rfc9497.original.xml   rfc9497.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.23 (Ruby 3.1. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
3) --> -irtf-cfrg-voprf-21" number="9497" submissionType="IRTF" category="info" consens
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft us="true" tocInclude="true" sortRefs="true" symRefs="true" updates="" obsoletes=
-irtf-cfrg-voprf-21" category="info" tocInclude="true" sortRefs="true" symRefs=" "" xml:lang="en" version="3">
true" version="3">
<!-- xml2rfc v2v3 conversion 3.16.0 --> <!-- xml2rfc v2v3 conversion 3.16.0 -->
<front> <front>
<title abbrev="OPRFs">Oblivious Pseudorandom Functions (OPRFs) using Prime-O <title abbrev="OPRFs">Oblivious Pseudorandom Functions (OPRFs) Using Prime-O
rder Groups</title> rder Groups</title>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-voprf-21"/> <seriesInfo name="RFC" value="9497"/>
<author initials="A." surname="Davidson" fullname="Alex Davidson"> <author initials="A." surname="Davidson" fullname="Alex Davidson">
<organization>Brave Software</organization> <organization>Brave Software</organization>
<address> <address>
<email>alex.davidson92@gmail.com</email> <email>alex.davidson92@gmail.com</email>
</address> </address>
</author> </author>
<author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernande z"> <author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernande z">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>CA</region>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>armfazh@cloudflare.com</email> <email>armfazh@cloudflare.com</email>
</address> </address>
</author> </author>
<author initials="N." surname="Sullivan" fullname="Nick Sullivan"> <author initials="N." surname="Sullivan" fullname="Nick Sullivan">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>CA</region>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>nick@cloudflare.com</email> <email>nicholas.sullivan+ietf@gmail.com</email>
</address> </address>
</author> </author>
<author initials="C. A." surname="Wood" fullname="Christopher A. Wood"> <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
<organization>Cloudflare, Inc.</organization> <organization>Cloudflare, Inc.</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>CA</region>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>caw@heapingbits.net</email> <email>caw@heapingbits.net</email>
</address> </address>
</author> </author>
<date year="2023" month="February" day="21"/> <date year="2023" month="December"/>
<keyword>Internet-Draft</keyword> <workgroup>Crypto Forum</workgroup>
<abstract> <abstract>
<t>An Oblivious Pseudorandom Function (OPRF) is a two-party protocol betwe en <t>An Oblivious Pseudorandom Function (OPRF) is a two-party protocol betwe en
client and server for computing the output of a Pseudorandom Function (PRF). a client and a server for computing the output of a Pseudorandom Function (PRF).
The server provides the PRF private key, and the client provides the PRF The server provides the PRF private key, and the client provides the PRF
input. At the end of the protocol, the client learns the PRF output without input. At the end of the protocol, the client learns the PRF output without
learning anything about the PRF private key, and the server learns neither learning anything about the PRF private key, and the server learns neither
the PRF input nor output. An OPRF can also satisfy a notion of 'verifiability', the PRF input nor output. An OPRF can also satisfy a notion of 'verifiability',
called a VOPRF. A VOPRF ensures clients can verify that the server used a called a VOPRF. A VOPRF ensures clients can verify that the server used a
specific private key during the execution of the protocol. A VOPRF can also specific private key during the execution of the protocol. A VOPRF can also
be partially-oblivious, called a POPRF. A POPRF allows clients and servers be partially oblivious, called a POPRF. A POPRF allows clients and servers
to provide public input to the PRF computation. This document specifies an OPRF, to provide public input to the PRF computation. This document specifies an OPRF,
VOPRF, and POPRF instantiated within standard prime-order groups, including VOPRF, and POPRF instantiated within standard prime-order groups, including
elliptic curves. This document is a product of the Crypto Forum Research Group elliptic curves. This document is a product of the Crypto Forum Research Group
(CFRG) in the IRTF.</t> (CFRG) in the IRTF.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>Discussion Venues</name>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/cfrg/draft-irtf-cfrg-voprf"/>.</t>
</note>
</front> </front>
<middle> <middle>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>A Pseudorandom Function (PRF) F(k, x) is an efficiently computable <t>A Pseudorandom Function (PRF) F(k, x) is an efficiently computable
function taking a private key k and a value x as input. This function is function taking a private key k and a value x as input. This function is
pseudorandom if the keyed function K(_) = F(k, _) is indistinguishable pseudorandom if the keyed function K(_) = F(k, _) is indistinguishable
from a randomly sampled function acting on the same domain and range as from a randomly sampled function acting on the same domain and range as
K(). An Oblivious PRF (OPRF) is a two-party protocol between a server K(). An Oblivious PRF (OPRF) is a two-party protocol between a server
and a client, where the server holds a PRF key k and the client holds and a client, wherein the server holds a PRF key k and the client holds
some input x. The protocol allows both parties to cooperate in computing some input x. The protocol allows both parties to cooperate in computing
F(k, x) such that the client learns F(k, x) without learning anything F(k, x), such that the client learns F(k, x) without learning anything
about k; and the server does not learn anything about x or F(k, x). about k and the server does not learn anything about x or F(k, x).
A Verifiable OPRF (VOPRF) is an OPRF wherein the server also proves A Verifiable OPRF (VOPRF) is an OPRF, wherein the server also proves
to the client that F(k, x) was produced by the key k corresponding to the client that F(k, x) was produced by the key k corresponding
to the server's public key, which the client knows. A Partially-Oblivious PRF (P to the server's public key, which the client knows.
OPRF) A Partially Oblivious PRF (POPRF)
is a variant of a VOPRF wherein client and server interact in computing is a variant of a VOPRF, where the client and server interact in computing
F(k, x, y), for some PRF F with server-provided key k, client-provided F(k, x, y), for some PRF F with server-provided key k, client-provided
input x, and public input y, and client receives proof input x, and public input y, and the client receives proof
that F(k, x, y) was computed using k corresponding to the public key that F(k, x, y) was computed using k corresponding to the public key
that the client knows. A POPRF with fixed input y is functionally that the client knows. A POPRF with fixed input y is functionally
equivalent to a VOPRF.</t> equivalent to a VOPRF.</t>
<t>OPRFs have a variety of applications, including: password-protected sec ret <t>OPRFs have a variety of applications, including password-protected secr et
sharing schemes <xref target="JKKX16"/>, privacy-preserving password stores <xre f target="SJKS17"/>, and sharing schemes <xref target="JKKX16"/>, privacy-preserving password stores <xre f target="SJKS17"/>, and
password-authenticated key exchange or PAKE <xref target="OPAQUE"/>. password-authenticated key exchange (PAKE) <xref target="I-D.irtf-cfrg-opaque"/>
Verifiable OPRFs are necessary in some applications such as Privacy Pass .
<xref target="PRIVACYPASS"/>. Verifiable OPRFs have also been used for Verifiable OPRFs are necessary in some applications, such as Privacy Pass
password-protected secret sharing schemes such as that of <xref target="JKK14"/> <xref target="I-D.ietf-privacypass-protocol"/>. Verifiable OPRFs have also been
.</t> used for
password-protected secret sharing schemes, such as that of <xref target="JKK14"/
>.</t>
<t>This document specifies OPRF, VOPRF, and POPRF protocols built upon <t>This document specifies OPRF, VOPRF, and POPRF protocols built upon
prime-order groups. The document describes each protocol variant, prime-order groups. The document describes each protocol variant,
along with application considerations, and their security properties.</t> along with application considerations, and their security properties.</t>
<t>This document represents the consensus of the Crypto Forum Research <t>This document represents the consensus of the Crypto Forum Research
Group (CFRG). It is not an IETF product and is not a standard.</t> Group (CFRG). It is not an IETF product and is not a standard.</t>
<section anchor="change-log">
<name>Change log</name>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-21">d
raft-21</eref>:</t>
<ul spacing="normal">
<li>Apply more IRSG review comments.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-20">d
raft-20</eref>:</t>
<ul spacing="normal">
<li>Address IRSG comments.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-19">d
raft-19</eref>:</t>
<ul spacing="normal">
<li>Fix error.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-18">d
raft-18</eref>:</t>
<ul spacing="normal">
<li>Apply editorial suggestions from CFRG chair review.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-17">d
raft-17</eref>:</t>
<ul spacing="normal">
<li>Change how suites are identified and finalize test vectors.</li>
<li>Apply editorial suggestions from IRTF chair review.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-16">d
raft-16</eref>:</t>
<ul spacing="normal">
<li>Apply editorial suggestions from document shepherd.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-15">d
raft-15</eref>:</t>
<ul spacing="normal">
<li>Apply editorial suggestions from CFRG RGLC.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-14">d
raft-14</eref>:</t>
<ul spacing="normal">
<li>Correct current state of formal analysis for the VOPRF protocol va
riant.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-13">d
raft-13</eref>:</t>
<ul spacing="normal">
<li>Editorial improvements based on Crypto Panel Review.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-12">d
raft-12</eref>:</t>
<ul spacing="normal">
<li>Small editorial fixes</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-11">d
raft-11</eref>:</t>
<ul spacing="normal">
<li>Change Evaluate to BlindEvaluate, and add Evaluate for PRF evaluat
ion</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-10">d
raft-10</eref>:</t>
<ul spacing="normal">
<li>Editorial improvements</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-09">d
raft-09</eref>:</t>
<ul spacing="normal">
<li>Split syntax for OPRF, VOPRF, and POPRF functionalities.</li>
<li>Make Blind function fallible for invalid private and public inputs
.</li>
<li>Specify key generation.</li>
<li>Remove serialization steps from core protocol functions.</li>
<li>Refactor protocol presentation for clarity.</li>
<li>Simplify security considerations.</li>
<li>Update application interface considerations.</li>
<li>Update test vectors.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-08">d
raft-08</eref>:</t>
<ul spacing="normal">
<li>Adopt partially-oblivious PRF construction from <xref target="TCRS
TW21"/>.</li>
<li>Update P-384 suite to use SHA-384 instead of SHA-512.</li>
<li>Update test vectors.</li>
<li>Apply various editorial changes.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-07">d
raft-07</eref>:</t>
<ul spacing="normal">
<li>Bind blinding mechanism to mode (additive for verifiable mode and
multiplicative for base mode).</li>
<li>Add explicit errors for deserialization.</li>
<li>Document explicit errors and API considerations.</li>
<li>Adopt SHAKE-256 for decaf448 ciphersuite.</li>
<li>Normalize HashToScalar functionality for all ciphersuites.</li>
<li>Refactor and generalize DLEQ proof functionality and domain separa
tion
tags for use in other protocols.</li>
<li>Update test vectors.</li>
<li>Apply various editorial changes.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-06">d
raft-06</eref>:</t>
<ul spacing="normal">
<li>Specify of group element and scalar serialization.</li>
<li>Remove info parameter from the protocol API and update domain sepa
ration guidance.</li>
<li>Fold Unblind function into Finalize.</li>
<li>Optimize ComputeComposites for servers (using knowledge of the pri
vate key).</li>
<li>Specify deterministic key generation method.</li>
<li>Update test vectors.</li>
<li>Apply various editorial changes.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-05">d
raft-05</eref>:</t>
<ul spacing="normal">
<li>Move to ristretto255 and decaf448 ciphersuites.</li>
<li>Clean up ciphersuite definitions.</li>
<li>Pin domain separation tag construction to draft version.</li>
<li>Move key generation outside of context construction functions.</li
>
<li>Editorial changes.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04">d
raft-04</eref>:</t>
<ul spacing="normal">
<li>Introduce Client and Server contexts for controlling verifiability
and
required functionality.</li>
<li>Condense API.</li>
<li>Remove batching from standard functionality (included as an extens
ion)</li>
<li>Add Curve25519 and P-256 ciphersuites for applications that preven
t
strong-DH oracle attacks.</li>
<li>Provide explicit prime-order group API and instantiation advice fo
r
each ciphersuite.</li>
<li>Proof-of-concept implementation in sage.</li>
<li>Remove privacy considerations advice as this depends on applicatio
ns.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-03">d
raft-03</eref>:</t>
<ul spacing="normal">
<li>Certify public key during VerifiableFinalize.</li>
<li>Remove protocol integration advice.</li>
<li>Add text discussing how to perform domain separation.</li>
<li>Drop OPRF_/VOPRF_ prefix from algorithm names.</li>
<li>Make prime-order group assumption explicit.</li>
<li>Changes to algorithms accepting batched inputs.</li>
<li>Changes to construction of batched DLEQ proofs.</li>
<li>Updated ciphersuites to be consistent with hash-to-curve and added
OPRF specific ciphersuites.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-02">d
raft-02</eref>:</t>
<ul spacing="normal">
<li>Added section discussing cryptographic security and static DH orac
les.</li>
<li>Updated batched proof algorithms.</li>
</ul>
<t><eref target="https://tools.ietf.org/html/draft-irtf-cfrg-voprf-01">d
raft-01</eref>:</t>
<ul spacing="normal">
<li>Updated ciphersuites to be in line with
https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04.</li>
<li>Made some necessary modular reductions more explicit.</li>
</ul>
</section>
<section anchor="requirements"> <section anchor="requirements">
<name>Requirements</name> <name>Requirements Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
"MAY", and "OPTIONAL" in this document are to be interpreted as IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
only when, they RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
appear in all capitals, as shown here.</t> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section> </section>
<section anchor="notation-and-terminology"> <section anchor="notation-and-terminology">
<name>Notation and Terminology</name> <name>Notation and Terminology</name>
<t>The following functions and notation are used throughout the document .</t> <t>The following functions and notation are used throughout the document .</t>
<ul spacing="normal"> <ul spacing="normal">
<li>For any object <tt>x</tt>, we write <tt>len(x)</tt> to denote its length in bytes.</li> <li>For any object <tt>x</tt>, we write <tt>len(x)</tt> to denote its length in bytes.</li>
<li>For two byte arrays <tt>x</tt> and <tt>y</tt>, write <tt>x || y</t t> to denote their <li>For two-byte arrays <tt>x</tt> and <tt>y</tt>, write <tt>x || y</t t> to denote their
concatenation.</li> concatenation.</li>
<li>I2OSP(x, xLen): Converts a non-negative integer <tt>x</tt> into a <li>I2OSP(x, xLen) converts a non-negative integer <tt>x</tt> into a b
byte array yte array
of specified length <tt>xLen</tt> as described in <xref target="RFC8017"/>. Note of specified length <tt>xLen</tt>, as described in <xref target="RFC8017"/>. Not
that e that
this function returns a byte array in big-endian byte order.</li> this function returns a byte array in big-endian byte order.</li>
<li>The notation <tt>T U[N]</tt> refers to an array called U containin g N items of type <li>The notation <tt>T U[N]</tt> refers to an array called U, containi ng N items of type
T. The type <tt>opaque</tt> means one single byte of uninterpreted data. Items o f T. The type <tt>opaque</tt> means one single byte of uninterpreted data. Items o f
the array are zero-indexed and referred as <tt>U[j]</tt> such that 0 &lt;= j &lt ; N.</li> the array are zero-indexed and referred to as <tt>U[j]</tt>, such that 0 &lt;= j &lt; N.</li>
</ul> </ul>
<t>All algorithms and procedures described in this document are laid out <t>All algorithms and procedures described in this document are laid out
in a Python-like pseudocode. Each function takes a set of inputs and parameters in a Python-like pseudocode. Each function takes a set of inputs and parameters
and produces a set of output values. Parameters become constant values once the and produces a set of output values. Parameters become constant values once the
protocol variant and the ciphersuite are fixed.</t> protocol variant and the ciphersuite are fixed.</t>
<t>The <tt>PrivateInput</tt> data type refers to inputs that are known o nly to the client <t>The <tt>PrivateInput</tt> data type refers to inputs that are known o nly to the client
in the protocol, whereas the <tt>PublicInput</tt> data type refers to inputs tha t are in the protocol, whereas the <tt>PublicInput</tt> data type refers to inputs tha t are
known to both client and server in the protocol. Both <tt>PrivateInput</tt> and known to both the client and server in the protocol. Both <tt>PrivateInput</tt> and
<tt>PublicInput</tt> are opaque byte strings of arbitrary length no larger than 2<sup>16</sup> - 1 bytes. <tt>PublicInput</tt> are opaque byte strings of arbitrary length no larger than 2<sup>16</sup> - 1 bytes.
This length restriction exists because <tt>PublicInput</tt> and <tt>PrivateInput </tt> values This length restriction exists because <tt>PublicInput</tt> and <tt>PrivateInput </tt> values
are length-prefixed with two bytes before use throughout the protocol.</t> are length-prefixed with two bytes before use throughout the protocol.</t>
<t>String values such as "DeriveKeyPair", "Seed-", and "Finalize" are AS CII string literals.</t> <t>String values, such as "DeriveKeyPair", "Seed-", and "Finalize", are ASCII string literals.</t>
<t>The following terms are used throughout this document.</t> <t>The following terms are used throughout this document.</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>PRF: Pseudorandom Function.</li> <dt>PRF:</dt> <dd>Pseudorandom Function</dd>
<li>OPRF: Oblivious Pseudorandom Function.</li> <dt>OPRF:</dt> <dd>Oblivious Pseudorandom Function</dd>
<li>VOPRF: Verifiable Oblivious Pseudorandom Function.</li> <dt>VOPRF:</dt> <dd>Verifiable Oblivious Pseudorandom Function</dd>
<li>POPRF: Partially Oblivious Pseudorandom Function.</li> <dt>POPRF:</dt> <dd>Partially Oblivious Pseudorandom Function</dd>
<li>Client: Protocol initiator. Learns pseudorandom function evaluatio <dt>Client:</dt> <dd>Protocol initiator. Learns PRF evaluation as
n as the output of the protocol.</dd>
the output of the protocol.</li> <dt>Server:</dt> <dd>Computes the PRF using a private key. Learns
<li>Server: Computes the pseudorandom function using a private key. Le nothing about the client's input or output.</dd>
arns </dl>
nothing about the client's input or output.</li>
</ul>
</section> </section>
</section> </section>
<section anchor="preliminaries"> <section anchor="preliminaries">
<name>Preliminaries</name> <name>Preliminaries</name>
<t>The protocols in this document have two primary dependencies:</t> <t>The protocols in this document have two primary dependencies:</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>
<tt>Group</tt>: A prime-order group implementing the API described bel <tt>Group</tt>:</dt> <dd>A prime-order group implementing the API desc
ow in <xref target="pog"/>. ribed below in <xref target="pog"/>.
See <xref target="ciphersuites"/> for specific instances of groups.</li> See <xref target="ciphersuites"/> for specific instances of groups.</dd>
<li> <dt>
<tt>Hash</tt>: A cryptographic hash function whose output length is <t <tt>Hash</tt>:</dt> <dd>A cryptographic hash function whose output len
t>Nh</tt> bytes.</li> gth is <tt>Nh</tt> bytes.</dd>
</ul> </dl>
<t><xref target="ciphersuites"/> specifies ciphersuites as combinations of <tt>Group</tt> and <tt>Hash</tt>.</t> <t><xref target="ciphersuites"/> specifies ciphersuites as combinations of <tt>Group</tt> and <tt>Hash</tt>.</t>
<section anchor="pog"> <section anchor="pog">
<name>Prime-Order Group</name> <name>Prime-Order Group</name>
<t>In this document, we assume the construction of an additive, prime-or der <t>In this document, we assume the construction of an additive, prime-or der
group <tt>Group</tt> for performing all mathematical operations. In prime-order groups, group, denoted <tt>Group</tt>, for performing all mathematical operations. In pr ime-order groups,
any element (other than the identity) can generate the other elements of the any element (other than the identity) can generate the other elements of the
group. Usually, one element group. Usually, one element
is fixed and defined as the group generator. Such groups are is fixed and defined as the group generator. Such groups are
uniquely determined by the choice of the prime <tt>p</tt> that defines the uniquely determined by the choice of the prime <tt>p</tt> that defines the
order of the group. (There may, however, exist different representations order of the group. (However, different representations
of the group for a single <tt>p</tt>. <xref target="ciphersuites"/> lists specif of the group for a single <tt>p</tt> may exist. <xref target="ciphersuites"/> li
ic groups which sts specific groups that
indicate both order and representation.)</t> indicate both the order and representation.)</t>
<t>The fundamental group operation is addition <tt>+</tt> with identity element <t>The fundamental group operation is addition <tt>+</tt> with identity element
<tt>I</tt>. For any elements <tt>A</tt> and <tt>B</tt> of the group, <tt>A + B = B + A</tt> is <tt>I</tt>. For any elements <tt>A</tt> and <tt>B</tt> of the group, <tt>A + B = B + A</tt> is
also a member of the group. Also, for any <tt>A</tt> in the group, there exists an element also a member of the group. Also, for any <tt>A</tt> in the group, there exists an element
<tt>-A</tt> such that <tt>A + (-A) = (-A) + A = I</tt>. Scalar multiplication by <tt>-A</tt>, such that <tt>A + (-A) = (-A) + A = I</tt>. Scalar multiplication b
<tt>r</tt> is y
<tt>r</tt> is
equivalent to the repeated application of the group operation on an equivalent to the repeated application of the group operation on an
element A with itself <tt>r-1</tt> times, this is denoted as <tt>r*A = A + ... + element <tt>A</tt> with itself <tt>r - 1</tt> times; this is denoted as <tt>r *
A</tt>. A = A + ... + A</tt>.
For any element <tt>A</tt>, <tt>p*A=I</tt>. The case when the scalar multiplicat For any element <tt>A</tt>, <tt>p * A = I</tt>. The case when the scalar multipl
ion is ication is
performed on the group generator is denoted as <tt>ScalarMultGen(r)</tt>. performed on the group generator is denoted as <tt>ScalarMultGen(r)</tt>.
Given two elements A and B, the discrete logarithm problem is to find Given two elements <tt>A</tt> and <tt>B</tt>, the discrete logarithm problem is
an integer k such that B = k*A. Thus, k is the discrete logarithm of to find
an integer k, such that B = k * A. Thus, k is the discrete logarithm of
B with respect to the base A. B with respect to the base A.
The set of scalars corresponds to <tt>GF(p)</tt>, a prime field of order p, and The set of scalars corresponds to <tt>GF(p)</tt>, a prime field of order p, and
are is
represented as the set of integers defined by <tt>{0, 1, ..., p-1}</tt>. represented as the set of integers defined by <tt>{0, 1, ..., p - 1}</tt>.
This document uses types This document uses types
<tt>Element</tt> and <tt>Scalar</tt> to denote elements of the group and its set of <tt>Element</tt> and <tt>Scalar</tt> to denote elements of the group and its set of
scalars, respectively.</t> scalars, respectively.</t>
<t>We now detail a number of member functions that can be invoked on a <t>We now detail a number of member functions that can be invoked on a
prime-order group.</t> prime-order group.</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Order(): Outputs the order of the group (i.e. <tt>p</tt>).</li> <dt>Order():</dt> <dd>Outputs the order of the group (i.e., <tt>p</tt>
<li>Identity(): Outputs the identity element of the group (i.e. <tt>I< ).</dd>
/tt>).</li> <dt>Identity():</dt> <dd>Outputs the identity element of the group (i.
<li>Generator(): Outputs the generator element of the group.</li> e., <tt>I</tt>).</dd>
<li>HashToGroup(x): Deterministically maps <dt>Generator():</dt> <dd>Outputs the generator element of the group.<
/dd>
<dt>HashToGroup(x):</dt> <dd>Deterministically maps
an array of bytes <tt>x</tt> to an element of <tt>Group</tt>. The map must ensur e that, an array of bytes <tt>x</tt> to an element of <tt>Group</tt>. The map must ensur e that,
for any adversary receiving <tt>R = HashToGroup(x)</tt>, it is for any adversary receiving <tt>R = HashToGroup(x)</tt>, it is
computationally difficult to reverse the mapping. This function is optionally computationally difficult to reverse the mapping. This function is optionally
parameterized by a domain separation tag (DST); see <xref target="ciphersuites"/ >. parameterized by a domain separation tag (DST); see <xref target="ciphersuites"/ >.
Security properties of this function are described Security properties of this function are described
in <xref target="I-D.irtf-cfrg-hash-to-curve"/>.</li> in <xref target="RFC9380"/>.</dd>
<li>HashToScalar(x): Deterministically maps <dt>HashToScalar(x):</dt> <dd>Deterministically maps
an array of bytes <tt>x</tt> to an element in GF(p). This function is optionally an array of bytes <tt>x</tt> to an element in GF(p). This function is optionally
parameterized by a DST; see <xref target="ciphersuites"/>. Security properties o f this parameterized by a DST; see <xref target="ciphersuites"/>. Security properties o f this
function are described in <xref section="10.5" sectionFormat="comma" target="I-D function are described in <xref section="10.5" sectionFormat="comma" target="RFC
.irtf-cfrg-hash-to-curve"/>.</li> 9380"/>.</dd>
<li>RandomScalar(): Chooses at random a non-zero element in GF(p).</li <dt>RandomScalar():</dt> <dd>Chooses at random a nonzero element in GF
> (p).</dd>
<li>ScalarInverse(s): Returns the inverse of input <tt>Scalar</tt> <tt <dt>ScalarInverse(s):</dt> <dd>Returns the inverse of input Scalar <tt
>s</tt> on <tt>GF(p)</tt>.</li> >s</tt> on <tt>GF(p)</tt>.</dd>
<li>SerializeElement(A): Maps an <tt>Element</tt> <tt>A</tt> <dt>SerializeElement(A):</dt> <dd>Maps an Element <tt>A</tt>
to a canonical byte array <tt>buf</tt> of fixed length <tt>Ne</tt>.</li> to a canonical byte array <tt>buf</tt> of fixed-length <tt>Ne</tt>.</dd>
<li>DeserializeElement(buf): Attempts to map a byte array <tt>buf</tt> <dt>DeserializeElement(buf):</dt> <dd>Attempts to map a byte array <tt
to >buf</tt> to
an <tt>Element</tt> <tt>A</tt>, and fails if the input is not the valid canonica an Element <tt>A</tt> and fails if the input is not the valid canonical byte
l byte
representation of an element of the group. This function can raise a representation of an element of the group. This function can raise a
DeserializeError if deserialization fails or <tt>A</tt> is the identity element of DeserializeError if deserialization fails or <tt>A</tt> is the identity element of
the group; see <xref target="ciphersuites"/> for group-specific input validation the group; see <xref target="ciphersuites"/> for group-specific input validation
steps.</li> steps.</dd>
<li>SerializeScalar(s): Maps a <tt>Scalar</tt> <tt>s</tt> to a canonic <dt>SerializeScalar(s):</dt> <dd>Maps Scalar <tt>s</tt> to a canonical
al byte array <tt>buf</tt> of fixed-length <tt>Ns</tt>.</dd>
byte array <tt>buf</tt> of fixed length <tt>Ns</tt>.</li> <dt>DeserializeScalar(buf):</dt> <dd>Attempts to map a byte array <tt>
<li>DeserializeScalar(buf): Attempts to map a byte array <tt>buf</tt> buf</tt> to Scalar <tt>s</tt>.
to a <tt>Scalar</tt> <tt>s</tt>.
This function can raise a DeserializeError if deserialization fails; see This function can raise a DeserializeError if deserialization fails; see
<xref target="ciphersuites"/> for group-specific input validation steps.</li> <xref target="ciphersuites"/> for group-specific input validation steps.</dd>
</ul> </dl>
<t><xref target="ciphersuites"/> contains details for the implementation of this interface <t><xref target="ciphersuites"/> contains details for the implementation of this interface
for different prime-order groups instantiated over elliptic curves. In for different prime-order groups instantiated over elliptic curves. In
particular, for some choices of elliptic curves, e.g., those detailed in particular, for some choices of elliptic curves, e.g., those detailed in
<xref target="RFC7748"/>, which require accounting for cofactors, <xref target=" ciphersuites"/> <xref target="RFC7748"/>, which require accounting for cofactors, <xref target=" ciphersuites"/>
describes required steps necessary to ensure the resulting group is of describes required steps necessary to ensure the resulting group is of
prime order.</t> prime order.</t>
</section> </section>
<section anchor="dleq"> <section anchor="dleq">
<name>Discrete Logarithm Equivalence Proofs</name> <name>Discrete Logarithm Equivalence Proofs</name>
<t>A proof of knowledge allows a prover to convince a verifier that some <t>A proof of knowledge allows a prover to convince a verifier that some
statement is true. If the prover can generate a proof without interaction statement is true. If the prover can generate a proof without interaction
with the verifier, the proof is noninteractive. If the verifier learns with the verifier, the proof is noninteractive. If the verifier learns
nothing other than whether the statement claimed by the prover is true or nothing other than whether the statement claimed by the prover is true or
false, the proof is zero-knowledge.</t> false, the proof is zero-knowledge.</t>
<t>This section describes a noninteractive zero-knowledge proof for disc rete <t>This section describes a noninteractive, zero-knowledge proof for dis crete
logarithm equivalence (DLEQ), which is used in the construction of VOPRF and logarithm equivalence (DLEQ), which is used in the construction of VOPRF and
POPRF. A DLEQ proof demonstrates that two pairs of POPRF. A DLEQ proof demonstrates that two pairs of
group elements have the same discrete logarithm without revealing the group elements have the same discrete logarithm without revealing the
discrete logarithm.</t> discrete logarithm.</t>
<t>The DLEQ proof resembles the Chaum-Pedersen <xref target="ChaumPeders en"/> proof, which <t>The DLEQ proof resembles the Chaum-Pedersen <xref target="ChaumPeders en"/> proof, which
is shown to be zero-knowledge by Jarecki, et al. <xref target="JKK14"/> and is is shown to be zero-knowledge by Jarecki, et al.&nbsp;<xref target="JKK14"/> and is
noninteractive after applying the Fiat-Shamir transform <xref target="FS00"/>. noninteractive after applying the Fiat-Shamir transform <xref target="FS00"/>.
Furthermore, Davidson, et al. <xref target="DGSTV18"/> showed a proof system for Furthermore, Davidson, et al.&nbsp;<xref target="DGSTV18"/> showed a proof syste m for
batching DLEQ proofs that has constant-size proofs with respect to the batching DLEQ proofs that has constant-size proofs with respect to the
number of inputs. number of inputs.
The specific DLEQ proof system presented below follows this latter The specific DLEQ proof system presented below follows this latter
construction with two modifications: (1) the transcript used to generate construction with two modifications: (1) the transcript used to generate
the seed includes more context information, and (2) the individual challenges the seed includes more context information and (2) the individual challenges
for each element in the proof is derived from a seed-prefixed hash-to-scalar for each element in the proof is derived from a seed-prefixed hash-to-scalar
invocation rather than being sampled from a seeded PRNG. invocation, rather than being sampled from a seeded Pseudorandom Number Generato r (PRNG).
The description is split into The description is split into
two sub-sections: one for generating the proof, which is done by servers two subsections: one for generating the proof, which is done by servers
in the verifiable protocols, and another for verifying the proof, which is in the verifiable protocols, and another for verifying the proof, which is
done by clients in the protocol.</t> done by clients in the protocol.</t>
<section anchor="proof-generation"> <section anchor="proof-generation">
<name>Proof Generation</name> <name>Proof Generation</name>
<t>Generating a proof is done with the <tt>GenerateProof</tt> function <t>Generating a proof is done with the <tt>GenerateProof</tt> function
, defined below. , as defined below.
Given elements A and B, two non-empty lists of elements C and D of length Given Element values A and B, two non-empty lists of Element values C and D of l
<tt>m</tt>, and a scalar k; this function produces a proof that <tt>k*A == B</tt ength
> <tt>m</tt>, and Scalar k, this function produces a proof that <tt>k * A == B</tt
and <tt>k*C[i] == D[i]</tt> for each <tt>i</tt> in <tt>[0, ..., m - 1]</tt>. >
The output is a value of type Proof, which is a tuple of two Scalar and <tt>k * C[i] == D[i]</tt> for each <tt>i</tt> in <tt>[0, ..., m - 1]</tt>.
The output is a value of type <tt>Proof</tt>, which is a tuple of two Scalar
values. We use the notation <tt>proof[0]</tt> and <tt>proof[1]</tt> to denote values. We use the notation <tt>proof[0]</tt> and <tt>proof[1]</tt> to denote
the first and second elements in this tuple, respectively.</t> the first and second elements in this tuple, respectively.</t>
<t><tt>GenerateProof</tt> accepts lists of inputs to amortize the cost of proof <t><tt>GenerateProof</tt> accepts lists of inputs to amortize the cost of proof
generation. Applications can take advantage of this functionality to generation. Applications can take advantage of this functionality to
produce a single, constant-sized proof for <tt>m</tt> DLEQ inputs, rather produce a single, constant-sized proof for <tt>m</tt> DLEQ inputs, rather
than <tt>m</tt> proofs for <tt>m</tt> DLEQ inputs.</t> than <tt>m</tt> proofs for <tt>m</tt> DLEQ inputs.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar k Scalar k
skipping to change at line 426 skipping to change at line 291
Element D[m] Element D[m]
Output: Output:
Proof proof Proof proof
Parameters: Parameters:
Group G Group G
def GenerateProof(k, A, B, C, D) def GenerateProof(k, A, B, C, D):
(M, Z) = ComputeCompositesFast(k, B, C, D) (M, Z) = ComputeCompositesFast(k, B, C, D)
r = G.RandomScalar() r = G.RandomScalar()
t2 = r * A t2 = r * A
t3 = r * M t3 = r * M
Bm = G.SerializeElement(B) Bm = G.SerializeElement(B)
a0 = G.SerializeElement(M) a0 = G.SerializeElement(M)
a1 = G.SerializeElement(Z) a1 = G.SerializeElement(Z)
a2 = G.SerializeElement(t2) a2 = G.SerializeElement(t2)
skipping to change at line 452 skipping to change at line 317
I2OSP(len(a1), 2) || a1 || I2OSP(len(a1), 2) || a1 ||
I2OSP(len(a2), 2) || a2 || I2OSP(len(a2), 2) || a2 ||
I2OSP(len(a3), 2) || a3 || I2OSP(len(a3), 2) || a3 ||
"Challenge" "Challenge"
c = G.HashToScalar(challengeTranscript) c = G.HashToScalar(challengeTranscript)
s = r - c * k s = r - c * k
return [c, s] return [c, s]
]]></sourcecode> ]]></sourcecode>
<t>The helper function ComputeCompositesFast is as defined below, and <t>The helper function <tt>ComputeCompositesFast</tt> is as defined be
is an low and is an
optimization of the ComputeComposites function for servers since they have optimization of the <tt>ComputeComposites</tt> function for servers since they h
ave
knowledge of the private key.</t> knowledge of the private key.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar k Scalar k
Element B Element B
Element C[m] Element C[m]
Element D[m] Element D[m]
Output: Output:
skipping to change at line 503 skipping to change at line 368
Z = k * M Z = k * M
return (M, Z) return (M, Z)
]]></sourcecode> ]]></sourcecode>
<t>When used in the protocol described in <xref target="protocol"/>, t he parameter <tt>contextString</tt> is <t>When used in the protocol described in <xref target="protocol"/>, t he parameter <tt>contextString</tt> is
as defined in <xref target="offline"/>.</t> as defined in <xref target="offline"/>.</t>
</section> </section>
<section anchor="proof-verification"> <section anchor="proof-verification">
<name>Proof Verification</name> <name>Proof Verification</name>
<t>Verifying a proof is done with the <tt>VerifyProof</tt> function, d <t>Verifying a proof is done with the <tt>VerifyProof</tt> function, a
efined below. s defined below.
This function takes elements A and B, two non-empty lists of elements C and D This function takes Element values A and B, two non-empty lists of Element value
of length <tt>m</tt>, and a Proof value output from <tt>GenerateProof</tt>. It o s C and D
utputs a of length <tt>m</tt>, and a <tt>Proof</tt> value output from <tt>GenerateProof</
tt>. It outputs a
single boolean value indicating whether or not the proof is valid for the single boolean value indicating whether or not the proof is valid for the
given DLEQ inputs. Note this function can verify proofs on lists of inputs given DLEQ inputs. Note this function can verify proofs on lists of inputs
whenever the proof was generated as a batched DLEQ proof with the same inputs.</ t> whenever the proof was generated as a batched DLEQ proof with the same inputs.</ t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Element A Element A
Element B Element B
Element C[m] Element C[m]
Element D[m] Element D[m]
skipping to change at line 604 skipping to change at line 469
return (M, Z) return (M, Z)
]]></sourcecode> ]]></sourcecode>
<t>When used in the protocol described in <xref target="protocol"/>, t he parameter <tt>contextString</tt> is <t>When used in the protocol described in <xref target="protocol"/>, t he parameter <tt>contextString</tt> is
as defined in <xref target="offline"/>.</t> as defined in <xref target="offline"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="protocol"> <section anchor="protocol">
<name>Protocol</name> <name>Protocol</name>
<t>In this section, we define and describe three protocol variants referre d to as the <t>In this section, we define and describe three protocol variants referre d to as the
OPRF, VOPRF, and POPRF modes. Each of these variants involve two messages betwee OPRF, VOPRF, and POPRF modes. Each of these variants involves two messages betwe
n en the
client and server but differ slightly in terms of the security properties; see client and server, but they differ slightly in terms of the security properties;
<xref target="properties"/> for more information. A high level description of th see
e functionality <xref target="properties"/> for more information. A high-level description of th
of each mode follows.</t> e functionality
of each mode follows.</t>
<t>In the OPRF mode, a client and server interact to compute <tt>output = F(skS, input)</tt>, <t>In the OPRF mode, a client and server interact to compute <tt>output = F(skS, input)</tt>,
where <tt>input</tt> is the client's private input, <tt>skS</tt> is the server's private key, where <tt>input</tt> is the client's private input, <tt>skS</tt> is the server's private key,
and <tt>output</tt> is the OPRF output. After the execution of the protocol, the and <tt>output</tt> is the OPRF output. After the execution of the protocol, the
client learns <tt>output</tt> and the server learns nothing. client learns the <tt>output</tt> and the server learns nothing.
This interaction is shown below.</t> This interaction is shown below.</t>
<figure anchor="fig-oprf"> <figure anchor="fig-oprf">
<name>OPRF protocol overview</name> <name>OPRF Protocol Overview</name>
<artwork><![CDATA[ <artwork><![CDATA[
Client(input) Server(skS) Client(input) Server(skS)
------------------------------------------------------------------- -------------------------------------------------------------------
blind, blindedElement = Blind(input) blind, blindedElement = Blind(input)
blindedElement blindedElement
----------> ---------->
evaluatedElement = BlindEvaluate(skS, blindedElement) evaluatedElement = BlindEvaluate(skS, blindedElement)
evaluatedElement evaluatedElement
<---------- <----------
output = Finalize(input, blind, evaluatedElement) output = Finalize(input, blind, evaluatedElement)
]]></artwork> ]]></artwork>
</figure> </figure>
<t>In the VOPRF mode, the client additionally receives proof that the serv er used <t>In the VOPRF mode, the client additionally receives proof that the serv er used
<tt>skS</tt> in computing the function. To achieve verifiability, as in <xref ta rget="JKK14"/>, the <tt>skS</tt> in computing the function. To achieve verifiability, as in <xref ta rget="JKK14"/>, the
server provides a zero-knowledge proof that the key provided as input by the ser ver in server provides a zero-knowledge proof that the key provided as input by the ser ver in
the <tt>BlindEvaluate</tt> function is the same key as it used to produce the se rver's public key, <tt>pkS</tt>, the <tt>BlindEvaluate</tt> function is the same key as is used to produce the se rver's public key, <tt>pkS</tt>,
which the client receives as input to the protocol. This proof does not reveal t he server's which the client receives as input to the protocol. This proof does not reveal t he server's
private key to the client. This interaction is shown below.</t> private key to the client. This interaction is shown below.</t>
<figure anchor="fig-voprf"> <figure anchor="fig-voprf">
<name>VOPRF protocol overview with additional proof</name> <name>VOPRF Protocol Overview with Additional Proof</name>
<artwork><![CDATA[ <artwork><![CDATA[
Client(input, pkS) <---- pkS ------ Server(skS, pkS) Client(input, pkS) <---- pkS ------ Server(skS, pkS)
------------------------------------------------------------------- -------------------------------------------------------------------
blind, blindedElement = Blind(input) blind, blindedElement = Blind(input)
blindedElement blindedElement
----------> ---------->
evaluatedElement, proof = BlindEvaluate(skS, pkS, evaluatedElement, proof = BlindEvaluate(skS, pkS,
blindedElement) blindedElement)
evaluatedElement, proof evaluatedElement, proof
<---------- <----------
output = Finalize(input, blind, evaluatedElement, output = Finalize(input, blind, evaluatedElement,
blindedElement, pkS, proof) blindedElement, pkS, proof)
]]></artwork> ]]></artwork>
</figure> </figure>
<t>The POPRF mode extends the VOPRF mode such that the client and <t>The POPRF mode extends the VOPRF mode such that the client and
server can additionally provide a public input <tt>info</tt> that is used in com server can additionally provide the public input <tt>info</tt>, which is used in
puting computing
the pseudorandom function. That is, the client and server interact to compute the PRF. That is, the client and server interact to compute
<tt>output = F(skS, input, info)</tt> as is shown below.</t> <tt>output = F(skS, input, info)</tt>, as is shown below.</t>
<figure anchor="fig-poprf"> <figure anchor="fig-poprf">
<name>POPRF protocol overview with additional public input</name> <name>POPRF Protocol Overview with Additional Public Input</name>
<artwork><![CDATA[ <artwork><![CDATA[
Client(input, pkS, info) <---- pkS ------ Server(skS, pkS, info) Client(input, pkS, info) <---- pkS ------ Server(skS, pkS, info)
------------------------------------------------------------------- -------------------------------------------------------------------
blind, blindedElement, tweakedKey = Blind(input, info, pkS) blind, blindedElement, tweakedKey = Blind(input, info, pkS)
blindedElement blindedElement
----------> ---------->
evaluatedElement, proof = BlindEvaluate(skS, blindedElement, evaluatedElement, proof = BlindEvaluate(skS, blindedElement,
info) info)
evaluatedElement, proof evaluatedElement, proof
<---------- <----------
output = Finalize(input, blind, evaluatedElement, output = Finalize(input, blind, evaluatedElement,
blindedElement, proof, info, tweakedKey) blindedElement, proof, info, tweakedKey)
]]></artwork> ]]></artwork>
</figure> </figure>
<t>Each protocol consists of an offline setup phase and an online phase, <t>Each protocol consists of an offline setup phase and an online phase,
described in <xref target="offline"/> and <xref target="online"/>, respectively. Configuration details as described in Sections <xref target="offline" format="counter"/> and <xref tar get="online" format="counter"/>, respectively. Configuration details
for the offline phase are described in <xref target="configuration"/>.</t> for the offline phase are described in <xref target="configuration"/>.</t>
<section anchor="configuration"> <section anchor="configuration">
<name>Configuration</name> <name>Configuration</name>
<t>Each of the three protocol variants are identified with a one-byte va lue (in hexadecimal):</t> <t>Each of the three protocol variants are identified with a one-byte va lue (in hexadecimal):</t>
<table anchor="tab-modes"> <table anchor="tab-modes">
<name>Identifiers for protocol variants.</name> <name>Identifiers for Protocol Variants</name>
<thead> <thead>
<tr> <tr>
<th align="left">Mode</th> <th align="left">Mode</th>
<th align="left">Value</th> <th align="left">Value</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">modeOPRF</td> <td align="left">modeOPRF</td>
<td align="left">0x00</td> <td align="left">0x00</td>
skipping to change at line 710 skipping to change at line 575
<tr> <tr>
<td align="left">modeVOPRF</td> <td align="left">modeVOPRF</td>
<td align="left">0x01</td> <td align="left">0x01</td>
</tr> </tr>
<tr> <tr>
<td align="left">modePOPRF</td> <td align="left">modePOPRF</td>
<td align="left">0x02</td> <td align="left">0x02</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>Additionally, each protocol variant is instantiated with a ciphersuit e, <t>Additionally, each protocol variant is instantiated with a ciphersuit e
or suite. Each ciphersuite is identified with an ASCII string identifier, or suite. Each ciphersuite is identified with an ASCII string identifier,
referred to as identifier; see <xref target="ciphersuites"/> for the set of init ial referred to as identifier; see <xref target="ciphersuites"/> for the set of init ial
ciphersuite values.</t> ciphersuite values.</t>
<t>The mode and ciphersuite identifier values are combined to create a <t>The mode and ciphersuite identifier values are combined to create a
"context string" used throughout the protocol with the following function:</t> "context string" used throughout the protocol with the following function:</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
def CreateContextString(mode, identifier): def CreateContextString(mode, identifier):
return "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier return "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier
]]></sourcecode> ]]></sourcecode>
</section> </section>
skipping to change at line 744 skipping to change at line 609
Parameters: Parameters:
Group G Group G
def GenerateKeyPair(): def GenerateKeyPair():
skS = G.RandomScalar() skS = G.RandomScalar()
pkS = G.ScalarMultGen(skS) pkS = G.ScalarMultGen(skS)
return skS, pkS return skS, pkS
]]></sourcecode> ]]></sourcecode>
<t>The second way to generate the key pair is via the deterministic key <t>The second way to generate the key pair is via the deterministic key
generation function <tt>DeriveKeyPair</tt> described in <xref target="derive-key -pair"/>. generation function <tt>DeriveKeyPair</tt>, as described in <xref target="derive -key-pair"/>.
Applications and implementations can use either method in practice.</t> Applications and implementations can use either method in practice.</t>
<t>Also during the offline setup phase, both the client and server creat e a <t>Also during the offline setup phase, both the client and server creat e a
context used for executing the online phase of the protocol after agreeing on a context used for executing the online phase of the protocol after agreeing on a
mode and ciphersuite identifier. The context, such as <tt>OPRFServerContext</tt> , mode and ciphersuite identifier. The context, such as <tt>OPRFServerContext</tt> ,
is an implementation-specific data structure that stores a context string and is an implementation-specific data structure that stores a context string and
the relevant key material for each party.</t> the relevant key material for each party.</t>
<t>The OPRF variant server and client contexts are created as follows:</ t> <t>The OPRF variant server and client contexts are created as follows:</ t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
def SetupOPRFServer(identifier, skS): def SetupOPRFServer(identifier, skS):
contextString = CreateContextString(modeOPRF, identifier) contextString = CreateContextString(modeOPRF, identifier)
skipping to change at line 784 skipping to change at line 649
contextString = CreateContextString(modePOPRF, identifier) contextString = CreateContextString(modePOPRF, identifier)
return POPRFServerContext(contextString, skS) return POPRFServerContext(contextString, skS)
def SetupPOPRFClient(identifier, pkS): def SetupPOPRFClient(identifier, pkS):
contextString = CreateContextString(modePOPRF, identifier) contextString = CreateContextString(modePOPRF, identifier)
return POPRFClientContext(contextString, pkS) return POPRFClientContext(contextString, pkS)
]]></sourcecode> ]]></sourcecode>
<section anchor="derive-key-pair"> <section anchor="derive-key-pair">
<name>Deterministic Key Generation</name> <name>Deterministic Key Generation</name>
<t>This section describes a deterministic key generation function, <tt >DeriveKeyPair</tt>. <t>This section describes a deterministic key generation function, <tt >DeriveKeyPair</tt>.
It accepts a seed of <tt>Ns</tt> bytes generated from a cryptographically secure It accepts a seed of <tt>32</tt> bytes generated from a cryptographically secure
random number generator and an optional (possibly empty) <tt>info</tt> string. random number generator and an optional (possibly empty) <tt>info</tt> string.
The constant <tt>Ns</tt> corresponds to the size in bytes of a serialized Scalar Note that, by design, knowledge of <tt>seed</tt> and <tt>info</tt>
and is defined in <xref target="pog"/>. Note that by design knowledge of <tt>see
d</tt> and <tt>info</tt>
is necessary to compute this function, which means that the secrecy of the is necessary to compute this function, which means that the secrecy of the
output private key (<tt>skS</tt>) depends on the secrecy of <tt>seed</tt> (since the <tt>info</tt> output private key (<tt>skS</tt>) depends on the secrecy of <tt>seed</tt> (since the <tt>info</tt>
string is public).</t> string is public).</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
opaque seed[Ns] opaque seed[32]
PublicInput info PublicInput info
Output: Output:
Scalar skS Scalar skS
Element pkS Element pkS
Parameters: Parameters:
Group G Group G
skipping to change at line 826 skipping to change at line 690
skS = G.HashToScalar(deriveInput || I2OSP(counter, 1), skS = G.HashToScalar(deriveInput || I2OSP(counter, 1),
DST = "DeriveKeyPair" || contextString) DST = "DeriveKeyPair" || contextString)
counter = counter + 1 counter = counter + 1
pkS = G.ScalarMultGen(skS) pkS = G.ScalarMultGen(skS)
return skS, pkS return skS, pkS
]]></sourcecode> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="online"> <section anchor="online">
<name>Online Protocol</name> <name>Online Protocol</name>
<t>In the online phase, the client and server engage in a two message pr otocol <t>In the online phase, the client and server engage in a two-message pr otocol
to compute the protocol output. This section describes the protocol details to compute the protocol output. This section describes the protocol details
for each protocol variant. Throughout each description the following parameters for each protocol variant. Throughout each description, the following parameters
are assumed to exist:</t> are assumed to exist:</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>G, a prime-order Group implementing the API described in <xref tar <dt>G:</dt> <dd>a prime-order group implementing the API described in
get="pog"/>.</li> <xref target="pog"/></dd>
<li>contextString, a PublicInput domain separation tag constructed dur <dt>contextString:</dt> <dd>a <tt>PublicInput</tt> domain separation t
ing context setup as created in <xref target="configuration"/>.</li> ag constructed during context setup, as created in <xref target="configuration"/
<li>skS and pkS, a Scalar and Element representing the private and pub ></dd>
lic keys configured for client and server in <xref target="offline"/>.</li> <dt>skS and pkS:</dt> <dd>a Scalar and Element representing the privat
</ul> e and public keys configured for the client and server in <xref target="offline"
<t>Applications serialize protocol messages between client and server fo /></dd>
r </dl>
transmission. Elements and scalars are serialized to byte arrays, and values <t>Applications serialize protocol messages between the client and serve
of type Proof are serialized as the concatenation of two serialized scalars. r for
Deserializing these values can fail, in which case the application MUST abort transmission. Element values and Scalar values are serialized to byte arrays, an
the protocol raising a <tt>DeserializeError</tt> failure.</t> d values
<t>Applications MUST check that input Element values received over the w of type <tt>Proof</tt> are serialized as the concatenation of two serialized Sca
ire lar values.
Deserializing these values can fail; in which case, the application <bcp14>MUST<
/bcp14> abort
the protocol, raising a <tt>DeserializeError</tt> failure.</t>
<t>Applications <bcp14>MUST</bcp14> check that input Element values rece
ived over the wire
are not the group identity element. This check is handled after deserializing are not the group identity element. This check is handled after deserializing
Element values; see <xref target="ciphersuites"/> for more information and requi rements Element values; see <xref target="ciphersuites"/> for more information and requi rements
on input validation for each ciphersuite.</t> on input validation for each ciphersuite.</t>
<section anchor="oprf"> <section anchor="oprf">
<name>OPRF Protocol</name> <name>OPRF Protocol</name>
<t>The OPRF protocol begins with the client blinding its input, as des cribed <t>The OPRF protocol begins with the client blinding its input, as des cribed
by the <tt>Blind</tt> function below. Note that this function can fail with an by the <tt>Blind</tt> function below. Note that this function can fail with an
<tt>InvalidInputError</tt> error for certain inputs that map to the group identi ty <tt>InvalidInputError</tt> error for certain inputs that map to the group identi ty
element. Dealing with this failure is an application-specific decision; element. Dealing with this failure is an application-specific decision;
see <xref target="errors"/>.</t> see <xref target="errors"/>.</t>
skipping to change at line 876 skipping to change at line 740
def Blind(input): def Blind(input):
blind = G.RandomScalar() blind = G.RandomScalar()
inputElement = G.HashToGroup(input) inputElement = G.HashToGroup(input)
if inputElement == G.Identity(): if inputElement == G.Identity():
raise InvalidInputError raise InvalidInputError
blindedElement = blind * inputElement blindedElement = blind * inputElement
return blind, blindedElement return blind, blindedElement
]]></sourcecode> ]]></sourcecode>
<t>Clients store <tt>blind</tt> locally, and send <tt>blindedElement</ tt> to the server for evaluation. <t>Clients store <tt>blind</tt> locally and send <tt>blindedElement</t t> to the server for evaluation.
Upon receipt, servers process <tt>blindedElement</tt> using the <tt>BlindEvaluat e</tt> function described Upon receipt, servers process <tt>blindedElement</tt> using the <tt>BlindEvaluat e</tt> function described
below.</t> below.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar skS Scalar skS
Element blindedElement Element blindedElement
Output: Output:
Element evaluatedElement Element evaluatedElement
def BlindEvaluate(skS, blindedElement): def BlindEvaluate(skS, blindedElement):
evaluatedElement = skS * blindedElement evaluatedElement = skS * blindedElement
return evaluatedElement return evaluatedElement
]]></sourcecode> ]]></sourcecode>
<t>Servers send the output <tt>evaluatedElement</tt> to clients for pr ocessing. <t>Servers send the output <tt>evaluatedElement</tt> to clients for pr ocessing.
Recall that servers may process multiple client inputs by applying the Recall that servers may process multiple client inputs by applying the
<tt>BlindEvaluate</tt> function to each <tt>blindedElement</tt> received, and re turning an <tt>BlindEvaluate</tt> function to each <tt>blindedElement</tt> received and ret urning an
array with the corresponding <tt>evaluatedElement</tt> values.</t> array with the corresponding <tt>evaluatedElement</tt> values.</t>
<t>Upon receipt of <tt>evaluatedElement</tt>, clients process it to co mplete the <t>Upon receipt of <tt>evaluatedElement</tt>, clients process it to co mplete the
OPRF evaluation with the <tt>Finalize</tt> function described below.</t> OPRF evaluation with the <tt>Finalize</tt> function described below.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
PrivateInput input PrivateInput input
Scalar blind Scalar blind
Element evaluatedElement Element evaluatedElement
skipping to change at line 923 skipping to change at line 787
def Finalize(input, blind, evaluatedElement): def Finalize(input, blind, evaluatedElement):
N = G.ScalarInverse(blind) * evaluatedElement N = G.ScalarInverse(blind) * evaluatedElement
unblindedElement = G.SerializeElement(N) unblindedElement = G.SerializeElement(N)
hashInput = I2OSP(len(input), 2) || input || hashInput = I2OSP(len(input), 2) || input ||
I2OSP(len(unblindedElement), 2) || unblindedElement || I2OSP(len(unblindedElement), 2) || unblindedElement ||
"Finalize" "Finalize"
return Hash(hashInput) return Hash(hashInput)
]]></sourcecode> ]]></sourcecode>
<t>An entity which knows both the private key and the input can comput e the PRF <t>An entity that knows both the private key and the input can compute the PRF
result using the following <tt>Evaluate</tt> function.</t> result using the following <tt>Evaluate</tt> function.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar skS Scalar skS
PrivateInput input PrivateInput input
Output: Output:
opaque output[Nh] opaque output[Nh]
skipping to change at line 959 skipping to change at line 823
I2OSP(len(issuedElement), 2) || issuedElement || I2OSP(len(issuedElement), 2) || issuedElement ||
"Finalize" "Finalize"
return Hash(hashInput) return Hash(hashInput)
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="voprf"> <section anchor="voprf">
<name>VOPRF Protocol</name> <name>VOPRF Protocol</name>
<t>The VOPRF protocol begins with the client blinding its input, using the same <t>The VOPRF protocol begins with the client blinding its input, using the same
<tt>Blind</tt> function as in <xref target="oprf"/>. Clients store the output <t t>blind</tt> locally <tt>Blind</tt> function as in <xref target="oprf"/>. Clients store the output <t t>blind</tt> locally
and send <tt>blindedElement</tt> to the server for evaluation. Upon receipt, and send <tt>blindedElement</tt> to the server for evaluation. Upon receipt,
servers process <tt>blindedElement</tt> to compute an evaluated element and DLEQ servers process <tt>blindedElement</tt> to compute an evaluated element and a DL EQ
proof using the following <tt>BlindEvaluate</tt> function.</t> proof using the following <tt>BlindEvaluate</tt> function.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar skS Scalar skS
Element pkS Element pkS
Element blindedElement Element blindedElement
Output: Output:
skipping to change at line 1030 skipping to change at line 894
unblindedElement = G.SerializeElement(N) unblindedElement = G.SerializeElement(N)
hashInput = I2OSP(len(input), 2) || input || hashInput = I2OSP(len(input), 2) || input ||
I2OSP(len(unblindedElement), 2) || unblindedElement || I2OSP(len(unblindedElement), 2) || unblindedElement ||
"Finalize" "Finalize"
return Hash(hashInput) return Hash(hashInput)
]]></sourcecode> ]]></sourcecode>
<t>As in <tt>BlindEvaluate</tt>, inputs to <tt>VerifyProof</tt> are on e-item lists. Clients can <t>As in <tt>BlindEvaluate</tt>, inputs to <tt>VerifyProof</tt> are on e-item lists. Clients can
verify multiple inputs at once whenever the server produced a batched DLEQ proof verify multiple inputs at once whenever the server produced a batched DLEQ proof
for them.</t> for them.</t>
<t>Finally, an entity which knows both the private key and the input c an compute the PRF <t>Finally, an entity that knows both the private key and the input ca n compute the PRF
result using the <tt>Evaluate</tt> function described in <xref target="oprf"/>.< /t> result using the <tt>Evaluate</tt> function described in <xref target="oprf"/>.< /t>
</section> </section>
<section anchor="poprf"> <section anchor="poprf">
<name>POPRF Protocol</name> <name>POPRF Protocol</name>
<t>The POPRF protocol begins with the client blinding its input, using the <t>The POPRF protocol begins with the client blinding its input, using the
following modified <tt>Blind</tt> function. In this step, the client also binds a following modified <tt>Blind</tt> function. In this step, the client also binds a
public info value, which produces an additional <tt>tweakedKey</tt> to be used l ater public info value, which produces an additional <tt>tweakedKey</tt> to be used l ater
in the protocol. Note that this function can fail with an in the protocol. Note that this function can fail with an
<tt>InvalidInputError</tt> error for certain private inputs that map to the grou p <tt>InvalidInputError</tt> error for certain private inputs that map to the grou p
identity element, as well as certain public inputs that, if not detected at identity element, as well as certain public inputs that, if not detected at
skipping to change at line 1081 skipping to change at line 945
inputElement = G.HashToGroup(input) inputElement = G.HashToGroup(input)
if inputElement == G.Identity(): if inputElement == G.Identity():
raise InvalidInputError raise InvalidInputError
blindedElement = blind * inputElement blindedElement = blind * inputElement
return blind, blindedElement, tweakedKey return blind, blindedElement, tweakedKey
]]></sourcecode> ]]></sourcecode>
<t>Clients store the outputs <tt>blind</tt> and <tt>tweakedKey</tt> lo cally and send <tt>blindedElement</tt> to <t>Clients store the outputs <tt>blind</tt> and <tt>tweakedKey</tt> lo cally and send <tt>blindedElement</tt> to
the server for evaluation. Upon receipt, servers process <tt>blindedElement</tt> to the server for evaluation. Upon receipt, servers process <tt>blindedElement</tt> to
compute an evaluated element and DLEQ proof using the following <tt>BlindEvaluat e</tt> function.</t> compute an evaluated element and a DLEQ proof using the following <tt>BlindEvalu ate</tt> function.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar skS Scalar skS
Element blindedElement Element blindedElement
PublicInput info PublicInput info
Output: Output:
Element evaluatedElement Element evaluatedElement
skipping to change at line 1170 skipping to change at line 1034
hashInput = I2OSP(len(input), 2) || input || hashInput = I2OSP(len(input), 2) || input ||
I2OSP(len(info), 2) || info || I2OSP(len(info), 2) || info ||
I2OSP(len(unblindedElement), 2) || unblindedElement || I2OSP(len(unblindedElement), 2) || unblindedElement ||
"Finalize" "Finalize"
return Hash(hashInput) return Hash(hashInput)
]]></sourcecode> ]]></sourcecode>
<t>As in <tt>BlindEvaluate</tt>, inputs to <tt>VerifyProof</tt> are on e-item lists. <t>As in <tt>BlindEvaluate</tt>, inputs to <tt>VerifyProof</tt> are on e-item lists.
Clients can verify multiple inputs at once whenever the server produced a Clients can verify multiple inputs at once whenever the server produced a
batched DLEQ proof for them.</t> batched DLEQ proof for them.</t>
<t>Finally, an entity which knows both the private key and the input c an compute <t>Finally, an entity that knows both the private key and the input ca n compute
the PRF result using the <tt>Evaluate</tt> function described below.</t> the PRF result using the <tt>Evaluate</tt> function described below.</t>
<sourcecode type="pseudocode"><![CDATA[ <sourcecode type="pseudocode"><![CDATA[
Input: Input:
Scalar skS Scalar skS
PrivateInput input PrivateInput input
PublicInput info PublicInput info
Output: Output:
skipping to change at line 1218 skipping to change at line 1082
</section> </section>
</section> </section>
</section> </section>
<section anchor="ciphersuites"> <section anchor="ciphersuites">
<name>Ciphersuites</name> <name>Ciphersuites</name>
<t>A ciphersuite (also referred to as 'suite' in this document) for the pr otocol <t>A ciphersuite (also referred to as 'suite' in this document) for the pr otocol
wraps the functionality required for the protocol to take place. The wraps the functionality required for the protocol to take place. The
ciphersuite should be available to both the client and server, and agreement ciphersuite should be available to both the client and server, and agreement
on the specific instantiation is assumed throughout.</t> on the specific instantiation is assumed throughout.</t>
<t>A ciphersuite contains instantiations of the following functionalities: </t> <t>A ciphersuite contains instantiations of the following functionalities: </t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>
<tt>Group</tt>: A prime-order Group exposing the API detailed in <xref <tt>Group</tt>:</dt> <dd>A prime-order group exposing the API detailed
target="pog"/>, with the in <xref target="pog"/>, with the
generator element defined in the corresponding reference for each group. Each generator element defined in the corresponding reference for each group. Each
group also specifies HashToGroup, HashToScalar, and serialization group also specifies <tt>HashToGroup</tt>, <tt>HashToScalar</tt>, and serializat ion
functionalities. For functionalities. For
HashToGroup, the domain separation tag (DST) is constructed in accordance <tt>HashToGroup</tt>, the domain separation tag (DST) is constructed in accordan
with the recommendations in <xref section="3.1" sectionFormat="comma" target="I- ce
D.irtf-cfrg-hash-to-curve"/>. with the recommendations in <xref section="3.1" sectionFormat="comma" target="RF
For HashToScalar, each group specifies an integer order that is used in C9380"/>.
reducing integer values to a member of the corresponding scalar field.</li> For <tt>HashToScalar</tt>, each group specifies an integer order that is used in
<li> reducing integer values to a member of the corresponding scalar field.</dd>
<tt>Hash</tt>: A cryptographic hash function whose output length is Nh <dt>
bytes long.</li> <tt>Hash</tt>:</dt> <dd>A cryptographic hash function whose output len
</ul> gth is Nh bytes long.</dd>
</dl>
<t>This section includes an initial set of ciphersuites with supported gro ups <t>This section includes an initial set of ciphersuites with supported gro ups
and hash functions. It also includes implementation details for each ciphersuite , and hash functions. It also includes implementation details for each ciphersuite ,
focusing on input validation. Future documents can specify additional ciphersuit es focusing on input validation. Future documents can specify additional ciphersuit es
as needed provided they meet the requirements in <xref target="suite-requirement as needed, provided they meet the requirements in <xref target="suite-requ
s"/>.</t> irements"/>.</t>
<t>For each ciphersuite, <tt>contextString</tt> is that which is computed <t>For each ciphersuite, <tt>contextString</tt> is that which is computed
in the Setup functions. in the <tt>Setup</tt> functions.
Applications should take caution in using ciphersuites targeting P-256 and ristr etto255. Applications should take caution in using ciphersuites targeting P-256 and ristr etto255.
See <xref target="cryptanalysis"/> for related discussion.</t> See <xref target="cryptanalysis"/> for related discussion.</t>
<section anchor="oprfristretto255-sha-512"> <section anchor="oprfristretto255-sha-512">
<name>OPRF(ristretto255, SHA-512)</name> <name>OPRF(ristretto255, SHA-512)</name>
<t>This ciphersuite uses ristretto255 <xref target="RISTRETTO"/> for the Group and SHA-512 for the Hash <t>This ciphersuite uses ristretto255 <xref target="RFC9496"/> for the G roup and SHA-512 for the hash
function. The value of the ciphersuite identifier is "ristretto255-SHA512".</t> function. The value of the ciphersuite identifier is "ristretto255-SHA512".</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>
<t>Group: ristretto255 <xref target="RISTRETTO"/> Group:</dt> <dd><t>ristretto255 <xref target="RFC9496"/></t>
</t> <dl newline="false" spacing="normal">
<ul spacing="normal"> <dt>Order():</dt> <dd>Return 2<sup>252</sup> + 2774231777737235353
<li>Order(): Return 2^252 + 27742317777372353535851937790883648493 5851937790883648493 (see <xref target="RFC9496"/>).</dd>
(see <xref target="RISTRETTO"/>)</li> <dt>Identity():</dt> <dd>As defined in <xref target="RFC9496"/>.</
<li>Identity(): As defined in <xref target="RISTRETTO"/>.</li> dd>
<li>Generator(): As defined in <xref target="RISTRETTO"/>.</li> <dt>Generator():</dt> <dd>As defined in <xref target="RFC9496"/>.<
<li>HashToGroup(): Use hash_to_ristretto255 /dd>
<xref target="I-D.irtf-cfrg-hash-to-curve"/> with DST = <dt>HashToGroup():</dt> <dd>Use hash_to_ristretto255
"HashToGroup-" || contextString, and <tt>expand_message</tt> = <tt>expand_messag <xref target="RFC9380"/> with DST =
e_xmd</tt> "HashToGroup-" || contextString and <tt>expand_message</tt> = <tt>expand_message
using SHA-512.</li> _xmd</tt>
<li>HashToScalar(): Compute <tt>uniform_bytes</tt> using <tt>expan using SHA-512.</dd>
d_message</tt> = <tt>expand_message_xmd</tt>, <dt>HashToScalar():</dt> <dd>Compute <tt>uniform_bytes</tt> using
DST = "HashToScalar-" || contextString, and output length 64, interpret <tt>expand_message</tt> = <tt>expand_message_xmd</tt>,
DST = "HashToScalar-" || contextString, and an output length of 64 bytes, interp
ret
<tt>uniform_bytes</tt> as a 512-bit integer in little-endian order, and reduce t he <tt>uniform_bytes</tt> as a 512-bit integer in little-endian order, and reduce t he
integer modulo <tt>Group.Order()</tt>.</li> integer modulo <tt>Group.Order()</tt>.</dd>
<li>ScalarInverse(s): Returns the multiplicative inverse of input <dt>ScalarInverse(s):</dt> <dd>Returns the multiplicative inverse
Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</li> of input Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</dd>
<li>RandomScalar(): Implemented by returning a uniformly random Sc <dt>RandomScalar():</dt> <dd>Implemented by returning a uniformly
alar in the range random Scalar in the range
[0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme [0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme
ntation guidance.</li> ntation guidance.</dd>
<li>SerializeElement(A): Implemented using the 'Encode' function f <dt>SerializeElement(A):</dt> <dd>Implemented using the <tt>Encode
rom Section 4.3.2 of <xref target="RISTRETTO"/>; Ne = 32.</li> </tt> function from <xref target="RFC9496" section="4.3.2" sectionFormat="of" />
<li>DeserializeElement(buf): Implemented using the 'Decode' functi ; Ne = 32.</dd>
on from Section 4.3.1 of <xref target="RISTRETTO"/>. <dt>DeserializeElement(buf):</dt> <dd>Implemented using the <tt>De
code</tt> function from <xref target="RFC9496" section="4.3.1" sectionFormat="of
" />.
Additionally, this function validates that the resulting element is not the grou p Additionally, this function validates that the resulting element is not the grou p
identity element. If these checks fail, deserialization returns an InputValidati identity element. If these checks fail, deserialization returns an InputValidati
onError error.</li> onError error.</dd>
<li>SerializeScalar(s): Implemented by outputting the little-endia <dt>SerializeScalar(s):</dt> <dd>Implemented by outputting the lit
n 32-byte encoding of tle-endian, 32-byte encoding of
the Scalar value with the top three bits set to zero; Ns = 32.</li> the Scalar value with the top three bits set to zero; Ns = 32.</dd>
<li>DeserializeScalar(buf): Implemented by attempting to deseriali <dt>DeserializeScalar(buf):</dt> <dd>Implemented by attempting to
ze a Scalar from a deserialize a Scalar from a
little-endian 32-byte string. This function can fail if the input does not little-endian, 32-byte string. This function can fail if the input does not
represent a Scalar in the range [0, <tt>G.Order()</tt> - 1]. Note that this mean s the represent a Scalar in the range [0, <tt>G.Order()</tt> - 1]. Note that this mean s the
top three bits of the input MUST be zero.</li> top three bits of the input <bcp14>MUST</bcp14> be zero.</dd>
</ul> </dl>
</li> </dd>
<li>Hash: SHA-512; Nh = 64.</li> <dt>Hash:</dt> <dd>SHA-512; Nh = 64.</dd>
</ul> </dl>
</section> </section>
<section anchor="oprfdecaf448-shake-256"> <section anchor="oprfdecaf448-shake-256">
<name>OPRF(decaf448, SHAKE-256)</name> <name>OPRF(decaf448, SHAKE-256)</name>
<t>This ciphersuite uses decaf448 <xref target="RISTRETTO"/> for the Gro up and SHAKE-256 for the Hash <t>This ciphersuite uses decaf448 <xref target="RFC9496"/> for the Group and SHAKE-256 for the hash
function. The value of the ciphersuite identifier is "decaf448-SHAKE256".</t> function. The value of the ciphersuite identifier is "decaf448-SHAKE256".</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>Group:</dt> <dd><t>decaf448 <xref target="RFC9496"/>
<t>Group: decaf448 <xref target="RISTRETTO"/>
</t> </t>
<ul spacing="normal"> <dl spacing="normal">
<li>Order(): Return 2^446 - 13818066809895115352007386748515426880 <dt>Order():</dt> <dd>Return 2<sup>446</sup> - 1381806680989511535
336692474882178609894547503885</li> 2007386748515426880336692474882178609894547503885.</dd>
<li>Identity(): As defined in <xref target="RISTRETTO"/>.</li> <dt>Identity():</dt> <dd>As defined in <xref target="RFC9496"/>.</
<li>Generator(): As defined in <xref target="RISTRETTO"/>.</li> dd>
<li>RandomScalar(): Implemented by returning a uniformly random Sc <dt>Generator():</dt> <dd>As defined in <xref target="RFC9496"/>.<
alar in the range /dd>
[0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme <dt>RandomScalar():</dt> <dd>Implemented by returning a uniformly
ntation guidance.</li> random Scalar in the range
<li>HashToGroup(): Use hash_to_decaf448 [0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme
<xref target="I-D.irtf-cfrg-hash-to-curve"/> with DST = ntation guidance.</dd>
"HashToGroup-" || contextString, and <tt>expand_message</tt> = <tt>expand_messag <dt>HashToGroup():</dt> <dd>Use hash_to_decaf448
e_xof</tt> <xref target="RFC9380"/> with DST =
using SHAKE-256.</li> "HashToGroup-" || contextString and <tt>expand_message</tt> = <tt>expand_message
<li>HashToScalar(): Compute <tt>uniform_bytes</tt> using <tt>expan _xof</tt>
d_message</tt> = <tt>expand_message_xof</tt>, using SHAKE-256.</dd>
<dt>HashToScalar():</dt> <dd>Compute <tt>uniform_bytes</tt> using
<tt>expand_message</tt> = <tt>expand_message_xof</tt>,
DST = "HashToScalar-" || contextString, and output length 64, interpret DST = "HashToScalar-" || contextString, and output length 64, interpret
<tt>uniform_bytes</tt> as a 512-bit integer in little-endian order, and reduce t he <tt>uniform_bytes</tt> as a 512-bit integer in little-endian order, and reduce t he
integer modulo <tt>Group.Order()</tt>.</li> integer modulo <tt>Group.Order()</tt>.</dd>
<li>ScalarInverse(s): Returns the multiplicative inverse of input <dt>ScalarInverse(s):</dt> <dd>Returns the multiplicative inverse
Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</li> of input Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</dd>
<li>SerializeElement(A): Implemented using the 'Encode' function f <dt>SerializeElement(A):</dt> <dd>Implemented using the <tt>Encode
rom Section 5.3.2 of <xref target="RISTRETTO"/>; Ne = 56.</li> </tt> function from <xref target="RFC9496" section="5.3.2" sectionFormat="of" />
<li>DeserializeElement(buf): Implemented using the 'Decode' functi ; Ne = 56.</dd>
on from Section 5.3.1 of <xref target="RISTRETTO"/>. <dt>DeserializeElement(buf):</dt> <dd>Implemented using the <tt>De
code</tt> function from <xref target="RFC9496" section="5.3.1" sectionFormat="of
" />.
Additionally, this function validates that the resulting element is not the grou p Additionally, this function validates that the resulting element is not the grou p
identity element. If these checks fail, deserialization returns an InputValidati identity element. If these checks fail, deserialization returns an InputValidati
onError error.</li> onError error.</dd>
<li>SerializeScalar(s): Implemented by outputting the little-endia <dt>SerializeScalar(s):</dt> <dd>Implemented by outputting the lit
n 56-byte encoding of tle-endian, 56-byte encoding of
the Scalar value; Ns = 56.</li> the Scalar value; Ns = 56.</dd>
<li>DeserializeScalar(buf): Implemented by attempting to deseriali <dt>DeserializeScalar(buf):</dt> <dd>Implemented by attempting to
ze a Scalar from a deserialize a Scalar from a
little-endian 56-byte string. This function can fail if the input does not little-endian, 56-byte string. This function can fail if the input does not
represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</li> represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</dd>
</ul> </dl>
</li> </dd>
<li>Hash: SHAKE-256; Nh = 64.</li> <dt>Hash:</dt> <dd>SHAKE-256; Nh = 64.</dd>
</ul> </dl>
</section> </section>
<section anchor="oprfp-256-sha-256"> <section anchor="oprfp-256-sha-256">
<name>OPRF(P-256, SHA-256)</name> <name>OPRF(P-256, SHA-256)</name>
<t>This ciphersuite uses P-256 <xref target="NISTCurves"/> for the Group and SHA-256 for the Hash <t>This ciphersuite uses P-256 <xref target="NISTCurves"/> for the Group and SHA-256 for the hash
function. The value of the ciphersuite identifier is "P256-SHA256".</t> function. The value of the ciphersuite identifier is "P256-SHA256".</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>Group:</dt> <dd><t>P-256 (secp256r1) <xref target="NISTCurves"/>
<t>Group: P-256 (secp256r1) <xref target="NISTCurves"/>
</t> </t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Order(): Return 0xffffffff00000000ffffffffffffffffbce6faada717 <dt>Order():</dt> <dd>Return 0xffffffff00000000ffffffffffffffffbce
9e84f3b9cac2fc632551.</li> 6faada7179e84f3b9cac2fc632551.</dd>
<li>Identity(): As defined in <xref target="NISTCurves"/>.</li> <dt>Identity():</dt> <dd>As defined in <xref target="NISTCurves"/>
<li>Generator(): As defined in <xref target="NISTCurves"/>.</li> .</dd>
<li>RandomScalar(): Implemented by returning a uniformly random Sc <dt>Generator():</dt> <dd>As defined in <xref target="NISTCurves"/
alar in the range >.</dd>
[0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme <dt>RandomScalar():</dt> <dd>Implemented by returning a uniformly
ntation guidance.</li> random Scalar in the range
<li>HashToGroup(): Use hash_to_curve with suite P256_XMD:SHA-256_S [0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme
SWU_RO_ ntation guidance.</dd>
<xref target="I-D.irtf-cfrg-hash-to-curve"/> and DST = <dt>HashToGroup():</dt> <dd>Use hash_to_curve with suite P256_XMD:
"HashToGroup-" || contextString.</li> SHA-256_SSWU_RO_
<li>HashToScalar(): Use hash_to_field from <xref target="I-D.irtf- <xref target="RFC9380"/> and DST =
cfrg-hash-to-curve"/> "HashToGroup-" || contextString.</dd>
<dt>HashToScalar():</dt> <dd>Use hash_to_field from <xref target="
RFC9380"/>
using L = 48, <tt>expand_message_xmd</tt> with SHA-256, using L = 48, <tt>expand_message_xmd</tt> with SHA-256,
DST = "HashToScalar-" || contextString, and DST = "HashToScalar-" || contextString, and a
prime modulus equal to <tt>Group.Order()</tt>.</li> prime modulus equal to <tt>Group.Order()</tt>.</dd>
<li>ScalarInverse(s): Returns the multiplicative inverse of input <dt>ScalarInverse(s):</dt> <dd>Returns the multiplicative inverse
Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</li> of input Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</dd>
<li>SerializeElement(A): Implemented using the compressed Elliptic <dt>SerializeElement(A):</dt> <dd>Implemented using the compressed
-Curve-Point-to-Octet-String Elliptic-Curve-Point-to-Octet-String
method according to <xref target="SEC1"/>; Ne = 33.</li> method according to <xref target="SEC1"/>; Ne = 33.</dd>
<li>DeserializeElement(buf): Implemented by attempting to deserial <dt>DeserializeElement(buf):</dt> <dd>Implemented by attempting to
ize a 33 byte input string to deserialize a 33-byte input string to
a public key using the compressed Octet-String-to-Elliptic-Curve-Point method ac a public key using the compressed Octet-String-to-Elliptic-Curve-Point method ac
cording to <xref target="SEC1"/>, cording to <xref target="SEC1"/>
and then performs partial public-key validation as defined in section 5.6.2.3.4 and then performing partial public-key validation, as defined in Section 5.6.2.3
of .4 of <xref target="KEYAGREEMENT"/>. This includes checking that the
<xref target="KEYAGREEMENT"/>. This includes checking that the
coordinates of the resulting point are in the correct range, that the point is o n coordinates of the resulting point are in the correct range, that the point is o n
the curve, and that the point is not the group identity element. the curve, and that the point is not the group identity element.
If these checks fail, deserialization returns an InputValidationError error.</li If these checks fail, deserialization returns an InputValidationError error.</dd
> >
<li>SerializeScalar(s): Implemented using the Field-Element-to-Oct <dt>SerializeScalar(s):</dt> <dd>Implemented using the Field-Eleme
et-String conversion nt-to-Octet-String conversion
according to <xref target="SEC1"/>; Ns = 32.</li> according to <xref target="SEC1"/>; Ns = 32.</dd>
<li>DeserializeScalar(buf): Implemented by attempting to deseriali <dt>DeserializeScalar(buf):</dt> <dd>Implemented by attempting to
ze a Scalar from a 32-byte deserialize a Scalar from a 32-byte
string using Octet-String-to-Field-Element from <xref target="SEC1"/>. This func tion can fail if the string using Octet-String-to-Field-Element from <xref target="SEC1"/>. This func tion can fail if the
input does not represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</li> input does not represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</dd>
</ul> </dl>
</li> </dd>
<li>Hash: SHA-256; Nh = 32.</li> <dt>Hash:</dt> <dd>SHA-256; Nh = 32.</dd>
</ul> </dl>
</section> </section>
<section anchor="oprfp-384-sha-384"> <section anchor="oprfp-384-sha-384">
<name>OPRF(P-384, SHA-384)</name> <name>OPRF(P-384, SHA-384)</name>
<t>This ciphersuite uses P-384 <xref target="NISTCurves"/> for the Group and SHA-384 for the Hash <t>This ciphersuite uses P-384 <xref target="NISTCurves"/> for the Group and SHA-384 for the hash
function. The value of the ciphersuite identifier is "P384-SHA384".</t> function. The value of the ciphersuite identifier is "P384-SHA384".</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>Group:</dt> <dd><t>P-384 (secp384r1) <xref target="NISTCurves"/>
<t>Group: P-384 (secp384r1) <xref target="NISTCurves"/>
</t> </t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Order(): Return 0xffffffffffffffffffffffffffffffffffffffffffff <dt>Order():</dt> <dd>Return 0xfffffffffffffffffffffffffffffffffff
ffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973.</li> fffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973.</dd>
<li>Identity(): As defined in <xref target="NISTCurves"/>.</li> <dt>Identity():</dt> <dd>As defined in <xref target="NISTCurves"/>
<li>Generator(): As defined in <xref target="NISTCurves"/>.</li> .</dd>
<li>RandomScalar(): Implemented by returning a uniformly random Sc <dt>Generator():</dt> <dd>As defined in <xref target="NISTCurves"/
alar in the range >.</dd>
[0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme <dt>RandomScalar():</dt> <dd>Implemented by returning a uniformly
ntation guidance.</li> random Scalar in the range
<li>HashToGroup(): Use hash_to_curve with suite P384_XMD:SHA-384_S [0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme
SWU_RO_ ntation guidance.</dd>
<xref target="I-D.irtf-cfrg-hash-to-curve"/> and DST = <dt>HashToGroup():</dt> <dd>Use hash_to_curve with suite P384_XMD:
"HashToGroup-" || contextString.</li> SHA-384_SSWU_RO_
<li>HashToScalar(): Use hash_to_field from <xref target="I-D.irtf- <xref target="RFC9380"/> and DST =
cfrg-hash-to-curve"/> "HashToGroup-" || contextString.</dd>
<dt>HashToScalar():</dt> <dd>Use hash_to_field from <xref target="
RFC9380"/>
using L = 72, <tt>expand_message_xmd</tt> with SHA-384, using L = 72, <tt>expand_message_xmd</tt> with SHA-384,
DST = "HashToScalar-" || contextString, and DST = "HashToScalar-" || contextString, and a
prime modulus equal to <tt>Group.Order()</tt>.</li> prime modulus equal to <tt>Group.Order()</tt>.</dd>
<li>ScalarInverse(s): Returns the multiplicative inverse of input <dt>ScalarInverse(s):</dt> <dd>Returns the multiplicative inverse
Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</li> of input Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</dd>
<li>SerializeElement(A): Implemented using the compressed Elliptic <dt>SerializeElement(A):</dt> <dd>Implemented using the compressed
-Curve-Point-to-Octet-String Elliptic-Curve-Point-to-Octet-String
method according to <xref target="SEC1"/>; Ne = 49.</li> method according to <xref target="SEC1"/>; Ne = 49.</dd>
<li>DeserializeElement(buf): Implemented by attempting to deserial <dt>DeserializeElement(buf):</dt> <dd>Implemented by attempting to
ize a 49-byte array to deserialize a 49-byte array to
a public key using the compressed Octet-String-to-Elliptic-Curve-Point method ac a public key using the compressed Octet-String-to-Elliptic-Curve-Point method ac
cording to <xref target="SEC1"/>, cording to <xref target="SEC1"/>
and then performs partial public-key validation as defined in section 5.6.2.3.4 and then performing partial public-key validation, as defined in Section 5.6.2.3
of .4 of <xref target="KEYAGREEMENT"/>. This includes checking that the
<xref target="KEYAGREEMENT"/>. This includes checking that the
coordinates of the resulting point are in the correct range, that the point is o n coordinates of the resulting point are in the correct range, that the point is o n
the curve, and that the point is not the point at infinity. Additionally, this f unction the curve, and that the point is not the point at infinity. Additionally, this f unction
validates that the resulting element is not the group identity element. validates that the resulting element is not the group identity element.
If these checks fail, deserialization returns an InputValidationError error.</li If these checks fail, deserialization returns an InputValidationError error.</dd
> >
<li>SerializeScalar(s): Implemented using the Field-Element-to-Oct <dt>SerializeScalar(s):</dt> <dd>Implemented using the Field-Eleme
et-String conversion nt-to-Octet-String conversion
according to <xref target="SEC1"/>; Ns = 48.</li> according to <xref target="SEC1"/>; Ns = 48.</dd>
<li>DeserializeScalar(buf): Implemented by attempting to deseriali <dt>DeserializeScalar(buf):</dt> <dd>Implemented by attempting to
ze a Scalar from a 48-byte deserialize a Scalar from a 48-byte
string using Octet-String-to-Field-Element from <xref target="SEC1"/>. This func tion can fail if the string using Octet-String-to-Field-Element from <xref target="SEC1"/>. This func tion can fail if the
input does not represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</li> input does not represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</dd>
</ul> </dl>
</li> </dd>
<li>Hash: SHA-384; Nh = 48.</li> <dt>Hash:</dt> <dd>SHA-384; Nh = 48.</dd>
</ul> </dl>
</section> </section>
<section anchor="oprfp-521-sha-512"> <section anchor="oprfp-521-sha-512">
<name>OPRF(P-521, SHA-512)</name> <name>OPRF(P-521, SHA-512)</name>
<t>This ciphersuite uses P-521 <xref target="NISTCurves"/> for the Group and SHA-512 for the Hash <t>This ciphersuite uses P-521 <xref target="NISTCurves"/> for the Group and SHA-512 for the hash
function. The value of the ciphersuite identifier is "P521-SHA512".</t> function. The value of the ciphersuite identifier is "P521-SHA512".</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>Group:</dt> <dd><t>P-521 (secp521r1) <xref target="NISTCurves"/>
<t>Group: P-521 (secp521r1) <xref target="NISTCurves"/>
</t> </t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Order(): Return 0x01ffffffffffffffffffffffffffffffffffffffffff <dt>Order():</dt> <dd>Return 0x01fffffffffffffffffffffffffffffffff
fffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e ffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47a
91386409.</li> ebb6fb71e91386409.</dd>
<li>Identity(): As defined in <xref target="NISTCurves"/>.</li> <dt>Identity():</dt> <dd>As defined in <xref target="NISTCurves"/>
<li>Generator(): As defined in <xref target="NISTCurves"/>.</li> .</dd>
<li>RandomScalar(): Implemented by returning a uniformly random Sc <dt>Generator():</dt> <dd>As defined in <xref target="NISTCurves"/
alar in the range >.</dd>
[0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme <dt>RandomScalar():</dt> <dd>Implemented by returning a uniformly
ntation guidance.</li> random Scalar in the range
<li>HashToGroup(): Use hash_to_curve with suite P521_XMD:SHA-512_S [0, <tt>G.Order()</tt> - 1]. Refer to <xref target="random-scalar"/> for impleme
SWU_RO_ ntation guidance.</dd>
<xref target="I-D.irtf-cfrg-hash-to-curve"/> and DST = <dt>HashToGroup():</dt> <dd>Use hash_to_curve with suite P521_XMD:
"HashToGroup-" || contextString.</li> SHA-512_SSWU_RO_
<li>HashToScalar(): Use hash_to_field from <xref target="I-D.irtf- <xref target="RFC9380"/> and DST =
cfrg-hash-to-curve"/> "HashToGroup-" || contextString.</dd>
<dt>HashToScalar():</dt> <dd>Use hash_to_field from <xref target="
RFC9380"/>
using L = 98, <tt>expand_message_xmd</tt> with SHA-512, using L = 98, <tt>expand_message_xmd</tt> with SHA-512,
DST = "HashToScalar-" || contextString, and DST = "HashToScalar-" || contextString, and a
prime modulus equal to <tt>Group.Order()</tt>.</li> prime modulus equal to <tt>Group.Order()</tt>.</dd>
<li>ScalarInverse(s): Returns the multiplicative inverse of input <dt>ScalarInverse(s):</dt> <dd>Returns the multiplicative inverse
Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</li> of input Scalar <tt>s</tt> mod <tt>Group.Order()</tt>.</dd>
<li>SerializeElement(A): Implemented using the compressed Elliptic <dt>SerializeElement(A):</dt> <dd>Implemented using the compressed
-Curve-Point-to-Octet-String Elliptic-Curve-Point-to-Octet-String
method according to <xref target="SEC1"/>; Ne = 67.</li> method according to <xref target="SEC1"/>; Ne = 67.</dd>
<li>DeserializeElement(buf): Implemented by attempting to deserial <dt>DeserializeElement(buf):</dt> <dd>Implemented by attempting to
ize a 49 byte input string to deserialize a 67-byte input string to
a public key using the compressed Octet-String-to-Elliptic-Curve-Point method ac a public key using the compressed Octet-String-to-Elliptic-Curve-Point method ac
cording to <xref target="SEC1"/>, cording to <xref target="SEC1"/>
and then performs partial public-key validation as defined in section 5.6.2.3.4 and then performing partial public-key validation, as defined in Section 5.6.2.3
of .4 of <xref target="KEYAGREEMENT"/>. This includes checking that the
<xref target="KEYAGREEMENT"/>. This includes checking that the
coordinates of the resulting point are in the correct range, that the point is o n coordinates of the resulting point are in the correct range, that the point is o n
the curve, and that the point is not the point at infinity. Additionally, this f unction the curve, and that the point is not the point at infinity. Additionally, this f unction
validates that the resulting element is not the group identity element. validates that the resulting element is not the group identity element.
If these checks fail, deserialization returns an InputValidationError error.</li If these checks fail, deserialization returns an InputValidationError error.</dd
> >
<li>SerializeScalar(s): Implemented using the Field-Element-to-Oct <dt>SerializeScalar(s):</dt> <dd>Implemented using the Field-Eleme
et-String conversion nt-to-Octet-String conversion
according to <xref target="SEC1"/>; Ns = 66.</li> according to <xref target="SEC1"/>; Ns = 66.</dd>
<li>DeserializeScalar(buf): Implemented by attempting to deseriali <dt>DeserializeScalar(buf):</dt> <dd>Implemented by attempting to
ze a Scalar from a 66-byte deserialize a Scalar from a 66-byte
string using Octet-String-to-Field-Element from <xref target="SEC1"/>. This func tion can fail if the string using Octet-String-to-Field-Element from <xref target="SEC1"/>. This func tion can fail if the
input does not represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</li> input does not represent a Scalar in the range [0, <tt>G.Order()</tt> - 1].</dd>
</ul> </dl>
</li> </dd>
<li>Hash: SHA-512; Nh = 64.</li> <dt>Hash:</dt> <dd>SHA-512; Nh = 64.</dd>
</ul> </dl>
</section> </section>
<section anchor="suite-requirements"> <section anchor="suite-requirements">
<name>Future Ciphersuites</name> <name>Future Ciphersuites</name>
<t>A critical requirement of implementing the prime-order group using <t>A critical requirement of implementing the prime-order group using
elliptic curves is a method to instantiate the function elliptic curves is a method to instantiate the function
<tt>HashToGroup</tt>, that maps inputs to group elements. In the elliptic <tt>HashToGroup</tt>, which maps inputs to group elements. In the elliptic
curve setting, this deterministically maps inputs (as byte arrays) to curve setting, this deterministically maps inputs (as byte arrays) to
uniformly chosen points on the curve.</t> uniformly chosen points on the curve.</t>
<t>In the security proof of the construction Hash is modeled as a random <t>In the security proof of the construction, Hash is modeled as a rando m
oracle. This implies that any instantiation of <tt>HashToGroup</tt> must be oracle. This implies that any instantiation of <tt>HashToGroup</tt> must be
pre-image and collision resistant. In <xref target="ciphersuites"/> we give pre-image and collision resistant. In <xref target="ciphersuites"/>, we give
instantiations of this functionality based on the functions described in instantiations of this functionality based on the functions described in
<xref target="I-D.irtf-cfrg-hash-to-curve"/>. Consequently, any OPRF implementat ion <xref target="RFC9380"/>. Consequently, any OPRF implementation
must adhere to the implementation and security considerations discussed must adhere to the implementation and security considerations discussed
in <xref target="I-D.irtf-cfrg-hash-to-curve"/> when instantiating the function. in <xref target="RFC9380"/> when instantiating the function.</t>
</t> <t>The <tt>DeserializeElement</tt> and <tt>DeserializeScalar</tt> functi
<t>The DeserializeElement and DeserializeScalar functions instantiated f ons instantiated for a
or a particular prime-order group corresponding to a ciphersuite <bcp14>MUST</bcp14>
particular prime-order group corresponding to a ciphersuite MUST adhere to adhere to
the description in <xref target="pog"/>. Future ciphersuites MUST describe how i the description in <xref target="pog"/>. Future ciphersuites <bcp14>MUST</bcp14>
nput describe how input
validation is done for DeserializeElement and DeserializeScalar.</t> validation is done for <tt>DeserializeElement</tt> and <tt>DeserializeScalar</tt
>.</t>
<t>Additionally, future ciphersuites must take care when choosing the <t>Additionally, future ciphersuites must take care when choosing the
security level of the group. See <xref target="limits"/> for additional details. </t> security level of the group. See <xref target="limits"/> for additional details. </t>
</section> </section>
<section anchor="random-scalar"> <section anchor="random-scalar">
<name>Random Scalar Generation</name> <name>Random Scalar Generation</name>
<t>Two popular algorithms for generating a random integer uniformly dist ributed in <t>Two popular algorithms for generating a random integer uniformly dist ributed in
the range [0, G.Order() -1] are as follows:</t> the range [0, G.Order() - 1] are described in the following subsections.</t>
<section anchor="rejection-sampling"> <section anchor="rejection-sampling">
<name>Rejection Sampling</name> <name>Rejection Sampling</name>
<t>Generate a random byte array with <tt>Ns</tt> bytes, and attempt to map to a Scalar <t>Generate a random byte array with <tt>Ns</tt> bytes and attempt to map to a Scalar
by calling <tt>DeserializeScalar</tt> in constant time. If it succeeds, return t he by calling <tt>DeserializeScalar</tt> in constant time. If it succeeds, return t he
result. If it fails, try again with another random byte array, until the result. If it fails, try again with another random byte array until the
procedure succeeds. Failure to implement <tt>DeserializeScalar</tt> in constant time procedure succeeds. Failure to implement <tt>DeserializeScalar</tt> in constant time
can leak information about the underlying corresponding Scalar.</t> can leak information about the underlying corresponding Scalar.</t>
<t>As an optimization, if the group order is very close to a power of <t>As an optimization, if the group order is very close to a power of
2, it is acceptable to omit the rejection test completely. In 2, it is acceptable to omit the rejection test completely. In
particular, if the group order is p, and there is an integer b particular, if the group order is p and there is an integer b
such that |p - 2<sup>b</sup>| is less than 2<sup>(b/2)</sup>, then such that |p - 2<sup>b</sup>| is less than 2<sup>(b/2)</sup>, then
<tt>RandomScalar</tt> can simply return a uniformly random integer of at <tt>RandomScalar</tt> can simply return a uniformly random integer of at
most b bits.</t> most b bits.</t>
</section> </section>
<section anchor="random-number-generation-using-extra-random-bits"> <section anchor="random-number-generation-using-extra-random-bits">
<name>Random Number Generation Using Extra Random Bits</name> <name>Random Number Generation Using Extra Random Bits</name>
<t>Generate a random byte array with <tt>L = ceil(((3 * ceil(log2(G.Or der()))) / 2) / 8)</tt> <t>Generate a random byte array with <tt>L = ceil(((3 * ceil(log2(G.Or der()))) / 2) / 8)</tt>
bytes, and interpret it as an integer; reduce the integer modulo <tt>G.Order()</ bytes, and interpret it as an integer; reduce the integer modulo <tt>G.Order()</
tt> and return the tt>, and return the
result. See <xref section="5" sectionFormat="comma" target="I-D.irtf-cfrg-hash-t result. See <xref section="5" sectionFormat="comma" target="RFC9380"/> for the u
o-curve"/> for the underlying derivation of <tt>L</tt>.</t> nderlying derivation of <tt>L</tt>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="apis"> <section anchor="apis">
<name>Application Considerations</name> <name>Application Considerations</name>
<t>This section describes considerations for applications, including exter nal interface <t>This section describes considerations for applications, including exter nal interface
recommendations, explicit error treatment, and public input representation for t he recommendations, explicit error treatment, and public input representation for t he
POPRF protocol variant.</t> POPRF protocol variant.</t>
<section anchor="input-limits"> <section anchor="input-limits">
<name>Input Limits</name> <name>Input Limits</name>
<t>Application inputs, expressed as PrivateInput or PublicInput values, <t>Application inputs, expressed as <tt>PrivateInput</tt> or <tt>PublicI
MUST be smaller nput</tt> values, <bcp14>MUST</bcp14> be smaller
than 2<sup>16</sup>-1 bytes in length. Applications that require longer inputs c than 2<sup>16</sup> - 1 bytes in length. Applications that require longer inputs
an use a cryptographic can use a cryptographic
hash function to map these longer inputs to a fixed-length input that fits withi n the hash function to map these longer inputs to a fixed-length input that fits withi n the
PublicInput or PrivateInput length bounds. Note that some cryptographic hash fun ctions <tt>PublicInput</tt> or <tt>PrivateInput</tt> length bounds. Note that some cryp tographic hash functions
have input length restrictions themselves, but these limits are often large enou gh to have input length restrictions themselves, but these limits are often large enou gh to
not be a concern in practice. For example, SHA-256 has an input limit of 2^61 by tes.</t> not be a concern in practice. For example, SHA-256 has an input limit of 2<sup>6 1</sup> bytes.</t>
</section> </section>
<section anchor="external-interface-recommendations"> <section anchor="external-interface-recommendations">
<name>External Interface Recommendations</name> <name>External Interface Recommendations</name>
<t>In <xref target="online"/>, the interface of the protocol functions a llows that some inputs <t>In <xref target="online"/>, the interface of the protocol functions a llows that some inputs
(and outputs) to be group elements and scalars. However, implementations can (and outputs) to be group Element and Scalar values. However, implementations ca
instead operate over group elements and scalars internally, and only expose n
instead operate over Element and Scalar values internally and only expose
interfaces that operate with an application-specific format of messages.</t> interfaces that operate with an application-specific format of messages.</t>
</section> </section>
<section anchor="errors"> <section anchor="errors">
<name>Error Considerations</name> <name>Error Considerations</name>
<t>Some OPRF variants specified in this document have fallible operation s. For example, <tt>Finalize</tt> <t>Some OPRF variants specified in this document have fallible operation s. For example, <tt>Finalize</tt>
and <tt>BlindEvaluate</tt> can fail if any element received from the peer fails input validation. and <tt>BlindEvaluate</tt> can fail if any element received from the peer fails input validation.
The explicit errors generated throughout this specification, along with the The explicit errors generated throughout this specification, along with the
conditions that lead to each error, are as follows:</t> conditions that lead to each error, are as follows:</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>
<tt>VerifyError</tt>: Verifiable OPRF proof verification failed; <xr <tt>VerifyError</tt>:</dt> <dd>Verifiable OPRF proof verification fa
ef target="voprf"/> and <xref target="poprf"/>.</li> iled (Sections <xref target="voprf" format="counter"/> and <xref target="poprf"
<li> format="counter"/>).</dd>
<tt>DeserializeError</tt>: Group Element or Scalar deserialization f <dt>
ailure; <xref target="pog"/> and <xref target="online"/>.</li> <tt>DeserializeError</tt>:</dt> <dd>Group Element or Scalar deserial
<li> ization failure (Sections <xref target="pog" format="counter"/> and <xref target
<tt>InputValidationError</tt>: Validation of byte array inputs faile ="online" format="counter"/>).</dd>
d; <xref target="ciphersuites"/>.</li> <dt>
</ul> <tt>InputValidationError</tt>:</dt> <dd>Validation of byte array inp
uts failed (<xref target="ciphersuites"/>).</dd>
</dl>
<t>There are other explicit errors generated in this specification; howe ver, they occur with <t>There are other explicit errors generated in this specification; howe ver, they occur with
negligible probability in practice. We note them here for completeness.</t> negligible probability in practice. We note them here for completeness.</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li> <dt>
<tt>InvalidInputError</tt>: OPRF Blind input produces an invalid out <tt>InvalidInputError</tt>:</dt> <dd>OPRF Blind input produces an in
put element; <xref target="oprf"/> and <xref target="poprf"/>.</li> valid output element (Sections <xref target="oprf" format="counter"/> and <xref
<li> target="poprf" format="counter"/>).</dd>
<tt>InverseError</tt>: A tweaked private key is invalid (has no mult <dt>
iplicative inverse); <xref target="pog"/> and <xref target="online"/>.</li> <tt>InverseError</tt>:</dt> <dd>A tweaked private key is invalid, i.
</ul> e., has no multiplicative inverse (Sections <xref target="pog" format="counter"/
> and <xref target="online" format="counter"/>).</dd>
</dl>
<t>In general, the errors in this document are meant as a guide to imple mentors. <t>In general, the errors in this document are meant as a guide to imple mentors.
They are not an exhaustive list of all the errors an implementation might emit. They are not an exhaustive list of all the errors an implementation might emit.
For example, implementations might run out of memory and return a corresponding error.</t> For example, implementations might run out of memory and return a corresponding error.</t>
</section> </section>
<section anchor="poprf-public-input"> <section anchor="poprf-public-input">
<name>POPRF Public Input</name> <name>POPRF Public Input</name>
<t>Functionally, the VOPRF and POPRF variants differ in that the POPRF v ariant <t>Functionally, the VOPRF and POPRF variants differ in that the POPRF v ariant
admits public input, whereas the VOPRF variant does not. Public input allows admits public input, whereas the VOPRF variant does not. Public input allows
clients and servers to cryptographically bind additional data to the POPRF outpu t. clients and servers to cryptographically bind additional data to the POPRF outpu t.
A POPRF with fixed public input is functionally equivalent to a VOPRF. However, there A POPRF with fixed public input is functionally equivalent to a VOPRF. However, there
are differences in the underlying security assumptions made about each variant; are differences in the underlying security assumptions made about each variant;
see <xref target="cryptanalysis"/> for more details.</t> see <xref target="cryptanalysis"/> for more details.</t>
<t>This public input is known to both parties at the start of the protoc ol. It is RECOMMENDED <t>This public input is known to both parties at the start of the protoc ol. It is <bcp14>RECOMMENDED</bcp14>
that this public input be constructed with some type of higher-level domain sepa ration that this public input be constructed with some type of higher-level domain sepa ration
to avoid cross protocol attacks or related issues. For example, protocols using to avoid cross protocol attacks or related issues. For example, protocols using
this construction might ensure that the public input uses a unique, prefix-free encoding. this construction might ensure that the public input uses a unique, prefix-free encoding.
See <xref section="10.4" sectionFormat="comma" target="I-D.irtf-cfrg-hash-to-cur ve"/> for further discussion on See <xref section="10.4" sectionFormat="comma" target="RFC9380"/> for further di scussion on
constructing domain separation values.</t> constructing domain separation values.</t>
<t>Implementations of the POPRF may choose to not let applications contr ol <tt>info</tt> in <t>Implementations of the POPRF may choose to not let applications contr ol <tt>info</tt> in
cases where this value is fixed or otherwise not useful to the application. In t his cases where this value is fixed or otherwise not useful to the application. In t his
case, the resulting protocol is functionally equivalent to the VOPRF, which does not case, the resulting protocol is functionally equivalent to the VOPRF, which does not
admit public input.</t> admit public input.</t>
</section> </section>
</section> </section>
<section anchor="iana"> <section anchor="iana">
<name>IANA considerations</name> <name>IANA Considerations</name>
<t>This document has no IANA actions.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section anchor="sec"> <section anchor="sec">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>This section discusses the security of the protocols defined in this sp ecification, along <t>This section discusses the security of the protocols defined in this sp ecification, along
with some suggestions and trade-offs that arise from the implementation with some suggestions and trade-offs that arise from the implementation
of the protocol variants in this document. Note that the syntax of the POPRF of the protocol variants in this document. Note that the syntax of the POPRF
variant is different from that of the OPRF and VOPRF variants since it variant is different from that of the OPRF and VOPRF variants since it
admits an additional public input, but the same security considerations apply.</ t> admits an additional public input, but the same security considerations apply.</ t>
<section anchor="properties"> <section anchor="properties">
<name>Security Properties</name> <name>Security Properties</name>
<t>The security properties of an OPRF protocol with functionality y = F( k, x) <t>The security properties of an OPRF protocol with functionality y = F( k, x)
include those of a standard PRF. Specifically:</t> include those of a standard PRF. Specifically:</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Pseudorandomness: For a random sampling of k, F is pseudorandom if <dt>Pseudorandomness:</dt> <dd>For a random sampling of k, F is pseudo
the output random if the output
y = F(k, x) on any input x is indistinguishable from uniformly sampling any y = F(k, x) on any input x is indistinguishable from uniformly sampling any
element in F's range.</li> element in F's range.</dd>
</ul> </dl>
<t>In other words, consider an adversary that picks inputs x from the <t>In other words, consider an adversary that picks inputs x from the
domain of F and evaluates F on (k, x) (without knowledge of randomly domain of F and evaluates F on (k, x) (without knowledge of randomly
sampled k). Then the output distribution F(k, x) is indistinguishable sampled k). Then, the output distribution F(k, x) is indistinguishable
from the output distribution of a randomly chosen function with the same from the output distribution of a randomly chosen function with the same
domain and range.</t> domain and range.</t>
<t>A consequence of showing that a function is pseudorandom is that it i s <t>A consequence of showing that a function is pseudorandom is that it i s
necessarily non-malleable (i.e. we cannot compute a new evaluation of F necessarily nonmalleable (i.e., we cannot compute a new evaluation of F
from an existing evaluation). A genuinely random function will be from an existing evaluation). A genuinely random function will be
non-malleable with high probability, and so a pseudorandom function must nonmalleable with high probability, so a pseudorandom function must
be non-malleable to maintain indistinguishability.</t> be nonmalleable to maintain indistinguishability.</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Unconditional input secrecy: The server does not learn anything ab <dt>Unconditional input secrecy:</dt> <dd>The server does not learn an
out ything about
the client input x, even with unbounded computation.</li> the client input x, even with unbounded computation.</dd>
</ul> </dl>
<t>In other words, an attacker with infinite computing power cannot reco ver any <t>In other words, an attacker with infinite computing power cannot reco ver any
information about the client's private input x from an invocation of the information about the client's private input x from an invocation of the
protocol.</t> protocol.</t>
<t>Essentially, input secrecy is the property that, even if the server l earns <t>Essentially, input secrecy is the property that, even if the server l earns
the client's private input x at some point in the future, the server cannot the client's private input x at some point in the future, the server cannot
link any particular PRF evaluation to x. This property is link any particular PRF evaluation to x. This property is
also known as unlinkability <xref target="DGSTV18"/>.</t> also known as unlinkability <xref target="DGSTV18"/>.</t>
<t>Beyond client input secret, in the OPRF protocol, the server learns n <t>Beyond client input secrecy, in the OPRF protocol, the server learns
othing about nothing about
the output y of the function, nor does the client learn anything about the the output y of the function, nor does the client learn anything about the
server's private key k.</t> server's private key k.</t>
<t>For the VOPRF and POPRF protocol variants, there is an additional <t>For the VOPRF and POPRF protocol variants, there is an additional
security property:</t> security property:</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Verifiable: The client must only complete execution of the protoco <dt>Verifiable:</dt> <dd>The client must only complete execution of th
l if e protocol if
it can successfully assert that the output it computes is it can successfully assert that the output it computes is
correct. This is taken with respect to the private key held by the correct. This is taken with respect to the private key held by the
server.</li> server.</dd>
</ul> </dl>
<t>Any VOPRF or POPRF that satisfies the 'verifiable' security property is known <t>Any VOPRF or POPRF that satisfies the 'verifiable' security property is known
as 'verifiable'. In practice, the notion of verifiability requires that as 'verifiable'. In practice, the notion of verifiability requires that
the server commits to the key before the actual protocol execution takes the server commits to the key before the actual protocol execution takes
place. Then the client verifies that the server has used the key in the place. Then, the client verifies that the server has used the key in the
protocol using this commitment. In the following, we may also refer to this protocol using this commitment. In the following, we may also refer to this
commitment as a public key.</t> commitment as a public key.</t>
<t>Finally, the POPRF variant also has the following security property:< /t> <t>Finally, the POPRF variant also has the following security property:< /t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Partial obliviousness: The client and server must be able to perfo <dt>Partial obliviousness:</dt> <dd>The client and server must be able
rm the to perform the
PRF on client's private input and public input. Both client and server know PRF on the client's private and public input. Both the client and server know
the public input, but similar to the OPRF and VOPRF protocols, the server the public input, but similar to the OPRF and VOPRF protocols, the server
learns nothing about the client's private input or the output of the function, learns nothing about the client's private input or the output of the function,
and the client learns nothing about the server's private key.</li> and the client learns nothing about the server's private key.</dd>
</ul> </dl>
<t>This property becomes useful when dealing with key management operati <t>This property becomes useful when dealing with key management operati
ons such as ons, such as
the rotation of server's keys. Note that partial obliviousness only applies the rotation of the server's keys. Note that partial obliviousness only applies
to the POPRF variant because neither the OPRF nor VOPRF variants accept public to the POPRF variant because neither the OPRF nor VOPRF variants accept public
input to the protocol.</t> input to the protocol.</t>
<t>Since the POPRF variant has a different syntax than the OPRF and VOPR F variants, <t>Since the POPRF variant has a different syntax than the OPRF and VOPR F variants,
i.e., y = F(k, x, info), the pseudorandomness property is generalized:</t> i.e., y = F(k, x, info), the pseudorandomness property is generalized:</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>Pseudorandomness: For a random sampling of k, F is pseudorandom if <dt>Pseudorandomness:</dt> <dd>For a random sampling of k, F is pseudo
the output random if the output
y = F(k, x, info) on any input pairs (x, info) is indistinguishable from uniform ly y = F(k, x, info) on any input pairs (x, info) is indistinguishable from uniform ly
sampling any element in F's range.</li> sampling any element in F's range.</dd>
</ul> </dl>
</section> </section>
<section anchor="cryptanalysis"> <section anchor="cryptanalysis">
<name>Security Assumptions</name> <name>Security Assumptions</name>
<t>Below, we discuss the cryptographic security of each protocol variant <t>Below, we discuss the cryptographic security of each protocol variant
from <xref target="protocol"/>, relative to the necessary cryptographic assumpti ons from <xref target="protocol"/>, relative to the necessary cryptographic assumpti ons
that need to be made.</t> that need to be made.</t>
<section anchor="oprf-and-voprf-assumptions"> <section anchor="oprf-and-voprf-assumptions">
<name>OPRF and VOPRF Assumptions</name> <name>OPRF and VOPRF Assumptions</name>
<t>The OPRF and VOPRF protocol variants in this document are based on <xref target="JKK14"/>. <t>The OPRF and VOPRF protocol variants in this document are based on <xref target="JKK14"/>.
In particular, the VOPRF construction is similar to the <xref target="JKK14"/> c onstruction In particular, the VOPRF construction is similar to the <xref target="JKK14"/> c onstruction
with the following distinguishing properties:</t> with the following distinguishing properties:</t>
<ol spacing="normal" type="1"><li>This document does not use session i dentifiers to differentiate different instances of the protocol; and</li> <ol spacing="normal" type="1"><li>This document does not use session i dentifiers to differentiate different instances of the protocol.</li>
<li>This document supports batching so that multiple evaluations can happen at once whilst only constructing <li>This document supports batching so that multiple evaluations can happen at once whilst only constructing
one DLEQ proof object. This is enabled using an established batching technique < xref target="DGSTV18"/>.</li> one DLEQ proof object. This is enabled using an established batching technique < xref target="DGSTV18"/>.</li>
</ol> </ol>
<t>The pseudorandomness and input secrecy (and verifiability) of the O PRF (and <t>The pseudorandomness and input secrecy (and verifiability) of the O PRF (and
VOPRF) protocols in <xref target="JKK14"/> are based on the One-More Gap Computa tional VOPRF) protocols in <xref target="JKK14"/> are based on the One-More Gap Computa tional
Diffie Hellman assumption that is computationally difficult to solve in the corr esponding prime-order group. Diffie-Hellman assumption that is computationally difficult to solve in the corr esponding prime-order group.
In <xref target="JKK14"/>, these properties are proven for one instance (i.e., o ne key) of In <xref target="JKK14"/>, these properties are proven for one instance (i.e., o ne key) of
the VOPRF protocol, and without batching. There is currently no security the VOPRF protocol and without batching. There is currently no security
analysis available for the VOPRF protocol described in this document in analysis available for the VOPRF protocol described in this document in
a setting with multiple server keys or batching.</t> a setting with multiple server keys or batching.</t>
</section> </section>
<section anchor="poprf-assumptions"> <section anchor="poprf-assumptions">
<name>POPRF Assumptions</name> <name>POPRF Assumptions</name>
<t>The POPRF construction in this document is based on the constructio n known <t>The POPRF construction in this document is based on the constructio n known
as 3HashSDHI given by <xref target="TCRSTW21"/>. The construction is identical t o as 3HashSDHI, given by <xref target="TCRSTW21"/>. The construction is identical to
3HashSDHI, except that this design can optionally perform multiple POPRF 3HashSDHI, except that this design can optionally perform multiple POPRF
evaluations in one batch, whilst only constructing one DLEQ proof object. evaluations in one batch, whilst only constructing one DLEQ proof object.
This is enabled using an established batching technique <xref target="DGSTV18"/> .</t> This is enabled using an established batching technique <xref target="DGSTV18"/> .</t>
<t>Pseudorandomness, input secrecy, verifiability, and partial oblivio usness of the POPRF variant is <t>Pseudorandomness, input secrecy, verifiability, and partial oblivio usness of the POPRF variant is
based on the assumption that the One-More Gap Strong Diffie-Hellman Inversion (S DHI) based on the assumption that the One-More Gap Strong Diffie-Hellman Inversion (S DHI)
assumption from <xref target="TCRSTW21"/> is computationally difficult to solve in the corresponding assumption from <xref target="TCRSTW21"/> is computationally difficult to solve in the corresponding
prime-order group. Tyagi et al. <xref target="TCRSTW21"/> show that both the One -More Gap Computational Diffie Hellman assumption prime-order group. Tyagi et al.&nbsp;<xref target="TCRSTW21"/> show that both th e One-More Gap Computational Diffie-Hellman assumption
and the One-More Gap SDHI assumption reduce to the q-DL (Discrete Log) assumptio n and the One-More Gap SDHI assumption reduce to the q-DL (Discrete Log) assumptio n
in the algebraic group model, for some q number of <tt>BlindEvaluate</tt> querie in the algebraic group model for some q number of <tt>BlindEvaluate</tt> queries
s. .
(The One-More Gap Computational Diffie Hellman assumption was the hardness assum (The One-More Gap Computational Diffie-Hellman assumption was the hardness assum
ption used to ption used to
evaluate the OPRF and VOPRF designs based on <xref target="JKK14"/>, which is a predecessor evaluate the OPRF and VOPRF designs based on <xref target="JKK14"/>, which is a predecessor
to the POPRF variant in <xref target="poprf"/>.)</t> to the POPRF variant in <xref target="poprf"/>.)</t>
</section> </section>
<section anchor="limits"> <section anchor="limits">
<name>Static Diffie Hellman Attack and Security Limits</name> <name>Static Diffie-Hellman Attack and Security Limits</name>
<t>A side-effect of the OPRF protocol variants in this document is tha <t>A side effect of the OPRF protocol variants in this document is tha
t they allow t they allow
instantiation of an oracle for constructing static DH samples; see <xref target= instantiation of an oracle for constructing static Diffie-Hellman (DH) samples;
"BG04"/> and <xref target="Cheon06"/>. see <xref target="BG04"/> and <xref target="Cheon06"/>.
These attacks are meant to recover (bits of) the server private key. These attacks are meant to recover (bits of) the server private key.
Best-known attacks reduce the security of the prime-order group instantiation by log_2(Q)/2 Best-known attacks reduce the security of the prime-order group instantiation by log_2(Q) / 2
bits, where Q is the number of <tt>BlindEvaluate</tt> calls made by the attacker .</t> bits, where Q is the number of <tt>BlindEvaluate</tt> calls made by the attacker .</t>
<t>As a result of this class of attacks, choosing prime-order groups w ith a 128-bit security <t>As a result of this class of attacks, choosing prime-order groups w ith a 128-bit security
level instantiates an OPRF with a reduced security level of 128-(log_2(Q)/2) bit s of security. level instantiates an OPRF with a reduced security level of 128 - (log_2(Q) / 2) bits of security.
Moreover, such attacks are only possible for those certain applications where th e Moreover, such attacks are only possible for those certain applications where th e
adversary can query the OPRF directly. Applications can mitigate against this pr oblem adversary can query the OPRF directly. Applications can mitigate against this pr oblem
in a variety of ways, e.g., by rate-limiting client queries to <tt>BlindEvaluate </tt> or by in a variety of ways, e.g., by rate-limiting client queries to <tt>BlindEvaluate </tt> or by
rotating private keys. In applications where such an oracle is not made availabl e rotating private keys. In applications where such an oracle is not made availabl e,
this security loss does not apply.</t> this security loss does not apply.</t>
<t>In most cases, it would require an informed and persistent attacker to <t>In most cases, it would require an informed and persistent attacker to
launch a highly expensive attack to reduce security to anything much launch a highly expensive attack to reduce security to anything much
below 100 bits of security. Applications that admit the aforementioned below 100 bits of security. Applications that admit the aforementioned
oracle functionality, and that cannot tolerate discrete logarithm security oracle functionality and that cannot tolerate discrete logarithm security
of lower than 128 bits, are RECOMMENDED to choose groups that target a of lower than 128 bits are <bcp14>RECOMMENDED</bcp14> to choose groups that targ
et a
higher security level, such as decaf448 (used by ciphersuite decaf448-SHAKE256), higher security level, such as decaf448 (used by ciphersuite decaf448-SHAKE256),
P-384 (used by ciphersuite P384-SHA384), or P-521 (used by ciphersuite P521-SHA5 12).</t> P-384 (used by ciphersuite P384-SHA384), or P-521 (used by ciphersuite P521-SHA5 12).</t>
</section> </section>
</section> </section>
<section anchor="domain-separation"> <section anchor="domain-separation">
<name>Domain Separation</name> <name>Domain Separation</name>
<t>Applications SHOULD construct input to the protocol to provide domain <t>Applications <bcp14>SHOULD</bcp14> construct input to the protocol to
separation. Any system which has multiple OPRF applications should provide domain
separation. Any system that has multiple OPRF applications should
distinguish client inputs to ensure the OPRF results are separate. distinguish client inputs to ensure the OPRF results are separate.
Guidance for constructing info can be found in <xref section="3.1" sectionFormat ="comma" target="I-D.irtf-cfrg-hash-to-curve"/>.</t> Guidance for constructing info can be found in <xref section="3.1" sectionFormat ="comma" target="RFC9380"/>.</t>
</section> </section>
<section anchor="timing-leaks"> <section anchor="timing-leaks">
<name>Timing Leaks</name> <name>Timing Leaks</name>
<t>To ensure no information is leaked during protocol execution, all <t>To ensure no information is leaked during protocol execution, all
operations that use secret data MUST run in constant time. This includes operations that use secret data <bcp14>MUST</bcp14> run in constant time. This i ncludes
all prime-order group operations and proof-specific operations that all prime-order group operations and proof-specific operations that
operate on secret data, including <tt>GenerateProof</tt> and <tt>BlindEvaluate</ tt>.</t> operate on secret data, including <tt>GenerateProof</tt> and <tt>BlindEvaluate</ tt>.</t>
</section> </section>
</section> </section>
<section anchor="acknowledgements">
<name>Acknowledgements</name>
<t>This document resulted from the work of the Privacy Pass team
<xref target="PrivacyPass"/>. The authors would also like to acknowledge helpful
conversations with Hugo Krawczyk. Eli-Shaoul Khedouri provided
additional review and comments on key consistency. Daniel Bourdrez,
Tatiana Bradley, Sofia Celi, Frank Denis, Julia Hesse, Russ Housley,
Kevin Lewi, Christopher Patton, and Bas Westerbaan also provided
helpful input and contributions to the document.</t>
</section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.irtf-cfrg-opaque" to="OPAQUE"/>
<displayreference target="I-D.ietf-privacypass-protocol" to="PRIVACY-PASS"/>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit
le>
<author fullname="S. Bradner" initials="S." surname="Bradner">
<organization/>
</author>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized.
This document defines these words as they should be interpreted in IETF document
s. This document specifies an Internet Best Current Practices for the Internet
Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba">
<organization/>
</author>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying tha
t only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8017">
<front>
<title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
<author fullname="K. Moriarty" initials="K." role="editor" surname="
Moriarty">
<organization/>
</author>
<author fullname="B. Kaliski" initials="B." surname="Kaliski">
<organization/>
</author>
<author fullname="J. Jonsson" initials="J." surname="Jonsson">
<organization/>
</author>
<author fullname="A. Rusch" initials="A." surname="Rusch">
<organization/>
</author>
<date month="November" year="2016"/>
<abstract>
<t>This document provides recommendations for the implementation o
f public-key cryptography based on the RSA algorithm, covering cryptographic pri
mitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax f
or representing keys and for identifying the schemes.</t>
<t>This document represents a republication of PKCS #1 v2.2 from R
SA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing
this RFC, change control is transferred to the IETF.</t>
<t>This document also obsoletes RFC 3447.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8017"/>
<seriesInfo name="DOI" value="10.17487/RFC8017"/>
</reference>
<reference anchor="I-D.irtf-cfrg-hash-to-curve">
<front>
<title>Hashing to Elliptic Curves</title>
<author fullname="Armando Faz-Hernandez" initials="A." surname="Faz-
Hernandez">
<organization>Cloudflare, Inc.</organization>
</author>
<author fullname="Sam Scott" initials="S." surname="Scott">
<organization>Cornell Tech</organization>
</author>
<author fullname="Nick Sullivan" initials="N." surname="Sullivan">
<organization>Cloudflare, Inc.</organization>
</author>
<author fullname="Riad S. Wahby" initials="R. S." surname="Wahby">
<organization>Stanford University</organization>
</author>
<author fullname="Christopher A. Wood" initials="C. A." surname="Woo
d">
<organization>Cloudflare, Inc.</organization>
</author>
<date day="15" month="June" year="2022"/>
<abstract>
<t> This document specifies a number of algorithms for encoding
or
hashing an arbitrary string to a point on an elliptic curve. This
document is a product of the Crypto Forum Research Group (CFRG) in
the IRTF.
</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"
</abstract> />
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hash-to-curve />
-16"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8017.xml"
</reference> />
<reference anchor="RISTRETTO"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9380.xml"
<front> />
<title>The ristretto255 and decaf448 Groups</title>
<author fullname="Henry de Valence" initials="H." surname="de Valenc
e">
</author>
<author fullname="Jack Grigg" initials="J." surname="Grigg">
</author>
<author fullname="Mike Hamburg" initials="M." surname="Hamburg">
</author>
<author fullname="Isis Lovecruft" initials="I." surname="Lovecruft">
</author>
<author fullname="George Tankersley" initials="G." surname="Tankersl
ey">
</author>
<author fullname="Filippo Valsorda" initials="F." surname="Valsorda"
>
</author>
<date day="13" month="February" year="2023"/>
<abstract>
<t> This memo specifies two prime-order groups, ristretto255 and
decaf448, suitable for safely implementing higher-level and complex
cryptographic protocols. The ristretto255 group can be implemented
using Curve25519, allowing existing Curve25519 implementations to be
reused and extended to provide a prime-order group. Likewise, the
decaf448 group can be implemented using edwards448.
This document is a product of the Crypto Forum Research Group (CFRG) <reference anchor="RFC9496" target="https://www.rfc-editor.org/info/rfc9496">
in the IRTF. <front>
<title>The ristretto255 and decaf448 Groups</title>
<author initials="H." surname="de Valence" fullname="Henry de Valence"> </author
>
<author initials="J." surname="Grigg" fullname="Jack Grigg"> </author>
<author initials="M." surname="Hamburg" fullname="Mike Hamburg"> </author>
<author initials="I." surname="Lovecruft" fullname="Isis Lovecruft"> </author>
<author initials="G." surname="Tankersley" fullname="George Tankersley"> </autho
r>
<author initials="F." surname="Valsorda" fullname="Filippo Valsorda"> </author>
<date month="December" year="2023"/>
</front>
<seriesInfo name="RFC" value="9496"/>
<seriesInfo name="DOI" value="10.17487/RFC9496"/>
</reference>
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-ristretto255-
decaf448-06"/>
</reference>
<reference anchor="KEYAGREEMENT"> <reference anchor="KEYAGREEMENT">
<front> <front>
<title>Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography</title> <title>Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography</title>
<author fullname="Elaine Barker" initials="E." surname="Barker"> <author fullname="Elaine Barker" initials="E." surname="Barker">
<organization/> <organization/>
</author> </author>
<author fullname="Lily Chen" initials="L." surname="Chen"> <author fullname="Lily Chen" initials="L." surname="Chen">
<organization/> <organization/>
</author> </author>
<author fullname="Allen Roginsky" initials="A." surname="Roginsky"> <author fullname="Allen Roginsky" initials="A." surname="Roginsky">
<organization/> <organization/>
</author> </author>
<author fullname="Apostol Vassilev" initials="A." surname="Vassilev" > <author fullname="Apostol Vassilev" initials="A." surname="Vassilev" >
<organization/> <organization/>
</author> </author>
<author fullname="Richard Davis" initials="R." surname="Davis"> <author fullname="Richard Davis" initials="R." surname="Davis">
<organization/> <organization/>
</author> </author>
<date month="April" year="2018"/> <date month="April" year="2018"/>
</front> </front>
<seriesInfo name="National Institute of Standards and Technology" valu e="report"/> <seriesInfo name="NIST SP" value="800-56A (Rev. 3)"/>
<seriesInfo name="DOI" value="10.6028/nist.sp.800-56ar3"/> <seriesInfo name="DOI" value="10.6028/nist.sp.800-56ar3"/>
</reference> </reference>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC7748">
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"
<title>Elliptic Curves for Security</title> />
<author fullname="A. Langley" initials="A." surname="Langley">
<organization/>
</author>
<author fullname="M. Hamburg" initials="M." surname="Hamburg">
<organization/>
</author>
<author fullname="S. Turner" initials="S." surname="Turner">
<organization/>
</author>
<date month="January" year="2016"/>
<abstract>
<t>This memo specifies two elliptic curves over prime fields that
offer a high level of practical security in cryptographic applications, includin
g Transport Layer Security (TLS). These curves are intended to operate at the ~
128-bit and ~224-bit security level, respectively, and are generated determinist
ically based on a list of required properties.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7748"/>
<seriesInfo name="DOI" value="10.17487/RFC7748"/>
</reference>
<reference anchor="PrivacyPass" target="https://github.com/privacypass/t eam"> <reference anchor="PrivacyPass" target="https://github.com/privacypass/t eam">
<front> <front>
<title>Privacy Pass</title> <title>Privacy Pass</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date/> <date month="March" year="2018"/>
</front> </front>
<refcontent>commit 085380a</refcontent>
</reference> </reference>
<reference anchor="BG04" target="https://eprint.iacr.org/2004/306"> <reference anchor="BG04" target="https://eprint.iacr.org/2004/306">
<front> <front>
<title>The Static Diffie-Hellman Problem</title> <title>The Static Diffie-Hellman Problem</title>
<author initials="D." surname="Brown"> <author initials="D." surname="Brown">
<organization>Certicom Research</organization> <organization>Certicom Research</organization>
</author> </author>
<author initials="R." surname="Gallant"> <author initials="R." surname="Gallant">
<organization>Certicom Research</organization> <organization>Certicom Research</organization>
</author> </author>
<date/> <date month="November" year="2004"/>
</front> </front>
</reference> </reference>
<reference anchor="ChaumPedersen"> <reference anchor="ChaumPedersen">
<front> <front>
<title>Wallet Databases with Observers</title> <title>Wallet Databases with Observers</title>
<author fullname="David Chaum" initials="D." surname="Chaum"> <author fullname="David Chaum" initials="D." surname="Chaum">
<organization/> <organization/>
</author> </author>
<author fullname="Torben Pryds Pedersen" initials="T." surname="Pede rsen"> <author fullname="Torben Pryds Pedersen" initials="T." surname="Pede rsen">
<organization/> <organization/>
</author> </author>
<date month="August" year="2007"/> <date month="August" year="1992"/>
</front> </front>
<seriesInfo name="Advances in Cryptology - CRYPTO' 92" value="pp. 89-1 05"/> <refcontent>Advances in Cryptology - CRYPTO' 92, pp. 89-105</refconten t>
<seriesInfo name="DOI" value="10.1007/3-540-48071-4_7"/> <seriesInfo name="DOI" value="10.1007/3-540-48071-4_7"/>
</reference> </reference>
<reference anchor="Cheon06"> <reference anchor="Cheon06">
<front> <front>
<title>Security Analysis of the Strong Diffie-Hellman Problem</title > <title>Security Analysis of the Strong Diffie-Hellman Problem</title >
<author fullname="Jung Hee Cheon" initials="J." surname="Cheon"> <author fullname="Jung Hee Cheon" initials="J." surname="Cheon">
<organization/> <organization/>
</author> </author>
<date year="2006"/> <date year="2006"/>
</front> </front>
<seriesInfo name="Advances in Cryptology - EUROCRYPT 2006" value="pp. 1-11"/> <refcontent>Advances in Cryptology - EUROCRYPT 2006, pp. 1-11</refcont ent>
<seriesInfo name="DOI" value="10.1007/11761679_1"/> <seriesInfo name="DOI" value="10.1007/11761679_1"/>
</reference> </reference>
<reference anchor="FS00"> <reference anchor="FS00">
<front> <front>
<title>How To Prove Yourself: Practical Solutions to Identification and Signature Problems</title> <title>How To Prove Yourself: Practical Solutions to Identification and Signature Problems</title>
<author fullname="Amos Fiat" initials="A." surname="Fiat"> <author fullname="Amos Fiat" initials="A." surname="Fiat">
<organization/> <organization/>
</author> </author>
<author fullname="Adi Shamir" initials="A." surname="Shamir"> <author fullname="Adi Shamir" initials="A." surname="Shamir">
<organization/> <organization/>
</author> </author>
<date month="April" year="2007"/> <date year="1986"/>
</front> </front>
<seriesInfo name="Advances in Cryptology - CRYPTO' 86" value="pp. 186- 194"/> <refcontent>Advances in Cryptology - CRYPTO' 86, pp. 186-194</refconte nt>
<seriesInfo name="DOI" value="10.1007/3-540-47721-7_12"/> <seriesInfo name="DOI" value="10.1007/3-540-47721-7_12"/>
</reference> </reference>
<reference anchor="JKKX16"> <reference anchor="JKKX16">
<front> <front>
<title>Highly-Efficient and Composable Password-Protected Secret Sha ring (Or: How to Protect Your Bitcoin Wallet Online)</title> <title>Highly-Efficient and Composable Password-Protected Secret Sha ring (Or: How to Protect Your Bitcoin Wallet Online)</title>
<author fullname="Stanislaw Jarecki" initials="S." surname="Jarecki" > <author fullname="Stanislaw Jarecki" initials="S." surname="Jarecki" >
<organization/> <organization/>
</author> </author>
<author fullname="Aggelos Kiayias" initials="A." surname="Kiayias"> <author fullname="Aggelos Kiayias" initials="A." surname="Kiayias">
<organization/> <organization/>
</author> </author>
<author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk"> <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
<organization/> <organization/>
</author> </author>
<author fullname="Jiayu Xu" initials="J." surname="Xu"> <author fullname="Jiayu Xu" initials="J." surname="Xu">
<organization/> <organization/>
</author> </author>
<date month="March" year="2016"/> <date month="March" year="2016"/>
</front> </front>
<seriesInfo name="2016 IEEE European Symposium on Security and Privacy " value="(EuroS&amp;P)"/> <refcontent>2016 IEEE European Symposium on Security and Privacy (Euro S&amp;P)</refcontent>
<seriesInfo name="DOI" value="10.1109/eurosp.2016.30"/> <seriesInfo name="DOI" value="10.1109/eurosp.2016.30"/>
</reference> </reference>
<reference anchor="JKK14"> <reference anchor="JKK14">
<front> <front>
<title>Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model</title> <title>Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model</title>
<author fullname="Stanislaw Jarecki" initials="S." surname="Jarecki" > <author fullname="Stanislaw Jarecki" initials="S." surname="Jarecki" >
<organization/> <organization/>
</author> </author>
<author fullname="Aggelos Kiayias" initials="A." surname="Kiayias"> <author fullname="Aggelos Kiayias" initials="A." surname="Kiayias">
<organization/> <organization/>
</author> </author>
<author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk"> <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
<organization/> <organization/>
</author> </author>
<date year="2014"/> <date year="2014"/>
</front> </front>
<seriesInfo name="Lecture Notes in Computer Science" value="pp. 233-25 3"/> <refcontent>Lecture Notes in Computer Science, pp. 233-253</refcontent >
<seriesInfo name="DOI" value="10.1007/978-3-662-45608-8_13"/> <seriesInfo name="DOI" value="10.1007/978-3-662-45608-8_13"/>
</reference> </reference>
<reference anchor="SJKS17" target="https://doi.org/10.1109/ICDCS.2017.64 "> <reference anchor="SJKS17" target="https://doi.org/10.1109/ICDCS.2017.64 ">
<front> <front>
<title>SPHINX: A Password Store that Perfectly Hides Passwords from Itself</title> <title>SPHINX: A Password Store that Perfectly Hides Passwords from Itself</title>
<author initials="M." surname="Shirvanian" fullname="Maliheh Shirvan ian"> <author initials="M." surname="Shirvanian" fullname="Maliheh Shirvan ian">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Jarecki" fullname="Stanislaw Jarecki" > <author initials="S." surname="Jarecki" fullname="Stanislaw Jarecki" >
<organization/> <organization/>
</author> </author>
<author initials="H." surname="Krawczyk" fullname="Hugo Krawczyk"> <author initials="H." surname="Krawczyk" fullname="Hugo Krawczyk">
<organization/> <organization/>
</author> </author>
<author initials="N." surname="Saxena" fullname="Nitesh Saxena"> <author initials="N." surname="Saxena" fullname="Nitesh Saxena">
<organization/> <organization/>
</author> </author>
<date year="2017" month="June"/> <date year="2017" month="June"/>
</front> </front>
<seriesInfo name="In" value="2017 IEEE 37th International Conference o n Distributed Computing Systems (ICDCS)"/> <refcontent>2017 IEEE 37th International Conference on Distributed Com puting Systems (ICDCS)</refcontent>
<seriesInfo name="DOI" value="10.1109/ICDCS.2017.64"/> <seriesInfo name="DOI" value="10.1109/ICDCS.2017.64"/>
</reference> </reference>
<reference anchor="TCRSTW21"> <reference anchor="TCRSTW21">
<front> <front>
<title>A Fast and Simple Partially Oblivious PRF, with Applications< /title> <title>A Fast and Simple Partially Oblivious PRF, with Applications< /title>
<author fullname="Nirvan Tyagi" initials="N." surname="Tyagi"> <author fullname="Nirvan Tyagi" initials="N." surname="Tyagi">
<organization/> <organization/>
</author> </author>
<author fullname="Sofía Celi" initials="S." surname="Celi"> <author fullname="Sofía Celi" initials="S." surname="Celi">
<organization/> <organization/>
</author> </author>
<author fullname="Thomas Ristenpart" initials="T." surname="Ristenpa rt"> <author fullname="Thomas Ristenpart" initials="T." surname="Ristenpa rt">
<organization/> <organization/>
</author> </author>
<author fullname="Nick Sullivan" initials="N." surname="Sullivan"> <author fullname="Nick Sullivan" initials="N." surname="Sullivan">
<organization/> <organization/>
</author> </author>
<author fullname="Stefano Tessaro" initials="S." surname="Tessaro"> <author fullname="Stefano Tessaro" initials="S." surname="Tessaro">
<organization/> <organization/>
</author> </author>
<author fullname="Christopher A. Wood" initials="C." surname="Wood"> <author fullname="Christopher A. Wood" initials="C. A." surname="Woo d">
<organization/> <organization/>
</author> </author>
<date year="2022"/> <date year="2022" month="May"/>
</front> </front>
<seriesInfo name="Advances in Cryptology - EUROCRYPT 2022" value="pp. 674-705"/> <seriesInfo name="Advances in Cryptology - EUROCRYPT 2022" value="pp. 674-705"/>
<seriesInfo name="DOI" value="10.1007/978-3-031-07085-3_23"/> <seriesInfo name="DOI" value="10.1007/978-3-031-07085-3_23"/>
</reference> </reference>
<reference anchor="DGSTV18"> <reference anchor="DGSTV18">
<front> <front>
<title>Privacy Pass: Bypassing Internet Challenges Anonymously</titl e> <title>Privacy Pass: Bypassing Internet Challenges Anonymously</titl e>
<author fullname="Alex Davidson" initials="A." surname="Davidson"> <author fullname="Alex Davidson" initials="A." surname="Davidson">
<organization>Royal Holloway, University of London (work completed during an internship at Cloudflare), London , UK</organization> <organization>Royal Holloway, University of London (work completed during an internship at Cloudflare), London , UK</organization>
</author> </author>
<author fullname="Ian Goldberg" initials="I." surname="Goldberg"> <author fullname="Ian Goldberg" initials="I." surname="Goldberg">
<organization>University of Waterloo, Waterloo , Belgium</organiza tion> <organization>University of Waterloo, Waterloo , Belgium</organiza tion>
</author> </author>
<author fullname="Nick Sullivan" initials="N." surname="Sullivan"> <author fullname="Nick Sullivan" initials="N." surname="Sullivan">
<organization>Cloudflare, San Francisco, California , USA</organiz ation> <organization>Cloudflare, San Francisco, California , USA</organiz ation>
</author> </author>
<author fullname="George Tankersley" initials="G." surname="Tankersl ey"> <author fullname="George Tankersley" initials="G." surname="Tankersl ey">
<organization/> <organization/>
</author> </author>
<author fullname="Filippo Valsorda" initials="F." surname="Valsorda" > <author fullname="Filippo Valsorda" initials="F." surname="Valsorda" >
<organization/> <organization/>
</author> </author>
<date month="April" year="2018"/> <date month="April" year="2018"/>
</front> </front>
<seriesInfo name="Proceedings on Privacy Enhancing Technologies" value ="vol. 2018, no. 3, pp. 164-180"/> <refcontent>Proceedings on Privacy Enhancing Technologies, vol. 2018, no. 3, pp. 164-180</refcontent>
<seriesInfo name="DOI" value="10.1515/popets-2018-0026"/> <seriesInfo name="DOI" value="10.1515/popets-2018-0026"/>
</reference> </reference>
<reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf"> <reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf">
<front> <front>
<title>SEC 1: Elliptic Curve Cryptography</title> <title>SEC 1: Elliptic Curve Cryptography</title>
<author initials="" surname="Standards for Efficient Cryptography Gr <author>
oup (SECG)"> <organization>Standards for Efficient Cryptography Group (SECG)</o
<organization/> rganization>
</author> </author>
<date/> <date month="May" year="2009"/>
</front> </front>
</reference> </reference>
<reference anchor="NISTCurves"> <reference anchor="NISTCurves">
<front> <front>
<title>Digital Signature Standard (DSS)</title> <title>Digital Signature Standard (DSS)</title>
<author> <author>
<organization/> <organization>National Institute of Standards and Technology (NIST )</organization>
</author> </author>
<date month="July" year="2013"/> <date month="February" year="2023"/>
</front> </front>
<seriesInfo name="National Institute of Standards and Technology" valu <seriesInfo name="FIPS PUB" value="186-5"/>
e="report"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-5"/>
<seriesInfo name="DOI" value="10.6028/nist.fips.186-4"/>
</reference> </reference>
<reference anchor="OPAQUE">
<front>
<title>The OPAQUE Asymmetric PAKE Protocol</title>
<author fullname="Daniel Bourdrez" initials="D." surname="Bourdrez">
</author>
<author fullname="Dr. Hugo Krawczyk" initials="H." surname="Krawczyk
">
<organization>Algorand Foundation</organization>
</author>
<author fullname="Kevin Lewi" initials="K." surname="Lewi">
<organization>Novi Research</organization>
</author>
<author fullname="Christopher A. Wood" initials="C. A." surname="Woo
d">
<organization>Cloudflare, Inc.</organization>
</author>
<date day="6" month="July" year="2022"/>
<abstract>
<t> This document describes the OPAQUE protocol, a secure asymme
tric
password-authenticated key exchange (aPAKE) that supports mutual
authentication in a client-server setting without reliance on PKI and
with security against pre-computation attacks upon server compromise.
In addition, the protocol provides forward secrecy and the ability to
hide the password from the server, even during password registration.
This document specifies the core OPAQUE protocol and one
instantiation based on 3DH.
</t> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.irtf-cf
</abstract> rg-opaque.xml"/>
</front> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-pr
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-opaque-09"/> ivacypass-protocol.xml"/>
</reference>
<reference anchor="PRIVACYPASS">
<front>
<title>Privacy Pass Issuance Protocol</title>
<author fullname="Sofia Celi" initials="S." surname="Celi">
<organization>Brave Software</organization>
</author>
<author fullname="Alex Davidson" initials="A." surname="Davidson">
<organization>Brave Software</organization>
</author>
<author fullname="Armando Faz-Hernandez" initials="A." surname="Faz-
Hernandez">
<organization>Cloudflare</organization>
</author>
<author fullname="Steven Valdez" initials="S." surname="Valdez">
<organization>Google LLC</organization>
</author>
<author fullname="Christopher A. Wood" initials="C. A." surname="Woo
d">
<organization>Cloudflare</organization>
</author>
<date day="30" month="January" year="2023"/>
<abstract>
<t> This document specifies two variants of the two-message issu
ance
protocol for Privacy Pass tokens: one that produces tokens that are
privately verifiable using the issuance private key, and another that
produces tokens that are publicly verifiable using the issuance
public key.
</t> </references>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-protoc
ol-08"/>
</reference>
</references>
</references> </references>
<section anchor="test-vectors"> <section anchor="test-vectors">
<name>Test Vectors</name> <name>Test Vectors</name>
<t>This section includes test vectors for the protocol variants specified <t>This section includes test vectors for the protocol variants specified
in this document. For each ciphersuite specified in <xref target="ciphersuites"/ >, in this document. For each ciphersuite specified in <xref target="ciphersuites"/ >,
there is a set of test vectors for the protocol when run the OPRF, there is a set of test vectors for the protocol when running the OPRF,
VOPRF, and POPRF modes. Each test vector lists the batch size for VOPRF, and POPRF modes. Each test vector lists the batch size for
the evaluation. Each test vector value is encoded as a hexadecimal the evaluation. Each test vector value is encoded as a hexadecimal
byte string. The fields of each test vector are described below.</t> byte string. The fields of each test vector are described below.</t>
<ul spacing="normal"> <dl newline="false" spacing="normal">
<li>"Input": The private client input, an opaque byte string.</li> <dt>"Input":</dt> <dd>The private client input, an opaque byte string.</
<li>"Info": The public info, an opaque byte string. Only present for POP dd>
RF test <dt>"Info":</dt> <dd>The public info, an opaque byte string. Only presen
vectors.</li> t for POPRF test
<li>"Blind": The blind value output by <tt>Blind()</tt>, a serialized <t vectors.</dd>
t>Scalar</tt> <dt>"Blind":</dt> <dd>The blind value output by <tt>Blind()</tt>, a seri
of <tt>Ns</tt> bytes long.</li> alized Scalar
<li>"BlindedElement": The blinded value output by <tt>Blind()</tt>, a se of <tt>Ns</tt> bytes long.</dd>
rialized <dt>"BlindedElement":</dt> <dd>The blinded value output by <tt>Blind()</
<tt>Element</tt> of <tt>Ne</tt> bytes long.</li> tt>, a serialized
<li>"EvaluatedElement": The evaluated element output by <tt>BlindEvaluat Element of <tt>Ne</tt> bytes long.</dd>
e()</tt>, <dt>"EvaluatedElement":</dt> <dd>The evaluated element output by <tt>Bli
a serialized <tt>Element</tt> of <tt>Ne</tt> bytes long.</li> ndEvaluate()</tt>,
<li>"Proof": The serialized <tt>Proof</tt> output from <tt>GenerateProof a serialized Element of <tt>Ne</tt> bytes long.</dd>
()</tt> composed of <dt>"Proof":</dt> <dd>The serialized <tt>Proof</tt> output from <tt>Gene
two serialized <tt>Scalar</tt> values each of <tt>Ns</tt> bytes long. Only prese rateProof()</tt> composed of
nt for two serialized Scalar values, each <tt>Ns</tt> bytes long. Only present for
VOPRF and POPRF test vectors.</li> VOPRF and POPRF test vectors.</dd>
<li>"ProofRandomScalar": The random scalar <tt>r</tt> computed in <tt>Ge <dt>"ProofRandomScalar":</dt> <dd>The random Scalar <tt>r</tt> computed
nerateProof()</tt>, a in <tt>GenerateProof()</tt>, a
serialized <tt>Scalar</tt> of <tt>Ns</tt> bytes long. Only present for VOPRF and serialized Scalar of <tt>Ns</tt> bytes long. Only present for VOPRF and POPRF
POPRF test vectors.</dd>
test vectors.</li> <dt>"Output":</dt> <dd>The protocol output, an opaque byte string of <tt
<li>"Output": The protocol output, an opaque byte string of length <tt>N >Nh</tt> bytes long.</dd>
h</tt> bytes.</li> </dl>
</ul>
<t>Test vectors with batch size B &gt; 1 have inputs separated by a comma <t>Test vectors with batch size B &gt; 1 have inputs separated by a comma
",". Applicable test vectors will have B different values for the ",". Applicable test vectors will have B different values for the
"Input", "Blind", "BlindedElement", "EvaluationElement", and "Input", "Blind", "BlindedElement", "EvaluationElement", and
"Output" fields.</t> "Output" fields.</t>
<t>The server key material, <tt>pkSm</tt> and <tt>skSm</tt>, are listed un der the mode for <t>The server key material, <tt>pkSm</tt> and <tt>skSm</tt>, are listed un der the mode for
each ciphersuite. Both <tt>pkSm</tt> and <tt>skSm</tt> are the serialized values of each ciphersuite. Both <tt>pkSm</tt> and <tt>skSm</tt> are the serialized values of
<tt>pkS</tt> and <tt>skS</tt>, respectively, as used in the protocol. Each key p air <tt>pkS</tt> and <tt>skS</tt>, respectively, as used in the protocol. Each key p air
is derived from a seed <tt>Seed</tt> and info string <tt>KeyInfo</tt>, which are is derived from a seed, denoted <tt>Seed</tt>, and info string, denoted <tt>Key Info</tt>, which are
listed as well, using the <tt>DeriveKeyPair</tt> function from <xref target="off line"/>.</t> listed as well, using the <tt>DeriveKeyPair</tt> function from <xref target="off line"/>.</t>
<section anchor="ristretto255-sha512"> <section anchor="ristretto255-sha512">
<name>ristretto255-SHA512</name> <name>ristretto255-SHA512</name>
<section anchor="oprf-mode"> <section anchor="oprf-mode">
<name>OPRF Mode</name> <name>OPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 5ebcea5ee37023ccb9fc2d2019f9d7737be85591ae8652ffa9ef0f4d37063 skSm = 5ebcea5ee37023ccb9fc2d2019f9d7737be85591ae8652ffa9ef0f4d37063
b0e b0e
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1"> <section anchor="test-vector-1-batch-size-1">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706 6706
BlindedElement = 609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa BlindedElement = 609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa
2dc99e412803c 2dc99e412803c
EvaluationElement = 7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2 EvaluationElement = 7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2
d8cc917ea0869c7e d8cc917ea0869c7e
Output = 527759c3d9366f277d8c6020418d96bb393ba2afb20ff90df23fb770826 Output = 527759c3d9366f277d8c6020418d96bb393ba2afb20ff90df23fb770826
4e2f3ab9135e3bd69955851de4b1f9fe8a0973396719b7912ba9ee8aa7d0b5e24bcf 4e2f3ab9135e3bd69955851de4b1f9fe8a0973396719b7912ba9ee8aa7d0b5e24bcf
6 6
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1"> <section anchor="test-vector-2-batch-size-1">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706 6706
BlindedElement = da27ef466870f5f15296299850aa088629945a17d1f5b7f5ff0 BlindedElement = da27ef466870f5f15296299850aa088629945a17d1f5b7f5ff0
43f76b3c06418 43f76b3c06418
EvaluationElement = b4cbf5a4f1eeda5a63ce7b77c7d23f461db3fcab0dd28e4e EvaluationElement = b4cbf5a4f1eeda5a63ce7b77c7d23f461db3fcab0dd28e4e
17cecb5c90d02c25 17cecb5c90d02c25
Output = f4a74c9c592497375e796aa837e907b1a045d34306a749db9f34221f7e7 Output = f4a74c9c592497375e796aa837e907b1a045d34306a749db9f34221f7e7
50cb4f2a6413a6bf6fa5e19ba6348eb673934a722a7ede2e7621306d18951e7cf2c7 50cb4f2a6413a6bf6fa5e19ba6348eb673934a722a7ede2e7621306d18951e7cf2c7
3 3
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="voprf-mode"> <section anchor="voprf-mode">
<name>VOPRF Mode</name> <name>VOPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = e6f73f344b79b379f1a0dd37e07ff62e38d9f71345ce62ae3a9bc60b04ccd skSm = e6f73f344b79b379f1a0dd37e07ff62e38d9f71345ce62ae3a9bc60b04ccd
909 909
pkSm = c803e2cc6b05fc15064549b5920659ca4a77b2cca6f04f6b357009335476a pkSm = c803e2cc6b05fc15064549b5920659ca4a77b2cca6f04f6b357009335476a
d4e d4e
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-1"> <section anchor="test-vector-1-batch-size-1-1">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706 6706
BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
642ddc439b945 642ddc439b945
EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
9c7669a9a014267e 9c7669a9a014267e
Proof = ddef93772692e535d1a53903db24367355cc2cc78de93b3be5a8ffcc6985 Proof = ddef93772692e535d1a53903db24367355cc2cc78de93b3be5a8ffcc6985
dd066d4346421d17bf5117a2a1ff0fcb2a759f58a539dfbe857a40bce4cf49ec600d dd066d4346421d17bf5117a2a1ff0fcb2a759f58a539dfbe857a40bce4cf49ec600d
ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
81aa6f61d645fc0e 81aa6f61d645fc0e
Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3 a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
c c
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-1"> <section anchor="test-vector-2-batch-size-1-1">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706 6706
BlindedElement = cc0b2a350101881d8a4cba4c80241d74fb7dcbfde4a61fde2f9 BlindedElement = cc0b2a350101881d8a4cba4c80241d74fb7dcbfde4a61fde2f9
1443c2bf9ef0c 1443c2bf9ef0c
EvaluationElement = 60a59a57208d48aca71e9e850d22674b611f752bed48b36f EvaluationElement = 60a59a57208d48aca71e9e850d22674b611f752bed48b36f
7a91b372bd7ad468 7a91b372bd7ad468
Proof = 401a0da6264f8cf45bb2f5264bc31e109155600babb3cd4e5af7d181a2c9 Proof = 401a0da6264f8cf45bb2f5264bc31e109155600babb3cd4e5af7d181a2c9
dc0a67154fabf031fd936051dec80b0b6ae29c9503493dde7393b722eafdf5a50b02 dc0a67154fabf031fd936051dec80b0b6ae29c9503493dde7393b722eafdf5a50b02
ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
81aa6f61d645fc0e 81aa6f61d645fc0e
Output = 8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a Output = 8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a
6df60356f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b 6df60356f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b
6 6
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2"> <section anchor="test-vector-3-batch-size-2">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0 6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
e e
BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b BlindedElement = 863f330cc1a1259ed5a5998a23acfd37fb4351a793a5b3c090b
642ddc439b945,90a0145ea9da29254c3a56be4fe185465ebb3bf2a1801f7124bbba 642ddc439b945,90a0145ea9da29254c3a56be4fe185465ebb3bf2a1801f7124bbba
dac751e654 dac751e654
EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f EvaluationElement = aa8fa048764d5623868679402ff6108d2521884fa138cd7f
9c7669a9a014267e,cc5ac221950a49ceaa73c8db41b82c20372a4c8d63e5dded2db 9c7669a9a014267e,cc5ac221950a49ceaa73c8db41b82c20372a4c8d63e5dded2db
920b7eee36a2a 920b7eee36a2a
Proof = cc203910175d786927eeb44ea847328047892ddf8590e723c37205cb7460 Proof = cc203910175d786927eeb44ea847328047892ddf8590e723c37205cb7460
0b0a5ab5337c8eb4ceae0494c2cf89529dcf94572ed267473d567aeed6ab873dee08 0b0a5ab5337c8eb4ceae0494c2cf89529dcf94572ed267473d567aeed6ab873dee08
ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
cf037f9ea84bbe0c cf037f9ea84bbe0c
Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d Output = b58cfbe118e0cb94d79b5fd6a6dafb98764dff49c14e1770b566e42402d
a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3 a1a7da4d8527693914139caee5bd03903af43a491351d23b430948dd50cde10d32b3
c,8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a6df6035 c,8a9a2f3c7f085b65933594309041fc1898d42d0858e59f90814ae90571a6df6035
6f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b6 6f4610bf816f27afdd84f47719e480906d27ecd994985890e5f539e7ea74b6
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="poprf-mode"> <section anchor="poprf-mode">
<name>POPRF Mode</name> <name>POPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 145c79c108538421ac164ecbe131942136d5570b16d8bf41a24d4337da981 skSm = 145c79c108538421ac164ecbe131942136d5570b16d8bf41a24d4337da981
e07 e07
pkSm = c647bef38497bc6ec077c22af65b696efa43bff3b4a1975a3e8e0a1c5a79d pkSm = c647bef38497bc6ec077c22af65b696efa43bff3b4a1975a3e8e0a1c5a79d
631 631
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-2"> <section anchor="test-vector-1-batch-size-1-2">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706 6706
BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
dd8f3d461f715 dd8f3d461f715
EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
5693e2078450d874 5693e2078450d874
Proof = 41ad1a291aa02c80b0915fbfbb0c0afa15a57e2970067a602ddb9e8fd6b7 Proof = 41ad1a291aa02c80b0915fbfbb0c0afa15a57e2970067a602ddb9e8fd6b7
100de32e1ecff943a36f0b10e3dae6bd266cdeb8adf825d86ef27dbc6c0e30c52206 100de32e1ecff943a36f0b10e3dae6bd266cdeb8adf825d86ef27dbc6c0e30c52206
ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
81aa6f61d645fc0e 81aa6f61d645fc0e
Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15 Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22 2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
1 1
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-2"> <section anchor="test-vector-2-batch-size-1-2">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706 6706
BlindedElement = f0f0b209dd4d5f1844dac679acc7761b91a2e704879656cb7c2 BlindedElement = f0f0b209dd4d5f1844dac679acc7761b91a2e704879656cb7c2
01e82a99ab07d 01e82a99ab07d
EvaluationElement = 8c3c9d064c334c6991e99f286ea2301d1bde170b54003fb9 EvaluationElement = 8c3c9d064c334c6991e99f286ea2301d1bde170b54003fb9
c44c6d7bd6fc1540 c44c6d7bd6fc1540
Proof = 4c39992d55ffba38232cdac88fe583af8a85441fefd7d1d4a8d0394cd1de Proof = 4c39992d55ffba38232cdac88fe583af8a85441fefd7d1d4a8d0394cd1de
77018bf135c174f20281b3341ab1f453fe72b0293a7398703384bed822bfdeec8908 77018bf135c174f20281b3341ab1f453fe72b0293a7398703384bed822bfdeec8908
ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98 ProofRandomScalar = 222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d98
81aa6f61d645fc0e 81aa6f61d645fc0e
Output = 7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b Output = 7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b
56a52de2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae50 56a52de2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae50
7 7
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-1"> <section anchor="test-vector-3-batch-size-2-1">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec4c1f
6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0 6706,222a5e897cf59db8145db8d16e597e8facb80ae7d4e26d9881aa6f61d645fc0
e e
BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f BlindedElement = c8713aa89241d6989ac142f22dba30596db635c772cbf25021f
dd8f3d461f715,423a01c072e06eb1cce96d23acce06e1ea64a609d7ec9e9023f304 dd8f3d461f715,423a01c072e06eb1cce96d23acce06e1ea64a609d7ec9e9023f304
9f2d64e50c 9f2d64e50c
EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f EvaluationElement = 1a4b860d808ff19624731e67b5eff20ceb2df3c3c03b906f
5693e2078450d874,aa1f16e903841036e38075da8a46655c94fc92341887eb5819f 5693e2078450d874,aa1f16e903841036e38075da8a46655c94fc92341887eb5819f
46312adfc0504 46312adfc0504
Proof = 43fdb53be399cbd3561186ae480320caa2b9f36cca0e5b160c4a677b8bbf Proof = 43fdb53be399cbd3561186ae480320caa2b9f36cca0e5b160c4a677b8bbf
4301b28f12c36aa8e11e5a7ef551da0781e863a6dc8c0b2bf5a149c9e00621f02006 4301b28f12c36aa8e11e5a7ef551da0781e863a6dc8c0b2bf5a149c9e00621f02006
ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb ProofRandomScalar = 419c4f4f5052c53c45f3da494d2b67b220d02118e0857cdb
cf037f9ea84bbe0c cf037f9ea84bbe0c
Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15 Output = ca688351e88afb1d841fde4401c79efebb2eb75e7998fa9737bd5a82a15
2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22 2406d38bd29f680504e54fd4587eddcf2f37a2617ac2fbd2993f7bdf45442ace7d22
1,7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b56a52de 1,7c6557b276a137922a0bcfc2aa2b35dd78322bd500235eb6d6b6f91bc5b56a52de
2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae507 2d65612d503236b321f5d0bebcbc52b64b92e426f29c9b8b69f52de98ae507
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="decaf448-shake256"> <section anchor="decaf448-shake256">
<name>decaf448-SHAKE256</name> <name>decaf448-SHAKE256</name>
<section anchor="oprf-mode-1"> <section anchor="oprf-mode-1">
<name>OPRF Mode</name> <name>OPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = e8b1375371fd11ebeb224f832dcc16d371b4188951c438f751425699ed29e skSm = e8b1375371fd11ebeb224f832dcc16d371b4188951c438f751425699ed29e
cc80c6c13e558ccd67634fd82eac94aa8d1f0d7fee990695d1e cc80c6c13e558ccd67634fd82eac94aa8d1f0d7fee990695d1e
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-3"> <section anchor="test-vector-1-batch-size-1-3">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
BlindedElement = e0ae01c4095f08e03b19baf47ffdc19cb7d98e583160522a3c7 BlindedElement = e0ae01c4095f08e03b19baf47ffdc19cb7d98e583160522a3c7
d6a0b2111cd93a126a46b7b41b730cd7fc943d4e28e590ed33ae475885f6c d6a0b2111cd93a126a46b7b41b730cd7fc943d4e28e590ed33ae475885f6c
EvaluationElement = 50ce4e60eed006e22e7027454b5a4b8319eb2bc8ced609eb EvaluationElement = 50ce4e60eed006e22e7027454b5a4b8319eb2bc8ced609eb
19eb3ad42fb19e06ba12d382cbe7ae342a0cad6ead0ef8f91f00bb7f0cd9c0a2 19eb3ad42fb19e06ba12d382cbe7ae342a0cad6ead0ef8f91f00bb7f0cd9c0a2
Output = 37d3f7922d9388a15b561de5829bbf654c4089ede89c0ce0f3f85bcdba0 Output = 37d3f7922d9388a15b561de5829bbf654c4089ede89c0ce0f3f85bcdba0
9e382ce0ab3507e021f9e79706a1798ffeac68ebd5cf62e5eb9838c7068351d97ae3 9e382ce0ab3507e021f9e79706a1798ffeac68ebd5cf62e5eb9838c7068351d97ae3
7 7
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-3"> <section anchor="test-vector-2-batch-size-1-3">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
BlindedElement = 86a88dc5c6331ecfcb1d9aacb50a68213803c462e377577cacc BlindedElement = 86a88dc5c6331ecfcb1d9aacb50a68213803c462e377577cacc
00af28e15f0ddbc2e3d716f2f39ef95f3ec1314a2c64d940a9f295d8f13bb 00af28e15f0ddbc2e3d716f2f39ef95f3ec1314a2c64d940a9f295d8f13bb
EvaluationElement = 162e9fa6e9d527c3cd734a31bf122a34dbd5bcb7bb23651f EvaluationElement = 162e9fa6e9d527c3cd734a31bf122a34dbd5bcb7bb23651f
1768a7a9274cc116c03b58afa6f0dede3994a60066c76370e7328e7062fd5819 1768a7a9274cc116c03b58afa6f0dede3994a60066c76370e7328e7062fd5819
Output = a2a652290055cb0f6f8637a249ee45e32ef4667db0b4c80c0a70d2a6416 Output = a2a652290055cb0f6f8637a249ee45e32ef4667db0b4c80c0a70d2a6416
4d01525cfdad5d870a694ec77972b9b6ec5d2596a5223e5336913f945101f0137f55 4d01525cfdad5d870a694ec77972b9b6ec5d2596a5223e5336913f945101f0137f55
e e
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="voprf-mode-1"> <section anchor="voprf-mode-1">
<name>VOPRF Mode</name> <name>VOPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = e3c01519a076a326a0eb566343e9b21c115fa18e6e85577ddbe890b33104f skSm = e3c01519a076a326a0eb566343e9b21c115fa18e6e85577ddbe890b33104f
cc2835ddfb14a928dc3f5d79b936e17c76b99e0bf6a1680930e cc2835ddfb14a928dc3f5d79b936e17c76b99e0bf6a1680930e
pkSm = 945fc518c47695cf65217ace04b86ac5e4cbe26ca649d52854bb16c494ce0 pkSm = 945fc518c47695cf65217ace04b86ac5e4cbe26ca649d52854bb16c494ce0
9069d6add96b20d4b0ae311a87c9a73e3a146b525763ab2f955 9069d6add96b20d4b0ae311a87c9a73e3a146b525763ab2f955
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-4"> <section anchor="test-vector-1-batch-size-1-4">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb 1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb
EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4 EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467 c9d203bceffa46c86406caf8217859d3fb259077af68e5d41b3699410781f467
Proof = f84bbeee47aedf43558dae4b95b3853635a9fc1a9ea7eac9b454c64c66c4 Proof = f84bbeee47aedf43558dae4b95b3853635a9fc1a9ea7eac9b454c64c66c4
f49cd1c72711c7ac2e06c681e16ea693d5500bbd7b56455df52f69e00b76b4126961 f49cd1c72711c7ac2e06c681e16ea693d5500bbd7b56455df52f69e00b76b4126961
e1562fdbaaac40b7701065cbeece3febbfe09e00160f81775d36daed99d8a2a10be0 e1562fdbaaac40b7701065cbeece3febbfe09e00160f81775d36daed99d8a2a10be0
759e01b7ee81217203416c9db208 759e01b7ee81217203416c9db208
ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853 Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c 5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
1 1
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-4"> <section anchor="test-vector-2-batch-size-1-4">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
BlindedElement = 88287e553939090b888ddc15913e1807dc4757215555e1c3a79 BlindedElement = 88287e553939090b888ddc15913e1807dc4757215555e1c3a79
488ef311594729c7fa74c772a732b78440b7d66d0aa35f3bb316f1d93e1b2 488ef311594729c7fa74c772a732b78440b7d66d0aa35f3bb316f1d93e1b2
EvaluationElement = c00978c73e8e4ee1d447ab0d3ad1754055e72cc85c08e3a0 EvaluationElement = c00978c73e8e4ee1d447ab0d3ad1754055e72cc85c08e3a0
db170909a9c61cbff1f1e7015f289e3038b0f341faea5d7780c130106065c231 db170909a9c61cbff1f1e7015f289e3038b0f341faea5d7780c130106065c231
Proof = 7a2831a6b237e11ac1657d440df93bc5ce00f552e6020a99d5c956ffc4d0 Proof = 7a2831a6b237e11ac1657d440df93bc5ce00f552e6020a99d5c956ffc4d0
7b5ade3e82ecdc257fd53d76239e733e0a1313e84ce16cc0d82734806092a693d7e8 7b5ade3e82ecdc257fd53d76239e733e0a1313e84ce16cc0d82734806092a693d7e8
d3c420c2cb6ccd5d0ca32514fb78e9ad0973ebdcb52eba438fc73948d76339ee7101 d3c420c2cb6ccd5d0ca32514fb78e9ad0973ebdcb52eba438fc73948d76339ee7101
21d83e2fe6f001cfdf551aff9f36 21d83e2fe6f001cfdf551aff9f36
ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
Output = 862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380 Output = 862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380
c959baa8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c94 c959baa8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c94
1 1
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-2"> <section anchor="test-vector-3-batch-size-2-2">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce 3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043 48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
a070e5f953d80bb464ea369e5522b a070e5f953d80bb464ea369e5522b
BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac BlindedElement = 7261bbc335c664ba788f1b1a1a4cd5190cc30e787ef277665ac
1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb,2e15f3 1d314f8861e3ec11854ce3ddd42035d9e0f5cddde324c332d8c880abc00eb,2e15f3
93c035492a1573627a3606e528c6294c767c8d43b8c691ef70a52cc7dc7d1b53fe45 93c035492a1573627a3606e528c6294c767c8d43b8c691ef70a52cc7dc7d1b53fe45
8350a270abb7c231b87ba58266f89164f714d9 8350a270abb7c231b87ba58266f89164f714d9
EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4 EvaluationElement = ca1491a526c28d880806cf0fb0122222392cf495657be6e4
skipping to change at line 2483 skipping to change at line 2174
Proof = 167d922f0a6ffa845eed07f8aa97b6ac746d902ecbeb18f49c009adc0521 Proof = 167d922f0a6ffa845eed07f8aa97b6ac746d902ecbeb18f49c009adc0521
eab1e4d275b74a2dc266b7a194c854e85e7eb54a9a36376dfc04ec7f3bd55fc9618c eab1e4d275b74a2dc266b7a194c854e85e7eb54a9a36376dfc04ec7f3bd55fc9618c
3970cb548e064f8a2f06183a5702933dbc3e4c25a73438f2108ee1981c306181003c 3970cb548e064f8a2f06183a5702933dbc3e4c25a73438f2108ee1981c306181003c
7ea92fce963ec7b4ba4f270e6d38 7ea92fce963ec7b4ba4f270e6d38
ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23 6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853 Output = e2ac40b634f36cccd8262b285adff7c9dcc19cd308564a5f4e581d1a853
5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c 5773b86fa4fc9f2203c370763695c5093aea4a7aedec4488b1340ba3bf663a23098c
1,862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380c959baa 1,862952380e07ec840d9f6e6f909c5a25d16c3dacb586d89a181b4aa7380c959baa
8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c941 8c480fe8e6c64e089d68ea7aeeb5817bd524d7577905b5bab487690048c941
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="poprf-mode-1"> <section anchor="poprf-mode-1">
<name>POPRF Mode</name> <name>POPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 792a10dcbd3ba4a52a054f6f39186623208695301e7adb9634b74709ab22d skSm = 792a10dcbd3ba4a52a054f6f39186623208695301e7adb9634b74709ab22d
e402990eb143fd7c67ac66be75e0609705ecea800992aac8e19 e402990eb143fd7c67ac66be75e0609705ecea800992aac8e19
pkSm = 6c9d12723a5bbcf305522cc04b4a34d9ced2e12831826018ea7b5dcf54526 pkSm = 6c9d12723a5bbcf305522cc04b4a34d9ced2e12831826018ea7b5dcf54526
47ad262113059bf0f6e4354319951b9d513c74f29cb0eec38c1 47ad262113059bf0f6e4354319951b9d513c74f29cb0eec38c1
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-5"> <section anchor="test-vector-1-batch-size-1-5">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0 BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42 9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42
EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4 EvaluationElement = 06ec89dfde25bb2a6f0145ac84b91ac277b35de39ad1d6f4
02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c 02a8e46414952ce0d9ea1311a4ece283e2b01558c7078b040cfaa40dd63b3e6c
Proof = 66caee75bf2460429f620f6ad3e811d524cb8ddd848a435fc5d89af48877 Proof = 66caee75bf2460429f620f6ad3e811d524cb8ddd848a435fc5d89af48877
abf6506ee341a0b6f67c2d76cd021e5f3d1c9abe5aa9f0dce016da746135fedba2af abf6506ee341a0b6f67c2d76cd021e5f3d1c9abe5aa9f0dce016da746135fedba2af
41ed1d01659bfd6180d96bc1b7f320c0cb6926011ce392ecca748662564892bae665 41ed1d01659bfd6180d96bc1b7f320c0cb6926011ce392ecca748662564892bae665
16acaac6ca39aadf6fcca95af406 16acaac6ca39aadf6fcca95af406
ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e 971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
d d
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-5"> <section anchor="test-vector-2-batch-size-1-5">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112 3833a26e9388336361686ff1f83df55046504dfecad8549ba112
BlindedElement = 12082b6a381c6c51e85d00f2a3d828cdeab3f5cb19a10b9c014 BlindedElement = 12082b6a381c6c51e85d00f2a3d828cdeab3f5cb19a10b9c014
c33826764ab7e7cfb8b4ff6f411bddb2d64e62a472af1cd816e5b712790c6 c33826764ab7e7cfb8b4ff6f411bddb2d64e62a472af1cd816e5b712790c6
EvaluationElement = f2919b7eedc05ab807c221fce2b12c4ae9e19e6909c47845 EvaluationElement = f2919b7eedc05ab807c221fce2b12c4ae9e19e6909c47845
64b690d1972d2994ca623f273afc67444d84ea40cbc58fcdab7945f321a52848 64b690d1972d2994ca623f273afc67444d84ea40cbc58fcdab7945f321a52848
Proof = a295677c54d1bc4286330907fc2490a7de163da26f9ce03a462a452fea42 Proof = a295677c54d1bc4286330907fc2490a7de163da26f9ce03a462a452fea42
2b19ade296ba031359b3b6841e48455d20519ad01b4ac4f0b92e76d3cf16fbef0a3f 2b19ade296ba031359b3b6841e48455d20519ad01b4ac4f0b92e76d3cf16fbef0a3f
72791a8401ef2d7081d361e502e96b2c60608b9fa566f43d4611c2f161d83aabef7f 72791a8401ef2d7081d361e502e96b2c60608b9fa566f43d4611c2f161d83aabef7f
8017332b26ed1daaf80440772022 8017332b26ed1daaf80440772022
ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0 ProofRandomScalar = b1b748135d405ce48c6973401d9455bb8ccd18b01d0295c0
627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b 627f67661200dbf9569f73fbb3925daa043a070e5f953d80bb464ea369e5522b
Output = 8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf63 Output = 8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf63
3126de0c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8 3126de0c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8
d d
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-3"> <section anchor="test-vector-3-batch-size-2-3">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa Blind = 64d37aed22a27f5191de1c1d69fadb899d8862b58eb4220029e036ec65fa
3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce 3833a26e9388336361686ff1f83df55046504dfecad8549ba112,b1b748135d405ce
48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043 48c6973401d9455bb8ccd18b01d0295c0627f67661200dbf9569f73fbb3925daa043
a070e5f953d80bb464ea369e5522b a070e5f953d80bb464ea369e5522b
BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0 BlindedElement = 161183c13c6cb33b0e4f9b7365f8c5c12d13c72f8b62d276ca0
9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42,fc8847 9368d093dce9b42198276b9e9d870ac392dda53efd28d1b7e6e8c060cdc42,fc8847
d43fb4cea4e408f585661a8f2867533fa91d22155d3127a22f18d3b007add480f7d3 d43fb4cea4e408f585661a8f2867533fa91d22155d3127a22f18d3b007add480f7d3
00bca93fa47fe87ae06a57b7d0f0d4c30b12f0 00bca93fa47fe87ae06a57b7d0f0d4c30b12f0
skipping to change at line 2568 skipping to change at line 2259
Proof = fd94db736f97ea4efe9d0d4ad2933072697a6bbeb32834057b23edf7c700 Proof = fd94db736f97ea4efe9d0d4ad2933072697a6bbeb32834057b23edf7c700
9f011dfa72157f05d2a507c2bbf0b54cad99ab99de05921c021fda7d70e65bcecdb0 9f011dfa72157f05d2a507c2bbf0b54cad99ab99de05921c021fda7d70e65bcecdb0
5f9a30154127ace983c74d10fd910b554c5e95f6bd1565fd1f3dbbe3c523ece5c72d 5f9a30154127ace983c74d10fd910b554c5e95f6bd1565fd1f3dbbe3c523ece5c72d
57a559b7be1368c4786db4a3c910 57a559b7be1368c4786db4a3c910
ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec ProofRandomScalar = 63798726803c9451ba405f00ef3acb633ddf0c420574a2ec
6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23 6cbf28f840800e355c9fbaac10699686de2724ed22e797a00f3bd93d105a7f23
Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b Output = 4423f6dcc1740688ea201de57d76824d59cd6b859e1f9884b7eebc49b0b
971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e 971358cf9cb075df1536a8ea31bcf55c3e31c2ba9cfa8efe54448d17091daeb9924e
d,8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf633126de0 d,8691905500510843902c44bdd9730ab9dc3925aa58ff9dd42765a2baf633126de0
c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8d c3adb93bef5652f38e5827b6396e87643960163a560fc4ac9738c8de4e4a8d
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="p256-sha256"> <section anchor="p256-sha256">
<name>P256-SHA256</name> <name>P256-SHA256</name>
<section anchor="oprf-mode-2"> <section anchor="oprf-mode-2">
<name>OPRF Mode</name> <name>OPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 159749d750713afe245d2d39ccfaae8381c53ce92d098a9375ee70739c7ac skSm = 159749d750713afe245d2d39ccfaae8381c53ce92d098a9375ee70739c7ac
0bf 0bf
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-6"> <section anchor="test-vector-1-batch-size-1-6">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 03723a1e5c09b8b9c18d1dcbca29e8007e95f14f4732d9346d4 BlindedElement = 03723a1e5c09b8b9c18d1dcbca29e8007e95f14f4732d9346d4
90ffc195110368d 90ffc195110368d
EvaluationElement = 030de02ffec47a1fd53efcdd1c6faf5bdc270912b8749e78 EvaluationElement = 030de02ffec47a1fd53efcdd1c6faf5bdc270912b8749e78
3c7ca75bb412958832 3c7ca75bb412958832
Output = a0b34de5fa4c5b6da07e72af73cc507cceeb48981b97b7285fc375345fe Output = a0b34de5fa4c5b6da07e72af73cc507cceeb48981b97b7285fc375345fe
495dd 495dd
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-6"> <section anchor="test-vector-2-batch-size-1-6">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 03cc1df781f1c2240a64d1c297b3f3d16262ef5d4cf10273488 BlindedElement = 03cc1df781f1c2240a64d1c297b3f3d16262ef5d4cf10273488
2675c26231b0838 2675c26231b0838
EvaluationElement = 03a0395fe3828f2476ffcd1f4fe540e5a8489322d398be3c EvaluationElement = 03a0395fe3828f2476ffcd1f4fe540e5a8489322d398be3c
4e5a869db7fcb7c52c 4e5a869db7fcb7c52c
Output = c748ca6dd327f0ce85f4ae3a8cd6d4d5390bbb804c9e12dcf94f853fece Output = c748ca6dd327f0ce85f4ae3a8cd6d4d5390bbb804c9e12dcf94f853fece
3dcce 3dcce
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="voprf-mode-2"> <section anchor="voprf-mode-2">
<name>VOPRF Mode</name> <name>VOPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = ca5d94c8807817669a51b196c34c1b7f8442fde4334a7121ae4736364312f skSm = ca5d94c8807817669a51b196c34c1b7f8442fde4334a7121ae4736364312f
ca6 ca6
pkSm = 03e17e70604bcabe198882c0a1f27a92441e774224ed9c702e51dd17038b1 pkSm = 03e17e70604bcabe198882c0a1f27a92441e774224ed9c702e51dd17038b1
02462 02462
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-7"> <section anchor="test-vector-1-batch-size-1-7">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499 BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
4013648c01277da 4013648c01277da
EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
2e9ba29b90ae83e4a2 2e9ba29b90ae83e4a2
Proof = e7c2b3c5c954c035949f1f74e6bce2ed539a3be267d1481e9ddb178533df Proof = e7c2b3c5c954c035949f1f74e6bce2ed539a3be267d1481e9ddb178533df
4c2664f69d065c604a4fd953e100b856ad83804eb3845189babfa5a702090d6fc5fa 4c2664f69d065c604a4fd953e100b856ad83804eb3845189babfa5a702090d6fc5fa
ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
645a1 645a1
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-7"> <section anchor="test-vector-2-batch-size-1-7">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 03cd0f033e791c4d79dfa9c6ed750f2ac009ec46cd4195ca6fd BlindedElement = 03cd0f033e791c4d79dfa9c6ed750f2ac009ec46cd4195ca6fd
3800d1e9b887dbd 3800d1e9b887dbd
EvaluationElement = 030d2985865c693bf7af47ba4d3a3813176576383d19aff0 EvaluationElement = 030d2985865c693bf7af47ba4d3a3813176576383d19aff0
03ef7b0784a0d83cf1 03ef7b0784a0d83cf1
Proof = 2787d729c57e3d9512d3aa9e8708ad226bc48e0f1750b0767aaff73482c4 Proof = 2787d729c57e3d9512d3aa9e8708ad226bc48e0f1750b0767aaff73482c4
4b8d2873d74ec88aebd3504961acea16790a05c542d9fbff4fe269a77510db00abab 4b8d2873d74ec88aebd3504961acea16790a05c542d9fbff4fe269a77510db00abab
ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c Output = 771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c
24f18 24f18
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-4"> <section anchor="test-vector-3-batch-size-2-4">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
1 1
BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499 BlindedElement = 02dd05901038bb31a6fae01828fd8d0e49e35a486b5c5d4b499
4013648c01277da,03462e9ae64cae5b83ba98a6b360d942266389ac369b923eb3d5 4013648c01277da,03462e9ae64cae5b83ba98a6b360d942266389ac369b923eb3d5
57213b1922f8ab 57213b1922f8ab
EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f EvaluationElement = 0209f33cab60cf8fe69239b0afbcfcd261af4c1c5632624f
2e9ba29b90ae83e4a2,02bb24f4d838414aef052a8f044a6771230ca69c0a5677540 2e9ba29b90ae83e4a2,02bb24f4d838414aef052a8f044a6771230ca69c0a5677540
fff738dd31bb69771 fff738dd31bb69771
Proof = bdcc351707d02a72ce49511c7db990566d29d6153ad6f8982fad2b435d6c Proof = bdcc351707d02a72ce49511c7db990566d29d6153ad6f8982fad2b435d6c
e4d60da1e6b3fa740811bde34dd4fe0aa1b5fe6600d0440c9ddee95ea7fad7a60cf2 e4d60da1e6b3fa740811bde34dd4fe0aa1b5fe6600d0440c9ddee95ea7fad7a60cf2
ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
51943c8026877963 51943c8026877963
Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a Output = 0412e8f78b02c415ab3a288e228978376f99927767ff37c5718d420010a
645a1,771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c24f 645a1,771e10dcd6bcd3664e23b8f2a710cfaaa8357747c4a8cbba03133967b5c24f
18 18
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="poprf-mode-2"> <section anchor="poprf-mode-2">
<name>POPRF Mode</name> <name>POPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 6ad2173efa689ef2c27772566ad7ff6e2d59b3b196f00219451fb2c89ee4d skSm = 6ad2173efa689ef2c27772566ad7ff6e2d59b3b196f00219451fb2c89ee4d
ae2 ae2
pkSm = 030d7ff077fddeec965db14b794f0cc1ba9019b04a2f4fcc1fa525dedf72e pkSm = 030d7ff077fddeec965db14b794f0cc1ba9019b04a2f4fcc1fa525dedf72e
2a3e3 2a3e3
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-8"> <section anchor="test-vector-1-batch-size-1-8">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0 BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
db0b2bd9dd4e2c0 db0b2bd9dd4e2c0
EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
67e125db024a2c74d2 67e125db024a2c74d2
Proof = f8a33690b87736c854eadfcaab58a59b8d9c03b569110b6f31f8bf7577f3 Proof = f8a33690b87736c854eadfcaab58a59b8d9c03b569110b6f31f8bf7577f3
fbb85a8a0c38468ccde1ba942be501654adb106167c8eb178703ccb42bccffb9231a fbb85a8a0c38468ccde1ba942be501654adb106167c8eb178703ccb42bccffb9231a
ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24 Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
5c592 5c592
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-8"> <section anchor="test-vector-2-batch-size-1-8">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 021a440ace8ca667f261c10ac7686adc66a12be31e3520fca31 BlindedElement = 021a440ace8ca667f261c10ac7686adc66a12be31e3520fca31
7643a1eee9dcd4d 7643a1eee9dcd4d
EvaluationElement = 0208ca109cbae44f4774fc0bdd2783efdcb868cb4523d521 EvaluationElement = 0208ca109cbae44f4774fc0bdd2783efdcb868cb4523d521
96f700210e777c5de3 96f700210e777c5de3
Proof = 043a8fb7fc7fd31e35770cabda4753c5bf0ecc1e88c68d7d35a62bf2631e Proof = 043a8fb7fc7fd31e35770cabda4753c5bf0ecc1e88c68d7d35a62bf2631e
875af4613641be2d1875c31d1319d191c4bbc0d04875f4fd03c31d3d17dd8e069b69 875af4613641be2d1875c31d1319d191c4bbc0d04875f4fd03c31d3d17dd8e069b69
ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c ProofRandomScalar = f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5f Output = 1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5f
fce8c fce8c
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-5"> <section anchor="test-vector-3-batch-size-2-5">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a Blind = 3338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b d364,f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
1 1
BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0 BlindedElement = 031563e127099a8f61ed51eeede05d747a8da2be329b40ba1f0
db0b2bd9dd4e2c0,03ca4ff41c12fadd7a0bc92cf856732b21df652e01a3abdf0fa8 db0b2bd9dd4e2c0,03ca4ff41c12fadd7a0bc92cf856732b21df652e01a3abdf0fa8
847da053db213c 847da053db213c
EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b EvaluationElement = 02c5e5300c2d9e6ba7f3f4ad60500ad93a0157e6288eb04b
67e125db024a2c74d2,02f0b6bcd467343a8d8555a99dc2eed0215c71898c5edb77a 67e125db024a2c74d2,02f0b6bcd467343a8d8555a99dc2eed0215c71898c5edb77a
3d97ddd0dbad478e8 3d97ddd0dbad478e8
Proof = 8fbd85a32c13aba79db4b42e762c00687d6dbf9c8cb97b2a225645ccb00d Proof = 8fbd85a32c13aba79db4b42e762c00687d6dbf9c8cb97b2a225645ccb00d
9d7580b383c885cdfd07df448d55e06f50f6173405eee5506c0ed0851ff718d13e68 9d7580b383c885cdfd07df448d55e06f50f6173405eee5506c0ed0851ff718d13e68
ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba ProofRandomScalar = 350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
51943c8026877963 51943c8026877963
Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24 Output = 193a92520bd8fd1f37accb918040a57108daa110dc4f659abe212636d24
5c592,1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5ffce 5c592,1e6d164cfd835d88a31401623549bf6b9b306628ef03a7962921d62bc5ffce
8c 8c
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="p384-sha384"> <section anchor="p384-sha384">
<name>P384-SHA384</name> <name>P384-SHA384</name>
<section anchor="oprf-mode-3"> <section anchor="oprf-mode-3">
<name>OPRF Mode</name> <name>OPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test=vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = dfe7ddc41a4646901184f2b432616c8ba6d452f9bcd0c4f75a5150ef2b2ed skSm = dfe7ddc41a4646901184f2b432616c8ba6d452f9bcd0c4f75a5150ef2b2ed
02ef40b8b92f60ae591bcabd72a6518f188 02ef40b8b92f60ae591bcabd72a6518f188
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-9"> <section anchor="test-vector-1-batch-size-1-9">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364 889d89dbfa691d1cde91517fa222ed7ad364
BlindedElement = 02a36bc90e6db34096346eaf8b7bc40ee1113582155ad379700 BlindedElement = 02a36bc90e6db34096346eaf8b7bc40ee1113582155ad379700
3ce614c835a874343701d3f2debbd80d97cbe45de6e5f1f 3ce614c835a874343701d3f2debbd80d97cbe45de6e5f1f
EvaluationElement = 03af2a4fc94770d7a7bf3187ca9cc4faf3732049eded2442 EvaluationElement = 03af2a4fc94770d7a7bf3187ca9cc4faf3732049eded2442
ee50fbddda58b70ae2999366f72498cdbc43e6f2fc184afe30 ee50fbddda58b70ae2999366f72498cdbc43e6f2fc184afe30
Output = ed84ad3f31a552f0456e58935fcc0a3039db42e7f356dcb32aa6d487b6b Output = ed84ad3f31a552f0456e58935fcc0a3039db42e7f356dcb32aa6d487b6b
815a07d5813641fb1398c03ddab5763874357 815a07d5813641fb1398c03ddab5763874357
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-9"> <section anchor="test-vector-2-batch-size-1-9">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364 889d89dbfa691d1cde91517fa222ed7ad364
BlindedElement = 02def6f418e3484f67a124a2ce1bfb19de7a4af568ede6a1ebb BlindedElement = 02def6f418e3484f67a124a2ce1bfb19de7a4af568ede6a1ebb
2733882510ddd43d05f2b1ab5187936a55e50a847a8b900 2733882510ddd43d05f2b1ab5187936a55e50a847a8b900
EvaluationElement = 034e9b9a2960b536f2ef47d8608b21597ba400d5abfa1825 EvaluationElement = 034e9b9a2960b536f2ef47d8608b21597ba400d5abfa1825
fd21c36b75f927f396bf3716c96129d1fa4a77fa1d479c8d7b fd21c36b75f927f396bf3716c96129d1fa4a77fa1d479c8d7b
Output = dd4f29da869ab9355d60617b60da0991e22aaab243a3460601e48b07585 Output = dd4f29da869ab9355d60617b60da0991e22aaab243a3460601e48b07585
9d1c526d36597326f1b985778f781a1682e75 9d1c526d36597326f1b985778f781a1682e75
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="voprf-mode-3"> <section anchor="voprf-mode-3">
<name>VOPRF Mode</name> <name>VOPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 051646b9e6e7a71ae27c1e1d0b87b4381db6d3595eeeb1adb41579adbf992 skSm = 051646b9e6e7a71ae27c1e1d0b87b4381db6d3595eeeb1adb41579adbf992
f4278f9016eafc944edaa2b43183581779d f4278f9016eafc944edaa2b43183581779d
pkSm = 031d689686c611991b55f1a1d8f4305ccd6cb719446f660a30db61b7aa87b pkSm = 031d689686c611991b55f1a1d8f4305ccd6cb719446f660a30db61b7aa87b
46acf59b7c0d4a9077b3da21c25dd482229a0 46acf59b7c0d4a9077b3da21c25dd482229a0
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-10"> <section anchor="test-vector-1-batch-size-1-10">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364 889d89dbfa691d1cde91517fa222ed7ad364
BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9 a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9
EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612 EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6 46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6
Proof = bfc6cf3859127f5fe25548859856d6b7fa1c7459f0ba5712a806fc091a30 Proof = bfc6cf3859127f5fe25548859856d6b7fa1c7459f0ba5712a806fc091a30
00c42d8ba34ff45f32a52e40533efd2a03bc87f3bf4f9f58028297ccb9ccb18ae718 00c42d8ba34ff45f32a52e40533efd2a03bc87f3bf4f9f58028297ccb9ccb18ae718
2bcd1ef239df77e3be65ef147f3acf8bc9cbfc5524b702263414f043e3b7ca2e 2bcd1ef239df77e3be65ef147f3acf8bc9cbfc5524b702263414f043e3b7ca2e
ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
c095021db018cd8cbb55941d4073698ce45c405d1348b7b1 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0 Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
26b4a622beab60220bf19078bca35a529b35c 26b4a622beab60220bf19078bca35a529b35c
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-10"> <section anchor="test-vector-2-batch-size-1-10">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364 889d89dbfa691d1cde91517fa222ed7ad364
BlindedElement = 02f27469e059886f221be5f2cca03d2bdc61e55221721c3b3e5 BlindedElement = 02f27469e059886f221be5f2cca03d2bdc61e55221721c3b3e5
6fc012e36d31ae5f8dc058109591556a6dbd3a8c69c433b 6fc012e36d31ae5f8dc058109591556a6dbd3a8c69c433b
EvaluationElement = 03f16f903947035400e96b7f531a38d4a07ac89a80f89d86 EvaluationElement = 03f16f903947035400e96b7f531a38d4a07ac89a80f89d86
a1bf089c525a92c7f4733729ca30c56ce78b1ab4f7d92db8b4 a1bf089c525a92c7f4733729ca30c56ce78b1ab4f7d92db8b4
Proof = d005d6daaad7571414c1e0c75f7e57f2113ca9f4604e84bc90f9be52da89 Proof = d005d6daaad7571414c1e0c75f7e57f2113ca9f4604e84bc90f9be52da89
6fff3bee496dcde2a578ae9df315032585f801fb21c6080ac05672b291e575a40295 6fff3bee496dcde2a578ae9df315032585f801fb21c6080ac05672b291e575a40295
b306d967717b28e08fcc8ad1cab47845d16af73b3e643ddcc191208e71c64630 b306d967717b28e08fcc8ad1cab47845d16af73b3e643ddcc191208e71c64630
ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
c095021db018cd8cbb55941d4073698ce45c405d1348b7b1 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
Output = b91c70ea3d4d62ba922eb8a7d03809a441e1c3c7af915cbc2226f485213 Output = b91c70ea3d4d62ba922eb8a7d03809a441e1c3c7af915cbc2226f485213
e895942cd0f8580e6d99f82221e66c40d274f e895942cd0f8580e6d99f82221e66c40d274f
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-6"> <section anchor="test-vector-3-batch-size-2-6">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5 889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1 6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc BlindedElement = 02d338c05cbecb82de13d6700f09cb61190543a7b7e2c6cd4fc
a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9,02fa02470d7f151018b4 a56887e564ea82653b27fdad383995ea6d02cf26d0e24d9,02fa02470d7f151018b4
1e82223c32fad824de6ad4b5ce9f8e9f98083c9a726de9a1fc39d7a0cb6f4f188dd9 1e82223c32fad824de6ad4b5ce9f8e9f98083c9a726de9a1fc39d7a0cb6f4f188dd9
cea01474cd cea01474cd
EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612 EvaluationElement = 02a7bba589b3e8672aa19e8fd258de2e6aae20101c8d7612
46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6,028e9e115625ff4c2 46de97a6b5ee9cf105febce4327a326255a3c604f63f600ef6,028e9e115625ff4c2
f07bf87ce3fd73fc77994a7a0c1df03d2a630a3d845930e2e63a165b114d98fe34e6 f07bf87ce3fd73fc77994a7a0c1df03d2a630a3d845930e2e63a165b114d98fe34e6
1b68d23c0b50a 1b68d23c0b50a
Proof = 6d8dcbd2fc95550a02211fb78afd013933f307d21e7d855b0b1ed0af7807 Proof = 6d8dcbd2fc95550a02211fb78afd013933f307d21e7d855b0b1ed0af7807
6d8137ad8b0a1bfa05676d325249c1dbb9a52bd81b1c2b7b0efc77cf7b278e1c947f 6d8137ad8b0a1bfa05676d325249c1dbb9a52bd81b1c2b7b0efc77cf7b278e1c947f
6283f1d4c513053fc0ad19e026fb0c30654b53d9cea4b87b037271b5d2e2d0ea 6283f1d4c513053fc0ad19e026fb0c30654b53d9cea4b87b037271b5d2e2d0ea
ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
eca27405420cdf3d63cb3aef005f40ba51943c8026877963 eca27405420cdf3d63cb3aef005f40ba51943c8026877963
Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0 Output = 3333230886b562ffb8329a8be08fea8025755372817ec969d114d1203d0
26b4a622beab60220bf19078bca35a529b35c,b91c70ea3d4d62ba922eb8a7d03809 26b4a622beab60220bf19078bca35a529b35c,b91c70ea3d4d62ba922eb8a7d03809
a441e1c3c7af915cbc2226f485213e895942cd0f8580e6d99f82221e66c40d274f a441e1c3c7af915cbc2226f485213e895942cd0f8580e6d99f82221e66c40d274f
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="poprf-mode-3"> <section anchor="poprf-mode-3">
<name>POPRF Mode</name> <name>POPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 5b2690d6954b8fbb159f19935d64133f12770c00b68422559c65431942d72 skSm = 5b2690d6954b8fbb159f19935d64133f12770c00b68422559c65431942d72
1ff79d47d7a75906c30b7818ec0f38b7fb2 1ff79d47d7a75906c30b7818ec0f38b7fb2
pkSm = 02f00f0f1de81e5d6cf18140d4926ffdc9b1898c48dc49657ae36eb1e45de pkSm = 02f00f0f1de81e5d6cf18140d4926ffdc9b1898c48dc49657ae36eb1e45de
b8b951aaf1f10c82d2eaa6d02aafa3f10d2b6 b8b951aaf1f10c82d2eaa6d02aafa3f10d2b6
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-11"> <section anchor="test-vector-1-batch-size-1-11">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364 889d89dbfa691d1cde91517fa222ed7ad364
BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0 BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3 93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3
EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09 EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91 373e190c19ce5b185914fbf36582d7e0754bb7c8b683205b91
Proof = 82a17ef41c8b57f1e3122311b4d5cd39a63df0f67443ef18d961f9b659c1 Proof = 82a17ef41c8b57f1e3122311b4d5cd39a63df0f67443ef18d961f9b659c1
601ced8d3c64b294f604319ca80230380d437a49c7af0d620e22116669c008ebb767 601ced8d3c64b294f604319ca80230380d437a49c7af0d620e22116669c008ebb767
d90283d573b49cdb49e3725889620924c2c4b047a2a6225a3ba27e640ebddd33 d90283d573b49cdb49e3725889620924c2c4b047a2a6225a3ba27e640ebddd33
ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
c095021db018cd8cbb55941d4073698ce45c405d1348b7b1 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165 Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
27303ed449a08caf84272c3bbc972ede797df 27303ed449a08caf84272c3bbc972ede797df
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-11"> <section anchor="test-vector-2-batch-size-1-11">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364 889d89dbfa691d1cde91517fa222ed7ad364
BlindedElement = 03f7efcb4aaf000263369d8a0621cb96b81b3206e99876de2a0 BlindedElement = 03f7efcb4aaf000263369d8a0621cb96b81b3206e99876de2a0
0699ed4c45acf3969cd6e2319215395955d3f8d8cc1c712 0699ed4c45acf3969cd6e2319215395955d3f8d8cc1c712
EvaluationElement = 034993c818369927e74b77c400376fd1ae29b6ac6c6ddb77 EvaluationElement = 034993c818369927e74b77c400376fd1ae29b6ac6c6ddb77
6cf10e4fbc487826531b3cf0b7c8ca4d92c7af90c9def85ce6 6cf10e4fbc487826531b3cf0b7c8ca4d92c7af90c9def85ce6
Proof = 693471b5dff0cd6a5c00ea34d7bf127b2795164e3bdb5f39a1e5edfbd13e Proof = 693471b5dff0cd6a5c00ea34d7bf127b2795164e3bdb5f39a1e5edfbd13e
443bc516061cd5b8449a473c2ceeccada9f3e5b57302e3d7bc5e28d38d6e3a3056e1 443bc516061cd5b8449a473c2ceeccada9f3e5b57302e3d7bc5e28d38d6e3a3056e1
e73b6cc030f5180f8a1ffa45aa923ee66d2ad0a07b500f2acc7fb99b5506465c e73b6cc030f5180f8a1ffa45aa923ee66d2ad0a07b500f2acc7fb99b5506465c
ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62 ProofRandomScalar = 803d955f0e073a04aa5d92b3fb739f56f9db001266677f62
c095021db018cd8cbb55941d4073698ce45c405d1348b7b1 c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
Output = ff2a527a21cc43b251a567382677f078c6e356336aec069dea8ba369953 Output = ff2a527a21cc43b251a567382677f078c6e356336aec069dea8ba369953
43ca3b33bb5d6cf15be4d31a7e6d75b30d3f5 43ca3b33bb5d6cf15be4d31a7e6d75b30d3f5
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-7"> <section anchor="test-vector-3-batch-size-2-7">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562 Blind = 504650f53df8f16f6861633388936ea23338fa65ec36e0290022b48eb562
889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5 889d89dbfa691d1cde91517fa222ed7ad364,803d955f0e073a04aa5d92b3fb739f5
6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1 6f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b1
BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0 BlindedElement = 03859b36b95e6564faa85cd3801175eda2949707f6aa0640ad0
93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3,021a65d618d645f1a20b 93cbf8ad2f58e762f08b56b2a1b42a64953aaf49cbf1ae3,021a65d618d645f1a20b
c33b06deaa7e73d6d634c8a56a3d02b53a732b69a5c53c5a207ea33d5afdcde9a22d c33b06deaa7e73d6d634c8a56a3d02b53a732b69a5c53c5a207ea33d5afdcde9a22d
59726bce51 59726bce51
EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09 EvaluationElement = 0220710e2e00306453f5b4f574cb6a512453f35c45080d09
skipping to change at line 2946 skipping to change at line 2637
f861505e596c8645d94685dd7602cdd092a8f1c1c0194a5d0485fe47d071d972ab51 f861505e596c8645d94685dd7602cdd092a8f1c1c0194a5d0485fe47d071d972ab51
4370174cc23f5 4370174cc23f5
Proof = 4a0b2fe96d5b2a046a0447fe079b77859ef11a39a3520d6ff7c626aad9b4 Proof = 4a0b2fe96d5b2a046a0447fe079b77859ef11a39a3520d6ff7c626aad9b4
73b724fb0cf188974ec961710a62162a83e97e0baa9eeada73397032d928b3e97b1e 73b724fb0cf188974ec961710a62162a83e97e0baa9eeada73397032d928b3e97b1e
a92ad9458208302be3681b8ba78bcc17745bac00f84e0fdc98a6a8cba009c080 a92ad9458208302be3681b8ba78bcc17745bac00f84e0fdc98a6a8cba009c080
ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c ProofRandomScalar = a097e722ed2427de86966910acba9f5c350e8040f828bf6c
eca27405420cdf3d63cb3aef005f40ba51943c8026877963 eca27405420cdf3d63cb3aef005f40ba51943c8026877963
Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165 Output = 0188653cfec38119a6c7dd7948b0f0720460b4310e40824e048bf82a165
27303ed449a08caf84272c3bbc972ede797df,ff2a527a21cc43b251a567382677f0 27303ed449a08caf84272c3bbc972ede797df,ff2a527a21cc43b251a567382677f0
78c6e356336aec069dea8ba36995343ca3b33bb5d6cf15be4d31a7e6d75b30d3f5 78c6e356336aec069dea8ba36995343ca3b33bb5d6cf15be4d31a7e6d75b30d3f5
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
<section anchor="p521-sha512"> <section anchor="p521-sha512">
<name>P521-SHA512</name> <name>P521-SHA512</name>
<section anchor="oprf-mode-4"> <section anchor="oprf-mode-4">
<name>OPRF Mode</name> <name>OPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 0153441b8faedb0340439036d6aed06d1217b34c42f17f8db4c5cc610a4a9 skSm = 0153441b8faedb0340439036d6aed06d1217b34c42f17f8db4c5cc610a4a9
55d698a688831b16d0dc7713a1aa3611ec60703bffc7dc9c84e3ed673b3dbe1d5fcc 55d698a688831b16d0dc7713a1aa3611ec60703bffc7dc9c84e3ed673b3dbe1d5fcc
ea6 ea6
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-12"> <section anchor="test-vector-1-batch-size-1-12">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 0300e78bf846b0e1e1a3c320e353d758583cd876df56100a3a1 BlindedElement = 0300e78bf846b0e1e1a3c320e353d758583cd876df56100a3a1
e62bacba470fa6e0991be1be80b721c50c5fd0c672ba764457acc18c6200704e9294 e62bacba470fa6e0991be1be80b721c50c5fd0c672ba764457acc18c6200704e9294
fbf28859d916351 fbf28859d916351
EvaluationElement = 030166371cf827cb2fb9b581f97907121a16e2dc5d8b10ce EvaluationElement = 030166371cf827cb2fb9b581f97907121a16e2dc5d8b10ce
9f0ede7f7d76a0d047657735e8ad07bcda824907b3e5479bd72cdef6b839b967ba5c 9f0ede7f7d76a0d047657735e8ad07bcda824907b3e5479bd72cdef6b839b967ba5c
58b118b84d26f2ba07 58b118b84d26f2ba07
Output = 26232de6fff83f812adadadb6cc05d7bbeee5dca043dbb16b03488abb99 Output = 26232de6fff83f812adadadb6cc05d7bbeee5dca043dbb16b03488abb99
81d0a1ef4351fad52dbd7e759649af393348f7b9717566c19a6b8856284d69375c80 81d0a1ef4351fad52dbd7e759649af393348f7b9717566c19a6b8856284d69375c80
9 9
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-12"> <section anchor="test-vector-2-batch-size-1-12">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 0300c28e57e74361d87e0c1874e5f7cc1cc796d61f9cad50427 BlindedElement = 0300c28e57e74361d87e0c1874e5f7cc1cc796d61f9cad50427
cf54655cdb455613368d42b27f94bf66f59f53c816db3e95e68e1b113443d66a99b3 cf54655cdb455613368d42b27f94bf66f59f53c816db3e95e68e1b113443d66a99b3
693bab88afb556b 693bab88afb556b
EvaluationElement = 0301ad453607e12d0cc11a3359332a40c3a254eaa1afc642 EvaluationElement = 0301ad453607e12d0cc11a3359332a40c3a254eaa1afc642
96528d55bed07ba322e72e22cf3bcb50570fd913cb54f7f09c17aff8787af75f6a7f 96528d55bed07ba322e72e22cf3bcb50570fd913cb54f7f09c17aff8787af75f6a7f
af5640cbb2d9620a6e af5640cbb2d9620a6e
Output = ad1f76ef939042175e007738906ac0336bbd1d51e287ebaa66901abdd32 Output = ad1f76ef939042175e007738906ac0336bbd1d51e287ebaa66901abdd32
4ea3ffa40bfc5a68e7939c2845e0fd37a5a6e76dadb9907c6cc8579629757fd4d04b 4ea3ffa40bfc5a68e7939c2845e0fd37a5a6e76dadb9907c6cc8579629757fd4d04b
a a
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="voprf-mode-4"> <section anchor="voprf-mode-4">
<name>VOPRF Mode</name> <name>VOPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 015c7fc1b4a0b1390925bae915bd9f3d72009d44d9241b962428aad5d13f2 skSm = 015c7fc1b4a0b1390925bae915bd9f3d72009d44d9241b962428aad5d13f2
2803311e7102632a39addc61ea440810222715c9d2f61f03ea424ec9ab1fe5e31cf9 2803311e7102632a39addc61ea440810222715c9d2f61f03ea424ec9ab1fe5e31cf9
238 238
pkSm = 0301505d646f6e4c9102451eb39730c4ba1c4087618641edbdba4a60896b0 pkSm = 0301505d646f6e4c9102451eb39730c4ba1c4087618641edbdba4a60896b0
7fd0c9414ce553cbf25b81dfcca50a8f6724ab7a2bc4d0cf736967a287bb6084cc06 7fd0c9414ce553cbf25b81dfcca50a8f6724ab7a2bc4d0cf736967a287bb6084cc06
78ac0 78ac0
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-13"> <section anchor="test-vector-1-batch-size-1-13">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2 BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679 7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
5b4b3628a4f6380 5b4b3628a4f6380
EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e EvaluationElement = 03013fdeaf887f3d3d283a79e696a54b66ff0edcb559265e
204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40 204a958acf840e0930cc147e2a6835148d8199eebc26c03e9394c9762a1c991dde40
bca0f8ca003eefb045 bca0f8ca003eefb045
Proof = 0077fcc8ec6d059d7759b0a61f871e7c1dadc65333502e09a51994328f79 Proof = 0077fcc8ec6d059d7759b0a61f871e7c1dadc65333502e09a51994328f79
e5bda3357b9a4f410a1760a3612c2f8f27cb7cb032951c047cc66da60da583df7b24 e5bda3357b9a4f410a1760a3612c2f8f27cb7cb032951c047cc66da60da583df7b24
7edd0188e5eb99c71799af1d80d643af16ffa1545acd9e9233fbb370455b10eb257e 7edd0188e5eb99c71799af1d80d643af16ffa1545acd9e9233fbb370455b10eb257e
a12a1667c1b4ee5b0ab7c93d50ae89602006960f083ca9adc4f6276c0ad60440393c a12a1667c1b4ee5b0ab7c93d50ae89602006960f083ca9adc4f6276c0ad60440393c
ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1 Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954 a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
b b
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-13"> <section anchor="test-vector-2-batch-size-1-13">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 03005b05e656cb609ce5ff5faf063bb746d662d67bbd07c0626 BlindedElement = 03005b05e656cb609ce5ff5faf063bb746d662d67bbd07c0626
38396f52f0392180cf2365cabb0ece8e19048961d35eeae5d5fa872328dce98df076 38396f52f0392180cf2365cabb0ece8e19048961d35eeae5d5fa872328dce98df076
ee154dd191c615e ee154dd191c615e
EvaluationElement = 0301b19fcf482b1fff04754e282292ed736c5f0aa080d4f4 EvaluationElement = 0301b19fcf482b1fff04754e282292ed736c5f0aa080d4f4
2663cd3a416c6596f03129e8e096d8671fe5b0d19838312c511d2ce08d431e43e3ef 2663cd3a416c6596f03129e8e096d8671fe5b0d19838312c511d2ce08d431e43e3ef
06199d8cab7426238d 06199d8cab7426238d
Proof = 01ec9fece444caa6a57032e8963df0e945286f88fbdf233fb5101f0924f7 Proof = 01ec9fece444caa6a57032e8963df0e945286f88fbdf233fb5101f0924f7
ea89c47023f5f72f240e61991fd33a299b5b38c45a5e2dd1a67b072e59dfe86708a3 ea89c47023f5f72f240e61991fd33a299b5b38c45a5e2dd1a67b072e59dfe86708a3
59c701e38d383c60cf6969463bcf13251bedad47b7941f52e409a3591398e2792441 59c701e38d383c60cf6969463bcf13251bedad47b7941f52e409a3591398e2792441
0b18a301c0e19f527cad504fa08388050ac634e1b05c5216d337742f2754e1fc502f 0b18a301c0e19f527cad504fa08388050ac634e1b05c5216d337742f2754e1fc502f
ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b Output = fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b
54b6604d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf47 54b6604d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf47
4 4
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-8"> <section anchor="test-vector-3-batch-size-2-8">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7 d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b 39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
1 1
BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2 BlindedElement = 0301d6e4fb545e043ddb6aee5d5ceeee1b44102615ab04430c2
7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679 7dd0f56988dedcb1df32ef384f160e0e76e718605f14f3f582f9357553d153b99679
5b4b3628a4f6380,0301403b597538b939b450c93586ba275f9711ba07e42364bac1 5b4b3628a4f6380,0301403b597538b939b450c93586ba275f9711ba07e42364bac1
d5769c6824a8b55be6f9a536df46d952b11ab2188363b3d6737635d9543d4dba14a6 d5769c6824a8b55be6f9a536df46d952b11ab2188363b3d6737635d9543d4dba14a6
skipping to change at line 3092 skipping to change at line 2783
9b3f95dbb1ff366e81e86e918f9f2fd8b80dbb344cd498c9499d112905e585417e00 9b3f95dbb1ff366e81e86e918f9f2fd8b80dbb344cd498c9499d112905e585417e00
68c600fe5dea18b389ef6c4cc062935607b8ccbbb9a84fba3143868a3e8a58efa0bf 68c600fe5dea18b389ef6c4cc062935607b8ccbbb9a84fba3143868a3e8a58efa0bf
6ca642804d09dc06e980f64837811227c4267b217f1099a4e28b0854f4e5ee659796 6ca642804d09dc06e980f64837811227c4267b217f1099a4e28b0854f4e5ee659796
ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24 ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba 27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
51943c8026877963 51943c8026877963
Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1 Output = 5e003d9b2fb540b3d4bab5fedd154912246da1ee5e557afd8f56415faa1
a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954 a0fadff6517da802ee254437e4f60907b4cda146e7ba19e249eef7be405549f62954
b,fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b54b6604 b,fa15eebba81ecf40954f7135cb76f69ef22c6bae394d1a4362f9b03066b54b6604
d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf474 d39f2e53369ca6762a3d9787e230e832aa85955af40ecb8deebb009a8cf474
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
<section anchor="poprf-mode-4"> <section anchor="poprf-mode-4">
<name>POPRF Mode</name> <name>POPRF Mode</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a Seed = a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a
3a3 3a3
KeyInfo = 74657374206b6579 KeyInfo = 74657374206b6579
skSm = 014893130030ce69cf714f536498a02ff6b396888f9bb507985c32928c442 skSm = 014893130030ce69cf714f536498a02ff6b396888f9bb507985c32928c442
7d6d39de10ef509aca4240e8569e3a88debc0d392e3361bcd934cb9bdd59e339dff7 7d6d39de10ef509aca4240e8569e3a88debc0d392e3361bcd934cb9bdd59e339dff7
b27 b27
pkSm = 0301de8ceb9ffe9237b1bba87c320ea0bebcfc3447fe6f278065c6c69886d pkSm = 0301de8ceb9ffe9237b1bba87c320ea0bebcfc3447fe6f278065c6c69886d
692d1126b79b6844f829940ace9b52a5e26882cf7cbc9e57503d4cca3cd834584729 692d1126b79b6844f829940ace9b52a5e26882cf7cbc9e57503d4cca3cd834584729
f812a f812a
]]></artwork> ]]></sourcecode>
<section anchor="test-vector-1-batch-size-1-14"> <section anchor="test-vector-1-batch-size-1-14">
<name>Test Vector 1, Batch Size 1</name> <name>Test Vector 1, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00 Input = 00
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849 82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
d5ebb2238f2f0e2 d5ebb2238f2f0e2
EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119 EvaluationElement = 0301408e9c5be3ffcc1c16e5ae8f8aa68446223b0804b119
62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a 62e856af5a6d1c65ebbb5db7278c21db4e8cc06d89a35b6804fb1738a295b691638a
skipping to change at line 3132 skipping to change at line 2823
Proof = 0106a89a61eee9dd2417d2849a8e2167bc5f56e3aed5a3ff23e22511fa1b Proof = 0106a89a61eee9dd2417d2849a8e2167bc5f56e3aed5a3ff23e22511fa1b
37a29ed44d1bbfd6907d99cfbc558a56aec709282415a864a281e49dc53792a4a638 37a29ed44d1bbfd6907d99cfbc558a56aec709282415a864a281e49dc53792a4a638
a0660034306d64be12a94dcea5a6d664cf76681911c8b9a84d49bf12d4893307ec14 a0660034306d64be12a94dcea5a6d664cf76681911c8b9a84d49bf12d4893307ec14
436bd05f791f82446c0de4be6c582d373627b51886f76c4788256e3da7ec8fa18a86 436bd05f791f82446c0de4be6c582d373627b51886f76c4788256e3da7ec8fa18a86
ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548 Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733 82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
b b
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-2-batch-size-1-14"> <section anchor="test-vector-2-batch-size-1-14">
<name>Test Vector 2, Batch Size 1</name> <name>Test Vector 2, Batch Size 1</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364 d364
BlindedElement = 030112ea89cf9cf589496189eafc5f9eb13c9f9e170d6ecde7c BlindedElement = 030112ea89cf9cf589496189eafc5f9eb13c9f9e170d6ecde7c
5b940541cb1a9c5cfeec908b67efe16b81ca00d0ce216e34b3d5f46a658d3fd8573d 5b940541cb1a9c5cfeec908b67efe16b81ca00d0ce216e34b3d5f46a658d3fd8573d
671bdb6515ed508 671bdb6515ed508
EvaluationElement = 0200ebc49df1e6fa61f412e6c391e6f074400ecdd2f56c4a EvaluationElement = 0200ebc49df1e6fa61f412e6c391e6f074400ecdd2f56c4a
8c03fe0f91d9b551f40d4b5258fd891952e8c9b28003bcfa365122e54a5714c8949d 8c03fe0f91d9b551f40d4b5258fd891952e8c9b28003bcfa365122e54a5714c8949d
skipping to change at line 3158 skipping to change at line 2849
Proof = 0082162c71a7765005cae202d4bd14b84dae63c29067e886b82506992bd9 Proof = 0082162c71a7765005cae202d4bd14b84dae63c29067e886b82506992bd9
94a1c3aac0c1c5309222fe1af8287b6443ed6df5c2e0b0991faddd3564c73c7597ae 94a1c3aac0c1c5309222fe1af8287b6443ed6df5c2e0b0991faddd3564c73c7597ae
cd9a003b1f1e3c65f28e58ab4e767cfb4adbcaf512441645f4c2aed8bf67d132d966 cd9a003b1f1e3c65f28e58ab4e767cfb4adbcaf512441645f4c2aed8bf67d132d966
006d35fa71a34145414bf3572c1de1a46c266a344dd9e22e7fb1e90ffba1caf556d9 006d35fa71a34145414bf3572c1de1a46c266a344dd9e22e7fb1e90ffba1caf556d9
ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07 ProofRandomScalar = 015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e07
3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c 3a04aa5d92b3fb739f56f9db001266677f62c095021db018cd8cbb55941d4073698c
e45c405d1348b7b1 e45c405d1348b7b1
Output = 27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af Output = 27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af
5762c3638afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e 5762c3638afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e
3 3
]]></artwork> ]]></sourcecode>
</section> </section>
<section anchor="test-vector-3-batch-size-2-9"> <section anchor="test-vector-3-batch-size-2-9">
<name>Test Vector 3, Batch Size 2</name> <name>Test Vector 3, Batch Size 2</name>
<artwork><![CDATA[ <sourcecode type="test-vectors"><![CDATA[
Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a Input = 00,5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a
Info = 7465737420696e666f Info = 7465737420696e666f
Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333 Blind = 00d1dccf7a51bafaf75d4a866d53d8cafe4d504650f53df8f16f68616333
88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a 88936ea23338fa65ec36e0290022b48eb562889d89dbfa691d1cde91517fa222ed7a
d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7 d364,015e80ae32363b32cb76ad4b95a5a34e46bb803d955f0e073a04aa5d92b3fb7
39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b 39f56f9db001266677f62c095021db018cd8cbb55941d4073698ce45c405d1348b7b
1 1
BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f BlindedElement = 020095cff9d7ecf65bdfee4ea92d6e748d60b02de34ad98094f
82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849 82e25d33a8bf50138ccc2cc633556f1a97d7ea9438cbb394df612f041c485a515849
d5ebb2238f2f0e2,0201a328cf9f3fdeb86b6db242dd4cbb436b3a488b70b72d2fbb d5ebb2238f2f0e2,0201a328cf9f3fdeb86b6db242dd4cbb436b3a488b70b72d2fbb
skipping to change at line 3191 skipping to change at line 2882
de5cdfa275152d52b6a2fdf7792ef3779f39ba34581e56d62f78ecad5b7f8083f384 de5cdfa275152d52b6a2fdf7792ef3779f39ba34581e56d62f78ecad5b7f8083f384
961501cd4b43713253c022692669cf076b1d382ecd8293c1de69ea569737f37a2477 961501cd4b43713253c022692669cf076b1d382ecd8293c1de69ea569737f37a2477
2ab73517983c1e3db5818754ba1f008076267b8058b6481949ae346cdc17a8455fe2 2ab73517983c1e3db5818754ba1f008076267b8058b6481949ae346cdc17a8455fe2
ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24 ProofRandomScalar = 01ec21c7bb69b0734cb48dfd68433dd93b0fa097e722ed24
27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba 27de86966910acba9f5c350e8040f828bf6ceca27405420cdf3d63cb3aef005f40ba
51943c8026877963 51943c8026877963
Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548 Output = 808ae5b87662eaaf0b39151dd85991b94c96ef214cb14a68bf5c1439548
82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733 82d330da8953a80eea20788e552bc8bbbfff3100e89f9d6e341197b122c46a208733
b,27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af5762c36 b,27032e24b1a52a82ab7f4646f3c5df0f070f499db98b9c5df33972bd5af5762c36
38afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e3 38afae7912a6c1acdb1ae2ab2fa670bd5486c645a0e55412e08d33a4a0d6e3
]]></artwork> ]]></sourcecode>
</section> </section>
</section> </section>
</section> </section>
</section> </section>
<section anchor="acknowledgements" numbered="false">
<name>Acknowledgements</name>
<t>This document resulted from the work of the Privacy Pass team
<xref target="PrivacyPass"/>. The authors would also like to acknowledge helpful
conversations with <contact fullname="Hugo Krawczyk"/>. <contact fullname="Eli-S
haoul Khedouri"/> provided
additional review and comments on key consistency. <contact fullname="Daniel Bou
rdrez"/>,
<contact fullname="Tatiana Bradley"/>, <contact fullname="Sofia Celi"/>, <contac
t fullname="Frank Denis"/>, <contact fullname="Julia Hesse"/>, <contact fullname
="Russ Housley"/>,
<contact fullname="Kevin Lewi"/>, <contact fullname="Christopher Patton"/>, and
<contact fullname="Bas Westerbaan"/> also provided
helpful input and contributions to the document.</t>
</section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA+y9a2PbRpIu/B2/Asf5EGmGZHC/OJM9a1u240liay3HszvZ
nKgBNCSsKZJDUJY1nuxveX/L+8vOU9XdQAMk5fsk2RPPRRIJ9KW6Lk9VV1dP
p1Nn02zm8rb7pJg3L5vlZeset/KyWq7FolpeuA8uF+WmWS5a9+DJ8dMH7aF7
2TaLM/d43VzI6ZN1Jdfuw/XyctU6oijW8iVaouecalkuxAUartai3kyb9aae
lvX6bPpyuVrX08B3KrGRt50S/3+2XF/fdptFvXScZrW+7W7Wl+0m8LzcC5wX
8vpqua5uu48WG7leyM30iFp0nHaDIf4k5ssFermWrbNqbrs/bJblxG2X681a
1i1+u76gX350HHG5OV+ubzvu1HHxr1m0t907M/dIvGyqdrngD9WI78zlq+Hn
y/XZbffuWryU7smy3lyJteTP5YVo5rddgRdmlX4hD/71jD6elcuLcWcPxN+n
X2MSGLj8u93j+oLIveN77vnefHlZ1XP0OgEVyhl/02KGcnPb9T3ffba8WrRy
UbknG/6ubDYg6IlYuA+wjmXTlkv1+fJysSFaf79oNpIeB/Vbd1m7dy7kuinF
YFbri1r8/fxfy673rSk9nrknl3MwjrDp97gpXww//wVnscBgbprCvRktzF+W
y8qawb3zddNulqtzcLf97S84j1Jc/eu5FCsIX9Fs2hkEwXEWSzDOpnkJOXLd
pw/uBb6f34YMQZKGX6RplNGvENuXorw+Fm17m1vX0q8/d+kL9blYn9F8zjeb
VXv7iy/Oms35ZUHU+2Klnl3h0S82Ulzw8yzMbi3mLUnG3YdeNGj/2bnk6TWl
e9TUdSPB5vM5mB49L4u5vNjZqURXi82sEeV6BtJ/AY0QfRF6yY4eXbeTb/43
1T/1Kh/NIL5Ylu5TtZJyjRFByz2VrRTr8nz3y09n7kMxn4vF5s2v3zsXlxfH
EmoRHIB+nzya+R7+66VfhNM48qZR5qX+NPop5YflcuElw8d8P038JM1/8vHE
gxPP29lKmgb+NP3JD/DQn7/55t99qxXfy7+4f7lenhzPAs9PZqGnHvKjYVN5
mk3DaZIE0yhOvGya/eSHePLkz9+c+Olt9zNXVBXYEqt0ielfu4UsxWUrqQ33
JSYIs+Cei9bdXK+W7cxe7lsnx18/evzvUGzMUaS/sfzLtXQ352LjHst1LcsN
mvy6qcDx5pnWrdcg56NNK+f1rZ0sUS0bZgUzz0f3ju6d0DTTWRJZfPHnywXE
kz5X4gl5ki3JhWGQW48WtzBQesJ9dP/+fTdMN+faxgiyeGLu3lsuarmWi1K6
mOoRVMK6KS5JVO8tL1aXGzKEJ9ftRl7APPJIDm/p5kEjUgb7BrmPWZX6+U7M
m3N57p6cN2uo0EYs9jwIkVo07VxcuX+GOipfNHue+/rybOl+sxZX5d+vX+x5
5jF0UIs+xSu5IM3z7N7Tk2d/CfxdPOOF/tRLvSyehj8FxDNHD0+ePfez/tnY
j79YLVdy004x72zqeQGJ7cn9e/7tIafcv+eij/uwFitSD/cu17Cy99bXq83y
bC1W59e7GeHq6mrWyvKMuQG/+NOXwWxV1e+uG4iIlWDuW67d+9BOZSMXm8EY
FMZxDzDah4d4/fGjk2c80rabcuIF2Rf0+ezBo+OTmZ8l08hxptOpKwowjiih
r+8s3oSzFMw6dJvWFe7majldifXm2l2tlwA2yzlkcHMl5cIp5zxGvEy8DWnk
wZcdW26gcJeXG/xF9kTs64z6mjmknXUr6OglyyQ1gG9d1vYb6QKGTbg7+kL3
Pn4YhgcdwqBu+BMygeicfjXjn9ivz6E0F31PerhXsDT41eFvaSpicb05518K
fH7zwPQsdMsLibbk2jGv8PBcGE3dF0a6YLgK67oAimuXbgvZb+trUGyxZBJh
Ap+jyaZuRNHMYck/nwCzzudQAsJ9Ti+jFfULJtxerkEONb+WW+V3r5Xes0YI
PYoGnHYlSzRd2rNxq8u1WUL5SpaXZhw2IftOzdCdAt+CWRrS1dOlYbOJ2432
2IyWf8FL8+VVP9ielVpnszRr664u0VKpSYfPDS0Vq7GmnMG8g1+B+C8vaF31
pCS1yeSdODxUtUyqc0gexA6DJW1KS94s3FYLIhEDzsWSnYszdi4meKGcX1ag
iyONqihZAMe9s+Rg9NVluTFUU6LsPliuL3trrWTaObj34OlDCNyCn3z09NmD
mRLbi6aq5tJxPiOroNrDZCHENwmT++DgxcR9pQR44UqjTWDrNMWAdpzavLMR
L5izB+v/gukk3JdifindVy5MrBYsnmn3cgOXxx5JoyaLJkDT7qlvDv7zp0P3
KzUw+rWh5ioYM/R82bTnakRkeIWrWsJgW3GxmtvNQH/RSJeKTPhaguSApgse
LN47kxio883BoZKqXs1htd9OqeFLxYCOmr/izIl7BRmWtvCcL+cVNUVN9wSz
NAs/4LRLDFIx7qsZQ9CuR837xRI2n4WGlNgSSwSTtaZ1wLw6ZeqYNW0vwTWd
JA+1mHlGqy93S305Sn29+HKsrKolOoe2Ua+M1d0rYE3T+Ay891zrorlUmuvg
eU9brcyYXpqfdR+s20ikJQu3NXyeTjd4sJoSHSx9cW3YCQQul2tottVywSKo
m1CNf94aJcGq+Oq8YSp1PbxYgNSsdjrtNOIOVgmHDrPHS7EG3tFW6/lgPts2
ryG4Bs7ctVwT9/pwwlaR+YAaesCro1+eag1XqRlOdPPdx47mHKW1BmpQGxw9
HgAvCU+LKbesHYugNASmqRobulLBkxE5jVrtqeiMmaynoaIITaNuXqFFPSLX
UgxEYkf+7RIaZc5LvOxMleNwdAawHSBLEVtCEonYqxU6Z31ua9vb7kqDcyLM
BqhdEvXLNdxPqA42VG15Li8w/9evlSfy888TVzuJeEkSuekx0xD0/HLNjytP
gx4HOZ2uI0JrGDeNRq+OfFWes4bBah7f+eY+3v3fT47v/Nv39796ND2a9cGl
5Ur87VL+/PPMGckJWAs6ZIGlaluxviaGYbawp63kG8s18IbR1fHTR8/v3PuP
4zsnJ6o/if4sN3hq9Ao6HguooTUJYEFKji0/2NLZS1h3TFgzLuYKrBUT2o9o
ms4+06sM7pbdNSOF7rts5hv3EjzobNtbpS67ZoHxSrg+aFYKDKVTo1pYJw5F
4c4UW1oUBZsvWsjS2rCV1nzNmmYKlKOMwEqyAt6azFoy9xA4YVFYUlSlvWxv
tOqORups1WfwJUkySLtCOz66/+xBBw1oLOarDnpgDJ99Rk48Mdt8eeY4P6j4
ZeD/eGBcj80S9GMmYOfjfHMx/2JflPPwNsCEewc0uXYvyAF+9PTkIWb2spFX
pBZoojRz0433Xt14upuqAsFa1cd2437+Po37uWr8QfPKlev1cm01mL1Xg5lN
FFk1UAcwC+DyszPZKklkOEJL6ELwwS6KYFbP6Xv1nKqe9fqeL6/QKbm9rBzA
qFA6EJ6KeaNuoEibvwN4YFCA8SWGCWK+xbgJQ+4bd/Je407ekmK9HjiXFLys
rJ7j9+o5fpe1evrw23tWj9F79RjpNSILCTGFmljzjCg4SpLPoU0gOKzOddso
p520wfOBfjOqyRpO+F7DCdVw7ndTby4YR7FsuYUgbQ5Np3XRsVjIOXTRaNWD
9+o6UF2fYLpzi/Zk99u+7fdSTL4/kIT75GoQfTGFu3N4B+YDpbJFVfWPEL3Z
2VUfsEtkxvJe2sv3biJx17j3XtrL09rrBEYJTHS92IhXPIU99rHHUI2ySVP3
O/FCKqr03lCNJWnIxFNTzQKkaKrOhxvjRW7lhC3zNcOZM7nQNpG+eSovMFkO
UZLCUZaz3ciVFq2SzEbH12YIrXq1FqSX+q+1xVSNcEhoLsjO8hBA1zmNoTO+
Q/tMz3y/qngKlhFnkI1+5P7HhyqyW7H3Mg+eMQ/VcrXZFdHQ4YdFu1lf6tUg
Mr1+bSKWhIu6oR1PwyxSap64m+LXJ1/f4Q8pBiEFx6joo9gP9k7JaEDSKjSE
XhoVMLVn/V6mydOm6S6xWUHMRgDwQlLzTXtBQ79YVtI9gCw2tLHDi/uyx5r8
LcFo1724nG8avX76QdJT/MjhTOEEQGp6AjLBNl2p0UoOmJAePTIWZfw8Mfmd
40c7eEItHCj6zf1pECe65VLUUZS5ZUN2iZeDnn3Mypys7NeiPX+2PCkF+HUg
hdfcAKlA690h99NYlExxU0ff3v835YyNGqLndNCileAspb0otnymCEDcgS+X
FDXsofJH4Yr3MvxeYrSXUh6YEeNzV85ZOypfWNFsa+m0XqFNDxIjcSE3FCYm
WbEjibyK1M6lmuIWgdyzy6YSi5IX7MFyXrnfL4qhOoSKAA7XgIkee7LaNBe0
FmqjRNKPZctQiz1yFWd0D7Q/DO92Lqsz2Uc5u2jYoa08K5rCRbOg4FU5UqUQ
ls35svooi/VeWMnTWOk7ojroQVvI8OY2yyCOFevtEAIe2L25hHeCZbW+wNNA
oE0nVcdYk+2lAecOVSH65dGZDbqZGdCIWEuYJQrvguB4fyNfbUYq1TYz928g
1XuBPE+DPBNYBZ/0sZ0TFdvRw2r1xgY9CZsLbhlE47XKW1O4Y23FK1ngmbbL
BXA95BpsbklFITYlR9lYHrrI81BfHKgwCDkEKpr7aoOm8PWhVqK8BYTl9XMF
IVjf2aurdJcdY2AfHlb6peTtZFAcnvP06Gt3uRYl9LjYbET5Qi25DsF3qnfL
T+9ktw+nc6y2etmUrPjRA3vsI7V7TMpxiv+CrqWEtiZkwBrFmHy3FWfSopeO
dozUvemJYxPkusuVXFQtAWJ70ha7vBcI9zQI5w13qIE+UGb2Svqgi62FurFr
TUdI5mxt08hYQxaAqmnLy5Y1ErmGtAkC4AMLtS14bBrXyxXDyJ++YBj5Ey0r
wLliKTE/g8hszi94e7UHkttrKNr28mLFgzIrPeugOYelu7ZA8JLWi4bIHGwC
gO3ojYEsQ8bNw71ptKxaNWTZDQWq1EIDHy3Ujhxt9J9PN8spb7oYr0CS7DFu
7jayhrqtW/f38oC8oItrqOAYT8daprLfokXXHaxlq6izTYxgDeZryKFAQk9e
a8Dv5VZ52q26ga5gI2gxyUQF8d6lj8ESQIcqnoKC4EhmH9sEzrskRAB9eKmT
9zj01HMXBbmeKpWpnaxnOtKv0jBufff9ybNbE/XTffyEf396/9++f/T0/hH9
DnT37bfdL45+4uTrJ99/e9T/1r9578l3391/fKRexqfu4CPn1nd3/uOWcsNu
PTl+9ujJ4zvf3lJbcnZAkKI0hooAAhC3Detmx8QnSRrcu/eO////z4/gEPwv
nRL188/6j8xPI/xxdS4XqrflAohA/Qncce1Aa0lBHp0CnGLVbMScApet20In
LFzaigD9iICPl1pbUkPPGJcs58uza0XMeklbTGxhuhRKenDRvYXJcCx4cw41
cHZu9rbNbGccdGN0C+BX/BcFQ05fnU7cKzDPmhDC6VwuDl4dnrLRl2gYdIG9
xKdnEFjMobjWAIOa2Vwt+QN0vBbXLbXFAzq9pjZVg6/cf/zDvbYb5GitQ7lq
CwrHLzrt9yh4cnJ88GrivvpWLg5vk52FYaZ9ZExxMV3IM+V9sM6FrqPuGCYK
axRoGPJngtaVGfoptXlKRB8srF5Dj7YMZkR+lU5EAH6wLwq2uKQtObsnJkdz
NoV5aoSijMtKmOZC69Wty+kz9/sfHv94imZqwqg05IVuRG+lf894BBaBlvcx
iE4JQARdr1eUb/JMRc/pL/dU7UicAp2KBRlGSCvegqFXQ6jdy4XNzNAbgqLW
qkWempkBMczf5Xo5BfSWr3SUkge5Vgjl9Psf/gvj7ncpPfdPX7n/5f7JfQxm
ujOfDwzJgtVfCR1BmzEDQm9L3Vw0FWFGhyTDPb4G0l5M5w3ZM96BLuFaztz7
BDXsvW2KrEIt86aFslOqX+ONtI4eBmFA61mdCsIb4O2MNg7185SDRsqO7Rtt
E6pHXIIxRCpnHP/rd4YtaE0z4t2zmZLV02PlbzyiIZ7yGqjV61lAj57JSq+T
y7JQ6mOwn+rofdc+4YV3L4Xawjg9ZuTy9v04qh9SerRVvWsHdJQWcpeeG02I
MPKwa5qC4kzFh5TZtjhjJhbrotmsyY5oaVwssfxrkmGMauEGf2ovV//iJ3/6
gn66U9c3eoZ3b/RL4Ck0WWpUAyDRdumDo5GQChoOV62pw3zHrU0VsNKZIp0m
oybrpVKjYy3aEcRxTnhuhlPMXtqtI0DGl/IbeX0smjXbLCmrqbFCBkbeYlLd
Obn36JEmEsw3bTrP29lY0ZNv2u7R65ZAsWIHZrq9O4+E3Wf++g2pYvTgc/Wk
vef45peO1UvddvzbvKP8M0oU7rB0Q+7Gcj1zv1UZEINclE4L9GFiMtTuKDFt
uFRT7fvdNmEDJTW7G1ahg0HmjBkKuoE6H+WMKdn5XOfSuH0SGGX4HK/lvIEB
p/1wjYb6ndItjcg7usSFBOZJUpTfIxcl3mYAeMq7kKeUALsN+Dtny2R5kRfX
K+BCgp+UvVstzyiY6YIuEn/acBIwhiMpBncrD7BU+eN6E5cGQnE1HscQKxOW
7Gl5db5su2Ux+AEG5fH5qRFuZ6v7fq95AHNVukPRLLSLiOFoaihZ5wEpCLp1
iMR9/RlN2XEejUjOqIcdJdntBdv+DVloHRid2BR3FMXNAIhi2qdj5oBJvBBo
j3LlYdtdlf3DLquLIezIQ3MIjZno24EKFLJapFGpHcTN9SEn5eloixqwelK/
aHaw1ehm7vctJ1hPGB7oZygbRuk8FTqq4TRUrrYjala6AxLBE9JqaohsNgAq
oNvnfcSsz+cpz5fksveRNpD0FLRhk6P64U4cNW/9nB7pwTPOxboQGCzwsISw
TpR+h1tWc7K0tW+vSOnYTaiAiMFA6He2zddzNhcdZ+tpcV6RQ4FxAqLKHqoh
Khxk9zk71Lr5clEJDmvMdffdCnPCFLMMYb4/nirTYlawW4XTRxihQeHd8p3e
0cx893RAoAm+cf/o3nW/wv/+6OKpBnaMUj8EAOBFsUXPO/hOJSlR+9SsNui6
uQ2TWxtQikCZYU3v2ECPez2Y3qE8P/6BvvErjV1H1O09gSXhX/d0zaMb5glR
1yClZO/V3gQarGFPRPZ+HCMPdzQROX8fHUx9sBX4q50oaeYIEbkVCq6u/0CD
pKHPZjMm18wZkZpIAqKu/nDnK5oMrWlJWxnksqkUtJ3To8xIJeZqd3aHzIwH
o+j0Hdp5CK9qfYixPIQ2WbCe7xb+Di/7XZXGTIEIQu2UKCJUrGelTrNQ46Am
ZKmCwuh8oBfWkhGPvPjDHZoTJem+4Fd2Nwo/4K6iLOWMkR+oV4p3de6Y/G02
qIoerZVgxiM5ffjgYHUIUgot8dDbc975UiK00hu9UB2dJPXqpkPwPI2200bE
Ra+9ietPaAWheKf+z6ezURYPsBAfEYFdPb2v6KiFR5Hc9jZH+tEEyCjASRqB
h+HoKU4MNbBK82sYlL+QE3dFGk80c3JDL43AadHrHXFeAdLRHEp4uXyh2ERs
Z0IxWGMLdQAn9wlbSEWUbfXoHjQzeEFQarxp8UjrkvGLYx2zs41Hqo2Hhl3H
jfR8vKsVelVtqLHhO3iFt4/svROGfRdiRVCp824pTsiwmnx15fZajWsbqoQQ
r0LmoPVVyjsTdIK2jCYTFe0/EDRS2ZFkbU+fguWHowJDNpSgxQGGLp+cB0fm
pCkhjryVQoamVZYUXdMhuO1kaKilLvvR7X1MgHjmVLFn++Tg6OTZ4Zf4dBth
KeS1laimSG13Tpi/A3COq4MVw9TEQfRObVHbe54fvkbolKX8PSgDEuyhwE3z
p/XeSYE3z39C7fKLvjeLFTWeMsDX1KCI0vlySboDoqqxvwotUQxke9LkPPCr
jxbMKwctmniqI0EsdurzLhTR65/T9pSkX+tI7YbwXqrUCuvgziGdylqxDe61
GIwTeTRk3aFMlgvGkFbM6bS4rBkgKCBnoluPJXdy1O22d93geXR0Z7ORF6sN
K24SNLHd5mapmGIwFqXDa2i/1pwFUDPVaY70gcpUGY6W988GiSMKUe/ULCPm
IiW6Fg3oSmfG7ClRmgANY5RUoMeH7xjt7FWJ2lXkTnfzJisb/n5qeUE6btRU
Vh7NYEk1g7Xdig4ZYbiaGMVbrGc7Xk/dxzss52gYpHn2EvrtycyEQ1MfQrpt
x08HP1ttavsUvNEuolGTXQKRw6kgnZ+w7V4NjwUtX7LLNDrt82jhcFJQSXsc
VoK/8mtYOY3egYcyO5sRZiMvVw2alRSmps9GUw66Origd5Jpo42OZ3MAnzeg
Va4JGhvTw+mzo7ttaJW+1W/JYIE7S0kIuyW8iqZ1QIBjvQqY6aA0ucdHBgp+
20HB+watw4PjTdwWLnM1l3/7mc4lqe0s/LdPqNAHXYQ6/LHWe4OwxyXn/3Pc
SLmwGyajw3mW5iAVXGyAkUddnIb35W3XVug+zakXcyCD8mpUrI50ju5lYpoh
FUwqadE9/rLvphuTOljjmEiO5WsD/es/pNuPt5yL5qL3c/Vw9SxAV4fPg44G
wQH1jlwmBb3bauxWVoyGO3rRpBsxf6tVc3oAL61VO6At2EPDbeiLY4Xa6xuH
NVROK4Vvu7N7VnJTJS/4eaECZXRihGJSolkzPw0yhfQxhP7s1rabYdaQwJaY
69iUs/2gjntaAyHTcQG/RylzPgI/NWfgIS6DM/HQH/zSxDj0ZmdNbeyNyIq1
1CebIcQbcPOsP/ygM/id0cKImtKcyHe9NvG1B9An05NzcdGAZ4AlWt7Uf/2a
TtcT9nhwuSZ+ok3SSVf4w+pQn26mmBcFPaqO7Vs+/M2JFl1CibXFrhblnCNi
SrFNW0qK0t/ucOmc3mkx+/rs3BklbRFd9907aypuqMLROh9jLmB71s6ArboQ
+sWyojZVkOa2e+AfMrGYQOD61UaHsZeduDvKGWR+5cQYvbFsMoi6uhNLvb16
EBxqGFLBB6guVQbRnAwn3EGSFs5OscDcQDgrDtFXOqGCe+63AgyeVO6gQ26c
9v7XolcVheSDNOY0Y98Q/jp++vihoq+S85WByy0nC9NupUOEai+LqdYIoBPF
6Nh86mQqzWM2U/PY6bniujtSq+dmZWx2AWbtey+UhuvyOq/3NO2Yps3J3fEe
EBmPz5R5MA4kZ2k/7EcsLCIvdTaC2qHSD0l+/bTDH5Pe6Sc2M8GRHYEREIxQ
OkGeax3KY5OsH7zHDx7RZwo/OacXGrkKE8158eXIv7J2CNW4VdTrBQWQvnLv
nvI2Iv6890PzI31yhJ8q2sv8ddpwXO30B08HKi5o2+rHU7X4OuytTx/SkVu9
latIaK2pcDeX4CP+HtNUeM0xu5R/MRtR9mYyD/cH70cd8lB/ous+6MFCVUNn
m309SFPV08tsPnDPWzGP8XKp9KC2p7vZTwTAhKhu+DwLG5qWcb06smjlo3OS
ZJesRraetnHJn4f2EiZDc3DYkHA7JEWvURfcnQyVXmWZSKy40mRqdBMtsQ5L
LH2pFeSOZzHn//7v/7Z2nR3eNLztkKuuuQe/3jcRSev3u9bv9364+NH684j+
dFR8hZtSwqOo4/Tbz/yd2ql46AD3dfKl6E+HPu9MSAruwY5QnYiD7ybuXykq
u5UH+0C0G3q+e5i8MDz4cDb0g8kPCvD52v0Dz2YT6j++ozfuXvArW/7qXXpP
eLu//I6/9Hd/+Vf+Mtj95Sbgb8M934Y8i07DP+styVdcckPljFDWyt0LQCAY
h3/8g6bwj3+MvhZe9zUmsf2133/t7/g66L8Odnwd9l+H5utb98yob/EceIaD
+MyOaRExWl6OKd74AziPXWmKObg/UBmyH4lZFVw6l/OVFYPczRCsZNqhqp2Y
k4pi4SxVWvUgJL8jw7o7pWKlWreNTpG4ZiTo3JRz/Y5C9i6CZb74zvr9r3tF
DILY5woYmKH285X4vVGsbr9JSAgLHJ08wxM6AYD4YtiTeuj9uVl30T2j/9bt
6qDowbAPlqTveNx9HFkHWBsyClxx4eDiUBW1udfsniIZxEN+4mjPE0fdE6Uh
4tZMx5MZzIR+qq8b/fHWO/ea7g0MdMcDR/0DR9YDt7p1ZaF04bXskMvtYav5
EPXwwh9cRgV/VArzr7TtYrSnFlWlpJWo/uXcHNEeoapxdLM/8q09yu6ExemA
e9QWYC/T/PKyrikJlA9w91hNZXGUGq097zDgfrCmnnkTVBsGklRa1nsDN6cD
bq4F3NQENHpSeIqx9gif8Hnspd7GEI7JhFsu+QCEel3v8NLEjZ8Pnjfxy44S
KpCpI0/OGaNRGyeY/MBxDE3X49EIY7kYQyWHthblSx1d0NENrJ/xgdRZgB0J
1f2ysIP9ZrjyPhhlhEwsxdoRUYVPqpthi8U4Bz1imah2WafsRy4HFr4hO2kg
rjaGBuI6BrkcHLSEXWhT+oCs5N3DQ4Nj1FffdV/99fDwd1Tz6VCNfLXiOhP3
3hrdGG6itbLe/sotDy0F2vFch3b6w0u8dbjFQxz5V0KrldSb5eTXBDMO/qfi
i7/+Djk+KuSgT/9qPj1Sn/7114M9+nzO1591rfbpdzrqxdl3qhGdjaaGQymu
0hqmzrlu+6x0ijuobLI95+3pTHKrM8eVI9LKvh0K6s11ruUFbaWccdLvvhKI
xaVJQ3PbeXN2TlXXiJScl6vdnB2FZ9QuGZNVf6J3yDi4aQU1Kf5+jnYBgF7K
+SBqqFsfREUIKnH8ic9m68DsTFNXl++iryZdrbOdta14y4b1j3uqsRVVc2tf
nEwUyjg8nTiqRtppozKo9bZql/JqfDv+euKe4t3uob6Il1VQUQXUVG/dk0/6
Ko2gBIfZ6eO9NQqZOZ1hmbSuzT0VG9Vmj8as1m6S2+0TWPZC6SFu/0BRwn3L
fyrPmGhIgjv98H+EwOhM9ET9kJWxOl+p0hF6fI5z47CG7978rD3sf9luV+dd
bw3E1PFQ/DPs8E3DG7f5pgH+yaIPnu2ZVyfXH2h+1JQbN6/U4uvb7md1Q6W9
1rWqGvvVrWGpF9rno4Irt37uZOu5JVy9JHQJn5xaM6zb5u6q0OloSbGqyw3E
fOY+g4Irzxvog+G55Imq2tjvVilhGFdZFbv3Ebux0JG8rk6dqQNpdjg7RcEh
5NPB8p4O8n86r4Tao2b6vR0Tth2qAque3+kKJCAFMyrr15GvG5YpY9edRWEh
1nuVpsih2l0cdOfYxS8Hp2l0E++sB+DIQLJtLqQPtMAY7ux1gHr8f6QiGMuU
dvF2awNQYfKmvt5qwDdNb8+IPrEu2T2v4agVAbQPPNA9L23l83y39tHV7zoN
o9ohnUQOUY92VBWBqh3pqd3FRWnrX4t52Z1x0PrLVOgVw+KUpwRYdDq/lV7Q
l8fc7DtSQ9LGL01GQ7gBkji7IcmEYdMhn+F8e4nVb+2Q2JGs6gc/rcRSSEyK
F7L6BmppIL2qe601Pr0gv5MMj+bw7uKsKPsblV+1YatWp1+9oTCvbGE+flth
tkSMZPr+oA6mLpbQ6sRJ7WJRwvrlyl2dU5q+2uKnE6P0DX82cUZ+Xeea8dP4
e6H+HG378r0EzdmlTmLWWXiOycIzvet+txNzS/t1HYMetfn6s+FDesIa4O9z
+0ZVFBUNKWFiyhmPKr6LhXbP5StRybK5EHMqmPAP9zvSgP2/f7jP+dl/OP+4
/dXwn/kAX7He5PUzb3mvPM91zVfP++/4K7//6nj0VUBfEYNsRDFln9QwyCMz
H10ja2vWM2KHO5Zinuwukqrqbo+qnpPn1ycTThzasOMiLcojtg8t0+tj2i6G
J1O779cTZ+SC91/dkEw7OOtBxzvnjj0CneigDJqpNzYcY9eLOW4rOD2IjgOq
oZRryXmDzi2TNKTGfmtnLYSOhl1sfbuswu2t0CFH7Life3Y05EC5A/0YOZCl
4zDsUjz3VXhORYnU4z6HiG6pL/p3VcQGckPGoU+yYYroXmG0Nnyk0Yh1553s
0A8TG9GbvQbyD2qI/vnEZMBTbWhK8HMP2DPR6JxT/sn/5wIZV0v3igo8WIlb
KprDzgReVmkvKuWE9i36TETj33TbNvp4tOVNjM6p7gvcuo8h9oOQrN44xrCt
mCxG/3b5FXogB7xmaGN3psRKfzE8zKW9fL3SBkP0wWqdcgOijWgmO5LxjlMj
1AmtcREyK3+mp9Pp4Hz56VgHq9S2Kd6eUvukhQeZN7znP0inVtk4lGGkbrXQ
9c6ouRU7R1TNyKEDhfYFEjtZjc9O7oZ4nXwa8TTlqk2Yx7Rr2bFx3MekYJ7B
Sug7A4TzBn2hz/apTifdKf1TEksF/rRUwRVVpe6H1Onz2Lmqgkp3NCeTTMVx
4Q6VDsNrlZA9l5TgxOt9ITZSFVo1+WN8XYHWe2w4jEo31fX7YvBd1TJWfGtp
dgx19G+3smJF0c/0wNLjxK7M84PALm3L7VFwKsBqKbme87doeTBoVPXlDEdk
MPpQaX6kwajGdw7msBfP55+M5M8/Es2f3zDP5+9K9ec7ya6cjY86qBuor12b
bgmOP9kSHH+kJTi+YbbH77oExx9pCd44qLdcAkoRGRwNHKOO15+N7ckNBxlu
LKLZJ5GMDNjMebTp0ktVCjVv7T5udYkIK0NCp1kPKk5wyII3X6SjwYzOde+P
shofSZ9WdA9Wy7ZtCqo8Tkkphya2obS3gjFdJSAeyejYM2Mqynk1xbDUtSLd
6anK5PDqFLvBRpkqvtHXmaKwK+jYnC2GBUtPiRY6v5fHRwZqcPTHbN8MslFM
XrEqDGVFnyE/5bWpEKH9ZDtCqqDfoV1scfSiHtFBl/NnBmb8BBPhPbxp313X
B6K2fnjc/jjaJVe3tX4Ivrtx153PtdHlajYT8odKTgef8w6xjgmRfCphUO1+
Ndoxpr1fftDs/vJE9GWckjJwvQ5h0m9YpLlUf+MDtfXd1N3j/+IGcWwullPn
83YMmb40oHWwk2yPtBuibpt8j5viNzqrYFjHaCu7wGy0m9mZ3/7o+u8FmMnn
eaLAn7V3rCMVvYdjhzn2QE25OKOEcq4oZm3wdjDSGUiOBS/NFuQeDTfaOe+D
Izvdcmqm8zn5CXtbd+hy2nXL1qYeDbu1XKGDK/887Gos6JOND9+m5o9d7Wfq
jgyBGAjKG4oAUw05Bf87rMvQnw4hacO8Owg0ZQ7lemy04MIINH1ixLk7Jtwf
TdkqeQ8VxeeduHXtO+ysWzZMRRh4P52C7pdrvP2/o006hsWnly6almsfm3G3
Vp1shVEsC7AZlEVUuQm6AtngHMj4PdHdStMXRjQnQ6zHdK8zpz+0q4nXmogK
O3Z0XpdUmLYKXOWE2reLsHA1TlEs1xtnwOSkd1Si6On4aPApN3zJRSsHJOa2
ynNZvtBbBcxcZqH1wPQenz6KS31eNbDffJWSTsjUJ1hHB7i1cKr2Gzp8uKj4
EkL2DCubFM6wzxvCU+N0DF34xypjyqWLR8eYO8kf1EBmTMWo1tZiq3X9s+Xm
dQQu5Bmdd+6iUJr3ujr9zaY1+x520UpHb9SqrVkriKJCJxa02M5TpWUzUT7n
9JG6YoI1gF5XrsOvpEuu6Tz2oHYgHTTXAGi4Qk63Qkf6lKeeFQ1AsYq+S87i
PMu7xk+SrS8dtUzqNgCW4L1Awq7upwa5CzgwMS3oMNo52RslMkhhi0QKKNib
rrfNVs/u6BE/1G/XGlOtipXobVs2/sMHhwlzCgsoJLA9pPGWBbpRA/rDoFEr
QWzn1pQyxff0+T+ObrinhWKy+bJUUWilGQmVDl8+7ZBxf3FsX6Vv5ny/4hqq
kPwVRWL0+RGuFdq2241ZUcN9GQiWQLwp2XMnihyzwo5Ez63UlH7xb8x4oeXa
kSpDpvAP25t3ek22OuPlODEnbaRObdLY/XT8OC+AObyp9xSItuzTPJW0fDps
pVu8ENcd/XWlq04HaaGnMi7WkWdn71oQWOEzkeN1NLp+otUqzVTFyBxVqqLX
foPLC3dMr9sosFmJHZOtZycdIcwEm257eS4V8nOeDO8bsg5AmN3Ddw9Q71FM
e9XRNoNZXKhdJbXgPzw+//HmoPbb5j8Rcz628LkpbcPPH4JBdyRkXS62NMyO
FNzHvMNLR6iNl2R7R6TpevdI+SYjR6R/fNxh9+bWSLYa6aus9rLFucrdwHQA
5A5kTuELhY74Osw+jG17xyavUI2bLKntQ9Al1ar6hqW3eoB/ui0wb62s3mDl
3oFF3mDRhvqst2z/FPO1V1cOzBe6gW/0Bh7cTvf7WCw56Lx/bTCk92dGQo7P
x9DxpYUdn783eOx5krL1nC3caHIKubOfZ+4QAdg2ZwgGnPfEAu4ACzhvxAKW
xy4sMzm4rohOTDkqgWWnCO4xXO8MGlYfDCHe4Rj4nmS6D0Mbww/obNUPw49+
ZMb94gs+w9ZXVODIzrgbfn384Y97Xjb5RcPT7TythzOrJuEbUgZHE9i2cK0V
ZtqXV8Qyp8NKdmgGfjDVkesLHGzVQqAa5ws5pfL8Dp/yo0q7XMFblTNXJ/90
hSTD2xQOoLN9KrW9xxxURlJDL+NCtTo4qFJolQNujjRuHw/UCRamfI4WuJZD
uGzJdgCpvmbEKZokV32QHTuC6pZy0RIqddPanR/hKq2orMqLjgXmd0CrTwuo
9grrWKb3HYF8DxOrzkFaxvX90tFuyCO9/YsKcjM86rlDeLeEdFuat0Zg5kbg
gYtq2ahhQNLf8avCr2y3R6ZtoLsGJ7ltzeVqzWVMPRCto88wd66guVpjo+7B
GJxg7k8cUJp/tfPosmPpJp6SCh98Ssy9A2mPw+Ea5OgT8mPAtbIA1/GHAy6n
RyCqLpastsJ2XBNenYvbyNVwW4Ovd29IlwunyxWtl0rzmq2+voyRncrtnvaZ
qqe6DBpn3cwpEWV8ochHjxoOzobtiR464/guxzmvJF0p0/Yt2XfeckMTUkAU
KaY9Z96bEBS6pv3HZcNV/Ru+ZomymsyuUG9yqYI25jOKVOrsJx2rdN4mVul+
UKxyx77naIPznYOZ/Rf90n+MCKedmE46uaYG8QIY8Sv3Fv289ead0Ivtbcq+
HQJsz3ZsGV7wmX47X/6Z+0dtr6kWrfXNuzicv3jA9mNFbO109F3R2953azvn
jdGfrRu0N3djZNd5W2/uzZFdNPZW3pz7T/DmtgToxlyED3XpLIkjwDIWthtP
XPRpCJ9G+ozD+Ef3QsuWlZnQsbE17J0u5xiSbQ63PdCxRI9lnqXrg+DpBwHj
3U7qZstF7eew31PdAXFHY7PrXfw/5KqOBXizbs74DohTm8lO+ws57GOn+vIl
qBExp3LNGhBaldjV+Ve9SW5gUndWVF0so9Hlmu/6cq7p4gpOjDeblePql7zz
zDezLcvyUh/b0JljxhEegRwbzHZ1AojI+noOx2xS6IsjVJ1HdKPgVHu+vJzT
foOdEkJ4eYjArXuqvqZawBPHakPfRkHLcrbQycfW23wJwmouSnXH47BY268l
nnD8W4kn2EbgRnhnw7NfKNJw84m+fSfedkUa/3mq+eawg6WQdyjebR29FUb8
HxR92IIAv/1QhWOFKtwPClU4N9umjxqqcHSown3HUMW7ZTS8nXv5sfcNJzuA
7I5dRAu6/nM8q18HQH57fPyr2uN8F8XxiTdE3Xv2BZCvPxvk7tHFFPaZrwOO
lY2Op37O333eVbs2t4cddjioywq+WtOtLTbUVCWou7s3xm8wyKEi1gyf+KDZ
4Firhd5eAlNybXZz4e7OzGVd9JKOtzEnmAT84VWcdMrX4GCDCrtM49mYKt2d
KoOXu6pV28deadJvuG1UKQb5imqVDbKOuwtQTNLxpAuWYqm3rxazjkVs5//w
SvLVFl2mpb4piI4wU3vqEjda9f7KUEufTAb3YJm8NesuG8cdz5qvZMTHg1bY
69p/xRcthJ0lTXnnJaZS0a2paKsLF6/pimnMu9JL8A6XWYUzX90aRtcYDmfV
E8aignU3oFqyUdUOFjztsJkHe+w9vlNyuC66lj5f9PfBN8E+PtfnZ+ZLSlIb
Hi7qLoPg6fC5cXOMfHAzLFO4vVytlmtaAHXlD6cmDMbQcpVY5peu5dHNQvbF
Q+Pc3olTQ3m0+uDpOB0YnHPJ50KNhlEwRS3JtR2Vt4dORfQW6tKIrhrThkpp
X0i50UzTpyErjuE3p/bnHHl+sGvIO+r2KVbozmZrlNLJoDpb3pNslD+vVBpr
PXirepU0phmsyYbiC5zOfzwN4kTl/gHGQd9vlkEczxx99TDxjABdrtvG5GOv
5ZzjgXRFzKXKuFfHQwCjDuxGICBf35nGfnCoOcfWfHw/pP00env66OTZ0/vP
nj2xChM87O6C1I113xBjO3YRG2nd43Au91UowDhu2f1O0S6avcVXPnJvt8fj
+l/dwL4a6oNBO5UsRR3RpVKQX+v2SHUbnRv8nyAOgE6CNI2C0E/xL0yDMKb/
ZLGfh2mae1kWJlEW5aF7oDYvLJJw3ZvB9ZJ3RkfXrIdn/PDgHsk3Pm2DPTz/
PTQCSehPm+VP9kQZL7zpnkMl9XxWiZ+/ZTW+oxiqUv+nMFr4+ZM+9HEKoDT6
6KdXF9UpN6iYWvOEPX7rJkFTPvFy0dDpgZ9Yl5nU5bfsTDmm+tCV3cPeWQy1
aBJNVAGlFejHbY2Hw4WlMYlpoW6fYXXfUIXqzWYup7BIDZ2OJHYySbqmdBu3
Z165gP80X2pUMNPsd6pIc/MdifY1ui93XJmofRm6Jw+d7O5hfI3jI6O61dVc
VmKxq+dPtfjUiVDdvtZxXG+WZ/afdHPL6cOuJ7q+5T9/nGHstYqNvX6tWtC3
AWm1MbIaZ5cNG3tNiV13PNqD7T3Az+8vyKn73LpZgU64GqsfzcJZQESyFcTP
P3/pPpbglVAz5d7rHvf0eSTf1Ke/3eeMyTWsRjPcJdamUFpHTvvr6Azgsy6M
VPu/zF5bZ3wemYKtfM6n1WeYxjcRrjWDgXfZa3jeGWN1eSHHP0drYl3SOOIf
JVTdAbShbISBqjQkab0YAai6VGwxFW8py9CBvc1y5apyRoW5YhjsREFpLF+7
e/kGtzuOhifUZY88vKVFCtkfqFOno3lcu0evjzfvuACSt/cHV3uaWLlybs3x
vL4zW5T2itEoo8CcSFayN6LQ0u6dD5HpW9vMhba3jS7+klDjV9B7FiowppER
wTf3CXLsxQTm2bfBA6qpj4EITK9TbhWNDvCANSZb7PbY+ShKiMRh5mdekmRe
nuWx78PMB56XhlmSRrD3cRQkWeaFYZLkQYSPssBPs4QejuIojb0wy+JPbfF/
K0r7BmRiluaXRSXLeoRKFGd+KlyC7n7HJW+HSz6evY9vtPdmsT+uvY9/t/c7
7H2cvJ2917Z8x9J8KltuRvbPtuW2EVaqZ5cZZl9feeU3WWAVEnj9+jEY7h5f
pbzXH/9I1vcY7ZDlHdtdNRK4wuUKv6z9w9Godhpg71Wt/3n6Xz36V5QyqYWo
ROqnucyiOizyUpRBXSYhHFx/9ka7aw/iLQzv9uP/Aywv21QT3aNFpVX86d+/
O7qtOeOnk5O/fP/T0yf/+dPbGWdOLHtb27zbtNrj4xCoEtU3dW3Z7m8hNARU
d8UC1GT17N7ZAPPz6rZvNomXLd0QLeYqM+jXbhwpErmmXBAqC6LuWZ8yS0+P
KaeXiPmk3MjNtLvdxjWlClW8XevT169P7t/zyWxqPzl8B7v5Bu0chqqmhyKA
rnq0WfJYhFWoZPe07OHTdHZN88YpKY7QW80LdyXXJLct1xFsumLCVKzLLlQx
vKil7Qx/Mgtg/CNj28DC39z/jzsPn96//939x8++OnryaOZ7s8QLsi9IvcxO
jmeZ503j5M46pEOCuoS+jqSz6VaTVnCAGy2XPAuhS2QNUQLnaqvivtYGULlR
GmfSAwv1IGdfdWZY75AoYoyfe0MREW7knw46ep54QIpjqrlwzNgk2CRpjZ7s
Hub+pEEEEzLgAWg2V8Mf8/BgKkYXqjG+AZxoCG8DlI8BTixoQtSxoEmYRQqa
4JcboAm+fTtoQg9+DGiCdgia4McImlAHDE3wyztDk7f9V6ZJGFWZX0dhGlRV
HWe+8KoiiLLCE2kqZClLP0/AhWUc5Gn4O3R5P+iCNeygC/3+W4UuafAm6EJy
9jt0+TDowsglyj8econyaV+NzP0ds/x6MYvugVP2KOvhenZTHIbbfq9YzP9g
WBRlnwgWRdlvFhZBK2tYRNSxYFEc+G/Oo+DH3g4WfaQMimN0uCtzQo2EYRF+
eWtY5PnvCoy2/onYz5IszcKiDuo8SYq0LkvPj7I69XIRV15YFHGZF1mW52UE
5FQUSV2kvsz9MEsiL/8dOr0fdMI6d9AJ7PCbhU75G6M+mN3v0OljQKck/ZjQ
6fegz+8A6v8pAJV8og0tNPybBVDbmSc643d0SGFHfi4n5a/BgejazuhlrTou
4G1n2is+Ywo5UisOJQR8/aEwimOztPL71ZnJjr9PLYN3quXrgo469EevVDfm
SK8uRyJd06OjTHIrebtUy8/gtgeuHmA3eiBau/r1IenLHnCUlAy+UILa3TPA
nfS3WNv3aYNMXSq6TrSnhaeJERnoSoy5qpwtNJhxlmtRzqXRV6BxY4RbLK5H
JymogKhNJNjAduMW0gHTTJsLqh3Pd5IsQY9WCS/dysdF3h8ttmtKX0FBwHY6
u45cWIyrjpcUgqzEcnjI2ar1TNn6b8IZfHNfC77C8qlza9eq0PQQgzk8L1Hx
lV76hO4IpakzEpryfPtgpW/waE06tqycN55cICKQsbIoML7hWJ0u3rbPCq6N
9Y5FmcFddwQ0hcOmkA6Cr3dIz/D0Ah9vsN0OVfvc0IRP69lH7O0bO7S8D/Lc
+fXu3vrz5ZU+fWeZYj52tFDHWN52vrPx1X/1jr55OXUu/lqdeSTR6k7lON1K
qnvltQzpUzQq/37eXDQb48xZpxT0SQil6J4OHITB/TBD5I9FvVpCrle8FmJ+
tkT35xfqQIW5DYa9D+1zmBSeXjdUlAjeFPpMgjPS0Z2KdqdQ0K66LcG6DohK
Oj2V/6XhzokgwadrP0xdhL5nKxrG8Lu/cEYfw1I2jRhGH+g3poOqr5PG41yq
rZXTt3rry2M24EbOb2k2dPdYKWXVTsyhN1oiBTPMI2TG6JbcNWzqGR040iWX
lhsqTbQ18gnotmn40muHT9JXxCOmHzCsLmVA5sHI+VsN2SGbOpfihTsoi1+Y
+xMvF1gEVRR6KF4997bmxp0LDXkmJilFiaUSUbr+TmK25ZyOBzGRV8srPnrk
BBMiCZk5vh3InJ9bXjQGoZl1xqJtuooBdJEp1LKlFPb1vDJIUna16Q0/Fk5/
bfI/VoADwZ/ay9W/FH/6gn7QEUeQp2WLstDfHRRfBIfqez4zBstre+On6jwQ
rYPxw3c54d2xrZpKWl0syRBxgqyuV6ZF8bG64sgSRVXW4/6rzVqYh+7itbdi
fXJOS9nMDw4OQvcP6tf58iw46MQN/9wv6HjnF252eOpYctKl+NFiCZuIX1r5
etu5ej3W6suCDyRC6ae3Oh4XW8EoizX5EpzexH97SjR0rQNNbDYtC/f6M7Fq
2v13XI0MIqtM63jURDtG7DS8AllIkTJ9alHSxAbn/yZ0ghLvgmyqUseGrlFR
pRmsa08Uku0AbH/3BNFqVKDOXD3DSludBP6W9fvgjg6N0bh/7aRi3QYnyNG8
fXhcHQ2cdGnZ7QXUn1w7Fvf7iWL9qa8P9FEeJyeCztzBETIWKY2B+dQf53wy
aDT3UI5u+HKGJwmNQmYfa9gA64+6eSWrqTliyOPnPmvKMid+V8jfsSdI87Xn
r9+GvluQHu3z2NvlhbzpnGOLwb40oQLdCmgMi1aa6cuLVs5fEjkLpU1pGrxK
quhBvYEZ5/I8rlzQsV6CJeTEcBUXuhYGjOXat3PyqVD5ioyd7JLvaFxKGHko
1AFJQfB/Er1CikvuGz59ZPgU9nPAp4zI7TujjTirp8d3dPZATVcV6ummVsk5
6HOF2TGgiQ09EPtanZn7NQwCn47ecW8pY2wp0N5KKTm+UGZ/a2rgi/4iC67n
w0eZCa/rSelBmzbNncg7iwEq88i1kfRNQpqwLNNbCkbXCnScE6KIff1h253f
rbaOq7vMVTWBDrKCamDqSOtg7ftiOHz8dVxkyfaUyUcwkY3uOh72s3k5pS6F
2G6fdGXgPtRd9iV9g6uWm25WpQYBgkS2PxZON+Q2lmaY02KauySkKjKxhfKm
pliIKhKli+A0jBCMRsSCcI0Qo/RqPpv+JThZlVQ3d6GvTDnQ6Y5Ljm7rvQ2D
1UFrDYLH8RxdNepL4y2Mblrn5ncFemjwvauAQVvGWWu1fuRDP1O5UPp2ZoUQ
96+K4ajBanxJDouSrQ2dOua6Vrw2zkKezZsz5jYQsxBFw97qQO38hW9rYvt+
4fJIuP6nxmELiANv3OwoF3pbLROzp2Ywu4Zpo14wBwo0m37Z1W7dsXSDqmF0
GF0XAxoUaeHQpWqaik1g9HvC3Yf715G0oSLrXKlCTeotkaVVoRNPChXx/scQ
iS/p9q5nRHdz7xXVm3l1LuDW0VhM/SN1bUvX0dYVxe5Fc3YOKkHDz5yBOhgr
TPXg+nJBlFUq62K5vrYRmBgBeh2HdPpSuQqWPFIXUTzoYhkqsGpqf1OLx0Pt
VjV1LXXcTcdYB084omIjaOMeqtwGvtJXog0v7DXBvZkZkuIjZXW6wmp9dQ1V
Vmzr6lAqrjtwfOmaZx0cUePT1wI6d/TfrLsYZQwx2iC0Q1YFGAfMRrzAwISH
b5kz9jv4zjNFGqp10Zq4pAVjOy+ey32s9FIKuva66C4X1FQx12ftOlbP15z1
fj1j3PEEqMLRoqtSwi6U5KpKHJLb4O+xweeiCnjz6f17T7777v7jo/tHTn/k
b9B+YcXvQDy1xUdmkC/DQ7vn4E+5nqpoxVbJDbq3UbxcQnjL9bJtrWvBNxtB
kXardACXoBlbR/OCvpFeVckbRBS1JC3a7oZvnqo9Cd4OZ8ftb5fcpgQrTGs6
x2hOi5jaBm/lu/jeLNILVF+uWYv3dQ9o76MfILk0W3VIujuRHo2EXa+T4lm6
6YlDQ6yCSNdARQ+cF95ZXIOap6qiYYOeBc31SoXGiFZq7574nLkfQ2azc0Wl
j6hN0Ka+nBvpsVrvKlxzm5PxlpBZyJslqFMB43qOSnMMlok9vUd3Ht8Z+2yv
P4OYCOPiWfiKrQG/IUzpCzRxYmRvC8hBKrccRR0gbYcB7JHADDbm9iIkp5eO
9vIMqFJjaopXrCH702Vdm4D2mujfQbdRzHeMzzt9PDZYw+O66PYaTbwasJFj
dG/TdjprY3oWnWroLMDzEb7la4ObTtMPq5UP9b72jfi+mr0Rab6ZTBmnbqGO
14SOWW29/mzV/fGzqWbZ7yqYx8jELkYXMyodPwjUU6XaBwcvJu6rQ0dvgGKE
S1NvlIJnlVhXLiv5E7OkYGMGrMdcwk0FYAgZ3WbV1IVkWh2ppLbQxQMOT1mv
mAiWskWOa4/G5bi9hovuK4VyKIyK9i6b9pxhMS9SH23q+sOLaK3b4ly4Dz5v
VcBVQR2FK6+Wa4pbGvKrlSObyhdR09KvGtLAGrG+6rjR0QoL01IsYQqXtfgb
49YzOCB6ky0bXICtpj6/dni0EJgXh5xDtLBI0ceLSQINRXaRwOkkZNebvIam
Q7NB1VcvMsf6+fokPSdGTZpSSs/wDozyidtzVVZLSeigeu1wXbUQc6TTMbd7
NxjDAl4mx1l4/Q6aGRD3FYX6F6RquwLa7kJejYr0PlBTZTSpaGA9ABLeIQB7
CRXUhx2tmc7pogNn2DvPn6yz7Qzoilocs7Wn1LVF+xNOIUcz4fhNs9A3iw4W
iZtln+H7RecYcgyNMy/UReS3XSXIXNOx2+FF42sWA4rvnClk5OikAetCQ/cV
lQaVekUvFxzhkZVdW3YH3xO7M8aQyjsymQVSv6fyGihsrVeHQn0vWU6und0R
dDWoz/uKu0Z6zdLBE1mW/eW/KsKvKxE791u+LFmh7gF1FENJo9+UdOo5N3YF
YkWx1rlxMCZyo3MszCYlbUVN7LbUtB1olBesiqwNudEVi1j9V3pXthsiGJ+r
cinwCUt8Sd7WC+Nzvn599PDk2XM/Y/frrrxe0masvag8dy4z2dsfQ63J9pyJ
YSwusVRCZ6wND0/wrOYyi5V2MZvecKNuPh/UUXZf6Opcu7yjLbM8GWxH9ObR
GVsuZVb6wIcSCz1A3hnk0FZXR1m+QgMWO1moi1KBGlW0lPeO2hYobs7+Bjrq
EYEmUtNpH0pCcFyTwWM221vek9QiRq4kZffsKIh9Tnl06iZjNKLrYtOdjNea
TBSV5V9UCBEM1NaNXonPX3Yz/3zLql93rgwVWLMfZSBqIhiKNcAMmirmucau
+6j0s337AUVHGxVtpk9pKgXXEFeot9xQ8l1H3Z7uRJXW6YtFLmyWUn3bCUi6
N0KmXLXP9KXD110HJv1HFXPDyPSZ+tEl8xMyHuQG9GUy1QwIlHfvqVhFn9Nm
V8Pd8thVU+faO+9LSe5m1WOdr7ZE2y+b5WWrYJDFtdaV6zoDwzUWQ2e9aV5h
5ljsU1vjzZOZe5ec2e1OiEO0jdgGn21z0ZD+0qs8wrQdmLfVC9rapWBu0vda
LWjJGisfp8v7G2ieXe3v0jydk2+koqDIvmyNn8YJA5V9Bw7x1wX8ozMd7uzi
zC5vhwplLjD3zjB1/eLVwU7JatdyK53EjiFEYRBlMTyFMXIZ/IW+j6cjPini
kUOhNob14jl6r8coms5YnrDbsd0Tb5BYfox2eHhT6wY3ZuIQFJtYCFzXN1as
sBoB/YFO0oHD5u+y+sRegR7T0DdYiWbdugfdl2/hKZBmtnyFfZ6C7YHdscJU
rz8bRqLIfkNLsDLS7rJi78GWmu06c3RrbCYdnRBoPqdtKQ79UNxUc4DB0tej
xq0omgpUUQFOvQ1FUTW90T5afWtSypPcoxD2+9cc5e2yvV6//vM33/gRQRqy
SFauQg8TBqEpihMMVVLXxOBBp/NVeoVsLbGOt2jfF0zoa7PdDbOD1OryLBWH
6g9nsN3rhIbTDXsRUrlZZZ/3a8jyJWeqb/Wli7a26rIQth1LpT66wu49dlQb
xOfQHnJhFXpv5j3W6SNlDmVcWeXdl8V/DSCKXBCzm+RZcpVayjABhSil1Yxm
I8tzDvSNQOizXYIuur0Mg8V5p3OAKg4HMRL63uG1PrTCQ43FHUOm4RcXcvod
gY2HYqULPQkNEY+wDo10v5bz+QWBx45lXVP+t7Sf52QrvFFSWXosarucvxxm
ZXe7AFtZdTO1KaxHOdHb2FZQhcZNJW2lSlag1TDMoXzZCX8Gq0EkcXqm73E7
Ec/EBcyKMHBS8BgqYs35jhS4MxrDMZrGqrldD7B3J6iDWwGHktoAN5p0V2UY
O3Y00AHWjox3Ny77NsEtXXG8Q5y3+myH6zx4usOyIeWpnhx9/YgzTBcEn1+/
fnbv6cmzvwQ6NVpu6Q0lvCUfCXG6Fij/g81nH60HSZozlVC9XHVMYrBXRwMV
C7QFkyI8C33lz2SvTLq7ZdL5ODI5tqUjx3gyFESdY7MbpNQ70AJg8mB9xtK1
JZsnmzXtdCuhnBqhfGRy8N0DWoRDx2pHG7V+OT9AZJ1tkXWfXYuzxqW4/3w2
7IeiVWoaXXX6/XrG3atnHINWh4QgdrWmabLClBX72/ToW/fgCFhgTW7qt8uz
Q7tFPTcxP5PFWsB8q9wOTvmesGhzgOJv7uLSlCwfZz2AVdZU2905ePae83Kv
tI9zLtaV0vX9d8o5Wxp5kLuwoxKsdof5n/SluAVtJlWMWpbr3eBYZyOrbe9D
pXNOaPzlePB3OF6lDmUaNKVywYDJdNIvhS0pnjuVsN/lMHz/Fnim6Z3Va7Xt
6mzl1XP9PsrE16kBljJo9bi/VgBTtuY6zbsPvajbeL93LpcLLyEJf8Y2xmz2
9dvrfIWVircd6FKih7YHPfCI7kKnTHWgSbdkZSlu79mMs8mHM4T6nS/PfgoO
/u3wi8ChzvWOtftvJhC3ny9pc0Bv5KooSBdk1Pmz5soYc3CgnAulnfTIJ322
99ZAdVV84fpBxvUVOwupdletLPq22/7QryiCWAcBuvRxaowyQ/9TT/mwq91q
np05JFxL3uBWPqO1XmwRVktAyt4u0waKueh1sB9p9h2l0281kGUicb7uGbVq
KPZESb+DNEN6EkzenHHmK+VSt2ZLeg1tLy9IswjmbqnW+0pcU07k7AzQhI7K
4sUpCwpnOSv3W6sSPlo5Wk0CA9eOco3VghimUwdqdsxN0aeTEH2+TO3sG/Si
Nqn7laCN7w6hm/0vNM+Zwrxhy1nTV1yn36RZcjiZbDilepLZIxPUbtgpMXFt
aLC5uFzQiDjSr9Li5KIll0o9pSSNhaUbEO3JmzjoBebj8L1Fru9526yxIxFU
7dwy71MEjc9BASVUjtEa9hacdfBPx9k3y7lK0auM/QBzCj5z0DM8XSHGwXn2
7MHCrhJU4kgra4HTQ9QWuZYgpd34IgNXOCo5YSQUhsmtqsIHbBDojIB1ymSr
+u/hxNEFfnY9btUEOpxwHFSdet/5bH9Q/lB54kdqf+qkTxJ4/Znas5r2iQM/
O8OrHU6+fvL9t0e9inZ3hlM4FqduqtC5CE7fJBZ4ce221y3d2aXMGsVYOtyo
jOL2fRKO5Z8OAvssaF02hm5AKUWlUHTf8Nkf6uPl23aG7zDStyDWtN3jvvvF
K0TVZ9AFdJBbihcE67uBLZaDQxJ8MoAzz6rL9SC7oYsE0xb/3LGCa8xoyt0m
LlY5SJxsTbla2+dJBodwHcoP2zZUVvMs8oS4+6zVUedOlz67sMdgJ7RvXS26
nV+q0uvLbg+Xs2/HmRZq+exc06vl+kWHuUltwnM+Jku3keLCef1af0YfGQ9H
XMJwrFut5jgMPW9eqAMkff+0w7CqL+eOPvlqlC9Zua8vz5buN2txVf79+sXM
vT9vpifnAs2538DbWGLpuhtZHCtJYS1fNvJKHwe8UOnF5J9JnZtASrWEpjsS
iwYm8y4aqtby7xPnGTqHb+reXYtqThcUnizhi7j35LyZuA/gtbxwj+SigVr6
8+UcX3xNifkT9ykFyL6GY0LvON+g9wU48Arv3DunKzOWpAdArc2G2QrDuguJ
+wtAjlwXgkAs0aabiSaIFSjnrB+9Cd5taXQpIY4znU75Rk9a2md0zOY5JAOk
33dVDx/Feame2b4xazvV2dlOQ9l1k80wN3qcCUsXnppNM3ND0M0D4dA3CZdR
KxNHpxb1e3PkY7Tqtim7NX1nLr2obslt6aBzTZD9XA6uxd56s8uf4kwxc2L1
XL4SdKX8hZg7o9q+Ul2z1HaBULs1zhzcui9wShfeYXVvqa0Vg0NstTpRR7P4
/j+7Q/VuvTSvmj0RugJ09xvwpgjR6bPVdb9hh2HSOWxNf26ZdYVuWt10rkvB
qL0PWDWlTg4OTye8jDoTG2pGn6BCiwSju4N6+tIo03Z35ZzdiXzrbtD6aXeh
Lfcjt/oxqm7U0/YV5uPeulsRD7mu+nB6b+qVNe6tLu+he09rYt0X69OhlqbT
VRQ/WLLXSdu8m6vlLsqay7+Yx3bQeGud0dR4K9sWuH7Y9hE4PQWzuaELiaxP
B5dQbc1gwnWwdw36bQY6HibRYDxQdStmJzBaRSiy7uF8617a08fnp92Jmme2
1mFDY+mIu+6/uL7bHxBqO/yiqiiwSRHOrcmtDirz9uewTVh7buKuFXfXy2eO
hWkNMDFCN9mSkEnHy3QQofuQ4tGGHFr1DK+BVhuEG16MiXu6enFyoaFAS78q
UE0KksJ4i0rv35EmZa4Zq3W9NbvVDjezGbK7niPYmB7vnz6dmCQDeCp8rKe7
5m64E6j0Mc2A9sEcjneu+2MvJJPMXfj/Ux3MB3LU6336jbwm3XhqAjYYoaMn
ig6v5Bz0sO52PeKm8dIx+jodFd9//XpZ192BAmDLHdeFWbtQ39HFr3wlJo3N
/coV4Qf8x8H/OXo2VM8xSuI0TKPASwr8lju0AFTTXhalFLGUYeoFYVkWeV0G
VeD5eZ1XdLNYIbM4zn0hsyQO6lrksvbqqMLjSegUntR3eNIsLODg+hNAFBKJ
ExIJX83L3FrqeY46E0JFNtCUkFUQiCCtYz/3K+mXfpXktaiKLM+rLEuCIs5k
EQWB5wW59MJEllHp106CQThDlqcmvVx4QiZZ6cciLOsk98I0SaLED71UxmVW
FEGdxzKVSRx70seknKAq81xG8Bq9sHS2ZIYIKEvQLRMSi+blNJ6gKvw0itM4
q+swzWWalkUS1fhZeEXgVFlZ5n4qhZcleZlKfSsv0TxI0zgvwyoPk6TGH3g0
8QIv8rMqT4oizMNCBKIuAq+uc6+qg7Au0tTLgsSJZFCHosj9MJZhATLlMd36
Vsmo8Ou8lpnw8jQM8yT18yLN/aDAiuFTkVZeEcsgKkrQbc+iBTctWize9J9P
uagVWpJ1lCRZ6tVx7cdBngR5nsWeAIEz+j2KhZ9Wfh0X6LOuPScK6zQpwtJL
QNmdi1pEZVHHIqp9SBxmkISlTEHqMq1Ac3BMVYQ11LNXVUEmI+n4aSlLKv/m
VV5QBnG/qHUk0qjMyzgPIqxACv7KEyGyMJW5lxa+8KK4CqPQS/BcXkHOQszd
r1OZOrFXFlEdCIwzFElRJzUkEuuH8USgUZKCI9A8yJnKSgYyTQLwclL5dCGQ
TMs6KFMn7BZVG8NfRJ/IpE5DTC0C8xWQiprKDIMbpJfWdRLIECxep34YxaVM
AiFDkRdg/sKLyrJyci93VqqhEpIog7JMCi+uIclYxDjKC5DXSyA8AvRIC3wv
ktqLaixznHpeHoZxlCbCqaJfoWLKElAm9MrSF34Q57KC0ICFRRCKskZvdRGF
sS/SPBQxsW3uFU4SBVVVRmFegL938jB4rAZzZSlGHCdBmCVZkuaRB2Wd+F5W
BXHgZ1lUCz/MyiqtHSijJMkFlKQfBQkUE0MwkrFK1nR9ZJDkgYzDuPJFHEJ5
UpnoEEwYx2UJiqdZJaGhwkLG6LrGEkEMnarykqSKwggj9is/hVz5fgo1Bv3q
1WUB3o3zOs6oyaomq5KKyIPxico6yqFcPa9ytrAkRhVgBWKZ5WDzGHKT+ZCj
Iqv8RMZ5KjH3ssig7lMseZBUeeZkvgBTQHbBMXXpWYoXq1Wia9/PJCQujyrw
aFxXiUgqaNucSVhjNKUfSR8Kt4iTREYBaFk5AgtTiajKoL2TPMx9yCrYUMq4
qDyikqijUESkmH0oDyyll0dZVUG2wTheFQZF6JS/PcVbljBmIow93wMb+VUm
oDPxv8wLIr9KI1imCkoUBkgkPn7AtDp+FIVlUNSEFXZb08QD64s4DcCgUSZK
QfUzwRMehp6kUZH40IxxAI83yoowqZ1U5D70SVBUqaiiJOuYNvJIw4gkgOnF
6kYxWfcYfxVl6IPwuR/H4K1CwK6W4JFY1DAS4JGgzJ2q9AQsZQzpKGovxPhh
kj0yp5gfrHgiZJCXeeyFUR5CPEgRF9DDUtQV7EaMZ4JPzbQZJBU2v0xrL4uh
a0nH5cRdwAtQjFkOCgYVvsvQNuAC+hIwOXHqCyep6sQL44RMmVfUmU9wA2Ov
oA+iFBBBRhkaSioY17KCCYUkZ7kn4xpSCoAEU1XsRQvhgGmDsSad/DP5dvKu
BB/R25GfQF1Pco90bCxFDviSB3FU4tGkkACJfhbDgkowZQHD72ce+N0HOisK
GC9RprDrSRx9GoU/KctYlAAfYGxoLOB/kYZlVhWRX2RANYDLAUl4lYQyBtdX
QLoO7G6RSvgJCXR6J30lPZ1DNaRxlQLngo+wRJEUWZSGANNRmuV03UAWg6tS
OBho2ovLAvDBcyA9YIIiDsO0pJXFQKQX5RGMTA1kE+RVWYOMaYARQCmkIaYL
LpFQ2EWGv6T0sp3SF/l5CQavYy8OyjgsscQhdDcUfgAwVYCDgN7YCsAKlZhc
CeFPoa4w7KKAbfg1mYzJBygALf/OBymAXv51COgXAZaQozIFmTHPMAPEEKWf
RMDi0g/9HH+HSRUDAhZ+UmVFHUG/R0AjIRYgz3wH8LMDlkkEp7ZGI3kK6ClL
D3gf2qNOQNw8kbWIIJM1lkP4eQoPUmLphQ+RSfPKSUL/PYHl9vzQWQIH8JNa
7wxYGwojJ2MNnJaDbFFQB5BoEXpxnlRFEoKwaQAbHsSQihpILoO4gGGgkXZD
Tl9ERZZ4VeYB//lwxCCb0FcpHMy6DrySfGMwLHRiWIC5aicG+8vAS7MIFj5L
o956+wIoM8ihjeFPkc2Fva6Luig8mGaoMOjcFDYY2B6iDye5gucEdV4lRer4
gIwyDKQvS/jJECUABTCAJyHsMimgNBIIUpEJ6J8grjKsbZBWWHPYV+j1GDRM
PrX1hn+SZZBvmWXQF4BPEYGkCKgF3CxrGIBAFuws5miXHMcCdiaDSYgdaJGk
CjNMJK+TzIs9oJeorqI4gxsI3QilAICdAGWXQU1P5XB4iwoYKIoCAU8WnOTs
Y9cPhZy/CDvDkwAa9fKqgumr/SyKYCth/AS8kjTxC/ARvGOyjXkSJzAzZeB4
oH0g8hxefFrtZOcMnJrDfYF5DiN4MzmwaF4H4BfYeg/OTIGBk2qPPC+E0nfK
CI9VIHVCnmnk9exchnkOgxfHdQ0By4IwKDHCLKtlnEHdZwJmHxwg6wogtIpE
RoYgKvG7dGA9fKguWIPSB64OvCAD5A0hIoWPNQ1rGFDgTcANwNAs9UKoMADk
LAgIfgOx5nvM4Udk57RMoGUL2DOgizRHw3Dh6jIQArYKWCHNQgwHFswLQqCb
BHKa1EDuZVxACYg4gINQYWl80MgLgxB+O1ROXHmFLEo8BfscFfA+gVNqQt5F
Bp1c02s5hd48J/10YPSfwNGfAqZ+sIqfREC00EcegJaXyMIvS4m3COaW9IEv
RQLnDlIHjJADWQTAxV7kQEQwLCzKbhfvg43ERAi/BmUAlKA1iZBh5gFnCrig
CdiwzKO6zAMISAaFCKr7ee1EMNABFH5J6rKXy7CugDMLCfEsiwoeEQAdnDuA
nxBDIe7N6zApSwHoAwjhlZhwmoL7CjQJHVAEWe0HZUgRPYBBeJGprGPANoHx
QsEkIbBWmZGvTAFFH4AQa+8lILYHRthtZj4iTP3lzczkA1SD1gzOB6mGTjNs
Z2H90pssMitAkjhMsShgHkwoCKIa9KjgXIL2qV8QE+exD9cxq+H8RRh1DpcT
GsQpgYuAWXw4Y3BGyiqhq9xq6H0pIAJgyApMBj9PwmpBZ8WV/0vFPpO4Bkmy
MAS7yDwER4ZJmPjwT6EBMN8KIuOBRh58JqwRHKMoL4TvB9taDZBbgnkjL4/h
9qD5guLh8FnquiohN0UK7UhGFcIKICfgHjnwyiB/vu/DkwnhsyfQE0VKXm0K
uAcKgVwhaVZylDxZYZwySuMsi+tktw6DbpORTDywCoRYBgQughSMX8Sk3eB5
YCkLyD18Ug+/O/RBKOCPQQhBlASzCyBbUL0SBA0hL9A2FYBF5ck6A/vXnlcU
8OwwZADeoJdoeC4QM4hRRYSEnEJKsAxxFuRQSkkcgTYZOATGpMQovTqEk11A
SwjPySV1CRJC8LxUksqHMwcQDdFMoQBqcE6CxavikmLykMY8C7MS35MOqXIa
6l5L+0vHKj8ik8EEZFlVxmUShuRElNCcuYANjj3oU/iUtBsY0a5FmsbwEmEQ
HQ9uCRgIXooHX6TEd1VKXnUNf7kGs4YSkgoPPICfWeWRJ2AmIZMwH2FR7DaU
6ABzxmSqOEhhEKs0jEToAwoSY0cV1gkaMIUOD5MY1ttPk0ykIgcnQn/4CVnQ
GHqftkIwPzJyZK89uD9QFaknKRQDzk2CuiIr2TOZCEQC6ck9D+a08OqkhiWD
so9yKaOYfCvacoPP5BUU8QWHpl7F+1SJE1WeHwfgoEpUmF8KkuVwyFPwGaxp
gZWKqwDwA6o9gOrCKuV+SPEc3wPXQx9inRz569i0AgjxwYEw5okIoTc8SXGc
MAplDoUCGoPnYIcT2gtPU6w7pM4DNve9qIZ+DjIycBD5CIsChgphttK8yMGu
foo1KKDKPQitAJd6eQhArWMROaG62M/KKIXihjDGAZlZ6RF0EmUsIyiOIIF1
j4g5wMoF0ElJMTIJMYe2h86raNMYWCEqoDND3xdZWubwESR0IBQg1ghcIHjP
O/7tG4YUSKQo4KlBagEIRArnyi98AbhZVhiRV5YgcArsQjvrwImidPwKEllj
aL4k8aTYawm5hRcZeFg5DLKOS/wJhicfMKgyuGzQnqUHRtgpsyVBPB+snWDx
MWkv8xKgs7rwILP4F+YBbWvF4LICbBM5cDDRV1EC+8IqlXRRGJa1hpJJM3gC
cCshK16aCkAwGVewWZCXHLA3pTtbk7SDsjVjP4gnrUMdhcAEFcxYkcdFmMUg
awyNU/oCKDElgFDAWkEVgVhl5FCgsgIkDFIYScJzMFGwBL4EzIb4hnBcyR7B
tY3hcMRYlqBOCMgWYOIIFjVPfAe6jzRJIaApI48SE3wvgfqACypDgpq19Ogd
WOY686E5qzDBECviDtoPBKCDHxfjEZ8iypkPGoA20CkgEhh5txNb4OEog3Nc
RV4Mq5zBUYeehHsOIYqLgpAR3Gf8Da6L4Sol4FBAJeBJz6sKMD+YNAWdC6wN
nAjhRfB6Ugp15nEIL6UoIngzAmQHzgJS7bWkDHiihLrIRygBvcDkkEb4GTVk
jVAc6BoCpsNRimvg58yvIIdx6EBdhJBlLDrQB5wyj0LgUDMhyXsMZSAkbWUL
OhEGyEpAEV2JENoCQhuEXp6VnyyG8ysS6ywLILJxHOZhTjspGQwzgF4MmyF9
uH0VVGScBn6MfxhbKKC9QS5ZQ+HFeZTCI0hrysCAnwvdFxRwI4k5qySpPCFC
GGasPAw1+AUtFsFusfa8PAUQophvJKVfRRCzwqsA6fw0BuPBgwqAx8FfGdSr
51AKEIabi7xMfPjXmLYPSwt7EQCchfBcYVXB2jWWGTYhhQ31Q5IXkpgg9Dux
htEFnBRQ5GEKB5Oi23GK7r2qzqE2wPEelFQcSEoUElgRuL8xyFzCDDsQVwHl
JeESlFUJfQ87D1iSBBTDD0MKX4egYwatByEr4V0HEB2oLC8PWOxTmTkVoA58
YUBVPAKLDqAaBvBEapBS5gCsEDdARoAjuJKC/BTQifYrwMzoR6aw604A1xNO
fC0BRQDfaZc09kVdk3f9axNrShqKA2A8CYxcZiA1/F8MHMtZxgKNgVbwxzHh
LKmyHAAAbhptlWUe1HkMThYw3JlXg1mgRSO46TDHmSRp5nAE+dhBVBF0zD3g
90IUtGsHtIVp5tFesf4VbKy+t2RPRgvqvHFF32JBnZtX9JfHCJOAHILQySma
BVJQXCUNMTOMEn4jkFsJZoNyStIyqyJYBBDFlzVAc0wZNRX+6xcU4o1iB2AS
niC+Kih+DT8gSwsBvy8BOs/9JKpTH57FrwOWTDJZOvgqz1Lo1BwA2S9jWMG0
lDCFHmVDQo7yPAxqP4KXEWEBEg+wlDIe6zyH1GVFUcSRk+DjCm4LuC8D5k1p
caFbPAAbIhnsZ+JneVD06Uo+HBP4xzUcD4w+g78CLz2tMyHytAB6Btqvci+g
PcLCzwj6QLuLqvQAsh0pCl9GVZDGYFcRQGvSTa/CxyJh5YHzJYUUgeexgmGa
UECRnBtYEQrul8BBsMshXGqohygDjALvCIwFn4ciTilMH8I9DIHggxg6g/Rl
4MNqSD8HjUJ60Pco2RQoLQ9qCrmC79IC7BqBKz1JMbmdKhPjAbmDhJxTcqfw
ggdv1IMthLKCMoYr4pEuj2lmtD4U+M1qojWeojSuvIbyKmGG8hwiXYHcQURK
goIEAoYGs4RV8D2MvA7CXxMSmnyA1tZK2/kgre3/KnbDU1IxXkWxbCw/BF5A
tuC+h7mfJbD7ASUdx0AaMoWeB2tFYHO6v7gIgsqREfgzh97yKTCelglcAbA/
ZFUSJki9GFBegFlydCPKDDxrPFbC6D7YhXJeirIOPVLBgBQRiBxCLZVgI+kT
lgFreD7RtYirso6jmLKXMRpwjO/TxkQBxQQdBH0ZQkOAjwFq/LCkra+8LDy4
E2FW/vp22z8i6PVpGyIEIiwhomGIOUd1XsBwxHUGyOcHFdEjqLMiCaCqoJnh
9IdJBiwWVtAYGBi0SUABBplzCKYMKd1GxKGsK1gAcrCgT2FkPQDDaDfohYEq
IQOUu0fJcxRF8iOYRDiasCUlLCTF72UI3Qnq1JHjBQLwOIlga2IKM8I4EsCE
dQXbBIT/YG8oVg3xhqGPvLIW0FFVlYRFCKHrNDh8UggdVHAdRIkX0f5DAJ4Q
FbCq75MYlgXcgCqLMgBOCpWQRNdQDmnqCIqCYuySdkihkwAiygBgtKRNE0lb
KX4Jfpcx7EENUYG7CTc0pWMAcS0rzrB3Il9iUviG2LGCTvYomFKCbjVtDEG7
JznxsQ8skEOXlmiABAzqjYyRAEvFjg9jAzHBZEAjaMKkxnN5jIHu2fj5BUFv
FAVhnZCeTjE6OFAi8CisnIJyGdReDPWdFLD90q/zDCxACV0lONgrnDzFkLOy
JumEWa/9OEzACRSqhIDHMHahX9KBA6w3PDMJaw/3gBwkH/5/AWUSSaf6zeUj
fEyBh14OgE1CQICkpO06+FleHQgsGjBiBVQSAmYWfk5hkpyunXcANqFKU9hT
rEVa1kVWRDV4LPL9oqoK3oNNAgEXWNQ+LDLtJRcpdDRgbrJT4KFf6XAIrBWw
kCjgXVMyICBIUPhBScljUPgyIYsa0W6sAwyNv4Dj0oC2/6JSwMQApISihu3A
KkNCYbw92qaDW1hhpBTZDAOCohDeTuAF2DlJ0zKOoJqgjzKgFbjPaV0GUe6J
FAuSwHgHMOeQ1xCQFBOL4U4K6K6AyAIlBQEVHvxZiGxYJBlEOMooWAXAQw94
ZO/LqPZosxDILSxruP2FBE4MaycFXYBHIGvA/oCXgCdYSxkDJ1IUFag0ASIF
R8RgnYj3yMHTaIEcWwF1Uqe1k3k+3GoAn4S0hwBe9uCpp2ngBbvTgX9RLxeL
7VFcLwb8jEIgYsArcA4GABcDkI2aFIJOMVFeDawJYFQBwB86oR8AHHplSBgi
xNxjOgMW0r5bAIgdEt4HY+InNCiltno12KdEy3COKhnJSGR7Bf5XnbHx2/Z/
/+m4YlLDGY5SB65tzXm8WHovq2O4AQmkjXKp0jgMawH6BxTEg7MN5xjOm58B
wXoecGFFoDytQsfzCphPPBylAOlYPS+BR1WklQczDt/bg5aqvV8HlIHjnzoR
nPsEric4Pi/8MispCgYN7AFbw8mDGwR3EuQFTsAyUKAOZCwkVAk+i0PgiyRw
6ioMacULgCLwDWTQq+EgAiRTWnHpwz/O4TB7fe51DYaqaFXrPCWK11grEAgI
G76nR6d4UpEUcH5DTATMmBZBKCu4aSnwMSAREFYtKKSa1h60p4jJDhToEB4t
WJoy5iAfEkg98EvaQwZ6qsgxjYtSllXhOeBIAR8jjmgxwTcZoXe4jRgZzFeM
ZmKZx3VSVD40R135AGUYUFjCgQN9Y/BgBb9QxFDlKWXyJrQTBr+NnIkSbfza
/N9fHj1NPkCfa3XufJA+79S5ewwUTCk2v4IEGz/O6VBlChb2AUpkEIGhqzAv
SVxlRnArDsGgATRcBt0CR1dCovEA+NaBkH3gvihEN6tFArcZxsOj/XToZTq6
GSdBBoWE/xb4HisJhCZzP/bTGtovkFUqHACQaFuH0yGMUACZlB6lOuUlNKUP
h78EhpLg45Qky6cs/pBSRKKkipzcq+vShytN2XLZ7mRXL/TAAwGVAoQ37tNO
gQRkw8CSWtRxUUFLenRuOANFZZo5kGl4PVCnkPI8hiW0klTgd8Hph2USEPUi
oWw4STg0DcuS1ElJp0GyPINvDwUeZHDhKA8K2BCGMY+rT+UMfNJ1gfRDi2Y+
0HYQRJ4Axvi/5Z1Zdi23sUT/MRZ+oEdiOGjnPwTvKMkilx6p7ooi5WdLSzYv
dU4VkE0EkBnJ/+IFkzgnqSDiWCQqwvdzzWIO+F4WP8fVPcb4wb4AatlSle6Q
MHPT5Q4RMysSeLVaspApyqpNIdSplY1gQAa4KnQmfb0pBwSCANL3TlG1RdCM
m9VrC8WoKp0makyQiM+LSBWfNptrOn4GsIAA1vcoy1ijbJ3Hmk6bnxYmgn3o
daX8MHQjHKvKMak5OkA2Ds4ATMsEuut4//8eWvl0QlMBjM/4z9QRrFlcHvOP
qqPJcIjG9ysJEBLgAiVshd5kM4ARoCHfMEAAyMjNPugpp+4Or0rmZD0bJAcW
IdWNbHWWhTnO3LsDhfJZ4LYg1YHxviFGgEZKrBPg7tqFCMZEBhtX5Zw7Augu
679KBbnEfB3MaRKUJtiEUEuOiL9AlCNEQbpfHSzg1bbUgc8NwgqE4OUwxJFU
4dJ2ADQDYHShiiUCsIFVsdZ8q0rzC8RMdwAbCHwEi0CWoO6ECYNvoH/BeAiW
kIytF/AqzReGfw9AkBeBnCTDChe9FUPoKovmhwEHsTWBLj0HADzmpFPnk8sC
Y4CaswFUwqujeYLisStsSBoOsGkYA7ggRuvNEk6sfoDWapNGxCotqFmLLwfH
VQkW/CsDoJB4SoClsNQQB4zsCypM+r1x6JaF3FLXzqQi9edvmBTchu2dZm3P
jxNTVPuZNht0cpvKPQF3O+m8JBEBVMgE94LlS94Br75tql58eEyBePuL3cXG
96gmoLSTsBkVYY5B3oTwD7UYA8rsALCbWnjZHTj8VaxmE12eBsdpaWOnBB+w
104QvY7hw2xCbWrrxKcyeffOqwgN1h6tAchkWAND/Gy7a029zVtoc7FN8MGY
JmmDOPhQlGGpENEa8E2f+5yXSBSEWODw2WCff/X8w6b38mfX61fL5cKnBM0X
n1QS2sep0KRTpiVAu0G1UoU/kkUqVtqhzJWYCNGZaRen2hXVMEN5bbxfU/Y3
BN4XD4Hjj7JCY1YfKNQOint9fhoaQkwej1Spsc7h1Lp0ZfgGUghzwhjbqxMB
BVdiVyC20OQGPc6ClgsPhofC7HHXXaExY+tm2uLFtdQTvatMd7Ma4FeWRXU5
3nRceUCLG3/xY4QJ1qlSfdDZ2SLyHxDtgXCNrU6/dd8/SsMVgb/ZX/Zs3goT
HZGPL6pd2QCwmhYxmPcW7/ZzuBJ6TpIrqNZar+lvDN4vP+CG2sA3bviVl4lk
0hga0XRU6+dGnZM0WB0/l2jLifs5agV5saoxiHPfGZepSHi7ceIrzlIfwvV4
q7Zz9VrI55KCyVd99PiJD1g0lkrU5Afk61i2DiXicXFAgT/tuu9TMmHAFwHQ
EKaOk9UAogmHjTtEIbYdtgz1PgkflSmGq4IxtQhtMfNDQPsgEKxySvJ+kWFw
IHwigd9xKFj/UG+DDyQ2PfdhMaerjYdgqUGqI+oIJr4pFx2qvAYwNYLkU9ug
7qgxVDHOtpr6DhKL0CGNs94ULm6ly++b3IUjQDKGX0STqoPLoz3MvFPRnRnP
NIOvoT79+wC3JnY0+XOI91XwC5+OwALL0WOJfm57Tphg9Gv2oBgxcFnPHowg
JwVKFl0IRr43EbyyK1Jr+rL7qE/hBGEQTcEpon/ELZLGIlytVg1vXrh0kEEG
slz0mEEKTgc+Q1bbiWP5A2wWPR8YfF8TkvVIB+C/LPkGaelMeE3DPmYukWQX
gyNUNMUKD68ichL4f7FIXV3YFWslSjxPovPNMffIrcAV5vWH0HDMVrXdwF6j
xsmb8LvOmq5VqxJyYCd34AcrsUIpdHAheHTOpZTCzwkxW0UmYQMZ296q0unk
uE+3yFN3ABuAKMiFAMgUgBCwf90R3DqJpb6yxeQolbHW2PkeXhG+4q527isv
TL4navvxQAtqW/DHm/EHARUe18+lcjiYpOqFeUK1XwAGSZxzX3+HOcsAPl+k
gBU+0AX8G4I1qO0Se4EQuapSjLexUoqqfFdUUVsMZTUJffBVezZWGlKDRW/4
xti52Xm9YsW1+LdHiivwHtKsmMDYRzMOZgYG2lW3TIuN6G1G9k6l/oRM6W/p
CNU8hBrAZAU8pVsNtVLuotKgC8GrQZdZhcUvxUtJQcojARCp88l06vs1a38j
avvhgP/yAw6Kf7pXB30r4P/VR+D7nibpIRJAzST8ECxfwXFSAHl/jrp1k96x
Ms/KEEdLYFP4FXzXeXV6eZ0zx1uhE0WNubhBU4NYMAjjR4zxj56A/XRdevEl
qE2ol4QUqqKNqU1qxN8KPO73Is9H2XAkvKqrlnJitCqD46uuwgwh55wQdCWj
+0g+Qf2R3qV1asgLwxjWMs7YPPnjxn0m9ga/a2sSsfapp9xwPzrKhQKozJE8
CSIebYKrrK3RF0s/MNkUfVbzJkaZo8OXPG6rC1aezUt0rD/aoC1mnH7ztHjW
jVL7yeOe5N+UZG5+xBMCtQr763PhyVjTAr72I/mkAID731QqaTrFIUuwRrxx
BufBwYs9+fTOkPg2n3iO+Ry1sADls9tAv8Qu9nkKaAw+ipfUBipSMAbdqm93
nzZY5lKNHQIxsfUuNj1S1BEPGSVt4lScgXViX3lQ1p49lOrVwIf8B7g+ZRh7
h7JXP0tiQ3G6tk0VJ1FXWLrJ9LvoHDPwXe7Cy3jtCZaBh16YI4bU1CdVA9wb
+iQVTH6ZHEBE3+1N3Yd4Nr+jK4IxMQdYOUidbYeVe0mcRCxhSNlx4BW+epXR
6GbSCmkgrBIrq8dDEUBumN2AaeLKQU2M2FP5FlcEvhDIVaZQ2bMW8JwGdAxb
fIfYZ8AOXqN05Su2SxJn/NtDGRDkfzPw9RIrFRXw1ny21AoyzppUCSzBp1+o
LSnAdFu8agisHyjmshbkoJx8UVv+mo2klTHhKsfjm8NsgzAyXa5Dgh+zLV3Q
q6B+qswpLIAAzoi19uH/jQF286FLgm4HBoBbBVI5YfSKKWidyPCk0NmAYDoQ
vssN3EqdXiphsVhLmlj25gssdZ3/VAnrXtVTnPhRm4OOo6Z6IsjUxypJaoRH
FSoWkz5uHRiCBCvlE7gK688LqRoCO+i6mCtXutckx6Z+31gkFF2lI5tIf2TF
+noKdnnym4yMqAqie/jlDDjCISRhIe8DxJUOghP6iMPASWBeYKR3XnUIm+Sb
BD1VETeAmOCe9BTSDLVemJoK4CoSR/XRIhkGOMPfwcYBVTmAx1a1mnRTWztp
HjbxhtxU70AyW6z1XQT/TO6IQJ0cMnkg8ZuknHjeBWTmdS5ersrogah56K4t
TglNJ56k/hrFuz8J49/wIQwvxSSRZpnavdPA6YTJ4+2qyjyWVkpqEYfTkRHB
J+QdIg/oXawzQ//A9joVjYC+i1E1XnqQoQt4P5XPFlX9Ese6wGN13mJnRqKI
sF0yjgRq0obWLNUslqjOWTIEXiCNP51QH4AuUIBfNlV3Gpy9PBKoONbcugGu
HTSRPjiCTnrBLk2qpkYmXKHLxgsfmdSF4wHbxuYB5Hmv6gYZ01snW0BXYDMq
R0i6eBkSWAPns1VkSfAm1rVVuvqqNgzWh4uQhNRrETBaIrdf5DqiQ7tqEgAw
XRWGH8uCcYDXUyIprfOyUug7J3dADS4/Hml2HASm6BNhgPf3OqUMuLX5wVIQ
JmYk72FtQ/0PxQnm765jcYiQVHaATDbYJB5Yda9bBVvtKfQi4z+9LSrgxSkX
SSe9X530DzoWpGc1f0baWfSEDYhSu2vbJ/N96FYb41htXCxgzYXJVdWiwWXd
MewiR13lGXEHhNz7VSKCHFW+b2N/H1XF/I2XRJ/uWy+/sx/u/2zIn96Pr0iL
OjIYPmbRixskqSHXktJdlMiqTjhUj0Ym3HmWddhb/u7mYfZ9NNWB9RHuIqe0
oS6Hq0tB2yTcdaQT2/L66Cjw03MvL2eqQZfOAJQ7L5Cah0PBoI76ldKVykhX
s5hXLY5C4sAfVUVPJk5ej5HAqWUqlXTSDMi7ujCrbZbHS9/ltQllm/qoIFeY
CX+AhYWgpudxt4cRJamdNZA4/NpKmX6Gsz2BwXxz/MshYWkgZ4XCoTBDAI4k
486jTdB+IVxbmKrta5PX49nXlU6W4Z3E2etqNOLuzquoL4q38wQhYj/eOr1a
BaU3lNRbJdEhPiRJwGGWHU/EHt4/YtcciCOpaihmbJut6hU3IRQSKG5Zvz6R
cb93JPPxicynJ/iX34507jdD3Z+LdF95D1dmVJtF7ey33TmhhFe9s6TJHDBD
3T/75b2aHiJ+01d9eueAmC06ncF1iKDOG0r3VYXS0DU7ywNfSeLz9Z4uXgUj
bO4YCRHqgvMHliJ3lu3u1edz2pjxDDJskR6UhAGfgw+nU6ISxpDWgV+Et3jG
E5/40eApveTrPu0e7yvQmND/hIcTiCsR+kLqyiI0+xBaOdL2zr15kscYvma8
V+X0gHLVmoDqdfYKSuIJZiRKZAko9ZJYrizoHqS29X6ojb4FRTPvk+ZfpFuA
UoXYPCv+GPUT3CMXIM7GD1JLR93tgVBB7BNnyXdeaDy7pBEc0g9qyzCgFH3B
q16PjXkyDVghbE/QVzgpkEkCT7v1qp34qjNxdftAXZ5BNQE8plEcwVWi/SGM
EsczGItQ7mWXS74vDQwMiyCZVW17se/IKxFj2Va1ZLM1s9Xm1KttabPvUyo1
U6UYjaQC6Y6+R6mC5+mzRkoQL0gaUyNhWO6jk7OUvhqNaTwCeXtd9a2S40dd
be/WdapC+orYrdfRgldrRMzH8wdXy16LTpd8OjvnPnTRdvHvFsH1oF6pn6ss
fX+Exj7/ovJLXA4WcJc6twlV5BxdYm8bUtSEHdcpaVwe9XRJsIsAQLYfxcS8
1PChszLV4h9suMdQEjlAXSewIgPHL4j6R0d0BNxF2JTOAfbVssYBSfi31bt1
wNSlLVBX3bqJcQqdaq9RQVl7gBsPtq6Xm60B+IhPUlKByyH/rPN6slB7yk8a
v5L/w6ElJaEm6iblNyGErtMtjXmahRdSMfjZd+qaxeGGE7ygM721yzSZDtwL
JznqUt3keEghrpz8I1HHL5+IhxprkqQLW09wB1+THkxic4M4nYa1jKyO2ZjO
UYUPsQzSB2B6SvsgeLP3qZsfTGJ9tcvdq/OUpoM0OO2MZCVd5qldsuFycN2T
ikxnkASxH8DIVN8UwdeBZQghEOH5U/4r82QxZ0IKfBRqiLF8JJf2j9zE/m9S
o89PpS8qgqhFzdyPanIYgEp10U7YvkZdYPW7Am8zZL9UMKWPwOtHNEol5uoU
UfdVwxdJR7AArd6QbkIhGqtyuYSvyte8nH8KYWcKRW2Kx13sovhySn/0W1Qy
X016u8DptbcknrAfYp4HKbLD5B0YGDiRZ928kO4w3HPPJTnJKKv/RTZZeqpX
YtBAUwyk8rea8nzrxD61Od0Q1PSuapJdJQFSIzu3O2S0aVJOFoMRs+wqpgUz
sD6k71B5qAQtPBALDagjYGlqXfNqZoGQ6M/Am45ANNQ3aRHm6nXFX4n8Jkmf
qS6slstUxTEZ83gBVxtVpXbDQ7VZ5a+mRp8OCl5+Owa63wyCfyoGvp1A/9WX
3Z6MnjWt5o5DNErZqxEu4dX8fw3GiwEPAQrES9DTZJtV1qpscR7d6S5MhmJm
ZOsAddmQ8pAGpCbVEDSMDEuc90qZqS9si32oOgnc84Stq1V3xl/lOP8N8CqJ
32vdprYWqNNtRRMByLpq82XD2YyPkoD7I1ngL5c1eoljYYe5Tn9g1kNHSuqc
TKoPKZYI/tJEKqyoZ9dAEmLlmgvWvJRsdcHISk3caOqEuvhV7vZLZ7Cj1ZyL
ijaCVLE8S51PJ+67qzZNyU513vGjGJs8xCG1sHCTtghPs0u15/bW/dMEFFSw
KqWQCTs9anSVr1y1aA5Vhil6tlQOGQVgs/YwaQ80naFn4hpUeul6eJqGOFVJ
by1X+LBgoKwt8XGiS3t1cfV1xX10Im3gS6nP678PsCoAL4l1lr3Ux72l3ipz
NRsTIOUsAK/CkYxnuGOXuPn+A30nq42rs6dst83eSI61LsWPyQqxtRkTTq0Q
dFz/5PuP72ynS1reQulJAg2kE4yKTFPIRGS8RTDe4qkAYp4wNichIo0OICIU
rDepTTJHnbX2LKGpqxmFwv+qGFE9ejXMOABo2L1aB+A3OXWnjPko7fMhH92k
+DA2CZ9QohY7lT/jR0nTm6KkMtKIqsUl5lxYc3S9lqgyqykRMwK0mpEjPBkq
MyVIXdrTVp2kN3abTpIDxOJCOpp2BMDUrlPRgmQ4JlkU18IT3/Rq7nBb1YTH
zlIIbeF6JIru4TOelZgwC5XVSYiTrFxVRDSmegid5AbEDLwuGgmc5J7UWftc
lHXh9vxQWhvjaQ0ABUgj86mcahKjzFuFb+N7VAyolu4uiYR4Fbx49dwPWdzc
cCbcH+hA0t2apzE1tiLakMJ1SDc6zQdOZAhgDJw0Cvvs5zJOZbfGD2NsfEEH
rGJ3pO+Ro4CPRrjA3hJhq7uY7E3FvMAbQLVKC0s976DEcGZSO/fKc0gDn2Ab
gHaBXLcl91W9QYFJ7oqpXTdnUk59xntAjLfkh1SMcgm3Uo0ZcUomFA8m7Vcp
jRKV+Azgnq8gBLb/fzeVBQgvKLTIVHWLp5mOxGOYOP/BCrJ2Ur0fQFtWPDrw
GU8JQDA+SorwVzLoyTIPDVPCzHUrX/3TfQ0+sohLPSfcG1SC/VeMDdwPy8Fy
dK1hH5UDeWxqqyBNNQA77WiqNzxVoul5Eo2Uu5ZIVhTSBy2OXkyX/pkn6c9s
wtwOJEi6/dm2hd6lOBClCX+6Rgt1GBNGRELeG5DpJpnosiVQlHNA5/kV7ise
6AoU/KMmqa0p1dNrrKc1jRkOWyXkhX2SXI5XO24H+EZSVHcaaqf4RrbipVnV
AU/xwlNxRXZcyZq/APgac0EaBo8RMFSOVKSn0maEMxwWH8j8jCToi7TXyYNB
hXeqUpfZaCaYTnh2BzSkRycFAEHcBEODfhucIQg/1yYf16w9jwssaVurTarX
Zx4L/7i6CxsShGSPJILiVbSLG5N23z/ZwFWPpvNoOAlYMPJCz/1aV7pM+QCX
5ltO7f7I8ccPFJorgvNtwkCF0Jx4lKGuqo0h5h5izFUdWCxmKRr6Z8oOkrIH
sGEE0mysONHWMe05pCNY4NHhreBQBhmFjK1P3e89EwHYI9Wu8NlXIozZzf/H
yAO7eo4woPZe9P1eFvZ6DEPDLcEKEcZASiUbekixxIR6lZ469hWDqb8Nnr/A
gf6sI4lFuB8EeQNNz1CEusMa0NKkyGMbtlgdEavk/TQ6ELPOh2Flhn7XzRZJ
OwSR3IqmnsTY9VapAsafsel+46lO/YprpyEB9lrU5JWCNCbw8LqtNmWuKfUv
4x3w5hLCllaOhGzDyY+ajfM1SEyJ9yHlaijpfg0rEKouaYGc8wJXSB6VkMrL
6krhwO6jVWLgnZp0j6P8NCGC/HsbNMukQqaZU4C6eCORT18VpJczog4jZzKd
+RZg/w6jqiU4HsLX1fW0N1BBUVN/0OxxVbart5AA0DN7BemVyDWgS3X0alQL
96nQ0plGVz2spGglEOC8CrKS5mSxV1eTOh5QeYckHTQ2aaxKEAhTvcFRY32S
NAUIfCx+ADf5eP8VYUURliQyh2kmiibwSHI4aWpr1TSACyitQCayC+sN8lZV
uQ68gMJP2vJ580zxp5kfix2pErjr0luOyR9TDbLpPF4KiaqQ2Po6ifNqgHNz
+fPrTr5HZHn5s1v/q513f2nr/1DDzffATS96kKz+RIhEsgmigbiBeVOxqvu/
Au8PQYT8ZNaQBLiC26VhdxJkGjbFqFiiARPbV4rQhaAIr9GM5GfRdbDTqiS+
i/T+ANgBhO3OM1V24vtl3vfHoH4XAKdVImJ2aGTOvR3Fw7rIJ5plEHHnqpC/
2ETVxbAoxW1TERCrqua8dTSlbrVTpXueWyfXYKtEUlWx9rWU53gwU12dKp+3
sNWUMApxt5MJsJR03oZ8P/NW15KpVai01YZKWNReAEVV44TabcZ4BqGRSDTU
VVNgJQbpoNi3F52V3JuqJMUJ5LiPXYIKKAaP4A+TpMTVHdFzV0UJ7sc3Wcmh
AYvcIzDuyVxsTzBSBHGrrofxRKwHVi4hvqkCHSx0qgVIg7Q17Rc8eojq87pn
8I6mWG8o4dJto/lbs6VmfCEZQOO0saR2gxrTlGOn5xGke32Olre/LwCrlBjD
Eg0jdLaUF3Fj310tS76spwk8e3NK7f7IMfUP9FR9PZJ8+YGs83PScT+UdfK3
KAEi2pFc8APeDLfrS2L/pKCKpY9nwvsERhpgqRPWfeuGHQDr8PisEAzq6Jod
fm7hxZZOH3h1orLEn3hjNcdKyJg1ClNj8rC8Pvcu/ILqy0FcM7a3pxPY3YKM
3Su6BU7QDrXnOHg8kxnvSs+dkAaL2yPUs5QD6na1R/llBVWpYiljp70/zcmA
No1BxQ4t8oZrrq6yXEwQBx06XU65mIa6uOdA9dOKib4HDHivghS7LJpqrZmr
mkwOmj1ZkwJIy41YUf1UGxPRfBOUer7OIo4nUEwwKCQmwtuKS6PtChghjN62
Rg0Q5pa0RfO+VTqaOaxsRc2AljupU6NCo4YVkLo+qpFQTrbTF6k1Xek4LIkO
w641fEFbXfkIIqHPpNruapQJEvhHlcycvoIcMltsj1QmLN0Ul6XtnQqmAqie
oSWTWjABktW24W5rRJsUWyzpqYMNbwiGr9CEUX/qYideEooirzNA76Gq9oF4
hQecXXSOGdOJgP5AyJlO4+5UNiJFYkmAE7F2x+/4l8pzP3zgDjhYlECI1Twi
ASqTDoqGnOowLhkxUEomKaugHBBysFkWeB2di0IFMxZWK7k9qLxKGWer0zTE
LW9PGmQQsiOmTfWVNcgNX0cK9yR80MvSdXB65omo3wyy1Kp0MsnHVbPONQdB
HWM83r+CYJi3RzeHNVHp4CXhyCv2JjwDL4R5NKo9EJsExWTPrE8iI5jTSiSv
HoCCpfsjBc6mA6OiOZwYlhoDgifodZ64Shw+6CqZ7JErv2sNz/2sc4t/ccDB
p0N8yPblr2JdeleApiEZtX5mSHD4rjHoLCqf2hZYvQttBHZpEAvWleKLt1nb
uSeoREsgdZPHcEI2QjpIIHAeHB4OhmCNSBItTLgF4Qfn9B9II0bN2Fk43Q3k
GR1ISrmnLsxGg6ZaVqPK2qoQwTE04MOne/xlBVSsxK9rOmIBvvK1PUABiDig
HfNqwLpDYzVZnpLVwZWXXn47CYpHgeAE28FZ3/SEeW8qYVgtjNaqpFiXit5x
57lD1jXhAGgvdoa1UFk0nqrqNOkRuJ6H5peN5aXlBOJlZ1gvDd1RV67qK7fu
VjWcb+oiVWoFGlmdV0urFU1ndaRuEYCpcWNJatW6B7NBKNWIoTulzCKoHXR0
oSqYvCLhTzix4ZG6HqrOa+4zII7XUM8YW8l7Qsnikkq25gHh7fxRBpE+s28J
y0cao7qVEI6HTf0rAk58Dpwi2UiTUiyO2a665G+C/VwVYvgrFjG7hFb5kUpR
NKt6XFcknJCUgu6Q4h1cbYWx9lQtoKZqgjQ9v5rVGQod8oQiWSeshlwsabp6
3EeyRv9IIdn3iDnf96zjm2Ctp7RrpCiJ6KtjhUngqHvGHDe4eE7hAyzKJBEw
NYnhwsG3Rp0UvxtwS712BQ4gJL7q4KX45ZueuoJqEIhM1CJKGPGmAeo9NJ2v
PA6ODB9sJUZ+9eOzju8A+l6e65unaG0oilp8JrPNphHw8AlpaV81//CaSZUo
240Cs4cmGla+2BbsVmMjb9bQo558TME2VAYLVOc2eWRoiro6GKPKadVE6wj/
3fJo0eMquv56e2uW9OBiOEQuHc9o/MsW1BM6AcFtKRH5SMZT0rOnmb7irIGV
l8qKDrJC0eJPMMpVm2/X2Rn/uHziEBtin4GS8TbTvIEi+VtvSedrrqsAELfL
mEjTeXZa6gPuUQX2ujeYQTPIj8Z19aTgDh8E2nYCxn3GPbfmFBSl9icRd3LK
VlGNqQBRajrsKmGQXGi+kOAzUBZ0jUfUtVWHoPkb97wv2Pfdzjq+Hn2+/EA+
+jkduR/KRz+no/8AfukqWr+xAQA=
</rfc> </rfc>
 End of changes. 306 change blocks. 
1843 lines changed or deleted 784 lines changed or added

This html diff was produced by rfcdiff 1.48.