<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sullivan-cfrg-raae-02" category="info" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="raAE">Random-Access Authenticated Encryption</title>
    <seriesInfo name="Internet-Draft" value="draft-sullivan-cfrg-raae-02"/>
    <author initials="N." surname="Sullivan" fullname="Nick Sullivan">
      <organization>Cryptography Consulting LLC</organization>
      <address>
        <email>nicholas.sullivan+ietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="13"/>
    <area>IRTF</area>
    <workgroup>Crypto Forum</workgroup>
    <abstract>
      <?line 157?>

<t>This document defines random-access authenticated encryption (raAE), a
primitive that partitions a message into an indexed sequence of segments
that can be encrypted and decrypted independently and in any order.  It
also specifies SEAL (Segmented Encryption and Authentication Layer), a
parameterized construction that defines a family of concrete raAE
instantiations, one for each valid choice of an Authenticated Encryption
with Associated Data (AEAD) algorithm, a key derivation function (KDF),
and associated parameters.</t>
      <t>SEAL provides two profiles, immutable (write-once) and mutable (in-place
ciphertext rewrite), each with per-segment authentication.  A separately
configured snapshot authenticator can additionally authenticate the
complete, indexed segment set.</t>
      <t>The document also defines the security notions of raAE, specifies the
requirements for conforming constructions, analyzes SEAL against those
requirements, and provides example cipher suites and test vectors.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Crypto Forum Research Group mailing list (cfrg@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/grittygrease/draft-sullivan-cfrg-raae"/>.</t>
    </note>
  </front>
  <middle>
    <?line 177?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Large encrypted content is often stored as a sequence of fixed-size
segments, so that an application can read or modify any part of it
without processing the whole.  Encrypted backups, encrypted file
formats, object stores with partial updates, and full-disk encryption
over fixed-size blocks all work this way.  Such a system needs to
encrypt, decrypt, or re-encrypt any individual segment on its own and in
arbitrary order, and to verify that the stored object as a whole is
authentic and complete, without re-encrypting the segments that did not
change.</t>
      <t>This document specifies the raAE primitive (<xref target="raae"/>), whose base
interface and security notions come from Fábrega et al. (<xref target="FLRR25"/>),
and defines SEAL (Segmented Encryption and Authentication Layer), a
parameterized construction of raAE.  The base algorithms encrypt and
decrypt segments in arbitrary order, so a caller can read or replace any
segment on its own.  On top of that base, the extended raAE interface
adds in-place rewrite and a snapshot, a stored value that authenticates
the segment set as the writer last recorded it.  A rewrite re-encrypts
only the changed segment and updates the snapshot, leaving every other
segment untouched.  Appending to the end, or truncating from the end,
composes the same per-segment operations, so the snapshot stays
consistent without a separate algorithm.</t>
      <t>SEAL builds the primitive from a chosen AEAD algorithm, a key derivation
function (KDF), and configuration parameters.  Under a snapshot
authenticator, it binds every segment and the count into a public
snapshot value that an adversary cannot forge without the
content-derived key.</t>
      <figure anchor="fig-overview">
        <name>The raAE primitive and the SEAL construction</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="520" viewBox="0 0 520 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,128 L 8,272" fill="none" stroke="black"/>
              <path d="M 8,320 L 8,368" fill="none" stroke="black"/>
              <path d="M 40,208 L 40,256" fill="none" stroke="black"/>
              <path d="M 128,32 L 128,80" fill="none" stroke="black"/>
              <path d="M 224,208 L 224,256" fill="none" stroke="black"/>
              <path d="M 240,88 L 240,120" fill="none" stroke="black"/>
              <path d="M 240,280 L 240,368" fill="none" stroke="black"/>
              <path d="M 264,208 L 264,256" fill="none" stroke="black"/>
              <path d="M 296,320 L 296,368" fill="none" stroke="black"/>
              <path d="M 376,32 L 376,80" fill="none" stroke="black"/>
              <path d="M 448,208 L 448,256" fill="none" stroke="black"/>
              <path d="M 496,320 L 496,368" fill="none" stroke="black"/>
              <path d="M 512,128 L 512,272" fill="none" stroke="black"/>
              <path d="M 128,32 L 376,32" fill="none" stroke="black"/>
              <path d="M 128,80 L 376,80" fill="none" stroke="black"/>
              <path d="M 8,128 L 512,128" fill="none" stroke="black"/>
              <path d="M 40,208 L 224,208" fill="none" stroke="black"/>
              <path d="M 264,208 L 448,208" fill="none" stroke="black"/>
              <path d="M 40,256 L 224,256" fill="none" stroke="black"/>
              <path d="M 264,256 L 448,256" fill="none" stroke="black"/>
              <path d="M 8,272 L 512,272" fill="none" stroke="black"/>
              <path d="M 8,320 L 240,320" fill="none" stroke="black"/>
              <path d="M 296,320 L 496,320" fill="none" stroke="black"/>
              <path d="M 8,368 L 240,368" fill="none" stroke="black"/>
              <path d="M 296,368 L 496,368" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="248,312 236,306.4 236,317.6" fill="black" transform="rotate(90,240,312)"/>
              <polygon class="arrowhead" points="248,120 236,114.4 236,125.6" fill="black" transform="rotate(90,240,120)"/>
              <g class="text">
                <text x="212" y="52">raAE</text>
                <text x="272" y="52">primitive</text>
                <text x="212" y="68">abstract</text>
                <text x="288" y="68">interface</text>
                <text x="204" y="148">SEAL</text>
                <text x="276" y="148">construction</text>
                <text x="88" y="164">parameterized</text>
                <text x="156" y="164">by</text>
                <text x="176" y="164">a</text>
                <text x="212" y="164">cipher</text>
                <text x="264" y="164">suite</text>
                <text x="312" y="164">(AEAD</text>
                <text x="344" y="164">+</text>
                <text x="376" y="164">KDF),</text>
                <text x="408" y="164">a</text>
                <text x="448" y="164">maximum</text>
                <text x="64" y="180">segment</text>
                <text x="120" y="180">size,</text>
                <text x="160" y="180">and</text>
                <text x="188" y="180">an</text>
                <text x="224" y="180">epoch</text>
                <text x="276" y="180">length</text>
                <text x="104" y="228">mutability:</text>
                <text x="320" y="228">snapshot:</text>
                <text x="96" y="244">immutable</text>
                <text x="144" y="244">|</text>
                <text x="184" y="244">mutable</text>
                <text x="300" y="244">none</text>
                <text x="328" y="244">|</text>
                <text x="368" y="244">present</text>
                <text x="300" y="308">provides</text>
                <text x="72" y="340">per-segment</text>
                <text x="172" y="340">authenticity</text>
                <text x="356" y="340">snapshot</text>
                <text x="432" y="340">integrity</text>
                <text x="88" y="356">(always</text>
                <text x="156" y="356">present)</text>
                <text x="360" y="356">(when</text>
                <text x="420" y="356">present)</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
                  .------------------------------.
                  |        raAE primitive        |
                  |      abstract interface      |
                  '------------------------------'
                                |
                                v
   .--------------------------------------------------------------.
   |                      SEAL construction                       |
   |   parameterized by a cipher suite (AEAD + KDF), a maximum    |
   |   segment size, and an epoch length                          |
   |                                                              |
   |   .----------------------.    .----------------------.       |
   |   |  mutability:         |    |  snapshot:           |       |
   |   |  immutable | mutable |    |  none | present      |       |
   |   '----------------------'    '----------------------'       |
   '--------------------------------------------------------------'
                                |
                                v   provides
   .----------------------------.      .------------------------.
   |  per-segment authenticity  |      |   snapshot integrity   |
   |      (always present)      |      |     (when present)     |
   '----------------------------'      '------------------------'
]]></artwork>
        </artset>
      </figure>
      <t>raAE separates the two authentication scopes that applications often
conflate:</t>
      <dl>
        <dt>Per-segment authenticity:</dt>
        <dd>
          <t>One AEAD tag verifies under the segment index, a finality bit
marking the last segment, and any caller-supplied associated data.
It does not establish that the segment belongs to the current
snapshot.</t>
        </dd>
        <dt>Snapshot integrity:</dt>
        <dd>
          <t>When a snapshot authenticator is configured, snapshot verification
checks that the present segment set and the count are exactly what
the writer last recorded, under a content-derived key.  It does
not establish freshness against whole-object rollback, which a
consuming protocol must supply.</t>
        </dd>
      </dl>
      <t>raAE and SEAL are deliberately distinct layers.  A
consuming protocol supplies serialization, storage transactions, key
management, and rollback protection, which are out of scope here.</t>
      <t>The remainder of this document presents raAE first and SEAL second.
<xref target="related-work"/> situates raAE against prior segmented
authenticated-encryption (AE) constructions.
<xref target="conventions"/> fixes terminology and notation.  <xref target="raae"/> specifies the
raAE primitive and its extended snapshot operations.  <xref target="framework"/>
defines SEAL.  <xref target="security-properties"/> states the target security
properties an raAE construction must meet, the assumptions SEAL's
components must satisfy, and the operational limits on its use, and
defines the security notions.  Cipher suites, serialization layouts,
and named instantiations are in <xref target="concrete"/>, <xref target="file-layouts"/>, and
<xref target="named-instantiations"/>, and the appendices provide the test vectors.</t>
      <section anchor="related-work">
        <name>Related Work</name>
        <t>CHAIN (<xref target="HRRV15"/>) is a segmented authenticated-encryption construction
that chains state from one segment to the next.  It is sequential by
construction and supports neither independent random-access reads nor
in-place segment rewrites.</t>
        <t>STREAM (<xref target="HRRV15"/>) turns a nonce-based AEAD into a segmented
construction using induced nonces that encode a message nonce, the
segment index, and a final-segment bit.  STREAM supports random-access
decryption and encryption of individual segments, but defines neither
authenticated snapshots nor authenticated rewrites.  SEAL's derived
nonce mode (<xref target="derived-nonces"/>) follows STREAM's counter-plus-final-bit
structure and adds those operations.</t>
        <t>Tink Streaming AEAD (<xref target="Tink"/>) and OpenPGP v2 Symmetrically Encrypted
and Integrity Protected Data (SEIPD) packets (<xref target="RFC9580"/>) are
deployed STREAM-family formats.  Both derive a message key and nonce
prefix from a key and a salt, encrypt each chunk under an AEAD nonce
carrying the chunk index, and detect truncation with a final tag over
the empty string.  Tink derives an AES-GCM key with the HMAC-based Key
Derivation Function (HKDF) (<xref target="RFC5869"/>), while v2 SEIPD selects its
cipher and AEAD from packet identifiers.  Each chunk is
independently authenticated and can be verified locally at its boundary.
Neither format defines an in-place rewrite operation or a snapshot
authenticator over an updatable set of segment tags.</t>
        <t>SEAL defines two types of snapshot authenticator.  The first is a keyed
multiset hash over the segment tags, the MSet-XOR-Hash of Clarke,
Devadas, van Dijk, Gassend, and Suh (<xref target="MSetHash"/>), published behind a
deterministic mask this document adds (<xref target="masked-multiset-hash"/>).  Each
segment contributes a keyed KDF evaluation of its index and AEAD tag,
the contributions XOR into an accumulator that any rewrite updates in
O(1), and a domain-separated snapshot tag binds the segment count and
the accumulator.  The second is a per-object keyed transcript over
per-segment ciphertext digests (<xref target="digest-transcript"/>,
<xref target="epoch-digest-tree"/>), recomputed on any rewrite, whose content binding
holds even against holders of the CEK, so a consuming protocol that
authenticates the one snapshot value obtains per-segment origin
authentication.</t>
        <t>Fábrega et al. (<xref target="FLRR25"/>) formalized random-access AEAD security over
a raAE primitive syntax in which segment encryption and decryption may
be invoked in arbitrary order, and gave a construction, FLOE (Fast
Lightweight Online Encryption), proved to meet it.  FLOE realizes the
base interface:  segments are written once, and there is no snapshot.
SEAL realizes that primitive with the extension of this document, and
<xref target="raae-security"/> defines the security notions used in its analysis.</t>
        <t>Each precedent covers part of the random-access AE design space.  raAE
is the abstract interface that generalizes the family with three
capabilities none of them combines: arbitrary-order encryption, in-place
authenticated rewrite, and an O(1) updatable snapshot over the whole
segment set.  SEAL realizes all three in one construction.</t>
      </section>
    </section>
    <section anchor="conventions">
      <name>Conventions and Terminology</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>A message segment is a unit of plaintext that is individually encrypted
and authenticated.  Segments need not be uniform in length.  A
construction <bcp14>MAY</bcp14> set a maximum segment size, and any segment <bcp14>MAY</bcp14> be
shorter than that maximum.</t>
      <t>A message is the content that one CEK and salt pair protects, the unit
the primitive encrypts.  An object is that message in stored form: the
ciphertext segments, their metadata, and any snapshot that a storage
layer holds.  Each object carries one message, whose content may change
through rewrite and length-changing operations.</t>
      <t>A ciphertext core is the AEAD encryption output corresponding to one
message segment, excluding file-level headers and external segment
metadata.  An AEAD-specific split divides this output into ct_i, the
encrypted segment body, and tag_i, the authentication tag.</t>
      <t>A ciphertext segment is the stored representation of one encrypted
message segment.  Depending on nonce_mode, it contains the ciphertext
core and <bcp14>MAY</bcp14> also contain a stored nonce or other per-segment metadata.</t>
      <t>Segment metadata is per-segment information needed to decrypt or verify
a ciphertext segment, such as a stored nonce, tag, finality status, or
profile-defined values.</t>
      <t>This document writes AEAD.Encrypt and AEAD.Decrypt for the authenticated
encryption and decryption operations defined in <xref target="RFC5116"/>.</t>
      <t>A subscript denotes a per-segment value: X_i is the value X for the
segment at index i, as in A_i, P_i, ct_i, and tag_i.  A value written
f(i), as in segment_key(i) or nonce(i), is computed from the index by
the named derivation.  X[a:b] is the octet range of X from offset
a inclusive to offset b exclusive.</t>
      <t>The remaining terms (ikm, label, info, L, salt, CEK, protocol_id,
nonce_mode, epoch, epoch_key, payload_key, segment_key, snap_key, and
the commitment) are defined in <xref target="framework"/> where they first appear.</t>
      <section anchor="taxonomy">
        <name>Taxonomy</name>
        <t>This document uses the following terms to keep the raAE primitive, the
SEAL construction, profiles, and consuming protocols distinct.</t>
        <dl>
          <dt>raAE primitive:</dt>
          <dd>
            <t>The abstract random-access AE interface and security target.</t>
          </dd>
          <dt>Extended raAE interface:</dt>
          <dd>
            <t>The base interface plus snapshot maintenance and verification.</t>
          </dd>
          <dt>SEAL construction:</dt>
          <dd>
            <t>The concrete construction specified in <xref target="framework"/>.</t>
          </dd>
          <dt>Cipher suite:</dt>
          <dd>
            <t>The AEAD and KDF algorithms and their sizes.</t>
          </dd>
          <dt>Profile:</dt>
          <dd>
            <t>A named set of fixed parameter choices, identified by a
protocol_id, needed for interoperability (<xref target="profiles"/>).</t>
          </dd>
          <dt>Parameter set:</dt>
          <dd>
            <t>The per-object values that affect derivation and verification.</t>
          </dd>
          <dt>Consuming protocol:</dt>
          <dd>
            <t>The protocol or format that stores objects and manages keys.</t>
          </dd>
          <dt>Serialization:</dt>
          <dd>
            <t>The consuming protocol's wire or storage encoding.</t>
          </dd>
          <dt>Segment:</dt>
          <dd>
            <t>A zero-based independently encrypted plaintext unit.</t>
          </dd>
          <dt>Epoch:</dt>
          <dd>
            <t>A group of 2^epoch_length segment indices sharing one epoch key.</t>
          </dd>
          <dt>Snapshot value:</dt>
          <dd>
            <t>The public value that, when a snapshot authenticator is configured,
authenticates one segment set.</t>
          </dd>
          <dt>Per-segment authenticity:</dt>
          <dd>
            <t>AEAD verification for one segment only.</t>
          </dd>
          <dt>Snapshot integrity:</dt>
          <dd>
            <t>Verification of the complete segment set and snapshot.</t>
          </dd>
          <dt>External freshness:</dt>
          <dd>
            <t>Rollback protection supplied outside raAE.</t>
          </dd>
        </dl>
      </section>
      <section anchor="notation">
        <name>Notation</name>
        <t>This document uses the following notation.</t>
        <dl>
          <dt>I2OSP(n, w):</dt>
          <dd>
            <t>The w-octet big-endian encoding of the non-negative integer n, as
defined in <xref target="RFC8017"/>.</t>
          </dd>
          <dt>uint8(n), uint16(n), uint32(n), uint64(n):</dt>
          <dd>
            <t>Shorthand for I2OSP(n, 1), I2OSP(n, 2), I2OSP(n, 4), and I2OSP(n, 8)
respectively.</t>
          </dd>
          <dt>||:</dt>
          <dd>
            <t>Octet string concatenation.</t>
          </dd>
          <dt>XOR:</dt>
          <dd>
            <t>Bitwise exclusive-or of two octet strings of equal length.</t>
          </dd>
          <dt>x[a:b]:</dt>
          <dd>
            <t>Octets a through b-1 inclusive of x (zero-based, half-open
interval).</t>
          </dd>
          <dt>[x, y, ...]:</dt>
          <dd>
            <t>An ordered list of octet strings.  A single-element list is written
[x].  The brackets denote a list, not an optional parameter.</t>
          </dd>
          <dt>frame, encode:</dt>
          <dd>
            <t>The length-prefixed injective encoding used by SEAL, defined in
<xref target="concrete-framing"/>.  frame is total over all field
lengths.  The construction requires an injective framing
(<xref target="framing"/>) but does not mandate this encoding.  Another profile
<bcp14>MAY</bcp14> use any injective encoding that meets <xref target="framing"/>.</t>
          </dd>
          <dt>Nk:</dt>
          <dd>
            <t>Key size in octets for the chosen AEAD algorithm.</t>
          </dd>
          <dt>Nn:</dt>
          <dd>
            <t>Nonce size in octets for the chosen AEAD algorithm.</t>
          </dd>
          <dt>Np:</dt>
          <dd>
            <t>Presented nonce size in octets: the per-segment nonce stored in
metadata.  Np = Nn in random nonce mode and Np = 0 in derived nonce
mode, where the nonce is recomputed from the key schedule.</t>
          </dd>
          <dt>Nh:</dt>
          <dd>
            <t>Hash or pseudorandom function (PRF) output size in octets for the
chosen KDF.</t>
          </dd>
          <dt>Nt:</dt>
          <dd>
            <t>Authentication tag size in octets for the chosen AEAD algorithm.</t>
          </dd>
          <dt>Na:</dt>
          <dd>
            <t>The snapshot value length in octets, the output size of the
configured snapshot authenticator.  It <bcp14>MAY</bcp14> depend on the segment
count n_seg, and is 0 when none (<xref target="snapshot-authenticator"/>).</t>
          </dd>
          <dt>n_seg:</dt>
          <dd>
            <t>The number of ciphertext segments in a stored message.  Written
n_seg (lowercase) to distinguish it from the per-message nonce N in
the raAE interface (<xref target="raae-syntax"/>).</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="raae">
      <name>The raAE Primitive</name>
      <section anchor="raae-overview">
        <name>Overview</name>
        <t>Random-access authenticated encryption (raAE) partitions a message into
segments, each encrypted and decrypted on its own and in any order.  A
reader can open one segment without the rest of the message, and a
writer can encrypt one without holding the others.  In the base
interface <xref target="FLRR25"/>, each segment is written once and thereafter only
read.</t>
        <t>The extended raAE interface keeps that base and adds one capability:  a
segment already written may be replaced in place, without disturbing the
rest.  Rewriting changes the threat model.  A storage layer holding the
ciphertext can roll a segment back to an older valid copy, substitute
one valid same-index segment for another, or drop one, and per-segment
authentication still passes on each segment it is shown.  An optional
snapshot authenticates the segment set as the writer last recorded it,
so a reader can detect these changes.  The extension (<xref target="raae-writable"/>)
defines the snapshot and the operations that maintain it.</t>
        <t>The security notions follow the interface.  raAE and its rewrites target
ra-ROR (random-access real-or-random) and ra-CMT (random-access context
commitment) (<xref target="raae-security"/>).  Rewriting leaves both untouched, since
replacing a segment is an encryption the read-only adversary could
already ask for.  Snapshot authentication adds the one notion of its
own, snapshot integrity (<xref target="snapshot-integrity"/>).</t>
      </section>
      <section anchor="raae-syntax">
        <name>Interface</name>
        <t>The base raAE interface, from <xref target="FLRR25"/>, is a tuple of five algorithms:
KeyGen, StartEnc, EncSeg, StartDec, and DecSeg.</t>
        <dl>
          <dt>KeyGen:</dt>
          <dd>
            <t>Randomized key generation.  Takes no input.  Outputs a secret key K.</t>
          </dd>
          <dt>StartEnc(K, N, G):</dt>
          <dd>
            <t>Deterministic.  Takes a secret key K, nonce N, and global associated
data G.  Outputs a ciphertext header T_g and an initial per-message
encryption state S.</t>
          </dd>
          <dt>EncSeg(S, p, A_i, M_i):</dt>
          <dd>
            <t>Randomized.  Takes the encryption state S, a position identifier
p, per-segment associated data A_i, and message segment M_i.
Outputs a ciphertext segment C_i.  S is not modified.  EncSeg may
be called with the same S at any position, in any order, or
concurrently.</t>
          </dd>
          <dt>StartDec(K, N, G, T_g):</dt>
          <dd>
            <t>Deterministic.  Takes key K, nonce N, global associated data G, and
ciphertext header T_g.  Outputs a per-message decryption state S or
an error.</t>
          </dd>
          <dt>DecSeg(S, p, A_i, C_i):</dt>
          <dd>
            <t>Deterministic.  Takes the decryption state S, position identifier
p, per-segment associated data A_i, and ciphertext segment C_i.
Outputs message segment M_i or an error.</t>
          </dd>
        </dl>
        <t>The position identifier p = (i, b) consists of a segment number i and a
terminal bit b in {0, 1}.  They impose a total ordering on segments and
carry a truncation defense: a ciphertext lacking a segment with b = 1 is
incomplete.  The encryption state S is immutable.  That immutability is
what makes arbitrary-order and fully parallel operation possible.  The
ciphertext header T_g commits to K, the nonce N, and global associated
data G.  A headerless scheme emits T_g = empty.</t>
      </section>
      <section anchor="raae-writable">
        <name>Extended Interface</name>
        <t>Replacing a segment already written, without re-encrypting the others,
requires no new operation:  re-encrypting a position is an ordinary
EncSeg call over the immutable state, and it leaves ra-ROR and ra-CMT
untouched.</t>
        <t>Rewriting gives a storage layer something to attack:  it can roll a
segment back to an older valid copy, substitute one valid same-index
segment for another, or drop one while per-segment authentication still
passes on what it presents.  A scheme that supports rewriting <bcp14>MAY</bcp14> carry
a snapshot, a value over the current set of segments that a reader
checks to detect these changes.  A write-once scheme <bcp14>MAY</bcp14> carry one too:
a single value over the whole segment set gives a consuming protocol one
thing to authenticate (<xref target="digest-transcript"/>).</t>
        <t>Two operations, added by this document, maintain and check the snapshot.
RewriteSeg replaces a segment and updates the snapshot in the same step.
SnapVerify decides whether a given set of segments is the one the writer
last recorded.</t>
        <dl>
          <dt>RewriteSeg(S, p, A_i, M'_i, C_i, snapshot):</dt>
          <dd>
            <t>Randomized.  Takes the encryption state S and position identifier p,
per-segment associated data A_i, the new message segment M'_i, the
existing ciphertext C_i at position p, and the current snapshot.
Outputs replacement ciphertext C'_i and an updated snapshot
value, snapshot'.</t>
          </dd>
          <dt>SnapVerify(S, segments, snapshot):</dt>
          <dd>
            <t>Deterministic.  Takes the encryption state S, the present segments
(the (position, ciphertext segment) pairs of the current object
state), and the snapshot.  Outputs accept or reject.</t>
          </dd>
        </dl>
        <t>The extension also changes two base signatures.  In the extended
interface:</t>
        <dl>
          <dt>StartEnc(K, N, G):</dt>
          <dd>
            <t>Deterministic.  As in <xref target="raae-syntax"/>, and additionally outputs the
initial snapshot value, the snapshot over the empty segment set.</t>
          </dd>
          <dt>EncSeg(S, p, A_i, M_i):</dt>
          <dd>
            <t>Randomized.  As in <xref target="raae-syntax"/>, and additionally outputs the
snapshot value over the segment set that results from adding C_i at
position p.</t>
          </dd>
        </dl>
        <t>The snapshot is an authenticator over the set of segments belonging to
the current object state.  When the scheme supports incremental
update, an update can run in time independent of the total segment
count.  This is an implementation goal, not a syntactic requirement of
the interface.  The base primitive has no snapshot value.  The
snapshot, the two signature changes above, RewriteSeg, and SnapVerify
are defined by this document.</t>
        <t>These additions define the extended raAE interface of this document:
the tuple (KeyGen, StartEnc, EncSeg, StartDec, DecSeg, RewriteSeg,
SnapVerify) over the auxiliary snapshot value.  The first five
algorithms are those of <xref target="raae-syntax"/>, with the snapshot outputs of
StartEnc and EncSeg defined above.  The snapshot value, RewriteSeg, and
SnapVerify are the extension.  A scheme can realize the base interface
alone, as FLOE (<xref target="FLRR25"/>) does.  SEAL (<xref target="framework"/>) realizes the
full extended interface.  Length change adds no further algorithm, as
the next paragraph describes.</t>
        <t>Changing a message's length is a composition of these operations,
not a separate algorithm in either direction.  Position-addressed
encryption over immutable state already permits re-encrypting a
position or encrypting at a higher index (see <xref target="ra-ror"/>).</t>
        <t>A holder appends by encrypting the new segments and re-marking the old
final segment with RewriteSeg to clear its terminal bit.  It truncates
by re-marking the new final segment with RewriteSeg, dropping the
trailing segments, and updating the snapshot over the surviving set.
Appending to an empty object skips the re-mark, since there is no old
final segment, and truncating away every segment yields the empty
object, with no new final segment to re-mark.</t>
        <t>Length changes occur only at the end of the message: a holder may
append segments or drop a suffix, but cannot remove or renumber front or
interior segments, because positions are index-addressed.  Each step
updates the snapshot, and <xref target="extend"/> gives the construction for both
directions.</t>
      </section>
    </section>
    <section anchor="framework">
      <name>SEAL: A Concrete raAE Construction</name>
      <t>SEAL is a parameterized construction for realizing the raAE primitive
defined in <xref target="raae"/>.  A SEAL instantiation combines an AEAD, a KDF, a
key schedule, a nonce-generation method, a commitment mechanism, and an
optional snapshot authenticator to produce an raAE scheme for segmented
stored content.</t>
      <t>The raAE interface defines what operations and security properties a
scheme provides.  SEAL defines how those operations are realized from
standard cryptographic components.  Different SEAL instantiations <bcp14>MAY</bcp14>
select different AEADs, KDFs, nonce modes, commitment mechanisms, or
snapshot authenticators, provided they satisfy the requirements of this
section.</t>
      <t>The remainder of this section specifies the common SEAL construction.
<xref target="security-properties"/> analyzes its security, and concrete parameter
choices and interoperable suites are in <xref target="concrete"/>.</t>
      <t>The key hierarchy is shown below.  A CEK and per-content salt feed the
payload schedule, which derives four values.  The payload key feeds
per-segment keys (optionally through epoch keys), and each segment
produces an AEAD tag.  When a snapshot authenticator is configured,
every segment feeds it to produce the snapshot.</t>
      <figure anchor="fig-hierarchy">
        <name>SEAL Key Hierarchy</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="624" width="272" viewBox="0 0 272 624" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,240 L 8,288" fill="none" stroke="black"/>
              <path d="M 24,208 L 24,232" fill="none" stroke="black"/>
              <path d="M 40,240 L 40,288" fill="none" stroke="black"/>
              <path d="M 64,240 L 64,288" fill="none" stroke="black"/>
              <path d="M 72,80 L 72,128" fill="none" stroke="black"/>
              <path d="M 88,208 L 88,232" fill="none" stroke="black"/>
              <path d="M 88,352 L 88,400" fill="none" stroke="black"/>
              <path d="M 96,136 L 96,160" fill="none" stroke="black"/>
              <path d="M 120,240 L 120,288" fill="none" stroke="black"/>
              <path d="M 120,496 L 120,544" fill="none" stroke="black"/>
              <path d="M 128,32 L 128,72" fill="none" stroke="black"/>
              <path d="M 136,240 L 136,288" fill="none" stroke="black"/>
              <path d="M 152,136 L 152,160" fill="none" stroke="black"/>
              <path d="M 152,208 L 152,232" fill="none" stroke="black"/>
              <path d="M 168,80 L 168,128" fill="none" stroke="black"/>
              <path d="M 176,352 L 176,400" fill="none" stroke="black"/>
              <path d="M 184,240 L 184,288" fill="none" stroke="black"/>
              <path d="M 192,552 L 192,576" fill="none" stroke="black"/>
              <path d="M 216,208 L 216,488" fill="none" stroke="black"/>
              <path d="M 264,496 L 264,544" fill="none" stroke="black"/>
              <path d="M 72,80 L 168,80" fill="none" stroke="black"/>
              <path d="M 72,128 L 168,128" fill="none" stroke="black"/>
              <path d="M 8,240 L 40,240" fill="none" stroke="black"/>
              <path d="M 64,240 L 120,240" fill="none" stroke="black"/>
              <path d="M 136,240 L 184,240" fill="none" stroke="black"/>
              <path d="M 8,288 L 40,288" fill="none" stroke="black"/>
              <path d="M 64,288 L 120,288" fill="none" stroke="black"/>
              <path d="M 136,288 L 184,288" fill="none" stroke="black"/>
              <path d="M 88,352 L 176,352" fill="none" stroke="black"/>
              <path d="M 88,400 L 176,400" fill="none" stroke="black"/>
              <path d="M 120,496 L 264,496" fill="none" stroke="black"/>
              <path d="M 120,544 L 264,544" fill="none" stroke="black"/>
              <path d="M 92,296 L 116,344" fill="none" stroke="black"/>
              <path d="M 172,456 L 188,488" fill="none" stroke="black"/>
              <path d="M 156,408 L 168,432" fill="none" stroke="black"/>
              <path d="M 200,144 L 208,160" fill="none" stroke="black"/>
              <path d="M 40,160 L 48,144" fill="none" stroke="black"/>
              <path d="M 96,432 L 108,408" fill="none" stroke="black"/>
              <path d="M 140,344 L 164,296" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="224,488 212,482.4 212,493.6" fill="black" transform="rotate(90,216,488)"/>
              <polygon class="arrowhead" points="216,160 204,154.4 204,165.6" fill="black" transform="rotate(63.43494882292201,208,160)"/>
              <polygon class="arrowhead" points="200,576 188,570.4 188,581.6" fill="black" transform="rotate(90,192,576)"/>
              <polygon class="arrowhead" points="196,488 184,482.4 184,493.6" fill="black" transform="rotate(63.43494882292201,188,488)"/>
              <polygon class="arrowhead" points="176,432 164,426.4 164,437.6" fill="black" transform="rotate(63.43494882292201,168,432)"/>
              <polygon class="arrowhead" points="160,232 148,226.4 148,237.6" fill="black" transform="rotate(90,152,232)"/>
              <polygon class="arrowhead" points="160,160 148,154.4 148,165.6" fill="black" transform="rotate(90,152,160)"/>
              <polygon class="arrowhead" points="148,344 136,338.4 136,349.6" fill="black" transform="rotate(116.56505117707799,140,344)"/>
              <polygon class="arrowhead" points="136,72 124,66.4 124,77.6" fill="black" transform="rotate(90,128,72)"/>
              <polygon class="arrowhead" points="124,344 112,338.4 112,349.6" fill="black" transform="rotate(63.43494882292201,116,344)"/>
              <polygon class="arrowhead" points="104,432 92,426.4 92,437.6" fill="black" transform="rotate(116.56505117707799,96,432)"/>
              <polygon class="arrowhead" points="104,160 92,154.4 92,165.6" fill="black" transform="rotate(90,96,160)"/>
              <polygon class="arrowhead" points="96,232 84,226.4 84,237.6" fill="black" transform="rotate(90,88,232)"/>
              <polygon class="arrowhead" points="48,160 36,154.4 36,165.6" fill="black" transform="rotate(116.56505117707799,40,160)"/>
              <polygon class="arrowhead" points="32,232 20,226.4 20,237.6" fill="black" transform="rotate(90,24,232)"/>
              <g class="text">
                <text x="104" y="36">CEK</text>
                <text x="156" y="36">salt</text>
                <text x="120" y="100">Payload</text>
                <text x="124" y="116">Schedule</text>
                <text x="28" y="180">commit</text>
                <text x="96" y="180">payload</text>
                <text x="160" y="180">nonce</text>
                <text x="220" y="180">snap</text>
                <text x="88" y="196">key</text>
                <text x="156" y="196">base</text>
                <text x="216" y="196">key</text>
                <text x="24" y="260">cmt</text>
                <text x="80" y="260">seg</text>
                <text x="160" y="260">nonce</text>
                <text x="92" y="276">key(i)</text>
                <text x="160" y="276">(i)</text>
                <text x="132" y="372">AEAD</text>
                <text x="136" y="388">Seal(i)</text>
                <text x="92" y="452">ct_i</text>
                <text x="168" y="452">tag_i</text>
                <text x="188" y="516">Snapshot</text>
                <text x="192" y="532">Authenticator</text>
                <text x="188" y="596">snapshot</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
                  CEK + salt
                      |
                      v
               .-----------.
               |  Payload  |
               |  Schedule |
               '-----------'
            /     |      |     \
           v      v      v      v
       commit  payload  nonce   snap
                key     base    key
         |       |       |       |
         v       v       v       |
       .---.  .------. .-----.   |
       |cmt|  |seg   | |nonce|   |
       |   |  |key(i)| | (i) |   |
       '---'  '------' '-----'   |
                  \       /      |
                   \     /       |
                    v   v        |
                 .----------.    |
                 |   AEAD   |    |
                 |  Seal(i) |    |
                 '----------'    |
                   /      \      |
                  v        v     |
                ct_i     tag_i   |
                            \    |
                             v   v
                     .-----------------.
                     |    Snapshot     |
                     |  Authenticator  |
                     '-----------------'
                              |
                              v
                          snapshot
]]></artwork>
        </artset>
      </figure>
      <t>The figure shows the masked multiset hash, whose per-segment input is
the AEAD tag.  Under the digest transcript (snap_id 0x0002) the snapshot
authenticator instead takes each segment's leaf leaf(i) = LH(ct_i) ||
tag(i) (<xref target="digest-transcript"/>).</t>
      <section anchor="raae-mapping">
        <name>Construction Overview</name>
        <t>A commitment lets a reader reject a wrong key or parameter set before
decrypting anything.  An optional snapshot authenticates the current set
of segments.</t>
        <t>SEAL realizes the raAE operations of <xref target="raae-syntax"/> as follows:</t>
        <table anchor="op-mapping">
          <name>raAE operations and their SEAL realizations</name>
          <thead>
            <tr>
              <th align="left">raAE operation</th>
              <th align="left">SEAL realization</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">StartEnc</td>
              <td align="left">Derive the payload schedule from the CEK and salt, committing G (<xref target="key-derivation"/>)</td>
            </tr>
            <tr>
              <td align="left">StartDec</td>
              <td align="left">Re-derive the schedule and verify the stored commitment (<xref target="framework-commitment"/>)</td>
            </tr>
            <tr>
              <td align="left">EncSeg, DecSeg</td>
              <td align="left">EncryptSegment and DecryptSegment (<xref target="segment-subroutines"/>)</td>
            </tr>
            <tr>
              <td align="left">RewriteSeg</td>
              <td align="left">RewriteSegment, then update the snapshot authenticator for the changed segment (<xref target="full-rewrite"/>)</td>
            </tr>
            <tr>
              <td align="left">SnapVerify</td>
              <td align="left">Check the present indices and finality, then verify the snapshot via the authenticator (<xref target="snapshot-authenticator"/>)</td>
            </tr>
          </tbody>
        </table>
        <t>SEAL's salt, payload_info, and G carry the raAE per-message inputs, and
the commitment stands in for the header (<xref target="components"/>).</t>
      </section>
      <section anchor="components">
        <name>Component Suite and Parameters</name>
        <t anchor="parameters">This section names every parameter, input, and derived symbol the
construction uses.  <xref target="param-table"/> summarizes them, grouped by what
sets each one.  The entries that follow define the suite choices, the
profile-level constants, the algorithm-determined sizes, and the
per-message inputs.  Derived values are defined where they are computed,
in the sections the table cites.</t>
        <table anchor="param-table">
          <name>Parameters, inputs, and derived values</name>
          <thead>
            <tr>
              <th align="left">Parameter</th>
              <th align="left">Type or range</th>
              <th align="left">Set by</th>
              <th align="left">Defined in</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">AEAD</td>
              <td align="left">RFC 5116 algorithm</td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="concrete-algorithms"/></td>
            </tr>
            <tr>
              <td align="left">KDF</td>
              <td align="left">kdf_id from <xref target="kdf-table"/></td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="concrete-framing"/></td>
            </tr>
            <tr>
              <td align="left">segment_max</td>
              <td align="left">power of two, at least 4096</td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="concrete"/></td>
            </tr>
            <tr>
              <td align="left">epoch_length</td>
              <td align="left">integer r in 0 to 63</td>
              <td align="left">suite</td>
              <td align="left">
                <xref target="epoch-key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">protocol_id</td>
              <td align="left">octet string</td>
              <td align="left">application</td>
              <td align="left">
                <xref target="security-domain-separation"/></td>
            </tr>
            <tr>
              <td align="left">nonce_mode</td>
              <td align="left">"random" or "derived"</td>
              <td align="left">message, within the profile</td>
              <td align="left">
                <xref target="nonce-generation"/></td>
            </tr>
            <tr>
              <td align="left">aad_label</td>
              <td align="left">ASCII string ("SEAL-DATA" in SEAL)</td>
              <td align="left">profile</td>
              <td align="left">
                <xref target="concrete-segment-aad"/></td>
            </tr>
            <tr>
              <td align="left">commitment_length</td>
              <td align="left">integer, at least 16, default Nh</td>
              <td align="left">profile</td>
              <td align="left">
                <xref target="appendix-commitment"/></td>
            </tr>
            <tr>
              <td align="left">Nk, Nn, Nt</td>
              <td align="left">sizes in octets</td>
              <td align="left">AEAD</td>
              <td align="left">
                <xref target="notation"/></td>
            </tr>
            <tr>
              <td align="left">Nh</td>
              <td align="left">size in octets</td>
              <td align="left">KDF</td>
              <td align="left">
                <xref target="notation"/></td>
            </tr>
            <tr>
              <td align="left">CEK</td>
              <td align="left">32 uniform random octets</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">salt</td>
              <td align="left">32 uniform random octets</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">payload_info</td>
              <td align="left">ordered element list</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="seal-encodings"/></td>
            </tr>
            <tr>
              <td align="left">G</td>
              <td align="left">octet string, empty by default</td>
              <td align="left">message input</td>
              <td align="left">
                <xref target="framework-commitment"/></td>
            </tr>
            <tr>
              <td align="left">commitment</td>
              <td align="left">commitment_length octets</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">payload_key</td>
              <td align="left">Nk octets</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">snap_key</td>
              <td align="left">Nh octets</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">nonce_base</td>
              <td align="left">Nn octets, derived mode only</td>
              <td align="left">derived per message</td>
              <td align="left">
                <xref target="key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">epoch_key(i)</td>
              <td align="left">Nk octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="epoch-key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">segment_key(i)</td>
              <td align="left">Nk octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="epoch-key-derivation"/></td>
            </tr>
            <tr>
              <td align="left">nonce(i)</td>
              <td align="left">Nn octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="nonce-generation"/></td>
            </tr>
            <tr>
              <td align="left">segment_aad(i, is_final, A_i)</td>
              <td align="left">octet string</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="concrete-segment-aad"/></td>
            </tr>
            <tr>
              <td align="left">tag(i)</td>
              <td align="left">Nt octets</td>
              <td align="left">derived per segment</td>
              <td align="left">
                <xref target="segment-subroutines"/></td>
            </tr>
          </tbody>
        </table>
        <t>SEAL fixes the segment additional authenticated data (AAD) encoding, the
commitment derivation, and the snapshot value for every suite.  They are
specified in <xref target="concrete-segment-aad"/>, <xref target="framework-commitment"/>, and
<xref target="snapshot-authenticator"/> respectively, and are encoded identically
across all SEAL cipher suites.  The resulting octet lengths still vary
by suite, because Nh and Nt are suite-dependent.</t>
        <section anchor="suite-choices">
          <name>Suite Choices</name>
          <t>A suite is assembled from the following choices.</t>
          <dl>
            <dt>AEAD:</dt>
            <dd>
              <t>An authenticated encryption with associated data algorithm
satisfying the interface of <xref target="RFC5116"/>, with Nk-octet keys,
Nn-octet nonces, and Nt-octet authentication tags.</t>
            </dd>
            <dt>KDF:</dt>
            <dd>
              <t>A key derivation function supporting the abstract interface defined
in <xref target="concrete-framing"/>.  See <xref target="kdf-table"/> for the permitted KDFs.</t>
            </dd>
            <dt>segment_max:</dt>
            <dd>
              <t>A positive integer, a power of two and at least 4096 octets.  Each
segment carries at most this many plaintext octets.  The
length-dependent limits of <xref target="aead-usage-limits"/> are computed at
this size.</t>
            </dd>
            <dt>epoch_length:</dt>
            <dd>
              <t>A non-negative integer r in 0 to 63.  Each epoch covers 2^r
consecutive segments aligned to a multiple of 2^r
(<xref target="epoch-key-derivation"/>).  Profiles <bcp14>MAY</bcp14> restrict r further per AEAD
(<xref target="concrete"/>).  The value sets a rotation granularity, not an on/off
switch:  r = 0 selects the finest rotation, a fresh epoch key for
every segment, and no value of r disables epoch-key derivation.  A
flat key, one epoch key covering all segments, is r = 63.</t>
            </dd>
            <dt>protocol_id:</dt>
            <dd>
              <t>An application-chosen octet string that binds all derived values to
a specific protocol version.  Selection guidance is in
<xref target="security-domain-separation"/>.</t>
            </dd>
            <dt>nonce_mode:</dt>
            <dd>
              <t>A payload_info element selecting one of two nonce constructions,
"random" or "derived".  The constructions are defined in
<xref target="nonce-generation"/>, the default mode each SEAL suite uses in the
mutable profile (<xref target="aead-table"/>), and the valid (nonce_mode,
snap_id) tuples for each profile in <xref target="profiles"/>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="profile-constants">
          <name>Profile-Level Constants</name>
          <t>One constant is fixed by the profile rather than carried per message.</t>
          <dl>
            <dt>aad_label:</dt>
            <dd>
              <t>A profile-level ASCII string bound as the first element of the
segment AAD encoding (<xref target="concrete-segment-aad"/>).  Consuming
protocols <bcp14>MAY</bcp14> define their own profiles with a distinct aad_label.</t>
            </dd>
          </dl>
        </section>
        <section anchor="algorithm-sizes">
          <name>Algorithm-Determined Sizes</name>
          <t>The sizes Nk, Nn, Nt, and Nh are fixed by the chosen AEAD and KDF rather
than by the parameter set directly.  They are defined in <xref target="notation"/>,
with concrete values in <xref target="aead-table"/> and <xref target="kdf-table"/>.  One
configurable length defaults from Nh.</t>
          <dl>
            <dt>commitment_length:</dt>
            <dd>
              <t>A positive integer of at least 16, defaulting to Nh, the length in
octets of the key commitment prefix.  The collision bounds for each
length are given in <xref target="appendix-commitment"/>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="message-inputs">
          <name>Per-Message Inputs</name>
          <t>An encrypted message is built from four input values.</t>
          <dl>
            <dt>CEK:</dt>
            <dd>
              <t>A 32-octet uniform random Content Encryption Key generated fresh for
each message.  The CEK is input keying material for the key
schedule, not an AEAD key.</t>
            </dd>
            <dt>salt:</dt>
            <dd>
              <t>A per-content value of 32 uniformly random octets.  The salt
separates payload schedule outputs across messages even when the
CEK is reused.  <xref target="full-encryption"/> and <xref target="extend"/> give the rules
for generating and reusing it, and <xref target="salt-reuse"/> analyzes the
consequences of reuse.</t>
            </dd>
            <dt>payload_info:</dt>
            <dd>
              <t>The committed record of the object's configuration: an ordered
list of parameter set context elements covering key derivation,
AEAD operations, AAD construction, and nonce construction, which
the commitment (<xref target="framework-commitment"/>) binds.  The profile fixes
the concrete element set and their encodings.  SEAL's payload_info
is specified in <xref target="seal-encodings"/>.</t>
            </dd>
            <dt>G:</dt>
            <dd>
              <t>An octet string of global associated data, the G input of StartEnc in
the raAE primitive (<xref target="raae-syntax"/>), binding whole-message
application context such as a name, version, or policy.  G defaults to
the empty octet string and is never stored:  a decryptor supplies it
from application context, and the commitment binds it
(<xref target="framework-commitment"/>).</t>
            </dd>
          </dl>
          <t>The remaining symbols in <xref target="param-table"/> are derived values.  The
payload schedule (<xref target="key-derivation"/>) computes the per-message values
commitment, payload_key, snap_key, and nonce_base once from the CEK and
payload_info (the commitment also binds G, <xref target="framework-commitment"/>),
and they are fixed for the message's lifetime.  The per-segment values
epoch_key(i), segment_key(i), nonce(i), segment_aad(i, is_final, A_i),
and tag(i) are defined where they are computed:
<xref target="epoch-key-derivation"/>, <xref target="nonce-generation"/>,
<xref target="concrete-segment-aad"/>, and <xref target="segment-subroutines"/>.</t>
        </section>
      </section>
      <section anchor="concrete-framing">
        <name>The KDF Combiner</name>
        <t>The KDF combiner uses a length-prefixed encoding for all of its inputs.</t>
        <artwork><![CDATA[
frame(x):
    if len(x) <= 0xFFFE:  return uint16(len(x)) || x     ;; literal
    else:                 return uint16(0xFFFF) || LH(x) ;; digest



encode(x1, ..., xn) = frame(x1) || ... || frame(xn)
]]></artwork>
        <t>frame is total over every field length.  A field of at most 0xFFFE
octets is emitted literally behind its 2-octet length, identical to a
plain length prefix.  The reserved length 0xFFFF is a typed prefix
meaning that an Nh-octet digest LH(x) of an over-large field follows in
place of the field itself.</t>
        <t>LH(x), the over-large-field digest, runs the cipher suite's native KDF
primitive directly on x, invoking neither encode nor frame, and returns
Nh octets.  The two-step and one-step classes are HPKE's: a two-step KDF
(<xref target="RFC9180"/>) uses its extract step, and a one-step KDF
(<xref target="I-D.ietf-hpke-pq"/>) its XOF, with x carried under the label
"raAE-LP-v1":</t>
        <artwork><![CDATA[
two-step:  LH(x) = Extract("raAE-LP-v1", x)
one-step:  LH(x) = XOF("raAE-LP-v1" || x, Nh)
]]></artwork>
        <t>Routing LH through the KDF would encode-frame x and recurse, because
frame of an over-large x would re-enter LH.  LH therefore runs the
native primitive directly on x.  The injectivity of encode and the
domain-separation and collision properties of LH are established in
<xref target="framing"/>.</t>
        <t>Key material is derived through a KDF with the interface</t>
        <artwork><![CDATA[
KDF(protocol_id, label, ikm, info, L)
]]></artwork>
        <ul spacing="normal">
          <li>
            <t>protocol_id: binds the output to a specific protocol
version and application context.</t>
          </li>
          <li>
            <t>label: a unique ASCII string identifying the
derivation role.</t>
          </li>
          <li>
            <t>ikm: input keying material, provided as a single
octet string or an ordered list of octet strings.</t>
          </li>
          <li>
            <t>info: context information, provided as a single
octet string or an ordered list of octet strings.</t>
          </li>
          <li>
            <t>L: the requested output length in octets.</t>
          </li>
        </ul>
        <t>This KDF binds protocol_id, a label, and inputs of any size into a
derived value.  frame reduces any over-large input to a fixed-size
digest before the KDF sees it.  Any protocol instantiates the combiner
by supplying its own protocol_id, which domain-separates its derivations
from those of every other protocol.  SEAL's two profiles instantiate the
combiner at protocol_id SEAL-RW-v1 and SEAL-RO-v1 (<xref target="profiles"/>).</t>
        <t>The KDF is built from the cipher suite's hash in one of two forms.  The
cipher suite's kdf_id (<xref target="kdf-table"/>) selects which one.</t>
        <section anchor="two-step-kdf">
          <name>Two-Step KDF</name>
          <artwork><![CDATA[
KDF(protocol_id, label, ikm, info, L):
  extract_input = encode(protocol_id, label,
                         ...ikm)
  prk = Extract(salt=protocol_id,
                ikm=extract_input)
  expand_info = encode(protocol_id, label,
                       ...info, uint16(L))
  return Expand(prk, expand_info, L)
]]></artwork>
          <t>The notation <tt>...x</tt> means each element of the sequence x, whether ikm or
info, is a separate argument to encode.  A single octet string is the
one-element sequence containing it.  An absent value is the empty
sequence and contributes no arguments.  The empty sequence and the
one-element sequence whose element is the empty octet string are
distinct:  the first adds nothing to the encode, the second adds one
zero-length field.  A derivation with no info <bcp14>MUST</bcp14> use the empty
sequence, not the empty octet string, so that every implementation
encodes a given (protocol_id, label, ikm, info, L) tuple to the same
octets.  The protocol_id appears in both the Extract salt and the
extract_input as a defensive measure, and binding in either position
suffices for domain separation.</t>
          <t>The label appears in both Extract and Expand so that label binding is
preserved even if one phase is weak in isolation.  Implementations <bcp14>MAY</bcp14>
amortize the Extract computation internally when deriving multiple
outputs from the same protocol_id, label, and ikm.</t>
        </section>
        <section anchor="one-step-kdf">
          <name>One-Step KDF</name>
          <artwork><![CDATA[
KDF(protocol_id, label, ikm, info, L):
  M = encode(protocol_id, label,
             encode(...ikm), encode(...info),
             uint16(L))
  return XOF(M, L)
]]></artwork>
          <t>The XOF-based form frames ikm and info each as a single element of one
length-prefixed encode and squeezes L octets of output.  protocol_id
binding is via the message-side encode prefix only.  In both forms the
encoded input ends with uint16(L):  the two-step form places it last in
expand_info and the one-step form places it last in M.  Within a fixed
kdf_id, distinct (protocol_id, label, ikm, info, L) tuples yield
distinct outputs, by the injectivity of encode (established in
<xref target="framing"/> and demonstrated in <xref target="combiner-vectors"/>).  The two forms
are not mutually injective:  a cipher suite's kdf_id (<xref target="kdf-table"/>)
selects one form for that suite, and payload_info commits to the kdf_id
(<xref target="seal-encodings"/>), so no derivation ever compares outputs across
forms.  The two-step form binds ikm in Extract and info in Expand.  A
multi-value ikm or info is the encode of its elements, so any number of
elements is admitted.</t>
          <t>The following example expands M for combiner vector KDF.33
(<xref target="combiner-vectors"/>): TurboSHAKE-256, label "commit", ikm a single
32-octet element of repeated 0xAA, info the two elements 010203 and
0405, and L = 64.  Each frame is a 2-octet length followed by the
element, and the ikm and info lists are each one nested encode:</t>
          <artwork><![CDATA[
M, 71 octets, in frame order:

000a 5345414c2d52572d7631      frame(protocol_id "SEAL-RW-v1")
0006 636f6d6d6974              frame(label "commit")
0022 0020 aa..aa (32 octets)   frame(encode(...ikm)): one inner
                               frame wrapping the single element
0009 0003 010203 0002 0405     frame(encode(...info)): inner
                               frames of 3 and 2 octets
0002 0040                      frame(uint16(L)), L = 64

XOF(M, 64) = the KDF.33 output
]]></artwork>
          <t>With info = [], the empty sequence, the fourth frame is the two octets
0000:  encode() of no elements is the empty octet string, and its frame
is a zero length with no content.  With info = [""], one zero-length
element, the inner encode is 0000 and the fourth frame is 0002 0000.
KDF.8 and KDF.28 (<xref target="combiner-vectors"/>) exercise the same distinction in
the two-step form.</t>
        </section>
      </section>
      <section anchor="seal-encodings">
        <name>SEAL Encodings and Labels</name>
        <t>SEAL fixes the concrete encodings the combiner and the AEAD consume: the
payload_info tuple, the segment AAD, and the derivation labels.</t>
        <section anchor="payload-info-construction">
          <name>Payload Info Construction</name>
          <artwork><![CDATA[
payload_info = [aead_id, segment_max_be, kdf_id, snap_id,
                nonce_mode, epoch_length_u8, salt]
]]></artwork>
          <t>Element encodings for SEAL:</t>
          <ul spacing="normal">
            <li>
              <t>aead_id: 2 octets, uint16(id), the unsigned 16-bit AEAD identifier
from <xref target="aead-table"/> (for example, 0x0002 for AES-256-GCM).</t>
            </li>
            <li>
              <t>segment_max_be: 4 octets, uint32(segment_max).  SEAL's segment
sizes are given in <xref target="concrete"/>.</t>
            </li>
            <li>
              <t>kdf_id: 2 octets, uint16(id), the unsigned 16-bit KDF identifier
from <xref target="kdf-table"/> (0x0001 for HKDF-SHA-256 per <xref target="RFC9180"/> Section
7.2; 0x0013 for TurboSHAKE-256 per <xref target="I-D.ietf-hpke-pq"/>).</t>
            </li>
            <li>
              <t>snap_id: 2 octets, uint16(id), the snapshot authenticator identifier
from <xref target="snapshot-table"/> (0x0000 for none, 0x0001 for the masked
multiset hash, 0x0002 for the digest transcript, 0x0003 for the
epoch digest tree).</t>
            </li>
            <li>
              <t>nonce_mode: 1 octet, the nonce construction (<xref target="nonce-mode-table"/>):
0x00 for random, 0x01 for derived.  <xref target="aead-table"/> gives the default
mode each SEAL suite uses in the mutable profile.  A profile <bcp14>MAY</bcp14>
select another valid (nonce_mode, snap_id) tuple.</t>
            </li>
            <li>
              <t>epoch_length_u8: 1 octet, uint8(epoch_length).  Valid values per
<xref target="aead-table"/>.  Implementations <bcp14>MUST</bcp14> reject epoch_length &gt;= 64 on
both encode and decode.</t>
            </li>
            <li>
              <t>salt: 32 raw octets, the per-message salt.</t>
            </li>
          </ul>
          <t>The aad_label is a profile-level constant for SEAL (see
<xref target="concrete-segment-aad"/>) and is not carried in payload_info.  It is
bound transitively via protocol_id.  The KDF (<xref target="concrete-framing"/>)
applies frame to each element of the list.</t>
        </section>
        <section anchor="concrete-segment-aad">
          <name>Segment AAD</name>
          <t>The segment AAD binds each segment to its context.  What it must carry
depends on the nonce mode: a random nonce binds neither the segment
index nor the finality bit, so the AAD must, whereas a derived nonce
binds both (<xref target="derived-nonces"/>).</t>
          <artwork><![CDATA[
segment_aad(i, is_final, A_i):
  if nonce_mode is "random":
    if A_i is empty:
      return encode(aad_label, uint64(i), uint8(is_final))
    return encode(aad_label, uint64(i), uint8(is_final), A_i)
  ;; derived nonce mode: index and is_final are bound in the nonce
  if A_i is empty:
    return ""              ;; no AEAD associated-data pass
  return encode(aad_label, A_i)
]]></artwork>
          <table anchor="segment-aad-modes">
            <name>Segment AAD by nonce mode</name>
            <thead>
              <tr>
                <th align="left"> </th>
                <th align="left">Random nonce mode</th>
                <th align="left">Derived nonce mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Index i and is_final</td>
                <td align="left">bound in the AAD</td>
                <td align="left">bound in the nonce</td>
              </tr>
              <tr>
                <td align="left">A_i, when present</td>
                <td align="left">appended as a fourth encode element</td>
                <td align="left">the sole variable element</td>
              </tr>
              <tr>
                <td align="left">A_i, when empty</td>
                <td align="left">omitted, not a zero-length element</td>
                <td align="left">segment_aad is empty, with no associated-data pass</td>
              </tr>
            </tbody>
          </table>
          <t>aad_label is the profile-chosen label from the parameter set, the index
i is a big-endian 8-octet integer, and is_final is 1 for the last
segment and 0 for all others.  Because encode length-prefixes every
element, omitting an empty A_i stays injective, so the index and
finality bit remain authenticated.  Any profile that defines a
random-mode segment_aad <bcp14>MUST</bcp14> preserve injectivity and <bcp14>MUST</bcp14> authenticate
the segment index and finality bit.  aad_label is bound transitively
through protocol_id (<xref target="parameter-mismatch"/>), so segment_aad need not
repeat it for cross-profile separation.</t>
          <t>More generally, the binding of the triple (i, is_final, A_i) <bcp14>MUST</bcp14> be
unambiguous under one segment key, so that no two distinct triples
present the same inputs to the AEAD.  In random nonce mode segment_aad
alone <bcp14>MUST</bcp14> injectively bind the triple, because the nonce is an
independent random draw.  In derived nonce mode i and is_final are bound
in the nonce and A_i, when present, in segment_aad, and the (nonce,
segment_aad) pair <bcp14>MUST</bcp14> jointly determine the triple
(<xref target="derived-nonces"/>).</t>
          <t>A_i is the caller-supplied per-segment associated data of EncSeg and
DecSeg (<xref target="raae-syntax"/>), passed to the segment algorithms
(<xref target="segment-subroutines"/>).  It <bcp14>MAY</bcp14> be empty and <bcp14>MAY</bcp14> differ per segment.
Unlike a global associated data value G, which the commitment fixes at
creation (<xref target="framework-commitment"/>), A_i rides the per-segment AEAD
associated data and is rewritable: a rewrite can change a segment's A_i.
The example test vectors use an empty A_i, so the random-mode vectors
keep the three-element encoding and the derived-mode vector has an empty
segment_aad.</t>
          <t>The salt is not included in the AAD because it is already bound into
segment_key via the payload schedule.  Different messages produce
different segment keys even at the same index.  Transposing two segments
within a message fails because the AAD at each position encodes the
expected index.</t>
          <t>Unauthorized truncation is detectable, and <xref target="full-decryption"/>
requires a decryptor to reject it.  A reader that sees the
highest-indexed present segment carry is_final = 0 knows more data
must follow.  Authorized truncation by the CEK holder instead
re-marks the new final segment and updates the snapshot
(<xref target="extend"/>).  Extension is also caught: appending after a segment
marked is_final = 1 either invalidates the original final segment
on re-read or produces a ciphertext that cannot verify.</t>
          <t>Each segment binds both its index and its finality bit, through
the AAD in random nonce mode and through the nonce in derived
nonce mode.  This per-segment binding, rather than reliance on
the snapshot alone, catches these attacks.  A reader can
check them without holding all tags before decrypting any one
segment.</t>
          <t>The per-segment AEAD binds a segment's index and finality, not its
length (through the AAD in random nonce mode and through the nonce in
derived nonce mode).  A segment's ciphertext length is authenticated
implicitly by the AEAD tag over the ciphertext: altering, truncating, or
splicing a segment ciphertext is an AEAD forgery, not a parsing
ambiguity.  Because segments <bcp14>MAY</bcp14> be shorter than segment_max, the
consuming format <bcp14>MUST</bcp14> convey each segment's ciphertext length to the
decoder.  A wrong length yields an AEAD rejection, never a silent
accept.</t>
        </section>
        <section anchor="labels">
          <name>Labels</name>
          <table anchor="label-table">
            <name>SEAL core KDF labels by role</name>
            <thead>
              <tr>
                <th align="left">Derivation role</th>
                <th align="left">Label variable</th>
                <th align="left">Value</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Commitment</td>
                <td align="left">commit_label</td>
                <td align="left">"commit"</td>
              </tr>
              <tr>
                <td align="left">Payload key</td>
                <td align="left">payload_key_label</td>
                <td align="left">"payload_key"</td>
              </tr>
              <tr>
                <td align="left">Snapshot authenticator key</td>
                <td align="left">snap_key_label</td>
                <td align="left">"acc_key"</td>
              </tr>
              <tr>
                <td align="left">Nonce base</td>
                <td align="left">nonce_base_label</td>
                <td align="left">"nonce_base"</td>
              </tr>
              <tr>
                <td align="left">Epoch key</td>
                <td align="left">epoch_key_label</td>
                <td align="left">"epoch_key"</td>
              </tr>
            </tbody>
          </table>
          <t>SEAL fixes each label to the value above.  The construction formulas
reference labels by variable name, so the labels are SEAL parameters
rather than constants of the raAE construction.  Each value is an ASCII
string and is distinct from all others.  These label strings are frozen
for wire compatibility.  In particular the snapshot authenticator key
snap_key uses the label string "acc_key", retained from an earlier name.
These are the always-present key-schedule labels.  The masked multiset
hash (<xref target="masked-multiset-hash"/>), the digest transcript
(<xref target="digest-transcript"/>), the plaintext-bound nonce construction
(<xref target="appendix-pt-bound"/>), and hedged randomness (<xref target="hedged-randomness"/>)
each define their own labels.</t>
        </section>
      </section>
      <section anchor="key-derivation">
        <name>Key Schedule and Nonce Generation</name>
        <t>A message's entire key hierarchy grows from two random values: the
32-octet CEK and the per-content salt.  All other keys are derived
deterministically through the KDF of <xref target="concrete-framing"/>.</t>
        <section anchor="payload-schedule">
          <name>Payload Schedule</name>
          <t>Four values are derived from the CEK and per-content salt.  The
commitment allows early rejection of a wrong key and additionally binds
the global associated data G (<xref target="message-inputs"/>).  The payload key
encrypts segments through epoch keys.  The snapshot authenticator key is
used by the configured snapshot authenticator.  The nonce base
(derived-mode only) seeds deterministic per-segment nonces.</t>
          <artwork><![CDATA[
payload_info = [aead_id,
                uint32(segment_max),    ;; segment_max_be
                kdf_id,
                snap_id,
                nonce_mode,
                uint8(epoch_length),    ;; epoch_length_u8
                salt]

commitment  = KDF(protocol_id, commit_label,
                  [CEK], [...payload_info, G], commitment_length)
payload_key = KDF(protocol_id, payload_key_label,
                  [CEK], payload_info, Nk)
snap_key     = KDF(protocol_id, snap_key_label,
                  [CEK], payload_info, Nh)

;; For derived nonce mode only:
nonce_base  = KDF(protocol_id, nonce_base_label,
                  [CEK], payload_info, Nn)
]]></artwork>
          <t>G is the global associated data of <xref target="message-inputs"/>, always the last
element of the commitment info.  It defaults to the empty octet string,
one zero-length element, so every commitment derivation includes it.
The other three derivations never take G.</t>
        </section>
        <section anchor="epoch-key-derivation">
          <name>Epoch Key Derivation</name>
          <t>AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305 use a 96-bit nonce.  At
a 2^(-32) collision-probability target, the random-nonce budget is about
2^32 encryptions per key.  For rewritable content, this limit can be
reached through repeated modifications to the same segments.  Epoch keys
partition the nonce space:  each epoch key covers at most 2^r segment
positions (initial writes plus rewrites), so the per-key invocation
count is bounded regardless of the content's total size.</t>
          <t>When epoch_length = r is specified, the segment key for segment i is an
epoch key derived from the payload key:</t>
          <artwork><![CDATA[
segment_key(i):
  epoch_index = i >> epoch_length
  return KDF(protocol_id, epoch_key_label,
             [payload_key],
             [uint64(epoch_index)], Nk)
]]></artwork>
          <t>At epoch_length = 0 the shift is the identity, so each segment has its
own epoch key.  At a large epoch_length every segment shares one epoch
key.  Implementations <bcp14>MUST</bcp14> apply this derivation at every epoch_length,
including 0, and <bcp14>MUST NOT</bcp14> use payload_key directly as a segment key.
Epoch keys implement the parallel external rekeying pattern of
<xref target="RFC8645"/>, adapted for random-access patterns.</t>
        </section>
        <section anchor="nonce-generation">
          <name>Nonce Generation</name>
          <t>Two nonce modes, random and derived, trade off AEAD flexibility,
storage cost, and trust in a cryptographically secure pseudorandom
number generator (CSPRNG).  Derived mode needs misuse-resistant
authenticated encryption (MRAE) unless the profile is write-once
(<xref target="profiles"/>).  The chosen mode is part of the parameter set and <bcp14>MUST</bcp14>
be consistent across all segments of a message.</t>
          <figure anchor="fig-nonce-modes">
            <name>The Two Nonce Modes</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="328" viewBox="0 0 328 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 104,64 L 104,96" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="112,96 100,90.4 100,101.6" fill="black" transform="rotate(90,104,96)"/>
                  <g class="text">
                    <text x="32" y="36">Random:</text>
                    <text x="188" y="36">Derived:</text>
                    <text x="196" y="52">nonce_base</text>
                    <text x="44" y="68">Random(Nn)</text>
                    <text x="96" y="68">-</text>
                    <text x="176" y="68">|</text>
                    <text x="168" y="84">XOR</text>
                    <text x="256" y="84">((i&lt;&lt;1)|is_final)</text>
                    <text x="176" y="100">|</text>
                    <text x="112" y="116">nonce_i</text>
                    <text x="184" y="116">nonce_i</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
Random:            Derived:
                   nonce_base
Random(Nn) -.        |
            |      XOR ((i<<1)|is_final)
            v        |
          nonce_i  nonce_i
]]></artwork>
            </artset>
          </figure>
          <t>The two modes differ as follows:</t>
          <table anchor="nonce-mode-comparison">
            <name>Random and derived nonce modes</name>
            <thead>
              <tr>
                <th align="left">Property</th>
                <th align="left">Random nonce mode</th>
                <th align="left">Derived nonce mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Per-segment nonce stored</td>
                <td align="left">yes, in segment metadata</td>
                <td align="left">no</td>
              </tr>
              <tr>
                <td align="left">CSPRNG required</td>
                <td align="left">yes</td>
                <td align="left">no</td>
              </tr>
              <tr>
                <td align="left">AEAD requirement</td>
                <td align="left">any AEAD</td>
                <td align="left">MRAE, or any in a write-once profile</td>
              </tr>
              <tr>
                <td align="left">Rewrite</td>
                <td align="left">fresh nonce each write</td>
                <td align="left">nonce fixed by index, reused on rewrite</td>
              </tr>
              <tr>
                <td align="left">Per-segment AAD</td>
                <td align="left">binds index and finality</td>
                <td align="left">empty when no A_i (index/finality in nonce)</td>
              </tr>
              <tr>
                <td align="left">Minimum nonce size Nn</td>
                <td align="left">no added constraint</td>
                <td align="left">at least 8 octets</td>
              </tr>
            </tbody>
          </table>
          <section anchor="random-nonce-mode">
            <name>Random Nonce Mode</name>
            <t>In random nonce mode (nonce_mode = "random"), each segment gets an
independent random nonce:</t>
            <artwork><![CDATA[
nonce(i) = Random(Nn)
]]></artwork>
            <t>Each segment's nonce is stored in per-segment metadata and <bcp14>MUST</bcp14>
be accessible to any reader that decrypts individual segments.
This mode requires a functioning CSPRNG.  The nonce collision
probability across independently generated per-segment nonces
follows the standard birthday bound.  See <xref target="aead-usage-limits"/>.</t>
            <t>Two optional encryptor-side hedges harden this mode against
different threats.  Hedged randomness (<xref target="hedged-randomness"/>)
mixes in a long-term key and defends against a weak or
predictable CSPRNG.  It does not defend against CSPRNG state
duplication, since identical CSPRNG output still yields identical
hedged output.  Only the plaintext-bound construction
(<xref target="appendix-pt-bound"/>), which mixes in plaintext content,
defends against state duplication.  Both are implementation-local,
leave the wire format unchanged, and are not separate nonce modes.</t>
          </section>
          <section anchor="derived-nonces">
            <name>Derived Nonce Mode</name>
            <t>Derived nonce mode is intended for profiles that do not store a
per-segment nonce.  Nonces are derived deterministically from the
payload schedule.  Derived nonce mode is defined only for AEADs whose
nonce size Nn is at least 8 octets.
The segment index occupies the high bits of an 8-octet counter and the
finality bit occupies the low bit, so the per-segment AAD need not carry
either one.  The XOR is applied to the last 8 octets of nonce_base, with
the remaining octets unchanged:</t>
            <artwork><![CDATA[
nonce(i) = nonce_base[0:Nn-8]
           || (nonce_base[Nn-8:Nn]
               XOR uint64((i << 1) | is_final))
]]></artwork>
            <t>No per-segment nonce storage is required.</t>
            <t>The encoded value (i &lt;&lt; 1) | is_final <bcp14>MUST</bcp14> fit in the low 8 octets of
nonce_base, so the segment index i <bcp14>MUST</bcp14> be less than 2^63.  This caps an
object at 2^63 segments, far beyond any reachable object.  See
<xref target="max-object-size"/> for the resulting size limit.</t>
            <t>A derived nonce is fixed by the segment index, so re-encrypting a
segment reuses its nonce.  An MRAE AEAD such as AES-256-GCM-SIV
(<xref target="RFC8452"/>) tolerates that reuse, degrading to equality leakage rather
than plaintext recovery, within the per-segment rewrite limit given in
<xref target="aead-usage-limits"/>.  A non-MRAE AEAD does not: reusing its nonce
leaks plaintext, so with a non-MRAE AEAD, derived nonce mode <bcp14>MUST</bcp14> be
confined to a write-once profile, in which each segment is encrypted
exactly once.</t>
            <t>A write-once profile rewrites nothing and performs no length change.  A
rewrite would repeat a derived nonce, and a length change re-marks the
terminal segment under a fresh nonce (is_final flips the low bit).  The
write-once discipline is the simplest rule that keeps every derived
nonce unique.  It <bcp14>MUST</bcp14> draw a fresh salt for every object, so the nonce
base differs, and <bcp14>MUST NOT</bcp14> re-encrypt under that salt after a crash
(<xref target="nonce-misuse"/>).</t>
            <t>Folding is_final into the nonce also removes a per-segment cost.  The
nonce binds the index and finality, so the per-segment associated data
need not carry them: segment_aad is empty when the caller supplies no
A_i, and is encode(aad_label, A_i) otherwise (<xref target="concrete-segment-aad"/>).
When A_i is empty the AEAD processes no associated data, removing the
per-segment associated-data pass that random nonce mode incurs.  This is
the structural reason an immutable, write-once profile in derived nonce
mode coincides with STREAM (<xref target="related-work"/>) at the nonce-and-AEAD
layer: a key-derived counter-plus-final-bit nonce over a per-segment
AEAD with no associated data.</t>
          </section>
        </section>
      </section>
      <section anchor="framework-commitment">
        <name>Commitment</name>
        <t>Per-segment AEAD authenticates the ciphertext core together with the
segment index and finality bit (through the segment AAD in random nonce
mode and through the nonce in derived nonce mode) so position binding
for the segment being opened is already provided.  Two further
properties remain: context commitment, provided here, and snapshot
membership, provided by the snapshot authenticator
(<xref target="snapshot-authenticator"/>).  The commitment lets a reader reject an
incorrect CEK or parameter context before attempting any segment
decryption, providing ra-CMT-style context commitment (<xref target="ra-cmt"/>) for
the construction.</t>
        <t>The commitment is a commitment_length-octet value the payload schedule
derives from the CEK, payload_info, and the global associated data G
(<xref target="key-derivation"/>).</t>
        <t>Before decrypting any segment, a reader derives the expected commitment
from the CEK, payload_info, and G, and compares it octet-for-octet with
the stored value.  A reader <bcp14>MUST</bcp14> verify the commitment before decrypting
any segment and <bcp14>MUST</bcp14> treat a mismatch as an authentication failure for
the object.  A mismatch indicates a wrong key, a wrong parameter set, a
wrong G, or a corrupted header.  This check provides ra-CMT context
commitment.  The reduction outline and bound are in <xref target="key-commitment"/>.</t>
        <t>G is the global associated data input of StartEnc in the raAE primitive
(<xref target="raae-syntax"/>), binding whole-message application context such as a
name, version, or policy.  The key schedule commits G by appending it as
one length-prefixed element after payload_info in the commitment info
input (<xref target="key-derivation"/>), so the commitment covers G just as the
primitive's ciphertext header T_g does (<xref target="FLRR25"/>).</t>
        <t>G is bound through the commitment, which is fixed when the content is
created, so G is immutable:  changing it invalidates the stored
commitment.  Segment contents remain rewritable through the snapshot
authenticator (<xref target="snapshot-authenticator"/>).</t>
        <t>G defaults to the empty octet string, so a message whose application
supplies no context commits over an empty final element.  G is never
stored.  A decryptor supplies it from application context, and a wrong G
fails the commitment check (<xref target="full-decryption"/>) the same way a wrong
CEK does (<xref target="parameter-mismatch"/>).</t>
      </section>
      <section anchor="snapshot-authenticator">
        <name>Snapshot Authenticator</name>
        <t>The snapshot authenticator binds the current segment set into the public
snapshot value.  A SEAL profile selects one with snap_id
(<xref target="snapshot-table"/>).</t>
        <section anchor="snapshot-interface">
          <name>Interface and Requirements</name>
          <t>A snapshot authenticator defines a per-segment input, one value per
segment.  It produces and checks a snapshot value over the (index,
input) set and the count with two operations:</t>
          <dl>
            <dt>snapshot():</dt>
            <dd>
              <t>Produce the snapshot value over the current (index, input) set and
the count n_seg.</t>
            </dd>
            <dt>verify(snapshot):</dt>
            <dd>
              <t>Recompute the snapshot value over the current (index, input) set and
the count and accept only if it matches the stored snapshot, in
constant time.</t>
            </dd>
          </dl>
          <t>For use in a mutable profile, an authenticator provides one of two
update styles:</t>
          <dl>
            <dt>Incremental:</dt>
            <dd>
              <t>The authenticator provides add(i, input), remove(i, input), and
set_length(n).  A single-segment change updates the value in place
without recomputing it over the whole set.  add folds one segment's
input into the running value, remove takes one back out, and
set_length sets the segment count to n.  An authenticator that
provides add but omits remove rebuilds the value by re-adding the
surviving segments.</t>
            </dd>
            <dt>Recompute-on-change:</dt>
            <dd>
              <t>The authenticator omits add, remove, and set_length.  A single-
segment change recomputes the snapshot over the updated (index,
input) set and the new count and re-publishes it.  The consuming
protocol serializes concurrent rewrites so that each recomputation
binds a consistent set.</t>
            </dd>
          </dl>
          <t>SEAL's authenticators define the per-segment input as follows.  The
masked multiset hash is incremental and uses the segment's AEAD tag
(<xref target="masked-multiset-hash"/>).  The digest transcript
(<xref target="digest-transcript"/>) and the epoch digest tree
(<xref target="epoch-digest-tree"/>) are recompute-on-change and use the segment
leaf:</t>
          <artwork><![CDATA[
leaf(i) = LH(ct_i) || tag(i)
]]></artwork>
          <t>This binds the segment's ciphertext through the collision resistance of
LH and binds the presented nonce, segment index, and finality through
the tag.</t>
          <t>The scheme's RewriteSeg and SnapVerify (<xref target="raae-writable"/>) are realized
from these operations.  SnapVerify(S, segments, snapshot) checks a
stored snapshot:</t>
          <ol spacing="normal" type="1"><li>
              <t>Let n_seg be the number of present segments.</t>
            </li>
            <li>
              <t>Verify that the present segments occupy exactly the indices
  0..n_seg-1, each once.  Finality is not checked here: is_final is
  authenticated by the segment AEAD at decryption, and
  <xref target="full-decryption"/> rejects a present set whose highest-indexed
  segment does not carry is_final = 1.</t>
            </li>
            <li>
              <t>Call verify(snapshot) over the present (index, input) set and the
  count n_seg.</t>
            </li>
          </ol>
          <t>A duplicate or missing index is caught only by step 2, because an
authenticator's verify <bcp14>MAY</bcp14> accept a malformed index multiset.  An
implementation <bcp14>MUST NOT</bcp14> skip the index-set check.  SEAL's masked
multiset hash realizes verify in <xref target="masked-multiset-hash"/>.</t>
          <t>SnapVerify above checks the whole-object target.  An authenticator <bcp14>MAY</bcp14>
also support a single-segment target that verifies one (index, input)
against the recorded set.  The masked multiset hash reads all tags and
supports the whole-object target only.  The digest transcript likewise
supports the whole-object target at this layer.  A consuming protocol
that carries its leaf list can verify a single segment against an
authenticated snapshot value (<xref target="digest-transcript"/>).  The snapshot
value stays a single target-independent value of length Na, with no
per-segment proof stored.</t>
          <t>A conforming authenticator's snapshot() <bcp14>MUST</bcp14> bind both the (index,
input) set and the count n_seg, so a verifier detects any added,
dropped, reordered, re-marked, or otherwise altered segment, and the
snapshot value <bcp14>MUST</bcp14> be unforgeable by a party without the
authenticator's key, under that authenticator's security assumption.
How the value is computed, and whether a single-segment change updates
it in place or rebuilds it, is the authenticator's choice.  The masked
multiset hash (<xref target="masked-multiset-hash"/>) updates in place in O(1).  The
digest transcript (<xref target="digest-transcript"/>) recomputes over the full leaf
list, and the epoch digest tree (<xref target="epoch-digest-tree"/>) recomputes only
the affected epoch head and the snapshot.</t>
          <t>The snapshot value length is written Na and <bcp14>MAY</bcp14> depend on n_seg, with Na
= 0 meaning no value.  A fixed-length authenticator suits any layout,
while a count-dependent one is supported only by the split layout of a
mutable object (<xref target="file-layouts"/>).</t>
          <t>A segment's finality is a function of its index and the count:</t>
          <artwork><![CDATA[
is_final(i) = 1 if i = n_seg - 1, else 0
]]></artwork>
          <t>It is carried by that segment's input.  Because finality follows the
count, changing n_seg re-marks the boundary segment on its own, so
rewrite, extend, and truncate are one update over the segments whose
input changes:</t>
          <ol spacing="normal" type="1"><li>
              <t>Under the current count, remove each changed segment's current
  input (remove(i, input)).  The current n_seg fixes which segment
  is terminal, so each removal carries that segment's current finality.</t>
            </li>
            <li>
              <t>Set the length to the new count (set_length(n)).</t>
            </li>
            <li>
              <t>Under the new count, re-encrypt each surviving changed segment under
  its new finality and add its new input (add(i, input)).  New
  segments are added here.  Discarded segments are not added back.</t>
            </li>
            <li>
              <t>Call snapshot(), which recomputes the snapshot value over the new
  count and segment set.</t>
            </li>
          </ol>
          <t>Each operation is an instance of that shape over different segments:</t>
          <table anchor="length-change-table">
            <name>Rewrite, extend, and truncate</name>
            <thead>
              <tr>
                <th align="left">Operation</th>
                <th align="left">Count</th>
                <th align="left">Inputs removed</th>
                <th align="left">Inputs added</th>
                <th align="left">Terminal re-mark</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Rewrite</td>
                <td align="left">unchanged</td>
                <td align="left">the changed segment</td>
                <td align="left">the changed segment</td>
                <td align="left">none</td>
              </tr>
              <tr>
                <td align="left">Extend by k</td>
                <td align="left">n_seg to n_seg+k</td>
                <td align="left">old terminal</td>
                <td align="left">old terminal and k new</td>
                <td align="left">old final, 1 to 0 (none if empty)</td>
              </tr>
              <tr>
                <td align="left">Truncate to m</td>
                <td align="left">n_seg to m</td>
                <td align="left">the tail and old terminal</td>
                <td align="left">new terminal</td>
                <td align="left">new final, 0 to 1 (none if m=0)</td>
              </tr>
            </tbody>
          </table>
          <t>Each operation re-encrypts only the segments whose input changes, so a
caller that cannot recover a re-encrypted segment's plaintext cannot
perform it.</t>
          <t>This sequence uses remove, so it is the mutable-authenticator path.  An
authenticator that omits remove instead resets and re-adds the surviving
segments to rebuild the snapshot value.</t>
        </section>
        <section anchor="snapshot-selection">
          <name>Selecting an Authenticator</name>
          <t>A SEAL profile selects its snapshot authenticator with snap_id
(<xref target="snapshot-table"/>):  0x0000 for none, 0x0001 for the masked multiset
hash, 0x0002 for the digest transcript, or 0x0003 for the epoch digest
tree.</t>
        </section>
        <section anchor="snapshot-none">
          <name>None</name>
          <t>With snap_id = 0x0000 there is no snapshot authenticator: no snapshot
value is produced (Na = 0), snapshot() and verify() are no-ops, and a
mutable object rests on per-segment authentication alone.  Such a
profile <bcp14>MUST NOT</bcp14> produce the empty object (n_seg = 0).  With no snapshot
value to bind the zero count, a truncation that removed every segment
would be indistinguishable from a legitimate empty object, so a valid
object always has at least one segment (<xref target="snapshot-limitations"/>).</t>
        </section>
        <section anchor="masked-multiset-hash">
          <name>Masked Multiset Hash</name>
          <t>With snap_id = 0x0001 the snapshot authenticator builds an updatable,
masked multiset hash over the segment tags.  It accumulates one indexed,
keyed contribution per segment, in the MSet-XOR-Hash form of Clarke et
al.  (<xref target="MSetHash"/>), then publishes that accumulator behind a
deterministic mask this document adds.  Its per-segment contribution is:</t>
          <artwork><![CDATA[
contrib(i) = KDF(protocol_id, contrib_label,
                 [snap_key],
                 [uint64(i), tag(i)], Nh)
]]></artwork>
          <t>The masked multiset hash fixes three labels:  contrib_label =
"acc_contrib", snapshot_tag_label = "snapshot_tag", and
snapshot_mask_label = "snapshot_mask", each distinct from all other SEAL
labels.</t>
          <t>The finality bit is bound through tag(i):  it is an AEAD input in both
nonce modes (segment_aad in random mode, the low nonce bit in derived
mode, <xref target="derived-nonces"/>), so flipping it changes tag(i), hence
contrib(i), hence the accumulator.  No explicit binding in contrib is
needed.</t>
          <t>The masked multiset hash aggregates the per-segment contributions into
the accumulator acc by bitwise XOR:</t>
          <artwork><![CDATA[
acc = contrib(0) XOR contrib(1) XOR ... XOR contrib(n_seg-1)
]]></artwork>
          <t>The accumulator is an Nh-octet value, with the all-zero string as the
value for the empty segment set.
XOR is order-independent, so the accumulator does not depend on segment
order, and it is its own inverse, so rewriting segment i removes its old
contribution and adds the new one by XOR, in O(1) time and without
re-reading any other segment.</t>
          <t>An object with n_seg = 0 is a valid empty object.  It holds the salt,
the commitment, and the snapshot value, with no ciphertext segments and
no per-segment tags.  Its accumulator is the XOR over the empty segment
set, namely 0^Nh, and the same masking as any other count applies, so
the empty snapshot is not a fixed constant but a masked authenticator
over zero segments:</t>
          <artwork><![CDATA[
acc          = 0^Nh
snapshot_tag = snaptag(0, 0^Nh)
mask         = snapmask(0, snapshot_tag)
snapshot     = snapval(0, 0^Nh) = mask || snapshot_tag
]]></artwork>
          <t>An empty object is distinct from a zero-length plaintext, which is one
final segment (n_seg = 1) whose plaintext has length 0.</t>
          <t>To rewrite segment i without re-reading the other tags, the writer first
recovers the accumulator from the stored snapshot by removing the mask,
acc = wrapped_acc XOR snapmask(n_seg, snapshot_tag).  It then XORs
contrib(i) computed from the old tag (stored alongside the ciphertext)
out of acc, XORs in contrib(i) computed from the new tag, and produces
the new snapshot value over the unchanged count.  The wrapped_acc and
snapshot_tag <bcp14>MUST</bcp14> come from locally trusted snapshot state
(<xref target="full-rewrite"/>).</t>
          <t>The accumulator is linear, and publishing it in the clear would let a
write adversary recombine the differences between successive values into
a non-historical segment set (<xref target="appendix-snapshot"/>).  The masked
multiset hash therefore does two things.  First it authenticates the
count and accumulator with the snapshot tag, a message authentication
code (MAC) under snap_key with its own label:</t>
          <artwork><![CDATA[
snaptag(n_seg, acc) = KDF(protocol_id, snapshot_tag_label,
                          [snap_key],
                          [uint64(n_seg), acc], Nh)
]]></artwork>
          <t>Write snapshot_tag = snaptag(n_seg, acc) for the present count and
accumulator.  Second, the masked multiset hash derives a mask from
snap_key under the third label, seeded by that synthetic tag rather than
by a fresh nonce, and XORs it into the accumulator to form the masked
accumulator wrapped_acc:</t>
          <artwork><![CDATA[
snapmask(n_seg, snapshot_tag) =
    KDF(protocol_id, snapshot_mask_label,
        [snap_key],
        [uint64(n_seg), snapshot_tag], Nh)

mask        = snapmask(n_seg, snapshot_tag)
wrapped_acc = acc XOR mask
snapshot    = wrapped_acc || snapshot_tag
]]></artwork>
          <t>Seeding the mask with the synthetic tag rather than a fresh nonce is the
synthetic-IV derandomization of deterministic authenticated encryption
(<xref target="DAE"/>):  the snapshot stays a deterministic function of (n_seg, acc)
while the published accumulator is hidden behind a one-time pad
(<xref target="appendix-snapshot"/>).  The count n_seg is not stored in the snapshot
value.  The verifier supplies it as the number of segments present, and
snaptag binds it under the MAC.</t>
          <t>The masked multiset hash stores wrapped_acc and snapshot_tag, each Nh
octets, so Na = 2*Nh.  <xref target="snapshot-interface"/> defines Na in general.</t>
          <t>As a function of the count and accumulator, the snapshot value is</t>
          <artwork><![CDATA[
snapval(n_seg, acc) = wrapped_acc || snapshot_tag
]]></artwork>
          <t>The snapshot tag binds n_seg and the accumulator under snap_key, and the
mask hides the accumulator behind a tag-derived one-time pad.  The
forgery bound and the masking argument are in <xref target="snapshot-security"/> and
<xref target="appendix-snapshot"/>.</t>
          <t>SnapVerify runs only after the verifier has re-derived and checked the
commitment as part of decryption (<xref target="full-decryption"/>).  The snapshot's
per-object binding rests on snap_key (<xref target="appendix-snapshot"/>).</t>
          <t>The masked multiset hash realizes verify(snapshot) for the SnapVerify
of <xref target="snapshot-interface"/>.  SnapVerify supplies the count n_seg and the
present segment tags:</t>
          <artwork><![CDATA[
verify(snapshot):
  ;; Caller (SnapVerify, {{snapshot-interface}}) MUST already have
  ;; checked that the present indices are exactly 0..n_seg-1, each
  ;; once.  This accumulator is order-independent under XOR, so a
  ;; duplicate or missing index is invisible here and MUST NOT be
  ;; skipped by the caller.
  acc_calc      = XOR over i of contrib(i)   ;; present segment tags
  tag_calc      = snaptag(n_seg, acc_calc)
  snapshot_calc = (acc_calc XOR snapmask(n_seg, tag_calc)) || tag_calc
  compare snapshot_calc to snapshot in constant time
          (on any mismatch, reject)
  return accept
]]></artwork>
          <t>The comparison runs in constant time (<xref target="constant-time"/>).  Because the
accumulator is order-independent under XOR, a duplicate or missing
index can leave acc_calc recomputing to the genuine accumulator and the
comparison passing, which is why SnapVerify's index-set check
(<xref target="snapshot-interface"/>) is mandatory.</t>
          <t>verify returns only accept or reject.  An implementation <bcp14>MUST NOT</bcp14>
surface the recomputed accumulator or any value derived from it, and
<bcp14>MUST NOT</bcp14> signal through an error code or timing whether the snapshot tag
matched while the masked accumulator did not.  The mask hides the
accumulator only against a one-bit verifier:  exposing it, or
distinguishing a tag-valid accumulator-mismatch from a plain reject,
reinstates the recombination attack of <xref target="appendix-snapshot"/>.</t>
          <t>A modified tag or count changes the recomputed snapshot, and a different
key or parameter context fails the commitment check that precedes
SnapVerify (<xref target="full-decryption"/>).  The forgery bound is in
<xref target="snapshot-security"/> and the rollback limitation in
<xref target="snapshot-limitations"/>.</t>
        </section>
        <section anchor="digest-transcript">
          <name>Digest Transcript</name>
          <t>With snap_id = 0x0002 the snapshot authenticator is a per-object digest
transcript:  one keyed KDF evaluation over the ordered list of
per-segment digests.  It has no accumulator and no mask, and it
recomputes over the full leaf list on any rewrite.  Its distinguishing
property is that the snapshot value binds each segment's ciphertext
bytes, not only its AEAD tag, so the binding holds even against an
adversary that holds the CEK and every key derived from it
(<xref target="snapshot-security-dt"/>).  A consuming protocol that authenticates the
snapshot value, for example by binding it into a signed reference or
manifest, extends that binding to per-segment origin authentication.</t>
          <t>Its per-segment input is the segment leaf, the ciphertext digest
concatenated with the AEAD tag:</t>
          <artwork><![CDATA[
leaf(i) = LH(ct_i) || tag(i)
]]></artwork>
          <t>LH is the length-prefix digest of <xref target="concrete-framing"/>, so LH(ct_i) is a
fixed Nh-octet value that binds segment i's ciphertext through the
collision resistance of LH for any segment length, and leaf(i) is the
fixed Nh + Nt octet concatenation of that digest with the segment's AEAD
tag.  The ciphertext digest is a deterministic function of public object
bytes, so any party can recompute or publish it without holding a key.
The tag is the value the AEAD already produced for the segment.  leaf(i)
is the digest transcript's per-segment input, taking the role
<xref target="snapshot-interface"/> assigns the tag for an Incremental authenticator.</t>
          <t>The leaf binds the segment's index and finality, and the presented
nonce, through the tag.  The tag authenticates the segment AAD, which
carries the index and is_final in random nonce mode and is empty in
derived nonce mode where the nonce carries them
(<xref target="concrete-segment-aad"/>), and the tag is a function of the presented
nonce, so a segment cannot be reinterpreted under a different nonce
without changing the tag and hence the leaf.  Position within the object
is bound by the ordered transcript below and the count by n_seg.
Because the tag binds the index and finality in either nonce mode,
snap_id 0x0002 places no restriction on the nonce mode.</t>
          <t>The snapshot value is one keyed derivation over the commitment, the
count, and the ordered leaf list:</t>
          <artwork><![CDATA[
snapshot = KDF(protocol_id, transcript_label, [snap_key],
               [commitment, uint64(n_seg),
                leaf(0), ..., leaf(n_seg-1)], Nh)
]]></artwork>
          <t>so Na = Nh.  The digest transcript fixes one label, transcript_label =
"snap_transcript", distinct from all other SEAL labels under the encode
frame (<xref target="concrete-framing"/>).  The injective framing of the ordered list
binds each leaf's position and the count, so a leaf cannot move to
another index without changing the transcript.  The snap_key ikm makes
the value unforgeable without the key (<xref target="snapshot-interface"/>).  The
commitment element repeats the object's commitment
(<xref target="framework-commitment"/>) inside the transcript.  For SnapVerify alone
it is redundant, because snap_key already binds the CEK and salt.  It is
load-bearing for a consuming protocol that lifts the snapshot value into
a signature or MAC, which then carries the full object context (CEK,
payload_info, and G) and cannot be replayed against another object
(<xref target="snapshot-security-dt"/>).</t>
          <t>The digest transcript realizes verify(snapshot) as follows.  The
caller (SnapVerify, <xref target="snapshot-interface"/>) <bcp14>MUST</bcp14> already have checked
that the present indices are exactly 0..n_seg-1, each once.</t>
          <artwork><![CDATA[
verify(snapshot):
  ;; The caller has checked the present index set (see above).
  for i in 0 .. n_seg-1:
      leaf_calc(i) = LH(ct_i) || tag(i) over the stored segment i
  snapshot_calc = KDF(protocol_id, transcript_label, [snap_key],
                      [commitment, uint64(n_seg),
                       leaf_calc(0), ..., leaf_calc(n_seg-1)], Nh)
  compare snapshot_calc to snapshot in constant time
          (on any mismatch, reject)
  return accept
]]></artwork>
          <t>The comparison runs in constant time (<xref target="constant-time"/>).  The
index-set check in SnapVerify remains mandatory
(<xref target="snapshot-interface"/>).  Here it is defense in depth rather than
load-bearing, because a malformed index multiset changes the framed
leaf list and the recomputed value with it.</t>
          <t>The digest transcript is per-object (<xref target="snapshot-interface"/>): it
provides no add, remove, or set_length, and produces the snapshot in a
single KDF call over the leaf list.  Any change to the segment set
recomputes the transcript over the new leaf list.  Under a write-once
profile the value is computed once at encryption and only verified
thereafter.  Under a mutable profile a rewrite recomputes the transcript
over the updated leaf list and re-publishes the new snapshot value
(<xref target="profiles"/>).</t>
          <t>An object with n_seg = 0 is a valid empty object under the digest
transcript.  The leaf list is empty and the snapshot value is
KDF(protocol_id, transcript_label, [snap_key], [commitment,
uint64(0)], Nh), so the count is bound and truncation to the empty
object is distinguishable from a legitimate empty object.</t>
          <t>verify above recomputes each leaf from the stored segment bytes, so
whole-object SnapVerify reads the full object.  A layout or consuming
protocol <bcp14>MAY</bcp14> store or carry the leaf list itself:  the aligned and
split layouts hold leaf(i) in each per-segment metadata entry
(<xref target="aligned-layout"/>), and a consuming protocol using the linear
layout <bcp14>MAY</bcp14> carry the list beside the object, for example in a
manifest.  A reader <bcp14>MAY</bcp14> then verify the transcript over the stored or
carried leaves without reading any ciphertext, and <bcp14>MUST</bcp14> compare
leaf(i), recomputed from the one segment it reads, against the stored
or carried entry at position i before treating that segment as
covered by the snapshot.  A segment whose recomputed leaf does not
match fails authentication.  This is the single-segment pattern of
<xref target="snapshot-interface"/>, and it is how a consuming protocol obtains
per-segment origin authentication from one authenticated snapshot
value.</t>
          <t>A modified segment, tag, or count changes the recomputed transcript,
and a different key or parameter context fails the commitment check
that precedes SnapVerify (<xref target="full-decryption"/>).  The forgery and
binding arguments are in <xref target="snapshot-security-dt"/>.</t>
        </section>
        <section anchor="epoch-digest-tree">
          <name>Epoch Digest Tree</name>
          <t>With snap_id = 0x0003 the snapshot authenticator is an epoch digest
tree.  Segment leaves (<xref target="digest-transcript"/>) fold into per-epoch heads,
and the heads fold into the snapshot.  A reader verifies one segment
from two aligned metadata reads plus the segment itself:  the target
epoch's leaf run, and the epoch-heads region.  Each of those two
metadata reads is one segment_max or less for objects up to roughly 128
GB at the recommended parameters (<xref target="epoch-transcript-table"/>).  The
design has the digest transcript's binding properties and adds this
bounded random-access verification for large objects.</t>
          <figure anchor="fig-epoch-transcript">
            <name>Epoch digest tree: leaves in each epoch are folded by a keyed transcript into one epoch head, and the epoch heads are folded by a keyed transcript into the snapshot.  There is no Merkle path</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="576" viewBox="0 0 576 272" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,48 L 8,80" fill="none" stroke="black"/>
                  <path d="M 232,48 L 232,80" fill="none" stroke="black"/>
                  <path d="M 296,176 L 296,192" fill="none" stroke="black"/>
                  <path d="M 344,48 L 344,80" fill="none" stroke="black"/>
                  <path d="M 568,48 L 568,80" fill="none" stroke="black"/>
                  <path d="M 8,48 L 232,48" fill="none" stroke="black"/>
                  <path d="M 344,48 L 568,48" fill="none" stroke="black"/>
                  <path d="M 8,80 L 232,80" fill="none" stroke="black"/>
                  <path d="M 344,80 L 568,80" fill="none" stroke="black"/>
                  <path d="M 144,176 L 464,176" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="48" y="36">epoch</text>
                    <text x="80" y="36">0</text>
                    <text x="400" y="36">epoch</text>
                    <text x="440" y="36">E-1</text>
                    <text x="40" y="68">ct(0)</text>
                    <text x="88" y="68">ct(1)</text>
                    <text x="128" y="68">...</text>
                    <text x="184" y="68">ct(2^r-1)</text>
                    <text x="288" y="68">...</text>
                    <text x="384" y="68">ct(...)</text>
                    <text x="432" y="68">...</text>
                    <text x="504" y="68">ct(n_seg-1)</text>
                    <text x="136" y="100">|</text>
                    <text x="456" y="100">|</text>
                    <text x="80" y="116">keyed</text>
                    <text x="148" y="116">transcript</text>
                    <text x="212" y="116">over</text>
                    <text x="400" y="116">keyed</text>
                    <text x="468" y="116">transcript</text>
                    <text x="532" y="116">over</text>
                    <text x="72" y="132">the</text>
                    <text x="120" y="132">epoch's</text>
                    <text x="180" y="132">leaves</text>
                    <text x="392" y="132">the</text>
                    <text x="440" y="132">epoch's</text>
                    <text x="500" y="132">leaves</text>
                    <text x="136" y="148">|</text>
                    <text x="456" y="148">|</text>
                    <text x="132" y="164">d(0)</text>
                    <text x="460" y="164">d(E-1)</text>
                    <text x="280" y="212">keyed</text>
                    <text x="348" y="212">transcript</text>
                    <text x="276" y="228">over</text>
                    <text x="320" y="228">epoch</text>
                    <text x="368" y="228">heads</text>
                    <text x="296" y="244">|</text>
                    <text x="300" y="260">snapshot</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
   epoch 0                                     epoch E-1
+---------------------------+             +---------------------------+
| ct(0) ct(1) ... ct(2^r-1) |     ...     | ct(...) ...  ct(n_seg-1)  |
+---------------------------+             +---------------------------+
                |                                       |
       keyed transcript over                   keyed transcript over
       the epoch's leaves                      the epoch's leaves
                |                                       |
              d(0)                                    d(E-1)
                +-------------------+-----+-----+--------+
                                    |
                                keyed transcript
                                over epoch heads
                                    |
                                 snapshot
]]></artwork>
            </artset>
          </figure>
          <t>The leaf is:</t>
          <artwork><![CDATA[
L(i) = leaf(i) = LH(ct_i) || tag(i)
]]></artwork>
          <t>d_e is the epoch head over one epoch's leaves, and the snapshot is the
keyed digest over d_0 ..  d_{E-1}.</t>
          <t>Its per-segment leaf is leaf(i) = LH(ct_i) || tag(i), exactly as in
<xref target="digest-transcript"/>.</t>
          <t>Segments are grouped into epochs of 2^r consecutive indices, where r =
epoch_length (<xref target="epoch-key-derivation"/>) is reused as the grouping
fan-out, so no new parameter is added.  Each epoch holds 2^r consecutive
segments.  Only the final epoch may be short.</t>
          <artwork><![CDATA[
epoch e  =  segments  e * 2^r  ..  min((e+1) * 2^r, n_seg) - 1
E = ceil(n_seg / 2^r) epochs
]]></artwork>
          <t>There are E epochs, the same grouping the epoch key uses, so each epoch
head covers exactly the segments under one epoch key.</t>
          <t>The epoch head d_e is a keyed digest over that epoch's leaves:</t>
          <artwork><![CDATA[
epoch_run(e) = leaf(e * 2^r) || ... || leaf(last index in epoch e)
d_e = KDF(protocol_id, epoch_head_label, [snap_key],
          [LH(epoch_run(e))], Nh)
]]></artwork>
          <t>The leaves are fixed length (Nh + Nt octets) and the epoch heads are
fixed length (Nh octets), so each run parses unambiguously given its
element count, which n_seg and epoch_length fix.</t>
          <t>An epoch head needs no index or count of its own.  Its position is bound
by where d_e sits in the ordered heads_run, exactly as a leaf's position
is bound by the ordered transcript in <xref target="digest-transcript"/>.  The final
epoch's size is fixed by n_seg and epoch_length, both already bound
(n_seg in the snapshot below, epoch_length in snap_key through
payload_info), so a partial final epoch needs no explicit count.</t>
          <t>Because the epoch heads carry no index or count of their own and the
segmentation is recovered only from n_seg and epoch_length, a profile
that selects the epoch digest tree <bcp14>MUST</bcp14> bind epoch_length into snap_key.
SEAL satisfies this through payload_info, which carries epoch_length
into the snap_key derivation.  A profile that left epoch_length unbound
would let a key holder present one heads_run under a different fan-out,
defeating the position and count binding above.</t>
          <t>A full leaf run can be larger than the 0xFFFE-octet frame literal
(<xref target="concrete-framing"/>), so LH compresses it to a fixed Nh octets before
it enters the KDF, and every element the KDF sees stays at most Nh
octets.</t>
          <t>The snapshot value is a keyed digest over the epoch heads:</t>
          <artwork><![CDATA[
heads_run = d_0 || d_1 || ... || d_{E-1}
snapshot = KDF(protocol_id, head_label, [snap_key],
               [commitment, uint64(n_seg), LH(heads_run)], Nh)
]]></artwork>
          <t>so Na = Nh.  LH pre-hashes the heads run for the same reason.  The epoch
digest tree fixes two labels, epoch_head_label = "snap_epoch" and
head_label = "snap_epoch_root", each distinct from all other SEAL labels
under the encode frame (<xref target="concrete-framing"/>).  The commitment and count
are bound as in <xref target="digest-transcript"/>, and the snap_key ikm makes the
value unforgeable without the key (<xref target="snapshot-interface"/>).</t>
          <t>Because the leaf binds the tag (<xref target="digest-transcript"/>), the epoch digest
tree places no restriction on the nonce mode.</t>
          <t>A reader stores the E epoch heads in the header alongside the snapshot
value, and the per-segment leaves in the metadata entries.
<xref target="aligned-layout"/> gives the layout, and the snapshot value is Nh
octets.  The epoch heads are recomputable from the leaves, so an
implementation <bcp14>MAY</bcp14> store none of them and recompute them, at the cost of
reading every leaf.</t>
          <t>The two-read random-access verification below requires a layout whose
per-segment leaves are contiguous within an epoch, so one seek reads the
whole epoch:  the aligned layout (<xref target="aligned-layout"/>) or the split
layout (<xref target="split-layout"/>).  Under the linear layout the leaves are
interleaved with the ciphertext, so this property does not hold and a
reader gathers an epoch's leaves with one seek per segment.</t>
          <t>verify(snapshot) recomputes the whole transcript.  The caller
(SnapVerify, <xref target="snapshot-interface"/>) <bcp14>MUST</bcp14> already have checked that the
present indices are exactly 0..n_seg-1, each once.</t>
          <artwork><![CDATA[
verify(snapshot):
  ;; The caller has checked the present index set (see above).
  for e in 0 .. E-1:
      d_calc(e) = KDF(protocol_id, epoch_head_label, [snap_key],
                      [LH(epoch_run(e))], Nh)
  snapshot_calc = KDF(protocol_id, head_label, [snap_key],
                      [commitment, uint64(n_seg),
                       LH(d_calc(0) || ... || d_calc(E-1))], Nh)
  compare snapshot_calc to snapshot in constant time
          (on any mismatch, reject)
  return accept
]]></artwork>
          <t>Random-access verification of one segment costs two aligned reads beyond
the segment itself.  A reader verifies the head once and keeps the epoch
heads, then per segment:</t>
          <artwork><![CDATA[
verify_segment(i):    ;; aligned or split layout
  ;; once per object, then cached:
  read the epoch-heads region (E * Nh octets), which follows the
      snapshot value in the header ({{aligned-layout}})
  head_calc = KDF(protocol_id, head_label, [snap_key],
                  [commitment, uint64(n_seg), LH(d_0 || ... ||
                   d_{E-1})], Nh)
  check head_calc equals the stored snapshot (constant time)
  ;; per segment i:
  e = i >> epoch_length
  read epoch e's leaf run, min(2^r, n_seg - e * 2^r) leaves,
      from segment e * 2^r's metadata entry ({{aligned-layout}})
      ;; one aligned read
  d_calc = KDF(protocol_id, epoch_head_label, [snap_key],
               [LH(epoch_run(e))], Nh)
  check d_calc equals the cached d_e (constant time)
  read segment i from the data region ({{aligned-layout}})
  leaf_calc = LH(ct_i) || tag(i)
  check leaf_calc equals the stored leaf at position i mod 2^r
      within epoch e's run (constant time)
]]></artwork>
          <t>A cold single-segment check is two metadata reads, the epoch-heads
region and one epoch's leaf run, each one aligned read up to the ceiling
(<xref target="epoch-transcript-table"/>).  A reader scanning many segments reads the
epoch-heads region once and then one epoch leaf run per epoch, so the
amortized cost is one metadata read per segment.</t>
          <t>All comparisons run in constant time (<xref target="constant-time"/>).  A segment
whose recomputed leaf, epoch head, or head does not match fails
authentication.  The reader recomputes only its own leaf and its own
epoch head and reads no other segment's ciphertext.</t>
          <t>The epoch digest tree is per-object (<xref target="snapshot-interface"/>): it
provides no add, remove, or set_length.</t>
          <t>A rewrite of segment i recomputes only epoch e's head and the snapshot
value, where e = i &gt;&gt; epoch_length, leaving the other epoch heads
unchanged.  As with any keyed snapshot, a consuming protocol that signed
the value re-signs the new one.  Under a write-once profile the value is
computed once at encryption.  Under a mutable profile a rewrite is the
same two aligned metadata reads as verification (the epoch's leaf run
and the epoch-heads region) followed by three metadata writes: the new
leaf, the new epoch head, and the new snapshot value (<xref target="profiles"/>).</t>
          <t>An object with n_seg = 0 has E = 0 and an empty heads run:</t>
          <artwork><![CDATA[
snapshot = KDF(protocol_id, head_label, [snap_key],
               [commitment, uint64(0), LH("")], Nh)
]]></artwork>
          <t>so the count is bound and truncation to the empty object is
distinguishable.</t>
          <t>Choose the largest epoch_length whose epoch leaf run still fits
one aligned read (<xref target="aligned-layout"/>), so recomputing an epoch
head is a single read:</t>
          <artwork><![CDATA[
2^r * meta_len  <=  segment_max
]]></artwork>
          <t>The values below are for a derived-nonce entry (Np = 0, meta_len = Nt +
Nh).  A random-nonce entry has meta_len = Np + Nt + Nh.  Recompute r
from the rule above.</t>
          <table anchor="epoch-transcript-table">
            <name>Suggested epoch_length by segment_max and KDF output length Nh</name>
            <thead>
              <tr>
                <th align="left">segment_max</th>
                <th align="left">Nh</th>
                <th align="left">Suggested epoch_length</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">65536</td>
                <td align="left">32 or 48</td>
                <td align="left">10</td>
              </tr>
              <tr>
                <td align="left">65536</td>
                <td align="left">64</td>
                <td align="left">9</td>
              </tr>
              <tr>
                <td align="left">16384</td>
                <td align="left">32 or 48</td>
                <td align="left">8</td>
              </tr>
              <tr>
                <td align="left">16384</td>
                <td align="left">64</td>
                <td align="left">7</td>
              </tr>
            </tbody>
          </table>
          <t>The epoch-heads region of the header is E * Nh octets, one aligned read
up to about 128 GiB at r = 10, Nh = 32, and segment_max 65536.  Past
that it spans 1 + ceil(content size / that ceiling) reads.  A tree over
the epoch heads would restore a single bounded read but is out of scope.</t>
          <t>The forgery and binding arguments are in <xref target="snapshot-security-dt"/>.</t>
        </section>
      </section>
      <section anchor="segment-subroutines">
        <name>Segment Algorithms</name>
        <t>The construction defines the per-segment subroutines EncryptSegment,
DecryptSegment, and RewriteSegment.  In this random-access construction,
is_final is an explicit input to each subroutine.  Full-message
encryption derives it from the total segment count n_seg, while
random-access decryption and rewrite callers supply it directly.  The
full-message procedures (<xref target="full-encryption"/>, <xref target="full-decryption"/>,
<xref target="extend"/>) and the rewrite procedure (<xref target="full-rewrite"/>) compose them.</t>
        <t>Each subroutine is the cryptographic core of one operation of the base
or extended raAE interface (<xref target="raae-syntax"/>, <xref target="raae-writable"/>),
refining the operation-level mapping of <xref target="op-mapping"/> to the signature
level.  The primitive's position identifier p = (i, b) appears here as
the explicit arguments i and is_final.  Its immutable state S is
realized by the payload schedule:  the segment_key(i), nonce(i), and
segment_aad calls below read the schedule from context rather than
taking S as an argument.  Its message segment M_i is the plaintext P_i,
and its opaque ciphertext segment C_i is stored as the field triple
(nonce_metadata(i), ct_i, tag_i).</t>
        <table anchor="subroutine-mapping">
          <name>Segment subroutines and the primitive operations they realize</name>
          <thead>
            <tr>
              <th align="left">Subroutine</th>
              <th align="left">Realizes</th>
              <th align="left">Composed by</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">EncryptSegment</td>
              <td align="left">EncSeg</td>
              <td align="left">
                <xref target="full-encryption"/>, <xref target="extend"/></td>
            </tr>
            <tr>
              <td align="left">DecryptSegment</td>
              <td align="left">DecSeg</td>
              <td align="left">
                <xref target="full-decryption"/></td>
            </tr>
            <tr>
              <td align="left">RewriteSegment</td>
              <td align="left">the encryption core of RewriteSeg</td>
              <td align="left">
                <xref target="full-rewrite"/> and <xref target="extend"/>, which add the snapshot bookkeeping</td>
            </tr>
          </tbody>
        </table>
        <t>These subroutines emit ct_i and tag_i as separate fields, and ct_i has
length len(P_i), which can be shorter than segment_max.  The consuming
format conveys each segment's ciphertext length to the decoder so
DecryptSegment can recover the two fields, as required by
<xref target="concrete-segment-aad"/>.</t>
        <t>In every subroutine, i is the segment index (a non-negative integer),
is_final is 1 for the last segment and 0 for all others, A_i is the
caller-supplied associated data for segment i, and P_i is the segment
plaintext.  The subroutines call segment_key(i) and nonce(i) as defined
in <xref target="key-derivation"/>, with nonce(i) following the chosen nonce_mode,
and segment_aad(i, is_final, A_i) as defined in
<xref target="concrete-segment-aad"/>.</t>
        <t>nonce_metadata(i) denotes the stored nonce metadata for segment i:
nonce(i) when nonce_mode is "random", and empty when it is "derived".
In random mode DecryptSegment reads its nonce from nonce_metadata_i,
and in derived mode it recomputes nonce(i).</t>
        <section anchor="encryptsegment">
          <name>EncryptSegment</name>
          <artwork><![CDATA[
EncryptSegment(i, is_final, A_i, P_i):
  key   = segment_key(i)
  nonce = nonce(i)                        ;; per nonce_mode
  aad   = segment_aad(i, is_final, A_i)
  C_i   = AEAD.Encrypt(key, nonce, aad, P_i)
  split C_i into ct_i and tag_i
  return (nonce_metadata(i), ct_i, tag_i)
]]></artwork>
          <t>AEAD.Encrypt and AEAD.Decrypt are the interfaces of <xref target="RFC5116"/>
Sections 2.1 and 2.2.  For the AEADs in <xref target="aead-table"/> the tag is the
final Nt octets of C_i, so ct_i is the first len(P_i) octets and
C_i = ct_i || tag_i.  EncryptSegment splits C_i at that boundary, and
DecryptSegment reassembles it.</t>
          <t>The caller supplies the segment's input to the snapshot authenticator
(<xref target="snapshot-authenticator"/>).  The input is the tag tag_i for the masked
multiset hash and the leaf LH(ct_i) || tag(i) for the digest transcript.
EncryptSegment itself does no snapshot work.</t>
        </section>
        <section anchor="decryptsegment">
          <name>DecryptSegment</name>
          <t>DecryptSegment returns the segment plaintext, or a decryption error:</t>
          <artwork><![CDATA[
DecryptSegment(i, is_final, A_i, nonce_metadata_i, ct_i, tag_i):
  key   = segment_key(i)
  nonce = nonce_metadata_i or nonce(i)    ;; per nonce_mode (above)
  aad   = segment_aad(i, is_final, A_i)
  C_i   = ct_i || tag_i
  P_i   = AEAD.Decrypt(key, nonce, aad, C_i)
          (on verification failure, return a decryption error)
  return P_i
]]></artwork>
        </section>
        <section anchor="rewritesegment">
          <name>RewriteSegment</name>
          <t>RewriteSegment assumes the caller has already verified the commitment or
otherwise confirmed it holds the correct CEK.  A rewrite under the wrong
key produces unreadable ciphertext and corrupts the snapshot
authenticator's state.  The error is detectable only on a subsequent
read.</t>
          <t>RewriteSegment(i, is_final, A_i, new_P_i) is defined as
EncryptSegment(i, is_final, A_i, new_P_i): a rewrite is a fresh
encryption of the new plaintext new_P_i.  The output
(new_nonce_metadata_i, new_ct_i, new_tag_i) replaces the stored nonce
metadata, ciphertext, and tag for segment i.</t>
          <t>RewriteSegment produces the replacement ciphertext and tag only.  The
caller updates the snapshot authenticator by reading the stored old tag
and calling remove(i, old_tag_i) then add(i, new_tag_i), or rebuilds if
the authenticator omits remove (<xref target="full-rewrite"/>).</t>
        </section>
      </section>
      <section anchor="toplevel-algorithms">
        <name>Top-level Algorithms</name>
        <t>The top-level algorithms compose the segment subroutines
(<xref target="segment-subroutines"/>) over complete messages.  They call the
snapshot-authenticator operations of <xref target="snapshot-authenticator"/>
(snapshot() and verify() in every profile, and add(i, input), remove(i,
input), and set_length(n) in a mutable profile) without referring to how
any is computed.  The authenticator selected by snap_id
(<xref target="snapshot-table"/>) realizes those operations.  For the masked multiset
hash they reduce to the accumulator, snapshot-tag, and mask formulas of
<xref target="masked-multiset-hash"/>.  For the digest transcript and epoch digest
tree the mutable-interface operations reduce to a recomputation of the
snapshot over the updated (index, input) set.</t>
        <t>These procedures do not expose per-segment associated data, so they pass
an empty A_i to each subroutine.  An application that needs per-segment
A_i calls the subroutines directly.</t>
        <section anchor="read-only-ops">
          <name>Read-Only Operations</name>
          <t>Encryption and decryption are available in every SEAL profile.  They
write a message once and read individual segments.  Neither rewrites a
stored segment.  When the profile configures no snapshot authenticator
(snap_id = 0x0000, <xref target="snapshot-table"/>), the snapshot steps below are
omitted, and a reader relies on per-segment authentication alone.</t>
          <section anchor="full-encryption">
            <name>Encryption</name>
            <t>Encryption runs in two phases.  The first phase derives the per-message
schedule and writes the commitment.  The second encrypts each segment
independently and feeds its input to the snapshot authenticator, and
then snapshot() binds the whole (index, input) set and the count into
the stored snapshot value.  Because the segments are independent, the
second phase may run in any order or in parallel.</t>
            <figure anchor="fig-encrypt-build">
              <name>Key Schedule and Segment Encryption</name>
              <artset>
                <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="528" viewBox="0 0 528 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                    <path d="M 64,48 L 64,64" fill="none" stroke="black"/>
                    <path d="M 64,96 L 64,112" fill="none" stroke="black"/>
                    <path d="M 152,112 L 152,128" fill="none" stroke="black"/>
                    <path d="M 152,160 L 152,176" fill="none" stroke="black"/>
                    <path d="M 152,208 L 152,224" fill="none" stroke="black"/>
                    <path d="M 24,112 L 240,112" fill="none" stroke="black"/>
                    <polygon class="arrowhead" points="160,224 148,218.4 148,229.6" fill="black" transform="rotate(90,152,224)"/>
                    <polygon class="arrowhead" points="160,176 148,170.4 148,181.6" fill="black" transform="rotate(90,152,176)"/>
                    <polygon class="arrowhead" points="160,128 148,122.4 148,133.6" fill="black" transform="rotate(90,152,128)"/>
                    <polygon class="arrowhead" points="72,64 60,58.4 60,69.6" fill="black" transform="rotate(90,64,64)"/>
                    <g class="text">
                      <text x="44" y="36">CEK,</text>
                      <text x="84" y="36">salt</text>
                      <text x="48" y="84">payload</text>
                      <text x="116" y="84">schedule</text>
                      <text x="24" y="132">v</text>
                      <text x="240" y="132">v</text>
                      <text x="44" y="148">commitment</text>
                      <text x="152" y="148">payload_key</text>
                      <text x="252" y="148">snap_key</text>
                      <text x="96" y="196">EncryptSegment(i,</text>
                      <text x="188" y="196">P_i)</text>
                      <text x="248" y="196">using</text>
                      <text x="320" y="196">payload_key</text>
                      <text x="404" y="196">(one</text>
                      <text x="440" y="196">per</text>
                      <text x="492" y="196">segment)</text>
                      <text x="128" y="244">ct_i,</text>
                      <text x="176" y="244">tag_i</text>
                    </g>
                  </svg>
                </artwork>
                <artwork type="ascii-art"><![CDATA[
   CEK, salt
       |
       v
  payload schedule
       |
  .----+----------+----------.
  v               v          v
commitment   payload_key   snap_key
                  |
                  v
   EncryptSegment(i, P_i)   using payload_key   (one per segment)
                  |
                  v
             ct_i, tag_i
]]></artwork>
              </artset>
            </figure>
            <t>The per-segment inputs then feed the snapshot authenticator, which binds
them into the snapshot value (<xref target="snapshot-authenticator"/>).  For the
masked multiset hash the input is the AEAD tag.  For the digest
transcript and the epoch digest tree it is the segment leaf leaf(i) =
LH(ct_i) || tag(i) (<xref target="digest-transcript"/>, <xref target="epoch-digest-tree"/>).  An
Incremental authenticator <bcp14>MAY</bcp14> maintain the value with add and set_length
as each segment is produced.  A Recompute-on-change authenticator
computes snapshot() over the full set.</t>
            <t>An application that writes a new message <bcp14>MUST</bcp14> generate a fresh,
uniformly random salt.  Given a CEK, that salt, a parameter set, G, and
a plaintext P split into segments P_0 through P_{n_seg-1}:</t>
            <artwork><![CDATA[
derive  commitment, payload_key, snap_key from the payload schedule
        (and nonce_base, in derived mode)
store   commitment

for i in 0 .. n_seg-1:
    is_final = 1 if i = n_seg-1, else 0
    nonce_metadata_i, ct_i, tag_i
        = EncryptSegment(i, is_final, empty, P_i)
    store nonce_metadata_i, ct_i, tag_i

if snapshot authentication is enabled (snap_id != 0x0000):
    snapshot = snapshot()   ;; over the (index, input) set and n_seg
    store snapshot
]]></artwork>
            <t>A zero-length plaintext produces a single segment of length 0 with
is_final = 1.</t>
          </section>
          <section anchor="full-decryption">
            <name>Decryption of Segment i</name>
            <t>Opening a segment is a local operation:  check the commitment to reject
a wrong key early, then AEAD-decrypt the one segment.  This yields
per-segment authenticity over the ciphertext core, the segment index,
and the finality bit.  Under a snapshot authenticator (snap_id !=
0x0000), whole-set authenticity is a separate and stronger check that
requires the full present segment set.  It detects any added, dropped,
reordered, or re-marked segment, and same-index rollback to an older
sibling.  A reader holding only one segment gets per-segment
authenticity but <bcp14>MUST NOT</bcp14> claim snapshot integrity until it runs
SnapVerify (<xref target="snapshot-authenticator"/>).  A profile with no snapshot
authenticator (snap_id = 0x0000) defines no snapshot, so per-segment
authenticity is the whole integrity guarantee.</t>
            <t>Given the CEK, salt, parameter set, G, segment index i, finality status,
and the stored ciphertext segment for index i:</t>
            <artwork><![CDATA[
derive  commitment from CEK, salt, and G
derive  payload_key, snap_key from CEK and salt
if stored commitment != derived commitment:  return error
P_i = DecryptSegment(i, is_final, empty, nonce_metadata_i, ct_i, tag_i)
       (return its error on failure)
if snapshot authentication is enabled and the full set is available:
    if SnapVerify(snapshot) fails:  return error  (do not deliver P_i)
return P_i
]]></artwork>
            <t>Here SnapVerify is the three-argument SnapVerify(S, segments, snapshot)
of <xref target="raae-writable"/>, with S the derived schedule and segments the
present set:  (index, tag) pairs for the masked multiset hash, and the
stored segments themselves for the digest transcript
(<xref target="digest-transcript"/>).</t>
            <t>SnapVerify needs its per-segment input for every segment (each tag at
snap_id 0x0001, each leaf at 0x0002 and 0x0003), so a reader that
streams segments in order cannot gate their release on snapshot
integrity without first buffering those inputs or using a layout that
carries them in a header.  Delivering on per-segment authenticity alone
forgoes snapshot freshness for that segment (<xref target="snapshot-limitations"/>).
A streaming reader likewise cannot rule out truncation before the end of
the stream:  plaintext delivered before the highest-indexed segment
verifies under is_final = 1, and before SnapVerify passes where a
snapshot authenticator is configured, <bcp14>MUST</bcp14> be treated as unverified with
respect to completeness.</t>
            <t>A decryptor <bcp14>MUST</bcp14> reject a truncated object, one whose highest-indexed
segment does not carry is_final = 1.  A run of segments 0 through k-1
whose last segment (index k-1) carries is_final = 0 is incomplete, and
the decryptor <bcp14>MUST</bcp14> fail rather than return the partial plaintext.</t>
            <t>The check works because the application supplies the segment count
n_seg, from which the decryptor derives the finality each segment must
carry (<xref target="segment-subroutines"/>).  It then verifies the final segment
under is_final = 1.  A truncated object, whose last surviving segment
was written as non-final, fails that verification.  The finality bit is
bound per segment and is unforgeable without the CEK: in derived nonce
mode it occupies the low bit of the segment nonce
(<xref target="nonce-generation"/>), and in random nonce mode it is bound through
segment_aad (<xref target="concrete-segment-aad"/>).  An adversary therefore cannot
re-mark a non-final segment as final and can only drop trailing
segments, which this check detects.</t>
            <t>Authorized truncation by the CEK holder re-encrypts the new final
segment under is_final = 1 with a fresh nonce (<xref target="extend"/>), so a
legitimately truncated object still ends with is_final = 1 and verifies.
This check needs no snapshot authenticator.</t>
            <t>Truncation to an empty object is covered too.  A profile with no
snapshot authenticator forbids the zero-segment object, so a valid
object always has at least one segment, and a decryptor <bcp14>MUST</bcp14> reject one
that has none.  Under a snapshot authenticator the snapshot binds the
count, so the empty object (n_seg = 0) is a distinct authenticated state
(<xref target="snapshot-limitations"/>).</t>
            <t>On a commitment mismatch the implementation <bcp14>MUST NOT</bcp14> proceed with
decryption, <bcp14>SHOULD</bcp14> zeroize derived key material, and <bcp14>MUST</bcp14> return an
error.  Under a snapshot authenticator, when the full present set is
available (for example, a full read or an integrity audit), the reader
<bcp14>MUST</bcp14> run SnapVerify (<xref target="snapshot-authenticator"/>) on the stored snapshot
before delivering any plaintext, and <bcp14>MUST</bcp14> return an error if SnapVerify
fails.  With no snapshot authenticator there is no such check, and
per-segment authentication stands alone.</t>
            <t>Decryption can fail in up to three distinguishable ways:</t>
            <table anchor="decryption-failures">
              <name>Decryption failure conditions</name>
              <thead>
                <tr>
                  <th align="left">Failure</th>
                  <th align="left">Cause</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td align="left">Commitment mismatch</td>
                  <td align="left">wrong key or parameters</td>
                </tr>
                <tr>
                  <td align="left">AEAD verification failure</td>
                  <td align="left">corrupted or tampered segment</td>
                </tr>
                <tr>
                  <td align="left">Snapshot mismatch</td>
                  <td align="left">segment set or count modified (snapshot authenticator only)</td>
                </tr>
              </tbody>
            </table>
            <t>Implementations <bcp14>SHOULD</bcp14> report these as distinct error conditions for
local diagnosis, but <bcp14>SHOULD</bcp14> return a single opaque error to untrusted
callers to avoid leaking an oracle (for example, distinguishing "wrong
key" from "tampered segment" over a network).</t>
          </section>
        </section>
        <section anchor="rewritable-ops">
          <name>Rewritable Operations</name>
          <t>Rewriting and length change are available only in a mutable profile
(<xref target="profiles"/>), which admits snap_id 0x0001, 0x0002, or 0x0003.  The
procedures below are written against the Incremental interface
(<xref target="snapshot-interface"/>) used by the masked multiset hash.  Under a
Recompute-on-change authenticator (the digest transcript or the epoch
digest tree) the remove, add, and set_length calls in these procedures
collapse into a single snapshot() over the updated (index, leaf) set,
and the operations are otherwise identical.  A caller that cannot
recover a re-encrypted segment's plaintext cannot perform them.</t>
          <section anchor="full-rewrite">
            <name>Rewriting Segment i</name>
            <t>A rewrite touches exactly one segment's ciphertext.  Replacing the
segment removes its old tag from the snapshot authenticator and adds the
new one, then updates the snapshot over the unchanged count with
snapshot().  Under the Incremental interface the update trusts, rather
than re-verifies, the stored snapshot state.  The old tag is already
stored alongside the old ciphertext, so no other segment is read or
decrypted (<xref target="snapshot-authenticator"/>).  Under a Recompute-on-change
authenticator the snapshot() call recomputes the value from the stored
per-segment leaves, and no stored snapshot state is trusted.</t>
            <t>The procedure is:</t>
            <artwork><![CDATA[
read   old_tag_i
new_nonce_metadata_i, new_ct_i, new_tag_i
       = RewriteSegment(i, is_final, empty, new_P_i)
remove(i, old_tag_i)                    (count n_seg unchanged)
add(i, new_tag_i)
snapshot      = snapshot()
store  new_nonce_metadata_i, new_ct_i, new_tag_i, snapshot
]]></artwork>
            <t>In derived nonce mode the nonce for segment i is deterministic, so a
rewrite reuses the same nonce under a key whose derivation context is
identical.  This is safe because a mutable profile that selects derived
nonce mode requires an MRAE AEAD (AES-256-GCM-SIV).  MRAE AEADs are
designed to tolerate nonce reuse, degrading to equality leakage rather
than plaintext recovery, within the per-segment rewrite limit in
<xref target="rewrite-budget-security"/>.  The snapshot update proceeds identically.</t>
            <t>The stored snapshot cannot be validated during an in-place rewrite.
Validation is SnapVerify (<xref target="snapshot-authenticator"/>), which recomputes
the authenticator from every segment's tag and so requires reading all
tags.  During a rewrite the application trusts the stored snapshot
state, applies remove and add for the one changed segment, and produces
the new value with snapshot().  Because it trusts that state, the writer
<bcp14>MUST</bcp14> take it from locally trusted storage or run SnapVerify first.
Otherwise a storage adversary can roll the stored snapshot back and have
the writer rebuild on it, laundering the rollback into a snapshot that
verifies going forward (<xref target="snapshot-limitations"/>).  Full validation is a
separate operation that an application performs when it has access to
all tags (for example, on a full read or an integrity audit).</t>
          </section>
          <section anchor="extend">
            <name>Changing Message Length</name>
            <t>An application that holds the CEK <bcp14>MAY</bcp14> change a stored message's
length in either direction: appending new segments, or truncating
to a prefix.  The two directions share one shape.  Exactly one
retained segment, the old or the new terminal one, is re-encrypted
to move the finality bit, with none re-encrypted when appending
from the empty object or truncating to it.  Every other changed
segment is removed or added by tag without re-encryption, and the
snapshot is updated over the new count (<xref target="fig-length-change"/>).
Both reuse the existing salt: an application extending an existing
message <bcp14>MUST</bcp14> reuse the salt from the object it extends.  A fresh salt
would change every payload schedule output and force re-encryption of
the retained segments.</t>
            <figure anchor="fig-length-change">
              <name>Append and Truncate</name>
              <artset>
                <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="576" viewBox="0 0 576 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                    <g class="text">
                      <text x="20" y="36">Both</text>
                      <text x="84" y="36">directions</text>
                      <text x="152" y="36">share</text>
                      <text x="192" y="36">one</text>
                      <text x="232" y="36">shape</text>
                      <text x="272" y="36">(no</text>
                      <text x="324" y="36">terminal</text>
                      <text x="392" y="36">re-mark</text>
                      <text x="440" y="36">for</text>
                      <text x="472" y="36">the</text>
                      <text x="24" y="52">empty</text>
                      <text x="84" y="52">object):</text>
                      <text x="28" y="84">1.</text>
                      <text x="72" y="84">re-mark</text>
                      <text x="120" y="84">the</text>
                      <text x="164" y="84">single</text>
                      <text x="228" y="84">terminal</text>
                      <text x="296" y="84">segment</text>
                      <text x="372" y="84">remove</text>
                      <text x="408" y="84">+</text>
                      <text x="432" y="84">add</text>
                      <text x="468" y="84">(new</text>
                      <text x="516" y="84">count)</text>
                      <text x="28" y="100">2.</text>
                      <text x="68" y="100">update</text>
                      <text x="112" y="100">the</text>
                      <text x="164" y="100">boundary</text>
                      <text x="236" y="100">segments</text>
                      <text x="284" y="100">by</text>
                      <text x="312" y="100">tag</text>
                      <text x="380" y="100">remove</text>
                      <text x="420" y="100">or</text>
                      <text x="448" y="100">add</text>
                      <text x="500" y="100">(each)</text>
                      <text x="28" y="116">3.</text>
                      <text x="68" y="116">update</text>
                      <text x="112" y="116">the</text>
                      <text x="164" y="116">snapshot</text>
                      <text x="396" y="116">snapshot()</text>
                      <text x="44" y="148">append</text>
                      <text x="120" y="148">(n_seg'</text>
                      <text x="160" y="148">=</text>
                      <text x="192" y="148">n_seg</text>
                      <text x="224" y="148">+</text>
                      <text x="248" y="148">k):</text>
                      <text x="76" y="164">terminal</text>
                      <text x="120" y="164">=</text>
                      <text x="144" y="164">old</text>
                      <text x="184" y="164">final</text>
                      <text x="240" y="164">n_seg-1</text>
                      <text x="320" y="164">(is_final</text>
                      <text x="368" y="164">1</text>
                      <text x="388" y="164">-&gt;</text>
                      <text x="416" y="164">0);</text>
                      <text x="452" y="164">none</text>
                      <text x="484" y="164">if</text>
                      <text x="520" y="164">n_seg</text>
                      <text x="552" y="164">=</text>
                      <text x="568" y="164">0</text>
                      <text x="56" y="180">add</text>
                      <text x="84" y="180">IN</text>
                      <text x="128" y="180">the</text>
                      <text x="160" y="180">new</text>
                      <text x="212" y="180">segments</text>
                      <text x="364" y="180">n_seg..n_seg+k-1</text>
                      <text x="52" y="196">truncate</text>
                      <text x="120" y="196">(n_seg'</text>
                      <text x="160" y="196">=</text>
                      <text x="184" y="196">m):</text>
                      <text x="76" y="212">terminal</text>
                      <text x="120" y="212">=</text>
                      <text x="144" y="212">new</text>
                      <text x="184" y="212">final</text>
                      <text x="224" y="212">m-1</text>
                      <text x="320" y="212">(is_final</text>
                      <text x="368" y="212">0</text>
                      <text x="388" y="212">-&gt;</text>
                      <text x="416" y="212">1);</text>
                      <text x="452" y="212">none</text>
                      <text x="484" y="212">if</text>
                      <text x="504" y="212">m</text>
                      <text x="520" y="212">=</text>
                      <text x="536" y="212">0</text>
                      <text x="68" y="228">remove</text>
                      <text x="128" y="228">the</text>
                      <text x="184" y="228">discarded</text>
                      <text x="260" y="228">segments</text>
                      <text x="340" y="228">m..n_seg-1</text>
                    </g>
                  </svg>
                </artwork>
                <artwork type="ascii-art"><![CDATA[
Both directions share one shape (no terminal re-mark for the
empty object):

  1. re-mark the single terminal segment   remove + add (new count)
  2. update the boundary segments by tag    remove or add  (each)
  3. update the snapshot                    snapshot()

  append   (n_seg' = n_seg + k):
     terminal = old final n_seg-1  (is_final 1 -> 0); none if n_seg = 0
     add IN   the new segments       n_seg..n_seg+k-1
  truncate (n_seg' = m):
     terminal = new final m-1      (is_final 0 -> 1); none if m = 0
     remove   the discarded segments m..n_seg-1
]]></artwork>
              </artset>
            </figure>
            <artwork><![CDATA[
re-mark the terminal segment t:
   append:    t = n_seg - 1    is_final: 1 -> 0
   truncate:  t = m - 1        is_final: 0 -> 1

if a terminal segment t exists (n_seg >= 1 for append, m >= 1 for
truncate):
   read   salt, payload schedule, snapshot value, segment t
          (truncate also reads old_tag_j for discarded j in m..n_seg-1)
   P_t    = plaintext of segment t       (decrypt, or use if held)
   meta, ct, new_tag_t
          = RewriteSegment(t, is_final_t, empty, P_t)
   under the old count:  remove(t, old_tag_t)
else:
   (append from empty: no old terminal; the appended loop below
    marks the last new segment is_final = 1.  truncate to m = 0:
    no segment remains, so nothing is re-marked.)
truncate:  for j in m .. n_seg-1:  remove(j, old_tag_j)

n_seg' = n_seg+k (append) or m (truncate)
set_length(n_seg')

if a terminal segment t exists:  add(t, new_tag_t)
append:    for j in n_seg .. n_seg+k-1:
              meta_j, ct_j, tag_j
                  = EncryptSegment(j, is_final_j, empty, P_j)
              add(j, tag_j)
           (is_final_j = 1 only for the last segment)

snapshot      = snapshot()
store  segment t and snapshot; append adds the new segments,
       truncate drops segments m..n_seg-1
]]></artwork>
            <t>Changing message length re-encrypts the terminal segment, except when
truncating to the empty object (m = 0), where no segment remains.  A
caller that cannot recover that segment's plaintext cannot do it.</t>
            <t>Under the Incremental interface each add and remove takes the segment's
stored tag, which already encodes that segment's is_final bit, so an
implementation never tracks finality separately.</t>
            <t>A botched Incremental update corrupts the snapshot authenticator's state
silently, surfacing only at a later SnapVerify.  An implementation <bcp14>MAY</bcp14>
run SnapVerify over the new segment set immediately after a length
change to catch this.  A botched update yields a value that the
from-scratch recomputation will not match, turning a silent corruption
into a caught error.  A Recompute-on-change authenticator recomputes the
snapshot from the stored per-segment leaves on every update, so it has
no analogous silent-corruption failure mode.</t>
            <t>Both operations count against the same per-CEK AEAD usage budget as
initial encryption (<xref target="aead-usage-limits"/>).  Each re-encrypts one
terminal segment, except a truncate to the empty object (m = 0), which
re-encrypts none.  In derived nonce mode the nonce for the re-marked
segment is fixed by its index and finality bit.  Re-marking flips the
finality bit, so this nonce differs from the segment's previous one, but
repeated length changes can make the same (index, finality bit) pair
recur, and only an MRAE AEAD tolerates the resulting nonce reuse
(<xref target="key-derivation"/>).</t>
            <t>Applications that do not need length changes <bcp14>MAY</bcp14> simply forbid them.
The salt-reuse requirement applies only when a length change is
performed.  An application that re-encrypts the entire content can
generate a fresh salt and is not bound by the constraints in this
section.</t>
            <t>Test vectors for the SEAL profile are provided in <xref target="test-vectors"/>, and
the serialization layouts are in <xref target="file-layouts"/>.</t>
          </section>
        </section>
      </section>
      <section anchor="concrete">
        <name>SEAL Suites</name>
        <t>This section lists example algorithm suites for the SEAL construction.
SEAL's concrete framing and procedures are defined in <xref target="framework"/>.</t>
        <section anchor="concrete-algorithms">
          <name>Algorithms</name>
          <t>SEAL defines the following AEAD algorithms.  Each has a code point, a
key size, a nonce size, a default nonce mode, and an epoch_length range.
The key size Nk is 16 octets for AES-128-GCM and 32 octets for the other
suites.  All use a 16-octet authentication tag (Nt = 16).</t>
          <table anchor="aead-table">
            <name>SEAL AEAD algorithms</name>
            <thead>
              <tr>
                <th align="left">Algorithm</th>
                <th align="left">aead_id</th>
                <th align="left">Nk</th>
                <th align="left">Nn</th>
                <th align="left">default mode</th>
                <th align="left">epoch_length</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM</td>
                <td align="left">0x0001</td>
                <td align="left">16</td>
                <td align="left">12</td>
                <td align="left">random</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM</td>
                <td align="left">0x0002</td>
                <td align="left">32</td>
                <td align="left">12</td>
                <td align="left">random</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305</td>
                <td align="left">0x001D</td>
                <td align="left">32</td>
                <td align="left">12</td>
                <td align="left">random</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV</td>
                <td align="left">0x001F</td>
                <td align="left">32</td>
                <td align="left">12</td>
                <td align="left">derived</td>
                <td align="left">0 to 63 (default 0)</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256</td>
                <td align="left">0x0021</td>
                <td align="left">32</td>
                <td align="left">32</td>
                <td align="left">random</td>
                <td align="left">63</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256X2</td>
                <td align="left">0x0024</td>
                <td align="left">32</td>
                <td align="left">32</td>
                <td align="left">random</td>
                <td align="left">63</td>
              </tr>
            </tbody>
          </table>
          <t>The aead_id values are the unsigned 16-bit code points from the IANA
AEAD Algorithms Registry (<xref target="RFC5116"/>), encoded as uint16(id).  The
registry's textual identifiers are, in table order, AEAD_AES_128_GCM,
AEAD_AES_256_GCM, AEAD_CHACHA20_POLY1305, AEAD_AES_256_GCM_SIV,
AEAD_AEGIS256, and AEAD_AEGIS256X2.  AES-128-GCM and AES-256-GCM are
specified in <xref target="NIST-SP-800-38D"/>, ChaCha20-Poly1305 in <xref target="RFC8439"/>,
AES-256-GCM-SIV in <xref target="RFC8452"/>, and AEGIS-256 and AEGIS-256X2 in
<xref target="I-D.irtf-cfrg-aegis-aead"/>.  The AEGIS code points 0x0021 and 0x0024
are early allocations that firm up when that I-D is published as an RFC.</t>
          <t>The 96-bit-nonce AEADs (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305) and
the MRAE AES-256-GCM-SIV (in derived nonce mode) rotate the segment key
and may set epoch_length anywhere in 0 to 63.  The 256-bit-nonce
AEADs (AEGIS-256, AEGIS-256X2) use a flat key (epoch_length = 63, one
epoch key covering every segment).
<xref target="epoch-length-guidance"/> gives the per-suite budgets that fix these
ranges.</t>
          <t>The default nonce_mode column gives each AEAD's mode in the mutable
profile, SEAL-RW-v1.  The immutable profile, SEAL-RO-v1, instead pairs a
derived nonce with any of these AEADs, because its write-once rule keeps
every derived nonce unique and needs no MRAE AEAD (<xref target="profiles"/>).</t>
          <t>SEAL permits the KDF cipher suites in <xref target="kdf-table"/>, identified by
entries from the HPKE KDF Registry (<xref target="RFC9180"/> Section 7.2 and
<xref target="I-D.ietf-hpke-pq"/>):</t>
          <table anchor="kdf-table">
            <name>Permitted SEAL KDF Cipher Suites</name>
            <thead>
              <tr>
                <th align="left">kdf_id</th>
                <th align="left">Name</th>
                <th align="left">Construction</th>
                <th align="left">Nh</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">0x0001</td>
                <td align="left">HKDF-SHA-256</td>
                <td align="left">Two-step HKDF-Extract+Expand</td>
                <td align="left">32</td>
              </tr>
              <tr>
                <td align="left">0x0002</td>
                <td align="left">HKDF-SHA-384</td>
                <td align="left">Two-step HKDF-Extract+Expand</td>
                <td align="left">48</td>
              </tr>
              <tr>
                <td align="left">0x0003</td>
                <td align="left">HKDF-SHA-512</td>
                <td align="left">Two-step HKDF-Extract+Expand</td>
                <td align="left">64</td>
              </tr>
              <tr>
                <td align="left">0x0013</td>
                <td align="left">TurboSHAKE-256</td>
                <td align="left">One-step XOF (absorb+squeeze)</td>
                <td align="left">64</td>
              </tr>
            </tbody>
          </table>
          <t>HKDF-SHA-256 is specified in <xref target="RFC5869"/>.  TurboSHAKE-256 is the
extendable-output mode of the Keccak-p permutation family, specified in
<xref target="RFC9861"/> and selected by <xref target="I-D.ietf-hpke-pq"/> for the HPKE KDF
Registry.  The <tt>kdf_id</tt> values are the unsigned 16-bit code points from
the HPKE KDF Registry, encoded as uint16(id).  Nh and
<tt>commitment_length</tt> equal the KDF's primitive output size, 32 octets for
HKDF-SHA-256, 48 for HKDF-SHA-384, and 64 for HKDF-SHA-512 and
TurboSHAKE-256.  HKDF-SHA-256 is the baseline KDF.  The others are
optional alternatives.</t>
          <t>The two-step Extract and Expand are HKDF-Extract and HKDF-Expand.  The
one-step XOF uses TurboSHAKE256 with D = 0x1F, the Derive convention's
domain-separator byte, which an implementation <bcp14>MUST NOT</bcp14> change.</t>
          <t>The snapshot authenticator is selected by snap_id:</t>
          <table anchor="snapshot-table">
            <name>SEAL Snapshot Authenticators</name>
            <thead>
              <tr>
                <th align="left">snap_id</th>
                <th align="left">Name</th>
                <th align="left">Snapshot value</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">0x0000</td>
                <td align="left">none</td>
                <td align="left">none produced</td>
              </tr>
              <tr>
                <td align="left">0x0001</td>
                <td align="left">masked multiset hash</td>
                <td align="left">snapshot, per <xref target="snapshot-authenticator"/></td>
              </tr>
              <tr>
                <td align="left">0x0002</td>
                <td align="left">digest transcript</td>
                <td align="left">snapshot, per <xref target="digest-transcript"/></td>
              </tr>
              <tr>
                <td align="left">0x0003</td>
                <td align="left">epoch digest tree</td>
                <td align="left">snapshot, per <xref target="epoch-digest-tree"/></td>
              </tr>
            </tbody>
          </table>
          <t>snap_id = 0x0000 selects no snapshot authenticator:  no snapshot value
is produced and a reader relies on per-segment authentication alone.  An
immutable (write-once) profile enforces snap_id = 0x0000, 0x0002, or
0x0003.  A profile that supports rewrite requires a snapshot
authenticator (snap_id 0x0001, 0x0002, or 0x0003), so every rewritable
object carries whole-object integrity (<xref target="rewritable-ops"/>).  Every
rewrite re-publishes the snapshot value, at a cost that depends on the
selected authenticator (<xref target="profile-applicability"/>).</t>
          <t>The nonce mode is carried explicitly by nonce_mode:</t>
          <table anchor="nonce-mode-table">
            <name>SEAL Nonce Modes</name>
            <thead>
              <tr>
                <th align="left">nonce_mode</th>
                <th align="left">Name</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">0x00</td>
                <td align="left">random</td>
              </tr>
              <tr>
                <td align="left">0x01</td>
                <td align="left">derived</td>
              </tr>
            </tbody>
          </table>
          <t>The two constructions are defined in <xref target="nonce-generation"/>.</t>
          <t>The supported maximum segment sizes are 16384 and 65536 octets.  Both
values are powers of two and at least 4096 octets.  The 16384-octet size
aligns to 16 KiB memory pages (for example, on Apple Silicon).  The
65536-octet size aligns to 64 KiB (four 16 KiB pages).</t>
          <t>The aad_label is "SEAL-DATA".  Under snap_id = 0x0001 the snapshot
authenticator is the masked multiset hash (<xref target="snapshot-authenticator"/>),
with wrapped_acc and the snapshot tag each an Nh-octet value, so Na =
2*Nh.</t>
        </section>
        <section anchor="profiles">
          <name>Composing a SEAL Suite</name>
          <t>A SEAL suite fixes an AEAD and a KDF (<xref target="aead-table"/>, <xref target="kdf-table"/>), a
maximum segment size, a snapshot authenticator (snap_id,
<xref target="snapshot-table"/>), a nonce mode (nonce_mode, <xref target="nonce-mode-table"/>),
and an epoch length.  The protocol_id identifies the parameters a
profile fixes, and only certain (nonce_mode, snap_id) tuples are valid
under each one.  This document defines two named profiles, SEAL-RW-v1
and SEAL-RO-v1.</t>
          <t>A profile's payload_info <bcp14>MUST</bcp14> carry the full parameter context
affecting key derivation, AEAD operations, AAD construction, and nonce
construction, so that the commitment (<xref target="framework-commitment"/>) binds
that context.</t>
          <t>SEAL-RW-v1 is the mutable profile (read-write).  It requires a snapshot
authenticator, admitting snap_id 0x0001 (the masked multiset hash),
0x0002 (the digest transcript), or 0x0003 (the epoch digest tree), and
it permits a random nonce or a derived nonce with an MRAE AEAD.  It
supports rewrite, extend, and truncate, and carries SEAL's snapshot
machinery per the selected snap_id.  Under 0x0001 that is the
accumulator with its mask; under 0x0002 the recomputed snapshot value
over the leaf list; under 0x0003 the epoch-heads region and the
recomputed snapshot value.  All three include SnapVerify.  Unauthorized
truncation surfaces at two points:  the terminal finality check of
<xref target="full-decryption"/>, and SnapVerify over the complete segment set, which
also binds the segment count.</t>
          <t>SEAL-RO-v1 is the immutable profile (read-only).  Here "immutable" names
the writer's write-once discipline, not a guarantee of tamper evidence.
The write-once discipline follows from the nonce mode.  SEAL-RO-v1
selects a derived nonce and works with any AEAD including a non-MRAE
one, so a rewrite would repeat the segment's derived nonce with the
consequences given in <xref target="nonce-misuse"/>.  An encryptor under SEAL-RO-v1
therefore <bcp14>MUST NOT</bcp14> rewrite a segment once it has been written.  The
profile admits snap_id 0x0000 (no snapshot authenticator), 0x0002 (the
digest transcript, <xref target="digest-transcript"/>), or 0x0003 (the epoch digest
tree, <xref target="epoch-digest-tree"/>), and the choice does not affect the
write-once discipline.  A protocol that needs rewrites picks SEAL-RW-v1
instead, per <xref target="profile-applicability"/> and <xref target="nonce-generation"/>.</t>
          <t>SEAL-RO-v1 provides per-segment confidentiality and integrity, binding
the segment index and the finality bit, and key commitment through the
commitment field.  At snap_id 0x0000 it has no snapshot or whole-object
integrity:  that, when needed, comes from the digest transcript at
snap_id 0x0002 or 0x0003, from the snapshot in the mutable profile, or
from a layer above SEAL.  At snap_id 0x0002 or 0x0003 the digest
transcript binds the whole segment set, and a consuming protocol that
authenticates the snapshot value obtains per-segment origin
authentication (<xref target="snapshot-security-dt"/>).  Truncation detection at
snap_id 0x0000 rests on the finality bit alone and surfaces only when
the highest-indexed present segment verifies under is_final = 1
(<xref target="full-decryption"/>), so a consumer of streamed plaintext has no
completeness guarantee before that terminal check.  At 0x0002 and
0x0003, SnapVerify additionally binds the count.</t>
          <table anchor="profile-table">
            <name>SEAL profiles</name>
            <thead>
              <tr>
                <th align="left">protocol_id</th>
                <th align="left">nonce_mode</th>
                <th align="left">snap_id</th>
                <th align="left">mutability</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">SEAL-RW-v1</td>
                <td align="left">random or derived</td>
                <td align="left">0x0001, 0x0002, or 0x0003</td>
                <td align="left">rewrite/extend/truncate</td>
              </tr>
              <tr>
                <td align="left">SEAL-RO-v1</td>
                <td align="left">derived</td>
                <td align="left">0x0000, 0x0002, or 0x0003</td>
                <td align="left">write-once</td>
              </tr>
            </tbody>
          </table>
          <t>An encryptor <bcp14>MUST</bcp14> set payload_info to a (nonce_mode, snap_id) tuple that
is valid for its protocol_id, and a decryptor <bcp14>MUST</bcp14> reject any object
whose tuple is not.  A derived nonce under SEAL-RW-v1 requires an MRAE
AEAD.  SEAL-RO-v1 admits any AEAD because the write-once rule keeps each
derived nonce unique.</t>
          <section anchor="profile-applicability">
            <name>Choosing a Profile</name>
            <t>Pick the profile from how the stored content changes after it is first
written.</t>
            <t>SEAL-RW-v1 (mutable) fits content updated in place:  editable files,
mutable object stores, and append-or-truncate logs.  It admits any of
snap_id 0x0001, 0x0002, or 0x0003, so a reader detects tampering with
the current segment set as a whole: any added, dropped, reordered, or
re-marked segment, a same-index rollback, or a count change
(<xref target="snapshot-integrity"/>).  The masked multiset hash (0x0001) updates in
O(1) per rewrite; the digest transcript (0x0002) recomputes over the
full leaf list; the epoch digest tree (0x0003) recomputes one epoch head
and the snapshot from two aligned metadata reads.  Whole-object
freshness beyond replay still comes from a layer above SEAL
(<xref target="snapshot-limitations"/>).  A derived nonce under this profile requires
an MRAE AEAD, while a random nonce works with any of the suites.</t>
            <t>SEAL-RO-v1 (immutable) fits write-once content:  archives, backups,
content-addressed blobs, and write-once media.  It stores no per-segment
nonce and works with any AEAD, so it is the smaller and simpler choice
when content is never rewritten.  Whole-object integrity, if needed,
comes from the digest transcript (snap_id 0x0002, <xref target="digest-transcript"/>)
or the epoch digest tree (snap_id 0x0003, <xref target="epoch-digest-tree"/>), or a
layer above SEAL.</t>
            <t><xref target="epoch-length-guidance"/> covers epoch_length selection, and
<xref target="concrete-algorithms"/> covers the per-AEAD trade-offs that further
narrow the suite.</t>
          </section>
        </section>
      </section>
      <section anchor="file-layouts">
        <name>Serialization Layouts</name>
        <t>Three serialization layouts, linear, aligned, and split, let a consuming
protocol store raAE output.  The parameterized SEAL construction
mandates none of them.  Each named instantiation binds one, and the
consuming protocol pins the remaining details
(<xref target="named-instantiations"/>).  The commitment field in every layout is
commitment_length octets (<xref target="algorithm-sizes"/>).  The figures annotate it
with its default, commitment_length = Nh.</t>
        <section anchor="linear-layout">
          <name>Linear Layout</name>
          <t>In a linear layout the salt, commitment, snapshot value, and segment
data appear in sequence.  The salt comes first because it is needed to
derive all payload schedule values.  The commitment follows so a reader
can reject a wrong key before reading any segment data.  The snapshot
value (Na octets), the configured authenticator's output,
precedes the segment data so a streaming reader has it before the
segments and can check it once all are read.  Segments then follow in
index order.</t>
          <t>When the object has at least one segment, that final segment carries
is_final = 1.  An empty object (n_seg = 0) has zero segments, so no
segment is final.</t>
          <figure anchor="fig-linear-layout">
            <name>Linear Layout</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="528" viewBox="0 0 528 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,112" fill="none" stroke="black"/>
                  <path d="M 64,32 L 64,112" fill="none" stroke="black"/>
                  <path d="M 168,32 L 168,112" fill="none" stroke="black"/>
                  <path d="M 296,32 L 296,112" fill="none" stroke="black"/>
                  <path d="M 384,32 L 384,112" fill="none" stroke="black"/>
                  <path d="M 432,32 L 432,112" fill="none" stroke="black"/>
                  <path d="M 520,32 L 520,112" fill="none" stroke="black"/>
                  <path d="M 8,32 L 520,32" fill="none" stroke="black"/>
                  <path d="M 8,112 L 520,112" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="36" y="52">salt</text>
                    <text x="116" y="52">commitment</text>
                    <text x="212" y="52">snapshot</text>
                    <text x="336" y="52">segment</text>
                    <text x="408" y="52">...</text>
                    <text x="472" y="52">segment</text>
                    <text x="36" y="68">(32)</text>
                    <text x="92" y="68">(Nh)</text>
                    <text x="228" y="68">(Na)</text>
                    <text x="320" y="68">0</text>
                    <text x="348" y="68">data</text>
                    <text x="472" y="68">n_seg-1</text>
                    <text x="336" y="84">[nonce]</text>
                    <text x="472" y="84">[nonce]</text>
                    <text x="316" y="100">ct</text>
                    <text x="336" y="100">+</text>
                    <text x="360" y="100">tag</text>
                    <text x="452" y="100">ct</text>
                    <text x="472" y="100">+</text>
                    <text x="496" y="100">tag</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+------+------------+---------------+----------+-----+----------+
| salt | commitment | snapshot      | segment  | ... | segment  |
| (32) | (Nh)       |     (Na)      |  0 data  |     | n_seg-1  |
|      |            |               | [nonce]  |     | [nonce]  |
|      |            |               | ct + tag |     | ct + tag |
+------+------------+---------------+----------+-----+----------+
]]></artwork>
            </artset>
          </figure>
          <t>Brackets mark the nonce, which precedes the ciphertext and tag for a
segment and is stored only in random nonce mode.  In derived nonce mode
(AES-256-GCM-SIV) the nonce is recomputed from the key schedule, so no
nonce is stored.</t>
          <t>A streaming reader recovers segment boundaries from the segment lengths.
Because a segment <bcp14>MAY</bcp14> be shorter than segment_max (<xref target="conventions"/>), a
linear layout that is to be read as a stream <bcp14>MUST</bcp14> keep every non-final
segment at the full segment_max, leaving only the final segment short.
A reader then finds each boundary at the fixed segment length.  A layout
that stores shorter interior segments <bcp14>MUST</bcp14> record their lengths so the
reader can locate each segment.</t>
          <t>Linear layout supports streaming writes.  A writer emits the salt,
commitment, and a placeholder for the snapshot value, then streams
segments.  After all segments are written the writer seeks back to the
snapshot position and writes the final value in place.</t>
        </section>
        <section anchor="aligned-layout">
          <name>Aligned Layout</name>
          <t>In an aligned layout the ciphertext segments occupy slots aligned to
segment_max, so a reader can seek to any segment with page-aligned I/O.
An arbitrary-length prefix, which the consuming protocol uses for its
own machinery and which raAE does not specify, comes first.  The raAE
header follows, and the ciphertext follows the header.</t>
          <figure anchor="fig-aligned-layout">
            <name>Aligned Layout</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="376" viewBox="0 0 376 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,288" fill="none" stroke="black"/>
                  <path d="M 312,48 L 312,56" fill="none" stroke="black"/>
                  <path d="M 368,32 L 368,288" fill="none" stroke="black"/>
                  <path d="M 8,32 L 368,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 368,80" fill="none" stroke="black"/>
                  <path d="M 8,128 L 368,128" fill="none" stroke="black"/>
                  <path d="M 8,190 L 368,190" fill="none" stroke="black"/>
                  <path d="M 8,194 L 368,194" fill="none" stroke="black"/>
                  <path d="M 8,224 L 368,224" fill="none" stroke="black"/>
                  <path d="M 8,256 L 368,256" fill="none" stroke="black"/>
                  <path d="M 8,288 L 368,288" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="44" y="52">prefix</text>
                    <text x="116" y="52">(consuming</text>
                    <text x="196" y="52">protocol</text>
                    <text x="272" y="52">machinery</text>
                    <text x="56" y="68">arbitrary</text>
                    <text x="128" y="68">length;</text>
                    <text x="176" y="68">not</text>
                    <text x="232" y="68">specified</text>
                    <text x="296" y="68">here)</text>
                    <text x="48" y="100">header:</text>
                    <text x="104" y="100">salt,</text>
                    <text x="176" y="100">commitment,</text>
                    <text x="264" y="100">snapshot,</text>
                    <text x="64" y="116">per-segment</text>
                    <text x="148" y="116">metadata</text>
                    <text x="216" y="116">(broken</text>
                    <text x="264" y="116">out</text>
                    <text x="308" y="116">below)</text>
                    <text x="48" y="148">leading</text>
                    <text x="104" y="148">slot:</text>
                    <text x="156" y="148">either</text>
                    <text x="200" y="148">the</text>
                    <text x="240" y="148">first</text>
                    <text x="308" y="148">ciphertext</text>
                    <text x="48" y="164">segment</text>
                    <text x="92" y="164">(&lt;</text>
                    <text x="120" y="164">B),</text>
                    <text x="148" y="164">or</text>
                    <text x="180" y="164">zero</text>
                    <text x="232" y="164">padding</text>
                    <text x="276" y="164">to</text>
                    <text x="296" y="164">a</text>
                    <text x="52" y="180">multiple</text>
                    <text x="100" y="180">of</text>
                    <text x="120" y="180">B</text>
                    <text x="60" y="212">ciphertext</text>
                    <text x="136" y="212">segment</text>
                    <text x="268" y="212">(=</text>
                    <text x="292" y="212">B)</text>
                    <text x="32" y="244">...</text>
                    <text x="40" y="276">final</text>
                    <text x="108" y="276">ciphertext</text>
                    <text x="184" y="276">segment</text>
                    <text x="272" y="276">(&lt;=</text>
                    <text x="300" y="276">B)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+--------------------------------------------+
| prefix (consuming protocol machinery,      |
| arbitrary length; not specified here)      |
+--------------------------------------------+
| header: salt, commitment, snapshot,        |
| per-segment metadata (broken out below)    |
+--------------------------------------------+
| leading slot: either the first ciphertext  |
| segment (< B), or zero padding to a        |
| multiple of B                              |
+============================================+
| ciphertext segment            (= B)        |
+--------------------------------------------+
| ...                                        |
+--------------------------------------------+
| final ciphertext segment      (<= B)       |
+--------------------------------------------+
]]></artwork>
            </artset>
          </figure>
          <t>Offsets are measured from index 0, the start of the prefix.  Let B =
segment_max and let H be the offset at which the ciphertext begins (the
prefix length plus the header length).  The leading slot, from H up to
the first segment boundary M * B, is filled in one of two ways, chosen
before writing:</t>
          <ul spacing="normal">
            <li>
              <t>No padding: the first ciphertext segment occupies the slot, with
M = ceil(H / B).  It is shorter than B and ends on the boundary M * B.</t>
            </li>
            <li>
              <t>Padding: the slot is zero-padded to a multiple of B, with
M &gt;= ceil(H / B) (the next boundary, or a larger multiple to reserve
whole segment slots for append headroom).</t>
            </li>
          </ul>
          <t>From M * B onward every ciphertext segment begins at a multiple of B and
is a full B octets, with the final segment at most B.  H, M, and the
first-segment length all follow from the prefix and header sizes, so a
writer computes them before emitting any ciphertext.</t>
          <t>The header holds the salt, the commitment, the snapshot value, an
optional epoch-heads region, and one metadata entry per segment:</t>
          <figure anchor="fig-aligned-header">
            <name>Aligned Layout Header</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="96" width="576" viewBox="0 0 576 96" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 64,32 L 64,80" fill="none" stroke="black"/>
                  <path d="M 168,32 L 168,80" fill="none" stroke="black"/>
                  <path d="M 256,32 L 256,80" fill="none" stroke="black"/>
                  <path d="M 384,32 L 384,80" fill="none" stroke="black"/>
                  <path d="M 568,32 L 568,80" fill="none" stroke="black"/>
                  <path d="M 8,32 L 568,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 568,80" fill="none" stroke="black"/>
                  <circle cx="320" cy="64" r="6" class="closeddot" fill="black"/>
                  <g class="text">
                    <text x="36" y="52">salt</text>
                    <text x="116" y="52">commitment</text>
                    <text x="212" y="52">snapshot</text>
                    <text x="292" y="52">[epoch</text>
                    <text x="348" y="52">heads]</text>
                    <text x="440" y="52">per-segment</text>
                    <text x="524" y="52">metadata</text>
                    <text x="36" y="68">(32)</text>
                    <text x="116" y="68">(Nh)</text>
                    <text x="212" y="68">(Na)</text>
                    <text x="300" y="68">(E</text>
                    <text x="344" y="68">Nh)</text>
                    <text x="428" y="68">(n_seg</text>
                    <text x="464" y="68">*</text>
                    <text x="512" y="68">meta_len)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+------+------------+----------+---------------+----------------------+
| salt | commitment | snapshot | [epoch heads] | per-segment metadata |
| (32) |    (Nh)    |   (Na)   |    (E * Nh)   |  (n_seg * meta_len)  |
+------+------------+----------+---------------+----------------------+
]]></artwork>
            </artset>
          </figure>
          <t>The bracketed epoch-heads region is present only under the epoch digest
tree (snap_id 0x0003, <xref target="epoch-digest-tree"/>).  It holds the E epoch
heads, E * Nh octets.</t>
          <t>Each metadata entry holds the segment's stored nonce and its AEAD tag:</t>
          <figure anchor="fig-meta-entry">
            <name>Metadata Entry</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="96" width="320" viewBox="0 0 320 96" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 112,32 L 112,80" fill="none" stroke="black"/>
                  <path d="M 216,32 L 216,80" fill="none" stroke="black"/>
                  <path d="M 312,32 L 312,80" fill="none" stroke="black"/>
                  <path d="M 8,32 L 312,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 312,80" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="60" y="52">[nonce(i)]</text>
                    <text x="164" y="52">[LH(ct_i)]</text>
                    <text x="268" y="52">tag(i)</text>
                    <text x="60" y="68">(Nn)</text>
                    <text x="164" y="68">(Nh)</text>
                    <text x="240" y="68">(Nt</text>
                    <text x="264" y="68">=</text>
                    <text x="288" y="68">16)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+------------+------------+-----------+
| [nonce(i)] | [LH(ct_i)] |   tag(i)  |
|    (Nn)    |    (Nh)    | (Nt = 16) |
+------------+------------+-----------+
]]></artwork>
            </artset>
          </figure>
          <t>The bracketed nonce is present only in random nonce mode, and the
bracketed ciphertext digest LH(ct_i) only under the digest transcript
(snap_id 0x0002, <xref target="digest-transcript"/>) and the epoch digest tree
(snap_id 0x0003, <xref target="epoch-digest-tree"/>).  The tag is always present, Nt
= 16 octets in every SEAL suite (<xref target="aead-table"/>).  The fields are stored
in leaf order:  under a derived nonce (Np = 0) the metadata entry is
exactly the leaf, LH(ct_i) || tag(i), so an implementation folds the
stored bytes directly.  Each metadata entry holds the Np-octet presented
nonce and the Nt-octet tag, so meta_len = Np + Nt octets, plus Nh under
the digest transcript or the epoch digest tree.  A random-nonce entry
sets Np = Nn and is Nn + Nt octets.  A derived-nonce entry recomputes
the nonce from the key schedule, so Np = 0 and the entry is Nt octets.
The per-suite values, for a metadata entry with no stored leaf (snap_id
0x0000 or 0x0001), are:</t>
          <table anchor="meta-len-table">
            <name>Metadata entry size by AEAD</name>
            <thead>
              <tr>
                <th align="left">AEAD</th>
                <th align="left">nonce mode</th>
                <th align="left">meta_len</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305</td>
                <td align="left">random (Nn = 12)</td>
                <td align="left">28</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256, AEGIS-256X2</td>
                <td align="left">random (Nn = 32)</td>
                <td align="left">48</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV</td>
                <td align="left">derived</td>
                <td align="left">16</td>
              </tr>
            </tbody>
          </table>
          <t>The n_seg entries total n_seg * meta_len octets, so the whole header
size is:</t>
          <artwork><![CDATA[
header_size = 32 + commitment_length + Na + n_seg * meta_len
]]></artwork>
          <t>With the default commitment_length = Nh, this specializes by
authenticator:</t>
          <artwork><![CDATA[
masked multiset hash (Na = 2 * Nh):
    32 + 3 * Nh + n_seg * meta_len
digest transcript (Na = Nh):
    32 + 2 * Nh + n_seg * meta_len
epoch digest tree, adds the epoch-heads region:
    32 + 2 * Nh + E * Nh + n_seg * meta_len
]]></artwork>
          <t>A reader verifies the commitment and the snapshot value from the header
alone, then seeks to any segment using these offsets.  Because the
authenticator's per-segment inputs live in the metadata entries (each
tag at snap_id 0x0001, each stored leaf at 0x0002 and 0x0003), a reader
authenticates the whole object's snapshot from the header without
reading or streaming any ciphertext.  At 0x0002 it <bcp14>MUST</bcp14> then check each
leaf against the segment it reads (<xref target="digest-transcript"/>).  This
supports efficient random-access reads.</t>
          <t>Under the epoch digest tree a reader fetches the snapshot value and the
epoch-heads region together, then reads one epoch's leaf run to check a
segment.</t>
        </section>
        <section anchor="split-layout">
          <name>Split Layout</name>
          <t>A split layout separates the ciphertext from the metadata into two
streams that grow independently.  The data stream holds the ciphertext
segments, each a full segment_max except the last.  Segment i is at
offset i * B.  The metadata stream holds the salt, the commitment, the
n_seg per-segment metadata entries (each meta_len octets, broken out in
<xref target="fig-meta-entry"/>), and the snapshot value last.  The authenticator's
per-segment inputs live in the metadata stream:  tags at snap_id 0x0001
(<xref target="masked-multiset-hash"/>) and stored leaves at 0x0002 and 0x0003.  A
reader therefore authenticates the snapshot by reading only the metadata
stream, never the data stream that holds the ciphertext.  Under the
epoch digest tree (snap_id 0x0003) the metadata stream also carries the
E epoch heads, an additional region of E * Nh octets. <xref target="aligned-layout"/>
gives the region's byte layout.</t>
          <figure anchor="fig-split-layout">
            <name>Split Layout</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="320" width="560" viewBox="0 0 560 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,64 L 8,192" fill="none" stroke="black"/>
                  <path d="M 8,256 L 8,304" fill="none" stroke="black"/>
                  <path d="M 64,256 L 64,304" fill="none" stroke="black"/>
                  <path d="M 168,256 L 168,304" fill="none" stroke="black"/>
                  <path d="M 176,64 L 176,192" fill="none" stroke="black"/>
                  <path d="M 272,256 L 272,304" fill="none" stroke="black"/>
                  <path d="M 320,256 L 320,304" fill="none" stroke="black"/>
                  <path d="M 424,256 L 424,304" fill="none" stroke="black"/>
                  <path d="M 552,256 L 552,304" fill="none" stroke="black"/>
                  <path d="M 8,64 L 176,64" fill="none" stroke="black"/>
                  <path d="M 8,96 L 176,96" fill="none" stroke="black"/>
                  <path d="M 8,128 L 176,128" fill="none" stroke="black"/>
                  <path d="M 8,160 L 176,160" fill="none" stroke="black"/>
                  <path d="M 8,192 L 176,192" fill="none" stroke="black"/>
                  <path d="M 8,256 L 552,256" fill="none" stroke="black"/>
                  <path d="M 8,304 L 552,304" fill="none" stroke="black"/>
                  <g class="text">
                    <text x="20" y="36">data</text>
                    <text x="72" y="36">stream:</text>
                    <text x="32" y="84">seg</text>
                    <text x="56" y="84">0</text>
                    <text x="76" y="84">ct</text>
                    <text x="124" y="84">(=</text>
                    <text x="148" y="84">B)</text>
                    <text x="32" y="116">seg</text>
                    <text x="56" y="116">1</text>
                    <text x="76" y="116">ct</text>
                    <text x="124" y="116">(=</text>
                    <text x="148" y="116">B)</text>
                    <text x="32" y="148">...</text>
                    <text x="32" y="180">seg</text>
                    <text x="80" y="180">n_seg-1</text>
                    <text x="128" y="180">(&lt;=</text>
                    <text x="156" y="180">B)</text>
                    <text x="36" y="228">metadata</text>
                    <text x="104" y="228">stream:</text>
                    <text x="36" y="276">salt</text>
                    <text x="116" y="276">commitment</text>
                    <text x="220" y="276">meta_0</text>
                    <text x="296" y="276">...</text>
                    <text x="368" y="276">meta_last</text>
                    <text x="468" y="276">snapshot</text>
                    <text x="36" y="292">(32)</text>
                    <text x="116" y="292">(Nh)</text>
                    <text x="220" y="292">(meta_len)</text>
                    <text x="372" y="292">(meta_len)</text>
                    <text x="484" y="292">(Na)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
data stream:

+--------------------+
| seg 0 ct    (= B)  |
+--------------------+
| seg 1 ct    (= B)  |
+--------------------+
| ...                |
+--------------------+
| seg n_seg-1 (<= B) |
+--------------------+

metadata stream:

+------+------------+------------+-----+------------+---------------+
| salt | commitment |   meta_0   | ... | meta_last  | snapshot      |
| (32) |    (Nh)    | (meta_len) |     | (meta_len) |     (Na)      |
+------+------------+------------+-----+------------+---------------+
]]></artwork>
            </artset>
          </figure>
          <t>Because neither stream embeds the other, both grow by appending.
Extending a message appends one ciphertext segment to the data stream,
appends one metadata entry to the metadata stream, and rewrites the
trailing snapshot value.  Truncating drops the tail of each stream and
rewrites the snapshot value.  Neither operation shifts an existing
ciphertext segment, which the in-place aligned layout cannot avoid once
the header grows.</t>
        </section>
        <section anchor="read-only-layouts">
          <name>Immutable-Profile Layouts</name>
          <t>Under an immutable profile (SEAL-RO-v1, derived nonce), stored fields
drop out of the layouts above.  Each nonce is recomputed from the key
schedule, so Np = 0 and no nonce is stored.  At snap_id 0x0000 no
snapshot authenticator runs, so the snapshot value also drops (Na = 0),
and a metadata entry is the Nt-octet tag alone.  The linear layout
reduces to the salt, the commitment, and the per-segment ciphertext and
tags.  The aligned and split header sizes are:</t>
          <artwork><![CDATA[
snap_id 0x0000 (Na = 0):
    32 + commitment_length + Nt * n_seg
snap_id 0x0002 (Na = Nh, adds the leaf):
    32 + commitment_length + Nh + (Nt + Nh) * n_seg
snap_id 0x0003 (adds the epoch-heads region):
    32 + commitment_length + Nh + E * Nh + (Nt + Nh) * n_seg
]]></artwork>
          <t>At snap_id 0x0002 each aligned or split metadata entry also carries the
segment's leaf (<xref target="digest-transcript"/>).  At snap_id 0x0003 the header
also carries the epoch-heads region (<xref target="epoch-digest-tree"/>).  In the
aligned layout every ciphertext segment begins at a multiple of
segment_max, so a reader seeks to any segment by arithmetic on its index
and verifies it from its own tag.</t>
        </section>
      </section>
      <section anchor="named-instantiations">
        <name>SEAL Named Instantiations</name>
        <t>SEAL has many parameters (<xref target="components"/>).  A relying protocol that does
not want to choose them all can cite one of the named instantiations
in the table below.  Each row fixes a profile, a segment size, the nonce
mode, a snapshot authenticator, and one of the serialization layouts of
<xref target="file-layouts"/>, leaving the cipher suite (an aead_id and a kdf_id from
<xref target="concrete"/>) to the referencing protocol.  Each instantiation applies
to a cipher suite the same way, so a protocol writes
SEAL-simple(aead_id, kdf_id), SEAL-disk(aead_id, kdf_id), and so on,
to obtain a complete raAE scheme.</t>
        <table anchor="named-instantiation-table">
          <name>SEAL named instantiations</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Profile</th>
              <th align="left">segment_max</th>
              <th align="left">nonce_mode</th>
              <th align="left">epoch</th>
              <th align="left">snap_id</th>
              <th align="left">layout</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">SEAL-simple</td>
              <td align="left">SEAL-RO-v1</td>
              <td align="left">65536</td>
              <td align="left">derived</td>
              <td align="left">32</td>
              <td align="left">0x0000</td>
              <td align="left">linear</td>
            </tr>
            <tr>
              <td align="left">SEAL-attachment</td>
              <td align="left">SEAL-RO-v1</td>
              <td align="left">65536</td>
              <td align="left">derived</td>
              <td align="left">10</td>
              <td align="left">0x0003</td>
              <td align="left">aligned</td>
            </tr>
            <tr>
              <td align="left">SEAL-attachment-small</td>
              <td align="left">SEAL-RO-v1</td>
              <td align="left">65536</td>
              <td align="left">derived</td>
              <td align="left">10</td>
              <td align="left">0x0002</td>
              <td align="left">aligned</td>
            </tr>
            <tr>
              <td align="left">SEAL-editable</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">65536</td>
              <td align="left">random</td>
              <td align="left">16</td>
              <td align="left">0x0001</td>
              <td align="left">linear</td>
            </tr>
            <tr>
              <td align="left">SEAL-memory</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">16384</td>
              <td align="left">random</td>
              <td align="left">16</td>
              <td align="left">0x0001</td>
              <td align="left">aligned</td>
            </tr>
            <tr>
              <td align="left">SEAL-disk</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">16384</td>
              <td align="left">random</td>
              <td align="left">16</td>
              <td align="left">0x0001</td>
              <td align="left">split</td>
            </tr>
            <tr>
              <td align="left">SEAL-compact</td>
              <td align="left">SEAL-RW-v1</td>
              <td align="left">16384</td>
              <td align="left">derived</td>
              <td align="left">16</td>
              <td align="left">0x0001</td>
              <td align="left">aligned</td>
            </tr>
          </tbody>
        </table>
        <t>Each instantiation is named for its primary use case, described below.
The snap_id column selects the snapshot authenticator within the
profile's admitted set (<xref target="profiles"/>).</t>
        <t>Every instantiation uses commitment_length = Nh and a fresh 32-octet
salt per object (<xref target="full-encryption"/>).  The epoch_length is the value in
the table.  The write-once SEAL-simple performs no rewrites, so it takes
a larger epoch (32).  SEAL-attachment, also write-once, takes
epoch_length 10 for the epoch digest tree's grouping
(<xref target="epoch-transcript-table"/>).  SEAL-attachment-small takes the same
epoch_length as SEAL-attachment for the same aligned per-segment use
case.  The four mutable schemes take a conservative 16 that leaves the
per-epoch-key budget headroom for rewrites, which reuse the epoch key
(<xref target="aead-usage-limits"/>).  A 256-bit-nonce suite (AEGIS-256, AEGIS-256X2)
uses a flat key (epoch_length 63) regardless of the row
(<xref target="aead-table"/>), and a referencing protocol <bcp14>MAY</bcp14> override the epoch.
Each instantiation binds the layout named in its row (<xref target="file-layouts"/>).
The layout fixes field order and placement, and the consuming protocol
pins the remaining serialization details, such as the aligned layout's
prefix and leading slot, for byte-level interoperability.  SEAL-compact
is mutable with a derived nonce, so an in-place rewrite reuses that
nonce, which requires an MRAE AEAD (<xref target="profiles"/>).  The write-once
SEAL-simple, SEAL-attachment, and SEAL-attachment-small, and the
random-nonce SEAL-editable, SEAL-memory, and SEAL-disk admit any AEAD.</t>
        <t>SEAL-simple is for write-once content read whole.  It carries no
snapshot authenticator, because under the immutable profile per-segment
authentication and the finality bit detect truncation, reordering, and
tampering on a whole-object read, and write-once leaves no earlier
version to roll a segment back to (<xref target="snapshot-limitations"/>).  Its
linear layout takes the reduced immutable form (<xref target="read-only-layouts"/>).</t>
        <t>SEAL-attachment is for write-once content whose segments a reader
verifies or decrypts individually.  It requires the epoch digest tree
(snap_id 0x0003, <xref target="epoch-digest-tree"/>):  an object under
SEAL-attachment <bcp14>MUST</bcp14> carry its snapshot value, which binds every
segment's ciphertext into the two-level fold's Nh-octet snapshot value
that holds even against holders of the CEK.  Its aligned layout
(<xref target="aligned-layout"/>) stores each epoch's leaf run in the metadata
stream, so a reader verifies one segment in two aligned metadata reads
plus the segment itself, without reading the other segments.  Each of
those two reads is one segment_max or less for objects up to about 128
GB at the recommended parameters (<xref target="epoch-transcript-table"/>,
<xref target="snapshot-security-edt"/>).</t>
        <t>SEAL-attachment-small is the same shape for small write-once content
whose segments a reader verifies or decrypts individually, without the
epoch digest tree's locality benefit.  It uses the flat digest
transcript (snap_id 0x0002, <xref target="digest-transcript"/>) in the aligned
layout.  A reader still verifies one segment against the snapshot, but
does so by reading the full leaf list rather than one epoch's leaf run
and the list of epoch heads.  That is a sensible tradeoff when the
object is small enough that the leaf list fits in one read anyway, or
when the consumer verifies every segment on the way through.</t>
        <t>SEAL-editable is the basic mutable object with whole-object integrity
from the masked multiset hash (<xref target="masked-multiset-hash"/>), stored in the
linear layout (<xref target="linear-layout"/>).  SEAL-memory targets in-memory random
access with the aligned layout (<xref target="aligned-layout"/>).  SEAL-disk rewrites
individual segments on stored media, with the split layout
(<xref target="split-layout"/>) holding the headers apart from the segment data so a
rewrite touches one segment and extension appends to both streams.</t>
        <t>SEAL-compact is the aligned layout with a derived nonce.  Like
SEAL-memory it stores each segment at a fixed offset for random access,
but the derived nonce is recomputed rather than stored, so each
per-segment metadata entry is Nt octets instead of Nn + Nt
(<xref target="aligned-layout"/>).  Because that region scales with the object,
removing the stored nonce saves Nn octets per segment, a substantial
part of the metadata for the large random-access objects the aligned
layout targets.  It reuses the derived nonce on an in-place rewrite, so
it requires an MRAE AEAD and the rewrite is deterministic.</t>
      </section>
    </section>
    <section anchor="security-properties">
      <name>Security Analysis</name>
      <t>This section states the construction's target security properties, the
assumptions its components must satisfy, and the operational limits on
its use, but does not reproduce the formal proofs.  The division of
labor is deliberate.  The ra-ROR and ra-CMT notions are taken unchanged
from <xref target="FLRR25"/>, whose proofs apply to SEAL's realization of the base
interface.  Snapshot integrity is the one notion this document defines.
<xref target="appendix-snapshot"/> argues its bound, and integrating that argument
into a combined proof is deferred to <xref target="SEALPROOFS"/>, the companion
formal write-up, in preparation, that this document cites for every
deferred proof.  The limits of <xref target="aead-usage-limits"/> are operational
deployment bounds, not proof obligations.  The security notions are
defined in <xref target="raae-security"/>.</t>
      <section anchor="operational-summary">
        <name>Operational Summary</name>
        <t>The construction provides the following properties against an adversary
that observes ciphertexts, tampers with stored segments or their order,
and attempts decryption with chosen keys, but does not know the CEK or
per-content salt:</t>
        <dl>
          <dt>Confidentiality:</dt>
          <dd>
            <t>The construction targets ra-ROR (<xref target="ra-ror"/>): the adversary learns
nothing about the plaintext beyond what the underlying AEAD already
permits.  The adversary observes the message's segment count and the
per-segment lengths from the wire format.  Segment boundary metadata
is not confidential.</t>
          </dd>
          <dt>Integrity:</dt>
          <dd>
            <t>A reader that runs snapshot verification, including its index-set
check over the correct segment count n_seg (<xref target="snapshot-interface"/>),
detects any added, dropped, reordered, or re-marked segment, including
same-index rollback to an older valid segment.  Per-segment AEAD
verification alone detects modification of individual segments and
relocation of a segment to a different index, but reverting a segment
to a previous version at the same index is not detected.  Snapshot
verification realizes the snapshot integrity notion of
<xref target="snapshot-integrity"/>.  Replacement of the entire message with a
previous valid version under the same CEK is not detected, even when
performing snapshot verification.  Rollback resistance at the message
level is the application's responsibility (<xref target="snapshot-limitations"/>).</t>
          </dd>
          <dt>Context commitment:</dt>
          <dd>
            <t>A reader that verifies the commitment (<xref target="framework-commitment"/>)
rejects a wrong CEK, parameter context, or global associated data
before decrypting any segment, per the ra-CMT notion (<xref target="ra-cmt"/>).
Commitment to segment positions is out of scope.  See
<xref target="key-commitment"/> for that gap and its non-normative mitigations.</t>
          </dd>
          <dt>Rewrite safety:</dt>
          <dd>
            <t>An individual segment can be rewritten in place under the same CEK
without re-derivation of other keys, provided the per-key AEAD usage
budget (<xref target="aead-usage-limits"/>) is not exceeded.  A rewrite reuses the
segment's derived nonce, so in derived nonce mode it <bcp14>MUST</bcp14> use an MRAE
AEAD (<xref target="derived-nonces"/>).  Rewrite safety is otherwise a corollary of
ra-ROR and snapshot integrity (<xref target="raae-relations"/>).</t>
          </dd>
          <dt>Out of scope:</dt>
          <dd>
            <t>Atomicity of writes (the application <bcp14>MUST</bcp14> use write-ahead logging or
copy-on-write); confidentiality of segment count or layout;
traffic-analysis resistance; side channels in the application's
storage layer; protection of the CEK before encryption or after
decryption.</t>
          </dd>
        </dl>
      </section>
      <section anchor="raae-security">
        <name>Security Notions</name>
        <t>raAE has two security tiers.  The base tier comprises the two notions
inherited from <xref target="FLRR25"/>, ra-ROR and ra-CMT, summarized here.  The
extension tier adds one notion, snapshot integrity, defined by this
document.  A construction <bcp14>MAY</bcp14> provide the base tier only.  Advantage
definitions and proofs for ra-ROR and ra-CMT are in <xref target="FLRR25"/>.</t>
        <section anchor="ra-ror">
          <name>ra-ROR</name>
          <t>ra-ROR (random-access real-or-random) is the joint confidentiality and
authenticity notion for raAE in a multi-user, nonce-respecting setting.
An adversary with adaptive encryption and decryption access across many
key instances, sessions, and arbitrary positions cannot distinguish real
ciphertexts and headers from random, and cannot make an out-of-context
ciphertext segment decrypt.  The game is defined in <xref target="FLRR25"/>.</t>
          <t>The encryption core of the extension operations is ordinary EncSeg.
A RewriteSeg produces its replacement ciphertext as a repeated
EncSeg at the same position, and appending is EncSeg at fresh
positions plus one RewriteSeg of the old final segment.</t>
          <t>In random nonce mode these draw fresh nonces and stay within the
nonce-respecting ra-ROR game.  In derived nonce mode a rewrite
reuses the position's derived nonce.  This is a deliberate
nonce-repeating query.  The underlying MRAE AEAD handles it under
the equality-leakage relaxation that derived nonce mode documents
(<xref target="appendix-nonce-modes"/>), not the unmodified nonce-respecting
game.</t>
          <t>These operations also maintain a snapshot value.  That value is
outside the <xref target="FLRR25"/> syntax.  It is governed not by ra-ROR but by
the snapshot integrity notion of <xref target="snapshot-integrity"/>.</t>
        </section>
        <section anchor="ra-cmt">
          <name>ra-CMT</name>
          <t>ra-CMT (random-access context commitment) is the segment-level
commitment notion:  no single ciphertext segment decrypts successfully
under two different decryption contexts (key, nonce, global associated
data, and per-segment associated data).  In the position-respecting
variant ra-CMT the two contexts share a position.  The ra-CMT-p variant
lets the adversary choose the positions freely.  Because the scheme is
random access, committing one segment's context commits the full
ciphertext's context.  Both game variants are defined in <xref target="FLRR25"/>.</t>
          <t>ra-CMT is distinct from the per-AEAD notions CMT-1 and CMT-4 of
<xref target="RFC9771"/>: a scheme can achieve ra-CMT through an external commitment
mechanism even when its underlying AEAD commits to nothing.  The
Invisible Salamanders attacks (<xref target="DGRW18"/>) show what a non-committing
AEAD permits, and <xref target="ADG22"/> frames it as a key-commitment failure with
fixes.</t>
        </section>
        <section anchor="snapshot-integrity">
          <name>Snapshot Authentication</name>
          <t>Per-segment AEAD authenticates a segment at its position, but it does
not authenticate the current object snapshot: which set of segments
belongs to the current stored object state.  An adversary with write
access to stored segments can silently substitute an old valid
same-index segment or delete a segment, and per-segment AEAD
verification at each presented segment still passes.  (A segment moved
to a different index fails its AEAD check through the index binding of
<xref target="concrete-segment-aad"/>.)</t>
          <t>Snapshot authentication covers that set.  The resulting notion, snapshot
integrity, is the one this document adds.  The construction that
realizes it is in <xref target="snapshot-authenticator"/>, its bound is in
<xref target="snapshot-security"/>, and the supporting reduction is in
<xref target="appendix-snapshot"/>.  A combined formal treatment with the ra-ROR
framework is in preparation (<xref target="SEALPROOFS"/>).</t>
          <t>A construction <bcp14>MAY</bcp14> omit snapshot integrity, providing only the
per-segment guarantees and ra-CMT.  SEAL provides it under a snapshot
authenticator (snap_id != 0x0000) and omits it otherwise (<xref target="profiles"/>).</t>
        </section>
      </section>
      <section anchor="raae-relations">
        <name>Relations to Other Notions</name>
        <t>raAE relates to the following established security notions.</t>
        <dl>
          <dt>AEAD (<xref target="RFC5116"/>):</dt>
          <dd>
            <t>raAE generalizes AEAD to multi-segment content with arbitrary-order
encryption.  A single-segment raAE is an AEAD.</t>
          </dd>
          <dt>nOAE2 (<xref target="Tink"/>):</dt>
          <dd>
            <t>nOAE2 is the nonce-based online authenticated encryption notion for
schemes that encrypt in order and support random-access decryption.
Hoang and Shen introduced nOAE2 in their analysis of Tink Streaming
AEAD (<xref target="Tink"/>), where they also show STREAM satisfies it.  ra-ROR is
strictly stronger:  every ra-ROR-secure scheme is nOAE2-secure when
used in order, but nOAE2-secure schemes can fail when encryption order
is arbitrary (<xref target="FLRR25"/>).</t>
          </dd>
          <dt>Commitment (<xref target="RFC9771"/>):</dt>
          <dd>
            <t>CMT-1 and CMT-4 (<xref target="RFC9771"/>) are per-AEAD commitment notions.
ra-CMT is the corresponding notion for segmented random-access
schemes.  See <xref target="ra-cmt"/>.</t>
          </dd>
        </dl>
        <t>Rewrite safety and extension safety are corollaries of the notions
above, not additional notions.  Replacing a segment in place is an
EncSeg at an already-used position together with a snapshot update.  In
random nonce mode it adds no adversary capability beyond ra-ROR
(<xref target="ra-ror"/>) and snapshot integrity (<xref target="snapshot-integrity"/>).  In
derived nonce mode the rewrite repeats the segment nonce, so it <bcp14>MUST</bcp14> use
an MRAE AEAD (<xref target="derived-nonces"/>), and it adds the equality-leakage
relaxation that derived nonce mode already documents
(<xref target="appendix-nonce-modes"/>).  Each rewrite also counts against the
per-key AEAD usage budget (<xref target="aead-usage-limits"/>).</t>
        <t>Appending and truncating likewise add no algorithm (<xref target="extend"/>) and no
notion.  An adversary's ability to add, drop, reorder, or re-mark a
terminal segment is exactly the snapshot integrity adversary of
<xref target="snapshot-integrity"/>, and detection follows from the index and
finality binding of <xref target="concrete-segment-aad"/> together with snapshot
verification.  Rollback of the whole object to an earlier honest (state,
snapshot) after truncation is the freshness case that snapshot integrity
excludes (<xref target="snapshot-limitations"/>).  The application supplies it.</t>
      </section>
      <section anchor="adversary-model">
        <name>Adversary Model and Assumptions</name>
        <t>The adversary model is that of the ra-ROR game (<xref target="ra-ror"/>, <xref target="FLRR25"/>).
In the construction's terms: the adversary can observe all ciphertexts
and content metadata, tamper with individual segments or their ordering,
replace the snapshot value, and attempt decryption with chosen keys.
The adversary does not know the CEK, any derived key, or the per-content
salt.  Every bound in this section assumes the CEK is secret and
uniform: an application <bcp14>MUST</bcp14> supply a CEK that is either generated
uniformly at random or derived so that it is computationally
indistinguishable from uniform, such as the output of a KDF keyed by a
secret.  When multiple messages share a CEK, the per-content salt
separates payload schedule outputs across messages under the PRF
assumption.  The multi-message advantage grows linearly in the number of
messages.  The construction claims the properties below against this
adversary.</t>
        <t>The persistent state of an raAE object, and the party that owns each
item, is:</t>
        <dl>
          <dt>CEK:</dt>
          <dd>
            <t>Secret key-management state.  It is the root secret for the object.</t>
          </dd>
          <dt>salt:</dt>
          <dd>
            <t>Stored object metadata.  It separates objects under one CEK.</t>
          </dd>
          <dt>parameter set:</dt>
          <dd>
            <t>Profile or object metadata.  It fixes suite, maximum segment size,
and epoch policy.</t>
          </dd>
          <dt>commitment:</dt>
          <dd>
            <t>Stored object metadata.  It rejects wrong key or parameter context
before decryption.</t>
          </dd>
          <dt>segment metadata:</dt>
          <dd>
            <t>Storage-format state.  It holds AEAD tags, the per-segment nonces
in random nonce mode, and the ciphertext-digest leaves under the
digest transcript.</t>
          </dd>
          <dt>snapshot:</dt>
          <dd>
            <t>Stored object metadata.  It authenticates the segment set and
segment count.</t>
          </dd>
          <dt>external freshness state:</dt>
          <dd>
            <t>Consuming-protocol state.  It detects whole-object rollback.</t>
          </dd>
        </dl>
        <t>The security argument relies on three distinct assumptions about the
KDF.  For derivations whose input keying material is secret and
uniformly random, including payload_key, snap_key, nonce_base,
epoch_key, and the snapshot authenticator's keyed derivations, the KDF
is assumed to be a multi-user PRF with domain separation by protocol_id
and label.</t>
        <t>For commitment, the function</t>
        <artwork><![CDATA[
Commit(CEK, payload_info, G, L) =
    KDF(protocol_id, "commit", [CEK], [...payload_info, G], L)
]]></artwork>
        <t>is additionally assumed to be collision resistant over adversarially
chosen tuples (CEK, payload_info, G), with G empty by default.  PRF
security alone is not sufficient for this property, because the
commitment adversary may choose the CEK and context values.</t>
        <t>For the plaintext-bound nonce construction, the plaintext digest step
targets collision resistance, not PRF security.</t>
        <t>For the HKDF cipher suites (HKDF-SHA-256, HKDF-SHA-384, and
HKDF-SHA-512), the PRF assumptions are placed on HKDF keyed by the CEK
or payload_key, and the collision-resistance assumption on the commit
derivation reduces to the collision resistance of the underlying SHA-2
variant (SHA-256, SHA-384, or SHA-512).  Because every SEAL KDF output
is at most Nh octets, HKDF-Expand makes a single HMAC call per
derivation.  The extractor-then-PRF analysis of HKDF is in <xref target="RFC5869"/>.</t>
        <t>For TurboSHAKE-256 (<xref target="RFC9861"/>, the one-step XOF cipher suite defined
in <xref target="I-D.ietf-hpke-pq"/>), the same PRF and collision-resistance
assumptions are placed on the XOF as instantiated by that HPKE KDF
registry entry, which fixes the primitive and its parameters but carries
no security assumptions of its own.</t>
      </section>
      <section anchor="framing">
        <name>raAE Construction Requirements</name>
        <t>The bounds below rely on properties of the construction's components,
namely the KDF framing and the snapshot authenticator.  The requirements
those components <bcp14>MUST</bcp14> satisfy are obligations on the raAE construction,
not part of the raAE primitive of <xref target="raae"/>.</t>
        <t>A profile selects the concrete framing for every derivation surface: the
KDF input assembly (<xref target="key-derivation"/>), the payload_info construction
(<xref target="components"/>), the segment AAD (<xref target="concrete-segment-aad"/>), and the
snapshot authenticator's keyed inputs (<xref target="snapshot-authenticator"/>).  The
requirements below are the contract that any such framing <bcp14>MUST</bcp14> meet.
SEAL is one such framing (<xref target="concrete-framing"/>, <xref target="seal-encodings"/>).</t>
        <t>The per-component requirements any raAE construction must satisfy are
as follows.</t>
        <dl>
          <dt>Pseudorandomness:</dt>
          <dd>
            <t>KDF outputs <bcp14>MUST</bcp14> be computationally indistinguishable from random to
an adversary that does not know the ikm, assuming the underlying
hash or PRF is a secure pseudorandom function.</t>
          </dd>
          <dt>Injectivity:</dt>
          <dd>
            <t>The construction <bcp14>MUST</bcp14> define the encoding of the tuple (protocol_id,
label, ikm, info, L) into the underlying primitive input, and that
encoding <bcp14>MUST</bcp14> be injective: distinct tuples <bcp14>MUST</bcp14> map to distinct
primitive inputs.  This is a requirement on the encoding, not on the
KDF.  The KDF need not itself be injective, because injectivity is
supplied by the encoding placed in front of it.  ikm and info <bcp14>MUST</bcp14> be
unambiguously separable in the encoded input, whatever the number of
elements each contains.
The two-step form binds ikm and info in its separate Extract and
Expand inputs.  The one-step form frames ikm and info each as a single
encode element.  Where the encoding admits inputs too large to encode
literally, it <bcp14>MAY</bcp14> substitute a fixed-length digest of the over-large
field.  The encoding is then injective only up to the collision
resistance of that digest, which the construction <bcp14>MUST</bcp14> justify and
domain-separate from the literal encoding (<xref target="concrete-framing"/>).</t>
          </dd>
          <dt>Label uniqueness:</dt>
          <dd>
            <t>Each derivation role, including commitment, payload key, snapshot
authenticator key, nonce base, epoch key, segment nonce, hedged key,
and the authenticator's internal roles, <bcp14>MUST</bcp14> use a distinct label
string within each protocol version.</t>
          </dd>
          <dt>Protocol binding:</dt>
          <dd>
            <t>The protocol_id <bcp14>MUST</bcp14> appear as a distinct component of the KDF
primitive input.  Different application protocols using the same
AEAD and KDF <bcp14>MUST</bcp14> use different protocol_id values to ensure that
derived values from one protocol cannot be confused with those from
another.</t>
          </dd>
          <dt>Output length commitment:</dt>
          <dd>
            <t>The requested output length L <bcp14>MUST</bcp14> be part of the KDF primitive
input.  This prevents attacks in which an adversary attempts to use
a truncated version of a longer derived output as a valid shorter
one.</t>
          </dd>
          <dt>Cross-role isolation:</dt>
          <dd>
            <t>A KDF output for one derivation role, such as payload_key, <bcp14>MUST</bcp14> be
computationally independent of the output for any other role, such
as snap_key, even when derived from the same CEK and payload_info.
This property follows from label uniqueness and PRF security of the
underlying primitive.</t>
          </dd>
          <dt>Snapshot authenticator:</dt>
          <dd>
            <t>The construction <bcp14>MUST</bcp14> bind the current segment set and the segment
count into a public snapshot value that an adversary without the
authenticator's secret key cannot forge for a modified segment set
or count, even after observing snapshot values and their deltas
across rewrites.  How the value is computed, and whether a
single-segment change updates it in place or rebuilds it, is the
authenticator's choice.  SEAL's snapshot authenticators are in
<xref target="snapshot-authenticator"/>.</t>
          </dd>
        </dl>
        <t>SEAL's construction (<xref target="framework"/>) satisfies these requirements.  Its
KDF (<xref target="concrete-framing"/>), any of the cipher suites in <xref target="kdf-table"/>
keyed by the CEK, is modeled as a pseudorandom function.  Its encode
framing (<xref target="concrete-framing"/>) is injective and places protocol_id and
the output length L in the primitive input, so injectivity, protocol
binding, and output-length commitment hold.  SEAL's labels
(<xref target="label-table"/>, the masked multiset hash's labels in
<xref target="masked-multiset-hash"/>, the digest transcript's label
"snap_transcript" in <xref target="digest-transcript"/>, the epoch digest tree's
labels "snap_epoch" and "snap_epoch_root" in <xref target="epoch-digest-tree"/>, the
plaintext-bound construction's labels in <xref target="appendix-pt-bound"/>, and the
hedged-randomness label in <xref target="hedged-randomness"/>) are distinct, giving
label uniqueness and, with PRF security, cross-role isolation.  SEAL's
masked multiset hash (<xref target="snapshot-authenticator"/>) satisfies the snapshot
authenticator requirement, with its forgery argument in
<xref target="snapshot-security"/>.</t>
        <t>encode is injective.  Among fields of at most 0xFFFE octets each frame
entry is self-delimiting, so the concatenation parses uniquely
regardless of the number of arguments, and distinct input tuples produce
distinct output strings.  For over-large fields the encoding is
injective only up to the collision resistance of LH, not
unconditionally:  a literal entry carries a length prefix in the range
0x0000 through 0xFFFE while a digest entry carries the reserved prefix
0xFFFF, so a literal entry and a digest entry never collide, and a
collision between two digest entries reduces to a collision in LH.  A
0xFFFF entry is bind-only:  it commits to the field but does not carry
it, so a protocol that must recover a field from the encoding <bcp14>MUST</bcp14> keep
that field at most 0xFFFE octets.  SEAL's own derived and fixed fields,
the payload_info elements, the commitment, the leaf elements, and the
uint-encoded scalars, are all at most 0xFFFE octets, so for them frame
is byte-identical to a plain 2-octet length prefix.  The two
caller-supplied octet strings, the global associated data G
(<xref target="message-inputs"/>) and the per-segment associated data A_i, are
unbounded:  an application that supplies one longer than 0xFFFE octets
has that field bound as 0xFFFF || LH of it.  The digest transcript
invokes LH directly on each segment's ciphertext, digesting it to a
fixed Nh-octet value that it concatenates with the Nt-octet tag to form
leaf(i) before framing it into the transcript (<xref target="digest-transcript"/>),
so no transcript element is over-large.</t>
        <t>The "raAE-LP-v1" prefix (the HKDF-Extract salt in the two-step class, a
fixed input prefix in the one-step class) is distinct from every
protocol_id and label, so LH inputs are domain-separated from encode
inputs.  LH is a shared collision-resistant digest rather than a
per-protocol separator: the same over-large field yields the same LH
value in every protocol that reuses this combiner.  Cross-protocol
separation comes from protocol_id in the KDF inputs and from aad_label
in the segment AAD, not from LH.</t>
        <t>A concrete SEAL suite specifies the following.</t>
        <dl>
          <dt>AEAD:</dt>
          <dd>
            <t>One of the algorithms from <xref target="concrete-algorithms"/>, with associated
Nk, Nn, and Nt values.</t>
          </dd>
          <dt>KDF:</dt>
          <dd>
            <t>One of the KDF cipher suites from <xref target="kdf-table"/>.</t>
          </dd>
          <dt>nonce_mode:</dt>
          <dd>
            <t>A per-object payload_info field constrained by the profile, not a
suite-fixed lock.  <xref target="aead-table"/> gives the default mode each suite
uses in the mutable profile.  A profile <bcp14>MAY</bcp14> select any valid
(nonce_mode, snap_id) tuple (<xref target="parameter-misuse"/>): in the mutable
profile an MRAE AEAD <bcp14>MAY</bcp14> use either mode, and the immutable profile
SEAL-RO-v1 pairs a derived nonce with any AEAD because write-once
keeps every derived nonce unique.</t>
          </dd>
          <dt>epoch_length:</dt>
          <dd>
            <t>The key-rotation granularity, with range given by <xref target="aead-table"/>.
Per <xref target="security-properties"/>, a 96-bit-nonce AEAD rotates the segment
key to bound per-key nonce-collision risk and an MRAE AEAD rotates to
bound its per-key encryption count, so both take epoch_length in 0 to
63.  A 256-bit-nonce AEAD makes both negligible and uses a flat key.</t>
          </dd>
          <dt>segment_max:</dt>
          <dd>
            <t>One of the sizes from <xref target="concrete"/>: 16384 or 65536 octets.</t>
          </dd>
        </dl>
        <t>Fábrega et al. (<xref target="FLRR25"/>) proved ra-ROR and ra-CMT security for a
construction that instantiates the same component contracts enumerated
above, and SEAL's analysis of those notions follows the same structure.
SEAL's additional components (the epoch keys and the snapshot maintained
across rewrite and length change) are analyzed in <xref target="segment-security"/>
and <xref target="snapshot-security"/>.</t>
      </section>
      <section anchor="segment-security">
        <name>Segment Confidentiality and Integrity</name>
        <t>The construction targets ra-ROR security (<xref target="ra-ror"/>).  The ra-ROR
advantage bound, its adversary parameters, and the per-term analysis are
in <xref target="appendix-reductions"/>, with the full proof in preparation
(<xref target="SEALPROOFS"/>).  This section states the property and the operational
quantities a deployment needs.</t>
        <t>Ciphertext cores are indistinguishable from random under the ra-ROR
definition, up to the public length leakage, the equality leakage
allowed by derived nonce mode, and public metadata exposed by the
consuming format (file-level headers, stored nonces in random mode, the
salt, and the commitment).  Each segment AEAD ciphertext binds the
segment to its own index and finality bit (through segment_aad in random
nonce mode and through the nonce in derived nonce mode) so an adversary
cannot modify or substitute a segment under a given index, or flip its
finality bit, without causing an AEAD verification failure on that
segment.  Same-index rollback to an older valid segment within the same
message is not detected by per-segment AEAD alone.  This requires the
snapshot verification of <xref target="snapshot-authenticator"/>.</t>
        <t>The multi-message advantage grows linearly in the number of messages.
In derived nonce mode the salt-collision term q_m^2/2^256 is the only
quadratic floor for the 256-bit-key suites.  For AES-128-GCM the
epoch-key collision floor E^2/2^128 (<xref target="appendix-adv-notation"/>) is
an additional quadratic term that dominates.  In random nonce mode,
with or without the plaintext-bound hedge, the nonce-collision term is
also quadratic:</t>
        <artwork><![CDATA[
nonce collision:  q^2 / 2^(8*Nn + 1)
at Nn = 12:       q^2 / 2^97
]]></artwork>
        <t>where q is the number of segment encryptions under one key and Nn is the
nonce length in octets.  The block-size birthday term is derived in
<xref target="aead-usage-limits"/>.</t>
        <t>Segment size enters the analysis only through the forgery and block-size
terms, both bounded in <xref target="aead-usage-limits"/>.  It does not affect the
confidentiality or commitment terms.  A segment's length is
authenticated implicitly by its AEAD tag, not through segment_aad or the
nonce, so the analysis assumes the consuming format conveys each
segment's true ciphertext length.  Segments shorter than segment_max
consume no more than their share of the per-key budget and need no
separate accounting.</t>
      </section>
      <section anchor="key-commitment">
        <name>Commitment Security</name>
        <t>The ra-CMT notion is defined in <xref target="ra-cmt"/>.</t>
        <t>raAE's commitment target is ra-CMT (random-access context commitment),
not the per-AEAD notion CMT-1 (<xref target="RFC9771"/>).  CMT-1 is key commitment
defined for
AEADs, but raAE is a higher-level construction whose commitment binds
the CEK and the full payload_info, which together carry the full
parameter context that affects encryption, decryption, AAD construction,
nonce construction, and key derivation.</t>
        <t>ra-CMT relies on the collision resistance of the commitment derivation
map over the tuple (protocol_id, "commit", CEK, payload_info, G,
commitment_length), with G empty by default.  PRF security alone does
not suffice, because the commitment adversary may choose the CEK and the
context values (<xref target="key-derivation"/>).  SEAL sets commitment_length = Nh,
so the commitment offers about 2^128 collision-search work with
HKDF-SHA-256 and about 2^256 with TurboSHAKE-256.  The reduction outline
for this assumption and the collision quantities for a general
commitment_length are in <xref target="appendix-commitment"/>.</t>
        <t>The commitment bounds the ra-CMT variant in which the positions match
(<xref target="ra-cmt"/>).  It does not bind the segment position.  Position binding
for the ra-CMT-p variant is inherited from the underlying AEAD's
commitment level.  Because the SEAL AEADs are not natively
key-committing, position confusion under an adversarially chosen key is
out of scope, consistent with <xref target="FLRR25"/>.  A malicious encryptor that
controls the CEK can craft a single ciphertext segment that opens at two
positions, and the per-segment AEAD tag does not prevent it.</t>
        <t>The per-segment associated data A_i is likewise outside the commitment:
SEAL binds A_i through segment_aad and the AEAD tag for that segment.
Contexts that differ only in A_i are therefore not commitment
collisions.  Their separation relies on AEAD commitment for the segment
AAD.  A_i is also rewritable across rewrites and is not bound at the
snapshot level.  An application that needs it bound there <bcp14>MUST</bcp14> bind it
externally.  The exact accounting of this term in the ra-CMT reduction
is deferred to <xref target="appendix-reductions"/>.</t>
        <t>A deployment that must defend against a malicious encryptor who controls
the CEK can close the adversarial-key position gap by one of two
changes.  These are non-normative.  SEAL adds none of them to the
construction.</t>
        <ul spacing="normal">
          <li>
            <t>A context-committing AEAD, so that each segment ciphertext
commits to its full decryption context rather than relying on the
external commitment over (CEK, payload_info, G).</t>
          </li>
          <li>
            <t>A per-segment collision-resistant position commitment, on the order
of 16 to 64 octets per segment, bound alongside the segment so that
no segment opens at two positions.</t>
          </li>
        </ul>
        <t>Several AEADs including AES-GCM (<xref target="NIST-SP-800-38D"/>) and
ChaCha20-Poly1305 (<xref target="RFC8439"/>) lack strong native key or context
commitment.  CMT-4 (<xref target="RFC9771"/>) is full commitment to key, nonce,
associated data, and plaintext.  None of the SEAL AEADs is relied upon
to provide CMT-1 or CMT-4.  In particular, AES-256-GCM-SIV is not a
key-committing AEAD, and key-commitment attacks against it are known
(for example partitioning oracles).  raAE obtains ra-CMT context
commitment from the external commitment over (CEK, payload_info, G)
regardless of the AEAD's own committing or non-committing properties,
provided that the commitment check is not bypassed and that payload_info
contains the full parameter context that influences any later derivation
or AEAD operation.</t>
        <t>With commitment_length = Nh and Nt = 16, ra-CMT is bounded by the
commitment collision resistance, and ra-CMT-p adds the per-segment AEAD
commitment term.  The ra-CMT collision bound is derived in
<xref target="appendix-commitment"/>, and the ra-CMT-p bound is stated there as a
sum.  The two key regimes differ.  Under honestly generated keys the
idealized per-pair tag-forgery floor is 2^(-128) because Nt = 16, and
concrete per-AEAD authenticity bounds degrade with segment length
(<xref target="aead-usage-limits"/>).  Under an adversarially chosen CEK the position
term is the AEAD's commitment level, which the SEAL AEADs are not
relied upon to provide.</t>
        <t>The global associated data G (<xref target="framework-commitment"/>) enters the
committed map as an additional input, empty by default, and the
collision-resistance argument above applies unchanged with G in the
committed context.  This matches the ra-CMT treatment of global
associated data in <xref target="FLRR25"/>.</t>
        <t>The ra-CMT and ra-CMT-p notions are defined in <xref target="FLRR25"/>.  SEAL
realizes ra-CMT through the external commitment over (CEK, payload_info,
G), independent of the underlying AEAD's own commitment level.  Position
binding for ra-CMT-p is inherited from the underlying AEAD's commitment
level, as described above.  This document states these properties and
their component bounds.  The exact accounting of the per-segment
associated data and position terms in the ra-CMT-p reduction is the open
item deferred to the proof in preparation (<xref target="SEALPROOFS"/>).</t>
      </section>
      <section anchor="snapshot-security">
        <name>Snapshot Authenticator Security</name>
        <t>Snapshot authentication is an extension this document adds to the
<xref target="FLRR25"/> raAE framework.  The raAE primitive and its ra-ROR and ra-CMT
notions are taken unchanged from <xref target="FLRR25"/>, whose proofs apply to
SEAL's realization of the base interface.  The snapshot authenticator
adds two operations (RewriteSeg, SnapVerify) over an auxiliary snapshot
value and one new security property, snapshot integrity
(<xref target="snapshot-integrity"/>).  Integrating its reduction into a single
combined proof with the ra-ROR framework is in preparation and will be
published separately (<xref target="SEALPROOFS"/>).</t>
        <t>raAE's guarantees form a ladder.  The table names what establishes each
and who provides it, so the keyed snapshot is not read as sender
attribution.</t>
        <table anchor="snapshot-guarantee-matrix">
          <name>What each layer guarantees</name>
          <thead>
            <tr>
              <th align="left">Guarantee</th>
              <th align="left">Established by</th>
              <th align="left">Scope</th>
              <th align="left">Provided by</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Segment confidentiality and integrity, index and finality bound</td>
              <td align="left">AEAD decrypt, per segment</td>
              <td align="left">segment</td>
              <td align="left">this construction</td>
            </tr>
            <tr>
              <td align="left">Segment-set integrity: content, position, count</td>
              <td align="left">SnapVerify over the snapshot value</td>
              <td align="left">whole object</td>
              <td align="left">this construction</td>
            </tr>
            <tr>
              <td align="left">Sender attribution, third-party verifiability</td>
              <td align="left">signature over the snapshot context</td>
              <td align="left">whole object</td>
              <td align="left">consuming protocol, not provided</td>
            </tr>
            <tr>
              <td align="left">Freshness, whole-object rollback protection</td>
              <td align="left">external version or freshness state</td>
              <td align="left">whole object</td>
              <td align="left">consuming protocol, not provided</td>
            </tr>
          </tbody>
        </table>
        <t>Snapshot integrity is keyed by snap_key and protects the writer's
current segment set against a storage or write adversary that does not
hold snap_key.  A verifier who holds snap_key, hence the CEK from which
it is derived, detects any added, dropped, reordered, re-marked, or
otherwise altered segment.  Forgery of a fresh snapshot value gives no
protection among parties that share the CEK, because any CEK-holder can
recompute snap_key, and the value is not a third-party-verifiable
commitment to a segment set.  Whether a fixed, externally authenticated
snapshot value binds segment content against key holders depends on the
authenticator (<xref target="snapshot-security-dt"/>).  An application that needs
sender attribution or third-party verifiability <bcp14>MUST</bcp14> add a signing layer
over the snapshot context, and <xref target="snapshot-security-dt"/> states which
authenticator's value can carry that layer.</t>
        <t>Per-segment AEAD binds each segment's index and finality bit.  The
snapshot authenticator adds authentication of the full segment set (its
tags at snap_id 0x0001, leaf digests of the stored segments at 0x0002
and 0x0003) and the count n_seg as a single unit, which detects
same-index rollback, segment-set modification, and count changes.  The
index-set check in SnapVerify (<xref target="snapshot-interface"/>) is mandatory:  an
authenticator's verify <bcp14>MAY</bcp14> accept a malformed index multiset, so without
the check a duplicated or dropped index could pass.</t>
        <t>A profile <bcp14>MUST</bcp14> keep each of an authenticator's KDF labels inside the
injective encode frame (<xref target="concrete-framing"/>) so distinct roles cannot
collide on the primitive input.</t>
        <t>Whole-object rollback to a previously valid snapshot is out of scope and
is treated in <xref target="snapshot-limitations"/>.  snap_key is not exposed through
any public API.  It is derived internally per message from the CEK and
salt, so snap_key exposure is not a threat surface in the construction
itself.</t>
        <section anchor="snapshot-security-mmh">
          <name>Masked Multiset Hash</name>
          <t>SEAL's masked multiset hash (snap_id 0x0001) publishes snapshot =
wrapped_acc || snapshot_tag.  The snapshot tag is a MAC over the count
and accumulator under snap_key, and wrapped_acc is that accumulator
hidden behind a deterministic, tag-derived one-time pad.  The mask is
what stops a write adversary from recombining the differences between
published accumulators into a non-historical segment set.  Its three
labels, contrib_label, snapshot_tag_label, and snapshot_mask_label, are
distinct under the encode frame.</t>
          <t>Its forgery advantage Adv_acc is bounded by a fresh-input MAC term, a
mix-and-match term, and a birthday term in the number of published
snapshots that the deterministic masking introduces, on no assumption
beyond the multi-user PRF the key schedule already uses.
<xref target="appendix-adv-notation"/> states the bound and <xref target="appendix-snapshot"/>
derives it.</t>
        </section>
        <section anchor="snapshot-security-dt">
          <name>Digest Transcript</name>
          <t>SEAL's digest transcript (snap_id 0x0002) publishes one keyed KDF
evaluation over the commitment, the segment count, and the ordered leaf
list (<xref target="digest-transcript"/>).  Its transcript label is distinct under
the encode frame, and the injective framing binds each leaf's position
and the count.</t>
          <t>Unforgeability without snap_key rests on the same multi-user PRF
assumption as the rest of the key schedule.  The transcript is a
single PRF evaluation over the framed input, so its term in
<xref target="appendix-adv-notation"/> is a fresh-input forgery term alone:  there
is no accumulator to recombine, no mask, and no birthday term in the
number of published snapshots.</t>
          <t>The leaf leaf(i) = LH(ct_i) || tag(i) gives the transcript two bindings
against a key holder.  The first is content binding.  LH(ct_i)
(<xref target="concrete-framing"/>) is the ciphertext digest, and a fixed transcript
binds the ordered leaf list under the collision resistance of the KDF
over framed inputs, so the ciphertext binding rests on the collision
resistance of LH for any segment length.  Every input to LH is public,
so this is a collision-resistance requirement, separate from the PRF
assumption above, and it does not degrade when the adversary holds the
CEK and every key derived from it.  The digest transcript is still a
symmetric authenticator:  any snap_key holder can compute a valid
snapshot for an object it writes itself.  What a key holder cannot do is
exhibit a second segment set that verifies under a fixed,
already-published transcript value.</t>
          <t>The second binding is the presented nonce, through the tag.  A
non-committing AEAD lets a key holder reinterpret a fixed ciphertext:
holding ct_i unchanged and presenting a different stored nonce yields a
different plaintext under the same key (<xref target="key-commitment"/>), with a tag
the key holder recomputes.  The ciphertext bytes do not change, so a
leaf of LH(ct_i) alone would not detect the substitution.  The tag does
change, because it is a function of the nonce, so a leaf that carries
the tag binds the presented nonce and rejects the reinterpretation.  How
firmly it binds depends on the AEAD's nonce and tag widths:  for the
narrow-nonce suites, whose nonce width Nn is at most the tag width Nt,
the tag is effectively injective in the nonce and the binding is
structural, while for a wide-nonce suite (Nn greater than Nt, AEGIS in
SEAL) a nonce change can preserve the tag only by a 2^(8*Nt) search, so
there the binding is 2^(8*Nt) rather than structural.  The write-once
profiles that select this leaf use derived nonces (<xref target="profiles"/>), which
are not stored, so a wide nonce raises no reinterpretation concern in
deployment.  The tag also binds the segment index and finality, through
the segment AAD in random nonce mode and through the nonce in derived
nonce mode (<xref target="concrete-segment-aad"/>).</t>
          <t>This nonce binding is why the digest transcript places no restriction on
the nonce mode.  In random nonce mode the nonce is stored and a key
holder could otherwise move it, and the tag in the leaf closes that.  In
derived nonce mode the nonce is recomputed from the key schedule and
cannot be moved independently, so the tag is redundant there but not
harmful.  A leaf without the tag, under a non-committing AEAD in random
nonce mode, would be forgeable by a key holder, so SEAL's leaf carries
the tag in every case.</t>
          <t>The masked multiset hash gives no such binding, in two independent
ways.  Its contributions bind AEAD tags, and under an adversarially
known CEK a non-committing AEAD admits a second ciphertext with the
same tag (<xref target="key-commitment"/>), so segment content can change under an
unchanged accumulator.  Separately, its aggregation is linear:  a
party that knows snap_key can evaluate contributions offline and
search for a different tag list with the same accumulator by a
generalized birthday attack, at a cost far below the PRF bound for
objects of more than a few segments.  Neither observation weakens the
masked multiset hash in its own threat model, which excludes key
holders.  Both matter only when a snapshot value is lifted into a
stronger statement.</t>
          <t>That lifting is the signing layer this section requires for sender
attribution.  A signature or MAC over a snapshot value carries content
binding against CEK holders only when the underlying value already binds
content against key holders.  The digest transcript is designed for that
use, and its commitment element carries the full object context (CEK,
payload_info, and G) into the authenticated value, so a signed value
binds one object.  An application <bcp14>MUST NOT</bcp14> rely on a signature over the
masked multiset hash's snapshot value for content attribution among CEK
holders.  A leaf over the tag alone, as the masked multiset hash uses,
would bind content only at the AEAD's commitment level.  The ciphertext
digest is what grounds content binding on collision resistance.  A
fixed, authenticated digest transcript also strengthens position
binding.  It pins each segment's ciphertext to its index, so no one, not
even a party that holds or chose the CEK, can take a valid segment and
make it verify at a different index.  The base construction pins
position only as strongly as the AEAD commits under an adversarial key,
which the SEAL suites do not (<xref target="key-commitment"/>), so a CEK holder can
craft one ciphertext that opens at two positions.  The transcript closes
that gap by grounding position on collision resistance instead.  In the
terms of <xref target="key-commitment"/>, this is the position-commitment notion
ra-CMT-p, restored against adversarially chosen keys.  SEAL's leaf
carries both the ciphertext digest and the tag, because no SEAL suite
carries a commitment claim (<xref target="key-commitment"/>) and all admit random
nonce, so neither component is redundant.</t>
          <t>The formal forgery and content-binding reductions for the digest
transcript are deferred to the combined proof in preparation
(<xref target="SEALPROOFS"/>), with SEAL's other snapshot proofs.</t>
        </section>
        <section anchor="snapshot-security-edt">
          <name>Epoch Digest Tree</name>
          <t>The epoch digest tree (snap_id 0x0003, <xref target="epoch-digest-tree"/>) has the
same per-segment leaf and the same key as the digest transcript, so its
content, nonce, and position bindings are those of
<xref target="snapshot-security-dt"/>.</t>
          <t>The two-level fold rests on the same collision-resistance assumption.
An epoch head binds its epoch's leaf run through LH, and the snapshot
binds the epoch heads through LH, so a forged snapshot requires an LH
collision at one of the two levels or a snap_key PRF forgery on the
head.  The snapshot binds the epoch heads in order and binds n_seg, so
an epoch head cannot move to another position and the segmentation is
fixed by n_seg and epoch_length.</t>
          <t>The forgery term without snap_key is the digest transcript's single
fresh-input PRF term, with no birthday term in the number of published
snapshots.  Against a key holder, substituting content under a fixed
published snapshot requires an LH collision against that fixed target, a
second preimage, at one of three target classes:  the n_seg leaves it
shares with the digest transcript, the E epoch heads, and the single
root.  The work factor is 2^(8*Nh) per target with a benign
multiplicity of n_seg + E + 1, so the two fold levels add the epoch and
root targets to the transcript's leaf targets without lowering the
per-target strength.  A writer that chooses both openings of one
snapshot instead faces a birthday collision at 2^(4*Nh), the same
equivocation floor as the digest transcript, which the fold does not
lower.  The formal two-level reduction, the snap_key PRF term on the
head and the LH terms at the epoch and root levels, is deferred to the
combined proof in preparation (<xref target="SEALPROOFS"/>), with the digest
transcript's.</t>
        </section>
      </section>
      <section anchor="aead-usage-limits">
        <name>Capacity and Usage Limits</name>
        <t>These usage limits are organized around independent limit classes, not
around named suites.  The accounting unit is one segment encryption
under one segment-encryption key (an epoch key).  For random-nonce AEADs
that budget is a single per-epoch-key pool.  For a derived-nonce MRAE
AEAD (AES-256-GCM-SIV in SEAL) there are two separate budgets: a
per-epoch-key budget for distinct derived nonces, and a
per-derived-nonce budget for repeated encryption of one segment.  Such
an AEAD therefore does not follow a simple "divide the per-key budget by
2^epoch_length" model.</t>
        <t>The length-dependent limits in this section are computed at the suite's
segment_max, the largest plaintext one segment encryption carries.
Independent of these per-key budgets, a segment-encryption procedure
<bcp14>MUST</bcp14> respect each underlying AEAD's per-invocation input limits.</t>
        <section anchor="accounting-model">
          <name>Accounting Model</name>
          <t>One segment encryption consumes one write from a segment-encryption
key's budget.  Initial writes and rewrites are both segment encryptions.
The budget belongs to the epoch key, not the CEK.</t>
          <dl>
            <dt>epoch-key budget:</dt>
            <dd>
              <t>the segment encryptions allowed under one epoch key.</t>
            </dd>
            <dt>write (initial write):</dt>
            <dd>
              <t>the first encryption of a segment.</t>
            </dd>
            <dt>rewrite:</dt>
            <dd>
              <t>a later encryption of the same segment.</t>
            </dd>
            <dt>epoch_length (r):</dt>
            <dd>
              <t>the base-2 log of the number of segments that share one epoch key.</t>
            </dd>
          </dl>
          <t>For a random-nonce AEAD an epoch key has one budget, shared by the
segments under it.  For a derived-nonce MRAE AEAD an epoch key has two:
how many distinct segment nonces it may cover, and how many times any
one segment may be re-encrypted at its fixed nonce.</t>
        </section>
        <section anchor="limit-classes">
          <name>Limit Classes</name>
          <t>Six phenomena bound how much may be encrypted.  Each is set by one
property of the AEAD or the segment size, and each bounds
confidentiality or integrity.</t>
          <table anchor="limit-class-table">
            <name>Usage-limit classes</name>
            <thead>
              <tr>
                <th align="left">Limit class</th>
                <th align="left">Applies to</th>
                <th align="left">Depends on</th>
                <th align="left">Failure mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Random-nonce collision</td>
                <td align="left">random nonce modes</td>
                <td align="left">nonce size</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">Forgery bound</td>
                <td align="left">all AEADs</td>
                <td align="left">MAC strength, segment size</td>
                <td align="left">integrity</td>
              </tr>
              <tr>
                <td align="left">Block-size birthday</td>
                <td align="left">block-cipher AEADs</td>
                <td align="left">total blocks</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">MRAE distinct-nonce</td>
                <td align="left">derived-nonce MRAE across segments</td>
                <td align="left">derived-nonce count</td>
                <td align="left">confidentiality and integrity</td>
              </tr>
              <tr>
                <td align="left">Fixed-nonce data volume</td>
                <td align="left">derived-nonce hot rewrites</td>
                <td align="left">segment size, rewrites</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">Epoch-key collision</td>
                <td align="left">128-bit-key AEADs</td>
                <td align="left">key size</td>
                <td align="left">confidentiality</td>
              </tr>
            </tbody>
          </table>
          <t>Random-nonce collision and the block-size birthday bound the
confidentiality of fresh-nonce encryption, and forgery bounds integrity
for every decryption.  Two further classes apply only in derived-nonce
MRAE mode: a derived-key collision across the distinct segment nonces
under an epoch key, and a data-volume limit on repeated encryption of a
single hot segment, one rewritten many times at its one derived nonce.
A sixth class applies only to 128-bit-key AEADs: a collision across the
distinct epoch keys that holds the number of epoch keys per payload_key
below about 2^48 (<xref target="epoch-length-guidance"/>).</t>
        </section>
        <section anchor="binding-limits-for-profiled-suites">
          <name>Binding Limits for Profiled Suites</name>
          <t>For each profiled suite the binding limit is the smallest applicable
class.  At 65536-octet (64 KiB) segments and a 2^-32 advantage target:</t>
          <table anchor="budget-table">
            <name>Binding limits for profiled suites at 64 KiB</name>
            <thead>
              <tr>
                <th align="left">Suite / mode</th>
                <th align="left">Binding limit</th>
                <th align="left">Budget</th>
                <th align="left">Failure mode</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, random</td>
                <td align="left">random-nonce collision</td>
                <td align="left">~2^32 per epoch key</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM, random</td>
                <td align="left">random-nonce collision</td>
                <td align="left">~2^32 per epoch key</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">random-nonce collision</td>
                <td align="left">~2^32 per epoch key</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived, distinct segments</td>
                <td align="left">MRAE distinct-nonce</td>
                <td align="left">~2^48 per epoch key</td>
                <td align="left">confidentiality and integrity</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived, hot segment</td>
                <td align="left">fixed-nonce data volume</td>
                <td align="left">~2^36 per segment at 64 KiB</td>
                <td align="left">confidentiality</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256, random</td>
                <td align="left">forgery bound</td>
                <td align="left">~2^83 per key</td>
                <td align="left">integrity</td>
              </tr>
              <tr>
                <td align="left">AEGIS-256X2, random</td>
                <td align="left">forgery bound</td>
                <td align="left">~2^83 per key</td>
                <td align="left">integrity</td>
              </tr>
            </tbody>
          </table>
          <t>The 96-bit-nonce suites bind on random-nonce collision.  AEGIS makes
nonce collision negligible with a 256-bit nonce (~2^112) and binds on
forgery.  A derived-nonce MRAE AEAD has the two limits above, the
distinct-derived-nonce ceiling and the fixed-nonce data-volume cap, not
a single shared pool.</t>
        </section>
        <section anchor="max-object-size">
          <name>Maximum Write-Once Object Size</name>
          <t>Two limits bound a write-once object: each epoch key's AEAD write
budget, and the 2^63 segment index ceiling.</t>
          <t>Under a flat key (one epoch key for the whole object), the AEAD budget
sets the size:</t>
          <table anchor="write-once-table">
            <name>Flat-key write-once size limit</name>
            <thead>
              <tr>
                <th align="left">Suite</th>
                <th align="left">Flat-key write-once limit</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM</td>
                <td align="left">~2^36 segments</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV</td>
                <td align="left">~2^48 segments</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, AEGIS-256, AEGIS-256X2</td>
                <td align="left">2^63 segments</td>
              </tr>
            </tbody>
          </table>
          <t>For the block ciphers this limit is a confidentiality bound.  The
AES-GCM suites (AES-128-GCM and AES-256-GCM) bind on the block-size
birthday and AES-256-GCM-SIV on the distinct-derived-nonce budget.
ChaCha20-Poly1305 and AEGIS have no write-count confidentiality bound
below the index ceiling.  The AES-128-GCM, AES-256-GCM, and
ChaCha20-Poly1305 figures assume derived nonce mode, which these
non-MRAE suites may use only in a write-once profile.  In the default
random nonce mode they bind earlier, at the random-nonce-collision
budget of about 2^32 per epoch key (<xref target="budget-table"/>).</t>
          <t>With epoch rotation each epoch key carries a fresh budget, so any suite
can reach the 2^63-segment ceiling, about 2^79 octets at 64 KiB
segments.  For AES-128-GCM this requires a sufficiently large
epoch_length.  At epoch_length 0 its epoch-key collision floor caps
the object near 2^48 segments (<xref target="epoch-length-guidance"/>).  Reaching
2^63 needs epoch_length at least 15, so the distinct epoch keys stay
near 2^48.
A rotating profile <bcp14>MUST</bcp14> keep each epoch key's 2^epoch_length initial
writes within its per-key budget.  For a derived-nonce MRAE AEAD that
means 2^epoch_length below the distinct-derived-nonce budget of about
2^48.  Rewrite capacity is a separate condition
(<xref target="rewrite-budget-security"/>).</t>
        </section>
        <section anchor="rewrite-budget-security">
          <name>Rewrite Capacity</name>
          <t>A rewrite consumes the same budget as an initial write.  How that budget
is shared depends on the nonce mode.</t>
          <t>For the random-nonce AEADs, epoch_length divides one per-epoch-key pool
among the 2^epoch_length segments that share the key.  If rewrites are
spread evenly, the count each segment can take falls as epoch_length
rises:</t>
          <table anchor="rewrite-random-table">
            <name>Rewrite share by epoch_length</name>
            <thead>
              <tr>
                <th align="left">Suite / mode</th>
                <th align="left">epoch_length</th>
                <th align="left">Segments per epoch key</th>
                <th align="left">Rewrites per segment</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, random</td>
                <td align="left">0</td>
                <td align="left">1</td>
                <td align="left">~2^32</td>
              </tr>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, random</td>
                <td align="left">6</td>
                <td align="left">64</td>
                <td align="left">~2^26</td>
              </tr>
              <tr>
                <td align="left">AES-128-GCM, AES-256-GCM, random</td>
                <td align="left">10</td>
                <td align="left">1024</td>
                <td align="left">~2^22</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">0</td>
                <td align="left">1</td>
                <td align="left">~2^32</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">6</td>
                <td align="left">64</td>
                <td align="left">~2^26</td>
              </tr>
              <tr>
                <td align="left">ChaCha20-Poly1305, random</td>
                <td align="left">10</td>
                <td align="left">1024</td>
                <td align="left">~2^22</td>
              </tr>
            </tbody>
          </table>
          <t>For a derived-nonce MRAE AEAD the hot-segment rewrite cap is not divided
by 2^epoch_length, because a rewrite reuses the segment's one derived
nonce:</t>
          <table anchor="rewrite-siv-table">
            <name>GCM-SIV rewrite cap by epoch_length</name>
            <thead>
              <tr>
                <th align="left">Suite / mode</th>
                <th align="left">epoch_length</th>
                <th align="left">Segments per epoch key</th>
                <th align="left">Hot-segment rewrite cap</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived</td>
                <td align="left">0</td>
                <td align="left">1</td>
                <td align="left">~2^36 at 64 KiB</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived</td>
                <td align="left">6</td>
                <td align="left">64</td>
                <td align="left">~2^36 at 64 KiB</td>
              </tr>
              <tr>
                <td align="left">AES-256-GCM-SIV, derived</td>
                <td align="left">10</td>
                <td align="left">1024</td>
                <td align="left">~2^36 at 64 KiB</td>
              </tr>
            </tbody>
          </table>
          <t>The hot-segment cap is length-dependent:  about 2^36 at 64 KiB segments
and about 2^38 at 16 KiB.  The distinct-derived-nonce budget stays about
2^48 per epoch key.  A derived-nonce MRAE AEAD thus has two separate
constraints, the distinct derived nonces per epoch key and the repeated
encryptions at one derived nonce.  AEGIS uses a flat key, and its
forgery budget, about 2^83 per key from <xref target="I-D.irtf-cfrg-aegis-aead"/>,
exceeds any reachable rewrite workload.</t>
          <t>Applications <bcp14>MUST</bcp14> track segment encryptions per key and freeze the
object before a budget is exceeded.  The CEK is fixed per object and
cannot be rotated in place, so continued writing requires a new object
under a fresh CEK.</t>
        </section>
        <section anchor="epoch-length-guidance">
          <name>Choosing epoch_length</name>
          <t>epoch_length means different things by mode.  For the random-nonce
AEADs, a smaller epoch_length puts fewer segments under each key, so
each segment keeps a larger share of the random-nonce collision pool, at
the cost of more epoch keys to derive and hold.  For a derived-nonce
MRAE AEAD, a smaller epoch_length reduces the distinct derived nonces
under an epoch key but does not raise the hot-segment rewrite cap, which
is per derived nonce and length-dependent.  AEGIS has a 256-bit nonce
and a high forgery floor, so a flat key (epoch_length 63) is the natural
choice.  When the epoch digest tree (snap_id 0x0003,
<xref target="epoch-digest-tree"/>) is selected, epoch_length also sets the
transcript's grouping fan-out, and <xref target="epoch-transcript-table"/> gives the
value that keeps random-access verification to one aligned read per
epoch.</t>
          <t>The random-access benefit is realized only when epoch_length is in the
grouping range of <xref target="epoch-transcript-table"/>.  A profile that sets a
large epoch_length for key rotation, such as an AEGIS suite's flat key
at 63, makes E = 1, so the fold is a single epoch:  still correct, with
no random-access benefit.  A single epoch is still the two-level epoch
digest tree under its own labels, not the snap_id 0x0002 digest
transcript value.  A profile that wants random-access verification sets
epoch_length to the <xref target="epoch-transcript-table"/> value and accounts for
the resulting per-epoch-key write budget in <xref target="aead-usage-limits"/>.</t>
          <t>The cipher suite's default epoch_length, used when a referencing
protocol does not choose one, is 0 for the suites with an epoch_length
range and 63 for the AEGIS suites.  epoch_length 0 derives a fresh epoch
key per segment, the finest rotation, giving each segment the largest
share of the random-nonce collision pool.  The AEGIS 256-bit nonce makes
a flat key safe.  The named instantiations (<xref target="named-instantiations"/>) do
not take this default:  each pins an epoch_length tuned to its profile
and object size, trading some rotation for fewer epoch keys while
staying within budget.</t>
          <t>The epoch keys are independent under the PRF security of the KDF
(<xref target="RFC8645"/>), so no epoch key is weaker than another.  The epoch_length
parameter controls budget distribution, not key strength.</t>
          <t>For AES-128-GCM the 128-bit AEAD key adds one further constraint.  The
epoch-key collision term (<xref target="appendix-adv-notation"/>) is about
E^2/2^128 over the E distinct epoch keys, so an AES-128-GCM profile
<bcp14>SHOULD</bcp14> keep distinct epoch keys per payload_key below about 2^48, which
holds that term within the 2^-32 target.  At epoch_length 0 this caps
an AES-128-GCM object at about 2^48 segments, far below the 2^63 index
ceiling, so it constrains only extreme object sizes.</t>
        </section>
        <section anchor="derivations">
          <name>Derivations</name>
          <t>The per-suite figures come from the bounds below.</t>
          <section anchor="confidentiality-nonce-collision">
            <name>Confidentiality (Nonce Collision)</name>
            <t>For random nonce mode with Nn-octet nonces and q segment encryptions
under one key, the collision probability follows the birthday bound:</t>
            <artwork><![CDATA[
P(collision) <= q^2 / 2^(8*Nn + 1)
]]></artwork>
            <t>When epoch_length = r is specified, q counts encryptions per epoch key
(initial writes plus rewrites within that epoch), not across the whole
content.  Each epoch key has an independent budget.</t>
            <t>For derived nonce mode, nonces are deterministic and distinct across
segment indices, so this collision term does not apply.  The limits on
reusing a derived nonce are in <xref target="mrae-bounds"/>.</t>
          </section>
          <section anchor="confidentiality-block-size-birthday-bound">
            <name>Confidentiality (Block-Size Birthday Bound)</name>
            <t>Nonce collisions alone do not exhaust the confidentiality bound.
Following the AEAD usage-limits analysis (<xref target="I-D.irtf-cfrg-aead-limits"/>
Section 5), block-cipher AEADs have a distinguishing bound that grows
with the total number of cipher blocks processed under a key.  For the
AES-GCM suites (AES-128-GCM and AES-256-GCM), if s is the total number
of AAD-plus-plaintext 128-bit blocks and q is the number of encryption
queries under a key, the confidentiality advantage is at most:</t>
            <artwork><![CDATA[
CA <= ((s + q + 1)^2) / 2^129
]]></artwork>
            <t>For 65536-octet segments (L = 4096 blocks per segment), s = L * q in the
worst case, so CA scales as q^2 * L^2 / 2^129.  In random nonce mode the
nonce-collision bound q^2 / 2^97 dominates for typical deployments
because L^2 / 2^32 is small.  In derived nonce mode the nonce-collision
term vanishes and the block-size term is the binding confidentiality
constraint.</t>
            <t>For ChaCha20-Poly1305 there is no comparable block-size bound because
ChaCha20 is a stream cipher, leaving nonce collision and forgery as the
only relevant terms.  <xref target="mrae-bounds"/> gives the derived-nonce block-size
limits.  No analogous block-size confidentiality bound has been
published for AEGIS-256 or AEGIS-256X2.  Nonce collision (negligible at
a 256-bit nonce) and the per-key margin govern AEGIS confidentiality.
The per-query forgery bound governs integrity.</t>
            <t>SEAL implementations <bcp14>MUST</bcp14> compute usage budgets from the AEAD-specific
confidentiality and integrity bounds, not from nonce-collision
probability alone.  <xref target="budget-table"/> gives the binding limit per suite.</t>
          </section>
          <section anchor="integrity-forgery">
            <name>Integrity (Forgery)</name>
            <t>Each AEAD decryption query gives the adversary a chance to forge a valid
ciphertext.  The forgery advantage per query depends on the AEAD and
segment_max.</t>
            <t>For the AES-GCM suites (AES-128-GCM and AES-256-GCM)
(<xref target="I-D.irtf-cfrg-aead-limits"/> Section 5.1):</t>
            <artwork><![CDATA[
IA <= 2 * v * (L + 1) / 2^128
]]></artwork>
            <t>where v is the number of forgery attempts and L = 4096 blocks per
segment.</t>
            <t>For ChaCha20-Poly1305 (<xref target="I-D.irtf-cfrg-aead-limits"/> Section 5.2):</t>
            <artwork><![CDATA[
IA <= v * (L' + 1) / 2^103
]]></artwork>
            <t>Here v is the number of forgery attempts and L' is the segment length in
16-octet Poly1305 blocks (about 4096 at 65536-octet segments), per
<xref target="I-D.irtf-cfrg-aead-limits"/>.  The 2^103 denominator (not 2^128)
reflects Poly1305's per-query forgery bound.  At 65536-octet segments,
the integrity limit for ChaCha20-Poly1305 is tighter than for AES-GCM.</t>
          </section>
          <section anchor="mrae-bounds">
            <name>Derived-Nonce Bounds</name>
            <t>A derived-nonce MRAE AEAD has two limits the random-nonce analysis above
does not capture.</t>
            <t>Across the distinct segment nonces under one epoch key, the derived-key
analysis of <xref target="RFC8452"/> Section 9 (<xref target="BHT18"/>) bounds the number of
distinct derived nonces at about 2^48 for a 2^-32 advantage.</t>
            <t>For a single hot segment, every rewrite reuses that segment's one
derived nonce, so N rewrites of an L-block segment run AES-CTR under one
derived per-record key.  The binding term is the keystream block-size
birthday over the total blocks, in the form of
<xref target="I-D.irtf-cfrg-aead-limits"/> Section 5 with s = N * L blocks and q = N
queries:</t>
            <artwork><![CDATA[
((s + q + 1)^2) / 2^129 <= 2^-32
]]></artwork>
            <t>The N * L term dominates, so this holds while N * L stays below about
2^48, giving N &lt;= about 2^48 / L.  That is about 2^36 rewrites of one 64
KiB segment (L = 4096) and about 2^38 at 16 KiB.  This per-nonce cap
does not divide by 2^epoch_length, because the segment reuses the same
derived nonce regardless of epoch_length.</t>
            <t>Distinct plaintexts under the fixed nonce produce distinct synthetic IVs
and hence distinct counter keystreams (the GCM-SIV synthetic-IV
construction, <xref target="RFC8452"/>), so confidentiality degrades only by this
block-birthday term and not by nonce reuse.  Two rewrites with identical
plaintext and associated data produce identical ciphertext
(deterministic-MRAE equality leakage), independent of this count.</t>
          </section>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>raAE's ra-ROR security target (<xref target="ra-ror"/>) rests on three assumptions:
the AEAD is multi-user real-or-random (mu-ROR) secure, the KDF is a
secure multi-user pseudorandom function (mu-PRF), and nonces do not
collide.  Each subsection below describes a way one of these can fail
and what breaks.</t>
      <t>Integrity across the SEAL suite is bounded by the 16-octet AEAD tag (Nt
= 16): no suite member offers more than approximately 128 bits of
forgery resistance per query (<xref target="budget-table"/>).  The AEGIS algorithms'
256-bit keys raise confidentiality margins, not the tag-length forgery
floor.</t>
      <section anchor="detection-summary">
        <name>Detection Summary</name>
        <t>The table below maps common failure modes to the check that detects them
and notes the cases where raAE provides no detection.  The rows detected
by SnapVerify assume a snapshot authenticator is configured (snap_id !=
0x0000).  Without one, those modes go undetected.  The one exception is
a dropped trailing segment: the per-segment finality requirement of
<xref target="full-decryption"/> detects it in any profile, with no snapshot
authenticator.</t>
        <table anchor="detection-table">
          <name>Failure modes and the checks that detect them</name>
          <thead>
            <tr>
              <th align="left">Failure mode</th>
              <th align="left">Detected by</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Wrong CEK, salt, or parameter set</td>
              <td align="left">The commitment, before any segment decryption, provided reader and writer use the same payload_info construction.</td>
            </tr>
            <tr>
              <td align="left">Modified ciphertext core or AEAD tag</td>
              <td align="left">AEAD.Decrypt for the affected segment.</td>
            </tr>
            <tr>
              <td align="left">Segment moved to a different index</td>
              <td align="left">AEAD.Decrypt: the segment index and finality bit are authenticated by segment_aad (random nonce mode) or by the nonce (derived nonce mode).</td>
            </tr>
            <tr>
              <td align="left">Segment copied from another object at the same index</td>
              <td align="left">Detected when the copied segment was encrypted under a different CEK or salt.  Reusing a salt with the same CEK breaks this separation (<xref target="salt-reuse"/>).</td>
            </tr>
            <tr>
              <td align="left">Segment copied from another version at the same index</td>
              <td align="left">Not detected by per-segment AEAD alone; detected by SnapVerify, unless the whole object (including snapshot) is rolled back to that earlier valid version.</td>
            </tr>
            <tr>
              <td align="left">Dropped trailing segment(s) (truncation)</td>
              <td align="left">The finality requirement of <xref target="full-decryption"/>, in any profile: the highest-indexed present segment then carries is_final = 0 and the decryptor rejects.  Truncation to zero present segments is rejected by the zero-segment prohibition without a snapshot authenticator, and detected by SnapVerify with one (<xref target="snapshot-limitations"/>).</td>
            </tr>
            <tr>
              <td align="left">Missing interior, duplicated, reordered, or inserted segment</td>
              <td align="left">SnapVerify, which checks the segment count, finality, and recomputed snapshot value.</td>
            </tr>
            <tr>
              <td align="left">Stale snapshot value</td>
              <td align="left">SnapVerify, unless the stale value is part of a whole-object rollback to a previously valid snapshot.</td>
            </tr>
            <tr>
              <td align="left">Whole-object rollback</td>
              <td align="left">Not detected by raAE alone; the consuming protocol needs authenticated external freshness state.</td>
            </tr>
            <tr>
              <td align="left">Concurrent lost update</td>
              <td align="left">Not a cryptographic forgery; the consuming protocol needs writer serialization or another way to publish object state atomically.</td>
            </tr>
            <tr>
              <td align="left">Equality leakage in derived nonce mode</td>
              <td align="left">Not an authentication failure; rewriting equal plaintext at the same index under derived nonce mode can reveal equality (<xref target="nonce-generation"/>, <xref target="nonce-misuse"/>).</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="nonce-misuse">
        <name>Nonce Misuse</name>
        <t>Nonce reuse under a non-MRAE AEAD leaks plaintext:  an adversary who
observes two ciphertexts under the same key and nonce recovers the XOR
of the plaintexts (for CTR-based AEADs) and can forge new ciphertexts.
For AES-GCM and ChaCha20-Poly1305, nonce reuse also recovers the
polynomial authentication key, enabling forgery of arbitrary messages.</t>
        <t>Random nonce mode depends entirely on the CSPRNG.  If the CSPRNG returns
duplicated state, segments collide.  Derived nonce mode removes that
dependence, since nonces are deterministic, but the determinism is
itself a hazard: re-encrypting a segment with different content under
its repeated derived nonce is a two-time pad, catastrophic for a
non-MRAE AEAD.</t>
        <t>A non-MRAE AEAD therefore uses derived nonces only in a write-once
profile that draws a fresh salt per object and never re-encrypts under
it after a crash (<xref target="derived-nonces"/>).  An MRAE AEAD instead degrades
only to equality leakage, not plaintext recovery.</t>
        <t>The plaintext-bound construction (<xref target="appendix-pt-bound"/>) partially
defends against CSPRNG duplication: different plaintexts at the same
index produce different nonces because the plaintext digest differs,
but equal plaintexts still collide.  Implementations that need a full
defense against random number generator (RNG) state duplication <bcp14>MUST</bcp14>
use derived nonce mode with an MRAE AEAD.</t>
      </section>
      <section anchor="parameter-mismatch">
        <name>Parameter Set Mismatch</name>
        <t>The full parameter set that affects encryption, decryption, AAD
construction, nonce construction, and key derivation is bound into
payload_info (see <xref target="components"/>) and therefore into the commitment.  A
reader using a different parameter set than the writer triggers a
commitment mismatch before any AEAD operation is attempted.  A reader
supplying a different G than the encryptor likewise triggers a
commitment mismatch (<xref target="framework-commitment"/>).  Consuming protocols
<bcp14>MUST</bcp14> still reject unrecognized or unsupported parameter values before
decryption, since the commitment check detects mismatch but does not by
itself indicate which parameter value the recipient is unable to
support.</t>
        <t>One profile-level constant is bound transitively rather than via
payload_info:  aad_label is bound through protocol_id (each profile
fixes its own aad_label).  nonce_mode, by contrast, is carried in
payload_info, so the commitment binds it directly.  Each SEAL AEAD
additionally sets a default nonce mode (see <xref target="aead-table"/>).  Profiles
<bcp14>MUST NOT</bcp14> share a protocol_id across distinct aad_label values.  Reusing
a protocol_id with a changed aad_label produces objects whose commitment
matches the wrong reader but whose per-segment AEAD verification fails
with no clear error attribution.</t>
      </section>
      <section anchor="framing-label-errors">
        <name>Framing and Label Errors</name>
        <t>Two classes of implementation error break cross-role isolation.  A
non-injective framing function maps distinct KDF input tuples to the
same primitive input, correlating outputs that should be independent.
Implementations <bcp14>MUST</bcp14> verify injectivity per <xref target="framing"/>.  Reusing a
label across roles (for example, "commit" for both commitment and
payload key) has the same effect.  Labels <bcp14>MUST</bcp14> be distinct within a
protocol version, and a new version that changes any derivation <bcp14>MUST</bcp14>
change the protocol_id.</t>
      </section>
      <section anchor="parameter-misuse">
        <name>Parameter Misuse</name>
        <t>The nonce mode and AEAD choice are coupled, and the table gives the rule
for each pairing:</t>
        <table anchor="nonce-aead-table">
          <name>Nonce mode by AEAD class</name>
          <thead>
            <tr>
              <th align="left">AEAD class</th>
              <th align="left">random nonce</th>
              <th align="left">derived nonce</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">non-MRAE</td>
              <td align="left">valid</td>
              <td align="left">mutable: unsafe; write-once: valid</td>
            </tr>
            <tr>
              <td align="left">MRAE</td>
              <td align="left">wasteful</td>
              <td align="left">valid</td>
            </tr>
          </tbody>
        </table>
        <t>Rewrite is where the coupling matters.  A derived nonce is fixed by
the segment index, so a rewrite reuses it, while a random nonce is drawn
fresh every time.  A repeat is catastrophic for a non-MRAE AEAD and only
equality-leaking for an MRAE one, which is what the table reflects.
<xref target="derived-nonces"/> gives the rules and their consequences.</t>
        <t>The optional plaintext-bound construction (<xref target="appendix-pt-bound"/>) is an
encryptor-side hedge over random nonce mode, not a separate nonce mode.
See <xref target="concrete-algorithms"/> for SEAL's per-AEAD guidance.</t>
      </section>
      <section anchor="snapshot-limitations">
        <name>Snapshot Integrity Limitations</name>
        <t>Snapshot integrity has the following limitations.</t>
        <t>First, a reader that does not run snapshot verification
(<xref target="snapshot-authenticator"/>) does not verify that a segment belongs to
the current authenticated snapshot.  Such a reader gets per-segment AEAD
authenticity only, without the snapshot integrity guarantee of
<xref target="snapshot-integrity"/>: the ciphertext core is authenticated under the
segment index and finality bit, but the reader cannot detect that the
segment was substituted from a previous valid version of the same
message at the same index, nor that other segments were dropped or
rolled back.  Such readers <bcp14>MUST</bcp14> still verify the commitment per
<xref target="framework-commitment"/>.  Applications that support random-access
single-segment reads <bcp14>MUST</bcp14> either run snapshot verification on every read
or explicitly document that they accept per-segment authenticity without
snapshot freshness.</t>
        <t>Conversely, snapshot verification authenticates the segment set, its
positions, and the count.  Over the segment tags (snap_id 0x0001) it
does not confirm that a tag is a valid AEAD tag for the ciphertext
beside it.  Over leaf digests (snap_id 0x0002 and 0x0003) it binds the
ciphertext bytes and the tag, but not that the tag opens the ciphertext
under the AEAD.  Decrypting the segment is what establishes that, so
snapshot verification layers set, position, and count binding on top of
per-segment AEAD without replacing it.</t>
        <t>Second, snapshot integrity does not provide freshness against
whole-object rollback.  A storage adversary that rolls back the entire
encrypted object, including the snapshot, to a previously valid version
is not detected by raAE alone, because the rolled-back snapshot is
itself a valid snapshot for that prior state.  This is replay of an
intact prior snapshot, not a forgery:  it stays out of scope unless the
consuming protocol authenticates external freshness into the snapshot
context.  Applications that require whole-object rollback resistance
<bcp14>MUST</bcp14> bind an authenticated version field, timestamp, monotonic counter,
or authenticated storage layer into that context.  Relatedly,
<xref target="full-rewrite"/> requires a writer to update only trusted snapshot
state, so a rewrite cannot launder a rolled-back snapshot into a valid
ongoing history.</t>
        <t>Third, same-index rollback within a snapshot is detected when snapshot
verification runs.  If an adversary replaces one segment with a
previously valid same-index segment but leaves the current snapshot
value in place, the recomputed snapshot value no longer matches the
stored one, so verification fails except with negligible forgery
probability (see <xref target="snapshot-security"/>).</t>
        <t>Detecting these substitutions is a benefit of the design, not a
limitation.  It is the property that distinguishes raAE's snapshot
integrity from per-segment AEAD authenticity.</t>
        <t>Truncation, including removal of the final segment marked is_final = 1,
is detected by snapshot verification.  The removed segment is absent
from the recomputed snapshot value and the count n_seg no longer matches
the segments present, so verification fails.  Truncation is not a
separate limitation.  It is a special case of the first limitation above
for readers that skip snapshot verification.</t>
      </section>
      <section anchor="salt-reuse">
        <name>Salt Reuse</name>
        <t>Reusing a salt with the same CEK across two files produces identical
payload schedule outputs: the same payload_key, the same snap_key, and,
in derived nonce mode, the same nonce_base.  The damage depends on the
nonce mode.</t>
        <t>In every nonce mode, an adversary can silently swap same-index segments
between the two files: both per-segment AEAD checks and the snapshot
authenticator accept the swap.  Salt reuse is therefore an integrity
break in every configuration.</t>
        <t>In derived nonce mode the nonces also repeat across the two files, so
an MRAE AEAD degrades to deterministic encryption and leaks plaintext
equality between same-index segments.  A non-MRAE AEAD under derived
nonces, a combination the construction forbids (<xref target="derived-nonces"/>),
would permit plaintext recovery.</t>
        <t>In random nonce mode (and with the plaintext-bound hedge) fresh nonces
keep confidentiality intact, although the per-key nonce-collision budget
of <xref target="confidentiality-nonce-collision"/> then counts encryptions across
both files under the single CEK.  The integrity break above remains.
Applications <bcp14>MUST</bcp14> therefore ensure salt uniqueness per CEK when creating
a new message.  The freshness requirement in <xref target="full-encryption"/> exists
for this reason.</t>
      </section>
      <section anchor="rewrite-hazards">
        <name>Rewrite Hazards</name>
        <t>Rewriting introduces the following hazards.</t>
        <t>Applications <bcp14>MUST</bcp14> track total segment encryptions per key and freeze the
object before exceeding the budget in <xref target="rewrite-budget-security"/>.  For
the 96-bit-nonce AEADs (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305) the
binding limit is the per-epoch-key collision pool of roughly 2^32
encryptions, counted across every segment that shares the key.  Spread
evenly, that pool gives each segment a uniform rewrite share of roughly
2^(32 - epoch_length), as tabulated in <xref target="rewrite-budget-security"/>.  See
<xref target="epoch-length-guidance"/>.  Exceeding the per-epoch-key pool risks nonce
collisions and plaintext recovery.</t>
        <t>A mutable profile with derived nonces and an MRAE AEAD (SEAL-RW-v1)
reuses a segment's deterministic nonce across non-terminal rewrites, and
a crash that replays a write reuses it again.  Confidentiality there
rests on the per-segment rewrite limit (<xref target="rewrite-budget-security"/>),
not on nonce uniqueness: the AEAD degrades to
equality leakage between identical rewrites rather than to plaintext
recovery, as long as that budget is respected.</t>
        <t>For the masked multiset hash, when multiple writers rewrite different
segments concurrently, each computes an independent accumulator
difference (old_contrib XOR new_contrib).  Applying these differences is
commutative, but the read-modify-write on the stored accumulator
requires coordination.  Supplying that coordination, for example a
compare-and-swap on the published snapshot value and segment count, is
the consuming protocol's responsibility, consistent with the
serialization and storage transactions this document places out of
scope.  The digest transcript (0x0002) and epoch digest tree (0x0003)
have no accumulator to fold differences into, so concurrent rewrites
under a mutable profile <bcp14>MUST</bcp14> serialize the snapshot recomputation and
publication.  For 0x0003 the epoch head recomputation and write for each
affected epoch <bcp14>MUST</bcp14> likewise be serialized so that the head binds the
epoch's leaf run as read.  The snapshot tag and the mask <bcp14>MUST</bcp14> be
recomputed over the final accumulator and segment count inside the same
critical section that publishes the snapshot update.  Otherwise a
storage layer can publish a masked accumulator and a snapshot tag that
were computed for different accumulators.  As a recovery mechanism, the
accumulator can always be rebuilt from scratch by XOR-ing all contrib
values and then re-masked.</t>
        <t>Length changes are a separate concurrency case.  Append and truncate
change the segment count and re-mark a terminal segment.  Those updates
do not commute with each other or with a concurrent rewrite of the old
or new terminal segment unless the consuming protocol serializes them.</t>
        <t>Per-segment associated data A_i is rewritable, not fixed at creation.
Unlike a global associated data value G, which the commitment fixes when
the object is created (<xref target="framework-commitment"/>), A_i rides the
per-segment AEAD associated data (<xref target="concrete-segment-aad"/>), so a
rewrite can replace a segment's A_i, for example to change a policy or
version field.  A reader therefore cannot treat A_i as context fixed at
creation the way it can treat G.  An application that needs context
fixed at creation places it in G, which the commitment binds, rather
than in A_i.</t>
        <t>raAE also does not guarantee atomic rewrites.  A segment rewrite touches
the nonce metadata, ciphertext core, AEAD tag, and the snapshot value.
A crash between any two of these leaves the content inconsistent.
Applications <bcp14>MUST</bcp14> use write-ahead logging, copy-on-write, or an
equivalent mechanism to make rewrites recoverable.</t>
      </section>
      <section anchor="constant-time">
        <name>Constant-Time Implementation</name>
        <t>Several raAE operations handle secret data and <bcp14>MUST</bcp14> be implemented in
constant time to prevent timing side-channels.</t>
        <t>The KDF calls in the payload schedule and epoch key derivation take the
CEK or payload_key as input keying material.  Implementations <bcp14>MUST</bcp14>
ensure that HKDF-Extract and HKDF-Expand execute in constant time with
respect to their key inputs.  In practice this is satisfied by HMAC
implementations that do not branch on key octets.</t>
        <t>Both the commitment comparison (<xref target="full-decryption"/>) and the snapshot
comparison in SnapVerify <bcp14>MUST</bcp14> use a constant-time octet comparison.
SnapVerify <bcp14>MUST</bcp14> compare the full recomputed snapshot value, the masked
accumulator and the snapshot tag together, in one constant-time
comparison, so that no observable difference reveals which half differs
(<xref target="masked-multiset-hash"/>).  A variable-time comparison reveals the
position of the first differing octet.  An adversary who can retry
tampered inputs learns the expected value one octet at a time and can
then present a matching stored value.  This reduces the forgery cost of
either check to a linear number of trials (for the snapshot, the bound
of <xref target="snapshot-security"/>).</t>
        <t>The epoch digest tree's verify_segment (<xref target="epoch-digest-tree"/>) compares
recomputed values against stored ones at three levels, the snapshot, the
epoch head, and the leaf, and <bcp14>MUST</bcp14> use a constant-time octet comparison
at each.  The stored value compared against at each level is public
metadata, and snap_key enters only through the KDF, whose constant-time
requirement is stated above, so no comparison carries a secret.  Because
the reference operands are public, the fused single-comparison rule for
the masked multiset hash does not apply:  a per-level early return
reveals only which stored region a tampering party altered, which that
party already knows, and leaks no keyed value.</t>
        <t>AEAD.Encrypt and AEAD.Decrypt operations inherit the constant-time
requirements of the underlying AEAD.  Implementations <bcp14>SHOULD</bcp14> use AEAD
libraries that document constant-time guarantees.</t>
      </section>
      <section anchor="properties-not-provided">
        <name>Properties Not Provided</name>
        <t>raAE protects segment content and binds segments together.  It
deliberately does not address four concerns that belong to the consuming
protocol.</t>
        <t>The CEK must remain available as long as any reader needs access, so
there is no forward secrecy.  Ciphertexts are not bound to any sender
identity.  A signing or MAC layer is needed for sender authentication.
Key identifiers and structural features of the encrypted format are
visible, so unlinkability requires application-layer measures.  Finally,
snapshot verification covers segments within a message but cannot detect
replacement of the message itself.  An adversary who swaps one encrypted
message for another goes undetected unless the application binds message
identity externally.</t>
        <t>These concerns are not artifacts of raAE's design.  Any raAE
construction inherits them from the consuming protocol's scope.</t>
      </section>
      <section anchor="security-domain-separation">
        <name>Cross-Application Domain Separation</name>
        <t>Two applications that both reuse the same SEAL profile label
(<xref target="profiles"/>) with the same input keying material, the same
payload_info, and the same G derive identical commitments, keys, nonces,
and AADs.  The protocol_id provides cross-application domain separation
only when it is distinct per application.  Applications whose keying
material may be shared across systems <bcp14>SHOULD</bcp14> use an application-specific
protocol_id (for example, "myapp-backup-v1") rather than a SEAL profile
label.  An application adopting a SEAL profile (<xref target="profiles"/>) unchanged
<bcp14>MAY</bcp14> use that profile's label.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
      <t>SEAL consumes identifiers from existing IANA registries: the AEAD
Algorithms Registry (<xref target="RFC5116"/>) for <tt>aead_id</tt> values and the HPKE KDF
Registry (<xref target="RFC9180"/> Section 7.2) for <tt>kdf_id</tt> values.  No new
raAE-side registries are created.</t>
      <t>The following code points are drawn from IANA registries.  AEGIS-256
(0x0021) and AEGIS-256X2 (0x0024) are already registered in the AEAD
Algorithms registry per <xref target="I-D.irtf-cfrg-aegis-aead"/>.  TurboSHAKE-256
(0x0013) is a pending early allocation in the HPKE KDF registry per
<xref target="I-D.ietf-hpke-pq"/>, and its entry firms up when that draft publishes
as an RFC.  The SEAL normative references to those drafts are downrefs
under IRTF stream conventions until publication.</t>
      <table anchor="iana-early-alloc">
        <name>Registered and Early-Allocation Code Points</name>
        <thead>
          <tr>
            <th align="left">Registry</th>
            <th align="left">Code point</th>
            <th align="left">Algorithm</th>
            <th align="left">Status</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">AEAD Algorithms</td>
            <td align="left">0x0021</td>
            <td align="left">AEGIS-256</td>
            <td align="left">assigned</td>
          </tr>
          <tr>
            <td align="left">AEAD Algorithms</td>
            <td align="left">0x0024</td>
            <td align="left">AEGIS-256X2</td>
            <td align="left">assigned</td>
          </tr>
          <tr>
            <td align="left">HPKE KDF</td>
            <td align="left">0x0013</td>
            <td align="left">TurboSHAKE-256</td>
            <td align="left">early allocation</td>
          </tr>
        </tbody>
      </table>
      <t>Future SEAL profiles <bcp14>MAY</bcp14> consume additional entries from either registry
without revising this document.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC8017">
          <front>
            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="November" year="2016"/>
            <abstract>
              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 3447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8017"/>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
        </reference>
        <reference anchor="RFC8439">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
        <reference anchor="RFC8452">
          <front>
            <title>AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption</title>
            <author fullname="S. Gueron" initials="S." surname="Gueron"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="Y. Lindell" initials="Y." surname="Lindell"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This memo specifies two authenticated encryption algorithms that are nonce misuse resistant -- that is, they do not fail catastrophically if a nonce is repeated.</t>
              <t>This document is the product of the Crypto Forum Research Group.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8452"/>
          <seriesInfo name="DOI" value="10.17487/RFC8452"/>
        </reference>
        <reference anchor="RFC9180">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC9861">
          <front>
            <title>KangarooTwelve and TurboSHAKE</title>
            <author fullname="B. Viguier" initials="B." surname="Viguier"/>
            <author fullname="D. Wong" initials="D." role="editor" surname="Wong"/>
            <author fullname="G. Van Assche" initials="G." role="editor" surname="Van Assche"/>
            <author fullname="Q. Dang" initials="Q." role="editor" surname="Dang"/>
            <author fullname="J. Daemen" initials="J." role="editor" surname="Daemen"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>This document defines four eXtendable-Output Functions (XOFs), hash functions with output of arbitrary length, named TurboSHAKE128, TurboSHAKE256, KT128, and KT256.</t>
              <t>All four functions provide efficient and secure hashing primitives, and the last two are able to exploit the parallelism of the implementation in a scalable way.</t>
              <t>This document is a product of the Crypto Forum Research Group. It builds up on the definitions of the permutations and of the sponge construction in NIST FIPS 202 and is meant to serve as a stable reference and an implementation guide.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9861"/>
          <seriesInfo name="DOI" value="10.17487/RFC9861"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aegis-aead">
          <front>
            <title>The AEGIS Family of Authenticated Encryption Algorithms</title>
            <author fullname="Frank Denis" initials="F." surname="Denis">
              <organization>Fastly Inc.</organization>
            </author>
            <author fullname="Samuel Lucas" initials="S." surname="Lucas">
              <organization>Individual Contributor</organization>
            </author>
            <date day="5" month="October" year="2025"/>
            <abstract>
              <t>   This document describes the AEGIS-128L, AEGIS-256, AEGIS-128X, and
   AEGIS-256X AES-based authenticated encryption algorithms designed for
   high-performance applications.

   The document is a product of the Crypto Forum Research Group (CFRG).
   It is not an IETF product and is not a standard.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-aegis-aead.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aegis-aead-18"/>
        </reference>
        <reference anchor="I-D.ietf-hpke-pq">
          <front>
            <title>Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>Selkie Cryptography</organization>
            </author>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>   Updating key exchange and public-key encryption protocols to resist
   attack by quantum computers is a high priority given the possibility
   of "harvest now, decrypt later" attacks.  Hybrid Public Key
   Encryption (HPKE) is a widely-used public key encryption scheme based
   on combining a Key Encapsulation Mechanism (KEM), a Key Derivation
   Function (KDF), and an Authenticated Encryption with Associated Data
   (AEAD) scheme.  In this document, we define KEM algorithms for HPKE
   based on both post-quantum KEMs and hybrid constructions of post-
   quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3
   that is suitable for use with these KEMs.  When used with these
   algorithms, HPKE is resilient with respect to attacks by a quantum
   computer.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-pq-05"/>
        </reference>
        <reference anchor="NIST-SP-800-38D" target="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf">
          <front>
            <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
            <author initials="M." surname="Dworkin">
              <organization/>
            </author>
            <date year="2007" month="November"/>
          </front>
          <seriesInfo name="NIST" value="Special Publication 800-38D"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8645">
          <front>
            <title>Re-keying Mechanisms for Symmetric Keys</title>
            <author fullname="S. Smyshlyaev" initials="S." role="editor" surname="Smyshlyaev"/>
            <date month="August" year="2019"/>
            <abstract>
              <t>A certain maximum amount of data can be safely encrypted when encryption is performed under a single key. This amount is called the "key lifetime". This specification describes a variety of methods for increasing the lifetime of symmetric keys. It provides two types of re-keying mechanisms based on hash functions and block ciphers that can be used with modes of operations such as CTR, GCM, CBC, CFB, and OMAC.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8645"/>
          <seriesInfo name="DOI" value="10.17487/RFC8645"/>
        </reference>
        <reference anchor="RFC8937">
          <front>
            <title>Randomness Improvements for Security Protocols</title>
            <author fullname="C. Cremers" initials="C." surname="Cremers"/>
            <author fullname="L. Garratt" initials="L." surname="Garratt"/>
            <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG might be weak or broken as well, which can also lead to critical and systemic security problems. This document describes a way for security protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8937"/>
          <seriesInfo name="DOI" value="10.17487/RFC8937"/>
        </reference>
        <reference anchor="RFC9580">
          <front>
            <title>OpenPGP</title>
            <author fullname="P. Wouters" initials="P." role="editor" surname="Wouters"/>
            <author fullname="D. Huigens" initials="D." surname="Huigens"/>
            <author fullname="J. Winter" initials="J." surname="Winter"/>
            <author fullname="Y. Niibe" initials="Y." surname="Niibe"/>
            <date month="July" year="2024"/>
            <abstract>
              <t>This document specifies the message formats used in OpenPGP. OpenPGP provides encryption with public key or symmetric cryptographic algorithms, digital signatures, compression, and key management.</t>
              <t>This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws.</t>
              <t>This document obsoletes RFCs 4880 ("OpenPGP Message Format"), 5581 ("The Camellia Cipher in OpenPGP"), and 6637 ("Elliptic Curve Cryptography (ECC) in OpenPGP").</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9580"/>
          <seriesInfo name="DOI" value="10.17487/RFC9580"/>
        </reference>
        <reference anchor="RFC9771">
          <front>
            <title>Properties of Authenticated Encryption with Associated Data (AEAD) Algorithms</title>
            <author fullname="A. Bozhko" initials="A." role="editor" surname="Bozhko"/>
            <date month="May" year="2025"/>
            <abstract>
              <t>Authenticated Encryption with Associated Data (AEAD) algorithms provide both confidentiality and integrity of data. The widespread use of AEAD algorithms in various applications has led to an increased demand for AEAD algorithms with additional properties, driving research in the field. This document provides definitions for the most common of those properties and aims to improve consistency in the terminology used in documentation. This document is a product of the Crypto Forum Research Group.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9771"/>
          <seriesInfo name="DOI" value="10.17487/RFC9771"/>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="BHT18" target="https://eprint.iacr.org/2018/136">
          <front>
            <title>Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds</title>
            <author initials="P." surname="Bose">
              <organization/>
            </author>
            <author initials="V. T." surname="Hoang">
              <organization/>
            </author>
            <author initials="S." surname="Tessaro">
              <organization/>
            </author>
            <date year="2018"/>
          </front>
          <seriesInfo name="IACR" value="ePrint 2018/136"/>
        </reference>
        <reference anchor="HRRV15" target="https://eprint.iacr.org/2015/189">
          <front>
            <title>Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance</title>
            <author initials="V. T." surname="Hoang">
              <organization/>
            </author>
            <author initials="R." surname="Reyhanitabar">
              <organization/>
            </author>
            <author initials="P." surname="Rogaway">
              <organization/>
            </author>
            <author initials="D." surname="Vizár">
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="IACR" value="ePrint 2015/189"/>
        </reference>
        <reference anchor="Tink" target="https://eprint.iacr.org/2020/1019">
          <front>
            <title>Security of Streaming Encryption in Google's Tink Library</title>
            <author initials="V. T." surname="Hoang">
              <organization/>
            </author>
            <author initials="Y." surname="Shen">
              <organization/>
            </author>
            <date year="2020"/>
          </front>
          <seriesInfo name="IACR" value="ePrint 2020/1019"/>
        </reference>
        <reference anchor="DGRW18" target="https://doi.org/10.1007/978-3-319-96884-1_6">
          <front>
            <title>Fast Message Franking: From Invisible Salamanders to Encryptment</title>
            <author initials="Y." surname="Dodis">
              <organization/>
            </author>
            <author initials="P." surname="Grubbs">
              <organization/>
            </author>
            <author initials="T." surname="Ristenpart">
              <organization/>
            </author>
            <author initials="J." surname="Woodage">
              <organization/>
            </author>
            <date year="2018"/>
          </front>
          <seriesInfo name="CRYPTO 2018, LNCS" value="vol. 10991, pp. 155-186"/>
          <seriesInfo name="DOI" value="10.1007/978-3-319-96884-1_6"/>
        </reference>
        <reference anchor="ADG22" target="https://www.usenix.org/conference/usenixsecurity22/presentation/albertini">
          <front>
            <title>How to Abuse and Fix Authenticated Encryption Without Key Commitment</title>
            <author initials="A." surname="Albertini">
              <organization/>
            </author>
            <author initials="T." surname="Duong">
              <organization/>
            </author>
            <author initials="S." surname="Gueron">
              <organization/>
            </author>
            <author initials="S." surname="Kölbl">
              <organization/>
            </author>
            <author initials="A." surname="Luykx">
              <organization/>
            </author>
            <author initials="S." surname="Schmieg">
              <organization/>
            </author>
            <date year="2022"/>
          </front>
          <seriesInfo name="USENIX Security 2022" value="pp. 3291-3308"/>
        </reference>
        <reference anchor="FLRR25" target="https://eprint.iacr.org/2025/2275">
          <front>
            <title>Random-Access AEAD for Fast Lightweight Online Encryption</title>
            <author initials="A." surname="Fábrega">
              <organization/>
            </author>
            <author initials="J." surname="Len">
              <organization/>
            </author>
            <author initials="T." surname="Ristenpart">
              <organization/>
            </author>
            <author initials="G." surname="Rubin">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="EUROCRYPT" value="2026"/>
          <seriesInfo name="DOI" value="10.1007/978-3-032-25333-0_10"/>
        </reference>
        <reference anchor="MSetHash" target="https://doi.org/10.1007/978-3-540-40061-5_12">
          <front>
            <title>Incremental Multiset Hash Functions and Their Application to Memory Integrity Checking</title>
            <author initials="D." surname="Clarke">
              <organization/>
            </author>
            <author initials="S." surname="Devadas">
              <organization/>
            </author>
            <author initials="M." surname="van Dijk">
              <organization/>
            </author>
            <author initials="B." surname="Gassend">
              <organization/>
            </author>
            <author initials="G. E." surname="Suh">
              <organization/>
            </author>
            <date year="2003"/>
          </front>
          <seriesInfo name="ASIACRYPT" value="2003, LNCS 2894, pp. 188-207"/>
          <seriesInfo name="DOI" value="10.1007/978-3-540-40061-5_12"/>
        </reference>
        <reference anchor="DAE" target="https://doi.org/10.1007/11761679_23">
          <front>
            <title>A Provable-Security Treatment of the Key-Wrap Problem</title>
            <author initials="P." surname="Rogaway">
              <organization/>
            </author>
            <author initials="T." surname="Shrimpton">
              <organization/>
            </author>
            <date year="2006"/>
          </front>
          <seriesInfo name="EUROCRYPT" value="2006, LNCS 4004, pp. 373-390"/>
          <seriesInfo name="DOI" value="10.1007/11761679_23"/>
        </reference>
        <reference anchor="SEALPROOFS">
          <front>
            <title>Security Analysis of the SEAL Construction: raAE, Snapshot Integrity, and Commitment</title>
            <author initials="N." surname="Sullivan">
              <organization/>
            </author>
            <date/>
          </front>
          <seriesInfo name="Work in Progress" value="manuscript in preparation"/>
        </reference>
      </references>
    </references>
    <?line 4526?>

<section anchor="appendix-pt-bound">
      <name>Optional Plaintext-Bound Nonce Construction</name>
      <t>This appendix is informative.  It describes an optional encryptor-side
construction that mixes plaintext content into the per-segment nonce
derivation to defend against RNG state duplication.  The construction is
encryptor-only: the decryptor reads the resulting nonce from the wire
(in the same slot used by random mode) and never invokes any of the
machinery below.  Implementations <bcp14>MAY</bcp14> use this construction in place of
a fresh CSPRNG call when generating nonces under nonce_mode "random".
The wire format is indistinguishable from random mode and decryption is
unaffected.</t>
      <t>One such construction:</t>
      <artwork><![CDATA[
pt_digest(i) = LH(plaintext_i)

encryption_params = [aead_id, segment_max_be, kdf_id]
pt_hash(i) = KDF(protocol_id, pt_hash_label,
                 [pt_digest(i)],
                 encryption_params, Nh)

nonce_ctx = encode(protocol_id, uint64(i), pt_hash(i))
nonce(i) = KDF(protocol_id, pt_nonce_label,
               [Random(Nn), payload_key],
               [...payload_info, nonce_ctx], Nn)
]]></artwork>
      <t>This construction fixes two labels:</t>
      <table anchor="pt-bound-labels">
        <name>Plaintext-bound construction labels</name>
        <thead>
          <tr>
            <th align="left">Derivation role</th>
            <th align="left">Label variable</th>
            <th align="left">Value</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Plaintext digest binding</td>
            <td align="left">pt_hash_label</td>
            <td align="left">"pt-nonce"</td>
          </tr>
          <tr>
            <td align="left">Final nonce derivation</td>
            <td align="left">pt_nonce_label</td>
            <td align="left">"nonce"</td>
          </tr>
        </tbody>
      </table>
      <t>Both labels are distinct from all other SEAL labels.  Neither
derivation uses nonce_base_label (<xref target="label-table"/>): the "nonce_base"
label belongs to derived nonce mode and does not appear in this
construction.  In the final derivation nonce_ctx enters the info list
as one element after the payload_info elements: its encode output is
framed behind a length prefix like any other element, not spliced
flat into the list.  Component vectors for both KDF classes are in
<xref target="pt-bound-vectors"/>.</t>
      <t>LH is the over-large-field digest of <xref target="concrete-framing"/>, which runs
the cipher suite's native KDF primitive directly on its input and
returns Nh octets.  It is collision-resistant per <xref target="framing"/>.
Decryptors never compute pt_digest.</t>
      <t>When the encryptor's CSPRNG produces duplicated state (for example, from
a virtual machine snapshot or a fork without reseed), two encryptions of
distinct plaintexts at the same segment index still produce distinct
nonces because pt_hash(i) differs.  Two encryptions of identical
plaintexts at the same index produce identical nonces, resulting in
deterministic encryption: the ciphertexts are identical, revealing only
that the plaintexts are equal.  No additional information beyond this
equality is leaked.</t>
      <t>For rewrites under this construction, the encryptor recomputes
pt_hash(i) with the new plaintext, derives a fresh nonce(i) using the
new pt_hash(i) and a new Random(Nn), seals the new plaintext under the
new nonce, and updates the snapshot value as in
<xref target="full-rewrite"/>.</t>
      <t>The construction is observationally equivalent to nonce_mode "random" at
the wire format.  A decryptor cannot distinguish whether the encryptor
used a fresh CSPRNG call or this construction to produce the stored
nonce.  Implementations that elect to use this construction internally
do not need to advertise it.</t>
    </section>
    <section anchor="hedged-randomness">
      <name>Optional Hedged Randomness</name>
      <t>When a long-term symmetric key sk of at least Nh octets is available to
the encryptor, implementations <bcp14>SHOULD</bcp14> mix it into random generation
using the hedging pattern of <xref target="RFC8937"/>.  If only an asymmetric private
key is available, it <bcp14>MUST</bcp14> first be processed through a KDF to produce a
uniform symmetric key.</t>
      <artwork><![CDATA[
hedge_key = KDF(protocol_id, hedge_label, sk, [], Nh)

HedgedRandom(n, label):
  return KDF(protocol_id, label,
      [hedge_key, Random(n)], [], n)
]]></artwork>
      <t>This construction fixes one label, hedge_label = "hedge", distinct from
all other SEAL labels.</t>
      <t>HedgedRandom output depends on both the CSPRNG and sk, so a weak CSPRNG
alone cannot predict it.  Hedging does not help when the CSPRNG state
itself is duplicated (VM snapshots, fork without reseed).  Identical
CSPRNG output still produces identical HedgedRandom output.  An optional
encryptor-side construction that mixes plaintext content into the
per-segment nonce derivation to defend against state duplication is
described in <xref target="appendix-pt-bound"/>.  That construction is orthogonal to
hedging and the two <bcp14>MAY</bcp14> be combined.</t>
    </section>
    <section anchor="appendix-reductions">
      <name>Proof Status and Security Claim Provenance</name>
      <t>This appendix is informative.  It states what is proven, where, and by
whom.  Each result below is inherited from <xref target="FLRR25"/>, argued in this
document, or deferred to a companion proof paper in preparation
(<xref target="SEALPROOFS"/>).</t>
      <dl>
        <dt>Inherited from <xref target="FLRR25"/>:</dt>
        <dd>
          <t>The ra-ROR and ra-CMT games, their advantages, and their proofs apply
to SEAL's realization of the base interface, summarized in
<xref target="segment-security"/> and <xref target="key-commitment"/>.  The ra-CMT-p notion and
its base proof are likewise inherited, but SEAL's realization of its
position binding is argued here (see below).</t>
        </dd>
        <dt>Argued in this document:</dt>
        <dd>
          <t>The mechanisms this document adds beyond <xref target="FLRR25"/> are argued in the
subsections below.  These are the snapshot authenticator that realizes
snapshot integrity, the nonce modes, the per-segment associated data
and position binding of ra-CMT-p (bound stated here, formal accounting
deferred), and the injectivity and domain separation of the KDF
combiner.  The combiner argument is structural and proof-complete
(<xref target="concrete-framing"/>).  The others state their bounds.  Their full
proofs are not here.</t>
        </dd>
        <dt>Referenced from external work:</dt>
        <dd>
          <t>The capacity, rewrite, and maximum-object-size bounds
(<xref target="aead-usage-limits"/>) are operational ceilings derived from
<xref target="I-D.irtf-cfrg-aead-limits"/>, <xref target="RFC8452"/> Section 9, and <xref target="BHT18"/>,
not security reductions proven here.</t>
        </dd>
        <dt>Deferred to <xref target="SEALPROOFS"/>:</dt>
        <dd>
          <t>The formal proof of masked-multiset-hash snapshot integrity as an
extension of the ra-ROR framework, the forgery and content-binding
reductions of the digest transcript, the real-or-random treatment of
the derived-nonce equality leakage (which relaxes that framework's
nonce-respecting hypothesis to deterministic MRAE), and the
per-segment associated data and position accounting of ra-CMT-p.</t>
        </dd>
        <dt>Precedent, not proof:</dt>
        <dd>
          <t>The derived-nonce unique-nonce transform rests on TLS 1.3
(<xref target="RFC8446"/>) and STREAM (<xref target="HRRV15"/>) precedent, treated in
<xref target="appendix-nonce-modes"/>.  That precedent does not prove SEAL-RO-v1.
The KDF hierarchy, the arbitrary-position ra-ROR syntax, the ra-CMT
commitment, the epoch accounting, and the object-level semantics
remain SEAL-specific proof obligations.</t>
        </dd>
      </dl>
      <t>The combiner's input encoding is injective and canonical, so distinct
(protocol_id, label, ikm, info, L) tuples map to distinct primitive
inputs and a given tuple has one encoding across implementations
(<xref target="concrete-framing"/>, <xref target="framing"/>).  Injectivity comes from the
length-prefixed encoding, not from the KDF, which need not itself be
injective.  Collision resistance is assumed only of LH.  For the KDF
combiner's injectivity it is needed only for over-large fields.  The
digest transcript additionally relies on LH collision resistance to bind
each segment's ciphertext, of any length (<xref target="snapshot-security-dt"/>).
The commitment derivation carries its own separate collision-resistance
assumption (<xref target="appendix-commitment"/>).</t>
      <t>The capacity and usage limits in <xref target="aead-usage-limits"/>, including the
maximum write-once object size (<xref target="max-object-size"/>) and the derived
nonce bounds (<xref target="mrae-bounds"/>), are operational ceilings.  They are
referenced from <xref target="I-D.irtf-cfrg-aead-limits"/>, <xref target="RFC8452"/> Section 9
with <xref target="BHT18"/>, and the 2^63 segment-index ceiling, not proven here.</t>
      <section anchor="appendix-proof-map">
        <name>Provenance of the Security Claims</name>
        <table anchor="proof-map-table">
          <name>Provenance of the security claims</name>
          <thead>
            <tr>
              <th align="left">Property</th>
              <th align="left">Source</th>
              <th align="left">Argument</th>
              <th align="left">Rests on</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ra-ROR</td>
              <td align="left">
                <xref target="FLRR25"/> notion and base proof; SEAL's arbitrary-position ra-ROR syntax is a SEAL-specific obligation</td>
              <td align="left">
                <xref target="appendix-adv-notation"/>, <xref target="appendix-ror"/></td>
              <td align="left">mu-PRF KDF (two keying levels), mu-ROR AEAD, no nonce collision, fresh per-message salt</td>
            </tr>
            <tr>
              <td align="left">ra-CMT (commitment, position-respecting)</td>
              <td align="left">
                <xref target="FLRR25"/></td>
              <td align="left">
                <xref target="appendix-commitment"/></td>
              <td align="left">collision resistance of the commitment derivation map over (protocol_id, "commit", CEK, payload_info, G, commitment_length)</td>
            </tr>
            <tr>
              <td align="left">ra-CMT-p (per-segment associated-data and position commitment)</td>
              <td align="left">
                <xref target="FLRR25"/> notion and base proof; SEAL position-binding realization and per-segment associated-data and position accounting argued here, formal write-up in <xref target="SEALPROOFS"/></td>
              <td align="left">
                <xref target="appendix-commitment"/></td>
              <td align="left">ra-CMT collision bound plus the underlying AEAD's commitment bound for the forged position</td>
            </tr>
            <tr>
              <td align="left">KDF combiner injectivity and domain separation</td>
              <td align="left">this document (structural, proof-complete)</td>
              <td align="left">
                <xref target="concrete-framing"/>, <xref target="framing"/></td>
              <td align="left">injectivity of the length-prefixed encoding (KDF need not be injective); collision resistance of LH for over-large fields only</td>
            </tr>
            <tr>
              <td align="left">Snapshot integrity (masked multiset hash)</td>
              <td align="left">this document, <xref target="appendix-snapshot"/></td>
              <td align="left">
                <xref target="appendix-snapshot"/></td>
              <td align="left">mu-PRF KDF under snap_key; MAC unforgeability of snapshot_tag over (n_seg, acc); deterministic-masking birthday and mix-and-match terms; per-object separation via salt-bound snap_key</td>
            </tr>
            <tr>
              <td align="left">Snapshot integrity (digest transcript)</td>
              <td align="left">this document, <xref target="snapshot-security-dt"/>; formal write-up in <xref target="SEALPROOFS"/></td>
              <td align="left">
                <xref target="snapshot-security-dt"/></td>
              <td align="left">mu-PRF KDF under snap_key (single fresh-input forgery term, no mask or birthday); collision resistance of LH binding each ciphertext leaf; per-object separation via salt-bound snap_key and the commitment element</td>
            </tr>
            <tr>
              <td align="left">Snapshot integrity (epoch digest tree)</td>
              <td align="left">this document, <xref target="snapshot-security-edt"/>; formal write-up in <xref target="SEALPROOFS"/></td>
              <td align="left">
                <xref target="snapshot-security-edt"/></td>
              <td align="left">as the digest transcript, with LH collision resistance applied at the epoch and root levels of the two-level fold</td>
            </tr>
            <tr>
              <td align="left">AEAD usage, rewrite, and max-object bounds</td>
              <td align="left">external work (operational, not proven here)</td>
              <td align="left">
                <xref target="aead-usage-limits"/>, <xref target="max-object-size"/>, <xref target="mrae-bounds"/></td>
              <td align="left">
                <xref target="I-D.irtf-cfrg-aead-limits"/>, <xref target="RFC8452"/> Section 9 with <xref target="BHT18"/>, 2^63 segment-index ceiling</td>
            </tr>
            <tr>
              <td align="left">Derived-nonce unique-nonce transform</td>
              <td align="left">precedent, not proof (TLS 1.3 <xref target="RFC8446"/>, STREAM <xref target="HRRV15"/>)</td>
              <td align="left">
                <xref target="derived-nonces"/>, <xref target="appendix-nonce-modes"/></td>
              <td align="left">write-once uniqueness discipline reducing to nonce-respecting AEAD security</td>
            </tr>
            <tr>
              <td align="left">Derived-nonce equality leakage (MRAE)</td>
              <td align="left">this document; full proof in <xref target="SEALPROOFS"/></td>
              <td align="left">
                <xref target="appendix-nonce-modes"/></td>
              <td align="left">MRAE AEAD (<xref target="RFC8452"/>); per-segment fixed-nonce data-volume cap</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="appendix-adv-notation">
        <name>Advantage Notation and Adversary Parameters</name>
        <t>For a ra-ROR adversary (<xref target="adversary-model"/>) using at most u distinct
CEKs and q_m messages, each encrypted with an independent fresh 32-octet
per-content salt (<xref target="full-encryption"/>), across E total epochs and making
q_e encryption and q_d decryption segment queries with sigma = q_e +
q_d, the advantage is bounded by:</t>
        <artwork><![CDATA[
Adv_raROR(A) <= Adv_salt_coll
                   + Adv_muPRF(KDF, B_KDF)
                   + Adv_muROR(AEAD, B_AEAD)
                   + Adv_nonce_coll
                   + Adv_acc
]]></artwork>
        <t>The terms in the bound are as follows.</t>
        <dl>
          <dt>Adv_salt_coll</dt>
          <dd>
            <t>The probability that two messages encrypted under one CEK draw
the same salt.  Because the salt is a 32-octet value drawn
uniformly at random, this term is at most q_m^2 / 2^256.  A salt
collision is not a PRF-distinguishing event: the KDF
deterministically produces identical payload_key, snap_key, and
nonce_base outputs whenever (CEK, payload_info) repeats, so the
event must be charged separately.  Conditioned on no salt
collision, distinct messages under one CEK have distinct
payload_info values and therefore independent KDF outputs under
the mu-PRF assumption.  This term holds only under the fresh
per-message uniform salt requirement of <xref target="full-encryption"/>.  A
profile that reuses salts or draws them non-uniformly forfeits it
and must argue payload-schedule separation by other means
(<xref target="salt-reuse"/>).</t>
          </dd>
          <dt>Adv_muPRF(KDF, B_KDF)</dt>
          <dd>
            <t>The multi-user PRF advantage of the KDF, covering two keying levels.
Level A is keyed by the CEK and produces payload_key, snap_key, and
nonce_base.  It has u users, queried once per message.  Level B is
keyed by payload_key (producing epoch_key per <xref target="epoch-key-derivation"/>
and, in the plaintext-bound construction, per-segment nonces per
<xref target="appendix-pt-bound"/>) and by snap_key (producing the snapshot
authenticator's keyed derivations).  It has q_m users.  The snap_key
subset of Level B feeds the configured snapshot authenticator and is
counted under Adv_acc below.  It is not counted again here.</t>
          </dd>
          <dt>Adv_muROR(AEAD, B_AEAD)</dt>
          <dd>
            <t>The multi-user real-or-random advantage of the AEAD over sigma total
segment queries.  There is one mu-ROR user per distinct segment key,
for E epoch keys total (E = q_m when each message uses a single flat
epoch key).  This advantage absorbs a key-collision birthday term of
about E^2/2^(8*Nk) over the E distinct keys.  For the 256-bit-key
suites (Nk = 32) that term is about E^2/2^256 and is negligible.  For
AES-128-GCM (Nk = 16) it is about E^2/2^128 and is the binding
epoch-key collision floor.  <xref target="epoch-length-guidance"/> bounds E
for that suite.</t>
          </dd>
          <dt>Adv_nonce_coll</dt>
          <dd>
            <t>The probability of a nonce collision under any segment key.  In
derived nonce mode it is zero, conditional on no salt collision
(already charged via Adv_salt_coll).  In random nonce mode (with or
without the plaintext-bound hedge) it is bounded per
<xref target="confidentiality-nonce-collision"/>.  The
derived-mode statement relies on the deterministic-MRAE analysis in
<xref target="appendix-nonce-modes"/>.</t>
          </dd>
          <dt>Adv_acc</dt>
          <dd>
            <t>The masked multiset hash's snapshot forgery advantage, present only
under snap_id 0x0001 and zero otherwise.  SEAL authenticates the XOR
accumulator (<xref target="snapshot-authenticator"/>) with a snapshot tag, a MAC
under snap_key, and masks the published accumulator with a
deterministic tag-derived pad.  A different snapshot authenticator
contributes its own term in place of Adv_acc:  the digest transcript
(snap_id 0x0002) contributes a single fresh-input PRF forgery term,
with no birthday or mix-and-match component
(<xref target="snapshot-security-dt"/>).  The epoch digest tree (snap_id 0x0003)
contributes the same fresh-input PRF forgery term.  The key-holder
content binding of either authenticator is a separate notion from this
without-key term, resting on LH collision resistance
(<xref target="snapshot-security-dt"/>, <xref target="snapshot-security-edt"/>), and is not
counted here.</t>
          </dd>
        </dl>
        <t>The Adv_acc term is bounded by:</t>
        <artwork><![CDATA[
Adv_acc <= Adv_muPRF_acc
           + q_s^2 / 2^(8*Nh)          (snapshot-collision birthday)
           + q_v / 2^(8*Nh)            (fresh-input tag forgery)
           + q_s * q_v / 2^(8*Nh)      (mix-and-match accumulator guess)
]]></artwork>
        <t>Here Adv_muPRF_acc is the snap_key subset of B_KDF's Level B queries,
counted here and not again in Adv_muPRF(KDF, B_KDF).  q_s is the number
of published snapshot states the adversary observes and q_v the number
of SnapVerify queries it makes.  The q_s^2 birthday term is the cost of
the deterministic masking (<xref target="appendix-snapshot"/>).  The dominant terms
are that birthday and the mix-and-match q_s * q_v / 2^(8*Nh), and for
the SEAL suites (8*Nh of 256, 384, or 512) every term is negligible.</t>
      </section>
      <section anchor="appendix-ror">
        <name>ra-ROR Reduction</name>
        <t>The reduction follows the <xref target="FLRR25"/> hybrid over the two-level key
schedule (<xref target="key-derivation"/>).  Condition on no salt collision
(Adv_salt_coll).  Replace the CEK-keyed KDF outputs, then the
payload_key- and snap_key-keyed outputs, with uniformly random values
(Adv_muPRF at the two keying levels).  Bound the resulting segment AEAD
outputs (Adv_muROR).  A flat epoch key is the single-epoch case of the
same argument.  The segment AEAD calls are nonce-respecting only under
no nonce collision, the event charged to Adv_nonce_coll
(<xref target="appendix-adv-notation"/>).  In derived nonce mode this term is zero
conditional on the same no-salt-collision event
(<xref target="appendix-nonce-modes"/>).  The snapshot authenticator's forgery enters
separately as Adv_acc (<xref target="snapshot-security"/>).  The reduction constructs
adversaries B_KDF against multi-user PRF security of the KDF and B_AEAD
against multi-user real-or-random security of the AEAD, each running in
time approximately that of A.</t>
      </section>
      <section anchor="appendix-commitment">
        <name>Commitment</name>
        <t>ra-CMT security reduces to collision resistance of the commitment
derivation map over the tuple (protocol_id, "commit", CEK, payload_info,
G, commitment_length), with G empty by default.  PRF security alone is
not sufficient for this reduction, because the commitment adversary may
choose the CEK and the context values.  The collision-resistance
assumption captured in <xref target="key-derivation"/> is what makes the reduction
sound.</t>
        <t>For commitment_length = L octets, the relevant quantities are:</t>
        <artwork><![CDATA[
fixed-pair collision probability:  2^(-8*L)
q-query birthday probability:      q^2 / 2^(8*L + 1)
collision-search work factor:      about 2^(4*L)
]]></artwork>
        <t>Thus 16 octets gives about 2^64 collision-search work, 32 octets gives
about 2^128 (capped by SHA-256's own 2^128 collision resistance for
HKDF-SHA-256), 48 octets gives about 2^192 (capped by SHA-384's 2^192
for HKDF-SHA-384), and 64 octets gives about 2^256 (for HKDF-SHA-512,
capped by SHA-512's 2^256, and for TurboSHAKE-256).  The fixed-pair
collision probabilities at 32, 48, and 64 octets are 2^(-256), 2^(-384),
and 2^(-512), respectively.</t>
        <t>The ra-CMT-p advantage is bounded by the sum of two terms:  the
commitment collision bound above and the underlying AEAD's commitment
bound for the forged position.</t>
        <t>Position binding for ra-CMT-p is inherited from the underlying AEAD's
commitment level (<xref target="key-commitment"/>).  The notion and base proof are
inherited from <xref target="FLRR25"/>.  The exact per-segment associated data and
position accounting is deferred to <xref target="SEALPROOFS"/>.</t>
      </section>
      <section anchor="appendix-snapshot">
        <name>Snapshot Authenticator</name>
        <t>SEAL's snapshot authenticator (snap_id 0x0001) is the MSet-XOR-Hash of
Clarke et al. (<xref target="MSetHash"/>) with a deterministic mask this document
adds.  Each segment contributes a keyed KDF evaluation of its index and
tag, the contributions XOR into an accumulator, and the published value
masks that accumulator under snap_key.  A different authenticator that
meets the requirement of <xref target="framing"/> carries its own argument.</t>
        <t>The adversary has full read and write access to the stored segments,
their metadata, and the snapshot, and wins by making SnapVerify accept a
(segment set, snapshot) pair other than the writer's current state.
Whole-object rollback to an earlier honest state is excluded and is the
application's freshness responsibility (<xref target="snapshot-limitations"/>).</t>
        <t>Publishing the accumulator in the clear would be insecure.  That is the
MSet-XOR-Hash with its mask removed, which is only set-collision
resistant.  A write adversary reads the accumulator across honest
rewrites, collects the contribution differences old_contrib XOR
new_contrib, and after more than 8*Nh of them solves a GF(2) system for
a subset of segments it can revert without changing the accumulator.
The current snapshot tag still verifies, so a non-historical mixture of
versions is accepted with no MAC forgery.</t>
        <t>The deterministic mask defeats this attack.  Here wrapped_acc = acc XOR
snapmask(n_seg, snapshot_tag) hides the accumulator behind a one-time
pad keyed by snap_key and seeded by the synthetic snapshot tag, the
synthetic-IV derandomization of deterministic authenticated encryption
(<xref target="DAE"/>).  Two published states that collide on (n_seg, acc), or on the
snapshot tag at equal count, would expose a raw accumulator difference.
Over q_s published states that costs a birthday term q_s^2 / 2^m, with m
= 8*Nh.  Off that event the masks are independent one-time pads, the
published transcript is independent of every accumulator, and the
recombination above has no linear system left to solve.  Security
reduces to the PRF security of the KDF.  The mask protects the
accumulator only against a verifier that returns one bit, which is why
SnapVerify does not surface the recovered accumulator
(<xref target="masked-multiset-hash"/>).</t>
        <t>A forgery is then one of two events.  Either a fresh snapshot-tag input
is guessed, a MAC forgery bounded by q_v / 2^m over q_v verifications,
or a different segment set is made to hit a published accumulator by
chance, a mix-and-match bounded by q_s * q_v / 2^m against q_s published
states.  The mix-and-match term is a set collision on the keyed
contribution function and relies on the set-collision resistance of the
MSet-XOR-Hash-style construction (<xref target="MSetHash"/>).  The formal bound for
this term is discharged in <xref target="SEALPROOFS"/>.  Collecting the terms, the
snapshot forgery advantage Adv_acc of <xref target="appendix-adv-notation"/> is</t>
        <artwork><![CDATA[
Adv_acc <= Adv_muPRF_acc + q_s^2 / 2^m + q_v / 2^m + q_s * q_v / 2^m
]]></artwork>
        <t>with m = 8*Nh and dominant terms q_s^2 / 2^m and q_s * q_v / 2^m, both
negligible at Nh of 32, 48, or 64.  The argument relies on segment AEAD
authenticity, already charged as Adv_muROR, and adds no term beyond
Adv_acc.  Per-object separation comes from the salt-bound snap_key, and
the authenticator needs no assumption beyond the multi-user PRF the key
schedule already uses.  It does not need the commitment's collision
resistance.  Integrating this reduction into the combined ra-ROR proof
is in preparation (<xref target="SEALPROOFS"/>).</t>
      </section>
      <section anchor="appendix-nonce-modes">
        <name>Nonce Modes</name>
        <t>The unique-nonce transform of <xref target="derived-nonces"/>, which XORs the
segment index and finality bit into nonce_base, follows TLS 1.3
(<xref target="RFC8446"/>) static-IV-XOR-identifier and STREAM (<xref target="HRRV15"/>)
counter-plus-final-bit precedent.  Under the write-once uniqueness
discipline every derived nonce is distinct, which reduces
unique-nonce record protection to nonce-respecting AEAD security.
This is precedent, not a SEAL-specific proof.</t>
        <t>In derived nonce mode the nonce-collision term is zero conditional on no
salt collision, because each segment index maps to one derived nonce and
a fresh per-message salt makes the segment keys distinct across
messages.  A rewrite reuses a segment's derived nonce, so the
construction relies on the underlying MRAE AEAD: re-encrypting the same
plaintext and associated data under the same key and nonce reproduces
the same ciphertext, which leaks only equality of those inputs, while
distinct inputs remain real-or-random secure (<xref target="RFC8452"/>).  The formal
real-or-random treatment of this equality leakage for derived nonce mode
is in preparation (<xref target="SEALPROOFS"/>).  That treatment builds on the
<xref target="FLRR25"/> ra-ROR analysis and changes its nonce-respecting hypothesis:
a rewrite repeats a segment's derived nonce, so the proof replaces the
nonce-respecting AEAD assumption with deterministic-MRAE security, under
which nonce reuse leaks only input equality.</t>
      </section>
    </section>
    <section anchor="appendix-rationale">
      <name>Design Rationale</name>
      <t>This appendix is informative.</t>
      <section anchor="key-schedule-design-rationale">
        <name>Key Schedule Design Rationale</name>
        <t>The per-content salt makes the payload schedule unique even when a CEK
is reused across messages, which matters for applications that derive
CEKs from group keys.  The encryptor chooses the salt locally at write
time.  A per-message counter would instead require synchronized state.</t>
        <t>The CEK is 32 octets regardless of the AEAD key size Nk, so a
128-bit-key AEAD still derives its keys from a 256-bit CEK.</t>
        <t>Epoch keys bound the number of AEAD invocations under any one segment
encryption key.  Several considerations motivate this.</t>
        <dl>
          <dt>AEAD per-key bounds:</dt>
          <dd>
            <t>The per-key bounds of the underlying AEAD (birthday for 96-bit-nonce
schemes, block-size for AES, integrity forgery for all schemes) become
the limiting factor on security long before the nonce space is fully
exhausted.</t>
          </dd>
          <dt>Write-once content:</dt>
          <dd>
            <t>This matters even for content written once: large content with many
segments can place many AEAD invocations under a single key.</t>
          </dd>
          <dt>Rewrites:</dt>
          <dd>
            <t>Rewrites consume additional invocations and can exhaust the same
budget faster than write-once use, but they are not the only reason
for epoching.  Write-once large content benefits from the same
partitioning.</t>
          </dd>
          <dt>Random access:</dt>
          <dd>
            <t>Rekeying the entire content would defeat the random-access property,
so epoch keys bound the per-key invocation count without requiring a
full re-encryption.</t>
          </dd>
        </dl>
        <t>Labels separate derivation roles: commitment and payload_key share the
same inputs but different labels, making them independent under the PRF
assumption.  Once CEK and salt are chosen the hierarchy is fixed, with
no mutable state to synchronize across writers.</t>
      </section>
      <section anchor="nonce-mode-design-rationale">
        <name>Nonce Mode Design Rationale</name>
        <t>Random mode is simplest but trusts the CSPRNG completely.  Derived mode
removes that trust.  In a mutable profile it requires an MRAE AEAD,
because an in-place rewrite reuses the segment nonce
(<xref target="parameter-misuse"/>).  In the immutable profile SEAL-RO-v1 the
write-once rule keeps every derived nonce unique, so derived mode pairs
with any AEAD.  <xref target="aead-table"/> gives the default nonce_mode each suite
uses in the mutable profile, and a profile <bcp14>MAY</bcp14> select another valid
(nonce_mode, snap_id) tuple.</t>
      </section>
      <section anchor="snapshot-authenticator-design-rationale">
        <name>Snapshot Authenticator Design Rationale</name>
        <t>Three shapes were considered for whole-object integrity over an
updatable segment set.  A MAC over the concatenated tag list is the
simplest, but a rewrite changes one tag in the middle of the input, so
the writer recomputes over all n_seg tags on every update.  A Merkle
tree over the tags updates in O(log n) and can offer per-segment
inclusion proofs, but it either stores interior nodes that grow with the
object or re-reads segment tags to rebuild paths, and it rests on
collision resistance of a hash.  The masked multiset hash updates in
O(1) per rewrite, stores a single value of 2*Nh octets regardless of
object size, needs no per-segment proofs, and needs only the multi-user
PRF assumption the key schedule already carries.  Its costs are the ones
this document states explicitly:  the accumulator stays masked, the
verifier returns a single bit (<xref target="masked-multiset-hash"/>), and the
deterministic mask adds the q_s^2 birthday term to the bound
(<xref target="appendix-snapshot"/>).  A profile that needs per-segment inclusion
proofs or third-party verifiability needs a different authenticator
under its own snap_id (<xref target="snapshot-interface"/>).</t>
        <t>The accumulator is on the wire so a stateless writer can resume the O(1)
update from the stored snapshot alone, rather than holding it in trusted
state or re-reading every tag.  Publishing it is why the mask and the
one-bit verifier are needed:  an exposed accumulator would let a write
adversary recombine observed values (<xref target="appendix-snapshot"/>).</t>
        <t>The digest transcript verifies one segment only by recomputing over
every leaf, so a reader of one segment in a large object still reads the
whole leaf list.  The epoch digest tree (<xref target="epoch-digest-tree"/>) folds
the leaves into per-epoch heads and the heads into the snapshot, so a
reader verifies one segment from two aligned metadata reads, each one
segment_max or less:  the target epoch's leaf run and the list of epoch
heads.  That is the cost it saves the digest transcript on large content
read at random.</t>
        <t>The epoch digest tree has two levels but is not a Merkle tree.
Verification reconstructs an inclusion proof for a segment, recomputing
its leaf, then its epoch head from the epoch's leaves, then the root
from the epoch heads, rather than transmitting a compact authentication
path.  Recomputing an epoch head reads the epoch's leaf run as one
contiguous aligned read, while a Merkle authentication path would read a
logarithmic set of scattered sibling nodes.  On the aligned layout,
where a reader seeks in segment-sized units, one contiguous aligned read
beats a scattered logarithmic path whenever the run fits one read.  The
same holds one level up for the list of epoch heads.</t>
        <t>The two random-access reads trade off against epoch_length.  The epoch
leaf run, 2^r * meta_len, grows with r, while the epoch-heads region,
ceil(n_seg / 2^r) * Nh, shrinks with r as the epochs get fewer and
larger.  The largest r that keeps the leaf run within one aligned read
therefore also makes the epoch-heads region as small as it can be, which
pushes the content-size ceiling as high as it goes.  At that point the
two reads are each about one aligned read, so neither dominates.  A
smaller r shrinks the leaf read but enlarges the head region and lowers
the ceiling, and a larger r overflows the leaf read.  The rule in
<xref target="epoch-digest-tree"/> selects that balance point.</t>
        <t>The list of epoch heads is E * Nh octets and stays one aligned read up
to a content-size ceiling:  about 2 GiB at segment_max 16384 and about
128 GiB at 65536.  The ceiling is a read-efficiency threshold, not a
size limit.  Past it the head list spans a few aligned reads and grows
slowly, and the ceiling scales about cubically with segment_max, so a
larger segment size moves it far out at the cost of coarser
random-access granularity.  A tree over the epoch heads would keep a
single bounded read at any size but is out of scope.  The two-read
regime already covers the write-once content this authenticator targets.</t>
      </section>
    </section>
    <section anchor="seal-simple-sketch">
      <name>SEAL-simple Implementation Sketch</name>
      <t>This appendix is informative.  It specializes <xref target="full-encryption"/> at
cipher suite (aead_id = 0x0002, kdf_id = 0x0001) for the SEAL-simple
named instantiation (<xref target="named-instantiations"/>), so an implementer of
only that profile can build a conforming encryptor and decryptor from
one block.</t>
      <table anchor="seal-simple-sketch-params">
        <name>Fixed parameters for SEAL-simple(HKDF-SHA-256, AES-256-GCM)</name>
        <thead>
          <tr>
            <th align="left">Field</th>
            <th align="left">Value</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">protocol_id</td>
            <td align="left">"SEAL-RO-v1"</td>
          </tr>
          <tr>
            <td align="left">aead_id</td>
            <td align="left">0x0002 (AES-256-GCM)</td>
          </tr>
          <tr>
            <td align="left">kdf_id</td>
            <td align="left">0x0001 (HKDF-SHA-256)</td>
          </tr>
          <tr>
            <td align="left">snap_id</td>
            <td align="left">0x0000 (no snapshot authenticator)</td>
          </tr>
          <tr>
            <td align="left">nonce_mode</td>
            <td align="left">0x01 (derived)</td>
          </tr>
          <tr>
            <td align="left">epoch_length</td>
            <td align="left">32</td>
          </tr>
          <tr>
            <td align="left">segment_max</td>
            <td align="left">65536</td>
          </tr>
          <tr>
            <td align="left">Nk</td>
            <td align="left">32</td>
          </tr>
          <tr>
            <td align="left">Nn</td>
            <td align="left">12</td>
          </tr>
          <tr>
            <td align="left">Nt</td>
            <td align="left">16</td>
          </tr>
          <tr>
            <td align="left">Nh</td>
            <td align="left">32</td>
          </tr>
          <tr>
            <td align="left">commitment_length</td>
            <td align="left">32</td>
          </tr>
          <tr>
            <td align="left">layout</td>
            <td align="left">linear, immutable reduction (<xref target="read-only-layouts"/>)</td>
          </tr>
        </tbody>
      </table>
      <t>Per-segment associated data A_i is empty throughout this sketch, and a
caller that needs a non-empty A_i follows the general segment-AAD form
defined in <xref target="concrete-segment-aad"/>.</t>
      <t>Three separate quantities bound how large an object under this profile
can grow.</t>
      <ul spacing="normal">
        <li>
          <t>Integrity: 512 ZiB (2^79 octets) of ciphertext has total forgery
probability at most ~2^-52, from the AES-256-GCM tag-forgery formula 2
x v x (L + 1) / 2^128 at v = 2^63 segments and L = 2^12 blocks per
segment (<xref target="aead-usage-limits"/>).</t>
        </li>
        <li>
          <t>Confidentiality: 8 YiB (2^83 octets) is the AES-256-GCM budget across
all 2^31 epoch keys, each held to a 2^-32 advantage (2^52 octets per
key).  A full 512 ZiB (2^79-octet) object uses 1/16 of that, a ratio
fixed by the SEAL-simple choice of epoch_length 32.</t>
        </li>
        <li>
          <t>Structural: 512 ZiB (2^79 octets) is the object ceiling, from
derived-nonce framing capping the segment index at 2^63 across up to
2^31 epoch keys (<xref target="derived-nonces"/>, <xref target="max-object-size"/>).</t>
        </li>
      </ul>
      <t>In the block below, each KDF(...) call denotes the two-step KDF combiner
of <xref target="concrete-framing"/> evaluated at protocol_id = "SEAL-RO-v1", whose
leading argument is the derivation label.</t>
      <artwork><![CDATA[
inputs:  CEK  (32 octets)
         salt (32 octets, fresh uniformly random draw per object;
               see {{full-encryption}}, {{derived-nonces}})
         G    (octet string, empty by default)
         P_0, ..., P_{n-1}
              (segment plaintexts;  every non-final P_i is exactly
               65536 octets, only the final P_i may be shorter)

;;---- payload_info ----

payload_info = [uint16(0x0002),  ;; aead_id
                uint32(65536),   ;; segment_max_be
                uint16(0x0001),  ;; kdf_id
                uint16(0x0000),  ;; snap_id
                uint8(0x01),     ;; nonce_mode = derived
                uint8(32),       ;; epoch_length_u8
                salt]            ;; 32 octets

;;---- message schedule ----

commitment  = KDF("commit",      [CEK], [...payload_info, G], 32)
payload_key = KDF("payload_key", [CEK], payload_info,         32)
nonce_base  = KDF("nonce_base",  [CEK], payload_info,         12)

;;---- per segment ----

for i in 0 .. n-1:
    is_final    = 1 if i = n-1 else 0
    epoch_index = i >> 32                       ;; epoch_length = 32
    segment_key = KDF("epoch_key",
                      [payload_key], [uint64(epoch_index)], 32)

    nonce_i     = nonce_base[0:4]
                  || (nonce_base[4:12]
                      XOR uint64((i << 1) | is_final))

    (ct_i || tag_i) = AES-256-GCM.Seal(segment_key, nonce_i, "", P_i)

;;---- stored object ----

stored_object = salt || commitment
                || (ct_0 || tag_0)
                || (ct_1 || tag_1)
                || ...
                || (ct_{n-1} || tag_{n-1})

;;---- decrypt ----

;; Parse salt (32 octets), commitment (32 octets), and n segments from
;; stored_object.  Every non-final ct_i is exactly segment_max octets
;; and only the final ct_i may be shorter ({{linear-layout}}).

if KDF("commit", [CEK], [...payload_info, G], 32) != commitment:
    return commitment error   ;; wrong CEK, parameter set, or G

for i in 0 .. n-1:
    ;; segment_key, nonce_i, is_final derived exactly as in the
    ;; encrypt loop.
    P_i = AES-256-GCM.Open(segment_key, nonce_i, "", ct_i || tag_i)
          (return a decryption error on AEAD verification failure)

;; The reader MUST reject the object if segment n-1 did not open under
;; is_final = 1 ({{full-decryption}}).
]]></artwork>
      <t>The general algorithm's <tt>snap_key</tt> derivation is not used at <tt>snap_id
= 0x0000</tt> and an implementer of this profile omits it.</t>
      <t>See <xref target="seal-simple-vector"/> for the corresponding byte-level test vector.
A conforming implementation reproduces its commitment, payload_key, and
nonce_base, and the per-segment nonce, ciphertext, and tag, from the
fixed inputs of that vector.</t>
    </section>
    <section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix is informative.</t>
      <t>All vectors except <xref target="seal-simple-vector"/> use protocol_id =
"SEAL-RW-v1"; <xref target="seal-simple-vector"/> uses "SEAL-RO-v1".  Every vector
uses CEK = 32 octets of 0xAA and salt = 32 octets of 0x04.  Each block
opens with its parameter set,
grouped into three buckets:  the cipher suite (aead_id, kdf_id), the
geometry (segment_max), and the operational parameters (epoch_length,
nonce_mode, snap_id).  aead_id and kdf_id are the 2-octet IANA code
points from <xref target="aead-table"/> and <xref target="kdf-table"/>.  Then come the
payload_info elements as encoded on the wire, the payload schedule
outputs, the per-segment values, and the snapshot fields.  Hexadecimal
values wrap at 16 octets per line.</t>
      <t>The snapshot fields are the internal accumulator acc, the mask
snapmask(n_seg, snapshot_tag), the published wrapped_acc = acc XOR mask,
and the snapshot tag.  The snapshot stored on the wire is wrapped_acc ||
snapshot_tag (<xref target="masked-multiset-hash"/>).  The accumulator is an
intermediate value and is not on the wire, and the count is recovered
from the segment set.</t>
      <t>Single-segment plaintexts are "Hello, SEAL!" (12 octets).  Two-segment
messages append "Two segments of SEAL" (20 octets) as the final segment.
Most vectors use nonce_mode "random" with stored nonces 0x03 and 0x07
repeated to the AEAD nonce length.  The derived-nonce vector in
<xref target="derived-nonce-vector"/> instead recomputes each nonce from nonce_base,
and the cross-epoch vector in <xref target="cross-epoch-vector"/> sets epoch_length 0
and exposes the intermediate epoch_key and segment_key for each segment.
<xref target="single-trace"/> gives the full KDF trace for one commitment.  The other
blocks list schedule outputs only.  The nineteen computed positive
vectors, plus the negative SnapVerify vector in <xref target="snapverify-reject"/>,
are published byte-for-byte as raae-v1-vectors.json in the draft
repository.</t>
      <t>The vectors are organized by purpose:</t>
      <dl>
        <dt>Annotated walkthrough:</dt>
        <dd>
          <t><xref target="single-trace"/> shows one complete HKDF-SHA-256 trace, including the
commitment KDF inputs.  Use it to debug framing, payload_info
construction, commitment derivation, segment AAD, accumulator
contribution, and snapshot_tag computation.</t>
        </dd>
        <dt>Combiner injectivity coverage:</dt>
        <dd>
          <t><xref target="combiner-vectors"/> exercises the KDF combiner in isolation and
demonstrates encode() injectivity, including the empty-sequence and
same-octets-different-grouping cases.  The 38 combiner vectors are
published as raae-v1-combiner-kdf-vectors.json.</t>
        </dd>
        <dt>Cipher-suite coverage:</dt>
        <dd>
          <t>The single-segment and two-segment vectors exercise the listed AEAD
and segment-size combinations with HKDF-SHA-256.  Use these to check
AEAD code points, segment_max encoding, nonce storage, and
finality-bit handling.</t>
        </dd>
        <dt>KDF coverage:</dt>
        <dd>
          <t><xref target="turboshake-vectors"/> covers the TurboSHAKE-256 KDF suite and its
64-octet Nh outputs.</t>
        </dd>
        <dt>Rewrite coverage:</dt>
        <dd>
          <t><xref target="rewrite-vector"/> shows a segment rewrite and the corresponding
accumulator and snapshot_tag update.</t>
        </dd>
        <dt>Derived-nonce coverage:</dt>
        <dd>
          <t><xref target="derived-nonce-vector"/> covers AES-256-GCM-SIV in derived nonce mode,
where the nonce is recomputed rather than stored.</t>
        </dd>
        <dt>Epoch coverage:</dt>
        <dd>
          <t><xref target="cross-epoch-vector"/> shows epoch_length = 0, the finest rotation,
and exposes per-segment epoch_key and segment_key values.  The
AEGIS-256 blocks exercise the opposite endpoint, the flat key at
epoch_length = 63.</t>
        </dd>
        <dt>Plaintext-bound nonce coverage:</dt>
        <dd>
          <t><xref target="pt-bound-vectors"/> exposes the component values of the optional
plaintext-bound nonce construction, which no end-to-end vector can
reach.</t>
        </dd>
        <dt>Global associated data coverage:</dt>
        <dd>
          <t><xref target="g-commitment-vector"/> pins the commitment's G input at its empty
default, which equals the <xref target="single-trace"/> commitment, and at a
nonempty value.</t>
        </dd>
        <dt>Empty-AAD coverage:</dt>
        <dd>
          <t>All vectors use empty per-segment A_i.  As specified in
<xref target="concrete-segment-aad"/>, an empty A_i is omitted from the encoding
rather than encoded as a zero-length fourth element.</t>
        </dd>
        <dt>Negative coverage:</dt>
        <dd>
          <t><xref target="snapverify-reject"/> changes the accumulator without recomputing the
snapshot tag.  SnapVerify rejects the stored snapshot.</t>
        </dd>
      </dl>
      <t>The JSON file is the complete corpus for automated tests.  The text
below is intended for debugging and review.</t>
      <section anchor="single-trace">
        <name>Single Segment, AES-256-GCM, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
  payload_key  (32 octets):
    c1f2663e99977428dc0fec1566ce15e9
    1398634ab9b1d004945de48560707062
  snap_key     (32 octets):
    bc314ecaa8ff6c1c4ebc13b54597a10d
    2bcf412b40c428a0e411a828fcfb52ef

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    6a2b84e72ce8edbf4259eebd
  tag          (16 octets):
    a821834621b302b0eb00b0245fff2efb
  contrib      (32 octets):
    97b74013b135f6fe1739da05e1720b90
    dc596a6d09e29bfe437bb710391c9ba8

accumulator  (32 octets):
    97b74013b135f6fe1739da05e1720b90
    dc596a6d09e29bfe437bb710391c9ba8
mask         (32 octets):
    9356a1f7905b40b4561315a6892503d6
    2b0c7162aa19285f939325709f5847fb
wrapped_acc  (32 octets):
    04e1e1e4216eb64a412acfa368570846
    f7551b0fa3fbb3a1d0e89260a644dc53
snapshot_tag (32 octets):
    4e7bb00b4216798e02e511b26f0167c2
    a3f6c791407994e1f503f3923e591438

KDF trace for the commitment (HKDF-SHA-256):
  extract_input = encode(protocol_id, "commit", CEK):
    000a5345414c2d52572d76310006636f
    6d6d69740020aaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaa
  prk = HKDF-Extract(salt = protocol_id, extract_input):
    8eb0007f1e8ac96904742b4fb4448aba
    9d8a4b319f72f7e4a6d7bb8aab95737d
  expand_info = encode(protocol_id, "commit", ...payload_info, G,
                       I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000200020004000040000002
    00010002000100010000010100200404
    04040404040404040404040404040404
    04040404040404040404040404040000
    00020020
  commitment = HKDF-Expand(prk, expand_info, 32):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
]]></artwork>
      </section>
      <section anchor="g-commitment-vector">
        <name>Commitment with Global Associated Data</name>
        <t>These vectors pin the G input (<xref target="framework-commitment"/>) against the
schedule of <xref target="single-trace"/>:  the same CEK, salt, and payload_info with
G at its empty default and at a nonempty value.  The default case equals
the <xref target="single-trace"/> commitment, since every commitment includes the G
element.  These values are printed here only and are not part of the
end-to-end corpus.</t>
        <artwork><![CDATA[
G default (empty):
  commitment   (32 octets):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
  (the Single Segment, AES-256-GCM, HKDF-SHA-256, 16384
   commitment)

G = "raae-demo-g":
  G            (11 octets):
    726161652d64656d6f2d67
  commitment   (32 octets):
    d8eedb1fa0f77428cc33d252eb307796
    ae3bb911c2f6ea7a9e5b0bde312afd73
]]></artwork>
      </section>
      <section anchor="combiner-vectors">
        <name>KDF Combiner Vectors</name>
        <t>These vectors exercise the KDF combiner (<xref target="concrete-framing"/>) in
isolation.  They demonstrate that encode() is injective over
(protocol_id, label, ikm, info, L): distinct inputs, including inputs
whose octets concatenate to the same string under a different grouping,
produce distinct framed inputs and therefore distinct outputs.  The full
set of 38 combiner vectors, covering both KDF classes and every SEAL
label, is published byte-for-byte as raae-v1-combiner-kdf-vectors.json
in the draft repository.  All blocks below use ikm equal to a single
32-octet element of 0xAA.  Hexadecimal values wrap at 16 octets per
line.</t>
        <t>The first pair frames the same five info octets 01 02 03 04 05 two ways.
Because encode length-prefixes each element, the two expand_info values
differ, so the outputs differ.  The second pair shows that the empty
sequence and a one-element sequence whose element is the empty octet
string are distinct.  The third pair repeats the distinction in the
one-step form, where encode(...ikm) and encode(...info) are each a
single nested element of the message.</t>
        <artwork><![CDATA[
KDF.29  HKDF-SHA-256, label "commit"  (info = [010203, 0405])
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000301020300020405000200
    20
  output (32 octets):
    0dfb8948fcc220f61f43f291648903b7
    1fe6e5208647b6e18d3308f59fca0fa0

KDF.30  HKDF-SHA-256, label "commit"  (info = [0102, 030405])
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000201020003030405000200
    20
  output (32 octets):
    299aa40869ae880bc8a064bb5afe38c4
    13f420ff30bcbfac7651d5e248b3db98

KDF.8  HKDF-SHA-256, label "commit"  (info = [], the empty sequence)
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d697400020020
  output (32 octets):
    90073e3e9f1c855c2b7460e851f75d1a
    063a1daf007f81e4a695da1a0f97fca6

KDF.28  HKDF-SHA-256, label "commit"  (info = [""], one empty element)
  expand_info = encode(protocol_id, "commit", ...info,
                     I2OSP(32, 2)):
    000a5345414c2d52572d76310006636f
    6d6d6974000000020020
  output (32 octets):
    5a4b4b2d59f5989c598f05a0a448acda
    faf27e10914c3894430ee7482c9a1913

KDF.33  TurboSHAKE-256, label "commit"  (info = [010203, 0405])
  encoded_input = encode(protocol_id, "commit",
                       encode(...ikm), encode(...info),
                       I2OSP(64, 2)):
    000a5345414c2d52572d76310006636f
    6d6d697400220020aaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaa0009000301020300
    02040500020040
  output (64 octets):
    dcefbcdced8b413e18303d2ffe1cac63
    44ee71b13324caa91d1712efc6b81ca8
    9ce2b62ce3aedde0ed16e14d7d17e2f2
    bc69f5e856eb96f9e4845f8522b0a9b5

KDF.34  TurboSHAKE-256, label "commit"  (info = [0102, 030405])
  encoded_input = encode(protocol_id, "commit",
                       encode(...ikm), encode(...info),
                       I2OSP(64, 2)):
    000a5345414c2d52572d76310006636f
    6d6d697400220020aaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaa0009000201020003
    03040500020040
  output (64 octets):
    02958e6256193c71b0cc4b8ac3273b31
    15d1ac30fd9aab537ad6916206be9828
    9146b56526054b3c11e22f2c375d0b24
    43e8d2ad2e6a89b874aa9ef4ce2c9c77
]]></artwork>
      </section>
      <section anchor="single-segment-aes-256-gcm-hkdf-sha-256-65536">
        <name>Single Segment, AES-256-GCM, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9285553e10209c27bb5858b621426513
    b0832f26d7ee813d9dd62c218ce6972a
  payload_key  (32 octets):
    bb78da70d5e99d36c78e8a8b1a79b620
    e4a4250dd6b471024c379917dfbb2de7
  snap_key     (32 octets):
    953950ab75bdefd67ef15bbd7665b8af
    d3c9ced50ce7cb369e789606fc455025

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    1815f12b13f7ee2532f0fcca
  tag          (16 octets):
    df4b1428af3c5ecb6d804159fec249e0
  contrib      (32 octets):
    73e62d2574a38dc44b406a0c2f2d57b1
    2b7ca777b053cdbb4e9d6f1b3257991a

accumulator  (32 octets):
    73e62d2574a38dc44b406a0c2f2d57b1
    2b7ca777b053cdbb4e9d6f1b3257991a
mask         (32 octets):
    dfd59806ded61dbf83bab8a7e143da0e
    01714d207c2f53af86e00c875590093b
wrapped_acc  (32 octets):
    ac33b523aa75907bc8fad2abce6e8dbf
    2a0dea57cc7c9e14c87d639c67c79021
snapshot_tag (32 octets):
    5a7713eab7ce2f7f246647aa407e14fa
    f295a04333f06c27cdc1193252a9b8bc
]]></artwork>
      </section>
      <section anchor="single-segment-chacha20-poly1305-hkdf-sha-256-16384">
        <name>Single Segment, ChaCha20-Poly1305, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9ef7166bbce42787fd834f79d29f85b6
    6a050b24f372ecfb79a66b3f2fdc1acb
  payload_key  (32 octets):
    d0f1d392a371642db684a23858c0193c
    2d7406cb4360c81ef9190391cacf885f
  snap_key     (32 octets):
    b156708dc559791d78014bae5e01b5fd
    f8a397c2d140fd9b9468e3cceeb8aa5d

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    f1d968bc047a7bf6a15ef400
  tag          (16 octets):
    567deca2d91b732fd1f814a65335df79
  contrib      (32 octets):
    235bfbd70b8ce751d3720bea8351f039
    dac89c0055d817a5b949a8582c590035

accumulator  (32 octets):
    235bfbd70b8ce751d3720bea8351f039
    dac89c0055d817a5b949a8582c590035
mask         (32 octets):
    3beeed96dd10cd4bc3ec5f439a789d84
    acd1542b0edabd0c48c1bfb4766af53e
wrapped_acc  (32 octets):
    18b51641d69c2a1a109e54a919296dbd
    7619c82b5b02aaa9f18817ec5a33f50b
snapshot_tag (32 octets):
    b7a4b41dfb8de76d9ebaf0833f72d03b
    277bab9453c9085553dee456c998f4b7
]]></artwork>
      </section>
      <section anchor="single-segment-chacha20-poly1305-hkdf-sha-256-65536">
        <name>Single Segment, ChaCha20-Poly1305, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    ed76666a233fc9724c82f209aea191fa
    bdf8e65f12fa97f0a4e317839ee56f19
  payload_key  (32 octets):
    a859c3a684d35378bbbcf7ed48286313
    3e3af8d2cbf8d40687d693243c32cdea
  snap_key     (32 octets):
    aa42a852946818754780e48a9209a451
    345367bd07a04ad794c62a703366aa90

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    db9cf72ba226e3210aa9fcb5
  tag          (16 octets):
    f5048c0d08372770fe066f2b5c052ab8
  contrib      (32 octets):
    aec6ba40c8e7234e704d3a689866dcb0
    efb84a6f0c75e27ea45756486d2b9a72

accumulator  (32 octets):
    aec6ba40c8e7234e704d3a689866dcb0
    efb84a6f0c75e27ea45756486d2b9a72
mask         (32 octets):
    b372584c8a52e2daec61e6b3b2740b87
    c56913270ebf83456636645bccbd125c
wrapped_acc  (32 octets):
    1db4e20c42b5c1949c2cdcdb2a12d737
    2ad1594802ca613bc2613213a196882e
snapshot_tag (32 octets):
    2eb1e1d010fa697a4c577445e36aacc6
    3cfbaafc893b8cd6730099c560d3524a
]]></artwork>
      </section>
      <section anchor="single-segment-aegis-256-hkdf-sha-256-16384">
        <name>Single Segment, AEGIS-256, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    c4e0d853da06a0d7da0f062952ce8c1d
    c9936ec06b883accd2117aed9475f0cb
  payload_key  (32 octets):
    7b69e4c6a70d806c97315c4f37e698f8
    ad104677c20b4336ad81c9de7544246a
  snap_key     (32 octets):
    fb987468cf2e7f1321b8130b68933c7f
    039a39b0606fc7bc106d3169a9323d73

Segment 0 (is_final=1):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    91c6c2100dd9d365e5a6df47
  tag          (16 octets):
    f48dd988d409eb7b90b4fe6447ec7b25
  contrib      (32 octets):
    176e02c54d994c99f50928a7c67386fb
    ea17424dbcf70230e9f4bea73f5265a4

accumulator  (32 octets):
    176e02c54d994c99f50928a7c67386fb
    ea17424dbcf70230e9f4bea73f5265a4
mask         (32 octets):
    5e9bb90f0671afe58fb72584dce62ae6
    6bfaa33159a97eefc2de2304c8b2528a
wrapped_acc  (32 octets):
    49f5bbca4be8e37c7abe0d231a95ac1d
    81ede17ce55e7cdf2b2a9da3f7e0372e
snapshot_tag (32 octets):
    cb35b42e68a265b2c6a09de9b381044b
    29f46e98342a44f6eaae3eb8f7470789
]]></artwork>
      </section>
      <section anchor="single-segment-aegis-256-hkdf-sha-256-65536">
        <name>Single Segment, AEGIS-256, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    6bb3b3000bbdba28de3a8fcf29fd862e
    094e2e28c6df0d677aeba07ab747fe18
  payload_key  (32 octets):
    425c1db85e1d3c85025ab41d5e263db9
    c4969b4599942fa582d2394f0c5870e4
  snap_key     (32 octets):
    4bb7fb2a1e5036cbe9aa018af5b5fe56
    2fd60a1c388c54168621a40530ae4237

Segment 0 (is_final=1):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    f53c634ccf8aab1157fa44fd
  tag          (16 octets):
    90b6fa24f3cd9cb2b18574536f7bfdfc
  contrib      (32 octets):
    0b649e2b2702281a67ac5ab72c4b8e68
    afbe4135ee9a5fe693f34b6383377a24

accumulator  (32 octets):
    0b649e2b2702281a67ac5ab72c4b8e68
    afbe4135ee9a5fe693f34b6383377a24
mask         (32 octets):
    462e3c1a58d6f5f665988d3a28769729
    3bb3fa914b43a3d99b69da1b9491d1a3
wrapped_acc  (32 octets):
    4d4aa2317fd4ddec0234d78d043d1941
    940dbba4a5d9fc3f089a917817a6ab87
snapshot_tag (32 octets):
    34303daf7ba4f37eeddd4fd2bb382bb2
    439ceaecb5c240fc2839e2602d3a7d33
]]></artwork>
      </section>
      <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-16384">
        <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    47ea0ec7409b9b95d676019917a19f1c
    5831eb236aba459063458e525d130d0c
  payload_key  (32 octets):
    c1f2663e99977428dc0fec1566ce15e9
    1398634ab9b1d004945de48560707062
  snap_key     (32 octets):
    bc314ecaa8ff6c1c4ebc13b54597a10d
    2bcf412b40c428a0e411a828fcfb52ef

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    6a2b84e72ce8edbf4259eebd
  tag          (16 octets):
    1574936244d54aedf589c87002dbac90
  contrib      (32 octets):
    322c4622cd9f50552740d1eee7a530eb
    3fd371e44178b8ce18816b53dd3f1587
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    50b0eda5d7a86a5a94e501f317020173
    6d755d56
  tag          (16 octets):
    f22fb2b4bfed679d1d90d2a0814e429c
  contrib      (32 octets):
    7455e0472187dcd04a5747d508587a8c
    9f3e281818188be0edd46be8e32d4a6e

accumulator  (32 octets):
    4679a665ec188c856d17963beffd4a67
    a0ed59fc5960332ef55500bb3e125fe9
mask         (32 octets):
    ad55f19bb8997c8ad0def92830f0ce09
    4542ec804f7b99e66f294164985979a8
wrapped_acc  (32 octets):
    eb2c57fe5481f00fbdc96f13df0d846e
    e5afb57c161baac89a7c41dfa64b2641
snapshot_tag (32 octets):
    a08c73b5c414542cc06830d893d0eaca
    c749418dea32b11d5cc121d6b2db93b8
]]></artwork>
      </section>
      <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-65536">
        <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9285553e10209c27bb5858b621426513
    b0832f26d7ee813d9dd62c218ce6972a
  payload_key  (32 octets):
    bb78da70d5e99d36c78e8a8b1a79b620
    e4a4250dd6b471024c379917dfbb2de7
  snap_key     (32 octets):
    953950ab75bdefd67ef15bbd7665b8af
    d3c9ced50ce7cb369e789606fc455025

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    1815f12b13f7ee2532f0fcca
  tag          (16 octets):
    2597e2f2243b98c4bb7f320dc2f46ce3
  contrib      (32 octets):
    0d8b3cb23192377e88232945f623150b
    1a1c0b61745a4fa39a5f65e162b6e672
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    f17c9cac3693dcb4bdd524714da804d4
    c4390056
  tag          (16 octets):
    97d4f0d1303a2b112eac5aae081ef6bf
  contrib      (32 octets):
    a8e8df627852127e058558353da2def9
    9a83928b4c96ef37a5d0b08068b1a87c

accumulator  (32 octets):
    a563e3d049c025008da67170cb81cbf2
    809f99ea38cca0943f8fd5610a074e0e
mask         (32 octets):
    946a2744cf3fd572a03993d434705704
    47d1ce03f4769035a5058780660e5eff
wrapped_acc  (32 octets):
    3109c49486fff0722d9fe2a4fff19cf6
    c74e57e9ccba30a19a8a52e16c0910f1
snapshot_tag (32 octets):
    5ce50c9e90db4bbc28297372e401625c
    2e43203ce8008c452ea4355f0941ef67
]]></artwork>
      </section>
      <section anchor="two-segment-chacha20-poly1305-hkdf-sha-256-16384">
        <name>Two Segment, ChaCha20-Poly1305, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9ef7166bbce42787fd834f79d29f85b6
    6a050b24f372ecfb79a66b3f2fdc1acb
  payload_key  (32 octets):
    d0f1d392a371642db684a23858c0193c
    2d7406cb4360c81ef9190391cacf885f
  snap_key     (32 octets):
    b156708dc559791d78014bae5e01b5fd
    f8a397c2d140fd9b9468e3cceeb8aa5d

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    f1d968bc047a7bf6a15ef400
  tag          (16 octets):
    0359d2adbe709e374e6fae7830001295
  contrib      (32 octets):
    92c78ada192f60346b35491986711454
    9e20d72ede4b78a9567cf414365bc781
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    4d8f7a1b6aa589808c384a52bd90e4d0
    a44ed35e
  tag          (16 octets):
    61c3caca0ecda929269f52978f4a60e1
  contrib      (32 octets):
    85db0789dfd84dfaeb095fc28101d929
    af58800d6ae8882353c83c9a6013492c

accumulator  (32 octets):
    171c8d53c6f72dce803c16db0770cd7d
    31785723b4a3f08a05b4c88e56488ead
mask         (32 octets):
    e399bc51986eaf7f8d7cbcb3e76da43a
    b9607c01e413dd462639c4fd50191f32
wrapped_acc  (32 octets):
    f48531025e9982b10d40aa68e01d6947
    88182b2250b02dcc238d0c730651919f
snapshot_tag (32 octets):
    f4bfbdff53178451463ef23c73a31ab5
    06a6acfb49282af14598b2f49f32ceeb
]]></artwork>
      </section>
      <section anchor="two-segment-chacha20-poly1305-hkdf-sha-256-65536">
        <name>Two Segment, ChaCha20-Poly1305, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001d  (AEAD_CHACHA20_POLY1305)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001d
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    ed76666a233fc9724c82f209aea191fa
    bdf8e65f12fa97f0a4e317839ee56f19
  payload_key  (32 octets):
    a859c3a684d35378bbbcf7ed48286313
    3e3af8d2cbf8d40687d693243c32cdea
  snap_key     (32 octets):
    aa42a852946818754780e48a9209a451
    345367bd07a04ad794c62a703366aa90

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    db9cf72ba226e3210aa9fcb5
  tag          (16 octets):
    6423011bc81f13a30ef51ff32f209cff
  contrib      (32 octets):
    fab6f671b544bb356337a2b811475663
    cc5fab22c29a6770c6cd035bc44d0554
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    85ead0c3a974dd014622ec0e2ba9a6e6
    199a7b88
  tag          (16 octets):
    3ee3399f906110b8e7900805f2b72a85
  contrib      (32 octets):
    361a4ce5127403db2e54950d48a81af1
    a71913771db2885bcb6bcdab971a3611

accumulator  (32 octets):
    ccacba94a730b8ee4d6337b559ef4c92
    6b46b855df28ef2b0da6cef053573345
mask         (32 octets):
    b62dbfa20e0725e6cc0bb81b169f6294
    a8b1d7b94968ac589c9b7ebcffc37882
wrapped_acc  (32 octets):
    7a810536a9379d0881688fae4f702e06
    c3f76fec96404373913db04cac944bc7
snapshot_tag (32 octets):
    e0b3b1cadba56bb4994d7872b57aff7f
    42215a8e2b7a2241cffd5107f571d560
]]></artwork>
      </section>
      <section anchor="two-segment-aegis-256-hkdf-sha-256-16384">
        <name>Two Segment, AEGIS-256, HKDF-SHA-256, 16384</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   16384
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00004000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    c4e0d853da06a0d7da0f062952ce8c1d
    c9936ec06b883accd2117aed9475f0cb
  payload_key  (32 octets):
    7b69e4c6a70d806c97315c4f37e698f8
    ad104677c20b4336ad81c9de7544246a
  snap_key     (32 octets):
    fb987468cf2e7f1321b8130b68933c7f
    039a39b0606fc7bc106d3169a9323d73

Segment 0 (is_final=0):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    91c6c2100dd9d365e5a6df47
  tag          (16 octets):
    c4837c14751196e622301d3e8a5e00b2
  contrib      (32 octets):
    002805d6180149a3852b8afd82b40db9
    4d4e2af23a11bfb1e2922e5e3efb4210
Segment 1 (is_final=1):
  nonce        (32 octets):
    09090909090909090909090909090909
    09090909090909090909090909090909
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    006704b222fa9285da01b706be831b76
    ead7332c
  tag          (16 octets):
    9965b57015a2b058514fb1fca7708242
  contrib      (32 octets):
    f1edcc4f336fb96b7319d30bca9a9194
    e6795e34a3a0b19652521d749dd2e767

accumulator  (32 octets):
    f1c5c9992b6ef0c8f63259f6482e9c2d
    ab3774c699b10e27b0c0332aa329a577
mask         (32 octets):
    0affb88aa98af47cf91aa6c80b733679
    070bc7b44df36f22859f0c89a91a3cc9
wrapped_acc  (32 octets):
    fb3a711382e404b40f28ff3e435daa54
    ac3cb372d4426105355f3fa30a3399be
snapshot_tag (32 octets):
    3d8899806c647a198c1c4e23f6ce8a2e
    be5d8cba11d65a16bbd2e7d5c4f415fc
]]></artwork>
      </section>
      <section anchor="two-segment-aegis-256-hkdf-sha-256-65536">
        <name>Two Segment, AEGIS-256, HKDF-SHA-256, 65536</name>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0021  (AEAD_AEGIS256)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  63
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0021
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 3f
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    6bb3b3000bbdba28de3a8fcf29fd862e
    094e2e28c6df0d677aeba07ab747fe18
  payload_key  (32 octets):
    425c1db85e1d3c85025ab41d5e263db9
    c4969b4599942fa582d2394f0c5870e4
  snap_key     (32 octets):
    4bb7fb2a1e5036cbe9aa018af5b5fe56
    2fd60a1c388c54168621a40530ae4237

Segment 0 (is_final=0):
  nonce        (32 octets):
    05050505050505050505050505050505
    05050505050505050505050505050505
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    f53c634ccf8aab1157fa44fd
  tag          (16 octets):
    c466896ca6da6509959b1c0c10dd688d
  contrib      (32 octets):
    e558127502262f71ac5ce07b9e0e101f
    177a5428a10ecb464cfcd731d75b35fe
Segment 1 (is_final=1):
  nonce        (32 octets):
    09090909090909090909090909090909
    09090909090909090909090909090909
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    40865396160e5aa905a96d3a6552f6cc
    fecf30ec
  tag          (16 octets):
    ddd6e4979a6d648400b236abc617d033
  contrib      (32 octets):
    23f4cfab2a5601a75d7f87148c5f32fd
    d8ab5ac1a16d25c9688e61b7d09171bb

accumulator  (32 octets):
    c6acddde28702ed6f123676f125122e2
    cfd10ee90063ee8f2472b68607ca4445
mask         (32 octets):
    8d8832a7c865352b6ebcfabaa1c85c69
    0aacfbfb2bf08a73cc090281bea1ca42
wrapped_acc  (32 octets):
    4b24ef79e0151bfd9f9f9dd5b3997e8b
    c57df5122b9364fce87bb407b96b8e07
snapshot_tag (32 octets):
    016300d12db61dc1b6b11fbeee8ecaf8
    614efe5802f3fc919ab8aa665cdf9294
]]></artwork>
      </section>
      <section anchor="turboshake-vectors">
        <name>TurboSHAKE-256 Cipher Suite Vectors</name>
        <t>These two vectors exercise the one-step TurboSHAKE-256 cipher suite
(<xref target="kdf-table"/>), for which Nh = 64.  The commitment, snap_key, contrib,
the accumulator, and the snapshot tag are therefore 64 octets, while
payload_key (Nk) and the nonces (Nn) are unchanged.</t>
        <section anchor="single-segment-aes-256-gcm-turboshake-256-65536">
          <name>Single Segment, AES-256-GCM, TurboSHAKE-256, 65536</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0013  (TurboSHAKE-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0013
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (64 octets):
    b19991b71ed275d98070eab735179d60
    be397354a85f6d6f58e74dcb90f0ff43
    8271da594a267d81aaa74a88736ba549
    d9e88c1b9d9a972135220b76c9568483
  payload_key  (32 octets):
    bdecddf1340029c520b9b4a9e1b15144
    d283209261a58113294728e337d14ea8
  snap_key     (64 octets):
    92fc2e47ac72bbdbcac62a67ced07dad
    a1e907bd82e92a68ba5f6098ec067931
    e59683904d5213ddd0abe237ac0f9450
    ef33180028f2ea7e47d738e6f3faed01

Segment 0 (is_final=1):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000101
  ciphertext   (12 octets):
    429b98993decaa7c1792d52d
  tag          (16 octets):
    be8cd796db427f283859fa6722708d5b
  contrib      (64 octets):
    371669ebb5f158b73bd65f0f66a33878
    3e2372d1cbfced76ff866e264fb6c85f
    151dcdf2662d286cc065844a2b5aff57
    200d689ad4ee7d027df20be43747bbf2

accumulator  (64 octets):
    371669ebb5f158b73bd65f0f66a33878
    3e2372d1cbfced76ff866e264fb6c85f
    151dcdf2662d286cc065844a2b5aff57
    200d689ad4ee7d027df20be43747bbf2
mask         (64 octets):
    39bc62cc8b75a8745da4cf36061350a1
    a1c439359cde43df5355ce7c8527cb0f
    23dbf74cd0534517d729fc1ebad29d15
    b27c8f0373ca74ccc7a19de9e174ce39
wrapped_acc  (64 octets):
    0eaa0b273e84f0c36672903960b068d9
    9fe74be45722aea9acd3a05aca910350
    36c63abeb67e6d7b174c785491886242
    9271e799a72409ceba53960dd63375cb
snapshot_tag (64 octets):
    75dd576b0a3f5ba7181b3e183e6ef741
    b1e7ea93a7852fc0c7657ed905f74eb6
    45570ac0b639c2f901797f1152c8c7d4
    196aed0cf4af2308431af242399b0c22
]]></artwork>
        </section>
        <section anchor="two-segment-aes-256-gcm-turboshake-256-65536">
          <name>Two Segment, AES-256-GCM, TurboSHAKE-256, 65536</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0013  (TurboSHAKE-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0013
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (64 octets):
    b19991b71ed275d98070eab735179d60
    be397354a85f6d6f58e74dcb90f0ff43
    8271da594a267d81aaa74a88736ba549
    d9e88c1b9d9a972135220b76c9568483
  payload_key  (32 octets):
    bdecddf1340029c520b9b4a9e1b15144
    d283209261a58113294728e337d14ea8
  snap_key     (64 octets):
    92fc2e47ac72bbdbcac62a67ced07dad
    a1e907bd82e92a68ba5f6098ec067931
    e59683904d5213ddd0abe237ac0f9450
    ef33180028f2ea7e47d738e6f3faed01

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    429b98993decaa7c1792d52d
  tag          (16 octets):
    c2afc8ba9d2d163d600a88ed34420cc8
  contrib      (64 octets):
    97b151445a7f50b4f41811e8b9d0f4c9
    04648ba6d13085e7d7180d94321aa3f8
    4f895847053ce9c66e4b27f4251f6ffc
    356e72ec1a867e2b405163732b65b8c1
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    7597ac827f175c664e7bebb8b828753b
    fc778463
  tag          (16 octets):
    78545349b2e5092b9d279c97abfe1511
  contrib      (64 octets):
    df8a6116f5535741f7973cfbb2aa6ef0
    78f54da534fea79f953ef95b6a60c5d8
    eaa6a034c9dc8186f27726ae99772694
    0cb46e83581e1466f34a46a76abbca41

accumulator  (64 octets):
    483b3052af2c07f5038f2d130b7a9a39
    7c91c603e5ce22784226f4cf587a6620
    a52ff873cce068409c3c015abc684968
    39da1c6f42986a4db31b25d441de7280
mask         (64 octets):
    49cc05dd25532375d143f69b276b0b8d
    5246388217b39b7ef2262b6e7f293fdc
    a43408f13b9172cb3e98a72c735d2546
    e15b860122ebea099a7cbd987bfee991
wrapped_acc  (64 octets):
    01f7358f8a7f2480d2ccdb882c1191b4
    2ed7fe81f27db906b000dfa1275359fc
    011bf082f7711a8ba2a4a676cf356c2e
    d8819a6e607380442967984c3a209b11
snapshot_tag (64 octets):
    f6b15b8cf01fd11587f9fe7a32185abe
    31ac84194ae3eed199a5b19ba83b0cdf
    bf0c8e3b4f48199b01bdd1710d87c076
    9d0cdc82f5292a913b7f1d14cd93b843
]]></artwork>
        </section>
      </section>
      <section anchor="rewrite-vector">
        <name>Segment Rewrite Vector</name>
        <t>This vector applies RewriteSegment (<xref target="full-rewrite"/>) to segment 0 of a
two-segment AES-256-GCM message, replacing its plaintext under a fresh
nonce.  acc_delta = old_contrib XOR new_contrib, the new accumulator is
the old accumulator XOR acc_delta, and the snapshot tag is recomputed
over the count and the new accumulator.</t>
        <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-65536-rewrite">
          <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 65536 (Rewrite)</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  1
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 01
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    9285553e10209c27bb5858b621426513
    b0832f26d7ee813d9dd62c218ce6972a
  payload_key  (32 octets):
    bb78da70d5e99d36c78e8a8b1a79b620
    e4a4250dd6b471024c379917dfbb2de7
  snap_key     (32 octets):
    953950ab75bdefd67ef15bbd7665b8af
    d3c9ced50ce7cb369e789606fc455025

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    1815f12b13f7ee2532f0fcca
  tag          (16 octets):
    2597e2f2243b98c4bb7f320dc2f46ce3
  contrib      (32 octets):
    0d8b3cb23192377e88232945f623150b
    1a1c0b61745a4fa39a5f65e162b6e672
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    f17c9cac3693dcb4bdd524714da804d4
    c4390056
  tag          (16 octets):
    97d4f0d1303a2b112eac5aae081ef6bf
  contrib      (32 octets):
    a8e8df627852127e058558353da2def9
    9a83928b4c96ef37a5d0b08068b1a87c

accumulator  (32 octets):
    a563e3d049c025008da67170cb81cbf2
    809f99ea38cca0943f8fd5610a074e0e
mask         (32 octets):
    946a2744cf3fd572a03993d434705704
    47d1ce03f4769035a5058780660e5eff
wrapped_acc  (32 octets):
    3109c49486fff0722d9fe2a4fff19cf6
    c74e57e9ccba30a19a8a52e16c0910f1
snapshot_tag (32 octets):
    5ce50c9e90db4bbc28297372e401625c
    2e43203ce8008c452ea4355f0941ef67

Rewrite of segment 0:
  new_nonce    (12 octets):
    0b0b0b0b0b0b0b0b0b0b0b0b
  new_ciphertext (22 octets):
    f20adfd4e5ab8016903d7eaa022f65c7
    0a3f9988b1e5
  new_tag      (16 octets):
    ff3268f44b36f41c84a2e85d0a975d38
  old_contrib  (32 octets):
    0d8b3cb23192377e88232945f623150b
    1a1c0b61745a4fa39a5f65e162b6e672
  new_contrib  (32 octets):
    d1799e445a84608aae7dfca35bc03813
    138fd92f58adb6c1fec48907e9a90f9e
  acc_delta    (32 octets):
    dcf2a2f66b1657f4265ed5e6ade32d18
    0993d24e2cf7f962649bece68b1fe9ec
  new_accumulator (32 octets):
    7991412622d672f4abf8a4966662e6ea
    890c4ba4143b59f65b1439878118a7e2
  new_mask        (32 octets):
    76615f532f527eaecac7d2fa4232fc32
    10596f72a1e2637cfbb5db656d53c9ac
  new_wrapped_acc (32 octets):
    0ff01e750d840c5a613f766c24501ad8
    995524d6b5d93a8aa0a1e2e2ec4b6e4e
  new_snapshot_tag (32 octets):
    bba55e58311ebbd38d7880a9ebec3d19
    3212c0600ce04aeeb7c18ee62e33b9cc
]]></artwork>
        </section>
      </section>
      <section anchor="derived-nonce-vector">
        <name>Derived-Nonce Cipher Suite Vector</name>
        <t>This vector exercises AES-256-GCM-SIV (<xref target="aead-table"/>), the MRAE cipher
suite that uses derived nonce mode.  There is no stored per-segment
nonce:  each nonce is recomputed from nonce_base by the formula in
<xref target="derived-nonces"/>, which XORs uint64((i &lt;&lt; 1) | is_final), the segment
index and finality bit, into the low 8 octets of nonce_base (here Nn =
12).  The block applies RewriteSegment to segment 0.  Because the nonce
is recomputed deterministically, the rewrite reuses the same nonce as
the original segment 0.  AES-256-GCM-SIV is misuse-resistant, so the
reuse leaks only equality of identical plaintext-and-context pairs, not
plaintext.</t>
        <section anchor="two-segment-aes-256-gcm-siv-hkdf-sha-256-65536-rewrite">
          <name>Two Segment, AES-256-GCM-SIV, HKDF-SHA-256, 65536 (Rewrite)</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x001f  (AEAD_AES_256_GCM_SIV)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  0
    nonce_mode    derived
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 001f
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 01
  epoch_length_u8 ( 1 octets): 00
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    bf20f8c7691934f0ccf767b2a5ac19e4
    67228674414f68d839a6698a3edd1813
  payload_key  (32 octets):
    d2f4ae67c4024a3b61b902188a75cdc4
    757245350393608e8d4af530b91a4411
  snap_key     (32 octets):
    18e303acfa725f11d6a75a48723fb408
    c481e5703032b0e5f1724461f8901bbc
  nonce_base   (12 octets):
    8a2860a4c1e733427aaa7aeb

Segment 0 (is_final=0):
  nonce        (12 octets):  (derived from nonce_base, not stored)
    8a2860a4c1e733427aaa7aeb
  epoch_key    (32 octets):
    a65f10ea805ada25b9f1ef7527383cde
    423b104e8813edaed5490747633291c6
  segment_key  (32 octets):
    a65f10ea805ada25b9f1ef7527383cde
    423b104e8813edaed5490747633291c6
  segment_aad  ( 0 octets): (empty)
  ciphertext   (12 octets):
    b3b34ccfb3481851057f1eab
  tag          (16 octets):
    2d143f398a84cdfd47146c194e1c177c
  contrib      (32 octets):
    fce4eed2d488b1ee8994c270cd145202
    ea63b9fd0c0f7401c5cad41c767e91c6
Segment 1 (is_final=1):
  nonce        (12 octets):  (derived from nonce_base, not stored)
    8a2860a4c1e733427aaa7ae8
  epoch_key    (32 octets):
    3cd69f36c405895994a14b8b5aafaf09
    09517de95d17e6b903cf350fa8769826
  segment_key  (32 octets):
    3cd69f36c405895994a14b8b5aafaf09
    09517de95d17e6b903cf350fa8769826
  segment_aad  ( 0 octets): (empty)
  ciphertext   (20 octets):
    3392acaffbaaa0224644ee4b0efa53ad
    c0d21628
  tag          (16 octets):
    408046d4fb0789a8ae0c41ddb0f66fc3
  contrib      (32 octets):
    7e2e00b404bf5962b6220c4196298f4b
    d25bff62bd9e3230ddd0d344e2b78cc1

accumulator  (32 octets):
    82caee66d037e88c3fb6ce315b3ddd49
    3838469fb1914631181a075894c91d07
mask         (32 octets):
    b0c48fd39186cb0b55dd036ffd1c46ef
    73c6b282977ecd28e6065cdcc64e36d2
wrapped_acc  (32 octets):
    320e61b541b123876a6bcd5ea6219ba6
    4bfef41d26ef8b19fe1c5b8452872bd5
snapshot_tag (32 octets):
    44dea9b3ed7c07f3e95bfe10848430f3
    cc1059251c3cf85d2c2e717634155aaf

Rewrite of segment 0:
  new_nonce    (12 octets):
    8a2860a4c1e733427aaa7aeb
  new_ciphertext (22 octets):
    f1cb96bd31369de3d8f26e007bf71759
    51a0c59330b0
  new_tag      (16 octets):
    74105b3b59dd624421f67f295921841d
  old_contrib  (32 octets):
    fce4eed2d488b1ee8994c270cd145202
    ea63b9fd0c0f7401c5cad41c767e91c6
  new_contrib  (32 octets):
    64064c4b612f62cafad57b458158d125
    08164dc2bef7594568a978f6f2a1ae55
  acc_delta    (32 octets):
    98e2a299b5a7d3247341b9354c4c8327
    e275f43fb2f82d44ad63acea84df3f93
  new_accumulator (32 octets):
    1a284cff65903ba84cf7770417715e6e
    da4db2a003696b75b579abb210162294
  new_mask        (32 octets):
    5f4185e7b2b940639b4fa672174edf71
    a88c8015423ed35d14134b1741d869a2
  new_wrapped_acc (32 octets):
    4569c918d7297bcbd7b8d176003f811f
    72c132b54157b828a16ae0a551ce4b36
  new_snapshot_tag (32 octets):
    a4ad2d7fa8abbbec998af5c3ced3514f
    e420923c403ba57771bad99a8d03034a
]]></artwork>
        </section>
      </section>
      <section anchor="cross-epoch-vector">
        <name>Cross-Epoch Key Vector</name>
        <t>This vector sets epoch_length = 0, the finest epoch partition, so the
epoch index equals the segment index and each segment is sealed under a
distinct epoch key (<xref target="epoch-key-derivation"/>).  The block exposes the
intermediate epoch_key(i) and segment_key(i) for each segment.  At
epoch_length = 0 the shift is the identity, so segment_key(i) equals
epoch_key(i), and epoch_key(0) and epoch_key(1) differ.</t>
        <section anchor="two-segment-aes-256-gcm-hkdf-sha-256-65536-epochlength-0">
          <name>Two Segment, AES-256-GCM, HKDF-SHA-256, 65536, epoch_length 0</name>
          <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  0
    nonce_mode    random
    snap_id       0x0001  (masked multiset hash)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0001
  nonce_mode      ( 1 octets): 00
  epoch_length_u8 ( 1 octets): 00
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    248167fa761884de975ed84dd2464c7b
    0e85cfaf205470750ca644137da76517
  payload_key  (32 octets):
    e27e393efb0b8abec87b27fa0ae3f19c
    0f19093877aae8267d14be74b035eeb6
  snap_key     (32 octets):
    f152bcb8e03852f726a7824c902e9b4f
    aa9b849478cd115c1a3de02b8f04ddb8

Segment 0 (is_final=0):
  nonce        (12 octets):
    030303030303030303030303
  epoch_key    (32 octets):
    cfe9ccdc21e8021fd5cada3fff397f2b
    86431ec14eb0ac60809e4aee4a497f36
  segment_key  (32 octets):
    cfe9ccdc21e8021fd5cada3fff397f2b
    86431ec14eb0ac60809e4aee4a497f36
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000000000100
  ciphertext   (12 octets):
    04b77b3d7370bf0ce5baeb78
  tag          (16 octets):
    4fd2abdb95a887e32aacced927ea7666
  contrib      (32 octets):
    22f6f5e04dc24fcd3ea57d2aab707c37
    7530de5b5cde77959c85888afe189675
Segment 1 (is_final=1):
  nonce        (12 octets):
    070707070707070707070707
  epoch_key    (32 octets):
    c6b0ed6d72fe7fe3114623c98f527e3d
    3644cfdc88c56f6e4550495dc92b3fe2
  segment_key  (32 octets):
    c6b0ed6d72fe7fe3114623c98f527e3d
    3644cfdc88c56f6e4550495dc92b3fe2
  segment_aad  (24 octets):
    00095345414c2d444154410008000000
    0000000001000101
  ciphertext   (20 octets):
    550d0675f7ed31bf5377805fcf64bb30
    38167fe1
  tag          (16 octets):
    15c5bbacef49c9e0cc6f4a16a1fb0204
  contrib      (32 octets):
    e9341dfae1376b08122e20e8580b1e94
    7b771e1cf4b11cf5472868cc34a18870

accumulator  (32 octets):
    cbc2e81aacf524c52c8b5dc2f37b62a3
    0e47c047a86f6b60dbade046cab91e05
mask         (32 octets):
    4b770b765273b67eda59116abc4521c7
    28998adf914b868f6c94bcdda7f57910
wrapped_acc  (32 octets):
    80b5e36cfe8692bbf6d24ca84f3e4364
    26de4a983924edefb7395c9b6d4c6715
snapshot_tag (32 octets):
    7ec104576a2197294a35d2d28000331e
    30dc4172f1f18492950e15ef0c1f1742
]]></artwork>
        </section>
      </section>
      <section anchor="pt-bound-vectors">
        <name>Plaintext-Bound Nonce Component Vectors</name>
        <t>These vectors exercise the optional plaintext-bound nonce construction
(<xref target="appendix-pt-bound"/>) component by component:  the plaintext digest
pt_digest, the bound digest pt_hash, the framed nonce_ctx, and the final
nonce.  The construction is encryptor-only and its output is
indistinguishable from random mode on the wire, so no end-to-end vector
exercises it.  Component values are the only way to check an
implementation byte for byte.  The labels are those of
<xref target="pt-bound-labels"/>, and nonce_ctx enters the final derivation as a
single framed info element after the payload_info elements.</t>
        <t>Each block reuses the payload_key, payload_info, and salt of a
published cipher-suite block, so the values chain into the payload
schedules above.  The random_input value stands in for the fresh
Random(Nn) draw of the construction, and both blocks bind the
plaintext "Hello, SEAL!".  These component vectors are printed in
this appendix only and are not part of the end-to-end corpus.</t>
        <section anchor="aes-256-gcm-hkdf-sha-256-16384-segment-0">
          <name>AES-256-GCM, HKDF-SHA-256, 16384, Segment 0</name>
          <t>The payload schedule is that of <xref target="single-trace"/>.</t>
          <artwork><![CDATA[
plaintext    (12 octets):
    48656c6c6f2c205345414c21
random_input (12 octets):
    0f0f0f0f0f0f0f0f0f0f0f0f
pt_digest    (32 octets):
    e66fec4cada0ccdb73930622ef393d5b
    a05fb73bdd81205a9f828f75e85ded81
pt_hash      (32 octets):
    072fa800d5069a226a7322c5b3fb704f
    8564fd2075dd9de6de274a2b5645faaa
nonce_ctx    (56 octets):
    000a5345414c2d52572d763100080000
    0000000000000020072fa800d5069a22
    6a7322c5b3fb704f8564fd2075dd9de6
    de274a2b5645faaa
nonce        (12 octets):
    ef044c5a935e8bd52db61582
]]></artwork>
        </section>
        <section anchor="aes-256-gcm-turboshake-256-65536-segment-1">
          <name>AES-256-GCM, TurboSHAKE-256, 65536, Segment 1</name>
          <t>The payload schedule is that of the single-segment TurboSHAKE-256
block (<xref target="turboshake-vectors"/>).  The segment index is 1, visible in
the second framed element of nonce_ctx.</t>
          <artwork><![CDATA[
plaintext    (12 octets):
    48656c6c6f2c205345414c21
random_input (12 octets):
    0f0f0f0f0f0f0f0f0f0f0f0f
pt_digest    (64 octets):
    f809e1b9b0e28d0fd1dce5cf9e4aae59
    fde2b08a551c311b621323a5d2f3c78d
    e55c22edcdd091231c4509849acf592a
    85ab446dfcff4fac008194e6ef59d9b4
pt_hash      (64 octets):
    ad6a35f94960ee1004391bdfaee16149
    ef56bca4fd5b98abfec56fdb80752624
    ade63d71f3b15e9aa5dd9fb0ffa8e533
    f7ef5caa7620432cf1c1bf7d97611536
nonce_ctx    (88 octets):
    000a5345414c2d52572d763100080000
    0000000000010040ad6a35f94960ee10
    04391bdfaee16149ef56bca4fd5b98ab
    fec56fdb80752624ade63d71f3b15e9a
    a5dd9fb0ffa8e533f7ef5caa7620432c
    f1c1bf7d97611536
nonce        (12 octets):
    dbd450bb6f147795caeeee12
]]></artwork>
        </section>
      </section>
      <section anchor="dt-vectors">
        <name>Digest Transcript Component Vectors</name>
        <t>These vectors exercise the digest transcript (<xref target="digest-transcript"/>)
component by component:  the schedule values of a SEAL-RO-v1 digest
transcript (snap_id 0x0002) context, two segment leaves over specified
segment bytes and tags, and the transcript over them.  The segment bytes
are specified component inputs, not the AEAD output of a full object.
The leaf and transcript derivation is what an implementation checks byte
for byte.  These component vectors are printed in this appendix only and
are not part of the end-to-end corpus.</t>
        <t>The context is a SEAL-RO-v1 object using the digest transcript (snap_id
0x0002), with AES-256-GCM and HKDF-SHA-256, the demo CEK (0xAA repeated)
and salt (0x04 repeated) of <xref target="single-trace"/>, and the default empty G.
payload_info is [aead_id 0x0002, segment_max_be 65536, kdf_id 0x0001,
snap_id 0x0002, nonce_mode 0x01 (derived), epoch_length_u8 0x20, salt].</t>
        <artwork><![CDATA[
CEK          (32 octets):
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
salt         (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404
commitment   (32 octets):
    86e87a2c11e9b0c0b592c6542fa5bb44
    1df57f06777274295bf803d28287a180
snap_key     (32 octets):
    ac141c5b853179c84843c8df51b5cc56
    dc4d4a13da95425fb880349e9c508318
]]></artwork>
        <section anchor="leaves-and-transcript-nseg-2">
          <name>Leaves and Transcript, n_seg = 2</name>
          <t>Segment 0 is non-final with 16 specified ciphertext octets, segment 1 is
final with 8.  The leaf is the ciphertext digest LH(ct_i) concatenated
with the segment's AEAD tag.  Here the tag is a specified component
input.  The tag binds the segment's nonce, index, and finality
(<xref target="digest-transcript"/>).</t>
          <artwork><![CDATA[
ct_0            (16 octets):
    000102030405060708090a0b0c0d0e0f
tag_0           (16 octets):
    202122232425262728292a2b2c2d2e2f
leaf(0)=LH(ct_0)||tag_0 (48 octets):
    b726af81e3cadd5c7a486e6a3becc39b
    1c5628da64e8145161124bc172a4ad64
    202122232425262728292a2b2c2d2e2f
ct_1            (8 octets):
    1011121314151617
tag_1           (16 octets):
    303132333435363738393a3b3c3d3e3f
leaf(1)=LH(ct_1)||tag_1 (48 octets):
    3c36a934a52861d5b6c1da66ab493edb
    41f744771e16750ac409b3bed2758f87
    303132333435363738393a3b3c3d3e3f
transcript      (32 octets):
    2d1cd8ffda1e1e71f09e36fee6b41767
    c43d43caea85dc4e1197ab0b5215369f
]]></artwork>
          <t>Each leaf is leaf(i) = LH(ct_i) || tag(i).  The transcript's ikm is
[snap_key] and its info elements are [commitment, uint64(2), leaf(0),
leaf(1)].  The ordered list binds each leaf's position and the count.
The stored snapshot value is the transcript.</t>
        </section>
      </section>
      <section anchor="edt-vectors">
        <name>Epoch Digest Tree Component Vectors</name>
        <t>These vectors exercise the epoch digest tree (<xref target="epoch-digest-tree"/>)
with four segments in two epochs.  The context is a SEAL-RO-v1 object
using the epoch digest tree (snap_id 0x0003) with epoch_length 1
(epoch_length_u8 0x01), chosen small so the example has two epochs of
two segments.  Changing snap_id and epoch_length changes payload_info,
so the commitment and snap_key differ from <xref target="dt-vectors"/>.  The segment
bytes and tags are specified component inputs.</t>
        <t>The context uses the same CEK (0xAA repeated) and salt (0x04 repeated)
as <xref target="dt-vectors"/>, AES-256-GCM, HKDF-SHA-256, segment_max 65536, derived
nonce, and the default empty G.</t>
        <artwork><![CDATA[
commitment   (32 octets):
    bcb3f7ba5ac54aa98ae62f6500290a40
    3c3dbdd8bf498d24bd12a4280c1fb5bb
snap_key     (32 octets):
    f618eea83b891b2ab60d311c7be63db5
    28af4126158376c909f7407812ea74fd
]]></artwork>
        <t>The four leaves, each leaf(i) = LH(ct_i) || tag(i):</t>
        <artwork><![CDATA[
leaf(0) (48 octets):
    b726af81e3cadd5c7a486e6a3becc39b
    1c5628da64e8145161124bc172a4ad64
    202122232425262728292a2b2c2d2e2f
leaf(1) (48 octets):
    3c36a934a52861d5b6c1da66ab493edb
    41f744771e16750ac409b3bed2758f87
    303132333435363738393a3b3c3d3e3f
leaf(2) (48 octets):
    2c8e6a5e8019913bebc27623854e35e3
    2bcd1ef439372403f8492e60d571cad1
    404142434445464748494a4b4c4d4e4f
leaf(3) (48 octets):
    cbd4067f9d6dc18f7bb5f33675a1b01e
    6ce102113947a9dc1045776b8e62d200
    505152535455565758595a5b5c5d5e5f
]]></artwork>
        <t>Epoch 0 is segments 0 and 1, epoch 1 is segments 2 and 3.  Each epoch
head is d_e = KDF(protocol_id, "snap_epoch", [snap_key],
[LH(epoch_run(e))], 32) over that epoch's two concatenated leaves:</t>
        <artwork><![CDATA[
d_0 (32 octets):
    fe52c52a3688c6f4e7607f937b19ec94
    b9713e57d0f53e3191c9eed88e2f94c1
d_1 (32 octets):
    b826e5aa024e5444a82be1c26b097f18
    08d2bd18257b8ccde900dd1c01ab1a7a
]]></artwork>
        <t>The snapshot is KDF(protocol_id, "snap_epoch_root", [snap_key],
[commitment, uint64(4), LH(d_0 || d_1)], 32):</t>
        <artwork><![CDATA[
snapshot     (32 octets):
    4c4ca5479c92e989e9fb0a7e9691f34f
    33e87c9ae08af31d24ac4ce408201eb4
]]></artwork>
      </section>
      <section anchor="snapverify-reject">
        <name>Negative SnapVerify Vector</name>
        <t>This vector demonstrates the snapshot integrity check.  It takes the
honest state of the two-segment AES-256-GCM, HKDF-SHA-256, 65536 vector
and flips the first octet of the stored masked accumulator, leaving the
snapshot tag unchanged.  SnapVerify recomputes the snapshot from the two
present segment tags (<xref target="masked-multiset-hash"/>):  the recomputed
accumulator is the honest one, so the recomputed snapshot tag equals the
stored tag, but the recomputed wrapped accumulator differs from the
tampered one.  The single constant-time comparison of the full
recomputed snapshot against the stored value therefore fails, and
SnapVerify returns reject without revealing which half differed.  A
consumer <bcp14>MUST</bcp14> treat this entry as expect-reject and <bcp14>MUST NOT</bcp14> accept it
as a valid snapshot.</t>
        <section anchor="tampered-accumulator-snapshot-tag-not-recomputed">
          <name>Tampered Accumulator, Snapshot Tag Not Recomputed</name>
          <artwork><![CDATA[
Source: the two-segment AES-256-GCM, HKDF-SHA-256, 65536 vector;
        the tamper flips the first octet of the stored masked
        accumulator, with the snapshot_tag left unchanged.

tampered_accumulator (32 octets):
    a463e3d049c025008da67170cb81cbf2
    809f99ea38cca0943f8fd5610a074e0e
mask                 (32 octets):
    946a2744cf3fd572a03993d434705704
    47d1ce03f4769035a5058780660e5eff
tampered_wrapped_acc (32 octets):
    3009c49486fff0722d9fe2a4fff19cf6
    c74e57e9ccba30a19a8a52e16c0910f1
snapshot_tag (32 octets):
    5ce50c9e90db4bbc28297372e401625c
    2e43203ce8008c452ea4355f0941ef67

SnapVerify recomputes the snapshot from the present segment tags
and compares it, whole, against the stored value in constant
time. The recomputed wrapped accumulator differs from the stored
tampered one, so the comparison fails.

SnapVerify result: reject
]]></artwork>
        </section>
      </section>
      <section anchor="seal-simple-vector">
        <name>SEAL-simple(HKDF-SHA-256, AES-256-GCM)</name>
        <t>This vector realizes the named instantiation of <xref target="named-instantiations"/>
at cipher suite (aead_id 0x0002, kdf_id 0x0001) and matches the
implementation sketch of <xref target="seal-simple-sketch"/> byte-for-byte.  It uses
SEAL-RO-v1, snap_id 0x0000 (no snapshot authenticator), derived nonce
mode, epoch_length 32, segment_max 65536, and the linear immutable
reduction layout.</t>
        <artwork><![CDATA[
Parameter set:
  cipher suite:
    aead_id       0x0002  (AEAD_AES_256_GCM)
    kdf_id        0x0001  (HKDF-SHA-256)
  geometry:
    segment_max   65536
  operational:
    epoch_length  32
    nonce_mode    derived
    snap_id       0x0000  (none)

payload_info (the KDF frames each element):
  aead_id         ( 2 octets): 0002
  segment_max_be  ( 4 octets): 00010000
  kdf_id          ( 2 octets): 0001
  snap_id         ( 2 octets): 0000
  nonce_mode      ( 1 octets): 01
  epoch_length_u8 ( 1 octets): 20
  salt            (32 octets):
    04040404040404040404040404040404
    04040404040404040404040404040404

Payload schedule:
  commitment   (32 octets):
    c081f6696c915671a52fc1d6276fdcd7
    ee3bf3a4df4d2651c79e72373f7217ba
  payload_key  (32 octets):
    ee33dbf0003c4bc469fa763c78a041c1
    752ba3e90e2378b4dc7dd9baf54bcc10
  nonce_base   (12 octets):
    552edc38ea645c520b1e5223

Segment 0 (is_final=1):
  nonce        (12 octets):  (derived, not stored on the wire)
    552edc38ea645c520b1e5222
  segment_aad  ( 0 octets):  (empty; derived mode, empty A_i)
  ciphertext   (12 octets):
    3c77d59ed9ff36062b6dac35
  tag          (16 octets):
    384072dfa1786cd210baff70fd6f8b6e

Stored object (92 octets, salt || commitment || ct_0 || tag_0):
  0404040404040404040404040404040404040404040404040404040404040404
  c081f6696c915671a52fc1d6276fdcd7ee3bf3a4df4d2651c79e72373f7217ba
  3c77d59ed9ff36062b6dac35
  384072dfa1786cd210baff70fd6f8b6e
]]></artwork>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author thanks Andrés Fábrega, Thomas Ristenpart, Gregory Rubin,
Richard Barnes, Brendan McMillion, Thibault Meunier, Kenny Paterson,
Christopher Patton, Martin Thomson, and Christopher A. Wood for their
reviews, comments, and discussions.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9S9+XobR5Yv+H88RY78h8gugCapxTK7XHdobdZY24iqpT/b
pZsEkmS2ACQKCUhimepnmfsS8wBzX2zO7ywRJzITFF1V880Mu8sCEpmRESdO
nH0Zj8dhXa9n1VFx6025mDbz8fFkUrVtcbxZX1SLdT0p19W0eLyYrC6X67pZ
3Arl6emq+kAPrMrjx7fCtJksyjkNMF2VZ+txu5nN6g/lYjw5W52PV2VZjfcP
A0Y5b1aXR0W9OGtCvVwdFevVpl0f7u9/S7+3m9N53bY0/vpySWM9e/P2SShX
VakfPzar9+erZrM8Kh5iIk3xpFlt5qFd06TflbNmQQ9dVm1o5+Vq/e5vm2Zd
tUfFognL+igUxbhYNxP+t21W61V11sqXyzl/DiWttlnJnfWCnny5V5zoSuhi
UcgSX9aT9/n1ZnVeLuq/lwCNze18VS4vLouHzYKAsa4X58Xz5w/57mpe1jOa
Vj25aGZlu2fA+l1drc/+13P8ujdp5iEsmtWcxvxQYUpvnjy8d3Bw3z4+uP+t
fnywf/CNfbx7J169e+9QP3578GDfPj64f4CPz8aP9urV+kz2p6zO65b+W07j
bzST8cXyfTVe/g3XXj47eTs+eT1+sL8/vvPg0RGvY12uzqv1UXGxXi/bo6+/
XnyYLTen7d6ibtd7582Hr/EBV75+Xp2Xk8uvT17zpXZZTeoS986AWAQzGXa6
t5yeyciGjBXBYV4tpnxXcdasiu9nDUH/Yb28qFbFi2ZatUVzVrxaViuB/s88
QFH8XDwlhKjbrx82m8Va7y12nj58sVsQthRPXxw/vMX3pl3Hn+78i73iEdCt
lg2mCdB8CE2/GR8c8JW2WtVVCzy2JwGjo+JEFle8TqsrFGoh4PZ8Sx/cvWtb
+uD+3Xv28ds7tqXf3kub9803g5tXTsezel6vW/z4/Q9vDx4M70+1XNWL9V5d
TlZ7hLFfH+4fPPj64M79Dsg/1G3N+Hr8+GRM8BqfPPsTAQRIPN7QsouTarJZ
1evLUYL1k7IFjH+sLotHBJgPvO4RA/r7ao2fvqdtmLbXQPz1Ht3TVvnFP+0V
b/eKH5pycZ7/cEI/EIEqV022PwcPtmzOrWfHD9/covVVrwGEwtaOCf3w5s2f
Du7dGGb3vj548G0Gs1eLWb2ocmI5TsSSwUDbk8D1sllMqvGbisBZvKhb+oe+
tDXo2KS6BkZbwfFmr3hTXV4QEVqXp+WqB9k3zXn5sbzMrz/aK/5U//1//o9V
DsJ7NwchgwLzfVsv3t8UgIf7Xx/sH+QQNJTCWT4hylzOgYAOhPXCHeymOZ9V
t1t+a/G8Pl2Vq8t/BGr/QeSddixb/uH+jZevC8GbHz198+dtx27a1Lzyg/29
AyIgX3/7zYPxnfGdg2/H395/8ODu+OBdfgJxlooXQO7zqniyKhdEhM6P6FMz
L54tcDpPZ1WCxkk5K+eEYdWqJfZmMCOiub4GJLTyR820bnuI8nS1OT3tXCbg
vSHcrBZL4qr5T//bXvHnppnSTG94DB+++Y/Xb1/xLaPi+cuHJ4Doh2a2Vxzs
f/vtwahYLunjvXvjgwf3b9lDj149w23XABC3Hj96eng4vAUfP37co0O2qD/x
TkyaxVm1quisfS1XW0W/w8Ovl6uKLq2ZgH1dzk6rFdHCOtugH5qPgPTxKY4v
zvaT+lN++NPuOBT+c00bsVkzkXxIbK3+0iYd7xXH2QT8jjzaNAM08emmWjWL
3uUf/+f/OTud9UZ/vrl8/6l388nkYl5X5/mpONy2oX88efzy2V8iT+B7sVnY
xzuH3x6M79zZf4BFPnn+5s3hjans4b2vDw+/uZezplw0fXz8iCUCPi/P6/OL
9ccK/03AV7rsxdbrgP3kf/4PkmnPyx6KP68WNz4RT+mnzWlHbDi8vw18j//4
5hWfCcAMN16P9Pt3DseH9+7coU/vDvZx74uTav1D2V78Ftpz7+7++O7+/v2D
8b13B4cZjJ8RrCrgJYkwzPLbal1g/OLJZjEBDFtG+bcXVb1KkD5eLqO0Q0fj
RTUnMZ+oFcn7jBUPL6oJyNg1G0Dc6OGsXL2vegj5qPpQTssOUSIBjUTm4lH9
n+/zH76nU1C2dIanvY15DHH+Ihfo7mzbmeMTEPy4M/t3hF4Vhw++vatk6sGD
8eH+N9fvWA5r5hXHj2+2WQcH39w/uP/Nt+8O72R7dFy8XjUfSuIC43js3hLP
ZHoCDkqUCFRm/GdSQdIe0UP0yPx6EWxQUHgLPrmq56TVdMThm+L1/n2FHoFC
oXfnG6Lh3+5vg55bPG45eXz8/PWbV6+enBwNCw7Hi3J2SSKUrR8PsPJFCuZE
9DJoqk5mPVmUy/aiWSc0FYH1RrS5qxkKRM7KmUqwAyD5M6kT9DD24ZyYTIvV
EuPetJNVvVzjF+I9RFBKoVRhPB4X5SnNv5ysQ3h7QWsjLXvDmzytzoiytbQk
JomlkMQy09arxHp2sPRdWl4gQkuLI/2DgFSuC9CvWk91MVeZg0hxQ5Cgf6fV
Jxqorf62AbMEaNvqHBNoAz8+obtOK3sT3Qr4TSv7hgGWdBDpgdmlSMEQhknK
W5G4skeazDoQxJqCNcIzAphs286JvCUzOfDzjsvi0vPyslrJughu84oUjfrv
9NTE7bss1ABW0h7N6xkLmnQXEbt1xYhBuhnE73XNI7ejoiHOAfZSlZMLIjWz
moa9aGoBA617m2kkfCQ+Xxy3bUN6IH56VK7LYgfsijTP2XlDmHYxpzkX70kQ
mEZtqThTAlvs/Pjoye4oYL1lGiausN0LgcG0JCpQQwFef2zw5ayeVTTxej7f
rEEdip2P9K5qDGVDlN74Q70YL2flpAoTVqTX1ad1sar4dgInL5mXQWr1WLfc
YxfNknbvmLCB8bWaXQbIVPX5ZgV8sYPlniBAAlnK6ZTRrZwBIRwEcWZpjPly
RkscOdSTdxMX2sMZqNIRYMSxbcWJNyGuWDSC0bRPfOQdeuEtK0LnWphcyzuM
qZNaDo3DI04LckBE5e+GluV5CSShQaCn+mGEcMT9qD6VWEghwC3aDYFV2Cb9
uy4+VBOCB7YRR3xeT6ezKoSvQIdWzVReHsJzcAd3tGhqa6ybSRx9KloaBEcO
SO2P6FlNkBu3dBCCnVYCQSPnAHvgeDX2hDjHlE5kMSeF4OySzyfIAoaq14zN
kFppcaAxABKA/fGimVWEA4/j/E7LyfvNkl6VpgyEDGLxwIE6/U9auEy7VfQC
+SFJY7ME/VQwnhFdHZNu8t5RsNB8IECmlRWnMAPRymezAmYamhPBhRgXTelk
Q9hLILkkAW1eLKpqCsUo6GAjo08jrHlVjfU6r5vQrqYt3NCUDPOgexKeNB9V
jV+EcnVar6FyChmTSRPFpBkCfgxmxkfZH102bxNDjXYwRNTnhxPeG7TTvAzg
tpVKzogaEZqHCan859Velz1kCM+HoEiEf+fXX2GQ/fyZTvpHoDJtHeFzDSvZ
GdEEnlLvMNEciR5CBzUxuahwCPcwnsj2GDEIB5BT+f8AMdczTdsMYoCJJ5ra
Fmkvp0G3OQEOvKe7dXQsSjoEs1m1ys4CMeKZgOIy9DGB3v4Kcu5ShA3aD0xk
xMAmSgqONxWoR6AGonyYgpBdo7UMhjISTDAFxRpiOBvl0Z5Mgu9WnioCr/g8
YrhVMYMutKomWB5sTkyl7WUJqdrQLGaX/KBgUKK0mJEeR8G7OLdZVX4ANlaE
6ARA+nEVYbMhkYGOXTXFC5fg+Yy3jYBkMeXDRpu4wF7TL4xI9hvTfcJDfSFt
fcZ3GrPtGhlLkyJolZcteE/L6tg6HqAy8qaEH8Y3Tzf1bCovS6eCZ1SCxZPq
IMrlNcw6dJi1HmNhgYLOjl8XxR9hn3E7HTLWSPyOUIiIT6vA9ZvBmwQbtspl
hdjNQ4SBRxVwWBqhBYoTPtPhBYcjPmJwETbLnGTMy6Gtp6URaP7rv/6rKMv2
gxkV/N/e+Nq/vYFHruxDh/rYz9sfMZk3HZ7tj9y+fmK3Bx7pvPOLd3zAHV8A
wJf+GEBXw+MzSmY07pqZYoycOp5eAmudoCGiZvG7QhGzmJef6vlmno0RKQiN
IchLqFMtG+Kcs2pxTqz5eohtWctN/+IYW+C6V3zhNz8G/Y/l2npG/OoovUP/
Y+fkyL9/YIwkNl8V6ZP8toAycFWobXDLGFtw8Xbxhd9sjC/g8pf+/iW4Tv8z
KfaLaK8bsfUeQ/pBHQKihYGQEdKoWR1tRjmq7ZQzEu9a24PdbBPkn52PNHZ+
w5cBq1uw9Z7bIIzh16PiK6LtY4ihH+rqo9gfvrv1ti9eGc3unetbn0Pge40z
CQuC8parVkU7IZ6nkp6T1lXwZ1VrBntDCK+3wPYoHJGIUgkfW5fnIpxCINww
J/JSBOtaIBQktJU4Q8SKYNScl3B/ivTJcoU+YPTiUgWncbvBHKtMWyUBogQC
PCNZtaHXghOR7kOnqm4vnIysczitZs3ivDWJgWTPFV0OCS/Au3soglX+GXte
btM567ZIiuko3SXgELDSWyYwT7ZpWnbQM0Er48XlCqIecSkSoz7SYzTINjFs
pDAviyHGG0EUig6QzmgSFwu266jiyerDWBWKVTObQeeCEF9D48E6EGzAiiyd
4nUzaWZEyrBz2CEwecY/rEQUWlrEtJrVp5Uo8aRWtCSe0eAzyOIQXI7DwJi6
4S1buQhl/q7uXsiuMCAR+160pSnRtMowJ036vErYY5PnMauJPK7roElBUoGx
CeegIM5WqfK/QugEA5MFb6/y6Ja1chzP6lW7TgslbaZZTPcCaT7VjL2zUBo/
fyb+t97wSRTAKJzpMBPutKa3hMyuNvZ2tePHu7nNAO+gCx9wO32lV0BpJdSq
YGBoZs25GMJoq82MYupY10zRJytQP6J+EXE5ycc82BmkA1le8IoY/2hq3Zjg
voRnqcIUCeUiNWKbdFT/QroPEgLPKZNVGL3mVbUW7YcowGa+FGKFl95uRbhf
8NYILtJc2zO1teKZOH/SuiWOwVStTSvCSbjOzEPreujtLKMcK4HKhE6taKYI
4IES7019jHGkHPLGsUHw8+cRAFnTYdOncQUT+fVXHmGcj6C/CgRE+5lUrXFS
gWtu+Pnqq+KNYGLBZuFfv8oQM4SHPxw/ewnVWoITSLUGLSsTUhZbkdLvj5pp
L4DXss2i6ECeMeKmNHdBmCXUqG7VnsS2mVO27aUdZ+sAEYBmRTu0qGrogd7S
27FJQ6MG+V+FqPzai1UvZXvm2zePj1/k611vVmyWXnCwBDTsqfAz1YPS+czm
t2EbFU1oM6mm8rBSdoIRYoCSoZt/ZMQNXWbIejkzxMhfT1md1plGCGSrNaOD
wcntCqxpPesSIevpJhmnFZo5vYkHnaHYsfFHEBZ63ArlLYHXBpseG3z06ljA
AeieEQVuPra6ntut8DXi5svZph3LyiEHCGCJfQpMpqw4w2jkyA4RZ0RipMAN
3iZ6LS7jZXj0FeHH66eviw+HxcnlnBSYVT1hM3A0IfIJTT7D18IaogX95PGz
1492Sf2ZvK8IGDS8hkfxG1YVAX85ay7pflnTWC39aoAkEH3fkGIjoHBYAM1e
SDLBhggebcYnMwfYb4Rt5WwdbZtiIZ9cbGjVytzVZiCDTMrV6tJkJ7nNIda0
wrqiOYSQg42him8srkHOZFNPRdT0kk7uikbbkzgbXUEr7+QQLZ4nD4Jnfnhx
/FDPy4/Ee1NAVvThFjs/QDtUGCKWUK2BRPJ4gwBqQtIZzbMFKVY/gZjt2PEO
+MhWFDWOPRgXSwyPE2jqNnRcQBnyss1EPEgqnk6LWSNIQccVHOAUUWPlikSX
l0ppZDeTP2fRN6pFzITRaZvNhUGMx9nYxdoepLzk4sI+RFdLZEAkrCM2lZ0L
wzKnmiZFAmGaTZtDyD03b/oFvOn8di8B423CQ+HRH//l1Zsxu93pPeIWHwX1
g4+i43tknm7Bq5PNBXbUIgJ4S9lY1F7AUFBd1MDkAPSDMAJZb0JSfvu+I0rx
IaeB8BPRDJv4+EIG1T2OJBNS7aomOlbFxcL2UFQwTJWR+LEFls5AwiFa8iiI
SK0jMDumpUcXJJHVDb2fN0wtXJdxn81MWS/Cq52DXaPaRI6J3Y1Ny3KSEk6W
mNk85FWgJ+7O/Du9UXdShEfZSuiyKn/LQlnUFQcun1mv7Drf2rQ+JwGAoSof
x+lBkh5IrmDjyzj+WIl9HjrEfLnBKpqFX7yZ7s0rhGURiQikIYgVcRGlWVxC
cJg6xh8+/tHs3n3JHjDO2I+AisWF3N7YnK5ZqMgstav6HA6S3FEYwnUeAznQ
M7Zl5ZID40iU9hi6ZVfZbi8X6/ITpDdRHmwmVe5pcGx5Xl6GU8h7H5r31XTQ
KYAnzkvmEV6yGBVPnr96XOwg3ii4eKN+mBHOHcl+FbuFIByLJZ4fJxaJxYqM
z/6LaOY8inY5kUmx0XD0iZSiAiZkVUgCTjNmCuXGLdcOQpErsOLQ6mnMDryJ
thymbwAnteBa5+qmFejhXJcae0FbzdSfeCjJXnK2YI2O/kTxRuWbTK9p6/MF
aT8Egr1CnfHy1gFTMC/vvFoQiY9wNJ++rpUOD3HgpVgEazY+LCp9/RyOrFMs
6yht/Jg33iHNKDKVMChvRZMp6I7nIFEnM/LOKntwdgSV1NJ+wYXJcwY0MVGP
c1AVEMVi+qTEXjld8tevvLYpWjILA7Sktrj14o8nb2+N5N/i5Sv+/Obx//7H
Z28eP8Lnkx+Onz+PH4LecfLDqz8+f5Q+pScfvnrx4vHLR/IwXS2yS+HWi+P/
uCXAufXq9dtnr14eP7+FdXUYDCExnYxTxf0ldC5Yj4g1gSSeCmZ9//D1//V/
HNwlTex/ISHl8OCAhBT98uDgm7v0BfY+eRu7s+QrQf0yQAsrV3y6CbyEDPW6
nMG/TKrNBXy5alT4t58AmV+Oit+fTpYHd/+gF7Dg7KLBLLvIMOtf6T0sQBy4
NPCaCM3segfS+XyP/yP7bnB3F3//35hAjQ8e/Lc/hBCOo+gbtR7wts2i5kNK
eI9t+bSWs1a3TnEhKFeZuJ4dD+C2ETD43dmgRbtMI4PKYzvEuxANS1Fro1WI
lS26K4ZcFMkzhvtP6WBdkBLGR63UQB99fM8vU6mJ8Uq+DyeNWKGosyTbE42q
V2aOUkkMEAm5m9AcqFjBwnz7tVLdFEBlblws+0icbkkYSMrfGlGU9Ni6BAVx
q4wSC8s8ZlgLbJZjhh4lbZ0CNA6QOixLp9EVEYjzqbeX1rRqNucXmRtadmbM
d0AmyPS7Yy/MTJpVhCkzaa/mbtYkruCWVdUum+gHpnmFDtaRNvVpMtvwHWJr
IbFlRiezZHGF9WfiWatF0peDgUrAj5eP1Wo2IQZC5L5gTGW2gEAZmQ1Lk5P1
u1p0/RSgElX7ZmoGqfJcb+sa5emXLiDc8XEBH6vKx5DjRGFT0rHpgIGW8qgy
jzndzxrkOyju7BbG7rGgxRgc3x14EzBjnASOhdI7UwyBmACg6rDm5CW1CEfS
bzqXsBp/a8xZwtzoUItUY9EVNLrEvYRyADIkaHIwTtuZ1Ihl/+RwgGVqgxCh
VdA4trEIHxoI0fYiXMTswRiw9zhFfciFRzq5s2bV3UmC/3bZMKF8Ya9nu6Cm
3n3+zAjQbk5V4icRpxGtxwOMZ3xU/OVdbYghEvNfbD5RHCjV3lTUzJnoXcdA
vtf4j6BrREkO5JBxVCwMZzv1rj2nI74j1k9XsSsMZ76DfSCqRMS4C3nv6SWT
N7GKpugGetlffv6pPDr9+RdbQjNZV2zaO2dJ6i9qRjw7I6JNW18v6CS3HFba
6NXiVM43rmbme6YIJMKQNlS/n4+KWXlazUaMZ6Pi+UgtLaymmF7yrp6Ogj8Y
rC3pP1g03VpezppyKl8cOMTpI59Mx5vECN9d9YG4zXb2c0gUK7bfXppHgeUK
MeC+LT81i2YOGWytHz930XRjUS1ibktLJzC9r6rlQHyW0Kie93DkIjw12KSj
vLXRfWOOnjgmHGVvvTzdE8K3RH+JOwBy/XBYkw2cKzIFbIiJic1Znlggt41H
9843M7D4pdqgMT43kxTMS9LfLhrLewJsGInlWYhRwgWLqUJFDBgiBkjMa4Ew
HjzWQ6E2IY48TJEXGgmMYFuzfUkkRigynDWCiYPP0GEKI5EK0IJtS2FVodfH
4emtNntncRBSqDLB2RkuufDhAcg+7OFIHNUU/iZa1HhYDc6UFwqIxHXXQqtg
c5h3rrid6rzoNiI8V8x9zCvI5neYMSPPEUD/ncCi5srcWpj4dBJJIZIBHXHw
5XFOCMceHf5VyIEGsDiLPntj2otyJSy20kgXiXs6yewaEUAcZOViq0asXtzU
0xyKPGwvc7hIMPN1rntGWb+ZjEF+DCg8W33if/JPqtptMaY9n7bzsD82cSu6
njHam76vtogufzjH4OPioEwmiy/Vs0lk0ZycNyGL0SEawrPDVyevd+AQ3rXt
+DgWBnRan48hKiFaSdHJFkjsYbyozjm5WsBBBwnqITzrXXaOnHkmGBu688EO
LDb4dHA/frxzGD/ev0sfMZMTaBsXHKNM2xGnCdNj/HLov9xVo2S88GCXJgPJ
GHAkaRd7eHXF0Rq8PjH0M+UrQTIVIn959Qb3fF+vP9ZtlfjquBFP+MdGGbQ8
z7a+6m9wNKm+FcInZejxXRBbTA84HR84Fk4Pfyp20rEcFRfl7GxMtAuxEkzH
6FyAYv3806dRQYx1b29PRoZOBFsKLPnEjFj49ROTrAH6RBJeNeOAALkR0dsq
1xQFDfvzLxbiu1J/jwhbNGncP2LVsoTIpp7jSJtpWswTRurvMxRS/Ub8O4wK
/ymbkDCJbVpExsGRRg5nQuGcw2OMTncT+hQFv4llpAYZc+JTmNEBqqsZ8s/k
pa2uJeNjmj+gLgybiw5Oj+4Ib+M37Yqb0AJpkO4rORN1m8gqVCKV9IWtIDuQ
lAPJUr0cWrBqrQCvextB8OV7gA2ZqhxtD8uU4IyJ1INxsniQeQLnt//mR5d4
9LXoTlF9yQc5kvAcRzr1LlEueKucjvhyWXxXvAR8VeIpnFsUB5Nv2MfvFpMj
DryiEDkzCoD6YN16k3yUpmFxaxH+vJlB1n3JrEncN7QbbbWZNvr+FDf8+s2T
XVNQhyHFgUkMK5JcMKwwzJ5a+psBXdqZ6Nj0lXPGkUQP9nMUWiuRRten+0go
AfBPWHrBmViR/fAQ8Lss3tEVoZIE3H3hsmywpQNgQ4+zoUVa4gdtIYvN/FSi
ggbsLIVXilX7pun9OdIbHqrYIU5UrSZE8XZZw2Vh+nyDUCzSw+NeA/myAILi
peBdFOWTHLxjRnV2U8i8vypi0ODraFb69SuOAWIG+spiDOVijDmkX9/8lnS/
7cl9Li+IHdnb8vd6uS9Z8t5xWLGphn24YA6ZgOICzsHwovk/GqfY1hU0YG4i
DF1MCosUrg5Tl/nRmbaBlD4TTOpkrSSfkq7KWWe8JyU5UsozvBqSFK9EldQt
CRysrrUp2yOFQ7DN3twNCEAuk4I/w8CX8f0wwZ1Wll3CEOVPKfEHWLdZneqa
AyBHK37DdjqWDNiAp7FaF0j6ZUo1E8aqknYyE9o43nqHOC4Su1IEDaduFeJw
ZV+hpTs2S6jPG1Ia6zURvICVyk9I0hiLDcEGAdUphQFxtsd0hfyYhe60I9mh
G+26rmfg323LcnJn8yQc6UKybo4Tww9DZKfKPbtfzo8ZBfaEOkS24IyLqrXk
GGPfyYNm5xqjwvFDJzuPUYtz68a4maUY+kzJ7jNFu56DTURjNdYoEqp7LAYD
WviP6umk9Y/fvHqD898JwZqRpDiWqxKNQ3c+fPG2eyebitm4mAwkOz3H4G6G
kUgLqhCpQZwjpgGNIORNgL/Ab9xWZs6GhSdXQiLK6Zi9OC6BpdmQEGVnCHEK
Z8xXTgZ2njXg6TS5qwWMGnkQCH1GQzHmnsfEq0qnOSHTiMtXno7LjjEVyInE
SNiEJ0XsWllvkA7KdoQPPmHtKJCI9RReqxPawfXjxWQEN/IJOCJfeVRN5PzQ
B7pK05IHWC/jrWPHOeQP8Ymq+e5t+Z5lRZoa8W7kqzETlwhCiLH8yI/QIPXF
Oz+Oipej4ikrOo98iEgcLn92ZNxPHeaz5pQk4BQCHjgpvkTdBfd2R4jE0F+8
fXdu3lR6IYccOhZLozhMkQjGE6iqDKWdk1GxHInV9MW7ejcHS5w4u797oyDk
fdm0tdQXijFMMOGM8qSFPKxdXsemkY4bjaaAmPfB1do9D9mWeyJO/LUk3dY8
V1kSBygU4BIcXT9NDnxOjDspNAjGZj7K2DKb0Fk60xB6sRIoKtkejwD0aza6
u7+9vdWdFYtqMbyp2bZ7ockZ3HUnZNIgCqtVAwVOsN3v7kPd3eEJAzz9YUf/
5PZu2T23wwMIwDFnaSVsS+rPooDesUPvOZX4cVTF47oCcSiVaGuVk2TVCMdF
qiDbMfZHxcFnYU2k3HEGJUiNKKJABnUopZgS2iyOTMRtKfiQGBexteoox1ci
2+9zus2IeErzPpDAPrMoGXfsHTB2HVtWFd8Fh8c8JWthnI/CDpm+dOIxLBmc
89FxGGYutI+Wy4Ww5O1hmK4IH2Nr+48jp8ZtpVmRYh3rMDOwRah2c8RiYiyM
+53EZQqXiKbxHruI4gFJ7gOMsCMdXpf9LbLvKESjAZH2BakIER5HRecpT9uY
4RJMCYFWl0o6mbykOJWU/cabpwrZ2ri7ChZJcggp4xeLM2HgXAJTO5Jo25BO
fqGe4HK9JtSi+dZeFg2/URYthmTR8CVZVCNct1e1EGE0JGGU0bNO6SUiZws+
iMU8BoJHIEDp5XMW8tRuDZwzkCuF7oSdmn1fZdJgqUnNNsn0uEhVPmxmcQa8
6HXTHGEqbHbrzkJKEniJ2fZwIDwQXvy0kb58x3BgI+SotzBOuhRuktLEytaJ
QYsiMZNerDoTpfcUyyrgripQrT9MW/LWJfpIuWe7rpZ7bDT/kxRrIKbB0QIf
Lyq2nJW8+kVvT+okWCZtImTaRDwHVVcwua0MLEmgv01QEQVqiInAz/BFVsZk
j2hFj1ndtoAIkrE+ibXDcwCaMYSN+OJlSnKJqBs3J/FE3ZtuBOzD2+9qk/Nk
n5LliJ5mrEwAuq2+DdkmQNOVMvFA3C4PDAl8635uH7wDO7i+kySqPuPf5fCg
GENr6xc/GdIU8YbdBKAIGCcEkYolAROrCk95cwMrlRLEYfo9nRpWMBAbWSL/
wlk+zEQRnB/2ZoL8cSsukMwqNTJbRirN0+ikBTtMLs/NhaP8nEWKoikLmbPr
huL6Pza9bmRyN7Qeh5mJKgFxM4OBlJM7pmwdESzHOYp4bhp5pCDMPweyB+Ql
OaWQTFYhkaGPK4IpsD7CzskDCMmOfKROFfiCHJRROjPCMTds0V7X8ypLvFLk
FAnQjC1sZWUhqW51JTXktnkMUDpvypn6UySeeoK8AFfeiAYOXTNEVIBTaNxF
mcUly26oeJbYIM+QkDvidUT58rRB9EMioprVEMlA8LEaXQYimwYRWBHFYniy
E9M16nVDoY94oaKu79xENxdNJZu1I1y7CU/KzSeSeWHWGAKQhpfAPBB8iAI7
Hzjb6qx/LJJmGM+gngvaMJs0w1BFPoMdQ9qyGzpnugN+zyzLlQNmG2uACf5q
9RzENEfrrC9/MxNTYKtB9D4DAH4tC4veySI6dvNweSgDaSs9Oj4Xz4WgkhiC
CBXPNivh6q6Qi1TQQbIjaxVcpb2wuGMEODy0AMhoM7/dRs+IyEXzSCvkyGXZ
cAhUGq4/g0OrWUxTOloTtdW81sHGNG3UBcxD1BiBOtJ51ByWIO7MczPRP6T5
pah2/IB5XdTnlrH5qdhpq4oRa7wyv8qxJoxoJmuLk9bRRiBNeK0S7/fVAuj5
ILlsme7oBDjEY844QnttudGi24rbSLXTqg2nl93B8fJrBx+xuL800zfJo3Tw
6EuSIKKsGItr9ZhYu1l9qD/IY0RbsppGUO+ZxxlJf18vtdKWTFWtn+Jl0HSN
HkxUWEg1kVB3s1P/5xJu5DZx1SBv1KOvOmAODJqfzoL2MjsWRBYmxIwkVl4L
HbBjLnPMwAygCABLlCBB2m1Tpgi/N2dn9SdJYNVSQ8Qumg+ViDhqvyBWy4lB
Iqq4tHqkvlaTEs5pw1bLxCbETGfB4pwhuofhwlSA46+/Cl34/Fn1l3XX3w6d
EEbqEM8eJ2Iz2UEc0UNfDTKrHErqfKJJGq8m2WDb65SdMRBAuwzH8oi8kEWk
SAEAJqcyuk8vjxkrlmQKXfLHR09QKc07nkcxVzqZguEMv2iQH+iCHukiMKJu
5xZxHmIYxZbopjUXmERKdSwDoHT/LKuUoE5WDTm3sM+c55qjhFVr5xjJAg99
3YGgr7LKNMYrbKALdpPkOcmMSso8xFEvXULKFc0u9ecgQSfVJ0Akdn3GlcHX
A/vQQq0OkhRLBNxuxI4QMtOGtCMXXkBfhiAuQc7DUG5HtsSpxJxqqQQlLa5q
pYotNBnLEnp7MVQdo63ymEk7FvM5XezFXaJ2xXCBiFgHE+TabolxqHJs4mEI
GhypPuMY9QjupZUw+wUX9lLq0gWptuVqcnEZPX8sVH/k42EpG9B6LbGB0zfO
KoFa0EBgdywkNdCyps+azcqiykUEsifwcgzTZlmciHssduyAcNU8CZqKQYSt
Kn7ecRn0uMRDy/kDxW8qVxNyZsBTgy3KHcbcQnJtDTdA7ncMqy1loLaVh/rQ
ve4rPvVKv12RQKPw7I9IP57otvR/vJ1VXfK/fG0Pp39+9jd8GPzH7pBjWMRt
1kMqemNvzUAC/LH8Kt/TPVfb/k23fNjyb7xlT0pn7VkRrb1YTCvecjWZr2no
K0Sl4CVXPOOr7Bb535UE/NMtBeL+s1tuS3Wr21bn6nasdzW00z/rv1/3VtS9
5+v+ot3fB7fmoVsc8uxtuQWr4CNjRdwGbzkh4m5rHrrFodPtrdP92i9s8JYP
+Yf+LUjU4A+cp7HtRfHv561zyd/ZO3Xy16+2NlR8sVDIRU/5NS+lG48zIrTt
xn6JtC+VnPtSwbkta+S/aBv05dcSa9D6a8zDEKb4g/1yS73zQkSZfwjXk2oG
RVaGwVLk8nwnThkTPdFR7j/Gwmli6Pap/zucY1JPi/1P+/v7h7sZXe7UnYBM
gSqza7ZUep7BemZ5xv8BZn9XPP9hB+hFSH4VaBa4uN3Q/tVXudTajSObl6wU
feYktiSazCQUWENgxDaJUsUkuJ8zNUQIo89MIG5MQl8Va91AdVlcslsgD9EZ
5HImgyTnR3DmM0sH8Wq/yI9OtOvbQmBX0II2RyFcdZ4gFHeD6qVwRQjM/6P7
o7HkStpXCWPtShIpBtAnjpqcx4B4iv0hoI1TYgasGPEdjyq8402lJeCiAZCH
jxkcIvFFWTpulTeOjNN1e4NZp8QmVVxZRYIT5yLR1Di7hPgX+ThuN6ck16wh
UduATmH3X0R7xY6aVTKPecrQPQWj5nWGsRYU+tYQpgilZG66kq4hmdHekjnY
NazZgzoVD7lo06pLNb75KV0XWEqTALFplnZcjNJ0kTBlD3Vxq72lSiKdZ0EQ
y02TFDc8+VTdc0kxdAESTIHaoXS1gnUYNpIbXNXbvQNh2hQZRw/0UnGysTzf
mGXUcvGA+IzmaJjKgPQnK0ccj/9I5mZljCRiur2cn3LpkKpbiKuSinT8+FgD
5UgHmM/LlR1uUkE5gUcsulxJsQVBYrpIM4vBBetVbblPGhnnzLtS+DYmZbEa
oHmkklTMEyst5zqZ5MZWDAfrwJyiCyf0d4QzdWXNmorlDdIuVxCXLUh8FMwB
qUYHsYCzOjSR6mdAuFQt+jMIWEoFuyreXi7FpsK2TToiIMGXTKqiCcGRM0fW
mHtdoXVggfxVZ4m8UpBd+cSGZHimbcLzSJi7Kt5Pz8DaNLKNvsWtHBwlphHw
EJaJOS8/oYAuIqw1Y2UEGxSxOuKkd/e/vT84mA6S5XVdxeQeru+wD3Xo/p3s
caml0yXDPJTLzqNbfW4KffWdEa58tcS8pFAaLaWk0v23JJbyFvbqlh6OWygm
HNPxazBJpWeMnfyWrs1Gxy6JYHBqLN10fPLw2TOb5w5LPeNHx2+PubYGvu1y
deI0ZtwNo+40mo6bqEkPom5LDu5zAkxJ0lLx8qIzutY4/JTxIB785ftR8XJB
/1tjQ/iQp7yEiJBY89qvld/QyWIw9OvdDOZ7Vdw5jGUlNLUiPpedWh5hEBXY
bPCvGMiTdyCVJkBl+U1Dg7WIy7VcHDtzTztoOVJb8+ll3I+hsYblgs6GF0O7
H1dr9HwJ06++4ItrhoCIbf8Hh7Hc7IJx4B8bQw4h6+tXSPax3BUbhI8nG71/
48Axu1zUzG2LNInmC5Snk6L/T49nCf5+0deMtIXK2KyIPiAcsW7fsVjFTvrd
PoXcNvo19Eb1livQhC/OclAYVZnMiREmlCVZZuSlpji8sGmTx6wUrwsNSFEF
nWyaqTRtQs8mO6EjFXHiaUpb0g/80FgEbiAlVjxwJ4vWRLXKTh77MARHW4+2
Fe3aJslmWaZq519p6h/eOZV7Z7PLUE5WTSuFqMQm7MvpqgAmoRMcUcoYoYmN
mrzxAXGFp7rI5NihI81JdlLxiX8cx3AFllC/UsH0oZqMf/1K7lJR7rPU28Ad
cLi0bTU/nfnEu5Q/rE/AgUlMRnNRt2ZIScHNTrRUlH8QUyKmd3PeZBEDriCI
euJevtf8ZFiDEZT1cqEXpODqSOGgF/uVZTBvYneS0b6tL5iGiNicBoqjqSzK
ITvbUlZP2OPrxThTJcSbvJbyjZiRE95kZuKpS/nVEkKfZDpBs0yskyNvNSNT
5wkrWMQJTNxUi3Z4zpHtMdk/PvuW43w0gzcFvFi1aGwJt8HegKBrM2xYBZwc
XmiNdqg4JGjQ6rxUqSUfhlLIvZRpzkgx/Wtxu8O/asg9xEWpShh947P6fCEF
c0qxPGkeiDyzs43AI8NGi1Gw14kz6FY1CnfEoAaQTqC6jJMk5l09sUKAWrXu
WFL+Ock4m1kp/hvLoV583Zyh8XpLyDy5QCgxZ8Va/Vc+aCDF6zgOtwtAkYDk
BQEaIZLQ+ywE7xeNRWadFQh9aIF3bRGXnleeOaZB0N6g4JItWbUGgTgbnGa+
hjKycmnGtD8hOAHfiECS6seaEptxNUnp47KgGDbnHYjiKuCwsSpTMRYWey8z
PmE4MXQ39bTUPGFNG79Oh0AWa9Qg9IR5WdIkSNkIK16hR028GHnDOnrjoBYy
kH/edirf8GT7QsJIcytE8mRRilVzKavPlJmLOYheE4rYOsX0hR09mpYnl1il
RG/vuLI+GstHW7crMVht6sBo4zFhS3VTlIvoYRk/Z23/oWn7xE/MDhAtAMRT
XlmVxVLS0aQgwOllppoRBC6sspwQq0xspBdHDU23LrM4ZCoblzG2VEQJ9bK9
jRnVRhiPpaCaJOjvbBMMcMpjeRdXdabVlGszjdQrTt81gFml6djoIa5BAXkc
LSOPkmXkhBW5X79KZhNW7dTSLmpe0vyU2Uknhwy0WUK6FuQRMAcGs+1AZm2W
cI3ZpZOd8nIeST0cSe/N6JLWI8x3eSTUiBHHA7mjWxWbWDIGq36kuK9Roy9R
S6OnRA1zR07oGVCoNYzo5YUcrph1T9uoArKG5AjJi/KmlK6IZ3lGiiWIDiNX
OimRUTKkJJxdIDCktdv5qVZjazn/jAVp2m7F9LFI1pDFFi5V3BVXREM1zZBn
77qopbFyGynsAqA7hyoAdRTuh+rId/0Bf0wZjSzvgdUogwE1SFn8b9UczxQX
ryWgAcDzcs2ViqJ0I47cFBWgzI+RUSoBwSCgO+miCyLrSoYCUiUzU4GFUopv
PbX36TkQmhgLzhK3rkLrNX/UiOBQ2IJW1UYioNRWngTYiMNZ1JOYk+lFCGrH
uo2SL841TE+bI8SgKUx5zK/xUR5rK/FgbUWllypuA4d1LCoVgJqr6CjpEIbB
Eq92O4U1aLJSGevEAF21Ukx+7jUX2Qhlm5h/LjKAa/Am+iQTENG8elppFf47
1zk4RKs33MzVwqKChY4os2DNMo6i5Cex77VzF0SDT+rZ4CEK2b3tFjnrWopo
F55auR0vyhAQh3M1hdI81SNCt0WPV166otclNJWuGFmNcW1DlBJ0s4ayumup
7uOCa/GotMTZWMuGbgc9f5qIK4tZMc4xX5XWBllAtFSvGKosWMYnAtCsIRE3
rpLw/v6kXP5K2mgR/Pi57Xveq18oPg9lLbl/Q/iTlyFVgelRg0FXoeorrWlk
0QchYzne06156MsceqMYI33XdZmdYkmAcUDhVBSBzNPtJgjt9hpdHsLrjd66
4On6rEKygp2Zbq3MNnhL26hjKRu5UpbXWqt0NmJuuoFn5ihsU79Gw6Jw2G6l
UWo6ZL3SYpG0cIg7DyWWcyWFu3PtXJAMd03sLpaty17tqigfcqIj8jitwQL7
qTgQ7L+kDNbOp13pQF8jsGBBX4vfk3L36cmTJ485aRRtdqz4mdyAcIPiE0dh
/Pu/0+6tUWudx6hmyBPu/uVj8NBPeIznP+B1NIZELAT6E/vTzqcDLho2Kj4t
EOegMz3gp+g6/tFri11ZTBgqtSXKJhfbcpWl9YJIX2xckOUGla5QNEu5lS5u
dmntMQBFk1JkxFGylbEeH9g+YTJWJpPBSb3CudcfBRRaAuISPk65PcyrchFV
T+KFLy/0lRpaIoCTPvNY6HjGzcBlXda5hyi39D1RXiu/0gKq2RlivzGGVnCK
Q4zlJnnNCJlEvrCwKHR0YhdiAiFUDIkjmCCOtNhPI+mgwJX7NKdB2yuhSZEW
YBOZg/s4hWjeV1iRCjtGTHch5dsr+TKZSeYtzukPr398fBtl+tO9mJD2/TmQ
vj+ifEpfNDaG4T7rBBKH1eeejR/t1dX6bHyxfF+Nl3/jrlprdBx5ooa8T1HV
S30SWT0KHAAwfv56/OHg1pEeMJsXHQnZse+QDI5p7PjbCct3g83F3Uuvze7j
Y0ca1IWh/BsmIuf0QAw6XSuF+IjaKArysRyNTwrvyWbVJiOsnpseLn3SITh1
BDLX8x+QR/ODJC0gwCdiR1B02IIKuqFWXo6bdZzFZlvqTe9ZPzR42JQYF+9N
D9M02FhtvRDFQpGXqIOGEIX8Oja+ipAqBU6WI5VSkQS49ONOVqrVyhCjJLHW
IrZ9GHu38ZFrIaOl0aQdWddChKxWkXoEHfsCyR6NLAYEKb9PwnZuN9BcXzND
cyHLaBdeNSg2N8aMj4Z1HxdPLiW4OQPc1MwoNK6cOL6lbCNeA3E/yneuKvi/
9C3Pj2K0O+2+FBjFyrql6awgOPZY9iPbzNK2U2LQNSmO66Som5lJeSanxXKO
NEGN3L70J0ZAzHvNXJiNIEEptsTExePZVkyWOB7uMtkMUz5BCsVnRi/OEzTp
FP2sNatNWpJGsefNjYT2JaRogwp6mjPoerXH0ZLeATNitAy5uZmjS2QQbieT
oiY4+ODNn4lgSXomf32Fr72CxibO5CaCAX7DLbG0/YmaN4FeJjl37taAlJ3M
grMbzdUCKMQOiW3jLVHpE+MCv+HwH3FePJPzd7L33ylVG3p2eygryTM07i4b
6d47FgHd+7uswnn3SXrsu2wGuzylJcFd5PZ/ZEKYDq9Q5bXnu1KTlmW4xzw4
Dfd+5F/kaCH21CxuxX+nwT799wLijIZs5WbNwgwI4GtWY4FWJQlhGFebWlqq
5Op8Y1lssjJXMDanJ1KRgdlq0rP1ZdoJQY6SxKSWp20y5tQ+pS4+pdkssZfZ
oonziRXgNLXdPbF1EhJZbJf9KzvaLUJp1Rx7VDgLsWaxxnob/DwDZWQBZY2r
QRi4YK/SSRbzGHaOYVjSIKMOt7mBk7YPCbGNDU+XW4dJN00mLXkuuYr3bayj
8eVTpsnWuj5U6QiZnOhJj1TfZ62by83hiccm9yGaxzYkP7bMlaTKEYQXwtZ2
s1Lx1GwaKTXXshEDJzhO1AchdLdI8ouSN4nQ6k7MJsW513yMItjkgfjaNiyj
1sBWwFrahSwvOH+aqFlVonkkfWxm5iJ7lgFd8tLKOVzDmnxt7xdVV3afBSDJ
YGJLIyMGSwvqlwxmnYxUmmumDO0gc9X3cyWwrwj9jcCSXmuS7pio8+ffSnBf
/AaapvcpfR357zTibufuIXIHCfxFh7jRNa1GzyZqFglaJloiS8AvV8amJkKZ
HNXDSRxU17WzAh2xCjbW587WL4Dfy3oHhIQiMYzZDPJccV0H1X6lXA+eC4Qw
AjL3lKNgAR98FDihm+lABIfSnKhj8aq1vA4KQMF5QcK3ZzuxqqXpV8PPFC+Q
8CZBjyozBeHdo+SAuimFaCUZOpJKs6WPzGs0rH/sbNchNFJozuZgtpRq0ITI
PWPt1pw86lEs4UIUXL1vs5amWLG2NhsmbySvBJNXcNwF1azJpYbRcJ6jN9O5
cmbs0eBxw07fPrzLZHrReOrP1lMQhJI7PGSeiOCkrQ4mqH30PVcv8HSNZ1Sb
yMCOe6YkY+WxzOX1rtYxL7NVmV1fmlGSlBxrOIdo8od0MBVTjdLbFPBTfSpB
BlVMISLI8ItSq+weV86+cyfsDO7rUfF2szptTn44/vHx+PDefcW/4pYA+tZI
jr1pNNF95Y77qiLKD9zZ/3R8LDhrxyl5LvYP9g/377DZdf/u/j3Z2eeIWLhr
ESXRulV2zE+64uhENeAkY3ZGmmZcSZCVZ42gLxaiSFk1fCF1RPW+OYihksgn
EDMB9DO6Z39/vyzu3bl77+7B3cnh9N7hvW8Op9/cv3MgtFRsc54130pqwa1d
PH6/uH/n/tn9Kf3ft9/czUVQeTyHNR46PCzoP/tFWe7tlWWxc+dQZ7gbH8pp
Pu0gVlgvFlzY8do/WeDHVRlLQ3SoN2b9LU2Adko3DLlcBXbMzbrDZHaPfsPb
mdgzHhS2siDvoJdc89xO4l0jxRv0hGDedf8uTEmqdxKq68lWhgbqW6iq8PNP
P/8ycmJdEvckkg5xRa6hgSJxmub+UWS5bJtcOAzfKt5aIcFWRg6M4ZBUDb1N
KLWSAcIx0pxv3cKssctOvk2HQCj/IpkfUUSe/uLp6K5L4b2/vwehZO+BBSLs
HT4ohqkEUZhqNalVVGaZyJiQyFWhxz/F5s8xMo+NKsuhB85zmGNOsXsBqsmJ
GJ/39oK4PPZ8SqW+ShoNZhyDWaepCzG+JNEOxx/4OLYWD6C+qmcYxGcVKvnI
XvJd8ROiK5iBu5DBd6f0ZuP3GtfT10p7Xb00pOLd5oG0AvtFUfmxEt0EENB7
rt4BC53O4CierKjg1tNda+fYSjjewX20thfYZZVhNcclixXZ4cAKYTYjTfDk
V6P3OjEN9F/fhekqX/pRcTebyJ3DHXfDbjLCpIYIEkjTidrwJRLGCs7fski2
vwys0QeA7vCqDnhVaAw/Jo6IpXG8kzO3FycS50ajfLN3+O8MjIM7/FjOSPXB
AXs7A0pw4bpVbKuPMLCQGACdr2afp7XgqlNueeuYCcyxalkusNvb9VCar95x
x/XnkNDEeGdV8QJdUF+hTNZXn82y5HbM1Yjbo3AIVQgvkzoyHGvCb5dFqNmS
A0MyXE2lb9Sxro1MrovZ60bssdXA4hqgWRZqWbOKqgOBe52wPcCgc5YdIKTl
kv8dp+FPPKhGbC15g/PFDem9sGFoxnKWI/YHsMiCEZXVIaeATSs2KwENEe6D
qJ5V+TFreOK97rhJRc+UkCXFfwYTDCNR4tJaWz3GuzGooVlHlxO6QTi6KqWw
6jZI9CDjYS3x/KwROvFLJXec9Z2hsO/dUGqAhPDBdTNorYPwaGH5LhrRuar9
IqxvQbpRdIWsfwO9qV7HxgJcAEUK6s437Vqr5EpAd2sdYlINHbhFsr498gJz
ODquFqSc2UKPbmwseopQp1ZEcswQb9WuPmoV8l1/ZHjGGKTZy29jCeEXizaz
omujEHBy6zOfGUi7bEG50RN/LM1BWV46Up6oNgkVsSK2xR5k9a6dHXsjmzL+
oQdlroEd/BkMFO4CTsFReYT5kmBi7fYpbFmOzunWrZzb0+tI1pMA0BihNObs
C9RcDtcshicsosBVMfh3pcVEfZOnq5iy6y9ytuzA39DlwVuR2PRMWrfmULrK
YXTM+Y59sHFmFNdBZVucpbdfadE9c6Wp8Krky07rlWB+w8WcVzUT7/hbNq7I
41dFIzq0Vfn0luI0qEPruJmp0tzQdmliliMKzMXaWJ3D04ZLtwPIyMrI6TrF
0lmMvvyW2i754ECT+1HzuxZy7DoDPlAFOiWp+B2iu5MoAEtV6tZDt+2nkJq1
thv6XrOZdBdy456myCeFpLFSELFKIA4H8YbLNlmJIk2K5yx4kqWBZr3m6upL
ZM7MhiKrgFYG7ePC6O03klmkmZgzGxlWy7/6twSvKSQi4CdH88i2rs+dYntx
byDY0Tg5bOF4Xrfzcj25MEuVn7E1jg9iWuHeWzDswE41ttVndvgX8LxKpNZs
JuUgooHdauKuOPNmIMWRQXBahc2iJNXqfNNsWo398N2sJMJOTfh0GqAZR0uk
DK6W/MU6qYnqeFZzHbemZhNtvxedA4CUSpV5RYRBgFKtOpu8LmXZJaLC5X2D
Lwmsb5qSiCOv7hP7LgWLdD5kBAv39AgWW47c3JNiKdLhyPNKqaEtC/vPpuYW
r7H8gltZ2MJ7j1NDbW6NshrHLqTX1UAnDNDytzhmWhtlILqVa/5PoyMq9miw
mghha62U1Oru1EwgfLiQiMFlAn2a617442JWv0erji1tVcR++tQ8/p3QTCE6
5TpM0PxLNYht8ZlMe1Zc4d4E2yivIXWslwEpQqnUZAFfYQlMKrRwhV8rsOtK
Fh2jJQo7R9Ugu4YupOYTbT6ZKGGkfJ5g6c0hdsRGZ7PkUo3RjpnVopr6h7n6
tL3IY50V84Z7UOVt7nQqPpHIpO0wSb8xq69rjDu1zONkdfPHdCN6swKSMbhf
a/WFVDIyKy3IXr8yoxpEdiHRg6TCGwlr5cdIJNvw0VwqpqSclfWszegBlgQf
LWdOWTFgc86KhxTJwdpy+RMB6Y8L8IFGSpm67jAcWYXGE0AHC3TlbITUcOfz
59SYxIdlcy1a1s7EDW9FpsTJUelUuCBxu5YWHhIj6Qv0a6WcSJ+Qmfh+gQDI
Oeg+8DawMiGG8j0pZ9ZfiLqJEP+s9W21ElfQerlyRvoVdbd1lgBBsPQL0IDH
sZI/YxCK+ZfEBUnHLGP1YGk5GI9PwHurqV/cgfmh6wXr2fG1tKJzviebXeBO
smMAlkPrY9VJ38SA4a01eqVMEkryezXNaT4SRxzFf1huM21KmXswNNvaW9WH
LCp/ivwnpHutNr0nTsq9R1kS3qqa1Zxc2YjFNdmIpLb4BBKFAAtEh9vMtB7t
CAIhNhaZ93pMQuhDKrbFcuX1zdixG2m49HXqkFNLInXEsS9CiQyOnnQqgO94
OP1mgIY+Q9+VmJk4B9/UKZUx96JlQBQHmo/PLu2YWOE7164mDkMIPVtXYt1P
9aulsC2Pk3U5cq+vUzVUgjCJ5paDDOkedC6IDEZgcnJ3zKZWDtuiC7chhbOp
Wn0G61qjfe1Z3qCrH4hwd6rt9SEj3D+IkWil3XUa7nLIv2tBbluFUDeOgZTs
FPgKZziW0u1DjSli9Yfe+igP38y1V74tqXR87U8sDMR7timuN1dfuYJOEif6
OrRIECrf6zVz0sVZRAeBlUvNhnB5KbGE0S138VYs9TZg45VqMJbNkuZBQxBQ
5XGbhfSZtlKtnVmkFBgbhIZIF2/JEI9jcvnAEDEvJU6DhogXb/EsoAHzr3lp
Eq2uvBKrnDhXcLiw7Z2CJIyV8gKVPkUE9G0ausXF5xtSXYlzsUQxqdwLIv5I
4pWKW/o7hHt+c6o3FrJE55g5rYoTZ4VlRaLVYR0j6XAWELMc8mytqB1JNpZX
qN8ygZYFW8N6zh9aNX+vFohFINqsiTp0VqRXnKgv3NJ4ggIG17kJkOoZKwux
qTuCwKLuIi6NYHEqOU9IZooGtKsZ2isBgHvWVUSDe8vZR9LkxyajIHMo5nOp
B002rFNuNHCIK0kMcn1s18e4zqL6oMshbCn3qYZqq5QxFkG1717A8zHvd6n3
xSx8mvc590QBt1mg0x3dLhfH6SLMx4yivaxy5zLkhN0TX8lSzubTVIr+1686
eVYo7pKyxLB9q24F8PMVBD0xApEIrHxRvATi7oxBGVaT0xQdXx0chNwwUKRu
l6UXTAnlJklZiW91q0uFkYFqKrmz1JYfwpNUYzzLB+wVEB2Y6Nu8yFApyT7A
ycvEb6RXZKrRWnY7JLEowmLStuadjIx5hneMdHIV0a0XSZv4cL8AereXTJ+i
121ALnOsBHCD9vFvo5jDnb53Mq0P8W4I+UZJ9Gz/MqlMzAd7X3Ba93zSA/7a
Ea7/+793nLz96uHi7u5dv4n7e3AaHUeZTaPjXeu/jx3nHo9owb0gTM/qh+LF
fyI0/WVU/LS3t5eXMH36i+9uYJMLvijcwOt6YsE178zf9/L9biLo+BsYPZcY
bj40zTsQRJ8kv6qXu4FnR8Fl0w69uitp3PzlMbvxqZm2thxXpkDd4zpSdpRM
2R2Hntv/5FF0OdfbgnZCJ96miOZtEick8HuwDpqZVjj3hXWkRmWLVeWDTSyZ
GzWwi6dKRkUSAx9xUvKvXw2m6KLK18n44PABoi9GPhRDONvDi5L+/3B//LqZ
XR7c2b8nhqjiWwmK4A0DUyBBvTj86874zuFuSkaDlfnUWtRKZ/WRt1kpUdoQ
nxSdhrjqOhz+9c6hKzHGCi0XligYt5JNzUKdMGbdShErNq6dol96CSYSSWwM
L5Q+0RPrIZ+i5VPp7CLJsm1gQUmqi0Uy2i7RKVAraHSKKqVCXId/jbbKkDrz
7FgPQG04v5xtUvv53ShmgvgyuV98aGSy0oAuOgq4QsR5uZpyY92IpgyQ25bb
qwW6uFdG5tf/rlhl1RHyyCYtQpX8F2oQT0vt8WHH6I463l3JPj+yII93osp/
R6P+4Q/ZrJLTskcYOvpDhy785AjiL93f1Hfr3r37ixBCIRjH6y5o9gUYF/VZ
TDeReJm1+C4yvzzMpTBCQIyL8OETwblzyHfLhs9bkbQXEkRsxbmCPDwYn4HI
A+vVl851TCDxb0GtZNAPCOj7o+ShevlKUlU8f4kpqKXvAsuFXNIxSOkp0YfI
baRhtkMuBG2cpkySooFLiD7mgKcH9+/eYwI7LbnaTYrDGUO1b1t7wiLmBsTd
XgkBaYab9QhSidYVrYRNpeQw6TM1lcyqT6oEjYI1Vp40beogJtH2Zd7YiMVA
rj5GC2+rzbSRdwWNs9Z5oR76w5PXb14+3XX1rZn3LVi6mtctwX5M+12zahi2
FlXcefHm+PFusVnw2XYuXc5jiU2KQydPUBVc8fpaxATol5GHvC6MYUU4rax1
OsvJqYhlalZ2lozkWXcciRPIKhnoyo8GWLfj7/rkDjHuQvqX4C/vc6HRCX95
9abY2al///uD3asYd5HdONgmRd5Vxw9Z/4sUKRZ97IAdsErw7wV+shYY0Jjk
XnVDdbokvJac68vfGjjhS4y/7krb1rbgqrisWu8fRCuykmUZmGakkjPjnbW2
0mfSz2piS31Ir9gQq0WkgWwjSSu+FPR3fbBjterUxaC40jJSMk2mhvaDXIq1
ypjcjrT8UsEWdr2zs2IN75AUib63/EplK3aZIu6F9nWH7/s63lMv5O3S/uAF
sdn5xjaCU5VfLgQi0jdblHuo/YCGFRd7ECvrMqq4gEJJ+KhbCAKCMG96FMdT
JODOV6BneltCqxAGPdcuDJB4kAU6IRvLs5tzLkM56Jvm5435xqLG3xXppFkA
cG68jS5vRThEz7mtidjm6YWQ7vpUEg6BON4jpQZ/3sr6Qz3dJDdLuyfp5rxM
5+uy2qzcSZixOVNco0gZvEippMrBYuaLnfUV2GAlP5jBWxu703q1vpiW6qWM
lV0HCqHGLuxa6lhpdrOSTDK2+CAJezXlCmS2zvK8hIvMOS4hx5csav5wY9PR
nG2cfEDRGXkMXT3aLDgrEwZ1eRUOMfIdmxWCKaa1eB0TZKG9NJV4ceXR+KTS
Eu6PGqabWGvBenGmIi56pxYWkALGatePNwU1jcXMvFeL2eWgze1m1jZx5UdQ
pBK3pguELiSk0atbCDwijVb1y7NuxzOStUm4JFqgNeDYfKr+D8JQab2SikAD
fDHn2h3+PT37RvnT4SdpphOSEcIAf+AifNqe90zckVJcQM5XI2/GeUUdnS6e
0wr5jbnNrG+dM+m9V1HLCTD5pKwSFFeBl9j940etpGiHnNbWbZ+s7mWRrkLo
0Ut1aR0V4cKGd1SLTMQINNZ9UrZGHuSVjYCGJj5YddnhMhYVpSGz6iNODVIg
bWDqGhCzbqJNIDGH5sxJMhLZxxbCVNZMb4woM0CW0wg/7R+9XIwf/OJlmqsr
Ywh8B36nm37pClWYrSo4O3Xx+98XqPxUuLBWofgvmz4xLEwC5jgVERzUH2up
ruKaGBhYtImzem2RH4C6A0/w4GnzQKBaoz01XqxQGZc2+/CvXBia+cOkXDKf
087A5Zp/daWKz8oVPX3JifvCfgjUoHHyhFDxADfBp7Fc4jIjrkp3qsTOKMs0
nts259y8W9Y2Wwevrts02u5gsUcKi0Q7yYLFLRG9rLSfM7qMT579SQszPbh7
7xDx7etmVq00eKHUQVEBlbQT66NMuyengU7be2yprwWbSCQqSn5gX7FvoOLw
wqQzsaRY7kwYZoWF1vlO6zGOcuTqY+rSQVLft2kuDDctoZsNMhqyHVpoIRu7
YxnwvpTKUrJwiExoQhCulVsN1adSKy5NKt7uAWnX7DGxaoS6GCQbfBFz7uR0
c8quwc6KQXHIZScu3sppZU8XPmomxBbeNncJoSwzkTuGn5NKax2zle6pFhjc
oqZ1O6mJmi1iOmLLbA9VyDcWAIuIMetSlYeWSDklDc3DRiAGMk5IWsbG5gzW
VlvPvGYDwNwrsk/bMUakoxPrhJVWgkIjfCarsr0IKbuHtWgJZHyiAScpJHmx
di+W2CHppc2JJg7VofYrqHxGRBZK7EJNBphJx7AccsbCkTFHg6HgsT6tRl+m
opuLJnBkn3p+h0P3xRL8EWmU1xS1FpufTydI0SiE5ZDetTJLt74pw8vqZA0v
2AWuC03qKTMkKW7URQ1RRhxoIt5tVmwuKlsu50USmKZNjYYOYt0JtA08+qSh
8TkYk0nIyds3j49fcChqNeP5cYNx5AatEzaMaZJjDtaclZfVCgGZ0RbO+iBL
GGPYY8e88cnALbE7GQJxc4yBmH4GYuwZZ4Z91/fcB5aG8Lob+TTQ4DHF1nAU
xLo5l/I/VpEt5Jy1G2aex0V5UagTHxVuFHDm46NwLGJQpIaaBWOvMQStYoGI
hHmOz4shoVbrDEiCehDSjSG4+nUiTqVSaVnFVquUhgwkOTExnHBewS7XXtRL
d99pp6Nh5iQN13UyjIEjX+j0CaWcdgjWVHZLZ+0+bQ0aEgeT5zyFxBlSpUhQ
mznuWJXjhy/ejtv1pfk8MmBIDPZ4Mueiyqjtve7EuahY551YbdbIXs3GKmyL
2DcUlxti72/nfx9qy3idvzwMleulKX4/GC2YGmAYvG0O7HKz6Nu0lvCluT21
futawaPW/ihjer1CIEr0ahKxsnYxApIZmGuU6esgd5cR3DIS91uvRECwDI5C
wq47HW0QkLwRFZTnE4Xb4/Qgt/JkcuECGUbxSyffpwxy+amY/EBTVhu2zEsD
zCiAc3ynHp9WcdCwz/nDY8XWqcZUkabPsgYXhZJ2DdalHrveqZn/JXftUJ3t
FE8VC2mGm1bZvr7GdrimxjZWCWtLjFKyIjJPQVtSZHINTsl+3171IvWgiGST
BVHoojpu5iCrHzovUSRxj6j/8Wnxn3BkSJOMVHY2D9PUbqdv352L2E7vePL8
zZvDe3IWn7qEJMcMPAUWOTtqR0mo0SgcYvqcWQF7Cc2VR4zM/qgQ6VcB1g3R
lmOXY9lJlNx4fGMP3h+cMbrhptHXEnqs+wZOfa6zE3MGpDydQ6vg5LkOuW5V
krA8DpFaFS+4jruVZw8CAq08N1Ce/QvF2e30Pw2S09BFFT7dOwMJCLvJIf6x
vLRx0HoiIspg+plW6jD2mndC//WrLUDXnJLhcKckkqcm1+o2laREFco3pwSD
kDeMY8BJgGbMdEtVolh00lCijPdb2QD1RT6LDcEA0zfJg9L6JcWKuNJlbXgx
McOw3yNdqrII10XCvgXHs8qVEhHAs7Bt7KbNu+PF2HJxioyEcOz6hgki4KrQ
yDZsa/JwFCLsdnbRDOG1vDKXlzovsh3RFxb5C2MDB7xy8Y4WRAAVdrljI/Kr
3lRaRP5f9TLGfQ4ZFxtlfcY58imjwVi6vWskjRti2QGurw/VkmvGi7m9U9hh
1GHUYp8VPpkKrwZt6c1iG4D8DJoa25pn1u1jyyDlVPLheZmqkVX+iqya1q+C
285i19X3TEquGBh8zo1GGy+kyBwNYskbK90JpcgR9sw98Sqkq065aLqUyUwe
JO6SB0YVj+Rqs2AzKL/NFsBBSvLoaUnUp9H+19lKpM+a1x9kX2nghRYgzWAG
/VO6NkXQFaeQGJja6otXFarmTj0EEEBOKuF0mipCt5vVBynkmHxVISLomJue
AZ7DmycvpAFtuaqUxJX5DfLt+8wIlPWriCch7oNs4jSe8KIYOOPIuUrngBbI
tLG9sBrKb1Ux6Da7okFQ5prL5sCioOctmsFiqVJY1WyqpVawsWQdF0MAdImt
2zM4tS74uU8JnWNdjTOd6G8tcAzvSDxMkldmwekun1Izb8L2YHEFyY2jxSOg
e+VqQmxBGJ+ruJgyhN9VH4ls0n7OMJKemacAn8VR8PyHHVRg5ZYO0pQjFtmE
kBaZ5GA6Ti69WZF4i0HhngcBReK1gqtFm3BQfjJbdmzemYnBp7HR9CxNlOjt
HDKnBg1o2jALCH8SvclEdhPfErQYE6dRkUMF7sitIAnGMXZO4tzaUTw0u5FP
hg6xJ+AeoDh/pVwJ/gc+N1YxsZszSSTgEDV1TNNTg1L3LnFBXRZmW1YzIore
ov7Q3h6/bXwwsmKC7Ax4EkMXtHwNZq0mjSNfZwGtgbJYoY4rQixH0e9ubZpC
MZRhqvYKqbxjy1irGNtJIXV0KrqLe1mkB3sBbpuHiBjq8vhEv+xdwzxcSXAu
MBxHry2SNqHwilNBHEitZoUKn0fZdxSNO0zp/OUil/0JGVVjR/6bCgnE3MsZ
zPqWwRtJDXObkDuIk+G6fV8vk7V4zH22sH2pHJkWx8opl+J2nAmrxcPECQQ0
HRZOYTK8jnxZPVsaWzvEH7miMczg2vM2FuGMhFeeFdzmWdXKpPOdCuZPF9cZ
epNVU5UL3vbTdOJytRko54MCJ3UeWxdhBXgH6XKBhH+Yvr88TKmdcNnYy7w3
JTTGxhKazysNdMG/QXWlpwLiiHWTYnXiaMSxIItFJ4avI8Bu4SKdJI+gDWa5
skl8lyxj7ON8YgM9FZVelrGqTGaop+XRTapA4hjBb9aseOndE5Ekf/Wy1Wy2
0ZrgX1Qn+KiqQqzIs9I0d2n7wMFWozBdNctlxbKRdq4Ymd8LHyE/Ra8G58Qy
bpnlT+lDB7rmQN4sOAeWJXRYYjjk8TIKtniyu2o2kDmHUw8q2msW5qjNfCk2
1B+aj16EbmP/K5mhVeXvHbBcCg/iNNeGQ6skmyJmQW1h3elIS+7soHXoynYR
J0r/8aX04dXOgTkK+2dsm+zjRNRI1cFd+NAEHJrRdvmo2CYf+VEXXPKG1n92
JlZdGQa2qjiyIcFex3Qgu5LysiFVkCxKhyTVEOGThDBERVtpOV4GhHxbJynr
saz9r9CexLqAZoQV5f8ExYnCQJUJHy9gZijlZLjm2o04XpViWfCMsXBicGsd
gmNegimbSs5go+HqeHyLVXBxwt6ZkyJSHF1qZGY+oXhoTcI0Fi5S5gGryohL
YcFoXEBYmdFx3Fdpk0voxRJ7pyoN+Qx9CfCybPM4LxdzJzkMo2T7k5dldSPY
6li6GHlkw0gfFxAac7SPCikZEWO3FxNpfMHV1BXrE6JGSU1ClUTbkJPZqlT4
x9ioyvQfna1qkSy6aTyPF7bl5qgE73TV9ehA0lFlzZKxLEZUk/+5Y6VFAKRU
Ax6QRC1jVB3A27gGcBFZTyph1Vk+vlMQdzLrwa7IcAkE8caR99FLVEXUkzvA
EIqKVSDsw8p/WIksaOb2g0Iqs3MATC+rj0nklOg1idaFSMxFYdpJqYKHu4dL
H/B9MCzshbsmjibuZvbqbXp2x+K04IkkVdoZHq3iR1RJNHdb2v5YF7mSczuW
OmSvYo3Ejb+KQ6CUwIZDkbVpsCDRNF2Q9V0Vby1ARA9NN5TchZSneO0Yh6Yl
77obt+0qqr5Kcj+fNZz697jMGAyTDD78Dpea2TRibvcrAPie911+0KphBxhh
n8PcKhAfNolL9PZbO850x9y/cK5TXZe1jNt5L17S+apv28fjB+lt8+/2d63o
gPhpZPl58YE31xEbhHh3UCGdFWFnA7SnyGiPyE5BI0F8fRmN1mK/5ziGL7lz
72Jf+YmgAUqcMijGgdhDh80jZpdqG63OhMkpuxl3TJGlGKw6KpRMMLOtae0f
btm4bs3uxL10eO1GLEKEAhczYqFn4AjGqqkw1mv1v62+BDHpWwb8oLUfM91i
kf+iE+BISgd/uQJyXpzgJvWP6Ze8BHImMQUIRykdqvJrxjQ+az16nTxS1mSe
a27QyuaELas+8j+FKMqql2Fa7JC8RMPtjrxmgE1VzX5XCe64WWosV09iIUxg
7M+jpXK/NlcaApdiz2uIVZJNvV46F4R64FQcElKAKVqF+/6C1k0q8scl8pWT
lb6MlUZTCpnNsvKCxPCdig0H1TfON3Ur0aXidSOuel6va7QHzKZnmhCcmTF0
VTKLuayaxUP7ioge8zi4UuxcyQn1QnDshQn8P0Dg//WrQXl/GDEOrgl9KVT9
oHPGMhOHYg2bXbvCFCv14qUqJ5MNKqms1Xag9qMR8hkr1w2sFrRIup06vl+Q
uDL+y6s3Y14cUzFiow9n0A8LOlclmu0RpHDfD67Qx6JIFm7R5GwiWJl0oi3z
uhR8ZsU2MG0m0iUN5IoX0naCBN2069YEZ70scvNALQD+dWsC+0+WX9/NVPXZ
qqg0LLbeX3wf062GFut3AE1LiokcFflMiu8Cl2rRi7fSAX9HL7J7ilv+6i0x
I8ZLePXAnbh8S02bW6rVMHEOscwJ1pHFqPWjDXjxR4XVEdQ6UeZnYhOFq33W
FrHIBIdaxsi2eezyhgBZC/Vc+wpqcstAqUw+zYiwXapTTHm2Tm5EUinC5hI6
6BXR4RMicjoGQpW4NJjvlKaPwsSL8NEYgD+4x+X5OTK+fUvzIURtpcxiZw74
DPGN1s5GFjprhs745TsbYoekIiQV2NcD+YpW0v6y2rM9XvqXyY69zALKRqmF
LKHFmOmyVToS5VCId2SI2lvFCd6am8EWJG8Zi8Ewfg4uv8nU/ljqDwNYQxX2
Jmmf0HqBCJpKo/oh+jl3IGnHFkvM98+mISMQpfUQNP2JPZ2XgNvIjC7sXhZz
kZingtYcjMXx+LSk8njHC+N8Yukz7ifavjQQ8BxIyPFFY95OhFKPNCAwxe50
jSnZDiFqJTmQkqK1QER4hnaR/rfd3cfg2K3IMrLdDByJhlgrkpD3//ryws0I
gSdAf8WLBBNVxiQAhi0Bblxbh3pStEla8urDJVzascpDP3mKgo1JN4sHI/59
xxMNnjzSNXwFNdgf8c+7zDjdM/gdl3CDf3Q3GTPTjbQJcSC6xENdXWXPWc2C
RS4V9cuEZUVHXNpFjNpCFca8PGcUrQhNRVNJGgakF+vFDhplx8Olw7hIgojR
2CEtXEKoInSYH1tJa86gSk7bO72pdWLuwRPHfYpQZyiNlIZxT6pq+g7fgH0R
+mam9jsgJ4VlCLq39VzdDLtpFqxm0o7v6HQgv55zzicfrXhcdoPZ8SaTEY/r
yPzw0KyyltrfyaJ9gv2yzUCRNHo+F2pi8gDIODfmrvUb5yrEcq4jNFSUPfAQ
lsxPiw3TfU59iDsnHbGepRJTlcViUJ8Ah0TelabFzOBAkNwUIpXYeBj62CZz
akEBZitBzNNptf5Y0Qa1G8k3/lBZMTDmcZI7RJIczYUzUn18mE8htbUl58ug
FX0dO7Yz80CYFKf/tOysRSvZet2P0A9Z5FGETeR2EbCyyzFwMFeJgnRZfHH8
cFc9E7FOE49kLEranFuJFSU/it/0+kGRtC/pXdNl+XoBtSep8qt3+d2ZqPpn
oQ7D5NLP1/i9OYgjNEMuQp1wl97RkNotu2dx4ULnGcld8cJo2aQdXU2tP2bL
UleyZl8u6BYoCZivq+cY2LHkcrAE4eWAu8AnjwBraXLpJhwy/Ehn1W/nVnpF
Ajzgvn1zk3Se9m1oL7s759+iW5ixse+up6PBE53vCqO9uD9jcjl5HuZrJ7Qd
nrC7Q7RtZzqpcdrNOt4+fvYnIAYrA/XfS3ON5BrhtkIsIIKPjh+LKSg7yuas
zcfxzheP4+oaWluwKvdQ7dDRi3qKogGms3JLWBYWl+U0XE/LnCvWBKBUysFP
O5hnC09Fd60PKi7bTjxMFP9iowLjK9gHLdixdseLCNh1SgxPrO0yqgwXVJMk
Yct6SZE0zmapw5//7eUFN+saiL39HENsXyJtwPpYQIbuOsaS/7pDtDs908w8
5o4nZLSc2n4Zq992mIB1X+INM8HXo0NO/5MDnI/ERexCMGTrwPgxp83jkLp7
tVy0ZWboy6PAbW3jY8qGs7WKS1za/YZBhMxDVlabhRrBJeFh7ZEOAiUJijbT
GNxcTZWlprqdqYZRCmMaDl3vBFbcbjksQmVkU7ujeTLyhm2n6xo07sTxuIAn
Y2cJEIFLDg5hbBbLls7hunOmbfu79fwhUxvr6AdXc3nLh+JX2EmvGW2Zi8Z/
WHbeRfmhkiHStnSC3zTATXrkauBbN9RNhtB4N3ZJdMheT5dX5GelmV0j0lrr
2kAwUttrKUbD9u8sw/hUl4GAraWrm8qA2UNkHYxi5WxizC6qrTVQzonuPMzQ
HiAAnQQrP0hf0OGfUbYqEgi+/7tiJ05gSGWxgXct/JO/sW+S09c6w62d3b9O
VajZ7OCEuR02V1zGHLKRBgW6ju4SH+comCuAxCe7O7xmI/MFpjpyIL9PzTTC
b9n7cnDPtT0dgrOkSEsEno9fV2GMOMCGM9G8GWwRCYytBnnMnNYTdeOPF5fu
YFr3gRTkl3mLsjOEij+oKkSvuowpDwpSI4aanWCJoxK1tyXOMLQbyT9ZX7gw
4lx40Mpdwqyywoy1susUtVifQ+M3IyvykFYrbvY9ZSjTtknGXLWOfQEd4wqS
R4FYJ5NnzKTiDW8158E7RSvxrAwFBByxYBG4FUyzxiNQYPOTtm2p2WcWnDdG
eiOA24kRzA0c05LMFsJ2DAX3KKwqdtWbHdW0TyunuObcBJDsYQ53rCVEK7EI
NGaZisbhfKdSnomkZcVQALhGhnOEr8nYYiJMNGhCakvrme11/DDn+Uwvw1bO
LvNvZjPO0UgOqc5DmadKHVWPxM/5NoWS/fpVP5Js2EV1eJ2Lqra0KWXl0Utq
gxKqwNgqzibUGa9wGlTaN5OJBh5KeGdzloVMyojqzIJsgqT+DtmgS2xsUrtx
uDYeTt+y0OI0bPJQU2mOxJbwfimqi/UvykXQfj/QLMqftNM1bKKQ/CXraZ3S
H6Jx3AQgMQ5LtyQXyBrNMTyJZEG2CuviIu0Vf63XGTU0ZBpPVUEZirvtBV0q
ceiao13DaPFdxAxbVrjLQjs0p+4NRCOI/tZnFYIRJWZDoWoPr3MTtjQD6thi
9hDt1g6kp1j9FL2IjR51LICGnEijoYUtWKWMaqxtym/I8nj+g702yye2qIIt
FfV51+OYOEBBTOIvu1n+pTUtikvdmkEStmSQ0Iuk26NLdNdCtIw6tkpVzm0i
xe+Kl5p7XyRwRR2tNFg6K0CW3BOQbqIqcBf+QjO2q+eSNKr2czs/rZQylPjh
CXdKsvREEGpR3YF+vY5HUi/3LUcmndt+pToKkqCRCl9IrEWnUgYtRQEVdIBe
4MjtAaSEjPjejCZoihK2qMcQc84XrcZPneuOFc98JlXWOUDkPqZmQ1lGQ3Vy
Yt8IyyAKai3zeUhp2zCNfsUTV6NEhbKQQh99fR5X92dLp6dY/GawwZP0LxaL
h5SZTK+Zh+3VddI6dbf75oUeADgwJPprJcTrFJICb9ESb5nGYk8pXlAqsxi+
xbhZe7c0HzGfM7aKIPvaSrK4Ml+K6NHPrmqQ8UQX/n1awVOeh/mj56wk5Thx
3pky8m3xJVm1vl6C+SgY51e+z0HpzHChma9qBWO3hfVwvLc4spTxu6rYKXXY
eT3XKQDZlhdlAmPZ3hTL7xkwpydgWV2ma0zmP/kZ5JbXnnWdjz9ir/b29kby
zRztmW3d7GFsDHs7RCg0IISrUMgUu5NGPAjPOv1wa3Rt+Ia1Pkq2PilQFaQV
+nC/dJ1g7L9a6E92TrxQFpyYg8WD2hkqZ/iop4k3TY+SJBg3oVzIhAUbh89N
XLCzF7EhqH4/JxHvvbrfBMN8dolLKSnUcDSoBvabz1jpD6kL17ojebv1tWu2
tyBFoKX5G7MVIFPdJ4ohsi5IWAOKspAyCoBZUlxca+zMGQ+wCXraPofj/QNK
lIxPq3KljeA0z3dInpvVZ5a63Tmk4qtj5XONajacl/bQ9WVdeMorQrSK+qYT
7aCYTxgo5iPRiZ6gLpHyNXWyrWCEUsBrhFWhMP2ztN3Y10tXnvwz9jYztYV/
yNRmBQ2vMwe+jZYvVnKcxdW/ig4OO1DbSlun7cJOhs2vQdL3iTwV+mqr8o6j
yHaYbcKsCx5Uh77JMAMmsX+O4v4DhNfRX1lFRoTlUocS///HAge87Biw8Ki3
1HMlHWe62mrg4oLVK+vuy6WWW60OtyQZ3XtMPeVwSblb820zAwoTwWlImnS0
TCTLihAXdY5vPbzaEDVlUw2u6wh6bCwiIUXiUyEHboVi2TJ5oEZO76BJBk3g
hBliwhzUMD+uZk860GtiYKdRNsLIO1kqbjk+QyUb8I8qOrr2EKnD/UDSYiEV
Mte+7wQnVMB+oCY4UCLabXbfuFd0yqG4ztZb5x16dSzyrc1KVdjycjbS7Xbx
22PjnOTSsyCpKJBmFTWH4Vg58MYbkKmfI536+Rd8czQpKE3a3/1ZSIor6eUb
/fiUE45bd3WpQjf+66aB6sk2LYnlbuOi+NWPwbKKjqYthyzxOiMo5bTHy9kY
ZJmOK1eHJIoRSNKUoub43cqo+k1Zt9XsTJ3xtL9s/WGHtEujbFktT0aHhXbv
HuppQF+E2ulgmmYZdbxBaUdqG/PMOPgp6KIwfTdrTPi0ikKbZQh4oxbTCzNY
ZfUFaSiWi1yNwSEqoDvTrIIlZrJbpHXBeCm2NBlJXBVe5WJmiRp5CpvC31y+
Qi2DIvvDVQTQim26bzWHURBoQWCiDF9bbUSufSgwTJmMqJrHwYD9Yp17rg+z
hia6WTJ6WLRvUMM/m9A7Vr1YjVYGz7O0s75FQzzCxwtfQEMeQo3mFC1Q2/BF
E6PAFnAdriAQLBvKuRti0gRbdb/keHDpRqHjeij+AddDyFwPnTouX3Q94Iya
BdaCDNprogxYIs/a2UXnAnpzfNVPJR92K9z5klthMZB4lWoN6mHalhGPWlhi
isZ+p2T1ViCOV/NXd2MPrfXAZ5U3LEw6tms1UhfplhBY7h3nZYeMPkoFCWna
dltLWxAb6STpj2WGK+ITqScxK+c4Zqhj1nlpnc0R/TuBSlzFH6RNyFxLfJ4T
/WD0I4Hi4PBBePq91WNmLJ1Ld4vUPzmVCEhQTgX5tFpBBS2SlZdtBlJDM1dI
2EXmE9uO7fNK34VMNsAOJ1bEvdt0OVnTq0I72ZGkcZM/uffx+CD87pqW47/L
nrn2znBVTNZI1KD/HuxybgZ9OvzrasxNGvCHa/jjO+mL3IUvpsagWda/aj7d
FV/dCC6uXZfY77oMrv83eJ8NElFakB0Hd/Cvf98/vwD9m2JXbvA33XmM5Jnu
5SEo/67330GQ32R2/b8uPL/4AO+LI3T/onkktuebtHWJgSVlP+4WFzmy/TZZ
T2bIrdCJ8opAUfaxhyly7L3IK+qWMBHqeLOROrT9rUvGfVGt3kNjIv3Ymsox
PU5Jhc/FcnIDh+D0XWzk4Oqj8M7EtUTUHsj1US+c2szVi8hVCt6xaYf+/ZXQ
8/OAF1TnfO0sR9FCVWqkwQDvRKSgr+BwToxiWSmP5BVwlx20UIWURVIBG4/V
DjZSx82q+C5kzTUjB+nVSxZzKLehU97Br+SC9eVizLUoW7RVYs0zCUa1Vl4w
zqgQZ+94Z3Yxw913udIKv/zUHC3G0Fi0Wa3NUCe/cDfkFGtL3/+NR+ftIAlz
Z6f6HZFsvjgSRXcXJVrCY2TuVbXGpBZf44ZdBWCyHK2kLspj/UGjXGG0NyA4
bOJo+Vbdoek0BcYyzdbxde7irEW7TseJXaLSTyihqSKvHSGPflJhMsPeIw+l
dyS87FTxkCiMGPPA3Ogfvs6tmjQ00KS7apdPzYBlUUbG1K63LP5EiO5n0c/L
VRLEpIId3IaTmaO77daQjAQm9J7SB1whmA2i1Vao5bBZlPPT+nzTbFr0vJNW
Pes29q1WP4lY2FMYaXZa6IViRXH7I61KF4015zIlQ8sJNR8XlicdtTq1UyBF
Qo4lQN1K8aHMx8NLfcciqCMRZdfXcxMnJWsNQ3RF1Q6cuij5cnsn38ZpGB4j
qXsWHSO8KD1YnUB6cZKOcnDWLqTYimJ6h8Wuuq24ozR69zjSEMEes4QlrStk
DlePMWJoGNwourVecbJQrJwmZzSWq9G0O6tFxXrGNqCUZucLqq1LYY00H1/l
K9WQ64BGzeLvmCiwN7Gl2bRn4vNhliQBArmLR/DXnENZs+iM5b6LcUmm6h8X
yfzJdRfOOn2eNwvZYZeZxrQPtB3l+dUfAnoWEXfAQW/cg/sOmlWjyh2X6kQ3
/RcWN9bsU7QYxpbO5aJ3aG4LRtr/9OTJk8catCOu1hkyKAnBh12uGvrDlp2V
9Pmp19IyK0beaKc2scfAW4hYBU3DJBo5chFflev7DJt2W6EgsOS/aKfzmKqx
1Uk/TO8zjDZan4D9HUskRNen7w4clVfx5FoX/ZcJulD17T4iSDZxKte43wnQ
BGWuvmE9DEWh3ixSgA82TVoeKYESlupPjlZwIGVf3Ox91mQ1F97xD7fYprLt
13erplnfpCaDvi10nfrFDZz6PknDsDyA/6ndut1KpnOpNPe9M8H6J3zvOcns
RC9xDu+wNWfUI2lsDfoN8SnRmKNJTrjhcUa0lY1o8408iTi3/LlQqlz+VjUH
v2RW7BpdR/t2bBYNNHxQ6hRud2i4c+yw1KlAsfJ3dDCso+Cj0XO9grnRpL+w
0vgX1Vx9Pq72/3xkxiF0ZoMV1izXQoU4tCl24+YE8+sMOBLE5PoLq4leqv8N
gBTLgxFURCqLnDLzIC9OrF7V++TdEP+H3NJxSuj7hjwLhVEF+CxCupG/p9uy
cnziaLBRE9RZcGT05+8u0tQb+9mvJFWeJNQ41sZgT4lUcVLcPWcXbrKMJmMK
Dx2B4Kr4DPR26HoCBVA9d5vEIoR/LlyisHCJ8P+1cIkqhks8TqESUwknqAYz
tW+qjmRMbItqcoO4it/4ot8eUUFTm1pERcbC+RqMYP8vxVO82U47iEZ5fxfo
UZtZ4eX8S/PZ0De/D5r1jeyr2x0VEbnjZuQ5IvdYUat0uPIEv3d6VWojMZLa
rBCk4LygKfOORzPv41qCrZDFc8SgKbf5Aoqdx6RhezVUhHFfzjU33qXmIo7J
DVFAeo4x759Hyy8IcCo/CtYN4ajKkg4JOTwmzY5b6w42jil2MlzcFYC7nStq
QBhWh7r4wx9y5UUhr9aJzDsDc08y8xTjIho6lNHqOpj/2qv0HpSdz1zb28Cv
uMP+R4fVwcjTP02bthMlgXAfvIKUbDzoQ5ahlUrNRNlD/VLnmhI8tNQYwTVs
U7UJpdv6W86bk3uySeQDwHXZKi6k7YT0312Flu5BG45pv0Y4R2UJnckdbqPu
+Qy6XonWyQy+ikLK3/K9VY8cg7qqZ7B8fsHhluRZhFdCFpu7DI/WyUED1CPS
OaY4ySoY1d2leRIs7iWU82a1RucPkQHV0ZhBoyN2HJMuk6LiBOw3jIqLAQVh
MKBglPkEiLaK9dLkJhdlEAaiDKrUGzSrbp6quDBGLaZ2IXQqnQtoSefI6oFl
iTmZbdVrkv/yiDdVbSTEK9WE4Hpo+fLSARis2W6qjZgJBykjR1zG4k6yeu9v
inWPsIUqkwIpxbzgki23hilLzpiL8CbtPSXGaN22wYC6YiigLlwTUHejmDmr
WAJ1+xpff9mRUnY6bkw+VGG7a39XGbdF1wBT4iukzdORQSCkxDbAY8g7NlCb
6ubxeRCmH/MnVj2smFk0nNwkCeOfsPDsi3Bw61bPrLP+TdF3qfpa6ETf0eIf
XjSN2SBg0Ws75kehOh2aSIPMYBheSwPRjHwPB6lxocKU+W5am3hratdPBGMY
XOFa+jfefcymKH6fnE+I53BODa22pTlB0og2dbWXUpkmabxcYktHadzv4PX4
XSAICzMRkds/A0Twty/FU/I7Ma2l5oCr1NSXW9abCfUqC0O5grQqf1fFyeYc
QK86lmiplp7+rgY/5n+oSH7/3r079+Pgdw5BIe8+oI8Hw0Eg/Wfu340fvx18
hJ85uH/nQbrRvefBTZ9x7/lm2zPwsA9zfvOxbwHf6WUGcRwO2IQJG5Eea31p
oo97SC4489pBDULgtIxRXyQVsYV2nF5wcPigeFpzHNEKhQr3cX7pw51D67aX
5sbQRzZcCUseKD/pRu2SllscEIax19R61bKH6GvhDyoc7QrdZcxltsqhJl0v
jDgPYBjkrt522GKIEU7hqSQOa2HAdtIsLZnNRccV/1h0XIxUO56dN/TTxZw7
k2q2Yrs5XTUgDESRLYUgdQWP9ZK6Vkb3WPFYmJm+ZhQeVdl3nnpq8aZprM8W
Ym/KDXT+3aPg2psx1TK/lyRarxvrNWFTQaYTogy1el5wYetW+M2a4rKht1m7
eoBZsyIuXhHyubnKQiJ+CW8W44/0bmHpjQQt9He3DlXhzE0JvH1STTcriRjk
n9IsYfQeCJQcBZLBOU/dtxe098cR44CpHCMLvspi5taUIsHLQkSkdfD5qlyS
9o5u35UZOFLXAj2Tp2VbBY5OXlcaIXf8uIhCY2zYZz22saBuBz+U16B9jQKc
vWM8qz5UM5KbpZgyZ603y7F+//w5ZkFYkljgB1Sa9k2skxKGkjFSTQqcB51E
Tne5EXe5arUSkGTyReRKh6vOEojVpx3bU0sNzOIErN3aEZo3Wh2UsQ+4lYZT
0kNSCAfBMJvjTxyf7opTA6naaKFW+0vsKs4YbOG4Pp9Gs7xPrFG8LkWnbjho
GP/iXW0YkKq4vn5XS2Qqax3L8m+baqDUb/FQnrVSpxrIX1eogUqcgg7PDq/u
ncmPvEwo1lKvqN5l1nyScBG9SDSHDp1OGG8ZoJ3mJeg0khGcgi/QF/qw5UjZ
6WFWmJOngi9kT2edEF2TlPSE+sCMHNiJcX0s42DxMDIypamYqQwtb/KwgaZ5
D7sfNlK4cDqwdhYiBx6gxim9Xs+Da4yJHy4tV1EZMBI+3ePVHIEFtE8yELYK
29tWiHda6x5ryBjfRvJZUKZO/+wQ/uwmn/wiBjOZu9qx316zWeR8lZzP+aG6
vKaWSadhEe1XwyaIpsN6Yn0GcyVDd4oLaM33AywL2xL5EeG2sN4PEU6jIh6d
VGgBVv4dqTe7QBF2iUZbV8S/d3NmlpqDcCRSzG4gmEojkeiApYkex2OqqaNj
rQKHc9c2k5qTAlhHO2ucZVH26PW77kxDPOyW2+y2n7PRcjqlhW2EVAFsIhNM
Awse3Si6WCBc7xeN0mj9BBrNolDSwKn+XiYjiHOzJwUVr92/UmIFt25Uj+LQ
c4smlowQWqXuWFNrM5AdhTjvjxfZPAHDWyIP3NLIB1bv+DZJ+LilGs+tPWCM
6y3QpTgaI48+VzwXCa3J5h6JcGxBICPVa29PsclaEkRGFlWPyy/2oDsCgrAv
Cw5zLkuXbT79IJP8Lm3plj+1bCeYoXAesS4/6OAG031gJ7gPRVD2dMo7XNfS
KunCsPBabhYXBnMgxPfkxCr5cr7EgMzY6l7Jw/AF3TIWsIE8UcJpRS558+Th
vYOD+58/hxNpL9QWh3sH/Pzh3qGm3ONBjKZBDiXtu9lOY6RBrHcD0hAjALmz
Caba6vpq47CoMG101m6G9ABwfCf3ahHAGvGoOadkyLUMulLbuVorPZFB+pja
ttWcZtym/Fn1dmalKH3FF5XNM6aWl9P39sbsF18MwtVSApyEE+U9lTqluY3z
salkIL18a6+lvc4pUSedmXLTMlBywQqZVflh60FOyvl5DuFK7KuFJEoQXGLP
TC/5UANHtkcrMry++WF2QxTNKjvgvcNMnI391v/Aoc6Qkq6/9oddF9s/7A9l
EPuD8zbPvynrGekAo+i67cHT+XXplXrcsXe5PBdCR77jhq5WYzW59i2uwBKf
1RIY45vQJ2JtDWrRTreWDHZfKI0kReiGqKOhzhNR4lJo1cdVQ5IQ9i+mj28W
eDHrHE4GknCq1Wqz7FTU6HWyZUXFwnW4liPn5aMBr/TkglkeWi0kAWkHt+ZQ
j70uaIZwsfr47rXWDzMuTRLhF9mOPXeUm7m1UrdX3VXz5Jj7qKbo47oqsS2R
ykFX+4cDV+WA4JMcEqkBMhkQDWIu26iXDGsVsaK80ANQnvOv7xBRNN85LgsZ
u1hbTRDrw7uddkpvi9Q5w5J7pfdEkDons5kUMbYeo/SrLZs9bdpTM0FjlHcZ
PpPOQNl7s4Z+g40f6GC9JXVdlPjM1rRulnx1XMaramtaxwfST95okSoeJBmV
2ceA9eqzFhDB4zPCbtN3NVLtUmTbtash2Glo6PSkvBxzh0eFGATU7XtXm6ag
To6RpRWmFqajtC/BrogI7FqtctJ31x+06xK2z+gca6XCi+ZjgHfL1W3QU9Fp
RsxB2aJSawbsYEfDVMpG0jsTVJxUM9TT0JRLacrX63WQWgKMYysTacJAWh/d
0kpa9ZZG9+nV/fIdMR49i8nkaWrjymSfcnucZlqmqEVHcZJrqVeYIm97rx1f
RZd2Br5pw35gLlCbW087ept5ty+5znCIzi5ofoNWzuOFNDnybQolPcC9JeBx
MSStO1petFAaPyTBlNORXiXw/PoV6MwYRAqNHNHHNK8C4u2hsKN9IIbM+BpP
ge+2qYfQGrtEY1SMAWAzFwzcH+rpJtllW275KxXilNygUGVebgJtHkHYxO4h
3lPmwOe8EVs7XcpJ9u0xs9jCaLDMCXK7RlRW9HcFkMbY4r1Mbv2Z5Gp/uccl
70LU33D916+6dqwM/FbaB/aMJZ0Qo3GqH/ClaPI2071ZxaMZEdNVgOaijNkF
uJtKEZvVentMcCW5Z+KdOGMElJyeL+oAom4wN3LENAVhSzBo/5x1ig7GNnbd
wCvrYvF/0/auW1IcSbbwf3+KGPRDWa1MmiokWkKjWQsBEqxGwKLoVp81p5uJ
qoyqCpGXUkYmUA2adznP8r3Y57bt4uYengXqM0drLlJWZoRfzM3tsm2bx3kb
KIWzJq41HE47z5bXjsrwBCiC7mIblK0RZRzq/uJlvSjLvYl8DLxoarQamOxN
/JcyIuy/dDOr283+lVCibwo/2/33G88fZy95xda/JrwrmLYazo1G2YzNNth2
jfCZ5C+YUIbAgW3GxcrXvCn943yXvLSXxzKTNsAc8fxzfPOxF2A1vNLp0MTi
iAV1YOuH5PRayeTgJWSRZGs5rtxNaIbr/Fi5seqNUrelk6u0v6OrLhRXXcov
ZoieKvNwqsINFYe4XuWAgPmIO4MBUauwlwoWMH7iCCN2Ewd/YfjNfF5YOaHN
FYrvMAzXyDL78QqSvtuF8rY4mNMgOcs2X8y121IvErgVehcBPs49YXBHwRWZ
ht2qJxslqjkJ6gn74Y+oqGz55DNuiDopcvme1Aaji+GPrO1an2aRKBZXvali
ev6K+jNzkdvzV+8FjP6bBgZYozcZYak7ktNUKWM5zn16J7rzGtV9RTm9aRlq
POArtvFvC+Eagj+Lb3/XHFLzdApHJTT9IirVW/jetcELG953FVWUPEiYRxYP
bFL1yDVPDnFMtRMv5Y7dii77aNqpRfBvahIc8Pwc0MjJG0NkVej23FdYBjdQ
z2QAuGe1EWPyJQ0zYHRBZ9ZpEecr+MVXc+JB511oC22pbeGyXCFEu2/FJNXu
OLbc/y/ZzHcbazGQRT7QrR3MmS3HLxB/6trN4krQ5KTc9I2c9E3oeeVcukJi
JlStJWIKTny9yZWmzNt0nIZJ3Dq+g7CD2u1xrt3mB9n8KZsi4EXMhsPAKU2L
Qbltae7kgVofhmDlRaaTyu4wpKPApMoRGW5nCj6BaTPfrKkhDSXMpcBZPPXZ
krpeO7onJmVddjNOQ1lzBvJuVg3KVQO1v4mb7FG7Sk4uIaC0jOddTusQsrkT
XMUahpxGgV36Aoxtd04IlCYaaP0CKYtorhaNKK67N1NZrvaarYe2mpH1fmB4
FfcjeFd7p9J7ezON/XwX9zX+FxnnrOfpW2bjTSsqPk8ERr1jskcBuJ0jfBJj
tZJWh37l3+9X+qzd3VhAcmtfvOZG8PS90IcykPToqPX0Fkif3rU4KsKH4Tly
DdeFqUVBXx+oVmU/kYeT68DxyRTePfhEtW3nXa59HE/1SOWCOnOMZL4bFyG0
iynGQYn3Po9uHCke3DWjaDKITp1ka8KCoLMz65TmXntscjKkgMgBt/8qcDKS
ST2WHDdvSua8md2wzTp/0X7pTYSukJdtdAuL3Elujqb+cbljzTT3Q7cgR3Jv
/iTsKZfNe72tzD8cN81AJRzn2OXzCYxD8Ndvczp4Lc7TigvhiEfyHHxuSqIg
Og56eCA+weWQ5hVtGPbqhBaamqbT7Hp47h05gevkm4akGTQIx672yY6K/Dka
ux46dTSoQd/AF6rVY8ZR+N4BHONjjGNUeg9YzlgZ10MG9Ham7iZQ4NoZvmyp
rpRfLaNMnOzryBO3517D68LhYqzWon/dcQaD1wVYWkwgAZyVohEomDnF7Vir
0aOi7CULRg4PBR3TTy768wsSFUhoErVgdXCcDPEmDYunPMOJFIXLqOqUgVxh
z62OyKgEg+IFyvwTwjDJ4KXdypI6MKfial5SmoayyxJNpsVFkYNYMeTw0IPY
8KE2U7w+FIyXOjq6TxnCXUxZoV6pVoSZOjIrDrf0bpU12EzewevZoRSlZAgS
Pvb01wNjxHBPvcWdnXROFoQpJ0UqMWugKoqPPQqmJkkoEkkLw+ihDOlgTM4I
ATvXq5YzFk4AAV7imjLOdzcuH82yizVzIJe7gU8YGxjVDIFr6J2VXWZdzsNY
AAXiW+6w34Hd5k2PohSrGWoHuJlbchIB1pjJ7agMmu02S2l6YhoxWRvlIsyK
BqVryT7qg3jL3/XunKS1BD+yPj3dXeq8KYRJr5Ecm76AfxFXEf8yE5eYWbKE
47TWTaV3NRHKbuNRjfu7pUhM2/WX0i7brIaCmLxNm9bRkcLK/gnLP1uzZDvT
HcVlbOnSVeHqBy0zZLubDndUG+sNgJxe213pqirvSxyMBUU1Ncl0QjqksQRJ
HCRrRDxxuF7pZJm4mLnteiZwUvuBhlXMae5fYJko0Dy8TBM04qC6fqTzmxWv
WP4hMUcrFdB2va4Z6Ps0b9zBk14iuvBxzYGVA4R7GizcSlPdLt4SbQwS7ohh
DVvvmFiLvKoWpruRW5Pxges+7vJlYT2LP4fUQ2RblvJMrEjpQDpIKXdKQdNL
afdw3fUbnq1QhGbWtzUlRHSw3u6RM0x6UyUvftocP3r2lycPsNBUq6DHn6x/
EqhNT7rHSJ0VNrEKsHg/ulJTxrpV/FhoqZT+mTj26inaHsVvI7vDzaSSKdXu
5v1WsitsfnAbSrr2PtFdVJKVIv4fxFaYJ6sKXbsSAme8DoqN8G5CgKqm9FLh
iY6lyHgchx1BX+nk8f16TfqHCk6pbk+yQC5iQ2oMt3BUtFqUS2HeksKdDstd
QlL/wP4SYadx9TrUdACeeiRjH1ysxhM9D8A8IxxdA9wQXyzDTphQYBs3uvPU
7/TrY10m9zYX8EhUZEZcPdmzsqTLDwQInYR9JoMZNC/glk7HSekcVAEMlBF4
nJ2mQQ/Lprtcb3BtUuOJIZ1lbXqqzyBdFjgeNu/b89V66ONlQoEQe5LAkCRW
J9h5fk7cvzjbzY6qpYJWjJCqfbPuUUz8Wirz1pv2dHSGipamNwwjdIPtpRvl
HtzgYBlFt7dkkR3c9MAnCE6R6dXPJdXLX+QxGd+gBuGzZC+XLFfgCkUvhoR3
B5Ck9OjYiUN0i504Aca4dHoqMDSrypHL+7yEpfv3N+HdDalao+YQJ3UYPpqI
4DrbMS5h7fjLPI/XgSg8LqNGTXWeG5GsPadRMkwBuivG+XSpuyUHhisZkBKs
QP4yYtIpEOXQELSuCb7GdTOnqHq5pyA4Ln1Te+xURCwZQ0n+qATHnEBxJOOr
KIsC31dD1EnMRuFphRb5uvLtOqrWLlGLOrsgL3unulCCXglKyswyXnMOQghk
ynWwqCsgRwzeBSn9lqh2Fa6V1l/L0EXV4b5OG5VxN1Wl1+1iA90RFQ47ZUGc
spnae9PaJZgB/3S6vQEZNdSTU4zR9wpeqJJigNkhcZ+r/dHNPxbUVeOicprC
fotscsCorYIqijOLRe+RCmXXVGoX6iuDaB3rZPFhUy1dIl3GTJuEoQufDDIM
lsu6DkWpoVLBQ4YqbK/yz8QVLCZZOwgjcF8yzmU0aXE1x/fJU5qWuavHhZvJ
jiCcIq5t8HBJxZ1au1VxelJrICIV5i0lqgN+hPJpkp3CDrdr4qhVcNEC9TpL
m3gM7Vnn+0oVDAsZW6nMI7h5JHK4aH+/uPeQraLJvYfHs6Ov7sx+vP/T7Pjx
X0m87a9Mt8Y9COAwxf9ZcEKZH4xJxjs92sCtdhsGnQxZxGQJUCbaH/OkSUXp
Xk19104v9bqQcDS4WEY+mp3s5uedb+TtGhtCOETRiHcxpCtgoRTN5SFKDfXg
wTGcbSfGdnz7DOhXHdTN8Ff+lkTuP9HAV7shaYAKOBWaIIsfx/tAe5+C/kD2
0VrdLBbUGZgs+wcy4nTLFEErVr1VLwNqZMrf7gwdKzeGxcvpmtKrIHNjNcEb
NIjgEBPZRaEopn6bRtOKFmPVj6GL+7RtX3dW6AyTlWMJA3ul0cQ8R/ekws1C
QPtmeGZGQGtfToEZVNStGUc7EghkHGliRL0X0rAUWkzOWh/nvmhxpl1DYk5W
qk2jz0PM3OJ052vpL/m23cyvC2tzFbgKpYhbGyxXm4qaucd4Dg8RO2Ww0i6E
IrgEnHpU0tyj5BQmOuDzH/N01ey5r61GfxLgyRM2+95/JuGgOmYl77eOTlJi
jepOCJDlc6vITN11GfKJJD6VPzORABhaLDJG4iqBoOheYCu4j7h2Yn67To+J
uvUCNiPZYBftJdkZD5NdRqmyFsUAJvFqXaxTczq+CghigJLKITMmaQTcsrUI
iqYSwy63PrFjNrvEB5KFb7JZkvIFMOAhlAebOXJWQ2bu0Eh4X+fS4oH0S0Jk
O6ymS6a5fgpqjmfd+fgOJzh9fy4AEDGKECD6nsjGcWHwPN6xI4j87d1ScFl2
lOFFvhoybFN6FD3B9e6SQN9WHsKUFhyqRK6YOSxE3ATiXiCLlOADUND15rTL
F0WzRKVc5G1zMOH9MkY1fUloNCYsejb4bT6I5ltDcXv9EibNzpI9QDe4Uc39
BfT2xHaGUtRHN80Gv+isXC7lZEQS0kNYRhrOYNITbmdPyK2x/B9nmVGdFSSZ
TD0YeZ8roCoO87WAktJcvsPZ4miwwK4oC6wB4sNm9h/NrYNv+dT0Z4lpiZ9D
I378tGlMMm1+/A+39mZ61C8o+dRYdNoNb1kZlgXHmyUNCaarDesWDevQDWuZ
hiTL2UjOeTiNat9nppfG1prBRrNTpOGhe7yUJJsS60b5uxj4SUJGorHFhHgn
wKa5tV2YNYce93ZX1pi+r0tzl7+/1O/m3+fJA5jWVt7MZ3jQePN/fCdl4zyY
aXyqfhT0fbz84rEoTiU/psmCb4RpzV7oq+1sc9sF7CeqWFZ/5BcMI+3IL3TN
pN0AruP5qy07G8l6daxwKvwTcR+nnDCHBFx0izkeQa4IAUaS++FHOHKqtsmp
erV1EEGGJacCOzi4dLjvqojRT3Vu8duEVcQ6TuQAsnVJz7sLX5g8admtb9Va
ZDKUxXp9yXEqjJTESnm1h60/VmVy0Zab7jw6AncFK9kk0x79d8Uh3yIQyBcm
Q8FuHgQndbRBvC0ep2kT/iVN+JeoanL18sVrnTloqJdJGKK/6KqU8KODj4nv
XeiWid/F6KOm82QjZSnX0ZKOuVtgx8EC9gswRL8whuiXCrp8hBz9xQnGL04w
finx6jROfXD2t0n6PTJt3BCjwuAQV+PjznZaIXgn8vdvVd1rrCk3zqyBmQoK
pTeHfcrwv4lbTmxMNQDEIixzl+XGUd8V4kCGMRVyS2mcCoOsHihb41hcyY4I
4/ChI+VISJVa0HC+5rrzj0XKAARQkLlcHFvtFJBeoCEvFKBJPFqqermlwVCO
yM4p7M4qff2qw0w20YMZHOZPvA14z/eobQyoa/3wxSioFvHmDq4W8Yahj9u4
JVjtsKOZG3aT/JgoiuRsJZeOs+pjtv1QeH6ZSerTNP1y2c17TkajwzM68QC+
nxpTn0rGsmerUWcqs2NUL2d5dxJxIWONlOpsON3gx3n53VtKchuDajyQu42C
kzF9XTH0AWKXMbrH5xeStPm06oEipJjObdnRuNIIYK0FbjxHyAU7ioFIUqME
rM+pQwAPd5aGa7kp6QYBc9cF4dkdyHrmUhyMhkAuH6JPO5xmDudQpXW/6oHH
cab2RLgm8FX2jsUxBgGYVwHImO9TAW12L113+uNJCv6xknv/lOggOwVyi3mf
y1oxcUkZ4ZrgW+SI7hf8U4QGFv2lY9Mwb1FbG/A7uS3P4PY5qZ9N96anjYM7
erKjNMdlJ63IXQpsQBiEOpGkPdIsi381Iy8pV7Ljgjc5qz6YqNFBrRgfKAtF
rnkKFlIWa9SsjrRKcv5EbwlmlQAf5YjRZINUwZWgMiQR81KcwRn7hhIp42S1
hLUwaPati1RgD7g+hUu4aKcStCjvGzqA0kejY4amUFbcsHMqICdEGH2nL6YI
pHtCMmRxEAP7ixSnpCTbm/ifa4d49XWoSHQJp/GceVm2BM2T30jfGaHsJ8hE
/0+ejTYON8pFeprQrA5GtUhvOt6htuj9Zwp2QkEaRaN5mGj7PViDb6t8jzod
P8yG7RkRuSvW54Az4sGN9NvRaKKmSltAH5QyicZKuX3KBFvH5KxA31BZWYE+
3u8JIBOXE0Q3fVk1C0JlDXoDXa57hDlBZUHcmVPGbp129l/x0W2Udqcapkb2
6wlFNyRrLKn6sOYpmNAP7ygFDq0ZheUPj76msDyeQ8yo6a+w/RFV52UmeV0s
Gk4MHN6R5lkFQAO9gJ6SD3d4hxnrbN2aDw0pWUpif6DhxP+ziv9HJwVN96FG
LFv9XyAu0vA/SGKcyGPv0P85iv9HAHcfCAa6bu7cJveJX0aNM+QJkpfQJxwx
Q+ynPiFajfF/jm7Nnq8XV4e3b30lzzl88PueU2RI9Ck/ZE/Rq+G6x/z4GA+S
Bxwd6gNuZ8OIP82+/rcj/cGX1/yAIgaJk8k49UjqC/nWklLdcKE8VnKo3Uqy
PVGMTtCXTw+Au2Ye33t6D2RT/ui96M6jLmDEqlFKUXtUWKOMTY6PObwz6efa
33ojv6EURzSVqVY+0VxiUCjmE24XwrhPMZ9XcVNeRQF7FTdlGuyTuFz4hL9z
/9G9+D9Ht149f/bkf5EAuN/KN1/FDbXfxwWPH0+NOMs++huRYJUn0gsopckI
Zc3wH2ipp4+PX86On8++vnVrdvvrB6SLxwKJb8a1+vrL298QN2opaunvXx1p
F7EkR9l/RTFBjuzx7MHNfrM9m52ebc5nLa3vjLbakmT4RbatIo1adHD0JZqa
oeSNkkvr7FomJiBCcQmALn4S34iC191JvAsueKOj2ovDllzbN5AkIcLmvOLE
rebUL2VllQ7sEhNLI1+jSYkO5pLPZrPeWphSDDEqIGeqjiu4BJlCa1dX7Pmh
IhRnWFaM3mYTCDYBWfip34MD0cFn0X3htm3ZO76LDwWWPqTes3AeU+Mv9b6p
uRlXLksQ8HzXz9sVIX5cjzMY9HQFiBFtm/SO4TYB9432KcwuKWbCOl0vdsuV
PBGeJ82P+qoABC2N1zjVHIwJhvTK7MXPszeHSnG2LNLR+p1n8Tt0hIctulmg
eKcN+X5ZUwNGbg8iJFNLdpPR7NoSoIwD7YQCr1n+uN2qJ7Aa0BKKFnYJ75K1
nw0qchu21g9SUCNqxDA55PxsZtVMpqTAt9lxP7qkHx89//NDPKfQid8cfn0r
7p/Q7DV/uolSHz21XTy1F5evu9nlr9Swgm7o+FK5lMkuT/8QCtIxW1f/AT28
438f8b3vJYAvv0P3kd3hj+K8ZseP7kEF0Vtevl3PiEaE//LwHUUPtl88fHfZ
IuAvvO72jCP/DCZy/6RnECu8PuO2f8ZX8QL+xGfc+dKecUjPeLnbnKzjM/78
UC7mZ6uOn/G3Zz8QS9wQ3YsvhihO3T+jSpEH0F1r0qBX7XNIELlXECja/Pss
RGxC07WbLR3Z0PmVQZfm13e+YU2dj0yYFTmjxdhGzlDhmErFw5+709P29ewS
0qwBiLNoVCPG4t4VWBi/vnMoVL6eT6kmjGZ0qmAHFWw5///Fgvpfv9eaCNXT
st9meApmxPBfCWcuqvW/GHeiBxgOsHEG81KxqZ4Z0tmOTEnEaKJeOvnOjdue
/YFEjsaR71IcX7nDSLO1cXmJFTr+TQFs2wsxb8IaYQ4q+Fhsu80KTLuqr7cq
0SLMGIsINK2wF3T8TT6gL4iBtfYCDURSGjONEbr3AYqOD3/gvPYDrr0Fc/GK
Bvf5EKKlGb3UmQQCQd227SzsOI7LWT31Bfs7eZvcUUlbhc8L6k+RtSP9Zyru
OEsA1RUhf9U1wtin+D5FIepXVRXdolEg41cZHT5XJpBrBtc4DRt/ViVZaT64
KnCqoNoPNPLKlnyTEZqXR1c+rlL2WozudqNuYMbXUn9chXdFHwcm8IyZKvNY
bFPv+XlBhZZV8oZ421vPcLfJ/gY5CY6g5V9mugKFTDJ8JslCObAATbcCfCBh
xBM3V0KJB0OJF028qcRwvQFVoYIKrcHrx2gE9oLRuTqLDaeEldeSJS20ZKII
xVIY9meiIDzD13Molp7moI8zdQaKRIC2+t0isjIIbS+TVw1S/hJMGRQzM8Nt
JoG5k34B9N+B6BdfvTfITObWDCE6MydXzvSFgnGWcNIxRc+cD6NDb+dbfHA9
IIf2BwsHQNS58pDeUhH2pxj1T5SwUdecwEk+VlYJgo2LGVXJssyQ+mjf9ctd
6pk4gAiRnsQNdHCxoWWPNUGmGH5wV/jl+i3dU2RfUKcuOihax/blrW/cD+nN
eKqEnuhdAW1tUBpyeKf5c/99s+yWa6BtKIg7wpxRCLhrjuOmxrlrgAADdA9t
0kPjpUwPjc/ZbfQNeLTKQ2u9wonRHP7Ig3sv790wBHdxKA8zYQ2jW2q7p77i
esxnwBX7dkMp0fmr9vTU+B0SNrA9l6zfKlo4MltFNHDz9XD0v//w9ELindxR
gtNIKUrbvP/MPBtK0+Ev7Bxys/V2JbEgKDwyuCY5kfc0d3OoPDbUpGj6cdYZ
6vNS4R5s/SGdpNM3NZFOpwSL52OoErC3HinWHS25Y+IVp/KvVp1WXgOXuTjt
NmD3ykYhoz9otrvLhRwCLulk0IV2mlRY9nx9yrQYFlqO52TVEley7oX3ljGd
5BgjmyrfI4tVyE76eGmwCcUV4FsrUzSeFoGKh/bsjHxJqXxLSRWOdLl0XPwg
/nfWkij1Qgj558gxWXdyK7abuND7LH1OFUjKL8cNL6SQPk3bDk8BWZ+AlROX
hlSzf/SCm3LRFSMHs6uOK5dq5zOKkRhD9eKmA3c7uj6D3sSRtjb91iIFbV4z
7tvE5WGNFHvAFEN5qU8FpyhIS0lSSlMSuY0lVWJLsoxiGMWNdKlku+3SlEUx
HWearVVSveCIbKX0mkAXceG+FWiRrBYn8azfY2FCWaKdufmi45b9/HaqF8sb
oimedO+TJZnBNaL96nSxm3c5EOAvq9aq24OrbmccQYdqa9CJwtGUhkWWGbas
JleUg6l33KeKCRkruAKjZHbgAk0bA2CWiD8zVgg7Ec/ciRjFzeRMoFKU/EkK
SN6wb92AbhkcHP3zLDJGOLb+coGmLpRsbBP3Ey5xlFZG24/05amkoao/t67X
FtJKejsOK00kqP1dSj8IWUGgYeE9qCTeUL67iP6ATkdAjlp4btiG1EZzlLIu
MtuVU7a9YB0GvncSgHPQXDlLadkP0ftFaOXeSvEFBNSDxLr5bI2twZxYHVMi
lMObBU5/0sU3SRVnKvTk9GylPvQWcL/12/NAzXVooTBSVNO6k3a9/gKD9D4e
zNTg9PRi3ZMIKIsL3yxY2aqEqLfiOs1ytNWIjS97AhG5y0+iwOof7rHmpbdU
1cB1B8ha+Xo/DdQ4sAX4hDO7hzgvU+05mPewNzDGdgTNp085RJ/oAYWzhiUu
sZgRMoiWZFvudq8EDq6qcpO5V4mPCZqq3Qo7AS0ncfzE1/jYcoUzvCCVOkri
MK2UhOZB/RSwX0vXUdA8ETyKemRg/yoTc+9wo/L0riX/caYu2QTd07LY3/hV
D7JZn5Dplu99vA7O+1XRnTozzbN2knAw0tXBxCm4n4rVvIV2l+qd5ow2CARw
BFWvHgOYQMpKfqiSMPEanqgwqVxLSgfGK0c8zmfCVUUPN8QhS1zwfE/uJjD+
KlKteiviMuSNTiRkQaXIXYTtnFkEUImVNlnvuA+ZYZ552OYd6/rWQmYQS6iC
/fG7fbG66+J3+/8Gjodkqya33pia5oZhqMRT6Pus8v7IhtwfDWiWnvxMnqzP
8zMeB4TSk53qLVaD4gqqQcdBBXU+bnD5VbrvcKmRYZw5G8AdXuMI8bGMNgt8
IWZ23A5+p6/nskFyj5UdV73yUxkShZukTOGlWxmbUhavBrGn3erKZWuGhuft
qiYP4cyFWu4w1bat1c1+Lle6+djFtRXC817IZM3hJGV6sX7rAZgGFRMkGwNR
e8EIbqIGVUsi858moqwP0CvbnqJlWD0Ka08JLN/NhRODfc+gWt5Il+IwxAtm
jPZsvZmZwC7WKCONjphbzWggfzSomLMUKvsr25u0gOALgJrYbTZeAYKKlqxH
XBJ3a4SxTUYYG2qEsTW6WGlMxTBUKc4vKTTONxJA5JBCPbjDkz4whoR4yTyb
xP++TF0cvt1zM/Nvjw48QFcdCfTS9c5T1fGUR9zOH7HyXZnDKJ7Edz5F7KSx
tHUI1B7PP3v7IxEunnRXa4DOozhdCUOXMz/GlsF1lFD7jjXwq3pI9GAH7yhL
z+LSxy7cCeV5YwRcZhxOzGOSE+MUgBwequXYRC8azAokL7vLeFzkj7MognFQ
4FVZrE/kwLiHAErOJ4WPFBl4npf3WidIQdZKcr/kogLYEcikbcQcDzAE9biT
ugQ+n6WO/Y2fq4H6Kcri2IAMHzUg86TB0T43I3gSmFxIswfc3u9t0JEMI/My
XIN1ATxmyKE67HNqDMt30XSYT/up4mQYoryJGmq2PjtTpMxuAxzlqt1sVFXv
UOHP3cY9avaJoGbff5bBZSnYTItQhdhOG3KWWopb8VkUfhwizCcam603g4OZ
wVxeg37UnL3WoKdGAEHsNwLVhmV8eCvtNBUXsFREK8clyQtryUNiQsCeMy9d
KvStWOWX/Uox3ZQHpr/NqfZ1gQZWeO4se+6QlGrpJaWWOsIm2w9hlM7XHD0F
qHVLZ0hgpAdrRxxU14ACZRssnCVQp2kzfvR3jQXSn2BvZGPjvvJeyc7+BkaQ
VjYwcd92Uo3oOxeMMlyJ0ThA8XKbbpq7BimUs4Lw4XJCmYU38SPgwNMZpmJ9
ocRuEQcuypU5ZVNZcIniuMs5cB9hIXpNrGniFBipxCrRF9MECoaNIE1Dnray
U8J8l7hpR0U/LMdT4nY+7eYFbyrWCKMckfiSL9NvHemu8V8aRyYH8nqJy9AK
tTIVMhEd+/NKVoTucLYWYFlEabCWS6JJ93M2CsDO1wdKmDaULKur/WSL9Hwi
N/QM2muwT/qiEWrV7kvKpZvOF959+aJwZ0bNd/wHhKkggfvgpSSl7s1B02Ly
D83NmzezD+ITJrePCAs1eXpxYE4M/ROl4cD++xbvqfzpQ6rjpie4HzWV/8B/
/yeu0L+nJ6QPPvEJccm/QG7tw+iD/4GVzOq0vd5QRyxTLuSIfU9ldR1i7VKi
LT1CGUaTHYxKi0XUS5t8SEmJ9kwU5roRj+2+wqUwIv5xUV7U4lp03gwHFCyk
0muIq/2AB4KM1ugIS4WklXgq80CGmUx1aaSlo0H3vVEd6Z+o7ueaHuzCySuo
pUESmKX6ljzImp6E6nK4HzxmdlrJO5Qrygh607pvUz7OvRuUdG+shNEiRcnR
oUHfDNatgrURbl8kFY2MQV/QOz7xlPm8JxMJQpoD21MXBDWkfWKpGtQJP41q
jp7ab3R5hQ02yGhIiwLo3WU81HE7n2TLZ8mrtMcc7cXQhCGnMygtLsrgL0qO
EsBbFQJihRaWVygWSKjuTeXTa7h2My3/kPEoptRI/HtH/N3SOmTrCyMpfW7N
/1zfON4zvtzUq7YiI/alzFgQgy63Flbmczl7YdwcY2Dq6nieFmuawEIZtkIm
U96pPoWwd9IGJd3OMHkI9zDTpzz+47ObIN3ZnPTR3t1cWTseMOBMHSd5xdYD
SFAiPGH9lmoDNdmIxWIGK7JMLVfA2NKrqbdjxGCgLwZuDKDWiMs5pHVRSwVB
U+4jULn4Pu2fLxCEpKkSsdxogjafqUUW01LJ+fjWzYtARJQU0rvt9w+GJ3T3
Grtx6sKcWVTbPPfJyWb9Oso3yRRYGQ7+xcEsxMIjyburjEos+2R+uj3BYHQg
k39vvmcHDmbLJYWBuZK+9WNH7IRie9H3+L659p849u9+xz809kqXGffP5Ls4
RPf037syZOp84j//wtNZteybweTf3eB/99O9LZKrJSONybQXWSPPog/cifJc
RjMXRjtuY7aMbykPZ7sxTn2j0HoSHdfvm++8thJ23W3zCA0pyJTGG+hCcwon
zf+kOye3EqlOOa7WNmznNYF8rH6fF2DJbz1iXumQxLiwNK6an5o/NN9P2axe
LDhoqj7y2zW4p6cUdRm6lRJuC5/r3RBmzVMT+bv1w2JpKN+SgIeI4GcTR/Bd
c9r1i8mj5o9xrzl61A+5OfM9ltHBIYsZ3Ixjee4HQq+gp4CS/pIJvXAos5Po
BvEf2Sg4X7zCfsiLJHC6aDfU/8seg8ZoQ7d5Q333ipQeLrHE54N926zXS0Li
/UAbhLHHGYHujk2rytqJRAAemisSgG8GpaX7XpzOqWX/C2OrpcKIuD/fE4Ri
2vyUghvYt1luVsGYEMcwNRtkiWxlNmROUPhBWD7FwvCsC0t1UTvFJ9Et7Yh8
GZR4kZqVORupwFpNqxZRu0rVAmNgjULbunRnUF3Sle+2cfd3OJPXeEOlarvW
pYyOW4pVD39v9txvzrEkdSi+5YfG3Er+/GEUJP7bB+USi5+ATSdu5kHzcdfu
k+dVU6qye1Wl2jzCHxXEe8LeXjevgaAQAedUMPyFROk0bv79icFV1idJrh4K
WTfeO2144RSxGwIigoWkOKE0tI04mCmeTba99netydP1qw95YU9+0h+QNPyn
NnP9O7ZY2rmqkz95ujJBcFJhdezlXXnNe/1+0sRnPGnZy590KR7Sp+NNNEc3
27eay52UTfq1U3YSN7cWtsX+VxqSfVp03qzqUXg+fLoE0ZyNWRvNS2S60+bp
NnznSAryxugMMy7gxClQy7Q5G2O3jj9G4gvRt7uN0SLncYrJ00sOlgGukotq
PwRlTlcM4rQZtwUWmqOyPulMBV1JlKicybWSl4D53uPx9FJA2rI6xrSse/B0
K18AO1Mcg2ooij5fNl/EL9gdBmsnHk0sQqhnaPZlXrizFiRQ6qsx1ADLDsv3
dKWhovhv7r0+Ped/WpITC7nN3hgQ71ESPtkd96LUwBpCwrHqKZsL5RJbk0ze
FgiJSq90MbWk8yGFdzZcxwGFdI257mHn+pFtSQktqfxT+YL7qGC8+FhBe0KY
RO1Gagy33tHXZv079oesutzNJ3sAX5tf5g/Iq+RHCzJCooCdQx9AehI6Mq5P
Di/5Kd8w1GSccFpTlSbfyloUvV1vlcbT3dQm/dKViA1Kvl4DHppY6/nTV/iU
JhvFeJzV+YLKJL4YvUcY5H5WO1FL4OtpoSknp+H3UyqPOnVc5QB0HVQdK0Cl
Gs0R2yhM+Yfh3ubLtzK8SjIWz8h/f7T39yONME2ke2O7o/bIh3ufrR2dJQCV
NZlztt4IflB0NJBNBVZOw3qIzBWBLG4yuQUBALuOg6MLJ2VdppRGvTeHhlok
GcLRiyoNHCy2gftwjrq2cNzT6Z097TgtkTZGKbIQc7bn86HEYyTjX5iWgybb
KGJr8dTCa/CIvF46FWMNOemFGfFwPdOaLspW6E73NTXlMpZUk9CdnfWnPf1U
LhUhC2fciOcuHIMALFJ51m1P66V/ZhlVTOLt+ryjWJSIiNC0KtIlLidmSWx/
xNOHyVs2REK0x2hDbwFaJNlTePaetKnXULaQGo7yLbZbJj8g5tu+XVvnVQTf
zzdIJHL1Yrdiu4H0HyczOaGQbIb0BtfAj6u+RtkEJa2DadMimHrsG0+02yDB
lR5BAYEv6XhH797rYzJdat0jy07NWHG7eCQYBXKzOsOWF0IgM6IhFyc6fOqJ
tv6soK8fnWZCJbCCnqmCnpGCVjM5HfM3XC0yOugg+0ypGikJuAaYfHJluXPL
AOlwRW6mSq9ZyEhBiJ8dfjtwY01fOoYHtSVizmPXqzc8dNAxxOIdolfP4vqs
8BcbwmFk6Y7fQmKh4V99PsCMlvOVhe/9noV6cPMLjjVHU/IUIVEJ5u4Jheq3
Dz/525Xg7keerRlrCc3u/XYopTJ8PLs8yidX4hJ7AivCHXyrSdl5PpuEVBjn
8veEVSYpZKLZ8dFHLp//PzQj74J77WzYZafAkTGXy38laQqR6W550slhWfOV
cULko1DI8Rxa14Sb4WHqI2DkwfxnvlsqQUhhB3UbOg3+J4XHIl8vZGAq5L0p
tRi0feu42u1lIiZmJuQtvPB+QedQzBI+y6t58M8cP+qpLFRqCzJc9GeAyqQ2
CuNJ+5Sg9bopEpnCYsxd/lA16iwaWvpBbuHHir2cKWg6AeesuM2h56Sb1qpW
DOdJpLLgAHn2rMQ5uhDQIpfGKakKo7gkmKEh4D4Cbwj7XNvVuimRDrVin/3d
Y+MWJ2enNIpIRfPOs/F/Swufx1GPUXTByCiQGvHJ+igq6MijIlo3AvSOzsqo
MvCJNhfCfS0yYRjGLDgu7jj8hrLoTSbmPJCqD7eN1w4Ub1nSpG6R82/QBPBj
D6T/Q9HCLxA2rj78djO5xmf6pDeYEzV+lXhRo/opNv1kPckDwHIWGz66vVNg
lmMje+368oW3c18sf2wtRD3ZH2Zmno5CP/zerM5+pEPVOyS9DhhoF48UN18S
JuXgm0Vbryi0RXwL1lNHZ/sUENjHGVQ1qqUqglWo4Qipt0TD3cQqAKDR8jIe
vNXWsO6bbnE1qmUDSCKQ4nzb8uVySkUlHWeMKPEEACMFxhJit4bUJXJsuRhI
QwICYCTYlLhiiodUzpdgU0zZYMG8IEHqvb2RNY9kjdRr1MFcNp3RBicMVDJj
NTJMZqYQjrJmE2Y7kIAlADcZ6KKuoskdze7VqV9SnXCOYRZuZ+7ylL2W1d4S
rYVFxmx3+BrlqgFG3U9khFMZ3IFQN8z74XXlb9KPbb2a0pu5JJFbYHN9ODAy
dKEsO9TFgV7mg1USfcgcvoKKhk10T4Alp8xilfvYrKrUNZUvW20az73JKtU+
CDGM57W9rTy0UZt/0JvGntJut3FjxET9yJMObzWOx0/VSOVRM1RG/J4HHtUe
aDVRWZ1fepAx6R4qNy+IDsspCntN8RDm0tn7kNFgSJh+5zP4ZrAnkIAR4due
h7hl2TMSUBKNNV6ljLCmh8gurxxCwqrj26k4sF8SbIHs99OW20TSBXVC6RZo
LyOFIwkXIlKlE8jMpNyUSv0iQ+JOYVYQICa3Y45P7oiWDxg4t3oYWFQUE7jf
PmJjK8AZo2S6wrmlPjc1K0gpr6xcpfeNXnsuDMZay5ddXZE/kda8b7U2T0Ir
h9APJBhIg9UF+XlaE5kO0ZSNiPSSqfw6G2M8Qmf7kkxxeaN9v7sk38GsgmRv
+HRf/QC77iVRRPIXt8NIgRgilBSmiq23T6mPAImU5heJAEpdB1a4AzeO5Nqa
bvMGtIp0IHAnS9wHEhQfyxNCEQR3olD4CkaSll6bd1oLO+XwDfubVNzL2YP1
OtzDHhwglHvpg++gDPC83cwXFJSV+zne/qHMvCrQtnaJAkZNeOyN9knGS27W
TnWq75b7RzUCjjjZHZPSCjjgcy3fZ7OEC3+Q7WV6f3Iwc/9jDNQMlaqj3BaR
GiRqIHMKSdpelG4rxRQTkqeAjgmP5WwRbVfpwAPHmWt6VZxF3xL+SIWMq/ly
j9RSzUWv2NQJuJWywCRJ1Y68ufIqVYQ3WKaVs64EU+UhTKiELF2cXZBTf9G5
Z+HOgoa1EkattxRd1TP8a1xmyRB7JEYYoKJex15XOdE+J1DEODLgay1LdsYK
l4eUJDeJLMjKiqM8SJsMq1ZGA9SMAXED3pKiCFTUSFTPxJXeR7+Kihw4l8GN
ZZMNrij0a+tlH2+HslzBNCc783O3FOhAD0LGMqZivNZeq+7fIi7JT2h6TXCZ
TwUiBOl7QhQqb/r5Dr2Uc86u/yvwCdXjrvRqZShEOQNHiaa0Oh4ex4eKNRac
UecsO7eUkzkXzK7LJ5/gIJ8PiXqvYLpy8fmOaIU008YFDKaH7z/8M+9hoYKg
nIvg+YGWbiAKMMpwFekOyx94Lzntzsol/FbX1H0Hw9Wm/GC0t86mrvWrtPHW
yGrqbCqeFzqfwn99q60U+2wI8GbWhNkdWOB4SwdG6FI4Lr7n8Ojr8OP3WuqC
YNySuw7mTvY+UyNjFzRal455XUaiL1ZIn0wQ6cCKhu742/hUhD2novnoqUjL
WU3b0D5TH2topm4V76YtnyPrF4/bf0yo86k4MBEekYEg6RiOUHB8BXX9VfnJ
kshWm0Ddo1DsQexmV5mU5CQG0uudocy13K1xFeDbFN5OuShcdVydRXpzNfRw
R6hge312pg0njKmWIrHYu24ljEwiTmk0Zxwjari5MpV6ra4QCVhvgj4uUenY
gmSNGBSGHX/XCPmTSpj5lYnouz9tCsYNZv+sFumnps77WEX35DAt9i1uUH5n
xN/ldczJMhcXdkteA5ZGP2GbIEi231DVRYivpsj00bAR1FYO6Ty4iqdVau09
71sH3vZ5eTBK+MR9lGhStCpwHMGMInJJdQmj6kErJDY24u16BzRCJuaEsafU
0CDxI2R3qCaQ8kiS5ddtVn+7r9mXVVOQCiT612KqyQr320zlO6R6K7V+ktGH
z8GBAN6OaTiROrIcHpmnMfzJ42VmnmfCh+xN7+dIPWvTEc+lgAWrd1eGykFb
NASMh6jUOic8LO7TgBaWun0ZnHiA/fRUMQUeqY745O5EfJHoC7gqFJtCalsa
5blArOi1M1aFKv5qvZjezZcXluTImqdFDf12j+2u2k1ljxhiO6bYotzbKUWi
qfsH7qvmXrRPr4aeAtB2h13CA9n23VA2WkPTzMFUllI+UOckzKfRZzTpGYzx
aIeo4C451s30QRq6jhqHamWiDTqcXSVfzLKH8fiyM9tQe0q6xAduJphq/zad
EKnzdRBt0vij+NH6THNGpAkG6Zq+iPf/hpdl0Z+gU54VCs5ePHvBadN2dv+n
l/R0474mO3gVzUJtZ49z//79D09evDj6iiLPfFvzexEQRmZWeFPjcTafUWSI
mjIE67lKSizR4ynZuRx4Uhw8lmZb4/ylTj2Scn4300uTeAw357uOVxylNVNH
RyhtaOn00Nfgxmj7z/XyBDzfmAyvVXTiN1zX8/49zen5i2fPfjimeUs677Jd
Ef2HLD9bM7tL9M6K7i+ATvB55JL0szi1Pn1sNNvb8H5LLLIUnDXVSAf2yElN
fMjlYn2VKrAG5iPlKa1P4nlkv0dpJVR03Z6HjO9807adWXraofCZk9Pj3ZLC
jYxA9QckMUWygGrbv3RKzOoBFoZ8OHoQlmp9goon70DQoYKnKKpONFq65qCT
+o20K+NE7nZLTBBDk7j8+MdccEahnqE4V69XQkdDzVKjvUI6XB02ikTeDeF+
znZ5N9xtRpPXq16OF7mL7WwDZnKuH7MJk920WQ2hsZbcbKsjOWzMgsIQ9VaN
LXhqnPeSPnNoQRyfIkTJmji219iSsioHJuPzRA0gbWMlVtEULWu5dt1u/bfU
fhNC7yFyVjFn/lOj3Tc9QehNqthW5s24dq40ny613cq7mLANNXKQOGwtCRnH
SB3dhVI4cQVvNqBdyybHmLuSiwyKCJznjRGofZQNramwodno4oMqvGicWG24
+J75/BRF2TTP3WrTfsZH+KkL4aUOb7mepz+RrqpYfRRZoV7t2kaOvpfCItB4
3MW2UzJWPggb0kZbaZUsgZ6Gv2+tbTXcohTB5NnxZGW7eaAAa6h+L2fEd0OJ
p0mXgGj+eHc1TZ09Do17LaKpF0zHvWEVdMRmIsmzDR5Lr1NIsS7Mgg59MYcp
Bx9ALdpociDHE7l50aB0w6OZ0pMhRZierT928TkS+hQ7KTW8xa05RDMhemHM
xnlN5AqqiFudWz5lfKL24cf388pDcH4RemmmKooLMx3z4OMonC/WJ9RHaRjW
pz14EeXsS12m6t6c3WhqFOqZ2SGa8nTJIYWGei4YB3BqDa88EhwFYfTRcBov
FqijDjJD7Y79tMRsJQRxe2kldcQ0soImo0wFda7SKzKEF2JODu1ZJ7pqVTls
gBKcqPW5ZQJstl7H4kVFvBb1ce2YaQYc+uFLydoLK0iI0hKpeTctLydN9uRA
VIwJ0UxUVhKIKELj9Jw9DN+c8qo231Y8PFhihBi0sSh6VtwkEdZ8JbFpNNe3
/cDJIlKSuKTouDuTtKIYJmKURNXmT8IzJwTYqe16Se1nwFco0L1JcdjSLNhy
a8nJJTLOc64OoItlfXlF7d+5WcK3I6ZremV2yaw1HvAtqc1NS8D+WaseR1IJ
3zYDpYHIsF51i8GiR14V0OZEK4f0GLj7vkWORvySFP20AujUvZ1qvIivBXea
fqrcemLzPV0rDCc38kIAgoLwNxRsNBtxS61hxawgMx4fwAje9OrKoQ3HWnEz
cYd7g/p5r2HkdFAqiexI0OsR7FsY3VOwAC8DXCz5BdOKfEytXw96fffUQ40t
bpyAzEijhJycM3NO+EUU1qfvz99EP5iOGx4qKqddzdXj4aBB6UFZe2+dsSA0
5Zu04LAFaaXZPBxVfSyIH5Y/PdBr4hdqq1DjWk+ZGHdz8tDiRgIdg1BW1BEE
2mWKd7pmpIdJtKG2gO3ec4a4XJ3z9hKa0QkXzdQZ1DLo9nSzHhiyhX7dnNA8
Re48/p2boXAHPeV8SVpcQK5zRsru+uECi+Ags4OjBBBLlJdHO3bgAUtkn1Ed
MVufzbRdSwUdJxMQeT6HCTPkvZ7c7gFbkFbglI6bGhwmoqnrCxTcJtqCNMuH
q9NoIRMFlWjB4+5cu6Cxm7pxZozHgHL0m1oxRNebH5PZXLp+nlcY1vHQpG8D
TRHSUiMZQWfIjUamEm3TnNABpvq40pq+HE/KfNO+FbAG63qp8WivPFZkJG0i
87Tk+1jSUkOK4OJEOofyptKmQD13w9AAh72ZFpBe/Ouus8aZzn9KYaSoiynD
T/dbKgpGf0sKEUU/7TWpYrp43klrd26jNhq+qhzQdFqMIjVaYo40Elj25dig
12e4xQpYJcjf0HkBA7aEsvOCfhuD22H6MfRlCJSeVC2XBLsZruLv3xkjyjk5
UCsMgwtreKfILTi5Ch8z1PeZ6ab7SDVC95F1B91HnxS673Rk0Zr+E6Hk5KHv
AsFDkIaDcdUW1QIDSxoNO7yKUihX0l+K7q3kDjnlJsOJtkPUaVO1jEYmLypt
+Bhm/QtzmziBeE2W/V6/ifdfixJALIzepzaE4YIultZ+myJ48euzy0Z+Hxad
xl9Nlyfwq1O68eh2uOZcrafgeEhm8mC4bMiW8/SeqSLfscHSU07rpm9JsztW
uDLgSps9p3plNUg543Y4ddkHoxfW+BUtBHdUp3/7ktGy1HP3T386/O23u3RQ
eH5kshMfWRSltN7cYgQlG+gJu3BSGJYd2Wr9sEz+IJR3GYmxZVhrQEdsmccr
isdSiuq4XbTEGIx8CqVLXyPr+uDHFz8ffo0kNdHXI9bDzXrS2oOAX2M8U+nZ
cu/Bj0dH5OCQewb1hasjd4Cas7Zf7DbsEgfgg7R8s9L2k2T//WeV8xxCGaso
qvNan2MBINFuKVIkvYNm+x+ydyos9cqaL6+/KxgDStMkg3sIBGdcnVuhhXHc
CzenUu9zsHts2/AFI3pnux5FFMH81y9QYspJkX6723YSxZH+dC7SY5lLSlAD
ity6tEqhGhDlyWM8W05RGbdFApIjcXwZtQkIHyf37C/LqLHnoRbNwXYPiTWG
I2SujY58TXrz8EkxPm9VtW07j4fwIITjCmaI9aNwfbfoKaAqqRvI3oyPLQ31
4KnSU5w/D42TmW+kyj6oSlAuCxwxUTPUxb4ukNOUBeDv1vAL2nQM2o8LsplD
dS6v1V9Wkg3iU0jmQNIAlMbkI2c5Ob5Jg8VbZOQuR0AKwKcYDkDpOnJX1gQG
q3k97Mf4Mtgs/WhdaAbnqEgOOUXq1fD5hD63/6Yddbmydw2dR1TQ5teP0MBR
1bxQp53O2zOEOwo3NLn14ofig1RNlRIJ3UAJf+p2Ox8lMmjxJBxB3d0PD+9Q
4D3cZY+Iu1uxFDGl0locpOTLC0QLPpDxeSICHH3q5ApAANjmsB+z12V9P+NY
Vs/uPTyiwbzsV69lJPyZnAG2+8j/BKcwdYLzynHunY/k31F8QGG3dADlS4Be
GOZTRLpI0/qoQNM8WreIzs2bY1xrq602aZZRriS3YoGMqIZpLs2x8ie4AJBM
Eu20mDpcCqpwrR2/fPHw3k+S/OTKoZsW8+k55rHpwTAU/yXqdzAVSd9kfItP
rjNVeJT6sURqd4OQDSIdhLsn+5quHGl50pV8o2cxFN5s2klzWSfJNuH4qw+n
mqGBDS5tkewL3OZXzZeRLTvc5DiYWD6W06DI8DzpVUZSsdgBi+C2OAkHx0Sb
FFgdhTYLYIZ+uOksNAfAkhRJSXwHFZ7S7zBVsuv4NTifZRJSYBTHw/m0IPBF
CmuGjTOiYKWnUMCH6T5uCwOLOow91J5vEfIInBXcXmqPK+24wnrZp+euiTvu
62ETR1BxAj0ggZ3QHATooqwpnhpKTPIomirp7K3jmyk81PAJHqos9id5qlbu
pv0YUcVI0c7BA9fCOEr9kRg1aWkLWrSpCyv956J/3XF4eI4yYGtHAXwiyst1
s0CHrsrYWXlUniLbTRbSXLJ5lsrzibymDdaSzYR1aDzXWUUmXHb1LNTlYyrh
Mg3bjhp8WiPE4IDTapM1+2yy4lyk/hB7clFydj1TjiQkBUPdXEQ7bCC0I9nL
UwOJH0ivLNfuVRRSal902iokabxGoXuHTrLD9RDsl0Vknm6thdwOsBzu2VJT
y/YFVvWeA9i8/8w2A4K7EFKstEX4lAffWrrQBaN8kn7aZHr+cYIsevxPFJih
zOafAk2NVDuXmaYIJiAJallojlxRDdIRuIbfy4ANBJsPEjDMxdK1QBHcw3Ww
h5vF6lQBEFNk7FR9IAIi0C8Hi0CBFukIXNFibAtmR0FUgEJJGE9yrPFPm44L
3Xernkznu7gFyvQMJCEeNfxO2wgI3YK0Ke3sEQvw+I/7CGprbfYZGLzXajdF
oCYt8MwYfzqd8sy8zIXbqXA2nVq5x0XhXAORItGM0BsqLrKVXEvSN8VvsLDF
IgJbEhI30qjVDL83hdn1oSnD+PzFDw5yptxEMGuNgkPzGUwcIaWWzKeJq323
PEFzy6DPr7lhp4u2X0pINoF5UFvo7oNoypl0SQSdwDtxodmlJZ+fVnEl7ZYY
tZh4EdoN6W0c1bcraRoYb5/llBnq4iKSkXXMUkShjmU0Ts+7pT3dwpo45+v1
VkVO4Yv8yjg2xvXEh2WBAz2h0m7MtsaA9Vh58l6pAiGElB2PjjA9TiuODYxf
PJJrtFCZNm2W7bt+uVvmxeOhYcsMYO3LdTwYtJR5sv+6QWsWP7UbimMZd7Mf
peqRKyyRq/oyusIZ++PXmes0lKB2SAKemTtklV7L3er0pRSqaLmPCTrlNEv2
PhquBos+siYVLinfExGwmSylG59t8cB052HqMPO1gG7muojZsihkJ69qkltZ
joU5rwpJJJ+XKwQa7sZukU8PKTWYWIh6KL7tB9V34mEzNBNsXrT1ZFDEPUMh
X13/Lq4spZaQVtqvFMofzn8KhL8ih3UqdaX4eMQ8VlIHsrp0w2RBiTMAzziu
ibl0ifFZS9JufIfF8bVo52WRk5Mr3xEVt+yijeqISNDXmxG991k0ZNC0jSlC
2IWbCMAlNWedNj9OmycHzXegIYkDnGRtV2/wY29Mm/+MP/17/H83b94sfv93
eoAQkdDsfAfffKrxqQsG6ypCYMtoNlWhPS4qub/RxTUaVLUxHwi+/0fpgXVy
pdybBDOLV0SSNmDKBCYy7IyBkNUj94ok5X419T1dfd7F2VZtlmOgq9qMnXdb
7ZPG+5EBG2dsL6y0BMhumWkBgJQjH2+Py6DgyvGqnYpDStKiE3WvfUQ3tmeq
iItIn82OH93jqmD7r9tff8nlifbJV4dH0m2Nnp6dxE3Hbi0Fb/glZhbIcgQo
XneUUv2tzGHm4WL2cC2D4VUPDi9UsAzV1kKNXJeiwEQt0zSxeduU4zh1si4z
5CinaXZsjECmhfHfKOtkCR++u6QZLlFH2WpW7tFP9+5HC5mC2d3GTUar999F
jX66pc64UWnMsMwu4ISF1ZAvhfW+vvMNghm0vS93m5N1HPmfH9KENNjy9Z1D
RWtHYZ+R9DR/e5bLgGaeAp77ePbgZt9tz2YXl6+72eWv8Lgt485Dmld3LewX
Cfo9vbYdXJ23ykdcwkfP//wQOpBKOgaqD0GViNZWsqHA9hY5TuhHKPg1V7h3
skst8VYOuOPHRWhRZuhhtwq2131v3b3gCgv2Pd5/RiHruHnKyw5Qudh6RLzT
MNBbjUARuMJRSoUP00CF7OJQ03bK4z9ycVhaIQ1NyiFdTQV7C1xTwcD4hHfX
TcB0MzWDRJSvcsFX0jrDB6fINCTtnhVCe8IMddFtNobqdzedtqq/q1e2XM2U
1VmeLBBgIjM2/cJEL+sZnvUdLQmRpplBc49DSPUIQuIJ3VMQbre1EIJO9udZ
xIMPfoPUIdh0ukY43CzwAIKSV6Urhs1bdtF9YvYnLW713/FTUbGEpz4QXqpb
na7JYpHA0kvzr2R5MunBAEbCkJXloBaiHTRgEx/5fOh28zWbSGQDkvWXtKEI
4ElXupfNHvdSjODtGla+u0yNvyr3x/vXhHUahK0h1+vxEahdXLOhJKWciHNf
ulGb7QNgD9mi/Zt9FQyYDatGAVbz+uo54VbymVFEuGYyvKY8VrZInhyk0m93
EaUTBvFSYWy3nF7hV+mK9jLWeHjMFBYjiAWnRZGz/g1w7+zxQ4YRcpKgikFf
yeYDfxhg9onuoY2mprD4O9dvZyNLRlKfFlbyGRzLMnPApicXRLx3okAwhB3J
kLh6UrMUz7usAWU0ou486c93691AyREYwCiDdVPQ4zoFfMBob5NjH1d3IWcA
2WY6l+SyU8LhJSNO+JoEzQFX9WfjEQ4S9Yebh3xpi+ck975bdHfz4pEKUvDP
ZE6+ZCioDHQ6WA6qbApJBDXGoPppu15LRWIUBf45CSQ1DOLy8J47WfpMPpeA
ap8+sTEVDRcXb4YHxseASUXNFH1/L81tTQikqcjlyCgDoj43y6zWvOwLmJ/A
X6JK6s+uZHnZ+ZnZ4lsUWaaZxlZVlqQYn9AJpdgWtUMWLYbwvrct10RKkpxA
70JpZMocQqnuyPPEyUkEqnaaSHumZQLkopufS3RR4h2IqBZXEUp1QJUcxxat
zARATyoBykcSiNQhk0GIAqoQ31wKP0id60cSblct6DQav0V6SEM+7V3pXhFx
IfNtpHeixDwwXIYPbepLhkS/zyRNTapoJZVj00zwDj8+dqxY4KmTnGpQjXvK
3yEmdJ/aMghe9oRbRyPlJmAFsqrADkh7gWw+o+vJVpFzkgeg1DKLokzWbvbN
J6bCvYlFE7OFQkRIO61zn583fEULMqpfyQHJLkkr7Ytzp7xZHK3mKLpU3oMw
7QJJZFsTGSG2U+qwuBNcfAZRuoZwn0KsMxK0eMTXjEfgupp03TPHxqobHxuN
FmfuXtLiFetAmexN86Q3kJ3CZSHp4TTXwcViEh5Np5jK87WoCfAjZ0ayundO
fp6YWhRKAr/3TrUMNTTVO/1mHTBEXTz2WRp0CHMUVx6V84YtVnG3Ek6Ztrnc
RUv/tKT3FUOzQH1pzKwZaZjBQsl6OuIGnHfaMEchum5cJDAbHorsAufKOP8z
5pwedCI9EGLblqwDCegrhQN1zhODT9G72u5OmZAuOPFHJVYF8oTLtCU1zggp
Tbgj1Xmy6ylK228VfFVZhtOLdc+V2VzEXXcOBilyyKvzCrdAmBwY/Zn22xee
Ae1oUJAtYM7eUBd2Jjp39RuNU1Tqd2ahHfjzr+dnyl4TyqAMVgFpwU7aUdeN
ZWYXEpPiWm/kgOMTag4Y59qQaW2wXqVzbrpSDLmRaYxCLDMqp4mpTW4uoY7F
02YjHY3QfNpPHG2k+/FvRu2DV9cIUew3jIKrc6Pwz0dxef1tuAF1lf5wg3en
QqTDT6rQ9wQZBT8KX7iBibsPXlGeR55dYbtiXoYy+FhEK2yyjUNEXMqXHVgw
sOEySw6hqE38cvRHBf2oBTFtznvSEaGmayWI6zXutDmtXEu2r3saI13js+fn
bh/gzx1GGVTPPUfP0ZlaMxb7oJWUPGFL3h8MAmosKSUlLerWZxZIvPXuhx9+
eKjMJLDdoCxCp7wp5HrNqMxjiTaxxu5OpzGqvZUYWO1mQNaIlnVxFcb8jeYT
2SwEUG02HgdoxNGUip1gf5XTy8bmIAmY5DTo3La5xxA+7iwUrsKTR3BKQ9RG
BP5Sw4GI25zZvwX2gDn+WmvoyxSMvQa/4uWg3dwUCSzrHS2sBdvSOHH587YM
6SVMw1yeGfC7H4QaLR8GU2BmT+IGLJihJvvakCZ80m3fdt1KyjDsd/RuF+Zu
3RLFKT15hGYxPJBEq0M6EbR8cYF6V5Ug8FEwYmaMD2C2C/22JKqG/YCIENH9
IBkjPzfzKg9UvO4oN0G/4q9VRTopYmJJV4ONFoTZiFhqpmEU91O3vd6zFuRb
6SuqonZR0c00MEBEQfFUoHsfsCnVAWIZJEUu3joF+kHYyXWHp4RxxlKRIm2E
pzeXuZsWTQgU70cXQomCCNcfHxsefb2EvPkR/YQYiTBjL9833Lym0qa596rH
POOpgd7u5kx06H0wRiwp0IhsefEUQOaULUpANWzaWr444mcifR8+RHG0+M3L
2lUYD/6bNWVD4he14SUFmjwtVcaYOJVnMN8FVjywjBhhojN0IeqqAD0dVNa0
YoutXaJzGbV7lby/2jS9p2l0DHh1xrtpGKjGxX9TJBDhW9OEEo29QfHW2ZPn
szeHN1QzTTQrN9MwEtielXJfY1Gni5ZKkHT+rJdz5WZBJnz3YFwvxCw7hRmm
8co4kbgtEkjCLZ0HWuTMiwlo0S36DaJWhOypZYUsb+lpwlogJRNagN8RnaPk
spXXSHOVLhN84cmjoLzWkmnI9ZaVTbL7QPUJlEVhz9bsR5dEj1/SQIFfI1ld
S1ewC4OvtVEzsXEnX3JpBw6j4mtRTUslA+dIXN9a9Hs0A8SQ/QLeJ1/xWWqH
YADQQevJzfxOfwIlFYDCqTSvaZ6+njZPpUr2qctGx1kVLxnnh+Vdzo0gPL/1
DOCwAO2nYDsync17x/Zlm4rSjU5X0NOIERMBAYv3Yn36+mbT5NTSTWr7pb00
AeRl9UG/Zsy7MQkUzL0oVNDkFcKgSGDBe+JKJurrbfOaKkH8gQb637+3VONs
2Q/xVeAyyt+GCBi/IwMy0wuRR2bcXg75GbEMh8Z3Hrhs+80walLMuyysyBZ7
d3zNDe7jwefh7MdsFZJt6mi+NTZBSbh4AvhYnEfdtiP8+1b4RdmKwm4AeZLv
EoVVnscJUk5qzCxHvkPzjaclx+DxshyLhNFfMTPiTirH6AMGZjtLEQzRdBX5
1bYHUmpJAJlM84eHZIXsiF0MwsAI8vacQz9ehPycO7crtOp4HSf58YBVd77o
z1HkSKMqaNUTqIzYaoujx52MiqNNNZvcYCEaJNw3wjqp//D//Z8TsuobChAt
bmalGShp6hTf77kZLICFsE4Y1Zf5BL3Ttyncq4lMCggQfyl0jNRCKHM3Ic8d
cIGDqlqjqoE2ezYPYLfpbmq4xNVTuAT3JDnGhOAd58y1HpwGlEWV+KqTwABi
ROyLYpD/1KJbTQ8n7y1wfWndrwOXCGv8+2NOisY4vkCzWDy5QhdXMKbZPvna
jIyzMCQ0q/D8kZCnaF9CRuTdtgi2nbaHbMTc1bfCv3Sb4Hoixl3hBswq98Ko
ck9CqxUGSYu2Vigfw687kjtmxmsckx+lHUng76ea9lMwmnII7rrkckIHy5ol
HpOpcz0lgCoSImUkEoiR4hL9NLQkvXyTjetKpM6VH5coT99drge7/EJqOSAw
0gl3MgAlljB8TDPG0sGBRvk1gC2gsVoCUhlhgBasZFXKjhHAuisYxnW7tsZV
Vo+RE9lP1GFWDRbNnzSq4EtrMKBUZyussTWeiwPpXZDYD5XHhKLNQOtm2Upr
xCFFmnwLCXtb/PLZor+kifhSkm3ixaY7ksE2vCRZ+bGWh2udbSKnO/49ZHaO
+oMTWoo9L2jVgNocVZJbTz1wJSV++wRRycack06Mo88vL/5lBLwh7FH9sae8
iyTQ3cbQLL++Wv7j6I9H/yAUmlU4L67odM/pqJ/GXVrTXgkmUS9UupnZ5pRQ
kutsjyVI7VLSG/lRD/HC+N3GF3HFqcZbeqtQIoo95U1n04gwcIGdUA0UD6JG
/TINUIjrjU+mjOCcCH661mflGtFQqIjMRqDdCxUHKt+OPvuv/zhq/tgc/WPy
9R/AjXx4EOIw479+1xwe3ZWOsvqlb/4kaFuuPP3VymttV1Xckg3kgfy0uHAS
tMhJBpSMIQvikGidkKU+I8MlnrPN9mJOXOU8P5MYrhwfF79RbsRB/Sl+xYX0
nTMduJI7qRILu8Yxppejcm2QZqwS7ZDwdeW9DEvX4Fd7doZSMFbLObWZh05z
sRNXO7tWiNJnKeTFytSbhLioFoAfGwVBPHZKejNWpXwaQiqKzFbC1w+Nro/4
wRuyh1AikkYXLYuMB4ZHm/hKB837slfuLFO5oUh4o9BzVl0roLmIR2xWtail
zBHFiIwRslIe4k8hI5v92mgzuZJho2J7/1lBVsiqK2dGLOmpXDUvRVY+H7Lt
Ym7qfmg+mWaHoZA6LUerIpXMWf0yxRLwaT9wxjQRpeggqUCdniIMu1YV31z0
5xcU3sB9n9mAbxXTqdPATR0kXWdXPZtiGe5dIDRaFMndSvS7YVTyIslhCP/g
lMHUlcBMgZ8swaJjnDqNipbAwZmNtcYXclyP0XaTTg8KBGwzVtsK4s6VIVQL
GBxaXzy6j9UHNEV9gJG1cIVAlxUDNL+nGEB0jCsIqEJelZRiYIR/rU8cAo/F
69cEj9GiGL4MUzhuiHd8FA8wb4D+xoP+2X+W39F/Y31yPLkBkJUTJH6bTIdg
xRIOsj+C9jfOsmc0gTBQjLcncQfaPe45TG+q45ROCCOyt0ldKLjfcDM40sb6
FDVmVJMZzWp+JRgSoyRbJQHRsnzJPAe1YkoSKk73ZQSQ24sRbfXngy8ngUIo
6KggCtAiWBka3wpUrQuwDDpmpGniDGBIU2/0vs7CRh2Nq4MVcjSjDp3icEuR
IgTBkVHR7bds6WojImHRGkIqC9HeEKBLZR4NZjft2TbVP9TanqPCMW41aiko
X2JbVW8SrVdp2jBBTHGp9MuPJ0Zob6y83jPDeVwXFp4dJfpJ7crW0dmIjGDX
6APvK3eZ4B3pkLJZE6WTnivw8A3nIZgq3G4SO0BicNH1myLWSbeWHBrWyFCC
aVGP097xzGF4clwE7nKBv2FQqpwEzvJscw9ExfReJZsEV53SKPxTzMzhm/qt
lRIulIkQFAPOSuALoR/Eklz5o236J4zaE1TDF4i8u0hCSmnSj2luysBflet4
HTcq1iET64Uqd3euYAnZGSSO5ZMr62dMeUAEnmQrCbiJDXfsy6r5hbjDQoNL
CVNkwbo4tRnzucLvcOx0JA1Tq/jOur6k88dAPM0MA9JARsWY+S/L3GiracOH
V4ji+L6u1+bJoLOe75WckVNkKcsrNoSy0sSlobaa6+bOl9U2LiK7IEjT823Q
NV6bwISJylrmdFC6LuCmvEFyn7VwAgWTf0q+abxKnj4+fjk7fj77+tat2e2v
H0iSNty/aOP/HN2aPV8vrg5v3/pKbMivv7z9DX1nQZEEJvkRra41ykbcagsg
BmdJo9PLxnnTd+3Qx9NQKMCpgrJ65SN86npuu+sGEQgkrHeX8cDFpypVMBu+
cZQYEDvKBG/tTylTMMXCkFcfF2d2/Pivqk3a4sISQRXz0TP1KfJVTyeRvcTD
QpUgqzBBcdG7lnvV0mtpo5iwuj1ddMMB6JRQUg9kvyqP8Zo6IMPvk+MKmoav
c0TQPFPkpuAv9E1yguM4F1pb93omrFNNfAX2O71z2jzPFrSIwXsHVYs/fjsa
nsJVe9UQs5gvmg4Iu8TLxMKyUf5/7jM43ahh8dMtxSLuTB1fkzrhFvBMs6qW
rKb8RLSgjNdnRBdYuOMZ/6d7svHd5TGImj2ZTAx7vf0aYWu9wwgdGaKFm3Ad
OKpUr0h+Od/s8Y9/gcHFXDLxljeCDs5Y0GLEDQf1Gie1KLlHtsNMQxsc0Yqv
P/rHhMJfB+Zv2DqTarF0svmqGQe2WMVzavkzl2Rh3s3kmt7Bf7nWaGQakmRR
B434uFNQGrW+xGNs0QanZ5qkZ8SY24eNuaZ/gwsmiczQz8iXbIcmjwEKwrT0
BafOY6vVJyvsD3kvNoMAtpM+UepiCgV0GkNigUWIF75Il3kviTwxKhaee6nC
q+zcSr3uT5LvZFWnl2WLI3FKFlSwv1c1Biq/rwD6R26P05OZ66P+lSJ7lWCe
5/OJPpU3oUX82sF1gcem6RYY6WbKUg0Zr4uAlfuNy4Hy8brWgC1aBRc7iDvY
KN4otJhbunGyGf+mpMpWYIDJLF/Jqo2ycjU+zT1ct1TyniJx42TnfvZTJnl0
TQpGNKZqujrSbdzNdnJNiWdVx1rdPcpfh2u6s437LFS7s4Xru7M1vjvby4t9
JdmBZxfvAcdKPkmc8lMs9V8pW3N1IFwWUfPs3vWLnoJEibEMMCYA2KmxQ/d2
1FDvqtbnIVzLx5d6vTG/vokSF4xIlWHR8q1ga22uY2tFIQax8p50AelOoSHl
oC9Xc5fiJ1FaR8WKgsg2miHzeadF7uyVrlAkCQroxHMqIW4uArF7gus5JCLG
JQ5pubRZYAu04tCB1j7al1ET7MS++dD8qCNqPjQPHatqvA8+NMcUFon//7ka
a/Rp+DCbzbL/jY85NpdmjAbwtL+VBCtsjg9se4kPNvX+TPxb+jcBtbm4sXs7
NQRLb7urfGtTR0PNtUMfnICmGGtRQ/QhZ8zb/242GdK6UvKr38xnTGPFSUsl
I4xz6c+jv4Ns6+jFaq+OXp3yHhoBtuZ+vDE0kh+UoGhapxzyHWQ+pLvN6uU2
JcXRvzSO93ebpEdN3mfxut/075rosSy67278bO45mtu4c3HDq9ysL6RV8Gj1
G98kPCe+JqCANhRZrBWSWbxDG+toa/Z99feBqmfsdQgBSkMtjo8w71Uqxrsg
78JigNDIsP0CU8+JST791FZz1mcOzZNd06TFtnNk5ZwyhgGNkkfuylEIMyMI
V+vgZKBFGQbcSGUR5gyXzCCF+2mg8YMZd1+nMFCwNrhu/upPWPEaXF9/GmZ6
GhaZZ8SKOe0Vl3wj9iJl2tMmBc9yeuRQzJTjliWZs24+iY32kGdTTTM0Jdl1
rdv5XELme8N/YRhpA85u7tMHXGQ8n+NiOocrjxMR9ioHJf6vj05NOZa7sr6P
VwhRPEmStVt+380Ktz+vZIFRr0NkhAOkbi6wMVSYT2J1wGH3p3RCEBZikWuE
UtS6rx9OudKBUdUWfCiZ+9utNGvHXYl/vZ3qBnw3SEc6QKhQK8aX4xkqjRyt
gB1Xje/FKK2I8Pgs2hmsV6WGNVb+9tnXkhLlifGRtICo91mNd5OfQPhayuxe
SiiXDAs4OzRwLQmDkSCwDYRzeSxtM9+xHHdIw4sakh/H2Szm6D2Q0d9YwQvL
BhM5loMjNLVV02kU0hVASWUY7Kx99ZRDovXg0n8pzg1STKRx0bLwPoSfq/df
1slycaXgJWcw+XQQvB/yPzYdIxuybgMZi23cabuUrPce497EnQykQgUbd+/5
Y+OnTGEa025k+ihkyRw9SaQK7o341PV9eBGZE07f0oiVc0idq4w7iElMpAfI
T1w9+JNWDz6i6sGKMzRbLi9+s7Lees1hfmIPGrWPXS3xd+HthgJS81dRaql6
Rv/yKh770u+g1BKAA8Qe5nq87sixpCD3aXS4dguoGU745deRf5XS/7rfhIs+
3r9UhHbRc+Wabx0+RXTKuANW3WzbU+utVtlAaA0oiwhbPSqiS26amZsUjMns
2OFQvgeldDgFeyoq4Jwv4UY4qN9CsdRogMaPUISV35aPYQBtuk4KZaecu+lP
XmmRi1tj/cyTnb+iqdgfNq7UMcFI/ZElEiFfC2rQunvzN7rYLhIqVgkXcmEv
aZmpqmdJaLXVfIZwkH6KrShgVSVGz1bLbp0hxZKzbcQ2wR/U3gYDUirELG6Z
+yCs8FuDDRr1pPhWiY9XCdQJ4p51Is9hdx78KykZ3NyVXiLCIW+U1581D7h2
6GWqr6qdyPk2HchR1VlxGo/8aRTEWwemkdCRYSD3cjpjeZVhxovq+taztYqr
OcSH760YUylNw5OKaVes5TqvOVlz1SJ2fWjVmrNRaASfp5ZDIbvy46r+ZQVp
VctLMYymSDdsVST4aiEHwcM8rDDW4nxeQtSdT3PtEUNnW4NkqrbimKxxOA2c
mhThv0bKoB798dJDyWB3QvJE+wGh/NBzVwSnNLdr000oScJh4RWP/1E7g6Fy
Bk2PDBKShaWmlYbfNU8eTU63r+K/RnUf1QR9mGqa3DJRTEnCn0NIDluy2mVl
z/rNIHTebN/Lj1CXx68K+0kaIBUJjqFUTKx2uA7L1W4aYjyT9QaynpTjdfgu
OmLYZb/DQypez9Hp3IDIyWJikiqLw40mJs9vGCG7FLGvpViR7Q9BUCkhWjXI
n1X+jxmnytOQKmB6ByayDAzR03jAwJV4ziRMihDjUi3D0mlEc39NLaepKAwX
D9bVctlR55iCcabhxdETntxXpVVRGqDkufCKasQjTkegIWIxkWPa5iJpDUzX
ZAp07y56qhkABx9dKN65yXtyK5KfHdygPVDSoXKT5daOxhlND1ZZ6bW8RFuH
CY7WJzLYsroXioQs3Dy0DMwmtOlgjl6CI1oORBLSuwiLgBosnjMXguZwDEbB
nV8Sb5Uv6NB61jY4Xivj+i26ZtOoJuN+3opkbGlmQdWvDV921xjs3QG7os2c
rxluhIFz7T/KovlUiapiDORb+ECpeoGHpoUZvfHXKior6EONEnArGloYZVIr
HUU7t6xQIBzK4SqblspVyv3lvIBwvPNdZJum7CCP1m9D1JRE7t1r5Use9NCs
UXokvfRtP99eDPH0nCkyO45q/Vbq/rhQQRMMWpEZfyHQeWUW0CnI37ZTmxQ1
cQD8Flg+d6urkZdGc9E5OQ9aLddyVnWhBE3xFZ0fXTN5SuWbXWsI7/j6ONcf
Hx/TXUoG0wGb1KedEieRVrgUpgsbO+BqsF+pCuF//+HpNnqlAJTSzoWt8RK6
w5i+6eFDaegiMK5cVVulSQyOi3OhoSEYoIDzRShD0V9tquEegdHxaRPZorWR
mW5aNOterUfCghLt6IDS6iTMmBNtIOeSMKaeTmU0yPRO8N8jNHWN+/+jBVO+
uGo/nS0UY69i7Pbi7cWVuFvl7SHUTFgLbjqGs7kKaRT00j2lMH6sg2o3th+i
Igp6MUB3pMAtdWxEwkZFG4eBZR47DWwdi8G1raXszabqXE44d1UIL2F8f2gZ
6ZPURI0pVogcTMqXreYtAIMk3OidRqHwdrM82wH7yGP1NUCo7tDrrHbH1Irl
pqJbT6S2BbkvnLWkyzE6Ja/CChX60SgQqA+RVn3VIhMaAGeKPiPP6pl4xi1J
eNteCfWYOtE7znACxum6XKDKuYoXCYBrcdCmuh7CXmpGgruhNBOJ8CPmWL//
hvUoyA3DRmjgZFzBXc/J6kchjKYrpXb2/JyAXZra5to4MqCC68ZC00oJD7xP
HJmuWKv12Rl3MqSYFSPwWVWnO5+mBiPacq+YsXdO0FondWycJ3+EYXJTtI+L
rx6oxe1GaKfFQhWfm0pRtG0LlfZZTU+8kpFwPleyuafCUMAUfrwUbzvKs7Op
WpUrocSl7Za4G0jlNJZsHbCSWqBXoQ/ykngsBRING7ls5c0bccbBR3DAaFdE
Di0wzjqg3Td9z1mDWTKhyfoxWW0lNxAcZYW5q6UlKTcp9DYan5JEaTco1bzq
udEB0GxLmmYBXBEQgMRUuOrnmrTNdf5AXOg4cK4/gsSG3WCOSQbNUrIaT3OF
XIQY/pqJBdAn5BhIetyPjtk6L4CTVlzDWlI6+pH4kQCccvOhUR4JgfWnz14a
u35byRZXxdBzNfJ6nimSljGllo3ipB91pUjrKRo9FRvhwl9TQEACHVXRp/DX
NIgS71epvxm2WiJxe1BxI8s8yIb2gnw43zCMr3DwG9gqY1cb3o1kCvP9GAsK
9yPdbuAr0+G+LJBXHJ2/7Fej7JfT0wIdlwJsZkNacwxlG5gQ1DeyYo+XNuXC
FUdNoUNBvdEWtdSkOYldg0x3yfRA2RW9nrUctR0KTgUavtWTyJYMgrjmf9ft
MTR87TJjbuYCwij8OOJG7b2fWqcAkDTmkhg6An4hyyoYh0AfxdHYQmKmNSkz
YEkBJiHNth6PIV3SIXrPXf24epZLycspTC1GsnWITw/VZjhWUNTaFJYkW4Ia
udpTeeSY4BA3VS3ERCy16JQ3GZNvuVq7/QiJAtCDjqlhW3WL2F6l+AkZI5l9
xvIs12GC/nnzUGwtaXvti5PlxM5SLEuLUqw4h+cU/JlkmGYG7SsgWh9h3pCI
gBLsYeimExkGJ6H1h6BRsQA7tcethNa7uZbijvhIi8D67WmdcfSgYeY4MeU8
pBv61jhcNNAhZ3KksTQYHAzQJLuUQSk1bip1VaRl8s6kGVBA9o9o1rgY94yw
LuMY+Ed6FN0M8Q7jBSL2Dm0aQIW19KGa7Zvdytw84rQs6WtckDU9bMh+An0C
OXMpW7NlWuKEdKyS7bZxpR2kVDBLaOA2WbBkJqrsCgzkorP0nr2mPrqs1TZ/
BcAChAbabFmM2uNNx/QZLJ+2dwXJtZrhwnkXlZwgFlbzjKIpHcIU8B/lNfo9
UkU2A2MhffIACS9k4XCc9uQArs/D0WVcid1PXdwMjQX4Zs/CoGGcUig22Wn2
1HCy3WrcHrXvU+7IueaAZL8Eo40XCTrEUiYPzsBu4BSJrLO0Hey3AYAox6hY
OZv08UMvGE68eX2JmFijPgQpPUOjKxcrujhA1l9GJJHNk24Vjb8gvUS5tiEO
nkf4RXzlF81h8t7frvkEi5gTpCjJK9kS6IKpREsjnkc9qPoFlSLi+9lI0hrU
hTJGNZ9gPTLsTgKYKP6Wq4xudaikOO649inKLhcxrQQuLJOx7ATH1fkSq5O6
cAWShTdr5a1Bwch+tZnMFqyN4fowK00l8Q2WFKHdV1NTUaYrcAScorCdjnLJ
toSYvbbu3H2Ud2XaFKWb24sREPkjSPZpKYrB76GwTLSX7amCb/8CHMkTlLhQ
o+RR2QtUSLwruGk3f8gttDbn7Qped7uRxr6puAHf07PDNq98a4UUl7HZ0BK7
+gDCWVmDpxEfS0h0LBrgc4R1yAWYXo3/dSBsOUJvkWjpxEAUao7e4bxIhBOZ
zuV6vZBnGMegPIYY9QI3Yh/V9K0ajiBzhAzX7dt1SpPxa6NGYbLP9DoZD1lB
lvLOA7tKj0y/y8fjfssN5eNv3NrwAXOQ0OMd0OISr7Iqa0vOMRMdFgbVhDfQ
fJodk4La5OQqHP3DXzs3OMZhqV76bFbIhhR1+D7QG22P1WlhNYvJ54OnBhRO
Y1Izg08M1SVGHXhiaipLb4ZyJrS8NcGKJ+80HvpNF+CBR4V/STEA+H7jCht6
JvH5ah0Irk2esxiY95K8o2F5CM/2DJ65Zvg4MG6I6VUro6QK0s8HmQk8mJ5A
9o0rXU917BS4Xbu6N0d5xM2/dWs7FAnrfeAa9SgfDPc3LmWY+Bt9fN9TKilJ
XDrL9tj4JJ7lpPejP9DHcVo/F2tbC6qi4AnS11sp4My/bGZr+k1GaTnZ2LvI
Y54dxQvOipZGTFEZKLqcCCuNkeppvIKCA0A/5FWbKlmw1Ibaa3ip+u01umjP
w6PioXzsW8KKXiWtkjdephACiFkowsMqxn6yRQ1n/LfgDxh9+4RyiiqAfGRR
Kw87Cw8Wccfl0tznuyCE4/5dE73X1To+qZUgLF5HgXd5sD1V6fqgJ7bCGhCM
KtEVGGv3+axJNlvE9AAuS6sRWVkRAepdnqSLi4pOpHoxyv+H5kFKjX5ofhBK
PORc6jUvL/zeJ8PlwzhdRK+S9CTxfX0YlcmgfEOseC2IIdeca0U/IASrJtc0
W4L4x1QlQY/5vkJM9kEYw4TeWJ+6XW/jEcSfhj2DguipWMlUP9TEU6g0TKTL
L2nhzbUFQrwOaMvGv0LB4Jv1ggi5yieyayAa70MhF+4PtWk9rPDpfWiIcU/p
+HSNkE3bt2lU6wLNP4NAMROw1rj8JVlZaihRccseqbFsd2X7jFBkLN5ngvzi
x3kyq5ZzH0mkBldA55uUWtv3aKyRF7HbcNiHhyylg8rbkm1BwM6DCtvprHxV
RS7YYK1qp2BhR3f9SB+JuP0z2X5eSMTzquaPwetILowKg5Qay0L0NTONx9rM
unglnUbZj3dU9g8d0VqLABRQjmXkbtabIk03IWgdba8LBec3jvsOeYKuf1iQ
XqpCUvUliB75PhbL63zXzykso4WunzXfS+hNzH7a7ecMF5hHw5DOBd9f2h6P
/8LQCY9m4DXXlNKSmjkM1ssONTy0RuQDbpmhWdoNTO582fy5//7AVWVgP4/+
Mbt95MDC7EzeJb2MYTV/FH1rM+ARxP9me+WT9LIjz5yqLv6Q39T+1P/30T/i
oGjV09Va1xrOEfifffCILOX/2bjJgZm6SrTiSOKuqar8/4bofextY22+/93u
nMYnne3V+jTPO1lBaDxDLGB75/vj42PubW7LeFbcrvGpX9/GU3km5ajlCX87
+hefQVcDW335rZAJNh/N/AAOaXo3JACd0cbLl5BwW6/2iAcdSaCdwM9eUqt6
qnYJNgkTrVgpkzizw8OjAxfZjA6ITB8hn30GqkS8OeIqsQRGh3qVWPi2p12/
8I3AS1nQK+C0vZRQg7rzYk/Dj9dilnf9crdsfga86hk94hmndI/pTn3/WXQx
pTAItywtcRqrwPQdOEuStXdZV5rsfy68pvhiUPNeJ3D0jzu3C4yUzBE4dIl3
CjN+M8lcC0uS+NJbiYBxWR5eFsCRyEHGf3ZOhUYVGR+M+8nNQvRo2Ksn3Tm1
M5eUwvggm0rIvlRRZO4wulMVf+4XaZATk0acn5ralGAjYV50Tn6QVYP9JPkz
6YFit1g70hbYb6nTU04rOWATz8HcAvljC3Bgxy832ULCp+Q/wIrJ1/ccAnHs
K8RZ/Cw6zRftGyT9eBWk2LA2pZCQMLn4cUBu385P91B3nfXnOwTgQcVb5X63
UOsAIt8ZVIIsJTl9lK5UIzI7X6lHyWNZH6ahCVXQHQNEGuLt7uHLcpTCa8FE
OC3nEtahmE+jGzMaU15Nsw0F2if+jnUDyc+/67fG9dbm4a8Zcy4ZWTJXW4lB
k8An7jfekKmN7E/fKJeb6X8LEFRZwT1NeisUrT0wfRw9yyIfbKNlsZBbKU1X
ZRaP2pZxdgKJIUBYkx/56yzRpnlBMyeiUJx0pkfMRtAiERotysOvLJFRs5qH
bXsV7PVkofOuMA1BrSbV6+k8dtlI5CmIfyiU9b5HioXYro/FAF+07NrV6BXp
8F171k0uA6ZFC8bRsVMN4HPkWuPK1gIQDK783ZkIb+rOoT6APsyyAe8/2/cb
Ku7VbiEWkrRQmhJcI/+Wxe2sX63F2qnASO7kAmjuILVJWY8D99NcQjgozW7a
OHQfGMzEZyv7XS2AJ9hYUjRnWag0DJcgSSHQzuJKe+yRbs0JJBWpcxb9INKF
2VDDhrDVNVcmG9iHxEBe2tIvdEgZ98nHPZy6V3KL4hnmJXzij+7Q/37Jvzq6
86m/OsS7bh3pD48+6tOMB3fdtyujuu7rteGQbaHSL0KX2Rd6WFhSTq6yTVPz
4jpVgLCDKfdNOsjW+wKSHC/mq0JWHcuG/c46uFm48/MsVMEG/f+NsD3aM9r9
8lZz4oqtvOM9s+t/5vf09/yu2Nzip36bh/5NvsdqhvnpVnb6ZbGXsodlloug
0WpT+EGo5gmeWfz21/SNwzv0DcOvXncz0I03uMsh379rPbDtxW7Q1IDdHcH6
0GkT0T0JyEJQjCFSYm4hS/RsK+EzdTyL9l8Gwg3mRKvPJGvkPGnhMns8e3Az
2tNns9Ozzfms7c77YUb5699+m4bu3SnsCbK1YGFhp3VrCWVB8TOirUj42oGt
BOrg9bqaudL3I3S66bp/MmmF2D/SL7N1aWUeRad4IUI79pohuQSS/Bfus+eL
MLhD29zas8P0ITBMv9oRfeIGrY29bUfEaPyoYGAZGJ2cnKPb/j7BLuhnmQJ4
/1ndPCuyYmzEOGT+BUAb8XBICUztvtb+Dq0EBjf5q9Ev8qx7m+4yTXPhUoVI
DOuQ3bDctK9l87Vot7EnDEZmAHkBzGmy5nJsYPx91HUtQiqpL7REr2j0YKdo
77SsJfH+I1SJZ+dNh1GGdd2dofVcPYtk7m7RFEplZKfuApw2WTCHFREab1gA
Cwa+QuosDJFN9M5tK5UGAJ0aFlyse5zwnxXF/3FkZNiDjORe3ugGVZh8jM6W
4EaGbgHS9xLMmO1qtt4ZFRK/IX113DczuG65LGV5S5Sss9QWQO44EEbvwzaM
+8BnxihH/c9PulV31gtAVkpVUr1D7n4o22Ww2XBXSYCQ980k6+ApVYLkKQbu
E5u9geJH4DMQz3XKJU9sv7OYCOzC9p7aKt25PZVujg+Ja9ccMiCnPIQGL4vX
Hxdfn6431M+YcUmByulqKyNFJen3qXp7m6FQ8cfgJUpz41xjo/QmCk/IGS4q
wGIunB4t39t2tb1WCGh9cy0pGIlrxC3RWQriCfHdwBfoQDg+8lgzN4bPvN4o
+/o2SecP15z288FawebG5I5Ih6SaaNMxxwz54NYiOPU+5zYtqFmIu3ErtU7Y
mWdsWsy8HMgqTTG69PoDJ1QUqiiiDEptopcWbzF8OE9az4HfFRomm+TGA4xL
zd8SDh4UPvWKsLgXDTSPdXOE3OnBoT1TAo+V0DVoV1AmOn3/Hp/P8s9Jq83X
3EeJvETmg+U9iqeFU21UUlIsabPdrRgNiBiEdMEFJypbD5zQjuKGvMGwXnYp
KEU7wJesu+5QGR3IhKQfSIBDw4sO0c6NRLmPpEGnUv191hDIMVkIj/+dL7/S
Oo946tNVRwU8VDSnDa8Z6qx8wV6Wcp529E+Rg0A3a2LTpCXFxijmlN2xokee
ZmbZCoYZN5d6K0tpmxEsId9a8AsQz+t76YlhnlrvWeXUw1r8SoKC2YB1n48f
PfvLkwccuaqFvopkcFMmg9VU0Jxyu00ocIFqc9KVU63VMCDzmlK0rxikmq9b
n31Wa25aVFwiyIdgc7DYJsoW0rJLFr17tyVqES/fipx7YHT8g2tnAxdXY9DU
rDwVOwuyAcPgZ3w26kg7eYqDfl+3+CDaxUXUvIwci8c/DkFDKT5dSZ5bfCY6
rL/WPAqHZ4XBy0aqKabN+kTZiHxj4Bz3oe0Rn09O0wT+/btac0Tuf/jzyOb4
rgHYXFuuR4vr10bup9L9MdELOUQv/nWxc51yTL5aEacD6Wee4B7IX2nJiuK8
cvRau8p0j+koWvtakkHXe1MyfNEO2PHhMQSXf+sBrVXam+Ksp36IhHQRRSX5
QHDuSOPU0g7XZl3LTdtx78tBeiPXZJBhWchBfq/7+z396CCEp/mNNVj7NWES
vGh3g/bIqOWv4nqR9Ci3HBSgtyAa66U4GXvV0dpQOyMcC1T3q7ibFcQY0k9t
45oOg4JL0ElctPl2CIZQZ3xZArnIwwRwBtQtGnuoU8uhDXE2f1c+LlowZ40V
6/n3hvjee/cezEh8ZwlNrJeFjIVP8KhjqEPf/rrrNp60x53nAgJh6JbEhaJn
+P49OrmTyRDP6684s/84OsApPjz6Ro7vD9rtXHRMSrY8iQf5y1vf3LEFTOYT
3cNEs9X8gabB/sXbNYFpiRcBoh/fPZy2C2TxoDz+0DwRFRJffg3PRSjbuPKG
p76rqXEsW4RXl2AoTDwiQ9AQp74xXkikkMjD5jdfR3ThEno4sHF9mcSugpnz
DTkUxVTskIuFiaoZJzwZ2c9saYRZj5YK2CkcOA+LIPOylKk4SkQZuhRxB2st
rNga5M8KJ9lNxf24iY7xm9b1XS10jKNOK4KHKREteHTqcITTvz6n9l5u/FVN
AqV8knNRnsHUksR94//jb0fcQSmb1MRhS1pCamTWdiLi1WTbMtolUWDPyYRS
97QY202zBOgQXhUwHP7lkMF8URSLugarppPgn/J+cbWLlAUkc4L03EzuydMR
2jJHN/F28LWHB5TC6u937W5dZpvdXuagu0v19PRGeWwvnghSON4cuFM9c36P
jpO0OunBiXatBT3IKWoQsYrGf5YKjlNZVMHsSSPiR1c4pITow6o4XJLv9+jx
cP0F1dgFdfPwQJXqYyhV0mdv4v9GLUl6VfTa11lP6DdjDW/T3G6pDw7rlIqi
tZbo+zTGJw/8qBg4D/pzN+pbt2XUj37XoD83oGZGBkiUTod6mdhwZWYTNuwx
2XZbvXcO0IwhXDs9kRmMPUrHiu8DYlGnw4GNoL5hZwuwsOggpJamcqjHiFLz
OgJjWvQs8GE5q24JLUd/fmEcYGfiNEZB00P1QPQna7Hv2Zl4/5lXt9xG8Rq0
W0KPjYIQqYc1YeBCCr20l8TpQemJj8Kja3U000z5I4BnfcMpjIg+e18dObn7
hgT0+0cvD78mF9Y1jjWpCvsyQrn7xyw+BZDXymFqEGzGmY9Sm6lVKOc2c64r
mCxPk7/BJONPZgzvspj5jh3W+y9fpGWyB5FwEUHWZi6W5UunZb2hQJ42X9k1
KFeiRXHlElMthEYbF9TZf9Lxl3Zk1EGODLDc/owfqp2pOmKPrQiNR3sgmoJm
xg8Ul0YMsuT0cICASfP4m5xjdAGFwAEFibk9pXe4jf9j8wRL2G4tAsK5T79H
JKV3vgwuEZrMViGc2JcS5WSHRu/ay3RapDLxmsy513o+d04Fw7llmTcvLGrp
H+gJMD9hcPEwV/hEvgvlgdyZvVrF75Ar+vivnPvlZiD2BfjbnF9kWYvKl56q
WWl7wOzxX7Nmp1N/ng80WZjZJUK0OhhdIe14YFnOq/eZ1hd1VroecbWk8iNz
7ht+QTTkQ/KasIFFOy9dCvu+J/WZZG46gwK7X3c87GgXv47Ko9Y2DV460zZ/
lhp03V+jk4B2nHr/mTFanGZ/+c36LUk3JwtjSvU6d8DerDekDB3nBeUbErdF
PIRm3lA3hsQGTUme2XojUJJmstzRaw74PYx1RgMEZn3Gh/7nl0O3m6/lx8YL
Sk95/uKHAyVfhvLlGIA2PNAoCvEoiEbh86sN3sA/36bWuyiCJeDSWdsvpHkU
gbXiBF5TzC0ZlS5wkyhlxv0sGzMlrPPz5Ok2UHPGg7tMr0e/W3Zyq6Axu+Nc
u4zi8q5fcp8sCp2eIMxyZrAAxzKSDM4KSNMH9NvF+TpO4mI5fB7U3UD0lDOt
5XFhl8MlkYjlPyXPaBgBGVIup3/QacOc490y/vZKmFPYI8TyL9tLprha80pr
gYoV1nK3DW4u1Fm/omWQ8yj6inx10tFk9klTOOnytVrL7xLhLIVa5EOGFbmm
IoLTdXxteUMWJs7miOo85Wz/7buAPNotWt6fhQEC+SGmk+Epna+hFPnFMhhY
J++oB4kQl7TWSoQ8baD7RUHfNfdPNbY1knGs03ylEiPbLHk28SLV1euRLUNT
DY6kJ74S45TJ5oziz7x4SHZ21NYsfvHnjbCkRX2LjhtUpmHpigGVSEjJOZJ8
xYc4Ou409GlqkUX5ZCGNEeIMu8JAE+S45jJGr5tckImeMxkhM+Vgu0bb19KR
5G5qNx/w6y1P14J013eO8q3bmBwUvSYKjrHieXnpd70hEMKjORHbia0LOshP
RsGmg4YpHxNcdDIOCx3kgz5dX/ZKfqqsOiltYYuq07AdNyJCeYDO5m07pOJk
C/al9SCID9EmRqEAYFdjw/RBQWRJX2VF2wgPgmf1oB/McPtCm31sTtqkrTap
p0ZOzatc9g7m4MO32XeSsiDiVthDFrPXBZykft96ppD9on469BRpqSOt1gHI
Fw47GS1P68EeRTAZDqIJFE14zrgfyJHaow2aijaYFjqABZOQLgQ1wfJ0Rknu
88dGGxGn8wovjDbqLYtNyTtAtQHiUNJyNlCa8z+7zbp8sLQN/8XWmB5FX7TN
iMMEOTyIRUW97tPRbAXUt4wFjXTuZF9HIhGpn/phkM4n8Zf01NTvKes1hzr5
gfRJOgsfMinhAg9cZHmYQRqCJAJopqIwqo+cmFJEPXpSlYaLe6RywLeNEpVY
FZkZot7m8Po2TzyAeoOo8VnCNSznR6L9RQNEKWzIdZ01Vyw6KvLLox2rDQoX
BFnbXc652+JT9G9i4Ysm/WVccrVIPvJ6uUniDvaus+vG9AcZhdRemsO6lnpF
l8cobksy3Cn5heL4wkB3dd8+Pi/DXZWd3cQA+lb8CeA36ImOy2WsxVjTVt7C
JTRvosGdHAdCYCDWKi3GRRnop8t+SGqVIMFmOhVFZZmlZu1iVMJbT/m/JGhw
NAY5UPQT3hAdkOyFmsiDVs/osFPEaIH7wFYCHSpcgDYKdGD64Y4jS+mWH2qt
EcxTwIF7I42/m789exG0E3NyZScIk718MSPqE2ayHtgpP+Xo2Dn34HXvvGlI
C43WVpD3zpNk9J4fS7iM36OAIPUxzwUFgaxuRS1nudu19bDcRCW5ofWQPmjk
qrwY5aY0DE2PVMZcmvL94+cvnv7IdR7pv+OotrvNagiu4x3kf5oUeHKzHowl
MV5F6zcSugrqryJS1dN39uWmpwB/8rWiH1PkSXqwETSz/We7md91bCtiU6hN
0qMSRk2QjDcvcI9jYUTIzw9yUQSt065lxDa7bYkCVjVLdE8z+USfv1xit8Yd
hbhKERyslfSFDGk337RvE/gLdlIOjY4y9wY+tc5+sKlFi3WLQ3S6QXe59++z
SOxg3TjTcJVZTmMiQYkbyrCDNK41nSRCeyUQKfsDx4Fzbl0PD7qUb1AoAb1U
QQBPLG8km8aEzTKoshcfcreptD8ZvGrkzpEu1qRfl7X30a80D8FO8reHaSDp
K/TvYNhNFffHRa7MOpqiccliwfOh8y3zUeOdo8eihyngH2d5IPeKmyySb2HU
yMJhalq3iex3Pzd/6zj6W1Hlcou495+ZI0aKFx9K2QYIvHM3jRv+we8ZMnoU
75rdu/egCLlpqtZ/RqJq/YmMKP9EqPG264wlPDrVxCv73shzB2XcTefJCMST
Fwkaa3EQDXaSxKScGus7pV/c9OfnpHVb31pXl8i7p0ynpK3bGaeATBL8+Xvi
oYZhR4CYchA/phfLesZtX/SvO7S4+Mgg4sGxzuo5G3F88f2RcTMwIRtLK5vW
UTfQST1nZkJ0faRxrmG5pgWCsTjIpIPfbNbW+bJLfEaDC2nNPGz/5EpVNhBF
JOFsExdv5TRQF2/RvmPS5N2KzY51kKHeZEY40ZMCfYa0tfwLwdQQxLiXLjm+
mcybvs2kjcyI+K/WUE8hOcyeq6tJIZ6Jp3wBvexg2Gp7BG0GTsArhl2dXDFC
s6UuacAKkvNEUl8w4w+lPBsfcBQggokDX4UQJoKMJIihnXNVKziyGdZu2Gbf
/YUPFPIqLgoovDYiKUSez5jgNpu2RDcTRMxWiwUl+fIh/6HQY1gPDfudaOWh
0d4S3A4pTT1AhDptTL5GSQ8ONkkVf3vkqWcQdDKkBU1FMJQFFUB3m806ay/N
uvIHaYeIRDDG95C+SDFyaX03w7Bn+P0gpBdK8US0o9kFIK9B9KLB0s2o/27c
+/VCm0txM7FxR0aLZyMoaiuOcDi3o4vXgkVGhRo7b+A75aqCBZd4Ry8ZxURS
yqs9Y1zO4GYo7y8Ig7Dm6xDp7ifLg1UQugH6EA53TlVJ4XbDsJi7dy09fdrc
4M29AcMJ9IpO0An/IIcB1KTGhIIJcrsr6k7ILZExvhOXHhI8ZZtw+hJDUSos
Msw1CCREu2gyDYXuriRctNIEBoZBEubyWjUvJrtQ2ZN5eeFLtgWnQa0CUAMk
XJ60kXPfzYi0XMKdbHakYoxmqu2JSBhFq/wo4eDL4oAfCgOBw7L2T/Yfo/9E
6Nas1yY+jF1/+edDs9xhjHfp0mjPoouajNa78l0jvdPfvI1ar4uWhfxn9kTx
L9kLTJpJHcynaQFPrtykQQMn+fBeA/6sOMlkitLIrWEGX+iZjHolBc86bKU+
FKMyYulsvuiMrzI9i6zzVZDCDCTqyVkQK4C8Ctb3pddQ+AioVoh2dlAje0ZG
tnh1Ztohk8BXpnb5SGKj6BDqp1sa+YVMma/eM6Q/vhSNlMVyX1/ybfKvmfBk
DK2CWTYztC6/6Obn0oFlFLUW3HOiafBMB8diBErXspSoipOipZFuBXQPYCG1
QpOP6rHGx1Ka7kkK8vmuBT72F8JxotnW36k2OjOksPsJwTeIeXUK2WnnyuWd
KhZ3Kxesc3dU8AHILH7J5TDye9HEbIybyCbyWa7elJBYHklLYTtQGqcRArhX
XqAp54OiFdA5+EZlw3hlzndx2+J/ld0S7Bu//cZx5TLh0pdBP4vPhOtzIyki
IFPRBqIabeKDEXxO4v9n71275DaubMHv+BW48gdX9c1iI/AG1bpr0bYsedqW
tCRf9/T42uwAECBzWFVZzswSVUvy/PbZ5xGBQGZWJaVWd8tukrZIZiGBQDzO
2ee1T2DOD4GB4OFc+txjFtzEt5E/8rfRptVF1k4Z3gXylmSRj91ttknk7PdL
IKNWJSbYPCzwAvxJ3thpwE8iJi7NFu0u8HhZl6e8jlGhLDVf4Idrh5JHtyd5
hHz6kR0TVuZCpQ+oOW6Gew0IyPxQEJxCmItdtdhQupWibrHevYsjBPOF1oA7
qp0eTbxdlj70HVXCU3V8aH0zq1VJhEjTz30eUghkWByeZcGtuaSmBXOeGQV5
tzf+4GmLP99pKIQLfXwwStzoHQu+dXgwdwcQ38LhQ3MeqhT8Xs6dRmkLH3Ve
nbHCq5XvLRgWQFpu3mm/tXg4s+uT/QPknwuOsoUWVL2CUVrf6pzuzrXmpxeF
O6TtZAX87K+0kc39svHUfnNHQuIItXsJA415bQeOt5CJ9xV3oFidEjphhTQq
HMUJ1MOSnIxtSB0txCuf6uA25gmka3YalWPjnLyiyRzMlFtRzMxH9WKJuHok
bKJiJfE0JidjI8tMLBEZVzyS+d0jh+cyIBOatZEZsNn6QImkhHFIDbMqfmEM
AxB/CFeGsYsKVhcyrOG1p9DgDIYp3Q3YVlFIKTkRSFmezhMRnOCvCRkG2iXu
pCzT8OUjMao5zUUMV2Y1W8ZS3CzTJ+qYvBLm2j2skRXgBV55cws8pollK5Ju
B6pT94n0ANTR29Dbjo0fIlEfIbF8soVCR8CTiH/CO5g2PlIlPtXt/S7W0In3
pscQVFXbtfXhkNObg7sbaio6MMGGFgbLjxcQf+x6S+cIekSiuvM8ersp3mjz
JuUofxjf4thDZ+wkRLAIwMgRdssGFeIESI5DivOAAqa53/vuMTGmmccgQcxA
/aG+otOxUjL7r6XfY+RMSLTJGJ87TPaxz0BTcTQjZq7H8MlNcWGCulWOmkQJ
kZjmPoms2C0bX2v/eM99oLhDWjDqiUxmkCk99UKvcuV3F5g515O5XaqZe2HG
ZqHJuOc4uSFS0LRXQpw+lnQcu8Fh1kFKyH8mu99Sc8MoFcCskngb9Q+nFbrP
xHKSOhMpIdtTZkAS6koeX+KFltfmPkfLHlt6O5938MjiL3MVVGxTFqKaJyeW
xEppKKVu2p2bJ4nqx+bLNYldOpAIAhTQ9mZ998j8iBVDIZ8vnbgaorQXsoHP
pM/4pESiJecG2cHrFmWnqtMltDxWf9Hz45SqkDkvLSK0sQ8reyz4qSB3dLk4
RCl06hmcLPWVOiiGSWLrL/mNh5/xHRfyhiKvO7wa0zbu3tq7E0KFyuf2b50m
LIXJeC4+qKMDoQHsoxZryxRAhbp8BR5L2J7WQKK4cky3PmIQEceLS3DuuqxZ
hH65z1Ty7Xx8mD0LUcppeCnfO232LYTk5v3moOg34n8XUpxFaD34IlI/eydm
lvHU0pexyERIQlse7UaoGUCvD5ptYqL69bg7GaH0LVLvaOiPRBxP1l5ecIqg
PxSH3gz2SVxqWFWZh5hG4DDdVSATXuGaUKr2Wffld0e1nULjyPlW52rk/6qp
VMeV5FqBzftTDm6UuyAlIkRdJecoqqjjzcVihoQq4eBnpwi8wtaEpUAJHCw9
7m/X5AcioEZeXhIfrP4Hasosjn3yoapJ7KvcAriLs824rJvh0PxSeFv3DfYd
E5ilyr5qd17IeXfepxzL30VkmxLd3wWXn6ZjeUG2dMroxU/wlkkRyg9mLxPG
Mg/+Y96ZRwlFpSSbVdCCiFxqwi8eJ4g8ShXhjlnJyeYCS1acJXkLKSSOZF0/
cOlwTEK3UvwbQjwil+ZcP0//GSp9SNIx32cy832S7UEPEj/jgm3G0sbiIp/t
giNyHlOS//miyNOrRTXJpbROtv39tSd7e3qKv3IueZRNl4Jmi4U75kJNt+vd
m51SfsVUAtQD8ZTIeeG94YEYSfJMDoq/xCyZxeMFuSyvvvyXq6/NZaIO5uDS
+/nuQERrGZwsDclZ+aG9DsUmQjntMzzUciKDLxgesxtbbGOJFC9EHEuEZNG8
NFaLfuVkxz1JnrtiAh+iyOeRz0LlefA+xBopOcwqCcpmLocJZTVxBJdy8YKm
8qvCe4aQn5SDLzrYaVMyN0aVtae6cq9E6mnXSJ8cEJg75kB+EmU9+XREOg28
+xWtHjF0ADXc39CWhkDwd6I87c31+JJDxOueks9I0vp/X6p1/DBbEfM3yYbg
RIF7wpjUJiB2jV7dULL7w5WM3Hel1RbL0UiCqTpsNttRlTR7K+fnst07/3SV
RqE9SVYAPnZX2IxXDMP8NjpuRzrj9oMM2PUuOZ2j+XNZPqpREqtrxRfhiATr
Uvy9cfImP0AteE4EsIP3LpBt4p2X3lxlP0fCfo7AMHrY+PxC3HWXcx/ZJXef
uvASTzMfzbFUjFMPzXjtYLb7gjRv6frdHpgqD6WMeI31Vd3SK+/NpDADwkMQ
rC3a+DJIcXHNDXaPvunb6Wn4MQm1D/IlHkXIWundPKJRshjUIxk1Nd57wqi4
qbFlGHDUMJgcmR6A0yn1Ad8kMgRDXalYnfFkH20uSmvz3RnZsz8QkhgYCQz7
EBP2u3W3nFbx2pAnlwQQv7FNlt4hskN8crD1guVwSHb5gpwIyfGC8E7S2tKn
CkXfZ6S9Y8eQyDoAMYpSr3c30hokfhYNxl6/lfJUfKO/X18rxwJ2smTmPJCc
uWLrkTPZWNYkmvajU0+Zw1fyLpCav5UKrxA35ySRmFxdtvDwwFawSC13qy1e
xaJ2cWR9uUCS9H5FvgTytHs1Nzfk/D1nfMhS7BLl9hHRp6qXJa+WsGxD5snR
0fL2OU4j+fwI1B4+Lk6eP+HpDHtdqtAwN1/EEY+DAs8XL9eigOjpdJSV8oKj
0CRWGWATEP7ft3SiMOhX15uetvTBnURyfhL35Y2iRZKMRNor7jpA4eetZLc+
njy24kFuuVRur42Kl06ig5FcREFZ32rTErOwFNjaJPJfep/gAubgeUsVAvmo
e8MCj0FmUe/BZOHAjXLrIhtGPaRUE7zn17A776ENc5z4OZZkIvvAtGoEI/hb
n0gSrJ1NhjQkcIabJUcL5nWH1NI9tiws/FYKXhIGL7gaA30mVbZi0oeAxhxO
lbKCoBAkdHGAyPab++DfUsvX7S0t0eow3roK8arj9vFaWgJMKzDSgzBu9/Z2
M5fCxq5ZTaNe3866+JS1Sf4QQYuWlcH15tUrJreDqn24AqTlH66k2ELaU9tr
dit6AUd7g1gmIyQoQpAOk7Zs1ty/q99TqvYym0nY6uTHFAGgAD9ZOQQtaf5D
IicRdN2OVFfjaGfLTqep8tlGIclLcvdCwiHnh++5oOlrJ//mOi2cpyt6h1t3
7ZMrKI1r4P4Hyn9w5H6bscVBsqyyYrpEa+hiWkO70+Qw/EPzX1hGnUhN5gQn
Nfx5l3+KMV19/A2ZxyKG9YM7Hsk3wPZ79rgvX5fpan2nX4nrrMV+5oHshJbq
jm66HpTNk4r4MIod119CA336uxe/TA5phjRzQlJGcRRIpkvvamnvgon8xWZ/
dMwEgK53kppyVOp2eezPi75BHann6rCwbW262DgygOhJz5LDbykMFlhyz0m3
jziuV5EFkhwChf0hFtpvYMYwGdb6lkMri4FFr7IK6Av4UyphGD1GxoZUA+1U
Wr2215NPdqdsFBnRlbeJrsgm0jIBDBx7CneT2Yjmz9+SdYfGgJducHkCx4Fp
ElXgxnU7qir224eEQnRUVqdbiaTOVmPa7hux4lQXcp0+r4oE6GlcWpCTMIDx
NYZWQgF8LMUA8sTGvxdXVOxNkkIaZUNPNElCS9Apzna95mY6M6HQns6apjse
BIVfK9WZuAQfCRP9/vUJLvCfK6Pyw8tABfIIGbjuul2Mjj2S03qDOealJRJk
sHDetPYzWAw5mS2DWVkQZl/N8vBdDkhipQeMh/fRzPtBj2GIeq2MiusU2XZJ
Zo3GsF6jDhSfJ7tcQqmaqb0XCbsKycTxIVl4KLWecPTd9YSFN9rSc38q0QZ4
hV8oWZ2Y1/44sfrgUpWtmruDkjEzlbQm38SH5V5CicljLogDRk1KTmd3jDJ8
2y1z3FExVuIPnpKl04HWSd66V2zJpXKYGL/aLTOp7aVk1aMVwCP/EwJXD+mb
281bzZ+RmABmBjMezkzCrQuefSxexJDbGsrlI4W6vsXRWQfuzdOrsfOi4qBX
/AnlpXS/tPc4Xe16DRXB66RqQ6365bYMmGqnKbwSPqWvUQnmF55Z4Nuf3YWf
EGXxleccUEIUtgA4WX22XQQE2dDnce6cpCKbo4TJ6DBUmhZ3HWWv2HHckp0x
be45FXNwW68BJbkv8F94IyTkN6vUICxwQ+ym4u9P7dd2fc0SP3KFaZMPws1a
bMuJYRwr2kdMjdiUb+12lB0/kKf3l1H5JO1vVspSHKF92pyUmrG3bv+gPPWv
blnSb7nvtqZP7PjZauPK1w4KGp8l/0zwgW8FiLDdqQ+HgkTUQCGdHHVScGG/
zLk55GC2TJqQfL3erdnI2hHPBkT1Gx+qnzMyZpB6JaO7cZYAETeKW3MlxeqR
dCetzJzz/XwChc8VJAfcIiExUfvHF+LzsdeLJaXnlDYkJ5pkUYS3DOmIU1SY
/Gqj0SGNtUeWa2zPyObUG4TlClk611q2J0JTtqFfb6rJm+wgx1SzCyRLgcct
eUyL+i9/7MU8ntkhT3r2xOUmKJ4rJSITIv3Vhnf1VzP1Q0RaNPIPr2ZeCC3L
sEe5RBxIk9BsiEdzAY13qnHtAsEf/YCrzZbx9JP4eo5vH1TyBBRHX/3Et0+J
OJ4CcsUxFJJzDZUyp82LF7/aqdKMq2kCn43UlMQLLJMRkWQkcwMNCROFWgkK
dEVfPcy+Et0pL5r4F+UelH1oGOu71T/A7LtZiGW7sKNnLtBFEdWyLOTmAd/g
jKb7u6uvzQeXC0+/XayUVJkc2+t23Piy38XCHizp/a1WIiW/e/GvyhvDiXN8
CTkm+fbEmvWbF5+9OGbMWttbe8yW9fuFS5lyxSFN+QbqdPacqqE7YCzl+Hxw
cJRegL9G2pso/F0UN0lehOz39Ev5OZfyf/nrX1bG1PR6NK//RnUUmOV/S5fO
vPTTL/75Y25AcPDlzrRZRLHXPMv1Rm/GKbqPcOHeuresCiWvfx6mVLSIo0lV
0xyVHSgaf7dZ36oW4aIJee2Dt/WNeCgImrA/PTeXcwNX7X0rPygvxQepqEVu
ombDyUnb+veWKqbH22PRybvf9puvPn3xzx/PQzHS0ofAmERgBYpBem58ttDt
YqYXT/QMhw5PfH33xl3d/YVIF7StF8FZYvFcbzHQ+zvPryP131PkmU6E9h3r
pvKB99Ut67/11xEw1QoxOst8C536zdtbXOLDC7/58ve/DnTLlH99Kxv9Hn9e
p3HwgMqOwsYhCg6/pERu5Oc4ZWaS/T03M34+lxU9j2uMnp/4+3e+qClaru9S
Wf80aieOv9vdTvoKPfGdMl20ID/8VlgfudwURJ2zWHDqBHi4uFKrxAKAf3bF
P5s7IIbtR0v6MV/xYv42T9gXfAa4H+I9IZmFrNqlJJNUQqRzVSdvDTpiIic0
ZV+XIplzpwn4cKgukkVYNswuJzWTTPvcl/Z8EZJhmLM19R0eIh3+7c+O63tU
0vkfSDOmye89yYeLqPRu51qiZUHQEi3wNr9h7/UcaZ/diwqBY5+0ROlj3xjl
Nk0cbVBrktgCjsro9cgsscouqlYinflc8zBnDiOrXK9zEyLxtQZg85YyxS/0
9Ety3DXFjXY+0ZtTk4Sja2ZsWN9+vXmjFYiCC6FuyUfBPL7ckeOE+y7oLSGh
i0GXOKTJZxEa3AltAnkcRaR4xhf/Dj6zaC5XTj+Q4X4gtOH0ah5e83JH2aZs
Z/AkRG+ovEshtWxNssZHD7VwmxtqxYP3dK13+5fi27hYXxIf/6cXYUe8XF8m
UebKSy66JCLYP6rCCzwkxJ/9sgeyEAX2J7or2dVyT5z7iwiMrFL9qdQlr5L0
8Ncf40H96cQFR4NapZ+9xmBlTof9N3gqrsHcLB98jxerS9w0jAF/v5SvPT5W
uevpwf5RSF4uPrule87+4eNR//HZs2dLxBpG+ycM//YyEOMebjMJMzFrM9fi
ckHq3HeGK3/n53yn5dTedYgP/sDuHy3/PKxAfaI4dfkByfEvDkk7fGrUd8tF
pWF8cKd5Vx+wCmArT49xJEdS+Wo0x/RV/V6oV/XyUGrCd14FfPFUvaRcSqKf
vdf6TVbJHpdLXRpOqlh2rBvkOsJeIvhjocdZPXNarY4XoE5K1X2Rv8izD+YL
P9BS7bl+8FTSKR/jyBFFHk+WcJxxEtMq+sbzEoePBjgfAHXW7TldcSLC792e
kAzbtyLflKsmiokIEYj+GEBYYBKDSclRJtnCEU0qaH/NFSCetP0OIAcKSuKp
JF95SvVeEoDdkVqAJcCNy4KaoZFxhpTyjsD6Hyj+PhetcwhHK/+liQ2gXdgS
ejl3svntpz49j5wGV9x07YpDmX7D+jxRiaSGunrvnKMiC8mJWbauuxWsRyOZ
S/89QwSFS2iqxGClJBBlboJU8jEUn7keEt2ufEHN/qjGP/mVV4U7VVy+CUQQ
jM+0a1LklNlsMU5VPyHr/JA66sASpAMA1fU1UPk9m5ysDOdICFdO4xtvooqx
nXMjhB3JoziZM+ZjP80OdEDAKXWYh7zUyQFVUKRJNGai3M/LZ58if96dYG07
5n72+dIz1MD2eixt+7CuVvejv9lK4zJSfXdN9e46hHhQlNRKSXja62SGnQHZ
MUvyw4bNSEJLPmWPuzrbNyGlLoRnfbLygepYLffHHBvbxRo6eF0oMSMM1Pew
npmwgpq8V9jrEv7GfKeZ+CFWizsfqVo+IKo+ps+VRJ9uoSknJwLmEnY9Kv3y
7SaXKNNH4wJVSxTq3m9OATDfljeCYEpo4GfQ+xlnSEYoT30n0VQnjERPgcLN
iXWSULbszDljMPH9qU9yXXEvWq5wewSbej+jz9xhcixyIpPXk2IfUvMZ2Sif
UoL+qGvHOebf/oyT9kflDafP/qqSx7Kzm9Nj093DzY2DyTRI18M3XPrIZWWQ
uEEGsikfvOVaQx9mbHXU/kZ9XDdk9qi+UNQ7sygmYS9yeYEEXYiJ4nbuK9EV
DXsYfjNJ1IZcXPOI71h5ukQ7QYYBUnWzxN0kntq7qP+XD39Z1gjR6tnEJ18v
5uSZom2eTQ6mnYCa8kPBmZjEVfrHPymulYXRM4VTLZxHzwExRdEc32uBVv8Y
HrvyB/MWuJrvfxZ3EmDQMUUDxPg/4H9+sFrCqeQ0nFq+g0cTUSVS7zMM9Kxw
IOKN1mZSe079QSKd5vQcAnSMa8q5onP6qW6AgKFeu+u7mTdZb8xqMPBiLTTk
xR9+F+TNbnVS79E2CppG76gvs9BnUb1XeuLNxZ3qbfVD8o7vb6snR7Z6+qSt
fkx3BzXj/Qia+3+CbMS30zgStFtM0iuWITjW/iCGynloazKie6clSay/OCiI
M6ruK7p4bpuAF73hKKG7ZWL9yDXCiQMLN/CTzhF+U62xX3M5Hu65EgYb0Tb9
A1Wu33iaL8EBSpO/DgFVz2Lx7be//u2XX+YVexK3r+6985PmT11AnFlFE77d
enpyDkbfrqWFJl76zt6xO4I2cAgfwI6gI/PFl59//uuvJE3hN489/HnyXCo5
pV0E53Laq1/+7vfpK4AdyTBYb+d+NzM7Az7lMUhQ7gEiAiNUVhdpBW7jZBIy
X0SZTFz+u+OOApx1DEVM7cF8NuKcYMGP+vZbyJtDAg0dMsZ5dUdH1CdNp4yf
+VkyQQSSQrJzWAJJtj89WOKiSAMfQjBMaX/IMnHYlYuHeW1pel8sFjD48Pzk
hny4wxR27tOrCG1eE3GOR7d0GNDc+GIXPEwS9vNZS490PNDCEsl6pRsdcTII
upsNSM0ruXs8MzZJpbrmcJI4zKirciGmtCZryDHhM3Xte4RTlCoNG/xyDr3F
vGVizB5EyOKmzKkXBtvgI5R/8hTOOSMhFs0jp83BqR3XQOi4x8UpY8732mA1
pHknuvWlj5T8HP9kptA0HAiNv9JLE3+vd+yPPmCkBAuUzuv3yGDv7MCLoWhU
puPGfrO+ub9RFoWoAeNOBn2iZ7oEV0IqB4UspSvxTGHLCjY9EUmJOjetTnfT
Wumh1I5aBA3YJPcidxarKiP9LPwqEmRLAeWnQHeHHFz871RC2ylKEY6rYBw0
r7cxE5AKtZA6vVpkiQnRCeu/K93ADITC+H1d/2E1iecuWHTC4Xxk378jVUd0
3DvtqF7qQj0F7tp+49NgwlB/vkuUifJKUzW5SPLhjvYidTs7qgmmQrX5DNFm
fCKzfXF65+MYH2DKjYed58bgduGF8Yu1fDmpFtN/8Exp4aDWpf3+t1+l5lkh
e5Z3VVn71M6vfv/lxy9+Rz/49Msv/2AqphOen7zXHHjVEkF/KwE5yasZUITv
LXlmJFyDzXD1tXmWyKEmwP16jUOyHV6rCAzs21dhbnwbpQdov29WfldhgkTu
hBYo+5AHOM/mLND09Eoa2M7dWJLOO95tkiVBo/MBd38A+uv1q8BSFgu2n3sP
EbvUVDnNdJSaRUkUKeRJoBR17xM5he3T9ZubVSqe5N9eeo7KG3vHWyx4Yryz
KtHMTjHRqWz0Vr7DwXPNepFRaarBgTmWnBS1q9hxxeg40gHU+HxuVZpokag4
CqmuSR8YNSSN0gnpjLHJSj9UuN7Ta+h8scvQF91GPZhI4XMzISH4o6Px20/n
Js2sexYrMo9XsjY0aYq/TM6y2ZMoRRGqPZLjarUFLyzkw5rNJzw+Kg+ORop1
IvmVxNW7GNHsXVoJhdCDd7FenEhnvRqZi9hvNJ+cHaH/0DhESXOjAqJDV+Tg
krmZ2IJwcMl8rPtaVZ/4bDhPSttKiv1wrOIOqJwS1ZIRqWXo80AKk5Ojv4l1
aJxWviA88A0iLw46D5NkfUSryjI+cArb9kDV/xANK7y3s4YNA83/XBd+fZXN
QcewmiVd0LeSLekNH9VlS8totwgVMyTCuf8rhYW+8Dw136Vfbe63zE/6wuMp
yidQwR41j4qaSKnU/C4GtTNKj/D5hx6EnxO9kr6xlJOzhOQnhTeBsUI5oFF3
jNnoI3pGpkOlhnOsAy7IrNTkMEmrxlpLWztOUqC5PWxgvVJ/HKlYn9rHVAz6
8mQ/XcTqwb9UpMwvl9OzeIP4lOAnJ0+9rujps0rim6sslxLf8/iupMHXMoz4
ySq6mS/mj96IMP1pTHF1jCnmO12+8zaYZ8nbE7Fpxrd/18dHkCay2oIBInLi
/k4ETIxFn1wHXdnDfvB31/e7U1nQP98tqsn4Wl9nwCA0GjBNM4envPFy3gb6
7sCYvJhtnNWBgSNrcEbr4pr4obq/HlO26QUNNyjWfrba3OWHj+5YqLCTqlC0
JPdHOsb3F6dS7S8P339xzr16O1zQxeeREJAQgq9Q+JCzn+9veZF8DjJx6em3
XzJbIx8vpq1a0X67/HAJyLn8liYq9CFle47k0y2MGq7l5Tb3H/K29vpqXt+v
18IOpTHpUD7x2Cwd4YiTU3Ra8X/4jifj9LefmktsS6G9YYl5JcDVm2D0/ixf
uVKcwrQ6V09vIS8ehLBhLpakOpfvO5szC1k4qT6s/dhEH9X7vONEu3/fTDud
art7zCxl4PAYSuScWymDjYwV8vdtiKaQNZ8/9NQ6R4wVZj4I+XqMwo49FH66
FTt9t/RwpBcRajpCKiKaTmK8E6iNP4xxGX/7+2Os9BBjPY6tpJPfu1i738Vm
azCY0ws1ftPI8l15qzc2eulVDjm0FlJtYfISQfsMdyMOKNhsOBNU6SbOjLUU
oxw5E3hFg9/m+C2PHRbsYjjc6x9q8xl+1zP69PAFInKduNXzhwdNUr8JYyJN
f/X15pryLGE2+KweD12XJPTH8De87cDwVzubvfDObaopmsHGi1DVERoHLADz
Amb6NvDejx6+S8aP/we/+TVnswv7H7UepS54s4UOXKY90V/ehB5gSk0zF834
vkExQY0g0iKXJsUcyPHRHYamFyeIvciqESP9Y6XXYrGw04NN6iv5y0t3yDf3
l5eLPEG/UNrAXRu9r1/d2PSjlL7+P3GTUV0sYa4XDZZ9FiHm/OXWYgYvXlxS
F3b6N43+JYm04/y9NP2ffMnNPZTPBRv8v3iJPy6fupTvzsD+Fy/pzycu1jSo
J58N1R+1omeN7rPJRdWwN3+nSfVMcLZ4qee+ViQQk0qyB6wSv/5HfVnJzUL1
Y5SOr85GSYyR5qy/iJvD09qz8eS3hmZASP+D1JN8UTzb04+v5IRzSJ5bJMk2
xZb8c57+I2RlXtVSL4absyPM6xtPupliPa6i5AbW1pSj/jzy2y/gEvs6TgQ9
FwyWC+JK7yDlzLjQK4XCtJzqdHFk4lwq/eLOt+shnzGX/XMdHoUVX1uG5d61
wU17frm5FXcMO3O4z/LBa0eh67Bky4ViXqFwyNNlntyy2iO0yJqPNqEq/37S
IE7WXEHX7GrxRdG8cq83AVjPHIQsJdQ57C3XkGkgNJines/GQoM74KShTkfj
S5zSSHfYcdSSW99xDRlxn817DH9Mjl07ew0i8dyzkeZn5SowKkT4rfeZgDcO
+lYcyctOwnKwjkWBxuDmJvQ8Z0EOzaGklZQIsr489AmQ1/i3jIhe0CaXolrt
dMt8rRJUkt37jntWAsvkNr2n5Jst9qWIUNpn2gV+Jm2Up/+CAuzp/PyYSuJC
BsBnjQn5mCGPcwIDY97V7CT4619lBVaB0OKJLNjVcRY/8y4uffJxOxEJiUd2
wDy6OFpJY4jjlT/3kzsPdHc5zxSpRZ6riHeKbu8jpLxp/VRNXDIr6D70fH8k
TMrVPDs+1cKqKGdGJfyc1L/3Mi6wL1IqhHe6PaZhjvbgQfToaDtKozqSY6JI
WTvTSy51rcyClAGTrFG/FT+CVj7IJf892oi4DRnhH89kJTvV/hcfs8a+kWQX
Bh1BSCjdoRpz15ZWLtzg0kue+UVsv9tse/qOxO+Dz8SbwyykOFhme8qM+fjP
+T/mf75o/+GzN5czRdjH8zvQQCMHPLFtEienX31OYLz47A1eocgvVYt6FRY9
gYqEZLUjhnCl+kzTiNRTb2bqS/Xox3fBNf4urOpDAPEUl+d0vdlQePpRmktv
On2sa6M9QfBKuqkiJHIMGLgj9IGL0nfhvX2I154DK6x6j7LG5RWpazdz9IVk
0lnlzTcn8eur97zOJAN7gWwkinOK3VeaeNNsxx1qHqH5Xe9jqOhFzlmGXg2u
hFdl7C0hfOVh8mEViQHEnhs2Syxe/mHHkbWnAo+yPAQC9Yyf8FVFpO5z9Nkf
lFVgOuFM3zT2n4TmJrzVuPU6K0HKZiGWR3KaHrdWoR7I6YLC7sleRUq3FrPW
EOszMfykB84cb/HvtBH6zBEZP02bBhwAPLrvld93d1Y4wWbGvNNimeXxrbT8
i0JPcqznqikvpp+np10jtF+XjVsuF/ed5VrkpCKYsHBU6X6l4xCEGF536dIL
bU8VojwSZxPtdYKJcjHM4vJgAgLSf2qgenMSu4QBnZ9Fz2mmgX6tR1yqQeHE
nxt6SQKnhFRZPeqJZQEn7jsK8mubmEd8T09NxROuMs1mEH0baWbVtfSOXj17
OX/aoqQr1JhkeMjHdWHI/eXlTk0b0j+vL+efXYTBHauwy8ObfH3yFrhJvFza
d4iW6+gGu/QfTt7mYrnJ4tMG4Lzb+eTbTwkLLN7TK6iAw2aYxPgYssnDJcUU
qySeaKl63CgDMRPgnULZ2HM0en2Y8CsRcdIJFlnNpFRvgLpJQut38S98fXCb
iK3LexnWe6aW80BQVnAJLtYe/Akd1JGgT72L/uJkiMCfUqiv9S3Tp5Fxn1hP
v7Zw7LM9tlgkmo//Ey/n/6H1lD3tSYRYgnvowhfQwgChrNKiLTkBtDIQVtqg
UF8qgi3swFKn05c+dWmR5gohL2clZDZ5VwSPOQrNvX7ot+uInXX2AhPECkbZ
hWRkxobEZWwmn0YMF0fY4Esll1QT6kpgf2TrssdI8h8jM+dqQSal3wrfYAE9
m5sKPsTCljHw1vVe8OPYL7lPtIdwXDa8aLXnbfGLAPeFZY3r0WYGQH/yhEdK
Po/ajEgDWJ+k6O2ZRT8LphuUbMID5+1s1ienwtPs4WfXhodn+82hR+vi0ZC5
IreT/SwivxDhkeQAKgYFdbu5YvN8lpo8nsVTF0jq8tkBk/ChWehVnFQkJrOP
hrxrXsyf0jPzvecjEGxbnGcVQiRUWJiF7PYDn0HwHs8uA96LYuQlJ751YOUd
3kBsRDaztve3t1ozJlR4dwD436xv5AWlXSFgjufMDLGq6KRHwWoiveJQ9TIt
U5gl3i2bIDmVTcBHhpO93j2vIDmZV6An9ZOUmq8/kKNAG19TY+t4rqVMA9CD
s0zvp2k9cHPxqBfF6F0UcSu2uEFx0DI39iEZXm82uyB1ovifVEQEyhRJhHo6
s2mwd/v7rS90OJSKoScf6ykVKDrYZEdCRsvvjqaHCui12Mknm0I8Wbb7KXdw
r7wtHuRIiIT6DMcNJGYLEbgYCuiq/YffXiZ/uSIN+jBrr+V19OsvMxb6LWCJ
uZzbKuBQUcKkBPaIW2qz1S+JcYwvlfQU7xG/38F+9nVb0mTCX1iX6cnbQvXl
i28k/htkc18Mlht0Ysd89ekLYvz4udgE8uOTm5u0LVOj6jew+8r29KBMlx8+
AooYj+AfcQeUcCf8QNU5XuXk3cjVcLH4DrQ58NXi/viI789aX8HBAamJl1/z
Oien1nktFJFFTu93ODJSI7QJ5P3pbzx+Jq2ifxHOWPlmC3gLTyw2Z/88ErsR
mX9/wzIE+pRRklhiyYLmdZk1I81u/PF7KnUmeTJ1hvKUD+sQuFOXH/Zx7c3J
B8ZjFdRzcVx64hfiZBYTZwA+WubjTb5v7LA/l5udnEpk4r5sj+XQH7RNfrEw
6iIlEdCt0FrFnomlIXjcXVUk2O++cvsrIqD/lLLxgap/eU1N5FIicr1+RnNG
V3wq3LPet3CMupcx5IQKYXzhVMzQOBvoMzp0JKLjcp252XDCvgsvzvnLnMlP
jTmk0+JtbDvNqZWzmcLyP/EuDrug8j/whhx4MI7LbpIb5/Ze8B+GVULa1WFe
bUCEcvxm7UX+b6UmtmPU6UE4IT3hpLKIeprDFdkZ62265GKNPfDyyds1FRY9
aNQ3Nri0X5pNLhY9e/3XL7m/vQZnpMPLa998hY6x7wPJvU2TfznZE1RWhriZ
1rjJa+K69bWFa+7peH0/Kj2TbMMkYpAjaBg1s4q7jSzgYNwpnMNFX8ii+4hE
vNAaERmIvziVJmac4cawxPlqAx3L8kjwlqe15G2uHRKj7u+M3KmcZbaNAoMD
7yhd1Kgxp2cxWpBNS9xe5iqZewrRXZno9PAULPqXHHStSaKuNbIdhNLjZiO2
7m0abFOO6e0211LQ/8mvL2CdCpkgq1kb+RcC06ZS9hOnwXYffL7M53di8jUH
/aB/KLtNopbba+mYJ47vK+mYygFjGOFM0AXRpD0IpGCcd7HPnbjdcIqfmhR6
0k5IKRK4dq9le3a/l0bE7GV5u2UtzlbHR3R7nkgaLn3TJwbGKYOX6Wvfp2Gx
lIEBBWspFLt3ON8hxLdIVdtJUYHXug+3+INGu/TesnXpf3b1mz+QKccmSFTn
uHzbZf/cOdxL9tqvXnysmg/aPXLoeD+OVeU+cqeiOCWSHRhiFSaLhSQ7mdKL
fAMhOWLum7sNc1Nv7dvFDM1b91nCPbnJt/LYSCgz3R54gmb/3o1aHjfJR7Kp
qTnMNMmXtQmAuvE9ScwciPcLRP5rQebJPIqogEPotuavTerAOaV7hPo7NFgU
WKRElEpXrufr2k1M1MCnjxuniY2URMYdjf0RW1UBCO/rQIe8P2hAI8QGntfb
H7VQRSpsNGSR9et9JNTevn6IGfVD8dXunst9VQVyeP2gg9UTxPXUqc0b/SJq
hUFfcSYvFqMGdWRrClQQ+Nz0nVyu1NKW3aQkiG188mMY6x11N2Lr0j9j/uCd
9JmOQxazOqTx3diRa3FeU7u2R0Ij/QP30WGCkgN34WIksR/4JqzHYtdL02lv
qR7nFXtXfoy81UHDoiVZKIfp/nYIkHYZG1voqmOfwVL9Xe32D9cHzANLTOhN
GcmCDdA+WbiWKIdRHVdHKYVasDV3ZxaLY7WUMkdxtuAiYvj1iOeLHA1Pxw0W
wYKbyOt/c+TAv1ErWORNqvLGZ/NHLuXFHcUBvnAdQ2YRrUUSNbS2wocyBWMP
m6sudW5D4fO8kAv/Zdw4epUeBnLVm8Z+TQUDVKZ+K5adlqv7+SF3zcl862XN
3qnUa0mIYWW4QM5CdE5N2GZHS2AxOkrk0f08u6f961DCgvJaemkkzDUL59DP
IyatZN7b7AClhG+7D8ycs/MwUI55GgrvgWczMGHpHzMypCcYGWCtCXXn78j9
GZtosVdUgMkj+ca8kY8ThkUo40Bqz/QFWRb7F4jtjbvOejqcOSdpFYIDvmR3
WbBLQochBZ/4mQv5sUpejSVtr6hI5oqfTEkbc6Y0Zvp/h+y0kwnNSZTQLGp0
6ZiOCLID+5ooxGQxcaR/tqNXfcpn8nRW9DMhBmG+j0Vm92EpGi/8+S7QkRyN
nejH+RbJMnoyuzYXHVplSW+Ibh6vQqpx+XDL/UUfKVWbnZJRfkjENa6djH1C
o7bwWvQlXXY/jZ4cEiwXemCpViIHTEgDf06N5Dz49IliTNEeGGtYHh14TKIW
yxR68FjZL7vPy0vCFXFprOwYaZfB6CfkvbN+2+yUQH7Hl167mZ1OK6G1hvuU
r98t89oXqi95gkBABM5RAj73GDzaXu8ib9RgnZ9BjQXn1u1REDAQwWj2C1eT
a+NAsmqf4CR4nthoh3Cm7fktoq4z7bQgIuv0oYzUgfbrPcrZ8ed2paExrf7W
fXAvbdD8OmsNvU4yMwn9ipsjpF9qscqSL8h/eI4uiGU79cP4yqukw9uKVD/K
0J9P5FFrMRFkDHklN89S8CJhrSQMceIOmCsG5NVvmMNMKDCPmyvIgkjNAWvq
V9vN/Z3Ps2NvZaD8k7DJLijzlPixryVrnJec41YsJWJRo+JfDTxCsdKzlL1h
ZL8Or7ebW2k+Kh6i0BwFLzcHArbuld2O3CAjzpDkhAYq8f5MKb4Syt3TrECV
5ewz8ByEtIVZzgllq08i5KbsSfLxnBDZhyDw3CyK70fcz34W5xw7Er660yOq
Y991W5vWLbsP4PDumTKOT7v25gnt6SUh0LNtLD99pOtOehGMXlrvuGU5JUhi
LzGjU4+VeyNMMnTZi4+/WkXVbR43847BxOnXLkkDAdJp5jn70tjTziEgQZhq
cXLvGm26HjRfuruzoqvJg/nAbC2vodGEWfpfZr2vJ0JenK0q2cG89ScOlsmR
oU23Z4twcM9TKSYNP2PEjXWZM2Z30uiVMw7oJ48upk8FE7Y97W7PC+H/forp
Pb6REnD4N5y1WOq7Wk92t/fe0hjz7OY20A+BRYi+zgILwnvHuZdMvUpbFSPF
9opmbzkNPfDTRDs+guE8DOoaxSOnG+AlNQmZ/cjyppoUwXkEgHjbaG75JItj
TOx6/vaVeqG1DxNnGeNAulMnyu/medJETkQkeSQfuESKXld83lERAjH0Cg1z
SFWLwtXEY717vogAU3Z+lCkvjexDDoYqcpr52boXwsGVd4iz3zN26sygA2ZI
sqjB+Jwp+TW4zMKSe2wQlhDsE3hn+EBQUE+8UpTL4btGK9vUJhaSXsxra/ND
M+KEovkyoncnGiwmY6FiF9pl2/udOoo9sajWi3Pdi1YDCsYQP7bqDf6i5Igc
d7lehxoS7iMQsN0q8RiWC9eu5CgeIMoYjorgojYwvvzu6ma902KPQF29vjkc
wEz1wyscnS/u3/bGubvdSUNClKww5kTvzvGNXaI1dw++wZkWrSpXtwZ+9+xG
5kSGmBdWUDuleSX8mhpeOBi5Gttzv/AX/4rJYHpW3zPqa2CVMbmYb73yicLK
3PNkHPAUDqGkUxyHO6rbk4bWoqO03dfbOF4zawn2kNnbhBl2ZbvOzjAGAeRk
CzkjxDyA3XzLkJ3ccsTV7cMnfk+K6JshpEedpFrFladJdiN1elUVyEfXt0PT
cxHRE+tAIT/YK033YdAryx+6g2O4bvsGE8I5uHOqC13tSYTx+M8vrjev0tvL
IOE3JCziYG7CvDQ+LL+ZdvJSOBOabcvRuZ0QIa7J2bEZ/akC+HobOJQTnXIm
W76SEJCfYh4Wkdhye3CSbPvXO9+PJnBuJY/57CznpEfe4KMuhvMrJ59fmEuu
JAk13/oGQU9qO88pzSVEdAKvJREZz2r278RBcD9b0mPD+cK1pcMnWVa7ed9P
euT70ZAqu392PiSgcIQCZsmSOUPjB+4bAsjrPTduPAzS4JqHnU6XuBqDb9y7
xcOUEKB83K89e/5PBJzY1bZ/JJ9VvU7SlfTxnNUXy9o8mc54ssMmTZSwUHKp
tpRaQpw/8ma+ukQbDz4W6dZ+RIEVStMG4shroP2cOZ8WwdbgE2C+bA7q8ZLw
9tEzLQFEhl10Je1LkT5RMxcf+g4ZDZQ7tlr0JKOEeE6m4M7frMi8Kz06a1qu
Sim3lhBWFCmWcpS3rx9CmCgsJ0WHaOnDxmAExwE76gR6q/Gtg2IJhlPXlD6h
dlQc+VUHo0+PDs1hH1t8DWQeMYr5kGlsp8gJ6x+CuOS8UlyZyKtL11heDW1B
Sax00fe5eaIgTn/A2dYKAeuEtQffyHdnYKPyuOrhkfa4xD4hbhttX87eStrK
c5vbuU2a/Cs4Z+f8Bu1rz+9wciZkB1EDwmvpNeWzJeRdNEcT3/DeVGpUQ/uF
dqgKiz1NhKb//nwnL729vw2jY5VHkUC6IOGxLvMIJE99Tc6AACWOFpL7kUQY
P5FcEF+5/VhHYg4ocucX4flgpeRrtUX38XXPkj/ELTNpZ/g8WYFtC+0mRqKf
xVW8kYgYW3fQXhoZ7tJ5zeYjG03X1y7K+GZWkmR5mSzw8jzz1ADmawdB5kce
9gftSRPSkJxxPm90Oo7zeOYci+P1463C0bL1q/sNUUzrJtlyk2V2Cs6zuHwy
62Y947JSCSCE5Z5nFLXXRImBjVzuOdxfS4enkdXX5zIZ/onX9gHm0Sp5K5UZ
/lzunHvDACVQKLNDBXiWvJbadPzU6AHJ1UkXRhAPTwbvC+p5Ve6Jzn0vp4fu
oGV2bEb5gnNtT03N8HzO3mLzyzrqVqVNubQgdS22FE4FwArRT6lplgTZWJIk
fqkoq3Gb/gMfXrpuxZBK+Si2fqXCIl+JvJB2y6uE6F4kd4FjbttL3Omz1xAe
r2GIvvF38ew7ypPBxrx7K/GPhE+mpyHmf1B7X9HCYnaoKJOdpQ1oacIWi7IP
JAD2ereJ3ILHw6bh7G4I39qQZkP9s9j7l9zdU9/BkAnkd0ZgtsF3Xq+p+wB/
l/rREnrYy4ClRSBJcV4ikbRbtWUkwfVw5NKMW5GuhDglQv0i4UESVgrzOU8F
nYue6UxlzoIwDy9J/aw3bynrn9/Fkx6KuSSzngqr2BQKW8K9fe4/AUTu+XFC
1aid5ZvO2msGyzwFuk9P7GCSoB/zLgk5tkJ4/bA7mhochkQZ3I8X4nnInk4/
Wf+CpHmsZkxdtKW8K11EHk5/WV1VRe1z1XVROexPj7xymiw/cJt1t6PzqeGr
hB/PXjyCN1YUT5h3ftndnWVQi/29eBV5TT5ayQ7Tff0w5xT6QUCeXIc86OG+
V34PYYaZ301Vs65gMCFpbOJuWJOvbEvlPb5iR4u58KfdkkmwlB2v8E8Aq61v
aL205+K1E5lMp5JnQ3C7pmB4ncrF08y4LeqS9/ykfY9l1qlGig8tbdWbyAKR
ZtMHQU3vQ5N0smW+KMMHdulobJHN4oOeLelXbxwleFAvZXut11zt+MN3a2NA
EUvhgj/F7UGNa+KOVemFtuhLP9LCWd+bz39gLoOQj4ad3HJvr7X0cl+HqBR/
fLX4WMhVd5wBGqiCGWwmagLObX5FvrHRyyeJXo6xeghT2LmFIf7FPOecrUQ+
b+6E+mtu4uV72c1t7L6LutPFHY+/Sz+YHUrSgc5PyXc6JekFkQZQJOGTX/5O
GDN1jr7z5dsXi/IDvsQbSnpNll5Q0dzJZGz5QuRP4u/gruqmkp/H+hFXFLk8
JpIk34nA4M8/ezNf8xmRSRr9O9G7Gr0mus9xjUr4kaAS/FvS1VaRT27OmcDi
s1CiNb2SbzBXvTB4He/mK+0SqVxev2byybuZiIs2XbThFhO8SuMFIZavL57I
t3/xcs1ZxlyIpA15hJOAHKY8GFU1ySBKLDKrJf1Uvks3iksrpbvQdUBlL178
imO/sPsnzhrh1KbAyukvs9zIOPjmvIM7qvxRfoTNW7UFyBMlBljUv8u33aYj
Q8KaGspqUgtX+lRY8P8HauQi/3PTqQK7ZMk6Eyqy1cDMIBoWEt6fQDzhmaH+
v/zPV1W+mmF9NP9c9x9FlcjwTXPc6Jv0a/z/QiqMGHMxpwaMVciWmI9PFM5v
+VMMms+yJ5/xi/pIK4RneOdfLqkinqdt+q/y3m0R3ltNsHjcGqvRPIiUvYj5
nwsTxTTUMHxNIoW1O+YBh2LOOcNDqhDDlBErW8oLCWssVkH4uS7DYpKr2Pwj
1U9JfuqKU2NxnCgowgdC84BjhTG83qzF0bcQCEVOc/FVoIh9bAP4tocyhAC1
tGPEkvVfaxioDO4upGss0432spIat7gnUvkkPZxGWr1TxIfHpN2SYsNOMNoF
Qsujq0C9q549e3Yp7dGw4BtfZk5KereHpo8ZdpNHOjj6+hKhyoxVwUcLVUAg
e7MjNnrxF8XdRiQMEAJSvjU9pwNKsAmQjwJE6UUIcUdcAMLXF37i2aaPypqJ
ZYudszJJHx6S1FGPmhNKfnUibSx6+idMOCBUcdTbnZb/sEozuvyLl9kqxbyv
8Ldvb6/MXw9GEapG5taFH6bqXSPZKb1Hv1AhTNVRHB5e/BK15WcjeIbnr95Y
6rsM22IDwbW9TJIPPyRlvuRZo0+SZPHRR+kfqZevqS+UFmSVph9+6DX8Eekf
XVvkFzwcupSuXbYuPvkVf3ujtxd08OSlmV6qKOHktS1dyveUkUQA4aPAan/6
i0WuX+MvxoLi5X179B3aj3+KP8B3wu4Mcx2yy7w3XuY7CsNqs7q5Wph//REH
gZrIHfU1/uRPVAp6GRf/+ztEH+E2eoflt/0vukPEE+jvEDXVXaVP38Hk0YaK
7BR5PwIia1LlGU5BigPwnOdvvXsp2zOlR5p0PeGqj+jnqbvGODK+SmZeZOVH
uOB//S+a2NO/DhaKaa74Jn4HRvMT+N8+ONH1WmZ90WRajkFdXkQDutTp5xvI
dK1TeZ158v6YPS//dOIR332XXkRXlc9Nfuoy+kXFefr0i3X6T/9EaOC7MH+X
OoCLYY/H47bQqy+5xXakq599Bfx4Ec2Db4q9XqUffECSaT0voUYJVMPJIspn
L/Wzj5TMP0a9R4OnN8SYMj+m7JhHVC8x/hJz8hLs+8e+yfLUf5v/Mb+GWjn6
AtgcX5BBfKg7LuPi++XnHGqbMRZreJI48VRQdcWBpOZ1mEX1wsBQiUAS9HY8
lNP8xaWg5pbXbDSoSSAqHmdlKSfOiYj0f3wUvaYcQO1oGfN6b7c4q3yQ3m4p
SUnJCtSmkLJGXPHJo4c6EvfLTRZOu08c8LNjfbDff18VcXq92dzJupP+Wu7m
z2HAP7Gblych2jsX+s42ZueVt8ZfOOEprmhJJ7u+vt863lPKj8H+ZO5WunV8
FiIwuJ7m3AyIsXEtxEAbjFbzLXGbMBMk9Dzn8DwcXuCZLtebSPb61Ya9zj/f
pf/mCwT+LcZQGq2QZMe9XgTFqG6I7N/ERDv0ISxsoXQjXWXIp/cVY6PY7pT+
3wCA3p8xbLZSTsr4rn8AShTH9p78unL5s+RF7IhY9jqKco85ALLoCBJzhJLz
OM7Bt1Gi1CIdZrVIXebL7KvZ7hIiCJ/PpFZDGGnys/T3NPI/aF/0b39GLxL6
np9Na33BtZfyXfcNFwU/MoP3UhI/I+dEkfO/EHL+8Imv7RYYO4gfuUSSZwg3
fxSlhuI1s29evJiTrY5+mJW+tpythoR27G4u1F1KgISTYHkWOZBIRnh/P7xx
ex/pO+kg836xS0kOeOU21LX3IcBfko9Ri8O4kVDk1biINfwqOZXng1fxDii6
mXqafHaD53j+zYvPaGOOLmEn9s6zESxylqSTH+7gPxGnphTv8GsswLL2RaC+
WNIGRAiRfeB+dTJ1OYnJnBYbWkLZx/Xoc3esTyFFITrWlC2vgW+quqXzP5OK
ECIjHaJ++oO7hInxfawPiqiHVYjjP127q+MPVX0ny3/5PkKpsXgjySJYDM+j
kCjxYb1b3PW775J4BE9klPiyr2VOhb1N+KVv3EjeLt/4PDDqLddu5sG5Fxs2
lGvOUdg4xwsSVHitjs07nvMPPnXX19DQdJr/xwfphQnIQwqJQ8ZUYMwWwZN+
QFXGAZUQ9xvugBvkWfBRaAxO9Ixe+iz53SZI5R1LoFON2SUCIXOvLMaQDwW/
Pv7SJFK4IBQbe59mLu6ORehx6QmRx0p4afGTWbjNue8hOY3dFt6V4jlSRQWE
PcSOE013CE8hx8X8+fyMnfNhdm8kZHwjSTzZzQfB74mZJ1qKy2dDgnOMo2Kj
Z3gzZTLbbzmVJ0p5ZFcWdzCnH0mLn9u4zC5upJqoA0+CTN5Y9JxqBBo9yQpO
9d6JOKIJ85wvX1PuFS/zau69dOtesZ6KmSvi+aKjxODn4UqQDfUupY06H2nW
8Bj7Ff2FNtnWWiyg8Rry2f+74+I/ce9s7UTZFzykTeAQ8PuPm8VtX1kpbSCi
7vstrcFzqNFbrjclGWKv36jDmbKujyYYR//tzs8kJ+amsZtbZvuwF17cl5LX
RNAA1dntODuXO4f296+8+25p9gpXaMT7fbLB2GouKCUKs7igOyIs5Qs9W1+Q
Y7KaVvO4f3mq4RVLHggFmRXvsQtI5a/Y0G47rP2WPmicBem1uQ59PNhrecOv
JFl+rLkuLuMHHsyhuLsgoagCUevoUs6dF+26uwq5cFeMFsQJugvV2EU7jyfa
EeQ9n8vC5/0VXpBUcbzZaH4YbFwJ2IjnhbXJUgSzzJhFawTWZLZCKgYez4XA
aXzsNSQ9cxEoRIq3nO6iPTeeJi651w54KlW6Qk6WZrixWpiFcYNOrgXBqJj5
WCbW16Ny8txrfHYtZQmyrPFO2BMr1u61feOivRCFWpesWbwvZOIkN5a8+HWp
CImi9iJz5jKPg8dpzmskX/lAhoynkKo8K8/IYjjgYD46B5p9TJ2RY1WyHMIj
ykTfOTIar776zR9o7x/XBzJvMScM7UM1jup3FatxQpXoxlALdXASTyodnpQD
11S28iqac2C0wH6lO87roxgOPq6KYko+3muf/IZf20eCFtt7c8cSmcpWRt6L
OpBrzsGhkJXnaJ8HWxfEBnRAP35qNXx/g4UkmlVr4H72aZqapL65E6RP5/+R
p8QS11ct0itc7TdXhIpUlQ3c6HpLihlD/uR60xOiPQhoLsf8KiIwmxftbn0b
xjyXwn+iRZF2Lwl7JAZZfrLT34+MSyY9e+yByopNXDbI91zCg9eUEAJPDO0u
lrAvWGrMo40tTK525u/Eu+TFyzUFz3apll7PjaFPx1FXnOgXwrOUxEHZgjET
nJdONLHRQfAWDnUX5yptZe0Hurnf4g+1hvAun3nosZz4E4gj1DTsD+D6XPg0
ZyiKMj+wISJ0Izfdncp8VjDyf331+WepFOXMG5RhBATV3b2Whd7vNzeCeKly
wOe1YIsmHF0TP8DecWaMVCADPLySHEqCs1+v3VstO5E0mq98PmgknlbpMkAv
SU3f/myxfTRC9kVsj5PjLTa4xRHnLWD5pWkYKTfdeImnvsQzXlLsny9WEzm+
2KQHKRm40JvszxdOddJfqQwXn0dm+/PIga87IzWRr5ztDvJDsuUh99SUj4OB
nGxveRCouvA4hzvEq+mgW/CShrKcEdw1DQbX85SmJ0kPQlV0Tbm4Jivx/+Rw
wo7vZZLDdzl9zXIi6BoTX3MgiF/etwdX8HPIoxP9ilzYsgIY9JO/3+0ibLql
3+L5EkifeHDZOJu5oSmzrsfvaqybOjNdZxpruskIw3zVFsb1eVHb3pZVl9VF
WbWuyqvRFNmYDUm6KEw8fspgpryuC9d1XdOUeTsO2eQGU9X14EzlOr7IFF2L
O1uMw4xYxq6sRle2VZ01+F3nfr34EafepR8KU7rB2naa6sEMpesHU/QVhoy3
ySSMmPfDVJq8L7MBA8G7l8bYNm+nYeqr3E3kVBUpnaUX3g/8keFHiJ7za2gO
17A4/Tvas5Dm+GJeHnwxy7oKU1qacsjHsixNhf/j0zbjX/6i+ZfhXRXluJwY
Tm3zvi1dkw+udWM/lXnVOdfTLBBwm/di8ELpFzEbpi3KOjd9keV95vos67O8
rKZpwgT1s3H0yGbumh77CTNvimqqJ2eaohttVuEvedZ38j7jUHW1rcesc3nX
T64smr5vTFZ0Zuh62yYLRq//qIdw6cujp7IrqtqaqemyCvulL6vaFKayddvl
VVaMtW6obGhMnVscmLytpq7oirxqsm6q2rLBdMXusFMn3xn8LnNTu74uLfam
HSZb1C3u0ZbyjKmpKtNn+Hjq+8LieDiMoc5sXZZ4x+LAx3Z0yB1eG4tID2m6
1mW5q4zp83rK8MEgAVjcux6azpRZ03UY1IRXnIouL1yFD4tWTJnZN7LEXQea
6DnXxtPF+5eCxj7yNuvjnNvzcbDzcYCUafKxqQs6EJAh9SS7e8TvDjsgyzN7
4pe80plfRxdxZhi1S+KX+Vhe4EL98YuBL15OB97SScmaybjWDl3dZSVkXV9O
PY50C9Epe2psbdkXEK5NPjWuxO7E4rQWYq9qimbkibuDuvW5HU9P23Ew8bFY
efqb/POvvrggqq388odNNeZa/l96Pas6me9k9IdG/89iij96ZwV29qJIGub0
v6V+C+tG84cZe7OK55KDrD+m1pMI4JLKXgjhxaR5MZs0vyKT5tufnTJjGOXu
ZqfbnfrmvBlzITS7jljFlzTOoaiEQPbsg5yODJrnUXdNDhfTjl4tCAV4s3H1
/icLwykUgns76NAK8o5kuYo7Q4hplZw1rfCjwbNhRasoXiy1Lz5JvInCD9q5
0GiSvJ7b9dziRUgftVUpNy62272n94uMULEafCLbJ2HoF/xWl/95kInR8Pe1
Nujm8/AAsD+hjD72wZGD8OrVBzTIT+Jzf2HM8gWavDb4XeVjXdYVDveEvzVn
33tsHXCEmWw2MYgbhqIYc2AmwISm6Wq1aYq+74wZ8ql2trGdq/qsH10BtTaN
TTEfGtImwW86R3OP/KSH52PhKFk4TS9OZUKSizQJvlTZRQ+xM1XCy7NDdRd8
qlJ0kSxFL6dBrtL1m5tVKlLlt0D5B3RasStWPkk4z9KH+yIqgcB4za1vOVMx
kLjMxcreQbtKNBY/P5GFQwiXL/uvhou8k1C5u+6vrxMt2zvh5Y1aiBJjo0zy
td3ttLORnFiKaCV+NnbvEoF41EOcxOGINApHpOxMUQ+ZGPLkUcHkK/Mu5yuL
iElCa2CVGD6mvozBpk/FYJMoBjutt7u90IKruRqWaaK9wRJTvwoLGKZ7VkB5
pVnF5YBv7QOEjG9iLNtLg29Xd1ie9TcHBvDKZ/ku9L82/ZGdEOjGfJxJPg5d
d4iBT0Ys7kzhOfGhgCQOBShRs5+q8CPZpv5j9biIvJeW3LpFbbS7vLeFiu/l
8Z44jRdVr1qHsBPXmHMqMyVmrNSvqycQgAbLK+wU0Ufc+Xiu3PPFTuSYpUSl
ecU5EK79ZlXGE21w3qUH4pS3bkBSkHc+lxagJc+KFQGR6k+X3x+PScOY/ygI
VsjwGABhgAKExBChP2RnnDAzxqlvuxJm7pDn2VSbqSymvDN12XZZ0TdigU+u
ho7K2rps+tqZdiyKrJ2qbhog9G3GJsCzIvteU7kiw/gnOZU5T2XGVvr3mMq8
66wtMUmddW2b9UNrs7rs+8pOrmiHUp0ZMLizaSrw836yQ1NXZqxcXrZ9Mfad
WFPP2neeyT+topPoT+tPcEazJ6eug3lUuMIRTGqrashhw9ewZSsY2UBGYiEB
K8HCtROZUq0hCwkYyxrswK7BRqxl6vJ3n7sPPviTFJDL7HmH409t8rJ3mMAK
tmPZ424dTmXbDfjPlFU2s2RhDqNM4GSnvHEmg9k+FDj0ZZE515RtPnRAqKbQ
Y1ykB6HG7yUTJbDwbsb9YxbpUuSvDuX9GUu2Ln/4ZOf5KcfBD3Ma0C9y4cXC
WcYUSegyXtX6wAE4Dm7qB/x3bPvSFBC8EEljDt1uBjvUhZgdJRbR9KYo8nKw
tjOjaUzupqHuW1wmBQ/d4PK+zgdXWDeOLnOjgRwvxwYXu3zK1U9aY/vg1NWu
7+qpc2VbVlNb5Xmf2a6vdH+U33N/LAX9+/1xYn8EjeMdxu+2P7K8g/FYYwlM
VwzYBNkwlD0OfJE3RV9IwMaQAB2KbBqhnvqqaCzexdR5Vveua3PdH6as+wqm
X51VZV8Mxrgc22IoIH6zPhfdVRauHXM75q62bde3TYnt5qYSe2vohqaZbbjv
Yb1yudFPNzYmw/t7j42Z7H1s7N1jY+TOx7ZwdGa7IW8A8dqqhXg1ZQ44J4e4
z9oCJ6geG+daU4zdOEL+5qYdHERJzi7lJ2Njfd+0o20yoMOuG4t6aFrX2rY3
tunwLC2xKm2ZVxnu3ZcNxgPF3pDHCageaMA1ybnYWFcVXZXZvqn60U1j3bjJ
VH0PGVhXkCQi/8YC59uNVTa4ZuiLunNN29VZPQ1lVWV59XcTGzOtqSaTQ5lO
WLa8wgpmsIxosZ6OjY1T2RuKG07FULmhr8c2w5C6yQ152TnxRz8VGwP8rfMR
6qe0RTsOJeBcVttswBYaq6Y3GlJqBts0TZ9VxTD2fem6sZ5MT3ElrLo9Fxv7
cR7ydGxsnABC26yGkq/N2E9t0VtsJODOshhtJqVCGSBKOeZZg0dXhZ3a2mXZ
0DZVBW3YFediY1BnRV/lhbUNvtDA0pqglWyPowUN1cumzW02Ols1w9AMHZ6O
24910Q11MzRdlpszsbEKcwDIhZMB9TY1U17WsH7JwKNXmRRRQwHbrCyKYspq
SAJgNWMozJcDL7X98LhG/OVri//l2dUXm+sHU2TVaa/uv0MvmtHrxV9++gL/
y7OXX3z+23+lZ73PHPGayIzvoB3fZ458L+3opsbUdY/TWOZN20xjW5RT0415
B1uil3AApE5FuHIqmtwNU990Fl8ppnzCCbJDf1Y7jtlkxqLLbYGHlfnY121p
8wJ6eMgIDIsIGIHZ66EvixrSxbipMx3H+O0wtW01ndWOvanqJoOohGBqYFk1
bWbK3rrKZaavJskcmVpbdJBkoykJZPddWbeuGAbnKHxbjX832hEz3tWQahnk
YNNPtTUV0D/f7WntiEkc3WDzsTN9A506mqk1pa2roqhGbI2z2jEvqn4CKMl6
wKemwspTMoezbVGZCSsqW8IObTdkWVWNrWlshYXoLDZEPpBWKapz2vHHecjT
2rHonXOYxXE02TCW/VC4oZrKorNAVKOE8aDeRqwXZdiMth+zoWwHg5GVwGQW
6tKd0Y6m7SucCQMzb8itsSbrXFVa7P0cD+5l0zYwGYc276s+y2GHdpNp8T4Y
jIUuw9E8ox37hhxOhpzHQJn12LneTkC8wE35mBW9TChAhMUEAUd0GUPm0bmy
qoeua4GXnrAXz2rHf7fV+J+hHf/mbcd30o7vbcfvox0dWVY4xzmOygA7ELAU
6DvrsBKmMwor+3FqXU2WyGS7Zsps6QrTtEXnXAUo3p3VjpBI3VBY6MSxqIqm
7aGNYdGMZZu3daEWauEIeY/5AJA+Qk8SPgZ2LYuhyAdA57PaEWA4x5NyUngG
4L2EenRlazt6n7KSfQ0tVNQNxFgDoGzHpiuHOodZWxSYBdtlfzfacew7zHHe
2zyvXZGbjKTq0FdntSPELSR8NkJ8NhCZ2eSyup4gmocMdkTfntWO1g11D8Nk
aF2TF6VrMiw7ZSO2dT0OvXoKIKqhcqdsaCqXNw4L1FR12dZj3kP75Oe044/z
kKe1Y48JqFocCVvlLh/pkcYBFvY5cFzfSjByqOrOFHmTOTIuoU5q7KSy6oeh
H01eDee04wiLNqckX0ywgfYesNlh50JTAi4WjdqO0MBd2Wb5YGtT9EOO/+am
wBmt2zZ3Z7Rj7nrjzIhtM9m6g6ocqqYpy8oV2PLDIBC4AOy1dgKcKAA4xrop
sC07vF2GM5uX9ilvqtYI/eg2Y25mXyqeoTruP9NU1KDGT1Eb5uZvz1Yspp+0
NhxKl41tRY4hWIRjgz+nrM67ipLTByNQFXCxqN2Q1X3bFjg+Y26AvIGiy6aC
pDlvKzZ93TmoHXKmtrAHu6Yw1UC2p6uBRCUCghOflXUDOy6DvYiDCnw/dAC3
0A15WZ/XhlPftQ004TDlrplIXPQt4CQM064ohmZSndXBWOwzdp42/WCyeixM
3Vko3oLS4N5ZGx6tYfX073e96L9CdcIirwdozGwcydNducrW41Q251Vn2eIr
LcEXWCBN32HtJleXJSyZps+rs6rTNLWDkK/KsQMw6Tro4i5vbTNAHLf1JHYM
oFmDPTAShsryInMdrBdnGxhKeV3Z8pzq/HEe8rTqrFzX4/VxehpjJ1e1U8+6
dBwc4JZTr0s/Wdh3UG2Alc5NWEKHR0HhYq4wojOqs8TIASRh+bnWFc3Q2B7H
Ny+M7SrrT2tr3OhMM7iqcs0wAsfkthstOdQzcvacUZ1DDyu8zF3dWrx2n+PU
ZjiFXV+0OJ+lGpaYm9p10P65LUtKKLWucH07NWWTwZD+Aarz321Q/geqzne0
I//WVedPzJD8iavOugcupnS/vh9hc7QjrDkqVsPZGNs61zhLB6zr8naAOM0A
MaE2ewtLrMdBmZxpz6rOEoAaiLmtAGeLoaVgnyW/D9B9TflqqsW7uuvLqoN4
g8VatTmEQldCN1ctYHp5VnWWfd9MhMBdlRX10LvO2sy0FuKmgizTeqpprDNr
hqJtIUpNjZc0sEeqIrOuzAHc/1uqzqkqhrooh2GiUiFjqmYikXi+mg+qsp4s
eeCHsRv6vDdt1ZCtPjX9NE7DWdWJ75edg3iHuspbY+vGDtgcTU4pKJDfIien
3pWmqByWFEtZd8VUlD1MgaLAZszPqs4f5yFPq84Sp6UYDPbtWE/VVNcVIYoC
Z6qhSL3s8QLHbbKdKQEObQFFDkw5WkPuXzMaW5xTnWNpLTRlM43lOALMwoQe
m3bMymKEESqukq7Mxh42tq3GbhqKKWuhp01Dfubakvn7tOosSsoOs1g/y9jW
jeOInZBj5C3+IzleZdENDoY1jN+8zIAAyKuU11mOF27GIqrDIKaqdy8/+ckm
8PzNhyjfF7f/6LrzfXH7OxW3Zz81J2x2Vh3+4OJ2KM6yK+q8LMeqtG6cqrYb
gF4gGHs7dOcTeIocOqnGf0ay76qKXJajcc41FhDFieFSTGPRGIcXbVqKMlLQ
re6rYhyLyQAshWUw39cX3pz+/SMvg3kElcz0hWqNZhy8rMbGtrWtLGBolZkJ
+o9SXRsxVOqxqaqR0d0ZKz/PgQ77sp8cTmo3mrGD2WmzFhu/zLvzUAW4pnJZ
2eSmbcYBStditZuxylrMuW3lvHdTAaRs+HfbU4r0WNZs6WJebO3OQZWy5iSG
CkccCBUneDRNVxe9myb6vjiWcfQoR5/oB7KiwMmrqoogfOFMDujSnYEqdqyq
ycDSbyFThtaO2eimDjochv/gMhEpWMzcDW1WAgl0naNYAhAGcFRLSQy2PQNV
IPMGoEhXla2Zsmzqx6GrJ1OQBdHC7JaLKoCuqhlMbXpLIXHbDBQOtnXZ53V5
LrkKazc0EFL4Do12GLIa7zC2XTFm0I8SBYN8xrhh2NgC6BQ2xzCY3Ix1jyNJ
PvPvD1Xe5xr/BKDKT8zM/4lDlfe5xu+Ua/w3CFV+cK4xIA3X7ORl0XftwM6T
Is/GIZ9KQMvivOU+tn0Bk78wXQ4L2bVtXkBFwPTFR5T7w8OzZoD1baA7YU7a
gkxrKDdT533t6ib/e4Eqk2mw4eyAnVaMA0DGOFZ5SenJFip0lJM9wGzOsneA
Kl0DkzsjC6GwpLRyR/4K6zLKPqw5M/lMLB8Hb8RCNG2Vm7xxGY47LBEKkeWk
6+UpFlZ73vYlNLODqW+pSAfTUNOJbZvhbCy/glkCVVt2A04UJnAEPgE2G6hi
rNdqsDbrJsAHW7TYlFlXFlM7Aa2ZzGZNCXh0jiOpBBZvynKYAHorCKGs6DDD
ZVE2WdWoxAQIM8AtxVQ2dZcVlQVybhu8SJ25CsDpDFQpDGQiQEJbT9OUNXkO
7O1ybNcJIGmYag8jXNW4bhh6W2Qw8CynF5h6yDqTTWfzwAdA16FzgJzYHP2Q
t3nXUCCjzHAWKk00dSVOYAGjA5MJQYVlLwtANUwbrXvzCFR5nwT+k4At75PA
f3zY8j4J/F2SwP8GYcsPTgKHeO+oerR3Tda5AlK5nizAHcWwTN6dj9V3OWCp
HYlOb4L1DOO8qEosZgvdRWakbjwgIWyn0ZXAtLbD0pHrC4tf9fi6+XuBLeXY
To01fY3N1XYttA6EMPRaP3aZK0e5qy1LNxaVO7s2tRkKnAdyio62y7ucCsGh
59qptFDF5uzatNXYU+R9xEEvR6xrj5em6ALeZew0hmKnqsVLjzXxYwBzVsXQ
Au3jCaYosbrn8yjM0I4U8KIsc1K2xWBqejCgy9iMigkAnZq86EtLERRLFI1D
2zpKQ2ypl/XTsMUBpfRDRbvK2amZ2hFWCOwQSnKHTtf8XBgkDUQMRZ3IS5RT
XVkJmJNRDm+Rn4EtU9lWgC45GVstUGI2lpm1kBcZ5eyX4ilqW4Of5Tm50vCy
A8TamA1NkcHqw6afzsCWqaRahmmqaD7KypRAfFNe4Aa2MLbXmGZta0jBHpPf
5nbCIeraHlZEh3cgyfVDYcv77PyfDGx57215n53/o2fn/w3Clh+cnQ9cWWTG
9ICOk4HwzNxUmWkqeF8M03mLfrJ9DRMQULGE/VjA9IbBnsPSNmVDyetipA4V
rsvzIYc6JHVWDyMAUz+U0OUVsM3fCWxpK8i0DJu/a8pxBI6uc0D/zGFh8OKa
pmi6DtCybc+uTeFcAX09dVltTNa3rulofNWU9w3t/bNrU9TGljDwDUXrirHP
HRBlBX3c2tZAIcpBaogcqWkMfg6DAWig7gGT+q4xFjcw52DLAGSF1ystlDfG
CHRGW6CHNUHcKZ14W+oeeLatqnHKWyjqPhttPbgpq4qqKbAM5yonalg/E3Sy
yxrginoYsh5brDcAcjVEgMqdHtYLpazUrR0owNn1jYPsmQZIofYcbGkwJxhP
bbsChlxGocu2BdQrKWHVZeptKaamntzQ1RDBRQM7C9OalZiCDtt/OJfD4rK+
6GGajb2tYD2WXUdpMji3VWOnSZOoyzw3lW2xaXCQ8tLgBcbKZM1UYY2qOns0
MPS+bOJgJD+Z3M+fmHflJ577+b5s4p3KJk7BlL+d3M/zmOYHl00MZVs0A+EP
Yzpo3Zwgzli41lYuyzhT8EwEKcuhZsfakCsMSwOYSQG8saUUI58WXI6lg1WZ
F9ZQ+bpxeQdlXzkYotRxIHtnTHP09O7p3+960X8FAMqyuslKID0yHvK2wtE1
fUNcbG2Bv4gShUCF0s+HswvZdXUF1ZhBHQIyVC3sfEz0RPw9WZuX5xdyMm4c
6EwXNQ5i3eOIYytl/WAp9VRxg6ubDstW2sJmPTZMlVc5gETZjSPObN2cA0CT
GSpIo44ih5A87VQXeQVcAnvHdZhbESQ9IBakTdf1Bniw6bOBMmSsLQCJq6Y5
A4AywAMIOqB67MOyGabOWCCoNsMrwcLpPBgGBOmBqSe8b47p72g89Kq2GIbu
nN+mL4AFTdFS8Ie4k4DVYAm4ssAy2sqTNxQD1bFix+Q14aWqmoqJIk8EVftz
9S/F2LYd8ScNxDZkupZT+nLqwYHjqWn9vavGFpjSmLGurAFQooUYSThjl07D
9wVA74tf/ssB0E/MT/MTB0Dvi1/eqfjl7x0A/eDil6GsgS/rAXjJ1lXWdRW0
zpABV44jjNrxrN50VdWavMGWyOt8agzM6QGmd9+5zAEGCGo12HIV5VtDoQ2w
78thGqDYoTqrvsDa/rcEQESQXhVdbSjFg1yMle1qYpKoqhxKTmK2kxumApN2
diFHrJcrKa21HoEnSkKvlLE/1KYZgR/OLiQ0K5bF4vxVdWZsU43N1DamxDEj
H59gk7G1PVW4QtWOkAnEAeFqoLUx60xj+v6sB6i2A0YKWUSeEmJTxCAb+qMy
gMTiARommFLOdUCIhXPtlJcNAFNLkSZs6rMeoBbAAXCpGWh6K4JaPb2XtcSo
DlilKInCPZRMTaGxBpgHOyFvTe9wmS3PeYCAW0s3NdjkpgKkH7sJv8cRu7nr
GtdK4thQNeNE79XD/iwnwJamB1ZqCF62OCNnAFBmagj20VA034yD6Wsc7Ilo
s1o3WLU6a4NxuKrN8okc9aYjiklKvh7GqSN31wyAlk2TpeF0+hX3TZ6by5xo
vezby1DjjZMtZkKzioNHxHgpufj2W2pqsrf9tfvrXy9X3CFNGs1+xs15S22S
seh/pPpi5ffuKjloqboKTZnjDqrcB2Nu8hLYorm17bVLYm138dmby3ATljY7
fHYrvTTub6WV68idT8/QOR9ygf/nJlmbAhcvh/B3H/j7MdOsOdr03y/wd8ik
DrO2I3JCmMPQ6iMMMGA3IMWiMk0H6KVmV9Hhk9K21UTdsarWNeU4MO3CNJVi
gbR5Y0ZbdaXN62ZsYYXaBt9om6LugQaURbBzLZH6dSMxMeQGAjuHpVoPXVW3
ZVuchab96KBRJlMQJ303VNTasi9t50wP0VzKRI05NELWwQwFLIXdCsHY5K0r
imaE/OTOAEtoejgrXT4NsHUbO0AVAWlT04Hc1s3gxqwZrRruxhEH70jGPH7Y
9pQonHUtuR6bTknoXQWlWXRZOVY55UyMme1h1eLO2dSVlWePKgrTkm9pyp1t
8GCgJWhasp/xRPN3QxVW5l3ftZQOS4V7zYA9Rr0HzuPW3rVAkMTiWObNhOUl
DwYWJM8pQa06bsF6uKKUKFd3rodpYaoW+7sf6wq7t65tUbSNaNeCViYfKRV4
oIj4NLV1DZunnPp6kIw5KpiDdh6pwhEGT0sBp7pqS+x66nczVcqjRdk+bWdH
6lExZjmQAVFqlgVMsJ4SjQ+A0099uEsIdjTaDrgzHwYMtLJtU1ajpfTnOqtx
wGG96XGhZPKi6oYRNwZSKqqKSh3aKm+GPlPuapiXU1MOY0abD1C2gWU7GNiv
Y96NRoyyHl9op6wAjIOIGYaB/EWjgwzAvyCqDsDcUfMIBzsT9yhcS9ZqUWMb
UWJknfVZ3Y6aaT5BxGEGKmwxaKUOOLawgOyD7UxW6LmF1VoXOM993TjqWkrP
b1rKzWthp5a5yhII14Yiu3mZdQNehawAsrcgj6rhkHD0cLQQymPV1H1mCxjG
tjEArdwQxdVApFpA3+MJGGRhKXt+gj3X1FXjRtgYuMRp1mlZVU1mqbah6IZ8
6jKcvmaC8ZgP7dBowr/pahI5w1SSAztry8LgL7C0u67PhjwPAPOp4rP3yCh9
j4zeI6P3yOi/CBn9DaZp/WBkNOREpdnbbgQSqAtszAxby41FWeYZVPJZZNQ1
sj8q2xD/NUVSsDNci52YUZqOHrC6xENqKvBqK2AE6KFs7Moix24u1DlRTm1H
Ld6pf4brBmCREmqWqAjMBHAiHq6iqh1VPRjbQmtS2LTCsJsi76kWcvi7yVNv
iIZiwNGfDLR8XVPLeeC5tm/ztqmUKHwamqYtOYTz9CoTqsAYO0rUwvHF2uRN
N+AJ/eSwesd56kcd1abW1sZAQlFiVWkm6H4iYu1zayk4qU+ZqnKktmATDls3
YVoc/tPXts6GapRVBnqqbVZgZ4xDa9p6ypsmB2ggso+81shpRm5f1xYQMs6U
Nc5racvaNrVlHr2j1LHD4ULg9QWxAE/5QPlNWQEBQJuvbyxlRMhwB0oEyAoH
HAlDoC3zvCanJnEb1L541wIQTS15/BzQHSGwYqCwMRBrS/lgCmBHwFN8Oe/a
2pZjX5g+r7AXzIjN2mZn8G/ZAVYDp+WY3Jw6h5mymGosFuG2vhWhWOVY6LbN
TdMXlH42kQe9x2GY8q6YRjkdtoT4biHE+840OaXfdy2A4wAdg7uXGiU3OCl1
Rh7U3tmMoOXQQ0E12AxYBnMO/2LxsTDYENTcBccYyH3sMTJq4WJ6WcAcBsXk
WoPVHaHN8B4wESZLrv+CeBz0Tob8qfnUNESr0tvcEuFDDexf1YNGo8a2NZzi
mEFyZ5BKHXRAWw6FhSLqzWEZ4uFop7qn1x0mDHs0xBUyETa3kDwtVlGeAZA6
tKWBhnWFcyPlUVbQ373FNspg/YiCpJC3K0jCYUSAs6YfqWVgNrYNNpnMLYTe
MFLyc5VDdXVYCBxgrOcwEvNCGdFEeTn1pXu7nZ2q6bc/28oHcTv79U5dqSkW
5noNgKff8jehnvb319dX+l3q0r3feLkF3baZUpvs326u/EcR3vbdfVfUZfja
Dtxjm9o3X1vqBg/x5NtnT1u3e52wGH1GAfvh5eiu9zb9KN1cjy+9APm/P/8y
vXVv/b+lzyo+iP2w6Vra2eN7i4/pu+G+jzhrMRlbB+x1d793Y0KNtfmaYXOP
9wqe2eXznp0zOU7E9dMLneTL98wXfxOGx/taDIXY75kv3jNfLIO175kv3jNf
vGe+SP+WmC8SDwyB3QKQ47MCbBXOy/FZ6U//1i9GO/siP8wKyjM7TiPe3fYt
horphXqwNstznONBXP3kR+66FtvGVXrPsL+PCeggZep2KktI5ak0A7EMuBZb
z3awcgoynmLk+B8ld9IYj554ChHOdY5cGDCmsxaHDxpqsFRGBsNRNaaBCTl2
APatHft6MJMbyrbLsE1sl00dGRIzIj61vcdhyi1mEgZJXZFbA2OE9qztSEx5
RizJjHZ8Xrp8mGCo1HkNm91BJ2O+J9dxYg+9S3xYj+sPoGJLA+swh8KEhIeR
31rYqviVu9pJMSaGDj1gqcK/p5xi2DuQWDhJxlDTUT9p8Yk9flBdQyGRGqqo
Z42DTGzGfILOx0dDIULBZFVHdefWUPZfQz6DChNY1VSQ3ln/RvGxPd4GOKvG
NRUR6WWQjjVpwBomYlllxqpjoesqiGFAjQq2Fk6szeiR+I33rF3p9EFn+rP1
tqocUZgaB5xRtGPTttiusJQHYhwWIQI5O2R1RtSBMBld3wymdY7okKFfhyiN
+Fduu/7ajVef8Xk9kUQDe2/Ua/hMn7b6fP7MLjZarr76zR/I8COEHSXKECD/
3ZcvPlYllrB1gk8t7Di6gz5OVS6BYMmk2TqyrG5hNeKJ+DksCm8tisn3PBV0
L19cWGFA/5sbhdW93bm0f+BxTJst7dJ0fZt8++3iPXd//etK83lg8+3Se5ia
dXlxsU7/6Z9Sc5l+l3qEoK/kh7KGLfoNm3n80/X+Ie3XsObw/Q1feL15m7a6
qCQ7o1Fd8Ft+dpt+lJj8UhOI+uvN8OYxuzo2onH9L7DF7zWNie+bLKdhJOvw
Zn273u3Xg72+fpCxq1WOP3kF+HVgLelMWjWFt+tX9EaLBx4uNx53s97hLrD0
d3iK5bQnfvGE755eO/sG7317/ZC6v9zLBGEW1iNuSWOazforTOIVCUVSBnd2
vd2tMKJ9Ei44YzTTgP4DDWcznTCcX+KZ/9nGc3bCeNa9/F9tPXO+7E/LejZn
refsJ209A8tmUzsAXJquoPg+FHHdUJqrHUzn5MGUONLWgKqmnOp2BLS2dd21
tnAjFLk5H2wbSS0DmwwljGJbALz01Fq7heqthnGQpzTAwGVVVIDBBWAJUH5J
bUyzvjMWjw7r9aj1DKVEVsUw2SaH4WjGGre3ZdvkxdSXWauGCgwNwGtcSZ1T
cR2eWtZmAkIwQK9hxVmEnkCcrcVcZLYcoKGLoswbik9a1/8gsxv/8grqQKew
cFLldPn0g/0O1Ik5NmaIhCJzsNYqCyOp6rsJmLsBiCnaYhjFJwwQ05usBOQ0
WFYLqFYC7cHqKIBADfei8yfvEbaKH/kpYuKmszGaXribu/3D5Vm/AdV8ULI/
/tuatgIiazAU25/3G3AkArAQwHgg0wBGbk3N/5wZTNOcJ5CeBgAvN8L2ZovB
tdTIKSfWIQOTJxOE6GwN2DSN2ZBNDWykoRrsCGsB587xHPwAv8GPsI/as/sI
q1h3U1HjFFdtV+HdrCn7tof5PtkplBNQHpLrKlgZrsYxLyi8kU2WumS0+fl9
9GM/5d330aHjoyDKuIEKBi1bhWVdYnVLSI3JVoUG74dszGF6nSehgADKynos
JybAAmB3GVFhjz2lqcF8OLu5YKVQ1S0EfT/BxoC1l1N/SoO/cp9klbRVP8Fc
7McOZlaRUaIABbeJBKEdhrMkFG0+AOHX9ZgVZH4OBSXHORifPeUcaPIFDjQs
x27qTUeEUTChjM0arFY5dGbMztVg9tSqehqLzrT1AFu9qjBIWMzTaIayduLl
bIqh7tmV0LhhzFtXZ5S2Pwx16Yp6PFeCUOQZlV5UpelNXmBXWCLjqHD2cgp0
aYpXPznY6WOOh+K8dhPOedW3OKpEJTFWZxwfZTk62/UQZBQQmwpsR4ovZ23Z
lkU2ecYWsgjzipjTprYa8yF3jYHAK01FW/qHOj6e0AZnHR9moCKLsTBF3cEa
H9sJM5BlTT9hZJWscYUlHaqugP7Nzjo+mhIv2ZNlTX71sszNVFOgFi9u2pKJ
Bp52fPw4gvOc46Mus7ok89jkOCI42Xasmr6sWlO11BNWREtr6nIc8p6UV1dW
dWuJ4K6eqEe6q6qzjo+udbnNuw4SqxmLvGyw1H1XVHjy0Ba5+JVc3lA/96nP
p5ZctXasgVygPanmeOqKd3F8GGyBcsBpryD/etJZU9M0WQlVZSqnDPwjxedz
m+GAUd02lYF3tu9zQ845YXw56/ioKMmlcoCFfYcpLLq+5Gxi05RuxJ4R/U/d
DDJqSF8QmSAWzhQl5Xiasa076z0sTzo+/v/2rmxHjuPKvudXpPnibqCKiMjI
VQYfKI1sGRJlg6Q9D6JBxErmqLqqUZnFxSQ/xo/zHf6xOTcicquu7mrJki0B
IwESmZVLrPeec7fAaDcQITXFsVZKK1MpTExVovWu5jFdrso0B3bD1sbk1ZQ2
V0KWygJbzJLl7V6GD4kRz0wFhYHBUJaOmgfYxB6ltgPmhknKKfhLQBNheAuM
LVfSNJDdhuDj/OjdL/a7rlt/Seoz/RpqbbR2aP+D16unbR0d8fYFA3uUssCj
oflt14cfAbD3fUusbSTA4XowEHju280tB+lkOfA0a7zc4Y9yA6AQ3dyJIfq+
1cOHfNbPhw+hyfjL2gMLTxg/fVpaEey7611k+Alx6P2VNa2EKBtxxEUbsodm
Kp8uUXbTvFVE/fvkeBRCd163zrea/hJoff/ej8HRO8MQJPNPB4/6dIVdHl3g
l6lpnbM/ymG+Wk4b+9W7zU8x//93m/9ot/kvm/hn4EbQ0bIqQcMBZJqqsFST
1RDM1VVAk8zWBei0y1hBJ6YWTEtgYC4qg+eAwM8SfzrcHXTeOgrskpCzdUUx
jpJJK8gDFc3dvGENQBowjK0p6BeAn/IJGJ3V58Pxz9QG4kUGbVFbRhVmHMXX
VXUGMMoyS7oqbDpAtTpvcsBgCozSXApjWaZqx9BrVf8sbvO7CZV25HQD1uC2
ZsBMhgCNFM6BgwI+hTmoy1xwq3luFZO6BItoLFnhc5njJnGeUP3UX/l3hgCA
61SVotJNFaOANFsoYNzqHmzLmUwqo5qCIsctFYjR0O0NOW6odudZtkVOQEen
QWHgcqeNsEAAeKdU2AhaVNFkBYaFNoGY2KoC3NV1UddAEpbXTVkVP0cIwJkl
VdKJWiUAlLOVA3Gj0olCgyCSz0rE2scleZ2NpiIRpSstxY3k4NK6yZRwNju/
pH7ir/xbzxwrmGGYG6qkKjiotKgqqgWpXUl1N2OqkheOvqD1ufPgwBgVkLvL
gVxB6SkslhAph8jLvPw+UyGiEf5ALAupilGtfaI/yd2agQjF+OAKu4CDnILl
c/y3oCyEEnQeGBTSu2JnCwsosE7KpMCzkIuUwqQKCocRlSozKaKwzytfrr3G
bKmSGYBdrP9SS9Vwy84VFqCdShkYZPCjDC9K4eCcaiyAwfHoTs+oaJE0jg5I
RQ9cqZscvNxQMH3VcHaG1WNMCrB/SDRQikwpV0JdaTAfX12pjLG4pYHYaigA
BPQEqqcSTaEbVZpcl2BGZ1h9BSnI8qIqZcbpWNdcUjCxyWjRCcjIsD6Y0eBZ
meMOBLcB02V0ViMkFC5U+ZT3lf559D99vgPiTqNrdHd1vduSZJiKC1z3a0W3
3CgtcLqswHUAcjMHl386ChYsuq7fHzTdRNUFaFS3pn23Hr5CMbN6bIV6P/3l
s9R/YIqHNe0r8JDkun8Z/hTYSfhauJLiN8J9kbcQyIsNean7d1NgqxeAY0Rt
qGcwtZNQvt3q/ftrdHftfXr0IAXn7g799YFoADlEPV95dWi71+QFDgbPgFO9
fzfFm+hjb9u99URhu8NrzbrfrfG/OJrJ5GNuiX5ME/JGbg64GmskBNfiW/me
fKMAV+Q73Sbt1XUArx5NY/R67/z1f4gd2wDtbIbXgCWlO5d8+DDOcfiZvMJy
OxsqNBTMoZsGK53YVyrxuqQLNRbiGHt0HYF0Kl0fg4MX4Dv+3IHjfEm4O3C3
mXN2BuFWi0dD4zyG9RHV1we1wajju0HEroOz3b9woKXD+OnXWD6Tmzq+NhkA
Krqidm+GwQqzh2/SJPsXpOTsNZicrR/YsKwoHPupv9WXoDB7+ZYa1h+to9Bs
tetjX7tUtWEBTs7e9MFXdrNBD599+fib3zwI7ejsbEsMu45m8HpPT9FwJz1x
92E3peMipbvI0E40fWjTbNHp3f760EWWee6Q5NUYLM+8CBgGb0T3gQ5L/6EP
H8KKWPd7aKFPnx5GGjr19BS+yOuyKDX+dZnO2KhkebKYiZuwxJ3+d5INp3Vc
SaV+c4KdjJInIJAFo4rOQKAipKPTWY+F85nbBjqQqv04OngWrKQuDJgJT6KM
uUX9MAhjSadGFIysTUQB6KjVAlADiC1ygLooCRgyyhJujIWiyCqf213mhZNS
JtNGpG8Ux0eTMCYnQFJkRZWZqhQjJLmJcQEBjhsWLJFHrTtuWDDdnWzdrZgR
2geACwMH1lQryoZTJS/qeQ7y+bTjae3x82vP22fC6hvMS8uXJkHWQP+cqJwz
GpOWFiu8n6/SN23XknD3O45uwQY3g9QbBN4Y7oIJ+yWs+xvJOMSiuGoAlrPa
MGe4AYPRjqiVtNHQ7jDNwH3efgkgTYHrIhMSmMMJXcVsKFsUGvvFACqxhmeC
A1SxBsiDEF2TxRg3KjuXlwZQ1uVOaqxK8l2WFrcY8OCjHXTcWmlKQB1HZb+Z
tVjUuWi4Imhqecmj6wfvKiklDSxSAckp7GuAe9BnLN2szGJtS6xgcDbuhKID
rOlcI9MADztsBFuIADeBv11ByZslYLLItOMaaLwyTVWCnoNxLvdiXf9re5H6
w467GDnmsp/HXQytPerncRdDv4/6edzFwftyop+37mqjDKZaqdLxnCgmuefQ
0BnC/K+wAJ9jCXd63173J9Gl6e+HK+Ny7qe3YfeGi+vpIjZvcid6HMVFhAOE
H7yuXT/90/oNHzDl/DODTS7YQy/TGKu18qW1BhmxsfINvY7SoLprq1vXWqCK
+Cvhry6gTfmqm3Dn7DNDAtXVkfDxjyakxsfXzsCAlwshYMy/kEy1Ayj1XaN0
tHSn/gdD+tDLTTTUhe9P355hOUi5tyRFJf64BJMeZHa+PckSU94DnqSn4Uly
X3gSIbmXn/Si+ZSF3qUHkvi3LZU4h0mcwxVAOFDYPPuOhmSJefyr7NUu/eLL
r9ML9u7xY8rMs7KngIURgOIHlk8/nII+03yD9ckDHvKO/vQPD5fWaHTsxXeD
xTm0dHVsXY7KMNqSg7F7lSyX6GpuIsYlPgZhXK5u2IbZu4ytfFde/G3QVdTh
2wm1PPPP/W5aWKB/JvPz3ZbmurR1JSld1lJRFFD4JtNl4augKhUrLXDjisqx
sqoqgJ6MPOk1E2DdGZ7lNUvOHGKjee5993SOVaO9B17XVF9QFVrH4qig7CaX
XBjZ4OsF1YFmAvK+0QWrBa9nQOmbIGZoPU1yFfP9EsskfZRmc2OxDyPergNd
8+udl3MhMlmjQpPHtZZyIrSz5+qBO5LsiC6v2eNxv33z1YXuX7ZeQGpshi1t
iMS/YOb/+20XhBQEId76lY10NmaUylNSLvFSLraBbiTa1B291C/5VcBqq0Vg
cnKLohhWOxrN0tk/N0/+Iy2dMYE1BazMKjJCM8lozRhmgbbQpsUrbgZwsYxn
WSYyTC+0dEXxIxkQNMCeyWzmEhrZC3b5KIwhu/z4MbzzIj+CF4qcCK7mVoC1
mEJXEtDRAj0oq7VoYiYGVlZGqUG5rXleAD3wLFeaV5TYbQZz1Lk2oSF8MS5H
TeGM471cYIXTJyo/DPyuYRBMEIYUIheQYoIC8BqBpgstjLAiDgMfhoHHYeA3
hwFP0DkudGJgXXIAolJz9LcE0GyENWEYqDxCnnsLZVkVTOqcNQoDRYVgaldX
92vTTI2c3uNUusvUzhmJD1lALzoeEsTSlirnVF6ebtI5ZVABJEnQRp1bzqnq
A2RORlircXGPe0PIsM38aGA/PZq21sePtAFwcdgNY+OwBdrvr2jjvvhukEkv
/jYaqhYWF6+cX3w3r9kZA/9JNca1uBpmA3ohfGy3hxrBxty02O1hD9qhvfj8
9a5rgz0oajufCh5QR0xmGBPIgy0lipKpE94QkYZwhRE+2tNmSXtf5BjCB0ZQ
gNeNYQSjWLCUtBFkldsd9oNc8XYegnn+9m6yDd4BRJIJiJz48kJTi8sgXxfu
bp5c3NTRjGNiNNnrtml3JYHpolXLvpME08i7PWsoGfVm6JQa/gVVRKWGDS2Y
Ig7ih0PN1G5paUvid2aq1EOfQeuFMIVg64SYnabk0xLHJksInN4NaI8Q3zJd
4wQcS2+DYwmGZdmsO+Mn5uEJEWkNKQZRv9yK5KIuuTuoXStwL0Ux7EXuj3qw
JeX0UaUnJnM2iDZDxibl8qY2kNuGQ2xnNZnwFYDJGcThSsqBoooZNdhjJslh
AvquK0XEMB6cmdEhEzwjM4yg2lSsocC1qqas14oKkAdp9NznDmE7BHazmrb7
kVh68fHFIJg+iyMRpch/VINFAfYfVR++DdmJNmS6Rq8LWzPeUIESq3QGQi7q
IreisMEYkSltuHVUcZHqDgpHTh2LKS0qOmUsRLgB6vI8ywVV2c7LvMopnEDm
KidcafPYBnGiDVrR0YyVa0xpNK8dFSmgs1SqQnLFok+p1FTDgHPR5JVsTPBC
VVQMm2pRRotGwQpeZIUo8qIoygIjVDSFJA90YQpbjPrNS0QWor2iiGV+U/FI
TTz4nH7M/I8CwsSrRn9L8hocie4yLy1WIXbwxfV+1+/0bgPBtkof+B3ib32w
SufqcAXliEUbxN7+sL2wl1Bvq1RggiIBlzHe7LdBns6xbNwGwwo3hM9ubD9b
ZLrIpCjrmlyutgJgdJg9xRuro9uUjt4TtqgMcwUWCW+4bqw1dY1F2+Sa49X8
hPSos5JKzrMstwXmWtaZslxnpWJUADImrkJkQGLUGcUgam2oHrsBQGFcUk0I
OdvZozLGSN41hi/3u11/YiBPwIccWgrjSyMDpIJeDKM7jNn4zZOyiyJRZZFT
SazMNjUYkFNMVrYp6VjiaCsXArRNN5SZL53gkJDYmdrmrM6wYtWsdvq39pXs
IbzTZ/jqXyHH3SwAklryxl9b7y3p7aP4R2L+5LqR/aB7xuGCUnq1p4Q+bxLB
0vwjVcT5PgYcvt756MiulyF22iOc0yV/TqftRUegpzCb9npwuu27SNRGC3fA
VDHObVFdnRZqBCHTkBNzmiqjp/NRGXMnj7rq1XrsQHK9B8RCB4aOeD0OKBUa
sB4C7dZkygWaiga3WY2gZeEh/2scLPx39NPN8jgXTZ9CSZPYc1xdperQHz8W
ffWLikYBp3Rjj0BWrq49msW3B6gSXJjeZSe3gIXtVbBsyX3bAdfGcSeTWnKq
lfKVbLddP5+cgHOnmvZOtptg/0sWw98f9ltKYfWWLMKEO3Rrb99YMFjMY8jQ
fS03LnbET+DjhJp6uILcevKXZ88JYco+WNowP/v35Ji17wCy+rjEvSz1t377
p+c0PBakpu0JJElqajt1Zgg8HUbp8Xx5PRt6/Bzz8u2OimeNkxy23zOgBkpV
/pGL/3fJwCGDbYAa8QM2w/j0YlNMloh5nMXGun5xYMCwMO6OcZf5T16IY6TN
P09BjrFfd0a6C/arKczxQ+TXKdnlJWzY3j7aghLhdxvC+LftY5DBQTgkJBwe
hiCBHyZ54isXAmgUfjNp40XFw6NudhCyn0U5MathRxy08/b6i+Wmmu23S1J6
kCfxxtNR/3sSOH+Pw7iNoRy+w23wAnjztv9hvfgBzCqB8JnHlKcXx7bshdU6
kLYr2UOLxlD9pcMBOxm/RYP6rOHh+qdP3gOxhlhdR1fEHwNTTCZKvkoXfBt4
jQorjPL6gK/6dHx0/XK1LMmQkPX8KJReZCcp4sAJIaqthGq7ujr4OhBQEiZG
EG3ke0j0h7/6UPxYTOQHZeGzlIZ9a3/1wfcs+Zez7rNfdvC9ZjV3ZdmUuuEF
9BlVXQUzBrcundEmpohZoZyQuXG5oUp2umpslYH6Osq8Uudr1tGp50Y5MoBp
kHrK2JRVSUEFEkxWB1JbFRmUC3QEFZOuVW50ZUyjpCvwiObTXNyWD18UFJcg
aivLvPB1tDm4WXbLWbv3zmOe5y3PI/ou7/rozZjied5vTPz93SiAoujxpqXH
L9vzmeUYu8oUjYWy9uc1ZKo0UovibJiwqHMoeaoIW9UlHbHMFJ1TzpwpXa1K
i8GKPQ1O1otm+HLwGRLNmy0p+lsfyJ/3X/ivnFuo91jt59blPZbkHUN0dhCi
ogUI/n67e7uxJhgnkg+fbQ9XipT4owcO5MQ+CJZor1l8dKDcft+lj7dm/8//
7dLf//Mfag9OugJs2AH6pU/brrdb8n2v0j/glx0w+9ODarer5CkAv9yb9HO5
35Ll7fO93Rq5TZ/oJ+1m44MJobeVt0E+sYdta4Fwv7bb7fv0z5JCNXFH8sVr
QIl+53ULrvb01BPK19v6FnRDSOL8vscP0//e7cwQ3djuocXetPZtt/ITTf0O
D5m204euI93/MPk/ZqdMgv67BAA=

-->

</rfc>
