<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-mattsson-cfrg-aes-gcm-sst-21" category="info" consensus="true" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="GCM-SST">Galois Counter Mode with Strong Secure Tags (GCM-SST)</title>
    <seriesInfo name="Internet-Draft" value="draft-mattsson-cfrg-aes-gcm-sst-21"/>
    <author initials="M." surname="Campagna" fullname="Matthew Campagna">
      <organization>Amazon Web Services</organization>
      <address>
        <postal>
          <country>Canada</country>
        </postal>
        <email>campagna@amazon.com</email>
      </address>
    </author>
    <author initials="A." surname="Maximov" fullname="Alexander Maximov">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>alexander.maximov@ericsson.com</email>
      </address>
    </author>
    <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <country>Sweden</country>
        </postal>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>IRTF</area>
    <workgroup>Crypto Forum</workgroup>
    <keyword>next generation</keyword>
    <keyword>unicorn</keyword>
    <keyword>sparkling distributed ledger</keyword>
    <keyword>quantum magic</keyword>
    <abstract>
      <?line 561?>

<t>This document defines Galois Counter Mode with Strong Secure Tags (GCM-SST), an Authenticated Encryption with Associated Data (AEAD) algorithm that addresses several weaknesses of GCM. GCM-SST can be used with any keystream generator, not only 128-bit block ciphers. Main differences from GCM are the introduction of a second authentication subkey H<sub>2</sub>, per-nonce derivation of both H and H<sub>2</sub>, and stricter usage limits. Together, these changes yield authentication tags with near-ideal forgery probabilities, including reforgeability resistance. All registered instances have an expected number of forgeries E(F) ≈ v / 2<sup>t</sup>, a property that GCM is far from providing. GCM-SST is designed for security protocols with replay protection such as TLS, QUIC, SRTP, and PDCP, and provides hardware and software performance comparable to GCM. This document registers nine AEAD algorithm instances using AES and Rijndael-256 in counter mode, with tag lengths of 48, 96, and 112 bits. GCM-SST has been standardized by 3GPP for use with SNOW 5G, AES-256, and ZUC-256.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://emanjon.github.io/draft-mattsson-cfrg-aes-gcm-sst/draft-mattsson-cfrg-aes-gcm-sst.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Crypto Forum Research Group mailing list (<eref target="mailto:cfrg@irtf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg"/>.
        Subscribe at <eref target="https://mailman3.irtf.org/mailman3/lists/cfrg@irtf.org/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/emanjon/draft-mattsson-cfrg-aes-gcm-sst"/>.</t>
    </note>
  </front>
  <middle>
    <?line 565?>

<section anchor="introduction">
      <name>Introduction</name>
      <section anchor="background-and-motivation">
        <name>Background and Motivation</name>
        <t>AES in Galois Counter Mode (AES-GCM) <xref target="GCM"/> is a widely deployed Authenticated Encryption with Associated Data (AEAD) algorithm <xref target="RFC5116"/>, valued for its performance in hardware and software, and its provable security. During NIST standardization, Ferguson identified two weaknesses in GCM's authentication function <xref target="Ferguson"/>. The first significantly increases the forgery probability. The second allows recovery of the authentication subkey H upon a successful forgery, enabling arbitrary subsequent forgeries, a property known as reforgeability failure. Both weaknesses affect all tag lengths, but are especially damaging with short tags.</t>
        <t>Nyberg et al. <xref target="Nyberg"/> showed that small, theoretically grounded changes would mitigate these weaknesses, but NIST instead imposed ad hoc restrictions for short tags. Mattsson et al. <xref target="Mattsson"/> later showed that attackers can nearly always observe whether a forgery succeeded, contradicting NIST's assumptions. NIST is now planning to remove support for tags shorter than 96 bits <xref target="Revise"/>, but has not addressed the underlying authentication weaknesses. A third weakness is that GCM does not impose sufficiently strict limits on the number of ions and the lengths of plaintext and associated data. Even with 96-bit tags, AES-GCM <xref target="GCM"/> offers only a forgery probability of 2<sup>-39</sup>, and with 128-bit tags in QUIC <xref target="RFC9001"/>, the expected number of forgeries, E(F), is worse than that of an ideal 65-bit MAC. Reforgeability resistance is a core design criterion in modern AEAD schemes <xref target="Reforge"/><xref target="AEZ"/>.</t>
        <t>Short tags are widely used: 32-bit tags are standard in most radio link layers including 5G <xref target="Sec5G"/>, 64-bit tags are very common in IoT transport and application layers, and 32-, 64-, and 80-bit tags appear frequently in media encryption. Audio packets are small, numerous, and ephemeral, making them highly sensitive to cryptographic overhead; since each packet typically encodes only 20 ms of audio, forgery of individual packets is and barely noticeable. Due to its weaknesses, GCM is typically not used with short tags, forcing a choice between the overhead of unnecessarily long tags <xref target="I-D.ietf-moq-transport"/> and much slower constructions such as AES-CTR with HMAC <xref target="RFC3711"/><xref target="RFC9605"/>. Short tags are also useful in packets whose payloads are secured at higher layers, in protocols where security is given by the sum of tag lengths, and in constrained radio networks where low bandwidth limits forgery attempts. For all these applications, it is essential that the MAC behaves ideally: the forgery probability should be ≈ 1 / 2<sup>t</sup>, where t is the tag length in bits, even after many encryptions, many forgery attempts, and a successful forgery. CCM <xref target="RFC5116"/> achieves near-ideal probabilities with short tags but at a performance penalty relative to GCM.</t>
      </section>
      <section anchor="galois-counter-mode-with-strong-secure-tags-gcm-sst">
        <name>Galois Counter Mode with Strong Secure Tags (GCM-SST)</name>
        <t>This document defines GCM with Strong Secure Tags (GCM-SST), an AEAD algorithm that addresses these weaknesses. GCM-SST can be used with any keystream generator, not only 128-bit block ciphers. The differences from GCM <xref target="GCM"/> are: the introduction of a second authentication subkey H<sub>2</sub>, per-nonce derivation of H and H<sub>2</sub>, stricter usage limits, fixed-length deterministic nonces, and the replacement of GHASH with POLYVAL <xref target="RFC8452"/>. Together, these changes yield truncated tags with near-ideal forgery probabilities, even against multiple forgery attacks, and provide nonce-misuse resilience. GCM-SST is designed for use in security protocols with replay protection such as TLS <xref target="RFC8446"/>, QUIC <xref target="RFC9000"/>, SRTP <xref target="RFC3711"/>, and PDCP <xref target="PDCP"/>. In unicast settings with replay protection, GCM-SST's authentication tag behaves as an ideal MAC with full reforgeability resistance. Compared to Poly1305 <xref target="RFC8439"/> and GCM <xref target="RFC5116"/>, GCM-SST achieves stronger integrity with less overhead. Its hardware and software performance is comparable to GCM; in software, the two additional AES ions are offset by POLYVAL's advantage over GHASH on little-endian architectures. GCM-SST preserves GCM's additive encryption structure, enabling efficient implementations on modern processors <xref target="GCM-Update"/><xref target="Gueron"/>.</t>
        <t>This document also registers GCM-SST instances using AES <xref target="AES"/> and Rijndael with 256-bit keys and blocks (Rijndael-256) <xref target="Rijndael"/> in counter mode, with tag lengths of 48, 96, and 112 bits. These instances address the strong industry demand for fast authenticated encryption with minimal overhead and strong security. All registered instances achieve an expected number of forgeries E(F) ≈ v / 2<sup>t</sup>, where v is the number of forgery attempts, matching the behavior of an ideal MAC. This is a property expected of a modern AEAD but one that GCM does not provide. Rijndael-256 is already standardized by 3GPP for authentication and key generation <xref target="Milenage-256"/> and is planned for NIST standardization <xref target="AES-WIDE"/>. On modern x86 platforms with AES-NI and VAES instructions, Rijndael-256 performs efficiently <xref target="Drucker"/>. Compared to AEGIS <xref target="I-D.irtf-cfrg-aegis-aead"/>, AES-GCM-SST offers substantially higher throughput in dedicated hardware while retaining the advantage of being a mode of operation for AES.</t>
        <t>GCM-SST was originally developed by ETSI SAGE and subsequently standardized by 3GPP for use with SNOW 5G <xref target="NCA4"/>, AES-256 <xref target="NCA5"/>, and ZUC-256 <xref target="NCA6"/> in 3GPP TS 35.240–35.248. Security proofs for GCM-SST in single- and multi-key settings are provided by Inoue et al. <xref target="Inoue"/> and Naito et al. <xref target="Naito"/>.</t>
        <t><xref target="GCM-SST"/> specifies GCM-SST, <xref target="AES-GCM-SST"/> registers AEAD algorithms using AES and Rijndael-256, and <xref target="Security"/> discusses security considerations.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following notation is used in the document:</t>
      <ul spacing="normal">
        <li>
          <t>K is the key, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>N is the nonce, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>A is the associated data, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>P is the plaintext, as defined in <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>Z is the keystream</t>
        </li>
        <li>
          <t>ct is the ciphertext</t>
        </li>
        <li>
          <t>tag is the authentication tag</t>
        </li>
        <li>
          <t>t is the authentication tag length, in bits</t>
        </li>
        <li>
          <t>b is the block size, in bits (e.g., 128 for AES and 256 for Rijndael-256)</t>
        </li>
        <li>
          <t>m is the polynomial hash field size, in bits (e.g., 128 for POLYVAL)</t>
        </li>
        <li>
          <t>v is the number of forgery attempts</t>
        </li>
        <li>
          <t>= is the assignment operator</t>
        </li>
        <li>
          <t>≠ is the inequality operator</t>
        </li>
        <li>
          <t>x || y is concatenation of the byte strings x and y</t>
        </li>
        <li>
          <t>⊕ is the bitwise exclusive-OR (XOR) operator</t>
        </li>
        <li>
          <t>len(x) is the length of x in bits</t>
        </li>
        <li>
          <t>zeropad(x) right-pads the byte string x with zeros to a multiple of m bits</t>
        </li>
        <li>
          <t>truncate(x, y) retains the first y bits of x and discards the remainder</t>
        </li>
        <li>
          <t>n is the number of m-bit chunks in zeropad(P)</t>
        </li>
        <li>
          <t>POLYVAL is defined in <xref target="RFC8452"/></t>
        </li>
        <li>
          <t>BE32(x) is the big-endian encoding of 32-bit integer x</t>
        </li>
        <li>
          <t>LE64(x) is the little-endian encoding of 64-bit integer x</t>
        </li>
        <li>
          <t>V[x] is the m-bit chunk at index x in array V; the first chunk has index 0</t>
        </li>
        <li>
          <t>V[x:y] is the range of m-bit chunks at indices x through y in array V</t>
        </li>
        <li>
          <t>P_MAX is the maximum plaintext length, in bytes <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>A_MAX is the maximum associated data length, in bytes <xref target="RFC5116"/></t>
        </li>
        <li>
          <t>E_MAX is the maximum number of encryption invocations</t>
        </li>
        <li>
          <t>D_MAX is the maximum number of decryption invocations</t>
        </li>
        <li>
          <t>ℓ = (P_MAX + A_MAX) ⋅ 8 / m is the maximum input length, in m-bit chunks</t>
        </li>
      </ul>
    </section>
    <section anchor="GCM-SST">
      <name>Galois Counter Mode with Strong Secure Tags (GCM-SST)</name>
      <t>This section defines the GCM-SST AEAD algorithm following the recommendations of Nyberg et al. <xref target="Nyberg"/>. GCM-SST is defined with a general interface so that it can be used with any keystream generator, not only a 128-bit block cipher.</t>
      <t>GCM-SST adheres to the AEAD interface defined in <xref target="RFC5116"/>. The encryption function takes four variable-length byte string parameters: a secret key K, a nonce N, associated data A, and a plaintext P. The keystream generator is instantiated with K and N. The keystream <bcp14>MAY</bcp14> depend on P and A. The minimum and maximum lengths of all parameters depend on the keystream generator.</t>
      <t>The keystream generator produces a keystream Z consisting of m-bit chunks. The first three chunks Z[0], Z[1], and Z[2] are used as authentication subkeys H and H<sub>2</sub>, and masking subkey M, respectively. The subsequent chunks Z[3], Z[4], ..., Z[n + 2] are used to encrypt the plaintext.</t>
      <t>In place of GHASH <xref target="GCM"/>, GCM-SST uses the POLYVAL function from AES-GCM-SIV <xref target="RFC8452"/>, which yields more efficient software implementations on little-endian architectures. GHASH and POLYVAL can be defined in terms of one another, as shown in <xref target="RFC8452"/>. The subkeys H and H<sub>2</sub> are field elements used as inputs to POLYVAL, while the subkey M is used for the final masking of the tag.</t>
      <t>Both the encryption and decryption functions are defined only on inputs comprising a whole number of bytes. Figures illustrating the GCM-SST encryption and decryption functions can be found in <xref target="Campagna"/>.</t>
      <t>For every computational procedure specified in this document, a conforming implementation <bcp14>MAY</bcp14> replace the given steps with any mathematically equivalent steps, provided the output is correct for every valid input.</t>
      <section anchor="authenticated-encryption-function">
        <name>Authenticated Encryption Function</name>
        <t>The encryption function Encrypt(K, N, A, P) encrypts a plaintext and returns the ciphertext together with an authentication tag that verifies the authenticity of both the plaintext and associated data, if provided.</t>
        <t>Prerequisites and security requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The key <bcp14>MUST</bcp14> be chosen uniformly at random.</t>
          </li>
          <li>
            <t>For a given key, each nonce <bcp14>MUST</bcp14> be unique; random nonces <bcp14>MUST NOT</bcp14> be used.</t>
          </li>
          <li>
            <t>Each key <bcp14>MUST</bcp14> be restricted to a single tag length t.</t>
          </li>
          <li>
            <t>Supported input and output lengths <bcp14>MUST</bcp14> be defined.</t>
          </li>
        </ul>
        <t>Inputs:</t>
        <ul spacing="normal">
          <li>
            <t>Key K (variable-length byte string)</t>
          </li>
          <li>
            <t>Nonce N (variable-length byte string)</t>
          </li>
          <li>
            <t>Associated data A (variable-length byte string)</t>
          </li>
          <li>
            <t>Plaintext P (variable-length byte string)</t>
          </li>
        </ul>
        <t>Outputs:</t>
        <ul spacing="normal">
          <li>
            <t>Ciphertext ct (variable-length byte string)</t>
          </li>
          <li>
            <t>tag (a byte string of length t / 8)</t>
          </li>
        </ul>
        <t>Steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the lengths of K, N, A, P are not supported, return an error and abort</t>
          </li>
          <li>
            <t>Instantiate the keystream generator with K and N</t>
          </li>
          <li>
            <t>Let H = Z[0], H<sub>2</sub> = Z[1], M = Z[2]</t>
          </li>
          <li>
            <t>Let ct = P ⊕ truncate(Z[3:n + 2], len(P))</t>
          </li>
          <li>
            <t>Let S = zeropad(A) || zeropad(ct)</t>
          </li>
          <li>
            <t>Let L = LE64(len(ct)) || LE64(len(A))</t>
          </li>
          <li>
            <t>Let X = POLYVAL(H, S[0], S[1], ...)</t>
          </li>
          <li>
            <t>Let full_tag = POLYVAL(H<sub>2</sub>, X ⊕ L) ⊕ M</t>
          </li>
          <li>
            <t>Let tag = truncate(full_tag, t)</t>
          </li>
          <li>
            <t>Return (ct, tag)</t>
          </li>
        </ol>
        <t>The encoding of L aligns with existing implementations of GCM.</t>
      </section>
      <section anchor="authenticated-decryption-function">
        <name>Authenticated Decryption Function</name>
        <t>The decryption function Decrypt(K, N, A, ct, tag) decrypts a ciphertext, verifies that the authentication tag is correct, and returns the plaintext on success or an error otherwise.</t>
        <t>Prerequisites and security requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The calculation of the plaintext P (step 10) <bcp14>MAY</bcp14> be done in parallel with tag verification (steps 3–9). If tag verification fails, the plaintext P <bcp14>MUST NOT</bcp14> be given as output.</t>
          </li>
          <li>
            <t>Each key <bcp14>MUST</bcp14> be restricted to a single tag length t.</t>
          </li>
          <li>
            <t>Supported input and output lengths <bcp14>MUST</bcp14> be defined.</t>
          </li>
        </ul>
        <t>Inputs:</t>
        <ul spacing="normal">
          <li>
            <t>Key K (variable-length byte string)</t>
          </li>
          <li>
            <t>Nonce N (variable-length byte string)</t>
          </li>
          <li>
            <t>Associated data A (variable-length byte string)</t>
          </li>
          <li>
            <t>Ciphertext ct (variable-length byte string)</t>
          </li>
          <li>
            <t>tag (a byte string of length t / 8)</t>
          </li>
        </ul>
        <t>Outputs:</t>
        <ul spacing="normal">
          <li>
            <t>Plaintext P (variable-length byte string), or an error indicating that the authentication tag is invalid for the given inputs.</t>
          </li>
        </ul>
        <t>Steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the lengths of K, N, A, or ct are not supported, or if len(tag) ≠ t, return an error and abort</t>
          </li>
          <li>
            <t>Instantiate the keystream generator with K and N</t>
          </li>
          <li>
            <t>Let H = Z[0], H<sub>2</sub> = Z[1], M = Z[2]</t>
          </li>
          <li>
            <t>Let S = zeropad(A) || zeropad(ct)</t>
          </li>
          <li>
            <t>Let L = LE64(len(ct)) || LE64(len(A))</t>
          </li>
          <li>
            <t>Let X = POLYVAL(H, S[0], S[1], ...)</t>
          </li>
          <li>
            <t>Let full_tag = POLYVAL(H<sub>2</sub>, X ⊕ L) ⊕ M</t>
          </li>
          <li>
            <t>Let expected_tag = truncate(full_tag, t)</t>
          </li>
          <li>
            <t>If tag ≠ expected_tag, return an error and abort</t>
          </li>
          <li>
            <t>Let P = ct ⊕ truncate(Z[3:n + 2], len(ct))</t>
          </li>
          <li>
            <t>If N fails replay protection, return an error and abort</t>
          </li>
          <li>
            <t>Return P</t>
          </li>
        </ol>
        <t>The comparison of tag and expected_tag in step 9 <bcp14>MUST</bcp14> be performed in constant time to prevent information leakage about the position of the first mismatched byte. For a given key, a plaintext <bcp14>MUST NOT</bcp14> be returned unless it is certain that no plaintext has previously been returned for the same nonce. Replay protection <bcp14>MAY</bcp14> be performed either before step 1 or during step 11. Protocols with nonce-hiding mechanisms <xref target="Bellare19"/>, such as QUIC <xref target="RFC9001"/>, implement replay protection after decryption to mitigate timing side-channel attacks. If tag validation or replay protection fails, intermediate values such as H, H<sub>2</sub>, M, Z, P, X, full_tag, and expected_tag <bcp14>MUST</bcp14> be destroyed (zeroized).</t>
      </section>
      <section anchor="encoding-ct-tag-tuples">
        <name>Encoding (ct, tag) Tuples</name>
        <t>Applications <bcp14>MAY</bcp14> store the ciphertext and the authentication tag in separate structures or encode both as a single byte string C. In the latter case, the tag <bcp14>MUST</bcp14> immediately follow the ciphertext ct:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>C = ct || tag   .</t>
          </li>
        </ul>
      </section>
      <section anchor="limits">
        <name>Usage Limits</name>
        <t>The general limits in this section apply to all instances; instance-specific limits <bcp14>MAY</bcp14> be stricter but <bcp14>MUST NOT</bcp14> be loosened. Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E(F) ≈ v / 2<sup>t</sup>   ,</t>
          </li>
        </ul>
        <t>for all permitted invocation counts, plaintext lengths, associated data lengths, and tag lengths. This is how users expect MAC algorithms to behave, i.e., the behavior of an ideal MAC. Usage limits for a GCM-SST instance <bcp14>MUST</bcp14> be chosen to achieve this property in unicast settings with replay protection, and are therefore more restrictive than the corresponding limits for GCM <xref target="RFC5116"/>.</t>
        <t>To ensure that v / 2<sup>t</sup> dominates the integrity advantage <xref target="Inoue"/><xref target="Naito"/> for all permitted plaintext and associated data lengths, GCM-SST instances <bcp14>MUST</bcp14> ensure:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>ℓ ≪ 2<sup>m - t</sup>   .</t>
          </li>
        </ul>
        <t>This ensures that the term v ⋅ ℓ / 2<sup>m</sup> is negligible. If the keystream generator is a Pseudo-Random Function (PRF), this condition is sufficient to satisfy E(F) ≈ v / 2<sup>t</sup>. If the keystream generator is a Pseudo-Random Permutation (PRP) in counter mode, this condition is sufficient to satisfy E(F) ≈ δ ⋅ v / 2<sup>t</sup>, where δ is the Bernstein bound factor  <xref target="Bernstein"/><xref target="Iwata"/>.</t>
        <t>GCM-SST instances using a block cipher in counter mode <bcp14>MUST</bcp14> ensure:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E_MAX ⋅ P_MAX ⋅ 8 / b + 3 ⋅ D_MAX ≪ 2<sup>b/2</sup>   .</t>
          </li>
        </ul>
        <t>This requirement is not specific to GCM-SST and should also have been explicitly included in the GCM specification <xref target="GCM"/>. Beyond ensuring δ ≈ 1, it imposes a minimum complexity threshold for distinguishing attacks and bounds the fraction of plaintext bits that can be recovered by an adversary. Following the European <xref target="ACM"/> recommendation of limiting the number of block-cipher invocations to 2<sup>b/2−5</sup> is <bcp14>RECOMMENDED</bcp14>; this ensures an attacker cannot recover more than ≈ 0.0007 bits across all plaintexts under a key <xref target="Entropy"/>, and that δ ⪅ 1.0005.</t>
        <t>To align with zero-trust principles and minimize the impact of key compromise, protocols using GCM-SST <bcp14>SHOULD</bcp14> enforce rekeying well before reaching the cryptographic limits. Modern guidance recommends rekeying via ephemeral key exchange providing Forward Secrecy (FS) and Post-Compromise Security (PCS) after 1 hour or 2<sup>30</sup>–2<sup>37</sup> bytes <xref target="RFC4253"/><xref target="ANSSI"/>.</t>
      </section>
    </section>
    <section anchor="AES-GCM-SST">
      <name>AES and Rijndael-256 in GCM-SST</name>
      <t>This section defines instances of GCM-SST using AES and Rijndael-256.</t>
      <section anchor="aes-gcm-sst">
        <name>AES-GCM-SST</name>
        <t>When GCM-SST is instantiated with AES (AES-GCM-SST), the keystream generator is AES in counter mode</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>Z[i] = ENC(K, N || BE32(i))   ,</t>
          </li>
        </ul>
        <t>where ENC is the AES Cipher function <xref target="AES"/>. The use of big-endian counters aligns with existing AES counter mode implementations.</t>
      </section>
      <section anchor="rijndael-gcm-sst">
        <name>Rijndael-GCM-SST</name>
        <t>When GCM-SST is instantiated with Rijndael-256 (Rijndael-GCM-SST), the keystream generator is Rijndael-256 in counter mode</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>Z[2i]   = ENC(K, N || BE32(i))[0]   ,</t>
          </li>
          <li>
            <t>Z[2i+1] = ENC(K, N || BE32(i))[1]   ,</t>
          </li>
        </ul>
        <t>where ENC is the Rijndael-256 Cipher function <xref target="Rijndael"/>.</t>
      </section>
      <section anchor="instances">
        <name>AEAD Algorithm Instances and Specific Limits</name>
        <t>Nine AEAD algorithm instances are defined below, following the format of <xref target="RFC5116"/>. These instances use AES-GCM-SST or Rijndael-GCM-SST with tag lengths of 48, 96, or 112 bits.</t>
        <table anchor="iana-algs">
          <name>AEAD Algorithm Instances for AES-GCM-SST and Rijndael-GCM-SST</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="right">K_LEN (bytes)</th>
              <th align="right">P_MAX (bytes)</th>
              <th align="right">A_MAX (bytes)</th>
              <th align="right">Tag length t (bits)</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">AEAD_AES_128_GCM_SST_6</td>
              <td align="right">16</td>
              <td align="right">2<sup>36</sup> - 48</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">48</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_128_GCM_SST_12</td>
              <td align="right">16</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">2<sup>28</sup></td>
              <td align="right">96</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_128_GCM_SST_14</td>
              <td align="right">16</td>
              <td align="right">2<sup>16</sup></td>
              <td align="right">2<sup>12</sup></td>
              <td align="right">112</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_256_GCM_SST_6</td>
              <td align="right">32</td>
              <td align="right">2<sup>36</sup> - 48</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">48</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_256_GCM_SST_12</td>
              <td align="right">32</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">2<sup>28</sup></td>
              <td align="right">96</td>
            </tr>
            <tr>
              <td align="left">AEAD_AES_256_GCM_SST_14</td>
              <td align="right">32</td>
              <td align="right">2<sup>16</sup></td>
              <td align="right">2<sup>12</sup></td>
              <td align="right">112</td>
            </tr>
            <tr>
              <td align="left">AEAD_RIJNDAEL_GCM_SST_6</td>
              <td align="right">32</td>
              <td align="right">2<sup>37</sup> - 48</td>
              <td align="right">2<sup>33</sup></td>
              <td align="right">48</td>
            </tr>
            <tr>
              <td align="left">AEAD_RIJNDAEL_GCM_SST_12</td>
              <td align="right">32</td>
              <td align="right">2<sup>32</sup></td>
              <td align="right">2<sup>28</sup></td>
              <td align="right">96</td>
            </tr>
            <tr>
              <td align="left">AEAD_RIJNDAEL_GCM_SST_14</td>
              <td align="right">32</td>
              <td align="right">2<sup>16</sup></td>
              <td align="right">2<sup>12</sup></td>
              <td align="right">112</td>
            </tr>
          </tbody>
        </table>
        <t>The following parameters apply to all the instances:</t>
        <ul spacing="normal">
          <li>
            <t>N_MIN = N_MAX (minimum and maximum nonce length) is 12 bytes for AES-GCM-SST and 28 bytes for Rijndael-GCM-SST.</t>
          </li>
          <li>
            <t>C_MAX (maximum ciphertext length, including the tag) is P_MAX + t / 8 bytes.</t>
          </li>
          <li>
            <t>E_MAX (maximum number of encryption invocations) is 2<sup>64</sup> for Rijndael-GCM-SST.</t>
          </li>
          <li>
            <t>D_MAX (maximum number of decryption invocations) is 2<sup>54</sup> for AES-GCM-SST and 2<sup>118</sup> for Rijndael-GCM-SST.</t>
          </li>
        </ul>
        <t>Following the general usage limits in <xref target="limits"/> the AES-GCM-SST and Rijndael-GCM-SST instances sets</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>P_MAX = min(2<sup>m - t</sup>, (2<sup>32</sup> ⋅ b - 3 ⋅ m) / 8)   .</t>
          </li>
          <li>
            <t>A_MAX ≈ P_MAX / 2<sup>4</sup></t>
          </li>
          <li>
            <t>D_MAX ≈ 2<sup>b/2-10</sup></t>
          </li>
        </ul>
        <t>This ensures E(F) ≈ δ ⋅ v / 2<sup>t</sup> in unicast settings with replay protection.</t>
        <t>For Rijndael-256, the 256-bit block size already guarantees δ ≈ 1. Protocols employing Rijndael-GCM-SST <bcp14>MAY</bcp14> impose stricter limits on P_MAX, A_MAX, E_MAX, and D_MAX.</t>
        <t>For AES, the 128-bit block size implies that achieving δ ≈ 1 requires balancing the limits E_MAX and P_MAX. Protocols using AES-GCM-SST <bcp14>MAY</bcp14> enforce stricter limits on P_MAX and <bcp14>MUST</bcp14> enforce limits on E_MAX such that:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E_MAX ⋅ P_MAX ≪ 2<sup>68</sup>   .</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="Security">
      <name>Security Considerations</name>
      <t>GCM-SST introduces a second authentication subkey H<sub>2</sub>, alongside the subkey H. The inclusion of H<sub>2</sub> enables truncated tags with forgery probabilities close to ideal. Both H and H<sub>2</sub> are derived for each nonce, which significantly decreases the probability of multiple successful forgeries. These changes are based on proven theoretical constructions and follow the recommendations in <xref target="Nyberg"/>. Inoue et al. <xref target="Inoue"/> prove that GCM-SST achieves its v / 2<sup>t</sup> design goal in the single-key setting, and that it provides nonce-misuse resilience <xref target="NMRL"/>. Because the subkeys in GCM-SST are derived independently per nonce, any confidentiality or integrity advantage an adversary gains against one nonce, whether through nonce misuse or a successful forgery attempt, does not carry over to a different, fresh nonce: GCM-SST recovers its full security as soon as such a nonce is no longer in use. Naito et al. <xref target="Naito"/> derive a tighter single-key bound and further prove that GCM-SST achieves its v / 2<sup>t</sup> design goal in the multi-key setting, including when combined with nonce randomization and nonce-based key derivation.</t>
      <t>GCM-SST is designed for use in security protocols with replay protection. Each key <bcp14>MUST</bcp14> be chosen uniformly at random. GCM-SST <bcp14>MUST</bcp14> be used in a nonce-respecting setting: for a given key, a nonce <bcp14>MUST</bcp14> be used at most once in the encryption function and at most once in a successful decryption function call. The nonce <bcp14>MAY</bcp14> be public or predictable. It can be a counter, the output of a permutation, or a generator with a long period. The reuse of nonces in successful encryption and decryption function calls enables universal forgery, as demonstrated by <xref target="Joux"/>, <xref target="Lindell"/>, and <xref target="Inoue"/>, and so GCM-SST <bcp14>MUST</bcp14> be used with replay protection. Additionally, GCM-SST <bcp14>MUST NOT</bcp14> be used with random nonces: besides reducing the efficiency of replay protection, they introduce a nonce-collision probability that degrades security bounds. Implementations <bcp14>SHOULD</bcp14> add randomness to the nonce by XORing a unique number such as a sequence number with a per-key random secret salt of the same length as the nonce. This significantly improves security against precomputation and multi-key attacks <xref target="Bellare17"/> and is implemented, for example, in SRTP <xref target="RFC3711"/>, TLS 1.3 <xref target="RFC8446"/>, OSCORE <xref target="RFC8613"/>, and <xref target="Ascon"/>. By increasing the nonce length from 96 bits to 224 bits, Rijndael-GCM-SST can offer significantly greater security against precomputation and multi-key attacks compared to AES-GCM-SST. GCM-SST does not aim for full nonce-misuse resistance <xref target="NMR"/>. Like GCM, it derives its keystream in a single pass, avoiding the two-pass, non-online structure that nonce-misuse-resistant algorithms require. NIST is addressing nonce-misuse resistance through the planned Accordions <xref target="Accordions"/>.</t>
      <t>Unless otherwise specified, formulas for the expected number of forgeries apply to unicast scenarios.</t>
      <section anchor="Int">
        <name>Integrity</name>
        <t>The GCM-SST tag length t <bcp14>SHOULD NOT</bcp14> be smaller than 32 bits and cannot be larger than 128 bits. When ℓ ≪ 2<sup>m - t</sup>, the forgery probability is ≈ 1 / 2<sup>t</sup> <xref target="Nyberg"/><xref target="Inoue"/>. The tags in the AEAD algorithms listed in <xref target="instances"/> therefore achieve near-ideal forgery probabilities. This is a significant improvement over GCM <xref target="GCM"/>, where the forgery probability is bounded by ⪅ δ ⋅ ℓ / 2<sup>t</sup> <xref target="GCM"/><xref target="Iwata"/>. For a graph of the forgery probability assuming δ ≈ 1, see Fig. 3 in <xref target="Inoue"/>. For 128-bit tags and long messages, the forgery probability of GCM-SST is no longer ideal and becomes comparable to that of GCM. In GCM-SST, the full_tag is independent of t unless the application explicitly incorporates t into the keystream or the nonce.</t>
        <t>The expected number of forgeries depends on the keystream generator. For block ciphers in counter mode, it is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. Assuming a sufficiently large key size such that brute-force key-recovery attacks can be neglected, a strong integrity mechanism should satisfy</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E(F) ≈ v / 2<sup>t</sup>   ,</t>
          </li>
        </ul>
        <t>where v is the number of forgery attempts. Following the usage limits in <xref target="instances"/>, AES-GCM-SST and Rijndael-GCM-SST achieve this ideal. AES-GCM-SST significantly outperforms AES-GCM <xref target="GCM"/>, for which the expected number of forgeries (assuming deterministic 96-bit nonces) is bounded by:</t>
        <ul empty="true" spacing="normal">
          <li>
            <t>E(F) ⪅ δ ⋅ v<sup>2</sup> ⋅ ℓ / 2<sup>t+1</sup>   .</t>
          </li>
        </ul>
        <t>For further details on the integrity advantages and expected number of forgeries for GCM and GCM-SST, see <xref target="Iwata"/>, <xref target="Niwa"/>, <xref target="Inoue"/>, <xref target="Naito"/>, and <xref target="Multiple"/>. BSI states that an ideal MAC with a 96-bit tag length is considered acceptable for most applications <xref target="BSI"/>, a requirement that GCM-SST with 96-bit tags satisfies when ℓ ≪ 2<sup>32</sup> and δ ≈ 1. Achieving a comparable level of security with GCM, CCM, or Poly1305 is nearly impossible.</t>
      </section>
      <section anchor="Conf">
        <name>Confidentiality</name>
        <t>The confidentiality offered by GCM-SST against passive attackers depends on the keystream generator. For block ciphers in counter mode, it is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. For AES-GCM-SST, the confidentiality is equal to AES-GCM <xref target="GCM"/>. Regardless of key length, an attacker can mount a distinguishing attack with a complexity of approximately 2<sup>129</sup> / σ, where σ ⪅ P_MAX ⋅ E_MAX / 16 is the total plaintext length measured in 128-bit chunks. In contrast, the confidentiality offered by Rijndael-GCM-SST against passive attackers is significantly higher. The complexity of distinguishing attacks for Rijndael-GCM-SST is approximately 2<sup>258</sup> / σ. McGrew <xref target="Impossible"/> and Leurent and Sibleyras <xref target="Difference"/> demonstrate that for block ciphers in counter mode, an attacker with partial knowledge of the plaintext can execute plaintext-recovery attacks against counter mode with roughly the same complexity (up to logarithmic factors) as distinguishing attacks. However, Preuß Mattsson <xref target="Entropy"/> demonstrated that an attacker cannot recover more than ≈ σ<sup>2</sup> / 2<sup>b</sup> bits of the plaintext. If σ = 2<sup>59</sup>, an attacker cannot recover more than 0.0007 bits of AES-GCM-SST plaintexts.</t>
        <t>While Rijndael-256 in counter mode can provide high confidentiality for plaintexts much larger than 2<sup>37</sup> bytes, GHASH and POLYVAL do not offer adequate integrity for long plaintexts. To ensure robust integrity for long plaintexts, an AEAD mode would need to replace POLYVAL with a MAC that has better security properties, such as a Carter-Wegman MAC in a larger field <xref target="Maximov"/><xref target="Degabriele"/> or other alternatives such as <xref target="SMAC"/>.</t>
        <t>The confidentiality offered by GCM-SST against active attackers is directly linked to the forgery probability. Depending on the protocol and application, forgeries can significantly compromise privacy, in addition to affecting integrity and authenticity. It <bcp14>MUST</bcp14> be assumed that attackers always receive feedback on the success or failure of their forgery attempts. Therefore, attacks on integrity, authenticity, and confidentiality <bcp14>MUST</bcp14> all be carefully evaluated when selecting an appropriate tag length.</t>
      </section>
      <section anchor="weak-keys">
        <name>Weak Keys</name>
        <t>In general, there is a very small possibility in GCM-SST that either or both of the subkeys H and H<sub>2</sub> are zero, so-called weak keys. If H is zero, the authentication tag depends only on the length of P and A and not on their content. If H<sub>2</sub> is zero, the authentication tag does not depend on P and A. Due to the masking with M, there are no obvious ways for an attacker to detect this condition, and the specification admits this possibility rather than complicating implementations with additional checks and regeneration of values. In AES-GCM-SST, H and H<sub>2</sub> are generated with a permutation on different inputs, so H and H<sub>2</sub> cannot both be zero.</t>
      </section>
      <section anchor="replay-protection">
        <name>Replay Protection</name>
        <t>The details of the replay protection mechanism are determined by the security protocol utilizing GCM-SST. If the nonce includes a sequence number, it can be used for replay protection. Alternatively, a separate sequence number can be used, provided there is a one-to-one mapping between sequence numbers and nonces. The choice of a replay protection mechanism depends on factors such as the expected degree of packet reordering, as well as protocol and implementation details. For examples of replay protection mechanisms, see <xref target="RFC4303"/> and <xref target="RFC6479"/>. Implementing replay protection by requiring ciphertexts to arrive in order and terminating the connection if a single decryption fails is <bcp14>NOT RECOMMENDED</bcp14>, as this approach reduces robustness and availability and exposes the system to denial-of-service attacks <xref target="Robust"/>.</t>
      </section>
      <section anchor="Comp">
        <name>Comparison with ChaCha20-Poly1305 and AES-GCM</name>
        <t><xref target="comp1"/> compares the integrity of GCM-SST, ChaCha20-Poly1305 <xref target="RFC8439"/>, and AES-GCM <xref target="RFC5116"/> in unicast security protocols with replay protection. In both Poly1305 and GCM, the forgery probability depends on ℓ; in GCM, it additionally involves the Bernstein bound factor δ. GCM-SST requires δ ≈ 1, a property that GCM does not mandate. Furthermore, GCM provides no reforgeability resistance, which substantially increases the expected number of forgeries. See <xref target="Procter"/>, <xref target="Iwata"/>, and <xref target="Multiple"/> for further details.</t>
        <table anchor="comp1">
          <name>Comparison of integrity among GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast security protocols with replay protection. v is the number of forgery attempts, ℓ is the maximum length of plaintext and associated data, measured in 128-bit chunks. The GCM values assume δ ≈ 1; when this condition does not hold, the GCM values are worse than those shown.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="right">Tag length (bytes)</th>
              <th align="right">Forgery probability before first forgery</th>
              <th align="right">Forgery probability after first forgery</th>
              <th align="right">Expected number of forgeries</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">GCM_SST_14</td>
              <td align="right">14</td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">v / 2<sup>112</sup></td>
            </tr>
            <tr>
              <td align="left">GCM_SST_12</td>
              <td align="right">12</td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">v / 2<sup>96</sup></td>
            </tr>
            <tr>
              <td align="left">POLY1305</td>
              <td align="right">16</td>
              <td align="right">ℓ / 2<sup>103</sup></td>
              <td align="right">ℓ / 2<sup>103</sup></td>
              <td align="right">v ⋅ ℓ / 2<sup>103</sup></td>
            </tr>
            <tr>
              <td align="left">GCM</td>
              <td align="right">16</td>
              <td align="right">ℓ / 2<sup>128</sup></td>
              <td align="right">1</td>
              <td align="right">v<sup>2</sup> ⋅ ℓ / 2<sup>129</sup></td>
            </tr>
          </tbody>
        </table>
        <t><xref target="comp2"/> compares the integrity of GCM-SST, ChaCha20-Poly1305 <xref target="RFC8439"/>, and AES-GCM <xref target="RFC5116"/> in unicast QUIC <xref target="RFC9000"/><xref target="RFC9001"/>, a security protocol with mandatory replay protection, and where the combined size of plaintext and associated data is less than ≈ 2<sup>16</sup> bytes (ℓ ≈ 2<sup>12</sup>). GCM_SST_14 and GCM_SST_12 provide better integrity than ChaCha20-Poly1305 <xref target="RFC8439"/> and AES-GCM <xref target="RFC5116"/>, while also reducing overhead by 2–4 bytes. For GCM-SST and ChaCha20-Poly1305, the expected number of forgeries is linear in v when replay protection is employed. ChaCha20-Poly1305 achieves a security level equivalent to that of an ideal MAC with a length of 91 bits. For AES-GCM, replay protection does not mitigate reforgeries, the expected number of forgeries grows quadratically with v, and GCM provides significantly worse integrity than GCM-SST and ChaCha20-Poly1305 unless v is kept very small. With v = 2<sup>52</sup> as allowed for AES-GCM in QUIC <xref target="RFC9001"/>, the expected number of forgeries for AES-GCM exceeds that of an ideal 65-bit MAC.</t>
        <table anchor="comp2">
          <name>Comparison of integrity among GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast QUIC, where the maximum packet size is 65536 bytes. The GCM values assume δ ≈ 1; when this condition does not hold, the GCM values are worse than those shown.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="right">Tag length (bytes)</th>
              <th align="right">Forgery probability before first forgery</th>
              <th align="right">Forgery probability after first forgery</th>
              <th align="right">Expected number of forgeries</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">GCM_SST_14</td>
              <td align="right">14</td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">1 / 2<sup>112</sup></td>
              <td align="right">v / 2<sup>112</sup></td>
            </tr>
            <tr>
              <td align="left">GCM_SST_12</td>
              <td align="right">12</td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">1 / 2<sup>96</sup></td>
              <td align="right">v / 2<sup>96</sup></td>
            </tr>
            <tr>
              <td align="left">POLY1305</td>
              <td align="right">16</td>
              <td align="right">1 / 2<sup>91</sup></td>
              <td align="right">1 / 2<sup>91</sup></td>
              <td align="right">v / 2<sup>91</sup></td>
            </tr>
            <tr>
              <td align="left">GCM</td>
              <td align="right">16</td>
              <td align="right">1 / 2<sup>116</sup></td>
              <td align="right">1</td>
              <td align="right">v<sup>2</sup> / 2<sup>117</sup></td>
            </tr>
          </tbody>
        </table>
        <t><xref target="comp3"/> compares the confidentiality of Rijndael-GCM-SST, AES-256-GCM-SST, SNOW 5G-GCM-SST, and ChaCha20-Poly1305 <xref target="RFC8439"/>, all of which use 256-bit keys, against passive attackers. The confidentiality of block ciphers in counter mode is governed by the birthday bound, with AES-based ciphers particularly constrained by their narrow 128-bit block size. While plaintext-recovery attacks on block ciphers in counter mode have a complexity similar to distinguishing attacks, the attacker cannot recover more than ≈ σ<sup>2</sup> / 2<sup>b</sup> bits of the plaintexts <xref target="Entropy"/>.</t>
        <table anchor="comp3">
          <name>Comparison of confidentiality against passive attackers among Rijndael-GCM-SST, SNOW 5G-GCM-SST, ChaCha20-Poly1305, and AES-256-GCM-SST. σ is the total plaintext length measured in 128-bit chunks.</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="center">Key size (bits)</th>
              <th align="center">Complexity of distinguishing attacks</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">CHACHA20_POLY1305</td>
              <td align="center">256</td>
              <td align="center">2<sup>256</sup></td>
            </tr>
            <tr>
              <td align="left">SNOW_5G_GCM_SST</td>
              <td align="center">256</td>
              <td align="center">2<sup>256</sup></td>
            </tr>
            <tr>
              <td align="left">RIJNDAEL_GCM_SST</td>
              <td align="center">256</td>
              <td align="center">≈ 2<sup>258</sup> / σ</td>
            </tr>
            <tr>
              <td align="left">AES_256_GCM_SST</td>
              <td align="center">256</td>
              <td align="center">≈ 2<sup>129</sup> / σ</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="onemany">
        <name>Multicast and Broadcast</name>
        <t>While GCM-SST offers stronger security properties than GCM for a given tag length in multicast or broadcast contexts, it does not behave exactly like an ideal MAC. With an ideal MAC, a successful forgery against one recipient allows the attacker to reuse the same forgery against all other recipients. In contrast, with GCM, a successful forgery against one recipient enables the attacker to generate an unlimited number of new forgeries for all recipients.</t>
        <t>With GCM-SST, a few successful forgeries against a few recipients allow the attacker to create one new forgery for all other recipients. While the total number of forgeries in GCM-SST matches that of an ideal MAC, the diversity of these forgeries is higher. To achieve one distinct forgery per recipient with an ideal MAC, the attacker would need to send on average 2<sup>t</sup> forgery attempts to each recipient. In one-to-many scenarios with replay protection and r recipients, the expected number of distinct forgeries is ≈ v ⋅ r / 2<sup>t</sup>.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to assign the algorithm names listed in the first column of <xref target="iana-algs"/> to the "AEAD Algorithms" registry under the registry group "Authenticated Encryption with Associated Data (AEAD) Parameters", with this document as the reference.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC8452">
          <front>
            <title>AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption</title>
            <author fullname="S. Gueron" initials="S." surname="Gueron"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="Y. Lindell" initials="Y." surname="Lindell"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This memo specifies two authenticated encryption algorithms that are nonce misuse resistant -- that is, they do not fail catastrophically if a nonce is repeated.</t>
              <t>This document is the product of the Crypto Forum Research Group.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8452"/>
          <seriesInfo name="DOI" value="10.17487/RFC8452"/>
        </reference>
        <reference anchor="AES" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf">
          <front>
            <title>Advanced Encryption Standard (AES)</title>
            <author>
              <organization/>
            </author>
            <date year="2023" month="May"/>
          </front>
          <seriesInfo name="NIST" value="Federal Information Processing Standards Publication 197"/>
        </reference>
        <reference anchor="Rijndael" target="https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf">
          <front>
            <title>AES Proposal: Rijndael</title>
            <author initials="" surname="Joan Daemen">
              <organization/>
            </author>
            <author initials="" surname="Vincent Rijmen">
              <organization/>
            </author>
            <date year="2003" month="September"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC3711">
          <front>
            <title>The Secure Real-time Transport Protocol (SRTP)</title>
            <author fullname="M. Baugher" initials="M." surname="Baugher"/>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="M. Naslund" initials="M." surname="Naslund"/>
            <author fullname="E. Carrara" initials="E." surname="Carrara"/>
            <author fullname="K. Norrman" initials="K." surname="Norrman"/>
            <date month="March" year="2004"/>
            <abstract>
              <t>This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3711"/>
          <seriesInfo name="DOI" value="10.17487/RFC3711"/>
        </reference>
        <reference anchor="RFC4253">
          <front>
            <title>The Secure Shell (SSH) Transport Layer Protocol</title>
            <author fullname="T. Ylonen" initials="T." surname="Ylonen"/>
            <author fullname="C. Lonvick" initials="C." role="editor" surname="Lonvick"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network.</t>
              <t>This document describes the SSH transport layer protocol, which typically runs on top of TCP/IP. The protocol can be used as a basis for a number of secure network services. It provides strong encryption, server authentication, and integrity protection. It may also provide compression.</t>
              <t>Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.</t>
              <t>This document also describes the Diffie-Hellman key exchange method and the minimal set of algorithms that are needed to implement the SSH transport layer protocol. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4253"/>
          <seriesInfo name="DOI" value="10.17487/RFC4253"/>
        </reference>
        <reference anchor="RFC4303">
          <front>
            <title>IP Encapsulating Security Payload (ESP)</title>
            <author fullname="S. Kent" initials="S." surname="Kent"/>
            <date month="December" year="2005"/>
            <abstract>
              <t>This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4303"/>
          <seriesInfo name="DOI" value="10.17487/RFC4303"/>
        </reference>
        <reference anchor="RFC6479">
          <front>
            <title>IPsec Anti-Replay Algorithm without Bit Shifting</title>
            <author fullname="X. Zhang" initials="X." surname="Zhang"/>
            <author fullname="T. Tsou" initials="T." surname="Tsou"/>
            <date month="January" year="2012"/>
            <abstract>
              <t>This document presents an alternate method to do the anti-replay checks and updates for IP Authentication Header (AH) and Encapsulating Security Protocol (ESP). The method defined in this document obviates the need for bit shifting and it reduces the number of times an anti-replay window is adjusted. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6479"/>
          <seriesInfo name="DOI" value="10.17487/RFC6479"/>
        </reference>
        <reference anchor="RFC8439">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8613">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <author fullname="G. Selander" initials="G." surname="Selander"/>
            <author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
            <author fullname="F. Palombini" initials="F." surname="Palombini"/>
            <author fullname="L. Seitz" initials="L." surname="Seitz"/>
            <date month="July" year="2019"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8613"/>
          <seriesInfo name="DOI" value="10.17487/RFC8613"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC9605">
          <front>
            <title>Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media</title>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="J. Uberti" initials="J." surname="Uberti"/>
            <author fullname="S. G. Murillo" initials="S. G." surname="Murillo"/>
            <author fullname="R. Barnes" initials="R." role="editor" surname="Barnes"/>
            <author fullname="Y. Fablet" initials="Y." surname="Fablet"/>
            <date month="August" year="2024"/>
            <abstract>
              <t>This document describes the Secure Frame (SFrame) end-to-end encryption and authentication mechanism for media frames in a multiparty conference call, in which central media servers (Selective Forwarding Units or SFUs) can access the media metadata needed to make forwarding decisions without having access to the actual media.</t>
              <t>This mechanism differs from the Secure Real-Time Protocol (SRTP) in that it is independent of RTP (thus compatible with non-RTP media transport) and can be applied to whole media frames in order to be more bandwidth efficient.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9605"/>
          <seriesInfo name="DOI" value="10.17487/RFC9605"/>
        </reference>
        <reference anchor="I-D.ietf-moq-transport">
          <front>
            <title>Media over QUIC Transport</title>
            <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
              <organization>Cisco</organization>
            </author>
            <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
              <organization>Google</organization>
            </author>
            <author fullname="Ian Swett" initials="I." surname="Swett">
              <organization>Google</organization>
            </author>
            <author fullname="Alan Frindell" initials="A." surname="Frindell">
              <organization>Meta</organization>
            </author>
            <date day="12" month="May" year="2026"/>
            <abstract>
              <t>   This document defines Media over QUIC Transport (MOQT), a publish/
   subscribe protocol that runs over QUIC and WebTransport.  MOQT
   leverages the features of these transports, such as streams,
   datagrams, priorities, and partial reliability.  MOQT operates both
   point-to-point and through intermediate relays, enabling scalable
   low-latency delivery.  Despite its name, MOQT is media agnostic and
   can be used for a wide range of use cases.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-moq-transport-18"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aegis-aead">
          <front>
            <title>The AEGIS Family of Authenticated Encryption Algorithms</title>
            <author fullname="Frank Denis" initials="F." surname="Denis">
              <organization>Fastly Inc.</organization>
            </author>
            <author fullname="Samuel Lucas" initials="S." surname="Lucas">
              <organization>Individual Contributor</organization>
            </author>
            <date day="5" month="October" year="2025"/>
            <abstract>
              <t>   This document describes the AEGIS-128L, AEGIS-256, AEGIS-128X, and
   AEGIS-256X AES-based authenticated encryption algorithms designed for
   high-performance applications.

   The document is a product of the Crypto Forum Research Group (CFRG).
   It is not an IETF product and is not a standard.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-aegis-aead.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aegis-aead-18"/>
        </reference>
        <reference anchor="Accordions" target="https://csrc.nist.gov/pubs/sp/800/197/a/iprd">
          <front>
            <title>NIST Launches Development of Cryptographic Accordions</title>
            <author initials="" surname="NIST">
              <organization/>
            </author>
            <date year="2025" month="June"/>
          </front>
        </reference>
        <reference anchor="ACM" target="https://certification.enisa.europa.eu/document/download/a845662b-aee0-484e-9191-890c4cfa7aaa_en">
          <front>
            <title>Agreed Cryptographic Mechanisms</title>
            <author>
              <organization/>
            </author>
            <date year="2025" month="April"/>
          </front>
        </reference>
        <reference anchor="AES-WIDE" target="https://csrc.nist.gov/pubs/sp/800/197/iprd">
          <front>
            <title>NIST Proposes to Standardize a Wider Variant of AES</title>
            <author initials="" surname="NIST">
              <organization/>
            </author>
            <date year="2024" month="December"/>
          </front>
        </reference>
        <reference anchor="AEZ" target="https://eprint.iacr.org/2014/793.pdf">
          <front>
            <title>Robust Authenticated-Encryption: AEZ and the Problem that it Solves</title>
            <author initials="" surname="Viet Tung Hoang">
              <organization/>
            </author>
            <author initials="" surname="Ted Krovetz">
              <organization/>
            </author>
            <author initials="" surname="Phillip Rogaway">
              <organization/>
            </author>
            <date year="2017" month="March"/>
          </front>
        </reference>
        <reference anchor="ANSSI" target="https://messervices.cyber.gouv.fr/documents-guides/NT_IPsec_EN.pdf">
          <front>
            <title>Recommendations for securing networks with IPsec</title>
            <author>
              <organization/>
            </author>
            <date year="2015" month="August"/>
          </front>
        </reference>
        <reference anchor="Ascon" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.ipd.pdf">
          <front>
            <title>Ascon-Based Lightweight Cryptography Standards for Constrained Devices</title>
            <author initials="" surname="Meltem Sönmez Turan">
              <organization/>
            </author>
            <author initials="" surname="Kerry A McKay">
              <organization/>
            </author>
            <author initials="" surname="Donghoon Chang">
              <organization/>
            </author>
            <author initials="" surname="Jinkeon Kang">
              <organization/>
            </author>
            <author initials="" surname="John Kelsey">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-232 Initial Public Draft"/>
        </reference>
        <reference anchor="Bellare17" target="https://eprint.iacr.org/2016/564.pdf">
          <front>
            <title>The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3</title>
            <author initials="M." surname="Bellare">
              <organization/>
            </author>
            <author initials="B." surname="Tackmann">
              <organization/>
            </author>
            <date year="2017" month="November"/>
          </front>
        </reference>
        <reference anchor="Bellare19" target="https://eprint.iacr.org/2019/624.pdf">
          <front>
            <title>Nonces are Noticed: AEAD Revisited</title>
            <author initials="" surname="Mihir Bellare">
              <organization/>
            </author>
            <author initials="" surname="Ruth Ng">
              <organization/>
            </author>
            <author initials="" surname="Björn Tackmann">
              <organization/>
            </author>
            <date year="2019" month="November"/>
          </front>
        </reference>
        <reference anchor="Bernstein" target="https://cr.yp.to/antiforgery/permutations-20050323.pdf">
          <front>
            <title>Stronger Security Bounds for Permutations</title>
            <author initials="" surname="Daniel J Bernstein">
              <organization/>
            </author>
            <date year="2005" month="March"/>
          </front>
        </reference>
        <reference anchor="BSI" target="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html">
          <front>
            <title>Cryptographic Mechanisms Recommendations and Key Lengths</title>
            <author>
              <organization/>
            </author>
            <date year="2026" month="January"/>
          </front>
          <seriesInfo name="BSI" value="Technical Guideline TR-02102-1"/>
        </reference>
        <reference anchor="Campagna" target="https://csrc.nist.gov/csrc/media/Events/2023/third-workshop-on-block-cipher-modes-of-operation/documents/accepted-papers/Galois%20Counter%20Mode%20with%20Secure%20Short%20Tags.pdf">
          <front>
            <title>Galois Counter Mode with Strong Secure Tags (GCM-SST)</title>
            <author initials="M." surname="Campagna">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="J." surname="Preuß Mattsson">
              <organization/>
            </author>
            <date year="2023" month="October"/>
          </front>
        </reference>
        <reference anchor="Degabriele" target="https://doi.org/10.3929/ethz-b-000654260">
          <front>
            <title>SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields</title>
            <author initials="J." surname="Degabriele">
              <organization/>
            </author>
            <author initials="J." surname="Gilcher">
              <organization/>
            </author>
            <author initials="J." surname="Govinden">
              <organization/>
            </author>
            <author initials="K." surname="Paterson">
              <organization/>
            </author>
            <date year="2024" month="May"/>
          </front>
        </reference>
        <reference anchor="Difference" target="https://link.springer.com/chapter/10.1007/978-3-319-78375-8_24">
          <front>
            <title>The Missing Difference Problem, and Its Applications to Counter Mode Encryption</title>
            <author initials="" surname="Gaëtan Leurent">
              <organization/>
            </author>
            <author initials="" surname="Ferdinand Sibleyras">
              <organization/>
            </author>
            <date year="2018" month="March"/>
          </front>
        </reference>
        <reference anchor="Drucker" target="https://rd.springer.com/chapter/10.1007/978-3-030-97652-1_18">
          <front>
            <title>Software Optimization of Rijndael for Modern x86-64 Platforms</title>
            <author initials="" surname="Nir Drucker">
              <organization/>
            </author>
            <author initials="" surname="Shay Gueron">
              <organization/>
            </author>
            <date year="2022" month="May"/>
          </front>
        </reference>
        <reference anchor="EIA3" target="https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2019/05/EEA3_EIA3_specification_v1_8.pdf">
          <front>
            <title>128-EEA3 and 128-EIA3 Specification</title>
            <author initials="" surname="ETSI SAGE">
              <organization/>
            </author>
            <date year="2019" month="January"/>
          </front>
        </reference>
        <reference anchor="Entropy" target="https://eprint.iacr.org/2024/1111.pdf">
          <front>
            <title>Collision-Based Attacks on Block Cipher Modes - Exploiting Collisions and Their Absence</title>
            <author initials="J." surname="Preuß Mattsson">
              <organization/>
            </author>
            <date year="2025" month="February"/>
          </front>
        </reference>
        <reference anchor="Ferguson" target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/Ferguson2.pdf">
          <front>
            <title>Authentication weaknesses in GCM</title>
            <author initials="N." surname="Ferguson">
              <organization/>
            </author>
            <date year="2005" month="May"/>
          </front>
        </reference>
        <reference anchor="GCM" target="https://doi.org/10.6028/NIST.SP.800-38D">
          <front>
            <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
            <author initials="M." surname="Dworkin">
              <organization/>
            </author>
            <date year="2007" month="November"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-38D"/>
        </reference>
        <reference anchor="GCM-Update" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/gcm-update.pdf">
          <front>
            <title>GCM Update</title>
            <author initials="D." surname="McGrew">
              <organization/>
            </author>
            <author initials="J." surname="Viega">
              <organization/>
            </author>
            <date year="2005" month="May"/>
          </front>
        </reference>
        <reference anchor="Gueron" target="https://csrc.nist.gov/csrc/media/Presentations/2023/constructions-based-on-the-aes-round/images-media/sess-5-gueron-bcm-workshop-2023.pdf">
          <front>
            <title>Constructions based on the AES Round and Polynomial Multiplication that are Efficient on Modern Processor Architectures</title>
            <author initials="S." surname="Gueron">
              <organization/>
            </author>
            <date year="2023" month="October"/>
          </front>
        </reference>
        <reference anchor="Impossible" target="https://eprint.iacr.org/2012/623.pdf">
          <front>
            <title>Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes</title>
            <author initials="" surname="David McGrew">
              <organization/>
            </author>
            <date year="2012" month="November"/>
          </front>
        </reference>
        <reference anchor="Inoue" target="https://eprint.iacr.org/2024/1928.pdf">
          <front>
            <title>Generic Security of GCM-SST</title>
            <author initials="" surname="Akiko Inoue">
              <organization/>
            </author>
            <author initials="" surname="Ashwin Jha">
              <organization/>
            </author>
            <author initials="" surname="Bart Mennink">
              <organization/>
            </author>
            <author initials="" surname="Kazuhiko Minematsu">
              <organization/>
            </author>
            <date year="2024" month="November"/>
          </front>
        </reference>
        <reference anchor="Iwata" target="https://eprint.iacr.org/2012/438.pdf">
          <front>
            <title>Breaking and Repairing GCM Security Proofs</title>
            <author initials="" surname="Tetsu Iwata">
              <organization/>
            </author>
            <author initials="" surname="Keisuke Ohashi">
              <organization/>
            </author>
            <author initials="" surname="Kazuhiko Minematsu">
              <organization/>
            </author>
            <date year="2012" month="August"/>
          </front>
        </reference>
        <reference anchor="Joux" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf">
          <front>
            <title>Authentication Failures in NIST version of GCM</title>
            <author initials="A." surname="Joux">
              <organization/>
            </author>
            <date year="2006" month="April"/>
          </front>
        </reference>
        <reference anchor="Lindell" target="https://mailarchive.ietf.org/arch/browse/cfrg/?gbt=1&amp;index=cWpv0QgX2ltkWhtd3R9pEW7E1CA">
          <front>
            <title>Comment on AES-GCM-SST</title>
            <author initials="Y." surname="Lindell">
              <organization/>
            </author>
            <date year="2024" month="May"/>
          </front>
        </reference>
        <reference anchor="Mattsson" target="https://eprint.iacr.org/2015/477.pdf">
          <front>
            <title>Authentication Key Recovery on Galois/Counter Mode (GCM)</title>
            <author initials="J." surname="Mattsson">
              <organization/>
            </author>
            <author initials="M." surname="Westerlund">
              <organization/>
            </author>
            <date year="2015" month="May"/>
          </front>
        </reference>
        <reference anchor="Maximov" target="https://eprint.iacr.org/2017/889.pdf">
          <front>
            <title>On Fast Multiplication in Binary Finite Fields and Optimal Primitive Polynomials over GF(2)</title>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="H." surname="Sjöberg">
              <organization/>
            </author>
            <date year="2017" month="September"/>
          </front>
        </reference>
        <reference anchor="Milenage-256" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4244">
          <front>
            <title>Specification of the MILENAGE-256 algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="Multiple" target="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/multi-forge-01.pdf">
          <front>
            <title>Multiple Forgery Attacks Against Message Authentication Codes</title>
            <author initials="" surname="David McGrew">
              <organization/>
            </author>
            <author initials="" surname="Scott Fluhrer">
              <organization/>
            </author>
            <date year="2005" month="May"/>
          </front>
        </reference>
        <reference anchor="Naito" target="https://doi.org/10.1007/978-3-032-08124-7_3">
          <front>
            <title>The Multi-user Security of GCM-SST and Further Enhancements</title>
            <author initials="" surname="Yusuke Naito">
              <organization/>
            </author>
            <author initials="" surname="Yu Sasaki">
              <organization/>
            </author>
            <author initials="" surname="Takeshi Sugawara">
              <organization/>
            </author>
            <date year="2025" month="October"/>
          </front>
        </reference>
        <reference anchor="Niwa" target="https://eprint.iacr.org/2015/214.pdf">
          <front>
            <title>GCM Security Bounds Reconsidered</title>
            <author initials="" surname="Yuichi Niwa">
              <organization/>
            </author>
            <author initials="" surname="Keisuke Ohashi">
              <organization/>
            </author>
            <author initials="" surname="Kazuhiko Minematsu">
              <organization/>
            </author>
            <author initials="" surname="Tetsu Iwata">
              <organization/>
            </author>
            <date year="2015" month="March"/>
          </front>
        </reference>
        <reference anchor="NCA4" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4220">
          <front>
            <title>Specification of the Snow 5G based 256-bits algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="NCA5" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4221">
          <front>
            <title>Specification of the AES based 256-bits algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="NCA6" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4224">
          <front>
            <title>Specification of the ZUC based 256-bits algorithm set</title>
            <author initials="" surname="3GPP">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="NMR" target="https://eprint.iacr.org/2006/221.pdf">
          <front>
            <title>Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem</title>
            <author initials="P." surname="Rogaway">
              <organization/>
            </author>
            <author initials="T." surname="Shrimpton">
              <organization/>
            </author>
            <date year="2007" month="August"/>
          </front>
        </reference>
        <reference anchor="NMRL" target="https://doi.org/10.1007/978-3-319-63697-9_1">
          <front>
            <title>Boosting Authenticated Encryption Robustness with Minimal Modifications</title>
            <author initials="T." surname="Ashur">
              <organization/>
            </author>
            <author initials="O." surname="Dunkelman">
              <organization/>
            </author>
            <author initials="A." surname="Luykx">
              <organization/>
            </author>
            <date year="2007" month="August"/>
          </front>
        </reference>
        <reference anchor="Nyberg" target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/general-comments/papers/Nyberg_Gilbert_and_Robshaw.pdf">
          <front>
            <title>Galois MAC with forgery probability close to ideal</title>
            <author initials="K." surname="Nyberg">
              <organization/>
            </author>
            <author initials="H." surname="Gilbert">
              <organization/>
            </author>
            <author initials="M." surname="Robshaw">
              <organization/>
            </author>
            <date year="2005" month="June"/>
          </front>
        </reference>
        <reference anchor="PDCP" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3196">
          <front>
            <title>NR; Packet Data Convergence Protocol (PDCP) specification</title>
            <author initials="" surname="3GPP TS 38 323">
              <organization/>
            </author>
            <date year="2026" month="January"/>
          </front>
        </reference>
        <reference anchor="Procter" target="https://eprint.iacr.org/2014/613.pdf">
          <front>
            <title>A Security Analysis of the Composition of ChaCha20 and Poly1305</title>
            <author initials="" surname="Gordon Procter">
              <organization/>
            </author>
            <date year="2014" month="August"/>
          </front>
        </reference>
        <reference anchor="Reforge" target="https://eprint.iacr.org/2017/332.pdf">
          <front>
            <title>Reforgeability of Authenticated Encryption Schemes</title>
            <author initials="" surname="Christian Forler">
              <organization/>
            </author>
            <author initials="" surname="Eik List">
              <organization/>
            </author>
            <author initials="" surname="Stefan Lucks">
              <organization/>
            </author>
            <author initials="" surname="Jakob Wenzel">
              <organization/>
            </author>
            <date year="2017" month="April"/>
          </front>
        </reference>
        <reference anchor="Revise" target="https://csrc.nist.gov/news/2023/proposal-to-revise-sp-800-38d">
          <front>
            <title>Announcement of Proposal to Revise SP 800-38D</title>
            <author initials="" surname="NIST">
              <organization/>
            </author>
            <date year="2023" month="August"/>
          </front>
        </reference>
        <reference anchor="Robust" target="https://link.springer.com/article/10.1007/s00145-023-09489-9">
          <front>
            <title>Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3</title>
            <author initials="M." surname="Fischlin">
              <organization/>
            </author>
            <author initials="F." surname="Günther">
              <organization/>
            </author>
            <author initials="C." surname="Janson">
              <organization/>
            </author>
            <date year="2024" month="January"/>
          </front>
        </reference>
        <reference anchor="Sec5G" target="https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169">
          <front>
            <title>Security architecture and procedures for 5G System</title>
            <author initials="" surname="3GPP TS 33 501">
              <organization/>
            </author>
            <date year="2026" month="March"/>
          </front>
        </reference>
        <reference anchor="SMAC" target="https://eprint.iacr.org/2024/819">
          <front>
            <title>A new stand-alone MAC construct called SMAC</title>
            <author initials="D." surname="Wang">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="P." surname="Ekdahl">
              <organization/>
            </author>
            <author initials="T." surname="Johansson">
              <organization/>
            </author>
            <date year="2024" month="June"/>
          </front>
        </reference>
        <reference anchor="SNOW-Vi" target="https://eprint.iacr.org/2021/236">
          <front>
            <title>SNOW-Vi: an extreme performance variant of SNOW-V for lower grade CPUs</title>
            <author initials="P." surname="Ekdahl">
              <organization/>
            </author>
            <author initials="T." surname="Johansson">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="J." surname="Yang">
              <organization/>
            </author>
            <date year="2021" month="March"/>
          </front>
        </reference>
        <reference anchor="SNOW-Axn" target="https://cic.iacr.org/p/3/1/31/pdf">
          <front>
            <title>Pushing to the limits: SNOW-Axn – a fast AEAD stream cipher in aggregated mode</title>
            <author initials="D." surname="Wang">
              <organization/>
            </author>
            <author initials="A." surname="Maximov">
              <organization/>
            </author>
            <author initials="P." surname="Ekdahl">
              <organization/>
            </author>
            <author initials="T." surname="Johansson">
              <organization/>
            </author>
            <date year="2026" month="May"/>
          </front>
        </reference>
        <reference anchor="UIA2" target="https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2019/05/uea2uia2d1v21.pdf">
          <front>
            <title>UEA2 and UIA2 Specification</title>
            <author initials="" surname="ETSI SAGE">
              <organization/>
            </author>
            <date year="2009" month="March"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 936?>

<section anchor="aes-gcm-sst-test-vectors">
      <name>AES-GCM-SST Test Vectors</name>
      <section anchor="aes-gcm-sst-test-1-128-bit-key">
        <name>AES-GCM-SST Test #1 (128-bit key)</name>
        <artwork><![CDATA[
         K = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f }
         N = { 30 31 32 33 34 35 36 37 38 39 3a 3b }
         H = { 22 ce 92 da cb 50 77 4b ab 0d 18 29 3d 6e ae 7f }
       H_2 = { 03 13 63 96 74 be fa 86 4d fa fb 80 36 b7 a0 3c }
         M = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d d0 ef c2 b9 }
]]></artwork>
        <section numbered="false" anchor="case-1a">
          <name>Case #1a</name>
          <artwork><![CDATA[
         A = { }
         P = { }
         L = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d d0 ef c2 b9 }
       tag = { 9b 1d 49 ea 42 b0 0a ec b0 bc eb 8d }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1b">
          <name>Case #1b</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 }
         P = { }
         L = { 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 }
  full_tag = { 7f f3 cb a4 d5 f3 08 a5 70 4e 2f d5 f2 3a e8 f9 }
       tag = { 7f f3 cb a4 d5 f3 08 a5 70 4e 2f d5 }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1c">
          <name>Case #1c</name>
          <artwork><![CDATA[
         A = { }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b }
         L = { 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { f8 de 17 85 fd 1a 90 d9 81 8f cb 7b 44 69 8a 8b }
       tag = { f8 de 17 85 fd 1a 90 d9 81 8f cb 7b }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1d">
          <name>Case #1d</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e }
         L = { f8 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 }
  full_tag = { 93 43 56 14 0b 84 48 2c d0 14 c7 40 7e e9 cc b6 }
       tag = { 93 43 56 14 0b 84 48 2c d0 14 c7 40 }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd 53 49 5c e1
               7d c0 cb c7 85 a7 a9 20 db 42 28 ff 63 32 10 }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-1e">
          <name>Case #1e</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 }
         L = { 88 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 }
  full_tag = { f8 50 b7 97 11 43 ab e9 31 5a d7 eb 3b 0a 16 81 }
       tag = { f8 50 b7 97 11 43 ab e9 31 5a d7 eb }
        ct = { 64 f0 5b ae 1e d2 40 3a 71 25 5e dd 53 49 5c e1
               7d }
]]></artwork>
        </section>
      </section>
      <section anchor="aes-gcm-sst-test-2-128-bit-key">
        <name>AES-GCM-SST Test #2 (128-bit key)</name>
        <artwork><![CDATA[
         K = { 29 23 be 84 e1 6c d6 ae 52 90 49 f1 f1 bb e9 eb }
         N = { 9a 50 ee 40 78 36 fd 12 49 32 f6 9e }
         A = { 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 45 3b
               13 0d }
         P = { ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22
               f6 22 91 9d }
         H = { 2d 6d 7f 1c 52 a7 a0 6b f2 bc bd 23 75 47 03 88 }
       H_2 = { 3b fd 00 96 25 84 2a 86 65 71 a4 66 e5 62 05 92 }
         M = { 9e 6c 98 3e e0 6c 1a ab c8 99 b7 8d 57 32 0a f5 }
         L = { a0 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 }
  full_tag = { 45 03 bf b0 96 82 39 b3 67 e9 70 c3 83 c5 10 6f }
       tag = { 45 03 bf b0 96 82 }
        ct = { b8 65 d5 16 07 83 11 73 21 f5 6c b0 75 45 16 b3
               da 9d b8 09 }
]]></artwork>
      </section>
      <section anchor="aes-gcm-sst-test-3-256-bit-key">
        <name>AES-GCM-SST Test #3 (256-bit key)</name>
        <artwork><![CDATA[
         K = { 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
               10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f }
         N = { 30 31 32 33 34 35 36 37 38 39 3a 3b }
         H = { 3b d9 9f 8d 38 f0 2e a1 80 96 a4 b0 b1 d9 3b 1b }
       H_2 = { af 7f 54 00 16 aa b8 bc 91 56 d9 d1 83 59 cc e5 }
         M = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec 12 99 3e 68 }
]]></artwork>
        <section numbered="false" anchor="case-3a">
          <name>Case #3a</name>
          <artwork><![CDATA[
         A = { }
         P = { }
         L = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec 12 99 3e 68 }
       tag = { b3 35 31 c0 e9 6f 4a 03 2a 33 8e ec }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3b">
          <name>Case #3b</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 }
         P = { }
         L = { 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 }
  full_tag = { 63 ac ca 4d 20 9f b3 90 28 ff c3 17 04 01 67 61 }
       tag = { 63 ac ca 4d 20 9f b3 90 28 ff c3 17 }
        ct = { }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3c">
          <name>Case #3c</name>
          <artwork><![CDATA[
         A = { }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b }
         L = { 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
  full_tag = { e1 de bf fd 5f 3a 85 e3 48 bd 6f cc 6e 62 10 90 }
       tag = { e1 de bf fd 5f 3a 85 e3 48 bd 6f cc }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3d">
          <name>Case #3d</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e }
         L = { f8 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 }
  full_tag = { c3 5e d7 83 9f 21 f7 bb a5 a8 a2 8e 1f 49 ed 04 }
       tag = { c3 5e d7 83 9f 21 f7 bb a5 a8 a2 8e }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 84 de 10 51
               33 11 7e 17 58 b5 ed d0 d6 5d 68 32 06 bb ad }
]]></artwork>
        </section>
        <section numbered="false" anchor="case-3e">
          <name>Case #3e</name>
          <artwork><![CDATA[
         A = { 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e }
         P = { 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
               70 }
         L = { 88 00 00 00 00 00 00 00 78 00 00 00 00 00 00 00 }
  full_tag = { 49 7c 14 77 67 a5 3d 57 64 ce fd 03 26 fe e7 b5 }
       tag = { 49 7c 14 77 67 a5 3d 57 64 ce fd 03 }
        ct = { fc 46 2d 34 a7 5b 22 62 4f d7 3b 27 84 de 10 51
               33 }
]]></artwork>
        </section>
      </section>
      <section anchor="aes-gcm-sst-test-4-256-bit-key">
        <name>AES-GCM-SST Test #4 (256-bit key)</name>
        <artwork><![CDATA[
         K = { 29 23 be 84 e1 6c d6 ae 52 90 49 f1 f1 bb e9 eb
               b3 a6 db 3c 87 0c 3e 99 24 5e 0d 1c 06 b7 b3 12 }
         N = { 9a 50 ee 40 78 36 fd 12 49 32 f6 9e }
         A = { 1f 03 5a 7d 09 38 25 1f 5d d4 cb fc 96 f5 45 3b
               13 0d }
         P = { ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22
               f6 22 91 9d }
         H = { 13 53 4b f7 8a 91 38 fd f5 41 65 7f c2 39 55 23 }
       H_2 = { 32 69 75 a3 3a ff ae ac af a8 fb d1 bd 62 66 95 }
         M = { 59 48 44 80 b6 cd 59 06 69 27 5e 7d 81 4a d1 74 }
         L = { a0 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 }
  full_tag = { c4 a1 ca 9a 38 c6 73 af bf 9c 73 49 bf 3c d5 4d }
       tag = { c4 a1 ca 9a 38 c6 73 af bf 9c 73 49 bf 3c }
        ct = { b5 c2 a4 07 f3 3e 99 88 de c1 2f 10 64 7b 3d 4f
               eb 8f f7 cc }
]]></artwork>
      </section>
    </section>
    <section anchor="compatibility-with-3gpp-algorithms">
      <name>Compatibility with 3GPP Algorithms</name>
      <t>The integrity part of GCM-SST was originally developed by ETSI SAGE, under the name Mac5G, following a request from 3GPP. Mac5G follows the same structural approach as the integrity algorithms used for SNOW 3G <xref target="UIA2"/> and ZUC <xref target="EIA3"/>.</t>
      <t>3GPP has standardized GCM-SST for use with SNOW 5G <xref target="NCA4"/>, AES-256 <xref target="NCA5"/>, and ZUC-256 <xref target="NCA6"/> in 3GPP TS 35.240–35.248. These AEAD algorithms are designated as NCA4, NCA5, and NCA6, respectively. GCM-SST, as specified in this document, is fully compatible with the SNOW 5G-based NCA4 and the ZUC-256-based NCA6. The AES-based NCA5 differs only in its subkey generation but is otherwise identical. The NCA algorithms support bit-aligned associated data and plaintext inputs, whereas this specification is restricted to byte-aligned inputs. They also provide more detailed specifications for nonce construction based on 3GPP protocol requirements. SNOW 5G is functionally equivalent to SNOW-Vi <xref target="SNOW-Vi"/>, except that the finite-state machine (FSM) adders have been changed from 32-bit to 16-bit operations to increase the complexity of correlation attacks while also improving implementation efficiency <xref target="SNOW-Axn"/>.</t>
      <t>The version of GCM-SST specified in this document imposes stricter security considerations and usage limits than the ETSI SAGE specifications for the NCA algorithms. This document recommends that 3GPP adopt the additional security measures described herein.</t>
    </section>
    <section removeInRFC="true" numbered="false" anchor="change-log">
      <name>Change Log</name>
      <t>Changes from -19 to -20:</t>
      <ul spacing="normal">
        <li>
          <t>Separated generic GCM-SST usage limits from AES-GCM-SST and Rijndael-GCM-SST-specific limits</t>
        </li>
        <li>
          <t>Corrected, clarified, and slightly adjusted the usage limits.</t>
        </li>
        <li>
          <t>Added the hash field size m as a variable independent of the block size b</t>
        </li>
        <li>
          <t>Editorial changes</t>
        </li>
      </ul>
      <t>Changes from -18 to -19:</t>
      <ul spacing="normal">
        <li>
          <t>3GPP standardization status updated from prospective to completed, now citing final TS 35.240–35.248 specifications instead of WIDs and Liaison Statements.</t>
        </li>
        <li>
          <t>Added a more complete description of 3GPP NCA4, NCA5, NCA6.</t>
        </li>
        <li>
          <t>New citation to Naito et al. for a tighter single-key bound and a proof of the multi-key bound, and a more complete description of Inoue et al.'s single-key security results.</t>
        </li>
        <li>
          <t>Significantly revised usage limits (P_MAX, A_MAX, E_MAX, D_MAX) with clearer motivation for P_MAX and the δ ≈ 1 condition.</t>
        </li>
        <li>
          <t>Restructured decryption steps so that replay-protection failure is an explicit abort step, and added a requirement to zeroize intermediate values on tag or replay failure.</t>
        </li>
        <li>
          <t>Added zero-trust key compromise rekeying considerations.</t>
        </li>
        <li>
          <t>Added nonce-misuse resilience discussion.</t>
        </li>
        <li>
          <t>Added a more complete description of technical changes compared to NIST SP 800-38D (stricter usage limits, fixed-length deterministic nonces).</t>
        </li>
        <li>
          <t>Corrected the GCM formulas: E(F) ⪅ δ ⋅ v<sup>2</sup> ⋅ l / 2<sup>t+1</sup> is a bound; other formulas assume δ ≈ 1 as well as deterministic 96-bit nonces.</t>
        </li>
        <li>
          <t>Substantial editorial changes including terminology cleanup (tag_length -&gt; t, octet string -&gt; byte string).</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank <contact fullname="Richard Barnes"/>, <contact fullname="Thomas Bellebaum"/>, <contact fullname="Patrik Ekdahl"/>, <contact fullname="Scott Fluhrer"/>, <contact fullname="Russ Housley"/>, <contact fullname="Eric Lagergren"/>, <contact fullname="Yehuda Lindell"/>, <contact fullname="Kazuhiko Minematsu"/>, <contact fullname="Santeri Paavolainen"/>, <contact fullname="Sini Ruohomaa"/>, <contact fullname="Erik Thormarker"/>, and <contact fullname="Magnus Westerlund"/> for their valuable comments and feedback. Some of the formatting and text follow the conventions of <xref target="I-D.irtf-cfrg-aegis-aead"/>.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+19S3McR3rgvX9FLhVrAzv9fqGbGs24CYAkJIKEAVKckSwx
squyu0uormpVVQOEMNyYiLEj7N3bTuzZPnuvDp/2tHO3/4N+yX6PzKysrmqg
SY2047VnFER3dVVW5pff+5WNRqOWBVmoHooHT2QYB6k4jNdRphJxGvtKXAfZ
QlxkSRzNxYXy1okSL+U8FXtPDk8bFxcv9x/U5HSaqCt8ni89qHkyU/M4uXko
gmgW12p+7EVyCa/wEznLGkuZZWkaRw1vlswbUqWNubdspGnW6HZq6Xq6DNI0
iKPsZgWPnJy/fCzER0KGaQzvCCJfrRT8E2UP6uLByeQR/IkT+AT3PahF6+VU
JQ9rPszgYc2Lo1RF6Tp9KLJkrWowyV5NJko+NPdfx8nlPInXK7hymNysslg8
jpP18kHtUt3Aj/7DmmiISL3NxFxFKpEZTAwvraPAixP6mK5kchkGACA/SLMk
mK4z5YtQ+XOV4O/frmWUrZdiKeeBV7tS0RqmJkT1a4XgZT84V6mSibcQT/A+
/GEpgxB+QKD9RZBks2aczPE63gXXF1m2Sh+2WngbXgquVDNQfFsLL7SmSXyd
qhYOgM/NYWvXU3hSLWX0TRy17tkdfCYEuKaZ8zb9bJMHawbxfaPc93tzkS3D
B7WaXGeLGHYSoE+ocwoPLNS1OJTLlZxHEiYDC5NR8B3tyUMxWcrv4ki8VlNA
1OQq8FQK93iIzIiJhzKSPj6lGI6eHucvJD3X9OKlfdckVG8l4BjQgHwbLOOr
0suOk8DD6btvuLhWgJb5G6QZpbnkUf5C6acKL/s0XkTiN+IsUes//D0tUw/8
/m/8BoZqGsgW31aL4gR+AaR4WIMHzh8fDjqd4UP+OOoPunR5cnyBlwAJZTJX
sM9mm6OrcLWeps0IMLw5j69a+AGvtB6fnF20np9cvGzip2ZnfNBYr/xOc+XP
eCTNXCb+lYw8IIzjyEOMh0UBXwH4yMQXe/Di/Qd0fwrTVinyDZ6JEA9w9Acw
xGNYbSJDcQI/0mJgiLMkho1OkfrMaKk4W0/DwOMbYEI8MLEEgO+N6La7PQJC
8A08oMLqJXtp4uXrxW+tpfID2Vol8TfKy9IWrSOeJ3K1CLxGal7fgL+N+Trw
FTAFlbaA+62XwK/SFqK5r65UGK/wQivRE2jI5RJ5ml+G2vEFLnEVpxL210yY
F2QohKHU0H8F8NwUsUpG4kiqJeFHxQ2fB7AbUYZjmnsYQhdqlSnkogCnNsAp
MNDOUad30Olo1Ol3Bz3zsdc2H4f9g7HFrV7+sW8xbtgx947b7Xb+0Yw7HrYH
+PGkcURcrLGMv21kiYzSVZxk9hdgg4aDzAOAvJI+I7IH3NmH/U932VxC5HTV
GrXbLcCXlmwFq8QvbATioHgm15G3UKk4yjdRxDNx6CKC8+4d9gnHdYD/6TpS
iJ8DWsTh6ZbZqyQLZhrDmwrWIZtqDWiCfyy+wYfrKIyl35JA4MNhdwrwUe1G
f9RXjXFn3GmMxm2v783kgZTyjUYCi3nzRAG1Fpd2qrwF8KR0mbo0NVklQZjP
+vii8frk6PhDAF8NdiYAADuISUPkwXdKSPE6QCb9uUwCyTsBL39/oB8pzyB8
t89L+KJ69gpWGmXNQHoJidVuu9NvHYx7Jbo9j6frNBMTmAXsBO6U8hs553uI
rxCwEgG/4/qmoVrCZ5mJIBMXcXildkGez4EyxMs18L6nQO7z6ptewi5+lsRX
Kvuu+oazRRCGwUqcx3N5LW8KzBLUhjqApXNAYHl+cXFSDZgl8GAtdJveDcAS
tnd91ZwlOfdjlpi2nr98c3KWKu/N8fMy2BTIKmSFhNmpAM4DAgG0TuTvkcpQ
XUtZJ6UxCli4niPIYbKMhilof+8rzC5Wygtk6MiPlGXbxVkTcLTR7XWbwaqC
TePLGo9kCrB+FswX2bXCf13quXHkEy7rEMYGfgYSwkd2gpC7VwDq6RXkm54W
CMUgy38TR6hl7YBCpyoEbi8u/vDP0VJ9B8gELLb6zs9UktyISVOcep9pLCnd
cwRmwiKGWR0utuLjp0F0qeCWz7bfgRrRZypMlYuMzwGFC1T6SIWg6KrOwc60
OmwNhv3S5r0EEjxdh1nQeAWwZysnyG6Inbj0K4r0e9EAewcmLF4+uxCdZm8X
YDfNpKt/f9QE48q7BJU6ql4406FZ+HjnhY9bw2554c9jUAFSsB8UvAMWqXxc
1+RInAM+pgEseZc1BYsguXtZ5/C8eL5lsx9984d/TqL71j3mdSdAMyrYQtaw
3JtVM4tbIAsCIDEwv25aK5Us1xmTcgMUmkG71y2zazZw3c1/BDq2ptQzZ4gd
AHIEAlKF4tNmPt9NloqaFTGpR9v46fX1dXOaBs0pzKLpq9bFAqDrH8Ve2jrS
Uj1tHT9vwQCtArd6CRL6Sa57vnzS7nbaXbyv8fK8QV8aHbKxCgDYJubFJkdG
mfWZuhHPVDTPFttZFrwQORZOByxl4Et2UiKfh8u+P5XRWiaknA8RNMbOe0/l
/PiKNG1U8VsZYKbfIJmxiFcN4NDTMPYuG16wWqgENEoQR4141ohX2rB3VXXP
Qz3Yb6wk/Jq22Dfyn7tt7R2BT+gfgT8ojeAPO0fwA6BGBn/RTVJCtA90sezC
WRzDuOIG5NvWlq34HdC1bIGavXnhZbHmvGQ4Ham5nMKWh6p6d/w4IM7TaTd7
4+64pbLFd41pAxT94aDfHbaLtBd/BtbtDNTZANXpI0CkeUR4drJchWjAMO0h
Pz6Lw5soXqKceyrThXgM+jjjJfAKoNQkWCrxGCbm70KpsOZ8JVtveRKEoPMn
23+Pr9AptU1qAlwBhkkRoNoKJTF2FMxmKlHAiquBCTRz2UyRpwODQlu+BcQJ
qJkgeDvt9kFrfDBq9Bq9zrhxMOodDBqjNzCyC2KScAFbyfnrjN5ZZ2BnKSjy
K8tJUNkuoGku/XYA7RP5h/8F6g6wCUDnKKu+6bECPT7Cl18EMJGbRKYVnLIz
Iigla+9SJdUgSvxdANTutRvjg+EAGM8bGLSIg7PsGuXgC1jgUvtcEOGMxU2C
AMEAourtaNgY9sVZKDO0jHey8kBE6hVU3wD8/QZYpEqq0KSLADg+mfS2y4p5
upS09DQO1yzs0AsRAEvwslaGXDgO4zlw6VaqRVzretUArTVDS3G9YolCqkJ7
0Do+nvTe4BvfpKhyGlPzzVXnzajE0zrdUQMfIDSiL/CguHAf3AFExy8vTsTF
5MlxpUxgBeA4Ai65utlV7en2Wx34X2nChzHYO+hh1hr7JMtA+wAeEolHKCDE
IQkI2u9UNMTxWwAPaNdAPfZRloRAWLCzk2mK9LQbx9nOZR+raWJEIGkHQB9g
0myzYooi8PDi/FCLwDPjn6LFNHgxDZbE364LDqlHh6etQ5Lv8OXw9SGqtC3z
2m7ZzMnVYaSPayUvIzT8UlSD4dFdKKFpl1VCdNaJnmzzejhSZdjujgqGWW90
dIchSdRbsbVA4C+M7EeehbK5VWB6KIP3aaufnE4OP9hAg+ntJsSPUFsJtmjB
7QMNn8arFQc47seLKr9lQQvKqvBi6gETNXjhXXvonG+hg35NLy6rNWAJ8Zx2
UZDRhHySqOutNPJ5AGJ5G3oQk3zPpQPRpUaP0MqhR/b3mtWHxhQZAWqIgOAU
jUhQ/28FSzmHLzwI4HnaGDTmNIEGgChXLXHECjbjvEHQG5DFoMcH3brn+AZC
LUerITvUCmH2CKFcyvUjuKrlkHZ9A2pPMNwDG5mBsN1FHF00y7JmU8cD5SsG
jWG6TcersDK7YGWWwZAPJFahhGcwmEaqhIxkeJMGzEoBO6cSbmo4NxlmK6Th
0DMx7DemQSYIhwXjsCBNfifT7CrwXeQrG5oka0+ieL3zslHKjLtlsfgE44Vg
TLn+BBshvXeqk8vgMuaJbLkhXVwD1/10sUXhfySTDAy5KAL1cYtqKr9bL/At
p2CVLWWWrqthwmrqybXMthhjlajQ75VB8igBiYFiFDf8XK1kQI495B4WSoDV
8WyXzXypYMY8rS3rU0G6vgSdbgGmQvABMMg9ioQVn8brtz8Ry2WZ0WBJ06CI
aYr8t/UNzOGNue0++fxYBiFyBJTO5EgHGynViu1u0hqsRly1CxPt62+Tkf4M
LZ9wSwBtp0B065fzafZJ589woLefeK9XV+2/nP+qG2aXrxeZ3zsfr45fHxx3
DicbrHW51MxQO+J2JKtfN82ct1hjRi/bGdMHrf7BwX07gR4TVElgA25w0ltV
jd10yILyWKVGvFYpjBuCgCktk73j2hew8yoPWqPRuLTKF4hjQCEbUgvQ7RHY
dbDUx0EEcklb5ET1ZGChhgSmeoAxRUf6aSv+yeO97i6AuM+l8bQpLr75wz8D
E5s7UHDDm+xOPQ1CFYGcb3QHw2qAYMhRhs3efLUigIC0ucziFYiddah01GBm
XXCFr0cqAzJImzJdvf1lwZg68T/pd/tFQ73wKJIpKgunJ8+On4NhhPMTMpzH
wCcXS1BDd/Hv956cnVVaVGxi6J37qVXJJbnbyUfbaJcNNDMrTIpBL6610CZz
0A0Q4UDvgR0TG2R2+KF6QFlD8uIsE4/D9SLRJntZE30ugyy+11QpOCC6jfao
0+03Dt70CgvOQxDrzRCE5m1EPI/XSYb6znG0wFwKgukuTG9NcpDmu+0OcSFT
kM1bRK28VCBCxcUaI4SJq5o7aiMDJbjeXUsYtLqdcliioA5oPzwyzyjFaO9O
QYlfrwOQOzSZP7pucK8isuG+YrAcTvo/NW/pbvhZq3jLRRRfi8ETbZ0Ag0Hl
Ov2hXMasnT35sPbBT772zv1rRyPsR173Ty5PujvIky9eHf646z4935UDtIct
2KoSB4BFqmQZoOTBfJrtSRRoLVyR1WgZxkuwMTKTmIPLBd2r8TqRK+Pu3mF5
Z81CMkSZ4kGzWIACs8oKJrS1F9hRA3B49j7iAR34w95wfNAYvymi76M4Tsn9
uC0eLTjfBJ1xHE4ClkVqFmiWOSbtYlQ10bBcb/FSv2iKo3V0qcLltiQB0Mme
rW8u394BFcwOmf9ELk3O2Q0bVgHR0TyexJsnQQh/szcgW98ABNOFvN4WsTud
HDJkdWBZ+yuCEHHOC+NUYcAEBJTcJTvvs6aGw1bNVU9tq4avp+uqdpw6xrrJ
2dHh2U/LewB7hwXAPT//WJyB1qYy0LcyiQkvoN3PTeQpi704FHs40X2Rvmew
APmPeHkheqNmr9ur1m+JF6GPLNsWNqrM5hp2yi6sSa6PTIzPSnMXQLVVnAaG
vx4uJPzXbVu/XqfXHuwSL4sTX2ezZgWFM/dBkHl6rgj/3sNu6/XKfnw9ikHf
OxJdQBFegJ65C+s4BI4IXEpGqLWH2wJdx8ElWODpFsS+yNQMo4ZrUPar7/hU
XsZTsG+j75Rrwhu3BFt0lL+yk00TqWvtD17pLNtGFjcSer6RrhrsiCnmJE6i
CJRSVr8pKK2fRAbAbxYXZ+/h9t/IRrQ7rpOUibPvGhqWCexhqKxkSduAOIMG
jNVoj/ujcWNcRAROU8RsrUiFyHkAb6mU4VWUqDBA0Sqem7y7gJ3XqIsnvngm
b4CVIgD+8tXJISH80XulQj0OUm8RBlskyWPggX/431G2NfR+2ERqL8aRHPLv
/wfwfiDwgOcNnvzUQmRYhLHlu9IJcZh4gad8cm9idA9smIubNNtJvbPSo9cc
tDtb9dgLkPnvEQQYdYpTnwhgLoKqAhqgQ4BwRh3Chp2EJ8MQeO2FjSveFzR7
vTVh8j5PGOizx5e+XIRblb5PY8DijXi0yUVnZHj+4nXj82BneHRa3V5RHzAj
wO4J9TZLgH8KUMaouAB1gqs8i5tvpX0N42uViHkifZC1Z692EUTvu9oPyZX6
tdmLDcTpWFhN3m4LUgZeDqlVq9fqtHqd1qaIPlunC2QlIFOQbYToLUUBqYcW
3//290KKGXpfKWUTkErJpQmIAbOR83mi5iTOMTz2p4li2vNO5PbqZNL9yRJc
1kp214Hs+p2rCvvz1fGkS0wG5/RHyWSxaZ/jWq3RaAg5xeRvL6vVXi5AmTTm
i/DVDPM2xQflCWIi13ZNjh6fwAZ4Af1ESvkeIs++Y/9zxNn3E87rSNUVlVw5
qR7sk2xax6QHL50qsUaHAr1DRjfiUt1ojNRlk3FSF1GMEZvwhpKENoO4KSIY
4K1v89OAsSfxkqKDGAJHMggwAcjnkDpORGJ1QIxh9KIjOF1PYQbi6c/hwy+6
P2/hnzpym0aEOc8A5iS4sk6RaQyzfkobvvEEXsKSTlTKYYXocmZKbIqXMeAo
zLuOEwOVDzNm5zDnG4x1bM4nw30i4ERKJg0yEyssScDeOqzRC9c+0n5SVNNh
SwIUJ54CIz0M4fs8wDAPwB2d4pJAtpBXijksYC1uM1fE4jL5ffAOcbz3eF98
/3d/K65ES3RhyatfZLjkFS4Z5wOQghcSLlCSO2yFTHg74NerAKeXYwAiMGVt
wuvyio2MVkZmnl57olah5KvK0/sEVCFTTKGvkyZUFxfnL88Y8Gga1o2sv8La
EVhd4lOeHm2MSdpzpQiwiJVMSPUC1kmIWqQwA7VURJiMTMwzR/8ckGvKlkQf
IQWrTaUexmAASz1NmMha67w62GMRclY0Qrs/qovxkOff6XTFlLDGgGwBi54q
FYk0r2fyxfSGdRMEItCTpnhg+aDe1CnSCa/nIb94dYhfmsxOloHvh6pW+0ic
OBQC3z8Sj8AEnyc21+Q0zjTm12q4uCCq5DV7Oqy6L25v4c+7d7jJEibkK6Bf
HzYyvsHMuR/GbG5vdR3qu3d1kP/hWiMQuiTdTYVJVu48g4Lu1n5Ai3voqaLk
Agp851CmpddtDhp6bLBaIIA3g6JeTmn783STlmc65xhmb0Z59w6xTIlZkIA8
RkogeRFlACsgZ+CDVL2Gd5S9R/yo4WMhKDwpIKmJFbOXYQt7E+sVJscgGWEm
0GxtmUpdqAjgQbkWCaBegoo9PJaqb9dIBZYXFAj+MoqvI6THDc4z40SCpniE
nNKBkQReDaoszNpF/7qYrjltSaWcEIc4I7H+HeZDqJFikjyxRcBgdoUJhQM1
Aaz8HXAO7rrGjUE+BPI/DInZxolCSOCgjNhwi+G+1/EauC9GllH10aw5nzDP
jFACKV1JwB7038AI8HERe8hkid/n5Wf5TG3cPZ+quQKTxdL4pDBlzlpCVoMy
Ejk/TFmG1/IGOMQU6+VgbguSIqjLadSgzVSwqDoaC7BzPk5HYzKiY5qul0Rl
MCNeCvCy+BqzqzDbh3RG0K4BgWCsFZpqtBCSQbQaeB3MLwL2RFwJyZDcFkiF
CB9kTiirjRrAVYoIaFgAodS2PFAQTIKqLuw1nJyVI36seGQGOkzPpLUBYBju
Wr6aRLlcetmcW1KHcz6bp4vhjzJnOaB4SVBKr5TmRmOKdRAY6rZ8y3C3GJWO
lLUTWenjhVexpGz0xlZWRlrlMQoNwRgYBxn1xN2wpBnhirO+SybXSSjXEVzX
cYLeZNwhghzqORG7lsVwQO8Bm7EpzrepB8yrPaATLZeFBywRXsO5GUtOH2Sz
gd17hAI02rt3t7eT4y+Ao9VqFxb1iZg180dFD2zobr5g/NFwWH4BcEHE21ig
kwUog5wduWIDxvrtLbkXEDQ6o88ORYwPPfY83ZP4pbCF37zJeZmCHpu3AuZE
o/G3UdsZdrVSpMAw+yO2LCi0AHzSCC1A3jXOeUVOa70s5jqwYQpYjX6PWiHQ
QC2uiyXns8HuLsUimC8Qj1WUcmYL0GGhRQCltyyA6XwMMgL3SUlQf/h12PZD
MzWYEWcnIzJ222JJeC5xbnWLmkgRkR+AWrQGtDBT1rmUU5g6PBtRUR+KRZSG
HKCAm1x2qLW7/OVInbkqnzM/erNHxA/MNoZxQX/JrlGFQdQ2K8N5raNIoTgC
ex4GDNFcoU24va0u5gfyw0kvURdM2d4vJOdaLRGJ9vDlOU/tKXpTiMSwGwGi
re4agMJ4A3OxdwyuCgUkbLyB1vUCmdBK3pBtyPtNdhWgWEbbCVMxCIbP5eos
/JLrGgjBeYCMZnpD0AAGTZLbFYmkqUR6ZVz2yySSlzXToAAA2L/IB2qDVWpu
aHYdJIoC3g989jFwdBK7JOEcisCpZjgj3OGISoKJi1AmEYBsqtBESJmfhDcP
t6kluPcoS8G0Q0uhU7YUeL4Zc3jlrBbXiYIFlBAEipyRpoxmYU5saZ2vbK6M
AVWl0jTFITFsqzIKoJ5A4Voco6pgTG0iMeslGao8jna5AlUpJAYaSkO3aDiQ
+vxBhvhWqx4WsKMVXzRLNqzyTbXmxzDGUSmttMWNyARyefgjGuWV9nilLQ6s
KXir/IZGPr+QPEBDa6zCyZINmsdunjydXDxlSJ29ePbrzyfPGMOwIw5p9Xda
+cCiIjZ93sfAZ6LQmWxLk+rmEAKmuhUMX15FYxmkaBWioA8DRX6AbSY43gdU
+EGWuIFAn8yygirTxitoobucN7fW4Sr+QcCdRNQiC/2TqcpQf9326rpZRNnU
QpZi+JVMcy0oD8avyQ+y1U1ySN4A3J/YRmPN8npjLXieFNlKPU+5M/wlNeXh
qGnOCaD0+hAVXCP6mlRCeb+HAraq5KT4mDbLWrXETsEaBYqnyDIsmWx1UoFh
ONBWAagobTTSIuiwv1KGVMFJtITYqCAFWRaqhgJlAeDnhlEctrHC+pjkilkU
DeazCpMzbMECeY3zs7alsmUpQaFWl/R3rWeuTJlKyqxDFy+hxOYiFNI1iwyT
BHbuqbFYXuGdQXX1Qu+krdak3dHZTcT+WC1CDgec1nXmoIPDfEcvx4e7dl4S
g8inqNk1KwTM70FjW8NHdKAs8WGkVHLhy4IfRW34UZY6mccqWdotiUPm/o6t
LkGNxj/IK8iy/srI+s3HXfm9lJm30EoxU28QJwUjhqwX2nAyVKz7wc6OhIhr
pqDcxgha2ZLUHLK54aHDlDaQeP7NdgfbBq9BmKJ4ytv8oXnvpIZrHIOhydDW
jLbKvcQ4SU2QkBW+sKTwdjTEh7lsWPvI4MbnJzTy5+yPyxXfenFRmomkOdWB
9L691XXF+CaX3U2On5xcGJ27ok0WMjqndsJYwOgjyiTpjTC61oGzBRg/88UK
dgE99GA3MaJaZne9AEAB9mUg1MzWOwxpBnjApgMCAr/blgsERJgHsAAzk2tg
9aD3zIOIHUfca4t3z8ZWmAasQyu8Y6M3PanoYTqc9A0AELR0ZWBEmfat8tUh
cwUbMx40u/3297/9PX0YNfPMoBUVLtEbc36Fht4c2K+2cDDDG5HMikQSDozC
NGkq+MrdS/RVIx6lbztOMvxKrJO5KrwPPWYcq1KWZ9Y1Mua35Gy1qGTe5fJm
uJDNTouFYfwg9dY6RqQhYFK0WQSg/sxJX1HeOuQINWGSaSnyfEUkh302U/Hg
9NXFS+zpiX/F8xf0+fwY9I/z4yP8fPF08uyZ/VDTd1w8ffHq2VH+KX/y8MXp
6fHzI34YrorCpdqD08mvH/DCHrw4e3ny4vnk2QNO0yiIooSE9JT0XJWApETM
l2kN9C0vCabEasWjw7P/8w+dPoDoP4Ei0e10ULngL6POAeAactCI30ZaN38F
OrmpaecExmyBhXtyFWQg/+qo8aA3MRLIewGa/+VLhMxXD8XPp96q0/+FvoAL
Llw0MCtcJJiVr5QeZiBWXKp4jYVm4foGpIvznfy68N3A3bn4819Sk5hGZ/TL
X9QYR2YxesWpBVise4EEKds4OqvG7NZDgJL4zEgpwC2CIptfdLOj58Gdz608
Q/367nsn5t4NF+PdT52Zp6yb8u77v3DmzjYbXPSsjc3WGQ4Dl1ErMXMq6c34
+/ZftTZTN5Y63D01d7MdmAIbtT+LPdWcN+toKhp+TZiMTBK/FxQqGGtpV51X
NmOhBRhqaDbdObbWaHGYHdQNuOsTZ2PAAGLLbsVmLvz8/d/9g7kBQP7tWrI3
N7/hrfir3/zVb8QNK+Zkz0WFfPnpTUYaHDHst7TwGxz4v/1PC7Igu8a0P/XW
C4GJXqnGi3Ox96sX5/vuiwDme2/3zTPaWoV3vHV24TuFXRx9vC/BDnKNFXqm
NmYBT5A8w5upT4vMzUgYb2kGM+bp3tu6uNnX4lnHoShSdcM7QHPAZSFPpwZ1
bCkvJZZK4tSj8k4sSbf2FuuIk9vMzM9w54wtHZRRnS1ruOfRca/rwGMazI2R
Qg5QXCe8RvuZyfCCF7+FB58dD/suIAsGjvusdiy7z37+5duvzIPOCtApRBWo
vBkyScBE/fxjB1R8G0ZG+L42D/bwxg6XoGegBBkeGLv7wdBajxI3zksQWm9O
J7+ys8Ism/XSiWu4tApIkG4ypqqnN5jUfWMcV42R77VjkATRVawdjfDc0d3P
+WrLc9//9e+Bbvd44T/jJYDt8d//RozA9lhujhhEqHo6a3BBDArQw4c6wf9d
bfvISxh5xESeJBi1dDQ1tN3vQXFtxhq/2lNycZD7nJ68770/Ex2YZ+sdKkUf
5FMUtx8ZHU5by6l23RjvIk7eaJ4b/sNcgjJlF3u6wVK3hWA3PExMyuxY1JZS
yHrRTHrAnmLbw/QDHJGy0hXpGAbSR00oNTlxtMb85dUylR2ZDgLb8H2GRY0A
mXXCqYdYRaSZsstr0VGzRJdi+pA9m8BGSWv9DEPn7Ll8Xi8R3MQ4snM6PuO5
VAABgcv2esZDEMQ+Y7V/8ynQoQT3wEcnyxndNOGbyFGA1I/GhqYdx2+B6mW+
HGeQrHpaTauilya8Io8vOhecn79gC4BLlTbox02QADaolKGrL75sf1WHfztf
aePry+5XpHQT6siST5C9yOn2fK2lTCkmp93Np3X0CKJjAeRyaLIt8kwIO40e
TaMP/zabTfwYAdG6c0Hri/GoqNEBmIAVkFs5dylrL3nuTFybFBAjGy0ikmfd
2mgnn7tyEj0vgbdgf3MK5jMmVVinm/UvVnjf7vb70RzJbatno+nVISL0ohPa
oONFApWSG9waJUV5bsG6bW8IjKz+KZ5qaneY2DuRtZ5NXTsUMjumOLUqP+Uy
EC6hX9TsttbVQLeF7aA0laxI96TfqBIbYBPcLJv4EEkrmhH6aZMgZdfF9SIO
XelAchQT8efcYyMM0bcnM8NlzcbvMgcN/RmlaRFkTTdHsvAx2KdMWHyle5Fy
sItz4K3d75cM2DqlAlAPd5xZEVOImeiQCE2aw5hpplZpzraXEuPb0iTdAOEE
VzIkBMQb67kHg0LB64wcRUVBy9OHxwKfocvhta0JZKazI7OgKv6tb94DPgz8
F/jt2b65Ly3wXYQ6MO11Em0aUYByHN4xa60ylUiiwezZrVKwp3ReyNSg2525
KKC4zCykYPVnicJ0BGq0y84R60ih6wlTCZm0xlNC9v4UeWecKoqw4L6i7MSE
i8iPl024m2LDeivJBqY8AxZVZoQ1FU5+rJ/SYTJh/AlGdONox/iw+3KTIsUs
UWoXlxv/zfC5C849Unq/2fXBuGFkkhlRkx8xUiQ8NuNRxoq9O2QzWhrPWQDf
e99kUz7f+8RZLrjvubf2gpbF0z7MsQtQ/76XIND2ZEHhAIQyYETNEYa/QCqD
wTugc842859y9CdOhtpUaiBf13hPrv8kQbRAvJzCj7UuKrBW5dimAhQ0kVqv
KZ6B9vMUNF0W20UW/4kW46f0qftVrc/3Axw+gemhwWxNUpC3D1nA1skwPtvf
rw349gu421iTk322zs13L9uvDfm2Z3AbmYL4OFzXd9pLExjxgG/9Fb6fRcve
07q4oLlf0FxB1u/XRnwbRhPf4I44dxf1i1/RIp7t05/T2pif40fs0swwdQGT
7bQxUYs2ASZZx3v3LU+zluoz0M2CeaR5rnqrdaiSWJ/pxATX4mFqN6H6TCzr
Flr3gGe/9hppz2PWHRPu+LG2vNJLVidNTCNdz+dA+DqH7EvyTH8lfE4rwkf+
9Xc/637b6n7NmoMxdjZZ/JHawuIr5KK5OWfxBoLmbspzswRXd9m0TnmpYOi5
ZKqXZEPOwTkm7lGEN8kJiNQgdPZ8AAcH8emtw4JvaeUyGZSmotPeJ6mMbBE1
L8pXSrBWLMyDkbxOvaY9Fte973/7+/E+s4jNWzCBN62X3uiyexYXGHohZvbv
mfP/CCzclRA7C5Z6AfPIjWTUyzuxO4hYzzKaMm8t67TNXcUJPOtlVSIFp0Lr
2yNKRP9q9iciaO6THIPdJcdwN8lx8IGSQ0scE/F+c5cIGVuaRli7j9wFdhQ8
+IozGBc28k7hizCodRgfnjOzqMrTueNlXSvlzpidc4pLkGpWJ7nnY2G9ARsa
Ymy5gY5wqzxTEgtCM2zqDvxmlWDmFPpT8+O/QiUvMcQM01hrs9zpxpC7b5dB
SnkJFGXNVLOsI7sWg8sXedHw3DqidB929+EJTDLQCdpR7DyLLmKcaRCvU1DM
qcjHjmEoMpVLHXRCuG3mYmn2n0NDBWSkTDHRSTHQOkiHPpe48IVO07bVMKlo
lDW2oGotsczPdLi9tSeIoIfBpH6Vk9at/lGRMMZZnY7Uhh3K6y4CMjYxGtzw
uD7eJLblAgp5lBaGScULtMwiBx+lameKa4TyhOCn9U0H0GldfAGqMNBbXeRE
VEK9XPxgGg1WMu0hn8DUgX02TI+Ndma1NvFyDdBIa7VCl3zcqzSLdX2iY1qa
hMMqFo2JeSjUmdVzVhWpGZz6zQYlur6MhHWFyyF5noltYxQM2LRMTc6YWVqw
1BALb7Tvd3N6HsZKbx/CoDeh+uTBA4wCHDKrIGaIQwnBsHhFyZbPOBX59iPO
unzHdG6cwDpR2XgfjG8aE5NvSFkIwzwl6WP7sWE6AJgBNO7bRE/M/HHJMYzR
8gWNAeX6esmumUIdSYjVw6S2YJyRcYXIdJqsM4VNBz36uWGLrEx3Ye2FiRSA
3CNZJ/PMLZP4Z+nIJEinsLHp7KYEze3pVADYeq020xnceEJNkLG2ZGIknISG
npWNKFBa9jQXMsydTLU8xWoB2499BVNNBJQ/6eR9UHoDZlkCtTVVs35P5tYr
J/eWM6lKCXqbjgpEAJ2FRuhhU76C90gTJXHDhJYwJyR3qK3YurJFM4oV/HQV
R0TDzlw3kj3RxY1u3XSd6Oyy8m75MaAZnntqsp01JuQJTjZRx6bliPLu3ukc
ynexnOtIsOQplmkW407f/90/6ikvRUPkSGbSKvlZxyhCjgoLxegUPm8WvNRP
Yj0Z0EAwD6h0RCuJW+IWUpylau3HjXP2JBmrTuydnWNBE+03poMHJnEjp1bE
C00+d5DL+87AOa8JJ3G2X87qfO9J/cs/EbS2ZkbC7zp8aA99Ai6O3tyZ9HCe
JHT1L4gn1C6S8G9bcqss9jjfWMPdWMHxXJzxmf2EkdUpKH09+saR2xxzpq1u
CW8cI5ZrDDPbqEvnLdvOpJoXUt4ulaCT3gPsJkQvKZfBhms/z9hBOix0fzER
Ezw26warB2htCAiEPVagcGHLko+ClDbYhZpmqN4GVLAOaL6IQ1a0fPaigH1O
6aiGy1MmMHcVJf0Q2zBofTEnUcqLIHrRQkELC87SQ0exj820JZalPC4EV4/x
HE4lKQmU6iSK0VayDan1sb7fCSg4vXTdeDnC2m7S93/7PwY5mTp5Vh8zUhta
l5EtP8Ul4N7pJTDXJE6JYG032+32AS9Yekmcpsy3DChSLvzkQB8sSp/BYnIl
CUa4Q//4N6KDQw2YpZI/K09TaYCak2K2LuAB5qnwNmgHk+7tQK08EBD4Igq9
AONF1SYvXmDKMIinE9NUxDI9UfAgVRiDdmuU5QR93wbWxWo808lBH6eAx1OS
7LIbluZDXmGloCn7owmqt1wLkjdEQJviGksgLzBI7N2IvccX+7oRXJo1Du2K
8pzRvbNDvIVU6Q7I6XWCWiBvdq/N+/z9b3+vLxzojXcyOPD4XSrZxKM5ORt0
IxmCSPzrPZIM+0VRAD+3ul8vxc9/zuVdX2fNmlYtOdmUORh6oZZ0nOU65a1C
nsZD7H0bAku52v+6K36BX/ADfP+6Wzu9YcShtFxyZjoCyNh2qeA+K52R+JJe
yeFWbMSF77Bd9pZ5b2Q3GAVfcHNJh4NRqGYZHR0L9oRaLcMkcgVJtvBBq+B1
wearcNYUrxeooWDbUIMnF6909NOo6eENyoyYUryyRDrzv0JdcNGsaTKypXJf
g/3d5+973a8HYwQMXe6O4W8YiX6NyUU/8rPSbbXu1z1MNIY/B3rLA6pkTeK3
wZJ1+w783mm3xZNHNrlkW8cKQzS3H7npwFtSSXJZ5HSg3p4erGN5+bi1GgHV
yR0ppzfgQHvOM/v1u4S87lXhisCS1Pviy+ArMGGOnx+Sx5gNGUozC/b3Welm
aQ13GHGN4+ozgZzGDlRSwjFtxHlkznl6mp5DWu2zxwELgnrDic+wstB7D4AV
dnRvc4S7wXdX/5IKOHYBkGIrKL9sf0XQ5Dt/1tkO9C87X22Be2FC5Q3IS3IM
bk2OxMTmM53kxS14epxRSqyJavEXEPz5nW1e3Oj/VIEcr28kS7GvCVFgM6uo
UO2DaFIop0hKe3xnLRHcb0uJarXfAANeKvEb8dmbZ8fPxR6R/z58Z3Uu/z7Z
+P7SccXDZRgNrsJwuP43ML83ne7oDcznDcznzRAe6OA/Wr4MtXxpwKzyq0Yv
/A1d3TYWzL04WP4YX+iO7IXx8I5x+sVxOsONcTr5wAiwwkCAS4XF9bofvjh3
LFqcO9h7LK4wTr84zs6LOz/59PnR5PjZ1tUdVK6uV7m60mAfurzyQO+9PuA8
HwFPlQ2gzZT7r33yYCux69zzhmt5bFLZAzw2Kv3kQSgS/v+Dd5tVBE4OXME/
xea9fhmFap6/OT15DtztOZNZVX4dp1UwzVFOMlIxSeuq2XZHzo+bU8fY2aF+
kx7d8djl6a+mjYZ2+dFbTeIpBZx0bpI1BPd2TemloXirhn29VdtmerRt6Oqs
X2fogTt0CUKMKJ3Rna+vFY0u44V0y8I5j0o7K98ZYX8n7jj8PFVZWhKMDORP
0G7ZKzlc6mJvg3zQzp7CDWxxL/cpFkj2tcnaRt2PBzV+BQ0aC1+8wxp/jY62
CTYcO/e6Kd7Dz6bTzYrVXwg8U06b14fYGsv5GigK9AmYijHW3WCEWmK7MNyr
EsDR3WuaARmXb94BiEBTZ1jVGZfZ6iTY6JnCpvIEi9nDNEHUvWw6AHsgXY+C
8XDg6Xwh7LtBJz0DJh4y4Oh9zpKsLlxYibFEty2FO7Cx44bvzG/gl1lv9Q4+
Heu7GY5c141rAB5rhO1+PeyT5iUvlU44NU4Y6mFEeeyUNArTqfH4PyfU29ly
hH8aGcYUv27sZT/r7+uE34rGIkjRTjMm4pk0yHjQHOdZ8tZIPiyUFYJ2Z6sQ
XedZlmckv0/7CezMO8fh3WTTpzx54rTmwLRiBJoq4BEaFR0gKts+bJwRoFup
bUuUpVYYOl6YJ++ZZOBigzlkt3mDuY2WVbYuqNRPJVC2Zt00tcA322Mq0a3B
zX1Mv7WNrjxcwG5jS5tFBcR98zKCLYWt9BZhyrqLXReQMCq88dzRah5T5QHv
GtfYOoW1jm8qsDXi6bY2GjjR0/Nn7Hv0pPFymGxmx3h29wbrgDCBnqNOK6B2
U0UYUSnsjFsL6nqzpDJw4DoSBXUEsY1B0Otid52TVE35EKscehkUfyl3yzEV
cvW8VN6TCTaOQhcgZe/YlLE6NsZK9bgP7WK1v5A3gjpt2PQmzAKPY0oX4lis
nhN5ianlE3usYYLNLYXLGo7waIa+JWydl2/j1ParnOkjr/4oiFIqwHa1KazI
RbfjNK9x4UVxiqzJg2NHE+IRkwqOlneucf35P7AlS7Ocf3VH2q+Fik3w1eWx
emsapgiCekbQ4h/q4F0hCWIjSzjlXljU0S3WrTg3Euut1U5hrY17C6hZleKH
KeXMbfWbde4DHaAsqNIE2w1k3MXsxPrjpXFh1N2kc2ocscrjP5xBtZllJLkp
2Qo74vn88kRpP49OhA4id+L3p/DTOlIrFmCHiKqdfpxU9bvk7l8ZhxFub/Fw
TfSk397qUymNW91ySN2DOK7e322YM7GNY9BzWXjUye7Wj7sZ4A/ht5R4JYB9
bRUiU3LikVCpiM3CTTe5ELZIl5/g68olomJfUVN3p30AB2WaePJwIetVu/ml
7+u5Ul9JnXXKWAPA/NWLc46acWa7sUdMqghqBVjw49lfNCpg/ymkMQ0GXeAF
W2cPkKJkHe1UkU69uA6wb7R7XRKncpZlGPqKJKSp3thoCGGCU3lqzkHeb8R6
EDElgVSCtxIvUSlkuRuTPkei2MbpxcXhi/NjfW3Y6eWINkk97mD7yDartbEp
x7ZlrdG0DMWQVLevu7yVtHqkUeonsgGcOTrZVfKBsPEK3U2s5p2zPivpZLDk
3jootEpCX6cokNDHdT8LLkkVpvgiSyWWKbkvlTkZ5+KsZIrJFldxkBvh13GD
L8PLGnFEHQxsZo9JEsun0TDTyNw0DG2M5E1ddQchbnxQvQijEujMXmpLM/Hw
iBHWlW/zL+RKfcVJbDaLOS8cIswCoMvUZqnd2S3Iek6sXekB9wOOqj3cJ1bd
uf3oBG0RcsKYrXJThkXeYIJSf7DlpmlR2+vqyCRghA5jYhIQpvjoO7BvADdg
Ig/61nyIuvHmluwRrN6t6nDo6K+WHbO0MG1es8WmZzkFEyrNTBVq7oZ+52St
mEyY+zrFuT2SHDoyLIYbHVCvr7wrn+3KuH2tU90yGXgmBm21y8DNA8nXT2Pm
yQomaxIDqDa/suIt0qRm5aH7VOExwPOm6DFoLDxxyEL7XNxqks9LPuQ13b5z
TnCqqHkSUCnQj3xFbXZcM211qT38SZT3yqEXmVzeIHV1fFqvSQKlxD6nC20x
0SFOVnHCCUMoE+ONwIymLpYhuhbkLkrjKaR3FeoSFAsNHMs5L5y4OkeMiXj7
yzHRet6UirVbM9qKzkYC7oAtrN0epjxMAMYPWBdgCpadMP/2M/V2bn62mQtS
dkc6HKF+vzuykDOn/QbuQ0XpijqwaRG20d+a1Qb2HtzL2fcs+RZbaWqfDSuK
+0VWUuGuIqDmDOaKIwmOa7TAcn7WcX1Yj0l4s+Xn84FRBv0rzOi0kOBbuSaT
+qf7PTK1I0+yzA2VcDwvmD9Z7dvaq0ZdMmdTk8Z0cYJtxzLrYSw1qJSOp8t2
x01Ffpgx7LGnVmTe0CTJenLb+aJKiKkdiOJuQlbBFN5scK5RnVrglqWidVDj
inKH7cT6R6XLL0Psv4bQtFobvY0UpkP8B5v2mN6aQWr63JNXN6UMwqJPcq+z
T+wq753Bxw7Qgib+VQFptsqmL2nbvqrtde8YrUIOVYkR/KnyHeZ8B3hN7/1e
k7OUHdH+Sz6NHN7U3ycdg10gCCy3lQbmJi7I4yaz6rXcKdJre4PC6P07Rv9A
As4L/w43fGC3H+GVd6Y+ZMNBRr4okieW+xnjABs7oafIHqfwb14iPi4Gvuom
KaoAEgzwYL8qx97JkyTP1VwmPivznDFn4oMbmX+w1jXaGdXpkIZLOUmU6EMp
JBmZ0K0+9gC2/F9/Z/TMf/0doUieZXqso1mdoe0LHmcyLCWyg3SW6ZoblVoQ
mVYhJ5E++iLNqkHjYEtZaG5Fm5Kxzu0tWacvQmBL7mhVMLKclaWD5oORA7Cm
YAJH2WI5ozbxn6k15atRLgtev4GVY2dP236b3KXWeWSp/z4Ed1GBNpqQFhMY
gXmFyud+VcWqUI/axAKrz5yrZQ3MQLmQ6sT+JDRIw5vcdeJAdm+9QmwOY0Be
NJdAq+D8aNAn0EFWCfWmeBpfY/+IujhL1PoPf5+fw+Kkoxa9a0Yc75YD+6+/
K/A2w9OmJt8yyDMR864vmJUO6P+JCWo7p4Ls8Fo37RbP33W0ujz1tolpYdgI
5a70Ldox0ygcMbpELYgpTj4vHbTgmtBV6aX1ih4xPpeIs2dH+sicMlch4/Ma
0bOar0Dk5RUJn5d65/1583tGKNLbI8WyyTQqMfPRvAuVLdpvPlQrK3iYdA4o
NV7PfYGHEk/BabxW86WMaADy8GigcJsaPNyHDjxEC/gI2O0UNEmiWVMGDmY/
jBLRoQF5UdrtLR7pqZtav5egk1zEUmBYfoCF6mgsBdElg2GLNdwURyQWqQA5
MsFAPmZ749SUuqMZI/YUuWKeeo352lfSuyFHo2lGTsEjOvcpKJhb0g250nxO
MuutJhWpfC6SPgwJlqhw5TPY6ClKJT1/pwBfH0GlyRCka9n2emk8LHXLpSgF
RU+wXpgdq/Obm0PTlZQ9juEyPDAEG95g2SHnYaIynapQL15GzPkBTMSWrY7P
LrDXSl5iMXtKDaJ0jkqdPUHs1iGWSg4vwTJBe2nyiCMBTNd/IsOPM+t5ua/b
EubdA9LHDX3SLJ4XQboSsa6nOAO+ZUuZYq5lcVOkvFKcTr3mxmM28ZpvCOjs
Fjxyk19SmNS9LzT+24r2Zkd5ownT8onI/9TAkyvVRTylyltBeDXj+nnLjWEA
NGkped0tAMqPhyiWpEh/yXUgWLLm7E8idTyWsoGXmq4qGnYwh8q7+HsLZUpQ
EuV0Ggd4cmkr6T4FzXDb7uqn83Z8TtgLIZc3BOHCf8SEysGMWxUxa8pYo3OU
OcxzZsM8plGHtsdnOu6/Wbib+104XM4+hFzBLkVAxToDuH7nlHbYki8dVubi
oYooTn2z1+CsqpYYm+NbTh1SnDMvwN0ICzmDFRtbGZqNI4VnxFNVBFA/ztqc
hLQxVpoHi3X/O31yEoUp7wKcY+Bo/ciKl4L7BoNoisbTp0glKk4whEEpEClX
wlBBuiMINlqA6f1ko0RHltLKMJ9TQ26cJ1iC0mv3tCJL34f9gzFlfJjX8FGm
m2NNTZMU/DlPc+R+tgmlBgRYGU61R0idhEV5jQYQb6SHCmZ5dMaNzRKawp5t
dKSuMxiN2o5Bdgp2YtCTVBSKL5I4u4IhrFObfUyxybRJ6bhx5ikRyI9GPGvg
IRq4wXk4jw+JN2nsh3lXBKLaw4WE/7rthnWgELszxt5HeP877PCOXKYDUNYx
sM1S1NwRXq8Y0znwpF58gXOYUiFDcOcUhZOIGUdh/uQa2uazd1D7+7/+/cda
1hEdSydqTamj4ZW6s6jyX/6p6WSr6FS+3AlTdZStlTF4AIekThDsZ1yS4oC3
OOlC28+WsblYhfMSiod93uWRxIMDkICAu2KmoPY6GlfkpqtRRzMLDlG3TMBJ
+89rAR5XQF9XxXFTDLM91bdyVVrhzt+I47ucrJgYXszjp3+sPdVx078rr15V
XXVHpSqDbuH58bBiUOfiVcVFGBKNCMJYXW7gOrM67Txzftv1smvS+ZWnXDm0
k0vfwWFcy/PPomm6+hjG1R/++vf8ocV/Nh0xnD5PrMGkzh8W2q44yvkyzqVr
BY8o8oUP4wU7nQ6DsNjo7pzrlPf0T7zLZaSDy6ZDCNsblhd8zJr7Rtm35QVY
Mly3GbFmCDzXxD2Kk5KUsfdps7LGgJl096di0pvnchUat8gKJYuPEiKuFyc3
2xos5OFjmwpHwbn7dgc3VYdGtVNlowSEyx72OBJhf9WIv990GYeWIYbijW9D
m/Y5QOlVd0JyGyBNg1l9zpTOdLLnK4Fu0v3+t7/v2x6vzpkuOGIF+dwbVUP4
BJE+6OOK8bGsFQUmWx47nFRoBybl0dlgjs84TVmdAHdVQCont3FHZ0447uh6
xaRymWn6+2ixyAfX3rv0eYJnWn+7ln5im8jSZK7qZq9zoVv0RTABbmz5nVth
QvTEjS7VKnOM7KZ4Ta/NnXY2Epby0dvagnAY4fsf5VsYQb3Fw5zT8o44J/n+
exbkf2w57jzaqRqvUzVep1puu0sb3ie1izK6c1CS0d0fTUYjirqJP/YICbYJ
uRImBYwb9IaGpf2pyMveprws+0tLERd7bld+QR/tlV+o5g1FIRtSWJv1eMyr
cw8MrG+PI5l4UWmed0Zj/l+FGjmAcEckB23xOydO/VwKIcI0WIJdzP60ypCN
dvH9aMGX1I38FOqlTTKRqX0mk/veuB4S/uHTCfzXbb9xOAqGW2wR7MBlO4hw
bwZPTOnrnfdu1snam3NFqBgs1CW2heLhioeKIVmH1fSqWc0mym6PlDIrKtNd
iczuYFIOfTZxeh8cDs65hye8B5xbQKYxMT983aMklj59u/0ojvBsTawNY8y3
Bfn6fENzlGtFhMhqF4XCiOK51kv7YvTG2/eS05viV5hDbPgkd1VDp5oO4Vyq
jV5qr3XfeXupvqWax6kKAjIKVgEfkxqiZlWgNYqT2RImpIrNMYjvkSfBjrQZ
c88zfN5jNrYmbmM6xlON6wTlDLPhCnpHpK43lCdJR5naucFW6vlo3i5m8EhV
RVu+RrolH4NBVZqaRwnpXGtlZ3Fj51CG0mt7LgXjcaWmn2uo3HO0QvujncZh
fCoUCWyTmlQVbQabopB30MPZMh/znBwgd6L2OIONl+XJAIW4aqqDLYCrCSYs
FrOgNm14OgeFnab6dYQ82i1Oh7rbVPBtp01TAMQB7FalemOdGiicq4n+l6TU
LA5LR08mzycbZaO1Gl3UXc1UanpY05lxDBzbcCCSmDKcJ3KTK5NPAYvD9TLi
ZiC2bQEmd3NkaqNzQfpAH7aZ6F5IOmCiL4FZtF7BM9uOwGBtIDezj9DM3sNX
7Isz28LggTmjuHhqpTnDTSeQAFgajYbA4KpuEmTTDV4CMMTniqIMm318+MeP
OmLP8GTQjfZrtf9a/b+aMP/7DEysW9Fui3ZHtLui3RPtvgCR2h6K9oFoj0R7
LNpStKei7Ym2L9pKtGfiXT7Acxqg1xa9DhYB9Hqi1xe9gQANtncgeiPRG4ue
FL2p+9BTeqjbFZ4S467wQWmZikFbHByI/lTIKb6pMxJdeNQXQ9hyJQ6ctz59
0+Vp90SnJ4Y9rHY56NPBLFKMhqKPjmcxm4pRG+cxPRASPnjuDE5pgPFUdHzR
HwOdiH5XTNu4VuXhh6knFAzgC78tFIhk+HUMA2wDKOzHR+IQtEHYBAnynSlD
+Z88mMkwVSgN792LCc3JmeTZ5oVndrfe5z8cwGl8/SHL1u9/nwHyadOxErc7
Am/6g4DXb4t+B6fU74l+/wfAsjvaEZaAl7Meoq/sC3+An4Fo5EAcwEyAQ8/o
YhdJQI3ErAKWuwzwgbD0/riIOGyLYUcMu0hxwz6YqWI4FMMDMRyJ4VgMpRhO
ywAe/lBknY0E2DadAzEC4ABbkGLcFv5YjDpiNEO4HUxxq2EGIyD+aRnAuwxQ
AjCsb9YWgymyng6I8S6iFmziQQe0ezGAK/6Om+D/MRG6PxB94G8H2CcIyK8v
kV/2PeR4gCz92Ydt2tATQ+Kzw1n+OP8PsBCWfNAVBz1ksQeAl0Nk0wcjcTAW
BxKBd+CJA18cqPLmz7ZQ0WhnTtXDhYM51emjDBr1ceFdD7kTXPEOED7wYjUW
HnCfYQWn2mGAD9r8QQ83YADcrlOCmS+8NiKWRzgnQfyMRRdwboobicfnznA3
QFp22jsikfrpkOhHwKASXoy24MXBrlwXEAvUBRDs4wPR6eC6QGkALAAlZCCF
f4AyCFQOkEqdIRJ6FVO4d4AfAS/u3O0Kha77gQodaE7dHipEgPCqg9vjD3HW
gy4yP5jgrIP/TWnNhaVqhW4sET5KEYGNUItC1tnFRwFvZ0MxLmAK41lnhioZ
wA9WCnojKH8AFrg4AHWijwQxw+IkMRsgCvamm/ABXa7tl/FP+sjYgFpBjCL2
thH/gH4B7bw+ap6wi6h5wrbAPnQ3R4W5gqI57ohxYWytgvqItyCCOx7CRpKm
CAPDq0CRmfoIReB5QCuwMMDakgoKbwXAAIrCumCxAO4uqaBAJYAVINJhrmqA
1ANKNai6ZRVU4e6MAcTAxtr4GQQU4KI3EuMxLg1UqQEtEJB5NijTktzCS8e7
8ljYC1jcdIbaG6xi1EWVfdpDEgfkAPL1YOmgoQyQXQ1nZVoqD1CinOkIIQKa
TIfsChgOiA5ESreDaxqS5nhAaAE3THubewgGAuzelKyR9yWhnthz/MU/mk1U
QuY2LhEoBrAacLdDKwMlBMyazhj3uDNFpAM1GjhJ549lUsE10GzGM8QauBG4
VVchWYxoZwAdUUPv4D1wZ2daxmc5Q2oY9HH5MGEpEepACkA/IEThOb+Duzcg
gasGZXwGxMGpdlAEAvoAvoB8ARACWcBCRgrNBIAK4DYg/HC0m/zr/cmbVO+/
7A0i2mWADzMDev/WTCrQM6QnPIkKCahNgM0AnHFba07AjYCMkCI7pIVUCPdd
BvhAWP5/YVKBRoBpGjMUXYMZ8hJQU1UP9UEQeYB6QNuoy5GCOm6XAbzLACUA
g/AHtRMkLnAzELSgRoFchneAcAd9C/hR92DHTfgPk+oHmFSA/qipkhAGykAJ
fICKoARLZSRkF3kNyCN07vhIZqXN32WAD9p8UJ7QUAcNu6Q691hhIDN+AEg2
wMmBDghaLSiXAHjUj4Y0ix3t8t5/mFQbauAYsQ5UFUBFmArsZo80T5ifp0jJ
BWEEyjtIogPcgLIauMMAPwJevK8+2P9AffA9TarNmYIEkkN0AfQ8MTpAzREU
AVAHun2kJvR3e4TBB3hnp2Ao/LuyyOCVaEJPkamMJN6FeqxPU+yQWUVeaVCB
BwPckLJF1kUaAq4qeyiYQOBLbOWDmi2wp9kUNVgUUl2c9LhCgwXdFqm4jyx1
OhSej1dga2BUQEbYLIDlqIM0DiMd9Muk+IMtMgAiAA70F9hzWL03RFEB8weB
O/bwM+w5fAZMAouq71ew6J0HKFtqAwQvWApg6sx6GklH5EL1OuiORiOwjzKq
h1iwubfo+5/h3pEGsJ0yucIiM4VaFBnrPTk7c4JyXMWUp11hdo3bSegaz8BN
gnnAdQg+plfGK862OX55cSIuJk+O605AD8OF4lR6gyfu2QHSBBq5cRpOosl3
6ZvSPEJvWoVh0yJTkiJLx43lPaZspRPlY/SeiNvbVyeTrs53/eIVJiwen0x6
lBtDy8fSWDqJRSY+nnJoV2s6UxKkdHoHNj05nPRNixpMO6ErA5OaDG/Ir+q8
ZHrNywuwNprdPp5bQh9GpsfsZpssLg3D4CvFNmF6+Mo6/qtzSHBozEbltpVY
t9V0UgDSvHOZPXTQRD/rGObl0k1Po0OoTJRU2SQWTrLC19ryP72w/KchJ3vl
OVk4P11bpysj4e2YoqRbBztFfXh0YeD2WuPcG0/qhpcwlAuRlI/YxYSnBp0s
ospJ1jjPPHXGFPZR5p+paSpWMFK82z20GdP/7PD6SGCczQ3nQptca0rR4kIT
zAB3x+QUDS7MczsC562DCRVs3rl7FHbTohjtEPfOJDIr5i/jXY3PA6yl5k+I
eZhKu9KNbzgkHwWwGGrAY04CwjOXTvexkgj3Jz+JjFsc+5oWu9woJxYdFtiY
AJSftWWKeEwWvJM+RscK6hO8Te6Yk0nOndnKhaBu/0y9pMnbyJaIUwYIp2jZ
zk5bkduegGabjNtMJq/YKBuRpdCByp6OaNlY1c5mJdTUjejsDJwDsmgzaL+l
H6/0odR5vaudmk7vopa4XhJMYWGItEFE+RqHfJLWs3gOyjOgSnylTqLzx4ef
PADkUg9EhT59qHtW04Y2OmPcuEa3Tac2XOjaTp+pMfCcI4zcoyvx0ft6cG0e
UIpHNPDh8Vgf6oUy0d0TqU1riK2MsS+v/82aU0w2uoBR639fV5QiV17obgOU
tLjk7gTmTPBS+zlMGc2b20+xyxaAGnaJSosJICXIjAgynTFBhnYqlwO6MTog
6RqEysonmNFzgMeG71KeFFEBLTmKr4XHx9fNUERW8PxNrMKMLCyrgCW8Pjli
xHwWSEpLvEDqZd5gQSOZ/ZiXapxZmUppWoQrLYhP42kdiqYmTZeCQuNpTum7
s9c01QvCCwqHjtlb9AGkd8/NbXP+52mxM7kmBaACGJiWe1GodcBDo5GDFpB0
r/IMBDr/YJ9FmhcqEKaYVZvpJtS01vzAAVyLPfHAZnPj+8+VbVJa6GqMB0pj
h28mb07famwczbzW9dB580M+C5we1rDSu1loWxYLfdJy5cnOuhNAXsStX5Uj
h3OaYPGcwPywviIfzB/d1v7dD1JvnaYaKDvhIEBiEXFTfE1ubndaauB6cQaa
frvRGx2JPcur3b0FbTF4q/yGTi4tNtvTXfaaLr+xGfemU+vDHZp0hRXNxqiO
nZD6Y53jaHu/bhQCuEXkd3QDJGTOK2GF2mRL7qk1NEgcxvMbwt1ovRJ7sOlv
NBwavxCgwWFVbGaOvG78wj0Bm07oFhPPNDEi7lHtdXmpG01gAT1Kv0sQv7fn
AUwq8cUjmUTYiJFKb29fLuIlLBLbL6upXC/N9TMJL70Ux5e+XITm4oUXZ5l4
HK4XCdbu8sVzwCHxFI99Vzfm2jFKn2ew58k8UZG5+mu1WPtS2J7ffPUz+d16
EVzG4jTAHOYsXdvX4eEqSSDOpLyKUf3Lh7qA/RDn6xhnL523XoLMxpPLkks9
QS4pvj2V8wiY/WvMgExCwIB3urqYCwmo0wmKHt2uTx/zoPuygPoWL23PKD4Z
TTdCwQL9t1nhsPE4ukJ9FyUAJUyeNI6aQZLNGt4smTckpkHCv9JHPej/Ava7
FveH8AAA

-->

</rfc>
