rfc9380.original.xml   rfc9380.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!DOCTYPE rfc [
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.4.14 --> <!ENTITY nbsp "&#160;">
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> <!ENTITY zwsp "&#8203;">
<?rfc toc="yes"?> <!ENTITY nbhy "&#8209;">
<?rfc sortrefs="yes"?> <!ENTITY wj "&#8288;">
<?rfc symrefs="yes"?> ]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-irtf-cfrg-hash-to-curve-16" category="info" obsoletes="" updates="" submissionT <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.35 (Ruby 3.0.
ype="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" versio 2) -->
n="3"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" number="9380"
<!-- xml2rfc v2v3 conversion 2.42.0 --> docName="draft-irtf-cfrg-hash-to-curve-16" category="info" submissionType="IRTF"
consensus="true" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true"
version="3">
<!-- xml2rfc v2v3 conversion 3.17.4 -->
<front> <front>
<title abbrev="hash-to-curve">Hashing to Elliptic Curves</title> <title>Hashing to Elliptic Curves</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hash-to-curve-16"/> <seriesInfo name="RFC" value="9380"/>
<author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernande z"> <author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernande z">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>CA</region>
<code>94107</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>armfazh@cloudflare.com</email> <email>armfazh@cloudflare.com</email>
</address> </address>
</author> </author>
<author initials="S." surname="Scott" fullname="Sam Scott"> <author initials="S." surname="Scott" fullname="Sam Scott">
<organization>Cornell Tech</organization> <organization>Oso Security, Inc.</organization>
<address> <address>
<postal> <postal>
<street>2 West Loop Rd</street> <street>335 Madison Ave</street>
<city>New York, New York 10044</city> <city>New York</city>
<region>NY</region>
<code>10017</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>sam.scott@cornell.edu</email> <email>sam.scott89@gmail.com</email>
</address> </address>
</author> </author>
<author initials="N." surname="Sullivan" fullname="Nick Sullivan"> <author initials="N." surname="Sullivan" fullname="Nick Sullivan">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>CA</region>
<code>94107</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>nick@cloudflare.com</email> <email>nicholas.sullivan@gmail.com</email>
</address> </address>
</author> </author>
<author initials="R.S." surname="Wahby" fullname="Riad S. Wahby"> <author initials="R. S." surname="Wahby" fullname="Riad S. Wahby">
<organization>Stanford University</organization> <organization>Stanford University</organization>
<address> <address>
<email>rsw@cs.stanford.edu</email> <email>rsw@cs.stanford.edu</email>
</address> </address>
</author> </author>
<author initials="C.A." surname="Wood" fullname="Christopher A. Wood"> <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>CA</region>
<code>94107</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>caw@heapingbits.net</email> <email>caw@heapingbits.net</email>
</address> </address>
</author> </author>
<date year="2022" month="June" day="15"/> <date year="2023" month="August"/>
<workgroup>CFRG</workgroup> <workgroup>Crypto Forum</workgroup>
<keyword>Internet-Draft</keyword>
<abstract> <abstract>
<t>This document specifies a number of algorithms for encoding or hashing <?line 1121?>
an
<t>This document specifies a number of algorithms for encoding or hashing an
arbitrary string to a point on an elliptic curve. This document is a product arbitrary string to a point on an elliptic curve. This document is a product
of the Crypto Forum Research Group (CFRG) in the IRTF.</t> of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>Discussion Venues</name>
<t>Discussion of this document takes place on the
Crypto Forum Research Group mailing list (cfrg@ietf.org),
which is archived at <eref target="https://mailarchive.ietf.org/arch/search/
?email_list=cfrg"/>.</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve"/>.</t>
</note>
</front> </front>
<middle> <middle>
<section anchor="introduction" numbered="true" toc="default"> <?line 1127?>
<section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>Many cryptographic protocols require a procedure that encodes an arbitr ary input, <t>Many cryptographic protocols require a procedure that encodes an arbitr ary input,
e.g., a password, to a point on an elliptic curve. This procedure is known e.g., a password, to a point on an elliptic curve. This procedure is known
as hashing to an elliptic curve, where the hashing procedure provides collision as hashing to an elliptic curve, where the hashing procedure provides collision
resistance and does not reveal the discrete logarithm of the output point. resistance and does not reveal the discrete logarithm of the output point.
Prominent examples of cryptosystems that hash to elliptic curves include Prominent examples of cryptosystems that hash to elliptic curves include
password-authenticated key exchanges <xref target="BM92" format="default"/> <xre password-authenticated key exchanges <xref target="BM92"/> <xref target="J96"/>
f target="J96" format="default"/> <xref target="BMP00" format="default"/> <xref <xref target="BMP00"/> <xref target="p1363.2"/>, Identity-Based
target="p1363.2" format="default"/>, Identity-Based Encryption <xref target="BF01"/>, Boneh-Lynn-Shacham signatures <xref target="BL
Encryption <xref target="BF01" format="default"/>, Boneh-Lynn-Shacham signatures S01"/> <xref target="I-D.irtf-cfrg-bls-signature"/>,
<xref target="BLS01" format="default"/> <xref target="I-D.irtf-cfrg-bls-signatu Verifiable Random Functions <xref target="MRV99"/> <xref target="I-D.irtf-cfrg-v
re" format="default"/>, rf"/>, and Oblivious Pseudorandom
Verifiable Random Functions <xref target="MRV99" format="default"/> <xref target Functions <xref target="NR97"/> <xref target="I-D.irtf-cfrg-voprf"/>.</t>
="I-D.irtf-cfrg-vrf" format="default"/>, and Oblivious Pseudorandom
Functions <xref target="NR97" format="default"/> <xref target="I-D.irtf-cfrg-vop
rf" format="default"/>.</t>
<t>Unfortunately for implementors, the precise hash function that is suita ble <t>Unfortunately for implementors, the precise hash function that is suita ble
for a given protocol implemented using a given elliptic curve is often unclear for a given protocol implemented using a given elliptic curve is often unclear
from the protocol's description. Meanwhile, an incorrect choice of hash from the protocol's description. Meanwhile, an incorrect choice of hash
function can have disastrous consequences for security.</t> function can have disastrous consequences for security.</t>
<t>This document aims to bridge this gap by providing a comprehensive set of <t>This document aims to bridge this gap by providing a comprehensive set of
recommended algorithms for a range of curve types. recommended algorithms for a range of curve types.
Each algorithm conforms to a common interface: it takes as input an arbitrary-le ngth Each algorithm conforms to a common interface: it takes as input an arbitrary-le ngth
byte string and produces as output a point on an elliptic curve. byte string and produces as output a point on an elliptic curve.
We provide implementation details for each algorithm, describe We provide implementation details for each algorithm, describe
the security rationale behind each recommendation, and give guidance for the security rationale behind each recommendation, and give guidance for
elliptic curves that are not explicitly covered. We also present optimized elliptic curves that are not explicitly covered. We also present optimized
implementations for internal functions used by these algorithms.</t> implementations for internal functions used by these algorithms.</t>
<t>Readers wishing to quickly specify or implement a conforming hash funct ion <t>Readers wishing to quickly specify or implement a conforming hash funct ion
should consult <xref target="suites" format="default"/>, which lists recommended hash-to-curve suites should consult <xref target="suites"/>, which lists recommended hash-to-curve su ites
and describes both how to implement an existing suite and how to specify and describes both how to implement an existing suite and how to specify
a new one.</t> a new one.</t>
<t>This document does not cover rejection sampling methods, sometimes refe <t>This document does not specify probabilistic rejection sampling methods
rred to , sometimes
as "try-and-increment" or "hunt-and-peck," because the goal is to describe referred to as "try-and-increment" or "hunt-and-peck," because the
algorithms that can plausibly be computed in constant time. Use of these rejecti goal is to specify algorithms that can plausibly be computed in
on constant time. Use of these probabilistic rejection methods is <bcp14>NOT
methods is NOT RECOMMENDED, because they have been a perennial cause of RECOMMENDED</bcp14>, because they have been a perennial cause of side-channel
side-channel vulnerabilities. See Dragonblood <xref target="VR20" format="defaul vulnerabilities. See Dragonblood <xref target="VR20"/> as one example of this
t"/> as one example of this problem in practice, and see <xref target="related"/> for an informal descriptio
problem in practice, and see <xref target="related" format="default"/> for a fur n of rejection
ther description of sampling methods and the timing side-channels they introduce.</t>
rejection sampling methods.</t>
<t>This document represents the consensus of the Crypto Forum Research Gro up (CFRG).</t> <t>This document represents the consensus of the Crypto Forum Research Gro up (CFRG).</t>
<section anchor="requirements-notation" numbered="true" toc="default"> <section anchor="requirements-notation">
<name>Requirements Notation</name> <name>Requirements Notation</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", 14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
"MAY", and "OPTIONAL" in this document are to be interpreted as NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO
described in BCP&nbsp;14 <xref target="RFC2119" format="default"/> <xref target= MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"RFC8174" format="default"/> when, and only when, they "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i
nterpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and
only when, they
appear in all capitals, as shown here.</t> appear in all capitals, as shown here.</t>
</section> <?line -18?>
</section>
</section> </section>
<section anchor="background" numbered="true" toc="default"> <section anchor="background">
<name>Background</name> <name>Background</name>
<section anchor="bg-curves" numbered="true" toc="default"> <section anchor="bg-curves">
<name>Elliptic curves</name> <name>Elliptic Curves</name>
<t>The following is a brief definition of elliptic curves, with an empha sis on <t>The following is a brief definition of elliptic curves, with an empha sis on
important parameters and their relation to hashing to curves. important parameters and their relation to hashing to curves.
For further reference on elliptic curves, consult <xref target="CFADLNV05" forma t="default"/> or <xref target="W08" format="default"/>.</t> For further reference on elliptic curves, consult <xref target="CFADLNV05"/> or <xref target="W08"/>.</t>
<t>Let F be the finite field GF(q) of prime characteristic p &gt; 3. <t>Let F be the finite field GF(q) of prime characteristic p &gt; 3.
(This document does not consider elliptic curves over fields of characteristic 2 or 3.) (This document does not consider elliptic curves over fields of characteristic 2 or 3.)
In most cases F is a prime field, so q = p. In most cases, F is a prime field, so q = p.
Otherwise, F is an extension field, so q = p^m for an integer m &gt; 1. Otherwise, F is an extension field, so q = p^m for an integer m &gt; 1.
This document writes elements of extension fields This document writes elements of extension fields
in a primitive element or polynomial basis, i.e., as a vector in a primitive element or polynomial basis, i.e., as a vector
of m elements of GF(p) written in ascending order by degree. of m elements of GF(p) written in ascending order by degree.
The entries of this vector are indexed in ascending order starting from 1, The entries of this vector are indexed in ascending order starting from 1,
i.e., x = (x_1, x_2, ..., x_m). i.e., x = (x_1, x_2, ..., x_m).
For example, if q = p^2 and the primitive element basis is (1, I), For example, if q = p^2 and the primitive element basis is (1, I),
then x = (a, b) corresponds to the element a + b * I, where then x = (a, b) corresponds to the element a + b * I, where
x_1 = a and x_2 = b. x_1 = a and x_2 = b.
(Note that all choices of basis are isomorphic, but certain choices may (Note that all choices of basis are isomorphic, but certain choices may
skipping to change at line 159 skipping to change at line 167
including (but not limited to) Weierstrass, Montgomery, and Edwards.</t> including (but not limited to) Weierstrass, Montgomery, and Edwards.</t>
<t>The curve E induces an algebraic group of order n, meaning that the g roup <t>The curve E induces an algebraic group of order n, meaning that the g roup
has n distinct elements. has n distinct elements.
(This document uses additive notation for the elliptic curve group operation.) (This document uses additive notation for the elliptic curve group operation.)
Elements of an elliptic curve group are points with affine coordinates (x, y) Elements of an elliptic curve group are points with affine coordinates (x, y)
satisfying the curve equation, where x and y are elements of F. satisfying the curve equation, where x and y are elements of F.
In addition, all elliptic curve groups have a distinguished element, the identit y In addition, all elliptic curve groups have a distinguished element, the identit y
point, which acts as the identity element for the group operation. point, which acts as the identity element for the group operation.
On certain curves (including Weierstrass and Montgomery curves), the identity On certain curves (including Weierstrass and Montgomery curves), the identity
point cannot be represented as an (x, y) coordinate pair.</t> point cannot be represented as an (x, y) coordinate pair.</t>
<t>For security reasons, cryptographic uses of elliptic curves generally require <t>For security reasons, cryptographic applications of elliptic curves g enerally require
using a (sub)group of prime order. using a (sub)group of prime order.
Let G be such a subgroup of the curve of prime order r, where n = h * r. Let G be such a subgroup of the curve of prime order r, where n = h * r.
In this equation, h is an integer called the cofactor. In this equation, h is an integer called the cofactor.
An algorithm that takes as input an arbitrary point on the curve E and An algorithm that takes as input an arbitrary point on the curve E and
produces as output a point in the subgroup G of E is said to "clear produces as output a point in the subgroup G of E is said to "clear
the cofactor." Such algorithms are discussed in <xref target="cofactor-clearing" format="default"/>.</t> the cofactor." Such algorithms are discussed in <xref target="cofactor-clearing" />.</t>
<t>Certain hash-to-curve algorithms restrict the form of the curve equat ion, the <t>Certain hash-to-curve algorithms restrict the form of the curve equat ion, the
characteristic of the field, or the parameters of the curve. For each characteristic of the field, or the parameters of the curve. For each
algorithm presented, this document lists the relevant restrictions.</t> algorithm presented, this document lists the relevant restrictions.</t>
<t>The table below summarizes quantities relevant to hashing to curves:< /t> <t>The table below summarizes quantities relevant to hashing to curves:< /t>
<table anchor="definition-table" align="center"> <table anchor="definition-table">
<name>Summary of symbols and their definitions.</name> <name>Summary of Symbols and Their Definitions</name>
<thead> <thead>
<tr> <tr>
<th align="center">Symbol</th> <th align="center">Symbol</th>
<th align="left">Meaning</th> <th align="left">Meaning</th>
<th align="left">Relevance</th> <th align="left">Relevance</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="center">F,q,p</td> <td align="center">F,q,p</td>
<td align="left">A finite field F of characteristic p and #F = q = p^m.</td> <td align="left">A finite field F of characteristic p and #F = q = p^m.</td>
<td align="left">For prime fields, q = p; otherwise, q = p^m and m &gt;1.</td> <td align="left">For prime fields, q&nbsp;=&nbsp;p; otherwise, q&n bsp;=&nbsp;p^m and m&gt;1.</td>
</tr> </tr>
<tr> <tr>
<td align="center">E</td> <td align="center">E</td>
<td align="left">Elliptic curve.</td> <td align="left">Elliptic curve.</td>
<td align="left">E is specified by an equation and a field F.</td> <td align="left">E is specified by an equation and a field F.</td>
</tr> </tr>
<tr> <tr>
<td align="center">n</td> <td align="center">n</td>
<td align="left">Number of points on the elliptic curve E.</td> <td align="left">Number of points on the elliptic curve E.</td>
<td align="left">n = h * r, for h and r defined below.</td> <td align="left">n = h * r, for h and r defined below.</td>
</tr> </tr>
<tr> <tr>
<td align="center">G</td> <td align="center">G</td>
<td align="left">A prime-order subgroup of the points on E.</td> <td align="left">A prime-order subgroup of the points on E.</td>
<td align="left">Destination group to which byte strings are encod ed.</td> <td align="left">G is a destination group to which byte strings ar e encoded.</td>
</tr> </tr>
<tr> <tr>
<td align="center">r</td> <td align="center">r</td>
<td align="left">Order of G.</td> <td align="left">Order of G.</td>
<td align="left">r is a prime factor of n (usually, the largest su ch factor).</td> <td align="left">r is a prime factor of n (usually, the largest su ch factor).</td>
</tr> </tr>
<tr> <tr>
<td align="center">h</td> <td align="center">h</td>
<td align="left">Cofactor, h &gt;= 1.</td> <td align="left">Cofactor, h &gt;= 1.</td>
<td align="left">An integer satisfying n = h * r.</td> <td align="left">h is an integer satisfying n = h * r.</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section anchor="terminology" numbered="true" toc="default"> <section anchor="terminology">
<name>Terminology</name> <name>Terminology</name>
<t>In this section, we define important terms used throughout the docume nt.</t> <t>In this section, we define important terms used throughout the docume nt.</t>
<section anchor="term-mapping" numbered="true" toc="default"> <section anchor="term-mapping">
<name>Mappings</name> <name>Mappings</name>
<t>A mapping is a deterministic function from an element of the field F to a point <t>A mapping is a deterministic function from an element of the field F to a point
on an elliptic curve E defined over F.</t> on an elliptic curve E defined over F.</t>
<t>In general, the set of all points that a mapping can produce over a ll <t>In general, the set of all points that a mapping can produce over a ll
possible inputs may be only a subset of the points on an elliptic curve possible inputs may be only a subset of the points on an elliptic curve
(i.e., the mapping may not be surjective). (i.e., the mapping may not be surjective).
In addition, a mapping may output the same point for two or more distinct inputs In addition, a mapping may output the same point for two or more distinct inputs
(i.e., the mapping may not be injective). (i.e., the mapping may not be injective).
For example, consider a mapping from F to an elliptic curve having n points: For example, consider a mapping from F to an elliptic curve having n points:
if the number of elements of F is not equal to n, if the number of elements of F is not equal to n,
then this mapping cannot be bijective (i.e., both injective and surjective) then this mapping cannot be bijective (i.e., both injective and surjective),
since the mapping is defined to be deterministic.</t> since the mapping is defined to be deterministic.</t>
<t>Mappings may also be invertible, meaning that there is an efficient algorithm <t>Mappings may also be invertible, meaning that there is an efficient algorithm
that, for any point P output by the mapping, outputs an x in F such that that, for any point P output by the mapping, outputs an x in F such that
applying the mapping to x outputs P. applying the mapping to x outputs P.
Some of the mappings given in <xref target="mappings" format="default"/> are inv ertible, but this Some of the mappings given in <xref target="mappings"/> are invertible, but this
document does not discuss inversion algorithms.</t> document does not discuss inversion algorithms.</t>
</section> </section>
<section anchor="term-encoding" numbered="true" toc="default"> <section anchor="term-encoding">
<name>Encodings</name> <name>Encodings</name>
<t>Encodings are closely related to mappings. <t>Encodings are closely related to mappings.
Like a mapping, an encoding is a function that outputs a point on an elliptic cu rve. Like a mapping, an encoding is a function that outputs a point on an elliptic cu rve.
In contrast to a mapping, however, the input to an encoding is an arbitrary-leng th In contrast to a mapping, however, the input to an encoding is an arbitrary-leng th
byte string.</t> byte string.</t>
<t>This document constructs deterministic encodings by composing a has h function Hf <t>This document constructs deterministic encodings by composing a has h function Hf
with a deterministic mapping. with a deterministic mapping.
In particular, Hf takes as input an arbitrary string and outputs an element of F . In particular, Hf takes as input an arbitrary string and outputs an element of F .
The deterministic mapping takes that element as input and outputs a point on an The deterministic mapping takes that element as input and outputs a point on an
elliptic curve E defined over F. elliptic curve E defined over F.
Since Hf takes arbitrary-length byte strings as inputs, it cannot be injective: Since Hf takes arbitrary-length byte strings as inputs, it cannot be injective:
the set of inputs is larger than the set of outputs, so there must the set of inputs is larger than the set of outputs, so there must
be distinct inputs that give the same output (i.e., there must be collisions). be distinct inputs that give the same output (i.e., there must be collisions).
Thus, any encoding built from Hf is also not injective.</t> Thus, any encoding built from Hf is also not injective.</t>
<t>Like mappings, encodings may be invertible, meaning that there is a <t>Like mappings, encodings may be invertible, meaning that there is a
n efficient n
algorithm that, for any point P output by the encoding, outputs a string s efficient algorithm that, for any point P output by the encoding,
such that applying the encoding to s outputs P. outputs a string s such that applying the encoding to s outputs P.
The instantiation of Hf used by all encodings specified in this document (<xref However, the instantiation of Hf used by all encodings specified in
target="hashtofield" format="default"/>) this document (<xref target="hashtofield"/>) is not invertible; thus, those enco
is not invertible. Thus, the encodings are also not invertible.</t> dings
are also not invertible.</t>
<t>In some applications of hashing to elliptic curves, it is important that <t>In some applications of hashing to elliptic curves, it is important that
encodings do not leak information through side channels. encodings do not leak information through side channels.
<xref target="VR20" format="default"/> is one example of this type of leakage le <xref target="VR20"/> is one example of this type of leakage leading to a securi
ading to a security vulnerability. ty vulnerability.
See <xref target="security-considerations-constant" format="default"/> for furth See <xref target="security-considerations-constant"/> for further discussion.</t
er discussion.</t> >
</section> </section>
<section anchor="term-rom" numbered="true" toc="default"> <section anchor="term-rom">
<name>Random oracle encodings</name> <name>Random Oracle Encodings</name>
<t>A random-oracle encoding satisfies a strong property: it can be pro ved <t>A random-oracle encoding satisfies a strong property: it can be pro ved
indifferentiable from a random oracle <xref target="MRH04" format="default"/> un indifferentiable from a random oracle <xref target="MRH04"/> under a suitable as
der a suitable assumption.</t> sumption.</t>
<t>Both constructions described in <xref target="roadmap" format="defa <t>Both constructions described in <xref target="roadmap"/> are indiff
ult"/> are indifferentiable from erentiable from
random oracles <xref target="MRH04" format="default"/> when instantiated followi random oracles <xref target="MRH04"/> when instantiated following the guidelines
ng the guidelines in this document. in this document.
The constructions differ in their output distributions: one gives a uniformly ra ndom The constructions differ in their output distributions: one gives a uniformly ra ndom
point on the curve, the other gives a point sampled from a nonuniform distributi on.</t> point on the curve, the other gives a point sampled from a nonuniform distributi on.</t>
<t>A random-oracle encoding with a uniform output distribution is suit able for use <t>A random-oracle encoding with a uniform output distribution is suit able for use
in many cryptographic protocols proven secure in the random oracle model. in many cryptographic protocols proven secure in the random-oracle model.
See <xref target="security-considerations-props" format="default"/> for further See <xref target="security-considerations-props"/> for further discussion.</t>
discussion.</t>
</section> </section>
<section anchor="term-serialization" numbered="true" toc="default"> <section anchor="term-serialization">
<name>Serialization</name> <name>Serialization</name>
<t>A procedure related to encoding is the conversion of an elliptic cu rve point to a bit string. <t>A procedure related to encoding is the conversion of an elliptic cu rve point to a bit string.
This is called serialization, and is typically used for compactly storing or tra nsmitting points. This is called serialization, and it is typically used for compactly storing or transmitting points.
The inverse operation, deserialization, converts a bit string to an elliptic cur ve point. The inverse operation, deserialization, converts a bit string to an elliptic cur ve point.
For example, <xref target="SEC1" format="default"/> and <xref target="p1363a" fo rmat="default"/> give standard methods for serialization and deserialization.</t > For example, <xref target="SEC1"/> and <xref target="p1363a"/> give standard met hods for serialization and deserialization.</t>
<t>Deserialization is different from encoding in that only certain str ings <t>Deserialization is different from encoding in that only certain str ings
(namely, those output by the serialization procedure) can be deserialized. (namely, those output by the serialization procedure) can be deserialized.
In contrast, this document is concerned with encodings from arbitrary strings In contrast, this document is concerned with encodings from arbitrary strings
to elliptic curve points. to elliptic curve points.
This document does not cover serialization or deserialization.</t> This document does not cover serialization or deserialization.</t>
</section> </section>
<section anchor="term-domain-separation" numbered="true" toc="default"> <section anchor="term-domain-separation">
<name>Domain separation</name> <name>Domain Separation</name>
<t>Cryptographic protocols proven secure in the random oracle model ar <t>Cryptographic protocols proven secure in the random-oracle model ar
e often analyzed e often analyzed
under the assumption that the random oracle only answers queries associated under the assumption that the random oracle only answers queries associated
with that protocol (including queries made by adversaries) <xref target="BR93" f ormat="default"/>. with that protocol (including queries made by adversaries) <xref target="BR93"/> .
In practice, this assumption does not hold if two protocols use the In practice, this assumption does not hold if two protocols use the
same function to instantiate the random oracle. same function to instantiate the random oracle.
Concretely, consider protocols P1 and P2 that query a random oracle RO: Concretely, consider protocols P1 and P2 that query a random-oracle RO:
if P1 and P2 both query RO on the same value x, the security analysis of if P1 and P2 both query RO on the same value x, the security analysis of
one or both protocols may be invalidated.</t> one or both protocols may be invalidated.</t>
<t>A common way of addressing this issue is called domain separation, <t>A common way of addressing this issue is called domain separation,
which allows a single random oracle to simulate multiple, independent oracles. which allows a single random oracle to simulate multiple, independent oracles.
This is effected by ensuring that each simulated oracle sees queries that are This is effected by ensuring that each simulated oracle sees queries that are
distinct from those seen by all other simulated oracles. distinct from those seen by all other simulated oracles.
For example, to simulate two oracles RO1 and RO2 given a single oracle RO, For example, to simulate two oracles RO1 and RO2 given a single oracle RO,
one might define</t> one might define</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
RO1(x) := RO("RO1" || x) RO1(x) := RO("RO1" || x)
RO2(x) := RO("RO2" || x) RO2(x) := RO("RO2" || x)
]]></artwork> ]]></artwork>
<t>where || is the concatenation operator. <t>where || is the concatenation operator.
In this example, "RO1" and "RO2" are called domain separation tags; In this example, "RO1" and "RO2" are called domain separation tags (DSTs);
they ensure that queries to RO1 and RO2 cannot result in identical they ensure that queries to RO1 and RO2 cannot result in identical
queries to RO, meaning that it is safe to treat RO1 and RO2 as queries to RO, meaning that it is safe to treat RO1 and RO2 as
independent oracles.</t> independent oracles.</t>
<t>In general, domain separation requires defining a distinct injectiv e <t>In general, domain separation requires defining a distinct injectiv e
encoding for each oracle being simulated. encoding for each oracle being simulated.
In the above example, "RO1" and "RO2" have the same length and thus In the above example, "RO1" and "RO2" have the same length and thus
satisfy this requirement when used as prefixes. satisfy this requirement when used as prefixes.
The algorithms specified in this document take a different approach to ensuring The algorithms specified in this document take a different approach to ensuring
injectivity; see <xref target="hashtofield-expand" format="default"/> and <xref target="security-considerations-domain-separation-expmsg-var" format="default"/> injectivity; see Sections <xref format="counter" target="hashtofield-expand"/> a nd <xref format="counter" target="security-considerations-domain-separation-expm sg-var"/>
for more details.</t> for more details.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="roadmap" numbered="true" toc="default"> <section anchor="roadmap">
<name>Encoding byte strings to elliptic curves</name> <name>Encoding Byte Strings to Elliptic Curves</name>
<t>This section presents a general framework and interface for encoding by te strings <t>This section presents a general framework and interface for encoding by te strings
to points on an elliptic curve. The constructions in this section rely on three to points on an elliptic curve. The constructions in this section rely on three
basic functions:</t> basic functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>The function hash_to_field hashes arbitrary-length byte strings to a list <t>The function hash_to_field hashes arbitrary-length byte strings to a list
of one or more elements of a finite field F; its implementation is defined in of one or more elements of a finite field F; its implementation is defined in
<xref target="hashtofield" format="default"/>. </t> <xref target="hashtofield"/>. </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
hash_to_field(msg, count) hash_to_field(msg, count)
Inputs: Input:
- msg, a byte string containing the message to hash. - msg, a byte string containing the message to hash.
- count, the number of elements of F to output. - count, the number of elements of F to output.
Outputs: Output:
- (u_0, ..., u_(count - 1)), a list of field elements. - (u_0, ..., u_(count - 1)), a list of field elements.
Steps: defined in Section 5. Steps: defined in Section 5.
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>The function map_to_curve calculates a point on the elliptic curve E <t>The function map_to_curve calculates a point on the elliptic curve E
from an element of the finite field F over which E is defined. from an element of the finite field F over which E is defined.
<xref target="mappings" format="default"/> describes mappings for a range of cur <xref target="mappings"/> describes mappings for a range of curve families. </t
ve families. </t> >
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve(u) map_to_curve(u)
Input: u, an element of field F. Input: u, an element of field F.
Output: Q, a point on the elliptic curve E. Output: Q, a point on the elliptic curve E.
Steps: defined in Section 6. Steps: defined in Section 6.
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>The function clear_cofactor sends any point on the curve E to <t>The function clear_cofactor sends any point on the curve E to
the subgroup G of E. <xref target="cofactor-clearing" format="default"/> describ es methods to perform the subgroup G of E. <xref target="cofactor-clearing"/> describes methods to per form
this operation. </t> this operation. </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
clear_cofactor(Q) clear_cofactor(Q)
Input: Q, a point on the elliptic curve E. Input: Q, a point on the elliptic curve E.
Output: P, a point in G. Output: P, a point in G.
Steps: defined in Section 7. Steps: defined in Section 7.
</sourcecode> ]]></sourcecode>
</li> </li>
</ul> </ul>
<t>The two encodings (<xref target="term-encoding" format="default"/>) def <t>The two encodings (<xref target="term-encoding"/>) defined in this sect
ined in this section have the ion have the
same interface and are both random-oracle encodings (<xref target="term-rom" for same interface and are both random-oracle encodings (<xref target="term-rom"/>).
mat="default"/>).
Both are implemented as a composition of the three basic functions above. Both are implemented as a composition of the three basic functions above.
The difference between the two is that their outputs are sampled from The difference between the two is that their outputs are sampled from
different distributions:</t> different distributions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>encode_to_curve is a nonuniform encoding from byte strings to point s in G. <t>encode_to_curve is a nonuniform encoding from byte strings to point s in G.
That is, the distribution of its output is not uniformly random in G: That is, the distribution of its output is not uniformly random in G:
the set of possible outputs of encode_to_curve is only a fraction of the the set of possible outputs of encode_to_curve is only a fraction of the
points in G, and some points in this set are more likely to be output than other s. points in G, and some points in this set are more likely to be output than other s.
<xref target="security-considerations-encode" format="default"/> gives a more pr ecise definition of <xref target="security-considerations-encode"/> gives a more precise definition of
encode_to_curve's output distribution. </t> encode_to_curve's output distribution. </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
encode_to_curve(msg) encode_to_curve(msg)
Input: msg, an arbitrary-length byte string. Input: msg, an arbitrary-length byte string.
Output: P, a point in G. Output: P, a point in G.
Steps: Steps:
1. u = hash_to_field(msg, 1) 1. u = hash_to_field(msg, 1)
2. Q = map_to_curve(u[0]) 2. Q = map_to_curve(u[0])
3. P = clear_cofactor(Q) 3. P = clear_cofactor(Q)
4. return P 4. return P
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>hash_to_curve is a uniform encoding from byte strings to points in G. <t>hash_to_curve is a uniform encoding from byte strings to points in G.
That is, the distribution of its output is statistically close to uniform in G. </t> That is, the distribution of its output is statistically close to uniform in G. </t>
<t> <t>
This function is suitable for most applications requiring a random oracle This function is suitable for most applications requiring a random oracle
returning points in G, when instantiated with any of the map_to_curve returning points in G, when instantiated with any of the map_to_curve
functions described in <xref target="mappings" format="default"/>. functions described in <xref target="mappings"/>.
See <xref target="security-considerations-props" format="default"/> for further See <xref target="security-considerations-props"/> for further discussion. </t>
discussion. </t> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
hash_to_curve(msg) hash_to_curve(msg)
Input: msg, an arbitrary-length byte string. Input: msg, an arbitrary-length byte string.
Output: P, a point in G. Output: P, a point in G.
Steps: Steps:
1. u = hash_to_field(msg, 2) 1. u = hash_to_field(msg, 2)
2. Q0 = map_to_curve(u[0]) 2. Q0 = map_to_curve(u[0])
3. Q1 = map_to_curve(u[1]) 3. Q1 = map_to_curve(u[1])
4. R = Q0 + Q1 # Point addition 4. R = Q0 + Q1 # Point addition
5. P = clear_cofactor(R) 5. P = clear_cofactor(R)
6. return P 6. return P
</sourcecode> ]]></sourcecode>
</li> </li>
</ul> </ul>
<t>Each hash-to-curve suite in <xref target="suites" format="default"/> in <t>Each hash-to-curve suite in <xref target="suites"/> instantiates one of
stantiates one of these encoding these encoding
functions for a specifc elliptic curve.</t> functions for a specific elliptic curve.</t>
<section anchor="domain-separation" numbered="true" toc="default"> <section anchor="domain-separation">
<name>Domain separation requirements</name> <name>Domain Separation Requirements</name>
<t>All uses of the encoding functions defined in this document MUST incl <t>All uses of the encoding functions defined in this document <bcp14>MU
ude ST</bcp14> include
domain separation (<xref target="term-domain-separation" format="default"/>) to domain separation (<xref target="term-domain-separation"/>) to avoid interfering
avoid interfering with with
other uses of similar functionality.</t> other uses of similar functionality.</t>
<t>Applications that instantiate multiple, independent instances of eith er <t>Applications that instantiate multiple, independent instances of eith er
hash_to_curve or encode_to_curve MUST enforce domain separation hash_to_curve or encode_to_curve <bcp14>MUST</bcp14> enforce domain separation
between those instances. between those instances.
This requirement applies both in the case of multiple instances targeting This requirement applies in both the case of multiple instances targeting
the same curve and in the case of multiple instances targeting different curves. the same curve and the case of multiple instances targeting different curves.
(This is because the internal hash_to_field primitive (<xref target="hashtofield (This is because the internal hash_to_field primitive (<xref target="hashtofield
" format="default"/>) "/>)
requires domain separation to guarantee independent outputs.)</t> requires domain separation to guarantee independent outputs.)</t>
<t>Domain separation is enforced with a domain separation tag (DST), <t>Domain separation is enforced with a domain separation tag (DST),
which is a byte string constructed according to the following requirements:</t> which is a byte string constructed according to the following requirements:</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>Tags <bcp14>MUST</bcp14> be supplied a
<li>Tags MUST be supplied as the DST parameter to hash_to_field, as s the DST parameter to hash_to_field, as
described in <xref target="hashtofield" format="default"/>.</li> described in <xref target="hashtofield"/>.</li>
<li>Tags MUST have nonzero length. A minimum length of 16 bytes <li>Tags <bcp14>MUST</bcp14> have nonzero length. A minimum length of
is RECOMMENDED to reduce the chance of collisions with other 16 bytes
is <bcp14>RECOMMENDED</bcp14> to reduce the chance of collisions with other
applications.</li> applications.</li>
<li>Tags SHOULD begin with a fixed identification string <li>Tags <bcp14>SHOULD</bcp14> begin with a fixed identification strin g
that is unique to the application.</li> that is unique to the application.</li>
<li>Tags SHOULD include a version number.</li> <li>Tags <bcp14>SHOULD</bcp14> include a version number.</li>
<li>For applications that define multiple ciphersuites, each ciphersui te's <li>For applications that define multiple ciphersuites, each ciphersui te's
tag MUST be different. For this purpose, it is RECOMMENDED to tag <bcp14>MUST</bcp14> be different. For this purpose, it is <bcp14>RECOMMENDED </bcp14> to
include a ciphersuite identifier in each tag.</li> include a ciphersuite identifier in each tag.</li>
<li>For applications that use multiple encodings, either to the same c <li>For applications that use multiple encodings, to either the same c
urve urve
or to different curves, each encoding MUST use a different tag. or different curves, each encoding <bcp14>MUST</bcp14> use a different tag.
For this purpose, it is RECOMMENDED to include the encoding's For this purpose, it is <bcp14>RECOMMENDED</bcp14> to include the encoding's
Suite ID (<xref target="suites" format="default"/>) in the domain separation tag Suite ID (<xref target="suites"/>) in the domain separation tag.
. For independent encodings based on the same suite, each tag <bcp14>SHOULD</bcp14
For independent encodings based on the same suite, each tag SHOULD >
also include a distinct identifier, e.g., "ENC1" and "ENC2".</li> also include a distinct identifier, e.g., "ENC1" and "ENC2".</li>
</ol> </ol>
<t>As an example, consider a fictional application named Quux <t>As an example, consider a fictional application named Quux
that defines several different ciphersuites, each for a different curve. that defines several different ciphersuites, each for a different curve.
A reasonable choice of tag is "QUUX-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;", w here A reasonable choice of tag is "QUUX-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;", w here
&lt;xx&gt; and &lt;yy&gt; are two-digit numbers indicating the version and &lt;xx&gt; and &lt;yy&gt; are two-digit numbers indicating the version and
ciphersuite, respectively, and &lt;suiteID&gt; is the Suite ID of the ciphersuite, respectively, and &lt;suiteID&gt; is the Suite ID of the
encoding used in ciphersuite &lt;yy&gt;.</t> encoding used in ciphersuite &lt;yy&gt;.</t>
<t>As another example, consider a fictional application named Baz that r equires <t>As another example, consider a fictional application named Baz that r equires
two independent random oracles to the same curve. two independent random oracles to the same curve.
Reasonable choices of tags for these oracles are Reasonable choices of tags for these oracles are
"BAZ-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;-ENC1" and "BAZ-V&lt;xx&gt;-CS&lt;y y&gt;-&lt;suiteID&gt;-ENC2", "BAZ-V&lt;xx&gt;-CS&lt;yy&gt;-&lt;suiteID&gt;-ENC1" and "BAZ-V&lt;xx&gt;-CS&lt;y y&gt;-&lt;suiteID&gt;-ENC2",
respectively, where &lt;xx&gt;, &lt;yy&gt;, and &lt;suiteID&gt; are as described above.</t> respectively, where &lt;xx&gt;, &lt;yy&gt;, and &lt;suiteID&gt; are as described above.</t>
<t>The example tags given above are assumed to be ASCII-encoded byte str ings <t>The example tags given above are assumed to be ASCII-encoded byte str ings
without null termination, which is the RECOMMENDED format. Other encodings without null termination, which is the <bcp14>RECOMMENDED</bcp14> format. Other
can be used, but in all cases the encoding as a sequence of bytes MUST be encodings
can be used, but in all cases the encoding as a sequence of bytes <bcp14>MUST</b
cp14> be
specified unambiguously.</t> specified unambiguously.</t>
</section> </section>
</section> </section>
<section anchor="utility" numbered="true" toc="default"> <section anchor="utility">
<name>Utility functions</name> <name>Utility Functions</name>
<t>Algorithms in this document use the utility functions described below, <t>Algorithms in this document use the utility functions described below,
plus standard arithmetic operations (addition, multiplication, modular plus standard arithmetic operations (addition, multiplication, modular
reduction, etc.) and elliptic curve point operations (point addition and reduction, etc.) and elliptic curve point operations (point addition and
scalar multiplication).</t> scalar multiplication).</t>
<t>For security, implementations of these functions SHOULD be constant tim <t>For security, implementations of these functions <bcp14>SHOULD</bcp14>
e: be constant time:
in brief, this means that execution time and memory access patterns SHOULD NOT in brief, this means that execution time and memory access patterns <bcp14>SHOUL
D NOT</bcp14>
depend on the values of secret inputs, intermediate values, or outputs. depend on the values of secret inputs, intermediate values, or outputs.
For such constant-time implementations, all arithmetic, comparisons, and For such constant-time implementations, all arithmetic, comparisons, and
assignments MUST also be implemented in constant time. assignments <bcp14>MUST</bcp14> also be implemented in constant time.
<xref target="security-considerations-constant" format="default"/> briefly discu <xref target="security-considerations-constant"/> briefly discusses constant-tim
sses constant-time security issues.</t> e security issues.</t>
<t>Guidance on implementing low-level operations (in constant time or othe rwise) <t>Guidance on implementing low-level operations (in constant time or othe rwise)
is beyond the scope of this document; readers should consult standard reference is beyond the scope of this document; readers should consult standard reference
material <xref target="MOV96" format="default"/> <xref target="CFADLNV05" format ="default"/>.</t> material <xref target="MOV96"/> <xref target="CFADLNV05"/>.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>CMOV(a, b, c): If c is False, CMOV returns a, otherwise it returns b <li>CMOV(a, b, c): If c is False, CMOV returns a; otherwise, it returns
. b.
For constant-time implementations, this operation must run in For constant-time implementations, this operation must run in a
time independent of the value of c.</li> time that is independent of the value of c.</li>
<li>AND, OR, NOT, and XOR are standard bitwise logical operators. <li>AND, OR, NOT, and XOR are standard bitwise logical operators.
For constant-time implementations, short-circuit operators MUST be avoided.</li> For constant-time implementations, short-circuit operators <bcp14>MUST</bcp14> b e avoided.</li>
<li> <li>
<t>is_square(x): This function returns True whenever the value x is a <t>is_square(x): This function returns True whenever the value x is a
square in the field F. By Euler's criterion, this function can be square in the field F. By Euler's criterion, this function can be
calculated in constant time as </t> calculated in constant time as </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
is_square(x) := { True, if x^((q - 1) / 2) is 0 or 1 in F; is_square(x) := { True, if x^((q - 1) / 2) is 0 or 1 in F;
{ False, otherwise. { False, otherwise.
</sourcecode> ]]></sourcecode>
<t> <t>
In certain extension fields, is_square can be computed in constant In certain extension fields, is_square can be computed in constant
time more quickly than by the above exponentiation. time more quickly than by the above exponentiation.
<xref target="AR13" format="default"/> and <xref target="S85" format="default"/> <xref target="AR13"/> and <xref target="S85"/> describe optimized methods for ex
describe optimized methods for extension fields. tension fields.
<xref target="appx-sqrt-issq" format="default"/> gives an optimized straight-lin <xref target="appx-sqrt-issq"/> gives an optimized straight-line method for GF(p
e method for GF(p^2).</t> ^2).</t>
</li> </li>
<li> <li>
<t>sqrt(x): The sqrt operation is a multi-valued function, i.e., there exist <t>sqrt(x): The sqrt operation is a multi-valued function, i.e., there exist
two roots of x in the field F whenever x is square (except when x = 0). two roots of x in the field F whenever x is square (except when x = 0).
To maintain compatibility across implementations while allowing implementors To maintain compatibility across implementations while allowing implementors
leeway for optimizations, this document does not require sqrt() to return a leeway for optimizations, this document does not require sqrt() to return a
particular value. Instead, as explained in <xref target="point-sign" format="def ault"/>, any function that particular value. Instead, as explained in <xref target="point-sign"/>, any func tion that
calls sqrt also specifies how to determine the correct root. </t> calls sqrt also specifies how to determine the correct root. </t>
<t> <t>
The preferred way of computing square roots is to fix a deterministic The preferred way of computing square roots is to fix a deterministic
algorithm particular to F. We give several algorithms in <xref target="appx-sqrt " format="default"/>.</t> algorithm particular to F. We give several algorithms in <xref target="appx-sqrt "/>.</t>
</li> </li>
<li>sgn0(x): This function returns either 0 or 1 indicating the "sign" o f x, <li>sgn0(x): This function returns either 0 or 1 indicating the "sign" o f x,
where sgn0(x) == 1 just when x is "negative". where sgn0(x) == 1 just when x is "negative".
(In other words, this function always considers 0 to be positive.) (In other words, this function always considers 0 to be positive.)
<xref target="sgn0-function" format="default"/> defines this function and discus ses its implementation.</li> <xref target="sgn0-function"/> defines this function and discusses its implement ation.</li>
<li> <li>
<t>inv0(x): This function returns the multiplicative inverse of x in F , <t>inv0(x): This function returns the multiplicative inverse of x in F ,
extended to all of F by fixing inv0(0) == 0. extended to all of F by fixing inv0(0) == 0.
A straightforward way to implement inv0 in constant time is to compute </t> A straightforward way to implement inv0 in constant time is to compute </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
inv0(x) := x^(q - 2). inv0(x) := x^(q - 2).
</sourcecode> ]]></sourcecode>
<t> <t>
Notice that on input 0, the output is 0 as required. Notice that on input 0, the output is 0 as required.
Certain fields may allow faster inversion methods; detailed discussion Certain fields may allow faster inversion methods; detailed discussion
of such methods is beyond the scope of this document.</t> of such methods is beyond the scope of this document.</t>
</li> </li>
<li>I2OSP and OS2IP: These functions are used to convert a byte string t o <li>I2OSP and OS2IP: These functions are used to convert a byte string t o
and from a non-negative integer as described in <xref target="RFC8017" format="d efault"/>. and from a non-negative integer as described in <xref target="RFC8017"/>.
(Note that these functions operate on byte strings in big-endian byte (Note that these functions operate on byte strings in big-endian byte
order.)</li> order.)</li>
<li>a || b: denotes the concatenation of byte strings a and b. For examp le, <li>a || b: denotes the concatenation of byte strings a and b. For examp le,
"ABC" || "DEF" == "ABCDEF".</li> "ABC" || "DEF" == "ABCDEF".</li>
<li>substr(str, sbegin, slen): for a byte string str, this function retu rns <li>substr(str, sbegin, slen): For a byte string str, this function retu rns
the slen-byte substring starting at position sbegin; positions are zero the slen-byte substring starting at position sbegin; positions are zero
indexed. indexed.
For example, substr("ABCDEFG", 2, 3) == "CDE".</li> For example, substr("ABCDEFG", 2, 3) == "CDE".</li>
<li>len(str): for a byte string str, this function returns the length of str <li>len(str): For a byte string str, this function returns the length of str
in bytes. For example, len("ABC") == 3.</li> in bytes. For example, len("ABC") == 3.</li>
<li>strxor(str1, str2): for byte strings str1 and str2, strxor(str1, str 2) <li>strxor(str1, str2): For byte strings str1 and str2, strxor(str1, str 2)
returns the bitwise XOR of the two strings. returns the bitwise XOR of the two strings.
For example, strxor("abc", "XYZ") == "9;9" (the strings in this example For example, strxor("abc", "XYZ") == "9;9" (the strings in this example
are ASCII literals, but strxor is defined for arbitrary byte strings). are ASCII literals, but strxor is defined for arbitrary byte strings).
In this document, strxor is only applied to inputs of equal length.</li> In this document, strxor is only applied to inputs of equal length.</li>
</ul> </ul>
<section anchor="sgn0-function" numbered="true" toc="default"> <section anchor="sgn0-function">
<name>The sgn0 function</name> <name>The sgn0 Function</name>
<t>This section defines a generic sgn0 implementation that applies to an y field F = GF(p^m). <t>This section defines a generic sgn0 implementation that applies to an y field F = GF(p^m).
It also gives simplified implementations for the cases F = GF(p) and F = GF(p^2) .</t> It also gives simplified implementations for the cases F = GF(p) and F = GF(p^2) .</t>
<t>The definition of the sgn0 function for extension fields relies on <t>The definition of the sgn0 function for extension fields relies on
the polynomial basis or vector representation of field elements, and the polynomial basis or vector representation of field elements, and
iterates over the entire vector representation of the input element. iterates over the entire vector representation of the input element.
As a result, sgn0 depends on the primitive polynomial used to define As a result, sgn0 depends on the primitive polynomial used to define
the polynomial basis; see <xref target="suites" format="default"/> for more info the polynomial basis; see <xref target="suites"/> for more information about thi
rmation about this s
basis, and see <xref target="bg-curves" format="default"/> for a discussion of r basis, and see <xref target="bg-curves"/> for a discussion of representing eleme
epresenting elements nts
of extension fields as vectors.</t> of extension fields as vectors.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sgn0(x) sgn0(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above). - p, the characteristic of F (see immediately above).
- m, the extension degree of F, m &gt;= 1 (see immediately above). - m, the extension degree of F, m >= 1 (see immediately above).
Input: x, an element of F. Input: x, an element of F.
Output: 0 or 1. Output: 0 or 1.
Steps: Steps:
1. sign = 0 1. sign = 0
2. zero = 1 2. zero = 1
3. for i in (1, 2, ..., m): 3. for i in (1, 2, ..., m):
4. sign_i = x_i mod 2 4. sign_i = x_i mod 2
5. zero_i = x_i == 0 5. zero_i = x_i == 0
6. sign = sign OR (zero AND sign_i) # Avoid short-circuit logic ops 6. sign = sign OR (zero AND sign_i) # Avoid short-circuit logic ops
7. zero = zero AND zero_i 7. zero = zero AND zero_i
8. return sign 8. return sign
</sourcecode> ]]></sourcecode>
<t>When m == 1, sgn0 can be significantly simplified:</t> <t>When m == 1, sgn0 can be significantly simplified:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sgn0_m_eq_1(x) sgn0_m_eq_1(x)
Input: x, an element of GF(p). Input: x, an element of GF(p).
Output: 0 or 1. Output: 0 or 1.
Steps: Steps:
1. return x mod 2 1. return x mod 2
</sourcecode> ]]></sourcecode>
<t>The case m == 2 is only slightly more complicated:</t> <t>The case m == 2 is only slightly more complicated:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sgn0_m_eq_2(x) sgn0_m_eq_2(x)
Input: x, an element of GF(p^2). Input: x, an element of GF(p^2).
Output: 0 or 1. Output: 0 or 1.
Steps: Steps:
1. sign_0 = x_0 mod 2 1. sign_0 = x_0 mod 2
2. zero_0 = x_0 == 0 2. zero_0 = x_0 == 0
3. sign_1 = x_1 mod 2 3. sign_1 = x_1 mod 2
4. s = sign_0 OR (zero_0 AND sign_1) # Avoid short-circuit logic ops 4. s = sign_0 OR (zero_0 AND sign_1) # Avoid short-circuit logic ops
5. return s 5. return s
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="hashtofield" numbered="true" toc="default"> <section anchor="hashtofield">
<name>Hashing to a finite field</name> <name>Hashing to a Finite Field</name>
<t>The hash_to_field function hashes a byte string msg of arbitrary length into <t>The hash_to_field function hashes a byte string msg of arbitrary length into
one or more elements of a field F. one or more elements of a field F.
This function works in two steps: it first hashes the input byte string This function works in two steps: it first hashes the input byte string
to produce a uniformly random byte string, and then interprets this byte string to produce a uniformly random byte string, and then interprets this byte string
as one or more elements of F.</t> as one or more elements of F.</t>
<t>For the first step, hash_to_field calls an auxiliary function expand_me ssage. <t>For the first step, hash_to_field calls an auxiliary function expand_me ssage.
This document defines two variants of expand_message: one appropriate This document defines two variants of expand_message: one appropriate
for hash functions like SHA-2 <xref target="FIPS180-4" format="default"/> or SHA for hash functions like SHA-2 <xref target="FIPS180-4"/> or SHA-3 <xref target="
-3 <xref target="FIPS202" format="default"/>, and another FIPS202"/>, and another
appropriate for extendable-output functions such as SHAKE128 <xref target="FIPS2 appropriate for extendable-output functions such as SHAKE128 <xref target="FIPS2
02" format="default"/>. 02"/>.
Security considerations for each expand_message variant are discussed Security considerations for each expand_message variant are discussed
below (<xref target="hashtofield-expand-xmd" format="default"/>, <xref target="h below (Sections <xref format="counter" target="hashtofield-expand-xmd"/> and <xr
ashtofield-expand-xof" format="default"/>).</t> ef format="counter" target="hashtofield-expand-xof"/>).</t>
<t>Implementors MUST NOT use rejection sampling to generate a uniformly ra <t>Implementors <bcp14>MUST NOT</bcp14> use rejection sampling to generate
ndom a uniformly random
element of F, to ensure that the hash_to_field function is amenable to element of F, to ensure that the hash_to_field function is amenable to
constant-time implementation. constant-time implementation.
The reason is that rejection sampling procedures are difficult to implement The reason is that rejection sampling procedures are difficult to implement
in constant time, and later well-meaning "optimizations" may silently render in constant time, and later well-meaning "optimizations" may silently render
an implementation non-constant-time. an implementation non-constant-time.
This means that any hash_to_field function based on rejection sampling This means that any hash_to_field function based on rejection sampling
would be incompatible with constant-time implementation.</t> would be incompatible with constant-time implementation.</t>
<t>The hash_to_field function is also suitable for securely hashing to sca lars. <t>The hash_to_field function is also suitable for securely hashing to sca lars.
For example, when hashing to the scalar field for an elliptic curve (sub)group For example, when hashing to the scalar field for an elliptic curve (sub)group
with prime order r, it suffices to instantiate hash_to_field with target field with prime order r, it suffices to instantiate hash_to_field with target field
GF(r).</t> GF(r).</t>
<t>The hash_to_field function is designed to be indifferentiable from a <t>The hash_to_field function is designed to be indifferentiable from a
random oracle <xref target="MRH04" format="default"/> when expand_message (<xref random oracle <xref target="MRH04"/> when expand_message (<xref target="hashtofi
target="hashtofield-expand" format="default"/>) eld-expand"/>)
is modeled as a random oracle (see <xref target="security-considerations-hash-to is modeled as a random oracle (see <xref target="security-considerations-hash-to
-field" format="default"/> -field"/>
for details about its indifferentiability). for details about its indifferentiability).
Ensuring indifferentiability requires care; to see why, consider a prime Ensuring indifferentiability requires care; to see why, consider a prime
p that is close to 3/4 * 2^256. p that is close to 3/4 * 2^256.
Reducing a random 256-bit integer modulo this p yields a value that is in Reducing a random 256-bit integer modulo this p yields a value that is in
the range [0, p / 3] with probability roughly 1/2, meaning that this value the range [0, p / 3] with probability roughly 1/2, meaning that this value
is statistically far from uniform in [0, p - 1].</t> is statistically far from uniform in [0, p - 1].</t>
<t>To control bias, hash_to_field instead uses random integers whose <t>To control bias, hash_to_field instead uses random integers whose
length is at least ceil(log2(p)) + k bits, where k is the target security length is at least ceil(log2(p)) + k bits, where k is the target security
level for the suite in bits. level for the suite in bits.
Reducing such integers mod p gives bias at most 2^-k for any p; this bias Reducing such integers mod p gives bias at most 2^-k for any p; this bias
is appropriate when targeting k-bit security. is appropriate when targeting k-bit security.
For each such integer, hash_to_field uses expand_message to obtain For each such integer, hash_to_field uses expand_message to obtain
L uniform bytes, where</t> L uniform bytes, where</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
L = ceil((ceil(log2(p)) + k) / 8) L = ceil((ceil(log2(p)) + k) / 8)
]]></artwork> ]]></artwork>
<t>These uniform bytes are then interpreted as an integer via OS2IP. <t>These uniform bytes are then interpreted as an integer via OS2IP.
For example, for a 255-bit prime p, and k = 128-bit security, For example, for a 255-bit prime p, and k = 128-bit security,
L = ceil((255 + 128) / 8) = 48 bytes.</t> L = ceil((255 + 128) / 8) = 48 bytes.</t>
<t>Note that k is an upper bound on the security level for the <t>Note that k is an upper bound on the security level for the
corresponding curve. corresponding curve.
See <xref target="security-considerations-targets" format="default"/> for more d See <xref target="security-considerations-targets"/> for more details and
etails, and <xref target="new-suite"/> for guidelines on choosing k for a given curve.</t>
<xref target="new-suite" format="default"/> for guidelines on choosing k for a g <section anchor="hashtofield-exteff">
iven curve.</t> <name>Efficiency Considerations in Extension Fields</name>
<section anchor="hashtofield-exteff" numbered="true" toc="default">
<name>Efficiency considerations in extension fields</name>
<t>The hash_to_field function described in this section is inefficient f or certain <t>The hash_to_field function described in this section is inefficient f or certain
extension fields. Specifically, when hashing to an element of the extension extension fields. Specifically, when hashing to an element of the extension
field GF(p^m), hash_to_field requires expanding msg into m * L bytes (for L as d efined above). field GF(p^m), hash_to_field requires expanding msg into m * L bytes (for L as d efined above).
For extension fields where log2(p) is significantly smaller than the security For extension fields where log2(p) is significantly smaller than the security
level k, this approach is inefficient: it requires expand_message to output level k, this approach is inefficient: it requires expand_message to output
roughly m * log2(p) + m * k bits, whereas m * log2(p) + k bytes suffices to roughly m * log2(p) + m * k bits, whereas m * log2(p) + k bytes suffices to
generate an element of GF(p^m) with bias at most 2^-k. In such cases, generate an element of GF(p^m) with bias at most 2^-k. In such cases,
applications MAY use an alternative hash_to_field function, provided it applications <bcp14>MAY</bcp14> use an alternative hash_to_field function, provi ded it
meets the following security requirements:</t> meets the following security requirements:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The function MUST output field element(s) that are uniformly rando <li>The function <bcp14>MUST</bcp14> output one or more field elements
m except with bias at most 2^-k.</li> that are uniformly random except with bias at most 2^-k.</li>
<li>The function MUST NOT use rejection sampling.</li> <li>The function <bcp14>MUST NOT</bcp14> use rejection sampling.</li>
<li>The function SHOULD be amenable to straight line implementations.< <li>The function <bcp14>SHOULD</bcp14> be amenable to straight-line im
/li> plementations.</li>
</ul> </ul>
<t>For example, Pornin <xref target="P20" format="default"/> describes a method for hashing to GF(9767^19) that meets <t>For example, Pornin <xref target="P20"/> describes a method for hashi ng to GF(9767^19) that meets
these requirements while using fewer output bits from expand_message than these requirements while using fewer output bits from expand_message than
hash_to_field would for that field.</t> hash_to_field would for that field.</t>
</section> </section>
<section anchor="hashtofield-impl" numbered="true" toc="default"> <section anchor="hashtofield-impl">
<name>hash_to_field implementation</name> <name>hash_to_field Implementation</name>
<t>The following procedure implements hash_to_field.</t> <t>The following procedure implements hash_to_field.</t>
<t>The expand_message parameter to this function MUST conform to the req <t>The expand_message parameter to this function <bcp14>MUST</bcp14> con
uirements form to the requirements
given in <xref target="hashtofield-expand" format="default"/>. <xref target="dom given in <xref target="hashtofield-expand"/>. <xref target="domain-separation"/>
ain-separation" format="default"/> discusses the REQUIRED discusses the <bcp14>REQUIRED</bcp14>
method for constructing DST, the domain separation tag. Note that hash_to_field method for constructing DST, the domain separation tag. Note that hash_to_field
may fail (abort) if expand_message fails.</t> may fail (ABORT) if expand_message fails.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
hash_to_field(msg, count) hash_to_field(msg, count)
Parameters: Parameters:
- DST, a domain separation tag (see Section 3.1). - DST, a domain separation tag (see Section 3.1).
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
- p, the characteristic of F (see immediately above). - p, the characteristic of F (see immediately above).
- m, the extension degree of F, m &gt;= 1 (see immediately above). - m, the extension degree of F, m >= 1 (see immediately above).
- L = ceil((ceil(log2(p)) + k) / 8), where k is the security - L = ceil((ceil(log2(p)) + k) / 8), where k is the security
parameter of the suite (e.g., k = 128). parameter of the suite (e.g., k = 128).
- expand_message, a function that expands a byte string and - expand_message, a function that expands a byte string and
domain separation tag into a uniformly random byte string domain separation tag into a uniformly random byte string
(see Section 5.3). (see Section 5.3).
Inputs: Input:
- msg, a byte string containing the message to hash. - msg, a byte string containing the message to hash.
- count, the number of elements of F to output. - count, the number of elements of F to output.
Outputs: Output:
- (u_0, ..., u_(count - 1)), a list of field elements. - (u_0, ..., u_(count - 1)), a list of field elements.
Steps: Steps:
1. len_in_bytes = count * m * L 1. len_in_bytes = count * m * L
2. uniform_bytes = expand_message(msg, DST, len_in_bytes) 2. uniform_bytes = expand_message(msg, DST, len_in_bytes)
3. for i in (0, ..., count - 1): 3. for i in (0, ..., count - 1):
4. for j in (0, ..., m - 1): 4. for j in (0, ..., m - 1):
5. elm_offset = L * (j + i * m) 5. elm_offset = L * (j + i * m)
6. tv = substr(uniform_bytes, elm_offset, L) 6. tv = substr(uniform_bytes, elm_offset, L)
7. e_j = OS2IP(tv) mod p 7. e_j = OS2IP(tv) mod p
8. u_i = (e_0, ..., e_(m - 1)) 8. u_i = (e_0, ..., e_(m - 1))
9. return (u_0, ..., u_(count - 1)) 9. return (u_0, ..., u_(count - 1))
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="hashtofield-expand" numbered="true" toc="default"> <section anchor="hashtofield-expand">
<name>expand_message</name> <name>expand_message</name>
<t>expand_message is a function that generates a uniformly random byte s tring. <t>expand_message is a function that generates a uniformly random byte s tring.
It takes three arguments:</t> It takes three arguments:</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>msg, a byte string containing the mess
<li>msg, a byte string containing the message to hash,</li> age to hash,</li>
<li>DST, a byte string that acts as a domain separation tag, and</li> <li>DST, a byte string that acts as a domain separation tag, and</li>
<li>len_in_bytes, the number of bytes to be generated.</li> <li>len_in_bytes, the number of bytes to be generated.</li>
</ol> </ol>
<t>This document defines the following two variants of expand_message:</ t> <t>This document defines the following two variants of expand_message:</ t>
<ul spacing="normal"> <ul spacing="normal">
<li>expand_message_xmd (<xref target="hashtofield-expand-xmd" format=" <li>expand_message_xmd (<xref target="hashtofield-expand-xmd"/>) is ap
default"/>) is appropriate for use propriate for use
with a wide range of hash functions, including SHA-2 <xref target="FIPS180-4" fo with a wide range of hash functions, including SHA-2 <xref target="FIPS180-4"/>,
rmat="default"/>, SHA-3 SHA-3
<xref target="FIPS202" format="default"/>, BLAKE2 <xref target="RFC7693" format= <xref target="FIPS202"/>, BLAKE2 <xref target="RFC7693"/>, and others.</li>
"default"/>, and others.</li> <li>expand_message_xof (<xref target="hashtofield-expand-xof"/>) is ap
<li>expand_message_xof (<xref target="hashtofield-expand-xof" format=" propriate for use
default"/>) is appropriate for use with extendable-output functions (XOFs), including functions in the SHAKE
with extendable-output functions (XOFs) including functions in the SHAKE <xref target="FIPS202"/> or BLAKE2X <xref target="BLAKE2X"/> families.</li>
<xref target="FIPS202" format="default"/> or BLAKE2X <xref target="BLAKE2X" form
at="default"/> families.</li>
</ul> </ul>
<t>These variants should suffice for the vast majority of use cases, but other <t>These variants should suffice for the vast majority of use cases, but other
variants are possible; <xref target="hashtofield-expand-other" format="default"/ variants are possible; <xref target="hashtofield-expand-other"/> discusses requi
> discusses requirements.</t> rements.</t>
<section anchor="hashtofield-expand-xmd" numbered="true" toc="default"> <section anchor="hashtofield-expand-xmd">
<name>expand_message_xmd</name> <name>expand_message_xmd</name>
<t>The expand_message_xmd function produces a uniformly random byte st ring using <t>The expand_message_xmd function produces a uniformly random byte st ring using
a cryptographic hash function H that outputs b bits. For security, H MUST meet a cryptographic hash function H that outputs b bits. For security, H <bcp14>MUST </bcp14> meet
the following requirements:</t> the following requirements:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The number of bits output by H MUST be b &gt;= 2 * k, for k the <li>The number of bits output by H <bcp14>MUST</bcp14> be b &gt;= 2
target * k, where k is the target
security level in bits, and b MUST be divisible by 8. security level in bits, and b <bcp14>MUST</bcp14> be divisible by 8.
The first requirement ensures k-bit collision resistance; the second The first requirement ensures k-bit collision resistance; the second
ensures uniformity of expand_message_xmd's output.</li> ensures uniformity of expand_message_xmd's output.</li>
<li>H MAY be a Merkle-Damgaard hash function like SHA-2. <li>H <bcp14>MAY</bcp14> be a Merkle-Damgaard hash function like SHA -2.
In this case, security holds when the underlying compression function is In this case, security holds when the underlying compression function is
modeled as a random oracle <xref target="CDMP05" format="default"/>. (See modeled as a random oracle <xref target="CDMP05"/>. (See
<xref target="security-considerations-expand-xmd" format="default"/> for discuss <xref target="security-considerations-expand-xmd"/> for discussion.)</li>
ion.)</li> <li>H <bcp14>MAY</bcp14> be a sponge-based hash function like SHA-3
<li>H MAY be a sponge-based hash function like SHA-3 or BLAKE2. or BLAKE2.
In this case, security holds when the inner function is modeled as a In this case, security holds when the inner function is modeled as a
random transformation or as a random permutation <xref target="BDPV08" format="d random transformation or as a random permutation <xref target="BDPV08"/>.</li>
efault"/>.</li> <li>Otherwise, H <bcp14>MUST</bcp14> be a hash function that has bee
<li>Otherwise, H MUST be a hash function that has been proved indiff n proved indifferentiable
erentiable from a random oracle <xref target="MRH04"/> under a reasonable cryptographic ass
from a random oracle <xref target="MRH04" format="default"/> under a reasonable umption.</li>
cryptographic assumption.</li>
</ul> </ul>
<t>SHA-2 <xref target="FIPS180-4" format="default"/> and SHA-3 <xref t arget="FIPS202" format="default"/> are typical and RECOMMENDED choices. <t>SHA-2 <xref target="FIPS180-4"/> and SHA-3 <xref target="FIPS202"/> are typical and <bcp14>RECOMMENDED</bcp14> choices.
As an example, for the 128-bit security level, b &gt;= 256 bits and either SHA-2 56 or As an example, for the 128-bit security level, b &gt;= 256 bits and either SHA-2 56 or
SHA3-256 would be an appropriate choice.</t> SHA3-256 would be an appropriate choice.</t>
<t>The hash function H is assumed to work by repeatedly ingesting fixe d-length <t>The hash function H is assumed to work by repeatedly ingesting fixe d-length
blocks of data. The length in bits of these blocks is called the input block blocks of data. The length in bits of these blocks is called the input block
size (s). As examples, s = 1024 for SHA-512 <xref target="FIPS180-4" format="def size (s). As examples, s = 1024 for SHA-512 <xref target="FIPS180-4"/> and s = 5
ault"/> and s = 576 for 76 for
SHA3-512 <xref target="FIPS202" format="default"/>. For correctness, H requires SHA3-512 <xref target="FIPS202"/>. For correctness, H requires b &lt;= s.</t>
b &lt;= s.</t>
<t>The following procedure implements expand_message_xmd.</t> <t>The following procedure implements expand_message_xmd.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
expand_message_xmd(msg, DST, len_in_bytes) expand_message_xmd(msg, DST, len_in_bytes)
Parameters: Parameters:
- H, a hash function (see requirements above). - H, a hash function (see requirements above).
- b_in_bytes, b / 8 for b the output size of H in bits. - b_in_bytes, b / 8 for b the output size of H in bits.
For example, for b = 256, b_in_bytes = 32. For example, for b = 256, b_in_bytes = 32.
- s_in_bytes, the input block size of H, measured in bytes (see - s_in_bytes, the input block size of H, measured in bytes (see
discussion above). For example, for SHA-256, s_in_bytes = 64. discussion above). For example, for SHA-256, s_in_bytes = 64.
Input: Input:
skipping to change at line 788 skipping to change at line 795
- DST, a byte string of at most 255 bytes. - DST, a byte string of at most 255 bytes.
See below for information on using longer DSTs. See below for information on using longer DSTs.
- len_in_bytes, the length of the requested output in bytes, - len_in_bytes, the length of the requested output in bytes,
not greater than the lesser of (255 * b_in_bytes) or 2^16-1. not greater than the lesser of (255 * b_in_bytes) or 2^16-1.
Output: Output:
- uniform_bytes, a byte string. - uniform_bytes, a byte string.
Steps: Steps:
1. ell = ceil(len_in_bytes / b_in_bytes) 1. ell = ceil(len_in_bytes / b_in_bytes)
2. ABORT if ell > 255 or len_in_bytes &gt; 65535 or len(DST) &gt; 255 2. ABORT if ell > 255 or len_in_bytes > 65535 or len(DST) &gt; 255
3. DST_prime = DST || I2OSP(len(DST), 1) 3. DST_prime = DST || I2OSP(len(DST), 1)
4. Z_pad = I2OSP(0, s_in_bytes) 4. Z_pad = I2OSP(0, s_in_bytes)
5. l_i_b_str = I2OSP(len_in_bytes, 2) 5. l_i_b_str = I2OSP(len_in_bytes, 2)
6. msg_prime = Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime 6. msg_prime = Z_pad || msg || l_i_b_str || I2OSP(0, 1) || DST_prime
7. b_0 = H(msg_prime) 7. b_0 = H(msg_prime)
8. b_1 = H(b_0 || I2OSP(1, 1) || DST_prime) 8. b_1 = H(b_0 || I2OSP(1, 1) || DST_prime)
9. for i in (2, ..., ell): 9. for i in (2, ..., ell):
10. b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime) 10. b_i = H(strxor(b_0, b_(i - 1)) || I2OSP(i, 1) || DST_prime)
11. uniform_bytes = b_1 || ... || b_ell 11. uniform_bytes = b_1 || ... || b_ell
12. return substr(uniform_bytes, 0, len_in_bytes) 12. return substr(uniform_bytes, 0, len_in_bytes)
</sourcecode> ]]></sourcecode>
<t>Note that the string Z_pad (step 6) is prefixed to msg before compu ting b_0 (step 7). <t>Note that the string Z_pad (step 6) is prefixed to msg before compu ting b_0 (step 7).
This is necessary for security when H is a Merkle-Damgaard hash, e.g., SHA-2 This is necessary for security when H is a Merkle-Damgaard hash, e.g., SHA-2
(see <xref target="security-considerations-expand-xmd" format="default"/>). (see <xref target="security-considerations-expand-xmd"/>).
Hashing this additional data means that the cost of computing b_0 is higher Hashing this additional data means that the cost of computing b_0 is higher
than the cost of simply computing H(msg). than the cost of simply computing H(msg).
In most settings this overhead is negligible, because the cost of evaluating In most settings, this overhead is negligible, because the cost of evaluating
H is much less than the other costs involved in hashing to a curve.</t> H is much less than the other costs involved in hashing to a curve.</t>
<t>It is possible, however, to entirely avoid this overhead by taking advantage <t>It is possible, however, to entirely avoid this overhead by taking advantage
of the fact that Z_pad depends only on H, and not on the arguments to of the fact that Z_pad depends only on H, and not on the arguments to
expand_message_xmd. expand_message_xmd.
To do so, first precompute and save the internal state of H after ingesting To do so, first precompute and save the internal state of H after ingesting
Z_pad. Then, when computing b_0, initialize H using the saved state. Z_pad. Then, when computing b_0, initialize H using the saved state.
Further details are implementation dependent, and beyond the scope of this docum ent.</t> Further details are implementation dependent and are beyond the scope of this do cument.</t>
</section> </section>
<section anchor="hashtofield-expand-xof" numbered="true" toc="default"> <section anchor="hashtofield-expand-xof">
<name>expand_message_xof</name> <name>expand_message_xof</name>
<t>The expand_message_xof function produces a uniformly random byte st ring <t>The expand_message_xof function produces a uniformly random byte st ring
using an extendable-output function (XOF) H. using an extendable-output function (XOF) H.
For security, H MUST meet the following criteria:</t> For security, H <bcp14>MUST</bcp14> meet the following criteria:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The collision resistance of H MUST be at least k bits.</li> <li>The collision resistance of H <bcp14>MUST</bcp14> be at least k
<li>H MUST be an XOF that has been proved indifferentiable from a ra bits.</li>
ndom oracle <li>H <bcp14>MUST</bcp14> be an XOF that has been proved indifferent
iable from a random oracle
under a reasonable cryptographic assumption.</li> under a reasonable cryptographic assumption.</li>
</ul> </ul>
<t>The SHAKE <xref target="FIPS202" format="default"/> XOF family is a typical and RECOMMENDED choice. <t>The SHAKE XOF family <xref target="FIPS202"/> is a typical and <bcp 14>RECOMMENDED</bcp14> choice.
As an example, for 128-bit security, SHAKE128 would be an appropriate choice.</t > As an example, for 128-bit security, SHAKE128 would be an appropriate choice.</t >
<t>The following procedure implements expand_message_xof.</t> <t>The following procedure implements expand_message_xof.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
expand_message_xof(msg, DST, len_in_bytes) expand_message_xof(msg, DST, len_in_bytes)
Parameters: Parameters:
- H(m, d), an extendable-output function that processes - H(m, d), an extendable-output function that processes
input message m and returns d bytes. input message m and returns d bytes.
Input: Input:
- msg, a byte string. - msg, a byte string.
- DST, a byte string of at most 255 bytes. - DST, a byte string of at most 255 bytes.
See below for information on using longer DSTs. See below for information on using longer DSTs.
- len_in_bytes, the length of the requested output in bytes. - len_in_bytes, the length of the requested output in bytes.
Output: Output:
- uniform_bytes, a byte string. - uniform_bytes, a byte string.
Steps: Steps:
1. ABORT if len_in_bytes > 65535 or len(DST) &gt; 255 1. ABORT if len_in_bytes > 65535 or len(DST) &gt; 255
2. DST_prime = DST || I2OSP(len(DST), 1) 2. DST_prime = DST || I2OSP(len(DST), 1)
3. msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime 3. msg_prime = msg || I2OSP(len_in_bytes, 2) || DST_prime
4. uniform_bytes = H(msg_prime, len_in_bytes) 4. uniform_bytes = H(msg_prime, len_in_bytes)
5. return uniform_bytes 5. return uniform_bytes
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="hashtofield-expand-dst" numbered="true" toc="default"> <section anchor="hashtofield-expand-dst">
<name>Using DSTs longer than 255 bytes</name> <name>Using DSTs Longer than 255 Bytes</name>
<t>The expand_message variants defined in this section accept domain s eparation <t>The expand_message variants defined in this section accept domain s eparation
tags of at most 255 bytes. tags of at most 255 bytes.
If applications require a domain separation tag longer than 255 bytes, e.g., bec ause If applications require a domain separation tag longer than 255 bytes, e.g., bec ause
of requirements imposed by an invoking protocol, implementors MUST compute a sho rt of requirements imposed by an invoking protocol, implementors <bcp14>MUST</bcp14 > compute a short
domain separation tag by hashing, as follows:</t> domain separation tag by hashing, as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>For expand_message_xmd using hash function H, DST is computed a s </t> <t>For expand_message_xmd using hash function H, DST is computed a s </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST) DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST)
</sourcecode> ]]></sourcecode>
</li> </li>
<li> <li>
<t>For expand_message_xof using extendable-output function H, DST is computed as </t> <t>For expand_message_xof using extendable-output function H, DST is computed as </t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8)) DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8))
</sourcecode> ]]></sourcecode>
</li> </li>
</ul> </ul>
<t>Here, a_very_long_DST is the DST whose length is greater than 255 b ytes, <t>Here, a_very_long_DST is the DST whose length is greater than 255 b ytes,
"H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal, and "H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal, and
k is the target security level in bits.</t> k is the target security level in bits.</t>
</section> </section>
<section anchor="hashtofield-expand-other" numbered="true" toc="default" <section anchor="hashtofield-expand-other">
> <name>Defining Other expand_message Variants</name>
<name>Defining other expand_message variants</name>
<t>When defining a new expand_message variant, the most important cons ideration <t>When defining a new expand_message variant, the most important cons ideration
is that hash_to_field models expand_message as a random oracle. is that hash_to_field models expand_message as a random oracle.
Thus, implementors SHOULD prove indifferentiability from a random oracle Thus, implementors <bcp14>SHOULD</bcp14> prove indifferentiability from a random oracle
under an appropriate assumption about the underlying cryptographic primitives; under an appropriate assumption about the underlying cryptographic primitives;
see <xref target="security-considerations-hash-to-field" format="default"/> for more information.</t> see <xref target="security-considerations-hash-to-field"/> for more information. </t>
<t>In addition, expand_message variants:</t> <t>In addition, expand_message variants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>MUST give collision resistance commensurate with the security le <li>
vel of <bcp14>MUST</bcp14> give collision resistance commensurate with th
e security level of
the target elliptic curve.</li> the target elliptic curve.</li>
<li>MUST be built on primitives designed for use in applications req <li>
uiring <bcp14>MUST</bcp14> be built on primitives designed for use in app
lications requiring
cryptographic randomness. As examples, a secure stream cipher is an appropriate cryptographic randomness. As examples, a secure stream cipher is an appropriate
primitive, whereas a Mersenne twister pseudorandom number generator <xref target primitive, whereas a Mersenne twister pseudorandom number generator <xref target
="MT98" format="default"/> is not.</li> ="MT98"/> is not.</li>
<li>MUST NOT use rejection sampling.</li> <li>
<li>MUST give independent values for distinct (msg, DST, length) inp <bcp14>MUST NOT</bcp14> use rejection sampling.</li>
uts. <li>
<bcp14>MUST</bcp14> give independent values for distinct (msg, DST
, length) inputs.
Meeting this requirement is subtle. Meeting this requirement is subtle.
As a simplified example, hashing msg || DST does not work, As a simplified example, hashing msg || DST does not work,
because in this case distinct (msg, DST) pairs whose concatenations are equal because in this case distinct (msg, DST) pairs whose concatenations are equal
will return the same output (e.g., ("AB", "CDEF") and ("ABC", "DEF")). will return the same output (e.g., ("AB", "CDEF") and ("ABC", "DEF")).
The variants defined in this document use a suffix-free encoding of DST The variants defined in this document use a suffix-free encoding of DST
to avoid this issue.</li> to avoid this issue.</li>
<li>MUST use the domain separation tag DST to ensure that invocation <li>
s of <bcp14>MUST</bcp14> use the domain separation tag DST to ensure th
cryptographic primitives inside of expand_message are domain separated at invocations of
cryptographic primitives inside of expand_message are domain-separated
from invocations outside of expand_message. from invocations outside of expand_message.
For example, if the expand_message variant uses a hash function H, an encoding For example, if the expand_message variant uses a hash function H, an encoding
of DST MUST be added either as a prefix or a suffix of the input to each invocat of DST <bcp14>MUST</bcp14> be added either as a prefix or a suffix of the input
ion to each invocation
of H. Adding DST as a suffix is the RECOMMENDED approach.</li> of H. Adding DST as a suffix is the <bcp14>RECOMMENDED</bcp14> approach.</li>
<li>SHOULD read msg exactly once, for efficiency when msg is long.</ <li>
li> <bcp14>SHOULD</bcp14> read msg exactly once, for efficiency when m
sg is long.</li>
</ul> </ul>
<t>In addition, each expand_message variant MUST specify a unique EXP_ <t>In addition, each expand_message variant <bcp14>MUST</bcp14> specif
TAG y a unique EXP_TAG
that identifies that variant in a Suite ID. See <xref target="suiteIDformat" for that identifies that variant in a Suite ID. See <xref target="suiteIDformat"/> f
mat="default"/> for more information.</t> or more information.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="mappings" numbered="true" toc="default"> <section anchor="mappings">
<name>Deterministic mappings</name> <name>Deterministic Mappings</name>
<t>The mappings in this section are suitable for implementing either nonun iform <t>The mappings in this section are suitable for implementing either nonun iform
or uniform encodings using the constructions in <xref target="roadmap" format="d efault"/>. or uniform encodings using the constructions in <xref target="roadmap"/>.
Certain mappings restrict the form of the curve or its parameters. Certain mappings restrict the form of the curve or its parameters.
For each mapping presented, this document lists the relevant restrictions.</t> For each mapping presented, this document lists the relevant restrictions.</t>
<t>Note that mappings in this section are not interchangeable: different m appings <t>Note that mappings in this section are not interchangeable: different m appings
will almost certainly output different points when evaluated on the same input.< /t> will almost certainly output different points when evaluated on the same input.< /t>
<section anchor="choosing-mapping" numbered="true" toc="default"> <section anchor="choosing-mapping">
<name>Choosing a mapping function</name> <name>Choosing a Mapping Function</name>
<t>This section gives brief guidelines on choosing a mapping function <t>This section gives brief guidelines on choosing a mapping function
for a given elliptic curve. for a given elliptic curve.
Note that the suites given in <xref target="suites" format="default"/> are recom mended mappings Note that the suites given in <xref target="suites"/> are recommended mappings
for the respective curves.</t> for the respective curves.</t>
<t>If the target elliptic curve is a Montgomery curve (<xref target="mon <t>If the target elliptic curve is a Montgomery curve (<xref target="mon
tgomery" format="default"/>), tgomery"/>),
the Elligator 2 method (<xref target="elligator2" format="default"/>) is recomme the Elligator 2 method (<xref target="elligator2"/>) is recommended.
nded. Similarly, if the target elliptic curve is a twisted Edwards curve (<xref target
Similarly, if the target elliptic curve is a twisted Edwards curve (<xref target ="twisted-edwards"/>),
="twisted-edwards" format="default"/>), the twisted Edwards Elligator 2 method (<xref target="ell2edwards"/>) is recomme
the twisted Edwards Elligator 2 method (<xref target="ell2edwards" format="defau nded.</t>
lt"/>) is recommended.</t>
<t>The remaining cases are Weierstrass curves. <t>The remaining cases are Weierstrass curves.
For curves supported by the Simplified SWU method (<xref target="simple-swu" for mat="default"/>), For curves supported by the Simplified Shallue-van de Woestijne-Ulas (SWU) metho d (<xref target="simple-swu"/>),
that mapping is the recommended one. that mapping is the recommended one.
Otherwise, the Simplified SWU method for AB == 0 (<xref target="simple-swu-AB0" format="default"/>) Otherwise, the Simplified SWU method for AB == 0 (<xref target="simple-swu-AB0"/ >)
is recommended if the goal is best performance, while is recommended if the goal is best performance, while
the Shallue-van de Woestijne method (<xref target="svdw" format="default"/>) is recommended the Shallue-van de Woestijne method (<xref target="svdw"/>) is recommended
if the goal is simplicity of implementation. if the goal is simplicity of implementation.
(The reason for this distinction is that the Simplified SWU method for AB == 0 (The reason for this distinction is that the Simplified SWU method for AB == 0
requires implementing an isogeny map in addition to the mapping function, while requires implementing an isogeny map in addition to the mapping function, while
the Shallue-van de Woestijne method does not.)</t> the Shallue-van de Woestijne method does not.)</t>
<t>The Shallue-van de Woestijne method (<xref target="svdw" format="defa ult"/>) works with any curve, <t>The Shallue-van de Woestijne method (<xref target="svdw"/>) works wit h any curve
and may be used in cases where a generic mapping is required. and may be used in cases where a generic mapping is required.
Note, however, that this mapping is almost always more computationally Note, however, that this mapping is almost always more computationally
expensive than the curve-specific recommendations above.</t> expensive than the curve-specific recommendations above.</t>
</section> </section>
<section anchor="interface" numbered="true" toc="default"> <section anchor="interface">
<name>Interface</name> <name>Interface</name>
<t>The generic interface shared by all mappings in this section is as fo llows:</t> <t>The generic interface shared by all mappings in this section is as fo llows:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
(x, y) = map_to_curve(u) (x, y) = map_to_curve(u)
</sourcecode> ]]></sourcecode>
<t>The input u and outputs x and y are elements of the field F. <t>The input u and outputs x and y are elements of the field F.
The affine coordinates (x, y) specify a point on an elliptic curve defined The affine coordinates (x, y) specify a point on an elliptic curve defined
over F. Note, however, that the point (x, y) is not a uniformly random point.</t > over F. Note, however, that the point (x, y) is not a uniformly random point.</t >
</section> </section>
<section anchor="notation" numbered="true" toc="default"> <section anchor="notation">
<name>Notation</name> <name>Notation</name>
<t>As a rough guide, the following conventions are used in pseudocode:</ t> <t>As a rough guide, the following conventions are used in pseudocode:</ t>
<ul spacing="normal"> <ul spacing="normal">
<li>All arithmetic operations are performed over a field F, unless <li>All arithmetic operations are performed over a field F, unless
explicitly stated otherwise.</li> explicitly stated otherwise.</li>
<li>u: the input to the mapping function. <li>u: the input to the mapping function.
This is an element of F produced by the hash_to_field function.</li> This is an element of F produced by the hash_to_field function.</li>
<li>(x, y), (s, t), (v, w): the affine coordinates of the point output by the mapping. <li>(x, y), (s, t), (v, w): the affine coordinates of the point output by the mapping.
Indexed variables (e.g., x1, y2, ...) are used for candidate values.</li> Indexed variables (e.g., x1, y2, ...) are used for candidate values.</li>
<li>tv1, tv2, ...: reusable temporary variables.</li> <li>tv1, tv2, ...: reusable temporary variables.</li>
<li>c1, c2, ...: constant values, which can be computed in advance.</l i> <li>c1, c2, ...: constant values, which can be computed in advance.</l i>
</ul> </ul>
</section> </section>
<section anchor="point-sign" numbered="true" toc="default"> <section anchor="point-sign">
<name>Sign of the resulting point</name> <name>Sign of the Resulting Point</name>
<t>In general, elliptic curves have equations of the form y^2 = g(x). <t>In general, elliptic curves have equations of the form y^2 = g(x).
The mappings in this section first identify an x such that The mappings in this section first identify an x such that
g(x) is square, then take a square root to find y. Since there g(x) is square, then take a square root to find y. Since there
are two square roots when g(x) != 0, this may result in an ambiguity are two square roots when g(x) != 0, this may result in an ambiguity
regarding the sign of y.</t> regarding the sign of y.</t>
<t>When necessary, the mappings in this section resolve this ambiguity b y <t>When necessary, the mappings in this section resolve this ambiguity b y
specifying the sign of the y-coordinate in terms of the input to the mapping specifying the sign of the y-coordinate in terms of the input to the mapping
function. function.
Two main reasons support this approach: first, this covers elliptic curves Two main reasons support this approach: first, this covers elliptic curves
over any field in a uniform way, and second, it gives implementors leeway over any field in a uniform way, and second, it gives implementors leeway
in optimizing square-root implementations.</t> in optimizing square-root implementations.</t>
</section> </section>
<section anchor="map-exceptions" numbered="true" toc="default"> <section anchor="map-exceptions">
<name>Exceptional cases</name> <name>Exceptional Cases</name>
<t>Mappings may have exceptional cases, i.e., inputs u <t>Mappings may have exceptional cases, i.e., inputs u
on which the mapping is undefined. These cases must be handled on which the mapping is undefined. These cases must be handled
carefully, especially for constant-time implementations.</t> carefully, especially for constant-time implementations.</t>
<t>For each mapping in this section, we discuss the exceptional cases an d show <t>For each mapping in this section, we discuss the exceptional cases an d show
how to handle them in constant time. Note that all implementations SHOULD use how to handle them in constant time. Note that all implementations <bcp14>SHOULD
inv0 (<xref target="utility" format="default"/>) to compute multiplicative inver </bcp14> use
ses, to avoid exceptional inv0 (<xref target="utility"/>) to compute multiplicative inverses, to avoid exc
eptional
cases that result from attempting to compute the inverse of 0.</t> cases that result from attempting to compute the inverse of 0.</t>
</section> </section>
<section anchor="weierstrass" numbered="true" toc="default"> <section anchor="weierstrass">
<name>Mappings for Weierstrass curves</name> <name>Mappings for Weierstrass Curves</name>
<t>The mappings in this section apply to a target curve E defined by the equation</t> <t>The mappings in this section apply to a target curve E defined by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
y^2 = g(x) = x^3 + A * x + B y^2 = g(x) = x^3 + A * x + B
</sourcecode> ]]></sourcecode>
<t>where 4 * A^3 + 27 * B^2 != 0.</t> <t>where 4 * A^3 + 27 * B^2 != 0.</t>
<section anchor="svdw" numbered="true" toc="default"> <section anchor="svdw">
<name>Shallue-van de Woestijne method</name> <name>Shallue-van de Woestijne Method</name>
<t>Shallue and van de Woestijne <xref target="SW06" format="default"/> <t>Shallue and van de Woestijne <xref target="SW06"/> describe a mappi
describe a mapping that applies to ng that applies to
essentially any elliptic curve. essentially any elliptic curve.
(Note, however, that this mapping is more expensive to evaluate than (Note, however, that this mapping is more expensive to evaluate than
the other mappings in this document.)</t> the other mappings in this document.)</t>
<t>The parameterization given below is for Weierstrass curves; <t>The parameterization given below is for Weierstrass curves;
its derivation is detailed in <xref target="W19" format="default"/>. its derivation is detailed in <xref target="W19"/>.
This parameterization also works for Montgomery (<xref target="montgomery" forma This parameterization also works for Montgomery curves (<xref target="montgomery
t="default"/>) and "/>) and
twisted Edwards (<xref target="twisted-edwards" format="default"/>) curves via t twisted Edwards curves (<xref target="twisted-edwards"/>) via the rational maps
he rational maps given in <xref target="appx-rational-map"/>:
given in <xref target="appx-rational-map" format="default"/>: first, evaluate the Shallue-van de Woestijne mapping to an equivalent Weierstras
first evaluate the Shallue-van de Woestijne mapping to an equivalent Weierstrass s
curve, then map that point to the target Montgomery or twisted Edwards curve curve, then map that point to the target Montgomery or twisted Edwards curve
using the corresponding rational map.</t> using the corresponding rational map.</t>
<t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B.</t> <t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B.</t>
<t>Constants:</t> <t>Constants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A and B, the parameter of the Weierstrass curve.</li> <li>A and B, the parameter of the Weierstrass curve.</li>
<li> <li>
<t>Z, a non-zero element of F meeting the below criteria. <t>Z, a non-zero element of F meeting the below criteria.
<xref target="svdw-z-code" format="default"/> gives a Sage <xref target="SAGE" f <xref target="svdw-z-code"/> gives a Sage script <xref target="SAGE"/> that outp
ormat="default"/> script that outputs the RECOMMENDED Z. </t> uts the <bcp14>RECOMMENDED</bcp14> Z. </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>g(Z) != 0 in F.</li>
<li>g(Z) != 0 in F.</li>
<li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.</li> <li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) != 0 in F.</li>
<li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.</li> <li>-(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.</li>
<li>At least one of g(Z) and g(-Z / 2) is square in F.</li> <li>At least one of g(Z) and g(-Z / 2) is square in F.</li>
</ol> </ol>
</li> </li>
</ul> </ul>
<t>Sign of y: Inputs u and -u give the same x-coordinate for many valu es of u. <t>Sign of y: Inputs u and -u give the same x-coordinate for many valu es of u.
Thus, we set sgn0(y) == sgn0(u).</t> Thus, we set sgn0(y) == sgn0(u).</t>
<t>Exceptions: The exceptional cases for u occur when <t>Exceptions: The exceptional cases for u occur when
(1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) == 0. (1 + u^2 * g(Z)) * (1 - u^2 * g(Z)) == 0.
The restrictions on Z given above ensure that implementations that use inv0 The restrictions on Z given above ensure that implementations that use inv0
to invert this product are exception free.</t> to invert this product are exception free.</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. tv1 = u^2 * g(Z) 1. tv1 = u^2 * g(Z)
2. tv2 = 1 + tv1 2. tv2 = 1 + tv1
3. tv1 = 1 - tv1 3. tv1 = 1 - tv1
4. tv3 = inv0(tv1 * tv2) 4. tv3 = inv0(tv1 * tv2)
5. tv4 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # can be precomputed 5. tv4 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # can be precomputed
6. If sgn0(tv4) == 1, set tv4 = -tv4 # sgn0(tv4) MUST equal 0 6. If sgn0(tv4) == 1, set tv4 = -tv4 # sgn0(tv4) MUST equal 0
7. tv5 = u * tv1 * tv3 * tv4 7. tv5 = u * tv1 * tv3 * tv4
8. tv6 = -4 * g(Z) / (3 * Z^2 + 4 * A) # can be precomputed 8. tv6 = -4 * g(Z) / (3 * Z^2 + 4 * A) # can be precomputed
9. x1 = -Z / 2 - tv5 9. x1 = -Z / 2 - tv5
10. x2 = -Z / 2 + tv5 10. x2 = -Z / 2 + tv5
11. x3 = Z + tv6 * (tv2^2 * tv3)^2 11. x3 = Z + tv6 * (tv2^2 * tv3)^2
12. If is_square(g(x1)), set x = x1 and y = sqrt(g(x1)) 12. If is_square(g(x1)), set x = x1 and y = sqrt(g(x1))
13. Else If is_square(g(x2)), set x = x2 and y = sqrt(g(x2)) 13. Else If is_square(g(x2)), set x = x2 and y = sqrt(g(x2))
14. Else set x = x3 and y = sqrt(g(x3)) 14. Else set x = x3 and y = sqrt(g(x3))
15. If sgn0(u) != sgn0(y), set y = -y 15. If sgn0(u) != sgn0(y), set y = -y
16. return (x, y) 16. return (x, y)
</sourcecode> ]]></sourcecode>
<t><xref target="straightline-svdw" format="default"/> gives an exampl <t><xref target="straightline-svdw"/> gives an example straight-line i
e straight-line implementation of this mplementation of this
mapping.</t> mapping.</t>
</section> </section>
<section anchor="simple-swu" numbered="true" toc="default"> <section anchor="simple-swu">
<name>Simplified Shallue-van de Woestijne-Ulas method</name> <name>Simplified Shallue-van de Woestijne-Ulas Method</name>
<t>The function map_to_curve_simple_swu(u) implements a simplification <t>The function map_to_curve_simple_swu(u) implements a simplification
of the Shallue-van de Woestijne-Ulas mapping <xref target="U07" format="default" of the Shallue-van de Woestijne-Ulas mapping <xref target="U07"/> described by B
/> described by Brier et rier et
al. <xref target="BCIMRT10" format="default"/>, which they call the "simplified al. <xref target="BCIMRT10"/>, which they call the "simplified SWU" map. Wahby a
SWU" map. Wahby and Boneh nd Boneh
<xref target="WB19" format="default"/> generalize and optimize this mapping.</t> <xref target="WB19"/> generalize and optimize this mapping.</t>
<t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B where A != 0 and B != 0.</t> <t>Preconditions: A Weierstrass curve y^2 = x^3 + A * x + B where A != 0 and B != 0.</t>
<t>Constants:</t> <t>Constants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A and B, the parameters of the Weierstrass curve.</li> <li>A and B, the parameters of the Weierstrass curve.</li>
<li> <li>
<t>Z, an element of F meeting the below criteria. <t>Z, an element of F meeting the below criteria.
<xref target="sswu-z-code" format="default"/> gives a Sage <xref target="SAGE" f <xref target="sswu-z-code"/> gives a Sage script <xref target="SAGE"/> that outp
ormat="default"/> script that outputs the RECOMMENDED Z. uts the <bcp14>RECOMMENDED</bcp14> Z.
The criteria are: </t> The criteria are as follows: </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>Z is non-square in F,</li>
<li>Z is non-square in F,</li>
<li>Z != -1 in F,</li> <li>Z != -1 in F,</li>
<li>the polynomial g(x) - Z is irreducible over F, and</li> <li>the polynomial g(x) - Z is irreducible over F, and</li>
<li>g(B / (Z * A)) is square in F.</li> <li>g(B / (Z * A)) is square in F.</li>
</ol> </ol>
</li> </li>
</ul> </ul>
<t>Sign of y: Inputs u and -u give the same x-coordinate. <t>Sign of y: Inputs u and -u give the same x-coordinate.
Thus, we set sgn0(y) == sgn0(u).</t> Thus, we set sgn0(y) == sgn0(u).</t>
<t>Exceptions: The exceptional cases are values of u such that <t>Exceptions: The exceptional cases are values of u such that
Z^2 * u^4 + Z * u^2 == 0. This includes u == 0, and may include Z^2 * u^4 + Z * u^2 == 0. This includes u == 0 and may include
other values depending on Z. Implementations must detect other values that depend on Z. Implementations must detect
this case and set x1 = B / (Z * A), which guarantees that g(x1) this case and set x1 = B / (Z * A), which guarantees that g(x1)
is square by the condition on Z given above.</t> is square by the condition on Z given above.</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. tv1 = inv0(Z^2 * u^4 + Z * u^2) 1. tv1 = inv0(Z^2 * u^4 + Z * u^2)
2. x1 = (-B / A) * (1 + tv1) 2. x1 = (-B / A) * (1 + tv1)
3. If tv1 == 0, set x1 = B / (Z * A) 3. If tv1 == 0, set x1 = B / (Z * A)
4. gx1 = x1^3 + A * x1 + B 4. gx1 = x1^3 + A * x1 + B
5. x2 = Z * u^2 * x1 5. x2 = Z * u^2 * x1
6. gx2 = x2^3 + A * x2 + B 6. gx2 = x2^3 + A * x2 + B
7. If is_square(gx1), set x = x1 and y = sqrt(gx1) 7. If is_square(gx1), set x = x1 and y = sqrt(gx1)
8. Else set x = x2 and y = sqrt(gx2) 8. Else set x = x2 and y = sqrt(gx2)
9. If sgn0(u) != sgn0(y), set y = -y 9. If sgn0(u) != sgn0(y), set y = -y
10. return (x, y) 10. return (x, y)
</sourcecode> ]]></sourcecode>
<t><xref target="straightline-sswu" format="default"/> gives a general <t><xref target="straightline-sswu"/> gives a general and optimized st
and optimized straight-line implementation of raight-line implementation of
this mapping. For more information on optimizing this mapping, see <xref target= this mapping. For more information on optimizing this mapping, see Section 4 of
"WB19" format="default"/> Section <xref target="WB19"/>
4 or the example code found at <xref target="hash2curve-repo" format="default"/> or the example code found at <xref target="hash2curve-repo"/>.</t>
.</t>
</section> </section>
<section anchor="simple-swu-AB0" numbered="true" toc="default"> <section anchor="simple-swu-AB0">
<name>Simplified SWU for AB == 0</name> <name>Simplified SWU for AB == 0</name>
<t>Wahby and Boneh <xref target="WB19" format="default"/> show how to adapt the simplified SWU mapping to <t>Wahby and Boneh <xref target="WB19"/> show how to adapt the Simplif ied SWU mapping to
Weierstrass curves having A == 0 or B == 0, which the mapping of Weierstrass curves having A == 0 or B == 0, which the mapping of
<xref target="simple-swu" format="default"/> does not support. <xref target="simple-swu"/> does not support.
(The case A == B == 0 is excluded because y^2 = x^3 is not an elliptic curve.)</ t> (The case A == B == 0 is excluded because y^2 = x^3 is not an elliptic curve.)</ t>
<t>This method applies to curves like secp256k1 <xref target="SEC2" fo <t>This method applies to curves like secp256k1 <xref target="SEC2"/>
rmat="default"/> and to pairing-friendly and to pairing-friendly
curves in the Barreto-Lynn-Scott <xref target="BLS03" format="default"/>, Barret curves in the Barreto-Lynn-Scott family <xref target="BLS03"/>, Barreto-Naehrig
o-Naehrig <xref target="BN05" format="default"/>, and other families.</t> family <xref target="BN05"/>, and other families.</t>
<t>This method requires finding another elliptic curve E' given by the equation</t> <t>This method requires finding another elliptic curve E' given by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
y'^2 = g'(x') = x'^3 + A' * x' + B' y'^2 = g'(x') = x'^3 + A' * x' + B'
</sourcecode> ]]></sourcecode>
<t>that is isogenous to E and has A' != 0 and B' != 0. <t>that is isogenous to E and has A' != 0 and B' != 0.
(See <xref target="WB19" format="default"/>, Appendix A, for one way of finding E' using <xref target="SAGE" format="default"/>.) (See <xref target="WB19"/>, Appendix A, for one way of finding E' using <xref ta rget="SAGE"/>.)
This isogeny defines a map iso_map(x', y') given by a pair of rational functions . This isogeny defines a map iso_map(x', y') given by a pair of rational functions .
iso_map takes as input a point on E' and produces as output a point on E.</t> iso_map takes as input a point on E' and produces as output a point on E.</t>
<t>Once E' and iso_map are identified, this mapping works as follows: on input <t>Once E' and iso_map are identified, this mapping works as follows: on input
u, first apply the simplified SWU mapping to get a point on E', then apply u, first apply the Simplified SWU mapping to get a point on E', then apply
the isogeny map to that point to get a point on E.</t> the isogeny map to that point to get a point on E.</t>
<t>Note that iso_map is a group homomorphism, meaning that point addit ion <t>Note that iso_map is a group homomorphism, meaning that point addit ion
commutes with iso_map. commutes with iso_map.
Thus, when using this mapping in the hash_to_curve construction of <xref target= "roadmap" format="default"/>, Thus, when using this mapping in the hash_to_curve construction discussed in <xr ef target="roadmap"/>,
one can effect a small optimization by first mapping u0 and u1 to E', adding one can effect a small optimization by first mapping u0 and u1 to E', adding
the resulting points on E', and then applying iso_map to the sum. the resulting points on E', and then applying iso_map to the sum.
This gives the same result while requiring only one evaluation of iso_map.</t> This gives the same result while requiring only one evaluation of iso_map.</t>
<t>Preconditions: An elliptic curve E' with A' != 0 and B' != 0 that i s <t>Preconditions: An elliptic curve E' with A' != 0 and B' != 0 that i s
isogenous to the target curve E with isogeny map iso_map from isogenous to the target curve E with isogeny map iso_map from
E' to E.</t> E' to E.</t>
<t>Helper functions:</t> <t>Helper functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>map_to_curve_simple_swu is the mapping of <xref target="simple-s wu" format="default"/> to E'</li> <li>map_to_curve_simple_swu is the mapping of <xref target="simple-s wu"/> to E'</li>
<li>iso_map is the isogeny map from E' to E</li> <li>iso_map is the isogeny map from E' to E</li>
</ul> </ul>
<t>Sign of y: for this map, the sign is determined by map_to_curve_sim ple_swu. <t>Sign of y: For this map, the sign is determined by map_to_curve_sim ple_swu.
No further sign adjustments are necessary.</t> No further sign adjustments are necessary.</t>
<t>Exceptions: map_to_curve_simple_swu handles its exceptional cases. <t>Exceptions: map_to_curve_simple_swu handles its exceptional cases.
Exceptional cases of iso_map are inputs that cause the denominator of Exceptional cases of iso_map are inputs that cause the denominator of
either rational function to evaluate to zero; such cases MUST return the either rational function to evaluate to zero; such cases <bcp14>MUST</bcp14> ret urn the
identity point on E.</t> identity point on E.</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. (x', y') = map_to_curve_simple_swu(u) # (x', y') is on E' 1. (x', y') = map_to_curve_simple_swu(u) # (x', y') is on E'
2. (x, y) = iso_map(x', y') # (x, y) is on E 2. (x, y) = iso_map(x', y') # (x, y) is on E
3. return (x, y) 3. return (x, y)
</sourcecode> ]]></sourcecode>
<t>See <xref target="hash2curve-repo" format="default"/> or <xref targ <t>See <xref target="hash2curve-repo"/> or Section 4.3 of <xref target
et="WB19" format="default"/> Section 4.3 for details on implementing the isogeny ="WB19"/> for details on implementing the isogeny map.</t>
map.</t>
</section> </section>
</section> </section>
<section anchor="montgomery" numbered="true" toc="default"> <section anchor="montgomery">
<name>Mappings for Montgomery curves</name> <name>Mappings for Montgomery Curves</name>
<t>The mapping defined in this section applies to a target curve M defin ed by the equation</t> <t>The mapping defined in this section applies to a target curve M defin ed by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
K * t^2 = s^3 + J * s^2 + s K * t^2 = s^3 + J * s^2 + s
</sourcecode> ]]></sourcecode>
<section anchor="elligator2" numbered="true" toc="default"> <section anchor="elligator2">
<name>Elligator 2 method</name> <name>Elligator 2 Method</name>
<t>Bernstein, Hamburg, Krasnova, and Lange give a mapping that applies to any <t>Bernstein, Hamburg, Krasnova, and Lange give a mapping that applies to any
curve with a point of order 2 <xref target="BHKL13" format="default"/>, which th ey call Elligator 2.</t> curve with a point of order 2 <xref target="BHKL13"/>, which they call Elligator 2.</t>
<t>Preconditions: A Montgomery curve K * t^2 = s^3 + J * s^2 + s where <t>Preconditions: A Montgomery curve K * t^2 = s^3 + J * s^2 + s where
J != 0, K != 0, and (J^2 - 4) / K^2 is non-zero and non-square in F.</t> J&nbsp;!= 0, K != 0, and (J^2 - 4) / K^2 is non-zero and non-square in F.</t>
<t>Constants:</t> <t>Constants:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>J and K, the parameters of the elliptic curve.</li> <li>J and K, the parameters of the elliptic curve.</li>
<li>Z, a non-square element of F. <li>Z, a non-square element of F.
<xref target="elligator-z-code" format="default"/> gives a Sage <xref target="SA GE" format="default"/> script that outputs the RECOMMENDED Z.</li> <xref target="elligator-z-code"/> gives a Sage script <xref target="SAGE"/> that outputs the <bcp14>RECOMMENDED</bcp14> Z.</li>
</ul> </ul>
<t>Sign of t: this mapping fixes the sign of t as specified in <xref t arget="BHKL13" format="default"/>. <t>Sign of t: This mapping fixes the sign of t as specified in <xref t arget="BHKL13"/>.
No additional adjustment is required.</t> No additional adjustment is required.</t>
<t>Exceptions: The exceptional case is Z * u^2 == -1, i.e., 1 + Z * u^ 2 == 0. <t>Exceptions: The exceptional case is Z * u^2 == -1, i.e., 1 + Z * u^ 2 == 0.
Implementations must detect this case and set x1 = -(J / K). Implementations must detect this case and set x1 = -(J / K).
Note that this can only happen when q = 3 (mod 4).</t> Note that this can only happen when q = 3 (mod 4).</t>
<t>Operations:</t> <t>Operations:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
1. x1 = -(J / K) * inv0(1 + Z * u^2) 1. x1 = -(J / K) * inv0(1 + Z * u^2)
2. If x1 == 0, set x1 = -(J / K) 2. If x1 == 0, set x1 = -(J / K)
3. gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2 3. gx1 = x1^3 + (J / K) * x1^2 + x1 / K^2
4. x2 = -x1 - (J / K) 4. x2 = -x1 - (J / K)
5. gx2 = x2^3 + (J / K) * x2^2 + x2 / K^2 5. gx2 = x2^3 + (J / K) * x2^2 + x2 / K^2
6. If is_square(gx1), set x = x1, y = sqrt(gx1) with sgn0(y) == 1. 6. If is_square(gx1), set x = x1, y = sqrt(gx1) with sgn0(y) == 1.
7. Else set x = x2, y = sqrt(gx2) with sgn0(y) == 0. 7. Else set x = x2, y = sqrt(gx2) with sgn0(y) == 0.
8. s = x * K 8. s = x * K
9. t = y * K 9. t = y * K
10. return (s, t) 10. return (s, t)
</sourcecode> ]]></sourcecode>
<t><xref target="straightline-ell2" format="default"/> gives an exampl <t><xref target="straightline-ell2"/> gives an example straight-line i
e straight-line implementation of this mplementation of this
mapping. mapping.
<xref target="ell2-opt" format="default"/> gives optimized straight-line procedu res that apply to specific <xref target="ell2-opt"/> gives optimized straight-line procedures that apply to specific
classes of curves and base fields.</t> classes of curves and base fields.</t>
</section> </section>
</section> </section>
<section anchor="twisted-edwards" numbered="true" toc="default"> <section anchor="twisted-edwards">
<name>Mappings for twisted Edwards curves</name> <name>Mappings for Twisted Edwards Curves</name>
<t>Twisted Edwards curves (a class of curves that includes Edwards curve s) <t>Twisted Edwards curves (a class of curves that includes Edwards curve s)
are given by the equation</t> are given by the equation</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
a * v^2 + w^2 = 1 + d * v^2 * w^2 a * v^2 + w^2 = 1 + d * v^2 * w^2
</sourcecode> ]]></sourcecode>
<t>with a != 0, d != 0, and a != d <xref target="BBJLP08" format="defaul <t>with a != 0, d != 0, and a != d <xref target="BBJLP08"/>.</t>
t"/>.</t>
<t>These curves are closely related to Montgomery <t>These curves are closely related to Montgomery
curves (<xref target="montgomery" format="default"/>): every twisted Edwards cur curves (<xref target="montgomery"/>): every twisted Edwards curve is birationall
ve is birationally equivalent y equivalent
to a Montgomery curve (<xref target="BBJLP08" format="default"/>, Theorem 3.2). to a Montgomery curve (<xref target="BBJLP08"/>, Theorem 3.2).
This equivalence yields an efficient way of hashing to a twisted Edwards curve: This equivalence yields an efficient way of hashing to a twisted Edwards curve:
first, hash to an equivalent Montgomery curve, then transform the first, hash to an equivalent Montgomery curve, then transform the
result into a point on the twisted Edwards curve via a rational map. result into a point on the twisted Edwards curve via a rational map.
This method of hashing to a twisted Edwards curve thus requires identifying a This method of hashing to a twisted Edwards curve thus requires identifying a
corresponding Montgomery curve and rational map. corresponding Montgomery curve and rational map.
We describe how to identify such a curve and map immediately below.</t> We describe how to identify such a curve and map immediately below.</t>
<section anchor="rational-map" numbered="true" toc="default"> <section anchor="rational-map">
<name>Rational maps from Montgomery to twisted Edwards curves</name> <name>Rational Maps from Montgomery to Twisted Edwards Curves</name>
<t>There are two ways to select a Montgomery curve and rational map <t>There are two ways to select a Montgomery curve and rational map
for use when hashing to a given twisted Edwards curve. for use when hashing to a given twisted Edwards curve.
The selected Montgomery curve and rational map MUST be specified as part of The selected Montgomery curve and rational map <bcp14>MUST</bcp14> be specified
the hash-to-curve suite for a given twisted Edwards curve; see <xref target="sui as part of
tes" format="default"/>.</t> the hash-to-curve suite for a given twisted Edwards curve; see <xref target="sui
<ol spacing="normal" type="1"> tes"/>.</t>
<li> <ol spacing="normal" type="1"><li>
<t>When hashing to a standardized twisted Edwards curve for which a corresponding <t>When hashing to a standardized twisted Edwards curve for which a corresponding
Montgomery form and rational map are also standardized, the standard Montgomery form and rational map are also standardized, the standard
Montgomery form and rational map SHOULD be used to ensure compatibility Montgomery form and rational map <bcp14>SHOULD</bcp14> be used to ensure compati bility
with existing software. </t> with existing software. </t>
<t> <t>
In certain cases, e.g., edwards25519 <xref target="RFC7748" format="default"/>, the sign of the rational In certain cases, e.g., edwards25519 <xref target="RFC7748"/>, the sign of the r ational
map from the twisted Edwards curve to its corresponding Montgomery curve map from the twisted Edwards curve to its corresponding Montgomery curve
is not given explicitly. is not given explicitly.
In this case, the sign MUST be fixed such that applying the rational map In this case, the sign <bcp14>MUST</bcp14> be fixed such that applying the rati onal map
to the twisted Edwards curve's base point yields the Montgomery curve's to the twisted Edwards curve's base point yields the Montgomery curve's
base point with correct sign. base point with correct sign.
(For edwards25519, see <xref target="RFC7748" format="default"/> and <xref targ et="EID4730" format="default"/>.) </t> (For edwards25519, see <xref target="RFC7748"/> and <xref target="Err4730"/>.) </t>
<t> <t>
When defining new twisted Edwards curves, a Montgomery equivalent and rational When defining new twisted Edwards curves, a Montgomery equivalent and rational
map SHOULD also be specified, and the sign of the rational map SHOULD be stated map <bcp14>SHOULD</bcp14> also be specified, and the sign of the rational map < bcp14>SHOULD</bcp14> be stated
explicitly.</t> explicitly.</t>
</li> </li>
<li>When hashing to a twisted Edwards curve that does not have a sta ndardized <li>When hashing to a twisted Edwards curve that does not have a sta ndardized
Montgomery form or rational map, the map given in <xref target="appx-rational-ma Montgomery form or rational map, the map given in <xref target="appx-rational-ma
p" format="default"/> p"/>
SHOULD be used.</li> <bcp14>SHOULD</bcp14> be used.</li>
</ol> </ol>
</section> </section>
<section anchor="ell2edwards" numbered="true" toc="default"> <section anchor="ell2edwards">
<name>Elligator 2 method</name> <name>Elligator 2 Method</name>
<t>Preconditions: A twisted Edwards curve E and an equivalent Montgome ry <t>Preconditions: A twisted Edwards curve E and an equivalent Montgome ry
curve M meeting the requirements in <xref target="rational-map" format="default" />.</t> curve M meeting the requirements in <xref target="rational-map"/>.</t>
<t>Helper functions:</t> <t>Helper functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>map_to_curve_elligator2 is the mapping of <xref target="elligato r2" format="default"/> to the curve M.</li> <li>map_to_curve_elligator2 is the mapping of <xref target="elligato r2"/> to the curve M.</li>
<li>rational_map is a function that takes a point (s, t) on M and <li>rational_map is a function that takes a point (s, t) on M and
returns a point (v, w) on E, as defined in <xref target="rational-map" format="d efault"/>.</li> returns a point (v, w) on E. This rational map should be chosen as defined in <x ref target="rational-map"/>.</li>
</ul> </ul>
<t>Sign of t (and v): for this map, the sign is determined by map_to_c urve_elligator2. <t>Sign of t (and v): For this map, the sign is determined by map_to_c urve_elligator2.
No further sign adjustments are required.</t> No further sign adjustments are required.</t>
<t>Exceptions: The exceptions for the Elligator 2 mapping are as given in <t>Exceptions: The exceptions for the Elligator 2 mapping are as given in
<xref target="elligator2" format="default"/>. <xref target="elligator2"/>.
The exceptions for the rational map are as given in <xref target="rational-map" The exceptions for the rational map are as given in <xref target="rational-map"/
format="default"/>. >.
No other exceptions are possible.</t> No other exceptions are possible.</t>
<t>The following procedure implements the Elligator 2 mapping for a tw isted <t>The following procedure implements the Elligator 2 mapping for a tw isted
Edwards curve. Edwards curve.
(Note that the output point is denoted (v, w) because it is a point on (Note that the output point is denoted (v, w) because it is a point on
the target twisted Edwards curve.)</t> the target twisted Edwards curve.)</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_edwards(u) map_to_curve_elligator2_edwards(u)
Input: u, an element of F. Input: u, an element of F.
Output: (v, w), a point on E. Output: (v, w), a point on E.
1. (s, t) = map_to_curve_elligator2(u) # (s, t) is on M 1. (s, t) = map_to_curve_elligator2(u) # (s, t) is on M
2. (v, w) = rational_map(s, t) # (v, w) is on E 2. (v, w) = rational_map(s, t) # (v, w) is on E
3. return (v, w) 3. return (v, w)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="cofactor-clearing" numbered="true" toc="default"> <section anchor="cofactor-clearing">
<name>Clearing the cofactor</name> <name>Clearing the Cofactor</name>
<t>The mappings of <xref target="mappings" format="default"/> always outpu <t>The mappings of <xref target="mappings"/> always output a point on the
t a point on the elliptic curve, elliptic curve,
i.e., a point in a group of order h * r (<xref target="bg-curves" format="defaul i.e., a point in a group of order h * r (<xref target="bg-curves"/>). Obtaining
t"/>). Obtaining a point in G a point in G
may require a final operation commonly called "clearing the cofactor," which may require a final operation commonly called "clearing the cofactor," which
takes as input any point on the curve and produces as output a point in the takes as input any point on the curve and produces as output a point in the
prime-order (sub)group G (<xref target="bg-curves" format="default"/>).</t> prime-order (sub)group G (<xref target="bg-curves"/>).</t>
<t>The cofactor can always be cleared via scalar multiplication by h. <t>The cofactor can always be cleared via scalar multiplication by h.
For elliptic curves where h = 1, i.e., the curves with a prime number of points, For elliptic curves where h = 1, i.e., the curves with a prime number of points,
no operation is required. This applies, for example, to the NIST curves P-256, no operation is required. This applies, for example, to the NIST curves P-256,
P-384, and P-521 <xref target="FIPS186-4" format="default"/>.</t> P-384, and P-521 <xref target="FIPS186-4"/>.</t>
<t>In some cases, it is possible to clear the cofactor via a faster method than <t>In some cases, it is possible to clear the cofactor via a faster method than
scalar multiplication by h. scalar multiplication by h.
These methods are equivalent to (but usually faster than) multiplication by These methods are equivalent to (but usually faster than) multiplication by
some scalar h_eff whose value is determined by the method and the curve. some scalar h_eff whose value is determined by the method and the curve.
Examples of fast cofactor clearing methods include the following:</t> Examples of fast cofactor clearing methods include the following:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>For certain pairing-friendly curves having subgroup G2 over an exten sion <li>For certain pairing-friendly curves having subgroup G2 over an exten sion
field, Scott et al. <xref target="SBCDK09" format="default"/> describe a method field, Scott et al. <xref target="SBCDK09"/> describe a method for fast cofactor
for fast cofactor clearing clearing
that exploits an efficiently-computable endomorphism. Fuentes-Castaneda that exploits an efficiently computable endomorphism. Fuentes-Castaneda
et al. <xref target="FKR11" format="default"/> propose an alternative method tha et al. <xref target="FKR11"/> propose an alternative method that is sometimes mo
t is sometimes more efficient. re efficient.
Budroni and Pintore <xref target="BP17" format="default"/> give concrete instant Budroni and Pintore <xref target="BP17"/> give concrete instantiations of these
iations of these methods methods
for Barreto-Lynn-Scott pairing-friendly curves <xref target="BLS03" format="defa for Barreto-Lynn-Scott pairing-friendly curves <xref target="BLS03"/>.
ult"/>.
This method is described for the specific case of BLS12-381 in This method is described for the specific case of BLS12-381 in
<xref target="clear-cofactor-bls12381-g2" format="default"/>.</li> <xref target="clear-cofactor-bls12381-g2"/>.</li>
<li>Wahby and Boneh (<xref target="WB19" format="default"/>, Section 5) <li>Wahby and Boneh (<xref target="WB19"/>, Section 5) describe a trick
describe a trick due to Scott for due to Scott for
fast cofactor clearing on any elliptic curve for which the prime fast cofactor clearing on any elliptic curve for which the prime
factorization of h and the structure of the elliptic curve group meet factorization of h and the structure of the elliptic curve group meet
certain conditions.</li> certain conditions.</li>
</ul> </ul>
<t>The clear_cofactor function is parameterized by a scalar h_eff. <t>The clear_cofactor function is parameterized by a scalar h_eff.
Specifically,</t> Specifically,</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
clear_cofactor(P) := h_eff * P clear_cofactor(P) := h_eff * P
</sourcecode> ]]></sourcecode>
<t>where * represents scalar multiplication. <t>where * represents scalar multiplication.
When a curve does not support a fast cofactor clearing method, h_eff = h When a curve does not support a fast cofactor clearing method, h_eff = h
and the cofactor MUST be cleared via scalar multiplication.</t> and the cofactor <bcp14>MUST</bcp14> be cleared via scalar multiplication.</t>
<t>When a curve admits a fast cofactor clearing method, clear_cofactor <t>When a curve admits a fast cofactor clearing method, clear_cofactor
MAY be evaluated either via that method or via scalar multiplication <bcp14>MAY</bcp14> be evaluated either via that method or via scalar multiplicat ion
by the equivalent h_eff; these two methods give the same result. by the equivalent h_eff; these two methods give the same result.
Note that in this case scalar multiplication by the cofactor h does not Note that in this case scalar multiplication by the cofactor h does not
generally give the same result as the fast method, and MUST NOT be used.</t> generally give the same result as the fast method and <bcp14>MUST NOT</bcp14> be used.</t>
</section> </section>
<section anchor="suites" numbered="true" toc="default"> <section anchor="suites">
<name>Suites for hashing</name> <name>Suites for Hashing</name>
<t>This section lists recommended suites for hashing to standard elliptic curves.</t> <t>This section lists recommended suites for hashing to standard elliptic curves.</t>
<t>A hash-to-curve suite fully specifies the procedure for hashing byte st rings <t>A hash-to-curve suite fully specifies the procedure for hashing byte st rings
to points on a specific elliptic curve group. to points on a specific elliptic curve group.
<xref target="suites-howto" format="default"/> describes how to implement a suit e. <xref target="suites-howto"/> describes how to implement a suite.
Applications that require hashing to an elliptic curve should use either Applications that require hashing to an elliptic curve should use either
an existing suite or a new suite specified as described in <xref target="new-sui an existing suite or a new suite specified as described in <xref target="new-sui
te" format="default"/>.</t> te"/>.</t>
<t>All applications using a hash-to-curve suite MUST choose a domain <t>All applications using a hash-to-curve suite <bcp14>MUST</bcp14> choose
separation tag (DST) in accordance with the guidelines in <xref target="domain-s a domain
eparation" format="default"/>. separation tag (DST) in accordance with the guidelines in <xref target="domain-s
eparation"/>.
In addition, applications whose security requires a random oracle that returns In addition, applications whose security requires a random oracle that returns
uniformly random points on the target curve MUST use a suite whose encoding type uniformly random points on the target curve <bcp14>MUST</bcp14> use a suite whos
is hash_to_curve; see <xref target="roadmap" format="default"/> and immediately e encoding type
below for more information.</t> is hash_to_curve; see <xref target="roadmap"/> and immediately below for more in
formation.</t>
<t>A hash-to-curve suite comprises the following parameters:</t> <t>A hash-to-curve suite comprises the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Suite ID, a short name used to refer to a given suite. <li>Suite ID, a short name used to refer to a given suite.
<xref target="suiteIDformat" format="default"/> discusses the naming conventions for suite IDs.</li> <xref target="suiteIDformat"/> discusses the naming conventions for Suite IDs.</ li>
<li>encoding type, either uniform (hash_to_curve) or nonuniform (encode_ to_curve). <li>encoding type, either uniform (hash_to_curve) or nonuniform (encode_ to_curve).
See <xref target="roadmap" format="default"/> for definitions of these encoding types.</li> See <xref target="roadmap"/> for definitions of these encoding types.</li>
<li>E, the target elliptic curve over a field F.</li> <li>E, the target elliptic curve over a field F.</li>
<li>p, the characteristic of the field F.</li> <li>p, the characteristic of the field F.</li>
<li>m, the extension degree of the field F. If m &gt; 1, the suite MUST also specify <li>m, the extension degree of the field F. If m &gt; 1, the suite <bcp1 4>MUST</bcp14> also specify
the polynomial basis used to represent extension field elements.</li> the polynomial basis used to represent extension field elements.</li>
<li>k, the target security level of the suite in bits. <li>k, the target security level of the suite in bits.
(See <xref target="security-considerations-targets" format="default"/> for discu (See <xref target="security-considerations-targets"/> for discussion.)</li>
ssion.)</li> <li>L, the length parameter for hash_to_field (<xref target="hashtofield
<li>L, the length parameter for hash_to_field (<xref target="hashtofield "/>).</li>
" format="default"/>).</li> <li>expand_message, one of the variants specified in <xref target="hasht
<li>expand_message, one of the variants specified in <xref target="hasht ofield-expand"/>
ofield-expand" format="default"/>
plus any parameters required for the specified variant (for example, H, plus any parameters required for the specified variant (for example, H,
the underlying hash function).</li> the underlying hash function).</li>
<li>f, a mapping function from <xref target="mappings" format="default"/ <li>f, a mapping function from <xref target="mappings"/>.</li>
>.</li> <li>h_eff, the scalar parameter for clear_cofactor (<xref target="cofact
<li>h_eff, the scalar parameter for clear_cofactor (<xref target="cofact or-clearing"/>).</li>
or-clearing" format="default"/>).</li>
</ul> </ul>
<t>In addition to the above parameters, the mapping f may require <t>In addition to the above parameters, the mapping f may require
additional parameters Z, M, rational_map, E', or iso_map. additional parameters Z, M, rational_map, E', or iso_map.
When applicable, these MUST be specified.</t> When applicable, these <bcp14>MUST</bcp14> be specified.</t>
<t>The below table lists suites RECOMMENDED for some elliptic curves. <t>The table below lists suites <bcp14>RECOMMENDED</bcp14> for some ellipt
ic curves.
The corresponding parameters are given in the following subsections. The corresponding parameters are given in the following subsections.
Applications instantiating cryptographic protocols whose security analysis Applications instantiating cryptographic protocols whose security analysis
relies on a random oracle that outputs points with a uniform distribution MUST N OT use a relies on a random oracle that outputs points with a uniform distribution <bcp14 >MUST NOT</bcp14> use a
nonuniform encoding. nonuniform encoding.
Moreover, applications that use a nonuniform encoding SHOULD carefully Moreover, applications that use a nonuniform encoding <bcp14>SHOULD</bcp14> care fully
analyze the security implications of nonuniformity. analyze the security implications of nonuniformity.
When the required encoding is not clear, applications SHOULD use a When the required encoding is not clear, applications <bcp14>SHOULD</bcp14> use a
uniform encoding for security.</t> uniform encoding for security.</t>
<table anchor="suite-table" align="center"> <table anchor="suite-table">
<name>Suites for hashing to elliptic curves.</name> <name>Suites for hashing to elliptic curves.</name>
<thead> <thead>
<tr> <tr>
<th align="left">E</th> <th align="left">E</th>
<th align="left">Suites</th> <th align="left">Suites</th>
<th align="left">Section</th> <th align="left">Section</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">NIST P-256</td> <td align="left">NIST P-256</td>
<td align="left">P256_XMD:SHA-256_SSWU_RO_ P256_XMD:SHA-256_SSWU_NU_ </td> <td align="left">P256_XMD:SHA-256_SSWU_RO_ P256_XMD:SHA-256_SSWU_NU_ </td>
<td align="left"> <td align="left">
<xref target="suites-p256" format="default"/></td> <xref format="counter" target="suites-p256"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">NIST P-384</td> <td align="left">NIST P-384</td>
<td align="left">P384_XMD:SHA-384_SSWU_RO_ P384_XMD:SHA-384_SSWU_NU_ </td> <td align="left">P384_XMD:SHA-384_SSWU_RO_ P384_XMD:SHA-384_SSWU_NU_ </td>
<td align="left"> <td align="left">
<xref target="suites-p384" format="default"/></td> <xref format="counter" target="suites-p384"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">NIST P-521</td> <td align="left">NIST P-521</td>
<td align="left">P521_XMD:SHA-512_SSWU_RO_ P521_XMD:SHA-512_SSWU_NU_ </td> <td align="left">P521_XMD:SHA-512_SSWU_RO_ P521_XMD:SHA-512_SSWU_NU_ </td>
<td align="left"> <td align="left">
<xref target="suites-p521" format="default"/></td> <xref format="counter" target="suites-p521"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">curve25519</td> <td align="left">curve25519</td>
<td align="left">curve25519_XMD:SHA-512_ELL2_RO_ curve25519_XMD:SHA- 512_ELL2_NU_</td> <td align="left">curve25519_XMD:SHA-512_ELL2_RO_ curve25519_XMD:SHA- 512_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-25519" format="default"/></td> <xref format="counter" target="suites-25519"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">edwards25519</td> <td align="left">edwards25519</td>
<td align="left">edwards25519_XMD:SHA-512_ELL2_RO_ edwards25519_XMD: SHA-512_ELL2_NU_</td> <td align="left">edwards25519_XMD:SHA-512_ELL2_RO_ edwards25519_XMD: SHA-512_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-25519" format="default"/></td> <xref format="counter" target="suites-25519"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">curve448</td> <td align="left">curve448</td>
<td align="left">curve448_XOF:SHAKE256_ELL2_RO_ curve448_XOF:SHAKE25 6_ELL2_NU_</td> <td align="left">curve448_XOF:SHAKE256_ELL2_RO_ curve448_XOF:SHAKE25 6_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-448" format="default"/></td> <xref format="counter" target="suites-448"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">edwards448</td> <td align="left">edwards448</td>
<td align="left">edwards448_XOF:SHAKE256_ELL2_RO_ edwards448_XOF:SHA KE256_ELL2_NU_</td> <td align="left">edwards448_XOF:SHAKE256_ELL2_RO_ edwards448_XOF:SHA KE256_ELL2_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-448" format="default"/></td> <xref format="counter" target="suites-448"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">secp256k1</td> <td align="left">secp256k1</td>
<td align="left">secp256k1_XMD:SHA-256_SSWU_RO_ secp256k1_XMD:SHA-25 6_SSWU_NU_</td> <td align="left">secp256k1_XMD:SHA-256_SSWU_RO_ secp256k1_XMD:SHA-25 6_SSWU_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-secp256k1" format="default"/></td> <xref format="counter" target="suites-secp256k1"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">BLS12-381 G1</td> <td align="left">BLS12-381 G1</td>
<td align="left">BLS12381G1_XMD:SHA-256_SSWU_RO_ BLS12381G1_XMD:SHA- 256_SSWU_NU_</td> <td align="left">BLS12381G1_XMD:SHA-256_SSWU_RO_ BLS12381G1_XMD:SHA- 256_SSWU_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-bls12381" format="default"/></td> <xref format="counter" target="suites-bls12381"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">BLS12-381 G2</td> <td align="left">BLS12-381 G2</td>
<td align="left">BLS12381G2_XMD:SHA-256_SSWU_RO_ BLS12381G2_XMD:SHA- 256_SSWU_NU_</td> <td align="left">BLS12381G2_XMD:SHA-256_SSWU_RO_ BLS12381G2_XMD:SHA- 256_SSWU_NU_</td>
<td align="left"> <td align="left">
<xref target="suites-bls12381" format="default"/></td> <xref format="counter" target="suites-bls12381"/></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<section anchor="suites-howto" numbered="true" toc="default"> <section anchor="suites-howto">
<name>Implementing a hash-to-curve suite</name> <name>Implementing a Hash-to-Curve Suite</name>
<t>A hash-to-curve suite requires the following functions. <t>A hash-to-curve suite requires the following functions.
Note that some of these require utility functions from <xref target="utility" fo Note that some of these require utility functions from <xref target="utility"/>.
rmat="default"/>.</t> </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>Base field arithmetic operations for t
<li>Base field arithmetic operations for the target elliptic curve, e. he target elliptic curve, e.g.,
g.,
addition, multiplication, and square root.</li> addition, multiplication, and square root.</li>
<li>Elliptic curve point operations for the target curve, e.g., <li>Elliptic curve point operations for the target curve, e.g.,
point addition and scalar multiplication.</li> point addition and scalar multiplication.</li>
<li>The hash_to_field function; see <xref target="hashtofield" format= <li>The hash_to_field function; see <xref target="hashtofield"/>. This
"default"/>. This includes the expand_message includes the expand_message
variant (<xref target="hashtofield-expand" format="default"/>) and any constitue variant (<xref target="hashtofield-expand"/>) and any constituent hash function
nt hash function or XOF.</li> or XOF.</li>
<li>The suite-specified mapping function; see the corresponding subsec <li>The suite-specified mapping function; see the corresponding subsec
tion of <xref target="mappings" format="default"/>.</li> tion of <xref target="mappings"/>.</li>
<li>A cofactor clearing function; see <xref target="cofactor-clearing" <li>A cofactor clearing function; see <xref target="cofactor-clearing"
format="default"/>. This may be implemented as />. This may be implemented as
scalar multiplication by h_eff or as a faster equivalent method.</li> scalar multiplication by h_eff or as a faster equivalent method.</li>
<li>The desired encoding function; see <xref target="roadmap" format=" default"/>. This is either hash_to_curve or <li>The desired encoding function; see <xref target="roadmap"/>. This is either hash_to_curve or
encode_to_curve.</li> encode_to_curve.</li>
</ol> </ol>
</section> </section>
<section anchor="suites-p256" numbered="true" toc="default"> <section anchor="suites-p256">
<name>Suites for NIST P-256</name> <name>Suites for NIST P-256</name>
<t>This section defines ciphersuites for the NIST P-256 elliptic curve < xref target="FIPS186-4" format="default"/>.</t> <t>This section defines ciphersuites for the NIST P-256 elliptic curve < xref target="FIPS186-4"/>.</t>
<t>P256_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>P256_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: y^2 = x^3 + A * x + B, where <t>E: y^2 = x^3 + A * x + B, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = -3</li> <li>A = -3</li>
<li>B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e 27d2604b</li> <li>B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e 27d2604b</li>
</ul> </ul>
</li> </li>
<li>p: 2^256 - 2^224 + 2^192 + 2^96 - 1</li> <li>p: 2^256 - 2^224 + 2^192 + 2^96 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 48</li> <li>L: 48</li>
<li>f: Simplified SWU method (<xref target="simple-swu" format="defaul t"/>)</li> <li>f: Simplified SWU method (<xref target="simple-swu"/>)</li>
<li>Z: -10</li> <li>Z: -10</li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>P256_XMD:SHA-256_SSWU_NU_ is identical to P256_XMD:SHA-256_SSWU_RO_, <t>P256_XMD:SHA-256_SSWU_NU_ is identical to P256_XMD:SHA-256_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to P-256 is given in <xref target="straightline-sswu" format="default"/>.</t> to P-256 is given in <xref target="straightline-sswu"/>.</t>
</section> </section>
<section anchor="suites-p384" numbered="true" toc="default"> <section anchor="suites-p384">
<name>Suites for NIST P-384</name> <name>Suites for NIST P-384</name>
<t>This section defines ciphersuites for the NIST P-384 elliptic curve < xref target="FIPS186-4" format="default"/>.</t> <t>This section defines ciphersuites for the NIST P-384 elliptic curve < xref target="FIPS186-4"/>.</t>
<t>P384_XMD:SHA-384_SSWU_RO_ is defined as follows:</t> <t>P384_XMD:SHA-384_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: y^2 = x^3 + A * x + B, where <t>E: y^2 = x^3 + A * x + B, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = -3</li> <li>A = -3</li>
<li>B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f 5013875ac656398d8a2ed19d2a85c8edd3ec2aef</li> <li>B&nbsp;=&nbsp;0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141 120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef</li>
</ul> </ul>
</li> </li>
<li>p: 2^384 - 2^128 - 2^96 + 2^32 - 1</li> <li>p: 2^384 - 2^128 - 2^96 + 2^32 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 192</li> <li>k: 192</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-384</li> <li>H: SHA-384</li>
<li>L: 72</li> <li>L: 72</li>
<li>f: Simplified SWU method (<xref target="simple-swu" format="defaul t"/>)</li> <li>f: Simplified SWU method (<xref target="simple-swu"/>)</li>
<li>Z: -12</li> <li>Z: -12</li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>P384_XMD:SHA-384_SSWU_NU_ is identical to P384_XMD:SHA-384_SSWU_RO_, <t>P384_XMD:SHA-384_SSWU_NU_ is identical to P384_XMD:SHA-384_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to P-384 is given in <xref target="straightline-sswu" format="default"/>.</t> to P-384 is given in <xref target="straightline-sswu"/>.</t>
</section> </section>
<section anchor="suites-p521" numbered="true" toc="default"> <section anchor="suites-p521">
<name>Suites for NIST P-521</name> <name>Suites for NIST P-521</name>
<t>This section defines ciphersuites for the NIST P-521 elliptic curve < xref target="FIPS186-4" format="default"/>.</t> <t>This section defines ciphersuites for the NIST P-521 elliptic curve < xref target="FIPS186-4"/>.</t>
<t>P521_XMD:SHA-512_SSWU_RO_ is defined as follows:</t> <t>P521_XMD:SHA-512_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: y^2 = x^3 + A * x + B, where <t>E: y^2 = x^3 + A * x + B, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = -3</li> <li>A = -3</li>
<li>B = 0x51953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489 918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00</li> <li>B&nbsp;=&nbsp;0x51953eb9618e1c9a1f929a21a0b68540eea2da725b99b3 15f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b50 3f00</li>
</ul> </ul>
</li> </li>
<li>p: 2^521 - 1</li> <li>p: 2^521 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 256</li> <li>k: 256</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-512</li> <li>H: SHA-512</li>
<li>L: 98</li> <li>L: 98</li>
<li>f: Simplified SWU method (<xref target="simple-swu" format="defaul t"/>)</li> <li>f: Simplified SWU method (<xref target="simple-swu"/>)</li>
<li>Z: -4</li> <li>Z: -4</li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>P521_XMD:SHA-512_SSWU_NU_ is identical to P521_XMD:SHA-512_SSWU_RO_, <t>P521_XMD:SHA-512_SSWU_NU_ is identical to P521_XMD:SHA-512_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to P-521 is given in <xref target="straightline-sswu" format="default"/>.</t> to P-521 is given in <xref target="straightline-sswu"/>.</t>
</section> </section>
<section anchor="suites-25519" numbered="true" toc="default"> <section anchor="suites-25519">
<name>Suites for curve25519 and edwards25519</name> <name>Suites for curve25519 and edwards25519</name>
<t>This section defines ciphersuites for curve25519 and edwards25519 <xr <t>This section defines ciphersuites for curve25519 and edwards25519 <xr
ef target="RFC7748" format="default"/>. ef target="RFC7748"/>.
Note that these ciphersuites MUST NOT be used when hashing to ristretto255 Note that these ciphersuites <bcp14>MUST NOT</bcp14> be used when hashing to ris
<xref target="I-D.irtf-cfrg-ristretto255-decaf448" format="default"/>. tretto255
See <xref target="appx-ristretto255" format="default"/> for information on how t <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/>.
o hash to that group.</t> See <xref target="appx-ristretto255"/> for information on how to hash to that gr
oup.</t>
<t>curve25519_XMD:SHA-512_ELL2_RO_ is defined as follows:</t> <t>curve25519_XMD:SHA-512_ELL2_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: K * t^2 = s^3 + J * s^2 + s, where <t>E: K * t^2 = s^3 + J * s^2 + s, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>J = 486662</li> <li>J = 486662</li>
<li>K = 1</li> <li>K = 1</li>
</ul> </ul>
</li> </li>
<li>p: 2^255 - 19</li> <li>p: 2^255 - 19</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-512</li> <li>H: SHA-512</li>
<li>L: 48</li> <li>L: 48</li>
<li>f: Elligator 2 method (<xref target="elligator2" format="default"/ >)</li> <li>f: Elligator 2 method (<xref target="elligator2"/>)</li>
<li>Z: 2</li> <li>Z: 2</li>
<li>h_eff: 8</li> <li>h_eff: 8</li>
</ul> </ul>
<t>edwards25519_XMD:SHA-512_ELL2_RO_ is identical to curve25519_XMD:SHA- 512_ELL2_RO_, <t>edwards25519_XMD:SHA-512_ELL2_RO_ is identical to curve25519_XMD:SHA- 512_ELL2_RO_,
except for the following parameters:</t> except for the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where <t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>a = -1</li> <li>a = -1</li>
<li>d = 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca 135978a3</li> <li>d = 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca 135978a3</li>
</ul> </ul>
</li> </li>
<li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards" <li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards"/
format="default"/>)</li> >)</li>
<li>M: curve25519 defined in <xref target="RFC7748" format="default"/> <li>M: curve25519, defined in <xref section="4.1" sectionFormat="comma
, Section 4.1</li> " target="RFC7748"/></li>
<li>rational_map: the birational map defined in <xref target="RFC7748" <li>rational_map: the birational maps defined in <xref section="4.1" s
format="default"/>, Section 4.1</li> ectionFormat="comma" target="RFC7748"/></li>
</ul> </ul>
<t>curve25519_XMD:SHA-512_ELL2_NU_ is identical to curve25519_XMD:SHA-51 2_ELL2_RO_, <t>curve25519_XMD:SHA-512_ELL2_NU_ is identical to curve25519_XMD:SHA-51 2_ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>edwards25519_XMD:SHA-512_ELL2_NU_ is identical to edwards25519_XMD:SH A-512_ELL2_RO_, <t>edwards25519_XMD:SHA-512_ELL2_NU_ is identical to edwards25519_XMD:SH A-512_ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Optimized example implementations of the above mappings are given in <t>Optimized example implementations of the above mappings are given in
<xref target="map-to-curve25519" format="default"/> and <xref target="map-to-edw ards25519" format="default"/>.</t> <xref target="map-to-curve25519"/> and <xref target="map-to-edwards25519"/>.</t>
</section> </section>
<section anchor="suites-448" numbered="true" toc="default"> <section anchor="suites-448">
<name>Suites for curve448 and edwards448</name> <name>Suites for curve448 and edwards448</name>
<t>This section defines ciphersuites for curve448 and edwards448 <xref t <t>This section defines ciphersuites for curve448 and edwards448 <xref t
arget="RFC7748" format="default"/>. arget="RFC7748"/>.
Note that these ciphersuites MUST NOT be used when hashing to decaf448 Note that these ciphersuites <bcp14>MUST NOT</bcp14> be used when hashing to dec
<xref target="I-D.irtf-cfrg-ristretto255-decaf448" format="default"/>. af448
See <xref target="appx-decaf448" format="default"/> for information on how to ha <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/>.
sh to that group.</t> See <xref target="appx-decaf448"/> for information on how to hash to that group.
</t>
<t>curve448_XOF:SHAKE256_ELL2_RO_ is defined as follows:</t> <t>curve448_XOF:SHAKE256_ELL2_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li> <li>
<t>E: K * t^2 = s^3 + J * s^2 + s, where <t>E: K * t^2 = s^3 + J * s^2 + s, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>J = 156326</li> <li>J = 156326</li>
<li>K = 1</li> <li>K = 1</li>
</ul> </ul>
</li> </li>
<li>p: 2^448 - 2^224 - 1</li> <li>p: 2^448 - 2^224 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 224</li> <li>k: 224</li>
<li>expand_message: expand_message_xof (<xref target="hashtofield-expa nd-xof" format="default"/>)</li> <li>expand_message: expand_message_xof (<xref target="hashtofield-expa nd-xof"/>)</li>
<li>H: SHAKE256</li> <li>H: SHAKE256</li>
<li>L: 84</li> <li>L: 84</li>
<li>f: Elligator 2 method (<xref target="elligator2" format="default"/ >)</li> <li>f: Elligator 2 method (<xref target="elligator2"/>)</li>
<li>Z: -1</li> <li>Z: -1</li>
<li>h_eff: 4</li> <li>h_eff: 4</li>
</ul> </ul>
<t>edwards448_XOF:SHAKE256_ELL2_RO_ is identical to curve448_XOF:SHAKE25 6_ELL2_RO_, <t>edwards448_XOF:SHAKE256_ELL2_RO_ is identical to curve448_XOF:SHAKE25 6_ELL2_RO_,
except for the following parameters:</t> except for the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where <t>E: a * v^2 + w^2 = 1 + d * v^2 * w^2, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>a = 1</li> <li>a = 1</li>
<li>d = -39081</li> <li>d = -39081</li>
</ul> </ul>
</li> </li>
<li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards" <li>f: Twisted Edwards Elligator 2 method (<xref target="ell2edwards"/
format="default"/>)</li> >)</li>
<li>M: curve448, defined in <xref target="RFC7748" format="default"/>, <li>M: curve448, defined in <xref section="4.2" sectionFormat="comma"
Section 4.2</li> target="RFC7748"/></li>
<li>rational_map: the 4-isogeny map defined in <xref target="RFC7748" <li>rational_map: the 4-isogeny map defined in <xref section="4.2" sec
format="default"/>, Section 4.2</li> tionFormat="comma" target="RFC7748"/></li>
</ul> </ul>
<t>curve448_XOF:SHAKE256_ELL2_NU_ is identical to curve448_XOF:SHAKE256_ ELL2_RO_, <t>curve448_XOF:SHAKE256_ELL2_NU_ is identical to curve448_XOF:SHAKE256_ ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>edwards448_XOF:SHAKE256_ELL2_NU_ is identical to edwards448_XOF:SHAKE 256_ELL2_RO_, <t>edwards448_XOF:SHAKE256_ELL2_NU_ is identical to edwards448_XOF:SHAKE 256_ELL2_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Optimized example implementations of the above mappings are given in <t>Optimized example implementations of the above mappings are given in
<xref target="map-to-curve448" format="default"/> and <xref target="map-to-edwar ds448" format="default"/>.</t> <xref target="map-to-curve448"/> and <xref target="map-to-edwards448"/>.</t>
</section> </section>
<section anchor="suites-secp256k1" numbered="true" toc="default"> <section anchor="suites-secp256k1">
<name>Suites for secp256k1</name> <name>Suites for secp256k1</name>
<t>This section defines ciphersuites for the secp256k1 elliptic curve <x ref target="SEC2" format="default"/>.</t> <t>This section defines ciphersuites for the secp256k1 elliptic curve <x ref target="SEC2"/>.</t>
<t>secp256k1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>secp256k1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="defau lt"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li>E: y^2 = x^3 + 7</li> <li>E: y^2 = x^3 + 7</li>
<li>p: 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1</li> <li>p: 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-expa nd-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 48</li> <li>L: 48</li>
<li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0" forma t="default"/>)</li> <li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0"/>)</l i>
<li>Z: -11</li> <li>Z: -11</li>
<li> <li>
<t>E': y'^2 = x'^3 + A' * x' + B', where <t>E': y'^2 = x'^3 + A' * x' + B', where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A': 0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c0 1a444533</li> <li>A': 0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c0 1a444533</li>
<li>B': 1771</li> <li>B': 1771</li>
</ul> </ul>
</li> </li>
<li>iso_map: the 3-isogeny map from E' to E given in <xref target="app x-iso-secp256k1" format="default"/></li> <li>iso_map: the 3-isogeny map from E' to E given in <xref target="app x-iso-secp256k1"/></li>
<li>h_eff: 1</li> <li>h_eff: 1</li>
</ul> </ul>
<t>secp256k1_XMD:SHA-256_SSWU_NU_ is identical to secp256k1_XMD:SHA-256_ SSWU_RO_, <t>secp256k1_XMD:SHA-256_SSWU_NU_ is identical to secp256k1_XMD:SHA-256_ SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to the curve E' isogenous to secp256k1 is given in <xref target="straightline-ss wu" format="default"/>.</t> to the curve E' isogenous to secp256k1 is given in <xref target="straightline-ss wu"/>.</t>
</section> </section>
<section anchor="suites-bls12381" numbered="true" toc="default"> <section anchor="suites-bls12381">
<name>Suites for BLS12-381</name> <name>Suites for BLS12-381</name>
<t>This section defines ciphersuites for groups G1 and G2 of <t>This section defines ciphersuites for groups G1 and G2 of
the BLS12-381 elliptic curve <xref target="BLS12-381" format="default"/>. the BLS12-381 elliptic curve <xref target="BLS12-381"/>.</t>
The curve parameters in this section match the ones listed in <section anchor="suites-bls12381-g1">
<xref target="I-D.irtf-cfrg-pairing-friendly-curves" format="default"/>, Appendi
x C.</t>
<section anchor="suites-bls12381-g1" numbered="true" toc="default">
<name>BLS12-381 G1</name> <name>BLS12-381 G1</name>
<t>BLS12381G1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>BLS12381G1_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="def ault"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li>E: y^2 = x^3 + 4</li> <li>E: y^2 = x^3 + 4</li>
<li>p: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b 0f6241eabfffeb153ffffb9feffffffffaaab</li> <li>p:&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 a0f6b0f6241eabfffeb153ffffb9feffffffffaaab</li>
<li>m: 1</li> <li>m: 1</li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 64</li> <li>L: 64</li>
<li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0" for mat="default"/>)</li> <li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0"/>)< /li>
<li>Z: 11</li> <li>Z: 11</li>
<li> <li>
<t>E': y'^2 = x'^3 + A' * x' + B', where <t>E': y'^2 = x'^3 + A' * x' + B', where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A' = 0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981 <li>A'&nbsp;=&nbsp;0x144698a3b8e9433d693a02c96d4982b0ea985383ee6
aefd881ac98936f8da0e0f97f5cf428082d584c1d</li> 6a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d</li>
<li>B' = 0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c <li>B'&nbsp;=&nbsp;0x12e2908d11688030018b12e8753eee3b2016c1f0f24
14fcef35ef55a23215a316ceaa5d1cc48e98e172be0</li> f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0</li>
</ul> </ul>
</li> </li>
<li>iso_map: the 11-isogeny map from E' to E given in <xref target=" appx-iso-bls12381-g1" format="default"/></li> <li>iso_map: the 11-isogeny map from E' to E given in <xref target=" appx-iso-bls12381-g1"/></li>
<li>h_eff: 0xd201000000010001</li> <li>h_eff: 0xd201000000010001</li>
</ul> </ul>
<t>BLS12381G1_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G1_XMD:SHA- 256_SSWU_RO_, <t>BLS12381G1_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G1_XMD:SHA- 256_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Note that the h_eff values for these suites are chosen for compatib ility <t>Note that the h_eff values for these suites are chosen for compatib ility
with the fast cofactor clearing method described by Scott (<xref target="WB19" f ormat="default"/> Section 5).</t> with the fast cofactor clearing method described by Scott (<xref target="WB19"/> , Section 5).</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to the curve E' isogenous to BLS12-381 G1 is given in <xref target="straightline -sswu" format="default"/>.</t> to the curve E' isogenous to BLS12-381 G1 is given in <xref target="straightline -sswu"/>.</t>
</section> </section>
<section anchor="suites-bls12381-g2" numbered="true" toc="default"> <section anchor="suites-bls12381-g2">
<name>BLS12-381 G2</name> <name>BLS12-381 G2</name>
<t>BLS12381G2_XMD:SHA-256_SSWU_RO_ is defined as follows:</t> <t>BLS12381G2_XMD:SHA-256_SSWU_RO_ is defined as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>encoding type: hash_to_curve (<xref target="roadmap" format="def ault"/>)</li> <li>encoding type: hash_to_curve (<xref target="roadmap"/>)</li>
<li>E: y^2 = x^3 + 4 * (1 + I)</li> <li>E: y^2 = x^3 + 4 * (1 + I)</li>
<li> <li>
<t>base field F is GF(p^m), where <t>base field F is GF(p^m), where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>p: 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a 0f6b0f6241eabfffeb153ffffb9feffffffffaaab</li> <li>p:&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf67 30d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab</li>
<li>m: 2</li> <li>m: 2</li>
<li>(1, I) is the basis for F, where I^2 + 1 == 0 in F</li> <li>(1, I) is the basis for F, where I^2 + 1 == 0 in F</li>
</ul> </ul>
</li> </li>
<li>k: 128</li> <li>k: 128</li>
<li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd" format="default"/>)</li> <li>expand_message: expand_message_xmd (<xref target="hashtofield-ex pand-xmd"/>)</li>
<li>H: SHA-256</li> <li>H: SHA-256</li>
<li>L: 64</li> <li>L: 64</li>
<li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0" for mat="default"/>)</li> <li>f: Simplified SWU for AB == 0 (<xref target="simple-swu-AB0"/>)< /li>
<li>Z: -(2 + I)</li> <li>Z: -(2 + I)</li>
<li> <li>
<t>E': y'^2 = x'^3 + A' * x' + B', where <t>E': y'^2 = x'^3 + A' * x' + B', where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>A' = 240 * I</li> <li>A' = 240 * I</li>
<li>B' = 1012 * (1 + I)</li> <li>B' = 1012 * (1 + I)</li>
</ul> </ul>
</li> </li>
<li>iso_map: the isogeny map from E' to E given in <xref target="app <li>iso_map: the isogeny map from E' to E given in <xref target="app
x-iso-bls12381-g2" format="default"/></li> x-iso-bls12381-g2"/></li>
<li>h_eff: 0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff03 <li>h_eff:&nbsp;0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad768998
1508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0a 6ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a3598
debbf6b4e8020005aaa95551</li> 94c0adebbf6b4e8020005aaa95551</li>
</ul> </ul>
<t>BLS12381G2_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G2_XMD:SHA- 256_SSWU_RO_, <t>BLS12381G2_XMD:SHA-256_SSWU_NU_ is identical to BLS12381G2_XMD:SHA- 256_SSWU_RO_,
except that the encoding type is encode_to_curve (<xref target="roadmap" format= "default"/>).</t> except that the encoding type is encode_to_curve (<xref target="roadmap"/>).</t>
<t>Note that the h_eff values for these suites are chosen for compatib ility <t>Note that the h_eff values for these suites are chosen for compatib ility
with the fast cofactor clearing method described by with the fast cofactor clearing method described by
Budroni and Pintore (<xref target="BP17" format="default"/>, Section 4.1), and s ummarized in <xref target="clear-cofactor-bls12381-g2" format="default"/>.</t> Budroni and Pintore (<xref target="BP17"/>, Section 4.1) and are summarized in < xref target="clear-cofactor-bls12381-g2"/>.</t>
<t>An optimized example implementation of the Simplified SWU mapping <t>An optimized example implementation of the Simplified SWU mapping
to the curve E' isogenous to BLS12-381 G2 is given in <xref target="straightline -sswu" format="default"/>.</t> to the curve E' isogenous to BLS12-381 G2 is given in <xref target="straightline -sswu"/>.</t>
</section> </section>
</section> </section>
<section anchor="new-suite" numbered="true" toc="default"> <section anchor="new-suite">
<name>Defining a new hash-to-curve suite</name> <name>Defining a New Hash-to-Curve Suite</name>
<t>For elliptic curves not listed elsewhere in <xref target="suites" for <t>For elliptic curves not listed elsewhere in <xref target="suites"/>,
mat="default"/>, a new hash-to-curve a new hash-to-curve
suite can be defined by:</t> suite can be defined by the following:</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>E, F, p, and m are determined by the e
<li>E, F, p, and m are determined by the elliptic curve and its base f lliptic curve and its base field.</li>
ield.</li>
<li>k is an upper bound on the target security level of the suite <li>k is an upper bound on the target security level of the suite
(<xref target="security-considerations-targets" format="default"/>). (<xref target="security-considerations-targets"/>).
A reasonable choice of k is ceil(log2(r) / 2), where r is A reasonable choice of k is ceil(log2(r) / 2), where r is
the order of the subgroup G of the curve E (<xref target="bg-curves" format="def the order of the subgroup G of the curve E (<xref target="bg-curves"/>).</li>
ault"/>).</li> <li>Choose encoding type, either hash_to_curve or encode_to_curve (<xr
<li>Choose encoding type, either hash_to_curve or encode_to_curve (<xr ef target="roadmap"/>).</li>
ef target="roadmap" format="default"/>).</li> <li>Compute L as described in <xref target="hashtofield"/>.</li>
<li>Compute L as described in <xref target="hashtofield" format="defau <li>Choose an expand_message variant from <xref target="hashtofield-ex
lt"/>.</li> pand"/> plus any
<li>Choose an expand_message variant from <xref target="hashtofield-ex
pand" format="default"/> plus any
underlying cryptographic primitives (e.g., a hash function H).</li> underlying cryptographic primitives (e.g., a hash function H).</li>
<li>Choose a mapping following the guidelines in <xref target="choosin g-mapping" format="default"/>, <li>Choose a mapping following the guidelines in <xref target="choosin g-mapping"/>,
and select any required parameters for that mapping.</li> and select any required parameters for that mapping.</li>
<li>Choose h_eff to be either the cofactor of E or, if a fast cofactor <li>Choose h_eff to be either the cofactor of E or, if a fast cofactor
clearing method is to be used, a value appropriate to that method clearing method is to be used, a value appropriate to that method
as discussed in <xref target="cofactor-clearing" format="default"/>.</li> as discussed in <xref target="cofactor-clearing"/>.</li>
<li>Construct a Suite ID following the guidelines in <xref target="sui <li>Construct a Suite ID following the guidelines in <xref target="sui
teIDformat" format="default"/>.</li> teIDformat"/>.</li>
</ol> </ol>
</section> </section>
<section anchor="suiteIDformat" numbered="true" toc="default"> <section anchor="suiteIDformat">
<name>Suite ID naming conventions</name> <name>Suite ID Naming Conventions</name>
<t>Suite IDs MUST be constructed as follows:</t> <t>Suite IDs <bcp14>MUST</bcp14> be constructed as follows:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_" CURVE_ID || "_" || HASH_ID || "_" || MAP_ID || "_" || ENC_VAR || "_"
]]></artwork> ]]></artwork>
<t>The fields CURVE_ID, HASH_ID, MAP_ID, and ENC_VAR are <t>The fields CURVE_ID, HASH_ID, MAP_ID, and ENC_VAR are
ASCII-encoded strings of at most 64 characters each. ASCII-encoded strings of at most 64 characters each.
Fields MUST contain only ASCII characters between 0x21 and 0x7E (inclusive) Fields <bcp14>MUST</bcp14> contain only ASCII characters between 0x21 and 0x7E (
except that underscore (i.e., 0x5f) is not allowed.</t> inclusive),
except that underscore (i.e., 0x5F) is not allowed.</t>
<t>As indicated above, each field (including the last) is followed by an underscore <t>As indicated above, each field (including the last) is followed by an underscore
("_", ASCII 0x5f). ("_", ASCII 0x5F).
This helps to ensure that Suite IDs are prefix free. This helps to ensure that Suite IDs are prefix free.
Suite IDs MUST include the final underscore and MUST NOT include any characters Suite IDs <bcp14>MUST</bcp14> include the final underscore and <bcp14>MUST NOT</ bcp14> include any characters
after the final underscore.</t> after the final underscore.</t>
<t>Suite ID fields MUST be chosen as follows:</t> <t>Suite ID fields <bcp14>MUST</bcp14> be chosen as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>CURVE_ID: a human-readable representation of the target elliptic c urve.</li> <li>CURVE_ID: a human-readable representation of the target elliptic c urve.</li>
<li> <li>
<t>HASH_ID: a human-readable representation of the expand_message fu nction <t>HASH_ID: a human-readable representation of the expand_message fu nction
and any underlying hash primitives used in hash_to_field (<xref target="hashtofi and any underlying hash primitives used in hash_to_field (<xref target="hashtofi
eld" format="default"/>). eld"/>).
This field MUST be constructed as follows: </t> This field <bcp14>MUST</bcp14> be constructed as follows: </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
EXP_TAG || ":" || HASH_NAME EXP_TAG || ":" || HASH_NAME
]]></artwork> ]]></artwork>
<t> <t>
EXP_TAG indicates the expand_message variant: </t> EXP_TAG indicates the expand_message variant: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>"XMD" for expand_message_xmd (<xref target="hashtofield-expand <li>"XMD" for expand_message_xmd (<xref target="hashtofield-expand
-xmd" format="default"/>).</li> -xmd"/>).</li>
<li>"XOF" for expand_message_xof (<xref target="hashtofield-expand <li>"XOF" for expand_message_xof (<xref target="hashtofield-expand
-xof" format="default"/>).</li> -xof"/>).</li>
</ul> </ul>
<t> <t>
HASH_NAME is a human-readable name for the underlying hash primitive. HASH_NAME is a human-readable name for the underlying hash primitive.
As examples: </t> As examples: </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>For expand_message_xof (<xref targ
<li>For expand_message_xof (<xref target="hashtofield-expand-xof" et="hashtofield-expand-xof"/>) with SHAKE128,
format="default"/>) with SHAKE128,
HASH_ID is "XOF:SHAKE128".</li> HASH_ID is "XOF:SHAKE128".</li>
<li>For expand_message_xmd (<xref target="hashtofield-expand-xmd" format="default"/>) with SHA3-256, <li>For expand_message_xmd (<xref target="hashtofield-expand-xmd"/ >) with SHA3-256,
HASH_ID is "XMD:SHA3-256".</li> HASH_ID is "XMD:SHA3-256".</li>
</ol> </ol>
<t> <t>
Suites that use an alternative hash_to_field function that meets the requirement s Suites that use an alternative hash_to_field function that meets the requirement s
in <xref target="hashtofield-exteff" format="default"/> MUST indicate this by ap pending a tag identifying that function in <xref target="hashtofield-exteff"/> <bcp14>MUST</bcp14> indicate this by appe nding a tag identifying that function
to the HASH_ID field, separated by a colon (":", ASCII 0x3A).</t> to the HASH_ID field, separated by a colon (":", ASCII 0x3A).</t>
</li> </li>
<li> <li>
<t>MAP_ID: a human-readable representation of the map_to_curve funct ion <t>MAP_ID: a human-readable representation of the map_to_curve funct ion
as defined in <xref target="mappings" format="default"/>. These are defined as f ollows: </t> as defined in <xref target="mappings"/>. These are defined as follows: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>"SVDW" for or Shallue and van de Woestijne (<xref target="svdw <li>"SVDW" for Shallue and van de Woestijne (<xref target="svdw"/>
" format="default"/>).</li> ).</li>
<li>"SSWU" for Simplified SWU (<xref target="simple-swu" format="d <li>"SSWU" for Simplified SWU (Sections <xref format="counter" tar
efault"/>, <xref target="simple-swu-AB0" format="default"/>).</li> get="simple-swu"/> and <xref format="counter" target="simple-swu-AB0"/>).</li>
<li>"ELL2" for Elligator 2 (<xref target="elligator2" format="defa <li>"ELL2" for Elligator 2 (Sections <xref format="counter" target
ult"/>, <xref target="ell2edwards" format="default"/>).</li> ="elligator2"/> and <xref format="counter" target="ell2edwards"/>).</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>ENC_VAR: a string indicating the encoding type and other informat ion. <t>ENC_VAR: a string indicating the encoding type and other informat ion.
The first two characters of this string indicate whether the suite The first two characters of this string indicate whether the suite
represents a hash_to_curve or an encode_to_curve operation represents a hash_to_curve or an encode_to_curve operation
(<xref target="roadmap" format="default"/>), as follows: </t> (<xref target="roadmap"/>), as follows: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>If ENC_VAR begins with "RO", the suite uses hash_to_curve.</li > <li>If ENC_VAR begins with "RO", the suite uses hash_to_curve.</li >
<li>If ENC_VAR begins with "NU", the suite uses encode_to_curve.</ li> <li>If ENC_VAR begins with "NU", the suite uses encode_to_curve.</ li>
<li>ENC_VAR MUST NOT begin with any other string.</li> <li>ENC_VAR <bcp14>MUST NOT</bcp14> begin with any other string.</ li>
</ul> </ul>
<t> <t>
ENC_VAR MAY also be used to encode other information used to identify ENC_VAR <bcp14>MAY</bcp14> also be used to encode other information used to iden tify
variants, for example, a version number. variants, for example, a version number.
The RECOMMENDED way to do so is to add one or more subfields separated The <bcp14>RECOMMENDED</bcp14> way to do so is to add one or more subfields se parated
by colons. by colons.
For example, "RO:V02" is an appropriate ENC_VAR value for the second For example, "RO:V02" is an appropriate ENC_VAR value for the second
version of a uniform encoding suite, while "RO:V02:FOO01:BAR17" might be version of a uniform encoding suite, while "RO:V02:FOO01:BAR17" might be
used to indicate a variant of that suite.</t> used to indicate a variant of that suite.</t>
</li> </li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="iana-considerations" numbered="true" toc="default"> <section anchor="iana-considerations">
<name>IANA considerations</name> <name>IANA Considerations</name>
<t>This document has no IANA actions.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section anchor="security-considerations" numbered="true" toc="default"> <section anchor="security-considerations">
<name>Security considerations</name> <name>Security Considerations</name>
<t>This section contains additional security considerations about the hash -to-curve mechanisms <t>This section contains additional security considerations about the hash -to-curve mechanisms
described in this document.</t> described in this document.</t>
<section anchor="security-considerations-props" numbered="true" toc="defau <section anchor="security-considerations-props">
lt"> <name>Properties of Encodings</name>
<name>Properties of encodings</name> <t>Each encoding type (<xref target="roadmap"/>) accepts an arbitrary by
<t>Each encoding type (<xref target="roadmap" format="default"/>) accept te string and maps
s an arbitrary byte string and maps
it to a point on the curve sampled from a distribution that depends on the it to a point on the curve sampled from a distribution that depends on the
encoding type. encoding type.
It is important to note that using a nonuniform encoding or directly It is important to note that using a nonuniform encoding or directly
evaluating one of the mappings of <xref target="mappings" format="default"/> pro duces an output that is evaluating one of the mappings of <xref target="mappings"/> produces an output t hat is
easily distinguished from a uniformly random point. easily distinguished from a uniformly random point.
Applications that use a nonuniform encoding SHOULD carefully analyze the securit y Applications that use a nonuniform encoding <bcp14>SHOULD</bcp14> carefully anal yze the security
implications of nonuniformity. implications of nonuniformity.
When the required encoding is not clear, applications SHOULD use a uniform When the required encoding is not clear, applications <bcp14>SHOULD</bcp14> use a uniform
encoding.</t> encoding.</t>
<t>Both encodings given in <xref target="roadmap" format="default"/> can output the identity element of the group G. <t>Both encodings given in <xref target="roadmap"/> can output the ident ity element of the group G.
The probability that either encoding function outputs the identity element is The probability that either encoding function outputs the identity element is
roughly 1/r for a random input, which is negligible for cryptographically useful roughly 1/r for a random input, which is negligible for cryptographically useful
elliptic curves. elliptic curves.
Further, it is computationally infeasible to find an input to either encoding fu nction Further, it is computationally infeasible to find an input to either encoding fu nction
whose corresponding output is the identity element. whose corresponding output is the identity element.
(Both of these properties hold when the encoding functions are instantiated with a (Both of these properties hold when the encoding functions are instantiated with a
hash_to_field function that follows all guidelines in <xref target="hashtofield" hash_to_field function that follows all guidelines in <xref target="hashtofield"
format="default"/>.) />.)
Protocols that use these encoding functions SHOULD NOT add a special case Protocols that use these encoding functions <bcp14>SHOULD NOT</bcp14> add a spec
ial case
to detect and "fix" the identity element.</t> to detect and "fix" the identity element.</t>
<t>When the hash_to_curve function (<xref target="roadmap" format="defau lt"/>) is instantiated with a <t>When the hash_to_curve function (<xref target="roadmap"/>) is instant iated with a
hash_to_field function that is indifferentiable from a random oracle hash_to_field function that is indifferentiable from a random oracle
(<xref target="hashtofield" format="default"/>), the resulting function is indif (<xref target="hashtofield"/>), the resulting function is indifferentiable from
ferentiable from a random a random
oracle (<xref target="MRH04" format="default"/>, <xref target="BCIMRT10" format= oracle (<xref target="MRH04"/> <xref target="BCIMRT10"/> <xref target="FFSTV13"/
"default"/>, <xref target="FFSTV13" format="default"/>, <xref target="LBB19" for > <xref target="LBB19"/> <xref target="H20"/>).
mat="default"/>, <xref target="H20" format="default"/>). In many cases, such a function can be safely used in cryptographic protocols
In many cases such a function can be safely used in cryptographic protocols
whose security analysis assumes a random oracle that outputs uniformly random whose security analysis assumes a random oracle that outputs uniformly random
points on an elliptic curve. points on an elliptic curve.
As Ristenpart et al. discuss in <xref target="RSS11" format="default"/>, however , not all security proofs As Ristenpart et al. discuss in <xref target="RSS11"/>, however, not all securit y proofs
that rely on random oracles continue to hold when those oracles are replaced that rely on random oracles continue to hold when those oracles are replaced
by indifferentiable functionalities. by indifferentiable functionalities.
This limitation should be considered when analyzing the security of protocols This limitation should be considered when analyzing the security of protocols
relying on the hash_to_curve function.</t> relying on the hash_to_curve function.</t>
</section> </section>
<section anchor="security-considerations-passwords" numbered="true" toc="d <section anchor="security-considerations-passwords">
efault"> <name>Hashing Passwords</name>
<name>Hashing passwords</name>
<t>When hashing passwords using any function described in this document, an adversary <t>When hashing passwords using any function described in this document, an adversary
who learns the output of the hash function (or potentially any intermediate valu e, who learns the output of the hash function (or potentially any intermediate valu e,
e.g., the output of hash_to_field) may be able to carry out a dictionary attack. e.g., the output of hash_to_field) may be able to carry out a dictionary attack.
To mitigate such attacks, it is recommended to first execute a more costly key To mitigate such attacks, it is recommended to first execute a more costly key
derivation function (e.g., PBKDF2 <xref target="RFC2898" format="default"/>, scr derivation function (e.g., PBKDF2 <xref target="RFC8018"/>, scrypt <xref target=
ypt <xref target="RFC7914" format="default"/>, or Argon2 "RFC7914"/>, or Argon2
<xref target="I-D.irtf-cfrg-argon2" format="default"/>) on the password, then ha <xref target="RFC9106"/>) on the password, then hash the output of that
sh the output of that
function to the target elliptic curve. function to the target elliptic curve.
For collision resistance, the hash underlying the key derivation function For collision resistance, the hash underlying the key derivation function
should be chosen according to the guidelines listed in <xref target="hashtofield -expand-xmd" format="default"/>.</t> should be chosen according to the guidelines listed in <xref target="hashtofield -expand-xmd"/>.</t>
</section> </section>
<section anchor="security-considerations-constant" numbered="true" toc="de <section anchor="security-considerations-constant">
fault"> <name>Constant-Time Requirements</name>
<name>Constant-time requirements</name>
<t>Constant-time implementations of all functions in this document are S TRONGLY <t>Constant-time implementations of all functions in this document are S TRONGLY
RECOMMENDED for all uses, to avoid leaking information via side channels. <bcp14>RECOMMENDED</bcp14> for all uses, to avoid leaking information via side c hannels.
It is especially important to use a constant-time implementation when inputs to It is especially important to use a constant-time implementation when inputs to
an encoding are secret values; in such cases, constant-time implementations an encoding are secret values; in such cases, constant-time implementations
are REQUIRED for security against timing attacks (e.g., <xref target="VR20" form at="default"/>). are <bcp14>REQUIRED</bcp14> for security against timing attacks (e.g., <xref tar get="VR20"/>).
When constant-time implementations are required, all basic operations and When constant-time implementations are required, all basic operations and
utility functions must be implemented in constant time, as discussed in utility functions must be implemented in constant time, as discussed in
<xref target="utility" format="default"/>. <xref target="utility"/>.
In some applications (e.g., embedded systems), leakage through other side In some applications (e.g., embedded systems), leakage through other side
channels (e.g., power or electromagnetic side channels) may be pertinent. channels (e.g., power or electromagnetic side channels) may be pertinent.
Defending against such leakage is outside the scope of this document, because Defending against such leakage is outside the scope of this document, because
the nature of the leakage and the appropriate defense depend on the application. </t> the nature of the leakage and the appropriate defense depend on the application. </t>
</section> </section>
<section anchor="security-considerations-encode" numbered="true" toc="defa <section anchor="security-considerations-encode">
ult"> <name>encode_to_curve: Output Distribution and Indifferentiability</name
<name>encode_to_curve: output distribution and indifferentiability</name >
> <t>The encode_to_curve function (<xref target="roadmap"/>) returns point
<t>The encode_to_curve function (<xref target="roadmap" format="default" s sampled from a
/>) returns points sampled from a
distribution that is statistically far from uniform. distribution that is statistically far from uniform.
This distribution is bounded roughly as follows: This distribution is bounded roughly as follows:
first, it includes at least one eighth of the points in G, and second, the first, it includes at least one eighth of the points in G, and second, the
probability of points in the distribution varies by at most a factor of four. probability of points in the distribution varies by at most a factor of four.
These bounds hold when encode_to_curve is instantiated with any of the These bounds hold when encode_to_curve is instantiated with any of the
map_to_curve functions in <xref target="mappings" format="default"/>.</t> map_to_curve functions in <xref target="mappings"/>.</t>
<t>The bounds above are derived from several works in the literature. <t>The bounds above are derived from several works in the literature.
Specifically:</t> Specifically:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Shallue and van de Woestijne <xref target="SW06" format="default"/ <li>Shallue and van de Woestijne <xref target="SW06"/> and Fouque and
> and Fouque and Tibouchi <xref target="FT12" format="default"/> Tibouchi <xref target="FT12"/>
derive bounds on the Shallue-van de Woestijne mapping (<xref target="svdw" forma derive bounds on the Shallue-van de Woestijne mapping (<xref target="svdw"/>).</
t="default"/>).</li> li>
<li>Fouque and Tibouchi <xref target="FT10" format="default"/> and Tib <li>Fouque and Tibouchi <xref target="FT10"/> and Tibouchi <xref targe
ouchi <xref target="T14" format="default"/> derive bounds for the t="T14"/> derive bounds for the
Simplified SWU mapping (<xref target="simple-swu" format="default"/>, <xref targ Simplified SWU mapping (Sections <xref format="counter" target="simple-swu"/> an
et="simple-swu-AB0" format="default"/>).</li> d <xref format="counter" target="simple-swu-AB0"/>).</li>
<li>Bernstein et al. <xref target="BHKL13" format="default"/> derive b <li>Bernstein et al. <xref target="BHKL13"/> derive bounds for the Ell
ounds for the Elligator 2 mapping igator 2 mapping
(<xref target="elligator2" format="default"/>, <xref target="ell2edwards" format (Sections <xref format="counter" target="elligator2"/> and <xref format="counter
="default"/>).</li> " target="ell2edwards"/>).</li>
</ul> </ul>
<t>Indifferentiability of encode_to_curve follows from an argument simil ar <t>Indifferentiability of encode_to_curve follows from an argument simil ar
to the one given by Brier et al. <xref target="BCIMRT10" format="default"/>; we briefly sketch. to the one given by Brier et al. <xref target="BCIMRT10"/>; we briefly sketch th is argument as follows.
Consider an ideal random oracle Hc() that samples from the distribution induced Consider an ideal random oracle Hc() that samples from the distribution induced
by the map_to_curve function called by encode_to_curve, and assume for by the map_to_curve function called by encode_to_curve, and assume for
simplicity that the target elliptic curve has cofactor 1 (a similar argument simplicity that the target elliptic curve has cofactor 1 (a similar argument
applies for non-unity cofactors). applies for non-unity cofactors).
Indifferentiability holds just if it is possible to efficiently simulate Indifferentiability holds just if it is possible to efficiently simulate
the "inner" random oracle in encode_to_curve, namely, hash_to_field. the "inner" random oracle in encode_to_curve, namely, hash_to_field.
The simulator works as follows: The simulator works as follows:
on a fresh query msg, the simulator queries Hc(msg) and receives a point on a fresh query msg, the simulator queries Hc(msg) and receives a point
P in the image of map_to_curve (if msg is the same as a prior query, P in the image of map_to_curve (if msg is the same as a prior query,
the simulator just returns the value it gave in response to that query). the simulator just returns the value it gave in response to that query).
The simulator then computes the possible preimages of P under map_to_curve, The simulator then computes the possible preimages of P under map_to_curve,
i.e., elements u of F such that map_to_curve(u) == P i.e., elements u of F such that map_to_curve(u) == P
(Tibouchi <xref target="T14" format="default"/> shows that this can be done effi (Tibouchi <xref target="T14"/> shows that this can be done efficiently for the S
ciently for the Shallue-van hallue-van
de Woestijne and Simplified SWU maps, and Bernstein et al. show the same for de Woestijne and Simplified SWU maps, and Bernstein et al. show the same for
Elligator 2). Elligator 2).
The simulator selects one such preimage at random and returns this value The simulator selects one such preimage at random and returns this value
as the simulated output of the "inner" random oracle. as the simulated output of the "inner" random oracle.
By hypothesis, Hc() samples from the distribution induced by map_to_curve By hypothesis, Hc() samples from the distribution induced by map_to_curve
on a uniformly random input element of F, so this value is uniformly random on a uniformly random input element of F, so this value is uniformly random
and induces the correct point P when passed through map_to_curve.</t> and induces the correct point P when passed through map_to_curve.</t>
</section> </section>
<section anchor="security-considerations-hash-to-field" numbered="true" to <section anchor="security-considerations-hash-to-field">
c="default"> <name>hash_to_field Security</name>
<name>hash_to_field security</name> <t>The hash_to_field function, defined in <xref target="hashtofield"/>,
<t>The hash_to_field function defined in <xref target="hashtofield" form is indifferentiable
at="default"/> is indifferentiable from a random oracle <xref target="MRH04"/> when expand_message (<xref target="h
from a random oracle <xref target="MRH04" format="default"/> when expand_message ashtofield-expand"/>)
(<xref target="hashtofield-expand" format="default"/>)
is modeled as a random oracle. is modeled as a random oracle.
By composability of indifferentiability proofs, this also holds when Since indifferentiability proofs are composable, this also holds when
expand_message is proved indifferentiable from a random oracle relative expand_message is proved indifferentiable from a random oracle relative
to an underlying primitive that is modeled as a random oracle. to an underlying primitive that is modeled as a random oracle.
When following the guidelines in <xref target="hashtofield-expand" format="defau lt"/>, both variants When following the guidelines in <xref target="hashtofield-expand"/>, both varia nts
of expand_message defined in that section meet this requirement of expand_message defined in that section meet this requirement
(see also <xref target="security-considerations-expand-xmd" format="default"/>). </t> (see also <xref target="security-considerations-expand-xmd"/>).</t>
<t>We very briefly sketch the indifferentiability argument for hash_to_f ield. <t>We very briefly sketch the indifferentiability argument for hash_to_f ield.
Notice that each integer mod p that hash_to_field returns (i.e., each element Notice that each integer mod p that hash_to_field returns (i.e., each element
of the vector representation of F) is a member of an equivalence class of roughl y of the vector representation of F) is a member of an equivalence class of roughl y
2^k integers of length log2(p) + k bits, all of which are equal modulo p. 2^k integers of length log2(p) + k bits, all of which are equal modulo p.
For each integer mod p that hash_to_field returns, the simulator samples For each integer mod p that hash_to_field returns, the simulator samples
one member of this equivalence class at random and outputs the byte string one member of this equivalence class at random and outputs the byte string
returned by I2OSP. returned by I2OSP.
(Notice that this is essentially the inverse of the hash_to_field procedure.)</t > (Notice that this is essentially the inverse of the hash_to_field procedure.)</t >
</section> </section>
<section anchor="security-considerations-expand-xmd" numbered="true" toc=" <section anchor="security-considerations-expand-xmd">
default"> <name>expand_message_xmd Security</name>
<name>expand_message_xmd security</name> <t>The expand_message_xmd function, defined in <xref target="hashtofield
<t>The expand_message_xmd function defined in <xref target="hashtofield- -expand-xmd"/>, is
expand-xmd" format="default"/> is indifferentiable from a random oracle <xref target="MRH04"/> when one of the fol
indifferentiable from a random oracle <xref target="MRH04" format="default"/> wh lowing holds:</t>
en one of the following holds:</t> <ol spacing="normal" type="1"><li>H is indifferentiable from a random or
<ol spacing="normal" type="1"> acle,</li>
<li>H is indifferentiable from a random oracle,</li>
<li>H is a sponge-based hash function whose inner function <li>H is a sponge-based hash function whose inner function
is modeled as a random transformation or random permutation <xref target="BDPV08 " format="default"/>, or</li> is modeled as a random transformation or random permutation <xref target="BDPV08 "/>, or</li>
<li>H is a Merkle-Damgaard hash function whose compression function is <li>H is a Merkle-Damgaard hash function whose compression function is
modeled as a random oracle <xref target="CDMP05" format="default"/>.</li> modeled as a random oracle <xref target="CDMP05"/>.</li>
</ol> </ol>
<t>For cases (1) and (2), the indifferentiability of expand_message_xmd follows <t>For cases (1) and (2), the indifferentiability of expand_message_xmd follows
directly from the indifferentiability of H.</t> directly from the indifferentiability of H.</t>
<t>For case (3), i.e., for H a Merkle-Damgaard hash function, indifferen <t>For case (3), i.e., where H is a Merkle-Damgaard hash function, indif
tiability ferentiability
follows from <xref target="CDMP05" format="default"/>, Theorem 3.5. follows from <xref target="CDMP05"/>, Theorem 5.
In particular, expand_message_xmd computes b_0 by prefixing the message In particular, expand_message_xmd computes b_0 by prefixing the message
with one block of 0-bytes plus auxiliary information (length, counter, and DST). with one block of zeros plus auxiliary information (length, counter, and DST).
Then, each of the output blocks b_i, i &gt;= 1 in expand_message_xmd is the Then, each of the output blocks b_i, i &gt;= 1 in expand_message_xmd is the
result of invoking H on a unique, prefix-free encoding of b_0. result of invoking H on a unique, prefix-free encoding of b_0.
This is true, first, because the length of the input to all such invocations This is true, first because the length of the input to all such invocations
is equal and fixed by the choice of H and DST, and is equal and fixed by the choice of H and DST, and
second, because each such input has a unique suffix (because of the inclusion second because each such input has a unique suffix (because of the inclusion
of the counter byte I2OSP(i, 1)).</t> of the counter byte I2OSP(i, 1)).</t>
<t>The essential difference between the construction of <xref target="CD MP05" format="default"/> and <t>The essential difference between the construction discussed in <xref target="CDMP05"/> and
expand_message_xmd is that the latter hashes a counter appended to expand_message_xmd is that the latter hashes a counter appended to
strxor(b_0, b_(i - 1)) (step 10) rather than to b_0. strxor(b_0, b_(i - 1)) ({#hashtofield-expand-xmd}, step 10) rather than to b_0.
This approach increases the Hamming distance between inputs to different This approach increases the Hamming distance between inputs to different
invocations of H, which reduces the likelihood that nonidealities in H invocations of H, which reduces the likelihood that nonidealities in H
affect the distribution of the b_i values.</t> affect the distribution of the b_i values.</t>
<t>We note that expand_message_xmd can be used to instantiate a general- purpose <t>We note that expand_message_xmd can be used to instantiate a general- purpose
indifferentiable functionality with variable-length output based on any hash indifferentiable functionality with variable-length output based on any hash
function meeting one of the above criteria. function meeting one of the above criteria.
Applications that use expand_message_xmd outside of hash_to_field should Applications that use expand_message_xmd outside of hash_to_field should
ensure domain separation by picking a distinct value for DST.</t> ensure domain separation by picking a distinct value for DST.</t>
</section> </section>
<section anchor="security-considerations-domain-separation-expmsg-var" num <section anchor="security-considerations-domain-separation-expmsg-var">
bered="true" toc="default"> <name>Domain Separation for expand_message Variants</name>
<name>Domain separation for expand_message variants</name> <t>As discussed in <xref target="term-domain-separation"/>, the purpose
<t>As discussed in <xref target="term-domain-separation" format="default of domain separation
"/>, the purpose of domain separation
is to ensure that security analyses of cryptographic protocols that query is to ensure that security analyses of cryptographic protocols that query
multiple independent random oracles remain valid even if all of these random multiple independent random oracles remain valid even if all of these random
oracles are instantiated based on one underlying function H.</t> oracles are instantiated based on one underlying function H.</t>
<t>The expand_message variants in this document (<xref target="hashtofie ld-expand" format="default"/>) ensure <t>The expand_message variants in this document (<xref target="hashtofie ld-expand"/>) ensure
domain separation by appending a suffix-free-encoded domain separation tag domain separation by appending a suffix-free-encoded domain separation tag
DST_prime to all strings hashed by H, an underlying hash or DST_prime to all strings hashed by H, an underlying hash or
extendable-output function. extendable-output function.
(Other expand_message variants that follow the guidelines in (Other expand_message variants that follow the guidelines in
<xref target="hashtofield-expand-other" format="default"/> are expected to behav e similarly, <xref target="hashtofield-expand-other"/> are expected to behave similarly,
but these should be analyzed on a case-by-case basis.) but these should be analyzed on a case-by-case basis.)
For security, applications that use the same function H outside of expand_messag e For security, applications that use the same function H outside of expand_messag e
should enforce domain separation between those uses of H and expand_message, should enforce domain separation between those uses of H and expand_message,
and should separate all of these from uses of H in other applications.</t> and they should separate all of these from uses of H in other applications.</t>
<t>This section suggests four methods for enforcing domain separation <t>This section suggests four methods for enforcing domain separation
from expand_message variants, explains how each method achieves domain from expand_message variants, explains how each method achieves domain
separation, and lists the situations in which each is appropriate. separation, and lists the situations in which each is appropriate.
These methods share a high-level structure: the application designer fixes a tag These methods share a high-level structure: the application designer fixes a tag
DST_ext distinct from DST_prime and augments calls to H with DST_ext. DST_ext distinct from DST_prime and augments calls to H with DST_ext.
Each method augments calls to H differently, and each may impose Each method augments calls to H differently, and each may impose
additional requirements on DST_ext.</t> additional requirements on DST_ext.</t>
<t>These methods can be used to instantiate multiple domain separated fu nctions <t>These methods can be used to instantiate multiple domain-separated fu nctions
(e.g., H1 and H2) by selecting distinct DST_ext values for each (e.g., H1 and H2) by selecting distinct DST_ext values for each
(e.g., DST_ext1, DST_ext2).</t> (e.g., DST_ext1, DST_ext2).</t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1"><li>
<li>
<t>(Suffix-only domain separation.) <t>(Suffix-only domain separation.)
This method is useful when domain separating invocations of H This method is useful when domain-separating invocations of H
from expand_message_xmd or expand_message_xof. from expand_message_xmd or expand_message_xof.
It is not appropriate for domain separating expand_message from HMAC-H It is not appropriate for domain-separating expand_message from HMAC-H
<xref target="RFC2104" format="default"/>; for that purpose, see method 4. </t> <xref target="RFC2104"/>; for that purpose, see method 4. </t>
<t> <t>
To instantiate a suffix-only domain separated function Hso, compute </t> To instantiate a suffix-only domain-separated function Hso, compute </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
Hso(msg) = H(msg || DST_ext) Hso(msg) = H(msg || DST_ext)
]]></artwork> ]]></artwork>
<t> <t>
DST_ext should be suffix-free encoded (e.g., by appending one byte DST_ext should be suffix-free encoded (e.g., by appending one byte
encoding the length of DST_ext) to make it infeasible to find distinct encoding the length of DST_ext) to make it infeasible to find distinct
(msg, DST_ext) pairs that hash to the same value. </t> (msg, DST_ext) pairs that hash to the same value. </t>
<t> <t>
This method ensures domain separation because all distinct invocations of This method ensures domain separation because all distinct invocations of
H have distinct suffixes, since DST_ext is distinct from DST_prime.</t> H have distinct suffixes, since DST_ext is distinct from DST_prime.</t>
</li> </li>
<li> <li>
<t>(Prefix-suffix domain separation.) <t>(Prefix-suffix domain separation.)
This method can be used in the same cases as the suffix-only method. </t> This method can be used in the same cases as the suffix-only method. </t>
<t> <t>
To instantiate a prefix-suffix domain separated function Hps, compute </t> To instantiate a prefix-suffix domain-separated function Hps, compute </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
Hps(msg) = H(DST_ext || msg || I2OSP(0, 1)) Hps(msg) = H(DST_ext || msg || I2OSP(0, 1))
]]></artwork> ]]></artwork>
<t> <t>
DST_ext should be prefix-free encoded (e.g., by adding a one-byte prefix DST_ext should be prefix-free encoded (e.g., by adding a one-byte prefix
that encodes the length of DST_ext) to make it infeasible to find distinct that encodes the length of DST_ext) to make it infeasible to find distinct
(msg, DST_ext) pairs that hash to the same value. </t> (msg, DST_ext) pairs that hash to the same value. </t>
<t> <t>
This method ensures domain separation because This method ensures domain separation because
appending the byte I2OSP(0, 1) ensures that inputs to H inside Hps appending the byte I2OSP(0, 1) ensures that inputs to H inside Hps
are distinct from those inside expand_message. are distinct from those inside expand_message.
Specifically, the final byte of DST_prime encodes the length of DST, which Specifically, the final byte of DST_prime encodes the length of DST, which
is required to be nonzero (<xref target="domain-separation" format="default"/>, requirement 2), and is required to be nonzero (<xref target="domain-separation"/>, requirement 2), a nd
DST_prime is always appended to invocations of H inside expand_message.</t> DST_prime is always appended to invocations of H inside expand_message.</t>
</li> </li>
<li> <li>
<t>(Prefix-only domain separation.) <t>(Prefix-only domain separation.)
This method is only useful for domain separating invocations of H This method is only useful for domain-separating invocations of H
from expand_message_xmd. from expand_message_xmd.
It does not give domain separation for expand_message_xof or HMAC-H. </t> It does not give domain separation for expand_message_xof or HMAC-H. </t>
<t> <t>
To instantiate a prefix-only domain separated function Hpo, compute </t> To instantiate a prefix-only domain-separated function Hpo, compute </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
Hpo(msg) = H(DST_ext || msg) Hpo(msg) = H(DST_ext || msg)
]]></artwork> ]]></artwork>
<t> <t>
In order for this method to give domain separation, DST_ext should In order for this method to give domain separation, DST_ext should
be at least b bits long, where b is the number of bits output by the be at least b bits long, where b is the number of bits output by the
hash function H. hash function H.
In addition, at least one of the first b bits must be nonzero. In addition, at least one of the first b bits must be nonzero.
Finally, DST_ext should be prefix-free encoded (e.g., by adding a Finally, DST_ext should be prefix-free encoded (e.g., by adding a
one-byte prefix that encodes the length of DST_ext) to make it infeasible to one-byte prefix that encodes the length of DST_ext) to make it infeasible to
find distinct (msg, DST_ext) pairs that hash to the same value. </t> find distinct (msg, DST_ext) pairs that hash to the same value. </t>
<t> <t>
This method ensures domain separation as follows. This method ensures domain separation as follows.
First, since DST_ext contains at least one nonzero bit among its first b bits, First, since DST_ext contains at least one nonzero bit among its first b bits,
it is guaranteed to be distinct from the value Z_pad it is guaranteed to be distinct from the value Z_pad
(<xref target="hashtofield-expand-xmd" format="default"/>, step 4), which ensure s that all inputs to H (<xref target="hashtofield-expand-xmd"/>, step 4), which ensures that all inputs to H
are distinct from the input used to generate b_0 in expand_message_xmd. are distinct from the input used to generate b_0 in expand_message_xmd.
Second, since DST_ext is at least b bits long, it is almost certainly Second, since DST_ext is at least b bits long, it is almost certainly
distinct from the values b_0 and strxor(b_0, b_(i - 1)), and therefore distinct from the values b_0 and strxor(b_0, b_(i - 1)), and therefore
all inputs to H are distinct from the inputs used to generate b_i, i &gt;= 1, all inputs to H are distinct from the inputs used to generate b_i, i &gt;= 1,
with high probability.</t> with high probability.</t>
</li> </li>
<li> <li>
<t>(XMD-HMAC domain separation.) <t>(XMD-HMAC domain separation.)
This method is useful for domain separating invocations of H inside This method is useful for domain-separating invocations of H inside
HMAC-H (i.e., HMAC <xref target="RFC2104" format="default"/> instantiated with h HMAC-H (i.e., HMAC <xref target="RFC2104"/> instantiated with hash function H) f
ash function H) from rom
expand_message_xmd. expand_message_xmd.
It also applies to HKDF-H <xref target="RFC5869" format="default"/>, as discusse d below. </t> It also applies to HKDF-H (i.e., HKDF <xref target="RFC5869"/> instantiated with hash function H), as discussed below. </t>
<t> <t>
Specifically, this method applies when HMAC-H is used with a non-secret Specifically, this method applies when HMAC-H is used with a non-secret
key to instantiate a random oracle based on a hash function H key to instantiate a random oracle based on a hash function H
(note that expand_message_xmd can also be used for this purpose; see (note that expand_message_xmd can also be used for this purpose; see
<xref target="security-considerations-expand-xmd" format="default"/>). <xref target="security-considerations-expand-xmd"/>).
When using HMAC-H with a high-entropy secret key, domain separation is not When using HMAC-H with a high-entropy secret key, domain separation is not
necessary; see discussion below. </t> necessary; see discussion below. </t>
<t> <t>
To choose a non-secret HMAC key DST_key that ensures domain separation To choose a non-secret HMAC key DST_key that ensures domain separation
from expand_message_xmd, compute </t> from expand_message_xmd, compute </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
DST_key_preimage = "DERIVE-HMAC-KEY-" || DST_ext || I2OSP(0, 1) DST_key_preimage = "DERIVE-HMAC-KEY-" || DST_ext || I2OSP(0, 1)
DST_key = H(DST_key_preimage) DST_key = H(DST_key_preimage)
]]></artwork> ]]></artwork>
<t> <t>
Then, to instantiate the random oracle Hro using HMAC-H, compute </t> Then, to instantiate the random oracle Hro using HMAC-H, compute </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
Hro(msg) = HMAC-H(DST_key, msg) Hro(msg) = HMAC-H(DST_key, msg)
]]></artwork> ]]></artwork>
<t> <t>
The trailing zero byte in DST_key_preimage ensures that this value The trailing zero byte in DST_key_preimage ensures that this value
is distinct from inputs to H inside expand_message_xmd (because all is distinct from inputs to H inside expand_message_xmd (because all
such inputs have suffix DST_prime, which cannot end with a zero byte such inputs have suffix DST_prime, which cannot end with a zero byte
as discussed above). as discussed above).
This ensures domain separation because, with overwhelming probability, This ensures domain separation because, with overwhelming probability,
all inputs to H inside of HMAC-H using key DST_key have prefixes that all inputs to H inside of HMAC-H using key DST_key have prefixes that
are distinct from the values Z_pad, b_0, and strxor(b_0, b_(i - 1)) are distinct from the values Z_pad, b_0, and strxor(b_0, b_(i - 1))
inside of expand_message_xmd. </t> inside of expand_message_xmd. </t>
<t> <t>
For uses of HMAC-H that instantiate a private random oracle by fixing For uses of HMAC-H that instantiate a private random oracle by fixing
a high-entropy secret key, domain separation from expand_message_xmd a high-entropy secret key, domain separation from expand_message_xmd
is not necessary. is not necessary.
This is because, similarly to the case above, all inputs to H inside This is because, similarly to the case above, all inputs to H inside
HMAC-H using this secret key almost certainly have distinct prefixes HMAC-H using this secret key almost certainly have distinct prefixes
from all inputs to H inside expand_message_xmd. </t> from all inputs to H inside expand_message_xmd. </t>
<t> <t>
Finally, this method can be used with HKDF-H <xref target="RFC5869" format="defa ult"/> by fixing Finally, this method can be used with HKDF-H <xref target="RFC5869"/> by fixing
the salt input to HKDF-Extract to DST_key, computed as above. the salt input to HKDF-Extract to DST_key, computed as above.
This ensures domain separation for HKDF-Extract by the same argument This ensures domain separation for HKDF-Extract by the same argument
as for HMAC-H using DST_key. as for HMAC-H using DST_key.
Moreover, assuming that the IKM input to HKDF-Extract has sufficiently Moreover, assuming that the input keying material (IKM) supplied to HKDF-Extract has sufficiently
high entropy (say, commensurate with the security parameter), the high entropy (say, commensurate with the security parameter), the
HKDF-Expand step is domain separated by the same argument as for HKDF-Expand step is domain-separated by the same argument as for
HMAC-H with a high-entropy secret key (since PRK is exactly that).</t> HMAC-H with a high-entropy secret key (since a pseudorandom key is exactly that)
.</t>
</li> </li>
</ol> </ol>
</section> </section>
<section anchor="security-considerations-targets" numbered="true" toc="def <section anchor="security-considerations-targets">
ault"> <name>Target Security Levels</name>
<name>Target security levels</name>
<t>Each ciphersuite specifies a target security level (in bits) for the underlying <t>Each ciphersuite specifies a target security level (in bits) for the underlying
curve. This parameter ensures the corresponding hash_to_field instantiation is curve. This parameter ensures the corresponding hash_to_field instantiation is
conservative and correct. We stress that this parameter is only an upper bound o n conservative and correct. We stress that this parameter is only an upper bound o n
the security level of the curve, and is neither a guarantee nor endorsement of i ts the security level of the curve and is neither a guarantee nor endorsement of it s
suitability for a given application. Mathematical and cryptographic advancements suitability for a given application. Mathematical and cryptographic advancements
may reduce the effective security level for any curve.</t> may reduce the effective security level for any curve.</t>
</section> </section>
</section> </section>
<section anchor="acknowledgements" numbered="true" toc="default">
<name>Acknowledgements</name>
<t>The authors would like to thank Adam Langley for his detailed writeup o
f Elligator 2 with
Curve25519 <xref target="L13" format="default"/>;
Dan Boneh, Christopher Patton, Benjamin Lipp, and Leonid Reyzin for educational
discussions; and
David Benjamin, Daniel Bourdrez, Frank Denis, Sean Devlin, Justin Drake, Bjoern
Haase, Mike Hamburg,
Dan Harkins, Daira Hopwood, Thomas Icart, Andy Polyakov, Thomas Pornin, Mamy Rat
simbazafy, Michael Scott,
Filippo Valsorda, and Mathy Vanhoef for helpful reviews and feedback.</t>
</section>
<section anchor="contributors" numbered="true" toc="default">
<name>Contributors</name>
<ul spacing="normal">
<li>Sharon Goldberg, Boston University (goldbe@cs.bu.edu)</li>
<li>Ela Lee, Royal Holloway, University of London (Ela.Lee.2010@live.rhu
l.ac.uk)</li>
<li>Michele Orru (michele.orru@ens.fr)</li>
</ul>
</section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.irtf-cfrg-bls-signature" to="BLS-SIG" />
<displayreference target="I-D.irtf-cfrg-vrf" to="VRF" />
<displayreference target="I-D.irtf-cfrg-voprf" to="OPRFs" />
<displayreference target="I-D.irtf-cfrg-ristretto255-decaf448" to="ristretto255-
decaf448" />
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="EID4730" target="https://www.rfc-editor.org/errata/ei d4730"> <reference anchor="Err4730" target="https://www.rfc-editor.org/errata/ei d4730">
<front> <front>
<title>RFC 7748, Errata ID 4730</title> <title>Erratum ID 4730</title>
<author initials="A." surname="Langley" fullname="Adam Langley"> <author>
<organization/> <organization>RFC Errata</organization>
</author> </author>
<date year="2016" month="July"/> <date year="2016" month="July"/>
</front> </front>
<refcontent>RFC 7748</refcontent>
</reference> </reference>
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit
le>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="BCP" value="14"/>
<author fullname="S. Bradner" initials="S." surname="Bradner">
<organization/>
</author>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized.
This document defines these words as they should be interpreted in IETF document
s. This document specifies an Internet Best Current Practices for the Internet
Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="BCP" value="14"/>
<author fullname="B. Leiba" initials="B." surname="Leiba">
<organization/>
</author>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying tha
t only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
</reference>
<reference anchor="RFC8017">
<front>
<title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
<seriesInfo name="DOI" value="10.17487/RFC8017"/>
<seriesInfo name="RFC" value="8017"/>
<author fullname="K. Moriarty" initials="K." role="editor" surname="
Moriarty">
<organization/>
</author>
<author fullname="B. Kaliski" initials="B." surname="Kaliski">
<organization/>
</author>
<author fullname="J. Jonsson" initials="J." surname="Jonsson">
<organization/>
</author>
<author fullname="A. Rusch" initials="A." surname="Rusch">
<organization/>
</author>
<date month="November" year="2016"/>
<abstract>
<t>This document provides recommendations for the implementation o
f public-key cryptography based on the RSA algorithm, covering cryptographic pri
mitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax f
or representing keys and for identifying the schemes.</t>
<t>This document represents a republication of PKCS #1 v2.2 from R
SA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing
this RFC, change control is transferred to the IETF.</t>
<t>This document also obsoletes RFC 3447.</t>
</abstract>
</front>
</reference>
<reference anchor="RFC7748">
<front>
<title>Elliptic Curves for Security</title>
<seriesInfo name="DOI" value="10.17487/RFC7748"/>
<seriesInfo name="RFC" value="7748"/>
<author fullname="A. Langley" initials="A." surname="Langley">
<organization/>
</author>
<author fullname="M. Hamburg" initials="M." surname="Hamburg">
<organization/>
</author>
<author fullname="S. Turner" initials="S." surname="Turner">
<organization/>
</author>
<date month="January" year="2016"/>
<abstract>
<t>This memo specifies two elliptic curves over prime fields that
offer a high level of practical security in cryptographic applications, includin
g Transport Layer Security (TLS). These curves are intended to operate at the ~
128-bit and ~224-bit security level, respectively, and are generated determinist
ically based on a list of required properties.</t>
</abstract>
</front>
</reference>
<reference anchor="I-D.irtf-cfrg-pairing-friendly-curves">
<front>
<title>Pairing-Friendly Curves</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-pairing-fri
endly-curves-10"/>
<author fullname="Yumi Sakemi">
<organization>Infours</organization>
</author>
<author fullname="Tetsutaro Kobayashi">
<organization>NTT</organization>
</author>
<author fullname="Tsunekazu Saito">
<organization>NTT</organization>
</author>
<author fullname="Riad S. Wahby">
<organization>Stanford University</organization>
</author>
<date day="30" month="July" year="2021"/>
<abstract>
<t> Pairing-based cryptography, a subfield of elliptic curve
cryptography, has received attention due to its flexible and
practical functionality. Pairings are special maps defined using
elliptic curves and it can be applied to construct several
cryptographic protocols such as identity-based encryption, attribute-
based encryption, and so on. At CRYPTO 2016, Kim and Barbulescu
proposed an efficient number field sieve algorithm named exTNFS for
the discrete logarithm problem in a finite field. Several types of
pairing-friendly curves such as Barreto-Naehrig curves are affected
by the attack. In particular, a Barreto-Naehrig curve with a 254-bit
characteristic was adopted by a lot of cryptographic libraries as a
parameter of 128-bit security, however, it ensures no more than the
100-bit security level due to the effect of the attack. In this
memo, we list the security levels of certain pairing-friendly curves,
and motivate our choices of curves. First, we summarize the adoption
status of pairing-friendly curves in standards, libraries and
applications, and classify them in the 128-bit, 192-bit, and 256-bit
security levels. Then, from the viewpoints of "security" and "widely
used", we select the recommended pairing-friendly curves considering
exTNFS.
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"
</abstract> />
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"
</reference> />
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml"
/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"
/>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="BLS12-381" target="https://electriccoin.co/blog/new-s nark-curve/"> <reference anchor="BLS12-381" target="https://electriccoin.co/blog/new-s nark-curve/">
<front> <front>
<title>BLS12-381: New zk-SNARK Elliptic Curve Construction</title> <title>BLS12-381: New zk-SNARK Elliptic Curve Construction</title>
<author initials="S." surname="Bowe" fullname="Sean Bowe"> <author initials="S." surname="Bowe" fullname="Sean Bowe">
<organization>Electric Coin Company</organization> <organization>Electric Coin Company</organization>
</author> </author>
<date year="2017" month="March"/> <date year="2017" month="March"/>
skipping to change at line 2330 skipping to change at line 2211
<name>Informative References</name> <name>Informative References</name>
<reference anchor="BLS12-381" target="https://electriccoin.co/blog/new-s nark-curve/"> <reference anchor="BLS12-381" target="https://electriccoin.co/blog/new-s nark-curve/">
<front> <front>
<title>BLS12-381: New zk-SNARK Elliptic Curve Construction</title> <title>BLS12-381: New zk-SNARK Elliptic Curve Construction</title>
<author initials="S." surname="Bowe" fullname="Sean Bowe"> <author initials="S." surname="Bowe" fullname="Sean Bowe">
<organization>Electric Coin Company</organization> <organization>Electric Coin Company</organization>
</author> </author>
<date year="2017" month="March"/> <date year="2017" month="March"/>
</front> </front>
</reference> </reference>
<reference anchor="BR93" target="https://doi.org/10.1145/168588.168596"> <reference anchor="BR93" target="https://doi.org/10.1145/168588.168596">
<front> <front>
<title>Random oracles are practical: a paradigm for designing effici ent protocols</title> <title>Random oracles are practical: a paradigm for designing effici ent protocols</title>
<seriesInfo name="DOI" value="10.1145/168588.168596"/>
<seriesInfo name="pages" value="62-73"/>
<seriesInfo name="In" value="Proceedings of the 1993 ACM Conference
on Computer and Communications Security"/>
<author initials="M." surname="Bellare" fullname="Mihir Bellare"> <author initials="M." surname="Bellare" fullname="Mihir Bellare">
<organization>UC San Diego</organization> <organization>UC San Diego</organization>
</author> </author>
<author initials="P." surname="Rogaway" fullname="Phillip Rogaway"> <author initials="P." surname="Rogaway" fullname="Phillip Rogaway">
<organization>UC Davis</organization> <organization>UC Davis</organization>
</author> </author>
<date year="1993" month="December"/> <date year="1993" month="December"/>
</front> </front>
<refcontent>In Proceedings of the 1993 ACM Conference on Computer and Communicat
ions Security, pages 62-73</refcontent>
<seriesInfo name="DOI" value="10.1145/168588.168596"/>
</reference> </reference>
<reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf"> <reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf">
<front> <front>
<title>SEC 1: Elliptic Curve Cryptography</title> <title>SEC 1: Elliptic Curve Cryptography</title>
<author> <author>
<organization>Standards for Efficient Cryptography Group (SECG)</o rganization> <organization>Standards for Efficient Cryptography Group (SECG)</o rganization>
</author> </author>
<date year="2009" month="May"/> <date year="2009" month="May"/>
</front> </front>
</reference> </reference>
<reference anchor="SEC2" target="http://www.secg.org/sec2-v2.pdf"> <reference anchor="SEC2" target="http://www.secg.org/sec2-v2.pdf">
<front> <front>
<title>SEC 2: Recommended Elliptic Curve Domain Parameters</title> <title>SEC 2: Recommended Elliptic Curve Domain Parameters</title>
<author> <author>
<organization>Standards for Efficient Cryptography Group (SECG)</o rganization> <organization>Standards for Efficient Cryptography Group (SECG)</o rganization>
</author> </author>
<date year="2010" month="January"/> <date year="2010" month="January"/>
</front> </front>
</reference> </reference>
<reference anchor="FIPS180-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.180-4.pdf"> <reference anchor="FIPS180-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.180-4.pdf">
<front> <front>
<title>Secure Hash Standard (SHS)</title> <title>Secure Hash Standard (SHS)</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST )</organization> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date year="2015" month="August"/> <date year="2015" month="August"/>
</front> </front>
<seriesInfo name="FIPS" value="180-4"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
</reference> </reference>
<reference anchor="FIPS186-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.186-4.pdf"> <reference anchor="FIPS186-4" target="https://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.186-4.pdf">
<front> <front>
<title>FIPS Publication 186-4: Digital Signature Standard</title> <title>Digital Signature Standard (DSS)</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST )</organization> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date year="2013" month="July"/> <date year="2013" month="July"/>
</front> </front>
<seriesInfo name="FIPS" value="186-4"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/>
</reference> </reference>
<reference anchor="FIPS202" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.202.pdf"> <reference anchor="FIPS202" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.202.pdf">
<front> <front>
<title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title> <title>SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST )</organization> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date year="2015" month="August"/> <date year="2015" month="August"/>
</front> </front>
<seriesInfo name="FIPS" value="202"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.202"/>
</reference> </reference>
<reference anchor="BDPV08" target="https://doi.org/10.1007/978-3-540-789 67-3_11"> <reference anchor="BDPV08" target="https://doi.org/10.1007/978-3-540-789 67-3_11">
<front> <front>
<title>On the Indifferentiability of the Sponge Construction</title> <title>On the Indifferentiability of the Sponge Construction</title>
<seriesInfo name="DOI" value="10.1007/978-3-540-78967-3_11"/> <author initials="G." surname="Bertoni" fullname="Guido Bertoni">
<seriesInfo name="pages" value="181-197"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2008
"/>
<author initials="G." surname="Bertoni," fullname="Guido Bertoni">
<organization>STMicroelectronics</organization> <organization>STMicroelectronics</organization>
</author> </author>
<author initials="J." surname="Daemen" fullname="Joan Daemen"> <author initials="J." surname="Daemen" fullname="Joan Daemen">
<organization>STMicroelectronics</organization> <organization>STMicroelectronics</organization>
</author> </author>
<author initials="M." surname="Peeters" fullname="Michael Peeters"> <author initials="M." surname="Peeters" fullname="Michael Peeters">
<organization>NXP Semiconductors</organization> <organization>NXP Semiconductors</organization>
</author> </author>
<author initials="G." surname="Van Assche" fullname="Gilles Van Assc he"> <author initials="G." surname="Van Assche" fullname="Gilles Van Assc he">
<organization>STMicroelectronics</organization> <organization>STMicroelectronics</organization>
</author> </author>
<date year="2008"/> <date year="2008" month="April"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2008, pages 181-197</refconten
t>
<seriesInfo name="DOI" value="10.1007/978-3-540-78967-3_11"/>
</reference> </reference>
<reference anchor="CDMP05" target="https://doi.org/10.1007/11535218_26"> <reference anchor="CDMP05" target="https://doi.org/10.1007/11535218_26">
<front> <front>
<title>Merkle-Damgaard Revisited: How to Construct a Hash Function</ <title>Merkle-Damgård Revisited: How to Construct a Hash Function</t
title> itle>
<seriesInfo name="DOI" value="10.1007/11535218_26"/> <author initials="J.-S." surname="Coron" fullname="Jean-Sebastien Co
<seriesInfo name="pages" value="430-448"/> ron">
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2005"/>
<author initials="J-S." surname="Coron" fullname="Jean-Sebastien Cor
on">
<organization>University of Luxembourg</organization> <organization>University of Luxembourg</organization>
</author> </author>
<author initials="Y." surname="Dodis" fullname="Yevgeniy Dodis"> <author initials="Y." surname="Dodis" fullname="Yevgeniy Dodis">
<organization>New York University</organization> <organization>New York University</organization>
</author> </author>
<author initials="C." surname="Malinaud" fullname="Cecile Malinaud"> <author initials="C." surname="Malinaud" fullname="Cecile Malinaud">
<organization>University of Luxembourg</organization> <organization>University of Luxembourg</organization>
</author> </author>
<author initials="P." surname="Puniya" fullname="Prashant Puniya"> <author initials="P." surname="Puniya" fullname="Prashant Puniya">
<organization>New York University</organization> <organization>New York University</organization>
</author> </author>
<date year="2005"/> <date year="2005" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology -- CRYPTO 2005, pages 430-448</refcontent>
<seriesInfo name="DOI" value="10.1007/11535218_26"/>
</reference> </reference>
<reference anchor="BLAKE2X" target="https://blake2.net/blake2x.pdf"> <reference anchor="BLAKE2X" target="https://blake2.net/blake2x.pdf">
<front> <front>
<title>BLAKE2X</title> <title>BLAKE2X</title>
<author initials="J-P." surname="Aumasson" fullname="Jean-Philippe A umasson"> <author initials="J.-P." surname="Aumasson" fullname="Jean-Philippe Aumasson">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Neves" fullname="Samuel Neves"> <author initials="S." surname="Neves" fullname="Samuel Neves">
<organization/> <organization/>
</author> </author>
<author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilco x-O'Hearn"> <author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilco x-O'Hearn">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Winnerlein" fullname="Christian Winne rlein"> <author initials="C." surname="Winnerlein" fullname="Christian Winne rlein">
<organization/> <organization/>
skipping to change at line 2450 skipping to change at line 2343
</author> </author>
<author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilco x-O'Hearn"> <author initials="Z." surname="Wilcox-O'Hearn" fullname="Zooko Wilco x-O'Hearn">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Winnerlein" fullname="Christian Winne rlein"> <author initials="C." surname="Winnerlein" fullname="Christian Winne rlein">
<organization/> <organization/>
</author> </author>
<date year="2016" month="December"/> <date year="2016" month="December"/>
</front> </front>
</reference> </reference>
<reference anchor="Icart09" target="https://doi.org/10.1007/978-3-642-03 356-8_18"> <reference anchor="Icart09" target="https://doi.org/10.1007/978-3-642-03 356-8_18">
<front> <front>
<title>How to Hash into Elliptic Curves</title> <title>How to Hash into Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-03356-8_18"/>
<seriesInfo name="pages" value="303-316"/>
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2009"/>
<author initials="T." surname="Icart" fullname="Thomas Icart"> <author initials="T." surname="Icart" fullname="Thomas Icart">
<organization>Sagem Securite and Universite du Luxembourg</organiz ation> <organization>Sagem Securite and Universite du Luxembourg</organiz ation>
</author> </author>
<date year="2009"/> <date year="2009" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology - CRYPTO 2009, pages 303-316</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-03356-8_18"/>
</reference> </reference>
<reference anchor="BBJLP08" target="https://doi.org/10.1007/978-3-540-68 164-9_26"> <reference anchor="BBJLP08" target="https://doi.org/10.1007/978-3-540-68 164-9_26">
<front> <front>
<title>Twisted Edwards curves</title> <title>Twisted Edwards Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-540-68164-9_26"/> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Ber
<seriesInfo name="pages" value="389-405"/> nstein">
<seriesInfo name="In" value="AFRICACRYPT 2008"/>
<author initials="D.J." surname="Bernstein" fullname="Daniel J. Bern
stein">
<organization>Department of Computer Science, University of Illino is at Chicago, USA</organization> <organization>Department of Computer Science, University of Illino is at Chicago, USA</organization>
</author> </author>
<author initials="P." surname="Birkner" fullname="Peter Birkner"> <author initials="P." surname="Birkner" fullname="Peter Birkner">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="M." surname="Joye" fullname="Marc Joye"> <author initials="M." surname="Joye" fullname="Marc Joye">
<organization>Thomson R&amp;D France</organization> <organization>Thomson R&amp;D France</organization>
</author> </author>
<author initials="T." surname="Lange" fullname="Tanja Lange"> <author initials="T." surname="Lange" fullname="Tanja Lange">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="C." surname="Peters" fullname="Christiane Peters"> <author initials="C." surname="Peters" fullname="Christiane Peters">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<date year="2008"/> <date year="2008" month="June"/>
</front> </front>
<refcontent>In AFRICACRYPT 2008, pages 389-405</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-540-68164-9_26"/>
</reference> </reference>
<reference anchor="CK11" target="https://doi.org/10.1016/j.jsc.2011.11.0 03"> <reference anchor="CK11" target="https://doi.org/10.1016/j.jsc.2011.11.0 03">
<front> <front>
<title>The geometry of flex tangents to a cubic curve and its parame terizations</title> <title>The geometry of flex tangents to a cubic curve and its parame terizations</title>
<seriesInfo name="DOI" value="10.1016/j.jsc.2011.11.003"/> <author initials="J.-M." surname="Couveignes" fullname="Jean-Marc Co
<seriesInfo name="pages" value="266-281"/> uveignes">
<seriesInfo name="In" value="Journal of Symbolic Computation, vol 47
issue 3"/>
<author initials="J." surname="Couveignes" fullname="Jean-Marc Couve
ignes">
<organization>Universite Bordeaux</organization> <organization>Universite Bordeaux</organization>
</author> </author>
<author initials="J." surname="Kammerer" fullname="Jean-Gabriel Kamm erer"> <author initials="J.-G." surname="Kammerer" fullname="Jean-Gabriel K ammerer">
<organization>Universite de Rennes</organization> <organization>Universite de Rennes</organization>
</author> </author>
<date year="2012"/> <date year="2012" month="March"/>
</front> </front>
<refcontent>In Journal of Symbolic Computation, vol 47 issue 3, pages 266-281</r
efcontent>
<seriesInfo name="DOI" value="10.1016/j.jsc.2011.11.003"/>
</reference> </reference>
<reference anchor="VR20" target="https://eprint.iacr.org/2019/383"> <reference anchor="VR20" target="https://eprint.iacr.org/2019/383">
<front> <front>
<title>Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EA P-pwd</title> <title>Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EA P-pwd</title>
<seriesInfo name="In" value="IEEE Symposium on Security &amp; Privac y (SP)"/>
<author initials="M." surname="Vanhoef" fullname="Mathy Vanhoef"> <author initials="M." surname="Vanhoef" fullname="Mathy Vanhoef">
<organization>New York University Abu Dhabi</organization> <organization>New York University Abu Dhabi</organization>
</author> </author>
<author initials="E." surname="Ronen" fullname="Eyal Ronen"> <author initials="E." surname="Ronen" fullname="Eyal Ronen">
<organization>Tel Aviv University and KU Leuven</organization> <organization>Tel Aviv University and KU Leuven</organization>
</author> </author>
<date year="2020"/> <date year="2020" month="May"/>
</front> </front>
<refcontent>In IEEE Symposium on Security &amp; Privacy (SP)</refcontent>
</reference> </reference>
<reference anchor="F11" target="https://doi.org/10.1007/978-3-642-21969- 6_17"> <reference anchor="F11" target="https://doi.org/10.1007/978-3-642-21969- 6_17">
<front> <front>
<title>Hashing into Hessian curves</title> <title>Hashing into Hessian Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-21969-6_17"/> <author initials="R. R." surname="Farashahi" fullname="Reza R. Faras
<seriesInfo name="pages" value="278-289"/> hahi">
<seriesInfo name="In" value="AFRICACRYPT 2011"/>
<author initials="R.R." surname="Farashahi" fullname="Reza R. Farash
ahi">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<date year="2011"/> <date year="2011" month="July"/>
</front> </front>
<refcontent>In AFRICACRYPT 2011, pages 278-289</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-21969-6_17"/>
</reference> </reference>
<reference anchor="FSV09" target="https://doi.org/10.1515/JMC.2009.022"> <reference anchor="FSV09" target="https://doi.org/10.1515/JMC.2009.022">
<front> <front>
<title>On hashing into elliptic curves</title> <title>On hashing into elliptic curves</title>
<seriesInfo name="DOI" value="10.1515/JMC.2009.022"/> <author initials="R. R." surname="Farashahi" fullname="Reza R. Faras
<seriesInfo name="pages" value="353-360"/> hahi">
<seriesInfo name="In" value="Journal of Mathematical Cryptology, vol
3 no 4"/>
<author initials="R.R." surname="Farashahi" fullname="Reza R. Farash
ahi">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="I.E." surname="Shparlinski" fullname="Igor E. Shpa rlinski"> <author initials="I. E." surname="Shparlinski" fullname="Igor E. Shp arlinski">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="J.F." surname="Voloch" fullname="J. Felipe Voloch" > <author initials="J. F." surname="Voloch" fullname="J. Felipe Voloch ">
<organization>University of Texas</organization> <organization>University of Texas</organization>
</author> </author>
<date year="2009"/> <date year="2009" month="March"/>
</front> </front>
<refcontent>In Journal of Mathematical Cryptology, vol 3 no 4, pages 353-360</re
fcontent>
<seriesInfo name="DOI" value="10.1515/JMC.2009.022"/>
</reference> </reference>
<reference anchor="FT10" target="https://doi.org/10.1007/978-3-642-14712 -8_5"> <reference anchor="FT10" target="https://doi.org/10.1007/978-3-642-14712 -8_5">
<front> <front>
<title>Estimating the size of the image of deterministic hash functi <title>Estimating the Size of the Image of Deterministic Hash Functi
ons to elliptic curves.</title> ons to Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-14712-8_5"/> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou
<seriesInfo name="pages" value="81-91"/> que">
<seriesInfo name="In" value="Progress in Cryptology - LATINCRYPT 201
0"/>
<author initials="P-A." surname="Fouque" fullname="Pierre-Alain Fouq
ue">
<organization>Ecole Normale Superieure and INRIA Rennes</organizat ion> <organization>Ecole Normale Superieure and INRIA Rennes</organizat ion>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2010"/> <date year="2010" month="August"/>
</front> </front>
<refcontent>In Progress in Cryptology - LATINCRYPT 2010, pages 81-91</refcontent
>
<seriesInfo name="DOI" value="10.1007/978-3-642-14712-8_5"/>
</reference> </reference>
<reference anchor="FT12" target="https://doi.org/10.1007/978-3-642-33481 -8_1"> <reference anchor="FT12" target="https://doi.org/10.1007/978-3-642-33481 -8_1">
<front> <front>
<title>Indifferentiable Hashing to Barreto-Naehrig Curves</title> <title>Indifferentiable Hashing to Barreto--Naehrig Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-33481-8_1"/> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou
<seriesInfo name="pages" value="1-7"/> que">
<seriesInfo name="In" value="Progress in Cryptology - LATINCRYPT 201
2"/>
<author initials="P-A." surname="Fouque" fullname="Pierre-Alain Fouq
ue">
<organization>Ecole Normale Superieure and INRIA Rennes</organizat ion> <organization>Ecole Normale Superieure and INRIA Rennes</organizat ion>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2012"/> <date year="2012"/>
</front> </front>
<refcontent>In Progress in Cryptology - LATINCRYPT 2012, pages 1-17</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-33481-8_1"/>
</reference> </reference>
<reference anchor="FJT13" target="https://doi.org/10.1007/978-3-642-3905 9-3_14"> <reference anchor="FJT13" target="https://doi.org/10.1007/978-3-642-3905 9-3_14">
<front> <front>
<title>Injective encodings to elliptic curves</title> <title>Injective Encodings to Elliptic Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-39059-3_14"/> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou
<seriesInfo name="pages" value="203-218"/> que">
<seriesInfo name="In" value="ACISP 2013"/>
<author initials="P-A." surname="Fouque" fullname="Pierre-Alain Fouq
ue">
<organization>Ecole Normale Superieure and INRIA Rennes</organizat ion> <organization>Ecole Normale Superieure and INRIA Rennes</organizat ion>
</author> </author>
<author initials="A." surname="Joux" fullname="Antoine Joux"> <author initials="A." surname="Joux" fullname="Antoine Joux">
<organization>Sorbonne Universite</organization> <organization>Sorbonne Universite</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2013"/> <date year="2013"/>
</front> </front>
<refcontent>In ACISP 2013, pages 203-218</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-39059-3_14"/>
</reference> </reference>
<reference anchor="KLR10" target="https://doi.org/10.1007/978-3-642-1745 5-1_18"> <reference anchor="KLR10" target="https://doi.org/10.1007/978-3-642-1745 5-1_18">
<front> <front>
<title>Encoding points on hyperelliptic curves over finite fields in <title>Encoding Points on Hyperelliptic Curves over Finite Fields in
deterministic polynomial time</title> Deterministic Polynomial Time</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-17455-1_18"/> <author initials="J.-G." surname="Kammerer" fullname="Jean-Gabriel K
<seriesInfo name="pages" value="278-297"/> ammerer">
<seriesInfo name="In" value="PAIRING 2010"/>
<author initials="J." surname="Kammerer" fullname="Jean-Gabriel Kamm
erer">
<organization>Universite de Rennes</organization> <organization>Universite de Rennes</organization>
</author> </author>
<author initials="R." surname="Lercier" fullname="Reynald Lercier"> <author initials="R." surname="Lercier" fullname="Reynald Lercier">
<organization>Universite de Rennes</organization> <organization>Universite de Rennes</organization>
</author> </author>
<author initials="G." surname="Renault" fullname="Guenael Renault"> <author initials="G." surname="Renault" fullname="Guenael Renault">
<organization>Universite Pierre et Marie Curie</organization> <organization>Universite Pierre et Marie Curie</organization>
</author> </author>
<date year="2010"/> <date year="2010"/>
</front> </front>
<refcontent>In Pairing-Based Cryptography - Pairing 2010, pages 278-297</refcont
ent>
<seriesInfo name="DOI" value="10.1007/978-3-642-17455-1_18"/>
</reference> </reference>
<reference anchor="AR13" target="https://doi.org/10.1109/TC.2013.145"> <reference anchor="AR13" target="https://doi.org/10.1109/TC.2013.145">
<front> <front>
<title>Square Root Computation over Even Extension Fields</title> <title>Square Root Computation over Even Extension Fields</title>
<seriesInfo name="DOI" value="10.1109/TC.2013.145"/>
<seriesInfo name="pages" value="2829-2841"/>
<seriesInfo name="In" value="IEEE Transactions on Computers. vol 63
issue 11"/>
<author initials="G." surname="Adj" fullname="Gora Adj"> <author initials="G." surname="Adj" fullname="Gora Adj">
<organization>ISFA, Universite Claude Bernard Lyon 1, Villeurbanne , France</organization> <organization>ISFA, Universite Claude Bernard Lyon 1, Villeurbanne , France</organization>
</author> </author>
<author initials="F." surname="Rodriguez-Henriquez" fullname="Franci sco Rodriguez-Henriquez"> <author initials="F." surname="Rodríguez-Henríquez" fullname="Franci sco Rodríguez-Henríquez">
<organization>CINVESTAV-IPN, San Pedro Zacatenco, Mexico City, Mex ico.</organization> <organization>CINVESTAV-IPN, San Pedro Zacatenco, Mexico City, Mex ico.</organization>
</author> </author>
<date year="2014" month="November"/> <date year="2014" month="November"/>
</front> </front>
<refcontent>In IEEE Transactions on Computers. vol 63 issue 11, pages 2829-2841<
/refcontent>
<seriesInfo name="DOI" value="10.1109/TC.2013.145"/>
</reference> </reference>
<reference anchor="BN05" target="https://doi.org/10.1007/11693383_22"> <reference anchor="BN05" target="https://doi.org/10.1007/11693383_22">
<front> <front>
<title>Pairing-Friendly Elliptic Curves of Prime Order</title> <title>Pairing-Friendly Elliptic Curves of Prime Order</title>
<seriesInfo name="DOI" value="10.1007/11693383_22"/> <author initials="P. S. L. M." surname="Barreto" fullname="Paulo S.
<seriesInfo name="pages" value="319-331"/> L. M. Barreto">
<seriesInfo name="In" value="Selected Areas in Cryptography 2005"/>
<author initials="P." surname="Barreto" fullname="Paulo S. L. M. Bar
reto">
<organization>Escola Politecnica, Universidade de Sao Paulo, Sao P aulo, Brazil</organization> <organization>Escola Politecnica, Universidade de Sao Paulo, Sao P aulo, Brazil</organization>
</author> </author>
<author initials="M." surname="Naehrig" fullname="Michael Naehrig"> <author initials="M." surname="Naehrig" fullname="Michael Naehrig">
<organization>Lehrstuhl fur Theoretische Informationstechnik, Rhei nisch-Westfalische Technische Hochschule Aachen, Aachen, Germany</organization> <organization>Lehrstuhl fur Theoretische Informationstechnik, Rhei nisch-Westfalische Technische Hochschule Aachen, Aachen, Germany</organization>
</author> </author>
<date year="2006"/> <date year="2006"/>
</front> </front>
<refcontent>In Selected Areas in Cryptography 2005, pages 319-331</refcontent>
<seriesInfo name="DOI" value="10.1007/11693383_22"/>
</reference> </reference>
<reference anchor="AFQTZ14" target="https://doi.org/10.1007/978-3-319-13 051-4_2"> <reference anchor="AFQTZ14" target="https://doi.org/10.1007/978-3-319-13 051-4_2">
<front> <front>
<title>Binary Elligator squared</title> <title>Binary Elligator Squared</title>
<seriesInfo name="DOI" value="10.1007/978-3-319-13051-4_2"/> <author initials="D. F." surname="Aranha" fullname="Diego F. Aranha"
<seriesInfo name="pages" value="20-37"/> >
<seriesInfo name="In" value="Selected Areas in Cryptography - SAC 20
14"/>
<author initials="D.F." surname="Aranha" fullname="Diego F. Aranha">
<organization>Institute of Computing, University of Campinas</orga nization> <organization>Institute of Computing, University of Campinas</orga nization>
</author> </author>
<author initials="P.A." surname="Fouque" fullname="Pierre-Alain Fouq ue"> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou que">
<organization>Universite de Rennes 1 and Institut Universitaire de France</organization> <organization>Universite de Rennes 1 and Institut Universitaire de France</organization>
</author> </author>
<author initials="C." surname="Qian" fullname="Chen Qian"> <author initials="C." surname="Qian" fullname="Chen Qian">
<organization>ENS Rennes</organization> <organization>ENS Rennes</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<author initials="J.C." surname="Zapalowicz" fullname="Jean-Christop he Zapalowicz"> <author initials="J. C." surname="Zapalowicz" fullname="Jean-Christo phe Zapalowicz">
<organization>INRIA</organization> <organization>INRIA</organization>
</author> </author>
<date year="2014"/> <date year="2014" month="November"/>
</front> </front>
<refcontent>In Selected Areas in Cryptography - SAC 2014, pages 20-37</refconten
t>
<seriesInfo name="DOI" value="10.1007/978-3-319-13051-4_2"/>
</reference> </reference>
<reference anchor="T14" target="https://doi.org/10.1007/978-3-662-45472- 5_10"> <reference anchor="T14" target="https://doi.org/10.1007/978-3-662-45472- 5_10">
<front> <front>
<title>Elligator squared: Uniform points on elliptic curves of prime <title>Elligator Squared: Uniform Points on Elliptic Curves of Prime
order as uniform random strings</title> Order as Uniform Random Strings</title>
<seriesInfo name="DOI" value="10.1007/978-3-662-45472-5_10"/>
<seriesInfo name="pages" value="139-156"/>
<seriesInfo name="In" value="Financial Cryptography and Data Securit
y - FC 2014"/>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2014"/> <date year="2014" month="November"/>
</front> </front>
<refcontent>In Financial Cryptography and Data Security - FC 2014, pages 139-156
</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-662-45472-5_10"/>
</reference> </reference>
<reference anchor="TK17" target="https://doi.org/10.1007/s10623-016-0288 -2"> <reference anchor="TK17" target="https://doi.org/10.1007/s10623-016-0288 -2">
<front> <front>
<title>Improved elliptic curve hashing and point representation</tit le> <title>Improved elliptic curve hashing and point representation</tit le>
<seriesInfo name="DOI" value="10.1007/s10623-016-0288-2"/>
<seriesInfo name="pages" value="161-177"/>
<seriesInfo name="In" value="Designs, Codes, and Cryptography, vol 8
2"/>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<author initials="T." surname="Kim" fullname="Taechan Kim"> <author initials="T." surname="Kim" fullname="Taechan Kim">
<organization>NTT Secure Platform Laboratories</organization> <organization>NTT Secure Platform Laboratories</organization>
</author> </author>
<date year="2017"/> <date year="2017" month="January"/>
</front> </front>
<refcontent>In Designs, Codes, and Cryptography, vol 82, pages 161-177</refconte
nt>
<seriesInfo name="DOI" value="10.1007/s10623-016-0288-2"/>
</reference> </reference>
<reference anchor="BF01" target="https://doi.org/10.1007/3-540-44647-8_1 3"> <reference anchor="BF01" target="https://doi.org/10.1007/3-540-44647-8_1 3">
<front> <front>
<title>Identity-based encryption from the Weil pairing</title> <title>Identity-Based Encryption from the Weil Pairing</title>
<seriesInfo name="DOI" value="10.1007/3-540-44647-8_13"/>
<seriesInfo name="pages" value="213-229"/>
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2001"/>
<author initials="D." surname="Boneh" fullname="Dan Boneh"> <author initials="D." surname="Boneh" fullname="Dan Boneh">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="M." surname="Franklin" fullname="Matthew Franklin" > <author initials="M." surname="Franklin" fullname="Matthew Franklin" >
<organization>UC Davis</organization> <organization>UC Davis</organization>
</author> </author>
<date year="2001" month="August"/> <date year="2001" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology - CRYPTO 2001, pages 213-229</refcontent>
<seriesInfo name="DOI" value="10.1007/3-540-44647-8_13"/>
</reference> </reference>
<reference anchor="BLS01" target="https://doi.org/10.1007/s00145-004-031 4-9"> <reference anchor="BLS01" target="https://doi.org/10.1007/s00145-004-031 4-9">
<front> <front>
<title>Short signatures from the Weil pairing</title> <title>Short Signatures from the Weil Pairing</title>
<seriesInfo name="DOI" value="10.1007/s00145-004-0314-9"/>
<seriesInfo name="pages" value="297-319"/>
<seriesInfo name="In" value="Journal of Cryptology, vol 17"/>
<author initials="D." surname="Boneh" fullname="Dan Boneh"> <author initials="D." surname="Boneh" fullname="Dan Boneh">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="B." surname="Lynn" fullname="Ben Lynn"> <author initials="B." surname="Lynn" fullname="Ben Lynn">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="H." surname="Shacham" fullname="Hovav Shacham"> <author initials="H." surname="Shacham" fullname="Hovav Shacham">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<date year="2004" month="July"/> <date year="2004" month="July"/>
</front> </front>
<refcontent>In Journal of Cryptology, vol 17, pages 297-319</refcontent>
<seriesInfo name="DOI" value="10.1007/s00145-004-0314-9"/>
</reference> </reference>
<reference anchor="BLS03" target="https://doi.org/10.1007/3-540-36413-7_ 19"> <reference anchor="BLS03" target="https://doi.org/10.1007/3-540-36413-7_ 19">
<front> <front>
<title>Constructing Elliptic Curves with Prescribed Embedding Degree s</title> <title>Constructing Elliptic Curves with Prescribed Embedding Degree s</title>
<seriesInfo name="DOI" value="10.1007/3-540-36413-7_19"/> <author initials="P. S. L. M." surname="Barreto" fullname="Paulo S.
<seriesInfo name="pages" value="257-267"/> L. M. Barreto">
<seriesInfo name="In" value="Security in Communication Networks"/>
<author initials="P." surname="Barreto" fullname="Paulo S. L. M. Bar
reto">
<organization>Universidade de Sao Paulo, Brazil</organization> <organization>Universidade de Sao Paulo, Brazil</organization>
</author> </author>
<author initials="B." surname="Lynn" fullname="Ben Lynn"> <author initials="B." surname="Lynn" fullname="Ben Lynn">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="M." surname="Scott" fullname="Michael Scott"> <author initials="M." surname="Scott" fullname="Michael Scott">
<organization>Dublin City University, Ireland</organization> <organization>Dublin City University, Ireland</organization>
</author> </author>
<date year="2003"/> <date year="2002" month="September"/>
</front> </front>
<refcontent>In Security in Communication Networks, pages 257-267</refcontent>
<seriesInfo name="DOI" value="10.1007/3-540-36413-7_19"/>
</reference> </reference>
<reference anchor="BM92" target="https://doi.org/10.1109/RISP.1992.21326 9"> <reference anchor="BM92" target="https://doi.org/10.1109/RISP.1992.21326 9">
<front> <front>
<title>Encrypted key exchange: Password-based protocols secure again <title>Encrypted key exchange: password-based protocols secure again
st dictionary attacks</title> st dictionary attacks</title>
<seriesInfo name="DOI" value="10.1109/RISP.1992.213269"/> <author initials="S. M." surname="Bellovin" fullname="Steven M. Bell
<seriesInfo name="pages" value="72-84"/> ovin">
<seriesInfo name="In" value="IEEE Symposium on Security and Privacy
- Oakland 1992"/>
<author initials="S.M." surname="Bellovin" fullname="Steven M. Bello
vin">
<organization>AT&amp;T Bell Laboratories</organization> <organization>AT&amp;T Bell Laboratories</organization>
</author> </author>
<author initials="M." surname="Merritt" fullname="Michael Merritt"> <author initials="M." surname="Merritt" fullname="Michael Merritt">
<organization>AT&amp;T Bell Laboratories</organization> <organization>AT&amp;T Bell Laboratories</organization>
</author> </author>
<date year="1992"/> <date year="1992" month="May"/>
</front> </front>
<refcontent>In IEEE Symposium on Security and Privacy - Oakland 1992, pages 72-8
4</refcontent>
<seriesInfo name="DOI" value="10.1109/RISP.1992.213269"/>
</reference> </reference>
<reference anchor="BMP00" target="https://doi.org/10.1007/3-540-45539-6_ 12"> <reference anchor="BMP00" target="https://doi.org/10.1007/3-540-45539-6_ 12">
<front> <front>
<title>Provably secure password-authenticated key exchange using Dif <title>Provably Secure Password-Authenticated Key Exchange Using Dif
fie-Hellman</title> fie-Hellman</title>
<seriesInfo name="DOI" value="10.1007/3-540-45539-6_12"/>
<seriesInfo name="pages" value="156-171"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2000
"/>
<author initials="V." surname="Boyko" fullname="Victor Boyko"> <author initials="V." surname="Boyko" fullname="Victor Boyko">
<organization>MIT Laboratory for Computer Science</organization> <organization>MIT Laboratory for Computer Science</organization>
</author> </author>
<author initials="P.D." surname="MacKenzie" fullname="Philip D. MacK enzie"> <author initials="P." surname="MacKenzie" fullname="Philip D. MacKen zie">
<organization>Bell Laboratories, Lucent Technologies</organization > <organization>Bell Laboratories, Lucent Technologies</organization >
</author> </author>
<author initials="S." surname="Patel" fullname="Sarvar Patel"> <author initials="S." surname="Patel" fullname="Sarvar Patel">
<organization>Bell Laboratories, Lucent Technologies</organization > <organization>Bell Laboratories, Lucent Technologies</organization >
</author> </author>
<date year="2000" month="May"/> <date year="2000" month="May"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2000, pages 156-171</refconten
t>
<seriesInfo name="DOI" value="10.1007/3-540-45539-6_12"/>
</reference> </reference>
<reference anchor="J96" target="https://doi.org/10.1145/242896.242897"> <reference anchor="J96" target="https://doi.org/10.1145/242896.242897">
<front> <front>
<title>Strong password-only authenticated key exchange</title> <title>Strong password-only authenticated key exchange</title>
<seriesInfo name="DOI" value="10.1145/242896.242897"/> <author initials="D. P." surname="Jablon" fullname="David P. Jablon"
<seriesInfo name="pages" value="5-26"/> >
<seriesInfo name="In" value="SIGCOMM Computer Communication Review, <organization></organization>
vol 26 issue 5"/>
<author initials="D.P." surname="Jablon" fullname="David P. Jablon">
<organization>Integrity Sciences, Inc. Westboro, MA.</organization
>
</author> </author>
<date year="1996"/> <date year="1996" month="October"/>
</front> </front>
<refcontent>In SIGCOMM Computer Communication Review, vol 26 issue 5, pages 5-26
</refcontent>
<seriesInfo name="DOI" value="10.1145/242896.242897"/>
</reference> </reference>
<reference anchor="hash2curve-repo" target="https://github.com/cfrg/draf t-irtf-cfrg-hash-to-curve"> <reference anchor="hash2curve-repo" target="https://github.com/cfrg/draf t-irtf-cfrg-hash-to-curve">
<front> <front>
<title>Hashing to Elliptic Curves - GitHub repository</title> <title>Hashing to Elliptic Curves</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date year="2022" month="June"/>
</front> </front>
<refcontent>commit 664b135</refcontent>
</reference> </reference>
<reference anchor="jubjub-fq" target="https://github.com/zkcrypto/jubjub /blob/master/src/fq.rs"> <reference anchor="jubjub-fq" target="https://github.com/zkcrypto/jubjub /pull/18">
<front> <front>
<title>zkcrypto/jubjub - fq.rs</title> <title>zkcrypto/jubjub - fq.rs</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date year="2019"/> <date year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="L13" target="https://www.imperialviolet.org/2013/12/2 5/elligator.html"> <reference anchor="L13" target="https://www.imperialviolet.org/2013/12/2 5/elligator.html">
<front> <front>
<title>Implementing Elligator for Curve25519</title> <title>Implementing Elligator for Curve25519</title>
<author initials="A." surname="Langley" fullname="Adam Langley"> <author initials="A." surname="Langley" fullname="Adam Langley">
<organization/> <organization/>
</author> </author>
<date year="2013"/> <date year="2013" month="December"/>
</front> </front>
</reference> </reference>
<reference anchor="SBCDK09" target="https://doi.org/10.1007/978-3-642-03 298-1_8"> <reference anchor="SBCDK09" target="https://doi.org/10.1007/978-3-642-03 298-1_8">
<front> <front>
<title>Fast Hashing to G2 on Pairing-Friendly Curves</title> <title>Fast Hashing to G2 on Pairing-Friendly Curves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-03298-1_8"/>
<seriesInfo name="pages" value="102-113"/>
<seriesInfo name="In" value="Pairing-Based Cryptography - Pairing 20
09"/>
<author initials="M." surname="Scott" fullname="Michael Scott"> <author initials="M." surname="Scott" fullname="Michael Scott">
<organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization>
</author> </author>
<author initials="N." surname="Benger" fullname="Naomi Benger"> <author initials="N." surname="Benger" fullname="Naomi Benger">
<organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization>
</author> </author>
<author initials="M." surname="Charlemagne" fullname="Manuel Charlem agne"> <author initials="M." surname="Charlemagne" fullname="Manuel Charlem agne">
<organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization>
</author> </author>
<author initials="L.J." surname="Dominguez Perez" fullname="Luis J. Dominguez Perez"> <author initials="L. J." surname="Dominguez Perez" fullname="Luis J. Dominguez Perez">
<organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization>
</author> </author>
<author initials="E.J." surname="Kachisa" fullname="Ezekiel J. Kachi sa"> <author initials="E. J." surname="Kachisa" fullname="Ezekiel J. Kach isa">
<organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization> <organization>School of Computing Dublin City University, Ballymun . Dublin, Ireland.</organization>
</author> </author>
<date year="2009"/> <date year="2009" month="August"/>
</front> </front>
<refcontent>In Pairing-Based Cryptography - Pairing 2009, pages 102-113</refcont
ent>
<seriesInfo name="DOI" value="10.1007/978-3-642-03298-1_8"/>
</reference> </reference>
<reference anchor="FKR11" target="https://doi.org/10.1007/978-3-642-2849 6-0_25"> <reference anchor="FKR11" target="https://doi.org/10.1007/978-3-642-2849 6-0_25">
<front> <front>
<title>Fast Hashing to G2 on Pairing-Friendly Curves</title> <title>Faster Hashing to G2</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-28496-0_25"/> <author initials="L." surname="Fuentes-Castañeda" fullname="Laura Fu
<seriesInfo name="pages" value="412-430"/> entes-Castañeda">
<seriesInfo name="In" value="Selected Areas in Cryptography"/>
<author initials="L." surname="Fuentes-Castaneda" fullname="Laura Fu
entes-Castaneda">
<organization>Computer Science Department, CINVESTAV-IPN. Mexico</ organization> <organization>Computer Science Department, CINVESTAV-IPN. Mexico</ organization>
</author> </author>
<author initials="E." surname="Knapp" fullname="Edward Knapp"> <author initials="E." surname="Knapp" fullname="Edward Knapp">
<organization>Dept. Combinatorics &amp; Optimization, University o f Waterloo, Canada</organization> <organization>Dept. Combinatorics &amp; Optimization, University o f Waterloo, Canada</organization>
</author> </author>
<author initials="F." surname="Rodriguez-Henriquez" fullname="Franci sco Rodriguez-Henriquez"> <author initials="F." surname="Rodriguez-Henriquez" fullname="Franci sco Rodriguez-Henriquez">
<organization>Computer Science Department, CINVESTAV-IPN. Mexico</ organization> <organization>Computer Science Department, CINVESTAV-IPN. Mexico</ organization>
</author> </author>
<date year="2011"/> <date year="2011" month="August"/>
</front> </front>
<refcontent>In Selected Areas in Cryptography, pages 412-430</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-28496-0_25"/>
</reference> </reference>
<reference anchor="BP17" target="https://eprint.iacr.org/2017/419"> <reference anchor="BP17" target="https://eprint.iacr.org/2017/419">
<front> <front>
<title>Efficient hash maps to G2 on BLS curves</title> <title>Efficient hash maps to \mathbb{G}_2 on BLS curves</title>
<seriesInfo name="ePrint" value="2017/419"/>
<author initials="A." surname="Budroni" fullname="Alessandro Budroni "> <author initials="A." surname="Budroni" fullname="Alessandro Budroni ">
<organization>University of Bergen, Norway and MIRACL Labs, London , England</organization> <organization>University of Bergen, Norway and MIRACL Labs, London , England</organization>
</author> </author>
<author initials="F." surname="Pintore" fullname="Federico Pintore"> <author initials="F." surname="Pintore" fullname="Federico Pintore">
<organization>University of Trento, Italy</organization> <organization>University of Trento, Italy</organization>
</author> </author>
<date year="2017" month="May"/> <date year="2017" month="May"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2017/419</refcontent>
</reference> </reference>
<reference anchor="BHKL13" target="https://doi.org/10.1145/2508859.25167 34"> <reference anchor="BHKL13" target="https://doi.org/10.1145/2508859.25167 34">
<front> <front>
<title>Elligator: elliptic-curve points indistinguishable from unifo rm random strings</title> <title>Elligator: elliptic-curve points indistinguishable from unifo rm random strings</title>
<seriesInfo name="DOI" value="10.1145/2508859.2516734"/> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Ber
<seriesInfo name="pages" value="967-980"/> nstein">
<seriesInfo name="In" value="Proceedings of the 2013 ACM SIGSAC Conf
erence on Computer and Communications Security"/>
<author initials="D.J." surname="Bernstein" fullname="Daniel J. Bern
stein">
<organization>Department of Computer Science, University of Illino is at Chicago, USA</organization> <organization>Department of Computer Science, University of Illino is at Chicago, USA</organization>
</author> </author>
<author initials="M." surname="Hamburg" fullname="Mike Hamburg"> <author initials="M." surname="Hamburg" fullname="Mike Hamburg">
<organization>Cryptography Research, a division of Rambus, USA</or ganization> <organization>Cryptography Research, a division of Rambus, USA</or ganization>
</author> </author>
<author initials="A." surname="Krasnova" fullname="Anna Krasnova"> <author initials="A." surname="Krasnova" fullname="Anna Krasnova">
<organization>Privacy &amp; Identity lab, Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands</organiza tion> <organization>Privacy &amp; Identity lab, Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands</organiza tion>
</author> </author>
<author initials="T." surname="Lange" fullname="Tanja Lange"> <author initials="T." surname="Lange" fullname="Tanja Lange">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<date year="2013" month="November"/> <date year="2013" month="November"/>
</front> </front>
<refcontent>In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Com
munications Security, pages 967-980</refcontent>
<seriesInfo name="DOI" value="10.1145/2508859.2516734"/>
</reference> </reference>
<reference anchor="BLMP19" target="https://doi.org/10.1007/978-3-030-176
56-3"> <reference anchor="BLMP19" target="https://doi.org/10.1007/978-3-030-176
56-3_15">
<front> <front>
<title>Quantum circuits for the CSIDH: optimizing quantum evaluation <title>Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation
of isogenies</title> of Isogenies</title>
<seriesInfo name="DOI" value="10.1007/978-3-030-17656-3"/> <author initials="D. J." surname="Bernstein" fullname="Daniel J. Ber
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2019 nstein">
"/>
<author initials="D.J." surname="Bernstein" fullname="Daniel J. Bern
stein">
<organization>Department of Computer Science, University of Illino is at Chicago, USA</organization> <organization>Department of Computer Science, University of Illino is at Chicago, USA</organization>
</author> </author>
<author initials="T." surname="Lange" fullname="Tanja Lange"> <author initials="T." surname="Lange" fullname="Tanja Lange">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="C." surname="Martindale" fullname="Chloe Martindal e"> <author initials="C." surname="Martindale" fullname="Chloe Martindal e">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<author initials="L." surname="Panny" fullname="Lorenz Panny"> <author initials="L." surname="Panny" fullname="Lorenz Panny">
<organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization> <organization>Department of Mathematics and Computer Science, Tech nische Universiteit Eindhoven, The Netherlands</organization>
</author> </author>
<date year="2019"/> <date year="2019" month="May"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2019, pages 409-441</refconten
t>
<seriesInfo name="DOI" value="10.1007/978-3-030-17656-3"/>
</reference> </reference>
<reference anchor="SS04" target="https://doi.org/10.4064/ba52-3-1"> <reference anchor="SS04" target="https://doi.org/10.4064/ba52-3-1">
<front> <front>
<title>On equations y^2 = x^n + k in a finite field.</title> <title>On equations y^2 = x^n + k in a finite field</title>
<seriesInfo name="DOI" value="10.4064/ba52-3-1"/>
<seriesInfo name="pages" value="223-226"/>
<seriesInfo name="In" value="Bulletin Polish Acad. Sci. Math. vol 52
, no 3"/>
<author initials="A." surname="Schinzel" fullname="Andrzej Schinzel" > <author initials="A." surname="Schinzel" fullname="Andrzej Schinzel" >
<organization>Department of Mathemetics, University of Warsaw</org anization> <organization>Department of Mathemetics, University of Warsaw</org anization>
</author> </author>
<author initials="M." surname="Skalba" fullname="Mariusz Skalba"> <author initials="M." surname="Skałba" fullname="Mariusz Skałba">
<organization>Department of Mathematics, University of Warsaw</org anization> <organization>Department of Mathematics, University of Warsaw</org anization>
</author> </author>
<date year="2004"/> <date year="2004"/>
</front> </front>
<refcontent>In Bulletin Polish Academy of Sciences. Mathematics, vol 52 no 3, pa
ges 223-226</refcontent>
<seriesInfo name="DOI" value="10.4064/ba52-3-1"/>
</reference> </reference>
<reference anchor="S05" target="https://doi.org/10.4064/aa117-3-7"> <reference anchor="S05" target="https://doi.org/10.4064/aa117-3-7">
<front> <front>
<title>Points on elliptic curves over finite fields</title> <title>Points on elliptic curves over finite fields</title>
<seriesInfo name="DOI" value="10.4064/aa117-3-7"/> <author initials="M." surname="Skałba" fullname="Mariusz Skałba">
<seriesInfo name="pages" value="293-301"/>
<seriesInfo name="In" value="Acta Arithmetica, vol 117 no 3"/>
<author initials="M." surname="Skalba" fullname="Mariusz Skalba">
<organization>Department of Mathematics, University of Warsaw</org anization> <organization>Department of Mathematics, University of Warsaw</org anization>
</author> </author>
<date year="2005"/> <date year="2005"/>
</front> </front>
<refcontent>In Acta Arithmetica, vol 117 no 3, pages 293-301</refcontent>
<seriesInfo name="DOI" value="10.4064/aa117-3-7"/>
</reference> </reference>
<reference anchor="SW06" target="https://doi.org/10.1007/11792086_36"> <reference anchor="SW06" target="https://doi.org/10.1007/11792086_36">
<front> <front>
<title>Construction of rational points on elliptic curves over finit <title>Construction of Rational Points on Elliptic Curves over Finit
e fields</title> e Fields</title>
<seriesInfo name="DOI" value="10.1007/11792086_36"/>
<seriesInfo name="pages" value="510-524"/>
<seriesInfo name="In" value="Algorithmic Number Theory. ANTS 2006."/
>
<author initials="A." surname="Shallue" fullname="Andrew Shallue"> <author initials="A." surname="Shallue" fullname="Andrew Shallue">
<organization>Mathematics Department, University of Wisconsin-Madi son. Madison, USA.</organization> <organization>Mathematics Department, University of Wisconsin-Madi son. Madison, USA.</organization>
</author> </author>
<author initials="C." surname="van de Woestijne" fullname="Christiaa n van de Woestijne"> <author initials="C. E." surname="van de Woestijne" fullname="Christ iaan van de Woestijne">
<organization>Mathematisch Instituut, Universiteit Leiden. Leiden, The Netherlands.</organization> <organization>Mathematisch Instituut, Universiteit Leiden. Leiden, The Netherlands.</organization>
</author> </author>
<date year="2006"/> <date year="2006" month="July"/>
</front> </front>
<refcontent>In Algorithmic Number Theory - ANTS 2006, pages 510-524</refcontent>
<seriesInfo name="DOI" value="10.1007/11792086_36"/>
</reference> </reference>
<reference anchor="U07" target="https://doi.org/10.4064/ba55-2-1"> <reference anchor="U07" target="https://doi.org/10.4064/ba55-2-1">
<front> <front>
<title>Rational points on certain hyperelliptic curves over finite f <title>Rational Points on Certain Hyperelliptic Curves over Finite F
ields</title> ields</title>
<seriesInfo name="DOI" value="10.4064/ba55-2-1"/>
<seriesInfo name="pages" value="97-104"/>
<seriesInfo name="In" value="Bulletin Polish Acad. Sci. Math. vol 55
, no 2"/>
<author initials="M." surname="Ulas" fullname="Maciej Ulas"> <author initials="M." surname="Ulas" fullname="Maciej Ulas">
<organization>Institute of Mathematics, Jagiellonian University. P oland</organization> <organization>Institute of Mathematics, Jagiellonian University. P oland</organization>
</author> </author>
<date year="2007"/> <date year="2007" month="July"/>
</front> </front>
<refcontent>In Bulletin Polish Academy of Science. Mathematics, vol 55 no 2, pag
es 97-104</refcontent>
<seriesInfo name="DOI" value="10.4064/ba55-2-1"/>
</reference> </reference>
<reference anchor="BCIMRT10" target="https://doi.org/10.1007/978-3-642-1 4623-7_13"> <reference anchor="BCIMRT10" target="https://doi.org/10.1007/978-3-642-1 4623-7_13">
<front> <front>
<title>Efficient Indifferentiable Hashing into Ordinary Elliptic Cur ves</title> <title>Efficient Indifferentiable Hashing into Ordinary Elliptic Cur ves</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_13"/>
<seriesInfo name="pages" value="237-254"/>
<seriesInfo name="In" value="Advances in Cryptology - CRYPTO 2010"/>
<author initials="E." surname="Brier" fullname="Eric Brier"> <author initials="E." surname="Brier" fullname="Eric Brier">
<organization>Ingenico</organization> <organization>Ingenico</organization>
</author> </author>
<author initials="J-S." surname="Coron" fullname="Jean-Sebastien Cor on"> <author initials="J.-S." surname="Coron" fullname="Jean-Sebastien Co ron">
<organization>Universite du Luxembourg</organization> <organization>Universite du Luxembourg</organization>
</author> </author>
<author initials="T." surname="Icart" fullname="Thomas Icart"> <author initials="T." surname="Icart" fullname="Thomas Icart">
<organization>Universite du Luxembourg</organization> <organization>Universite du Luxembourg</organization>
</author> </author>
<author initials="D." surname="Madore" fullname="David Madore"> <author initials="D." surname="Madore" fullname="David Madore">
<organization>TELECOM-ParisTech</organization> <organization>TELECOM-ParisTech</organization>
</author> </author>
<author initials="H." surname="Randriam" fullname="Hugues Randriam"> <author initials="H." surname="Randriam" fullname="Hugues Randriam">
<organization>TELECOM-ParisTech</organization> <organization>TELECOM-ParisTech</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>Universite du Luxembourg, Ecole normale superieure</ organization> <organization>Universite du Luxembourg, Ecole normale superieure</ organization>
</author> </author>
<date year="2010"/> <date year="2010" month="August"/>
</front> </front>
<refcontent>In Advances in Cryptology - CRYPTO 2010, pages 237-254</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_13"/>
</reference> </reference>
<reference anchor="W08" target="https://www.crcpress.com/9781420071467"> <reference anchor="W08" target="https://www.crcpress.com/9781420071467">
<front> <front>
<title>Elliptic curves: Number theory and cryptography</title> <title>Elliptic Curves: Number Theory and Cryptography, Second Editi
<seriesInfo name="ISBN" value="9781420071467"/> on</title>
<seriesInfo name="publisher" value="Chapman and Hall / CRC"/> <author initials="L. C." surname="Washington" fullname="Lawrence C.
<seriesInfo name="edition" value="2nd"/> Washington">
<author initials="L.C." surname="Washington" fullname="Lawrence C. W
ashington">
<organization/> <organization/>
</author> </author>
<date year="2008"/> <date year="2008" month="April"/>
</front> </front>
<refcontent>Chapman and Hall / CRC</refcontent>
<seriesInfo name="ISBN" value="9781420071467"/>
</reference> </reference>
<reference anchor="C93" target="https://doi.org/10.1007/978-3-662-02945- 9"> <reference anchor="C93" target="https://doi.org/10.1007/978-3-662-02945- 9">
<front> <front>
<title>A Course in Computational Algebraic Number Theory</title> <title>A Course in Computational Algebraic Number Theory</title>
<seriesInfo name="ISBN" value="9783642081422"/>
<seriesInfo name="publisher" value="Springer-Verlag"/>
<author initials="H." surname="Cohen" fullname="Henri Cohen"> <author initials="H." surname="Cohen" fullname="Henri Cohen">
<organization/> <organization/>
</author> </author>
<date year="1993"/> <date year="1993"/>
</front> </front>
<refcontent>Springer-Verlag</refcontent>
<seriesInfo name="ISBN" value="9783642081422"/>
<seriesInfo name="DOI" value="10.1007/978-3-662-02945-9"/>
</reference> </reference>
<reference anchor="CFADLNV05" target="https://www.crcpress.com/978158488 5184"> <reference anchor="CFADLNV05" target="https://www.crcpress.com/978158488 5184">
<front> <front>
<title>Handbook of Elliptic and Hyperelliptic Curve Cryptography</ti tle> <title>Handbook of Elliptic and Hyperelliptic Curve Cryptography</ti tle>
<seriesInfo name="ISBN" value="9781584885184"/>
<seriesInfo name="publisher" value="Chapman and Hall / CRC"/>
<author initials="H." surname="Cohen" fullname="Henri Cohen"> <author initials="H." surname="Cohen" fullname="Henri Cohen">
<organization/> <organization/>
</author> </author>
<author initials="G." surname="Frey" fullname="Gerhard Frey"> <author initials="G." surname="Frey" fullname="Gerhard Frey">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Avanzi" fullname="Roberto Avanzi"> <author initials="R." surname="Avanzi" fullname="Roberto Avanzi">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Doche" fullname="Christophe Doche"> <author initials="C." surname="Doche" fullname="Christophe Doche">
skipping to change at line 3042 skipping to change at line 2932
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Nguyen" fullname="Kim Nguyen"> <author initials="K." surname="Nguyen" fullname="Kim Nguyen">
<organization/> <organization/>
</author> </author>
<author initials="F." surname="Vercauteren" fullname="Frederik Verca uteren"> <author initials="F." surname="Vercauteren" fullname="Frederik Verca uteren">
<organization/> <organization/>
</author> </author>
<date year="2005"/> <date year="2005"/>
</front> </front>
<refcontent>Chapman and Hall / CRC</refcontent>
<seriesInfo name="ISBN" value="9781584885184"/>
</reference> </reference>
<reference anchor="MOV96" target="http://cacr.uwaterloo.ca/hac/"> <reference anchor="MOV96" target="http://cacr.uwaterloo.ca/hac/">
<front> <front>
<title>Handbook of Applied Cryptography</title> <title>Handbook of Applied Cryptography</title>
<seriesInfo name="ISBN" value="9780849385230"/> <author initials="A. J." surname="Menezes" fullname="Alfred J. Menez
<seriesInfo name="publisher" value="CRC Press"/> es">
<author initials="A.J." surname="Menezes" fullname="Alfred J. Meneze
s">
<organization/> <organization/>
</author> </author>
<author initials="P.C." surname="van Oorschot" fullname="Paul C. van Oorschot"> <author initials="P. C." surname="van Oorschot" fullname="Paul C. va n Oorschot">
<organization/> <organization/>
</author> </author>
<author initials="S.A." surname="Vanstone" fullname="Scott A. Vansto ne"> <author initials="S. A." surname="Vanstone" fullname="Scott A. Vanst one">
<organization/> <organization/>
</author> </author>
<date year="1996"/> <date year="1996" month="October"/>
</front> </front>
<refcontent>CRC Press</refcontent>
<seriesInfo name="ISBN" value="9780849385230"/>
</reference> </reference>
<reference anchor="WB19" target="https://eprint.iacr.org/2019/403"> <reference anchor="WB19" target="https://eprint.iacr.org/2019/403">
<front> <front>
<title>Fast and simple constant-time hashing to the BLS12-381 ellipt ic curve</title> <title>Fast and simple constant-time hashing to the BLS12-381 ellipt ic curve</title>
<seriesInfo name="ePrint" value="2019/403"/> <author initials="R. S." surname="Wahby" fullname="Riad S. Wahby">
<seriesInfo name="DOI" value="10.13154/tches.v2019.i4.154-179"/>
<seriesInfo name="issue" value="4"/>
<seriesInfo name="volume" value="2019"/>
<seriesInfo name="In" value="IACR Trans. CHES"/>
<author initials="R.S." surname="Wahby" fullname="Riad S. Wahby">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<author initials="D." surname="Boneh" fullname="Dan Boneh"> <author initials="D." surname="Boneh" fullname="Dan Boneh">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<date year="2019" month="August"/> <date year="2019" month="August"/>
</front> </front>
<refcontent>In IACR Transactions on Cryptographic Hardware and Embedded Systems,
vol 2019 issue 4</refcontent>
<refcontent>Cryptology ePrint Archive, Paper 2019/403</refcontent>
<seriesInfo name="DOI" value="10.13154/tches.v2019.i4.154-179"/>
</reference> </reference>
<reference anchor="FFSTV13" target="https://doi.org/10.1090/S0025-5718-2 012-02606-8"> <reference anchor="FFSTV13" target="https://doi.org/10.1090/S0025-5718-2 012-02606-8">
<front> <front>
<title>Indifferentiable deterministic hashing to elliptic and hypere lliptic curves</title> <title>Indifferentiable deterministic hashing to elliptic and hypere lliptic curves</title>
<seriesInfo name="DOI" value="10.1090/S0025-5718-2012-02606-8"/> <author initials="R. R." surname="Farashahi" fullname="Reza R. Faras
<seriesInfo name="pages" value="491-512"/> hahi">
<seriesInfo name="In" value="Math. Comp. vol 82"/>
<author initials="R.R." surname="Farashahi" fullname="Reza R. Farash
ahi">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="P.A." surname="Fouque" fullname="Pierre-Alain Fouq ue"> <author initials="P.-A." surname="Fouque" fullname="Pierre-Alain Fou que">
<organization>Ecole normale superieure</organization> <organization>Ecole normale superieure</organization>
</author> </author>
<author initials="I.E." surname="Shparlinski" fullname="Igor E. Shpa rlinski"> <author initials="I. E." surname="Shparlinski" fullname="Igor E. Shp arlinski">
<organization>Macquarie Universit</organization> <organization>Macquarie Universit</organization>
</author> </author>
<author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi"> <author initials="M." surname="Tibouchi" fullname="Mehdi Tibouchi">
<organization>Ecole normale superieure</organization> <organization>Ecole normale superieure</organization>
</author> </author>
<author initials="J.F." surname="Voloch" fullname="J. Felipe Voloch" > <author initials="J. F." surname="Voloch" fullname="J. Felipe Voloch ">
<organization>University of Texas</organization> <organization>University of Texas</organization>
</author> </author>
<date year="2013"/> <date year="2013"/>
</front> </front>
<refcontent>In Mathematics of Computation. vol 82, pages 491-512</refcontent>
<seriesInfo name="DOI" value="10.1090/S0025-5718-2012-02606-8"/>
</reference> </reference>
<reference anchor="MRH04" target="https://doi.org/10.1007/978-3-540-2463 8-1_2"> <reference anchor="MRH04" target="https://doi.org/10.1007/978-3-540-2463 8-1_2">
<front> <front>
<title>Indifferentiability, impossibility results on reductions, and <title>Indifferentiability, Impossibility Results on Reductions, and
applications to the random oracle methodology</title> Applications to the Random Oracle Methodology</title>
<seriesInfo name="DOI" value="10.1007/978-3-540-24638-1_2"/>
<seriesInfo name="pages" value="21-39"/>
<seriesInfo name="In" value="TCC 2004: Theory of Cryptography"/>
<author initials="U." surname="Maurer" fullname="Ueli Maurer"> <author initials="U." surname="Maurer" fullname="Ueli Maurer">
<organization>ETH Zurich</organization> <organization>ETH Zurich</organization>
</author> </author>
<author initials="R." surname="Renner" fullname="Renato Renner"> <author initials="R." surname="Renner" fullname="Renato Renner">
<organization>ETH Zurich</organization> <organization>ETH Zurich</organization>
</author> </author>
<author initials="C." surname="Holenstein" fullname="Clemens Holenst ein"> <author initials="C." surname="Holenstein" fullname="Clemens Holenst ein">
<organization>ETH Zurich</organization> <organization>ETH Zurich</organization>
</author> </author>
<date year="2004" month="February"/> <date year="2004" month="February"/>
</front> </front>
<refcontent>In TCC 2004: Theory of Cryptography, pages 21-39</refcontent>
<seriesInfo name="DOI" value="10.1007/978-3-540-24638-1_2"/>
</reference> </reference>
<reference anchor="MRV99" target="https://doi.org/10.1109/SFFCS.1999.814 584"> <reference anchor="MRV99" target="https://doi.org/10.1109/SFFCS.1999.814 584">
<front> <front>
<title>Verifiable Random Functions</title> <title>Verifiable random functions</title>
<seriesInfo name="DOI" value="10.1109/SFFCS.1999.814584"/>
<seriesInfo name="In" value="Symposium on the Foundations of Compute
r Science"/>
<author initials="S." surname="Micali" fullname="Silvio Micali"> <author initials="S." surname="Micali" fullname="Silvio Micali">
<organization>MIT Laboratory for Computer Science</organization> <organization>MIT Laboratory for Computer Science</organization>
</author> </author>
<author initials="M." surname="Rabin" fullname="Michael Rabin"> <author initials="M." surname="Rabin" fullname="Michael Rabin">
<organization>Harvard University Department of Applied Science</or ganization> <organization>Harvard University Department of Applied Science</or ganization>
</author> </author>
<author initials="S." surname="Vadhan" fullname="Salil Vadhan"> <author initials="S." surname="Vadhan" fullname="Salil Vadhan">
<organization>MIT Laboratory for Computer Science</organization> <organization>MIT Laboratory for Computer Science</organization>
</author> </author>
<date year="1999" month="October"/> <date year="1999" month="October"/>
</front> </front>
<refcontent>40th Annual Symposium on Foundations of Computer Science (Cat. No.99
CB37039), pages 120-130</refcontent>
<seriesInfo name="DOI" value="10.1109/SFFCS.1999.814584"/>
</reference> </reference>
<reference anchor="NR97" target="https://doi.org/10.1109/SFCS.1997.64613 4"> <reference anchor="NR97" target="https://doi.org/10.1109/SFCS.1997.64613 4">
<front> <front>
<title>Number-theoretic constructions of efficient pseudo-random fun ctions</title> <title>Number-theoretic constructions of efficient pseudo-random fun ctions</title>
<seriesInfo name="DOI" value="10.1109/SFCS.1997.646134"/>
<seriesInfo name="In" value="Symposium on the Foundations of Compute
r Science"/>
<author initials="M." surname="Naor" fullname="Moni Naor"> <author initials="M." surname="Naor" fullname="Moni Naor">
<organization>Weizmann Institute</organization> <organization>Weizmann Institute</organization>
</author> </author>
<author initials="O." surname="Reingold" fullname="Omer Reingold"> <author initials="O." surname="Reingold" fullname="Omer Reingold">
<organization>Weizmann Institute</organization> <organization>Weizmann Institute</organization>
</author> </author>
<date year="1997" month="October"/> <date year="1997" month="October"/>
</front> </front>
<refcontent>In Proceedings 38th Annual Symposium on Foundations of Computer Scie
nce, pages 458-467</refcontent>
<seriesInfo name="DOI" value="10.1109/SFCS.1997.646134"/>
</reference> </reference>
<reference anchor="S85" target="https://doi.org/10.1090/S0025-5718-1985- 0777280-6"> <reference anchor="S85" target="https://doi.org/10.1090/S0025-5718-1985- 0777280-6">
<front> <front>
<title>Elliptic Curves Over Finite Fields and the Computation of Squ <title>Elliptic curves over finite fields and the computation of squ
are Roots mod p</title> are roots mod p</title>
<seriesInfo name="DOI" value="10.1090/S0025-5718-1985-0777280-6"/>
<seriesInfo name="pages" value="483-494"/>
<seriesInfo name="In" value="Mathematics of Computation vol 44 issue
170"/>
<author initials="R." surname="Schoof" fullname="Rene Schoof"> <author initials="R." surname="Schoof" fullname="Rene Schoof">
<organization/> <organization/>
</author> </author>
<date year="1985" month="April"/> <date year="1985" month="April"/>
</front> </front>
<refcontent>In Mathematics of Computation, vol 44 issue 170, pages 483-494</refc
ontent>
<seriesInfo name="DOI" value="10.1090/S0025-5718-1985-0777280-6"/>
</reference> </reference>
<reference anchor="SAGE" target="https://www.sagemath.org"> <reference anchor="SAGE" target="https://www.sagemath.org">
<front> <front>
<title>SageMath, the Sage Mathematics Software System</title> <title>SageMath, the Sage Mathematics Software System</title>
<author> <author>
<organization>The Sage Developers</organization> <organization>The Sage Developers</organization>
</author> </author>
<date year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="LBB19" target="https://hal.inria.fr/hal-02100345/"> <reference anchor="LBB19" target="https://hal.inria.fr/hal-02100345/">
<front> <front>
<title>A Mechanised Proof of the WireGuard Virtual Private Network P <title>A Mechanised Cryptographic Proof of the WireGuard Virtual Pri
rotocol</title> vate Network Protocol</title>
<seriesInfo name="In" value="INRIA Research Report No. 9269"/>
<author initials="B." surname="Lipp" fullname="Benjamin Lipp"> <author initials="B." surname="Lipp" fullname="Benjamin Lipp">
<organization>INRIA Paris</organization> <organization>INRIA Paris</organization>
</author> </author>
<author initials="B." surname="Blanchet" fullname="Bruno Blanchet"> <author initials="B." surname="Blanchet" fullname="Bruno Blanchet">
<organization>INRIA Paris</organization> <organization>INRIA Paris</organization>
</author> </author>
<author initials="K." surname="Bhargavan" fullname="Karthikeyan Bhar gavan"> <author initials="K." surname="Bhargavan" fullname="Karthikeyan Bhar gavan">
<organization>INRIA Paris</organization> <organization>INRIA Paris</organization>
</author> </author>
<date year="2019" month="April"/> <date year="2019" month="April"/>
</front> </front>
<refcontent>In INRIA Research Report 9269</refcontent>
</reference> </reference>
<reference anchor="RCB16" target="https://doi.org/10.1007/978-3-662-4989 0-3_16"> <reference anchor="RCB16" target="https://doi.org/10.1007/978-3-662-4989 0-3_16">
<front> <front>
<title>Complete addition formulas for prime order elliptic curves</t <title>Complete Addition Formulas for Prime Order Elliptic Curves</t
itle> itle>
<seriesInfo name="DOI" value="10.1007/978-3-662-49890-3_16"/>
<seriesInfo name="pages" value="403-428"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2016
"/>
<author initials="J." surname="Renes" fullname="Joost Renes"> <author initials="J." surname="Renes" fullname="Joost Renes">
<organization>Radboud University</organization> <organization>Radboud University</organization>
</author> </author>
<author initials="C." surname="Costello" fullname="Craig Costello"> <author initials="C." surname="Costello" fullname="Craig Costello">
<organization>Microsoft Research</organization> <organization>Microsoft Research</organization>
</author> </author>
<author initials="L." surname="Batina" fullname="Lejla Batina"> <author initials="L." surname="Batina" fullname="Lejla Batina">
<organization>Radboud University</organization> <organization>Radboud University</organization>
</author> </author>
<date year="2016" month="May"/> <date year="2016" month="April"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2016, pages 403-428</refconten
t>
<seriesInfo name="DOI" value="10.1007/978-3-662-49890-3_16"/>
</reference> </reference>
<reference anchor="RSS11" target="https://doi.org/10.1007/978-3-642-2046 5-4_27"> <reference anchor="RSS11" target="https://doi.org/10.1007/978-3-642-2046 5-4_27">
<front> <front>
<title>Careful with Composition: Limitations of the Indifferentiabil ity Framework</title> <title>Careful with Composition: Limitations of the Indifferentiabil ity Framework</title>
<seriesInfo name="DOI" value="10.1007/978-3-642-20465-4_27"/>
<seriesInfo name="pages" value="487-506"/>
<seriesInfo name="In" value="Advances in Cryptology - EUROCRYPT 2011
"/>
<author initials="T." surname="Ristenpart" fullname="Thomas Ristenpa rt"> <author initials="T." surname="Ristenpart" fullname="Thomas Ristenpa rt">
<organization>University of Wisconsin-Madison</organization> <organization>University of Wisconsin-Madison</organization>
</author> </author>
<author initials="H." surname="Shacham" fullname="Hovav Shacham"> <author initials="H." surname="Shacham" fullname="Hovav Shacham">
<organization>UC San Diego</organization> <organization>UC San Diego</organization>
</author> </author>
<author initials="T." surname="Shrimpton" fullname="Thomas Shrimpton "> <author initials="T." surname="Shrimpton" fullname="Thomas Shrimpton ">
<organization>Portland State University</organization> <organization>Portland State University</organization>
</author> </author>
<date year="2011" month="May"/> <date year="2011" month="May"/>
</front> </front>
<refcontent>In Advances in Cryptology - EUROCRYPT 2011, pages 487–506</refconten
t>
<seriesInfo name="DOI" value="10.1007/978-3-642-20465-4_27"/>
</reference> </reference>
<reference anchor="W19" target="https://github.com/cfrg/draft-irtf-cfrg-
hash-to-curve/raw/master/doc/svdw_params.pdf"> <reference anchor="W19" target="https://github.com/cfrg/draft-irtf-cfrg-
hash-to-curve/blob/draft-irtf-cfrg-hash-to-curve-14/doc/svdw_params.pdf">
<front> <front>
<title>An explicit, generic parameterization for the Shallue--van de Woestijne map</title> <title>An explicit, generic parameterization for the Shallue--van de Woestijne map</title>
<author initials="R.S." surname="Wahby" fullname="Riad S. Wahby"> <author initials="R. S." surname="Wahby" fullname="Riad S. Wahby">
<organization>Stanford University</organization> <organization>Stanford University</organization>
</author> </author>
<date year="2019"/> <date month="March" year="2020"/>
</front> </front>
<refcontent>commit e2a625f</refcontent>
</reference> </reference>
<reference anchor="p1363.2" target="https://standards.ieee.org/standard/ 1363_2-2008.html"> <reference anchor="p1363.2" target="https://standards.ieee.org/standard/ 1363_2-2008.html">
<front> <front>
<title>IEEE Standard Specification for Password-Based Public-Key Cry ptography Techniques</title> <title>IEEE Standard Specification for Password-Based Public-Key Cry ptography Techniques</title>
<author> <author>
<organization>IEEE Computer Society</organization> <organization>IEEE</organization>
</author> </author>
<date year="2008" month="September"/> <date year="2008" month="September"/>
</front> </front>
<seriesInfo name="IEEE" value="1363.2-2008"/>
</reference> </reference>
<reference anchor="p1363a" target="https://standards.ieee.org/standard/1 363a-2004.html"> <reference anchor="p1363a" target="https://standards.ieee.org/standard/1 363a-2004.html">
<front> <front>
<title>IEEE Standard Specifications for Public-Key Cryptography---Am endment 1: Additional Techniques</title> <title>IEEE Standard Specifications for Public-Key Cryptography - Am endment 1: Additional Techniques</title>
<author> <author>
<organization>IEEE Computer Society</organization> <organization>IEEE</organization>
</author> </author>
<date year="2004" month="March"/> <date year="2004" month="March"/>
</front> </front>
<seriesInfo name="IEEE" value="1363a-2004"/>
</reference> </reference>
<reference anchor="MT98" target="https://doi.org/10.1145/272991.272995"> <reference anchor="MT98" target="https://doi.org/10.1145/272991.272995">
<front> <front>
<title>Mersenne twister: A 623-dimensionally equidistributed uniform pseudo-random number generator</title> <title>Mersenne twister: A 623-dimensionally equidistributed uniform pseudo-random number generator</title>
<seriesInfo name="DOI" value="10.1145/272991.272995"/>
<seriesInfo name="pages" value="3-30"/>
<seriesInfo name="In" value="ACM Transactions on Modeling and Comput
er Simulation (TOMACS), Volume 8, Issue 1"/>
<author initials="M." surname="Matsumoto"> <author initials="M." surname="Matsumoto">
<organization/> <organization/>
</author> </author>
<author initials="T." surname="Nishimura"> <author initials="T." surname="Nishimura">
<organization/> <organization/>
</author> </author>
<date year="1998" month="January"/> <date year="1998" month="January"/>
</front> </front>
<refcontent>In ACM Transactions on Modeling and Computer Simulation (TOMACS), vo
l 8 issue 1, pages 3-30</refcontent>
<seriesInfo name="DOI" value="10.1145/272991.272995"/>
</reference> </reference>
<reference anchor="P20" target="https://eprint.iacr.org/2020/009"> <reference anchor="P20" target="https://eprint.iacr.org/2020/009">
<front> <front>
<title>Efficient Elliptic Curve Operations On Microcontrollers With Finite Field Extensions</title> <title>Efficient Elliptic Curve Operations On Microcontrollers With Finite Field Extensions</title>
<author initials="T." surname="Pornin" fullname="Thomas Pornin"> <author initials="T." surname="Pornin" fullname="Thomas Pornin">
<organization>NCC Group</organization> <organization>NCC Group</organization>
</author> </author>
<date year="2020"/> <date year="2020"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2020/009</refcontent>
</reference> </reference>
<reference anchor="H20" target="https://eprint.iacr.org/2020/1513"> <reference anchor="H20" target="https://eprint.iacr.org/2020/1513">
<front> <front>
<title>Indifferentiable hashing from Elligator 2</title> <title>Indifferentiable hashing from Elligator 2</title>
<author initials="M." surname="Hamburg" fullname="Mike Hamburg"> <author initials="M." surname="Hamburg" fullname="Mike Hamburg">
<organization>Rambus Inc</organization> <organization>Rambus Inc</organization>
</author> </author>
<date year="2020"/> <date year="2020"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2020/1513</refcontent>
</reference> </reference>
<reference anchor="I-D.irtf-cfrg-bls-signature">
<front>
<title>BLS Signatures</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-bls-signatu
re-04"/>
<author fullname="Dan Boneh">
<organization>Stanford University</organization>
</author>
<author fullname="Sergey Gorbunov">
<organization>University of Waterloo</organization>
</author>
<author fullname="Riad S. Wahby">
<organization>Stanford University</organization>
</author>
<author fullname="Hoeteck Wee">
<organization>NTT Research and ENS</organization>
</author>
<author fullname="Zhenfei Zhang">
<organization>Algorand</organization>
</author>
<date day="10" month="September" year="2020"/>
<abstract>
<t> BLS is a digital signature scheme with aggregation propertie
s. Given
set of signatures (signature_1, ..., signature_n) anyone can produce
an aggregated signature. Aggregation can also be done on secret keys
and public keys. Furthermore, the BLS signature scheme is
deterministic, non-malleable, and efficient. Its simplicity and
cryptographic properties allows it to be useful in a variety of use-
cases, specifically when minimal storage space or bandwidth are
required.
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
</abstract> g-bls-signature.xml"/>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
</reference> g-vrf.xml"/>
<reference anchor="I-D.irtf-cfrg-vrf"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
<front> g-voprf.xml"/>
<title>Verifiable Random Functions (VRFs)</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-vrf-12"/>
<author fullname="Sharon Goldberg">
<organization>Boston University</organization>
</author>
<author fullname="Leonid Reyzin">
<organization>Boston University and Algorand</organization>
</author>
<author fullname="Dimitrios Papadopoulos">
<organization>Hong Kong University of Science and Technology</orga
nization>
</author>
<author fullname="Jan Vcelak">
<organization>NS1</organization>
</author>
<date day="26" month="May" year="2022"/>
<abstract>
<t> A Verifiable Random Function (VRF) is the public-key version
of a
keyed cryptographic hash. Only the holder of the private key can
compute the hash, but anyone with the public key can verify the
correctness of the hash. VRFs are useful for preventing enumeration
of hash-based data structures. This document specifies several VRF
constructions based on RSA and Elliptic Curves that are secure in the
cryptographic random oracle model.
This document is a product of the Crypto Forum Research Group (CFRG) <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7693.xml"
in the IRTF. />
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr
</abstract> g-ristretto255-decaf448.xml"/>
</front>
</reference>
<reference anchor="I-D.irtf-cfrg-voprf">
<front>
<title>Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Gr
oups</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-voprf-09"/>
<author fullname="Alex Davidson">
<organization>Brave Software</organization>
</author>
<author fullname="Armando Faz-Hernandez">
<organization>Cloudflare, Inc.</organization>
</author>
<author fullname="Nick Sullivan">
<organization>Cloudflare, Inc.</organization>
</author>
<author fullname="Christopher A. Wood">
<organization>Cloudflare, Inc.</organization>
</author>
<date day="8" month="February" year="2022"/>
<abstract>
<t> An Oblivious Pseudorandom Function (OPRF) is a two-party pro
tocol
between client and server for computing the output of a Pseudorandom
Function (PRF). The server provides the PRF secret key, and the
client provides the PRF input. At the end of the protocol, the
client learns the PRF output without learning anything about the PRF
secret key, and the server learns neither the PRF input nor output.
An OPRF can also satisfy a notion of 'verifiability', called a VOPRF.
A VOPRF ensures clients can verify that the server used a specific
private key during the execution of the protocol. A VOPRF can also
be partially-oblivious, called a POPRF. A POPRF allows clients and
servers to provide public input to the PRF computation. This
document specifies an OPRF, VOPRF, and POPRF instantiated within
standard prime-order groups, including elliptic curves.
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8018.xml"
</abstract> />
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7914.xml"
</reference> />
<reference anchor="RFC7693"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9106.xml"
<front> />
<title>The BLAKE2 Cryptographic Hash and Message Authentication Code <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"
(MAC)</title> />
<seriesInfo name="DOI" value="10.17487/RFC7693"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"
<seriesInfo name="RFC" value="7693"/> />
<author fullname="M-J. Saarinen" initials="M-J." role="editor" surna
me="Saarinen">
<organization/>
</author>
<author fullname="J-P. Aumasson" initials="J-P." surname="Aumasson">
<organization/>
</author>
<date month="November" year="2015"/>
<abstract>
<t>This document describes the cryptographic hash function BLAKE2
and makes the algorithm specification and C source code conveniently available t
o the Internet community. BLAKE2 comes in two main flavors: BLAKE2b is optimize
d for 64-bit platforms and BLAKE2s for smaller architectures. BLAKE2 can be dir
ectly keyed, making it functionally equivalent to a Message Authentication Code
(MAC).</t>
</abstract>
</front>
</reference>
<reference anchor="I-D.irtf-cfrg-ristretto255-decaf448">
<front>
<title>The ristretto255 and decaf448 Groups</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-ristretto25
5-decaf448-03"/>
<author fullname="Henry de Valence">
</author>
<author fullname="Jack Grigg">
</author>
<author fullname="Mike Hamburg">
</author>
<author fullname="Isis Lovecruft">
</author>
<author fullname="George Tankersley">
</author>
<author fullname="Filippo Valsorda">
</author>
<date day="25" month="February" year="2022"/>
<abstract>
<t> This memo specifies two prime-order groups, ristretto255 and
decaf448, suitable for safely implementing higher-level and complex
cryptographic protocols. The ristretto255 group can be implemented
using Curve25519, allowing existing Curve25519 implementations to be
reused and extended to provide a prime-order group. Likewise, the
decaf448 group can be implemented using edwards448.
</t>
</abstract>
</front>
</reference>
<reference anchor="RFC2898">
<front>
<title>PKCS #5: Password-Based Cryptography Specification Version 2.
0</title>
<seriesInfo name="DOI" value="10.17487/RFC2898"/>
<seriesInfo name="RFC" value="2898"/>
<author fullname="B. Kaliski" initials="B." surname="Kaliski">
<organization/>
</author>
<date month="September" year="2000"/>
<abstract>
<t>This document provides recommendations for the implementation o
f password-based cryptography, covering key derivation functions, encryption sch
emes, message-authentication schemes, and ASN.1 syntax identifying the technique
s. This memo provides information for the Internet community.</t>
</abstract>
</front>
</reference>
<reference anchor="RFC7914">
<front>
<title>The scrypt Password-Based Key Derivation Function</title>
<seriesInfo name="DOI" value="10.17487/RFC7914"/>
<seriesInfo name="RFC" value="7914"/>
<author fullname="C. Percival" initials="C." surname="Percival">
<organization/>
</author>
<author fullname="S. Josefsson" initials="S." surname="Josefsson">
<organization/>
</author>
<date month="August" year="2016"/>
<abstract>
<t>This document specifies the password-based key derivation funct
ion scrypt. The function derives one or more secret keys from a secret string.
It is based on memory-hard functions, which offer added protection against atta
cks using custom hardware. The document also provides an ASN.1 schema.</t>
</abstract>
</front>
</reference>
<reference anchor="I-D.irtf-cfrg-argon2">
<front>
<title>Argon2 Memory-Hard Function for Password Hashing and Proof-of
-Work Applications</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-argon2-13"/
>
<author fullname="Alex Biryukov">
<organization>University of Luxembourg</organization>
</author>
<author fullname="Daniel Dinu">
<organization>University of Luxembourg</organization>
</author>
<author fullname="Dmitry Khovratovich">
<organization>ABDK Consulting</organization>
</author>
<author fullname="Simon Josefsson">
<organization>SJD AB</organization>
</author>
<date day="11" month="March" year="2021"/>
<abstract>
<t>This document describes the Argon2 memory-hard function for pas
sword hashing and proof-of-work applications. We provide an implementer-oriente
d description with test vectors. The purpose is to simplify adoption of Argon2
for Internet protocols. This document is a product of the Crypto Forum Research
Group (CFRG) in the IRTF.
</t>
</abstract>
</front>
</reference>
<reference anchor="RFC2104">
<front>
<title>HMAC: Keyed-Hashing for Message Authentication</title>
<seriesInfo name="DOI" value="10.17487/RFC2104"/>
<seriesInfo name="RFC" value="2104"/>
<author fullname="H. Krawczyk" initials="H." surname="Krawczyk">
<organization/>
</author>
<author fullname="M. Bellare" initials="M." surname="Bellare">
<organization/>
</author>
<author fullname="R. Canetti" initials="R." surname="Canetti">
<organization/>
</author>
<date month="February" year="1997"/>
<abstract>
<t>This document describes HMAC, a mechanism for message authentic
ation using cryptographic hash functions. HMAC can be used with any iterative cr
yptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared
key. The cryptographic strength of HMAC depends on the properties of the under
lying hash function. This memo provides information for the Internet community.
This memo does not specify an Internet standard of any kind</t>
</abstract>
</front>
</reference>
<reference anchor="RFC5869">
<front>
<title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)<
/title>
<seriesInfo name="DOI" value="10.17487/RFC5869"/>
<seriesInfo name="RFC" value="5869"/>
<author fullname="H. Krawczyk" initials="H." surname="Krawczyk">
<organization/>
</author>
<author fullname="P. Eronen" initials="P." surname="Eronen">
<organization/>
</author>
<date month="May" year="2010"/>
<abstract>
<t>This document specifies a simple Hashed Message Authentication
Code (HMAC)-based key derivation function (HKDF), which can be used as a buildin
g block in various protocols and applications. The key derivation function (KDF
) is intended to support a wide range of applications and requirements, and is c
onservative in its use of cryptographic hash functions. This document is not an
Internet Standards Track specification; it is published for informational pur
poses.</t>
</abstract>
</front>
</reference>
</references> </references>
</references> </references>
<section anchor="related" numbered="true" toc="default"> <?line 3251?>
<name>Related work</name>
<section anchor="related">
<name>Related Work</name>
<t>The problem of mapping arbitrary bit strings to elliptic curve points <t>The problem of mapping arbitrary bit strings to elliptic curve points
has been the subject of both practical and theoretical research. has been the subject of both practical and theoretical research.
This section briefly describes the background and research results This section briefly describes the background and research results
that underly the recommendations in this document. that underlie the recommendations in this document.
This section is provided for informational purposes only.</t> This section is provided for informational purposes only.</t>
<t>A naive but generally insecure method of mapping a string msg to <t>A naive but generally insecure method of mapping a string msg to
a point on an elliptic curve E having n points is to first fix a point P that a point on an elliptic curve E having n points is to first fix a point P that
generates the elliptic curve group, and a hash function Hn from bit strings generates the elliptic curve group, and a hash function Hn from bit strings
to integers less than n; then compute Hn(msg) * P, where the * operator to integers less than n; then compute Hn(msg) * P, where the * operator
represents scalar multiplication. The reason this approach is insecure is represents scalar multiplication. The reason this approach is insecure is
that the resulting point has a known discrete log relationship to P. that the resulting point has a known discrete log relationship to P.
Thus, except in cases where this method is specified by the protocol, Thus, except in cases where this method is specified by the protocol,
it must not be used; doing so risks catastrophic security failures.</t> it must not be used; doing so risks catastrophic security failures.</t>
<t>Boneh et al. <xref target="BLS01" format="default"/> describe an encodi ng method they call MapToGroup, <t>Boneh et al. <xref target="BLS01"/> describe an encoding method they ca ll MapToGroup,
which works roughly as follows: first, use the input string to initialize a which works roughly as follows: first, use the input string to initialize a
pseudorandom number generator, then use the generator to produce a pseudorandom number generator, then use the generator to produce a
value x in F. value x in F.
If x is the x-coordinate of a point on the elliptic curve, output that If x is the x-coordinate of a point on the elliptic curve, output that
point. Otherwise, generate a new value x in F and try again. point. Otherwise, generate a new value x in F and try again.
Since a random value x in F has probability about 1/2 of corresponding to Since a random value x in F has probability about 1/2 of corresponding to
a point on the curve, the expected number of tries is just two. a point on the curve, the expected number of tries is just two.
However, the running time of this method, which is generally referred However, the running time of this method, which is generally referred
to as a probabilistic try-and-increment algorithm, depends on the input string. to as a probabilistic try-and-increment algorithm, depends on the input string.
As such, it is not safe to use in protocols sensitive to timing As such, it is not safe to use in protocols sensitive to timing
side channels, as was exemplified by the Dragonblood attack <xref target="VR20" side channels, as was exemplified by the Dragonblood attack <xref target="VR20"/
format="default"/>.</t> >.</t>
<t>Schinzel and Skalba <xref target="SS04" format="default"/> introduce a <t>Schinzel and Skalba <xref target="SS04"/> introduce a method of constru
method of constructing cting
elliptic curve points deterministically, for a restricted class of curves elliptic curve points deterministically, for a restricted class of curves
and a very small number of points. and a very small number of points.
Skalba <xref target="S05" format="default"/> generalizes this construction to mo re curves and more points Skalba <xref target="S05"/> generalizes this construction to more curves and mor e points
on those curves. on those curves.
Shallue and van de Woestijne <xref target="SW06" format="default"/> further gene ralize and simplify Shallue and van de Woestijne <xref target="SW06"/> further generalize and simpli fy
Skalba's construction, yielding concretely efficient maps to a constant Skalba's construction, yielding concretely efficient maps to a constant
fraction of the points on almost any curve. fraction of the points on almost any curve.
Fouque and Tibouchi <xref target="FT12" format="default"/> give a parameterizati Fouque and Tibouchi <xref target="FT12"/> give a parameterization of this mappin
on of this mapping g
for Barreto-Naehrig pairing-friendly curves <xref target="BN05" format="default" for Barreto-Naehrig pairing-friendly curves <xref target="BN05"/>.</t>
/>.</t> <t>Ulas <xref target="U07"/> describes a simpler version of the Shallue-va
<t>Ulas <xref target="U07" format="default"/> describes a simpler version n de Woestijne map,
of the Shallue-van de Woestijne map, and Brier et al. <xref target="BCIMRT10"/> give a further simplification, which
and Brier et al. <xref target="BCIMRT10" format="default"/> give a further simpl the authors
ification, which the authors call the "Simplified SWU" map.
call the "simplified SWU" map.
That simplified map applies only to fields of characteristic p = 3 (mod 4); That simplified map applies only to fields of characteristic p = 3 (mod 4);
Wahby and Boneh <xref target="WB19" format="default"/> generalize to fields of a ny characteristic, and Wahby and Boneh <xref target="WB19"/> generalize to fields of any characteristic and
give further optimizations.</t> give further optimizations.</t>
<t>Boneh and Franklin give a deterministic algorithm mapping to certain <t>Boneh and Franklin give a deterministic algorithm mapping to certain
supersingular curves over fields of characteristic p = 2 (mod 3) <xref target="B supersingular curves over fields of characteristic p = 2 (mod 3) <xref target="B
F01" format="default"/>. F01"/>.
Icart gives another deterministic algorithm which maps to any curve Icart gives another deterministic algorithm that maps to any curve
over a field of characteristic p = 2 (mod 3) <xref target="Icart09" format="defa over a field of characteristic p = 2 (mod 3) <xref target="Icart09"/>.
ult"/>.
Several extensions and generalizations follow this work, including Several extensions and generalizations follow this work, including
<xref target="FSV09" format="default"/>, <xref target="FT10" format="default"/>, <xref target="FSV09"/>, <xref target="FT10"/>, <xref target="KLR10"/>, <xref tar
<xref target="KLR10" format="default"/>, <xref target="F11" format="default"/>, get="F11"/>, and <xref target="CK11"/>.</t>
and <xref target="CK11" format="default"/>.</t> <t>Following the work of Farashahi <xref target="F11"/>, Fouque et al. <xr
<t>Following the work of Farashahi <xref target="F11" format="default"/>, ef target="FJT13"/> describe a
Fouque et al. <xref target="FJT13" format="default"/> describe a
mapping to curves over fields of characteristic p = 3 (mod 4) having a number of points mapping to curves over fields of characteristic p = 3 (mod 4) having a number of points
divisible by 4. Bernstein et al. <xref target="BHKL13" format="default"/> optim ize this mapping and divisible by 4. Bernstein et al. <xref target="BHKL13"/> optimize this mapping and
describe a related mapping that they call "Elligator 2," which applies to describe a related mapping that they call "Elligator 2," which applies to
any curve over a field of odd characteristic having a point of order 2. any curve over a field of odd characteristic having a point of order 2.
This includes Curve25519 and Curve448, both of which are CFRG-recommended This includes Curve25519 and Curve448, both of which are CFRG-recommended
curves <xref target="RFC7748" format="default"/>. Bernstein et al. <xref target= "BLMP19" format="default"/> extend the Elligator 2 map curves <xref target="RFC7748"/>. Bernstein et al. <xref target="BLMP19"/> extend the Elligator 2 map
to a class of supersingular curves over fields of characteristic p = 3 (mod 4).< /t> to a class of supersingular curves over fields of characteristic p = 3 (mod 4).< /t>
<t>An important caveat regarding all of the above deterministic mapping <t>An important caveat regarding all of the above deterministic mapping
functions is that none of them map to the entire curve, but rather to some functions is that none of them map to the entire curve, but rather to some
fraction of the points. This means that they cannot be used directly to fraction of the points. This means that they cannot be used directly to
construct a random oracle that outputs points on the curve.</t> construct a random oracle that outputs points on the curve.</t>
<t>Brier et al. <xref target="BCIMRT10" format="default"/> give two soluti <t>Brier et al. <xref target="BCIMRT10"/> give two solutions to this probl
ons to this problem. em.
The first, which Brier et al. prove applies to Icart's method, The first, which Brier et al. prove applies to Icart's method,
computes f(H0(msg)) + f(H1(msg)) for two distinct hash functions computes f(H0(msg)) + f(H1(msg)) for two distinct hash functions
H0 and H1 from bit strings to F and a mapping f from F to the elliptic curve E. H0 and H1 from bit strings to F and a mapping f from F to the elliptic curve E.
The second, which applies to essentially all deterministic mappings but The second, which applies to essentially all deterministic mappings but
is more costly, computes f(H0(msg)) + H2(msg) * P, for P a generator of the is more costly, computes f(H0(msg)) + H2(msg) * P, where P is a generator of the
elliptic curve group and H2 a hash from bit strings to integers modulo r, elliptic curve group, H2 is a hash from bit strings to integers modulo r,
the order of the elliptic curve group. and r is the order of the elliptic curve group.</t>
Farashahi et al. <xref target="FFSTV13" format="default"/> improve the analysis <t>Farashahi et al. <xref target="FFSTV13"/> improve the analysis of the f
of the first method, irst method,
showing that it applies to essentially all deterministic mappings. showing that it applies to essentially all deterministic mappings.
Tibouchi and Kim <xref target="TK17" format="default"/> further refine the analy sis and describe additional Tibouchi and Kim <xref target="TK17"/> further refine the analysis and describe additional
optimizations.</t> optimizations.</t>
<t>Complementary to the problem of mapping from bit strings to elliptic cu rve <t>Complementary to the problem of mapping from bit strings to elliptic cu rve
points, Bernstein et al. <xref target="BHKL13" format="default"/> study the prob lem of mapping from elliptic points, Bernstein et al. <xref target="BHKL13"/> study the problem of mapping fr om elliptic
curve points to uniformly random bit strings, giving solutions for a class of curve points to uniformly random bit strings, giving solutions for a class of
curves including Montgomery and twisted Edwards curves. curves that includes Montgomery and twisted Edwards curves.
Tibouchi <xref target="T14" format="default"/> and Aranha et al. <xref target="A Tibouchi <xref target="T14"/> and Aranha et al. <xref target="AFQTZ14"/> general
FQTZ14" format="default"/> generalize these results. ize these results.
This document does not deal with this complementary problem.</t> This document does not deal with this complementary problem.</t>
</section> </section>
<section anchor="appx-ristretto255" numbered="true" toc="default"> <section anchor="appx-ristretto255">
<name>Hashing to ristretto255</name> <name>Hashing to ristretto255</name>
<t>ristretto255 <xref target="I-D.irtf-cfrg-ristretto255-decaf448" format= <t>ristretto255 <xref target="I-D.irtf-cfrg-ristretto255-decaf448"/> provi
"default"/> provides a prime-order des a prime-order
group based on Curve25519 <xref target="RFC7748" format="default"/>. group based on curve25519 <xref target="RFC7748"/>.
This section describes hash_to_ristretto255, which implements a random-oracle This section describes hash_to_ristretto255, which implements a random-oracle
encoding to this group that has a uniform output distribution (<xref target="ter m-rom" format="default"/>) encoding to this group that has a uniform output distribution (<xref target="ter m-rom"/>)
and the same security properties and interface as the hash_to_curve function and the same security properties and interface as the hash_to_curve function
(<xref target="roadmap" format="default"/>).</t> (<xref target="roadmap"/>).</t>
<t>The ristretto255 API defines a one-way map (<xref target="I-D.irtf-cfrg <t>The ristretto255 API defines a one-way map (<xref section="4.3.4" secti
-ristretto255-decaf448" format="default"/>, onFormat="comma" target="I-D.irtf-cfrg-ristretto255-decaf448"/>); this section r
Section 4.3.4); this section refers to that map as ristretto255_map.</t> efers to that map as ristretto255_map.</t>
<t>The hash_to_ristretto255 function MUST be instantiated with an expand_m <t>The hash_to_ristretto255 function <bcp14>MUST</bcp14> be instantiated w
essage ith an expand_message
function that conforms to the requirements given in <xref target="hashtofield-ex function that conforms to the requirements given in <xref target="hashtofield-ex
pand" format="default"/>. pand"/>.
In addition, it MUST use a domain separation tag constructed as described In addition, it <bcp14>MUST</bcp14> use a domain separation tag constructed as d
in <xref target="domain-separation" format="default"/>, and all domain separatio escribed
n recommendations given in <xref target="domain-separation"/>, and all domain separation recommendations
in <xref target="security-considerations-domain-separation-expmsg-var" format="d given
efault"/> apply when implementing in <xref target="security-considerations-domain-separation-expmsg-var"/> apply w
hen implementing
protocols that use hash_to_ristretto255.</t> protocols that use hash_to_ristretto255.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
hash_to_ristretto255(msg) hash_to_ristretto255(msg)
Parameters: Parameters:
- DST, a domain separation tag (see discussion above). - DST, a domain separation tag (see discussion above).
- expand_message, a function that expands a byte string and - expand_message, a function that expands a byte string and
domain separation tag into a uniformly random byte string domain separation tag into a uniformly random byte string
(see discussion above). (see discussion above).
- ristretto255_map, the one-way map from the ristretto255 API. - ristretto255_map, the one-way map from the ristretto255 API.
Input: msg, an arbitrary-length byte string. Input: msg, an arbitrary-length byte string.
Output: P, an element of the ristretto255 group. Output: P, an element of the ristretto255 group.
Steps: Steps:
1. uniform_bytes = expand_message(msg, DST, 64) 1. uniform_bytes = expand_message(msg, DST, 64)
2. P = ristretto255_map(uniform_bytes) 2. P = ristretto255_map(uniform_bytes)
3. return P 3. return P
</sourcecode> ]]></sourcecode>
<t>Since hash_to_ristretto255 is not a hash-to-curve suite, it does not <t>Since hash_to_ristretto255 is not a hash-to-curve suite, it does not
have a Suite ID. have a Suite ID.
If a similar identifier is needed, it MUST be constructed following If a similar identifier is needed, it <bcp14>MUST</bcp14> be constructed followi
the guidelines in <xref target="suiteIDformat" format="default"/>, with the foll ng
owing parameters:</t> the guidelines in <xref target="suiteIDformat"/>, with the following parameters:
</t>
<ul spacing="normal"> <ul spacing="normal">
<li>CURVE_ID: "ristretto255"</li> <li>CURVE_ID: "ristretto255"</li>
<li>HASH_ID: as described in <xref target="suiteIDformat" format="defaul t"/></li> <li>HASH_ID: as described in <xref target="suiteIDformat"/></li>
<li>MAP_ID: "R255MAP"</li> <li>MAP_ID: "R255MAP"</li>
<li>ENC_VAR: "RO"</li> <li>ENC_VAR: "RO"</li>
</ul> </ul>
<t>For example, if expand_message is expand_message_xmd using SHA-512, the <t>For example, if expand_message is expand_message_xmd using SHA-512, the
REQUIRED identifier is:</t> <bcp14>REQUIRED</bcp14> identifier is:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
ristretto255_XMD:SHA-512_R255MAP_RO_ ristretto255_XMD:SHA-512_R255MAP_RO_
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="appx-decaf448" numbered="true" toc="default"> <section anchor="appx-decaf448">
<name>Hashing to decaf448</name> <name>Hashing to decaf448</name>
<t>Similar to ristretto255, decaf448 <xref target="I-D.irtf-cfrg-ristretto <t>Similar to ristretto255, decaf448 <xref target="I-D.irtf-cfrg-ristretto
255-decaf448" format="default"/> provides 255-decaf448"/> provides
a prime-order group based on Curve448 <xref target="RFC7748" format="default"/>. a prime-order group based on curve448 <xref target="RFC7748"/>.
This section describes hash_to_decaf448, which implements a random-oracle This section describes hash_to_decaf448, which implements a random-oracle
encoding to this group that has a uniform output distribution (<xref target="ter m-rom" format="default"/>) encoding to this group that has a uniform output distribution (<xref target="ter m-rom"/>)
and the same security properties and interface as the hash_to_curve function and the same security properties and interface as the hash_to_curve function
(<xref target="roadmap" format="default"/>).</t> (<xref target="roadmap"/>).</t>
<t>The decaf448 API defines a one-way map (<xref target="I-D.irtf-cfrg-ris <t>The decaf448 API defines a one-way map (<xref section="5.3.4" sectionFo
tretto255-decaf448" format="default"/>, rmat="comma" target="I-D.irtf-cfrg-ristretto255-decaf448"/>); this section refer
Section 5.3.4); this section refers to that map as decaf448_map.</t> s to that map as decaf448_map.</t>
<t>The hash_to_decaf448 function MUST be instantiated with an expand_messa <t>The hash_to_decaf448 function <bcp14>MUST</bcp14> be instantiated with
ge an expand_message
function that conforms to the requirements given in <xref target="hashtofield-ex function that conforms to the requirements given in <xref target="hashtofield-ex
pand" format="default"/>. pand"/>.
In addition, it MUST use a domain separation tag constructed as described In addition, it <bcp14>MUST</bcp14> use a domain separation tag constructed as d
in <xref target="domain-separation" format="default"/>, and all domain separatio escribed
n recommendations given in <xref target="domain-separation"/>, and all domain separation recommendations
in <xref target="security-considerations-domain-separation-expmsg-var" format="d given
efault"/> apply when implementing in <xref target="security-considerations-domain-separation-expmsg-var"/> apply w
hen implementing
protocols that use hash_to_decaf448.</t> protocols that use hash_to_decaf448.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
hash_to_decaf448(msg) hash_to_decaf448(msg)
Parameters: Parameters:
- DST, a domain separation tag (see discussion above). - DST, a domain separation tag (see discussion above).
- expand_message, a function that expands a byte string and - expand_message, a function that expands a byte string and
domain separation tag into a uniformly random byte string domain separation tag into a uniformly random byte string
(see discussion above). (see discussion above).
- decaf448_map, the one-way map from the decaf448 API. - decaf448_map, the one-way map from the decaf448 API.
Input: msg, an arbitrary-length byte string. Input: msg, an arbitrary-length byte string.
Output: P, an element of the decaf448 group. Output: P, an element of the decaf448 group.
Steps: Steps:
1. uniform_bytes = expand_message(msg, DST, 112) 1. uniform_bytes = expand_message(msg, DST, 112)
2. P = decaf448_map(uniform_bytes) 2. P = decaf448_map(uniform_bytes)
3. return P 3. return P
</sourcecode> ]]></sourcecode>
<t>Since hash_to_decaf448 is not a hash-to-curve suite, it does not <t>Since hash_to_decaf448 is not a hash-to-curve suite, it does not
have a Suite ID. If a similar identifier is needed, it MUST be constructed have a Suite ID. If a similar identifier is needed, it <bcp14>MUST</bcp14> be co
following the guidelines in <xref target="suiteIDformat" format="default"/>, wit nstructed
h the following parameters:</t> following the guidelines in <xref target="suiteIDformat"/>, with the following p
arameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>CURVE_ID: "decaf448"</li> <li>CURVE_ID: "decaf448"</li>
<li>HASH_ID: as described in <xref target="suiteIDformat" format="defaul t"/></li> <li>HASH_ID: as described in <xref target="suiteIDformat"/></li>
<li>MAP_ID: "D448MAP"</li> <li>MAP_ID: "D448MAP"</li>
<li>ENC_VAR: "RO"</li> <li>ENC_VAR: "RO"</li>
</ul> </ul>
<t>For example, if expand_message is expand_message_xof using SHAKE256, th e <t>For example, if expand_message is expand_message_xof using SHAKE256, th e
REQUIRED identifier is:</t> <bcp14>REQUIRED</bcp14> identifier is:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
decaf448_XOF:SHAKE256_D448MAP_RO_ decaf448_XOF:SHAKE256_D448MAP_RO_
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="appx-rational-map" numbered="true" toc="default"> <section anchor="appx-rational-map">
<name>Rational maps</name> <name>Rational Maps</name>
<t>This section gives rational maps that can be used when hashing to <t>This section gives rational maps that can be used when hashing to
twisted Edwards or Montgomery curves.</t> twisted Edwards or Montgomery curves.</t>
<t>Given a twisted Edwards curve, <xref target="appx-rational-map-edw" for mat="default"/> <t>Given a twisted Edwards curve, <xref target="appx-rational-map-edw"/>
shows how to derive a corresponding Montgomery shows how to derive a corresponding Montgomery
curve and how to map from that curve to the twisted Edwards curve. curve and how to map from that curve to the twisted Edwards curve.
This mapping may be used when hashing to twisted Edwards curves This mapping may be used when hashing to twisted Edwards curves
as described in <xref target="twisted-edwards" format="default"/>.</t> as described in <xref target="twisted-edwards"/>.</t>
<t>Given a Montgomery curve, <xref target="appx-rational-map-mont" format= <t>Given a Montgomery curve, <xref target="appx-rational-map-mont"/> shows
"default"/> shows
how to derive a corresponding Weierstrass curve and how to map from that how to derive a corresponding Weierstrass curve and how to map from that
curve to the Montgomery curve. curve to the Montgomery curve.
This mapping can be used to hash to Montgomery or twisted Edwards curves This mapping can be used to hash to Montgomery or twisted Edwards curves
via the Shallue-van de Woestijne (<xref target="svdw" format="default"/>) or Sim via the Shallue-van de Woestijne method (<xref target="svdw"/>) or Simplified SW
plified SWU (<xref target="simple-swu" format="default"/>) U method (<xref target="simple-swu"/>),
method, as follows:</t> as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>For Montgomery curves, first map to the Weierstrass curve, then conv ert <li>For Montgomery curves, first map to the Weierstrass curve, then conv ert
to Montgomery coordinates via the mapping.</li> to Montgomery coordinates via the mapping.</li>
<li>For twisted Edwards curves, compose the Weierstrass to Montgomery ma <li>For twisted Edwards curves, compose the mapping from Weierstrass
pping to Montgomery with the mapping from Montgomery to twisted Edwards
with the Montgomery to twisted Edwards mapping (<xref target="appx-rational-map-edw"/>) to obtain a Weierstrass curve and a
(<xref target="appx-rational-map-edw" format="default"/>) to obtain a Weierstras mapping to the target twisted Edwards curve.
s curve and a mapping
to the target twisted Edwards curve.
Map to this Weierstrass curve, then convert to Edwards coordinates Map to this Weierstrass curve, then convert to Edwards coordinates
via the mapping.</li> via the mapping.</li>
</ul> </ul>
<section anchor="appx-rational-map-edw" numbered="true" toc="default"> <section anchor="appx-rational-map-edw">
<name>Generic Montgomery to twisted Edwards map</name> <name>Generic Mapping from Montgomery to Twisted Edwards</name>
<t>This section gives a generic birational map between twisted Edwards <t>This section gives a generic birational map between twisted Edwards
and Montgomery curves.</t> and Montgomery curves.</t>
<t>The map in this section is a simplified version of the map given in <t>The map in this section is a simplified version of the map given in
<xref target="BBJLP08" format="default"/>, Theorem 3.2. <xref target="BBJLP08"/>, Theorem 3.2.
Specifically, this section's map handles exceptional cases in a Specifically, this section's map handles exceptional cases in a
simplified way that is geared towards hashing to a twisted Edwards simplified way that is geared towards hashing to a twisted Edwards
curve's prime-order subgroup.</t> curve's prime-order subgroup.</t>
<t>The twisted Edwards curve</t> <t>The twisted Edwards curve</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
a * v^2 + w^2 = 1 + d * v^2 * w^2 a * v^2 + w^2 = 1 + d * v^2 * w^2
</sourcecode> ]]></sourcecode>
<t>is birationally equivalent to the Montgomery curve</t> <t>is birationally equivalent to the Montgomery curve</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
K * t^2 = s^3 + J * s^2 + s K * t^2 = s^3 + J * s^2 + s
</sourcecode> ]]></sourcecode>
<t>which has the form required by the Elligator 2 mapping of <xref targe <t>which has the form required by the Elligator 2 mapping of <xref targe
t="elligator2" format="default"/>. t="elligator2"/>.
The coefficients of the Montgomery curve are</t> The coefficients of the Montgomery curve are</t>
<ul spacing="normal"> <ul spacing="normal">
<li>J = 2 * (a + d) / (a - d)</li> <li>J = 2 * (a + d) / (a - d)</li>
<li>K = 4 / (a - d)</li> <li>K = 4 / (a - d)</li>
</ul> </ul>
<t>The rational map from the point (s, t) on the above Montgomery curve <t>The rational map from the point (s, t) on the above Montgomery curve
to the point (v, w) on the twisted Edwards curve is given by</t> to the point (v, w) on the twisted Edwards curve is given by</t>
<ul spacing="normal"> <ul spacing="normal">
<li>v = s / t</li> <li>v = s / t</li>
<li>w = (s - 1) / (s + 1)</li> <li>w = (s - 1) / (s + 1)</li>
</ul> </ul>
<t>This mapping is undefined when t == 0 or s == -1, i.e., when <t>This mapping is undefined when t == 0 or s == -1, i.e., when
the denominator of either of the above rational functions is zero. the denominator of either of the above rational functions is zero.
Implementations MUST detect exceptional cases and return the value Implementations <bcp14>MUST</bcp14> detect exceptional cases and return the valu e
(v, w) = (0, 1), which is the identity point on all twisted Edwards curves.</t> (v, w) = (0, 1), which is the identity point on all twisted Edwards curves.</t>
<t>The following straight-line implementation of the above rational map <t>The following straight-line implementation of the above rational map
handles the exceptional cases.</t> handles the exceptional cases.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
monty_to_edw_generic(s, t) monty_to_edw_generic(s, t)
Input: (s, t), a point on the curve K * t^2 = s^3 + J * s^2 + s. Input: (s, t), a point on the curve K * t^2 = s^3 + J * s^2 + s.
Output: (v, w), a point on an equivalent twisted Edwards curve. Output: (v, w), a point on an equivalent twisted Edwards curve.
1. tv1 = s + 1 1. tv1 = s + 1
2. tv2 = tv1 * t # (s + 1) * t 2. tv2 = tv1 * t # (s + 1) * t
3. tv2 = inv0(tv2) # 1 / ((s + 1) * t) 3. tv2 = inv0(tv2) # 1 / ((s + 1) * t)
4. v = tv2 * tv1 # 1 / t 4. v = tv2 * tv1 # 1 / t
5. v = v * s # s / t 5. v = v * s # s / t
6. w = tv2 * t # 1 / (s + 1) 6. w = tv2 * t # 1 / (s + 1)
7. tv1 = s - 1 7. tv1 = s - 1
8. w = w * tv1 # (s - 1) / (s + 1) 8. w = w * tv1 # (s - 1) / (s + 1)
9. e = tv2 == 0 9. e = tv2 == 0
10. w = CMOV(w, 1, e) # handle exceptional case 10. w = CMOV(w, 1, e) # handle exceptional case
11. return (v, w) 11. return (v, w)
</sourcecode> ]]></sourcecode>
<t>For completeness, we also give the inverse relations. <t>For completeness, we also give the inverse relations.
(Note that this map is not required when hashing to twisted Edwards curves.) (Note that this map is not required when hashing to twisted Edwards curves.)
The coefficients of the twisted Edwards curve corresponding to The coefficients of the twisted Edwards curve corresponding to
the above Montgomery curve are</t> the above Montgomery curve are</t>
<ul spacing="normal"> <ul spacing="normal">
<li>a = (J + 2) / K</li> <li>a = (J + 2) / K</li>
<li>d = (J - 2) / K</li> <li>d = (J - 2) / K</li>
</ul> </ul>
<t>The rational map from the point (v, w) on the twisted Edwards <t>The rational map from the point (v, w) on the twisted Edwards
curve to the point (s, t) on the Montgomery curve is given by</t> curve to the point (s, t) on the Montgomery curve is given by</t>
<ul spacing="normal"> <ul spacing="normal">
<li>s = (1 + w) / (1 - w)</li> <li>s = (1 + w) / (1 - w)</li>
<li>t = (1 + w) / (v * (1 - w))</li> <li>t = (1 + w) / (v * (1 - w))</li>
</ul> </ul>
<t>The mapping is undefined when v == 0 or w == 1. <t>The mapping is undefined when v == 0 or w == 1.
When the goal is to map into the prime-order subgroup of the Montgomery When the goal is to map into the prime-order subgroup of the Montgomery
curve, it suffices to return the identity point on the Montgomery curve curve, it suffices to return the identity point on the Montgomery curve
in the exceptional cases.</t> in the exceptional cases.</t>
</section> </section>
<section anchor="appx-rational-map-mont" numbered="true" toc="default"> <section anchor="appx-rational-map-mont">
<name>Weierstrass to Montgomery map</name> <name>Mapping from Weierstrass to Montgomery</name>
<t>The rational map from the point (s, t) on the Montgomery curve</t> <t>The rational map from the point (s, t) on the Montgomery curve</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
K * t^2 = s^3 + J * s^2 + s K * t^2 = s^3 + J * s^2 + s
</sourcecode> ]]></sourcecode>
<t>to the point (x, y) on the equivalent Weierstrass curve</t> <t>to the point (x, y) on the equivalent Weierstrass curve</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
y^2 = x^3 + A * x + B y^2 = x^3 + A * x + B
</sourcecode> ]]></sourcecode>
<t>is given by:</t> <t>is given by</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A = (3 - J^2) / (3 * K^2)</li> <li>A = (3 - J^2) / (3 * K^2)</li>
<li>B = (2 * J^3 - 9 * J) / (27 * K^3)</li> <li>B = (2 * J^3 - 9 * J) / (27 * K^3)</li>
<li>x = (3 * s + J) / (3 * K)</li> <li>x = (3 * s + J) / (3 * K)</li>
<li>y = t / K</li> <li>y = t / K</li>
</ul> </ul>
<t>The inverse map, from the point (x, y) to the point (s, t), is given by</t> <t>The inverse map, from the point (x, y) to the point (s, t), is given by</t>
<ul spacing="normal"> <ul spacing="normal">
<li>s = (3 * K * x - J) / 3</li> <li>s = (3 * K * x - J) / 3</li>
<li>t = y * K</li> <li>t = y * K</li>
</ul> </ul>
<t>This mapping can be used to apply the Shallue-van de Woestijne <t>This mapping can be used to apply the Shallue-van de Woestijne
(<xref target="svdw" format="default"/>) or Simplified SWU (<xref target="simple -swu" format="default"/>) method to method (<xref target="svdw"/>) or Simplified SWU method (<xref target="simple-sw u"/>) to
Montgomery curves.</t> Montgomery curves.</t>
</section> </section>
</section> </section>
<section anchor="appx-iso" numbered="true" toc="default"> <section anchor="appx-iso">
<name>Isogeny maps for suites</name> <name>Isogeny Maps for Suites</name>
<t>This section specifies the isogeny maps for the secp256k1 and BLS12-381 <t>This section specifies the isogeny maps for the secp256k1 and BLS12-381
suites listed in <xref target="suites" format="default"/>.</t> suites listed in <xref target="suites"/>.</t>
<t>These maps are given in terms of affine coordinates. <t>These maps are given in terms of affine coordinates.
Wahby and Boneh (<xref target="WB19" format="default"/>, Section 4.3) show how t Wahby and Boneh (<xref target="WB19"/>, Section 4.3) show how to evaluate these
o evaluate these maps maps
in a projective coordinate system (<xref target="projective-coords" format="defa in a projective coordinate system (<xref target="projective-coords"/>), which av
ult"/>), which avoids oids
modular inversions.</t> modular inversions.</t>
<t>Refer to the draft repository <xref target="hash2curve-repo" format="de fault"/> for a Sage <xref target="SAGE" format="default"/> script <t>Refer to <xref target="hash2curve-repo"/> for a Sage <xref target="SAGE "/> script
that constructs these isogenies.</t> that constructs these isogenies.</t>
<section anchor="appx-iso-secp256k1" numbered="true" toc="default"> <section anchor="appx-iso-secp256k1">
<name>3-isogeny map for secp256k1</name> <name>3-Isogeny Map for secp256k1</name>
<t>This section specifies the isogeny map for the secp256k1 suite listed <t>This section specifies the isogeny map for the secp256k1 suite listed
in <xref target="suites-secp256k1" format="default"/>.</t> in <xref target="suites-secp256k1"/>.</t>
<t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t> <t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>x = x_num / x_den, where <t>x = x_num / x_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li> <li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li>
<li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li> <li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li>
</ul> </ul>
</li> </li>
skipping to change at line 3862 skipping to change at line 3542
<t>y = y' * y_num / y_den, where <t>y = y' * y_num / y_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li> <li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li>
<li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li> <li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>The constants used to compute x_num are as follows:</t> <t>The constants used to compute x_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(1,0) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e3 8daaaaa8c7</li> <li>k_(1,0) =0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38 daaaaa8c7</li>
<li>k_(1,1) = 0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff104 4f17c6581</li> <li>k_(1,1) = 0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff104 4f17c6581</li>
<li>k_(1,2) = 0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0 b53d9dd262</li> <li>k_(1,2) = 0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0 b53d9dd262</li>
<li>k_(1,3) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e3 8daaaaa88c</li> <li>k_(1,3) = 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e3 8daaaaa88c</li>
</ul> </ul>
<t>The constants used to compute x_den are as follows:</t> <t>The constants used to compute x_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(2,0) = 0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b7 45781eb49b</li> <li>k_(2,0) = 0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b7 45781eb49b</li>
<li>k_(2,1) = 0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56 612a8c6d14</li> <li>k_(2,1) = 0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56 612a8c6d14</li>
</ul> </ul>
<t>The constants used to compute y_num are as follows:</t> <t>The constants used to compute y_num are as follows:</t>
skipping to change at line 3886 skipping to change at line 3566
<li>k_(3,2) = 0x29a6194691f91a73715209ef6512e576722830a201be2018a765e8 5a9ecee931</li> <li>k_(3,2) = 0x29a6194691f91a73715209ef6512e576722830a201be2018a765e8 5a9ecee931</li>
<li>k_(3,3) = 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda1 2f38e38d84</li> <li>k_(3,3) = 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda1 2f38e38d84</li>
</ul> </ul>
<t>The constants used to compute y_den are as follows:</t> <t>The constants used to compute y_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(4,0) = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffff fefffff93b</li> <li>k_(4,0) = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffff fefffff93b</li>
<li>k_(4,1) = 0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425 d2685c2573</li> <li>k_(4,1) = 0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425 d2685c2573</li>
<li>k_(4,2) = 0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf81 92bfd2a76f</li> <li>k_(4,2) = 0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf81 92bfd2a76f</li>
</ul> </ul>
</section> </section>
<section anchor="appx-iso-bls12381-g1" numbered="true" toc="default"> <section anchor="appx-iso-bls12381-g1">
<name>11-isogeny map for BLS12-381 G1</name> <name>11-Isogeny Map for BLS12-381 G1</name>
<t>The 11-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t> <t>The 11-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>x = x_num / x_den, where <t>x = x_num / x_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>x_num = k_(1,11) * x'^11 + k_(1,10) * x'^10 + k_(1,9) * x'^9 + ... + k_(1,0)</li> <li>x_num = k_(1,11) * x'^11 + k_(1,10) * x'^10 + k_(1,9) * x'^9 + ... + k_(1,0)</li>
<li>x_den = x'^10 + k_(2,9) * x'^9 + k_(2,8) * x'^8 + ... + k_(2,0 )</li> <li>x_den = x'^10 + k_(2,9) * x'^9 + k_(2,8) * x'^8 + ... + k_(2,0 )</li>
</ul> </ul>
</li> </li>
skipping to change at line 3909 skipping to change at line 3589
<t>y = y' * y_num / y_den, where <t>y = y' * y_num / y_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>y_num = k_(3,15) * x'^15 + k_(3,14) * x'^14 + k_(3,13) * x'^13 + ... + k_(3,0)</li> <li>y_num = k_(3,15) * x'^15 + k_(3,14) * x'^14 + k_(3,13) * x'^13 + ... + k_(3,0)</li>
<li>y_den = x'^15 + k_(4,14) * x'^14 + k_(4,13) * x'^13 + ... + k_ (4,0)</li> <li>y_den = x'^15 + k_(4,14) * x'^14 + k_(4,13) * x'^13 + ... + k_ (4,0)</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>The constants used to compute x_num are as follows:</t> <t>The constants used to compute x_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(1,0) = 0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b <li>k_(1,0)&nbsp;=&nbsp;0x11a05f2b1e833340b809101dd99815856b303e88a2d7
56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7</li> 005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7</li>
<li>k_(1,1) = 0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e3 <li>k_(1,1)&nbsp;=&nbsp;0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a
3c70d1e86b4838f2a6f318c356e834eef1b3cb83bb</li> 8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb</li>
<li>k_(1,2) = 0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e50 <li>k_(1,2)&nbsp;=&nbsp;0xd54005db97678ec1d1048c5d10a9a1bce03247329598
1ec68e25c958c3e3d2a09729fe0179f9dac9edcb0</li> 3e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0</li>
<li>k_(1,3) = 0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b332 <li>k_(1,3)&nbsp;=&nbsp;0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8d
89f1b330835336e25ce3107193c5b388641d9b6861</li> bf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861</li>
<li>k_(1,4) = 0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb6 <li>k_(1,4)&nbsp;=&nbsp;0xe99726a3199f4436642b4b3e4118e5499db995a1257f
5982fac18985a286f301e77c451154ce9ac8895d9</li> b3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9</li>
<li>k_(1,5) = 0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab <li>k_(1,5)&nbsp;=&nbsp;0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952
9097e68f90a0870d2dcae73d19cd13c1c66f652983</li> 799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983</li>
<li>k_(1,6) = 0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e21 <li>k_(1,6)&nbsp;=&nbsp;0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8
8f9c86b2a8da25128c1052ecaddd7f225a139ed84</li> ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84</li>
<li>k_(1,7) = 0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c6 <li>k_(1,7)&nbsp;=&nbsp;0x17b81e7701abdbe2e8743884d1117e53356de5ab275b
2ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e</li> 4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e</li>
<li>k_(1,8) = 0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c <li>k_(1,8)&nbsp;=&nbsp;0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5
928c5d1de4fa295f296b74e956d71986a8497e317</li> 574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317</li>
<li>k_(1,9) = 0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314 <li>k_(1,9)&nbsp;=&nbsp;0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c
baf4bb1b7fa3190b2edc0327797f241067be390c9e</li> 5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e</li>
<li>k_(1,10) = 0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af <li>k_(1,10)&nbsp;=&nbsp;0x10321da079ce07e272d8ec09d2565b0dfa7dccdde67
36003b14866f69b771f8c285decca67df3f1605fb7b</li> 87f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b</li>
<li>k_(1,11) = 0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf <li>k_(1,11)&nbsp;=&nbsp;0x6e08c248e260e70bd1e962381edee3d31d79d7e22c8
1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229</li> 37bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229</li>
</ul> </ul>
<t>The constants used to compute x_den are as follows:</t> <t>The constants used to compute x_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(2,0) = 0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c95886 <li>k_(2,0)&nbsp;=&nbsp;0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b4
17fc8ac62b558d681be343df8993cf9fa40d21b1c</li> 8ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c</li>
<li>k_(2,1) = 0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2 <li>k_(2,1)&nbsp;=&nbsp;0x12561a5deb559c4348b4711298e536367041e8ca0cf0
588c48bf5713daa8846cb026e9e5c8276ec82b3bff</li> 800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff</li>
<li>k_(2,2) = 0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e0 <li>k_(2,2)&nbsp;=&nbsp;0xb2962fe57a3225e8137e629bff2991f6f89416f5a718
0b11aceacd6a3d0967c94fedcfcc239ba5cb83e19</li> cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19</li>
<li>k_(2,3) = 0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8a <li>k_(2,3)&nbsp;=&nbsp;0x3425581a58ae2fec83aafef7c40eb545b08243f16b16
bc28d6fd04976d5243eecf5c4130de8938dc62cd8</li> 55154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8</li>
<li>k_(2,4) = 0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44 <li>k_(2,4)&nbsp;=&nbsp;0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a120
e833b306da9bd29ba81f35781d539d395b3532a21e</li> 62bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e</li>
<li>k_(2,5) = 0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bce <li>k_(2,5)&nbsp;=&nbsp;0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9ca
f24b8982f7400d24bc4228f11c02df9a29f6304a5</li> d4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5</li>
<li>k_(2,6) = 0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073 <li>k_(2,6)&nbsp;=&nbsp;0x772caacf16936190f3e0c63e0596721570f5799af53a
062aede9cea73b3538f0de06cec2574496ee84a3a</li> 1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a</li>
<li>k_(2,7) = 0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1 <li>k_(2,7)&nbsp;=&nbsp;0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca
cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e</li> 68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e</li>
<li>k_(2,8) = 0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da <li>k_(2,8)&nbsp;=&nbsp;0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d71613
67f39883503826692abba43704776ec3a79a1d641</li> 66b74100da67f39883503826692abba43704776ec3a79a1d641</li>
<li>k_(2,9) = 0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533 <li>k_(2,9)&nbsp;=&nbsp;0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d
978f31c1593174e4b4b7865002d6384d168ecdd0a</li> 03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a</li>
</ul> </ul>
<t>The constants used to compute y_num are as follows:</t> <t>The constants used to compute y_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(3,0) = 0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6 <li>k_(3,0)&nbsp;=&nbsp;0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a86
c956543d3cd0c7aee9b3ba3c2be9845719707bb33</li> 9522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33</li>
<li>k_(3,1) = 0x134996a104ee5811d51036d776fb46831223e96c254f383d0f9063 <li>k_(3,1)&nbsp;=&nbsp;0x134996a104ee5811d51036d776fb46831223e96c254f
43eb67ad34d6c56711962fa8bfe097e75a2e41c696</li> 383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696</li>
<li>k_(3,2) = 0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b <li>k_(3,2)&nbsp;=&nbsp;0xcc786baa966e66f4a384c86a3b49942552e2d658a31c
91400da7d26d521628b00523b8dfe240c72de1f6</li> e2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6</li>
<li>k_(3,3) = 0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3e <li>k_(3,3)&nbsp;=&nbsp;0x1f86376e8981c217898751ad8746757d42aa7b90eeb7
c03251cf9de405aba9ec61deca6355c77b0e5f4cb</li> 91c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb</li>
<li>k_(3,4) = 0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd <li>k_(3,4)&nbsp;=&nbsp;0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce5
221351adc2ee7f8dc099040a841b6daecf2e8fedb</li> 0b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb</li>
<li>k_(3,5) = 0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c <li>k_(3,5)&nbsp;=&nbsp;0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afad
3d3ad5544e203f6326c95a807299b23ab13633a5f0</li> b7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0</li>
<li>k_(3,6) = 0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413 <li>k_(3,6)&nbsp;=&nbsp;0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be18
c4d634f3747a87ac2460f415ec961f8855fe9d6f2</li> 4cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2</li>
<li>k_(3,7) = 0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da <li>k_(3,7)&nbsp;=&nbsp;0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd
6c26c842642f64550fedfe935a15e4ca31870fb29</li> 81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29</li>
<li>k_(3,8) = 0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6 <li>k_(3,8)&nbsp;=&nbsp;0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc
a1f20cabe69d65201c78607a360370e577bdba587</li> 26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587</li>
<li>k_(3,9) = 0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7 <li>k_(3,9)&nbsp;=&nbsp;0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af
ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30</li> 6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30</li>
<li>k_(3,10) = 0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183 <li>k_(3,10)&nbsp;=&nbsp;0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6ca
e416389e61031bf3a5cce3fbafce813711ad011c132</li> f493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132</li>
<li>k_(3,11) = 0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bf <li>k_(3,11)&nbsp;=&nbsp;0x18b46a908f36f6deb918c143fed2edcc523559b8aaf
e7f911f643249d9cdf41b44d606ce07c8a4d0074d8e</li> 0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e</li>
<li>k_(3,12) = 0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710 <li>k_(3,12)&nbsp;=&nbsp;0xb182cac101b9399d155096004f53f447aa7b12a3426
e807b4633f06c851c1919211f20d4c04f00b971ef8</li> b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8</li>
<li>k_(3,13) = 0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e663 <li>k_(3,13)&nbsp;=&nbsp;0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c
2d3c40659cc6cf90ad1c232a6442d9d3f5db980133</li> 158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133</li>
<li>k_(3,14) = 0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f <li>k_(3,14)&nbsp;=&nbsp;0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e8
5d396a7ce46ba1049b6579afb7866b1e715475224b</li> 6568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b</li>
<li>k_(3,15) = 0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add <li>k_(3,15)&nbsp;=&nbsp;0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f849
4fa95af01b2b665027efec01c7704b456be69c8b604</li> 65a3957add4fa95af01b2b665027efec01c7704b456be69c8b604</li>
</ul> </ul>
<t>The constants used to compute y_den are as follows:</t> <t>The constants used to compute y_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(4,0) = 0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec323 <li>k_(4,0)&nbsp;=&nbsp;0x16112c4c3a9c98b252181140fad0eae9601a6de57898
2b5be72e7a07f3688ef60c206d01479253b03663c1</li> 0be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1</li>
<li>k_(4,1) = 0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a103 <li>k_(4,1)&nbsp;=&nbsp;0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4
56f453e01f78a4260763529e3532f6102c2e49a03d</li> d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d</li>
<li>k_(4,2) = 0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5d <li>k_(4,2)&nbsp;=&nbsp;0x58df3306640da276faaae7d6e8eb15778c4855551ae7
d279cd2eca6757cd636f96f891e2538b53dbf67f2</li> f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2</li>
<li>k_(4,3) = 0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da4 <li>k_(4,3)&nbsp;=&nbsp;0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbc
89e726af41727364f2c28297ada8d26d98445f5416</li> d30e123da489e726af41727364f2c28297ada8d26d98445f5416</li>
<li>k_(4,4) = 0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0 <li>k_(4,4)&nbsp;=&nbsp;0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69b
fc9dec916a20b15dc0fd2ededda39142311a5001d</li> bb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d</li>
<li>k_(4,5) = 0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87 <li>k_(4,5)&nbsp;=&nbsp;0x8d9e5297186db2d9fb266eaac783182b70152c65550d
b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac</li> 881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac</li>
<li>k_(4,6) = 0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365 <li>k_(4,6)&nbsp;=&nbsp;0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0c
bc400a0051d5fa9c01a58b1fb93d1a1399126a775c</li> f8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c</li>
<li>k_(4,7) = 0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34f <li>k_(4,7)&nbsp;=&nbsp;0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f
d206357132b920f5b00801dee460ee415a15812ed9</li> 4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9</li>
<li>k_(4,8) = 0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc575 <li>k_(4,8)&nbsp;=&nbsp;0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af
0c4bf39b4852cfe2f7bb9248836b233d9d55535d4a</li> 5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a</li>
<li>k_(4,9) = 0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb530859 <li>k_(4,9)&nbsp;=&nbsp;0x167a55cda70a6e1cea820597d94a84903216f763e13d
2e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55</li> 87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55</li>
<li>k_(4,10) = 0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b <li>k_(4,10)&nbsp;=&nbsp;0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61
36e636a5c871a5c29f4f83060400f8b49cba8f6aa8</li> a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8</li>
<li>k_(4,11) = 0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a <li>k_(4,11)&nbsp;=&nbsp;0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce
88cea7913516f968986f7ebbea9684b529e2561092</li> 42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092</li>
<li>k_(4,12) = 0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5cee <li>k_(4,12)&nbsp;=&nbsp;0xad6b9514c767fe3c3613144b45f1496543346d98adf
f9a00d9b8693000763e3b90ac11e99b138573345cc</li> 02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc</li>
<li>k_(4,13) = 0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748d <li>k_(4,13)&nbsp;=&nbsp;0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e729
f27942480e420517bd8714cc80d1fadc1326ed06f7</li> 27c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7</li>
<li>k_(4,14) = 0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efc <li>k_(4,14)&nbsp;=&nbsp;0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273
d6356caa205ca2f570f13497804415473a1d634b8f</li> b853324efcd6356caa205ca2f570f13497804415473a1d634b8f</li>
</ul> </ul>
</section> </section>
<section anchor="appx-iso-bls12381-g2" numbered="true" toc="default"> <section anchor="appx-iso-bls12381-g2">
<name>3-isogeny map for BLS12-381 G2</name> <name>3-Isogeny Map for BLS12-381 G2</name>
<t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t> <t>The 3-isogeny map from (x', y') on E' to (x, y) on E is given by the following rational functions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>x = x_num / x_den, where <t>x = x_num / x_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li> <li>x_num = k_(1,3) * x'^3 + k_(1,2) * x'^2 + k_(1,1) * x' + k_(1, 0)</li>
<li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li> <li>x_den = x'^2 + k_(2,1) * x' + k_(2,0)</li>
</ul> </ul>
</li> </li>
skipping to change at line 3996 skipping to change at line 3676
<t>y = y' * y_num / y_den, where <t>y = y' * y_num / y_den, where
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li> <li>y_num = k_(3,3) * x'^3 + k_(3,2) * x'^2 + k_(3,1) * x' + k_(3, 0)</li>
<li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li> <li>y_den = x'^3 + k_(4,2) * x'^2 + k_(4,1) * x' + k_(4,0)</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>The constants used to compute x_num are as follows:</t> <t>The constants used to compute x_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(1,0) = 0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b5842 <li>k_(1,0)&nbsp;=&nbsp;0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a0
3c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6 + 0x5c759507e8e333ebb5b7a9a47d7ed8532c 42a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6&nbsp;+&nbsp;0x5c759507e8e333
52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6 * I</li> ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d
<li>k_(1,1) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 6&nbsp;*&nbsp;I</li>
6b4f20a4181472aaa9cb8d555526a9ffffffffc71a * I</li> <li>k_(1,1)&nbsp;=&nbsp;0x11560bf17baa99bc32126fced787c88f984f87adf7ae
<li>k_(1,2) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a&nbsp;*&nbsp;I</li>
6b4f20a4181472aaa9cb8d555526a9ffffffffc71e + 0x8ab05f8bdd54cde190937e76bc3e447cc <li>k_(1,2)&nbsp;=&nbsp;0x11560bf17baa99bc32126fced787c88f984f87adf7ae
27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d * I</li> 0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e&nbsp;+&nbsp;0x8ab05f8bdd54c
<li>k_(1,3) = 0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d610 de190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe3
8f142b85757098e38d0f671c7188e2aaaaaaaa5ed1</li> 8d&nbsp;*&nbsp;I</li>
<li>k_(1,3)&nbsp;=&nbsp;0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e8
10aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1</li>
</ul> </ul>
<t>The constants used to compute x_den are as follows:</t> <t>The constants used to compute x_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(2,0) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 <li>k_(2,0)&nbsp;=&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f385
a0f6b0f6241eabfffeb153ffffb9feffffffffaa63 * I</li> 12bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63&nbsp;*&nbsp;I</li>
<li>k_(2,1) = 0xc + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf <li>k_(2,1)&nbsp;= 0xc&nbsp;+&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd76
6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f * I</li> 4774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f&nbsp;*&nbsp;I</l
i>
</ul> </ul>
<t>The constants used to compute y_num are as follows:</t> <t>The constants used to compute y_num are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(3,0) = 0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439 <li>k_(3,0)&nbsp;=&nbsp;0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f
d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706 + 0x1530477c7ab4113b59a4c18b076d11930 649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706&nbsp;+&nbsp;0x1530477c7ab41
f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706 * I</li> 13b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d
<li>k_(3,1) = 0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b5842 706&nbsp;*&nbsp;I</li>
3c50ae15d5c2638e343d9c71c6238aaaaaaaa97be * I</li> <li>k_(3,1)&nbsp;=&nbsp;0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a0
<li>k_(3,2) = 0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c 42a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be&nbsp;*&nbsp;I</li>
6b4f20a4181472aaa9cb8d555526a9ffffffffc71c + 0x8ab05f8bdd54cde190937e76bc3e447cc <li>k_(3,2)&nbsp;=&nbsp;0x11560bf17baa99bc32126fced787c88f984f87adf7ae
27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f * I</li> 0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c&nbsp;+&nbsp;0x8ab05f8bdd54c
<li>k_(3,3) = 0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977 de190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe3
c69aa274524e79097a56dc4bd9e1b371c71c718b10</li> 8f&nbsp;*&nbsp;I</li>
<li>k_(3,3)&nbsp;=&nbsp;0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e2
6286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10</li>
</ul> </ul>
<t>The constants used to compute y_den are as follows:</t> <t>The constants used to compute y_den are as follows:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>k_(4,0) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 <li>k_(4,0)&nbsp;=&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f385
a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb + 0x1a0111ea397fe69a4b1ba7b6434bacd76 12bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb&nbsp;+&nbsp;0x1a0111ea397fe
4774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb * I</li> 69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa
<li>k_(4,1) = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2 8fb&nbsp;*&nbsp;I</li>
a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3 * I</li> <li>k_(4,1)&nbsp;=&nbsp;0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f385
<li>k_(4,2) = 0x12 + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512b 12bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3&nbsp;*&nbsp;I</li>
f6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99 * I</li> <li>k_(4,2)&nbsp;=&nbsp;0x12&nbsp;+&nbsp;0x1a0111ea397fe69a4b1ba7b6434
bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99&nbsp;*&nbs
p;I</li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="straightline" numbered="true" toc="default"> <section anchor="straightline">
<name>Straight-line implementations of deterministic mappings</name> <name>Straight-Line Implementations of Deterministic Mappings</name>
<t>This section gives straight-line implementations of the mappings of <xr <t>This section gives straight-line implementations of the mappings of <xr
ef target="mappings" format="default"/>. ef target="mappings"/>.
These implementations are generic, i.e., they are defined for any curve and fiel d. These implementations are generic, i.e., they are defined for any curve and fiel d.
<xref target="samplecode" format="default"/> gives further implementations that are optimized for specific <xref target="samplecode"/> gives further implementations that are optimized for specific
classes of curves and fields.</t> classes of curves and fields.</t>
<section anchor="straightline-svdw" numbered="true" toc="default"> <section anchor="straightline-svdw">
<name>Shallue-van de Woestijne method</name> <name>Shallue-van de Woestijne Method</name>
<t>This section gives a straight-line implementation of the Shallue and <t>This section gives a straight-line implementation of the Shallue-van
van
de Woestijne method for any Weierstrass curve of the form given in de Woestijne method for any Weierstrass curve of the form given in
<xref target="weierstrass" format="default"/>. <xref target="weierstrass"/>.
See <xref target="svdw" format="default"/> for information on the constants used See <xref target="svdw"/> for information on the constants used in this mapping.
in this mapping.</t> </t>
<t>Note that the constant c3 below MUST be chosen such that sgn0(c3) = 0 <t>Note that the constant c3 below <bcp14>MUST</bcp14> be chosen such th
. at sgn0(c3) = 0.
In other words, if the square-root computation returns a value cx such that In other words, if the square-root computation returns a value cx such that
sgn0(cx) = 1, set c3 = -cx; otherwise, set c3 = cx.</t> sgn0(cx) = 1, set c3 = -cx; otherwise, set c3 = cx.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_svdw(u) map_to_curve_svdw(u)
Input: u, an element of F. Input: u, an element of F.
Output: (x, y), a point on E. Output: (x, y), a point on E.
Constants: Constants:
1. c1 = g(Z) 1. c1 = g(Z)
2. c2 = -Z / 2 2. c2 = -Z / 2
3. c3 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # sgn0(c3) MUST equal 0 3. c3 = sqrt(-g(Z) * (3 * Z^2 + 4 * A)) # sgn0(c3) MUST equal 0
4. c4 = -4 * g(Z) / (3 * Z^2 + 4 * A) 4. c4 = -4 * g(Z) / (3 * Z^2 + 4 * A)
skipping to change at line 4085 skipping to change at line 3765
27. x = CMOV(x3, x1, e1) # x = x1 if gx1 is square, else x = x3 27. x = CMOV(x3, x1, e1) # x = x1 if gx1 is square, else x = x3
28. x = CMOV(x, x2, e2) # x = x2 if gx2 is square and gx1 is not 28. x = CMOV(x, x2, e2) # x = x2 if gx2 is square and gx1 is not
29. gx = x^2 29. gx = x^2
30. gx = gx + A 30. gx = gx + A
31. gx = gx * x 31. gx = gx * x
32. gx = gx + B 32. gx = gx + B
33. y = sqrt(gx) 33. y = sqrt(gx)
34. e3 = sgn0(u) == sgn0(y) 34. e3 = sgn0(u) == sgn0(y)
35. y = CMOV(-y, y, e3) # Select correct sign of y 35. y = CMOV(-y, y, e3) # Select correct sign of y
36. return (x, y) 36. return (x, y)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="straightline-sswu" numbered="true" toc="default"> <section anchor="straightline-sswu">
<name>Simplified SWU method</name> <name>Simplified SWU Method</name>
<t>This section gives a straight-line implementation of the simplified <t>This section gives a straight-line implementation of the Simplified
SWU method for any Weierstrass curve of the form given in <xref target="weierstr SWU method for any Weierstrass curve of the form given in <xref target="weierstr
ass" format="default"/>. ass"/>.
See <xref target="simple-swu" format="default"/> for information on the constant See <xref target="simple-swu"/> for information on the constants used in this ma
s used in this mapping.</t> pping.</t>
<t>This optimized, straight-line procedure applies to any base field. <t>This optimized, straight-line procedure applies to any base field.
The sqrt_ratio subroutine is defined in <xref target="straightline-sswu-sqrt-rat The sqrt_ratio subroutine is defined in <xref target="straightline-sswu-sqrt-rat
io" format="default"/>.</t> io"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_simple_swu(u) map_to_curve_simple_swu(u)
Input: u, an element of F. Input: u, an element of F.
Output: (x, y), a point on E. Output: (x, y), a point on E.
Steps: Steps:
1. tv1 = u^2 1. tv1 = u^2
2. tv1 = Z * tv1 2. tv1 = Z * tv1
3. tv2 = tv1^2 3. tv2 = tv1^2
4. tv2 = tv2 + tv1 4. tv2 = tv2 + tv1
skipping to change at line 4127 skipping to change at line 3807
17. x = tv1 * tv3 17. x = tv1 * tv3
18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6) 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
19. y = tv1 * u 19. y = tv1 * u
20. y = y * y1 20. y = y * y1
21. x = CMOV(x, tv3, is_gx1_square) 21. x = CMOV(x, tv3, is_gx1_square)
22. y = CMOV(y, y1, is_gx1_square) 22. y = CMOV(y, y1, is_gx1_square)
23. e1 = sgn0(u) == sgn0(y) 23. e1 = sgn0(u) == sgn0(y)
24. y = CMOV(-y, y, e1) 24. y = CMOV(-y, y, e1)
25. x = x / tv4 25. x = x / tv4
26. return (x, y) 26. return (x, y)
</sourcecode> ]]></sourcecode>
<section anchor="straightline-sswu-sqrt-ratio" numbered="true" toc="defa <section anchor="straightline-sswu-sqrt-ratio">
ult"> <name>sqrt_ratio Subroutine</name>
<name>sqrt_ratio subroutines</name>
<t>This section defines three variants of the sqrt_ratio subroutine us ed by the <t>This section defines three variants of the sqrt_ratio subroutine us ed by the
above procedure. above procedure.
The first variant can be used with any field; the others are optimized versions The first variant can be used with any field; the others are optimized versions
for specific fields.</t> for specific fields.</t>
<t>The routines given in this section depend on the constant Z from th <t>The routines given in this section depend on the constant Z from th
e simplified SWU map. e Simplified SWU map.
For correctness, sqrt_ratio and map_to_curve_simple_swu MUST use the same value For correctness, sqrt_ratio and map_to_curve_simple_swu <bcp14>MUST</bcp14> use
for Z.</t> the same value for Z.</t>
<section anchor="sqrtratio-for-any-field" numbered="true" toc="default <section anchor="sqrtratio-for-any-field">
"> <name>sqrt_ratio for Any Field</name>
<name>sqrt_ratio for any field</name> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
sqrt_ratio(u, v) sqrt_ratio(u, v)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
- Z, the constant from the simplified SWU map. - Z, the constant from the Simplified SWU map.
Input: u and v, elements of F, where v != 0. Input: u and v, elements of F, where v != 0.
Output: (b, y), where Output: (b, y), where
b = True and y = sqrt(u / v) if (u / v) is square in F, and b = True and y = sqrt(u / v) if (u / v) is square in F, and
b = False and y = sqrt(Z * (u / v)) otherwise. b = False and y = sqrt(Z * (u / v)) otherwise.
Constants: Constants:
1. c1, the largest integer such that 2^c1 divides q - 1. 1. c1, the largest integer such that 2^c1 divides q - 1.
2. c2 = (q - 1) / (2^c1) # Integer arithmetic 2. c2 = (q - 1) / (2^c1) # Integer arithmetic
3. c3 = (c2 - 1) / 2 # Integer arithmetic 3. c3 = (c2 - 1) / 2 # Integer arithmetic
skipping to change at line 4187 skipping to change at line 3867
18. tv5 = i - 2 18. tv5 = i - 2
19. tv5 = 2^tv5 19. tv5 = 2^tv5
20. tv5 = tv4^tv5 20. tv5 = tv4^tv5
21. e1 = tv5 == 1 21. e1 = tv5 == 1
22. tv2 = tv3 * tv1 22. tv2 = tv3 * tv1
23. tv1 = tv1 * tv1 23. tv1 = tv1 * tv1
24. tv5 = tv4 * tv1 24. tv5 = tv4 * tv1
25. tv3 = CMOV(tv2, tv3, e1) 25. tv3 = CMOV(tv2, tv3, e1)
26. tv4 = CMOV(tv5, tv4, e1) 26. tv4 = CMOV(tv5, tv4, e1)
27. return (isQR, tv3) 27. return (isQR, tv3)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="optimized-sqrtratio-for-q-3-mod-4" numbered="true" to <section anchor="optimized-sqrtratio-for-q-3-mod-4">
c="default"> <name>Optimized sqrt_ratio for q = 3 mod 4</name>
<name>optimized sqrt_ratio for q = 3 mod 4</name> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
sqrt_ratio_3mod4(u, v) sqrt_ratio_3mod4(u, v)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m, - F, a finite field of characteristic p and order q = p^m,
where q = 3 mod 4. where q = 3 mod 4.
- Z, the constant from the simplified SWU map. - Z, the constant from the Simplified SWU map.
Input: u and v, elements of F, where v != 0. Input: u and v, elements of F, where v != 0.
Output: (b, y), where Output: (b, y), where
b = True and y = sqrt(u / v) if (u / v) is square in F, and b = True and y = sqrt(u / v) if (u / v) is square in F, and
b = False and y = sqrt(Z * (u / v)) otherwise. b = False and y = sqrt(Z * (u / v)) otherwise.
Constants: Constants:
1. c1 = (q - 3) / 4 # Integer arithmetic 1. c1 = (q - 3) / 4 # Integer arithmetic
2. c2 = sqrt(-Z) 2. c2 = sqrt(-Z)
skipping to change at line 4220 skipping to change at line 3900
2. tv2 = u * v 2. tv2 = u * v
3. tv1 = tv1 * tv2 3. tv1 = tv1 * tv2
4. y1 = tv1^c1 4. y1 = tv1^c1
5. y1 = y1 * tv2 5. y1 = y1 * tv2
6. y2 = y1 * c2 6. y2 = y1 * c2
7. tv3 = y1^2 7. tv3 = y1^2
8. tv3 = tv3 * v 8. tv3 = tv3 * v
9. isQR = tv3 == u 9. isQR = tv3 == u
10. y = CMOV(y2, y1, isQR) 10. y = CMOV(y2, y1, isQR)
11. return (isQR, y) 11. return (isQR, y)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="optimized-sqrtratio-for-q-5-mod-8" numbered="true" to <section anchor="optimized-sqrtratio-for-q-5-mod-8">
c="default"> <name>Optimized sqrt_ratio for q = 5 mod 8</name>
<name>optimized sqrt_ratio for q = 5 mod 8</name> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
sqrt_ratio_5mod8(u, v) sqrt_ratio_5mod8(u, v)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m, - F, a finite field of characteristic p and order q = p^m,
where q = 5 mod 8. where q = 5 mod 8.
- Z, the constant from the simplified SWU map. - Z, the constant from the Simplified SWU map.
Input: u and v, elements of F, where v != 0. Input: u and v, elements of F, where v != 0.
Output: (b, y), where Output: (b, y), where
b = True and y = sqrt(u / v) if (u / v) is square in F, and b = True and y = sqrt(u / v) if (u / v) is square in F, and
b = False and y = sqrt(Z * (u / v)) otherwise. b = False and y = sqrt(Z * (u / v)) otherwise.
Constants: Constants:
1. c1 = (q - 5) / 8 1. c1 = (q - 5) / 8
2. c2 = sqrt(-1) 2. c2 = sqrt(-1)
3. c3 = sqrt(Z / c2) 3. c3 = sqrt(Z / c2)
skipping to change at line 4267 skipping to change at line 3947
15. isQR = tv2 == u 15. isQR = tv2 == u
16. y2 = y1 * c3 16. y2 = y1 * c3
17. tv1 = y2 * c2 17. tv1 = y2 * c2
18. tv2 = tv1^2 18. tv2 = tv1^2
19. tv2 = tv2 * v 19. tv2 = tv2 * v
20. tv3 = Z * u 20. tv3 = Z * u
21. e2 = tv2 == tv3 21. e2 = tv2 == tv3
22. y2 = CMOV(y2, tv1, e2) 22. y2 = CMOV(y2, tv1, e2)
23. y = CMOV(y2, y1, isQR) 23. y = CMOV(y2, y1, isQR)
24. return (isQR, y) 24. return (isQR, y)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="straightline-ell2" numbered="true" toc="default"> <section anchor="straightline-ell2">
<name>Elligator 2 method</name> <name>Elligator 2 Method</name>
<t>This section gives a straight-line implementation of the Elligator 2 <t>This section gives a straight-line implementation of the Elligator 2
method for any Montgomery curve of the form given in <xref target="montgomery" f method for any Montgomery curve of the form given in <xref target="montgomery"/>
ormat="default"/>. .
See <xref target="elligator2" format="default"/> for information on the constant See <xref target="elligator2"/> for information on the constants used in this ma
s used in this mapping.</t> pping.</t>
<t><xref target="ell2-opt" format="default"/> gives optimized straight-l <t><xref target="ell2-opt"/> gives optimized straight-line procedures th
ine procedures that apply to specific at apply to specific
classes of curves and base fields, including curve25519 and curve448 <xref targe classes of curves and base fields, including curve25519 and curve448 <xref targe
t="RFC7748" format="default"/>.</t> t="RFC7748"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2(u) map_to_curve_elligator2(u)
Input: u, an element of F. Input: u, an element of F.
Output: (s, t), a point on M. Output: (s, t), a point on M.
Constants: Constants:
1. c1 = J / K 1. c1 = J / K
2. c2 = 1 / K^2 2. c2 = 1 / K^2
Steps: Steps:
skipping to change at line 4311 skipping to change at line 3991
13. gx2 = tv1 * gx1 13. gx2 = tv1 * gx1
14. e2 = is_square(gx1) # If is_square(gx1) 14. e2 = is_square(gx1) # If is_square(gx1)
15. x = CMOV(x2, x1, e2) # then x = x1, else x = x2 15. x = CMOV(x2, x1, e2) # then x = x1, else x = x2
16. y2 = CMOV(gx2, gx1, e2) # then y2 = gx1, else y2 = gx2 16. y2 = CMOV(gx2, gx1, e2) # then y2 = gx1, else y2 = gx2
17. y = sqrt(y2) 17. y = sqrt(y2)
18. e3 = sgn0(y) == 1 18. e3 = sgn0(y) == 1
19. y = CMOV(y, -y, e2 XOR e3) # fix sign of y 19. y = CMOV(y, -y, e2 XOR e3) # fix sign of y
20. s = x * K 20. s = x * K
21. t = y * K 21. t = y * K
22. return (s, t) 22. return (s, t)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="samplecode" numbered="true" toc="default"> <section anchor="samplecode">
<name>Curve-specific optimized sample code</name> <name>Curve-Specific Optimized Sample Code</name>
<t>This section gives sample implementations optimized for some of the <t>This section gives sample implementations optimized for some of the
elliptic curves listed in <xref target="suites" format="default"/>. elliptic curves listed in <xref target="suites"/>.
Sample Sage <xref target="SAGE" format="default"/> code for each algorithm can a Sample Sage code <xref target="SAGE"/> for each algorithm can also be found in <
lso be found in the xref target="hash2curve-repo"/>.</t>
draft repository <xref target="hash2curve-repo" format="default"/>.</t> <section anchor="projective-coords">
<section anchor="projective-coords" numbered="true" toc="default"> <name>Interface and Projective Coordinate Systems</name>
<name>Interface and projective coordinate systems</name>
<t>The sample code in this section uses a different interface than <t>The sample code in this section uses a different interface than
the mappings of <xref target="mappings" format="default"/>. the mappings of <xref target="mappings"/>.
Specifically, each mapping function in this section has the following Specifically, each mapping function in this section has the following
signature:</t> signature:</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
(xn, xd, yn, yd) = map_to_curve(u) (xn, xd, yn, yd) = map_to_curve(u)
</sourcecode> ]]></sourcecode>
<t>The resulting affine point (x, y) is given by (xn / xd, yn / yd).</t> <t>The resulting affine point (x, y) is given by (xn / xd, yn / yd).</t>
<t>The reason for this modified interface is that it enables further <t>The reason for this modified interface is that it enables further
optimizations when working with points in a projective coordinate optimizations when working with points in a projective coordinate
system. system.
This is desirable, for example, when the resulting point will be This is desirable, for example, when the resulting point will be
immediately multiplied by a scalar, since most scalar multiplication immediately multiplied by a scalar, since most scalar multiplication
algorithms operate on projective points.</t> algorithms operate on projective points.</t>
<t>Projective coordinates are also useful when implementing random oracl <t>Projective coordinates are also useful when implementing random-oracl
e e
encodings (<xref target="roadmap" format="default"/>). encodings (<xref target="roadmap"/>).
One reason is that, in general, point addition is faster using projective One reason is that, in general, point addition is faster using projective
coordinates. coordinates.
Another reason is that, for Weierstrass curves, projective coordinates Another reason is that, for Weierstrass curves, projective coordinates
allow using complete addition formulas <xref target="RCB16" format="default"/>. allow using complete addition formulas <xref target="RCB16"/>.
This is especially convenient when implementing a constant-time encoding, This is especially convenient when implementing a constant-time encoding,
because it eliminates the need for a special case when Q0 == Q1, which because it eliminates the need for a special case when Q0 == Q1, which
incomplete addition formulas usually do not handle.</t> incomplete addition formulas usually do not handle.</t>
<t>The following are two commonly used projective coordinate systems <t>The following are two commonly used projective coordinate systems
and the corresponding conversions:</t> and the corresponding conversions:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A point (X, Y, Z) in homogeneous projective coordinates correspond s <li>A point (X, Y, Z) in homogeneous projective coordinates correspond s
to the affine point (x, y) = (X / Z, Y / Z); to the affine point (x, y) = (X / Z, Y / Z);
the inverse conversion is given by (X, Y, Z) = (x, y, 1). the inverse conversion is given by (X, Y, Z) = (x, y, 1).
To convert (xn, xd, yn, yd) to homogeneous projective coordinates, To convert (xn, xd, yn, yd) to homogeneous projective coordinates,
compute (X, Y, Z) = (xn * yd, yn * xd, xd * yd).</li> compute (X, Y, Z) = (xn * yd, yn * xd, xd * yd).</li>
<li>A point (X', Y', Z') in Jacobian projective coordinates correspond s <li>A point (X', Y', Z') in Jacobian projective coordinates correspond s
to the affine point (x, y) = (X' / Z'^2, Y' / Z'^3); to the affine point (x, y) = (X'&nbsp;/&nbsp;Z'^2, Y' / Z'^3);
the inverse conversion is given by (X', Y', Z') = (x, y, 1). the inverse conversion is given by (X', Y', Z') = (x, y, 1).
To convert (xn, xd, yn, yd) to Jacobian projective coordinates, To convert (xn, xd, yn, yd) to Jacobian projective coordinates,
compute (X', Y', Z') = (xn * xd * yd^2, yn * yd^2 * xd^3, xd * yd).</li> compute (X', Y', Z') = (xn * xd * yd^2, yn * yd^2 * xd^3, xd * yd).</li>
</ul> </ul>
</section> </section>
<section anchor="ell2-opt" numbered="true" toc="default"> <section anchor="ell2-opt">
<name>Elligator 2</name> <name>Elligator 2</name>
<section anchor="map-to-curve25519" numbered="true" toc="default"> <section anchor="map-to-curve25519">
<name>curve25519 (q = 5 (mod 8), K = 1)</name> <name>curve25519 (q = 5 (mod 8), K = 1)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for curve25519 <xref target="RFC7748" format="default"/> as specified in <xref t arget="suites-25519" format="default"/>.</t> for curve25519 <xref target="RFC7748"/> as specified in <xref target="suites-255 19"/>.</t>
<t>This implementation can also be used for any Montgomery curve <t>This implementation can also be used for any Montgomery curve
with K = 1 over GF(q) where q = 5 (mod 8).</t> with K = 1 over GF(q) where q = 5 (mod 8).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_curve25519(u) map_to_curve_elligator2_curve25519(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on curve25519. point on curve25519.
Constants: Constants:
1. c1 = (q + 3) / 8 # Integer arithmetic 1. c1 = (q + 3) / 8 # Integer arithmetic
2. c2 = 2^c1 2. c2 = 2^c1
3. c3 = sqrt(-1) 3. c3 = sqrt(-1)
skipping to change at line 4421 skipping to change at line 4100
30. e2 = tv2 == gx2 30. e2 = tv2 == gx2
31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt
32. tv2 = y1^2 32. tv2 = y1^2
33. tv2 = tv2 * gxd 33. tv2 = tv2 * gxd
34. e3 = tv2 == gx1 34. e3 = tv2 == gx1
35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
37. e4 = sgn0(y) == 1 # Fix sign of y 37. e4 = sgn0(y) == 1 # Fix sign of y
38. y = CMOV(y, -y, e3 XOR e4) 38. y = CMOV(y, -y, e3 XOR e4)
39. return (xn, xd, y, 1) 39. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="map-to-edwards25519" numbered="true" toc="default"> <section anchor="map-to-edwards25519">
<name>edwards25519</name> <name>edwards25519</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for edwards25519 <xref target="RFC7748" format="default"/> as specified in <xref target="suites-25519" format="default"/>. for edwards25519 <xref target="RFC7748"/> as specified in <xref target="suites-2 5519"/>.
The subroutine map_to_curve_elligator2_curve25519 The subroutine map_to_curve_elligator2_curve25519
is defined in <xref target="map-to-curve25519" format="default"/>.</t> is defined in <xref target="map-to-curve25519"/>.</t>
<t>Note that the sign of the constant c1 below is chosen as specified <t>Note that the sign of the constant c1 below is chosen as specified
in <xref target="rational-map" format="default"/>, i.e., applying the rational m in <xref target="rational-map"/>, i.e., applying the rational map to the edwards
ap to the edwards25519 25519
base point yields the curve25519 base point (see erratum <xref target="EID4730" base point yields the curve25519 base point (see erratum <xref target="Err4730"/
format="default"/>).</t> >).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_edwards25519(u) map_to_curve_elligator2_edwards25519(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on edwards25519. point on edwards25519.
Constants: Constants:
1. c1 = sqrt(-486664) # sgn0(c1) MUST equal 0 1. c1 = sqrt(-486664) # sgn0(c1) MUST equal 0
Steps: Steps:
skipping to change at line 4456 skipping to change at line 4135
4. xd = xMd * yMn # xn / xd = c1 * xM / yM 4. xd = xMd * yMn # xn / xd = c1 * xM / yM
5. yn = xMn - xMd 5. yn = xMn - xMd
6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d) 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
7. tv1 = xd * yd 7. tv1 = xd * yd
8. e = tv1 == 0 8. e = tv1 == 0
9. xn = CMOV(xn, 0, e) 9. xn = CMOV(xn, 0, e)
10. xd = CMOV(xd, 1, e) 10. xd = CMOV(xd, 1, e)
11. yn = CMOV(yn, 1, e) 11. yn = CMOV(yn, 1, e)
12. yd = CMOV(yd, 1, e) 12. yd = CMOV(yd, 1, e)
13. return (xn, xd, yn, yd) 13. return (xn, xd, yn, yd)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="map-to-curve448" numbered="true" toc="default"> <section anchor="map-to-curve448">
<name>curve448 (q = 3 (mod 4), K = 1)</name> <name>curve448 (q = 3 (mod 4), K = 1)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for curve448 <xref target="RFC7748" format="default"/> as specified in <xref tar get="suites-448" format="default"/>.</t> for curve448 <xref target="RFC7748"/> as specified in <xref target="suites-448"/ >.</t>
<t>This implementation can also be used for any Montgomery curve <t>This implementation can also be used for any Montgomery curve
with K = 1 over GF(q) where q = 3 (mod 4).</t> with K = 1 over GF(q) where q = 3 (mod 4).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_curve448(u) map_to_curve_elligator2_curve448(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on curve448. point on curve448.
Constants: Constants:
1. c1 = (q - 3) / 4 # Integer arithmetic 1. c1 = (q - 3) / 4 # Integer arithmetic
Steps: Steps:
skipping to change at line 4502 skipping to change at line 4181
18. y2 = y1 * u 18. y2 = y1 * u
19. y2 = CMOV(y2, 0, e1) 19. y2 = CMOV(y2, 0, e1)
20. tv2 = y1^2 20. tv2 = y1^2
21. tv2 = tv2 * gxd 21. tv2 = tv2 * gxd
22. e2 = tv2 == gx1 22. e2 = tv2 == gx1
23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
25. e3 = sgn0(y) == 1 # Fix sign of y 25. e3 = sgn0(y) == 1 # Fix sign of y
26. y = CMOV(y, -y, e2 XOR e3) 26. y = CMOV(y, -y, e2 XOR e3)
27. return (xn, xd, y, 1) 27. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="map-to-edwards448" numbered="true" toc="default"> <section anchor="map-to-edwards448">
<name>edwards448</name> <name>edwards448</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
for edwards448 <xref target="RFC7748" format="default"/> as specified in <xref t arget="suites-448" format="default"/>. for edwards448 <xref target="RFC7748"/> as specified in <xref target="suites-448 "/>.
The subroutine map_to_curve_elligator2_curve448 The subroutine map_to_curve_elligator2_curve448
is defined in <xref target="map-to-curve448" format="default"/>.</t> is defined in <xref target="map-to-curve448"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_edwards448(u) map_to_curve_elligator2_edwards448(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on edwards448. point on edwards448.
Steps: Steps:
1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u) 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
2. xn2 = xn^2 2. xn2 = xn^2
3. xd2 = xd^2 3. xd2 = xd^2
skipping to change at line 4556 skipping to change at line 4235
29. yEd = tv2 + tv1 29. yEd = tv2 + tv1
30. tv4 = tv4 * yd2 30. tv4 = tv4 * yd2
31. yEd = yEd + tv4 31. yEd = yEd + tv4
32. tv1 = xEd * yEd 32. tv1 = xEd * yEd
33. e = tv1 == 0 33. e = tv1 == 0
34. xEn = CMOV(xEn, 0, e) 34. xEn = CMOV(xEn, 0, e)
35. xEd = CMOV(xEd, 1, e) 35. xEd = CMOV(xEd, 1, e)
36. yEn = CMOV(yEn, 1, e) 36. yEn = CMOV(yEn, 1, e)
37. yEd = CMOV(yEd, 1, e) 37. yEd = CMOV(yEd, 1, e)
38. return (xEn, xEd, yEn, yEd) 38. return (xEn, xEd, yEn, yEd)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="ell2-map-to-3mod4" numbered="true" toc="default"> <section anchor="ell2-map-to-3mod4">
<name>Montgomery curves with q = 3 (mod 4)</name> <name>Montgomery Curves with q = 3 (mod 4)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
that applies to any Montgomery curve defined over GF(q) where q = 3 (mod 4).</t> that applies to any Montgomery curve defined over GF(q) where q = 3 (mod 4).</t>
<t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve448" format="default"/> <t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve448"/>
gives identical results with slightly reduced cost.</t> gives identical results with slightly reduced cost.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_3mod4(u) map_to_curve_elligator2_3mod4(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on the target curve. point on the target curve.
Constants: Constants:
1. c1 = (q - 3) / 4 # Integer arithmetic 1. c1 = (q - 3) / 4 # Integer arithmetic
2. c2 = K^2 2. c2 = K^2
skipping to change at line 4609 skipping to change at line 4288
24. tv2 = y1^2 24. tv2 = y1^2
25. tv2 = tv2 * gxd 25. tv2 = tv2 * gxd
26. e2 = tv2 == gx1 26. e2 = tv2 == gx1
27. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2 27. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
28. xn = xn * K 28. xn = xn * K
29. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2 29. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
30. e3 = sgn0(y) == 1 # Fix sign of y 30. e3 = sgn0(y) == 1 # Fix sign of y
31. y = CMOV(y, -y, e2 XOR e3) 31. y = CMOV(y, -y, e2 XOR e3)
32. y = y * K 32. y = y * K
33. return (xn, xd, y, 1) 33. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="ell2-map-to-5mod8" numbered="true" toc="default"> <section anchor="ell2-map-to-5mod8">
<name>Montgomery curves with q = 5 (mod 8)</name> <name>Montgomery Curves with q = 5 (mod 8)</name>
<t>The following is a straight-line implementation of Elligator 2 <t>The following is a straight-line implementation of Elligator 2
that applies to any Montgomery curve defined over GF(q) where q = 5 (mod 8).</t> that applies to any Montgomery curve defined over GF(q) where q = 5 (mod 8).</t>
<t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve25519" format="default"/> <t>For curves where K = 1, the implementation given in <xref target="m ap-to-curve25519"/>
gives identical results with slightly reduced cost.</t> gives identical results with slightly reduced cost.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
map_to_curve_elligator2_5mod8(u) map_to_curve_elligator2_5mod8(u)
Input: u, an element of F. Input: u, an element of F.
Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a Output: (xn, xd, yn, yd) such that (xn / xd, yn / yd) is a
point on the target curve. point on the target curve.
Constants: Constants:
1. c1 = (q + 3) / 8 # Integer arithmetic 1. c1 = (q + 3) / 8 # Integer arithmetic
2. c2 = 2^c1 2. c2 = 2^c1
3. c3 = sqrt(-1) 3. c3 = sqrt(-1)
skipping to change at line 4677 skipping to change at line 4356
36. tv2 = y1^2 36. tv2 = y1^2
37. tv2 = tv2 * gxd 37. tv2 = tv2 * gxd
38. e3 = tv2 == gx1 38. e3 = tv2 == gx1
39. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2 39. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
40. xn = xn * K 40. xn = xn * K
41. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2 41. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
42. e4 = sgn0(y) == 1 # Fix sign of y 42. e4 = sgn0(y) == 1 # Fix sign of y
43. y = CMOV(y, -y, e3 XOR e4) 43. y = CMOV(y, -y, e3 XOR e4)
44. y = y * K 44. y = y * K
45. return (xn, xd, y, 1) 45. return (xn, xd, y, 1)
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="clear-cofactor-bls12381-g2" numbered="true" toc="default" <section anchor="clear-cofactor-bls12381-g2">
> <name>Cofactor Clearing for BLS12-381 G2</name>
<name>Cofactor clearing for BLS12-381 G2</name> <t>The curve BLS12-381, whose parameters are defined in <xref target="su
<t>The curve BLS12-381, whose parameters are defined in <xref target="su ites-bls12381-g2"/>,
ites-bls12381-g2" format="default"/>, admits an efficiently computable endomorphism, psi, that can be used to
admits an efficiently-computable endomorphism psi that can be used to speed up cofactor clearing for G2 <xref target="SBCDK09"/> <xref target="FKR11"/
speed up cofactor clearing for G2 <xref target="SBCDK09" format="default"/> <xre > <xref target="BP17"/> (see also
f target="FKR11" format="default"/> <xref target="BP17" format="default"/> (see <xref target="cofactor-clearing"/>).
also
<xref target="cofactor-clearing" format="default"/>).
This section implements the endomorphism psi and a fast cofactor clearing This section implements the endomorphism psi and a fast cofactor clearing
method described by Budroni and Pintore <xref target="BP17" format="default"/>.< /t> method described by Budroni and Pintore <xref target="BP17"/>.</t>
<t>The functions in this section operate on points whose coordinates are <t>The functions in this section operate on points whose coordinates are
represented as ratios, i.e., (xn, xd, yn, yd) corresponds to the point represented as ratios, i.e., (xn, xd, yn, yd) corresponds to the point
(xn / xd, yn / yd); see <xref target="projective-coords" format="default"/> for further discussion of (xn / xd, yn / yd); see <xref target="projective-coords"/> for further discussio n of
projective coordinates. projective coordinates.
When points are represented in affine coordinates, one can simply ignore When points are represented in affine coordinates, one can simply ignore
the denominators (xd == 1 and yd == 1).</t> the denominators (xd == 1 and yd&nbsp;== 1).</t>
<t>The following function computes the Frobenius endomorphism for an ele ment <t>The following function computes the Frobenius endomorphism for an ele ment
of F = GF(p^2) with basis (1, I), where I^2 + 1 == 0 in F. of F = GF(p^2) with basis (1, I), where I^2 + 1 == 0 in F.
(This is the base field of the elliptic curve E defined in <xref target="suites- (This is the base field of the elliptic curve E defined in <xref target="suites-
bls12381-g2" format="default"/>.)</t> bls12381-g2"/>.)</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
frobenius(x) frobenius(x)
Input: x, an element of GF(p^2). Input: x, an element of GF(p^2).
Output: a, an element of GF(p^2). Output: a, an element of GF(p^2).
Notation: x = x0 + I * x1, where x0 and x1 are elements of GF(p). Notation: x = x0 + I * x1, where x0 and x1 are elements of GF(p).
Steps: Steps:
1. a = x0 - I * x1 1. a = x0 - I * x1
2. return a 2. return a
</sourcecode> ]]></sourcecode>
<t>The following function computes the endomorphism psi for points on th e <t>The following function computes the endomorphism psi for points on th e
elliptic curve E defined in <xref target="suites-bls12381-g2" format="default"/> elliptic curve E defined in <xref target="suites-bls12381-g2"/>.</t>
.</t> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
psi(xn, xd, yn, yd) psi(xn, xd, yn, yd)
Input: P, a point (xn / xd, yn / yd) on the curve E (see above). Input: P, a point (xn / xd, yn / yd) on the curve E (see above).
Output: Q, a point on the same curve. Output: Q, a point on the same curve.
Constants: Constants:
1. c1 = 1 / (1 + I)^((p - 1) / 3) # in GF(p^2) 1. c1 = 1 / (1 + I)^((p - 1) / 3) # in GF(p^2)
2. c2 = 1 / (1 + I)^((p - 1) / 2) # in GF(p^2) 2. c2 = 1 / (1 + I)^((p - 1) / 2) # in GF(p^2)
Steps: Steps:
1. qxn = c1 * frobenius(xn) 1. qxn = c1 * frobenius(xn)
2. qxd = frobenius(xd) 2. qxd = frobenius(xd)
3. qyn = c2 * frobenius(yn) 3. qyn = c2 * frobenius(yn)
4. qyd = frobenius(yd) 4. qyd = frobenius(yd)
5. return (qxn, qxd, qyn, qyd) 5. return (qxn, qxd, qyn, qyd)
</sourcecode> ]]></sourcecode>
<t>The following function efficiently computes psi(psi(P)).</t> <t>The following function efficiently computes psi(psi(P)).</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
psi2(xn, xd, yn, yd) psi2(xn, xd, yn, yd)
Input: P, a point (xn / xd, yn / yd) on the curve E (see above). Input: P, a point (xn / xd, yn / yd) on the curve E (see above).
Output: Q, a point on the same curve. Output: Q, a point on the same curve.
Constants: Constants:
1. c1 = 1 / 2^((p - 1) / 3) # in GF(p^2) 1. c1 = 1 / 2^((p - 1) / 3) # in GF(p^2)
Steps: Steps:
1. qxn = c1 * xn 1. qxn = c1 * xn
2. qyn = -yn 2. qyn = -yn
3. return (qxn, xd, qyn, yd) 3. return (qxn, xd, qyn, yd)
</sourcecode> ]]></sourcecode>
<t>The following function maps any point on the elliptic curve E (<xref <t>The following function maps any point on the elliptic curve E (<xref
target="suites-bls12381-g2" format="default"/>) target="suites-bls12381-g2"/>)
into the prime-order subgroup G2. into the prime-order subgroup G2.
This function returns a point equal to h_eff * P, where h_eff is the parameter This function returns a point equal to h_eff * P, where h_eff is the parameter
given in <xref target="suites-bls12381-g2" format="default"/>.</t> given in <xref target="suites-bls12381-g2"/>.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
clear_cofactor_bls12381_g2(P) clear_cofactor_bls12381_g2(P)
Input: P, a point (xn / xd, yn / yd) on the curve E (see above). Input: P, a point (xn / xd, yn / yd) on the curve E (see above).
Output: Q, a point in the subgroup G2 of BLS12-381. Output: Q, a point in the subgroup G2 of BLS12-381.
Constants: Constants:
1. c1 = -15132376222941642752 # the BLS parameter for BLS12-381 1. c1 = -15132376222941642752 # the BLS parameter for BLS12-381
# i.e., -0xd201000000010000 # i.e., -0xd201000000010000
Notation: in this procedure, + and - represent elliptic curve point Notation: in this procedure, + and - represent elliptic curve point
skipping to change at line 4773 skipping to change at line 4452
2. t2 = psi(P) 2. t2 = psi(P)
3. t3 = 2 * P 3. t3 = 2 * P
4. t3 = psi2(t3) 4. t3 = psi2(t3)
5. t3 = t3 - t2 5. t3 = t3 - t2
6. t2 = t1 + t2 6. t2 = t1 + t2
7. t2 = c1 * t2 7. t2 = c1 * t2
8. t3 = t3 + t2 8. t3 = t3 + t2
9. t3 = t3 - t1 9. t3 = t3 - t1
10. Q = t3 - P 10. Q = t3 - P
11. return Q 11. return Q
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="paramgen" numbered="true" toc="default"> <section anchor="paramgen">
<name>Scripts for parameter generation</name> <name>Scripts for Parameter Generation</name>
<t>This section gives Sage <xref target="SAGE" format="default"/> scripts <t>This section gives Sage scripts <xref target="SAGE"/> used to generate
used to generate parameters for the mappings of <xref target="mappings" format=" parameters for the mappings of <xref target="mappings"/>.</t>
default"/>.</t> <section anchor="svdw-z-code">
<section anchor="svdw-z-code" numbered="true" toc="default"> <name>Finding Z for the Shallue-van de Woestijne Map</name>
<name>Finding Z for the Shallue-van de Woestijne map</name> <t>The below function outputs an appropriate Z for the Shallue-van de Wo
<t>The below function outputs an appropriate Z for the Shallue and van d estijne map (<xref target="svdw"/>).</t>
e Woestijne map (<xref target="svdw" format="default"/>).</t> <sourcecode type=""><![CDATA[
<sourcecode type="sage">
# Arguments: # Arguments:
# - F, a field object, e.g., F = GF(2^521 - 1) # - F, a field object, e.g., F = GF(2^521 - 1)
# - A and B, the coefficients of the curve y^2 = x^3 + A * x + B # - A and B, the coefficients of the curve y^2 = x^3 + A * x + B
def find_z_svdw(F, A, B, init_ctr=1): def find_z_svdw(F, A, B, init_ctr=1):
g = lambda x: F(x)^3 + F(A) * F(x) + F(B) g = lambda x: F(x)^3 + F(A) * F(x) + F(B)
h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z)) h = lambda Z: -(F(3) * Z^2 + F(4) * A) / (F(4) * g(Z))
# NOTE: if init_ctr=1 fails to find Z, try setting it to F.gen() # NOTE: if init_ctr=1 fails to find Z, try setting it to F.gen()
ctr = init_ctr ctr = init_ctr
while True: while True:
for Z_cand in (F(ctr), F(-ctr)): for Z_cand in (F(ctr), F(-ctr)):
skipping to change at line 4810 skipping to change at line 4489
continue continue
# Criterion 3: # Criterion 3:
# -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F. # -(3 * Z^2 + 4 * A) / (4 * g(Z)) is square in F.
if not is_square(h(Z_cand)): if not is_square(h(Z_cand)):
continue continue
# Criterion 4: # Criterion 4:
# At least one of g(Z) and g(-Z / 2) is square in F. # At least one of g(Z) and g(-Z / 2) is square in F.
if is_square(g(Z_cand)) or is_square(g(-Z_cand / F(2))): if is_square(g(Z_cand)) or is_square(g(-Z_cand / F(2))):
return Z_cand return Z_cand
ctr += 1 ctr += 1
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sswu-z-code" numbered="true" toc="default"> <section anchor="sswu-z-code">
<name>Finding Z for Simplified SWU</name> <name>Finding Z for Simplified SWU</name>
<t>The below function outputs an appropriate Z for the Simplified SWU ma <t>The below function outputs an appropriate Z for the Simplified SWU ma
p (<xref target="simple-swu" format="default"/>).</t> p (<xref target="simple-swu"/>).</t>
<sourcecode type="sage"> <sourcecode type=""><![CDATA[
# Arguments: # Arguments:
# - F, a field object, e.g., F = GF(2^521 - 1) # - F, a field object, e.g., F = GF(2^521 - 1)
# - A and B, the coefficients of the curve y^2 = x^3 + A * x + B # - A and B, the coefficients of the curve y^2 = x^3 + A * x + B
def find_z_sswu(F, A, B): def find_z_sswu(F, A, B):
R.<xx&gt; = F[] # Polynomial ring over F R.<xx&gt; = F[] # Polynomial ring over F
g = xx^3 + F(A) * xx + F(B) # y^2 = g(x) = x^3 + A * x + B g = xx^3 + F(A) * xx + F(B) # y^2 = g(x) = x^3 + A * x + B
ctr = F.gen() ctr = F.gen()
while True: while True:
for Z_cand in (F(ctr), F(-ctr)): for Z_cand in (F(ctr), F(-ctr)):
# Criterion 1: Z is non-square in F. # Criterion 1: Z is non-square in F.
if is_square(Z_cand): if is_square(Z_cand):
continue continue
# Criterion 2: Z != -1 in F. # Criterion 2: Z != -1 in F.
if Z_cand == F(-1): if Z_cand == F(-1):
continue continue
# Criterion 3: g(x) - Z is irreducible over F. # Criterion 3: g(x) - Z is irreducible over F.
if not (g - Z_cand).is_irreducible(): if not (g - Z_cand).is_irreducible():
continue continue
# Criterion 4: g(B / (Z * A)) is square in F. # Criterion 4: g(B / (Z * A)) is square in F.
if is_square(g(B / (Z_cand * A))): if is_square(g(B / (Z_cand * A))):
return Z_cand return Z_cand
ctr += 1 ctr += 1
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="elligator-z-code" numbered="true" toc="default"> <section anchor="elligator-z-code">
<name>Finding Z for Elligator 2</name> <name>Finding Z for Elligator 2</name>
<t>The below function outputs an appropriate Z for the Elligator 2 map ( <t>The below function outputs an appropriate Z for the Elligator 2 map (
<xref target="elligator2" format="default"/>).</t> <xref target="elligator2"/>).</t>
<sourcecode type="sage"> <sourcecode type=""><![CDATA[
# Argument: # Argument:
# - F, a field object, e.g., F = GF(2^255 - 19) # - F, a field object, e.g., F = GF(2^255 - 19)
def find_z_ell2(F): def find_z_ell2(F):
ctr = F.gen() ctr = F.gen()
while True: while True:
for Z_cand in (F(ctr), F(-ctr)): for Z_cand in (F(ctr), F(-ctr)):
# Z must be a non-square in F. # Z must be a non-square in F.
if is_square(Z_cand): if is_square(Z_cand):
continue continue
return Z_cand return Z_cand
ctr += 1 ctr += 1
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="appx-sqrt" numbered="true" toc="default"> <section anchor="appx-sqrt">
<name>sqrt and is_square functions</name> <name>sqrt and is_square Functions</name>
<t>This section defines special-purpose sqrt functions for the three most common cases, <t>This section defines special-purpose sqrt functions for the three most common cases,
q = 3 (mod 4), q = 5 (mod 8), and q = 9 (mod 16), q = 3 (mod 4), q = 5 (mod 8), and q = 9 (mod 16),
plus a generic constant-time algorithm that works for any prime modulus.</t> plus a generic constant-time algorithm that works for any prime modulus.</t>
<t>In addition, it gives an optimized is_square method for GF(p^2).</t> <t>In addition, it gives an optimized is_square method for GF(p^2).</t>
<section anchor="sqrt-3mod4" numbered="true" toc="default"> <section anchor="sqrt-3mod4">
<name>sqrt for q = 3 (mod 4)</name> <name>sqrt for q = 3 (mod 4)</name>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_3mod4(x) sqrt_3mod4(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that (z^2) == x, if x is square in F. Output: z, an element of F such that (z^2) == x, if x is square in F.
Constants: Constants:
1. c1 = (q + 1) / 4 # Integer arithmetic 1. c1 = (q + 1) / 4 # Integer arithmetic
Procedure: Procedure:
1. return x^c1 1. return x^c1
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sqrt-5mod8" numbered="true" toc="default"> <section anchor="sqrt-5mod8">
<name>sqrt for q = 5 (mod 8)</name> <name>sqrt for q = 5 (mod 8)</name>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_5mod8(x) sqrt_5mod8(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that (z^2) == x, if x is square in F. Output: z, an element of F such that (z^2) == x, if x is square in F.
Constants: Constants:
1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
2. c2 = (q + 3) / 8 # Integer arithmetic 2. c2 = (q + 3) / 8 # Integer arithmetic
Procedure: Procedure:
1. tv1 = x^c2 1. tv1 = x^c2
2. tv2 = tv1 * c1 2. tv2 = tv1 * c1
3. e = (tv1^2) == x 3. e = (tv1^2) == x
4. z = CMOV(tv2, tv1, e) 4. z = CMOV(tv2, tv1, e)
5. return z 5. return z
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sqrt-9mod16" numbered="true" toc="default"> <section anchor="sqrt-9mod16">
<name>sqrt for q = 9 (mod 16)</name> <name>sqrt for q = 9 (mod 16)</name>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_9mod16(x) sqrt_9mod16(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input: x, an element of F. Input: x, an element of F.
Output: z, an element of F such that (z^2) == x, if x is square in F. Output: z, an element of F such that (z^2) == x, if x is square in F.
Constants: Constants:
1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
skipping to change at line 4934 skipping to change at line 4613
2. tv2 = c1 * tv1 2. tv2 = c1 * tv1
3. tv3 = c2 * tv1 3. tv3 = c2 * tv1
4. tv4 = c3 * tv1 4. tv4 = c3 * tv1
5. e1 = (tv2^2) == x 5. e1 = (tv2^2) == x
6. e2 = (tv3^2) == x 6. e2 = (tv3^2) == x
7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x
8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x
9. e3 = (tv2^2) == x 9. e3 = (tv2^2) == x
10. z = CMOV(tv1, tv2, e3) # Select the sqrt from tv1 and tv2 10. z = CMOV(tv1, tv2, e3) # Select the sqrt from tv1 and tv2
11. return z 11. return z
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="sqrt-ts" numbered="true" toc="default"> <section anchor="sqrt-ts">
<name>Constant-time Tonelli-Shanks algorithm</name> <name>Constant-Time Tonelli-Shanks Algorithm</name>
<t>This algorithm is a constant-time version of the classic Tonelli-Shan ks algorithm <t>This algorithm is a constant-time version of the classic Tonelli-Shan ks algorithm
(<xref target="C93" format="default"/>, Algorithm 1.5.1) due to Sean Bowe, Jack Grigg, and Eirik Ogilvie-Wigley <xref target="jubjub-fq" format="default"/>, (<xref target="C93"/>, Algorithm 1.5.1) due to Sean Bowe, Jack Grigg, and Eirik Ogilvie-Wigley <xref target="jubjub-fq"/>,
adapted and optimized by Michael Scott.</t> adapted and optimized by Michael Scott.</t>
<t>This algorithm applies to GF(p) for any p. <t>This algorithm applies to GF(p) for any p.
Note, however, that the special-purpose algorithms given in the prior sections a re Note, however, that the special-purpose algorithms given in the prior sections a re
faster, when they apply.</t> faster, when they apply.</t>
<sourcecode type="pseudocode"> <sourcecode type="pseudocode"><![CDATA[
sqrt_ts_ct(x) sqrt_ts_ct(x)
Parameters: Parameters:
- F, a finite field of characteristic p and order q = p^m. - F, a finite field of characteristic p and order q = p^m.
Input x, an element of F. Input x, an element of F.
Output: z, an element of F such that z^2 == x, if x is square in F. Output: z, an element of F such that z^2 == x, if x is square in F.
Constants: Constants:
1. c1, the largest integer such that 2^c1 divides q - 1. 1. c1, the largest integer such that 2^c1 divides q - 1.
skipping to change at line 4978 skipping to change at line 4657
8. for j in (1, 2, ..., i - 2): 8. for j in (1, 2, ..., i - 2):
9. b = b * b 9. b = b * b
10. e = b == 1 10. e = b == 1
11. zt = z * c 11. zt = z * c
12. z = CMOV(zt, z, e) 12. z = CMOV(zt, z, e)
13. c = c * c 13. c = c * c
14. tt = t * c 14. tt = t * c
15. t = CMOV(tt, t, e) 15. t = CMOV(tt, t, e)
16. b = t 16. b = t
17. return z 17. return z
</sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="appx-sqrt-issq" numbered="true" toc="default"> <section anchor="appx-sqrt-issq">
<name>is_square for F = GF(p^2)</name> <name>is_square for F = GF(p^2)</name>
<t>The following is_square method applies to any field F = GF(p^2) <t>The following is_square method applies to any field F = GF(p^2)
with basis (1, I) represented as described in <xref target="bg-curves" format="d efault"/>, i.e., with basis (1, I) represented as described in <xref target="bg-curves"/>, i.e.,
an element x = (x_1, x_2) = x_1 + x_2 * I.</t> an element x = (x_1, x_2) = x_1 + x_2 * I.</t>
<t>Other optimizations of this type are possible in other extension <t>Other optimizations of this type are possible in other extension
fields; see, e.g., <xref target="AR13" format="default"/> for more information.< fields; see, for example, <xref target="AR13"/> for more information.</t>
/t> <sourcecode type="pseudocode"><![CDATA[
<sourcecode type="pseudocode">
is_square(x) is_square(x)
Parameters: Parameters:
- F, an extension field of characteristic p and order q = p^2 - F, an extension field of characteristic p and order q = p^2
with basis (1, I). with basis (1, I).
Input: x, an element of F. Input: x, an element of F.
Output: True if x is square in F, and False otherwise. Output: True if x is square in F, and False otherwise.
Constants: Constants:
1. c1 = (p - 1) / 2 # Integer arithmetic 1. c1 = (p - 1) / 2 # Integer arithmetic
Procedure: Procedure:
1. tv1 = x_1^2 1. tv1 = x_1^2
2. tv2 = I * x_2 2. tv2 = I * x_2
3. tv2 = tv2^2 3. tv2 = tv2^2
4. tv1 = tv1 - tv2 4. tv1 = tv1 - tv2
5. tv1 = tv1^c1 5. tv1 = tv1^c1
6. e1 = tv1 != -1 # Note: -1 in F 6. e1 = tv1 != -1 # Note: -1 in F
7. return e1 7. return e1
</sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="testvectors" numbered="true" toc="default"> <section anchor="testvectors">
<name>Suite test vectors</name> <name>Suite Test Vectors</name>
<t>This section gives test vectors for each suite defined in <xref target= <t>This section gives test vectors for each suite defined in <xref target=
"suites" format="default"/>. "suites"/>.
The test vectors in this section were generated using code that is The test vectors in this section were generated using code that is
available from <xref target="hash2curve-repo" format="default"/>.</t> available from <xref target="hash2curve-repo"/>.</t>
<t>Each test vector in this section lists values computed by the <t>Each test vector in this section lists values computed by the
appropriate encoding function, with variable names defined as appropriate encoding function, with variable names defined as
in <xref target="roadmap" format="default"/>. in <xref target="roadmap"/>.
For example, for a suite whose encoding type is random oracle, For example, for a suite whose encoding type is random oracle,
the test vector gives the value for msg, u, Q0, Q1, and the the test vector gives the value for msg, u, Q0, Q1, and the
output point P.</t> output point P.</t>
<section anchor="nist-p-256" numbered="true" toc="default"> <section anchor="nist-p-256">
<name>NIST P-256</name> <name>NIST P-256</name>
<section anchor="p256xmdsha-256sswuro" numbered="true" toc="default"> <section anchor="p256xmdsha-256sswuro">
<name>P256_XMD:SHA-256_SSWU_RO_</name> <name>P256_XMD:SHA-256_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P256_XMD:SHA-256_SSWU_RO_ suite = P256_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_ dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_
msg = msg =
P.x = 2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91 P.x = 2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91
c44247d3e4 c44247d3e4
P.y = 8a7a74985cc5c776cdfe4b1f19884970453912e9d31528c060be9a P.y = 8a7a74985cc5c776cdfe4b1f19884970453912e9d31528c060be9a
b5c43e8415 b5c43e8415
u[0] = ad5342c66a6dd0ff080df1da0ea1c04b96e0330dd89406465eeba1 u[0] = ad5342c66a6dd0ff080df1da0ea1c04b96e0330dd89406465eeba1
1582515009 1582515009
skipping to change at line 5132 skipping to change at line 4811
Q0.x = d88b989ee9d1295df413d4456c5c850b8b2fb0f5402cc5c4c7e815 Q0.x = d88b989ee9d1295df413d4456c5c850b8b2fb0f5402cc5c4c7e815
412e926db8 412e926db8
Q0.y = bb4a1edeff506cf16def96afff41b16fc74f6dbd55c2210e5b8f01 Q0.y = bb4a1edeff506cf16def96afff41b16fc74f6dbd55c2210e5b8f01
1ba32f4f40 1ba32f4f40
Q1.x = a281e34e628f3a4d2a53fa87ff973537d68ad4fbc28d3be5e8d9f6 Q1.x = a281e34e628f3a4d2a53fa87ff973537d68ad4fbc28d3be5e8d9f6
a2571c5a4b a2571c5a4b
Q1.y = f6ed88a7aab56a488100e6f1174fa9810b47db13e86be999644922 Q1.y = f6ed88a7aab56a488100e6f1174fa9810b47db13e86be999644922
961206e184 961206e184
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="p256xmdsha-256sswunu" numbered="true" toc="default"> <section anchor="p256xmdsha-256sswunu">
<name>P256_XMD:SHA-256_SSWU_NU_</name> <name>P256_XMD:SHA-256_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P256_XMD:SHA-256_SSWU_NU_ suite = P256_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_NU_ dst = QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_NU_
msg = msg =
P.x = f871caad25ea3b59c16cf87c1894902f7e7b2c822c3d3f73596c5a P.x = f871caad25ea3b59c16cf87c1894902f7e7b2c822c3d3f73596c5a
ce8ddd14d1 ce8ddd14d1
P.y = 87b9ae23335bee057b99bac1e68588b18b5691af476234b8971bc4 P.y = 87b9ae23335bee057b99bac1e68588b18b5691af476234b8971bc4
f011ddc99b f011ddc99b
u[0] = b22d487045f80e9edcb0ecc8d4bf77833e2bf1f3a54004d7df1d57 u[0] = b22d487045f80e9edcb0ecc8d4bf77833e2bf1f3a54004d7df1d57
f4802d311f f4802d311f
skipping to change at line 5211 skipping to change at line 4890
cb16f7ef7b cb16f7ef7b
u[0] = 0e1527840b9df2dfbef966678ff167140f2b27c4dccd884c25014d u[0] = 0e1527840b9df2dfbef966678ff167140f2b27c4dccd884c25014d
ce0e41dfa3 ce0e41dfa3
Q.x = 5c4bad52f81f39c8e8de1260e9a06d72b8b00a0829a8ea004a610b Q.x = 5c4bad52f81f39c8e8de1260e9a06d72b8b00a0829a8ea004a610b
0691bea5d9 0691bea5d9
Q.y = c801e7c0782af1f74f24fc385a8555da0582032a3ce038de637ccd Q.y = c801e7c0782af1f74f24fc385a8555da0582032a3ce038de637ccd
cb16f7ef7b cb16f7ef7b
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="nist-p-384" numbered="true" toc="default"> <section anchor="nist-p-384">
<name>NIST P-384</name> <name>NIST P-384</name>
<section anchor="p384xmdsha-384sswuro" numbered="true" toc="default"> <section anchor="p384xmdsha-384sswuro">
<name>P384_XMD:SHA-384_SSWU_RO_</name> <name>P384_XMD:SHA-384_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P384_XMD:SHA-384_SSWU_RO_ suite = P384_XMD:SHA-384_SSWU_RO_
dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_RO_ dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_RO_
msg = msg =
P.x = eb9fe1b4f4e14e7140803c1d99d0a93cd823d2b024040f9c067a8e P.x = eb9fe1b4f4e14e7140803c1d99d0a93cd823d2b024040f9c067a8e
ca1f5a2eeac9ad604973527a356f3fa3aeff0e4d83 ca1f5a2eeac9ad604973527a356f3fa3aeff0e4d83
P.y = 0c21708cff382b7f4643c07b105c2eaec2cead93a917d825601e63 P.y = 0c21708cff382b7f4643c07b105c2eaec2cead93a917d825601e63
c8f21f6abd9abc22c93c2bed6f235954b25048bb1a c8f21f6abd9abc22c93c2bed6f235954b25048bb1a
u[0] = 25c8d7dc1acd4ee617766693f7f8829396065d1b447eedb155871f u[0] = 25c8d7dc1acd4ee617766693f7f8829396065d1b447eedb155871f
effd9c6653279ac7e5c46edb7010a0e4ff64c9f3b4 effd9c6653279ac7e5c46edb7010a0e4ff64c9f3b4
skipping to change at line 5321 skipping to change at line 5000
Q0.x = 42e6666f505e854187186bad3011598d9278b9d6e3e4d2503c3d23 Q0.x = 42e6666f505e854187186bad3011598d9278b9d6e3e4d2503c3d23
6381a56748dec5d139c223129b324df53fa147c4df 6381a56748dec5d139c223129b324df53fa147c4df
Q0.y = 8ee51dbda46413bf621838cc935d18d617881c6f33f3838a79c767 Q0.y = 8ee51dbda46413bf621838cc935d18d617881c6f33f3838a79c767
a1e5618e34b22f79142df708d2432f75c7366c8512 a1e5618e34b22f79142df708d2432f75c7366c8512
Q1.x = 4ff01ceeba60484fa1bc0d825fe1e5e383d8f79f1e5bb78e5fb26b Q1.x = 4ff01ceeba60484fa1bc0d825fe1e5e383d8f79f1e5bb78e5fb26b
7a7ef758153e31e78b9d60ce75c5e32e43869d4e12 7a7ef758153e31e78b9d60ce75c5e32e43869d4e12
Q1.y = 0f84b978fac8ceda7304b47e229d6037d32062e597dc7a9b95bcd9 Q1.y = 0f84b978fac8ceda7304b47e229d6037d32062e597dc7a9b95bcd9
af441f3c56c619a901d21635f9ec6ab4710b9fcd0e af441f3c56c619a901d21635f9ec6ab4710b9fcd0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="p384xmdsha-384sswunu" numbered="true" toc="default"> <section anchor="p384xmdsha-384sswunu">
<name>P384_XMD:SHA-384_SSWU_NU_</name> <name>P384_XMD:SHA-384_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P384_XMD:SHA-384_SSWU_NU_ suite = P384_XMD:SHA-384_SSWU_NU_
dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_NU_ dst = QUUX-V01-CS02-with-P384_XMD:SHA-384_SSWU_NU_
msg = msg =
P.x = de5a893c83061b2d7ce6a0d8b049f0326f2ada4b966dc7e7292725 P.x = de5a893c83061b2d7ce6a0d8b049f0326f2ada4b966dc7e7292725
6b033ef61058029a3bfb13c1c7ececd6641881ae20 6b033ef61058029a3bfb13c1c7ececd6641881ae20
P.y = 63f46da6139785674da315c1947e06e9a0867f5608cf24724eb379 P.y = 63f46da6139785674da315c1947e06e9a0867f5608cf24724eb379
3a1f5b3809ee28eb21a0c64be3be169afc6cdb38ca 3a1f5b3809ee28eb21a0c64be3be169afc6cdb38ca
u[0] = bc7dc1b2cdc5d588a66de3276b0f24310d4aca4977efda7d6272e1 u[0] = bc7dc1b2cdc5d588a66de3276b0f24310d4aca4977efda7d6272e1
be25187b001493d267dc53b56183c9e28282368e60 be25187b001493d267dc53b56183c9e28282368e60
skipping to change at line 5400 skipping to change at line 5079
5327943eca95d90b23b009ba45f58b72906f2a99e2 5327943eca95d90b23b009ba45f58b72906f2a99e2
u[0] = 7b01ce9b8c5a60d9fbc202d6dde92822e46915d8c17e03fcb92ece u[0] = 7b01ce9b8c5a60d9fbc202d6dde92822e46915d8c17e03fcb92ece
1ed6074d01e149fc9236def40d673de903c1d4c166 1ed6074d01e149fc9236def40d673de903c1d4c166
Q.x = af129727a4207a8cb9e9dce656d88f79fce25edbcea350499d65e9 Q.x = af129727a4207a8cb9e9dce656d88f79fce25edbcea350499d65e9
bf1204537bdde73c7cefb752a6ed5ebcd44e183302 bf1204537bdde73c7cefb752a6ed5ebcd44e183302
Q.y = ce68a3d5e161b2e6a968e4ddaa9e51504ad1516ec170c7eef3ca6b Q.y = ce68a3d5e161b2e6a968e4ddaa9e51504ad1516ec170c7eef3ca6b
5327943eca95d90b23b009ba45f58b72906f2a99e2 5327943eca95d90b23b009ba45f58b72906f2a99e2
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="nist-p-521" numbered="true" toc="default"> <section anchor="nist-p-521">
<name>NIST P-521</name> <name>NIST P-521</name>
<section anchor="p521xmdsha-512sswuro" numbered="true" toc="default"> <section anchor="p521xmdsha-512sswuro">
<name>P521_XMD:SHA-512_SSWU_RO_</name> <name>P521_XMD:SHA-512_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P521_XMD:SHA-512_SSWU_RO_ suite = P521_XMD:SHA-512_SSWU_RO_
dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_RO_ dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_RO_
msg = msg =
P.x = 00fd767cebb2452030358d0e9cf907f525f50920c8f607889a6a35 P.x = 00fd767cebb2452030358d0e9cf907f525f50920c8f607889a6a35
680727f64f4d66b161fafeb2654bea0d35086bec0a10b30b14adef 680727f64f4d66b161fafeb2654bea0d35086bec0a10b30b14adef
3556ed9f7f1bc23cecc9c088 3556ed9f7f1bc23cecc9c088
P.y = 0169ba78d8d851e930680322596e39c78f4fe31b97e57629ef6460 P.y = 0169ba78d8d851e930680322596e39c78f4fe31b97e57629ef6460
ddd68f8763fd7bd767a4e94a80d3d21a3c2ee98347e024fc73ee1c ddd68f8763fd7bd767a4e94a80d3d21a3c2ee98347e024fc73ee1c
27166dc3fe5eeef782be411d 27166dc3fe5eeef782be411d
skipping to change at line 5550 skipping to change at line 5229
4ac9ae7e80dfe7abea11db02cf1855312eae1447dbaecc9d7e8c88 4ac9ae7e80dfe7abea11db02cf1855312eae1447dbaecc9d7e8c88
0a5e76a39f6258074e1bc2e0 0a5e76a39f6258074e1bc2e0
Q1.x = 0125c0b69bcf55eab49280b14f707883405028e05c927cd7625d4e Q1.x = 0125c0b69bcf55eab49280b14f707883405028e05c927cd7625d4e
04115bd0e0e6323b12f5d43d0d6d2eff16dbcf244542f84ec05891 04115bd0e0e6323b12f5d43d0d6d2eff16dbcf244542f84ec05891
1260dc3bb6512ab5db285fbd 1260dc3bb6512ab5db285fbd
Q1.y = 008bddfb803b3f4c761458eb5f8a0aee3e1f7f68e9d7424405fa69 Q1.y = 008bddfb803b3f4c761458eb5f8a0aee3e1f7f68e9d7424405fa69
172919899317fb6ac1d6903a432d967d14e0f80af63e7035aaae0c 172919899317fb6ac1d6903a432d967d14e0f80af63e7035aaae0c
123e56862ce969456f99f102 123e56862ce969456f99f102
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="p521xmdsha-512sswunu" numbered="true" toc="default"> <section anchor="p521xmdsha-512sswunu">
<name>P521_XMD:SHA-512_SSWU_NU_</name> <name>P521_XMD:SHA-512_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = P521_XMD:SHA-512_SSWU_NU_ suite = P521_XMD:SHA-512_SSWU_NU_
dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_NU_ dst = QUUX-V01-CS02-with-P521_XMD:SHA-512_SSWU_NU_
msg = msg =
P.x = 01ec604b4e1e3e4c7449b7a41e366e876655538acf51fd40d08b97 P.x = 01ec604b4e1e3e4c7449b7a41e366e876655538acf51fd40d08b97
be066f7d020634e906b1b6942f9174b417027c953d75fb6ec64b8c be066f7d020634e906b1b6942f9174b417027c953d75fb6ec64b8c
ee2a3672d4f1987d13974705 ee2a3672d4f1987d13974705
P.y = 00944fc439b4aad2463e5c9cfa0b0707af3c9a42e37c5a57bb4ecd P.y = 00944fc439b4aad2463e5c9cfa0b0707af3c9a42e37c5a57bb4ecd
12fef9fb21508568aedcdd8d2490472df4bbafd79081c81e99f4da 12fef9fb21508568aedcdd8d2490472df4bbafd79081c81e99f4da
3286eddf19be47e9c4cf0e91 3286eddf19be47e9c4cf0e91
skipping to change at line 5654 skipping to change at line 5333
e1b274d968d91c02f00cce91 e1b274d968d91c02f00cce91
Q.x = 01801de044c517a80443d2bd4f503a9e6866750d2f94a22970f62d Q.x = 01801de044c517a80443d2bd4f503a9e6866750d2f94a22970f62d
721f96e4310e4a828206d9cdeaa8f2d476705cc3bbc490a6165c68 721f96e4310e4a828206d9cdeaa8f2d476705cc3bbc490a6165c68
7668f15ec178a17e3d27349b 7668f15ec178a17e3d27349b
Q.y = 0068889ea2e1442245fe42bfda9e58266828c0263119f35a61631a Q.y = 0068889ea2e1442245fe42bfda9e58266828c0263119f35a61631a
3358330f3bb84443fcb54fcd53a1d097fccbe310489b74ee143fc2 3358330f3bb84443fcb54fcd53a1d097fccbe310489b74ee143fc2
938959a83a1f7dd4a6fd395b 938959a83a1f7dd4a6fd395b
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="curve25519" numbered="true" toc="default"> <section anchor="curve25519">
<name>curve25519</name> <name>curve25519</name>
<section anchor="curve25519xmdsha-512ell2ro" numbered="true" toc="defaul t"> <section anchor="curve25519xmdsha-512ell2ro">
<name>curve25519_XMD:SHA-512_ELL2_RO_</name> <name>curve25519_XMD:SHA-512_ELL2_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = curve25519_XMD:SHA-512_ELL2_RO_ suite = curve25519_XMD:SHA-512_ELL2_RO_
dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_RO_ dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_RO_
msg = msg =
P.x = 2de3780abb67e861289f5749d16d3e217ffa722192d16bbd9d1bfb P.x = 2de3780abb67e861289f5749d16d3e217ffa722192d16bbd9d1bfb
9d112b98c0 9d112b98c0
P.y = 3b5dc2a498941a1033d176567d457845637554a2fe7a3507d21abd P.y = 3b5dc2a498941a1033d176567d457845637554a2fe7a3507d21abd
1c1bd6e878 1c1bd6e878
u[0] = 005fe8a7b8fef0a16c105e6cadf5a6740b3365e18692a9c05bfbb4 u[0] = 005fe8a7b8fef0a16c105e6cadf5a6740b3365e18692a9c05bfbb4
d97f645a6a d97f645a6a
skipping to change at line 5764 skipping to change at line 5443
Q0.x = 02d606e2699b918ee36f2818f2bc5013e437e673c9f9b9cdc15fd0 Q0.x = 02d606e2699b918ee36f2818f2bc5013e437e673c9f9b9cdc15fd0
c5ee913970 c5ee913970
Q0.y = 29e9dc92297231ef211245db9e31767996c5625dfbf92e1c8107ef Q0.y = 29e9dc92297231ef211245db9e31767996c5625dfbf92e1c8107ef
887365de1e 887365de1e
Q1.x = 38920e9b988d1ab7449c0fa9a6058192c0c797bb3d42ac34572434 Q1.x = 38920e9b988d1ab7449c0fa9a6058192c0c797bb3d42ac34572434
1a1aa98745 1a1aa98745
Q1.y = 24dcc1be7c4d591d307e89049fd2ed30aae8911245a9d8554bf603 Q1.y = 24dcc1be7c4d591d307e89049fd2ed30aae8911245a9d8554bf603
2e5aa40d3d 2e5aa40d3d
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="curve25519xmdsha-512ell2nu" numbered="true" toc="defaul t"> <section anchor="curve25519xmdsha-512ell2nu">
<name>curve25519_XMD:SHA-512_ELL2_NU_</name> <name>curve25519_XMD:SHA-512_ELL2_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = curve25519_XMD:SHA-512_ELL2_NU_ suite = curve25519_XMD:SHA-512_ELL2_NU_
dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_NU_ dst = QUUX-V01-CS02-with-curve25519_XMD:SHA-512_ELL2_NU_
msg = msg =
P.x = 1bb913f0c9daefa0b3375378ffa534bda5526c97391952a7789eb9 P.x = 1bb913f0c9daefa0b3375378ffa534bda5526c97391952a7789eb9
76edfe4d08 76edfe4d08
P.y = 4548368f4f983243e747b62a600840ae7c1dab5c723991f85d3a97 P.y = 4548368f4f983243e747b62a600840ae7c1dab5c723991f85d3a97
68479f3ec4 68479f3ec4
u[0] = 608d892b641f0328523802a6603427c26e55e6f27e71a91a478148 u[0] = 608d892b641f0328523802a6603427c26e55e6f27e71a91a478148
d45b5093cd d45b5093cd
skipping to change at line 5843 skipping to change at line 5522
94f4d6d0b8 94f4d6d0b8
u[0] = 1a68a1af9f663592291af987203393f707305c7bac9c8d63d6a729 u[0] = 1a68a1af9f663592291af987203393f707305c7bac9c8d63d6a729
bdc553dc19 bdc553dc19
Q.x = 3bcd651ee54d5f7b6013898aab251ee8ecc0688166fce6e9548d38 Q.x = 3bcd651ee54d5f7b6013898aab251ee8ecc0688166fce6e9548d38
472f6bd196 472f6bd196
Q.y = 1bb36ad9197299f111b4ef21271c41f4b7ecf5543db8bb5931307e Q.y = 1bb36ad9197299f111b4ef21271c41f4b7ecf5543db8bb5931307e
bdb2eaa465 bdb2eaa465
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="edwards25519" numbered="true" toc="default"> <section anchor="edwards25519">
<name>edwards25519</name> <name>edwards25519</name>
<section anchor="edwards25519xmdsha-512ell2ro" numbered="true" toc="defa ult"> <section anchor="edwards25519xmdsha-512ell2ro">
<name>edwards25519_XMD:SHA-512_ELL2_RO_</name> <name>edwards25519_XMD:SHA-512_ELL2_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = edwards25519_XMD:SHA-512_ELL2_RO_ suite = edwards25519_XMD:SHA-512_ELL2_RO_
dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_ dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_RO_
msg = msg =
P.x = 3c3da6925a3c3c268448dcabb47ccde5439559d9599646a8260e47 P.x = 3c3da6925a3c3c268448dcabb47ccde5439559d9599646a8260e47
b1e4822fc6 b1e4822fc6
P.y = 09a6c8561a0b22bef63124c588ce4c62ea83a3c899763af26d7953 P.y = 09a6c8561a0b22bef63124c588ce4c62ea83a3c899763af26d7953
02e115dc21 02e115dc21
u[0] = 03fef4813c8cb5f98c6eef88fae174e6e7d5380de2b007799ac7ee u[0] = 03fef4813c8cb5f98c6eef88fae174e6e7d5380de2b007799ac7ee
712d203f3a 712d203f3a
skipping to change at line 5953 skipping to change at line 5632
Q0.x = 21091b2e3f9258c7dfa075e7ae513325a94a3d8a28e1b1cb3b5b6f Q0.x = 21091b2e3f9258c7dfa075e7ae513325a94a3d8a28e1b1cb3b5b6f
5d65675592 5d65675592
Q0.y = 41a33d324c89f570e0682cdf7bdb78852295daf8084c669f2cc969 Q0.y = 41a33d324c89f570e0682cdf7bdb78852295daf8084c669f2cc969
2896ab5026 2896ab5026
Q1.x = 4c07ec48c373e39a23bd7954f9e9b66eeab9e5ee1279b867b3d531 Q1.x = 4c07ec48c373e39a23bd7954f9e9b66eeab9e5ee1279b867b3d531
5aa815454f 5aa815454f
Q1.y = 67ccac7c3cb8d1381242d8d6585c57eabaddbb5dca5243a68a8aeb Q1.y = 67ccac7c3cb8d1381242d8d6585c57eabaddbb5dca5243a68a8aeb
5477d94b3a 5477d94b3a
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="edwards25519xmdsha-512ell2nu" numbered="true" toc="defa ult"> <section anchor="edwards25519xmdsha-512ell2nu">
<name>edwards25519_XMD:SHA-512_ELL2_NU_</name> <name>edwards25519_XMD:SHA-512_ELL2_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = edwards25519_XMD:SHA-512_ELL2_NU_ suite = edwards25519_XMD:SHA-512_ELL2_NU_
dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_NU_ dst = QUUX-V01-CS02-with-edwards25519_XMD:SHA-512_ELL2_NU_
msg = msg =
P.x = 1ff2b70ecf862799e11b7ae744e3489aa058ce805dd323a936375a P.x = 1ff2b70ecf862799e11b7ae744e3489aa058ce805dd323a936375a
84695e76da 84695e76da
P.y = 222e314d04a4d5725e9f2aff9fb2a6b69ef375a1214eb19021ceab P.y = 222e314d04a4d5725e9f2aff9fb2a6b69ef375a1214eb19021ceab
2d687f0f9b 2d687f0f9b
u[0] = 7f3e7fb9428103ad7f52db32f9df32505d7b427d894c5093f7a0f0 u[0] = 7f3e7fb9428103ad7f52db32f9df32505d7b427d894c5093f7a0f0
374a30641d 374a30641d
skipping to change at line 6032 skipping to change at line 5711
4245891a37 4245891a37
u[0] = 3cb0178a8137cefa5b79a3a57c858d7eeeaa787b2781be4a362a2f u[0] = 3cb0178a8137cefa5b79a3a57c858d7eeeaa787b2781be4a362a2f
0750d24fa0 0750d24fa0
Q.x = 3e6368cff6e88a58e250c54bd27d2c989ae9b3acb6067f2651ad28 Q.x = 3e6368cff6e88a58e250c54bd27d2c989ae9b3acb6067f2651ad28
2ab8c21cd9 2ab8c21cd9
Q.y = 38fb39f1566ca118ae6c7af42810c0bb9767ae5960abb5a8ca7925 Q.y = 38fb39f1566ca118ae6c7af42810c0bb9767ae5960abb5a8ca7925
30bfb9447d 30bfb9447d
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="curve448" numbered="true" toc="default"> <section anchor="curve448">
<name>curve448</name> <name>curve448</name>
<section anchor="curve448xofshake256ell2ro" numbered="true" toc="default "> <section anchor="curve448xofshake256ell2ro">
<name>curve448_XOF:SHAKE256_ELL2_RO_</name> <name>curve448_XOF:SHAKE256_ELL2_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = curve448_XOF:SHAKE256_ELL2_RO_ suite = curve448_XOF:SHAKE256_ELL2_RO_
dst = QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_ dst = QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_RO_
msg = msg =
P.x = 5ea5ff623d27c75e73717514134e73e419f831a875ca9e82915fdf P.x = 5ea5ff623d27c75e73717514134e73e419f831a875ca9e82915fdf
c7069d0a9f8b532cfb32b1d8dd04ddeedbe3fa1d0d681c01e825d6 c7069d0a9f8b532cfb32b1d8dd04ddeedbe3fa1d0d681c01e825d6
a9ea a9ea
P.y = afadd8de789f8f8e3516efbbe313a7eba364c939ecba00dabf4ced P.y = afadd8de789f8f8e3516efbbe313a7eba364c939ecba00dabf4ced
5c563b18e70a284c17d8f46b564c4e6ce11784a3825d9411166221 5c563b18e70a284c17d8f46b564c4e6ce11784a3825d9411166221
28c1 28c1
skipping to change at line 6182 skipping to change at line 5861
a806b8adb3e1a75ea48a1228b8937ba85c6cb6ee01046e10cad895 a806b8adb3e1a75ea48a1228b8937ba85c6cb6ee01046e10cad895
3b1e 3b1e
Q1.x = 126d744da6a14fddec0f78a9cee4571c1320ac7645b600187812e4 Q1.x = 126d744da6a14fddec0f78a9cee4571c1320ac7645b600187812e4
d7021f98fc4703732c54daec787206e1f34d9dbbf4b292c68160b8 d7021f98fc4703732c54daec787206e1f34d9dbbf4b292c68160b8
bfbd bfbd
Q1.y = 136eebe6020f2389d448923899a1a38a4c8ad74254e0686e91c4f9 Q1.y = 136eebe6020f2389d448923899a1a38a4c8ad74254e0686e91c4f9
3c1f8f8e1bd619ffb7c1281467882a9c957d22d50f65c5b72b2aee 3c1f8f8e1bd619ffb7c1281467882a9c957d22d50f65c5b72b2aee
11af 11af
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="curve448xofshake256ell2nu" numbered="true" toc="default "> <section anchor="curve448xofshake256ell2nu">
<name>curve448_XOF:SHAKE256_ELL2_NU_</name> <name>curve448_XOF:SHAKE256_ELL2_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = curve448_XOF:SHAKE256_ELL2_NU_ suite = curve448_XOF:SHAKE256_ELL2_NU_
dst = QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_NU_ dst = QUUX-V01-CS02-with-curve448_XOF:SHAKE256_ELL2_NU_
msg = msg =
P.x = b65e8dbb279fd656f926f68d463b13ca7a982b32f5da9c7cc58afc P.x = b65e8dbb279fd656f926f68d463b13ca7a982b32f5da9c7cc58afc
f6199e4729863fb75ca9ae3c95c6887d95a5102637a1c5c40ff0aa f6199e4729863fb75ca9ae3c95c6887d95a5102637a1c5c40ff0aa
fadc fadc
P.y = ea1ea211cf29eca11c057fe8248181591a19f6ac51d45843a65d4b P.y = ea1ea211cf29eca11c057fe8248181591a19f6ac51d45843a65d4b
b8b71bc83a64c771ed7686218a278ef1c5d620f3d26b5316218864 b8b71bc83a64c771ed7686218a278ef1c5d620f3d26b5316218864
5453 5453
skipping to change at line 6286 skipping to change at line 5965
70a9 70a9
Q.x = 08aed6480793218034fd3b3b0867943d7e0bd1b6f76b4929e0885b Q.x = 08aed6480793218034fd3b3b0867943d7e0bd1b6f76b4929e0885b
d082b84d4449341da6038bb08229ad9eb7d518dff2c7ea50148e70 d082b84d4449341da6038bb08229ad9eb7d518dff2c7ea50148e70
a4db a4db
Q.y = e00d32244561ebd4b5f4ef70fcac75a06416be0a1c1b304e7bd361 Q.y = e00d32244561ebd4b5f4ef70fcac75a06416be0a1c1b304e7bd361
a6a6586915bb902a323eaf73cf7738e70d34282f61485395ab2833 a6a6586915bb902a323eaf73cf7738e70d34282f61485395ab2833
d2c1 d2c1
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="edwards448" numbered="true" toc="default"> <section anchor="edwards448">
<name>edwards448</name> <name>edwards448</name>
<section anchor="edwards448xofshake256ell2ro" numbered="true" toc="defau lt"> <section anchor="edwards448xofshake256ell2ro">
<name>edwards448_XOF:SHAKE256_ELL2_RO_</name> <name>edwards448_XOF:SHAKE256_ELL2_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = edwards448_XOF:SHAKE256_ELL2_RO_ suite = edwards448_XOF:SHAKE256_ELL2_RO_
dst = QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_RO_ dst = QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_RO_
msg = msg =
P.x = 73036d4a88949c032f01507005c133884e2f0d81f9a950826245dd P.x = 73036d4a88949c032f01507005c133884e2f0d81f9a950826245dd
a9e844fc78186c39daaa7147ead3e462cff60e9c6340b58134480b a9e844fc78186c39daaa7147ead3e462cff60e9c6340b58134480b
4d17 4d17
P.y = 94c1d61b43728e5d784ef4fcb1f38e1075f3aef5e99866911de5a2 P.y = 94c1d61b43728e5d784ef4fcb1f38e1075f3aef5e99866911de5a2
34f1aafdc26b554344742e6ba0420b71b298671bbeb2b773661863 34f1aafdc26b554344742e6ba0420b71b298671bbeb2b773661863
4610 4610
skipping to change at line 6436 skipping to change at line 6115
8031cd607c98edc2a846c77a841f057c7251eb45077853c7b20595 8031cd607c98edc2a846c77a841f057c7251eb45077853c7b20595
7e52 7e52
Q1.x = 69583b00dc6b2aced6ffa44630cc8c8cd0dd0649f57588dd0fb1da Q1.x = 69583b00dc6b2aced6ffa44630cc8c8cd0dd0649f57588dd0fb1da
ad2ce132e281d01e3f25ccd3f405be759975c6484268bfe8f5e5f2 ad2ce132e281d01e3f25ccd3f405be759975c6484268bfe8f5e5f2
3c30 3c30
Q1.y = 8418484035f60bdccf48cb488634c2dfb40272123435f7e654fb6f Q1.y = 8418484035f60bdccf48cb488634c2dfb40272123435f7e654fb6f
254c6c42e7e38f1fa79a637a168a28de6c275232b704f9ded0ff76 254c6c42e7e38f1fa79a637a168a28de6c275232b704f9ded0ff76
dd94 dd94
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="edwards448xofshake256ell2nu" numbered="true" toc="defau lt"> <section anchor="edwards448xofshake256ell2nu">
<name>edwards448_XOF:SHAKE256_ELL2_NU_</name> <name>edwards448_XOF:SHAKE256_ELL2_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = edwards448_XOF:SHAKE256_ELL2_NU_ suite = edwards448_XOF:SHAKE256_ELL2_NU_
dst = QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_NU_ dst = QUUX-V01-CS02-with-edwards448_XOF:SHAKE256_ELL2_NU_
msg = msg =
P.x = eb5a1fc376fd73230af2de0f3374087cc7f279f0460114cf0a6c12 P.x = eb5a1fc376fd73230af2de0f3374087cc7f279f0460114cf0a6c12
d6d044c16de34ec2350c34b26bf110377655ab77936869d085406a d6d044c16de34ec2350c34b26bf110377655ab77936869d085406a
f71e f71e
P.y = df5dcea6d42e8f494b279a500d09e895d26ac703d75ca6d118e8ca P.y = df5dcea6d42e8f494b279a500d09e895d26ac703d75ca6d118e8ca
58bf6f608a2a383f292fce1563ff995dce75aede1fdc8e7c0c737a 58bf6f608a2a383f292fce1563ff995dce75aede1fdc8e7c0c737a
e9ad e9ad
skipping to change at line 6540 skipping to change at line 6219
06ea 06ea
Q.x = 0fd3bb833c1d7a5b319d1d4117406a23b9aece976186ecb18a11a6 Q.x = 0fd3bb833c1d7a5b319d1d4117406a23b9aece976186ecb18a11a6
35e6fbdb920d47e04762b1f2a8c59d2f8435d0fdefe501f544cda2 35e6fbdb920d47e04762b1f2a8c59d2f8435d0fdefe501f544cda2
3dbf 3dbf
Q.y = f13b0dad4d5eeb120f2443ac4392f8096a1396f5014ec2a3506a34 Q.y = f13b0dad4d5eeb120f2443ac4392f8096a1396f5014ec2a3506a34
7fef8076a7282035cf619599b1919cf29df5ce87711c11688aab77 7fef8076a7282035cf619599b1919cf29df5ce87711c11688aab77
00a6 00a6
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="secp256k1" numbered="true" toc="default"> <section anchor="secp256k1">
<name>secp256k1</name> <name>secp256k1</name>
<section anchor="secp256k1xmdsha-256sswuro" numbered="true" toc="default "> <section anchor="secp256k1xmdsha-256sswuro">
<name>secp256k1_XMD:SHA-256_SSWU_RO_</name> <name>secp256k1_XMD:SHA-256_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = secp256k1_XMD:SHA-256_SSWU_RO_ suite = secp256k1_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-secp256k1_XMD:SHA-256_SSWU_RO_ dst = QUUX-V01-CS02-with-secp256k1_XMD:SHA-256_SSWU_RO_
msg = msg =
P.x = c1cae290e291aee617ebaef1be6d73861479c48b841eaba9b7b585 P.x = c1cae290e291aee617ebaef1be6d73861479c48b841eaba9b7b585
2ddfeb1346 2ddfeb1346
P.y = 64fa678e07ae116126f08b022a94af6de15985c996c3a91b64c406 P.y = 64fa678e07ae116126f08b022a94af6de15985c996c3a91b64c406
a960e51067 a960e51067
u[0] = 6b0f9910dd2ba71c78f2ee9f04d73b5f4c5f7fc773a701abea1e57 u[0] = 6b0f9910dd2ba71c78f2ee9f04d73b5f4c5f7fc773a701abea1e57
3cab002fb3 3cab002fb3
skipping to change at line 6650 skipping to change at line 6329
Q0.x = b32b0ab55977b936f1e93fdc68cec775e13245e161dbfe556bbb1f Q0.x = b32b0ab55977b936f1e93fdc68cec775e13245e161dbfe556bbb1f
72799b4181 72799b4181
Q0.y = 2f5317098360b722f132d7156a94822641b615c91f8663be691698 Q0.y = 2f5317098360b722f132d7156a94822641b615c91f8663be691698
70a12af9e8 70a12af9e8
Q1.x = 148f98780f19388b9fa93e7dc567b5a673e5fca7079cd9cdafd719 Q1.x = 148f98780f19388b9fa93e7dc567b5a673e5fca7079cd9cdafd719
82ec4c5e12 82ec4c5e12
Q1.y = 3989645d83a433bc0c001f3dac29af861f33a6fd1e04f4b36873f5 Q1.y = 3989645d83a433bc0c001f3dac29af861f33a6fd1e04f4b36873f5
bff497298a bff497298a
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="secp256k1xmdsha-256sswunu" numbered="true" toc="default "> <section anchor="secp256k1xmdsha-256sswunu">
<name>secp256k1_XMD:SHA-256_SSWU_NU_</name> <name>secp256k1_XMD:SHA-256_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = secp256k1_XMD:SHA-256_SSWU_NU_ suite = secp256k1_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-secp256k1_XMD:SHA-256_SSWU_NU_ dst = QUUX-V01-CS02-with-secp256k1_XMD:SHA-256_SSWU_NU_
msg = msg =
P.x = a4792346075feae77ac3b30026f99c1441b4ecf666ded19b7522cf P.x = a4792346075feae77ac3b30026f99c1441b4ecf666ded19b7522cf
65c4c55c5b 65c4c55c5b
P.y = 62c59e2a6aeed1b23be5883e833912b08ba06be7f57c0e9cdc663f P.y = 62c59e2a6aeed1b23be5883e833912b08ba06be7f57c0e9cdc663f
31639ff3a7 31639ff3a7
u[0] = 0137fcd23bc3da962e8808f97474d097a6c8aa2881fceef4514173 u[0] = 0137fcd23bc3da962e8808f97474d097a6c8aa2881fceef4514173
635872cf3b 635872cf3b
skipping to change at line 6729 skipping to change at line 6408
ecc2a51718 ecc2a51718
u[0] = a9ffbeee1d6e41ac33c248fb3364612ff591b502386c1bf6ac4aaf u[0] = a9ffbeee1d6e41ac33c248fb3364612ff591b502386c1bf6ac4aaf
1ea51f8c3b 1ea51f8c3b
Q.x = 17d22b867658977b5002dbe8d0ee70a8cfddec3eec50fb93f36136 Q.x = 17d22b867658977b5002dbe8d0ee70a8cfddec3eec50fb93f36136
070fd9fa6c 070fd9fa6c
Q.y = e9178ff02f4dab73480f8dd590328aea99856a7b6cc8e5a6cdf289 Q.y = e9178ff02f4dab73480f8dd590328aea99856a7b6cc8e5a6cdf289
ecc2a51718 ecc2a51718
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="bls12-381-g1" numbered="true" toc="default"> <section anchor="bls12-381-g1">
<name>BLS12-381 G1</name> <name>BLS12-381 G1</name>
<section anchor="bls12381g1xmdsha-256sswuro" numbered="true" toc="defaul t"> <section anchor="bls12381g1xmdsha-256sswuro">
<name>BLS12381G1_XMD:SHA-256_SSWU_RO_</name> <name>BLS12381G1_XMD:SHA-256_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = BLS12381G1_XMD:SHA-256_SSWU_RO_ suite = BLS12381G1_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_RO_ dst = QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_RO_
msg = msg =
P.x = 052926add2207b76ca4fa57a8734416c8dc95e24501772c8142787 P.x = 052926add2207b76ca4fa57a8734416c8dc95e24501772c8142787
00eed6d1e4e8cf62d9c09db0fac349612b759e79a1 00eed6d1e4e8cf62d9c09db0fac349612b759e79a1
P.y = 08ba738453bfed09cb546dbb0783dbb3a5f1f566ed67bb6be0e8c6 P.y = 08ba738453bfed09cb546dbb0783dbb3a5f1f566ed67bb6be0e8c6
7e2e81a4cc68ee29813bb7994998f3eae0c9c6a265 7e2e81a4cc68ee29813bb7994998f3eae0c9c6a265
u[0] = 0ba14bd907ad64a016293ee7c2d276b8eae71f25a4b941eece7b0d u[0] = 0ba14bd907ad64a016293ee7c2d276b8eae71f25a4b941eece7b0d
89f17f75cb3ae5438a614fb61d6835ad59f29c564f 89f17f75cb3ae5438a614fb61d6835ad59f29c564f
skipping to change at line 6839 skipping to change at line 6518
Q0.x = 0cf97e6dbd0947857f3e578231d07b309c622ade08f2c08b32ff37 Q0.x = 0cf97e6dbd0947857f3e578231d07b309c622ade08f2c08b32ff37
2bd90db19467b2563cc997d4407968d4ac80e154f8 2bd90db19467b2563cc997d4407968d4ac80e154f8
Q0.y = 127f0cddf2613058101a5701f4cb9d0861fd6c2a1b8e0afe194fcc Q0.y = 127f0cddf2613058101a5701f4cb9d0861fd6c2a1b8e0afe194fcc
f586a3201a53874a2761a9ab6d7220c68661a35ab3 f586a3201a53874a2761a9ab6d7220c68661a35ab3
Q1.x = 092f1acfa62b05f95884c6791fba989bbe58044ee6355d100973bf Q1.x = 092f1acfa62b05f95884c6791fba989bbe58044ee6355d100973bf
9553ade52b47929264e6ae770fb264582d8dce512a 9553ade52b47929264e6ae770fb264582d8dce512a
Q1.y = 028e6d0169a72cfedb737be45db6c401d3adfb12c58c619c82b93a Q1.y = 028e6d0169a72cfedb737be45db6c401d3adfb12c58c619c82b93a
5dfcccef12290de530b0480575ddc8397cda0bbebf 5dfcccef12290de530b0480575ddc8397cda0bbebf
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="bls12381g1xmdsha-256sswunu" numbered="true" toc="defaul t"> <section anchor="bls12381g1xmdsha-256sswunu">
<name>BLS12381G1_XMD:SHA-256_SSWU_NU_</name> <name>BLS12381G1_XMD:SHA-256_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = BLS12381G1_XMD:SHA-256_SSWU_NU_ suite = BLS12381G1_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_NU_ dst = QUUX-V01-CS02-with-BLS12381G1_XMD:SHA-256_SSWU_NU_
msg = msg =
P.x = 184bb665c37ff561a89ec2122dd343f20e0f4cbcaec84e3c3052ea P.x = 184bb665c37ff561a89ec2122dd343f20e0f4cbcaec84e3c3052ea
81d1834e192c426074b02ed3dca4e7676ce4ce48ba 81d1834e192c426074b02ed3dca4e7676ce4ce48ba
P.y = 04407b8d35af4dacc809927071fc0405218f1401a6d15af775810e P.y = 04407b8d35af4dacc809927071fc0405218f1401a6d15af775810e
4e460064bcc9468beeba82fdc751be70476c888bf3 4e460064bcc9468beeba82fdc751be70476c888bf3
u[0] = 156c8a6a2c184569d69a76be144b5cdc5141d2d2ca4fe341f011e2 u[0] = 156c8a6a2c184569d69a76be144b5cdc5141d2d2ca4fe341f011e2
5e3969c55ad9e9b9ce2eb833c81a908e5fa4ac5f03 5e3969c55ad9e9b9ce2eb833c81a908e5fa4ac5f03
skipping to change at line 6918 skipping to change at line 6597
89ccde29ac7d46c53bb97a59b1901abf1db66052db 89ccde29ac7d46c53bb97a59b1901abf1db66052db
u[0] = 0dd824886d2123a96447f6c56e3a3fa992fbfefdba17b6673f9f63 u[0] = 0dd824886d2123a96447f6c56e3a3fa992fbfefdba17b6673f9f63
0ff19e4d326529db37e1c1be43f905bf9202e0278d 0ff19e4d326529db37e1c1be43f905bf9202e0278d
Q.x = 1775d400a1bacc1c39c355da7e96d2d1c97baa9430c4a3476881f8 Q.x = 1775d400a1bacc1c39c355da7e96d2d1c97baa9430c4a3476881f8
521c09a01f921f592607961efc99c4cd46bd78ca19 521c09a01f921f592607961efc99c4cd46bd78ca19
Q.y = 1109b5d59f65964315de65a7a143e86eabc053104ed289cf480949 Q.y = 1109b5d59f65964315de65a7a143e86eabc053104ed289cf480949
317a5685fad7254ff8e7fe6d24d3104e5d55ad6370 317a5685fad7254ff8e7fe6d24d3104e5d55ad6370
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="bls12-381-g2" numbered="true" toc="default"> <section anchor="bls12-381-g2">
<name>BLS12-381 G2</name> <name>BLS12-381 G2</name>
<section anchor="bls12381g2xmdsha-256sswuro" numbered="true" toc="defaul t"> <section anchor="bls12381g2xmdsha-256sswuro">
<name>BLS12381G2_XMD:SHA-256_SSWU_RO_</name> <name>BLS12381G2_XMD:SHA-256_SSWU_RO_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = BLS12381G2_XMD:SHA-256_SSWU_RO_ suite = BLS12381G2_XMD:SHA-256_SSWU_RO_
dst = QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_RO_ dst = QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_RO_
msg = msg =
P.x = 0141ebfbdca40eb85b87142e130ab689c673cf60f1a3e98d693352 P.x = 0141ebfbdca40eb85b87142e130ab689c673cf60f1a3e98d693352
66f30d9b8d4ac44c1038e9dcdd5393faf5c41fb78a 66f30d9b8d4ac44c1038e9dcdd5393faf5c41fb78a
+ I * 05cb8437535e20ecffaef7752baddf98034139c38452458baeefab + I * 05cb8437535e20ecffaef7752baddf98034139c38452458baeefab
379ba13dff5bf5dd71b72418717047f5b0f37da03d 379ba13dff5bf5dd71b72418717047f5b0f37da03d
P.y = 0503921d7f6a12805e72940b963c0cf3471c7b2a524950ca195d11 P.y = 0503921d7f6a12805e72940b963c0cf3471c7b2a524950ca195d11
062ee75ec076daf2d4bc358c4b190c0c98064fdd92 062ee75ec076daf2d4bc358c4b190c0c98064fdd92
skipping to change at line 7108 skipping to change at line 6787
Q1.x = 16ec57b7fe04c71dfe34fb5ad84dbce5a2dbbd6ee085f1d8cd17f4 Q1.x = 16ec57b7fe04c71dfe34fb5ad84dbce5a2dbbd6ee085f1d8cd17f4
5e8868976fc3c51ad9eeda682c7869024d24579bfd 5e8868976fc3c51ad9eeda682c7869024d24579bfd
+ I * 13103f7aace1ae1420d208a537f7d3a9679c287208026e4e3439ab + I * 13103f7aace1ae1420d208a537f7d3a9679c287208026e4e3439ab
8cd534c12856284d95e27f5e1f33eec2ce656533b0 8cd534c12856284d95e27f5e1f33eec2ce656533b0
Q1.y = 0958b2c4c2c10fcef5a6c59b9e92c4a67b0fae3e2e0f1b6b5edad9 Q1.y = 0958b2c4c2c10fcef5a6c59b9e92c4a67b0fae3e2e0f1b6b5edad9
c940b8f3524ba9ebbc3f2ceb3cfe377655b3163bd7 c940b8f3524ba9ebbc3f2ceb3cfe377655b3163bd7
+ I * 0ccb594ed8bd14ca64ed9cb4e0aba221be540f25dd0d6ba15a4a4b + I * 0ccb594ed8bd14ca64ed9cb4e0aba221be540f25dd0d6ba15a4a4b
e5d67bcf35df7853b2d8dad3ba245f1ea3697f66aa e5d67bcf35df7853b2d8dad3ba245f1ea3697f66aa
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="bls12381g2xmdsha-256sswunu" numbered="true" toc="defaul t"> <section anchor="bls12381g2xmdsha-256sswunu">
<name>BLS12381G2_XMD:SHA-256_SSWU_NU_</name> <name>BLS12381G2_XMD:SHA-256_SSWU_NU_</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
suite = BLS12381G2_XMD:SHA-256_SSWU_NU_ suite = BLS12381G2_XMD:SHA-256_SSWU_NU_
dst = QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_NU_ dst = QUUX-V01-CS02-with-BLS12381G2_XMD:SHA-256_SSWU_NU_
msg = msg =
P.x = 00e7f4568a82b4b7dc1f14c6aaa055edf51502319c723c4dc2688c P.x = 00e7f4568a82b4b7dc1f14c6aaa055edf51502319c723c4dc2688c
7fe5944c213f510328082396515734b6612c4e7bb7 7fe5944c213f510328082396515734b6612c4e7bb7
+ I * 126b855e9e69b1f691f816e48ac6977664d24d99f8724868a18418 + I * 126b855e9e69b1f691f816e48ac6977664d24d99f8724868a18418
6469ddfd4617367e94527d4b74fc86413483afb35b 6469ddfd4617367e94527d4b74fc86413483afb35b
P.y = 0caead0fd7b6176c01436833c79d305c78be307da5f6af6c133c47 P.y = 0caead0fd7b6176c01436833c79d305c78be307da5f6af6c133c47
311def6ff1e0babf57a0fb5539fce7ee12407b0a42 311def6ff1e0babf57a0fb5539fce7ee12407b0a42
skipping to change at line 7238 skipping to change at line 6917
+ I * 0eef4fa41ddc17ed47baf447a2c498548f3c72a02381313d13bef9 + I * 0eef4fa41ddc17ed47baf447a2c498548f3c72a02381313d13bef9
16e240b61ce125539090d62d9fbb14a900bf1b8e90 16e240b61ce125539090d62d9fbb14a900bf1b8e90
Q.y = 1260d6e0987eae96af9ebe551e08de22b37791d53f4db9e0d59da7 Q.y = 1260d6e0987eae96af9ebe551e08de22b37791d53f4db9e0d59da7
36e66699735793e853e26362531fe4adf99c1883e3 36e66699735793e853e26362531fe4adf99c1883e3
+ I * 0dbace5df0a4ac4ac2f45d8fdf8aee45484576fdd6efc4f98ab9b9 + I * 0dbace5df0a4ac4ac2f45d8fdf8aee45484576fdd6efc4f98ab9b9
f4112309e628255e183022d98ea5ed6e47ca00306c f4112309e628255e183022d98ea5ed6e47ca00306c
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
</section> </section>
<section anchor="expand-testvectors" numbered="true" toc="default"> <section anchor="expand-testvectors">
<name>Expand test vectors</name> <name>Expand Test Vectors</name>
<t>This section gives test vectors for expand_message variants specified i <t>This section gives test vectors for expand_message variants specified i
n <xref target="hashtofield-expand" format="default"/>. n <xref target="hashtofield-expand"/>.
The test vectors in this section were generated using code that is The test vectors in this section were generated using code that is
available from <xref target="hash2curve-repo" format="default"/>.</t> available from <xref target="hash2curve-repo"/>.</t>
<t>Each test vector in this section lists the expand_message name, hash fu nction, and DST, <t>Each test vector in this section lists the expand_message name, hash fu nction, and DST,
along with a series of tuples of the function inputs (msg and len_in_bytes), along with a series of tuples of the function inputs (msg and len_in_bytes),
output (uniform_bytes), and intermediate values (dst_prime and msg_prime). output (uniform_bytes), and intermediate values (dst_prime and msg_prime).
DST and msg are represented as ASCII strings. DST and msg are represented as ASCII strings.
Intermediate and output values are represented as byte strings in hexadecimal.</ t> Intermediate and output values are represented as byte strings in hexadecimal.</ t>
<section anchor="expandmessagexmdsha-256" numbered="true" toc="default"> <section anchor="expandmessagexmdsha-256">
<name>expand_message_xmd(SHA-256)</name> <name>expand_message_xmd(SHA-256)</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
name = expand_message_xmd name = expand_message_xmd
DST = QUUX-V01-CS02-with-expander-SHA256-128 DST = QUUX-V01-CS02-with-expander-SHA256-128
hash = SHA256 hash = SHA256
k = 128 k = 128
msg = msg =
len_in_bytes = 0x20 len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465 DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348413235362d31323826 722d5348413235362d31323826
msg_prime = 0000000000000000000000000000000000000000000000000000 msg_prime = 0000000000000000000000000000000000000000000000000000
skipping to change at line 7459 skipping to change at line 7138
435330322d776974682d657870616e6465722d5348413235362d31 435330322d776974682d657870616e6465722d5348413235362d31
323826 323826
uniform_bytes = 546aff5444b5b79aa6148bd81728704c32decb73a3ba76e9 uniform_bytes = 546aff5444b5b79aa6148bd81728704c32decb73a3ba76e9
e75885cad9def1d06d6792f8a7d12794e90efed817d96920d72889 e75885cad9def1d06d6792f8a7d12794e90efed817d96920d72889
6a4510864370c207f99bd4a608ea121700ef01ed879745ee3e4cee 6a4510864370c207f99bd4a608ea121700ef01ed879745ee3e4cee
f777eda6d9e5e38b90c86ea6fb0b36504ba4a45d22e86f6db5dd43 f777eda6d9e5e38b90c86ea6fb0b36504ba4a45d22e86f6db5dd43
d98a294bebb9125d5b794e9d2a81181066eb954966a487 d98a294bebb9125d5b794e9d2a81181066eb954966a487
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="expandmessagexmdsha-256-long-dst" numbered="true" toc="de <section anchor="expandmessagexmdsha-256-long-dst">
fault"> <name>expand_message_xmd(SHA-256) (Long DST)</name>
<name>expand_message_xmd(SHA-256) (long DST)</name> <artwork><![CDATA[
<artwork name="" type="" align="left" alt=""><![CDATA[
name = expand_message_xmd name = expand_message_xmd
DST = QUUX-V01-CS02-with-expander-SHA256-128-long-DST-111111 DST = QUUX-V01-CS02-with-expander-SHA256-128-long-DST-111111
111111111111111111111111111111111111111111111111111111 111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111 111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111 111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111 1111111111111111111111111111111111111111
hash = SHA256 hash = SHA256
k = 128 k = 128
msg = msg =
skipping to change at line 7670 skipping to change at line 7349
616161616161616161616161616161008000412717974da474d0f8 616161616161616161616161616161008000412717974da474d0f8
c420f320ff81e8432adb7c927d9bd082b4fb4d16c0a23620 c420f320ff81e8432adb7c927d9bd082b4fb4d16c0a23620
uniform_bytes = 78b53f2413f3c688f07732c10e5ced29a17c6a16f717179f uniform_bytes = 78b53f2413f3c688f07732c10e5ced29a17c6a16f717179f
fbe38d92d6c9ec296502eb9889af83a1928cd162e845b0d3c5424e fbe38d92d6c9ec296502eb9889af83a1928cd162e845b0d3c5424e
83280fed3d10cffb2f8431f14e7a23f4c68819d40617589e4c4116 83280fed3d10cffb2f8431f14e7a23f4c68819d40617589e4c4116
9d0b56e0e3535be1fd71fbb08bb70c5b5ffed953d6c14bf7618b35 9d0b56e0e3535be1fd71fbb08bb70c5b5ffed953d6c14bf7618b35
fc1f4c4b30538236b4b08c9fbf90462447a8ada60be495 fc1f4c4b30538236b4b08c9fbf90462447a8ada60be495
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="expandmessagexmdsha-512" numbered="true" toc="default"> <section anchor="expandmessagexmdsha-512">
<name>expand_message_xmd(SHA-512)</name> <name>expand_message_xmd(SHA-512)</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
name = expand_message_xmd name = expand_message_xmd
DST = QUUX-V01-CS02-with-expander-SHA512-256 DST = QUUX-V01-CS02-with-expander-SHA512-256
hash = SHA512 hash = SHA512
k = 256 k = 256
msg = msg =
len_in_bytes = 0x20 len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465 DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348413531322d32353626 722d5348413531322d32353626
msg_prime = 0000000000000000000000000000000000000000000000000000 msg_prime = 0000000000000000000000000000000000000000000000000000
skipping to change at line 7905 skipping to change at line 7584
00515555582d5630312d435330322d776974682d657870616e6465 00515555582d5630312d435330322d776974682d657870616e6465
722d5348413531322d32353626 722d5348413531322d32353626
uniform_bytes = 05b0bfef265dcee87654372777b7c44177e2ae4c13a27f10 uniform_bytes = 05b0bfef265dcee87654372777b7c44177e2ae4c13a27f10
3340d9cd11c86cb2426ffcad5bd964080c2aee97f03be1ca18e30a 3340d9cd11c86cb2426ffcad5bd964080c2aee97f03be1ca18e30a
1f14e27bc11ebbd650f305269cc9fb1db08bf90bfc79b42a952b46 1f14e27bc11ebbd650f305269cc9fb1db08bf90bfc79b42a952b46
daf810359e7bc36452684784a64952c343c52e5124cd1f71d474d5 daf810359e7bc36452684784a64952c343c52e5124cd1f71d474d5
197fefc571a92929c9084ffe1112cf5eea5192ebff330b 197fefc571a92929c9084ffe1112cf5eea5192ebff330b
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="expandmessagexofshake128" numbered="true" toc="default"> <section anchor="expandmessagexofshake128">
<name>expand_message_xof(SHAKE128)</name> <name>expand_message_xof(SHAKE128)</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
name = expand_message_xof name = expand_message_xof
DST = QUUX-V01-CS02-with-expander-SHAKE128 DST = QUUX-V01-CS02-with-expander-SHAKE128
hash = SHAKE128 hash = SHAKE128
k = 128 k = 128
msg = msg =
len_in_bytes = 0x20 len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465 DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348414b4531323824 722d5348414b4531323824
msg_prime = 0020515555582d5630312d435330322d776974682d657870616e msg_prime = 0020515555582d5630312d435330322d776974682d657870616e
skipping to change at line 8092 skipping to change at line 7771
61616161610080515555582d5630312d435330322d776974682d65 61616161610080515555582d5630312d435330322d776974682d65
7870616e6465722d5348414b4531323824 7870616e6465722d5348414b4531323824
uniform_bytes = 9d763a5ce58f65c91531b4100c7266d479a5d9777ba76169 uniform_bytes = 9d763a5ce58f65c91531b4100c7266d479a5d9777ba76169
3d052acd37d149e7ac91c796a10b919cd74a591a1e38719fb91b72 3d052acd37d149e7ac91c796a10b919cd74a591a1e38719fb91b72
03e2af31eac3bff7ead2c195af7d88b8bc0a8adf3d1e90ab9bed6d 03e2af31eac3bff7ead2c195af7d88b8bc0a8adf3d1e90ab9bed6d
dc2b7f655dd86c730bdeaea884e73741097142c92f0e3fc1811b69 dc2b7f655dd86c730bdeaea884e73741097142c92f0e3fc1811b69
9ba593c7fbd81da288a29d423df831652e3a01a9374999 9ba593c7fbd81da288a29d423df831652e3a01a9374999
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="expandmessagexofshake128-long-dst" numbered="true" toc="d <section anchor="expandmessagexofshake128-long-dst">
efault"> <name>expand_message_xof(SHAKE128) (Long DST)</name>
<name>expand_message_xof(SHAKE128) (long DST)</name> <artwork><![CDATA[
<artwork name="" type="" align="left" alt=""><![CDATA[
name = expand_message_xof name = expand_message_xof
DST = QUUX-V01-CS02-with-expander-SHAKE128-long-DST-11111111 DST = QUUX-V01-CS02-with-expander-SHAKE128-long-DST-11111111
111111111111111111111111111111111111111111111111111111 111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111 111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111 111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111 1111111111111111111111111111111111111111
hash = SHAKE128 hash = SHAKE128
k = 128 k = 128
msg = msg =
skipping to change at line 8281 skipping to change at line 7960
61616161610080acb9736c0867fdfbd6385519b90fc8c034b5af04 61616161610080acb9736c0867fdfbd6385519b90fc8c034b5af04
a958973212950132d035792f20 a958973212950132d035792f20
uniform_bytes = 945373f0b3431a103333ba6a0a34f1efab2702efde41754c uniform_bytes = 945373f0b3431a103333ba6a0a34f1efab2702efde41754c
4cb1d5216d5b0a92a67458d968562bde7fa6310a83f53dda138368 4cb1d5216d5b0a92a67458d968562bde7fa6310a83f53dda138368
0a276a283438d58ceebfa7ab7ba72499d4a3eddc860595f63c93b1 0a276a283438d58ceebfa7ab7ba72499d4a3eddc860595f63c93b1
c5e823ea41fc490d938398a26db28f61857698553e93f0574eb8c5 c5e823ea41fc490d938398a26db28f61857698553e93f0574eb8c5
017bfed6249491f9976aaa8d23d9485339cc85ca329308 017bfed6249491f9976aaa8d23d9485339cc85ca329308
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="expandmessagexofshake256" numbered="true" toc="default"> <section anchor="expandmessagexofshake256">
<name>expand_message_xof(SHAKE256)</name> <name>expand_message_xof(SHAKE256)</name>
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork><![CDATA[
name = expand_message_xof name = expand_message_xof
DST = QUUX-V01-CS02-with-expander-SHAKE256 DST = QUUX-V01-CS02-with-expander-SHAKE256
hash = SHAKE256 hash = SHAKE256
k = 256 k = 256
msg = msg =
len_in_bytes = 0x20 len_in_bytes = 0x20
DST_prime = 515555582d5630312d435330322d776974682d657870616e6465 DST_prime = 515555582d5630312d435330322d776974682d657870616e6465
722d5348414b4532353624 722d5348414b4532353624
msg_prime = 0020515555582d5630312d435330322d776974682d657870616e msg_prime = 0020515555582d5630312d435330322d776974682d657870616e
skipping to change at line 8469 skipping to change at line 8148
7870616e6465722d5348414b4532353624 7870616e6465722d5348414b4532353624
uniform_bytes = 09afc76d51c2cccbc129c2315df66c2be7295a231203b8ab uniform_bytes = 09afc76d51c2cccbc129c2315df66c2be7295a231203b8ab
2dd7f95c2772c68e500bc72e20c602abc9964663b7a03a389be128 2dd7f95c2772c68e500bc72e20c602abc9964663b7a03a389be128
c56971ce81001a0b875e7fd17822db9d69792ddf6a23a151bf4700 c56971ce81001a0b875e7fd17822db9d69792ddf6a23a151bf4700
79c518279aef3e75611f8f828994a9988f4a8a256ddb8bae161e65 79c518279aef3e75611f8f828994a9988f4a8a256ddb8bae161e65
8d5a2a09bcfe839c6396dc06ee5c8ff3c22d3b1f9deb7e 8d5a2a09bcfe839c6396dc06ee5c8ff3c22d3b1f9deb7e
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
</back>
<!-- ##markdown-source:
H4sIALnTqWIAA9y96XbbSJIw+h9PgU8+Z0qqJmgu2muqv6E2W7ZkqUW53O3x
lA5IghRKJMACQEm0quZZ7rPcJ7ux5A6QomrpnrmenhJJJHKJjIw9IoMg8Iq4
GEf7/tswv42TkV+k/vF4HE+LuO8fzrL7KPfCXi+L7vf9W2gSFGnQx5+9QdpP
wgm8OcjCYRHEWTEM+sNsFFjNgua2NwiLaN/rw39HaTbf9+NkmHoPaXY3ytLZ
dN8/PLl643nxNNv3i2yWF61GY6/R8u6iOTQa7PunSRFlSVQERziS5+VFmAxu
wnGawOhzmOA03vf/s0j7NT9PsyKLhjl8mk/ww395XjgrbtNs3/MDz4d/cZLv
+526fxJ+Dd5Cv9BX9JWe8HI62QR+Siuep9kIJjtOZ4PhOMyiGkysX6cnOQwa
Fft+s9H0r9OHJI+Sgd8t6Fk/LmDN3TDxT7Iw6cd5P+Xf01lSIDg+JnERYXMA
UO6nQ78zibK4H1KraBLG430/zCbD8Ovtf/TV6PV+OrGW1K373X5aFMZSuuHE
+I2nnwIkx2P/OurfWlNv+Z+ivPDP0nTqXw2MmX+IHvx/wGbV1CdYZmNz8+WL
yMNJPcfp/EefZ1GPBjNrDR9gDTPAvvswMZbxIe7f2b//C3cigcks24arOu7E
p/C2NzeWcBWHA/t3WgKMBGchG+DI91GWwwTNsbL84T/6eT0XrUrgOqwjIn9K
04Ex1OFtFudFOr2NMuvpvxBm/fDhP26jcAr0pRcXeR3OsuclKRy0ApYNJ9M/
Pj3a3Gk39umtIsxGOJ/bopjm+69fPzw81LNhP4gGcZFmdVjI6yjLwiJ8HcUD
fI3fYjq2dnVy6O/sbO7W/GNq5J8e+dhojVoRLfLfzcbzmt9qAHHCHxWFoH+B
+KtJxVmYjMbRXP0uCMUAjpd85CFRMxZ0cNZttoL2brN6SdE46hcApn4aJ4BC
r3vjdPQ6iR6CPAmzOyadr61l6Q7pHH69C7ofOlfvHWIN5zuB7Zz1izhNzBWf
hxkteOf5BQOaHqQPkbPabgQ4YP1OCHUsFgIDxwn8ZzINEwTUwdVee9/eF6Sq
E3gr7I8BUwAF/Sl8hqmHSOD8aZiFg3g08QGO/iDK41GC/CgaDuN+HCUFtE6B
xqfjnNeVA5pBKwC7XMfaabK2719maT8CVElGhI7FbeQ39/bafufwHKEzjLIo
6Ud+yrOdAWvxYWb4ZTKDwx0i5HJYLuyBPI7Q9TQcRTn0vt0Kdtrix6OLUzw0
9WZzc+t1c3t3a3e3jn/2tiv3fJDGhLuL3+CtOoqAkeGUn9+qc9gqoKMAS2e3
zuPbOCs9ox37eEjH+SgGblzd62Xdv0pH4UPoYvzlbYzYVnoq+z0K7+Mcfu0e
HzbtzYdf/OZ+CVmz+bRIR1k4vZ2vlWAmTn4e9UcEN/jQDO5b9elgaCE2neTG
3lJoKWo7CLNBTih2rBDLnIb/BmUSfx0m/GaDl9IqL6UFFD0Cyj8BSgnEz1nW
UQpkL/EvAaEnEeBXvtLaWuW1vQsTOrSNP2dtJ6eX3eZuI9h0FoioH5FAqLqF
l952N8rrQLxO7sfTWQ+oOrCd+ii9f40f8JfXOMDrD6fd6zp+qtNYzhI7sxEt
cev5JX6goxmOgXHlMFc4uXi+9cLxFKNYk6RATOf+Og6sl7ntLhN/9i9nvbE4
8z63gYMxigsYpQsEKCwQEnKI37387dLygRHR8pef9d+9/FbDReK3naCtXoaT
HWWTWUEjBAdhDjhN2499Hj8WgOVhbxwFFzNYWOGfzBLiLxV4/SKAwKz++dhw
cHT5Q2PXgsZFQlziNBnEQ2IPRRz24jFQf8lAutM0GdnMdQEPklyoMwBZtQ98
DrkinUGaRuAff7y6OLz6x+U1Eq1d/ZZkMM3dZtDc21EPFJNpNHZe7+3sBu1g
a7MR7Ozube8E7Ztm81les/RFhruaylJu8wa5TVakSVxzGMObWQwak3joEKbr
87ifpSzwwNN+Xt35uzqwjwgIqtP1uxSZlf3kRR0Dj7yMiAyXeGT/NozGpaeM
Xn+/BBlgEvfTZAAbnmYLegeY/AAT7OR5/9Zlwm+AWwIGVDxfvIDDo/PLxpZ9
WM+j7A5O31E4GYVIi68iYLModYPWnj6gxq4QE+QoOrjyiC4SlZ5FU0LRC0SM
rTKObraBkG/uVuNos7nV3mo1d29az4tBVe0VRi4nAow0AQiroNKmJawBaTXo
Rr0QaEOUOE1YXFEaFx7ys9ljNOmls2xUPdA/ADvTQeyi0D+i+1GUxHPnIWOQ
1JYd3a7UN2hx5+E4TsLZwOn+MOrH46j89DcsAGS6SxBv56Er0mWALiEICs7T
JUs4OOu8P2793cJR8VvlhvfG4V3UQqVPfHx0qD4JvKspY+8CWEhnNgnzvHrP
UUSNp9PIbVTWcT5EaNuyu+iGkxlQBPOR8+Jn0KjjcT99DC6+eRuFmTuJz2l6
l1Y3KW/7pzhJomwcxW4vrMPHQDisJqf9MCsaexbkBQWgUx8nFdY7bPu7CMBe
mQC0G+2gLfYL/1Uwqe3NVtBot7e2g92b5u4LmFTFi4okLBfyCazXdQaTA9Hr
WxDKc+cRk2FY00TqexHJDQrdI38ws4/WwcG7s0tHfrh+gM1CNWDwQKJHfyXA
n1ydHnaWSQLt3b1g0yC/CySB7d3m9mawtyq5XfjiSySBozrya+D3wHbK2HsU
JjGcosoWBPKjCJT9YoL6CZAupYZ3UWXpRzWHtJ0CQidpDCIdqDO3IK2PUmjS
7SwkdAdxdgeHxqV0yOVLzyrmcx6CyIeWnH4uLQPO/EiujJGjG6gSF/5xnAxu
0/sItLZrePYhgo6yMfSxWDR5l85LunuY9e3faZKIwUDP/Kt/O2JbXLTwAKBR
yu31Okx+Cp0n/9LFH9Z5S1warGhf5D7/50338H3TNmBgk1GUgjqfEU4Ox9Ej
HDUAZlLkSH9DOPU9ILp09mkqMTyYShNA/JXtSs8QhXdAZVCnQU1mDjRnTIY1
XBK9XvPv07G/uePHeT6L/HaZZrS2t4PWbrOCZjS3X/9U/ynvg9bVbNbhf41G
+3mCsfAtSS2arRWYNspos/sIFOoSxyWmTRhf0cSWcyL/IM0GUTh7XDjM+3Ay
AQXOPfo0yJuwlyFZKrVxRxlEIGEnPI8frloNWxg/yoD+JL1xmoL43YHNmn8l
txkgCD8ajufAjQGPbkHWwZ38dNlpsybduQymD4PnZPLT4+Nj3P5pmsezCRoq
pTHS/zeQ1+L7sA/6bPdyo3L7omkGYkA9DvtsKYct2nvd3rV3rbXcoiSJE2gu
t2k0LNGn4nZeerZIYPQ7vZl/dAsKdfUwx2hsTEpq3/EcjoH9gKkg7GDnPr43
R0DYvv/on0WAQNj8xDm80rVJ4tHbKM9RsPoNTLrZrDhwwE5bu3sVB84SaFrN
ve29YPtG2N9Xl4ScF9Wxaz6/gVd1/N9JSBL+bewA+Cr6GlY/Jzifh/2fZyHA
RQMaIdv9wRE/LxJyCyvwRlL6XAm+Br3TlBy+a0mUSV7bT1J/s0JE2gI5dLtR
hv5Wc+v1u/PDOsqM9Uar9SzUK194idz5J0C7YpTTOh6Y7i0wFhCK8jt3nNMR
Wn+rW7xsJKCmJ0ABYBOEo1gPgo8i2ObIfVyhl15HjyFiwcl10yakx8DjcbsF
7czjr5G0tsHvI/oyQNY5idF+CBiFeOYPpe3RLyNb/Rlsu8zSUQbHv6TrnHWu
Tz+oU94o49luM9irYqrWUW1u7jRboLRsvfCI2++pE74Cib4MMI4hnf08c6W9
yzjKsijojNER4bRgv10/HYPUgy5L+NudTRFqaOxGYnr64eq0o5lgxcjAHK5j
0In6JUw/j24Hcfkhs4fra194Fy7HYYEOU5BIe2kWFiluGuOJbaq2rbLjyAxU
OQhhkUUafAgjEBpHq2m8K2JBq4wFzWCpWRb3st3eBFwBxfWFOGC/9xLh6v+P
OPDuutl2kOCnqI+udR+E+pR9uy9mNp3D0+6ldrZYW9tqtIHVLrBoGtu019ja
Q+P55kv3135RbfAKPt5/3QZ3UD1V0rYKewA2H4NyZj1iS0qa9VLozhCm/8mY
8/7symUzAl/8KUwaNDKQpm/nAAcHdXzQBDN/GGMwC/yJxgOiDzYDmqbjeZJO
YhBQgHdFz9GZzunV6Yc3CzgKyY3L3TzEG3Y2t7aC5sstaM6LL+Eqf4YeVTEM
SENnUQZqujvKVTQHmXBQevrC/t/U8XE4G7umwDcz+BkW4D51++fj5UcFWmRA
YALuEuOmd64c6tRFiQomk6aFqa0zTh2DTsI+1Bx/OyHcWkUDvM7CJA+FsGNE
q+R1Eom328IKUKmV7Lb2QC3ZrJBZmo2919co5zbb9ebm87JKVXvGpg/pPZnt
N8soVd6KzuAndxvg4Fo/E/xPuyedmrkLh+NwBjuNlkT0fZ3N0VNf839A39os
64WAADXLHuaMfYL65QCkg1mE8ZxJFgOZ/OrMRcW2LW3LEXSnH3447l53fghO
Lz/UKJTmMhpkqf85xAhXIDc1oGKPMfR1CDKw/IKy6cEHx7N3GcagrI+CE0CE
ZDCeu7Z7lIFB4Z9E/kU2ECdhMdZ0yZMYDfxOFoWGeCOCP6pdee0msKX2Atm2
2dzea7d32zcrKFBV7ZX+tIJnB+22LM65XA4OaYoOm7M6xTs5jZjRwdaNQ/8y
HQPK9DGKS+PQIBwQreiGKfdVMz8eZOHXeLyQTQnJ0uVSwnPsPqW5nMFveTG7
HYOukqHhMIX5sgHyVMYIoruW7JJ3Nf/qNorJQBlgAO4wHHNbw275FnQs+DAD
Ht4J4Yekpv6+iTBaGb1ynZO/XX9u2jEuBzGcGcaqETJJPydKNfh9iBT43c6h
PvgWOrUaQXspU0N8a7YbW81g82Y1pFr0nmJpFfSnwl8BdKADp/zWdYBSHFzF
U6ZGZmwJE2A4r66D4jCcTAHSC/jQJQXp/jYBrorb+U0W38TUdBsgJtRsmXPg
sO7/LQ7L7kbgUdbvfKo+dP81CkDFWGhDrgONnYbj9CHuuwScJBMd+VzVkDcU
hV746do5KWulM0LAp8lpybEkNA79KZFntEtnPpyVmXgn42DXvED6vjBgVR64
E8Ae4D/K8CUOGm7zEUYwK/tv4J8sOnnNNhyQreUu2e1WsLm1udMKtm6EILii
QFl+8SWn70/Dk+v3zR1bT5xMM5C6Bs5OKRMlQpS208+iaRblUcKi2jP7c0TR
yHkNSMAggj/kaTJ2io2Uu1Umg+0miOILKGLebGy32kGjuR00WrugD6y0JdVv
qf1YIcD7n3lur0GZiCfOMNchMDcQnMwnq45xcNKwrfunAzQNFfOgR3GLIIHh
zqCsPczgCKJB8VMUj/0pC1vPbPUK8RBV8nazHbRaC7wA7G3f3Nze3EELzwpe
t0UvWUGSjRVcAEcYyp9ErgH3iEL5zd+XZqNUIRAymbtxyfV/HhYA8IfyYzdE
/OCs6+xjF5ZR+LmMus1/0/YZDgXXh9Dcqdi3vR2ULBYcTwDx5lbQaGwGjXZz
M9hb7XhWvmVF+zZWk1j+jJ07ADF6nri7dgDs3/r5ZZ2+RX8DCKShe87fpvfh
fenZks4RK2zdWofcAvl21aOHuLgFBSnK+1ncwwCcCfyXrD1H0SiLnrUIKr7K
qSs6/wPDATBBMa9Ama2doLW9gKLzqW1vbwI92LlproYxlS8p1WkVC+HvUZ2W
qEnLdKM/BZHOzRRG3atUt+xnHA2C8fsJadpG7zX/NIswlgNR6nzPiX0/Zg4B
+HIXzf3oEVnRiKCV55hwKhiJSjcCBCKOFI5ATM8LfxCTUQY1K6B2Yf/uWflu
iUcfRQnp0w/8i/AOp43ZPxXCBMhfu5tlxEMLzdVp97KOb9WBFbW2n0e8hS8x
4qkJPJcpJjKQ0vsSK+gWEZq+qhrQ1nWu/+2aHq0gRUAn56AqxQtRw326fISD
88uGbSa+BLEx7I3ncq+nEhdw/ShfoG3HRhh/lhOliYfDOArewjCT8I/JCqgw
F4NkD3LkAjONkBW2ttoUKbCaGFn5kp1StYKt+AdkU/M7l/D8EGPIvPOI/c+n
13o35pSs5MZsLSRyRxgo3X8fJV/jkiZNYb/VLWjcEhrU/LNZH6PIVJLIQuwD
NL8EwIxdBA+z+zBzHr1ssHd727YMhIkAI419aQIouRgFn2Nvp28OL87PNYBt
HodpBNEDC0etbWFNrjARbgWtCrUSMxhbm63dve06/Xk+sKX6DUVvVrARwvYC
GryDg1oK/ka5clDxVJhxCpAHkNwKFMs5+5lS3mGX0GTbQQst6oktrlsACmJa
GUVUDrGG8/smLt7OeqhVAolHzK6ExgjklVkPU8ZfY6WE10srJ9hqHRLnn2Y9
+F8w/Nma19c7Ymfpa34Mkxn+XBdRk0sm4LyGGci915MwBzx5nWf917oTaw5n
rmd2Mh1jbo6Sz9iIQucaV9Ha2logBmH+YzxBl2Q4vo/TcVTIeLX262brdWvr
dSS7q98Wk7E9lxXEotUSt32/e3B49N4JazoBQJg7/qaFXLtkr18t4EC8xXl1
jilVPFwQZ99stIKm4a9eGGff2tsNmjcvD7M333tJtNPLJbVu/zZNx5YddaH0
dhCOx3OgVHXRQslz9erZfEAZA+ih60n8EKaT2H30p88GYHN4G2ZwLMJRUg7u
TjDDpKrBnz6xM4raPwKYJOjhwqTPkifsbBbny1r96ZM8rrMDun8b566t/vhr
dCcyC9wGf+y8Tt5fOTGkfyRBWO5fKVOBzWYr2GxXRDk6oaK7m3vbQeOm9dIA
NOfF1WJMJUadzID4R3lwGGKZkmigtkTgUzjLwsWNRE0aWwA0Yvxrtr+1Lryp
C1HnfRJOpy7WUFqO80jmEhQYmz7pxQlJav3c/zf/Alj7RATsu66eTwCbbJyC
wHAYJqFahw2V5S7n37fkFR3WB5eOZVxXBKAwykk4zTUaH5x1nw2hii4xrnyN
bcyvNxcw9Yroc93Y0i6WG6olAz+YDTIjpVjw73GU53BSs9R9XhGAehDBDGEf
P6TZQ8j69vnpVefwDAV0FMzTZID7fAziAFsMKjALdvQSw5tLdTZOogFWu0lL
j6tCYTGGETDntAjHZOx6+96VprQbal+5MFgalF6oOBlgMBKQ5ji/pXhIMpP+
Nr9TRakUFK2oVAooD+jm/c0VUwz6hQnne7sV9Is0gq3G7u7WXr211dzeaT8f
V7foHTsmZQXx8H9wDhtIEG/DSU8n82r56i4qPWKCYoqVV1EehVn/tuaH/iDG
ZHGMRhr6V/hmvmRgOHHvszBP0nuX9XaSJCw/o6Gl+erflCvGH4e9muE811q+
dMIZkRCGTnYVDnrpzLQT+h/inybRaOWksv+RyW8HZ+eXTVu/WPvbLEyK2cTv
x1l/hqliCCM8gIfd06O3+37KTAjh9bNoGt2H45mILBuCup5i6nn07CFfyea0
yAfCQkKj3QiaO9tb28Fqzqvqtyw98n/v4fwfiWIV86SyAhmcuEE4did7eDtO
o6rH/9IZn6GdLUlcdf0M+Gry1Xn0z5tot9uwY0UuEj/6eSa43vzHlv+9//hj
4v/Fv8MjFlpRxM+lpBzMxuOowGJR6RgYut/phwNUreM6LYdDPbdaNcx/qgpb
b6HfuWyd22xsb77uhVstOIbPpiKUGytLwAqOyg5OF7SiryX7aAcktK/RT+XH
C/cuwr0ri9xZHj4sNkPcheOey60wYHeWf3UfLkeahQN33bDNxQFBpSjy54hz
vwhBDYyLW1p8KFzVzZ1FG77XDtqNsh+A9jAM4UXYxGdNsRWtX1J15Z8E9U8N
2zhuVl/ClpmsALUkQOvF+zEepbQb0MeH2aQXiQjOed3vfLjuUixrvbwtW81G
sNWq8M1xVOzOXquxu33TXrUgjt3+JVG0HXLFj8elUEM8jNFD6aHICdSE09RD
nY1BdTMBqAXnIeggaYIkij4Qs1xgzgEuBOIHOpY/pRHIgz+VLGIy3x9aLWxp
TxMIuBQuZ+Y0kZSfRTEIoXXxt0TPcZYfG7ZqfFXGo36UFRiTuWKqyB9C5LeI
yFe4ffd2gmajjFuSbG8FrdVpvG6ssGq1gLGP4zAvHXfgqz/ZT8pRs9ZRfxeO
YnQGJ5iBrdGrjpAR7vrD0/OrUq6oMl4szAak5OOLbKAjnv/IGjiVGTztnaC1
teDMm9mdGK23s2rc18IXX5LBcwyCcVZOrDnGOq32A7FfqEkssqr9ETW2ynV0
KgZ6ceWel3VPvuFB2YTDnkPnEdcaOD47Prw4Dy6Br+WqYHZV+BPWts3icvzT
bDQDtCo9fUnvvy1YcxFoaiInMBE5gbnKCYT3Pzl1jdaObcq3L1liQSyRhOx+
qYRr1TnDys1AYwF/E13FbIp29xwoM/KAcDoBkoA9vgUO5b+Gs3eoWp52Dz4g
HdxtbiLBgpNRLeKgS7Gf9TGyNycnZ/mVl1Q5OqOY809MYYoS/p+FD2wYcxsd
uqWPO1jcJMsjEWcmE8SA5YC8EfWy0JU2FkPSAFoXba2jKAt+QOY2KkOrDWSk
gQB4SaIFxno3WnubW4ETD7SCSe0tEorbUi0PMkyrJ4cnnaOzDz84MjVWTOml
6R2yDIV2hA4WCy7XDV4FUiuj19bu5u7uVnO32gxZiV72Ky8Ro1eCVsV7bzD6
tuTUfhNlt+jmMB6VEy47wOi+lmpTpD0s3Gk/LItxR2m5wqWRcWE+/q0WE+e9
93X/w2g2L0HofTyxH5St9XAk+iEq/6WXAT5osr9zmpxf/ODE4pgY2ZlOx7Hj
vF8J8a4OKT41L+NaY3dzr7271WqXEzEA1froQJk9CG9TvR++vg37r+0DuZo6
8A4dSEn0tVR5qTMeAijKz8txV0KGv0gzkLxTlz9jsOiCJuU4qg4VFQKUKakB
FDLgPP900KwIy8BTnMcYd+KjQlKESRFgPrbK8gBcRkuqqpjvqIXPSIOnncMr
Tr6Flb897urHIKbPJtHavm0vXaPAKXTTlkXBdnNr83UBByOv3+NL9XizDj8F
oOHp903P2t7rzQVluSrrOm1a1bhk9eTVqtVYt1HofSjfVIH/XhbH+0cEr5+c
dK9/KJWBcKT/coEYsf+RyUKqtLhnkID1MuTV9YW5PZt7zWDLqBOiFYC9xutu
o9HaCrZ2mrsB1vEAlrrd2A5WCNB55t2XBED9c0oS/Z78xiXCaMVI/7ziR79N
6H7Zav7gAkvnV28dO/VaRUHzmh9jFHoei/rmwJtmY7Z5ADNg25pIcAuR50nn
riCpmXmHhz+JAPkGpCwvv5Jj7frwkMzJ+0K+1fk5puZgJVQFbUkiF9Q9bW1u
tzF47SXCbfk9Pk8nUW/VxJyPqEbOyrUxPsKGuU8YK67f+p9noHovUPCu6pxk
Wy6DgTEp7rOVugRu/BZQsdJ3dkjhmnlVg3Lf51c/7NkcGKSmeMjEV1zoom4D
WIoCVvYDohKQg2QgsKvCR2fuvcpy6J6cHHYxY2GvDmrN1gIx3U1zqH6LN/6i
X6D0S/etrMA2MeEBC9S5VKEbYwir++z3Bbyfo1mhV86wEyGW9jMa6i0FpFvu
c9vsLsXYpeN2UQQb3JaSxLuwtLH76AVL/HC1Z9td11jlDQpRIqHP4pyw8BNW
GJf/5NFskAaCAA3tGyj+DKTT2MPIs1Pf3txurhKgsuilMsatZnr9EKYubThP
k9j+nTbiUxR/BT030RbY6k4vkOSApJSO3YrzFxOARunZ4s67u7Ya70bGX6Ct
/IRt5Vz6hngLBTqYlXKGZhGd3J+kA3+6gogmvRZqL7k7qpK7Kevj7FQYbzd3
28HmXpXx1pa/mnu7W0FjZ2entdsIVnDfPPu2kNSnhAC7K1gJruoc1upWYQW+
EOkn3c6bYzuTBBaKEKrx/SVYUNEEWDcdFg8I7+4ceMBk6TTYWil7OYruo3E6
jRZkGNCtRlhRHQXoVNhi7QyCA1er64BUhQktMcbHX2awIhmN9inOojczpGk/
xFkxC8ccbFREMkETm1OW3nNKnSh2xnFR8GGKycYf0rq/tyhb7jYc1+Mki8P6
MMMvIIaDJNHe3HrtbuRqKhdmTMal4NSDKPkpBA3GfqZrVfhkHl7Y48E4TEC9
dHXyg2yWpOWHq3X7Hrq9BWCE9yUe8B6YyW18F81Rkyu1qej+6vCgaZtV1vCg
jiOstD9gqzAyjMlsHHIMlFlQw9HZlhP71eKcZKyEpgQNoAQtWflvUdWMvd29
Bpbve0mN/YoX7QjYVe67IOGwXDU7TfPCeULQL0fQLZQQD6EL9MW58mEWYiVN
9yEzeryvJgfSoU5Sde9nmGtcxIkbIHAW/TQO3UeL533V7TpR+GuHQLOGszFn
fiMmYboVeRbO4klcaNa+6EKnEyzIjpTjj0CmZgmZdneCrcb2EmTCcPvG5vYW
ljF6cS1o+0UbmVaoBnENyIQ3VSTThV62iucVOmcpFKB6vN9SF+D52wmvsVcg
EtOyR0YsovyY41SB5FN2Nd1VaqPaJ5clJX70iPpvXNT8EZwzdJ261fxVzKaI
qggCN4AB4+wrN/lFmYCvs/BBpuYN0v7r/H7wcEOTyZ2bdP7pxr9ps73drjsJ
9pzuLm8O7E6jPqiMfQ0ylWjPGXF8B1/wPprbUcwcrffzLFpwz1wu73qrx1EU
8TWK4qfXOK0bPDGNXTd5sBtNQeIhEfxZNyBzNFyOVhVS0BX02sOVl87sbcFi
gyDo4GWSpKk1kf4wbwzHvxsMIUJh04XCOceHP2vzWAqB8+s9x2N8DpiBBgu/
oDtxMhTuMIxhEE+4ACZmXWH4ZIxpDFncm2EelMxesJW8hD2idPpQs3yGYh+e
l0pmnqeDaCxDzvX8Y5Q2CBvXry/OO4fdjRoa2mYgd+zW/FPWGlzSjnF3Jf0Q
cxF2Wnt7zTr9MfOn3oUJCK5z0vMqkUxXNgiLfDZJVWGOQNG5D3F+C5PNwueV
zoqZXLpXV+gwGufC0otplAkcvUiYywN9L7J0PIb9BHIPzNZU4nQ90wU4WXZW
tBqvZWLpSy6huMbQoCwpWUEEpXeecQ2pw0O+6BR+fuuCoORBkD4DyqLR+cut
F6yrueWE6Kx4u8ZLUzw4ewMT1z0P6IUf9uAEAbZ73vVtnPvAGWZEPnKmOnjH
sjxDwLNDGdnIdEjW0YaujepoXpj1Yug0m4sUIr7ahkumpehAd2Tyum+PjUH0
WDkFTcmeEMOYzvknaTabaBVM3EV7eHL1ZgOlLBLYrq5P6ry4STwYjCPPe4XJ
+9wfHtinV7Hx9VfPOw+TuRmEgmxaFW7JkNBg5Rb8rR8NsLJHcRsWvHoEECxJ
rThOgD7UvKg+qtfoPmrmUrUVYaCHgC93SfoA0MxNn1TpxZr/cBvRlDQe6l6w
kl2Mk4SljCmFx8uA8CFt73MF7wGIGX6SYjG7+wiLUkM/QFb7GWpXIK+GtN9S
Gk758lZaR90DvRm0Ttyy6DFEhYykZgZkTjaBnEFF6YLlWusArf54Noi8FSql
5P7TE5bh+fVX+PBub5v+Ug0W+iRkiF9/relabiQZeMe6lhu8cNJoYhvyIAZY
ZSgQEqRZNAzaYWUx6vj/ngZHdS1T9cZ5oFpCT94SWza8Tbbvqn7usyHOA3fg
Apj5fZzCqbwk1sWcyzO7QbNnZS/pFPsBdP+IclUxS7COCFtPY1lUIc1yNuBM
MzjTeWTfgcEbBNiWz0D1gWV4+HLoj2IsvCOPge4NOS3VrJFNnCqJMeIAEHbg
x/0xnFJPVWCTfX2T483s/SymTcHIgTB5uI3HEYIDUSLNYKKF379N4z6Ff+KE
PTXhfojXxdwTmoI8myHkUJOAc0opYLT6XCQS1l3CFsYT8kT1sngwwmMDD0fh
1O/NxWHhtYFQDeC6RQYFI+URmr7h6Ojruh1SGKJbiy8cYTgU8yleJnIMyKXb
4jxRSJG3fUFvKS4ZJIph2AfCHRfALu6QqORMSizqEoyjZFTcer05nE1BW6ka
JREzfkuc0KW0xvukKIPeWBZmBlERxmNB3q2518Su9SKP7lqRxadkBH3k9yKg
PgN+TYFKZEDjNBFf/BFIbUR8YATPpQeEi2hRRIIkdSfA5z6GS0cDrLUCE8pT
X9TdlBlucMztdfACCLAo/uoLX2aoLMBewxLyyNhEwJOrKBygpPIQK2oLlL9/
hwWdiBvOffNY0f7RbmJj60x5+W06AwkHsXI2LuDc4uGKcjzxgOkAHqDFRe6b
+GQpaz6394hAC6jnfi8FEeqWr+o0poFaJqfz8mscrsDNxMQ9YOLRAyBDVDoP
iv4TjGFKdEkGYEKOFB07ZQ8t0JAcr64DGRwnPkSn/ACGQP60VgBuwqgBHN6M
ZrWGoFq7nSUF/Q6zuKutAYL0Q9gAogajFPYlpoOg8Mo4U4QJeNKnY3glxqpa
vYhOJQn7wOtl2A5do1D3P+by6h/4oFbhicnjSB8urv0rjJY9P/5wdHxUM6cz
Z4rSiyJMvsJIjyTBUrrcAI5+DmclQE6URGP/fjZGdYKsQSAigSYcyYvb6E43
2HC88w0oNh5IUGQEe+QJxrkHhw8o7QSXMUXpK+5HfERy6OjpCWtIwCrhfSYt
w1mGyQcm2WRytGivSrusKtXmBHwil4Cbysr1vHgFXb56BY9IGJpQTx9SUfjW
Q8M+Mmvk4YAO5x+712s1/otgx89Xx3/7eHp1fISfu287Z2fqgydadN9efDw7
0p/0m2rP8KuzjWs1b+288481ht/axeX16cWHztkai4MW5UcpKUU0IrowRQkH
6HjuDVTtR3jn4PDy//1/mpuwC//n6uSw1Wwy+8Yvu82dTfjyQEXTcTSqrMVf
EYe8cDoFwFEC3xhxZwocdYyREMBd4UAC2wLEAkCCQHoQ9u9GGXoSQRztqS+/
EpSdkGlsMWLCkP/KwB6COJc+UM4CCst4mQbedEUJJcIX5tDWGps7kVpMpkBs
kE8nSDVBbMBTpOxSyrkWIzUQOi7AzRBC5U1ZJ1ikSeAmkQSZ4l8aW1NCFbkL
kITXn54+NXZJgjkDHnuCu4P4aGbG+G9O1n/e0HWy4RTimYkycaGK/1e/XffW
F5K1BM9uyQ8gM3DInYhc2+61hZNr1ze808SfoJ28D8JkDhMUyglOhF5Gsuj/
7H/vT+veBUIC2AdeJkENkTTLSzuc1j9O+HAz+x/BXCawkGbdObgPeJ9wDpMX
Zw431u4y9yhhFKcU8+1GgjGgH0RfNtPDLa/5cT2qE0KG/n2E9fVQwZpY/QO4
pxs0MIpx2HneBx7Feh5CEtjngEqj1gkX4T20pkjiJvql4wbiQPTI58rtBGh3
ViiluVnzeGaPAJv1xy83Tfj45aZV8+v1On2cbDC+CVIKKxkKQLaUN7gMA1o1
bsU6dHi6UUPRJeFBQmAAGz4Jm/k0TQYqPilS/P0vfs//1j8VKpaH04I3QxoP
ZwdfeoB5QAeFSkjHnsRWAgePToAA3plmqFnCqCCeydww2XgSzj0Oo+L0X2gc
GYELtnDznUPYFK5PQHT0UJdF23vcn41DrCefzyZTFn7CXjoz5WqaH+C41ymJ
8cekEggjAElMoc5YJtr6kPr3oByiysAkI/SsU4u3IZS6VT2wlIu8EeaRg+qZ
AY5KkyM583JACVIPEUnWEWi4xDHuMAkeGxhMAOQKJOMcEPs8TYoRCChoLaN7
Uvke7TrTS7WoRAjKSKJl1sSI2Bw6jAkzgZpPQCXhSwVhU0laIVsQkEA/8bl2
Cigo8tCUiM8MSQV7Ju9JlrUt/Q5MxPDSfAb7cWycxpL0LtojVolcQybsgCwJ
cvaU8teQaKw/1vz5hpdjtuNwLi9JtDdCmg8eCWhz6tYkBid1pIDSy1ojDK+a
T84CVOgblWWohH7EaaB0JaNQzD2atxSFgeiS4mK2UGdQgsyFkXeh8ysFPV/X
2GIgBtfqUbghGm9UTQjFTUSxXqTFJRIQcA8YlgZ4qZY4YNeJoWz6WIqLYh9t
YxLhQ5klC6s0GrOFkcmTqvV6PuttKLw03Nl14pNvcJL5DKEHf3qqod5f51aJ
TO5zAjTrFohaRvtKdESjwq1gWpIj9WFu0UBIjKCgYhVFpBVan+UDslhj1Vpo
YZxCzNJcorMKQ55a2BvK5yGCFMZ49P01Ni1YE1vzuzNTX2XCi6asWZ4zD3p6
kq0D6gBgTaLHoczUtXQwoydABuBxfaYF5GWwgK0hCL95jiQhWgr2L/DZkLbM
njAEmvVurQv5ChVrDt1nJZJCauG83Ick5/NEkdwL0kdGHcAXkBcBpJMJLPsr
gJ0KwpD6ot+ukvL2Pe8XcY+4/wvZavDxL6AJ0EvASH7xftkP6N/+L4H8pz/B
Z+jhpPZzbQqvdWzR7qRC9JrSmX11ApgqJKU6vHiiwjpY6qnxw+/8VAtdUrDC
9yd/bdZxaoA4vzgCNXa3nL8RO9N8DLtJ4KUPyhCus7wrCPoxDqAOWo2I2C31
mbGMjgPifnDPbwgstLZAyEbOkdajUddH6BhOeKbcDnaLialhGWL8ZyP1gEfK
4GW6BIzEPOwqs+RZOhr4DOjdLJ8hZWJCOUYXBgjBRHK42QZ3eQudHIpDhQTk
r9/7CHdk/ZKKGPxHUx94+Wnff6VVloDxlHws3691CVEpTiAn3DO1Ev1SXl9j
jemaMjgovsJThC1n7RhIXyTg7mt9B3M+hDmouAUgjm5RNiLrtzhfpPG+8s9B
qyNwPr3Cd4IJf4dxO774zEC080iUuZLkW+LikQyhVfQA8F/7BbwqWx0gqkQZ
UljQtQHrE5yDd4etk8SaBaawMKqmR3YUprfcCzT1OIJ/HDHVJhEUuQpXi0YU
FN3aCFiaoLfOgjs2k+NhV4KT5rNM3Lq64UoSVnPBAmg5QBkFJyD2D4Im/CGJ
WIlePOdnxo4TPbSlOiidUM+Bdumk0sOCkg0jL4Nh34sZKtovZklMiA1kv/wZ
Yw2hx0SoHYSUxp6IafZieS+tWA7Z+dTk2S6kweiBiNCPrDUjUxBIwgYOCxXr
6OASOIzQIQMqgQdQoUAUKAu87IBCUCgdRDEkDxvVhPYqOfyl3EG2rcqp1cTP
1Ncj8uATJiLYB9pLxkoulYuBFTyqty7rXjedqEu9J3Id7Hogli5/Q2tbZq+q
RxgV515ZVRJyATcnZdqyBePBP1a3BIuTL92dcPT1MxyzP07ziKQ4stvhEuSs
QF5DX2yoAYJAlX5Tohu2J0bBa6kB/5TsnyjhFkxBVPe36QNqU0LAJYFMILU5
6HKnQsl8qGLqc4fK6ZuUe3OyzqZCgLV9TG+HHispzuti1rQerbPWoP1SodJw
fRjoZRDYE7ZMVA4memYXrlT19TCD6h3wniXLXTqWeuYOfB3WLAZEi4ypeKhT
v+8ZlF1QaNgRYsQoQoaJSfrFlMm6xKd3MssLr1eimLxscsQoUisOrqal4nU2
uAu3cb6BIJ1RWtdc41JvFo8LJp5vh4RZSFxwMWolaNrDIyBPRM1AGsFzXkaJ
PFv9eI4SydEMUiQRKPcULfItWqTWhy4Ukxhd06Eiv0Ossg5g5dKtROqxWp6W
L0vG6PWnJzwiRUpywK+/bniCa2hYYEjATLhuI4veGEBWjUksQA+NnXMnvKdu
Rqu0y8bk+jWkIiTLerABDwO6Epal09U2hcTkIxf1hVcESJ1ye8SVbg/yieIX
7A/TAOCvhHKolWjTuzKHc0UuEfk0kLyb1xdIL5DwlShPCZN3MhUQMb+ykg4j
l7QDApNAx773wGkmRFiOhsnF9RoZWiOK+b44wIjHfG+gF7vxQSwCOomPGBzw
toEOhVnCsoj0wBs2O5j9AUoDdlKT5bB4esrScACnSzHAitE9a+zcGBzdFwZK
RwPDt0CWl1lM8W8cxmwhMR8HZ2o0tlDhQVYXZ1EF6mGjfUIOJEIITxG3h+yT
Ax/KJgM+A6Toqde4FTm+cM4M4SRNZBigOWJ9ydYKviRfq5ivGRxBSAaHHW3u
k2VRQ4QKibwJSFg0nMxXDCx8Dr8RzfLnkLtL91/IgGKB0rn5IyG3DgsyBBVT
LBCuQSkRVVofGe50YoHBKYGB5AX4nzAZWYOzQZbPPyY3wlYTvcQ1ocwAyiP6
2LF2OseSFRiCOYkL8g+w0C1JL84t0oZACkqwx+IFEJnXE6wW7EUYk6UbPD11
jw8x9AfnLOKKQvhKPFMZqKVbmUNNTOgLl735G+zSkf0LSezylDLy6n2QgiAq
YtLGKeQGbx3j+1grT/PI4XT2EGq3NyR50tOKBpYI6RqWYgqogbFRvqEDogkm
nzRHFMu9EnMx9m1JuIE95TSrAB0i+FE6IShgIqqF5AN6EOgHgOiHv/NIEhXl
GKYwCcdzjC5hEo0vaNqsvQN2J6xBJ/kDWvd+nlGoMb6W9om+siRM76roKsN2
LV+Y4FV6KFEMEOWx3kC+gYFpV3tttFmempEDtHvGxBSQb9PxAB1lqENrQIiY
B4+kP619pCYbKK+r7h2mCYUFIv4pFVp3e8l3Sl+2eHG4kHmJ611dkPqs25Ky
y22vLiTVp5lhperIf5Q2DnXXHWwJea+HHrmPMu5Cz0MLlYBGGE47IPovgq2w
fj8StsEAS+owlyPShQHbmoANXIyrecJdgcyR5IAY7/5xlofyIkeGoww9LmJ2
VQL2TDHMh7yyxIE1xQS5li/y6KFcDYq+kn4pkEp2N5BD5FGk0UoGTHlKzhfh
dkgdcoxmEUIpM0+3s9whfub02e7C4sLVBe/X1UVLqN5q/Wpfa7Qdk3h0Wwjd
yKPQY3h3/XHD3/8ePq2vwbc1/5df/McN8bBlPWzJhx67K7788uUXgzNhWKgw
fDILSE0/hlwFD0LhINQjqegLthW0tVH+nUchQAT9SGMvATi1Fi80Ne2qZRcS
9O5Zbzh6DIvZeTgkDCmyCH4zuw3RiV+BI5aprzx34TUS1h9WvA2FTyhgSp7X
QX1i03oRCbcSKQQoI/QT30eL4UmePnVMhXrL5tlZLt2NvCeZjhdiSZMYf4jE
GKb8GAm+brhaluhMqFjTCiXjBE0HZN8+hxaLo+PJdQOx+E7EUxmaVhA9TmGq
ir8vkrtKjAVfnOSj4D7Mfv2VYmTZIsnxksinlMHIVvUrwp6fXkmRXRhahKXa
V0Faodx2OM8i15CFKBkqasffmwMiK15ir637ZaE9tg3mKB7OmRRnUeRhlIC2
Z6NDKICTS1FIkncggL/cFOmXGzZr4/dnbSAkQ6IPiygBWjGYnHPsg+kCd3xG
3/l414ETuGrYQEUyh6Nh15kc/fd//7dIEULHCP2EzWDyPPd12GRkb7Ok2OA3
TslywikYgU+PQ3MlJEaFcaIMmXixzCiS3rS6eJG6rC01HMMbLNGJuV6w4UEO
vT67aYiAmNnNOvUHvzY3NmoCkNgLw0iHJtC73SKagtqlAYQXrRDYtuoSKhXb
ChjKu8oSHVC5PlEKyzZW5QCjPhc6Pmz/H4qBzFqPjU2siy00rLs6EFaZgSsj
r4fhJB7HUb54w+F93G9qvj4zt3nfn9WcOUsvoLEj+/7fas+BoP4M4LeXAZ68
0wB24ViDg5lQ0YsF/nSR9VXhNK9X+7xNWApNBqkGkBbQgUVfKGLpeItFoKQ+
1UTX/2YDc1UwSbBe6vYAqjfPwXDHgCG5uh9SQ1NZf3qyzfa/bpidWBRPsjSW
iTWVJUcwkCMSMastCHogNCL9ulFniw2ZYoykCQq56+tkc3kciMb6Do1lDiyM
2ILd9ZFfFw9RxIDEtca50kGUqYUthKZdxNMM0zbDIOKxf9g85eSTMAwpWnrA
8+xScHWjFO/WNSeTMJmzjChoxi5UqIcwdrq2H+oHyZ1h21Z+Srk+JJtVsxae
y2EW9g0AY46tnqOIsk4nxl1YEhM4Qpi4zzi+QxbIzjTlmgS6QGI0FYBfLDrw
5ITJIJfBfDL5xgrShX5KS/kmrzJC0QksnT9+WdMyYE50AMXxY15V9vX4lq9n
yfHz5OmDD826P0P3fZlZNlGWb9X9v8Fjm7T+Z+O/8Fm77l/CszKt8P3NOkgb
xSxL/EtPUUMtThgo+WfjY46CRF4IAxW59LBDOawCCAlsilK7tkGKFbYs8CwC
s3BuKYvQFy9dW7kEjpZtsiJ2e244Qg0AQU+adDjGYc1AER6/09hYgYISH/6V
CNiSCNhYgoF/a5YfNv9L4OAVPIO3/4KtrH+v+KIWFbcAzbcqsfkKe9ouYzMl
gFUk9/DuyLwgc7dVWCznskh89/QWs9jDmlK/5Bv2Kg1mmZm58fSqynDWGY9V
qKLlBTORy+afSjejVA+ZzlnWVCWLLA8LTBkVgfs0ltpNlEm7vMdWCzknUFRj
DGmW0wnZQeR1rCKTdOINQ1a1GYZbiDjtKMZxPJfsSA3LYjS00Ah9Yf2orJJ7
mkWneaRHEeYeUx0mIiGzuoQ1EpMMcEJyzsY0OYsc8UBp3iJMMRm85HVDfZZp
HOvSFGXmZ6ncOVe300H2ZR+mNkiU7SypP5rBF+g2sg1izNYxDL2MtWjWYVhL
GlhtwvHXj7rXG9JGxzkxtobG6i4KYv0+xfCqEs/a32WeEZCOgOBch8BWaMsp
lkmUPhTRyjCkDuSU6p4BKsyzQAHVociuVtoyhyFBFKSvr1GWCtNK3e/4GMQw
mU2ksQX2uLlNK6QBYL1GRhTOhOqw8kaie5bD/bUzn2FJpwvfN/kVTKgtJiTS
sHrRCOYtoI9Gm4Gweql6LAxlj9QGTiaeUbERCWGjf+h+0+5eEA1KSGG/E6vH
0HKL42HD0vkW0XwKz/vxFOUyIqY1NnEZP31DQEIskTupzgAPQKRsOstA1Iyk
T9wGKEFZTdToW4GCnZ40NIwEk99eNHk8YWrmSouoCSokYaZPuEe1GyhR0jm6
YqmKTtPysHvTSEazgS5WW6hapckAGIBdWu/pEZ57ybdU1YXKU6nGNc+7ETJE
lXtMkz91W1NQFChCKIohD3oHtJVTgR9eo6ILa8cfDqW5Ej621pBDiFyscvzf
MBasxNwoqqIx8P82mz16Br7lKlHF2Igy5jF3dvaqjh5oyg4gUVHn4OAyYRfW
/vbx49+DH778++Pjl78Gh90v/z6fw4cv/05dnx59+euaTEPiNrRAbsWZjQ9p
MIhHsKd8fPiWX1yPMEupOLdk4BmzrqExe8qW4rHInTFGlcZ3tflCq1I4NxOx
9eaZ4GlJuDMTfynwD8KvfFwkT/FI4zUQyQlpKJ2bOmZ02wDPBcTVTal5pN5H
L8raQefz0k0IDORapW1rrebZ8BV+DXqtJiBVhjpF+ZiyvDAIcMKdCKuhhQh3
DFns+a18NlGBoJ3u4emp0EgHtpkYCTqGPCczEPs4Tk5lBAkmivA0yQMHANX9
C95ReZA94V9GVOCgS5UBm0e5LUqSGUSWaqAcNGRikjB72vo/AzToxaNZOsvH
czKvfyy4+p6WRp9ezfg3El6VC6EknEqZZlbqQQOYAvJr3nQ8y7WbP1SXKmpb
WO6v6yBmQccF6tbQgYwRjJ6qgw40oejXN2iDKyMpzH6nlqpBJzUHdRREXnuc
DSfvqOa71Q+U9qCXqri5nTm/j6EslD8s/MjouJLhkY8wABNzzA+gtIpoQrc2
9eEwASsJC5QSVecfLq49PqCSrJMTl6X3CJ3HOuwR5UtAVJLRuRVlx0hxkBeI
4Xn2/RzOSjkjTe9TjSNKsjiXNeg9OBHxKGHFh/BMBUAb5rlSQQFvpZgzAtx4
rtKMcme2ym1N/mUUrt7I+hco3coJ4MkA9APtGIiEhRLuvAhEMuOFggZ70TwV
+a95P53qaDuJ/t8h46HKFk5ZCoXmKnfbm+BlMZgu/PREl9lQ7ruRsl1nY/Uh
PKQEWgD3xr5/CrIl0osTgCxQeHwq9GA47TU9X5Q45O89tt2eUAzQ0g22TdEc
mprNEunm4ZdMhWKoMY/EXjHpzoejmn9xVUMsZYr794srtpZKQPTiguY5Tkdo
B1JO5nzlyQKIsyIQF3Lr95XkSYouRSQEJLh/ucmpZvX648a+Y1qSkLrOYB1o
EkLhw1jaI+k5XM+O614LWUzlLR3M/ePZOMq+AbTEPPJM5KiZozDtZlu+9O+U
jwNqMotcAHGu14Ce/Ceacc3HwJPHH9fXfyYnlf/ab23gjBuIwk1KBfhO1SYz
/z1JPFJ4Y5j52bmg4qLcXPiaAVIZ9lRVNERjDhlnZZ0XsvGKaCrpBJ+mSSSj
faVXqnPVbCsXcnd3y/Co6JI0VpCYO1HZEwg+j0H+M+AMUIiftdE4MfrBTFYM
qwjGpPRQr9QpZur/2NoQyIS9CDSK6ItxaEgjJiYSEPIMFALIkgAcak2VZBg4
IG1lVEcdjtCjg1oaHQkJBbzXo8d+NBWOfsyxb2zwMq8xHyJOOFsXyXMhrw4J
sRaw68vNfSoHxaE2FBJnlLKiDsdRhHE8CAMBJotYlKPNZBE3gtEGa8hkp+Pz
Y+TLE3jqVJ8eqCaVSsBCRKE0ez09EZemImBcwWtuZ3DIozTOeROI2+hyeqIw
j0xNEDq6KHmFABe+tmsu2CXq7IioJUZlCtpgkPMOcRkdUM3dBAsuIagzSfUy
sdgLlVPiuEah14SWEGVgp6L8+ShpLKFVQodVZ9zSQNYQZmuETzWaGcvCokv/
++/hlZ+QugsEQrUoiUYhis5rjEnrp8IHw6VmXGIWjgFQuVIxkNiwHMxeN5Cg
N8S5w0ED+R4dX9bwnP4wmFOx9nLUgSTjyf0yoJDB3hDg7o1AVnG2ThggRCUG
LL1T1BZGBQA9gq3l0FAYp0GQajA8Ooo4wFnAggeEKVZ9KHypTM8ZZQRpXEza
eWFI1YGSIyFvbTjE+EOKMYgyZFWk0TRExLZyrjTwHIlDKHz7MulalGDhzDRM
Uh5SkWIjM0vQ0e9EsE00MJwSMnaEJEWj2NOzUpHYutPWRfeSy/B1W6eXRDwt
sRlPGWeJpjK02DEuCu879qHD0AOJuCoNNiy5ZqimUKO5w64ZQG5dSMQV3pmS
k9BoebxQdo9HAVZWCfkRA4RKBWzwEkOOouuhCx1oYVQZTTd08pNoOT2Rjy5U
d+p6rXNwuMY9rh0dn6whMuJv+FnSiBkWFV2H/wd5iKyH8HccJXBA2DZiQo9a
FVXnRsc0wLsBv0M982uifAyG0UqXOg/2nfqBdw9NqQKbqRqNluWUTULMWKzj
zVrNb9X8Nh20NfhFLgzmgat64TpoDdpwCw3FbFj3tWFMYxCMafS2BGmRPaYE
0mYNv7TEHKxNw6fs34YGtYp3aFxzVlLeRUFYxiMA3xcdVgGK+1wLe32sxfX3
f3zmea7tfbe35q/TbmnUNMMy+YxkwiThj1EcpeJYaC/gbs0YLgKwijI3lykI
0Kmj5NeMTjgSQBjryaapAgcoJ1fY1Tlz/JY5kN62p1c2c3Bi9CSnCFVJd3rd
CUdTOWUiJJTEBCE8fc+CG1Y0OhXyAUt9dCGlCH6sKGcoXTy56oPtCqpHEgU5
8dGsBFaUllglkWLUH5VxSsjD5JaOQo4uKjup6iiKdthBZ6x20wYXstAWG4EK
lMEW9qIzVkVPdTIgimjbGq+B9TxVekF7o4wJS3otwpCrliNDQ5UDVkV0mnlu
XDCJUohF/SxdpE+XZPtVmXwlV8LVqPUhdZCg8SrqdyFnYJigfcDhwkI48rxL
VTFkHyjCSc2NilxUR4MrSshCGvDqtCbdQk6VkhN/HVcWT4RVBs8Q6kAb+NZE
5CGquXMFMHqvhqXLUHhb+L4n4gEe3eC6k7onff8sM0Jb4fBv1qkkL6oR6CIj
hxgMgt4pqu2JBAareskaYZONfXQt+fTWTQxtH+G/eAlUCx1JPvWgfkcRCl00
vhyE/gAZXKeBOh+ORD8b/iu/Q95pW7UnEwHw5dzbkZ1DL+plHszbVQEB2JtH
UtMnlG4nJO4KnBaKKjYhp1pC+VCKGOxXYsXN5Cb6+aZJyLEIvEQjloJYzO5R
AEqF0pErmSbZUhQ1H6OgCR/onKDsOOZCzcsm2Hp2gkS2nsGCmwbtW0NMU+CD
+pV2sy2aNunHpmgKKJGL7YWGcoPho9ri5vNbvKW3kUH0yn9r1OS2T+LTK9PD
y+B0nehW5HTkuqsn+YjinhX/E9IDiJKptyxKWkSq2moIBo/nsmRbzsGUsLph
nOWFHF+TXmMeFEkuyoaU8zTNljVZnUUUM8bamkKXMvsT1VCrZn8iTNpsZMCZ
4UxrJcCxYo0hRbPHeBwjcNRCObT/y40IwC6lnkkVT1auU/UUrdc4O5VSC4C5
AHpTsL9VzyCnAEG/+7YTtIATnJxedpu7jWCTS1riz23xc6vRkmW+hSPMM3rW
fHiATqpA6Et6GC7xheb1zvvjZmvX7BUzR4Vx2bZP6zQPZ2Vy1XZhLI9LQ61X
pUkEj5MBzr/6WTqkcFfv1DDP+LLmKzldKirUYhwIX8ZRhVSeyRtqKq9Da0WL
TxKauOBVriKUesvstBxYy+5YFURbMVeVQilriWEJArScmwq25+rWvN1oR838
h2g8DmQq0Jplq1ojlTcHfZbIfYaKP2BH4kqSqExaixF4bfhpULhcCBflZS8v
0HsgfwAly0m7HECPQj2Ww285UZN1IKzISM67HM/NegTs3XKz0Mj849zDLvxg
YiAunOr403TNPE6xdOrfYS7wDDeQBXIzRMxdCGdoUsQUj+gBn8o2Vlg2aPjA
UpT7dUElAG9RJQBauXtqK0+mqBhBCasyutzudT1fGuspQxJFHBIROVn8ncVe
MneVbz8DMBzLNMWKxzoprQ9n5jva5Qj9F3PL9U+b401VwJCKt22/3vS/9Vs/
tra20YEPzMcKnYWfA0zrVkVz0eGaisAWfy4EauEhkZ3HrNJwnsiX/2zUoOlr
v/3lv3yBKGlPzR7rWgCSNl+3SrVIsLYt9uuVooWHiJq4tUa0sBgn8Jtf/gsx
J/XFdTigdYd5mbPFbHHmaEcVDk+rRIM4gMeTYkCOVo9xhMV/+lE8XgdBpQWC
3ob/F/8OdfpchhncSS++QGaJDB47GqVSqQJS8V0D6sR+1BzoPlWhqeIScBIU
7tz6MbjTRVhEdVpsgYAy2R2ht45EvKOd1Dc1yNqH1rhlQBGA3EOCqVM9tCd6
Z2oTyLwio2ZIbjvDuF2E2HoJbuig2t1QAjAgo9UNx9hYAo6qDSpx8T4O2Yro
0DPWDltbW7ReJktT5hJ3qNK0di1A1IxpwkswOWjB04PfN3eF2cjztLnwTtTI
mU2nWJ+ZyorLuCopJFhb7um6xxQfyfEyy6PDeeMsXVkQDFb4n56S6CEgXBJt
jNohKdU65upQAllE6IoRtSzvluqXRJoKV58tZwf4eDh8Tty2LLBWBhCRCV3t
jGpTsIXaK/nu9J1sYxHSY/Grcs6b6sFTFc3R/lPGbUU8Gb+lMoCCP2hj3/pn
AhvXcX5nbFNmg5lUtU+qTDtMDQS6k8fOVjUnmB1tlZWy6MSdLDEg821tYO2z
X9+auX0ySa71JG3Fhci5/IW+WVQLFmW3uBOLNti3p2XIsj452WC6XiJS6NYT
MSVoRqt5VnDmeecfHDyJfiQKfia70iJcqskrVACXCm8SRaIWqw4nNsoCW3HF
gZ3sRxKzFP1NQ9p6vuGrG1FK6pd0tlavtHqUxXJ5+QUdL2SI1crd5I9FOU3T
Sil0OEX4+GY1ICmXVBVKJx2GphfbODmwfXs72zs/NvfEygmsXiEu9TAyGNhD
zOWSh9FDpCoNISKJiiouIuKd8yVRjyRgpoqhgD8ToxJ/tsVym/rgw9LVDMZl
XvLd3O1WhfTZc7XCym2vAm2kuHlGSscmaDyjNmKV3IgpoRVpGIafk8P++LoO
z9gonTQOizvqXteWRP76mjk5K/ZQ7RkC2/DXgWZlxQbGibjrH4qkesestCRT
27aP0uwW5gqgQCpzSNv1Jhk4/5dZVAP/WVmmJAQqqu4b+CX9AyQCrnMItZBK
aBjeGbkxtVK9Sn7uWrBQHvAXgJ+Y2XJ7ErxrbdJWva2syLS/vyEL/8UZ+Cr7
/rdm3msTJgjuN3Fyw2zse54IsDji6GjMFLBQDWygM6ITSpsdbdimcDlBPTth
D8cmP1lNJuIxmcV9mPLkJh0OMQP2e0Crb/31nwCLYpzgBtvIfb+4RyMqu0mt
2daM12v+2Qabw6HTm5/gDRKH14v7DdYe0B7uAwjRCr8eKZhGN+s8pQ1vT1la
F8JcWGBflYiGKxASvfM8t1lF0VUpTVTVo7NzFU8LVT8UDyuIxDMjXejFaFnD
3RfEyoopILYvbkZYQMdY6m4Tdn0BrPgiN8RGcMYptkfIdQ7K14Cp+BeTgz1n
KvUUgVC/fbl5nAyWWRNJ/nSNoFhST2QYPWBNSVXSwba71nxdKKvC+lpj26tn
2V4Pzjrvj7Hh/706OdzZxvJZ4vYmkctduQYYesEayOq5dA3LLLrrf784yTeM
ZehHIsSObL3mEtCmzIv4O91MSZ9Qw9J1LlhhVTsl4nyFvKzU/Hs0GEzCn9JM
XMGOoiBLwuSFZ/u06oVvGOHk+++qTcD0hiU7mJKIKN5WiSBVZ5Xwo1Ie4nfU
mdV3Ryw9rSweeqFTpNEpTexbZZd7bAPx7fD6tyx1oTTqLU0ZZBnaOHxGjnlv
LvvBot/I31uo+rB94M4w03iOzi4MM4y1PSOJ7T7mygjQ8y7btNl1YqaZsv08
F8YWlQLo62tgv5PCQQrkRDYXcBWIUrUdqk4BnaC3pD6hsuCfR9kdoP5ROBmF
GJFmw1t7TnTlLsTBmlaXsGpdLoxFmLWBhnGuzcu3crKL3TC7ekvMoE9Ph0fn
lxS77q93o2hJXL9JpWhTjNz3DWeRaDoZRQEb1xessK1P7qprjZMkyiyLsrk0
aTem+pg6SiHNrIVPo2wyk1rK08HR5Q/ihrXANy4o06joFuuWQjvfhsg1bUuW
bG/FmrZmzpt1Cq0at1WeNET2kiuNzXBcRpSrpxnpSSLHq+6m+0n65xra+HjV
xFnc2ubTSpk6HMZK04Lf0wxn2KbPymWCZgKDA/DghovAJDGyPCM7BqiaVw/N
AtMImfEYr40eRXyFJyXYqprs47R/R5x3EBYhl+5SvmBBXGSmj2irSxgaPl18
5OXxV/QKbNT9jorKwowFFPYbrU0CE654q1m1Fdhsa2ebrm0lYOhm7I4U2REU
yAySRI4opoxCPf/fQXysr6QhVxGbsipoi8jYZqGY7OiGb2sllCdlw7IvaD2r
p3pCTAHFigPvzABXgiwWAtc2dCdujl8hLKsZPcIv7RYOkhuDOPumeyeHBJLn
gQoepJmjpqVDj8TMy+MLbK4Zg8H425sqPKdSr6prbdpkrRhwIO1NW1vSJM0F
RtihTJqJEUuVJsJcM0bKmWGnOXZu7lXNiZWUtg04G9FAhROLtWM8Ksb2j7Cc
omm9BLTOmf2S/fxbA+AbSCxbPza3g6bS8HDdjkrjQMDQ5NDpKBVvS6t7bY6C
Ur3fObi4uibjBrzyVwITDG699Fd/e2urLX+nGgbcEsV6hNANewu+p1oDv/zC
4crrsi2V3kEd7/PNNBxAK37cMLd4g7S88U1807uB9ahGNthbrOjB9qsRuU8Y
Ew3Q8Ed3oebRwAngVzVT0v56FJfzdl31tkF6X48ic96u42PVRbPUBemAhl4r
47sAiqCyNhukXvZIhXy7LuJRe6gq9m7WY9YQdfdxRffNZlnhxrlBKxgI//Ru
YDCv2dJRP5WKb8MlNKSYWkHc8rh8/kLQXMegFn+b1AdRAZNvCwEQ96KhDKvi
FI/eFwAUv7GzoevFJhGmXlLgi3n1HIkQzGkqJTCZHk9UwHvGOWzpa3VPxTqR
E0Ckp2IaPDAlMw6B48rZGuKsA168jUeoX6hjKltSoNvceIEwh68LIgKTR1QJ
XAQUYTjpLTpKCRajcTwSl70YxUtk1xH6aykBxSPQTND2j+RBEwvOJsEX6DKY
dMzSjuXPUT6qU3InS6XIvGwlFdGtaKKjUDJ7rphTFt6RZWyAV60By/JkPcSw
z/cuSCTREa5chfMtC/5I6oRPT1kd0BNSzS6vU7y8IU9rQiWY0l3jmOzB3FyW
cFVlXtChLZhYOOT8CyGSeDwvkj4S4e2ydxfVcsAJqiwO789yae3AYQbcdd07
UbdYiyiDzHUg+CqJU+g6KyRxVGuY0LBaw0yHCzVMNOG9UMOU9zUmS3R+Uvk3
/Ld1b6FO6VhdRK5mqPTJKq2Nt0rJ8DIe4E7IH6ytyKeJD3NYTbCvvKzCe5k4
fy3NGJbojlMgm8WcqdRyMb5Sii+5ynVk3Epy+Yslz3T4vOSZDleWPNcnNX+w
UXsGYWRteKTzXOBH/mOxUNoQ+aJDmc8xUHEB/yulud8mjikZa0Wxiq2tK0hV
7bolDAkZqFp0siWgzbJ0YYhCLoboyGLrJWnjfuV/zIW3LZegJtaltqmazg3y
oprOaSPholKoWNphWlSUNqNyI9WYcjqsqnkYLfTAVa5ESiiCkXuUQ2GoZHhL
kbxmKSFefSdOMhX+r1lpwtJNKlgeR3ZXFKbD2fRUTCKl+zKRYGseK1EVtkhG
fkfPJxrAt2eIlHNOmy9lVmIzRIu1t63D4OKH46vu6efjAH4NqP59eANyw/wG
oXSDGKkrY1bPh0y5lGaymKj8WZOrsS5EpkxyO6rZvgWmAgD9Qu2/0AtfbsQc
ClE+jeLafB3XZulyGjO8qrkQE2nucGYgZ5UJciaSy9hBsigGzjauyotGZCF9
WbRoweGpPHRsDRcJHkZJ/iR6WNSTuLsSj5O+hMsSxj0Zn+zGI5BhsBxuUzaB
yovbrOMhojtICKgM41wmBtgc1rh4ROZL2UZb5z4WkbCVf+e9KEK1MkOLr0jQ
9XgWbRgdZiIJlO9eKVDhBSFk/qZQRb6kpRQ/lw49A5dKpTcDbeCnm/FIlJQL
1tHBwl1EdZIqa8V6NtB4F9Cq5hjvQnmdTY6XSkxEFS55xaORw6BmoYOsSE/M
owRrEDzElHPNdEDsufBiCJ8hzPjp6fx6b5evd0vSQi/3mbAiDXezTIuoDCTs
7FzNzRakgCZsiNzNunceRYXSQU0HB1Xg7RVjITGaSZRKdpTKHLJxSl1G2qOK
Q6A9tuZJ/TE2DPUVM9ugi99FRK6dRS1uXMYUU+8hHo8lZy9kWTJ50yLzOUzz
xSRaSp3mTE7O/K1xZvXGBvt0FnJsq75VyO6+x2CIfmlVbwtYA0zaUyVW9WU3
emuk1lzNHRFUTh4G8l59waC36IBjSDM6c8sOJE6nsIaLBuxSsPqGna/uwImw
jWWYZXW+C0UMl+4kta5i9RhQWmUaYGCf8AOEfEc22mt8Lr1LoLZzVhFGFBup
FoB9voUDOxgIEU5UP+OXK+qryfhK2hpBobF2E+EtLJbuScOLuVgbinS4LCnl
FCnKYmKJLi5LB6I1c4WSOSu8WLvz+O+XX26uO2+4AqKqsyi4kXwXKZgqDliX
9aW5jh1T6cWUG9ltxQWtyF1V1WoWYtWTkrCaRXaWiVVSS2yfLmbvId116ojn
hr2idC2Kcbli3ZMVK9RsgHmAwNGX+jteH8gYoeoHo4dGxVrlRoi7vIxW5Ahj
4Tz7TGNUUS5UJmA9CGs5nAi11IbGpeDhe0JheCwEO4oQUvtGdUr5LlOscEyy
iIh8Hs91KXrZXhQq50wVNq85RTzpOMD8METnUMZ8Gzdt6zx7GRFu3KlupdqL
XAOssbYolrzcr2cGl7sM2jHOUvK3eZm0Sgen4joRiwRICRSYpDNRV3VUdZRR
DVooHAjLbJoUo3SCt52JpKWnp4n67ddfN+iqcP8YXh0Rz23JSFloGMlfWyIC
xZgg3j9M1bExID1+dh7M8Af+8QCLxuR6MuJBEPEDNSP3hYUzbOk3S1MUaXcT
EQ/FtQwQ0p+iGI4H3kWYK2iSO5HvS8LCyyAbs+5HMTKax3c/fTQmQMw/CvKH
mZi5Ph2S4Jq7miaAE4ZTfHHfuO2dA0o0tscJOgcNkYxl9iy2YJSGYy5HgzZY
vl8lJAJOAcwE2u5tOAZRKIAzDize/5Si2fUnXekLh7sfPJQB6jmDsOTTFzEb
bsreupHzOJS1gKV8ExuJkCsBQZf6tiguKuZ5CiLjHMFO3EFWsxShyu5xfQkk
pMSG0RjXL4McJ0GraxT4WlmPKlrydYGqji0hJUfO6hIfBg7pKkZITKwL12WW
mNFaEFRRmGqiPTwh+1DGc7QnYgTwfaSdEjS9QBQN6+s9l2KmKAaLFPZU3lXD
IJET1lfY5Ldhpi+nXsgqKETBsH1UVINaf6z5843SLQo6aUpIQjPrGvVH+jZn
2dgItuVMb5WxDtAeUlHvfkrl2SkaU4yoZRPjRnaXrgnp2BP3sfvVuyPLroqe
WZOpsvKLu2ERxNATy3OiHAldfU38qOZa7rFAVOIUjgJIa0CSItqxSpaa9T4p
5o7JhLxaXuX112CS6LvCe18e+aDTtbnMgAtVKxHtp/u2YFp18OryLhNWFs3E
a+n+UPR2UQ4MDcagBH0GDb749x7O9AbPoGJPxdaLnbQusBVTrNMFIlSrieXM
HtZnFlrTYxNGY5/whoYxpSdgwtRAl5OlyRX30L645xf24STNck5lidDcgl5U
NQK170Pzvmyt0rplfVqujFxRV5K8en15JrtYS0QZvLF4TSyveAGpx6gfaF/w
6F4TSHcBoDopNS0tZ85/bME5HK0/Ch1x4bFm75+Q3slw+uirS+897EAXcCRs
TuQ1i0aFQa4uiKcYJPw44YsFssgTdcftYoQkGVLH/+d7LgQXc3U3fWkm2iao
uDMmI2TRKBT3MdxyDRRcKZZ8JjuacnfXTBSpurMwR9+t8FHL3gGzRE3puTsC
fkabk8RM6hG0kbyk1hnjehrzrx+4qqXgqUpK8a1UuX3eAQEGuvQ4dzeaSZau
EEU6lVRTgG/IqkMYoEl57CwXW/Y8roiJtQhEkYFYFYkMaAvLqVqYcEk5ZOzM
Z8ZHqlcQyd9RATuXIMdNZJx0X5NFREWhrZmHZUforJiUJ87JLMj3+4lCezwq
1fTtIZ1JBmOg4Zg6PpxRciWJ2TFnWT9Xflfmn5kKloMncIZV7QthM3BBQMAG
vuGJUp08KWw8KZeJNvKckL26ZbuEEs83xt+T6ChLlvPFN9JDUV0fMq/py3GM
iXqysHqorqJlc22BZK0QYQuya8ZlVW+ywVuvdhWhWpa/AREe9I/PquHTKV+X
FkqlQ15NKG1WgsJLalYpX2iihhV8fmz7f/E7/rdAsP7iH7CMwWIZFgjo0OPW
Dnw8gNf+z/diXa+eFQqfXpFM6HmiIe13qfHTU/dTY9us66s1Tae2m4duWrSc
j+ne73lJ6VxfRVDkijhaFEyVdk1ioadjVUq7oKIhhFisDA7yXnVWcNmRGy/a
8e+8mGyMWXxv3KgqCm6ScvypuYdmEBIaSmNQwQ+WsrF/Q9F1VVzyyrj6ZKXq
KXERE+uJlwqhGUFg5TlSnVr5NCBzzb7HrM+A4jKFQW4tZ2+DhA+voThkwMlj
pYGZJGo37Kcnri64hEB+Y/GoaFXp2p5pdDJT8c01AkZfZkT2uZzlPpyH0saJ
Y+OcF3j1UBAqdn50CM8PmIuW0v9KvZIw9LkmiplSWTNLQpwoc7yMEJBRK+Jy
RDhjwdfAuQmxS2laT93Om2P4FQ/WVMQ+SW3BNYl+rvPNb6P1zyxQULXcOt/3
Fqy3Yb2fYf1/YaKAiY/r+AmbO+3bz7fXpazlS5t1vyNDa8StbDQThOVoPfis
qppb73lSAJzvi9uDhU4UzNgPomxlj6YAQmZSJCD60oSZdN498H2YVA5wTiU3
6eMM0yIVF8+59neZpZG/yU/7sLUkn3nrTQDB7MeWWvq3PvwUWD9xlWG2GmjD
Iypfn61bRyzPgMP/1IVHyP08KrtDFXS5XgtpGZzerubso/8Cg0GUUlRWRgEf
QK4HpNfTxcgOEPMxlh1WBk8xgoMb4brwh038oQ0/UFVjfPYtvkIxGMX9JuY3
YnXwgDYY4OHiygbyqFdS+tcBdQMMnT0d8oZARxuytB8GdlG/Af4R/14Z7fgu
OSpJ2sDI2eJ+CxdF8+LZtem/mxg/W9xvY1cSWxFzS9jsL5wixtQ+IjQYZwkk
WxRN+9jSv/6FfwX4PiKgPtMP2wgMABTBGqa08WOLYmNhybr0P3BtSofFRWPp
98emUPsFVPm514RdOR4DPrgvt6yXW6WXW/jypnhZtWuX2rWx3ZbejxlRAXFs
eARsHsy9pr6skTVYFjGAdIkSB2hsDth+pKvyy7t37Jr8ThijCFP0lD7Lgolh
U1vAh4KP4zA3BBVtzRTxa9U3c3+54Zbw92GGSzZi2rRDVDullrFCMQXBD5+e
PjZ2DCmIBLmDDG87iwovHGMxgYPD0/Or62YD8yqV0D+nLBQaaS23jIlrxNn8
T+EtBfIATwLCegtw/3SA8oVUhzGUlMxI4hoES2D6HYxRmPY6zBxofCk9rsIw
8+c5ZvJCTolG5D+KU1K0qOge6aq4N/UzG7qSwGBTNeahn3H1QVP9hGTz1qqX
SwJ5wH3EGd1sxPcxk6GtJnL9N5FHHyBV+iyo5R/DFf8YBoizMLiqYQL5TGRt
9uMmIMdn+tRizieMY3zlHE71ezJnSJOxvOuUZXLRN0c3kN8duCRQIYcdkp6L
NzT0MY9UBhmwdl8wfTZAKI+TujdT8FOipZ4Gr9Ct1HEosehV2SkxxgqAcD4L
TW89wAl2hMBAnJaCJZHgUicEpKrVIP8d0Y+PTX0km6TcYYoK8SG5A/gE2eqI
fn1s6Rda9MIOj2iwEADJEu6DAMMcFJt9uGwGuAwxyhWYR2Ml5kF+KHWmBWWz
yJp7u0uJk3gW3aMAwFKZ6tSy+pgv1ESxakFbRT0Nb9MXXkzJzhAPQErEumGA
YJzr3WIvRBZNU0ofdXnYp4+WV8xkV+QU8zyHxut5oHlF3oQSDsKpcMc6Tiel
k3kV9onb8B4fdnhwTLQVuFe2OwEQbc+gDv0RNjvhHaPTSD2KNVH5ejrnA5Vf
ormKdB6U3MwbnizRSYzcKAMvJk8pwnnUn7a2tu+aSOePD1si0RKL7oYUBBYM
gdEmg/HcE6+JCgEHIVDhIg3O5kkSdPtpUVBdgG6DShvIpx/C6DaLkYUffMD0
Z6PogV06QE9U+fTQ2MvuPBEHabtajr+RJoVVrDrfsFnnm/XHb8iw8w0f5m/w
NH+Dp/kbPjyqWiM5ENMZAeyYZo1JC/CCZtnfCJ693jXQu+Z3pkR/H/0OR8ig
yiauzpFLgrmz6i2ZK+yWcIOw31LX9ycPZg5CFnyAycMxhwWohYe0TVTpXars
qpZD3ZPviWohYS7MyYYLC2aCa9GpJqpSgNkIaTda3EVr1S/xVRmUM6hZp17Y
YQx/nrqaxZvJjCBhs1t27nw0ZlgzFtYPepdMUqa3l4wgpknEfd0KWlEroYAE
qtsKJGEC/5dNYS0Tp/ymfTeihw7RGbqTyKUr+1LCAk5SWlhMO1viuLMYn82w
H9xQI+qnRvW2UaGKhkO8oinkannWvVN8RU+W61iDGePprEk4DGALKQjMq/AI
5RKyoSyhTdBls6BEIlEEdzYR5jdmKUpgEkZgLoqmgkhlBlmk8uB4eRpaJSm6
5FUFtCMIV5w+uY2edWANM5i0Acst0mEBcl1otfZgCARSHSPGx1Oj/AHL4UtU
HRnSoQm97xB6gj50YiKbi7ZkOheTsIRUFSUBrWrad8R2Ub69i/ShJTPEIAFY
Dye+0dvhAK+4EroZhmdJ/5Yjxy5bNnsk+EKqkqxb98peHWPTmXAkQoWADdRZ
k3g9EN0Ci5Rz6InouRJ1s23TKVXi/84oq8hmDR376jGZKuYOVVsukSqCa4cb
CDhIRZfMHappLM4Sias6XAGWbpFw+98rIxYA30ZptkK0Y0ZTkot8iou2xSvQ
hdq+WU85da76dDCwwiHjxomRY04b0S13zOJMHuP6GftMnr/IL/Me7T7ExHNi
3e/ge05mJyNPqSIg7OmVEbHmeQd4U2wR4W1Qb8NJb5aBdPoeRLokvQ+Z+p1R
1SfSBRd6W9DDwvKQvJJeYNVQFObDqhQHb9+fNdtVBgljmlVGhFJ83pK1i8LC
74Sf+734S3Hc735EE9smWune/9iS2jeZ0TmX11LFS7aHd9Tq/SLbQ0XagTLV
i27tO1bQzqD24g8yNihKWezbTBaz2nPb1Y6iiL7amVw2couIQho55Zo+2sFW
zyr52NxQ4IOmdEo3Xc3eW6KW+wvU8mD9He7lhh1CSk0T5rO3IQqfLHpgcci2
v4417zY3nqd19hAwVVLEm64CDmrpY0nDlm8h2bLUa90b/IAICw8JG6liBFt9
H9E2LjvYctRto4MWd9ASHWw/p33XbNWbT6phumnWSYN3tPGarYqX3oKdo/qB
mFL5CNN6T8q6j1UL5/TV1MopGKlSK8cg1d9v0uVg1wDEQNXXIp3euEZCETPy
lssAP68/DnPBpwW5p/R3xEJ5XWyJRVS6FZFPuH5UYBbVTddDnwY2hhXpHcLm
ZbffoHif1RW/EPbknhDn4UfpmBmI377F34RPn6k4E8+BQUTpN7xg9+Dg3dml
qGElokYEkDCaEi8OoPsz+OZiAKsm4lJxdl3Q+z564ucLwqCper0Ue6Br7Q6m
PJrKIG41xxoSpzSLJn673pJlO1QPoMjJOwoSX1cbFzqqVXOicm7Cq80ZTWVv
tTszGdEl64WROKbisGgYJZNVRXnz8tD9HjqOadNssNLMof9Zri0MMiKNrAxO
NfoSfCnN3Rr+U6QDM4QdScW48aU5xqsk9xs1dMkKLwxaV2ZIAasCxvCozyw6
Zla4ASFmxnlNGBFH0b509cWYlcZn1+TJnMBSNXlx5Conwv5ZHgWePTuKym/S
3DikYI5CZjbKrEt+n8sCmxkVldNwb9OrUzXUT6WVyIvWiUhWowmOxUJbaEdG
eMbiCJdLa0Pg870zxjBCcRO/PN+JLnsubxEU/m3r4mpZ6DPmom15OixgEVG9
dEG5CI/j2FVBkVtbW809cf/rzs4mEQ03MlHOifpTWuriM4oHoMj95QdJXNfO
VbM4P0YFEtu3anKVQjUpiTVcsEg5T7Slwo3O4btb08UT/iZn9sbkR9BEbO3O
+RsugGE0FtcT8Y3ZOD1xey6F/hkQlrZvDWZxYfvx6dHmTrtBpj961U7YxnTt
6lNfsw+yQXhNNFJbJlCJUNI8csrUU7njDhZyfLe4HVpvFgqE5fO1iPKGxlXo
FMFpH8XSqUgzazoq9NZfHnPl2YenvlwzbGkBpaSHVS/kWFykVs3yPKnbmh5X
u4IEJfRZU17V6qQ12Uqjk5maJfFeTAerosgxDYOnXe1FWIllcgIJr8iUz4V3
VRZ5US0oxp7sFTXzFpDqFSpNDUQ+DHbc+O22Lb3Q501bqyhv+mZbC00EbImi
6wQ9zwZ03VvQVZkrWEl+LnxgHbLcg+rKLH68WvGgRWtg5ikQ2nO4t33lt7T/
8x7TXuCF3QO53SpFvWAckrKbWZKgWkzYKEnollFNQ/VGHEpM65G3ds6W3NrK
M6u5Zn404DESO+Y7PZIw35EBjpuyAe4cSZtY8PdqK8mAx81c6x03rbDe0QN5
X+fhOAozHXKJVdfQdPdKfgz6ooEb60znW+Uj/ypTucqumrJlpuaxBUI2osB+
9nQoc9Ut6EIZahDGfcIbdf+iJ6vGGy+/8TiPQhbXgTMfjnX6EFWwIFuEqAC7
1q9adG2NBSzPdU0lc3sxWoRc4qNilwrVl4gCXpK+iM9/U1qZuF5WbkCfbtsh
iGJKDc4Xs35A4xA3/pmB8expuRVp1E62DMf13PoUe8dwV4vIla2Q6jnp+tzs
gal5SWqA0bQ7cRSIMD+KtHtZdUDQ+Q+nWGmIh7mkCqveZdDe3WQ2fxlstZqq
nu421tPl5PwcmJbKnrDqCpKjGCFh4yqrYcOQKnUIRkqh4csgxfoyt1b1KSTv
hHHWsfD7LJ+Ja+xyWXxno9ydRzMWg90CKxgORRUMvm2vxDuISwoXuBB4BNk7
FgVMyDFL19gpfJAYK6csjBF+YVJgVZtJitmux9yJEgCEFPjYEkl1xn1iwF7J
yFLz2ZeOTksKbOseHB69b+w5SQA6FbZ65tCdvBhlnHJBaa3pjzHjiNI/cZ8j
zDQU7s66fzLDQgB5cBiibBYNQkz0k3M5eX/VbMJMsKJLWr6kSqMDF0RJMbNw
Esm0Ajk8SsoHs0GWJjEjJxoBMhSSDy6bO8KQRUVN8H47445MIwFNo5PHZVor
whEWbYcKU1DJh2LihDsyxFBdSyjzX8kcC6PDy80WHC2MViObNsE8UCS8N86b
LXgcjFqi4LkbgbKuYwXU3TIb5vZinPOdP5jRIeTFYMVrfxGaUiqqm/JhKLFk
wKe6cL7P70qfMVpNtCJA7meUKCpN/IJp0P0DvtYtlcgsqSrOCkQ1OUuzjryR
sCGyge2jXPesS+0qLXrUv+p+/XLD3//evyVC8K1/aabofPkWq5tzbYu8mpTX
Ob9PGmrckBxB6hZShpokQTADT5EX2VgqrM8yFJlmqOxFgwmd2ecGd0DtiYsB
dEUM4T3l1BW6yYxtZdniuXjaqiopNK/xO3Hu0LIk6aIdMck2PdM5YZUxWsgh
LKDdqk0Q1+shT6gaB8UAosd0oYiACO6BqgZlaIBcHSa3rnp7eiUsRU7BDy56
YtZRyMsvF9rA4woBMF6n2oKFyYRKA8/FsZRSvNm7UWkypwvQVYxGqAlS1elE
lwDPNrhNH4rUuvBO2iilukBlgGKMbu2Y9b9ERh/Ld+6NktaQ4ooX1AYY0zxi
adIeRYsmxQOtGfzVMvlZF2FaN3ciDDE/3ZyXKHNbCVoutIj1WHS9R8+9cY0K
Z8VUXBJkRCq3piqsGZVdaC4Vl9PV7WpG1txYBHHvWixfBCJgS3q0V53unys7
uOUslzWyxJ6JEVWJrWI+pSuBnagiaRNVoUQcv+XaoRcVR6rGY7oAJZaX9Bka
qVFnFmtHiYJMNVn50k/w9EqLZhYN+WZBadQVuOhX1G6yrwWEbtw6B1SFXIxH
JWAtwNQkIZT5zOsOmKgiv67Q5K/T65HZQlaiNWHJ4RV0X58tm1ij03yOa+ae
OufILrGw9DY/grhut+T+PrMlOkon/l9RKeEQLnVm2FTNyekkNFpR970wx3xp
tWOCmbp3uxr3zQV8T+uiQpfWRX/GPRXrL7n117oRJ/DPrBK/OqtQElSzZoR9
nRapgqWLt2oyyQ571ddZ2ZEDVZda4pWG41nOOqyOl5BqnCtSysISaEmzVLq3
NbETRv1Kq2wczXpYq6pnRRZ601SATZmBi71nLmyDyZXZAExlk8SvG3ZBN6l6
cgKeXrBVI8Ef+oa5wDNiLAwIfa755zXbPlmjaEQsXqbiBD/JsESgulT4ns9a
yZkk5FAmbKzjMEsXbNwMISG6gRpliYdfl5JijQlrH7QI5jTu2531hCCRO3zV
UGQqCpJy/eASJwkBIHM4hF4WUewRiQAVPEXGyMjKaGxpkPQMKywBo53RtlnV
MkPPIHuSbNW9c+AFKeWJhyXRgLlQxWvSYaAKJ3g0+69CdJNL4gJRWp3TPdEF
7J/kNVTq3Kj+hdeIMNKZma5xAEsqTcy8pALLo/ziH5v2u1+kePiLUsh+8X4J
rH+/lD4E0IbtLmRwoX4u4cOXm7+fH+2Li26+3HS7nz5+ubm6+HKz+OkH+H94
W8luGJIPxM4YoL27yQPAB90FfTEHWPS0NAA8swdAAxENAB90F1vNlj3Aoqel
AaChGIBOFLsbcQD91eno+OysJYZ5po07GLUUo1nuTfvr4vGebbVsRJrs5uau
QCX5Ffq5ONmnqwFop93lLWzijrVJXkNjbTyW+XXJWM81WjyaTg2h0dTXxfi9
vIk7kmotxtOGlTdNX3yFb2+WDPhMG3dEaZopD9gyB2ytMGB1m6UDPu37rHEG
zJSKuBhH369VaKbo73f40dqvXGjNqnNXKZ1LtVYogIuEeKWi2OzLyB7Rajxx
SCXcStVQ1JAxLg8VwocqLsM+mAMVQbag3piUiyqFYxG2gKYfrXvZNgRRmkjX
f2LP9LEtZAuvwsJh3dHsXA8eYoHxps2X4i0qUCaVMEvydFM7WYy3BFGchZIQ
q0XODeGMnnP6SFzMyGBj1RiGZcLBh2lu8jQZB7UQ6sqQPN2iJP9oycZ1R0Hf
W3W/U2GpckFQIVUKQIgKiMo4wVcDYKDlQscCm97kxZPCb2DYrdgoBJPb5oVj
5XNLnnBnp8vsqqJ0QnF0k3XIGuuXtESOkDROtCEeqHNJzN2xOcl8Ly6dbtib
lG+HO3EUR9ejs1z8iLWL3rlhwtJX90urXTdAgxrX8X51Wrso646gwdT17/2g
zZ8P4HPjcSvsb7e3Brth2A732tFOrx31eoOtrZ3tvd3d7V5/e6s5aGz3Gv3+
VrvXGG63e/2o3W9HrZ1Ba7ux2UO9eN9v/YiACPBvC9ODWz8291r0dw9/bqJW
vE9/7vbxrp6ygrf/8uui8d6cfXl5Ieqc+/4m9jzcX7EMLEbH7/tBs6HUMZzj
4g0jThLLEEW8oQiYwtLtrXkcOaAd+dauEjK7+GrvLBp8EiOAWMYkV0Uhl6uz
itp0OE1C1diuaVxOSV50WFDU1YcFBdXfcFiwk+cOy1JR+p94WIyzIo9Kr91u
tobhTtRqR9FOtAkHJGpsbfei9nC3NWjuNXebg73+djSMdpubzWar0W5uNnZ3
h1uNZnt3Bw/a1nZ7bxfOWiuC5oNWuLvV340Gg3bUb4XR/8feu7fHUWR5wv/n
p6iBPyhBlTrvF/OyOzbY2IAbY9N0D8viJy+Rco2lKlFVsiW8zGd/f+eciMjI
S0myMUzPzvLMuKVUZlxOnHucS2tIicBEpETNq5ZCQkRJUTimpCJ8z5SEuYWS
svBdKCkcUNK1ps+Ikq47+38mSqIDemdK4kv/D12L7B0oiQa5iZKutRn/cykJ
dloCOVOkQa6CuiiDtgiLMgxKv0rzJPaVKsOmzMKkKooqCpI2qvIqzguQmGoD
v1BBkgZFVCSBqjNVRFkVpElY+1UTVVVQtX4WJVnUtHkeNWEdxW2g2jgJ2iZO
q8SPWt83tEaAHFKVSJP3SVUJEwaoqngX+RQPiOpac39EVNehwT8TUdFJvD1R
OX4Mbs/di6P+sOcYuC2ZXTukEzM86BlAySfuUMMbz1H4Pt0fbNV+v6H2c2/e
/M9Hyy+OV9t9u6zb7cnS/euyUXXZxjKpOOUlxtZ5R7vhB8U/bKFSyQmRIjFy
J+ndxufzPtnENQmTLrP4Ci/EeZqmIf/6NYVtdUpmQtRa/MHqpCVXo07eouuC
0Kor/3LPu52ja0iytzgYS7hGLhy88APgb0y3csFfEq8O+MdGeDX0mLRWKqzS
tlVZlNd1FvtZkWVZofIi9/3M98u4iaHzQLWpskRVcVOXQZQUWV5GAsFhotlt
ukRQF6I7Ljn2YpndHIkuvToYxlRLtfEua4sjf2810E0EMslu3+bsfg/TvZ1z
dLi6W+Hje1nftzdIBJuxLBdVNqbWvcTx2J1hfWTGvSupGvov7o4OiQdyzTqc
nH61ooGY6lsJhqnB3qNQMJwee397edA9fidZcL3P+j9JFEDTi8J0LAoI8Mbf
MFLgwvh2EgE4eEAibFpXIjA0RCSwffQ2ImEZODIhtpR7I7DHbOXaT/5YidAJ
hGVU+HnwXpg69rO4DSsOp3l6vHRrtdxqnBvw/DBHvx3o3wNDf7u13QaX/lnZ
eezk3fWZuWZsA1buFEX7cHRZ9TYmdDfQyIKWYmuY+hb3an+UBZ0NPars9wl/
LvhfYXoZ/yt/HrO/P9+/emMPLM0JaYH3P7pjKr9NFHzruQ3wpn8ZtXkWBWXV
NGkalFAs/bxMkiRv/TZpwixURRI1URrV0E99lTSxn8RxVvtBGcdxEmm3A4YK
sixwCj4JE4mWhwo+jTIa8aJ7Pdo3ym9xyzok3ptx7J/HPO+SfgCdXlWvjpre
3njv7notSdvL2dtSNGswO7qdJlZCWRySrd6NPaJy+yeTKKjvIrtQomG9JChR
OmJ/s+YijTvp7gOW9i99NW2Y32Dzm5wShJ/r9Nfe3foIAssTAsJtLtz/KE4U
CyfyL4PSD4JAlVGRtSotyrgKqjKr0jiKq7JusjSGsK3yuI1y2BJVm2aR34Sl
36Z0YxTG+LRqYTxWQRLhf9uqaFWr/yvLsvqzuFca/w7u9dbMi63nII7TAlZw
lasijqImLaLSD+sibeIiDytflUWeRHmkVJqWeZOTRR2Uqm1y/E9d5EWUtnlT
+spvAfykbuMw9/OwSfK4DhrN22SmUIVQzZogSPPcj3w/yCs8y7MEg6uoCv0g
rQNwzTBuYb/7pV8VdRC3tWqjRLVJUoZRGCRlhNdUWSZNUNcxVp2rIAsr5Y9Y
ZxC8He90Edvlnv5lg7X58h/9b3Aj2k/y01uQynthqP3EXH3h7fSsFrNPsygu
REPRg2vdpGhUKsKmSxxKKemXWJfMo/moslzyJ/D6HsO6Hbv/sB/QM8HlQpfL
XRPl84dxOVOw+hH9sausNHtAU375YH7+89mRS9l/Dkukmc7IoUg/zIMFlmfq
C0gAOKHTA72u2SM25gJdm3g9e/DPzUuX89AA/C05ahj7+OujjvEFfhD2TrDP
pN6RQ4UDDlXVadH6eRsqlSVVRNw3LYl5B/glzPNchSV4ZRAnJc4+L4o8bVs/
ChJ806ogCos6bIOMNNmmKpK0Ae9v/QBMNgR2+KGqfYUpmgxoU4P/F0lcV7Wf
Yqg2LaMEgiCu/bJRFVCpilXuh2CUCTClgC4c3EhB1zPMw1T3X59helNZrXOT
1trz+B7pmLWLs7NSkiEZPW5IJf3zeG54WxX7C1OwRpK8pgMSu8QubzJrnoK6
taKrTndK+EyvFfZianxPpyNJo5mumOgdDju8vyCeda6bJfBhjzPDBwo7J0ft
dw5rllDCl7o/6cU5FWmpuER9P0vrmjwXCoGa3yK3hVOMZnd1K0cOEQV2rmoO
veQV1Gp1Oj/dnITz7RE3fTI8mdIk6GM2G7j8gV2AyTnvd4W/P1ESITqWTukD
wlscjoG7BUHGGFS3APxmIuWvHxLJYYR6DZxJ2JMdNhZSh5lOxUPaBByChpM+
M8y2AA3tuVyibuhaDmImHx5J2KBZjFNIxbg6p7IGR73kf5PAVS7iKUXY1ldd
YoNjBgpz6hqFY/rMTq/52J4rOOnT6CXN4mzv4zy46foga9gzKdMO01rt9Fh0
L0Cbl9oJ3C4UsNEllZ2MYd7EzqbhGW41EczpUXXMz00pcyrrqrPyboDcIOPP
sd/p24mMP63e2U88z7y96xKvzTqGihxFtH/+t6c/3H+Owf/P/5l98PwD+p+H
d5897D95fPdJ/8H9v37+/Ie7T/UTXZNHCofxgD89p4RHGkh+wgDyA+EAPv6J
vwYz8u4++/zRo6VQUGOSfekkCerUrjuNu/y/HfcTPfYeyFSS7rpZcwY+F1vh
0dz3K7V/rcC+/ctQ/BX+ZQaq53hjau541BO3TCq7mgWWlC3xL5O2a01NgOPM
qrt0Xg1F4RJMyQO7kFanOr9O4pnNKZ8CE4+k26OMwDn/a2c6b/7BT88/WOj1
86S6ruMLdXq+c0rf8Tq7M+baSFvw/EvdrG1w/L2SHVyixtljL03cvMlR1BaA
XtnuNZkNPz/ucM2cvcU4UScGVoPFDLoOeXFxVq6XYPINs3ibVNkT35Oh8FxM
wqDWrYcaclHD47yZjR0f5hk6/NE0D79FIqUupiF/vxUJ0n/3//Hk+fd3v2SC
utNR4V/vPr5PL+HPP/HfDdZNRsob0aDHXc4+gJL5gS6U85YGyLEd4tsHh4a4
4TKPKzDKQdE+pE7W4LA4F9rcExw8AFrM3Z3R9QzcAmnB89brkrRAvrmBubYw
Z2BQitb5gb3bwRsf6FKS4aH5bgClnS+SikST84k1wG/IfNpr2+Ua9qvMHMqy
MPJK6TJobtE9jDqRtbuHUIXKoNmFoJc4Y4lLnZsuWiVXD3BrxfJMDh1prdru
S1fy0cUDTKWTenOKVc6B5R27i+4eMVVrMXFrou5XxOvR9KAOn5OlobtdiyY8
4d7QeP/shy/+LoiP/7u2P/FcWqy6RPOMm+vRxwMLZBBwuJhNWOx2FLpSlFHc
e97BpfdiNrzwZVAaIXuH60uy2qMP10ilvl3ZNSTq1T6QNnbSUIVKnjiiVZfh
HozORXOtamY0f6cATTmlQZOaO1KibZKSN+sr1IupA3vUdopFpU5Wa53++8HT
bz9w8/0vdmpUH+L4pjH++rfxGBNpLzKKHcKJPcFYOhsZgkbgLHDTvKX75u6/
2SqlXdVb7gk2Oh77gqFKHsrk6g8qpEG9xanRV1JyTVZLp+tmglP1awqK2cyw
BFGQy6aRUgC6NgaMKS3uLWVLWdgroe2djPzAnRyHcOcHH8gsBqSrYtudi/bt
3Blv1jKwWTcphbNRUjOfyEL329Hz3Hnw7bd+cOfe3adB9sHsjEx2wJMHsyAz
6Fpag4oRmvL8pAKH9+Hs0d2/3p31DVV9S2b6fHM7rPVG3ixNziBV2jGWcP9z
UtinLeDh/ZvWa3duQ4bdgUGhgV5oX0/P83CmQK/r1e5s5/Uszn6rcjYynmyJ
3PYrKQRnoHvNepd0hLTq+6T39plJj1qp0Aw0bDn4bbXab8vtlVvbxxQG33mr
/WxcCF07URiTGrF6y34qvxTV5X6PpmyM11vQsfdI2pmdUTmrUsrtra2TzJTU
mUrm50IbVN749MozrZu41phyhNB0dcquUuPaVGo0bZpUuVvBXGmkRtDFavei
29p0PZyp6kS3L0EwmypB4P3hJQjMXuxpANfubfYvHPxya8HaijK1CzHTW21/
5dY9ZetZfDpypQxoV6V4LQU62kMwSnPsNVIZDU01JjYXJy8As+AvW10xVh8E
1+Y0fWwIBOoEcpjLRLLn1PWucMEuAAHg90ZVNR5IqV5TbFKXIRQiP6V+pi0h
iC4/Sd3yCIWkMiiJgwMb86RoRj9dVYNxNb3dY2/O52Gzms87NvBic6qjJXva
QpfnLC1zTDUPCq1kAeddr5pquU3G9Mj90feDHXlPbD0Qi++DykLdajTekbgl
iaUrhOmGNB4Heu7F9dTMPoC9/MEBgHRoP9RT7D767G21ewcorMSB0LZqSwtg
HVfTf6+siTeyMBeaJE3jOrew4PVDerpSCoZ8/PShH4vu6LaMfvPmwYNn3/8g
7ZrevPnmnq7P+ObNw1A000cUmkEeAu4upts72CVoH/SubJVgP0ubAzVevAM1
XqDc7S7ODlUNM8Q75JKeUxxu1ASU/DVPybO+5vYKupKn9uMJ6j199oyKei4o
aFdxyRft8ekWiJVv2p2ni5dxO7/+CncstFdrqVjp0g9t1Lwj5bjPT8sailN1
NXFoGpwleNlKivCsKAQGXFnUPl1wTvsVSCSbuGZh80bDtyun6roW7LR0XS7z
OiwXteChDpQ+x6G83lDI6TUKgXnnN01EL0Yfa0m77solzA4rJlzqumxI/YPG
QOgyI3mzFlamGZsWBX2/9Rzc+BzinSAq0o/ATLceUvBNdM2FJ17v/mgDuj0y
KfmlqQZcbqG+bLjsMlRIPig8KPf7sn6Js9rMyGdxQrMIefAfbGFht6AiM3ey
rNQlQMq6KGvY9WYHdWP2Ul1BbduuXsmpd7uTZT+59/UXD6jD2v98+uDzMC84
9nbHxKYfZkXARE43xNuTzTocJz2V/JzYmEYHc1a6XY3Erg/AXe49twHhNZ46
rgsMhr9iBR5Ma0WMstb9LHhwx+lDz7Dp2cSmPQfntXORyxfqIP6BL92Gi03e
j4hbRvDb9HpbUonefoeCw4he649+63rFyfcTIbrEQTohNURxZgbPvn/67V+/
/ObfvGFJLvr2gotSk1b8arNqiABeirXdWYFcxBTLI+N8vVanO6PuKi0CT6/6
mq/oZvU1SxduYlpTbjxjn690IwBAZovjlivlT2lbXc/JxbUj77hz1dP73/3t
0VNTecxKgBMyeLDEFd9zaMox+P7mzQ9PtRRi7nLtLL2mBwuGJAVx9AquUDuH
cfUWbkA3KMGx6majxanF8BrI65V7MRXFe3qx3oWC7d3wVccVcPRsB3lOZ0re
2/0L1jyNewAn6pkTNV+fQzixQ4qv0SDcy5M115Hpnb/lWazKrVmt+UK1xpGn
ocwnZuZecTF5HoUlRw04WQ9Px5B11wOO91yXbpFkM5Ap/+ua+A3NvVPaRDOc
xoGO0OLIoXLHcJ2etce30z2ZKUd4mF5lYN1MYOxnOqDXmT4fWrHoG6De2ABl
Vxhm3O219t+WW3lb6ypakPe+JC8r3aNjYGN2uL4t3WFs5TSCw0yA9W4vzYTJ
tWHUd7NS6k6gAyvYicLM1nPtI1tt3xTu662J/CFKvL/6Dq6cdTes7eZia2rZ
89JdS2EM3GnteH2l1+wdcOHuRm5bXc5QZpSkB3HhQlaYY9mR5gaVX3pu671h
x4QJF3Rj5dbVluqs1zl237x59nc/1TkTDzYXv+gXv19hGfWLFenL3wchl7yU
dZj1aRTXoy9HI5t7dNd1zGX0D8zh60U4T78n2T6YVjvP6PZguo/47dzPWIlt
ENuVvTddQqfnnOq3In7bG53VjyaI2fig+oSqTUchQfImnYgUxR5Wp+XWxPUQ
ZdjeiPeAzFtnF9bc+XT2GpvAX1sqR/1S7elm+XPNOdjgbhRwqW+DPKznR9pL
qNsm2GZgfbpek+unMWXED2C5aQ6Ct0a71Y0X2RbiuvfSGr62/o2Dahf7JG1Q
REC9JTWALMQ808S3lYq/S7AodivKRzu29ManQoS+m1FnIQqxGHfKcHor0JQX
1AaSZcUHKwim7QcDYK4mGMaCrwRPrxZDRVy315NRqaY/07jLLLkoaAsl88UM
VASd/Gx3Yvopma/oD7RvnCP+KnXDoJIr3X2XuaL3xLCO1RmJtE07PL85do/P
jVeFy7Fz9S0IPD3J1cLrz8xQMzKF/qQ7dexnJ9QFbMXq8fmG5KSJOuFxjoYb
34vyw9FEunq6OYLzreIls+b5RFTrwdpNHxxTq3h2wV2EnEZy/fepNdBnn82e
ePMR74FK/npncFG336UINBZMDiYYDuFwQ6/HDekQxgxrJxQw4kQ7Tqs1YCfK
cFjPCFoScLRjnsB7NDAi4abRUZDAnAx2wkfjlTsXebCwvsk5idPH3j2QydU5
6XAwdhbCMG7FK8YtvgSjR/5gcQS6PaAWdFvTrZzwcuQf0WoTO6T3pqpdbRpc
PRH5TdYfGaZaE+0vR7S0oV/Lau+H9S9zKSEuLBHkB91jvWvbnutrysPlTTnN
ZtbBpbWSQZjEoSqCVDn+DOzoVK6Ey4mjJbrb7BwpNaWJiqNoISfCl3nCOGkx
3nAxxEK3m1dqqNQecAhKc12wK096ETjmsw2XsProdZthG+r6aLQpIMEGIIex
uWT0SFAPduScoEhKk9OllOYUjp3tzanoIAPpcHDoIDKFWs5yz+C+9BaWPXEe
Vk+YqIXO5QMoulTuDOguizxFJ8Q4N83sXJ4PsdVwCx0lxp9pgvRMyXTF4ncc
uPDgSCJhzpTpfOV2UaxV1whaWwRe+PNLsyh+rmu8cwjs+dHsk9lLriAvZu6m
NT1bpcEUFeDYNBenm9m5btb1dnscSlDNyzxiqN0W9sPWyrKJPo91L16c+z9P
ZhIO+Cj89tkTacZnT2VvqlDudtalJ2dNvkHl+gDdDdimItRyj+zLqcCdW7Av
B/u0CTk10I0MrIfFdM90O3of8DLn4rEjXmYvEu/98NZXCwsK6X4ouEiKx4la
UsB3M/ClipeeZZ0bYHOIvdj+1qWpumpuMdX2TF9ykRr+xZMfpEU35Hdk1/FY
bV/CGPmiPDspqafM1FK474ba7Xo+UQn8PszvMOXnXzx+4idsSbJbkm8w5oHo
gPNQX6xM8Y8xj9NHLpqnZy6IO/l+YJSHztyzeXRkmuMRX3p40/YXU6N6PZuo
26Tb+jxhjxTdfKxqEPF2Mb0bq1JWPz33iRQlrtQIB1ONlw14wsLqdFO/pF35
SyLmnQ46v7jEwsgj7roo58KyyDV4QX54Ue2oEw3ra2vNQjViaz2LJ+DlrLD3
2f+gqhmrkTSXxYsmbvqps1x+tWFP6cOZ0aKgTi/0ppYULOtc8re8ae2gobG2
9K72vphWn+LmYtarF2qvZPme6IL56quN9vh5whHBf2mv0q7ZtHmyCQ0PDSAY
Ip5x2JgpGSp6YJrqBWO27AXPW4r7nZuX7aI4thlUanIdBObCcpm/zgHQ4Mg0
gLRsdWbQq1Y2cFoG0NGrtuixQTNe9OED0VYqBMdeZ06wlWUWJMGFfBHiYYLL
zXZOx7Cgw5ivqMrC0dFsDuX/fBb4R1SR5IVuiciB+92JsbNRxFpNeSNaxX1Y
nrEjudG3DnZT1rFtd7z3nJPjgzH3/FvV6cynq5fQj15sTHs/WM7sJOB7OsLN
h16J8er9WMnXZ0HIrN3mosd0USjTRCk2VRe1ZF1p1DBIOoMtzy+21IhwQqA4
N4lX4npjxQ1/WxpM1rTGnF930KOD6m54TAtnR/KI+63ekmdtVR4KTZnckPEy
j2/a9LWmpwPdpfXUzOleRSxpVb+UWB0Jnan3TtgYqEhnY40+nYhf7nraHJb8
o/ZXJMNh+MOE3f7GWQCDXBC6Yhx/ZZrK63OivY92561GUf6Dm3Gx6g81TOkc
Bp6uEc5SiD3upPoOLqohGWh+AG/VzBSH4LRGfZQQi17MwESwh8UYwgvHCumS
h44ntaUO7qPLsIPV3QUq3iRKuBHKwhGZuduUkvFH+/LEA6789Fw60Br2rVNP
mEsxp364GBhYLI6hr3DfJ45LXmry6S7N599KcM6hTTsxMGOby5tUGPk+iHjt
loGpOIuAM5e4f7z27VGjyOrC1EDrrkt15JcQN2seENdL1kA4rRnK8QPnEu5Q
q5vO4WLP16XlYc1+Pb8iHaCeJGYrX4giLjR2izgcdqJi34Ue0cSc9pFVrlns
IJQOxMfg7uV4EGC5uzg5UdQQiW40bC9H5hS8apYcIzLlmQ6dLmtWpxy1SU4q
lt6m6279YqXIyTjqyie6kPRmElNrf2F7JWkhJDbbzr1VG/YT3r3g7uqzF6uT
F0tJv7SdTO8ML9y4CcAJq/TQS3YS3C9EAeTumCvv1qEVdklfnIjnkJzXzLQe
imgxnx9LSKjZ+MTrVkyRn5dPnD8o5Z5612uQ1buTx8q7WQYAuEZUWo7YP0/V
WW07T9+wPpQ0sYfhEbEA8R4aHYJBYoHk5FPT8s0A5u9B9yN5Jck2m82fCYPi
XLURboESJSS714tXYgjF+Bt8wnEAfa2FR5jCUS19p9NlJGJbggY47Mm5vOVW
c6N5R+lUNOXDx3c/X8oSdFRKQIbrp11ap5aAC+40ofcY6xD474fqze4gsJyD
mz3cbRbGdunyqfBUHPyfzR7SD5RRheOg0ziSt+w5dqzSER8zIz70qfYEDVs/
V5LS7EQ+98wDM/wR4eJZ+VLJJe4osNPgFY815xuL7lOqbbTrvDMm0oX5MKOf
AZ2DMiIrd5MsV+wE4pwWnfsIxKM9nLFcsa8IWCiwY7ciLdpCTl9mT3EKSRif
zZ+IuaVNldugvEvG+hqG9yv2uvHJO6hh+5tMItH5NQvoodH5bgqNzncdGmn8
IVTSGCXGlM/G1EGsGlmcfaxqtO4CpGI7Wr/Po4ldwN/s/svgF3/REYt19jnA
soPo9sjGGiPJzRoF4C7DbNUAxfbaHcWvDbiQsLFe72xxlHHmKi/CQE7E2UHQ
auOPx1s5vSslXxxm369quyF9dVLXd0QWVycodSKLMzNfDLwur3auETzi5gf3
SS4zS1xvI034XS1Spjn720kUKzlsz3BuUj1GjoMZpOT6YrlxAwXfJAbOJ8XA
+eYQ/WqCfbTWpSJERnXAwnFMb2UxJHLJflJdZE7F7vjZ6WZ9YkpTVOauWJKv
2ONE7xjz+0rHbcyGFRiOzSqdlstuBJBtcbvtJjYhbBpPdT7Wai0U8c4siocZ
sKnfx6IEt1w29QezqC5cwACFPXwDudalXrmQNlQPEM/Ksw2RChkPDuAltVfC
Ik4uMOd6ryzTGLIxEwDwI1hCKTh0TRIx1khusPjIuKV6HJQkusNFD7JO47E0
OrI4kPZKXL4HfKuaq2rP5FgFmEZ7gUJ5yvFjtdoSQE8lQfEAJLTjmW29A87A
hQkvBO5ttlrS9Pd+3b53kxu3zmU5PjZlyIhyM4qkhMts/o/HXyyJW72l8n47
Tqu5vehgzBLN/SJP6arUEzF1w8otvHfRUK/j23zzaqKBCIBff/EAE8tkSZ5y
/kcv2pU7CmuqG8rabvNmSLZb9G5W+gB0W16KO5JAYh6LIr9HLs7+JU7npRxu
V+jnFs7UXm6t5fnaLuEOeNp+ueVdNL3MV+mS2qB3qnfItji0ABhTVyZmGttc
THAmsbx4uLWqadXbK2nI1/X57oH+e0rG1mV5OkgKqhAomUQZpsKhD7DE68X7
hEglKYphn9s4ms9mH3xx/+mjH+4zZSy/vv9vyw8cc2ugJw/HsZLZHfPI8HS6
GRrgBGc/9WPytpse9Kf0gG2nB/A7ZsqFowqQs5IKfJ3SUMLqr6Q/u4HlT92u
e/zXCRrSGmOfA01ouNNVJBwTjUfqrn52YpRpO6bTJI08AG6T9kXx1Rr57A6E
TbokzP77o+OOY92o1C9kVGqGDYo+PZN4E8sfF5OsWG+VeJuQhZxSDzt5V6JL
aGheI720nBCRyZLBX1wrMOQ41ge8lJoT2nR160CU1WrjpK+LUmLKEAGhI8lF
qSz9bcj+IOUZRKJDtQzBOTEKHDdHYz3ARjti764uSzR9KK6QkVMx5Zf1Ykei
e+AUMEfW8Y8Dp38dzI1Kuj9g/zPOTUikAcRFITzdd/ex/M39yz3VqqDfDbpZ
1iAxAgShW1EBX9C7Y+qLXIn8NEG1ms5aa9Jo0JrZZSqnqTwF99pKKjTeo68f
H9gE3fwy8euoSrEVSE0xiDbflbK/M94Hl+Iw1Ru7HEZTa03CHQQNZJ5zISRo
mashCLqb696G9WZdXLpe8GGNrD4+efo1x/Nclhw2Qds/kqu776fqCF53RWfq
Buo6BE618pnp7Svu7an6hHNskXTWo4kSRNK5QrfAtWBz+P4w03p4ndlxDh2g
QitX21dSv4eArUMwj2d/51AoEIgjTropjdk+qrzo9Y62V3LRCSHnRHVJGS87
swSMhTbTbLY7G0cKSHAxSROxIsnvEknvZuvMHtNNPIV21Dq6oX8rWTav6Lpd
ag6RV1/u0Hlhiu/HCQKDhfNklFlsQk1nd+uX683rU9Wc6KH4OrG8AJuASfia
jVe6kdfx0uuXs7tNeTb7plyfnCpZPV8vKjAwigp6TffVF+dcJtBJViCU9T7v
el69ecNpDp96XwDg92D5vVjMPn9B3YA2hFuzJ+V+T2b4PbX+dyrIN/tmda7r
a36jKCBg9lRRDq64PLBx0werU+R2n7JP6Ivy1aqx48DqLdfAHMx5sW226tfF
7MGWdvWFWlMk8TOF9XyhXp3Sq19dEB+efbGFWY2l/PtGbaEFlyWJg8cEk4fl
WXWxPVnwLh6W25crCuX7AtZ0OXu4OX+92TQUIwQy380e1eUWVvDddXM1e7I5
vSpfbl7ZPz7ZbNc04+Py7Gr2tNxD2FTlr2V7RRPVL0osmCtkL7wHwJrz883s
B9Kxt00pMCFcucKz9YuNauVQ1Ok5WUVb9WqlXu8kPAaGcsUJtB4nZUrgBM7Z
8z4mO+NFuQURfbk5bSqFXQFGOI717G/rFVeHARbNT/iP/1rvjquLY8D9iL+8
f1riWACVp5srnMFDtv6JUTqfAiG+ARFTnBJeP8brx1Qf/V9PqfTY9sXF6XFZ
H1+8lAFp0wpC/9vt9mI2P5PfjkHJF/8K3nDcbqFNLpdU17p+6dFuniqJHqeE
BTCyrfyqQwlJhzpVZzrH4FzyK22NFBjR5lqaYgMmOrnvqM4A5KWO1NldVP9O
4SfkXqIw3XOSHZZK9xwSJr9TUGq5pZSX3qWoiag1Wdmm/nX9koptcCGKxn6r
qxDolHjNOkVBN1nO3UXmoOZMb1YdA71qtE3mhI5hqdo4Ey5IxRdn65ITkCAm
dQgMF81ghmKvlVyImkIz5LanbNauwMyoVsDsPik69PLa5sjtukxtUr5LGzPP
6qrxJeiSfP3RuESJTuUZ2qxa+3NO2WNbRwf6nmp5sJ6tP525SR/4UoyZj2dP
jH+Rpv5YJ7dCIjv1tiYbx0sneCmxq8PUbQjVrgPlSh/tvldxQnYvoWjEodfM
2YBYikKSdYA6Tv3F6pz7odJhX/DdOFfapGRavssxK+95TIzQthqHCXFZUHUg
9mySSqw1xE+BUVwEipt7vqRL4H25I7WD5JCVMC0EAEltLj8Dhu6kg33zzA84
p03wfeZmOhtP8At1xbfX4GXn32++5CP1xOySLKSJ1E0TPGhiJ0Sr03jIx7yi
kLvVr5jSO9+pC0hiMSq0h1ijFZWz3Yt/QQayz2kUXWIIQ4gz8ZKg++DYe9TS
j4KRl1CZOFO+lPuPQXmlPsIu3EpFUlPjeMYhLa9XJFus40wKUbuzCovZ6jTu
Y+8Zq3rWhdN7lZDHTUiVAlbBX0IOceqpVX16dXSb/QsnHKZzq+85v2ul09T2
rzfH3kNT0oPx+GLNlbo5a9xErstJO6V9Or4CO0dhPQ3nW0iOl143JfrShpfk
D+LIQ1GKT082wLoXZ4tBTaoeDnBNEjLvjauUsJoKp5gEfcCpi+4CKe90asdG
p8d7vZRv9tG9LkmnVjaRSlMQlISTzbo6pbBFyam3ufRUw7V+sVr/qkRCPHtZ
nlYlJb4+027GvcEwh6928aBYxqRUsjXGbTb0wpRSUrR/PjOb5yBlkTxhkpzY
sTsjcusOVUYFTtn1cfSpPiUQkU7c6kWq0q0Dl9OQ8upcZYx+14JzY4KPTFWm
2+UCt1K7yZlbPBCSv3all/hRfy2L2RXZBLp6M/NKoJZNkuN0Nyl9ZuoMeO22
tAG3+y65m2SWWOaOsnxdbrLcYpWdPbH61amhSbivk3W5P1QJVN9vln8tFTTe
k9mwuZKBJRjnX3Us/d9wivj9b37msFHOKeDE4q1bvm+QBTjKiZZIr4MZu2Yr
5gg0zLVMM9S774wEj7k2J+vtevmFH9BsJJfK/cz5C/WsMI5rNrlY7nOtQ0JT
U/tSKP989tksggZIISxHn3p/L19wVedGbIaZ7RfjIEpvuF6hZR5Sbop5k2aL
utGBjWCTsTkfnWwD2AIGKD2K65iQVYKodI34cmDjndOZrE8oG8AcKbkkrt9s
KJuNjuhQHvjczItNB14CEZgE3R1aiRyPRXWDvh7PXOqKyTdPzVP6hXRilXx/
DsjcmaIeHcS19mnDLVc7FtiLma3P7YFMnv3g6ypXD2wdrK+/eWpLYkldqJL7
Jn7+dRDoFBI3c451e8rtwsp3L0ohP/lO06ZF5wdffa+z6I3G4blHdNvDsJhn
1NVyxC69ZvVqJVetwEy6v7ouq9+01OgxBUbIbqUzbbx0SKW1Q60ffeDY1YsP
TB6avVzy7JnPhme+aZrhLu2+tPBv9UV9aNI0TEUMx3anQ/rcdjqtdGm7Lh/u
8wdPv1w6JZg8y8+chsKTYPrm8ROmZon95UMfVDzwhH8bofaORGbPVRqddHV7
6vKV4sJjJ6WUPeoCYHU8fp/uLFvvKmrsbNaCiRtg9mC8xpQ2sLXqFVlXJuNi
w/VsDoikY3PpWa53PYRYO4q6LaJJaGAl4/Ul3jqJZ7U+4oDXSwcqUrzbnF7o
8GWdFq3N7GPdqIA1c8GK3nCciOvehjKv+cjqh57NkWrnD302wij9Er8E+hf2
I77edH7yns238x7KBffDYGT70XQPtKFo22zIWw/sCQ1MVZ3srq/mh+TWy5fk
oL8pBNnRSUvmsy09tphNb/Rh6BietNUnNgtFV4chn/KUCayDaq0RPLF5a/jq
dNWtVFDoNXKZGhrqj+W6HZc1dQyJgvhUmU5MicFe1Iw5XCosYJnaav/2kMRx
GO2Ltvv1ijLyvv+a2h5Zgb7l7ND+aujljsna0GdvKPyphYwucrW1dz0THqQp
6PYhp6slLq6VCLv9RXN17RxmUK+n+5MBM6xZ4KxmQYQqRrshUzENDOs0TLlr
ovF4s96fgANtRcHaD7pgGwV+VKGCXr6LFbwou+3dffDd9z/yX13FTFJexJ11
PCjxbEPbuB6MvlPRZVu747AsxuuqJu7ZLWG7yM/efMidz9xnv3le/5XbdaE3
/jJddORMLZlOPCE2GyfRc2s7Im7Y6tVo7d0dhjuvtYvNfrv02qUuU9pFQWuO
KwsxcVtO4e6pkl5znTkFnKIyDNpXKZdNbvlNU5pWalngk7aslYkJPlTI0hs2
Y2LXlwvzu08e2Xa3EohLZdBJMs5veRwLr+tqFh3DHLDXqfyQfQi7rpsQmRm7
3hq4gd7xsDRGb5XWcWiaikzV1Rol4vTLzkJQ0CHsDPPoJVc4pZin0rA4i7iL
QgRB80KkmOBkltWw7Ykt9enxJJOxsywAicOOBhz6lHm5MtI75e/9xgz+Spc6
NKhNKtP5uOzw9JngwP7jP/5jJu47CoHkqr94rffWXEJMntg2V3e8pU75PQC3
+SDux8RrmM6SNjPKLb7rxD0RGg8KrFOJssm5qEHfVJUZt0DD7JoVuTslJNb1
VB0isuEbQ6Lj2l9gBnekUpNbH96kpzqrOPa+ZdZxh5QP9tv3ioH3BteKgfds
r84B7uDY7O+5pKp/NgCkjTpdzNL4iFIXnuCd4dbmvUGOKAhbSlfMnhAeeNrl
eYB+TW7NVHdAJicjZzyOtOh6hrE7t6vhpZs9rORmeK1UQxUuDTkOmg3ZGhHe
KNlw3G5s0QUMdLUlzh207Tdx+sDd3gf9pkyjFneDqdxmLx88xff47YNe2xLq
26H7JJouEqtxrRmOIpiIpJLAC+qvmQShhDrYmqM9AOr+Ib2jNq058elzvbbn
T799PpDshvsbqW6lAeGBHNVA/i+cb95SzHs9MT+bEvMy7FsJeTPR/4UC3kL6
fQr35PbC3Xw+Ldjt6v6fUP+nEOrmPA4LdPPG/93C3OzyBkHuEtd7FeJ24N8h
wIMgtBLc3c9bS2+7mHeX3LN3ltzeWzUKfVvJbbb2e6T2F/j+fUptoICV2l/f
p055N4tte762Xx++e65XZmT2UxNIwlcPxgbXD6lH7bD1klxnbHufCad1Y1Pd
Dgf7jTd0SgAEjtvCuCi8LyWabtqHsTC90d3VLRUVCPak2ibXvtyYErzl4K68
m9DrOjnrTxwCpp3wn03x/qm1aPXB+Ht0RfGprR/wx3hjdNIvLm35XwcgQ2BN
w+IMb5nSo971wPi7AqpQx+7dbnY9NLweNIYLGQBiUGbAJKU5X7ELeBIiVKn/
2jvQrh707MbegUeeiVoY9Fl9MIV6C+Ps7Pz9IwAtTJgR1dXbe/1ddUEku5nZ
R9elWWad3vZCV81Uo1n7M5gbC8vKnL9NYJl5fX6QZjjxcFNxe+DyAD5YZ7sp
Hq0jhQ/QxGMDPmDEDfCj9+zXHfC8MfA+/HD2JfkiV/XNW57iX7zbSR6mvfMY
uFq5/Kwrv9KfgTXzKbb1vSzYBvI5kXule4M+uOynT4wG6r15c+/eV988kbJ/
39vydGG/LPuiN8FHsukXWBdVIZIQMtmGBJHR0XrOAriBoS5/eqJKSdoW6Dkc
a8R/hQV8tOtZWaZtvN7/JEqMFEZJAfl49urncPbJ7DX+pbp1n8wa/exjeiYK
B+Vw2GOheBBTP3N/iBdNzvY1xtzzPLufI8z0FX7f8ew7mUeMuxfajGIjzWa0
6xihiertUunNrd4u1031xsat2IuU4Tq5tTeYwld8d/8xlSAHBI5mf6GfoGYe
4W9f42+x80T8si6SWn1TboDnVIvUNqqRO88RgMytiHzxCoqR/WLy/BhPdK14
WvErAiNWtcfPr/HzfMeZRLTOHfYQHHl9ccCllk3JT+n2RPWyfeLfO/ppGZgq
j1z+V7Tc9eaMuIHcmeng/N5droVD7/pWsrkfDVqdsPaou5uNCaS0xa1nNoXK
04DB9jgpzwl84zg10xStC5OlMJoDty5yp2q1TmKI1JViSdrqsK3M9B7p8txQ
uET1DTYxNstID7giuwys77nmcYIf1hyRXxfT7SSvoZnORBEo9UZwS/UeFBJk
ruxfBYxJQBkyRvavaC56iHlNVuKHBqfoIdkj8tZq/cqf48cj81ZA2Oe8esTJ
yIyq9MXHPK7z7t5LzN9f0b5ms25Gwe2U/v66+777e+BgetZtAzTg5eaj1+6U
ehsDIinoXaUnIHrwAv9Yvv788bc/zF8D7RYzdURfy9GPTt0LAmuhyUkIN5Oe
UoRXe5z7Dqf8WheQlgCAF11hYBuKLAWF3XLCLMzErrO88HZ67fHRQTY4zWFG
8ayH2ZfhmyWR5lcAZUhA/Zosc3myNE9u5pbX8b6+xjvFXkcrG/BJMsHnJNde
87EHWNlr4ur7/nPCP/3HI6tFHGCcryzjfE0/BU4H0pMNNilx+KKF2MvvsbQe
yyRPa2crXcuolkt9hyuOOd6k9NX1iKb4E3S4azXbSb2NrZm3FXzvRyfoH/3l
YnZlJ3AY3EjFnZzsiie65InuYqJL/O89q+IYrGHb5C6hRwR8+OpnRmT8/PHs
a/xMPWfob8SOvvqZ3ijoJ34nzPiliF66lAE+Ztb6VTcE/Y2SyfcddRguwL6s
IUhlxxMEsJjEdJ6Dt7aUWSON61f0B+9aE1E8ktfZfd5b2X1dhRpvSlX/cPZo
t4FIvBLHBXdYIzeOdX2sdpuhtdClSjI1DL/fS5TReZikL6U+3r1vngXhMsoD
T4/tttyTR6Znk5yAVBC13mi6DZAo2JbjYRwD6XgUSjs3sbSUBGev2Y+kE4g2
6HVvZhPKIe2k1xKu/+8649DJg5DuazRy93fJk9hxj1UdS0U993YeBySR/26t
zRsC81Ny+xsEarZlS4IEVu4KWt2V9raHfChLek4hQBzl8owcYG/ePLv75X1y
ZNTb1fneM3588f7t9CbkHFaGv0RL52BM5zx9Jt3RLu3DWx/yxBlLBu34UJ3R
TUuuwbKIzuaXH4G8PmKOcv8jAlLHYe679DXwWI61XmYaRPOXPz1fX5yB8C7J
MbvWeU9gP0vzp89mL396Pg8WEelIlx8xN5InoX4S2ieBPLG/+0dmJIxNs3Uv
h4OXQ3pZM5urj/CXK7Oyq9HKrtyVRaOVRaOVRYPJIrOyK2dl5vN49Hk8+Dzm
tYq2IvdKXQkck0ymocfFQ/t+JAMazOpf5ip6l/9rSvovrzM7XiDjZU3UxHXu
V3UUBk1SFW0UJLUqs7aJ4zppkiJpwrb2qzaNqiJs2rYN/Dhug6xOE7CdZXe2
NFwSxRgob8KoDaNYpSos4yAi93CY1KWqVZz4aRDHfpTV+CeIVV01fpVETdE0
YRra8aL3sd28vgXU6TwPQD00UG+iJMuCoMAy4yLIy6IusdG6qrIqjf2mydO6
if0iicM2j/OsKVqVVlmcZHmgqrio7Hga6qopmzpt0zjKo6YOmhbQqMImCSoM
ESaxnzZRiqGDNlFxUFV1EpZJmgYhjjBtgvimbV1di0yR2VZcNWUQtmn+lj8w
lMOotuPpbdVZonycf5PUVVb7bVk0fpnEFdbtl2mTpHFWVn6cNmmeNmXaApvq
wm/r0A+aLCgjO57GprAo06CI0yJoi6DMoixIQr9QbZoEoUqyNAvDPPJLfF4p
/JOXWZqoPCkLIJoqosCOp7HpHbbKPwhO5bcB+zXYFBuwt+/2n+J/i6iy4xka
Lv0UhFdVedUA29omUYVK0ygEfOqwyAHBrA6qts5V3hRZ3rRVHIKs0zypwySL
7Hga7Gmcx2WZBWkSg2jDuo3KDMfalnmroihTfhk1YRCkYes3aVgUZVa1eVCE
VduEOIKWpWQQjMSkVVZmX/YkZXW6C0I8Xp4EWgsffvyfLswCzdB/DoJOePnm
mW+fFfpRgSfHx8fXCTb7Vdj7Sp7k+kneG+d3yLwgMYtNOhkXm2dx98wIxyDq
TT0pAe1Y8cRY8cGx3qM4DILST9qwClQeRVHsV7lfBOAmTVHkQZInaRX5kcrz
MmwyH2+2kDFZlYBdV7EKa7wQ+DX4VRuqNGxSVaqyDlK8E8Up+PZIXAZZWMSq
iVQRR2UFAkjyvMIPYQDWlgc16CxTWYK/pGUeB1mbgCNFUZ35DZaYVnEe5W0I
1hcFeR0lKZYdK9UGVVRXeVRVQ3naQBb4SVMVYHa5gqSA8M0hlgO/LMqgqpUf
hXEWhUVS5JFK0hxvJX6g6hQMOqmLBLMoUGvpF1h5q/wgK9qiKetCNXXlD8Vt
kOF7EH7a1pAzkGDKT/2iifxMJUkcAIgkkNIEm2uqNkxo4RD3Bf+vn0dJFKU0
r4oCP4O4rJMqynPIsaaowPM7dSHWcrDAstIyCoqijeMoTeOwiqsIMi/APuKi
wM6LBCw4ydoqav08VapKsdewxTnlBXh9mAOY2HEGEZoEQRLXqijrPIfeUtjp
Er29NCLxlPhNFgVR2wJRAhIebVZmcVkBzjiGIAP2JGFWFBWAhFMuADuV5m3h
l36OgwwbaDJZ1ARF3QRRHdQAV5qAz0Z2vlSfXqqaNEmiVsVxExbYKHZbR3mp
8H7VVlhunoZp3PptXqug8H2cWoCZaqAKZH0DrSkI8zrwkxAqVNMA/lAPyiDC
yiCOzHSZOb0qJ0D4QQlBoEKVZ1Aw8rgJAmAlziZJG5UAW4GgcVMFZZqHdRoq
TI9HoB8gfJ1jKXkbZ0mJZdQgFZwEIA+IKjtfrpUzv4nqFrK5zPK2jjNAqqJJ
ogrn6jd1HFUZSE0B5ZIEAA7rpEjrImQEblTclsDbFnAhRCuwOKBMTnQDeEdB
R3uFOb2iCtpcAe3bEqcdkq6RJQEGI6IKoUBCm8z9qPRroH6RZikUzKpsIRmD
KmsJzfwqBOKDaLKsACzjwE+zSkWFD4LoaN0wF5904tLPCtBZpiBOG9Ag6AGG
V1L5DVbR1HXTKNBm1hZQcPyyjVLfj6ogzgkrANAMS67DPIEOXJdp1rRRG6Tg
RFAduwk1d0mVj3djIEHqq8yvwDOKlCSjahSoOIKWVDRYCBhXlFU1NDDo5QBH
GNfQFulTbBS6fBo3EXQmqKlgTkAD/NOEYfGelOG8BmYmYEMwBYpSBXlFzBNQ
bqAipERUicJvZQQsw9QFcSHQfgb9owS6VUmSQwGEyhbFUdPmBdhEW7Ql9Ogw
qIJ6qCuD+NOgBPzwYQGcwpgxdHHQG1A6jdLMj8Faaxw6+IPv134AGgsxZY03
2ySD+UGmQJyC34UpNKOkzsMsVfi3iqq2tfNpllsBIcMW6mUZgdZUHkDjgZaD
N6HqBG2KFcdB2iZQkHIwgBanCjbpg5hL2E11AypvfCBfXcQtcA2cNARhlQkx
eNC4nU6z3AiqGAypMgFXwLQ42bKEqkfmEXYcA8/yMCacqaCPJcTfAP4SZw4g
to0PWgHe4Q2l6japYWz5jcoLqKsAdd3kdjrNcYOoBAWloQ98COIyh17e4sBa
DAA1EugJpRxqPIRL6OOsKsxSxTFJV0hSKO1FBUZWQdS1EVk3TRJBPBRg80kU
lmGg7Hya5YJRJgmIFrYgKK0AM4TCn0Fu+mmNw8CneEGBwGBSNTHMBTCNWoEy
q5y4fAbx1+AXUHuYt0FQ+zBBC/ANmKN+XCZ2Os1xsyysyxJMKS0imA5+G4FJ
pPgHnCcLgyTzgRHQWNskKiE/oAOAsrGxsASJFWT3RrSVHJotRF+tSD+O4wJi
BypxVNrpDMeNy6ysQ9g5KWBZhREYYIsjy2IgI4RaqjIstAZeA0tyQI0eBTW2
kIOIkxwmEkzuOC/AolUIAg9aGI9FVYGvJGXSQVNz3DLwccxp2cCqanNgZxFi
xqbEkZVRTVyqzRuypdIAwhRsNQD4wHXaqMghnf0oD9O0CMuqApxBOBnRAbR7
HDd2ENjpNMcFd64DkoCYB6cTA9VSFakqImMUi4f8gBoFHoVVw6LHnwHXCBYG
1Js6SGCBgbHHkOhZniY+ji6NSBpBNwHX9Mv3ZMVC1BSQWwG4HBbjhwmg2fow
1CGfIClAlyQgVAz4pxDsYEBh2UIOgYmDAUV14wN62AW4AYAYQnjlsNyDIvOz
CvJsaOQGEfSSFCeByUC4IAHICcguGD5VnOZREIZQD4kFxS2Z9z4UhxSsDopL
VjZR3KR1kpIzAVwGOAOdrCCVEXw6hipRpEMjuK4BvaosizQFDbVAwzyGflBG
MPUKYh4hMCcF+wDModJGcVwB5iBuOvoMVh7YAwg+r6BIhhEIulVhjC2HjQI3
G5rIkFZpBKwA9QXA2wz/CxFbNlAl0izJmjiEZQhBDz0sK0COhcKCFEnUJAAb
h1T3oWGQBZ4G5PZJQf51llW+Ao+pKztdbGQJPm0bBShAmkQJhRFifeAkUKjA
zYhhAK4qqqHWVnkGJQuvQ92OaFF1qBRhPJZR+LFPGncFHgUSgdAD8+2mswpg
iulqyBqcSJWWGChQOMIKBF+m4H+g58Zv4rItof1WTQa0TWogSdlA/wW3wNew
qwl5wDqhUReg+bICsUWgida382l2BKXSrwrSV2ry4lRhXWSYgLQPWCY1WQoV
RBdwLsChAjGhsEClBI5EQJ6MbAriL3Hqt3GQqLpIcT45GKoCx2lDO51mRzir
GqIZmlxZQS0GRyvCFAwbx1CnYAYZNNgEGBdVTQMODvFBrjKgalrnMfRQWC1x
kviAHCaIoGdC2a+BV9B6W4hFO53mRgWUPh/ivwFq5sA6iNwCykmg4ga2CWCK
ZYDaUygtNAWkdAUULoM29OuyUin2kED9Jvz2wb9wNBnQBMjSQFzmmZ1OcyMo
fhXYLUwD7AmwIsg3kFqYDLoloAYrpwYvC6C6pkCoFOaBylRD64FUAX23mZ8k
TROrClIvhGZYlgqcGcZAHXVnZ9W/ArqDirMiyiDnKwWFrwEOQlxCHlfQWsgx
ikNNCWkLoCVWRqYLmFyhYFdGMCyAFWDLeB0smlUJ4kY+5FgQdadn1D+AMk7L
wgfgoDtC4SmgYQSYTDWktdZAD6hAVQ4FwSekgNqFw4TmCbGRxjAEiwYmCTAF
ErtJSXz5wIcSUhWI3Vj9HRMaVSeAAQDUhAkESQy2icMvoL/GYOOwxzIi9SAs
oaKkUENA5WEGAQTExzpBh5ghB9UHRVCAjnCqTVzjW+hCgJxq824+43+LkzIq
YvBjcAboxuRY9mFLgb6hxUPtyMCDocRhHFhGPqBPXiywaNArdL86rckIa8CY
oGykcRw2UD5aMo/pZYdTa+6S1FATgdIwv6ASBH4IjC6gU0A1LMEGEijuEQgB
KjXkU5o3BcgVw0Vg71kNO7ciLg/LFSpD2ZIQgxIG8ziBdRRCKenmM+wFI4L5
kvXT+iDvWJXgWmDUUFpCaHMwLjEbLCxoFAQJ6JjARujpwFicQVil4DdhBm5Y
E1lAQFdxkhKlQJFP/fflf4R2EIR1DMEP3RxaC+QD5FgMZaTxVQnZBQOSLEVi
/j5mh2oZAeJVUqksZDURCAp7sE2BhlAK/QBEEiY4OigdMIiH/kkSdU2W1GTJ
gN5VADqtIAbjqCZtHgwN7KdtiQzjBudcxoA77Mg2TqC5QSUCDsMigjkHoaBI
02xBXiG4f1yUftQM/ZewL9oISh255kuo+iBzIBlUl1xVUAEzsgwS/BfgKTQV
WJHQtWA9ws4jE7IkQQc9HkRYkLYPzQwaId1RVC1UqdBOZ0QmFK0mzEk4wSIh
ixYqKywLcIEGdnYAvpDA4gXPreom8lUQQmODzqfI9QFqzcIsSuMW+8nDgthZ
TkIbSkictAnYiZ1PYzU4EQi7gG1AWnsMuV7XRRBCH4RN0JDjJsC5wqiH+VlV
fgJDGUZsW0M44z0IPdgqoDa/Ja6imgaIGMSQPLBBfBhvdjqN1CALBbjD2kmb
ChQHSQBNBEp2Bl0HCmDmQ1bXsE0Sv8mhNEBMQVuoYAjCRgKRFtCCQKENmaNQ
UHBuKfROnEkLDlDWdrq0E9FgW35ekvcHHAJaWZ5FMYwrKM1xlZChg8FyqG2w
K0CuTQRrHCwCws1PyJbBRD4ZVFVAbLoJyF8CAIGogYR2PqPCQ5NSsBzBg6D9
K+ATTgnjVyQjWuB+QqoyLFrIrbhtshbqL/4XeB+RbRlWUMFJ5QfbgsIDpgHV
CLIanAbIrqwPKjZCE2AE21RNFEEmAxWwukpBVSS1HbZdDFO48sE6auBGgrFh
6iVZ4tcxhEkBgxqwhoLUQjUtwhhKfQoNhG7PAP8ogeZi57Nek6yECgZVEBoO
bA9V5iGsIZgZMXlayMUB9R0mEuxkHBvQ3M8xLwQnVKG4reosghiFTQscgGkE
oz2FdZ9DvBcBeG/SEbu5VIJYhA6uFLSspGpiqFYBjgZyDxZnAAmVQvfHVipY
9bCrIfGLoIqgGEQphGWe4eRq2Hewb0DC0Or8FmKxqIEFMHzKvJtPc5eS7uGg
3YCz+hBKbUIggszPa4IaMA12eAvjGgIYfDjMgfgFXQ0qUhWgRhKVg9EBCKqq
FNRsqDLEZ8jt4BcdtRuhWcIiLpIgrjMwAyimsDOhtRGnbgPi63EEEIF8y6aF
kZ1mTVIrhSmhjkN2wy71fWJlUMIgy2ron1AiYZ/ADo5iKAvdfEZopgwFVYHd
tVFFmjwACC2vhnoKLYZczLAhwU2KMKuDGlYf+B+YWQz88LFnEAVUKgAW6AXZ
GoDNk/qRqsbHprv5jE8WcgBCKsAxQTeHQAvJyID2A3O/qIMMTBqsJVHgWlUO
XRNGV0vcMoEeBN5CN0Yt2dlkJ2W5H8ckLyMyMKFy5+2BEArnbiicvhsKf/t/
cQ7/feIcEnJCJT40MwVzBpSZQFgUZZxBWWuAdiG0YShqLUwzH4p/DvkMEyYC
zZcK0g0sJKVbWxj4RQ2UJS9qqf8D70ux4D9+jo9nj0b3R0GSks82I4O+4KCL
MAVnAnFBVc9bSP0WJl/TZqWCjU6uLj+v0wrqgV/GUNPiLKTha9jxpMJAqBXm
fhhrKHtzhn/KnIphmUN1TlpiTUlcN3SXAbNJZSmmg/ad1TV4UwSbFTY1JCcY
BjRr8AzwYB82YO2TNgwTWyWQezRZBJFo7r2hP/T2ZS+rwFOgILVllNcwsVUD
pbWkYIGkhXCBPR2AK0PFi2F5+eBNYQOODvstDsG4oOP5Bd/rg5vh9KDf5Co0
55fAbHxP7nJouwG4PDYIcZECvaoAZmwFgy2uSuLhkFFgjOQsSoKQVMzIpwu7
FjZXm4YxPq0IClDaIgJHVehIAPxXlmnkgMb6zGs+kz925qLlmd+PDw8zkDey
zsoqDoKoSrDaGvYwJGVDcTd+mzUlqTewPehiFopxHBUQatDaFdTWts7rMFFQ
uuuCAjdg3xBuMlkSxgk8/uhJupOw3sI/lMdUqjfln0Pv9Z9A721vX4bew7gu
SnLlpHWb4XiqFhZy1OB99qpkaQC8jbISBhu0JCCxKnDaQHwYgXECPSWjq9wy
SRto07BqoHbK6YH2q8B/X9b1H0l1eVv98aRNk3Tw78z4P3LOool6cxpcDv8M
TlYIJ/M+nD27JmuK46QP1G5886HJt6IPp5NAr8vI2jmZmjIiZ/2Z33TO3278
GUdzS96VyW/jsp/cuEtndfRaukibDyo+cuy9ebPj4gCUQaALd+5shcThTNLh
EsOaCrUysI5mrj0uG6icQuLdTDpw+nDJaQmk7wNxyZH4B9Jpb5PdNqgj7k1N
aUAzTko2pSkpS9NJnX3dvSiVjymIXHIGhi0zbKZbn6OY1N0u79hNiepen9WR
NBrsylJQmfS1NKPj13cna39eC3vkCjJS+Pk1hc9zwQcOJv/lAqe23G42e83K
TMkXSrshYEpLgPqyG9mTkS9p5IC6xPNqPpst68tPZRJpQ2D/UF9O5AaW55QZ
yOB8TiCaX3RZgRfDsiMPnHw/Nt56+X73ueymhiPXIakpIe5k/iPXGKkp8WX5
I4yikPL3eEm7X7b7+ZLeoNwn4i4/suES46e7R0cmD8+AkIGsAKvTmU95fXVM
Q9LLPMRfxkO4VVF0gt7FzyH3W5ffJM2wDrhLtOQUUvQgHnPioLxESVn0JOEn
kf0M73N6oDzTuYgRJwPiGS3uQtL/OB9QntC/9CzivD/3WR1J4t8lTQlo0Zwx
Z/ad8KPLACsPQvMr/fvJ7K4XRO4TWHqBF8T9l+55AS1d0ZPV7rlg2xx/O/IC
Wv9lKDN+IjNm9DWnKYU0Y25+pX95xsJ9ghkBUL//0j0vJIircDAjRMbdv34x
++u339Nq6HDvUt4Ipads98t6ta0vVntqjQLGvTnfeSGd1KVAnBYTRub3y0iD
MYy7R/RG0nujjr0wdZ58MvvRC+l82IPA+ZWX0QJAW2BBR7widi0ERJoEPWJs
vHq8cLpT8lfMmvfHwBAh3pBEVD1GKGOE3RhScl1GpRo4IeHACb+MpUe++e3k
kgEdBc4DwNmLwt4b97yI4MF+Byalk8sjLyJ4KKYuopuLI0oQ5B+v8MfEvM/L
Xl6BirHs6Mjmpz4Dvdd7029ttludMLO+8qK0SzFl4pesNZIZ/RysA5KCErJ+
h6To6hZ4ziRvJxtmh2SDkzL2zhKCd2bl7mKwqfPtBto9NQpySiXTyqkwnZH1
37Mo2O6fs9OLsjS3m4s9w2RnNQXJMBqCdknfScYkZxtdy+d5u8/x1e/k9jfw
1h818+tYK37DG7Hze6iZrctaQ84E7xjrPU3pHVtl5P1xMVvi5QV/8S8Qr0cO
m73L38SaycpcxB6Iw+5fpcJ06XfOP0/sFylz2P7qEuax3TNZDTFZM1KqZyM2
K6PdM6OlE6NZ/mPESMRcdg5OCebw3PCbK1bqO4SY692mR8yChY5liAvmwPKE
0iyvAmHAPQ6FeShj05njSBhsxxCIHwTjlyIjPSZYCvPfMUuBbGFWLKyQMulf
CSue5CEfTuP9UGkfofqAoZjihfsXW0X1G7ar0kk5nyYtJmdxO3uSaW5p1amB
bwYb91wlImb6/VSKwJHmtRso4SYX0nO18U7v5qRms+Mu77O/M2qPNGRGIDGb
rLsbcGEqpSj5/8zJJf3fAQH3+JlmC11hQ1t5UvRPWv6PbCj0T8ywYd7RiPk4
GAwm82pUEvABl/OjLl/qms4mtF7JXv8FGHX+8xkV4ftx0YfHtdCwnE7MjYVh
dowgD0x7uFfMSxzeVwnvMy78CrN/v9U2i5W8F8DwV0ck8O2PVuhTG6+FrkVI
Xz8oSZHofU6sUn941CnvEwq17PeUCi/t9qYPgGNuhD9D6aZmJlTv/BcqNXFs
le/5L7b0BL1mZD6E/iM9TsndZ6jtoVXR56yJ8lfhzPlv8iOjk/Mq8NVs8N/k
R+ASdcIfzeWro1t8BEZSE+/98ec6JMFQZ/zLfM5qrCyXEM2Q8p2u0EiddlVG
Xv0MBZGZe6djxt2vpEG+8ixTv9DMOjUP8O/PdSTFP/Tv2izIO7af8CBFN2rC
DFskUWznoa86aUTSqU5YGK123z3V31Gph54wYhU307IoccyLQMuiyPBlLTtY
Anz39EgLprj7c0J/ju2fsSfWhAh754R3cjYLyhFaALZ3WGTNZnpeaiIearGk
H4U/k7ATueTsih+ybBKRYvcloqi3NdoHC5++ucaP4/645nGiH09snGVSqv8+
sXP+e9ZJKIIEf9qJqQ8dpj7gf8SVohk3pLmGAz6P8Eb8XvkgNZQX1uUs4b8l
czQ8LiLyjw8zD8MQxf3w4wE+8UqUWcHHCybi6HiAh8wtrvQTMD3iFfzrleMf
uArNA+FVgpxXpArnQ15TOPQeEV0Io+gUtNBoaEylwRBbr26NqwkjSn4driZ4
I/8DcVUv4b81riaEq/kAJYOjvouMvGZ12PNmTeCoIGUfS40862yXC5FnfSxO
+1icDbE4N58YNC6cSa1Z1U3yilFT8/dQ43GoRxVEJlXmlbhdHJHGVBHEo9ES
hy7MeH3Silhm6VWGssogHyyzGA4c+oYCfxQzipYddtOwhynUE1kKlIWHYhkd
oE0SUIdos19DcNJfok5Pw9/jL3Fm8AbOklG9qgO+kjP7XucqcWscvrOrhIcJ
l2BP9kbDYVXTfhNzuSEFgjY33Wl0bpWd08JQ3uj639XTzQCu9Z50ELi192Rc
Xe/xiCPMhCd8xTWZWBOqxRn9F6r5dFtfS19vZpT+md3tVtkKpNCi+9qwRtcd
86G86jjCtcIEHPc7fyndYZhh5bpBXvaltN6lmdc4deQJe8svpXKefrSsxX/d
24P8Zc5w0eXTPjHrE4eP8Y7jOVhXYZ907nC/7w6vQ8erbt7qTWod7uQwNnN/
zB54PLg0hxKExnm+vCTtuA60N77jxifaHT92hQfmeuNRO3LKJ33XTagd1KEA
fCa1c7WjejETx7T2OYtHv2NXJ/T1ifncfnwlvvpAe7X1r6H2TVlxdgUYs57f
OZSvjrQZUgw9R+T6wTb/8e1T41H+kJvAdz5kMQZ27BGiWmBiB3S1wYjTGp4p
FSqFYUrXjqX1nDjcgi9HZ0SmxEG7q9Lp6115e3Sv278t3Zhu18P+fIdKdz2T
YfvlqnhJNJ6iVvFda1dyIHEJxor+fLHWDFJ5tymMJZe0j7p2H/j8uqpd5EAb
V+0Sj5MLuqG76YLLoc6aVdtCWVrvnQ4jYMNSmvXwNXi/RjHv3/bCM10bhjN2
JXdNFx5Cm3LPOvlUJb355Rpk0UCsUsvohlylLp8m5szIw8417lbHHSGkhlqv
sp0bfIpRKaCUh6X4zcZ2QVPlDsuU8l/cArIRrbSDjGkautrP1LqsTruL+n57
QinhSH1waUXsRNTtAA9XYfPkPE0/Vy4Xv9rSJNJd0rYQeG3qQHZ7ls2+Xp2e
Aue81dmZaqhnCuToGb1B1xHsAYVigSMrt2Di3N6BW2fLI/um9I/2LDoT8UiX
+83aXbnpQk6W1Xg34h9lKgCmtRen4yYk/W6ntqfObjboYPPt2p6Nhj/Je9Ow
cKE3b9q20DttCUhudQOFbsler67eXd2geTg0wXp02QRWNXloO8CJggNkKlOI
tVsMaU4X0hP86ef3gtQ2IqKmD8zsuNY1F0lfc/PzMZi6NuhLoBh1phVALbxK
1SX5cAkdT1dnGvCEGtROQ5fY07Ow3JfRv/OJv38X6MJ+HlDh8MIvdhe8xGbD
5WGlPO2ozjEdNnV6pf413Cuc9cJr+Zbte9SvCCv14nc2DPyuoeR/LGb/tpj9
eERn/2JzRsHnanOxO3Auzqg7MBNdmXCKN8BK+wf4AMzTf6P/OfrUm/XK5nYL
6rMRu57PZCQqHX2Mb7/f2Jr3IwZGLRJuXDpZ0CbarT/Lmu59hHF9zONeNvzk
6LgPqY/wEf7/x48YWF+V9aZalev3AqmPCEYf/RzSDPJjdHuIOet6O6DdsIU+
xAazCKwYTrTsq7X+kR//HPWAOLDb3nxorRi5wnKMi7m4N7g/dQ7Vnwq4Q+F7
8yGVsjVdcfjV34bEsrqNhedad0TIztSuKUNBkKaUZb82pcz9m7m3Hszg6ihM
q4dMR2lAwbuTht1fPpj/ctRz8WgY3Nqqet7t5fbX0wOk6O5DxvKcAewZXd9a
ZN2sB501n4hjMb/uXsL4cegGZBDmFBzZ+xHH83PdYDcZfaFzwU6Iau0sx5T5
62ZNpfDvkM3XebL4UM6P2JNhglE4jiaghJLlV8MbGG0PCSzlDW2KhcYUS+xN
OwhH4qJO9JqEmlzzqpHX5E5frK2vBhbshzyflGO+bBxLz1hsa/dFNsy+0s/5
g74h+Akv47oPyLBrtCvruomi7jvNJtgklEFsREHE3zfaSHQiEAZ2ZvNzrL1f
nRf4xMJK3jCxBu4bgfOG2Jn8XjKKU5h4LxPXWaC9cz/XsbumufPi0c/z+blF
VbkVku/o30Pj0wqvHSWnUUI7Crnuis4BSI66cOBPxDg6osxxKZJtzZdGrleR
fXAmmouN6xNyM7hxXHutYq32OyZN9uJdhmuN4kNHyoczHQxnsV/jvEYOesje
vquwg8wF30TpJ6F2mobssQy7RxHfN5nAuWBiaiyew6zpnb9owumm561xLJoG
XsjAK8bA49gy17FJxj7Hl7meTQJeaDwNBnjh9cCLwp7vNoomJrchac7JcSja
5bpzchAPD9Y6Go0nVyR/tZOjC74LORRtNva7WqeD/pSDYayHg8HjRcRwVDxw
ZnTwftDzV0T5pI8jEh9HfORFhRPQYoQQqS1dYItu4KWFs1EA3KfvRwXoz/N2
SgC7A7qQGKzRaR76kyOcf3KkszcMShvrNr+NIqcNbPtR1IGOoqZO8RJA7a5Z
elz2utD9ZgLp2R9sOv/1GgNoVdUFi8deYRH5V+wb7tqcCNycF7jzo9pizIsz
TH//0RdxFvnSNfWWmow795+py7jzTmszopFQAbw0PrIh1sEgxNrVP+aXj2lh
j2l2+unq8cjlcliJCw2pYxBSpx83rLPIo7UEYLP6wXrBY1a5H68187VsV9zD
j2nrj1nduDJDLukjVjmuGv3oEx5HJBqN0NjYF/mNg0Q+o9+WutvSmvsudZ1c
tOYvvVxU5zz3WbVwONda3OFHrDrwSuV5oxu3sEpwZd+ng9XP6WLJvn/VvR9N
cBVBh46v2LuLuVz7s0oXH7I1pNny+7I0hlcmh1lMrG9U/lgrw+7+La0MalL7
Z9sY0jr3FqELWpa9jVnQu+QxgbfTFzcsJXv3PP27m9jaFG72g7EPdHSu1faz
g9r+QN/v1PjlUOEfavzjm5x1/9Wxzj+86el0/hu1/tGF0HCyG/X+cKD3W0XI
qsI9kOhnI92+v+ahdm+u6SOKsOtpio7GHRmNW7BJZ3n0bvRnU3P09fbxKJlR
k5dyueUAaawkL4OxlsxXSd2d/YVcIvXv1n0diOX31MowmDAIwpFOq8PFJtVK
q9OqcFqtHEQyW7UydNTKcFqt5LCz0R3ZIbUyTCfVSnt11otCu16tZE48UCrf
G69353gbbv+26iQ+u1aZjN/qWv55t+z/BKVL2HvHoW+4pjokkkRjYpJa6xv8
y8ayW9GVYv6VQlZFGWJiWWvfyxW/fWWY8+V90bUomBff6EwJHvD+Wj8ruvfu
C1sTb4j7DPoQscreozXzPvdRPMqYwMyjsJ4rGt9GqcY8VKgDUzWXA4vlt7Lu
GTOeJmZecnm/c3px/GwxnFXzkdgomvQl8ZIrXi3NsOQZOMaHn13dFxdALME9
9tmSZwhjqx6uORagEeLvr05M/f4zJmr3EW02tIFVS+PMI+v96r4RpZIdEzmx
wrGGXBSY9+hfSd0TW5xXd5+11/uNThHr6a9kj8txCY+8bzVYMsoFqPovVicl
m/uq++bqvtViyaS+6r65cr7JHTZGH/B4/CnecpjZqDeX3Ir2VDvjb9eMgeNo
fz+bs0FFTkrWKD7KMKYbdc8HRkHe6RdYZ5XQxsE63DirIavzJFpBOu3VMMXk
LldDZXfKQWJXeNpc1FhWvdntb88ddQDyn8cY912naNP083ba77UO9uuDom6v
CL+bHqwt1YajVtJJx/khpzm1xut5zk2+sOXu+UiZ1rpwI8olOxOHmvXsYwlJ
8rt04TWvrvNH85df9RRVYZyRVb6pc98n9sVBZrF58Wuj1Flt+uueEh5PKeE3
fWYV8WRKEXe/jvpfTyvj6UAZz6aU8Z4ank+p4QMFvJhSwMeq9y+O0swhTyPV
+3qlu/d9MKV0307dFue4o26zcjytbsd9dTuZULfTKXU7e3d1O++5gL6WbOh3
07/FvX1b/Zv93tfp35HNipS4tGjKIdPXx6+TYfYSdCDDOL7+n0GGube0v1+G
ad/vHyrFdGrCP6EUG9wS3yjI3vam+OCAJo/uNuHC198cv+2tcU8aJr9XGt7o
WnIEpJaGyQFp2LmQrDT0h9IwuK00DN9NGka/SxrG70UaJgNp6CSld1fS9jo6
60vCTlayDMyHfw0m5eT4Grp/BU1ycXwFPb5+/sW5OGbDbXT9fNPVc2+EcHT1
HDq5Jyz64gnRZ8unuKLPOtV+z9Vz9vuvnvPR1XMxunomATm4eo6C33/17Fz+
htff/g6vnpP3cfWc9pSWKJuY3Aavu1fPxSGl5car59gfKC1xMK203OIuOg7f
5i46jiaVlu4uOo77Skuc3KC0zD7ftGVNOkR9qiBIKDx7XOaX/7as9asTxX5F
v7BfUdzohm5Rbb5gr9CZ6y50x/pt4ZXNGR0tiXHqPE8Br6dXS10Pqzql2NZm
c7bZngMPzqAkrESE91uIe7tzim69OJ/Vk7ujPb15du/zL772oaPg5wdfPw0C
/unekyDDD3zxS/dS3ps3dttmDL7/7WUWWJ1ILpNHa6RA1pKDjscrMplZjaLm
1pWEYd+7aLabtXz4BNrHZqvs4kxoramFPAqjd6OxJaZcTmMQe+1t1TnUMawa
c5Y7uTnfmUv1kb7kBIH2+sB7Y/Xp09mOE8UmeoUz/E3puma1qy92O1FnvenI
zWPv7xSRrDdCWOQum4LlRx3RF9i5YpTgxNGrGegHAOSEBSiiGw6D3gAn58TP
iNw4fVN+PhpFLtt0BR1AKmf8YLup1Hp1seuftlxfGh3UIx0UxAhd+xx6jWi9
VbnDYc1BJI9MJursEWsA4prjFNNjb26iwGm2LpXNBE70s1Jm928mruOjkWbd
mk3MLzst+nKoRevVd7p0efANivRgu+COMEvqnfqIBZXZKR4RtCFt6CzdpF0a
5KjnNy9liKUewusyg8our+OmgxoRIx2RRifR6b13gOUIlBh5dE9vIPqky/ub
sDVMxqSeW1gPFaFxIP5dL3PQVmS5xgoJTHDmI3OFx5EP0VFPvmOD+uysLXLg
w/Dgh86B/cJSkWM0HNRa8+C/sPLgPG44wfkXDoqow94nV2u2fn656n9CMHUE
2i8E718Ilr8QxH+xoREH0MKRKB2K0LnR/z85mggcwB/Cf7pTDQ+e560Ph+5E
DOiXV2svGgDVwvQmkMI037GvobeLET3Np6noyCPRJqJkuzpTS6kTsLuoTrYb
SO8vQy1n7XxdMUyZUKKUKGnip+c4XmztiWE0+olmoFYT8RyHxe0omwX1cyO3
n5u3n5+EQJo/BhtWGhs6QBCDtOrVNG4sgySIwihLwzCk1pdxmCWdXUfjYYAO
EH09zxuh0cR/H2rdYOlfNqEf+PIf/6/L+Y0+YvO2F+AmxPSXnewe4oioEja5
iN7G7vdUSgK/L8hvdC7KAaUT0p8/7gbb6Qw1r5+hNqhOFxjsfyJOEGJ2Qvly
NxBp2+aJJDtH8udwvo90YDtbEHRZuNclP9nMYINeXBT8gKfY69tV/Qm/UfTH
kJzk2XfmwRO3ksd3Jun1GXTC8/1OhJY9OslsY0i9+ZAf48l0ums/IXWnhzM1
s/VAPU1d0huvy+0ku+HBSrKxfrTvHy4bXJ5TXu6r5vXy16VNzFU63tPS9obp
gHV/zLXdgCXQykYTmELB40nmpsSvZuU77B0wvLs9uWAt4w5+sWVLWJeqSOOE
BXV8ArTWmlr4cxJKDSp+/S7Pd8/UJrFCxJaUEwS++pmtdPbFUBlBqc0JRYIq
pDTPf5XKupj77oIGo6opz+v99rPg6A7T3gm+Pi3PqqacXd6ZPYBCxkM9mN+l
rHP6nX+7d8Rvv+je/vHObDl/MOcmIlL29sGcm7zf5YhG/QsVx5VPP6TKq/fv
UMp+twjYJqtT1utptVyJZXtFd2CcX7ja018eHANb5jIIPpp9Zr/nR69frGCe
UTGVO5aZcK2453UpCc5YC16GzvtgvqQfju54fe7y+XZFhWOAC8HwTzMp7/sv
nX7s/p1qrM5lIjagH8z9weC86A2lS16og7OG41mXo3LCBFRTbvi6Bb14DwuK
3n5B/Uo1o1VRhmZXacCu8V0WF48Xd3c/g7Dc7dkA27RyZlzvdi5Vn29cn1MF
wa5tRiVGnOdLjVJ/AVjDo6m1ay4q79m/EtJ+QlfBxvfR52GDErbgWFRo8vdx
rFHhIuZRTqnZf0pORVVhNafSwH16/P9dXv4PfPbgf/3vIbDt+T/ZnF6RdU3X
PARWvmZ6YLnb5aXL0S4vNT/rvpeFncy5nPlwfeYAP+vxoffMdHB0fKWxXt4O
RzWGvhOrwVz/wle2k3PoDTDrWAbvxjsElEvZ1GrLl2wr8qHJwUzyhvkJfSDb
OsZGnc/m78YksIp7xKJ+nEk997dgAPKdQII/fl+kPkrhld9+H7H36jkJpbuV
kqYp/baEHiYJEXpx5BIq3SPPH2ig/CHE8ePs7ALsvILS9YeRxa1OkJ39zN9W
u5/0PI4LVHeio5cO1QPWVQ6W5xfbc/KG8oDdCOYUpWwwl72QUgVcFmG38AYZ
FoPkbloZPSrkUZAeLbzz0wuyVHXbj0GNhq4YDDuwqRLIziY/sDVM5UUuMATX
urN1FxakjekiYGunao0DFqfUV+eY08V6nTKVXUwdF1M2wXRTpQAlXuzy/VXt
PehrdG7sfx39zb2z/5X8qWCPl9xA43LEVg7ezAc3FIYc1IHU2HlJN/SGmfQA
6QZ2MCBNRMcUICVk4b88IE2Igq6GqG8M6kAPpYWaW3S4FxFxG7jrEFYq7Tso
bqgbdXA465xr+sn6JQzh15kN8LNF+lyv4a/Tp9jRrTnGAr8H6YFzlD/+tztI
fr0evR7q12v9ej+SZfx+ZIY3HziRLp/MMkKUIHWk0FtgS9xhS23KBNvU+tqE
vMQmlLo2FYbt5f6cC0BrjLLRbnMOktBPbQx3F0jKyKbv/HX3DFoEVRB1x7NJ
2vrL2FQlDvtfRvrLbs7CXGH3xmMP0q8TK4l6470w0o4Lqr6S+y5Ta3pEF5/3
5NT3MOWgxSyfvSjXkFCd2NJkst8Zgdv9iaPX+uLOlHsxlggVbAQpHBrdg/L0
eRFRju9dO2xwnBwDxM2FInfEMwVauLd5rRZU/OXl7Mvt6uREBPH91Xb1cvbt
yer01Uot/746OVVUSe3fLyr837L9RS6ay3O++CRStFK0upo9XoFc1ensWb3Z
749He3Ni7PjCqpPZx5zmvJi9wJqw3YWT8DxQPZzKWU6lf3aCU+05VdueYZ4U
qupKel1JtvPYS81sab97Xu/fP1d6d6b0qwRU35ol/Rcobb/oq8LSFIG5mAm+
q2NILXk0YFNMq5dULp490PjlV/CfX8X/TAKOzF2WY7/qv10yZ6JCw3vmRjWN
n7C3+YbS7FKZnV76d34Jfwv1n7lQO16RSu0yPLUSrIShsGStdIVHDm351Sy1
lnqXHc/5FabKrzZhWa9PXmRxvDfbqnVFy73lVvhyL19yKpzsMcgmOJKr8mM/
7o26o/gvV7vdLxORtEO9eBAlK/TgjOmNbulng0iJLlSDr5GqE4l53dmSBJ5D
EXQPPr/86TlGwr8cTUW/UXQefgVkHoEOvuV4iH6FQGaVdH11da74shy8Y8f2
+8p0kFOXe7UmvupJmVsOvDC245s3d58GkQ65ONsw0dk6vWMG0plv0/xj3c32
FjwkpGLfQ3jeTtvhutwTbEN4vNTdvqm69vmYuN9CnXgeuKW1OQjheei54W2m
tLbJNJEEMTcXjOyG9NhJRvmXYeldkhp3rKrV4b/SBgfdAtFF5WxPPPGVqjl2
5c2H9Kv+bfrqp/e+rULKl55TEQ4ma7P32TC26LUyjSxLIgZT1bDR5T1WO698
Va5OOVSL1Y3pAqb3aSXORKN5qMjqTpjrzlzWdy16HP+LqXVoTfmF4Bv36qFV
rIHHXV5pudOVREz5SGmQY0tn6oqIDCOJmrITMB2udv2ilAuOKnJ3omH/wu2X
c7aDZnKxmH3nL7iqoi5s6IlPSV/6PhEr/a+Pnn0/e7IMk1SSCp7gp5+e/+Px
F3eePby75F+ePfv73356/vTbn54zFXuy3BkQjF523+VX8eZzr8EKZ/zOd3/7
2z+WP/jB8vNnfrgkYC0Pf+Zh6fKd9+T4Uo8Q1kESRn4Vpk1Vp21dlFHmJ0GQ
5HWRVFmRJqkKsjIoi9CvgiAq4ros3CvmOo7DOGsiFWPUKz1qXmZlFhd5UtdJ
nWVp3bQqroI2KPI8LjI/TqIiCFXRRJg9r/3Ur1RROqNWSR1HKo+DxLv4X/7/
llHLJonisE7TMm0av2393G/aoCl9VQa1H1dFqvwo8psmL2I/jdNEqap014pd
hUmQ+H6BUQM9KqbHIHEUYoQmbVNVZn6pcj+IfPwQJEFexVGeRVXd5Ilflm3p
l4Xr9gpDX4VKlUnpfecLYLHWKo3xdYg/NlHbhnmUBFhy1AIMRRI1ftGWTZRk
RRLEAGydNGncRu5aoyLNiihuEhr1SkZt6rpKkjxPo9yPyzzHulsMGidJFqR1
HqW1anGaKgn9IinipmmiqMmdUZM6SROsoAq87wKz1iSoa5VSA+ymyMIyVXiQ
BlEUt34b51kCpKiDugmbKIxwJGGbxypy4dqUWVPkvmoTGlWvtYqTJiijtPH9
simwJlVnOWCS+mXcqDgIiiBrK5XVeVgDrQrMmxaFM6pKyqDCYZe1g7oAbO2g
r19VeZVncZ4kSVCWwJkmwbL9AlCIE7+Ki7BVwJsWWyyCNMmzLGnKHvqWUZTn
pd866AvkCyqcURYFZQhMpq72tV+1fl03CnAATII2j2Icjx/XOZ2EylyAtG0D
qgiB4i76ggayNlRlWFFnbtBGmJZ17EcBTqqt0rzKWqBsjr80ZRqooo2Unzmj
lkmUAZ/KNnDQN8oKrDGPogoLVGmbVU1d+rkKVB7VGXUlL2iHZRVFSRKHoD3V
1I0zalrUqlAxaMdB3yQMirIBKak2quu4qLIgDuJEFUEVtlmjgGg+0XhTZyA1
kHiIf1yiiDLgU15Xce6gL7DdD+JYUf91v6wrYESVhnEd+hFwskhr/H+QNX6V
BnUIvhIlceS7cMVbQVNEqm4d9PWBzhlmUm2Ns26jos2iHKCgJu5BE2VJ2aR5
BNjmZY6Z/Shs29R3cSAtlAKJJ62DvkkOjAybsAqxjKwlvIqps3vug4AAVxCY
qlRaQhDnceVTB3gFHuiwhSTMAnyUqgH6AqZ+EIJo0ywvHFxOEx/nVOct8IPe
icMyaVofBwfOGau6TKu2xUb9tqhTYttpHgQucaeALKDb5L6Dy3XZxHFDdIcF
ZmXbxr4flnmjwjzDYvJS+XEeVglYXgj2GIKgMr+HH01bVElal5GDyz64V9EE
YVIWcZY1SVK3BcAU+EnlqyoqQUFhApZQVG2eBTnYph80qcuIghZcMArC2sFl
0EBSZFGWRUVYN1EcFE3e1nXWZGnqF3EOSDOmgEXnVVVTT/Ioqp1RiwZ4m4Kh
Vy4rDkATbQhRpqo89zOiZRxXplICVuwXTVkXWQ3s8cH2gIO5gnRx6Q6In4FE
ytDB5bj9/9l7l2XNbi0775Um7sADyB0r5GBDbQWufdkNv76/sVglAgzykFVR
hyWG80gKMTP3/v+1gHkZY14dp2eTw8KWdbSEFyyIw+aYfcZ0Bucywrh3yvzY
ST3nWz7Qxh1mm9iIX2S5rB55tYyep+l48hWTnw3xbVw23qNsnNGO3jxvihdE
xM4tA5zZ8CWunG9TXLj8lodvLmws8kCr8uSz1mhte45xdbxGya7XHrxLa9q+
zzVyD3jXfNoty//T+fo//ue/9X/Xx/6bf/dPf8ClVhEtdXt7S4iQR9R5R3y9
HzJOq1ZM70C6OBLsXO91WKnp9sRhzZy6jbQutWr18JuYhG7Fc5TeLR8Rg4Fm
5xVmx1Pj6sLB66C5FU8K5rl9ph9nhOnb7SICUo3jihkrhtvZaJnpV3Fgwe+F
QA3AQ8weTxmWB10BeG5RzTxVtdTcjXBKHsP8wkg1wBsP57Z5hB3/W0c/mNwx
Vt8JNxw6mAKH4NxjzMd2A5AUwqVWOJfOcfmAzC90/gRkzBr2CVkpe8ulzIGe
TVQ988Aj7XN/6lhYN8x0e1wEn5o5qwMuBNjV5bHDXCGGIp4+UN8MCOGTUd4+
MJXnjDbuE/BSkeQfhBMdhhUklDBMuLMt+zddPAVAF0BzExCRHDi1JdCf9xy/
q/7+1NLixkiWG+EctMziwXs0jKEfWBaEYTk+H/AImhqIRgu+ugTG5m/maPtW
ViugEuDROY+LSM7/j/5v/d9tr/5d//vxAf8/+4DbRiY8l8fFnGITlLQqXgFL
VEG+a0gfwEfZz7QByhmP1EMd6cbqsU0YzJjpspGof0PD+4JAbHBz8AvEkWAR
KeQ6PzJZ0ERLa7VcwXUYvBskeLBOLAmUedlI9FBqmsG30JiOD81hVFAIfhvC
iU11wMvqCjaCH3WoF8jsgR6dd8Ix39Ajbu/6Acd7ADrkL2W0sjTDQjjvLKTx
PV3Hi4JsOqAGwHzDJOgxnyEkedlI3Mtolb8TVmqguegCcAw0lSZkEu7iD++Y
osmWT45jYywedw5LFje/beQYsbsNRDwJ7H1c5j+bnpePHw4SXzBKawiVgRJg
XqOeB0a7gZc/ESh42ciOndoh7uzrCVA00Gc4vOjBmnNhBRANlDxj+rpwCAnb
3M59W90DAGfCWt82MoNHFQ7oYEiwTXWGzT/O8YwdgePUygLGQXvGbuB/XKq/
LS+MwFversZfhjP8bhzlv/33PxtH+W///d8VR9Gv/WYcRTB39r48KhJGahO3
z99NV6G2eNuyy/BQXbjuChCUBExNDxHlPBe+Y7k7jlIGqoPvQP42esIf24CM
b4AyouVQwtyQ2yivGEdtBVB6g0zu3S30Dxf5iwah0AteD0E+kPYGHwS0z1lX
HKeISm7cqkMIkEuLqyjIkm4iemIFT4BvIUz/lBP46Z9yAr8bRTgznLQKwl/X
3JGfh5c3PnPh1WtPBclOHtYENXce0mB+tFtIB/79g2t3EAy6vxxIaAr6+xzT
aACkBOJ2YDToFujNuIsOhxC+jN6dfqPugm6AnypY/pfLg0mAxDtPWHLYYJbs
2zAuETwHh/YQB/GvjjLF0iCqGWB7A6QF4ccs7FTvy/sPPIGf/ikn8Oc4NMYw
zpxL7KA4Awm6OHn0uUsC+KaNJMDEEKW8CtYybeyuu0W7bJwfdr7eNxl6h1Mp
3BYE6iDMnwOzmMtuRQHIgtfBoy2D9kXFmHi6+3Qwyntzc+UG+wBFhDgdxVZz
xcF0dGP0AeVbOJkycLLbTeMrEpwFRUJlb1AKe4DWojH3Tf4HnsBP/5QT+Nsx
yODhbt4sB+fHhvgjyy7CRCIED/5dMJSQlgqjj6uX8hHGm+v12flBJ1p52fZV
nYIdgKbFhW+04OwzUbZ4uBT+eeyBFw6NL8Q3joIrvy0b4AfvCma5AzNoKeCt
g8/mgsf20loPbuWwGmrfd+TR4WwgiJCLwidDAfUbxyAVFbHs4xKq/8gT+Omf
cgI/+NOPD/iLP+CyEED30ZHhA4MKbUJE1nY+A666YWdxoQOab9W3jnICqnoG
+d6RAEDM2D2tdodu4SG7TCvVd/AYiNlHHDVarXQHRjdVbwH9mNsC35hDmU9o
f4oNlH3Kjf5su+SViRltHb/OEHnAYdSDlhW0+vjhy4yLz6pVzsPkYa5P3SaE
cHq4LMR/5An89E85gX+tQPmXpGzAv/1MJvivX8jE94d/kJTl3++f/bNJ2d/9
td8kExvevN2AoG0wgu6kGu4VE76st8C9+AAuMx8tKhtguXCq92t3B+RSUhLq
vbJFUThfekj5QOpChztyiaveDsmmd8XqPCdUP3ADOQaOfjiDR+6+p5/gzhZ6
c4UnSABLDvz+1noAcLmP1YBoXrGvibtY+cD4W4oDUVJ02/VLHD1MGIoxXZ8r
7p1dAdLmBkPArvsWGgg2LQ4jlr1hiinBM+6QJ6+yGj4MB1UaSHIjipBOQArU
n5c8B0DUDi7vovtJoWA8GQ/XHP7xJOR0Zk7R1bqAX3vucNxAtMBR2YBZfsQH
JQF1VxGaBdY6oahqI2Q8b4JsxORMR85bXeGADZot27e9OeJV+ci9xY16WV5v
uM9IlaePG2R/bCHT7VE9/rSDs4OuTlh/RWvzWvxw6i6J/MPh9vA15itcoJix
kquhQb5w4L7VHsEJeYxSOLpVxjzQp8gxNTcFHOzJOyalt/OuMDHH2wEdypZk
AADLVChk2twjhRXvpLI1JG6eqRAKNzcTeLeAOkELVdyvwhJLwELAUOr2pw9L
NxAJHXNkIN9V++Y0uUMDKZwGcWixctU7ZT76rCvcAE8MgjVzAHVdCWftHr+w
65y7OZBtyOfAKCysAboAHtXH5se2kO7j0Y82+P6APAYLTQl75DqYTjpncczf
pZOKriPP6cTYS3JNeawltM/J53BA0ABwUApQya+cEmi5P237K7pgaHzkNstZ
yObBcmZMbocYYEdnPtk65OBWX1QPqYKw8y1cbE6y7JDn47rzKmrgICBtBa6f
ko9C70+ew8Bb0yFbDQHr6ALfq+C96PPcS/+QVy7p3HQ0QczNwzEGCO3YSK4j
VphyN3nS1tGa6bJ0q2z+CVPm7KEbp69S4lxhhINvAAqi+RkhXauuBSssCSOu
PMulvjw6t1JRj8pLY/uPz8fFWkrHJpaxlHFLHFbDfSyf55h53sQyTQXacuKH
0555ZD5plo5b41l2P8VbdzbN39E8oGkKI7cYSt84Nq41AVlb7hiuONO2iCKh
CNG+u8JnjXWrb+kLS+iU509xx6GKm7RGRMYWdx1PC6HXL1x5ZUT4WJ9QHXM1
oKIWAyb58IOweJSxlqY0S0Y7eOxx5kST7nflrHowbAqeXfktvzFoi4+KqXlU
N4S1uJ9Y/a2+3CGXEApqEFLKI4YusOB4dxD/wvyvVMKo4PblPGrI+d25DSQb
nbUknVkt1Z0MGcHOzxmxlIg0fpxHOO5S37VbqNDJgcVAmNAPh2kHl1Q4co6o
ScTQT2AAzzGdyhnOY5Z9HCUpwV9jxXuFBRECHMCsed2C5+MvvS9j1D8ZUBhr
w4/xvbUYJrJlHrglQ7fwZWLUOcziekbR+MeuzO15KpnSygMrDVVSVUo+g6fZ
kGHMTLWDCd+4Ad3Ljfzg68CdL2W2RainN9VejTAUUlHxBO7OcTsF64hq9DkR
v/vOv0xx3pIy0BJeCrTk22yxoY/VRQgZEIOzuQtUOpI5avFczMk8lNL+6H5H
9nxtqQ1kpydQSIgn64R5plu+8UjSphQxH1va6HjLlnLEu+GQP28J+ktfWcy/
6rLHs2CWETIPY4U/Yvb54+yKss+QMPmd/8Y64YZDLNhh/4CdNCVqidcC7FVF
LhHPrygs5mUIcoHmZqyJu3QZj4WLx3XjI9D9GIG+C1X2qGgLHtnftVT+4FPb
uBmlXP0taVum2QWfaguYDaUTq+2BiR0bk4gbcXjzYqNcunz6WUgLTDh5mS4Q
iPKuWIuJR0RCJr+TSrYDVR5lYNiAa7d7Skcp5T3ARB6fXUdQ7IzLxPDnzOdD
nqtE/tJlfCDQui5+ky+c4yiT2niQlXB3a+PISxpoKnefawAjAHpuXQ57VrdV
qQesQ9ocx9oy0jiHDeh+xSE630Buly5vjNIBvGaMuYuHd+GhASknYny2Mjvz
pBl43wZCQ+kdYnfHDHjagoxhLniaIqDgcSVHQU7efI6iI0SY5vn7hZRw7uBo
jgJnUPFNAEe4kyltDruavEM7TvJ3pBL1YH1hPbeC4xWSvMcqYDeZ8IDeZCiC
bYyeBzv3EWueTy0QOhKWLdXDLGW+j6UDhMJB40EXwohLSl4VIAOQNFHx9ZiV
zmWqWqgCC2JYmG/eIoyGFzJlqVI9iiOjOTfhjNPMcHu2fq6NQakqrnRA5jBo
wCRMrqCvU7HViHhiUO71rdW7hbzy5YXLV5pduABwglsJKE/gKcLAjd4JvVYS
9tU7iEpCw9tpHmg04ALLpc0LO0QIBqRoWIFg7KRShftbjyov3MrddbwKlhEt
X20Jds7goZ6D0/Hm71ojXrMr5wYWqE58a+XsGvdTFc5KPDh2hAvAlIKiA3yq
9nqj3gV6gz44DYACrR1wOhYK5xyCahMqTmx4B72Jt1nB7vmGBeT6QLcHru24
p93WmLUKoi2QW4d07w6fUn0cWOE2K3ngUdAvGAoY3UenmlCsd2jQTPDql6ME
D+XLrOQu5lA3sBFPAA5HXCEF8LkOPcXF57qhnx2M32Ft0Ers4l13p1A1tt1E
gzJmLPLoYHRgA2BKmSQkZiakK1xmBeAHvJ+Gcwgd21XgwBxOBU5EfAb/iBUf
Axq6lVjIWxnk20nVdAD/HkfiF4zvjA5oHiB1cKlNsW4OSFar/Qgq/viAv/oD
Lh9RROexJcPBRU05Mhge7Msgf7O7ClRbppy9yI24aZnpqWuNoJPj5keBXVIl
BKwD+hm6KqfAYZXfarCDO9e14X3FgxmhIgObnEvwKCVADKSRJuBknOrBm6Bd
zGmYpjrzp2y7mslE8b1nNQilSqeFeXPIScUFsA3M2PJ3UUeFHYQ+PaQAq1XO
V5Q5A4wT3A/dalFFEBHIrRTvxIm4fkeB1tdRAORryoJiHlIDszon/GuNnwdx
Q13M3VGg5SEJaY8QM9gNADdOaKbU1o4KlczR23aYS2zJzArUeGzKbUt4VugI
uLqs4WHIHRoHHOXX48D+zwyJGRj7fPmI6HfmfzjeBF6OTgWy2F9QPVa/1QW8
qbi7vANY3ydBBWjjnfcL1XWISlQVW5KRnl9gB37g4zoq23BREdxz+Yi68XAL
ShUzsB37iGvEK82Gc0DOMmijOrhWAHLyDzjXWfJTfY6LzK7uEFUQBD2M8MFi
iChyhp+aJeSMW3c3jYwHWjXVh5Ex01h7N6YpeAj52GnzTavyWYc/DJDQTni3
fIeFS1f0NkHWww6Q+e9kTNlMCE/wqobNbcX987f+y7sa9G+0wnXMOoFDBfo7
IESKKmQLZeG+s9+pqX69t9EgGetJV50IUA3o08R992YORcwB9wS96UpK496Q
KNtXUcrvxZF/syjlNwPCf1yU8ru/9ptx5LXhUC3MGiy7Ab2aAB+FeSw2nCBK
Ad3papyBmBegGaLnnwwzqD3skwE0ALwGylIEAD5cIE/IOaKE1KAdN8rM4aCs
PSOXpUpMlyIG0zXFMLISAtDhg6mCZeKGfUQBy336QdHrEdDbvaF64B3FjyK8
agBVFTmAlvLv844jj6kg8vAQ1rRShYFmUCRMAaaBhDpb4rwRkgJS6WVlXnU/
vQXbJ3QRuIMRQeNyUcxySObDbDwI/ycAaTCxP/2nnPBP/ykn/LtRTrxSdabu
m12wUVCNWuAcUDvXanft+IF1AFz3yQenAOj17TbZQzieZwbEixMaBChgUjKY
DK4po6qArcIel3C5gLqDpWEPxvNDVkNWiR1+rJaIfS7GgeOYMBxngtNBc/WJ
S6lI0WFxAYo4VZUfxu4MoN/snNpTXwnGAB2/hKup4wUyAH+BZRiGWawXgUrC
19AI/AymBYFrBiNX3NI9hSzwtAq/B20GqFcZWDnslle1R8bUBDheOFygz5dw
/ZUn/NN/ygn/uRgc4j2x/fCK6rcyD350qVrD3QYn39HO2ZkHRruH+kRSe1Qb
lhcmv9EUrBsbfepqgmhbSc+g5IlcL47pNmMVchu4SwVxUGL8jYc3KiKDnkIl
QRTw46IKV8AUCupif1yXC2CgoPTSUKW4OrMK1smvNqfq7I4hPA3Ecy5Jq3H7
FQP4BXMEOIEjJnxurrgkqKqb6jQBbiA4eMamskrXnwYQfkv0+Ms1wMT8F28E
QEJdc8T+OAdOQvvLJWl/5Qn/9J9ywn+7CJGcANA5eXyWoNopE0uNGce1lBQx
8A6QtsHMbh1QffM1jNvGT4EpLrIEFXVnPg3Ts41Pkc/ZSqjzf/1y6wk8b26q
yuJg5Gz3URW9UMWf4yO+Vq/N351qEXK/joGcb0FIpVV119hIKWZuthkQ8XgX
E3av2EmYTdBrvM1r4sMiQpt8QyBG85bw1Z03ckrmcLsHpp++dA+EP7oMKH8C
z66Nnoo6ebqizZipbbYWXtxhFnFmiadQ39NtXv/CE/7pP+WEf8QvfnzAX/wB
lwWT7LfiS0dWS6/Kwit6mlNe9SN9Exe315i7ByxAwz+lfevX4AOUo8YELNWX
Aq7PKEkd6gsdmStGpbDwFneMe+Mr8YDgWAA5aFxhyLhWh8qr9z/25ZLLeyra
V1SJMV+n8tWRxLBnbwnEMgBpZpgX9aRVJR1MoF59k3fZ5RDNbQNzAtNdTW0S
5kGEa2M2PDw1f9UHfKuy1ZyFB9/frmwriRWXuQ39OLOpjXALteUS+JCv/kep
9Bsg/pUn/NN/ygn/qmgrefcvZJv/+oVsY9v+YdEWP3z/7J8t2vrdX/tNsm2G
+c2cIOA+Jm/BQqrLdlPJCmzMK9WCa5v1cNNV7eXcyk0Fq3GXJ8ej9t0hJwdO
hykk0D2kkitUk8xUZQKebODlkJCb1aXEvbVT1JrsA/xxtmlg87tIJHPQyhqv
mtxuQd4lKMmZ4S4TyBTPBk61slPJvsFM4xNTxKfmemqBgiqNxAv3uL/8z4Iz
qw8apNZqEBNVrR5ObrubCXnF1heQbCeA6SlVBcUOF3kljMCbx1orkYfgQ3zy
SqDDJhT4Uf/nLF2zPpYChNk4aHs6vPyEUuGbnSi8at2VnYeF980dcS8rwoFW
A2vzDtzC6KE+b9mClKCmBIDAH6M3INnd7rS1WQcVhxH9BGycBkyItfIz1nri
5bo/GbYXbLkKQi0h/mrqgEfGC3cM0DmIBheAJx9zJjWNOpABPPNkwP4M6DJ8
3sEPn7IsdUysgiw0EC9/moiPqpmudJQNDTNpbQAxgPAHLNMwE8Bl4HRT4uaU
tJOpo4YrzJ1/fPrPNtYh6gElyLGnUXubTmVRo25BrVR0rv4rJeeqhrKZT5oc
Uc1hddifU91A9yMgJVdk0tAOCM5SWRoY7YTqOLikISG2o+al7BjGcCpjKrVA
ReLu90GMWDFGQ4QjABNNGSQrziMVQKyI5ewd8+qOB5qpTG6gUU/oB8pZNTuk
O2Wt98T6jJD3M2TCwat0CGtN2BJHBflSleY8itJX1PLMmNTdB4dtG6527pNU
P51GKSDuLXqkdmAGVfiRGieaQ+o7c1RblZ4RJwJxLu4uOFANvlfbk1KKWGY3
Ty6gvjvuCb8uCRsMHJSlb3mJWQGcTd2Cpw8HLfMyDh6ePVX495YXiI4hQqVx
BTB3vgLBw4S4CgbvJagXK5USRsDjBA+E7o9D6aoxaq4gmi6Y6z56HIP9owku
5g+20GWIpa/GzSRThhZoLp+YsVfokib3QFxd3YM3qfcz542VKQB5FEnphQw8
dshtiOZS6ipp64bJOlCBfTCaFsMzrAWJwZuVrYhfKk6zLBTbiY/ZtG1jpzWr
eMjC1+LqrLlmclhKU+CkQfCx4xWzrAtPeqc6DTNZDNaMc8SYqKW9L+Me1NYg
qhJUPorXbIHbPQs68zTHGTYPncDCB2wtVm/PMWp+zCavgYUMGCoVKR3cDw5i
9x6LxzJhK1tDutoMXkOdsNQ9ztsiWS9zZGx4nHCSxq+1zBla9xgWFfE22wNr
gVIVRAmultz0j4wvtWrgDdLMXSMnVsOf1NtsKqw+OC3UHJsZZSfd2VIpGCBo
RQXbIaaPQMFzsLxqKv7lOyoEZ6JDE47kWj5LtXqyv6gNFlMG9WzfWsTU2xrW
03rRR4ezjb1hYJCn2uQqVNSVbrMJrkkgn9narBxjyApkbTx7L1AsBAZbH747
wHaNnMA/j7KPkpVsQKVnV6EOJscMVHPmjF5cz6HhHAJ2KdUCPogNg3yf5FAE
GUGth8834SV+Pd1lvZBIAFNUreKZ2N+uo9xN0tebamOyi9y7bNv8uWY++vRM
SqjKyfCmsyUPdVYg2URP9zA8n+pLNJqrqGJfWhxQwnXbdoeRUsIK27z0dqlj
47m522yazMdWdCh7zaUqs4EaiytHbcq948k5lNE0cAzACW54W02xZV8XczxN
g1B4OiQKuIA5XsIcUVaiZJ7EwKQ48i06fr/lOU1fED5cagPM8jU/PWbT+wiq
UYWIqu6KFGGaT1+J1MgR6+LVMrF8m72o7gnE+hSogBBQx8TDFHXVLgN6LV65
NJ2j7aLSdD5DPd4hWzWU5L5urF9zVkFmCsev1qDvff+6ZfX3AqQcPu7cNloK
zqnuG0/U+MzKKfHwSA9/n/CyqUYssoZ9PZODFgegho+Wyswa8xQl2UmHjjrh
7nFUu58WQWo1lumVtbxlqcJ4SlT1XEBgLAM3sCXzsaHmVNJ7EM7CoZoALjgM
e4ERbYtHtQVYwOlDaiJW3x9k61YqLycWNkiiDCVl3ZduDWU5XPIJAjmZg0+u
yvpyg6r7ue2bw6BgMSQw4Bdw9RHMfmqVVGQLYsX/D9BlcdWpuXYqBo5/wac0
1ajIjwxhdJAHnOwWN6xR8pi3UZGdGTUeCB2dQ3iyqHMSOobGDeRDA9M8MOex
oZqQh8Xma3BEoFj1Eox+wgM9IVlI0FngymN5VofAKgyPQmH9/QBJLNRe+aqj
rpsT49PimVVvikagQV2uFdq5RFE4Rc4SWrI13gsLmZCquZWk3Q92VRMKWEoT
EmZT4hjXolKxG3qitNXvmj0gZ6rYPZuoKe6XXwPgOGcT6KgBCx5GmbExzzgB
l4Tj1V8BIQZAoyB74GOVf9gVzKssSzvgIUxox7uCgW/AlLmAGgAG0Te1KPaj
1obVHxta8PvQcvBXHmUpewYwAzuuqkLk5KH0SnvUnaKK03Vlt3VxsaQuTwe+
0Kw5eb6AnZlJHQ8icOi1w2BxkQPsC4Rdfj/AAIOEuODPwCrLDWdu1md4janS
H6+FY8TU4iGbeiswAby/2rGPClYB12d5bGBRln/bAz0NccYp8s0ILkrc4CcS
ag+YlWVA0lFszgKVQQZwnO7p3tT8Q8v8XceRLeO7V9N8vMeGYjJzwthonkNb
aJcQvxq4SnSWTS2ofeBg8lIBaUDyH4+H08FNyPAhbJguNdKE78swTb0ix+gm
pBKAM3fFgasG7q0S5M6WosN1rCjxVki2+r9f6F/wA/+Q4fhqD1GteVBe2kZT
N53GdHHjaaYAjOegsVSQmqewDuOP2DWVZ+C0A3Z1NDuKF+Vo0xcc7kSPYEoa
dwbDxZ7cF14xdpppKI4IqZuq8tD4shsSbxWwRo1lcE3d6xvYiHirBcJkI0Ub
Dl4U9jVAkBqGedsQd1bVABd8TgjIrmrosaW8EOwJb4k7wkCvCY9OwDo0MY8H
U2NIIFOQjF6hGMgt0LQpBHlHEsAnxYHFsDD8G4a/4efwwZi+HoHDZTgkaYHz
5hB4H949U7qwvclxCbsrX769gB7WNQ+NxFldHT4wnVYBcHAPvo0zuE/yY4gF
q6U6cRXO4Bnxvq85j/j1qZmRKK9ytAAJFTgCW5YsLILtMWa9eaR7Y2hVGX1/
R/9wboJJAVAUJdrCnxOLhFUSTYMMdY0ZVRDQaRrVfPqosQCQCxWIcmlAR3Ac
9uA8kBins0FrYGeVnPFTBd4FC9hBHUHCN8hDhFzgwHHeQTr+lA9h/DD3sFpc
VO7IEwZ5qMYG/ucPfmx7p+YDkPlMat4a5eGm3k2eju/Y0EF1vsDmBfaeSEJ3
cFOoR+glQh7QH4eF8/KPnBAAonSoCR8EGHIaJrjfOtiiJMwUMO6mEWxYoAVX
0gGCXtNH/DHGCIIQ7Ojy8090q/l+AKHqHDxwB/zc3GWMJ5JQdYIT/oTIqwlT
ffCII25Mxc3qdTXJDM7Hh7Cbiplun1OOKwspcRx2BrPqOXw+bafSncrC5ywa
s6JuITibglT5SdZG6RrHb2qS4kbXKE3zfG5zrj5LPM4Sta0wnYhEYYBxDwtg
WFWCn5ImrFbVXkGfOMzbnE9AolLAmlzITS2ZCiQnIs8KWnmN+pkKyuw9uSMR
RoT/DnfgEc/ZARkxYDiXDS2GcP1Iav34gL/6Ax6qNR3+UMEJjC4kYmhSFvTb
5dJH2yo0/RkGFjH4quGjFh4Ts/FUXtlkoBDos456eulSLIvZqQY0GcAVjlQ1
Ogfb9cwNrQpVaepKhMwBbkP+ctPp8c1C5wU/gYeHduI5gsN5Rr43iqHA2PFD
OK8IUlWneNz1GXnJl6ulDNwMwdKQ26pBHQP45DpKiHfYqHYCvbbQTH22ynL/
8gFL6XwPIt4iS/BtTPrAnb3hKiBkBs+LTjeM5pnGxxuAPlX12fJrMJ1ugFTs
bIQY5dtCwPFUdIoT7wm3x9dByKrG/C4I/VJrnqkL01ex01EHjKI9V5EBqeoF
kefHk1TVFXMsj29u3jcAONgknK28Otc1vCoJT00qisJrwj520ADRffoIz9wb
sJdXUof7VaclZvmUXLObuUPOcC9dNy9TCY1YUOE889NUDyUB59XBzSFpttXg
gJDE1zdHdzLEAKdTi4YxYzIreMz74KtiVjhDdV/g+jggLPJqL8op3K9ireAF
iAo4Olmu2PgC6TAHgWohbtWvhaUwrKrAnkGW4ABTeaMPIEWNHUpBuarHN4M4
8RQi4VWj/zzOHgABysTLFU0n5Z8zqgE9b5o7FRDwB6RojGBRmuLgxvHCDqZj
HKirKXHqG/gWxT66El+oFljseciewEWaJpN90hxgQTO/n3CVA1bbUMzxCPNp
fnhVpu0UpewAAYCsCnqYOEDIJB+04tN3qc4dWMvWYFOvabDwUyUOVoZ9acIG
9P/AaFL8xqhPNP0Zp6+ZGdCxIf6kBsw1RLPHeqhW1ejUUU0903HCBzgplOHU
bpJElayfrPYf7j3yzAd/f38H7tepoi9oAntWfQuCFzp4ekEcNMDUTtXcxKDC
Qwhu309HsfNhp6yBkFtx4gT4aMeZv4qhfy8/+5vF0L+ZaP3jYujf/bXfzs86
kIbqwLdTWmgWzfNWy/dWJLci/lAtDeA+8Palcsk6nnwbXEM1ZhgXy2gDqjqc
usE9ZKdEdXGbwpuqw+TGvhG1Lzjc22vqkl9RixCKCi+Be/ZYboOeH4w6KEkd
UJErQNjmARIaMogCogXRbzV7dMAbr/MMPEHg9lGLLFgfB1O7pr0v0bdmka8+
cQw1oTZMrZo6ubj4DMTHYGQIEU84AH1K+k3l/tybn40tlrOz71EdY01Fhr4g
Uny9OqAPkN6GT5B3aDnsKDxd2iNmMc6lbtPeKuITpmYQqqVeiSfTMoAifqpx
kIZ5VJvs/ZZoBcZDqoxdXs3Z6LnHexzh/8bX/dPf4br/QcJuajqCxnn2BHCJ
k+cssMyuHJcbzdrGkHBootMJmKTk8X2waVs7onJVzEazMODxB29czzftr25o
zTdNTo1Hy8Kvyj5bq5o9Cb9VT/bcOesDWn/0KKRiW7kVh1yECe/DH/kJLzMl
VaaTh1JudPE4nPrq68ngAH/y/OJ/o0N6i7IcqUTNLoTmanJMH6IkSUkFVTFM
92RCIxRW4Si4J/ROHawc23jrHLS5oKb980AUTT6D/IUV0aQmN/clux3OToZ5
K+6t7PkTx01fcQHEeXMBXGP+ZrYiEz1ALPMZRTg1ZQ0qGIC6vZ4h5BBUXIcm
84Ba1Q2paKayRD/9Ha77p7/Ddf/ZDM6YKLtXLZXmDhc3wACaxF63RnTx4Zyz
R2BWOQqGTzVp3aKg1NEwwPPUcg5lGg/PDK1ODs0HEICQTohBg0OwlwoUPQ3l
Qn572+DDuW2E4MzWbM7XOWl8CTgva8jGqpxv1WD8hlWDx/sB9mxfcKU57E1Z
6W0f9whi3EcZLu4y62l4b18MsBnU6wYyUfkFBxCr71VB6Sevqv5cVSAYVhN9
UC42YuHe4iEAILqDqigF7feu6t/S1Gg/ge2qE19tbaWKQYMTbZnuRmD7+KQm
cVXwIbEgTTyR7rPLHGviwsnmvnIUKBGH2VJ5UvVJk+Xj0gALdRypDiMkbXL5
6e9w3T/9Ha777xfSN9fVQepihVzkqYhr77B3zaNJCQAgA21bsy6OYnJh5WdZ
QlP3UM6aMQ7PARG1APFWcj5NPmVoKpsGioU4MnQcF64A4I0UNFfHPBe+hkB+
ValiiU9xoK2UVQsTNBtOH2aSK5VuKYoAHEpRJq5pHs6ALMOF81Okkhz0A/Q3
PRePNOTjwXG5fiORoEUadDszLs6QOwylphbcbBnwUVtXTRtceKsrXzPC4gM+
TTNicCa8PDZXU8uGt7bmCRuXBC+c8K4ln6Y1Sip6A+Hcpj70OYMKmqBlki9c
r4bXw6SSxpgl7uI0lH2pvQnt5bMe+pTBUqM3FBDlspPhS8C7HR79/t/2un/6
O1z3jxjvjw/4iz/giRRUHP7G60xcVK/8h8ZtwuOSaVtMrhnbAy09Tf2QuMOT
/TPnzTsNaVfX8Y5djcOWNWhxYwMOfBCHauixtv3A03p2Gcf9uHeBY7lGzQDC
A/P16MXTCCsnWmvb3Svq5X1MZ0f0fakKv3o+QIsVfQY6qxRQXxLcw/xU2IbK
8xRY1KimhAQXXV/qzpqM39CwyViVlQKS6EeeSpWgmWC9qhCnqJAAYBVaembN
KvcLo9dQzoXZAn7xMP4b2FPDhFCPtocG2WMjRuCMV3p2SigkWTlgr6nxvM9W
MU3eHpKRARaacYOB1YCcNr9VIH3EN3zqvnVYTfXFbmrtkX2TIJ9Iwf+21/3T
3+G6/7VH49sLi3dz7ecY4C9//lUk8L/81//qf7tT45dfeQJ7+oU/7tf4o1/+
7f2na4dSgcD40V3zN3hLvG8p9/lzlrcX7Vrz/I0guroRH3a6nPNDsnkvDMCh
qby21RbhCcp0OO1g0zq3UmF/oYACVK+pGVGm8a99PHEdkO9SmOotTuPSay9D
BN+62gUB4nn2pf0KRRoUMphIneW9TUs86RN3W03tJSouv1IcLnyL4DTYArVa
kiIgfa2uVQWFtoP+lDJ5T00Q3QgvOv2McVrmk/fZ3Z0HQYkx9d9qG0HkE+Y4
GYwG1trwckX4VJQ51OMZprpStn86D7Jsg8XzbAdTI2fTUIRvUK7GjTSvaXfL
NMrVa+9pSr5+7cyNY11FkytvbrY0yqbVsK6ov+alOIVeejKF/7228mgAJbwJ
LDO1RjQCbFI5vqtW0VS4e+vvXg3OOfy9+aZoD+EuZ2sFWFexQ+UzR1R38sDW
bV5fe3YV1oDjKdN1nt0/qgIfULv2D0bN+hEjCq+8fFTqq6i4UzO7YJ4Fvgu0
7NnUeiaUtbBRfr+LzUbWTiaf7y5gNyo2Gh6cINGqIMxaBISVbmUPjJN2nDXo
3IoaK+lcNj3mfSCayLp0AfeMH+4YUYEo9gASPVqBW+c6s09MLueqZiDtqMAK
qaC3gVefqsPGLSDUEM17kvPUVKE0Mo+nOWsNmKlpGto2sVdxPniQKXB9Z434
sa9v/qlU2Np9mdwzo8epghLeYCoLlMXvQHoNXzqxqmVNU2FWBmQ3l1XPPFC7
Z2Ni0eoO2326e2dkH17TMOHS8jUKkZeqIp8ZtzafzDQ6yozITFgx4tI0kOjJ
WHI0K9ns985IGE/7Gme0YlDEQUW2FQMfVOSXVQQay1FvycGHTC2ZyndBSVza
/jp9vntJnC2n5gncqtewWJUYa32ti5AfZQvVbq3NDNrCrJ27igTcDudgS2Es
s/xafH93/2md3WmNMnd/4m4tKSmqccHWVKWFpVMdvbYRbZWz8dTm3wpAjZlQ
E8Aly14lkQPb69UShB02vC0+He3T+iCn3ELOPkETASQqYuVwnkiJejWsIpaX
LOfotO+vJpXeLD51aBmLaX54DGlgyjT+BWBQ8SWhDRxJfTDDcSXoafI91tir
JSfymhP80L1bweOMrCBKQT6Kj9A09ngWSlyzSuPbMylROOf4Woa/ZLnovBZC
sVFmTXf1eYIQJIAu8wpWs0o6+/62uGgEw2gPdNCuSyWh+7pk2WdM4dCwGeCT
xDlLNso4SZPI41A1NvbMe3Vm8a8R9V5PEsiCh1xm1OYeO6zK5maaI++2BiM3
wF7niYJK+AJeOStbflT+3FoBj52nB5IfQIbQu37v8tWIwFkSPFSuI0bE18lB
2vETC61KJuVi4dEFKm94zRieeucd1Lfhnf0NQ09ffKMONaPAynnXiTJlxB8o
qCVMPmtqEO+X1ZmnaexvTnthp0roWtZ1uQhtw9QWGD811MYP0EgIgOMWtedJ
Uxu1H65izBLoWqvxxjNUPnBvGpiT7g3vCuiE1uw4NF2bzrOGyBywkTILUeiF
vz5eDjthIHtd72a7WjFkTYmI20VsFQjsYRaDApgYk6KZwm0BehbSW05TobLa
TnHSYLwTnp5VBPgbHwWyvdSqNwynStAraGRp5Y7T4lIv34BhbyrWPGvVsfhM
tflg3p8VyCvPDfg+diOcojngNa1QsFK8bcGHAd2TDzax8aoqVKdaPkAbXhYN
3E+tdlAJUe6q+LsQDqKuZJCW+4as4j9VRuLFXChKY9raQ92s/KdC0l2Ffk+P
HGaNxzF1jVwI5+dptQWpijYRLaeO3eQitiFr1ZMm/ajdA8THNW0e3J79jjwD
RKbCjH5EfH58wF/9AfewnTGz2uk0g3qriMGiIB2eQPNyM06+R83JxIuqrR0V
POEZegkVL5qdfPY9CE9jcNOOavuBmKovfyWt1surqD9frhPQpDHZIWEuvybw
x/HuAMsBBN4BcG9HTW+YiF40Li6D9e0MrNfSXG4IxcxwBqc4tyLXGvn/LNbY
E8qEG31gNChrJQ3lTJoqVZRVbg0MApPFwqvFJ5X+NUPxoVE7gYD3zxoW3ATE
M+analxbALLWojYwBYA2gBKq04r7yUcE+Ai4vHAUhx+Ya3IW63a8MwGCVThx
20j/jblQYR5gxm1wh8zIGhwXLLuosjipMuuMAydU3YOVBySAgiANC8h+20i4
pIG4eVchX9WLcK4dogobdt+mBGw6zG1FD72MGk0QbkAD0e+cVIn3jmivtjql
59Xeqg54HkV7/BpHvTXIH+7RvufvMBecsy40PNADvq2R6euX6qo/iKz8Vo3V
PwqO/GGl1R/98m9GVsTfNQFuttW3CloCQPxraO0pxLE6TD3Ppr6ulrzm6bX9
jFfCAS6tO7A7RwVQqx+hOZB4LgCOWEYGESovZJ1zdqurLlQ4wn2OtD9lPblq
hUDYM95w3rRHwQ9gvaY2yttW40O5iujR1Yxb24hu2cV1lRios/JpoBTmMXXF
3TuxuFcAsF9f4WFQ9CVMpyQLYtnVfjvUmjqQBFXWauzuSb9qJnRadZruSKB4
t/cGSNCeY7hjUmtrAsZMwZTKA1pQ17FS1ar/813zFi6rot5ytYr9ujjhnj08
0a6kOohmKEFVQydu3UPWd5cljK6ngsmKYdQWIS1qI35KvADXTbuT7uliicua
ZhuS1jTJ4NvLMkAzSZ3KoWahpTlUdyweuEPL7SmvrIpUwoBugxjha8P7yGOc
3TscNWgb09IsAc1LyK6fBFPU9oilZlGu4ilWbkoaqokoXZeHORSV4FSHqX8Y
FgLpaKpTiQ0Q2m1NjerdEEf1PCWspH/rCLjuDTy7Ly9qPU8va+q4ICBTW+wb
SDI1gJRKjP2C+xdNxkNlNEW4PtMO4HxL9PhX08l/n1UH19EgfAAYbw/8mIaT
Ki+nnL9o34haMFM4xdL8iQp3PA3UGn5sMqn3lCUVwhZNOtNEXg31UGFcmYp9
FwHgphEyasTLE/aRNG11laf7CyMwtUv0cW1BUW1TmhSSPnfZEHTnIBY140lg
GBgR0RWkw5YEDEz5DtnQNDeTc7+WVx7EAAapRlXNyNwYiuLUlD19xzvkat8e
Lh5VW6h2FIC/TYYfYfL30JI7IF8xISq9LVMLWILGHPpvuIxaJEvWGiQsJpRi
wrFGrFp+dAeOYwhqFO9l/A05pQaxFG2UdSkNrrssLE9UOWdwasHn5keEsxe3
mpoJVET/jCbnV9WF1m9OmaK2sZUg2RgYLVVAHi04Uj1VcrmJZ0Gklrb+mEcl
U31o+vri2Fpw81bZ7eY7qCVm1du3oR1Z/CAYSFvpYz1aYqRQC1QYe4NFXe++
Q8zRZ2QuofJoPkyywiGLWcCWucZXw6dTWZCy3BWORH1n0O44ldks/zQG1njU
p1nvjahw2qz1e6BErwHFBWmHswEgjvqtukHe9M6na8ZThchqEcZ9AjVhUvOO
/Qej+vEBf/UH3BtR1d2rPE8Smi64mqiiGwxuXSo5xtCWqqSKZidDPqBYZ9xh
+eRbq0qj3TvuipIkAQFXVDiU6DVBxmnrI65rtG/531L2siSHcq0e53FPXc03
XG3ZuC2EA4uB3U87wJwkXqE/1KKeGS2itBJM/VzaSFCFHnIv/gE7GjMW1hcf
+sXt4JOzKmQwa3C/keE7VdsGh9ff4j6mcroaFzS3nCQM8Knxi8WfPLAr+Z7O
PLRkcoGZ1UOpTiD8NwwISzu1W2l829Y1AxjzAJDCHMM4nmfVEq8unvavidu9
/t/+f6//50rd3n/zp5O39y/9O9K3f/zrv0kzviVvufkEyA0gda1LWrjrEbUK
dqvWSgPcWoIWxtyrdtI+wzAworF6kO2NVL/85AcdtZ9+7KPN13GmCmGP4ISt
PHiYFc+XQz8eNt3eZYoQT6ck8FO7pqBn1DAcUGVCxABHWl99+lboLG9A5zer
S6WdRau7NT/xpkQaH6EByXcCt4BfFv9zQaMT1eBVNXsGB92gjnw2qCoDslVx
DWIVKYYnPZl93NW3MfGi7jmpVbweyMfQtBRg04jasTv3mjD2qFjFXvx/1fIK
Q/nM51lhN4rGCkpdywyDw0Hx+tpPt/jVqH6xoR212kOuGVhB/c/aLAp1g160
l74B5tDpdvbdUq2hJXhtrqdr05kOkm8/yq1tLQvRrK36DWaEUWiw/lePdn/q
6g58CBq4w5u1ZI2lKYiHlpBiGTBIHLDX8F0PjECdtcIc3eWvE/8wn2zdmVCt
06XAv0u0NAso2oiwtYRBWMUrOdzUDz0sajtH0BRNzbWK2s4HYH4v79TpOsak
PwlcxLMlzl+LkTR9FAw2vgUjFcZ8IH9I39o5qpewVpneUN4IiUayqK3uGdPM
yyY4i4tO6+8WQj5tBw2lhNXzohAs7Gvp2stYVK747oQ8YK8kalneaTbYT6c9
HAHcKNiTinAk76/XhgKHooFcWeAehf5qXB6nBI/2aZQ7gZumU1YYtqQWIGh8
+qYKLaedgm3FuusEsXqx46iG9vSBpl8+FSHXLL/0DBhAeWDBsD2nHHhXY+jk
OJem9IMbPdrttFp0+gVl0sIuqMZT8aiOVEXX2y2+KgAdQ5VDNSuQLnS8ugqH
JvcFzVFwoBaxLA165iRce/pANsLHX9q8I0817YHbdWo0hGesr3vIqSMJnTpn
8SHAaTVgBgRPm1vc0+W3obsqTwj+zyZwVXXPCamZWcMrkZBYVCu0tMYI7VB6
BYRboio2PEp4xjPi8Ju/J0p1U82klFSHsgOuUQAV9SJ+K4gET8hxSepGzlEu
fCnh7/jOmxVoXMOUKb/31n6nA8fAQGgHn6aEjDk0tS2pe3SoGm2do/ildvlg
+pUiu80bblgjeMY9ysNvn2RMDYfB0UFH6o6QYA03cjCQAyLQ4jGNwgjahTk1
S+Q2xTJc1Y1w76rUaFFQB6e7tEUzDMUhEhbI3DRMu6pt0fME7oHgNL9iwp09
EV9UP43k7wTuJ3Td7arA6dQUUVM+2bRslTcYxYklZy2znlwZTuDstw56qqU8
Y+LuDtqSikalapnbrnnhr6BwaAwgb/KUvmj0qHqzsXG9q7XJPaNnjgLXcLU9
nwSuKVaYWzB1lWcY3aq59+a+LZ+JDzsqB/S85sYoudPD4zZWdJqLx3n9/ci2
hsyrtRvHuzQcUVs3QQ3hCJMqC5kzYAIUrb4/pxakWp4Fqeo0z6cmf8/v4ZQ6
hxWSJrxxWsu3quZNRMz2/hIhmqJ4kizjCprGUp7JVbtzwfzaKXcsDplfWlzx
oVGFZbEhaEWLaSMQSHIzDSKcyuQCKBb0/glOphDGQSb6uV2EP6reyIpyQnsB
BbVYK10d6kPzSZrH2wlxoX5A/6/26Y7FWVsqOUr9SeAaqtqwqxsb4iNmBAKx
cWDuNK2p7kgTUCU67SzeWTWoKNLtJJNTjzpE4VKr4MdQtiAe9d1kLWW1WrTa
cGnCzuKBj2Z8oV9R/TO46PBMzNWYrYZHLelWK86tAIngUBp3qfk8oStli7lt
GopcsU9OMEVD1fDeUW3bt2HRUkMtGnpK1FbqmEY0UJvc6kzhWLLUClB5FBEl
7S7aSZWi3xItB3h8KrImdqxqv/aPcMOPD/irP+AOSIK+cCxJBBvoq3nyDbCw
oym5spXKmBWo67SSXQujB06kPl8lNcQb3g2PWdPHJq7M54zueaUWoJDfQAhU
HBCTNAryHNM/od0aQ/yUxgZfVj2t3UUueQeF3NES7ericbT/uA/tD8e6HWyV
h04VbZJXW00Gw+7HRWKietw88LjLeLFSXqkTHhg91rSlrE1oW8t6W8J/q+pp
WTC8LxDwHLXBP9A0V1mpdsNoryHHok28b4KUrcNLpl3A4S4ESHeLQLPafd1u
YNSCmoxvIqFhLrnAwG8bGR0Pv4IS6aq2tq1hI3Npf88oFUflVVd6vrqynNvx
2jZ5Qw9ftWs9Kbt07RqcBreLdWqxbvhy12LlXBWnzMtuzedJeztfGodTNCMz
PJtVeq9OpWDnspG5zAkNn19xIF7RaaR11YgaLcPkMwGdQ3Gqjg8JiiTV/oyp
A/AV7DWo5pcE7h/GV34rhfuPAyR/mMT941//7TTu+daMqR41f43pDrgMBQWh
haiZeqbJvdXS4kK1DVq17c+OzAgEwEOtO9TvIaXBQUuQZEA/oJtb7ucbZdBx
kW0ffYzTJG/cqaqGOepbAr6pn1Cju91ECTe0vkWPGwz955GmAPmjii6PZ9Ps
X2lkE55XaK/bufUVkKAKuOjuNC6fFgCPTdUVXoOPZgbMVAyOAboOntNr0fGM
JShVrOGs5Qk6wpuldv7JBHqtn8aIpQRiDeMrZoUleBc0hj/MppUevQ6NFYYA
Kfawx0tA8M/QV2zL70YXgIVhTtgCWOSDSarfRss0kTZDBEM2De7M4WilB4hC
EdXwmEXTIG3f7xx8Vvv/l37T3LkCHXcg042dGh3+BIHT+J/UtBy1jv4VOfRb
0Y5iJXDFeK9QMY29COKpn02EXSYNVzrK4BfOH8AED9GCxrh24zQw4/5XKUWg
KgjwztOArnZUpdsEzESF6rxNp/oNUHEOWy39oWCh4TEYlC5DEe4TmFH1exDn
dudpnFAcKHtYnVG92LyQbURn8J88ROEsvdhgXQ0sukwb8W6mqxrdHmIMf5Jb
c8KqdJ1bg5hwdcjGzvsbu6tBmwvcbiEAkbsGNGs/ID/1MMs2+ldNecfT/YHr
TR+5vv5tgGncQl+apQIDgMpplKcroGcOC4MXkbZ3LL0qnrsGTdwkoKQ50eUm
Mn207vzbM6vSKjhYHqMMjaguU5leTHko2u51Ozjh8IFvudu0sFtVz+on514W
FklDyngeQCtuom/tKgHQ76kWhxhVARLvPF4PWiU8Fei9bhKfoKUlqLR2/gLR
69HOEfVPqWooVAU6oa/IsRrI5MzPLR9jf90R9fwNmaV2pGhMcQwaklC6lqO0
rCUe/I0VjdbfLo2jDSf9fPMpz0OrFaMNGQoYnor7k0EX4ntjYMLrgLpElSzA
EzSTrDRABKydf6gBr4qDba95KF2VN8lu8xCbkvVaaDk01kMzubkJzdU5RzWn
FdqjxLtao9GjI1J44xunAWIJLbltu/mo4ZjZO5gqPrxCMztHMWJYE/QYbX4z
2YGA+PeyNADEnhWbp08/NPvsMQ+mHsev3AAwumZDz7A9OameaLgvSOW0YHbi
RI9mppTHlOFPNM95HP+DV/34gL/6A+6Q7tYmFq0UaT+HOs50WsSSSuK/Jjg7
a8YURnxoWBHMpZ8npLtK+Sbln3NbiNlsQgDa1sDGo+HlmkbpBgYJI62x5EHx
HuF+kDekaM4nXxNVNt5gEXfsCYRuaqCteC5NYkwDQxN6KrPihlWs3vvnd0t1
MEP8v+/+1mX7unwjFOcGEFsNVFMGrdaeqsaRTOjUwhrwHiBg2EXoc2BARAIT
ntQ/63A7DAz8um4AEerPzVMJYtnhpWrOwP5+wHXaGE2LtXaCEXbVmlWsUHv2
RgcbArqxrLf/NsZ61YjyJ+jF//V/COv/n/8F7/aHzbf8xvML/5be29//3d9k
FpqpzbF6dTtPkcpQXMGSOxCOdmM6rGYAXHyldbj0puLg+75msdw03P5ULVOa
P/ehQM6+Ah8NiN9q7dTwxYrrhtz79K4YwPdfYtlP1+y0XbR989QdtMXuDLVF
A0GFALIyciCM0c2WUh1z3wgDRpgDIr2LwYjjdCL/2tHJ70XN6XFOm4WCnkMT
tl3O/qkZ9HD1S6J5QXWEoSkD/OWiZpxsAT2EdGflV1w0D5XZR3Orz6mi9U+2
VDRHBMJrWQpuPYLFDCGO2nHkDyRuq2kF0AtzbgDh9VbLqsz1lyDD9En8Ca08
B/KUuurXak5xg3o1Vt5NB70eifuYcG+beOf7hDRrzhfjIPPwKHt0u3ybk84e
R1NbsQTae25ezcFQw4qU3B8AMCx3aoRLcbVa5tW12oxbbqABIPweYPFpoS5t
WAUSiqYWZeuervY+U80O4MCbZi1uO0HTDVHFhrlbcYU1tOPLNBBAa7/55Geu
ueV0Z1W0mI97mp4biautqJUfSa3AaWYt/tMaqYQYVHDvUuyDY3r6nqG93k7W
Flmt5chbAxAP3EShLCXQtJJxDe2kydDDpqzwE0FvT+T4aLAn9su0TS6MDROC
svOis0rrDJFYwLGufqrelUQM9VkirjG3MQx0IUcEKKiXbP9cLjNTcejGCmnr
EUfRmqI6wPb3A8X5jC8VLA8KXnntepApLSrL8P58W6l5uagUgTtKxGVsvwMi
Pi1+WpaBqloqguhwqzI0gkEdfdq/rjaD7rVWBX5b+GmoyLMP46xefp8ztwGe
FS6rBa8xt/pqZ/paLyUTAe3pKFVWdfDk4xHl+HA7rQLTcsCs0nWwYT6gSBza
0nxjrQYt4FenhTU2lddAevt6ivhs35kap6Y1taP3iBeGbrTsvim5a3x7kNeI
G7eh40hNC4h4tGdQMjxLvWKz7896KYQZlzZ68WJRvft5VTkyNQoqATk1tejp
AMzhbn71a6mmRsuONe96m/bf8daqg8WaNxihSsXVjqLdVREYbPXplEjeaVPf
VnRGDS6Gs561bSVhNQdR5fvLj9x1Qlr86HGqD4ApT98sPAVDCUFQAcz8VtxF
tQgsYQfFgRsq2IOFiTICObDD61mIM00ZRa3DyAdU4zafMJq8Erfdl7ahOsB7
+PbdNUyOSleeD2jrDpvm8g0U0JpnOG7UpoDdVIlja/Lq3+qWyCdm3LrWsVnx
z2gljGLImg2+Ui5ZvToGWWptFZWgOa0159PCN4oOLcT7nfPk0dSQfU9frho2
hZXUcAvTXIHqg6HT8JvRxGGiVjt41cku5GttjTx5ImOT44Pp5oq8YzsQb1xJ
4Dck7Jgh7dDUSNisQhstsuzxdkVo9d3oa/iZ6JazCPVqqmAZs5RSNdhFHcqG
q6/gyq5B66VoOuZ4kpq20vmmJCvSe9QOjVEFP2rFmOZz+9gVzp51V61RCxEH
F25PAtO9zVJCYCYKpolZaSgM7Jz6V6RsYzV0X5O80tSeKy0TFzx7glpZdUAt
Sbt1pl27oSDRQ7s2fN7IwFYAEXuM4+VZXNCUyTuhypv8yWiQcv241jhq6tp9
qj7Mr4FNG5x6SWMX4KEGZMMZXQWD9/309Gq74PSmRXThlOJrWtihGbXlTon2
DuhJpXSBUcNlfctJb/nSHqHLRjXt84G1x6/qypmQGWZ+FvDF1Ip17gRbCvZB
7KIVrdUrzyx2l+XqvSxbVUlfC9+6prK6G5i4pHL6NrNSD0XF4NDzp52cV7jD
Bbn3AZUPNTSXQdq+4NV331VZCsUStZDmqI+nacOVxzCmp06yzDVwVdjTObVs
JLtWEFqNIMD/8A8pai8r1wq1GBpvxP95Qnyc5Q2dKp4pcMZqn1EO/xRMEneF
wTNNSBUMRqj31vqjzNU79wwZUWJaAyUzejPU5lOlKEMBmDlHBBt0GNUBj0SM
l6kFF3l9UsDtXtDVYkash6ZJcASqclXQZy0udnxbftGuYKCNXHYCjWln4VN1
1PgnjYRUFjyq7Q7rBoBvyWspVVT4wpTrXkrlCPgWbZl5C4zurJCrScOYHb5j
a7rqUEHnWEC6hD7hbaKK+bBcmAP1CSytHXs6VaAMK9ZPvkBzXnX02oMSG94b
lKMG5oAi9Dm3YU23htI9HdmQ3GcafNFCZHX9IS8aEVi/tS0DLVNBhmJGcIKN
aedKwGxdc1duEVDvjbbmqJWoaBq1epdCA/wh1w3wotVYCfykjZ1Q113tYaTe
arlsFMiyFy9fsHptWJetISec0wAtFmene9CittZodWNXzz0I5v480LY2AmPx
rZ+zncJ9BnhwGrNle/Ew4FKQb1YPg2lV0tORpsLSv1+cEwOeiyoyal9HW6Q4
qoKsg5k0iRx5wh5CakbVrr86gsrLn9lXnBQCzRVr3Y0FlZvj488CQ08lU3wC
QweVyhxli6v6U54gAFTmMpcYNW0xddoA7osWHE9wYlRV7OCG8ae9FIy5ARVw
ZWpn9Y+oI+mq+8axFbmAftQzs5a6uRa6iP7xhN9mqqFV1kBr357+vKyyvotp
DqW3dxK2Vp9uPaivJih/FkCLnUEI2MqsHVZoSQVfPMsZu/cqlDknwZ2tlbq1
vl4rCAwo3Yfq+9Fd7QcL2rLsFTpej2jG/phL5Lt2aMpWF3Pe2g0B6jtTOw4r
ns+saej04TJxMtiS1zoB/l1VPB87icrarBgx7fb1qsETS1gF4+6heiIYCXg4
HhiPCb6Z5vTYZ01aW6D1lNDc/n2FSqt9tOOUH0X/+DunnUww2/669xlwIZq4
KQ+3tf27a0Od9iSijtnwm+XMrsEnU/10vb7TvlHLcZlLLKLHb4DjtXw7QfSB
WOgsJtAFD1vkHnBYDUPjVh0KYlt+uktnB9N9E8i88ay9R2HMcdYETPGUUH2k
Tov8YObylT6ZfzCAvyFd0K55OdOipROa9NUj1FHbgFNrpyEW+HPEsoDRPbZX
W+vuz8O9qfyTs9WUOqsa1oK/g99rup7GhwmJ+e2y+q5UQ7bdOzNMo9l+MZfa
hLUj6t6yBntpWW3RXCc0N6iGtAGwRFxwFWOMiAIh2k/iVu2MGsQKJZ4H9JAd
BzWVQPVqMdYycQATYEY9va1p9fF5dnbD239E8H98wF/9AZfv2+rVxsoMDQJT
8wamTqEIzT2GieC+bG1QsnUlv6N2vqIKN0+qeCuvMBlmb81WnVdiGJUCesyu
2cHu241raFHWIGbV7j+wLN0554Ot1jjF2LSiF+CyWoolB1UvKQMNsoJmSW23
MmgV0p7jMxdAiyTn0T5ZaBZ611erWOuGBTWNFoA94s6OCKjiaEOF5o+dAT5d
vq/OAdvoBlfDLanCFKzWtoGe3AHkaXFi1FL0wys2RSxw/E+UVYsZkyY4T3CF
5kclrazLWg9p0D91BG9R2bhVYYDNBU08HQxA1cv3RRxLidrqY1oQOLQ6wWlo
dYQtq+cWRACtOqq4qNBw1by1ZxpJAnALNrTNORt4B7JsZ39TDidvOXgID/5f
nLDGMHp1B9xZzRDs8n0q0gbb+q49lyA+0DfGU3u3ZkqauBG6IkAbylvTWetb
6P2E7BRH4yTz5pi7r8hJX6qlcQfnB8wO0Gy/xjeMEw/axjpPv3DL9Q5n4LF7
GQnABXZSDwqItnDdHU6miWN5Kl3Pn1oJYWnkA87mNsy9qlQDpwetgYOhJFX7
SXGTLQDB1H6jbgAk1XhoB2sDFz/5l/EMD3HqANNc8gzv5wR+loTe8A4xwVrk
keEBGo2VtWMa3un3myfTzDNN7YsFfBm4PDGWWdSGmJWDUzQZ7ol4Nz9zdWoU
eBLRT5TVBU0e+KqWj9dUxBhr03+0Llbc4+TtS9Sae8sVXw3HfUY4wnS+JIjm
kLp2FLXU9jfAZa2aLgpd1iDIBCZGCkbxysnfztOphvsdWfK76ajfnVjy2yml
Pzew5Pd/9zfTUZBl9UJocpfaNDIIGvNRl7rGXdD2B2ikiskSiGqC+xPw9AmJ
aO7BjmCmmnH8X9pKM4mbpv1C+FpSyafPIB83sXCARHuMOgT+rj7dmoaIkgBZ
m4r1HdatHNW2VFddak7br7Pm+C2tAgw9q9npFok6FFCt/EucBbSrhUsZTe0e
fH54iJXVhQMgQpdUBAHve6alxmfo4Vd7g1xHKC2PEB16VlQns5TsOlU7V49a
VbQ4OOmZypuOikvTlTIkvsETGgCq8zBBio9JKDOMrWeKs2GxYFhzbbT8DiLW
eldvbL47Rq1QhwGFk5Jm9qJjqFgKNlPQIlttpcJcoi7dolvP2heVvWmBodOc
1Yq1xkapXBOCg8ryWtuXcebSXvkYFcKJmj56vdHc9x6aiFZq5rMpwxGLAyAq
ENNhVnCiMJpwOP5g4SO9tYEnmE9BvYN8wWe0qtGwFdY05lKdPsU4KJMYlHU0
4jMhWM5Qbns7HUb8B+NiE26Ez4BvtG/tz+ijp6+3cWvyddZuH0wdxFLNFPiG
jpt9ig69Jsg5mIXh2SZ3VGbBTGl+Yto2v2DpkrWAaHeNvLK3HgBfcVcC4KJs
NlwRjFDlQAvqqRmPhnxq+W1PyOwO2nOCPCmOic+4ZXxBOUL9hkhF776dKRUm
2ZOyJbEqTMjFV1C8Ai1d46bmM97Ti8T8IuMaSjiHJoY2hMmnA25aGSRg2GXN
Ho0Kk8LUcDlOlxNVWHDf4C5bAlxOyJhr7RMSp+d3hiYg4rRdRtlUg6iGvh7g
N8+IYpBavGR8bQN0fRvilSoM6u3yhlzaty97F+0kTmqcm15OqJwUnu3QOj0N
Gj2qjMAJm9t6KY+GbmRyqv8vaHxuP9yNqX3EjXeQq8DA/7qyirXX4MTTc25w
cCWPz2mckcl/Jb4lazywxmxoqWSNKz6jcTUl0WlHaomasasxSP4cBQSyFpAB
ew5YLh/FFnE8eMqZn8FQoMLzJwPlk8vTCnDuDX+/eLkEcYxKoRZN8YL88zQw
za4xjbBSnuSpih9tGTZE8ZeesJsnJM2aXk0zAQCwWpUYalD4rQbFrndwz2wA
hRnuwTkaI68yfyVvtLc9KCwRudKVVPL7lUiqwlOd5orrOM24vh8oaoeyZtjy
3bDOkw35BDXjbmrTpg2Mp5LOUcOOFePXFp3H5qV2V81wbhiB1bSBCPyv8Te8
EIguK2P4QaQ6K6YC4cVYdQXn38wQELB5GHJUtnxyrQWThcQWVRaAwiyYZkEA
jhRzxTS+GoN9vI36mh4x9yVrFJdqU5NE2jTLwSt0q27EDG9PGtrEK0O97Vl9
4rW4REsHjlM0AjOJiuQPwUMUxOhz0FAjXPBSOcbeWgx+G3VM4SXwmLGsKdde
+Yd2/NZBbIz6yIpPRS1GWX6dqglZ8CI01Z4GVFV6YEZVpGpJg4vQfLQfR1eh
VAdUqGFGY6PPTXkGzSv1Ty8yP/73i7o2KZwBKYL6RLtpQgcU6GyNvsMmZ6Xv
z3BgKU0A0e7jtN7Rd26NlByYDFtVtcZRe6g4PnUNopU9f9P5NHmHWy7VNML5
1r0W78LUAEFwooVJQ0fAG9krN6iNVN/w3wkcVnVyUXWNdk18w31u0xzBM5q9
gZ+ZCq3VU7T8q+UOFIzI/tJIacwn3icGV5JGwt6mL5S7vudsTb6bhrkEbUY5
jK49tn4n9aVjz088CBNyiiGM2Sti9pxQ0bRW6DHODsPbtep9ChOpzr3IHKp8
DD6UpxKQVcDqSeNh8vYzsc7jTpe6ctpM5ZtBm4rhYFTApN5g5YhQ9fVtfU2c
UO9PwAseUEdCD5rsOg+HYd3Anf6t8ThK5WRryP3xyXNf8Pd3vhnPeNfJLSVd
m4qJFHDVylDhR0hMgTqCqope3Cqm4otpyG49KZigtoomq9Y1asawjgkpUaw0
8ALNNAslaMSx1rUtzfEaTz2O4pU/Qng/PuCv/oDLkOJRAaXwiaZJoctpfgfe
VLsBi/coAwayac1OHuCHnbQ0550khB81pQKb6qa8g11M1XMNLOb6NlQLEFWw
0PoSRULh7wQ8IO09hmm6n5NA+KuK/dSae2UwwP+qMMS9Vzy2VuvmMFfVukCo
65Os11IeTeBwJtykVAWm6wRNjktqdAJIDj1TD6uMqeUKT98JpvI2pOpcWAW2
t76dJSVlBz7mSwHoJ2CHFBW0AFHA/PDdoQX89MNrpkr1g5Jtx/FgEKGwgIdV
PffqMMFSlajhJXuAUPFn6amxUlL17ivQJl78u8F3oNUW4lERJwwHy4i90fA4
LQ3A+WvHeFMPT3p4jUrHBJ2jNm04BTtDVVJEQHRpadJKrmpCxYSKJG2ae31V
j+tuN9uQl+C1eDw77WMc6UQl/bV9Aw+mnrc8tnUtnsGBwLshvfcLgtJyUuQv
aS+LVyHH7gf+gH0M+m5tutcEAdW9BIyyVrs8uwnUkv+rkVP/q1r5lz//+Xrl
X37n31Ox/Ie//ZtBoqIiKA0tAGqr3FBzzTUJ09J0iFeNmnSOEAJ7W+KysgYT
P3lSjZ/EqZeqbqYg/9lVKwbQBt4ghiAMgwUhsYanUmlFtWds5HLlLryJ2t6O
RuN561YVT1QKemIOgkIJJR2w7tES0qqqCadYyc0nkEwHegF1f7sB+L4S/c4K
lmjuvxsKZ/H/SSk1fCTDV58NW9pJcvfp1FimJs8oQBhCsfGFNRdoqsE7wROt
Qa2bhiNpt4WWsD7ou2iphnrmlOTtKTVZG2CL1ySCk1TlwA9omhdwSLNSTzhP
czAHec8XOtqwgjnrojEqNeY7j0aqqKZF7WADw6dFLVkx/Kbg3zuHrbqpWlU4
UjAt9kIjIXWzr+g0trhrLorjVrlaFDW1r2nsKXo+7V6NBF1RxDtoXDZ4EQhc
XU8776Qy7+WbaQ6uZXBLyXZke/tDyGFUjpNYA3LGc4i+NVXtKQug+qKjreIR
rgXTD6oy1jC4J6XT8rmLA6GtmkCr9IliTwUKclJpTlUF5+ewCXaqKLeyg+iK
ypfu6LwCj7IMy3vVSCaFZIBZSoPwEsAznM/YWsurNQlpqbD32QWCxN8bbfiV
UmQx80wqu2waPy40qb2ZBjqtmC/j/ZDKxaVpkcUTTVcxageJN2gx7uAj21qL
g0MYMJKuips2J//vHE29Kc6eteiajnsX3kD8sZZFBdIBR6sttinU04Uf4d19
qFRjQCo83wPJQQOeNUs8isKbWh6MPAbNYwJaf7D+aNOY0l4w0bqXqjoDYjTi
E4rVhMPfj+tFTZGvPInmcKWYEAzsC1+xtCICB7y15QkufbAWE++v0cwPyt1N
fdq8FZoJE3K5rgwixrlojxgmAWHfW+EejJvTSGmU+haB80xOQJ5WOCDrMjxs
z+NRef2jUloLWBn74igzeV5c2yNke55FHjg8qJbK0Y8qbZzaUivyoB1UuBaI
HIw7r62xVSuP842reTI8Urq7fXC1kuAtgcvSJqqw0ULtXVWDEFcYOSsV2vOh
UfVaAQb1rF5CT5Nqp4ZJBCC2Wmk2ojRQVVWqAFN5dR4B1hUrd9ie+tCI+71r
lhN2Ej9SFFDRAimV73XTgMhYVPRvReUv2v3Rz7dFNZfyq1YKzfDSKmkzhaE0
AT9q+g5GY6ahQnXUkYuDhccKr5rvXnXb51kTlCKm3PdWjnaKTS0J0aZD1zWt
cmr9+sywwYFIlaKOdw14vgNLUYcwtaO5attrWVrbBBLjjdBbAMkKmtKIaZkr
oDkDWPVUWWk77C9miV8Z34weGFxBVZATXANOsYMOm0bIGz63Z3DUWN/2a1+e
IXYdkBqcja3G+oIhC+pYQUNUaxPKXiiCKmY4qBS7y9v18DzQRmEus5RV1f71
isSBu3cIs4bwDhCjlnihQUc1ZiqpVWAO11zf4d0I/foqh9B0/DYflhseDu+k
UklVTGXN9Qqgxp04Q8jweapkQR/7nk2xkkbXiZh3UC+uCYgfJKGTzwAmGi5u
aWfjHtoUU726D+7P423gwAEXp3HgmhXggdy5N487W5gL/k78vaEeR9O3636I
QYFG/8lQrFecLGLNleZq4PFv8n8IaD4avdTsYUqUboDtTBwFHObRaI4XZ6aR
4t6DBBqX2gYnB1Jv+LmjgmMNu+NV1E0IDtnuWdV4wBp3EZ5G+ifs0MEebe3B
xNjI5HF7SnFmkEHWgCQl/kyriz0Q+tZA04qqaRrCsHBxZ+yDNwbZf9Zucn3y
DUXhk6wREFWU4n6jFJ85tAY4mlq0UKuaOjS+/hQsv+sIxEATy/GaGTE7oEkN
DQOTeH+egeQ09DOgISqTzsr2ThVfTUyFLIYKl1fxGeTqeh0NNbzdQLJ52SjF
pLa67MGgXAeeMshsnqhtDSG2Hr6tb6IyOaBtW60Ez1qEoXGkEJyoGar8smnk
u3dyU3NFsU+VVn9QTNMOgTDpyYft0m/oBPPSIF1UZ2uLgKoKwtSaJA2dm2Gq
az9HWTIolgHTt9LSN9Cwn51a1Lg75CVBewSZpfwNHjYxEsPpAtGlyu/zxs8q
KKV0nyI8OUxAdumGLA4Q/RSJkj/wELSt2ThYC14T2AFb/zzGfUKcZSwaNwxq
8AlHWZAztzV8UIxKpZMxqAQBUsWPzq6RrrcK7x4uGzUijk7byjQY2BAD7L8r
8HENrNkaZxorOq31d9parkx0e4aWzprxFiXwQnVVVUSfb0qhhls2bfkTMVQZ
JQw+fuBUQ9QeKt3vPYLoOprkIA6omYNL1FNb0Xq7MpXh9HiFwRfgDOU4LWjh
zlOEF1X/EDSJ9+taQReBUb4M7HbS4IIDUUh1iCoB6C1FFOgpz4Gq/v2i5x2a
5TTcD1io2cMANuWwNfEAYK7ZJZqIEDS9pDbV5cjMP95UsxvUG6PhrNhS9ejM
rAawpGkZYIxhJcJi8EaKiqqGYz6zPUZ7pvNjXXxpSv9puqNKqTWCY8mnAKiU
VJna+DbxuukL+IMT/z/2zqXXkuO60nP+igI8kbtNId6PQQ/6YRhC90SQGz0U
4mkVTJECSandMPzfe315i2RGsR4ssVhiSYeEreKte/JkRkbsvVbE3msdLxLx
KKeZWKgTdZWtdlZc0NSmSDkKYC0cTRTmtcR99jYc5QNGvOdes1xo9zNOsTsX
AbK6oGRZV15CcQP7+aSQXhW2hRtbr2ji3m/IK2RPaqhait0qcpfL0HToEVHW
46zPaiXQY7eH0V21IYZ9j06KI4cEV5hAJPQrI9atjn5iS9GDueSkCeQK7XoT
NCVjj2jrfcSpgQ7JoNktJJVFfDtcUasMYeSiaDQUJ5XsBIcEr6jQiQfvEdq7
h0vMVCNq4y7o9zq5Fd2wBQrT+96VvknBeYXKLFLMeYu48LHpE8Xuh7JXV8zO
hibfsRTDFYaU1NiIop8BvaOBd1GhdePgzmhB3dztUqFRLDV0d8Xa2xCTmNRl
TxsXbRq1oxzKMba4rxLKzidExEdvXX7iSwGo4qDDMwhXaOpVRTmKA3Ngv18U
E8nUfNwQyeoWLkegu1rzZjo8ShRik6uF80dlg2E1+ktPF5CCVLTRJBdZa3fi
lHFS6cUFisxZCcJP+mUqixMVaCiGj+CxOS9C4n1QJHMfYjZu792xWOEIlrAF
uzmJCXSP19mI4ApzCxg8NmbqgXrzUugIPfaHkMgVVjA0Yelt79UApELAqRqF
SkMDG6BRc5CNimxtuScADeRDzfFxgQ9+gfvJsbh1xG5zot5NW2dI4ummKz5s
emPo6RL1KiU2AzOJWVj/nmoaooG1sOm/FLKmYh6t4ddBX1dmaleb7xqLxnqn
PGrzYSVMKdg996HoJTKkvNKvOuFEOV01kf6L2BQ7XxQG4Sk6nS6eu73j2JS0
Lg3qgFjEdbZVEA0KdWwTqaRVTAZ7ikVMG5C1Fcw6zMBHv5cpKbjQ7yz4hCt7
p2WCLmNbMdQTdYkofwszdYqoRDOFqfaxjWyUATb9R0TTifRBS/Qilg38qsMR
eRfwV5SUqivsAA5xe+vvEr0oqKXUr21eahuRnvdQteyVPQRA0RcwrSrfT6GA
EShjO2QSrXJ2VUKZ6BkDOpV2awHYIDJmJl2o1eRrU2kZ8nU+ztYpG7/lvsme
am+hIVNpQ782U2sQXISztIVqowL2DGyVW2VCCM3ZK7dwGlioWIviV7R8haeE
a2JKW0NERa5enADzNkVUkM7uI3kqmd1yX0QrQ5nX2DC8S/o8TCNONKdMunZt
heQ0WnZupQAfOWC7ow3BHTsmumkiC1OZs4Q0ctb/WE0i8UQyPQxb5Az5DU3+
eNQsK2u6+3YGagaazsIs/VKXTmJlmCQZDBo4A5tsdaDQCSGdmEwem6RN7G3R
KOQEcjQAfrs4Bq4Nhg5kKjwFNfUUCFVsTS3BqqMQHwewW+7Tg5TAwXzUJBQH
GzuU0SFOPgx6LkVolOydF2/beaWoGX+IjboYhFCCW3l5TjNFm9tVbpvYM2J3
RauVplkBHvwP9EiCGXc2Jtr3PZXOd6pafuOx0g/V6HzHymWsmK3iWU5COzRY
t+0mdWk+B7YpET3J4m6ClhYRGcCovb8HHHFCGBY/5qB46aMZVx9F35Zux8t7
CnUPhMTrNE9lrfdggODlbWdF+EVrDHlKvfVwbfbUhoKJIJ3QlSKkSLgRR4+D
/TuLG8NZBdI3ail6bbRwb1fd1lSLySMryMW1ktZcll61hZBgPg09Vm3zHi51
420h5aupkBQhHX4hGJWnPvqifEjr2FJR1/ElG8Kkh4QnxZYiwWIEIlGiJ4gN
YmOA1QEHz51TKz0S+20G3+c166GfoCCS75qiWnEdsWDKkTSimExSnrmzx7Wn
mmUiYqYJ2yH0rIbpB0rDZ2LMyOmGopelk0aMX6FJ/zuu4KC3NNkBEp/OVZdr
mFPebmjOda/qdGhIiI+j4bu73jCbXQ4XReWSJSJF68vVQN+Qex072YMqZERc
i0bROeD9FlsVVIeYKWiIuiBpDN9R/PSiD3pnSlNHtbom6BtOOJKjjL0jA0vt
tMIBTfI40PvZRE1sClspuuOui8Ky2fnYJ6FFH0n2YBAvoXAiOlTZFydnBTPy
rhihDLxFkQxKk4jhn0c45i4W1Vsb9MVwwiWmDqVtCB9NawxeCdiy+JGyUWLX
nIl0OR3FZMIcSrBIV+juxWLNckI9znbrmiZ0m/p7oYDg6dwyYfDwx1bUngcd
nk3RnLYgQ7WWsoCQiuKBwYlEixp9ixxELSmHMJRF6q3cX0DrOO+1RaV04rTH
Abe06LPXrdaNv4mlqn409J2EfnJr9/CLWvZtjosy6hfFgsVzc8r0CJmNoYRy
jtdkEh2nXQJRHUUXSjTR+zqiirAdzHKLOVNhyg6h4plh31vrWJ8RqQ/4guS2
y1MGv78yhUF3aH32jbauxmRGi//FYMti6VEV99u2DttjIqBhAerG9MSHE6Dy
4KIXXGknabA1I0U22c8YmH3NVjlfUDRmbirmCK8Gd4qWnIWcb9gu1/eI+TmE
k7vCCt25lylORgBMtxhEnAd7qqW2LBYcCxZG94fX8lPQ8xiPKEsLAXX4P10Z
4qBIZClM22qwzypWtLfhyHBATncP6ix57BycZqYmpo1CRbbqHXrgbJhTVxWb
tpcbEYaio5yHF5daRjLxUhJ0evGcaSajH7lisMDWZBcUpYBI77sERJ6ONKVB
vpv2Tg1wW1XsQHHFDV+cFg3aPagQB2EPfZ3VQtwUMFBzDWQ8ViASfA113umF
qIK/WgkafbzYeQumBq3DgCmCQA6F1uIZh8iOPcRENZEbmy3bOOHVPX3FwlLf
rA9eBfh0vfU6CxqzQ7kYi+Lj0BNfVmcG54GgnaWXhH5y5ESmKpGitdpy0qsz
O9At7utxjr6Xs7cJz8FGZrulp0TFvcaEWtOsGYcvFS0pfqCMJqzmY4xW66Ed
ewEbq0lFBMw2OPdn50XvfXCKKhzlfM+haHC3or7dVNaP40Ri6/4/vr1X6676
pjAvEDQU4IWCxaRiChH/tEgPhTK/6AQ+pksTW/Ps/tiaOkIrs07lZiW8hn6V
hoainy2MoPSlvIrRVVTyQQZXk+K+VvRm7orbU0s1rowSQxCCcxjcKAAorwga
hCaOjAOtEDxikdvi95UPF3FTuya14LJFxFeLV8RGwGNkxXlxIAc3EUtMnMwL
KU52vA78Es0hr4M+N/2OjmZcpVXlHrJwQn8Ca4VEzwl6zI6qmYVF7ik+oNSX
MkU9yiJ12Ikx1BXNkrK4UpX1l5wjuwBBtG1GjuBO7cZ8V4fGKxgjLh9F8TRA
ha6tkDDrU/IUVWC706fotOzEIRaVx8dMTYFya+hUcZ6+WLsseCNRL66n11xP
1KBjyU3AwmLpUNRoc8Xb2ssAcGySBepc1Ior/TKhGWghIUU+0Pyys+BzzYmM
lp896uWCpolSvwZUtLNkjRAGBkrvZMWt2CAaXdCEC3oaXbKhBnSfQ8KMj428
xwU+9AXuZ/6Os4UaFH1E31qnmjaHKQhYRkxsqCklC1uKpoxVHQqO4xBAWpYz
88mBvm9CtULGgmsV/xalQBrbNyIB2H7g8ZGtVsa5HW4uVPVtGSyFBpDGbMPl
4AcACh2PxLHbFDRRqCqK6NRlBQxYmlD5cX6ArJlwH5ZZCcM13c1WYoxC6Kio
02xxHbTFyu0Kb9qjqaULuN6ZqYAtTe8GmGEvb03RD2coGxY6c1YwU1iI2rnC
PgyE9RCLxFPXJ7rmhXwWLZlKAGI6Au7dsWEiWEfZtxNIFaNDb1SY/KC26+6W
bii7Ezb3CspZ+N1bJbHJITKcXwm/tqV3lSkDFVu2gp32GHFPWUVXFnBKI4qC
4RKo2WKkA4HoXZSc9O5QB1Jw3FGQ4ewx9bPfjdY3Q4AbItpoHW0dF6jGDr46
pIY0wL6mDbIRy2k+Isp1tJwKAhYc2bNTEvER6oodbFdurjRXK7kOVMUs6rWp
YNGbD4lXowf8pnL5qzX+4GL6V/u0R/Ttf35n43LtEP3mN//nf7+6bPnbT9w/
cP3+24uW3/LZV+4ODYsSmAgNtsaLeiwB5LVtp/5Q+dYGJeBQOJ6CW1dq0Y5q
UTdR5xWDuBfPiKw1zbolfLk0aKgzGQEZASeYVJqcPZd4nf1fgvwoIJszfyez
sEC6S3hfPaQVyTjXBUhGLlvkjK2riaiZGCwtxSOLTOar5omN6aOgaTSxSwGd
uyujRV3bUTMini+KK0a7RdzcriI9bgwBD7a6e82ovILHBPTva6zuWbZhad/r
5XCexr0XIBwQAKtxCaFhGTcLT7xoE3OJulnBK04ebDtWbhRxqxhUf7dLPLTO
aA53DcEFzvD1g9IXzE0xBguNSTA1QWPMPr0W9bF6hNN7sAjU3q2RArAIJWNR
Dpf8XFOsSRBUCK70gD+uomChLNTnTmVdn4f2FN0EokYr+dt+bU2rl0XAMXH5
VFjRNWaqcLIxCN5x+pD0MsURoiJXSKd3LS2YaPGNNxjkep/xjlx408xO1QBH
vNUrEAibrZVdVxzaNNAJSrJvXPexMWU3AnmiJv3ewSIQXypbpLrpjgypwD7G
w2KJ/apzxdhHE3vXkNCBLnqsQ9pPlLt45H/vwdwRO4R4E1q0nGBbHDmpBASy
BQ7vr4iXEzrHjTqbfcL+zp6nvvk2fXWjKDmyvRPp8rOwvzlGjoikzRG9bjlT
OhMFMnkSJeHDhcytQOutuWu6mMxmt2eHIpUQOTvSfJy4b1YhZLoR2XQavfem
6FuiQv9R8QsHFC928+7vrI+wR7Kj9WjmL+9y7tj5mC6AS9340qp3uN0SgWZQ
1D4aCBOEYnXv74WXWki7ZrEAGyee8VjViGiLLCv7adGaq7m7DRM3B4OalSUf
1dObszWnN1Ju05cTuLHErZHd9BYUgGiKu8BBRMudvd2kv2nIURurAHqI8IkO
5C340n9oCWRvIwqQsJ/ttyC8QapAgUykIpmGIKRoSRz0/bDVXAKx5ahrNzix
muXvhTnKhkkziv1eUcyBOm2nBFjzjaZsc3VYsGOeMJYWAELU4thIRJeuzOLu
xYhL4Z1d2kuGIyIgpwQZh2X/P0Z8nhxSILPhgWSUVpSK473SwuunCrGiPXev
cuTGDWdz9COh7qR1gcSuvoh42EahWLKKMUW9Dgyo6zyEFAUDM4pU5W72nBPe
Tko/CjmZPTjEZ9DOsN40wSbHgU+mpC85TQ08NMuxO6+fa1n2Q8o9IRnc8qbv
ANUIKPicV9dcxdLTo59BsbyhBaUKg6JpdYd6wlApOT/uBXqQ5TTF/FrUglTE
1HuiWSAjGkV7beIooGKirFVe28w0rR77ep1cvvd9LlOZGxHgwNhK61eYblY7
SL7CaI3/h3VUmhgUDETrsEw/VkihkmXH/PFt1yynhNMHp57eK4G1pqW70VMS
zy92opofUQKmWji6RttkP0RTFCAt+qd3qiCYaSxK5xrTWFJWNKOZMFHOy3pT
8K9bQF9BcNWkP+IUdeT3hWfWVIy/LyuUWzX7sRkZphVc3jgeR0kCQ2RPs6NB
TkyAtnkzFcxeEkruCE8Is96WlQBaFrwHvdqy2R9KqFKgNkL1O9ucohGOU4HV
hgCvyNYh8tbxJrqkhO7lY6OKg/gxrj51M6jVu2qTtRQ2+qP1soWihBA7tDG1
rA4JZP19v7Z67zVgHNVp8lG8HzAnp9qVbZ8yE2eFCqniM1u0TEkSayavy5vT
1KJvsQ4N+F2Ay7Aj4qhnErAl41gXjdhKdnuwaRcQlAiK7FRG2ajbTYe8svBL
KHjk3RUkTef79ajKDVZJRYHWC+1hmsGWTTa7mUhHg+KBd4AGEb/7HKDIcgkL
5oeR0+MCH/wC9xip6Ur7TRNY71XkJGNnhOgjh5AzCospb3rqq5FgD+Lws5yq
PWWIktR635cuISAzp+SPT4fbMTVR/EDDjZY1mxFmhIxW6vKXByaV2kd9qL5c
39naHUazDKnhyMt5Glq9WFsSpbJTpCcv2qqtyy3hFSuYCcQcR6sV4lNajOJK
txiZ8HabLnqz8bQ0qBwV5F9Hps9cGF0fIdDjLm9tXBul9qOmoM8isuzv0APy
Z4T5UZHuSrBKORVhn1RoTc2R+piAAoedXckefZF+SCNmTFXF2Iq9xUiNpLfZ
1OJFaOga0FUEBBjewAH75Wgpdo3o8GXqUoXL7uOaTbNOEGgdMTIU4bFczLZ6
iEKzBi2wYhBKn9R/+RX3ECDNCHyM2ba+8xBecsjd6GncLUYKU1ZaZwVdFRz7
EB4ydnvBcbSVi6IuTVp7Cq+HHbrirEjPmXsU9lHNuxnkvnlb5VWFN2/YGnlr
2c1bPvvKbRVNjiqIn+iwXo0T6OG7N4KgG10u3MyQcUpJPH1SXxadOxAXIqcD
mnHnpelJtLNhZykuJqKk9VH8Kt4roQlpd+VCsT166GgTp97cHxr4l9sBJhD3
5kcxjD2wlb6cFbS4SsHJEqWmydleGiKuTlhpCxkizxXsATqSEFDW7R/Wqu9z
BH79k4zA6zcV9CSiV0hCbJojstCW0LxoumtI2Gx0r1AlDM3iQ5OpMzlOajN2
oexC33vxjWPviiNnS1fBcsYkAevLPLLlPhtVBQb/LPESPahWTD29Zjd4UZDy
jhiN35SBB3rO6cjGH7gF9KxdFoAaNBY10RfEtVBRE2Q8rVvQjqc/66708z5H
4Nc/yQj8MEoNZ2Ir0hUBOrEmmsM5DHPsLlTR016rPmNFtAHI9al04p5CsfND
9PyQJcxVeNTOy4wYuXg9aVUYxmqrcmDpjTJH02NqWQkTO05X7xhVb4Atx5Xv
vrhLCy26qKViEnpOdGDpkvD1gIvPLgbBFI0eltMRzWZ30P8gVK+oroV137B/
jyPw659kBD46QtmzD+xpVtEHU0VuaOZO2GugBVk1fIp3jc6spAkeONgNRy2y
cmGrKDbf5ce0jjmvZSGURNXs0pouAf0+4tV14OJiDpdtZVwBWYajJ367KULC
qdO9CqZmxWXsRRqeFBy+s6ekaHGV0nhKEDjabnSqKFSMONiQ+O6qFSnk4Z0f
99qt9zgCv/5JRuBBpx4X+MAXuFcIIX7dIQvszrN3Z9zsq0yzMP8s49IAp8Mk
mi1esH2y/uhlzOzuKWwfis+IGO5t3CZsawkKqpd5degjH99EvuKlO8mZlQD7
oFPgEBsV5dJqEKG5i2Oh3r3Y8UtoD2hJ4uWyu8eFU6SN6kq6YLyCg2hcatQW
HurtS9dEtuSedt7nCPz6JxmBb05s/9v/+o11n4rXPvunF4e210/0g3/64ae2
333kzzi2fduHX0kwTHRVYVuJ3JncMQtTlo/sFrJvplguEBXp7MSmSiiQtqFy
HlsLQeNSGZbeBmoJw9TZFcSHkIfePI5qi5Oqe5JCr9iXIAix16TdO4p0987R
hP7Ht7itaH7SlWmD4jinjLOwS0HbtjBEgdcSq7O+K57XoFe3vbLGtY/YaNa5
EZTebOizIlqhpGIoR9XUyZfpTuoFemG3oJMyTaDMQbDCHMXZddu8cxy6Q1pS
C92fnODNJCTVNIHQtYsp3HcEjEiJOH2uwjpWN4SsLkYNJSDvvmzV/HZDozsK
1dkjGY5a7vECZdoiXmUjxn7z0rXKvSFUhZ1QRe6HGrZ61zCwzevqWeuxintR
7G9S6iRv+kQFtXYLyojibKLql+tZPFUjTBRry1F/2T0qtxuFpES/VUDYCPjt
Mz1Kd42nxVatnjUs0Tbko2ezZl9Fe4hNjJo6W8D58sccernK6geLqC7nGKjT
TshnZZSFg5J2XeJglMS13YwiSb7vOCRjjJDAFifDpUi3iWoVwghbv21EPWg7
0MBOfBj2cKYc9T8bY6xGrSXOU0Ip2AGuLX4CkBHopXkpu/0kH/XNs87Su5s2
LHxCUEj2T46pni6MasWmbOy462K1i4bM6Ic7osH5EUWmS45abEu3TB92SUlr
biYhIl0xC6K8nmIaz67KiGujGmwUlbrTSCm81oT2vr6Apg699hLmaEZoKR9y
J8jJNVr8KdpIGvjotVZpxZlea6tiy+jY5zowZtcdx+03cmJjIwOx8TfKQlbd
2KEliND60ufFyrQkigbiHjTadprMSFBpWmG8q4e3EX7Ri4YA7RUtpVLivb1G
M99Z5RW9l6ZFgDNoMx5BB0x6LzeP6oQQc4x5NavoEfuhaKalp/lZu3h+1duO
OEnFrDyF44TV66u7T+9qvJ+La2YJK2oWdasXMi/4y+lPtVtrYOFzuvcsk+4H
M/Sy7KoHRhUZG1nzkeYWfbEiLQ03DDBGbq4zcPo7van78hXTJqKMVRayPxYZ
AkUn57eCZmVCioYj4+YU8hD+iOM4F0WPPO6JyHBBAGkht4lgmAg9MitmGqSD
ZzHH8i1FiS4UHOeJVQr9y5sVNoo/3EfS12ejOZlc2BOWebTaKabY6beIGwok
QbGVUm6c5ZdWQIOfdy2Gvu8dgqgF7spBV8GCggoEVoOQAO1mCmt0iYmrYoxR
2KysCPffCSsPSDxcV6dir5hPaDGNgiY+8jcW44W27oohChl6qKFF4twYmwJl
Ry8pAhaKTIjcKCno5XXFTYwmizNHBVrEQtxika3lUaqI7NIvl6V4bjQwbJk4
J+ywXi47ed0mg7XLKAPWuZqrLaE2rJm6akDNX2HCoFyVHadrSnbVIvx/kOEy
KLoRjslNqU+hE9v0gG1jwJ92ayJrPilDl4MvNkpuHLs+yF/rITDoaw5Vt6XZ
Yygz10tXpG5hYnaQDjirRG0zS4mC9Xk1/yiV7Kv2Tbe8+ugIl4vg3deyYqot
Ka5eUOgSGJhjaxLPbhu1ImKYCv+UJ+IVrfVWTTuMaGZ0tFvvSwyP6sVcr+og
TRWrSWeYeQnzoXBfyygmLewkLIk6bOVyo2TAuCSsAlHpGrWH4i+b2CsDHPpz
mv9IV83V8UNS+PFDQ6Jn0ZVL97oN6uypnLjVwJRyCUWVrBek4IZ8qTAPDdUW
BUXBUIUHP7N4J+UEvmFmen9WZrSWod43bbybpLYaBd9Z8VZfr0lhcdo85BY7
toGZBmcU8pthOq10vQhNTKtX0vug81F5ihL6pXBej/mtlymWT/GXEL2bZaNv
ZoZRcBekSxrx5igWu6/lSHstLQJOEC2GKnofvW0KK5ZDWoU7ZIu215Ojo6Z5
fKqpKZAubAk154cG2ViLKJBAjl6GXl0L+JRMi3jPzYaI5hCFOg1z0KttI+4i
xOAQvRWkrOmqg1f4d1i/NN6hYvJx2Ivyt0JPbC2j+aM5gX+nUrsysKVmLw8N
U90f3zaTEnXCXvySDokDK10lXyUQoceirEfqEhDeolMYPGM/evYfbacEGfF6
jljVi41dcUEhs/aBf3IvlBmEcg8rVhO1WWx/dengleQH4vUCN/rCrTRMW9jl
zZWMA+4XvbujlySnTAOJRQi4BREGK7xpmBapLU0At+O6vMWOIwgKgYV+DCVi
eumEE9OTgxQgq+yN5gU6XCKb+MB3vdejbjriearsqwEy15GARwZOsLAERWUw
v9Nl11Vd/W1Y6ZR4a6qIC1Dt2C1IPgv0rowpyNZlGs4ueEsLsVgw8EEnNTqr
UqWUsvGGvVsteY7gECLcuhXlVQ1jujsrG6VjgcVAfzw6tUiwZNw+y44A2Ykc
P5afs6IirRQQy2lwgiqNcvhSdrObqoUY9IAeqZ169UlSkdiyPSCC0AyiaIsA
bLD+1Hu3+gKRoYVDnaLyHmhPCJYaRKCiOYR3DVjKgLKpIUJyqGCACUxXUNDc
EBgUWigp3j2SUxC37+REwXoBCRHIZXymzruKLSnPZSK+schYja7hEEI82IxD
wLNhVUxfuEciQ8yelnBn9WNBId01Bbk3iIBe6QYdiAUpq0cFXlES0Qf6bDiC
FLCe/J2IcsBJIcd56AiJCQ+chybCEmLSikCQ7aUv0myq3kcvQtR7eGw0Pi7w
oS9wp5FagK3Tdp/nml3oSau5JyvCo2Q9IeUNiwrBaaT9zVKIbYeQPEWAlvNX
VtXE5JCySodweKEAuyN6L4x39PpGouqKjaMDxaclLMJ+hZISBb4UlUZOEFMM
rWNROHM+6p4mullovYlTDIXmVaZA50DoFGEZdN8U3AiJ9xzRitZxFlLApNvS
DL/Y8YmI0Sp4ixYtfRC/H4PFfRS4OnZG6og97KpQkEQDFS5txw9+WrwEsCDQ
DZhybVjdckSkuttc2xCK1zS8Joe49l5mBzHwpf+fulAbVgQihRzdHVlYmcmI
7+EKqjsqGJatTMm2FXIuttqFh3Dp+cgRu2ZlyY69lJhQvtIg3pfT5I6uZhJH
mbQsKKxTB7y3P2rn2S6bKP6kLNSXPA7EeQaRkIprIWRywdzL3TfTARPnFDsR
bI24LzQRCMs2C7oeolNo9jSLyC/qw4J743xWxLMdH/MFXTSkDzgfmhlT1lTE
yET7W7+XvJqK2OjgjJJQXSM7bAkZw97Ezzon/IhmrOTjJZ+AVd6pL46VHySO
koPqBIrpJMhmd/1Z4FUsf4gbuXbkCDzIDRK7lC5o8WSf+4LJJCYwsm+7X862
Q+tJnLDXYzbFqWd/oqEa6RUFlYxmU1QqUUbyNQuVoknZbzaXb9lZflXhyps2
h99aufK2D79yZ1mIrncR6OHFWCLaFehD6DEnahO4yxkmxEDbKCxEesQ8jx1I
xRMxJ3ZIkW811KSzvTZHC4uyzYEsKMjwHlOYmv0qQmNzf2h+VoUv1PiHCfoK
kSKr90KQQkGBZrdDnBZRP3NpLw+aMvrCREppfuRIAwT4EsFlUZh7S0aktkVh
SNFOvL5OpgPRhWpvUUNKXUS4HLvry19l/goy91mwfE0KLBGxw9rR511Xe5yw
VUU5mk5s0Rrj74cj1teC4QdenUbLyQgkiXyKxBSc+gbyMIWeZoGjHSC8M59b
U8lU8XmLfqwimqAt1lJoaFuxISGmBDSEun93eGKrtwItWhTKBpn9yTijfvPy
GKzodazLp0A890LbqJQdiiKD7mLUaIToxMR9t6JWcY+NX2g3w1dNFUXY/AYp
elZvYougXzUFMYpqcGpQQurolFJqoDiVSnDdGUyKUzzdDSwWKRp23Qf7CzFi
36LFWNZQxGyDDkoq8u+lN0pHoF9a+5oIuxkLlUuSj8faVGS66x0rYjT2K4h+
xR6mcbhM67WarclI0dLwAoLbeyu8rxVPiRxefPMwi8S3wy4UUA2d5lGhV2HU
KmbiT6+3O5Ffr6gsD6vBVg7vx0KidVP8Q5EL5Yy9+1yUWCo7K7tpztVGnTJy
1PfJpWH0zuJBgFp9pgfWaAkgVc1xXsheHOPylKj40u0Y92F+HPR4TRNvJq1E
Hm1rqFEQcZihpbR2hHC7GI6ze7r9w6XSjKqEYrZSrVJcoVRT0xquKSAgQhdm
Ckw/dyjYJZFK/HTQBxYUcMkvNGmVwZPGe2Ovpzhvw3p5U/21u3JVnEY8cSVM
HQ1dM6iCiTY5gYxFz9fsUYFkxqXb3Zh4HPqviCd5rH1X8YQVx3EEe4lDMVRX
90rC4gY9tWOmbeUsvXe9mEDLZMOOUPFEIzGLgmUW/iq0Imek0/VyZjr9TQKC
V8lSqTEVCejn1ahVgRYRr3hlHXqC2j2MKUAq2NjrJEsYJiGhPLUW9Z4KHiHx
quAKq1yFlJr9dqXjNEG5DzOZ6TPfqokVsxM6qLyFUS9xPzqglUrPM95oHIp7
XXMlDAFM9LnRIsaAfOnRUHAQqKx90aGmoHF0c4lTtzowytC3i6rrQWm5nq5D
tPS6OEvpl7LgLYwhmVLxGFqVLVCvxat709vJequT4mTNd6aOQiB70I61eZ9p
SvD6kkUPWnYaEAFKp6l1ubTr7YbEufG0H6OpogIYGxbjckAUUAwhYRMfHLoS
4tb5ctTA3XRUQaQWqzLskbs3y9ZsQT+lahws2fzDm4qaSfEKjlHpG78XJuAI
KtrBTk/w+quhdzHo1HWU9E32FARVA37Ta5eB06w9lW1o+cAZZlHrva7WVS36
qG93tLoMBU8Ej8exFS1UN4RKy2hKAkrsfdSEYCeGkJrDDltBIf2iwCrEK8bR
yoFWNQbKdFrKBuMr75amDOpAncaYmjPYpl/ieUfuVoKvjhZkapjG9E/GxKEj
ASR4tOtWLsSd0VDDmIR/3Uv2odAf3K8FouOaltPYwUmpVgJalJx2+35I9VgN
uhO2UIDUZwJ2uEI3YmcKiNZ0nNa12EXzllNa0jhENBqPOnKtKCtMz8nswu6+
CJwPzJZgjo76/BCqOMFjR+NxgQ99gXsEWwhyokWFjLwVZL0s0bvxHLsabNCK
s4FOE/q4TLC5HXIMVqvReqpfcjQGc5KEFLZHgvQqCBgz0Ixuj7oWJXlORlB5
mMJWnp1rZeYcOfNt+KKYTUdxmuig1iKM6c8KE8Wi5SrGvSGNyEEf4VUMHCWC
bUUrk1jM7MfB+CwOAdOJbGmr6drbEOJSGPS7if+AVDhkEs4UZvBUKxywdG8l
ZqVtdMHr7F7AY4jtiKYJz3ea3t1SsC5n2hZFDQbeIZpl8aSACgjyiVJwIqbE
ocgWvBm4IudE4f89lkQ0jpTkra5vd0SlLQutiDBUURWGt8+sqHymbeVtAbFY
MZhOwVs8XKLSlWLdKmk1dmy8Rb0Is+gtKl3DfddbWLvFVDBCysKee9NeLZjv
9Ph8TNcW/kk+m1eVdrmXCLh799Iu92NKu17z4VeXdgktLqUz+LIRm1RyQ49m
0a3cKc1I+CoK19nmlUjEWb2Ph/NMEuSfGCwHIv3gsEhgf0xxLTHNJgB/OWC/
cB/6z89+9ew/PTNXZzlHwELIkJzd8DSLFG3gXiSET1EKxV8uRJH3tfaxlehF
b5rFoAF56amc3vO14XUZCCAeijMB+p7HVqKoprP4LzXchbXeBMiM0K8f4mua
fjAjJ7oRBEuYU3Ee0EEpdi0t02GEs1G2FVL38UqNolVmUL8s+jxfuKQ/Paty
HWbhHiDPAYUXuR9MY1MahW8joYTTlxFdrYpFCJXV+3KfWuZWa7FSLl1gftMi
1VFm33onl4hQR9Do3rimJ8fqZSyrC1atvioK0NnCE/e1WWOM/qlDX3SyCZCj
qPphvjLqdgqIdRb8WuslQJQQfOBApBcjzDy1ol+s1m/eK57HS+jP2qCXpwjX
OCyrqwlziPiKWvXmUXjFv6wicJAOmUzBBoQBcGfpsB6tsmu99ypKp2GPnPV2
fxmqfbttKhxUcy2r4KiDr6JiN6oWiwM3RRBNFVHRS0sTbzm8tg+9VxFHRQhL
7WnPT/c+gJIioRnijxOlX1RZ3N9rQACDbm2kIwx1Z5mCDMWYinEp1g/EeYpQ
G8p0Yjn5/q1u05KL+aMyjLXxMtdJG9sNhcfYtNoWucHftcTNtd2u6CdshdKL
UtPMrYv8mZUuU3HRGI64af9N9BaLpx0mPZrVLesDmm2YLOJpzxbHbpd275WG
JrYM4/6sWhlF2LMbVOqx3yzok7a6qB0Svm4i8jT/aJZMIWLBx1iOozU22qhX
6htFI7Sv4kxsHwk2iw7vRSm+8sk8qhOa5YxWqbRrUekFdKQMUc5LCLvgEqOn
F341FPYSe+yhjOIpJo4YBOs2c6J9SUuOzQZdxlkfc6p0a78QPnkxh/V4yHfG
gNwXvuM1CyQEHEooUVVMrMqUdT95C+NqdvoyCcb77CeS0OBkTaeJRt/C/duj
FC5mgt6zaUd9kxcwFsSn9rQ05O5DFtjWux0plqkphVgqqp7sdnhcLo/WKs7j
dy9E6To0NRwt9klhTnPLUeeXehCmKX3d3ytSDfp7ryyrkJwrtWcoFWya4H1Q
hEO6T2tBjM5SZ6R4crSq629FARQLIC/65eH1IqJ9KldR+l2aMbT939s00fVi
J6Wji9oYHWCEAieKUDZhN7/QcVQgD+kqQKu6+h3hKey2J8NWr9ClJUj5TLts
l1sG3TQlnjHHmXPS1vVFwHTHVDBoMPU2kWkOvjlqTjl2QbyXJiOtylSPslMF
lS6aW4QCMRhFF7LpMyVjuGvYfG9wXGWCN2xJihxPBSbjvdKObslheTSa0BQu
VFgjF4Oadm8BaghCdac+BFt06F8PanLHGBk1Zxc3euJtsz8qZKlAcrxmTSy0
UqdYb2W7x3lBPa/MVXexTS/bb9E+DtppktNymeusPcBQcW78XzVWXlDXseTW
5XG/s2+osuU9j+qOzIYJXqk2XktIlw0KwBHHga1Z3MdlU8rxh4ii60vI7BD6
FMDT5AlBfN9WBWYX4+UPHTXRM4d3FCtrpI4UZMTqhTCvLnN9/7SGnRpK/wso
VGjFWFya8tWjpjdR0mHyVVlcwtZapAMvafSYM4fwYggmTXx+9fh4cR97+8jo
tqaFgzBU61HAXfmXk4OmeR2Q9Uqb1nTx7nhpWB8bocjACxnvFim30DuPWD8N
Sg7yiEoVFHaKZmR7f1YqPhUHd9AybHRH4aPH6lBOXxriqjUUNdvqwpxLg5FE
Le7QouAzlJ1SlYJ4b24PPKAxIhK2EpFpZhTQ/rxrmAllKaZFjMK70IQmwBRQ
NoLhHKaw86q4noWfMidZSxgvH2JFOF46So203qiOw8sImTLjlDRCM7pWxMR9
3dOtIhfCTwq1CmYKkQhYKY+MS3tMkWQRcysqwGgjhQZkP/z2dM3VIqKukZr8
1TX5iBv6puIwS8STttJQcJTYdse+0FWZphTmnFIGm5uA3R300hC07jSqOFeS
03/lw8bBKBChuRUzUuF+P8FKp7yMVi+mszQXwyaOUIVLtO5HsJlPchpkqCQR
SaIgK1AELnQtyhfM5UhszxNZFIKUKbSIr011HxQnNQdQZo1JK1CYJCIWk/Pp
vdyIEDFRh4J6fNHzbid+i1n8pKBuIAIkVJQ5/+B89ygTR+IFZxvRsyUQpAcT
810U7zVddlPGvsVB6x1a0OrL+Rw1MlbhvujL60IZ4ZKz4nh/grQEnhXkNLd1
2UODRZNvLJ98ufQx9UZtiUuTq+mLNRE1sYugPdWJ93QrAF0GKwyVTxMjDo7I
5iuBYeBshtccvWoGikF7Z9nQj7M45Zc1LW2wWeB2Kg9ZCktxUxeW1lCgNiBu
nu9xOF7ykeO6sGhNoDFF2UeJ4PKCFbkUwaDsfYhqp5CDLnREf8VKj4I21XHC
PVomXcw76b8SrRIGNUpdPN4Fmcz1cIrGAgPKCxY9f6X4HNkyJUh18eRgJvqh
gvOIfvZ2B+UOFb4F5tH7qRSTNsJaT+w/4CJGjWp25UWN5otnreIYwoI7YAgy
Lz0OjZheKXuCVav2ct/V/NaiTRqX4exhsYeenlNEq1lscbHZsZUMtf4Fw+hS
YLFnLYr6g0unHcXjaHc4tO+0OBQzl8acvggFSowibERbTQQR78DyUpH+MLSW
XNbBi53egp/5MGXsQZ24ILWJmeNRc4yDEYlEaJ7Z35HA1xCKsNVw+Qp1jT+K
FBaX1HYdbaVxSHdh67BFeZJuHtfuRqkBqtldGRx4izyl324cVFfcq9Gwxg1S
2AHWvfxSfS9LX9QUHznvnrSviQC2fUg+63UpqAEKrjacNmiiRsy7JwIPHpyW
bd1x5F7BNDHJTI0bx5SBTi+KPOfKGDmI/xoRMj067g5Jubjr2e77aQiToNNp
HWrdTYxxK7UK1pRk6IzRDQ3cy9dBdYWdq6fK2EIQNJwBLT39dsN1Hj1doFzJ
oSbqOdBsPPqJRBVtmix14RTBbr2WZtGoEu5B8h54lxVVjtybqCsc3dmFNR7n
YJqM5K2lHMyxLWe1G6Fu4b2BSUM7KZEgp2liBRGxJ089uQC4QiHrstAUoGsm
5HPvuRenYse+CEblytV9aaQpqKeKOdqO0U2kh4ki9eQj2e5QOOnYgdMVo5wS
tBRTRr9RKViJTmD4au0Zo9V84AwML4Sq6MGbemcU2wiLJGpOmgCoVi7tckXz
DUMTkZl9qAV0xTb2HwetIEHEv1OBkyszRdRdKUGjbrFFv1PdHcSmV7NYQysV
Wq+3lw1WDk7YFzFNfL8rDUUOm2hkU+9z2FKJiVyoxkmPFC4XsOADUmfDla73
QizSez/eq4YxJE3sXQQjaUXRWKNPEvXNzaKEXoXzEXMLQWEEjYjD1rEhciAq
5Kw1erdUbAgwikEpITS63pOQlhfPuVdDJa3syds2Jgndd2qEbJhBWEx4kgLl
FIZGSxgRXKo1MY72Fn2VKLUwEX6VBqurlNFdo6VAS8hdYAm7hjvVtT7QNAmo
wle9W7rXnJBccPrydVFurIfDTJcadRVDOjy3r52OLF6/Jil8YBbfNx55YqGV
EobEQRoaj7caLCOqh7kuGhCjVjoZNKE1iYIeEWmAIMQB9jEZE3IlN3f0xAnW
snOEWAXNNAVVxKqAgV8X59x6pVPTW3d7f1ZMkvAMd1cSUBhjxndkD3WjxEgR
TQXqyCE5OhLKC4djukU3VQhB8FYMSFwiN60vtmgy5cKU9k7FFyWSo/9PaUsz
+LLro2Jc7LEu06hJ1Hj5odiWlDMKm39VoFDLYx1sJOhOnQC9oVNyiX65Wgug
Ua+2seFihMSVQY/tGvzUUHoK+MBZ42eJ3gVaMzSPEbKplO20FS+fdsUOagPv
54bsxaMkOHD/qykLVNOc2bC9V7op+jO9UtN9fMfWtjKhFTI0fkK0SeEko1UZ
hX+XCCbeL4Jfm2647gVxNPCH+d1ISL9qzmvoxZuVLTjsXDjHilaiMT7Rj8jz
2H0QAmiKroqd0SFHo/GtCiSVEhq90pGF/mjDHMiCC3rTrHyfCApcXowuL71E
CsTo1HFsLmq1LzETc+0kUIpwp+BB9F6T2dlktaiLmKHAnu5dGEKcyaIy37Qe
ldGxBlc0UJo+YAC9ClpoGjAt6lxJxz5ZYwVbqhKF0LniBZZIx7P2MTSzjZaY
4g9lRNGwmrGP8sIZSQ9d6SAYTisDbZlTKV95UAtF/EokMHsFaVeISkjZp0Cs
wph3iam5OwxwFLENSskULNndEOqY5eoHEeou17Z+EcbtQi+dAy+thMMpJUIm
hcQEbUTQFFe6EiPn9mKlpQjM45KpwTt2C0mjmXqBJcbQ6IurirgJq6SOG0oj
shS6Mi1awxR71ftS62wWUC69LysPdJo1vhoZxloo9LIy1h/y3d5Zs0nhKiqd
2l2bPiNMpHlQRNbEU1qjEcwOfDERG+4aYz3/IUsnsDKzETe99s4UX4ROO2a9
bFon9id90pp/Ydr4IqwYEXzhTOFCjOs0it6itG5wrpzmgqi6LZHywql/50/r
VClWJul07MyVUl8Io2pu2DWWo1ecSkwNoVn7DgPqwnH0MnEhty144vJChKJ0
C8pIHbkCU8BrqYv4olx8T8graF3RsrUBpTj8WQU/rTGzBY5cWqxCkZgD8gzm
auVw005FW9004n4TgSMtY4G0BEUX95qiekFXbkJlx/nJEsAvYqUoIcNn2YcZ
nL5yhDb1ssRPglnj6K2lYOaqw8szKmFMi5anmyFcvpU9c5ZJv5ER+/JsI4jH
3eewx/GP6Z1pBO2XXnSJotwdo6VMhof3xuO9KiUpEylDijcvwTsqBIumEEG+
lJhI7iwLFmuD9Qu+33e8p8PEjlQz9QIo1qTiBElyxQwfM26Fw4ju3hvy9awA
/CFyjaFi3rR3CT0KjepOxJPGSj0JG4xKu21EBCrcYbtWVw0UNupplJDQaZhG
hFxELAibJzZQFSC14g46Vjq11sJJlMwpULWkRL8VxEXwNQmB/ikGZfSh+S7A
JdB1yKh65M4ws6ZaICGPvyikFbbiHSOxXzGPL4d4K7oDorzUeeN8RkF8KJxs
d9rQNTBKILaX6WIvmGIN+rAPoEXvYtHIiFXsimPj1jfTRU/RuQhS7vQ+xCMO
T8PJgUkUhmaIQRUaVEwd9UmyoFSnNynCWRHVSFERpJwuZ7RVTs4vSzauC/Gs
BWRsk6zFBn8JHgHfRyHP4wIf+gJHFUPDM1O50CqLRI6QAVljcUZhaIQe2BYo
z3RaP5XYO/or9wim0JOH2/RlLhxZU/JLKUUgWnBx4zm7k1L/cQJs92iIFjkM
1Oh0xnt5XWaZ1mWF3ZKVt5PfwgctuL5CGkd5HiRcdDzTfySgI/KxyGxWMYX+
8Vx6QBok1UNXQzhMkYDaRq3rgPXh6O6SBFE+qJcMHuU4YsdI2Ch2x8MdTKne
cNZI/Sky5NhxDEuvrYavkUvDEtKLeR04h+M42liIdL0ZTubFWHHxNcrbVCQi
+lAcG8+Ch1Gv5NgIF+lXFFMsEXkJS4PShtdr8pMK3lpwhVjYlt4xnRWdjFa/
4oUX9kCKrQhsFdCyJTd2q7yMj5NBsEOoW/dzmp376mIWK0P8W/RKtE3cvCnK
CnRPTN3F8cG/R8VG63rXcEODI4cXlV6VPezc+2XLgydkEoXtIGuNZA3m/q16
55ygORReXFLoROBYSF1YTqxCuaJpZsyx/d2PwKykOUIlwcZUuserYurazEUv
pF19cgN7a81i0TWRkvMEOBhRWzHJjv+swrXLyvturHlZwDgxVfxqxUPP3C+C
IwYu0BBz4zTbCe27q19b83/gCQdKyZhnYw6vvzu6FUqlwUBEMjfDoYvXYuic
2LuI9a/ohCbbZPfnfqySNX2oLw2acTabrUlHgtKvx8uzd1yV0R2/n4l646YZ
5k6LcQjUkqyaq55qUtFZOuY06jEEA81yHeuU4whJr7KjyaL7EmqlJ85r2VI6
ofnYKt7rQ2uJnQyRCK0+Qdyj8E63tUXERIFdugADNp0CPkLE+jpTlfvF4Z2/
yx0pGujCgUaTqZeWdqsBzJLjYH/WKKXibMHKC/Rk0KZ8bChxSqpV1dH6F8lg
46mgX4pz9UTI2LJ9iR3uMYeFOivPG5YICJ67JutLOO3tK2OuKHhvFSta2VrT
7LQfvpGhivpncSqTcXXBTxUTsidRqyr2RadmRz/lEFlaLBIOroVpOKXwARPa
yaON6zO9o5loShQgYgMoH1vscVHtWDOH0EMhhC0oTGGdAGmidppAnenmObax
rPGKoA1jt8WuJpOYncydJ6WOIqquXEYbAvsaw0At0vFepyL7sMw/3gJiZnnT
8+5RjdMaEi2O3ve7RTweI3j5YHFgNsetiqd0FC1a0diaMRtG7pSEtP7AhO2w
SxvUnpV9Ue8mjNuvTXyh4oFoFupKHQHhPk9eMqjEAl9Ohd6W2KZjZ9w0vGZt
X6h2aT1OQyu7jU0E5P6s1N2I1epr58amgkQ56eDVqkMppbHLKv7a2itaCV9d
yfjGVsJXFCP+8FbC13z41ZWMhv61KFomZCrsr5y2NUJIZnG+h5QEyoKWyikv
IjsUmQ9Z+cxWIFuQos3RovJnipJo0ucynsXpOhGgdepYZwk7oVVFnbrdCR10
rQKcP9mtTokZOxH+YcNJN2fRPrlnqJAqUS6g4iUGVkMEq/dM61YSPAiis7v7
Q5tb2VcY3OypTIMSlrEBWRs/lLe9iVos/dqXbGzYbgyg9cTHxu2lp5TEuZa5
rEgUvbVQFb82enAie3RIiuwdlYwBORvlLaSAFA40cTW9FVEW9ZA4rZVA1xC9
HF0reDZOi+/sVD/WPOWkoVclE0VqE/zglnGWnsIe+Egtfyh6Xc2DyiZ6EL1h
dPwVd/UuGqZtWh4s6qlPK06IMmcqsQ+7dfZ1AzUQpDnFA4EUoQxFwek1Rrso
aYRetbiPXOEKjeEeMyDPxlznBjgp0uJgS8miTs0oDqoPfNKfD0dnJZTuwG4K
TUKIw2uJ1aJMgJs70X/VSit9uWvdoorjcw0NU9ZciOukk4zFYZlL8wArJKFJ
b0tV7LBU8ByVjIqCBZEarBPQntzsSSHG0/zlbwtu0H+u+9a4EkNG8LBEheOq
Ga75jp/rNemNFxghhdAfl/EbV1pViLpH7Spgo2WysLlNk+qOsvBQiqLGzmGa
omBvkrDbvYsPtegWr5OynUibA0WlS8Z9dUpPlTgoiry4sWIcRvCHZ3ZSCutC
UzBmilCsoh51ipl6Sl1TQV33HdyRK4T7DPXyNSveDztBSQJkyqY0cgne6Ad6
bFrZxNGVX8W673mxD8dxejTdJ6AVPvCK/GbQQap8WDhe6kIr7fVVYNboPcd6
aY6yP9E4AVa4pulmUovijPj+BhZhQUMTtDtcADmcScp0UWlVqGaJOWQNWdU4
ahXsjfAJ0N8er9lR91WW7m8kvRR2tzXiYhxaUIx6qEJQnV5f49AXUNY/TmfF
G8QkHKJ9Wo7J5b7FV9h2oHjbz6hZ5q5uukM6jP4AzNY1yLMpcOWKYX3TACpa
Ke5pwQ7xlsBxCnvFFOIdC4ljUSzTdsSb3SAJaKrVjKG7blHCTP1DPCreIlbL
I1gM3NGXtR3LQI1wQPVh4DZPE5jCrXFUtCqgHcuXesRxKXeyYX0Zm3LKBVUo
QdNKD5DwXfb7Tle8Jh/HZNgGUCim0VEWEKDUaHuqsed1mlwai4keZK28Q0mB
DnLf9KKyvsuwPaZ1Wb3ufXdF24rjAA1qRwWNMLQGlSJrbKXo5LzMIAtmCj0t
DlGd8mdSNBLERsS1H1N6ITWxWzaNOnO8pqiMnNaKgGpCC2kgMbnrdoc5q1gB
2k0aFoEfPGF1v9iy964fKPhZUVicpDTsVMrmYuI9VJmaKs3CW9OG+xr6NSEz
TkojRdR4yiPtHo7tduzsL393zjEEFntRmmaj1Ws6e0P5mrgT9BtDVSojxkG5
NWu8RjkofgtGGtrxCyf401O343QfCWEiwdd7qBqobyjzadYnlBbG1YE6cdzK
a6B7Lt6rNQN5KbQ9l3VowiqAEsppnrGdjh/6eRONjJUSyOabL2Ieph3FudRu
i8sJh3sxAt1ThyA7ja9AhrKev2QFd9nIK2kYh+8HcYhKkNQD5+Wg6LGgezwo
vqTWeCtbK3KKQPX+Qx0ONHOpn1ybQqccqyaY4FWg3Cp55UeBdWQV9XooYUcm
NR/jUMX2kB/0GRTqjbjAJXM1B4Ydivb6Rk2VfhZkT71TUUpsMDXDBLU8fTzB
jKComCgyo1eHrzf6QVMIbYeQ6KBPhO5wRBWgY0Jb+Kxt26hG0LLRZNZ91DvE
QuErUB2MYOzYplC7VrWIkObsCBskzpYUEUTKPSUnSaz3qBaiuABjTU5r3KIg
ke1wobVFPZCjH0pQZx+wI1S30bXLmKvhgqNoLQ6mkIW3SCUUcqymtdr1l9Yq
oseDVCwwahZ4MCXpFV+WCaPlJn6t1aXUWLxIwYj3ChrBCKtfVohDFmDuZhke
ZbM9UULUo9lK0UgNHHHVKbrRD2CXaNfghAOZMHcZxYueTyrwBD7RoKSYvPt+
VFpgNq0cvKxGOrGjPNna7hP7JzQHrT6mybJx3lY+FXNPR5Vjj6RFMR2Kmzxn
Ok08OK6QcCYpk8PYSzTu7jZC18Kkolc8QdlsVyqKFHkSFtWVcy+MoUQZK4V/
eh8Vm+k7WZy56c7y7pSri2EpjSpjJoOwBh3oBcInGH/kI9F+Su4uTRK9QIUJ
jWPa4rr4Kia6mJpFl1Txz+WgUDqOTTt6Kq5OOyi/IGn2u5Nwe9boFpqsRJzx
ez0gFkpMmbobzm71vdVXem80LVJELY6yUsKmxpgGRAXOcLTjJCVLQ/YQdy7o
KilnJo1VFsWg+1tEPvauHHOs1yGCb5mhIgKTDVmqzyDIXt+9nSi2oY947C3m
zKxAB+qotOhVdEKc3U4tPc1lYWWaAzViiUYvQVroeJkfX/WBGQj3YSWkMJo4
tV3M74B+H0csaAgJzmAsq6mlcG+Fde4ToSlO0giOtg1vF09cITZhSRBpcIsG
B4el0rkbVJDxUL5GaYUSYnHlqamBjFXgMLY20SJO6jlqoqutnvsy9hIIXpO6
V9pI9OVzYnQq8LiQ4xSeQUjxkNm5noNi2KVwJpwgBKPYpfk7pxbzQkKXLV0R
M/0wauWL592ZW0QuYVMaZ6Jz2NBWbHb19uceSnjYUhdKms+0mdjqTbNzjK2k
jIwMSu2YhnQ/nwrJ2a2v8yoiD+XcR/UIli+gaXIo0LQdFD1TQgPfUZSE77Hg
dToFAkRzqsBencKF2EDXQPeOpquGTi8Kz9eKNrqoidgRkh2HtTkSiNmyi02t
4J67sKGOR6feUKmLUQsg/SOsjK78g8GqQFwUXsTKQKuVHrSksKRoPQRV0AXO
+PtYCPf9LIByw6jlNDmzb6u5TOfWJhLiVW49ltMM1R36CXF3WhJqQSNk8kFh
IMf8tdQpOeo70VHnHEY3OK07Coqr0Ckq0JQuFDa4df+4vsa5lBAo0eo4OuVx
nGYG9NiUl9ig1f9qUIPYjrCu8qrg/9IweEQhBSmNMq1AXo5HwSWSdXhWB0vR
pgFMxyD04QTNNbFCEcpObsx2D6ForPdr8tMLQL8ilqi0j0xUvzTQ2SsP09G5
dTkKck7pLrEZ5Xrsnavyk5BxQvPKNZwCkbYbYnwCBWe/nYGSRoq1FAWiAWI7
kkZC7qEOzvE1xhSH0DKOJEsY928NKDiESOcL1dsxBt7CZQJr0IkWV07zIiOP
k9vHBT70BQ4JBnTaBoYRXqBBLMUm6mrwn84j9C0MIBy32E5tl3aAYuOxKZFt
15qm8HiyET/pF18W3baWFX9QG0Ab/ije1uyP7MPhy+umo5DGW3ehjeuAmD3Y
i6Y1ww6MFpqQ6T2CNbymzHBs0S4hO6VR0SYU0RRZkDIYhkNLxc4jH4qgITQT
1rXZRcjBM1Bk1mMiryc09AQrRxktTyUY9GiOaG0V3jRQ47IF0NMK8OItMKso
qxH9HZSYTnfA7C2MacWJlJwTZqbcQ7m0MlEjEjxTRKMCx9HlotEcNEneszB+
zdhpJFTb2H1Z7HXyoJt2gC6sHpN14fB59KKo7LbQ8eQ2tuhCoE2p1ZDgIiDX
CYArZCpZiujT9HKIyCiP6G+Vo2nBLWAIK/zrqXpSUGakyqaT995sgSZfEbDX
1IlIzCsLUKpq11Ya9kigYzWiTKGBVKoUFIjnpgQ8ts8hvkfXijHKRHS2TXaW
I+7T6RJDduYQuaiRemQNYLwM7JK5lKcb2joj03OXNWBUFFOuhRqUoMzRmtb0
N5n0rYTLtprjRI498YyVexJsaFf3x51SkGnC5aWgeZ/XJFcAVBrJDD+D7Yeg
MmZKlg4J6kmPlSMAJsqjr+Tds/Vvqpl0bLB/EhquHhv1TU2Gm7SGwyJtmUqf
0NJ90YeyomYvwkRItwvooLMneNnFVafQ11kyLposKEXWpN24iI0IO1Jagdlg
m5dhJy6b5xaAQO8S1jAoHCI3v7F53VcRsvLcpTUgDDzBlGFXNtgONQMOSZ2Q
tCi6CFCEURqHyQES35hRZWVRNJTG06nXJ3/37B//7Q/t8/ns6/XV18/+tMbX
X3z51bN//7t1/fRTfvrih//xySf//LvnX+H6+vXzLz5/9i/P/7S+Oj+2v/jy
2dMHf/v79dVX7V/Wsz+1L5+3z7/Wx/6wxvP9fM1nzz9/9u///rv21e++/kL/
/dn89Okj//Efv9QXrPOK+t2v71/6f9eX69m/rM/Xl+1rXeqPXz3//F+ejS+m
Pva79vWz51990v7Unn/W+mfr2f7yi9+/+CY3/vjln9anX64/fMHXfPKPbfzu
/kXf+57Pnn+le/5at/PS83zefr/+4RnXfLb/+Pn1y//wjPH7H7/553/4pH32
he6Hs71nTdf68rlG6Iv97Os//uGzF3/SFb/5nL70D3/Ut/wCYMIlPluf//b5
57/t/0939vf/8MkXf/xaf//sF3/8/LkG9vff/Pz61eeff72+/P2azzUMGuPP
/qjL/2J+9fVv//Dl89+v61d01af/+vtffqKb++Znz5pGUAPx5fpqfc4Ytq+e
/dff/Pdf/erZV19/qdH86pef/Op+cT724k5efM8rLsCtffN5xvJ369/a1Pv+
ffvsl5dqzDmKv/23389fvDjt/PunE9VPGNinpff9373u/+kvX3GK+vT768tP
dUVd8FPx40+uF3R94OmHn/zriwXCyi73g9X7oBPP/80Zvu7FQP6XZ9AGCi8V
9BLFyE4JXLlB+ZQug1QVe/V3Shklm6RQQza7h3dkxOhOsWgzemrm+VNx6ZNv
X9B1SPTu/9wD65/1zw+4ANn/9SNw7Oi/bjDeMALHzH6GX3irlzLP6okzmSgu
UqqlkCWIzFA5YFyrUN0kXn6k0Y2AwCzKxyajgvnSodTjNb/+AgkfWf/6l31n
eW8ZklePwz0tvuq9zyJuT7sOPk30aBbB1kQ/FbZVxUcRWnZvjO+BI837E+Hb
3thZQWXCvtnD+DEJ3jYJeKJ0PbtuHPcLTvyzF4Y/LvDmsPDqwTprQd4lLKx9
uWHkS0y4VMiLT7talNwGVvZCXynZnK0Ab3eHRo1YC4KXwdNVNOzHspH6mKmv
v0C2TzdLA+6r/r0/5yt/4W3//rVf4Ies3+PQ60emdUX2y9E+zEor2s65RBSB
8iqiOxldkKvOgwPc2o6eJhrl/Yayc2YvWvfYxXtc4ANf4BGM33CBZD2VPo7S
tlf9e48jr/yFt/37uMDjAo8LPC7w4S/wOph0HKH/OYT4TodfjZhCcvTj9jGQ
afK9XMqLCDDMdik2zTUXtEzEZo7DPrH66fAh5OS/jDDeuNdVHonsu3/KK9/2
T7XX1VBVunwdZogz2GrDRuZ5bhf1ypfDugU1gNKma+MouZ+Rfhu95ChY3PEp
tQgpanr45vVfM0yk4ZYu0/OYgasePfvTGkr8C4rX4zKSGp76QhSzSswUFLtu
y949xbIoAlnHoVW4RENrrjOEMLZQfaoWgcFFDaHHDXxwMpUN6qr6qxJCPooG
nWZx7zlUuuFSNyaM1eNaV4HObrFrOLHloUV8vnUz7zGPv/0nvdjMe91s/sk3
81pHAKwlBa5FhdHQvGwN7RM8pvHZcWaWWnEOa+sw/tordMQ7aSamBDOFTO2Y
TX4G03Nql0Z7Q3Ft0VZXza7HsWZKYeGi16LHbwehl1zpzYwUayPuG2emQlQx
UvRzIEB2yM7il03lyRyl2TbsMHm11OxKJhatuYEdckRSriPLjMhSOEq5xuVO
jm/30petwho2HLA7N3S3FQnn2gPtPzuYd9utfMzyl2b5D9ytfHNgf/+7ldVg
j9w12RUb61rFkagjvR+poW2/i+bQpduJmP1330Rfs205DL6wT5QPzdzpEkra
ziDjhsSOYnaoNeDsJhBw7yExM8bVKpIZu9ATm/3lwBf6qNdhcDQ7B8Ospo8d
qfx6HqNUi9gTZRpFnM6svrYWAt2WDtVDh40fRhK1+7yXvUpY7ohoIUSM5SNF
8ZVHcGZkSiGUY+gfSq7aXNDjKvOjMRB/LMXXX+CxHfujt2PfHqDe53Zs0fq0
JuPyFehnKpZyeL5om4AZQOnT6XK99Kv/60AM1rWEsWuoQx/Th/fMcaLGbYRH
00gkMDorpnK1HSTvezDOySrFBkTgRhI21SWyy/T3K7fW4HaYs6YmyNmQHExl
utTvmAX16SWMsDItI6MLBVcUQZrpxYxYrEWYfIMhe/er5YnO1j1A6UmXGS72
0bbRfceFciqOEkj++GqnHTTxF4q2H/vNjwt86As8ss0bLvDYb35c4HGBxwX+
Ci/wOhz4Afabo4jp3jHg0N5zbQgCCP0Vi9uBCQPANXr2NOVhFHXHUzkWmpJn
netSv8DIzO0i5GUdVVuVzj8uhWq0M8J7pdwvkBo+SoUNH8QlMpskM9AxtZp1
NtOGTRF+yXrguJbH6P7Qs805I54kshmXwGs1A+/DtDudgtGEjjZQFKZdJe2E
48e5D4YRlXBkX2LDFm/cft33dHjqFrSTV8evWSgzlPzJt1aIbyhqffaLqxJY
WfsnqW/9lKt/qk99au1Ltr/2z/rno7zAe6zyDQgpMMFw4wrT7DKCM9vr/3ax
qwTv2hRfqSjIiBYhvXSfgj1Mm4ZpTivOfAQw6uls6/VPfX+21w7AS0/9vY2w
MoeWYk9YHC6kEgK9+n3SCEh3DPbS06M8kPM+HA1ERHvNYyWL0dv071rN+7f2
OtOtgvdVz34n0G8Zhre8VNx2d6CRc8dk9mgRq+s1dKGKpH8dLiUfaGbzU0nl
ninQacoeL5SOcsmPKtX923zD71Ce+64DdLvAD5gGeIuh7OlcwnYKISwEolKo
+qIevN3o+pmO/EGyh8/PuOzmDMpF9B/+1ZTk/q3NyMe+74+8wA9Zp/fw+eeE
a4MBTE70zuAHEHD26oLkphXv0Rmw+tfMuQwqAuFeOm8rZirD45IWXB+PrdDH
BT70BR5B96V/Htufjws8LvC4wF/hBV4Hh+7U4a2x/S1wyJkB+fA4kY8YkDjy
lvNwZOtaG7GhsH4ZASGaf6/NqfqFgW8Z7t7e9nepq/1by1JPO9k/7e6SRch3
ohIjhll6jpe+2SilhtkRqa7V4fWwzLJimvcKCuT2S9651GY0D1zJAr+FDfWy
RGhKM5RPJXyzp/XBrYjAyx3LC5qY3LB9R83G7rSx2BUncmuNYdEGXb2XuhEY
Memq5r7v48c1O57kFFjhzGVsiANpzbBzKCPOTcFhysu6pMdEQcu2+wbZWg4h
vVyswZcJeelpg6urD7Nb6tu26IeeG+Gy8a71s39r8zXdamZ/2u0zvUXT4vJs
g/aS9QZjxKLGll63aWvZtIqxxc7Ya7T3OWNC1k/R7E7IA4a2dsmzd31PWg1t
+7lwmsBNl6kTjbj5MWe0OsJwET24tQeuERZ1JtzwXN2r2LZnWyPr3hTnNB/H
6XtOpY7NA9eJrZnb0Jfxpc5Ui5vWBTu6FkyKOEP24TX7zXlSExhRR9FPwL4A
f+nY3XZGy6tGPOlbd2HMtJdL+UcVx/5tTuF3KIj9afcHp0Ms22Mciz/T9qFR
phV8mTlrdti696rsGLvS7CHpt3F3wss3Gcq+XdnBlGpNCJrAeXkcRKoivPe1
Zl3G+xYOE+bqTNopz9DsyiOniAjWwAy9zYy3ni5i0HattmjubZfGOtRgs3H4
pWccwd3aEedHzC6ixTAH2+7oq2L2bqGsfdWIh2OhdLwBTMTuJK2h5d2nVi0i
7X7qgesMW7e8I2Im5aOxln0sufOfxwboj7zADwlEP3YDFF2BMrTc567GWqtY
EJBVt/p9N4PyMdqGy2lVmzjDvRtFC35jERcpEjXTe+Uq+qJQprHLtDRxnZ64
nQbcpyces0fGbtlspObK5VwUfDeaK2vFpfilCNAUQfS8IhNtpIYTm++H32g0
y7NRa5XyfE+BAgcFoOm7pYBe+VYhJHSayILRw0yboz0E98JoxkeFwKLbhvns
AbrtEX1+E1dZyqfGRPq03GOH93GBD32BR1Z56Z/HDu/jAo8LPC7wV3iB1+G9
97nDi+ed38JpWLGnUrbJmLxZwybedJUNjNRsesLsdR+pYomeVvqP6xpChAJX
q9dSKs2UDQsGtOWd7kuUcPoRReIOxxSsFLeY48Tcdne3C5UwVhhSd7sD92NF
/hTjsaxdYQRrjz3maXpMS6gvCmwuu3FM7t2U3rMZsUeR5lmjx2wm9I1bXj8c
Rfaw+prQMQ8rGqAe9OFRd6cnNTlUk0ubLdGhWeNbK1mFAd9v+aouSHnsWbip
H94KN/nrv4g865V13XxRNv0x9ML8XC/wnWzKncu80yv65r3cNw+//4q+px+L
eAQ2yVb8yO2K+8hORZSnJ19M9ljIhVmLGxGX4ONMoJqawvA1KCz075kaPubh
x3aBdKuJvc/DP+NF5VP95TUv6nu1V7PlUDcypUsE3K9uUmpxxyrmHVNGQCWt
6ltflRPI+1Pu5BXbhxLHaGW+fIDzl1K1fUzN93OBdNusv13gVfv2b9fqvL+q
tzcFvXXSlrxCbNeWmEe7olcr4Na2jcUPXEGX2XGzBzaFLu4h1ORedO+pj5ry
juWj3dd+rJ+f+QXuO+8/8z3un+cFXo4q9/z4zhiNiX2PYm8OMNnrx55OkUp4
EydRsutDfAcH+OgM/i1jinWJjLmzgWRQeWMHdCwiC/HYr35c4ANf4JEtProL
3HfUP6LdsscFHhd4XOBxgTf9C447YuJPl32+1wicO8UMWF9jWl8oOl02YxY/
XM/bOle6R9DT+lAPg9o5s2+xoqmAK2T4y0gUP9Lr+7rAd7IlH3i/N9hufJ42
+9DiLnM7F+csI8/lyy7Rrj17iIP+5JL7IeoZMRebJrtoe3W6UHQ9uYXDc+0h
7ey2WztQ79d32y6G1e9tzCIpptplm+91hd3jij3ZOt0yKB8HDUqzojFctXcU
PHMuxx5fLb2snkb3tc44KQLeccYS3ND/Wj/z6rpIHluPUnvCDfS+jLLWl0Wj
D1Povnc2uqeip4++21gbPtNulDpirMn+5TSUHwvt/Vwg3arU/yIb2grqE+9f
P0zpMXgtEKf1120Ya3cXYw9hFD+Gr3nYfF/MadYcU/TLJyUKa7tyQPZuagqX
pjXazJrDpWZ0pdA7ugDZHlrVIaYVy+6j2Wz8mAhWjq7cktfKznTkgfSYfvft
hPWRLfL3BT9dNZYd9UuzwAwTrG7JDpNida6HwlmtQoZ+7q1pGjAt6/uCd2xO
KMNl17qrc0ykbY3TP80ndMpdt0P3oKSnRPgzUXZ+rL33c4H0Ljv2b5Nzfb87
9l6p6kkdWumn7lWN12KhrykNDKKXUsFIu4WYvd/2PqVb20zgXXpuo5vgQrFh
D3T4x07DTmVRk1adpqUxtLJKbOv+/FZroWQf5567jlUCqbblPMquyw67akRB
INmu1Z/nNKl6c0DetqOdLgeNFMIxU8vIJ/Siw1Y6m8XlTUuV063WMmqourmj
xnZ65fdtjfMzhTZtMLm6oHw/fUqrKRHukFzJGp02PtojiUeA+Jlf4HEk8aOP
JM6w+QGPJHrGl0ExM5ZR8ClUPBcEDz0Xl0xHdFCQPuy6nXB+n0cA3B1B6SYQ
YmbP3mZFSZNHUNx0ZATARe6lOrObqzY4oZeDC4t3iLjo4YtYRF47YSRfGp7v
pvtYkq+RW5riysIRJpR2R2+xrJDxxFCwFSRpGgzTdhCC2d6MpJheR1PoXS3X
opsSTVmHZXzTPaGiTXuhS7mLC4lFiNHrwkbhtORmujBSTzW+ZMXyOHN5XOAD
XOCRDj+6CzzOXB4XeFzgcYG/wgsAVP9CZy4mdtP32i7FOdYq9LaLcGfcyEYI
Nufl2grD+ibebO+3KUhrZh3T2lHS6GLIae/RpuBsTQJ54t3CsDVv47uYe7Nl
+cP65epjwJLS2tW7HscIX0aX6qC/wE66FHbV7Y1ce3BNzL+H49Sn7WKNj3Xp
Ij4FfbaEXEJL4dolCH5EtwQpA25XAqN0hxxe4Lq7haSLbdXp31GBzHtZa9kx
X0t4tDp2wjX4/fXNDV9smhv+5z+K/7+9u+GL/cO7G65Lnr0NTz/6s2Wp39vU
CmIxL1w+wkugxr0/b7TjW75nO5SiLUNTUH8oNpS0MLBsLYcmmtObjWbakZHw
EXPqd8EetnKDZl8bM/vYXlYO/hkMY/q22PyHf9f9G17BYN8ymJWtM9eChtMF
VFly8jEmk/0OWmC11960pMRsozlkYEwc3a5hQqtNK7T8PGrL3zKyrxc2edWY
H4cb77Jr8M1d3APnq4a/KuLEIk49QnF2+GjqxCnP1DDZOPChc5ZnbLP4Sd13
DLw1IvCjVJNzG6N9tFuSH3wmvE1v4+exj/Vzu8BB4N491v+w1/R9mavZhxBJ
aQIrHOr1gXW1kEKOqTvSPMJTutDSPRxHCr57L4AheNFW234/NpweF/jQF/gZ
BLu3yUD8/HjR4wKPCzwu8LjAWy/wLizpHjTfiNhfCUPm9iHkMeL2q7acZ7Nm
F1udLVN/h7brEB7PWTBkhXVIvLre2xpr5ZJa2OsvUqP6BtZePhBrz96GvcVj
onj37rU2I1A5Bed6EX9My3fX84x1+aIHuUsv2dpLT06UyPi91+Io0m5rfTYu
2R18cs6srfvbZee0Yxftv1OlMUvkZL06IUjj/PbiW2wa5RB2wNSiZBvmRbV6
8ZpV3R1Y0sVZY9szz9zD9LAz3+dcxUZxZ12892AXasCCpKZs58YO90k7k41N
Q9rNrPpc9qKiYs6aS70WfYoza9+yr02Q9mXB0p/BPEnflgx+mG2JUaPbZpQV
XR2t6FdEcbV+RutGK8ltNv7K0C3MiarmHZJpFKvIwrrk6nYoyayRNNW6o9lP
I96a5iBCojPvXG3NPd25zZxtcbM5lebzTJqqWZPCh5pm9yVztp/CrKLq5rIn
XKG6+y7T5C6nn/0qnerOtFAVAbqJ3mBpNOa1s1JQWPYL4+wd/b2cimrclNG9
XUy5pK/OYdsehy9pJufNyHofRiPp88sKE3+hCsEfse/y/Un1k++7KKSkqJjc
No7dw6RmFQp0XYXybcpaa9gSFa5KNXv5ezRaqWyzPFvlkwErhZVcpoJUszOt
MXyPSBiHWrImwA5xmbsYY3GpKlg4dtSojqi97xVLtZoeNs1iPXy7N33U5OEH
cfMoOd9WaWjvmtnm7kkMWDFQEUzT1FlN1ogtltmXGGRGSlzxzd/vIFfTfItK
SxSLh75y3XXPsLstpib9Zc7EsVTMpe7zkW4sffCp/thY+tEbS+8OR/68jaXR
FE5TwZ7WdV2lLbODlpyzzloUwfYY+r40xyhm1Pu+9wi2uDVTGlEYZK+AF6H+
u/QljOKUWYpit+J83grPtUSFgHLUybdk9Zm4ohF4aMpPuQlLLGWEbFM2xKSU
7HIjCiXVNRUqyx2ORE73rEJH93GOkJcX+rR2raJEt7fWrFY4eurJjqZAM7td
+1DYWAJcbQhqxL79HFdBF7VmVsCJA7lhlu4yFF0z/f/2rmRJjtyG/socfZkI
EtyAz8FC+uKw///mh5Y9kTWaHqmlXiRF9kFRqqhEMkEQfA8JAneq1i3g3QX8
AN78jpzdAm4Bt4BfUMBLiPz3Rc4k6asOzyN3c3iSnGodA/BFc0ZfoiMkE490
QfQ1n7wF4JF65MFcEOiluNqXgKoVA2v3WF2HVK07yQ/IslR7OI9YGkDMaeBa
oGTnrK1BXjOQs8C5jc1LVjEFAKobjMgEdPuhf0c8HUCfI88CT19g7wGgqMx9
r7bwFLJqJxdKQnjAGGu1h0cQwwjbUyMcrqHgionGOrU43OoEf2taqgqEicjX
ZRr99o9//eff//wNe+EbJB39nrJ/xzW/1//9XeNw3/T3Uwp41eQrdZPVpoNQ
rxOwBcD5MaqYlJNRoNYNNpl5NIMlW4GRXFddwdqK0oDps8PRZ0lXL5V+1QZu
9Cfpn+UH0XKQotmy5Cnl0dWWnSuyfx0HOIPWDh5EYyl8RjxEXUUDq39kCS6M
ZLSXJlu9ndrmH0lWX3+PK/3643ZfUN6U1BITfF1t1gmfpsP7eYG/gFuqAQ9V
yjjSNHDTyz3szNBeTk0q5+P7Cne+tSb/Pqnqz3d/CIt/eSBf0LEsgROto8yu
x8yPyJkE+5Sj4jwKGPbx0w7T2FYe2vfV7PHnx+mMVR7D7j9VoOvdpvsOcH13
gOvlDvvvp+ezwNZQISoyKSRLIVTyMvMU9Bw2AVjGAGAKAYijI2FXyVFPTMV3
WSl4kN1xn1vAewv40L3sjvfcAm4Bt4BfTsBLqM7VV389DD/LZOqQUvWMWOy7
Rlk1xEEDXH1OsJ2T4KIwmNf1dbZPzahK9jeMgX9ekiH1ltSa35haN5YSplma
jaAT2014ZBfG6gSgbbbPOFlOSp32PFcQuYoVoX1ONsClkoXqjvQG1BZuundm
KCkmgebahxa4Ge19HZ4zFO4leZpLt9l6Zkgd3R3SQCsjWl/jbPDX1p1sq69z
3cbz/B7XiSezRVCFjhYMzuVca81zeES+y2ncJ2eZru1Wx0OOC5VZqPImHj6W
zgIq6eRsBqBqsaM26NSj4z7y0oyot48dvMQ6viV20Kutc3RpK5n4U3tPtWbL
4rXyBNvI/KLT9+gmWh/Km0+lciIT0oDnZefShBKHZAG/PqxmBh1lT+XZyUqN
DmEPCXcCGHQmh7bdJSJMPGhYhoRHBVNuK3paGoyOmtQsZXLO9RV579nTIUA8
atUyLAuHeLRZbLpu5y5OIrW1nSFh6XiOOq4+oW1qflStl9KO2lrzZJ6OwUQF
uvC5aVeftFd8li/3sgyojwyOfG5ErxscGQC0a3cl8HbuizCNJMVbYVy7diUY
QoeT3iUKJuHhqGSmH7XMCOgYecUHuHPoVbXgWdhocdtLcuqVtWXGU33oXa1w
5nvh8Zxo5FRT1zOzR+7qHNsyeWmWMcVi9H16aD7i1YwHXIk27d3K1g4tWJtr
YVXAeUnmZsE+GUPfMJXCXGBydF0HHPnuoCmD0BpTWwOusR8tW+CpZM3WoN0x
Mm131Z82+vNu9nxHf747+vNyTPGy6E+VEwGnI1gQtFt1rJeab87MSiOF2z8F
ghuTEfaPq88WYEQPX3xKaG+tfCo+O9WOZFUoxxWlAFBgkWH3H713flhua2Q/
jsY7unWAmYBfye4/BZ94sAWfCmftgQfdFC3PactVOapzWe/CWccqskwfnE6J
qJqFeds0HVHiTAO23MeKAWI8lAp2+LfTD3DNNngewvXAnyNGyxK5Q8PnyrA6
bNh83eGtW8B7C/hQNHKHt24Bt4BbwC8n4CVs/NvCW9JBetspBhwCOFJA5Jrp
1KKtn7rBUGkV2icyG3z062GL7gbYQzXbWxQVAsjpg0MmAy8ZKNLRmYXCuR1w
+tAKajivh6eK0poZIgK2isG+t2VcwDJliroI+HvbEWBWZQi8e3NpD/0UfWyw
H1Coehw0KiTJJyvNMGLsBjzWFCirbcEjjtW3sT/uKsvOjom75ck7AXXCXsZB
LbL0TmvizsO1kYBafjmNicZ87dylz5pBf/rq49tBP2XHfarD9dYFk/5/lz8b
L0A/ILF3IPNGJiMWbS7rzK2WhTRaYmwnkPsmtfvV9rIJOWzB3Svg85ofWzDp
r9Q436hg0nPKtCY7u5eCCGFZLqxruAyoYtdDYBdeZXmZ+GoHRD+0qymZgDgq
U+XCu7wwbPVBmn3Pgkn0WGz5L20ZP2Px0zsc5Sl7FT085zg7z0Jup/CAB2Up
ZkseSsR718CVTwcxu82f91zbu1vCHfj57sDPaxdMes49LSAeePF0MpBArGPn
ydQ9SzmEhWJ+qDmfHM4eD9XRp88MmGhpp04srTs+cgt4bwE/gLO74yS3gFvA
LeAXFPD6BZOegyFSOevhDKJiVWa2ixoy6mlj9AVMojyVMZhJxCvmNV6ifREo
Rou63M384wom/TVrf+2CSc8iORCcWQMiA9KW7NKGMXPxoS1rbw89CrjXF3sp
6+HkDZ7MmVdb2s5sNfKoHOGbOEu0Z1+uEcn8s7zH8lViTnlMycp4j7e6S91k
6t7Padmby6YWTCmmpnIe7yH1jQk0rn7NL9qdq/Wz2mn9ZEmSMgKzufmMDhrR
grK5ZRGD+kqRlolf/ZonQ7G178qq0Kd4YtatIzAe6H3LZJmV8sAHtBfnYwsm
/V1Y4rULJj1nLTo6RO6Jqck3rosbfqhguvsUjrylYgyYUVlhxa/+oVFtHdpf
GZQwyXe3PQt0mZDKlk18vJ5sQTpLvsiVpfjhda5ANRrTaXtrLWOtg/k5Z8aZ
3sHMMV7fc7jSkEZnpg3SFRT20rOSO1zGgZUfj45hr4bJVYbFmi7uh8sZ6Thg
/G2uXh7CVJmSUklgFOuM4uyHYRtUo5y6a2S+HDisLptZSufHKZj0bXGX1y6Y
9BVxl91p95DRWCtLg5xWR7csWl0N6xDDOostg4iZrHM1j76fKiy1yLBy4UE5
wZV2Ed4EF9Nbp2VBtmvW27e+rD+0thJsJMta0V2PS5qnZIR70jk9splUx9PI
0yliGCBH4yzHdM2kam06jaB8SdA0XANOB1Q4E9t2NpiGrdJcGk+ZmDnU8tCj
t8J/jZlV4Wy65OE977ww/kyYgFnVNaaCdRd4ydV+2sDSu5v6HVj67sDSaxdM
em6D6VjDo0fkKy/WOaJsP0tPNCe4Xmx1hZYzXOiEm35IJVT8sm4gBs1uIdih
eu++OpOL7CElpWCLH9hzqggwCRafXCHh5Hl6Zhta71hu1HSVFt0KZTAL2CWR
DrYnzQAwWyaskl89iAoH9qhtBwPUbLOro1SdBcs6i7cZ/EblXhziF/6z137M
l8bO6Qe7FqcjitpKZXwE+MJQDOhqxeZWDSCmd+yNd+TsFvDOAn4Ab35Hzm4B
t4BbwC8o4PULJj2Hs4ro8TVjVCd3NwetddCkATY98yQW+P3QrMJSmrFeWQpF
gHoPp7XIJ+9RinmWfy0+S+YogB93cEpbWhpQnIBx0ZVG+8BTVN+M561ajLOU
7Im6GGM3iQzF4CZnJgSro9rp6wGMLvHMbwDB3wd4bcxaQcSZWKSrCPPpIPA0
JiAaG/jcrPtBYRx4Nn3iZgBU4rPJDH/qNuwMcuXZ1c7qyQ7Fa3/KIfovvgmS
Ij5GBQA=
<section anchor="acknowledgements" numbered="false">
<name>Acknowledgements</name>
<t>The authors would like to thank <contact fullname="Adam Langley"/> for
his detailed writeup of Elligator 2 with
Curve25519 <xref target="L13"/>;
<contact fullname="Dan Boneh"/>, <contact fullname="Benjamin Lipp"/>, <contact f
ullname="Christopher Patton"/>, and <contact fullname="Leonid Reyzin"/> for educ
ational discussions; and
<contact fullname="David Benjamin"/>, <contact fullname="Daniel Bourdrez"/>, <co
ntact fullname="Frank Denis"/>, <contact fullname="Sean Devlin"/>, <contact full
name="Justin Drake"/>, <contact fullname="Bjoern Haase"/>, <contact fullname="Mi
ke Hamburg"/>, <contact fullname="Dan Harkins"/>, <contact fullname="Daira Hopwo
od"/>, <contact fullname="Thomas Icart"/>, <contact fullname="Andy Polyakov"/>,
<contact fullname="Thomas Pornin"/>, <contact fullname="Mamy Ratsimbazafy"/>, <c
ontact fullname="Michael Scott"/>,
<contact fullname="Filippo Valsorda"/>, and <contact fullname="Mathy Vanhoef"/>
for helpful reviews and feedback.</t>
</section>
<section anchor="contributors" numbered="false">
<name>Contributors</name>
<contact fullname="Sharon Goldberg">
<organization>Boston University</organization>
<address>
<email>goldbe@cs.bu.edu</email>
</address>
</contact>
<contact fullname="Ela Lee">
<organization>Royal Holloway, University of London</organization>
<address>
<email>Ela.Lee.2010@live.rhul.ac.uk</email>
</address>
</contact>
<contact fullname="Michele Orru">
<address>
<email>michele.orru@ens.fr)</email>
</address>
</contact>
</section>
</back>
</rfc> </rfc>
 End of changes. 875 change blocks. 
4381 lines changed or deleted 1780 lines changed or added

This html diff was produced by rfcdiff 1.48.