<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-bradleylundberg-cfrg-arkg-11" category="info" consensus="true" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="ARKG">The Asynchronous Remote Key Generation (ARKG) algorithm</title>
    <seriesInfo name="Internet-Draft" value="draft-bradleylundberg-cfrg-arkg-11"/>
    <author fullname="Emil Lundberg" role="editor">
      <organization>Yubico</organization>
      <address>
        <postal>
          <street>Gävlegatan 22</street>
          <city>Stockholm</city>
          <country>SE</country>
        </postal>
        <email>emil@emlun.se</email>
      </address>
    </author>
    <author fullname="John Bradley">
      <organization>Yubico</organization>
      <address>
        <email>ve7jtb@ve7jtb.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <area>IRTF</area>
    <workgroup>Crypto Forum</workgroup>
    <keyword>KDF</keyword>
    <abstract>
      <?line 156?>

<t>Asynchronous Remote Key Generation (ARKG) is an abstract algorithm
that enables delegation of asymmetric public key generation without giving access to the corresponding private keys.
This capability enables a variety of applications:
a user agent can generate pseudonymous public keys to prevent tracking;
a message sender can generate ephemeral recipient public keys to enhance forward secrecy;
two paired authentication devices can each have their own private keys while each can register public keys on behalf of the other.</t>
      <t>This document provides three main contributions:
a specification of the generic ARKG algorithm using abstract primitives;
a set of formulae for instantiating the abstract primitives using concrete primitives;
and an initial set of fully specified concrete ARKG instances.
We expect that additional instances will be defined in the future.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-bradleylundberg-cfrg-arkg/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/Yubico/arkg-rfc"/>.</t>
    </note>
  </front>
  <middle>
    <?line 173?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Asynchronous Remote Key Generation (ARKG) introduces a mechanism
to generate public keys without access to the corresponding private keys.
Such a mechanism is useful for many scenarios when a new public key is needed
but the private key holder is not available to perform the key generation.
This may occur when private keys are stored in a hardware security device,
which may be unavailable or locked at the time a new public key is needed.</t>
      <t>Some motivating use cases of ARKG include:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Single-use asymmetric keys</strong>:
Envisioned for the European Union's digital identity framework,
which is set to use single-use asymmetric keys to prevent colluding verifiers from using public keys as correlation handles.
Each digital identity credential would thus be issued with a single-use proof-of-possession key,
used only once to present the credential to a verifier.
ARKG empowers both online and offline usage scenarios:
for offline scenarios, ARKG enables pre-generation of public keys for single-use credentials
without needing to access the hardware security device that holds the private keys.
For online scenarios, ARKG gives the credential issuer assurance
that all derived private keys are bound to the same secure hardware element.
In both cases, application performance may be improved
since public keys can be generated in a general-purpose execution environment instead of a secure enclave.</t>
        </li>
        <li>
          <t><strong>Enhanced forward secrecy</strong>:
The use of ARKG can facilitate forward secrecy in certain contexts.
For instance, <eref target="https://www.rfc-editor.org/rfc/rfc9052.html#name-direct-key-agreement">section 8.5.4 of RFC 9052</eref> notes that
"Since COSE is designed for a store-and-forward environment rather than an online environment,
[...] forward secrecy (see <xref target="RFC4949"/>) is not achievable. A static key will always be used for the receiver of the COSE object."
As opposed to workarounds like exchanging a large number of keys in advance,
ARKG enables the sender to generate ephemeral recipient public keys on demand.</t>
        </li>
        <li>
          <t><strong>Backup key generation</strong>:
For example, the W3C Web Authentication API <xref target="WebAuthn"/> (WebAuthn) generates a new key pair for each account on each web site.
ARKG could allow for simultaneously generating a backup public key when registering a new public key.
A primary authenticator could generate both a key pair for itself and a public key for a paired backup authenticator.
The backup authenticator only needs to be paired with the primary authenticator once,
and can then be safely stored until it is needed.</t>
        </li>
      </ul>
      <t>ARKG consists of three procedures:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Initialization</strong>:
The <em>delegating party</em> generates a <em>seed pair</em> and discloses the <em>public seed</em> to a <em>subordinate party</em>,
while securely retaining the <em>private seed</em>.</t>
        </li>
        <li>
          <t><strong>Public key generation</strong>:
The subordinate party uses the public seed to autonomously generate a new public key
along with a unique <em>key handle</em> for the public key.
This can be repeated any number of times.</t>
        </li>
        <li>
          <t><strong>Private key derivation</strong>:
The delegating party uses a key handle and the private seed
to derive the private key corresponding to the public key generated along with the key handle.
This can be repeated with any number of key handles.</t>
        </li>
      </ul>
      <t>Notably, ARKG can be built entirely using established cryptographic primitives.
The required primitives are a public key blinding scheme and a key encapsulation mechanism (KEM),
which may in turn use a key derivation function (KDF) and a message authentication code (MAC) scheme.
Both conventional primitives and quantum-resistant alternatives exist that meet these requirements. <xref target="ASIACCS_SteWil24"/></t>
      <section anchor="requirements-language">
        <name>Requirements Language</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

</section>
      <section anchor="notation">
        <name>Notation</name>
        <t>The following notation is used throughout this document:</t>
        <ul spacing="normal">
          <li>
            <t>The symbol <tt>||</tt> represents octet string concatenation.</t>
          </li>
          <li>
            <t>Literal text strings and octet strings are denoted
using the CDDL syntax defined in <xref section="3.1" sectionFormat="of" target="RFC8610"/>.</t>
          </li>
          <li>
            <t>Elliptic curve operations are written in additive notation:
<tt>+</tt> denotes point addition, i.e., the curve group operation;
<tt>*</tt> denotes point multiplication, i.e., repeated point addition;
and <tt>+</tt> also denotes scalar addition modulo the curve order.
<tt>*</tt> has higher precedence than <tt>+</tt>, i.e., <tt>a + b * C</tt> is equivalent to <tt>a + (b * C)</tt>.</t>
          </li>
          <li>
            <t><tt>LEN(x)</tt> is the length, in octets, of the octet string <tt>x</tt>.</t>
          </li>
          <li>
            <t>The function <tt>I2OSP</tt> converts a nonnegative integer into an octet string as defined in <xref section="4.1" sectionFormat="of" target="RFC8017"/>.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="arkg">
      <name>The Asynchronous Remote Key Generation (ARKG) algorithm</name>
      <t>The ARKG algorithm consists of three functions, each performed by one of two participants:
the <em>delegating party</em> or the <em>subordinate party</em>.
The delegating party generates an ARKG <em>seed pair</em> and emits the <em>public seed</em> to the subordinate party
while keeping the <em>private seed</em> secret.
The subordinate party can then use the public seed to generate derived public keys and <em>key handles</em>,
and the delegating party can use the private seed and a key handle to derive the corresponding private key.</t>
      <t>This construction of ARKG is fully deterministic, extracting input entropy as explicit parameters,
as opposed to the internal random sampling typically used in the academic literature <xref target="CCS_FGKLMN20"/> <xref target="Wilson2023"/> <xref target="AC_BreCleFis24"/>.
Implementations <bcp14>MAY</bcp14> choose to instead implement the <tt>ARKG-Derive-Seed</tt> and <tt>KEM-Encaps</tt> functions
as nondeterministic procedures omitting their respective <tt>ikm</tt> parameters
and sampling random entropy internally;
this choice does not affect interoperability between the functions
<tt>ARKG-Derive-Seed</tt>, <tt>ARKG-Derive-Public-Key</tt> and <tt>ARKG-Derive-Private-Key</tt>.</t>
      <t>The following subsections define the abstract instance parameters used to construct the three ARKG functions,
followed by the definitions of the three ARKG functions.</t>
      <section anchor="arkg-params">
        <name>Instance parameters</name>
        <t>ARKG is composed of a suite of other algorithms.
The parameters of an ARKG instance are:</t>
        <ul spacing="normal">
          <li>
            <t><tt>BL</tt>: An asymmetric key blinding scheme <xref target="Wilson2023"/>, consisting of:
            </t>
            <ul spacing="normal">
              <li>
                <t>Function <tt>BL-Generate-Keypair() -&gt; (pk, sk)</tt>: Generate a blinding key pair.      </t>
                <t>
Input consists of input keying material entropy <tt>ikm</tt>.      </t>
                <t>
Output consists of a blinding public key <tt>pk</tt> and a blinding private key <tt>sk</tt>.</t>
              </li>
              <li>
                <t>Function <tt>BL-PRF(ikm_tau, ctx) -&gt; tau</tt>: Derive a pseudorandom blinding factor.      </t>
                <t>
Input consists of input entropy <tt>ikm_tau</tt>
and a domain separation parameter <tt>ctx</tt>.      </t>
                <t>
Output consists of the blinding factor <tt>tau</tt>.</t>
              </li>
              <li>
                <t>Function <tt>BL-Blind-Public-Key(pk, tau) -&gt; pk_tau</tt>: Deterministically compute a blinded public key.      </t>
                <t>
Input consists of a blinding public key <tt>pk</tt>,
and a blinding factor <tt>tau</tt>.      </t>
                <t>
Output consists of the blinded public key <tt>pk_tau</tt>.</t>
              </li>
              <li>
                <t>Function <tt>BL-Blind-Private-Key(sk, tau) -&gt; sk_tau</tt>: Deterministically compute a blinded private key.      </t>
                <t>
Input consists of a blinding private key <tt>sk</tt>,
and the blinding factor <tt>tau</tt>.      </t>
                <t>
Output consists of the blinded private key <tt>sk_tau</tt>.</t>
              </li>
            </ul>
            <t>
<tt>ikm</tt> is an opaque octet string of a suitable length as defined by the ARKG instance.
<tt>ikm_tau</tt> is an opaque octet string generated as the <tt>k</tt> output of <tt>KEM-Encaps</tt> and <tt>KEM-Decaps</tt>.
<tt>ctx</tt> is an opaque octet string of arbitrary length.  </t>
            <t>
The representations of <tt>pk</tt> and <tt>pk_tau</tt> are defined by the protocol that invokes ARKG.
The representations of <tt>sk</tt>, <tt>tau</tt> and <tt>sk_tau</tt> are undefined implementation details.  </t>
            <t>
See <xref target="Wilson2023"/> for definitions of security properties required of the key blinding scheme <tt>BL</tt>.</t>
          </li>
          <li>
            <t><tt>KEM</tt>: A key encapsulation mechanism <xref target="Shoup"/>, consisting of the functions:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>KEM-Derive-Key-Pair(ikm) -&gt; (pk, sk)</tt>: Derive a key encapsulation key pair.      </t>
                <t>
Input consists of input keying material entropy <tt>ikm</tt>.      </t>
                <t>
Output consists of public key <tt>pk</tt> and private key <tt>sk</tt>.</t>
              </li>
              <li>
                <t><tt>KEM-Encaps(pk, ikm, ctx) -&gt; (k, c)</tt>: Derive a key encapsulation.      </t>
                <t>
Input consists of an encapsulation public key <tt>pk</tt>,
input entropy <tt>ikm</tt>
and a domain separation parameter <tt>ctx</tt>.      </t>
                <t>
Output consists of a shared secret <tt>k</tt> and an encapsulation ciphertext <tt>c</tt>.</t>
              </li>
              <li>
                <t><tt>KEM-Decaps(sk, c, ctx) -&gt; k</tt>: Decapsulate a shared secret.      </t>
                <t>
Input consists of encapsulation private key <tt>sk</tt>, encapsulation ciphertext <tt>c</tt>
and a domain separation parameter <tt>ctx</tt>.      </t>
                <t>
Output consists of the shared secret <tt>k</tt> on success, or an error otherwise.</t>
              </li>
            </ul>
            <t>
<tt>ikm</tt> is an opaque octet string of a suitable length as defined by the ARKG instance.
<tt>k</tt>, <tt>c</tt> and <tt>ctx</tt> are opaque octet strings of arbitrary length.
The representation of <tt>pk</tt> is defined by the protocol that invokes ARKG.
The representation of <tt>sk</tt> is an undefined implementation detail.  </t>
            <t>
The KEM <bcp14>MUST</bcp14> guarantee integrity of the ciphertext,
meaning that knowledge of the public key <tt>pk</tt> and the domain separation parameter <tt>ctx</tt>
is required in order to create any ciphertext <tt>c</tt> that can be successfully decapsulated by the corresponding private key <tt>sk</tt>.
<xref target="hmac-kem"/> describes a general formula for how any KEM can be adapted to include this guarantee.
<xref target="design-rationale-mac"/> discusses the reasons for this requirement.  </t>
            <t>
See <xref target="ASIACCS_SteWil24"/> for definitions of additional security properties required of the key encapsulation mechanism <tt>KEM</tt>.</t>
          </li>
        </ul>
        <t>A concrete ARKG instantiation <bcp14>MUST</bcp14> specify the instantiation
of each of the above functions.</t>
        <t>The output keys of the <tt>BL</tt> scheme are also the output keys of the ARKG instance as a whole.
For example, if <tt>BL-Blind-Public-Key</tt> and <tt>BL-Blind-Private-Key</tt> output ECDSA keys,
then the ARKG instance will also output ECDSA keys.</t>
        <t>We denote a concrete ARKG instance by the pattern <tt>ARKG-NAME</tt>,
substituting for <tt>NAME</tt> some description of the chosen instantiation for <tt>BL</tt> and <tt>KEM</tt>.
Note that this pattern cannot in general be unambiguously parsed;
implementations <bcp14>MUST NOT</bcp14> attempt to construct an ARKG instance by parsing such a pattern string.
Concrete ARKG instances <bcp14>MUST</bcp14> always be identified by lookup in a registry of fully specified ARKG instances.
This is to prevent usage of algorithm combinations that may be incompatible or insecure.</t>
      </section>
      <section anchor="the-function-arkg-derive-seed">
        <name>The function ARKG-Derive-Seed</name>
        <t>This function is performed by the delegating party.
The delegating party derives the ARKG seed pair <tt>(pk, sk)</tt>
and keeps the private seed <tt>sk</tt> secret, while the public seed <tt>pk</tt> is provided to the subordinate party.
The subordinate party will then be able to derive public keys on behalf of the delegating party.</t>
        <sourcecode type="pseudocode"><![CDATA[
ARKG-Derive-Seed(ikm_bl, ikm_kem) -> (pk, sk)
    ARKG instance parameters:
        BL        A key blinding scheme.
        KEM       A key encapsulation mechanism.

    Inputs:
        ikm_bl    Input keying material entropy for BL.
        ikm_kem   Input keying material entropy for KEM.

    Output:
        (pk, sk)  An ARKG seed pair with public seed pk
                    and private seed sk.

    The output (pk, sk) is calculated as follows:

    (pk_bl,  sk_bl)  = BL-Derive-Key-Pair(ikm_bl)
    (pk_kem, sk_kem) = KEM-Derive-Key-Pair(ikm_kem)
    pk = (pk_bl, pk_kem)
    sk = (sk_bl, sk_kem)
]]></sourcecode>
        <section anchor="derive-seed-nondeterministic">
          <name>Nondeterministic variants</name>
          <t>Applications that do not need a deterministic interface <bcp14>MAY</bcp14> choose
to instead implement <tt>ARKG-Derive-Seed</tt>, <tt>KEM-Derive-Key-Pair</tt> and <tt>BL-Derive-Key-Pair</tt>
as nondeterministic procedures omitting their respective <tt>ikm</tt> parameters
and sampling random entropy internally;
this choice does not affect interoperability with <tt>ARKG-Derive-Public-Key</tt> and <tt>ARKG-Derive-Private-Key</tt>.</t>
        </section>
      </section>
      <section anchor="the-function-arkg-derive-public-key">
        <name>The function ARKG-Derive-Public-Key</name>
        <t>This function is performed by the subordinate party, which holds the ARKG public seed <tt>pk = (pk_bl, pk_kem)</tt>.
The resulting public key <tt>pk'</tt> can be provided to external parties to use in asymmetric cryptography protocols,
and the resulting key handle <tt>kh</tt> can be used by the delegating party to derive the private key corresponding to <tt>pk'</tt>.</t>
        <t>This function may be invoked any number of times with the same public seed,
using different <tt>ikm</tt> or <tt>ctx</tt> arguments,
in order to generate any number of public keys.</t>
        <sourcecode type="pseudocode"><![CDATA[
ARKG-Derive-Public-Key((pk_bl, pk_kem), ikm, ctx) -> (pk', kh)
    ARKG instance parameters:
        BL        A key blinding scheme.
        KEM       A key encapsulation mechanism.

    Inputs:
        pk_bl     A key blinding public key.
        pk_kem    A key encapsulation public key.
        ikm       Input entropy for KEM encapsulation.
        ctx       An octet string of length at most 64,
                    containing optional context and
                    application specific information
                    (can be a zero-length string).

    Output:
        pk'       A blinded public key.
        kh        A key handle for deriving the blinded
                    private key sk' corresponding to pk'.

    The output (pk', kh) is calculated as follows:

    if LEN(ctx) > 64:
        Abort with an error.

    ctx'    = I2OSP(LEN(ctx), 1) || ctx
    ctx_bl  = 'ARKG-Derive-Key-BL.'  || ctx'
    ctx_kem = 'ARKG-Derive-Key-KEM.' || ctx'

    (ikm_tau, c) = KEM-Encaps(pk_kem, ikm, ctx_kem)
    tau = BL-PRF(ikm_tau, ctx_bl)
    pk' = BL-Blind-Public-Key(pk_bl, tau)

    kh = c
]]></sourcecode>
        <t>If this procedure aborts due to an error,
the procedure can safely be retried with the same <tt>(pk_bl, pk_kem)</tt> and <tt>ctx</tt> arguments but a new <tt>ikm</tt> argument.</t>
        <t>See <xref target="long-ctx"/> for guidance on using <tt>ctx</tt> arguments longer than 64 bytes.</t>
        <section anchor="derive-pk-nondeterministic">
          <name>Nondeterministic variants</name>
          <t>Applications that do not need a deterministic interface <bcp14>MAY</bcp14> choose
to instead implement <tt>ARKG-Derive-Public-Key</tt> and <tt>KEM-Encaps</tt>
as nondeterministic procedures omitting their respective <tt>ikm</tt> parameter
and sampling random entropy internally;
this choice does not affect interoperability with <tt>ARKG-Derive-Private-Key</tt>.</t>
          <t><tt>BL-PRF</tt> and <tt>BL-Blind-Public-Key</tt> must always be deterministic
for compatibility with <tt>ARKG-Derive-Private-Key</tt>.</t>
        </section>
      </section>
      <section anchor="the-function-arkg-derive-private-key">
        <name>The function ARKG-Derive-Private-Key</name>
        <t>This function is performed by the delegating party, which holds the ARKG private seed <tt>(sk_bl, sk_kem)</tt>.
The resulting private key <tt>sk'</tt> can be used in asymmetric cryptography protocols
to prove possession of <tt>sk'</tt> to an external party that has the corresponding public key.</t>
        <t>This function may be invoked any number of times with the same private seed,
in order to derive the same or different private keys any number of times.</t>
        <sourcecode type="pseudocode"><![CDATA[
ARKG-Derive-Private-Key((sk_bl, sk_kem), kh, ctx) -> sk'
    ARKG instance parameters:
        BL        A key blinding scheme.
        KEM       A key encapsulation mechanism.

    Inputs:
        sk_bl     A key blinding private key.
        sk_kem    A key encapsulation private key.
        kh        A key handle output from ARKG-Derive-Public-Key.
        ctx       An octet string of length at most 64,
                    containing optional context and
                    application specific information
                    (can be a zero-length string).

    Output:
        sk'       A blinded private key.

    The output sk' is calculated as follows:

    if LEN(ctx) > 64:
        Abort with an error.

    ctx'    = I2OSP(LEN(ctx), 1) || ctx
    ctx_bl  = 'ARKG-Derive-Key-BL.'  || ctx'
    ctx_kem = 'ARKG-Derive-Key-KEM.' || ctx'

    ikm_tau = KEM-Decaps(sk_kem, kh, ctx_kem)
    If decapsulation failed:
        Abort with an error.

    tau = BL-PRF(ikm_tau, ctx_bl)
    sk' = BL-Blind-Private-Key(sk_bl, tau)
]]></sourcecode>
        <t>Errors in this procedure are typically unrecoverable.
For example, <tt>KEM-Decaps</tt> may fail to decapsulate the KEM ciphertext <tt>kh</tt> if it fails an integrity check.
ARKG instantiations <bcp14>SHOULD</bcp14> be chosen in a way that such errors are impossible
if <tt>kh</tt> was generated by an honest and correct implementation of <tt>ARKG-Derive-Public-Key</tt>.
Incorrect or malicious implementations of <tt>ARKG-Derive-Public-Key</tt> do not degrade the security
of an honest and correct implementation of <tt>ARKG-Derive-Private-Key</tt>.
See also <xref target="design-rationale-mac"/>.</t>
        <t>See <xref target="long-ctx"/> for guidance on using <tt>ctx</tt> arguments longer than 64 bytes.</t>
      </section>
      <section anchor="long-ctx">
        <name>Using <tt>ctx</tt> values longer than 64 bytes</name>
        <t>The <tt>ctx</tt> parameter of <tt>ARKG-Derive-Public-Key</tt> and <tt>ARKG-Derive-Private-Key</tt>
is limited to a length of at most 64 bytes.
This is because this value needs to be communicated from the <em>subordinate party</em> to the <em>delegating party</em>
to use the same argument value in both functions,
therefore it is necessary in some contexts to limit the size of this parameter
in order to limit the size of overall protocol messages.</t>
        <t>If applications require <tt>ctx</tt> values longer than 64 bytes,
implementors <bcp14>MAY</bcp14> use techniques such as that described in <xref section="5.3.3" sectionFormat="of" target="RFC9380"/>.
Precise procedure definitions are left as an application-specific implementation detail.</t>
      </section>
    </section>
    <section anchor="generic-formulae">
      <name>Generic ARKG instantiations</name>
      <t>This section defines generic formulae for instantiating the individual ARKG parameters,
which can be used to define concrete ARKG instantiations.</t>
      <section anchor="blinding-ec">
        <name>Using elliptic curve addition for key blinding</name>
        <t>Instantiations of ARKG whose output keys are elliptic curve keys
can use elliptic curve addition as the key blinding scheme <tt>BL</tt> <xref target="CCS_FGKLMN20"/> <xref target="Wilson2023"/>.
This section defines a general formula for such instantiations of <tt>BL</tt>.</t>
        <t>This formula has the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>crv</tt>: An elliptic curve.</t>
          </li>
          <li>
            <t><tt>hash-to-crv-suite</tt>: A hash-to-curve suite <xref target="RFC9380"/>
suitable for hashing to the scalar field of <tt>crv</tt>.</t>
          </li>
          <li>
            <t><tt>DST_ext</tt>: A domain separation tag.</t>
          </li>
        </ul>
        <t>Then the <tt>BL</tt> parameter of ARKG may be instantiated as follows:</t>
        <ul spacing="normal">
          <li>
            <t><tt>G</tt> is the generator of the prime order subgroup of <tt>crv</tt>.</t>
          </li>
          <li>
            <t><tt>N</tt> is the order of <tt>G</tt>.</t>
          </li>
          <li>
            <t>The function <tt>hash_to_field</tt> is defined in <xref section="5" sectionFormat="of" target="RFC9380"/>.</t>
          </li>
        </ul>
        <sourcecode type="pseudocode"><![CDATA[
BL-Derive-Key-Pair(ikm) -> (pk, sk)

    DST_bl_sk = 'ARKG-BL-EC-KG.' || DST_ext
    sk = hash_to_field(ikm, 1) with the parameters:
        DST: DST_bl_sk
        F: GF(N), the scalar field
           of the prime order subgroup of crv
        p: N
        m: 1
        L: The L defined in hash-to-crv-suite
        expand_message: The expand_message function
                        defined in hash-to-crv-suite

    pk = sk * G


BL-PRF(ikm_tau, ctx) -> tau

    DST_tau = 'ARKG-BL-EC.' || DST_ext || ctx
    tau = hash_to_field(ikm_tau, 1) with the parameters:
        DST: DST_tau
        F: GF(N), the scalar field
           of the prime order subgroup of crv
        p: N
        m: 1
        L: The L defined in hash-to-crv-suite
        expand_message: The expand_message function
                        defined in hash-to-crv-suite


BL-Blind-Public-Key(pk, tau) -> pk_tau

    pk_tau = pk + tau * G


BL-Blind-Private-Key(sk, tau) -> sk_tau

    sk_tau_tmp = sk + tau
    If sk_tau_tmp = 0, abort with an error.
    sk_tau = sk_tau_tmp
]]></sourcecode>
      </section>
      <section anchor="hmac-kem">
        <name>Using HMAC to adapt a KEM without ciphertext integrity</name>
        <t>Not all key encapsulation mechanisms guarantee ciphertext integrity,
meaning that a valid KEM ciphertext can be created only with knowledge of the KEM public key.
This section defines a general formula for adapting any KEM to guarantee ciphertext integrity
by prepending a MAC to the KEM ciphertext.</t>
        <t>For example, ECDH does not guarantee ciphertext integrity - any elliptic curve point is a valid ECDH ciphertext
and can be successfully decapsulated using any elliptic curve private scalar.</t>
        <t>This formula has the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Hash</tt>: A cryptographic hash function.</t>
          </li>
          <li>
            <t><tt>DST_ext</tt>: A domain separation parameter.</t>
          </li>
          <li>
            <t><tt>Sub-Kem</tt>: A key encapsulation mechanism as described for the <tt>KEM</tt> parameter in <xref target="arkg-params"/>,
except <tt>Sub-Kem</tt> <bcp14>MAY</bcp14> ignore the <tt>ctx</tt> parameter and <bcp14>MAY</bcp14> not guarantee ciphertext integrity.
<tt>Sub-Kem</tt> defines the functions <tt>Sub-Kem-Derive-Key-Pair</tt>, <tt>Sub-Kem-Encaps</tt> and <tt>Sub-Kem-Decaps</tt>.</t>
          </li>
        </ul>
        <t>The <tt>KEM</tt> parameter of ARKG may be instantiated using <tt>Sub-Kem</tt>,
HMAC <xref target="RFC2104"/> and HKDF <xref target="RFC5869"/> as follows:</t>
        <ul spacing="normal">
          <li>
            <t><tt>L</tt> is the output length of <tt>Hash</tt> in octets.</t>
          </li>
          <li>
            <t><tt>LEFT(X, n)</tt> is the first <tt>n</tt> bytes of the byte array <tt>X</tt>.</t>
          </li>
          <li>
            <t><tt>DROP_LEFT(X, n)</tt> is the byte array <tt>X</tt> without the first <tt>n</tt> bytes.</t>
          </li>
        </ul>
        <t>We truncate the HMAC output to 128 bits (16 octets)
because as described in <xref target="design-rationale-mac"/>,
ARKG needs ciphertext integrity only to ensure correctness, not for security.
Extendable-output functions used as the <tt>Hash</tt> parameter <bcp14>SHOULD</bcp14> still be instantiated
with an output length appropriate for the desired security level,
in order to not leak information about the <tt>Sub-Kem</tt> shared secret key.</t>
        <sourcecode type="pseudocode"><![CDATA[
KEM-Derive-Key-Pair(ikm) -> (pk, sk)

    (pk, sk) = Sub-Kem-Derive-Key-Pair(ikm)


KEM-Encaps(pk, ikm, ctx) -> (k, c)

    ctx_sub = 'ARKG-KEM-HMAC.' || DST_ext || ctx
    (k', c') = Sub-Kem-Encaps(pk, ikm, ctx_sub)

    prk = HKDF-Extract with the arguments:
        Hash: Hash
        salt: not set
        IKM: k'

    info_mk = 'ARKG-KEM-HMAC-mac.' || DST_ext || ctx
    mk = HKDF-Expand with the arguments:
        Hash: Hash
        PRK: prk
        info: info_mk
        L: L
    t = HMAC-Hash-128(K=mk, text=c')

    info_k = 'ARKG-KEM-HMAC-shared.' || DST_ext || ctx
    k = HKDF-Expand with the arguments:
        Hash: Hash
        PRK: prk
        info: info_k
        L: The length of k' in octets.
    c = t || c'


KEM-Decaps(sk, c, ctx) -> k

    t = LEFT(c, 16)
    c' = DROP_LEFT(c, 16)
    ctx_sub = 'ARKG-KEM-HMAC.' || DST_ext || ctx
    k' = Sub-Kem-Decaps(sk, c', ctx_sub)

    prk = HKDF-Extract with the arguments:
        Hash: Hash
        salt: not set
        IKM: k'

    mk = HKDF-Expand with the arguments:
        Hash: Hash
        PRK: prk
        info: 'ARKG-KEM-HMAC-mac.' || DST_ext || ctx
        L: L

    t' = HMAC-Hash-128(K=mk, text=c')
    If t = t':
        k = HKDF-Expand with the arguments:
            Hash: Hash
            PRK: prk
            info: 'ARKG-KEM-HMAC-shared.' || DST_ext || ctx
            L: The length of k' in octets.
    Else:
        Abort with an error.
]]></sourcecode>
        <t>In concrete instances where <tt>Sub-Kem-Encaps</tt> and <tt>Sub-Kem-Decaps</tt> ignore the <tt>ctx</tt> parameter,
implementations <bcp14>MAY</bcp14> eliminate the parameter and omit the computation of <tt>ctx_sub</tt>.</t>
      </section>
      <section anchor="kem-ecdh">
        <name>Using ECDH as the KEM</name>
        <t>Instantiations of ARKG can use ECDH <xref target="RFC6090"/> as the key encapsulation mechanism <tt>KEM</tt> <xref target="CCS_FGKLMN20"/> <xref target="ASIACCS_SteWil24"/>.
This section defines a general formula for such instantiations of <tt>KEM</tt>.</t>
        <t>This formula has the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>crv</tt>: an elliptic curve valid for use with ECDH <xref target="RFC6090"/>.</t>
          </li>
          <li>
            <t><tt>Hash</tt>: A cryptographic hash function.</t>
          </li>
          <li>
            <t><tt>hash-to-crv-suite</tt>: A hash-to-curve suite <xref target="RFC9380"/>
suitable for hashing to the scalar field of <tt>crv</tt>.</t>
          </li>
          <li>
            <t><tt>DST_ext</tt>: A domain separation parameter.</t>
          </li>
        </ul>
        <t>The above parameters define the following intermediate value:</t>
        <ul spacing="normal">
          <li>
            <t><tt>DST_aug</tt>: <tt>'ARKG-ECDH.' || DST_ext</tt>.</t>
          </li>
        </ul>
        <t>The <tt>KEM</tt> parameter of ARKG may be instantiated as described in section <xref target="hmac-kem"/> with the parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Hash</tt>: <tt>Hash</tt>.</t>
          </li>
          <li>
            <t><tt>DST_ext</tt>: <tt>DST_aug</tt>.</t>
          </li>
          <li>
            <t><tt>Sub-Kem</tt>: The functions <tt>Sub-Kem-Derive-Key-Pair</tt>, <tt>Sub-Kem-Encaps</tt> and <tt>Sub-Kem-Decaps</tt> defined as follows:  </t>
            <ul spacing="normal">
              <li>
                <t><tt>Elliptic-Curve-Point-to-Octet-String</tt> and <tt>Octet-String-to-Elliptic-Curve-Point</tt>
are the conversion routines defined in sections 2.3.3 and 2.3.4 of <xref target="SEC1"/>,
without point compression.</t>
              </li>
              <li>
                <t><tt>ECDH(pk, sk)</tt> represents the compact output of ECDH <xref target="RFC6090"/>
using public key (curve point) <tt>pk</tt> and private key (exponent) <tt>sk</tt>.</t>
              </li>
              <li>
                <t><tt>G</tt> is the generator of the prime order subgroup of <tt>crv</tt>.</t>
              </li>
              <li>
                <t><tt>N</tt> is the order of <tt>G</tt>.</t>
              </li>
            </ul>
            <sourcecode type="pseudocode"><![CDATA[
Sub-Kem-Derive-Key-Pair(ikm) -> (pk, sk)

    DST_kem_sk = 'ARKG-KEM-ECDH-KG.' || DST_aug
    sk = hash_to_field(ikm, 1) with the parameters:
        DST: DST_kem_sk
        F: GF(N), the scalar field
          of the prime order subgroup of crv
        p: N
        m: 1
        L: The L defined in hash-to-crv-suite
        expand_message: The expand_message function
                        defined in hash-to-crv-suite

    pk = sk * G


Sub-Kem-Encaps(pk, ikm, ctx) -> (k, c)

    (pk', sk') = Sub-Kem-Derive-Key-Pair(ikm)

    k = ECDH(pk, sk')
    c = Elliptic-Curve-Point-to-Octet-String(pk')


Sub-Kem-Decaps(sk, c, ctx) -> k

    pk' = Octet-String-to-Elliptic-Curve-Point(c)
    k = ECDH(pk', sk)
]]></sourcecode>
          </li>
        </ul>
        <t>Note: This instance intentionally ignores the <tt>ctx</tt> parameter of <tt>Sub-Kem-Encaps</tt> and <tt>Sub-Kem-Decaps</tt>.</t>
      </section>
      <section anchor="kem-x25519-x448">
        <name>Using X25519 or X448 as the KEM</name>
        <t>Instantiations of ARKG can use X25519 or X448 <xref target="RFC7748"/> as the key encapsulation mechanism <tt>KEM</tt>.
This section defines a general formula for such instantiations of <tt>KEM</tt>.</t>
        <t>This formula has the following parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>DH-Function</tt>: the function X25519 or the function X448 <xref target="RFC7748"/>.</t>
          </li>
          <li>
            <t><tt>DST_ext</tt>: A domain separation parameter.</t>
          </li>
        </ul>
        <t>The <tt>KEM</tt> parameter of ARKG may be instantiated as described in section <xref target="hmac-kem"/> with the parameters:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Hash</tt>: SHA-512 <xref target="NIST.FIPS.180-4"/> if <tt>DH-Function</tt> is X25519,
or SHAKE256 <xref target="NIST.FIPS.202"/> with output length 64 octets if <tt>DH-Function</tt> is X448.</t>
          </li>
          <li>
            <t><tt>DST_ext</tt>: <tt>'ARKG-ECDHX.' || DST_ext</tt>.</t>
          </li>
          <li>
            <t><tt>Sub-Kem</tt>: The functions <tt>Sub-Kem-Derive-Key-Pair</tt>, <tt>Sub-Kem-Encaps</tt> and <tt>Sub-Kem-Decaps</tt> defined as follows:  </t>
            <ul spacing="normal">
              <li>
                <t><tt>G</tt> is the octet string <tt>h'0900000000000000 0000000000000000 0000000000000000 0000000000000000'</tt>
if <tt>DH-Function</tt> is X25519,
or the octet string <tt>h'0500000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000'</tt>
if <tt>DH-Function</tt> is X448.      </t>
                <t>
These are the little-endian encodings of the integers 9 and 5,
which is the u-coordinate of the generator point of the respective curve group.</t>
              </li>
            </ul>
            <sourcecode type="pseudocode"><![CDATA[
Sub-Kem-Derive-Key-Pair(ikm) -> (pk, sk)

    sk = ikm
    pk = DH-Function(sk, G)


Sub-Kem-Encaps(pk, ikm, ctx) -> (k, c)

    (pk', sk') = Sub-Kem-Derive-Key-Pair(ikm)

    k = DH-Function(sk', pk)
    c = pk'


Sub-Kem-Decaps(sk, c, ctx) -> k

    k = DH-Function(sk, c)
]]></sourcecode>
          </li>
        </ul>
        <t>Note: This instance intentionally ignores the <tt>ctx</tt> parameter of <tt>Sub-Kem-Encaps</tt> and <tt>Sub-Kem-Decaps</tt>.</t>
      </section>
      <section anchor="blinding-kem-same-key">
        <name>Using the same key for both key blinding and KEM</name>
        <t>When an ARKG instance uses the same type of key for both the key blinding and the KEM -
for example, if elliptic curve arithmetic is used for key blinding as described in <xref target="blinding-ec"/>
and ECDH is used as the KEM as described in <xref target="kem-ecdh"/> <xref target="CCS_FGKLMN20"/> -
then the two keys <bcp14>MAY</bcp14> be the same key.
Representations of such an ARKG seed <bcp14>MAY</bcp14> allow for omitting the second copy of the constituent key,
but such representations <bcp14>MUST</bcp14> clearly identify that the single constituent key is to be used
both as the key blinding key and the KEM key.</t>
      </section>
    </section>
    <section anchor="concrete-arkg-instantiations">
      <name>Concrete ARKG instantiations</name>
      <t>This section defines an initial set of concrete ARKG instantiations.</t>
      <section anchor="ARKG-P256">
        <name>ARKG-P256</name>
        <t>The identifier <tt>ARKG-P256</tt> represents the following ARKG instance:</t>
        <ul spacing="normal">
          <li>
            <t><tt>BL</tt>: Elliptic curve addition as described in <xref target="blinding-ec"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The NIST curve <tt>secp256r1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>P256_XMD:SHA-256_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P256'</tt>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><tt>KEM</tt>: ECDH as described in <xref target="kem-ecdh"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The NIST curve <tt>secp256r1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>Hash</tt>: SHA-256 <xref target="NIST.FIPS.180-4"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>P256_XMD:SHA-256_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P256'</tt>.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Each <tt>ikm_bl</tt>, <tt>ikm_kem</tt> and <tt>ikm</tt> input to the procedures in this ARKG instance
<bcp14>SHOULD</bcp14> contain at least 256 bits of entropy.</t>
      </section>
      <section anchor="ARKG-P384">
        <name>ARKG-P384</name>
        <t>The identifier <tt>ARKG-P384</tt> represents the following ARKG instance:</t>
        <ul spacing="normal">
          <li>
            <t><tt>BL</tt>: Elliptic curve addition as described in <xref target="blinding-ec"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The NIST curve <tt>secp384r1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>P384_XMD:SHA-384_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P384'</tt>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><tt>KEM</tt>: ECDH as described in <xref target="kem-ecdh"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The NIST curve <tt>secp384r1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>Hash</tt>: SHA-384 <xref target="NIST.FIPS.180-4"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>P384_XMD:SHA-384_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P384'</tt>.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Each <tt>ikm_bl</tt>, <tt>ikm_kem</tt> and <tt>ikm</tt> input to the procedures in this ARKG instance
<bcp14>SHOULD</bcp14> contain at least 384 bits of entropy.</t>
      </section>
      <section anchor="ARKG-P521">
        <name>ARKG-P521</name>
        <t>The identifier <tt>ARKG-P521</tt> represents the following ARKG instance:</t>
        <ul spacing="normal">
          <li>
            <t><tt>BL</tt>: Elliptic curve addition as described in <xref target="blinding-ec"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The NIST curve <tt>secp521r1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>P521_XMD:SHA-512_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P521'</tt>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><tt>KEM</tt>: ECDH as described in <xref target="kem-ecdh"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The NIST curve <tt>secp521r1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>Hash</tt>: SHA-512 <xref target="NIST.FIPS.180-4"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>P521_XMD:SHA-512_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P521'</tt>.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Each <tt>ikm_bl</tt>, <tt>ikm_kem</tt> and <tt>ikm</tt> input to the procedures in this ARKG instance
<bcp14>SHOULD</bcp14> contain at least 512 bits of entropy.</t>
      </section>
      <section anchor="ARKG-P256k">
        <name>ARKG-P256k</name>
        <t>The identifier <tt>ARKG-P256k</tt> represents the following ARKG instance:</t>
        <ul spacing="normal">
          <li>
            <t><tt>BL</tt>: Elliptic curve addition as described in <xref target="blinding-ec"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The SECG curve <tt>secp256k1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>secp256k1_XMD:SHA-256_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P256k'</tt>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><tt>KEM</tt>: ECDH as described in <xref target="kem-ecdh"/> with the parameters:
            </t>
            <ul spacing="normal">
              <li>
                <t><tt>crv</tt>: The SECG curve <tt>secp256k1</tt> <xref target="SEC2"/>.</t>
              </li>
              <li>
                <t><tt>Hash</tt>: SHA-256 <xref target="NIST.FIPS.180-4"/>.</t>
              </li>
              <li>
                <t><tt>hash-to-crv-suite</tt>: <tt>secp256k1_XMD:SHA-256_SSWU_RO_</tt> <xref target="RFC9380"/>.</t>
              </li>
              <li>
                <t><tt>DST_ext</tt>: <tt>'ARKG-P256k'</tt>.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>Each <tt>ikm_bl</tt>, <tt>ikm_kem</tt> and <tt>ikm</tt> input to the procedures in this ARKG instance
<bcp14>SHOULD</bcp14> contain at least 256 bits of entropy.</t>
      </section>
    </section>
    <section anchor="cose">
      <name>COSE bindings</name>
      <t>This section proposes additions to COSE <xref target="RFC9052"/> to support ARKG use cases.
These consist of a new key type to represent ARKG public seeds,
algorithm identifiers for signing using an ARKG-derived private key,
and new <tt>COSE_Sign_Args</tt> <xref target="I-D.cose-split-algs"/> algorithm parameters for ARKG.</t>
      <section anchor="cose-arkg-pub-seed">
        <name>COSE key type: ARKG public seed</name>
        <t>An ARKG public seed is represented as a COSE_Key structure <xref target="RFC9052"/>
with <tt>kty</tt> value TBD (placeholder value -65537).
<xref target="tbl-arkg-pub-params"/> defines key type parameters <tt>pkbl</tt> (-1) and <tt>pkkem</tt> (-2) for the <tt>BL</tt> and <tt>KEM</tt> public key, respectively,
as well as key type parameter <tt>dkalg</tt> (-3), representing the algorithm that derived public and private keys are to be used with.</t>
        <table anchor="tbl-arkg-pub-params">
          <name>COSE key type parameters for the ARKG-pub key type.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Label</th>
              <th align="left">Value type</th>
              <th align="left">Required?</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">pkbl</td>
              <td align="left">-1</td>
              <td align="left">COSE_Key</td>
              <td align="left">Required</td>
              <td align="left">BL key of ARKG public seed</td>
            </tr>
            <tr>
              <td align="left">pkkem</td>
              <td align="left">-2</td>
              <td align="left">COSE_Key</td>
              <td align="left">Required</td>
              <td align="left">KEM key of ARKG public seed</td>
            </tr>
            <tr>
              <td align="left">dkalg</td>
              <td align="left">-3</td>
              <td align="left">int / tstr</td>
              <td align="left">Optional</td>
              <td align="left">
                <tt>alg</tt> parameter of public and private keys derived from this ARKG public seed</td>
            </tr>
          </tbody>
        </table>
        <t>When <tt>dkalg</tt> (-3) is present in an ARKG public seed,
the <tt>alg</tt> (3) parameter of public keys derived using <tt>ARKG-Derive-Public-Key</tt> with that seed
<bcp14>SHOULD</bcp14> be set to the <tt>dkalg</tt> (-3) value of the seed.</t>
        <t>The <tt>alg</tt> (3) parameter, when present,
identifies the ARKG instance this public seed is to be used with.
An initial set of COSE algorithm identifiers for this purpose is defined in <xref target="cose-algs-arkg"/>.</t>
        <t>The following CDDL <xref target="RFC8610"/> example represents an <tt>ARKG-P256</tt> public seed
restricted to generating derived keys for use with the ESP256 <xref target="RFC9864"/> signature algorithm:</t>
        <sourcecode type="cddl"><![CDATA[
{
  1: -65537,   ; kty: ARKG-pub (placeholder value)
               ; kid: Opaque identifier
  2: h'60b6dfddd31659598ae5de49acb220d8
       704949e84d484b68344340e2565337d2',
  3: -65700,   ; alg: ARKG-P256 (placeholder value)

  -1: {        ; BL public key
    1: 2,      ; kty: EC2
    -1: 1,     ; crv: P256
    -2: h'69380FC1C3B09652134FEEFBA61776F9
          7AF875CE46CA20252C4165102966EBC5',
    -3: h'8B515831462CCB0BD55CBA04BFD50DA6
          3FAF18BD845433622DAF97C06A10D0F1',
  },

  -2: {        ; KEM public key
    1: 2,      ; kty: EC2
    -1: 1,     ; crv: P256
    -2: h'5C099BEC31FAA581D14E208250D3FFDA
          9EC7F543043008BC84967A8D875B5D78',
    -3: h'539D57429FCB1C138DA29010A155DCA1
          4566A8F55AC2F1780810C49D4ED72D58',
  },

  -3: -9       ; Derived key algorithm: ESP256
}
]]></sourcecode>
        <t>The following is the same example encoded as CBOR:</t>
        <artwork><![CDATA[
h'a6013a0001000002582060b6dfddd31659598ae5de49acb220d8704949e84d48
  4b68344340e2565337d2033a000100a320a40102200121582069380fc1c3b096
  52134feefba61776f97af875ce46ca20252c4165102966ebc52258208b515831
  462ccb0bd55cba04bfd50da63faf18bd845433622daf97c06a10d0f121a40102
  20012158205c099bec31faa581d14e208250d3ffda9ec7f543043008bc84967a
  8d875b5d78225820539d57429fcb1c138da29010a155dca14566a8f55ac2f178
  0810c49d4ed72d582228'
]]></artwork>
      </section>
      <section anchor="cose-algs-arkg">
        <name>COSE algorithms</name>
        <t>This section defines COSE algorithm identifiers <xref target="RFC9052"/> for ARKG instances,
and for signature algorithms combined with using a signing private key derived using ARKG.</t>
        <t><xref target="tbl-cose-algs-arkg"/> defines algorithm identifiers to represent ARKG instances.</t>
        <table anchor="tbl-cose-algs-arkg">
          <name>COSE algorithm identifiers for ARKG instances.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Value</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ARKG-P256</td>
              <td align="left">TBD (placeholder -65700)</td>
              <td align="left">The ARKG instance <tt>ARKG-P256</tt> defined in <xref target="ARKG-P256"/>.</td>
            </tr>
            <tr>
              <td align="left">ARKG-P384</td>
              <td align="left">TBD (placeholder -65701)</td>
              <td align="left">The ARKG instance <tt>ARKG-P384</tt> defined in <xref target="ARKG-P384"/>.</td>
            </tr>
            <tr>
              <td align="left">ARKG-P521</td>
              <td align="left">TBD (placeholder -65702)</td>
              <td align="left">The ARKG instance <tt>ARKG-P521</tt> defined in <xref target="ARKG-P521"/>.</td>
            </tr>
            <tr>
              <td align="left">ARKG-P256k</td>
              <td align="left">TBD (placeholder -65703)</td>
              <td align="left">The ARKG instance <tt>ARKG-P256k</tt> defined in <xref target="ARKG-P256k"/>.</td>
            </tr>
          </tbody>
        </table>
        <t><xref target="tbl-cose-algs-arkg-sign"/> defines algorithm identifiers to represent signing algorithms.
These <bcp14>MAY</bcp14> be used to negotiate algorithm selection between a <em>digester</em> and <em>signer</em>
as described in <xref section="2" sectionFormat="of" target="I-D.cose-split-algs"/>,
and in key representations exchanged between such <em>digesters</em> and <em>signers</em>,
but <bcp14>SHOULD NOT</bcp14> appear in COSE structures consumed by signature verifiers.
COSE structures consumed by signature verifiers <bcp14>SHOULD</bcp14> instead use the corresponding algorithm identifier
listed in the "verification algorithm" column.</t>
        <t>All algorithm identifiers in <xref target="tbl-cose-algs-arkg-sign"/> denote signature algorithm suites where:</t>
        <ul spacing="normal">
          <li>
            <t>Key generation consists of executing <tt>ARKG-Derive-Seed</tt> to derive or generate an ARKG seed pair,
and disclosing the public seed.</t>
          </li>
          <li>
            <t>Signing consists of first executing <tt>ARKG-Derive-Public-Key</tt>
to derive a verification public key and key handle,
then executing <tt>ARKG-Derive-Private-Key</tt> with that key handle to derive the private signing key,
and finally using the derived private signing key to generate a signature valid under the derived verification public key.
Multiple signings can also be done with the same verification public key and key handle.</t>
          </li>
          <li>
            <t>Verification consists of executing the verification algorithm indicated in the table,
using the derived verification public key.</t>
          </li>
        </ul>
        <table anchor="tbl-cose-algs-arkg-sign">
          <name>COSE algorithms for signing with an ARKG-derived key.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Value</th>
              <th align="left">Verification algorithm</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ESP256-ARKG</td>
              <td align="left">TBD</td>
              <td align="left">-9 (ESP256)</td>
              <td align="left">ESP256 <xref target="RFC9864"/> using private key derived by ARKG-P256 (<xref target="ARKG-P256"/>).</td>
            </tr>
            <tr>
              <td align="left">ESP256-split-ARKG</td>
              <td align="left">TBD (placeholder -65539)</td>
              <td align="left">-9 (ESP256)</td>
              <td align="left">ESP256-split <xref target="I-D.cose-split-algs"/> using private key derived by ARKG-P256 (<xref target="ARKG-P256"/>).</td>
            </tr>
            <tr>
              <td align="left">ESP384-ARKG</td>
              <td align="left">TBD</td>
              <td align="left">-51 (ESP384)</td>
              <td align="left">ESP384 <xref target="RFC9864"/> using private key derived by ARKG-P384 (<xref target="ARKG-P384"/>).</td>
            </tr>
            <tr>
              <td align="left">ESP384-split-ARKG</td>
              <td align="left">TBD</td>
              <td align="left">-51 (ESP384)</td>
              <td align="left">ESP384-split <xref target="I-D.cose-split-algs"/> using private key derived by ARKG-P384 (<xref target="ARKG-P384"/>).</td>
            </tr>
            <tr>
              <td align="left">ESP512-ARKG</td>
              <td align="left">TBD</td>
              <td align="left">-52 (ESP512)</td>
              <td align="left">ESP512 <xref target="RFC9864"/> using private key derived by ARKG-P521 (<xref target="ARKG-P521"/>).</td>
            </tr>
            <tr>
              <td align="left">ESP512-split-ARKG</td>
              <td align="left">TBD</td>
              <td align="left">-52 (ESP512)</td>
              <td align="left">ESP512-split <xref target="I-D.cose-split-algs"/> using private key derived by ARKG-P521 (<xref target="ARKG-P521"/>).</td>
            </tr>
            <tr>
              <td align="left">ES256K-ARKG</td>
              <td align="left">TBD</td>
              <td align="left">-47 (ES256K)</td>
              <td align="left">ES256K <xref target="RFC8812"/> using private key derived by ARKG-P256k (<xref target="ARKG-P256k"/>).</td>
            </tr>
          </tbody>
        </table>
        <t>As an example of the intended uses of these algorithm identifiers,
consider a split signing <xref target="I-D.cose-split-algs"/> use case
with signing keys derived using ARKG-P256:</t>
        <ul spacing="normal">
          <li>
            <t>First, a <em>digester</em> and <em>signer</em> use the algorithm identifier -65539 (ESP256-split-ARKG, placeholder value)
to negotiate a signing protocol and their respective roles in it.
This identifier expresses that the <em>signer</em> will generate ARKG seed pairs,
the <em>digester</em> will use <tt>ARKG-Derive-Public-Key</tt> with those public seeds to derive public keys,
and the <em>signer</em> will use <tt>ARKG-Derive-Private-Key</tt> and ESP256-split <xref target="I-D.cose-split-algs"/>
to sign data with private keys corresponding to those derived public keys.</t>
          </li>
          <li>
            <t>The <em>signer</em>, acting as the ARKG <em>delegating party</em>, then generates an ARKG-P256 seed pair
and discloses the public seed to the <em>digester</em>.
The public seed is encoded as a <tt>COSE_Key</tt>, with
<tt>1 (kty): -65537 (ARKG-pub, placeholder value)</tt> to indicate it is an ARKG public seed,
<tt>3 (alg): -67000 (ARKG-P256, placeholder value)</tt> to indicate
which instance of <tt>ARKG-Derive-Public-Key</tt> to use it with,
and <tt>-3 (dkalg): -9 (ESP256)</tt> to indicate which verification algorithm
third-party verifiers may use to verify signatures made by keys derived from this public seed.</t>
          </li>
          <li>
            <t>The <em>digester</em> uses the ARKG public seed in <tt>ARKG-Derive-Public-Key</tt>.
The resulting public key is encoded as a <tt>COSE_Key</tt>
with <tt>1 (kty): 2 (EC2)</tt> to indicate it is an elliptic curve key
and <tt>3 (alg): -9 (ESP256)</tt> to indicate its verification algorithm.
The <em>digester</em> then provides this derived public key to some third party.</t>
          </li>
          <li>
            <t>That third party later requests a signature by the derived public key.
The <em>digester</em> relays this request to the <em>signer</em>,
along with some identifier for the ARKG seed pair if necessary,
and uses a <tt>COSE_Sign_Args</tt> structure to convey <tt>ARKG-Derive-Private-Key</tt> inputs to the <em>signer</em>.
The <tt>COSE_Sign_Args</tt> structure has <tt>3 (alg): -65539 (ESP256-split-ARKG, placeholder value)</tt>
to indicate the <em>digester</em>'s intent as initially negotiated,
and includes the <tt>kh</tt> and <tt>ctx</tt> arguments for the <em>signer</em> to use in <tt>ARKG-Derive-Private-Key</tt>.  </t>
            <t>
Since the negotiated algorithm is ESP256-split-ARKG,
the <em>digester</em> performs the hash step of the ECDSA signing procedure
as defined in <xref section="2.1" sectionFormat="of" target="I-D.cose-split-algs"/>,
and provides the digest as the "data to be signed" input to the <em>signer</em>.  </t>
            <t>
The <em>signer</em> uses the indicated ARKG private seed in <tt>ARKG-Derive-Private-Key</tt>
and uses the resulting derived private key to generate the requested signature.</t>
          </li>
          <li>
            <t>The third party receives the signature,
uses the <tt>3 (alg): -9 (ESP256)</tt> attribute of the public key to identify the verification algorithm to run,
and uses that algorithm to verify the signature.</t>
          </li>
        </ul>
        <t>Note how in this example, the identifier -65539 (ESP256-split-ARKG, placeholder value)
is not exposed to the third-party verifier;
it is used only between <em>digester</em> and <em>signer</em> to negotiate and execute a signing protocol.
The verifier does not need to know the internal details of the signing protocol,
only what algorithm to use to verify the signature.</t>
        <t>Consider also an example using ESP256-ARKG instead:</t>
        <ul spacing="normal">
          <li>
            <t>A <em>digester</em> and <em>signer</em> use the algorithm identifier TBD (ESP256-ARKG) to negotiate a signing protocol.
This identifier expresses that the <em>signer</em> will generate ARKG seed pairs,
the <em>digester</em> will use <tt>ARKG-Derive-Public-Key</tt> with those public seeds to derive public keys,
and the <em>signer</em> will use <tt>ARKG-Derive-Private-Key</tt> and ESP256 <xref target="RFC9864"/>
to sign data with private keys corresponding to those derived public keys.</t>
          </li>
          <li>
            <t>The example proceeds just like the the ESP256-split-ARKG example above,
except the <em>signer</em> uses the derived private key with ESP256 instead of ESP256-split.
Therefore, the <em>digester</em> relays the "data to be signed" unaltered from the third party to the <em>signer</em> in this case.</t>
          </li>
        </ul>
      </section>
      <section anchor="cose-sign-args-arkg">
        <name>COSE signing arguments</name>
        <t>This section defines ARKG-specific parameters for the <tt>COSE_Sign_Args</tt> structure <xref target="I-D.cose-split-algs"/>.
These consist of the parameters -1 and -2 respectively
for the <tt>kh</tt> and <tt>ctx</tt> parameters of <tt>ARKG-Derive-Private-Key</tt>.
<xref target="tbl-cose-args-arkg"/> defines these algorithm parameters for <tt>COSE_Sign_args</tt>.
<tt>kh</tt> and <tt>ctx</tt> are both <bcp14>REQUIRED</bcp14> for all the relevant <tt>alg</tt> values.</t>
        <table anchor="tbl-cose-args-arkg">
          <name>Algorithm parameters for COSE_Sign_Args.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Label</th>
              <th align="left">Type</th>
              <th align="left">Required?</th>
              <th align="left">Algorithm</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">kh</td>
              <td align="left">-1</td>
              <td align="left">bstr</td>
              <td align="left">Required</td>
              <td align="left">ESP256-ARKG, ESP256-split-ARKG, ESP384-ARKG, ESP384-split-ARKG, ESP512-ARKG, ESP512-split-ARKG, ES256K-ARKG</td>
              <td align="left">
                <tt>kh</tt> argument to <tt>ARKG-Derive-Private-Key</tt>.</td>
            </tr>
            <tr>
              <td align="left">ctx</td>
              <td align="left">-2</td>
              <td align="left">bstr</td>
              <td align="left">Required</td>
              <td align="left">ESP256-ARKG, ESP256-split-ARKG, ESP384-ARKG, ESP384-split-ARKG, ESP512-ARKG, ESP512-split-ARKG, ES256K-ARKG</td>
              <td align="left">
                <tt>ctx</tt> argument to <tt>ARKG-Derive-Private-Key</tt>.</td>
            </tr>
          </tbody>
        </table>
        <t>The following CDDL example conveys the <tt>kh</tt> and <tt>ctx</tt> arguments for signing data
using the ESP256-split algorithm <xref target="I-D.cose-split-algs"/>
and a key derived using <tt>ARKG-P256</tt>:</t>
        <sourcecode type="cddl"><![CDATA[
{
  3: -65539,   ; alg: ESP256-split with ARKG-P256 (placeholder value)

               ; ARKG-P256 key handle
               ; (HMAC-SHA-256-128 followed by
                  SEC1 uncompressed ECDH public key)
  -1: h'27987995f184a44cfa548d104b0a461d
        0487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043de
          c2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361',

               ; info argument to ARKG-Derive-Private-Key
  -2: 'ARKG-P256.test vectors',
}
]]></sourcecode>
        <t>The following is the same example encoded as CBOR:</t>
        <artwork><![CDATA[
h'a3033a0001000220585127987995f184a44cfa548d104b0a461d0487fc739dbc
  dabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea906
  0fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361215641524b
  472d503235362e7465737420766563746f7273'
]]></artwork>
      </section>
    </section>
    <section anchor="Security">
      <name>Security Considerations</name>
      <section anchor="security-properties">
        <name>Security Properties</name>
        <t>ARKG satisfies two security properties, defined in <xref target="CCS_FGKLMN20"/>.
Informally, they are:</t>
        <ul spacing="normal">
          <li>
            <t><strong>Public key unlinkability</strong>:
Derived public keys are indistinguishable from randomly sampled public keys,
even with knowledge of the ARKG public seed.
Consequently, it is also not distinguishable whether two derived public keys
were derived from the same ARKG public seed or from different public seeds.  </t>
            <t>
This property holds under the assumption that the adversary does not know
the <tt>tau</tt> or <tt>ikm_tau</tt> value that was computed in <tt>ARKG-Derive-Public-Key</tt>
when deriving the public key.
Indeed, knowledge of <tt>tau</tt> along with a public seed <tt>pk</tt> and derived public key <tt>pk'</tt>
is sufficient to determine with certainty whether <tt>pk'</tt> is derived from <tt>pk</tt>.
This also means that is is possible to <em>prove</em>, by revealing <tt>tau</tt>, that <tt>pk'</tt> is derived from <tt>pk</tt>,
and therefore that knowledge of the corresponding derived private key <tt>sk'</tt>
implies knowledge of the private seed <tt>sk</tt>.  </t>
            <t>
This property is called <em>PK-unlinkability</em> in <xref target="CCS_FGKLMN20"/>.</t>
          </li>
          <li>
            <t><strong>Private key security</strong>:
Derived private keys cannot be recovered without knowledge of the ARKG private seed,
even with knowledge of other public and private keys derived from the same seed.
Consequently, signatures by derived private keys enjoy the same unforgeability properties
as signatures made by equivalent keys generated without ARKG.  </t>
            <t>
This property is called <em>SK-security</em> in <xref target="CCS_FGKLMN20"/>,
specifically the <em>msKS</em> variant ("malicious-strong SK-security")
which is the strongest of the four variants defined.</t>
          </li>
        </ul>
      </section>
      <section anchor="security-secrets">
        <name>Secret Values</name>
        <t>Both security properties discussed in <xref target="security-properties"/>
rely on the secrecy of the ARKG private seed.
This is the primary secret which must be kept confidential in all circumstances.</t>
        <t>The ARKG functions also use other values of varying levels of sensitivity:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>ikm_bl</tt> and <tt>ikm_kem</tt> arguments to <tt>ARKG-Derive-Seed</tt>:
These uniquely determine the ARKG private seed,
and so must be at least equally well protected as the private seed itself.
Note that implementations can choose to not store <tt>ikm_bl</tt> or <tt>ikm_kem</tt>
if the resulting <tt>pk</tt> and <tt>sk</tt> are instead stored directly.  </t>
            <t>
See also <xref target="derive-seed-nondeterministic"/> for discussion
of nondeterministic variants that eliminate the <tt>ikm_bl</tt> and <tt>ikm_kem</tt> parameters;
note however that the same considerations apply to any and all random entropy used to replace them.</t>
          </li>
          <li>
            <t>The arguments to <tt>ARKG-Derive-Public-Key</tt>, and all intermediate variables used during its execution,
do not need to be kept confidential for private key security to hold.
No special protection of them is needed during execution of <tt>ARKG-Derive-Public-Key</tt>,
they do not need to be securely erased,
and no additional protection is needed for outputs in transit between subordinate party and delegating party.
The private key derived by <tt>ARKG-Derive-Public-Key</tt> remains secure
even if <tt>ARKG-Derive-Public-Key</tt> is executed entirely in public.  </t>
            <t>
However, some of these values enable varying levels of attack on privacy
or public key unlinkability if known.
Some of them ultimately become private key material,
so they should not be revealed unnecessarily.  </t>
            <t>
The subsequent list items expand on these considerations.</t>
          </li>
          <li>
            <t>The <tt>ikm</tt> argument to <tt>ARKG-Derive-Public-Key</tt>
determines <tt>ikm_tau</tt> and therefore <tt>tau</tt>.
<tt>ikm</tt> must therefore be confidential for public key unlinkability to hold;
the considerations in <xref target="privacy-pub-seed-secrecy"/> also apply to <tt>ikm</tt>.  </t>
            <t>
Since <tt>ikm</tt> is used to derive private key material, it should not be revealed unnecessarily.  </t>
            <t>
See also <xref target="derive-pk-nondeterministic"/> for discussion
of nondeterministic variants that eliminate the <tt>ikm</tt> parameters;
note however that the same considerations apply to any and all random entropy used to replace it.</t>
          </li>
          <li>
            <t>The <tt>ctx</tt> argument to <tt>ARKG-Derive-Public-Key</tt> and <tt>ARKG-Derive-Private-Key</tt>
is fuctionally similar to <tt>ikm</tt>,
but intended for domain separation rather than a primary entropy source.
It is not intended to be kept confidential and can safely be a public constant,
or an application constant appended with a key index, or similar.</t>
          </li>
          <li>
            <t>The <tt>pk'</tt> output from <tt>ARKG-Derive-Public-Key</tt> may safely be made public,
but may become a correlation handle if the same <tt>pk'</tt> is shared with multiple recipients.
Privacy considerations for public keys in general apply.</t>
          </li>
          <li>
            <t>The <tt>kh</tt> output from <tt>ARKG-Derive-Public-Key</tt> does not need to be kept confidential,
but - unlike the <tt>pk'</tt> output - also does not need to be revealed to third parties.
It should not be revealed unnecessarily since it encodes private key material.</t>
          </li>
          <li>
            <t>The <tt>kh</tt> argument to <tt>ARKG-Derive-Private-Key</tt> is equivalent to
the <tt>kh</tt> output from <tt>ARKG-Derive-Public-Key</tt>; the same considerations apply.</t>
          </li>
          <li>
            <t>The values <tt>prk</tt>, <tt>mk</tt> and <tt>k</tt> in the procedures of <xref target="hmac-kem"/>
do not need to be kept confidential for private key security to hold,
but knowledge of at least one of them enables distinguishing
the <tt>kh</tt> output produced by that execution of <tt>ARKG-Derive-Public-Key</tt>.
This could enable a limited de-anonymization attack against that particular <tt>kh</tt> value.  </t>
            <t><tt>k</tt> should not be revealed unnecessarily since it encodes private key material.</t>
          </li>
        </ul>
      </section>
      <section anchor="security-kem-integrity">
        <name>KEM Ciphertext Integrity</name>
        <t><xref target="arkg-params"/> requires that the <tt>KEM</tt> scheme guarantees ciphertext integrity,
meaning that a valid KEM ciphertext can be created only with knowledge of the KEM public key.
This is not a security requirement; failure to satisfy this property
does not weaken either of the security properties discussed in <xref target="security-properties"/>.
It may however degrade the correctness of the ARKG instance, as explained in <xref target="design-rationale-mac"/>,
potentially causing protocol failures that may be difficult to troubleshoot or for end-users to understand.</t>
      </section>
    </section>
    <section anchor="Privacy">
      <name>Privacy Considerations</name>
      <section anchor="privacy-pub-seed-secrecy">
        <name>Public Seed Secrecy</name>
        <t>The security properties described in <xref target="security-properties"/> hold even if the ARKG public seed is publicly known,
as the name suggests,
but there are situations when it may nevertheless be desirable to keep an ARKG public seed confidential.</t>
        <ul spacing="normal">
          <li>
            <t>If ARKG is used to derive multiple "pseudonym" public keys,
then the public seed is a correlation handle
that may reveal that some pseudonyms are related,
even without conclusive proof that they were derived from that seed.
The public seed should therefore not be revealed along with such pseudonyms.</t>
          </li>
          <li>
            <t>Knowledge of an ARKG public seed is sufficient to derive public keys from it,
and prove that they were derived from that seed by revealing <tt>tau</tt> (see <xref target="security-properties"/>).
A malicious actor could use this to, for example:  </t>
            <ul spacing="normal">
              <li>
                <t>make purchases at the seed owner's expense,
if the seller does not require proof of private key possession at the time of the purchase.</t>
              </li>
              <li>
                <t>accuse the seed owner of wrongdoing by planting incriminating keys in their name.</t>
              </li>
            </ul>
            <t>
To prevent such and other abuse,
it is prudent to keep the public seed confidential.</t>
          </li>
          <li>
            <t>Knowledge of the KEM component of an ARKG public seed is sufficient
to generate ARKG key handles valid for that ARKG private seed.
If this is undesirable -
for example if it could lead to the delegating party being overloaded -
then the KEM component of the public seed should be kept confidential.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <section anchor="cose-key-types-registrations">
        <name>COSE Key Types Registrations</name>
        <t>This section registers the following values in the IANA "COSE Key Types" registry <xref target="IANA.cose"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Name: ARKG-pub
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (Placeholder -65537)</t>
              </li>
              <li>
                <t>Description: ARKG public seed</t>
              </li>
              <li>
                <t>Capabilities: [kty(-65537), pk_bl, pk_kem]</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-arkg-pub-seed"/> of this document</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="cose-key-type-parameters-registrations">
        <name>COSE Key Type Parameters Registrations</name>
        <t>This section registers the following values in the IANA "COSE Key Type Parameters" registry <xref target="IANA.cose"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Key Type: TBD (ARKG-pub, placeholder -65537)
            </t>
            <ul spacing="normal">
              <li>
                <t>Name: pk_bl</t>
              </li>
              <li>
                <t>Label: -1</t>
              </li>
              <li>
                <t>CBOR Type: COSE_Key</t>
              </li>
              <li>
                <t>Description: ARKG key blinding public key</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-arkg-pub-seed"/> of this document</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Key Type: TBD (ARKG-pub, placeholder -65537)
            </t>
            <ul spacing="normal">
              <li>
                <t>Name: pk_kem</t>
              </li>
              <li>
                <t>Label: -2</t>
              </li>
              <li>
                <t>CBOR Type: COSE_Key</t>
              </li>
              <li>
                <t>Description: ARKG key encapsulation public key</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-arkg-pub-seed"/> of this document</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="cose-algorithms-registrations">
        <name>COSE Algorithms Registrations</name>
        <t>This section registers the following values in the IANA "COSE Algorithms" registry <xref target="IANA.cose"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Name: ARKG-P256
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (placeholder -65700)</t>
              </li>
              <li>
                <t>Description: ARKG using ECDH and additive blinding on secp256r1</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ARKG-P384
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (placeholder -65701)</t>
              </li>
              <li>
                <t>Description: ARKG using ECDH and additive blinding on secp384r1</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ARKG-P521
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (placeholder -65702)</t>
              </li>
              <li>
                <t>Description: ARKG using ECDH and additive blinding on secp521r1</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ARKG-P256k
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (placeholder -65703)</t>
              </li>
              <li>
                <t>Description: ARKG using ECDH and additive blinding on secp256k1</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP256-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: ESP256 using private key derived by ARKG-P256</t>
              </li>
              <li>
                <t>Reference: <xref target="RFC9864"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP256-split-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD (placeholder -65539)</t>
              </li>
              <li>
                <t>Description: ESP256-split using private key derived by ARKG-P256</t>
              </li>
              <li>
                <t>Reference: <xref target="I-D.cose-split-algs"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP384-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: ESP384 using private key derived by ARKG-P384</t>
              </li>
              <li>
                <t>Reference: <xref target="RFC9864"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP384-split-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: ESP384-split using private key derived by ARKG-P384</t>
              </li>
              <li>
                <t>Reference: <xref target="I-D.cose-split-algs"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP512-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: ESP512 using private key derived by ARKG-P521</t>
              </li>
              <li>
                <t>Reference: <xref target="RFC9864"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP512-split-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: ESP512-split using private key derived by ARKG-P521</t>
              </li>
              <li>
                <t>Reference: <xref target="I-D.cose-split-algs"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ESP256K-ARKG
            </t>
            <ul spacing="normal">
              <li>
                <t>Value: TBD</t>
              </li>
              <li>
                <t>Description: ESP256K using private key derived by ARKG-P256k</t>
              </li>
              <li>
                <t>Reference: <xref target="RFC8812"/>, <xref target="cose-algs-arkg"/> of this document</t>
              </li>
              <li>
                <t>Recommended: TBD</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="cose-signing-arguments-algorithm-parameters-registrations">
        <name>COSE Signing Arguments Algorithm Parameters Registrations</name>
        <t>This section registers the following values
in the IANA "COSE Signing Arguments Algorithm Parameters" registry <xref target="I-D.cose-split-algs"/>:</t>
        <ul spacing="normal">
          <li>
            <t>Name: kh
            </t>
            <ul spacing="normal">
              <li>
                <t>Label: -1</t>
              </li>
              <li>
                <t>Type: bstr</t>
              </li>
              <li>
                <t>Required: yes</t>
              </li>
              <li>
                <t>Algorithm: ESP256-ARKG, ESP256-split-ARKG, ESP384-ARKG, ESP384-split-ARKG, ESP512-ARKG, ESP512-split-ARKG, ES256K-ARKG</t>
              </li>
              <li>
                <t>Description: <tt>kh</tt> argument to <tt>ARKG-Derive-Private-Key</tt>.</t>
              </li>
              <li>
                <t>Capabilities: [alg(-65539, TBD)]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-sign-args-arkg"/> of this document</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Name: ctx
            </t>
            <ul spacing="normal">
              <li>
                <t>Label: -2</t>
              </li>
              <li>
                <t>Type: bstr</t>
              </li>
              <li>
                <t>Required: yes</t>
              </li>
              <li>
                <t>Algorithm: ESP256-ARKG, ESP256-split-ARKG, ESP384-ARKG, ESP384-split-ARKG, ESP512-ARKG, ESP512-split-ARKG, ES256K-ARKG</t>
              </li>
              <li>
                <t>Description: <tt>ctx</tt> argument to <tt>ARKG-Derive-Private-Key</tt>.</t>
              </li>
              <li>
                <t>Capabilities: [alg(-65539, TBD)]</t>
              </li>
              <li>
                <t>Change Controller: IETF</t>
              </li>
              <li>
                <t>Reference: <xref target="cose-sign-args-arkg"/> of this document</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="design-rationale">
      <name>Design rationale</name>
      <section anchor="design-rationale-mac">
        <name>Using a MAC</name>
        <t>The ARKG construction by Stebila et al. <xref target="ASIACCS_SteWil24"/> omits the MAC and instead encodes application context in the PRF labels,
arguing that this leads to invalid keys/signatures in cases that would have a bad MAC.
We choose to keep the MAC from the construction by Frymann et al. <xref target="CCS_FGKLMN20"/>,
but allow it to be omitted in case the chosen KEM already guarantees ciphertext integrity.</t>
        <t>The reason for this is to ensure that the delegating party can distinguish key handles that belong to its ARKG seed.
For example, this is important for applications using the W3C Web Authentication API <xref target="WebAuthn"/>,
which do not know beforehand which authenticators are connected and available.
Instead, authentication requests may include references to several eligible authenticators,
and the one to use is chosen opportunistically by the WebAuthn client depending on which are available at the time.
Consider using ARKG in such a scenario to sign some data with a derived private key:
a user may have several authenticators and thus several ARKG seeds,
so the signing request might include several well-formed ARKG key handles,
but only one of them belongs to the ARKG seed of the authenticator that is currently connected.
Without an integrity check,
choosing the wrong key handle might cause the <tt>ARKG-Derive-Private-Key</tt> procedure to silently derive the wrong key
instead of returning an explicit error, which would in turn lead to an invalid signature or similar final output.
This would make it difficult or impossible to diagnose the root cause of the issue and present actionable user feedback.
For this reason, we require the KEM to guarantee ciphertext integrity
so that <tt>ARKG-Derive-Private-Key</tt> can fail early if the key handle belongs to a different ARKG seed.</t>
        <t>It is straightforward to see that adding the MAC to the construction by Wilson
does not weaken the security properties defined by Frymann et al. <xref target="CCS_FGKLMN20"/>:
the construction by Frymann et al. can be reduced to the ARKG construction in this document
by instantiating <tt>BL</tt> as described in <xref target="blinding-ec"/>
and <tt>KEM</tt> as described in <xref target="kem-ecdh"/>.
The use of hash_to_field in <xref target="blinding-ec"/> corresponds to the KDF<sub>1</sub> parameter in <xref target="CCS_FGKLMN20"/>,
and the use of HMAC and HKDF in <xref target="hmac-kem"/> corresponds to the MAC and KDF<sub>2</sub> parameters in <xref target="CCS_FGKLMN20"/>.
Hence if one can break PK-unlinkability or SK-security of the ARKG construction in this document,
one can also break the same property of the construction by Frymann et al.</t>
      </section>
    </section>
    <section anchor="impl-status">
      <name>Implementation Status</name>
      <t>This section is to be removed from the specification by the RFC Editor before publication as an RFC.</t>
      <t>There are currently two known implementations using features defined by this specification:</t>
      <ul spacing="normal">
        <li>
          <t><eref target="https://github.com/wwWallet">wwWallet</eref>, an EU Digital Identity pilot project.
wwWallet was entered into the
<eref target="https://www.sprind.org/en/actions/challenges/eudi-wallet-prototypes">"EUDI Wallet Prototypes" competition held by SprinD GmbH</eref>,
and a branch of the wallet was submitted in the competition.
The competition entry implements ARKG
for efficiently generating single-use hardware-bound holder binding keys.  </t>
          <t>
The <eref target="https://github.com/gunet/funke-s3a-wallet-frontend/blob/stage-3/src/services/keystore.ts">implementation</eref>
uses the <tt>COSE_Key_Ref</tt> data structure defined in an earlier version of <xref target="I-D.cose-split-algs"/>
(version -01 of the Individual-Draft <tt>I-D.draft-lundberg-cose-two-party-signing-algs-01</tt>)
in order to send ARKG inputs to a WebAuthn authenticator,
and uses the placeholder value for ESP256-split-ARKG defined in <xref target="cose-algs-arkg"/>
to negotiate creation and usage of ARKG-derived keys for signing operations.
Work to update the implementation to instead use <tt>COSE_Sign_Args</tt>
as defined in <xref target="I-D.cose-split-algs"/> is ongoing.</t>
        </li>
        <li>
          <t><eref target="https://www.yubico.com/">Yubico</eref>, a hardware security key vendor,
has produced limited-availability prototypes of their YubiKey product
with an ARKG implementation interoperable with wwWallet.
The YubiKey implementation uses the <tt>COSE_Sign_Args</tt> data structure defined in <xref target="I-D.cose-split-algs"/>
to receive ARKG inputs from a WebAuthn Relying Party,
and uses the placeholder value for ESP256-split-ARKG defined in <xref target="cose-algs-arkg"/>
to negotiate creation and usage of ARKG-derived keys for signing operations.</t>
        </li>
      </ul>
      <t><xref target="tbl-impl-status-matrix"/> summarizes implementation status for individual features.</t>
      <table anchor="tbl-impl-status-matrix">
        <name>Implementation status of individual features.</name>
        <thead>
          <tr>
            <th align="left">Feature</th>
            <th align="left">Implementations</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">ARKG-P256</td>
            <td align="left">wwWallet, Yubico</td>
          </tr>
          <tr>
            <td align="left">ARKG-P384</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ARKG-P521</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ARKG-P256k</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP256-ARKG</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP256-split-ARKG</td>
            <td align="left">wwWallet, Yubico</td>
          </tr>
          <tr>
            <td align="left">ESP384-ARKG</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP384-split-ARKG</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP512-ARKG</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ESP512-split-ARKG</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">ES256K-ARKG</td>
            <td align="left">-</td>
          </tr>
          <tr>
            <td align="left">
              <tt>COSE_Sign_Args</tt></td>
            <td align="left">wwWallet, Yubico</td>
          </tr>
        </tbody>
      </table>
      <section anchor="impl-status-dependencies">
        <name>Related Internet-Drafts</name>
        <t>Parts of this specification depend upon definitions from <xref target="I-D.cose-split-algs"/>:</t>
        <ul spacing="normal">
          <li>
            <t>The algorithm identifiers ESP256-split-ARKG, ESP384-split-ARKG and ESP512-split-ARKG defined in <xref target="cose-algs-arkg"/>
depend respectively on the algorithm identifiers ESP256-split, ESP384-split and ESP512-split defined in <xref target="I-D.cose-split-algs"/>.</t>
          </li>
          <li>
            <t>The ARKG-specific <tt>COSE_Sign_Args</tt> parameter definitions in <xref target="cose-sign-args-arkg"/>
depend on <xref target="I-D.cose-split-algs"/> for the definition of the <tt>COSE_Sign_Args</tt> structure.</t>
          </li>
        </ul>
      </section>
      <section anchor="impl-status-future-work">
        <name>Future Work</name>
        <t>Hierarchical Deterministic Keys (HDK) <xref target="I-D.dijkhuis-cfrg-hdkeys"/> is a possible application of ARKG
which has identified a limitation in the present construction,
as discussed in <eref target="https://github.com/sander/hierarchical-deterministic-keys/issues/94">HDK GitHub issue #94</eref>.
ARKG can be used recursively - for example, ARKG-P256 can be used to derive P-256 keys that are themselves used as ARKG seeds -
but then requires one invocation of <tt>ARKG-Derive-Private-Key</tt> per layer of recursion
in order to derive higher-layer private keys.
This can be an issue if the base ARKG private seed is hardware-bound,
since it would require multiple calls to the secure hardware device,
especially if each of those calls requires a user gesture for authorization.
Therefore a modified ARKG construction has been proposed,
along with a <eref target="https://github.com/Yubico/arkg-rfc/blob/pqarkg-h/pqarkg-h-security/pqarkg-h.pdf">draft for a potential security proof</eref>,
which enables multiple layers of recursive ARKG to be condensed into a single invocation of <tt>ARKG-Derive-Private-Key</tt>.
We would have liked to use this modified construction in this specification,
but have not been able to get the potential proof appropriately peer reviewed in a timely manner,
so prototypes have moved forward with the present construction.
The modified construction may be revisited in the future if there is demand for applications,
in which case new algorithm identifiers and such can be defined for the modified construction.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.cose-split-algs">
          <front>
            <title>Split Signing Algorithms for COSE</title>
            <author fullname="Emil Lundberg" initials="E." surname="Lundberg">
              <organization>Yubico</organization>
            </author>
            <author fullname="Michael B. Jones" initials="M. B." surname="Jones">
              <organization>Self-Issued Consulting</organization>
            </author>
            <date day="24" month="April" year="2026"/>
            <abstract>
              <t>   This specification defines COSE algorithm identifiers for negotiating
   how to split a signature algorithm between two cooperating parties.
   Typically the first party hashes the data to be signed and the second
   party finishes the signature over the hashed data.  This is a common
   technique, useful for example when the signing private key is held in
   a smart card or similar hardware component with limited processing
   power and communication bandwidth.  The resulting signatures are
   identical in structure to those computed by a single party, and can
   be verified using the same verification algorithm without additional
   steps to preprocess the signed data.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-split-signing-algs-00"/>
        </reference>
        <reference anchor="IANA.cose" target="https://www.iana.org/assignments/cose">
          <front>
            <title>CBOR Object Signing and Encryption (COSE)</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="NIST.FIPS.180-4" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">
          <front>
            <title>Secure Hash Standard</title>
            <author fullname="Quynh H. Dang" surname="Dang">
              <organization>Information Technology Laboratory</organization>
            </author>
            <author>
              <organization abbrev="NIST">National Institute of Standards and Technology</organization>
              <address>
                <postal>
                  <country>US</country>
                  <city>Gaithersburg</city>
                </postal>
              </address>
            </author>
            <date month="July" year="2015"/>
          </front>
          <seriesInfo name="NIST Federal Information Processing Standards Publications" value="180-4"/>
          <seriesInfo name="DOI" value="10.6028/NIST.FIPS.180-4"/>
        </reference>
        <reference anchor="NIST.FIPS.202" target="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf">
          <front>
            <title>SHA-3 Standard:  Permutation-Based Hash and Extendable-Output Functions</title>
            <author fullname="Morris J. Dworkin" initials="M." surname="Dworkin">
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <author fullname="Morris J. Dworkin" surname="Dworkin">
              <organization>Information Technology Laboratory</organization>
            </author>
            <author>
              <organization abbrev="NIST">National Institute of Standards and Technology</organization>
              <address>
                <postal>
                  <country>US</country>
                  <city>Gaithersburg</city>
                </postal>
              </address>
            </author>
            <date month="August" year="2015"/>
          </front>
          <seriesInfo name="FIPS" value="PUB 202"/>
          <seriesInfo name="NIST Federal Information Processing Standards Publications" value="202"/>
          <seriesInfo name="DOI" value="10.6028/nist.fips.202"/>
          <seriesInfo name="DOI" value="10.6028/NIST.FIPS.202"/>
        </reference>
        <reference anchor="RFC2104">
          <front>
            <title>HMAC: Keyed-Hashing for Message Authentication</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="M. Bellare" initials="M." surname="Bellare"/>
            <author fullname="R. Canetti" initials="R." surname="Canetti"/>
            <date month="February" year="1997"/>
            <abstract>
              <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2104"/>
          <seriesInfo name="DOI" value="10.17487/RFC2104"/>
        </reference>
        <reference anchor="RFC4949">
          <front>
            <title>Internet Security Glossary, Version 2</title>
            <author fullname="R. Shirey" initials="R." surname="Shirey"/>
            <date month="August" year="2007"/>
            <abstract>
              <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="FYI" value="36"/>
          <seriesInfo name="RFC" value="4949"/>
          <seriesInfo name="DOI" value="10.17487/RFC4949"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC6090">
          <front>
            <title>Fundamental Elliptic Curve Cryptography Algorithms</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="K. Igoe" initials="K." surname="Igoe"/>
            <author fullname="M. Salter" initials="M." surname="Salter"/>
            <date month="February" year="2011"/>
            <abstract>
              <t>This note describes the fundamental algorithms of Elliptic Curve Cryptography (ECC) as they were defined in some seminal references from 1994 and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6090"/>
          <seriesInfo name="DOI" value="10.17487/RFC6090"/>
        </reference>
        <reference anchor="RFC7748">
          <front>
            <title>Elliptic Curves for Security</title>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="January" year="2016"/>
            <abstract>
              <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7748"/>
          <seriesInfo name="DOI" value="10.17487/RFC7748"/>
        </reference>
        <reference anchor="RFC8017">
          <front>
            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="November" year="2016"/>
            <abstract>
              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 3447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8017"/>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
        </reference>
        <reference anchor="RFC8032">
          <front>
            <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8032"/>
          <seriesInfo name="DOI" value="10.17487/RFC8032"/>
        </reference>
        <reference anchor="RFC8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="C. Vigano" initials="C." surname="Vigano"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC8812">
          <front>
            <title>CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) Registrations for Web Authentication (WebAuthn) Algorithms</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="August" year="2020"/>
            <abstract>
              <t>The W3C Web Authentication (WebAuthn) specification and the FIDO Alliance FIDO2 Client to Authenticator Protocol (CTAP) specification use CBOR Object Signing and Encryption (COSE) algorithm identifiers. This specification registers the following algorithms (which are used by WebAuthn and CTAP implementations) in the IANA "COSE Algorithms" registry: RSASSA-PKCS1-v1_5 using SHA-256, SHA-384, SHA-512, and SHA-1; and Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve and SHA-256. It registers the secp256k1 elliptic curve in the IANA "COSE Elliptic Curves" registry. Also, for use with JSON Object Signing and Encryption (JOSE), it registers the algorithm ECDSA using the secp256k1 curve and SHA-256 in the IANA "JSON Web Signature and Encryption Algorithms" registry and the secp256k1 elliptic curve in the IANA "JSON Web Key Elliptic Curve" registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8812"/>
          <seriesInfo name="DOI" value="10.17487/RFC8812"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9380">
          <front>
            <title>Hashing to Elliptic Curves</title>
            <author fullname="A. Faz-Hernandez" initials="A." surname="Faz-Hernandez"/>
            <author fullname="S. Scott" initials="S." surname="Scott"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="R. S. Wahby" initials="R. S." surname="Wahby"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="August" year="2023"/>
            <abstract>
              <t>This document specifies a number of algorithms for encoding or hashing an arbitrary string to a point on an elliptic curve. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9380"/>
          <seriesInfo name="DOI" value="10.17487/RFC9380"/>
        </reference>
        <reference anchor="RFC9864">
          <front>
            <title>Fully-Specified Algorithms for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="M.B. Jones" initials="M.B." surname="Jones"/>
            <author fullname="O. Steele" initials="O." surname="Steele"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>This specification refers to cryptographic algorithm identifiers that fully specify the cryptographic operations to be performed, including any curve, key derivation function (KDF), and hash functions, as being "fully specified". It refers to cryptographic algorithm identifiers that require additional information beyond the algorithm identifier to determine the cryptographic operations to be performed as being "polymorphic". This specification creates fully-specified algorithm identifiers for registered JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) polymorphic algorithm identifiers, enabling applications to use only fully-specified algorithm identifiers. It deprecates those polymorphic algorithm identifiers.</t>
              <t>This specification updates RFCs 7518, 8037, and 9053. It deprecates polymorphic algorithms defined by RFCs 8037 and 9053 and provides fully-specified replacements for them. It adds to the instructions to designated experts in RFCs 7518 and 9053.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9864"/>
          <seriesInfo name="DOI" value="10.17487/RFC9864"/>
        </reference>
        <reference anchor="SEC1" target="http://www.secg.org/sec1-v2.pdf">
          <front>
            <title>SEC 1: Elliptic Curve Cryptography</title>
            <author>
              <organization>Certicom Research</organization>
            </author>
            <date year="2009"/>
          </front>
        </reference>
        <reference anchor="SEC2" target="http://www.secg.org/sec2-v2.pdf">
          <front>
            <title>SEC 2: Recommended Elliptic Curve Domain Parameters</title>
            <author>
              <organization>Certicom Research</organization>
            </author>
            <date year="2010"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.dijkhuis-cfrg-hdkeys">
          <front>
            <title>Hierarchical Deterministic Keys</title>
            <author fullname="Sander Dijkhuis" initials="S." surname="Dijkhuis">
              <organization>Cleverbase</organization>
            </author>
            <date day="19" month="January" year="2025"/>
            <abstract>
              <t>   Hierarchical Deterministic Keys enables managing large sets of keys
   bound to a secure cryptographic device that protects a single key.
   This enables the development of secure digital identity wallets
   providing many one-time-use public keys.  Some instantiations can be
   implemented in such a way that the secure cryptographic device does
   not need to support key blinding, enabling the use of devices that
   already are widely deployed.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-dijkhuis-cfrg-hdkeys-06"/>
        </reference>
        <reference anchor="BIP32" target="https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki">
          <front>
            <title>BIP 32 Hierarchical Deterministic Wallets</title>
            <author initials="P." surname="Wuille" fullname="Pieter Wuille">
              <organization/>
            </author>
            <date year="2012"/>
          </front>
        </reference>
        <reference anchor="AC_BreCleFis24" target="https://eprint.iacr.org/2023/1275">
          <front>
            <title>Post-Quantum Asynchronous Remote Key Generation for FIDO2 Account Recovery. ASIACRYPT '24</title>
            <author initials="J." surname="Brendel" fullname="Jacqueline Brendel">
              <organization/>
            </author>
            <author initials="S." surname="Clermont" fullname="Sebastian Clermont">
              <organization/>
            </author>
            <author initials="M." surname="Fischlin" fullname="Marc Fischlin">
              <organization>Technische Universität Darmstadt</organization>
            </author>
            <date year="2023"/>
          </front>
        </reference>
        <reference anchor="WebAuthn-Recovery" target="https://github.com/Yubico/webauthn-recovery-extension">
          <front>
            <title>WebAuthn recovery extension: Asynchronous delegated key generation without shared secrets. GitHub</title>
            <author initials="E." surname="Lundberg" fullname="Emil Lundberg">
              <organization/>
            </author>
            <author initials="D." surname="Nilsson" fullname="Dain Nilsson">
              <organization/>
            </author>
            <date year="2019"/>
          </front>
        </reference>
        <reference anchor="CCS_FGKLMN20" target="https://eprint.iacr.org/2020/1004">
          <front>
            <title>Asynchronous Remote Key Generation: An Analysis of Yubico's Proposal for W3C WebAuthn. CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security</title>
            <author initials="N." surname="Frymann" fullname="Nick Frymann">
              <organization/>
            </author>
            <author initials="D." surname="Gardham" fullname="Daniel Gardham">
              <organization/>
            </author>
            <author initials="F." surname="Kiefer" fullname="Franziskus Kiefer">
              <organization/>
            </author>
            <author initials="E." surname="Lundberg" fullname="Emil Lundberg">
              <organization/>
            </author>
            <author initials="M." surname="Manulis" fullname="Mark Manulis">
              <organization/>
            </author>
            <author initials="D." surname="Nilsson" fullname="Dain Nilsson">
              <organization/>
            </author>
            <date year="2020"/>
          </front>
        </reference>
        <reference anchor="EUROSP_FryGarMan23" target="https://eprint.iacr.org/2023/419">
          <front>
            <title>Asynchronous Remote Key Generation for Post-Quantum Cryptosystems from Lattices. 2023 IEEE 8th European Symposium on Security and Privacy</title>
            <author initials="N." surname="Frymann" fullname="Nick Frymann">
              <organization/>
            </author>
            <author initials="D." surname="Gardham" fullname="Daniel Gardham">
              <organization/>
            </author>
            <author initials="M." surname="Manulis" fullname="Mark Manulis">
              <organization/>
            </author>
            <date year="2023"/>
          </front>
        </reference>
        <reference anchor="Shoup" target="https://www.shoup.net/papers/iso-2.pdf">
          <front>
            <title>A Proposal for an ISO Standard for Public Key Encryption (version 2.0)</title>
            <author initials="V." surname="Shoup" fullname="Victor Shoup">
              <organization>IBM Zurich Research Lab</organization>
            </author>
            <date year="2001"/>
          </front>
        </reference>
        <reference anchor="ASIACCS_SteWil24" target="https://eprint.iacr.org/2024/678">
          <front>
            <title>Quantum-Safe Account Recovery for WebAuthn. ASIACCS '24</title>
            <author initials="D." surname="Stebila" fullname="Douglas Stebila">
              <organization/>
            </author>
            <author initials="S. M." surname="Wilson" fullname="Spencer MacLaren Wilson">
              <organization>University of Waterloo</organization>
            </author>
            <date year="2023"/>
          </front>
        </reference>
        <reference anchor="WebAuthn" target="https://www.w3.org/TR/webauthn-3/">
          <front>
            <title>Web Authentication: An API for accessing Public Key Credentials - Level 3</title>
            <author/>
          </front>
          <seriesInfo name="W3C WD" value="webauthn-3"/>
          <seriesInfo name="W3C" value="webauthn-3"/>
        </reference>
        <reference anchor="Wilson2023" target="http://hdl.handle.net/10012/19316">
          <front>
            <title>Post-Quantum Account Recovery for Passwordless Authentication. Master's thesis</title>
            <author initials="S. M." surname="Wilson" fullname="Spencer MacLaren Wilson">
              <organization>University of Waterloo</organization>
            </author>
            <date year="2023"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 1566?>

<section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This section lists test vectors for validating implementations.</t>
      <t>Test vectors are listed in CDDL <xref target="RFC8610"/> syntax
using variable names defined in <xref target="arkg"/> and <xref target="generic-formulae"/>.
Elliptic curve points are encoded using the <tt>Elliptic-Curve-Point-to-Octet-String</tt> procedure
defined in section 2.3.3 of <xref target="SEC1"/>, without point compression.</t>
      <section anchor="arkg-p256">
        <name>ARKG-P256</name>
        <sourcecode type="cddl"><![CDATA[
; Inputs:
ctx         = 'ARKG-P256.test vectors'
ikm_bl      = h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'
ikm_kem     = h'202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f'
ikm         = h'404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f'

; Derive-Seed:
DST_bl_sk   = h'41524b472d424c2d45432d4b472e41524b472d50323536'
DST_kem_sk  = h'41524b472d4b454d2d454344482d4b472e41524b472d454344482e41524b472d50323536'
pk_bl       = h'046d3bdf31d0db48988f16d47048fdd24123cd286e42d0512daa9f726b4ecf18df
                  65ed42169c69675f936ff7de5f9bd93adbc8ea73036b16e8d90adbfabdaddba7'
pk_kem      = h'04c38bbdd7286196733fa177e43b73cfd3d6d72cd11cc0bb2c9236cf85a42dcff5
                  dfa339c1e07dfcdfda8d7be2a5a3c7382991f387dfe332b1dd8da6e0622cfb35'
sk_bl       = 0xd959500a78ccf850ce46c80a8c5043c9a2e33844232b3829df37d05b3069f455
sk_kem      = 0x74e0a4cd81ca2d24246ff75bfd6d4fb7f9dfc938372627feb2c2348f8b1493b5

; Derive-Public-Key:
ctx_bl      = h'41524b472d4465726976652d4b65792d424c2e1641524b472d503235362e7465737420766563746f7273'
ctx_kem     = h'41524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
ctx_sub     = h'41524b472d4b454d2d484d41432e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
DST_kem_sk  = h'41524b472d4b454d2d454344482d4b472e41524b472d454344482e41524b472d50323536'
k_prime     = h'fa027ebc49603a2a41052479f6e9f6d046175df2f00cecb403f53ffcd1cc698f'
c_prime     = h'0487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361'
info_mk     = h'41524b472d4b454d2d484d41432d6d61632e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
mk          = h'796c615d19ca0044df0a22d64ba8d5367dca18da32b871a3e255db0af7eb53c9'
t           = h'27987995f184a44cfa548d104b0a461d'
info_k      = h'41524b472d4b454d2d484d41432d7368617265642e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
k           = h'cf5e8ddbb8078a6a0144d4412f22f89407ecee30ec128ce07836af9fc51c05d0'
c           = h'27987995f184a44cfa548d104b0a461d0487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361'
ikm_tau     = h'cf5e8ddbb8078a6a0144d4412f22f89407ecee30ec128ce07836af9fc51c05d0'
DST_tau     = h'41524b472d424c2d45432e41524b472d5032353641524b472d4465726976652d4b65792d424c2e1641524b472d503235362e7465737420766563746f7273'
tau         = 0x9e042fde2e12c1f4002054a8feac60088cc893b4838423c26a20af686c8c16e3
pk_prime    = h'04572a111ce5cfd2a67d56a0f7c684184b16ccd212490dc9c5b579df749647d107
                  dac2a1b197cc10d2376559ad6df6bc107318d5cfb90def9f4a1f5347e086c2cd'
kh          = h'27987995f184a44cfa548d104b0a461d0487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361'

; Derive-Private-Key:
sk_prime    = 0x775d7fe9a6dfba43ce671cb38afca3d272c4d14aff97bd67559eb500a092e5e7
]]></sourcecode>
        <sourcecode type="cddl"><![CDATA[
; Inputs:
ctx         = 'ARKG-P256.test vectors'
ikm_bl      = h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'
ikm_kem     = h'202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f'
ikm         = h'a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf'

; Derive-Seed:
DST_bl_sk   = h'41524b472d424c2d45432d4b472e41524b472d50323536'
DST_kem_sk  = h'41524b472d4b454d2d454344482d4b472e41524b472d454344482e41524b472d50323536'
pk_bl       = h'046d3bdf31d0db48988f16d47048fdd24123cd286e42d0512daa9f726b4ecf18df
                  65ed42169c69675f936ff7de5f9bd93adbc8ea73036b16e8d90adbfabdaddba7'
pk_kem      = h'04c38bbdd7286196733fa177e43b73cfd3d6d72cd11cc0bb2c9236cf85a42dcff5
                  dfa339c1e07dfcdfda8d7be2a5a3c7382991f387dfe332b1dd8da6e0622cfb35'
sk_bl       = 0xd959500a78ccf850ce46c80a8c5043c9a2e33844232b3829df37d05b3069f455
sk_kem      = 0x74e0a4cd81ca2d24246ff75bfd6d4fb7f9dfc938372627feb2c2348f8b1493b5

; Derive-Public-Key:
ctx_bl      = h'41524b472d4465726976652d4b65792d424c2e1641524b472d503235362e7465737420766563746f7273'
ctx_kem     = h'41524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
ctx_sub     = h'41524b472d4b454d2d484d41432e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
DST_kem_sk  = h'41524b472d4b454d2d454344482d4b472e41524b472d454344482e41524b472d50323536'
k_prime     = h'38c79546fc4a144ae2068ff0b515fc9af032b8255a78a829e71be47676a63117'
c_prime     = h'0457fd1e438280c127dd55a6138d1baf0a35e3e9671f7e42d8345f47374afa83247a078fa2196cd69497aed59ef92c05cb6b03d306ec24f2f4ff2db09cd95d1b11'
info_mk     = h'41524b472d4b454d2d484d41432d6d61632e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
mk          = h'0806abac4c1d205c3a8826cd178fbf7f91741268e3ca73634035efd76085d2a9'
t           = h'b7507a82771776fbac41a18d94e19a7e'
info_k      = h'41524b472d4b454d2d484d41432d7368617265642e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1641524b472d503235362e7465737420766563746f7273'
k           = h'dcdd95c742ddf25b8a95f3d76326cb3593b7860bb3e04c5e5b25cc15ce1e5c84'
c           = h'b7507a82771776fbac41a18d94e19a7e0457fd1e438280c127dd55a6138d1baf0a35e3e9671f7e42d8345f47374afa83247a078fa2196cd69497aed59ef92c05cb6b03d306ec24f2f4ff2db09cd95d1b11'
ikm_tau     = h'dcdd95c742ddf25b8a95f3d76326cb3593b7860bb3e04c5e5b25cc15ce1e5c84'
DST_tau     = h'41524b472d424c2d45432e41524b472d5032353641524b472d4465726976652d4b65792d424c2e1641524b472d503235362e7465737420766563746f7273'
tau         = 0x88cf9464b041a52cf2b837281afc67302ec9cb32da1fe515381b79c0d0c92322
pk_prime    = h'04ea7d962c9f44ffe8b18f1058a471f394ef81b674948eefc1865b5c021cf858f5
                  77f9632b84220e4a1444a20b9430b86731c37e4dcb285eda38d76bf758918d86'
kh          = h'b7507a82771776fbac41a18d94e19a7e0457fd1e438280c127dd55a6138d1baf0a35e3e9671f7e42d8345f47374afa83247a078fa2196cd69497aed59ef92c05cb6b03d306ec24f2f4ff2db09cd95d1b11'

; Derive-Private-Key:
sk_prime    = 0x6228e470290e9d7cc0feff32a74caafa14c608c956337eba23997f5904cff226
]]></sourcecode>
        <sourcecode type="cddl"><![CDATA[
; Inputs:
ctx         = 'ARKG-P256.test vectors.0'
ikm_bl      = h'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'
ikm_kem     = h'202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f'
ikm         = h'404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f'

; Derive-Seed:
DST_bl_sk   = h'41524b472d424c2d45432d4b472e41524b472d50323536'
DST_kem_sk  = h'41524b472d4b454d2d454344482d4b472e41524b472d454344482e41524b472d50323536'
pk_bl       = h'046d3bdf31d0db48988f16d47048fdd24123cd286e42d0512daa9f726b4ecf18df
                  65ed42169c69675f936ff7de5f9bd93adbc8ea73036b16e8d90adbfabdaddba7'
pk_kem      = h'04c38bbdd7286196733fa177e43b73cfd3d6d72cd11cc0bb2c9236cf85a42dcff5
                  dfa339c1e07dfcdfda8d7be2a5a3c7382991f387dfe332b1dd8da6e0622cfb35'
sk_bl       = 0xd959500a78ccf850ce46c80a8c5043c9a2e33844232b3829df37d05b3069f455
sk_kem      = 0x74e0a4cd81ca2d24246ff75bfd6d4fb7f9dfc938372627feb2c2348f8b1493b5

; Derive-Public-Key:
ctx_bl      = h'41524b472d4465726976652d4b65792d424c2e1841524b472d503235362e7465737420766563746f72732e30'
ctx_kem     = h'41524b472d4465726976652d4b65792d4b454d2e1841524b472d503235362e7465737420766563746f72732e30'
ctx_sub     = h'41524b472d4b454d2d484d41432e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1841524b472d503235362e7465737420766563746f72732e30'
DST_kem_sk  = h'41524b472d4b454d2d454344482d4b472e41524b472d454344482e41524b472d50323536'
k_prime     = h'fa027ebc49603a2a41052479f6e9f6d046175df2f00cecb403f53ffcd1cc698f'
c_prime     = h'0487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361'
info_mk     = h'41524b472d4b454d2d484d41432d6d61632e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1841524b472d503235362e7465737420766563746f72732e30'
mk          = h'd342e45f224a7278f11cf1468922c8879f4529125181d4159e4bf9ee69842f04'
t           = h'81c4e65b552e52350b49864b98b87d51'
info_k      = h'41524b472d4b454d2d484d41432d7368617265642e41524b472d454344482e41524b472d5032353641524b472d4465726976652d4b65792d4b454d2e1841524b472d503235362e7465737420766563746f72732e30'
k           = h'cde7e271f8da72e5fd2557de362420ddb170dce520362131670eb1080823a113'
c           = h'81c4e65b552e52350b49864b98b87d510487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361'
ikm_tau     = h'cde7e271f8da72e5fd2557de362420ddb170dce520362131670eb1080823a113'
DST_tau     = h'41524b472d424c2d45432e41524b472d5032353641524b472d4465726976652d4b65792d424c2e1841524b472d503235362e7465737420766563746f72732e30'
tau         = 0x513ea417b6cdc3536178fa81da36b4e5ecdc142c2d46a52e05257f21794e3789
pk_prime    = h'04b79b65d6bbb419ff97006a1bd52e3f4ad53042173992423e06e52987a037cb61
                  dd82b126b162e4e7e8dc5c9fd86e82769d402a1968c7c547ef53ae4f96e10b0e'
kh          = h'81c4e65b552e52350b49864b98b87d510487fc739dbcdabc293ac5469221da91b220e04c681074ec4692a76ffacb9043dec2847ea9060fd42da267f66852e63589f0c00dc88f290d660c65a65a50c86361'

; Derive-Private-Key:
sk_prime    = 0x2a97f4232f9abba32fbfc28c6686f8afd2d851c2a95a3ed2f0a384b9ad55068d
]]></sourcecode>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>ARKG was first proposed under this name by Frymann et al. <xref target="CCS_FGKLMN20"/>,
who analyzed a proposed extension to W3C Web Authentication by Lundberg and Nilsson <xref target="WebAuthn-Recovery"/>,
which was in turn inspired by a similar construction by Wuille <xref target="BIP32"/> used to create privacy-preserving Bitcoin addresses.
Frymann et al. <xref target="CCS_FGKLMN20"/> generalized the constructions by Lundberg, Nilsson and Wuille
from elliptic curves to any discrete logarithm (DL) problem,
and also proved the security of arbitrary asymmetric protocols composed with ARKG.
Further generalizations to include quantum-resistant instantiations
were developed independently by Brendel et al. <xref target="AC_BreCleFis24"/>, Frymann et al. <xref target="EUROSP_FryGarMan23"/> and Wilson <xref target="Wilson2023"/>.</t>
      <t>This document adopts the construction proposed by Wilson <xref target="Wilson2023"/>,
modified by the inclusion of a MAC in the key handles as done in the original construction by Frymann et al. <xref target="CCS_FGKLMN20"/>.
The construction by Wilson <xref target="Wilson2023"/> was later refined by Stebila et al. <xref target="ASIACCS_SteWil24"/>,
but this revision replaced the "key blinding scheme" component with a "key-blinding signature scheme" component
which is not one-for-one compatible with the construction in the present revision of this specification.</t>
      <t>The authors would like to thank all of these authors for their research and development work that led to the creation of this document.</t>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>-11
* Editorial fixes.
* Clarified meaning of COSE algorithm identifiers for signing algorithms,
  and added "walk-through" examples of usage.
* Added subsection "Security Properties" to Security Considerations.
* Added subsection "Secret Values" to Security Considerations.
* Added subsection "KEM Ciphertext Integrity" to Security Considerations.
* Added subsection "Public Seed Secrecy" to Privacy Considerations.
* Updated "Split Signing Algorithms for COSE" reference from individual-draft to WG draft.
* Fixed undefined references <tt>WebAuthn</tt>, <tt>FIPS 180-4</tt> and <tt>FIPS 202</tt>.</t>
      <t>-10</t>
      <ul spacing="normal">
        <li>
          <t>Fixed <tt>tau</tt> misspelled as <tt>tau'</tt> in body of <tt>BL-Blind-Private-Key</tt>
in section "Using elliptic curve addition for key blinding".</t>
        </li>
        <li>
          <t>Fixed definitions and references misspelling ESP512 as ESP521.</t>
        </li>
        <li>
          <t>Minor editorial clarifications.</t>
        </li>
        <li>
          <t>Updated informative references to research papers and changed citation style for the same.</t>
        </li>
        <li>
          <t>Made "Acknowledgements" and "Document History" sections un-numbered.</t>
        </li>
        <li>
          <t>Added Implementation Status section.</t>
        </li>
      </ul>
      <t>-09</t>
      <ul spacing="normal">
        <li>
          <t>Fixed <tt>hash_to_field</tt> argument <tt>ikm_tau</tt> misnamed as <tt>tau</tt>
in section "Using elliptic curve addition for key blinding".</t>
        </li>
        <li>
          <t>Updated to match draft -02 of <tt>I-D.draft-lundberg-cose-two-party-signing-algs-02</tt>.
          </t>
          <ul spacing="normal">
            <li>
              <t>COSE algorithm identifier definitions for ARKG instances moved
from section "COSE key type: ARKG public seed" to new section "COSE algorithms".</t>
            </li>
            <li>
              <t>Added COSE algorithm identifier definitions for signature algorithms with key derived using ARKG.</t>
            </li>
            <li>
              <t>COSE key type <tt>Ref-ARKG-Derived</tt> deleted in favour of new <tt>COSE_Sign_Args</tt> algorithm parameters.</t>
            </li>
            <li>
              <t>Section "COSE key reference type: ARKG derived private key" replaced
with "COSE signing arguments".</t>
            </li>
            <li>
              <t>Added section "COSE Signing Arguments Algorithm Parameters Registrations".</t>
            </li>
          </ul>
        </li>
      </ul>
      <t>-08</t>
      <ul spacing="normal">
        <li>
          <t>Fixed incorrectly swapped <tt>ikm_bl</tt> and <tt>ikm_kem</tt> arguments in <tt>ARKG-Derive-Seed</tt> definition.</t>
        </li>
        <li>
          <t>Extracted parameter function <tt>BL-PRF</tt> and modified signatures
of <tt>BL-Blind-Public-Key</tt> and <tt>BL-Blind-Private-Key</tt> accordingly.
This is an editorial refactorization; overall operation of concrete ARKG instances is unchanged.</t>
        </li>
        <li>
          <t>Removed three redundant sets of ARKG-P256 test vectors.</t>
        </li>
        <li>
          <t>Added intermediate values to ARKG-P256 test vectors.</t>
        </li>
        <li>
          <t>Changed second set of ARKG-P256 test vectors to use a 32-byte <tt>ikm</tt> instead of <tt>h'00'</tt>.</t>
        </li>
        <li>
          <t>Clarified in sections "Using HMAC to adapt a KEM without ciphertext integrity", "Using ECDH as the KEM"
and "Using X25519 or X448 as the KEM" that <tt>ctx_sub</tt> is intentionally ignored in those instances.</t>
        </li>
      </ul>
      <t>-07</t>
      <ul spacing="normal">
        <li>
          <t>Fixed hash_to_field DST in <tt>Sub-Kem-Derive-Key-Pair</tt> in section "Using ECDH as the KEM"
to agree with test vectors.</t>
        </li>
      </ul>
      <t>-06</t>
      <ul spacing="normal">
        <li>
          <t>Changed DST construction in section "Using ECDH as the KEM" to include the "ARKG-ECDH." prefix everywhere in the formula.
Previously the prefix was added in the argument to the "Using HMAC to adapt a KEM without ciphertext integrity" formula
but not in the Sub-Kem functions defined in "Using ECDH as the KEM".</t>
        </li>
      </ul>
      <t>-05</t>
      <ul spacing="normal">
        <li>
          <t>Deleted concrete instances <tt>ARKG-curve25519ADD-X25519</tt>, <tt>ARKG-curve448ADD-X448</tt>,
<tt>ARKG-edwards25519ADD-X25519</tt> and <tt>ARKG-edwards448ADD-X448</tt>
since implementations with a non-prime order generator, including EdDSA,
are incompatible with the additive blinding scheme defined in section "Using elliptic curve addition for key blinding".</t>
        </li>
        <li>
          <t>Remodeled procedures to be fully deterministic:
          </t>
          <ul spacing="normal">
            <li>
              <t><tt>BL-Generate-Keypair()</tt> replaced with <tt>BL-Derive-Key-Pair(ikm)</tt>.</t>
            </li>
            <li>
              <t><tt>KEM-Generate-Keypair()</tt> replaced with <tt>KEM-Derive-Key-Pair(ikm)</tt>.</t>
            </li>
            <li>
              <t><tt>ARKG-Generate-Seed()</tt> replaced with <tt>ARKG-Derive-Seed(ikm_bl, ikm_kem)</tt>.</t>
            </li>
            <li>
              <t>Parameter <tt>ikm</tt> added to <tt>ARKG-Derive-Public-Key</tt>.</t>
            </li>
            <li>
              <t>Instance parameter <tt>hash-to-crv-suite</tt> added to generic formula "Using ECDH as the KEM",
affecting concrete instances <tt>ARKG-P256ADD-ECDH</tt>, <tt>ARKG-P384ADD-ECDH</tt>, <tt>ARKG-P521ADD-ECDH</tt> and <tt>ARKG-P256kADD-ECDH</tt>.</t>
            </li>
            <li>
              <t>Section "Deterministic key generation" deleted.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>Flipped order of <tt>(pk_bl, pk_kem)</tt> and <tt>(sk_bl, sk_kem)</tt> parameter and return value tuples
for consistent ordering between BL and KEM throughout document.</t>
        </li>
        <li>
          <t><tt>info</tt> parameter renamed to <tt>ctx</tt>.</t>
        </li>
        <li>
          <t><tt>ctx</tt> length limited to at most 64 bytes.</t>
        </li>
        <li>
          <t>Encoding of <tt>ctx</tt> in <tt>ARKG-Derive-Public-Key</tt> and <tt>ARKG-Derive-Private-Key</tt> now embeds the length of <tt>ctx</tt>.</t>
        </li>
        <li>
          <t>Renamed concrete instances and corresponding <tt>DST_ext</tt> values:
          </t>
          <ul spacing="normal">
            <li>
              <t><tt>ARKG-P256ADD-ECDH</tt> to <tt>ARKG-P256</tt></t>
            </li>
            <li>
              <t><tt>ARKG-P384ADD-ECDH</tt> to <tt>ARKG-P384</tt></t>
            </li>
            <li>
              <t><tt>ARKG-P521ADD-ECDH</tt> to <tt>ARKG-P521</tt></t>
            </li>
            <li>
              <t><tt>ARKG-P256kADD-ECDH</tt> to <tt>ARKG-P256k</tt></t>
            </li>
          </ul>
        </li>
        <li>
          <t>Added ARKG-P256 test vectors.</t>
        </li>
      </ul>
      <t>-04</t>
      <ul spacing="normal">
        <li>
          <t>Extracted COSE_Key_Ref definition and COSE algorithm registrations to draft-lundberg-cose-two-party-signing-algs.</t>
        </li>
        <li>
          <t>Redefined alg (3) parameter and added dkalg (-3) in ARKG-pub COSE_Key.</t>
        </li>
        <li>
          <t>Defined alg (3) and inst (-3) parameters of Ref-ARKG-derived COSE key type.</t>
        </li>
      </ul>
      <t>-03</t>
      <ul spacing="normal">
        <li>
          <t>Renamed section "Using HMAC to adapt a KEM without {integrity protection =&gt; ciphertext integrity}".</t>
        </li>
        <li>
          <t>Fixed info argument to HMAC in section "Using HMAC to adapt a KEM without ciphertext integrity".</t>
        </li>
        <li>
          <t>Added reference to Shoup for definition of key encapsulation mechanism.</t>
        </li>
        <li>
          <t>Added CDDL definition of COSE_Key_Ref.</t>
        </li>
        <li>
          <t>Editorial fixes to references.</t>
        </li>
        <li>
          <t>Renamed proposed COSE Key Types.</t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Rewritten introduction.</t>
        </li>
        <li>
          <t>Renamed ARKG-Derive-Secret-Key to ARKG-Derive-Private-Key.</t>
        </li>
        <li>
          <t>Overhauled EC instantiations to use hash_to_field and account for non-prime order curve key generation.</t>
        </li>
        <li>
          <t>Eliminated top-level MAC and KDF instance parameters.</t>
        </li>
        <li>
          <t>Added info parameter to instance parameter functions.</t>
        </li>
        <li>
          <t>Added requirement of KEM ciphertext integrity and generic formula for augmenting any KEM using HMAC.</t>
        </li>
        <li>
          <t>Added curve/edwards25519/448 instances.</t>
        </li>
        <li>
          <t>Added proposal for COSE bindings and key reference types.</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Editorial fixes to formatting and references</t>
        </li>
      </ul>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>Initial Version</t>
        </li>
      </ul>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact fullname="Dain Nilsson">
        <organization>Yubico</organization>
        <address>
      </address>
      </contact>
      <contact fullname="Peter Altmann">
        <organization>Agency for Digital Government</organization>
        <address>
          <postal>
            <country>SE</country>
          </postal>
        </address>
      </contact>
      <contact initials="M. B." surname="Jones" fullname="Michael B. Jones">
        <organization>Self-Issued Consulting</organization>
        <address>
          <postal>
            <country>United States</country>
          </postal>
          <uri>https://self-issued.info/</uri>
        </address>
      </contact>
      <contact fullname="Sander Dijkhuis">
        <organization>Cleverbase</organization>
        <address>
          <postal>
            <country>NL</country>
          </postal>
        </address>
      </contact>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+2923bcOJIo+p5fwS2vdSzVKNMk866a6tmyLra27bLHcnV1
b4+XBJKgxFZmMptkWla7PN9yHvaXnP1jJy4ACDCZkuyyu6pn2qu7JJEgEAgE
4oZARLfb7ZSVWCRnYpYv5J5XFSvZyZYF/VZWoe9P/bDTqbJqBm/fXEpvv7xZ
xJdFvshXpfdazvNKes/kjfdELmQhqixfeNv7r5892fHE7CIvsupy3hFRVMj3
e94WvtjqzMTiYs+Ti04sKgltbva8bJHmnU6Sxwsxh4GSQqRVNypEMpM3s9Ui
iWRx0Y1T+I8ori66QdApV9E8K0sYr7pZwicnR2+OPe8BjFrmMFK2SORSwn8W
1dautyWTrAJgxAz/ONl/DD/yAn57/eZ4q7NYzaH/vU4C4Ox14nxRykW5KhU2
AO5+RxRS7On21znAUOSrJTw5KG6WVe4d58VqvtW5kjfwMtnreF3v2eFx571c
rKBLz2tv7nkM+9ZrWUpRxJfeE2yHLy4AcasIXv15FWVx/oimXaTxVqfTEavq
Mgd4u16R47Lw5OCjdDWbMQKP5tnMe64QB2/y4kIssr/R+ux53Cc8LqtCymrP
e/J//8/7mbwQQApeGMKLOKtgVU6rPL66zGdzfJKvFhUu1ekR/CXnIpvByDDM
/5RzWKFeKTsAUA3B/8ovF95jXsHNAKh+3svxX6rof/KPXpzPO7gMVZFFq4pn
Wnd8KLKF92M2K8t8salj54NXspKFtz+r5mKx/sX+hVzEN14K5HCYAdbFzHuS
v5fFYg6k05i30+2LLL4UcuY97sFcF7KEttkCiOZFz3rijnUqZ2n3pCxXMvEO
gMxWsypb4PKsimzPu6yqZbn36FGJrTJq1cN98ciG4qdFVsHXpxXQaukCdAr7
WOIs/nJ1ucrWRz+YSZhXJGClrA5/fN7pLPJiDo3eE6medA9hBUrZLZezrOrC
LoZJ4UPelJms0q71vswuFjAJatf1fexg/8d96gF7+/Hk9E3v+OTVaS+Y+N2B
+yj0Q3zw+vggDPyB+nUwHUzVr8PJSP86Akakfh2PBxP168QPxubXvu5sMgp0
28kk0E+n/tD82p/oBtPJiAY+PToI8CdsSVFc4J7A5YDVuL6+BtqOL3qATFia
OOi+D3vLJKW2eifi711EN2BZFhWQ4NzTe5peEmvxkJ3yGMxPH8KoXgC7dTbL
lvCVd7Aq3kuPmcRFIZaXNw8ZtvBesIW/CrbAX4Mt3IOm8MEcOWnShPMwn+Ne
fCUKoD/YY+XDTgcJtkFMiSJI5t+XCTBJh6La3sOnj09e9VumjTuEmSPyiUdR
VsV5toCfy/JRNMujR3NRAiz4AMixH/bmwB7FdXaV2bODzr1+6D3NQGYBHrIY
tv0hzmGeLbISp/izmM1kVbagUnGVjNjKz6sM2rl4RAa6f7D3uJCw5Y6zMhy0
T0Mui2xR9TIRF7SCsB36j4JwPNw46P8S8V9XcpYtJLBWXJOZ8/pUwu6uMmDi
MHAxz4mB1a9fwFQ9gCe+hB7ojcd0sfVGxpcLfCGRwQCXKLPq//6fCnhtMQf9
IKm2nBmGfRuXW6/ysur++0osqtX8PvoB8trjk8OXobcfEx8iIoNRb3re/unJ
/sHrP7964z0MBzjqzzLaB0wsurrN3kbsNIVe/aYhM2rQde9eoXr35IcKpD+L
BnsqgGsUkLALgD69i3o210CM+aryyktQEhIPtmEBdNPznmTV01XkIi6Y3kXP
Stxfw0rSrDVcXQMX9HBwcLp3/OTZ8xc/hv5mdPyYxVfecXGjxJ6NjUUGguuJ
KJJLMXdeHRdi8besvIIJP8tkKot7IhhI6wr+s1jNsvJ+mL+bTmABFvA/Mbsp
s9LLUyXcH5beqyJf5iVsWaSkn/sHhkh6iBqgHH8P28QStv7igr6tgLSBcH3Y
mC+805Mnp/sHKIJhhiD+pQfreJDPlyvc0iBG8Y/5agFsAQEpYWPFIKKrm8Y2
8O+7rf1Hge8PoPXRT69fnr7ag1UB7AO+wv7XXb+1dVDovueudHYyi6HyBtjp
vPTSAuTGc1EBb5RA3cgEQOc+OvIm1aV3tIIVkcB3Tm/msDIZfA09aqwRRl8V
2XsR37TykfvwxQHtndNL1KM3ouyPWQz6IreyGdzJ4xfe/wZYQMM2qvZzETkY
cqkK5nJy+hL1rEUCeGbsrKIZSAbE29EiRuyQtUPsEn4Je/6OK+yD1umR1EYI
ewtZPVqKJXz/KCvzrpbdxANhi59W8udspqVH23wP89XFTAB9VjLKZsIVBkuk
7AKoIX4OnGnhQV96Eyq0GF5/g1vkZwC7mOW5s00VMXRPRSrX2DXvP7P3FNya
c3/JOg8ejcYTi+vv4fbuGW6I/fA0sNPNePk6c3flWtvcX4myRINvJsvSQ4DB
ZlBMoweDoyIC7AoeAwe7EyWAkctk1rsEiptJog1gGkH4KJj2gxGYfZ1ut+uJ
CGw2EVedzv0NceCeQM76S8sury5FBXa4iAB+LeDwO0CIKG9A6wMLLPaWTPYb
xN5F9h54rCfiGHEAti1y2jgvClku8wXyX2+JWx+gQ8Wu13lzCfDEYimAYhH7
enzhvRcFKFW0HmIJxoXivnsd4a1KZMwwfAWfLjQc0luWcpXki5s5IqEGlABZ
FmDvwAc46yuA43voZw5AQjcgpclWcvqSy0s5h19nqAxkywy/bXQpF7A6IC5g
7a+RK5Cwj2++71TXMJ7IUAEQDhkAWt8jx6ShpAC+cylAdYYmWeHl1wsHOd71
ZTaT3AzbF/IiQxpywIA+I3kpZqkWazn8p+h1GLFJHq/mBHmRv88SidQHNr5H
mrqxqTVayyXMNNWgqv4IITAaEk9NLLAEtM6aigDueYZqfol4LWWFn6Puv5oJ
QhBaw8A9QR1FI5d6bvlYdQuQodok3W5BbAAWQCOHTmZmDDB4bzTkgG/zKcHL
g6KI6vwMmPwAzYACkM5FkmQ4TejJNAIqns0AnbBKKSjVCbwhQNNVtSpkT2+6
eZbAlux0Pu6Rr2PPK/NVEcsftlAh2vrU6TzwTgCzebKKcYTP2pvqO9oAc1DD
QbaXsDNzi8atxde77v7b7XQFxGR1jdwAdhNgkRYJlAtAZgybsMhyJEBglsJb
yGt728MnC9ClZNIB2qERrTG8y3yGewkb5QDZewGSCHY0bUFZIEnQJy7/UHxg
LmC7x6Am8MjOZgDG7ZUgznlZBGycIrmmh1qv4L2124FtA5PEvmApV4saBJjg
LI+vcFcy3FU2l7fMD1b8NIcWsGAICGITcAV7sZSkRSoSi2erBMzbTtc7OzuF
RjPZxWYWz8QJnJ2hUDpavM9QPZCsQyAQRlsCGZQvQEAkyvGUobsSJ5aiRY1u
xl3ogWcHMOIGAKTiUOXGUW3OF+czgBRnARILd0uh9DjedDZhgRJBVDRj6mQh
BOQDE0ButAYhbDn6FZ5d56tZAhMDUgf0s+OKCBUQbcEJDClPu/A/ULIAnaQy
wdA4Q3idAF+DbZ0jd+UZlMS7kbrroeCNMHNB4GhBJOic1zi3CFgh9oP2MTKP
PE3p9xXzfE3luCy4Fvq1ebGr+lMSCYDoWhIP1t/GGPZgTa+GEhVvvU8XbIIQ
4GrLwow2UTIzKtxPZXOX0VIcI9CLVpgviJk20EVrAXITfhTI79DhTKwQmB5s
WfgkWd9yEag5ieYsJdAhQ2lBDYoCihiE6GTBSKcdsmuLbb33SV6qrZnNUSoB
G/EQc7HL2lDgRdKwPbXp+c9Zd7kqgG6QowMw1L+EjQUcloQdMnQpEtIcNLig
Ac5A1PZ4mx6x5E6aops3KR5s4CLqLY6wpCJGBQVx0/gGIQPtstIiFUxzszxa
tOx6b6E1ATrpDXsD7Pr18YGHXsh3b4s0xl+6CWgMcdWF+XfFBYhpnMw7ZKO0
lgLdN1unhKmDl6dHyANAomcXmpkI5o9doPWuhtFGC+ARVAPsaYGCVJGO1QI3
33+87fV6//FubZLbJagNb5VD9t2O4e/xZSbf4wYBhR/GF5VioiRKxexa3BAf
oD2tOR50KFHd1ioGzSaP/gKT76FevA/cdYnrS4SHjE8USIalN8uucNFReF2Q
/uHNUGX2+MwG+yPiQVpJ3hPiDVdQu5jImNU9W6repe2R6gbUmygCegxK5GrZ
kGJMPbju8oOYL2ew7Dicckk0LAJv/9WJ91ZbNu+8bf3rjoGqVLIJR0F1khBI
6qBQ5keutEgwiWAPVdIwwZi4MOzs/FqxJtDEgBQlqCCzGmZCYcRzsSQgSV+t
bnIjV0bSOKSdCbB9LB0XhuKhDWaJIQh3DlmFpxrElIU9LlOx0pwVWE7nPbU7
296xyEAWS1IPiE51RMJHMdAWeHNFJggN7nR8h1+XYOOiask6B2A7AxZaOdqB
QvUC7LlK+ZVQu16isykBrlMqreCEdVZ19lIzmTNtZaH4FUV1c+as/RnsuYRm
cUbQJVkZz/JSUfGZQhw2OmNZeFauIrA/swUpitShUhlmmm/DjEA9Bl6ltfAz
zfKpnx7B+6rNxqvBXhsFt7eSUTVMBNKqAq137hDdusaFyJ/lAI9SE1aL7K8r
gIzUSVI9zgzvcGlQWY+0XoUELQolBeqwNUNAHa9U07LUVBJ4jXk1V4OnxbTL
cNAy2LIYJ4pyNFcSdE0ddpVxJUfXbWgEu0aBVpCV8b9poowuZ7b1VzDnzo95
BVzvZrcWY/B5tMpmaOdXGVEDK3+yxJZZeYkmVH3ghPa+McFQScfR/7qibWVZ
bagGOBsZfuEJ4yHCXKqdjm9ADotluVKKZW2HbD87erFj6+5oe62KBQli0Vgy
sMgWLE23nx0e76jutTXfMLnjPJHe9ov9gx0FTa/zmJSUfIFqMduA9mSgs78q
P1eBrho0W2F1gBUuBDeRH+ApK09zKUkvLQ1mUJKWPe9t02/3DszH20W96xSE
pl0+yyd3GPz5SH3du6zmswfo22rtB8Z58ADszBoa7znIyxXgpkNLSCwednDp
bb346fQNBkHgT+/Hl/T766N//+nk9dEh/n76dP/5c/NLR7U4ffryp+eH9W/1
lwcvX7w4+vGQP4annvOos/Vi/8/wBlG89fLVm5OXP+4/32Iz2/ZWID0xCweD
WBZLNOhhhcsO6DtxkUWsDj4+ePX//b/BwPv48X/QmXEw/fRJ/TEJxgP4A+UY
j0aygf+ExbrpgGoqRUGKAugpQJJoz6DKCnbVJTpiQFNCZfG7t4gZWJl/jeJl
MPiDeoATdh5qnDkPCWfrT9Y+ZiS2PGoZxmDTed7AtAvv/p+dvzXerYf/+m+k
CnaDyb/9ocPkg6yDvRdIMWmOmgRu6IV6rhwHyA1BN7sg88ZZRBJ9JC1u5lE+
885/+eUcWRebciAt4wp2TlkV2uEDLG2hnAHw5XPQZlAdQ3VateKtaX/HnAfs
G1CRE7IctVQ7ODx8DiMvKvHB9uZ8/Hiq1PB+L1BKOMYHfPpEg5oT7ZhOtMEs
L9SRD45zDbYZwMjaZULcwqADRcj5v5wrWMBYzLNF7WTa9bKe7LE2yF1TBFA9
wPf4+XfNz1Fly4wJpTsx7N8d43ulwiAUGPVk+ipjAUqyaefN82Q1yy1YgBOw
+YwQXMIOuMwu0FBYop6e0IEY2QzQs4bhXHj/4kXed97BORICspr3YkYmes4v
t+ntzjnh9fz50Y/bH3aoLY4LLS+qy13EJC0nbDztvbSp4vzDeU8RkWH45yfh
y9NX58y9i4pU5HyxILn9nvnFBbqfFqh9LNz+RNlOC4OaFvxgTLTQefCl4W3e
xwcYnfWJN07Da7quK+qJAQpIk1d2Muq/6P8gI5TdyRiskS1BFoFWWbUrj0pH
alEDWXavKTiWtrlgWJs6pwSxuEHfrNpUwQ4rm1dSLts1THUkzgCta5JGA0e5
36JRGiXSeCxstxUAbGmNJWi/WmFbmzoOZMawALR0FaXzucrdRu+q9rnjGlcF
+35rL2GpPNWJHVayi/EF6ALHrrLFckV6WZEvb5BW5Qfc+2ByLE1IDczHsY0R
IBKRqMMUAG4+RycNfIe4v1liJAvpeLUzW8QCLFnA2Iw4LHq2vbd2CMG7t+/A
LjXHavSnG78Cj3qdEzRwkdErDglixosvc/TKAGDaBZPpVjT2OeKie0jI7J4C
ss+ZZYHu1z0ixfC83hA4VdjaDsIs08rLgTL1WQLYlbgouJ9hmc6zq/m5hTUi
AoMWhSaNaI2+GZ7b0Ppd5uh8S3KpXBxpiqcG1I4YtjqpimR1LaU+IdBAr09x
150221Zd4CJq8s5LJid622uKXtgsyomk+Zh7jKKdTdbMlYjOa6JkvzexHiLM
mv90eCTmPLxlUjpswfEUe277sMcKw0nL6MwKu/Sk/KTsZdoicyZh9tCtgBLx
Vzq6qrmlMjis/rD5wj3ZQclMqsb54+fnFCPiesDXTBGbtHc1Q8b3eYpCvOsd
G1Hz+HlXMXpaEWSK2zte9w/e9vJq1yuvdmDAJ7VRa0bSvg7ADJ7qntDGtlk/
b3Vohq3neNiM/llNkUS+6tuXq6r5sTWQZXGdL6/OFeuqX1t26Hl5xX02Jvjq
9fE2jHdWiRVgo/pA84M/YGpMk2jY0bGq2jem91TE5JG5dY72nHCMcz6kJzgT
DhgsJa4wO4n1UnvnAMotOEBabADinWP3bVN8jA2tfUerB41pqsurMz1bi88Q
14w5BEhj1JE1G6e9eXV2ralvhv326TowYK9nd0y65ifbpTXr8rNm7ci4u6fd
oLp63rev2t0zdzuup878nuMa8qVA35Gj9xkuQ6eArHzayqDidw5f6al+aZRb
+rb8N6wmncM+zHkiMK4j2oysO5T0gMZAQr8D9iLKgMMXNwp0mjO7YpQ1JQyT
NmxA04aykJyJghCt8hhsMvJgZIv3+RXIOpx+75aecSl5uXiA0hpgtTCKtaMW
oLojgN8SyKfS5b7k02sIGXMEtiRZW2UAmPE4KXpo4+rI/dnUAPyiHLjV2fSW
QsKa7N+V5CwM1HKRcIZN1H2FMgDIoikGDK9cH/bbSoM2EbCB71u0SJBDxzXL
34YH8e0z2bz5F40pt3K+dYHwlYSBcINtaQeqYBEXLDCfQMEgj8J57GCFNySx
yLjGyRWhQ/cgmwNtxEcDGU1+eCtUX08+riMFeihXdO5M950QP0WBJyCod11n
pfy23JT4R6y4B7E9ZB0tQ5TtXK+NNRmel60B8LlcTjM5NfU7WJphwkA+HrkE
L1awOmAkKCdEoWIJyWY0S4xbYS6FOn0BuK4W+fVMJhdSt23b0KSN30UN0HNm
MUv0rRTqmBMogOh3cdOgNoZBHQwo2tB2qqF7g9GNpq/iMp738ePlXMTdKzn/
9MnTztqyPrjXIWHE+i/zawIJMahAEIlYVmyxqLgadioa3PIgfOzdZTyImezC
oDhgVsarUh9FwZxLlCp8clSjhoMVtDxa89K3SSUrWOy+AmqT6CH5hEeHrZFq
FB4H7YmgOKjtRhn51usO8hh0FqnxRJS/l45BhoSplBA+vuaGKCXNkQye2aCf
sGpv27CycBGvL3M8jXIOuLO0VcdWu7xNETXq0dHB4SnJabA9yeWzPqyKIgAo
176BWf6sfb8AW3vcn+EFokIrXxnbP+6/OAKhhPZ0lVUrEv+46uf0wisx5ouJ
d2lHQsaXYLMuGitF3yFatXIHi/sjgkQ7i+hODw40jv6EbGF2A8enzaPsYsVH
pLClwSz+vpM1nSvqzMHDrubLyjXp12ziiHtipwEF/GkYmMH2OgftYZI8UB22
wQFeFFgJfc7yHE/dKRKHowOKm7YYzGboJbnFMicWjWOwcGtZvlFAxEJNmM/W
VJzQAm0SeKFi+KBnOspWjgfHPdz0viifnHmPy2F7WNtcgxt8pewDLGsqNZ5S
79xoguRqQuenG7JFTUm4sDjeVWfyTQenFmUqXDfZ6Gbd5D6lDaMjGHTcpfJe
3ho2vI6Ezn/+53+y5Y8nqJ0mZslrEM1IjTwDhu9oxKSXuDRZu3H2VOC95z1+
rn/bb9Pqe6Yhigi74Qbuamtk1jAMaa2rbVK1cS8/ft5zvoOZ3es7gNBRx+rR
NU48usDkEg6d4NsEsLwy39n/bK2e2pVXajSL05uBKFRgFivhLUrlQ8RoFAUQ
LRx6AaIZwPUDzLrNyMG35gtABPbOS/2Dt8Euotf0zfIKWumh+Ht+UdKLkl+o
DpHWaDfjwWPD5Yv3APDUw/v4gAm5ixjoNl3D6F60rgkwB0lycuEuyK/v+t7Z
oZsKIM3add1pdV23+nRbEFALveaL37svm+jwi93Ut3LhuqP78OI1jrarAp7r
MFjaQg2muU5q5zpaRV2rb+jVD8+1ymmzWrxVSUcpdNomSx1fnTleZSs+5sZY
GWV91FSPaR0inV9dmiHJKb9B+HxOKBHNo9dEq5GaaPC0RkPVQUYU0GvhcrfD
R+hJltJdyErRX14Yi+2CTvdhuraBUYd2OaNZEudWeWL5ZhvL2PRSwIx3vavL
35mAIZjbhnGj1UxjFiqtQ7V9AShQv504PhQld5peGv0ZIE3PabFmwmu7HbSs
vKy80WC3VfBgQLMKFsyXygRSQc7IFtqFlRX2ra8UeSYTgLl35/7b1hag9zdg
TV0FHsO7s0GyAjGYRWtz0et2V5eeaWdtSTb0Cr6xZjmaW+GzN2IJ465tRgCm
VSQzvd4lk8GMwhgJovM/eKNBPcl9YIiVDvVjh40aBxrT/H/wKCZiW3ew6wU7
3i+/4HvdjsjzB++hvelQOIG2A11w24emMZJnS2NUcR6axqwY1EdHWikwDkbW
GPT2reU/NGeNo3n0ZNQNXFdq0XJyQ8wBjzEYAFjaH7yY1YeTVNlbWq6iYYwh
IsmK1GCNPrI2rVZIeSrYl6IrgebsqGHikedN8eJ4sRRP9PA+FAe3MtvUb/Ai
kZTex48Y4tmFjz59Iuq7WGWJUBfOmfE2e8QPdMz+aABCo5LqwPVemtLy6jfT
k9YUCOsk5KupQ383bchVeNTB6ZqTw5ryfFVWliHtTLWTUpg827T3HPJ2Hatu
+yUG7yYdyzFeGxr7un7lugMfutrOfTSoDvkH0JVl3Qljpyz0pjawraHdqBtS
6uSt4Z60z2p/rYZkYcJVfCxVjVqiSDG6k3uZqi0q/TadyDq6beAeJUqtEwF2
fl/aULlRG7IPkq3Wt6lDbZ9skOdK5tKVxnZO9N9INyrbdKO1g3xLVcEP/msq
KUrHME4LddTH+onaSbV6AlpEffZBHl6RzWRyn7nerdmUDc3GCc+oVRtSZ46w
59IEx1taDUbH17F9C5UUiC7huc55O9iAuB7OhdlWfapZqUMs+2QIjVVY7ayi
L0q+d68PtYBZxFe9zvqxRempsPXIcpbjuYFQnJqc0ZLnhbPIMAysRL9uB88R
cNRroLo6piLCbDEglxayrPiCFvJ4lNnumRxKiQ3KR69zstBf0Q13jKnEcN6m
j/2WPrR+lAAGRKLYvToI6vAB+BfA6Ah41A/poGPT6da30CG9n6wP3ovZSra3
BoXSjMqHS/xJfQJ5G/JudR91MrzVOc/UqZ/QzBexavivhlkfJERAvhy7C38Q
3M69v9ika8JLpygONkRFa/f6eih1R3l+jGDX6FTDZeqmsxU+iYfoElZEmluC
eJqKB9h4bItnSvp2MA5Lc+bus7+pw186K9Kara1lrDemDT+b1Yfc6vITLuyJ
mzBFH0/evcy79bkT7lBU9wkHlA7ur/gVnyZpo8G+jFNH0w97/V5fxdNjakUk
3Vd4q7a0jS77hBVZwUymFZ0yLmzgu7WM3HAI33nAIZg6Q0mDIX18oPKXdHUy
kk9KG9T3sfmUvzR5Tu5IWoKqzPssWYGsZyXZis1mLdpWe4nVUqTuLae97maU
7h0Uc20DwXG0qY8P9K9diVbdiTtzHXl+jYzYOeDlS/vOKPi8oyPiN0Gg1OxN
4VeNKPL/ZxGVy+/teK9eO+LbgwOI0rK1Kak4L9bnVXOt/9eR0rbyizFhcfGe
Y4PdqeHlknP4+rJb5V1o06VIZIoeM08JBRyh/FYR9DsQ5Sb+hQIZoLF1u1Nd
uEkzOaOQABqexjo8fXMGDIBGWI/nqMQFH90v6sN6h8PSehrjRaOmqanBOE/M
TRslSnNz1x4vOqorP+hsV/eQbCB/NB9zK3z5pOUiDs76rMrPaJ5OAI7LDhqs
oGHytJ88uYeJpDoh7qLZGZ0esdYHnx4ddJ89YX1P4bY+YnLg2yY/FKic9WXw
FgMJ+tirBzKPj/e8J8fbP+7sri2vra7fgWDAb+243PN+NH/M97zA/PGc02o/
t3G5RqGmtfywxGzdivfzp+4zs16thgX+u3Wg+iQPUPqd9wQY1S0x4/VCsSZs
LZOzRrbezy3X1or7vvd64eD/XC1anHtEu+tlVcsE6/svtA5mge8TPN5ROw1/
P6vmS6YR6kjbUc5Lf5fdsU3Lqe6FetBfmBNhJRafvtg/IAURI8RAZqDFotPq
WJZLbaV8fGBC0egiPF30vcWZYQWZtXa423Hi9jA/3SxLmpaTEv4ccKevHeOE
1+L88EPbR/UZspFwQBcaVfQcnsDdCnwHI4IKSoHP6TwUNtdtP2DQjgl5dHD4
tPaY3j6K1yWIGvoDX1PNSoMy6rL+vqMTb9wagqjyzbV0r31ztNE/Xzd4CtuI
BLKb9gB3l9mO9xDepltqe7qKYNvM7wxEp7BZrUXrFBcURWZJfhKn9kWqT+iP
kh9iCTvBDEXqOtiNaIBULRYaYhmb3L2MFKxrutWk6ATHm/drkQ679Svn2kPd
Xl19YDOyMdXblBxl3GrAdjvEEt6qdPHvaJinzw6P6RHmin+3phc9r1Ub1odr
Y5PpoL6R3ONry8dvtv+06y3qq8tpVoBJer44V5axvqNyg4ffRQFwn/9JKXuv
X746a+nBbWqYWEvnHOJYFSu6HE8taM4KeNi/QTjxIrygux2MFOA7HW0dO8RF
RNTuWdhlVw5b0K37mtgYJbws6cCMHRwLCiRHeiKFXflDep0jzE2doHbc1S5Z
QzdkFembMozyevWV96isVBpGe/k7Wmy4Kwe2YpEDC1B5udTxRpmpyHcO1cVK
BzPXb49Qz6S4sn2vKJ/UQtTk70bRs+fU1WA797kiYiKvOELrB2/D/qEPO9zn
7Vc1jHsV/RpG2cLvkEY26lvbeCAdP7RBaBkH+1QjLAtU/3BjdY/4snKtkxkf
U62S4Zru0X9rV7SYVXuE8VJW5unJsxd73pV20cIqnM2v1qaBBLpxKnMLMNSi
PheuV6+f7eH06jgLgGJPw2Irec9ZVcXhECjspQtbb/vZD3PUiwCuHwCl1lRa
ZsKEtHEy33AuV019teZ66POvOR4RFMDBgD3saNJuvRvTMTghHgevghE7uWP0
cdfcz37zudRK7nJXdDAgD38TMv1GFPcZNG8IkrH/8C6SpCmktEzVwxq2z5nH
hrm0zmfjnO6g/s8g0KMZl5Lhf62HMRwNsqh9blaGX3TS3k9FuUWZ2l0P0AfN
SqKbdqEltat55dqBy9dr6xMBRcXnjg+QNGQlJVE9//gAzJiujJPLzX4+7b2j
b9+qGjnvbKfdrVdS2r13a7djvooPT12B+SInnmg68ZRRgePh9IkUXBz0PkvN
//34Ay2TgpRlvuZjpUOwkkDUaKNoFqpyU0l29jP6cCyxuoCxznlvIpKcDfkl
SnlTx9SE4VwEa/XhWIvCPxsYMQA3DKo3X9UOMQ6VxmE3DKmTQXWpvFH3FZqx
SAIvkRl1T+n0XXVqP8ImbZ+qm52FziKz0IUiihxvIEnHfWryfIR0mIKD4G+U
N/YtFqd6xyEJ2nhgGxt5S8FxM/pyKy6yuZxip9/SvAgFZX1d3d04NEQzObS3
bZn1O+2Xjrflh2W+kPTeun/85W5p+nyTYxreuhq5d6t2va6Ws88SaNX2LpMG
DuhwHMxAj+qLL3UxW05LHtB6cz/P5ee4LhvOy4b78nMdmF/HhXkfl3PT6ezd
ZqysGUWeirstrx7ebWrxBziatVeU5sTq8H0YAQ644wB6q9qsY1zvwzi24511
IB/qa1ak6+CFwz3OEWoCwFAOqOyWYLyzLlO2eoZwH93TZ1OrKH8Kh8NgihEV
fxoMJuvKygd63/0AL+/WWRqdvVVl/e6vvfyGaglwCJ14BaST7SWzpuU+dub4
BYrA311Anz7d7w6D0HvbqN/4jq7/2hhADs3TRgGFxZee7j87Cocj+9vQD9/x
mK4zZzRQmn57t4C2po5QazJ/aqoyv43SUIs4N5Ph5UMQqM4/z/c/98HDcx2G
dwvOPU1vawAMfzUAXxlmWlAdh1hKoxzNsqqayS4eVnAOj9wp3KZyPJbelFZn
qFQhXRcDm6y6cW5ifexCNqRzsLakHlvB5VZqzq+iVZCOAC9tkWYhgWTDk52/
l3hzR36IVxlsKbdEJ8f95VfbXOLfUiCZSK0rlUie4rOcYBXsgyWUiZxBUYVf
YQZlkFM/U8Gb5nV6k92c+scizTrVthlnLTBGXwbE8boU8G+nTGiG2NANeEm3
Lcq6VoLb4Zo33w7/+USnaKS+Z66XHQFY/9b4Ez41DH8AttIRKJh3lCKG0LsR
SQfFvc7r9RxRHB5m33LGL+sqBPa9DpREOUVLLus8KZjSIKtWGGd3hcVg8EIN
ddpMSEV5CuKZFAXSEmcpuNE5F3RBnGZ/KgeBCs7qcGWClqAm/MNeP/b6dx54
bVkTtAqxIaxsvWLVPSLBSKq9Qqn58YH5XUVempQMhQqqxHdrpl2trzikbGVK
PNoc5XUbnW2yboyDBmFEUa/6PQeELAHCIjgnyzV8p6y5Nj/LOc7l7E8vDvdQ
48DfT09//uns9cuz89rbor5f0wLw24cs+DkHmPaibSb9rzUXS01qqDqsJn3r
KXeoKtM5X9lHLUbdxFdskxM6LdSZoXP5rY4vd+iko47i1BUHDMWFvVZWHk6P
DhwpzRXds3Jotj8ZGJqF3zfSLLz7ndMsQHhPmoWWZgHx989ZQGj/d6DZtrlY
NIuL9nk0+xWm/PejWZzebTQ7DANDs/D7RpqFd79zmgUI70mz0NIsIFh2n7WA
8O3fgWbb5nKXOfqtp/z3o1mc3m00C3z4ylYOrm7TDq5+Z2QLS/qkIVKv7kW2
pvGvEZhX34B47zOjX6MkfL2J//aqApd7i5ho8IZGnJdrtzKWVH0b9WdFeKS5
05c0V6ybh0/K1XKJJ8AEkinOSXeTS6lTYnLKSl1Jjew3+NRsibWMMpjLxaQl
q3eULvJ4QVGgOiCRN2RL/UROCEPJABDus1P48Gy/uABj9u1J97CH0+6Wy1lW
dWG08p2VCs0648Mh9ylnJe1+woCexd56LhzGZpejBcFaxod443+x3pQyIioU
sLkoqPuzZ5jigjLLUW0AjW6OwDq/qm7UJSLvzeNDb3s5E7FURV/5cXc0HPbH
O73Ox49VNKth0dGLxjYyq2HN93x5BXTpbXeDHZ3HmKhzuxvu1BGSTsI963Bq
13LnzG6oWsK1xBSCbYN558kV4Bz77u/s1sjQBmq9Huq6k1NwonHmVVpFi8j8
Rmz1sEiw96AFC1xV/IctZz2b645AEHXBd6ZRb+tT5xfvRzTDvV+wbL2cwc8/
Euapk1906afk3+D3QyuP4S/wYRf/eY2fa384L7r0Ia4LjtgN0P3zS00qnjUi
/v74OcGqndI2yXE/eHMX+gnv6EdZ3hs7osXDjvrcEfr0HnkVUC788VJfyIbf
z2mRHffSpjXUa6wuDWpe5w7NXiKbeDhlHzOTrHYgOYmViG75C/igDRoHAhXt
uulOpRJKeKcWsxzW925VVWAazYaQt6ZODSypfOGbdpB2dfVlmtBux3BAKzeE
8Y3xrUWXraztgv01JwjR/WYmq3rlIq/Nm0XM4YBl0qaiO0VvHJ2Gij+9VaWd
3mnHm60DiYXjPLHg70ATzFFROeVmKCeWWpkrXe7XhJsgVo5OyV9D3HIyGrwj
OcHVVcw09yh0NE6SWecjyOlgT7HKXaDf7z1grHv1dl/nq9pZa/7BJ1myB6RO
CZRrFEK7cM+7fDjyo1GSJknSD0bD6XA6EXKYyMFUxFEY+slE9zf2saarnAyS
wWQQjSb9waA/8CVMZ9jvj5PwITrY+wTs2PcZWJjTnuWmaoMWNRGY4scaXOAM
TtFHQkG4a2aDCACFid7gp8GuegO60J6HA/Ernh3qO8cHwUH/sT8dgYLeHxwf
HR0/3h8F4/HoeGpha7x/PBkPD44Go4P90A+H4cEAMBL44XQ0Onp8MHzIJwjd
PvY7eTwMhpN+MBiFBweP/ceHw+HB431/8Pj4cOgf7o+sfvvH+8fB5PHhZDAc
9PujMDzcP56OD/zRfuAf+scB9ftplzAROphwL3/8WlQMD/zp9PHRQT843t8f
ToLDYHAU+pMQ4O0fHx/uWyBPjw7GxwCtD//zJ48PJoPpaLw/OQT8PB4ejicO
Kob96eFwPAinxwePg4OgPzncD6d+4O8Hw+Hhwb4dSDAYjkb7k+PhcP8gPA7G
E38S+AeD6eHg6HAcHg4nNiqQlKYGFYf1trJ2itpPnU8czOfu78zyxuvNTadE
rMYcPH75mrda5/KhGPlBX/g+gI3/wuEk9O/aGPaGAIDb9oTf152KfuiLAfwG
n/pBGNAASJtpHMT9CGgTuiDyTKVMI0HkmU7HIgWcx3IwigXRZFzTpIziYUiQ
TiImRoRiFMZx5EfJcBhHwh9EaTL0EzHqpyINJlFiiDAR0Hvsj0TgJ34KEDF0
yBUMgMMYKCaScT9IhQCKSYKBZIpJ+mmaiKmMx6khkygmMhHQxQSwM4yGyXjC
AAKJJEQiaRwFMZBIIohEBJBIEosA6UJM0uFQxGEKdAFdIGnEg2kykMk4TKCT
MJw8rK97uZKhNBqt4fcbHO23SJTaYtDadB0Rylq6VuwbDLtUSYl1OjCl8xsb
wI55cgW3UtlZA24KrPpwoBXcddvEyqVsFEq3U0ef3CxXG71ZqqTHShTrkS3/
NmiSLdqi869FkaylBrxcMyFYyOzgqzVdwxbZjkZQn5GAMqBHQLffxhGCW0cg
73TLCOjRtkZAx+HGEcJbRyBfYssI6H+0RiA3z6YR+ndh6WoTmq64xmEbdXaR
tj+PRPVuaBTuKqU+N9SpEBbyIqewFKvXUs7URtb11IR3lmQXEkuPcwnCM6px
X5x11t00+pJ5iDpli1GNl5uwi4zLsDRPEVUleUw0owanw0YzfukAgOUE8UCy
rs3q1WVkaeMZq5mrAK5UzrWas7wHJkEY7HU+8wM9qs66p5OTuEnP2larM8My
7qb+3xZ3qXJQmQ+2oKfZao6Bo/uUc79t2Qnnt9EMJeNvYaQcMa3C78nL+Myp
Le6WT/kgY07K31IvsM65hrlv6rSzjczauqC7KpmuTXpL0adqQaeKdO3h+RLe
BiAsG6xjl/0WnoNWK1yWE8LrJGUIF52vb+rfrpNQG3lWlrP2/MB6D5LfiacO
+1cVf9SzbzqprI/cJL42AVJ0PRZDKZw+NkwX/Y8vuGyt6Z8Ll1NyI8yEiEVN
3fR690MdLdgf7abtRIPdttM4JW/hrEBqM1DMPiJsHUkbJ7hBAtMmaBfDruNQ
X1Zx/IbYc1Mae/eRyn9sn+lt4vqzxfbt8pw19S7tPwMWSqzWf7+g7r/N3+y4
L9ZMaBV63qJkAY+0jE9HAdjp1TCxIGDI2qUo6K87d8PEHW1w2/4qKEGj+AzM
DQMCEz7acV7ws8/DHH6w7Sg2NkzrmPsymH4t5jZDOQzCz8FcSFDCR2tQ0kni
52AO1b5tR2GzYfoMzN0K06/F3EYogf6efQbmBmOEEj9qQonP2M02CcL77oMr
ZyNcEVSgcpSc3JVteSvOk/JWUvwdPyxlu2qy2yFhgLsapBdhTvPbTRjksyI+
1bAkYdMFa2AlteUYlYPdzTqq0cvaoFQMR7Mai1R2vVZ3n6szW2anSvqmgtTc
FMlFPuOzuqziQmcYhFnDID/QHSFZ1tFyBniqHmPUAFejKpXqYs+c2uOM7/JT
oxvXPmBrr0qjNZd1mNbHsPUkCn28k1EzPklKJ6ISqvaK7f1fy+nOgLdUGidd
5I0FJpAEV/EWlpN8Pa3gLit/a2XXWUQYXLvKq/K7Nwqhu0uhS9o1PPGWV0yo
Y0jE2C5NHj45Bx5xVd3saE80V7NHB3QbRZ5zXTbWoVSWw9azDui4720D1qnj
McaFb5tp3tlzxwRza5P2tuySukQH3wLWJHTeBQDo/GNnz5bu7hR4mHZlkag9
K5IuZ5quDTG8ZbHiKuf00DLX8GVC5bc2nCY17Y837n4ygcbrh7WLWxKc6mqG
LaVONtNAx1NJxw0JoDg6CDet8nrGQI3qeqk34RmjANqxrIG3kFDx4RNVZSkZ
bes7kLYy5tSkNTIlqxCjXHZNP/QwfVBBOTAlmgq2bWPSoTd7b4GqkDNM5W4K
CWKyV70LNQ9AhGBeTUYsgWcxXvtE1yoBlaV1plBNvUQHYj1uoD6V5/pv7zHX
+ka2SGEcZRNKPbdbOsdLT/YG/gyhpaxis/Iul3pYqlsASIzqRBAsVCPjEo0A
VfxRV1S+bC+3oDFqZEVdrue2VPoemP18dCmtoW2JXa4bEC3ST+XVZyDpIjk8
X2rthSsVWiKbo2hwghsyJYa94BY3li4CZvYFEC6BokXOFkk1PnslhCRbbiRP
TQGavC2lpVQqlzaQmQPZFQBuw6pNt5XDi1oCYxxfA7em/YRpdvTeNNzR3soF
7BNTgs80ZfNd00o7MxJVVWTRqmqrsorkWl8g2Og7QJfnarHrzhQTwdktlEBw
4OvxdRgqd6ojqMxdkMqN2fs8BTHjpGx42bqslYI2qfV9h/k4eWIpm5N2eG7S
Y13VE96wg6VNDeVKEHqoOlncQmkqmPrOKPRUvEFVBTfhCI0OdzucN28Nva7Y
bWL5wFgA6Gqy7AlW5G0/hfKikkq//2W6PHkTrD537tLW/9sp47VV/U1Ub726
xFpxGn/Bkiuz7EqqbSBb3ED6I8qlYaXRq1rZYRvz4gQjPEHtjMfMCdZQSsRy
NvDd5joZTaKdZa9gg0A7O3O5zQMbvNxwFLRl7RhBcyhjpKU6SKUMcPD09tNU
Wl6TfLslLu0W9aHV+moJyXRjajGwDGmnGzoxfB0zoKsFWB/enljfPrAo1o9g
mz6FxlStaeLX0N+aNiL5BuDro3//6eT10SFn6OQqrLjW8r3A0kgUZsW519dc
yEXjEHd/EzQuzi2HcR0I+GY9BHB/s1eY3bjqR7fx522/w18wNhViqUMCI469
s4P4LAa526JU2S7Q3XXf467t6Ntd97DtOu6sXxSN6Ez9WCFxI12Q65qqwNSh
iL89/I6Ce+cEWuPeNIdj8+AeGrTmFMiLOvU5iONQqfdHu2sF+xYtYRDWiX0j
+K2vDQsrnswZkvjsnRFmzr/vrfb1udF6q21KSaai6DFrmsIhuSqbzeEfJtwB
vqzT60h10bYWSjsq1u3yYTieTsbT6TANJgMxGMSpGA4mSeAPIl8MRkGdyMUf
TMZpPO5PkyhORBSH076Ih4PRNAyDREwDjESS/iAeTQJ/PJAxvhHjUZqKOJr6
g35izysOJ4OxFFN/5KfJIExEOBqno9FkGMpRfziZpn7s+0k8maTh1E9GIz8e
DQX8b+jHk1F/hIFq61jCPG4OLW4gRRXdVt8z6FVolbwHDp4XJXT962O4+nW4
FYZZDSewje5AtI1fgPDLUFzjFeOWvgi1YTAcDYJhOIgwhgsDnvx+2B/2R6Ec
D0bDcX88CP3xaDQcwW+jdByO+yYYyjvVGUy1amuqWug3n0jim3avqI4dla79
+EDnP+0uzVO8CkCKJHRUckTvdV4nSq0b7tomqntDHAvqUM5UMN1JublBIUiq
9HffvartqtVili2uVE29777DOzOH6+oc1wECta9Ec3GVlZecRg11H67nh6Xl
iT6SpnqKpeQ3ZNduOtBQJUMkoqW5qBBw5dhCU4FK+zQAuL6U0E9B+GnRQtF7
JgvZdPEpgl5z3wGbpRZWbThLAVcGORd5wgW4UaX46mN3UZarOYttYymIBFOI
YYEZY3IhHpRlcF6JFRfuVen09a0N+h7LLHEqwtudi+SLlQu3TqrrKDsBIGWy
664Bj255w8R6nXtyca979qiqMfSLWukqBfUzU/xH11BU4QMxIEqASXlj1orr
OmcNxyuOZWwvWm9M5K4sLq4npKtQ4ShnVILwbBe9gwVQmKDSkjSfXf5m8zCW
zaRKAXH0RpM6XWunzco4LxUSsLQlXpVpduEWZ9RJ1lwi4nJuuHHOXj3rOvvx
rG1f8w62oNCMobF7HcNNLJDwqHAqlSFTsZKYlW7DrnSKKW7cxTkt6T0vaqh9
177TLfd8dNOGbfSR/yW/qftZIYO7kLoeaM0W2XvX4u9HlRG2l0o0YZcw08hQ
EaG3rNHps65GeMvyIKq0QUZeUzID5+Wz0zNd+NXb3jLlzbqgy+Lmszrd2uk0
0uRwG1mbY2m+KuoyskoEKLPylFNg/5HrR1nihXNjo2x5jIZQizShk6xVWWqP
Z5tk+tQpsAJvvlA3VKDP+GYj4dS1wNRmmCMfVFm6eY5UgTXCBV5iasRFyn4X
MaMrOmCgxVkRr+Z1ZK0JpawzRRG7QH8HU6OqnQVAAY5ucO9SanHOfSJBRIPN
CtPa0y4Kfc3S3K1UNy2N/t3U8CnGba+jEyKtqOwWlULQrG/jNqJKuLmZtbmG
CZRJ5EL34NAXJeOqzg7jenirUs5S3EDksGQG2Uh0i6FcXANYp1EvK2R0Zqpa
4uBMO5T4yXUIG9aPTEtJf/aiUEd46onJ5WdcotIpi0coQkjXixpzLTxFZpx9
ENZkrcawIW2am5uwd8Ni1Sb499DpQnlyYdmLWhIT04hdHQ2rmN1w1VqOZEOS
a1Qo1oGxhSTrBvuaG//WZiqx5POu6bqR9xXmGWEcAA2RrCgJGB7DqTi5nDzZ
dtln9kKtbxbE67JFJuAHqKUwuTBrEobCVHpjnBDXwpNJDYeB4baDXeXhvGkB
kkDAbQHILmvqX+TmtrALSA0AJSGinHN8mxnWAzatFf3bqBCodBT3FN+ctbeH
umx0vxYSE/uVCnwt+bJbzrYzvV7QMy4HTTrT4Yi0QZ4yLe7ycaMJklGcSi5I
mV3nVqKqRHzl6Qq7MVpxeWGrYY66gFCidF7g3E/rkeYe7uo5YIGOFOJ87qIF
3wAlzkh45byeJYjDWeIZrQFVLHQYLPQxaKb2PuIYVkRJcg/DmIGE5bxUKUeV
rCibW69ns9/b3CmOmmtYbGlpzK4yR0ogVUehjonV1m+p8GRz42zCp9o83ytl
vcE7SEiqhTHXuLtKJgKv4wMOzWAIGutcU13iL60ShOzcb1sYtIPuvSLr3Lit
wPxX4sV/X9aLXntNNnd44e5d2pRsmHQVm6R3JcwRc/rqRcNtgTcKTKQbIW4t
/yf8uNS1OoVRdvRMStDZYirefcJ1R3Orw01cXddcKkXKW7c20ChpmsCLv8QS
3IKc5i1dfaAhlHlH0Sbw4MOuR05FmmmNU7KZ7ArdG3GK8TU1WKRgM2QaW5zm
lHiNYFNKJYVVEfJK5SDKMLaaquNCwM51gDpWJV2ieUm1BV7xhmtSk7uPaXPq
rLJEaPUc0ct6rymuHZG2rZGebpdYhzrVcvDY5c3Y1pvZxHRepI+PMlkqOrnP
lscserQzlGOubOUg7vTv5bsmuVYbTFWuXRb3ReD3t299A5KSgufL4gpTncy1
5nl1ri8AWNlNgEfZSXG/knqkV9GxbY1yjnchtCRlWV3anij40YIagDlZxaxs
MO+8jz5lXCAxrbzSDIQpvpzIrgAefTPP/qZCH1hFEBeotFQ8EhER1ocvGCJC
MIkGxOlXJSo0OfGa9EFdkOrEKu5nTEjM1GMqVX3CS21OqTRd/dg6YeekIapy
rSmF1l766u9S9U8xbVETjwIad9L3VIJdxXyx3/bGq2wfQscwgGsprvBuUUby
wiR7+DJ7vNc5YV6rZa5d/dwqAebY6DpkcxcNTFDTZqKOc9pUfWyZV7yZAGtY
ucwJcVaTV8unMlyjGxXJkEObinyFGweMUqrwTrlWF0kXJDzfVCQvKoLFngzD
59ec6uoF+9SVJxstcnZ9xEh2G5Uydh+04tq9stiKa2IVxh5ojwDV0aOAJVLF
KbsNxbCR62t1gY6ckq8oklZKxjWYNys1QXLkZozEBa4otJrhAkaqZppQLtAr
KZdtgb0O5yMme6Jys6wrm0bGbnEKZWAsW03/faUTzTbm2SbVqbmiAOYs/DeZ
PWYIPk6gTxvORaoTmmNYYcm6cE5kyyzhptWZr5KrtIVWK05XK/9NnmfHgeKV
0hpCwtszRxq0J2dqOr+bAToMZlbZoYHyflNq8W172/BiE3nuIA72PeNcxGB3
2GUsSThKitK+7HpWouM9PlPswmdXCHgRXwqKa1WKO52LXIMi9ZA4hVyUcled
QmoNTs5mdkCZLmTPi4eJcyzRgT58rn2iR6iyuRXvx8P3FEwijnV0Vw0INr5G
j2iSI16wZupMcD4oEFoFGyjmmghrEFlB+48N1hyT5rynO9GcCTlRjkMRrXh2
fOq0LFaJWlfaa809sLbPnrXJETy/oSor9yIijsFy48nqQ/LSKqNEZNLiceVK
YkpgIVPVLKMLr6yFx+XLKkUdM/TsqaClpiMFdgz+jqcGs1ygLdG1ucLaHJto
UruwTS9jTn+y/+P+OpvHp5/qSCm8iYxRM6X3Wl6A7lW05nMu6B1JFOccW6mY
Sp2kAbfcbrfUt2CyvcX3PXzNpy0Yu1Pn/MGDdHav73F04avmXcUxBRrYQTzr
KeCoxYFYsqcBtu+e9x9vr6qbbdUD5n0/i2b0A3Sn/3hHH7yWdC4Zw9A6wZKT
Qu4T4x8PvfKYNPzOOga9V3W40jfBpTXALVjVrRUW22+02PjkZSC00N8US7Xn
dQPG5eOXr1V/+vLEhlVwkog76X2+DMG/ZiqwtM5cwi+Yi1ty5StMyFDMfn01
+qsSSt3v/XadSqTkbruWdCQbkLSyqvWhm4m8zyCEDRHkVHCFc4ZvwpqVF2YN
Y/wJMME5+VoIwOYU+pPB3VMIfu0UKIX0t5rCMAzunkL4a6dAGYW/1RTwMuvd
c+h/BUq6+gZzsMIcG5NYh1fFPt/vum8TVBMSvvv1oK7jKe9aALztv2lCKuzw
C6fVFhX5laao40vvszB4Xf5+t+q/9cK4gbD3hP3+a9A2g2+4BjqG9z7zwHwC
97uf/63XwA02vifs91+Dthl8wzUwgdL35FDP7puRoG0ZKKXBrwHcqDo6xdC+
Oc6v4/G/ir7cWVeD7jemoyK1rNtejf6ryxbFmPVIDJpXOOCw+T3vhgKluvWg
e3/POPp1eviMawGt1hNgY1sHq8Pi7iib6YByh6F9WRU5eir2vJOjN8cbpHPj
3k27vs/Y5qrYTd39Hwfdn3GL4TfFd+cBAo630oxP2iooJrwX+wfexwetbmsr
WoxORIuVSmJ3451WEiYjPInXJnreeg1tKoPFexlH4PvOHAKlz0QaJ67qTII+
efX62JshYWDqSsCxOZugyaG7peQb2OzQQVfVIytgEXqhFPkqDJgcKJeCMphF
Aut1HfQ6P0srxMs4qBBWE27ZnPRxcTMXi4WZdCN0EX3SXAYsq9RRGtUCY6c4
AsS94qW/BZcsmxUwlZu7zmdU2B60LQEQkzqak1DLRbkqapfouv8Jz22s4zbH
H0ZfAZpzvo+IK2buYPY6x3ZBNz1kNsdaBHg4TnfA6jUsrfxiP/cPvJ9l5O2v
0NFV6VXef3XivYXn+HgBGOMYRnUCSTdoI/I0I3gqwFHUPeQFe75hWRYqvg+t
iPcCCDHC1GknTGC79kcsWlReBPSrq1v38FBtJsJiiUcFYoYRGhcUJO2OywkW
cWZ4mKlv4Jd6LXOqz7DimA864lFZF/RcvXhGPu5EYjyBMnXUBPEMQ8/B9ur2
6ru+dZIeqm5KblevjOVCFFlubp3SKUF99VS0RQHvdQTCXvCZF24JPfMmomm+
q9K8N3QByChVzXclgXWqiHl2cVkZBOsPMSazi3cp9IV7iwB509BRon1KzBRp
sjrU14KVf9SB1dMx7vGqKCgauqYQ2ObqWIRK1OmT1fhSxle7Hdr/mmTJJ27n
IOTZ4FmdikrYeNJvztd5KWYMhJXA0PTdsS7TFhKY1ULV18BTxCzGA+OiyCk5
PdIGcy7kidDSeJlpKsz46jQfdTgK50RU5+jq8JU7ojOKrLJOFuEr3M/1xYAk
ExeLXM24wMNGRoDOVlWWK6kOYjgvquDAn4huoGMCEFimSMRXzD1UJhHkWzAn
aQ43tOcbnfWa97WyPiY1vI+wEfvI3/AA1VN1EhlSayEtahLW5RSL0XU4qAhV
U1x0INZrUSTMFxRrRWeFohSUEYoymxICZB9Mde2seuMJtbp+dJds2evcQxyp
83nQlihuwt47zpf6MrVREaIbu0AjnpVR5ZF7lOLkIIPbCgtx2gRFQU4l+ba6
SvWVEbP3nx0e/2u5iv4Q/Osj/GHVlGi5PKCZtBrvqdY8nkIvPJ5VD7plMN1e
Dxo2By3bbpQ8lRTskRILo1UAir/ymrdRqFB0fVHBiSi4dYEwU4S00otS7yY2
yFyysMuLbqQSPjFywt1BlwMWgmdGGAbfLemv5pV5U/CikPPcvZOir2voAfEh
GJfeUZIhd2aJrhzrQpfXgslAG1Zs1CF+zb6pJCue/q8F5rMgTKXS86z9Qxhz
YCHL7u319c9486R6t31ZVcty79GjC5AIqwgMwfkj/XIHI8y9o5+8Q5D+FTDP
Ezphw82azXIKRvoLIAIVef0JXS7DokIFET0TELx/u3X00+GJpxq9wgiPig/I
8JRPVlxg7BI3AKrRIJoXh96TefS0BvD6+rpX4ouklxcXj+TiETPZ8lF8id3i
ZZZHcpVk3Wsapbs0o+zoc3JQdIGrgghRVHFdAw0UXWulTDEGMB0GYMOKIZg3
9UqwhqgPQ/XB6+zGriLClWkxOAX2fJEAM5XdKF8BXMpNGdVFaEsTBv3WXe3W
FbtYLWT1KF0trsD46QuNAaBGCgZ9FM3y6BGQ8IXs9h+VRfwIZNL7DJS8RzgU
3r3oVSW6R+tkOvqM6AzMq3PWn+o0D9YFUZTSIGEwowleSVSRaJuy8G3rNl0/
0ItwApN+nyUrMeseFiIFoYYfJ/hrdwbYiWRxwdkSYAdwcpuu0rHYO+MH5wg7
AJMXdGkSBdQi0ZqhzoQlar3T0ZQaeX3kerodWtT1hCK3VqbpNFI4UoAYbXMa
SvB5PolvKxGwey0fWZiOa/e8n/PiipTsZaJjpV3SYNuvzhHezNPRaeafak+P
CRwDFAMMg6Ajs7d/XkVZnLsb8YaeEe0hlzD0XMtz1DTewyowfjGtmIldVGGH
XaXfm4t2arcqusgKD0fGY1D+Et1tdgLl5uzpFgyhjC7xYkvNlvQG1h02vmxQ
vZXZZDPd35JnUuWqcuiPBINFga/ljK5lvEJy/segQJVOxRKH3bmoiuwDaA3l
aj4Hq+tvsmzilltSp5nZ6EZWWflQ1vvVOVFOWnsE2Ns6pMQox/yXk7T2pCE0
2zNjt2S/blauMD1q6tr1eItYDakARZ1I13pDhSNa31CG3Mab9QTbjTcWMWwA
aD3TtNVFI9+z9aaRY7nxpvWbZnZh/WZtV7WDSv631xy/R/G+BQg1FgkNNazL
DgNQMDmvAW6i0jj5XNWLmwLT1BmOVElJ2pCbfd90C6+1EMJml6qFFJUJq4Gq
u7argtXOgaQvxd4NiwvGGgR38i4TOU/UaPI/rS1ebWrY6Kyn1HS+1vPKN0kc
neep7lDrBptTTakw8eMVbXSSjS6NpPSmew1vgESeAr5EEV+iI8o7dC4jPUOm
t/308NkOg5dkf7m6XGVlN05B8bhMkCm+49hU4xOwnbSKiSq3HUo6s0SJDrIX
tQkjjZPAtkkootcJzX4LEHlPsurpKlIOhgfTQav2VwqMcn50aU2x69y36pIn
mDopH00HOz3OBKJMY4reLVBul0xyXTuib9diffYHdVzqq65KuqOzIrInY17K
2Xt9C1VYHtTS6+pA5UUdoo/GXLZ4n9dIvcWzBMQ3EzcctakgzxcdWwFUsF1m
F2BJdbmxfe1feYDUjNB3RChWbpIIvdJrYZBIA67ivtsxVxrYl6Q9OSYEGv2e
xpDm25+1spRIVMJ3O1LdoGU/jRTaQMlL3YFBk/JTYrw3dkXOZlAogDfw1Y0e
m45kXApvnidMhuvmNNJpJKUpt5tg4VsrZcdbUsB5AM+E6Tv+mjxtJUdm6I8o
JKxIYzY+ln+lvy/NL8biN096yyTd0d5vfSPGIJKWsLQWXCtYbIDHeMVwUWqr
Uyhj674kRQcf1okIXrpKTNpJpBSDylanhCNz2H1L/XBsOFY2Up7EC8mu7Bqj
HNEMDAXWocj4Ou1SUt7i95m8VlYW+b5neEtmAfYk+ZotjZnGUh4I5aWrS1e3
cBv2P7VPSd2zwNHLzLKHmZ+qHVKo0pxzXUHNPvHYxZ3Iy0jHO1gHuV1+UeKC
FbVb8FUEllFaILRCiJwf1TL0p6Lf5g062f/IKaca/pkZlYixc1JR1+QlZpu8
4UpB14vdGndpXUOpUVy0vIHPPqi8afraPYWEN7L8qlNInO3Hj+QQAJ6Mvv/V
TEj0BjYqri/B+Kp4cJ0Xqz5EOteNuwfYuPsKG2PV8JdxBfrSaYX37C3ve8cC
pTTphvu9PtnpmN/s3a65JkEjezrbmUK2XXm+zuT2PehoaNrsdSiVnvr3w8Zk
YB3OsaCbXT6kpF6h3/cH/tAf+WN/4k994Ud+7Ce+9NPAD4IgDPrBIBgGo2Ac
TIJpIAKsNZgEMki5R6worHsM/TAIw7AfDsJhOArH4SSchiKMwjhMQhmmfb8f
9MN+vz/ALFz9cX/Sn/ZFP+rH/aQv+9yjNZXLhwN/EAzCQX8wGAwHo8F4MBlM
B2IQDeJBMpCDdOgPg2E47A8Hw+FwNBwPJ8PpUAyjYTxMhnIIPXZ0mUtK8LHX
wfLs0eysvNIjUIIwzA4G4wCcWMoR/otPZP1OZw57SN/DnKmDxvcRfJtwDwDv
ZL0X86a1ZwqCtubuD0ZJP0rSfpD4STSYTCeTNBglg7E/mKRJEg6CsB8n4WQk
B2ECeAgTIabpOBxFAxmnwSRJO97av9FQwkSD0TQeTUfjYTrtj9J0nACqplEC
i5FE8USKMazUKApGcpIASSRRKqJEJEkkxgSmXnMFZtyfRFGSwHKPAui0309F
MB7LQT8a9+M06ScjeBcnQRDHfgTEMA37ozidDAXAHafpsAXMJBX9/jQOpD9O
0jhJEzFJxpEMxVD0Y6CbcDoN0v4EXsp+P4yCJJkkYiT9URjGadQfPuyUDjb9
D8kUKMP3xXgS49g+lf+c+GISD/1BP56KEHqaDAZAvRH2D3gfA1ajvj+apkBd
2KE1b//DeCB9MYiTSRALIG+gHsTkMEphuoM0GqfQRTwFEh/jVkgl7oI+rNwk
CgbTfjS0KLO+Kkqb2dmlFvVgzrpwNMWMdUhb8NdUUa0MRusUdVuWOxzF3rl3
jsK0/UXjlKBAt4yjdwuWeg1gz91zn3wrSL/dvr46w7QB0uAgFX44llE8mI78
vgjFIPDho/E0HUn4fwLbPhgPkzRMfSDSOBr4/XTYT2EXwP4ZTSfA0+JGj78+
oeWvzmLZwZSVZ/Or+6w0bJBRMPrNV3xuvD0M8Xg6ikfBMAmmsfD9wSBJfREC
sIMImA/0NcaiusBmgEFMxoHoy3A4TCJfpLCYQ+AgDzuV5/Z4V6JMhbWr1t2+
hrVxfwQMFuY/HA1+a9xdNWYap0OQFUkUTfzxRIyEHwD+BiCh0jBMJ9OBP5ax
lH1fxkE4iYGrT/ojkU7TeBjE/jDxgaY/E3e/C5rnXDVfEQvIheweW7WTL1nn
L5ISGhIt8qaA0DBNJPQUxkE68EF9HA7EJAWTeeT7ExCtExBtgwkIUtBNwpEI
YXsA1caTGJSJPuoOhnMx4wJYBaiZsRyCphAK2GRDwFs6hnUbwMqDDhKDjhOE
A1iCeBqDZjcGuToG3jkYAzWM23QHEYeopk7HcRz4Sdgfj4bDqQCuk44ieDLu
wy6G4YAMQDUH4S4CYLBACj4ACnoKUPflPx4tWtpEbVfvodZiYRy0FhAtoIxM
BWAjEqD4yNE4iEHjEWks+gno7KBZBwORptNxlICGOJwCdwO9yZ+GcijHnB/3
v5UNInwRgJjuiwFonyMxFhMxFUKA+SsSIUUa+RGscAR0Hw2jUTSOJtE0ElEU
xVESyeifNkjz3z9tkH/aIP+0QX5TG6Q/icdTkFBpDNJvMBAy9EeTNPWjYTAE
ihGpj1ouKLhAqwIoUY6DSA7Go/FIjPpBMG6zQYbjFHjyAAh34oOCM04S+HwU
9EFSRtCh6A9lX8LeDEBhhl036Q+G6QARIVIxAX49FqAQpSKE/Rsno+lgOhYy
AfGTTkPQjmJgrT6waH8EwnIA1tEgTUNQv6cx7CoYIfgvYYOA/BuhZBmAfAPd
Ku6LySQEdASAmSiF/RyMgeWOJrIfA4Mc9cE4HMo0GY/8yRDUpxYbJBoPfRBZ
4XgM/HCUYt8BmjHTgQymYiz/69ggCagk02EMTROwnocRiOlh2gfc9AGDwI+B
4Y0nI+D+fdTFhnIYhUPQEIexDED7nAzWbZC7cPe7oPmGDfLrsfD7tkHAyEin
AzDKfViLIUha4FMg3iYBKLAg9/1QgpkQAamCVi+Bm/UnQTSeojqJMj8MW2wQ
0DWS6Qh0gnQACJYgHEHJ8YcTMYB168Nip9DHCGyOwUTKNA4mI3Qwg56JQnzS
qjuMYauOkIUOUPUnHjsAYyiaDvp+NAE4g7gPFJHEUTgBbUgAwYxHsMFB1Qf6
mozWbZB/BFq8pw0CCtIEhIkPpoycJmCl+alM0z6YRINYADABWEr+JJ4CHQCS
IhH2p9NxOgRLCTS1MBz9Khuk5/9jWiH/PAn5pxXyTyvkHvJl8jnyBabq/wpL
5AvH+o2skS+A9p+nIv/wpyJfsOpNqyTpo7I/BNk7ENAKmC+oPsFgNAFUwuzH
yBbCaRAOQTDCZEBnGETpVEpYlwEs2GDdKgFWMZCoRgEqhwCTHw0w+0Y0nUTA
yobB78gq+QL8rZ2OJHIsQ1C8gDXDFhmmCVjWIGqgJ+gBpEkwBjICRICsQTVj
NPZlFIAWMgn7Igj665bJXfj7XdB+83TkV2PhG1smX7DSTetkGPQlsK5xBCp0
jB2g4S5gV4g+KiNDCY9BjUNYR2C9SOBxoLaHwRjU+P54Mm2xTsB6ATCTURRF
g2CKfnnfH4HymcDn/XQgkiHordADKMmAR7DqRoDC6QS0+f4YlPagTadIJqAp
hKjXALpgVSZJPATzBwwPCRbGaJoM/FCABjOJx0A1YwmsVoCOOR3JALRiuW6d
/CPQ4z2tk1CAsYHKTzoVUSTgZ5TC4DGMNUonAqg2mQyDGJqBBiaTEC2rCcwU
FgKMh0liKgjuxyYFNd1Qw5sWi9U8wrt5P2ylYlbKLV0UEG/ApVlRViYc1BSg
wwzVeKPy7kwP15d4C1vMbv5Ggc+mJ/mhwgJJfEFpQw4E6P25uutFcXI/ZrMS
0zqYvAjd11xj7MYkSECY9SXwbFEuqW4r9CPMle+1e8irbDaT3tvHJ6/64TsT
x8y5u3U1lC4FTBZU8e5xVsU5hl8mCdfq7nVuxYGuDpAhBprXTkt7krtmhjhb
BqxDdxKkEwtY6loWGBteSABzll8IjqTcPny+g1iOZnLOt3zpJiwlA07c29UY
YVpEWVVg9QhR3sznsiqwurPKtc0VAWm1TPFVmOuqoBS2Zlbq6gzdM+N0Bn9d
iUW1mncBPRkXh7AuTWM6I5WK+L2c5UsKQtR3NyrOB/G4wL9mdcqUgz14dDCT
x1kZYjqsJsKPfnr98vTVHjx+IooXYhH23zEO6ZI5EAz9BAO4/66nwkH1lWFY
x3yp0q84tGFI1VxWd/rZ7ZhAVHWTN+Ns0hxVzNliVJisnUcEQ/o5rp2TZBTZ
BSUh+KwMKhyr236l3oGSNgTensHQYXMD+M6UNDprOKUkwJhfSg1CN9CYiLac
3KacO3/Lys6rAsaxWbduZlIwrH3QMXXoMDoaHmEobJcuc0MTIBtzfW9tnRoX
KAy8rVd/VH4YDo/XyR64mgZlT1hcUXEYUzdJN1TBxxmisZR4o0KVgiIaJjq6
pquYl1TLweQUMPfrmtmG+Hr5oSbCpxneuL3ZwI67QdD5Tt0SpyIT2QdkO995
B8DRmAZ1WQIYh1J+tcdW29f4TIvS3IROMKp461rMrrrVZZGvLi639JUPirKn
C4I47j61pGJMvAhbLSVntxAJG0rWbuykLin4+Z9vKg/x+T21JPunTtpLBWAf
P9EFXMDeKV2sMhnX6sS2umD7Vp1PR6Vsr+868/0KlIhPPPoduz6G1WbRyxvY
SsdzriUhljM5Pnl16gUTvztQZU3oAbABLAbVDfyO6YszvM+zEvYG1ZoEJoHP
HlIdlChPSDicP37efYx7d62KUR00vsW5sVz5ZMqu0ZxtTrFVz8e+KCYWzqw0
YJQClRMoCrrXNgwD7OBFtsC7SGY7xLwL4vXVyLgyMaVOdbMYmW28FEt96yCm
hGLwMzO3Sm9m0lw8KCmvOwyPRS+2mprUFnWx1dzRWxpVmCK9q/d2TXXtCSbU
N7hu/tRaNyctiJVTra5QBrhDzcws6VdYL41MwBqgErNQEZV2/ZCo5HMv5oeU
5e27zWzKvZIJEDmVREq+00IWBG0fMzXqEKGvKDNeMxH6Ft98vm58ULPBLYaL
1+X+0NVSre5KVXuxMkzWeams2WtgvfPXMu1a95BgbTE5mbpikor3WIcVi6YB
+GvXH2so6+QrPMjpGmpq1mMhqSX51ZYR94Romg73YsSHziXpoM3F7Zfkutwi
op/URA9qFReXwWJB11hmLLm7kGqzhDUVUrWWDun66AOMScnR6uurutQrMb9X
r495BKPp1YnzOl6DRTarwLUyT6wzQRUlL2Y3pgBTRjleanYGa0T1NJRq/T0V
RCCtRF+8x6GxeAnp/o3dQbUYFCfDWb5WWWhAoEtOebRIUCUvJV+Prm9yOidS
hkE16ohSonXYSJs/O1BcFEghx6tcsto8jL5NJ7x+2I1uKlOssM79dY5HYQ/P
XW2n5milZmlPVa4pkYgl1k5CZcAUemlJl7W1q7/kLNulzrS1pbQh9fZP4XAY
TDEj0Z8Gg4ndTmXbUs5zqmJGdfY4LyTe27xY5IW+LIf3Ns0qEY2Paxp30z0d
nr4hAj5dRUA1c03DQEDdVyIrzlsYesscEBcXuOasNjurBKOPOtZa4YhNpfqO
EWyDjywCWmFs1dtCZRx0VKy2U9xc881AdWGQL7hxeT3Q1PNVqUpXq0/QXhGK
8PiSu5U3lMb5wuXWQ3e4/hpXRaQeFZqtMs/W7bgNsycUDhGFh4pPm/1Yb0Xm
QCRiiYj2Dw+7TE6ortUvga7oFfykEpD8SuJ94KRsfmnVmFQt7M/ha3X7uJHZ
Qhlki3zRZc8S34pWmYgwjx4vJk02OTzdJ6OAFq7NAltPSK/qp7VcLPwSnQO5
FkrAxK7Ix7d609XMqoBNd9n3SAIhy32i6tngZlnCXtneOa8NV4IeWzU21Dbw
nB2llWCetvv0gs1u64YWyPSD4qelk6aE2maxBmvBEk33ZmSlLmGbqFqetxX3
+847UZRoyTfSIPFiaFy875arrJJWb+oWqt4pm2ifqzKJNMX1hfcbKR/ZPVIm
dmAoHtNRrD8Ezd48tCic8p+YFw2lxs3YgCSk82rliy2tP5HBAYSHWgOTPMqU
bafmzY4acrvkp6V+WuONLRRyK3LunWqFRrHK7UVFJ8uKyhLhGFQtStWQfvyc
8+RhCke2qZFF1W4AoBW0UuzBQEEjFR4XGHMnUyNKoowZzYBwdI1G5H8VaCfA
2kcDD+UnSeAjvB+snAH8XVMdunfNWg8zzUowWhJefwWA7pi3KkPbQgZkVJnc
gZQvEY9LgDGrUpHlHmVrbiGXmrrx8bndzCYgqxk8dpo5JFU3g8fnjUGvNox6
dW60oE3qDkiBQcfRJe0caXbyEsRFw6gobL2XElTc24xixGtmC0+87f5Og155
XydX9LYLr7OFqS1lwOyRCHO70Rmo+SsroyMsuzFUtNHgGDKEkH7HooqGELhN
bH+ss85axdp/+EOrPP9kuRJw/zh6wlPle/2MwVt1hloLtuym3DuFL5Zcm9lJ
TrNeI2kuURPPynndE+ULcL+zSaa37uhjd4V2Xthbzrio3QpjtAohr8J1gQkM
KREaJ0xTxo/uwhVBuIFx3xsNf50l4McvQa+7FCsUz0cHDee+VuldlZboEWyf
lUqG3dRDWCdweTihQpcBR2a37FLBejv3qGE2ju1b2y5AGPWmUKnwGiLRqH32
aptyq7g+jequNZkiEE2hydlXLvBbTlh8Q9+vDAXWw9CkH9l63iM0MSwrQbfk
hVblhWmxVVpI5rHrlj3TQNBppyZ2iin4bNcbfkR+whOkTvjkj5yasfP/AxeK
0RQLRgEA

-->

</rfc>
