<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-mattsson-cfrg-aes-gcm-sst-19" category="info" consensus="true" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="GCM-SST">Galois Counter Mode with Strong Secure Tags (GCM-SST)</title>
    <seriesInfo name="Internet-Draft" value="draft-mattsson-cfrg-aes-gcm-sst-19"/>
    <author initials="M." surname="Campagna" fullname="Matthew Campagna">
      <organization>Amazon Web Services</organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <email>campagna@amazon.com</email>
      </address>
    </author>
    <author initials="A." surname="Maximov" fullname="Alexander Maximov">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>alexander.maximov@ericsson.com</email>
      </address>
    </author>
    <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>IRTF</area>
    <workgroup>Crypto Forum</workgroup>
    <keyword>next generation</keyword>
    <keyword>unicorn</keyword>
    <keyword>sparkling distributed ledger</keyword>
    <keyword>quantum magic</keyword>
    <abstract>
      <?line 561?>

<t>This document defines Galois Counter Mode with Strong Secure Tags (GCM-SST), an Authenticated Encryption with Associated Data (AEAD) algorithm that addresses several weaknesses of GCM. GCM-SST can be used with any keystream generator, not only 128-bit block ciphers. Main differences from GCM are the introduction of a second authentication subkey H<sub>2</sub>, per-nonce derivation of both H and H<sub>2</sub>, and stricter usage limits. Together, these changes yield authentication tags with near-ideal forgery probabilities, including reforgeability resistance. All registered instances have an expected number of forgeries E(F) ≈ v / 2<sup>t</sup>, a property that GCM is far from providing. GCM-SST is designed for security protocols with replay protection such as TLS, QUIC, SRTP, and PDCP, and provides hardware and software performance comparable to GCM. This document registers nine AEAD algorithm instances using AES and Rijndael-256 in counter mode, with tag lengths of 48, 96, and 112 bits. GCM-SST has been standardized by 3GPP for use with SNOW 5G, AES-256, and ZUC-256.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://emanjon.github.io/draft-mattsson-cfrg-aes-gcm-sst/draft-mattsson-cfrg-aes-gcm-sst.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Crypto Forum Research Group mailing list (<eref target="mailto:cfrg@irtf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg"/>.
        Subscribe at <eref target="https://mailman3.irtf.org/mailman3/lists/cfrg@irtf.org/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/emanjon/draft-mattsson-cfrg-aes-gcm-sst"/>.</t>
    </note>
  </front>
  <middle>
    <?line 565?>

<section anchor="introduction">
      <name>Introduction</name>
      <section anchor="background-and-motivation">
        <name>Background and Motivation</name>
        <t>AES in Galois Counter Mode (AES-GCM) <xref target="GCM"/> is a widely deployed Authenticated Encryption with Associated Data (AEAD) algorithm <xref target="RFC5116"/>, valued for its performance in hardware and software, and its provable security. During NIST standardization, Ferguson identified two weaknesses in GCM's authentication function <xref target="Ferguson"/>. The first significantly increases the forgery probability. The second allows recovery of the authentication subkey H upon a successful forgery, enabling arbitrary subsequent forgeries, a property known as reforgeability failure. Both weaknesses affect all tag lengths, but are especially damaging with short tags.</t>
        <t>Nyberg et al. <xref target="Nyberg"/> showed that small, theoretically grounded changes would mitigate these weaknesses, but NIST instead imposed ad hoc restrictions for short tags. Mattsson et al. <xref target="Mattsson"/> later showed that attackers can nearly always observe whether a forgery succeeded, contradicting NIST's assumptions. NIST is now planning to remove support for tags shorter than 96 bits <xref target="Revise"/>, but has not addressed the underlying authentication weaknesses. A third weakness is that GCM does not impose sufficiently strict limits on the number of invocations and the lengths of plaintext and associated data. Even with 96-bit tags, AES-GCM <xref target="GCM"/> offers only a forgery probability of 2<sup>-39</sup>, and with 128-bit tags in QUIC <xref target="RFC9001"/>, the expected number of forgeries, E(F), is worse than that of an ideal 65-bit MAC. Reforgeability resistance is a core design criterion in modern AEAD schemes <xref target="Reforge"/><xref target="AEZ"/>.</t>
        <t>Short tags are widely used: 32-bit tags are standard in most radio link layers including 5G <xref target="Sec5G"/>, 64-bit tags are very common in IoT transport and application layers, and 32-, 64-, and 80-bit tags appear frequently in media encryption. Audio packets are small, numerous, and ephemeral, making them highly sensitive to cryptographic overhead; since each packet typically encodes only 20 ms of audio, forgery of individual packets is and barely noticeable. Due to its weaknesses, GCM is typically not used with short tags, forcing a choice between the overhead of unnecessarily long tags <xref target="I-D.ietf-moq-transport"/> and much slower constructions such as AES-CTR with HMAC <xref target="RFC3711"/><xref target="RFC9605"/>. Short tags are also useful in packets whose payloads are secured at higher layers, in protocols where security is given by the sum of tag lengths, and in constrained radio networks where low bandwidth limits forgery attempts. For all these applications, it is essential that the MAC behaves ideally: the forgery probability should be ≈ 1 / 2<sup>t</sup>, where t is the tag length in bits, even after many encryptions, many forgery attempts, and a successful forgery. CCM <xref target="RFC5116"/> achieves near-ideal probabilities with short tags but at a performance penalty relative to GCM.</t>
      </section>
      <section anchor="galois-counter-mode-with-strong-secure-tags-gcm-sst">
        <name>Galois Counter Mode with Strong Secure Tags (GCM-SST)</name>
        <t>This document defines GCM with Strong Secure Tags (GCM-SST), an AEAD algorithm that addresses these weaknesses. GCM-SST can be used with any keystream generator, not only 128-bit block ciphers. The differences from GCM <xref target="GCM"/> are: the introduction of a second authentication subkey H<sub>2</sub>, per-nonce derivation of H and H<sub>2</sub>, stricter usage limits, fixed-length deterministic nonces, and the replacement of GHASH with POLYVAL <xref target="RFC8452"/>. Together, these changes yield truncated tags with near-ideal forgery probabilities, even against multiple forgery attacks, and provide nonce-misuse resilience. GCM-SST is designed for use in security protocols with replay protection such as TLS <xref target="RFC8446"/>, QUIC <xref target="RFC9000"/>, SRTP <xref target="RFC3711"/>, and PDCP <xref target="PDCP"/>. In unicast settings with replay protection, GCM-SST's authentication tag behaves as an ideal MAC with full reforgeability resistance. Compared to Poly1305 <xref target="RFC8439"/> and GCM <xref target="RFC5116"/>, GCM-SST achieves stronger integrity with less overhead. Its hardware and software performance is comparable to GCM; in software, the two additional AES invocations are offset by POLYVAL's advantage over GHASH on little-endian architectures. GCM-SST preserves GCM's additive encryption structure, enabling efficient implementations on modern processors <xref target="GCM-Update"/><xref target="Gueron"/>.</t>
        <t>This document also registers GCM-SST instances using AES <xref target="AES"/> and Rijndael with 256-bit keys and blocks (Rijndael-256) <xref target="Rijndael"/> in counter mode, with tag lengths of 48, 96, and 112 bits. These instances address the strong industry demand for fast authenticated encryption with minimal overhead and strong security. All registered instances achieve an expected number of forgeries E(F) ≈ v / 2<sup>t</sup>, where v is the number of forgery attempts, matching the behavior of an ideal MAC. This is a property expected of a modern AEAD but one that GCM does not provide. Rijndael-256 is already standardized by 3GPP for authentication and key generation <xref target="Milenage-256"/> and is planned for NIST standardization <xref target="AES-WIDE"/>. On modern x86 platforms with AES-NI and VAES instructions, Rijndael-256 performs efficiently <xref target="Drucker"/>. Compared to AEGIS <xref target="I-D.irtf-cfrg-aegis-aead"/>, AES-GCM-SST offers substantially higher throughput in dedicated hardware while retaining the advantage of being a mode of operation for AES.</t>
        <t>GCM-SST was originally developed by ETSI SAGE and subsequently standardized by 3GPP for use with SNOW 5G <xref target="NCA4"/>, AES-256 <xref target="NCA5"/>, and ZUC-256 <xref target="NCA6"/> in 3GPP TS 35.240–35.248. Security proofs for GCM-SST in single- and multi-key settings are provided by Inoue et al. <xref target="Inoue"/> and Naito et al. <xref target="Naito"/>.</t>
        <t><xref target="GCM-SST"/> specifies GCM-SST, <xref target="AES-GCM-SST"/> registers AEAD algorithms using AES and Rijndael-256, and <xref target="Security"/> discusses security considerations.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following notation is used in the document:</t>
      <ul spacing="normal">
        <li>
          <t>K is the key, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>N is the nonce, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>A is the associated data, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>P is the plaintext, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>Z is the keystream</t>
        </li>
        <li>
          <t>ct is the ciphertext</t>
        </li>
        <li>
          <t>tag is the authentication tag</t>
        </li>
        <li>
          <t>t is the authentication tag length, in bits</t>
        </li>
        <li>
          <t>b is the block size, in bits</t>
        </li>
        <li>
          <t>v is the number of forgery attempts</t>
        </li>
        <li>
          <t>= is the assignment operator</t>
        </li>
        <li>
          <t>≠ is the inequality operator</t>
        </li>
        <li>
          <t>x || y is concatenation of the byte strings x and y</t>
        </li>
        <li>
          <t>⊕ is the bitwise exclusive-OR (XOR) operator</t>
        </li>
        <li>
          <t>len(x) is the length of x in bits</t>
        </li>
        <li>
          <t>zeropad(x) right-pads the byte string x with zeros to a multiple of 128 bits</t>
        </li>
        <li>
          <t>truncate(x, y) retains the first y bits of x and discards the remainder</t>
        </li>
        <li>
          <t>n is the number of 128-bit chunks in zeropad(P)</t>
        </li>
        <li>
          <t>m is the number of 128-bit chunks in zeropad(A)</t>
        </li>
        <li>
          <t>POLYVAL is defined in <xref target="RFC8452"/></t>
        </li>
        <li>
          <t>BE32(x) is the big-endian encoding of 32-bit integer x</t>
        </li>
        <li>
          <t>LE64(x) is the little-endian encoding of 64-bit integer x</t>
        </li>
        <li>
          <t>V[x] is the 128-bit chunk at index x in array V; the first chunk has index 0</t>
        </li>
        <li>
          <t>V[x:y] is the range of 128-bit chunks at indices x through y in array V</t>
        </li>
      </ul>
    </section>
    <section anchor="GCM-SST">
      <name>Galois Counter Mode with Strong Secure Tags (GCM-SST)</name>
      <t>This section defines the GCM-SST AEAD algorithm following the recommendations of Nyberg et al. <xref target="Nyberg"/>. GCM-SST is defined with a general interface so that it can be used with any keystream generator, not only a 128-bit block cipher.</t>
      <t>GCM-SST adheres to the AEAD interface defined in <xref target="RFC5116"/>. The encryption function takes four variable-length byte string parameters: a secret key K, a nonce N, associated data A, and a plaintext P. The keystream generator is instantiated with K and N. The keystream <bcp14>MAY</bcp14> depend on P and A. The minimum and maximum lengths of all parameters depend on the keystream generator.</t>
      <t>The keystream generator produces a keystream Z consisting of 128-bit chunks. The first three chunks Z[0], Z[1], and Z[2] are used as authentication subkeys H and H<sub>2</sub>, and masking subkey M, respectively. The subsequent chunks Z[3], Z[4], ..., Z[n + 2] are used to encrypt the plaintext.</t>
      <t>In place of GHASH <xref target="GCM"/>, GCM-SST uses the POLYVAL function from AES-GCM-SIV <xref target="RFC8452"/>, which yields more efficient software implementations on little-endian architectures. GHASH and POLYVAL can be defined in terms of one another, as shown in <xref target="RFC8452"/>. The subkeys H and H<sub>2</sub> are field elements used as inputs to POLYVAL, while the subkey M is used for the final masking of the tag.</t>
      <t>Both the encryption and decryption functions are defined only on inputs comprising a whole number of bytes. Figures illustrating the GCM-SST encryption and decryption functions can be found in <xref target="Campagna"/>.</t>
      <t>For every computational procedure specified in this document, a conforming implementation <bcp14>MAY</bcp14> replace the given steps with any mathematically equivalent steps, provided the output is correct for every valid input.</t>
      <section anchor="authenticated-encryption-function">
        <name>Authenticated Encryption Function</name>
        <t>The encryption function Encrypt(K, N, A, P) encrypts a plaintext and returns the ciphertext together with an authentication tag that verifies the authenticity of both the plaintext and associated data, if provided.</t>
        <t>Prerequisites and security requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The key <bcp14>MUST</bcp14> be chosen uniformly at random.</t>
          </li>
          <li>
            <t>For a given key, each nonce <bcp14>MUST</bcp14> be unique; random nonces <bcp14>MUST NOT</bcp14> be used.</t>
          </li>
          <li>
            <t>Each key <bcp14>MUST</bcp14> be restricted to a single tag length t.</t>
          </li>
          <li>
            <t>Supported input and output lengths <bcp14>MUST</bcp14> be defined.</t>
          </li>
        </ul>
        <t>Inputs:</t>
        <ul spacing="normal">
          <li>
            <t>Key K (variable-length byte string)</t>
          </li>
          <li>
            <t>Nonce N (variable-length byte string)</t>
          </li>
          <li>
            <t>Associated data A (variable-length byte string)</t>
          </li>
          <li>
            <t>Plaintext P (variable-length byte string)</t>
          </li>
        </ul>
        <t>Outputs:</t>
        <ul spacing="normal">
          <li>
            <t>Ciphertext ct (variable-length byte string)</t>
          </li>
          <li>
            <t>tag (a byte string of length t / 8)</t>
          </li>
        </ul>
        <t>Steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the lengths of K, N, A, P are not supported, return an error and abort</t>
          </li>
          <li>
            <t>Instantiate the keystream generator with K and N</t>
          </li>
          <li>
            <t>Let H = Z[0], H<sub>2</sub> = Z[1], M = Z[2]</t>
          </li>
          <li>
            <t>Let ct = P ⊕ truncate(Z[3:n + 2], len(P))</t>
          </li>
          <li>
            <t>Let S = zeropad(A) || zeropad(ct)</t>
          </li>
          <li>
            <t>Let L = LE64(len(ct)) || LE64(len(A))</t>
          </li>
          <li>
            <t>Let X = POLYVAL(H, S[0], S[1], ...)</t>
          </li>
          <li>
            <t>Let full_tag = POLYVAL(H<sub>2</sub>, X ⊕ L) ⊕ M</t>
          </li>
          <li>
            <t>Let tag = truncate(full_tag, t)</t>
          </li>
          <li>
            <t>Return (ct, tag)</t>
          </li>
        </ol>
        <t>The encoding of L aligns with existing implementations of GCM.</t>
      </section>
      <section anchor="authenticated-decryption-function">
        <name>Authenticated Decryption Function</name>
        <t>The decryption function Decrypt(K, N, A, ct, tag) decrypts a ciphertext, verifies that the authentication tag is correct, and returns the plaintext on success or an error otherwise.</t>
        <t>Prerequisites and security requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The calculation of the plaintext P (step 10) <bcp14>MAY</bcp14> be done in parallel with tag verification (steps 3–9). If tag verification fails, the plaintext P <bcp14>MUST NOT</bcp14> be given as output.</t>
          </li>
          <li>
            <t>Each key <bcp14>MUST</bcp14> be restricted to a single tag length t.</t>
          </li>
          <li>
            <t>Supported input and output lengths <bcp14>MUST</bcp14> be defined.</t>
          </li>
        </ul>
        <t>Inputs:</t>
        <ul spacing="normal">
          <li>
            <t>Key K (variable-length byte string)</t>
          </li>
          <li>
            <t>Nonce N (variable-length byte string)</t>
          </li>
          <li>
            <t>Associated data A (variable-length byte string)</t>
          </li>
          <li>
            <t>Ciphertext ct (variable-length byte string)</t>
          </li>
          <li>
            <t>tag (a byte string of length t / 8)</t>
          </li>
        </ul>
        <t>Outputs:</t>
        <ul spacing="normal">
          <li>
            <t>Plaintext P (variable-length byte string), or an error indicating that the authentication tag is invalid for the given inputs.</t>
          </li>
        </ul>
        <t>Steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the lengths of K, N, A, or ct are not supported, or if len(tag) ≠ t, return an error and abort</t>
          </li>
          <li>
            <t>Instantiate the keystream generator with K and N</t>
          </li>
          <li>
            <t>Let H = Z[0], H<sub>2</sub> = Z[1], M = Z[2]</t>
          </li>
          <li>
            <t>Let S = zeropad(A) || zeropad(ct)</t>
          </li>
          <li>
            <t>Let L = LE64(len(ct)) || LE64(len(A))</t>
          </li>
          <li>
            <t>Let X = POLYVAL(H, S[0], S[1], ...)</t>
          </li>
          <li>
            <t>Let full_tag = POLYVAL(H<sub>2</sub>, X ⊕ L) ⊕ M</t>
          </li>
          <li>
            <t>Let expected_tag = truncate(full_tag, t)</t>
          </li>
          <li>
            <t>If tag ≠ expected_tag, return an error and abort</t>
          </li>
          <li>
            <t>Let P = ct ⊕ truncate(Z[3:n + 2], len(ct))</t>
          </li>
          <li>
            <t>If N fails replay protection, return an error and abort</t>
          </li>
          <li>
            <t>Return P</t>
          </li>
        </ol>
        <t>The comparison of tag and expected_tag in step 9 <bcp14>MUST</bcp14> be performed in constant time to prevent information leakage about the position of the first mismatched byte. For a given key, a plaintext <bcp14>MUST NOT</bcp14> be returned unless it is certain that no plaintext has previously been returned for the same nonce. Replay protection <bcp14>MAY</bcp14> be performed either before step 1 or during step 11. Protocols with nonce-hiding mechanisms <xref target="Bellare19"/>, such as QUIC <xref target="RFC9001"/>, implement replay protection after decryption to mitigate timing side-channel attacks. If tag validation or replay protection fails, intermediate values such as H, H<sub>2</sub>, M, Z, P, X, full_tag, and expected_tag <bcp14>MUST</bcp14> be destroyed (zeroized).</t>
      </section>
      <section anchor="encoding-ct-tag-tuples">
        <name>Encoding (ct, tag) Tuples</name>
        <t>Applications <bcp14>MAY</bcp14> store the ciphertext and the authentication tag in separate structures or encode both as a single byte string C. In the latter case, the tag <bcp14>MUST</bcp14> immediately follow the ciphertext ct:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>C = ct || tag   .</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="AES-GCM-SST">
      <name>AES and Rijndael-256 in GCM-SST</name>
      <t>This section defines instantiations of GCM-SST using AES and Rijndael-256.</t>
      <section anchor="aes-gcm-sst">
        <name>AES-GCM-SST</name>
        <t>When GCM-SST is instantiated with AES (AES-GCM-SST), the keystream generator is AES in counter mode</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>Z[i] = ENC(K, N || BE32(i))   ,</t>
          </li>
        </ul>
        <t>where ENC is the AES Cipher function <xref target="AES"/>. The use of big-endian counters aligns with existing AES counter mode implementations.</t>
      </section>
      <section anchor="rijndael-gcm-sst">
        <name>Rijndael-GCM-SST</name>
        <t>When GCM-SST is instantiated with Rijndael-256 (Rijndael-GCM-SST), the keystream generator is Rijndael-256 in counter mode</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>Z[2i]   = ENC(K, N || BE32(i))[0]   ,</t>
          </li>
          <li>
            <t>Z[2i+1] = ENC(K, N || BE32(i))[1]   ,</t>
          </li>
        </ul>
        <t>where ENC is the Rijndael-256 Cipher function <xref target="Rijndael"/>.</t>
      </section>
      <section anchor="instances">
        <name>AEAD Instances and Constraints</name>
        <t>Nine AEAD algorithm instances are defined below, following the format of <xref target="RFC5116"/>. These instances use AES-GCM-SST or Rijndael-GCM-SST with tag lengths of 48, 96, or 112 bits.</t>
        <table anchor="iana-algs">
          <name>AEAD Algorithm Instances for AES-GCM-SST and Rijndael-GCM-SST</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="right">K_LEN (bytes)</th>
              <th align="right">P_MAX = A_MAX (bytes)</th>
              <th align="right">Tag length t (bits)</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">AEAD_AES_128_GCM_SST_6</td>
              <td align="right">16</td>
              <td align="right">2<sup>36</sup> - 48</td>
              <td align="right">48</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_128_GCM_SST_12</td>
              <td align="right">16</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">96</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_128_GCM_SST_14</td>
              <td align="right">16</td>
              <td align="right">2<sup>16</sup></td>
              <td align="right">112</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_256_GCM_SST_6</td>
              <td align="right">32</td>
              <td align="right">2<sup>36</sup> - 48</td>
              <td align="right">48</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_256_GCM_SST_12</td>
              <td align="right">32</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">96</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_256_GCM_SST_14</td>
              <td align="right">32</td>
              <td align="right">2<sup>16</sup></td>
              <td align="right">112</td>
            </tr>
            <tr>
              <td align="left">AEAD_RIJNDAEL_GCM_SST_6</td>
              <td align="right">32</td>
              <td align="right">2<sup>37</sup> - 48</td>
              <td align="right">48</td>
            </tr>
            <tr>
              <td align="left">AEAD_RIJNDAEL_GCM_SST_12</td>
              <td align="right">32</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">96</td>
            </tr>
            <tr>
              <td align="left">AEAD_RIJNDAEL_GCM_SST_14</td>
              <td align="right">32</td>
              <td align="right">2<sup>16</sup></td>
              <td align="right">112</td>
            </tr>
          </tbody>
        </table>
        <t>The following parameters apply to all the instances:</t>
        <ul spacing="normal">
          <li>
            <t>N_MIN = N_MAX (minimum and maximum nonce length) is 12 bytes for AES-GCM-SST and 28 bytes for Rijndael-GCM-SST.</t>
          </li>
          <li>
            <t>C_MAX (maximum ciphertext length, including the tag) is P_MAX + t / 8 bytes.</t>
          </li>
          <li>
            <t>Q_MAX (maximum number of encryption function invocations) is 2<sup>32</sup> for AES-GCM-SST and 2<sup>64</sup> for Rijndael-GCM-SST.</t>
          </li>
          <li>
            <t>V_MAX (maximum number of decryption function invocations) is 2<sup>54</sup> for AES-GCM-SST and 2<sup>118</sup> for Rijndael-GCM-SST.</t>
          </li>
        </ul>
        <t>Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E(F) ≈ v / 2<sup>t</sup> ,</t>
          </li>
        </ul>
        <t>for all permitted invocation counts, plaintext lengths, associated data lengths, and tag lengths. This is how users expect MAC algorithms to behave, i.e., the behavior of an ideal MAC. The limits specified for AES-GCM-SST and Rijndael-GCM-SST are chosen to achieve this property in unicast settings with replay protection and are therefore more restrictive than the corresponding limits for GCM in <xref target="RFC5116"/>.</t>
        <t>To ensure that v / 2<sup>t</sup> is the dominant term in the integrity advantage <xref target="Inoue"/> for all permitted plaintext and associated data lengths, this document sets:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>P_MAX = A_MAX = min(2<sup>128 - t</sup>, 2<sup>32</sup> ⋅ b / 8 - 48)   ,</t>
          </li>
        </ul>
        <t>where b is the block size in bits. This ensures that the integrity advantage is ≈ δ ⋅ v / 2<sup>t</sup>.</t>
        <t>To ensure that the Bernstein bound factor satisfies δ ≈ 1, protocols using AES-GCM-SST <bcp14>MUST</bcp14> enforce stricter limits on Q_MAX and/or P_MAX such that:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>Q_MAX ⋅ P_MAX / 16 + V_MAX ⪅ 2<sup>59</sup>   .</t>
          </li>
        </ul>
        <t>The Bernstein bound factor <xref target="Bernstein"/> satisfies δ(a) ≈ 1 + a<sup>2</sup> / 2<sup>b+1</sup> <xref target="Iwata"/>. Following the analysis in <xref target="Naito"/>, this document conservatively upper-bounds a by Q_MAX ⋅ P_MAX / 16 + V_MAX. For AES, the 128-bit block size implies that achieving δ ≈ 1 requires balancing the constraints on Q_MAX and P_MAX. For Rijndael-256, the 256-bit block size already guarantees δ ≈ 1. Protocols employing Rijndael-GCM-SST <bcp14>MAY</bcp14> impose stricter limits on P_MAX, A_MAX, Q_MAX, and V_MAX.</t>
        <t>In addition to bounding δ, the Q_MAX and P_MAX constraints establish a minimum complexity for distinguishing attacks and an upper bound on the fraction of plaintext bits recoverable by an attacker. This aligns with the European <xref target="ACM"/> recommendation of limiting the number of block-cipher invocations to 2<sup>b/2-5</sup>. This ensures that an attacker cannot recover more than ≈ 0.0007 bits across all plaintexts <xref target="Entropy"/> and that δ ⪅ 1.0005.</t>
        <t>To align with zero-trust principles and minimize the impact of key compromise, protocols using GCM-SST <bcp14>SHOULD</bcp14> enforce rekeying well before reaching the cryptographic limits. Modern guidance recommends rekeying via ephemeral key exchange providing Forward Secrecy (FS) and Post-Compromise Security (PCS) after 1 hour or 2<sup>30</sup>–2<sup>37</sup> bytes <xref target="RFC4253"/><xref target="ANSSI"/>.</t>
      </section>
    </section>
    <section anchor="Security">
      <name>Security Considerations</name>
      <t>GCM-SST introduces a second authentication subkey H<sub>2</sub>, alongside the subkey H. The inclusion of H<sub>2</sub> enables truncated tags with forgery probabilities close to ideal. Both H and H<sub>2</sub> are derived for each nonce, which significantly decreases the probability of multiple successful forgeries. These changes are based on proven theoretical constructions and follow the recommendations in <xref target="Nyberg"/>. Inoue et al. <xref target="Inoue"/> prove that GCM-SST achieves its v / 2<sup>t</sup> design goal in the single-key setting, and that it provides nonce-misuse resilience <xref target="NMRL"/>. Because the subkeys in GCM-SST are derived independently per nonce, any confidentiality or integrity advantage an adversary gains against one nonce, whether through nonce misuse or a successful forgery attempt, does not carry over to a different, fresh nonce: GCM-SST recovers its full security as soon as such a nonce is no longer in use. Naito et al. <xref target="Naito"/> derive a tighter single-key bound and further prove that GCM-SST achieves its v / 2<sup>t</sup> design goal in the multi-key setting, including when combined with nonce randomization and nonce-based key derivation.</t>
      <t>GCM-SST is designed for use in security protocols with replay protection. Each key <bcp14>MUST</bcp14> be chosen uniformly at random. GCM-SST <bcp14>MUST</bcp14> be used in a nonce-respecting setting: for a given key, a nonce <bcp14>MUST</bcp14> be used at most once in the encryption function and at most once in a successful decryption function call. The nonce <bcp14>MAY</bcp14> be public or predictable. It can be a counter, the output of a permutation, or a generator with a long period. The reuse of nonces in successful encryption and decryption function calls enables universal forgery, as demonstrated by <xref target="Joux"/>, <xref target="Lindell"/>, and <xref target="Inoue"/>, and so GCM-SST <bcp14>MUST</bcp14> be used with replay protection. Additionally, GCM-SST <bcp14>MUST NOT</bcp14> be used with random nonces: besides reducing the efficiency of replay protection, they introduce a nonce-collision probability that degrades security bounds. Implementations <bcp14>SHOULD</bcp14> add randomness to the nonce by XORing a unique number such as a sequence number with a per-key random secret salt of the same length as the nonce. This significantly improves security against precomputation and multi-key attacks <xref target="Bellare17"/> and is implemented, for example, in TLS 1.3 <xref target="RFC8446"/>, OSCORE <xref target="RFC8613"/>, and <xref target="Ascon"/>. By increasing the nonce length from 96 bits to 224 bits, Rijndael-GCM-SST can offer significantly greater security against precomputation and multi-key attacks compared to AES-GCM-SST. GCM-SST does not aim for full nonce-misuse resistance <xref target="NMR"/>. Like GCM, it derives its keystream in a single pass, avoiding the two-pass, non-online structure that nonce-misuse-resistant algorithms require. NIST is addressing nonce-misuse resistance through the planned Accordions <xref target="Accordions"/>.</t>
      <t>Unless otherwise specified, formulas for the expected number of forgeries apply to unicast scenarios.</t>
      <section anchor="Int">
        <name>Integrity</name>
        <t>The GCM-SST tag length t <bcp14>SHOULD NOT</bcp14> be smaller than 32 bits and cannot be larger than 128 bits. Let ℓ = (P_MAX + A_MAX) / 16 + 1. When ℓ ≪ 2<sup>128 - t</sup>, the forgery probability is ≈ 1 / 2<sup>t</sup> <xref target="Nyberg"/><xref target="Inoue"/>. The tags in the AEAD algorithms listed in <xref target="instances"/> therefore achieve near-ideal forgery probabilities. This is a significant improvement over GCM <xref target="GCM"/>, where the forgery probability is bounded by ⪅ δ ⋅ ℓ / 2<sup>t</sup> <xref target="GCM"/><xref target="Iwata"/>. For a graph of the forgery probability assuming δ ≈ 1, see Fig. 3 in <xref target="Inoue"/>. For 128-bit tags and long messages, the forgery probability of GCM-SST is no longer ideal and becomes comparable to that of GCM. In GCM-SST, the full_tag is independent of t unless the application explicitly incorporates t into the keystream or the nonce.</t>
        <t>The expected number of forgeries depends on the keystream generator. For block ciphers in counter mode, it is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E(F) ≈ v / 2<sup>t</sup>   ,</t>
          </li>
        </ul>
        <t>where v is the number of forgery attempts. Following the constraints in <xref target="instances"/>, AES-GCM-SST and Rijndael-GCM-SST achieve this ideal. AES-GCM-SST significantly outperforms AES-GCM <xref target="GCM"/>, for which the expected number of forgeries (assuming deterministic 96-bit nonces) is bounded by:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E(F) ⪅ δ ⋅ v<sup>2</sup> ⋅ ℓ / 2<sup>t+1</sup>   .</t>
          </li>
        </ul>
        <t>For further details on the integrity advantages and expected number of forgeries for GCM and GCM-SST, see <xref target="Iwata"/>, <xref target="Niwa"/>, <xref target="Inoue"/>, <xref target="Naito"/>, and <xref target="Multiple"/>. BSI states that an ideal MAC with a 96-bit tag length is considered acceptable for most applications <xref target="BSI"/>, a requirement that GCM-SST with 96-bit tags satisfies when ℓ ⪅ 2<sup>32</sup> and δ ≈ 1. Achieving a comparable level of security with GCM, CCM, or Poly1305 is nearly impossible.</t>
      </section>
      <section anchor="Conf">
        <name>Confidentiality</name>
        <t>The confidentiality offered by GCM-SST against passive attackers depends on the keystream generator. For block ciphers in counter mode, it is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. For AES-GCM-SST, the confidentiality is equal to AES-GCM <xref target="GCM"/>. Regardless of key length, an attacker can mount a distinguishing attack with a complexity of approximately 2<sup>129</sup> / σ, where σ ⪅ P_MAX ⋅ Q_MAX / 16 is the total plaintext length measured in 128-bit chunks. In contrast, the confidentiality offered by Rijndael-GCM-SST against passive attackers is significantly higher. The complexity of distinguishing attacks for Rijndael-GCM-SST is approximately 2<sup>258</sup> / σ. McGrew <xref target="Impossible"/> and Leurent and Sibleyras <xref target="Difference"/> demonstrate that for block ciphers in counter mode, an attacker with partial knowledge of the plaintext can execute plaintext-recovery attacks against counter mode with roughly the same complexity (up to logarithmic factors) as distinguishing attacks. However, Preuß Mattsson <xref target="Entropy"/> demonstrated that an attacker cannot recover more than ≈ σ<sup>2</sup> / 2<sup>b</sup> bits of the plaintext. Given the constraints outlined in <xref target="instances"/>, an attacker cannot recover more than 0.0007 bits of AES-GCM-SST plaintexts.</t>
        <t>While Rijndael-256 in counter mode can provide high confidentiality for plaintexts much larger than 2<sup>37</sup> bytes, GHASH and POLYVAL do not offer adequate integrity for long plaintexts. To ensure robust integrity for long plaintexts, an AEAD mode would need to replace POLYVAL with a MAC that has better security properties, such as a Carter-Wegman MAC in a larger field <xref target="Maximov"/><xref target="Degabriele"/> or other alternatives such as <xref target="SMAC"/>.</t>
        <t>The confidentiality offered by GCM-SST against active attackers is directly linked to the forgery probability. Depending on the protocol and application, forgeries can significantly compromise privacy, in addition to affecting integrity and authenticity. It <bcp14>MUST</bcp14> be assumed that attackers always receive feedback on the success or failure of their forgery attempts. Therefore, attacks on integrity, authenticity, and confidentiality <bcp14>MUST</bcp14> all be carefully evaluated when selecting an appropriate tag length.</t>
      </section>
      <section anchor="weak-keys">
        <name>Weak Keys</name>
        <t>In general, there is a very small possibility in GCM-SST that either or both of the subkeys H and H<sub>2</sub> are zero, so-called weak keys. If H is zero, the authentication tag depends only on the length of P and A and not on their content. If H<sub>2</sub> is zero, the authentication tag does not depend on P and A. Due to the masking with M, there are no obvious ways to detect this condition for an attacker, and the specification admits this possibility rather than complicating implementations with additional checks and regeneration of values. In AES-GCM-SST, H and H<sub>2</sub> are generated with a permutation on different inputs, so H and H<sub>2</sub> cannot both be zero.</t>
      </section>
      <section anchor="replay-protection">
        <name>Replay Protection</name>
        <t>The details of the replay protection mechanism are determined by the security protocol utilizing GCM-SST. If the nonce includes a sequence number, it can be used for replay protection. Alternatively, a separate sequence number can be used, provided there is a one-to-one mapping between sequence numbers and nonces. The choice of a replay protection mechanism depends on factors such as the expected degree of packet reordering, as well as protocol and implementation details. For examples of replay protection mechanisms, see <xref target="RFC4303"/> and <xref target="RFC6479"/>. Implementing replay protection by requiring ciphertexts to arrive in order and terminating the connection if a single decryption fails is <bcp14>NOT RECOMMENDED</bcp14>, as this approach reduces robustness and availability and exposes the system to denial-of-service attacks <xref target="Robust"/>.</t>
      </section>
      <section anchor="Comp">
        <name>Comparison with ChaCha20-Poly1305 and AES-GCM</name>
        <t><xref target="comp1"/> compares the integrity of GCM-SST, ChaCha20-Poly1305 <xref target="RFC8439"/>, and AES-GCM <xref target="RFC5116"/> in unicast security protocols with replay protection. In both Poly1305 and GCM, the forgery probability depends on ℓ; in GCM, it additionally involves the Bernstein bound factor δ. GCM-SST requires δ ≈ 1, a property that GCM does not mandate. Furthermore, GCM provides no reforgeability resistance, which substantially increases the expected number of forgeries. See <xref target="Procter"/>, <xref target="Iwata"/>, and <xref target="Multiple"/> for further details.</t>
        <table anchor="comp1">
          <name>Comparison of integrity among GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast security protocols with replay protection. v is the number of forgery attempts, ℓ is the maximum length of plaintext and associated data, measured in 128-bit chunks. The GCM values assume δ ≈ 1; when this condition does not hold, the GCM values are worse than those shown.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="right">Tag length (bytes)</th>
              <th align="right">Forgery probability before first forgery</th>
              <th align="right">Forgery probability after first forgery</th>
              <th align="right">Expected number of forgeries</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">GCM_SST_14</td>
              <td align="right">14</td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">v / 2<sup>112</sup></td>
            </tr>
            <tr>
              <td align="left">GCM_SST_12</td>
              <td align="right">12</td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">v / 2<sup>96</sup></td>
            </tr>
            <tr>
              <td align="left">POLY1305</td>
              <td align="right">16</td>
              <td align="right">ℓ / 2<sup>103</sup></td>
              <td align="right">ℓ / 2<sup>103</sup></td>
              <td align="right">v ⋅ ℓ / 2<sup>103</sup></td>
            </tr>
            <tr>
              <td align="left">GCM</td>
              <td align="right">16</td>
              <td align="right">ℓ / 2<sup>128</sup></td>
              <td align="right">1</td>
              <td align="right">v<sup>2</sup> ⋅ ℓ / 2<sup>129</sup></td>
            </tr>
          </tbody>
        </table>
        <t><xref target="comp2"/> compares the integrity of GCM-SST, ChaCha20-Poly1305 <xref target="RFC8439"/>, and AES-GCM <xref target="RFC5116"/> in unicast QUIC <xref target="RFC9000"/><xref target="RFC9001"/>, a security protocol with mandatory replay protection, and where the combined size of plaintext and associated data is less than ≈ 2<sup>16</sup> bytes (ℓ ≈ 2<sup>12</sup>). GCM_SST_14 and GCM_SST_12 provide better integrity than ChaCha20-Poly1305 <xref target="RFC8439"/> and AES-GCM <xref target="RFC5116"/>, while also reducing overhead by 2–4 bytes. For GCM-SST and ChaCha20-Poly1305, the expected number of forgeries is linear in v when replay protection is employed. ChaCha20-Poly1305 achieves a security level equivalent to that of an ideal MAC with a length of 91 bits. For AES-GCM, replay protection does not mitigate reforgeries, the expected number of forgeries grows quadratically with v, and GCM provides significantly worse integrity than GCM-SST and ChaCha20-Poly1305 unless v is kept very small. With v = 2<sup>52</sup> as allowed for AES-GCM in QUIC <xref target="RFC9001"/>, the expected number of forgeries for AES-GCM exceeds that of an ideal 65-bit MAC.</t>
        <table anchor="comp2">
          <name>Comparison of integrity among GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast QUIC, where the maximum packet size is 65536 bytes. The GCM values assume δ ≈ 1; when this condition does not hold, the GCM values are worse than those shown.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="right">Tag length (bytes)</th>
              <th align="right">Forgery probability before first forgery</th>
              <th align="right">Forgery probability after first forgery</th>
              <th align="right">Expected number of forgeries</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">GCM_SST_14</td>
              <td align="right">14</td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">v / 2<sup>112</sup></td>
            </tr>
            <tr>
              <td align="left">GCM_SST_12</td>
              <td align="right">12</td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">v / 2<sup>96</sup></td>
            </tr>
            <tr>
              <td align="left">POLY1305</td>
              <td align="right">16</td>
              <td align="right">1 / 2<sup>91</sup></td>
              <td align="right">1 / 2<sup>91</sup></td>
              <td align="right">v / 2<sup>91</sup></td>
            </tr>
            <tr>
              <td align="left">GCM</td>
              <td align="right">16</td>
              <td align="right">1 / 2<sup>116</sup></td>
              <td align="right">1</td>
              <td align="right">v<sup>2</sup> / 2<sup>117</sup></td>
            </tr>
          </tbody>
        </table>
        <t><xref target="comp3"/> compares the confidentiality of Rijndael-GCM-SST, AES-256-GCM-SST, SNOW 5G-GCM-SST, and ChaCha20-Poly1305 <xref target="RFC8439"/>, all of which use 256-bit keys, against passive attackers. The confidentiality of block ciphers in counter mode is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. While plaintext-recovery attacks on block ciphers in counter mode have a complexity similar to distinguishing attacks, the attacker cannot recover more than ≈ σ<sup>2</sup> / 2<sup>b</sup> bits of the plaintexts <xref target="Entropy"/>.</t>
        <table anchor="comp3">
          <name>Comparison of confidentiality against passive attackers among Rijndael-GCM-SST, SNOW 5G-GCM-SST, ChaCha20-Poly1305, and AES-256-GCM-SST. σ is the total plaintext length measured in 128-bit chunks.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="center">Key size (bits)</th>
              <th align="center">Complexity of distinguishing attacks</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">CHACHA20_POLY1305</td>
              <td align="center">256</td>
              <td align="center">2<sup>256</sup></td>
            </tr>
            <tr>
              <td align="left">SNOW_5G_GCM_SST</td>
              <td align="center">256</td>
              <td align="center">2<sup>256</sup></td>
            </tr>
            <tr>
              <td align="left">RIJNDAEL_GCM_SST</td>
              <td align="center">256</td>
              <td align="center">≈ 2<sup>258</sup> / σ</td>
            </tr>
            <tr>
              <td align="left">AES_256_GCM_SST</td>
              <td align="center">256</td>
              <td align="center">≈ 2<sup>129</sup> / σ</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="onemany">
        <name>Multicast and Broadcast</name>
        <t>While GCM-SST offers stronger security properties than GCM for a given tag length in multicast or broadcast contexts, it does not behave exactly like an ideal MAC. With an ideal MAC, a successful forgery against one recipient allows the attacker to reuse the same forgery against all other recipients. In contrast, with GCM, a successful forgery against one recipient enables the attacker to generate an unlimited number of new forgeries for all recipients.</t>
        <t>With GCM-SST, a few successful forgeries against a few recipients allow the attacker to create one new forgery for all other recipients. While the total number of forgeries in GCM-SST matches that of an ideal MAC, the diversity of these forgeries is higher. To achieve one distinct forgery per recipient with an ideal MAC, the attacker would need to send on average 2<sup>t</sup> forgery attempts to each recipient. In one-to-many scenarios with replay protection and r recipients, the expected number of distinct forgeries is ≈ v ⋅ r / 2<sup>t</sup>.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to assign the algorithm names listed in the first column of <xref target="iana-algs"/> to the "AEAD Algorithms" registry under the registry group "Authenticated Encryption with Associated Data (AEAD) Parameters", with this document as the reference.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC8452">
          <front>
            <title>AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption</title>
            <author fullname="S. Gueron" initials="S." surname="Gueron"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="Y. Lindell" initials="Y." surname="Lindell"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This memo specifies two authenticated encryption algorithms that are nonce misuse resistant -- that is, they do not fail catastrophically if a nonce is repeated.</t>
              <t>This document is the product of the Crypto Forum Research Group.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8452"/>
          <seriesInfo name="DOI" value="10.17487/RFC8452"/>
        </reference>
        <reference anchor="AES" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf">
          <front>
            <title>Advanced Encryption Standard (AES)</title>
            <author>
              <organization/>
            </author>
            <date year="2023" month="May"/>
          </front>
          <seriesInfo name="NIST" value="Federal Information Processing Standards Publication 197"/>
        </reference>
        <reference anchor="Rijndael" target="https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf">
          <front>
            <title>AES Proposal: Rijndael</title>
            <author initials="" surname="Joan Daemen">
              <organization/>
            </author>
            <author initials="" surname="Vincent Rijmen">
              <organization/>
            </author>
            <date year="2003" month="September"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC3711">
          <front>
            <title>The Secure Real-time Transport Protocol (SRTP)</title>
            <author fullname="M. Baugher" initials="M." surname="Baugher"/>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="M. Naslund" initials="M." surname="Naslund"/>
            <author fullname="E. Carrara" initials="E." surname="Carrara"/>
            <author fullname="K. Norrman" initials="K." surname="Norrman"/>
            <date month="March" year="2004"/>
            <abstract>
              <t>This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3711"/>
          <seriesInfo name="DOI" value="10.17487/RFC3711"/>
        </reference>
        <reference anchor="RFC4253">
          <front>
            <title>The Secure Shell (SSH) Transport Layer Protocol</title>
            <author fullname="T. Ylonen" initials="T." surname="Ylonen"/>
            <author fullname="C. Lonvick" initials="C." role="editor" surname="Lonvick"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network.</t>
              <t>This document describes the SSH transport layer protocol, which typically runs on top of TCP/IP. The protocol can be used as a basis for a number of secure network services. It provides strong encryption, server authentication, and integrity protection. It may also provide compression.</t>
              <t>Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.</t>
              <t>This document also describes the Diffie-Hellman key exchange method and the minimal set of algorithms that are needed to implement the SSH transport layer protocol. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4253"/>
          <seriesInfo name="DOI" value="10.17487/RFC4253"/>
        </reference>
        <reference anchor="RFC4303">
          <front>
            <title>IP Encapsulating Security Payload (ESP)</title>
            <author fullname="S. Kent" initials="S." surname="Kent"/>
            <date month="December" year="2005"/>
            <abstract>
              <t>This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4303"/>
          <seriesInfo name="DOI" value="10.17487/RFC4303"/>
        </reference>
        <reference anchor="RFC6479">
          <front>
            <title>IPsec Anti-Replay Algorithm without Bit Shifting</title>
            <author fullname="X. Zhang" initials="X." surname="Zhang"/>
            <author fullname="T. Tsou" initials="T." surname="Tsou"/>
            <date month="January" year="2012"/>
            <abstract>
              <t>This document presents an alternate method to do the anti-replay checks and updates for IP Authentication Header (AH) and Encapsulating Security Protocol (ESP). The method defined in this document obviates the need for bit shifting and it reduces the number of times an anti-replay window is adjusted. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6479"/>
          <seriesInfo name="DOI" value="10.17487/RFC6479"/>
        </reference>
        <reference anchor="RFC8439">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC9605">
          <front>
            <title>Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media</title>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="J. Uberti" initials="J." surname="Uberti"/>
            <author fullname="S. G. Murillo" initials="S. G." surname="Murillo"/>
            <author fullname="R. Barnes" initials="R." role="editor" surname="Barnes"/>
            <author fullname="Y. Fablet" initials="Y." surname="Fablet"/>
            <date month="August" year="2024"/>
            <abstract>
              <t>This document describes the Secure Frame (SFrame) end-to-end encryption and authentication mechanism for media frames in a multiparty conference call, in which central media servers (Selective Forwarding Units or SFUs) can access the media metadata needed to make forwarding decisions without having access to the actual media.</t>
              <t>This mechanism differs from the Secure Real-Time Protocol (SRTP) in that it is independent of RTP (thus compatible with non-RTP media transport) and can be applied to whole media frames in order to be more bandwidth efficient.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9605"/>
          <seriesInfo name="DOI" value="10.17487/RFC9605"/>
        </reference>
        <reference anchor="I-D.ietf-moq-transport">
          <front>
            <title>Media over QUIC Transport</title>
            <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
              <organization>Cisco</organization>
            </author>
            <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
              <organization>Google</organization>
            </author>
            <author fullname="Ian Swett" initials="I." surname="Swett">
              <organization>Google</organization>
            </author>
            <author fullname="Alan Frindell" initials="A." surname="Frindell">
              <organization>Meta</organization>
            </author>
            <date day="12" month="May" year="2026"/>
            <abstract>
              <t>   This document defines Media over QUIC Transport (MOQT), a publish/
   subscribe protocol that runs over QUIC and WebTransport.  MOQT
   leverages the features of these transports, such as streams,
   datagrams, priorities, and partial reliability.  MOQT operates both
   point-to-point and through intermediate relays, enabling scalable
   low-latency delivery.  Despite its name, MOQT is media agnostic and
   can be used for a wide range of use cases.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-moq-transport-18"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aegis-aead">
          <front>
            <title>The AEGIS Family of Authenticated Encryption Algorithms</title>
            <author fullname="Frank Denis" initials="F." surname="Denis">
              <organization>Fastly Inc.</organization>
            </author>
            <author fullname="Samuel Lucas" initials="S." surname="Lucas">
              <organization>Individual Contributor</organization>
            </author>
            <date day="5" month="October" year="2025"/>
            <abstract>
              <t>   This document describes the AEGIS-128L, AEGIS-256, AEGIS-128X, and
   AEGIS-256X AES-based authenticated encryption algorithms designed for
   high-performance applications.

   The document is a product of the Crypto Forum Research Group (CFRG).
   It is not an IETF product and is not a standard.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-aegis-aead.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aegis-aead-18"/>
        </reference>
        <reference anchor="Accordions" target="https://csrc.nist.gov/pubs/sp/800/197/a/iprd">
          <front>
            <title>NIST Launches Development of Cryptographic Accordions</title>
            <author initials="" surname="NIST">
              <organization/>
            </author>
            <date year="2025" month="June"/>
          </front>
        </reference>
        <reference anchor="ACM" target="https://certification.enisa.europa.eu/document/download/a845662b-aee0-484e-9191-890c4cfa7aaa_en">
          <front>
            <title>Agreed Cryptographic Mechanisms</title>
            <author>
              <organization/>
            </author>
            <date year="2025" month="April"/>
          </front>
        </reference>
        <reference anchor="AES-WIDE" target="https://csrc.nist.gov/pubs/sp/800/197/iprd">
          <front>
            <title>NIST Proposes to Standardize a Wider Variant of AES</title>
            <author initials="" surname="NIST">
              <organization/>
            </author>
            <date year="2024" month="December"/>
          </front>
        </reference>
        <reference anchor="AEZ" target="https://eprint.iacr.org/2014/793.pdf">
          <front>
            <title>Robust Authenticated-Encryption: AEZ and the Problem that it Solves</title>
            <author initials="" surname="Viet Tung Hoang">
              <organization/>
            </author>
            <author initials="" surname="Ted Krovetz">
              <organization/>
            </author>
            <author initials="" surname="Phillip Rogaway">
              <organization/>
            </author>
            <date year="2017" month="March"/>
          </front>
        </reference>
        <reference anchor="ANSSI" target="https://messervices.cyber.gouv.fr/documents-guides/NT_IPsec_EN.pdf">
          <front>
            <title>Recommendations for securing networks with IPsec</title>
            <author>
              <organization/>
            </author>
            <date year="2015" month="August"/>
          </front>
        </reference>
        <reference anchor="Ascon" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.ipd.pdf">
          <front>
            <title>Ascon-Based Lightweight Cryptography Standards for Constrained Devices</title>
            <author initials="" surname="Meltem Sönmez Turan">
              <organization/>
            </author>
            <author initials="" surname="Kerry A McKay">
              <organization/>
            </author>
            <author initials="" surname="Donghoon Chang">
              <organization/>
            </author>
            <author initials="" surname="Jinkeon Kang">
              <organization/>
            </author>
            <author initials="" surname="John Kelsey">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-232 Initial Public Draft"/>
        </reference>
        <reference anchor="Bellare17" target="https://eprint.iacr.org/2016/564.pdf">
          <front>
            <title>The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3</title>
            <author initials="M." surname="Bellare">
              <organization/>
            </author>
            <author initials="B." surname="Tackmann">
              <organization/>
            </author>
            <date year="2017" month="November"/>
          </front>
        </reference>
        <reference anchor="Bellare19" target="https://eprint.iacr.org/2019/624.pdf">
          <front>
            <title>Nonces are Noticed: AEAD Revisited</title>
            <author initials="" surname="Mihir Bellare">
              <organization/>
            </author>
            <author initials="" surname="Ruth Ng">
              <organization/>
            </author>
            <author initials="" surname="Björn Tackmann">
              <organization/>
            </author>
            <date year="2019" month="November"/>
          </front>
        </reference>
        <reference anchor="Bernstein" target="https://cr.yp.to/antiforgery/permutations-20050323.pdf">
          <front>
            <title>Stronger Security Bounds for Permutations</title>
            <author initials="" surname="Daniel J Bernstein">
              <organization/>
            </author>
            <date year="2005" month="March"/>
          </front>
        </reference>
        <reference anchor="BSI" target="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html">
          <front>
            <title>Cryptographic Mechanisms Recommendations and Key Lengths</title>
            <author>
              <organization/>
            </author>
            <date year="2026" month="January"/>
          </front>
          <seriesInfo name="BSI" value="Technical Guideline TR-02102-1"/>
        </reference>
        <reference anchor="Campagna" target="https://csrc.nist.gov/csrc/media/Events/2023/third-workshop-on-block-cipher-modes-of-operation/documents/accepted-papers/Galois%20Counter%20Mode%20with%20Secure%20Short%20Tags.pdf">
          <front>
            <title>Galois Counter Mode with Strong Secure Tags (GCM-SST)</title>
            <author initials="M." surname="Campagna">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="J." surname="Preuß Mattsson">
              <organization/>
            </author>
            <date year="2023" month="October"/>
          </front>
        </reference>
        <reference anchor="Degabriele" target="https://doi.org/10.3929/ethz-b-000654260">
          <front>
            <title>SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields</title>
            <author initials="J." surname="Degabriele">
              <organization/>
            </author>
            <author initials="J." surname="Gilcher">
              <organization/>
            </author>
            <author initials="J." surname="Govinden">
              <organization/>
            </author>
            <author initials="K." surname="Paterson">
              <organization/>
            </author>
            <date year="2024" month="May"/>
          </front>
        </reference>
        <reference anchor="Difference" target="https://link.springer.com/chapter/10.1007/978-3-319-78375-8_24">
          <front>
            <title>The Missing Difference Problem, and Its Applications to Counter Mode Encryption</title>
            <author initials="" surname="Gaëtan Leurent">
              <organization/>
            </author>
            <author initials="" surname="Ferdinand Sibleyras">
              <organization/>
            </author>
            <date year="2018" month="March"/>
          </front>
        </reference>
        <reference anchor="Drucker" target="https://rd.springer.com/chapter/10.1007/978-3-030-97652-1_18">
          <front>
            <title>Software Optimization of Rijndael for Modern x86-64 Platforms</title>
            <author initials="" surname="Nir Drucker">
              <organization/>
            </author>
            <author initials="" surname="Shay Gueron">
              <organization/>
            </author>
            <date year="2022" month="May"/>
          </front>
        </reference>
        <reference anchor="EIA3" target="https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2019/05/EEA3_EIA3_specification_v1_8.pdf">
          <front>
            <title>128-EEA3 and 128-EIA3 Specification</title>
            <author initials="" surname="ETSI SAGE">
              <organization/>
            </author>
            <date year="2019" month="January"/>
          </front>
        </reference>
        <reference anchor="Entropy" target="https://eprint.iacr.org/2024/1111.pdf">
          <front>
            <title>Collision-Based Attacks on Block Cipher Modes - Exploiting Collisions and Their Absence</title>
            <author initials="J." surname="Preuß Mattsson">
              <organization/>
            </author>
            <date year="2025" month="February"/>
          </front>
        </reference>
        <reference anchor="Ferguson" target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/Ferguson2.pdf">
          <front>
            <title>Authentication weaknesses in GCM</title>
            <author initials="N." surname="Ferguson">
              <organization/>
            </author>
            <date year="2005" month="May"/>
          </front>
        </reference>
        <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D">
          <front>
            <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
            <author initials="M." surname="Dworkin">
              <organization/>
            </author>
            <date year="2007" month="November"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-38D"/>
        </reference>
        <reference anchor="GCM-Update" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/gcm-update.pdf">
          <front>
            <title>GCM Update</title>
            <author initials="D." surname="McGrew">
              <organization/>
            </author>
            <author initials="J." surname="Viega">
              <organization/>
            </author>
            <date year="2005" month="May"/>
          </front>
        </reference>
        <reference anchor="Gueron" target="https://csrc.nist.gov/csrc/media/Presentations/2023/constructions-based-on-the-aes-round/images-media/sess-5-gueron-bcm-workshop-2023.pdf">
          <front>
            <title>Constructions based on the AES Round and Polynomial Multiplication that are Efficient on Modern Processor Architectures</title>
            <author initials="S." surname="Gueron">
              <organization/>
            </author>
            <date year="2023" month="October"/>
          </front>
        </reference>
        <reference anchor="Impossible" target="https://eprint.iacr.org/2012/623.pdf">
          <front>
            <title>Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes</title>
            <author initials="" surname="David McGrew">
              <organization/>
            </author>
            <date year="2012" month="November"/>
          </front>
        </reference>
        <reference anchor="Inoue" target="https://eprint.iacr.org/2024/1928.pdf">
          <front>
            <title>Generic Security of GCM-SST</title>
            <author initials="" surname="Akiko Inoue">
              <organization/>
            </author>
            <author initials="" surname="Ashwin Jha">
              <organization/>
            </author>
            <author initials="" surname="Bart Mennink">
              <organization/>
            </author>
            <author initials="" surname="Kazuhiko Minematsu">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
        </reference>
        <reference anchor="Iwata" target="https://eprint.iacr.org/2012/438.pdf">
          <front>
            <title>Breaking and Repairing GCM Security Proofs</title>
            <author initials="" surname="Tetsu Iwata">
              <organization/>
            </author>
            <author initials="" surname="Keisuke Ohashi">
              <organization/>
            </author>
            <author initials="" surname="Kazuhiko Minematsu">
              <organization/>
            </author>
            <date year="2012" month="August"/>
          </front>
        </reference>
        <reference anchor="Joux" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf">
          <front>
            <title>Authentication Failures in NIST version of GCM</title>
            <author initials="A." surname="Joux">
              <organization/>
            </author>
            <date year="2006" month="April"/>
          </front>
        </reference>
        <reference anchor="Lindell" target="https://mailarchive.ietf.org/arch/browse/cfrg/?gbt=1&amp;index=cWpv0QgX2ltkWhtd3R9pEW7E1CA">
          <front>
            <title>Comment on AES-GCM-SST</title>
            <author initials="Y." surname="Lindell">
              <organization/>
            </author>
            <date year="2024" month="May"/>
          </front>
        </reference>
        <reference anchor="Mattsson" target="https://eprint.iacr.org/2015/477.pdf">
          <front>
            <title>Authentication Key Recovery on Galois/Counter Mode (GCM)</title>
            <author initials="J." surname="Mattsson">
              <organization/>
            </author>
            <author initials="M." surname="Westerlund">
              <organization/>
            </author>
            <date year="2015" month="May"/>
          </front>
        </reference>
        <reference anchor="Maximov" target="https://eprint.iacr.org/2017/889.pdf">
          <front>
            <title>On Fast Multiplication in Binary Finite Fields and Optimal Primitive Polynomials over GF(2)</title>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="H." surname="Sjöberg">
              <organization/>
            </author>
            <date year="2017" month="September"/>
          </front>
        </reference>
        <reference anchor="Milenage-256" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4244">
          <front>
            <title>Specification of the MILENAGE-256 algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="Multiple" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/multi-forge-01.pdf">
          <front>
            <title>Multiple Forgery Attacks Against Message Authentication Codes</title>
            <author initials="" surname="David McGrew">
              <organization/>
            </author>
            <author initials="" surname="Scott Fluhrer">
              <organization/>
            </author>
            <date year="2005" month="May"/>
          </front>
        </reference>
        <reference anchor="Naito" target="https://doi.org/10.1007/978-3-032-08124-7_3">
          <front>
            <title>The Multi-user Security of GCM-SST and Further Enhancements</title>
            <author initials="" surname="Yusuke Naito">
              <organization/>
            </author>
            <author initials="" surname="Yu Sasaki">
              <organization/>
            </author>
            <author initials="" surname="Takeshi Sugawara">
              <organization/>
            </author>
            <date year="2025" month="October"/>
          </front>
        </reference>
        <reference anchor="Niwa" target="https://eprint.iacr.org/2015/214.pdf">
          <front>
            <title>GCM Security Bounds Reconsidered</title>
            <author initials="" surname="Yuichi Niwa">
              <organization/>
            </author>
            <author initials="" surname="Keisuke Ohashi">
              <organization/>
            </author>
            <author initials="" surname="Kazuhiko Minematsu">
              <organization/>
            </author>
            <author initials="" surname="Tetsu Iwata">
              <organization/>
            </author>
            <date year="2015" month="March"/>
          </front>
        </reference>
        <reference anchor="NCA4" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4220">
          <front>
            <title>Specification of the Snow 5G based 256-bits algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="NCA5" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4221">
          <front>
            <title>Specification of the AES based 256-bits algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="NCA6" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4224">
          <front>
            <title>Specification of the ZUC based 256-bits algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="NMR" target="https://eprint.iacr.org/2006/221.pdf">
          <front>
            <title>Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem</title>
            <author initials="P." surname="Rogaway">
              <organization/>
            </author>
            <author initials="T." surname="Shrimpton">
              <organization/>
            </author>
            <date year="2007" month="August"/>
          </front>
        </reference>
        <reference anchor="NMRL" target="https://doi.org/10.1007/978-3-319-63697-9_1">
          <front>
            <title>Boosting Authenticated Encryption Robustness with Minimal Modifications</title>
            <author initials="T." surname="Ashur">
              <organization/>
            </author>
            <author initials="O." surname="Dunkelman">
              <organization/>
            </author>
            <author initials="A." surname="Luykx">
              <organization/>
            </author>
            <date year="2007" month="August"/>
          </front>
        </reference>
        <reference anchor="Nyberg" target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/general-comments/papers/Nyberg_Gilbert_and_Robshaw.pdf">
          <front>
            <title>Galois MAC with forgery probability close to ideal</title>
            <author initials="K." surname="Nyberg">
              <organization/>
            </author>
            <author initials="H." surname="Gilbert">
              <organization/>
            </author>
            <author initials="M." surname="Robshaw">
              <organization/>
            </author>
            <date year="2005" month="June"/>
          </front>
        </reference>
        <reference anchor="PDCP" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3196">
          <front>
            <title>NR; Packet Data Convergence Protocol (PDCP) specification</title>
            <author initials="" surname="3GPP TS 38 323">
              <organization/>
            </author>
            <date year="2026" month="January"/>
          </front>
        </reference>
        <reference anchor="Procter" target="https://eprint.iacr.org/2014/613.pdf">
          <front>
            <title>A Security Analysis of the Composition of ChaCha20 and Poly1305</title>
            <author initials="" surname="Gordon Procter">
              <organization/>
            </author>
            <date year="2014" month="August"/>
          </front>
        </reference>
        <reference anchor="Reforge" target="https://eprint.iacr.org/2017/332.pdf">
          <front>
            <title>Reforgeability of Authenticated Encryption Schemes</title>
            <author initials="" surname="Christian Forler">
              <organization/>
            </author>
            <author initials="" surname="Eik List">
              <organization/>
            </author>
            <author initials="" surname="Stefan Lucks">
              <organization/>
            </author>
            <author initials="" surname="Jakob Wenzel">
              <organization/>
            </author>
            <date year="2017" month="April"/>
          </front>
        </reference>
        <reference anchor="Revise" target="https://csrc.nist.gov/news/2023/proposal-to-revise-sp-800-38d">
          <front>
            <title>Announcement of Proposal to Revise SP 800-38D</title>
            <author initials="" surname="NIST">
              <organization/>
            </author>
            <date year="2023" month="August"/>
          </front>
        </reference>
        <reference anchor="Robust" target="https://link.springer.com/article/10.1007/s00145-023-09489-9">
          <front>
            <title>Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3</title>
            <author initials="M." surname="Fischlin">
              <organization/>
            </author>
            <author initials="F." surname="Günther">
              <organization/>
            </author>
            <author initials="C." surname="Janson">
              <organization/>
            </author>
            <date year="2024" month="January"/>
          </front>
        </reference>
        <reference anchor="Sec5G" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169">
          <front>
            <title>Security architecture and procedures for 5G System</title>
            <author initials="" surname="3GPP TS 33 501">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="SMAC" target="https://eprint.iacr.org/2024/819">
          <front>
            <title>A new stand-alone MAC construct called SMAC</title>
            <author initials="D." surname="Wang">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="P." surname="Ekdahl">
              <organization/>
            </author>
            <author initials="T." surname="Johansson">
              <organization/>
            </author>
            <date year="2024" month="June"/>
          </front>
        </reference>
        <reference anchor="SNOW-Vi" target="https://eprint.iacr.org/2021/236">
          <front>
            <title>SNOW-Vi: an extreme performance variant of SNOW-V for lower grade CPUs</title>
            <author initials="P." surname="Ekdahl">
              <organization/>
            </author>
            <author initials="T." surname="Johansson">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="J." surname="Yang">
              <organization/>
            </author>
            <date year="2021" month="March"/>
          </front>
        </reference>
        <reference anchor="SNOW-Axn" target="https://cic.iacr.org/p/3/1/31/pdf">
          <front>
            <title>Pushing to the limits: SNOW-Axn – a fast AEAD stream cipher in aggregated mode</title>
            <author initials="D." surname="Wang">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="P." surname="Ekdahl">
              <organization/>
            </author>
            <author initials="T." surname="Johansson">
              <organization/>
            </author>
            <date year="2026" month="May"/>
          </front>
        </reference>
        <reference anchor="UIA2" target="https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2019/05/uea2uia2d1v21.pdf">
          <front>
            <title>UEA2 and UIA2 Specification</title>
            <author initials="" surname="ETSI SAGE">
              <organization/>
            </author>
            <date year="2009" month="March"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 901?>

<section anchor="aes-gcm-sst-test-vectors">
      <name>AES-GCM-SST Test Vectors</name>
      <section anchor="aes-gcm-sst-test-1-128-bit-key">
        <name>AES-GCM-SST Test #1 (128-bit key)</name>
        <artwork><![CDATA[
         K = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f }
         N = { 30 31 32 33 34 35 36 37 38 39 3a 3b }
         H = { 22 ce 92 da cb 50 77 4b ab 0d 18 29 3d 6e ae 7f }
       H_2 = { 03 13 63 96 74 be fa 86 4d fa fb 80 36 b7 a0 3c }
         M = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d d0 ef c2 b9 }
]]></artwork>
        <section numbered="false" anchor="case-1a">
          <name>Case #1a</name>
          <artwork><![CDATA[
         A = { }
         P = { }
         L = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d d0 ef c2 b9 }
       tag = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1b">
          <name>Case #1b</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 }
         P = { }
         L = { 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 }
  full_tag = { 7f f3 cb a4 d5 f3 08 a5 70 4e 2f d5 f2 3a e8 f9 }
       tag = { 7f f3 cb a4 d5 f3 08 a5 70 4e 2f d5 }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1c">
          <name>Case #1c</name>
          <artwork><![CDATA[
         A = { }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b }
         L = { 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { f8 de 17 85 fd 1a 90 d9 81 8f cb 7b 44 69 8a 8b }
       tag = { f8 de 17 85 fd 1a 90 d9 81 8f cb 7b }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1d">
          <name>Case #1d</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e }
         L = { f8 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 }
  full_tag = { 93 43 56 14 0b 84 48 2c d0 14 c7 40 7e e9 cc b6 }
       tag = { 93 43 56 14 0b 84 48 2c d0 14 c7 40 }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd 53 49 5c e1
               7d c0 cb c7 85 a7 a9 20 db 42 28 ff 63 32 10 }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1e">
          <name>Case #1e</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 }
         L = { 88 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 }
  full_tag = { f8 50 b7 97 11 43 ab e9 31 5a d7 eb 3b 0a 16 81 }
       tag = { f8 50 b7 97 11 43 ab e9 31 5a d7 eb }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd 53 49 5c e1
               7d }
]]></artwork>
        </section>
      </section>
      <section anchor="aes-gcm-sst-test-2-128-bit-key">
        <name>AES-GCM-SST Test #2 (128-bit key)</name>
        <artwork><![CDATA[
         K = { 29 23 be 84 e1 6c d6 ae 52 90 49 f1 f1 bb e9 eb }
         N = { 9a 50 ee 40 78 36 fd 12 49 32 f6 9e }
         A = { 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 45 3b
               13 0d }
         P = { ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22
               f6 22 91 9d }
         H = { 2d 6d 7f 1c 52 a7 a0 6b f2 bc bd 23 75 47 03 88 }
       H_2 = { 3b fd 00 96 25 84 2a 86 65 71 a4 66 e5 62 05 92 }
         M = { 9e 6c 98 3e e0 6c 1a ab c8 99 b7 8d 57 32 0a f5 }
         L = { a0 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 }
  full_tag = { 45 03 bf b0 96 82 39 b3 67 e9 70 c3 83 c5 10 6f }
       tag = { 45 03 bf b0 96 82 }
        ct = { b8 65 d5 16 07 83 11 73 21 f5 6c b0 75 45 16 b3
               da 9d b8 09 }
]]></artwork>
      </section>
      <section anchor="aes-gcm-sst-test-3-256-bit-key">
        <name>AES-GCM-SST Test #3 (256-bit key)</name>
        <artwork><![CDATA[
         K = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f }
         N = { 30 31 32 33 34 35 36 37 38 39 3a 3b }
         H = { 3b d9 9f 8d 38 f0 2e a1 80 96 a4 b0 b1 d9 3b 1b }
       H_2 = { af 7f 54 00 16 aa b8 bc 91 56 d9 d1 83 59 cc e5 }
         M = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec 12 99 3e 68 }
]]></artwork>
        <section numbered="false" anchor="case-3a">
          <name>Case #3a</name>
          <artwork><![CDATA[
         A = { }
         P = { }
         L = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec 12 99 3e 68 }
       tag = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3b">
          <name>Case #3b</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 }
         P = { }
         L = { 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 }
  full_tag = { 63 ac ca 4d 20 9f b3 90 28 ff c3 17 04 01 67 61 }
       tag = { 63 ac ca 4d 20 9f b3 90 28 ff c3 17 }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3c">
          <name>Case #3c</name>
          <artwork><![CDATA[
         A = { }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b }
         L = { 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { e1 de bf fd 5f 3a 85 e3 48 bd 6f cc 6e 62 10 90 }
       tag = { e1 de bf fd 5f 3a 85 e3 48 bd 6f cc }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3d">
          <name>Case #3d</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e }
         L = { f8 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 }
  full_tag = { c3 5e d7 83 9f 21 f7 bb a5 a8 a2 8e 1f 49 ed 04 }
       tag = { c3 5e d7 83 9f 21 f7 bb a5 a8 a2 8e }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 84 de 10 51
               33 11 7e 17 58 b5 ed d0 d6 5d 68 32 06 bb ad }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3e">
          <name>Case #3e</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 }
         L = { 88 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 }
  full_tag = { 49 7c 14 77 67 a5 3d 57 64 ce fd 03 26 fe e7 b5 }
       tag = { 49 7c 14 77 67 a5 3d 57 64 ce fd 03 }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 84 de 10 51
               33 }
]]></artwork>
        </section>
      </section>
      <section anchor="aes-gcm-sst-test-4-256-bit-key">
        <name>AES-GCM-SST Test #4 (256-bit key)</name>
        <artwork><![CDATA[
         K = { 29 23 be 84 e1 6c d6 ae 52 90 49 f1 f1 bb e9 eb
               b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 b3 12 }
         N = { 9a 50 ee 40 78 36 fd 12 49 32 f6 9e }
         A = { 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 45 3b
               13 0d }
         P = { ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22
               f6 22 91 9d }
         H = { 13 53 4b f7 8a 91 38 fd f5 41 65 7f c2 39 55 23 }
       H_2 = { 32 69 75 a3 3a ff ae ac af a8 fb d1 bd 62 66 95 }
         M = { 59 48 44 80 b6 cd 59 06 69 27 5e 7d 81 4a d1 74 }
         L = { a0 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 }
  full_tag = { c4 a1 ca 9a 38 c6 73 af bf 9c 73 49 bf 3c d5 4d }
       tag = { c4 a1 ca 9a 38 c6 73 af bf 9c 73 49 bf 3c }
        ct = { b5 c2 a4 07 f3 3e 99 88 de c1 2f 10 64 7b 3d 4f
               eb 8f f7 cc }
]]></artwork>
      </section>
    </section>
    <section anchor="compatibility-with-3gpp-algorithms">
      <name>Compatibility with 3GPP Algorithms</name>
      <t>The integrity part of GCM-SST was originally developed by ETSI SAGE, under the name Mac5G, following a request from 3GPP. Mac5G follows the same structural approach as the integrity algorithms used for SNOW 3G <xref target="UIA2"/> and ZUC <xref target="EIA3"/>.</t>
      <t>3GPP has standardized GCM-SST for use with SNOW 5G <xref target="NCA4"/>, AES-256 <xref target="NCA5"/>, and ZUC-256 <xref target="NCA6"/> in 3GPP TS 35.240–35.248. These AEAD algorithms are designated as NCA4, NCA5, and NCA6, respectively. GCM-SST, as specified in this document, is fully compatible with the SNOW 5G-based NCA4 and the ZUC-256-based NCA6. The AES-based NCA5 differs only in its subkey generation but is otherwise identical. The NCA algorithms support bit-aligned associated data and plaintext inputs, whereas this specification is restricted to byte-aligned inputs. They also provide more detailed specifications for nonce construction based on 3GPP protocol requirements. SNOW 5G is functionally equivalent to SNOW-Vi <xref target="SNOW-Vi"/>, except that the finite-state machine (FSM) adders have been changed from 32-bit to 16-bit operations to increase the complexity of correlation attacks while also improving implementation efficiency <xref target="SNOW-Axn"/>.</t>
      <t>The version of GCM-SST specified in this document imposes stricter security considerations and constraints than the ETSI SAGE specifications for the NCA algorithms. This document recommends that 3GPP adopt the additional security measures described herein.</t>
    </section>
    <section removeInRFC="true" numbered="false" anchor="change-log">
      <name>Change Log</name>
      <t>Changes from -18 to -19:</t>
      <ul spacing="normal">
        <li>
          <t>3GPP standardization status updated from prospective to completed, now citing final TS 35.240–35.248 specifications instead of WIDs and Liaison Statements.</t>
        </li>
        <li>
          <t>Added a more complete description of 3GPP NCA4, NCA5, NCA6.</t>
        </li>
        <li>
          <t>New citation to Naito et al. for a tighter single-key bound and a proof of the multi-key bound, and a more complete description of Inoue et al.'s single-key security results.</t>
        </li>
        <li>
          <t>Significantly revised usage limits (P_MAX, A_MAX, Q_MAX, V_MAX) with clearer motivation for P_MAX and the δ ≈ 1 condition.</t>
        </li>
        <li>
          <t>Restructured decryption steps so that replay-protection failure is an explicit abort step, and added a requirement to zeroize intermediate values on tag or replay failure.</t>
        </li>
        <li>
          <t>Added zero-trust key compromise rekeying considerations.</t>
        </li>
        <li>
          <t>Added nonce-misuse resilience discussion.</t>
        </li>
        <li>
          <t>Added a more complete description of technical changes compared to NIST SP 800-38D (stricter usage limits, fixed-length deterministic nonces).</t>
        </li>
        <li>
          <t>Corrected the GCM formulas: E(F) ⪅ δ ⋅ v<sup>2</sup> ⋅ l / 2<sup>t+1</sup> is a bound; other formulas assume δ ≈ 1 as well as deterministic 96-bit nonces.</t>
        </li>
        <li>
          <t>Substantial editorial changes including terminology cleanup (tag_length -&gt; t, octet string -&gt; byte string).</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank <contact fullname="Richard Barnes"/>, <contact fullname="Thomas Bellebaum"/>, <contact fullname="Patrik Ekdahl"/>, <contact fullname="Scott Fluhrer"/>, <contact fullname="Russ Housley"/>, <contact fullname="Eric Lagergren"/>, <contact fullname="Yehuda Lindell"/>, <contact fullname="Kazuhiko Minematsu"/>, <contact fullname="Santeri Paavolainen"/>, <contact fullname="Sini Ruohomaa"/>, <contact fullname="Erik Thormarker"/>, and <contact fullname="Magnus Westerlund"/> for their valuable comments and feedback. Some of the formatting and text follow the conventions of <xref target="I-D.irtf-cfrg-aegis-aead"/>.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1923IjR3bgO74itxVrkzu439EazRhNsrspNbs5BKWe0Vjq
SBQSQA2BKkxVgWyK6o2JsB2x3n1U7LP97H11+Gmfdt7tf9CX7LlkZmVdQKJb
I629tmaiCRSqsk6ePHnu52StVqskfrJSj8WjZ3IV+rE4CrdBoiJxFs6UuPGT
pZgkURgsxER520iJS7mIxcGzo7PaZHJ5+Kgip9NIXePzfOlRxZOJWoTR7WPh
B/OwUpmFXiDX8IpZJOdJbS2TJI7DoObNo0VNqri28Na1OE5qrVEl3k7Xfhz7
YZDcbuCR04vLp0J8JOQqDuEdfjBTGwX/BMmjqnh0On4Cf8IIPsF9jyrBdj1V
0ePKDCB4XPHCIFZBvI0fiyTaqgoA2anISMnH5v6bMLpaROF2A1eOottNEoqn
YbRdP6pcqVv4cfa4ImoiUG8TsVCBimQCgOGlbeB7YUQf442MrlY+IGjmx0nk
T7eJmomVmi1UhL//fiuDZLsWa7nwvcq1CrYAmhDlrxWCp/3oQsVKRt5SPMP7
8Ie19FfwAyLtL3yVzOthtMDreBdcXybJJn7caOBteMm/VnVzWwMvNKZReBOr
Bg6Azy1gabdTeFKtZfC7MGg8sDr4zArwGifO2/SzdR6s7ocPjfLQ7/Vlsl49
qlTkNlmGsJKAfSKdM3hgqW7EkVxv5CKQAAxMTAb+N7Qmj8V4Lb8JA/FaTYFQ
o2vfUzHc4yExIyUeyUDO8CnFePT0OH8h6bm6F67tu8Yr9VYCjcEekG/9dXhd
eNlJ5HsIvvuGyY0CskzfIM0o9TWP8hdKP5V52afhMhDfivNIbf/4dzRNPfD7
v/F3MFTdYDb7tkoQRvALEMXjCjxw8fSo12r1H/PHYbfXpsvjkwleAiKU0ULB
OptlDq5Xm+00rgdA4fVFeN3AD3il8fT0fNJ4eTq5rOOnems0qG03s1Z9M5vz
SJq5jGfXMvBgY5wEHlI8TAr4CuBHRjNxAC8+fET3xwC2ipFvMCRCPMLRH8EQ
T2G2kVyJU/iRJgNDnEchLHSMu8+MFovz7XTle3wDAMQDE0sA/N6KdrPdIST4
v4MH1Kp8yl4ceel88VtjrWa+bGyi8HfKS+IGzSNcRHKz9L1abF5fg7+1xdaf
KWAKKm4A99uugV/FDSTzmbpWq3CDFxqRBqAm12vkabMi1k4mOMVNGEtYXwMw
T8jsEMZSTf8VwHNjpCoZiGOp1kQfJTd84cNqBAmOae5hDE3UJlHIRQFPTcCT
b7Cdkk5n0Gpp0um2ex3zsdM0H/vdwcjSVif92LUU12+Ze0fNZjP9aMYd9Zs9
/HhaOyYuVluHv68lkQziTRgl9pcIftEcZOED5pWcMSF7wJ1nsP7xPotLhBxv
GsNmswH00pANfxPNMguBNCheyG3gLVUsjtNFFOFcHLmE4Lx7j3XCcR3kf7oN
FNJnjyZxdLYDehUl/lxTeF3BPGRdbYFM8I+lN/hwE6xCOWtI2OD9fnsK+FHN
WnfYVbVRa9SqDUdNr+vN5UBK+UYTgaW8RaRgt2andqa8JfCkeB27e2q8ifxV
CvXJpPb69PjkQxBfjnbeAIB2EJNmk/vfKCHFax+Z9Bcy8iWvBLz8/ZF+rDxD
8O0uT+HLcugVzDRI6r70IhKr7War2xiMOoV9exFOt3EixgAFrASulJrVUs73
GF8hYCYCfsf5TVdqDZ9lIvxETMLVtdqHeL6AnSEut8D7nsN2X5TfdAmr+FkU
Xqvkm/Ibzpf+auVvxEW4kDfyNsMsQW2oAlpaA0LLy8nktBwxa+DBWujWvVvA
JSzv9ro+j1Luxywxbry8fHN6HivvzcnLItoUyCpkhUTZsQDOAwIBtE7k74FK
UF2LWSelMTJUuF0gygFYJsMYtL/3FWaTjfJ8uXLkR8yybXJeBxqttTvtur8p
YdP4stoTGQOuX/iLZXKj8F9399w68gmndQRjAz8DCTFDdoKYe1AAavAy8k2D
BULRT9LfxDFqWXuQ0JlaAbcXkz/+U7BW3wAxAYstv/MzFUW3YlwXZ95nmkoK
9xyDmbAMAaqj5U56/NQPrhTc8tnuO1Aj+kytYuUS40sg4cwufaJWoOiq1mDv
vdpv9PrdwuJdwhY8264Sv/Y54J6tHD+5JXbi7l+R3b+TGtg7ALC4fDERrXpn
H2TXDdDlvz+pg3HlXYFKHZRPnPehmfho74mPGv12ceIvQ1ABYrAfFLwDJqlm
OK/xsbgAeox9mPI+c/KXfnT/tC7gefFyx2I/+d0f/ykKHpr3iOcdwZ5R/o5t
DdO93dSTsAGywIctBubXbWOjovU24a1cA4Wm1+y0i+yaDVx38Z+Ajq136rkz
xB4IOQYBqVbi03oKb56lomZFTOrJLn56c3NTn8Z+fQpQ1GeqMVkCdmfHoRc3
jrVUjxsnLxswQCPDrS5BQj9Ldc/LZ812q9nG+2qXFzX6UmuRjZVBwC4xL/Ic
GWXWZ+pWvFDBIlnuZlnwQuRYCA5YysCXLFAihcNl35/KYCsjUs77iBpj572n
cn5yTZo2qviNBChzViOZsQw3NeDQ01XoXdU8f7NUEWiUII5q4bwWbrRh76rq
nod68Ky2kfBr3GDfyH9uN7V3BD6hfwT+oDSCP+wcwQ9AGgn8RTdJgdA+0MWy
D2dxDOOSG5BvW1u25Hcg16IFatbmlZeEmvOS4XSsFnIKS75S5aszC33iPK1m
vTNqjxoqWX5Tm9ZA0e/3uu1+M7v3ws/Aup2DOuujOn0MhLQIiM5O15sVGjC8
95Afn4er2yBco5x7LuOleAr6ONMl8ArYqZG/VuIpADbbZ6fCnNOZ7Lzlmb8C
nT/a/Xt4jU6pXVIT8Ao4jLII1VYoibFjfz5XkQJWXI5M2DNX9Rh5OjAotOUb
sDmBNCNEb6vZHDRGg2GtU+u0RrXBsDPo1YZvYGQXxSThfLaS09cZvbPKyE5i
UOQ3lpOgsp0h01T67YHaZ/KP/wvUHWATQM5BUn7TUwV6fIAvn/gAyG0k4xJO
2RoSlqKtd6WichRFs30Q1Ow0a6NBvweM5w0MmqXBeXKDcvAVTHCtfS5IcMbi
JkGAaABR9XbYr/W74nwlE7SM97LyQETqGZTfAPz9FlikisrIpI0IODkdd3bL
ikW8ljT1OFxtWdihF8IHluAljQS5cLgKF8ClG7EWcY2bTQ201gQtxe2GJQqp
Cs1e4+Rk3HmDb3wTo8ppTM031603wwJPa7WHNXyAyIi+wINi4j64B4pOLien
YjJ+dlIqE1gBOAmAS25u91V72t1GC/4rAHwUgr2DHmatsY+TBLQP4CGBeIIC
QhyRgKD1jkVNnLwF9IB2DbvHPsqSEDYWrOx4GuN+2o/j7OayT9U0MiKQtAPY
H2DS7LJisiLwaHJxpEXgufFP0WRqPJkaS+LfbzMOqSdHZ40jku/w5ej1Eaq0
DfPadtHMSdVh3B83Sl4FaPjFqAbDo/vshLqdVoHQWSd6tsvr4UiVfrM9zBhm
neHxPYYk7d6SpYUN/srIfuRZKJsbGaaHMviQlvrZ2fjogw00AG8/IX6M2oq/
QwtuDjR+ap9vOMDxMF2U+S0zWlBSRhdTD5iooQvvxkPnfAMd9Ft6cVGtAUuI
YdpHQUYT8lmkbnbukS98EMu7yIOY5HtOHTZdbPQIrRx6ZH9vWX2oTZERoIYI
BE7RiAj1/4a/lgv4woMAnce1Xm1BANQARalqiSOWsBnnDYLegCwGPT7o1r3A
NxBpOVoN2aFWCLNHCOVSqh/BVS2HtOsbSHuM4R5YyASE7T7iaFIvypq8jgfK
Vwgaw3SXjldiZbbByiyiIR1IbFYSnsFgGqkSMpCr29hnVgrUOZVwU825yTBb
IQ2Hnot+tzb1E0E0LJiGBWnye5lm1/7MJb6ioUmy9jQIt3tPG6XMqF0Ui88w
XgjGlOtPsBHSB0EdX/lXIQOy44Z4eQNc99PlDoX/iYwSMOSCANTHHaqp/Ga7
xLecgVW2lkm8LccJq6mnNzLZYYyVkkK3U0TJkwgkBopRXPALtZE+OfaQe1gs
AVWH830W81IBxAzWjvkpP95egU63BFPB/wAcpB5FoopPw+3bn4jlssyosaSp
UcQ0Rv7b+B3A8Mbc9pB8fir9FXIElM7kSAcbKdaK7X7SGqxGnLWLE+3rb5KR
/gItn9WOANpegejGLxfT5JPWn+FAbz/xXm+um79a/Lq9Sq5eL5NZ52K0OXk9
OGkdjXOsdb3WzFA74vbcVr+pG5h3WGNGL9ub0nuN7mDw0EqgxwRVEliAWwR6
p6qxnw6ZUR7L1IjXKoZxVyBgCtNk77j2Bew9y0FjOBwVZvkKaQx2SE5qAbk9
AbsOpvrUD0AuaYucdj0ZWKghganuY0zRkX7ain/29KC9DyIecmk8r4vJ7/74
T8DEFg4W3PAmu1PP/JUKQM7X2r1+OUIw5ChX9c5isyGEgLS5SsINiJ3tSumo
wdy64DJfj1UC2yCuy3jz9pcZY+p09km33c0a6plHcZuisnB2+uLkJRhGCJ+Q
q0UIfHK5BjV0H/9+59n5ealFxSaGXrmfWpVck7udfLS1ZtFAM1BhUgx6ca2F
Nl6AboAEB3oPrJjIbbOjD9UDihqSFyaJeLraLiNtshc10ZfST8IHTZWMA6Jd
aw5b7W5t8KaTmXAagtjmQxCat9HmebqNEtR3ToIl5lIQTvdheluSgwTvrjvE
RMYgm3eIWnmlQISKyRYjhJGrmjtqIyPFv9lfS+g12q1iWCKjDmg/PDLPIMZo
715Bid9sfZA7BMyfXDd4UBHJua8YLUfj7k/NW9o5P2sZb5kE4Y3oPdPWCTAY
VK7jH8plzNzZkw9z7/3kc289PHc0wn7kef/k8qS9hzz58vOjH3feZxf7coBm
vwFLVeAAMEkVrX2UPJhPszuJAq2Fa7IaLcO4BBsjMYk5OF3QvWqvI7kx7u49
pndezyRDFHc8aBZLUGA2ScaEtvYCO2oADy/eRzygA7/f6Y8GtdGbLPk+CcOY
3I+74tGC803QGcfhJGBZpGaBZplS0j5GVR0Ny+0OL/WrujjeBldqtd6VJAA6
2Yvt7dXbe7CC2SGLn8ilyTm7q5pVQHQ0j4F488xfwd/kDcjWN4DBeClvdkXs
zsZHjFkdWNb+Cn+FNOetwlhhwAQElNwnO++zusbDTs1Vg7ZTw9fguqodp46x
bnJ+fHT+0/IeoN5+BnEvLz4W56C1qQT0rURiwgto9wsTeUpCL1yJAwT0UMTv
GSxA/iMuJ6IzrHfanXL9lngR+siSXWGj0myufqvowhqn+sjY+Kw0dwFS24Sx
b/jr0VLC/9tN69drdZq9feJlYTTT2axJRuFMfRBknl4oor/3sNs6naIfX49i
yPeeRBdQhJegZ+7DOo6AIwKXkgFq7atdga4T/wos8HgHYU8SNceo4RaU/fI7
PpVX4RTs2+Ab5Zrwxi3BFh3lr+xl0wTqRvuDNzrLtpaEtYier8WbGjtisjmJ
4yAApZTVbwpK6yeRAfCbxeT8Pdz+uWxEu+I6SZk4+76hYRnBGq6UlSxxEwin
V4Oxas1RdziqjbKEwGmKmK0VqBVyHqBbKmX4PIjUykfRKl6avDufndeoi0cz
8ULeAitFBPzq89MjIvjj90qFeurH3nLl75AkT4EH/vF/B8nO0PtRHXd7No7k
bP/ufyDvByIPeF7v2U8tRPpZHFu+K50Qh4kXeGpG7k2M7oENM7mNk73UOys9
OvVes7VTj52AzH+PIMCwlQV9LIC5CKoKqIEOAcIZdQgbdhKeXK2A105sXPGh
oNnrnQmTD3nCQJ89uZrJ5Wqn0vdpCFSci0ebXHQmhpevXte+8PfGR6vR7mT1
ATMCrJ5Qb5MI+KcAZYyKC1AnuE6zuPlWWtdVeKMisYjkDGTt+ef7CKL3ne2H
5Er9xqxFjnBaFlfjt7uClL6XYmrT6DRajU6rkRfR59t4iawEZAqyjRV6S1FA
6qHF93/4TkgxR+8rpWwCUSm5NgExYDZysYjUgsQ5hsf+dZKY9rzTdvv8dNz+
yRJctkq2t75sz1rXJfbn5yfjNjEZhOlPksli0z5HlUqtVhNyisnfXlKpXC5B
mTTmi5ipOeZtig/KE8RErt2aHD0+hgXwfPqJlPIDJJ5Dx/7niPNsFnFeR6yu
qeTKSfVgn2TdOiY9eOlUiS06FOgdMrgVV+pWU6QumwyjqghCjNisbilJKB/E
jZHAgG5nNj8NGHsUrik6iCFw3AY+JgDNOKSOgEisDggxjJ51BMfbKUAgnv8c
Pvyi/fMG/qkit6kFmPMMaI78a+sUmYYA9XNa8NwTeAlLOlEphxmiy5l3Yl1c
hkCjAHcVAQOVDzNmFwDzLcY68vAkuE6EnEDJqEZmYoklCdRbhTl6q+0M936U
VdNhSXwUJ54CI321gu8LH8M8gHd0iktC2VJeK+awQLW4zFwRi9Pk98E7xMnB
00Px/d/+N3EtGqINU978IsEpb3DKCA9gCl5ItEBJ7rAUMuLlgF+vfQQvpQAk
YMrahNelFRsJzYzMPD33SG1Wkq8qT68T7AoZYwp9lTShqphcXJ4z4tE0rBpZ
f421IzC7aEZ5erQwJmnPlSLAIjYyItULWCcRanaHGazFIsBkZGKeKfmniNxS
tiT6CClYbSr1MAYDVOrpjYmstcqzgzUWK86KRmx3h1Ux6jP8rVZbTIlqDMqW
MOmpUoGI03qmmZjesm6CSIT9pHc8sHxQb6oU6YTX85Bffn6EX+rMTtb+bLZS
lcpH4tTZIfD9I/EETPBFZHNNzsJEU36lgpPzg1Jec6DDqofi7g7+vHuHiywB
oJmC/TuDhQxvMXPuhzGbuztdh/ruXRXk/2qrCQhdku6iApClK8+ooLu1H9DS
HnqqKLmAAt8plmnqVZuDhh4brBbw4c2gqBdT2v48zu/luc45BujNKO/eIZUp
MfcjkMe4E0heBAngCrYz8EGqXsM7it4jftTwsRUoPDEQqYkVs5dhB3sT2w0m
x+A2wkyg+dYylapQAeCDci0iIL0IFXt4LFa/3+IusLwgs+GvgvAmwP2Y4zxz
TiSoiyfIKR0cSeDVoMoC1C75V8V0y2lLKuaEOKQZifXvAA+RRoxJ8sQWgYLZ
FSYUDlQHtPJ3oDm46wYXBvkQyP/ViphtGCnEBA7KhA23GO57E26B+2JkGVUf
zZpTgBkyIgnc6UoC9aD/BkaAj8vQQyZL/D4tP0shtXH3FFRzBYDF0vgoAzJn
LSGrQRmJnB9AlqsbeQscYor1cgDbkqQI6nKaNGgxFUyqisYCrNwMwdGUjOQY
x9s17TKAiKcCvCy8wewqzPYhnRG0ayAgGGuDphpNhGQQzQZeB/AFwJ6IK+E2
JLcF7kLEDzInlNVGDeAqRUQ0TIBIalceKAgmQVUX9hoCZ+XILFQ8MiMdwDNp
bYAYxruWryZRLpVefnAdmtR0UzjpsNs0awx/lCnnAf1Lgm56rTRTGlHIg7BR
tVVchsmFqHvErKTIUlcvvIoFZq0zsiIz0JqP0WsI1cA/yLYnJoeVzYhehPo+
0Vwl2VxFrN2EETqVcaEIgajuBOxhFv0evQdMx7q42KUlMMv2YLto8Sw84Izw
Gk7RWHMWIVsP7OUjSqDR3r27uxuffAmMrVKZ2B1Ae1rLANT3wJRupxPGHw2j
5RcAM0TyDQX6WmCDkM8j1W/AZr+7Iy8DokYn9tmhiP+h457BPQ0vha3/5kVO
qxX02LwUABONxt+GTWfYzUaRHsNckLizoAgDsEsju4CGtwjzhnzXelrMfGDB
FHAc/R61QaSBdlwVa05rg9Vdi6W/WCI5qyDmBBfYjplOAZTlsgTe8zGIClwn
JUEL4tdh9w/N2wAiTlJGYmw3xZroXCJsVUuatDFmPmhHWyALA7JOqZwC6PBs
QLV9KB1RKHKcAm5yuaJW8tKX4yZNNfqUB9KbPeIBwHNDGBfUmOQGNRkkbTMz
hGsbBAqlEpj1MOAKrRZahLu78pp+2H4I9BpVwpjN/kyOrlUWcdMeXV4waM/R
qUJbDJsSINnq5gEok3OUiy1kcFYoJ2HhDbZulsiLNvKWTERebzKvgMQSWk4A
xRAYPpdqtfBLqnIgBhc+MprpLWED+DQJcFcyksIS6Jlx9S9vkbS6mQYFBMD6
BTPYbTBLzRTNqoNgUSACgN0+BcZO0pcEnbMjENQEIcIVDqgymLgIJRQByqYK
LYWY+cnq9vEu7QTXHkUqWHhoMLSKBgPDmzCjV85scZ4oX0AXQaTIOSnMaB2m
my2u8pX8zBhRZZpNXRwRw7aao4Dd4yuci2NbZWyqPBGzepKg5uMomRvQmFbE
QFfS7Fu0H0iL/iB7fKdxDxPY05jPWic54zyv3fwYNjnqpqUmuRGZsF0e/4i2
ealZXmqSA2vy36pZTRPfLJNDQENrqkJgyRRNQzjPno8nzxlT569e/OaL8Qum
MGyMQ8r9vcY+sKiALaD3sfN5U+iEtrXJeHM2Ama8ZexfnkVt7cdoHKKgX/mK
3AG7LHG8D3bhBxnkBgNdss4yqkwTr6Ch7nLe1GiHq/gHEXcaUKcsdFPGKkE1
dterq2YSRYsLWYrhVzJOtaA0Jr8ld8hOb8kROQVwfUIblDXT64y04HmWZSvV
NPPO8JfYVImjprkghNLrV6jnGtFXp0rKhx0VsFQFX8XHtFjWuCV2CkYp7HgK
MMOU2WR3NGEYFZRWwC0KHU27iEHstpTg5uCUWqJv1JP8JFmpmgKdAdDoBlUc
7rHBapnomjkVDTZjTSbl24Ll8hbBtJamskUqfqZyl7R5rW5uTNFKzBxElzKh
4OaSFFI5s3yT5Hbqt7HEXuKrQa11ohfU1m7SIulcJ+KCrB0howOG67p20N1h
vqPP48MdPZfEJ1IQNddmvYDZPihuW/iI7pQ1Powblhz6MuNVUTmvylqn9lhd
SzspccjU+7HTQaip+Qf5CFnkXxuRn3/cFeNrmXhLrRvzJvbDKGPLkBFDC072
inVGWOhIlrjWCopvjKcV7UrNKOs5fx0muIHgm93udrflWA7iFKVU2vQPjX0n
UVzTGAxNZrfmt2XOJqZJaomEHPGV3Qpvh318mIuItccMbnx5SiN/wVs91X+r
2UlpXhKnuw6E+N2drjLGN7lcb3zy7HRiVO+SplnI75xKCmMIo8cokaQ+wuha
FU6WYAMtlhtYBfTXg/nEhGp53s0SEAXUl4BsM0vvMKQ50AFbEIgI/G4bMBAS
AQ5gAQaSG+D4oP4s/IDdSNx5i1fPRlp4D1j31uqehc77VdHfdDTuGgQgaulK
z0g07Wnlq33mCjaC3Ku3u83v//AdfRjW0zyhDZUx0RtTfoX23gLYrzZ0MN8b
icxKRpIRTMIENJV/pc4m+qoJj5K5HZcZfiXWyVwV3of+M45cKcszq5oY01tS
tprVNe9zgDNeyHSnycIwMz/2tjpipDFgErZZBKAazSlgQerDOUaFmERbjDxf
0ZbDrpuxeHT2+eQSO3ziX/HyFX2+OAE15OLkGD9Pno9fvLAfKvqOyfNXn784
Tj+lTx69Ojs7eXnMD8NVkblUeXQ2/s0jntijV+eXp69ejl884qSNjCiKSFZP
Sd1VEUhKpHwZV0Dt8iJ/SqxWPDk6/z9/3+oCiv4T6BPtVgt1DP4ybA2A1pCD
Bvw2Ur75K+yT24r2UWAEF1i4Jzd+AvKviooP+hYDgbwXsPlffouY+eqx+PnU
27S6v9AXcMKZiwZnmYuEs+KVwsOMxJJLJa+x2Mxcz2E6C+/4N5nvBu/OxZ//
klrG1FrDX/6iwjQyD9FHTg3BQt0ZxI/Z1NE5Nma1HgOWxGdGSgFtERbZCqOb
HXUP7nxp5Rmq2fffOzb35jyN9z91bp6y3sr77//SgZ1NN7joWVObjTQcBi6j
VmJgKqjP+PvuX7U2UzUGO9w9NXezORgDG3V/3kP0w12fOEgCm4SNrQ1bnvDz
93/79+YGmP7vt5IdrOkNb8VffvuX34pb1pXJxAoymezT24S0KWKeb2k73eLA
//1/WvD95AYT8tRbbwUM7VrVXl2Ig1+/ujh0XwTzP3h7aJ7RBiS8460z5W8U
9lec4X0R9narbdBZlIMCniDZgjdTBxWZWnYwHtjYZjhjMx68rYrbQy0sdYyI
oki37JsnKHBiyGGpeRybr2uJZYwIfFBcC2PLe8ttwKlnBvrzQ3hi/T5PjPEJ
YxT7RWJlExnueXLSaTtYnPoLY2aQJxOxAy/SDmOyoODVb+HBFyf9rov+jIni
Pqs9xO6zX/z27Vfmwcwc0L9DNaW8iDKKwNr84mMHwXwbxjr4viYP9/jWDhih
kV+CHR4aO/bB4FobErfOa1DWfZDHSNx9ZESzNoJibZgb3xHCZRSKnHcoZYxM
ItnGXTCNXXG2nP+A15fdRloBXrG4m0swXOPQNqr8ADeTLHU0OfqenKGAi03i
E80xfXk5q2Q3lWMo2RhtgpVrgJltxPllWCqi97e7bdEMX6PDKH7MfivYj6SM
fIbxUfZLvazmmb0YGzdlGn06Z1hKkIDIZTMs4SEIY5+xNpd/CkSj4EbnaDuf
001jvonsv+2adUhMyYLPjjmKWkM6HWeQpBysutW8CgBvyJ+HNqPz85es2HE9
SmFvuHFw2BlKmT3z5W+bX1Xh39ZXWqv+bfsr0qaIeGTB58Newnh3Ws5axhRz
0e7Esyp6fNBiBCa/MkH1NOBtwegQGF34t16v48dA/Ey4sKBazZSUFdWAqNNA
kNswdRlqL2jqLNqaSL9hmZYUyXNqle/TL1z2iSa17y3ZnxiDXYSxc+tNsf6j
ErfK/Q4dgpHcchoavWOdbYReUiIctKgl7FNyc1ptM8vmLVp3rQ2hcU5eUcWg
xnaF/QBMRtrYGpqqthQTO6Y4s7ochayJltDvZVZbC35QWmA5KBshye58EpWq
wAjYtjLTJk5EYUWCCP1wkR+zTXqzDFeuZEQ2gYEWf8GtFFYrdNrIxPBZs/D7
wKCxP6dsHMKsadpHphsGc5QJe250y0kOZnCqszXoZgXLpEqhXmrVjZBlKYXY
iXZ5E9AcpgK7bxOnjHstMX4pTW4FbBz/Wq6IAPHGamqaUqhvm5AHANEXRZgF
Mrfgw2P+jLHL4ZOdeUKmgR8zoTIOrm8+AE4MHBg47vmhuS/OcF7EOrDtbRTk
tWMgOXbfm7mW6cAk0wB6tpczirKO+08Nud2bawBq8txiCmZ/HikMN1M/VbZ6
rYVM1yPeJWSrGBOYDLkp8s4wVuRBx3VF6YkB9WAWrutwN8X+9FKScUNxZBZW
ZoQt1cd9rJ/SYRBhDEUjvHG0E3zYfbnJhGGWKLXvwo3vJfjchFNMlF5vtmmZ
NoxUMiPq7UeMFDce22coZcXBPdIZFdCXLIIfvG+cl9APPnGeiu4H7q28omkx
2EcpdQHpP/QSRNqBzKgcQFAGjaIhhjD8BHcZDN6qi9N5Pr8lJX/iZKhPxQbz
VU335NONIiQLpMsp/FhpYwzGKh27lICMLlLp1MUL0H+egwHHYjvL4j/RYvyM
PrW/qnT5fsDDJwAeWl/WugF5+5gFbJWsrPPDw0qPb5/A3amRwaae+e4lh5U+
3/YCbiMLAR+H6/pOe2kMIw741l/j+1m0HDyvignBPiFYQdYfVoZ8G0aL3uCK
OHdn9Ytf0yReHNKfs8qIn+NH7NTMMFUBwLaamIhDiwBAVvHeQ8vTrAHzArQz
MIQ1z1VvtRZVEOvzNPCc5ZzHagfnLBE35uaUcxrAzN2UHmTpuOpyP50pUMIn
U4ZfLbDclDFyKNGjwFiU0iVpF2iQfwBjBKnkbVcZ+3/j7l0UUqLVPCRhh9wG
FRpK84iw0maVBm94nnpOBywFO9//4bvRIe+8/C2Y/hhXC290uShzYXRVE4/4
98xQfwTO6DLevfl1NUN5ZLAbre1e6vYDVl+MAspLy6pifV8uDc96SRmnRlBo
fge0E9EHlvwr4d8PMeTe/gy5vx9DHnwgQ9aM3EQI39zHmUd2TyOu3UfuQzvy
c3zFOYwLC3mvTEMcVFpMDy+ZWZSlN9zzsrYVHufMzjkzwI81q5PcMS8zX5/1
dzGy3EBHBFWaYIbldAm2xAZ+s4kw4QQ9V+nhSSslrzAkB2BstbXr1LKnrrK1
H1Mcl6JSiaoXVU9XEXf5Ik8antsGlCXBOWl4fo30dV5rEDrPojsOIfXDbQz6
LpVI2DHMjozlWjvpEW/5FBbN/lNsKJ90/ynmhyhGWgv34YwLBPhCq26bEpgM
Hkq2WVKti1inHfHv7uz5C2i4m4yZYq6vFesleTacDOdIbVihNGvdJxsOo2c1
j6uLTT5QKqCQR2lhGJW8QMss8pxRhmuiuMIizaN8Xs37Vc6q4kvQMGG/VUW6
iQqkl4ofTDvAOpAD5BMYaj1kreXEKD1WGRKXW8BGXKlkeozjWsVJqKu7HIvN
5GmVsWjMZ0Khzqyes1BIzeCMWbbT0KNkJKwrXI4oJ4nYNkYqgE3L2KTamKn5
a42x1a12qubB8zC2dPcYBr1dqU8ePUL/9xGzCmKGOJQQFPPcVUFk/AZ3H7kB
2R1e39Rv6CiI2t+0K0qr9cd08ErlNeDS9fUW3ZE40IHzzGF1p8jxY52NlMmR
KaDly9/6XwFmTl4ekSLK+KFYgQ+iQ4hqpcLpJHCHcbzjuLpRs1NtQ5k97IHC
ID5a5GmMQcMQl2vYOKALZV7lZlxZ7L0HwjLLepAf4X703VdUVoLHNiBS7EQl
yFbCJt/5s9ZupIP83YH3DEDFBUgzowxtjY+1duJpFd6eaoRlJR/ZrCOg65f3
Vtu53rmpgh1XzYUzWGjhouf9/pk0KySMTB5LVFjVe5O44H6bw1WpfCteoqj5
Vnz25sUJ6MrkCzzEwxrfnI1RuRnT3/T6paPLw2UYBa7CMDjvNwDXm1Z7+Abg
eANwvOnDAy38h7OrOn1OrxI1gAau4j+7HgUQs8+29bPfYlHP7se62cdaffsY
zjrzHJBABtJOe29I3UcJUvfZ3ZBmHutmH9sF6cXppy+PxycvdoI62A1q4dk9
YS0+9xCwsJU/AiYla0D6MVeZf/KI9sLY7oV0H+kcKEuvGcZuWt1ic+z4k0cr
EeH/Hr3L50Y4ISCsCrglk5MLBdLtQgbVyzdnpy+Bll8yLZeFl9inyIRNcVrc
IkjzpbBikNv+mAccLdwj/SY9uiNX00QEUyOkBTO9lXfdz9gs1I55GO5X2eFS
132ZO9lJnqUxcytdOh+6pd91bimb1Re7wCjzzZSD0es+CEarNbwXjsoYywM5
lJEpr1thUwXyR2AyByuBpH9Po22isBerRz/XbO2pabquoxaBAl3KIyNWpims
JhHaKsimYCSG2cXz24Ic251XiiJprutZ8NguP2EniMEUy0eMQ1hzIS2rybkp
MvU2Dq9PM02XoNVhs9VY67aUTe6kv1GWF+acAzXWVb36YAKrqUNwgjT77GQS
fdrRj3tUp+dScMfmwvp7p9GzWckKdcQWD0UTbV3rta0pVOzIizdhQFstLTIS
+mQ7V9QCg8HAaLyNdOJtcf20FjEL13iqT0KhRZOTlVJKmgmaZjQWl/3eGEu6
vNnsPMBNXFTMs8L6EwygH+jNBKyqJmxac44XfP8//kZMidWg8MjoqiXpUSZV
SFMYY8pxpZYhAO7DnfDP/0jvKiC0iHMcyJ4qB4YOxhHn0kN9kvcbem9xOCzV
qjrlHtZMsGRHlo4KeN/bgpq0+pa5KiC/gUfg0RfLM4o45rtxFnxrA9WMn2me
+P0//I1hcLpmlo2jy92zQSNb/4B5rM7cDuShrkT7mZA0qFkvg73pz1r6ChAY
duVFRfFpRpu0J08Qkevk2Tw10enx0bXkjAKx3WCN0pT7EaPH8t5Js48EEF7N
5Ca59AImiHW287ZH8MzqGSc4nhyyAmltQPccDdtdJoaBX5tN1sWnTPWD836T
Er/YgqoAxOlQjusLUWvs9YBvL3AutN5NJXeRgAieKu+6KsPJ7JjxQ9kUprKF
uC1iljHAMOemlpk5cDMsOokxRcloLOg0W4HJl1A5ISbMIaPc+txIyUgzYicB
r6amOZ0cM8eGPNr3lbIfysLTMpFKdWDhZWBr+/V2d61OHOsET2NWksxWKpPL
pmORj5sa4OtVdfINnI7qmVIfQJGm70a71tMcooTZOMCh6Eb/swafJQFxf1zm
Zr3ZbA54gtKLwjhmHmymjq4ufeKWTjqn8ZFIYEO38OkesyiafZr5WEsibIyH
TcE8TH1kpNMyIeERN6S+TThf1EgoAQOkBnpi8jzLEJvOOzYcK1LwILWTUACz
9u1FGAG3GyVTc23a9uizc/AsYirDsusSp0NeYz24Ke4mANVbrvhLu9/gPrvB
QvcJJot5t+Lg6eRQd/2Mk9qRnVFaEnBwfoS3kOevBfrHNkJzUwudJi/o93/4
Lme4sCpNkhjPWqfCfDyHmZP9Hz/WrW3fVX6lxVv76w43r2p/3e+SnJJXSqcf
6YQV7ljAQt5qV4ShSlZY/hzppP31gRaUh1lK+/6vv2u0v8bffv5zrgz+OqnD
P7UEveNf1w6Sn3UOuTsFJv7SwQ/cYULrOyaVkF+KavDXwEEZ9k5b55KV1CSj
BUKvG/Xqww7JEa6H4P28jZnIUJbwCw5+vwKQrg+/botf4Bf8AN+/blf0JrC1
zV+3mvUufz9of90b4Z10uT2Cv6tAdCt4GWcMeAFRc9hoE9L73XoPfupgNQj8
GeiF88n+ikIwCtih2ILfW82mePYEVq/xDl2ElkKOMiUT4u4jW2GR5keaMltK
y3ufClvsQbjA4d18q+eMZLK3zNEw2WgRVffhipcUuZZWtua6IeumMbtyxaja
V6vKaf6KyYfLttJBQyptpZPrymHzrAsl476y9XimbhffbA/kwj3N/QtMZ5lc
4wEuzrN+4HxmLesQNpd2R9EOvcWWrGULS5EDF9Vp3bRjEVL6La8a1w85RUPV
lDH7tv4t3lUpjICeXbxAMJ8oT5qNYhL6HLe0uzaYH41ZpGxIotw0FRIBlfnM
uYmSzt+PSlVdlEozPH8IGxFR0bOtfcY4vV11ztMySdXseNDToJhTsSGAqTio
pmWAnsSjyknkUaTdFLDDPXNAhh73sZ2slo+8EFRMbFMRMBESDzSXJm6iYSKu
Rl0tuN0iAFjfUZSl8QiPJlg4gE2C0mWc2s5cc324x5+EUArFZa5PBauNUOZO
00RvnhRniZm6RQSK6Yi3Co6WFuc7Kds/tOq8XsyVuCfzTWQsGJN+jsn3GlqT
B0z1sDT5x2xgZgOWuUS5mNt9UNOaUDcdy+WWWu8N6ZC5ezOkWebywaxK5rb6
zTpOSUdFCkq3xlLKhBu1nNrsemniAlU375KKYp3DzTnbIZ8RILnvygab/sz4
5ZHSwROdC+gHLuAPZ7HSPGIrFmCFaFc7nceoomnNynrChYx3d3iMGJpYd3f6
/C1TXmk5pO62GJav7y7KGdva+NVtNfuok+CoH3eTIB/DbzHxSkD71ppXJuva
I6FSEsaHm25TIWyJLj2r0JVLtItnitrXOqWRbETWcwdcx0bHBatIw0odtHQl
BFMNIPPXry7Yv8fJncZ2MGFd1Aow592zv2hSQPMV95hGg65ygKWzR2VQYF3H
L6RTC6fNjFxjuzVxKmdahqFvSEKaBOZcsauxw9Iw+iCtpbZhOfQykkrwVuIl
qj3T/bGzfSleTY5eXZzoa/1WJyWrcexxZ74ntgmftbYcfzYrxqYVGhpZ7a5u
W1MweHFHUmV0DhULPHNERR+ICS9Tp209NCmjs3JN+mvuEoAiqiDiddcvEvE4
7xf+FWn71AmIZRBLkDQcyXyLo+QbGaO/9Dr0U8f7TVjjy/CyWhhQLaaNuZv0
jRSMmgEjcT2p2pGRNqvTvRC4hLN8EkYB0Dl3VGA/9rB1OmvGd+kXMoQ+5/QS
m1+YOmGJjgDpMrb5I/f2PbDREutw9YDXAf/UQeJTq9zcfXSKdheZH2ap3GQ+
kZbKIh+iHmKm9V6nre1uoAhtpE8V++j1HaZWkPOQwNQCK+PAREDIOjs0DqdW
XVCgGm/6/m//QZQ6N5PdtlRpYydHp7UsmiWI6W5ny7OctV5hMbmubUijv+8c
b7RxcD/UIMftCeHsNsN2uJiUepukzYhsM6rdc53qhpHAR9GLoV2viLni/GnM
jA+RRCx6FGx+VMlbpInApI7YWOEhiIu66DBqLD5xyEzXQCQIktlrPuIu3r1y
ThZIVhslpFKLE+Q+Kt9oxnQTpOa4p0HaG4BeZHLx/NjV+2m+JomLPKhO8z3Y
TyuskuBup2G0CVHwx4JKNcNcBoTegyxXdIr0ffuRQYjvq2AjLGb6VhU7t3Di
2QIpJuDlJ/e9Dzr3TGqJXE2bcLDGa0bb0MkQwEOwgafbuo2H8cEgAosDzMOi
mxfPU/o3G5BzIh57VHznneyuvzbPEKp7xMXcSJh2JbgPZUUwqsWmI0quqydr
EuxQeJD9H9jdm20gptuGsu54mOUkxXAI4zTlL9eZQEWB49iABYVFnpKEZ2Nw
xqdlGOovsazjTH5e6ZxMRE93ueLNjizJ8jbUy/GwRP5kFXInNMI6lTmYk9Sq
ySl2WUkcv3OuLZd0mq3anoCxSE9yhDX21IYsHgKSDCq3iSFqiejqRAp3igKy
1nG+rasTLrqxYtGGoGx4D2eUBjzGNgAjXXa5wnYziE2r2tHbSKs6wn8wOGY6
ivmxafLr2zPPc07ag9YhcSvyvRJL4p7LNKHx7DpDNDtF029p2b6qHLTvGa1E
DJVJEfyp9B2muTW8pvN+r0k5yp5k/1s+ihXe1D0kFYO9Iogst8QcZAkWpfJ7
S+dyr0SvHPQyo3fvGf0DN7Bx6VKrm4xb7O4jvPLOpHfnfGbkniJxYrmfsSCw
dwY6j2wv6X/zAvFpNiuiaoRFBiUY1cKWII5RZPg5Jn0vZDRjjZ8jSCZxKBf8
grlu0RgpDwYaLuUEDtGtknHXG116ZIPM//JXRs38l78iEjm3YeBfpWFg0w01
TOSqkLACwlnGW+7LViigPw103+84KUeNQy1FobmTbAr2O3fzYpU+i4EdkdOy
hKNifIMR1u4NHYTV9VnLKFssZ9RW/wu1jaizEnye4PVbmDk2MrNNR8mDav1J
dvc/ROAuKdBCE9FiQA+Y10rNuLVHtqjLo654wOoT52pRATNYzqQUs4sJrdbV
bepNcTB7sN0gNa9CIF60lkCr4GwH0CfQZ1aK9bp4Ht5gVXVVnEdq+8e/S5vQ
u9HZjMPt/cLA//JX5VkUJv6ou9BkEIXnU+qYSTYhYZus0v4cGX1vL3jckDSe
Suioe2lYuo552dg34L78aVpK0zcVSb2wjZCEnFg39Z12DfCyOGy1pKXCLOT4
JvmF5Ay5VuJqanyKFXph0xmINK8n4lPk7r0/7QXMlEb6fKBYaJm6fgOPZmqo
hREh8FEjScY/pRPLqA9t6jc8kng2QO21WqxlQAOQf0gjhbs64JEHdAwUWsbH
wIenoGLSZjblnUKuYJSA0mbSYpO7OzzoTDf3fC8JKDlpLcPJZj4WoKIR5QdX
jIYdVnJdHJO8pMLCwAQO+fDRXBP5qqMyI/Vk2WWao4CJDdfSuyWnpJvBwqdh
+BkzTLrhWYLnNLGebdKdiqdF6CMiYIoKZz6HhZ6iuNLwO4W1+mAOvT9B7BZt
skvjeala9kX5pxrAagY61vPzi0PgSkqzwNAa9k/H/hBYTsSFEKhlx2qlJ487
HUUCoIn4tVX+2YH2WskrLFKNKQNI9xeqsoeI3T3Ea8ldJlhYaO9NGp0khOm6
LpQEYWI9Mg81J8EEFSD6sKbP38P22aREUWnVc4SAb9lRfpSqX9xDJK0ApbNA
uVOPjp0l+gafWtnjQWT8kgxQD77QeH9L+gHpdv4U8dMdUvj4Z4NPrkAV4ZQq
6gTRFTyAti3lRrA5pkl4zgWzhhDTbtmZYxqB5CnFizNUnfWJpI7dUjnOWu+r
kvp25lBpU2NvqUxmVqScjquATy5ZI6UoozLuWl39dNq/ygmRIeZsJFgX9CIl
lA5mnLJIWVOmGl0kxCGhcxsSMgX42lCf6xyBfF5u6o/h0Do7F1LNuxAtFdsE
8PqNkwNlK451CJoCuqok4lPNN+eal9UIYpNgy6lXFBNNC+tyISRnsGwfGLNn
w0DhybkYy1/D7keozcEQubHiNLCs20XpgyQopHkf4hzLRytOVrxk/DoYcFM0
nj5UI1JhhAEQSpeIOWWMCk0dQZDrmKPXk60VHYWKS0OCTm2o8apgrlan2dEa
Ln3vdwcjyg4xr+ED3vJjTU3zA/w5LYzgXoIRpRH4WPE5U1xAzFSUdiOCzRzo
ofx5Gttx47hEprBmuc6cVUaj0ecxIE+BUQyQpofLkzi7hiGss5udT6HJyonp
EFbmMQHIj1o4r2EWLS5wGvrjo3NNHdlRWu1Mu9Ycol2znhVid8YK/Ajvf4ed
bpHLtADLOoJmekka2Zs6yKslYzr936vZFzhnS2QS7/dOZzgNmHFk4Cef0S5f
vkPa3//1dx9rWUf7WDoRbsrXW13rme7Inf7nf6w7mS06iTj1zpQd8GdlDDYi
l1ThzQ7INSkOeIuTWrS71b7N28r0jc4egXafqxIbKOMG0uega3ek8VHmfZA6
FprxlLpVe041Xlqi97QE+zp9lIvdzfKU38rpm5k7vxUn93lfsW4sW4BH/1hD
q9VKy8zKr16XXXVHpWrAdub5Ub9kUOfidclFGBKNCKJYXSfoerlazY59fNf1
os/S+ZVBLh26PXTA/TbrbvuzYBpvPoZx9Ye//o4/NPhP3kPD5XbEGkyp3VGm
nYKjnK/DVLqW8IgsX/gwXrBXl3zEhb4t29LxwaPNqvf6knRo2lT+s71hecHH
rLnntEDLC5bhala1KcNmCOzv7p5MRtn/2CqwnqtJ5KpEZtLtn4pJ548pyTRk
kCVKFh+pQFwvjG7LEn4oV9qGlW3aHAXtHlodXFQdMtXellyFKCcJH3Dk3v6q
Cf+w7jIOLUPMjje+DW3apwilV92LyV2INP0Y9XkbOivKnjMBukn7+z9817Ut
EZ3e9lT7Xdw+D4bbED9+oBueXzM9FrUi35ShqFm9TDsw6ZHOAnPgxulh6AS+
yyJV6XYbtXTeheOnrpYAlcpM07dDi0U+x+/BqS8iPOnz91s5i2zPRQLmumrW
OhW6WV8Eb8Dckt+7FCZ0T9zoSm0Sx8iui9f0Wkxj5yotGyKL+UDSbCmj+KCT
DTMjqLd4xGVcXBHnYMN/z4L8Ty3HnUdbZeO1ysZrlcttd2r9h6R2Vka3BgUZ
3f7RZDQfJ51ybiNYtU3INXgxUFyv0zcs7V+LvOzk5WXRX1oIxdjzS9IL+oiT
9EI5b8gK2RXFu1mPx6w89+Ck6u4AkwkkFeC8N0zz/yoGyQGEe0I8aIvfCzgf
tO7Gd2J/DXYxlRyUx3K0i+9Hi8pkCvYy7UtMkpFpSUIm94MBP9z4R8/H8P92
843DUTDc8q0N9LlsBwnuTe+Z6Yxx7735Nhr25lQRykYRdQeOTKOQkoeysVqH
1XTKWU2eZHeHUJkVFfddYZvdw6Sc/VlH8D44TpxyD094jzjpgExjYn74uidR
KGf07e6jMMAzxrCOjCnf9sfR5zyZk+1KIkRWu8gUUWSP+VzbF6M33r6XnN4U
v8IMZMMnua0COtV0COdK5ZopvNZtmu2l6o7KH6eCCLaRv/H5uDg6Qz2z1yhO
ZsudcFfkxyC+R54EO1I+GJ+m/rwHNLZ+LgeO8VRTMXJAxZcZvSNQNznlSdKR
bhY2WEoNj+btYg6PlFW/pXOkW9IxGFUF0DxKZ+e6LAvFrYWhiKXXto0703Gp
pp9qqNxLsET7o5XGYWZUVKK5U0KlexmbweYupA0zEFrmY56THOQCart/516W
Zglk4qqxDrZILPxeqFx6VN6Gp2MD2GmqX0fEo93idMatTSS/r3WHi9idSnVu
nhopnMOJ/peopJPER+J0/HKcKzGtVOiiz0n6Kja9aem8HkaObVAUSEwlThO8
yZXJJ6mEq+064N5cts0RJn1zZCrX6Sh+pA8dA+zRmfI6YKIvgVm03cAzuzrG
szaQmtnHaGYf4CsOxbltevTInNWYPb3LnJ6jM0sALbVaTWBwVbfqs+kGl4AM
8YWiKEO+kR7/+FFLHBieDLrRYaXyX8v/qwjz32dgYt2JZlM0W6LZFs2OaHYF
iNRmXzQHojkUzZFoStGciqYnmjPRVKI5F+/SAV7SAJ2m6LSwhKDTEZ2u6PQE
aLCdgegMRWckOlJ0pu5Dz+mhdlt4SozaYgZKy1T0mmIwEN2pkFN8U2so2vDo
TPRhyZUYOG99/qbNYHdEqyP6HayVGXTpHAMphn3RRcezmE/FsIlwTAdCwgfP
heCMBhhNRWsmuiPYJ6LbFtMmzlV5+GHqCQUDzMSsKRSIZPh1BAPsQiisx0fi
CLRBWAQJ8p13hpp98mguV7FCafjgWowJJgfI8/yFF3a13uf/OIDT0PZDpq3f
/z4DpGBTF/a7PZE3/UHI6zZFt4UgdTui2/0BuGwP98Ql0OW8g+Qru2LWw8+w
aWRPDAAS4NBzutjGLaCGYl6Cy30G+EBcen9aQuw3Rb8l+m3ccf0umKmi3xf9
gegPRX8k+lL0p0UE938osc6HAmyb1kAMATnAFqQYNcVsJIYtMZwj3gZTXGqA
YAibf1pE8D4DFBAM85s3RW+KrKcFYryNpAWLOGiBdi96cGW25yLM/pQE3e2J
LvC3AXYNhO3Xlcgvux5yPCCW7vzDFq3viT7x2f48fZz/AyqEKQ/aYtBBFjsA
uuwjmx4MxWAkBhKRN/DEYCYGqrj48x27aLg3p+rgxMGcanVRBg27OPG2h9wJ
rngDxA+8WI2EB9ynX8Kp9hjggxa/18EF6AG3axVwNhNeEwnLI5qTIH5Gog00
N8WFBM4yn+NqgLRsNfckIvXTEdGPQEEFuhjuoIvBvlwXCAvUBRDso4FotXBe
oDQAFYAS0pNiNkAZBCoHSKVWHzd6GVN4cIAfgS7uXe0Sha79gQodaE7tDipE
QPCqhcsz6yPUvTYyPwBw3sL/T2nOmalqhW4kET9K0QYbohaFrLONjwLdzvti
lKEUprPWHFUywB/MFPRGUP4ALXCxB+pEFzfEHKuWxLyHJNiZ5vEDulxzVqQ/
OUPGBrsVxChSbxPpD/YvkJ3XRc0TVhE1T1gWWId2flSAFRTNUUuMMmNrFXSG
dAsiuOUhbiRpijAwvAoUmekMsQg8D/YKTAyotqCCwlsBMUCiMC+YLKC7TSoo
7BKgChDpAKvq4e4BpRpU3aIKqnB1RoBiYGNN/AwCCmjRG4rRCKcGqlSPJgjE
PO8V95LcwUtH+/JYWAuY3HSO2hvMYthGlX3awS0OxAHb14Opg4bSQ3bVnxf3
UnGAws6ZDhEjoMm0yK6A4WDTgUhpt3BOfdIcB0QWcMO0k19DMBBg9aZkjbzv
FuqIA8df/KPZRAVibuIUYccAVQPttmhmoISAWdMa4Rq3pkh0oEYDJ2n9qUwq
uAaazWiOVAM3ArdqK9wWQ1oZIEfU0Ft4D9zZmhbpWc5xN/S6OH1sfCUR67AV
YP+AEIXnZi1cvR4JXNUr0jMQDoLaQhEI5AP0AvIFUAjbAiYyVGgmAFaAtoHg
+8P95F/nX71J9f7Tzm2ifQb4MDOg82/NpAI9Q3rCk6iQgNoE1AzIGTW15gTc
CLYR7sgWaSElwn2fAT4Ql/9fmFSgEWCaxhxFV2+OvATUVNVBfRBEHpAe7G3U
5UhBHTWLCN5ngAKCQfiD2gkSF7gZCFpQo0AuwztAuIO+BfyoPdhzEf7DpPoB
JhWQP2qqJIRhZ6AEHqAiKMFSGQrZRl4D8gidOzPcZoXF32eAD1p8UJ7QUAcN
u6A6d1hhIDO+B0TWQ+BABwStFpRLQDzqR32CYk+7vPMfJlVODRwh1YGqAqQI
oMBqdkjzBPg8RUouCCNQ3kESDXABimrgHgP8CHTxvvpg9wP1wfc0qfKQggSS
fXQBdDwxHKDmCIoAqAPtLu4m9Hd7RMEDvLOVMRT+XVlk8Eo0oafIVIYS70I9
dkYgtsisIq80qMC9Hi5I0SJr4x4Crio7KJhA4Ets8YOaLbCn+RQ1WBRSbQR6
VKLBgm6Lu7iLLHXaF94Mr8DSwKhAjLBYgMthC/c4jDToFrfiD7bIAImAONBf
YM1h9l4fRQXADwJ35OFnWHP4DJQEFlV3VsKi9x6gaKn1EL1gKYCpM+9oIh2S
C9VroTsajcAuyqgOUkF+bdH3P8e1Iw1g987kCovEFGpRZKzz7PzcCcpxFVOa
doXZNW6HoRs82zLyFz7XIcwwvTLccLbNyeXkVEzGz06qTkAPw4XiTHq9Z+5R
PtIEGrntGgJR57v0TXEaoTeNxrCZkSlJkfn0Yaf3lK10onyMzjNxd/f56bit
812//BwTFk9Oxx3KjaHpY2ks1inMZDTD08vsbE0XS8KUTu/AbihH467pXYNp
J3SlZ1KT4Q3pVZ2XTK+5nIC1UW93sTUwfRiafrT59llcGobBV4ptAnj4yir+
q3NIcOj8UfdpCkB87wnhPjc35VpWJIeVSjuWmyQWTrLC19ryPz2x9Kc+J3ul
OVkIn66t05WR8HY6C4PbDDtFfVM+NDzt1Ma5N57UzTFhKBcjMR+diQlPNWoz
ropJ1ghnmjpjCvso88/UNGUrGCne7R7Giul/dnh91CdCc8u50CbXmlK0uNAE
M8DdMTlFgwvz3O7BaZthIgWbd+4ecVu3JEYrxH0282ewA5R4V+0LH2up+RNS
HqbSbnRHHA7JBz5MhjrziDX1Q1fYnPzsECuJcH0o+4ZOVuR2yDO9F9vcQScU
LRbYmACU9p43RTwmC95JH6NjRPTJvCZ3zMkk545tJafSO7029ZTGbwNbIk4Z
IJyiZVs+7SRufQ5BnB5EYDOZvGxTbV3gbFsW2MNQLBcrW9ikQJm6P50FwGkk
T2tByy1n4UafNZuWu1rIdHYXdc/1In8K80Ka9QNK1zjijvMvwgXozkAp4bU6
DS6eHn3yCGhLPRIl6vSRbm9N61lrDXHdaq0RHfNE8KTMTncKh5XYAufczGg3
0XOwWIa5UDIQLTV1GQvCG+HxmQVzlAMljC2PO0w7wtoBWMTXp8eM/Re+pNy7
CZIobwA8aHiGFaWS95h5qcbMxpQD0yRclkjMCA+xUgSaNKX4mU7MnLd2b/Nl
KoqDF+iUyrRJp85B5Xvuhc3t+/3ncbZVtz3XOoaBabqTTEI/nniKbGKLLf/M
GRoHpSdofMGtH4lveysFEgNTRxPdlZnmem4PzsC52ANFbMoyvv9C2T6emTa/
fBq2aczPOUq13LmiW130m3b+44Ns6WGNK72amaZdodDHhJYeS6rL3dNKZf2q
lDicsyWyp0akRzdkN3v66K5+6DM/9rZxrJGyFw0CJpYBd4nX281t4Eo9Tifn
oM42a53hMR4vrhmSu7agEvlv1cwcW51tNad7zNFJaXzSOpdamxxMamb6eI8W
VauSVltUrE1E/bFO5LPtUXPZ7m6l9D298PjIclvuKWBRE2CRDnqcw9xokHAV
Lm6JdoPtRuA52G80Hmq/wMOwsfQzMee11n6ROdSbj1T1TAsf4h7lroVL3U0B
q8SRx1+BjLm78AGoaCaeyCjAtjRUX3p3uQzXMEnsR6ymcrs2188lvPRKnFzN
5HJlLk68MEnE09V2GWGBKl+8ABoSz/HMYnVrrp3AuosXsObRIlKBufobtdzO
pLBNsPnqZ/Kb7dK/CsWZj4m6Sby1r8OjeSJfnEt5HaKOkw41gfUQF9sQoZfO
W69AMuFpmdGVBpDrZu/O5CIAZv8a0/yiFVDAO11Cy9ny1M4DVULdrE6fe6Cb
j4COEq5txyQ+jVN3+8Aq9LdJ5qTcMMCzps1ZtXd3p7Xjuh8l85o3jxY1ibl+
8K+cobD/v5bKuEKC6AAA

-->

</rfc>
