From: Dan Harkins
To: "cfrg@irtf.org"
Date: Mon, 2 Jan 2017 21:07:26 -0800
Subject: [Cfrg] Fwd: New Version Notification for draft-harkins-pkex-03.txt

  New version of the PKEX protocol... changes include cleaning up of how
proof-of-possession is accomplished and some new role-specific (SPAKE2)
elements for some popular FFC groups from RFC 3256.

  This protocol allows for the establishment of trust in "raw" public keys
to be used, subsequently, in protocols like IPsec or TLS.

  Comments are solicited!

  regards,

  Dan.

-------- Forwarded Message --------
Subject: New Version Notification for draft-harkins-pkex-03.txt
Date: Mon, 02 Jan 2017 21:00:19 -0800
From: internet-drafts@ietf.org
To: Dan Harkins <dharkins@lounge.org>


A new version of I-D, draft-harkins-pkex-03.txt
has been successfully submitted by Dan Harkins and posted to the
IETF repository.

Name:		draft-harkins-pkex
Revision:	03
Title:		Public Key Exchange
Document date:	2017-01-02
Group:		Individual Submission
Pages:		30
URL:            https://www.ietf.org/internet-drafts/draft-harkins-pkex-03.txt
Status:         https://datatracker.ietf.org/doc/draft-harkins-pkex/
Htmlized:       https://tools.ietf.org/html/draft-harkins-pkex-03
Diff:           https://www.ietf.org/rfcdiff?url2=draft-harkins-pkex-03

Abstract:
   This memo describes a password-authenticated protocol to allow two
   devices to exchange "raw" (uncertified) public keys and establish
   trust that the keys belong to their respective identities.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

From: Sean Turner
To: IRTF CFRG
Date: Wed, 4 Jan 2017 16:55:44 -0500
Subject: [Cfrg] Help with the use of contexts

Hi CFRG,

The TLS WG is nearing the end of our journey moving EC-based algorithms for TLS 1.2 (and earlier) from Informational to Standards track [0]. While we were doing that we also added in 25519 and x448 as well as EdDSA.

I’d like to get some input from the CFRG on the use of contexts; the "context label" is a way to provide domain separation between signatures made in different contexts, avoiding cross-protocol attacks. s10.3 of draft-irtf-cfrg-eddsa includes the following:

   Contexts SHOULD NOT be used opportunistically, as that kind of use
   is very error-prone.  If contexts are used, one SHOULD require all
   signature schemes available for use in that purpose support
   contexts.

This is great advice for new protocols because it’s easy to make all the schemes the same, but for existing protocols like TLS where there’s zero chance of obsoleting the existing signature schemes and defining new signature schemes with contexts it makes you wonder what “opportunistically” means. I.e., would setting a context parameter for Ed448 and no other already defined signature scheme be considered opportunistic?

spt
(as document Shepherd for draft-ietf-tls-rfc4492bis)

[0] https://datatracker.ietf.org/doc/draft-ietf-tls-rfc4492bis/

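Added illustration for the context question in the message above; it is not part of any post in this thread and is not code from the draft. It implements plain Ed25519 and Ed25519ctx as specified in RFC 8032 (the published form of draft-irtf-cfrg-eddsa) to show what the context label does and does not separate; the key, message and context labels are constructed placeholders.

```python
import hashlib

# edwards25519 parameters (RFC 8032, section 5.1)
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = -121665 * pow(121666, p - 2, p) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)

def _add(P, Q):
    # Unified addition in extended coordinates (X, Y, Z, T); also used to double.
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B_ = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = B_ - A, D - C, D + C, B_ + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def _mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = _add(Q, P)
        P = _add(P, P)
        s >>= 1
    return Q

def _recover_x(y, sign):
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p:
        return None  # y is not on the curve
    return p - x if (x & 1) != sign else x

_BY = 4 * pow(5, p - 2, p) % p
_BX = _recover_x(_BY, 0)
B = (_BX, _BY, 1, _BX * _BY % p)  # base point

def _compress(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _decompress(s):
    if len(s) != 32:
        return None
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= p:
        return None
    x = _recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

def _expand(secret):
    h = hashlib.sha512(secret).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

def _dom2(context):
    # context=None selects plain Ed25519, where dom2 is the empty string.
    # A 1..255 byte context selects Ed25519ctx (phflag = 0).
    if context is None:
        return b""
    if not 1 <= len(context) <= 255:
        raise ValueError("Ed25519ctx context must be 1..255 bytes")
    return b"SigEd25519 no Ed25519 collisions" + bytes([0, len(context)]) + context

def _h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % q

def public_key(secret):
    return _compress(_mul(_expand(secret)[0], B))

def sign(secret, msg, context=None):
    a, prefix = _expand(secret)
    A = _compress(_mul(a, B))
    dom = _dom2(context)
    r = _h(dom, prefix, msg)
    R = _compress(_mul(r, B))
    k = _h(dom, R, A, msg)
    return R + ((r + k * a) % q).to_bytes(32, "little")

def verify(public, msg, sig, context=None):
    if len(sig) != 64:
        return False
    A, R = _decompress(public), _decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= q:
        return False
    k = _h(_dom2(context), sig[:32], public, msg)
    lhs, rhs = _mul(s, B), _add(R, _mul(k, A))
    return ((lhs[0] * rhs[2] - rhs[0] * lhs[2]) % p == 0
            and (lhs[1] * rhs[2] - rhs[1] * lhs[2]) % p == 0)

def demo():
    secret = bytes(range(32))                  # constructed key, illustration only
    pk, msg = public_key(secret), b"constructed transcript bytes"
    ctx_a, ctx_b = b"hypothetical-protocol-A", b"hypothetical-protocol-B"
    sig_ctx, sig_plain = sign(secret, msg, ctx_a), sign(secret, msg)
    return {
        "ctx_sig_same_context": verify(pk, msg, sig_ctx, ctx_a),
        "ctx_sig_other_context": verify(pk, msg, sig_ctx, ctx_b),
        "ctx_sig_checked_as_plain": verify(pk, msg, sig_ctx),
        "plain_sig_checked_as_plain": verify(pk, msg, sig_plain),
    }
```

The context-free signature verifies wherever the same key and bytes are accepted, which is why separation only holds when every scheme usable for that purpose carries a context.
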
From: Mike Hamburg
To: cfrg@irtf.org
Date: Thu, 5 Jan 2017 09:04:34 -0500
Subject: Re: [Cfrg] Removing the magic constants from SPAKE2

> On Jan 8, 2014, at 6:19 PM, Michael Hamburg <mike@shiftleft.org> wrote:
>
> … The goal of this post is to suggest that a SPAKE2 variant might be a suitable standardized PAKE now that SPAKE2 itself is out of patent…

I have been reminded that I am not a patent lawyer, that I am not aware of all patents in existence, and in general that I should shut up about patents. If you are thinking of deploying SPAKE2, a variant of it, or some other PAKE, please consult your legal team to do a patent search. Please do not rely on my statement from 2014.

Also, the “Elligator version of SPAKE2” that I’d hoped to deploy is actually something very old: it is an elliptic curve instantiation of PAK:

http://www.iacr.org/archive/eurocrypt2000/1807/18070157-new.pdf

Happy 2017,
— Mike

From: Dan Harkins
To: cfrg@irtf.org
Date: Tue, 10 Jan 2017 16:22:23 -0800
Subject: Re: [Cfrg] AES-GCM-SIV with a new key hierarchy

  Hello,

On 6/24/16 10:10 AM, Gueron, Shay wrote:
> Hello everyone,
>
> I start a new thread.
>
> It is a branch off the one entitled "AES-GCM-SIV security of the
> additional data" and initiated by Daniel.
>
> It combines Kenny's inputs about having two separate keys and the AEAD
> interface (which he raised at the CFRG meeting in
> Vienna in May and also mentioned, in the previous thread, that
> concatenating 2 separate keys does not solve the problem that Daniel
> raised).
>
> It also addresses a comment that Bart Preneel made at that CFRG meeting.
>
> ****
>
> It is possible to define AES-GCM-SIV with a standard interface that
> has a single key (say, MK for "Master Key"), which can be 128 or 256
> bits. Basically, by adding the following key derivation step:
>
>     Using MK, derive two new keys K and H: K for encryption and H for
>     authentication.
>     From that point on, apply AES-GCM-SIV as it is defined now, where
>     (K, H) are the keys.
>
> Note that K and H are derived statically from MK. The "record
> encryption key" for the encryption depends on the nonce N, via another
> derivation, as it is currently defined in AES-GCM-SIV.
>
> Note: the derivations are different for the 128 and the 256 bit keys,
> but such derivations are already in use by AES-GCM-SIV.
> With this, AES-GCM-SIV could be used with the protocol Daniel
> described, and would address Kenny's comment on the AEAD interface.
> (I guess that it could be better viewed as a drop in replacement to
> AES-GCM)
>
> The cost is the additional key derivation. This cost could be low if
> the message is long, or if many messages are encrypted (so that K, H
> can be cached).
>
> An alternative would be to incorporate the nonce from the beginning,
> during the derivation of K, H from MK. This will modify the record
> encryption key and also the hash key per each nonce. In that case the
> extra derivation of the record encryption key (per nonce) could be
> skipped (but also could be not done).
>
> I would appreciate any comments on this.

  Why not just have a single double-wide key the way AES-SIV (RFC 5297) does?
It's 256 bits or 512 bits. KDFs are good at generating streams of any length so
why not just let the KDF give you all that you need instead of doing additional
derivations inside?

  regards,

  Dan.

>
> Thanks, Shay
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

From: Shay Gueron
To: Dan Harkins
Cc: Yehuda Lindell, cfrg@irtf.org
Date: Thu, 12 Jan 2017 12:01:16 +0200
Subject: Re: [Cfrg] AES-GCM-SIV with a new key hierarchy

Hi Dan,

Thanks for your question.

In general, some KDF is needed, in order to increase the number of times that the algorithm can be used with a given key. So, we start with a KDF that has a master key and derives a new key(s) per nonce.

The "cascade" method we use now is also some kind of a KDF, and there can be others.

However, your timing with this question is fantastic. Indeed, we were not satisfied with the serialized nature of the current KDF, and are working on a different (better) one. This work is coming to an end, and we expect to post the revision of AES-GCM-SIV next week.

Thanks, Shay

2017-01-10 16:22 GMT-08:00 Dan Harkins <dharkins@lounge.org>:

>
>   Hello,
>
> On 6/24/16 10:10 AM, Gueron, Shay wrote:
>
>> Hello everyone,
>>
>> I start a new thread.
>>
>> It is a branch off the one entitled "AES-GCM-SIV security of the
>> additional data" and initiated by Daniel.
>>
>> It combines Kenny's inputs about having two separate keys and the AEAD
>> interface (which he raised at the CFRG meeting in
>> Vienna in May and also mentioned, in the previous thread, that
>> concatenating 2 separate keys does not solve the problem that Daniel
>> raised).
>>
>> It also addresses a comment that Bart Preneel made at that CFRG meeting.
>>
>> ****
>>
>> It is possible to define AES-GCM-SIV with a standard interface that has a
>> single key (say, MK for "Master Key"), which can be 128 or 256 bits.
>> Basically, by adding the following key derivation step:
>>
>>     Using MK, derive two new keys K and H: K for encryption and H for
>> authentication.
>>     From that point on, apply AES-GCM-SIV as it is defined now, where (K,
>> H) are the keys.
>>
>> Note that K and H are derived statically from MK. The "record encryption
>> key" for the encryption depends on the nonce N, via another derivation, as
>> it is currently defined in AES-GCM-SIV.
>>
>> Note: the derivations are different for the 128 and the 256 bit keys, but
>> such derivations are already in use by AES-GCM-SIV.
>> With this, AES-GCM-SIV could be used with the protocol Daniel described,
>> and would address Kenny's comment on the AEAD interface.
>> (I guess that it could be better viewed as a drop in replacement to
>> AES-GCM)
>>
>> The cost is the additional key derivation. This cost could be low if the
>> message is long, or if many messages are encrypted (so that K, H can be
>> cached).
>>
>> An alternative would be to incorporate the nonce from the beginning,
>> during the derivation of K, H from MK. This will modify the record
>> encryption key and also the hash key per each nonce. In that case the extra
>> derivation of the record encryption key (per nonce) could be skipped (but
>> also could be not done).
>>
>> I would appreciate any comments on this.
>>
>
>   Why not just have a single double-wide key the way AES-SIV (RFC 5297)
> does?
> It's 256 bits or 512 bits. KDFs are good at generating streams of any
> length so
> why not just let the KDF give you all that you need instead of doing
> additional
> derivations inside?
>
>   regards,
>
>   Dan.
>
>
>> Thanks, Shay
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

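Added illustration of the three key hierarchies discussed in the two messages above; it is not part of any post in this thread and is not AES-GCM-SIV's own derivation. HKDF-SHA256 (RFC 5869) stands in for the unspecified KDF, and the `info` labels, the 12-byte nonce length and all key material are assumptions made for the example.

```python
import hashlib
import hmac
from functools import lru_cache

KDF_CALLS = 0  # counts KDF invocations so the cost argument can be measured

def hkdf(ikm, info, length, salt=b""):
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    global KDF_CALLS
    KDF_CALLS += 1
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def split_double_wide(key):
    """Double-wide interface (as in AES-SIV): the caller hands over K || H."""
    if len(key) not in (32, 64):
        raise ValueError("double-wide key must be 256 or 512 bits")
    half = len(key) // 2
    return key[:half], key[half:]

def _check_mk(mk):
    if len(mk) not in (16, 32):
        raise ValueError("master key must be 128 or 256 bits")

@lru_cache(maxsize=8)
def derive_static(mk):
    """Single-key interface: K and H depend only on MK, so they can be cached."""
    _check_mk(mk)
    # One KDF call yields the whole double-wide stream, which is then split.
    return split_double_wide(hkdf(mk, b"example: static K||H", 2 * len(mk)))

def derive_per_nonce(mk, nonce):
    """Alternative: fold the nonce in from the start; K and H change per nonce."""
    _check_mk(mk)
    if len(nonce) != 12:  # fixed length keeps label || nonce unambiguous
        raise ValueError("nonce must be 96 bits in this example")
    return split_double_wide(hkdf(mk, b"example: per-nonce K||H" + nonce, 2 * len(mk)))

def demo():
    global KDF_CALLS
    mk = bytes(range(16))                                # constructed master key
    nonces = [i.to_bytes(12, "big") for i in range(3)]   # constructed nonces
    derive_static.cache_clear()
    KDF_CALLS = 0
    static = [derive_static(mk) for _ in nonces]         # one record per nonce
    static_calls = KDF_CALLS
    KDF_CALLS = 0
    per_nonce = [derive_per_nonce(mk, n) for n in nonces]
    return {
        "static_kdf_calls": static_calls,
        "per_nonce_kdf_calls": KDF_CALLS,
        "distinct_static_pairs": len(set(static)),
        "distinct_per_nonce_pairs": len(set(per_nonce)),
        "k_differs_from_h": all(k != h for k, h in static + per_nonce),
    }
```
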

From: Yoav Nir
To: IRTF CFRG
Date: Thu, 12 Jan 2017 08:24:44 +0200
Subject: [Cfrg] Fwd: Rev RFC 7539?

Reminder.

Is there interest in pushing this forward?

Yoav

> Begin forwarded message:
>
> From: Yoav Nir
> Subject: Re: [Cfrg] Rev RFC 7539?
> Date: 16 November 2016 at 9:09:11 GMT+2
> To: Sean Turner
> Cc: IRTF CFRG
>
> Cycles found.
>
> Attached please find two files:
> 1. rfc7539_long.txt is RFC 7539 with page breaks and page numbers removed.
> 2. draft-nir-cfrg-rfc7539bis-00.raw.txt is the unpaginated form of the new draft.
>
> Couldn’t do much about the boilerplate, but this makes it easy to compare.
>
> Yoav
>
>> On 16 Nov 2016, at 10:06, Sean Turner wrote:
>>
>> +1 - if you got the cycles.
>>
>> spt
>>
>>> On Nov 14, 2016, at 15:55, Eric Rescorla wrote:
>>>
>>> This seems like a good plan.
>>>
>>> -Ekr
>>>
>>>
>>> On Mon, Nov 14, 2016 at 3:32 PM, Yoav Nir wrote:
>>> Hi
>>>
>>> RFC 7539 (“ChaCha20 and Poly1305 for IETF Protocols”)[1] is now implemented in many places and referenced by 3 RFCs and 8 Internet Drafts ([2])
>>>
>>> However, the quality of the document is not where we’d like it to be. There have been 7 errata filed against it. Most of it is editorial or insignificant, but still no errata is better than some errata.
>>>
>>> So what do the participants and chairs think about spinning up a quick[4] rfc7539bis that has the same text, except that the errata will be merged in?
>>>
>>> I think such a document should be fairly easy and quick.
>>>
>>> Yoav
>>>
>>> P.S: and yes, of course I’m volunteering to write it.
>>>
>>> [1] https://tools.ietf.org/html/rfc7539
>>> [2] https://datatracker.ietf.org/doc/rfc7539/referencedby/
>>> [3] https://www.rfc-editor.org/errata_search.php?rfc=7539
>>> [4] My spell check actually corrected “quick” to “quic”. The contents of my mails are veering far away from regular English.
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg

Content-Disposition: attachment; filename=draft-nir-cfrg-rfc7539bis-00.raw.txt

Crypto Forum                                                      Y. Nir
Internet-Draft                                               Check Point
Obsoletes: 7539 (if approved)                                 A. Langley
Intended status: Informational                              Google, Inc.
Expires: May 20, 2017                                  November 16, 2016

                ChaCha20 and Poly1305 for IETF Protocols
                      draft-nir-cfrg-rfc7539bis-00

Abstract

   This document defines the ChaCha20 stream cipher as well as the use
   of the Poly1305 authenticator, both as stand-alone algorithms and as
   a "combined mode", or Authenticated Encryption with Associated Data
   (AEAD) algorithm.

   RFC 7539, the predecessor of this document, did not introduce any
   new crypto, but was meant to serve as a stable reference and an
   implementation guide. It was a product of the Crypto Forum Research
   Group (CFRG). This document merges the errata filed against RFC 7539
   and adds a little text to the Security Considerations section.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 20, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions Used in This Document
   2.  The Algorithms
     2.1.  The ChaCha Quarter Round
       2.1.1.  Test Vector for the ChaCha Quarter Round
     2.2.  A Quarter Round on the ChaCha State
       2.2.1.  Test Vector for the Quarter Round on the ChaCha State
     2.3.  The ChaCha20 Block Function
       2.3.1.  The ChaCha20 Block Function in Pseudocode
       2.3.2.  Test Vector for the ChaCha20 Block Function
     2.4.  The ChaCha20 Encryption Algorithm
       2.4.1.  The ChaCha20 Encryption Algorithm in Pseudocode
       2.4.2.  Example and Test Vector for the ChaCha20 Cipher
     2.5.  The Poly1305 Algorithm
       2.5.1.  The Poly1305 Algorithms in Pseudocode
       2.5.2.  Poly1305 Example and Test Vector
     2.6.  Generating the Poly1305 Key Using ChaCha20
       2.6.1.  Poly1305 Key Generation in Pseudocode
       2.6.2.  Poly1305 Key Generation Test Vector
     2.7.  A Pseudorandom Function for Crypto Suites based on
           ChaCha/Poly1305
     2.8.  AEAD Construction
       2.8.1.  Pseudocode for the AEAD Construction
       2.8.2.  Example and Test Vector for AEAD_CHACHA20_POLY1305
   3.  Implementation Advice
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Additional Test Vectors
     A.1.  The ChaCha20 Block Functions
     A.2.  ChaCha20 Encryption
     A.3.  Poly1305 Message Authentication Code
     A.4.  Poly1305 Key Generation Using ChaCha20
     A.5.  ChaCha20-Poly1305 AEAD Decryption
   Appendix B.  Performance Measurements of ChaCha20
   Acknowledgements
   Authors' Addresses

1.  Introduction

   The Advanced Encryption Standard (AES -- [FIPS-197]) has become the
   gold standard in encryption. Its efficient design, widespread
   implementation, and hardware support allow for high performance in
   many areas. On most modern platforms, AES is anywhere from four to
   ten times as fast as the previous most-used cipher, Triple Data
   Encryption Standard (3DES -- [SP800-67]), which makes it not only
   the best choice, but the only practical choice.

   There are several problems with this. If future advances in
   cryptanalysis reveal a weakness in AES, users will be in an
   unenviable position. With the only other widely supported cipher
   being the much slower 3DES, it is not feasible to reconfigure
   deployments to use 3DES. [Standby-Cipher] describes this issue and
   the need for a standby cipher in greater detail. Another problem is
   that while AES is very fast on dedicated hardware, its performance
   on platforms that lack such hardware is considerably lower. Yet
   another problem is that many AES implementations are vulnerable to
   cache-collision timing attacks ([Cache-Collisions]).

   This document provides a definition and implementation guide for
   three algorithms:

   1.  The ChaCha20 cipher. This is a high-speed cipher first described
       in [ChaCha]. It is considerably faster than AES in software-only
       implementations, making it around three times as fast on
       platforms that lack specialized AES hardware. See Appendix B for
       some hard numbers. ChaCha20 is also not sensitive to timing
       attacks (see the security considerations in Section 4). This
       algorithm is described in Section 2.4.

   2.  The Poly1305 authenticator. This is a high-speed message
       authentication code. Implementation is also straightforward and
       easy to get right. The algorithm is described in Section 2.5.

   3.  The CHACHA20-POLY1305 Authenticated Encryption with Associated
       Data (AEAD) construction, described in Section 2.8.

   This document does not introduce these new algorithms for the first
   time. They have been defined in scientific papers by D. J.
   Bernstein, which are referenced by this document. The purpose of
   this document is to serve as a stable reference for IETF documents
   making use of these algorithms.

   These algorithms have undergone rigorous analysis. Several papers
   discuss the security of Salsa and ChaCha ([LatinDances],
   [LatinDances2], [Zhenqing2012]).

   This document represents the consensus of the Crypto Forum Research
   Group (CFRG). It replaces [RFC7539].

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The description of the ChaCha algorithm will at various times refer
   to the ChaCha state as a "vector" or as a "matrix". This follows the
   use of these terms in Professor Bernstein's paper. The matrix
   notation is more visually convenient and gives a better notion as to
   why some rounds are called "column rounds" while others are called
   "diagonal rounds". Here's a diagram of how the matrices relate to
   vectors (using the C language convention of zero being the index
   origin).

       0   1   2   3
       4   5   6   7
       8   9  10  11
      12  13  14  15

   The elements in this vector or matrix are 32-bit unsigned integers.

   The algorithm name is "ChaCha". "ChaCha20" is a specific instance
   where 20 "rounds" (or 80 quarter rounds -- see Section 2.1) are
   used. Other variations are defined, with 8 or 12 rounds, but in this
   document we only describe the 20-round ChaCha, so the names "ChaCha"
   and "ChaCha20" will be used interchangeably.

2.  The Algorithms

   The subsections below describe the algorithms used and the AEAD
   construction.

2.1.  The ChaCha Quarter Round

   The basic operation of the ChaCha algorithm is the quarter round. It
   operates on four 32-bit unsigned integers, denoted a, b, c, and d.
   The operation is as follows (in C-like notation):

   1.  a += b; d ^= a; d <<<= 16;
   2.  c += d; b ^= c; b <<<= 12;
   3.  a += b; d ^= a; d <<<= 8;
   4.  c += d; b ^= c; b <<<= 7;

   Where "+" denotes integer addition modulo 2^32, "^" denotes a
   bitwise Exclusive OR (XOR), and "<<< n" denotes an n-bit left
   rotation (towards the high bits).

   For example, let's see the add, XOR, and roll operations from the
   fourth line with sample numbers:

   o  a = 0x11111111
   o  b = 0x01020304
   o  c = 0x77777777
   o  d = 0x01234567
   o  c = c + d = 0x77777777 + 0x01234567 = 0x789abcde
   o  b = b ^ c = 0x01020304 ^ 0x789abcde = 0x7998bfda
   o  b = b <<< 7 = 0x7998bfda <<< 7 = 0xcc5fed3c

2.1.1.  Test Vector for the ChaCha Quarter Round

   For a test vector, we will use the same numbers as in the example,
   adding something random for c.

   o  a = 0x11111111
   o  b = 0x01020304
   o  c = 0x9b8d6f43
   o  d = 0x01234567

   After running a Quarter Round on these four numbers, we get these:

   o  a = 0xea2a92f4
   o  b = 0xcb1cf8ce
   o  c = 0x4581472e
   o  d = 0x5881c4bb

2.2.  A Quarter Round on the ChaCha State

   The ChaCha state does not have four integer numbers: it has 16. So
   the quarter-round operation works on only four of them -- hence the
   name. Each quarter round operates on four predetermined numbers in
   the ChaCha state. We will denote by QUARTERROUND(x,y,z,w) a
   quarter-round operation on the numbers at indices x, y, z, and w of
   the ChaCha state when viewed as a vector. For example, if we apply
   QUARTERROUND(1,5,9,13) to a state, this means running the
   quarter-round operation on the elements marked with an asterisk,
   while leaving the others alone:

       0  *a   2   3
       4  *b   6   7
       8  *c  10  11
      12  *d  14  15

   Note that this run of quarter round is part of what is called a
   "column round".

2.2.1.  Test Vector for the Quarter Round on the ChaCha State

   For a test vector, we will use a ChaCha state that was generated
   randomly:

   Sample ChaCha State

       879531e0  c5ecf37d  516461b1  c9a62f8a
       44c20ef3  3390af7f  d9fc690b  2a5f714c
       53372767  b00a5631  974c541a  359e9963
       5c971061  3d631689  2098d9d6  91dbd320

   We will apply the QUARTERROUND(2,7,8,13) operation to this state.
   For obvious reasons, this one is part of what is called a "diagonal
   round":

   After applying QUARTERROUND(2,7,8,13)

       879531e0  c5ecf37d *bdb886dc  c9a62f8a
       44c20ef3  3390af7f  d9fc690b *cfacafd2
      *e46bea80  b00a5631  974c541a  359e9963
       5c971061 *ccc07c79  2098d9d6  91dbd320

   Note that only the numbers in positions 2, 7, 8, and 13 changed.

2.3.  The ChaCha20 Block Function

   The ChaCha block function transforms a ChaCha state by running
   multiple quarter rounds.

   The inputs to ChaCha20 are:

   o  A 256-bit key, treated as a concatenation of eight 32-bit
      little-endian integers.

   o  A 96-bit nonce, treated as a concatenation of three 32-bit
      little-endian integers.

   o  A 32-bit block count parameter, treated as a 32-bit little-endian
      integer.

   The output is 64 random-looking bytes.

   The ChaCha algorithm described here uses a 256-bit key. The original
   algorithm also specified 128-bit keys and 8- and 12-round variants,
   but these are out of scope for this document. In this section, we
   describe the ChaCha block function.

   Note also that the original ChaCha had a 64-bit nonce and 64-bit
   block count. We have modified this here to be more consistent with
   recommendations in Section 3.2 of [RFC5116]. This limits the use of
   a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that
   is enough for most uses. In cases where a single key is used by
   multiple senders, it is important to make sure that they don't use
   the same nonces. This can be assured by partitioning the nonce space
   so that the first 32 bits are unique per sender, while the other 64
   bits come from a counter.

   The ChaCha20 state is initialized as follows:

   o  The first four words (0-3) are constants: 0x61707865, 0x3320646e,
      0x79622d32, 0x6b206574.

   o  The next eight words (4-11) are taken from the 256-bit key by
      reading the bytes in little-endian order, in 4-byte chunks.

   o  Word 12 is a block counter. Since each block is 64-byte, a 32-bit
      word is enough for 256 gigabytes of data.

   o  Words 13-15 are a nonce, which should not be repeated for the
      same key. The 13th word is the first 32 bits of the input nonce
      taken as a little-endian integer, while the 15th word is the last
      32 bits.

       cccccccc  cccccccc  cccccccc  cccccccc
       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
       bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn

   c=constant k=key b=blockcount n=nonce

   ChaCha20 runs 20 rounds, alternating between "column rounds" and
   "diagonal rounds". Each round consists of four quarter-rounds, and
   they are run as follows. Quarter rounds 1-4 are part of a "column"
   round, while 5-8 are part of a "diagonal" round:

   1.  QUARTERROUND ( 0, 4, 8,12)
   2.  QUARTERROUND ( 1, 5, 9,13)
   3.  QUARTERROUND ( 2, 6,10,14)
   4.  QUARTERROUND ( 3, 7,11,15)
   5.  QUARTERROUND ( 0, 5,10,15)
   6.  QUARTERROUND ( 1, 6,11,12)
   7.  QUARTERROUND ( 2, 7, 8,13)
   8.  QUARTERROUND ( 3, 4, 9,14)

   At the end of 20 rounds (or 10 iterations of the above list), we add
   the original input words to the output words, and serialize the
   result by sequencing the words one-by-one in little-endian order.

   Note: "addition" in the above paragraph is done modulo 2^32. In some
   machine languages, this is called carryless addition on a 32-bit
   word.

2.3.1.  The ChaCha20 Block Function in Pseudocode

   Note: This section and a few others contain pseudocode for the
   algorithm explained in a previous section. Every effort was made for
   the pseudocode to accurately reflect the algorithm as described in
   the preceding section. If a conflict is still present, the textual
   explanation and the test vectors are normative.

      inner_block (state):
         Qround(state, 0, 4, 8,12)
         Qround(state, 1, 5, 9,13)
         Qround(state, 2, 6,10,14)
         Qround(state, 3, 7,11,15)
         Qround(state, 0, 5,10,15)
         Qround(state, 1, 6,11,12)
         Qround(state, 2, 7, 8,13)
         Qround(state, 3, 4, 9,14)
         end

      chacha20_block(key, counter, nonce):
         state = constants | key | counter | nonce
         working_state = state
         for i=1 upto 10
            inner_block(working_state)
            end
         state += working_state
         return serialize(state)
         end

2.3.2.  Test Vector for the ChaCha20 Block Function

   For a test vector, we will use the following inputs to the ChaCha20
   block function:

   o  Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:
      14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. The key is a sequence of
      octets with no particular structure before we copy it into the
      ChaCha state.

   o  Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00)

   o  Block Count = 1.

   After setting up the ChaCha state, it looks like this:

   ChaCha state with the key setup.

       61707865  3320646e  79622d32  6b206574
       03020100  07060504  0b0a0908  0f0e0d0c
       13121110  17161514  1b1a1918  1f1e1d1c
       00000001  09000000  4a000000  00000000

   After running 20 rounds (10 column rounds interleaved with 10
   "diagonal rounds"), the ChaCha state looks like this:

   ChaCha state after 20 rounds

       837778ab  e238d763  a67ae21e  5950bb2f
       c4f2d0c7  fc62bb2f  8fa018fc  3f5ec7b7
       335271c2  f29489f3  eabda8fc  82e46ebd
       d19c12b4  b04e16de  9e83d0cb  4e3c50a2

   Finally, we add the original state to the result (simple vector or
   matrix addition), giving this:

   ChaCha state at the end of the ChaCha20 operation

       e4e7f110  15593bd1  1fdd0f50  c47120a3
       c7f4d1c7  0368c033  9aaa2204  4e6cd4c3
       466482d2  09aa9f07  05d7c214  a2028bd9
       d19c12b5  b94e16de  e883d0cb  4e3c50a2

   After we serialize the state, we get this:

   Serialized Block:
   000  10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4  .....;Y.P.... q.
   016  c7 d1 f4 c7 33 c0 68 03 04 22 aa 9a c3 d4 6c 4e  ....3.h.."....lN
   032  d2 82 64 46 07 9f aa 09 14 c2 d7 05 d9 8b 02 a2  ..dF............
   048  b5 12 9c d1 de 16 4e b9 cb d0 83 e8 a2 50 3c 4e  ......N......P.S.
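The quarter round, the QUARTERROUND indexing and the block function of Sections 2.1 through 2.3, written out as an added C example that is not part of the draft or of its authors' code. The function names and the check_* helpers are this example's own; the expected values are the test vectors of Sections 2.1.1, 2.2.1 and 2.3.2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "<<< n" in the draft: n-bit left rotation of a 32-bit word (0 < n < 32). */
static uint32_t rotl32(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* Section 2.1: one quarter round; uint32_t addition wraps modulo 2^32. */
static void quarter_round(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    *a += *b; *d ^= *a; *d = rotl32(*d, 16);
    *c += *d; *b ^= *c; *b = rotl32(*b, 12);
    *a += *b; *d ^= *a; *d = rotl32(*d, 8);
    *c += *d; *b ^= *c; *b = rotl32(*b, 7);
}

/* Section 2.2: QUARTERROUND(x,y,z,w) on the state viewed as a vector. */
static void qround(uint32_t s[16], int x, int y, int z, int w)
{ quarter_round(&s[x], &s[y], &s[z], &s[w]); }

/* Read four bytes as a little-endian 32-bit word, whatever the host order. */
static uint32_t load32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Section 2.3: constants | key | counter | nonce, 20 rounds, add, serialize. */
void chacha20_block(const uint8_t key[32], uint32_t counter,
                    const uint8_t nonce[12], uint8_t out[64])
{
    uint32_t w[16], state[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
    int i, j;

    for (i = 0; i < 8; i++) state[4 + i] = load32_le(key + 4 * i);
    state[12] = counter;
    for (i = 0; i < 3; i++) state[13 + i] = load32_le(nonce + 4 * i);
    memcpy(w, state, sizeof w);         /* rounds run on a working copy */
    for (i = 0; i < 10; i++) {          /* column round, then diagonal round */
        qround(w, 0, 4, 8, 12);  qround(w, 1, 5, 9, 13);
        qround(w, 2, 6, 10, 14); qround(w, 3, 7, 11, 15);
        qround(w, 0, 5, 10, 15); qround(w, 1, 6, 11, 12);
        qround(w, 2, 7, 8, 13);  qround(w, 3, 4, 9, 14);
    }
    for (i = 0; i < 16; i++) {          /* add original words, emit little-endian */
        uint32_t v = state[i] + w[i];
        for (j = 0; j < 4; j++) out[4 * i + j] = (uint8_t)(v >> (8 * j));
    }
}

/* Section 2.1.1 vector: returns 1 when all four output words match. */
int check_quarter_round(void)
{
    uint32_t a = 0x11111111, b = 0x01020304, c = 0x9b8d6f43, d = 0x01234567;
    quarter_round(&a, &b, &c, &d);
    return a == 0xea2a92f4 && b == 0xcb1cf8ce &&
           c == 0x4581472e && d == 0x5881c4bb;
}

/* Section 2.2.1 vector: QUARTERROUND(2,7,8,13) may change only those words. */
int check_state_qround(void)
{
    static const uint32_t before[16] = {
        0x879531e0, 0xc5ecf37d, 0x516461b1, 0xc9a62f8a,
        0x44c20ef3, 0x3390af7f, 0xd9fc690b, 0x2a5f714c,
        0x53372767, 0xb00a5631, 0x974c541a, 0x359e9963,
        0x5c971061, 0x3d631689, 0x2098d9d6, 0x91dbd320 };
    uint32_t s[16];
    int i;
    memcpy(s, before, sizeof s);
    qround(s, 2, 7, 8, 13);
    for (i = 0; i < 16; i++)
        if (i != 2 && i != 7 && i != 8 && i != 13 && s[i] != before[i]) return 0;
    return s[2] == 0xbdb886dc && s[7] == 0xcfacafd2 &&
           s[8] == 0xe46bea80 && s[13] == 0xccc07c79;
}

/* Section 2.3.2 vector: key 00..1f, block count 1, nonce as listed there. */
int check_block(void)
{
    static const uint32_t final_state[16] = {
        0xe4e7f110, 0x15593bd1, 0x1fdd0f50, 0xc47120a3,
        0xc7f4d1c7, 0x0368c033, 0x9aaa2204, 0x4e6cd4c3,
        0x466482d2, 0x09aa9f07, 0x05d7c214, 0xa2028bd9,
        0xd19c12b5, 0xb94e16de, 0xe883d0cb, 0x4e3c50a2 };
    uint8_t key[32], nonce[12] = { 0, 0, 0, 0x09, 0, 0, 0, 0x4a }, out[64];
    int i;
    for (i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, 1, nonce, out);
    for (i = 0; i < 16; i++)
        if (load32_le(out + 4 * i) != final_state[i]) return 0;
    return out[0] == 0x10 && out[63] == 0x4e;   /* first and last serialized byte */
}

int main(void)
{
    printf("%d %d %d\n", check_quarter_round(), check_state_qround(), check_block());
    return 0;
}
```

Each check_* function returns 1 when the implementation reproduces the corresponding test vector, which also confirms the little-endian handling of key, nonce and output.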
Poly1305 r = 455e9a4057ab6080f47b42c052bac7b Poly1305 s = ff53d53e7875932aebd9751073d6e10a keystream bytes: 9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae: c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5: 4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8: 75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59: fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78: 8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf: 5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22: 15:38 Ciphertext: 000 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2 ...4d.`.{...S.~. 016 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6 ...Q)n......6.b. 032 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b =..^..g....i..r. 048 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36 .q.....)....~.;6 064 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58 ....-w......(..X 080 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc ..$...u.U...H1.. 096 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b ?....Kz..v.e...K 112 61 16 a. AEAD Construction for Poly1305: 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 00 00 00 00 PQRS............ 016 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2 ...4d.`.{...S.~. 032 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6 ...Q)n......6.b. 048 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b =..^..g....i..r. 064 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36 .q.....)....~.;6 080 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58 ....-w......(..X 096 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc ..$...u.U...H1.. 112 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b ?....Kz..v.e...K 128 61 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a............... 144 0c 00 00 00 00 00 00 00 72 00 00 00 00 00 00 00 ........r....... Note the four zero bytes in line 000 and the 14 zero bytes in line 128 Tag: 1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91 3. 
Implementation Advice

   Each block of ChaCha20 involves 16 move operations and one increment
   operation for loading the state, 80 each of XOR, addition and Roll
   operations for the rounds, 16 more add operations and 16 XOR
   operations for protecting the plaintext. Section 2.3 describes the
   ChaCha block function as "adding the original input words". This
   implies that before starting the rounds on the ChaCha state, we copy
   it aside, only to add it in later. This is correct, but we can save
   a few operations if we instead copy the state and do the work on the
   copy. This way, for the next block you don't need to recreate the
   state, but only to increment the block counter. This saves
   approximately 5.5% of the cycles.

   It is not recommended to use a generic big number library such as
   the one in OpenSSL for the arithmetic operations in Poly1305. Such
   libraries use dynamic allocation to be able to handle an integer of
   any size, but that flexibility comes at the expense of performance
   as well as side-channel security. More efficient implementations
   that run in constant time are available, one of them in D. J.
   Bernstein's own library, NaCl ([NaCl]). A constant-time but not
   optimal approach would be to naively implement the arithmetic
   operations for 288-bit integers, because even a naive implementation
   will not exceed 2^288 in the multiplication of (acc+block) and r. An
   efficient constant-time implementation can be found in the public
   domain library poly1305-donna ([Poly1305_Donna]).

4.  Security Considerations

   The ChaCha20 cipher is designed to provide 256-bit security.

   The Poly1305 authenticator is designed to ensure that forged
   messages are rejected with a probability of 1-(n/(2^102)) for a
   16n-byte message, even after sending 2^64 legitimate messages, so it
   is SUF-CMA (strong unforgeability against chosen-message attacks) in
   the terminology of [AE].

   Proving the security of either of these is beyond the scope of this
   document. Such proofs are available in the referenced academic
   papers ([ChaCha], [Poly1305], [LatinDances], [LatinDances2], and
   [Zhenqing2012]).

   The most important security consideration in implementing this
   document is the uniqueness of the nonce used in ChaCha20. Counters
   and LFSRs are both acceptable ways of generating unique nonces, as
   is encrypting a counter using a 64-bit cipher such as DES. Note that
   it is not acceptable to use a truncation of a counter encrypted with
   a 128-bit or 256-bit cipher, because such a truncation may repeat
   after a short time.

   Consequences of repeating a nonce: If a nonce is repeated, then both
   the one-time Poly1305 key and the keystream are identical between
   the messages. This reveals the XOR of the plaintexts, because the
   XOR of the plaintexts is equal to the XOR of the ciphertexts.

   The Poly1305 key MUST be unpredictable to an attacker. Randomly
   generating the key would fulfill this requirement, except that
   Poly1305 is often used in communications protocols, so the receiver
   should know the key. Pseudorandom number generation such as by
   encrypting a counter is acceptable. Using ChaCha with a secret key
   and a nonce is also acceptable.

   The algorithms presented here were designed to be easy to implement
   in constant time to avoid side-channel vulnerabilities. The
   operations used in ChaCha20 are all additions, XORs, and fixed
   rotations. All of these can and should be implemented in constant
   time. Access to offsets into the ChaCha state and the number of
   operations do not depend on any property of the key, eliminating the
   chance of information about the key leaking through the timing of
   cache misses.

   For Poly1305, the operations are addition, multiplication, and
   modulus, all on numbers with greater than 128 bits. This can be done
   in constant time, but a naive implementation (such as using some
   generic big number library) will not be constant time. For example,
   if the multiplication is performed as a separate operation from the
   modulus, the result will sometimes be under 2^256 and sometimes be
   above 2^256. Implementers should be careful about timing
   side-channels for Poly1305 by using the appropriate implementation
   of these operations.

   Validating the authenticity of a message involves a bitwise
   comparison of the calculated tag with the received tag. In most use
   cases, nonces and AAD contents are not "used up" until a valid
   message is received. This allows an attacker to send multiple
   identical messages with different tags until one passes the tag
   comparison. This is hard if the attacker has to try all 2^128
   possible tags one by one. However, if the timing of the tag
   comparison operation reveals how long a prefix of the calculated and
   received tags is identical, the number of messages can be reduced
   significantly. For this reason, with online protocols,
   implementations MUST use a constant-time comparison function rather
   than relying on optimized but insecure library functions such as the
   C language's memcmp().

5.  IANA Considerations

   IANA has assigned an entry in the "Authenticated Encryption with
   Associated Data (AEAD) Parameters" registry with 29 as the Numeric
   ID, "AEAD_CHACHA20_POLY1305" as the name, and RFC 7539 as reference.

   IANA is requested to modify the registry by using this document as
   reference.

6.  References

6.1.  Normative References

   [ChaCha]   Bernstein, D., "ChaCha, a variant of Salsa20", January
              2008.

   [Poly1305] Bernstein, D., "The Poly1305-AES message-authentication
              code", March 2005.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

6.2.  Informative References

   [AE]       Bellare, M. and C. Namprempre, "Authenticated Encryption:
              Relations among notions and analysis of the generic
              composition paradigm", September 2008.

   [Cache-Collisions]
              Bonneau, J. and I. Mironov, "Cache-Collision Timing
              Attacks Against AES", 2006.

   [FIPS-197] National Institute of Standards and Technology, "Advanced
              Encryption Standard (AES)", FIPS PUB 197, November 2001.

   [LatinDances]
              Aumasson, J., Fischer, S., Khazaei, S., Meier, W., and C.
              Rechberger, "New Features of Latin Dances: Analysis of
              Salsa, ChaCha, and Rumba", December 2007.

   [LatinDances2]
              Ishiguro, T., Kiyomoto, S., and Y. Miyake, "Modified
              version of 'Latin Dances Revisited: New Analytic Results
              of Salsa20 and ChaCha'", February 2012.

   [NaCl]     Bernstein, D., Lange, T., and P. Schwabe, "NaCl:
              Networking and Cryptography library", July 2012.

   [Poly1305_Donna]
              Floodyberry, A., "poly1305-donna", February 2014.

   [Procter]  Procter, G., "A Security Analysis of the Composition of
              ChaCha20 and Poly1305", August 2014.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256,
              HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868,
              DOI 10.17487/RFC4868, May 2007.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014.

   [RFC7539]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015.

   [SP800-67] National Institute of Standards and Technology,
              "Recommendation for the Triple Data Encryption Algorithm
              (TDEA) Block Cipher", NIST 800-67, January 2012.

   [Standby-Cipher]
              McGrew, D., Grieco, A., and Y. Sheffer, "Selection of
              Future Cryptographic Standards", Work in Progress,
              draft-mcgrew-standby-cipher-00, January 2013.

   [Zhenqing2012]
              Zhenqing, S., Bin, Z., Dengguo, F., and W. Wenling,
              "Improved Key Recovery Attacks on Reduced-Round Salsa20
              and ChaCha*", 2012.

Appendix A.
Additional Test Vectors The subsections of this appendix contain more test vectors for the algorithms in the sub-sections of Section 2. A.1. The ChaCha20 Block Functions Test Vector #1: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 0 ChaCha state at the end ade0b876 903df1a0 e56a5d40 28bd8653 b819d2bd 1aed8da0 ccef36a8 c70d778b 7c5941da 8d485751 3fe02477 374ad8b8 f4b8436a 1ca11815 69b687c3 8665eeb2 Keystream: 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. 032 da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37 .AY|QWH.w$.?..J7 048 6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86 jC.........i..e. Test Vector #2: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 1 ChaCha state at the end bee7079f 7a385155 7c97ba98 0d082d73 a0290fcb 6965e348 3e53c612 ed7aee32 7621b729 434ee69c b03371d5 d539d874 281fed31 45fb0a51 1f0ae1ac 6f4d794b Keystream: 000 9f 07 e7 be 55 51 38 7a 98 ba 97 7c 73 2d 08 0d ....UQ8z...|s-.. 016 cb 0f 29 a0 48 e3 65 69 12 c6 53 3e 32 ee 7a ed ..).H.ei..S>2.z. 032 29 b7 21 76 9c e6 4e 43 d5 71 33 b0 74 d8 39 d5 ).!v..NC.q3.t.9. 048 31 ed 1f 28 51 0a fb 45 ac e1 0a 1f 4b 79 4d 6f 1..(Q..E....KyMo Test Vector #3: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ 
Block Counter = 1 ChaCha state at the end 2452eb3a 9249f8ec 8d829d9b ddd4ceb1 e8252083 60818b01 f38422b8 5aaa49c9 bb00ca8e da3ba7b4 c4b592d1 fdf2732f 4436274e 2561b3c8 ebdd4aa6 a0136c00 Keystream: 000 3a eb 52 24 ec f8 49 92 9b 9d 82 8d b1 ce d4 dd :.R$..I......... 016 83 20 25 e8 01 8b 81 60 b8 22 84 f3 c9 49 aa 5a . %....`."...I.Z 032 8e ca 00 bb b4 a7 3b da d1 92 b5 c4 2f 73 f2 fd ......;...../s.. 048 4e 27 36 44 c8 b3 61 25 a6 4a dd eb 00 6c 13 a0 N'6D..a%.J...l.. Test Vector #4: ============== Key: 000 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 2 ChaCha state at the end fb4dd572 4bc42ef1 df922636 327f1394 a78dea8f 5e269039 a1bebbc1 caf09aae a25ab213 48a6b46c 1b9d9bcb 092c5be6 546ca624 1bec45d5 87f47473 96f0992e Keystream: 000 72 d5 4d fb f1 2e c4 4b 36 26 92 df 94 13 7f 32 r.M....K6&.....2 016 8f ea 8d a7 39 90 26 5e c1 bb be a1 ae 9a f0 ca ....9.&^........ 032 13 b2 5a a2 6c b4 a6 48 cb 9b 9d 1b e6 5b 2c 09 ..Z.l..H.....[,. 048 24 a6 6c 54 d5 45 ec 1b 73 74 f4 87 2e 99 f0 96 $.lT.E..st...... Test Vector #5: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Block Counter = 0 ChaCha state at the end 374dc6c2 3736d58c b904e24a cd3f93ef 88228b1a 96a4dfb3 5b76ab72 c727ee54 0e0e978a f3145c95 1b748ea8 f786c297 99c28f5f 628314e8 398a19fa 6ded1b53 Keystream: 000 c2 c6 4d 37 8c d5 36 37 4a e2 04 b9 ef 93 3f cd ..M7..67J.....?. 016 1a 8b 22 88 b3 df a4 96 72 ab 76 5b 54 ee 27 c7 ..".....r.v[T.'. 032 8a 97 0e 0e 95 5c 14 f3 a8 8e 74 1b 97 c2 86 f7 .....\....t..... 048 5f 8f c2 99 e8 14 83 62 fa 19 8a 39 53 1b ed 6d _......b...9S..m A.2. 
ChaCha20 Encryption Test Vector #1: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Initial Block Counter = 0 Plaintext: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Ciphertext: 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. 032 da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37 .AY|QWH.w$.?..J7 048 6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86 jC.........i..e. Test Vector #2: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ 
Initial Block Counter = 1 Plaintext: 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". Such 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre 368 73 73 65 64 20 74 6f ssed to Ciphertext: 000 a3 fb f0 7d f3 fa 2f de 4f 37 6c a2 3e 82 73 70 ...}../.O7l.>.sp 016 41 60 5d 9f 4f 4f 57 bd 8c ff 2c 1d 4b 79 55 ec A`].OOW...,.KyU. 032 2a 97 94 8b d3 72 29 15 c8 f3 d3 37 f7 d3 70 05 *....r)....7..p. 048 0e 9e 96 d6 47 b7 c3 9f 56 e0 31 ca 5e b6 25 0d ....G...V.1.^.%. 
064 40 42 e0 27 85 ec ec fa 4b 4b b5 e8 ea d0 44 0e @B.'....KK....D. 080 20 b6 e8 db 09 d8 81 a7 c6 13 2f 42 0e 52 79 50 ........./B.RyP 096 42 bd fa 77 73 d8 a9 05 14 47 b3 29 1c e1 41 1c B..ws....G.)..A. 112 68 04 65 55 2a a6 c4 05 b7 76 4d 5e 87 be a8 5a h.eU*....vM^...Z 128 d0 0f 84 49 ed 8f 72 d0 d6 62 ab 05 26 91 ca 66 ...I..r..b..&..f 144 42 4b c8 6d 2d f8 0e a4 1f 43 ab f9 37 d3 25 9d BK.m-....C..7.%. 160 c4 b2 d0 df b4 8a 6c 91 39 dd d7 f7 69 66 e9 28 ......l.9...if.( 176 e6 35 55 3b a7 6c 5c 87 9d 7b 35 d4 9e b2 e6 2b .5U;.l\..{5....+ 192 08 71 cd ac 63 89 39 e2 5e 8a 1e 0e f9 d5 28 0f .q..c.9.^.....(. 208 a8 ca 32 8b 35 1c 3c 76 59 89 cb cf 3d aa 8b 6c ..2.5.vC.. 080 1a 55 32 05 57 16 ea d6 96 25 68 f8 7d 3f 3f 77 .U2.W....%h.}??w 096 04 c6 a8 d1 bc d1 bf 4d 50 d6 15 4b 6d a7 31 b1 .......MP..Km.1. 112 87 b5 8d fd 72 8a fa 36 75 7a 79 7a c1 88 d1 ....r..6uzyz... A.3. Poly1305 Message Authentication Code Notice how, in test vector #2, r is equal to zero. The part of the Poly1305 algorithm where the accumulator is multiplied by r means that with r equal zero, the tag will be equal to s regardless of the content of the text. Fortunately, all the proposed methods of generating r are such that getting this particular weak key is very unlikely. Test Vector #1: ============== One-time Poly1305 Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Text to MAC: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Tag: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Test Vector #2: ============== One-time Poly1305 Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
016 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> Text to MAC: 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". Such 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre 368 73 73 65 64 20 74 6f ssed to Tag: 000 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> Test Vector #3: ============== One-time Poly1305 Key: 000 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
Text to MAC: 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". Such 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre 368 73 73 65 64 20 74 6f ssed to Tag: 000 f3 47 7e 7c d9 54 17 af 89 a6 b8 79 4c 31 0c f0 .G~|.T.....yL1.. Test Vector #4: ============== One-time Poly1305 Key: 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. 
Text to MAC: 000 27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61 'Twas brillig, a 016 6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f nd the slithy to 032 76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64 ves.Did gyre and 048 20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77 gimble in the w 064 61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77 abe:.All mimsy w 080 65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65 ere the borogove 096 73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20 s,.And the mome 112 72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e raths outgrabe. Tag: 000 45 41 66 9a 7e aa ee 61 e7 08 dc 7c bc c5 eb 62 EAf.~..a...|...b Test Vector #5: If one uses 130-bit partial reduction, does the code handle the case where partially reduced final result is not fully reduced? R: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF tag: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #6: What happens if addition of s overflows modulo 2^128? R: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF data: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #7: What happens if data limb is all ones and there is carry from lower limb? R: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #8: What happens if final result from polynomial part is exactly 2^130-5? 
R: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FB FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 tag: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #9: What happens if final result from polynomial part is exactly 2^130-6? R: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF tag: FA FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF Test Vector #10: What happens if 5*H+L-type reduction produces 131-bit intermediate result? R: 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00 33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 14 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00 Test Vector #11: What happens if 5*H+L-type reduction produces 131-bit final result? R: 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00 33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A.4. Poly1305 Key Generation Using ChaCha20 Test Vector #1: ============== The key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ The nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Poly1305 one-time key: 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. Test Vector #2: ============== The key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ The nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Poly1305 one-time key: 000 ec fa 25 4f 84 5f 64 74 73 d3 cb 14 0d a9 e8 76 ..%O._dts......v 016 06 cb 33 06 6c 44 7b 87 bc 26 66 dd e3 fb b7 39 ..3.lD{..&f....9 Test Vector #3: ============== The key: 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. The nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Poly1305 one-time key: 000 96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b .^;...~.V....).K 016 13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae ...u..?..Y...3.. A.5. ChaCha20-Poly1305 AEAD Decryption Below we see decrypting a message. We receive a ciphertext, a nonce, and a tag. We know the key. We will check the tag and then (assuming that it validates) decrypt the ciphertext. In this particular protocol, we'll assume that there is no padding of the plaintext. The key: 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. Ciphertext: 000 64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd d...u...`.b...C. 016 5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2 ^.\.4\....g..l.. 032 4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0 Ll..u]C....N8-&. 048 bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf ...<2.....;.5X.. 064 33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81 3/..q......J.... 080 14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55 ...n..3.`....7.U 096 97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38 ...n...a..2N+5.8 112 36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4 6..{j|.....{S.g. 128 b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9 ..lv{.MF..R..... 144 90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e .@...3"^.....lR> 160 af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a .E4..?..[.Gq..Tj 176 0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a ..+..VN..B"s.H'. 
192 0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e ..1`S.v..U..1YCN 208 ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10 ..NFm.Z.s.rv'.z. 224 49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30 I....6...h..w.q0 240 30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29 0[.......{qMlo,) 256 a6 ad 5c b4 02 2b 02 70 9b ..\..+.p. The nonce: 000 00 00 00 00 01 02 03 04 05 06 07 08 ............ The AAD: 000 f3 33 88 86 00 00 00 00 00 00 4e 91 .3........N. Received Tag: 000 ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38 ...g..."9#6....8 First, we calculate the one-time Poly1305 key @@@ ChaCha state with key setup 61707865 3320646e 79622d32 6b206574 a540921c 8ad355eb 868833f3 f0b5f604 c1173947 09802b40 bc5cca9d c0757020 00000000 00000000 04030201 08070605 @@@ ChaCha state after 20 rounds a94af0bd 89dee45c b64bb195 afec8fa1 508f4726 63f554c0 1ea2c0db aa721526 11b1e514 a0bacc0f 828a6015 d7825481 e8a4a850 d9dcbbd6 4c2de33a f8ccd912 @@@ out bytes: bd:f0:4a:a9:5c:e4:de:89:95:b1:4b:b6:a1:8f:ec:af: 26:47:8f:50:c0:54:f5:63:db:c0:a2:1e:26:15:72:aa Poly1305 one-time key: 000 bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af ..J.\.....K..... 016 26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa &G.P.T.c....&.r. Next, we construct the AEAD buffer Poly1305 Input: 000 f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00 .3........N..... 016 64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd d...u...`.b...C. 032 5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2 ^.\.4\....g..l.. 048 4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0 Ll..u]C....N8-&. 064 bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf ...<2.....;.5X.. 080 33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81 3/..q......J.... 096 14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55 ...n..3.`....7.U 112 97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38 ...n...a..2N+5.8 128 36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4 6..{j|.....{S.g. 144 b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9 ..lv{.MF..R..... 
160 90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e .@...3"^.....lR> 176 af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a .E4..?..[.Gq..Tj 192 0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a ..+..VN..B"s.H'. 208 0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e ..1`S.v..U..1YCN 224 ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10 ..NFm.Z.s.rv'.z. 240 49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30 I....6...h..w.q0 256 30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29 0[.......{qMlo,) 272 a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00 ..\..+.p........ 288 0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00 ................ We calculate the Poly1305 tag and find that it matches Calculated Tag: 000 ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38 ...g..."9#6....8 Finally, we decrypt the ciphertext Plaintext:: 000 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 73 20 Internet-Drafts 016 61 72 65 20 64 72 61 66 74 20 64 6f 63 75 6d 65 are draft docume 032 6e 74 73 20 76 61 6c 69 64 20 66 6f 72 20 61 20 nts valid for a 048 6d 61 78 69 6d 75 6d 20 6f 66 20 73 69 78 20 6d maximum of six m 064 6f 6e 74 68 73 20 61 6e 64 20 6d 61 79 20 62 65 onths and may be 080 20 75 70 64 61 74 65 64 2c 20 72 65 70 6c 61 63 updated, replac 096 65 64 2c 20 6f 72 20 6f 62 73 6f 6c 65 74 65 64 ed, or obsoleted 112 20 62 79 20 6f 74 68 65 72 20 64 6f 63 75 6d 65 by other docume 128 6e 74 73 20 61 74 20 61 6e 79 20 74 69 6d 65 2e nts at any time. 144 20 49 74 20 69 73 20 69 6e 61 70 70 72 6f 70 72 It is inappropr 160 69 61 74 65 20 74 6f 20 75 73 65 20 49 6e 74 65 iate to use Inte 176 72 6e 65 74 2d 44 72 61 66 74 73 20 61 73 20 72 rnet-Drafts as r 192 65 66 65 72 65 6e 63 65 20 6d 61 74 65 72 69 61 eference materia 208 6c 20 6f 72 20 74 6f 20 63 69 74 65 20 74 68 65 l or to cite the 224 6d 20 6f 74 68 65 72 20 74 68 61 6e 20 61 73 20 m other than as 240 2f e2 80 9c 77 6f 72 6b 20 69 6e 20 70 72 6f 67 /...work in prog 256 72 65 73 73 2e 2f e2 80 9d ress./... Appendix B. 
Performance Measurements of ChaCha20

   The following measurements were made by Adam Langley for a blog post
   published on February 27th, 2014. The original blog post was
   available at the time of this writing at .

   +----------------------------+-------------+-------------------+
   | Chip                       | AES-128-GCM | ChaCha20-Poly1305 |
   +----------------------------+-------------+-------------------+
   | OMAP 4460                  | 24.1 MB/s   | 75.3 MB/s         |
   | Snapdragon S4 Pro          | 41.5 MB/s   | 130.9 MB/s        |
   | Sandy Bridge Xeon (AES-NI) | 900 MB/s    | 500 MB/s          |
   +----------------------------+-------------+-------------------+

                       Table 1: Speed Comparison

Acknowledgements

   ChaCha20 and Poly1305 were invented by Daniel J. Bernstein. The AEAD
   construction and the method of creating the one-time Poly1305 key
   were invented by Adam Langley.

   Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and
   Kenny Paterson for their helpful comments and explanations. Thanks
   to Niels Moller for suggesting the more efficient AEAD construction
   in this document. Special thanks to Ilari Liusvaara for providing
   extra test vectors, helpful comments, and for being the first to
   attempt an implementation from this document. Thanks to Sean
   Parkinson for suggesting improvements to the examples and the
   pseudocode. Thanks to David Ireland for pointing out a bug in the
   pseudocode, and to Stephen Farrell and Alyssa Rowan for pointing out
   missing advice in the security considerations.

   Special thanks go to Gordon Procter for performing a security
   analysis of the composition and publishing [Procter].

Authors' Addresses

   Yoav Nir
   Check Point Software Technologies, Ltd.
   5 Hasolelim st.
   Tel Aviv 6789735
   Israel

   EMail: ynir.ietf@gmail.com

   Adam Langley
   Google, Inc.

   EMail: agl@google.com
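The Poly1305 edge cases of Appendix A.3 (the r = 0 key of test vector #2, the clamping-sensitive key of #4, and the reduction cases #5 to #11), as an added example that is not part of the RFC text. It is a big-integer reference that can serve as an oracle for a limb-based implementation; the function names are assumptions, and the clamping mask follows RFC 7539 Section 2.5, which is not reproduced in the text above.

```python
# Added example: big-integer Poly1305 reference plus the Appendix A.3 vectors.
# Names (poly1305_mac, failing_vectors, ...) are illustrative, not from the RFC.

P1305 = (1 << 130) - 5                      # the prime 2^130 - 5
CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # bits of r that survive clamping


def clamp_r(key):
    """Return r (first 16 key bytes, little-endian) after clamping."""
    return int.from_bytes(key[:16], "little") & CLAMP


def poly1305_mac(msg, key):
    """Poly1305 tag of msg under the 32-byte one-time key r || s."""
    if len(key) != 32:
        raise ValueError("one-time key must be 32 bytes (r || s)")
    r = clamp_r(key)
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block is read little-endian with a 0x01 byte placed above it,
        # so a full block becomes a 129-bit number.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + n) * r % P1305         # full reduction on every step
    # The tag is the low 128 bits of acc + s; the carry out of bit 127 is dropped.
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def r_is_zero(key):
    """True when the accumulator is always multiplied by zero (tag == s)."""
    return clamp_r(key) == 0


Z, F = "00" * 15, "ff" * 15
R10 = "0100000000000000" "0400000000000000"
D11 = ("e33594d7505e43b9" + "00" * 8 +
       "3394d7505e4379cd" + "01" + "00" * 7 +
       "00" * 16)
JABBERWOCKY = (b"'Twas brillig, and the slithy toves\n"
               b"Did gyre and gimble in the wabe:\n"
               b"All mimsy were the borogoves,\n"
               b"And the mome raths outgrabe.")

# (name, r, s, data, expected tag), all hex, copied from Appendix A.3.
VECTORS = [
    ("#4", "1c9240a5eb55d38af333888604f6b5f0",
     "473917c1402b80099dca5cbc207075c0", JABBERWOCKY.hex(),
     "4541669a7eaaee61e708dc7cbcc5eb62"),
    ("#5", "02" + Z, "00" * 16, "ff" * 16, "03" + Z),
    ("#6", "02" + Z, "ff" * 16, "02" + Z, "03" + Z),
    ("#7", "01" + Z, "00" * 16, "ff" * 16 + "f0" + F + "11" + Z, "05" + Z),
    ("#8", "01" + Z, "00" * 16,
     "ff" * 16 + "fb" + "fe" * 15 + "01" * 16, "00" * 16),
    ("#9", "02" + Z, "00" * 16, "fd" + F, "fa" + F),
    ("#10", R10, "00" * 16, D11 + "01" + Z,
     "1400000000000000" "5500000000000000"),
    ("#11", R10, "00" * 16, D11, "13" + Z),
]

# Test vector #2: r is all zero, s is the second half of the key.
WEAK_S = bytes.fromhex("36e5f6b5c5e06070f0efca96227a863e")
WEAK_KEY = bytes(16) + WEAK_S


def failing_vectors(mac=poly1305_mac):
    """Run the A.3 vectors through `mac`; return the names that mismatch."""
    bad = []
    for name, r, s, data, tag in VECTORS:
        key = bytes.fromhex(r + s)
        if mac(bytes.fromhex(data), key) != bytes.fromhex(tag):
            bad.append(name)
    return bad


if __name__ == "__main__":
    print("failing vectors:", failing_vectors())
    print("r == 0 key detected:", r_is_zero(WEAK_KEY))
```

Passing a limb-based implementation as `mac` to `failing_vectors` shows which reduction or carry case it mishandles.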
[Attachment: rfc7539_long.txt]

Internet Research Task Force (IRTF)                               Y. Nir
Request for Comments: 7539                                   Check Point
Category: Informational                                       A. Langley
ISSN: 2070-1721                                             Google, Inc.
                                                                May 2015

                ChaCha20 and Poly1305 for IETF Protocols

Abstract

   This document defines the ChaCha20 stream cipher as well as the use
   of the Poly1305 authenticator, both as stand-alone algorithms and as
   a "combined mode", or Authenticated Encryption with Associated Data
   (AEAD) algorithm.

   This document does not introduce any new crypto, but is meant to
   serve as a stable reference and an implementation guide. It is a
   product of the Crypto Forum Research Group (CFRG).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF). The IRTF publishes the results of Internet-related research
   and development activities. These results might not be suitable for
   deployment. This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF). Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7539.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
Table of Contents

   1. Introduction
      1.1. Conventions Used in This Document
   2. The Algorithms
      2.1. The ChaCha Quarter Round
         2.1.1. Test Vector for the ChaCha Quarter Round
      2.2. A Quarter Round on the ChaCha State
         2.2.1. Test Vector for the Quarter Round on the ChaCha State
      2.3. The ChaCha20 Block Function
         2.3.1. The ChaCha20 Block Function in Pseudocode
         2.3.2. Test Vector for the ChaCha20 Block Function
      2.4. The ChaCha20 Encryption Algorithm
         2.4.1. The ChaCha20 Encryption Algorithm in Pseudocode
         2.4.2. Example and Test Vector for the ChaCha20 Cipher
      2.5. The Poly1305 Algorithm
         2.5.1. The Poly1305 Algorithms in Pseudocode
         2.5.2. Poly1305 Example and Test Vector
      2.6. Generating the Poly1305 Key Using ChaCha20
         2.6.1. Poly1305 Key Generation in Pseudocode
         2.6.2. Poly1305 Key Generation Test Vector
      2.7. A Pseudorandom Function for Crypto Suites based on
           ChaCha/Poly1305
      2.8. AEAD Construction
         2.8.1. Pseudocode for the AEAD Construction
         2.8.2. Example and Test Vector for AEAD_CHACHA20_POLY1305
   3. Implementation Advice
   4. Security Considerations
   5. IANA Considerations
   6. References
      6.1. Normative References
      6.2. Informative References
   Appendix A. Additional Test Vectors
      A.1. The ChaCha20 Block Functions
      A.2. ChaCha20 Encryption
      A.3. Poly1305 Message Authentication Code
      A.4. Poly1305 Key Generation Using ChaCha20
      A.5. ChaCha20-Poly1305 AEAD Decryption
   Appendix B. Performance Measurements of ChaCha20
   Acknowledgements
   Authors' Addresses

1. Introduction

   The Advanced Encryption Standard (AES -- [FIPS-197]) has become the
   gold standard in encryption. Its efficient design, widespread
   implementation, and hardware support allow for high performance in
   many areas. On most modern platforms, AES is anywhere from four to
   ten times as fast as the previous most-used cipher, Triple Data
   Encryption Standard (3DES -- [SP800-67]), which makes it not only the
   best choice, but the only practical choice.

   There are several problems with this.
   If future advances in cryptanalysis reveal a weakness in AES, users
   will be in an unenviable position. With the only other widely
   supported cipher being the much slower 3DES, it is not feasible to
   reconfigure deployments to use 3DES. [Standby-Cipher] describes this
   issue and the need for a standby cipher in greater detail. Another
   problem is that while AES is very fast on dedicated hardware, its
   performance on platforms that lack such hardware is considerably
   lower. Yet another problem is that many AES implementations are
   vulnerable to cache-collision timing attacks ([Cache-Collisions]).

   This document provides a definition and implementation guide for
   three algorithms:

   1.  The ChaCha20 cipher. This is a high-speed cipher first described
       in [ChaCha]. It is considerably faster than AES in software-only
       implementations, making it around three times as fast on
       platforms that lack specialized AES hardware. See Appendix B for
       some hard numbers. ChaCha20 is also not sensitive to timing
       attacks (see the security considerations in Section 4). This
       algorithm is described in Section 2.4.

   2.  The Poly1305 authenticator. This is a high-speed message
       authentication code. Implementation is also straightforward and
       easy to get right. The algorithm is described in Section 2.5.

   3.  The CHACHA20-POLY1305 Authenticated Encryption with Associated
       Data (AEAD) construction, described in Section 2.8.

   This document does not introduce these new algorithms for the first
   time. They have been defined in scientific papers by D. J.
   Bernstein, which are referenced by this document. The purpose of
   this document is to serve as a stable reference for IETF documents
   making use of these algorithms.

   These algorithms have undergone rigorous analysis. Several papers
   discuss the security of Salsa and ChaCha ([LatinDances],
   [LatinDances2], [Zhenqing2012]).

   This document represents the consensus of the Crypto Forum Research
   Group (CFRG).

1.1. Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The description of the ChaCha algorithm will at various times refer
   to the ChaCha state as a "vector" or as a "matrix". This follows the
   use of these terms in Professor Bernstein's paper. The matrix
   notation is more visually convenient and gives a better notion as to
   why some rounds are called "column rounds" while others are called
   "diagonal rounds". Here's a diagram of how the matrices relate to
   vectors (using the C language convention of zero being the index
   origin).

       0   1   2   3
       4   5   6   7
       8   9  10  11
      12  13  14  15

   The elements in this vector or matrix are 32-bit unsigned integers.

   The algorithm name is "ChaCha". "ChaCha20" is a specific instance
   where 20 "rounds" (or 80 quarter rounds -- see Section 2.1) are used.
   Other variations are defined, with 8 or 12 rounds, but in this
   document we only describe the 20-round ChaCha, so the names "ChaCha"
   and "ChaCha20" will be used interchangeably.

2. The Algorithms

   The subsections below describe the algorithms used and the AEAD
   construction.

2.1. The ChaCha Quarter Round

   The basic operation of the ChaCha algorithm is the quarter round. It
   operates on four 32-bit unsigned integers, denoted a, b, c, and d.
   The operation is as follows (in C-like notation):

   1.  a += b; d ^= a; d <<<= 16;
   2.  c += d; b ^= c; b <<<= 12;
   3.  a += b; d ^= a; d <<<= 8;
   4.  c += d; b ^= c; b <<<= 7;

   Where "+" denotes integer addition modulo 2^32, "^" denotes a bitwise
   Exclusive OR (XOR), and "<<< n" denotes an n-bit left rotation
   (towards the high bits).
   For example, let's see the add, XOR, and roll operations from the
   fourth line with sample numbers:

   o  a = 0x11111111
   o  b = 0x01020304
   o  c = 0x77777777
   o  d = 0x01234567
   o  c = c + d = 0x77777777 + 0x01234567 = 0x789abcde
   o  b = b ^ c = 0x01020304 ^ 0x789abcde = 0x7998bfda
   o  b = b <<< 7 = 0x7998bfda <<< 7 = 0xcc5fed3c

2.1.1. Test Vector for the ChaCha Quarter Round

   For a test vector, we will use the same numbers as in the example,
   adding something random for c.

   o  a = 0x11111111
   o  b = 0x01020304
   o  c = 0x9b8d6f43
   o  d = 0x01234567

   After running a Quarter Round on these four numbers, we get these:

   o  a = 0xea2a92f4
   o  b = 0xcb1cf8ce
   o  c = 0x4581472e
   o  d = 0x5881c4bb

2.2. A Quarter Round on the ChaCha State

   The ChaCha state does not have four integer numbers: it has 16. So
   the quarter-round operation works on only four of them -- hence the
   name. Each quarter round operates on four predetermined numbers in
   the ChaCha state. We will denote by QUARTERROUND(x,y,z,w) a
   quarter-round operation on the numbers at indices x, y, z, and w of
   the ChaCha state when viewed as a vector. For example, if we apply
   QUARTERROUND(1,5,9,13) to a state, this means running the
   quarter-round operation on the elements marked with an asterisk,
   while leaving the others alone:

       0  *a   2   3
       4  *b   6   7
       8  *c  10  11
      12  *d  14  15

   Note that this run of quarter round is part of what is called a
   "column round".

2.2.1. Test Vector for the Quarter Round on the ChaCha State

   For a test vector, we will use a ChaCha state that was generated
   randomly:

   Sample ChaCha State

       879531e0  c5ecf37d  516461b1  c9a62f8a
       44c20ef3  3390af7f  d9fc690b  2a5f714c
       53372767  b00a5631  974c541a  359e9963
       5c971061  3d631689  2098d9d6  91dbd320

   We will apply the QUARTERROUND(2,7,8,13) operation to this state.
   For obvious reasons, this one is part of what is called a "diagonal
   round":

   After applying QUARTERROUND(2,7,8,13)

       879531e0  c5ecf37d *bdb886dc  c9a62f8a
       44c20ef3  3390af7f  d9fc690b *cfacafd2
      *e46bea80  b00a5631  974c541a  359e9963
       5c971061 *ccc07c79  2098d9d6  91dbd320

   Note that only the numbers in positions 2, 7, 8, and 13 changed.

2.3. The ChaCha20 Block Function

   The ChaCha block function transforms a ChaCha state by running
   multiple quarter rounds.

   The inputs to ChaCha20 are:

   o  A 256-bit key, treated as a concatenation of eight 32-bit
      little-endian integers.

   o  A 96-bit nonce, treated as a concatenation of three 32-bit
      little-endian integers.

   o  A 32-bit block count parameter, treated as a 32-bit little-endian
      integer.

   The output is 64 random-looking bytes.

   The ChaCha algorithm described here uses a 256-bit key. The original
   algorithm also specified 128-bit keys and 8- and 12-round variants,
   but these are out of scope for this document. In this section, we
   describe the ChaCha block function.

   Note also that the original ChaCha had a 64-bit nonce and 64-bit
   block count. We have modified this here to be more consistent with
   recommendations in Section 3.2 of [RFC5116]. This limits the use of
   a single (key,nonce) combination to 2^32 blocks, or 256 GB, but that
   is enough for most uses. In cases where a single key is used by
   multiple senders, it is important to make sure that they don't use
   the same nonces. This can be assured by partitioning the nonce space
   so that the first 32 bits are unique per sender, while the other 64
   bits come from a counter.

   The ChaCha20 state is initialized as follows:

   o  The first four words (0-3) are constants: 0x61707865, 0x3320646e,
      0x79622d32, 0x6b206574.

   o  The next eight words (4-11) are taken from the 256-bit key by
      reading the bytes in little-endian order, in 4-byte chunks.

   o  Word 12 is a block counter. Since each block is 64-byte, a 32-bit
      word is enough for 256 gigabytes of data.
   o  Words 13-15 are a nonce, which should not be repeated for the same
      key. The 13th word is the first 32 bits of the input nonce taken
      as a little-endian integer, while the 15th word is the last 32
      bits.

       cccccccc  cccccccc  cccccccc  cccccccc
       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
       kkkkkkkk  kkkkkkkk  kkkkkkkk  kkkkkkkk
       bbbbbbbb  nnnnnnnn  nnnnnnnn  nnnnnnnn

   c=constant k=key b=blockcount n=nonce

   ChaCha20 runs 20 rounds, alternating between "column rounds" and
   "diagonal rounds". Each round consists of four quarter-rounds, and
   they are run as follows. Quarter rounds 1-4 are part of a "column"
   round, while 5-8 are part of a "diagonal" round:

   1.  QUARTERROUND ( 0, 4, 8,12)
   2.  QUARTERROUND ( 1, 5, 9,13)
   3.  QUARTERROUND ( 2, 6,10,14)
   4.  QUARTERROUND ( 3, 7,11,15)
   5.  QUARTERROUND ( 0, 5,10,15)
   6.  QUARTERROUND ( 1, 6,11,12)
   7.  QUARTERROUND ( 2, 7, 8,13)
   8.  QUARTERROUND ( 3, 4, 9,14)

   At the end of 20 rounds (or 10 iterations of the above list), we add
   the original input words to the output words, and serialize the
   result by sequencing the words one-by-one in little-endian order.

   Note: "addition" in the above paragraph is done modulo 2^32. In some
   machine languages, this is called carryless addition on a 32-bit
   word.

2.3.1. The ChaCha20 Block Function in Pseudocode

   Note: This section and a few others contain pseudocode for the
   algorithm explained in a previous section. Every effort was made for
   the pseudocode to accurately reflect the algorithm as described in
   the preceding section. If a conflict is still present, the textual
   explanation and the test vectors are normative.
    inner_block (state):
       Qround(state, 0, 4, 8,12)
       Qround(state, 1, 5, 9,13)
       Qround(state, 2, 6,10,14)
       Qround(state, 3, 7,11,15)
       Qround(state, 0, 5,10,15)
       Qround(state, 1, 6,11,12)
       Qround(state, 2, 7, 8,13)
       Qround(state, 3, 4, 9,14)
       end

    chacha20_block(key, counter, nonce):
       state = constants | key | counter | nonce
       working_state = state
       for i=1 upto 10
          inner_block(working_state)
          end
       state += working_state
       return serialize(state)
       end

2.3.2. Test Vector for the ChaCha20 Block Function

For a test vector, we will use the following inputs to the ChaCha20 block function:

o Key = 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f. The key is a sequence of octets with no particular structure before we copy it into the ChaCha state.

o Nonce = (00:00:00:09:00:00:00:4a:00:00:00:00)

o Block Count = 1.

After setting up the ChaCha state, it looks like this:

ChaCha state with the key setup.

    61707865  3320646e  79622d32  6b206574
    03020100  07060504  0b0a0908  0f0e0d0c
    13121110  17161514  1b1a1918  1f1e1d1c
    00000001  09000000  4a000000  00000000

After running 20 rounds (10 column rounds interleaved with 10 "diagonal rounds"), the ChaCha state looks like this:

ChaCha state after 20 rounds

    837778ab  e238d763  a67ae21e  5950bb2f
    c4f2d0c7  fc62bb2f  8fa018fc  3f5ec7b7
    335271c2  f29489f3  eabda8fc  82e46ebd
    d19c12b4  b04e16de  9e83d0cb  4e3c50a2

Finally, we add the original state to the result (simple vector or matrix addition), giving this:

ChaCha state at the end of the ChaCha20 operation

    e4e7f110  15593bd1  1fdd0f50  c47120a3
    c7f4d1c7  0368c033  9aaa2204  4e6cd4c3
    466482d2  09aa9f07  05d7c214  a2028bd9
    d19c12b5  b94e16de  e883d0cb  4e3c50a2

After we serialize the state, we get this:

Serialized Block:

    000  10 f1 e7 e4 d1 3b 59 15 50 0f dd 1f a3 20 71 c4  .....;Y.P.... q.
    016  c7 d1 f4 c7 33 c0 68 03 04 22 aa 9a c3 d4 6c 4e  ....3.h.."....lN
    032  d2 82 64 46 07 9f aa 09 14 c2 d7 05 d9 8b 02 a2  ..dF............
    048  b5 12 9c d1 de 16 4e b9 cb d0 83 e8 a2 50 3c 4e  ......N......P.S.
Poly1305 r = 455e9a4057ab6080f47b42c052bac7b Poly1305 s = ff53d53e7875932aebd9751073d6e10a keystream bytes: 9f:7b:e9:5d:01:fd:40:ba:15:e2:8f:fb:36:81:0a:ae: c1:c0:88:3f:09:01:6e:de:dd:8a:d0:87:55:82:03:a5: 4e:9e:cb:38:ac:8e:5e:2b:b8:da:b2:0f:fa:db:52:e8: 75:04:b2:6e:be:69:6d:4f:60:a4:85:cf:11:b8:1b:59: fc:b1:c4:5f:42:19:ee:ac:ec:6a:de:c3:4e:66:69:78: 8e:db:41:c4:9c:a3:01:e1:27:e0:ac:ab:3b:44:b9:cf: 5c:86:bb:95:e0:6b:0d:f2:90:1a:b6:45:e4:ab:e6:22: 15:38 Ciphertext: 000 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2 ...4d.`.{...S.~. 016 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6 ...Q)n......6.b. 032 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b =..^..g....i..r. 048 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36 .q.....)....~.;6 064 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58 ....-w......(..X 080 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc ..$...u.U...H1.. 096 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b ?....Kz..v.e...K 112 61 16 a. AEAD Construction for Poly1305: 000 50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7 00 00 00 00 PQRS............ 016 d3 1a 8d 34 64 8e 60 db 7b 86 af bc 53 ef 7e c2 ...4d.`.{...S.~. 032 a4 ad ed 51 29 6e 08 fe a9 e2 b5 a7 36 ee 62 d6 ...Q)n......6.b. 048 3d be a4 5e 8c a9 67 12 82 fa fb 69 da 92 72 8b =..^..g....i..r. 064 1a 71 de 0a 9e 06 0b 29 05 d6 a5 b6 7e cd 3b 36 .q.....)....~.;6 080 92 dd bd 7f 2d 77 8b 8c 98 03 ae e3 28 09 1b 58 ....-w......(..X 096 fa b3 24 e4 fa d6 75 94 55 85 80 8b 48 31 d7 bc ..$...u.U...H1.. 112 3f f4 de f0 8e 4b 7a 9d e5 76 d2 65 86 ce c6 4b ?....Kz..v.e...K 128 61 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a............... 144 0c 00 00 00 00 00 00 00 72 00 00 00 00 00 00 00 ........r....... Note the four zero bytes in line 000 and the 14 zero bytes in line 128 Tag: 1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91 3. 
Implementation Advice

Each block of ChaCha20 involves 16 move operations and one increment operation for loading the state, 80 each of XOR, addition and Roll operations for the rounds, 16 more add operations and 16 XOR operations for protecting the plaintext. Section 2.3 describes the ChaCha block function as "adding the original input words". This implies that before starting the rounds on the ChaCha state, we copy it aside, only to add it in later. This is correct, but we can save a few operations if we instead copy the state and do the work on the copy. This way, for the next block you don't need to recreate the state, but only to increment the block counter. This saves approximately 5.5% of the cycles.

It is not recommended to use a generic big number library such as the one in OpenSSL for the arithmetic operations in Poly1305. Such libraries use dynamic allocation to be able to handle an integer of any size, but that flexibility comes at the expense of performance as well as side-channel security. More efficient implementations that run in constant time are available, one of them in D. J. Bernstein's own library, NaCl ([NaCl]). A constant-time but not optimal approach would be to naively implement the arithmetic operations for 288-bit integers, because even a naive implementation will not exceed 2^288 in the multiplication of (acc+block) and r. An efficient constant-time implementation can be found in the public domain library poly1305-donna ([Poly1305_Donna]).

4. Security Considerations

The ChaCha20 cipher is designed to provide 256-bit security.

The Poly1305 authenticator is designed to ensure that forged messages are rejected with a probability of 1-(n/(2^102)) for a 16n-byte message, even after sending 2^64 legitimate messages, so it is SUF-CMA (strong unforgeability against chosen-message attacks) in the terminology of [AE].

Proving the security of either of these is beyond the scope of this document.
Such proofs are available in the referenced academic papers ([ChaCha], [Poly1305], [LatinDances], [LatinDances2], and [Zhenqing2012]).

The most important security consideration in implementing this document is the uniqueness of the nonce used in ChaCha20. Counters and LFSRs are both acceptable ways of generating unique nonces, as is encrypting a counter using a 64-bit cipher such as DES. Note that it is not acceptable to use a truncation of a counter encrypted with a 128-bit or 256-bit cipher, because such a truncation may repeat after a short time.

Consequences of repeating a nonce: If a nonce is repeated, then both the one-time Poly1305 key and the keystream are identical between the messages. This reveals the XOR of the plaintexts, because the XOR of the plaintexts is equal to the XOR of the ciphertexts.

The Poly1305 key MUST be unpredictable to an attacker. Randomly generating the key would fulfill this requirement, except that Poly1305 is often used in communications protocols, so the receiver should know the key. Pseudorandom number generation such as by encrypting a counter is acceptable. Using ChaCha with a secret key and a nonce is also acceptable.

The algorithms presented here were designed to be easy to implement in constant time to avoid side-channel vulnerabilities. The operations used in ChaCha20 are all additions, XORs, and fixed rotations. All of these can and should be implemented in constant time. Access to offsets into the ChaCha state and the number of operations do not depend on any property of the key, eliminating the chance of information about the key leaking through the timing of cache misses.

For Poly1305, the operations are addition, multiplication, and modulus, all on numbers with greater than 128 bits. This can be done in constant time, but a naive implementation (such as using some generic big number library) will not be constant time.
For example, if the multiplication is performed as a separate operation from the modulus, the result will sometimes be under 2^256 and sometimes be above 2^256. Implementers should be careful about timing side-channels for Poly1305 by using the appropriate implementation of these operations.

Validating the authenticity of a message involves a bitwise comparison of the calculated tag with the received tag. In most use cases, nonces and AAD contents are not "used up" until a valid message is received. This allows an attacker to send multiple identical messages with different tags until one passes the tag comparison. This is hard if the attacker has to try all 2^128 possible tags one by one. However, if the timing of the tag comparison operation reveals how long a prefix of the calculated and received tags is identical, the number of messages can be reduced significantly. For this reason, with online protocols, implementation MUST use a constant-time comparison function rather than relying on optimized but insecure library functions such as the C language's memcmp().

5. IANA Considerations

IANA has assigned an entry in the "Authenticated Encryption with Associated Data (AEAD) Parameters" registry with 29 as the Numeric ID, "AEAD_CHACHA20_POLY1305" as the name, and this document as reference.

6. References

6.1. Normative References

[ChaCha] Bernstein, D., "ChaCha, a variant of Salsa20", January 2008, .

[Poly1305] Bernstein, D., "The Poly1305-AES message-authentication code", March 2005, .

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, .

6.2. Informative References

[AE] Bellare, M. and C. Namprempre, "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm", September 2008, .

[Cache-Collisions] Bonneau, J. and I. Mironov, "Cache-Collision Timing Attacks Against AES", 2006, .
[FIPS-197] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001, . [LatinDances] Aumasson, J., Fischer, S., Khazaei, S., Meier, W., and C. Rechberger, "New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba", December 2007, . [LatinDances2] Ishiguro, T., Kiyomoto, S., and Y. Miyake, "Modified version of 'Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha'", February 2012, . [NaCl] Bernstein, D., Lange, T., and P. Schwabe, "NaCl: Networking and Cryptography library", July 2012, . [Poly1305_Donna] Floodyberry, A., "poly1305-donna", February 2014, . [Procter] Procter, G., "A Security Analysis of the Composition of ChaCha20 and Poly1305", August 2014, . [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- 384, and HMAC-SHA-512 with IPsec", RFC 4868, DOI 10.17487/RFC4868, May 2007, . [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, . [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . [SP800-67] National Institute of Standards and Technology, "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher", NIST 800-67, January 2012, . [Standby-Cipher] McGrew, D., Grieco, A., and Y. Sheffer, "Selection of Future Cryptographic Standards", Work in Progress, draft-mcgrew-standby-cipher-00, January 2013. [Zhenqing2012] Zhenqing, S., Bin, Z., Dengguo, F., and W. Wenling, "Improved Key Recovery Attacks on Reduced-Round Salsa20 and ChaCha*", 2012. Appendix A. Additional Test Vectors The subsections of this appendix contain more test vectors for the algorithms in the sub-sections of Section 2. A.1. The ChaCha20 Block Functions Test Vector #1: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 0 ChaCha state at the end ade0b876 903df1a0 e56a5d40 28bd8653 b819d2bd 1aed8da0 ccef36a8 c70d778b 7c5941da 8d485751 3fe02477 374ad8b8 f4b8436a 1ca11815 69b687c3 8665eeb2 Keystream: 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. 032 da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37 .AY|QWH.w$.?..J7 048 6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86 jC.........i..e. Test Vector #2: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 1 ChaCha state at the end bee7079f 7a385155 7c97ba98 0d082d73 a0290fcb 6965e348 3e53c612 ed7aee32 7621b729 434ee69c b03371d5 d539d874 281fed31 45fb0a51 1f0ae1ac 6f4d794b Keystream: 000 9f 07 e7 be 55 51 38 7a 98 ba 97 7c 73 2d 08 0d ....UQ8z...|s-.. 016 cb 0f 29 a0 48 e3 65 69 12 c6 53 3e 32 ee 7a ed ..).H.ei..S>2.z. 032 29 b7 21 76 9c e6 4e 43 d5 71 33 b0 74 d8 39 d5 ).!v..NC.q3.t.9. 048 31 ed 1f 28 51 0a fb 45 ac e1 0a 1f 4b 79 4d 6f 1..(Q..E....KyMo Test Vector #3: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 1 ChaCha state at the end 2452eb3a 9249f8ec 8d829d9b ddd4ceb1 e8252083 60818b01 f38422b8 5aaa49c9 bb00ca8e da3ba7b4 c4b592d1 fdf2732f 4436274e 2561b3c8 ebdd4aa6 a0136c00 Keystream: 000 3a eb 52 24 ec f8 49 92 9b 9d 82 8d b1 ce d4 dd :.R$..I......... 016 83 20 25 e8 01 8b 81 60 b8 22 84 f3 c9 49 aa 5a . %....`."...I.Z 032 8e ca 00 bb b4 a7 3b da d1 92 b5 c4 2f 73 f2 fd ......;...../s.. 
048 4e 27 36 44 c8 b3 61 25 a6 4a dd eb 00 6c 13 a0 N'6D..a%.J...l.. Test Vector #4: ============== Key: 000 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Block Counter = 2 ChaCha state at the end fb4dd572 4bc42ef1 df922636 327f1394 a78dea8f 5e269039 a1bebbc1 caf09aae a25ab213 48a6b46c 1b9d9bcb 092c5be6 546ca624 1bec45d5 87f47473 96f0992e Keystream: 000 72 d5 4d fb f1 2e c4 4b 36 26 92 df 94 13 7f 32 r.M....K6&.....2 016 8f ea 8d a7 39 90 26 5e c1 bb be a1 ae 9a f0 ca ....9.&^........ 032 13 b2 5a a2 6c b4 a6 48 cb 9b 9d 1b e6 5b 2c 09 ..Z.l..H.....[,. 048 24 a6 6c 54 d5 45 ec 1b 73 74 f4 87 2e 99 f0 96 $.lT.E..st...... Test Vector #5: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Block Counter = 0 ChaCha state at the end 374dc6c2 3736d58c b904e24a cd3f93ef 88228b1a 96a4dfb3 5b76ab72 c727ee54 0e0e978a f3145c95 1b748ea8 f786c297 99c28f5f 628314e8 398a19fa 6ded1b53 Keystream: 000 c2 c6 4d 37 8c d5 36 37 4a e2 04 b9 ef 93 3f cd ..M7..67J.....?. 016 1a 8b 22 88 b3 df a4 96 72 ab 76 5b 54 ee 27 c7 ..".....r.v[T.'. 032 8a 97 0e 0e 95 5c 14 f3 a8 8e 74 1b 97 c2 86 f7 .....\....t..... 048 5f 8f c2 99 e8 14 83 62 fa 19 8a 39 53 1b ed 6d _......b...9S..m A.2. ChaCha20 Encryption Test Vector #1: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Initial Block Counter = 0 Plaintext: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Ciphertext: 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. 032 da 41 59 7c 51 57 48 8d 77 24 e0 3f b8 d8 4a 37 .AY|QWH.w$.?..J7 048 6a 43 b8 f4 15 18 a1 1c c3 87 b6 69 b2 ee 65 86 jC.........i..e. Test Vector #2: ============== Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ Nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Initial Block Counter = 1 Plaintext: 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". 
Such 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre 368 73 73 65 64 20 74 6f ssed to Ciphertext: 000 a3 fb f0 7d f3 fa 2f de 4f 37 6c a2 3e 82 73 70 ...}../.O7l.>.sp 016 41 60 5d 9f 4f 4f 57 bd 8c ff 2c 1d 4b 79 55 ec A`].OOW...,.KyU. 032 2a 97 94 8b d3 72 29 15 c8 f3 d3 37 f7 d3 70 05 *....r)....7..p. 048 0e 9e 96 d6 47 b7 c3 9f 56 e0 31 ca 5e b6 25 0d ....G...V.1.^.%. 064 40 42 e0 27 85 ec ec fa 4b 4b b5 e8 ea d0 44 0e @B.'....KK....D. 080 20 b6 e8 db 09 d8 81 a7 c6 13 2f 42 0e 52 79 50 ........./B.RyP 096 42 bd fa 77 73 d8 a9 05 14 47 b3 29 1c e1 41 1c B..ws....G.)..A. 112 68 04 65 55 2a a6 c4 05 b7 76 4d 5e 87 be a8 5a h.eU*....vM^...Z 128 d0 0f 84 49 ed 8f 72 d0 d6 62 ab 05 26 91 ca 66 ...I..r..b..&..f 144 42 4b c8 6d 2d f8 0e a4 1f 43 ab f9 37 d3 25 9d BK.m-....C..7.%. 160 c4 b2 d0 df b4 8a 6c 91 39 dd d7 f7 69 66 e9 28 ......l.9...if.( 176 e6 35 55 3b a7 6c 5c 87 9d 7b 35 d4 9e b2 e6 2b .5U;.l\..{5....+ 192 08 71 cd ac 63 89 39 e2 5e 8a 1e 0e f9 d5 28 0f .q..c.9.^.....(. 208 a8 ca 32 8b 35 1c 3c 76 59 89 cb cf 3d aa 8b 6c ..2.5.vC.. 080 1a 55 32 05 57 16 ea d6 96 25 68 f8 7d 3f 3f 77 .U2.W....%h.}??w 096 04 c6 a8 d1 bc d1 bf 4d 50 d6 15 4b 6d a7 31 b1 .......MP..Km.1. 112 87 b5 8d fd 72 8a fa 36 75 7a 79 7a c1 88 d1 ....r..6uzyz... A.3. Poly1305 Message Authentication Code Notice how, in test vector #2, r is equal to zero. 
The part of the Poly1305 algorithm where the accumulator is multiplied by r means that with r equal zero, the tag will be equal to s regardless of the content of the text. Fortunately, all the proposed methods of generating r are such that getting this particular weak key is very unlikely. Test Vector #1: ============== One-time Poly1305 Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Text to MAC: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 032 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 048 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Tag: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Test Vector #2: ============== One-time Poly1305 Key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> Text to MAC: 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 
ribution". Such 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre 368 73 73 65 64 20 74 6f ssed to Tag: 000 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> Test Vector #3: ============== One-time Poly1305 Key: 000 36 e5 f6 b5 c5 e0 60 70 f0 ef ca 96 22 7a 86 3e 6.....`p...."z.> 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Text to MAC: 000 41 6e 79 20 73 75 62 6d 69 73 73 69 6f 6e 20 74 Any submission t 016 6f 20 74 68 65 20 49 45 54 46 20 69 6e 74 65 6e o the IETF inten 032 64 65 64 20 62 79 20 74 68 65 20 43 6f 6e 74 72 ded by the Contr 048 69 62 75 74 6f 72 20 66 6f 72 20 70 75 62 6c 69 ibutor for publi 064 63 61 74 69 6f 6e 20 61 73 20 61 6c 6c 20 6f 72 cation as all or 080 20 70 61 72 74 20 6f 66 20 61 6e 20 49 45 54 46 part of an IETF 096 20 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 20 Internet-Draft 112 6f 72 20 52 46 43 20 61 6e 64 20 61 6e 79 20 73 or RFC and any s 128 74 61 74 65 6d 65 6e 74 20 6d 61 64 65 20 77 69 tatement made wi 144 74 68 69 6e 20 74 68 65 20 63 6f 6e 74 65 78 74 thin the context 160 20 6f 66 20 61 6e 20 49 45 54 46 20 61 63 74 69 of an IETF acti 176 76 69 74 79 20 69 73 20 63 6f 6e 73 69 64 65 72 vity is consider 192 65 64 20 61 6e 20 22 49 45 54 46 20 43 6f 6e 74 ed an "IETF Cont 208 72 69 62 75 74 69 6f 6e 22 2e 20 53 75 63 68 20 ribution". 
Such 224 73 74 61 74 65 6d 65 6e 74 73 20 69 6e 63 6c 75 statements inclu 240 64 65 20 6f 72 61 6c 20 73 74 61 74 65 6d 65 6e de oral statemen 256 74 73 20 69 6e 20 49 45 54 46 20 73 65 73 73 69 ts in IETF sessi 272 6f 6e 73 2c 20 61 73 20 77 65 6c 6c 20 61 73 20 ons, as well as 288 77 72 69 74 74 65 6e 20 61 6e 64 20 65 6c 65 63 written and elec 304 74 72 6f 6e 69 63 20 63 6f 6d 6d 75 6e 69 63 61 tronic communica 320 74 69 6f 6e 73 20 6d 61 64 65 20 61 74 20 61 6e tions made at an 336 79 20 74 69 6d 65 20 6f 72 20 70 6c 61 63 65 2c y time or place, 352 20 77 68 69 63 68 20 61 72 65 20 61 64 64 72 65 which are addre 368 73 73 65 64 20 74 6f ssed to Tag: 000 f3 47 7e 7c d9 54 17 af 89 a6 b8 79 4c 31 0c f0 .G~|.T.....yL1.. Test Vector #4: ============== One-time Poly1305 Key: 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. Text to MAC: 000 27 54 77 61 73 20 62 72 69 6c 6c 69 67 2c 20 61 'Twas brillig, a 016 6e 64 20 74 68 65 20 73 6c 69 74 68 79 20 74 6f nd the slithy to 032 76 65 73 0a 44 69 64 20 67 79 72 65 20 61 6e 64 ves.Did gyre and 048 20 67 69 6d 62 6c 65 20 69 6e 20 74 68 65 20 77 gimble in the w 064 61 62 65 3a 0a 41 6c 6c 20 6d 69 6d 73 79 20 77 abe:.All mimsy w 080 65 72 65 20 74 68 65 20 62 6f 72 6f 67 6f 76 65 ere the borogove 096 73 2c 0a 41 6e 64 20 74 68 65 20 6d 6f 6d 65 20 s,.And the mome 112 72 61 74 68 73 20 6f 75 74 67 72 61 62 65 2e raths outgrabe. Tag: 000 45 41 66 9a 7e aa ee 61 e7 08 dc 7c bc c5 eb 62 EAf.~..a...|...b Test Vector #5: If one uses 130-bit partial reduction, does the code handle the case where partially reduced final result is not fully reduced? R: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF tag: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #6: What happens if addition of s overflows modulo 2^128? 
R: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF data: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #7: What happens if data limb is all ones and there is carry from lower limb? R: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #8: What happens if final result from polynomial part is exactly 2^130-5? R: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FB FE FE FE FE FE FE FE FE FE FE FE FE FE FE FE 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 tag: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Test Vector #9: What happens if final result from polynomial part is exactly 2^130-6? R: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF tag: FA FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF Test Vector #10: What happens if 5*H+L-type reduction produces 131-bit intermediate result? R: 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00 33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 14 00 00 00 00 00 00 00 55 00 00 00 00 00 00 00 Test Vector #11: What happens if 5*H+L-type reduction produces 131-bit final result? 
R: 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 S: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 data: E3 35 94 D7 50 5E 43 B9 00 00 00 00 00 00 00 00 33 94 D7 50 5E 43 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 tag: 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A.4. Poly1305 Key Generation Using ChaCha20 Test Vector #1: ============== The key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ The nonce: 000 00 00 00 00 00 00 00 00 00 00 00 00 ............ Poly1305 one-time key: 000 76 b8 e0 ad a0 f1 3d 90 40 5d 6a e5 53 86 bd 28 v.....=.@]j.S..( 016 bd d2 19 b8 a0 8d ed 1a a8 36 ef cc 8b 77 0d c7 .........6...w.. Test Vector #2: ============== The key: 000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ The nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Poly1305 one-time key: 000 ec fa 25 4f 84 5f 64 74 73 d3 cb 14 0d a9 e8 76 ..%O._dts......v 016 06 cb 33 06 6c 44 7b 87 bc 26 66 dd e3 fb b7 39 ..3.lD{..&f....9 Test Vector #3: ============== The key: 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... 016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. The nonce: 000 00 00 00 00 00 00 00 00 00 00 00 02 ............ Poly1305 one-time key: 000 96 5e 3b c6 f9 ec 7e d9 56 08 08 f4 d2 29 f9 4b .^;...~.V....).K 016 13 7f f2 75 ca 9b 3f cb dd 59 de aa d2 33 10 ae ...u..?..Y...3.. A.5. ChaCha20-Poly1305 AEAD Decryption Below we see decrypting a message. We receive a ciphertext, a nonce, and a tag. We know the key. We will check the tag and then (assuming that it validates) decrypt the ciphertext. In this particular protocol, we'll assume that there is no padding of the plaintext. The key: 000 1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 ..@..U...3...... 
016 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0 G9..@+....\. pu. Ciphertext: 000 64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd d...u...`.b...C. 016 5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2 ^.\.4\....g..l.. 032 4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0 Ll..u]C....N8-&. 048 bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf ...<2.....;.5X.. 064 33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81 3/..q......J.... 080 14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55 ...n..3.`....7.U 096 97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38 ...n...a..2N+5.8 112 36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4 6..{j|.....{S.g. 128 b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9 ..lv{.MF..R..... 144 90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e .@...3"^.....lR> 160 af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a .E4..?..[.Gq..Tj 176 0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a ..+..VN..B"s.H'. 192 0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e ..1`S.v..U..1YCN 208 ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10 ..NFm.Z.s.rv'.z. 224 49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30 I....6...h..w.q0 240 30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29 0[.......{qMlo,) 256 a6 ad 5c b4 02 2b 02 70 9b ..\..+.p. The nonce: 000 00 00 00 00 01 02 03 04 05 06 07 08 ............ The AAD: 000 f3 33 88 86 00 00 00 00 00 00 4e 91 .3........N. 
Received Tag: 000 ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38 ...g..."9#6....8 First, we calculate the one-time Poly1305 key @@@ ChaCha state with key setup 61707865 3320646e 79622d32 6b206574 a540921c 8ad355eb 868833f3 f0b5f604 c1173947 09802b40 bc5cca9d c0757020 00000000 00000000 04030201 08070605 @@@ ChaCha state after 20 rounds a94af0bd 89dee45c b64bb195 afec8fa1 508f4726 63f554c0 1ea2c0db aa721526 11b1e514 a0bacc0f 828a6015 d7825481 e8a4a850 d9dcbbd6 4c2de33a f8ccd912 @@@ out bytes: bd:f0:4a:a9:5c:e4:de:89:95:b1:4b:b6:a1:8f:ec:af: 26:47:8f:50:c0:54:f5:63:db:c0:a2:1e:26:15:72:aa Poly1305 one-time key: 000 bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af ..J.\.....K..... 016 26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa &G.P.T.c....&.r. Next, we construct the AEAD buffer Poly1305 Input: 000 f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00 .3........N..... 016 64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd d...u...`.b...C. 032 5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2 ^.\.4\....g..l.. 048 4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0 Ll..u]C....N8-&. 064 bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf ...<2.....;.5X.. 080 33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81 3/..q......J.... 096 14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55 ...n..3.`....7.U 112 97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38 ...n...a..2N+5.8 128 36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4 6..{j|.....{S.g. 144 b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9 ..lv{.MF..R..... 160 90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e .@...3"^.....lR> 176 af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a .E4..?..[.Gq..Tj 192 0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a ..+..VN..B"s.H'. 208 0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e ..1`S.v..U..1YCN 224 ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10 ..NFm.Z.s.rv'.z. 
240 49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30 I....6...h..w.q0 256 30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29 0[.......{qMlo,) 272 a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00 ..\..+.p........ 288 0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00 ................ We calculate the Poly1305 tag and find that it matches Calculated Tag: 000 ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38 ...g..."9#6....8 Finally, we decrypt the ciphertext Plaintext:: 000 49 6e 74 65 72 6e 65 74 2d 44 72 61 66 74 73 20 Internet-Drafts 016 61 72 65 20 64 72 61 66 74 20 64 6f 63 75 6d 65 are draft docume 032 6e 74 73 20 76 61 6c 69 64 20 66 6f 72 20 61 20 nts valid for a 048 6d 61 78 69 6d 75 6d 20 6f 66 20 73 69 78 20 6d maximum of six m 064 6f 6e 74 68 73 20 61 6e 64 20 6d 61 79 20 62 65 onths and may be 080 20 75 70 64 61 74 65 64 2c 20 72 65 70 6c 61 63 updated, replac 096 65 64 2c 20 6f 72 20 6f 62 73 6f 6c 65 74 65 64 ed, or obsoleted 112 20 62 79 20 6f 74 68 65 72 20 64 6f 63 75 6d 65 by other docume 128 6e 74 73 20 61 74 20 61 6e 79 20 74 69 6d 65 2e nts at any time. 144 20 49 74 20 69 73 20 69 6e 61 70 70 72 6f 70 72 It is inappropr 160 69 61 74 65 20 74 6f 20 75 73 65 20 49 6e 74 65 iate to use Inte 176 72 6e 65 74 2d 44 72 61 66 74 73 20 61 73 20 72 rnet-Drafts as r 192 65 66 65 72 65 6e 63 65 20 6d 61 74 65 72 69 61 eference materia 208 6c 20 6f 72 20 74 6f 20 63 69 74 65 20 74 68 65 l or to cite the 224 6d 20 6f 74 68 65 72 20 74 68 61 6e 20 61 73 20 m other than as 240 2f e2 80 9c 77 6f 72 6b 20 69 6e 20 70 72 6f 67 /...work in prog 256 72 65 73 73 2e 2f e2 80 9d ress./... Appendix B. Performance Measurements of ChaCha20 The following measurements were made by Adam Langley for a blog post published on February 27th, 2014. The original blog post was available at the time of this writing at . 
+----------------------------+-------------+-------------------+
| Chip                       | AES-128-GCM | ChaCha20-Poly1305 |
+----------------------------+-------------+-------------------+
| OMAP 4460                  |  24.1 MB/s  |     75.3 MB/s     |
| Snapdragon S4 Pro          |  41.5 MB/s  |     130.9 MB/s    |
| Sandy Bridge Xeon (AES-NI) |   900 MB/s  |      500 MB/s     |
+----------------------------+-------------+-------------------+

                      Table 1: Speed Comparison

Acknowledgements

ChaCha20 and Poly1305 were invented by Daniel J. Bernstein.  The AEAD
construction and the method of creating the one-time Poly1305 key
were invented by Adam Langley.

Thanks to Robert Ransom, Watson Ladd, Stefan Buhler, Dan Harkins, and
Kenny Paterson for their helpful comments and explanations.  Thanks
to Niels Moller for suggesting the more efficient AEAD construction
in this document.  Special thanks to Ilari Liusvaara for providing
extra test vectors, helpful comments, and for being the first to
attempt an implementation from this document.  Thanks to Sean
Parkinson for suggesting improvements to the examples and the
pseudocode.  Thanks to David Ireland for pointing out a bug in the
pseudocode, and to Stephen Farrell and Alyssa Rowan for pointing out
missing advice in the security considerations.

Special thanks go to Gordon Procter for performing a security
analysis of the composition and publishing [Procter].

Authors' Addresses

Yoav Nir
Check Point Software Technologies, Ltd.
5 Hasolelim St.
Tel Aviv 6789735
Israel

EMail: ynir.ietf@gmail.com

Adam Langley
Google, Inc.

EMail: agl@google.com

--Apple-Mail=_1E7E1AB1-22FD-4F92-9C14-085497C6341E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8

On 16 Nov 2016, at 10:06, Sean Turner <sean@sn3rd.com> wrote:

+1 - if you got the cycles.

spt

On Nov 14, 2016, at 15:55, Eric Rescorla <ekr@rtfm.com> wrote:

This seems like a good plan.

-Ekr


On Mon, Nov 14, 2016 at 3:32 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
Hi

RFC 7539 (“ChaCha20 and Poly1305 for IETF Protocols”)[1] is now implemented in many places and referenced by 3 RFCs and 8 Internet Drafts ([2])

However, the quality of the document is not where we’d like it to be. There have been 7 errata filed against it. Most of it is editorial or insignificant, but still no errata is better than some errata.

So what do the participants and chairs think about spinning up a quick[4] rfc7539bis that has the same text, except that the errata will be merged in?

I think such a document should be fairly easy and quick.

Yoav

P.S: and yes, of course I’m volunteering to write it.

[1] https://tools.ietf.org/html/rfc7539
[2] https://datatracker.ietf.org/doc/rfc7539/referencedby/
[3] https://www.rfc-editor.org/errata_search.php?rfc=7539
[4] My spell check actually corrected “quick” to “quic”. The contents of my mails are veering far away from regular English.


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
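
Added example, not part of RFC 7539 or of any message in this thread: a Python reimplementation of the AEAD decryption walk-through in the RFC 7539 text attached above (one-time Poly1305 key from ChaCha20 block 0, the padded Poly1305 input, tag check before decryption). Function and constant names are this example's own; the key, nonce, AAD, ciphertext and tag are transcribed from the dump above.

```python
import hmac
import struct

# Inputs transcribed from the walk-through. KEY and NONCE are read back out of
# the printed "ChaCha state with key setup" words (little-endian).
KEY = struct.pack("<8I", 0xa540921c, 0x8ad355eb, 0x868833f3, 0xf0b5f604,
                  0xc1173947, 0x09802b40, 0xbc5cca9d, 0xc0757020)
NONCE = struct.pack("<3I", 0x00000000, 0x04030201, 0x08070605)
AAD = bytes.fromhex("f3 33 88 86 00 00 00 00 00 00 4e 91")
TAG = bytes.fromhex("ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38")
CIPHERTEXT = bytes.fromhex("""
    64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd
    5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2
    4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0
    bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf
    33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81
    14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55
    97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38
    36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4
    b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9
    90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e
    af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a
    0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a
    0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e
    ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10
    49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30
    30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29
    a6 ad 5c b4 02 2b 02 70 9b
""")

MASK32 = 0xFFFFFFFF
P1305 = (1 << 130) - 5
ROUND_INDICES = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                 (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(s, a, b, c, d):
    # The four add/xor/rotate steps of the ChaCha quarter round.
    for x, y, z, rot in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK32
        s[z] = rotl32(s[z] ^ s[x], rot)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block; state is constants | key | counter | nonce."""
    init = list(struct.unpack("<4I", b"expand 32-byte k"))
    init += struct.unpack("<8I", key)
    init += [counter & MASK32]
    init += struct.unpack("<3I", nonce)
    s = list(init)
    for _ in range(10):  # 10 column+diagonal double rounds = 20 rounds
        for idx in ROUND_INDICES:
            quarter_round(s, *idx)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))


def one_time_key(key, nonce):
    """Poly1305 key = first 32 bytes of the ChaCha20 block with counter 0."""
    return chacha20_block(key, 0, nonce)[:32]


def poly1305_mac(msg, otk):
    # Python big integers are not constant time; this shows the data flow only.
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + block) * r % P1305
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def mac_data(aad, ciphertext):
    """AAD | pad16 | ciphertext | pad16 | len(AAD) | len(ciphertext), lengths as LE64."""
    def pad16(b):
        return b"\x00" * (-len(b) % 16)
    return (aad + pad16(aad) + ciphertext + pad16(ciphertext)
            + struct.pack("<QQ", len(aad), len(ciphertext)))


def aead_decrypt(key, nonce, aad, ciphertext, tag):
    """Verify the tag first; release plaintext only if it matches."""
    expected = poly1305_mac(mac_data(aad, ciphertext), one_time_key(key, nonce))
    if not hmac.compare_digest(expected, tag):
        raise ValueError("Poly1305 tag mismatch: ciphertext or AAD was modified")
    out = bytearray()
    for i in range(0, len(ciphertext), 64):
        stream = chacha20_block(key, 1 + i // 64, nonce)  # data blocks start at counter 1
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 64], stream))
    return bytes(out)


if __name__ == "__main__":
    print(aead_decrypt(KEY, NONCE, AAD, CIPHERTEXT, TAG).decode("utf-8"))
```
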


--Apple-Mail=_1E7E1AB1-22FD-4F92-9C14-085497C6341E--
--Apple-Mail=_719BD5CD-5FCF-46C5-8A03-91A419D480DF--

From nobody Sat Jan 14 11:08:09 2017
From: Leonard den Ottolander
To: cfrg@irtf.org
Date: Sat, 14 Jan 2017 20:08:01 +0100
Message-ID: <1484420882.13637.56.camel@quad>
Subject: [Cfrg] A little room for AES-192 in TLS?

L.S.,

Seeing how AES-192 seems to hold up well against related key attacks (at
least the (theoretical) one described in
http://eprint.iacr.org/2009/317) I am rather surprised no AES-192
ciphers have been defined for TLS
(http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
I feel the cipher is being treated rather stepmotherly.

I do understand that the number of slots for ciphers in the above list
is somewhat limited and additions should be considered carefully.
However, seeing that there are over 60 TLS_DH_* ciphers in that list and
well over 60 CAMELLIAs - to be clear, I am not arguing against the
latter algorithm - the argument not to include AES-192 ciphers in that
list seems somewhat arbitrary.

Also there still seems to be plenty of space available (slots 0x01-55,*
and 0x56,0x01-0xC0,0x00) until this "definition by permutation" approach
can be replaced by a cheaper "definition by slot" where the slots are
chained, i.e. using identifiers for key exchanges, asymmetrical ciphers,
symmetrical ciphers and block modes separately.

Even though I have an interest in mathematics and number theory I do not
claim to have anything more than a rudimentary understanding of the
mathematics involved so please correct me where my insights are wrong.

On superficial reading of http://eprint.iacr.org/2009/317 I grasp that
the higher resistance of AES-192 vs. AES-256 is caused by the fact that
"the key schedule of AES-192 has better diffusion". What is causing this
better diffusion? Is it the fact that the key size of AES-192 is not,
and the block size is a power of 2? I seem to remember reading somewhere
about DES that the odd key size vs the block size was considered a
strength.

Have the same analyses been done for AES-128? How is AES-128 holding up
against these attacks?

Seeing that we live in "a world of 2^50 keys" and the fact that AES-192
seems to be more robust against related key attacks than AES-256 is, I
would like to suggest the inclusion of a few AES-192 ciphers in TLS,
let's say all equivalents of AES-256, possibly reduced by the ciphers
that use hashes weaker than SHA256. Not sure if "DH" and "DH_anon" are
different approaches, but those could be excluded as well, resulting in
something like this list:

TLS_RSA_WITH_AES_192_CBC_SHA256
TLS_DHE_DSS_WITH_AES_192_CBC_SHA256
TLS_DHE_RSA_WITH_AES_192_CBC_SHA256
TLS_RSA_WITH_AES_192_GCM_SHA384
TLS_DHE_RSA_WITH_AES_192_GCM_SHA384
TLS_DHE_DSS_WITH_AES_192_GCM_SHA384
TLS_PSK_WITH_AES_192_GCM_SHA384
TLS_DHE_PSK_WITH_AES_192_GCM_SHA384
TLS_RSA_PSK_WITH_AES_192_GCM_SHA384
TLS_PSK_WITH_AES_192_CBC_SHA384
TLS_DHE_PSK_WITH_AES_192_CBC_SHA384
TLS_RSA_PSK_WITH_AES_192_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_192_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_192_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_192_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_192_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_192_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_192_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_192_GCM_SHA384
TLS_ECDHE_PSK_WITH_AES_192_CBC_SHA384
TLS_RSA_WITH_AES_192_CCM
TLS_DHE_RSA_WITH_AES_192_CCM
TLS_RSA_WITH_AES_192_CCM_8
TLS_DHE_RSA_WITH_AES_192_CCM_8
TLS_PSK_WITH_AES_192_CCM
TLS_DHE_PSK_WITH_AES_192_CCM
TLS_PSK_WITH_AES_192_CCM_8
TLS_PSK_DHE_WITH_AES_192_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_192_CCM
TLS_ECDHE_ECDSA_WITH_AES_192_CCM_8

Thank you for considering this request.

Regards,
Leonard den Ottolander.
-- 
mount -t life -o ro /dev/dna /genetic/research

From nobody Sat Jan 14 11:50:31 2017
From: Taylor R Campbell
To: Leonard den Ottolander
In-reply-to: <1484420882.13637.56.camel@quad> (leonard-lists@den.ottolander.nl)
Date: Sat, 14 Jan 2017 19:50:26 +0000
Message-Id: <20170114195022.749D960358@jupiter.mumble.net>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

   Date: Sat, 14 Jan 2017 20:08:01 +0100
   From: Leonard den Ottolander

   Seeing how AES-192 seems to hold up well against related key attacks (at
   least the (theoretical) one described in
   http://eprint.iacr.org/2009/317) I am rather surprised no AES-192
   ciphers have been defined for TLS
   (http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
   I feel the cipher is being treated rather stepmotherly.

I would be surprised if TLS relied in any way on resistance to
related-key attacks.  The only advantage for TLS's sake would be in
situations requiring greater performance than AES-256 can attain,
where a security level below 2^96 against future quantum cryptanalysis
or multi-target attacks are acceptable.

That said, proposals for TLS are probably better heard at the IETF
working group for TLS.

   Also there still seems to be plenty of space available (slots 0x01-55,*
   and 0x56,0x01-0xC0,0x00) until this "definition by permutation" approach
   can be replaced by a cheaper "definition by slot" where the slots are
   chained, i.e. using identifiers for key exchanges, asymmetrical ciphers,
   symmetrical ciphers and block modes separately.

It turns out that handing inexpert users a dizzying array of
cryptographic acronym soups and seasonings to combine securely does
not tend to yield very good results.  The enormous enumeration of
precombined cipher suites is bad enough; asking users to make sensible
choices to combine their parts is worse.

From nobody Sun Jan 15 08:57:19 2017
From: Leonard den Ottolander
To: cfrg@irtf.org
In-Reply-To: <20170114195022.749D960358@jupiter.mumble.net>
References: <20170114195022.749D960358@jupiter.mumble.net>
Date: Sun, 15 Jan 2017 17:57:07 +0100
Message-ID: <1484499428.5117.20.camel@quad>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

Hello Taylor,

On Sat, 2017-01-14 at 19:50 +0000, Taylor R Campbell wrote:
>    Date: Sat, 14 Jan 2017 20:08:01 +0100
>    From: Leonard den Ottolander
>
>    Seeing how AES-192 seems to hold up well against related key attacks (at
>    least the (theoretical) one described in
>    http://eprint.iacr.org/2009/317) I am rather surprised no AES-192
>    ciphers have been defined for TLS
>    (http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
>    I feel the cipher is being treated rather stepmotherly.
>
> I would be surprised if TLS relied in any way on resistance to
> related-key attacks.

I would say any encryption scheme worth its salt relies on resistance
against any kind of attack. With its constant key regeneration TLS seems
amongst the first use cases where related key attacks could be a
concern. More so than in f.e. disk encryption.

> The only advantage for TLS's sake would be in
> situations requiring greater performance than AES-256 can attain,
> where a security level below 2^96 against future quantum cryptanalysis
> or multi-target attacks are acceptable.

Well, assuming Shor and/or Grover halve the effective strength of
symmetric ciphers and these related key attacks were to be practical the
effectiveness of AES-256 would fall below 2^50 against ~ 2^89 for
AES-192. Your consideration would disqualify AES-256 in that scenario as
well.

Although both attacks might improve, the fact that the research states
"the key schedule of AES-192 has better diffusion" seems to imply it is
fundamentally more resistant against related key attacks. If this is
true and related key attacks are a concern AES-192 might be favourable
over AES-256. Not for its greater performance but because it is actually
more resistant against related key attacks than AES-256.

> That said, proposals for TLS are probably better heard at the IETF
> working group for TLS.
>    Also there still seems to be plenty of space available (slots 0x01-55,*
>    and 0x56,0x01-0xC0,0x00) until this "definition by permutation" approach
>    can be replaced by a cheaper "definition by slot" where the slots are
>    chained, i.e. using identifiers for key exchanges, asymmetrical ciphers,
>    symmetrical ciphers and block modes separately.
>
> It turns out that handing inexpert users a dizzying array of
> cryptographic acronym soups and seasonings to combine securely does
> not tend to yield very good results. The enormous enumeration of
> precombined cipher suites is bad enough; asking users to make sensible
> choices to combine their parts is worse.

Cipher choices are mostly made by system administrators and software
implementers, not so much by inexpert users. Has your browser or SSH
client ever asked you which cipher you would want to use for your
connection?

Also, the amount of choices is not significantly increased (seeing that
most possible iterations are already listed), only the way they are
represented. So I am not sure the splitting into slots makes the array
as a whole more dizzying. Whether the slots are separate or concatenated
does not fundamentally change the choices the sysadmin has to make.

But we are drifting slightly off topic here. My reason for sending an
email is to establish whether or not AES-192 is indeed inherently more
secure against related key attacks than AES-256, and thus more resilient
against f.e. manipulation of the generated keys. And perhaps some
insights whether this is related to the "skewed" cipher vs. block size.

Regards,
Leonard.

P.S. Please reply to list only.
-- 
mount -t life -o ro /dev/dna /genetic/research

From nobody Sun Jan 15 12:59:36 2017
From: Taylor R Campbell
To: Leonard den Ottolander
In-reply-to: <1484499428.5117.20.camel@quad> (leonard-lists@den.ottolander.nl)
Date: Sun, 15 Jan 2017 20:59:31 +0000
Message-Id: <20170115205926.853FB60A6D@jupiter.mumble.net>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

   Date: Sun, 15 Jan 2017 17:57:07 +0100
   From: Leonard den Ottolander

   I would say any encryption scheme worth its salt relies on resistance
   against any kind of attack. With its constant key regeneration TLS seems
   amongst the first use cases where related key attacks could be a
   concern. More so than in f.e. disk encryption.

Only very unusual protocols ever use related keys.  In sensible
protocols, every key is drawn independently uniformly at random.

From nobody Mon Jan 16 06:43:44 2017
From: Leonard den Ottolander
To: cfrg@irtf.org
In-Reply-To: <20170115205926.853FB60A6D@jupiter.mumble.net>
References: <20170115205926.853FB60A6D@jupiter.mumble.net>
Date: Mon, 16 Jan 2017 15:43:38 +0100
Message-ID: <1484577818.5104.1.camel@quad>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

On Sun, 2017-01-15 at 20:59 +0000, Taylor R Campbell wrote:
> Only very unusual protocols ever use related keys. In sensible
> protocols, every key is drawn independently uniformly at random.

Protocols that are designed to use related keys? I hope not!

Compare http://eprint.iacr.org/2009/317 4.1 Related-key attack model:

"Compared to other cryptanalytic attacks in which the attacker can
manipulate only the plaintexts and/or the ciphertexts the choice of the
relation between secret keys gives additional degree of freedom to the
attacker. The downside of this freedom is that such attacks might be
harder to mount in practice. Still, designers usually try to build
"ideal" primitives which can be automatically used without further
analysis in the widest possible set of applications, protocols, or modes
of operation. Thus resistance to such attacks is an important design
goal for block ciphers, and in fact it was one of the stated design
goals of the Rijndael algorithm, which was selected as the Advanced
Encryption Standard."

So the question remains if indeed AES-192 is inherently more resistant
to this kind of attack (more of an "ideal primitive" in this respect)
than AES-256 or do I read too much in the remark "the key schedule of
AES-192 has better diffusion" in 6 Attack on AES-192?

Regards,
Leonard.
-- 
mount -t life -o ro /dev/dna /genetic/research

From nobody Mon Jan 16 07:59:59 2017
From: John Mattsson
To: Leonard den Ottolander, "cfrg@irtf.org"
Date: Mon, 16 Jan 2017 15:59:13 +0000
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad>
In-Reply-To: <1484577818.5104.1.camel@quad>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

Note that there are trivial generic related-key attacks on AES-192 with #K
= D = T = M = 2^96

http://dx.doi.org/10.1080/0161-118791861749

Regards,
John


On 2017-01-16, 15:43, "Cfrg on behalf of Leonard den Ottolander"
<cfrg-bounces@irtf.org on behalf of leonard-lists@den.ottolander.nl> wrote:

>On Sun, 2017-01-15 at 20:59 +0000, Taylor R Campbell wrote:
>> Only very unusual protocols ever use related keys.  In sensible
>> protocols, every key is drawn independently uniformly at random.
>
>Protocols that are designed to use related keys? I hope not!
>
>Compare http://eprint.iacr.org/2009/317 4.1 Related-key attack model:
>
>"Compared to other cryptanalytic attacks in which the attacker can manipulate
>only the plaintexts and/or the ciphertexts the choice of the
>relation between
>secret keys gives additional degree of freedom to the attacker. The
>downside of
>this freedom is that such attacks might be harder to mount in practice.
>Still,
>designers usually try to build "ideal" primitives which can be
>automatically used
>without further analysis in the widest possible set of applications,
>protocols, or
>modes of operation. Thus resistance to such attacks is an important
>design goal
>for block ciphers, and in fact it was one of the stated design goals of
>the Rijndael
>algorithm, which was selected as the Advanced Encryption Standard."
>
>So the question remains if indeed AES-192 is inherently more resistant
>to this kind of attack (more of an "ideal primitive" in this respect)
>than AES-256 or do I read too much in the remark "the key schedule of
>AES-192 has better diffusion" in 6 Attack on AES-192?
>
>Regards,
>Leonard.
>
>-- 
>mount -t life -o ro /dev/dna /genetic/research
>
>
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg

From nobody Mon Jan 16 08:27:57 2017
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad>
From: Eric Rescorla
Date: Mon, 16 Jan 2017 08:27:12 -0800
To: John Mattsson
Content-Type: multipart/alternative; boundary=001a1135326e59a4f3054638aa3b
Cc: "cfrg@irtf.org", Leonard den Ottolander
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

--001a1135326e59a4f3054638aa3b
Content-Type: text/plain; charset=UTF-8

Generally, I think the sense of the WG is to try to minimize the number of
ciphers/suites. Speaking personally, what would make me be in favor of
adding AES-192 would be some statement from CFRG that they thought that it
was significantly stronger than AES-256. Absent that, I think it would be
better to leave it out of TLS.

-Ekr

On Mon, Jan 16, 2017 at 7:59 AM, John Mattsson wrote:

> Note that there are trivial generic related-key attacks on AES-192 with #K
> = D = T = M = 2^96
>
> http://dx.doi.org/10.1080/0161-118791861749
>
> Regards,
> John
>
>
> On 2017-01-16, 15:43, "Cfrg on behalf of Leonard den Ottolander"
> <cfrg-bounces@irtf.org on behalf of leonard-lists@den.ottolander.nl>
> wrote:
>
> >On Sun, 2017-01-15 at 20:59 +0000, Taylor R Campbell wrote:
> >> Only very unusual protocols ever use related keys. In sensible
> >> protocols, every key is drawn independently uniformly at random.
> >
> >Protocols that are designed to use related keys? I hope not!
> >
> >Compare http://eprint.iacr.org/2009/317 4.1 Related-key attack model:
> >
> >"Compared to other cryptanalytic attacks in which the attacker can manipulate
> >only the plaintexts and/or the ciphertexts the choice of the
> >relation between
> >secret keys gives additional degree of freedom to the attacker. The
> >downside of
> >this freedom is that such attacks might be harder to mount in practice.
> >Still,
> >designers usually try to build "ideal" primitives which can be
> >automatically used
> >without further analysis in the widest possible set of applications,
> >protocols, or
> >modes of operation. Thus resistance to such attacks is an important
> >design goal
> >for block ciphers, and in fact it was one of the stated design goals of
> >the Rijndael
> >algorithm, which was selected as the Advanced Encryption Standard."
> >
> >So the question remains if indeed AES-192 is inherently more resistant
> >to this kind of attack (more of an "ideal primitive" in this respect)
> >than AES-256 or do I read too much in the remark "the key schedule of
> >AES-192 has better diffusion" in 6 Attack on AES-192?
> >
> >Regards,
> >Leonard.
> >
> >--
> >mount -t life -o ro /dev/dna /genetic/research
> >
> >
> >
> >_______________________________________________
> >Cfrg mailing list
> >Cfrg@irtf.org
> >https://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

--001a1135326e59a4f3054638aa3b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
--001a1135326e59a4f3054638aa3b--

From nobody Mon Jan 16 09:37:32 2017
From: "Paterson, Kenny"
To: Eric Rescorla, John Mattsson
Cc: "cfrg@irtf.org", Leonard den Ottolander
Date: Mon, 16 Jan 2017 17:37:25 +0000
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad>

Hi,

On 16/01/2017 16:27, "Cfrg on behalf of Eric Rescorla"
<cfrg-bounces@irtf.org on behalf of ekr@rtfm.com> wrote:

>Generally, I think the sense of the WG is to try to minimize the number
>of ciphers/suites.
>
>Speaking personally, what would make me be in favor of adding AES-192
>would be some statement from CFRG that they thought that it was
>significantly stronger than AES-256. Absent that, I think it would be
>better to leave it out of TLS.

Speaking without my co-chair's hat on...

I don't think related-key attacks are a particular concern for TLS. So I
don't think there's a strong argument for supporting AES-192 in the TLS
1.3 protocol specification.

Anyone else from CFRG have an opinion on this?

Cheers

Kenny

From nobody Mon Jan 16 10:09:07 2017
From: "Stanislav V. Smyshlyaev"
To: "Paterson, Kenny", Eric Rescorla, John Mattsson
Cc: cfrg@irtf.org, Leonard den Ottolander
Date: Mon, 16 Jan 2017 21:09:01 +0300
Message-ID: <20170116180901.5943378.68678.11551@gmail.com>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad>

Dear colleagues,

Thank you for this discussion!

To be honest, I cannot imagine an adversary model (with any relation to practice) for TLS, for which AES-192 would be useful - I agree with Kenny about related-key attacks here.

So I don't see any strong points to add AES-192 to 1.3 too.

Best regards,
Stanislav Smyshlyaev

From nobody Mon Jan 16 10:09:57 2017
From: Tony Arcieri
To: "Paterson, Kenny"
Cc: "cfrg@irtf.org", Leonard den Ottolander
Date: Mon, 16 Jan 2017 10:09:33 -0800
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad>
Content-Type: multipart/alternative; boundary=001a1143225021458405463a17b0

--001a1143225021458405463a17b0
Content-Type: text/plain; charset=UTF-8

On Mon, Jan 16, 2017 at 9:37 AM, Paterson, Kenny wrote:

> Anyone else from CFRG have an opinion on this?

I would rate the chances of a related key attack against TLS as "vanishingly
small". The use of key derivation functions ensures keys will not be related.

In practice, AES-192 is generally not used: AES-128 and AES-256 are used
almost exclusively. I think the general trend is to switch to AES-256 in new
systems.

Adding AES-192 ciphersuites sounds like an awful lot of additional complexity
both for specifiers and implementers for something I suspect no one will ever
use. Personally I would rather see that energy go into e.g. post-quantum
ciphersuites.

--
Tony Arcieri

--001a1143225021458405463a17b0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
--001a1143225021458405463a17b0--

From nobody Mon Jan 16 10:37:25 2017
From: "Paterson, Kenny"
To: Sean Turner, IRTF CFRG
Date: Mon, 16 Jan 2017 18:37:17 +0000
Subject: Re: [Cfrg] Help with the use of contexts

Dear CFRG,

Please chime in asap if you have a view on the issue of signature contexts
in TLS 1.3, as described by Sean below. Otherwise, chairs will make a
possibly ill-informed decision...

Regards

Kenny

On 04/01/2017 21:55, "Cfrg on behalf of Sean Turner"
<cfrg-bounces@irtf.org on behalf of sean@sn3rd.com> wrote:

>Hi CFRG,
>
>The TLS WG is nearing the end of our journey moving EC-based algorithms
>for TLS 1.2 (and earlier) from Informational to Standards track [0].
>While we were doing that we also added in 25519 and x448 as well as EdDSA.
>
>I’d like to get some input from the CFRG on the use of contexts; the
>"context label" is a way to provide domain separation between signatures
>made in different contexts, avoiding cross-protocol attacks.  s10.3 of
>draft-irtf-cfrg-eddsa includes the following:
>
>Contexts SHOULD NOT be used opportunistically, as that kind of use
>is very error-prone.  If contexts are used, one SHOULD require all
>signature schemes available for use in that purpose support
>contexts.
>
>This is great advice for new protocols because it’s easy to make all the
>schemes the same, but for existing protocols like TLS where there’s zero
>chance of obsoleting the existing signature schemes and defining new
>signature schemes with contexts it makes you wonder what
>“opportunistically” means. I.e., would setting a context parameter for
>Ed448 and no other already defined signature scheme be considered
>opportunistic?
>
>spt
>(as document Shepherd for draft-ietf-tls-rfc4492bis)
>
>[0] https://datatracker.ietf.org/doc/draft-ietf-tls-rfc4492bis/

From nobody Mon Jan 16 10:45:41 2017 Return-Path: X-Original-To: 

From: Adam Langley
To: Sean Turner
Cc: IRTF CFRG
Date: Mon, 16 Jan 2017 10:45:34 -0800
Subject: Re: [Cfrg] Help with the use of contexts

On Wed, Jan 4, 2017 at 1:55 PM, Sean Turner wrote:

> The TLS WG is nearing the end of our journey moving EC-based algorithms
> for TLS 1.2 (and earlier) from Informational to Standards track [0]. While
> we were doing that we also added in 25519 and x448 as well as EdDSA.
>
> I’d like to get some input from the CFRG on the use of contexts; the
> "context label" is a way to provide domain separation between signatures
> made in different contexts, avoiding cross-protocol attacks. s10.3 of
> draft-irtf-cfrg-eddsa includes the following:
>
> Contexts SHOULD NOT be used opportunistically, as that kind of use
> is very error-prone. If contexts are used, one SHOULD require all
> signature schemes available for use in that purpose support
> contexts.
>
> This is great advice for new protocols because it’s easy to make all the
> schemes the same, but for existing protocols like TLS where there’s zero
> chance of obsoleting the existing signature schemes and defining new
> signature schemes with contexts it makes you wonder what
> “opportunistically” means. I.e., would setting a context parameter for
> Ed448 and no other already defined signature scheme be considered
> opportunistic?
>

Domain separation for signed values is important and TLS already defines
context strings for signature operations:
https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.4.2

The way that this is constructed (due to me) is generic for any signature
scheme. (Basically just have the context string be NUL-terminated at the
beginning of the signed message.)

So for TLS I believe that the issue is already taken care of. It would also
probably just add pain for implementers if the context string were to be
duplicated as an input to the signature scheme where signature schemes
support it.

Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

From: Leonard den Ottolander
To: "cfrg@irtf.org"
Date: Mon, 16 Jan 2017 20:07:31 +0100
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

Hello Tony,

On Mon, 2017-01-16 at 10:09 -0800, Tony Arcieri wrote:
> I would rate the chances of a related key attack against TLS as
> "vanishingly small". The use of key derivation functions ensures keys will
> not be related.

How about a scenario where an adversary is able to compromise the
software in such a way that related keys are being generated
occasionally and possibly even used for encryption of known plain text
(protocol headers come to mind)? This scenario is assuming the adversary
is not fully in control of the source code but is capable of injecting
subtle bugs "under the radar". Would AES-192 hold up better in such a
scenario than AES-256?

And how can one extrapolate the attacks and analyses mentioned in
http://eprint.iacr.org/2009/317 to use them as an indication of possible
cryptanalytic advances?

> In practice, AES-192 is generally not used: AES-128 and AES-256 are used
> almost exclusively. I think the general trend is to switch to AES-256 in
> new systems.

This is a circular argument. AES-192 is not generally used because it is
not in the specifications. Using that as an argument not to put it in
the specs is, well, circular.

Bruce Schneier wrote about this in 2009:
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html &
https://www.schneier.com/academic/paperfiles/paper-rijndael.pdf

In the blog he states "The attack exploits the fact that the key
schedule for 256-bit version is pretty lousy -- something we pointed out
in our 2000 paper -- but doesn't extend to AES with a 128-bit key." He
even goes so far as to state "And for new applications I suggest that
people don't use AES-256."

> Adding AES-192 ciphersuites sounds like an awful lot of additional
> complexity both for specifiers and implementers for something I suspect no
> one will ever use.

Software like e.g. OpenSSL has an AES implementation that does support
AES-192. I'm not sure if the GCM code needs modifications for it to work
with AES-192, but for the rest all that is required is to add the
references to the new ciphers in the source code. I don't see how one
can qualify the addition of a few references to a list as "complex".

> Personally I would rather see that energy go into e.g.
> post-quantum ciphersuites.

I thought symmetric ciphers are considered somewhat quantum resistant so
I'm not sure the PQ argument is very valid here. Also, if AES-192 is
inherently more secure than AES-256 that would probably also be the case
in a PQ world.

By the way, I'm all for the implementation and specification of post
quantum symmetric ciphers. I could imagine something along the lines of
triple AES (GCM3 with mask 1 and 2 concatenated and XORed in the middle
with either mask 1 or 2 again.) Or perhaps an extension of Rijndael to
use a block of 256 bits and a key of 480 :) .

So the question remains if AES-192 has certain characteristics that
warrant inclusion. The fact that "the key schedule for 256-bit version
is pretty lousy" and the mentioned attacks have complexity of < 2^100
for AES-256, but > 2^179 for AES-192 might speak for it.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research

From: Ilari Liusvaara
To: Leonard den Ottolander
Date: Mon, 16 Jan 2017 21:14:16 +0200
Cc: "cfrg@irtf.org"
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

On Mon, Jan 16, 2017 at 08:07:31PM +0100, Leonard den Ottolander wrote:
> Hello Tony,
>
> On Mon, 2017-01-16 at 10:09 -0800, Tony Arcieri wrote:
> > I would rate the chances of a related key attack against TLS as
> > "vanishingly small". The use of key derivation functions ensures keys will
> > not be related.
>
> How about a scenario where an adversary is able to compromise the
> software in such a way that related keys are being generated
> occasionally and possibly even used for encryption of known plain text
> (protocol headers come to mind)? This scenario is assuming the adversary
> is not fully in control of the source code but is capable of injecting
> subtle bugs "under the radar". Would AES-192 hold up better in such a
> scenario than AES-256?

The key derivations are interop-critical, so compromises like that would
be found real quick (since essentially nothing would work anymore).

And there is at least one place in TLS 1.2 that can be undetectably
compromised by a server in a way that lets an adversary passively decrypt
most connections.

-Ilari

From: "Salz, Rich"
To: Leonard den Ottolander, "cfrg@irtf.org"
Date: Mon, 16 Jan 2017 19:18:32 +0000
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

> How about a scenario where an adversary is able to compromise the
> software in such a way that related keys are being generated occasionally
> and possibly even used for encryption of known plain text (protocol headers
> come to mind)?

To the best of my knowledge, partial compromise of software is not something
that has been in the IETF threat model. "All or nothing" if you will.

> And how can one extrapolate the attacks and analyses mentioned in
> http://eprint.iacr.org/2009/317 to use them as an indication of possible
> cryptanalytic advances?

One simple idea, which I have suggested in the TLS mailing list, is that you
search to see if anyone has done anything in this area in the past eight
years.

> > used almost exclusively. I think the general trend is to switch to
> > AES-256 in new systems.
>
> This is a circular argument.

Not quite. It is an argument saying that we are using AES256 in spite of
what one paper says.

> I don't see how one can qualify the addition
> of a few references to a list as "complex".

Have you done much software deployment, especially at Internet scale? This
is about far more than just adding IANA entries. Did you see my post in the
TLS group that talked to this?

> So the question remains if AES-192 has certain characteristics that warrant
> inclusion. The fact that "the key schedule for 256-bit version is pretty lousy"
> and the mentioned attacks have complexity of < 2^100 for AES-256, but >
> 2^179 for AES-192 might speak for it.

Has anyone but Bruce shared that viewpoint?

It's been nine years. Surely *something* must have happened that you can
find?

From: John Mattsson
To: Leonard den Ottolander, "cfrg@irtf.org"
Date: Mon, 16 Jan 2017 20:05:25 +0000
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

>So the question remains if AES-192 has certain characteristics that
>warrant inclusion. The fact that "the key schedule for 256-bit version
>is pretty lousy" and the mentioned attacks have complexity of < 2^100
>for AES-256, but > 2^179 for AES-192 might speak for it.

AES-192 is not stronger than AES-256 against related-key attacks except in
the special case where #keys is very small. And even if it was, I do not
think that alone makes a case for AES-192 in TLS. If HKDF is secure, then
there are no related AES keys. And if HKDF is not secure, then TLS should
replace HKDF rather than AES.


John

From: "D. J. Bernstein"
To: cfrg@irtf.org
Date: 16 Jan 2017 20:09:48 -0000
Subject: Re: [Cfrg] Help with the use of contexts

Adam Langley writes:
> The way that this is constructed (due to me) is generic for any
> signature scheme. (Basically just have the context string be
> NUL-terminated at the beginning of the signed message.)

In other words, there's still a simple sign-a-message layer that uses
the standard signature API, that works with all signature systems, and
that minimizes costs for implementors and auditors. On top of this
there's a universal

   def sign_a_context_and_data(c,d):
     if '\0' in c: raise Exception('NUL not allowed in contexts')
     return sign(c + '\0' + d)

layer used by the protocol (and by any other protocols that want it).
Everyone can see how this works from a spec perspective and from a
software-engineering perspective.

For comparison, trying to modify the interface and specification of
every sign() function creates a transition nightmare, with nobody able
to answer basic questions about how this approach is actually supposed
to work. What's the advantage supposed to be? I would really like to see
this unnecessary complexity eliminated from CFRG's signature
specifications.

Please see
https://www.ietf.org/mail-archive/web/cfrg/current/msg08167.html for
further comments.

---Dan
+fIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MUXD5hiJFp4JBfjIj7Wlbvi7g7aya5fI5u/MIusBkqI=; b=ZMPXz/r/zK5Q631pcoViLjH7a8bov4h4gvfV214uhfl50SsukNBkBT3qVhfZu41pv3 ZRp/guhjQVSWu14+ZPu+9b5OGsZTrtMIZ3bwpjKqL39HiN5QGsImYa0QoKKiZ1jNME3v h0ULxz7eNiwq4bkb4nD8Zm4Uldo25Q8B6DMZNJIOjC9zlgLVVijA2asuxf9Dl3EkbAh1 ORQXUOC2ViMMwFfZQRE+V2UwkupLg2+8PgqFsW/qa2hRNfNxMV2l4AyzgxAV6U/sM+H5 MeFXAt867jnNHsL5iNs6+B/9rOKYABHknoHfvzjkSNnT3B2nTEKAbH+OxqzilsNhfZzq ItVA== X-Gm-Message-State: AIkVDXLl6Dqvid/rrarts9tFjkNBkV5xV+bbHUR3lE1i5L4iZEIL15F8Z8xgi36pyrLj5Iz8JNLa+uX0h1BQMg== X-Received: by 10.176.6.202 with SMTP id g68mr19612462uag.34.1484603452790; Mon, 16 Jan 2017 13:50:52 -0800 (PST) MIME-Version: 1.0 Received: by 10.103.70.130 with HTTP; Mon, 16 Jan 2017 13:50:32 -0800 (PST) In-Reply-To: <1484593651.5104.49.camel@quad> References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <1484593651.5104.49.camel@quad> From: Tony Arcieri Date: Mon, 16 Jan 2017 13:50:32 -0800 Message-ID: To: Leonard den Ottolander Content-Type: multipart/alternative; boundary=94eb2c1243ee6f9d7905463d2df0 Archived-At: Cc: "cfrg@irtf.org" Subject: Re: [Cfrg] A little room for AES-192 in TLS? X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jan 2017 21:50:55 -0000 --94eb2c1243ee6f9d7905463d2df0 Content-Type: text/plain; charset=UTF-8 On Mon, Jan 16, 2017 at 11:07 AM, Leonard den Ottolander < leonard-lists@den.ottolander.nl> wrote: > How about a scenario where an adversary is able to compromise the > software in such a way that related keys are being generated > occasionally and possibly even used for encryption of known plain text > (protocol headers come to mind)? 
This scenario is assuming the adversary
> is not fully in control of the source code but is capable to inject
> subtle bugs "under the radar". Would AES-192 hold up better in such a
> scenario than AES-256?
>

Even in the event an attacker was able to pull off some sort of fault attack and create related keys, as others have already noted the other side will notice these keys are wrong and snap shut before the attacker can pull off the rest of the attack. The next time you connect it will rekey. I personally cannot think of any way to make TLS behave in such a way related key attacks are even possible, even giving an attacker such a powerful tool as precision fault attacks (and with such a powerful tool, they could likely change the client's preferred ciphersuites as well).

> This is a circular argument. AES-192 is not generally used because it is
> not in the specifications.

This argument holds not just for TLS, but pretty much any protocols that use AES. In practice, nobody uses AES-192, because there is little reason to choose it over either of the other options.

> Bruce Schneier wrote about this in 2009:
> https://www.schneier.com/blog/archives/2009/07/another_new_aes.html &
> https://www.schneier.com/academic/paperfiles/paper-rijndael.pdf
>
> In the blog he states "The attack exploits the fact that the key
> schedule for 256-bit version is pretty lousy -- something we pointed out
> in our 2000 paper -- but doesn't extend to AES with a 128-bit key."
>

Sounds like you just made an argument for AES-128.

-- 
Tony Arcieri
--94eb2c1243ee6f9d7905463d2df0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
--94eb2c1243ee6f9d7905463d2df0--
From nobody Mon Jan 16 23:58:12 2017 Return-Path: X-Original-To: cfrg@ietf.org Delivered-To: cfrg@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4855C1293FD; Mon, 16 Jan 2017 23:58:07 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: X-Test-IDTracker: no X-IETF-IDTracker: 6.40.3 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <148463988729.22474.5347523908294210024.idtracker@ietfa.amsl.com> Date: Mon, 16 Jan 2017 23:58:07 -0800 Archived-At: Cc: cfrg@ietf.org Subject: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-07.txt X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 07:58:07 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Crypto Forum of the IETF.

        Title           : Augmented Password-Authenticated Key Exchange (AugPAKE)
        Authors         : SeongHan Shin
                          Kazukuni Kobara
        Filename        : draft-irtf-cfrg-augpake-07.txt
        Pages           : 20
        Date            : 2017-01-16

Abstract:
   This document describes a secure and highly-efficient augmented password-authenticated key exchange (AugPAKE) protocol where a user remembers a low-entropy password and its verifier is registered in the intended server. In general, the user password is chosen from a small set of dictionary whose space is within the off-line dictionary attacks. The AugPAKE protocol described here is secure against passive attacks, active attacks and off-line dictionary attacks (on the obtained messages with passive/active attacks). Also, this protocol provides resistance to server compromise in the context that an attacker, who obtained the password verifier from the server, must at least perform off-line dictionary attacks to gain any advantage in impersonating the user. The AugPAKE protocol is not only provably secure in the random oracle model but also the most efficient over the previous augmented PAKE protocols (SRP and AMP).

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-irtf-cfrg-augpake-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-augpake-07

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

From nobody Tue Jan 17 03:21:53 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD9BC129A30 for ; Tue, 17 Jan 2017 03:21:51 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.542 X-Spam-Level: X-Spam-Status: No, score=0.542 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156, RCVD_IN_SORBS_WEB=3.599, SPF_HELO_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZsRLZ0dDADEY for ; Tue, 17 Jan 2017 03:21:50 -0800 (PST) Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40064.outbound.protection.outlook.com [40.107.4.64]) (using
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D7D01295CD for ; Tue, 17 Jan 2017 03:21:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=jyBDEaAfcqHV8goaIx2CfGlRIvzo4X4p2XKs6ZBO0BA=; b=coHNVjtm7FCOvTJ9NWjFR6++MPqVnSThH81DlA6KzG6i1jhiConMo9OsM0GpjsV5N/75r8trIN+4fNLmpWu16//xKEOipL4TdobzTWlVPqS6o9VoThTboOn00hvgNCVs/mr+KOT2oWtOGthyneQw+FgNdSPzkfH1NMtVj58JF9o= Received: from AM4PR0301MB1906.eurprd03.prod.outlook.com (10.168.2.156) by AM4PR0301MB1907.eurprd03.prod.outlook.com (10.168.3.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.845.12; Tue, 17 Jan 2017 11:21:47 +0000 Received: from AM4PR0301MB1906.eurprd03.prod.outlook.com ([10.168.2.156]) by AM4PR0301MB1906.eurprd03.prod.outlook.com ([10.168.2.156]) with mapi id 15.01.0845.014; Tue, 17 Jan 2017 11:21:47 +0000 From: "Paterson, Kenny" To: Yoav Nir , IRTF CFRG Thread-Topic: [Cfrg] Fwd: Rev RFC 7539? 
Thread-Index: AQHSbO08Cw6gAQBOvEi1erhSW/AlBaE8jjuA Date: Tue, 17 Jan 2017 11:21:47 +0000 Message-ID: References: <46ECD4D0-07BB-4082-82AC-4B2AE656AE09@gmail.com> In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.7.1.161129 authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk; x-ms-exchange-messagesentrepresentingtype: 1 x-originating-ip: [212.24.209.204] x-microsoft-exchange-diagnostics: 1; AM4PR0301MB1907; 7:elH2N8DO7GxL/EqGDngCm7+a2U/RcA8SE9i9tkt7HXac5Ra7nlxvYvk4CvhvCspsukM1qVYXMeDJxUuy4OP283VGdhRetW08D/XPyamQz4vJwZK5u2SUWMAAx1KN0O+q9tloTZiyRXiFyQGHkDA7AqiOA7LSLq8/Dd+1OJJ/LQdhmUCIpQKTsE+sP+iEU3Sxxa13gPDHgQR1Ba+iwG+PlG6Wr+SWf4CAT4h9nbh+nn1W7K9Tyh2HFDlMvC8A6241hXIbnft9PeiaOiyj6K0JEdtTJ3BkWwX6uSc+kvr98/ZTfElWp963THxnDWsRQEPSzHa+co7vPkSU8ica4Z0z14wLzK+Eg6iR5cErSGplXf3RZXR6e4gNOJxseSiZll0hYG0vPQrDRCEReYd9pQQU8v4ji41fTojQjwtMSSuRAs1XBDXYEUY6IR675MfnK89uavmBvnwlYsjzwSwcchZ9aA== x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10009020)(6009001)(7916002)(39450400003)(199003)(24454002)(189002)(3280700002)(66066001)(99286003)(2906002)(68736007)(106356001)(105586002)(106116001)(101416001)(5660300001)(54356999)(36756003)(42882006)(50986999)(76176999)(2950100002)(3660700001)(74482002)(7736002)(107886002)(4001350100001)(81166006)(5001770100001)(6512007)(8676002)(92566002)(2900100001)(97736004)(5890100001)(83506001)(81156014)(305945005)(8936002)(6506006)(39060400001)(122556002)(25786008)(6116002)(3846002)(6486002)(102836003)(6436002)(189998001)(229853002)(86362001)(77096006)(30001)(38730400001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0301MB1907; H:AM4PR0301MB1906.eurprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; x-ms-office365-filtering-correlation-id: e2d2c5f5-6f85-428d-2469-08d43ecb06a1 x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:AM4PR0301MB1907; x-microsoft-antispam-prvs: 
x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041248)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(6072148); SRVR:AM4PR0301MB1907; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0301MB1907; x-forefront-prvs: 01901B3451 received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts) spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-OriginatorOrg: rhul.ac.uk X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jan 2017 11:21:47.4938 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0301MB1907 Archived-At: Subject: Re: [Cfrg] Fwd: Rev RFC 7539? X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 11:21:52 -0000
From nobody Tue Jan 17 03:31:19 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 553BB129418 for ; Tue, 17 Jan 2017 03:31:17 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4-b597WyesD for ; Tue, 17 Jan 2017 03:31:15 -0800 (PST) Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A13AD12945F for ; Tue, 17 Jan 2017 03:31:15 -0800 (PST) Received: by mail-wm0-x234.google.com with SMTP id c206so218152295wme.0 for ; Tue, 17 Jan 2017 03:31:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=xX1hGPTHEQVsmA4IVt5ycoA4y96LIQaqEIuMiLO/3JI=; b=kBQEeDwr2RaSe5xW39vN2EUbphS9vPtX5wzQwqnHtPILiuTTe2+1lTdWd+UUfODfho dowuBbFjhewmLMzhBPdPbyho42vF1mV6A5o6QawlfUaysxeSUwimtRatls0EquXdoce+ 7wYfmitTg+dg2Qrphm31Y/bSes/41evLYnx3zTjPSZ97nR5SasRNFpeEffxugCn05wY0 4apEuVSEY0+CoTJvTubA3mljj0/3xEpEkcOkbxawLmrwVyzI0IW5T06ZVIbyeZ1U2n7e Kib5MlJOnHNLTMC1SmPwMBjHyaLM8XEdCFvSNonmIj9oUIRKSHCMo7yjcM5DRfhQXw34 EqMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=xX1hGPTHEQVsmA4IVt5ycoA4y96LIQaqEIuMiLO/3JI=; b=SkCcikVB7e46DfsYjaCDeD8vGWs3ukMT8V7bBKBr46962eZWkNev12+ZmaSuzcYOah YHQAQksOgmIa4RXkRV1x6ClpLAx8X74EJjrFZmsC87cB/NTO6IIu3uDJGeYPhcld7bXW fIs3oCXcKClPiVwktzieaXSsXQNWOv4E35B9mts2uqqS7/QddqnqRrNItRsHCMzkTnDm IxghA0wC3v/lwA/nORE5o+pcqqcGWh3KxhKdaSgFbNHo8fXMSLBt2ruquXk7evxHVT9J ImPmbeSC+REV2NCGr09mo5GesmwnCBvlQMUvTcACaKF3ZJoNLC5mDNudeCx2AEbLutW+ hC+g== X-Gm-Message-State: AIkVDXIzudxoRrIxBvq/BM4VckeHtp1TFFPrHLXj6vUmse9jy7eo6fJi19FI1hPsDPQ9TQ== X-Received: by 10.223.175.36 with SMTP id z33mr26575833wrc.25.1484652673597; Tue, 17 Jan 2017 03:31:13 -0800 (PST) Received: from [172.18.133.122] (cowboy3.intuit.com. 
[65.204.229.13]) by smtp.gmail.com with ESMTPSA id d29sm36384363wmi.19.2017.01.17.03.31.11 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Jan 2017 03:31:12 -0800 (PST) To: cfrg@irtf.org References: From: Yaron Sheffer Message-ID: <235ec588-9358-eeb1-9fa2-202409854afc@gmail.com> Date: Tue, 17 Jan 2017 13:31:07 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Cfrg] Help with the use of contexts X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 11:31:17 -0000

> Domain separation for signed values is important and TLS already defines
> context strings for signature operations:
> https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.4.2
>
> The way that this is constructed (due to me) is generic for any signature
> scheme. (Basically just have the context string be NUL-terminated at the
> beginning of the signed message.)
>
> So for TLS I believe that the issue is already taken care of. It would also
> probably just add pain for implementers if the context string were to be
> duplicated as an input to the signature scheme where signature schemes
> support it.
>
>
> Cheers
>
> AGL

Hi Adam,

Wide industry adoption of TLS 1.2 took around 10 years. So IMO saying "this is solved in TLS 1.3" is not a good enough answer, if in the meantime we will continue to see cross-protocol and cross-TLS-version attacks. Please note that the original post refers to "TLS 1.2 (and earlier)."
Thanks, Yaron From nobody Tue Jan 17 03:48:45 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D469C129418 for ; Tue, 17 Jan 2017 03:48:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.5 X-Spam-Level: X-Spam-Status: No, score=-7.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kXdezB-6SAo2 for ; Tue, 17 Jan 2017 03:48:43 -0800 (PST) Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE867129455 for ; Tue, 17 Jan 2017 03:48:42 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 51923BE7B for ; Tue, 17 Jan 2017 11:48:40 +0000 (GMT) X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8XD_RQtkq9Mr for ; Tue, 17 Jan 2017 11:48:39 +0000 (GMT) Received: from [10.87.48.75] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9B897BE79 for ; Tue, 17 Jan 2017 11:48:38 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1484653719; bh=fAm/tA3MLNk5JTgTfPO3zVCrJ6VlYohMmIWsZjmInEo=; h=Subject:To:References:From:Date:In-Reply-To:From; 
b=rAHL6EeCjldvRTKuAmttpGtcbPRU9o3El41BvfEpz/lAPkZoHFkHh9ssJIJ1T5yG5 9c2HqWkRKxdLXIS0BWHvfBcOhCOrxPxQkPI4p3Cpi7K3BWmNFgCTg6Mh6n+HN+2a27 coW1gSTcq9LXF3f5jmmYby2oNCLd7F1cX2pUEk58= To: cfrg@irtf.org References: <20170116200948.6535.qmail@cr.yp.to> From: Stephen Farrell Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url= Message-ID: <5eeb3d4d-1fc0-35ba-6f47-87fa0d808edc@cs.tcd.ie> Date: Tue, 17 Jan 2017 11:48:38 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: <20170116200948.6535.qmail@cr.yp.to> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms040503020209030907020508" Archived-At: Subject: Re: [Cfrg] Help with the use of contexts X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 11:48:45 -0000

This is a cryptographically signed message in MIME format.

--------------ms040503020209030907020508 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable

On 16/01/17 20:09, D. J. Bernstein wrote:
> I would really like to see this unnecessary complexity eliminated from
> CFRG's signature specifications.

I'm relatively neutral on the use or non-use of contexts, but lean more towards Dan's position that the API changes involved mean that practically, it's better to not demand contexts.

However, I really do wish that CFRG specs would not offer both choices - that will simply lead to repeating this discussion each time an IETF protocol wants to use the CFRG spec. And of course, different decisions will be made over time, leading to slightly more mess than would otherwise exist. That's not a showstopper thing, but life will be better if the choice is not offered.
So, I'd support eliminating contexts from CFRG specs and saying something like "if you want that, and it's not a bad idea for avoiding cross-protocol attacks, then do it at a layer above the crypto API."

Cheers, S.

PS: random idea - I wonder if analysis of wireshark dissector source code, or some application calling such code, might be a fine way to spot potential cross-protocol attacks - anyone know if that's been tried?

--------------ms040503020209030907020508 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature
--------------ms040503020209030907020508--
From nobody Tue Jan 17 06:08:06 2017 Return-Path:
From: Leonard den Ottolander
To: cfrg@irtf.org
Date: Tue, 17 Jan 2017 15:07:59 +0100
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
Message-ID: <1484662079.5135.49.camel@quad>
In-Reply-To: <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com>

On Mon, 2017-01-16 at 19:18 +0000, Salz, Rich wrote:
> > And how can one extrapolate the attacks and analyses mentioned in
> > http://eprint.iacr.org/2009/317 to use them as an indication of possible
> > cryptanalytic advances?
>
> One simple idea, which I have suggested in the TLS mailing list, is
> that you search to see if anyone has done anything in this area in the
> past eight years.

Are you suggesting that because this research is 8 years old its findings are not valid? So far no one has really answered the question if the aforementioned analysis indicates that AES-192 might be more resistant to cryptanalysis than AES-256.

So although I don't think the fact that the research I reference is 8 years old invalidates it in any way I dug around a bit.

http://eprint.iacr.org/2010/248 improves the attack on AES-192 from 2^176 to 2^169. The original attack against AES-256 in http://eprint.iacr.org/2009/317 had complexity of 2^119 which they improved to 2^99.5 soon after original publication.

And there is
https://books.google.nl/books?id=weETxBt-VAMC&pg=PA316&lpg=PA316&dq=aes+256+key+schedule+strength&source=bl&ots=GTfhsVdh7E&sig=y0ZE9_3OBCRbbpLHvq0PAAZqRmg&hl=en&sa=X&redir_esc=y#v=onepage&q=aes%20256%20key%20schedule%20strength&f=false
Advances in Cryptology - EUROCRYPT 2010: 29th Annual International Conference...

This is only a partial paper, but I'll cite from the conclusions of Key Recovery Attacks of Practical Complexity, 8 Conclusions (page 316):

"The main problem seems to be the key schedule of AES-256, which is "not of industrial strength": It does not mix the initial key sufficiently, it is too linear, and as a result it has unusually long key differentials of probability 1. In addition the similarity between the key schedule and the data encryption in AES makes it possible to repeatedly cancel data differences with corresponding key differences over many rounds. Ironically, the new attacks work best against AES-256 (which was supposed to be the strongest member of the AES family), and do not currently seem to work against AES-128."

"The most disturbing aspect of the new attacks is that AES-256 can no longer be considered as a safe black box construction, which can be dropped into any security application with little thought about how it is used."

> > > used almost exclusively. I think the general trend is to switch to
> > > AES-256 in new systems.
> >
> > This is a circular argument.
>
> Not quite. It is an argument saying that we are using AES256 in spite of what one paper says.

I was responding to the first part of that paragraph: "In practice, AES-192 is generally not used: AES-128 and AES-256 are used almost exclusively." To that I say, AES-192 is not being used because it's not in the specs. Then refusing to add it to the specs is what I call a circular argument.

And you cannot argue nobody wants to use it as it is not available for use. If I wanted to I could not use AES-192 except in private use scenarios as no one is offering such ciphers, i.e. there is no one to "talk AES-192 to". If such ciphers were available and nobody would use them then you could draw the conclusion that "nobody wants to use it".

> > I don't see how one can qualify the addition
> > of a few references to a list as "complex".
>
> Have you done much software deployment, especially at Internet scale?
> This is about far more than just adding IANA entries. Did you see my
> post in the TLS group that talked to this?

I'm just not entirely convinced by your arguments. Have you seen any breakage in middleboxes when the ARIA ciphers were added in 2011? I acknowledge adding ciphers is not a zero effort, but to describe it as complex is inaccurate.

As for software implementation, I already argued that if the cipher is available in the software adding references so it can be used is trivial. And implementers can always ignore the new ciphers in the list. It's not like openssl broke because it ignores the ARIA ciphers altogether.

> > So the question remains if AES-192 has certain characteristics that warrant
> > inclusion. The fact that "the key schedule for 256-bit version is pretty lousy"
> > and the mentioned attacks have complexity of < 2^100 for AES-256, but
> > > 2^179 for AES-192 might speak for it.
>
> Has anyone but Bruce shared that viewpoint?

Well clearly the authors of Related-key Cryptanalysis of the Full AES-192 and AES-256, Alex Biryukov and Dmitry Khovratovich agree with him on the relatively poor quality of the key schedule of AES-256 even though their wording is not quite as strong as his. Plus the authors of the EuroCrypt article quoted above (the two previous authors and Orr Dunkelman, Nathan Keller and Adi Shamir). And there's references to that study in http://eprint.iacr.org/2011/710 and http://eprint.iacr.org/2016/025 so I guess you could count those authors too.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

From nobody Tue Jan 17 06:48:06 2017
From: "Salz, Rich"
To: Leonard den Ottolander, "cfrg@irtf.org"
Date: Tue, 17 Jan 2017 14:48:02 +0000
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
Message-ID: <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <1484662079.5135.49.camel@quad>

> Are you suggesting that because this research is 8 years old its findings are
> not valid?

Yes, kinda. If the sky really was falling eight years ago, then where are the other papers?

> "The most disturbing aspect of the new attacks is that AES-256 can no longer
> be considered as a safe black box construction, which can be dropped into
> any security application with little thought about how it is used."

Well, luckily, that is not the case with TLS. The particular attack about keys, as has been explained, isn't relevant to AES-in-TLS. Your compromise, while not only outside the typical IETF scope, has been shown to fail as the other side will abort the connection.

> work best against AES-256 (which was supposed to be the strongest member
> of the AES family), and do not currently seem to work against AES-128."

Luckily we use AES128.

> And you cannot argue nobody wants to use it as it is not available for use. If I
> wanted to I could not use AES-192 except in private use scenarios as no one
> is offering such ciphers, i.e.

Yes.

> I
> acknowledge adding ciphers is not a zero effort, but to describe it as complex
> is inaccurate.

We disagree.

You can write up an individual RFC that defines AES192 ciphers for use in TLS, and ask IANA to register them, and then "let the market decide." I suggest you focus on a couple, and not try for full parity by defining a couple of dozen, as the registrar is likely to reject it.

Or you can keep posting here (and as previously pointed out, more appropriately the TLS list) and see if you can convince anyone.

From nobody Tue Jan 17 07:06:52 2017
From: Watson Ladd
To: Stephen Farrell
Cc: cfrg@irtf.org
Date: Tue, 17 Jan 2017 07:06:45 -0800
Subject: Re: [Cfrg] Help with the use of contexts
In-Reply-To: <5eeb3d4d-1fc0-35ba-6f47-87fa0d808edc@cs.tcd.ie>

On Jan 17, 2017 3:48 AM, "Stephen Farrell" wrote:

On 16/01/17 20:09, D. J. Bernstein wrote:
> I would really like to see this unnecessary complexity eliminated from
> CFRG's signature specifications.

I'm relatively neutral on the use or non-use of contexts,
but lean more towards Dan's position that the API changes
involved mean that practically, it's better to not demand
contexts.

However, I really do wish that CFRG specs would not offer
both choices - that will simply lead to repeating this
discussion each time an IETF protocol wants to use the CFRG
spec. And of course, different decisions will be made over
time, leading to slightly more mess than would otherwise
exist. That's not a showstopper thing, but life will be
better if the choice is not offered.

So, I'd support eliminating contexts from CFRG specs and
saying something like "if you want that, and it's not a
bad idea for avoiding cross-protocol attacks, then do it
at a layer above the crypto API."

Cheers,
S.

PS: random idea - I wonder if analysis of wireshark
dissector source code, or some application calling
such code, might be a fine way to spot potential
cross-protocol attacks - anyone know if that's been
tried?

What we want is to determine if the intersection of two badly specified possibly context sensitive languages is empty. This is tricky. If protocols stuck to regular languages it would be decidable.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

From nobody Tue Jan 17 07:51:12 2017
From: Yoav Nir
To: Rich Salz
Cc: "cfrg@irtf.org", Leonard den Ottolander
Date: Tue, 17 Jan 2017 17:51:01 +0200
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
Message-Id: <9DAF192F-1134-4F63-965C-E981B5CD88D4@gmail.com>
In-Reply-To: <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com>

On 17 Jan 2017, at 16:48, Salz, Rich wrote:

>> acknowledge adding ciphers is not a zero effort, but to describe it as complex
>> is inaccurate.
>
> We disagree.
>
> You can write up an individual RFC that defines AES192 ciphers for use in TLS, and ask IANA to register them, and then "let the market decide." I suggest you focus on a couple, and not try for full parity by defining a couple of dozen, as the registrar is likely to reject it.
>
> Or you can keep posting here (and as previously pointed out, more appropriately the TLS list) and see if you can convince anyone.

An individual RFC (or even an RFC from the TLS WG) is no substitute for convincing people. There are over 8000 RFCs. None of us implement all of them.

So an AES-192 RFC won’t cause universal support for these ciphersuites any more than RFC 6209 caused universal support for ARIA.

He can even donate code to OpenSSL (AES-192 already exists, but you need the ciphersuites) but he still needs to convince people (you?) to (i) accept it and (ii) make it part of the default or “strong” or whatever the recommended configuration is called these days.

And he’ll need to convince browser maintainers to add it to the browsers. And then there’s the other dozens of implementations.

If you want a technology implemented and deployed, you still need to convince a lot of people. RFCs are (relatively) easy.

Yoav

From nobody Tue Jan 17 07:56:13 2017
From: Yoav Nir
To: Stephen Farrell
Cc: cfrg@irtf.org
Date: Tue, 17 Jan 2017 17:56:06 +0200
Subject: Re: [Cfrg] Help with the use of contexts
In-Reply-To: <5eeb3d4d-1fc0-35ba-6f47-87fa0d808edc@cs.tcd.ie>

> On 17 Jan 2017, at 13:48, Stephen Farrell wrote:
>
> On 16/01/17 20:09, D. J. Bernstein wrote:
>> I would really like to see this unnecessary complexity eliminated from
>> CFRG's signature specifications.
>
> I'm relatively neutral on the use or non-use of contexts,
> but lean more towards Dan's position that the API changes
> involved mean that practically, it's better to not demand
> contexts.

Me too.

> However, I really do wish that CFRG specs would not offer
> both choices - that will simply lead to repeating this
> discussion each time an IETF protocol wants to use the CFRG
> spec. And of course, different decisions will be made over
> time,

Not over time. In the next few months the IESG is going to get documents about EdDSA signatures from TLS, IPsecME and curdle for signatures in TLS, IKE, and PKIX respectively. If the decision is not the same in all of them, I think (hope) that the IESG would ask why.

> leading to slightly more mess than would otherwise
> exist. That's not a showstopper thing, but life will be
> better if the choice is not offered.
>
> So, I'd support eliminating contexts from CFRG specs and
> saying something like "if you want that, and it's not a
> bad idea for avoiding cross-protocol attacks, then do it
> at a layer above the crypto API."
>
> Cheers,
> S.
>
> PS: random idea - I wonder if analysis of wireshark
> dissector source code, or some application calling
> such code, might be a fine way to spot potential
> cross-protocol attacks - anyone know if that's been
> tried?
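
Added example, not part of any message in this thread and not code from a CFRG draft: the option quoted above, binding the context "at a layer above the crypto API", written against Go's standard crypto/ed25519. The labels "tls", "tls13" and "ike", the fixed seed, the payload and all function names are constructed for the demo; the length prefix is what keeps two protocols' signed byte strings from overlapping.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// demoKeys returns a fixed Ed25519 key pair built from a constructed
// all-0x42 seed so the demo is reproducible. Demo only.
func demoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = 0x42
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// bind returns len(context) || context || msg. The one-byte length prefix
// makes the encoding injective: two different (context, msg) pairs can never
// produce the same signed bytes. This only separates protocols that all sign
// through bind; a protocol signing bare bytes with the same key is not covered.
func bind(context string, msg []byte) ([]byte, error) {
	if len(context) == 0 || len(context) > 255 {
		return nil, errors.New("context must be 1..255 bytes")
	}
	out := make([]byte, 0, 1+len(context)+len(msg))
	out = append(out, byte(len(context)))
	out = append(out, context...)
	return append(out, msg...), nil
}

// naiveBind is the ambiguous variant: context || msg with no length field.
func naiveBind(context string, msg []byte) []byte {
	return append([]byte(context), msg...)
}

// SignCtx signs msg for exactly one protocol context.
func SignCtx(priv ed25519.PrivateKey, context string, msg []byte) ([]byte, error) {
	b, err := bind(context, msg)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyCtx accepts sig only if it was made over the same context and msg.
func VerifyCtx(pub ed25519.PublicKey, context string, msg, sig []byte) bool {
	b, err := bind(context, msg)
	return err == nil && ed25519.Verify(pub, b, sig)
}

// crossProtocolResults replays one signature into a second protocol under
// three designs and reports whether the second protocol accepts it.
func crossProtocolResults() (raw, naive, bound bool) {
	priv, pub := demoKeys()
	msg := []byte("13-finished") // constructed payload

	// 1. No context: both protocols verify the bare bytes, so a signature
	//    made for one is valid in the other.
	rawSig := ed25519.Sign(priv, msg)
	raw = ed25519.Verify(pub, msg, rawSig)

	// 2. Unframed prefix: ("tls", "13-finished") and ("tls13", "-finished")
	//    encode to identical bytes, so the signature transfers.
	naiveSig := ed25519.Sign(priv, naiveBind("tls", msg))
	naive = ed25519.Verify(pub, naiveBind("tls13", []byte("-finished")), naiveSig)

	// 3. Length-prefixed context: neither a different label nor a shifted
	//    label/message boundary verifies.
	sig, _ := SignCtx(priv, "tls", msg)
	bound = VerifyCtx(pub, "ike", msg, sig) ||
		VerifyCtx(pub, "tls13", []byte("-finished"), sig)
	return raw, naive, bound
}

func main() {
	raw, naive, bound := crossProtocolResults()
	fmt.Println("no context, accepted by second protocol:      ", raw)
	fmt.Println("unframed prefix, accepted by second protocol: ", naive)
	fmt.Println("length-prefixed context, accepted:            ", bound)
}
```
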

From nobody Tue Jan 17 08:03:49 2017
From: William Whyte
To: "Salz, Rich"
Cc: "cfrg@irtf.org", Leonard den Ottolander
Date: Tue, 17 Jan 2017 11:03:32 -0500
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
In-Reply-To: <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: multipart/alternative; boundary=001a114ab93c3d119f05464c71d9

--001a114ab93c3d119f05464c71d9
Content-Type: text/plain; charset=UTF-8

It seems like we need a better 256-bit algorithm than AES-256: the related key attacks might not be a concern in TLS, but if use of AES-256 in TLS causes its widespread use in other contexts, it will sooner or later be used in a context where the related key attacks matter. I would support deprecating AES-256 throughout IETF in favor of a better alternative.

It doesn't seem like AES-192 is the right choice for that alternative. Among other things, it's not 256-bit :-).

What *should* CFRG be recommending as a 256-bit symmetric algorithm?

Cheers,

William

On Tue, Jan 17, 2017 at 9:48 AM, Salz, Rich wrote:

> > Are you suggesting that because this research is 8 years old its findings are
> > not valid?
>
> Yes, kinda. If the sky really was falling eight years ago, then where are
> the other papers?
>
> > "The most disturbing aspect of the new attacks is that AES-256 can no longer
> > be considered as a safe black box construction, which can be dropped into
> > any security application with little thought about how it is used."
>
> Well, luckily, that is not the case with TLS. The particular attack about
> keys, as has been explained, isn't relevant to AES-in-TLS. Your
> compromise, while not only outside the typical IETF scope, has been shown
> to fail as the other side will abort the connection.
>
> > work best against AES-256 (which was supposed to be the strongest member
> > of the AES family), and do not currently seem to work against AES-128."
>
> Luckily we use AES128.
>
> > And you cannot argue nobody wants to use it as it is not available for use. If I
> > wanted to I could not use AES-192 except in private use scenarios as no one
> > is offering such ciphers, i.e.
>
> Yes.
>
> > I
> > acknowledge adding ciphers is not a zero effort, but to describe it as complex
> > is inaccurate.
>
> We disagree.
>
> You can write up an individual RFC that defines AES192 ciphers for use in
> TLS, and ask IANA to register them, and then "let the market decide." I
> suggest you focus on a couple, and not try for full parity by defining a
> couple of dozen, as the registrar is likely to reject it.
>
> Or you can keep posting here (and as previously pointed out, more
> appropriately the TLS list) and see if you can convince anyone.

--001a114ab93c3d119f05464c71d9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

From nobody Tue Jan 17 08:08:04 2017
From: Tony Arcieri
Date: Tue, 17 Jan 2017 08:07:40 -0800
To: William Whyte
Cc: "cfrg@irtf.org", Leonard den Ottolander
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

On Tue, Jan 17, 2017 at 8:03 AM, William Whyte <wwhyte@securityinnovation.com> wrote:

> What *should* CFRG be recommending as a 256-bit symmetric algorithm?

ChaCha20 uses a 256-bit key:

https://tools.ietf.org/html/rfc7539

--
Tony Arcieri

From nobody Tue Jan 17 08:12:21 2017
From: Adam Langley
Date: Tue, 17 Jan 2017 08:12:16 -0800
To: Yaron Sheffer
Cc: "cfrg@irtf.org"
Subject: Re: [Cfrg] Help with the use of contexts

On Tue, Jan 17, 2017 at 3:31 AM, Yaron Sheffer wrote:
> Wide industry adoption of TLS 1.2 took around 10 years. So IMO saying "this
> is solved in TLS 1.3" is not a good enough answer, if in the meantime we
> will continue to see cross-protocol and cross-TLS-version attacks.

If there are such attacks then they'll continue to be a problem for TLS 1.2 because only the Ed* schemes have the possibility of a context string. For ECDSA and RSA, the context still needs to be included in the signed message somehow. So TLS 1.2 needs a larger change than wiring up the context inputs of the Ed* schemes if you want to protect it anyway.

Cheers

AGL

--
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

From nobody Tue Jan 17 08:17:43 2017
From: Phillip Hallam-Baker
Date: Tue, 17 Jan 2017 11:17:36 -0500
To: Tony Arcieri
Cc: "cfrg@irtf.org", Leonard den Ottolander
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

Please no, just no.

Use 128 bit AES or 256 bits. Please do not create more options. The idea that there is a need for a cipher between 10 and 14 rounds is just not sensible. Either you are on the bleeding edge or you take a 40% performance hit.

I am now of the opinion that all Key Agreement schemes should use a Key Derivation function, RSA included. So even if your Key Agreement only delivers 128 bits worth of work factor, you can still use a 256 bit cipher.

If you are doing a master key agreement plus an ephemeral, you should use the master key agreement to salt the key derivation and so even with 128 bits of work factor on each you will have a total of 256 bits.

Rather than add pointless new cipher suites, I would like to see the key derivation function fixed so that the ephemeral step cannot weaken the strength of the agreed key.
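
The salting idea in the message above, sketched as an added example (not code from the thread or from any TLS specification): HKDF from RFC 5869 with the master key-agreement output as the salt and the ephemeral output as the input keying material. The secret values and the `info` label are constructed, and mapping the proposal onto HKDF this way is an assumption.

```python
"""HKDF (RFC 5869, HMAC-SHA-256) used to combine two key-agreement outputs.

Added illustration: the master (long-term) shared secret is the HKDF salt and
the ephemeral shared secret is the input keying material. This wiring is an
assumption; the thread gives no concrete construction.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869 default when no salt is supplied
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_cipher_key(master_secret: bytes, ephemeral_secret: bytes,
                      info: bytes = b"example 256-bit cipher key") -> bytes:
    """Derive a 256-bit key that depends on both key-agreement outputs."""
    if not master_secret or not ephemeral_secret:
        raise ValueError("both shared secrets are required")
    prk = hkdf_extract(salt=master_secret, ikm=ephemeral_secret)
    return hkdf_expand(prk, info, 32)


if __name__ == "__main__":
    # Constructed placeholder values standing in for two key-agreement outputs.
    master = bytes.fromhex("11" * 32)
    ephemeral = bytes.fromhex("22" * 32)
    key = derive_cipher_key(master, ephemeral)
    print("derived key:", key.hex())
    # Changing either input alone gives a different key.
    print(key != derive_cipher_key(master, bytes.fromhex("23" + "22" * 31)))
    print(key != derive_cipher_key(bytes.fromhex("10" + "11" * 31), ephemeral))
```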



From nobody Tue Jan 17 08:20:45 2017
From: Ted Krovetz
Date: Tue, 17 Jan 2017 08:20:39 -0800
To: "cfrg@irtf.org"
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

> ChaCha20 uses a 256-bit key:
>
> https://tools.ietf.org/html/rfc7539

If you model Chacha's internal hash function as a 48-byte-to-64-byte PRF, then it is secure against related keys too.

Chacha works by supplying 48 byte (Key || Nonce || Counter) to Chacha's internal hash function repeatedly, each time with a counter increment. If Chacha's internal hash function is a PRF, then clearly *any* change in the key produces independent output.

From nobody Tue Jan 17 09:24:32 2017
From: Dan Brown
Date: Tue, 17 Jan 2017 17:24:26 +0000
To: "D. J. Bernstein", "cfrg@irtf.org"
Subject: Re: [Cfrg] Help with the use of contexts

I agree with Dan Bernstein's suggestion and reasoning below against CFRG's current contextualization of signature schemes, though I would also understand if CFRG does not want to reverse its decisions.

Further points:

Protocol designers should be responsible to enforce uniqueness of protocol messages (within and between honest protocols), not just for digital signatures but for all forms of authentication. How much is this to ask? Isn't that kind of reliability their bread-and-butter? If there hadn't been non-uniqueness, then cross-protocol attacks would have failed, right?

Adding a context to signatures is a complexity that is (1) not guaranteed to help (no formal security definition, no security proof? And no, I do not volunteer), (2) potentially collides with non-contextualized signatures (must signers now also track whether each non-context signature corresponds to some contextual signature?), (3) blames crypto for too much ;)

-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of D. J. Bernstein
Sent: Monday, January 16, 2017 3:10 PM
To: cfrg@irtf.org
Subject: Re: [Cfrg] Help with the use of contexts

Adam Langley writes:
> The way that this is constructed (due to me) is generic for any
> signature scheme. (Basically just have the context string be
> NUL-terminated at the beginning of the signed message.)

In other words, there's still a simple sign-a-message layer that uses the standard signature API, that works with all signature systems, and that minimizes costs for implementors and auditors. On top of this there's a universal

    # sign() is the standard sign-a-message function of the signature system
    def sign_a_context_and_data(c, d):
        if '\0' in c:
            raise Exception('NUL not allowed in contexts')
        return sign(c + '\0' + d)

layer used by the protocol (and by any other protocols that want it).

Everyone can see how this works from a spec perspective and from a software-engineering perspective.

For comparison, trying to modify the interface and specification of every sign() function creates a transition nightmare, with nobody able to answer basic questions about how this approach is actually supposed to work. What's the advantage supposed to be?

I would really like to see this unnecessary complexity eliminated from CFRG's signature specifications.

Please see https://www.ietf.org/mail-archive/web/cfrg/current/msg08167.html for further comments.

---Dan

From nobody Tue Jan 17 10:28:54 2017
From: Joan Daemen
Date: Tue, 17 Jan 2017 19:28:43 +0100
To: cfrg@irtf.org
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: jda@noekeon.org List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 18:28:47 -0000 Dear all, the related-key attacks against AES were interesting from an academic point of view as they broke the security claim we made for Rijndael. However, the attacks require very sophisticated manipulations of the secret key by the attacker. For example, even a protocol that would allow an attacker to add (or XOR) a value of her choice to the key before being used in AES would not allow mounting the attack. If you are interested, you can read the paper Vincent and I wrote "On the related-key attacks against AES" available at e.g. http://jda.noekeon.org/ As for including AES-192 in TLS, I don't see any benefits. Kind regards, Joan Daemen From nobody Tue Jan 17 13:42:02 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0196F129416 for ; Tue, 17 Jan 2017 13:42:01 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DjCXgqSyCGQI for ; Tue, 17 Jan 2017 13:41:59 -0800 (PST) Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com 
(Postfix) with ESMTPS id 6BCCD129495 for ; Tue, 17 Jan 2017 13:41:59 -0800 (PST) Received: by mail-wm0-x236.google.com with SMTP id c85so219084357wmi.1 for ; Tue, 17 Jan 2017 13:41:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=LKzNCTuAMqatx08dSu2SswcuUSx9ZVkVylwTCMXJQqU=; b=d20YxthYYIqY+Tih4VF786mNu1lwsx4eB6dkxh/4aL/ixXjY11uSUQzI3eLhRntF/v IN9+NvlvdIidtm13Oxjb7vgKBogi4HeM9cWPajB1eiiehF1t63+11V0AJiRqaGlcTUrk jMRgK7mxj7/eT/JFbrMGldeIvVHmoTfItVAymgf9UfhVeh2IJQN2FA8wqUJ6ZMaoMwzX D+oFUsu8mhLHNaOG2ZAjNUWo9GwStjaUFKiFuBiI32GZSdCHSBAmaBvzpJbiO1dVAP+H dM9Mm/rlsyfDzay5IDv5Eco1e8dX+Arr4zl0rfe+GdkdJrhccA2GUPYT2ePAKZNnmCfW tJlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=LKzNCTuAMqatx08dSu2SswcuUSx9ZVkVylwTCMXJQqU=; b=boD14uYAz+IVUT/v5hSYkWCQlHpmzNMDrbFv9gMnJOAq2X2LtjQUcOD7Jyi62aX0/S t/O2ZlJ0VTTEQLwofGkGlTby080E6nuwfJk+rAsI2legJGP9Mknd50vJxjS3rq5cPGPH 0sFjEhi0sM8WVQV/zs2Ld7AwGOBwbFKedzaA026rAGT2JLatyOfJ/Lcmyrbckq5T5lYp D/lpEwmbe6ejIaq08P0hCLmG5wjJ0/EnG5AVPOJRJTvdb7M2z+4UcbWtpZkJNTjQF0B5 LktrkRvEHm0B2V0m2Bck9uNXILOZ7dHt8Xh+gjlN4As7OrsGG5yNtwmDa5SjFeEkx/5C JuRQ== X-Gm-Message-State: AIkVDXIJkJC6cyCDXnej1AKuMJfj0b+bIV677sePHxCFra6YDPoS1stKa4NVKEod909CSA== X-Received: by 10.223.133.220 with SMTP id 28mr28936910wru.97.1484689317572; Tue, 17 Jan 2017 13:41:57 -0800 (PST) Received: from [10.0.0.13] (bzq-109-66-146-76.red.bezeqint.net. 
[109.66.146.76]) by smtp.gmail.com with ESMTPSA id 191sm39901237wmo.21.2017.01.17.13.41.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Jan 2017 13:41:56 -0800 (PST) To: Adam Langley References: <235ec588-9358-eeb1-9fa2-202409854afc@gmail.com> From: Yaron Sheffer Message-ID: <781458bb-7b95-0eb4-220a-a57d08968186@gmail.com> Date: Tue, 17 Jan 2017 23:41:54 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Cc: "cfrg@irtf.org" Subject: Re: [Cfrg] Help with the use of contexts X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 21:42:01 -0000 On 17/01/17 18:12, Adam Langley wrote: > On Tue, Jan 17, 2017 at 3:31 AM, Yaron Sheffer wrote: >> Wide industry adoption of TLS 1.2 took around 10 years. So IMO saying "this >> is solved in TLS 1.3" is not a good enough answer, if in the meantime we >> will continue to see cross-protocol and cross-TLS-version attacks. > > If there are such attacks then they'll continue to be a problem for > TLS 1.2 because only the Ed* schemes have the possibility of a context > string. For ECDSA and RSA, the context still needs to be included in > the signed message somehow. So TLS 1.2 needs a larger change than > wiring up the context inputs of the Ed* schemes if you want to protect > it anyway. Correct, but this would still eliminate cross-version attacks between TLS 1.3 and TLS <= 1.2, for Ed*. In other words, there is (incremental) value in adding context opportunistically. 
Thanks,
Yaron

From nobody Tue Jan 17 15:23:00 2017
Date: Wed, 18 Jan 2017 01:22:52 +0200
From: Ilari Liusvaara
To: Yaron Sheffer
Message-ID: <20170117232252.GA6468@LK-Perkele-V2.elisa-laajakaista.fi>
References: <235ec588-9358-eeb1-9fa2-202409854afc@gmail.com> <781458bb-7b95-0eb4-220a-a57d08968186@gmail.com>
In-Reply-To: <781458bb-7b95-0eb4-220a-a57d08968186@gmail.com>
Cc: Adam Langley, "cfrg@irtf.org"
Subject: Re: [Cfrg] Help with the use of contexts

On Tue, Jan 17, 2017 at 11:41:54PM +0200, Yaron Sheffer wrote:
> On 17/01/17 18:12, Adam Langley wrote:
> >On Tue, Jan 17, 2017 at 3:31 AM, Yaron Sheffer wrote:
> >>Wide industry adoption of TLS 1.2 took around 10 years. So IMO saying "this
> >>is solved in TLS 1.3" is not a good enough answer, if in the meantime we
> >>will continue to see cross-protocol and cross-TLS-version attacks.
> >
> >If there are such attacks then they'll continue to be a problem for
> >TLS 1.2 because only the Ed* schemes have the possibility of a context
> >string. For ECDSA and RSA, the context still needs to be included in
> >the signed message somehow. So TLS 1.2 needs a larger change than
> >wiring up the context inputs of the Ed* schemes if you want to protect
> >it anyway.
>
> Correct, but this would still eliminate cross-version attacks between TLS
> 1.3 and TLS <= 1.2, for Ed*. In other words, there is (incremental) value in
> adding context opportunistically.

TLS 1.3 server/client signatures are designed to resist confusion to
SSL 3.0 - TLS 1.2 signatures[1] anyway..

[1] There's the confusion possibility with RSA key exchange, but one
really can't do much about that (other than banning all present RSA
keys, but that would be infeasible)..
-Ilari

From nobody Wed Jan 18 07:39:38 2017
From: John Mattsson
To: "Paterson, Kenny", Yoav Nir, IRTF CFRG
Date: Wed, 18 Jan 2017 15:39:10 +0000
References: <46ECD4D0-07BB-4082-82AC-4B2AE656AE09@gmail.com>
Subject: Re: [Cfrg] Fwd: Rev RFC 7539?
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
From nobody Wed Jan 18 08:59:19 2017
From: "Cooley, Dorothy E"
To: "cfrg@irtf.org"
Date: Wed, 18 Jan 2017 16:49:11 +0000
X-MS-Has-Attach: yes
Subject: [Cfrg] AES GCM SIV analysis
List-Id: Crypto Forum Research Group

NSA's Information Assurance organization did some analysis of AES-GCM-SIV, as described in "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption", dated August 29, 2016 [1]. We shared this analysis privately with the three authors of AES-GCM-SIV, who requested that we post it to the CFRG forum. The attachment describes the results of the analysis. We believe the authors will be posting an update shortly.

Any comments on this work can be directed to me. But I will note that I didn't do the actual analysis (I can't claim to be a 'real' cryptographer these days).

Deb Cooley
NSA Information Assurance Standards.
decoole@nsa.gov

[1] https://tools.ietf.ort/html/draft-irtf-cfrg-gcmsiv-02
Content-Type: application/pdf
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="NSAIA analysis AES GCM SIV mode.pdf"
Content-Description: NSAIA analysis AES GCM SIV mode.pdf
KR5GxPvm9nS6fReX8Nnt7cmT0JFJdGXFJckUrRf+7ERZi6Kp6lLVBX4omCilLA67+/f+9efiBigf /oBi/fXJ998W1cMXm5s3xWp3sza1GhZQU4qHKxuTVSk5kHdWZ758//DkY21Tck9AppIispCIxIW7 XEDglJBcyLJSRcOrWQl5W5WtsrwVNC4pHw/Jl8HDlU4AHUqXp0IhWMmV23iRlFCEJJwymdGgaNqy anJllFyWbbugm2VISOLSLBBSNqzMlhH4AfMa2sUZMme84DVKHZZQRcZKW0vNhEeYeIOFtzhY6k6W jZXw1erd+kG9OrtZi9WrtS/uXapQfFJFejxKTwtCJdVQx8ajrF0ZoYuSQnY1FXCF/BXa/wH+7Q77 3fHhWqJa5Gq37uCPenW7fqBWh08T9SyumoON1CypH1KO2+jmizSaQ7ABr1C3rBTWk//jJb97kzCA 1WVXe/GLg4nxDmpRpaBKigcVxDgw9YvtyxXjzRdQoWjLRvgNOfvi7ZANGKPTjpdgB58vOoyOetQH P38JtrUW1mGbCjGAOjo76GRXdmnX04ZjzMCER5h4IqLBN77df4RR1awObycKWMpcsKYUYtmg6r5M q9ioPwuwdiY7svZXq6lV5tYQNEpRVbq6yOBqv3B1TBd2xsCDL12DQBzg1nDzBayhnji6QGRbzJZX ZGR5gwwRjuzcyJYObCwIhl0uWZ5AABzmo2H2+hYj2eHNWkFw+7RuVsXmtH7AVyeIbTq+weP3EPpO x4mSFgsgmSJcs2QosiDKXt72Grxgt2QwZlcRNt5G6fpSIeIzqwAk37CZEfi5VXDqsOQQXN4XbU3A bmYM3oFvV7bZg1ByhXg1H16y4HyK2LAlg0A0JKU7CA677S2gyt8IVR7WrFrBpPztul3tPiG2nA69 xbWqSs1B7+nQC07P7tBg8I2Lhl52FUGjlaLT9aWG3mdWIWXZzQ29z62iwUntKJwrSUq7KT6nNhFI LUkAn9wfO4+qSjx9/EA8qoT6pmIdfFSqgp/w9dPHX7i1DShU/nf7DNwlAuf/Zp+Bu6z5jLv83Cpq LOaYBY4locfSV+zzHYVEmjbpRL+AtXWqbMbGxp88dm2teXZ3G+u9HuNll25M0PFJ4+4oswr1iBaT jhJ5gRHhD4gcWOXrPzvP67Lqn8t2+hyEt49VJd3nmEUx5RmmkMbl9XMsbx575cEUqr48TjrGAlgC ZGCfuxwYGFXXxlvYP49I2D+PSGjmrIny5nm0fFt2TgNB0DEDTWAaqJ+7HDDrWTO3hVXF/Eb2JBEh ++cRIc2UIVHePI+W56UStrxsJ3bUEyAD+9zlgICpSjeyJ7FC1iMpewIjZT0W06CyNAfZJTnAoFQJ e+0JYvaKyVdaSog3tCeJ9Eb/PNIbxtUkypvn0fJ1qVTKZnuKqNEqBn6u9psp/Wb2JBEx++cx36F9 k/GoVBTEaurx0I4TmGHhEGBf+DTGqJI0pkOSNKY1Ho0c0YxS6LUYUujJtZxkDh258AgXL3cMUBfa CXNNE24ogCDIZQjtzxhMsBN59OxqVEU4Y1LPfDJ90IeYWdxKZtMHSeXM6haMk0oFRI3nZGd5h3Oy oPoaZ4uVAUamnhpULuBfiQsZ0xzY8gZJEW7QfE5V614nk5KqD+b0XS48wsVPP8I8s8vSfC7rSN5R YFgaKX42s7+0OYJJTZ+vd5tAGGx+xuSDyWyXS5aFYOpHhLzAFJ0v542rt2KRFmyeI3/kB7PfFntn iyprAN2hgWKdIQ87w+UVgSUtMAxvhbwyDezjYF3WtQ5zDBd2Rxi8bpqykcZDh0A6MmjaEEEfSIca Qhjb1BDF2KaC0HO9fGsk5DCJi1FoEQMUfSzvZYyh5KiYDougmAhi0X3q8oBiuzpCQAwCBD2YiAvZ 
k1ghIyh3kHJKwPXac6/NiRSGoFdmPYZ3Bs/ExexJIrp0WAR1iQiyalJd3lNEu7yHVI6YcmL7NDb0 gNRjox+OrmlGCaxRDASoC5/GdkmKxiokRWMb5NLIEc0II0Lw4V0GRuTBpQg78oGLyIeIeieE5xV5 DkTMrcUgxEk18whx0MZMnODBfLgFVL2gmQBxImkcIM6xTuJDBWGidevpQOG1BYjizpWO8eECzVso pDU/jw95MC/vcBEL4GGG3jM5J9HhSO3Z8DCzNRYdLtC6xV6Dvc+Ye3AfmMMlyzxEA/oIjf/4AuSd zF00HTZoau5xEJrdBMxyi0W6thg037cEp+MWGuZKKhVExulYzF1+upPiZU2xNkfxi5sDUywMbRPF BzY4fV4bmhbRwLQNd6/HXSJhMhT/4jOBfN6qXOB5PXurRxOBmiOm6pP5iDPGUF+TDFDfpekhUZxN n3no2Rh85xL1yKnno1HkmMrMpYlKe8sxTY+vkpz6CWlKqB6GJVn187gUqx6tOaymVLZTyBASADT2 3Gqxfx6HnwkS2+wEiW2OQzKDPYUqRZODPYM5IWuKyKXNB5+ihXESwJ6RGfniWgz4HFczjz0HbczF h2Cqxg6pQdBM8DmWNI49Z1knwafkyGQ5+MxvkEGf+aq3vkOrPgN8JvdGakHz0ee84nM5J9HnSO8j 9FnfudIx/MxXu3W0g8WnDV4ktwBm24fNTY4FjaPCfNYmNZmvA4sKs0e9CE7AbaDJltRmJqduMCsx mV+PTkxmKsRrKB/BEdmWLU/DEU2ShiMJNv08t2eTgCMDnxQc0VRpOJLm1E9NUkL1cTnJqgeTKVZ9 /HZYxeGINoQEHokSWD0OBHFEkqKxTU/R2Da5NDOghIPWVQYoEcFEhDVI5FLngxJoimr94ShyMmLZ 1RhUMqlnHpYM+phzUMEcgR1ag6SzsETvfJ+IGscls7yjB3IwDMMvNVqqauhfv3Ja3b3mAZtIOpqz oAOsJ9EdMA9ORDBt4HKpF4CTDPXnsk6ik5H2s3Njue2x6GSB4q3jHSx/xvCDuwVcLlkmYrNjGZrP 5p1Mj00M/zMqGufHFqjbIqF8RxOcDtoYly2qTZCNRM1NkN1N9zZDlqH75Q0yKbKJ7hMpsju2wuTI Jq2YzuKWt8IkyaYhMY5KFzCnLFmudXpW145gqZAAcIM7XnXCAB8n1sIjxftZry0eW2Tuy1vAN4Gg RDEg0Cm4inLo5z8xIXrsFWXRTxhiLHpoNrCY7v0lReveTUDNKIHV1UAQh5opGtvcFI1tj0szAzWr BkNgBtQMph2soSEXmQ81WYVDNwA1RRpqZldjoOaknnmoOehjJgLIYELADp1B0kyoORE1DjVneSeh JmCRmt8Raua3ykDNBR1gPYbugHmoKYO5CJeLXAA1M9SfyzoJNUfaH0FNdedKx1BzgeKtox0sf8bw g9sOXC5ZJmIzYRNJ46mwfN4mFbZACxYB5o//5OG8bFFtLizgErOSYfkV6WRYrkq8psoR7OCVc04l gDv08wTwiDHo57Q9gxj0GDhEsYcmSYCPBI9+0hEVpI/HcSY9NIwy6QN25Z8wCCAQ3dEJBBIlsCob COIIJEVjW5yisQ1yadIIRHX4BqAMBCJTJwSIS/4JAdXVuN7pDTeZkezKr0YjkGk9swjE0cecB0qd EHAkzUMgU1GjCGSedxKBVFXZjAEINyAkfUpgQaM0AFmif+M2jP4zAEjqlICRNBuA5Gg/l3USgPjK z011ZTfH4I8lejeu1rH7GbNPnRLItxCT6spRfDbvZKprbPbTPMXyNuhM1xJtG5yzwMukTiPki2oy XWNRMzNdd1S9zXTNq355e3Sia6r6eKLrro0wia5xI+QXaITOcwWiYRRwLmGOea5s2/Tepzc+FgJw 
oqoTgFM/TwDOGANnZlvVScA5cIgCTk2SAJwJHs4cJyKIA79iTJxJQYSJg8+qOgk4TUfHAWecwKjM IYgCziSNaXGSxjTIo5kBnOCP65zjBip13AC5xPaNBfAmvseHh/CmTOPN3FoM3JxUMw83B23MBAKV Om4wCJqJNieSxtHmHOsU2FRtbd+3sxxtZrfJgM0F2re4Smt/Hmyq1JEDLWg+1szQfSbnFNQcq36E Nafha2FrLNRcoHULsAabnzH51JGDbPMwma6poNFMVz5rnehaogMLAPPHfeooQLakJs8VcoQ5ea78 eijNla0Qr6GjPeiKqoujDvM8jjqiDJzpLJMp1OFwiKEOQxJHHSkezowjIogTg2NMHGQYYeIEaSbT qIP6OQE6Ys+twvrncciRILGtTZDYtjgkM3ijVvhy1Qy8kdpiTlzyt5irGl/I4w0zlZPfyq7FAI5x NfN4Y9DGnN9JbTF3BM0EHGNJ43hjlnUScDTgeeoQ4Oi3mUffsrygUQZx5Kvfegut/gzAkdpmbgTN Rxzzys/lnEQcI91nZ7dym2MhR77arYMdrD5t9HVqm3m+fdjk1rzes1mncltTo5+iu+VtMMmtfGVb aJPtYurUfvZ8SW1uy5c0N7V1N82b1FaO5pe3x+S2xppPpLbu2Aid2po2YroQvrwRJrc1CYRxjLmA N6W2Mi3Ts7jRwQKEEZwnMKZ+nsCYMQbOJJbzJMYcOEQxpiZJYMwED2dOExHEQV0xJs40IMLEwWWc pzGm7ucEyIwSWJUNBHGYmaKxLU7R2Aa5NDNIU9ElEvNIs06dGyAu+ecGlKK34wWgpkpDzexqDNSc 1DOPNQd9zAWC1LkBR9JMrDkRNQ42Z3knwaZq8a29dwOb+a0yYHNBB1i/oTtgHm3WqXMDRtJ8tJmh /lzWSbg50v4Ibk4XmZa2x8LNBYq3znaw/BnDT50byDcRm+KaSBpPceXzNjmuBVqwQDB//Ke28+eL apNcAZeYleTKr0hnuXJV4jV1tIcc44tIABB6nMAfkeLOlFYk0UdfPgo+iCKBPeIcnDlHWAgnDkdY ONgwzMIJ0yINO3TvJmBHlMDqaiCIw44UjW1uisa2x6VJwA5kJ5qyI+WkbxSsY1vI8eo2YiLDTDw0 oK8UVJLhAmY2GuCemDNOsYlu7QZk6Qiad7HgElHN5YBG1NkLBpvIHuiBicy+YXCJmOaGQEej6WsG m+iWYa4WKNTcM7hEUnPZ4IK+j2zrpdsG80XVtw3iIBJLHXQz2m1rmPQuNnASeobEwu0oiSyF7Ek6 XtbTM9eOj4qxcYBliqTzagpU5Xg74e+sDRxyH6iarptWiFSq7wgIInJan+M5E/U5uEXY96GHaLou rUjHBydqcxDBDJXqZtTpOHTh7zF2qaZmqLzrcGHSPYbBjHfEGOYigP0cI7/Y/LJ+IFbXeKcV3mVV uPjbn9qNObxc/U+MtuZlxX3aIkoLFu2T/hMFIWmOtx/oZju82GeLcmoZ4XOr//wVQNoHhGt7aACR 0dfv9F/d6gafnY4Fln19e0BmxXGHXxK7W/xBNJf4A+/zalanzRaLvy3wq4GiOH8KD3+MNAPvzEJ/ 57bjQZS2w/uuHFrKPypFs5HnT/4aK9d2ZEJuOSoSrQjMzC/wEhogVt//VHxcP2CCtHa6Iq1sCmy0 f/WdnzhlNBZyGiiVnND+YnvpRHp9S53g3gM6terasWo3VdjWcdOacmlyropWOE3sDL+Lqx3IyBgD 3exBXYfLNVMr+qpabU5059tmzfhq+5a+5GA9TOqrTXdHsDpDijfB3poWs4qtDrtfP6zr1f5A7Ktu tblZow4avwBwuUF+W+DV2kenW3hm/v4Fb1fV1XQdcH2/25x2l2drENihwDtYT0a+/RHF1fSmAhjz 
n4xcm/drfW/dNbZ2u8HS1ztb8doU0aVxVqRwTNSxvm84TndcfUbNpKnJpbi0WPf+5DQFDKUBHUGN x5LkbVffr9nQtCtU1eZoe+dGd1W4QjyWBWOoakxlu9+R7+mwAz3j5bS7a6qoWLNudb05gFbewD/Q BGugiwX0/Yae9R2Jde/eIc3NiZ74iwfxnBAjHIf3B1WzF1DGDZfzGuOc0ybjEGIKwFwULim6SvDu 6321PqPWOgbEWvrrxtoHjlyjoxMOFPj9eo+6Op6oKBqMvpCUnoFLRSvabN9SH2p6tEZ9E3Cx5izD qGAmoTpf7rFVRW5PkgLvR3FLPqpY9QyvT2Lq24p153hN12PWwef6yWP8xZ5W7Enz+IF65N7kpUmA nKnzx4xrOvq+gb+fsMct/Gq+1cXaJ8htKEY1VfRZQFEpm76of0FY1GSUNMcKP89kMBHGFlgMVtlI vHxFa/3Val/uyrOCur5dfYR/uiPfFuhkqlVxQ7dkFt59z0SLhnGFowi9XnHC/saPOwrORxpRGxiK EcvFi+qEL0vMr3DJaaeeS3voTc545EZ/eu0IQi61G27TRSd0soQF+qHfrzYfoPjx9GqNpcpk4GkD 4Us0lHXyREuHr+lEfNw9iiP8NKErxautQhwAZ/s8SBfHXZITC3DCO+P4iFeybS0PcYFgID0uZOdV y2oyVPAnKZYiwBJR0IilNvrTBi12+xajh2wgihzR01Ek0N+crjY2FimwzutrtFx4oqzxwE9CUGBc WES1TpC3qAFK9sEDP+wxfB01m+0tJv6BL6h8i2OEnOuljvVAaz3vJTloGl9aFF3zcX8D5ohB6npn 5ASm2IDNUbM64FfSRtGU5mQIbSmFizNelyaNvlVBLi0mdRYYRhD56YStx+V7p3eOV7cfri+h6fqj A5Lw4UnfFApfHI+AldLVN5GRJpoBqFxZrPZxB3Wa20jPyM+B0RTXyQpCroFxTkcS3Er277APyWBO e7SDN2PXCVbbu1lrLKfCzG3QQi81aIG232wPn96fzIWpH27WtbGqgvBscewrAOz3Lil+F/JsdYOB yRMfjBCvRtY1DECusJDyUGyvNtaCe1Mehwa6VnlzxJ62Nm2ue4Xh9Q59tWZGg5B6PCF7F/SB0Ldc DNDiNQxii4puToST6y4A8ut6gOyn/isY+egBtqRp/KrVQCklVcifsq6j14y6kh0/bHFaAJzRgdQN wfYDTVLR4AG6gyKvewxt1I0jAMMedkSttKa3h93muNMTDBCaJEQ67ZG0ttMyh7y3WQDyZO5dJVWj eynFN+TCZdXilNnhi1GBMQ1+0sGqC3o21uCttC7DKRCasgq6N85w6c5rsz9LTLIM+jrZ4i4lv+uT XEIuSyoqPlJaxTmjlpbppoZ8lFTdmKPW2vcUCsVgRicCUTgoNtfY9VLr4p3Oqfi+qjYY8rWepKaE CnkeHL1gHgPUcyKwNOZtArAJoPDFPqlOVoXcBOMKt0B5lSXFhcl1kA3uRfK4kK8gHUyhQJJ/aAyy usPbnZaIGRpyrKEXAXtsNtsDofvjcYAi1KXYnden/Xvo2R6J2Gc9FDE5CPhezyEx83FMh2JWhQav qCR5xkE0TKBxgxDBxyQ5hsawYAL3TXgciZlx4GS8JwpMmy22jzCjalYf99fX2vSPJ/gTQ4Q2MPTU 5OscRJcUK+gHhESw4/UBeG9W96GGAKxzH/r+hrIWJEayuqDD6Gq8z9ir7tXqBS2Hp7mFnIWqaBnC 4/Yd6OHsb2AlMIHqxyJ6iQPYDgDhnTGsZGURJyA6iX5YV+QDZwIgfeJr18/+DoSMRvNUG68ov3E0 UTwlEAs6C4iEbCSUB8xpNLzVSe0ujc0ZC/kRzjvM/ng1pL0aC7kLLkTZMp9NEuMzFnIXXNT4PkaP 
zYzaphu57PpFMEeLc+ceWn67O27B0g8aH8MPzGESuN1r8ItdDYMA06avi3P87mksd89Ei8sVHv9Y boFJWprxaJ+DOT3BGmKJe1YLPOKUVwHgaOZVQEG7Znp38o/f/xQr2OIyplsuA9CwwF2uyUS5kF3J 7IXt/9LLMesHYMoE4X9DXI6fJc1QwU8iKj3sKU+KEIGZEYkAenugeHHaDylvzaoHjFD+PNprvFK4 9OgJFM0IgQ/qGp/2+RMcgbEu4wJAXZPJHby0Ei6txll4lj7ZZRxgnvIqmcvfKoYXU3pSbY7F8f1u u39N00SY2pHeCOPH2AhWY7Tz2LxkP8eowc9UnU+tU/EQGprV7mQmGaDNv62V+YsmS7sbmpnQJNBa BW2uwoRvdKGJdTiFyNI8AlE2Ek2vIGgpnAUVMUzIUA50DuOg7K8zNbh3xeP8F7O0w7UNQ+Mag9L0 txsDcOAnw29TrTT7wbJaicMOTKweltIidB1e7uyRkiLA+p0pMgrY4c5TkFDR9tOIP6lw35rHLeqz YCjyeiykGGrHUayTYfjpLdrDpxgvnGJwn1eJlm0Kv7ARk7q461Y/6HQzPfza9BC074e8dRiGQFJA CKxt0KoCBQNLL0zixh1PzDMjRV7VMAtgo6pZXtXgmupx1QZzY/VlCbZd0geT4rnpk9+nnV5tRLpN 1Mt07aRttDy42QNnmrWR1f9+GphR0vR43LzZOZI4o0ybgfXx0D9f43cwIM9zlCWFwtn6HfpJ4rpB F+6nvKphEi3YXD8Fl54UeFm/6kf9YhLqAD91tF5E34BIuKh0/phJswjV1HpFSdDCk12bQuKspR6Y 04iR69hcmh7ZU9jVGJn81rUeY3EPxCuMAobNB0RbV7ub036rM+QUd4SwE+0zg+6Fqe236GinU0Ue 8/3lWm/eMJYjTG7wZBYVH3Bh9s6D/DH/yllLcNRlHI3fnBECdmm9dWiQgNbESWMURt7SYjQIYr2P kGbteRD6HH8xWtPq2eAw6vvA6uzjnpZIr/Sn/8Pl5EOfELDVw8jZ640sckie7HHuKbhNq31aW3qv 0t1me2U8v9DAjHMasIFZe7z/wcerUEqP6YVb6plGrxx/6qM+qalufK/ddKunOUOPCQ2bK8eA/5I1 6pnQ0duV+dUKdfpvvXKnZe1BihPH+1xo44YtIMb8OWrxk55toPZRZT280GV7zUAJiweaZt5eEZIB EPAkjm7rYXriN9AS3hQ6/fHLPorjGlz8d4uZZTAdNU3nuVaukx//1vnvj3sy0br2Uvn4GYERdnSj vI6OreUzzAeMpe8aPcH5KlpOVeSIJ+K7IS620YReZuAp10bCBlf5dsZdGRXogf9x7+TH//13bNg/ x9mJ0SDhHc0anEHynvIPm5Gt2HAN9f1JV9E0PqiMy0aLQR9p3nt0np3/DRh9u65dO5ytfBYG4zEd 3vnt+gPo/1iLkdQOzgeT0asIhLo3w8INBZuRNGW0v2FEcOFX/QwByOF4OksZVzOS1yRXlc5Gvrc7 WwYdLxmnilUYVL0Korgdk4o+qRdWoL4+gQfaIu9yOU7djS0MLx9XwTBMluG6I6n8kQqfv+ufIP6S TaYjrhVict4o3FexyBHXLR4I9KTWjtgkAWO5DF4KvxT6Fylwb94N4jfJV/vX+vdf8Bdm9DWF04V9 s7XazZq7mRpjLLze2TXP09WZLk7J1LGl9Iw2OkbPTu9EV6Oz8loQ36XZlXXj0/azJxDysDP2YZYz MKLrtdx9j+vjPf7C/Amlvo7aleB4btWTIMswlGgxWXUHw8CDAX6V/hn876LzZobzZq+cLhKzJaUU jVinRHQVbDzYaj5KzPydlvX0bqFwMagGN+g7RV+uDh/3tKC6i9XFKtrV6hWKuq0HcXfNpG6ry0d7 
Nw6MklvscNUIwJZXNDrfh3hajcQ1FnuglOCwnqWNtvf+CKFYHEI56fBEK3lLU2ev+hd2YwH6NZFn vaJq0Wx57TjoPOsVjFNYdCUAm321/gNai7Exr35JO1ruUr+UuKvRs0939ORVDzPbhrnVGyPPlEE1 5OImOoi5uabCczk+/bosLvRuDybNdg97LDqeH1S4wpBlqBJmgYoFDVWv5dF+E4ocPDngCCNtcPdQ NNbX5ahxM4n36WlePwIqGmKis56VljiFPiNwUXxdZPUxr2hVhoOfbjxH9iIv1VTRrktHChu+ad77 9zXlgEE///np/AV0/tk5zpfOfhivGOoaZKiGVmAGzqvhOk+2tp6UjBofbzucQ3rEccxLnThSvaj0 XpM/jYs9fKZCowM8etV5TCjq6CWB6vfmtf9fXjIL7x5gY8n6Yb8eq3woR3uzvHI5a0PTk9bjAAlW r6y9f7zaHSYRLtzrrdJB0i2e1+vg+iclYx2JwLsa0VLaUels1+7mlbZj8Nt/0OozBqFXmKbk8F38 xJLC2aTHdq8PIMRzqoho69ovNIsicQcYdK5XKL7ExTFp69FaFBlLkTU0JrxOcACxzhOZlEBDh10i jPCNAsJnNCAATDTRLjWYrhoEy8WQJ+Hc5FsYYhNQiIzFD1B7p/KUgSesBAsrA5dnAD/3wIPyk3bv 4TEmHZfOiobw9GS63i2Dqb/OT39jqrBOzuwq5s6Rftm9pq02B7u3WDZ+9rCXGS0VJ0BudQD8tYem zRv/gcD10/l6mAzgLMhMl3BGI+Xq+TMy/bzTK0JiIskswPa+bfHpFQCrnLntnoPyZr3U01R0POBE Qfi0tEXySGlXqQGo3nP1ibIuFPb3m2GPtzu9xl7QR1nsxhHU2tHZoKsPDOmSfaoa/yb7gT+efwfP z39cu7Pwvgq9xXcbnaB1NI12G7M53a6lXdKLWhWe4u0RCeIZbD5tEiriBw0Zdhb3y5aFs9h7kWMm ZlsFnkZmcmomncqyEiZpodSRJRC7/DlQUypf9kCOSm9V7EAPNCsqfqH0QGdHMYFS5/DHaQRSod+N wewu95TVsovL6OjewMOr8UbstTkv1dpNkPCt3WaLB2DwTyipZ0K4mi9X282wndtkjiIBHvxd0/qN PsvrJYnHNupoL4mQRwggE71cnt9LeAKpk/Fu2pkO8NVOgegjZUzjFt9we1sn3h5BIdYeWBvSb9DZ ouq7hlerixh4wsVt5XONT+Mb6gaX9qusoYJLdVCO2Rvn7tIHjNOrAJ3a50YKx4MxvrjTocIaJ+Zo N5XM2nnsnOSUqBzDvzSzq+s+Z0kEmeGnRVTEmtreJnsXbWH0kSqgrTN9bHEIpvDpLR2DnK6lR9BH 1eJ6YpbJCEavRvBoISQLZk03vidnXEUUDAnaJOPRxraQCNBtN7J2xDzCJqn7pUdzsAOUQ4c8NoeT 3phKM2p98JOUVumDcsxoks5Wc9Bolm/SL84c97QKbfRN+KaGoHf+uMDTeZ0cK6xfGQNj4K3rOrZ7 3Hyo3dThRAfbf0+tgOGYU5Q47ScPsayzXg74DTW/x2M8LNIN7bCJ9bI/OLOJJStwrsCVL8TMVHD6 gmd/BxxtEWNCWQf2cvUkayxjdG+goLRXHb4MmkZo/LaTKuPb5ugtJQ5t4WSAvy7yNuzUspTMFdWY Uaa8Nd1WmSdvg1bu036Fi7R5OR+dUvF0mpnuARDAR/Wa16HZRb8sTCFYhekmV1V3QH4C56deD+tl 7lbnUGDKnlznHvX2kBzNa4KocZU61oTMICMkvdvZEyXpeoSsMVMz6vmsZC4bywviNoitFoiLu3HE EnFrVvLGF3c8HAZaWhLzjSuaLK5pTSyTGF85weJDK+DOwqeqw/u40F0DPrOe8lEFE1y9L0vqk/60 
e6ulo/xPaLOW/qKlc/5ZW7VamAlzv5qoztu2bKoRLW7U6KrVozgwrfF9aF6ZLKyFM8G2xlTg58wO IHzg2pJTfd4SHB64ggJuOW2P5g0tVQWzbjpNfepfh7KlRVGMorRKZ+NxbObEwVXxLk/zHIjaEa2T HtMbOUAESq20zep0oFO22w3tNTCZGXhu3+WCf/ZHx/FFLCYr+YbeyqN59FmltrV5slCrX60+YDpo tL2MMkPwdLJ5s+n3bnbdZNNPYkWUEZBy239xFTp2O0I7XUtvuzKZQYOWxBgsoQVPttnpr93UFipi 80bvNtrQq3TwmwNNlWkSrfM4J4JGl6YnbD5G76jBLzu794Im7ntzfEo/2Vx7Wyk0pMVqzBYol0tg i3li4Up0vjLim19aXCzzaMdKsBIk+h7Iwjs+53Z7tpLenhnaZmJ2e15u0JQ26ZNCvJo92MMkL5lf 38R3/z+YlPFADQplbmRzdHJlYW0NCmVuZG9iag0KMTggMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0 eXBlL1RydWVUeXBlL05hbWUvRjQvQmFzZUZvbnQvQUJDREVFK01pc3RyYWwvRW5jb2RpbmcvV2lu QW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDE5IDAgUi9GaXJzdENoYXIgMTA4L0xhc3RDaGFy IDEwOC9XaWR0aHMgNDAwIDAgUj4+DQplbmRvYmoNCjE5IDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNj cmlwdG9yL0ZvbnROYW1lL0FCQ0RFRStNaXN0cmFsL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNj ZW50IDc1My9EZXNjZW50IC0yNDcvQ2FwSGVpZ2h0IDY1Ni9BdmdXaWR0aCAzMjIvTWF4V2lkdGgg MTE1MC9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViAzMi9Gb250QkJveFsgLTE1MCAt MjQ3IDEwMDAgNjU2XSAvRm9udEZpbGUyIDQwMSAwIFI+Pg0KZW5kb2JqDQoyMCAwIG9iag0KPDwv VHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GNS9CYXNlRm9udC9BQkNERUUrQ291cmll ciMyME5ldy9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMjEgMCBSL0Zp cnN0Q2hhciA0OC9MYXN0Q2hhciAxMjAvV2lkdGhzIDQwMiAwIFI+Pg0KZW5kb2JqDQoyMSAwIG9i ag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9BQkNERUUrQ291cmllciMyME5ldy9G bGFncyAzMi9JdGFsaWNBbmdsZSAwL0FzY2VudCA4MzMvRGVzY2VudCAtMTg4L0NhcEhlaWdodCA2 MTMvQXZnV2lkdGggNjAwL01heFdpZHRoIDc0NC9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9T dGVtViA2MC9Gb250QkJveFsgLTEyMiAtMTg4IDYyMyA2MTNdIC9Gb250RmlsZTIgNDAzIDAgUj4+ DQplbmRvYmoNCjIyIDAgb2JqDQo8PC9UeXBlL1BhZ2UvUGFyZW50IDIgMCBSL1Jlc291cmNlczw8 L0ZvbnQ8PC9GMSA1IDAgUi9GMiA5IDAgUi9GNCAxOCAwIFIvRjMgMTEgMCBSPj4vRXh0R1N0YXRl PDwvR1M3IDcgMCBSL0dTOCA4IDAgUj4+L1Byb2NTZXRbL1BERi9UZXh0L0ltYWdlQi9JbWFnZUMv SW1hZ2VJXSA+Pi9NZWRpYUJveFsgMCAwIDYxMiA3OTJdIC9Db250ZW50cyAyMyAwIFIvR3JvdXA8 
PC9UeXBlL0dyb3VwL1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQj4+L1RhYnMvUy9TdHJ1Y3RQ YXJlbnRzIDI+Pg0KZW5kb2JqDQoyMyAwIG9iag0KPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0 aCA3ODkzPj4NCnN0cmVhbQ0KeJytPWtzGzeS313l/zAfyYo0HrzmUWWrSn4luU2yvosuW1t2Powo yuKZphQOHcX7y/fj9QPAAEOCgny3W7uWyAbQaDT63dCz8+1udd0vdsXz58/Od7t+cbO8Kt4/u7i9 +/3Zxde75bN3/cfVpt+tbjfPfv1yucOPflj2V8vt2Vnx8vWr4uXF0yfP3opCiLLSxcX10yeiqOC/ ojC6aLQp67a4+Aww3//aFB+Hp0+q4iP91trfvn/65P2smP9eXPzH0ydvYLY/nj75z6dPijc/vyqe JdB7ebvb3X5OY/j29nYXYRjgpLqykppwSq5bPHuHK/786sfXRRVtVCY2WnVuo+9nb1fb+ameDfNT OdvNRTUrzvF3+nHXz/VsMT81s0/B0iGKoqpLEU9YJEHb0sSgH2a4qpg3Mzk/VbM2NVK2ZdPGQ09T sEqWYrLFy7kwsxWusCtwwb/BrpZzNfsKC9O+P8xTszViinO4vT3yi2c/9ZuPxWy5medwXN02pZR2 4h83czMrdojmDSC3Gophicgt6CRWt3gMG/iimHez+yWCJSmtdDmd/WouYNPDAmfcri7nNVCgo7l2 N8uip2V38Fu/+FTgz9dzIWe05rYgBABqAfTqh2UB/9A31zj8wdNTFVyrLsYmdXoKKF2ZGPYSiQEH 184+LWGtr7jWUPwtNYOBE5vMUM4FEOvCUXZJG+xxgzvadw8kFjPeN1H7ds6kHlbDbiCW4f3ikKIn uCv4uof7gRdmAbgRwHqN0y92eIFWuKg9tMOoGgmbrWNUU0dqFGyrjWHv8EhxQ3QmiXHABo0sGzuk 3wDrXxETncJe6NcCkGxm19eI+wp5kBkDv7+bK7dAiSTiT9+m2M6YUstovdVfPCwxoDalrKMBeNhI /d0NriWQ7YjEjO6VxX61W3n2xHPq1whQzfoveNNhzGa3WiBEv6MrNO6Yjo1OHo8RTshSBCjJANGC uP91vwIIXAWvx/Ivd1EsOPxEaPCvl3TLiEGiiZCkn5ErcMbd17mDH5A8u+0KkfgI/yt5Hxc3jDyj uBrwt5NjlMRjNm0pnJA6L3DIC3vD/w3XBv8NTl90s3eID/30InlAQpV1HU/97yRsV07RgO1IAbtZ giRrGYXtkvcBy/4JQqhfrzxOHbMfkujLnGQ1iOddYjkpm9I08XJIx5roOPAi3ez6Fne5pYsLv56/ +TU1XwtbFfF8KSkl27rsJmt/jyu++vmIXBNN3uxKyNKoGPbXH2FTv52QJA45FggKJAbpTPpgYL4k 0sKulyiXdnS7PQHwbl2z1F+hgCNoYEhiTebdxjIcQiEtV3/CNMsNrQ0EFnWaC6umnJDwvfg9BQz8 oie8lZxYirKdwAYKirGFjSzB5OJf0tdEE0vzHE6LnXZAKBq5pAso6F7f3+I3Ndg+MLO9s10HSuFf KCSHkn/91YkH0hxWdnasVnGuarZGTbDcfCSxhuqkHfXnaYsru/tB05M4ADFGfMyfwa2xP6y3+BWY tF/9Qj3PSOIF7816t7qDpdb2ouEK4WoCOaUmiYCjL8kOsjJtOZzY/W+cnKRpl2uc6yvbHDhJZX+k CYBtDs4An1vRmD4NUIGy9vpMBSIeRQGSoFixBsZvl9vr8cQZs6vSyo6fEYXx2+UtfM7XYHuCxgOe x5qOyJ5EcbmeWwzp6CL9T4oFNmAtAH9gAoZK+LU9Zn8p3ZINEm7uX2hzbv3kxeVqN7BI9xZfz9Yp 
GQ5IxnjyZ2/1ASNSS112XbzUem/kIfNTgwCdjkxtSKuqNCKGfYFUqQ4sBbKxjlfSuqxA+CnlbJfi tAJ0WlD6i/czsO7zEDZ6ggR8jBOUKaxNU6ojO9yz3uVB6z1kV/B2vPn19pZs6WKu5Cg8ZBubGLIL OIrNQ+DVBdov1Sww6VUVGFvIFjCX6vzF1ZLlCYAdslt1hR5BWjBLw8oyRL8fPrF9AnNGxn6w1q7/ OJDtTAsPhBhfmBWjsXSmMAwTs/vVzopfAAffLnEslSiViZE5T8I2ZSNi2JN3sNOkx6ZRrUy2mmRr UCsmmr0AvpRSEFslrSINDCW6eBiNSG8ZnFKtYqRSdpRWbammW07BakE3K2teDRdzQnagomMB1BzI ilckZv3HMuuCgz0EWIhq1M5D3pVuu1LpzMPq0BWPQElPDDuynsHpahnlUfGQVkbNOjxgOxuY23kg v+TsuIattDCsKhsXnFll7biWZR2vVxajBYFaXpMVU3j5cF2cF707GVR0bLdvnbVBarAny3coyPO8 GZ2Q2O+AX1iHDwQ3mstFf00+Pirwrde2+7r4BDC5QkNoWG0Wez7nYQ2lgEigDMMt5yko1anpwKTC 7Qzy9gga3+M8LYVBHgVzGGcf2lst5lJbnZ/F0yCAuhjtkwLjF0Bx9kZIDaAhfj/Qp7ubPuXlgI7E O5WiwZ4GU0c1mATJWwFqdTuawMRNf/8JGOGfv53/9GH2Qw6tJAZZGpioGT39LOJIo0qhYgxOzk+Q YQmRqaA7zFKyUaUW8Sx5PCWbem/khzldFXaWE/oTeFiKKeFqpBsg/c/fULxkE0/pihjt0cRTWqLe iYmXNEE1cWEIm9IMylRlOz2UJCxcyi53XlLFASzafULSrTrJupQKiQTbaEBs/h9MR9W0E8o5jZ0y I1RLYcRon0np05J9G83+aPGjuv+XneoqsdOkCSHEBPkHRIx+yEg22oxacbv8iDmELaqS9XLgeEMQ TOX4M5sbNmzRr7/MRYMKTDRTUPifjeA2MPXCBd9gemE4HPJlrl0AsEfT1QfObbzEOvOnDJ53YcGw aeB+wJVq2sfdWCEx7BNRJMlFQpNMDWFfEA3eZCEJ7lzTxEhOY+QJJBXY49HCyL5Cd9amzTKIFFii bUQjy3e5ok2hq5bCYZ5y8ZTu0IKPxtGQJJVBc3UipvIHDJdK4YJoFJIFwrfpKNokqnjU7p+ulnR1 FLipk/OnAAEpxrS/A8J7ukTShAbhrWJqoYzpmu4BhwfMXXGIyumN18DMMVJJv6SpStVO952CVSBY c+dty25y0HMnaDCmBD9SeBOlBJ90VoxTVSigo3nfo3ChuFoy2Amqu63zTgmB5AR2L9iZdmXgNoMC 4GFTT4JCxejbtzbAiVxNInlMrSF5XIjzhOTP/c1qcTNngbmAITU5K9erLW6bvIuBA2wUUS7RnpKY w/Dr9DaU2XIgk8PKy81yuxdECOKRhAdFQjg3uSIRTt6KTVrCfJ/BCKO9DXBjwQFafbSZu9U1OlWL ngZRJmFMI+5sHBznqdxSYVQ9TVxRl7Uz2pabxfbr3c7nbsCKrOsgjFy3oKKGL2tKSfHv9ytOpcJv RtsIcT3VZDSTqf38UaaLFwkj0gD5U5aErioyfYXBiMqjtBi4DV0Tbz4pXytDlnII+4I3n6fGwHtC ZRRimanGpJxgGauxPFWvFJlP4/KPU2NKkxEX7h6UFx/axQ0bJEyN1X6Ed7QnKxK34SwXWdi3hrTh Nxwx+JlV7hGDM6TElNAPRs1U102WsKTN4gtdafIlwq1N2T4MGio8BTVuJo8MaD13e1sbeSgvkCDA EgMekuTmRYEEqpTocgMJsuVtRMyUtB4EEiYCJr7Ts39QCpx5cPD56q3LTpPMWrIgyYr2maomhT3u 
LzfcZzALqvO4zIDpjFowhN31H59tfAzaRvcSwzFVmLkSYASyUbq9UOgLlBtn34AqH/JuH1yhWupC d2THPYbtWiBLO8EiZQJ1IIv1BDbLQu+4kuwb0BOwlmnDJWPjPF3w1WB9SzSOhenGqy5MXhrQjz0l 44gNWyD44NmU6tCWV6wxQzVoHN9qQ3kKlrNG2TqqGIDtHy5xQSG8sWVAsFhQ44IfBKlZrceb0dt6 uMUnm/mESV0RFv4MdpEeI61UvuC+hdFZ/KNrA0cbH9D/5EmKukFrO2SJpCnfsPkan+XDKY+Gcmj7 R5knvFuNwYVoZ0nhDdfIIBWacTOZVIBrJPe29ljh3bU8iXZW9DeFYUxF4ZR9elGwEZjMepDM1nli V9XkQoyYHdEoo2xrsCQrGpSqOzHoS7cx7FSuj+JVYuImJBPSWjGtv5uGsxNEYhm9R6Mjglq3gU6P 0z9YdmDiCBKH1/19BsWRZSkLRXJLt3K0NfJYUKgWb1eEZVI6aoFXKoL9MLtHoUEiylXADcUZF2pR uRkYAKDMU+EQgdohc/lOI2dEsNZSIMH11x05JUTWTA6VpkLbHW9wYBgA8b/DOt/Wcut+HsWPrzv0 HaLxyRKsRhxYKwWrMekQwB5l1nFYV7ZdPOx40FgCx1QmcwMgE6ebFXiV8zNNEo6wzTxuCfLUqBj2 xSPOVsHySsXo5t1yJaiwLgtLBfaaNEduOSlhStdw2nO34OBx6ugV6IQmd/FOoiCKYEPZERSI6TAC SJgUWZIFg3V1E0uWTM/E7COXDvMBXzQhbJ6OrylYGQ17hI6vW9QI0dbyHHfdCLJ7YkGYNERMOSFD pglSlc03YQf3VE1p+cjguIaL2kS0KR4TVdBdPd1z2g8EG6ueapUUsKkonJrFVKYyk4ljpsrifyNa dB33CZGnXtHlrCabO7Gl4XgTxyoJ/OhoRRTaEqBuhLHTLKjEorhaYhmJreC3ccaBPBBfTmFDxbtj YkfUFV2GcIV0ETyFhiPYS9ucUjg3CD8YuCyH1h+rI3uMbVphiF9TwDfwkMfyQipN9a0K2+1yuIsq ZeKqSy4wo8BtWZxTERhqcXC5e/RuKDLbr8Gc/TxnOVzEFW09ruYmEa6xZblec23xF6xVacKyxzwG MjV5B3U72qiZvEPGZtaJ4AKGAnlWQgOuN8wAXFq6uN26onWylSgSsfUlslRrE/frBOH1a4qgcxh/ Q1pkLB6mNbJEilSaTA2jMNb0qBIMZUgfhztM2ZMSa9GaGPZoctg8lBzGjJg/uV/m1jPfLbkeWSoq honuL37IXRd3vnoybVO36MJEi2SZNwJ2CG6fBh/Ls0eeeSOQI+MVk9gZcqIj2G1P2aarua1d/uz3 zHeaEiQLFEKpEzJk2+asL8GvQXsxhO0HT2ygMFUmuR4USg5RpoblIJZR8wk5O0gaEEr45cBGkbeW pKSNGU6oTDY2FdXSyxRq45GCYHveNccoZViXTTXuVxzjkVZk/ekdvTWn81x7W/qGi2ZUIjjlnVUc WmG21/+cxT5tW7YYW5MitI6b2Xcii4e6FtTaBKV0UI36GyPYA3WQhPtmroJQKUmYwfdxwfcXYfOS VtE8ePBf6PebuQcITWBbNU8FF3xyQlWjWU6Ag4W83nIznLHGMsJK1yEB80bM4nkFv5ncghPbeAXf 3KOitvNTli9uzdJqrHCm36Kcvd2NjYFPz0gd7tbUYC65+NXzSog3lWhq+LeqRPuqEq8a+LerRHde CfP6TEiAaV6fnRr8tz5T8E9XwX8UfFQH38mWYP0XqnkDv8BixlSVac5a/Oit/b6BAS8NTWbnFOf8 zxvCgqA0Tk9onPMXsC78e3YaLoPjhd7HUVRuDMETFjQpwrwS46TtqzMheGWetH1OePMvOJV5HWwZ 
l6okkwXJVb090w7m3H4kPSVHNPFDQE37rfqvkDin+vmIntaSfslySxuJWazwTNOFbFw+FsEmK1LA 0ehMDJtO9Kk92IsbulAnHDgOBBOGs22+PjtVYzsvMCEmv0Eu2XqRrL1o0INaxbCx/AFp3rqo/9aG 1dmeulv2VHpso/z9oRKH5K1UIHydcWLZHjm6sT8j+9RviVOJT9o2cfXoi+78rLNs3ry2n5vn451G fm8McZ27JF04HrkZmNXEc/KdgfGhDGi74EIgDKx9qizD4yWsX8Hla8eJKvOGJtHhXT0TVXAFm25y K5rmcbfChvBCmiZvhYQTB9Mjgk1lrSRY32B6RLBJMwUcoikOVtinA3ViMmDhOyXTEbF2D32yQlIp RQxkNSpvDwrUsxQx7NgQ3LYTc2bj80WYEWjqsa7lyiaqGrgef3wB3diTZ8FOA/USdnxfhpSFiGml CSaoYxerfre8stqwbYPeHduSeEg1jtdOoX8bTZqXxAADvWsp1ObjMI8QSOzEZZ0ASoZGj2LvD5uW W25XZJageVDc9VvXaGxtV27ox4cXdNQKqNg66bdfaSw5LOne5IoM7Wj9E+eIo6WyXV5+RWHIRvfK 11GRLdvvxv7PwHundfNitbIm5msCJzkzVivbUk8QT7K4guEihnV2XGTrdXF4AhtnL2wdL9234rrf noTvXiQZucPa0izkNGr3GLTfoWXsnrdgxUM3arVdcn9QJgdTRi0ibmb1g6H+qCz8Mb/WhKBRoeZ3 x5jedJPYWt62OuxLUnUQWXvEvazhVlfR2umtwcmYKWx0OU98Z3Oe646ekIxRzzsQISv0x7OwFlJh CDeC5QZk4m8rrbdfR+Snbm72fjqFRz9u54EE9Ch0NGnBehq+T2agsI5HTQmH6bo8YSGFLluTRz4p QLBMYLn6dPvJOqRdFxRm4m+uKtK4Nu5Re+aJwaoqazPl6SwxCD52p/J2poCKZgJ7oDMBN4QFncgU +0FCfn2k65LPLKmuRnETrcJdDAM/bkNkSWdNJPXgRcMvbj1fEquOIZTVFRdA01dYj9rfYVPFNLw4 phywMTOae4y/4BzR7YZPT/hjsumOB2kUlkI7Kculx2H0Bzx/0phU1bYEVBN3FxhVtfFkee4FypbJ SPReX5Lxbd1w5wqjHf6qIRPeO6SBK8+OhrXNwZ+nAaNjbT0R75k4V16piUWv9CMtenDI8OaFm09a 9FVHEuEYocYbLfdg4x5i1LPGBnmUySwhAGMVbX/dYR74McJc1mzOZ+HesOkSwvJtXX3E508oJEsh LS2nTix2EzPrsUFjC9C8be+Kzb5Q4fmwdDGpEztoHTwLpVzdOBaTjaXhYWjKz+dRc3Pwd3nKXdQY Fv8GquIjLVLmUdVIuQcbXf3ygS5spSpsYXJxEHoAzeervCZl25zCfPxwVQFWHJyXNewbq1dGOXFJ oWrb1zP28SyvCgp0Fv3mFkZhgHt8jqO/pH61EwC5Qln2F0DAgEtr/fsw6MEY6wl9MdxGz7n1o5fh GSlK3u1l0Ohxnx2ibjNoRyjHdRM+XQWaJvYtqbGbdzymBH2X+DVXu1ILBfVruN1PvI/RIdpSQHc5 3HlfNM4eAknrsKXdplftUfgEImC0cwdcrG9dOgjbG4ovdwf8n+1yjdeORsKx46lTnnS1oRTdYFXK 2KXyUEcH9jY0PjRmq1BLpP2Ptg3IP5XknpTiErNtSh3iY4VVHU9MgYjdEV0nsF23jQdlJq6ontO+ sRcacXmWu81URwsfy1Q3E1i+4OTTsnLnfrierk1S/mLpuIgnQht6+dk9yAOnmg4kgXSJhmJNZcNG zNa3km5ssnB5tUzZBbbjMprrZNoLlGm1Y7+1MtNzyDI2waEUIu8EbLtjBDt97mLwL63RFaVO2bl9 
go4yqD3JFBf78S+IoTm4Q6UnXbtY2HWLb2Gh/Fzh/3vHx98JW9EtbGNW8rrJtkGrYfTIUbotPpXJ EhWAb/Rk3NEMdP1QBlrWetQyf6dnLETnks2d5SAq547cjs6FpbsD7Vr49JjluQWwrn0/w5v3KQuK wpYRPukbQw8uRLBBE1g3+8lWi0w6U+2LPWY8MvwU8+4n/uh2/iduirRvEvbUS4eidxeULNz32+R1 akHwqbz9YA+RnsDarGvniiycYiBnYouNez9gdpptn1QSgvycaNp/2MqKJlA7BSl8q8SbwEpBWFd4 M7Vm00yNgZ2xF4NcE6VZi9odnGqXML+3dgbpsxo7j0+VINKfKrgL20uMSO221CrGwcY6fLcxx2tB x77qIrQOOxEud5FlX0uFNnO016QfISnaH8GWvMH/otNY9Gu0rpUv94jKClQd93VSncGBzk7upQNo 19qJVA9rEKIpp29LJjhIU/NWhPo7eiIFEf8JbRB8JwV/2W8pHD1iaiKIJjk5P3mX97oJFsnVk9F5 r5vgM4nTkdRwIHX0UCmQKatoEluQ4TZpklM83aEqrUNpOarzixBJhzqpDj6CxeuQvm7KBG4Mdwfz piZ7rOw3wFxw6zbMgP5937hZZxV4Y3Ymb3XW2F+ULJGqNMZ/IqSSUrxqsAU3gv3vYbSaeWnnMH/a eFfxfsMM/aevhlhj5Npi51ke7hPqgROeyNVPKZYdy8XWvf90N14dXg35o3cN8TzkwoqeYRizRYwE Zop4sUDWpSSUPzelsMox2vqHGS55nsoZGk1PfUVD3h1hIrCf4+mTZa/GoM0bAFOI1dWylsd4DyzX 1oTRVfJTgS72MYE/l/QOFzEdZzeSQSlZtjKc8H1cWTUGCu4Lam0RnABqZs3I1/T45orfqNaR2cYi lQpk1Jho3N0h39gaGan2RvR8xN+/BVg+nrywTSeIsaUuW5ETtE43mgMx9onshNidc7bXX8lp56RZ v2audcVg/OMPYyEwMyzs68CV8vJgeX29WqyWpFaOhyp0p8ouPrkfr5kHXFGSNPvOMhcV07GyiZHm Mo7M89SuEIsezzll+XAD2rAmAYXviBZknl3vufVBHIqPffz0Onpn/s5TBejqnxsIiHsSvtOz5Vfp 2SYk+7f/suNl6dWd6YsFn1zltH/WAZbsPztn3wteZmMwXm+d8t8N6buIdSZ1TClu/LzuqW+JgzDU SXVd3DsUjhAde6daF8Be3Nzyq+9Y4ZgahGnoajLwnPkg/aI2/b2EaEj6QW2SaRFsWppQh0EE+6BM xj8ToOIxU/ma6I/rsGFDdMEF2LdMD0YbtNhD80UyJNLgCedt36D8jmGz2j3xyfoaFzHOYfgmwSXq yakWxzsZRd2iNozwXWGL3MaXxHrFHLoRtRMuo8eSDpQoPJ1oibiA1wrAQGT5VoNdz6HRUCeQDfER 3WOvosTRR5C5EC5CwJewxC0K+6I7ZZwLTOVlsQSWvmmVvBFEh3svDwtbhuwjmVeEp4v2SxU07AIt fnggqiiaZnxy+MPMRyNtTgwrYqNqVOUe/cSecy/w0X8fQq/GQkf5BsV/AsI76/z9QY9IqdG4nFoE 6Z7GpsaAW7AjesRPy+O2kmwFplDDYXwlvl/5Au0N5zo4dEHJkeB80BK+p4i5S/UdOB0X1rc0Zb1D jxgjIdECmNjCdhrhsi6pHDN89YMnpgsErP7AiDAdzfrrMdZHDuCunqCsLDDzhQu6jR+uOQxl2eKj /SscGAAQTfjkc/ygK71SNo1TKPvGk+jC5ARsecFP6qHVzn+Y4RfcD/21DftWAcXv+p3/Cw2TxAYN Z7oIDhfBJAejNcurfV/34FMp9BqbqLFt+TGJWS0UhltDKtuyTSxztilYgRWW9SuudFZBcvWVOGsD 
EFegiYWX8DN+LjE5K19hgve1enlm4yaqwrCJ4JENfKYmi2GJaFDjaWfPiq/gyzbgMkd847u2kNyu 9QjVhKsqyCyRxbYYpT2ZcJ8vDdWRhkXiWMvOda5cf2rJ4TcV14lTHKmuLYWB6s0k/03fyZbH6SCl XZsHi88ZDqNT2mAxbXAGNK87hNO69efka2VrhKw1b8ztsxoL2etmn1UYW4dM9ZYrdS1P2KJeYULY sSw9/kycB6XqvrqdpnjN9b12q1yYPKJMle94DkgDhK3dZ+f7q0THx5UDDx3hfjvCsSOMqSmwKL/C k3DLjCfpWMhtz5ZFmIoP2JzHS1nC14cijyHLYrxAepa15IzxV+alv7CnunnwsnOlxcjykxKMkf5U Ax5UYoRHoAMiUP21eH6o/WNk+4DWGHZNXZejVSBa510Z3U6vjOd6WnvK9bwZW0Q+4WgmVjVuCJjV M6yWh7HFY2cC+bp4mqcxeOK+F6WzvGm4L4Vo6OriCT6vxcV+vUeQuCgeOeOAHHH1OYQEXhBilmqs 7XdcrtS4AXehkOgBEyGGQucH05HB8aE7K+cnf2aK39/A8stnlDtfYSacdMGWupO5zwljG900S+H6 nbpmr9TN+x6twgaycH0bBsBx5kC9C7+sJLp6dr5GY8E2BqLDP6bnqTtQtI0PnfoJxzRfOq1J/Skh SmOuZrAbzUvDNjyTVKP9nZmGbTr8cyghDsfee0Y3JAD9jjafWZioqwofu42QfExXDj9Un4Opxso3 EYH+4YpjuNaWiJuLd00vvn0DcXVNz/tmoYx1XBHkZ1tM+NkXKI5VlMx0uQ/XiZaiDzHdcxMrGF/I wN9IU8a8Ebh61E27fSD6JyrtrWF7d2Krnyuk7V9iyKsSwb8SpOkvcLZ1TphjDPWwVRoMPF5UjG8n mWilxxUVC11j9UxIgweavUNQX1KcGNFQqilr8ob+TFgIarvv+A9v7GWnT6N041hG4IOkcy4A/mrL MMIHAuxRUhgV/1IYuXs2klpFkdTGVf0W174EocgO02M/n+jiw8k7Fo1/2rHJohz+1SUUpAHooT5k CvUGDj9XjmCKip5XEA8/xovPkLbugeTo3ffdKiqyDOlGrm34BEPPjz6Hf1ry1tX19eu86yVljfVM HQhbrR9FV5spj7aSbt+nJEsEu1/8kxgLAlhOxiYzmrXByGESJyq5+V88WSuSDQplbmRzdHJlYW0N CmVuZG9iag0KMjQgMCBvYmoNCjw8L1R5cGUvUGFnZS9QYXJlbnQgMiAwIFIvUmVzb3VyY2VzPDwv Rm9udDw8L0YxIDUgMCBSL0YyIDkgMCBSL0YzIDExIDAgUj4+L0V4dEdTdGF0ZTw8L0dTNyA3IDAg Ui9HUzggOCAwIFI+Pi9Qcm9jU2V0Wy9QREYvVGV4dC9JbWFnZUIvSW1hZ2VDL0ltYWdlSV0gPj4v TWVkaWFCb3hbIDAgMCA2MTIgNzkyXSAvQ29udGVudHMgMjUgMCBSL0dyb3VwPDwvVHlwZS9Hcm91 cC9TL1RyYW5zcGFyZW5jeS9DUy9EZXZpY2VSR0I+Pi9UYWJzL1MvU3RydWN0UGFyZW50cyAzPj4N CmVuZG9iag0KMjUgMCBvYmoNCjw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggNzY0OD4+DQpz dHJlYW0NCnicpT3bcty4le+u8j/0Y3eNRBM3XmptVcmynclmksxmVNnZGueBblFWr+WWp5saj6vy n/sredxzAUCAJNi0U3ORmg0CBwfnfoGeXR663W2z7VbPnz+77Lpme9ferH55dv3w6R/Prr98ap/9 2Lzf7Ztu97B/9tPjuw4ffd82N+3h4mL18tXV6uX10yfP3oiVEFmuV9e3T5+IVQ7/iJXRq1KbrKhW 
VuBB4AHgfuA+4F7gHuBu4C7gTuAOYAtwO3AbcCtwC3AzcBNwI3ADcD1wHXAtcA1wNfB74HfAZuAq 4EpgE3AFcDnQBFwGbAQuBTYAl7D64es59j/H/ufY/xz7n2P/c+x/jv3Psf859j/H/ufY/xz7n2P/ c+x/jv3Psf859j/H/ueNAM4AjjOA4wzgOAM4zgCOM4DjDOA4AzjOAI4zgOMM4DgDOM4AjjOA4wzg OAM4zgCOM4DjDOA4AzjOAI4zgOMM4DgDOM4AjjOA4wzgOAM4zgCOM4DjDOA4Azj2P8f+59j/HHuf Y+9z7H2Ovc+x9zn2Psfe59j7HHufY+//1ufwv3mq+q0H8G+e4qdPY8xwG2NtV5/yN90T2blsEVuP zwa2iV3NnmIfshnsIqgb2RZ2L3uABdnT7CX2/q/8m/hfTG0r9POZRd3FIlgMY+1H2w+13Qu06KM6 WK5GLkbnPWlpt7cfPs12uO3qdntbS0Q0M2ltrcpbsH7HW9uP4v2KfHt/kVcuhbZpLb4x3Na2ve2+ 03xQyiazKWwqq2Y1rBbzF3+VPgeemcvmsfnsPC13Hspm4ToTuemohbNE0ydrLWALgUa2mC1hS/FZ CL0onBNl52v5JWwZPsu171msYqvZmvB1mWZZjZKVWn45sJatw5O5gF2oKclkuYhdzC7BU7uUbWSX /WLushOqiV3OrsBzvpJd9S/1plNym/H5Hfs91sM17Fp2HbsB6+Jmdstp1us1+03sNnY71owouxaW 2zUlSh9nz7Od7GG2nT2q+bIOXiOPSL/M1Hy4ED5YjRle1GHE5L9lJ7y1FnMXc2sKz3Q57Bd2aLE0 7EdR8yLUpF7oOYhe1pzmic2YA+mTM6Lctdr8T1o7euWXrNIft3TwzM1aTqjTrf9KX8duxQ68A1fh VaHuhCZ1u6Y72m87UXeLlr+L3c3uwbO4T1OSyXIv9H3sfuztB9lWtg2fk7qjIn6YPaQ9uSBrZiG2 gz2CJ/ko28VaNPsvlZ3JviNsD52w7GaPsT1YIU+yvThpnsFHWp6A7amwdZ9mo/wz7FnkRS3KPc9e wAn1MnuFvcreYM8h97p2fRG5/ewt9jZ7n1uh3mRf49rK9us/Z1FsOGP6x+DnW9g0fPQ4lRapb+EU UZmBDWTj2Hg25XFmxes+lg3iO3e6CguNPQxP4lWuMC+CASPjvMBv0ynWXYmJ+b5d/SI2qY7RLbzH I/mGTQhz81s/bn09p/XjQ9EDcw7xnI8OfHzA/s3rjoE5uQfeOdC7F3ekOjQ4oxSDwRnhS+up9MvM 6J+b22eY0q9vhi8tStFsffsPGKbm9klRVKe0DFNEnqtvHZ+sTmiNUNb68ifl6lMSbU5rhF5Jio/u MSTdXj4lfUjPZINqiFD1RkPXASPSSuYVpX1gcCS7YpOjjcbo5FhXssPQ+qE+6ui3+qhjBbp5x65R IwZPze+i3mAyKrqIiJaU+ITug1NHT7LF2HXmGLsj1miIdli6Fk5t3eBKEn0kuVzUV+s4uMXXflS3 Vu/Uvv10627Wpf2rRyx2PtbXEhYZLe1HHjFDmKUwQfgThUq3i6tVu1q0q78rTxfF2WY+rosvI/17 i9kSn5bsM1l5rM7CLHaLst33lO8Nn+qz+CzRyWXRAX2A5efnRw8cmJNTXe2IG+iAdOTaD/Vx5MLj WdX0KmRZWemxsRGayzPVVDVK9aVlZPQfwMnPcQafmqpbYuT2dI8nPSZSt6D1i3NVU4wvKTndxo08 pLMmZKZ4uydG6VbxT/gzQ2PdUTrVYInkg9teirRG6vRR7lhdyBxlVFWjzbypdZX4fuY28TUxrK4U lsXy2Iv+RE+8nY/z2G3iYsUl3oKLF3MV/0fs75ro8qPc5Ue5y2XOFpWzReVsUTlbVM4WlbMfw++E 
rH3vTmiWkQtP70BN8JEdtjBbNf5xh0Xjr3aYBSt2v3WLea9ZMSdmft+7t6GL9q/SpX1buLnZUMHy D+Vr63Ygz6k+oDmtzztZJGDOyhpIGk51Rul8qWkZ/Rx9++emwnsusZ5TVN63p+LzOcRijjkpddyT N6Hu/NFtD8d16xbHMxZfU9cnNmt4935Ti7q2tSbmTR4T2ldQ1j9hfPrIuaWvHx1cWZDBFw2dVTas u8uTqbsw05NdsXJcz4qRedGmfmXnKTxnbL+ktmrf4AmtHw2qHOJpy0saUMY4q20/orPoU7CLZ+xI YoOzwl7JCnsFfFB4BXxYeCUr7JWsJ/E7dhSL5zkslWXw7FBMuW4P7876sV68Z3PkJGzpdw4J8Bya vv29fb17pTujIjpsywhXeJuKDexypihi3mJZ6SyK3uj0T181eu0rV40rv+7NdXnnTi52G/Wqzmg2 RvWZcP6ESZvqB/Sr2zxl3KLSvjaDKULdZY+PjnJ2y3RX3P3NrXcc3z7V5e3ujopJjHYmxURm5mQW bXh69aon1g3PyMmIcKRgB4pVdhVWWTTzsGX+5PxUHiNWToxYOTFOzDkmGhOOicdsY/aIlcMSyTeJ Yd8khldMYnjFJIZ9k7gHv/dHwjeWUFSpu4VnNOtplUhfvCNXRLU40U5ZEoYOC+CqSfccubftsPb4 0+//6tbSnX0XPLhhe/PqBxsHKjfdf+yeMnrQ59z11Y1zdl485rhj2PqnxTdhMTN1NWaWzZY2J2aG n2hmeNSZ4VFnhkedGR51Zovi8EdGxnhjvBh8Ygs3+q3rM/jeDL4/g2dkRCSI/6CxlmaCmiNOrPrq 8xsxrRztGLGHV7/2nJWfrXRfquM0qa7WmazG1qvFDJWZRqtRr8elLYKHjDgadJHQ4xVutJp0I6Pd 0UaarTHa7Yx2O4xt50bak2KiE+2Gtt5Gh1ubd/tRtQLzzmRTmw0x4XnHhOcdE553THjeMeF5x2De O63JLCXZgKntiIlJiGjhXXeklSaIAzL8RsrZ5xh4Ynb8Z5ORbxs5XbUCEzO0wXsGDF7TfqPTmxif 5jRiqsWadV9MEmYxymB3u2LcjsjWvxisBr0eF93DYpbJYkZT2g/rluu9LJ/d6U9OSrLFixUaL1Zo vDjb4k0WoTCLePH0rOypTO7N9GfWZKqZtvD8beH528I72Rbeybbw/G3ir8Nz+vK+8S3c9Eha2sCc YXu4Ce94E+8WGljubOHZzTmTxPPGbnaQO8Ln3DvV1ftOHHRhv5yym/sPcIhVIHa75i2HOAFP7n+d brnOaDFY8qZdNHnug0vzi1Y+0DBkVb+2dxwOXSTeETebY6NN0YOmzqjvfd3BuyZVP3Bo85gLG4oS TbppMckxxoyeGeObnlyweu/FhcnJfEVaF7jRaLQnRbfFJGYkp8Vbqrcdueamo8HaRF+3xDRaH7qJ eOfmsJZH8ntznyXsIkvYRZbwErGEl4gl7CKLcG5SXBez8L5ZeN8svG8W3jeL88Es3hFxzO/Ci8Uf Iy52Bx/L/ChnceI/LVAg+FGUxXUvwwsk22/ba+H7Ldxy6tsYG+pQPsdb4x3h1vCSO7mxqtNPLLWO q45OTRdsUuomGp2p8Ylep7F1B1SCWHlGZ1p8QqrTqIzT1iJUIryPJWcxKsNan5Fa94FUrUeVCKnD +4tXwn8uNnFXftyEuO1xKgu7kIVdyMIuZGEXsrAL2WM4E03te3fBEyZ7mTZdTPPEQZj+s8nwSjnu SFdqXELH0Z4coRiVof0w/xyj6soqd+P1fvbDScZwHHxccpSvLHIP74Nfk+Px7tKH313Y9Fkd3txi dBEynNTizpMj/TypcEFZ0oCeaWaDXlHxhjIm+Hp60np57TSFmEhePG795N6RNofF4kiIjkUsaYu2 
OXqWDldvE/MRuyB8fv2EmeSyGX5Hb7Gte4nVlSNUqinsaVN4aqbw1EzhqZnCUzOJxWpxZZalmuzu MvvJOC9fvn6wjnAlj2dkZPIzLKRweOdyRhg4j41VfzI409y+7FhDW5fTVxN/OcIel5qY6I0xWKPb yvnrDkOSOMoj7Cbl0tYVJw61k6vqaSU/0mLQ6WGwJsa1trfelBgTfmuVYPaJbNRu5qLJusKTdYUn 6wpP1hWerEt8Y4NF2spcLTwr/FriOa/J59bhPXRii4jjuQTvlsjWfXHdTkxivwhGS5zumEi8ZR6W Qz12R6QjKbzyI7LwZhnCtvntNcMWDlOsvXrF5eSYesbHJ7acZVggHkxKl94Wi0mcIyZxjpjEOWIS 54hJPGmTWJaIUP0JYo126V9qjo+z5sT37hnh6VrqCchjIj8a4XouJirjTMTs9hPKMXBoTm6uiOI7 7CofF5E7YnjuO+VtpQXxPFc8b80/EVlGpychLjXGqLTlqmZXstOV4jQrbSM5zoyEeDzkbPdsb68u 8ZF8mZ5vMCd6MhLm29wxlpObc9axawwmg6pDUIZfk248Yb+3exdLYlf38XPUe1O6J5gjY5Jd4TN5 rd7BhrJLdmTabM6wMzW2hdmq8RHhTGfYmU7NmSmmnj37CGf2ibeJCyr2sVuEQpU+ooqdpeSVmXra MnUJ4o0uVojmPuG8n/kuJze8ZMhT2Bu+2FjXGfyVosblZnRYVbq1VleidUBips/napvtHZ6kKIox xhMf74k2ZieWJWd6kh18UHL/Pv9B2ZfAx1Gdedars7urj6rq+74vtfqQunW0ri7dap2Wbxu3fNsx GB/YxoAdMNg4IcAQjpAxYRI2yUAuDuNLtsPg+a0zJDNrlsxyJLOBhZnJQsh6ZpLscqu171VVt1qy mCQyUlW/lrrf+97/u/7f95oGG4ABjdFrt/gE1aAJ5oWsuzGKv53/YvvQo8Of/aGqLT+IBTTWuHfm p7nNG0rpiR9O4H8DsyYYE0FDgU7izl4l36P80GRFscOiw4RkYEKAMqHA1YQCV5NNFlNWVPuwDHYE 5lUeRbgeBakeJSTwKCGBRxGu5yIM7jWYHQYAhmVBpFnUyvkBbGmBZawm2lL8WhPNk+8NP/zWIw+9 dm/f8CNvPfLAq/f3n4le95d79vzl+nhk7ddv2vvYVAx/9K8+O7l+1ZMfPHHik2fXr/zrP3x/1wv3 ji+/7+L2my7dO7b8gR+jWB1axpeg/rmwOHbLyRCtLIRWFkIrKkcrKkcrC6ERBKy8G4nHjcTj5rQ6 MOpG2aAbtR5jfBhGPadoWguXyZ4yT2prgj4ZINz8uC+4MNgja0J24iXx4NO3PKw2+u3IqtQ5gLlu bMeNo/Ez7atK9d/6xvj2gRDx8MbHd3WUU1W9gFvNWAvrbl01cX1OP/NxbHCzvMPd1JfgDkexduwv RLfGL8TQKmJoFTG0yTG0yTG0yTG4ElGD+VwZ1xEX4WpUhNOoCKdR2eVGZZcbFeE0ovOBgl+jS06D +GnrsjDZgrZah7b61StICPm5/a7GefmGDKVIIErXJnNKNkuBBQiAq9BoadOa/ce6Gh7dXEHCvf/j gSFjvKuuuGsoZlKVf7QQFDdZvTztL6zt8NSvfPLDJx77GCHj9381+cixPcmO3oDBGMTf3vXje8eX 3X/hCze9eB+EyQuYjBOShThpxvqwB0UPl+JbVHCpLUhqLdLetyAptiCxtcD1n4sj5iBe4JGs4B2v yIxXAMUrgOIVmfGokduV4mB2dHaPCETR2glxc8Y/aVVMs5QTXa0KroYJyCu2RSJSUsQ1QLJYPYRC CFiNFgvIRaKRSCUVZGlTyOPwm1jyoDnZtbx9XwViMDU0NnQ7RvaNR4M96/K+XDJm2q9XlWf6ltgL 
2Qe/17e5xwtNMwwx1NAwNuRWFYIzv6xCDyYaFKFrXbm7t3v7RJtJn+gYbyj/S8hN3D26w8rQ5VF/ +xJoowdnrxKbIRaL2Lvnse7Z904bODDarYioWxFdt2KhuxVRdU/j9WKiUTSawGijCOOsUGOoUeu0 ob91Irfn5Dj0A/6JE22H8wLegHzfKacUpl06ZVeuJvl61oBCam3qIohiLTA5iYgs72sBLSKrBaM8 6iLSoLsWvoW3dMBM7ky3k4ovs0BsK9YLbsFVHuWpiUSJu8ohBZ+LsQX5iQVmjZwX8OWqAeBC4oIm Nvce/C+l7t2r2q0sDOZU+uySvcOtpd5Q49Idu76wNNu+48HliVVjHUaaxAmaZdh0X6mteUnO0bjs +l3XL8uCG677i82NFl/AFvZa3AITiAU9LUuyLePtDdmu5XsnJu9YmTTYvUaWtxkFl1HtCrrdmZ5w 83hHY7Zz2V64RwZoId+AyA9gW8/ZRJQb8khqp1Hw+yebSxR+8LOXziDk0wJKg92KRWyEwfrvJOH8 JMFdTlST4Ll0pGIJpADrDSl5f6QSK8I7JbknjkmpvZT7fvrNKhA3qXiX0SjToyje+gH0b7fCWDCB nRDdG5LAh7TWh7TYh6DjQxGTD6EGndQV+drMCyINsygLtigLtigLtigLtigLtlzAOZSVoPwMtfOJ avgSmshSbqlzDjdSOqbYwcQcRErg2rDZtDA1IG/tPzJ94Ibnbu+T03+jqn7ZgeLIgcmEJBo/zAze uvn8kZ6uW88eJIIVcXz2+7XH1yTrV9+1irDWZjoBaN2+AKUSwnaJ7hAybLEQcKBrxAFiVhDRgXo7 qLcB+7SipNINMnu2ygi6EQU0ZLfZbZGwd6mNEuR8TMgXeAHIioBWiJVKoFQqJUqJsBQ8kigkam6u CRkbLRaawc+RenvUbfHbeC1DlNeogBALuPyCmgT7ANhBqKDp8oZ0hMqDaF4A435WRT4vEcEqnebT F8kCGkdEMFpjJ4y034Zr7MC2n4p0AOisPhJ7kWKHIQRV6CaWBmFOGgmDgA3dxAPA5kM3yQaQzIBk CCSDoGVp3dJghiVq02sY9xXgzsEvRHAr/8LVyJio3C1c5vwFU0dJzhX3eBMuPVn+Hf4JoXfEff56 l4Eo/4AGfMTnDRkZHAQBMBFqU9jj8pvUBIjjwE3QxqDbE+QAFdHzKJrj9cTPP0tX7skfWh1IKnr2 08tkG2tAiaGB/fTvyHYNvKf0DiuSUAZq+gcSi5ER3fE0iKdAxAYiVhC1gBgG4kuDLO9eytckflBb S9LXHJUPQJXJr1ltdYmA+FcdJcQDvpCZJctvl9+ktOaQxx8xUDqwsfysluGggYpYNDSwABOlMQbc 3ihPasvPdVkcBgqmwGqcmJmBwSpBGRwWfBlesDgNJMFAo+AC/6rSMdJ+z/wErccjxXYmrA5b8+fl 71qouFaJpbkkahFtE17qpIWltIJlUGvP5wzV3HKhl7Vmm5tbjFUkF+V80KwqP8RShqjfE7aw1Cl7 owO3NthPE6wx4AjFOYoFH5arygrexP8JbRvJ6DTl+5r2t+f3toCbNXoGbZgFxiTroPcsEH8Ps3oR e070GXq8PekeglVbc1q4ohyyZzlkynIc0s/cNPhQ1GPRqAEDWgxZPKxN8axtSi7UpgihraLTbdO4 SjTx1p9gOS6Ht1/KASwHcrlUd900cIqGVwIgECDd76eGO3+lHSOxdIW7lei80t6pUiWwv5yYKuUV HrcRBixTMINEgIG5TlNNsJdtUmI8ZYSUbB0jO0MLov2IAudyOrz69gcnB/dNJrv2f2/HYUvDeL5z Y7FBq4KJDOPsWbktt/HLyyPfvb9vS493zZLu3Z02rRZG4tq1hYHwwLbu0T3D4YHckianO+hWcXaD 
3e0Iuo31K25fftmaLMQHlvX0QemegNJ9jdoL0QMzyDPQWGv8zQpYmhXwNCvyQo8leTVPg49EpzmB IuiED1U3kPwTyMckOKnogWtENWbWNDf5SSozDaizkWHnADeah7cnqTHJK0ARWvPVLHJOZlW/EDVf 6yBkY1JJkhjeYpHShteym79aShQHBqIqwWmGaSHNGH02O8wRYyNDQ7FN966KPWPOrRR9XWJ/tO9w b9fqFjt498DFYwN8pC2+C0IRwk+rolpVMpmkmvl1vDXIjR997kD/XVs6hbqexvKJZas6Nh+C+rYW SsxH/Axrwu456ZIiLFnh3lYU7b3TSMEWKRv82/xywez7chkBZ0VdWg/09ne9okY35A1NA/y0cZj4 bQOKP9S6oYb6aUCfVI8hXi1xVfpRpZAvVwsGCwpDtBxe0bVlIcKHU4y9Y2R1euOjW5u6955Yk5js a7KpaVzQGaIdK9oO3uEXSx35lYWEFlEQ3+btvM4edgvioVMH7n7xtnbOEbDpjTYh6vXH/OeeWXV0 dSKUCKqMbpQ7bIByeZy6EYtgeexe0VtoB6wzj7Qzj6KNPIpW8wgdeQSW/EXwMYZhaVlqaUVYaUVY aUVj04qw0ghQGqN/gM1HnaS+Dh1dsQ1DVSdP6ceoURRgSXAqLKgQSXiqkji1KgjThSqqiEikNuFq IR5neJcJFZ0HT1y3+b5VscZND66fOCoyJi/ClPrJ3i/2FSCCIKK6/Z3iQNReAdDBsZVjR09u2n/x 2GB/L85W2IiZfoidTYfFvru2Qiz1NiBplaC0TkCrlsBy2DNiXbq50Ly7mTAibTL6ULnF6K9HsX09 kpZciJXsG8TCx2f6Et9N4KjEeAZpW45UwEcqGJMes9JVNnAkkp/fX//SEfKrJH6JBK+QgCRd6V9F hm3vb9Dv0eN69fsuCWCl2rqUrJRvJmSwSdVYSUHpoL8GVub54MPN0WZJoAxxImqfed4zsGdS3FJM axmWJnCCYZtX7hV3P3VTW8feJzZf/7UNySeJWw92rusK4Dge9Y/csjJldpgZvV3QGQ1a1m4zdt02 fdv+83f29+37xmrjXY+kRre2IL8Xnv0EP07dAiOdLc9bOKSAkuI5FavlrFgrp2LOnAqYnOiQbqYu PD37iiigOkNYc7V50BG5mhnyjXJDUhbaiLiaxOXs72Qdy15eUJ0xK+xubRYaVCo12Up1Bj8OYzWa MXviznDOp/8Z9OqUYPiZCpomm8+ouoPjkKm5Izh043CwJ6SFMZzBaNVTalZty062bWJ4hzHk++y3 KNxDZVvC7AsZHTxTmvrSyrjOoDU6Ua2/qfwwcQ/xU6wLG8fWY6+IZiE5iLRsUAWXPOjjjGB0MFuA USASQUHRL3h9+yx6qsBMwFtRZxDA6ISTNGSILMMg9HCSvC6JOniTzDJOJ5NNkkjGYg4JeTV6i9U+ Dv7Z6rqwyMJr2JBhiNbhf9Iue89s3tBK/KZjqM7X88vW4et+6ZtQyp0FuQD2umz6E9krSLhWGDCj kJmHg9yVBPwvUfmBpA5lbLHIriASpaE9s1iVTL+CuRboXnPN0k9Zs/2NKP2vulPUFhCJRvWE8oi4 x2i4M+hqLB0Zb9nsFKzdzb/t3bM0lbvhyb03nthUz/kbfA3pxrA3lFt352h80As4ni+Xt5Yyg2nr 1usahtLWZesnf+OL29THbh7Z2uUk9ge9oVXp8VuW1bstQsoTTOEa3N+5pr1rz4qGsLgm5+9qzdrt o/WdGyLhUs/YbcuTapW//Lt1232txdiabd6WoZmptgKusifjMXN3rzvThfB9AsZ1T0DP3IjderqQ A3VzBVcF2DWVWKUyC92y1SOX1aQCm1Rbk8wGi57TyBU1T52dgx7lXHI4NGAflcynRLxUKzayM87P 
LytJ3oRZpNYhR4Nm4gmVIPtcW6qY6TrcBx9KhHfFFQ9+tbj20KjfXsEzbhib6gutXjFzb2Wk1v+O FDu33bMRWcq7Zz8Bk1QaM2N+7L5zheBEcHeQsCix3LyM1Chd316QucqZ6kV8L+bCzJ9XBlFEaoZi Oqvxok4YdFz1tJ0rSvJ5/WpCsYaKZ1m85mZEbheBEaIQdC0UgLG+vS2BvqsiII5Vqlcg01YXz8Nv uOLZ18oPgy1wxSEsgx0/NdGIepOkYAFef4/mHa4YdtS0hBYQRp/ckdBiyu/VhPvyuqpxP7R9osZu xxpTaI0puMZTMW/RBD3pSUrSUrhSPputxLPyauFaqXmEjmV+lj5v2ZMeccugL2mD6SvBqBk6aPWn PfqK0UMyqEu0t9cZthxanlBpdLygQz0IlCk5VCR+eK04ZD04DPUgh31N1BaaQbwBNIgCGIPh0SvS 4hoU99eAVq+VrpL7a7iIR7EATHNkGXx+dRqqhsOSTGJIJLKKWAIsFSu6BviKekhkLgy2YHQv+YTG tysoqMLgTyoEHlbBHMgZtBno8rGF+ADLVYId5k8Bs1pnKF8Au3SsRD3CtE8Nfl/WXasmn/0jzJR0 agI6VbXWxpUvlMO8WbEdoAvKzIyJUqV5t1RpXjwVnMMI+Oi0hhuQVqwAYPHK8jXItl87NWUW1Csw xlmCvS86BVSFlbqBIhL7EJWohz1LwcC1HSUyI1rTefJ+1b55PBZUcfE0ylU/qf4nlf4kM6eB+D63 BHFYS7qubdCRX/aaRp6L4CNoZDlAPz8yDINvWtR1D3cNJFuLyVF7zf7XFnDyCi/N5ytFbmQtpWOL /5nJ/DwbalYyagUs1CuyKTWqTPV9qfy+fqQ9Vr+RsdT3pvL7q5aVFlxWi5tjRh8otq7py3DJyZHB 0Kqbi945GxvML7Cx144Qx2BgQhBqVnVwxYQj3R1r6KszQuM7WvFBcAcbsUdEg7yD6Ifijhbu0uf0 B6Fk0cNyXMUrSQ0gNb0f4KNzimNCbknUJIfr7KFiRfQoapjrJeDmSftPcE/mP+aeqkL8+tgfcU/z BAUFtAF5J5QNvgUlhCqJ3xNdhTiICSDOIy4xogURFYgwoE5irxapHr69aPUQBeuetAZoasqSvvll yQu4BnH95wzY2B64TXZ0Xt8wHISZo5JeowxREVm6WmwsVb7+WNWReKtt39M37f7rXc35fT/aB68t zzi7rp8o7ujzOwvXTwxd3+cDv951/vhIz+2nb4LXYXg9XLxrUz63/q6x4bs25nNTd8HYdO3sWuKf ybVYHGvBerF9Z1PZ9h6yTkQMjcHM9ba6SY9BlUmHyZAafWaGwVx3EXwIs0IP2CZ6QhEHxZOYOdOb biWz7e+quLCbpPyO4ex7WrTGy1cLl2HEeJWXWARr/tV3uHe4V9+ROnFhIIluKkF7JMpILExLS4qo xIgtCBcWhvEQaPFRoDAJlVTQYiX+uW3/0/sSo64+JhqoN7PL070JU37/0/vDo4FuVSiYMmsnk731 5u+qzT5b+TVTzjG8czDwginnQtdIRhYQq7mfY03WZ7xrdh7q3j19fFijucegNVl/6F658/BYbLzY aZt5UM3kNhwHTzOqpg3Hlyx7KINwdaL8CPEaxBXiZY4gXsbfvEjHimy551pXUABolikZiZyRqkUy O7MoJ1PkJj6Xk1mMkllEvz6fknloKtbXLYZqFM1kdgpMfHRsMrnpK4iSyUqUzEC077berjUtDvCb m398dJAL5ILlroofIX8D9Y1AjOitdV1x8+ixZw/037mlwxjvbSg/tmx1x5bDEvcApfW4Iq3johOK y8smkLFJaLQVekpyEAnEO9RhWVnlanqX31d6lys9zZXeZY2oMYeLbGfCS3IpxDs4hlsR78CNoXhp 
cd5hnsyaeJkVr+iatenzeQc1MlFeExMfHipGkYgaNz+4PjbQP1iH2t9NLp65hnson65IClyJ54OG Cv/Ah9vjN1ZEV/5/MgEhk1m9DbJlx5+SWNXNp/c0gYhBAdVcW6MCLoOCOgMCl1BTJEIowxwQc2FR nRiOGMy+onkUU1ylFCwlqnlEbfK8mJGWQETjT+G0WqWyukNme6apLbjQRIe72/JunT/k1pIEIDZZ PLxarVaZUqMtM89da6SPNvdFDYRKo1Hrpe7Wydmr+MtwxUXsZVGbHimMTIzcMfLsCFVTiP1AKcBK oOhG1J5xQYFWKsyCX4leuRor1WERxJRiLKIXkL12XgAfSI1IGhRSakVWodkj8PUK2me1uDb1Zovm t/wSfgO/hyfkouv/RBXXYct7sjJWy61KsbWEymc1xda5POTPLbbiL2en7hrPrOrPWDQkKqYmCitb 6/oanVFxyYpJMRpfemhpaKgtbmYIGFlqaHWguZiuE+PmmLh0xTIxCvT9O+F+W+2mkNcIY3enzykE m8ORXMwbSHSt7GjaWKzXCmZOa7BwvJ1jLHaLMZhxRZtivkBdx3K0F/7Zf8dvJJ/G2rB1p+MYH0wq Mk8qe5FU9iKpKGRSQWUSgVBr1SWvBofcuqvWoQaUuTCyy7uCYJdVmL8rl2ValFycnJlP4VgqVBZ+ o4rzxVPWgS2i+3aDgCquX6wEue8i3l0wvNsyaA25TCpKTZHXuQOcXk2HR/aN43qZnXm90mb0uszf lDWl9WqNmtLb0LofQRwp8WMYTz0kemEUxUYRgqIIQVFUh4xKRirKSeEq+PisrGleRSpeRSrw+pGk m+jmlHSMQ1FWr4JRL8rz1MZkMcpS9iIMaqk5orS2lbEKqUWJ0gWF2eaWOcr0cUZwm61unh57VAqb GJOc31nTQ5muQ/2MyQs1V1BXo6mDK8Y7tt+zCQ9UtHPm/06s7w2vXoEfqIwoFVriEJRPPfYv57Hg LPRmKEnwSnXLsBd45BsPsCjrNCtX01zqIF2Far/J7H+ILahZBUZkPIhyIEaBQAwOdAZAKAD86Lbg ByE/8EmjPhDygagB3OwHfkQQqnnzkN8HtdaP6r5qCEU/YmfRI7QTfvT6WtReGiv6WUeRHZ2rnSXQ 6Z+SFHUl5P+kKqIsd1Q5TUjnsaqNhTUuwmiVi2oenDgEcAIvXyF1jpjHE7PryfLLJIVa4KzuoFFN lkniU1xj9DutHp4hvkWqNVrms++jgjCp0muIVVpBTcB8Goc/1DMOrRb/32qtisBVLJJ2E8zPjkFp 92NvnccGoXnqhEtrRcRhvBW0oGs4BSJ+EPGBiBdEPCDiBlEXiJEgToC2dtDeBtqToAP9n4XMYIxT qBd0FTUQrpwPvgJnUIbRVSozGtCwobso/R4SZoGb4HZzd3AkJwqWIS5bDBfbvloP6tFz9chqckbL 0Pb6g/V4Pxy1jqqRkF9DkixdLhSuQEnK8p4ru8uFd/lLFjRdlTMRZWrq1IuIvOaWOkZS5Q8JnTXm 8dbZtcQLOP4soXPEPd4ofFT+mCJhZmZ1BQQV8UscfwlXCxD2XkGFv4GD13G10e+wudG2MCbD3Kbg 96vVM/vmtshgYtQs3CGY5c841Gq4QzpoeFGjr63yCFdp0H7FoXaMwP1KY8fPYw1QMDyqjSC7kUIW oz0FbBCPZ1Et1Aasim2wVIYsQI3QWodyfvQ3HRhoDYJmFrA+lJqhXWHZhky8iOrfRb6afsldDelq RwMCr4zfRNhiqhxtIxaphxuNc/XwXpUx6vUEzSz5izdI1hxwucM8UANb+UMVMEZ97qBJQ155hdTw Xqc7LODq8sf1eqOWIhiWAVvL34AXgtIa9eAceEpv1JEErWHKJ8EEjTplWZOhPIWsB4wCD0P5hLCl 
5zEnXGsT0nwniDuBTSIebCCib9bjUTVwIJfc5gD2ViQ4O/AW7RpjUTNCTmAjSsKPOh0SstIi5fUT 8lJbjKjnO5KrdjgYpYTCYmLw7C10Q6PDx+P0YTVHlF9UcSGPJ2BSUwAQH9F8wOcK8XT5DMdTWpMe 5ElBQ6wz2/QUoTLoZlL460aWgn5CgCtZA4PaN4hzWAJrP49xcCUW1HESkTrw0vD5nLpPjavDPEz4 TtmHDFEp8YMTR4WLRhgrXCmhHvVq+7bEkoN5R0mkVjmAbvE3aJVeNfO62YnwCO4v38EZUX83TrK8 lkFj5QPgSZVOTQ8YnTzj8gf0Foudw6/3hwX4mNZbeJ/eZnVwM48yXPUc0Tilxxzofx/C4PzzGE+j s0GV9lAYHL5zbQdU5ezPuNT7VF8571PnwDuknqeXpJ6nb9T2fapQdzkONLMfgF9RU5gZZpr6M1TY OcYNwPd58+Wa/loiUiUrFxxtfYFBR0tdAsMDlTnocgbNKr3aHvN641D/bHGvN2ZXgwOVKJu4oBW0 FK3ltZ/m/QknyzoTfn/SzrL2JFx5XfktsA97G3NimudZqwvjXr0ity0yjGxzWozV991H6638PZTO aDfyVg0g72ZtIYc9ZGUf8OZSSfvLjEYlmQFgPOL0cTTN+VCmM1T+X+B+4muYEVoB/8mQ6SI+gUXg E4fOaLyJDGXA0lfgm0L//uo7f3dtezG/+FTuR+v1xdB6Yz60Xlpn5b9M6QS7IE3tqNYastvg1Aif rx6tud4XSKJrcmZMmux/U2kYEmUagK9OFscuzn6ozDWKOU9ipmn80DmNJ2gfpQxDWOFK4QoK1xoX n+W8LbpmfgsfXzuvmF8egJsD3Z4jiXD5dTifXXB3WMx6EjX1XTqLmvfUBDR0cCqJv0VbVcNk70p3 daTQ942D6VQ//Eb1tkdnPyT/A3sLvQYWxOpexGz4YcyDafFDmAC34fA52m9WOw3oNbPZK41QGd9B /+a/NPU592BHuqMthb7Bf02hu3boXy9XxnYOpFN9i3wj3BEHwD7qFog7NcTdIFyPLNU/B3ZUxJtN J20vM1rJ/aiB8Q6HT6BpQcLdl4mDREp6hxZMd5oOWBrhu8AFwveZV4tTDpAzi4xKNvJJ1hq02QIW FkKM+xKlhRDjLBpAla2LPAG9BTl4uzILhycLkXZFQhpUi/LVz3kCzTZBHMR/Xp0tG7Vmq7OtSiUS yc2JhVpUWPjP0WS+TOoEG5oMcUxjDdqtQQtbfqzmCTh9UnoGzZ6KeuFsbFdULFIIKEUeSpGnad7n +Lwn4P6B8ruEhvobaMFUJzkKS6cbMlZlMkoFgfkeqTO5zXa/QNJ4idQZPWaYlJDU73QGFcnojDr6 kM6ghus36TAAvlJ+GA9Tj8HXUz/PIaKi5njhXFiPhxnBY7V4BAZeLVZ4LZ+q2Dn6p9WDVXB+/eA0 nsI7MQOmP40x7FUSQw3+Sn3WL8NX8iUpgS9PCfALfBsabQp8HPV4IxEPzTswAK30VRLHb4evAl0C w54HLuzzXojEjcbPCkZBMBJ/qzaoKbw5EgxGwkG1fFL17vJT4A/UvVADA6KZQMEPgdJuQnKQhNnL 3g2XDK2L3LxGwzxPsFZ792QSUAEq+Pf1pfXXUUDvtgsOo5ZoXtrq8uaXZoGac1msLg6nNv2svOb1 N8pr/0HLsxROq6htP//Fm3v3/uqX/7idpGkYiHBoRrfBGb0LZ+THsucxQc5KBCWrRdczaGaC1IjN SryJPMNEY7VfmqlEUM1CUw6PKv7KahHAu67WyWZCa3QIDrcOUOumpqZInHNZzdAh4tsP4Pa9b/7i 59soFY1T0GX/PXjqjdfBUz9Tcxo4O5q8Up6A83uxfAl3UgcxL/SQ9p8aHC8hyaevVgRfgYW/mhRL 
+Hca9LOY1iKwrGDRAoyG2ZxB/53voGv5M78T+nsTnUBRAc1ZeZ/rkw7aIPVYri1fAmeVd+N+aje8 RCvvRsnHg5RkfC4tl+pKZ1nBqp3VG6AjYb7zHfk6q7UK7CcmJ8c4/bzVQFOXXT7eytEM7zQiTb+X 2IY/Rh2o+H5nZJCDql64UutWiArNvWDEYsaPwokLgs1AWzUmv9XmN6lB+UvzxjIR4niVYvvvlbty w/wxjoNQxmb/jfJSw9hy7AvSZ8KkRU1xX85zi30tY9g1DYgz42PxuCE/DegzfWNb/o9hoHIKXCIR GzJGBMsKRV39eANrF9E0x1rIYzAZl5oi5DxG7i4GJqmCVOktJCq0YoqAvwB2esTtxVg+zNWVHvrC 6jtXJCLLj5YCS1ZdVw8zdy3Dee0WrwlmLA2eZG/aq9EILEST1ucwZcQV+brSjn29hb0bRptgAmjw Jr3FzR1Oc2qgoamYtuwP9m3rjY8Pis7c9g1rwo29caH8DljRsrm0qr559Wh/sGvvqmxkYHNn+6Z1 1zXG16xdFXP2jy2JhzQwqsMZg87eunP7VCyU8Whxlc1u9xg0Kn2wIxVoi1st8a6JTQTubO0cSMT7 RTHkborbnMmOmVhuZSHIu+PW5MZNG1O+QkEk7oZouGH2KvEC5cNy2BB24jw2DHMkqwEf2zAMEgcK YFsB9BZArgBCBVCYxntFk9bl0t7WBK5vAiNNoK0JJJpAE3zi7B4MILOMUle5i/a9c/BlsIwWaKdn PxE18IG2bTaToSLTAHveuKZvGphPUuurn2UBFbv0KsySSu9IOaiAmkKlO3QGOVFD2JELCTpmAZ9e qci8kNv55N7Jw+s6w5yQmjj45K7wqFivZ0gcMKyajTSPZUvHV8QJR/fYyoYdX10TecbavLYnPNxf cPgLUwVxqssNvrPiW7cWY8M7v/LdqWU/+Oa92zvUBoHVGYx6wcGp9Lx+9Mj31xk8NkN+6z0b2tb3 hHRWr3DnMzuSmcmtKPJZCmV7QTpR1YINgrvOY82IdOJROyi8QeataVoZaaqM5CojucqIRLnzc9R7 UTqaAreoCDKV38lU6KzaEamkn5nG7aLdFJPsfEwiy5R7n3yQyyY6PIagx4POM5qkHx6TR9Mq/U4r InTMbjDWKv2hMoj+sPUC3gu199VTaJPnNr16dkbp8Lyk1M8vSY1mPSib1qDX6MnAF+2pTLqnMuke ZdI9CGq8BmWcmqZOKjljX9M/UwVLvnqM+1WZGpp3oAZeuJpqDEJP9cNxa8Pma80Gkav2f1qbm9EH o1Q6oJqJCx17n7xhyzd3tcVGdvV3rBP9DZtPbNv0QKketX8O7h6J/sLduqxp525nflXH1p11gf7t fYX1nd67jx05CkaXH12bqlt6y1jntpUjAW//5LrmvoOrs+nJXYXs1PKiLzi8Yj2+vq4vY9+0Itrb kffmbp/5dmqku9Pv7eop1m+8/gaUxUAsvSSdv0xg74v2BSXTcKVkmkTsTxihIwlqiqGoA8CEOFMT 2jwT+oAamAfBEB/zyXSxTwGXT6nr+BTiFF7fQzF/yAfQ/6dPVGvQ0U4RI6TPBlKjzlPNhAbHJOZP Ol4sA+KSpPGYBtMk653oo9UNy9C5x8qxzrlTH6VECSp6baVa2rL/pO5K1pSASOKl9I3P3XnbU9sS mZ3PHTkEr8/pnYmOscyK6zstnu6tQ60rOmHWg3/lax+c3Ljq+x8+8ciH0vVHGx+7eUWLfcl9P975 4D8caQv1Tt10NzRfz0C1/RZlxVLYr8VQyANCbhBygaAThBwgZFdOPcQl2QuIA8pIHX9I3BmAIdFi cYV/jysCjStMdFwRaFwhmeLooKjeY0N/ZGPRT5ZX9AheJb3iFT2qGb+kHA2Eood/8QQPeKMwDQqn 
gkvj3DRg5PPojYWZK1L1A31dQc2YlXNUsjLMMX0lhe+oHKSCUQktM3wtYaWzQopqiG/RGh0zs47R sjSt1qmA/hPUd0nQMH2tI7UwpLfBxOJ9lV5N9aH6BsM5jIKDVxO/+JqG1HmsvI3T0i8SJAlIhqU/ fUANg1so7ZugtB+HmO7CHhF18WaQ8IC4G7Gm4nTFDYnAglBskSyPxSexc3jybDYM/2F5Rdb5C/gd GCsLh0UcKYv6JfjWvM+Xh+BLnc1a6NQyDoYRsYqE5FpRWjYm0IBcqX6cjCQjiQ2dJxxEcC44hEBX bQcj0TCPUzDunmnSmw0MoTFoP121Iy+4mpbkpCMIDExicEpla19zQ/vU/aWUZfD47it4VmVgqWF0 vo7hPBaTx2rVAc26h27ZlEiMtQUCsYBK8JgNFk5vDgVtTetu6+869MCzN72uFqSYfju0CQ9B+a0G 1HlsLRSZC4lsLWhQQaE0IMVvkOTWgOTWMI03iZrxZZHxcZsRjImInY/AX4kg0liEo5H/z96ZgMdR XPu+aqpn1zIjWfvitmRL8oIkZLwg2SDbYjEmQQZsa7nWeKwZ24NHmsnMSLaUyAyOoysjBRRCgDgk MYGwJPeGEDAxS4gUHCsQkUAgQAATE8JmMJgt+D1s9f3X6dYGIo+8m/t978vzFP6ruru66pxfVZ3u nu4eqkVSjs01ej+O9sxR6fFffcjmgPw++iKUntmX8zvJGJpJxmhPkh2Xim5IqpKPhlVV09dvVZyG rjGE9SNAlbvKnb5wP3fijO+See+rqnmlfHXSOfbqZNnRM11jb08idJfp8d6I9fQIrHycKOXM8Tg/ /qMZCyfc1dNfrjdOmo01U3ViGo4A15wV+9HWZV+qq0y2WURSon3BJaGa5b6agrmXdHzhy+grq8WZ ZP/S8sDK4uwzVi+o9F5Y4ZDfs+IaJ7VyTai6oafxNPWshqoVodrTeKT+6k2L0vKmJyXhKnRmrjpL LThrTcWiuuoCTI+01Kxka0F1/aKSlQunF5YUmpNz0pMz3Emp6OfSS9vOWxpYfabTZF1QK2O/fP/q SXpfqZR9XF0pbzGcxovn8ZnFfGYRn5XLi3J4IQWoWZl8VgYvSudFabxoGi9ycXTxTDOfqfC5OZyi VYoerU5Lz0QmXXUZT4DqT34e/rl8MjS3tNS1XztRnYcSLjn9XHJEuOSNN5c8iLjk5aNL/uZUMVP0 WKXgADD6IH21Qz5Jr5SXFeeUUgcrc2e4XI4ZFzv096Qw6+YfragwviOfa9x/lD+L8Bj9HZ+Bn/jw yY+Pj01NPh6r0nkhnyGenJZyzeivR5w8kuBKxFWow8r/YE7Nn5ePE3bXNe60kZtMI438Nh6eUTRy bPSmG3dZXPmZqflZGYkiRX53acY1+YmDhaY3TlbKGefHjLvOnISINVidWLyIFy+kB5YERax79YC1 yIhKi+hn9OQL4PLVsRKgL5Gv08t5UZJ0UUWo4vIKUTH1DwXcb5pP76UZx9J99JRl6n75+JJ8ijk1 c6H8PZ+EeZUfqPJNK/O81ZmTps76o3LqlM3lrqeNGXNg/VP65NHhSrpT/sSMfgpUOOmHtHC1azyy LK47N35XcEnw0oW4rJS/O2N1zDkvcP6K8OrS4tVfWbu0rig3c3qeaakt2WGeljKSV7iyPHRr6Ey+ d8sPQpXurMykBHd2ijvHbcvKy1ZrNl9wlufs6QnZs0zJM1Q7guDMkpFvmU0LvFdq2uh1ickiHmWS fDPmwJ0gP509cx9zI3Y53DP4hW6Xy3hVfvIr9K8bx8njNBZjdCvTtX90L5dLv+lGe7mMvWizU94t bXPJiWMxbpTOGO3ZGXzCie2zdEKbZhyRJzwV/brx4zGH92GfNLN7Pz/t7uzVzrFXmumQTL0w17iz 
OXqDc/zeJt0UmnjvQdwpzHbLSKk5OWNmdkGR22ThR05+MzXV7Eiym95LSnNalAMpeTlZSR//LiHZ LiyJqYnKBSUzU3FcsaTkgqZxJQKaw0x+ByCXb8WRo5wtZ7+oTp1dyueY+Wy6SzmniBc5eI0MFap0 uwaHk8TRI0le5+n8zNNXnh44Xcw9nZ8uX7i3s6QklYWZSb8M0C8H7pEjtkoeN7BrlTxfoReA26r4 wqpzqzZViZlVvGq/aW51UtksPqv6PVW1LvxgziUYxba7rGsnXBTS5SC9tLXeuCKsmDiGaRQrn3yU Y9Gkn4lQJj+rt1DcOq189ZfvCM9dvWzeNMBy2pwlSy+e7+2tm2dacO2G4DfriysuuyWyuuvfqovd dxYs33D2sn+rys1a3LB8VZ/p/kv/4/u9W6qcrpSU6dnp2Unm5JTkVTtu/bfp5VWb+i5Z+532c2d/ oeXKm86N3xksL7vIt6BqY80s+ib9XBYU9yrprIxN+9mcmfnyp+0SLCmsbP5jJx+b//debv/EDwnd a3Ek2Ub229y5adPy3MjZEx0WnJ3Z+EqbO2+a/IILuUSn2VSdmpMi34N3yvfgEdqCtpScVPmrdsgl 2s1m/X15/UxiA9srbhSH2OlMrU7MYumlSl76rMTZBXY3LDxQQY9yP3WAflJCPpQ9+nIJ56Ok6Sam DjyDc+MJ0mkWq2kjLzVbUvPyHRanZeSJkScsidaEvGy3g5ePPGG2TMvNdyQ6eRkvMydYE/Kz5Ve1 S0eetCRYE7FgUaiUeVrOdEeCk5dTKWxwO0ceR94i11sSzBh6TXyx+K5YyRJZDsu7hyVZ05wPcgdT mBuayeQLNLzM+DZ7wrem6e5JS+K7GcknE5LTp7lNH6RMm5gXomT69JKZBQUj6+RDBbMKCnRq54jv KRVsGftidc7pVUtwzDMnz8rJdinJReXJSIvY9Gmnz52JC599GEEOxS0vgZZkgenJigOupytOHphP ZtHJ52Nu+TaP8RAmzBr7dnPR2Hd+i8aCwqLR+8TWsYdy9JPQ76W4Rs5tVxwp2SkZuQncsuk/XW7F 7rS//+8j3XqOPxiRm1PTc53c7P2RFWMhxXVsF4/JHN8xa8YLFrvFZE1OTXhoxqzU7BTbRwWzUJvt D7Q6aVrCPTYszir4CH9kLKlnmrhZbMPI9rBF+8rZ+ZmNFz3AnThGruXOe1Ysmp5qlf+LraK5Sfdh 7XR0xvwXjlbA+6MvyIh44NAB44dKC/RLuwmv+CqjTxm5/w/bxc2OwtIFSwvnnFO5YOHighnzZ6sJ 9oy0JEdB6UKsramSa9UzRtf+A2X5NY6MwsIcd0ru9NyUrPxMV0a2wz55TXo2948WUnPdWXlZspAj vXBmjislRx0tRHcF2HpxvVLE8ljC3RnJWWZW9ph+vxPXXaMPVyziC9P1e80cZ6TXK45k54m3HAnC arcId4ZbWBMTTn7FFE9MtokfZE1PxLHgKnPRTFduSqKJ9zkzy/IKcDwY+fXIo1ZnWqE8Z2FNYr8y A+QT7k7JdVmMNvXDzdj1Hufy+5CFC9Mz5EsX+xWLw3LiHadLft+Y5DR97eTlaM+k2F1OMc2RaDrL nTPNKUZi8i5ARm5BWoKZL+ULLM70wrzsPJg0EjUXy7GxBld4typ3YFaexqrucbHcQly+zalOthYq 6RkiIT2tOjFdFSXy5EXFhdnJp7OzDmUeyn7MLWcCPVfrOnSAxodlSjxj83f0QHlrcvqJNx2J0nyR kp5ssiY6AGsXrl5N6UknPkrIlBeywi6vVHlZeaaD7x5jt9uRVZZL7B4ZecyckFY4cnJ2fv5s+olH eQ/FxNbCm9uUW8ibRfexZFzBu1lumr0wK9lVnWlOSlaTLBN8eQzOuM/U3cE4P3DoqZfGsE+CLpF/ 
ypPb4IP5xFHdB3TAl6UPyekizZnwSU9MD7tzUhNNI9ud5AE6YxGfb05IL8gpy3KMbDMXnfRO8oSz S0WQf80cYynM/jNTgn73M3U0lKciemeAsfX3tmnphVmJoseSmTZnpRA7UhLcbrPZwh9ITs7JMCsM ZxZGTSaLvZZ+rf8mPcmQ/hnpFdPGCen3ehKrpkj3KI1j6WOZzOdOmX5s/rFlDtL28WSdZR0YT7bF n5Hust1lv9D+kZ4cj4wnZ7mRHpgqJZyW8NBoSixKvO5UmpiSzvnM9GLyZZ9OLm6kH3w6uWf9c1PK VJ/rZEpN/ox0nUzTyilFx1PapWmvTEzp0U+mDDel2zNuz1yWeb+esuJTpBP/Nym7b6qUsyI3Zyz9 OM81lkL/Uum2U+lU+tzpralSfl5+NP+B/EPTS5DqKf1UtX1mKkeqM9KXkfZOkd6YceaM8Iwf/gPp zYL/+J9PhQ2FDTPj/700a/6sI0VXFu8oWVFyfDab/f3Zt83Z8P9YunPOnXOTkS6Y+9i85nnfnff8 vOdPW37abafSqXQqnUqn0ql0Kp1Kp9L/12n4VDqVTqVT6VQ6lU6lf5H01Kl0Kp1K/xqJ7iNzxlJq GBf2BMbsloVMYSnau9Bi0kqWAV2lvQGtJ/VpG6BbtMPQqHYbNKb9FNqpXcYUvkcbhg5oz0GHtGeY ItawZGgdS4A2aj+DNmmroB7KR9CKmynaW1Cf9jg0qr0GjWmvQzu0p6Cd2hBz8xJZBvVLHSA9KPdF K8iLNdpfoU3QFFj+NrQSLabAcpmvJ/UxB0tByY+gjawe2iTLCA/ymbDhL9BK7QjUB08zYcnr0Jj2 HrRDewnaqf2JZaKGR6B1sDYT9Qhok/YO1IN8Luo5Ak3BvrmwROoqsMqFDVKbYG0uN2kvQl2wNpdn o91cnq89Dy3RBqBdlO8m7aWte2Q98Ppx6CDtOyTzoPcKK0KLX4emwMci8r0IXnwTuory9aRN2svQ DthWhNYfgcrWi9D6W9B8tFKEduWabtJeWt+vHWJF8PcMaJ12NlT6W0SeFomg9ktWDFZ/g0ZJY2Bb DEp/YcWw9mXoIFosRk+9Bx3C+nnEqhI2H4J2oJVK1P8KtA52LoEXP4MWY0Qtgf3fh9aTNtHWLahz CVp5kS0hhkvgxbPQbO3PUMlwCRi+Bm0D7SW8nbSL1neT7qY1vVS+j/L9smYQfg66j9YMaN+BDmo3 QYe0H7Ml4PwiOwu2HYEWa09AK1kWdJX2JLSe1IfxfxYsfAoa1VqgMe1KaKdWz86CVW9AZStnof6f QQe1/dAh7S52FuaIG9oo9wKfKqgHecwS7LUKvfkK1IdeW0WzYxVqPgLtwGhZhfqxHoQ/gA6jF1aB 5+PQOtBehf5KgEp6q9BrCWwd6gxAK7UY1If+Wkd9tw61HYJ2ah+ydWD7FNSl/RGaDd/Xge0z0BJZ A3jKfDdpL23tB7d1fA9tHZIKG0zQupGPoY2sHNrEEqEeyge1a6ER7WHMvEo2G+oD1Xryrh7efQDt QD31sOcPrJ7XsipogF0EPcims3oQC0DXyvGB+m1QD2mQ9UAvZ/nQK5jKGmheNKDXjkJXYbw1oL+k NoFqA9qV+SjGfAPalSXl6G2Avy9Au7Snod2kA9qr0EGMnAb0GhQxzcGawPNdaCVINqG296BR0hit 79Deh3ailSbU8AZ0EOO/CTW8xprQ4ygpZExoQo/LfAT1+FDnBmgK2vXB8l9DKzHXfLD/ILSetAm9 5kPKZT70F8qjvy6CZmPk+GD/BdBa9LUPc+EKaDtpF63vJt1Na3qpfB/l+7XN0H2UH9BugQ5qP4Ie 1G6FDmk3Q4e1CPOhf0uha7WroOu0TmidtgAq+9qHvk6Heigf1L4FjcDCLfDrSWgl5uwWithbsNcL 
LIr1e6Gyp6Lw9zVoJSJAFP6+Aq0nbcKoiCLZWRT+XgV1ad+GZmt3QPO1PdBa7UZom/Y7aDtpF+yP wl+pu2lNL5Xvo3w//IrCX5kfwviPwrufsChsw5iAd9dC12k/h9Zp86GNbAHUQxrUroNGECtisP9m qIwPMdgvtVK7HbqK8vWksr9iNB5isP8+qAtxIAb790PztX3QWu1RaJt2ANpOKu2Pkf0x2C/X9FL5 Psr3w7YY7Jf5AczEGLz4LYvB/hLoWs0HrdMqoI0sCeohjcC2Dlg7BC3GuOqAnTJfTypHYwesegqa j+NdB6z6CNqF2NUBS6T20tY9OCZ2oHW5ZgBRqAOj5ffQIcSNDhrbHTSqO9DinawTlLZAU7RfQItJ K7V+6CrtIWg9qTw6dIJPJ9SleaHZWhc0H6O0E1H0V9BajMBOvh4xp5MH0GIniP0A2k7ahTHcCTul 7qY1vVRDH+X7cazshOVPQffRmgHtAegg1XxQux86BCadGAk3sk6QxJkNSLZD12mboHVaKrSRZUM9 pEHtq9CI1stNsPAD6B7tKBQ9Ah3U3oMepDVD2nPchPn+PE9GyXeg/drfoHu0j6ADlB8kPag9Ax2i /LD2V56MvY5wF8i8A+0i7Ybmo563oXu0D6GyhnyqIR81vAQd0t6HDmtv8Xx5FOAlqOFZqEt7Epqt /Raarz0GxfkVtFY7AO3S/gjtJu2lMv3aK9ABlggdZBboEHNAZc0loLQTWqdthzayFmgTy4J6KB/R HoEiJvNatP4c1AVKtWj9KDQfXtQiwqdCu8CqFu1K7aWtGGO8FtE+A9rILoHiOAL1UD7IVvIGYt5A zBuIeQMxbyDmDcS8gZivRw3pUA80QPkA5YOw6hDUpT0OzdZ+A83XHoJ2aQ9Au0l7aX0/6gyirb9B 92mv8iC8u5u3kQ1tZEMb2dBGNrSRDW1kQxvZ0E4l26lkO5Vsp5LtVLKdSrZTyS5s/Qg6qB2HHkSv dWHrh9Bh9EUXmD/Pu6lMN5XppjLdVKabynRTmd000nbTSNtNI203jZPdNE5200jbTSNtN4203TTS etEjDt4HMk9DXdpfoNnY2gcyr0BrKd+l/RnaTdpLa3DGCB1Ab/ZhnDihcpz0wZJaKGIRtJE1Qptw FtsH/jIfwajrh51HoXu0N6AD6Pd+srAfFh6BDsGXflj4Nu+Hha/wPbDtNaiLNBt77YFtR6BdGJN7 YJXUXlq/R3uZ70G750GbYNUetCvzEW2QD6Cev0BlPQPyfBiaT1qCkgPk6QDqPArtJu2lrf0gOYBz Hgd0gCVAB0mHSIcxNgbgtRdap9VBG+WZJVrHPEfrMh/RnuCDaP0NqAt1DqL1t6H5pCWYZYNoXeZl 64PU+iBal2v6SffgKmuQWh9E6zboEOWH0eODxHwQrWMMUeuD1PogtT6I1v/ID6L156Eu7Q9QxHxo vvYotAtz9iBalNpL6/sxbg+iRQt0H6w9iDrnQz2kEe1XfAi1vQR1wfch1PY6NB9Uh+CLA1pL67to fTdpL6mcU0NEcoh8GSJfhmjkDJEvQ/ClFVqn4eiCdnHeTL4MoXWZjyCaDcsrAqiL8tnwaBitSy3B KBpG6+9Au2hrN2kvbe3HmBmGR7LMAKgOy2sW6JDMo61cqAfXWmvkSy7QSpYO9Wlfhka1NmhMuwza wRzQTq1FrMF4+6NYgyMgjsTyahfqoXxMexRnjQpLgKZoz0GLSStZKhRnC9B6Up+2GbpFexsa1QLQ mBaGdmo1og4ePQuthSV18lgGHdDuhg5qD0KHKD8Me+pgw2XQJm0p1EP5iHY1vFJGjkNTUL4RNtwN rdR2QFdRvp7Ux5KhnSxRNILtVqhLC0KztRA0n7RWw1kRX89s0ID2N2ib9iS0nbSLyneT7qY1vbRX 
NfUaQtA/KWj6J+iMV+ORa4KagPDJajLoTFFTkHKqmoqQD9Q05P1QfYh6+Eh9ipr5TH0BPmeqmaiT WWoWuPpWzQO336v5oLlYQTLVMgWZVCvUalBbozZQqtqo0lEnm9U2lLVd7aBaaqfahZrcrTKpjspS WShxj9oHnrNVNlIeUAcQe1AdRPghdQicHFZHQP+oOgrKOSoHlHNVLlVUx9QxlJ6n8pBXK23+X9Vz qJpBE1yBJrgCTXAFmuAKNMEVaIIr0ARXoAmuQBNiQJPncB3qDSVuMIWkwRRiBlPIB6YMxHVQcAjF GWQhAWRZTn5oRWglhUOrQvsozqAMCYMylAyUSaeK/mZ/MyX4W/wtFPa3+lsp0c/wMxC7zd9GSf52 fztV9Xf4u+HP9DORPsvPQpo9/h6k2e/vhz/bP0Ap/kH/INIc8g8jzVH/KGJz/FwK+Xm+pqSwUa0r GvzCVYYlrk7YpXigmEeVw4FwkCqFQ+EQUvrhMFUFrlVESEI4kVIMulEi0C0F1yrhqkhTPVyDEsKp 4VTQqRmuBX/tcG2krxOuAz+wD+HAPoS8GR6PUiaEJyLXpPAkUJ4cngKab4ffpUoGDUkYNKQ4g4YU B8T6bxQNR+IUFg0doOFr8L8BHBQWB12g4AfwT6PPcf2CIG1Aw6/g/wYYKGgecFAAB5cBMZcDX4Vd v/csDgqLg5UsDiZaHAxaHKxscTDJ4mCyxcEUi4M+i2WxFGbtWXtce7CeuD7MeuHah/XBdRgbRmGg 5E3ELUoGgJLdcDUoGbIoGbAoGWMxMYHv4ruogsXBeIuDFfkxfoxiLQLGCSkkxQP7PPiDIkgVRHvR nqqKDvZNNoN91Sz21RCdRWeEd7FvtxkcrGZxsIa4S9xNVQpwMIMEEDCbPGBfLgUt6qVY1Es0q7bo n5ery9F7r1BXkLAY56lrgHESGNcafoNuwqKba9EtSbVVbRFi0E2om9XNuN6i2iGlwThp0S3RolvQ olsK0K0r+eoudReud6u7kf4edQ+u3VV3XA3SeRbpglGk66P6IKQvkM61GOepx9RjyDtADUD6fKQb An8E455ST8NvkM6zSCcs0gXVcDUcuV5ULyHEoJ5nUc+Pot5oNRrhBvs8i30pFvWERT2p3gTqiSjq TVQT4Z+kJgHR3lJvIb3BQWFxMKUQDgqLgx5wcCb8Eeybrb6G/1u1CFeDfR6wbzX8BvUqWdRLtKgX tKhX2aJekkW9ZIt6KRb1fLVf7Ucug32JFvuSLPalRLEvFxgnLMb5HvMYiQhaBfsHH6NA8PHg47gO Cg6iUHAIsCkUfDL4JEKeCT5DAYtTPDQ69DpxizgJ/m5gTZy/199H8RZf4iyyJABZDsF/2D9CscCU PPRzgykVwiIsKBZooijG4ki8xZEEIEg8/AZBKoYrhysjjcGOhHC1cDWE14hiR01QMNgRb7EjzmJH BYsd8cCON0FzQngCck0OT0b6KUCNeIsanHiTPWbl9YKtVzaj6+n2E83z//849Da93bjo3caS9C6z zmPX+spKe7NZ4bKa91f2fk1+mfa6KKp97jL6p9VFV+s0nVF0Raf0cvNX6PQjZefwzB66NTRP83tC 3btYjm3QtH8o/7pMAZ1dx9/pvfYaDYeumI2aTdOZcAUre4U00YRCuVcj1Uoy6x6V4YuuMOZr13/Q ESzgpnC5Pt1hw3aWtLqgdxRfm9P79Ca9CjHFdiHKe+Svkhe9M/0nKtWF1gvAuyjw7zpRK+sNxVc1 z9RR8g5Oqbmm6En2N9euhv9onFkf0u/BNz+aJl+yTA8+oBfmh5epnM1WRtN+vzerYHpdoRQv2vUg s1a+wfo2g5vCCBWt31NtX7tqnVZ6urIfkLRCdPVBnQt31Kx16WNF0p1sX+r/2PEH9/lTOPS408h8 
Ywn00qgBZLD6aVA9+dGALLYaPLWYWuIBbDjlPcTTHyuOo1eEq8J97xTzf6zn6I+i+wMJeoKeY0PT zeheePQu1/xhJbBxo50/ZNi5iUUzMybpjfidGk2VaffbfoKbhzOj6Mq1RbJkyl+b/Q5jwXy9GG4c Qq/XS/TPNnxpZBZhd7TvKDunxTjfXuTOjqH6v4VCHtCTdU/9vFnl170KQi9G2Oem3xXfdSSz51p8 L3SH/grPsvrM9dR8eTDjGBAsf144n6L7s4V5AC4X7I2YPZZSKP96pngs74FaCtvfUWa/uVhsH/1d kbSR33UY3dKNhJSjvGVG6u18y9aT8WF82xitNVz1/XqBbe9DJEoYw8LUqBjNTPSD3dHdJQHkyN91 OhSJPf3x7fd96KL7lfmzFDP3suP2ZpyZxeaeG+zcs4Tejt58hrGrpOM4PFtSLD73+JBo+D9KDqey 7KOX+dD3ljFD5B2LofoZ+5tlEeAT4+D7t54e8dm4/PmZ3e9ES31RDu4+1p8DMT+L3n2n3yfzftAM 44cDcgLFvgNK5M+Cs4C+P0dxIrJ/FlOM5g/6Mz03SjPB3EXDi6CD1mXn1uZDL9WrCu7ydZdNxpev V0Zm4hbR5hv5iLwjEu0/+ywid9I32ru5ZHbzHoF7FL6R+jWMdY9GqRR6twU1MEsPKAe3d+pB+i3d E75v0Kvf0t0tPryI0egt1PNcPU7fh7E1y+wB2iebqafpiZGSo6NGiv7mOJoZejm0ykjPPb/AF513 6iMRd+oz5iK0s21/L3grqOgoZcfpAs3Xznw32vceCr9x8Zeib6z8UUfRXVz7BtPu0jmxT1Ts/as/ 4iiqyZpahQzvLw0/beucMU23LEfh+Qd6g9GyVuD3BDvdBSl3nD6/+k09UP9Tj7X+hZD3SeZNmeg4 FJkvHtCfws05vXIspUaRN1lOi0a63oqR0I6PaNOtkMOCOXek1fUezDn2lDQDLHNZ5ZhzF8r9c6RV wYvBwV+jdxui/SfK9Z/Tn0s69L36Hj1bTydu7wbpfkDrrpEZgZ6hD+NuuP6HvkjXBo421Y/q+0+j rMj8MfW0+I1iUkSnLXjfcFLR2DN56ClngIaR3uURVMf8tljr2/g0/dvvo/Cfe4CbNehzds0TMmw0 xQJNJTLTRewPcCd4V/WPPsDvS4V7LuZXM/9Mfk58oLf1MXOnyJuuujdmR0vR+yJxc+11jf5Cd9DP wzdCr42ElbOsH06f3zKWmF34Pa//u0fBHHff6b9dWdK77mfyiMwOMf/eglHvDKxYlPaO8knznqJE 6Q/t2v7O8pdU6Eg+I1RO6cBc6LRnrnrUmeCklDKiSIfZ7Wmvy5+hViqtlHTMbP/HPeXMHZj1ZJ+x mok/DT7ORH//A/cjyiONmPekRXJGv+zIXxdZYPcZFpw080PRtB+Vvdw/+ijPNxDFaJxwN+Qkeexq vVkpimjCkRWdgr3g4Mn0Y7u2m0w9yS17uTZ/Ob7y0hl27Pj9W7L8NblT1e1CdE3ZS/1Tj8TyZiz7 zhOZtxrMvnSBZq9n2etu4HOpuxH/1w7M+w+c+JuJQukO/+95ObXj1BCyvKN6id9KlVqWfYPg928H 7Y5FgWQFS8yUn9asVVWlDuhzf8JRdO4eQQ1oT6XgrN2J+RPW+/TeM0hrE0VXlEv84qih/crJ7KAv LCG2NNrmO6pN+TnzfXaFf1M0JL/Mi21Zx/FV6O6532nm82K+1yrGlfkqq7HZpSmP1q7H6Xf0zILv wKI+MyOIrmkuLOCjcTF+3yl7eUXyl+NNIf2b3ZX4qeDevgOE+aZ7yjt9p/D13gnKLvHb5FLybLWr VmYkt1hg775D34sgQ/Bk80s7osTSZaf2vWYJ+cvz/sMS872ldQcj9/YaXTU/OTpEn6Vq0feNIF97 
9WLrxlFlzEm3R3eTNkb6tJW1B8rOaSnPEdlhK6St6676Uf2uHm/tBhS806Nb64/LSPm7P2bGbHg8 cTk6r6Rd5ciO4nFhe0vfxSnvYd+RiSKz3of5xD7Mj1bq1b8jkd6FMLNnfKG+1d5/AglYrjvpeeZe z9Wv6O/NirmNe7kI7XX54WXiqK3uqZ/U10fvrA8S2N3639GTdS/IwTjM1mZi5DUppuvP9KfRUdus zidSI7vn3F/3sGGR9xHHY179pmkPYyWh4C2gImtB+kj+1/xl4vd1/R50tX9F7xbYssdZnF9g68Ds vn6ks/XXNkHkq/3oGwZRKT6/7KX+Wcf/5Gvs4qVsykesyL7zn3WUZ58KLb2bCq06FFhIOJWxpyKZ 93dutv6q1BS6Z6rNuwWzji12NKlCf9XL0EPNuU6v1xehv3QnX0fG9aieit4Z0akqR+8/ju5UcCr4 YtqGf3CS57DvVugBGOeiK5D6ct0FrrW+lyrqyBicb0NjENxV+mLdTke/bNA/6rX2bQnTY3dgTNoU 1V/PpgZ25Dzbpjr56kbJfE3Sk3F9r+B+ptHlirxZcUvU04H+ThdSE2snpq6NKfzswbzfdCjvkB0p Z+sH9SdmDNOD9dPGB6rDihQbeQfswXLw20M/jOd/2N548PWwuPm0HakXoy0z8iJf0s+wVkHyD1uz uneUxinoeCWWvb30NMXy7LJvBJh5gpUmK83f4V7aaP+k8x2TK5YuAfeclpRix6591I7dU3Qd46wS dbPW6fpb63RDrXW6Yaw960Qj2f3sfnrF2qV7lfVlw+g1NpyNpWnGOh3NNNbpaJaxTkezjXU6+pJ9 zRbSXN6IN6YFvClvRouMdTpawlvwFrTUWKejZfw63ppW8F68N63m/fljtJaP5C/Tej6FT6E0/i6f Rul8Op9BO/kX/AvazWfzOZTJv+PzaC+fz+fTfv4rX0DZfBFfTAf5Er6EDvPlfDkdEb4I01ERJ+Ip 11iYI20tzJG1MOeIOqIOU9bCnGetyoVEM9GMha1VuRhrVS7OWpWLt/bkKor2ogNLEJ1FF5ZovpVj ScbqG0sxVt/YX+QMOYe1N1bf2F3G0hu7x1h6Y/c6cU4F1t1JcJLZ/cbeG3vYWetsYv2MvTc20Nh7 Y4OMvTc22Nh7Y08Ye2/sWeeAk8OeMzbe2EvGxhsba2y8sQnGxhubaGy8sSnGxhubamy8sTnGxhub a2y8sUVuJ/dZtsJYd+PMWHfj0lh3446x7saVse7GPXeiO5nHGLtuPN7YdeMVjV03XtXYdeO1jV03 Xt+d767kDY1FN36RsejGm7sZ7k5+ibHoxi83Ft14G2PRjd9oLLrxB4xFN/6Y+T6OD/a4x/kQz/UU f8ILeSH+lBfrxfGnvQQvgT/jJXnJ/FmvmleND/VqerX488biGn/BWFzjw43FNT7Ca+w15qOM3TU+ 2thd4y8bu2v8Va+ldzkfa+yu8deN3TU+zthd428au2t8grG7xt/y7vW688nG7hp/2+vj9eH/NtbX +HvG+hp/31hf41O9573n+TRvuDecf+iN8Ebyj4z1Nf6xsb7GPzHW1/gXxvoan+V94s3hs72vvCX8 R2+5t4Kv9VZ5a/h6b52XwTd52739fJexysYPGats/LCnA4wfMVbZeK6xysaPGatsggWSA9VF2Nhj ExUDtQINRELg7MBfRJVAk0ATUSNwfuB8kRq4IHCxqBm4NHCFqBdoFWglzglcHbhWnBu4PtBaNAq0 CbQVTQK3BW4X5wceCvQSFwRTg3XEJca6m7jcWHcT1xlrbeJ6Y61NPGKstYnHjLU28aSx1iaeD90S ultMNV/tiVnGWpv41ld+rPjF2GkTy/wO/n1ij7HTJvKMnTYpjZ02qYydNhk0dtpkyNhpk5WMnTZZ 
1dhpk9WMnTaZauy0ybP9Kf5UeY6x0yabGjttsrmx0yZbGDttsqWx0yYvN3ba5HXGTpu80dhpkzcZ O23yFn+TnybbGytrsqOxsiY7GStr8i5jZU3eZ6ysyQeNlTXZM4bHePKhGD8mRvaNiY9JkP2NZTX5 eMyhmENycCzFMjmEOEsD6sVA44ulOGJUAaegeIzDkpIwdjsY1esivB5ORfUxCnp0DlAyADy8mHzg ofmfh8vsP2AYxIyxiBkLxLwVuW7DWQG42QkUO9Pd1JK6AUMvB4b2wsyhN84rqA/1p0r0GM5EGkCD UfIQIGwSENanZBZmMZRivxCuwuKAuecCc+sjpAFrQI1YQ3YWws9mZ8N/DrA42WJxY2BxW1xvBCJf Ze2FJrNOwOUmFpebWFz+K3B5IMIHseeoKRvKhoLm80DqKkDqEdSMjWSv0gVsDFC7sUXtxha1G1vU bgTUfg/+94HdjYDd8zAefM++p4vZD+xnuoT9AjS/1KI5B5o3xfV8YLprMT3OYjq3mB5nMT3BYvqV FtPPs5h+ocX0qsD096gGf5+/T9X4VP4fqsmnAeVrWZSvZVE+FSg/G9cvgfXVLdbXsVhfDVj/K64L gPipQPxFuC4G7le3uF/d4n5t4L5PdUUY6F/Pon8Di/71gf5JdJZIFsl0tkgRKdTKjATwYySghhgJ 6uPaQDRELowHdI4ZD5CruWiO68XiYsReKi7F9TJxGdJgbMAVYwNCzLfW19hvra+131dfY7+vvtZ+ U301xokhdJl8Qj5HDKPFSIqVo+QYukiOla9RRfm6HE/N5QQ5iSrLt+R/KFlOk59RCkaUGdTEWBOl pmZcoUvMuEK+GVdwjXPi6HKnglOBGpvRhZpgdFlKwlnmLKNUZ7mznGKdFc4Kks5KZxU5GHXWImSd sw4h6531pJwNzgbynI3ORqrkbHI2UciMSRQ2YxJSbnO2UQVnu7Od4jEy7STm7HJ2o8RMJ4sqOnuc Pf+PsvOBiuq69/2ew8yeAxxAkSgiIYYQQpAQggQpQYMECTGWUGKM11pngGFmgGEYhplhGIYzfxmt sdZYa6i1xhprrbHGWmutdVnrtdZnXJZnrLVea6j1Guv1ea01xhpr3nf/hljbte5a7yVrf2ev39ln nz8zc/bny4KvbJJYq3DEj3Ufs0zdLd0tNlP3ie4TnNtt3W2cz990f0P/ju4O+p/qPmWzdH/X/R0z 3+MSm8ATuJbN4jquYxqscHqGxYLLLIUn8iSWxpN5MkvgCldYJk/hKWwmT+WpGINVUPyr7nwC9s3g D2HfTD4Z47P4FJbOs/nDmDmH5zCRgPooNJfnYobH+GMYn8fzMP5xXoDxT/In2SReyAtRn8anMS0v 4kUslT/FizH/0/xp7FvCSzDbM/wZjCnlpdh3Op/OFLHi4lgz+AzUK3glRj7Hn8MMVbya6fhsPgcj 63gd0/MX+Ys451f4l3BdTfw1zP8VbsTRm3kLjtLKzZjHwjtZNbfxbjabO7gLR3RzD6vhfRxPD97P fWwiH+ADOFs/V3EtAR7EPCEewgxhHsYMER5hyTzKozjKEB/CmBiP4SggADZFEAArAQG8ycr4ar6a TRccwCaDA97C1mE+zLL4tzieA/zb/Nusiq/n63G3N/KN0O/yTaxUZMBiPFgBM7zL34Vu5/iU8h18 B/Z9j+9kc/iP+I8w8y7+Y2zdw/dg35/yn6K+l+/DyJ/z/Rj5C34QW3/JD7FyEMYR1H/Nf82KwRn/ C+OP8WOovM/fx8jj/DcYOcJHcD7/m5/EmA/4BzjDU/y3OOfT/DR7iv+O/47N4Gf4GewLRsFe5/l5 zPwh/xB7fcQ/wmyX+RWM/y/+Xxj/F/4xxtzit3A3PuGf4Nxu87tssuAYNh0ck4J+qn48K9On6yew 
KfoM/SRWrs/UZ7MZ+of1U9kzoJwnWJW+QP8ke0lfqJ/GntMX6YtQeUr/NJupL9GXYIZn9M9gZKm+ FGOm66dja5ke3hFs9AX2rL5SX4ljPad/DuOr9FXYOlM/E8cSmQIawUysVDATFMwEBTNBwUxQMBMU zAQFM0HBTCxLMBObIpgJCmZiTwlmQh/MxKoEM7HJIquWFcuz5dnYC+SECsgJY0BOUJATKxfkxGaA nOAEZItsYTPBT90sTXbIPRgDisK+oCjUQVEYGZSDmCckh9APy2HUQVQ4HxAVxn9d/jork1fJq7AX uIpNB1etReUtGZ86eVj+Nvrfl7+PY22Vt7KXBGmhAtJiSYK0oCAtKEgLCtKC/ln+C3teviHfwFH+ Kv8V84C6WImgLvQ/kz8T//ZWImNzEjWJGjZZEBibAgLTQ+VEmT2biP9YSWJSYhL6SmIqNC0R62/i uMRxrDxxfGI6KhMSJ7CqxIzEDDY98aHEh9jMxImJk1CfnDiZlSVmJWaxpxKnJE5BPzsxG0d5OPFh bM1JzEEFbIc+2A5nAraDgu2gYDso2A4KtoOC7aBgOyjYDgq2g4LtoGA7liTYjj0PtnuVjUuanzSf 8aTXkl5Df0HSAvRfT3od/YVJi1iGID9UliZtZlLS95K2ow/+Qx/8hzHgP4z5W7KGSclSchZ7QVAg q4hnNwgKZJKgQCgoEPpl5cvsYWWxsphNVb6ifIWNV5YoS9gjikExsMcUo2JkuUqz0swSlBalDX2z YsZ4i2LBGKtixZhOpRN9m9LF8hS7YseYbsWBMU7Fia29iovlgCz7UPcqXtTBl1C/4ocOKirLVgJK kD2qhJQwRkaUCEZGlSEccZnyBiorlJWYGQyKo6xWVkO/oazBmLXKWzjnYWUY83xLWYf+t5VvY/x6 ZT3631G+gzk3KBuw9W3lbfaEslHZyJ4U5MoKQK6b2TTle8r3WK2yRfkB+tuUbRjzrvIutr6nvAfd qfyIFSm7lF3Y+mNlN7b+VNnLCpWfKftQ+bnyc1TAu1DwLvSXyiH2uPLvymGM+ZVyhOUrv1Z+jZFH laM4ynHlN6iMKCcxJ2gY859WTkN/p5zBmLPKf2DrOeUc5vmDch79D5UPWRko+Y+Y7YJygT0hWJnl gJXDLDslkhJluSlDKbhL4OZlrCjlqym4VykrUlawR1K+lvI1VN5MWc2mpXwj5RusVvA0KuBpViR4 mmUInmaS4GkoeBoKnmYZgqdZKciumni6jnhaIpKOc/PnxCz4OJX4OJX9G/5PJTKuJzKeS2ScTmQ8 j8h4IpHxJCLjTCLjyQ/k9+gov0em/B4d5ffoKL8nifJ7dJTfo6P8nhTK79FRfo+O8nt0lN+TRvk9 OsrvSaP8Hh3l97xE+T0vU37PBMrv+SLl9zRQfs8rlN/TSPk9WSD1ZHBziiaFGH0ye1aTpckCQwtS rwCpv8IqicVf1bym+TfUBYs/pzFrzCBst8YN9Wh84GY/iHwGiHwZmwkW/yr6b2jewHhB5DNA5G+x arD4ejYbFL4b+hPNT1iNZo/mF9gqKPx1ovAXiMJricLngMJLWAJReMID/J0A/n6B+Psl8PfLROEi YUhLCUPjKWFoPCUMPUQJQ+OJ0b9EjP4F6avScjZLJPuz+WOkLrh8mvSe9B57UtoLLn+MiPxxIvIn pPel98HfgsUflU5KJ1H/Lfj7UUotelj6vfQHEPmH0odQkWBURKluhdJF6T9R+Uj6CCqy3XIo2ShP +j/SNfRFvlG+9BfpBvoi5ahA+lS6i77IOnpEuid9xnIo8Sg3QZMgoS9yj/ITdAk69EX6US6lH+Ul JCcko5IG+i8m7i8l7i8j7m9KmJKQjbqg/+KEx0D/Tyfkg/6Lif5LEgoTCtEvSiiCPpMwnU2HE5iB 
fkVCBXsq4QvwA8XkB55JqIIfKE54PuF5zC/8QDE5gdfICSwgJ/AaOYEF5AHqQP9rWSq4fwNLJ+LP JOKfQsRfod0D4n8OxH+YzdT+Snuc1RD31z6QyaSjTKY0ymSaQJlMjeQE5pITmE35TC+TH6iEH/iA cfIAet3v4QE4eQA9eYBUon890X+m7qLuIij/ku4jVAT3cyL+SUT8c4n404n4M4n4J+tu6m5CBdPX EdPrienTienriOklzsH0eqJ5PdH8ZKL2OuJ1PZF6OpH6ZKLzOuJyPXF5JnF5HVgcvpcXg8g5sXg6 sXjdGIWX8TKML+flGC9YvI4oPM7ceuJsPbF1PbH1XGLrdGLrecTWE4mtJxFbZxJbTyZ6nsxX8BVg yq/xr4EmBT1XEjFX8bV8LeqCmJ8lYp7NN/AN4EjByuV8E1i5ilh5CrHyTL6FbwPHvwtKnkKU/Crx 8Uy+m+/GXoKSy4mSXwUl78W+PwMrTyFWriBWnsn/nR/GDL/iv8J4wcrlRMlTiJIriJJnEiXX8pOg 5Cqi5NlEyeVEyTOJkquJkucQJT/L/8D/gK2Cj+Nk/Cy/yq+jIvi4gvi4kvj4VX6P3wOhCjKuIjKe CTKehL5g4mpi4tn6R/WPsxoi41oi49eJjF8gDp5NHPw6cXAtcfAU/Qz9DKgg4DlEwLX65/XPY06R KJZGWWI6yhJLoxSxNEoR01GKWBKliDVQipiOUsR0+iZ9E44ussR0lCWWRiliL1OK2ARKEWukFLEs ShHLohQxHaWI6ShFTEcpYmmUIjbhgRSxNEoRS6IUsTRKEcuiFDEdpYilUYqY7oEUMR2liKVRipiO UsQmUIpYFqWI6ShFLI1SxLIeSBHTUYpYGqWINVKKmI7yw3QP5IfpKD8shfLD0ig/TEf5YY0P5Ifp KD8sjfLDdJQflkb5YTrKD9NRflga5YfpKD/sJcoPe5nywyZQftgXKT+sgfLDXqH8sEbKD8ui/DAd 5Ye9TPlhDZQf1vhAfpiO8sOyKD9MBw8zgVXCsTzOZpM/qZGfkJ+ANyiQC8D60+RprEIukp+C3yiW i1EvkUvGfEu5XCpPZ3PIvZTL5XIFVHiYWvk5+TnMIzxMjVwnvwitl1/GbPPkL2JMg9zAnpVfgZOZ KTfKTXAIr8uvY6vwM9WyQTbgfFrkFuwVT2IUDqcWDqcDxxIOJ1XukZ2Yp1fuxV5u2c1ekPvkPlQG 5QCuQvicSvI2Uyi5sZwcTpW8Ul4JFT5nDvmcKvmbMp4S5HPKyeHMlN+W30blHfkdHF24nVpyO6/L P5C3YS/heWbKP5R/iDHvyTuhP4bzSZbPy3+C/ic8TzJ5nhfJ89TIN+WbmFl4nkr5U/lTXJ3wPMnk eV4lzzObPE8VuZ1ycjuV5HbKE1PgcKrgcMazanI4teRwXiCHMwcOZyJc0KTETIycDIdTQd5mCvmZ GviZJ3CUQviZZPiZMmh5YiV0JjxMMnmYZHiYV6DCvSSTe0km9/Ii3Mv8MccivMpC+JBF5FgWJy1G pTWplc1K6kjqgNqSbFB7kh3qSHJAXUkuqMiiG09ZdOMpi+4hyqJ7iLLoxlMW3XhyPgnkbb6UPCU5 l30heW7yl9isZFOyj82npDotuR0tHM40uAjhYaaRh3lSaYOHeVRpVzpA6sK3PEqOZRocSzf6DqUH zsGjeFARXuUxZUAZQGVQCcClCH/yOPmTaeRPnoQ/WY7KG3ApT5JLeUL5uvJ1jBf+ZJryTWUttr4F f/IE/Mm3MJvwJ4+TP4k7k8fImRQr31W+C31HeQcqnEkZOZMm5QdwJs/AmWxH/YfKDlZCzuQZcibT yZmUwZn8GJXdyk/YU8oeZQ9G/kz5GerCnzyt7Ic/KVYOKAew9TCcSQl5kjLyJE3KMeV9bD2unEBd 
OJPpygfKBxgpPEmZ8nvlLOr/AU8yHZ7kD5jtPJxJDjmTEmVUGcVxhT8pJX/ytPInBYxH6YBFlEda qFxRrqIikgJzlWvKdfRFXmA+5QXmUl5gEeUF5lJe4COUR5qj/F35O1RkBxYpnykgQEoQzAOYgwAp R/ARyibNoTTBhymbNIcyBfMpU7CIskkLU1JT0lAX+YL5KRNSJqAiUgYLKGXwkZTMlCxsFVmDRZQ1 mE9ZgwWUNZiXkpuSi60icTCfEgdzKXEwL6UjpYM9Sk7scTixEDkxfB5SlqYshUNbBvf1OLmv6eS7 muC7von+2pRhVkLua3rKupR16IvkwnxKLnyYkguLKLmwgJIL8ym5UMs0U25kBwG/SsJy9iFjxkVo RjQzmg3Niea9/6pxbMOrihZFW462Cm0t2nq0TWhb0Xag7Ubbh3YQ7QjacbSTaGfQzjMpeIwaM16k JgVH0E6jfwXtOtottLuMNUtoMloqWgZaFtrU+Dk05/8Pr0XxuZpLx5rYpwJtFm1jzbVoc+PnS/ts il9jcyPaArTF8frYqxQ8R03j2Im2B/0L92vxdhnt2lj/NNrNsf6deAuxscbRFLR0tEy0nPjYUB6N Z80taNb4fWq237/n8bGFNI41u9B8aEG02Ng1rIgfL1Qydq2r0YbRNoxt3zy2vXysVaGG97FZXM9+ tEP3ryV+zXvQ9qMdQjuKdgLtFNpZtFG0S2OvVx94/Xz8DbTbY69nx/a7/cD2e4y1aNGS0MahTUTL /sereP9actEK/p9fpVDNP94rcW0txWPv9f9vy/rnRp/v5fHj0OcqKz6OjvtgK0Or/Mfr/Tni80qh etSr0erGPn/Y1jLvH68tTWgLteOXjHbNHRwxRrsZKSdVoMu706GrujOha7tzoOu786CbugsHR8Re gcXGrd0lgZYll7oaB08vudq1YPCccUd3OWnV/f7u7prBc2JrwLrkRtfiwQvGfd31gxfi/TG93dUy eNl4sLuBdD70CPWPUP949yLoyW4j9Ey3GXq+2zZ4WewVsEOt6N/rsg9eM17sdkKvdHuh17vVwWui HnAZtF2uwZvGW91R6N3u5QGfIanLN3inWepeRbqWdD1Ubq6FpnZvgmZ0b4Vmde+ATu3ePXhH7BUI Nud371PXG8Z1BVXc2e6DKjNM7IqpXGggZsjuWqEqzaXdR6AV3cdVRVQCK+L1Mc3tWq2mGwq6htXM 5lndJ+9rbfcZNVPUA6vHtLhrg5rTPLf7POlFaCP1F3RfgS7uvg5t6b4FtXbfva92hxQYbnY55MAG Q1nXZjWv2edIVfNotsKxStCR8bmKSmCzobJrm1rSHHNkkU79vC/qgW2G6q6dannzCke+Wi76gZ2G akcR+nVde9Sq5tWOUtKK+/1hxyzoBkctdLNjLnSboxG607GA+ovVKrFvYI9hXtd+tcbQ1HVIrW/e 42i5r/sdLYH9zYccVrXesLDrqNpgWNJ1gs7BTuq63z/q8OFMTF2n1PnNJxzB+3rKEVPnGzq6zqqL 2g/2B0ljpCugR/pXQ4/3D0NP9m+AnunfDD3fv01dJPYa8rVf7N85FDQ4ukZVo8HTdUk1t1/p3wO9 3r+fVPRv9R9SzWLrUMzg77qq8va7/UdV3iF1XR1aEVdDuOuGauuQ+0+QnoKmUj+V+hn9Z6FZ/aPQ qf2XoPn9V1Wb2GtoNfQ2+su67qnOjqL+G9DS/tvQin5URH1o2LDSrlW9HbN8Qmt9SUMbDGvsSara Mdc3TmhHjPoToY2+bOgCXy50sa8A2uIrhlp9Zaoq9hra3GH3VQ5tM6wzXFCjHS5ftRo1bLSPU5cL DeUZttgnqqs6fL46aNA3T10lKkM74/Ux3W7PVtcadtlz1fUdMV/TfV3hW4jvDupDe8Z0r71A3dSx 
2reE1HS/P+zrgG7wOaCbfR7oNp8futMXhu7xLRva37HftzLQYjhgL1a3dhzyrRk6RLPtGKsc9a2D nhAqKkNHDYftZerujlO+jaRbPu+L+tAJwzF7pbqv46xvu7pP9IdOdYz6dg2dNYzYq9WDHZdw56G+ vff7V30HoDd8h6G3fceg93wj6sFOre80NMl3Tj0o9h0aNZy216lHDOfs89TjneN8F/5FJ/ouq8cN F+xN6knDZftC9Uxntu8a6c37/VzfHfWM4Zp9iXq+s2CA3dfiAa6eN9y0m9SLzWcdK0hXQ0epf8kx DL3q2AC94dgMve3YBr3n2KleFHsFDrVoHXsCRw137B3qFSOzO9TrLUmO/dBxpBNJsx2H1Otia+CE kds96i0jdxwVKvotuY4TgVSjYverd1sKHKdIz/5Lv9gxCi1zXIJWOq5Cqx031Ltir8ApY7o9HJCM mfZlAbmlznEbOs9xD9rUo4Uu7EkKyMYc+8pAassSUlPPuMBZY559TSCjpaNnImk2aW4gw5jXU4C+ o6cY6ukpg/p7KkUd40dbwj3VqCzrqQtcMhba1wWyWlb2zIOu6WkKZBlL7BvVk0IDV1vW9SwM3DCW 27dg/MaeJZihvMckFJXReH1Mq+zbA1ONNfZdOLctPR3Q7aS7ehy4M6J+u2VvjwerJ/WN9fa9gfyW Az1+0vB9PdyzDHqsZyV0pGcN9HTPOui5no3QCz1bAvdaLvdsD2oxz4FAkTGnZxe0xn4Y2mA/hvO8 1rMXelMoVUaN8+0jgdKWOz0H/llFPQjb2nM4kN/Ke44FxxkX2U8HKlqVnpFAhegHJxoX9aBiNNrP 0XXF9cLn/db0nsvQzJ5r0Jyem9C8njvQQieDljg5rl3se9totl8IzDLa7JcDta3lTuVftMqZHqg1 Ou3XAnONXvvNQGNrjWO1UGfmfa135gQajar9TmBBa4MzDzqfdJGzEGp0lgSzBZMEc1vNznLwCdgg WNBqc1YNXm51OmugXmd9fAUPFot1MFjWqjob1JzWqHO+miNWomBl63LnIrEqOY1QrDXB6tZVTrNa 3rrWacP6gu9LsK51vdOpXhSf2+C81k1Or3q3datThe5wRuOfsWCTeH+DC1t3O5cH8o31zlVQ3Ifg ktZ9zrXinjjXQ+NXetC5CXrEuTXQSCvOpc6yAQWrj3jyX+2sHEhXbZ3VA5nQuoGcsefzDfGUG7rd OW8gT91k2DtQCBXPmXudTQMl4pkzUA7FkySm7Vw4UIWnx5KBGvUMffJHW487dwRNrSedu4MdrWec +4KO1vPOg0FP60XnkcFzrVecxwcvtF53ngz6MeYMxtxyng+GW+86LwaXmSTnleBKk+y8HlxjSnXe GrxmmOe8q9aYMnql4DpTVq8c3GhY2JuqNpim9mYEtxgKerOC2w3FvVPVHFN+b37gqKmotyi4y1Ta WxrcG+cNU0VvRfCAaVbvrMERQRTBw6ba3trgMdPc3rniXeht/HxlNzX2LiBdDF2AcxsxLe5tCZ42 tfRag+dM1l578ILJ3usKXja5en3BayZfbzB4M860zVJvDBQX5yiiFFOwdwXYlbjRFOtdDV3ROwyK E5+NO80tvVDT6t7NIWYa7t0W4qYNvTtDimmzGGnQ9u4ZvGna1rs/lB4nN+P63kODI6advUfxHSdG Ne3pPTF4uTmr99TgHdP+3rM4urV3FPfhUO8l6NHeq2qe6UTvDTDYtt7bOJ9TvfegZ13a4ErjLVcS 5h91jQtlmi65JgZHxB0I5ZiuurLjn+1QnumGKxfz3HYVqOWme67iUGGb1lUWKokTZluSqzJU3jbO VR2qEt+LUE3bRFcdKB2sHqqPa1u2a16cwEMND+h80kV0FCOpuS3X1TR4ua3AtXDwWluxa8ngTUHU 
IVtbmcs01neSesX3K6SO3UnwcChKulycVWhVW6WrI7Qq3idd21btcqjpbXUuD3gYVBxa3zbP5Y8z cGjTA7oVpOpS89qaXGHoQqGCWkM74tq2xLUsTqqh3W0m10q1pK3DtQaKOioO17o4tQar/6GhfeJb HzpIeiSubR7XRrAoiDR0vM3v2gLyBJeGTraFXdvVhrZlrl1Qh2svmPOE6wDYUrwvZ+LattJ1OHS+ Jdd1DN9u8WRObVvjGsHqmes6jf4617nQRWOO64JYEVyXQ1faNrquBW60bXHdDF1v2+66E7rVtsvN Qnfb9rp5WBp7ttPT27jIrYTltgPudDyNve7McGr8Sdh22J0Tzmg75s4LZ7WN9NSFp7addheG8+MM 0NLhLsFaQKtM2znx3I6v0W0X3OXhorbL7qpwads1sdq23XTXYNXDUytc0TLirg9XtN1xnArPalnj bghkmZl7fjhrbF3e4l4USDVzt1GwhNusXjQrbptY091O9a453e0NZJgz3SqOe84dFeuXG89Ac457 Fep57rWBjNYS9/rPVwpzoXtTuNZc4t6KcwNLhNLN5e4dwRFxdeG55ir37viTNnDKXOPeh3nq3Qex CmDNDTeaG+y7wgvEOhVebJ7vPhJuMS9yHw9bzUb3ybBd3Lewi+bxmc3uM+Gg2eY+D4+DZ3g4Fqcd ocElcf2cauye8Aqh8Up4NemwOIfwBtLNZqf7YkAye91XArJZFTQiyCS4xBx1X4/3sd5BsRfWgvA2 8dQNbzMvd9+Kc0V455jiKoJN5lXuu1gvqE/Xtc281iMFpprXe2QQBbgivMe8yZMapwic1X0ND7ds 8WQEisxbPVnQHZ6p8RUf80DD+827PfnxVT58yLzPUxQoNR/0lEJRR+WIpyK+yoePPqAnxDoVPkU6 THrWfNwzC2s3VvDwqPmkpxYrNdbx8CXzGc/cwFzzeU8j9KJnAVaxBs/iwAK651dJb4zdmSuelkCF +brHGqg13/LYA43mux6XetEieXzh252mgfpYUmfHQEO0odMxMB/qGVikrur0DxhVc2d4wKzyzmUD ttg4jHFi68oBb2xi55oBFVvXDURj2Z0bB5bHcju3DKyCG9o4sFZd3rl9YH2swLBmYJOqdu4a2Bor 7tw7sCNW1nlgYHesEivmPnVT5+GBg5FlnccGjsSqO0cGjsfq4u7AcGzgpLqv8/TAmdi8znO+XbGm zgsD52MLOy8PXISPuzxw5T6HXxu4HlvSeXPgFvp3Bu5GdtmYX4qZbNwvxzpsij815rCl+zNiHlum Pyvmt+X4p8bCcQfaMdefD88VdzrkKWx5/qLYsrjLsxWi4rSV+EvhubDWx1Z2bPZXxFZ2FvhnxdbY yv21sXW2Kv/cWEdHkRhpWOlvVL22Gv+C2Ma4z2o/6F/8uZ+Ne0xbPfnKuR2XhOPzt9w/+ja/FUpe ydbgt8MxxT3OPXjMg7b5A9dDVR2z/C7Mv8jvi22xGf1B+Czcgdh2m9kfG2OV1Tabf4W6yeb0r1bP 2Lz+4dgum+rfENsb94O2qH9z7IBtuX9b7LDgnNgx2yr/TnhqOOvYCOlp21r/HqwacNBYL6Cxc0ID 5KljF8RRYpfjalvv348r2gTP5bRt9R9SvcL/xq7ZdviPjvVvkt4RvLSUjd1JuNelfExxVksV227/ iaVKvE+abtvnP6WutR30n4V7hYddmmk74h+NO9alOQ9oXsdR/yXcseP+q9CTQoXHDC6Mq+2M/0bc Vy4ttJ3331Z32y7670FRR+XKoDbuMZeWPKDlguKWVpHWxNV2fTAJzhH+cWm97dbgOPhEuMilDba7 gxPVk13SYDZUHsxVz3SlDhbEloj3Zel80kWGlYPFsWtdGYNl6r6urMFK9XjX1MFqjMwfrFMXWWRP 
MHyPvAOtR/TsgmexpHpiEa0lw7MikmTkntWhdEuWZ1isHZ4NkXGWqULR3xyZaMn3bItkQ3fe1yLP nkiupdSzP1JgqcBectzTWWZ5DkWKLbWeo5Eyy1zPiUilpdFzKlJtyRLPT9LblgWes6Hr4mkZqSOd 1xL2jAYyLIs9lyJNlhbP1chCY7nnRmDUYvXcjiyx2D33IibSDvGcjDjGvBU04rG4+rQRf9xnWXx9 SZGwJdg3LrLMEuubGFlpWdGXHVljWd2XCx3uK4isE8/MyEbSLZYNfcWR7dCygGTZ3FcZ2WXZ1lcd 2RVfUyw7++oiey17+uZFDlj29zVFDlsO9S2MHLMc7VsSqqKnqGw50WdSzZZTfR2REcvZPkfktGW0 zxM5Z7T1+QO1lkt94cAsy9W+Zeru+AolNHLBqGI1RL9vZdgXJ7e2cX1rIpctN/rWRa4ZWd/GyE3L 7b4tkTuWe33bw/csRX27IrlWbd/eSLE1qe9AlFnH9R2OcuvEvmNRxZrdN6KusuZ6hqPpD85mLeg7 Hc20Fvedi+ZYy/ouRPOslX2Xo4XW6r5r0RJrXd/NaLl1Xt+daJW1ycuiNdaFXh6tty7xKtEGq8mb Du3wZkbTx9ThzVEvWj3evOh8q99bGAlbw96S6CLrMm951Ghd6a2Kmq1rvDVRm3Wdtz7qtG70NkS9 4v2NqtYtRm80at3unR9dbs324plv3eU1RlfF3zvrXq85utZ6wGsLrrQe9jqj663HvF7oiFeNbrKe xq5bree8y8MZxnovHJb1gnct9LJ3fXSH9Zp3U3S39aZ3K/ROX2V0Xzvz7gidb+fe3SpvV7z7ogfb 070Ho0faM71HVFt7jvd49Hh7nvdk9GR7ofdM9Ex7iX0kVNVe7j0fqWyv8l6MnsfIKxhZ470evRg/ Snu991b0SnuD925wpH1+vxS9buTWAvVW+6J+OXrLWNWfGpjabuzPiN5tN/dnDUnttv6pQ3K70+of ko3z+7E6t3v7i4bAcv2lgQXtan/FUEZ7tH/WUFb78v7aoantq/rnDuVbSvsbQ9eFDhXFXX/72v4F Q6Xt6/sXD1UIehmaJShlqFb8FGVobvwbRz/BWDH2k4p//nYcGPtZAf1kYKixfVN/S6RArO9DC4QH H1osPo1DLfGfDtHz4Xb7Vs8w5icSa9/Rbw2csuT32wOnxn56Qz9Xad9tdwxZLTf6XUP2uOtv39fv G3KJ9zrYxCQ2SXNd8xfGNB9rbjFJc0fzKdNqPpM0jEs6ibNEKVlSWLI0ThrPUqSHpIksTcqSprDx Uq70GJsgFUhPsoek70jfYZMS6hNeYpm6Ot2LLEvn1PWybN0vdb9kOan4nz2SOjX1i2xqamPqYtaQ akgdYl9OfTP1FyycejT1KvtR6rXUW+w0zuZLTEv/+kEqS2OJbDybz5LZAtbCXmEm9gZbzL7GVrIo W8U+YDH2W/ZHdoz9SZPEfqdRNCnsM02a5iGNRiP+xkkWvzepmaRZpLFosjXtmpimULNMs0ZTrxnW fEfzmuYnmt9ovpzww4Qfajxal9at6dMGtWFNv3aZ9g2NX/um9k1NUPuW9luakPZt7TuaqHaHdqfm q9o92p9pVmh/of2FZpX2V9pfa96kv8dcoz2p/UDzlva8dlTzLe0l7Z8167X/rf1vzUbtx9pPNN8V v0Wn2ayboJug+b7uA909zVau43maU/wJ/oTmJn+SF2s+5jN4peZT8Rcems/4C7xW0vI6/kWJ81f4 YimVN3OTlM3N3ClN5W6uSk/xr/KV0gy+iq+XZvK3+RZprvjLCamJ7+DvS6/yE/yE1MNH+BnJyc/x c9IAH+Wjkp9/xK9Ig+L3saQQ/yu/KcX4LX5PWqZn+hTpTX26/iHpbf0k/WPSO/p8/bPSTv1svU06 
qO/Vr5au6r+p/2aCon9Lvz4hRf+ufkfCBPHvqiZM0v9UvzchW79P/8uEHPH7QAn5+t/qzySU6c/q LyVU6P+s/yRhjpwv70qYL/818dGEP6Z+mvqpVvy9nI0tgyosR/y1cc3OsSajFbF8W0v9bZu1tv6l 07UlNrvNZfPVj9qCtlitrXGVbY9tv+1Q7T7bUdsJ2ynbWduo7dK8pHm5thXzPLbVc+bOsdqGbRts m23bbDvn5c6pxadKi8/4dfqMf8w0ms80nzEJn+hxLAHbHqbfRP2/7H0PdFTlte83M2eGEXGMNI0Y MY0RMcaIGChNUxopjSFk/oAUKaUpTDNn/p05M5n/II8icpGbUkoDRUopIotHaZpSihQpxoDIxUjT PESKiDzKpchFLqYpC3mRspC+vX/nTBhCrHTd+9Z6a7Vrr9/vfPnOd/b5/uy9v30OM4Mw/sL4C2Ew /tL4Szq31fiiMBl3GXcJMz6JajG+aXxTWPFNsFuMvzceFgPxGdRB+PTpbcY/Gv8obPjc6e3GPxv/ TN7BnywdbDKYDL3/a7DZZBF5+ObYEFOeKU/cZRpiGiLy8UnRu03FpmJxD74VVmAaaxorCvEdsHtN 40xfEUX4VswwfGbjfur/IMNgzByzCO0T80L7Qh2hg6EjoeOhU6Gzoe7QxdBlVYQuqhZ1kDpYHQIU qMPUklC3OlIdo45Vx6s1qkudqs5Q3apPVdW4Okedry5Sl6hN6ip1rboBaFa3qNvVVnWP2q52qofU o9kSnqaeUE+r59TzvdKjXgkbw9YssYVzw/nhQqodfp3UhYdT29JwWbhcvZKRcGW4KlxLzDI5XK+e DweobSRcH06G54YXhBeHl5LO4eEV4dXhdeGNNH7DLaoeNfg763dgToaQmMRQEkkMFw8IsyglGSAe IbGKCpJbxFiSgaKS5FZRJR7Hp8vtFHX4e5e3i2+IGSJHzCQZTHFHFp8RAZJckRBJfONyLr5r+TQ+ Uf4vIp/i0XJxt/gRyT3iJyQF4qdik/ic+AXJvWILSZF4meQ+8QrJMLGL5H7xb2If9a+DpBj/G/aD 4qh4V5SIP5CUivdIHhbvk4wQF8SH1PdL4i/iUXGVZJTBaBggRhsGUuyrwOfHv0SxL0eMxefHKw0F hnvFY4b7DPeJr+L7nlUUDSfjG50zRLXhWwa3mGCoN9QLOz5L7sC3O50G1aAKl6HB0CAmGVKGtJhs +I5hoZhCsXOxmE7R87viG4bvGZaKbxqaDE3iW/h250yKpDvFLEOroVV4DHsMrwnZ0G54Q/gMvzX8 VgQMvzN0iiDsN0RRoFio1hJriWjAp/Oi1ketZSKGT+QlrBXWCpG0VlorRQrfJErj83ezrW7rt8VT Vo/VI/4Hre0Z0QPbH8O/LKFsJ7QS9hDaCZ06Duk4Sjghvq60KnuUdqVTOaQcVU4op5Vzynmlh/hK yBiykthCuaH8UGFoeKg0VBYqD1WGqkK1ocmhaaG6UH0oEIqEkqG5oQWhxaGloRWh1aF1oY0kLaGt oR2httDe0P7QgdDh0LHQydCZUFfoQuhS6KraqErqQDVHzVOHqkVqsTpCHa1WqONIqlWHOkWdTjJT lVVFjappdZ66kGSZulJdw/+DqLneHKRN8Fu2mfh9hcf/2+zbSXI7rDwHVn4HrPwzsPJcWPlnYeV5 sPIhsPJ8WPndsPKhsPICWPnnYOWFsPIiWPl9sPJhsPL7YeXDYeUPwMofFJ0kJbD1h2DrpbD1EbD1 R2DrI2Hrj8LWR8HWP0+2bhRjYN9fgH1/0XCPoYDsni17LCz7y7DsSnw/4jFY8zhY81dgzeNhzV8l a/4O+cDThqfJB/hbEhNgzTWw5lrDDw0/JH9gm3bg+xFOWLML1jzZ0El2PMVwwHBAfM36pPVJMdU6 
wzpDPGkNWoP8fe2cBTlLaJ0G0dzfKgyxmWR3ZYRyQiWhSq+rJUwmTCPUcZ10hzI6NiZ06G8DbY7G DysVsbHKuNj40InrwXVKdawmdJpwLn6MoThirtD5vw1uo0yJTVWmx2aEeq6B/1ZmxtyhKzG3aoyf VOSYT7X+baCNLX5GUWKqmhtTlWgsDqRjc9R8QmE8gvLweJdaGr+gzIvNVxbGFqll14C/y+OXlMbY ErXyU1AVv6rWJiRlWawJWBlbpayJrVUna+Ayj02ddg0Y6/rYBrUutoGPwKZYs1r/6eB2yubYFmVb bLsauB7KzlhrRm82lN2xPWrkGpR9sfabQXRmeo3SEetUDsYO9YsjsaOMqJxez1COx07cFE7FTitn Y+duQHfsPCOqJJYpF2M9N4NoNL1JuRy7wgiJuBGwxK2MaDq9mY8NkVRLyB2vDw2K20KD47l9EZ2X 3hYaEs//NEQXpndCR0G8EBgWHx4qiZdeh5HxshswJl5+HcbGK28a4+NVoZp47Q1wxSeHpsan3YAZ 8brrwOO+CajJxMCQLx4IqfFIv6Bz6txEjrogkYd28XjypjAnPjc0P77gBrC+xYSliaGhRfHFNwN1 RaIotCS+tBdN8RW94POrCesSxShvTIxQWxKjQ6viq9HfPlC3JipQXhtf92lQdyTGqW2J6ut0bIhv vA7N8ZYbwNfuTThCW+Jb1f2JKTgeSEzvrz+fiO3xHaHWeNsN2BPfG2qP778BnfED2VAPJ2ZmYnt2 LM7Eyt4Ydywh98agkwklO4702kn2umbWJTNHZxLR3rntSqSz+4RY0kgxhXw/ukyLAdGVmv/Cr9bE 87FvkL1H1xM2pXdn7Dm6mY50Hz6vXkjMUy8lFqpXE41hKbGM95fwwMRKruexhXMSa8J5ifUcX8ND E5s4ToaLEpvDxYltvAeERyR2cmzHmMnew6MTuzPxOVyR2Bcel+jgcYerEwd5LsKOxBGOnawTmJI4 Hp6eOBWemTgblhPdYSVxMRxNXA6nk4LnF3sQzyXNYXge7ZP6fhZeSPuPPs/hRtKzLGlhHTi3Mjko vCY5mPed3r02a416dTL0PSWzF3CfeG8Mr08OQd82JQsy64z2HPtp7bEv056HsW1ODuO68Dbawys0 8H7N83sdHNq+zPsV9mO6T2Yv5iNA9oOx9dljcS9CeGdsPoP32My+mkF4d6yJ0btH8p6p743Ze+V1 e6S+T2YQ3kf7IK0x9j7aD8MdsVYG7Jb3ud0aemMWIXwwWYLjkeTI8PHkGNRT/AifSo4Nn02OD3cn a8IXky7Usw/zXsJ+S37E/hS+nJwaEckZHIsilqQbfpHxAz0uwrZID8e5yCCKTbqPYL0obvH1mRh4 g2/18ave+JLpP+nguBkZnPTxmkeGJNXe67k9+VukIBmPDEvO4X5HSpLzIyOTixDDeTw0hsiY5JLI 2GQTrvu0+KP3KzJej+MZH1+c1UbvM8baJx73jofjcAafdK9PiKeRGv3oim/lMfWib5zMjpUcHzMx MjsmUlvo4TZ8juYgMjXhiG5L74vuTHcwOLfh9UZeszt9EHUUsyKHUrbovvSRTP4S7UgfjyxK7kEc o7wjejB9CjkFxbTIluS5yPxkayYniB5Jn0VM4/2f8waOdcfT3bxHR0+lL0bPpi9H9iSvRLtni+jF 2Zbo5dmDYmL24Jhl9pDYoNkFyMn0eIlrOTfT8ybkPJkchXXpOvhcbPDsYRwvuV+9uV0mD7t4LQYD mRxGzz1YF+djsSGzSzjfiRXMHpm5Hu1pPPib5gt+QmOLDZs9BnWcN2ag54nXoW8uqOd+10Gf1755 XS84F8ugb16XydH6yc1iJRo+NTfj3Cs7/+KcK5N3ZeVY3Fdcy230ObnBt8j/IjOSq27wK3dybSbH 
iviSGyJqspljUaZdJJ7cwnYdmZPcDnvKxAFuwz5H9ofjkmR7pCnZifKq5KHI2uRRRra/RTYkT3CM iDQnT8M+tyfP35DHECKtyR6A7JEBP+S41Z4y4tiZsmZ8kH0icjSVGzmRyu/1P45Bp1OFiDXnUsMj 51OlkZ5UGe89GfB4+RkL/kdjjlxJlTcYU5XQTfGjwZqqwjj19g22VG1DbmpyQ35qWkNhqo5jUcPw VH1DaSrQUJaKNJSnkrz/YQ/k+EQ5QUNlam5DVWoBx+OG2tRiPLPQXtgwObW0YVpqRUNdajXPV0N9 al1DILWRnxMakqmtPE8Nc1M7uH3DglRbw+LU3oalqf2cA3L8z8TmhhWpAw2rU4cB0sf7DNt2w7rU MZ73ho2pkw0tqTNsZw1bU12IYbSODTtSF3CuLXUJOvamrnIsb9iflhoOpAc2HE7nNBxL5zWcTA9t OJMuauhKFzdcSI/g+W24lB6NOMbjv5qu4GNUSo9je4gOTFdHc9KOaF56SnRoenqv/VAOzvlHtCg9 M1qclqMj0grq9ZgbHZ2ORivSaawf+Ul0XHpetDq9MOpIN/baauY5ILNHUTk6Jb2M20Snp1dynTAK g22xrUmIf/4Lyj/Qv6B0iQvX/h1A7hGqN99b6B3uLfWWecu9lVMlb5W31juZeJq3Tu7RxFvI8NZ7 A/IVTbwRb9I717vAu9i71LvCu9q7zrvR2+LdOnWZd4e3bepu717vfu8Br02XFcBh7zFvri4nvWe8 Xd4L3kveqz7JN9CX48vzDfUV+Yp9I3yjfRW+cb5qrzEj1MLhm+Kb7pvptWrik32KL0rt0ugh94hb 8jm+H92B3/Pf1kK2PfG/5T2ok3xjEskdeA86GO9BP4P3oJ/Fe9A8ERCKuFOoJPl4G3o33obeg7eh n8Pb0EK8Db0Xb0Pvw9vQYXgbej/ehj6At6HFeBv6IN6GluBt6EN4G1pKPtcpRogDJI/ibWgZ3oaO wtvQz+Nt6BjxvvhP8QXxAUkF3ol+Ce9Ev4x3oo/hneg4vBP9Ct6JftVQYCgQVXgn+jjeiVbjnegE vBOtwTvRiXgnWot3ona8E3UYvmN4WrgMzxieEU/gnegUvBP9Gt6JPom3odPI038jvm542fCymIF3 ot/EO9Fv4Z3oLGmJ9D3hxi8N1ks7pZeFTH7dLnzSWek/RYD8t4fm0iDmiPnXbNVDI/Yc8Rz3nPKc 9XSTXPRcpom3yIPkwfIQuQDik1U5Ls+R55MskpfITfIqea28QW6Wt0CGySXySHmMPBYyHlwju4in yjNkNwvbjfEhspuHdbsZjPuzxRhpjR4g62FbkWj+y8h62FYssJUBZCmPkw3xO/NbyDpmkA2xfdwK +xiE9+S30bhCZElsDTlkC8vJntgOBpMVbCJ7YgvIFS+SfBYWkAcLuJPWfx/ZLb8Pv4vW/F2yMF71 u7HqQ/EO/B5a+XOiAGtcaMihNb4Xq1uEdb0PKzrMMMvgFvdjRR+gFY2KYkOaVrQEb7kfMiylVSzF Kj6MVRyBd9qPGH5j2ClGCoN1jHVs1nqUSHd4SvqKPFde4BnpGZMRebhnrC7j+4q82FPjcWkiL/VM 9UyVV1BNH5FXy+s8M0jcJD4WeSOOqieeEbnFM+dGkbdCwxzPfF0WaSLv8CzxLJHbiJtuFHmvZ5Vn ba9s4La6NOuypa8EtwS3e7Z7WjPiO+/Zo0t7Xwm2ejoz9wru8Rwi2UA1fcQ72tPjOUrC9zvBEiiW bXQ8jSsg3u4btXvaA9XQ0J6ZWc85TYLtnvOe88Fm4p4bJdhJ47vSKy7Z2CtWTfqZqf3yAdkm5/bK YTkfcuzaTGREPikXysMzghU/I5f2kS7CBbkMUk5ySa+/6pWIK3tH5PLM9w6Uq24Ub45c682TJ8vT 
vNuID4hLmppDAhMmtFW09KRjXvNufGb4Ja3AtVzJEw6e4C1Nx0SMVN622w+wXsqVSQop3dHLQNLF RHUMOnoF0hmjOgF1MtL5JR0PuEiWJWhi3G6rHAv48pzVsqS7rYXfXGDGpcQPCzLXOAgKrnE9TFBo g2rXwoqgxlXB9eVcX056Bdcr0TGYmaFx+J7U3ebCfQodqhlsjFxR5E06esPhpmbn07a+Fie62hyU Wc1BlQf3fnnGJCw3kUsbqicG13e083FAoJnXVWbUdrSg20YbxCK1QRW2oIq0gCWqpTrcHbFSB64N LqBUfz0mgutbgi0e3mnzSS2SOxuDUOMahctObcrdvCNfS3esq1C6N/FWUGdczKHCsUFjM2lsmMTO WshISi2OvMOFWR1tDrS2DDoa0dVpL1XbSLMQt0SZe6EkalskE/i0xAyNTh1UebFB/PC4xstvSXmG sqWFBi+lLo4UwL6NQQ2OyD3ElJEKaB3MquVjwc/FOFRe9GHeTEMvTHedjjsLH7TUkhKzg7qM2nbc /Km+BjWukdHKMXyP0ETa2E9aJZ+5Fu0uZjT1hu9yrXUOCXm5Lv5w4I4Jtt3o2NDSfaIiONuTlxtz olYnqbu7Y3TfXYHsFaMbJCqhRyX2Cl+HUlPsvcLfQ6kexFeh1FzEl4QvCJ9T3meU+pTwCeEw4WPC R1Syj/AhKT8gvE94j/Au4R3C24S/EQ6FUlWItyj1V8KboZRYxMFQihXxl1CKD/EG4XXCnwmvUZFX KfUK4WXCS4QXCS8Qnif8ifBHwh8IzxGeJTxDg3ia8BThScLvqdsnqOTvCI8TDhAeI+wnPEp4hPAw YR/hIWrzQcJvSbmXsIfwAGE3oZdwP2EXYSdhB2E7IUToCSUXIoKEbaHkIsR9hHsJ9xC2En4TSi5A 3E34NdW7i3An4Q7C7YTbCLdS9V8RthA2E24h3Ey4iZq+kXADVb+ecB3hWsI1hKup3lWEKwlXEH5J uJywifALanojVd9AuIzQTbiUcAlVuJhwEeFCwgWE8wnnhWzFiHMJ6wnnEM4mrCOcRTiTcAZhLeF0 whrCakIXYRVhJaGTcBphBWF5KKkEcSphGWEp4RTCyYSTCEsIiwmLCAsJCwgdhPmEdkIbYR5hLqGV MIcwmzCL0BKyjkA0E2YSZhAChCZCI2E6oYEwjTCVMIVQT5hMqCNMItQSaggTCdWEKkIlYQKhgjCe 4CeUE8YRxhLGEEYTRhHKQpYyxEjCCEIpoYRQTCgiFBIKCPkSRBayeDHlI6WXkEfIJXgIOYRsQhYh k+AmZIQSRyPSCa5QInfotFDiKISTlA6CnZBKSCEkE2yEJIKVYCEkEsyEBOohnnqII2UswUQwEgwE PUFH0BI0BDVBRW3GEJSkVBDkBBlBJAgERgAJLEwYIPQTjhGOEo4Qvib8nfCV1C37UpoR+4KUnxM+ I3xK+IRwmPAx4SNCH+FDwgeE9wnvEd4lvEP9vR0yuxB/IxwKmdHB2FuEv4bMIxFvEg6GzBMQfwmZ KxFvEF4n/DlkrkK8FjJXI14lvEJ4mZp+ifAiNfYCNfY84U+EP1Jjf6B6zxGeJTxDeJrwFOFJqvd7 avoJwu9o8I8TDlB/j4XMFYj9VOFR6ugRGvXD1Ng+wkOEBwm/Jewl7CE8QE3vpqZ7qen7qeldhJ2E HdTRdkKI0EPdBgnbCPdR0/cS7iFsJfyGcHcoAfdd9utQwnjEXYQ7Qwn1iDtCCVMQt4cSpiJuCyVM R9waSvAjfkVFtlCRzVTkFipyM+XdRCVvpNQNVPJ6wnVU4VrCNaGEaYirqfpVhCsJV9CQfkklL6eS mwi/CCU0IDZSyQ2EywjdofhmxKWh+BbEJaH4OYiLQ/GtiItC8ZMQF4biZyMuoLzzqeR5VORc/zbk 
YUOV/WN9jf2gdor9EZSHUfahPKSZYQ+h9KAEUbah3IdyL8o9KFtRfoNyN8qvUe5CuRPlDpTbUW5D uRXlVyhbUDaj3KJeYr8B5XqU61CuRbkG5WqUq1CuRLkC5Zcol6uW2Deh/AJlI8oGlPEq4ZhwBGaA XTiKXAJ2dk4ojt+OZ4diuWutIqwMmbhrdRJOI6wgLCecSlhGWEo4hXAyYQxhdMjIMYpQRhhJGEEo JZQQiglFhMKQgftpASGfEEswEYwEA0FP0IVwUXqZlqAhqAkqQgxBGdLxpVb4ZyM/QulD+RDlA5T3 Ud7D5fwLyhsor6P8GeU1lFdRXsFleRnlJZQHUX6LshdlD8oDKDfjUtyE0svWk6XPCJm4y68l45xO WENYTegiTCBUkB3GE/yEcsI4wliacgIhnhDHsVsURSHkt9/+oCjADpT9KKIINJYzCY206tNpZA2E aYSphCmEesJkQh1hEqGWUEOYSKgmVBEqCWkEJw3eQbATUgkphGSCjZBEsBIsNM1Egtl/I7If5RjK UZQjKF/jAv8d5SuUL1G+QPkc5TNc1U9RPkF5B+VtlL+hHEJ5C+WvKG/i6j6N8hTKkyi/R3kC5Xco j6McQHkMZT/Koyi9KPfjiu9C2YmyA2U7yo189YV+svE6wlmEk0ImPAqxJYTFZJZFhIWEBYQOwnxC O6GNMI8wl9BKmEOYTZhFaCE0E2YSZhAChCaCj+AlU+cRcgkeQg4hm5BFyCS4CRm0NukEF0FOkBFE gkBgdEeC/1ZkGGUA5V007IsoL6A8j/InlD+i/AHlOZRnUZ5BQ+9GuVDMsF8geu3nM6/9vJr1gXO3 rg+cU7MucPbWdQHNutHr6taJmnU2xJnrtq57bZ3irJozAmduPSMgOyP+DEG9tmZN4PStawKaNUy7 uqYr0NR1qOvzLjG+q6lrQdeqrqu6nkeF8vauHV37u8Te8D5/bNfI0dXruy7vEuIxX4AuZuBqZ5dG X72qpjOwcmtnQNZZ3CmM/ryTHexkQn4nm9bZ1ilgqe2d6VnVvHRJpzmp2tiZ3+nvFE+rWR5YsXV5 YOry5cvPWb55+UPL5ecs37Rc2IYxwb9cpas+tWZZ4C/LGOwVwmBE2SeEQ6J6+R5hABh8LAz4w+wU NMDJaIiTvIsDS7YuDizyLggs3Log0OGdH2j3tgXmeVsDc7e2BuZ4ZwVmb50VaPE2B2Zi+RnepkBg a1Og0dsQmL61ITDVOyUwBfX13rrA5K11gUnemkDt1prAtBo20VsdqBJL7fgEgVT8rEhdn3o4VaZp S1mRIqxIOZhyOEVckXw4WTjHxgxJ5yRtShINeBHoYrVbN1k3W7dZ5QYpImpXxK6PFVaY1puEfJPf 9JzpoEkGpi0mwbDJsNmwzSBONcwzfGwIG2TbDGyb/iH9s3pxqn6efrleNOh5WjT69d6CaoPOrvNP 9OnEMT5duW6qTtykY36dt7Dar0vPrC7XTtXO04qbtcyvdWdXf6wOqwW/GjM+VoVVQljFQGQOxoAZ EWIMXyOWYK9Gf9xuZnKGR4uepkaPp65XGZ5eF4yZNjvILglmNPKrv2FWUHFJEAKzZjf3MPaLlh4m TGgKxvMvjqX0hRs3QkVKXTClsTm4JaWlLrgeI34eCWMEUnrMUNHimbuya+XKVZ6VHrygzF2JmlVd +JHA8IrsWsVzVq0ELOL5nsBLrOTokgqt7JrXhW1gBqpXSmqemisV+b42/q3he2fy7wjsP9n5/3aw zJsLoLwFYODKIf8Gfi7+3QRbYSc8AA/D7+FP8BlTQxtcCA/BW/A+fApH8TZVsgSWzLL/id8MnBAG zpcvA524DxT8f8kIHwm/N3B3+D0AuX6I5kpMJcrc32jCseG+E3UDVw70Djyj0IBRqmsUnkTtYdYX 
PiKU83S4lKeFi3lcqnFYecvAtoHNxw1nBXRCF5wOa+EMOBPWwdlwDpwPF8HFcAlcirY4B+OXwQbY CL+ATXA5/BKugCvhKrgaroFr4Tq4Hm6AG9GON8MtsDmSx9O34N81Ui7PuRXuhLvhHuRtcDvcAXfB rzH9G7T+PXAf6khD6XtRswV+hdo7UctLcd02/AtCD4RgO+zANaN0NNUL+2AX3I/cjau5B/bCb+FB XMd9uLKPSDquiaa/vyRdH4X98BgcgMfhd/AEesaT8BQ8Dc/Asz8p57FBDU89B3+AP6KvPQ8vwIvw ErwCr8Eb8Bc4CH9Fr/vwW/kvY4lXsczrkVJvYqm/wXtYsg9LUjkq82cp912pheex7kE4xGLgCybA UQhjjK/eNdIKXS+tI189vjq3S3bm67EN03yF7hpcm3vRxvfievIUj98QWY37sGwPWjBqv++22jOR 1SF778Uy3BY85+mILR6PrARv58HBuk9KeSGp3iODrX5jUZrhC0Os8+chNvwbvC1ZhqxHud9Yj5c4 hGW4lXkbx9v2r1iXrM/rcv3QOjzvVUy/h7vDh2hpzg+klfgA3hmMvxPJ74OP4GP4Qroehk9wP/kM Psf0l6g5jKlva0/UfIV/f4ev4Qiu4DHoH5LqPyGnHwZwjYExJjARBr6JfaOVRIZHDAXuaTFMxdRM y3RML/3mR3lCjmYwx/StHO135KkkTSyLY/G4XyYyC0tiNtw3U1gqszMnSxuSZx3McWCOi6WzjEie WappHaxrxxKJQ8pms3y2Bq8e5mU+jBewYlbCRrAy1ORhuhDTozAvX2IFTIP5sBSOyN8VnsL243FX 6QE57sArxddwxxRBCWVQz3+rtRd07GbcVkexJ3dUVsbkKR/EpAAO9iTEoPlu9sfJBJ3NVu4qUWwQ G0y15coNQhOU97/x+gG8PB1b5nua+V7ve7HP2H/AVObre76vIJ+ZnCZJ4vWCUqlQuNK8Qkmmu7So qHCcUFLsdqXpBUlXXDpinFhUmCqI8VHNOIGnmfjasaliVX+6sNY5urFAzjwZifa4mBjRnqrLKHIY 6updpVlJclmMQpTHKDNLK1yBNZPSnlFbMpNTMi1qZEoysv8Ruf7Ip3L90ZmyyqN7hXfLmselK9bq NIJcFXNzVmpCekHy2DqdQSfX2xKTkpUxJr06p6a9//qkjES1OjEjKTmDt5XRPxotkhg+IntUHg9p 4IY3+fEz0Lwb0sPv7tAY2GRXb/hdfyqPZWh1LosOzExvdmvUrjQ1OGQuZnK5M/CVzp/q14CWxYpa bWZKusuVqtaZwZVmUcamTI8NyANgKS8vj00sG2kqMqFl581tLUqq7ytkVt/c1iTL04VF6y7ev59Z 9s9tpWhBPh5SbccPYyeP/DO9FeR7PC0ZZjOtW6boVOpFV5rbXTqC0WIlKl2iU9ajVZhHFhSVpWpl MweSpst0KSUeb3G8Qss2KYyucUWjqzNNikfY/Wz5/PScBLmoMuqYrF8fp5EpEnNcsrNMCRpR1Jjj DvS/im9WU8MfyLRyF3rlZWTbUDJ4HhQeBz1YWDs4wR2Zopu/l8c1yvCl+/6SfAtX5fMXd79qBs4n qb7f83xfOb8w9EU0kG3vT22gIL8lI15PzlscW1qKU1ckRPyUe3BCfKrAHZqbRKYVFWpz+eyuygtf vGZa8y2vX1i6IFBpUytEmVqvMnhrF1bXrw3k+maeWV+9qNanU2tjZPutLmtsYrrTPP22z2+9g8F9 s2JT3LbYZHdyak6S1uVxlXfduaTzrqUlzixHjMXDf0m7EUDG/0/LWLDDaWSnhyBOuBEPM0nCFaAC S2SSll7m9av0DTZpfjb+vYNf3iTNr89T3udhdKOi6/zYGmgNfju7nGnuElNxaZETZy0vRku4TNwI 
sn2t9319z8CTzrw8J5t87yd3zBg47Jl39doLL116VUeBcEOof0tdZq5sSW5mw+b3b5tzy6rxxy4f edqvceVxTuIGnFMuBGlGPUmZvcIVfoMqzhHnwDklWXQ4oqQH8CSKa7hLx+rdboW1NzJuqzRuXUOm NO5M/p2KXzFk3OjYHj5fX2xZmc9n5O5t2/VzNEnucbxBJPdwmk6I4vTUBlX/am4b4SKVXi2Xo1MM FLKLVQYeN6gG1rI/8vhi3Lw0ZCa1NTMVtzDNwH5NIm5q7kT1wJUaSyb/vfTG8BGxAy2WCbsjFlPG 9QpX+c26FEhNUWYZWL3SotWxyUqjBqMPsJkQFz68C+NxcVZFb/jgdiyhkGarZ5MVvWz2Dn9ag1Xa D/gUIxP0cKvtN5VJJvObfsZ2B31pqKWiT4CoLXGKGrRSC9uo0mvkUnyl1l6Y6S5K1aEd27lWdmtq tkU7cLvakpWampWkGUjVGDUKBV5kV+dmaqw5aK3a8PuyG+XpUA6vkbW2JycbLPwf9yHTsEe4Hor5 PcCHbsGhb9dJPLxdy8kyd6SllfnG7WE+fHqqI/6hxpn5VWWN8ZJ/xPNvCP2+GVH/4FsH307JgLgH 9WEieqv9a7qJ2vO4jal0hAl3bemBKlkZDSwb8oiVoVFUOpVuVNuFzXOvWzpq9MlXz8qdkfFFbDx3 TrbTaI1TJ4xvW3xSyY1f/GZWW/Dr65u6F1fatLKqlByrOj0nffyauxYuv7tzVHw8y80rTXYnajRm e3x/f2peUnK8uuXuz27Y3N8zN9HpTi4in2VX49MzAXKiz04QrtrpVxun04OI+XBaaKbtUUX0/iKf oG02gV2tSyUX0NkL3ZmFqbp0tVGtUOBFdiAai9wjsnHYXxHMj+6T+cJV+BhQC1fiINKEA9tzcxNU vcJTfr0fEjKnO9VG23Tj4FOxrAxH9DwOiZvY2F/Ih+bXfFexwXG63ZnM9K0RmyIPzYR4hZIxs1k2 TmMvzR5fZlUOrNVG55JaxOeiZWcq4x2FmVnFdm2sdeBmdr5ZlakxaRRqbHVR/w2Dvv2ohmaq6X9F cOtMahlq1ab0zAFf//3ZNpq94jTcIcbAKzR7v0aXn5/o86m9FktSr7BgR3qBVqvGyP2QXtpg1Wos e1ge+MEbPrzD6BImF6Bv+h08lmjkVx1dE335BV6FPavBHhg8QPATBP+mgR8dCgu51foKTUVGfjGV jfUVFZmK0HY7f95ejnMOF+MHFDyqMNdxu4h0VmFFfAGkFVCcpknJz0jPT9YKA5fKYu35aWn59lhx 4BpBk+pDfYqmNO8eb0W+Q8ssMpams2ePzOixZVqH+FjK0UNob1HOVyH56FuD+nOLSg2uspxj/SLL GZVu0GOtqBf2ymNhLOykddiVaVB7DYZ4/kuOVG8hYgekjpyezQ0Ra3ALk7OzvGlaI49pNQpDL1t3 Pz4J+Cbq5f+4MfgYklyvz1RW5sE9oMxDVkeb+0xk7tDP0GbUxmRa9G6X2ZzwbQPHpYqJRW73Nx4v 6zXaMuJWuIo8WdaBB5NHJQoymcbmTXd5k9Qjsja6i7PT446ZPVnuWCaK2mRveprXqp6TmG7R6DPK C4XW0nWjazZN7p+tJndXyy7z+XSpJZkDmZ7GxmlZ1ddVCfPURq1crsVbXZBsXI++XgqVcDNZeYfR a8pW7xEO4LlohHBjKLvcJP2my2uMPuKNvSxju9+fODaqGNvLsnf5nQ2JUYfjm6y0vZbhJl74fJ+0 25ahaXt+WitDPDZT9Iou1wkPPHNiqsifhEo0Z6LZzIrdmW539HBVH5M6qjCnMEUrW5WQVeDPmR7Z BbV42JpaVGGbsm6m1+mfOyalKC8rbplBPXDvqIr4orzVF41sGpmcpjGocQVMWuYsmFyUNBA36LXX 
5mbKRE3pzDX1409pGhenzyqr9YbdLnGBvzlWrhj4pa2gkntxefg9PMJkQC3sie7d44Vrd6YXphdq bfy3dqD18ht7BKhZ3i7TCPwzj4maZEwvy/Nrx9vk2Y1m6UFm5v9A5pcPPsi403lMdDgz9nFHlk5q fdLR3fszNfvNE1IWfcWkd1GvIpI+8WivEDdMPu++jgkrm0cnaWR4ONMXTVtemz+5JDm/fv6S+fX5 VV2bW7xzpo2LV8oFUanTaPKr54zw+D0JvqkLliyYks8uWHTD4mKzPS2pwGvPSdI4s5yJOePcueUF nvyxgVUNrRtbvXpLarw+0ZWUkpWkTXbaEjKKUzyUvxLtrsVz3vvo2WkQiJzzQIHnvO0WkyI2aodY 6ZSV0qAdPGUVMt/+/qe5o/5gqW/OYIN+6IyeDqTj1/vSwXQvfzbxZ9TAXjUdXNXi5fyoKrs1Jduq Pdo36ExxWmt2SmqOVcOPXTh6M96Xd+ITOB0aI290YMVHT/0uf7rVobUm8hOrxq+z2qdb5LGRZ34s PnWtPgs9d5OMrychcCb3n1CG30vSli/j+5L0Zhbd6AvxvVUpmuTG9HGFWWVZVpNKNnCOVm4dU+ot TtbI2WjGSmTalFKftyhOqfXyl1Ami9GadLIz+VuqTB1vOJYkvmlK0Eqvqbi/TETvXy2+hCcJP8uO zESVWNwrzN4BmZkwqleo8htNYiL7LJEl9mqL2bFiVsz/3VHFj8rFxd7xOb3M4rcdTGPiurSNaYI/ bVpaW5poSLOnCVpZWposBY/Ofr0W1ynFYmT1KUe8k/iO4ldhYuwhv7ZeBhZf9OXDQ2/qra3zWqXz n6f1tL7W03CP2l/G3264ufyG//BopL2Of32Aj4WSyNc/3K+KSorp/opoZNLzQkl3nJkfWcXV8Z6c vGzTiI0zJq6ZmT927Y41M02Z4/PLOyYXGaWjUHL13OWjT7q6LfertrEzSq0Ty0tavHa9Uak06ieO rsioXVozZWVdemlOeU58clqyPsmdaE9PcaXGZQcumvNqbHqRc6S/tJi/S58dfk8G8hWQg0/nayLr qnaW7hHa8HzoES7wqyBBXVrilMnzo7dRfi+r8+vck2zVxsll0q5Txn+e4ZfXR3edcv56mFjGd7HI Yuz6qW0MOdRnJnz7WEmnSnnEoEqT2Sw9KaB4/qbZeVMmVqXjbZhqz7aqtXjmychP0aZVVtZkdXTP zBo4asqZUGTNLypNLWkvKajMi2cfrnnwohqTe1R2u/SsUBs0clf08TsQh6ck/dSLtneVnTy9QJ9W mjXwcuXEwmmL8B6vCb8vOsUXoST65A0lQ+aDwirpWxs72Ae/mErnP0CJmyR7gNVAAXqjBl8aC3Kl 6efyX7H4VfXRL188g1/f7C+MfH3zz7V03Pc40b1eQVu9YuiXODgVudIyatJM7+LNS0dMOP32+Vn1 E0rMKrkYbzS5i2sK5y9JKqovKq4b6daptEpZMMllMSQ6k4z+dTtWXfTo+nG4nZsNFpd1lA9d79or ak6dlGF329W2HO5vdbiPPCVfBm4og6sj1tLYyvYIc/GU4hM6/eo4Z7WmLNMm0+dEnQXv1Vq/yjKp WJpfMaZ2+PX18snRXZw8pVz6NodufdVPbWPoiXroPYsHk0GnE93uoV98jRCfUluyUx1ZVk3VtXMW bWzJKpp/xby6M8ZoJJdL1h4p7SgtmOhJiM2uLE4qKCp1pEXdq2PSdPSoDu52Y0ezt6K+1l9cWVMw fWHJyJMbCw1pI7K43Sah3Xbh/uuBYiaPvMHHxTlz+a+uPcWyXm45p5gblyvYch+V8a0uEV+uQWaU CZOnydpkwhZZUIZH0GRfL71/c/odWMZ3yD3J8iXojXrBJOpVFnwXV1mwgOprf3LUiTzP4/bWF9np 
Wk+b2+rpm9vKT4SvR17r/ap/b9/StqBwOYf4bcLx3i0kZJZK66QUd2Wn979pG906vmJBbb5BpY0R BVmMbtSsVRVrtp8+etzqu09esXlR/ufi7Hn5E31WgR3x5pa1jk+LS4xTxjqtZrvZoLckmsac8cC6 NQ9dWF3RtWWu4+S16WMbfXjvW8NHhOvkp+M75srIqpiNgMfBedvzczLUvSxle+nEpP/H3rfHR1Xd +66197z2nklm8phk8iCZvN+TISFPQhhAHgkEIi8rCmTyAKYkmTQzgYCAac+tLUKVc3pOtZzeU/t+ eM+VSsVcte2k8Em0DeqVHk0LtqBWqxVPsN6Wapg537X2nskkoNLHvf/czE9/s177t37f3/r91l5r 7T0kf3j61DXzlMu5yr7GsiqyMq5YjDA/U3ntTOUZfkAi3+RFs887rOoGO3pRHT77qAyfdwgPagyy Th+Xkp2cVpBq+gZbxCQmfMOUXpGbO3+esS8hQYsib27L3lsLVhTGShrNu/NyEvR6gz4ub2HJejm5 cF5N+TWHrBzZycIL5TXzCpPl1XccvsMRY45JKSAiSQt+Ufy6eI40krVkOxXUvfc6s1Mv1uY0Vzaf bhYzm2nzpWewwzRR0zMbaMYGattAN1w5a6XJVkqsFqtgtlrbasU/N6wqtpcufWqpQJbSpWdrm813 UIt4x7jLvk65UcA3Fl/euhXLIX7nZTdhZLe+yL/4/SPNtSm6Z2Mz/fjOp/tuWDq+VNAspeaP7H/b tAYzFNgavoNhULBtVA5ICnSYb5OS1Z1O2GVrsEpYUM25Mt9gM0QX5EdWBY1CAjZDBbGimhO/nmTx JCUscB/eWLLWakqodPxyzd5bS+r9jwz0f21neVyWM7OkvLokp7im/fPri1uyaFqcNfij1qa82rz4 1pX5tXkJC1ctPpmamaDrurNurTNRbHM6bIuy1u7bUGKNjclNmpcnGMS8Zdsalg5srsh13V6V1VBT kZy8rnyhuyCnvWntXZvKZKk0+OdVrSkldZm3rLMV11zbXOYUtAk59gxLxYLk/HK2/j2E1fsLWF9U kJ7wrskobH+0ohib/7aTWChHbyNbXJKrrDl3RcoaZWIO7xyVvSfb0N9c+5mHZvwOp7/BmZSyZLaK L5jS5+fmzU83JeTW5Tvbq8JrhfD3ks813XGwJTs77PT02pLmqnkrll17JFwSvU5wLW7YdaSDzdm7 Q+/TL2jXYiGVRZaHz9+ShJ+QdGLF+kommfSux1wpliZF+xeh/PQTievrbngUmMDu4cxz4DJ0/2zN Exo3blq4aNPGhoju4n7cd6ApUDjX1Nc2rVlYp47SkxilBdPnhPOhYTYxgSeRHOHUybKyJHlYeJyd EyZlG7WFTekr4iJmxzZzxjnha/yc8EbNog8AbuKcUHzSOK+isKgyK14ffGk2OmowJGbNz8+rzDSZ zcEPqMNkzMJuTathD9leDBZePzpTV2iHKZ6XGs3ZCcGJYFniPAU/3Q/8VrJYna3MMVaKRZVRpjGE GjUE3sqOaVcoUNRjWr7m35p2Mlx848Pa60Yl+3rFFB10Eu7wreRhdZ+7IoHdRzIyKmT2+7DWxgK2 Kq8glqgAeHR1c+7w9JqwBcOzpLlxRVltU9malGi7Rz3yqvvFZfaIuo672d8k7GPi7MMCz6ruVdWh 1kmmdGdevnOeMS6nKq/szmrYKZfZKS67OtdxZyQc5dSiTHtxstz8xdaaTyyviCtsWb264Pb9q+0R ewpxZbMC8/oS8UA4tbO1NbmkIa+ksSChYee9LZHZCmNQQT6tjkFxAjN6Bp+0SIaFPazAUptPQqbw JGTEJFScktsUsVG8YqESZQMUNvRfcuXNzWDWj5vBIib78oaPmcFmmAXmcGP+WoW9oQbWSCAF089Z 
E4UBrNQzwGUsfiKPClNdkrk5x6Y8fqfp0Tu56OesN3tF1NomvJ4Lb/LC626NpmH/8F17T/hrF+1/ /K7BE77a4DVrxYbFtRur05Lmb2ys21idSt/sf+rzzUsPDe/p/9HnmpccGv70Uu96R9E670p8lxWt 9bIdcPBfNOwvbUXvgLOq5fAO+LMftQNusqz7m3fAHycjegd8Axf4sB0wNiHbCpYsarBHfCGlKDMD O+GC1Ws3lLezHfD7cUXLKlLmsx1w24L5y0ut9PLen9yzypzpyAzeGTl3/nXYMTyFi4oSW+55dG+d Z/18M9sB/2pZU8WtO9iuLvgv4rhqw/CuLtNYwnZ1xaSS7U2seU3GRSWZGosjbAAH35GlNtdy8LV8 R2Zp0a77iF3dXysj2pvilKckYa9KrvrwbR2blmA5Yy47M2AWW9D5T215t9zSVGpMKbRnFNnk67Z2 wUDYbvS7WfP5gQHf3pmxeHaHDRmcUPd3u9er+zs+8whP8vO1PnXmyTfjnuMykVSznCmXy2KMKLPt E+YQbCs2uGRXSXO+2Wpvsq5RzgOVmWM725edUecc+ePbz9pE3GiS4R6mE57Enkk2JKZkxFuLyzDV zJpichpra9NjMuw2o1YjiKtzHaky2zTkNpRe+8X1k4y3Ykm+WdRLssmqPJ1+U3gX6JvIm9Nn647I 2fotLqxENA7qeK0GN2T5jbgaF5tKa+w1gsgPxM0NtIE96Enjh+KvsQPx5iQLO+sjSdSiSXo3Elaw j3oqvpUfi2/fWmK5vBX/zThyd9n/L/f2V5zEC+/W7bpvQ8Udq5xJJo3BJBlLXJuqs6sKEvMWtdza siivYtvnNhavc5UmGDSiqDcZpPy61c7sCrslv3Hdresa82nGGv/aAnOyzVpWOi/Hqk/JSI1NLUzN KLGnZ5e6tix27V5TbIq3ms3WzOS07ES91WaNTc1JzCy2p2eVum7HKCWH3hbu0/yA1JMvKqP0eFxc zMIiklPG1ifJMWXhsCzDjvVkzqp5MeGCGHZclbxqPvvFlkuvGgfBeZbfHCqvVZypiAu/H1D21whR 7peaG296Z26Nk8IHBsJ9xvic8pr01b2rsncnJDK3/KRxnnIf/anM98WnHQsT7Slxep1Rp91fWp6A pXP+usH19Bll1zuGYNdqEexjyr44uLWpSS/p9dZcWGsfO+kSR7GW2K1GtLFAOebKFLa7zAllTQVG bUpTri283Jp1IKU8fMfkx+e+2JtpfqPTq+mldfh9iMiEN85uCVmYxpq/vP7Ogy1ZHDxCOj4Piwh3 Tfj8Kjt6ZbDr8A4hUhA0rODLCOHWcInyxEM8Cdyl4ec1j1qyMoeF/3bKZc2y67JyhoWtLpOL2LMK m7KMqU3GNdOPPFJtL89+5jGrkRo3+siz7qiZPCG5JkF9j/IkFbWa4HvauIJl1VXL8uO0wfewnzCm z88rYo8Pf67TPS3GpJfn55WnyuJXtbFxSbFTv2RPO7Qmq0UsSLTH6gBGo5XiTNc+lZIi3G+Kw7ZC NrOZOif0vvYc8C0nD6hRkD4v3lFaaikeFpa5jPMstbEWjVhfb2kYFkpcMS7RsqSpssniNJpX1Q+H nj+J71J8u2JZot4iJuc1Ja+R1oRfQywpwZ1/+vFPSnl8HYbWZvkFz9TVxSvPNpjMG1y9WLGQTi+q BhILppPhs4UZtopKas/pDO9oLVmL5s9vzLFoviQI92rMuY3zKxYh97akhX/kFVakG8UfCMK3xZjU 8rw8R5pRfFQUvi/we2V5miw+ZLRnTNtSyJCka69MW3ZelhE7NI1GZoY1mZhhmZnN8rVuo5rTSGbm RVhR/BBWziW71HcGqCTFklTcDZaecuWm2uVU27Dgc5ldsamZTSlyQpO8WrOOrA7vUa5/gsbe0WWm 
M92wOcyWJSohU5PA3mHJX6DuUhIqE/iBTFKiXviHbqm1pdBpE/R7Y6za4NkYW115SUV6rP4FMaBL KK0pqUszBM+kJOkttjhaokuJFRfk5FkNoikl+drDgjs1zmBIykthZwOvh64IRLsLS8wikvkUSRKG iZ1YhftOGbV5aS2WFWTx4pefVdfNYWcXpzf9s94TvkTllBLchlNkmmrKrCosXJAZo43Jqi4qqrHH xNhrioqqs2Lod8NrE/FoTGKMTh+TEPPBuqLabLM5u7aouC7HbM6pY7o9FPoDfUJ8hK/7035AEoeF 4cfljBxsUsyryOKzi89iymavw81eocfNVuuJWKZCdZbJpHzHzs6LScW1uWZzbm1xSX2uxZJbf21V cR0rqCsuXsi+F7KIW0jvF2qFrcRM4h4leuP/ollEQ8ovUzae/BRYOQBhz2uF2iRbsC0lKSmFPmSK M2npn+od5XW1DtnGV1m7g18V0rXHSA7J/glJpe9jMrbQPxMdEQX/SWum8bNkcTktv/bi5ReZ2XW4 ZcQnJyWqrwA7RH5Op8SKkLxx823rdUllhemFaWaxurUqNa16XZVgshXZcx02UfuJ00H3r84HO0Yt yRaDRm/U7zr30vlP9Z1/6RcerUEv6mOToI8b+sRDnyySy94E8z0ab9U+CbXMJJN+cNKaKisKsffK uUZs6lNeQ15QUx1ftUAoyFcDOileiE+tWlctmtMK04vKknQbbtu8SSumlOVlFqYaxV3dQuqnzr90 bhcU0Rig0hn61fO/ol89HZMUC2UM2heCGzDy+8RO4VfavWGvtAo6YiRZgu5UkTYtf6VlJbzybAXX J2r0I24Z2aaIXKskq3BasmanpuUkSjZTWqndXpomB7ulxJzUtGyrgSZTVrhkvnhf+Ok5/Un4hhpc MrPMaoV2G3FHfV7L/h3TVeS18DqxORR43Cy0kGZasnhYePiHpvR0U9UTwqcJYQ9wWQ37t1FN1Cya 6sMrifph2njS6dTmq9v56KP2xS4p4fZb+F32FvZDeJd2+/S2VHmLhbKHvb/YWsJOu/irtFtL0h6D Ambx79UDrIsuopeImtlLQv2sjZ+6bRGfb/B/37vlnvbGvFhzydq7HhnMb1nqMBu0gmiIlU351U3O W/tW2GlS3bK1pe1Hby8OBuMLl5anVy9wWm3lK8sdyx02eqL9O/uWF7X03vv1O9Z8+6F/7HFJsfEx loT0xMyiZDnGYmrY+fk1semJMdWd9/VVtlSlyfEpsbvv35iT3biB/Xu7i/g45WH2qCEraUZ4pJpC gVNsPJqo80nBSxJJoeB1yRnmnIxEkFz7hPAwHzRZGTSzSJYOC5/5oVy1SBu9skxwSSm3L+fmW87+ NYIZ5uMHkZfZE6MSZTUPprz5gjFyNUnLqLSUSkuowUVlDdWtpLoVVLec6m6huhqqq6a6KqpbQHWV VHJQqYxKpVQqoVIx1WVR0U6N0N0s/oX6KGNJ+FFh9IdyPuOYo0aZYtSnWewlKLog8nw2ubo6Abnw E4Bq8flFe0/4er/dV5u1xL24cn19Rk3PN7t3f7m9PLN2/YJFbUtzgr9OLFlcsnG9tXSFs2ldRkpV a5VjhSO5q7PdTe/4xL3b55duOnhrjXtDU1b6kpY7q9fevbXCsXFgZfntrSvn2Vdt2CYsyqktSGy5 xV7tdKSWtF87lbeouiI1paJmUc7a9RtZXP0zhvuENpk4wm/2uWKkIioVUkMBpfHUyV+5wHC6nFQk RcPCP53MsBnjhkO/fgyFcQnxw/SgS8pZX2S2UKPWwn70H3kPDzarWHwNt5qSs2cq2Zs82DsRbrQ0 l62okBahn6iuWA83I4+NxlYSNr766nr4xQws9HXKIqkmTz2cjOPryRM6Y6x0rdoQi30AUleeT54X 
pxMMsSaapDXbCjLzy22Gc5LZqO1ML2C/meG/vzGKzT6jNq4435aZFGv4oUYrUuzLpA/OsRfYKfuL nuJTiJJGGq/aLlZTSjVwt3oq1VGja1iNFxdNGhbeOVWZByJ1TwjvEGPoLSVKjHBHY/Ew9ZyKq62z 2+vS1BOCtLB/pqHOFVOZpHNssEROmW6PepG/QtmelsTVsVC5zKe2kstnlTfGWNQwx6XM6AkztINW ZvHv2fN0mNDZA1ODe+6sd2Z0kRjR89e0ntLiVnHNlmRPlHSWlMSLy9Y74qxFjcUL71juiJFiDFpR J6csa9/j6nqgc75tzb39D9Ag1qC63fOKUo2G5NKcrPK8HOvkCt/21tyshaUpGXmZpvTy7OTM5Dhb Xo6t8o6Dqxbv/8LDn/pXU0oRxq4NM9wJbSxpJL9T9wDaaqqtmjFoNcOC6bHCisKK2HlPCGf4zGbk M1ssLBdbz16azM7WVoftVc3+FY7SW6Vh2v54gs2m/hhlc+RlPv6DHOU1SuX+UxI5rlAGCSNUXE2L a6iqCh+hv6WbmSOizlO6WccVbHbKmfHbD6zH1Cdr4ommzz7Z39C9uSYO9x+NZDLIRcvaltVvX5qb 4drRVL+9eF5KZrbQJbEbfGJwQc7yfM83vPX0m55vfarBnJxsjk/JT2U/YEtOT7ZVtdY6Vy9INc0r ECoKc0ypJRkN1cHfa4T5279AQqHw2kDQiT8jLK/eg5Af579y/jeFaMtH0MVpEppVevV6EvdrFs2i gQ+l92aSdlj3yZslfZpKL02Tofoj6fgcfThJ93wYyYXyj68n4xaFTPk3oBN/X4o5dT3FLuB0+KPI LHFaPU2WGMs/R1Oc/kPoe3Hfi2+Of0ahhK9cT4mVfxU9ciOyZlpfmKakpXM0R//f07EPpYm/iq7d mJKXJ3/hL6QL/y/IdsJ2IuVbfyulLkvL4vRW2rug9+dojuZojuZojuZojuZojuZojuZojuZojuZo juZojuZojv4y4s+RKSG6XkKpRUeIgbQRDYkP/Q68IPQGeGeIlfhCDxANPR4aAQ+EngUfC50mGrEf beLR8gp4J5GJjWhCz4N3hl4F94VeIekoeQM8nqcLON8WepukUyH0W3ALq6WprJxmhH4NXhh6Bvwg Tx/h5cc5D4R+Dj4SmgAfY2n0PkHyIf8oeDx0yOea5EP+b0k+5D8NzuTnQ/7b4BmQkw/JrOQILzmG dAG0/SO4j3H08lvwkdBb4GNo3wDJj4EXhE6Ab4P8Bkh+HdwSegk8NXQePIPzwtDL4AO4toHu4fxg 6Dfgh3n6CG9zlKePcTnHQ2fBH+MlgdB3wEdCD4OPhf4naeDotnBcW9D7JPt75tB5C7Rl3AfNt3BE W9DLBfBA6B1wpvkWSHiLbOOW38bbb0P735NtaPMm+EjoMvgYxmgbermKkdOEtoPHh86BF8Bunejr j+CdJIX9DfVQF7gltBY8NdQNnhFaB94a6gEfgG90Ai/jB3n5YZ4+wlse5eljoUHwx3g6EAqAj4TO gI+xtHhb6Pvg/SE/8UGTL4LHw24+aPIy+DZg94Ek4oMm94NbWBto8k3wDMj0QZOvgA+ERsH3cH4w 9DXwwzx9hLc8ytPH0JcPmrA0s4APvZ8B7w89TAWM4P8BPx66DB4IvQo+EpoEHwudp2Zea4aEP4If D10FD/D0COdjqLVAw/fAD6IkA+2vgB8PvQse4CUjnI9BfiFa/gbcEnoZHF4EnhG6wP5KfWgC/GDo EvgRXn4s9DZ4gCSCjxA9+BiRaSF0Pgd+N8mgrZD2MrgFPbZC2pvgGaG3wFtJHPhBSGiFNFZ+HG22 cCxbONItHOkWjnQLR9oNaW+AWyC/G9JeAM8IPQ1+MDQKfoSXHAv9J/hxIOqGPdEe+jxBB7jkAS55 
gEse4JIHuOQ9vHYPr93Da/fw2j289iBK3gcfCU2Bj8GSh3n7w9zmh7nND3NLHuaWPMxtfgQYJXoU Op8Dt0DmUej8BngG8B6FPX8HfpCXHOH8GOcBEg8+QkzgY0wCizh6DD3+J/hxXHsMfb0Gzvo6hr4u 0ePo5W1wS+i34MzOx9HLG+AHefkRXnIcPR6HtGdpAO1fAccsBI5ZCDwD2AO0kMSCt6J9ANeykiO8 9hgsEKDHMb4BaAgPg4aMjzEOmS/REch8C9yCq0Yg8wp4Bmw4Apl68FaePggUI5DJao+F/gB+nOjA mcwRjnqEyxyBzFfoGGReAreEXgdnuMa49cYgUwZvhW5jkPkW+BFezmSOcT3HuMwxLnOMe+YYZL4s 9jP/Bw9wPhZ6WzyEkZL5PadMyCbsvVr26eRc5HeiWJ5jaYEYxGI1LZJ6UaOmNcQmpqppLdKNalqH 9GY1rSfvi71q2kCKxdfUtETsml1qWhYeivRlJJs1n1fTJlKs+bWajhEe1BrUdCzp1j/E7pX8U2Ew qWlK9IZGNS0QjfQ1NS2SedJ9alpDTNKX1bQW6YfVtA7px9W0nhyUTqtpA7FKQTUtEYvsUtMybY30 ZSQlcquaNhGrfJeajqFr5GNqOpZUGy9AE6qRVDsracXOSlqxs5JW7KykFTsracXOSlqxs5JW7Kyk FTsracXOSlqxs5JW7KykFTsracXOSlqx8/eInVQQJ6gWqRbiIR2kn3hxF/CSHcSPsmVI9ZM+zt0o 8SDVSxyoWUK6QXayHmU7yS7C7ios14XvLrTeA96JlstwXTfatKPMgxYe3s6N/3sgq5O37UXOh7Je Xqdc74EGdvzvRjsPJOxDbi9SfvTF2gxAoh/lXcgxnQdwdSfqe6ENk+JVpfrRokftk7WwA6OX98l6 8XEsTRzrDpQwjAMo7+JX9POSbq61X8XRgZpSLrmHl3RziW7YSCkP99IDOd3cYn2qlr0o6eG9KjIZ Tn+UBqzHPo5FsXfY2orurCcvLGAHfsXiTKsetHWjfz/PMcT+yHgoNlN6sXPde1VcXm7bdt5yWuNo RMxqg/w6BfVu5B3cH6JHs4BL6+ES9nE7DKgjH21vNmIK/i6uP8OvjEs/9wb2rfTIxtoOGX0RNIqO O9U2PuT2q9L9QKGM0J7IKLm5j7hR2jMDV9ibO6CJm/ffofbvuIHX11+H006Wog7rLF6nREwV2ax6 kEf1tSpIq0btzGvLItfeOBK6VJ9WELpVTDt5raJjl2pFpncn92aGYTcfx/A1N67d8RdF9bQHKeO1 CTkP14H1v4FHgH/G2JarGnijEHSosejnKLu4f69BSQcp5ONehDadXP5KrpVyrR/UB+uWg/ZycvC4 n6m5g0vvQRs//I3pv5Mj6IOEfShlo7qDY2HRNFNquJzNKMoI7I7Iu53rrHjyPu6BPq6hn8eaj88N ytV2joHFaRf3Mg/vQ7FQO782bL3lsN8azJLKtf1RNUqMd3KbTMftXt5XB4/rG/Wr5FnbDnjRALdh ZyQOOnk9m2kUBGHf7+NIe1XvV2R1cc6ieTZuVq/MGoW4qoh7Zw9wdUXi+Hqteq+TfPM2mpYenrnt 6tyreE/HjDnweuzT/jpTr4VRFmBIFCzKnSDs9f2Ru0onn1d7+fzq/lCkip3dM2zapXr/7BhgVmWe N8Cv7ORzFEPTFZHDWnbzee6jRujvFRfTMVHOtWExoNydHHys+sjg9+wVTmetvcXT0e/1eXf47cu8 /X3efrff4+112Jd0d9vXe3bu8vvs67t8Xf17ujody9zdnvZ+j93js7vtPd7Orv5eu8/d67Oj3rPD vsPd4+neZ9/r8e+y+wba/d1d9n7vQG+np3enz+5FU39XD67s7bR3ePt7u/p9DnuT376jy+0f6O/y 
2fu73N12jx99dPhK7b4eNzTocPchzS7pGej2e/ogsnegp6sfLX1dfi7AZ+/r90Jvpjakd3d799p3 QXG7p6fP3eG3e3rtfoYDmuESe7enF315d9jbPTu5YKUjf9egHxd7dnc57CrMAp+9x927z94xAPCK 3v5d6L9rr73fDSz9HsDGhe4e+0Af6wYSd6LE59mP5n4vAO1hkNz2ve7+HqUvZuaOXe5+KNbV74iY vj7cp32pt7uzng1M1WYYCJDsVY7qCrW2jNVGDUIXLI0O3ehpp4dp1AUV+92dXT3u/t12L6uJyu64 8VBzAwHXpl6PH9dv8Lv9CtpyCPDyDjowiv5+T5fPsWago9DtK7J3dtlX9ntR6/f31ZeX792719ET Fu7o8PaU+/f1eXf2u/t27Svv8O/w9vp9alOW3uEGgN2s3e3eARh5n33A1wUlAIlV290Y067+Ho+f KdS+j6u3fNOaJajt5xmMeOeAMrZ7d3k6dkVdi29Pb0f3QCezhdfe6fH1daMDZv2+fg8adKBVV6/f YQ/37e2FaxR6iuxdPe3somlRveHGN9SIN2fODfP7YJ4OxQMjvXO7qrIWcgUKPegFQcBM389CpdO7 t7fb647uFDq7FU1h+MgIeAf8fQN+mH2Pp6OLtdnV1d03C9DNjAUfifLOrh1uhJPD7esbVPeKJNRC npj91wfVfZiIfYdMzEQfCoEL6g6LYAdLyIRyzvkRH434nslEKVEuvKn2MTG8/cTNtjebWXvxxM22 t1hYe74zvan2cXGsvbbtZtsnJKA9vgnbcWp4e7bLdnIeT2KIjaSyM1uSTxaAL8EcvZY0kDvILZi9 l5ODZAu5l2wjD2Dm/ibm6h9QgfyYmskz1EJepKnkEs0g78D6f6atVEe30AS6ldppN3VQL11IB+gq uoduoAfpNnqYeugR5I7Sf6DH6H30OP0yfYx+iwboCTpCn6RjdFRspufE2+hFsZ/+XjxEr4h3C0R8 QDCLl4Vk8R0hV7wizBffFRrF94TVGJNPzMQl3Pl3wvUScL0CXJPA9QFwScCVBFy5wFUBXC7gWgsk 24Hrk8A1AFyfAa772YkS6FvA9Shw/Qi4ngauXwLX68D1HnCFxEOCFriswJUHXGXAVQ9cK4FrI3C5 gaN3Ji7Nz6JwJQNXHnBVAtcS4FoHXFuBazdw7QOuY8D1b8D1P4DrCeB6Grh+A1y/B673aSrGKINa aSHNAi4ncC0GrrXAtRW4uoHkLuC6D7iOA9e3gesx4DoDXM+j5AJybwHXH+mIINAxYGjGmNwmVIr9 wmLgWg5cm4FrJ3D1Adch4DoKXMeB67vAdWomLv1QFK4U4CoErhrgWgFcm/haoQEIbiGfAa5/Ba4f AtdplL6A0kvA9T41A48FY5NKs4GrArgagWstcG0F9QDRAeA6ClxfAa5HgOtJdp4IXC+i9LfAdQW4 rtHHBCMNCMnAlQNc1cC1HLg2AZcbuHYB113AdR9wPQBc3waux4DrDHCdA65XZuKS26NwpQFXCXCt AK7NwLUDuD4NXP8IXF8DrqeA6yXgegO4/kR8VE8FYDHTcuByAVcLcG0Drt3AdQC4jgLXfweufweu HwPXc8D1GnBdAa4gPSLE0qNCBj0mlNDjQi1wrQSujcDlBq49wHUPcD0AXN8Aru8D14+B6wXgOg9c vweuD8R3RaP4npiGOaxkJq6YL0Thmgdc9cB1G3DtAi62zvsScH0HuM4A1yXgCpJtNI100lLgWgRc W4BrF3DtB67PszNz4PoucD2BmpeA603gep96BRMdAIY9QhU9KCyjh4VbgasduHzA9Wnguh+4vgpc /w5cZ4DrPHBdFW8TZbFfTBYPiRni3WKl+IC4SrwsrhffETvEK6IfuD4LXF8Cru+w6d+gDxn0NltD 
7o5DO3YYtMSg63s6gM/TfQY9MRiujo/iM36V11wNBPBfYEYmwJsd+Gkg8Ozo6AEDO2ELqB+DDtLH JyYmJycmxg0SMcgjQ6+C/jT0H0MvDz0D4teOvv76iy8+++wob351fPzqxPj4eFiTyUHbg32sRjfl VD6K1PHxVYODTqdOS3S6SdvgxMQgvyIQQF/oUachOm0fU6KPl9tYEzTi7fsmoPigQRMyaJxtk23s A6E63YGJib7A4MRktKQJSSASEBEVklKlYJoBVmcgOvmP59lHUYpfrfaHD9NDLZ3kcnQ6RSWbTScS neaiIkXR+2Kf86JeE9JrFPUUmBPTCJBo7etjXUrobwcfOLXUCTACNWi4OGitE4iO6Y8kFYlGc1EW iUFjb3OxelebnWeHkMLHFRgSRWrQPvTQQ9zkzr4TzOJTymA8aLM526YHf9JmsymmGlRspVgaYPt4 hg1tbW13d3dwFENLDfrBM6zLM4MsA7/iH0ij0X5Fo/yKNWPXXBgfn+1XNNqvqMF4vV9RgzTtV/Sm /Ir74ugoNK6tjfIrSUckPdOO6xvlWLzCZDIdYBUHdPAg/eD4VCBwQNKGJE1t241ca4aw8Zm+JWmJ BN9SnUutC3uXTHTGD4bGA2Hi3SlS1J7xGTRESq/y8NPpFeVMJq735GwfM2iIQdsWdjLWflwBE+Vk Evz6Gdj1P4b2Yn/bQWa4miRQSXG1sK9pon3NiGVq2NeYs/G86mzc2xhkyOIxHfE2lhk8ajLB3ZQM jHrVZDo6yDO1bdx6SgawGfJBSSKSlI55uBrEtLybjAyNDEl6Khka2nn37Q0sJykTGmY0SUclJpl7 29SMXEAyUEludAcCz50+3dEYBZLVMZmj4+MTk/CnUclIpZiL+Fy5+L/bzoN+1vYsiAs4/eofzp3/ +XNjp5lw7vHcBSUtuoILXuyrhQ9yjwj7oJPjYJp3cBQMDUOl1xE9MwlG84Cso7Ih4kJX9VqqV6bs p/t4Vdgjxw/odVRvgHmmEHSylsjaiE+2oaVef2CCeyXMN1PmuCxQWRPxywCrZU47rkScWhv+6GWq N0W75niAd6zKCisxrnQTLr+qyNUbVF2htV5D9aqLBlhax33UeZHFBZz0Kle8lssbVwHqYRY1YvVG ojeegel7A58M3BWYPzR/SI6qtjmdTG9tIOKseoHqubNyb6Ua7UWTBg3g1EoTRIRJA6OxBP+gQqOF JfhdgY2a6rDOKZ5TPTag5BSXhc/ynOqz40qOeyy3h0xk2UQyQJUg99DdIG5xPcaj4dArLP3KoQbZ QGV5Kjh2Gp+x4BQfrSnWA6w4xbP6cBbXssaNd18KPPfc6Vfvbpw1WqxWOj327IWrVy88O3ZaNlE5 9mLfJD6/PMHoOedzzlGQLFHZeGnoCuiXoLOgMdDpIaaaNIU5fQqIRke5LoNTZwJXD5iOTg3KBiIb QiGb+pGxSZ3lzmGHZp4wBU+dOmDUU6PEdLsAqaPBC8yj9YP8hjDI63T47OF1exRvmoJL4zotMWpr B+EZimtAM73hELNr4ACWIjPFQtOZTs2qmcsHRnkkjxoFaoyyE3frmPNDoWi3RgeSKo2nD3ClDsiR 8uAFZfD0kqovNOcBOnE1yq0nA23OSe7WOlX5wVouj0sGSAPRG06f3rGjocGmNxG9iQ2It83bVheo C6QMyVHVcGumeNitZ/u1IFKt9uLFWA2awH8jnt3mjNXAeDyl+jZ3biN3bj6mzslJxbmnEEay4UDw Hh1z72CQZ4NBeF5Qdw8Dj2zjoYvczGqW2eXAAZY1SsQoh+flaj4vKzPzyJDRgPFhfso+l+5uNErU aAySEDk9NBKh00MhLJ/5WPEu2QwdDBp1yPM0ZwF+6WJy99DFIViAPDf0HC69hFhaTGZYhzVlvXL/ 
n7x6YfzZMWMMNZov1l6snRyc5Ouxsw+effC5B8dsYzYudToEnokKAiZFZkEwOjU1Onr6NFeIRcHF wXQWBkYDMUaFgc0owwyse/cQo0oe7izsTURZ5kwdxTw41W3SU1OUzwYvKAsnCA6cmRrktZFggKPw ZQ6MHQz8NHjApCWm6HBog9UMhkPB8anBwNQhjEWU8Ne5p6kuH46IAGswHRKICZNATdExETCYqCH2 wsXQ5Bt8klCIaxGWGVaJB4ZRqRkNRwbPh5UHDr7em7h6UZGtZVCvspXZ1Ul2uwoHB6JDWc+p4WEw YKHG/J8FgAEWjFH08LZ52vZddAacGOSoFggRkyCYdBEQaoxop2NEhxgxa6gpKkZ4aJg1MOl0kISj xMSjxKgTjFI4ShAmfL5hYfJfxJ17fFNV2rZXkjZtk7QFDNBWBhAUAQERUDpQEU+MciwIDOA7kkGQ o8gxNlgKKIIiIiI6qIinjCL4Ijo68yozjgU5lAp0oA2tQzEUTFPdpE27CRrmZX3X2gmlIP7G+f74 vlm/K9nZp6znvp9nrZVIM/E6MV6r/KROVKEYr3PyXfFhLj9+fqxSlD124XCkiTQ+KqumJrAlXyz5 gv64vnA5UkwOWzsy3GVk+IXmIsfbCYfN5HBQOSR9U7MKl8ql54XhuqqdC8Vz2Q5sV5e3481YkXHP vV/sjQnAm7dbqlKgaf18YfREFeZecVAcEz/QjrF1UOylcB1pJkdzfxt/m7qcupzyWeWz1KS3d/Xe 1bscuxwOu8mR6mcFUucqdx1zfeXa49rr2uUq9Bf6v/Cr28aq32jnxb/EHmNLjQJGl3MKdlJeOWnW FVRCsnCkNKmvDCWeXQnlUg/G7B+TUQlqrPuUMwUqfVKTTam2WBlUM59Wnz9mLM+y80+x71R+tnHc wv/6LzGOL+lvLOZyCqp3STVOpSaaUq1N6wxzWLQx/IiHaAV8+HfxqCKRIl80vt1xeXKX8b+4pI1l 94U6xSjMxmk51WxKvUT1L1IcppT0yytvT0+ja413buwo3S7IcahXjUEq69SOxqiI0FiJXqi/LwwZ GGsYw9QQpmaDxiDzsmMrWuN/e+VjP7NOTUHsNOX11A1TN0zeQBLUZbgyYgJdfraDlkFLNZtTLxan kkV9fo1VpyrPBBOfxOqaJaB6k/I0qtLY2aQ+jeOJ+JNsfFYmXoctI++HDbEckdLYEStRVaPxHbG5 LMliWUkRqh1tC1yx5IiJ6LAVyF27AvkDpu7aJQuMb45t4i3zOGF50DNvlnBOnTdlpug36/cLZouh HDHdN+qO9sSlfsVKfUdkFanCGX9lEknkY0tjf2wPn2tFumhFs9ybm3uPuHbUiGHtRc/Ro4a0FwPi 56jv+puJ1sYrC+/QvPHuTOLGd4axV0wA4iqRJa5+cM78OcJrPG4xHrcbj382Hv9qPO6cOWXebLHP eDxoPJYaj18bj37jMWA8auq/VIl69WiyGo9ZxmMP4/EO43Gs8Tjj4ZkPzzQVGI8rjMc1xuNLxuMm 4/Ed43Fb4zf2/+7R9Asfk1GSj5yozcd4of711f+/fWZ8SP2Pn9NYDvQQo4x/FfG4WCfeEh+JneKw qBL1JrNIMSJNjkerCfVv0Cxc56SSTOp7PFO/2PNTpbHn115pcg35Vp11yWtT4oJLX1s3Xfo6ZdWl rx0tLn3d1n3p62suO95h3aWvu20WKeYmr7vPanLcKky3fXzp67vNPNvI6c4il3jSuOZxpOppzhVL zF7zUfGG5TXLa6I0YUHCm6Is8Yj1KZPFdp/t96ZPbSvtJtM+RzPH3eY7Hfc7Npk9qZNTZ5j/lrok dbX5yzRzWrL5cNrZtLPmCmFalqu0sR5J3X7Ftp9Wmnq8STsVb/uv0EJpbRpbB5r69a8BtMlGW3d5 
5wBW2DmAFXYisMJOBGYgcswx3nrsmccSyGuPFT32FZLzmPoxOzm2UwmMZh0hkGm8TOSYS7yMucRL yhrMJeqUOoh0af7wHGYOL0PmIEDfoKyHCF5UijBCc4bnlY3KRhhpUrogmqd5wguYJ7yMecJLkCe0 wsi3IFt4CbOFF5V/pfwr2J7mCS8rv6PshrXfhTzhRcgTvgd7o3nCC5gnPIcZwvOYIXxW+UPlD4Hv Kt8F0gzhVcwQSpR/AxlCGmQIIzD+nnKUvIIZQhpmCOmYIbwKGcJ/hZEJ5d+Rw8pJ5SRs+WPlj2Gc 5gmpyvOQJ3xWOaOcgbWXIEN4BXODVzE3KFHOKX8Ja+eVCzBOM4R05fvK92FLmhu8qvwn5TKM/0/I DdIhN/g17O06ZAjPYobwinJVuQrvS/OEz2GekKr8rRJiLax5lIJ11JKVt5XrMELrH8Ur7yg3oE+r ICViFaR4rIKUglWQ4rEKUhzWUXtW+W/KfwPSikgpyg+VEIlhXaQECJAhEsPqSHFYU+1ZrJH0zH52 Pwt9WikpESslpWBlteT9Efsfh3FaNSlx/5P7n4QRWjspCWsnxe2P3h8Da2kFpRSsoJSIFZSSsIJS wn5osJbWUUrEOkrxWEcpYb9uvw7yH5oRvQAZkZvEQkYE9rDfv99PXoSMqA3GaRaUjvlPCeQ/34F+ 9/4e8gpmQen7e/f3Qp/WY0rEekzPYD2mFKzHlIT1mBKD1doI88zdWAmWypBW8r8IUZWDVCANSA8y gmx7S6Z+CJbOnTEvqBXUAeoG9YEGQMOgUdAEaBp0AXQZNA9aBC0RmYdHEdV1lMxjBtmhfxN0G7QB 2gI9IKRSBmJBEcH3rjwIigHFP7RMeujvw8F9VaaDskC5oKMPLYtAx0Andl5DlydBVSAtCI6r0ry3 lHkkFFM/AhqHvm9vLKg2UOdO3w7q2en372hwR+dAY6BJ0HnQxZ1tZ3F7UkmPmS59oDZQJx5XcNsF 3I5U9oD6QYOgc6Ax0OTO+12F/nnQRRDddgFEx5Z31i/vaBXGqNbg80yBZvY+C6lcB90F3QNtE1Il B4WDIoPnvSoKFLuzTPhoubd9ctAG6BK3jwz+vbc+FZQBygblgQpAxR8t6fWrKgWVPbQ8BVI/tNSB DHtLmWcteNxVYvCzVTl29uP5fxPa9cPyBkWP45H9lX5MAVD7zjLwif3IPPTYukC9wWtTdRY09NBy BDQuf6Iimy9wmVXXhQeUBhmSBd40RABvGw4CNwwxwC1DPPCBIcllpq+SNitlhsPS/Yo8vthlryjg S11SJWtIR2bt9SMMuS6JrnWTimK+zOWrPGg46vIF+zss5U+52ipjDEXIYx/rxxtOAJMMJ4GHDVXA dIPW1UZf5VZUlPFqV2fFKV7n6qnMMvDAXIMZeNRgd/XQcbeyQs0bXP2VRQYJeMzgcx+o0PGia7Dy hKEN2YnsAZ409AOrDINAreEckDeMAc2GSaCdF93RlZLhvDuuwsA7XOcqfYaLrnMVIu9xjVW28R53 YoWDD7gmKzsNs8AewwKwnw+4UyoHcbyfssLDt7vOVwT4LtfFynOGq3scMyy7LtJxd9oO2/le12zl JKylXN3rnzesAS8a1oGzhrvABcO9PV41bLszK5fr5e6cii7+rGuhcrU+3LWAe7u6M7JWHwlcp6Qj 7vyKXn7ItVx5F845ZdFun467CyvO8iOu1cp79VGuVdp3l1Ru18dCf4gfd61VyesTkMl7/fD6VGBk fQYwqj4bGFufB0yoL8B+MTCZH3cfrxjhp1zrFeP8jOtuVWp9qbv8EWbUl7nLK6b4S657FTP8nGu7 Krv+FFK918+r17m2Ky7xVyR5VUG9YY/F9aIkr5jjr0nhujH7HeQm8j5wspEAzzcqgBcblcDZxgPA 
hcZoKZy+yluiu9oY5x+uuMKvSJEV1/gbUpRuuTERuNqYgqT9tcY0KYqu9Y9WrPC3XGO69cZM11iw v8Mb/B0pVne3MQeZ/7H+vcZC4HZjiRR7Wt54HBjeWC7F0lf5Jypu8ZtSQsUd/r6UfDqyUQWMatQA Yxv1UjId909XbApESj2d0GgEJjfa/Bcq7gsKKeN0aqMT6UW2AjMaO4DZjd3AvMY+YEHjALC4cVjK oK/yXz5d2jjqu6EiqkIp+3RZ44SUrVIISimP0j+vUgoHpILTpxqngerGC1IBHfEvBsd3eECIlopV 0UKcVHpa13h5j4bGeamUjvuXdhgnJEplp8XGReTSXt/ReB3oabwJDDTeBrY3bgC7GreAvY0P/NdP n3XI/DdViUKKdOr0kIOVTuHe1DsjI46IXdIR/21VipAm6U6Pw7UDOg7u9um4f0OVJmTSz+WIgeOH vn/x9JQjHvqZQo5kOD3jSEIe3utfcqQD5xxZwCuOXOA1x1HgiqMIeMNxTDLQ1/q3VDlCviSq8oVC yXH6luPEHu8gNx0nJQec2xI4w4XCcclz+r6jCqnd7euJg5c8FbeEcilBr3CY96h02KUEVYmgkgJV pfUOpGevX1YfAJ6qbweq67uAuvpeoKH+rBSgr3KrqsT6IbdGdVzQSO2qckEvdVU56keAHmQA2V4/ LnXRtW69SiUYpV6Vqn6KkvaruupnpBGVRrC5Oqt66y8h5z7WP1t/BThUfw04Ur8CHK+/4eqkr3Ib VXrBKZ1VGQWvNFQ1VX8LOFN/B3ipfhM4V39fGlLZhFZppOoK8pqRuG0qp9AhjVetGBVIJfKANK5y GqOhf8MYB7xlTATeMabQcaHD7azaNKbByH1jptur8grd0lQ1MeYAFcZ8aUrVKvRJM9VKoc/dWn3A WCjNqDqEAWm8OtpYAowzHof9wIjbiewIrlV1C8PSJVWfMCqNVCcay/eYYlTBmYFxd3d1mlHj7gv2 VQPChDRXnWnUI417zDHagPlGJ7DQ6AWWGFuBx40dwHJjt3ugWmXscw/DfqalK9Ua44B0BfoXgMPC ZThCvXEYOQpHBSNwnKPCvHSt2miceJR03D1abTNOuyeqncYLUoZqQliUVqq9xsvSCu27p1UTxnno TwtL+IkWkR/1U4zXga3Gm8AO421gt3ED2GfcgmvUZXwAnx1eC5/3gnDdtay6LNyUblQPmGR7HEaO mljphmpeuC3dUi0KG9QGTBHIg7usnjDFgA0sCVvSneppU/weL5iSgJdNh90Xquf5Avfl6kVTOsQn NDaYr14yZbnaqq+bcoE3TUd3PPgi9YPuperbpiLXbPWG6ZhrFj3R9eot0wnqlUwnXWvVD/g59021 zFTl2lazJq1rG78vt9URJh6+O9RuN9QHTWZXpzrGZAfGm6QdG9ui19f9QJ1k8klzqgFTGxDOg0em PmzqpOfE1APET6pON/UDs0yD0hD1OP4H+gMOCbwPzPwBmT7a4ZNi9XGONmCiozM4PwdYOssFIvQp jh6pTJ/m6JfK6DwTOKjPdAzSOcdxDggzSSBGn+MYg9kj3zEpeajlu53qXNM5qVh91DTmYdVFpklP hPqY6bxrVX3CdNElqU+aZl0+dZVpwXMQtrkK22hNy54YNW9adR9Qm01rUpfablr3xKsl011Xj9pn uudaV7eZtj1J6k6z3HNY3WMOd42p+82RnnT1oDnKk6U+Z451zarHzAmeXPWkOdlzVH3enOopCsYb 6ovmDM8x9aw523OCRhTuEvWCOc9zUn3VXECvgrnYUxX07Oplcylw1VwGXDOf8mjV62a1h1ffNes8 ZvU9s8FjV2+bRY9UIzc7PL6acLPH0xaMaStPmANw9TF2CkYpNZHmds9e3GjucvXURJl7wVODbXh6 
KmfNZz09NbHmIU9/TYJ5xDNYk2we95hrUnHLDPOU62JNtnnGc64mz3wJ+gXmOZe5pth8BVhqvuZq qykzrwBPmW+4BmvU5ltAnfmOa7bGYN4Eiub7roUah4UAPRYFHE/AogS2Ww54xiqLLNGu/pouS5xn sqbXkgixB5wBz/mas5aUHdtW1QxZ0mA/I5ZM13bNuCXHc7FmypLvma2ZoRFmzSVLoWehZs5S4rlK vxee5ZorluMQpUOs7llFrtVcs5QHI3DPOvIu8h5ym75LszzImhWLytVZc8Oigc9+y6KHY7vDG5rD azYtxp1+JDKKfr+aY2vu0zNJ4+HmBGQyjXubUzXEYmtOxX4GMlujsDhd5zVKixfiYYiKm/M0Byyt wRi4uQBZjCytXLN0uBY00ZZuYBwljVqby5CnNImWvmCk2qzWpFgGXMuaNMswEMZhJNMyGoxam3VI A1Kk3/pmB9ITpCbHMuFa1+TzU80BTaFl2nVXU8LPNLdrjlsuuO5pyi2XgSrLvGtbo7EsQmwJ16W5 C9mr0VuWPBHVGgvMihqj5WbzWY3Ncrt5CEZgVtQ4LVtw5F7Lg+YRTasoax7XdIisNKPpFiOapzR9 4sHmGRiPab6kGRDjm+c0w2ISzOo4e2tGxcPNVzQTYjrMxotiVvO14EyomRZzm1c0F8SjzTc0l8Wi 5luaefFY8x3NIsYAK+IJ8AVBL4PzdtBHa5bEk+Dxwds2b2quU2+ruSlWgaeDWav5fnWhqG2+r7kt 8l6i2RDN0pRmS7Q33wj65epEUYLP8kD00VhCbJMCtTKxk/p0scfVWcuK/bvetjZCHKT+SzwnzdUe FMdgJEacBMaL53c9RW2SeNGrqD0szkI/XVzwKmuzxKveA/TTeaNrc8XlnZnWWHtUXIX9FIlr0lDt MXHdG1d7QrzrTYQzc8+bUntS3Pam1VZZ5d7MWq013JtDz5s3H/dTWE2skdJULW+N8pbQOdx7fCfa AXrLkardqEYwejVIjHO8RqSNHoPXifTWmq2x0tnaImsCHImdRiO1ktDqkdX6rMnBvrcV2UF9gbeb zrre7to2PMMQXXj7kAMYP2zVdlpTwV9A3zuM7K7tsWZIl2r7rdkQUUBc4R2tHbTmBaMIj4zSO4Hs qE60FkhXYG0x8Jy1dMfjb1F6p2vHrGVBL++9UDtpPSVdqz1vVQNhHEYuWnVBL++9jJxHLlI/5V1C diCv185aDeC7wYM3q2sXrCJ4avDj3pu1V60O6VbtstUj3aq6ZA2AbUxb26U7eM5vIzfwPEzUrlq7 pJXaNWuvdKN23XoWfDpGobV3rUNShr7QcT4Qry9xXPQ+0B93zAaS9OWOhZZZvcpxNXBYr3Esu8b0 escqbrMG2xgd6xD32hx3A+l6p+NeIEvvdWwHcvWtTfLAUX1HUzjsobspMlCk72uKChzTDzTFSnn6 4aaEwAn9aFNy4KR+oikV/OZ0U0agSn+hKdu1rr/clBfQBrMD/XxTgVSgX2wqDvD6eUe8f1G/1FQa MOuvN5VRr9p0KmDficNvNqmROuDtJkNA0m80iQGffqvJEWjTP2jyBDo5WVMg0MOxTe2Bfi6iqSsw GMxAT6c29ULOFcx0MKfgDjadDZwLZnlcTNMQML5pBDIC6uvHTgeaxgNjekXTVGCSS2qaCfi4w02X Am2nI3HL9KY53ziX1XQlcD6YZ+nGmiDn5XKbViCfvdt0Q4rljjbdgrwytemOlMEVNW3uvjt3rOk+ HANmSdwJJ4GMKXg8J50KYJVTGbh4OsF5QErltM7owCzHO+NcnfQMBBY4szMxGKv4Jzi7MwX2JjnT JA/nc2YGrnJtzpzAcjAf5Dqd+YFVrsdZGFijcU5gnet3loBfg8w6cBd5jxt0Hg/my4FtyuZkSnci 
5Rk5fZcz+F5nIvVKJ5x/7pwTcmFuzKmRUmn+eyaKm3Tqd/qxyAQaL53ZPZOQvZ5JRWbQozqTzZ13 Gs9kYz8PWcBddNqkYm7W6YTsFXLYM8XcgtMbzFjPBFmGhLzS2Qpn7KqzY5c0x3Q/oDyj5pad3cG8 8oyOW3X2STpuzTkAhHEYWXcOB3NMeHfKPCRmmmcwZzwjIh3cXecoZI6QP57xcPecE5AnQhZ5JsBt O6elPF7uvAAMd16GGE/hnJcS6HU5047sqth0Lp7p5SOdS1IBH+W8Ljn4WOdNycMnOG9L4bX3rCNS QNNqHYdZa9s6BTGqDWbFEa3cOtO8og23XvJuaSOtc+5ubZT1itumjbVC7rbHFe8DbYL1RosMeAt5 B5hs3WxhtanW+y0R2gzrFYjYMafTtNoI7Dnbpmg5qM2zKVtitAW2Ay3xmmE6f1LCuxTboluStKXG tJbD2jJgetWmDTI47SlbYkuWVm1LacnV6mxpLUe1BltmS5FWtOVIlyhbjtF5suXETm6F1Dps+a57 Wo8w0XJSG7AVtlRp220lLVptl+14C6/ttZW3mLVnbSpgr03TYtcO2fQtEtKnHbEZW9qANuC4zekZ A3o9Y3QubenUTtlaW3q0M7aOln7tJVt3y6B2ztbXck57xTbQMkZn0ZZJ7TXbcMt57YptVDJob9gm Wi5qb9mmXcvaO7YLMAcW2S63zGo3bfMtC0EPRdlyVbUkXmxZVi3ZFltWg5FbzZxtqWVNe992vWW9 jthuttytaLfdds3WKWwbLffqlLatFrbugO1By3ZddIPMc6IuroH1yesSGyJ84XUpDQd9kXVpDTG+ qIf3VpfZEO+LBSb5EupyGg77kuvyG9J9qXWFDVm+jLqShlxfdt3xhqO+vLryhiJfQZ2q4ZivuE7T cMJXWqdvOOkrqzM2VPlOAbU+dZ2tgffp6pwNZp+hzttgd2vqWhskn1jX0eDzOeq6G9p8nh32NXT6 AkFrqdps6PG11w009Pu66oYbBn29daMN53xn6yYaxnxDddMNk76RugsN533jsJ+LsJ/LDbO+qbr5 hgXfTN1iw1XfpbqlhmX3cN31hlXfXO12w5o0V3ezYR14u+Gu70rdRsM91ypwG7hll/uu1T2wh/tW dDJ7pO+GjrVH+W7pIuyxvju6g/YE36Yuxp7su6+Lt6dKOl2SPcNPdIft2dI1Xbo9r+WeLste4Ffo cu3FnjHdUXspHBu+i67IXuZX6o7ZT/kPqI7b1f5olcquk3p1J+wGf5yq2y76E1V9doc/BeiRruhO 2gP+NGC7P001au/yZ+qq7L1SgmrJftafo9Pah/z5Ot4+4i/Ume3j/hKd3T7lP143YJ+BswT0lwez fp1kv+RX6Xz2OT/+buPHWMVv1LUJTr8t+I2jMYY7ZeeXike/HdPB3wqCvwy0dOo67Vf8Turf/V6a g/tbd2wSfx2ivy24u3U99mv+jmAkpuu3rwAH7Tfcxp1fb/B3Fa1c0Pu76bfD3xfM+nXn7Lf8A5h1 bhEZOcRsMP+bEOYPDPzF3Gc+IHLmQxlDFLJQmYLskz0mU5LHZJGyJ8h+2VOyKPK4LEb2DHlCliB7 njwpS5a9RJ6SfV/2fXIopDDkSyQ6tCD0iyQm1BhqIrGhPwv9GYmLgEY+ExEf8RaJjzgWcZKURFRE tJBvRLwT8VPiiZiNWCd/G3EnYotcg6P5CpHj86sR5HGyjzxBjpPHyAlSRd4mavItcpJ8m7QTL+kg 7xMf+UfyGzJHfsuEk//BKJn95EPmceYphmFimGSGpfcvMoeYcqaWiWXqGB+TwgSYLqaQ6WG+z3yN +TvmV8w3Qt4LeY8R5Wa5hbHKJbmHaZAH5N9iHPJ35O8wkvy78u8xbvkP5O8yXvmofIw5I5+U/5hp 
k/9U/lOmQ/5z+S+Yd/Dpvy75ovx95rvy6/JV5nvyNfm/MH3y38l/x5yV/0H+r8wP6d1szGDok6FP Mv859P3QbWZYEapIZK4qXlS8yGwqXlKkMn9QvKbIZj6gTyowHyo+rzgqkysKFG/JFIq3FSdlEYpK hVoWq9AojLJ4hUXhlH1WcUbRLntN0aHok72u+IFiSFZEnwOQlSpGFb+UfVWxoFiQ1SuuKJZkRsWK YkXWqFhVrMocin9W3JY10fulZG7F7xWbMp9iS7EtC4SRsP2yd8IOhD0l+0HYobDnZe+GJYX9hWws 7M0wvexCmCmsU7Ye9p2w74TQe336QvaH/ShsNORJ+v/gQg6F/bewqZDYsOmwn4XE0ft1QpLC/jFs KSQjbDlsLSQr7F/C/jXkC2wSOx5ynP39vudCfhPxQcQHcvrEl54EgEoSR58IfnMD9ICQ/HRQEkni B76k44f5UX7iSyP8NH+Bv8zP84v8ksB+xSxECAeFmK9MCvFCknBYSBeyhNzi+2/FfXGg5Dx//S3C 3+Rv8xv8Fv9AkL0V9+U2sCo52PgG2vgfCMN8yHxIZGDRkSQE1j2Ld4QS2Y9kPyKM7D3Ze7BuTPa3 JET2E9lPSCjeEaqQ/Ur2K8Lis0z7ZO/LrpJwvBdUiXeB7pf9RvYbEoH3fz4u+53sd7v//SuECWH2 /tthaIiCROGzT9EhUSFR5OmQ6JBoEoN3bD4TkhySTJ7F55riQnJCckg8PsX0XEheyJskAZ/xSMR7 Nl6A41cyB/DMURI+lkD8wCfwyXwqn8Fn83l8AV/Ml/JlwFO8mtfxBpDIO3gPH4B17XwX38uf5Yf4 EX6cn+Jn+Ev8HH+Fv8av8DeAt/g7/Cas2+TvC0SAqEyAeEuAaFeAqOmRdkGAWEiAuGevlQjHhXJB 9VDTCHrBKNgEJ2z7UbsszAO9QqvQIXQLfXttQBgWRoUJbNOwv0UYyxSWoHdduAm928IG7DNT2BIe GGRCK3x+Zp9+Z9agz5U/geckGloIiYUmJ0nkRRJKDkMLI69AY0k2tH0kB1o4yYX2GDlKvoDPD34Z Zp3gk4N/ScrxycFTsD81tCeJFtpBYiJm8hRpIHZyiLigPU2aocXAfPQOeYZ8F9qz5D9CiyP/iQyR z5AfQXuOjEJLID+G9jz579ASyU+gvUD+nlyC45uDloz/v/MlskT+iaSQX0M7TH4L7bPkn6Glkrvk 93Ds98j/IZ8j29BeZWRMGMlgwmHuy8b7uI/A3BdJcvA+7lwmjnmOvME8zzxPPo9PLB6F2fAY+QL+ n7sC5puMinyRqWKqyJfxnu5ifD7xLUbP6EkJIzACeZuxMCI5xjQxHlIKc6ePlMHseYb8JfMtpo18 g+lgOsg38fnEUzCTTpEKZpqZJtXMBeZnRM1cZn5BNMw/MP9AtMwvmXlSh/Z7GmaBZKJnU9gUIuDd cwb2c2w6qcc75kxsNptNzGwum0ss+LyMiPfHWVkVW0ka2Gq2mjTCtV0jW2j7mbTeDXcAFA2KAyWC UnaUtqNMUA75OhfNxXGJXAqXxmVyOVw+V8iVcMe5ck7FaTg9NCPIxjk5L9fKdXDdXB83wA1zo9wE N81d4C5z89wit8Rd525yt7kNbot7wMugsXwEf5CP4eP5JP4wn85n8bncZf4oX8Qf40/wq/xJvorX 8jxv5u28xPv4Nr6T74HWzw/y5/gxaJP8ef4iP8sv8Ff5ZWhr/Dp/l/5ftNCq0Dpwgt+MOAUWKwP7 /P9l329BexytPBKt/Am08ifRyg+ilT+FVh6FVh6NVh6DVv4MWnksWnkcWvln0Mrj0coT0MqfRytP RCt/Aa08Ca38RbTyl8g8tBS09ZfR1g+jraeirb+Ctp6Gtv45tPVX0db/AmxdRjLRvl9D+/4PzLNM 
HNg9tewctOzX0bJz8TmFN9Ca89Ca30Rrzkdr/jxYcxN8B1yMC74D9GmFL6I1F6I1FzF/zfw1fB+o TRfjcwpvoTWXoDUfY+bBjkuZBWaBfJX9Gvs1cpwtZ8vJ19g6to4+cRwpRbbCdVLCuX+MMOZxQvSt oA5QN6gPxqZgOQAaBo2CJmBsRv6Evs3czSf+aeE2KWKqvtPcp+8xD/Bpj4qO6fvNw3wmKEfMoNIP mkf5/D8tuo3+nHlCP2ae5gs/Ev1bP2m+wJeAjovZ+vPmy3z5nxZuoxLz9BfN87zGPK+fNS+iFsxL vB5kFAuwbxOLeadYqr9qvq5fNt/kvR8J/24Vy/Sr5tt8x59Rt3gK97Fm3kCtm7f0d80P+L6gaF9/ zyLjBz4S/Vu/bWH5YQtLl1Sc3BLBj/550e24cMtBLtISw088Ki7KEs/FWpL46UfFJVgO8xc+Epds Sf80MnXZ57lUSxaXYcn9o8q2HKUy9doXqbg8S9GnUoHlGFdsOfHvyXTWvsSVWk5+GhkHG1a4MksV 6pRFi1JbeCrTkP06XRqv2pWmEftNTmcxcwaL/eMyjjXc4kSL9OdkGrffNk3ZNziHxYfyWNq4gKXz EbVbej6hLkv/I+q1DH5qnbWc44YsY5/QiGWSG7ec/4Q+fq6nLBc/jfjLopqbscxylywLf1Swjp8X dfyiaMDt5ixXP5WuWJb/qO3Q/S2Brosid82y+mnE3xQd3IplbU83LOt7outvgzZED/a3xAD/QGzn blnu4vF+TIJM7ML+Hcu9PyeBFXuFCPHsI/vYtGw/ovui/OMSDopDQow4whMxXIgXx3GZJE79seP5 98QrxEheKUZ9QgfEWD5aTPiE4sTkhyUcFmd25/ZH5uKduXJ3jhPSxUu7c5CQJc49PI/s2cnD13X3 uuyeo1zxyt65PSpee/iYcC6ZgTkF7NF0KWiXprmd7zD9Xl0BXbNvUXs3rYBu2B/s2rPpFizhfYQi cUU4Jt4QToi3hJPiHaFK3KT+RdCK9+k4fjbwEQJvJdSXCGarQrBblYJkPSD4rNFCmzVO6LQm0rmd fmahx5oi9FvT6PwsDFozhXPWHGHMmo/zMszp9FwIk9ZCOncK560ldL/CRetxYdZaLixYVcJVq0ZY tuqFVatRWLPa0EdSH0R9Aj2H62KqcNfqpH5MuAf+Z/c8b1tLDHKrl+6DrjOEW1sNkdYO9D27vvah a7S3T6odn7LrC+hxUd9oiLJ2G2KtfYYE68Dedabbw7Wj196QbB02pFpHDRnWCUO2dRrH8sCHdwZF /TX1249oMOiXDQXmCfTH8D67vpguUWA/+Nk+5mPpkspQbL5ORf3jrl/dlaHUvEG15yOpz9zxjQ/7 yod95K6f3JWhDPwg+EL0feAPDacs8VRot9TPJQRlUFsvULs06Kz/l72vgY6qutq+M3PvJEQcQxr5 MyI/IcUIAcOPGBERA0UIk/lJI9KAmODMnTszYTJJw8wEA6YYkdIUKIWUUsybFykvLwWkiIiISBEp pUgxpZQiIo15ARERkUZ+xm/v59xJQsAlXe/3rfWt1a6z9jObfffZ95x99tnnJ7OGPYHAzP3gy2ce CsyaeQQxS/kjUDXzeGDezEY8q5l5Bp9LZp4PLJ95iedtoG7mVZ5P6NfqkDGwLhQf2BSyYF7E5oGe FzmXBraGkjnPBXZQbtLnSGB3qDvnLa4fy4E3zK1286olv+hzi21w3gzsK78YOBjqyW1sqU/6PN8C h0NpgWOh/oGToczAqdDwwLnQSG435yTuQ+BiKDtwOSTWhm/LQXq7SiQ9j8fy0pE2Onqb0dd2+bil P5yHY/RN7/qGfFpi1j87lifwWMTohjzZNldyfozlyDb5kHVhh3U4N5EPSpLK15WeqzDyGJderIjn 
fpZerrCUSRXJZeaK7ixHzgpE1pR1rOiJ/QvFHeuWJVWkYb9B+46yrhX9saegnFbWoyIT+zR9T1CW WjG8LL1iJK//ZYMqsjnXlQ2rQC4sG1FhY+I5Wja6Ir9sXEVBmbWikPNwWV6FWja5ohh7MsqXZdMq ylDXVRFp2TPxnkffo8CWboOflfkq5pQ6IvPRrtjeLrY3cLTmYFBsD6PvPdgWbAQrqoPdww7UidVn fc7R/G+OC/YB9y1UsQAy3jfGSN8nXke3shfktsX2dG32dS3E+7kYtd/XxfZoN9mblVUK+ta9Ge+9 2u6/eM8V23e13WNxW7ku68R8os+tkq4hGz57hPJLUkMFiFXe88TmVXqosGRQSAUNCxWXjAiVlYwO RUrGheaUWEPVoLzQgpLJocVt471kWqgW5Aqt5PlV4gutKgmG1paEQhtLKkNbbjrf6HxQMje0vWR+ aFfJwtDekqWhA7H5VrIi1NDC14eOgtaETjBh7q0PNZVsDp3F57bQhdgcLNkZai7ZE4qW7A/LLfOP 5lXJoXAC2nMknMg5q+R4uDOvPTHiPWVJYzil5Ey4N/p8Ptyv5FI4g3MX54+Sq+EhvKbE9IPGcFYw PjwqaAmPDSaHczgegz3Dk4Jp4anB/uHpwcywxvuC4PBwgO2w/4Ijw+XB7PAs7G1p/IPjw1VBW3ge KD9cwz5n3wULwkuCheHlQTVcFywOr+bcHSwLr4N+JLwpOCe8NVgd3sF7wOCC8O5Ybg4uDu+LrUvB 2vDB4MrwYT6PBNeGT/KZIrglfC64PXwxuCt8Obg3IrEfgwciZj6P8NodPBpJYhvBE5GuPM7BpkgP nlfBs5HU4IVIerA5MigYjQwrlSMjShMio3l952eliZFxPOegR+0u7RyxlqZE8kp7RyZz20v7RaaV ZkRcPOalQyK+0qxIkPtVOioSKh0bqSzNicxFTtBzLufJ0kmRhbxWlk6NLC2dHllRqkXqOd+VlkfW l86KbObYZX8xX1oV2YZ4plgonRfZWVoT2cN+lIySwVJtWShJ//4Lyr/QX1DOShda/w7gyZF8noCn 3DPLU+WZ56nxLPEs99R5VnvWEW7ybPXk6KUctMOz2+PQyz7PQc9hzzHPSc+p/O2ec56LnsuapJnz m7SOWtITnbWu+Se0Hp7popAGkZaqpXs0UfL3PpGoDdKG5W/RRmijtXGaVcvTJmvTNJfm04JaSKvU 5nomxQppzNcWaku1FZ6pomj12hptPeltRvu4RazJz/iN9Aa+5799LcX24/9X7kEn0tzIpdIJ96BJ uAf9Du5B78Q9aGdJlTSpi+Sj0h23oXfhNvRu3Ibeg9vQnrgN7YXb0D64DU3FbWhf3IZ+F7eh/XAb ei9uQ9NxG3ofbkP705zbL2VIB6jcj9vQTNyGDsZt6FDchg6T/kc6LT0gfUIlC3eiD+FO9GHciT6C O9FRuBN9FHeijxl6GHpI2bgTHYM70bG4E/0e7kTH4U70cdyJjsed6ATcieYYnjXMlqyG5wzPSXbc iTpwJ+rEnej3cRuaTzP9NekJw+uG16XJuBP9Ae5Ep+BO9Cl5vvxjaRp+K69Q3iq/Lk2neb1Hcsmn 5NOSSvP3ksTjF5IqW2NVTZYy1WS1u9pTTVP7U8lUh6sj1Wx1vGpT89UClMVqrbpSXaWupbJR3aJu V3epe9UDaoN6FKVQVdVitQz1+6sR4By1mrCQygIuHDfG+yhuBuhxk4T3c8QYaYy+S9HDsSKT/zMp ejhWzIiVOIqUMRRDfGfegaJjMsUQx8dtiI+OuCe/nfrlpUjiaEikWFhE8cRxkERRsJriiSMgWXqF yp2IgM6IgC40/rspbvk+vBuN+V8pwnjU78Kop+AO/G4a+TNSD4xxT0MijXEvjG5vjGsfjGiq4SnD 
NKkvRvS7NKIBqZ+hnEY0Hbfc9xkW0Cj2xygO0H9Hku+0BxpeM2yVBkmG+GHxI1rHw50vd3Lnty9q lTrPXeAudC8QRa1xF6hLuLjV9kVd7i52l4mi1rkj7oi6miTtirrOvdI9h0o1FWFzEz4Xu2tjRd1K OjcUdYd7FVlY696oly2iqLuB+wi331jUg+5d7r0tpdq1J1ZaLFe3LzN2emvcB9wNsTJjj/uoXk60 LzP2U6uaRJlxyH3WfVZNIEm7MuPIjOPuCzMa3c1UolxmnCk+6I6qspoQKzPOq4ntC3lnnnuVZ4S7 Qe0siuuQKDMuqSlqyowzakprO9u0+Kprodo7VtzNar9YIYvCdoZ6uF05pp6k9wxpKafULC6uhTf2 Wj3n7q6Oaims11kd265cJLqs5qA4VIdHEnKP2dORPicJ61w8SZ6u6tQbi6eHOt2TqmqIlzmedO4x F88gzzDPCNdVz2jPOI+11U4bi3muQ23iKaCWeyaLos4SxTON49vjQuwWe3yeIMeCJ8Qx46nk+PDM VQ975qO3Yz0LPUvRoqWwvkItV8s5UgJG+GNVID5gYa8Gktn7ge7saU+9Z41nvWezZ5tnp7vAs4fq 7SfbhzxH3GWe455Gzxl3tec8tW+l55LnqmbU4jWLlqx113pqaVp/90rXTi1TG66N1LK18ZpNy9cK qMXF1MrtWiFmWbWmasVamRbRst1l2hytmmzxrEWPoLkS84R6pC1wR7TFWq220p2vrSLbe0ivkObS Fm0tcQXaRm0L4XZtl7ZXO6A1aEcxlyOiaCe0Ju6tdla7oDVrUa9Ms5VLrTfBm+jtjBinN3lT3Fu8 vXk2evsRZXiHeLO8o7xjvTnuXV6He693Elvhmeed6p0uIlUd4tW8AW+5d5bq8Fa5y7zzvDXqdDXF u8S7nLw8y1vnXe1d591E8TqWRiDLu9W7w7ubYs7h3UfloJrjPYwIzFAzxFhBbypHDI+V9xjRSe8p 7zk1w3uRnpR7L9OibvZ19CWpQ3xdtZW+Hr5UX7q7wTfIN4xr+Eb4RvvGUbEixrM88yHN8032TVMd PpfP5wtSCfkqKYa5ZPnm+ub7FlKrp7vn+Jb6VqgpvnqOU98a33rfZt82307fHt9+H81a3xF3re84 xWOA++Zr9J3xnfeMpggtVzN8lzw7yTdbPKNpxh0N9KTcNbX4YCAt0N/dFMikeI66mwPDKVMkBkZ6 GgPZNJcbXHsC44sPFh/kee3ODtjUfoH8QEGgUBvv6TGjI3l7FUclZTPOT838WtIiDfrX3kAxZSrO d4hgockZBuOS7T4bKHMtDEQoxueQvB/pNVC+SglwjQOBBYHF1MbawMrAqsDawMbAFmTBs4HtnAED uwJ76W0HAosDDShHKc/JItdpWwJ4G0dwoNZ1KNDE2SzQRJZZ82zgQqA5EHXvCiwQmQu5KzFgpFJL Pu3NLfGe8l3180+8xfst/mTKUGv83f3dXWsoVur8Pf1pnJPchf7+Wpk/U83yD/eP9Fb5s9Wx/vF+ mz/fX6BO8hf6VXpS7C/znvJH/HP81Txj/Qv8i/217jne5f6V/lX+tf6N/i3+Wv92/y7/Xv8Bf4P/ qEfynyBq8p/1X/A3+6PFsta/OKE40b3Wf9R7yr29uDNpF7hPeOfhCb6T4y7jb+V4N3nW8Ddz3Ctb vpsztXi6+0Sxhm/n6N/NcUf5uzn+Bk+j/v2cGveum35H51TxOX9D8UWaa82ejvwtHU/HGWaKUwfF q5VGfqNaPiOJcmM/157Wb+54aLWYMUxNnNHVm6h/a0f/to46fUZecYb+TZ0e+K5O6zdzYt/I2eYL Yjc14N8nzH+hE6YqBfCths6EkqtRMrgzpWTXCSpNrqYpBVMKXGep1LpqwV9wXZhyYsoJVzOVqCvK 
MrdMJcGdwLKCyoJKdyKVzu7OU4dMHeJOodLb3ZveY7RYLbn0jkScaCScaIw4y5iw55VxllFwijFj zxuHU0w8TjEdcHK5DSeXjtjzWrDnvQN73kScWTrhtPIdyZA4PbEYfcL3Dl3TJYNrHn3SGcVVI3ca H3VV3QrlrHBVTZCJEr6BEgXlrBc0ofMtUgpR75tQP0E5e+gz49Yo5xB9DtEpS6dRglxTxWfOGaLz xI8lyrmRcq7Sp+PbaWK8bmOSTmx/ejvSbkKBdlT+T9Asoqqb0DyimpvQkna0/NbIYabPOqLV30Dr BDk6Cpqw6RZpK9GObyZHEn3uvjWyc+zs0+mgTocFObqKTzuNj6MH8ceITt5Ido6zU99OjlSidOLP 6XSR6PL1lCPdhMztqOM/QeSLnK43IepPTuqN1N7XOem3RhOH0+cgomHfQPRs4kiibF1vxC3S6JvH DmywTRt9jrs1mphPn1bQPHzmtaGYTqH+qRIVEz+59V1taWKZzk/7dpoYIZrTzoarHflupInVRAuI D1LemS4+J9bevD3fSCGiypvQXKL5N6GF19PEla25+7p8G8uXsTy2qjW/TFx7ff5oiZO24xobl5iP Nrbx7Zbr29SSU9rGZmwOx+YW29Jj3pHXLq55PLcT7SLaS3TAVZXLbaD1ZeJRIec+8Rox8YQLa4mL cuzEs0QXiJqJqP9WXrdyRH+ttFZZea2icbFSXSvVsXIeCOg5nfxg7SfypTVD2LXSeuKi51ZaP6yU U6xky8q2Jun+jfmT6vI6aeXczzazWv3MtqzlwgY/s1Iut1aJdt0wTu3GqGU90ceJbfHaaKW8b6Vx si5pU98hxo7/bSXfWymPW2neWdfpOnIbSrwJtV+X+92EMlyt62ubNbaFxrah9mtsbL3836yTs1zX r4XzXK1rYJv1znpYxKWV8r/1pM5TzFnP6TFL8WalXG69LP6dK+mflKtzO4p5m5sk5hP3K5fyby7l 39xUfV7E5oGeFzmX5qbreS6vdY7kDhP5i+u35MD2c6vdvGrJL/rcytVzMcd/7mjRxpb608R8y6X6 ufweencu5b/caaLdyEvUh1yyl+vT631b/mmXx2+qE2vzTfJxC01uQ9/0rm/JpzwO11H7PNk2V85t kyPb5sRBet1K/Vm6yNGOaWKMHS7RTwe9z0F6jpCQc86yU+w4qB72L7OEroPegf0G7TscnOtO6vls oR6b+p7AsZSIcgKv/456Pc+tEXYd6wXxHHVsJtpGtFPkYQflNMd+PX9SvnQc0usecbXumQ62yaPr W21gL3Wc2r1bb1f7PNwuB7fsYWJ5eL1uo9FVZVug14nVPyVyM/69WvgAfTujy+ra0Lqb0K3sBXe7 Wvd0B10t+7oWOtaG2u/rYnu0/83eLMl1/f6rh6tl33XdWrZDr9u11SexuZU7X//kebfU1brn0edV LsVEbr1OFA+55PNcGr9cGr/cnTpRDOTuvz7ecw/pdETMr1wa51wap1zyf+75m883zo25l4jobGMz EsW3zjebpQ2frFN3QTz3bD2J0vTP/q1z0JZJRPnONrLN/KM+27JFe2zjRc6y2cTaEyPeU9poP2cr EH220b7NporcxfnDVizWlJi+jfZrNtqH2WgfZqsW8WhbTET7KRvtcWyrxL7Atla3Q/6z0Z7EtkXk Yx5/G+0hbLt02it8zr6zcb0GItpL2E6I3G1r0vVpD2GjPYStWewBbVFXS262y63rkp32E/ZEcR6x p4gzhZ3WSDutkXbaN9izhB/to8R5hNdue46wYXeIcbZPEvPKTmdIO62Hdlr/7Gyb1jr7LLG+41mV mHPMc7vtNK52WvPsS0Tb7RR/9jox5nbWWyf6ZeccRvPNvkPkhJacSznMvk+slXaaZ3Y+Mx0T+c7O 
7TknYpf9xbz9oohnjgU7+dUhCT/ytzFu33X7O//+Nsa/0l2ZnC7v5r+oGvdJGyQpridRGlF/okyi 4UQj23xm65/jiWxE+UQFRIVEKlExURlRhGgOUTXRAqLFRLVEK4lW6bSWaCPRFqLtRLuI9hIdIGrQ 33WU6ARRU5vPs23+fYGomSgqSfEyUUKbz0SizkQpQp8/43sT9SPKIBpClNXmcxTRWKIcIgfRJF1/ KtF0Io0oQFRONIuoimgeUQ3REqLlRHVEq4nWEW0i2kq0g2g30T6ig0SHRb/ijxGd1D9PtfmM6Z8T PsXnUb2e2ub5RaLL+C++pQ5mIpqvHZJaP9k/HboS9WjzmUqU3uZzENGw1k9uc4cRRKP1+uP+OcKY taXxgvj919nr2o6sRHn6p/VGOx0mE00T/u7gIvK1+QwShaQN9vn2hfal9hX2evsaJnPIvt6+2b7N vtO+x77ffsh+xH7c7LM32s/Yz9sv2a86jI54KhZHsqO7o6cjzdHfkekY7hjpyHaMd9hA+Y4C/LvQ oTqKHWWgiGOOo9qxwL7fsdjsc9Q6VjpWgdY6Njq2OLY7djn2Og44GhxHqd4JR5PjrOOCo9kRdcrO BGeis7Mzxdnb2c9R5sxwDnFmOUc5xzpznA7nJOdU53Sn5gwQlXMd5yxnlXOes8a5xLncWedc7Vzn 3ATa6tzh3A3a5zwIOuw8BjrpPOU8Zw45L+rlcgvH/OU8SS9mKh0dzXlJJD8mSl7XvB5EXfNSqaRT GZQ3LG+E82LeaKa8cXlWWhO63fQXFyT9Fxfi8YsLCfjFhY74xQULfnEh0ci/uJCEX1xIxi8udMYv LnTBby10s/S03C/dZRlsyZYGWIosqvSIxWcpkcZYyixhaYKl0jJbslvmWp6XnJZFljek71vetOyQ 5lj2Wj6RqvDrC6v/P26ZwZBkCOD7Ktuk+ySpz2GdaKb3OanTKZ3OteGZaHb3uazzJ/k/bhd8qlmn jjrRTE+lGZRKszuVlFLThW7qIF2fZcPa/HuE/jlap3Gt70y1in+n5kn32c1UOtqT7F3tPaik2tNR BtmH2UfYR9vH2a32PJTJ9ml2l91nD9pDJK20zyVuPtVI12ejmI88E+vt22is7sAvbUj4jQ0jfmPD ZMm0ZEqyZYxlrKRYHrdMlOLwexsdLU9ZCmkcPBavdLclaCmVeloilmel3pYqy4+kNMt2y3apn+Ut y1vSvZazlrNS+v9j64boD+SHCCcrGuFt4BPADwE/BPxg8PfLVkZlDvgywkxlGfiHwGvg7wM/AbX6 E2bo1pywVslPoV8g92NUHPytJyVCfLKcyqj8kHATdF7iutfAX3sTdqog94pW6W0bCcul4MdBDl55 mtG8DPKHISkiOx9xC6+dUCahtSPRI1H3Puj8AK0dCptF4B8E70HLH0PvVNRl/n7T15AMAP8RLNyG p+Mg98PyY5CXgL8D/CPQycDbC/CWO/CWR8A/Bl7oD4O+i3AQ+EHgM+Us4DBYgAQ4GPIH4KUHFC/e kgUd5gebalFrDzTLYLkefB34A+AXgN/ObYiOgv5IyIcC5xIOBA7GeA2WxwAfRK3peK8H+LpkMPqU GsKRyjzC5xV6u7EcfBegCXhEWU5YzZqGTsDlqJUJlBhNs6FZr/yYcLPyS8JeLDE0Mm+4gqcroD8F +nXghwCTYfM0dPrIfyBMkd8hdMgN/BbmDX8Cvgu5S/4LoZU1DfHAqahlBP8moykVmkWQ+1nfEIWF 18C/iaf5eNod+mNQtwn4lTyD5DkKazbLxcSblffZGyw3FCr7CD+WKXKMfVlHuqK8SRIL8BNdQmh6 FHb6AtNQ1wesBfZSvounT7OXGI1XwB8GfgxcJhfwGMXdDTQymq8CGyDpC5xC76oUIwjN583XeBzB 
dxGIWl1QqwtqdYHORjzdCMkRSKoh+Q+OBEMn5gmNjGyBsAGSvuCvIR4oPo3ToT8LdTMhkcBLykkg S/oB6yGvR182g98seLRwM1q4Ge3ZbKbsYXoP/eqFCOwF/aFoVSPwikBlMUcXnq6AtRWwtgLWVsDa CvYSRSC1wYT3msQbk1ErGb07DWun0a+vaLkjVBqBe4EbgFfxlOaaqRvGsRmaR4HngM3KIcTGJY4Z ltA82gvcALwKPMSjDP2PYfNjIeFahtvRqkHMS1dYhyJqL3AD8CqjTNnAaBCxx7zBAmufKL9jZIl0 JW4y9D/i9qAlfblHxqtoQxokaZCkoYVpaGGaeIr2p8nnqKdPiUhWLnIM4y21qDscLdeAvczl0NkL 3AC8ivcO5dhmfZMiEP78GLgM1pbBY/t4ZlFGqkdU70CsCkQEgt8sEJZXgE+GfjLGPZklNDp+eB7I vSMf+tFfzFlGensj/M+SdYifB4GPIwd2U35NeNqcQ1gD+ReMBiDNjl9jlP+LZyskR6A5BbMgGTgE djIZTTXg65WlaDnVMg2F/Z+i7ijofwQ+A/i6iGdkzteQRT/ELIhjufkyx4Z5DftNuZvryl72nvlD 5s1W5k1bEfljEc9/ZoyTub/mJfIJbi2iay78Vsrtoflohc8HArvB5wOB3eD5gcBu8P9AYDfMx4HA bhiLgUDW/xLtXwTLKei7D7llMzBZ5C7zfchUQwh7cEsMV5g3vI2RHRl3L2cw6JvAH0GtapGj0PJq zN9MkWf4qWk25vVs6NQDewEfwYxuFBj3KiOd1fmN/HQKImcKMkMdS2htYvvj8HSIyBKoezruCUQI zQLjQGCW/FdkJ9Z5GJK+8oeYg/8gHIX5csFMK6/xdyynGfEPZH6aEYYi8K9whleaMC8k1lfykAc+ g6Qbcs67mGsd4igfGt7CfJEx+pd5NCkjfYY4/wwz/TPM3M94nuqIOQi+QcbcZDtGv/I54R2MZOEQ aon8wxnmHPpSyW02WZW3CHNFrsP66Ee/CuNoB2WcLXrNOYcsP859Z/uUefryCohePKrnw0NoD2Ot QPPPgBeRPeqwW+BcdAVPD+vIWcJp/hFyyFDMWcbH4npjpf4QOepDeJJWasNu+Tje9Tny5z/YM3j6 KjTvAp+OzDlQeYH4M/J4wvOyF2PHWXQo3jsUfBzwZ+jvAaBR+ZJ6FK8EsL6znSHYpaTCV9l4y/vA /dD/Ayz8QWROvN0G/JLHwtAPmXMK8vk74BcDixTaYRonwX4+Rq0n7DRCgsxvOAqsgP467rXhslyK PlYQpsuHOZ9A52X06BNup2ElLNRx35Wh7CUljdG0jGOS8hJZM33GvDwT/ExuucmOUe6GTPUPPVNx XH2HrZnu4RbSasi9TkK/PpCPEX+//HviN0IyDC35HPgs2nAU/coCn4e6Y+RNhNkyr9RLmKd1h311 DJpppjuJ/xTWrgDXQv4YLDwgVxN+Dpyg0Bw3ymjb3Xjja9BfL7/L8Qabl4HVkH8JC1mwdgj805Dv UY6jzRz5z/NujXZlMwmXciYneTbZf8I8mPRLZJ5TGiPtD7nWGPhntfJ7zLsKRCDjO7x7N/YxPwF8 CJgOTAA+CVxEKPa6DmgOATrM/TnjMW/4k47pwATgk0DWcUG/BtZqILFCMk3hHBuPuvH8dsJ0YALw SSDrPwDNqdB8UyD2ckWwU4SW+8H7dT4dmAB8EpiPPDOVvPQI9t5R2IzC2mvCpryWIxx28mEnH3by YScfdvLhjXy2ZhrDmqZc4JNoeRPsNIF/F/y7aH8f8/vwhkDR0/fRKqDSETbfR92HgCyvUOjEZ7QA 76QzPefDx5DlKEsYcyH/BaPhXfAeJRuzm3EdJIeheSd6miJvJKxk3mhkNI0DXwT0cy1TJ0Zafbhu 
Emq9CftnIQnwTDTmK8MRw+zDhewx8yjuqXk3o/wrriX/g3fIyifMm+di1/EAfBiBb43QH4W6RzB/ h+HsY+PzLPmqCF4qgpeK4KUijFQRvMT8O2jP09A3ge8DP/sZyXuIXiWXo5RP7tQLXgt+Ie8kSYoe tyIyExCNIibTEV0JfF7DmKZCXgSbUeBrOvJK91pcOfRZpzuPGsVDf/ROoIiH/tBJx9NFkCxCa39I OXauieZj1Gr6glHpJRmuvcf3HtfeU54j/V/yCd20T5lG/nyQM7z8DPOmV4A/g3yNEiR8iTUN0KfV n1C+B3UnMJq90Hybbyfkd/nuwnQCFr7P9yFyIp7+FrVeZoy7C/LOsHAVuA7603AyreRxN73K2dt0 HPz3gIMZ5Z58npV7Y12eB/23MLJ/ZVRWQWcw83J31jS9iKzyKXgNT+/F066M5mxYECfodcBxeNcj nANNL/GNh2ksr7Omv2NXMA/ngt28bzft4RMx7Z1Ix1DD/jTUw6uzIHmedwjKOdjZAWwA/hn4V9hp BB4AzpS/hvxp3s0yKm+DrwS+jvPyJZyOf8u7PvkR7P3e0HkjI+/cCBsg6YuntLKYH4D//dDsCHzQ HCbcCQsLgJ8KZAuEDZCwhVeg+UvUusoS+Sok2HkqP8f6+HPsSHcDK4BHscP8E3aSu7GPfQkn6Cjv KimWeIfchDfmAV/lTKt0g81uXFeJgI8Inu0QNkBCdpQf8Uk5zoh+mZTOhBNh5wzaOYHnu/wbWLDo yHYssGOBf36DvvyG/aM8yHzcD82/AIY4NmAnLBBe7QD767jvpnLs8f4ikPdvhHuBG4BXoUN5zPwY xroKmmMVOnEoy8z3kLWH+aRp2sJyuYtAtkC4AXgVaOXe4SlO0KY9LDHVo+4pnpWGY9gnPwtcCtyF /eQcnElfwJn0OeyXarA3wDndcI53gMY6WO4K/iCfmk0jlSjPHcgHsx35JLdfxt5bfkYg5M+gtc+g tc+gtTXcKrmUz87mP6KWhB1jCvqOc7fJCdyKfcJv0aOlOEEvwk5sP+wPEIi3DMBbBuAtA6C/n70q v8DvMg9RZgH34maDa90pEJJceOMSPNasfIi5kIWoFsjxmcFnZ4o3kpgDCmIDvAc9CmNOhaH/F+U0 RkQge7gHn6NlmSVKobwdLWR+Dvg70f47IUlCNNYCJynJZK2Rz8LKo+YakrzPcmUFno5hNL0B/gvW kTvh7LwbOg2sryRg7twDfBJn4d/gFHyeUenG+zQlwrXMI/GWUbD5e6yPH8DyK7BWBbTwiVvegqcv YzYlA7/DTzvgpih+Mk5eX3OWVoo4v8W9jRw+lnnj33A2fwBz6irmy0tiFkNihoUrbDN+srySanXC KvAVt5A8z6Nzjc/RlK+6YVwGAvl8vRLn6/9mnjQHArthpg8EdsN4DQRy3ZfNnAdOoA24qZDzzCm8 xiFfvQsMI4ek8klc/ohP3/ImRloHObr2mV9GnPMc3w3+KnrxEuqeQG58lSXmQ5wrzF7I3wZOR344 gbrfB34adz+wmldAlihxHFFxd0G/M/Bl2ERGNa3hs7b8PT53yE8Dk7EiP6G8hOi6CJ70zZMgfxrn rzdw4ivCXPu7uRvWPpIrOMnSHOTz0TvYU33GmvJzyANzebcftxzzsZnH0ZyD0fw5S8yPKeyfFD7V UoRzTsNdn/ElxrjlvAaZDvHsM5XzKZuQe7EF/BbM7nnMU12B/HQAnt6DmSX4MLdBHsxvobWVTmTy CJzL/oL7nAZGmkEbsJJexBrKJ6aZ3BflAK+w5jxk18+xE6jHKUbFqe0rPqfLuHs01fEJ3fgCZ3iz xm1WziEn7EB2fRoe+DPzxkbgATx1mu8ABviNHEU0Fo28IuNpJfAc8szrqIVbUFMXPrNTRnoFLX+F 
s5yZYl6+HWMxAFiIUZslc759B/g1+v4xRqcHdHC6Ny0Cvgi0Q56PE1wD91R+HJI+4IfK78E+n/vg N8Pf4I2O8MbdOInP5VO8XCGfpRY+g1oTeH+lnEK07JZ/gFzE/X0Ddd9A3QmIlhR4/hPgPLRnG8bu Lpwff4IRfx2rzBqM9UhINvA5QsZpVN4B/bGw9ltG5X3wm5HbzeArcaYWFrKAVXzGlz/AXP4O71pl G7dTUZQVnDHQzuWIlm3YK8427SF5I3vS/GeOUlqJGKsZ5b/LPC4vI89XMK+cVnitfxWr1YfQUZEJ LyNPFuJpEqPpF7xKKvO5heaJ8MAHaO0RPvXLt/Gp31SKE/SnaJUVvb4H/RrDrVL+AA88Afkm7oVp l0ynBvlX/Bc3eYXpr2gD8ea/wP5h6D+DUX6G7wEozvmNf4K8D/hf6jpscwHfA5glRrmObwNkB8vN M9GGRdBP4dsA43nYnwp0QP4RLNiYV34Gvq94C27nBmBWYn00/w2+2gbETti0FjgLKObjndjHvgl/ muS/EZ/Oq5JpN7y3DPefSXhLDnAUPLYPmeEaslkz/PMi8HuIsQyclbYBh+n8Q8B0YALwSTyls4/y E+zhz0Lzx8BXlTVkPwv8AGCNjunABCBb+B40e+CkOZsl8mxIOkNyDifc+Thj1gGfBB7EWR7tMf4a J77FuFu4yKczmmtUy7gamhfx3md5xyvXw2Y915WfB9+k40PAdGACkFvyOd8J0Ml3KnlyAPr4Gv9F 2/Q/sJkOnAZ8m0++cj9Ye1HHh4DpwAQ8fRJIHpPfY8vmnfxXP8LVZOF3qJWqI3tpEyyPY2+Qn3Ph Mcafou89+D6BekES5QO+baC3MH8MfCrensoSeT3aNoLR9IVM52tTifwWzwtlATIbP23G0y+BGiTP 8snatB7oZYmSDf0QfHsP8CIjZYaNvDqDrwc2cS3lGqN8GDaLWG56AZZ7As8iP7wobyacjKdD4eE6 4CLWiU9jD8TDD8pPcd78AqvnYebjZmANXY+nP4GHZ8N7DwOfR4wthYU0thm/iXdE5sU4jb4hv0FP Q3ps0znatEGPzyKcoThyXmCe7BRhxIvgYeaH8u2EPBNvWcl2aN+YwZGAuO0OTEV7XsK7piudCDMZ TVb4sxJjehzohf5s6PcGPxOj/32WmFM5QpRVkA8GdkU7X2Te+Cks/NhcALzAYwedZ3n0zdl4+iYk I2BzHSR2tHwmfP42y807zbejzbfDG/zti8Ff0yogmb7+Pfjf8PcHgJlf/xr8vcB5/G0E/el/AfFd gq8j4AV2BS6CXNRdD349rK0DfgDJB+CPQIfkRt/XfOc5Evg8sBzYBWgCHgFWMxo6MUpRSDKBEqNp Nvh64GZgL8FH+b66EXWvQLICOAW16sAPASZD5zT4PsAUoAPyPwHfhcQFtEISj/Z8CokRkjdhORWS IqAfctFmP9rzGvh8YHfoj4FOE/AryHPAN4M3g+8P/DjK+bAv3oseGSwsMXwCO49CPw3YF/Ja6IiW CP3DwGWQ+KIPcKwK/zNv7AI8AvwP4XPw04XPwUvAeuDmKM/l94TPWWJYAryCpytgf7PoF/hu4Dfh qQk4SPQFvEH0BRbu0HvB8o9Ev6J/JAtPwYIL8uGid9DPjPYkSWE0H73IR8vz0cJ8tIQxGfKvwPdi pPfmw3I+3sX4IN71OPx5F+x/AeyOt4g4QcyYaoD3ol9DUeunwFFR2p8YRJszgK8DE4FxjHFdGc1L GOU/Ah/kvpv/E/J45k1b9Rh+AJH5DP8FVkRmlP9u9SX4RdFU4i9Fh2E0mzCOTfA/Y4UY5WtHeZah dyOjJTzLwJcL/to+8LfBb4zVeFoddQJvgydZboM8E7Uk8JLO38ZzEJJ6HUuAXMsJiZMlhkb4/4qO 
PY6yY3EeTaOX4EtKD3kbbpURkFxrn/QyUWI4TpmVVKGoGhL6CHg3aD/uWZLewejkfbAO6yHvhNl4 O4Wb2TLaAA3bDK5GrzeiVzmDevoLPLtKlWPxUWlz7BncJiNBMzmDO4Iy6AuchgzfCLc2bhRhIgz3 Lbe6BS6gBaIXTpTtQBfOqe3yLFAlVily8XrcvLrzMC7inuzGuwu3PyDuQPLuloW905ddqH0IYSZI 9pGsxaq2vC2cuNCanKusA39+Kx9Ufdpla6pmmvxcxHsvhNyegg8XhrdnOZF3C0J/2zHONLRulvWg VYfQovd8u5q3+DZQKt668EhO4TbchzWsxDuQQl+cAD29s4QGD4I3S+CV1A1ntVzrZViHdSA3bgTL cCrLlfPqylzIuh43kd3qzn4ztGa7im1GvWr6GbqThvdM7PMH4Jf3UfYzQt64YAE74FyR4Q3YkQm4 Ucie4rC6khPh37tpEupFYaay9mK0uRlSdolQEUoMSkO742mq2rnJ1AM7dIU6udrA75c3cgv20Xjs b3mDWw67GwKSp5gJtkry8ebzzoH7xAwfyRIxlMSZzbtI7j65B3DyqRqyn92Qg+xfsn9H3AyPKx27 ws+yJYG25mBnWDEjuatHwQ5a1H6NUnLCuOCr5PNHuIHUwTd5j/sBj4Gf0IbQpxTF43gR1hEp9Am8 rSfwXo23VXgn/ga3lM4gucb/4Bt91sJvw7x2rFre9H/Bv+aJrIPdvHCrvZilhyItiLQ+fm75mYHk GGiFn/2fIbT8LKElb1K2MqPZErX8nOFS9n/ucOnnDy3ZCp2R7L8jS49FsrRS/s8pJI9F/d5IW4G5 ll5CLR4j3ojnFtQyD3vgYrqkngjl47AKDyi2XPJRoNTblS1I1lkD2mPsUWdTSyJjDigee+xiIuMr YxxoESjeCJRjV2PEWLiSq1W749W9fO7vzfH35vJH+m5BctfJu3sE9mgvyAF62aJt4aMZyudPgwWO UtKVH47Kzw2Q581plsAbIBlOBsma8Ghg3dJajMffpkukwSo8BF31P/IzxRTYt0z6XH4mgPvso9g3 x2CPt8MS90X/+/hfPpIWdggfgz3NxA1BlooRYb52pJb2xf0jGZooP0WQtIK2MGMf7YeVkqfXLeBq aJuD2yvpP0m3gp6kcRhRDE4heWKdQi0P8lbhbQbyEmBzPqHDuH1HcDSscRt1O58KT/wct6GD9C08 pUhYhsu5Fzs4mP6hdrlGB6gJdrsL7HVXkAZbngYb3hcW3QVOQW5ftHU59PssahZRIzxzG065kbDz bZAmU7rKlAsrrdngV93G9/ANqHsl7oU7RBx8e/+91v9kUijsViJO/AT4OonIO0q1GJETMspqLiU9 0sXSgsLzHQSKUDaoEjt3P2QwX1uKdYjn9SjlUF6WpFXQ2nrYsut5FX2Eu+Cn6laxD7rwAcb533WL aHlX9/mVl96/f9Or93vql4T++/il9/JfeNZ+T/zS2wbh3NsBlCf6apx3RdD2UzScY+FzEvzMY9C+ cdQLuAgrGt78KXmG0sUa6FIZyk/AmizCGvRG24Hq80f5rwrLoB19OBy34K48BaTBUxgpuvBcUCm8 YxfWbw88q0NIj4LuRHEBD1faM5hb4bZ+lq9V1INzpGbxV9Cwfcp/SIH29cSaynNxMU6FS6wMWvJS iJcutWxsArVMlx77S9gdHWHLw9VZJD2IAoThiEkbXq1om/rEzm/b5TmMk5vHe4l20S6sL/Yu5i73 6hyUnw3fpFD52vIUk6eWPAW8t9sb+RX+GDcPl/LaKnFOVfJi76foPJ/LYUvngyo5GSdWpTpV5uJE LofMTRQHSWTwJ6CFoJOKXH7NYPmYNI3hVFKM6avgBvrJbODUDzCaKIiCcK+wKAymYCD8EmAo8DyF 
USgwXKGVwoARFA6vI1JhK7IqDyQC2Br4b+zDSGAbagWMoSjjZ4qlaGCcwnhqA2wL/Al7NgaYSLHA JIU2ijd+hG2U2I7aAh2UYPwA70lissIUSgSmUpJxFr6OxA5kB3YEnsHObwdMJwcwQ2Enam98T50p GdhFYVdKAXajVOM7WLyOwB7kBPYEfgvNTgdeRhnA3gr7UCfjG9gaiX2pM9BFXYH9gKepP3UDZlF3 oFt9lptNPYADqCcwR2Eu9TJOYV9dBhxIvYGDqA9wMPArGkKZwKHUF5gPPEmXkws4TOFw6g8cQVnG l9AxiaPIDRxN2cAxwH9BLwcAxyocR3nGF9DgQcBChUU0GDiBhhgn4JdInEhDgVcqvIryjc+xzy8H FtMwYAkNN45j14ww5CfwEqfQSGAZjTKOwbuVOI1GA8sVTqcC4zPct8YCZyi8hsYZn8JfHw/8i8JZ VAicDfwEdqcIeB1dAawAfox9MRE4l64EzlN4PV1lHMWuKAbeQCXABVQKvJEmG/+km2gKcCGVARcB /4FdOBVYSdOANyu8hcqNj3DmSfwrXQ1cQjOAtwE/xK3sGuAdNBN4J/ADqqK/AJcqXEazgHfRbON9 WMtrgcvpOuAKqgDiVmi8h/07B3ivwvtornEENmEe8AGFD9J84Cq6wTiME1fiw3QTcLXCNbTQOER/ o0XAtQrX0WLjIK2nm4GPKHyUbgE+Rrca7+LGKvEJ+ivwSYVP0RLjAD1NtwGfoduBz9IdxjuwMXcC n1O4gaqAzwPfpo20FOihZcAahbV0t7Ef5+Ry4GaFL9AK4y16UeEWWgmso3uA9cB9sKn3ArfR/Yb8 DPVBYy/s4yrgDnoIuFNhAz1svAmrJ/HvtBq4m9YA99DfjDfoZVoLfIXWAV8Fvk6v0Xrg6wrfoEeA b9Kjxmu0V+E+ehz4Fj0B3A98ld6mJ4HvKDxATxmv0Lv0NPCgwkP0DPAwVRsvw3pLfI+eA76v8APa AI/2Q3oe+JHCf9BGYzf9k2qBR2kT8GPaDPyEXjD+Drsq8TN6EXhM4XHaYuyC71YHPKHwC6o3Guhf tA34pcKTtB34FXAnrPpLwK9pB/C0wm9op7EDflQD8DvaBfye/m68RGcUnqXdwB9oD/BH4Hb6iV4G /kyvAf+t8By9bmyj8wob6Q1gE71pbCVDYUubblE23fL/pU1P+9Om/2nT/7Tp/xs2fdWfNv1Pm/4/ yqb/v+Sn5/4v2vT8P236f7Tp1/5p0//00/+jTd/6P8qmk/qsTnJb3zdz53i/kcsLSIc1IPUvPBoJ WNcusHHDsLOnYifOl9+hhd29JM347GL6xbd91cMBdOELwkKQ75u/LQqAddNFSa28QdyvtYdR/Ooz CIbywjNW4RW/XvT//vN/TLru7AJ3Vv9+rr6ZfXpf1rNH925du3TulJHu7NghLTUlub2jnd2WlJjQ Nj4uNqZNdOuoVpER1vCw0JBgS5A5MMCka4IpPc8xsNjmSSn26CmOwYMz5LujBAklLRKKPTYkDby4 jMdWrIrZLi7pRsmpl5R0e0u6m0uy1eYiV0a6Lc9h8+zLddjqeMKoQsTvynUU2TynVHyYiq9Q8VDE 7XZUsOXFlOfaPFxsy/MMnFdelVeci+Zqgi05jpwyS0Y61ViCEQ1GzNPGMbuG2/RnFRFt8jJrBJlD MShPnCM3zxPryJUj8GjJeSVTPCNHFeblxtvtRRnpHs6Z7Cj1kGOAJ9ypilCO6sYTkOMJVN3YpsvZ 0FJbTXpD1bI6K5UWO0OmOKaUTCz0aCVFso8IJ/rN9bRZcCzmwisaj8wpvL1lbrxWlRcz3SZfq6pu t3nWjypsmWuXWFSENlBXJA8srhqIrpdBiPljbOhNLCkq9PASdGmTM5Gz8s6vzJEnU4qvtnmCHAMc 
5VVXF2Np4qo8NPoGe21cnLseR2lcnq2qoNBh92TFO4pKctvWRFHV6Bs2xbptsRfnZKTXWCO8gq0J C/dFQkJbRsqa81RMFZex/NHNkmU5IscQKITHNtmGkRQ6MKfeEsp6U9Xk3iiGp4hRyzMFKzLdE5RT XGXNlOmyvseUbHXYqs4SNMBx6quLU0p8KQHJ1rMko1JPmlUN+f64x+n0dOwoVSQwB2uKMfZX7z0z 0ufViemO2VYbAoiPRkK2JUWZnSF+u10u8NI6N5XixVM5qtD7bqPS+Fpyd3YWeUSxzGnw57QeK3Mq /TnN1Ysd0OTNaku39phTmv/CrdGt8sozPRz9H7LLvPn5Yxz5oyYU2vKqin2yzS+46M2b37s5zxfz tMop1OKFLybiNZULpZzYXFi+FIZ49GT8BSilnlIXaIZWqhS2DfRYiwd7schit//BSnXGN7KWCi5U 8w3Tk+m8+L3vRe8XDS+kSsOA9RSRXzChqspyUd5AWKCqqoEO28Cq4qqSOqOy1GGzOqrqtRQtpWp2 XrF/ReuMrUvjPQOXFWES5ZwJbRU0oMbBd4yqcfMdYyYU1luJbHcUFNYKFjnFA4pq2iOvsN4Gm6tS RXOqfLPJN8pnaHqtMKus+Ho3UaXK1VWCep9cx6TSzP40psl1wptmVWl4MrbCaW7QGmrHdnfXIchU waaw9t0qZRgcqsLaoO5Z2Z21BpoN3gjeD9ZpEnCxL0WjJGAWWKYuV/nrtW3kATeA3wbLlK1I2YqU rUjZipQsrY5Y26K9WNs+CV1v3hTbvtvp7DhtExlgoa3UluLIStKu8oWTfOFyhB0RrvCFd2lLa/sm hWcH4Z3pNNAAC8xtTe2gEd3qVeQyl4qs9qes3oSUpOxYbQ1GtQajWoNRrcGoTgMZra5G+mqkr0b6 apW+mlg1Ze/ga8oXWVMbHu1LQSTbohVp43C3S9IKfeF4bVxtt6Sd2cXaWDS9UeF6rQC4XOEkhSMU Lla5i1V8lorPUvEsFc/yxSV2boFJCsMlaqO1MbiPJmmjtKEqHKnl4d6apI3AuwyHa0NUOEwbpMLL kR6DMB/lIhEO1dR3crQheM9FOBjvMhykDazNTeqSPRvvk5An0J9Mz8UYcjGmXAhJpiwHrwcfVSmT gIvB+8GaKslaLigHlK1lo4YbbbiR4yZNc4OyQP21/sjph7L9gG7NpeboQikXenJBVi607MLyuLA8 LgrUXECb1pO6gN3gkeBisAntpKNeOsaVjh7StQzc5ZM0u1hGUQhtvjBJLJXfg9ISxdLaxCR3dpDY TCPBxeDZ4EqxudYUGZ4dhXKybGfwCPAk8GLwOvBGsJmyvDnuYJElsrQRYoSmQ7s7bHK5uqmwey9v 2DbBG4bEdQvPvk7rADF1oHVgDUPugCF3wFT9b0lgAdVJpZ3g/eCjYCnwVAgjFcJIxQRTUT9VlQpQ 5U6DDbAGJUpF+xeXManaSeDOLVqRqWlIScNbGuqkoWwaUo8CWdWQ+SPBy8E7fXntlDK3U8rZDm21 w2g7A7NULByYpLWrFUHhdZAvZ4ZnXwa5jwAjU9wFad4Fud0lNUTITdwZOVm+EsvBG8EmrR7UAZQK SgO1A9lBNhBWUEvE6q0ALQfdDboLtAy0FKsRtdG50ykm9ZzVc3HP5T3X9dzYc2fPwG2iBFQsit0W io6W3nOEOS7bKnSaSKH8b4UbFF6n0K2wjTtuYuixiaGvTQx9aGLo/RNDCyeGDp8YOnBiaOeJoXVc 6m7jDP3QGbrCGTrOGdrLGdrTGdrdGdrBGZodwUU8nkJph8IBCrspbKcwgcfXhlLQdr6C7GZoPKdu tt+cdNxep3Nt0q32OjOCW7xvV3iDvjLxxaQu9mlJ6d6UFG/Q3v6SjhZoLD9Hgex0pwe+Hjgp0B3Y 
J7BTYEZgWmBqoCMwKTDKHGm2msPMIWaL2WwOMOtmYSZzVJ3xsdspb01RAVYZBOgSdRW3ym8GqQsW y68GmwUNJU8rLV/kjxnA+Z6GyZRfavP8MMZRxxacqSbHAPZE5lN+wYAYz2XO/LpAY7SntzPfEzTy isIa5ruL8OYRd+DIKiisY0MmLYmX7ms9MacvuSveFxYVyTqFNTrfdVcRRc/LismK7B/RZ2Dur0Cx D50XnhhnyxeMJMHzQP6YQs+zCUWebjJiJBTlQ3LS260XvUWvvNx6cZkMigrrLZWid95omW6pzC26 UI5sSM+tJ7sMVDmyyXJku6RcorhMlkuWgbdcoiqXeFG5mn72vNwau91fpp8q0+/iMtMuLjNNlZnm K6N5y9hblAn8mOyqjD3w41+USfwDZZJ/tUwLaZYNcP6Hh+tpKB+uyVkgrwrFjrwycLFn6bzyGE9l qc1WTzl82HeLSCkunVwuw5KyOj7sKMv15DhybTVDF/wy37NAZg915NbQgryCwpoF7rLc2qHuoXmO ktyiTYNKOm64qLs7/d3VdCz5lcZKZGMdZV+DNvxK9gaZPUj2tUH2tUH2Ncg9SPWltB5qaaYBRfBN VbhJBFugwMXx9qIB0dbZ/ZU297XHLIrfqhM/TcFw1UNw7QsFy6yM7IxsmYVdJrPC5I3QlxWzqK89 fis/7cuyIjnCMYBi8qbn4q+iwhf5g38VFRVzrqq4qkKG6q9izlywXCb5ZfA5hBlkh6jzLQnWWNrm peBlykZrFRVFc0itacVckq3NkXCh8ebYXLTMFS2VgCoufaRmOMnLaK5iLqOULDjXpzYV8idDaIbk IH2tEOknwPdQPMJErRQnNhlHffyp/EW2zG9qNAxxBIULfOx9CkD3KyzgYd6QptBB9d3rB5HWnd+i Z8hN4Ug/SBoTF5KL7qXr6RCNNb5Fqp0eo9OUTn2o3GhS37Vr4oX0GHt//dqb3pXfNxMuzamfhHHs yF20ar6FMtBKAT1AbWg/WuxoWPC+SSQIF2oV0JvaJHO60cX4jhv0141SepRd4rD+PO2lU9xOp6Zb jaXGamMNhdEZLaFxt9HVmIlaY6mY5tJNGEElraV9XCT6iZ3Gneo3zmVI3UJvshMKVQyPbjRK/5VW UT3toP30Hh1n5nBO40p+lw+aqHFP0x5jiFFqzKI8Gk4jqRK5CZzM2WKCNkHboB1p/KzpYyMRbRfQ PJpPN9Jy9fvvI/Q+fciasIgCMVbbQPHUT/0yeSVkthaSfJ2Ospl7cCa7+TZ+TszTtcY9OOF1ag0J DlbSX0mrIdMnaCPtobfpHbT5rfrGZSwWfyxP5IW8hO/m+/gJfo6f55PCJN7TNO1m/RX9ZNNhw2I8 bDyDfuOpLdng66ZjDS7Heu6jLzG/jpzOWXxAOEW6xnpIY1NTd2OQsdh42ThCDkpF2X7wa/NoGI3H qG+gW2kbvYK6++gt+px+hJQ0tnAkZGFjB4/mMTwXo9jAp7lRRGP9eotrRK04qDm1ffp4/fnGzU2t m2qbTjcZRrXhMXYbe9X69kI/OViBK2k2tphcsRfQz8t0jP5FZ9FHACdhrIM5H/NdhfaP8nmok1ks Es8JA97vCu11PVZf1TS8aWbTqqZNRg9jGHRLg9MVSz1AmdAm+V27CvW92MfUbzM2QXsO09ccw4nc hYfwOC7kYi7nWTybr+Ub+SZI9RnezNv4MH/IX+PqGCBaQ05OMVncIu4Vm8UecVgc00gbgzvMtdqN 2r3aZu1t7QvdqqfrXfRherF+g77ABJcsINq893yb8zMbSxsfbtzd1Kkpt2lG09KmXU2Hmz41go2d xnG4ol0wxiKahjEuxPxvo7tpHfTjWYzxEzpBJ7Hm30EWGgdxHEacpNYtB+MehpGPh8s0FVTOV0P+ 
lVzNtbydG3gXv85v8gH+iE/j8txadAL1xS4YK6ZiDg+LauER74POip9xLU/Xumndcasoxmxu1+7A fB7UPtKO60JvrXfVx+iL9VdNmmmK6QHTatMe02umLwOsAVf4bMQFC4JH2yt26f21a2g9bgea9qU4 IFy8UJzjp0QC70JvCbhvjRQ5oi98o23Q8pkUFbg6wB5gF1FkDSyWbYiHRIY2Xk/RQmiO/FWGmCBu E8X0JG+nc2IwNG2etk+sF5O01fo9en8+gvvFLp1EKP9A2ZTN/bF279K1WKEMbaMuf5dJJrN23jRT hBq36ydMQjsAO9iPhfYGT+BTPFJEQ1p9xd3kwLuVTyEcgh34PjS/Hm5nb/1jbZkYKj5E2jV0L+/C HLfRNWIbP4p16Y39eB2P5DVaV1rE10IafehqcR+1E7NFO+jzWPqeb+HW2LnnsDbtxVTStVAxmQ6K Iqz62xwpOvEi6OlMWspVlM6N3EB7xUrqxWXajvOxjWmCz5/iGm0w1fA5/XX9dTjf5yDJBGiuGQ73 J9Dp1ejlFbJrKdCa3mQSuMdhPxVjr0eIs3yTuIam8yrtX/yEyKYRVKZViIH8QNNZPVvrDolthTXJ CehjJpPLlKD3wIqfoP7qN1IUUK4fNd0i49q72hmjyLA3TTKFNX1ECyCdwbBuS7GXBtMHHM1X8Sjd EPm6YYyjarFR/8howyFsp3cM7LCmF9jF7Q0bX2sE8yho+FXy/yjRl+pL9Ln6TTibzsFq3kb30MP0 d5wmj+PcSoUcL4c0J8L2TMcZ0YW6UU/Mrj8NgFUagryRNA72tFh9Wv8XuhaW92/0HNXghMqHPK5C val0NdIrcELdSIuw/2+nZbABD9CT9I54VqzDHfcO8bKYJ6bTB/SB9qrm5nF0UL9TX0xjcAcexa3Q 82VYpSTUW2a8i946UDysfw/sUui9cdI4bDzduB/tPSl/ERYwgE4G5FAajeAf9Dg2wb5Bhvo0k/z3 nkAaWBMQWMchmwWTSZcRjSwBJkRe1DQRFxQo015kijWPuDHGOdx6xjWs0TXc+oNrmLURl3pXo0ty 1y7dI+wRyfYI+zSdztu0hvNuE50jm96A/XTS+FR8ajLhJEqiEe7ww8HHg4U50EJWbjUnDs1vcbcK pbjg6Oet/dnSP+F5XKMCOXC7GILToYmHU4zT+sOVp44dsx47RllZp6ynOCKyD/66doFZ1AICHO1S UrWUnj16de8W3TpKUxjgQCqSxJYU0SYiso1IFp0djk5lqc5+/TtK0O9pnGCLi7OJJ2OC23Xq5LCc N/dzprv6dcxwyfuRRTyl7dIPqN8aFteEmerEbW4LW4Lk/2hjORK0VTxOwWKHO8QWsTNif8TRiNMR poitHE1C7Nhkxt6vE4+/0MU8C/ey7eIhnObf8kjvPM6csjZiNmdOQXYuqwvyxDTsvllciKCvgQG2 2FhbAE9T0Zg4m0k/0BSXkpSUwp97Q6zkceNT7QuTPFU684ZNkcLi2Gp8R5pxpjbD3CE7CPE04wyl Gj9SNLi18eOLbcOCwsxhYqvxE1mN72oTwjJkjY7Gd25HB1PbsKSwdpEzzYltI6kTp5pC2znC7P0i 0/uZIk2m0Lh+mNfeF7u27xcW2+WRrRxAMbjiSaUYdsr6A2aUZcXqRPaRixMhAUuUc4N7guhkTYmJ bRMbHds6NirWFNA2PiE+MT4pXg9ITUlL6ZDSMUUPCA6xhASFmEMCQ0wBWkq7iPZusrWKc7MzINlN GXpnNzvC7W6OjwWkhKS7qZMAKJdTOZkd8Thvpt6+h3u3fOAfu1tHJLaKzYpKjGiTFSEhOjExMqtd nXHO7UYkNaptBCDeCogNB7QJy3JISI2KDkUMoEWhnJYYGZyVYQFEy1hC1H+x9+3xURZX/zPPLZvd 
TbLZ3DaXTZ5skt2Qy25IQggEIRpEBAKISAMVSiBBgiEJIYBYiqBWLUWMFClFaqmlFClFCkqRUrSU 0vyQImKklFKKlFLkg1Zt5LW8kvy+c54nyYaLr9qL/SMM58yZM2fO3M6Zy5N9duNThZKLpXEgIqLj UkSplCGS1RE5OE4gfp27lWj2RB7jCKG59uJ/v36O/sJ842LxP6QQHJ83zSPFxEQjHRdbkO/sJ59f Wr12xEN+960RcaBGPuhPHuqIHV+WFZ854LbH15dluzIHDF++XvrDkfb3n1lU0i915U0T5h7hDkF7 Vg6a8MCC396UFp/WfvqVlxYcvskTn85TXxEPA97oaJePYW2NYUt+Girvlp5jGp9amiVpmiztDbWH hd0Tw6JjYlgMTN8eZ4uxM9nBpXts1sgIh1Vx2G274a9c2vRCXGh87MUgozhb7mgjmxB2fmVQZNwA 4bfCMh4N92eHf82x38UdV25yDgi4mOPDtv3wg36pwnPhuCA4eUK/wv7y0isb46KcLllu32qJDXe6 NKXWOyI5ISH5e4/8b0tCpMthdaIfLqxpr+COUSz5SgeecZ9LloaxEcWv4Hz6Bj+e9Lr7ErvEL7mt Gczn9iV7i29L+lLSpuSXkltZK291X+Dn3WEVydzuhOOWRn0vgkdEpERIEX2iIiKcUW57SobgO5hn rEfy9PF6PBled0qgn2Da8guK8vP7FbkDNpXSlgLFYlEVty0xxlDm4hGuFJfk6hPtcsVEuxP9mYIf zrLH4uzWx5ednelz+3d1fLM0yc2ZnuR2J3MpmgucXMxYsjs5Gix4nrvUlpwBv09OTnJ7uUiPSEpK LO4vyTHeRMkf8BV5AwGbza5Eee0Wr6+42J2c7O5flOwrxRUmxfcVX73ved/LPtVX6utT6Ct19ovw PeE74jvtew+8XdJbpTHuFP4VLj3BXxNvZShJSYokKe5d0sLS2ChdVqKV5DFRr0X9KepvUUpU/IB9 9bQfTC5/B/ObEO94xxU5IGD8nzwHycnZ2XNcjnMJ2CcMrgP7xRWx5g1yiAj0IFoCr7xDPCwdj6r+ 7Ee/tv9Ri9+VrcJAsmEZhoVwx4eT2/YHp+b0SN44cW0xGFrjnMlsDq4HaZHmbpFKu0VBQWSaSXDe uY9cKyI9M7X9F46nhQm2HxT4tn4CH8YZb8DhlISElMJhAre/mpyYkPK0k39F+tPHscKEXc6oOPlC XFRU3JUcqVXEwXzx+YfFHX9SfixuySyLvbXz9qyZWbhU7JK2wlxUrga4qkrcY0l2CZYjMRCXmOiK 8yRbYz2ZoZOtu/j0HZmp9ljEpbonNTqZ2W3RIeKRX1xKqL5E3B85T8jJSF3i4I5dfPmO7Kwlrl3C Wx2X5ryDTX3yHGzug8Q8Cbd1vHMW/9vEOn7jse2bN3Jb7J0jt6XfMaliR7jFaSkunshGbrObrJew s1zcrkf7xH7j7fjrjjRLeryxKE9kk3nn2Kb1E84uxherYFznJEQVYhHUsAYW5BcpUoMY01+vfKvx 9YULX597cjWlG44/tfr48dVPHVf++r+zxVD+qGXh6QX3/en+Fn7CheTHLetPnlz/vT/+ESvE77BC TMLYFrJXSzNK7WPVJepD9qV919u321/I3pfdmm2Ns0SE2lscDk9ooZ/15X13ScpOxjx+yYIDUWlp AsfYp2d6WMbkPqluxpx6vD/XpYVarB6MZqm1CAdlPeE1GtynSsMCMaUxDTFHYpSY+H7zxFcjmf7S NnmQGOVzOAHgDCBOUFfOiqVxAMPRxvFh6yAjntxJtA6ibTQ8KzsxKSspJ4VlJ/ZJ4eIhzNKlHGOY egMTphMRdhRaU300lDGmrBTgc4TJXqkX+NWdAu/csmLBowUxrmhL1Ldn1i3g3xBMOezKbZ0WKr0k 
RvSBWetiLbFOZ5wcV3vrA4IjdpEfi7GVF6BRMaXRi8J5TugY6yznQuc3nKu170aFJHmEwdpSWtJS UjxpnqTEmN3SVmwUpaWhtCh6ErMzhMSYzNHpmZkZ6Z5sW3g0fRRFDQnDgTc63GFNzyhh2Zp1iCNV CYkpSfSUYPGzRoS8FyKFJOSyaD09Im1s2pK05rT1ae+laWnxOVdWGANunFjPTcZ4l4tVZsg774gz q3GIBIiNSQz+p1hM2vb/VJPKxouH3B2v7EhML+S7Ok5vj0woxJY+sW8eDD/SNPwXo6LDY51JZOfi BcGYoiLT1mnLx2SE3GjiJGnDD24duTQ+yhoelVYY3//pl3mTsPUrs5MT4lNefVpgeVrrqruqE6Li Q6LSEip+3F4oJinOGRkn7aEp4eKdVGWWPI2VSStLn0qJTHFKzuLIL0VKieJlzxTPVD7bWZ9anza1 7Ff8V47DzsOph9IO5e8r3FcWYcFeusYjs3zuLIt0lqU5PGmO1MKCfJ5amJ/mcDp0nh/NeX5hmdPp 1FMLo1NTC6USXhJR4iixRpU4S1JL9JKEviX5JeklaSVZt5SUlfQrKSwpKS0rG1JcPCQtzef3+4ZM VAt3cf8LetnaIfCW06WJnKv21NRYu11lsTw21s3XRqj1qqQm3JqP/B1pa31Okktd65sY4Q64x7i/ 4q53q+74oVZrgjVLK9HO7eYhxuFDrF9DODnb2fg21zvxDiCxvsWXn3VhKidjN4oXm5KYVuSeTXjH 5TgrmIJhxgnM5XgH/65C6qP+7DLxxwFnx8Ed8flDnLs6WnfE5Yp4y47oTBFf2uFME/GZHeFxIj61 PXHQYOPoN1Fsb9jdxIk0zVGE8o4cFHaUoiTOMWlDHMko40gOix3i8HSVomIR+GdY34uRrrCIwoJd Hee3IzZMj2NHmzyHGlbQcaY0FIfTyGSbcwikzpSOABFpjY0bHGmNdA4uuxkHWS5QWX+cerlAZf1x 9OUClYnzLxco1erWBxdGAOVHxycOdkQ7Yobk46y7A7HTjMt2dezf4YgeDD/YXxoGIm0QUKpA1zn5 Go+hxcLP82N72H7XdmswisAw9oOCzh2C8851jRhYw9bzpd7oCOyzHwjv+Gb7S+0/X0578t+SEyKi vHxp++b0KOT/JSU+PqWKJ3J3ldiQ/yJy0/mv258IiQ0zVjY+oP03xioXFhsCZx1uoRxw2v/GI0Xs irLHGl912t8MT3Z9J+V1gqT1CLM+fZB/+1mC8lXlq2qfG4QPukPId3tDb+gNvaE39Ibe0Bt6Q2/o Db2hN/SG3tAbekNv6A29oTf0ht7QG76oQH9jGSiJ73s1vkV2lvEBXnpxKZZSgpZYOM9jnd9aMYkP NmklSEZlLvqVO0FrLIlvM+kQdqBLxsLy2EaTDoXMIZMOk9by813fq9BPedCkObMpPzNpiYWoCSYt s1w11aSVIBmV2dXRJq2xcHWSSYew6V0yFuZS3jTpUMjMNOkwXq7OF9/CoYhvhrBrvyJafH7Tob1B tEb8PxMdQvy/EW0huoPoUHMMDdoYQ4M2xtCgjTE0aCVIxhhDgzbG0KCNMTRoYwwN2hhDgzbGUNDW oPbbRNtCIoi2B/HDBR2SQrRDtC0kQHQUaGfITURHB8nHUB8NOjaIH09lxxCdSHUZOt1BMilBdDrJ TyY6i+h7ic4leqGgLUHttwTVZQ/i2zv78hzTWT5GJI8VgxrPZrJqxOWsntUBmthC1kCcMqQaQQtc CX4NSfiRczOrRdDZOPDuQfkmNpdS1YjFN/rOB66CpNAwD+ka4upsNOIFiGtIvhLQRLqrwJ+NuJHd C149m/E52iW01pFGo9xdSNUgJVqisztBVVLKqLkO3ABp0En3TLOF06nFddSuGpL2U7/uAbeWWnh1 
ewbeoJcDaRQaoaGzff2gqy+CzjKhpQZ1NSJnLvW3ifVhE24g31O/oX0seiTeNRqOvAXULtHLkchr QqglyYlUTqeRXYh4Hs2OMULGDMygmppoRES6gcrNpnHrHLlpVLZzVG/FuI7C/BtlG4NyGqg3Vahl Omk0ZmMB1TUd+Pr1GmkhOx2tnkeWUEWy9cBVlN9AI7+wa96MumpMDdNNXdWEhXXq1/RcSNQSlYly fRALe5vWVdf12lV3je5PP0rd2qtI0z3gNZI1GXY1vctqr9/7bkvu2a6SoDEQPTH60kT1dfqD0G/0 tYpsQ/S8nnzs+j01Rrqyx6hWm35xtXeIUW2C3DwqKVo7n3pT3aVHSNZC4hPn6Dk9Py+vWB8/s1ov r6+rb1rYUK2X1Tc21DdWNtXU1/n1m2tr9XE198xsmquPq55b3Ti/uspfVj+vsaa6UR9dvUCvmatX 6k2NlVXVsysb79XrZ9xQl15Tpzch7666mqbqKv3OpsqmahSuqwrUN+r1yGnUp9fPq2uC6rn+cdX3 zKutbOzUMzCoyoHzqxvnCn39/H376pnlNdMb6+fWz2jqMyGIb8pDfOyd5eOH1y+obKzSR1Y3NdVW N06sn6fPrlyoz5tbjQahAzPq65r0yrl6Q3Xj7Jom0bhpC6mpt9416mbkNlKiobG+at70JtGNBTNr ps8MKou4pm567bwqFG2q16tq5jbUogL0DaVqIDAdUtV1TX5d76y8vq52oZ5Z00evnj1NlOrWVdcp fd0mkXhVTd09emP1XIzVdDG0QdXTIJu6SqgFmTWopal6tpiHxhrUWlW/oK62vjK4UjS60mgqxrhr OurnNTXMa9KrqufXTK8WMjOraxuu6hEWwXpywUoYWx2MvV44IA+Dgc1C+m1aoDvzjaVfOA0tk/Ja +afyL+SXAS/Ju+UtQbqEdE1X+i3SXd2jruoe2kifkqz0VUYqtyk3AQ+AdCWcQribsUnM5Nv493Fe E4vAzZBvNLeXys4zI/61p9G7YNf7jiyZiZNSuvgpYOPbzpgdx7qhdLabAnyMPjX6O+Qdl5YzLj0u fYfJ0lppLeinpadBr5PWgf6u9Azo70nvgX5f+gj0P2SVcVmTQ5gsW2QL6FAZpyzZKttBh8mRTJKd ciw4cXIcOC45AXSinAg6SU4C7ZaLQPeXh0HyNnkkOKPkr4JeJH8N/MXyA6CXyG2gP5Q/Bn1FQX8U rkjivChOdIpVnK+UMJyUZCVWiQPtUlCLkqgkgXYraaDTFS9on4KzlpKn9AWdrxSC7qcUge6v4Nyl DFZKQd+s3A56hDIS9ChlNOgxyhjQY5UvocYKZQboe5Ra0LOVryJ3kfIA6CXK90E/q/oYVzPVbCar OdrNjGu3aMOZrN2ujQA9UrsT9HhtPOi7tArQEzWcgbUabRaTtHs1nMe0Wq0W9GxtNug6bT7oBdoC yNyn3QfOQm0J6KXag+A/pD0Buln7NvhrLAdxYnvV8jaTLRdsYYzbwm0Yc1ucDe2xZdqyQGfb+oLO txUwyVZouw30cBvaZrvdNgp0uQ0nSdtY21jQd9juAD3Odifo8baJoCfZR+LkN8peziT7aPvz4ssW TEsTYIW7tDK5srFyGoueWT2tkeXXVjbVscHI4XeNG6qzaMZgeZJhq0Rx+m1XRilOv4EtjRo/XGex 48aU6yyJ+KwHVsUizXTCWYQLZ987+142ifC0rruT1IOKxMlewyneIr7Dldlg92EsnEWgPvELzVFo WQx5gUytMeJktHwYXHACfEO82zafLaa3QlezZ9gWtpcdYqfYOfYuu8TtPIcX8kF8KB/Fx/O7eRWv NUaFF0EPR/wR6kds19EKxOGDjNhh3Ke4Y5MhF1mKFiJ2RiMdgrjU4DunmvFRI47eTXJKXG3ckrhV 
cZsopblOuT6I1+IT4v3xtxj5CfsSjiVcSGg38hO3Je5PPJ54MYklRRt63KuMOHmJEadMIkmLXqgP 16foTfoyfb2+Uz9E3LD0PelH0s+mf5Rhz9AzCjOGZ9yd0ZDxcMaajC1Gq71V9FtG3LvM0OZdacS+ WiPuc78RZ20z5HL2mvEBsgSe006/wayw/P8t+PcH+t4AsXoxWrcstGJZsUpFMRutQGGKhhunE36c yaLIg6Phu2NYojYOHqzDdycwj1YBD06Hn8WwDHjJBJZrq4Cv5DEeOjT0WXFHwqqaz1jOMAA8zH8Y 8ThABehWxFh3c6oA8wGPAfYyloeV0H8CdIOZPxBQagLutgW3IF4EWAFYBXgQsBawHrDRjLcAtgN2 QddpxPsBWB385xAfQXwRejYBhgNGA7BnFOC2XjAV8QxALWAr4AXAbsArgANSYo7dn5n7TGBGTrrf T5DlL83JCjTm3OKvCtwXWJxr8V/OOeW/nJvgnyIgp9b/YM5UglU5UwMP57zg3ysgN9//LkG4f0pg mSGb6wWc85/JbQ3ckpMM3QJcJmxFOQFO/0BAYe5pyJ2A3CSUb0Y9Tsg4O9vjH4X2TAnc56/K3Qyd e5Cf5x9GMBz81UgXgRYwGul1Pdr5GNr5bFB6BUEj6BkEK3KOAhb7txA87N+SuxPxJrRtk9nGVwAH /PtNOEhwCLSAo6CPEu8kwSnQp4LSZ0ELeO//gFP+8yYcRL0Hc+4DLeBj0FtJhzEPGN/caPTvLNp0 CuNuzktuzlXjPyHgzL0b0BRIzr0f6WcCeQQb/AcD0J+7OVCUszWwNWe8MX6524IhYO/sf+65wHAx f4hH0zwadvEC5mQYwSmzXTrKAbrm15jXgV3zGDyeW7v15gzyDwvsDpq3q+dRzL0x/7NQ7yuY83EE 4/0NgQNIXy1/bfkK2PMhlJ+P8kcxpg+asMKEnuluO1lLINKNlF4P2BgsD5sNlt9I8stgOwKa/dtN 2EWwzITVyFtN+QZ/nX9L4DjSzyJeZ8anEO/GOO02be8Vc+w+CTrlTH/sss/j/iOAY0H2e4yg236P ERzwnyE4BXkBnfZ7AbZ3IchOL5FNns+VQH9Mdttz/s+STQwjm4QtXpN/ATTWFFobvJRPdtxlzxaD hj23EVy9rnTa+WCkzyINOnAB6aFIvyfyAyw3P3ApNzxgDywLfEyyxYDO9Qh0noT0CP+UPItIB7Q8 KaDlJgTsuV5AcYDlSXnhhrxIm/JjIQ+/y50WcOYlwK+WwK9WIj0TaR3pR5Beg3Qd0l6klweS84rJ D13wQxf8MD33/kCW4Xd5ObDfRYEDefnwtaKcTYGtuTsDRbmHEW8ODOrOx/pLfKS716u1sLu1Yg0k 2Ie6uv3WKeAa29h6fchtuQoOm9Dp8xcRf0BrclWgGW3plDvnL0X+eMhNQjw19yOMn4B2A4Js60gP 2zqLtIDOtQ3zBptto3Wp2Jin/OP5q4U/kE907i2H0bedmAszzskq8BLcElgcWI21vQjrg4DRBTnw oSpjzSjIp7VqdWAx1otROXlIj0caY1pQ7B9VUNyVfuEaebEmNcOOO/eiGebYX3eNwB64rGAwYGjB iIKxiCd0jfvVe8THhu90+lTBNP95grtB392db9LX+tZV6ev5AkGnLwg/IF8omBlYVlBXsCSQR9CE +u7HHtBzT7icu7PgkdzDBY90jkvB8kBRwco8MaZTCjYA1iD9THf66j2ma+25eg0y+/9vPqFJLE76 G+6wDHdPpOQC3EBj5aW4YybglncHW6GMx12vWc1Rf8BWqRvV57hd3aru5w71gHqA+9QWjfNMNEDl 0zSLFsarNIcWy2dpLi2Bz9GStCTepCVr/fk8baA2hD+BW14Vf0qboc3k37fOsc7hG3AvS+Y/tH3Z 
1sJ/gjvCNim8+7zoiQUkMZ7+DGIPIBP0BvFyJqAQgPOkpwKAM6AXd4n0zaBLzXwrwGECzo59nIhH AXCW9OCs6cH504NzpAfnS898M8Z50oNzpOcx6NqGGOdKD+796eKF0PWI90DPfQAXIBmQDsjCmT4P cRFgEGAx4GHAMkAzYDXuVl6M9EA2FPeoCtzOanGLWsKWsVW4Q21i29kedoAdYZL3Y5/FJ/nQf5/V 2+5z+BRQdm+bz+m9DEryXvCFe9+D3Ec+K3JjQb3rPeZz+lygznoPeT/2HgV1wrsPpa0ooXl3ec97 91LZrd4L3kvIbfdu8LZ6N4O67F3rPeY9A+qSt9n7inc1qA+8j6D0YVCroHuLF3dr7zKU3OrdDWqJ d6Z3jbcO1HzvFJTe+G+3TZmeczCtHrd/C925HbARJ1+Em5Kd7WbZjKV8AEALUtoZ03Fv1THvOuZc h73osBEdc5x2BnGSkZeCs3/KRQN02Jf3XcSZANiIDtvRYTs67EqHrejjzBg2psNudNiNDjvRYS86 bMWH+4K3DXAZNK6wPg0AO8OMMN8kAO4RPtwjcPdjvkaWnbEhY3PGtoydGXsy9mW0ZBzOaM04kXE6 41zGReCdGR9450Pio4z2jA1eRWBAe8Y2r9Xr8MYCDnoXeR/0PuZdgdlZ6z2C2TvpPeM9T78r+76E cZDapA+ZJP0PZkShGdFoRiyYEScLpRmx0oxE0Iw4aEYiMSOjmYtmJEmbgBlJxlw4WYotGjOSTjPi pRnp8x+sidPvR4tZzmIhGG14oo7bnY5bnY7bnY6bnY6bXYaXhaQfSD+UfjT9ePqp9LMZCeIvtNLf pb+jjZekS4zLUbBGSRsDq5Nhb3cxhexNtUXZopj2maWH42au/wtu3eHS49JTqPXb0ndYKD1XtNNz rTDLIctrLNzyuuUoc1qOWY6xaMtxy+9ZjOUPlj+wOMtblreYy3LW8hcWbzlvOc8S6YlWEj2nSsF4 bWUv0KiJb8cQa2a5x+PJ9Pg9hZ6BnlWeUs8wzyjgcZ6K1A2eKZ4qzyxPg2e+Z1Hq4dTDngdTt3ke S92G0O5Z66nwrPCsh+S41A0I2wzwGP+CNXbrqxK6hKYgPauQXwFqJTgrewbxtEPCqsM0ab30C4zF L6Vfs2TpN9I5lqbdr93PysQOwYbaUmxedis9qxXvODvNJ22xXeUVlMeuIG2UdjNV2gNdCVRG/KpF AvPQeIi/4LJ0O2AG4/pi8USMnuBCB+oQ1lbaPW76VBalT0I4qh8HnBIhfQnCiPSx6RPS706flj4z vS69Kf1+asMa6A6VfiT9CG34iYRdTHpeeh76t0vbmSy9KL2IFv4crVLRtxZmoV5ZqYU2rGaP8Rba 8caxSHN1+vzA0w6y8pT1CBsBW4gyQjB9vbQI26/ib7+OjAi7bsD/rOGT2nh1+27Uluu1Z+Nnbwtm wEpeyMgLOXmhRF6okRdayAtDyQtt5IV28sIweOHbLOJTWzGXhkkrYct2nAESGHNjzQkCdh24Ef9G ssG6pNTTFJe7l18TNiN00tsQrpVY7l6JsNy90336urlG2OM+B7wGoSd/n/twF93ivhiU8wFxPvoE ncGtOuxuB24l/M+HT+610V+jxhM9WrL8qj4G9+6z9uufDmK96No/vo215zvYRayWVy2vwjaPWI7A Nt+0vAnbPGk5jb3kz5Y/syjaJ6Jt5bZyFmcbYxvDXLRnxH+m9bcCMBZQRytwHP16zQa2AqlB5qoc R3L7AeIryE90y3EHu4xUdJecWIGfhq/hlGfUT7UlU23iszoW8kFGPqiQD2rkgyHkg6Hkg1byQRvt hGH/Yk1iNBiNhkqjkfEFaxLjKv5WgNWJtdIYuognPrEm/ubQ3s3jmjFPPCmIl0yzxHlhEK/ImCc+ 
Kog3nmaJ81kmT2K2f8rWhJW5bjg3GmlipImTJok0yaTJQjpCb1haEd8bj5Y9ifZxaplG9YXcsIQs rZCazb7I1E7lhnP0WWQ/uSXXK/Hpei48bC17mObT8Jx4mnXD5zi8r5Mn4ey3huYzWO5ZYzbZLpP3 r/OrT/bf4Nxre//pckWfWk2bN/qUQLwP2Emy+SAet7K2oDEyeIWmzQfzRpk2H8ybZdp8J+/fa/H/ Opv95/zpv9XiOdvJDtFZXMwOc+Gu7cJdO2YvK48+8N8aRJ8tb1jeQO/OWM6gd3+1/JVJn/5UyLaz 3d33lCic2uIWsfKoYwgnBY4bT3RXbOacDEpdFbolo28xIKhcV36Qvmt1BXGid/cMwkctv7Oc+Lw9 dLYTlMcuRngYYXGUM8opUlHHCU8lnGfEJo0Qu6wzLUoYkt0yXeHhqEOdGrv1dcqRniANsYudbc62 qMU9A/Ww1XLuM5yPJJ5Ot+8t5kqSCJ7Mn+XreA7Sa4K5kkWSuLgBP9iDWyfN5B8hXduD2yodlqYg PSGYKw+UCyVxzirtwV0vr5WzkM4K4koKk5uDVrjEoL45pWelH6BvP5Q2YtV9TnoOfr1F2oK76jZp G3q+S9rFQtDzXzKLtB/9D5Vek45gfTwqvcHCpDelN1mEdFw6zhzSCekEi5ROS6eh88+SWBN1m441 Mc2WxmJsGbYMmvlPWjX+s20RN/fHCT/5Bdb9nS+k7ie/wLpXfoF1r/oC637qC6z7O7Q65Yt1iHd+ Wi2JeFlYszh7rwfPQ/eGkz14CVycIlt68JzcjtQLPXhWLj7dtL4HT2IfI7U8mIe7YFvQuS7JPNdd DDrXGbwL7GzQuc7gnaHz36AevBN0J8rswTtK54joLp5YycWKw+gcwukcItE5RMY55BROw6dxGgnp 4SFdFms52cN6Bf5WEN+gW7utTJxxumb98SD6yW46WMYs+1SQToP+Yw/rEf3KZOKHumLFJwOpZ+5u OfRCyG1nxrNRzqz06xPWrnSPXTj8LGMRxazcVvffGoJuCp/ynME38XfpeWoj+o3jOePh4V0g0leD wZeC4O6r0tO6aB4+E1BHscGzsHJr3hcYTn2htX/u8C+7Y33a0+cZHkt2P4xhtu1+QCFjoQ3XB7vV pCu6wR7Lyi3DPn+ws3+m9P8VPue9/nP5VMhWxkMWd4FIXw09+VOvlbEkdMuC7oROXrl28r84nDHh vyz8x31KfN75ctBdQvx1ztLecOVscPgMu644YXDyUrGPtXQUd+5rUqUaQzgZuIrwXDWPaE78TOBZ xK8Qb+RKHqWc+D7gGnU6cKlSCbxTGUX8CFFWuQP4bmUc5QqZ2ZT7ZWUV5Qq6v/Jlos8KmvSPI8kv m/Iid5+8GThPvOUr5Wn7iH6P6CkCy60CK8WE91MuWivbBV+2K+sEVpcTZoTF89h98hqBlalEFxL+ mDhCwx7SViFK8Ta1RdAm5z5gr+CAf1LQVLuXSnnVKsLLCYvP5U8RuXyKaAPwfsJGja1UV7HAJLlP uUT0fYSphVT7PlFWGkr6h4qy0lCai6FU9jRJNhOdY+J1xBc6m0nDBnU98CKBpYeVh4B1wverZ4A/ Un8AvE29gpFpUGEf0jIxznKrliOwGGfQzYIvOMgVI2+hXu8hvIzatsygqW3LaASWSZtoZKbSaFA7 BYc3yw3U5v1EtxK9jWi7aD/J5JC2r3T0JSxsrLFjAPD8jjuBZ3aIeR/X8Rzwux1PixkXliytunJC 0AKzy+3iuexlsvAWolvaxflvtcCSU/D5VsGXnO07CZ8Xc2pyRKsar8BKebjI5Y0kH97eQHiw4BA/ h8pWUO0VVLZC1M73mW3QBU1lp1Dtl6n2PaS/mfTso1pySKbZkKQ2X27fIvjUI6eBhTxo4TsnqEYn 
ybgElrykZ0o7jaHA7DJxmkWreLOgoRMa2Dkajc2kzUJ6qtR4Ghkh2UYzMsIcMdHC0zRTbTSDbWRd bWRX4UZ/DQunXueQhkMkOYLGp03YIVtO/XUZ+smDKoTvcBfltgi7ZSeFTtS4hVp7gvjriL9ePMMR fPYCWfJh9TfQ8JD6InAfYbfo6QnqKVmgsFUm/vGOdYS30Rk+n+j9RBt3LLrJdMySoKHDQfRxgXGD E/RjhJuMUh3/A6wJyXZ68sQ3kAbjHnWZZEYJjBawznsTxk6sBhXE+ZDwy1S2keifEP49cRYRbdwG jXvdjwhvJ/wa4aMk2Uz4NHFWE6Z7JXcRfYHwDoEl4/nWL0watxP5VhrhA+TdhR0TUGqXwOCPJX60 oJUWQWse4uwVa4KQYQcU3MqkpCsHiB4lygoaGnC3ld7SKgiXCixmVo4VK6Ssi/fNgCuEHiEvrxFY qtLGEN5BttdC9AYxVrTCjNYWCU5IHK3wYuUZqoWL3JAK4h8hTLR2iNbD+4huJm1kXaRhqMk5Sbmk 84rYZara7wVee0Wsq/Ov/EzsMlf+H+UK+nblTtqD2mkP+gntTcLHn1Sxf0oPdHwX2K98SJpvorLf Iv0zRK72Q6FBE9rmE35RWyr2PuJXET1OjLA0TvXQ7vY66T9BuIVq/JDwyyJXfEpCmq+Kln9ZG0n4 FuAo7Q9CgxZDPktrAnnrevLHPPLQpe2RwKWED9FuFSXWLvY7WsH2iX0KWNz93qM1YTnp2SPWYex0 AlsEZi3kWVOER7PL5NdTxAiDFvtUlLAo1CrsXyObH274lHlrzhX+TvY5hfA+ktHJJr2EhxKfnq8a T02wHgmZFYTvFxgtEPgs4T2kebjQzFhHLNWylzBOCx1T2t8WmPQcJPxLwu8ynENQRtDPk4YhhDcb 6wQT7xQ+wutY8DuFw+mdwgld7xQm03uB4ldfNJzKIlgkchTiiTNaCAvFmcrBnMzG1K43DSV6ltDz XcPkoLcMOW4IRhzOoqZPn93AmgjfT3hJVW3NPeyxGTV1lWwF4VU1dTVNbC3h9TVz62vZRsJbIFjJ thPeVVs/vZbtJbyf8MHZ1VU17AjhY41C50nCZ6jvUheW6J1FRqdDgdUgHBKElSBsC8KyOZaMTpgC a0HYYuJwjICX+VnRdd96NMo1mPF84z0+ttw4tfK7gUMRzzfjZiPWjhqxNQfyiMMOGOXCL5pvP241 +JHm24iR5nuCkYvEnY5x+2jS3yQ+M8iUEHtIWEh4SAT9bekfYnXnKVynNwf3QYuLeVgOWl/KRrDx aLHwEkV2ik9qEnVbFzW8i7q9ixrRRY0kSkON0SyB6RiTHNLyPmn4gEr/nUq2UakPqcQl8c03sDIX RjFdxk1C+kiOo1IJVCqW5OOFvLgVMLscQ3qiqaz4q+H7qJXJIXIIC6FPYlro1ilrS7QHJLJY2fjy H6tspTO0ncYBEvLbWrT8LSGhxWqxcIMEDTdK8flzIcEnsE1ysqzL6XKmnCP75Xy5SH5Qflh+RH5M XiavkJvlVfJqea38jPysvFHeLG+Rt8rb5O3yTnm3vFfeJx+QD8qH5aPyMfmEfEo+I5+TL8gX5Xfl 9+QPlDuUu9RcNaD2VQvUfmp/dYB6k3qzeqt6u3qHWq7epU5UJ6uVarVao85W69U56lx1nrpAXah+ Vf2a+oC6VH1I/br6qPoN9Zvq4+oT6rfUb6tPq99Tf6D+SH1e3aH+TP25+rL6S/VX6q/VFvW36uvq m+rv1T+qb6l/Ud9W31HfVz9U/6Fe0bimaqFamBapxWgpWqqWpmVoPq2Plq3lagGtr9ZP66+VaDdp Q7RJ2hRtmjbT5rIl2JJsd9um2qpsM221tgZbk+0+2yLbEtvDtkdsy2wrbCttq21rbc/YnrVttG22 
bbVtt+207bbtte2z7beJv3hukt2yG7ORIqdgNtLkNCbJPtmH2ciWs2FFuXIuU+W+cl+myf3kfpjT pfJSZpEfkh9iofLX5a8zq/yo/Cj7/9WdB1jUzLrHZ3d2QgkgAiJI70WQ7IJ0QUAQkQ6CUpQivRdB EGnSLIgFLAiC+KkgdhBQRLFiQRR7oyj2hooNUbzZUfn0O5577vPce8/3HPYh+04ymWST+f3nfSfJ hISL4WK6NhTCQiAIi2AREIKr6bM5CpbAEiAM18P1YDQsh+VABG6Cm4Ao3AK3ADFYA2vAGFgLa4E4 3Al3grFwN9wNJOBeuBdIwv1wPxgHD8ADQAq2wBYgDY/Co0AGnoR0VAvPwDNAjvs2DSAPO2EnUIBX 4VWgCG/Cm0AJdsEuugbfhXeBCnwAHwBV+AQ+AWrwGXwG1OEL+AJowH7YDzTha/gajGc5s5yBFsud 5Q60kRbSAhMQ/QE6iKKjVApxEAewkR7SAxykj/SBLjJEhkAPmSJTMBFNRpOBPpqCpgADZItsgSGy R/bACDnTno8xckfuwATNRDOBKfJBPmAS8kN+wAzNpVtJcxSKQsFkFIkigQWKpltMSxSLYoEVikfx YApKRInAGiWhJGCD5tNt4lSUilKBLUqjW+1pKB2lAzuUiTLBdJSNsoE9ykE5wAHloTzgiApQAXBC S9AS4IyW0S2pC1qOlgNXtAqtAm5oDVoD3FEpKgUz0Ea0EXigKlQFPNFWtBXMRLvQLjAL7UP7gBdq QA3AGx1EB4EPOkz7bL6oFbWC2egYOgbmoBPoBPCj6/Vp4I/aUTsIQBfRRRCIrqArYC66gW6AIHSH 9pGCUS/qBSHoProPQtFj9BiEoefoOQhHr+iILwK9RW9BJPqIPoIo9Bl9BtEEV9hjCBbBArEEL8EL 4ggBQgDEE8KEMEggxAgxwH0uRRbMI+QJeZBEKNJeZTKhTCiD+YQqoQpSCHVCHaQSmoQmWEBo0b5f GjGBmAAWEhRBgXRCj9ADGYQ+oQ8yCWPCGGQRpoQpyCbMCDOwiJhFzAI5hC/hC3IJf8If5BEhRAjI J8eSY0EBKUlKgsWkDCkDlpDepDdYSs4h54BlZCAZCArJEDIELCcjyAhQRMaQMWAFmUAmgJVkMpkM VpELyAVgNZlBZoBichG5CJSQuWQuWEMuJheDtWQhWQjWkSvJlWA9WUKWgFJyPbkebCDLyXJQRm4i N4Fycgu5BWwka8gaUEHuJHeCSnIvuRdsIveT+0EVeYA8ADaTLWQL+IM8Sh4FW8jj5HGwlTxJnqT9 fiYdB0RARagKNSEF9eBbuAyugutgGayEf8BqWA+b4CHYCk/A07AdXoRX4A14B/bC+/AxrZfP4VuW G8sTmSBzZIWmounIDTkhT+SN5qBAFIIi0EpUgtajcrQJ1aC9aD86gFroMlRRGzqHLqDL6Dq6jXpQ H3qEnqF+NIA+oCH0FT4mSKhIiBKSBIfwIfyIuaQsOZsMIIPJcDKajCeTyFQynSwgl5EryGJyHVlG VpJ/kNXkDnIPWU82kYfIVpJ7D3YEVjKAlYyBlYyJNQxiDWNhDUNYqwisUjxYn3ixPvFhfeLH+kRi fRLAOiSIdUgI69AorEPCWIdGYx0SwTokinVIDOvQGKxD4liHxmIdksA6JIl1aBzWISmsQ9JYe2Sw 9shi7ZHDuiKPdUUB64oi1hUlrCvKWFdUsK6oYl1Rw7qijnVFA+uKJtaV8VhXtDDx2pj4CZh4HUw8 hYlnY9Y5mHVdzLoeZn0iZl0fU26AKTfElBthyo0x5SaYclNM+SRMuRmm3BxTPhlTboEpt8SUW2HK p2DKrTHlNpjyqZhyW8z3NMy3HeZ7OvYB7DGpDphFR8yiE2bRGZPngslzxeS5YfLcMXkzMHkemDxP 
From nobody Wed Jan 18 09:12:58 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id C2EFF1294ED for ; Wed, 18 Jan 2017 09:12:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.1 X-Spam-Level: X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNgziyMuNa_V for ; Wed, 18 Jan 2017 09:12:45 -0800 (PST) Received: from mail.ottolander.nl (mail.ottolander.nl [176.9.136.165]) by ietfa.amsl.com (Postfix) with ESMTP id 60D90129426 for ; Wed, 18 Jan 2017 09:12:45 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by mail.ottolander.nl (Postfix) with ESMTP id A250643 for ; Wed, 18 Jan 2017 18:12:44 +0100 (CET) X-Virus-Scanned: amavisd-new at ottolander.nl Received: from mail.ottolander.nl ([127.0.0.1]) by localhost (mail.ottolander.nl [127.0.0.1]) (amavisd-new, port 10026) with LMTP id hVFskGpRYAlD for ; Wed, 18 Jan 2017 18:12:43 +0100 (CET) Received: from [192.168.0.60] (leonard-home [87.212.131.169]) by mail.ottolander.nl (Postfix) with ESMTPSA id 15FA342 for ; Wed, 18 Jan 2017 18:12:43 +0100 (CET) From: Leonard den Ottolander To: cfrg@irtf.org In-Reply-To: References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> Content-Type: text/plain; charset="UTF-8" Date: Wed, 18 Jan 2017 18:12:42 +0100 Message-ID: <1484759562.5121.70.camel@quad> Mime-Version: 1.0 X-Mailer: Evolution 2.32.3 (2.32.3-36.1.lj.el6) Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Cfrg] A little room for AES-192 in TLS? 
X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2017 17:12:48 -0000

Hello Joan,

On Tue, 2017-01-17 at 19:28 +0100, Joan Daemen wrote:
> the related-key attacks against AES were interesting from an academic
> point of view as they broke the security claim we made for Rijndael.

https://books.google.nl/books?id=weETxBt-VAMC&pg=PA316&lpg=PA316&dq=aes+256+key+schedule+strength&source=bl&ots=GTfhsVdh7E&sig=y0ZE9_3OBCRbbpLHvq0PAAZqRmg&hl=en&sa=X&redir_esc=y#v=onepage&q=aes%20256%20key%20schedule%20strength&f=false

A better link to the above research is https://eprint.iacr.org/2009/374 .

This research is rather condemning even though the authors do not claim these attacks are entirely practical yet they do state:

"While neither AES-128 nor AES-256 can be directly broken by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES-128 along with the larger key size from AES-256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems."

This criticism is valid for all AES versions. However:

"The key schedules of AES-128 and AES-192 are slightly different, since they have to apply more mixing operations to the shorter key in order to produce the slightly smaller number of subkeys for the various rounds. This small difference in the key schedules plays a major role in making AES-256 more vulnerable to our attacks, in spite of its longer key and supposedly higher security."

AES-256 appears to be more vulnerable than AES-192 (or AES-128) to these attacks.

I pointed out the example (http://eprint.iacr.org/2009/317) because the remarks it makes about the AES-256 key schedule seemed to indicate structural weaknesses. Because Richard insisted I dug a bit deeper I came up with the above which seems to confirm the "hunch" I was having that the weak key schedule in AES-256 is a problem in itself.

> However, the attacks require very sophisticated manipulations of the
> secret key by the attacker.

Please don't use arguments that might be valid for one report to disqualify another. (This is a request made in general, Richard seems to be doing this in his last post also.)

The argument related key attacks are mostly hypothetical applies to http://eprint.iacr.org/2009/317 but not so much to https://eprint.iacr.org/2009/374 . I quote:

"The attacks are particularly well suited to counter modes of operation (AES-CTR), since the attacker can get all the chosen plaintexts he needs by starting from just two chosen initial values and running the counter mode in a natural way."

This kind of manipulation seems not to be that far fetched...

> As for including AES-192 in TLS, I don't see any benefits.

AES-192 has been specified as a valid cipher just as much as AES-128 and AES-256. The exclusion from TLS was entirely arbitrary. The motivation for its exclusion is unclear. The wording in RFC-3268 is vague at best:

"The AES supports key lengths of 128, 192 and 256 bits. However, this document only defines ciphersuites for 128- and 256-bit keys. This is to avoid unnecessary proliferation of ciphersuites."

The fact that AES-256 appears to be not quite as strong as AES-192 might render the "proliferation of AES-192" much less unnecessary.

Though AES-192 is not a 256 bit cipher it seems still to be significantly stronger than AES-128 and does not share the weaknesses of AES-256. This I believe is a strong argument to include it in TLS.

I do not see how the fact that we now have ChaCha20 is an argument not to include AES-192. AES-192 has been specified just as much as its siblings so its exclusion from TLS is nothing but arbitrary. Why should we only have one algorithm to choose from?

(Again, like I wasn't arguing against Camellia or AES-128 earlier so am I not arguing against ChaCha20 here. But until we are all chachaing, salsaing and elliptic curving I would like access to decent crypto that is well established, well scrutinized and readily available.)

Implementations are available in many cases (eg. openssl) and need only to be "unlocked" by making entries available in the spec.

From the research I put forward AES-256 seems to have major flaws in the key schedule that AES-192 does not suffer from. On the one hand people argue against inclusion of AES-192 because it is not PQ-resistant, on the other hand people argue I should use AES-128. It all seems, again that word, rather arbitrary.

And in general, the PQ argument does not hold for the current situation: We need decent crypto not just PQ but now as well.

To sum up:
- AES-192 was excluded from TLS for arbitrary reasons.
- AES-256 has known weaknesses in its key schedule that some researchers consider severe.
- AES-192 offers better security than AES-128. There is serious doubt AES-256 can offer the same level of security. This makes AES-192 a valid alternative.
- Implementations of AES-192 are readily available.

Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research

From nobody Wed Jan 18 09:30:32 2017 Return-Path: X-Original-To: cfrg@ietf.org Delivered-To: cfrg@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DA38129556; Wed, 18 Jan 2017 09:30:31 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: X-Test-IDTracker: no X-IETF-IDTracker: 6.40.3 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> Date: Wed, 18 Jan 2017 09:30:31 -0800 Archived-At: Cc: cfrg@ietf.org Subject: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2017 17:30:31 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Crypto Forum of the IETF.

        Title           : AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
        Authors         : Shay Gueron
                          Adam Langley
                          Yehuda Lindell
        Filename        : draft-irtf-cfrg-gcmsiv-03.txt
        Pages           : 45
        Date            : 2017-01-18

Abstract:
   This memo specifies two authenticated encryption algorithms that are
   nonce misuse-resistant - that is that they do not fail
   catastrophically if a nonce is repeated.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-gcmsiv/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-gcmsiv-03

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

From nobody Wed Jan 18 09:34:38 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39141294A9 for ; Wed, 18 Jan 2017 09:34:34 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htmP9ZGyh_Zv for ; Wed, 18 Jan 2017 09:34:33 -0800 (PST) Received: from mail-it0-x241.google.com (mail-it0-x241.google.com [IPv6:2607:f8b0:4001:c0b::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF2151294EF for ; Wed, 18 Jan 2017 09:34:32 -0800 (PST) Received: by mail-it0-x241.google.com with SMTP id e137so2369224itc.0 for ; Wed, 18 Jan 2017 09:34:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=vcW8TXW5uP7WppYnxFg3suDHrEu9mtuRqgixxvHNcgk=; b=lwEPpR6ZANvUmlie72yA7e7FVstjrFoRcNcAnqaIXYNisbYefS/ktxWDTP7wWUppSp m340SX96fUhdhu0dHUvab1qJF2li4Hfzo0DTt2Z/PldO6meSek+Ckgsf8LLwyl/vWjzo TCNLYcrKaJxh07RqYwSjTKGcLIS97X5Kngpx5vEmp1BOngs+3Ser/n7j1BchkyoDS6ZF My+/Y038gdDtaVp08eIH/vH2Ht0qNaJMbvmTD4rIeZ/drgXU4NR5/kKsPwyDfVn0Au/B nwCAYMN9aX3HTFQ5iqnUJBOawzJzodv2I7yQ3JQfECr/TCTbTLz6BLahVdawjbSfCa6s WXog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=vcW8TXW5uP7WppYnxFg3suDHrEu9mtuRqgixxvHNcgk=; b=npP0htExakBMoA7GXloW88Z81heTuTMBH89yDDTTm8wToxQkX+UjwPwBch4tseHFpa qz3tnCMGc9qPd/NDIbXrVJflKyhbM7heOCrelghbH+rjgpy9JlhsDxljKyGgDVuSJx21 UM/uDre6D983m57pob4giPdcTLkAZJYgR0+exaOTbrjUf24ryE/UlSFWdgfoQpXDrfeE 3E4yc4PQuubx7a04XiSey/Id41s7gswG/BooCHljHYWJpHOyKwSk2l5xtJhIMEEO4vtv hZbZMriPWvLWIeMjgNpdgwH5k2OeE/wco4tiKyNqJqrXvrRtEa4a/YFVlfXyV+oB4ZZB Ztbw== X-Gm-Message-State: AIkVDXLQPoTpg14Lstz/b7x9DWV8D8RqsDTXr+W0zl43Wgy40jAh+DBX8Phzcs4/ONGp2wS054iB3RcxM1eiSw== X-Received: by 10.36.52.203 with SMTP id z194mr27625723itz.121.1484760872147; Wed, 18 Jan 2017 09:34:32 -0800 (PST) MIME-Version: 1.0 Sender: alangley@gmail.com Received: by 10.36.144.4 with HTTP; Wed, 18 Jan 2017 09:34:31 -0800 (PST) In-Reply-To: References: From: Adam Langley Date: Wed, 18 Jan 2017 09:34:31 -0800 X-Google-Sender-Auth: XO6O6vZFmrt-XK8g1qt9M2YLtYs Message-ID: To: "Cooley, Dorothy E" Content-Type: text/plain; charset=UTF-8 Archived-At: Cc: "cfrg@irtf.org" Subject: Re: [Cfrg] AES GCM SIV analysis X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2017 17:34:35 -0000 On Wed, Jan 18, 2017 at 8:49 AM, Cooley, Dorothy E wrote: > NSA's Information Assurance organization did some analysis of AES-GCM-SIV, > as described in "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated > Encryption", dated August 29, 2016 [1]. We shared this analysis privately > with the three authors of AES-GCM-SIV, who requested that we post it to the > CFRG forum. The attachment describes the results of the analysis. We believe > the authors will be posting an update shortly. > > > > Any comments on this work can be directed to me. 
But I will note that I > didn't do the actual analysis (I can't claim to be a 'real' cryptographer > these days). > > > > Deb Cooley > > NSA Information Assurance Standards. > > decoole@nsa.gov Dear CFRG, We thank Deb Cooley's team very much for doing this analysis! As she mentioned, they shared their results with us prior to posting here so we already had an update ready and we've just posted https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-03. This update contains three noteworthy changes: 1) We now XOR the nonce into the result of POLYVAL before encrypting to form the tag. This was in the original paper, it was even specified for /decryption/ in -02, but it was omitted in the specification for encryption. This was a mistake. Without it, an attacker can build a lookup table of encryptions of zero under a variety of per-nonce keys and then attack them in parallel (as pointed out in the comments from the IAD), under a single-user-multi-key model. Draft -03 fixes this omission and reintroduces the nonce. 2) A different KDF. As I mentioned at the previous CFRG meeting (in Seoul, 2016) , we had this design in mind but didn't feel that it warranted a new version of the design. However, since we needed a respin because of (1), we have included it. Previously, per-nonce key material was generated by repeated encryption, E(nonce), E(E(nonce)), and so on. This cascade leads to impractical but needling issues including those noted by IAD. We now generate keys by using counter mode and discarding half of each ciphertext block. This solves those issues and also gives improved indistinguishability bounds. In order to make room for the counter, the nonce size has been reduced to 96 bits. 3) A much more minor change is that we now suggest a limit of 2^8 as the maximum number of plaintexts encrypted with a single nonce. 
We previously noted that AES-GCM-SIV with a fixed nonce is similar to AES-GCM with a random nonce, and that NIST recommends a limit of 2^32 messages in that context. Note that we do NOT recommend nonce reuse by choice even inside AES-GCM-SIV. This is for two reasons. First, encrypting the same message twice will be detected. Second, the security bounds when using different nonces are better. For example, when encrypting 2^{32} messages with the same nonce, the probability of a bad event is 2^{-32}. However, as we have shown, when encryption with different nonces, it is possible to go up to about 2^{50} messages without any problem. If nonces repeat mistakenly, for which providing protection is the main aim of this mode of operation, then very strong bounds are still obtained for a large number of ciphertexts (much more than 2^32) as long as a single nonce is not repeated more than say 2^8 times. In practice, such an event is highly unlikely. Cheers AGL From nobody Wed Jan 18 09:53:09 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFDDD12954A for ; Wed, 18 Jan 2017 09:53:06 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.597 X-Spam-Level: X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Msn6Z0Xz57i3 for ; Wed, 18 Jan 2017 09:53:05 -0800 (PST) Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com 
[IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F74A1294C8 for ; Wed, 18 Jan 2017 09:53:04 -0800 (PST) Received: by mail-wm0-x22c.google.com with SMTP id r126so255735553wmr.0 for ; Wed, 18 Jan 2017 09:53:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UQdj+zsacwnAAPSOPhdAttAK+wVrJswtvHEWTDYlGpk=; b=MMdxNURHR04nEv1NlMDuqumvxjw8yvetwJy2vD6WmDUJIJLU0NH4knasQijT+wu6zQ Tnj26IK+2DwhFHlt240+M1+xZH5Jo06beb9YuDi+RWGUPy1B8fItnuBXbyRjeMiW4Zkv PC2S2FR0WZb3F+gYLNu/5gvPGpD9h+4SzHnO6YbDTERrxG0Y2EgDcWDODDe3vRPvkdl8 HnfpgBD6VymveeQS5Y8zRjQCdiLJ+ft74z73Z8olJKEAYcygwA6e2LuTwm4l6B++lhZj AocOMxsEOmHQ+8s7kO2PSWYhIvcbptECtAkfk1P4yp86NEu4lSGaGmQHAxdyiLm2Aj40 65tA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=UQdj+zsacwnAAPSOPhdAttAK+wVrJswtvHEWTDYlGpk=; b=A7XN7wQcqLP6ziigVyUMAfW1LV7t0sTNHs8XWqiu8Deqp3sNCQVAN9XcRgRz8KoiUZ FzAS1vBLdlD6XY4DHq3X7Gglzku6ZJ0J3nCu/KQYdpvigdvQL4odZYQmJjNxiOhHaUA3 I5zYC92hH1fkNgb4tjsNeFeATCyqPRaDGXUhaosn6NkZFUPHWfwRFSIqDspUJPHGQsGW twrrtLxDxOHXJTWKr0UvE2cHbbajO8RFjsRXscuwVw8y61jL1o9UmcPP5dJinirD1kiS iLQkJBIJrmzN9QJ4HJfCj+W5YJSP2/IvlHHmYPW+5wDnJQnD8HhawX9hp3VcakMZLIWl WCOw== X-Gm-Message-State: AIkVDXK5oRNxBKw9XVT3WIwlyu7cLTbXA+rYv89WEgsJ5x3kayY/N5RWSWHR6I4MoMzVDOqmVTDjMh5hBcLrqQ== X-Received: by 10.28.211.200 with SMTP id k191mr3597234wmg.137.1484761983114; Wed, 18 Jan 2017 09:53:03 -0800 (PST) MIME-Version: 1.0 Sender: hallam@gmail.com Received: by 10.194.221.6 with HTTP; Wed, 18 Jan 2017 09:53:02 -0800 (PST) In-Reply-To: <1484759562.5121.70.camel@quad> References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> 
<1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> <1484759562.5121.70.camel@quad> From: Phillip Hallam-Baker Date: Wed, 18 Jan 2017 12:53:02 -0500 X-Google-Sender-Auth: rSFZ9uyCvN6Q2WTilwGz0dL25A4 Message-ID: To: Leonard den Ottolander Content-Type: multipart/alternative; boundary=001a114743749463bd0546621694 Archived-At: Cc: "cfrg@irtf.org" Subject: Re: [Cfrg] A little room for AES-192 in TLS? X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2017 17:53:07 -0000 --001a114743749463bd0546621694 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Jan 18, 2017 at 12:12 PM, Leonard den Ottolander < leonard-lists@den.ottolander.nl> wrote: > > - AES-192 was excluded from TLS for arbitrary reasons. > - AES-256 has known weaknesses in its key schedule that some researcher > consider severe. > - AES-192 offers better security than AES-128. There is serious doubt > AES-256 can offer the same level of security. This makes AES-192 a valid > alternative. > - Implementations of AES-192 are readily available. > > =E2=80=8BAES 192 was excluded for the perfectly good reason that there is n= o compelling argument for inclusion. I would like to see the number of suites reduced because the strength of a cryptographic system depends on the strength of the weakest cipher. Thus adding ciphers to a system invariably weakens it. The only way to improve security is to eliminate ciphers. AES 128 is necessary, so is AES 256. =E2=80=8BI have never seen a point to 192. If the AES key schedule is bjorked, time for a new cipher comp. 
At one point there was the possibility of a really fun itinerary, but the governments that might have sponsored a non-US cipher standard are not exactly crypto friendly right now. --001a114743749463bd0546621694 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


From nobody Wed Jan 18 10:11:53 2017
From: Leonard den Ottolander
To: cfrg@irtf.org
Date: Wed, 18 Jan 2017 19:11:48 +0100
Message-ID: <1484763108.5121.77.camel@quad>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

Hello Phillip,

On Wed, 2017-01-18 at 12:53 -0500, Phillip Hallam-Baker wrote:
> On Wed, Jan 18, 2017 at 12:12 PM, Leonard den Ottolander <
> leonard-lists@den.ottolander.nl> wrote:
>
> >
> > - AES-192 was excluded from TLS for arbitrary reasons.
> > - AES-256 has known weaknesses in its key schedule that some researcher
> > consider severe.
> > - AES-192 offers better security than AES-128. There is serious doubt
> > AES-256 can offer the same level of security. This makes AES-192 a valid
> > alternative.
> > - Implementations of AES-192 are readily available.
> >
> >
> AES 192 was excluded for the perfectly good reason that there is no
> compelling argument for inclusion.
>
> I would like to see the number of suites reduced because the strength of a
> cryptographic system depends on the strength of the weakest cipher. Thus
> adding ciphers to a system invariably weakens it.

It appears AES-256 is a weaker link than AES-192 so your general argument about more is less seems invalid in this case. AES-256 shows weaknesses that are not so prominent in AES-192.

> The only way to improve security is to eliminate ciphers. AES 128 is
> necessary, so is AES 256. I have never seen a point to 192.

I'm trying to make exactly that point :-) . AES-192 does not suffer from the same weaknesses as AES-256 so the former is probably a more robust cipher choice than the latter.

> If the AES key schedule is bjorked, time for a new cipher comp. At one
> point there was the possibility of a really fun itinerary, but the
> governments that might have sponsored a non-US cipher standard are not
> exactly crypto friendly right now.

The problems with the key schedule are with AES-256 specifically. Not with AES in general.

I forgot to mention that AES-192 profits from the hardware support (CPU AES instructions) that exists. This is not (yet) true for new ciphers.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

From nobody Wed Jan 18 10:16:05 2017
From: Phillip Hallam-Baker
Date: Wed, 18 Jan 2017 13:15:58 -0500
To: Leonard den Ottolander
Cc: "cfrg@irtf.org"
In-Reply-To: <1484763108.5121.77.camel@quad>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

On Wed, Jan 18, 2017 at 1:11 PM, Leonard den Ottolander <leonard-lists@den.ottolander.nl> wrote:

> Hello Phillip,
>
> On Wed, 2017-01-18 at 12:53 -0500, Phillip Hallam-Baker wrote:
> > On Wed, Jan 18, 2017 at 12:12 PM, Leonard den Ottolander <
> > leonard-lists@den.ottolander.nl> wrote:
> >
> > >
> > > - AES-192 was excluded from TLS for arbitrary reasons.
> > > - AES-256 has known weaknesses in its key schedule that some researcher
> > > consider severe.
> > > - AES-192 offers better security than AES-128. There is serious doubt
> > > AES-256 can offer the same level of security. This makes AES-192 a
> > > valid alternative.
> > > - Implementations of AES-192 are readily available.
> > >
> > >
> > AES 192 was excluded for the perfectly good reason that there is no
> > compelling argument for inclusion.
> >
> > I would like to see the number of suites reduced because the strength of a
> > cryptographic system depends on the strength of the weakest cipher. Thus
> > adding ciphers to a system invariably weakens it.
>
> It appears AES-256 is a weaker link than AES-192 so your general
> argument about more is less seems invalid in this case. AES-256 shows
> weaknesses that are not so prominent in AES-192.

Oh really, the work factor of AES 256 is lower than that of AES 192? Please show me the paper.

If AES 256 falls then AES goes completely. There is no middle ground.

> > The only way to improve security is to eliminate ciphers. AES 128 is
> > necessary, so is AES 256. I have never seen a point to 192.
>
> I'm trying to make exactly that point :-) . AES-192 does not suffer from
> the same weaknesses as AES-256 so the former is probably a more robust
> cipher choice than the latter.

I see no evidence that the work factor of AES 256 is less than 2^192.

--001a114b0d089501f605466268bc-- From nobody Wed Jan 18 10:25:43 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF3C2129551 for ; Wed, 18 Jan 2017 10:25:41 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yf4vSCrTOEsd for ; Wed, 18 Jan 2017 10:25:39 -0800 (PST) Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9C441294DB for ; Wed, 18 Jan 2017 10:25:39 -0800 (PST) Received: by mail-io0-x231.google.com with SMTP id j13so18684920iod.3 for ; Wed, 18 Jan 2017 10:25:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-transfer-encoding; bh=gY57brPH7WuA3k+tKUFRCOFdci7lqOKp4EEjBVkE3ZM=; b=Q2fafGxPzsP0ACfQ0cPuHpMyUjcvTLQ7KmG00UOHTBla5RG4jcNhdrqRA81G12O9HO tkRvMsl35HGVs9hnHt5CjA39yKiCfMnWx6IAcAvMI1z4nhzHDQhUepQVykCnO3YlgunW u3J46jV5Rxxpvs5NWZWLtWbd7Ba41/0gufj89K48HG135T5PFLqyXysBL8o+idYVETeM UBqZCjoBSjAikmBkNlYjuRbk0/pPgWa9eLI3aI1hgB62nVjveTjfeAsaQdfmjIvLYkvG 8riQdnZm+orHX5JtNRpG/8TBvRKjyb88YBRWqE5n9dQOHW46ZtafEa69mRcDZOnR7cma cLpA== X-Google-DKIM-Signature: v=1; 
a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:content-transfer-encoding; bh=gY57brPH7WuA3k+tKUFRCOFdci7lqOKp4EEjBVkE3ZM=; b=loXnjmVRWJyw16/6NCxa33ZiaD2ZwnHVKzc9oyca3o8mrrL40RwokEUlqlO7e70ENy 4j+vnnFPdRMHgWQrZtLol9Vt7+GtdnOtPuRFJE+dYSSrJbdUNUKq/UdAKOmjZ8Y8ZdHO 7mJpcadP/jXzd4tRlhspKwgm8e0vbeZ92yrsFRWwzB/t8Eey1dkuY8rF/Y1aGIywMa/K IMEWwoxpwpNj4oQYbx109U0K9JkZ1vhgLVNBaHnXrYfMMJOyjILrZOFN0hSN1uK+ZFlY LrTA69Kx8iLQkM7UbjcwiC+VMHHjVtbaQaduzSoOw05YR9tq/qI6boGgLk0+YKMuzSeB Ftog== X-Gm-Message-State: AIkVDXLVq5UODPbc2+hw6v0SqZEYwvw5/d2KSzmWEqfobRpDdxt2ePrj3Z3ck4WX/Qfj91nsYYqExj/jDuzOBg== X-Received: by 10.107.9.141 with SMTP id 13mr5689176ioj.24.1484763938635; Wed, 18 Jan 2017 10:25:38 -0800 (PST) MIME-Version: 1.0 Sender: alangley@gmail.com Received: by 10.36.144.4 with HTTP; Wed, 18 Jan 2017 10:25:38 -0800 (PST) In-Reply-To: References: From: Adam Langley Date: Wed, 18 Jan 2017 10:25:38 -0800 X-Google-Sender-Auth: 3GJkyLVSn9lTbilDgOYtZxgfxPI Message-ID: To: "cfrg@irtf.org" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [Cfrg] AES GCM SIV analysis X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2017 18:25:42 -0000 Also, in the interests of keeping things on the working-group mailing list, I am including the two follow-ups that Shay and Yehuda sent, previously, in response to this. (The discussion took place in two back-and-forth iterations. Hence they sent two replies, which are attached here.) -----Message one----- We greatly thank you for your interest in the AES-GCM-SIV authenticated encryption scheme, and for your work on analyzing it. We begin with the first attack. 
It is well known that in the model of multi-key security, if there are M different users with M different keys, and the key-space is of size N, then it is possible to find one of the keys in time M/N. We cast the attacks you describe in this light. Specifically, since our CFRG essentially changes the keys in every encryption, we obtain a multi-key setting even for a single user. Considering, for example, attack number 1: this attack works since it is possible to obtain encryptions of a single known block under many keys. Thus, the original multi-key attack of [1] is applicable. Having said the above, we find that the tradeoff between the CFRG and original GCM-SIV paper to be favorable toward the CFRG. This is because as with all counter modes, the original GCM-SIV and GCM with a random nonce (counter) has the property that after 2^32 different encryptions, the probability of a collision on the nonce (counter) is about 2^-32. Now, if less than 2^32 encryptions are carried out, then neither the multi-key attacks nor the collision on the counter is a concern. However, if more than 2^32 encryptions are computed, then the amount of work required for the multi-key attacks is still extremely large, whereas the probability of a collision on the nonce becomes a very real concern. We do not dismiss the threat of multi-key attacks, and it has been recently noted that this may be a real problem in TLS sessions. This has prompted recent work, one example being [2]. Indeed, [2] explain that in TLS it is preferable to use a random nonce for GCM even though a fresh key is used in every session (and thus one could always start with a fixed nonce of 0). This is exactly to prevent/mitigate multi-key attacks. We stand behind our proposal to change keys in every message, and were surprised that changing the nonce does not solve the problem (Ref. [1] in your document). 
We then noticed that in the original GCM-SIV paper appearing in ACM CCS, we XOR the nonce with the result of POLYHASH on the AAD and message, and then encrypt it (using AES). While our intention was to mount some nonce-based key derivation on top of GCM-SIV, we forgot (in one of the versions of the proposal) this XOR in the CFRG specification. By returning this XOR, we mitigate the risk of multi-key attacks since different nonces would now not enable an attacker to obtain many encryptions of the same (known) block under different keys. Regarding the other attacks: Attack 3 requires 2^128 chosen plaintexts. We do not consider this to be realistic. Furthermore, when the block size is 128 bits then everything breaks well before that (with repeating inputs to AES). Attack 2 is just a type of time-space tradeoff and these types of bounds are always possible on block ciphers. Note also that in order to reduce the work time by just two bits, the number of queries required is already 2^96. As stated regarding attack 3, with a 128-bit block size everything breaks well before this anyway. Once again, we thank you for your interest in GCM-SIV, and we will make the change to mitigate the first attack as described. Although we think that users of GCM-SIV should not be concerned with the other attacks, as described above, we appreciate the feedback and we will document them for full transparency. [1] E. Biham. How to Forge DES-Encrypted Messages in 228 Steps. Information Processing Letters, 84(3):117-124, 2002. [2] M. Bellare and B. Tackmann. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3. In CRYPTO 2016, Springer (LNCS 9814), pages 247-276, 2016. Shay Gueron and Yehuda Lindell -----Message two----- We thank you very much for your response, and greatly appreciate your feedback and analysis. We would like to point out what we recommend (and plan to post) a maximal number of usages (q_max) of a single master key, with AES-GCM-SIV. 
This would better put things in context. As we promised to the CFRG community since we posted the specifications, we are working on a paper that analyzes the scheme and derives this recommendation. Hopefully, it will be ready in a few weeks. In order to explain our bound, let us first denote the 2-key specification in the CCS paper by GCM-SIV (K1, K2, N, AAD, M). The CFRG proposal can then be viewed as a two step protocol: 1. Key derivation: Compute (Record_Encryption_Key, Record_Hash_Key) =3D KDF (Master_Key, N) 2. Encryption: Compute (Tag, C) =3D GCM-SIV (Record_Encryption_Key, Record_Hash_Key, N, AAD, M) We now consider the recommended restriction regarding the number q_max of times that the Master_Key can be used (which actually translates to how many different nonces can be used, but since a different nonce should be used for every message this is the same as the number of different messages, but messages can be long). Our calculation is that q_max ~ 2^47 is an appropriate recommendation in order to preserve the 2^-32 security margins recommended by NIST. This 2^47 limit is based on a failure of indistinguishability of the generated nonce-based keys, unlike the deeper failure that AES-GCM would suffer by a nonce misuse. This number shows that the additional key derivation increases the number of allowed usages of a (master) key for AES-GCM-SIV, compared to the CCS version that was limited to ~2^32 usages(and the security margins). We are working on a way to increase q_max even further, and this will be announced in the upcoming paper. >From a practical viewpoint, we comment that if a user sends, say, 1 million messages per second, then a key replacement after 2^47 usages would be necessary after ~4 years. 
Since AES-GCM-SIV is designed for cases where a user needs to encrypt multiple messages, but nonce uniqueness may be a concern, we suggest to compare q_max to the number of times that a key can be used with AES-GCM with a randomly selected 96-bit IV (i.e., 2^32).

With this limit on q_max, we conclude that your mentioned attacks do not apply. We understand that you agree with this analysis.

The last question that remains is regarding the current KDF that uses a hierarchy of keys, and this cascade generates some relation between the derived keys. We are not extremely concerned with 2^128 work to extract additional keys /after/ one key is compromised (with no cryptographic method known so far). However, we agree that for 256-bit keys, this should not be possible.

This brings us to the question about the KDF. In fact, we have been contemplating amongst ourselves about a better KDF that not only has better indistinguishability bounds, but is also faster than the current one. Also, some CFRG members have very recently asked about this. Therefore, we do intend to replace the KDF, as follows.

AES-GCM-SIV will receive a 96-bit nonce. The KDF will compute AES (Master_Key, IV || IntToString32 (j)) for j=0, …, 3 (128-bit key) or j=0, …, 5 (256-bit key). From each of these 4 (or 6) generated blocks, 64 bits will be discarded, and then pairs will be combined into 2 (3) 128-bit values. These will be used as the Record_Hash_Key and the Record_Encryption_Key.

The indistinguishability advantage of this KDF (assuming AES is a close approximation to a random permutation), is bounded by 6q/2^96 where q is the number of times that the KDF was called with a single (master) key (see [1]).

Now, for q different random nonces, the probability of an r-multi-collision (i.e., at least one value appears at least r times), and hence also on the per-nonce keys, can be bounded by 1/u^{r-1} * Binomial (q, r) (where u=2^96 here).
Note that if for different nonces, there is a collision on the derived keys, this will not be a case of nonce misuse.

We can require a limited number of allowed nonce repetitions. Based on the above calculation, the probability that selecting the nonce (uniformly) at random will show r-multi-collisions (for a large r), is negligible, when staying with the bounds of q_max.

Assume now that for the q_max (randomly) generated nonces, each value appears at most 4 times. Using some bound on the (intentional) number of messages encrypted by one selected nonce (and the lengths of the messages and AAD’s), we can apply the security bounds that we have on GCM-SIV.

We plan to post the updated specification next week.

Thank you again,
Shay and Yehuda

[1] S. Gilboa, S. Gueron, “The Advantage of Truncated Permutations”, https://arxiv.org/abs/1610.02518 (submitted on 8 Oct 2016).
[2] K. Suzuki, D. Tonien, K. Kurosawa, K. Toyota, “Birthday Paradox for Multi-collisions”, Proceedings of the 9th International Conference on Information Security and Cryptology, 29-40 (2006).
http://dl.acm.org/citation.cfm?id=2172962

From nobody Wed Jan 18 10:30:06 2017
From: Russ Housley
Date: Wed, 18 Jan 2017 13:30:04 -0500
Message-Id: <78E7520D-B2AA-4C0F-8581-52D6E7637674@vigilsec.com>
References: <46ECD4D0-07BB-4082-82AC-4B2AE656AE09@gmail.com>
To: IRTF CFRG
Subject: Re: [Cfrg] Fwd: Rev RFC 7539?

Document: draft-nir-cfrg-rfc7539bis-00
Reviewer: Russ Housley
Review Date: 2017-01-19
Summary: Almost Ready

Major Concerns:

The Abstract says that there are additions to the Security Considerations; however, I do not see a difference between the Security Considerations in this document and RFC 7539.

Minor Concerns:

In Section 2.3.1, please add a sentence to define the "|" operator in a manner similar to the definition for "+" in Section 2.1.

Nits:

Abstract: s/any new crypto/any new cryptographic mechanisms/

Section 2.1 uses "rotation" and "roll" to describe the same operation. Please pick one term.

In Sections 2.1 and 2.3, I do not think that the line numbers aid the reader. I think that simple indention would be better.

In Sections 2.1 and 2.1.1, I do not think that the bullets aid the reader. I think that simple indention would be better.

Section 2.5.1 includes: r = (le_bytes_to_num(key[0..15]). I think you want to drop the leading parenthesis.

In Author's address, please capitalize "st."
From nobody Wed Jan 18 12:51:49 2017
From: Brian Smith
Date: Wed, 18 Jan 2017 10:51:44 -1000
To: Adam Langley
Cc: "Cooley, Dorothy E", "cfrg@irtf.org"
Subject: Re: [Cfrg] AES GCM SIV analysis

On Wed, Jan 18, 2017 at 7:34 AM, Adam Langley wrote:
> 3) A much more minor change is that we now suggest a limit of 2^8 as
> the maximum number of plaintexts encrypted with a single nonce. We
> previously noted that AES-GCM-SIV with a fixed nonce is similar to
> AES-GCM with a random nonce, and that NIST recommends a limit of 2^32
> messages in that context.

The actual text in the draft is "Thus with AES-GCM-SIV we recommend that, for a specific key, a nonce not be repeated more than 2^8 times."

Is this a meaningful recommendation? How would one go about following this recommendation in a practical implementation? In particular, AES-GCM-SIV is mostly interesting in implementations that cannot reliably and/or consistently save state, and it seems like any attempt to write code to enforce this relies on saving state in the manner. Is the idea here that one would, every 2^8 or so messages, force some kind of "sync state or force rekey" operation that would be too expensive to do on every message?

Do we really need a 32-bit counter for this mode? Why not have a 16-bit counter? This would allow single messages up to 1MB. Then one could more safely use a 96-bit random + 16-bit fixed ID nonce or an 80-bit random + 32-bit fixed ID nonce. In general, super large messages don't work well with AEADs because it's hard to verify the integrity of a giant message before using the plaintext, so 32-bit counters seem excessive. I expect protocols would limit the maximum message length such that a ~16-bit counter would be sufficient.

Cheers,
Brian
--
https://briansmith.org/

From nobody Wed Jan 18 13:06:40 2017
From: John Mattsson
To: "cfrg@ietf.org"
Date: Wed, 18 Jan 2017 21:05:36 +0000
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

From nobody Wed Jan 18 13:33:43 2017
From: Shay Gueron
Date: Wed, 18 Jan 2017 13:33:35 -0800
To: Brian Smith
Cc: Adam Langley, "Cooley, Dorothy E", "cfrg@irtf.org", Yehuda Lindell
Subject: Re: [Cfrg] AES GCM SIV analysis

>>> Is this a meaningful recommendation?
>>> How would one go about following this recommendation in a practical implementation?

This is a very valid question, that is answered in the specification. But perhaps it is worth clarifying on the mailing list. It is rather easy to adhere to the recommendation. Simply choose the 96-bit nonce uniformly at random. After, say, 2^{50} encryptions, the probability that a nonce repeated, even 5 times, can be bounded from above (see the "multibirthday" reference in the spec) by 2^(-134). (To this, you need to add occurrences where the keys also collide. All this analysis will be posted soon, together with the matching bounds).

>>> Do we really need a 32-bit counter for this mode?
>>> Why not have a 16-bit counter?

Also a very valid question. The answer is that you don't really need a 32-bit counter. It is possible for a usage to specify a shorter restriction on the allowed message length. This will improve the security bounds, which are also a function of k, where 2^k is the largest number of blocks in a message. You can choose any k <= 32.

Thanks, Shay

2017-01-18 12:51 GMT-08:00 Brian Smith :

> On Wed, Jan 18, 2017 at 7:34 AM, Adam Langley wrote:
> > 3) A much more minor change is that we now suggest a limit of 2^8 as
> > the maximum number of plaintexts encrypted with a single nonce. We
> > previously noted that AES-GCM-SIV with a fixed nonce is similar to
> > AES-GCM with a random nonce, and that NIST recommends a limit of 2^32
> > messages in that context.
>
> The actual text in the draft is "Thus with AES-GCM-SIV we recommend
> that, for a specific key, a nonce not be repeated more than 2^8
> times."
>
> Is this a meaningful recommendation? How would one go about following
> this recommendation in a practical implementation? In particular,
> AES-GCM-SIV is mostly interesting in implementations that cannot
> reliably and/or consistently save state, and it seems like any attempt
> to write code to enforce this relies on saving state in the manner. Is
> the idea here that one would, every 2^8 or so messages, force some
> kind of "sync state or force rekey" operation that would be too
> expensive to do on every message?
>
> Do we really need a 32-bit counter for this mode? Why not have a
> 16-bit counter? This would allow single messages up to 1MB. Then one
> could more safely use a 96-bit random + 16-bit fixed ID nonce or an
> 80-bit random + 32-bit fixed ID nonce. In general, super large
> messages don't work well with AEADs because it's hard to verify the
> integrity of a giant message before using the plaintext, so 32-bit
> counters seem excessive. I expect protocols would limit the maximum
> message length such that a ~16-bit counter would be sufficient.
>
> Cheers,
> Brian
> --
> https://briansmith.org/
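Added example, not part of any message in this thread: a calculator for the two bounds quoted in the messages above, Binomial(q, r)/u^(r-1) with u = 2^96 for an r-fold repetition of a random nonce, and 6q/2^96 for the KDF. The function names are my own, and r = 257 is my reading of "repeated more than 2^8 times".

```python
import math

NONCE_BITS = 96  # nonce length stated in the thread (u = 2^96)


def log2_multicollision_bound(log2_q, r, nonce_bits=NONCE_BITS):
    """log2 of Binomial(q, r) / u^(r-1) for q = 2^log2_q random nonces.

    This is the thread's upper bound on the probability that some nonce
    value is drawn at least r times. Exact integers are used so nothing
    overflows or rounds before the final logarithm is taken.
    """
    q = 1 << log2_q
    ways = math.comb(q, r)  # 0 when q < r: r repetitions are impossible
    if ways == 0:
        return float("-inf")
    return math.log2(ways) - nonce_bits * (r - 1)


def log2_kdf_advantage(log2_q):
    """log2 of 6q / 2^96, the KDF indistinguishability bound from the thread."""
    return math.log2(6) + log2_q - 96


def max_log2_messages(r, target_log2, nonce_bits=NONCE_BITS, limit=256):
    """Largest k <= limit for which q = 2^k keeps the bound <= 2^target_log2.

    The bound grows with q, so a linear scan over k is sufficient.
    """
    k = 0
    while (k < limit and
           log2_multicollision_bound(k + 1, r, nonce_bits) <= target_log2):
        k += 1
    return k


def report():
    """Evaluate the bounds at the operating points mentioned in the thread."""
    cases = [
        ("2^50 messages, some nonce seen >= 5 times", 50, 5),
        ("2^50 messages, some nonce seen >= 257 times", 50, 257),
        ("2^100 messages, some nonce seen >= 257 times", 100, 257),
    ]
    return [(label, log2_multicollision_bound(k, r)) for label, k, r in cases]


if __name__ == "__main__":
    for label, value in report():
        print(f"{label}: probability <= 2^{value:.1f}")
    print(f"KDF advantage after 2^50 derivations <= 2^{log2_kdf_advantage(50):.1f}")
    print(f"257-fold repeat stays below 2^-32 up to 2^{max_log2_messages(257, -32)} messages")
```

For q = 2^50 and r = 5 the formula evaluates to about 2^-140.9, which is below the 2^(-134) figure given in the reply above.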



--001a114630185979c20546652b94-- From nobody Wed Jan 18 13:35:20 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB9B1294C4 for ; Wed, 18 Jan 2017 13:35:18 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19gfKOZgXDWS for ; Wed, 18 Jan 2017 13:35:17 -0800 (PST) Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC1101294C9 for ; Wed, 18 Jan 2017 13:35:16 -0800 (PST) Received: by mail-io0-x234.google.com with SMTP id v96so22955836ioi.0 for ; Wed, 18 Jan 2017 13:35:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=ygcK+nuQxHzq44YE3SdMqoWB60+dAlFEuXancUnvADM=; b=g4ezcSa68zdEJLZ3GhZUbUNptpRqpO3tC4GPa39KlmIPaDMU0siYJpblNiV/D87XDd /z6gpIbAskrdfjOMMzvZpk3H/MeRk1FnNJKVaAtizWtRgZ6raO2wjqpkNMGGEsSqsot3 YXOsqpzSqYzGyCJoqzNbiTCVZX4e/fDduuBWg2TI6rUp13LkWv7j4TjBqdcTGwPCS8VB TNELy3kPHkOBTTo9gCYQJn5JNGayIMowMYXBN17LScuzNVJ3G+TWnDH+zDtMwU4f2IiM 9oJrqKOHfPIZqc38QvWy+FBEegfPvQX9IiFHahZcBM96CrQhF0vcNjeV3C4I8VsDKi2L auHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=ygcK+nuQxHzq44YE3SdMqoWB60+dAlFEuXancUnvADM=; b=sfxsgHtvP3mKBUQjZOXK1wJOISjCTKwPh3bZg4J4sh335iBi0INoKj6IEVHpYsSybh 0o0jTiFpMGS5URu7Rq+skvBBklBbuIoHAV95neOl/Ts7wsWs0EgVYFUdT0U618m0e0hD 6Jr2yenYEnxTtAsKRvKM7jxrOiz0mis5e7hwLZpZtmkgubMX4R2Pyhiq36xUQexc0iI5 F7XOcYiEYWoO3bkRTHO+xsajaEWAMC5MK1Nr5apbs9z54SxdAM80J3TW5lA5Hpngi8xI fMkPER0IqGzxTXHPfMKecRLb8KEiNM00Pj7hfIw0j7kfB7oH4LC5ywNsO3e/jiponvKq 8qgg== X-Gm-Message-State: AIkVDXLorlIxcPRMVET/DmtKK4y6MYSr9rAcZLa9zCX8ctz6MiBAc6kCsZ30ChQk3J/q+HW9ZD6gZMBme0jBlA== X-Received: by 10.107.134.36 with SMTP id i36mr5609100iod.168.1484775316244; Wed, 18 Jan 2017 13:35:16 -0800 (PST) MIME-Version: 1.0 Sender: alangley@gmail.com Received: by 10.36.144.4 with HTTP; Wed, 18 Jan 2017 13:35:15 -0800 (PST) In-Reply-To: References: From: Adam Langley Date: Wed, 18 Jan 2017 13:35:15 -0800 X-Google-Sender-Auth: qBu9maR1nAbU6Q89LixDWvm6cq8 Message-ID: To: Brian Smith Content-Type: text/plain; charset=UTF-8 Archived-At: Cc: "Cooley, Dorothy E" , "cfrg@irtf.org" Subject: Re: [Cfrg] AES GCM SIV analysis X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2017 21:35:19 -0000 On Wed, Jan 18, 2017 at 12:51 PM, Brian Smith wrote: > On Wed, Jan 18, 2017 at 7:34 AM, Adam Langley wrote: >> 3) A much more minor change is that we now suggest a limit of 2^8 as >> the maximum number of plaintexts encrypted with a single nonce. We >> previously noted that AES-GCM-SIV with a fixed nonce is similar to >> AES-GCM with a random nonce, and that NIST recommends a limit of 2^32 >> messages in that context. > > The actual text in the draft is "Thus with AES-GCM-SIV we recommend > that, for a specific key, a nonce not be repeated more than 2^8 > times." 
>
> Is this a meaningful recommendation? How would one go about following
> this recommendation in a practical implementation? In particular,
> AES-GCM-SIV is mostly interesting in implementations that cannot
> reliably and/or consistently save state, and it seems like any attempt
> to write code to enforce this relies on saving state in the manner. Is
> the idea here that one would, every 2^8 or so messages, force some
> kind of "sync state or force rekey" operation that would be too
> expensive to do on every message?

No, nothing like that. Perhaps this part of the document isn't clear.

Basically, before we noted that AES-GCM-SIV with a fixed nonce is like
AES-GCM with a random nonce (except that it also leaks when plaintexts
are equal). We noted that NIST recommends no more than 2^32 messages be
encrypted with a given key in that context.

So someone could, not completely unreasonably, say that they're not
worried about leaking when plaintexts are equal and use AES-GCM-SIV
with a fixed nonce for 2^32 messages. We're now clearly saying that's
not a great idea.

Instead, generate nonces at random. With a random, 96-bit nonce you
don't have to worry about the probability of having repeated a single
value > 2^8 times until you have a staggering number of plaintexts:
greater than 2^100 of them. Since that vastly exceeds our current
recommendation for number of plaintexts per key (2^50), it's basically
not a concern.

If that makes sense, what could we have written to be clearer?

> Do we really need a 32-bit counter for this mode? Why not have a
> 16-bit counter? This would allow single messages up to 1MB. Then one
> could more safely use a 96-bit random + 16-bit fixed ID nonce or an
> 80-bit random + 32-bit fixed ID nonce. In general, super large
> messages don't work well with AEADs because it's hard to verify the
> integrity of a giant message before using the plaintext, so 32-bit
> counters seem excessive.
> I expect protocols would limit the maximum
> message length such that a ~16-bit counter would be sufficient.

I agree that large AEAD messages have several problems. But I don't
think that we have any need for a larger nonce (see above). (And the
nonce is used with a counter only in the KDF phase, so it's unrelated
to the maximum plaintext size.)

Cheers

AGL

--
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

From nobody Wed Jan 18 15:46:19 2017
From: Brian Smith
Date: Wed, 18 Jan 2017 13:46:14 -1000
Cc: cfrg@ietf.org
In-Reply-To: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-03

The intro defines nonce-misuse-resistant AEADS as ones
that are safe(r) to use when "two distinct messages are encrypted with
the same nonce". However, in reality we usually don't care only about
the case where *two* (==2) distinct messages are encrypted with the same
(key, nonce), but rather we care about the case where *multiple* (>=2)
messages are encrypted with the same (key, nonce). In particular the new
draft makes a distinction between encrypting <2^8 vs >=2^8 messages with
the same (key, nonce), not a distinction between 1 vs 2 messages with
the same (key, nonce).

The practical motivation for POLYVAL is unclear. In an email message
in an earlier mailing list thread, Shay said "We chose to use POLYVAL
so that 128-bit blocks can be viewed as field elements and as AES
ciphertexts in a consistent way (with respect to the order of the bits
inside each byte))," and I think that this should be included in the
spec, along with a more plain explanation that this is done (IIUC)
simply to avoid byteswapping on little-endian systems that GHASH
requires.

It isn't clear how the nonce length of 96 bits was chosen. I can see
some advantages, e.g. it is more of a drop-in replacement for AES-GCM,
which is almost exclusively used with 96-bit nonces in IETF protocols,
but is there any other reason? Since nonce-misuse-resistance is not a
binary property, but rather a gradient, it seems better to optimize for
minimizing the chance of accidental nonce misuse, or minimizing the
number of times a nonce is likely to be misused, which AFAICT means
choosing a nonce length that is as long as is practical. The rationale
in the other thread says "In order to make room for the counter, the
nonce size has been reduced to 96 bits," but the counter for the key
derivation only needs to be 3 bits long, IIUC, so it seems like the
nonce length was reduced more than necessary?

The email also said "We now generate keys by using counter mode and
discarding half of each ciphertext block."
The motivation for discarding half of each ciphertext block should be
added to the draft (maybe in security considerations), along with a
reference of how discarding half of each ciphertext block achieves that
goal.

The draft makes an argument about safety when "nonces are selected
uniformly at random." However, isn't a key motivation for AES-GCM-SIV
our lack of confidence in our ability to select nonces uniformly at
random? I personally would like to see discussion of the case where we
can't assume nonces are selected uniformly at random. (While I can't
come up with one off the top of my head right now, it seems likely
that there would be simpler and less invasive ways of defining a
nonce-misuse-resistant AEAD based on AES-GCM if we can also assume we
have a good random number generator and we're willing to accept the
birthday bound analysis in the draft. Thus, based on intuition it
seems like AES-GCM-SIV must be useful in contexts where nonces aren't
chosen uniformly at random in order to justify its complexity.)

Cheers,
Brian
--
https://briansmith.org/

From nobody Wed Jan 18 16:13:53 2017
From: Adam Langley
Date: Wed, 18 Jan 2017 16:13:48 -0800
To: John Mattsson
Cc: "cfrg@ietf.org"
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

On Wed, Jan 18, 2017 at 1:05 PM, John Mattsson wrote:
> - In addition to listing the performance penalty compared to GCM. The
> draft should also mention that compared to GCM, some nice properties
> disappear:
> - Neither Encryption nor Decryption is online as encryption/decryption
> cannot start before the whole plaintext/ciphertext is known.

I agree that this is true for encryption, but I don't believe that
AES-GCM should be *de*crypted in a streaming fashion, but rather that
records should be sized so that this isn't a problem. (At which point
the benefit for streaming encryption becomes small or moot.)

I've a long spiel about the dangers of processing unauthenticated
ciphertext which I'll spare you :) But, even for small machines, the
memory needed to safely buffer the decrypted plaintext to avoid
releasing it before it's authenticated is equal to the memory to
buffer the ciphertext followed by decrypting in-place.

So I actually quite like that the tag is at the end of the message
with AES-GCM-SIV because it makes it harder to do what I think is the
"wrong" thing.

> - GCM-SIV removes the possibility to preprocess static headers (AAD).

Indeed.

(I wasn't sure where to put these points in the spec so, for the
moment, I've added an appendix for "Additional comparisons with
AES-GCM". I'm collecting changes in GitHub before making a new
version. For this message, see
https://github.com/agl/gcmsiv/commit/c6c7fd388dd122251264222b7491c6212e818319.)

> - “The result of the encryption is the resulting ciphertext (truncated
> to the length of the plaintext) followed by the tag."
>
> I suggest that the tag is placed first instead of last in the
> ciphertext. This makes decryption online, which makes a large
> difference. Suggestion:
>
> “The result of the encryption is the tag followed by the ciphertext
> (truncated to the length of the plaintext)"

(See above.)

>
>
> - "within 5% of the speed of AES-GCM."
> Should state when this is the case, e.g. long plaintext/aad.

Done.

>
> - I think the draft should give performance data also for short
> plaintexts/aad or even better list the performance in number of
> operations:
>
> GCM:
> Block Cipher Operations = p + 1
> GF(2^128) Multiplications = p + a + 1
>
> GCM-SIV-128
> Block Cipher Operations = p + 5
> GF(2^128) Multiplications = p + a + 1
>
> GCM-SIV-256
> Block Cipher Operations = p + 7
> GF(2^128) Multiplications = p + a + 1
>
> (if I got it right...)

I think that's correct and I've added that to the new appendix.

> Where p is the block length of the plaintext and a is the block length
> of the additional authenticated data,
>
> I doubt that encryption of short messages are anywhere near 5% of GCM.
>
> - The "++" and "[:8]" operation should probably be defined.

Done.

>
> - What is the security/performance tradeoff with truncation in the key
> derivation? What would the security properties be if "[:8]" was
> removed?

I'll have to let Shay answer this, but the rough idea is that, since
AES is a permutation, no two ciphertexts can be equal given that
we're encrypting different plaintexts using the KDF phase. However,
ideally we would want a PRF where outputs can be the same. By taking
only the first eight bytes of each ciphertext block, we better
approximate a PRF.

> - The definition of U32LE seems unnecessary and only adds complexity.
> I suggest:
> OLD "U32LE(3) ++ nonce"
> NEW "03 ++ 000000 ++ nonce

Good point.

>
> - The term K1 is only used in Test Vectors. I guess it is an old term
> that should be removed.

Done.

> Some editorials:

Thank you for all these. They should be taken care of.

> - OLD "The record-authentication key is 128-bit and the
> record-authentication key"
> NEW "The record-authentication key is 128-bit and the
> record-encryption key"
>
> - "} else if bytelen(key-generating-key) == 32 {
> record-encryption-key = AES128(key = key-generating-key,"
>
> Should be AES256

Indeed, and record-authentication-key is wrong too!

> - Spacing around "+" and "*" are not consistent.
>
> - "the the"
>
> - yeilds
>
> - remainding
>
> - RFC7322 says "A comma is used before the last item of a series"

I think I'll leave this one to the RFC Editor!

Cheers

AGL

From nobody Wed Jan 18 16:24:12 2017
From: Adam Langley
Date: Wed, 18 Jan 2017 16:24:07 -0800
To: Brian Smith
Cc: cfrg@ietf.org
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

On Wed, Jan 18, 2017 at 3:46 PM, Brian Smith wrote:
> The intro defines nonce-misuse-resistant AEADS as ones that are
> safe(r) to use when "two distinct messages are encrypted with the same
> nonce".
> However, in reality we usually don't care only about the case
> where *two* (==2) distinct messages are encrypted with the same (key,
> nonce), but rather we care about the case where *multiple* (>=2)
> messages are encrypted with the same (key, nonce). In particular the
> new draft makes a distinction between encrypting <2^8 vs >=2^8
> messages with the same (key, nonce), not a distinction between 1 vs 2
> messages with the same (key, nonce).

You're correct that the problem is multiple messages (potentially)
encrypted with the same (key, nonce) pair. But the number is very small
since the number of random nonces that need to be sampled from a 96-bit
space in order to expect at least one to appear > x times, rises *very*
fast with x. As noted in the draft, for x=256, it's about 2^102.

The main thrust of that section in the spec is to say "pick nonces at
random". The 2^8 number was picked out of the aim to emphasize this
over fixing a specific nonce and not encrypting too many messages.

> The practical motivation for POLYVAL is unclear. In an email message
> in an earlier mailing list thread, Shay said "We chose to use POLYVAL
> so that 128-bit blocks can be viewed as field elements and as AES
> ciphertexts in a consistent way (with respect to the order of the bits
> inside each byte))," and I think that this should be included in the
> spec, along with a more plain explanation that this is done (IIUC)
> simply to avoid byteswapping on little-endian systems that GHASH
> requires.

I'll let Shay add something about this if he wishes, but I think the
bit ordering in GHASH is weird and it's not just a big/little endian
thing. I know, having spoken to other people who have dealt with GHASH,
but I'm not unique in this either. POLYVAL straightens this out :)

> It isn't clear how the nonce length of 96 bits was chosen. I can see
> some advantages, e.g.
> it is more of a drop-in replacement for AES-GCM,
> which is almost exclusively used with 96-bit nonces in IETF protocols,
> but is there any other reason?

It used to be 128 bits, but we wanted to change the KDF to use counter
mode. Thus we needed three bits for the counter. However, a 125-bit
nonce would be too weird so we rounded down to 96 bits. An analysis of
the probabilities of repeats shows that, even with 96 bits, there is a
vast security margin so we're happy with that length.

> The email also said "We now generate keys by using counter mode and
> discarding half of each ciphertext block." The motivation for
> discarding half of each ciphertext block should be added to the draft
> (maybe in security considerations), along with a reference of how
> discarding half of each ciphertext block achieves that goal.

Agreed and I'm hoping that a more concrete comparison of how the new
KDF affects the bounds will come from Shay and Yehuda soon :)

> The draft makes an argument about safety when "nonces are selected
> uniformly at random." However, isn't a key motivation for AES-GCM-SIV
> our lack of confidence in our ability to select nonces uniformly at
> random?

No. The motivation is that selecting nonces at random with AES-GCM
isn't very comforting. NIST recommends a limit of 2^32 plaintexts for a
given key in this case, and that still has a 2^-33 chance of serious
failure.

> I personally would like to see discussion of the case where we
> can't assume nonces are selected uniformly at random. (While I can't
> come up with one off the top of my head right now, it seems likely
> that there would be simpler and less invasive ways of defining a
> nonce-misuse-resistant AEAD based on AES-GCM if we can also assume we
> have a good random number generator and we're willing to accept the
> birthday bound analysis in the draft.
> Thus, based on intuition it
> seems like AES-GCM-SIV must be useful in contexts where nonces aren't
> chosen uniformly at random in order to justify its complexity.)

Off the top of my head, I think we would need a cipher with a 256-bit
block in order for a scheme that doesn't depend on nonces being
(mostly) distinct to have comfortable security margins. AES-GCM-SIV is
not such a scheme.

Cheers

AGL

--
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

From nobody Wed Jan 18 17:05:10 2017
From: Shay Gueron
Date: Wed, 18 Jan 2017 17:05:05 -0800
To: Adam Langley
Cc: "cfrg@ietf.org"
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
Content-Type: multipart/alternative; boundary=f403045dc5d2b0efc90546681f85

--f403045dc5d2b0efc90546681f85
Content-Type: text/plain; charset=UTF-8

Hello everyone,

I will try to address, really
briefly, two of the points raised here and deferred to me.

The definition of POLYVAL: there is an inherent discrepancy in the
definition of AES-GCM. 128-bit blocks need to be viewed as polynomials,
and also as 16 bytes for input/output for AES (AES is defined over
bytes). The way that the polynomials are defined leads to bytes that
have the reverse order of bits, compared to how AES views a byte. I will
publish a detailed paper on this issue. For now, there is some
explanation in my talk at RWC 2011 [1].
POLYVAL is defined in a way that is consistent with AES.

The other topic is why truncate the AES (throw away half of the bits)
when generating per-nonce keys. The idea is to get indistinguishability
bounds that do not have a term that is quadratic in the number of
queries (like the ones we would get if we used all of the bits). Roughly
speaking the truncation gets us a term that looks like q/2^(96) instead
of q^2/2^{129}. The bounds and discussion can be seen at [2].

Anyway an organized paper with a statement on the security bounds, is
going to come out in a paper that we are working on these very days. We
will post it soon.

Thank you, Shay

[1] https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf
[2] S. Gilboa, S. Gueron, “The Advantage of Truncated Permutations”,
    https://arxiv.org/abs/1610.02518 (submitted on 8 Oct 2016).

2017-01-18 16:13 GMT-08:00 Adam Langley:

> On Wed, Jan 18, 2017 at 1:05 PM, John Mattsson wrote:
> > - In addition to listing the performance penalty compared to GCM. The
> > draft should also mention that compared to GCM, some nice properties
> > disappear:
> > - Neither Encryption nor Decryption is online as encryption/decryption
> > cannot start before the whole plaintext/ciphertext is known.
>
> I agree that this is true for encryption, but I don't believe that
> AES-GCM should be *de*crypted in a streaming fashion, but rather that
> records should be sized so that this isn't a problem.
> (At which point
> the benefit for streaming encryption becomes small or moot.)
>
> I've a long spiel about the dangers of processing unauthenticated
> ciphertext which I'll spare you :) But, even for small machines, the
> memory needed to safely buffer the decrypted plaintext to avoid
> releasing it before it's authenticated is equal to the memory to
> buffer the ciphertext followed by decrypting in-place.
>
> So I actually quite like that the tag is at the end of the message
> with AES-GCM-SIV because it makes it harder to do what I think is the
> "wrong" thing.
>
> > - GCM-SIV removes the possibility to preprocess static headers (AAD).
>
> Indeed.
>
> (I wasn't sure where to put these points in the spec so, for the
> moment, I've added an appendix for "Additional comparisons with
> AES-GCM". I'm collecting changes in GitHub before making a new
> version. For this message, see
> https://github.com/agl/gcmsiv/commit/c6c7fd388dd122251264222b7491c6212e818319.)
>
> > - “The result of the encryption is the resulting ciphertext (truncated
> > to the length of the plaintext) followed by the tag."
> >
> > I suggest that the tag is placed first instead of last in the
> > ciphertext. This makes decryption online, which makes a large
> > difference. Suggestion:
> >
> > “The result of the encryption is the tag followed by the ciphertext
> > (truncated to the length of the plaintext)"
>
> (See above.)
>
> >
> >
> > - "within 5% of the speed of AES-GCM."
> > Should state when this is the case, e.g. long plaintext/aad.
>
> Done.
> >
> > - I think the draft should give performance data also for short
> > plaintexts/aad or even better list the performance in number of
> > operations:
> >
> > GCM:
> > Block Cipher Operations = p + 1
> > GF(2^128) Multiplications = p + a + 1
> >
> > GCM-SIV-128
> > Block Cipher Operations = p + 5
> > GF(2^128) Multiplications = p + a + 1
> >
> > GCM-SIV-256
> > Block Cipher Operations = p + 7
> > GF(2^128) Multiplications = p + a + 1
> >
> > (if I got it right...)
>
> I think that's correct and I've added that to the new appendix.
>
> > Where p is the block length of the plaintext and a is the block length
> > of the additional authenticated data,
> >
> > I doubt that encryption of short messages are anywhere near 5% of GCM.
> >
> > - The "++" and "[:8]" operation should probably be defined.
>
> Done.
>
> >
> > - What is the security/performance tradeoff with truncation in the key
> > derivation? What would the security properties be if "[:8]" was
> > removed?
>
> I'll have to let Shay answer this, but the rough idea is that, since
> AES is a permutation, no two ciphertexts can be equal given that
> we're encrypting different plaintexts using the KDF phase. However,
> ideally we would want a PRF where outputs can be the same. By taking
> only the first eight bytes of each ciphertext block, we better
> approximate a PRF.
>
> > - The definition of U32LE seems unnecessary and only adds complexity.
> > I suggest:
> > OLD "U32LE(3) ++ nonce"
> > NEW "03 ++ 000000 ++ nonce
>
> Good point.
>
> >
> > - The term K1 is only used in Test Vectors. I guess it is an old term
> > that should be removed.
>
> Done.
>
> > Some editorials:
>
> Thank you for all these. They should be taken care of.
> > > - OLD "The record-authentication key is 128-bit and the > > record-authentication key" > > NEW "The record-authentication key is 128-bit and the > > record-encryption key" > > > > - "} else if bytelen(key-generating-key) =3D=3D 32 { > > record-encryption-key =3D AES128(key =3D key-generating-key," > > > > Should be AES256 > > Indeed, and record-authentication-key is wrong too! > > > - Spacing around "+" and "*" are not consistent. > > > > - "the the" > > > > - yeilds > > > > - remainding > > > > - RFC7322 says "A comma is used before the last item of a series" > > I think I've leave this one to the RFC Editor! > > > > Cheers > > AGL > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > --f403045dc5d2b0efc90546681f85 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hello everyone,


I will try to address, really briefly, two of the points raised here and deferred to me.

The definition of POLYVAL: there is an inherent discrepancy in the definition of AES-GCM. 128-bit blocks need to be viewed as polynomials, and also as 16 bytes for input/output for AES (AES is defined over bytes). The way that the polynomials are defined leads to bytes that have the reverse order of bits, compared to how AES views a byte. I will publish a detailed paper on this issue. For now, there is some explanation in my talk at RWC 2011 [1].
POLYVAL is defined in a way that is consistent with AES.

The other topic is why truncate the AES (throw away half of the bits) when generating per-nonce keys. The idea is to get indistinguishability bounds that do not have a term that is quadratic in the number of queries (like the ones we would get if we used all of the bits). Roughly speaking the truncation gets us a term that looks like q/2^(96) instead of q^2/2^{129}. The bounds and discussion can be seen at [2].

Anyway an organized paper with a statement on the security bounds, is going to come out in a paper that we are working on these very days. We will post it soon.

Thank you, Shay


[2] S. Gilboa, S. Gueron, “The Advantage of Truncated Permutations”,
https://arxiv.org/abs/1610.02518 (submitted on 8 Oct 2016).

2017-01-18 16:13 GMT-08:00 Adam Langley <agl@imperialviolet.org>:
On Wed, Jan 18, 2017 at 1:05 PM, John Mattsson
<john.mattsson@ericsson.com> wrote:
> - In addition to listing the performance penalty compared to GCM. The
>   draft should also mention that compared to GCM, some nice properties
>   disappear:
>   - Neither Encryption nor Decryption is online as encryption/decryption
>     cannot start before the whole plaintext/ciphertext is known.

I agree that this is true for encryption, but I don't believe that
AES-GCM should be *de*crypted in a streaming fashion, but rather that
records should be sized so that this isn't a problem. (At which point the benefit for streaming encryption becomes small or moot.)

I've a long spiel about the dangers of processing unauthenticated
ciphertext which I'll spare you :) But, even for small machines, the memory needed to safely buffer the decrypted plaintext to avoid
releasing it before it's authenticated is equal to the memory to
buffer the ciphertext followed by decrypting in-place.

So I actually quite like that the tag is at the end of the message
with AES-GCM-SIV because it makes it harder to do what I think is the
"wrong" thing.

>   - GCM-SIV removes the possibility to preprocess static headers (AAD).

Indeed.

(I wasn't sure where to put these points in the spec so, for the
moment, I've added an appendix for "Additional comparisons with
AES-GCM". I'm collecting changes in GitHub before making a new
version. For this message, see
https://github.com/agl/gcmsiv/commit/c6c7fd388dd122251264222b7491c6212e818319.)

> - “The result of the encryption is the resulting ciphertext (truncated
>    to the length of the plaintext) followed by the tag."
>
>   I suggest that the tag is placed first instead of last in the
>   ciphertext. This makes decryption online, which makes a large
>   difference. Suggestion:
>
>   “The result of the encryption is the tag followed by the ciphertext
>    (truncated to the length of the plaintext)"

(See above.)

>
>
> - "within 5% of the speed of AES-GCM."
>   Should state when this is the case, e.g. long plaintext/aad.

Done.

>
> - I think the draft should give performance data also for short
>   plaintexts/aad or even better list the performance in number of
>   operations:
>
>   GCM:
>     Block Cipher Operations = p + 1
>     GF(2^128) Multiplications = p + a + 1
>
>   GCM-SIV-128
>     Block Cipher Operations = p + 5
>     GF(2^128) Multiplications = p + a + 1
>
>   GCM-SIV-256
>     Block Cipher Operations = p + 7
>     GF(2^128) Multiplications = p + a + 1
>
>   (if I got it right...)

I think that's correct and I've added that to the new appendix.

>   Where p is the block length of the plaintext and a is the block length
>   of the additional authenticated data,
>
>   I doubt that encryption of short messages are anywhere near 5% of GCM.
>
> - The "++" and "[:8]" operation should probably be defined.

Done.

>
> - What it the security/performance tradeoff with truncation in the key
>   derivation? What would the security properties be if "[:8]" was
>   removed?

I'll have to let Shay answer this, but the rough idea is that, since
AES is a permutation, not two ciphertexts can be equal given that
we're encrypting different plaintexts using the KDF phase. However,
ideally we would want a PRF where outputs can be the same. By taking
only the first eight bytes of each ciphertext block, we better
approximate a PRF.

> - The definition of U32LE seems unnecessary and only adds complexity.
>   I suggest:
>     OLD "U32LE(3) ++ nonce"
>     NEW "03 ++ 000000 ++ nonce

Good point.

>
> - The term K1 is only used in Test Vectors. I guess it is an old term
>   that should be removed.

Done.

> Some editorials:

Thank you for all these. They should be taken care of.

> - OLD "The record-authentication key is 128-bit and the
>        record-authentication key"
>   NEW "The record-authentication key is 128-bit and the
>        record-encryption key"
>
> - "} else if bytelen(key-generating-key) == 32 {
>      record-encryption-key = AES128(key = key-generating-key,"
>
>   Should be AES256

Indeed, and record-authentication-key is wrong too!

> - Spacing around "+" and "*" are not consistent.
>
> - "the the"
>
> - yeilds
>
> - remainding
>
> - RFC7322 says "A comma is used before the last item of a series"

I think I've leave this one to the RFC Editor!



Cheers

AGL

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
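
An added illustration of the truncation argument in the message above (not code from the thread or from the draft): a toy 16-bit keyed permutation stands in for AES, and keeping the first 8 bits of its output mirrors "[:8]". The Feistel construction, the widths, the keys and the query counts are assumptions chosen so the effect is visible at small scale.

```python
import hashlib
import random
from fractions import Fraction

BLOCK_BITS = 16                    # toy block width (AES uses 128); assumption
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 4


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    """Keyed 8-bit round function for the toy Feistel network."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def toy_permutation(key: bytes, block: int) -> int:
    """Keyed permutation of 16-bit blocks: a stand-in for AES, not AES."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rnd in range(ROUNDS):
        # Each Feistel round is invertible, so the whole map is a bijection.
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << HALF_BITS) | right


def truncate(block: int) -> int:
    """Keep the first half of the output block, mirroring "[:8]"."""
    return block >> HALF_BITS


def repeated_outputs(outputs) -> int:
    """Number of outputs that duplicate an earlier output."""
    outputs = list(outputs)
    return len(outputs) - len(set(outputs))


def quadratic_term(q: int, block_bits: int) -> Fraction:
    """q^2 / 2^(n+1), the birthday term for n-bit outputs.

    For n = 128 this has the q^2/2^129 shape quoted in the message.
    """
    return Fraction(q * q, 2 ** (block_bits + 1))


def repeat_rate(sample_outputs, trials: int) -> float:
    """Fraction of trials whose outputs contain at least one repeat."""
    hits = sum(1 for t in range(trials)
               if repeated_outputs(sample_outputs(t)) > 0)
    return hits / trials


def experiment(queries: int = 64, trials: int = 500, seed: int = 2017):
    """Compare output repeats for three oracles queried on distinct inputs."""
    rng = random.Random(seed)      # fixed seed so the run is repeatable

    def perm_full(t):
        key = t.to_bytes(4, "big")  # constructed per-trial key
        return [toy_permutation(key, x) for x in range(queries)]

    def perm_truncated(t):
        return [truncate(y) for y in perm_full(t)]

    def random_function(t):
        # An ideal random function: every output is drawn independently.
        return [rng.randrange(1 << BLOCK_BITS) for _ in range(queries)]

    return {
        # A permutation can never repeat an output on distinct inputs,
        # which is exactly what separates it from a random function.
        "permutation_full": repeat_rate(perm_full, trials),
        # A random function repeats at roughly the quadratic rate.
        "random_function_full": repeat_rate(random_function, trials),
        # After truncation the permutation's outputs repeat too.
        "permutation_truncated": repeat_rate(perm_truncated, trials),
    }


if __name__ == "__main__":
    print("q^2/2^(n+1) for q=64, n=16:", float(quadratic_term(64, BLOCK_BITS)))
    for name, rate in experiment().items():
        print(f"{name:24s} repeat rate = {rate:.3f}")
```

The full-width permutation shows a repeat rate of exactly zero while the random function does not, which is the gap the quadratic term measures; once the outputs are truncated the permutation repeats as well, so that tell-tale disappears.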

--f403045dc5d2b0efc90546681f85--
From nobody Wed Jan 18 19:53:13 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A231294A7 for ; Wed, 18 Jan 2017 19:53:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7lYitFbdOlu for ; Wed, 18 Jan 2017 19:53:11 -0800 (PST) Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48159127071 for ; Wed, 18 Jan 2017 19:53:11 -0800 (PST) Received: by mail-it0-x230.google.com with SMTP id 203so132318151ith.0 for ; Wed, 18 Jan 2017 19:53:11 -0800 (PST) X-Received: by 10.36.40.195 with SMTP id h186mr14331709ith.117.1484797990491; Wed, 18 Jan 2017 19:53:10 -0800 (PST) MIME-Version: 1.0 Received: by 10.36.65.206 with HTTP; Wed, 18 Jan 2017 19:53:09 -0800 (PST) In-Reply-To: References: From: Brian Smith Date: Wed, 18 Jan 2017 17:53:09 -1000 Message-ID: To: Adam Langley Content-Type: text/plain; charset=UTF-8 Archived-At: Cc: "Cooley, Dorothy E" , "cfrg@irtf.org" Subject: Re: [Cfrg] AES GCM SIV analysis X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2017 03:53:13 -0000

Adam Langley wrote:
> Brian Smith wrote:
>> The actual text in the draft is "Thus with AES-GCM-SIV we recommend
>> that, for a specific key, a nonce not be repeated more than 2^8
>> times."
>>
>> Is this a meaningful recommendation? How would one go about following
>> this recommendation in a practical implementation? In particular,
>> AES-GCM-SIV is mostly interesting in implementations that cannot
>> reliably and/or consistently save state, and it seems like any attempt
>> to write code to enforce this relies on saving state [snip]
> [snip] With a random, 96-bit nonce you don't have to worry
> about the probability of having repeated a single value > 2^8 times
> until you have a staggering number of plaintexts: greater than 2^100
> of them. Since that vastly exceeds our current recommendation for
> number of plaintexts per key (2^50), it's basically not a concern.
>
> If that makes sense, what could we have written to be clearer?

Perhaps: "We recommend instead that an implementation try to avoid
repeating a nonce for a specific key, just like it would do for an
AEAD that isn't nonce-misuse-resistant." This shifts the emphasis
away from the 2^8 number to where it belongs, IMO. Note that "256" and
how it is derived and why it is safe is explained in the next paragraph
anyway.

> I agree that large AEAD messages have several problems. But I don't
> think that we have any need for a larger nonce (see above). (And the
> nonce is used with a counter only in the KDF phase, so it's unrelated
> to the maximum plaintext size.)

Is there any way that a larger nonce (e.g. 120 bits) hurts, other than
being inconsistent with existing IETF AEADs?

Cheers, Brian -- https://briansmith.org/ From nobody Thu Jan 19 00:22:41 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E59212940E for ; Thu, 19 Jan 2017 00:22:39 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.22 X-Spam-Level: X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UAxH2qR6WbCa for ; Thu, 19 Jan 2017 00:22:37 -0800 (PST) Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77A3D1293EE for ; Thu, 19 Jan 2017 00:22:36 -0800 (PST) X-AuditID: c1b4fb30-3136f98000003c8a-81-5880774a8d69 Received: from ESESSHC024.ericsson.se (Unknown_Domain [153.88.183.90]) by (Symantec Mail Security) with SMTP id D3.07.15498.A4770885; Thu, 19 Jan 2017 09:22:34 +0100 (CET) Received: from ESESSMB307.ericsson.se ([169.254.7.134]) by ESESSHC024.ericsson.se ([153.88.183.90]) with mapi id 14.03.0319.002; Thu, 19 Jan 2017 09:22:33 +0100 From: John Mattsson To: Shay Gueron , Adam Langley Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt Thread-Index: AQHScbC0p4x0I5wsw0aH69/GsFzxwqE+udeAgAAj0wCAAA5UgIAAivwA Date: Thu, 19 Jan 2017 08:22:33 +0000 Message-ID: References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.7.1.161129 x-originating-ip: [153.88.183.149] Content-Type: 
multipart/alternative; boundary="_000_D4A63083582EBjohnmattssonericssoncom_" MIME-Version: 1.0 Archived-At: Cc: "cfrg@ietf.org" Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2017 08:22:39 -0000 --_000_D4A63083582EBjohnmattssonericssoncom_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64
cDsgJm5ic3A7ICZuYnNwO0Jsb2NrIENpcGhlciBPcGVyYXRpb25zID0gcCAmIzQzOyA3PGJyPg0K Jmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7R0YoMl4xMjgpIE11bHRpcGxpY2F0aW9ucyA9IHAgJiM0 MzsgYSAmIzQzOyAxPGJyPg0KJmd0Ozxicj4NCiZndDsmbmJzcDsgJm5ic3A7KGlmIEkgZ290IGl0 IHJpZ2h0Li4uKTxicj4NCjxicj4NCjwvc3Bhbj5JIHRoaW5rIHRoYXQncyBjb3JyZWN0IGFuZCBJ J3ZlIGFkZGVkIHRoYXQgdG8gdGhlIG5ldyBhcHBlbmRpeC48YnI+DQo8c3BhbiBjbGFzcz0iIj48 YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwO1doZXJlIHAgaXMgdGhlIGJsb2NrIGxlbmd0aCBvZiB0aGUg cGxhaW50ZXh0IGFuZCBhIGlzIHRoZSBibG9jayBsZW5ndGg8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNw O29mIHRoZSBhZGRpdGlvbmFsIGF1dGhlbnRpY2F0ZWQgZGF0YSw8YnI+DQomZ3Q7PGJyPg0KJmd0 OyZuYnNwOyAmbmJzcDtJIGRvdWJ0IHRoYXQgZW5jcnlwdGlvbiBvZiBzaG9ydCBtZXNzYWdlcyBh cmUgYW55d2hlcmUgbmVhciA1JSBvZiBHQ00uPGJyPg0KJmd0Ozxicj4NCiZndDsgLSBUaGUgJnF1 b3Q7JiM0MzsmIzQzOyZxdW90OyBhbmQgJnF1b3Q7Wzo4XSZxdW90OyBvcGVyYXRpb24gc2hvdWxk IHByb2JhYmx5IGJlIGRlZmluZWQuPGJyPg0KPGJyPg0KPC9zcGFuPkRvbmUuPGJyPg0KPHNwYW4g Y2xhc3M9IiI+PGJyPg0KJmd0Ozxicj4NCiZndDsgLSBXaGF0IGl0IHRoZSBzZWN1cml0eS9wZXJm b3JtYW5jZSB0cmFkZW9mZiB3aXRoIHRydW5jYXRpb24gaW4gdGhlIGtleTxicj4NCiZndDsmbmJz cDsgJm5ic3A7ZGVyaXZhdGlvbj8gV2hhdCB3b3VsZCB0aGUgc2VjdXJpdHkgcHJvcGVydGllcyBi ZSBpZiAmcXVvdDtbOjhdJnF1b3Q7IHdhczxicj4NCiZndDsmbmJzcDsgJm5ic3A7cmVtb3ZlZD88 YnI+DQo8YnI+DQo8L3NwYW4+SSdsbCBoYXZlIHRvIGxldCBTaGF5IGFuc3dlciB0aGlzLCBidXQg dGhlIHJvdWdoIGlkZWEgaXMgdGhhdCwgc2luY2U8YnI+DQpBRVMgaXMgYSBwZXJtdXRhdGlvbiwg bm90IHR3byBjaXBoZXJ0ZXh0cyBjYW4gYmUgZXF1YWwgZ2l2ZW4gdGhhdDxicj4NCndlJ3JlIGVu Y3J5cHRpbmcgZGlmZmVyZW50IHBsYWludGV4dHMgdXNpbmcgdGhlIEtERiBwaGFzZS4gSG93ZXZl ciw8YnI+DQppZGVhbGx5IHdlIHdvdWxkIHdhbnQgYSBQUkYgd2hlcmUgb3V0cHV0cyBjYW4gYmUg dGhlIHNhbWUuIEJ5IHRha2luZzxicj4NCm9ubHkgdGhlIGZpcnN0IGVpZ2h0IGJ5dGVzIG9mIGVh Y2ggY2lwaGVydGV4dCBibG9jaywgd2UgYmV0dGVyPGJyPg0KYXBwcm94aW1hdGUgYSBQUkYuPGJy Pg0KPHNwYW4gY2xhc3M9IiI+PGJyPg0KJmd0OyAtIFRoZSBkZWZpbml0aW9uIG9mIFUzMkxFIHNl ZW1zIHVubmVjZXNzYXJ5IGFuZCBvbmx5IGFkZHMgY29tcGxleGl0eS48YnI+DQomZ3Q7Jm5ic3A7 
ICZuYnNwO0kgc3VnZ2VzdDo8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDtPTEQgJnF1b3Q7 VTMyTEUoMykgJiM0MzsmIzQzOyBub25jZSZxdW90Ozxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZu YnNwO05FVyAmcXVvdDswMyAmIzQzOyYjNDM7IDAwMDAwMCAmIzQzOyYjNDM7IG5vbmNlPGJyPg0K PGJyPg0KPC9zcGFuPkdvb2QgcG9pbnQuPGJyPg0KPHNwYW4gY2xhc3M9IiI+PGJyPg0KJmd0Ozxi cj4NCiZndDsgLSBUaGUgdGVybSBLMSBpcyBvbmx5IHVzZWQgaW4gVGVzdCBWZWN0b3JzLiBJIGd1 ZXNzIGl0IGlzIGFuIG9sZCB0ZXJtPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDt0aGF0IHNob3VsZCBi ZSByZW1vdmVkLjxicj4NCjxicj4NCjwvc3Bhbj5Eb25lLjxicj4NCjxicj4NCiZndDsgU29tZSBl ZGl0b3JpYWxzOjxicj4NCjxicj4NClRoYW5rIHlvdSBmb3IgYWxsIHRoZXNlLiBUaGV5IHNob3Vs ZCBiZSB0YWtlbiBjYXJlIG9mLjxicj4NCjxzcGFuIGNsYXNzPSIiPjxicj4NCiZndDsgLSBPTEQg JnF1b3Q7VGhlIHJlY29yZC1hdXRoZW50aWNhdGlvbiBrZXkgaXMgMTI4LWJpdCBhbmQgdGhlPGJy Pg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyByZWNvcmQtYXV0aGVudGljYXRpb24g a2V5JnF1b3Q7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDtORVcgJnF1b3Q7VGhlIHJlY29yZC1hdXRo ZW50aWNhdGlvbiBrZXkgaXMgMTI4LWJpdCBhbmQgdGhlPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyByZWNvcmQtZW5jcnlwdGlvbiBrZXkmcXVvdDs8YnI+DQomZ3Q7PGJyPg0K Jmd0OyAtICZxdW90O30gZWxzZSBpZiBieXRlbGVuKGtleS1nZW5lcmF0aW5nLWtleSkgPT0gMzIg ezxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyByZWNvcmQtZW5jcnlwdGlvbi1rZXkgPSBB RVMxMjgoa2V5ID0ga2V5LWdlbmVyYXRpbmcta2V5LCZxdW90Ozxicj4NCiZndDs8YnI+DQomZ3Q7 Jm5ic3A7ICZuYnNwO1Nob3VsZCBiZSBBRVMyNTY8YnI+DQo8YnI+DQo8L3NwYW4+SW5kZWVkLCBh bmQgcmVjb3JkLWF1dGhlbnRpY2F0aW9uLWtleSBpcyB3cm9uZyB0b28hPGJyPg0KPHNwYW4gY2xh c3M9IiI+PGJyPg0KJmd0OyAtIFNwYWNpbmcgYXJvdW5kICZxdW90OyYjNDM7JnF1b3Q7IGFuZCAm cXVvdDsqJnF1b3Q7IGFyZSBub3QgY29uc2lzdGVudC48YnI+DQomZ3Q7PGJyPg0KJmd0OyAtICZx dW90O3RoZSB0aGUmcXVvdDs8YnI+DQomZ3Q7PGJyPg0KJmd0OyAtIHllaWxkczxicj4NCiZndDs8 YnI+DQomZ3Q7IC0gcmVtYWluZGluZzxicj4NCiZndDs8YnI+DQomZ3Q7IC0gUkZDNzMyMiBzYXlz ICZxdW90O0EgY29tbWEgaXMgdXNlZCBiZWZvcmUgdGhlIGxhc3QgaXRlbSBvZiBhIHNlcmllcyZx dW90Ozxicj4NCjxicj4NCjwvc3Bhbj5JIHRoaW5rIEkndmUgbGVhdmUgdGhpcyBvbmUgdG8gdGhl 
From nobody Thu Jan 19 00:30:23 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAC7912947B for ; Thu, 19 Jan 2017 00:30:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.221 X-Spam-Level: X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i8iaFwYVQsBF for ; Thu, 19 Jan 2017 00:30:03 -0800 (PST) Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A48961293EE for ; Thu, 19 Jan 2017 00:30:02 -0800 (PST) X-AuditID: c1b4fb3a-1afff70000002f76-15-588079085831 Received: from ESESSHC013.ericsson.se (Unknown_Domain [153.88.183.57]) by (Symantec Mail Security) with SMTP id F0.68.12150.80970885; Thu, 19 Jan 2017 09:30:00 +0100 (CET) Received: from
ESESSMB307.ericsson.se ([169.254.7.134]) by ESESSHC013.ericsson.se ([153.88.183.57]) with mapi id 14.03.0319.002; Thu, 19 Jan 2017 09:29:59 +0100 From: John Mattsson To: Brian Smith , Adam Langley Thread-Topic: [Cfrg] AES GCM SIV analysis Thread-Index: AdJxpsd4XptcpHspSrmRb4tIGlxjEwABD2ML///7coCAADcaAIAADCmAgABplYCAAF4bAA== Date: Thu, 19 Jan 2017 08:29:59 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.7.1.161129 x-originating-ip: [153.88.183.149] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Cc: "Cooley, Dorothy E" , "cfrg@irtf.org" Subject: Re: [Cfrg] AES GCM SIV analysis X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2017 08:30:22 -0000
From nobody Thu Jan 19 01:47:07 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 528FB129435 for ; Thu, 19 Jan 2017 01:47:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0LX4d4CQjBwv for ; Thu, 19 Jan 2017 01:47:03 -0800 (PST) Received: from mail-1.ca.inter.net (mail-1.ca.inter.net [208.85.220.69]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C47AA120727 for ;
Thu, 19 Jan 2017 01:47:03 -0800 (PST) Received: from localhost (offload-3.ca.inter.net [208.85.220.70]) by mail-1.ca.inter.net (Postfix) with ESMTP id 8E6732EA0A1; Thu, 19 Jan 2017 04:47:02 -0500 (EST) Received: from mail-1.ca.inter.net ([208.85.220.69]) by localhost (offload-3.ca.inter.net [208.85.220.70]) (amavisd-new, port 10024) with ESMTP id 6Amc1BwfUIcX; Thu, 19 Jan 2017 04:47:02 -0500 (EST) Received: from [192.168.168.110] (toroon0246w-lp130-04-50-100-151-175.dsl.bell.ca [50.100.151.175]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: outer@interlog.com) by mail-1.ca.inter.net (Postfix) with ESMTPSA id 21F892EA085; Thu, 19 Jan 2017 04:47:02 -0500 (EST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\)) From: Richard Outerbridge In-Reply-To: Date: Thu, 19 Jan 2017 04:47:01 -0500 Content-Transfer-Encoding: quoted-printable Message-Id: <060196FB-762D-4DE3-8E95-DBF79D0987B5@interlog.com> References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> To: "cfrg@ietf.org" X-Mailer: Apple Mail (2.3259) Archived-At: Cc: Adam Langley Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2017 09:47:05 -0000 Just sitting here on the sidelines, but already my complexity meter has gone into the infra red.
__outer From nobody Thu Jan 19 02:19:53 2017 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A45D129435 for ; Thu, 19 Jan 2017 02:19:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.221 X-Spam-Level: X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o4Eu189kFbof for ; Thu, 19 Jan 2017 02:19:50 -0800 (PST) Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25F91129434 for ; Thu, 19 Jan 2017 02:19:49 -0800 (PST) X-AuditID: c1b4fb25-5dfff70000002ee9-a3-588092c2c28c Received: from ESESSHC015.ericsson.se (Unknown_Domain [153.88.183.63]) by (Symantec Mail Security) with SMTP id 59.A9.12009.2C290885; Thu, 19 Jan 2017 11:19:48 +0100 (CET) Received: from ESESSMB307.ericsson.se ([169.254.7.134]) by ESESSHC015.ericsson.se ([153.88.183.63]) with mapi id 14.03.0319.002; Thu, 19 Jan 2017 11:20:38 +0100 From: John Mattsson To: Adam Langley Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt Thread-Index: AQHScbC0p4x0I5wsw0aH69/GsFzxwqE+udeAgAAj0wCAALoPAA== Date: Thu, 19 Jan 2017 10:19:45 +0000 Message-ID: References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.7.1.161129 x-originating-ip: [153.88.183.148] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Trans