> <t>An example of a self-signed SLH-DSA certificate using id-slh-dsa-sha2-128s:</t> <artwork><![CDATA[ Certificate: Data: Version: 3 (0x2) Serial Number: 43:85:63:a2:69:01:99:2c:39:cf:bc:40:57:1b:5f:a3: cc:c7:88:45 Signature Algorithm: slhdsa_sha2_128s Issuer: C=FR, L=Paris, O=Bogus SLH-DSA-SHA2-128s CA Validity Not Before: Oct 16 13:42:12 2024 GMT Not After : Oct 14 13:42:12 2034 GMT Subject: C=FR, L=Paris, O=Bogus SLH-DSA-SHA2-128s CA Subject Public Key Info: Public Key Algorithm: slhdsa_sha2_128s slhdsa_sha2_128s public key: PQ key material: 2b:81:09:ec:77:7c:aa:4e:1f:02:4c:cf:cf:94:97: d9:91:80:50:92:80:f4:25:6a:f2:b0:7a:f8:02:89: b4:94 X509v3 extensions: X509v3 Subject Key Identifier: CD:59:36:AA:FE:C4:11:C7:A4:72:69:3F:0B:E8:B3:8B: 21:7B:19:ED X509v3 Authority Key Identifier: CD:59:36:AA:FE:C4:11:C7:A4:72:69:3F:0B:E8:B3:8B: 21:7B:19:ED X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: slhdsa_sha2_128s Signature Value: aa:a0:51:de:b0:c3:14:d0:cd:fb:12:46:a2:31:20:c9:ed:ab: 3f:dc:57:a5:fb:45:f6:f0:3b:7f:e3:5a:8c:b5:87:1e:1f:0b: 15:9f:aa:56:68:43:7e:ea:23:05:21:d1:33:cb:84:61:55:7e: 39:74:18:3c:ea:8e:01:a4:8d:9a:fb:35:74:69:c9:62:35:7f: 0e:34:01:1c:90:41:97:13:ff:c5:a4:65:ae:0f:bf:9b:32:d2: 2a:2c:97:86:2d:49:eb:ba:ae:9a:70:e7:35:67:3f:0a:7e:3a: dd:0b:66:4e:f8:45:b2:e6:d8:70:ab:fb:72:60:eb:85:ae:62: 3c:a4:bf:3c:7a:e5:dd:4a:24:e2:4e:d0:b5:3b:c3:ac:e9:26: f8:6c:ca:3b:e1:46:15:7f:18:c5:41:40:90:73:b9:19:63:86: 23:3a:b2:7f:12:3a:5f:bb:c3:10:6c:4e:b2:62:ee:3b:4b:c5: e2:69:24:74:3e:6e:81:e2:68:48:c8:27:25:bc:b2:ac:da:a8: ae:75:5a:5c:09:22:1c:be:95:0a:0b:5e:0c:08:49:42:3a:0d: 2d:fb:89:3b:b3:15:de:ee:e7:b2:5e:1f:a6:f0:4a:f6:65:c1: 5d:5e:05:7a:6d:2a:e7:c2:c3:20:37:ce:ab:0f:6c:ea:c9:39: f3:28:d1:75:81:31:7f:01:e2:09:c8:56:81:50:cf:4e:fa:82: 1a:60:3e:87:bf:61:ca:a0:40:27:95:bf:f8:4f:04:b1:fd:1f: 7f:ce:29:fa:15:5c:ef:94:9a:f6:f0:0c:7f:09:7f:ec:b6:36: 26:83:69:aa:2d:69:9e:17:7a:15:aa:9b:51:43:c1:90:7c:c9: 69:3a:5a:b1:ee:77:c9:28:e7:21:d8:93:0a:80:19:9c:5e:b7: 61:5f:14:6c:9a:00:22:aa:4d:b8:86:03:b5:83:4a:e9:f3:5a: 76:cc:a3:3b:e4:13:94:f7:56:96:56:33:dd:19:d9:3d:8d:55: ab:99:e5:00:24:f7:ff:f4:ee:08:47:8d:43:b3:f4:e3:3a:d5: 12:ef:04:00:99:62:a1:5e:cd:5f:9f:90:f3:c2:8e:35:9b:8a: 46:ec:54:4e:13:20:59:5f:63:d9:61:b1:e2:c4:36:d2:e5:27: 56:1f:53:59:9c:24:ec:6a:79:2b:1d:6a:f2:93:38:d8:eb:7a: cd:d7:8a:c8:98:d4:87:61:bf:79:3c:2a:64:42:0f:5b:15:b4: bd:c0:c7:c4:de:20:4c:bb:d8:0f:61:2e:aa:67:e1:a7:ff:0d: b7:dd:05:cf:5c:cb:0c:46:26:e0:d9:48:cb:45:76:27:88:51: 49:df:4c:16:65:8c:1a:84:82:09:f3:d4:ee:c4:2a:17:a9:7b: c0:77:24:fd:4f:00:98:12:ed:10:e7:67:c3:7d:54:78:0f:c8: 67:7f:f4:f2:80:2b:1b:34:0c:fa:5f:c4:12:85:1c:5f:e6:84: 8d:ce:12:e7:ae:f5:ef:eb:96:5f:62:6f:87:3a:35:67:ca:d8: ad:b5:55:0b:0d:06:91:d3:9d:1a:96:2e:67:d8:b1:0e:8f:07: 3f:7b:d6:fe:b5:76:62:19:83:f6:d2:08:35:3b:9f:1d:0a:f7: 14:d2:45:50:70:5c:91:cc:b5:0f:4b:ef:79:ef:d3:c7:bd:02: 7a:fa:8b:83:cd:31:07:b0:f7:8a:79:c4:68:19:de:01:f8:73: 1a:6d:8a:c7:54:c8:4b:9a:40:53:e3:4b:e4:bd:3a:52:50:c6: de:de:19:d7:9e:a8:88:70:f1:70:a6:11:55:b0:46:5e:40:37: b2:90:5c:91:76:bd:20:1d:24:db:71:33:81:b8:47:ef:ec:7e: 78:d2:25:2b:4b:e2:6e:01:81:d4:12:ff:40:ff:e0:d7:90:29: 85:80:e6:4a:f5:5b:32:6c:b7:05:1c:20:27:e0:98:57:80:e7: a2:97:cb:91:ce:d9:c1:a3:5f:dc:24:7f:b8:f5:5c:da:91:83: e5:ae:8c:65:73:84:6a:5b:c9:3f:97:51:7d:cc:3f:d6:39:e1: 71:f1:54:8d:1f:4f:33:70:cc:07:f8:03:70:be:8c:81:e1:5d: 73:c1:9c:be:7c:3d:69:c0:cc:72:90:cf:65:38:35:71:16:ae: 1d:e2:a6:08:c8:7b:dd:c0:30:f4:b4:2a:45:fc:05:e6:1c:ef: af:f3:53:03:2f:76:b5:7b:f1:a9:7d:16:33:b1:b5:c2:4f:9b: 55:7b:0d:22:f6:08:4b:38:b2:67:4e:d9:f8:f1:65:03:d6:5a: 1f:1f:8b:cb:da:78:fc:7b:52:a5:d7:1b:35:b2:cd:06:7e:1e: 1d:8b:60:40:91:74:2f:91:c9:c6:c7:c4:01:f5:2f:10:c2:ea: ab:84:f6:f6:2e:fc:77:c1:85:28:90:a5:11:dc:ed:07:78:c2: 74:9c:60:86:69:40:3c:17:9b:3a:e5:e8:65:22:c2:7f:d9:88: be:43:6a:31:90:d5:23:37:eb:93:70:e4:bc:34:94:4f:af:a4: c1:6f:f3:30:1b:c6:e1:f5:f1:d8:7b:a4:4e:6e:69:be:82:d0: 80:a8:ae:99:44:e1:d6:fa:45:e5:05:a5:52:0a:5d:60:17:3a: 1e:2e:dd:2e:b4:86:93:31:93:0f:ca:5f:05:52:8e:31:15:e8: 8b:30:88:33:d7:da:91:52:40:3c:d7:18:bc:72:8d:88:b2:65: c5:fe:0a:7c:50:44:7e:0f:b6:52:53:8b:28:fc:5b:fa:93:54: 36:ca:e1:c1:6b:7f:46:13:de:05:7d:be:33:8d:67:52:ba:6d: af:4b:ee:01:0b:c7:56:21:7d:16:bd:19:83:90:c8:14:51:8b: fb:83:c1:a5:ca:69:5a:ae:d9:f1:a7:dc:f7:53:9f:f6:a3:43: 94:fb:38:86:1f:2a:0f:50:cf:8d:bc:36:51:ce:8e:af:80:fe: b5:80:f8:43:73:ea:3a:d7:a2:a4:b6:73:3a:5a:6b:48:a7:31: a3:d3:42:3a:fc:2e:b0:29:d2:67:8a:9a:d1:26:95:08:0b:61: 3f:71:ee:b1:96:f4:49:0c:d7:3b:50:61:6c:15:ca:31:31:dc: 0d:fc:d8:5f:a1:26:d3:e2:43:cd:13:39:4a:50:2d:64:57:bf: 02:a8:5c:54:4a:d4:37:45:f2:09:fd:cf:53:67:19:e9:92:a4: cd:1b:82:09:2c:4d:29:30:80:c1:23:8b:ca:1c:38:c6:11:8f: a2:3c:2c:7f:86:25:c9:fe:a3:1a:fc:82:ab:69:e9:b5:37:b1: 0e:9a:99:10:cd:a7:b6:52:9f:c6:e4:6e:08:f1:90:cd:14:b8: c2:e0:a9:58:2e:8a:4c:52:df:d5:ee:8a:57:ce:82:57:a6:89: 0f:74:20:4c:22:1d:02:c9:04:52:68:78:f3:59:c9:c3:60:85: 92:01:30:75:a0:eb:29:2b:66:55:b7:48:4a:df:8f:ba:df:a8: bc:d9:45:5c:eb:04:a8:c3:94:b6:bb:1d:05:19:48:9b:ae:8d: 63:2d:ba:d6:d3:5e:e5:7a:40:b6:05:74:a1:b0:7a:b7:d7:b4: 67:d6:d6:ac:f5:05:6f:53:45:a6:ed:e0:0c:b3:0c:32:c6:89: fb:42:7b:11:74:94:25:dc:01:7c:bb:4e:4f:4f:97:54:28:b0: fb:48:66:87:3a:d0:da:18:bf:aa:13:0c:6a:d3:c7:3e:11:26: 43:e8:40:b3:57:29:00:70:00:af:58:b0:75:83:9e:b9:4b:5b: 39:f1:7f:3f:89:8d:1d:0b:1a:78:4d:e5:8c:e6:07:86:75:23: 1b:14:1f:cd:04:4d:98:d1:cd:f5:4f:1d:00:55:fb:f8:c7:92: f5:ee:5e:c5:f3:24:84:22:ee:11:48:91:4b:51:f7:87:a8:9c: a0:9a:48:bc:93:f5:3c:1c:7e:d9:ac:15:1c:1f:b7:f9:b9:66: 9f:f4:e5:58:4a:f9:7e:5c:3f:a3:5a:20:54:be:57:74:74:65: 80:0d:f4:30:a9:0d:53:e6:71:52:f9:7e:f4:02:24:e5:b4:21: 0b:bc:13:2e:67:00:bd:64:54:8b:82:b4:64:f8:52:46:b2:f2: 37:5d:32:49:8a:be:19:4e:21:a7:cc:9a:19:29:c9:57:aa:fe: db:4a:ef:e0:a1:06:1a:5f:58:4c:97:ae:fe:ac:16:a0:e3:a7: 60:ef:b6:bf:80:67:35:c8:6c:fe:11:16:18:bd:04:90:32:b6: 75:64:13:55:b2:2e:c6:df:2f:b7:35:d6:3c:f1:ab:4c:1e:da: c2:4f:fc:24:f2:92:ce:64:dd:ef:70:7a:ae:26:07:01:61:9f: e6:2e:fe:e4:35:8c:d5:ee:e2:be:fd:3b:8f:c4:dc:5c:50:4c: 5a:2e:aa:14:c4:0e:b5:81:13:55:d0:85:81:16:3d:ce:03:f0: 2b:25:39:b6:f9:ce:ff:c0:f5:4d:77:60:86:03:25:ff:dd:57: cb:fd:28:fd:e2:8e:bb:7c:fb:49:46:9c:2c:0e:34:74:cf:d2: b8:45:be:fd:c1:2a:6b:8e:30:48:c3:a7:41:67:04:78:68:9d: 81:1c:35:f4:93:5a:1f:47:ab:3a:34:5e:4e:2d:43:2b:f4:52: bc:58:34:52:15:53:36:19:c9:b0:bc:57:7c:95:b3:86:ee:7e: 68:9f:73:b2:09:30:4f:f8:90:ae:0b:8d:f4:f4:d1:47:1b:e8: d1:03:85:92:2d:8a:60:ab:30:f3:ea:26:5e:37:e9:90:b6:2d: f6:08:1f:bc:fd:13:5a:fd:a9:29:7c:ab:58:10:d9:6d:3b:27: 75:31:f4:74:a8:e8:70:00:a3:63:f1:8c:b4:97:22:2b:d0:f8: e0:b2:6e:4f:4a:96:d5:f0:3d:fe:73:e1:c8:ba:fb:a8:96:bf: 01:c2:63:70:fa:dd:97:e5:c9:8f:00:04:5d:fa:c0:39:68:ba: e5:dc:aa:7b:3d:bd:25:aa:43:e2:02:a1:57:2b:78:74:80:f8: d6:ea:a2:44:7f:1e:35:46:cb:7d:2f:83:dc:7a:25:87:e0:27: ce:df:12:15:83:b6:26:2a:f9:4e:22:18:ca:69:7d:e3:68:86: 08:40:fa:45:1b:a5:3d:63:a1:aa:19:ca:83:3d:2e:4b:13:4d: 58:26:62:f2:ef:3c:6b:13:cc:99:95:21:c2:c7:f5:af:08:ef: a0:21:1a:4b:e9:f4:1c:4d:46:72:88:22:8b:aa:b5:dc:fe:3b: e6:8d:b9:51:8d:45:f4:70:13:68:a2:2b:0a:9c:82:16:64:fc: 3a:5a:2a:19:a6:fe:92:34:65:e2:6a:9c:a5:93:24:21:b4:b6: 50:b8:04:31:02:1c:df:4f:b8:9c:b6:3b:19:66:26:aa:c0:33: fd:9b:fb:02:2f:c8:07:8c:1f:66:8a:f6:f3:c5:0b:74:ce:75: c4:94:34:80:60:53:c1:42:09:2d:21:fb:25:b4:ff:c1:00:30: f1:c8:ad:ce:62:c6:1d:d7:94:cc:0f:7b:2a:00:be:b3:f3:c8: 3f:e5:88:af:6d:19:90:31:71:96:d6:8c:5b:34:b8:85:b5:42: f2:fb:17:a0:83:bb:6a:61:86:f0:ef:1f:db:ce:00:2f:90:aa: ee:07:97:59:56:85:96:1c:97:6b:ca:d4:7d:9a:bd:dc:01:52: dd:1c:bc:82:5e:81:08:91:36:85:7f:3e:12:63:59:aa:03:10: b3:03:2d:ad:17:7d:61:91:d6:e1:b9:2e:39:54:27:8a:a4:91: 87:ba:33:54:28:52:0d:46:f0:e7:63:40:6d:15:76:11:51:28: 1b:5f:94:ea:30:6f:00:34:a6:d8:42:c4:32:a0:36:1b:55:04: 90:87:8e:2e:04:47:f1:25:c8:fb:d4:58:79:36:5c:b9:81:18: c5:ff:16:ab:fe:b8:01:0a:fb:4a:93:3d:9b:c5:82:d5:1f:bf: 95:ea:aa:36:ef:c5:f8:d8:ab:f7:ca:c8:49:dc:30:fb:34:9d: 81:e2:7c:6c:06:78:34:a9:aa:44:74:9f:42:a5:c5:91:9f:41: c4:f1:79:7e:0d:cd:36:d5:21:32:5d:82:4d:b3:80:0d:72:19: ab:2a:0e:de:f4:22:ce:48:b7:b2:44:02:f1:99:b1:bf:79:dd: 49:0b:bf:3e:f8:b9:a5:e3:28:8d:8f:89:b3:d8:bc:97:cb:2e: f8:c0:8f:f0:10:cd:00:2f:df:bc:bb:ab:e0:77:de:d9:44:17: 8e:70:f0:07:e1:9d:c5:a5:fb:91:ee:3d:ee:f4:98:9d:67:10: 04:3a:a6:f2:03:fc:e8:05:53:ee:00:29:3c:84:ff:35:f4:df: 93:74:82:16:ec:58:25:43:81:01:b2:68:d2:a7:51:ed:97:ed: c2:06:1e:eb:8d:75:cf:11:30:b0:f7:0f:c1:d2:c1:f1:43:5d: 42:70:fa:c1:f9:2a:eb:a2:af:00:07:cb:99:ca:cb:9a:50:85: c3:63:76:d3:ad:f5:ef:d4:f0:c9:75:a4:4b:88:4b:32:81:c3: 43:97:bf:a8:0b:c0:5a:23:b4:28:46:4c:04:70:36:88:ee:eb: f5:26:b2:99:05:cc:6b:0a:0e:f9:06:73:fd:c3:be:37:c7:26: 29:11:62:d4:20:e0:06:f2:68:c3:57:db:bf:85:e6:2f:cb:f1: 81:96:88:70:9e:a2:6a:42:02:fc:79:90:f6:c9:b0:fb:b3:6e: a5:68:c4:ee:bb:8c:87:6c:81:20:15:a8:7f:1b:ba:f7:2e:b2: f7:5f:a3:c0:03:44:ce:e2:27:f2:04:d0:c0:b2:7d:be:b3:11: 4e:e9:77:7c:be:83:94:03:13:75:2f:c4:d4:8a:e9:bc:a3:fa: 6d:5c:72:fa:62:86:17:e2:db:97:88:ca:6c:4c:ad:68:2b:57: cf:f5:b6:92:2e:02:2e:82:d1:5c:9f:3b:8e:e9:e5:8d:76:7c: 65:9d:57:e5:2b:df:c9:ca:b1:8c:ec:86:e7:09:95:de:73:57: 4e:ec:af:62:47:45:79:c6:fd:09:32:d9:5b:73:de:67:44:39: 28:a3:ff:1d:8f:22:61:04:48:84:fb:f0:44:04:0f:01:1b:ad: bf:9f:ff:34:2c:83:3d:d6:85:3c:9b:82:ef:47:c7:ab:a2:e2: 9e:ac:71:eb:d6:5e:a7:d8:e0:79:53:39:29:15:0e:a6:b9:56: 39:93:16:7f:0a:48:00:6d:36:0a:2a:4a:11:ef:80:d7:43:c4: f0:06:e2:a2:49:9a:e6:2d:c5:fd:46:96:a8:83:45:22:b5:c7: 55:dc:cf:3f:84:8e:0b:69:7c:dc:e0:30:1a:1f:a6:14:d6:42: d3:0f:91:4b:6c:3f:2f:f9:64:25:bb:e4:83:b9:44:80:b3:6c: c7:f2:3e:58:a3:61:7a:1a:04:61:d8:a2:8c:e7:43:d7:eb:f4: 90:48:90:30:dc:c1:55:b3:eb:4b:68:09:af:62:79:d7:f6:09: 61:89:b7:6b:37:3e:09:4e:d5:d7:e3:05:b1:4b:f0:e5:1f:6b: 3e:f0:6b:eb:2a:8d:1d:ae:f6:87:c6:70:f2:74:fa:92:46:1d: d6:7e:d6:ab:1a:d3:de:11:71:be:f0:a1:e3:05:82:4e:3a:a1: 2e:d2:2b:c4:92:0e:a3:70:10:3f:df:c4:cc:52:97:f7:4c:a6: 5a:7b:cc:e8:74:5a:47:12:42:73:d8:5b:09:7e:31:a9:68:33: 77:f6:d1:72:72:a3:22:e2:d9:6e:c5:fc:f2:30:d5:85:c5:c2: 50:79:10:a6:9f:15:50:31:a4:87:d7:cb:da:b9:5f:37:ab:fe: 7f:09:25:e5:c3:1e:c0:d6:78:20:a0:21:20:10:6f:3c:d0:bd: 46:fe:bc:ad:df:25:27:8d:f4:0d:0c:4d:b2:30:b1:70:8e:aa: 25:9f:80:b9:60:b7:79:b2:25:be:a5:df:ee:ed:8c:ac:87:c9: 69:3f:ea:e5:cf:4d:d1:44:73:7f:a7:4e:9b:69:64:df:da:8a: 57:53:11:0e:54:fd:af:ca:4c:6d:e0:ad:56:1f:7f:c5:07:00: 8b:e4:b3:09:53:af:a4:db:e1:a1:c4:e1:c0:d6:70:d4:2d:e8: d4:bd:38:94:c7:93:39:64:71:50:6d:a5:30:7d:fe:1e:61:d0: a1:26:bb:6a:f8:32:63:05:37:65:bb:23:97:06:13:c6:d6:46: b5:83:fd:d3:9b:a3:94:ec:67:8e:9c:bb:9e:af:0b:df:e8:28: ed:45:ff:a4:8c:d9:f9:e3:30:dd:20:f2:3d:ad:4f:d0:b9:2b: 17:bf:d0:4a:8e:03:8d:a2:1f:16:fa:fe:87:eb:3c:57:7d:f8: 78:f9:2d:74:d4:82:d8:53:e0:91:b6:83:6f:73:79:ca:d9:ca: 83:ed:84:75:10:e0:5e:fa:a7:0f:a1:9b:67:21:d0:9a:b0:90: 83:68:3c:99:97:69:42:11:2c:51:b9:6f:5c:03:1f:2e:ee:78: b7:3a:14:db:d8:9d:17:69:9a:ad:9e:80:d5:d7:de:fe:3b:18: ee:a6:7d:9f:3b:6f:30:67:74:a1:f4:ff:fb:68:ad:e4:ec:8f: 7f:5b:02:46:62:26:10:6a:88:b1:a7:89:d1:87:00:a4:95:84: 96:9e:b4:1f:bf:f1:6f:67:b6:3f:d5:c2:5c:1f:41:10:cd:06: a5:e8:fe:e2:1e:52:e3:5c:46:b9:c4:e9:18:aa:78:e0:4b:78: 82:78:ac:3d:59:fd:24:40:44:01:d6:ad:6b:87:bd:11:a1:c1: bd:f2:a9:cc:be:ae:05:52:7b:bd:86:63:d6:9e:bd:52:3c:25: dc:a4:bb:73:bc:0c:04:04:c1:0c:e9:6e:d1:26:c3:50:ac:98: fb:4b:49:c5:69:ed:d8:30:bb:7c:d2:6e:d3:76:5a:13:0c:82: 28:cf:40:5c:0e:16:24:e8:82:5d:2a:f0:87:89:23:99:2d:7e: 6a:85:a1:dd:ab:78:1b:e6:cf:76:bc:fe:26:b2:26:a5:a7:e1: d4:44:a3:ff:20:ad:84:73:5b:26:b2:3a:15:c9:c4:02:9d:fb: b2:2b:cf:b5:f2:a3:7e:99:de:f9:d9:93:f7:8b:16:e3:04:4f: c4:bc:4d:67:9b:3f:ba:2d:79:7a:47:f1:ea:d8:36:cf:5d:eb: f7:b3:ae:0c:e0:62:f8:f6:2c:d0:29:91:8a:fa:68:bf:20:57: ef:79:0d:71:62:f7:a7:25:c7:77:f2:03:48:2d:95:73:7b:ba: c0:f5:62:7b:bb:0d:06:b6:88:74:a4:b4:7e:48:b9:a6:6d:92: 78:3d:87:4e:68:44:d6:45:23:c9:7b:04:02:7e:c7:40:7f:a0: 41:fc:24:8e:e5:43:19:f4:65:b2:a5:e7:73:27:03:b4:52:0e: de:33:12:62:ed:b6:c3:2b:19:cd:a0:69:0b:cb:63:eb:85:83: a1:16:a9:2b:72:c1:e7:c6:63:7f:a4:41:6e:19:61:3b:78:ba: db:6a:18:5c:f4:b1:5d:a5:5d:df:38:fd:5f:80:cf:cf:f0:95: e1:b1:bc:7a:2e:2c:ff:04:00:5e:c7:79:1c:47:e0:a7:57:de: 1b:e6:69:13:7a:3b:cf:a0:d8:69:16:f2:9e:45:e6:b1:7d:9f: f7:47:25:d9:1f:50:0a:6e:dd:da:53:e0:4d:52:91:33:87:8a: 3f:37:ef:7a:eb:1a:98:a0:55:e0:f9:e5:f2:03:1f:e2:eb:e5: 30:6c:0c:4b:75:a4:cf:40:87:da:30:49:25:e1:25:fd:38:ce: 44:20:e3:75:7f:25:2b:7b:dd:b2:02:d7:e2:0f:96:a4:bb:cf: 0c:df:16:e7:5b:91:46:31:bc:4d:18:b6:ca:33:a1:5b:e6:70: 95:03:40:79:a9:12:a9:1d:09:e8:38:d7:d4:7d:c3:a8:25:6c: c2:aa:0b:78:19:5b:16:cb:8a:24:4f:b2:7a:ca:87:68:85:9b: 22:17:50:ea:fd:28:ae:45:f7:b6:ba:76:de:49:ce:9f:a4:48: b1:bb:f1:ba:f8:88:8e:14:1e:2f:2d:53:79:bf:32:0e:fc:19: 20:b1:ba:12:68:5d:8c:d8:3c:3c:d6:63:8a:2e:8b:e4:7c:75: 05:27:a8:e9:e0:5b:be:87:77:d5:b3:88:74:db:cd:5f:59:10: 5c:9c:44:e1:d4:7d:bf:36:ec:fb:70:95:bf:a7:1b:d9:a8:ee: fd:d7:91:4d:72:b1:d1:72:87:0b:02:58:22:23:cb:b1:72:36: 04:47:33:a6:39:99:34:fa:73:6a:e1:b9:21:17:7a:04:5b:23: 64:65:9f:bf:14:e6:8d:4e:70:1b:9e:19:af:9b:98:3e:6f:13: 2e:35:a5:90:a7:c6:24:8a:b6:d0:0a:a1:60:eb:40:cf:7b:c5: 03:87:e2:a7:76:8a:10:5b:4e:75:c1:3e:ad:37:1e:ff:46:59: a8:b1:6e:c4:fe:65:81:61:67:6d:83:51:9f:22:58:1f:a2:e1: 39:dd:d4:33:74:22:90:cb:93:bf:65:a6:5a:8d:92:db:9e:9a: 60:1e:96:5f:5d:66:13:b8:f3:82:fb:13:5a:ea:3c:e9:1f:5d: d7:b4:7f:18:99:38:d3:1e:49:83:26:a8:ec:c0:13:98:af:a2: cf:2d:2a:4a:4a:7e:32:fc:20:b5:84:c0:2f:d6:0c:40:5a:ad: 34:db:fc:d5:f3:8c:5e:ce:cd:15:fb:68:d4:60:c4:0e:fa:9c: f1:7e:0b:c2:95:cf:e1:1f:6b:4b:b4:8b:7d:1b:05:45:8e:65: 62:d8:24:4f:c9:31:f5:9e:1b:3a:d3:cd:47:05:93:e0:91:89: 9f:7e:87:50:a9:0a:4b:28:df:00:55:01:7f:58:f6:d4:8a:17: c2:60:1a:56:2a:49:9c:8d:11:25:7e:42:e7:60:90:20:f7:3e: 12:25:7b:82:05:49:d5:2f:88:cf:73:db:09:7e:0f:f1:7d:c6: a4:0f:dc:3d:5f:25:a4:2b:e1:74:7d:70:5a:a5:b4:67:6c:66: 74:c4:86:01:30:af:d5:e9:fa:49:72:38:3b:00:95:de:fb:c6: ae:ee:c8:d0:af:b2:14:8f:9d:da:32:5f:9e:e7:85:76:a9:1a: 7c:d3:69:8b:02:4b:3c:ff:51:3b:a0:80:69:f0:95:01:10:ae: ba:94:a9:59:ce:a0:90:af:8d:f5:db:45:63:0b:4f:8a:fb:96: db:26:66:da:b8:e2:cf:7e:15:47:c8:10:03:46:8c:3b:bf:46: 0c:29:e6:7d:80:42:3a:c2:8d:38:b4:48:2d:2c:96:a1:37:71: 13:9c:72:00:02:ff:a4:79:ff:74:5a:31:ba:a6:3a:24:08:bf: 8e:41:b4:48:6f:bc:43:85:31:7d:b9:ca:06:60:76:fb:a7:d1: a3:af:ad:d0:a7:cb:07:02:08:ba:b7:ce:ab:06:56:28:5d:31: 79:2c:db:10:52:55:4c:65:53:10:ce:1e:5f:0e:e5:15:25:c4: e0:78:12:3c:d2:0c:89:f3:60:dd:f1:ef:8b:ec:7e:8a:9b:2c: 58:9b:1f:7b:f0:d3:dd:47:d7:49:5f:11:fa:ed:7a:72:1c:84: 6c:06:0f:76:44:a8:e6:2f:24:1b:3f:66:46:3c:e7:c6:7f:e3: 06:1b:5e:7c:e6:d6:67:08:34:f3:64:2c:fd:30:9d:d8:e2:75: 14:95:91:d0:0f:4c:d9:f0:95:43:42:b2:15:db:4f:3d:15:cb: 60:6c:22:f8:fb:e0:c4:43:1c:d0:71:9d:10:9b:f6:76:c3:d4: e8:f1:d8:62:b3:b3:8f:f4:e2:69:a5:fd:e3:0a:23:e6:4e:9b: 0f:a5:2c:a1:09:01:ce:27:26:94:a7:90:c0:e8:0e:82:98:43: 44:87:9d:34:57:73:b5:b7:35:fa:a3:af:47:cf:09:48:27:79: d3:c6:1b:04:7a:08:df:a6:78:0f:6a:2e:5c:e5:c6:a6:16:ac: 4f:4d:6d:06:d6:45:de:68:3a:2c:f2:22:32:61:8c:e6:d0:e5: 62:a9:49:fe:ba:86:ad:cb:c6:be:29:6b:0b:4b:cd:4c:59:4e: bd:17:6c:9b:c9:d6:d9:cd:9f:aa:01:8c:c9:a3:dd:af:6b:5f: e9:f5:18:24:6d:90:e1:14:9e:56:86:04:2e:3b:a2:42:21:f8: 0a:ee:05:71:31:55:f7:56:99:5f:72:18:87:22:ff:6d:4f:7c: c2:c2:32:84:5d:4c:1d:da:59:12:71:48:98:37:68:c8:6c:14: 8c:b6:8c:d4:49:e5:f6:2b:0f:04:ac:66:1b:f7:c4:d0:18:6d: e3:5d:12:4d:9d:34:c6:4c:36:cf:96:2b:5d:ae:d7:b1:74:c9: f0:44:b6:f0:c6:45:32:4e:b7:42:42:d3:f9:b5:c3:51:54:3e: b8:4a:70:0e:82:2e:39:07:bc:66:a9:91:93:43:f2:7f:ed:a4: 61:f2:35:fa:e0:9f:86:00:c9:87:5b:69:7e:3b:f8:d1:fa:e7: 78:e6:d0:46:27:d5:80:d4:34:0f:8f:bf:1c:27:47:60:3f:a7: b5:c4:ed:b3:c2:15:37:37:b3:8b:d1:c1:a7:1b:47:24:73:ce: 22:74:da:fb:c8:3f:a1:65:4d:79:67:d1:8a:db:71:79:d4:5d: 7d:a1:ae:05:93:78:31:98:d3:f6:cc:a3:42:93:e1:11:06:51: 2c:3c:4c:b7:6b:5d:07:fa:a8:08:72:4c:9a:26:0b:af:28:1c: 70:55:b1:1d:c8:82:98:3d:a5:b4:62:ff:77:07:13:84:b0:10: 7e:f3:33:37:21:41:2e:cd:3b:da:4e:e6:fa:ad:3f:ee:f3:05: 39:8d:65:20:dc:94:49:98:e4:e9:a1:26:b3:3a:3d:c9:69:1f: e4:9c:29:7d:1b:91:02:70:27:8b:77:df:18:7e:50:50:58:06: 1b:fc:37:6b:4c:00:71:ea:ee:82:4c:e2:8b:a4:a7:81:f8:87: 57:07:50:d9:d0:bf:f4:85:c7:4f:9b:cf:e4:51:ee:d1:6b:0a: a3:a7:79:a9:7f:e4:6a:eb:83:59:82:f8:e5:32:c6:6b:93:57: 18:61:e7:89:b1:ff:a7:f7:31:8b:54:31:df:30:c8:0b:2f:7e: 5c:4d:1d:99:e2:cd:61:97:b5:28:14:36:3f:36:0e:b4:27:38: c8:61:68:e0:95:8d:26:3c:d4:83:5d:96:9f:a6:37:96:59:db: 10:a4:5f:90:b6:44:f1:7e:6c:86:44:25:40:0a:fc:ef:d7:5c: 97:ba:1b:4c:95:9e:e3:9e:90:b9:02:58:30:1d:60:b7:94:30: f5:78:b5:a4:ea:37:82:7a:f5:73:6c:0d:d3:81:ca:72:cc:8c: cd:bf:6f:fa:7f:cb:39:27:1a:59:9a:71:51:d8:f3:b3:40:d3: da:66:83:f4:f2:94:a5:8f:b5:a0:7f:72:c2:c8:e7:1b:41:36: fe:fb:6d:81:d8:ab:8a:33:41:18:bf:42:c9:1a:8a:22:fa:25: 9e:e0:b7:45:46:ee:ab:3b:57:3a:8f:64:96:51:7a:1f:66:95: f9:52:95:40:77:51:69:f5:6e:bd:3c:97:95:53:90:09:b0:fc: 5f:8c:ca:d5:2d:40:ab:29:c2:21:31:80:75:b9:0c:c9:57:46: f9:7e:e1:fc:95:63:c1:91:ad:10:90:af:2d:a2:85:02:55:d1: a1:10:76:db:24:ac:37:1d:35:bf:8a:09:29:21:b7:da:d5:26: 6d:00:6e:77:3f:64:e0:88:6b:09:37:e9:82:f8:c7:ad:bc:05: ea:1d:75:a4:ba:c3:d4:fb:43:ae:99:28:3a:19:fd:84:53:4b: 84:8a:b3:76:ae:a6:dd:a9:bb:fe:56:c2:7d:14:05:62:3a:a4: af:7d:3b:cd:80:c4:dd:87:58:54:21:9e:21:f2:60:a3:42:a6: de:55:31:8e:c9:7c:01:ae:fd:87:67:52:43:ba:7a:a4:ee:23: 9f:6f:0a:52:db:38:12:41:18:c4:2d:4a:85:84:36:59:a6:23: 9e:38:8e:51:c2:88:23:85:3a:dc:60:52:56:79:99:84:b0:a5: a9:b3:1b:ac:27:c8:5d:4d:82:8d:3c:ee:e7:84:c7:0d:72:ac: 80:c8:82:55:bb:05:7b:1e:33:f4:a3:0c:39:5b:2b:ed:a4:f6: cf:a5:15:8f:58:be:a0:bb:9b:35:27:cc:7b:78:aa:ee:ab:0f: fa:de:aa:bb:95:94:37:b6:44:ff:21:e1:64:41:73:46:22:d9: b0:89:61:24:b4:53:01:99:17:4b:79:e9:dd:e0:3d:0a:c9:3d: d5:02:1c:49:4e:bd:26:d9:9b:b0:32:2e:6a:22:b8:70:f5:c6: ed:51:4f:ee:a0:37:29:75:f3:17:5d:35:d2:a6:3b:71:43:8b: 6f:22:9b:1a:7d:a0:c5:f7:7f:7e:24:7a:93:67:b9:0b:4c:84: 61:f2:dd:6d:6f:60:7b:63:56:47:c6:cd:1c:ae:25:18:a9:cf: 21:aa:bc:d5:70:48:75:38:a7:10:5e:bc:bc:a1:e0:27:4f:6c: 18:b4:40:f8:80:01:74:1f:fc:d2:82:58:b3:c4:f3:1c:f1:e5: 66:61:c0:6c:63:4c:3b:b6:61:7a:15:9d:be:75:4b:c3:04:35: a3:a7:03:f9:cc:50:62:d0:38:74:c1:e2:c8:ce:46:1b:76:42: a0:3b:ff:5c:3c:04:c7:73:3d:ab:36:b4:1c:ef:47:7e:99:79: 0c:87:9d:54:c9:45:4a:61:29:43:34:72:4e:a6:d9:24:2c:30: 74:75:3d:16:87:91:03:58:3e:79:3b:f3:d1:8b:6a:10:87:18: 92:c9:0d:e5:aa:63:45:0a:60:83:c2:81:11:38:b6:c3:cd:f8: b0:71:d8:e0:5b:04:c5:57:2a:55:3c:db:3f:82:26:eb:db:09: b7:0b:f2:68:90:34:be:79:41:25:97:9d:d1:97:0e:af:4c:ae: 40:21:61:5e:f3:be:99:da:a3:82:31:98:96:5b:1c:86:20:48: 6b:af:92:df:e7:2d:f5:0d:97:55:04:4b:3d:6f:10:47:98:69: f3:06:8b:a0:9a:88:7c:0a:a2:84:8d:71:4a:5f:23:74:2e:ed: bb:28:32:d2:33:34:ab:77:40:e7:f8:d4:16:fe:b0:73:e4:14: a5:f5:3c:3e:a0:f0:e0:42:1d:cf:c3:c3:f8:bb:07:5a:56:20: 6d:4f:8e:ac:63:f6:3c:fd:f6:11:2b:97:2c:86:66:66:11:16: eb:51:c2:29:06:30:84:ba:e4:81:98:56:68:70:43:31:5d:c2: ef:eb:e6:e5:86:cb:9b:e3:37:8e:a3:fa:ad:46:cd:63:9d:d2: a1:6d:5d:df:65:cf:7c:39:cd:24:ae:86:40:b0:3f:d3:77:1d: 58:54:4a:11:b9:7d:25:c0:88:79:d7:36:c7:aa:2c:d8:3f:db: 86:82:ff:f9:0f:22:d0:5a:71:8c:5b:b2:23:ea:ca:cb:ee:b6: 51:2d:5e:43:da:fd:18:84:47:22:95:31:e0:e5:68:2d:65:6b: 0f:f9:94:40:e8:45:4d:16:d0:6b:ac:57:24:de:e2:c1:eb:99: 65:91:9e:7a:6c:6c:6e:c7:37:ab:2e:4e:80:80:09:60:d5:10: 0b:51:9b:24:7f:20:b2:7d:77:b5:e1:33:a2:2e:c0:7a:62:fb: aa:bc:a8:ba:07:ef:27:c4:69:c0:4b:da:ff:89:80:13:82:1f: 25:59:3b:40:dc:11:f4:5d:de:c5:a4:a0:d5:47:c0:19:ed:1e: d3:67:4a:b0:76:db:85:2d:df:4f:eb:6e:17:ac:9e:cc:67:0d: 74:03:10:5b:88:d3:de:c7:e0:05:55:48:01:bc:be:7a:82:2c: fb:5e:3d:f7:ca:2c:42:20:ed:50:ff:3c:2b:07:c4:8d:d1:13: 57:aa:26:67:83:02:1b:79:88:04:c5:ef:0a:6e:c8:f8:a4:cd: 93:57:bb:4a:39:4b:9e:c1:17:67:54:9f:85:5e:8b:a4:15:f3: 81:ba:2d:85:64:a8:99:ea:11:0c:9b:83:52:80:03:18:c0:1d: 72:9e:d2:0b:d4:8c:e5:59:08:28:a5:cf:8b:46:ef:e9:82:9b: 54:f0:e2:09:70:b4:2d:f4:31:d1:f1:ea:da:57:1c:1b:bb:de: b3:85:47:f4:19:e4:c4:06:85:87:54:23:76:6c:e1:3d:28:c1: c0:25:00:b3:34:d3:51:af:d9:df:0f:8b:b8:b5:6d:c8:53:fe: 8d:59:ba:f1:0e:00:05:4e:bf:51:9b:59:10:59:07:0f:5f:27: 99:9f:7c:6b:a3:14:40:32:da:e4:89:8d:b5:c6:d3:3f:ed:e3: f9:2d:15:ac:d1:a8:11:41:2d:2c:72:ab:a4:d5:f4:9c:ae:d7: af:7d:39:e2:1c:8f:a8:ff:3e:92:7d:e4:76:38:d4:fe:a2:99: 6e:1d:6b:11:70:e3:de:f2:4d:1f:4d:e5:cc:44:43:f8:42:c8: 99:11:c6:29:22:ee:f9:13:d5:08:15:71:fc:0e:ca:82:97:b1: 11:fb:b9:8c:27:3c:be:a4:d7:d8:4f:3c:0d:3c:82:5d:cf:18: 01:09:28:ca:1d:f0:f7:ba:71:80:eb:76:7a:58:e9:91:b8:86: 71:d0:71:d2:13:3c:b7:65:e7:c4:ff:27:f7:2f:f2:3f:24:d5: c6:df:6c:d0:dd:0a:ee:de:4b:16:66:6f:68:ce:94:b1:f9:69: 67:0c:c4:19:20:2c:29:74:f8:a7:e2:00:06:13:c9:2d:1d:4f: 76:74:03:28:46:79:b7:80:b2:da:d2:39:0a:56:47:5f:c3:81: 9a:ee:17:91:0d:49:f4:23:3f:36:db:55:48:d8:16:43:ff:6c: 6f:fa:ca:ac:17:ca:a3:62:4d:de:60:5c:ed:f5:a3:96:33:35: 53:24:06:99:8f:30:d6:a4:b8:07:3d:e1:d9:ca:07:9b:54:70: 50:c6:0e:d2:4b:93:9c:07:16:b7:9e:1e:d7:42:8c:c6:fd:41: cd:aa:4e:fc:2c:11:1a:6e:00:db:5b:25:6e:96:c8:29:43:ac: 68:be:c0:d3:2c:3c:1b:d4:b6:9c:2a:a0:9f:9b:16:a3:2a:dd: ed:00:2c:b9:9d:93:59:65:81:de:a9:a9:b8:96:ac:c4:43:30: 93:21:4c:3c:42:06:8e:ab:fa:37:96:72:c8:ec:22:19:1b:8b: ca:22:73:be:08:df:6a:1d:d7:ef:13:0b:43:ae:fd:a0:d6:a1: 10:8a:f7:5e:13:e5:5d:a1:81:c0:81:06:3f:5f:ea:b3:e1:78: 99:f5:2d:1c:56:0b:df:c3:1d:4e:1f:f6:ea:22:9e:d8:33:13: 2b:bb:e9:3f:b1:17:cf:33:0e:80:85:72:72:72:c0:ad:70:b4: 81:9b:d8:57:d6:a4:9f:f7:92:15:e3:72:d0:ee:22:a1:47:b0: 90:e3:f1:14:b6:99:ff:fc:c3:cb:34:03:f8:00:76:dd:7d:c4: 4d:1d:c2:eb:48:73:4d:41:40:9d:e1:80:5c:37:cc:65:a7:6a: 8a:b0:9a:35:d5:2c:cc:f3:a3:cd:43:f7:e7:5c:46:7a:e1:5f: b2:a0:93:d7:00:ca:9e:3a:15:4c:61:ab:fc:62:e4:39:79:d6: 22:2a:d9:7e:8f:a4:65:1a:e9:1d:89:2b:9c:ef:d7:3f:36:fc: 93:9c:ec:e5:a6:93:ce:ec:32:91:48:46:b0:0a:b2:e3:33:19: df:a1:fb:78:20:e3:13:54:13:f3:fb:8a:5a:f2:9e:ba:34:e1: fe:eb:58:e2:c4:af:b6:63:56:32:42:cf:e3:7d:c5:f0:d5:6f: f6:64:53:40:17:c0:88:f0:54:8d:9c:05:8d:52:39:63:68:23: 86:86:91:34:f2:9c:a4:dd:17:ba:26:5a:7f:73:77:19:5b:93: 5a:2c:89:07:5f:27:45:2b:aa:86:1a:98:98:59:2a:46:c8:8e: 4f:75:30:dc:3a:e9:f6:1f:c0:33:ef:0a:13:30:5c:32:45:88: 19:67:4e:4d:a8:f1:fa:89:b0:ef:e4:42:3e:26:60:80:93:21: 7b:46:b9:f4:6c:be:9f:c6:7f:c6:49:c9:e1:49:c8:2d:07:36: 93:69:14:18:e3:fb:3b:6b:79:37:00:bd:f2:e1:f6:06:7b:2c: 07:ea:86:e2:1e:62:64:48:43:59:7d:2f:fd:24:c8:a1:4f:94: ac:8d:1e:7d:15:a1:32:01:25:ba:3f:35:d6:16:57:24:28:f6: 68:35:d3:80:21:cc:91:76:bd:15:7f:a1:42:6b:8e:a5:90:7b: fa:5d:01:7a:2e:02:21:b4:31:f9:2c:40:88:34:75:01:cb:83: 39:1b:3c:38:a2:c2:5d:33:e3:83:55:7f:fa:f0:d7:cf:c9:64: 9f:06:39:b2:18:f3:41:81:60:ff:50:5d:50:12:37:0e:82:c0: da:2f:6a:f8:fc:16:5f:bb:22:29:83:14:46:a4:01:ca:f8:d8: 2c:79:ed:cf:40:37:46:a8:48:7f:66:7d:0e:a0:ff:2f:07:c0: a3:58:ec:2c:3a:27:33:e3:3f:52:ac:94:99:10:2b:15:84:11: e9:71:c0:35:c3:79:f7:25:bf:f3:5b:42:46:17:44:5d:c1:c4: ac:fc:01:60:6a:69:5d:cc:65:08:e0:31:c0:db:01:ed:78:70: 18:1b:93:af:f7:b1:2c:0b:1f:b5:68:96:b8:f9:69:9f:e5:e6: 35:cb:bc:06:65:64:11:d5:ab:d4:e6:d3:79:31:a1:b0:e2:d3: 80:78:c2:f6:87:74:e3:34:48:ab:8b:5e:30:52:d6:3b:02:72: cd:3e:a4:f9:da:ca:6d:da:6c:59:07:39:73:da:08:f0:d0:3c: 9d:f9:52:83:77:60:67:58:9f:67:11:24:13:f4:86:86:8d:29: 89:c5:4e:86:22:12:86:11:94:0e:f4:c6:26:3e:0f:8e:06:8d: 5a:60:30:d0:a9:a8:bf:76:3f:88:34:79:a8:da:78:1b:71:9f: 8c:33:59:8d:fb:6b:cf:96:45:4f:be:54:e5:15:c6:d3:9b:7d: ea:d9:61:53:75:91:3d:c5:10:7d:a2:5d:00:cd:4a:77:ba:96: 6c:51:57:a4:68:75:43:27:ec:0b:49:4a:4d:25:c9:38:fd:cc: 33:1b:da:70:bf:1b:c3:d4:59:dd:8a:05:fe:87:c5:8e:59:16: ef:33:4b:88:14:f4:8e:3f:65:43:eb:ea:a3:9c:5c:eb:dc:81: d7:df:7b:a5:1e:4d:84:5c:cd:31:e2:02:a6:37:cf:81:4f:b5: 91:41:87:04:92:f3:c1:5d:62:2e:52:f1:86:ae:8d:13:bf:b6: c7:56:36:ef:e6:97:b6:05:cc:39:db:49:af:b5:3e:ec:ca:37: 2e:a4:51:c6:d7:03:2d:c8:69:3b:58:f7:91:ed:d4:88:0e:9c: 05:7f:fe:8c:5f:0c:18:31:39:4b:ad:3c:25:4d:26:24:42:45: 99:18:df:0e:ac:93:47:0b:47:60:58:53:63:0f:0b:b0:67:a5: 07:12:ca:a1:64:e9:a3:be:16:de:f6:70:8e:23:8d:61:d7:8d: 4b:31:6f:79:48:8c:b0:be:01:48:f2:4e:3d:2a:4f:e0:55:90: 72:3e:d3:0c:5c:f7:f8:15:45:e4:10:df:ad:9c:d0:23:c3:bb: a3:52:70:08:e2:fa:ae:ba:b0:74:35:dd:a6:4b:fb:9a:b7:3c: 28:17:87:08:70:47:42:5e:58:3a:a6:84:ac:94:34:41:5c:3c: d1:ac:0a:b4:bf:a1:c6:da:c2:59:a3:22:cc:a6:e3:e9:d5:92: 15:80:bb:2e:24:91:d3:8a:02:13:e5:51:05:f5:55:4a:78:41: d5:e7:62:1d:b7:d5:1f:e5:34:f7:b1:ae:c6:0f:ec:38:c2:a8: 23:8e:ff:5d:b6:87:8a:4f:bf:77:d6:c1:ae:a1:c8:88:d5:66: e1:77:06:ca:91:10:db:14:20:4c:a0:8f:d8:8b:1b:71:66:b8: 96:09:08:6a:ec:df:c1:4b:d6:91:03:8c:66:e2:c8:1d:c9:0e: f3:99:3e:0a:b4:60:83:8a:bc:3d:ca:19:00:b3:fd:b0:5e:84: 61:b7:23:04:db:64:35:06:9a:ab:4a:03:47:a2:79:6c:d8:0b: 9e:c9:77:bb:47:5e:db:66:e4:f3:33:eb:8c:e2:49:a4:d6:a1: c9:61:97:4a:e6:3a:ab:16:64:b3:df:16:5a:de:e5:f9:ba:5d: 7d:eb:04:f5:f4:f0:f0:7d:e4:1a:74:fc:7d:03:16:a4:ca:f6: e0:05:95:e0:fa:9d:80:07:58:b4:12:5e:34:43:04:ad:90:9f: 3f:be:31:ca:3d:d3:c9:d0:b7:91:c7:5c:d0:2b:81:73:34:bf: ca:a5:6e:23:4f:b3:f3:b4:bf:03:f4:bd:af:fd:d7:09:8b:65: a3:0c:76:dc:1e:7c:97:d2:be:85:d4:65:6d:f9:3d:6e:ae:6c: 57:f4:10:40:21:d6:04:2d:9b:9b:e5:95:90:9c:52:a8:ad:61: 8b:cd:b0:12:c1:13:26:c3:4d:8e:22:82:82:9b:fe:6d:01:e7: 3c:65:79:b4:79:9f:9e:b0:10:dd:5e:6a:57:43:8c:6b:41:d5: e6:ab:94:ba:c7:67:a5:b4:41:d8:10:0c:fd:29:77:e2:0b:cd: 29:80:2e:ae:5e:a5:85:a3:a2:09:31:51:82:98:0b:2c:7a:6b: 96:ef:8d:c0:f5:1f:98:b4:f6:22:b6:21:6e:36:e3:bb:18:da:1d:24:46:0d:65:28:b6:6a ]]></artwork>1d:24:46:0d:65:28:b6:6a]]></artwork> <artwork><![CDATA[ -----BEGIN CERTIFICATE----- MIIgLTCCAWegAwIBAgIUQ4VjomkBmSw5z7xAVxtfo8zHiEUwCwYJYIZIAWUDBAMU MEIxCzAJBgNVBAYTAkZSMQ4wDAYDVQQHDAVQYXJpczEjMCEGA1UECgwaQm9ndXMg U0xILURTQS1TSEEyLTEyOHMgQ0EwHhcNMjQxMDE2MTM0MjEyWhcNMzQxMDE0MTM0 MjEyWjBCMQswCQYDVQQGEwJGUjEOMAwGA1UEBwwFUGFyaXMxIzAhBgNVBAoMGkJv Z3VzIFNMSC1EU0EtU0hBMi0xMjhzIENBMDAwCwYJYIZIAWUDBAMUAyEAK4EJ7Hd8 qk4fAkzPz5SX2ZGAUJKA9CVq8rB6+AKJtJSjYzBhMB0GA1UdDgQWBBTNWTaq/sQR x6RyaT8L6LOLIXsZ7TAfBgNVHSMEGDAWgBTNWTaq/sQRx6RyaT8L6LOLIXsZ7TAP BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjALBglghkgBZQMEAxQDgh6x AKqgUd6wwxTQzfsSRqIxIMntqz/cV6X7RfbwO3/jWoy1hx4fCxWfqlZoQ37qIwUh 0TPLhGFVfjl0GDzqjgGkjZr7NXRpyWI1fw40ARyQQZcT/8WkZa4Pv5sy0iosl4Yt Seu6rppw5zVnPwp+Ot0LZk74RbLm2HCr+3Jg64WuYjykvzx65d1KJOJO0LU7w6zp JvhsyjvhRhV/GMVBQJBzuRljhiM6sn8SOl+7wxBsTrJi7jtLxeJpJHQ+boHiaEjI JyW8sqzaqK51WlwJIhy+lQoLXgwISUI6DS37iTuzFd7u57JeH6bwSvZlwV1eBXpt KufCwyA3zqsPbOrJOfMo0XWBMX8B4gnIVoFQz076ghpgPoe/YcqgQCeVv/hPBLH9 H3/OKfoVXO+UmvbwDH8Jf+y2NiaDaaotaZ4XehWqm1FDwZB8yWk6WrHud8ko5yHY kwqAGZxet2FfFGyaACKqTbiGA7WDSunzWnbMozvkE5T3VpZWM90Z2T2NVauZ5QAk 9//07ghHjUOz9OM61RLvBACZYqFezV+fkPPCjjWbikbsVE4TIFlfY9lhseLENtLl J1YfU1mcJOxqeSsdavKTONjres3XisiY1Idhv3k8KmRCD1sVtL3Ax8TeIEy72A9h Lqpn4af/DbfdBc9cywxGJuDZSMtFdieIUUnfTBZljBqEggnz1O7EKhepe8B3JP1P AJgS7RDnZ8N9VHgPyGd/9PKAKxs0DPpfxBKFHF/mhI3OEueu9e/rll9ib4c6NWfK 2K21VQsNBpHTnRqWLmfYsQ6PBz971v61dmIZg/bSCDU7nx0K9xTSRVBwXJHMtQ9L 73nv08e9Anr6i4PNMQew94p5xGgZ3gH4cxptisdUyEuaQFPjS+S9OlJQxt7eGdee qIhw8XCmEVWwRl5AN7KQXJF2vSAdJNtxM4G4R+/sfnjSJStL4m4BgdQS/0D/4NeQ KYWA5kr1WzJstwUcICfgmFeA56KXy5HO2cGjX9wkf7j1XNqRg+WujGVzhGpbyT+X UX3MP9Y54XHxVI0fTzNwzAf4A3C+jIHhXXPBnL58PWnAzHKQz2U4NXEWrh3ipgjI e93AMPS0KkX8BeYc76/zUwMvdrV78al9FjOxtcJPm1V7DSL2CEs4smdO2fjxZQPW Wh8fi8vaePx7UqXXGzWyzQZ+Hh2LYECRdC+RycbHxAH1LxDC6quE9vYu/HfBhSiQ pRHc7Qd4wnScYIZpQDwXmzrl6GUiwn/ZiL5DajGQ1SM365Nw5Lw0lE+vpMFv8zAb xuH18dh7pE5uab6C0ICorplE4db6ReUFpVIKXWAXOh4u3S60hpMxkw/KXwVSjjEV 6IswiDPX2pFSQDzXGLxyjYiyZcX+CnxQRH4PtlJTiyj8W/qTVDbK4cFrf0YT3gV9 vjONZ1K6ba9L7gELx1YhfRa9GYOQyBRRi/uDwaXKaVqu2fGn3PdTn/ajQ5T7OIYf Kg9Qz428NlHOjq+A/rWA+ENz6jrXoqS2czpaa0inMaPTQjr8LrAp0meKmtEmlQgL YT9x7rGW9EkM1ztQYWwVyjEx3A382F+hJtPiQ80TOUpQLWRXvwKoXFRK1DdF8gn9 z1NnGemSpM0bggksTSkwgMEji8ocOMYRj6I8LH+GJcn+oxr8gqtp6bU3sQ6amRDN p7ZSn8bkbgjxkM0UuMLgqVguikxS39XuilfOglemiQ90IEwiHQLJBFJoePNZycNg hZIBMHWg6ykrZlW3SErfj7rfqLzZRVzrBKjDlLa7HQUZSJuujWMtutbTXuV6QLYF dKGwerfXtGfW1qz1BW9TRabt4AyzDDLGiftCexF0lCXcAXy7Tk9Pl1QosPtIZoc6 0NoYv6oTDGrTxz4RJkPoQLNXKQBwAK9YsHWDnrlLWznxfz+JjR0LGnhN5YzmB4Z1 IxsUH80ETZjRzfVPHQBV+/jHkvXuXsXzJIQi7hFIkUtR94eonKCaSLyT9Twcftms FRwft/m5Zp/05VhK+X5cP6NaIFS+V3R0ZYAN9DCpDVPmcVL5fvQCJOW0IQu8Ey5n AL1kVIuCtGT4Ukay8jddMkmKvhlOIafMmhkpyVeq/ttK7+ChBhpfWEyXrv6sFqDj p2Dvtr+AZzXIbP4RFhi9BJAytnVkE1WyLsbfL7c11jzxq0we2sJP/CTyks5k3e9w eq4mBwFhn+Yu/uQ1jNXu4r79O4/E3FxQTFouqhTEDrWBE1XQhYEWPc4D8CslObb5 zv/A9U13YIYDJf/dV8v9KP3ijrt8+0lGnCwONHTP0rhFvv3BKmuOMEjDp0FnBHho nYEcNfSTWh9Hqzo0Xk4tQyv0UrxYNFIVUzYZybC8V3yVs4bufmifc7IJME/4kK4L jfT00Ucb6NEDhZItimCrMPPqJl436ZC2LfYIH7z9E1r9qSl8q1gQ2W07J3Ux9HSo 6HAAo2PxjLSXIivQ+OCybk9KltXwPf5z4ci6+6iWvwHCY3D63ZflyY8ABF36wDlo uuXcqns9vSWqQ+ICoVcreHSA+NbqokR/HjVGy30vg9x6JYfgJ87fEhWDtiYq+U4i GMppfeNohghA+kUbpT1joaoZyoM9LksTTVgmYvLvPGsTzJmVIcLH9a8I76AhGkvp 9BxNRnKIIouqtdz+O+aNuVGNRfRwE2iiKwqcghZk/DpaKhmm/pI0ZeJqnKWTJCG0 tlC4BDECHN9PuJy2OxlmJqrAM/2b+wIvyAeMH2aK9vPFC3TOdcSUNIBgU8FCCS0h +yW0/8EAMPHIrc5ixh3XlMwPeyoAvrPzyD/liK9tGZAxcZbWjFs0uIW1QvL7F6CD u2phhvDvH9vOAC+Qqu4Hl1lWhZYcl2vK1H2avdwBUt0cvIJegQiRNoV/PhJjWaoD ELMDLa0XfWGR1uG5LjlUJ4qkkYe6M1QoUg1G8OdjQG0VdhFRKBtflOowbwA0pthC xDKgNhtVBJCHji4ER/ElyPvUWHk2XLmBGMX/Fqv+uAEK+0qTPZvFgtUfv5Xqqjbv xfjYq/fKyEncMPs0nYHifGwGeDSpqkR0n0KlxZGfQcTxeX4NzTbVITJdgk2zgA1y GasqDt70Is5It7JEAvGZsb953UkLvz74uaXjKI2PibPYvJfLLvjAj/AQzQAv37y7 q+B33tlEF45w8AfhncWl+5HuPe70mJ1nEAQ6pvID/OgFU+4AKTyE/zX035N0ghbs WCVDgQGyaNKnUe2X7cIGHuuNdc8RMLD3D8HSwfFDXUJw+sH5KuuirwAHy5nKy5pQ hcNjdtOt9e/U8Ml1pEuISzKBw0OXv6gLwFojtChGTARwNoju6/UmspkFzGsKDvkG c/3DvjfHJikRYtQg4AbyaMNX27+F5i/L8YGWiHCeompCAvx5kPbJsPuzbqVoxO67 jIdsgSAVqH8buvcusvdfo8ADRM7iJ/IE0MCyfb6zEU7pd3y+g5QDE3UvxNSK6byj +m1ccvpihhfi25eIymxMrWgrV8/1tpIuAi6C0VyfO47p5Y12fGWdV+Ur38nKsYzs hucJld5zV07sr2JHRXnG/Qky2Vtz3mdEOSij/x2PImEESIT78EQEDwEbrb+f/zQs gz3WhTybgu9Hx6ui4p6scevWXqfY4HlTOSkVDqa5VjmTFn8KSABtNgoqShHvgNdD xPAG4qJJmuYtxf1GlqiDRSK1x1Xczz+EjgtpfNzgMBofphTWQtMPkUtsPy/5ZCW7 5IO5RICzbMfyPlijYXoaBGHYooznQ9fr9JBIkDDcwVWz60toCa9iedf2CWGJt2s3 PglO1dfjBbFL8OUfaz7wa+sqjR2u9ofGcPJ0+pJGHdZ+1qsa094Rcb7woeMFgk46 oS7SK8SSDqNwED/fxMxSl/dMplp7zOh0WkcSQnPYWwl+MaloM3f20XJyoyLi2W7F /PIw1YXFwlB5EKafFVAxpIfXy9q5Xzer/n8JJeXDHsDWeCCgISAQbzzQvUb+vK3f JSeN9A0MTbIwsXCOqiWfgLlgt3myJb6l3+7tjKyHyWk/6uXPTdFEc3+nTptpZN/a ildTEQ5U/a/KTG3grVYff8UHAIvkswlTr6Tb4aHE4cDWcNQt6NS9OJTHkzlkcVBt pTB9/h5h0KEmu2r4MmMFN2W7I5cGE8bWRrWD/dObo5TsZ46cu56vC9/oKO1F/6SM 2fnjMN0g8j2tT9C5Kxe/0EqOA42iHxb6/ofrPFd9+Hj5LXTUgthT4JG2g29zecrZ yoPthHUQ4F76pw+hm2ch0JqwkINoPJmXaUIRLFG5b1wDHy7ueLc6FNvYnRdpmq2e gNXX3v47GO6mfZ87bzBndKH0//toreTsj39bAkZiJhBqiLGnidGHAKSVhJaetB+/ 8W9ntj/VwlwfQRDNBqXo/uIeUuNcRrnE6RiqeOBLeIJ4rD1Z/SRARAHWrWuHvRGh wb3yqcy+rgVSe72GY9aevVI8Jdyku3O8DAQEwQzpbtEmw1CsmPtLScVp7dgwu3zS btN2WhMMgijPQFwOFiTogl0q8IeJI5ktfmqFod2reBvmz3a8/iayJqWn4dREo/8g rYRzWyayOhXJxAKd+7Irz7Xyo36Z3vnZk/eLFuMET8S8TWebP7oteXpH8erYNs9d 6/ezrgzgYvj2LNApkYr6aL8gV+95DXFi96clx3fyA0gtlXN7usD1Ynu7DQa2iHSk tH5IuaZtkng9h05oRNZFI8l7BAJ+x0B/oEH8JI7lQxn0ZbKl53MnA7RSDt4zEmLt tsMrGc2gaQvLY+uFg6EWqStywefGY3+kQW4ZYTt4uttqGFz0sV2lXd84/V+Az8/w leGxvHouLP8EAF7HeRxH4KdX3hvmaRN6O8+g2GkW8p5F5rF9n/dHJdkfUApu3dpT 4E1SkTOHij8373rrGpigVeD55fIDH+Lr5TBsDEt1pM9Ah9owSSXhJf04zkQg43V/ JSt73bIC1+IPlqS7zwzfFudbkUYxvE0YtsozoVvmcJUDQHmpEqkdCeg419R9w6gl bMKqC3gZWxbLiiRPsnrKh2iFmyIXUOr9KK5F97a6dt5Jzp+kSLG78br4iI4UHi8t U3m/Mg78GSCxuhJoXYzYPDzWY4oui+R8dQUnqOngW76Hd9WziHTbzV9ZEFycROHU fb827Ptwlb+nG9mo7v3XkU1ysdFyhwsCWCIjy7FyNgRHM6Y5mTT6c2rhuSEXegRb I2Rln78U5o1OcBueGa+bmD5vEy41pZCnxiSKttAKoWDrQM97xQOH4qd2ihBbTnXB Pq03Hv9GWaixbsT+ZYFhZ22DUZ8iWB+i4Tnd1DN0IpDLk79lplqNktuemmAell9d ZhO484L7E1rqPOkfXde0fxiZONMeSYMmqOzAE5ivos8tKkpKfjL8ILWEwC/WDEBa rTTb/NXzjF7OzRX7aNRgxA76nPF+C8KVz+Efa0u0i30bBUWOZWLYJE/JMfWeGzrT zUcFk+CRiZ9+h1CpCkso3wBVAX9Y9tSKF8JgGlYqSZyNESV+QudgkCD3PhIle4IF SdUviM9z2wl+D/F9xqQP3D1fJaQr4XR9cFqltGdsZnTEhgEwr9Xp+klyODsAld77 xq7uyNCvshSPndoyX57nhXapGnzTaYsCSzz/UTuggGnwlQEQrrqUqVnOoJCvjfXb RWMLT4r7ltsmZtq44s9+FUfIEANGjDu/Rgwp5n2AQjrCjTi0SC0slqE3cROccgAC /6R5/3RaMbqmOiQIv45BtEhvvEOFMX25ygZgdvun0aOvrdCnywcCCLq3zqsGVihd MXks2xBSVUxlUxDOHl8O5RUlxOB4EjzSDInzYN3x74vsfoqbLFibH3vw091H10lf EfrtenIchGwGD3ZEqOYvJBs/ZkY858Z/4wYbXnzm1mcINPNkLP0wndjidRSVkdAP TNnwlUNCshXbTz0Vy2BsIvj74MRDHNBxnRCb9nbD1Ojx2GKzs4/04mml/eMKI+ZO mw+lLKEJAc4nJpSnkMDoDoKYQ0SHnTRXc7W3Nfqjr0fPCUgnedPGGwR6CN+meA9q LlzlxqYWrE9NbQbWRd5oOizyIjJhjObQ5WKpSf66hq3Lxr4pawtLzUxZTr0XbJvJ 1tnNn6oBjMmj3a9rX+n1GCRtkOEUnlaGBC47okIh+AruBXExVfdWmV9yGIci/21P fMLCMoRdTB3aWRJxSJg3aMhsFIy2jNRJ5fYrDwSsZhv3xNAYbeNdEk2dNMZMNs+W K12u17F0yfBEtvDGRTJOt0JC0/m1w1FUPrhKcA6CLjkHvGapkZND8n/tpGHyNfrg n4YAyYdbaX47+NH653jm0EYn1YDUNA+PvxwnR2A/p7XE7bPCFTc3s4vRwacbRyRz ziJ02vvIP6FlTXln0YrbcXnUXX2hrgWTeDGY0/bMo0KT4REGUSw8TLdrXQf6qAhy TJomC68oHHBVsR3Igpg9pbRi/3cHE4SwEH7zMzchQS7NO9pO5vqtP+7zBTmNZSDc lEmY5OmhJrM6PclpH+ScKX0bkQJwJ4t33xh+UFBYBhv8N2tMAHHq7oJM4oukp4H4 h1cHUNnQv/SFx0+bz+RR7tFrCqOneal/5Grrg1mC+OUyxmuTVxhh54mx/6f3MYtU Md8wyAsvflxNHZnizWGXtSgUNj82DrQnOMhhaOCVjSY81INdlp+mN5ZZ2xCkX5C2 RPF+bIZEJUAK/O/XXJe6G0yVnuOekLkCWDAdYLeUMPV4taTqN4J69XNsDdOBynLM jM2/b/p/yzknGlmacVHY87NA09pmg/TylKWPtaB/csLI5xtBNv77bYHYq4ozQRi/ QskaiiL6JZ7gt0VG7qs7VzqPZJZReh9mlflSlUB3UWn1br08l5VTkAmw/F+MytUt QKspwiExgHW5DMlXRvl+4fyVY8GRrRCQry2ihQJV0aEQdtskrDcdNb+KCSkht9rV Jm0Abnc/ZOCIawk36YL4x628BeoddaS6w9T7Q66ZKDoZ/YRTS4SKs3aupt2pu/5W wn0UBWI6pK99O82AxN2HWFQhniHyYKNCpt5VMY7JfAGu/YdnUkO6eqTuI59vClLb OBJBGMQtSoWENlmmI544jlHCiCOFOtxgUlZ5mYSwpamzG6wnyF1Ngo087ueExw1y rIDIglW7BXseM/SjDDlbK+2k9s+lFY9YvqC7mzUnzHt4qu6rD/reqruVlDe2RP8h 4WRBc0Yi2bCJYSS0UwGZF0t56d3gPQrJPdUCHElOvSbZm7AyLmoiuHD1xu1RT+6g Nyl18xddNdKmO3FDi28imxp9oMX3f34kepNnuQtMhGHy3W1vYHtjVkfGzRyuJRip zyGqvNVwSHU4pxBevLyh4CdPbBi0QPiAAXQf/NKCWLPE8xzx5WZhwGxjTDu2YXoV nb51S8MENaOnA/nMUGLQOHTB4sjORht2QqA7/1w8BMdzPas2tBzvR36ZeQyHnVTJ RUphKUM0ck6m2SQsMHR1PRaHkQNYPnk789GLahCHGJLJDeWqY0UKYIPCgRE4tsPN +LBx2OBbBMVXKlU82z+CJuvbCbcL8miQNL55QSWXndGXDq9MrkAhYV7zvpnao4Ix mJZbHIYgSGuvkt/nLfUNl1UESz1vEEeYafMGi6CaiHwKooSNcUpfI3Qu7bsoMtIz NKt3QOf41Bb+sHPkFKX1PD6g8OBCHc/Dw/i7B1pWIG1Pjqxj9jz99hErlyyGZmYR FutRwikGMIS65IGYVmhwQzFdwu/r5uWGy5vjN46j+q1GzWOd0qFtXd9lz3w5zSSu hkCwP9N3HVhUShG5fSXAiHnXNseqLNg/24aC//kPItBacYxbsiPqysvutlEtXkPa /RiERyKVMeDlaC1law/5lEDoRU0W0GusVyTe4sHrmWWRnnpsbG7HN6suToCACWDV EAtRmyR/ILJ9d7XhM6IuwHpi+6q8qLoH7yfEacBL2v+JgBOCHyVZO0DcEfRd3sWk oNVHwBntHtNnSrB224Ut30/rbhesnsxnDXQDEFuI097H4AVVSAG8vnqCLPtePffK LEIg7VD/PCsHxI3RE1eqJmeDAht5iATF7wpuyPikzZNXu0o5S57BF2dUn4Vei6QV 84G6LYVkqJnqEQybg1KAAxjAHXKe0gvUjOVZCCilz4tG7+mCm1Tw4glwtC30MdHx 6tpXHBu73rOFR/QZ5MQGhYdUI3Zs4T0owcAlALM001Gv2d8Pi7i1bchT/o1ZuvEO AAVOv1GbWRBZBw9fJ5mffGujFEAy2uSJjbXG0z/t4/ktFazRqBFBLSxyq6TV9Jyu 1699OeIcj6j/PpJ95HY41P6imW4daxFw497yTR9N5cxEQ/hCyJkRxiki7vkT1QgV cfwOyoKXsRH7uYwnPL6k19hPPA08gl3PGAEJKMod8Pe6cYDrdnpY6ZG4hnHQcdIT PLdl58T/J/cv8j8k1cbfbNDdCu7eSxZmb2jOlLH5aWcMxBkgLCl0+KfiAAYTyS0d T3Z0AyhGebeAstrSOQpWR1/DgZruF5ENSfQjPzbbVUjYFkP/bG/6yqwXyqNiTd5g XO31o5YzNVMkBpmPMNakuAc94dnKB5tUcFDGDtJLk5wHFreeHtdCjMb9Qc2qTvws ERpuANtbJW6WyClDrGi+wNMsPBvUtpwqoJ+bFqMq3e0ALLmdk1llgd6pqbiWrMRD MJMhTDxCBo6r+jeWcsjsIhkbi8oic74I32od1+8TC0Ou/aDWoRCK914T5V2hgcCB Bj9f6rPheJn1LRxWC9/DHU4f9uointgzEyu76T+xF88zDoCFcnJywK1wtIGb2FfW pJ/3khXjctDuIqFHsJDj8RS2mf/8w8s0A/gAdt19xE0dwutIc01BQJ3hgFw3zGWn aoqwmjXVLMzzo81D9+dcRnrhX7Kgk9cAyp46FUxhq/xi5Dl51iIq2X6PpGUa6R2J K5zv1z82/JOc7OWmk87sMpFIRrAKsuMzGd+h+3gg4xNUE/P7ilrynro04f7rWOLE r7ZjVjJCz+N9xfDVb/ZkU0AXwIjwVI2cBY1SOWNoI4aGkTTynKTdF7omWn9zdxlb k1osiQdfJ0UrqoYamJhZKkbIjk91MNw66fYfwDPvChMwXDJFiBlnTk2o8fqJsO/k Qj4mYICTIXtGufRsvp/Gf8ZJyeFJyC0HNpNpFBjj+ztreTcAvfLh9gZ7LAfqhuIe YmRIQ1l9L/0kyKFPlKyNHn0VoTIBJbo/NdYWVyQo9mg104AhzJF2vRV/oUJrjqWQ e/pdAXouAiG0MfksQIg0dQHLgzkbPDiiwl0z44NVf/rw18/JZJ8GObIY80GBYP9Q XVASNw6CwNovavj8Fl+7IimDFEakAcr42Cx57c9AN0aoSH9mfQ6g/y8HwKNY7Cw6 JzPjP1KslJkQKxWEEelxwDXDefclv/NbQkYXRF3BxKz8AWBqaV3MZQjgMcDbAe14 cBgbk6/3sSwLH7Volrj5aZ/l5jXLvAZlZBHVq9Tm03kxobDi04B4wvaHdOM0SKuL XjBS1jsCcs0+pPnaym3abFkHOXPaCPDQPJ35UoN3YGdYn2cRJBP0hoaNKYnFToYi EoYRlA70xiY+D44GjVpgMNCpqL92P4g0eajaeBtxn4wzWY37a8+WRU++VOUVxtOb ferZYVN1kT3FEH2iXQDNSne6lmxRV6RodUMn7AtJSk0lyTj9zDMb2nC/G8PUWd2K Bf6HxY5ZFu8zS4gU9I4/ZUPr6qOcXOvcgdffe6UeTYRczTHiAqY3z4FPtZFBhwSS 88FdYi5S8YaujRO/tsdWNu/ml7YFzDnbSa+1PuzKNy6kUcbXAy3IaTtY95Ht1IgO nAV//oxfDBgxOUutPCVNJiRCRZkY3w6sk0cLR2BYU2MPC7BnpQcSyqFk6aO+Ft72 cI4jjWHXjUsxb3lIjLC+AUjyTj0qT+BVkHI+0wxc9/gVReQQ362c0CPDu6NScAji +q66sHQ13aZL+5q3PCgXhwhwR0JeWDqmhKyUNEFcPNGsCrS/ocbawlmjIsym4+nV khWAuy4kkdOKAhPlUQX1VUp4QdXnYh231R/lNPexrsYP7DjCqCOO/122h4pPv3fW wa6hyIjVZuF3BsqRENsUIEygj9iLG3FmuJYJCGrs38FL1pEDjGbiyB3JDvOZPgq0 YIOKvD3KGQCz/bBehGG3IwTbZDUGmqtKA0eieWzYC57Jd7tHXttm5PMz64ziSaTW oclhl0rmOqsWZLPfFlre5fm6XX3rBPX08PB95Bp0/H0DFqTK9uAFleD6nYAHWLQS XjRDBK2Qnz++Mco908nQt5HHXNArgXM0v8qlbiNPs/O0vwP0va/91wmLZaMMdtwe fJfSvoXUZW35PW6ubFf0EEAh1gQtm5vllZCcUqitYYvNsBLBEybDTY4igoKb/m0B 5zxlebR5n56wEN1ealdDjGtB1earlLrHZ6W0QdgQDP0pd+ILzSmALq5epYWjogkx UYKYCyx6a5bvjcD1H5i09iK2IW4247sY2h0kRg1lKLZq -----ENDCERTIFICATE----- ]]></artwork>CERTIFICATE-----]]></artwork> </section> </section> <section numbered="false" anchor="acknowledgments"> <name>Acknowledgments</name> <t>Much of the structure and text of this document is based on <xref target="RFC8410"/> and <xreftarget="I-D.ietf-lamps-dilithium-certificates"/>.target="RFC9881"/>. The remainder comes from <xreftarget="I-D.ietf-lamps-cms-sphincs-plus"/>.target="RFC9814"/>. Thanks to the authors of thoseauthors,documents, and the ones they based their work on, for making our work easier. "Copying always makes things easier and less error prone"-<xref target="RFC8411"/>. Thanks toSean Turner<contact fullname="Sean Turner"/> for helpful text and toMarkku-Juhani<contact fullname="Markku-Juhani O.SaarinenSaarinen"/> for side-channel clarifications.</t> </section> </back> <!--##markdown-source: H4sIAAAAAAAAA9y96XYTW5o2+F9XEUWuVQfq2CbmQVmZlfIAGPCAbcb8snPF aAtkySjkCc6pa+nffRndN9bP++wd0g5JNj6G6v5IkuTYUuzp3e88xerqamfS nwzKrvVgezgpx8NyYr1bC+zE2j/PBv3celFeW9vDapzWk/F5Pjkf49He4Hg0 7k9OTq3tohxO+lW/HNdWNRpbhy+frW4e9h500iwblxeYVX/Cbznxg06eTkpM cN216knRqSfpsPhnOhgNMTPWKK0/WUcn/doalJPaOq+tYmRV6TC/ttLzyWj1 uByW43TSHw2tUWWNy6ocl8O8rDv9szHH1xPXthPb7XSKUT5MTzFrMU6ryWq/ nFSrg/T0rF69wj5W68FJUaerdtKpz7PTfl1jzsn1GZ7f3jp60sHmvU46LlNs s8w7l6Pxp+Px6Pysa73s7ewfWqvWy/5pf1IWVq8o+rKhdGDtlPlJOuzXpwoc +y+231k4nnW4s72z1flUXmOaotvBYA0X/rj/bHt34/BX+Xn/lXXYPx6mAuha Pjgb1ZPVz+fpcHJ+qgDYuSiH5yUmscz94Fe1+bfYaH94bD2VL/Hpadof4Ahn aX36NwHB2mh8jI/TcX6C6zmZTM7q7uPH8pR81L8o15qnHssHj7Px6LIuH3OC xw9kVdz8eYaxhOJJVj9W8DWA+qDTwWWdjMbdzipGWFZ/WHetF2vWelqf9Md9 fqbu5kV6UZ60PsfKXWv9cJu/lGr7n+SptUw9xQ3+7Vi+WctHp+YSh2vWk8H5 ybgcG0sc5qPJpPU5l9jo1/nIOryuJ+VpbS5WV+rRv+XyxJIlnqZfivTYXGFS AkVXX55/SmvzW64DjD1Praen2TNzEXUGPrpWlOYCm2vWm3RoPS3LemKssQm8 KgdzX6mDjK/PJqPd8mpiHZb5OSjz2lyp4MC1i3R4LOP+lvPxIR5frfXjS874 YnRe94t+3TplejEe1e2vlt6WfmD+ojrD0fgUtHtB7H2yvX/o2kGXIyfp+Lic dK0GH4tRnyjo2Guh7caPd7cPj9ZkxBqGqBGabWFXk3JQ1rX1DOixCkwCSW72 gaWgxyktyeaHRTouHnBwg53y86o6w26qaXh7WGPu80kpDKYZVpOMj0Dew9Fg dHxtPZQdPeIEBTbQtVzb9VfteNXx+GFdjvtl3R9WI7WKZT2Q7Vv7r9cfYNc4 hezkXRjbywFweXm5hl2s9YeTx+Myf3y0erC1sfpuDQPM4/9VTw4WrWALvjiZ 7XLV6mVg3GkO1LgeTtIra3c0UU/tDUvrYe9wd8151Ozw8KzMwczzKXsFwUEE DPWQ9mGdVfDYRVgqYG4fvV49ugEO/M46KIERpyWAK1N3rdnJ8MTh3uPtrY2u FceAqdOV1Qis5I8CK/mfAxZ/syB7RoWw2/E5cLC7CMJ1gnCreexAHrMerm8d PFrRE22kw9EQIwYLT23gKeLdZh8oOTw+79cnQO75xzbx2P/03STL7iaY3c3G 4d7B8rvJ63G+BpE4WTseXTw+G48+lvmkfowVzkBj4ykPWh1l/GZ1XB7j6XL8 OG3UDP3ReIaF+kI39CRTvmftqUlwBDXJAhQaZvbHyF0PJXMUwl9C967d6fQb xFIcTp5c3X+18YcAYwr8VcWrj8fp2cm1efB9eeiV1go2jIesfTXPknPfi8+1 DuqEq44rB8V97+zj97i7BMsIpJdrwGtcwGA4uui3AP8yBTseTua/1uN6K9ZO Ogayl4NBe1wP4mv+Oz3oaA3HbkRi8/zRyegU0nj2hTrFL7LtX25A/5clNVyh exBWf2ggWN4XNbNrXYwGlmNHcaiH4HoJ/tbM1s0X1LXOztYsJwTtxP5SvBj0 h5/W6rMxKLwci9x8DJ3yTAgCwtCx7ehxEsWr3qrnJKtRYof46Z+xiRy/PBV9 TBjE0bgUptSznqTng4nVm0zS/JPVO04Btok1OSkb3dN6MgbQRMeVAxy+HE2e LbtaBdmd1edr1mGaYoflsA1a1/9l6ZlKOc5krZ/mY4p1efKxF0ZrZ0XV2nov zyHMhdKx/cZ2yK6to8uRtTcuxM4Atu6kx0OgblFal+APVgo5PzwelNQArNf4 SnbxtMQq3s3H6F2fAgFyPDf8f/6vybe0ED8M4vDxJD8p67ULmXit767F9qrj +OYB9oZCgRAq6gBas5+C3LyH+gYkPNp4tnVIvuI9FjNmdXXVSrVg6nQazaae WglQ5UvYSRAMAgwg7TfsN6s+zwGzWj+Xl+OJklhlvWJtzH4DD70YaUH2EmxK BNLBy/rRClnEZMQtWKfQvNJjAMVSVhuMrvNToe9aSULsT/AsHw0vxFQcDZVl BAUR8CEG3k1/m9mcDzVaPLK+fVbuanF1WTet61HeT8WAm8FyBcChBLHO1JQw 2Wp1YGDwhUBFPiHI00E9mp6yWOt0/vPfcFNbeBQYOtUkVlf/qq7wtF8Ug7LT +RO2OBmPCmxQpFnn6DthgM1YjbjACfpiT0+sYh5NrBqoe4r/aEbf/4IlAMCv X7Ue/vvvQmcCmdeH91OGhRdaWo5h3kb6/f67sOe+gH1kLM8VVtRVTM91CbT8 NBxdDgU/G+pZmzICmtINTckdQDW1RJPAZNkAt91GwaKswKIUAip1TakHLbfF w73tzVqpWcvQZKrgyfn1NhaACxQx8GURXQBnmetbyNrpNCuMqkr2NoEZWlqN hmQNyotyUGucPkuFZU8az0uZgqixR1lnboB1WQJU+cmoLodyBxkgPsF3WFnA zKeFHoBI9K5gc9lgBEGR989OIPswq+PGK5aTuCvQISw3CK2sP6kF3DKzXER9 mg4G1kMNyEqmflg9si6wPYJT72x605qJ4KPRmdLDR8LDFEd41nMNnKjS0/7g Ggj1X4KpTmz/ZWYM4rdVH5grrqdnvRdbsjX9IPjnX0yr0cVjqVyFeLlwedX5 kBSIY7w96Q/U0tz4dNNyMNneKYlFoIzbtAwPlJxBkEDwA5ygLIjP14o94E4B k2urHoxwAQJyTDyzDSYnqcKK5s4VCKfXinvRINbf3LItg8rxGZgYsObr10ma rQK5yuHx5KQWKuwJalrlVXp6NsBT/ULcNaviBKtP0k/lKqBXW2PI6hKYMlF0 g89WcdlzOKXotrWvW65YLlbIR98Q8FwuBjsUqwHXciK4V8shhBmXAoKJyRX6 y72M8nOHeA8WkPWHU5sLa9YLVLCiL7dW215RaHZRd5ptaTYvUDwdQbXAk4DE 6onoFPKBQZ4zeI/ONC4IZuUDUUmIZNAaBdYKuYFtYC0TcdDgPgRZHuaTKwhS xaDIhw9LYiN0yzVXzmDw5ZkQM6cg0KzT9Kp/ChVzwFuWgW4QgJFPKJHXr2UJ 0TlWGilsTtFXV1yengFK6rN5FjoaCga3RLm+zdnIuVmVeC/vz/QuRwaABfJQ YafXsmJdkuko3jzpj/WpsFfsW+NQgY/zyeC6kdzGLTbjU+HiMA2aoyxMsqDQ 4EwKACDO0ykOgm/RCS0/tGUZzq9YxQBTvT0B703VMQCf1pasIThHrTlz0a/o 0p5QNVmZLghLhm4sQxKKrjD9XeuAa53btDB9ddkIqHLrdNj7zfqjutGH4tx+ 1FIfOc0dNEjc+Z/+NHWuKBWoGg3AJwV/GneTXAXVWiKScahup/MfgOX/+u1/ /WZlXbk5WWxG/in3kclTBov7D7GDalgBwniL1r0JF3NcSxQBteKkUeyUQjS9 E4M7GyxH+/oNeK7pteWK/z/bgHF/c8po31A4hS3yv1RM/wQLd6bz0NUkLInh jFpdjIg8iVrU1oOd14dHD1bUf63dPf58sPXq9fbB1qb8DE768uX0h45+4vDZ 3uuXm7OfZiM39nZ2tnY31WB8arU+6jzY6b1/oEj4wd7+0fbebu/lgwVsIOor 2qFsB2mJTp/WHTCOfNzPFAatb+z/3/+n44Ov/tvBkw3XcRIIHvVL7ESiQ4Av DNVqZHrqVxHnnfTsrEzHMotcVJ6eifYnZkEt9wllVTiK3PnfBTL/6Fr/meVn jv9X/YEcuPVhA7PWh4TZ4icLgxUQl3y0ZJkpNFufz0G6vd/e+9bvDdyND//z vwYQWtaqE/8XMAgotDwc+PVPwLRVsMPVflH/rnBp+uTsQUathNQNWfh3XEqQ OO4/BMKKMdQg+v/+7//GB8M1p7Nknq+9l0/3DraPnu2sHr3f31qx2r93p0MO y8nvVrf7F21tW9YhbmNrd2PL+jr9iC6D6amsubnW/r1fPPzamnDqzFV/DN18 fmzrOf3n3/fl+Xpuzq9/m27h90dWcxHT8b8LPEDnaQ31CHrA+FMBVPzLA6ru D/4q1LfVpeKQZqMLqEPKpQ1IV+PRqUZ9gbLoxUB6fDGzpJRfhfqf7TraeNIz fP0qUQuoJZ1Dqpmcx5VPpkaTk8Rxa9Ba5z8fc6N/1dy+Xw4K2kXLUOIkvdDq +FQonJapaNm14v2LmqH2MswcbRBdhllJLxGEgzL/ZvokGfXstkQ56ItzZFxO VbcVxWDaHoM542tO8M9OonUgw5iRg68pICzspq3dyrIGUcg8VJu/7fSeataK nclEotWLCMBcVH9kIWXu0q+5xg3VONMNavfUxyQD9RfXcjGpYfmuyG8zu1ev PlPm9Llbmgdl3txR/769urlmhOvz03q1xpUO83r1bHBe/+OXWmMX1KdzYKus 840TtviHOIkBqSnu1dbe+vOtjSNre3Nr92j7yfbWgbAI66v1cQShstqvR6v9 yfnq5KGrIi2Y+RxC9fqhEz4CXB7Gvv1I3OtAUuXYeOg8so5HFw8dGz/k9Wj8 0Htk+SBaGQ6AYOmbF53bm6eHte01dxVG+c1zNGu49s2jq2+Pdm4anbh3WNu9 efQd1r7p3DRTvznav3n0HdYOlo6GjXw3oIe3DL/D6tGNw+8E9viW4XdYPblp +J0A7y1HODX826t7TiPZhFWYNknDKf41KLllGkzJeVUkFX8Nwpsm1RrAFGDB Nyat7jNpeOukwMLppIEYLnebNPrGpNV9Jo1vm1Qw9j6TJt+Y9D479e2bJ9WM ZTrrpxK/3nVe51vzVveb1719XhMJPpV3xy3/FirQPOp+8/q3zttChT807y0E prna/eYNTU6n/U9TT7mhYYpaPhqKqTt19M+UNBqY4tHPxGcrnpWpamUkEk59 bAwX3Rgcys77g4l1jtUseqcMH/mRGVcwYiHjciDa92jYjjxAFzsTR1A5PdD5 sCjHg2vtujTmXpkGJHlubBd2fUGfRz8/H6jloBsyCoOv+6eMN+JMsxBoDuUe QDgbpLlSIVNreH6aqeDFzHuiTZLGk1UrtXcyOlM+4tk3hHRqOrcEcsd9aJNY BzaJbDcrsaNOfwCNlLkpF3SuneDLueBsNS4/n2P9wbUKJ+lQLdTWzlKrQanN g8Z11lgYph5tSkDT40ZMsw63n+5ubX61jtYPzS+Jxvq7o9F6eUhHJ63hBSt4 Mv3eMFRng7S9my6x3pYa1KY1zT+yjd7R64Ot1amBvNQ2nv6h0T298plQbdne puF9z2UaW3zZUreOtCzDYp/BY82w4r8x3pqz8n/XJ5vR6fr2kXV4dLC9+9R6 uLG3e9Tb3pWfl53y39+kg/Py4be2/D9xTDnnt9wTtzgm/usHOSbu4Ze4qwVs Evjsq458ZQSCG79/49Jt7GbjQqdr1fQ1dgwEXuDsssEinaTa26ljHX2GqTBO b61xATNoNJwzyTvTeBXHlWPJV1Ob02FN5eoYpwYTsy4Ek7ABHqaJd3InszSO llG/5HwrhpsQduFDCNF/ymOPeOsdM/yF22kHwJpIwJoCJ8OoFCQLi4rcwL5W OsZivlpMjVLLmdE276bFbj2uaZh867Se9VAk3j9vO/J8zO/GI88vvOzEgbHg Hz92bzAAIp2PZ5HUGZJa+bhkbLbJ+1mxdn5ZUZMLWPSnbQyV2o5jRbijiSQU qA0Lbe/8IusqpCzF8S45KNMQ/dQTNl0fWI0hp+m1TA+VSQlsGXk+IaMRGtJO oclJOmlQXOkWt03c6WwrFSZPVZDMADRJc1wq5WkaupupZQ/3n/1z5xET035Z s+SX2Rbpqys62oGnsenx7D7VZldEZ1G+R65vRDeXglSilLKyCjrqE68B6XhA UUUk+LlsJ0o5mqlEzVBrW8dVZP0Vq+zzpmSGTnuxW86gD0AUqYkY4EfqitWH 7Xu6aaKG65uLNttsxTwZGFC77ktKg4SDVEixGpRX/aw/EFUUBx5J5qCKuImH UDkmT6GtE4fEZzrUEfL0VNwB1BrJacfpsAakxuSRN+64yckhXszEh5Q87T2Z sv8Wh52i0aXJZWRfs8mFZDqtsGw9Sziz0kpcvTLXA2V/PDBQsskEWmRNzH5c s56IKdFkgrT2wFXv5KFgDoUYQNNQ7UyJX23DQvOx5gsqzqYAUpyVqRjMNWJm 0PlE0ih0akO/NhKP5iezFicz8jqWTiaGOyfrTDlxssiGmxQy2BdL2H2ToVUq 3KtXOgcrooz988newaHKVsMvz46U+SRCdQRuNc2UMHPLZgt0Zgv0p8mT7Qi3 Ystza1v9NdzrgfXbb7Mt6J+xg87SHUyTfRq51lpbGyudJp2iCUMYWqhgw0hy XYpC4e81f9RZL1S1Opfj9OyMuSVtrNOzmRbK1ABbWVRDOlRDjH01EzyYPvLA 3FoTaoFBrHM6jZSGJyoApYKUUNlWRV/7fSoEFlJjdcKTmkjNg2mkkEStw3Qc ZnMte0RinA17bB6cxbZMhXTOubl0tq/7r9dfbm+svth637W295qA5qLdtWB0 LQu2GbOtWF/VdI3hsXBgE74/p4Y/izwuhe0fCD3WN4f9mHW0GCKcmQZQSUsN nUeMQS4AWvxBkjPOgZLPJbRRpqdT/9B0Loz/+vXfvhEyM1hZ+3TGnuYDkaZ2 Pe90P/u0JBY1w6SWw8vwgy0LYTXlKauWDByO9PU1XANfNIVSWwdHMvnq68Pe 062Zkfq1cWhNbdkVTDM8KM/Oi75OM8b5hM/IEytWfvBSfrB+ny29f7D9pne0 tXrTFrQLcMmxq/sdu/qpjy1hqHscG8N+8mPf67Yx7Gc+NsN+f/zYMuwnP/Z9 bluG/bzHbiLcf/TcetzPfvA/fuF63M998Puwcz3uZz/4/W78p+boTSbHPQ7+ c/P0Jgflfgf/qW5cq+2rM4NCTrq3cbTV2G/tx1SIYOlz0xD1LabCfClCk8wn btMlpsMdkl/udEffnudnurObAFP9IMBU/1qAmU9Cui9g5ub5VwBM9YMAU/1L AWYhGeyegJmf518BMD8EY+bn+ckBszwp716wWTrVvwR45nMLvwM81b8ceBZT JO8NnoWp/iXAM585+R3gqf7VwLMkYfW+4Fmc6l8CPD8Kexan+lnAQ9tsFr5e SJxaEr42rLhUFdsPVxlfmgWx91+s1aVE84eFhZ/Ho9Hkj0WwTUvx9hA2lp8L YDeL//Zbe22u29HrGjkB/zFU7Q6awn5mtjnhiuX6zD/xXOmzcFaq/OFRu+fG NEjXqcvJmpGtxyyZW2K5y6LBRnC00wrf3Qq27w/mLdr6zDxYNO1VON407nka th44G48uJI47bVqhks2bjabtXDu9YXYymCYXEmjDTjm86I9HQ9ZmMweLjRPm 2iVm5xOrGJX18JemTY/Vl+T3y6F1qhGcKDVNXF+A4URTRDsnSG9soQOPJIhL 94MFWHVugFWTsCUJoZfptST4jGRrBpobAG/DdNRZjjsKbVrPAlflvCpBaBlS dVR6wcNUZWESY6RieoZrj8wqaZ0sVU9UOo8kLwwnHWngolGttbqaMpN2jxqX 5odaxlAs2TEHqjSqegSi+jMfUC2Fbhjd8imZS946anbMtZtLyJmsv5TDMYeW XS+G06YlZk8Ii9Wsc30alhbmqsQFs6T997WFPky8Kr3MTRttsZ+5nZrZvl+/ 6kSZVfUUiH7KVGZdfDTjXVoaqsZJ1+lpxswsgVU6tpyngxlFGvW3KkEj8sNY Ui06f2LGzGtmIa6DStVFSDLlUOYE+g76c6UKmvNL0UaeTmapOvhczWNWVmAn 5VBaCP1ZNy5qBJovucAqU3Wa6SGZilV7rul4nQvNvEEycHMVsqJmQ/Uc0P7D emjyt0fL8eKhwWkeLSnzvpHmh7OGWwYizpIwmsvXm1ceUyoC81oEP2wrEvzI 0CX4u1YnlILwMwJsCYCkb8VSIOFgW0PVrEykjkpekvzNxU/xaO94XJazT0r9 zN5Q9wtSo8vZp2sKigfl5/P+WOkqkrpzPrkJqpJW2KanWaJSPekPBqSZa5KW FjkqKY3NYzudB736+hQ8ZayT1fbT/JPUPD2Ydm0IYuoAqr9JzZojyA9F5bOM /04jlI3CJt4qGwAZvRMu5cNZJpNK4TSmqDWLLaZdEQbXTfrtkuQm1i/NsgDT CU4CgV/WnRbYpl1b2DeLyaOX5WCg0wRndVVNm0ClvsyOsjcsZ4B6ofY5LhUz wnSs05orlVocszRxrmlp9kb9t8mGO5uqB7Nk+/3Fz2YMf3Gg8Xzz5Qw81t/t f1jbO/swYiD2erPPm7KgZsja2lrz49//7nY17GX6vzvGDIZ+oiew/vEPYw75 SZlYt8V/+H0rjGToud+ZAkg8vmcK4Cyv7w8aQIbGSs3pfKxNoM7MFDlUVgh/ OBtXK9ZSm2ipUdRZbhS1NeVbrSLZUmfOLDqcmUVqS9pAWrCVZsZSs5+ZseT/ SGNp3lpaIK2ZpTTD/7b18QetpBkAm2Kk5Vpfv54xldu21pd2b525bGJq/Kfp cCh5nPU3DEFRAUVKNtVby/Jk72MKdhpTcKoDqrPfQwk0+Ph3aYHTfkJjEXV9 Udmhwrex+vRsNJ7MKnuVsGFK7XA06Zz180+y+hmXHpaX8/W4S+5JQdfYVkcJ U3KOpkWfZOjqxSbSfvNSRKy0hk3zvDybzJXAzcnC1vUYSKTSx1srpFaWDlLo CyAq6e3b6tsnil1WTi5LlgjTZhZWhm+LkWhWTaFJfm3lJ2X+CdTVaQThWdpX 4vUSDE26surSFakZVDDVT1Jl2Gtq+HBxGzJt0fSgnNV5T5sVEp33tjdb9Yfp grQ2ig6Mmg3yEimtMV5ooMptFLiFWdRn/Umpa6GhvZyU0v8+p4ZwNqpr4ecr Jp220gcKqfdKFzoCSW2I3B8OetqfTJR1nJWLlTRgWapcxmwz1J4eBv58GxFl uF7083JVJH0KqG70dBXaCHacwp9SrSWaYMFulmlxgcsvhXWyOAr/4Now0uyB 2OFgMTlbh5rPkRCYs+OpSiI/k3r5sfSW0nfVMbBxwZnBcp2mDa2iZGzE2AVu 7lCIc97Q6OQtdGFtWFpVYuyqnno4qyg8TEnX7F2VdVC7Ze1cUybUFH01xfsC 5sMd7RnrfylnNVRAlI4u0G/XU+mTjfKyrhUqtEtQdDmYrmAbqNctrU1xfFbb dzkCCdX1rA/BtNJPqgWbSsV6JBz/FFqlTHcC8payvNPydDQW/87rer6+UlWL 1a0j7fxC4LyUTvGWdLO0TvvHJxPVDby8yok1zfPcMjsgADRTyBk9Yy+nMO60 +kfyhSOXKTkAJ2ntgcv2yXlYxKbbeuJjvimEWqMYhvvS8ka1ddyu63NZ2/ze 0t9jGl3WeSavV5CvcAi1yFB46GhcKMSXyrCZeR7APA/axrmAZmur3RSUytyp VAYd9na/C1ycfn80YXfUgW6nDAL+xTJ8js0KDf3qQlHBeimnPZpVVprG7mjc EfCZHF0QxJoiiFWcU14vVoGZXZ2pUwDXhXllZUeVbMiy20MF3Px8kI5b9aSg iGIkrZzH1sODR7pISIqcrthAXqq6m+raJRVoMFcrTUtNQ9tG/GIDII9SFWDK wc9FSxk1dSTTEt5W07m5FtWlIRdIOOK2ayY2Cn5122DNtqdltOzBttAgFoi1 pqit8y1qk5+xfyVP2xcCZOgtV65VZ2Sc5NoakEwfuv9H6D8yOoIY5fvqvjp1 WpWD65lgeag8UeLvE+z5/fdHyvFE97iSExrPRIcvsXhmDk87Sxcjn0/zE8W0 5R13gvG6aXh9MjrHAfFB/5jEOEX0k3R8KpJMEOJTo7otXaDZgLJTRJcYj66b ESaMZNMiGU3JoxgNjWjsUYwfHBJMGdr+tD7wwS7utyeVpw+sh+XVWV+R5iO+ AgSbodwyCYvioVHNlL+Xy+RyWPH+ayWBLL4+H5OPF7rViiCgkvNVww5UQV/T Zqat/uhyPl6Y7ufQPDgn+GglzpwydMdoToc1BhAHO8BwGK5jLdCaeVKpv53U nVPVM5fcazw6P2YRpGl46tsUmQcWPRSJNOIK58OJ8nOyk+JQXogA1qp5am15 aw5DEp7UoirPSlYe94dDbSNMS/idtbkj3qcpz1ROqmpdrPtu70nHaPszx7dw ca25hcan2r6i0qZDjzV9GcUKoz39SUcCPmQQY6E1NcOpHpZDR6HuMRu3Jq91 ydu9FqYyf1aI39HsSCPI3Cbp6lrYU17qFz7ML5o3bKczrWFuDkhgTCvJhYrL C8bLWjTEPkKYYtnUK6SOdiXy1LadW62eNRuZqwCfXEJx1ZETPUXnxrs0Wjh1 OtutInndYeRMva5mnkNISbt0GoXs6dcGUAw1VPQy6dY0mEz7nM7sFmz82NDl 6sZiN9TWOaNAjCBaCu1afrXLhrGpfv9Tm6k/VN4K1VxJzGAo36rJRPPM9O0b TXD65FqIYFyWbQkin7T8zFP4nyphh52JHGnwrNPSS4QS268mbYFqho9K3Gvu 3fQNUAoctNG0KD+fk/nX5XkxWm093SwgJsrD/YPdp/Wj+bYCta6SVgHP2eXg ViYDmkvD0ZQfYPGeRCbkZUSYXa5T2mwJpZ4K1y7Tut+0TdC9VQlIWdpaiPJO u69qU7Ve6dQlXymqRYfajfym3hsBsUI4kf8L3vTFLzVOtW0lBsP4HDeOK8iF iZlzXZ6MBkqQ1Wdp3rzmp30BAKQgY6cNcXoTmtZiihE3LNVbdB+y1w9Uno7h zu7P3h6Ii1dvdFJAVFAflGkxpYCxZraNrmXI6q9f9UvUtAv061f1xipRo99M e0CYdq1mdEAmuZqFin3efIdK5eT6jG8UrIzdqU6XEgxJIWfLP0vUoNQSrl93 2t82qlxJ61Bam5laorFVyzqA3jYs+IZe6CiNA35xe8btaJuvadvWtI6Q5IHZ ejdv/Ya9zE7UWa4tGzsQKA2g5xTXhnXAV7XgTl/2P5WXfWmDItqIbOZMvcIF t1TqNwXLayKKclVe9zssB/MI8KnFcRpW0Fg0097I7WNN4aE0hnT2mjbpwaMX gPklb2fTgdnt3m5vwQf0ROsNyru2o4xoOvQYvq6HjrwxR3tymjb6K2ouIAKb 1dXa6aKdFMt6Z/PNSY+m8R9lrHfM74/WN51HzSvaNhmtOmuo80G/WMWQ6VuD 6baU18I9oI3WETdIe2pDpZLQUyuu/OBwZ3umFTavXu7os88CMg8s/SrJa+uh s+athWvOWoD/RWu21OHLe7oygJld7U3o6Wb2ArqOesOGJG0Mi/5V42k23zKl 99uEKubacsnLBZVTJGXTElMTXWmbS80bkW57/yd5WEfWSmyVkyD+Sn3pdB7W +u6msZd294WvX7+ZbrS2GONhiOevHUxlbW1uH+0ddK19YUtsNS5tGL/dxdtU nduvdNAoM327d5McQ4cYYYB1zQjQLMb3nxt7m1vW+tbT7d3Dv3beCXY16Trq LolkHcnQ69cjae478xautvr+ejBqRsXD8JHWrMqJPN0Iz4eB6uZ3On3jNz6x zj71rx5GMqcg90O7+WkRzTVxAJ02t55s725LfO5wFro76j09VLE2OUmns/Vu f+/g6NDqvXz5ZyhyO/wNGzCbdyzpArii3jy+utHjG8It68nB3o6RmjITZavy 1nSmHZovYOioXMb7QEqHGQ14fQtWeoSGWLpsk7b7MIgfqaDlshYUK0s7NKws ezpxlz2duEuflgTaxaclb3TxaZ3rP/+4znFf/vySzeis5qXPL9uOzmOV5+WD Rcgs+XT509zMkk+XPq22suTTJU9PIbPs4xueX7IZAzILXyzbjlm+SfxfwhCm mP8tptWmiNNSlMrVbFRcP3Rn/cPHdVrU/YeO4wV+Ipie1/K0/Dd5mBiIXp/2 T0u2Hl/gGC1mEQursP4sEgp/WxbhTclqf5dXQPxDBnS+p0P6/duj1/fojf69 jdHrVlP07+2IXre6oX9vK/S61Qb9e3ug163+59/b/LxuNT7/3q7ndavj+Q9o d163Wp3/gD7ndavH+Q9ocF63mpv/gM7mdaur+Q9oaV632pn/gF7mtdnHfAlj Wl4uToZ07xLwe5R/317DsbR+47uKN+5Y13LvYu97FHr/VCC4Q1n3PUq6fzIQ fLMc9x7F2z8TCO5Sqn2PMu2fDATfjQVLCrJ/HhDcufz6fqXXPxsg7lBofb8i 658LEHcqqb5fOfXPBog7lL/er3D6pwLE3cqk71ci/bMB4kdgxNJi6P9NAbFo dCxJY12wPnDUO1gfS7yp32OG7PcOejuHVu9gS5f4tZy3hwDX3Ywigc7Mp6sr Vqb72bTW39/x7XK/00dzAyiqHwmKeXPk/qCofhQoqruCYt4a+S5QLJol9wXF /LbuDYqFiW4DRfUjQTGvmN4fFNWPAkV1R1AsWCffA4olZso9QbGwrfuCYnGi 20Dx47Biiblyf1D8GKxYnOgGUCy3Vu4PjZvMlnsBZPnm7geTG+a6FSzztsv3 gmXRiPkOsMxv7nvAsjDXLWBZtGS+DyzLTJp7g2Vxc/cHy5K5bgXLvBb7vWBZ VGe/Ayzzm/sesCzMdTNYllg53wWWpebOfcGyZHP3BsuyuW4Fyw/FlqXGz3eA 5Ydhy7K5ZhbQ1tUZ29g0xo8RVmUsWLJ0JJ9DHl/20G0wW5ZMYP22/Itq+RfS XvyGL5aPYHvqG75YNqLpWn/TNzeNWb6xpjH40m9u2FrTWlp/cwf767Ynqzs+ Oa+93/ZkdbcnF3S/256805zLFYZbH54Xo7c8vChcbn14nohufngJI7r14bmZ JTtlbW1NaPRwp39abqRntUn6t5HX2r8zL4RDbqK0bz4DwNzhmW/OI2C4wzPf mEfjwF0eusNM3zyavutvPvTtw+m7XfLQt0n8roOqPz5ojvDvOqj6w4Pm2cFd B/3RlZYyiTuPq+41boF13HlcdZ9xiwzlzuNuXs9gMy1VYNqq4jZVYNlDS1zG S9/19dvyL6rlXzSCdukblZZ9MRWzS9/Ks/iFqQEsf7HL8m+Wb8zUAJa/O+Om b6Zj7qgB3M3TefOTyzSAu/nJbnxyqQZwNy/LDU/erAHc2Si/5eHlGsCdDbib H75BA7irss9GS5o2t3Y3dWY6fjr8q2qbZNSxHk7GrOWr5Q2U9UQqiKR9gnQ9 mRbS6EdY5SbFTcPJ+akZ5ZBGNZNxOq1T0j1sVAeHs7G0diitsp70T1lboAsP Z2XEma69bzK2V6zd7cOjaeuVlCWNulRKHh+PsMtpbel0e1K5IHviS3G30nz6 ybXZyIVtP9jxaaxfVyzlZterk9Fqis1ffymN7P+zsZQM9y+mHVsupBhHSumO S3PH003IOSpW9GAdNqsRGPA4UolZpGP1CshZm7V8fH02GR2P07OT6+ZNnXy+ vGLBr1QgcM5Wo0qjahTfN3fCuXiKuq8r/OrSgMu0cZt6XaqqcFJ92cZl+kk3 CioH5YWsMT2cwgZdmJ/qRhZj1ZROv9656QqDfY3Ox1JMr0GsO9GMxtYxOz3o ArvJyYgFG5yDxY5d6yUrWB1rVZXXsexOChdTiyUfluqL15RogDZXpV0n32lZ rh2vrVi9rUN8+mhFz+RiplkxrDkfaIRjW3WvzSyHz3r4/rH81xPims7n3XVn ibtsZ4k7ncm/cWde7N+0M4s7iv3H3Bh+mE4X3HFjzbHbG5OPH+lC0oWGW1Ir OaMdKSdSuNygBquOa8tZAXRE+gd8Cc+gX0+aVk6TNFudUofUGRkvZZ8rzpxG UKUJw4qRxrky34mGT5CQ2FRMV2G2ckDbJ5i+XZVdiXSlqn4fbqtdjmAkvpZ2 HoDJb2yKc+Of3xQ01C38Jl6QNfkQ2s2aJU2kfmN7O/1z5zcp8rplMvPr5hfj Q/N7TCbumocUB48WdSSs7JjbjGKIEPzXc6cfhf7dJqsWJnMiO47vM5moPDKu NVnouj7+68fTj5LwbpNVC5N5QRjeZzIqVng4MCdzkyhxzbP9JjznTpNVC5P5 idzAH51sqlv+iNucqqM/4janGuyPuM2p0vsjbnOqJ/+I25yq1n/oNr92rT+1 2J416U8G5V8eTHNFFtSGB7+LVraluurV85We005xuu1ebbbcmLFJqcwya/9Z 6GtUdUrh7nQR853kX/801/GZ/QnaPf6WJNcrBW9Z8z/dIndV/rCOUFt3ksvD Dzs7m73Ljcv3z99vf9juvX29ud7bed273uq98LeeR8+K+PMnv+p9+rL/JTh8 53542nv9/EUv2XjzOR6vh7/2XjzvTJ6/+otaAIrtwvRUc1WXXtsCBnXbrVaB 647TxWW1PpXbTLq8xMXig19cYLcV+zbIx7EdoKqP/7v2Lx1972rg7x3LAa54 nvxqtCttPeSuW7Fj2Ym1tWFFkRVtWL2e5W9ZzhPLdi1/w9p4In8T30oiazNp D04cK7atwLaAz/jhiQ8BboU964lrrdtWhB9imSVOrHWM983B+rUNJhIYTYAN LNA9H29DA0MYiyxvuuveFz1UzpWBH0+2N3qvFnFkfWuj//zjxYuD9++3dwfb V+97h2+2k/cnH7xfJ592X5eT4w/hztDf7Tw7PRz0Ds/XN8orr3pxtvfs8vnO l/jX14Pk9OD4ycbh8f6rQXrx4rK8ON7oZ4evDVya30sbmWJ3EZksItP27tHW U6CKjQ+DpRgW/SAMA68Jffm11S+39VjPtdzQ8talTaAfWHFo2bHUkwWu5TlW aFs2sCOwXM/aDC3XaQ8OgZRPrN6mldjWZmA5W9Y6xoeCXZAT0ZZlb8qH4H+9 wLKd/12xe2PG/BZQGUx4UK2KzllOX8PQ6h/1TfQ1Zu9yH5vpJO02O2paOHdx hw/tK/fR9IvDciy9tXZp/86elz++142Dbuh1U7cbJl3b6SZJ1827XtLNq26W d327G0RdJ+sGVTf12oPzvJtH3Tju+sFsralOPfW0dS0cCOf5p5znn8a7ky32 6sOWrI2/PDmAcfGX/XQsDWb3/rI+Oj6vp9WrYiEpxWSjNztuOugX0vXE3JL0 7Fpn75CutZdPBL8dr+u7Xce1WPz6dOdoYQCbfFl6gG8O8NoDdHPc++1XDzbF oNR7t0FqfHkX+DV/5h8wuGJ34eH9V+SW4hsRvFh8QP64WTd2unbSLfNuFHWj vJumXb/sOlXXdrt+LuiBv4nfTaLlMxRJN3G6MfDH7iau/FD5XRfIlnYrt5vZ 3Qg/xDJbnCyfIcPkU4KzpMHBhTfrPV+3B+mvGygTvNNs2MX5Nza7QdL1wm6v 132y1d3wu+CeG1G353cjkoL3pGuvd7fi7jpIZH1xAtfpRutdJ+lubS7bR+8c Iooq1//fO1lPa2CCdE6ZjFPpgtm1cmxMmuYs7qXXPTp4vbVsmumLMW4bbnAz leksnSanb2q4O2+YPflGLOfZmYGEKTDK6RaloFDudR2/W+CHoltloNmuHwor 85yuiw+BvUU3zWbDvapb5MLQ0kCe9/Fv2K3srpd1o6pbet0g7cZ5Nwu6MZie wnZjuBN0k0oIIQi7Idie143Kbpl2Xa9rB13cQ+F0oYjloB2/GzrdIJAHZqsn 3Qi3G3e9XEbFpfDb1O/GRTdJZT9eIA/gyrHz0OWv1Wy4XXY9X4Y4eTexu74j pAdmVYESA5knxL+YE3wbhInZ3G7hzoa7qTB2DInDrlt0fQAn62apDMHqkd0t I1kxxL84dSo79wzpUhQCijAUJlAJy+9mbrcMu0UsYwFk7F/w1ZZpY+4kNFbH kbFDbAw/gPDLoIsJfWzJ75auzIlLBNhxEbjTFPCBGApnw7FiCJ6TygOlI7fs EDgAJs4OUEBOASaR180SIQVItNgYjgvCWbBhGeLKzxBnGddybJkZG8C32HBZ yhJ+JtNOh5ekQ2wVt+PhXKXwRvkQcMAG4q4bCWeDuMQk2HwBqMYG0pbdKBDU CnLhqK4rN5gB7IHAGVANcGv4KpZL8bk9uzA2T9wGk8TGMk8ODuTHPnFfWC4g lqZEY8AT+Aw0yJ3Z8KDg/IGAPSy6QAMMzF05O2jEw8+lXB/QJiRaAvc8gyFX eCwWxMYRcGpQFmBo8/g4C84OWsDnYPIQB4IbQGzj3p1UUAJAA0Hh9kEUOUkY 9wWgAQL4UNAJcwI9nG5VyHGmw7EWtucmMi0ODgCWSuikmnIBN9lPQvoFVEPh pDPQYW+e3B1oFmDEDwnAFQkoMBs+BJmAmYCQATHBn1yOPx0uzDeVi8PGAHDI QXwLaACAQuxxN/HkBiHagHJJLnDODGkoHKASBgXAYsO2LVcvYrToZrHgp+2R 1XhycUD4ivxndvawCw0LSpfgvC+UjoNXkQA8CeVfsBoQEZaGqPUKYSOBgbS4 U+hyIDRZlwPBKCCCcRDBtEiex8GBUfIhCaQwhoNMSl4KhidkR6kjBwSnxaHA BgEubBiIBD4GvgFIxsbmQaG4jsCnzkBMg5DDQBAmdgvIZESh3Jf7ApvCPl0D dDgd0CDwZBQAK1wiF80hAvzB5wutRQD+XiwXAZ4TGatjk0Uk+wF+JnjAF/ST RSuZASwIVAB7BrQGtA8yQQYoG9PhWdHNbdFtsT3QGjYPhQfsAgvZxGG3lHsE qwQvSglYk2CBA8ItA6EIYCzEAbAUAAE2lrYcX5gGpQ+u2KUGHRgECyZQVLKi Q1qGPAIRQaDEpDjAvOAlYm84BZA5BfIbQgo7B6LKjRckK1sgILdZCK8D6mLb oP2okNuJeKLcYFb4NiKeVNTZBNoZ5U4uNIgbxLqYDRweTAy/QgTEBuiAVCBY WS4SEVAFgkW4HcHYSrAorOQugGxK1oAbFCarLIQigMbgigCpHYoOWQDzCwEC JgHkMQpDgD8QiDEOGLXkO0BRgDOUMg/AixVBICCximgGzPcoZYDAwCIQb2UM F13ClXsBN4NQw91h9Zz6AKAEoVASf/AvtgT0AJ7YBq8ThRY3lclywECwSuwN WkpFVMRAgA4iQwiWoh98L/LarLIg0kZyNbgUrAi+ISaYJxTqkw9gUWFKLlmu weswJ/7K5JFwOQigmKK5ciigQ1ErAVjsB6gIQvbJ/GdI6wpFqyMDblgFaA8Q AZEKEBcVG/D5jKyjJLM1dRsgEkAHIehSeopw5BkxpCDCgEawIv4VEohkLdfg tEAnIBtwSURYICQJ7QVsE6RkE9NcyouSyAz9LSYmz9DGFcUGNCX3VQqJgZ+D cwbU90RwV7LzihIE0lkMEwPyJdUVEBrIDTciylsqexBRWMnMIE/QCzBBFMhQ 5GNpECyAAyAHVOTAtUB0gBVgjueBAGLj8NeMS4jmgIcNdhEp6UOVAALIo5zK OTzipYCNYGMeURdrgS2kBuRxR4A27temKiL4T/bl0eDKyCVE0c0FkoCwQxk6 A11FuePJJt2KVx/IJDiRMJZClsNxQG74HNzep245Y9R8GKQK0VZxD7h9bFW0 qYh6XSIQwGw4ApYA9EwZB3DhL0gGd4d7ARZhn5gQ6A0VvaDnwaOqmZMbAOWc 9tkxNqQ6IXjryxEEBxIhDcXAhdAC+RzcD/sv05aIxF2LIkHGUtHUxV0AGyHl AXnsAVQDFALzxFVie7lJ777cGlaHKMeVCUHlwpBF96aKW8ZyakAmp+YJUMQG r8N1Q/4C0zzqHhC+oqZG5JZEGCH2XHgv5D7AjptKDU6LfYa8O1w0oITzljxp Rc0EMEwpfEGG2Jvgnis69ozibGERovxj576MFbZJVBGdIZCz4xbAIYGrOKMT tcwB3AIgBkzDv8AxQEBksUONqBKuDtKzOYOoB45I2NI4O24N2wY0RIeJNEni YQVDufdYzg78B03FCp0M5QTKOTi8GCm5sEHsP1KGT0jG6AlWuMQlUDEOhV0F BuigcmCHOLLAkKafGBQe2XIgOA9wCbsrBIcxYUbObJKMsDjyN8ipnCqZ62hi yQotcYRyY1H/wD1ig2QqJSAcgTC2gdsJaIUJpVCdAL6JmueJkAJmgo/5BrMS JZAkFlNHAnWLDkMugQ0LwoSyItggII+tiuPFIJmMnLZS1qsn5CCKXyRWsxho oXyolF5ABooK9uMZvA6bKTxtpAC8Ls1wcPKC9A7hBYEFYwGqjlg3MW1Gpy2g qUuDn0Cag0FB27F54xDKOAUeBtt3CBmP5gagMTOBC1kU6C3eSK6CzYj9SIGL GwRnhgTBPKLt+yIpMtOCdgXnA6WXpiKYQG7CG5VmVVBh8+QguEEo5InbprhC CE2pYTClocbj4ILGttymS6zDtsFgcTs5BW5ctYSUaJ40WMQGD4RN4WoAUofA xMzgSCGXFls4EiiZ5j9gC2p16O7AvShsB5II7fsUuOS0CR8A4mUGxQnrs4Wl B7HcGm4KGiaGQ9UE5yn5SUBjENsQD0nY8ssBx4S7UhMWA5aaD/YPAyGgISys m+q68F6PXNEgWEASxAJYwYpM6SJwqcmHIXWSSDBNbqQSiGX8wbSggdWiNisD MJNF8W1OgwhAyGgRiJ5A1RrsV6S5QbAwOoAPMi0RBspPSXMY3AbDbXpdgE7K Jynae9QyB0ThDOUvTPuKvDEknmA/gBJEQ0k7FJYU/oXekrdBJ44mVxiyQwmV 0AsKrAZAIpoV4NI+1YaEih8YV2a3h8cCKKU2g4eDWwp7pCfK4aIQIkojhaHt OC3PCUgDjFdO6sm1Auw2lVv8C+YQcK2IRiiUxiwRzhaYHjMyJWAsKBeHEg2H jiCHwhokUNJCgV5h07MUUYrNxEQmeAg2JeLbl+cTOhPEXxfIkWU2W3AAxwRT whESQ8JWxEyxOgPBLihykNcuvTQ4pty1ww071LEjwYrEYBfANNGfKUogAjCb CGgqrkCnlHwGv2J7uPQqkeOHBugSZS8HAiXRSxMZGFAJTGmqi1Xri7AAYCN6 h0whBbYg/MoXtAfd4WdR40NhgCAZNRu+BR25XEVUNZPeM9m22M40eQClTPE0 nyaGK8/jVwAtoNsTIrIyHW6RCG5gIxgsSDujaQBMcylicnok8IlLghV6T1ti Ajq/OCWoroM0oHo5lOkCCnoRxbgrCcOQFO3JtDOSsWWs0CYFUEjXYk4nXsW7 wyjBYWIF+BX2mRmQBxaF9HgE1P0AAdAUeILLm8JUooTnFJcZLeVSiMLkdUCt ipq/eAlcYWuYEOqKWHAkc+zfJdKCDCF0EoNRl0obLIWpekRvxSEhaABGiAmI qpiGsDiTlQZiYJ0gBv0DwHzRP2mKQu1XxynIGGNCwKOxDK24MugdXBH8AXQH gABJ8IA4eG3SSyEKqlI4RV0P5CscKjAgD0UaOxTlh3YBdABwGPAZYSOJ4ElC GaScycBYiDzTS5wp1y6PKUKNaoCocDa9Frxl3yFC0nsAzp8YnDamdxpAA2In pBExiCK5JjH5fRqeJf3PnvD/iuLD5PNAMI8firvPE2XGIYqCTWV03eMs4jak g1eccgbSymYqOoEpo2XP9C6KJl8K14pJj/gLFuTTuDCVUnxoMx4KhHFpiYf0 bHv0dImfn4azqOiJzJnRkT5jVjR/HIZNK2ojOD5+SEllEkHL5HQOXUAhsch0 eQHnoe1UvBTwsTJuuLQnTjOgugQmGG4DAwToCmpxM6S1qSQrUUJXCZBWQhuF YLJoeo4QYMZAg/DJsK0aOWKkhLQ7oDADqbBQSRUlphNJBH0hX4lpmci9ZwbF lZRowHmIOawo3gP6V32qZ7ZyHkaybeAMDhi3Nw9yBnihIPk01R16FIGrQGYo 1aB6iKeCgQOXoZnSboFOTH469h0KsoyuNpccW5DNZZiAmjZmA6cK41Z0wKZ8 VLYPUAJqudjgnuw5JZPEWEzr0diBuJEAsXHvolDR0VTRZQq+FPIZ4bGJ4KpL 2EK0gYQhc7FcywC35QFwV7EpEkEAh7olji/mTyz7B8PHTjICuWKEwmRWovYn tDIKarO+XKLDY6ZEFRhKCdVL8Sj6whhnYoKqvstjpvSbAfk9CjLx4XAgAJJQ +GKfmd9i1GB94BjADXF2Ma5RUJPJKIjFG58xHMMbSRXyGOoBqCNh5EiEIP2Q okVQIovCo5z8nkh/EK8wK0ZSZvdObcojOoX0koFl+Uo/L2S3FXkp9iws1BE0 9kzNihSRkgmHVNsc+o0xp7hu6Et06bcHPxQ/udfylEINEOUnljsNafSJIHNE vidUF2Oanx71cHAVXJ9v6jYuQ5aRSE9B2kygDUkUM65R0jECKSwCwqZbwxYA zu69FFiJxpgwBBPIog5Fc0gzBNZNxMAiiFFpmyanlcBBLpwqZghJYv3UpjxO JfoevbghVXqsazNSNmPUyl9UCPQknlJQhtKHAD4DbASlgEuINkurEGZUYug2 EgxKBROUuit+BiJ8pRzUntCjgJQuXPFbOvKYqVUGDAOJ9WqLNi436wsCwzb0 VVjBFcCK+MjoTzb0eUASG4jpwRClNBLu6lI/wY0AbqDoiCF5CHecRYSaaUlR 7Irak9HPHNMPQL7q09XgEavxmLhcAkoEg97BEITXpTJ/ydBtxRCGzEZ/eM44 IK5M5A7xZ07CgjAhTaBKiUOM4jLlHfmUHZCAPr1nmDmhYuM7LZIRfZ7KJ2Au bmpKChALIAYOjz1LfMrrKvU1ov/c9JgJRdDVXFEVB36Kgs1YpE9ttmISUdZE Wwpj82LsZ4wCM4gM2GKfJSOM4uehiYGlC6Wx06PrGvJdDARbHgOeKCtYkUZB mQsKwvZKhj8KavjYj2OICdy4SDdbCAdYCqjmgc4ESOiUwMWVPFdCrUb8AAbO C5dLySRd6my5yGibWkqpiJShpZjcRqlAhXnvHgUfmXBJPQco59OpDvzJaERD E0vpbS6V/DVABwkiSnjJ8HohbBCam0ObWoUYbLI4zJDTHY2ZTSezWKCUcfJt wihwRp+PEu7KeU5JlzPoELTt95xKSETzOS10WAeUUjHLImL6AeRXrNy/rhwq N/g8NpPQFZPSI4RLDJg1kZH8QfjQn22KLeE/MZVt02MWiPiQCEXCsBolrE08 xFls+qxEX/XouItE1JomMO4FgAKHL+jBEGudlxhSoYVaUhAnY7rHRQzR+21S XBLqYIoEVigWfWo14jEm24ecUjpqxRh9aKasBFyIMTugqIQAIiHemDkqEoaO qfMwGQP36DIVYXb2SKfeAWjAOp9CEBwAfFXwUGW/UPdTfkvJEDCDiaUoFSqD S5zA9JkIM/doqisrxhcWLU4nhpsrQ8qACQd0w+JDAFBcjpGsDoglDFyKWpXL 9QErcEwoGy1jpBJUgRqQ0Iiz+a9wRYeRpoqWFHcokrQQBIsM5QRKSELrpmRc CdSUE0UzKsMgIjEBIhH3CZMiIq+1upw9p3R2hclLvJVxAaCKWAeusAgI6IiO X4lW+K3MB2Bmyuwah6wJvA4yTuRFTBrPmHHhM0TOjAhRHc0oMKPkwgp8MbiU AllQvIJLJDThSxpHOe0j4FVp3HtC41qcpQxoQkanjHsKf0toGdGsAP6ACsCU MqoBpt8GDAesJmIyD/ZsU6SCvmzqexBVwJOS5jl0HvGgGiKyIo1IXIkOBDCE ksaOSCtKalCERBjpBANkJDZkhu+pqebKa+Qz04mOTVyuBFOohjmpTlyRqGvY Uo0KBhGUbyekvwWICkoP6TrLGAaNmerjU/cTijPQJidpQMQEvEHcmuR7pHJT IYMjOJTgD09dMOBStdUDnzYjNimnUGFTTx6T/cSCPAqpIgZbxe4zk0YcSjGq YR49cjbNkILxrJKpYhmPJtoO1YPQdLiV8jk+KSlqlcNNnC10AAJ7hY27Ikok rkHPj2NgXcEYWUHlxKFXsKC/BYiUcWYYNWoPMdOuRKIZ7EJiOjQZRLV2iVo0 CSEHPcrZnLpxwHgrWJMQvmkO0ADMKRmxQ/wqVrZL/yfFOsjNpu7hMbwYxi1z ICIwJdfIlb9Y2iVRiL2sfIA5b5bBspgajhmPC0gaDoPdEt9nHN9TKXZ06qog Y8ZEFC/S+ttsdeYRuYx/SWJYKXy1oIoFRq3MNJegCGnlFfTIzbiNyjogJxRX FRNalMNBMhlo02XcfMaIfFy29HmXuYWCzInYMsAfnCVjSB0XJ8HQimKxENRN KUTmU5UqUSxLKgZYS1wcvoAd50oZik1IgyHVEsDBTNcJGG9ymFMRMHUkZRQP 9xvSv41DqZyciCqrTYekGc6TYKUnAMQ8KlJZMFUP2JUzvKiBaVMKF23Hi8pq iGl5RVShuc+IeWXYgJjktgi4ivFfoWJjdRUJUgYUVESPZovNAEpIduFS/bAZ 48tpmvkG0qoULBxZ8kwywbpEpRvRRkioWCYMpdmUQdi5aYyUyujmkWPGKcCp SoZlCyZRCMbSUIJdXPB+XTOnlHpRweS9mM5A4AwYlEMTo6JXNiaP8pT7q2h5 TiTsQms3UnLcJZV5zJRwRPJK/ht9YhFFZ8F/ZxfnEaN8UQYcqkYBU/hS6pMA rOCMynajLz1jmqU5PGQ6qzg6IgbBXQYgclFiBZOZASX6RiWiX/x1ZliHEQ2H qFJQ5XY4CRYCuADz2NZssyi138M0xEoKPjFyqUgIVdLVrKI5FfXwihwbs5W8 07idWxjQ8+DTewMUEtJOGW6mkxxsHEQUE9XFgA1amU6QgAlj38q+qxiODxmV 8xhTA2sK6MqA/aWtFQPrUgbEK+pyQGlwVEk/Zp5YxkwhKEU4bMo4C+7Fz1qg w0Xj15TpIgFjl64vVrPPhAfh/wU9t0xSchQZGnweHwItwYFzqoVpqYP14N74 SvIZmKohByzkcwlcGuZAobJ5qTuB49nU3vFXfCzM3QW7VlFgUbBt2WdibL6i JIVeAU4SMkkbty+MkZ7qgm7MguZG0ES4zJxSUF/ObKKAfmyQiQRQYroymOBa KQM/IeEr6jC9xCnzkx0hz5RQFT9wKHNK9gs9bMrcEJ9VIJhgZvuAygBkpRm6 ZIwx2SxwSY3ymFya8xKBXQnTd2eQV+K1EpWpooyLmINR0JYpqLZJMCujnehR 4TSQNmdOiE/jVPJMGC2VAyYMaNKVUTKnzuOJAJCWJRUJl06ZbwykEqdlzOwX ijNXlWwwjS1khNG1Wxq1yn8TtwDtKcyWMvMZTDuKtF0M3Qn7SZhJFWUtL7GK YoQKzZoEv0zZVj4xiokcvvIMhML5zWig+DoKuVlJa4nlFoSTM+CYMwfSJsAx A/YD9BDBZzArkKEKCcWM/0L3c+huDRljEnqMZM+Q2jYt04D6z+zemRPiqCzx QradM4Qh/uFCFgrp3ICOEXo6B97MMUtV4haZf0QjvaQ6FyoB7TOqwiAdpJtH tDRBV1C6OcxeqJgpHVAsBlQ2PIZ7AuoPqjAHJJCYGexMuM2UC72U666a5N6A 4BLFKWdqn00XBFmu6XArmeMkZiOT8HPCFmgmH9KaBq/waUFnjubJJtb5xBOg t8NkFdggIdOHoIcoaeWTzyQqzzBqKScetTXBPXotJBE0ZhlIIAMrGo8K9zA5 2CmeKY2ze8zwFwUs054KxT1i5h1JkEhpffQBVtRDcuPsvnIa0F6OKp3iqLLs MjoBClrEYrCEmivmZmCFLnGHhmpARxM4vOdoKpYYKJORPIYbAsI5MpA2Ydac T80WyOOQaTs0YMHxJPk50p5eic3Rp9QyhZhwbisuR2vXYVQlZuWFOOpdgaoE OCKGRYJWdp+ETiK5rzLVUcWUt1xRzAE/xSNUkpOXLI2hdTzjdY5AAxwpo2IG MgfpST5AKQady4C4aLmV6Gw2E/BMZ6NLVRljHfpqAqq+BfUNUb9JOzHxWemf kB1mdMCmBi6htISKTUYHCDlVoQKIZDviYyftBEnL3ScOirxJjSOEZZ/03Ump i62LF1KGESWdgG4rM7QhoQSHQVtXDqLsGlEnqHUEjOy4LBfK+JVZuaD80oIV TDeFgPBo8UXMGNQ+dkfXMkhsLmvlXYRkawk1EwBcBYl8+j8darMObVjcNUhJ SloqIW3TDPToGk3IDXJKWMkiCEVM2LQZVaWPT4YTtetlbJJwSWdmxDiOQ/j7 DN+A9WFFyE2PNVYVs+8C08lMBSxkijtkcchwecigsyRIe6JbJnTIBIy3iufE zDGjz1mSu+hxdVUOLZMqM2bSptQrYgqXgtBITJeXLbtS+eqS+kirIWN2U6xC NgzsSuiBqo5TtRytKndIlSbJrcWiyTikEezcpdsEKJQzQpcweJQaMi4nXSj/ jK+KsOhmdFkeBU0jVx7vkAyNflTT6eQRnytmLMiGWZOSs2rDCbQyDMjgjCoz oUpbCTMSGqCvBnwjoSEJwCoHBZhnxsyTiFlwIC7wgbhsZbyEtD4UY5Hcaeaj CrIx+l8wSc9nRnfSWChmopTE7kmhgUqYYUhUio8qnSNkMxMpoMainJamez9n 9ZnD6jwBICtHYmq/LgvxfFYlhDRhXPrMPVPG0daOVIJfwBAMHaQxtU1xXzS+ C5vavrBcU5+nG7BQCjnFBD5xaQJH5B6RuiyGI0N6gM1co4i5IpLXQZd+qrLy WPeEnQhziEXs2rZ2dVZZe3XaVnks5JmSq4PqYewklLAS2ankInD8mDE1ESJm qVEutwNRHiuDiMYmCDOgKpIyxRHfKqXCpjljpqCDRScMQgUUBCkhnDIfFQhQ sNRFTPJMECNmpCwxKxeoOQMa4pyJWRZETADGineUKRMiBBlR9eirN+13EAIU 15KWIPapclNzZg5LIrqvNVIpfgyFcYHtRAa7EDKki1viIK425CGVqkq7sDzK IOHDFJp23ArngQR8R68SqpJ55pB4xJCM5ja0XGAdwC6pF5EIgtnFKW9JwYuj h0pcKyxUyZiLqKvzWPDlUgia6bgRM1EBQGGwrtCIzyqGgOHanN4SycSmxgt4 iq5u2LDiTGZxkEezS+wsVhiF9F1Uyj+c6VqPmOVyrpnpxGRLh/wfuFGwHs2n q82nkw2kBwSGtgwhFTE9wLSgVQTTptnlq6QXxl8AZIemTUhHjZdrVVmV6M7u XcV2WTRR0qsjWUmMh8oR6HUXdc4mFRCvTPXAoUWf0LNhs96qaDDcZ4ZzxnyS gkjrkX/mWUtMhEyFrRg1LslRxaagJRUxvIgrkPSGUA6Ys25rBvlYJ+qDZ2as wotVtiFLTVMqoiWrC10mDSr33ezslTyDA6Ys0reZ7+0y7CWUyPoaSAoJUDLg ksStHHKfHlHs0GOOdMQ6RJVZJ84f4qSQHj2iPutbI4NRF3SjOTS4RP0gi05D XU0WUiWTTN1AHhMPP1NnZ6vTPxnS+lMWXEGDzmOFMjR5QNVjtEVllhZ2S58P qQP7zJ0GjcT0deTkhxlrRSU4qGp4CyY50/1uuj4cst+EBT6S2UsLTlV221wU n6dE5pSyLzCTAxPhaQ7FnNinNkWkL9xV0jBCgYlLV1VKv7frtPx1uNBSVRkw uT0ImopO0kvEVKWYKV4Vs0oAq6itz+cETsx0LEl9VDYUTYNI5cTG9HzGOt/S MavzmJMjWjQT70vWv7ss/pWcaookR+UhMLCIzZiFDyVjyg4zBBTy5AzdKldD wqkCRisK5q6LUDMToemeypjmkfPePcYgJP2bsAJeVUx9z6njBX5LQGfMwpWk OKK0yjCRCjtuO6XvImGtRMVyG6n9N7mNQ08sMVx0Dybh24xfxzTNQhWYYB5y oRiXmZ4Xa1T0WbNZsIyiYPaRrbLWK9ap0dQNGS4xE2IzMt6SmRU5GYvEhuiN AYMt6J1TpoTP4k0pCjPO7jLiU1B04lo9+mZDlRGasCKSfhtVqSdhKb9dYlYw ma3Uqpc4UhxmYrMuUlUZ+yynFWRmuq9ZkerS4PJzHdUKWAxVscgdtB+xH0jC 9EjQHUgGcsoxkDai8gZ8AK7msWZHXtHoQkR1GGU2uxkAsTO7ZYhJmrQnyrxH R7TP8tuc+ZMFe5KU9JOLQcEQSUXnv2kOSCFPICof1LOEmI8NlHSx6tgBa14k HTehQ8OkdxZ5uYnWexPmuUXMPxRlOKJ1HzMznK1OIBNNN69Dbdwj3CTJgaKh JBOICbdSZfeRacfkFbEZSCVYAqaMSuyAMiKmw00V4omKzgqjkh5XlRfR0i4i 7TqI+GRIF0rMtK6YwqsMdM1CSBPJdPcJ+dNPFTOfpyJKVywIwp4DZv0V9Lrn zOtwq5ajNVAujoJ16KzgC9mzImN5ncPSb482tU1HOkDqmXlWXD2k9ztheoBL ZaBg8BdImDDMJ4pZRHstEfyfbZ5O+6DSmbq+SnwqmXrBXyX9hsZsxYpIsKzA QNqEKWoOby2hFVOyRCJhBEfZ7x4rZFW0LvHbuYUBPXi0AsRUjATaEYtbI0ar bcabYvZDEH9gLmx5dnZ6G6S+L2XELWO4P6J1w/hIxKS4gmZpRgdRYch30EXI 0I+q4xaVICCPYvVNREEjooStDOSMTsv5UNG+EFvb0ZlpMT1UvqMLT3zW/jiM IbpMDjGjAwIrwsRnEm9JDdZjZgioDNuAbpaQw0SpTvU0fZUQAQHNT5+pXHgs pMwNGYzwmBiWUMXFXdgq68ZUSitKcHYzkDxzpnBLmQNlsceWRNADM9adqdoH 05pQdRklfcUJzZacmY2pUudo17iM0IEMbarcLX2expG4xTJh4ylpH0ji0VkE cNlM25BMWrofi6CVqhQypS1krwmPgCpZJhnS9lSZ54psJWmE5X4mrwOmOYV2 cgJ7lc4p0RZPV3q61LIcBoxEhWBR+Uw9UE4eRl5SBtcKpq9nDJRDS8mZZQTK tenG99KWhAVkIrLlnIZYzoILka0x8zwdIR+XUji0tcRJ2wXsAe0mmFQ5c0Vs yqyKk6hKTGlYkbJ8g/lUpssrIb3YLI0vWCApigoxNmfE2WfcJybbCRhfaA0v WVNZsnZS5V0rOy4VqREq8ypkuleihVRqdttg4qKkAFEHyGmp+UynjIm0qmFL zAC3yqs0VeLY1pIxYMDapiPCYcShYrDJZk828fJlWrGpDNDlNAcc0riUdNEG l7A1q6dd1vtEdAKnqaZH2/TPp6KBS4Z5Rl7HukjNMyu5MpBDyAhFRDPcZUrG TLexRUBIWwxGcKSWnCmgULPF5c56xoJZBB5bLuRsVzK790CnjvtU1DPyeQmE ZQJkj5peSD6TqYYGQcv1AWhICxeK/pQ9DVxmJIIxOqoGKmBeJXPRIyZGmtW4 IR2JiapoYxwnp04eUZa5NHAS1oRmjO/4czYs8bmgOSPxX1vgLFnTIQ2okJ63 nNVGtBrSpBUdcFlikNFfFzHvKGKlf8rU04D5JBmtPFXy4Fct976j/BssppB8 XarcDkufcOSYQipjZldFy1QsetOSCtmQh5asJF0r70rYZEwx+y6jz9ZnrySb 9VBz2oVNpT1nGVTIGnOPfvVcNXhhMMWnWRG1s7xS9t2qmCHgMYKc0xT1GJYF kWa+blYASKogqWmE2rm2YQNaGSJrmD+P28cVe+ye5ismxt5Nbt4S0BFzHjyW bMd01OMgAZ3hEVstSaMV6jkh3ddx1Mo9SFT1K+sfpRUME+FsVgzFqisOFWkv 1oHCvJ22kVEPVOl8Ae1oYJ0UyKTkgXTpSO4cY9CSAZi1cswyBhFUCmvC1PeM 2/bp6kwIloK6ls3EFT9v+et85jKF7OdTMWlWAtA0/GNXmwYioDN6bEKW/Zot YqjkJ6wdllZI9PLZzFhWmfY+i4BCtlzA3SWMEs64jScacky/YsJ0C2H1LP+J 2UNDiJTFhq5y4JetROiMPmHV3MzjRafUw33WDlT0bzsqF4sNwaR1kimkAl0H 6pFdVEx68VnRLJFTT/5KajodcYFyJtstAS0+TCZnhrSePHqZKtYpuEyLdQm0 kH9VqeOMWWVavrjMW5bicUpqSWgk2FVnOWEFbKcA9mVmuKleOrB3JF2WgTww rpKWUVzq3N2U+Zk5K5gEDUyKc4RNqZBxSPd+pFp9MntEiqZDVgqrZD9PoOq0 C51U4bzD8FPEIq+c+onKhPTYcyOlG6eglWoq5Jg8pq0nOdvkugVd4pGjK2Uy hsPKVGehS760mVvoMGLIphkFw5EOE3F9eksSag4lPUUh/b04YNj2mGHdhNyy ZJGjT9ovmGyZMrfKZbunUkXnmQ8/u3dVTFGyixqLL0LGzVUaocuqxph+cpv5 e0XQrh3gvSeZ7kXjNgnbEa2hklHvVBW6sjo1dFtJI0pGpPQJ2wyFu3TRqEYx Pg3hShVoM64Uuy0bFtcUkKf5NIEdJkcJGpS6c2DKDYvAYiszaRVlZj5Q/PnM /lKabUzVWpV6AVAhm6pJkk/J5Pyo1Q4r8nX1UMACAZWSmjPTwGavJ58VNJlq gMP2caaTuaKPV8oYWR0jjRdcRuQLkTgVUzFdUmtO7lE4rVCmKm126RwGZxZN gzpJHGuuW1Y6G0HKf2KmBxibVxZxxtIej9XxckYGXkNW6ycsHAhKbcU7VDxm OO/o/JyYFc0pY4IlKchWSeAee6QwwOGwvMWkuIhpFeKZZ11STJ8qrtJmCmJK Esa6PiuJlGnQas7DAg3VqU8aEFENrpTZ7jSZQmz7IFXwzMkxsz4yKsCSU+QT K1Q5MzPYY9WpgJaCtA10WB0Zt3LMJFLJ7nMZuXRBn17KNjgS0ePOM9rIIf1C 0BvNdNyYiW2SOcCsVJvYIvphpUlJxesD+gClBUrVqgmVjETyt5ApnQ4JX6SG YrZ0CmXUJLExj95CM7igkiqlOiMXWOHiHOV6YiApYqcOyXFVlc659nnOm0L0 ezhMO8QMFeueEhK+pCuEjA4zxp26bW5T0rGgWkYw+URCfvS7OpXuupAzOcGn tPLdVmViwoIXidonultCxdSdgi1ZHDqfK+bO5SS3pN1pxGHhpBS+0ZbxVIqg z1QTtmr06L7wcp1xl1ct1chmSMJlbQhOUTHSmik+z5wBqfJIRdcq6bPN2tW4 kaMDKEB76eiivI7MzsqVPUIflFQEuCwN8Ft9C1WjgJBRmILmRslqNZ+pLyKU K/rGSzYPYTGUqZwI78rZ4y5hzzHl+mObhVTl+dhNIrHCkKKVnidHI7tTZU0R CwFicnsx9l26rFNtHQTUN2ID8gl36yh1lD1aK1KZ8pIVmeaWuAWcxWcKomkO KH+RNNhkH6qcGl1ItJEICxMmS2prkuTMvl6mPh+wyNdmMCKmW69QGU0sy5Xi OEfnD9tMPgz8VqqS6kdnk1/59CUmbIAmPZHYks4hjfgsvlBlOK3KxEK3mK7Y oMBhTXRIwi/Yk8SlCwjbloarVPJNCzqk2ZvTD6b81Q55ZqY6HrDpaEKXqcOW Sm7aqkwsVS0h6z2hNSV0kKrMEzGN6UHNqBWnuY70mdaE1Ec7NKAonoRJ0squ Uu2cjJS3TTXPSdhHyOzZSPM2oiquomlhqouRS2bm2I0Pp6KJWoStqg0xT1g7 FrDZZsm0wJTN90Q9oz/fI4cs6d6RnIQ2u6go0KWjY6iz3KUCotAdvyuW57tK GLFko5UsRMFRsgAho2TM2QHPVhpRoKs5BAJMl1WSyBSRCdO/g0jjm5RNsQ+M w+LQiIpiyUL+lH0bzPY4CdljxRhcRtStaP/mTKzySIwVq58iurMkbcNYXTmo cyYN+uzH6BdNP2EifEyq8ehCCZkMHJr58yolnt0sCwZk8RgUgFTlujCVt4x0 XnfExC0zmJixSDlhFZKEolKBsMofljg+25vgLJJxytq0iPFKMyrkMqU/YidM 1QLaYSmf1Kwx1zRpnNuKh5ieUkWhJZWKlA3cclbMeczD9MnBMnrIM2ane14r Pa9gEKrKdIFMSawI2LYFEKjoNA5SnRqasfuHmaZVscYziHUb2JTtYpTnxGM0 MGe4P1JFZ1RQQ9NnxVYGAV3fTqTNkMrWbRgT+kVjlbvOdtBh3HL3xYzVSrqp 8pAzob1gaDhTjT7oeI+UEUTPW2JqlVREY+oeSvHwmReaMh6tMlTFmmOlrU+W FZsGeEXnA7VxT/X+ZXGNao+gNFKHHCbgdfhBq3Ogk+jmisDVlIkE0neUnvCS UR6f5W8u005iIpjZWSjKdJVBxdbEWal7iEX812e7FWmyzfbOLoN9ZnQgYaaQ w07mJS9aii+oVHtNn6KKKXlSGReyi4LZwy1i8/NQFz5IS1gmz/hkuardhypn kOYM9Owlpv2ucrpKOqKZxu+xt5jUSaVEcnYHApNXBp0btzylIbtoFixvd9nc ddrvVHUUT9lBQjW9UQmQZnPdiu0QbUfnUduu7onhqapqpuTFTEGJmCiVZ60k cI+c32ODuJQhGPFPsrlrzO5AESV4xZLMnEl0oVlyUpGTsy7MYejHJ5MPaQdJ 8JE2keTzRDpKnhusEhqIW+kiqYqNm1QXdJfuiFgpyeTANsNSqi+BGQWOaBuq 9GmPcZOULdAjBnFwI7ZyqrBg045aq6d0r5UU7pLpEemDi2CiM1zaelOld9mQ OfZbhcxSxUxx5jE9QBK0VNN11b+UPdZ8lif7tG1zp8XnpXUbAwoha3yk6WKh WbpNL5ynKtQy9jYv2KbG2LzDIpGEiTEVtWXpocTcp4wOB2mnE2tlMmFjkNKs xmXuUMZ8p1D1tnKEoaVUUUraIBETJlUbutJthfNiW7ceVUWgkerXTapJqUgE bNAkgQ96uW1KW1Oz8qjAV/Ty5exmWdCPoawnkSx0qthkoQWbcM6wruiqkFzs 6fZTIWM6CcudHLr9HcYpFFONi3ZrX5b5+HQuifKjqsgd1qGz2ULO5jAe8yql Ai5s9e4LVAN57ipllnXGhDGvagiNH6rmsQ49/GbpgWQMqmA3y3DCTGeq+Ow+ l7HaUaXGKUswYYKrGVBT7coD5v8ntHNz+nYiBgED6o05o0sRZYeZ2RiyDk5c EOz8HDG1TPoYE3l8Nqv0C90KUhVx5GZzHkaUCia9ZGwRoCJ6AeMpEkwMdHlg zlzcIGk7G6mGqbYMDtteSSMvuv58lqiUNBCSXLdVLPKWMVIwtyFiQySHskYi hrluba3bOjH4Ll4IMurMjALTXo7ZKAy6XMVAqiRU080VsE9IHOpWjQ5zs013 n+qqqnqkgECSSLdqzOmxLAi9lCt6VFrytNXO2iXCB7SCi0g3q8npiPaodVQ0 skomisdMkzMToW3FitmxWfInc762w9EuoLTQBXE+Y1UuBa5vnp21ewUTL1P2 HvTpsVepQQF9HSGL3G0GucKoFUy0WTSdqzR7laZC08BhtUUV6vJhV7Woddjr 3qxEzmSrIWu1pFlBzuZpbFeLXytV962SzNnfLwhaRZ0RlYeCMceArWgrOg2k usdn+zImrCaqZIwO8yxr83lmyNhU7Sq22suU85DxI4kph6x/Z6eRLGpxG8kM YS9HW7nBaTAGrOVX3VdiXwsLjxFJFTyaIa0j34rKyreNpAoBmA8cJLqiPGfR OlhoyRxvs8TMYVpXRo+u6+vm80JobmNYOSQ65bdUPTBNkqGbImQ0IYt08x9J sPG11EjZydBm+3SPLN1scyoXyoKIgPVlqgzKZ2pZROMo5wwp+1aJKzVo5ZCL Wccy55ztlB2KM6fp2pqycw4EepxpPhmGrQ6xCfsYAOySI8SqpZxtCopQR8di JtqpoJ7DXCmzPq5iraVXauCrQFhMx7XwTGYdKGcguFzG4OZcIBUQcxlklGI3 oor4IlL2eGQHKp9tiiXhjfEF89U8icoZUK5aGsIFu8uWvk4eK9l6pWQ7i9Sf t6DzROcm+ex04XFR1S1N+hGxgCtglFxyJumWnMuvU21pK/oDK8aVlJdPwsps uSbaETtyiIc5bSmlyhOeqHK2VAzPmD15AoZ3HeK/R5+DZGky6dSUcR4FmUed zWNaUa6yxcjicpqfBdWqmBF8z29lsOesSgjJTwTZaL4p8rEp1jPmwaqCJps1 AmE7CiwvYQkZWWAyNsBYsFUmbP+CNmlIFUJigqw1Nn1WgXIvqzfCsHLZpps6 UbEtgkXOy6YTKUu5zYbSMbNNMiq9OT3/quhYpBU9BrGrveJSSUTV3czq9FTP /4Q1O9TcklLnHxYMNoV0j/sK+ZkoZTobS/bZSFSyTaTZeEa+VKiyBQYHXWJm STe+GVxwGa9xCZOA5kZM11yq2lcyxUtlS9q0oaK0FdJKKBzjQncHBatJiDAV Fa2MPckBcI+8LmPtvNklVb3cATqzrdIjGaoO09nbJ43XZW5sHchLIzd6R1v6 dZnb28cvjzY2em/L497l9nrvePv1K//Nx9Hpp/XTw8vgS3TVe3M1qUbxl2f9 rdcLr9Xs7GxtX2186T1fP959s957f9T79OFw55V/udl7v/nm1atnm703r96/ e36Wf9n6uLOx9bTnvN7aOL5MX50mw+LdznHntX21/fL1wdGrQ+focGvr+uXR 1vXes53jV/bW5bOTfHfn46urnc0td+dox975uHX9Vj77ws9s+azDDz+ub+y8 qi83XnHVp1uXz5++/ri1t9O75Irrl5dPXj99cp2+27na/tI7Ubsd7Tz99Pyi 88F782X7ye7O4Yaz9dremry2T9Z3+vbVzseTL9tbu+vfeuVs51vvnJ08P/z4 /sv6yc66LbspNo9fvV1fP9p9e5R+fly/OuhchQfX6VH8Mny593L7Xf0hOupV ssVnhztbTzd7b4+Nh5c8u9/hwwc7670q3lo/6m32Xj17vNPz1WqXW+uPL19t yfWuf+y9XD8eHJ98Ol7/8Gpnq3f1avP4JLzq9F58Pn5dhJeXV0evvlT14cHn 7avtneHk85fH+ZvwXXRQZZd73uOPb0fXzsmVX21cva0+Dz6MXnnR5+3L1ycd +2j/5cnTJ2+qjwP76eaXzx+Pn376+GEc7b47OLt+u+1Ul77dO7h+9epDfvQ4 fvvpQ+rvXwT1td0f1QP//aRzWJ6H47MzoNyb4f7l2a97E/vlh0+Rf5C9PHWf bYx/9Z4fh/7b8/cfrz9dfLkKg8J58Xzv+Z798nV0GX456zy/OKmvP16cHJy8 efx05836q+frX84PBh9P+jthPYwP9wa/RpdX6/XR+Hk/+jh5eVU+P3v+7NWv 2ehZP936uN15fv02rj9/ST+/CJy3g8vn2yfXvw5ejV6+O77cPny9HW4eelH/ 6PzLkyI6D6Ln5bMwuzy8+DC4fOOU6+/OJp0X59XG5XXP+/K53s/2xs/3qp2R /e7t+s67eN0/Hm6/GT159cWOwuOTs+P9Ufn4ff75+NVG+ebi8cn++stnSeeZ 93jvRTV6827v19enF9nl5rP4efXrtbvbTzfTdDRJP/jvypO3n0+dJ5uXH9bj 67efwrfjZ+dF/GkUXD973/l0+bn39MNVOXGfVE+eXqe9jRefj7L+0170dvPw fPjl7TDbGX25+LQVHHlvzj683UnsD+6Ru/smPf8QvOp96iSPH9vR8cmzj6/3 viR7O6Fz8PJivbfx4f3nJ+WXN79Wn/b3Nz5+fJv1P2X1my0fzGRQvU8GJ3X5 cmt38nLQee68r147p/nzvavP5WFdpBcvjvZ2P47L2nvXr/vvne3i5ML7FL84 PdjYdOo3k5de7yo+Kre3riO3l5x0Xn4+G/pp9Xgzq4r1PMmvL6+ePj/fBFeZ PCn65fbr18PqaP3D4OP6563j4+EXZy/aenFSnpXxuvd839nv9J4fH0YHm8MP 8W7y5tnx/vXT4nGy/6L34qq2N/fPqqv1F0+ePXl8erLt7W2dl+dJ+Xg8GCT9 zM/D3bfVi477wnXevKp318+eHQ0PPr99eVq9r1+F++tfksi5CJ3idPvD8ePs cGPzdTS8sl8kV0eHB2/WL989f7YzeZW87ETe8MKOy6Q3HId9f39351V5mfhn wdXT4w/e8TM/vzqb9Ovi9fXWefrqyf7Hw18Pk73B81dXk6h8WpRl5/P2yWX8 buN0683by4NB0NuNXrx69/yJe3HYK57vTq52/Kf+wa+P62r48fD54eSlf+qv HxevDh/bm4/93fJV58X7t73g09h5++V5Pbl8nW9vVMenT8peEL54dx0823Pz px/fJZefquij827388Hxr2/PPz598+Xk6Vl2ffTru87rd97OfvI+8N89u3qz bVdHX3Yvv/Qqv+dt/Ppx+9nJu3f768OXQbz/dtj78uzFqy/ua3/33dbb8YnX PzsGMZX/b5lmtsMsk63nc67iS+fQ+2/AzJGiiHkwYObBZ8zzPLPV9x66e0tR kiNjyrWqKGq963mtohBaM2zo0zybPwsTAgdv99D2dPYIMmopof6ea6IYHewR nK2+WX5Bly79vvP6/JmGD/glmVfkHmXGSbhTEIi3f93m7yWVbzXkWStlX9aV xNJJS7B6ciw+bTy1hxso5UxpVyYwWlJCmCl69HbySPdockfQ3XOLi2519OCv UjEuqkUTtjUEx/QDUw+o5V/7qAk7edMxcG4STKYlMfLYFsU4C8nsMI8tj6Yx bmWuMHryJ/Dp4FuiG2LjUDlqZ3OAn+Dw7LrmPQCXl6PijOA9CrbJ3YGonlcd VtcvCV5sf5qWhBprqzjVVZM+ODkeF3/QRJhzKHSQwqOAvf7qP/iDxxGlEgWv nnBY5lZEieHXvBjLqsCNO6LgE3nT9s7FHjFSpwej2sQc4iuHOfApKPNG36Te St96etHg7NMvXr/xeg6GyX4n9xhFUNVrkeGY9UyqMz1CXfbpVr5rzUIFQoc6 iVn0Kb7R4Hs1Q//wrpo/ERoh38KrVFajMknI+bqjqfpWsB+fIRCsD8ylAln0 FHDDei9mnT1qUFwUzeLYzVFofF2RQ/LVQqvGZVKVXqKS9K/hnMliWkc8dpEn 4aLO4nRgJH52T8ZNXNRno0HupqnF5BVb1Zw2QgVb1ebfos26yqQgmT8qyVQV RlCGzNB/V6IXQPmTGU3yC/xq5l/rIzY/5zUx55N6/yzvnplPzbVqREim+7OV bat9bd3W2Ak2DzfVUADSj3hkcx6sYu7D0w0zPuVYUbyi9HVznCpW+cpmpwC1 bJDQwUU4DWW0sDksxir/hgQHIH0Id3xwOHF2zhu1lMYYTFUPPiZz0B8qXCSf 6+dW9e/+zO+XUluQKvaljoV3x6A/GJDPxZVIiHd+tXXnniGZjPcCa6nZgy1Y gluRzYooBblxV4tCs6H/sJGtXg7lHEm+dgsgWEe+gh32G0EI88rPK8ASA9cj WbBfHmJBv5DWKY4dOc/oEk/F8t1kla8PyeZG8hfWA7QKN568savooG4TXWSd plrTffay/cpRrnVlM15eNoHr+iFebMmUY+7zVzDv+CJMXA2Mb25f5xf9uwM5 NlBLKCuKUehr7b2Gh/1LXeJcJRIYru9zgo7svSgGyDpXs2ANklEHkE1oxxxC 2b+eHN9MuNaDDZ0J6ouCPCKcpiMM21Q6PDf7DA8HZhnyvpGgHMku7TeOMeDe QZpyYSSUQ07JwdQjd+pjIFU9r+QLasWePb665BjQXAr7jjCfbvs+G5UbIaFn pHIA+pBP9Nx2/JKSpvup7A26mtcOufMZ6oLsuXf4u2KW9JDLW9B4y7sqTwhZ 0XgQbT6oCtS5A0FuEuM6zz27cq06dtYMY1JaFMF/7FvNQ1kiboqHZ2qyW3KC C/PtQ4SCuCcl2QOASzQ9vI2zVu1Arnbz9WWvuKE+7RocRo7daFLhL7zy90Ni Q4TDkV/eXiFJMwKCH1w7ANsWJFO/ULvtT+br0TMvmTPJpl96PA2NBUq1J14I tBfUiSthXigkkfOlz61VOL1ctAJEbRzzTB/KoqRfjRuPDlwP0fC7Bo1Sn+x2 vKILd3U3xMW5lc6Tk4drIlImcLoUm30EKObUrf4jy8/bWtP79X1F+uaJupVb B/+uqs8xJUX5a0BujD5l14GjDP0yZeo/vqOwIgSsLYsyHM9KOmVsyvX+nm2n TDOtge/4dcj7RWea9I4+1G4ILOJ808R2dZkpXFJgWRsqgdflQyDJP9VJkucE q84SCVrtMLJroPfZuC8ObKsPtYo/+kx+sV8LC7TJPmzuKiHgLAds77Esd26X qP1Lsy9z2lCphVu//IVJ+94/8DP8nh6Mu0LJLitZYVaWPnigUSq1Hw0cwKsa p0ZQkPuiBW8iptatq6BT04QZrj3C4RawSH7T2hQhLy0fNWXWvP0OR3zQ0LiW LHByn0IvV49RWKmuUN4C+fYydteXmnegdoyoBaAw7a+N5j8vaHKM3y4Uq5vv WDBNdbwDZ16HE5h/Lr5PNGOB+lCqcvEQM84ep8aCeujTnj8xNxPnzAJUv53Y kx0lLZr3XdDwBYjRMnErAckLJq+EwtO7+FtiCkPcRt1vAt2ioP7Ib6OKjXBX clXda7oGafM26R0hLgKYXgyCrC0voNhB0nnZJ377wqTNyAioU+Cep0183GUO /BaC+0Lpj3Px4B1ACKZDRRkvgM96j496GFf/9G72DohEFqVt09OEtDSVQzhS so9c4AJXOV6LhH22rZoPWnrU7HNhowk8PrJO1+/68J9Lai088pts3x/mgL7B jhfqIQz1ypaiQ1uHPtQbDrrdMjbCLS4fbm9EIAERbq9zSakaK1zNAqXjK9L0 4E28BKwCVTIU/Upis6EbWXo/scaIlcXY7njyhvOLE0Atp0th094kkfG2J9uy p4/RpjlLIyoFlB9/y155jN+8S4wpcr0KzOR4xN1P3X6Y4KqBVwcnyT5WZZlX byyTr+7UZr+YPRKE11He6OqhFu/KvygxYiH8IIKfei93Rsj+s4T3ApRborTp Y7kgYpnfimQFvQiazfX21hvpUv5rVzV4vg2543lbdgiSN/nHT8Zz/MrB21yA 4kb80rniYqOkE98qdMSXJNv9YMrDJyucr9143BRhXt05Qk9+bJpZ9eJBj1La Cz3lgNOgRXRSlG4L1zOHxXaqOMv+wCccJPf94utiHXP9LjRmyMfS8c1VM54y txgXiP1YnwAw+YtZMnvHWn4ZbVWHwRAxohQOw92bVD5TCiM3HJccnn/j0Dqw EVVlaf5mfVFZ3wsCGEX7hdO8ZmJBJb9uHt3EEb2WqbbeGzXkYmIo0GtURCn9 veBpiSAKtZKYOIZME4oGxYHBJuwPadvcpB88B+andtotmGpjOxL3t4T8JrHN 3njQqX1pUTtoSP6GAuUaLrV6+4QAgIZ8wGEgHC2D8Z8oFzz6HOU8uKgJC+5s BntSUbKAkxbOz1i2kG3ajO/b3N34tX+QHFDsTKdoSHNi+VgC9jtVfl6obbEi 3aXEeIu8iLX+XNLjF0F8CwwnFfgEefXOuI4/HYyAqk0d3sRcMAI/jog8OyjM c9KVaHlvlqN1ZtyJ0Uji0YTzE91ccf1xLIojNXfbJB6zAqPDUGCJldCH77b3 jGqdJujPw8lYIvJk7Fuzz4HpNx4wZ/mheLJh+M5S4PD5wgKI2xrwfryM9qQ2 Wb9Xh2Kxz5mBED99afRdSWeMg0M+G0JKvaQaUwPHLdbSQRXxXbypO0vmH3AN xlpKrokKBD4er7J7JyWkTEcj64OhdEHkypYqiFgMP7b6IrZMTXBB38PeSsdu emdAoQcBsqOE+MW7/EcS8c306UeCQHAd5sxZaoSK6eZXKSUzVQ+fVako0R/b K5UoW5kXCJA+1a816B3tkZsPujJTMICbnLmbnlhzz+NWNWVfRs1kBZ05+Afa Fm3Rkj/7m7RbYgkcMXJNyfWaC8/OiLcYUlG2ezKppFezIV+So03+MO8xfuj8 gNmlM1bVTryRSItjQ24biNdnzUtNK6raMIXjK1TOULTQRMqZImPNmneTMKTv OWP27kYiEqyiS5n8Hk0tfgDJAphD67FZ0fUtA+WkP+mLkOebCK7h4RNk75+y nKnCpvEOaZOOn8UGMaxZMEpkNof6QqUADmb3XNxFuNdvVafHJpzxSCUL70Vh XCBUFJ60J5JfNFSsbaAT28LBYb8RnBk979lugFXC5C36rU1fUCWEDZb+E2Sy JRhaeZ0QAw68RCoy0ZpnD/3iT4shWk8Tls2t6M136gqsizaLybuInnodvjah wHl/stfryHIxRF6N6aO/0FnRbV0nUbihxXu3QUqioPeibxI8gDYTz10aNtV4 IEEgpMw6JfSTBki5d5Gl41/yVbzFxidHTMBmgerBVFLSJnfpcUPS0QFQHrYb 5ytVNYkQyDyLY1V4GYdhucxJL3XGHGbh+BUeNYouqeGw7aBUcgi9m6eGIB74 pPNKILHMwi/ZaCebuI87F7Y0btzw3HkoXJfhHry9SxSXM6Vu5KcmZbMChSmL OvCiBWLtM7FI8fPPWK0qy1j6+VO+K6G75MD9ztTngwkUEeHpiin3+GpsVSTI eEYrGXWlilwBF+lArSBI0WbPrVSGILxDg7v9EB226mWRqen207cvfAKXUsq/ K8mJb4/68cKVWF/JBfKYfBPGerTxqxepbiB2JGhc+FpS4SqPhfVZub4I4dIL S9LwEOscB0/ec7nZfJAVVgzIb6vtCdLFBvibMFsmRq+447Cdv1B4/D3uubI/ 60p/Bp+bTY0iTvMroVP6rkomdvqAAYwJQqSdEv2oOuPFef1Cofy935z7Iyuf eVWo06cwp0PyyKkNQbVjO+nNumVdR2dt+2zlX/lFSVQlHhqfjG+TB2kG5Wf1 ++paZodaN31vmseqfVjI9dOMn7xWSVn1+YMFfY5nImB2nBjUg7sWiO9tBUSk W8VJE3hvCC+W/HhPdcsjaIMqBIoZ1//+fDVUeFDRcj8T79kBbjcRmhdrVT/q VcLsyDbLgByMRwdUSK32RyCVQmzDyf5dOm97L3N7AI3lEKOU2wyVBcBO3b3S qPv9VB4OFKhzMg2Eg3MlMmc0sKhEmNpVTJdf7/BlwR8zFTy7ob2+3EK3KUEA 50Rsl87uS2kbfTpcAUb0ZRCNYn87Ubiw9n2DrrMVhdgfrcmb8zy5k9d/B4V9 yCiIAcvXVOexae26dL91QtGFegluLvO0LtbcBlrFMWL9mzbrma2dCrJZaGkn Hnl2UZIUNAuAuIWBiBVp8dR9K1PeUYxZ+XLf+a+gBW/sKn5Fum89FH33OWX7 60hYVp3++R+s6FVlCmhBs7xPxvbcs3VP7iu15AMMbnt+GZSvb5uT+zvUkZNA 9yUfplgVqlhC9gOiYAmG2hzg83nNejkpHz7mkN9Tkx6iZRbw14QkRv5A9Ajj oL87uEtk3dAb1YCOPq2r1LK9JqUNwNGfxXF1dimD2LkfHnszi7zXBKpZnKQz Z2+xMdXHHPytz7f4uRcUhNCua8FM+8iv3xfojlerfniFTtBeGe2+0biBGz6h CdlS71hBQviInk/1DOUG6xZ9lhqieFg4q7+6jKYmQG3v9pxCf+YpPTafapxi w7e6L7lWyvobm5j/Ge0cx8sJUc8ZHaNjVW/3/DkzFMTKrgDw2us9PjC11tVI RM3Bq4dF1lqbL+/2bSQyLEoMjVy+6HljAv708tTvPOoS5aQC37AB5JrKaoOV OgwS+ZZy2kqBRFq5CPL1rnVLwfJw5g57+ZU7cup0GGd6yjfvVNd+mr68fOAD vzeYEKArZ/h150TLUb4rpLAQ2MEHLLjGXH4SGmfVupF2MRqbn86RPbiOonTp +VwAPRrSV5jGUYASL13CMaTuID7s4ZBzdfpl7OfRW28aHImAJ2KDFZwEWdDd OqIkti7rBu5Kgd77Lhu40DpB20PhHCdB7wbBu5wL38k4MYTAWBugj4NavOja B+mo6RyYOT7R5QU4ytCxODlIEuMtFiIXY0GNsVWBSPKQlX3wj/fX7qQ0bUL/ UuMX26fVeBE343T6z+YSoOW7EPt2pTJruJG0o/Syk08AxY2pHAq6IshZvlyB CZlyJ/X3qtGSNBGDoj2i3YyohAIlnEiu3ps7aAsn9Irvl2URqzCzj5ZnUQti 4jwXcMe+vu51dpvjnWWJod0J4jmihasLaCl5XPSy5+2pS7++un0xWO3C1Wvy /ehw/9XKMvqyXm2HJCzraTu+Oh37/d4n2wQY+wasR/ti+ccrLv0Bv2AQKBku QpfXb9+sURvW5+g0VDNXMzx0jZxJRxWcCvSFS7/M1asaUGtvMAZH8LqbXmy7 KPGkkCR0GqLGrgCdq/34xhoxYLKoMnaujL4TRBxK4YQOt/msNWAuTVRVKq78 iGKFPJGYFsK7J+On/KyspLo2b+3WZRDX7+F4hsgW85yG7g5QeGnX6q6A+VnG o+LPQvIxTmsDa29faH55ISlas8Wa8/UUIVPxoIg303VpZi5J9fj1Ye2mXKnZ A5QOouM+AX9fVo6OBsFDFT3xN8lkQ5pGNn5QDmHi+O/DDT8wtBwbtT8LEm3j +h43EPOBo4dcxpfx8UNRX/JNn/pb8gWz7CvpCj86O66Yp4WEktPiBoZp7zZf PJucTcaonW3VGPgyCiNq5moPPq+3XSdjKFq3EluxX+G7noXb/rAutI8x6m4R P/pLgB/TBpEPNfPn8dj/WebkovUJJlgyDbRrjmvjz+vdUMurFUIq3CeW6G63 v6UVnTZ85sA5m+bNa7nsbRlkCaC+xSRQWL1jVgltG3IP8SdAK4anSGGYs2Kk Livx7Xe3419H0JfaDdUmcfC5wZbzwgtAv1qYPNNUTz/dFxG46k1W3TlSgxYg OYI22aj322MWyyf/ER/eQ2mtvSYXb+vaFKsagfsSp133Dlty0fFksl29SpRN jZipINOoaPrJW1D/sL5q8OR5n5j/Kw/xrB1uez8e0wP6GINtUuP16NvTYK+5 ovowiMOgS/21yvVtTjQBwgfJaOltRMt7Ze7dejg6My+p9xwFsNyx/LgalDR4 97bNRZMs2LAiqTH10OgbgqRENSpZSVRUhcv8KYTcTygbbGHx6GOAdeClMuf7 y8SM5gWf1iXf94tVtj1m40Qlu8rUVQwzbT/oUzHgJkqbG7oMPeLexz4aUPkE OuUXS3JY2OK2NyvYq7mrt7DL2ze883wWRrkmVjgbVdLxGQZbT9wxlxFzI+Jl 0Fb5BvTPipjfHIWZ+LVIRiN8Atjg8IL8MqyUgNwBVgQDj74swkY9nTVV3xRV 8nN7XeKvCy1A2FbrqBpRk20ck8XQ68rH4QjpsYEztvnihe21juL1a4LF2/+m 0CSsQUq1N3Jgt21vQNmwh0HpiOSVrl2KWG4HdCX1j2Rkk6oX4BuNWBBsDHll oiR8SLAypmvZt7Xl16AxIgC0Kt66Pp6WcW3Ewm10gFjLc4PlQj4kbot3ORm6 SHPn+1bfj0ssEpKOL5szsPQjVx7A06vVXRYoqwqVEkGp4fJ2SGP1widyUgeJ uHI+Shj1vb+Ugvmy0uX9vhCX8LmVIovfAIPuSQfTr9Kq9/bMvN+ouyIQOMdl tvTL2XOByfHCJkMUIaG059m0SO79xKrGmhl5/gFUXi4IjwMNdpFOGbF4OJuU LuPocsUq2hGIY9wuo2runx5s0IDZGMEI79TtUS+rcNMDSFTE1dBrJqWfePOK C/hD02dNS8Eng4rdrb/ej2Wr9kZXkXh1bAc7B1q0x8oikJZKJ4CvYyAx2+N2 voIFmj9MM8UyTF0Z+S2oAw1HQre0qkEQLO7vlDQqooLjpHTAAf5tD8oBNO19 d1h80IT5MQeVK1iX5+JWCzx9vTdbqeNAhG5wRcFmFaLbmhiBUe3zmnDHo5Rr A2D80cJMTmq8Bo1RoTApRGEDrzofTaNTOFCKuByL0rHk5E2wZC+lsc6qqYi9 cWCz8IAkP77X8AkWSyK28OgNFW9gqjQMGiKLFjFEmlc+2vBMPsOTkJvTfgzx n4iWvWQmqewAhpq2GOmACpjsZE02cBLnsc6l7EZk9vnr4nf9bVUJi/xEO5mm UNkWen3yR2lC57KhFHCQH0RfpZjFGb2ss/01R9+CQa74zZuA8bqdm7Vxx7Hn 1qHQGGAsgvg1HcE16ZWTYgUQfBF4wMJb97SGGTtD06NmoxMKTfsPg62Pm+BE blXUBjskYc4yaU3ZWospM3lPzn4sAG+NG62vseLj/sW23CxWr0PXFoPZ3XU8 pkF5xcKkTUgG0arapQ3ctkWKj1Nc+fNDs4CmaKXDnSwz4POrzvxkqRe5bOKK HKqEQGXkPaTwi3RY6LuBEecPFvuhYNTBvHdZJCwDMDWV47NRZkoPq9bpsxTI PQKdU9tQ9Wtx89dG4M7rFEjy5gZWSHrlOj7wscpi/BZyHxgVEGnKoE5WbpMn QVoUriYt+93lIHmQC0SDBZ2uMHXy0CMyq5xAMGMqSFkIB3KLfg9Ew3R0deCp 2n0PJMxRrzSx+rkMiE/RUAl9jSguuGc5gWeFcS0GV/L0DnBjFN0It94K8MHu Hb7JN6h8E+Lrdw1JLNooyNZMf5ZNu8X0Vb6QokBP3eVBg6ja+ernAUJzYva/ Kg/MxK/2aoW9Xzp15pwXP1bDhejgkOvDk98JE8L219cHGY3ExnGu/uOkAjF0 fk/d6dnGQAMPS2WmuQK58zSEUaeUv08Ty3VDwZp+4Hge5gdn7GypHQGnCBXT 9k7zHsh8UpYv2ABmjXahzDpysIpbbi37CIo5+VOuTFAuFpL0UR8Fpq5f9zpn TkLvuVpSxY9Q6XwqNzkDws6STbilVBBqro9gtJ9Ll3rIGxyZUeIB1NPQ9y5z oLoChlC6vP95uMHywMFV5nryTSADx5QOho2uREjLm8WUCyg1JbW4m9jgqupo oRtFdS8H5wMmQeWnkOI3lkMSEpnQoEwg8Gj7eVT20Ic92mtSaF+EXHWcwEcN nczomz0xIqFoHYoGW6K63MQL8CKfQqeHBHvggHIbtQF/llZpzM/pP+WwPQ8u 4LI8aXfwsVFNGFgCwpyfm6R9Zoo8RPuZdaElXExnMAokTBE3OIgs9qFKhDe0 c41FP7DF6kDd6V/7YyRvopwOQppziLkKQhn02CMp/WqQ/dlUIKgZG64XNlmg 12j00dUhUSw00jcwItbgTENBMHfQkVBMw/6dWApjQOUQ6Z+wF5whrAB+CK2W JqCzCl8cioq1Nxbag4eTSr0NtICyqI4yZj179Lj9ECEi8uVb7uvlfV3vXL8x kGfzL/R0uHEQgZfe1VOIdLvP8LY7LQ+3htTVeoJeFbuB2supqZvT4nfPgiJp uH76/gBMjktniP2EjbxttHApGQV/j1fDp28SfPekSPM8w93MCa3kdqSKnkLk RgVj/QlMedg2QJJCGlaYTYbRVltfcF1SX9/AriVC4eb62I5esLHdH/3CGzeJ A/pC5MhZw0f/V1guvkBPeyA4PGnEFOfX3VaD9XSlsljrse/IgS8NlKjWmwnd t2awBNOPZmJfk9Dg0fclrMQbSGS0rn0pqN3ljJFWrlX2Rbv187jQ5LwYr5Hk F3ScCQUWnpWZJoK/E+h5PRuu2wldV8BrwvFFMmEk+qkvbEIegAvKozwsSMl8 burKz+XqvJAYuriwsw0OSRwdbVfLy9Whr94DmtKntwttmvT7oUujdc0A9twR NdOgD8s3AltgqxvZOS+hQXA1O7HfLwi/3yU6GjvyaOIR4eXj9b3f9uzXZbJ4 fXFl/ipqqlJFROg2JVRYcV4QUlDhkedqMa4uBlG4/fszigkCQvn72TnkI5rs DcZMVooiIh9O/ONcsZvWDw1lVebfIYsRSkqsUrCuHWZoN47elR05PjAkbdlC c/edFv+nGrnQzhmWd3gQIDNjBBBpMBTGjBAoQZwwOR9qo4U24/A+pCVfNe0n FyyO+bzN/n69tGSgILI3V0ySAp2ei0CDdnJq40o3FvAL7YcB7RFIwUen/iJN S9cjA3Ilt/chcH8+ghk+vsVCDvE8XcKF+cx1b9sfm7hTtYbhri+MyvBXzDkh WhXDJwY7iAGw+2yz2MJ6DD94HX7scvos1Mo8V3OrztIP9yEzLUzOgMb0Jau3 3dHqhGVj6NdD0ZyAG35C9jrxCIv3OuFgCasgqvq8ZR99o8QSvkuosQq4/ai/ 6d9ndnmd+/9P7P7rWO9//0MnTT8cbZYWXdavC/Cf/6Pfujibs/R//i2P2iX7 2z8AQNuS8s+Q/1nL7M9DFFuybnP2J+rTP2t2rv9uqZY/6ZBs/4zy57mOoyVL /wz9n//8z/9lCSyJwtA//vGvLs8N+S/u71W25n+1UTcuf6VVWz0Btu6vJJvX Kq+SaM2Wf/zj73+cZ8A566KqT7P5TzJ02fInn4fuCfLf/p8gSbf8tYxl1SfL X2O7/Vf3qG+WP+vwzG9Ynhlvz+e8/Me/p/7EHvon4HNx/dd8n8tq/nMMc/M0 /ceffJj/dFFT9cWfYfuv+1m0VNn89z9/Y4fx+mdL1B7Rtfzzd/+K9dxa/utH /xqmzZbn+zw/ocb5Ge9vf/76P2sC/9+ztLOo/+Nsc//0/efYZdaO+db+e5X/ NefhjxbNTbP9pWxPr+rP9+9/7Ciaqz7r/9VjqdLsr+Rp6rP2T9I+Lf9azWro l78D/xvkJAbG9FgBAA==[rfced] Please review the "type" attribute of each sourcecode element in the XML file to ensure correctness. If the current list of preferred values for "type" (https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types) does not contain an applicable type, then feel free to let us know. Also, it is acceptable to leave the "type" attribute not set. In addition, review each artwork element. Specifically, should any artwork element be tagged as sourcecode or another element? --> <!--[rfced] Abbreviations a) FYI - We have added expansions for the following abbreviations per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. certification authority (CA) End Entity (EE) extendable-output function (XOF) Hardware Security Module (HSM) Post-Quantum Cryptography (PQC) subject alternative name (SAN) b) Both the expansion and the acronym for the following terms are used throughout the document. Would you like to update to using the expansion upon first usage and the acronym for the rest of the document? Object Identifier (OID) --> <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers. In addition, please consider whether "traditional" should be updated for clarity. While the NIST website <https://web.archive.org/web/20250214092458/https://www.nist.gov/ nist-research-library/nist-technical-series-publications-author-instructions#table1> indicates that this term is potentially biased, it is also ambiguous. Original: Instead of defining the strength of a quantum algorithm in a traditional manner using precise estimates ... --> </rfc>