<?xml version='1.0' encoding='utf-8'?> version="1.0" encoding="UTF-8"?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.40 (Ruby 3.0.2) -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lake-traces-08" category="info" submissionType="IETF" category="info" consensus="true" docName="draft-ietf-lake-traces-09" number="9529" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" updates="" obsoletes="" xml:lang="en" version="3">

  <!-- xml2rfc v2v3 conversion 3.18.0 -->
  <front>
    <title>Traces
    <title abbrev="Traces of EDHOC">Traces of EDHOC</title> Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-lake-traces-08"/> name="RFC" value="9529"/>
    <author initials="G." surname="Selander" fullname="Göran Selander">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>goran.selander@ericsson.com</email>
      </address>
    </author>
    <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <author initials="M" surname="Serafin" fullname="Marek Serafin">
      <organization>ASSA ABLOY</organization>
      <address>
        <postal>
          <country>Poland</country>
        </postal>
        <email>marek.serafin@assaabloy.com</email>
      </address>
    </author>
    <author initials="M" surname="Tiloca" fullname="Marco Tiloca">
      <organization>RISE</organization>
      <organization>RISE AB</organization>
      <address>
        <postal>
	  <street>Isafjordsgatan 22</street>
	  <code>164 40</code>
	  <city>Kista</city>
          <country>Sweden</country>
        </postal>
        <email>marco.tiloca@ri.se</email>
      </address>
    </author>
    <author initials="M" surname="Vučinić" fullname="Mališa Vučinić">
      <organization>Inria</organization>
      <address>
        <postal>
          <country>France</country>
        </postal>
        <email>malisa.vucinic@inria.fr</email>
      </address>
    </author>
    <date year="2023" month="September" day="22"/>
    <area>Security</area>
    <workgroup>LAKE Working Group</workgroup>
    <keyword>Internet-Draft</keyword> year="2024" month="March"/>
    <area>sec</area>
    <workgroup>lake</workgroup>
    <keyword>test vector</keyword>
    <keyword>lightweight</keyword>
    <keyword>authenticated key exchange</keyword>
    <keyword>LAKE</keyword>
    <keyword>AKE</keyword>

    <abstract>
      <?line 109?>
<t>This document contains some example traces of Ephemeral Diffie-Hellman Over COSE (EDHOC).</t>
    </abstract>
  </front>
  <middle>
    <?line 113?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>EDHOC <xref target="I-D.ietf-lake-edhoc"/> target="RFC9528"/> is a lightweight authenticated key exchange protocol designed for highly constrained settings. This document contains annotated traces of EDHOC sessions, sessions with input, output, and intermediate processing results to simplify testing of implementations. The traces have been verified by two independent implementations.</t>
      <section anchor="setup">
        <name>Setup</name>
        <t>EDHOC is run between an Initiator (I) and a Responder (R). The private/public key pairs and credentials of the Initiator and the Responder required to produce the protocol messages are shown in the traces when needed for the calculations.</t>
        <t>EDHOC messages and intermediate results are encoded in CBOR Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> and can therefore be displayed in CBOR diagnostic notation using, e.g., the CBOR playground <xref target="CborMe"/>, which makes them easy to parse for humans. Credentials can also be encoded in CBOR, e.g. e.g., CBOR Web Tokens (CWT) (CWTs) <xref target="RFC8392"/>.</t>
        <t>The document contains two traces:</t>
        <ul spacing="normal">
          <li>
            <xref target="sec-trace-1"/> - Authentication with signature keys identified by the hash value of the X.509 certificates (provided in <xref target="certs"/>). The endpoints use EdDSA Edwards-curve Digital Signature Algorithm (EdDSA) <xref target="RFC8032"/> for authentication and X25519 <xref target="RFC7748"/> for ephemeral-ephemeral Diffie-Hellman (DH) key exchange.</li>
          <li>
            <xref target="sec-trace-2"/> - Authentication with static Diffie-Hellman keys identified by short key identifiers labelling labeling CWT Claim Claims Sets (CCSs) <xref target="RFC8392"/>.  The endpoints use NIST P-256 <xref target="SP-800-186"/> for both ephemeral-ephemeral and static-ephemeral Diffie-Hellman ephemeral-static DH key exchange. This trace also illustrates the cipher suite negotiation, negotiation and provides an example of low protocol overhead, overhead with messages sizes of (39, 39, 45, 19) and 19 bytes.</li>
        </ul>
        <t>Examples of invalid EDHOC messages are found in <xref target="sec-trace-invalid"/>.</t>
        <t>NOTE 1. The
	<ol type="Note %d.">
        <li>The same name is used for hexadecimal byte strings and their CBOR encodings. The traces contain both the raw byte strings and the corresponding CBOR encoded CBOR-encoded data items.</t>
        <t>NOTE 2. If items.</li>
        <li>If not clear from the context, remember that CBOR sequences and CBOR arrays assume CBOR encoded CBOR-encoded data items as elements.</t>
        <t>NOTE 3. When elements.</li>
        <li>When the protocol transporting EDHOC messages does not inherently provide correlation across all messages, like CoAP <xref target="RFC7252"/>, then some messages typically are typically prepended with connection identifiers and potentially a message_1 indicator (see Sections Section <xref target="I-D.ietf-lake-edhoc" target="RFC9528" section="3.4.1" sectionFormat="bare"/> and Appendix <xref target="I-D.ietf-lake-edhoc" target="RFC9528" section="A.2" sectionFormat="bare"/> of <xref target="I-D.ietf-lake-edhoc"/>). target="RFC9528"/>). Those bytes are not included in the traces in this document.</t> document.</li>
	</ol>
      </section>
      <section anchor="term">
        <name>Terminology and Requirements
        <name>Requirements Language</name>
        <t>The
	        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP 14 BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.
<?line -6?>
        </t>
      </section>
    </section>
    <section anchor="sec-trace-1">
      <name>Authentication with Signatures, X.509 Certificates Identified by 'x5t'</name>
      <t>In this example example, the Initiator (I) and Responder (R) are authenticated with digital signatures (METHOD = 0). Both the Initiator and the Responder support cipher suite 0, which determines the algorithms:</t>
      <ul spacing="normal">
        <li>EDHOC AEAD algorithm = AES-CCM-16-64-128</li>
        <li>EDHOC hash algorithm = SHA-256</li>
        <li>EDHOC MAC Message Authentication Code (MAC) length in bytes (Static DH) = 8</li>
        <li>EDHOC key exchange algorithm (ECDH curve) = X25519</li>
        <li>EDHOC signature algorithm = EdDSA</li>
        <li>Application
        <li>application AEAD algorithm = AES-CCM-16-64-128</li>
        <li>Application
        <li>application hash algorithm = SHA-256</li>
      </ul>
      <t>The public keys are represented with X.509 certificates identified by the COSE CBOR Object Signing and Encryption (COSE) header parameter 'x5t'.</t>
      <section anchor="message1">
        <name>message_1</name>
        <t>Both endpoints are authenticated with signatures, i.e., METHOD = 0:</t>
        <artwork align="left"><![CDATA[
METHOD (CBOR Data Item) (1 byte)
00
]]></artwork>
        <t>The Initiator selects cipher suite 0. A single cipher suite is encoded as an int:</t>
        <artwork><![CDATA[
SUITES_I (CBOR Data Item) (1 byte)
00
]]></artwork>
        <t>The Initiator creates an ephemeral key pair for use with the EDHOC key exchange algorithm:</t>
        <artwork><![CDATA[
Initiator's ephemeral private key
X (Raw Value) (32 bytes)
89 2e c2 8e 5c b6 66 91 08 47 05 39 50 0b 70 5e 60 d0 08 d3 47 c5 81
7e e9 f3 32 7c 8a 87 bb 03
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key
G_X (Raw Value) (32 bytes)
31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 63 2a
48 81 a1 c0 70 1e 23 7f 04
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key
G_X (CBOR Data Item) (34 bytes)
58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32
63 2a 48 81 a1 c0 70 1e 23 7f 04
]]></artwork>
        <t>The Initiator selects its connection identifier C_I to be the byte string 0x2d, which is encoded as 0x2d since it is represented by the 1-byte CBOR int -14 is encoded as 0x2d:</t> -14:</t>
        <artwork><![CDATA[
Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte)
2d
]]></artwork>
        <artwork><![CDATA[
Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte)
2d
]]></artwork>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_1 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>The Initiator constructs message_1:</t>
        <artwork><![CDATA[
message_1 =
(
  0,
  0,
  h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48
    81a1c0701e237f04',
  -14
)
]]></artwork>
        <artwork><![CDATA[
message_1 (CBOR Sequence) (37 bytes)
00 00 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28
ef 32 63 2a 48 81 a1 c0 70 1e 23 7f 04 2d
]]></artwork>
      </section>
      <section anchor="message2">
        <name>message_2</name>
        <t>The Responder supports the most preferred and selected cipher suite 0, so SUITES_I is acceptable.</t>
        <t>The Responder creates an ephemeral key pair for use with the EDHOC key exchange algorithm:</t>
        <artwork><![CDATA[
Responder's ephemeral private key
Y (Raw Value) (32 bytes)
e6 9c 23 fb f8 1b c4 35 94 24 46 83 7f e8 27 bf 20 6c 8f a1 0a 39 db
47 44 9e 5a 81 34 21 e1 e8
]]></artwork>
        <artwork><![CDATA[
Responder's ephemeral public key
G_Y (Raw Value) (32 bytes)
dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62
3a 36 0b a4 80 b9 b2 9d 1c
]]></artwork>
        <artwork><![CDATA[
Responder's ephemeral public key
G_Y (CBOR Data Item) (34 bytes)
58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c
]]></artwork>
        <t>The Responder selects its connection identifier C_R to be the byte string 0x18, which is encoded as h'18' = 0x4118 since it is not represented as by a 1-byte CBOR int is encoded as h'18' = 0x4118:</t> int:</t>
        <artwork><![CDATA[
Connection identifier chosen by the Responder
C_R (Raw Value) (1 byte)
18
]]></artwork>
        <artwork><![CDATA[
Connection identifier chosen by the Responder
C_R (CBOR Data Item) (2 bytes)
41 18
]]></artwork>
        <t>The transcript hash TH_2 is calculated using the EDHOC hash algorithm:</t>
        <t>TH_2 = H( G_Y, H(message_1) )</t>
        <artwork><![CDATA[
H(message_1) (Raw Value) (32 bytes)
c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64
d3 49 a2 38 48 03 8e d1 6b
]]></artwork>
        <artwork><![CDATA[
H(message_1) (CBOR Data Item) (34 bytes)
58 20 c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c
9d 64 d3 49 a2 38 48 03 8e d1 6b
]]></artwork>
        <t>The input to calculate TH_2 is the CBOR sequence:</t>
        <t>G_Y, H(message_1)</t>
        <artwork><![CDATA[
Input to calculate TH_2 (CBOR Sequence) (68 bytes)
58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c 58 20 c1 65 d6 a9 9d 1b ca fa ac 8d
bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 d3 49 a2 38 48 03 8e d1 6b
]]></artwork>
        <artwork><![CDATA[
TH_2 (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d
]]></artwork>
        <artwork><![CDATA[
TH_2 (CBOR Data Item) (34 bytes)
58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a
79 6a 06 52 ca e6 6c 90 61 68 8d
]]></artwork>
        <t>PRK_2e is specified in <xref section="4.1.1.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>First, the ECDH Elliptic Curve Diffie-Hellman (ECDH) shared secret G_XY is computed from G_X and Y, Y or G_Y and X:</t>
        <artwork><![CDATA[
G_XY (Raw Value) (ECDH shared secret) (32 bytes)
e5 cd f3 a9 86 cd ac 5b 7b f0 46 91 e2 b0 7c 08 e7 1f 53 99 8d 8f 84
2b 7c 3f b4 d8 39 cf 7b 28
]]></artwork>
        <t>Then, PRK_2e is calculated using EDHOC_Extract() EDHOC_Extract(), which is determined by the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
PRK_2e = EDHOC_Extract( salt, G_XY )
       =
       = HMAC-SHA-256( salt, G_XY )
]]></artwork>
        <t>where salt is TH_2:</t>
        <artwork><![CDATA[
salt (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d
]]></artwork>
        <artwork><![CDATA[
PRK_2e (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da
]]></artwork>
        <t>Since METHOD = 0, the Responder authenticates using signatures. Since the selected cipher suite is 0, the EDHOC signature algorithm is EdDSA.</t>
        <t>The Responder's signature key pair using uses EdDSA:</t>
        <artwork><![CDATA[
Responder's private authentication key
SK_R (Raw Value) (32 bytes)
ef 14 0f f9 00 b0 ab 03 f0 c0 8d 87 9c bb d4 b3 1e a7 1e 6e 7e e7 ff
cb 7e 79 55 77 7a 33 27 99
]]></artwork>
        <artwork><![CDATA[
Responder's public authentication key
PK_R (Raw Value) (32 bytes)
a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62
c0 0b 3a c5 5d e9 2f 93 59
]]></artwork>
        <t>PRK_3e2m is specified in <xref section="4.1.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>Since the Responder authenticates with signatures signatures, PRK_3e2m = PRK_2e.</t>
        <artwork><![CDATA[
PRK_3e2m (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da
]]></artwork>
        <t>The Responder constructs the remaining input needed to calculate MAC_2:</t>
        <t>MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )</t>
        <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t>
        <t>CRED_R is identified by a 64-bit hash:</t>
        <artwork><![CDATA[
ID_CRED_R =
{
  34 : [-15, h'79f2a41b510c1f9b']
}
]]></artwork>
        <t>where the COSE header value 34 ('x5t') indicates a hash of an X.509 certficate, certificate,
and the COSE algorithm -15 indicates the hash algorithm SHA-256 truncated to 64 bits.</t>
        <artwork><![CDATA[
ID_CRED_R (CBOR Data Item) (14 bytes)
a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b
]]></artwork>
        <t>CRED_R is a CBOR byte string of the DER encoding of the X.509 certificate in <xref target="resp-cer"/>:</t>
        <artwork><![CDATA[
CRED_R (Raw Value) (241 bytes)
30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65
70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f
74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34
33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30
1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64 65 72
20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1 db 47
b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 0b 3a
c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea b0 92
8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa f1 45
37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d
ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
        <artwork><![CDATA[
CRED_R (CBOR Data Item) (243 bytes)
58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03
2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52
6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38
32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31
20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64
65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1
db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0
0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea
b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa
f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65
d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_2 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t>
        <artwork><![CDATA[
context_2 (CBOR Sequence) (291 (293 bytes)
41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40 5c 15 4c
56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c
90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4
30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48
4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33
31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30
5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73
70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70
03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0
f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7
23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32
47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a
bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
        <artwork><![CDATA[
context_2 (CBOR byte string) (294 (296 bytes)
59 01 23 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40
5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52
ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62
31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12
45 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32
32 30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30
30 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20
52 65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03
2b 65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac
e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03
41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69
87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18
37 eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
        <t>MAC_2 is computed through EDHOC_Expand() using the EDHOC hash algorithm, see algorithm (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t>
        <t>MAC_2 target="RFC9528"/>):</t>
        <artwork><![CDATA[
MAC_2 = HKDF-Expand(PRK_3e2m, HKDF-Expand( PRK_3e2m, info, mac_length_2), where</t>
        <t>info mac_length_2 )
	]]></artwork>
	<t>where</t>
<artwork><![CDATA[
info = ( 2, context_2, mac_length_2 )</t> )
]]></artwork>
        <t>Since METHOD = 0, mac_length_2 is given by the EDHOC hash algorithm.</t>
        <t>info for MAC_2 is:</t>
        <artwork><![CDATA[
info =
(
  2,
 h'a11822822e4879f2a41b510c1f9b5820c6405c154c567466
   ab1df20369500e540e9f14bd3a796a0652cae66c9061688d
   58f13081ee3081a1a003020102020462319ec4300506032b
   6570301d311b301906035504030c124544484f4320526f6f
   742045643235353139301e170d3232303331363038323433
   365a170d3239313233313233303030305a30223120301e06
   035504030c174544484f4320526573706f6e646572204564
   3235353139302a300506032b6570032100a1db47b9518485
   4ad12a0c1a354e418aace33aa0f2c662c00b3ac55de92f93
   59300506032b6570034100b723bc01eab0928e8b2b6c98de
   19cc3823d46e7d6987b032478fecfaf14537a1af14cc8be8
   29c6b73044101837eb4abc949565d86dce51cfae52ab82c1
   52cb02',
  h'4118a11822822e4879f2a41b510c1f9b5820c6405c154c56
    7466ab1df20369500e540e9f14bd3a796a0652cae66c9061
    688d58f13081ee3081a1a003020102020462319ec4300506
    032b6570301d311b301906035504030c124544484f432052
    6f6f742045643235353139301e170d323230333136303832
    3433365a170d3239313233313233303030305a3022312030
    1e06035504030c174544484f4320526573706f6e64657220
    45643235353139302a300506032b6570032100a1db47b951
    84854ad12a0c1a354e418aace33aa0f2c662c00b3ac55de9
    2f9359300506032b6570034100b723bc01eab0928e8b2b6c
    98de19cc3823d46e7d6987b032478fecfaf14537a1af14cc
    8be829c6b73044101837eb4abc949565d86dce51cfae52ab
    82c152cb02',
  32
)
]]></artwork>
        <t>where the last value is the output size of the EDHOC hash algorithm in bytes.</t>
        <artwork><![CDATA[
info for MAC_2 (CBOR Sequence) (297 (299 bytes)
02 59 01 23 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6
40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06
52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04
62 31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c
12 45 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d
32 32 30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33
30 30 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43
20 52 65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06
03 2b 65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a
ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70
03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d
69 87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10
18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 18 20
]]></artwork>
        <artwork><![CDATA[
MAC_2 (Raw Value) (32 bytes)
36 9c a4 39 2c 83 ed 63
86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 62 3c d6 1a d2 18 42 0e a3 67 06 00 84 78 d5 bc 6c d1 7a 72 72 07 2b
fe 5b 60 2f fe 30
49 fb 8c 59 42 44 4b 13 33 7e e0 e9
]]></artwork>
        <artwork><![CDATA[
MAC_2 (CBOR Data Item) (34 bytes)
58 20 36 9c a4 39 2c 83 ed 63 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 62 3c d6 1a d2 18 42 0e a3 67 06 00 84 78 d5
bc 6c d1 7a 72 72
07 2b fe 5b 60 2f fe 30 49 fb 8c 59 42 44 4b 13 33 7e e0 e9
]]></artwork>
        <t>Since METHOD = 0, Signature_or_MAC_2 is the 'signature' of the COSE_Sign1 object.</t>
        <t>The Responder constructs the message to be signed:</t>
        <artwork><![CDATA[
[
  "Signature1",
  << ID_CRED_R >>,
  << TH_2, CRED_R, ? EAD_2 >>,
  MAC_2
] =

[
  "Signature1",
  h'a11822822e4879f2a41b510c1f9b',
  h'5820c6405c154c567466ab1df20369500e540e9f14bd3a79
    6a0652cae66c9061688d58f13081ee3081a1a00302010202
    0462319ec4300506032b6570301d311b301906035504030c
    124544484f4320526f6f742045643235353139301e170d32
    32303331363038323433365a170d32393132333132333030
    30305a30223120301e06035504030c174544484f43205265
    73706f6e6465722045643235353139302a300506032b6570
    032100a1db47b95184854ad12a0c1a354e418aace33aa0f2
    c662c00b3ac55de92f9359300506032b6570034100b723bc
    01eab0928e8b2b6c98de19cc3823d46e7d6987b032478fec
    faf14537a1af14cc8be829c6b73044101837eb4abc949565
    d86dce51cfae52ab82c152cb02',
 h'369ca4392c83ed63d61ad218420ea36706008478d5bc3049
   fb8c5942444b1333'
  h'862a7e5ef147f9a5f4c512e1b6623cd66cd17a7272072bfe
    5b602ffe307ee0e9'
]
]]></artwork>
        <artwork><![CDATA[
Message to be signed 2 in message_2 (CBOR Data Item) (341 bytes)
84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 79 f2 a4 1b
51 0c 1f 9b 59 01 15 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50
0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee
30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 70 30 1d
31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45
64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 33 36 5a
17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03
55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64 65 72 20 45 64
32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1 db 47 b9 51 84
85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9
2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b
6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa f1 45 37 a1 af
14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf
ae 52 ab 82 c1 52 cb 02 58 20 36 9c a4 39 2c 83 ed 63 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6
62 3c d6 1a d2 18 42
0e a3 67 06 00 84 78 d5 bc 6c d1 7a 72 72 07 2b fe 5b 60 2f fe 30 49 fb 8c 59 42 44 4b 13 33 7e e0 e9
]]></artwork>
        <t>The Responder signs using the private authentication key SK_R</t> SK_R.</t>
        <artwork><![CDATA[
Signature_or_MAC_2 (Raw Value) (64 bytes)
41 e6 91 27 5b 84 04 24 25 5a cb 87 e6 33 d7 5d da 71
c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3
62 9b 50 2d a2 e3 da 5f ce ee c4 e3 f7 98 c6 81 60 74 48 6f 87 e6 6f 2a ca a1 bb d4 8c e0 e6 6a 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d
64 38 91 54 89 ac f1 96
6a ea 07 02 2b 48 2f 9a 5e 57 22 cd c9 98 70 63 31 59 f2 b1 7e 0e eb c4 03 74 e8 fa 6e 09
]]></artwork>
        <artwork><![CDATA[
Signature_or_MAC_2 (CBOR Data Item) (66 bytes)
58 40 41 e6 91 27 5b 84 04 24 25 5a cb 87 e6 33 d7 5d da 71 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96
8c c3 62 9b 50 2d a2
e3 da 5f ce ee c4 e3 f7 98 c6 81 60 74 48 6f 87 e6 6f 2a ca a1 bb d4 8c e0 e6
6a 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 64 38 91 54 89 ac
f1 96 6a ea 07 02 2b 48 2f 9a 5e 57 22 cd c9 98 70 63 31 59 f2 b1 7e 0e eb c4 03 74 e8 fa 6e 09
]]></artwork>
        <t>The Responder constructs PLAINTEXT_2:</t>
        <artwork><![CDATA[
PLAINTEXT_2 =
(
  C_R,
  ID_CRED_R / bstr / -24..23,
  Signature_or_MAC_2,
  ? EAD_2
)
]]></artwork>
        <artwork><![CDATA[
PLAINTEXT_2 (CBOR Sequence) (82 bytes)
41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 40 41 e6 91 27 5b
84 04 24 25 5a cb 87 e6 33 d7 5d da 71 c3 b5 bd 44 d1
e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3 62 9b 50 2d a2 e3 da 5f ce ee c4 e3
f7 98
c6 81 60 74 48 6f 87 e6 6f 2a ca a1 bb d4 8c e0 e6 6a 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 64 38 91 54 89 ac f1 96 6a ea 07 02 2b
48
2f 9a 5e 57 22 cd c9 98 70 63 31 59 f2 b1 7e 0e eb c4 03 74 e8 fa 6e 09
]]></artwork>
        <t>The input needed to calculate KEYSTREAM_2 is defined in <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>, using EDHOC_Expand() with the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
            =
            = HKDF-Expand( PRK_2e, info, plaintext_length )
]]></artwork>
        <t>where plaintext_length is the length in bytes of PLAINTEXT_2 in bytes, bytes and info for KEYSTREAM_2 is:</t>
        <artwork><![CDATA[
info =
(
  0,
  h'c6405c154c567466ab1df20369500e540e9f14bd3a796a06
    52cae66c9061688d',
  82
)
]]></artwork>
        <t>where the last value is the length in bytes of PLAINTEXT_2.</t>
        <artwork><![CDATA[
info for KEYSTREAM_2 (CBOR Sequence) (37 bytes)
00 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd
3a 79 6a 06 52 ca e6 6c 90 61 68 8d 18 52
]]></artwork>
        <artwork><![CDATA[
KEYSTREAM_2 (Raw Value) (82 bytes)
fd 3e 7c 3f 2d 6b ee 64 3d 3c 9d 2f 28 47 03 5d 73 e2 ec b0 f8 db 5c
d1 c6 85 4e 24 89 6a f2 11 88 b2 c4 34 4e 68 9e c2 98 42 83 d9 fb c6
9c e1 c5 db 10 dc ff f2 4d f9 a4 9a 04 a9 40 58 27 7b c7 fa 9a d6 c6
b1 94 ab 32 8b 44 5e b0 80 49 0c d7 86
]]></artwork>
        <t>The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and KEYSTREAM_2:</t>
        <artwork><![CDATA[
CIPHERTEXT_2 (Raw Value) (82 bytes)
bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 79 4b 1c c6 2b a2 ad 56 69 fc 07
55 c2 a1 6b 7e 42 ed 14 22 5f ef 1e 45 1e 2f 05 45 9f 8d
35 8c 8d 12 27 5a c4 2c 5f 96 de d5 f1 3c 21 42 1d 4d 37 3f 25
6b 81 b1 93 7f c9 08 4e 5b 19 9d 67 33 05 21 d0 25 a0 be 4d 26 a3 c2 0b 82 8e
9e 0e f5 65 a9 34 20 18 89 a4 5e
5a 60 a5 56 2d c1 18 61 9c 3d 81 aa 2f d9 bb bd a9 88 f4 c9 f4 d6 ed ad 10 9d d4 ed
f9 59 62 aa fb af 9a b3 f4 a1 f6 b9 8f
]]></artwork>
        <t>The Responder constructs message_2:</t>
        <artwork><![CDATA[
message_2 =
(
  G_Y_CIPHERTEXT_2
)
]]></artwork>
        <t>where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of
  the raw values of G_Y and CIPHERTEXT_2.</t>
        <artwork><![CDATA[
message_2 (CBOR Sequence) (116 bytes)
58 72 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c bc 26 dd 27 0f e9 c0 2c 44 ce 39 34
79 4b 1c c6 2b a2 ad 56 69 fc 07 55 c2 a1 6b 7e 42 ed 14 22 5f ef 1e
45 1e 2f 05 45 9f 8d 35 8c 8d 12 27 5a c4 2c 5f 96 de d5
f1 3c 21 42 1d 4d 37 3f 25 6b 81 b1 93 7f c9 08 4e 5b 19 9d 67 33 05 21
d0 25 a0 be 4d 26 a3 c2 0b 82 8e 9e 0e f5 65 a9 34 20 18 89 a4 5e 5a 60 a5 56 2d c1 18 61 9c 3d 81 aa 2f
d9 bb bd a9
88 f4 c9 f4 d6 ed ad 10 9d d4 ed f9 59 62 aa fb af 9a b3 f4 a1 f6 b9
8f
]]></artwork>
      </section>
      <section anchor="message3">
        <name>message_3</name>
        <t>Since METHOD = 0, the Initiator authenticates using signatures. Since the selected cipher suite is 0, the EDHOC signature algorithm is EdDSA.</t>
        <t>The Initiator's signature key pair using uses EdDSA:</t>
        <artwork><![CDATA[
Initiator's private authentication key
SK_I (Raw Value) (32 bytes)
4c 5b 25 87 8f 50 7c 6b 9d ae 68 fb d4 fd 3f f9 97 53 3d b0 af 00 b2
5d 32 4e a2 8e 6c 21 3b c8
]]></artwork>
        <artwork><![CDATA[
Initiator's public authentication key
PK_I (Raw Value) (32 bytes)
ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f
23 d8 cc 20 b7 30 85 14 1e
]]></artwork>
        <t>PRK_4e3m is specified in <xref section="4.1.1.3" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>Since the Initiator authenticates with signatures signatures, PRK_4e3m = PRK_3e2m.</t>
        <artwork><![CDATA[
PRK_4e3m (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da
]]></artwork>
        <t>The transcript hash TH_3 is calculated using the EDHOC hash algorithm:</t>
        <t>TH_3 = H(TH_2, H( TH_2, PLAINTEXT_2, CRED_R)</t> CRED_R )</t>
        <artwork><![CDATA[
Input to calculate TH_3 (CBOR Sequence) (359 bytes)
58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a
79 6a 06 52 ca e6 6c 90 61 68 8d 41 18 a1 18 22 82 2e 48 79 f2 a4 1b
51 0c 1f 9b 58 40 41 e6 91 27 5b 84 04 24 25 5a cb 87 e6 33 d7 5d da
71 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11
c5 72 a1 96 8c c3 62 9b 50 2d a2 e3 da 5f ce ee c4 e3 f7 98 c6 81 60 74 48 6f 87 e6 6f 2a ca a1 bb
d4 8c e0 e6 6a 8d 3d 1d e7 93 d1 c4 0e b5
dd 5d 64 38 91 54 89 ac f1 96 6a ea 07 02 2b 48 2f 9a 5e 57 22 cd c9 98 70 63 31 59 f2 b1 7e
0e eb c4 03 74 e8 fa 6e
09 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06
03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20
52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30
38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22
31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e
64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00
a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62
c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01
ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec
fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95
65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
        <artwork><![CDATA[
TH_3 (Raw Value) (32 bytes)
e0 91 12 1a
5b 7d f9 b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7 13 ac 98
91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca 57 f6 78 69
b1 67 77 99 65 92 e9 28 bc
]]></artwork>
        <artwork><![CDATA[
TH_3 (CBOR Data Item) (34 bytes)
58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7 13
ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca 57
f6 78 69 b1 67 77 99 65 92 e9 28 bc
]]></artwork>
        <t>The Initiator constructs the remaining input needed to calculate MAC_3:</t>
        <artwork><![CDATA[
MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )
]]></artwork>
        <t>where</t>
        <artwork><![CDATA[
context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >>
]]></artwork>
        <t>CRED_I is identified by a 64-bit hash:</t>
        <artwork><![CDATA[
ID_CRED_I =
{
  34 : [-15, h'c24ab2fd7643c79f']
}
]]></artwork>
        <t>where the COSE header value 34 ('x5t') indicates a hash of an X.509 certficate, certificate,
and the COSE algorithm -15 indicates the hash algorithm SHA-256 truncated to 64 bits.</t>
        <artwork><![CDATA[
ID_CRED_I (CBOR Data Item) (14 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f
]]></artwork>
        <t>CRED_I is a CBOR byte string of the DER encoding of the X.509 certificate in <xref target="init-cer"/>:</t>
        <artwork><![CDATA[
CRED_I (Raw Value) (241 bytes)
30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65
70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f
74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34
30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30
1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 72
20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 a8
ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 cc
20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7 70
99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae 48
b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9
e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork>
        <artwork><![CDATA[
CRED_I (CBOR Data Item) (243 bytes)
58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03
2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52
6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38
32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31
20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74
6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed
06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23
d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3
a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75
ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff
27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_3 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t>
        <artwork><![CDATA[
context_3 (CBOR Sequence) (291 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c
e2 14 5d 48 25 8f 24
0c e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca 57 f6
78 69 b1 67 77 99 65 92 e9
28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05
06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43
20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36
30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30
22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69
61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21
00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e
0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41
d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3
92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05
ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork>
        <artwork><![CDATA[
context_3 (CBOR byte string) (294 bytes)
59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 e0 91 12 1a 5b 7d f9 b4
f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22
56 b6 b5 ca 57 f6 78 69 b1 67 77 99
65 92 e9 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e
a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44
48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30
33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30
30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e
69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65
70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3
02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00
52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df
29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22
67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork>
        <t>MAC_3 is computed through EDHOC_Expand() using the EDHOC hash algorithm, see algorithm (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t> target="RFC9528"/>):</t>
        <artwork><![CDATA[
MAC_3 = HKDF-Expand(PRK_4e3m, HKDF-Expand( PRK_4e3m, info, mac_length_3), where mac_length_3 )
]]></artwork>
        <t>info
	<t>where</t>
<artwork><![CDATA[
info = ( 6, context_3, mac_length_3 )</t>
        <t>where )
]]></artwork>
<t>where</t>
<artwork><![CDATA[
context_3 = &lt;&lt; << ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t> >>
]]></artwork>
        <t>Since METHOD = 0, mac_length_3 is given by the EDHOC hash algorithm.</t>
        <t>info for MAC_3 is:</t>
        <artwork><![CDATA[
info =
(
  6,
 h'a11822822e48c24ab2fd7643c79f5820e091121af5ac6ce2
   145d4825e09012f29798e8f713ac9891432d2256b6f678e9
  h'a11822822e48c24ab2fd7643c79f58205b7df9b4f58f240c
    e0418e48191b5fff3a22b5ca57f669b16777996592e928bc
    58f13081ee3081a1a003020102020462319ea0300506032b
    6570301d311b301906035504030c124544484f4320526f6f
    742045643235353139301e170d3232303331363038323430
    305a170d3239313233313233303030305a30223120301e06
    035504030c174544484f4320496e69746961746f72204564
    3235353139302a300506032b6570032100ed06a8ae61a829
    ba5fa54525c9d07f48dd44a302f43e0f23d8cc20b7308514
    1e300506032b6570034100521241d8b3a770996bcfc9b9ea
    d4e7e0a1c0db353a3bdf2910b39275ae48b756015981850d
    27db6734e37f67212267dd05eeff27b9e7a813fa574b72a0
    0b430b',
  32
)
]]></artwork>
        <t>where the last value is the output size of the EDHOC hash algorithm in bytes.</t>
        <artwork><![CDATA[
info for MAC_3 (CBOR Sequence) (297 bytes)
06 59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 e0 91 12
1a 5b 7d f9
b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca 57 f6 78 69 b1 67 77
99 65 92 e9 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31
9e a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45
44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32
30 33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30
30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49
6e 69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b
65 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44
a3 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41
00 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b
df 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21
22 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 18 20
]]></artwork>
        <artwork><![CDATA[
MAC_3 (Raw Value) (32 bytes)
51 c9 68 a7 f9 fd ea 19 c7
39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d 4b 01
25 84 45 a8 ee 02 3f 70 22 b4 d9 f2 14 77 2e f5 88 59 05
24 05 76 f6 2d 03 6e 69 dc da a3 bd
]]></artwork>
        <artwork><![CDATA[
MAC_3 (CBOR Data Item) (34 bytes)
58 20 51 c9 68 a7 f9 fd ea 19 c7 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d
4b 01 25 84 45 a8 ee 02 3f 70 22 b4 d9 f2 14 77 2e f5 88
59 05 24 05 76 f6 2d 03 6e 69 dc da a3 bd
]]></artwork>
        <t>Since METHOD = 0, Signature_or_MAC_3 is the 'signature' of the
COSE_Sign1 object.</t>
        <t>The Initiator constructs the message to be signed:</t>
        <artwork><![CDATA[
[
  "Signature1",
  << ID_CRED_I >>,
  << TH_3, CRED_I, ? EAD_3 >>,
  MAC_3
] =

[
  "Signature1",
  h'a11822822e48c24ab2fd7643c79f',
 h'5820e091121af5ac6ce2145d4825e09012f29798e8f713ac
   9891432d2256b6f678e958f13081ee3081a1a00302010202
  h'58205b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f6
    69b16777996592e928bc58f13081ee3081a1a00302010202
    0462319ea0300506032b6570301d311b301906035504030c
    124544484f4320526f6f742045643235353139301e170d32
    32303331363038323430305a170d32393132333132333030
    30305a30223120301e06035504030c174544484f4320496e
    69746961746f722045643235353139302a300506032b6570
    032100ed06a8ae61a829ba5fa54525c9d07f48dd44a302f4
    3e0f23d8cc20b73085141e300506032b6570034100521241
    d8b3a770996bcfc9b9ead4e7e0a1c0db353a3bdf2910b392
    75ae48b756015981850d27db6734e37f67212267dd05eeff
    27b9e7a813fa574b72a00b430b',
 h'51c968a7f9fdea19c7023f7022b4d9f214772ef588590524
   0576f62d036e69dc'
  h'39b127c130129afa30618c751329e637cc3734270d4b0125
    8445a8ee02daa3bd'
]
]]></artwork>
        <artwork><![CDATA[
Message to be signed 3 in message_3 (CBOR Data Item) (341 bytes)
84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 c2 4a b2 fd
76 43 c7 9f 59 01 15 58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90
12 f2 97 98 e8 f7 13 ac 98 91 43 2d 41 8e 48 19 1b
5f ff 3a 22 56 b6 b5 ca 57 f6 78 69 b1 67 77 99 65 92 e9 28 bc 58 f1 30 81 ee
30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 70 30 1d
31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45
64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 30 30 5a
17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03
55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 72 20 45 64
32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 a8 ae 61 a8
29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 cc 20 b7 30
85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7 70 99 6b cf
c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae 48 b7 56 01
59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9 e7 a8 13
fa 57 4b 72 a0 0b 43 0b 58 20 51 c9 68 a7 f9 fd ea 19 c7 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13
29 e6 37 cc 37 34 27 0d 4b 01 25 84 45 a8 ee 02 3f 70 22
b4 d9 f2 14 77 2e f5 88 59 05 24 05 76 f6 2d 03 6e 69 dc da a3 bd
]]></artwork>
        <t>The Initiator signs using the private authentication key SK_I:</t>
        <artwork><![CDATA[
Signature_or_MAC_3 (Raw Value) (64 bytes)
fc 10 7e c0 0f 74 ba 31 47 40 04 da 60 c5 b0
96 e1 eb 18 37 c0 f2 1e 00 cd 5f ce ad fa c1 b5 af 81 6f bd bb e9 75 a8 05 68 3d 12 69 5b 1f a4 dc 94 43 f7 09 24 f5 71 f6 4c 6e 9e e9 32
0a 19 19 85 57 41 e2 7a 16 02 97 8a 13 4f 99 55 95 7f d0
26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e 57 4f 06 a6 83 f0 8f 8d 03 dc ec b9 cf
15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07
]]></artwork>
        <artwork><![CDATA[
Signature_or_MAC_3 (CBOR Data Item) (66 bytes)
58 40 fc 10 7e c0 0f 74 ba 31 47 40 04 da 60 c5 b0 96 e1 eb 18 37 c0 f2
1e 00 cd 5f ce ad fa c1 b5 af 81 6f bd bb e9 75 a8 05 68 3d 12 69 5b 1f a4 dc 94 43 f7 09 24 f5 71 f6 4c 6e 9e
e9 32 0a 19 19 85 57 41 e2 7a 16 02 97 8a 13 4f 99 55 95
7f d0 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e 57 4f 06 a6 83 f0 8f 8d 03 dc ec
b9 cf 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07
]]></artwork>
        <t>The Initiator constructs PLAINTEXT_3:</t>
        <artwork><![CDATA[
PLAINTEXT_3 =
(
  ID_CRED_I / bstr / -24..23,
  Signature_or_MAC_3,
  ? EAD_3
)
]]></artwork>
        <artwork><![CDATA[
PLAINTEXT_3 (CBOR Sequence) (80 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 40 fc 10 7e c0 0f 74 ba
31 47 40 04 da 60 c5 b0 96 e1 eb 18 37 c0 f2 1e 00 cd 5f ce ad fa
c1 b5 af 81 6f bd bb e9 75 a8
05 68 3d 12 69 5b 1f a4 dc 94 43 f7 09 24 f5 71 f6 4c 6e 9e e9 32 0a 19 19 85 57 41 e2
7a 16 02 97 8a 13 4f 99 55 95 7f d0 26 55 be b4 77 5e 1a
73 18 6a 0d 1d 3e 57 4f 06 a6 83 f0 8f 8d 03 dc ec b9 cf 15 4e 1c 6f 55 5a 1e
12 ca 11 8c e4 2b db a6 87 89 07
]]></artwork>
        <t>The Initiator constructs the associated data for message_3:</t>
        <artwork><![CDATA[
A_3 =
[
  "Encrypt0",
  h'',
 h'e091121af5ac6ce2145d4825e09012f29798e8f713ac9891
   432d2256b6f678e9'
  h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
    6777996592e928bc'
]
]]></artwork>
        <artwork><![CDATA[
A_3 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c e2 14 5d
48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 41
8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca 57 f6 78 69 b1 67 77 99 65 92 e9 28 bc
]]></artwork>
        <t>The Initiator constructs the input needed to derive the key K_3, see K_3 (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
    = HKDF-Expand( PRK_3e2m, info, key_length ), )
]]></artwork>
        <t>where key_length is the key length in bytes for the EDHOC AEAD Authenticated Encryption with Associated Data (AEAD) algorithm, and info for K_3 is:</t>
        <artwork><![CDATA[
info =
(
  3,
 h'e091121af5ac6ce2145d4825e09012f29798e8f713ac9891
   432d2256b6f678e9',
  h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
    6777996592e928bc',
  16
)
]]></artwork>
        <t>where the last value is the key length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for K_3 (CBOR Sequence) (36 bytes)
03 58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7
13 ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca
57 f6 78 69 b1 67 77 99 65 92 e9 28 bc 10
]]></artwork>
        <artwork><![CDATA[
K_3 (Raw Value) (16 bytes)
95 65 a2 09 f6 7f d0 e1 62 9e 6f e7 c0 cc 3e 4a
da 19 5e 5f 64 8a c6 3b 0e 8f b0 c4 55 20 51 39
]]></artwork>
        <t>The Initiator constructs the input needed to derive the nonce IV_3, see IV_3 (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
     = HKDF-Expand( PRK_3e2m, info, iv_length ), )
]]></artwork>
        <t>where iv_length is the nonce length in bytes for the EDHOC AEAD algorithm, and info for IV_3 is:</t>
        <artwork><![CDATA[
info =
(
  4,
 h'e091121af5ac6ce2145d4825e09012f29798e8f713ac9891
   432d2256b6f678e9',
  h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
    6777996592e928bc',
  13
)
]]></artwork>
        <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7
13 ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca
57 f6 78 69 b1 67 77 99 65 92 e9 28 bc 0d
]]></artwork>
        <artwork><![CDATA[
IV_3 (Raw Value) (13 bytes)
b6 a7 79 c4 b0 e7 40 fd 8d 77 4d 0a d6
38 d8 c6 4c 56 25 5a ff a4 49 f4 be d7
]]></artwork>
        <t>The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of COSE_Encrypt0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_3, additional data
A_3, key K_3 K_3, and nonce IV_3.</t>
        <artwork><![CDATA[
CIPHERTEXT_3 (Raw Value) (88 bytes)
25 c3 45 88 4a aa 96 6a 1a a4 fa 44 9a 17 eb 22 c5 27 f9 b1 d2 b6 78 72 07 e0 16 3c 69 b6 2a
0d 43 92 81 50 42 72 03 c3 16 0b 96 e6 44 f6 a3 33 29 f2 7c 6a f5
bb ef c6 11 58 d0 ad dd 99 06 9b 9a 19 7f f7 c9 0e 62 f3 b5 56 64 c5
83 74 7b 9a 40 2c cd 68 90 7f e4 58 b1 51 4e a6 e3 83 b5 66 eb 29 76 3e
fe b0 af a5 18 77 6a d5 2d 63 a0 0e 5a e1 c6 5f 85 df 95
ee 7b 1b 49 8a c9 83 42 00 8c 6d 84 bf 32 af 3a 78 36 97 04 71 c1 ae 8d 75 82 50 44 66 dc
b7 1f 76 74 5d 39 d3 02 5e 77 03 e0 c0 32 eb ad 51 94 7c
]]></artwork>
        <t>message_3 is the CBOR bstr encoding of CIPHERTEXT_3:</t>
        <artwork><![CDATA[
message_3 (CBOR Sequence) (90 bytes)
58 58 25 c3 45 88 4a aa 96 6a 1a a4 fa 44 9a 17 eb 22 c5 27 f9 b1 d2 b6 78 72 07 e0 16 3c 69
b6 2a 0d 43 92 81 50 42 72 03 c3 16 0b 96 e6 44 f6 a3 33 29 f2 7c
6a f5 bb ef c6 11 58 d0 ad dd 99 06 9b 9a 19 7f f7 c9 0e 62 f3 b5 56
64 c5 83 74 7b 9a 40 2c cd 68 90 7f e4 58 b1 51 4e a6 e3 83 b5 66 eb 29
76 3e fe b0 af a5 18 77 6a d5 2d 63 a0 0e 5a e1 c6 5f 85
df 95 ee 7b 1b 49 8a c9 83 42 00 8c 6d 84 bf 32 af 3a 78 36 97 04 71 c1 ae 8d 75 82 50 44
66 dc b7 1f 76 74 5d 39 d3 02 5e 77 03 e0 c0 32 eb ad 51 94 7c
]]></artwork>
        <t>The transcript hash TH_4 is calculated using the EDHOC hash algorithm:</t>
        <t>TH_4 = H( TH_3, PLAINTEXT_3, CRED_I )</t>
        <artwork><![CDATA[
Input to calculate TH_4 (CBOR Sequence) (357 bytes)
58 20 e0 91 12 1a 5b 7d f9 b4 f5 ac 6c e2 14 5d 48 25 8f 24 0c e0 90 12 f2 97 98 e8 f7 13
ac 98 91 43 2d 41 8e 48 19 1b 5f ff 3a 22 56 b6 b5 ca 57
f6 78 69 b1 67 77 99 65 92 e9 28 bc a1 18 22 82 2e 48 c2 4a b2 fd 76 43
c7 9f 58 40 fc 10 7e c0 0f 74 ba 31 47 40 04 da 60 c5 b0 96 e1 eb 18 37
c0 f2 1e 00 cd 5f ce ad fa c1 b5 af 81 6f bd bb e9 75 a8 05 68 3d 12 69 5b 1f a4 dc 94 43 f7 09 24 f5 71 f6 4c
6e 9e e9 32 0a 19 19 85 57 41 e2 7a 16 02 97 8a 13 4f 99
55 95 7f d0 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e 57 4f 06 a6 83 f0 8f 8d 03
dc ec b9 cf 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07 58
f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b
65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f
6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32
34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20
30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f
72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06
a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8
cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7
70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae
48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27
b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork>
        <artwork><![CDATA[
TH_4 (Raw Value) (32 bytes)
6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 64 15 ea
a4 ce dd 62 b5 b4
0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 7b b7 37 50 d5 99 be 42 d5
a4 1a 5a 37 c8 96 f2 94 ac
]]></artwork>
        <artwork><![CDATA[
TH_4 (CBOR Data Item) (34 bytes)
58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 64
15 ea a4 ce dd 62 b5 b4 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 7b b7 37 50 d5 99 be
42 d5 a4 1a 5a 37 c8 96 f2 94 ac
]]></artwork>
      </section>
      <section anchor="message4">
        <name>message_4</name>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_4 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>The Responder constructs PLAINTEXT_4:</t>
        <artwork><![CDATA[
PLAINTEXT_4 =
(
  ? EAD_4
)
]]></artwork>
        <artwork><![CDATA[
PLAINTEXT_4 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>The Responder constructs the associated data for message_4:</t>
        <artwork><![CDATA[
A_4 =
[
  "Encrypt0",
  h'',
 h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4
   cedd62b5b49d7bb7'
  h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
    1a5a37c896f294ac'
]
]]></artwork>
        <artwork><![CDATA[
A_4 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 6b 13 32 5a 49 bd 9f 97 0d 31
91 ee 31 79 62 df 1d 44 38 c6 64 15 ea a4 ce dd 62 b5 b4 0e b8 68 f2 63 cf 35 55 dc cd
39 6d d8 de c2 9d 7b b7 37 50 d5 99 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac
]]></artwork>
        <t>The Responder constructs the input needed to derive the EDHOC message_4 key, see key (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
    = HKDF-Expand( PRK_4x3m, PRK_4e3m, info, key_length )
]]></artwork>
        <t>where key_length is the key length in bytes for the EDHOC AEAD algorithm,
  and info for K_4 is:</t>
        <artwork><![CDATA[
info =
(
  8,
 h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4
   cedd62b5b49d7bb7',
  h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
    1a5a37c896f294ac',
  16
)
]]></artwork>
        <t>where the last value is the key length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for K_4 (CBOR Sequence) (36 bytes)
08 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6
64 15 ea a4 ce dd 62 b5 b4 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 7b b7 37 50 d5 99
be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 10
]]></artwork>
        <artwork><![CDATA[
K_4 (Raw Value) (16 bytes)
c9 f5 87
df 8c b5 86 1e 1f df ed d3 b2 30 15 a3 9d dd 4e 25 68 f6 94 46 c3 06 52 5f ef 1e 2e
]]></artwork>
        <t>The Responder constructs the input needed to derive the EDHOC message_4 nonce, see nonce (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
     = HKDF-Expand( PRK_4x3m, PRK_4e3m, info, iv_length )
]]></artwork>
        <t>where length is the nonce length in bytes for the EDHOC AEAD algorithm,
  and info for IV_4 is:</t>
        <artwork><![CDATA[
info =
(
  9,
 h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4
   cedd62b5b49d7bb7',
  h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
    1a5a37c896f294ac',
  13
)
]]></artwork>
        <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for IV_4 (CBOR Sequence) (36 bytes)
09 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6
64 15 ea a4 ce dd 62 b5 b4 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 7b b7 37 50 d5 99
be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 0d
]]></artwork>
        <artwork><![CDATA[
IV_4 (Raw Value) (13 bytes)
a8 e0 4c e7 56 ee
12 8e c6 58 d9 70 d7 38 e8 23 b7 7b 3e e0 0f 74 fc 6c 27
]]></artwork>
        <t>The Responder calculates CIPHERTEXT_4 as 'ciphertext' of COSE_Encrypt0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_4, additional data
A_4, key K_4 K_4, and nonce IV_4.</t>
        <artwork><![CDATA[
CIPHERTEXT_4 (8 bytes)
ee 12
4f 0e 8b 5e 2a 00 8f de e3 66 e5 c8 83
]]></artwork>
        <t>message_4 is the CBOR bstr encoding of CIPHERTEXT_4:</t>
        <artwork><![CDATA[
message_4 (CBOR Sequence) (9 bytes)
48 ee 12 4f 0e 8b 5e 2a 00 8f de e3 66 e5 c8 83
]]></artwork>
      </section>
      <section anchor="out-and-exporter1">
        <name>PRK_out and PRK_exporter</name>
        <t>PRK_out is specified in <xref section="4.1.3" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <artwork><![CDATA[
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
        =
        = HKDF-Expand( PRK_4e3m, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash algorithm, and info for PRK_out is:</t>
        <artwork><![CDATA[
info =
(
  7,
 h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4
   cedd62b5b49d7bb7',
  h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
    1a5a37c896f294ac',
  32
)
]]></artwork>
        <t>where the last value is the length in bytes of the output of the EDHOC hash algorithm.</t>
        <artwork><![CDATA[
info for PRK_out (CBOR Sequence) (37 bytes)
07 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6
64 15 ea a4 ce dd 62 b5 b4 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 7b b7 37 50 d5 99
be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 18 20
]]></artwork>
        <artwork><![CDATA[
PRK_out (Raw Value) (32 bytes)
45 06 92 9a d5 95 d5 d4 e5 9b 5f 21 ea b6
b7 44 cb 7d ea b6 4a 3b d2 c7 d9 d6 8a 87 7d 60 61 81 9c 2d 02 cc 04 47 c3 35 0e 16 5b 25 0d ab 12 ec 45 33 25 ab
b9 22 b3 03 07 e5 c3 68 f0
]]></artwork>
        <t>The OSCORE Object Security for Constrained RESTful Environments (OSCORE) Master Secret and OSCORE Master Salt are derived with the EDHOC_Exporter as specified in <xref section="4.2.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <artwork><![CDATA[
EDHOC_Exporter( label, exporter_label, context, length )
= EDHOC_KDF( PRK_exporter, label, exporter_label, context, length )
]]></artwork>
        <t>where PRK_exporter is derived from PRK_out:</t>
        <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
             =
              = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash algorithm, and info for the PRK_exporter is:</t>
        <artwork><![CDATA[
info =
(
  10,
  h'',
  32
)
]]></artwork>
        <t>where the last value is the length in bytes of the output of the EDHOC hash algorithm.</t>
        <artwork><![CDATA[
info for PRK_exporter (CBOR Sequence) (4 bytes)
0a 40 18 20
]]></artwork>
        <artwork><![CDATA[
PRK_exporter (Raw Value) (32 bytes)
ad 33 a8 f2 e0 6f ff 3e 5d 7e e1 10 9e db f2 b6 d2 56 4c
2a ae c8 fc 4a b3 f4 08 68
e6 46 11 e4 20 92 4c e4 09 bc 32 95 de f6 b5 51 05 1a 2f a5 61 42 4d b3 01 fa
84 f6 42 f5 57 8a 6d f5 1a
]]></artwork>
      </section>
      <section anchor="oscore-param">
        <name>OSCORE Parameters</name>
        <t>The derivation of OSCORE parameters is specified in <xref section="A.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>The AEAD and Hash hash algorithms to use in OSCORE are given by the selected cipher suite:</t>
        <artwork><![CDATA[
Application AEAD Algorithm (int)
10
]]></artwork>
        <artwork><![CDATA[
Application Hash Algorithm (int)
-16
]]></artwork>
        <t>The mapping from EDHOC connection identifiers to OSCORE Sender/Recipient IDs is defined in <xref section="3.3.3" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>C_R is mapped to the Recipient ID of the server, i.e., the Sender ID of the client. The byte string 0x18, which as C_R is encoded as the CBOR byte string 0x4118, is converted to the server Recipient ID 0x18.</t>
        <artwork><![CDATA[
Client's OSCORE Sender ID (Raw Value) (1 byte)
18
]]></artwork>
        <t>C_I is mapped to the Recipient ID of the client, i.e., the Sender ID of the server. The byte string 0x2d, which as C_I is encoded as the CBOR integer 0x2d 0x2d, is converted to the client Recipient ID 0x2d.</t>
        <artwork><![CDATA[
Server's OSCORE Sender ID (Raw Value) (1 byte)
2d
]]></artwork>
        <t>The OSCORE Master Secret is computed through EDHOC_Expand() using the
Application
application hash algorithm, see algorithm (see <xref section="A.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t> target="RFC9528"/>):</t>
        <artwork><![CDATA[
OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
= EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length )
= HKDF-Expand( PRK_exporter, info, oscore_key_length )
]]></artwork>
        <t>where oscore_key_length is by default the key length in bytes for the Application application AEAD
algorithm,
algorithm by default, and info for the OSCORE Master Secret is:</t>
        <artwork><![CDATA[
info =
(
  0,
  h'',
  16
)
]]></artwork>
        <t>where the last value is the key length in bytes for the Application application AEAD algorithm.</t>
        <artwork><![CDATA[
info for OSCORE Master Secret (CBOR Sequence) (3 bytes)
00 40 10
]]></artwork>
        <artwork><![CDATA[
OSCORE Master Secret (Raw Value) (16 bytes)
fc 9c fb 05 63
1e 1c 6b ea c3 a8 a1 ca 3e 28 f8 80 48 3b 9c 06 bd 03 c4 35 de 7e 2f 9a e7 ff
]]></artwork>
        <t>The OSCORE Master Salt is computed through EDHOC_Expand() using the Application application hash algorithm, see algorithm (see <xref section="4.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t> target="RFC9528"/>):</t>
        <artwork><![CDATA[
OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
= EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length )
= HKDF-Expand( PRK_4x3m, PRK_exporter, info, oscore_salt_length )
]]></artwork>
        <t>where oscore_salt_length is the length in bytes of the OSCORE Master Salt, and info for the OSCORE Master Salt is:</t>
        <artwork><![CDATA[
info =
(
  1,
  h'',
  8
)
]]></artwork>
        <t>where the last value is the length in bytes of the OSCORE Master Salt.</t>
        <artwork><![CDATA[
info for OSCORE Master Salt (CBOR Sequence) (3 bytes)
01 40 08
]]></artwork>
        <artwork><![CDATA[
OSCORE Master Salt (Raw Value) (8 bytes)
0e
ce 7a b8 44 c0 9d 45 3b 08 98 34 10 6d 73
]]></artwork>
      </section>
      <section anchor="key-update">
        <name>Key Update</name>
        <t>Key update is defined in <xref section="H" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <artwork><![CDATA[
EDHOC_KeyUpdate( context ):
PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length )
        = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash function, and the context for KeyUpdate is</t> is:</t>
        <artwork><![CDATA[
context for KeyUpdate (Raw Value) (16 bytes)
d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c
]]></artwork>
	<artwork><![CDATA[
context for KeyUpdate (CBOR Data Item) (17 bytes)
50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c
]]></artwork>
        <t>and where
        <t>where info for key update KeyUpdate is:</t>
        <artwork><![CDATA[
info =
(
  11,
  h'd6be169602b8bceaa01158fdb820890c',
  32
)
	]]></artwork>
	<artwork><![CDATA[
info for KeyUpdate (CBOR Sequence) (20 bytes)
0b 50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c 18 20
]]></artwork>
        <artwork><![CDATA[
PRK_out after KeyUpdate (Raw Value) (32 bytes)
0c 1d e2 f0 6d 9a d7 5a 21 32
da 6e ac d9 a9 85 f4 fb a9 ae c2 a9 29 90 5f 95 c6 96 40 42 76 af 81 f1 14 4a
a7 61 af bf 78 d6 8c a1 b4 22 97 6b 25 b1 4e 89 fa 15
97 94 f2 8d 82 fa f2 da ad
]]></artwork>
        <t>After the key update, the PRK_exporter needs to be derived anew:</t>
        <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
             =
              = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork>
        <t>where info and hash_length are unchanged as in <xref target="out-and-exporter1"/>.</t>
        <artwork><![CDATA[
PRK_exporter after KeyUpdate (Raw Value) (32 bytes)
f0 4e 4c 40 1d e8 db 34 f7 b5 06 b2 33 10
00 14 d2 52 5e e0 d8 e2 13 ea 59 08 02 8e 9a 24 c4 9c 4b 1c e9 a0 1c 30 54 6f 09 65 d0 7c
6e 47 7b 23 a3 7b 53 c2 35
30 c0 44 d3 8d b5 36 2c 05
]]></artwork>
        <t>The OSCORE Master Secret is derived with the updated PRK_exporter:</t>
        <artwork><![CDATA[
OSCORE Master Secret
=
= HKDF-Expand(PRK_exporter, HKDF-Expand( PRK_exporter, info, oscore_key_length) oscore_key_length )
]]></artwork>
        <t>where info and key_length oscore_key_length are unchanged as in <xref target="oscore-param"/>.</t>
        <artwork><![CDATA[
OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes)
50 48 6d 75 82 3a 59 2d 1e fd 28 6a 70 7f e8 7d
ee 0f f5 42 c4 7e b0 e0 9c 69 30 76 49 bd bb e5
]]></artwork>
        <t>The OSCORE Master Salt is derived with the updated PRK_exporter:</t>
        <artwork><![CDATA[
OSCORE Master Salt
= HKDF-Expand(PRK_exporter, HKDF-Expand( PRK_exporter, info, salt_length) oscore_salt_length )
]]></artwork>
        <t>where info and salt_length oscore_salt_length are unchanged as in <xref target="oscore-param"/>.</t>
        <artwork><![CDATA[
OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes)
61 95 cb b1
80 ce 03 1c ae de 2a 1e 5a ab 48
]]></artwork>
      </section>
      <section anchor="certs">
        <name>Certificates</name>
        <section anchor="resp-cer">
          <name>Responder Certificate</name>
          <artwork><![CDATA[
        Version: 3 (0x2)
        Serial Number: 1647419076 (0x62319ec4)
        Signature Algorithm: ED25519
        Issuer: CN = EDHOC Root Ed25519
        Validity
            Not Before: Mar 16 08:24:36 2022 GMT
            Not After : Dec 31 23:00:00 2029 GMT
        Subject: CN = EDHOC Responder Ed25519
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41
                    8a ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f
                    93 59
        Signature Algorithm: ED25519
        Signature Value:
            b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4
            6e 7d 69 87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b
            e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d ce
            51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
        </section>
        <section anchor="init-cer">
          <name>Initiator Certificate</name>
          <artwork><![CDATA[
        Version: 3 (0x2)
        Serial Number: 1647419040 (0x62319ea0)
        Signature Algorithm: ED25519
        Issuer: CN = EDHOC Root Ed25519
        Validity
            Not Before: Mar 16 08:24:00 2022 GMT
            Not After : Dec 31 23:00:00 2029 GMT
        Subject: CN = EDHOC Initiator Ed25519
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f
                    48 dd 44 a3 02 f4 3e 0f 23 d8 cc 20 b7 30 85
                    14 1e
        Signature Algorithm: ED25519
        Signature Value:
            52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0
            db 35 3a 3b df 29 10 b3 92 75 ae 48 b7 56 01 59 81 85
            0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9 e7
            a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork>
        </section>
        <section anchor="root-cer">
          <name>Common Root Certificate</name>
          <artwork><![CDATA[
        Version: 3 (0x2)
        Serial Number: 1647418996 (0x62319e74)
        Signature Algorithm: ED25519
        Issuer: CN = EDHOC Root Ed25519
        Validity
            Not Before: Mar 16 08:23:16 2022 GMT
            Not After : Dec 31 23:00:00 2029 GMT
        Subject: CN = EDHOC Root Ed25519
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    2b 7b 3e 80 57 c8 64 29 44 d0 6a fe 7a 71 d1
                    c9 bf 96 1b 62 92 ba c4 b0 4f 91 66 9b bb 71
                    3b e4
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
        Signature Algorithm: ED25519
        Signature Value:
            4b b5 2b bf 15 39 b7 1a 4a af 42 97 78 f2 9e da 7e 81
            46 80 69 8f 16 c4 8f 2a 6f a4 db e8 25 41 c5 82 07 ba
            1b c9 cd b0 c2 fa 94 7f fb f0 f0 ec 0e e9 1a 7f f3 7a
            94 d9 25 1f a5 cd f1 e6 7a 0f
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="sec-trace-2">
      <name>Authentication with Static DH, CCS Identified by 'kid'</name>
      <t>In this example example, the Initiator and the Responder are authenticated with ephemeral-static Diffie-Hellman (METHOD = 3). The Initiator supports cipher suites 6 and 2 (in order of preference) preference), and the Responder only supports cipher suite 2. After an initial negotiation message exchange, cipher suite 2 is used, which determines the algorithms:</t>
      <ul spacing="normal">
        <li>EDHOC AEAD algorithm = AES-CCM-16-64-128</li>
        <li>EDHOC hash algorithm = SHA-256</li>
        <li>EDHOC MAC length in bytes (Static DH) = 8</li>
        <li>EDHOC key exchange algorithm (ECDH curve) = P-256</li>
        <li>EDHOC signature algorithm = ES256</li>
        <li>Application
        <li>application AEAD algorithm = AES-CCM-16-64-128</li>
        <li>Application
        <li>application hash algorithm = SHA-256</li>
      </ul>
      <t>The public keys are represented as raw public keys (RPK), (RPKs), encoded in a CWT Claims Set (CCS) and identified by the COSE header parameter 'kid'.</t>
      <section anchor="m1_1">
        <name>message_1 (first time)</name> (First Time)</name>
        <t>Both endpoints are authenticated with static DH, i.e., METHOD = 3:</t>
        <artwork><![CDATA[
METHOD (CBOR Data Item) (1 byte)
03
]]></artwork>
        <t>The Initiator selects its preferred cipher suite 6. A single cipher suite is encoded as an int:</t>
        <artwork><![CDATA[
SUITES_I (CBOR Data Item) (1 byte)
06
]]></artwork>
        <t>The Initiator creates an ephemeral key pair for use with the EDHOC key exchange algorithm:</t>
        <artwork><![CDATA[
Initiator's ephemeral private key
X (Raw Value) (32 bytes)
5c 41 72 ac a8 b8 2b 5a 62 e6 6f 72 22 16 f5 a1 0f 72 aa 69 f4 2c 1d
1c d3 cc d7 bf d2 9c a4 e9
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key, 'x'-coordinate
G_X (Raw Value) (32 bytes)
74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 f3 26
20 b7 49 be e8 d2 78 ef a9
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key, 'x'-coordinate
G_X (CBOR Data Item) (34 bytes)
58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65
f3 26 20 b7 49 be e8 d2 78 ef a9
]]></artwork>
        <t>The Initiator selects its connection identifier C_I to be the byte string 0x0e, which is encoded as 0x0e since it is represented by the 1-byte CBOR int 14 is encoded as 0x0e:</t> 14:</t>
        <artwork><![CDATA[
Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte)
0e
]]></artwork>
        <artwork><![CDATA[
Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte)
0e
]]></artwork>
        <t>No external authorization data:</t>
        <t>EAD_1
	<artwork><![CDATA[
EAD_1 (CBOR Sequence) (0 bytes)</t> bytes)
	]]></artwork>
        <t>The Initiator constructs message_1:</t>
        <artwork><![CDATA[
message_1 =
(
  3,
  6,
  h'741a13d7ba048fbb615e94386aa3b61bea5b3d8f65f32620
    b749bee8d278efa9',
  14
)
]]></artwork>
        <artwork><![CDATA[
message_1 (CBOR Sequence) (37 bytes)
03 06 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d
8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork>
      </section>
      <section anchor="error">
        <name>error</name>
        <t>The Responder does not support cipher suite 6 and sends an error with ERR_CODE 2 containing SUITES_R as ERR_INFO. The Responder proposes cipher suite 2, a single cipher suite thus encoded as an int.</t>
        <artwork><![CDATA[
SUITES_R
02
]]></artwork>
        <artwork><![CDATA[
error (CBOR Sequence) (2 bytes)
02 02
]]></artwork>
      </section>
      <section anchor="message1-second-time">
        <name>message_1 (second time)</name> (Second Time)</name>
        <t>Same steps are performed as for message_1 the first time, <xref target="m1_1"/>, time (<xref target="m1_1"/>) but with updated SUITES_I.</t> SUITES_I updated.</t>
        <t>Both endpoints are authenticated with static DH, i.e., METHOD = 3:</t>
        <artwork align="left"><![CDATA[
METHOD (CBOR Data Item) (1 byte)
03
]]></artwork>
        <t>The Initiator selects cipher suite 2 and indicates the more preferred cipher suite(s), in this case 6, all encoded as the array [6, 2]:</t>
        <artwork><![CDATA[
SUITES_I (CBOR Data Item) (3 bytes)
82 06 02
]]></artwork>
        <t>The Initiator creates an ephemeral key pair for use with the EDHOC key exchange algorithm:</t>
        <artwork><![CDATA[
Initiator's ephemeral private key
X (Raw Value) (32 bytes)
36 8e c1 f6 9a eb 65 9b a3 7d 5a 8d 45 b2 1b dc 02 99 dc ea a8 ef 23
5f 3c a4 2c e3 53 0f 95 25
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key, 'x'-coordinate
G_X (Raw Value) (32 bytes)
8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34 73 0b
96 c1 b7 c8 db ca 2f c3 b6
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key, one 'y'-coordinate
(Raw Value) (32 bytes)
51 e8 af 6c 6e db 78 16 01 ad 1d 9c 5f a8 bf 7a a1 57 16 c7 c0 6a 5d
03 85 03 c6 14 ff 80 c9 b3
]]></artwork>
        <artwork><![CDATA[
Initiator's ephemeral public key, 'x'-coordinate
G_X (CBOR Data Item) (34 bytes)
58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34
73 0b 96 c1 b7 c8 db ca 2f c3 b6
]]></artwork>
        <t>The Initiator selects its connection identifier C_I to be the byte string 0x37, which is encoded as 0x37 since it is represented by the 1-byte CBOR int -24 is encoded as 0x37:</t> -24:</t>
        <artwork><![CDATA[
Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte)
37
]]></artwork>
        <artwork><![CDATA[
Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte)
37
]]></artwork>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_1 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>The Initiator constructs message_1:</t>
        <artwork><![CDATA[
message_1 =
(
  3,
  [6, 2],
  h'8af6f430ebe18d34184017a9a11bf511c8dff8f834730b96
    c1b7c8dbca2fc3b6',
  -24
)
]]></artwork>
        <artwork><![CDATA[
message_1 (CBOR Sequence) (39 bytes)
03 82 06 02 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8
df f8 f8 34 73 0b 96 c1 b7 c8 db ca 2f c3 b6 37
]]></artwork>
      </section>
      <section anchor="message2-1">
        <name>message_2</name>
        <t>The Responder supports the selected cipher suite 2 and not the by the Initiator Initiator's more preferred cipher suite(s) 6, so SUITES_I is acceptable.</t>
        <t>The Responder creates an ephemeral key pair for use with the EDHOC key exchange algorithm:</t>
        <artwork><![CDATA[
Responder's ephemeral private key
Y (Raw Value) (32 bytes)
e2 f4 12 67 77 20 5e 85 3b 43 7d 6e ac a1 e1 f7 53 cd cc 3e 2c 69 fa
88 4b 0a 1a 64 09 77 e4 18
]]></artwork>
        <artwork><![CDATA[
Responder's ephemeral public key, 'x'-coordinate
G_Y (Raw Value) (32 bytes)
41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 42 2c
8e a0 f9 55 a1 3a 4f f5 d5
]]></artwork>
        <artwork><![CDATA[
Responder's ephemeral public key, one 'y'-coordinate
(Raw Value) (32 bytes)
5e 4f 0d d8 a3 da 0b aa 16 b9 d3 ad 56 a0 c1 86 0a 94 0a f8 59 14 91
5e 25 01 9b 40 24 17 e9 9d
]]></artwork>
        <artwork><![CDATA[
Responder's ephemeral public key, 'x'-coordinate
G_Y (CBOR Data Item) (34 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5
]]></artwork>
        <t>The Responder selects its connection identifier C_R to be the byte string 0x27, which is encoded as 0x27 since it is represented by the 1-byte CBOR int -8 is encoded as 0x27:</t> -8:</t>
        <artwork><![CDATA[
Connection identifier chosen by the Responder
C_R (raw value) (1 byte)
27
]]></artwork>
        <artwork><![CDATA[
Connection identifier chosen by the Responder
C_R (CBOR Data Item) (1 byte)
27
]]></artwork>
        <t>The transcript hash TH_2 is calculated using the EDHOC hash algorithm:</t>
        <t>TH_2 = H( G_Y, H(message_1) )</t>
        <artwork><![CDATA[
H(message_1) (Raw Value) (32 bytes)
ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75
94 b3 9f 50 cd f0 19 88 8c
]]></artwork>
        <artwork><![CDATA[
H(message_1) (CBOR Data Item) (34 bytes)
58 20 ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87
52 75 94 b3 9f 50 cd f0 19 88 8c
]]></artwork>
        <t>The input to calculate TH_2 is the CBOR sequence:</t>
        <t>G_Y, H(message_1)</t>
        <artwork><![CDATA[
Input to calculate TH_2 (CBOR Sequence) (68 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 58 20 ca 02 ca bd a5 a8 90 27 49 b4
2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 94 b3 9f 50 cd f0 19 88 8c
]]></artwork>
        <artwork><![CDATA[
TH_2 (Raw Value) (32 bytes)
35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3
9d 52 36 c1 82 b2 02 08 4b
]]></artwork>
        <artwork><![CDATA[
TH_2 (CBOR Data Item) (34 bytes)
58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02
8f f3 9d 52 36 c1 82 b2 02 08 4b
]]></artwork>
        <t>PRK_2e is specified in <xref section="4.1.1.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>First, the ECDH shared secret G_XY is computed from G_X and Y, Y or G_Y and X:</t>
        <artwork><![CDATA[
G_XY (Raw Value) (ECDH shared secret) (32 bytes)
2f 0c b7 e8 60 ba 53 8f bf 5c 8b de d0 09 f6 25 9b 4b 62 8f e1 eb 7d
be 93 78 e5 ec f7 a8 24 ba
]]></artwork>
        <t>Then, PRK_2e is calculated using EDHOC_Extract() EDHOC_Extract(), which is determined by the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
PRK_2e = EDHOC_Extract( salt, G_XY )
       =
       = HMAC-SHA-256( salt, G_XY )
]]></artwork>
        <t>where salt is TH_2:</t>
        <artwork><![CDATA[
salt (Raw Value) (32 bytes)
35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3
9d 52 36 c1 82 b2 02 08 4b
]]></artwork>
        <artwork><![CDATA[
PRK_2e (Raw Value) (32 bytes)
5a a0 d6 9f 3e 3d 1e 0c 47 9f 0b 8a 48 66 90 c9 80 26 30 c3 46 6b 1d
c9 23 71 c9 82 56 31 70 b5
]]></artwork>
        <t>Since METHOD = 3, the Responder authenticates using static DH. The EDHOC key exchange algorithm is based on the same curve as for the ephemeral keys, which is P-256, since the selected cipher suite is 2.</t>
        <t>The Responder's static Diffie-Hellman P-256 key pair:</t> pair consists of a private key and a public key.</t>
        <artwork><![CDATA[
Responder's private authentication key
SK_R (Raw Value) (32 bytes)
72 cc 47 61 db d4 c7 8f 75 89 31 aa 58 9d 34 8d 1e f8 74 a7 e3 03 ed
e2 f1 40 dc f3 e6 aa 4a ac
]]></artwork>
        <artwork><![CDATA[
Responder's public authentication key, 'x'-coordinate
(Raw Value) (32 bytes)
bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb
cb ac 93 62 20 46 dd 44 f0
]]></artwork>
        <artwork><![CDATA[
Responder's public authentication key, 'y'-coordinate
(Raw Value) (32 bytes)
45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0
10 8c 22 4c 51 ea bf 60 72
]]></artwork>
        <t>Since the Responder authenticates with static DH (METHOD = 3), PRK_3e2m is derived
from SALT_3e2m and G_RX.</t>
        <t>The input needed to calculate SALT_3e2m is defined in <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>, using EDHOC_Expand() with the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length )
          =
           = HKDF-Expand( PRK_2e, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash algorithm, and info for SALT_3e2m is:</t>
        <artwork><![CDATA[
info =
(
  1,
  h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d
    5236c182b202084b',
  32
)
]]></artwork>
        <artwork><![CDATA[
info for SALT_3e2m (CBOR Sequence) (37 bytes)
01 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57
02 8f f3 9d 52 36 c1 82 b2 02 08 4b 18 20
]]></artwork>
        <artwork><![CDATA[
SALT_3e2m (Raw Value) (32 bytes)
af 4e 10 3a 47 cb 3c f3 25 70 d5 c2 5a d2 77 32 bd 8d 81 78 e9 a6 9d
06 1c 31 a2 7f 8e 3c a9 26
]]></artwork>
        <t>PRK_3e2m is specified in <xref section="4.1.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>PRK_3e2m is derived from G_RX using EDHOC_Extract() with the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX )
         =
         = HMAC-SHA-256( SALT_3e2m, G_RX )
]]></artwork>
        <t>where G_RX is the ECDH shared secret calculated from G_X and R, or G_R and X.</t>
        <artwork><![CDATA[
G_RX (Raw Value) (ECDH shared secret) (32 bytes)
f2 b6 ee a0 22 20 b9 5e ee 5a 0b c7 01 f0 74 e0 0a 84 3e a0 24 22 f6
08 25 fb 26 9b 3e 16 14 23
]]></artwork>
        <artwork><![CDATA[
PRK_3e2m (Raw Value) (32 bytes)
0c a3 d3 39 82 96 b3 c0 39 00 98 76 20 c1 1f 6f ce 70 78 1c 1d 12 19
72 0f 9e c0 8c 12 2d 84 34
]]></artwork>
        <t>The Responder constructs the remaining input needed to calculate MAC_2:</t>
        <t>MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )</t>
        <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t>
        <t>CRED_R is identified by a 'kid' with byte string value 0x32:</t>
        <artwork><![CDATA[
ID_CRED_R =
{
  4 : h'32'
}
]]></artwork>
        <artwork><![CDATA[
ID_CRED_R (CBOR Data Item) (4 bytes)
a1 04 41 32
]]></artwork>
        <t>CRED_R is an RPK encoded as a CCS:</t>
        <artwork><![CDATA[
{                                              /CCS/
  2 : "example.edu",                           /sub/
  8 : {                                        /cnf/
    1 : {                                      /COSE_Key/
      1 : 2,                                   /kty/
      2 : h'32',                               /kid/
     -1 : 1,                                   /crv/
     -2 : h'BBC34960526EA4D32E940CAD2A234148
            DDC21791A12AFBCBAC93622046DD44F0', h'bbc34960526ea4d32e940cad2a234148
            ddc21791a12afbcbac93622046dd44f0', /x/
     -3 : h'4519E257236B2A0CE2023F0931F1F386
            CA7AFDA64FCDE0108C224C51EABF6072' h'4519e257236b2a0ce2023f0931f1f386
            ca7afda64fcde0108c224c51eabf6072'  /y/
    }
  }
}
]]></artwork>
        <artwork><![CDATA[
CRED_R (CBOR Data Item) (95 bytes)
a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32
20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2
17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b
2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea
bf 60 72
]]></artwork>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_2 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t>
        <artwork><![CDATA[
context_2 (CBOR Sequence) (133 (134 bytes)
27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4
c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 61 6d
70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 bb c3
49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb cb ac
93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31
f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72
]]></artwork>
        <artwork><![CDATA[
context_2 (CBOR byte string) (135 (136 bytes)
58 85 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8
3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78
61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20
bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb
cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f
09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72
]]></artwork>
        <t>MAC_2 is computed through EDHOC_Expand() using the EDHOC hash algorithm, see algorithm (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t>
        <t>MAC_2 target="RFC9528"/>):</t>
        <artwork><![CDATA[
MAC_2 = HKDF-Expand(PRK_3e2m, HKDF-Expand( PRK_3e2m, info, mac_length_2), where</t>
        <t>info mac_length_2 )
	]]></artwork>
	<t>where</t>
<artwork><![CDATA[
info = ( 2, context_2, mac_length_2 )</t> )
]]></artwork>
        <t>Since METHOD = 3, mac_length_2 is given by the EDHOC MAC length.</t>
        <t>info for MAC_2 is:</t>
        <artwork><![CDATA[
info =
(
  2,
 h'a10441325820356efd53771425e008f3fe3a86c83ff4c6b1
   6e57028ff39d5236c182b202084ba2026b6578616d706c65
   2e65647508a101a501020241322001215820bbc34960526e
   a4d32e940cad2a234148ddc21791a12afbcbac93622046dd
   44f02258204519e257236b2a0ce2023f0931f1f386ca7afd
   a64fcde0108c224c51eabf6072',
  h'27a10441325820356efd53771425e008f3fe3a86c83ff4c6
    b16e57028ff39d5236c182b202084ba2026b6578616d706c
    652e65647508a101a501020241322001215820bbc3496052
    6ea4d32e940cad2a234148ddc21791a12afbcbac93622046
    dd44f02258204519e257236b2a0ce2023f0931f1f386ca7a
    fda64fcde0108c224c51eabf6072',
  8
)
]]></artwork>
        <t>where the last value is the EDHOC MAC length in bytes.</t>
        <artwork><![CDATA[
info for MAC_2 (CBOR Sequence) (137 (138 bytes)
02 58 85 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86
c8 3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65
78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58
20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a
fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02
3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 08
]]></artwork>
        <artwork><![CDATA[
MAC_2 (Raw Value) (8 bytes)
fa 5e fa 2e bf 92 0b f3
09 43 30 5c 89 9f 5c 54
]]></artwork>
        <artwork><![CDATA[
MAC_2 (CBOR Data Item) (9 bytes)
48 fa 5e fa 2e bf 92 0b f3 09 43 30 5c 89 9f 5c 54
]]></artwork>
        <t>Since METHOD = 3, Signature_or_MAC_2 is MAC_2:</t>
        <artwork><![CDATA[
Signature_or_MAC_2 (Raw Value) (8 bytes)
fa 5e fa 2e bf 92 0b f3
09 43 30 5c 89 9f 5c 54
]]></artwork>
        <artwork><![CDATA[
Signature_or_MAC_2 (CBOR Data Item) (9 bytes)
48 fa 5e fa 2e bf 92 0b f3 09 43 30 5c 89 9f 5c 54
]]></artwork>
        <t>The Responder constructs PLAINTEXT_2:</t>
        <artwork><![CDATA[
PLAINTEXT_2 =
(
  C_R,
  ID_CRED_R / bstr / -24..23,
  Signature_or_MAC_2,
  ? EAD_2
)
]]></artwork>
        <t>Since ID_CRED_R contains a single 'kid' parameter, only the byte string value is included in the plaintext, represented as described in <xref section="3.3.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>. target="RFC9528"/>. The CBOR map { 4 : h'32' } is thus replaced, not by the CBOR byte string 0x4132, but by the CBOR int 0x32, since that is a one byte one-byte encoding of a CBOR integer (-19).</t>
        <artwork><![CDATA[
PLAINTEXT_2 (CBOR Sequence) (11 bytes)
27 32 48 fa 5e fa 2e bf 92 0b f3 09 43 30 5c 89 9f 5c 54
]]></artwork>
        <t>The input needed to calculate KEYSTREAM_2 is defined in <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>, using EDHOC_Expand() with the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
            =
            = HKDF-Expand( PRK_2e, info, plaintext_length )
]]></artwork>
        <t>where plaintext_length is the length in bytes of PLAINTEXT_2, and info for KEYSTREAM_2 is:</t>
        <artwork><![CDATA[
info =
(
  0,
  h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d
    5236c182b202084b',
  11
)
]]></artwork>
        <t>where the last value is the length in bytes of PLAINTEXT_2.</t>
        <artwork><![CDATA[
info for KEYSTREAM_2 (CBOR Sequence) (36 bytes)
00 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57
02 8f f3 9d 52 36 c1 82 b2 02 08 4b 0b
]]></artwork>
        <artwork><![CDATA[
KEYSTREAM_2 (Raw Value) (11 bytes)
bf 50 e9 e7 ba d0 bb 68 17 33 99
]]></artwork>
        <t>The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and KEYSTREAM_2:</t>
        <artwork><![CDATA[
CIPHERTEXT_2 (Raw Value) (11 bytes)
98 62 a1 1d e4 2a 95 d7 85 38 6a ee f9 e0 e7 e1 88 6f cd
]]></artwork>
        <t>The Responder constructs message_2:</t>
        <artwork><![CDATA[
message_2 =
(
 G_Y_CIPHERTEXT_2,
  G_Y_CIPHERTEXT_2
)
]]></artwork>
        <t>where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of
the raw values of G_Y and CIPHERTEXT_2.</t>
        <artwork><![CDATA[
message_2 (CBOR Sequence) (45 bytes)
58 2b 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 98 62 a1 1d e4 2a 95 d7 85 38 6a ee f9 e0 e7 e1 88 6f cd
]]></artwork>
      </section>
      <section anchor="message3-1">
        <name>message_3</name>
        <t>The transcript hash TH_3 is calculated using the EDHOC hash algorithm:</t>
        <t>TH_3 = H( TH_2, PLAINTEXT_2, CRED_R )</t>
        <artwork><![CDATA[
Input to calculate TH_3 (CBOR Sequence) (140 bytes)
58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02
8f f3 9d 52 36 c1 82 b2 02 08 4b 27 32 48 fa 5e fa 2e bf 92 0b f3 09 43 30 5c 89 9f 5c 54 a2
02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20
01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17
91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a
0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf
60 72
]]></artwork>
        <artwork><![CDATA[
TH_3 (Raw Value) (32 bytes)
df e5 b0 65 e6 4c 72 d2 26 d5
ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de d0 96 5e
9b df 89 d2 4a 54 f2 e5 9a 0b 25 07 03 9d f0
bc 1b bf 0c 16 1b b3 15 5c
]]></artwork>
        <artwork><![CDATA[
TH_3 (CBOR Data Item) (34 bytes)
58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de d0
96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07 03
9d f0 bc 1b bf 0c 16 1b b3 15 5c
]]></artwork>
        <t>Since METHOD = 3, the Initiator authenticates using static DH. The EDHOC key exchange algorithm is based on the same curve as for the ephemeral keys, which is P-256, since the selected cipher suite is 2.</t>
        <t>The Initiator's static Diffie-Hellman P-256 key pair:</t> pair consists of a private key and a public key:</t>
        <artwork><![CDATA[
Initiator's private authentication key
SK_I (Raw Value) (32 bytes)
fb 13 ad eb 65 18 ce e5 f8 84 17 66 08 41 14 2e 83 0a 81 fe 33 43 80
a9 53 40 6a 13 05 e8 70 6b
]]></artwork>
        <artwork><![CDATA[
Initiator's public authentication key, 'x'-coordinate
(Raw Value) (32 bytes)
ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66
0a 41 29 8c b4 30 7f 7e b6
]]></artwork>
        <artwork><![CDATA[
Initiator's public authentication key, 'y'-coordinate
(Raw Value) (32 bytes)
6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db
3c 2a 93 df 21 ff 3a ff c8
]]></artwork>
        <t>Since I authenticates with static DH (METHOD = 3), PRK_4e3m is derived
from SALT_4e3m and G_IY.</t>
        <t>The input needed to calculate SALT_4e3m is defined in <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>, using EDHOC_Expand() with the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length )
          =
           = HKDF-Expand( PRK_3e2m, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash algorithm, and info for SALT_4e3m is:</t>
        <artwork><![CDATA[
info =
(
  5,
 h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b
   df89d24a54f2e59a',
  h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
    1bbf0c161bb3155c',
  32
)
]]></artwork>
        <artwork><![CDATA[
info for SALT_4e3m (CBOR Sequence) (37 bytes)
05 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de
d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07
03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 18 20
]]></artwork>
        <artwork><![CDATA[
SALT_4e3m (Raw Value) (32 bytes)
84 f8 a2 a9 53 4d
cf dd 78 dc c7 f9 51 5a 7e 46 e7 6e b4 db ff 31 cb d5 6c d0 4b a3 32 25 0d 4d f6 0b fa d7 cd 3a d6 e9 ea
5d e1 d5
31 c7 f3 73 ca f9 f6 d1 39 14 a7 ed a5 2d 1c
]]></artwork>
        <t>PRK_4e3m is specified in <xref section="4.1.1.3" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>Since I authenticates with static DH (METHOD = 3), PRK_4e3m is derived
from G_IY using EDHOC_Extract() with the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
PRK_4e3m = EDHOC_Extract(SALT_4e3m, G_IY)
         =
         = HMAC-SHA-256(SALT_4e3m, G_IY)
]]></artwork>
        <t>where G_IY is the ECDH shared secret calculated from G_I and Y, or G_Y and I.</t>
        <artwork><![CDATA[
G_IY (Raw Value) (ECDH shared secret) (32 bytes)
08 0f 42 50 85 bc 62 49 08 9e ac 8f 10 8e a6 23 26 85 7e 12 ab 07 d7
20 28 ca 1b 5f 36 e0 04 b3
]]></artwork>
        <artwork><![CDATA[
PRK_4e3m (Raw Value) (32 bytes)
e9 cb 83 2a 24 00 95 d3 d0 64 3d be 12 e9 e2 e7 b1 8f 03 60 a3 17 2c
ea 7a c0
81 cc 8a 29 8e 35 70 44 e3 c4 66 bb 5c 0a 1e 50 7e 01 3e e2 d4 92 38 ae ba
13 8d f9 46 35 40 e0 72 7c 0f f7
]]></artwork>
        <t>The Initiator constructs the remaining input needed to calculate MAC_3:</t>
        <t>MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )</t>
        <t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t>
        <t>CRED_I is identified by a 'kid' with byte string value 0x2b:</t>
        <artwork><![CDATA[
ID_CRED_I =
{
  4 : h'2b'
}
]]></artwork>
        <artwork><![CDATA[
ID_CRED_I (CBOR Data Item) (4 bytes)
a1 04 41 2b
]]></artwork>
        <t>CRED_I is an RPK encoded as a CCS:</t>
        <artwork><![CDATA[
{                                              /CCS/
  2 : "42-50-31-FF-EF-37-32-39",               /sub/
  8 : {                                        /cnf/
    1 : {                                      /COSE_Key/
      1 : 2,                                   /kty/
      2 : h'2b',                               /kid/
     -1 : 1,                                   /crv/
     -2 : h'AC75E9ECE3E50BFC8ED6039988952240
            5C47BF16DF96660A41298CB4307F7EB6' h'ac75e9ece3e50bfc8ed6039988952240
            5c47bf16df96660a41298cb4307f7eb6'  /x/
     -3 : h'6E5DE611388A4B8A8211334AC7D37ECB
            52A387D257E6DB3C2A93DF21FF3AFFC8' h'6e5de611388a4b8a8211334ac7d37ecb
            52a387d257e6db3c2a93df21ff3affc8'  /y/
    }
  }
}
]]></artwork>
        <artwork><![CDATA[
CRED_I (CBOR Data Item) (107 bytes)
a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32
2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5
0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30
7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52
a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8
]]></artwork>
        <t>No external authorization data:</t>
        <artwork><![CDATA[
EAD_3 (CBOR Sequence) (0 bytes)
]]></artwork>
        <t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t>
        <artwork><![CDATA[
context_3 (CBOR Sequence) (145 bytes)
a1 04 41 2b 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc
48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a
0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 2d 35 30
2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01 a5 01
02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95
22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20 6e 5d
e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 3c 2a
93 df 21 ff 3a ff c8
]]></artwork>
        <artwork><![CDATA[
context_3 (CBOR byte string) (147 bytes)
58 91 a1 04 41 2b 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7
22 00 c1 2d 49 be
e6 dc 48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 2d
35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01
a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99
88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20
6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db
3c 2a 93 df 21 ff 3a ff c8
]]></artwork>
        <t>MAC_3 is computed through EDHOC_Expand() using the EDHOC hash algorithm, see algorithm (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t> target="RFC9528"/>):</t>
        <artwork><![CDATA[
MAC_3 = HKDF-Expand(PRK_4e3m, HKDF-Expand( PRK_4e3m, info, mac_length_3), where mac_length_3 )
]]></artwork>
        <t>info
	<t>where</t>
<artwork><![CDATA[
info = ( 6, context_3, mac_length_3 )</t> )
]]></artwork>
        <t>Since METHOD = 3, mac_length_3 is given by the EDHOC MAC length.</t>
        <t>info for MAC_3 is:</t>
        <artwork><![CDATA[
info =
(
  6,
 h'a104412b5820dfe5b065e64c72d226d500c12d49bee6dc48
   81ded0965e9bdf89d24a54f2e59aa2027734322d35302d33
  h'a104412b5820adaf67a78a4bcc91e018f8882762a722000b
    2507039df0bc1bbf0c161bb3155ca2027734322d35302d33
    312d46462d45462d33372d33322d333908a101a501020241
    2b2001215820ac75e9ece3e50bfc8ed60399889522405c47
    bf16df96660a41298cb4307f7eb62258206e5de611388a4b
    8a8211334ac7d37ecb52a387d257e6db3c2a93df21ff3aff
    c8',
  8
)
]]></artwork>
        <t>where the last value is the EDHOC MAC length in bytes.</t>
        <artwork><![CDATA[
info for MAC_3 (CBOR Sequence) (149 bytes)
06 58 91 a1 04 41 2b 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62
a7 22 00 c1 2d 49
be e6 dc 48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32
2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1
01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03
99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58
20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6
db 3c 2a 93 df 21 ff 3a ff c8 08
]]></artwork>
        <artwork><![CDATA[
MAC_3 (Raw Value) (8 bytes)
a5 ee b9 ef fd ab fc 39
62 3c 91 df 41 e3 4c 2f
]]></artwork>
        <artwork><![CDATA[
MAC_3 (CBOR Data Item) (9 bytes)
48 a5 ee b9 ef fd ab fc 39 62 3c 91 df 41 e3 4c 2f
]]></artwork>
        <t>Since METHOD = 3, Signature_or_MAC_3 is MAC_3:</t>
        <artwork><![CDATA[
Signature_or_MAC_3 (Raw Value) (8 bytes)
a5 ee b9 ef fd ab fc 39
62 3c 91 df 41 e3 4c 2f
]]></artwork>
        <artwork><![CDATA[
Signature_or_MAC_3 (CBOR Data Item) (9 bytes)
48 a5 ee b9 ef fd ab fc 39 62 3c 91 df 41 e3 4c 2f
]]></artwork>
        <t>The Initiator constructs PLAINTEXT_3:</t>
        <artwork><![CDATA[
PLAINTEXT_3 =
(
  ID_CRED_I / bstr / -24..23,
  Signature_or_MAC_3,
  ? EAD_3
)
]]></artwork>
        <t>Since ID_CRED_I contains a single 'kid' parameter, only the byte string value is included in the plaintext, represented as described in <xref section="3.3.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>. target="RFC9528"/>. The CBOR map { 4 : h'2b' } is thus replaced, not by the CBOR byte string 0x412b, but by the CBOR int 0x2b, since that is a one byte one-byte encoding of a CBOR integer (-12).</t>
        <artwork><![CDATA[
PLAINTEXT_3 (CBOR Sequence) (10 bytes)
2b 48 a5 ee b9 ef fd ab fc 39 62 3c 91 df 41 e3 4c 2f
]]></artwork>
        <t>The Initiator constructs the associated data for message_3:</t>
        <artwork><![CDATA[
A_3 =
[
  "Encrypt0",
  h'',
 h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b
   df89d24a54f2e59a'
  h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
    1bbf0c161bb3155c'
]
]]></artwork>
        <artwork><![CDATA[
A_3 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18
f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c
]]></artwork>
        <t>The Initiator constructs the input needed to derive the key K_3, see K_3 (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
    = HKDF-Expand( PRK_3e2m, info, key_length ), )
]]></artwork>
        <t>where key_length is the key length in bytes for the EDHOC AEAD algorithm, and info for K_3 is:</t>
        <artwork><![CDATA[
info =
(
  3,
 h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b
   df89d24a54f2e59a',
  h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
    1bbf0c161bb3155c',
  16
)
]]></artwork>
        <t>where the last value is the key length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for K_3 (CBOR Sequence) (36 bytes)
03 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de
d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07
03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 10
]]></artwork>
        <artwork><![CDATA[
K_3 (Raw Value) (16 bytes)
ab 3b 2b 52 a0 4b 6a a3 2f 96 31 19 16 88 3a dd
8e 7a 30 04 20 00 f7 90 0e 81 74 13 1f 75 f3 ed
]]></artwork>
        <t>The Initiator constructs the input needed to derive the nonce IV_3, see IV_3 (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
     = HKDF-Expand( PRK_3e2m, info, iv_length ), )
]]></artwork>
        <t>where iv_length is the nonce length in bytes for the EDHOC AEAD algorithm, and info for IV_3 is:</t>
        <artwork><![CDATA[
info =
(
  4,
 h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b
   df89d24a54f2e59a',
  h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
    1bbf0c161bb3155c',
  13
)
]]></artwork>
        <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de
d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07
03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 0d
]]></artwork>
        <artwork><![CDATA[
IV_3 (Raw Value) (13 bytes)
05 55 cf a1 6e 40 8d e5 e1 52 3d 04 7d
6d 83 00 c1 e2 3b 56 15 3a e7 0e e4 57
]]></artwork>
        <t>The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of COSE_Encrypt0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_3, additional data
A_3, key K_3 K_3, and nonce IV_3.</t>
        <artwork><![CDATA[
CIPHERTEXT_3 (Raw Value) (18 bytes)
47 3d d1 60 77
e5 62 09 7b c4 17 dd 71 d6 5b 56 e6 bd 71 e7 a4 9d 60 12 59 19 48 5a c7 89 1f fd 90 a9 fc
]]></artwork>
        <t>message_3 is the CBOR bstr encoding of CIPHERTEXT_3:</t>
        <artwork><![CDATA[
message_3 (CBOR Sequence) (19 bytes)
52 47 3d d1 60 77 e5 62 09 7b c4 17 dd 71 d6 5b 56 e6 bd 71 e7 a4 9d 60 12 59 19 48 5a c7 89 1f fd 90 a9 fc
]]></artwork>
        <t>The transcript hash TH_4 is calculated using the EDHOC hash algorithm:</t>
        <t>TH_4 = H( TH_3, PLAINTEXT_3, CRED_I )</t>
        <artwork><![CDATA[
Input to calculate TH_4 (CBOR Sequence) (151 bytes)
58 20 df e5 b0 65 e6 4c 72 d2 26 d5 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 c1 2d 49 be e6 dc 48 81 de d0
96 5e 9b df 89 d2 4a 54 f2 e5 9a 0b 25 07 03
9d f0 bc 1b bf 0c 16 1b b3 15 5c 2b 48 a5 ee b9 ef fd ab fc 39 62 3c 91 df 41 e3 4c 2f a2 02
77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33
39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc
8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e
b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87
d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8
]]></artwork>
        <artwork><![CDATA[
TH_4 (Raw Value) (32 bytes)
ba f6 0a db c5 00 fc e7 89 af 25
c9 02 b1 08 ad a2 27 55 75 05 6c 52 c1 c2
03 6a 2d e3 a4 32 6c 93 c5 55 1f 5f 3a a6 43 89 1c b4 c5 ec c0 24 68 06 76 56 12
e5 2b 5d 99 e6 05 9d 6b 6e
]]></artwork>
        <artwork><![CDATA[
TH_4 (CBOR Data Item) (34 bytes)
58 20 ba f6 0a db c5 00 fc e7 89 af 25 c9 02 b1 08 ad a2 27 55 75 05 6c 52
c1 c2 03 6a 2d e3 a4 32 6c 93 c5 55 1f 5f 3a a6 43 89 1c b4 c5 ec c0 24 68 06 76
56 12 e5 2b 5d 99 e6 05 9d 6b 6e
]]></artwork>
      </section>
      <section anchor="message4-1">
        <name>message_4</name>
        <t>No external authorization data:</t>
        <t>EAD_4
	<artwork><![CDATA[
EAD_4 (CBOR Sequence) (0 bytes)</t> bytes)
	]]></artwork>
        <t>The Responder constructs PLAINTEXT_4:</t>
        <artwork><![CDATA[
PLAINTEXT_4 =
(
  ? EAD_4
)
]]></artwork>
        <t>PLAINTEXT_4
	<artwork><![CDATA[
PLAINTEXT_4 (CBOR Sequence) (0 bytes)</t> bytes)
	]]></artwork>
        <t>The Responder constructs the associated data for message_4:</t>
        <artwork><![CDATA[
A_4 =
[
  "Encrypt0",
  h'',
 h'baf60adbc500fce789af25b108ada2275575056c52c1c203
   6a2da4a643891cb4'
  h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
    2b5d99e6059d6b6e'
]
]]></artwork>
        <artwork><![CDATA[
A_4 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 ba f6 0a db c5 00 fc e7 89 af
25 c9 02 b1 08 ad a2 27 55 75 05 6c 52 c1 c2 03 6a 2d e3 a4 32 6c 93 c5 55
1f 5f 3a a6 43 89 1c b4 c5 ec c0 24 68 06 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e
]]></artwork>
        <t>The Responder constructs the input needed to derive the EDHOC message_4 key, see key (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
    = HKDF-Expand( PRK_4e3m, info, key_length )
]]></artwork>
        <t>where key_length is the key length in bytes for the EDHOC AEAD algorithm,
and info for K_4 is:</t>
        <artwork><![CDATA[
info =
(
  8,
 h'baf60adbc500fce789af25b108ada2275575056c52c1c203
   6a2da4a643891cb4',
  h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
    2b5d99e6059d6b6e',
  16
)
]]></artwork>
        <t>where the last value is the key length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for K_4 (CBOR Sequence) (36 bytes)
08 58 20 ba f6 0a db c5 00 fc e7 89 af 25 c9 02 b1 08 ad a2 27 55 75 05 6c
52 c1 c2 03 6a 2d e3 a4 32 6c 93 c5 55 1f 5f 3a a6 43 89 1c b4 c5 ec c0 24 68 06
76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 10
]]></artwork>
        <artwork><![CDATA[
K_4 (Raw Value) (16 bytes)
22 9d 4c 1d 6d 02 33 7b 1c e3 81 a2 bf a7 9b 2e
d3 c7 78 72 b6 ee b5 08 91 1b db d3 08 b2 e6 a0
]]></artwork>
        <t>The Responder constructs the input needed to derive the EDHOC message_4 nonce, see nonce (see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>) using the EDHOC hash algorithm:</t>
        <artwork><![CDATA[
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
     = HKDF-Expand( PRK_4e3m, info, iv_length )
]]></artwork>
        <t>where iv_length is the nonce length in bytes for the EDHOC AEAD algorithm,
and info for IV_4 is:</t>
        <artwork><![CDATA[
info =
(
  9,
 h'baf60adbc500fce789af25b108ada2275575056c52c1c203
   6a2da4a643891cb4',
  h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
    2b5d99e6059d6b6e',
  13
)
]]></artwork>
        <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
        <artwork><![CDATA[
info for IV_4 (CBOR Sequence) (36 bytes)
09 58 20 ba f6 0a db c5 00 fc e7 89 af 25 c9 02 b1 08 ad a2 27 55 75 05 6c
52 c1 c2 03 6a 2d e3 a4 32 6c 93 c5 55 1f 5f 3a a6 43 89 1c b4 c5 ec c0 24 68 06
76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 0d
]]></artwork>
        <artwork><![CDATA[
IV_4 (Raw Value) (13 bytes)
98 4d 59 ab 25 5e 3d c6 f8 e0 65 5c b6
04 ff 0f 44 45 6e 96 e2 17 85 3c 36 01
]]></artwork>
        <t>The Responder calculates CIPHERTEXT_4 as 'ciphertext' of COSE_Encrypt0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_4, additional data
A_4, key K_4 K_4, and nonce IV_4.</t>
        <artwork><![CDATA[
CIPHERTEXT_4 (8 bytes)
89 07 43 64 70 a6 e1 9f
28 c9 66 b7 ca 30 4f 83
]]></artwork>
        <t>message_4 is the CBOR bstr encoding of CIPHERTEXT_4:</t>
        <artwork><![CDATA[
message_4 (CBOR Sequence) (9 bytes)
48 89 07 43 64 70 a6 e1 9f 28 c9 66 b7 ca 30 4f 83
]]></artwork>
      </section>
      <section anchor="out-and-exporter2">
        <name>PRK_out and PRK_exporter</name>
        <t>PRK_out is specified in <xref section="4.1.3" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <artwork><![CDATA[
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
        =
        = HKDF-Expand( PRK_4e3m, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash algorithm, and info for PRK_out is:</t>
        <artwork><![CDATA[
info =
(
  7,
 h'baf60adbc500fce789af25b108ada2275575056c52c1c203
   6a2da4a643891cb4',
  h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
    2b5d99e6059d6b6e',
  32
)
]]></artwork>
        <t>where the last value is the length in bytes of the output of the EDHOC hash algorithm.</t>
        <artwork><![CDATA[
info for PRK_out (CBOR Sequence) (37 bytes)
07 58 20 ba f6 0a db c5 00 fc e7 89 af 25 c9 02 b1 08 ad a2 27 55 75 05 6c
52 c1 c2 03 6a 2d e3 a4 32 6c 93 c5 55 1f 5f 3a a6 43 89 1c b4 c5 ec c0 24 68 06
76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 18 20
]]></artwork>
        <artwork><![CDATA[
PRK_out (Raw Value) (32 bytes)
6b 2d ae 40 32 30 65
2c 71 cf bc 2e 4f af c1 a9 33 8a 94 a2 55 fb 9f 1f 3f b2 0b b3 52 9c a6 a7 34 b8 86 f3
79 fe c9 89 d4 fa 90 dc f0 0d 1a ba 0b 4d c5
1b ee ae ab df ea 9e cb f8
]]></artwork>
        <t>The OSCORE Master Secret and OSCORE Master Salt are derived with the EDHOC_Exporter as specified in 4.2.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" sectionFormat="of" section="4.2.1"/>.</t>
        <artwork><![CDATA[
EDHOC_Exporter( label, exporter_label, context, length )
= EDHOC_KDF( PRK_exporter, label, exporter_label, context, length )
]]></artwork>
        <t>where PRK_exporter is derived from PRK_out:</t>
        <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
             =
              = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash algorithm, and info for the PRK_exporter is:</t>
        <artwork><![CDATA[
info =
(
  10,
  h'',
  32
)
]]></artwork>
        <t>where the last value is the length in bytes of the output of the EDHOC hash algorithm.</t>
        <artwork><![CDATA[
info for PRK_exporter (CBOR Sequence) (4 bytes)
0a 40 18 20
]]></artwork>
        <artwork><![CDATA[
PRK_exporter (Raw Value) (32 bytes)
4f 0a 5a 82 3d
e1 4d 06 d0 00 5e 1b ec da 8a 6e 61 f3 c8 c6 7a 8b 15 da 69 9c ee 24 8c 5a 04 bf 92 27 bb cd 4c e3 94 de 7d
44 d3 58 5e c5 85 4e 91 e2 cb 56 db
43 55 54 74 17 1e 64 46 db
]]></artwork>
      </section>
      <section anchor="oscore-parameters">
        <name>OSCORE Parameters</name>
        <t>The derivation of OSCORE parameters is specified in <xref section="A.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>The AEAD and Hash hash algorithms to use in OSCORE are given by the selected cipher suite:</t>
        <artwork><![CDATA[
Application AEAD Algorithm (int)
10
]]></artwork>
        <artwork><![CDATA[
Application Hash Algorithm (int)
-16
]]></artwork>
        <t>The mapping from EDHOC connection identifiers to OSCORE Sender/Recipient IDs
is defined in <xref section="3.3.3" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <t>C_R is mapped to the Recipient ID of the server, i.e., the Sender ID of the client. The byte string 0x27, which as C_R is encoded as the CBOR integer 0x27, is converted to the server Recipient ID 0x27.</t>
        <artwork><![CDATA[
Client's OSCORE Sender ID (Raw Value) (1 byte)
27
]]></artwork>
        <t>C_I is mapped to the Recipient ID of the client, i.e., the Sender ID of the server. The byte string 0x37, which as C_I is encoded as the CBOR integer 0x0e 0x0e, is converted to the client Recipient ID 0x37.</t>
        <artwork><![CDATA[
Server's OSCORE Sender ID (Raw Value) (1 byte)
37
]]></artwork>
        <t>The OSCORE Master Secret is computed through EDHOC_Expand() using the
Application
application hash algorithm, see algorithm (see <xref section="A.1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t> target="RFC9528"/>):</t>
        <artwork><![CDATA[
OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
= EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length )
= HKDF-Expand( PRK_exporter, info, oscore_key_length )
]]></artwork>
        <t>where oscore_key_length is by default the key length in bytes for the Application application AEAD
algorithm, and info for the OSCORE Master Secret is:</t>
        <artwork><![CDATA[
info =
(
  0,
  h'',
  16
)
]]></artwork>
        <t>where the last value is the key length in bytes for the Application application AEAD algorithm.</t>
        <artwork><![CDATA[
info for OSCORE Master Secret (CBOR Sequence) (3 bytes)
00 40 10
]]></artwork>
        <artwork><![CDATA[
OSCORE Master Secret (Raw Value) (16 bytes)
8c 40 9a 33 22 23 ad 90 0e 44 f3 43 4d 2d 2c e3
f9 86 8f 6a 3a ca 78 a0 5d 14 85 b3 50 30 b1 62
]]></artwork>
        <t>The OSCORE Master Salt is computed through EDHOC_Expand() using the Application application hash algorithm, see algorithm (see <xref section="4.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:</t> target="RFC9528"/>):</t>
        <artwork><![CDATA[
OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
= EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length )
= HKDF-Expand( PRK_4x3m, info, oscore_salt_length )
]]></artwork>
        <t>where oscore_salt_length is the length in bytes of the OSCORE Master Salt, and info for the OSCORE Master Salt is:</t>
        <artwork><![CDATA[
info =
(
  1,
  h'',
  8
)
]]></artwork>
        <t>where the last value is the length in bytes of the OSCORE Master Salt.</t>
        <artwork><![CDATA[
info for OSCORE Master Salt (CBOR Sequence) (3 bytes)
01 40 08
]]></artwork>
        <artwork><![CDATA[
OSCORE Master Salt (Raw Value) (8 bytes)
61 63 f4 4b e8 62
ad fa a2 4c 7d bf c8 5e eb
]]></artwork>
      </section>
      <section anchor="key-update-1">
        <name>Key Update</name>
        <t>Key
        <t>The key update is defined in <xref section="H" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528"/>.</t>
        <artwork><![CDATA[
EDHOC_KeyUpdate( context ):
PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length )
        = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork>
        <t>where hash_length is the length in bytes of the output of the EDHOC hash function, and the context for KeyUpdate is</t> is:</t>
        <artwork><![CDATA[
context for KeyUpdate (Raw Value) (16 bytes)
a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea
]]></artwork>
        <artwork><![CDATA[
context for KeyUpdate (CBOR Data Item) (17 bytes)
50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea
]]></artwork>
        <t>and where info for the key update is:</t>
	<artwork><![CDATA[
info =
(
  11,
  h'a01158fdb820890cd6be169602b8bcea',
  32
)
]]></artwork>
	<artwork><![CDATA[
info for KeyUpdate (CBOR Sequence) (20 bytes)
0b 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea 18 20
]]></artwork>
        <artwork><![CDATA[
PRK_out after KeyUpdate (Raw Value) (32 bytes)
5e 5e fc ae
f9 79 53 77 43 fe 0b d6 b9 b1 41 dd a8 d1 85 bb 7e 26 1d f1 91 59 1c d9 f7 c9 20 49 e7 0c
23 f6 b4 34 e3 6d fc 1d 1c bd 79 65 6c 52 e6 dc 7c 50 ad 80
77 54 d7 4d 07 e8 7d 0d 16
]]></artwork>
        <t>After the key update update, the PRK_exporter needs to be derived anew:</t>
        <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
             =
              = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork>
        <t>where info and hash_length are unchanged as in <xref target="out-and-exporter2"/>.</t>
        <artwork><![CDATA[
PRK_exporter after KeyUpdate (Raw Value) (32 bytes)
bb b3 b7 72 6e 97 9c 1b b3 46 a3 f9 2b f4 e0 28 8d 52 62 7f b5 e7 9a
fd b3 b2
00 fc f7 db 9b 2e ad 73 82 4e 7e 83 03 63 c8 05 c2 96 f9 02 fd 2e 48 97 83 0f ac
23 d8 6c 35 9c 75 2f 0f 17
]]></artwork>
        <t>The OSCORE Master Secret is derived with the updated PRK_exporter:</t>
        <artwork><![CDATA[
OSCORE Master Secret
=
= HKDF-Expand(PRK_exporter, HKDF-Expand( PRK_exporter, info, oscore_key_length) oscore_key_length )
]]></artwork>
        <t>where info and key_length oscore_key_length are unchanged as in <xref target="oscore-param"/>.</t> target="oscore-parameters"/>.</t>
        <artwork><![CDATA[
OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes)
c9 1b 16 4c 81 0b 29 a6 3f cb 73 e5 1b c4 55 f3
49 f7 2f ac 02 b4 65 8b da 21 e2 da c6 6f c3 74
]]></artwork>
        <t>The OSCORE Master Salt is derived with the updated PRK_exporter:</t>
        <artwork><![CDATA[
OSCORE Master Salt
= HKDF-Expand(PRK_exporter, HKDF-Expand( PRK_exporter, info, salt_length) oscore_salt_length )
]]></artwork>
        <t>where info and salt_length oscore_salt_length are unchanged as in <xref target="oscore-param"/>.</t> target="oscore-parameters"/>.</t>
        <artwork><![CDATA[
OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes)
73 ce 79
dd 8b 24 59 40 36 80 f2 aa 9b 01 1a
]]></artwork>
      </section>
    </section>
    <section anchor="sec-trace-invalid">
      <name>Invalid Traces</name>
      <t>This section contains examples of invalid messages, which a compliant implementation will not compose and must or may reject according to <xref target="I-D.ietf-lake-edhoc"/>, target="RFC9528"/>, <xref target="RFC8949"/>, <xref target="RFC9053"/>, and <xref target="SP-800-56A"/>. This is just a small set of examples of different reasons for which a message might be invalid. The same types of invalidities applies apply to other fields and messages as well. Implementations should make sure to check for similar types of invalidities in all EHDOC EDHOC fields and messages.</t>
      <section anchor="encoding-errors">
        <name>Encoding Errors</name>
        <section anchor="surplus-array-encoding-of-message">
          <name>Surplus array encoding Array Encoding of message</name>
          <t>Invalid encoding of message_1 a Message</name>
          <t>message_1 is incorrectly encoded as a CBOR array. Correct The correct encoding is a CBOR sequence according to Section 5.2.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="5.2.1" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (38 bytes)
84 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b
3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork>
        </section>
        <section anchor="surplus-bstr-encoding-of-connection-identifier">
          <name>Surplus bstr encoding Encoding of the Connection Identifier</name>
          <t>The connection identifier</name>
          <t>Invalid encoding 41 0e of identifier C_I = 0x0e. Correct 0x0e is incorrectly encoded as the CBOR byte string 41 0e. The correct encoding is the integer 0e  according to Section 3.3.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="3.3.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (38 bytes)
03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d
8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 41 0e
]]></artwork>
        </section>
        <section anchor="surplus-array-encoding-of-ciphersuite">
          <name>Surplus array encoding of ciphersuite</name>
          <t>Invalid array encoding 81 02 Array Encoding of the Ciphersuite</name>
          <t>The element SUITES_I = 2. Correct 2 is incorrectly encoded as the CBOR array 81 02. The correct encoding is the integer 02 according to Section 5.2.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="5.2.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (38 bytes)
03 81 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b
3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork>
        </section>
        <section anchor="text-string-encoding-of-ephemeral-key">
          <name>Text string encoding of ephemeral key</name>
          <t>Invalid type String Encoding of the Ephemeral Key</name>
          <t>The third element (G_X). Correct of message_1 (G_X) is incorrectly encoded as a text string. The correct encoding is a byte string according to Section 5.2.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="5.2.1" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (37 bytes)
03 02 78 20 20 61 69 72 20 73 70 65 65 64 20 6F 66 20 61 20 75 6E 6C
61 64 65 6E 20 73 77 61 6C 6C 6F 77 20 0e
]]></artwork>
        </section>
        <section anchor="wrong-number-of-cbor-sequence-elements">
          <name>Wrong number Number of CBOR Sequence Elements</name>
          <t>The CBOR sequence elements</name>
          <t>Invalid in message_2 has an incorrect number of elements. The correct number of elements in the CBOR sequence. Correct number of elements sequence is 1 according to Section 5.3.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="5.3.1" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_2 (46 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 4B 98 62 a1 1d e4 2a 95 d7 85 38 6a
]]></artwork>
        </section>
        <section anchor="surplus-map-encoding-of-idcred-field">
          <name>Surplus map encoding Map Encoding of the ID_CRED field</name>
          <t>Invalid encoding Field</name>
          <t>The element ID_CRED_R in PLAINTEXT_2 is incorrectly encoded as the map a1 04 42 32 10 of ID_CRED_R in PLAINTEXT_2. Correct 10. The correct encoding is 42 32 10 according to Section 3.5.3.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="3.5.3.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid PLAINTEXT_2 (15 bytes)
27 a1 04 42 32 10 48 fa 5e fa 2e bf 92 0b f3
]]></artwork>
        </section>
        <section anchor="surplus-bstr-encoding-of-idcred-field">
          <name>Surplus bstr encoding Encoding of the ID_CRED field</name>
          <t>Invalid encoding 41 32 of Field</name>
          <t>The element ID_CRED_R in PLAINTEXT_2. Correct PLAINTEXT_2 is incorrectly encoded as the byte string 41 32. The correct encoding is 32 according to Section 3.5.3.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="3.5.3.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid PLAINTEXT_2 (12 bytes)
27 41 32 48 fa 5e fa 2e bf 92 0b f3
]]></artwork>
        </section>
      </section>
      <section anchor="crypto-related-errors">
        <name>Crypto-related
        <name>Cryptography-Related Errors</name>
        <section anchor="error-in-length-of-ephemeral-key">
          <name>Error in length of ephemeral key</name>
          <t>Invalid length the Length of the Ephemeral Key</name>
          <t>The third element (G_X). Selected (G_X) has an invalid length. The selected cipher suite is cipher suite 24 with curve P-384 according to Sections 5.2.2, <xref target="RFC9528" sectionFormat="bare" section="5.2.2"/> and 10.2 <xref target="RFC9528" sectionFormat="bare" section="10.2"/> of <xref target="I-D.ietf-lake-edhoc"/>. Correct target="RFC9528"/>. The correct length of the x-coordinate is 48 bytes according to Section 3.7 of <xref target="I-D.ietf-lake-edhoc"/> target="RFC9528" section="3.7" sectionFormat="of" /> and Section 7.1.1 of <xref target="RFC9053"/>.</t> target="RFC9053" section="7.1.1" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (40 bytes)
03 82 02 18 18 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b
ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork>
        </section>
        <section anchor="error-in-elliptic-curve-representation">
          <name>Error in elliptic curve representation</name>
          <t>Invalid Elliptic Curve Representation</name>
          <t>The x-coordinate in G_X is invalid as x <contact fullname="≥"/> ≥ p. Requirement  It is required that x &lt; p according to Section 9.2 of <xref target="I-D.ietf-lake-edhoc"/> and Section 5.6.2.3 of <xref target="SP-800-56A"/>.</t> target="SP-800-56A"/>, which is referenced in <xref target="RFC9528" section="9.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (37 bytes)
03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
00 ff ff ff ff ff ff ff ff ff ff ff ff 0e
]]></artwork>
        </section>
        <section anchor="error-in-elliptic-curve-point">
          <name>Error in elliptic curve point</name>
          <t>Invalid the Elliptic Curve Point</name>
          <t>The x-coordinate in (G_X) G_X is invalid as it does not corresponding correspond to a point on the P-256 curve. Requirement It is required that y<sup>2</sup> <contact fullname="≡"/> ≡ x<sup>3</sup> + a <contact fullname="⋅"/> ⋅ x + b (mod p) according to Section 9.2 of <xref target="I-D.ietf-lake-edhoc"/> and Section 5.6.2.3 of <xref target="SP-800-56A"/>.</t> target="SP-800-56A"/>, which is referenced in <xref target="RFC9528" section="9.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (37 bytes)
03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7
f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e
]]></artwork>
        </section>
        <section anchor="curve-point-of-low-order">
          <name>Curve point Point of low order</name>
          <t>Curve25519 the Low Order</name>
          <t>The Curve25519 point is invalid as it is of low order which and fails the check for all-zero output according to Section 9.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="9.2" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (37 bytes)
03 00 58 20 ed ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff 7f 0e
]]></artwork>
        </section>
        <section anchor="error-in-length-of-mac">
          <name>Error in length the Length of the MAC</name>
          <t>Invalid length of
          <t>The third element (Signature_or_MAC_2). (Signature_or_MAC_2) has an invalid length. The length of Signature_or_MAC_2 is given by the cipher suite suite, and the MAC length is at least 8 bytes according to Section 9.3 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC9528" section="9.3" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid PLAINTEXT_2 (7 bytes)
27 32 44 fa 5e fa 2e
]]></artwork>
        </section>
        <section anchor="error-in-elliptic-curve-encoding">
          <name>Error in elliptic curve encoding</name>
          <t>Invalid encoding of the Elliptic Curve Encoding</name>
          <t>The third element (G_X). Correct (G_X) is incorrectly encoded. The correct encoding is with leading zeros leading-zero octets according to Section 3.7 of <xref target="I-D.ietf-lake-edhoc"/> and Section 7.1.1 of target="RFC9053" section="7.1.1" sectionFormat="of" />, which is referenced in <xref target="RFC9053"/>.</t> target="RFC9528" section="3.7" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (36 bytes)
03 02 58 1f d9 69 77 25 d2 3a 68 8b 12 d1 c7 e0 10 8a 08 c9 f7 1a 85
a0 9c 20 81 49 76 ab 21 12 22 48 fc 0e
]]></artwork>
        </section>
      </section>
      <section anchor="non-deterministic-cbor">
        <name>Non-deterministic CBOR</name>
        <section anchor="unnecessary-long-encoding">
          <name>Unnecessary long encoding</name>
          <t>Invalid 16-bit encoding 19 00 03 of Long Encoding</name>
          <t>The element METHOD = 3. Correct 3 is the incorrectly encoded as a 16-bit integer. The deterministic encoding 03 is correct according to Section 3.1 of <xref target="I-D.ietf-lake-edhoc"/> target="RFC9528" section="3.1" sectionFormat="of" /> and Section 4.2.1 of <xref target="RFC8949"/>, target="RFC8949" section="4.2.1" sectionFormat="of" />, which states that the arguments for integers, lengths in major types 2 through 5, and tags are required to be as short as possible.</t>
          <artwork><![CDATA[
Invalid message_1 (39 bytes)
19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea
5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork>
        </section>
        <section anchor="indefinite-length-array-encoding">
          <name>Indefinite-length array encoding</name>
          <t>Invalid indefinite-length array encoding 9F 06 02 FF of
          <name>Indefinite-Length Array Encoding</name>
          <t>The element SUITES_I = [6, 2]. Correct 2] is incorrectly encoded as an indefinite-length array. The correct encoding is the definite-length array 82 06 02 according to Section 5.2.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> target="RFC8949" section="4.2.1" sectionFormat="of"/>, which is referenced in <xref target="RFC9528" section="3.1" sectionFormat="of" />.</t>
          <artwork><![CDATA[
Invalid message_1 (40 bytes)
03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b
ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>This document contains examples of EDHOC <xref target="I-D.ietf-lake-edhoc"/> whose target="RFC9528"/>. The security considerations described in <xref target="RFC9528"/> apply. The keys printed in these examples cannot be considered secret and MUST NOT <bcp14>MUST NOT</bcp14> be used.</t>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <t>There are
      <t>This document has no IANA considerations.</t> actions.</t>
    </section>
  </middle>
  <back>
    <references>
      <name>References</name>
      <references>
      <references anchor="sec-normative-references">
        <name>Normative References</name>

<reference anchor="I-D.ietf-lake-edhoc"> anchor='RFC9528'>
<front>
<title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<author fullname="Göran Selander" initials="G." surname="Selander">
              <organization>Ericsson AB</organization> initials='G' surname='Selander' fullname='Göran Selander'>
<organization />
</author>
<author fullname="John initials='J' surname='Preuß Mattsson' fullname='John Preuß Mattsson" initials="J. P." surname="Mattsson">
              <organization>Ericsson AB</organization> Mattsson'>
<organization />
</author>
<author fullname="Francesca Palombini" initials="F." surname="Palombini">
              <organization>Ericsson AB</organization> initials='F' surname='Palombini' fullname='Francesca Palombini'>
<organization />
</author>
<date day="25" month="August" year="2023"/>
            <abstract>
              <t>   This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a
   very compact and lightweight authenticated Diffie-Hellman key
   exchange with ephemeral keys.  EDHOC provides mutual authentication,
   forward secrecy, and identity protection.  EDHOC is intended for
   usage in constrained scenarios and a main use case is to establish an
   OSCORE security context.  By reusing COSE for cryptography, CBOR for
   encoding, and CoAP for transport, the additional code size can be
   kept very low.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-22"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract> year='2024' month='March'/>
</front>
<seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/> value="9528"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/> value="10.17487/RFC9528"/>
</reference>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>

      </references>
      <references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
            <author fullname="K. Hartke" initials="K." surname="Hartke"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference>
        <reference anchor="RFC7748">
          <front>
            <title>Elliptic Curves for Security</title>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="January" year="2016"/>
            <abstract>
              <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7748"/>
          <seriesInfo name="DOI" value="10.17487/RFC7748"/>
        </reference>
        <reference anchor="RFC8032">
          <front>
            <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8032"/>
          <seriesInfo name="DOI" value="10.17487/RFC8032"/>
        </reference>
        <reference anchor="RFC8392">
          <front>
            <title>CBOR Web Token (CWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="May" year="2018"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8392"/>
          <seriesInfo name="DOI" value="10.17487/RFC8392"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9053">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
              <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9053"/>
          <seriesInfo name="DOI" value="10.17487/RFC9053"/>
        </reference>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"/>

        <reference anchor="CborMe" target="https://cbor.me/">
          <front>
            <title>CBOR playground</title>
            <author initials="C." surname="Bormann">
              <organization/>
            </author>
            <date year="2023" month="August"/>
          </front>
        </reference>

        <reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.800-56Ar3"> anchor="SP-800-56A">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
            <author initials="E." surname="Barker">
              <organization/>
            </author>
            <author initials="L." surname="Chen">
              <organization/>
            </author>
            <author initials="A." surname="Roginsky">
              <organization/>
            </author>
            <author initials="A." surname="Vassilev">
              <organization/>
            </author>
            <author initials="R." surname="Davis">
              <organization/>
            </author>
            <date year="2018" month="April"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3"/>
	  <seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/>
        </reference>

        <reference anchor="SP-800-186" target="https://doi.org/10.6028/NIST.SP.800-186"> anchor="SP-800-186">
          <front>
            <title>Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</title>
            <author initials="L." surname="Chen">
              <organization/>
            </author>
            <author initials="D." surname="Moody">
              <organization/>
            </author>
            <author initials="K." surname="Randall">
              <organization/>
            </author>
            <author initials="A." surname="Regenscheid">
              <organization/>
            </author>
            <author initials="A." surname="Robinson">
              <organization/>
            </author>
            <date year="2023" month="February"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-186"/>
	  <seriesInfo name="DOI" value="10.6028/NIST.SP.800-186"/>
        </reference>
      </references>
    </references>
    <?line 3026?>

    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors want to thank all people verifying EDHOC test vectors and/or contributing to the interoperability testing testing, including: <contact fullname="Christian Amsüss"/>, <contact fullname="Timothy Claeys"/>, <contact fullname="Stefan Hristozov"/>, <contact fullname="Rikard Höglund"/>, <contact fullname="Stefan Hristozov"/>, <contact fullname="Christos Koulamas"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Lidia Pocero"/>, <contact fullname="Peter van der Stok"/>, and <contact fullname="Michel Veillette"/>.</t>
</section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9293XLcSLImeB9PEau6EDXLpIDAP62rz6FIqsRRqUpLqrqr
rKdNFgACYraSmdxEUhKPTHu3trY2Ns8wMxf7CnO1V3tmX2SfZN098I8A8k9U
1ZlqNpVEAoH48Z/PPdw9JpMJ+3DMHcZW09VMHfM3S5monC8yfn724udTli6S
ubyBL9KlzFaTqVplk5l8ryYrunFihUzG8VJ9OGZsers85qvlXb4SlhVZgsml
ksf8SiV3y+nqnn18d8x/PHl5zv+6WL6fzt/xH5aLu1v2/uMxv5iv1HKuVpMz
fA1L5OqYT+fZguV38c00z6eL+er+Frpxcf7mOWPJIoXnj/kd9CZkt9Nj/h1P
5Jzf5YrL5VLe84NpxuVsxu9V/oQvlvxa5tf8Wi0V43y1SI7xC/iYL5arpcry
6u/7m+afcGeqblfXx1wwJu9W14vlMZtwPSM//Ot/W8I7r9RMzlO1xKfvlvqr
xrXFEvp5vpwmeb6Yw9/J4m6+Wt7DPR9VqvCKupHT2TF/t4DWjvLiyX9WxSNH
yeKmeuW/X1zP+euluvvX/8xfydWqaHM6n66mcgbd/vfNXvRv3Lgz/4AXHd0U
D5r78gpW9z2MFBZs2u7Eq/ZUlDfQy0+urk74ybMff/6t+frXCxx1/fobbBvm
gh79Z5nnUsazxX33/cmCv5nOFokcfn31Pb398uLqfGzYN9jm0Yqe+eflFHrQ
eN1s+v/+V8n/cvff/xO867//H7130hsu5supbL7iOaxqopqvmE1zefThLoGn
k3+e4v1H2ZKx+WIJEz79oICTOL+YnB3VzKbSa6BZ4DBgieZdl89PA+GJ4+Jj
4IbFx9ByyquhE1UfIzcqPkaW51ATp/Fi+UrhVSB3uXyngPOuV6vb/Pjp0wS+
O7pRT/WXWkCcPvv5kt/O5P07YF5aM85LzuD036T4F+cHpub0iD/DTs/ndD2V
K2jl5O4dF5ZwsAdXryehZU08/8Tci3QxPYK5fWpbR74lwqc/XVy9Obp6fVQ8
tHSa3btUQCM3ag6vAZnBYbr4azldTv46BdHwUt1PzvMV0NI0v4abVvwquVY3
IO9+yVEenU3zZKlWiv+4eCdBZF3f8NPl/e1q8W4pb6/v6T1AlFOV40KU432E
HXp0zB9d3aoEyIG/voMXJLoDRSehXx+mKMW482j9lJ3DlMnle5Ifhq9/POKn
12pu/vLkiF8u3sHH9/eDN/wFOGo6Ux/MN1we8TMJvW0u1+1yOoMFs8PGgtmh
v/2CwUPN5XrUXq+cFqy/DJNY5iptLQbM0mw2vV1NE356t/yg+NkCGAyko1wC
v4I2yR/tul7Qxw0WaXQVzo74q8UiHViCl7BGIO9APw2voXqn5jlQ5zQdWecY
Pi6afPVcxcs7ubwvmGsymXAZ56irV4y9uZ7mHBT6HZF+AioVJiwHHXijuPok
b25niq9q/X+LrLGE+TmbZtlUTV6o2QzYmP/8QS356c9X5/yAMMKTI/2im2ma
zhRj36E2Xy7SuwRnlDG6iX/+bBBpX75w6JLks+m769VHhb9p0qF/uCCw5O/V
PfQtuZbzd4rfLhegkRcznsKKvpvD10gu1/DY7B7HgwOd4uVcrVbA0PkRHxgz
SKPFil6wagMeeJTQRn7IPwLlwVzf3q0O+eJuRf/CqsEloK4blU7heexSgk+A
9Fiq/G62ygE08HwKkznN7vlK5dgRbB4vKeyFpnTsWjXd1xIIOFZqzmFupzDZ
KY/h4Y8LeBkAEGAP7H23BZjq70C/rgBDFZMMY13ezaElmExoDBbrglTUCqbp
4OIJdV8CbeW3CwQZ/ODyie4H8PcHGM7TW2IFmvVbEJs5PQHMiO9HTYcDgeVp
NIs34JW60aX6X++mS5zaBU4P0IGiO6rVA4Gby3cwbNDyPL9efJzDMOmWYjo+
AgHwuYK36hXGrxI5S+5m1cj1eOuWuutSLga+Qs0BLyq8QWuvz58LXQjkR+OT
9HYAfoslLgNPpzlquMYj0Oi7+SJHaUOEg6LiDlf9kKujd0eH1MWOaoT3aOX6
5QsQ0/U0uQbl/x46C/fecCXze5ohuQTNRHR8B9wFdHHamG7sGvy7wF51hqHf
rF/6VxXzN4v3IDH4welf3zwphgia/8uXI2R8ZeABJC894QAE/h08kqtEw/qJ
DTMzASVdcSKOl/gB+U6u7mCegEZyPqWeVgQL7yGg/UHO7lRJK78eeVbEE7XE
G5GroZNACx+mxWA+f8bv8i9fCloEar9dwGLmBOfP0zNAjHo8AGqgYzhXst01
XMVfhefZkb4TkVBxpyrF2EQNCbSmjDnqToUYngqkg8TQWHdagMSXK3pLdR04
ayZjeASFA6wYP53J6Q0yM67g6VXeXkLDvKAS468nwvPhzlojF6OOF9BB09Bx
pnTHN5wPLUFpLjQlTmezOxS0K03JPJlCO0tA3FNgu7l6t0DBAJOkhWWx0Mih
lY4BupgtPtbyYAFC71rJtBC5FVPn03/RkvnAiQ656x1yO3oCEwpvRgmgW6Mb
pnOguGnKu1JhiZx1Ny/IrF7U4n5ijp9+fnPObT3FOUAHwvsoSe/yUsFAx1OA
CgDd6e0wgUvULqXsmy41FxKDlmqnEmYFv+klwQlbyo/GZuDO5VJLUaKKqkno
Bmh3yWGCb/Kyx+KIX2QojHgyU3LJs+XipmgF5OAn0FVLWN2bWKH4lCvdXA6i
GZosBCZdInMZ/s5zEA9DL4WvudK6p+qAc8T/inK6JdphzHMYwZKUXmc10gX8
wg5P5yhs5ytQ2gV56KHPCmZOlos8J+u9fPYQEMJ76N3i5HXB4GD1oFhFrtQA
pnrN6v4W2HQGjePy3y61+kw1bcHkzBXhkhYvEqUuVlrq4pNlc29t1MDI9qhB
c6WQ2XQDOcyAe2TTsydHAsnQiHBIqi2AY4lwqVN6EpLZXSEBG6qP/mpAFpht
1PJvQLNN54vZ4t09vfBS61haEP4jMOoddJZ//g414Bct8JGLPy6Wac4fvfoF
AO+h/pfD4uHny/P/5ZeLy/Mz/Hz14uTHH6sPrLjj6sXPv/x4Vn+qnzz9+dWr
85/O9MNwlbcusUevTn57pNn/0c+v31z8/NPJj496I6OZWJFmI819i5Af4EnO
QFwky2ms5+bZ6ev/57/YLsz7/wTrLmwbtbb+I7QDF/5AtKDftpjD2uk/YUrv
mby9RdaYzomYEnk7XYEIO0Rq1rAD6fCI/emfQAwrPvH/6c8Mp9so7a9KxQfP
a4122tRoFy2J//iTt3rMv4MFaepUxi6KOajQdgtKlQithc9omtqYmPqTTt/h
aGqFDIrj1fmbFz+f8e+59QSN7kLejGG1/O4WubUtxK0SrqRoRwHdFZJezt4t
yBzTgEGz98n5yVn9Dbz75Pxqcnr6amL7E9+d2CKsbiVo0LwVyA0VWHXDq5NT
PlPzd4S7C345uCrU7Isn8ETdWMswqBs9OD89e8ETtAjxfg0Kqodq9NLsBkEM
uOfk9rayAzcaVvOBwcERM9a4WksAkEqwYrCk5XIaQFIfW5HRhZoSluq2tHM1
sWljoJJajNHy15BhgIryBlVPjxQA2ZqGYJH/t+I/Vlw9IP1whnrhAvTCE35g
0zI9YZZV3/z5GF4H6HL5fgJa9t38+0czla0eFXKpJsccVEoCfWsT3xE/4Yis
Zx1ogWxTKCZJcALG1ezi1S8Xb86v3l5s2MlOX8DGoUlHmFLhotIMIhSAoIvm
DFdijAabnape8DhvtFtYW/g8+xWYHADBXxAxQ1cdoen+CQsjLmAKBA8V9xIe
+9z3eWRzK+RuwC2POxH3LG7FPLC4p7hv8dTCb1MHb0g8HtosANgY8czh0G6Q
8FDyMOBxzC2nMRPrelvRLvvh7WB3HZtnIRcJD2LuxTxK8DWZxTObRy5PI247
PEm4LbjKuO1hh6CjIsQ/4bMPnyVzQ+g0lzZPLByVrbhweJBxy607uWVve8Tg
uGWXPeivxffrOKOO8006PkT+01VuxiX8FKhZa0ikuQZm5NYnkZZSGpgFsPl0
RdZ/Q64UQsOe0IM0D8AyfALKtM1L2FiTaE+NnUkQxKBUrofAsIMteig5TaSG
Bduy3UE2bjbOfloAC+LmERo35K+b/ouWyAhfm8MCiQ5wTjd7VQBhaNUqyWFQ
NJBj6Q6XqpKv5DrnDZT4Pf19oH101mH73+vHjp2FIgliL46SOM6szI7cNLKd
JLGFymzPEakjQpU5wneEdMPS1xfa0k6swLKVcILMch8XLcIi0ocnjfHVnemN
0QnKQVogIkBc7EX5rMGyI5TPW+vU0E5Cz3APhWiUcbPIVwjbM7VEJxIZrMQp
8EcXpoA5Wol9dCQmibpF97466r7igeR79YJB+f7bkMBUPs44TFYW4zLYMU9c
7ng49cLlrs9DmkcFKwSrl+GC+SDBM5xrS6L0T2MGgt51eQQaQuIygGwTNlfw
Exr4b6CzTYE52NsUXg2qBSjA4zasisdhOfyAZwl21fax5z4MIQSYzQMXKSYi
X1oYcyfkoId8wRzoto8aS7o8BL6LeCx4lHI72bm3a8X7fh1n1HG+Scd7RL2B
eL8cFO92aBLvaDg2RTwCoZ6Abwv368d2+Bjh3CfXtsNtxHw1FIYdNYp520Rm
W7bbW8GK5lybN1/ACqfKHK3D25VG3G9evBU44tI9DIMmv2yDi9vIHGaAnvme
vzjgQEKH8G8lOZ+0BGrriwG+SGzuezz1uYyIIGIko0yCKOJhSmwbI4WBoPQz
HqQ8AFnpICW5DrI/POK7DBFbxKVATgF5ajmI+VJoOTahtHa31jLAfj1k1EO+
UQ9xfWi/BKm6WpBqiSoXeemFgqXoLUALjZqb6mk3P/ymLM83mFe22cpvNq/V
Jz38AUL0uWuhoQCK2oU++jgysBhkjHOQCWzb1xYDaAsXf0eg1YFYUhxrEHFf
MsvnnsBxgHICZROByoG+hDigwe6sJ8C9esaoZ3yjnrHXly/fCjIVc9zbJduZ
XL+Fz467Rzb+b9BZB7jh+XSZr/SGDvkS8mu5pC1F3JMGifHrbyRvFjdAnegg
Rr8rWhoIVICYAUmgYqIdiaa0pQdba9dvvY0PPJ6kaLoBfYU+fgbKApgWEEZz
yRZUcLeFhh2YfSrgdsY9IK4IGRuAQugyoEH41sl4DLQWImhIMmxBdOTq/JDX
c9eTpSRH355/on3kgye1X6gyMgYkLULUot3vO63wXM5gmmlanhTwufgPRPOr
k9NJ4UBp38nYR3Ta0TXsK9Jgc5rp+h+HRYrBD4EqsNFdXFa4xYP1TRHGBQEK
ADfGpVQxLit8C5Acbk5BuoRIDFaKSxkBQHRI0iQIGS0SP7C4cA+g71Q2OnRF
IKL27Rx2/IBN11BerHrtGzri+nl8xozFYSWKNocdbXAPedq62Pxx3t5V1JC8
oDx8YAhwlzC7sxmI2PDqZReyNBiL1tTKeBahLQQMJNEhglwFNgyyTlDYQiks
vYMmjQzwt68Qx8KCZBlLYvwMJOF5uGIBaAsHgXoUrYGyBYA19Pn1SJ8B86cx
unVAD3k2Uk0INCyRUkDBWEDSEpWNqziAppCUkHKQaKWFhA2UD/A7IW8RXEw8
JDcVcZEhEXmNPhPFOkrcrBWiwzseRyW9jdFYx/3Iq/d+X0iMow4b0Ze/OyN1
zcraN0BbexjkN0fC1TioiGFoYRgQbSSy6N9KLL48e35QzcEhF4flPt5b+Hgj
k7faLw5PPMHw1+IrePxPf+IXZ29PL8/P3l4ekjg85OVf/8TR5yH4n//MmL6G
q9r2KwM8cSfxVMPpQmRXDRZy+XMhnUGzH/O/TWzvEMyKIMqEdO3Ys63EzqL4
8d/pri+lhO46rHVMADRxQA7rJ+XGGhrlWnMAPYF5XnvCtSP8kJXbFtRaLU+g
H402qtiD+oZCgWBI8lz7vGEhAHTBaPMmddXDNfic3AYL2oBnBA8FEhKgNeB+
4C3Ah4D9gCmRC4GfmsitnnSpoW/TyCvCI87O653jwZAJzYC4OzyBq1++tOy4
ou9N1hCuXTlmLfQMKJh6q/DUgEwAcWeBvrPpt0AqR8hrIw5GL4SF/mXQdHAb
IAjfY4GFF0FLwj0wWvwcFTeAAITHsUFyFbkeeiRgdtwMkS7gP1CXgID9jIG2
hT/hBlgD4F2QV/hjIwc65DmyA2JIQT8WSlT81qfPIV10GV70kb3rmyO6TZT3
6w9W/QM3w29BA0S3l8XgXYbOBwOdBwnvoG8LR6Gw83hFsJGxCNmfQ2wBP9uo
dEp5zvaQ57yU56wnzwff7tLb4wD9TnGCBKAkasBIsJDsH7wZUA2YTwqXOElw
5uFmUIWo/lIESLiFYOGoQR8BzFQJiksQrK7HnIAIjDQsPAsNov8qwg7DS6FX
ML22hYwEd4JQhiFDNyKXRx5ZUyH3UwaaA+YEgKpUOP+gnYHlwNxC3AWaWpiA
1iADC1jH2hyBXu7HD6yazT34gRE/8P34gRE/8P34gQmreNce/MCIH8bGsgE/
sL3xDfADG8A3W/EDI37g+/EDI37g+/EDI37gW/DDdrshBl+KYTdkF7RRPV0/
3HuViOytdSsfdimwLS05o0uBkSXH95MUrENnO0kK1tCcO0sK1tCcO0sK1tCc
O0sK1tCcO0sK1tCcO0sK1tCcO0sK1tCcO0sK1tCcO0sK1tCc20iKYRZtYFTi
0tqdFyHdw5D2YFe2q+Olya6s7XjZjV2ZCehuy67MBHS3ZVdmArrbsiszAd1t
2ZWZgO627MpMQHdbdmUmoLstuzIT0N2WXZkJ6G7LrswEdLdiV+0uaHqeV9fL
xd2768qvegt28sGTNdtfh7wVxEq+nGFPTsNN8eLl2fNJ8ZLaT4F5VW3/xBPc
t8Q8W0pWhAcP1jgz+q7J1h0w4nfTD3rncGhQR8XLcBu/nKfClaE70QzOEFVQ
hrTtUAj4UW7Y9WZ4obAS37W8xPbcxPMD1/dLH7WM7TQTluNHnmUpz7VUlNlu
nDoyiHxp+Z5IpPL9JLJ82w/DMoELxFRmO1ZoK4W/pS0ty7GEZcP/heX6wrEj
lbiOZXmWbzkiLp/zvQButFPHtmP4N8JvPc9y4WJiC9dzXTd0M9cRlif8DHRt
8VzgQrOeD184HvzPdiJ4WtmBlcIV4ViOA9d8+DeEv1zHKZ9zfE8Wd0Vwh6D7
8Lel/+dJ6Db0VmCvlFXNS6NXQadXXuAEFvRN+S58Frpf1fsa/ROyHj+OG/61
LUvaaewGceTZoRt65XOuTG0h4W3S8Vzl2qGUiXIcKa1MJL4vEsuKHZl4Xqoi
kUXV+Lyo+w4X3hEHwokTGJCMrUiEKozh2yQKU1U+Z0dJ4oTCSV1fBakfhUEM
TbhBmKkkk0ACnhPAqsKHJAljVQXxiCjx48CxXHiNHTqBil0ZJ5Ebeb6Xhn6a
KM+GBpQnZByKxK76KZLYEmXIjyPKiJ/avzaT+apwrBUbrDpRjVInSmeSMfi2
jK9t+sE6PGQA7HUYkeB7owG2xzZMhQZYbxtmBzTABtxeW6EBNuD22goNsAG3
11ZogA24vbZCA2zA7bUVGmADbq+t0AAbcHtthQbYgNtrKzTABtxeW6EBNuD2
WosGiMssk/Or4NeBwFyKMwNmhDUSCUaVYTSEg5ELMNspNesK5DLpYJQEzp6F
SxOEuFUC/QSKciMMUwsTnGS4GaklxvBAxxhH3JQfo6G3e3WNUdf4Rl0zwYwq
o+PtYvm2glcoMR9X+1KPSyGKew9v8QmbL+J/AHjqRxi2t4KKkJYiwEunKxeY
5G/8UfVu+9Fhy6nC//znQt7D1SH/ymEhof8OyEa3qB9pNbsJynlc3WXCO2M4
p8ImBrwzhnMqrGDAO2M4p9LBBrwzhnMaGKOHd8ZwTvWcAe+M4ZwKexnwzhjO
qTFUH++M4ZzyORPeGcM51fsMeGcM55TPmfDOGM4pnzPhnTbOuX4MBJdI14lE
Ejoq9Z3Ut2UqYCqEpaTjw8RaVgjdSb04gbdVtJjFYeJFroAViW1Yxsf0xd+b
gsnAlNwsqSrfJIgbwBseYRKQQagKbdTpAWlDn9QfKKxRFMRaKIiAE4CfLcOj
2Ja+TCMcYnvsAlZwiO2xC1jBIbbHLmAFh9geu4AVHGJ77AJWcIjtsQtYwSG2
xy5gBYfYHruAFRxie+wCVnCI7bELWMEhNgSHtsEQbBTebIYhOuHdIDzyhrNl
OBiJYzBSM1Gtjzta0M13GwHQiuL8RICRf9Bpi5IDhIfUDLMAawA3AKGnAa59
KjHKFAwnkWJMKdBKKpmX4VQqYmm4kgWYKRYQfQMp6xbgAxAciA9YNh33BHOh
LPoKZF9KvBpiTzx6EClMYtKZFyBHIVcQ13kk8mIbY6MsZYiEMo29J3xB+NUw
EWTjftPAaBr4ftPAaBr4ntMwAhlf/3hy8dOb81/fUGwQ6q3GlbYD6xTAoP5U
o8anHKv8wD8T4R4dCae4oT/dxRcFluzlEDVf2rP/w3Zk/naGf28d2U7k3FlH
thM5d9aRbb2OdaS7KcLr5flvV28uz09eaYsiVRmFyvZi6Ib9roedwNvCtdtJ
TzKG2zZf3gsuE+oQLR9tV9zO5FR7ZYuc604YLv3XdvxWjWi/b7+F0jnV+6aw
rLrZ3TABTZIrr5eFlgp/VHtCBz27dbrdNpYMWjANj1vLkikxabiR7218cEZP
W3Nk41l7e8fSs03AIvCzZ4yvaXW0qa1qoZABDlNFuDlwrB8jlyKnwXXKdwA2
Ezp52UEmBDilBOIGgBFZiEjISxhAHxhjSKAHRENIHYZx2TbmdMSCgKmL30KH
I8qPjshJAIo/JS2e+AwAgbIRD0GbNuWDZBk24qYY8wviCbgdRI+MaDIpwS6A
BwNEMPAVQAdoJKYsSJhYgDiAYAATgICAroYEF0C0gZAK/UF8UImDnJ9evH5x
flmQuMz5r7jJWpToalI/0nxjnlsxfs0mBuYfoIzweZricKwM/WIADQESQc9B
YiIkdZEAENkkOMmACEGqYqysjzSTARAMEArDlErMQEGpBxMLkgvoB8QiSF4M
nVaI8PRvWFYAsnAP0B7MLdArLj0g+xhtDJxASmEEnW1TjgzALxDuAEnhqdRC
uQ9AFgwxeBZ6DvgMXm0RzgsV+mSBejNChJI6D4QEzcIqg0wH4wfzIrrpYUbd
WuWddrJ2O3r1h7e/vW3Oc8nyXG9o9b4v2Z40bzeCE16PcZtzjQIXuCdT1v4h
mUHSoUwUabZ6ZMjoNcgG226CJLBDHjrpaQPqYuuoi29AXWwddfENqIutoy6+
AXWxFnU1E5idoYSKRqmVb59Q0ayHsHlCRfOp8YSKiyEPs0t5STDfIVmCHmUk
wSrBmkiS0xlhMNQPlHQRBehOgfnG1IuMTFHBPLLi0ZFC6+PT4jtIsOsqVYxm
VAx2GiYc9KAMqYs2fgADNSZ8CbwD5AfjSSIUU0BjAC6B8oHUJXlMMhc1nZUx
NIlDNHGFVVi2oLmAnu0mWETM5CpnfUaFs1lGxRCRmTIq6L3fV4kF3ZwK+vp3
z6kYyOt1dsjrdSivV+Pbhmotnejr00sdAwwDM+BbJjTyDawrts662sRKZuus
q02sZLbOutrESibX5r7R2WzvmEvcXts75pI2YPeNuYSJYnvHXHJfsb1jLjGM
6oGzzzb3U7K9Yy7B3mB7x1zyyGO7BHFVn7SgGVBMFrIO0CZMKuATmEsYIhhK
0EeYNuQnD7kNBAbcA7ML2hQmADoOzGo7eH8UMmgBKSIlZOVj8ajMR4+nioa7
s3a7dr+eMeoZ36hngwV4tkmycwq4T5/7vhDUfYfcr2PTnFbkmVNZ+7qV6q52
FPwFeVOcQsFclLu0Tp1zd7Fdzt1FO+eulXKXCFfGIksD33WSIMr+7afcGcs8
jaTcAYRHJhQIJgMfKQms9ijrptxdfLWUOzziYSDl7uKrpdxJ64+dclfqpW+T
cudGtMEWEaqKit1WVMj7pdyVgJ/tAfh5CfhZD/CvUWKwIrhSNj4eO5hQHlgs
isgkz/C9oFpBuYHiAkytrKKgVkolRNAqBwsqww6DOoLHQQEGHiocN8QYZ2A4
i/AUEBv0xyIjHZ5Fi5hwHIwIPsM8wIrABxgadBXoM8uouFTE4KUwIaA+QDcC
TAOAD5BBWkW5EstYjWSQgfdOuWvzwx8v5W4vftg65c7ED4z4Ya+UO5WyvQ1g
4Ac2YABvxQ+M+IHvxw+M+IHvxw+M+IFvwQ/bpdwZ7MuRlLttwEb1dP3wdil3
A7qVD4M/tiUsNYI/RuBvR/OvlBR/1JS7HSXFjil3bUnBGppzr5S7vV1lrKE5
d5YUrKE5d5YUrKE5d5YUrKE5t5EUgxy6S8bdxtzKdjUim9zK2qbajhl3Jpz7
R8q4245b9824I25lJpy7V8bdrtzKTDh3W25lJpy7LbcyE87dlluZCeduw63a
bfDtE+6aLotu0p32WfSS7hxD0t0Gjo2dfBrj+XrOTvl6zlhUh2+MZO+6QjB+
XVmRbQtbZp5M/ERVsdG266VuKDz43rJFJqIgClWYBbYjkyiMbNcRqRCeH/uZ
H4SqiifeJF9PWr9bvl4jRv3r5uu5ka/8KHD9yIcv/Gz7fD2VWr4MpfJtGYpq
PmPpZdJzPeElUWoFmRumqeti5+C1ysqEk4ZJIiyMIQ89u3qfrUxx7J6AubTT
MHZkEFhR5MdJlkQxLEkVa+6qQFlYQDuNob/SiVNYfNuKnUgEngQqigPPt2wv
Cu3Qs6o8TRGksR84wGwBEAS8RvhBmlqeUlkmAnhDIEPbgaEEbhwIWcfux7Ao
8e+Ur2dE+3UAkT+Wr7cZlmB7OKQrLMF6bt8d8/X2xhIPnK+3BZb4Cvl6bsQG
fGZ75evthCXYgM9sKyzBBnxmW2EJNuAz2wpLsAGf2VosMZ6vN7j/g5tJEe4E
w3izCFkSxoibWwHOqpPhJECXYqrQnxEbBnob3sMIIGRzj+GOu4e8DFwGAB43
pIk80mSkP2s3gPbrGlkzHt+oaxtk6znD2XpsKFtvcE9pt2y9i262nhEzHRby
eetsvd52Tytbr4t2xlBOqaFMaGebbL0m2vnG2XrWGMrZJVsPUU6F2AxoZ/Ns
vTbaGUM5VT8NaGcM5dTZc320M4ZyKmRpQDtjKKdGQn2000Y5QIt2EvmhDLIo
S5W0oySwhJPBLxG7aZQBXQaBUADQQy+C4VRzYHkBkINILQfRZppsmK1nllP7
Z+s1MBBrYaB2tt7Ge+BsSzeoEQxtmq03Cob+ANl6Bb75Rtl6wxuIe2Xr9cAQ
22MDsQJDbI8NxAoMsT02ECswxPbYQKzAEBsCQ9sgCDYKbjZDEJ2ztrbK1rs4
HkvXc4bS9bIEZzdQlJJJrAPUgfImwPg8inrEcLrEw4AkPKQnLkKLEgqTQgIH
crCRVOMUw5BBHuAqhThcmDMnRRLAyMIYI/+ki0HfgY3T4CY4BxGd9gZq1KJJ
hR9YTFwNOikgkBgGbpFMCiVKI+AYh8Ly4IPlm5ChafBr8/X2mweKFCCxt8c8
MJoHvu88DIPGOrjU6eXrOW0HVo0WN83Sc1pZes5Ilp7B6g+tnbb4BtaNbUm/
xnVjW9Kvcd3YFus2ivVlni+SKQUn0QnH6EGpIvuLxTypFrEE6+fzZHl/u7Jq
qF5DoG2gOELwqoBVB4r3IdCJkeFA15Rwx8GJRZWmMKoWZG4QoQwNSOm61iao
he2xebtd5F43Xi9VIIa1Zwwl70u0n7bxlh+ujwnHCX1pCv/T9euc0tUN76+T
GIvlMSU/NsveNZ85LN18jYuFfYpD66YGIs3VvW4fNttNfhx3jztfnwqLFm1/
EwfmtqM7YsY8SGPgfaVXELLuG4LKNoHfdtNf08h+7Cr9OvtKlyyQILMiaiZD
AAjCEbA5iDMQhYrkI4Ymgwjupj3swirzBfpGLv7yQNyCDQ+xi1uyy/RDn1vW
sUvjmYpb6msFOenB7cEu1P0RfnEfjl+cTfhl+wEaXf40zDGOcb8Rx1jGc490
91ocU8UEwtNovUSYu4FAgtAFAJIwRazvpqj90xFtbkysdTCx9rFOocM9TXIF
khuwVNxc4mndKmVdLugc9U1pVFX+ehPWAaWl6RQ5Tc4IOqB6PixVF5FhzZtH
5uzdzqyE1dF1UvKIEmhgnQAZgRnlUp4yWLhCA58Yb1A+Xs8onxFPHCIrCdPt
cHUZYq4M0xdsG5cfJJFM0ViLyPCPYmowQiEFih0MMYuyPjNYGo/yNF0Ad4gp
0GFCN7uU45mklG1Nhq0iwoptfGPqUaK3Q4aePoPUQzMzohAZaMGO0RgHsAbv
gmaxlpuF2UJAnYD7EhstUFx2DyGqh/kWjWWvMFnr8MBetm1zco8NybMGNoms
hsECP/vNPaO55/vNPaO55/vNPaO5519h7gdS8twdUvJcfdSm1hstbiqsovVJ
ea4pKS/g3zI5ZZNdU7bOmNrECGbrjKlNjGC2zphaawTDKNjekdv1juJ+mQxs
78ht2qrdN3Ibd/P2jtymrIx9I7fR2t07cpunIds7chtUOds7chsGwvaO3IY7
2Y7xmFrEmLdjfV0ITCAhwHoCLwKLR5p8bDqDU+EHTOoVODKbJhsoLiF9ant4
ooykIgnQWbgHxH3sYm48yOg4GO7O2t3Y/XrGqGd8o541ax+420a8G4S3IeJ9
g8JYbs/R5rahvXaXuSPusj37ss575FbeI3cL75GPxSqFJ90oTqMswi1OO8Lt
WDuIfJFmduq6Tpj4vmt7SspqAy1RaeqL2IvdKA3iODB5j0x0tLX3aJTQ2GYs
sBmhjc78iEms0Ue1DAjJH8iT5JKda0wlDck4dgd8SUbz2P3kGL1JddGZr+BO
grY6DiV3zEAOvz5hPrRDqW8evzRixto6Djch7XEZyjYg7bY/qfr0sqtuancS
6M+MCqlEZDxgFSyCewDrIhcr+SROUTqCCuY8AO+QCfsg3KP/A+PYHWKhqGQh
o39pIzZqPllx0d4+pi4P0SBGmCh6OCb6xl6mcT6KvhEfDXqZuoxUeZkABAL4
dBMEhIAq8f1k7mEpCSr3BjBYWcP8Y/QyuQ/vZXJNXia39DK5bS+T2/Kmtzp6
UHmWYOg2FdEPY6zCghU7LDx9rB56zfybelpck6fFQCpV5RyA9+v7ATAT2XkB
ogqHiZ/Vp9sFTPWSf/4OLk/g8qS8ZH/RtZXw9vHSSqOFlQhSFs0MiKWgFEso
1oaqZZrkUiNdo/1syb3Ni8NVJBuB4iMx4h1HeD01g1IqeDAptVnw+85DNQqr
csBjdTSDb6X3h0J/q04OlFIjuxuM4og8fJFHlbXA8vWo0FOGli/WwPGxuI3+
4GqbWuBWfhqh5xzQA5a+oYpSYEdHCUXJiLYQJXn389Xpz5fn/BWsDLAYsMxS
adbrfCFncBmWUcOGtFOIFlOhNJPKETYUR/Y6Nmy3dgAUE6tZlcd0yFuQoMer
pVw4HH6uoMaWYKEKvXpY2XJxU5JRiVla9/beCTceAsg7JINuVDwMCglq4neS
EXhbZzIGhYVt9WzX34vLq+72WL1ykVjkPx9lw7oVMy/KFH2BgCMygVDCz9DJ
5FAxvEChy9a20OWZxlTGzEcW9CiSJXbQzQY2hh/i8VQubQko8l8CZyMkgW+j
jn+l4LjXcilvFPQqR42XJ4ulmtzitS+aY4lUy6Ki5UO39UPDivBknP+wcY1R
gEBetNYhR4vhLqeKOMUbURi00vyMVSybIOEEcVERZkfvOamw0AGAoCfMbCo1
H6NedR+b2N2twhuAYIhYiJs1XYEkmBfTUFViWtKwivFcKUR9Ty9h5m6ncAO/
OMsHa3c7R844pDh9e4kPY0e0ubUibFm3XVJ9rpYfUGBNj9SRrvapO9K4JZnh
M0ccR9YsZWR9skPM+pwm1yh2i1cSXIN3yiaOaz3l2vgcpbXOPyCKrTqoO9Pu
J76ltZNJvXmct+cN72zDcHoprGmzeOepLsu0flb0kEdnRffVNCsibc3KxdCs
IPB+B23iE8bp0L3oTodIW5D7ivqx8XyIzTTwNknHLQ4ZTz0ekwCF2Dd25/ue
Yi4VnhZQb3sOrxHdXD468mxPRdZPF3rS9CwrtVD/S5hPEFPAy/IOgMw6J1NX
UrEx7TmwfhvUqP96XrGeaB3XoMYu90Fzo/Y8alKjdDY3ZfZsZQki0Sym/UsH
64eCLhUhln7Hkuoholi4AeBvjDHdHaFuAKRbpeZvziXu+vR8Q2f6PGK3eSSH
uzZmkg2eHXWCGZ9rs0fzu3Gg1h/tej7Q6zOMJXtcEO6BJPvv3oTusYsjVG/T
Nr2x+LSpoVZQT9UI7f6DUYi1RmNEhFGIBfXayO8lsPYvt6lcKcbw8x19HkQf
LzazoqAl3ehBaQfxJ8fjzg5tzNgNw6ltj2xuyDyUHZPdzWkSNAGW4yKHfzlc
aLpfaadzy4CESn3MM4O/I4qMiEOs9qqoiq2O6clSvAgwPsQDIAzHGw28rl/i
sg5esfjOr2VUprMIpCyp/H2TgoYZsObA1I+V7Ue+JeIwTpSUlm17YZbGobDC
yEr6xl7fmyEz5ISBCa4tKoyTSDH6JLOwci76OAL0wAgKvIgsdHBEHm4bRlRi
2xUYWCMz9GJkNkYnuBJLxflUtDfO6AwvH4OasBR1k69OqEP1XBz2TV3cDMmL
3MLSASDn6iPM2R/F8qd1wzVufoumF7DBtZy/05CWpEPfOfrlqLtS6wxeWBUs
4ZyQvk/RWY5RGy5GSMXkl4opOgbNXolJWImLCtuNMfQZyyFbFAynMMQpiKnS
hIMfPDp5wfE2hb49J5NewrY/eBSvGlSkCUb2gGJ/4hsgcmDemyb6l6N12GiU
URpHehAg8svoPEdiSAzYKbZCYQCgyZe0T5/hIgXpRlhpj2nVAGfddDYQRX8i
m3Bjz5kkZ+TYPFb6F+QEipMYQyYThSFMdoKxRm39e1rX/EWnC5YAzr8w+u67
xo5Q4za4awnXqS5wo58lq/9FLXNQUseYqwwWY604wVqcyhn/6e4mhqkGke8G
rh1ZIOPgvvI83Mbt1SEeldPjGMSQ8Dy7qqnDL/L8Dhs7/amUUfxysVjx87R9
H0zONJ2u7lui6Se48ZkCtaGOYXqXFBIYHgv32PFB3wjBf3j1pveAlq3H/Ewl
FBTnHFsW/OADUeuBqzuqvdDuWzWf3Q4Wd/PX+jgPREIXQD3Hrfc3vhyZk/K/
4nrx1ASeOu7dc3sX9y/if9sUvTc2sPGBnVxkxgaoOP521FDfRMzQHtlO55+3
Wtjm8M+qqH6rhZ0OAm21sGmxfeTeOmugzb1VVe+vwL2gLCvuldYfgns1Mz4A
99bz+Ufn3m0qFxkb2DiBH+PuTQ3oY4Cq+dmbe3eqhtRqYZtiAFUMbquFnQoD
tFrYNDaX2Pd0cXMDFi9xREf9wqWvw8BhFDXUb/BHUL/Osf1g6tfUtz8a74Iy
0vE5oYVkkoQYRQqDA2YEfsVsG4X5CwGwglnzIjNkaEPaMeVhCuR8nW3mZri7
71NCTgzvMTcADKJqzferZ0UfHIp5niNl5e1uF1+TGwfjYI55ArMDlDrrtd0k
YiQvUzvPZA7zfErxexgelI+1d3L85vKX868oZYAnwdaDFYAJtD3MSMBoBoma
GVS6S/kiAW2J4tanxJ3QsD2Hro/rhhghQ4KGaQ/pwChfJ6noM3Y8FGQJGTdW
gGUGmi3AqsEKJnQ+HFiOeCinS3lTMToO4Aco36LsFugYXgcx1G4hovoh8Bab
xD00ldHpWEA1VjPgCMQMP2mXACHz6GoFfyT87MUhPz294het01sev5+mj/l3
IIVylUxgkRI1ESCILuZgVuFu0yd5czvrndVWnKhSA2A0g5onuBWmmbq9Vjdq
KWeTvOjFNINXT16o2exGzvlBVRXNeaI3wBplTu5u0SbLW7uwOffp7QJ3TPli
ie9eZPx2qTIw0cjv2e/cYj67NzfHxVEhg6AzU3r1jM/VuwX2AWewrKWmPmkT
77DzOBqjd7mq9ulS3Lm+mc6LE2XqbWcwRv+dOXrue7hwNTk9fTWx/YnvTmwR
Vrd2Cmd+X55JU93w6uS053g8qFb8CTxRN4YepHIcjUYPzk/PXvDkbvlB4f2v
W+2bjmoE+Xul7xnerBkY1fDORWNsZPcXByFCn3MirqWCNc6BvLSVjWePNm85
uHz98slhtTkKcyH56V/f8NOZnN7koC3RP356pamjfYDR6rp90FAVgKCZ44i1
c0ZsfpBNl/mKr6Y3MGGfv7ux32L03rMF0vs8vV2gnBtiiLxmRr0jXDNAM8Cg
uGpwthabr709pQbfUPRCzqervOCLZfdATh+onuN2EnB296TOxv4y8cSqVT/o
l4s351fmk47Kno1kOy+VPq9pXguG+kxPdPhiYEbnYHAz1Q6d+lm3W1ZFwrMz
fx2sT5mg7EbgliCaQ890jE5cULT6cEDMbhMo+jEN06bkR4EptngKrIsprXbK
7ISnDqLoNEBNkwr0JIJ6aNYSWdfZipQP+eNPjyfJAkTbdI7bKD+8Hex94KLS
sOkQxJhOgQbtBEAAbARPod5wyLkGoD8m+ACI2ovpbNgMLVJQNcIvDv/BuEFF
XlJBOaIZnhn7tXq/Nvtrv4EwGgjfZCAjrGIMq6GgC+1WX/WiMyxVSv2cKnxO
yTXZFFSFdLEn9GAZqoHWVJvRsK3WkVzGviTXi1wHKVUjoDgUY3SGpQzLt2W7
wzzedDuuzaDDRDZ7JFltuHhIJXM7h13b5rIxdXV1sIWk7aRBLC03zOLYtz0V
uU7oS+nAH7GSXuykYeZ7mSN8UZmWceBGsVJhKoJQZbIuh9FPxGvog5EYXZ3g
sheRswa3jhA5t7q+YBD8sJKdXIB0AQJ4DoZTgYc6ikH7t0GNaSmNLWiBfH55
+fb057NzgDy4MVgcWljog0skYrzj4qfnP2scV7/xdrm4BQLrAq9D0NAmFbS6
vjMooaO+Erpk5vModaf7BcSrNRFt31pPvQMSXiCGRP3O2BWAAeB5dat1+q1a
gqK60X1r5kvaxOo1NDjknz8TNPhyyOO7lZ7Fcpui1KNHvydu+HwMb1t9XCzf
T8Cgfzf//tFMZatHX4akZAf56rCJ5vmJNwucICPkOMif4NaKNioSCWreBwKY
zbrhbHK5lPf8P/wNvhX/4e8bQo8q0AEtML+9un90BOL46LVOqNZBJNFv7FN4
PG430inVIUVcxAJFQppQlQOsDkmb6sT6wmFehgfMSwIkysFNSos2n4VnYpCv
CUFCiR3PKMcWz9C2sb+g3m2qG2EHKJgkVUoAAGXb6P9IMwyTyjB4BE/3tWIW
+TgBMXlHwKZOJJ6mm6Ac3AmCLOaKP75vjWC4PDkIUZnhfoFP0c8gTW1yGcoU
t40ByKGTNaT9eTok2gvIEUB1sOiEaJTxmN3vULkUF52FoUVeG+frTf5aBLXf
OjBaB77JOnxVBOUEOyKoiehDKCf4yhDKCR4QQjUb37IIwRiWGhR8O4MqEsV/
r5BVKDM/cx1LxcoOU8e1Q9eyAxlJ244zz7aTMM2yMAsdN3CsOKrOZ0nsOIDv
4kSKLAEMViKridgOWkUNaFWKe74rD7CeLBrhAd5asgZkEF2MVbmaBpMJCvWJ
OExzRcfBNq5JUXfmiwpE0PnASaJuVzKeqaNe9ufD6LzqBYM677fBU8FpC8qm
TRasiGwhAA4prNAltQeyWFIcFKxhFlDQTVpUHQQNh7a3ZGFI0TpU58rHHBRs
SuFqm8TuQG/HxO5g912bsutsBPKZhV0AYJ4IVMpAiKAmQKenFO6CruEIkTtY
BBgmHOI2uCtgECyk+kJZhIV3YKCORG9+hilyBqGzvvdb6DxFRZFS3HoDkJFK
pHpJFZTiCB0ZoPk8HzsHfBD6ODywTeB3RiWrQcNFNjYCY4MpAKSCpb1cZC8V
8SjdqfemuV+r8vZbBkbLwDdZhh57b6DzLgd1nthZ54U9lSe2UnnVCCin5wBd
qB+6OR27qLxOu4MqT3SroxiKsokdirIJXZQNqOYQ/q2Ux5OWTml9McAaIOxB
mcDvOMWdFkml6oQ2t13UAwHlyXkWmu1uirfhRrZH23sBfg48hgdeOlQ6zaK9
GioQBsIqNMXYtnu1luT36yCjDvJNOkjLMzXWrxOtvPq8UM2wEr35X1sKT/T1
ux9+UybnG8wr22zhN5rX6oMe/YBJSDWMshT1Hug0kLi63J8V4vAyhQMAwQwj
dDJUpBiAZOMjHh08EOImIouoiw6hGcBJsa5uhzpzsDdryW+/jjHqGN+kY7oW
glBrSiHY41mgz9EXo4OlaYsrv5YIpnIdvQp21W+ttBtKsURrC5EZkDIAI1RE
+NevTTFLD7aWrt96az2BfqwEISXYmr5FgTsO+f6AVDCmDOPUUquouSzI+ndp
rx+D0aiYYpAy0CWAHdDZ51GEGlWGE1TVvsW180Nez11PkJZ5PbjRuzp4Um9X
VlpnpORN0e73nVYoHPZQz2cnXBzk8quT00mxsde+s4yqzYuQXqTB5jTnvVSU
34FD2jHnYjAZwKOoyNRH9geZ4FB0Myy6S0U0AWCBbYJB0D4KFqxhaqEcAzsF
LAvXpwoOKZZLEg7VM42ojKlPVRuAYJpYpHOYmHPY3Yhv+A7LQ0Iq56F2zY7u
BmN6ocyBHhZzbb6g+5M2h0uHJ15tGRJ5CWjgWdo9PiygzbD5A3eKrqEC6NAc
JEBtVhbLkA0yfAoKu3qJuGRgD02gYeFSHgbYe6mLvh0gEAxWp3KaAI1B+kVk
SYY6aj1EX74M0NUGVqhKyaChHCtQS0CAysenMMrEeEJdq9caBfc73QPFA/0H
hYQ0FKFkwfqiigJTHCzrirA9QTgvJBIWqFIdBwjqE9B6RBVQ4assZklMtbEd
FDqodP0iXDAzJkpu2v+NzBHXQzUJE+hRQC9wgg5IVqI4RMeiVYDphYlFnpao
9YH1pY9aHBStsphNxYAF1SPwdDxwhhMSiB7njHFL29PeCk45rCrAN9IPGKmM
q5Mf3+hvUFX88Pby16MmfqrrlNXYp35kKDFusxplnQzRjg1vFOL1q/tpQEJR
tiZK4rVZQIYUIHz8YVPmhpKXm/NZpjyNJWo6nq+y1HOCwHaxRr4VZk6mHBn6
SehkmZv4se0rL7BEmGVOVB2m6wnHT+xQxHhocugajsc1pGrWnRvbKLT53hiL
laptBGN1q4hUHxq9HKggkmF6AHAawucAI9QdEnaCKuoClE6oABHuSAYYTB9T
EfzQLktO++gcsHzMWkGpKjDYDYA57ltEGIfQAX8ld4zCv2EOOWq30iqKgyw6
gIc24aCq3R4QqubwUL+jxzZdPNR7oOQV+qtgEgN2beC6Fmq9LFDrpUatRy3U
evnrVqhV14FRZDoJUguYO6Lwikc+o4Tssow2thWZZiHFlUvyB8EjmY+1KYE+
shjRTkRhsDZtkgjHQILVxA5nXKLDysFATqDqyEd7K7HwT8vCfI+A9seB5m06
7g+kPeaVhUhyNlUYtyPU97g3RsnMIdXpFil1vJXJPF6Acqluiv3vYRGPR18h
nqV/h44gEfW59qJ19LxAUqi+ap9of1lK6PIvXSpY0In2+hqSTjvITRaRnkTg
TYeUzkm3PjmiPDKlfE1BvJ81Cbv8GAWn0IV5m6Hq9QOG8ryN47ssFyGI01TJ
dW8B5l2+ftna98do1aJPn/lW/z2FJ58WnCeg34+KKNYjld49Ohx7ML+LywdD
eHDj9z5N5tnTitftzR99SgUXX6r7pw1Jgc+LsX5WT79ftR4U5SKte/gpEEPj
wQm+0d7ojcnyQ/NB/cZnz04dN/LxUNzzE/fMEeeRa52enIkT4bi2G/Zivc/O
ToUdRPaJLU6ePzt9dnIaOT6eVeufnbnucwsG8PRT8z0Ovcf17OhceAGo4Wfi
xDo9Bz3sPLcix35uP3dCv/ee05Pg5PnZie8+Pz07t2wrPBXCPfXs85Nnz30r
EI9hRI0Z/MKa/zaJfJDCo6oAtSQt6+sa8yHaE5jzatHesod43Kca+WBYgFRE
frDR11SdPKB5A+QXHmxfooGd0D1ro3s+jO7paIiwqN/fhuFsexjOezCcGWD4
dnudBhehYa9zF0lZPV0/3HuV7TgGAbYzUmM9J8QYUhugJ7YNPfEBemJ7WIsV
PbFt6GnIrGPb0JPJrBtcx4aWo6X0Gs7MUEfz7r6gbMCrtNWCsu0FRH9B2d7m
Pywo215A9BeUbS8gTAtaYqatSiKZjcRt6n43sFq3OEDz4LcmSHtyqAuWMG3s
fc8P1iC6vvOudQeMuFWHsJviccRqq7Kco8GqKKKydqVtua7tCC8U1iaWb6kO
mxZw1/KV8K+PR7uHvu2ngeUnfpVdKZTv+W7gWSG82ZYe6F24G3sgLMsWNvYj
jpMSMVR5pdJNHaEAOSQyFVIjhzRNCChIW8gsTmKZlEAhraxy180sQaNDfKA0
PoiFtBKF+CBDfJDZGeCDRAYyq56TvpslqUJYkAAsSDxbyTgjWLBNIafBRBxj
4Sa9bgZNU7sCiOX2k1Bs2O+9uYRiO0GYjoR6aAfl5hKK7QRhKgk1UD+rWE9j
yQ7MDFaY8gdjxRxOgWZzZgwLbJJFC142ao6vb64vX3rHMZOUKY3T6knDbXsP
ydTmnuMbtMrrkvOlGdu40paLpwAE9afacN30LOtSphY4spQOetrr5ooA+byO
cNfGd5VZdqhTErvBIZVYgfZmd0UeG95U1dY/7ObBpQoDKGJTVdcR5xhtA9Fa
3MhbMFUr455/0VLtjiJSZjLBzEaMUivz5Ew1WB2hI9yb92DACjoV6q0gSbt8
kiKVqIVmNX7ZrmN6MLGjJ+2ST43l7AtPu9pqJdfjxrQ07L55ef7b1ZvL85NX
mmG+rY+++XKjk94qDZuKMMbqdY266vstVLVHe18Ne+0by9M98bk1kRuUEv3a
vnnbrnzzW5ZjbAzKfC5PY2hj54pY38i1b5lCO1qdbEU5V0wTU8iKouPmYomh
CJiVFKIOBvs36qbPrTtXRKBc+hXlhFp9VIBmm7yLtNHoUit8rdnEQFejEBEA
BvGmVIRc0qkCAQWPYvbUJrqiCtvtxD939MQPb3972+zSYRsLdr8u6ah30AiV
X17McYdxXtY6Z+RFLuPviNjKUJNmm0eGmGgDqblNy1bEDx4ztcUiNMOkHTYY
9efsEPXnVEexisO2/Cm08Pr4M8NpurbbPE734WOe+DqNBZic7e1WRBy+t1sR
5AHb260Iz7K93YowP2zQDaTX1byDlGYYPhVbOGeKjjcAXJ8K5A+ga4v2jkRa
plf6yDEw+tAuIrQiH5aIRVRwKIzwQRcWzaUzFYAtpEH8NqhsLLJuv44x6hjf
pGNDAUSN2h7/1gKImhlV2wYQNZ8dDyC6GCw0SqfvAMPo1D07xH1HmHUsBU5h
8b5PrE4lX4HBQoe2Sm2SHQ4mPIQWkxHKF5dSyqA1LDsVEpMbY9Favd43gAh4
GGQHan/KHYSeo9whBZDSqbkRRbFiNqGgYzQpWiqmejgpFSbyfTqhxMayRsCo
MSXgBBmW02lljm3d/40CiHw6xETRuSSgfjDQjsLtQM7iFQdZAU8Tcuj86pgq
7TkYtZuSVEJmipmTkBpzqJSYTWejSPydhH3Wudg2aghPzjJHDdE3Omro4rfN
oobqxr551BC9emgr2zssTkXfPm6o6V79XSKHijkdNE68ur50przY8j3lu0kg
UiH81LOsxBYp1Q3w08QNQxtWzorgpqgqF5lmYZQKV3puJpQXyc0Dh6hvY4FD
ZQz7HiqElbptRIWMBw7pXg6kCLsoC6XghZCjs0Cx2HWCfAk2B3CwleL1zCfZ
Q5W0QfUDC4IEUjYm4wBIgJuxOBZVC1QUp49FhFslxJvcNho4NHrizddkc2Ts
PWONqN1urFE164f0inWRRt3bayvm4ret4owuDNHxF+04o4vtouNBN1pUjM2j
U9vjBPEkUCkeMEBpgFh6zSJ7xEcMCfQMtwV0/qKMseJaGuC2uQgRPdp0sBwg
bYTobisHu/pQTepQemKEegL0tKDK4Bhb5KH+wHp9LsZ2x/RyRcAWbWYb+wia
EjApqBZQ+SJhipBsQr5wPJ2TdKfqbnUNJuluE2bkFFtXztCRj369KdXecnKa
YUZOe/P8ohTo5V/a6enUYUYXO4QZibgTZnRhCjMScRVm1I8zMmVV9+OMRBM5
1d192DgjV0w8a+LYk+eg4Z5PnGDiiIkT9WKO/seIM4JV+sZxRiengXcenZ+e
O+ee9ez5aXh+5ltOFIVh5AnhWl2wwb1TN3j23PbPnke+71snri2i8PSZ61jB
8+D8mY/xP4Y4I//cOzv3bdsJwxP3WXgSCvjsuPD6Myc4P33Wf484ccLgTHjB
uX/2zDkVJ5Fz9lzYz587J8+hn+vijDqBRsbCAVal8/U2XUBlax0KYMRSuBZ9
cKiOaormOPwIKh6iPzjk5ik+CFZ8iAbdBiLuBhv0TAW2vanAe6YCK02F2m2w
PaZnPUzPN8L020UjGRxGI9FI2wjU6un6YYNvyjOIuZ3hH+u5Nsbg3wDNsW1o
jg/QHNuG5obMU7YNzfEBmmP72ZGa5tgamhtc607Ekhs0nETa87bHorMBf9ZW
i862FzT9RWfbC5r+orPtBU1/0b+l80AjtG8f1EQqpoSH3cim5qHeTVxYRzbV
oU3jKHI0tMnZOrTJGbPH/U5ok4gx+GcT27zUwE0bvWubY2hTEDiuI0TqeI4F
v53yOQdb810ffnv423GcgH4L+h11Q56qkKi4Dn2SSQCvVYlylGfFWRKqtAVi
vMStyszHme2nGWEXSdgliRG7ZIGKfR3y5CsvVRqqSLfyN4SygCzwstQJVBJ7
QgJCSQGhwEzETiJk5KSZsLPMkVl1akASPnDok1Gt1TV9qFbifqKODbvuNxd1
bCdM1RF1bCdM1RF1bCdM1RF1bCdM1RF1bBRTjYRHOQOxRJIOV8BjFTLa8qFx
O9FIM6PhQ+ub2yA8yinDo5zR8KivMCRTm3uOb9idUO+POr34KKctXGsze9Oo
KKcVFeWYo6Iu/q1GRYGVu1NUlIiHoqLwmx2josRQVJRJrlamCcYEbEI/o94o
meeLZEq+QDSNWrVPS6I6qYjpb5okHp3Pk+X97cp61Dsk9Ss60+mLvzcPWjcy
U20+hQ7Gt7i0te87qEmCiHIFSXa61iY6h222XbzZruzozHe9f9rBXJ2k/BLh
2Dag8HB9fAVO6EuTQ1Hv1TilKds78Br/W7PF03zmsMQX7QOuy6ENHRJtOkeh
G3c2DiGdB9vSqY/A5nzXQ7BN4zOHoJkYvxF65nyrzSHTztDLrpqsz4QE4ePQ
QW0enZmE5W6o8rUgRANoy44Q4ADwwU2g7pmQu3DKfEHa6C8PxCzY8BC3uCW3
TD8Yzh9ewy2NZypmqa8VtKQHtwe3UPdH2MV9OHZxNjE0th+gkV1omGP84n4j
frFSEyTU3WtxTH2Gt4eReHhYIEWXgY4KU6oFRecFOinaS73DUxuMYgzVdBAs
PdaBNQikHiMb0E5Bqbe5xBNbVMq6XNA57oU2fCpA1kSXQGlpOkVOkzNCDqid
D0vNVZRBLXnzyBwP2p2VCm+DKQRDT21K0aAT2/AgLR8L53s+LkxMV1SAAW5R
irfZzQ24CsC0itr1YjibXTk2BGWa0FcF3T06WHKvbg6ETbo7hE26Vdikc9he
pgKmrw+bdA2j9eyGr/LhA9r4KKTVxjzbb4NEf2D7bZBoY57tt0GijXm23waJ
NubZ1hsk1Se98ANFqKjyMnQcKybT8sI6ADXD0skMA2Zjm2YxxZURAUoyjFf1
MIjVozNPE4FgBUAAzDrwAIZ/Ovi4nbTPQu90Z21g5X49Y9QzvlHPmqHO7oan
ohg4qX0qyppkJ7dnzLttva1N8qrCdvO+Xd68zg50KzvQ3cIOjGXmWzKNEwAS
WaKCMJKZ8GLbCmUqhQg8L/Asz088kdiJsCpnrC9FKl3pu04Y2UnsmuxAE41s
bQeOEhHbjLw3I6LRmR9Bt1reV8ug4ycfxCZ0uSEEUG8jhIRz3QGr0Ih0m/sP
rae+nlnIOmahO4Zzw69PlD2z8BsYhQbuboDccBOyHpeNbAOyHjIK3SGjELQb
YB+XijX5KSUIOHh4qk3KNKSiYaArZYDAQKgHYBsCog/COPo/gLjuEPdEJfcY
rcSNOKj55Fc0FVnXVBxloejhWOgbm4rjXBR9Iy6yTCX1de/MlmIUYiytFyEc
htd7VI428TEIVxEeB9TZO9FlXVKf+/CWomuyFN3SUnTblqI7YCm6jc0YmEIr
wLnE9CgL5xWM5SgzmH/uxuafazL/DITS3LhZ3w8Cj8jNC5BUOE78rD7hISKw
Ip+/g8sTuDwpL+EJveXt46HOo4HOBB2LZgakUlBKpbGw/jVi6ZsH9ddTMyil
ggeTUnVI/5bpxpsN1SisygGP5QkE30rrt/ME2mHX1MmBPJ6Y2iPXFlx1SFRh
MewMY8IFnVoSudgpjypKRhmWeXQyzKbE81Z9TO8H+J4pqp8dYSlnPG1bF2Vu
9ogE3s9Xpz9fnvNXsDLAYlc63h2pqPMFViHHM/nKCqLtqH2M2tFMKjts6B4J
XZ3+8+cx9mu3cgCUEqtZFWhzyFtIoMejpTw4HH6uoMKWQOkWRC1WpoQqrXt7
74QbDwHaHZIJty7bxywcqInfSTbgbZ3JGBQSttWzVn8v7q6628/+rjhc0jFX
Y+xXtzJQjDtDweCRHwldyj6dS0DHM+GBpAmeFhRKspYpYzcJEVgEEg8xsD38
NkiZS6nEIGzgKRAwoYd1gyObq/6hmwWvvS4jAHLNm0ScZa58eVMVJpCPqLyT
8RMhsHENR4AkXrRmPkfTAA/CgvaKNyLbt4LWjKmoTUDQOw/9pD5lHfDOE2Yb
l6b5GPWq+9jE7uK1G0BbiE6IfzUlGY8iomEV47lSCPCeXsLM3U7hBn5xlrOh
VEKMlRgFD6e6cCt2RNtVK4KRddslnedq+QFFlD63FK/ojjRuSWb4jA7AGDot
CQRs8crOkaGtGAn9BEVZzj8gVK26prvR7iHe3QKS1I/HeXvG8E7jAYGtA41O
dYLJ+vnQgx2dD91X03w47fm4WD8fljJOh+5Fdzqc1nRcUTc2no7W+XjDSnab
ENgWa4wHwo6xfiHhjd35vqeDS922yJPFUr3tebNG1HD56MizPW1YP12oRNOz
VfWa/peYcH+PTCzvZqu1XqSuiGJjinJg/Tao4vP13F49mTquLI1d7uPiRnEe
VJpGsWxuyuy7ChNsJ5LossJq6VQRALAncB+WxKA8f7DKAeHSEb0daW7AnFsF
im/OJe54sLiBS7AzfR6x2zyCh/VszCQbPNu3Jz/V9qTxuTZ7NL8bx2T90a7n
A70+w7CxxwVVMPUuqLH/8iNjurihkyN0T8fVmGN2TQ0Zo12xFo2DRW/cmM62
Ekj0Wbf+z0tg7l/o3HPG8LM+A32whsGLdR6Lgq7UvW70oDR6+JPjcY+Gtlzs
hpXUNj42t1oeymjJ7uY0CVUXtT+/HCo0288e6twyFHBl4cYwgPIs5bE+LTfC
Qj+pT9nMPu49WwK/ivFocYPLceB1/TzFOmvJ4ju/lpHTufBhlxT+vkk9w+xX
85+0bNsLszQOhRVGVpL6sbL9yLdEHMaJMpRhqDpQeeMyZIKB+W2dqorVmxJ0
YKQpns2W2pTOHuMOvPBxTyOz0QzyyFGSRniEG574ZWEQhApgVhhojcynPX8X
dzz8FBu0O0UOTqhDjanoWbS41ZEX54+Wdr6cq49lMtAfwMCnVcMVbn6L9hYw
ABUUIjRLcqHv+/zSjoHewK6FVYgdPIEvoGJXUYAeI5suuj5GRmQRRnNkdJCJ
CDG0Csti0Rk1sYerE0mGJOygtymkABD4E51SIbS2Kezt+ZD0CrbdvaNY1aAe
TRCyBxL7E98AkAPzTm1MyOymKR/HRaN8UsshoHiYd5sigkIbw2MEnQ3kZBim
ElDMDNyQuOTl2wwn7TGtGtysm84GmuhPZBNq7DmT5Gscm8dK88JE4ek2Edan
AIGCLlMf60jV0/Udv5gDupim/M1SJqB7+OfvcpVMsHyImkz1d19wWtGbUuje
KkWjODCFNFZxb7lNWhXrkgRQZ1MJxuMU774BM1Jj0I/T2YwSJPCORa5oom7u
APBgsIi850v1D3glnlpO5Z3eobQacJQewheXz0/DyI2qPyLLc/APbBaQw+tJ
aFkTzz/RSRxT8hD9A18neX4joS+5InXbHFY6zTJYSOj8Usl8QXkpxRD5zfTd
9QrFZzF2bYlTJbPV/W1rWqarKZ6tTntfJHQXK3QNZVM1S3M97mLekB4+qtns
iF+0Zgum/3pxN4MbYdQ8v0N8uODJtUrek9bLpzfTmVwOvBkoDAd4/uIMQITh
rUeEwc7L3azz5XKBbrbv4OLV3fJ2dge3L5ewJM0Nr+JhxkoaMnz51qbqGfjs
ET9dLJe4oNV9lNTSOiG4vdgl2vPWu8krmr5oEyJ04MCpN/tc3JSwygC5wMVz
4W0HSwnFEoNj8cDVGP2WHhU5pEqVKPpjn3ybknsxc1K8zffoXDM6TCoOyhjF
kI42CzHUUAKGaYYfNCezt3lodMsZZta10VjE3UasiUKOG/O8WgNTWWU37TuV
e88jd1K24TzSqNsGwxhhascr+V3rKezcFlKIJtx89cvFm/Mrmk0xMJVimCq/
1lTq7vwOVElT+QYhe+E9bE5kq/5iPZUoY0q7ZHU9XQJ9aknFD354++uTIUZv
+igfhM2DNm0GNJsYBwsWaISoDifXoYqJXlEQFb99jvG0+ja8Aa6fc/+U7FaX
bjsvH6TzX/1T+nmOf2Jkb282/7pcwLjmdzcxiHhk1ZaAK6Yqr6ezvrP8rsxd
bD1ZT6vpgZzbQ5Pq7Dypgh+4FSj7Nketu8+2rBxcCwLMx2xSb5FUqvWdQZYW
6eMCN5Jtq/EEbiC0ClKbKbp6ckDQejuI2lYFe7sKQRVBt7cbVa8fVTnrpkfX
BN56VpwBafk15kM05kN3b6NpQGxziuFHi8lS6SSIEuHoOaK/cHQFQh8WffUN
g8LvaqgUbetvgORkieiat68nDkAT07zlWs1oFGtb4xNYLUjdzU+N4qhEtIXW
GVqkYKR96kN5a4AlEvXNFdZeI6Drqtmo8cg+tkP82UnvsRJF7K73qnUHwD29
xZqNejmqRHGC3vXqtydzrk9UzfknmIPP/9//+X99gSm6PeKXILCnS00TlLv9
if+J35onPBpd0NaEe0c+UIKjb29ZM9upRT3ZWVb/WFb5Yzc+m39wL6T57NBP
D/oOzfXtYjpfDU8xMVVhJQJtU/xhMYdSP1uWkNb1m6lRwxrc/ym/u/2z+NNT
/Eev13/F9fpE153i+v8MjeJ3//F/p+/g75gf3CxSfvvkD7Z+mA+rEJRgFliK
ytOl0+ZB9mHlU4lH0GNxeQfrZgYpOt/h/jhgmY9PgZSEP6EpVLkJPhKQGA2o
xKor++t3Wq8WDmG2+AhmeopGCn0jPM+ODF8XboBMTmfa212brGCRTv5FLRel
p3uHCd5q6spEDQxo2oCCez9sk9uCMdKvxfKrk1OzUmkplP7RQk+0k6F+wnx0
UysgpaV3kCLxYrMcDygDVBm41TSqHaKSendT30FDe6Pqdpuqe0NpUSINs9Nh
Y2OEVC+MmP5GGvxd9GErBV9ztp2h0x+tlQABNKgvAMd+SKFTAncLsBiyPuxA
YgBmQjsEoDZDD3dvooR2T2xUgIFPsd02nV6tkVLS04H8p8V8kmLA1M10Ps1x
otHoKPTjL+iUwP4u74GjG8ZhPf22P4mnjcm16ZhtiwilrqFTr0Kx59V+ZfU0
PDewDmMmTGsdGiGVDYeglkJYmBn9b6gQKEtt+e5O208ZURtFw+RlXCSZYTfy
H4vSqyaqPXZP47GVfJeTO3ep1U1a7KdI8tYtV/jhdpHn03im1tFCFQtezeAe
DgG2OzDCdb+Y06YryItJ5bNuek/q5Z+uuZNHzzFAEIby/HnH2/I3/5CLv5v5
E8Gh/1COlxYMbfbvd4Ch3+Gg7pbT1T3MwzyfgsYs3L3kiKdvSv97ukiIWs0O
eL1BPMQhH6/RwV62SMlPjXehY/peaxY8aAMPuaAiSdoNAQ9WL0rknEoaqaqJ
ug44csSrX67e8J9+foN33OUqPaI9hpOfTvrDm8q5pKHhRgky0Xyh72x3DlqY
TCawEsl7lEr8JHk/X3ycqfSddqN8Pi78ISr9/tF88Ug3WWTTgqTHjQeKZpPz
9+QEv1ULGAr/oJbT7L4quc6BIFZwMVnhUzCUp7pwyGo5je9WBQHqRDGQXItb
6F48neFc4oO6/DYWnoJPxwghT6+XKNvknJ/c5P/6f+f5F70v8fnN9Gaxuobl
nkmY6vLq1UplcO8LfGjxL4sP5fXL6XsJKu3Fv/63d7O7eVpe1q2D1nq5uJvJ
G1m183wp5yCxE8lfy9niJgbWLL/6cZpO4fIige6X116jGOYf4M0I1a5Wi/df
6h2Tz69AZqoZ/4uazmZqtVJfiLVwNbLZHeCh/x9fLpTNS3MBAA==

-->
</rfc>