<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-keytrans-protocol-05" category="std" consensus="true" submissionType="IETF" tocDepth="2" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Key Transparency Protocol</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-keytrans-protocol-05"/>
    <author fullname="Brendan McMillion">
      <organization/>
      <address>
        <email>brendanmcmillion@gmail.com</email>
      </address>
    </author>
    <author fullname="Felix Linker">
      <organization/>
      <address>
        <email>linkerfelix@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>SEC</area>
    <workgroup>KEYTRANS Working Group</workgroup>
    <keyword>key transparency</keyword>
    <abstract>
      <?line 75?>

<t>While there are several established protocols for end-to-end encryption,
relatively little attention has been given to securely distributing the end-user
public keys for such encryption. As a result, these protocols are often still
vulnerable to eavesdropping by active attackers. Key Transparency is a protocol
for distributing sensitive cryptographic information, such as public keys, in a
way that reliably either prevents interference or detects that it occurred in a
timely manner.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-keytrans.github.io/draft-protocol/draft-ietf-keytrans-protocol.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-keytrans-protocol/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Key Transparency Working Group mailing list (<eref target="mailto:keytrans@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/keytrans/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/keytrans/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-keytrans/draft-protocol"/>.</t>
    </note>
  </front>
  <middle>
    <?line 85?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>End-to-end encrypted communication services rely on the secure exchange of
public keys to ensure that messages remain confidential. It is typically assumed
that service providers correctly manage the public keys associated with each
user's account. However, this is not always true. A service provider that is
compromised or malicious can change the public keys associated with a user's
account without their knowledge, thereby allowing the provider to eavesdrop on
and impersonate that user.</t>
      <t>This document describes a protocol that enables a group of users to ensure that
they all have the same view of the public keys associated with each other's
accounts. Ensuring a consistent view allows users to detect when unauthorized
public keys have been associated with their account, indicating a potential
compromise.</t>
      <t>More detailed information about the protocol participants and the ways the
protocol can be deployed can be found in <xref target="ARCH"/>.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<section anchor="presentation-language">
        <name>Presentation Language</name>
        <t>This document uses the TLS presentation language <xref target="RFC8446"/> to describe the
structure of protocol messages, but does not require the use of a specific
transport protocol. As such, implementations do not necessarily need to transmit
messages according to the TLS format and can choose whichever encoding method
best suits their application. However, cryptographic computations <bcp14>MUST</bcp14> be done
with the TLS presentation language format to ensure the protocol's security
properties are maintained.</t>
        <t>An optional value is encoded with a presence-signaling octet, followed by the
value itself if present. When decoding, a presence octet with a value other than
0 or 1 <bcp14>MUST</bcp14> be rejected as malformed.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
    uint8 present;
    select (present) {
        case 0: struct{};
        case 1: T value;
    };
} optional<T>;
]]></sourcecode>
      </section>
    </section>
    <section anchor="tree-construction">
      <name>Tree Construction</name>
      <t>A Transparency Log is a verifiable data structure that maps a <em>label-version
pair</em> to some unstructured data such as a cryptographic public key. Labels
correspond to user identifiers, and a new version of a label is created each
time the label's associated value changes.</t>
      <t>KT uses a <em>prefix tree</em> to store a mapping from each label-version pair
to a commitment to the label's value at that version. Every time the prefix
tree changes, its new root hash and the current timestamp are stored in a <em>log
tree</em>. The benefit of the prefix tree is that it is easily searchable and the
benefit of the log tree is that it can easily be verified to be append-only. The
data structure powering KT combines a log tree and a prefix tree, and is called
the <em>combined tree</em>.</t>
      <t>This section describes the operation of prefix trees, log trees, and the
combined tree structure, at a high level. More precise algorithms for computing
the intermediate and root values of the trees are given in
<xref target="cryptographic-computations"/>.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>Trees consist of <em>nodes</em>, which have a byte string as their <em>value</em>. A node is
either a <em>leaf</em> if it has no children, or a <em>parent</em> if it has either a <em>left
child</em> or a <em>right child</em>. A node is the <em>root</em> of a tree if it has no parents,
and an <em>intermediate</em> if it has both children and parents. Nodes are <em>siblings</em>
if they share the same parent.</t>
        <t>The <em>descendants</em> of a node are that node, its children, and the descendants of
its children. A <em>subtree</em> of a tree is the tree given by the descendants of a
particular node, called the <em>head</em> of the subtree.</t>
        <t>The <em>direct path</em> of a root node is the empty list, and of any other node is the
concatenation of that node's parent along with the parent's direct path. The
<em>copath</em> of a node is the node's sibling concatenated with the list of siblings
of all the nodes in its direct path, excluding the root.</t>
        <t>The <em>size</em> of a tree or subtree is defined as the number of leaf nodes it
contains.</t>
      </section>
      <section anchor="log-tree">
        <name>Log Tree</name>
        <t>Log trees store information in the chronological order that it was added, and
are constructed as <em>left-balanced</em> binary trees.</t>
        <t>A binary tree is <em>balanced</em> if its size is a power of two and for any parent
node in the tree, its left and right subtrees have the same size. A binary tree
is <em>left-balanced</em> if for every parent, either the parent is balanced, or the
left subtree of that parent is the largest balanced subtree that could be
constructed from the leaves present in the parent's own subtree. Given a list of
<tt>n</tt> items, there is a unique left-balanced binary tree structure with these
elements as leaves. Note also that every parent always has both a left and right
child.</t>
        <figure>
          <name>A log tree containing five leaves.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="272" viewBox="0 0 272 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 144,112 L 144,128" fill="none" stroke="black"/>
                <path d="M 240,48 L 240,64" fill="none" stroke="black"/>
                <path d="M 264,96 L 264,192" fill="none" stroke="black"/>
                <path d="M 160,64 L 248,64" fill="none" stroke="black"/>
                <path d="M 112,128 L 176,128" fill="none" stroke="black"/>
                <path d="M 104,176 L 112,192" fill="none" stroke="black"/>
                <path d="M 176,128 L 184,144" fill="none" stroke="black"/>
                <path d="M 200,176 L 208,192" fill="none" stroke="black"/>
                <path d="M 248,64 L 264,96" fill="none" stroke="black"/>
                <path d="M 80,192 L 88,176" fill="none" stroke="black"/>
                <path d="M 104,144 L 112,128" fill="none" stroke="black"/>
                <path d="M 152,80 L 160,64" fill="none" stroke="black"/>
                <path d="M 176,192 L 184,176" fill="none" stroke="black"/>
                <g class="text">
                  <text x="240" y="36">X</text>
                  <text x="144" y="100">X</text>
                  <text x="96" y="164">X</text>
                  <text x="192" y="164">X</text>
                  <text x="72" y="212">X</text>
                  <text x="120" y="212">X</text>
                  <text x="168" y="212">X</text>
                  <text x="216" y="212">X</text>
                  <text x="264" y="212">X</text>
                  <text x="28" y="244">Index:</text>
                  <text x="72" y="244">0</text>
                  <text x="120" y="244">1</text>
                  <text x="168" y="244">2</text>
                  <text x="216" y="244">3</text>
                  <text x="264" y="244">4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                             X
                             |
                   .---------+.
                  /            \
                 X              |
                 |              |
             .---+---.          |
            /         \         |
           X           X        |
          / \         / \       |
         /   \       /   \      |
        X     X     X     X     X

Index:  0     1     2     3     4
]]></artwork>
          </artset>
        </figure>
        <t>Log trees initially consist of a single leaf node. New leaves are
added to the right-most edge of the tree along with a single parent node to
construct the left-balanced binary tree with <tt>n+1</tt> leaves.</t>
        <figure>
          <name>Example of inserting a new leaf with index 5 into the previously depicted log tree. Observe that only the nodes on the path from the new root to the new leaf change.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="320" viewBox="0 0 320 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 144,112 L 144,128" fill="none" stroke="black"/>
                <path d="M 240,48 L 240,64" fill="none" stroke="black"/>
                <path d="M 288,96 L 288,144" fill="none" stroke="black"/>
                <path d="M 160,64 L 272,64" fill="none" stroke="black"/>
                <path d="M 112,128 L 176,128" fill="none" stroke="black"/>
                <path d="M 104,176 L 112,192" fill="none" stroke="black"/>
                <path d="M 176,128 L 184,144" fill="none" stroke="black"/>
                <path d="M 200,176 L 208,192" fill="none" stroke="black"/>
                <path d="M 296,176 L 304,192" fill="none" stroke="black"/>
                <path d="M 272,64 L 288,96" fill="none" stroke="black"/>
                <path d="M 80,192 L 88,176" fill="none" stroke="black"/>
                <path d="M 104,144 L 112,128" fill="none" stroke="black"/>
                <path d="M 152,80 L 160,64" fill="none" stroke="black"/>
                <path d="M 176,192 L 184,176" fill="none" stroke="black"/>
                <path d="M 272,192 L 280,176" fill="none" stroke="black"/>
                <g class="text">
                  <text x="240" y="36">X</text>
                  <text x="144" y="100">X</text>
                  <text x="96" y="164">X</text>
                  <text x="192" y="164">X</text>
                  <text x="288" y="164">X</text>
                  <text x="72" y="212">X</text>
                  <text x="120" y="212">X</text>
                  <text x="168" y="212">X</text>
                  <text x="216" y="212">X</text>
                  <text x="264" y="212">X</text>
                  <text x="312" y="212">X</text>
                  <text x="28" y="244">Index:</text>
                  <text x="72" y="244">0</text>
                  <text x="120" y="244">1</text>
                  <text x="168" y="244">2</text>
                  <text x="216" y="244">3</text>
                  <text x="264" y="244">4</text>
                  <text x="312" y="244">5</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                             X
                             |
                   .---------+---.
                  /               \
                 X                 |
                 |                 |
             .---+---.             |
            /         \            |
           X           X           X
          / \         / \         / \
         /   \       /   \       /   \
        X     X     X     X     X     X

Index:  0     1     2     3     4     5
]]></artwork>
          </artset>
        </figure>
        <t>Leaves can have arbitrary data as their value, and are frequently referred to as
"log entries" later in the document. The value of a parent node is always the
hash of the combined values of its left and right children.</t>
        <t>Log trees are powerful in that they can provide both <em>inclusion proofs</em>, which
demonstrate that a leaf is included in a log, and <em>consistency proofs</em>, which
demonstrate that a new version of a log is an extension of a previous version.</t>
        <t>Inclusion and consistency proofs in KT differ from similar protocols in that
proofs only ever contain the values of nodes that are the head of a balanced
subtree. Whenever the value of the head of a non-balanced subtree is needed by a
verifier, the prover breaks down the non-balanced subtree into the
smallest-possible number of balanced subtrees and provides the value of the head
of each. This allows verifiers to cache a larger number of intermediate values
than would otherwise be possible, reducing the size of subsequent responses.</t>
        <t>As a result, an inclusion proof for a leaf is given by providing the copath
values of the leaf with any non-balanced subtrees broken down as mentioned. The
proof is verified by hashing the leaf value together with the copath values,
re-computing the head values of non-balanced subtrees where needed, and checking
that the result equals the root value of the log.</t>
        <figure>
          <name>Illustration of an inclusion proof. To verify that leaf 2 is included in the tree, the prover provides the verifier with the values of leaf 2's copath. These nodes are marked by (X).</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="320" viewBox="0 0 320 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 144,112 L 144,128" fill="none" stroke="black"/>
                <path d="M 240,48 L 240,64" fill="none" stroke="black"/>
                <path d="M 288,96 L 288,144" fill="none" stroke="black"/>
                <path d="M 160,64 L 272,64" fill="none" stroke="black"/>
                <path d="M 112,128 L 176,128" fill="none" stroke="black"/>
                <path d="M 104,176 L 112,192" fill="none" stroke="black"/>
                <path d="M 176,128 L 184,144" fill="none" stroke="black"/>
                <path d="M 200,176 L 208,192" fill="none" stroke="black"/>
                <path d="M 296,176 L 304,192" fill="none" stroke="black"/>
                <path d="M 272,64 L 288,96" fill="none" stroke="black"/>
                <path d="M 80,192 L 88,176" fill="none" stroke="black"/>
                <path d="M 104,144 L 112,128" fill="none" stroke="black"/>
                <path d="M 152,80 L 160,64" fill="none" stroke="black"/>
                <path d="M 176,192 L 184,176" fill="none" stroke="black"/>
                <path d="M 272,192 L 280,176" fill="none" stroke="black"/>
                <g class="text">
                  <text x="240" y="36">X</text>
                  <text x="144" y="100">X</text>
                  <text x="96" y="164">(X)</text>
                  <text x="192" y="164">X</text>
                  <text x="288" y="164">(X)</text>
                  <text x="72" y="212">X</text>
                  <text x="120" y="212">X</text>
                  <text x="168" y="212">X</text>
                  <text x="216" y="212">(X)</text>
                  <text x="264" y="212">X</text>
                  <text x="312" y="212">X</text>
                  <text x="28" y="244">Index:</text>
                  <text x="72" y="244">0</text>
                  <text x="120" y="244">1</text>
                  <text x="168" y="244">2</text>
                  <text x="216" y="244">3</text>
                  <text x="264" y="244">4</text>
                  <text x="312" y="244">5</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                             X
                             |
                   .---------+---.
                  /               \
                 X                 |
                 |                 |
             .---+---.             |
            /         \            |
          (X)          X          (X)
          / \         / \         / \
         /   \       /   \       /   \
        X     X     X    (X)    X     X

Index:  0     1     2     3     4     5
]]></artwork>
          </artset>
        </figure>
        <t>When requesting a consistency proof, verifiers are expected to have retained the
head values of the largest-possible balanced subtrees (these will later be
defined as the "full subtrees") of the previous version of the log. A
consistency proof then consists of the minimum set of node values that are
necessary to compute the root value of the new version of the log from the
values that the verifier retained.</t>
        <figure>
          <name>Illustration of a consistency proof between a log with 5 and with 7 leaves respectively. The verifier is expected to already have the values (X), so the prover provides the verifier with the values of the nodes marked [X]. By combining these, the verifier is able to compute the new root value of the log.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="376" viewBox="0 0 376 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 144,112 L 144,128" fill="none" stroke="black"/>
                <path d="M 240,48 L 240,64" fill="none" stroke="black"/>
                <path d="M 336,112 L 336,128" fill="none" stroke="black"/>
                <path d="M 360,160 L 360,192" fill="none" stroke="black"/>
                <path d="M 160,64 L 320,64" fill="none" stroke="black"/>
                <path d="M 112,128 L 176,128" fill="none" stroke="black"/>
                <path d="M 304,128 L 344,128" fill="none" stroke="black"/>
                <path d="M 104,176 L 112,192" fill="none" stroke="black"/>
                <path d="M 176,128 L 184,144" fill="none" stroke="black"/>
                <path d="M 200,176 L 208,192" fill="none" stroke="black"/>
                <path d="M 296,176 L 304,192" fill="none" stroke="black"/>
                <path d="M 344,128 L 360,160" fill="none" stroke="black"/>
                <path d="M 320,64 L 328,80" fill="none" stroke="black"/>
                <path d="M 80,192 L 88,176" fill="none" stroke="black"/>
                <path d="M 104,144 L 112,128" fill="none" stroke="black"/>
                <path d="M 152,80 L 160,64" fill="none" stroke="black"/>
                <path d="M 176,192 L 184,176" fill="none" stroke="black"/>
                <path d="M 272,192 L 280,176" fill="none" stroke="black"/>
                <path d="M 296,144 L 304,128" fill="none" stroke="black"/>
                <g class="text">
                  <text x="240" y="36">X</text>
                  <text x="144" y="100">(X)</text>
                  <text x="336" y="100">X</text>
                  <text x="96" y="164">X</text>
                  <text x="192" y="164">X</text>
                  <text x="288" y="164">X</text>
                  <text x="72" y="212">X</text>
                  <text x="120" y="212">X</text>
                  <text x="168" y="212">X</text>
                  <text x="216" y="212">X</text>
                  <text x="264" y="212">(X)</text>
                  <text x="312" y="212">[X]</text>
                  <text x="360" y="212">[X]</text>
                  <text x="28" y="244">Index:</text>
                  <text x="72" y="244">0</text>
                  <text x="120" y="244">1</text>
                  <text x="168" y="244">2</text>
                  <text x="216" y="244">3</text>
                  <text x="264" y="244">4</text>
                  <text x="312" y="244">5</text>
                  <text x="360" y="244">6</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                             X
                             |
                   .---------+---------.
                  /                     \
                (X)                      X
                 |                       |
             .---+---.               .---+.
            /         \             /      \
           X           X           X        |
          / \         / \         / \       |
         /   \       /   \       /   \      |
        X     X     X     X    (X)   [X]   [X]

Index:  0     1     2     3     4     5     6
]]></artwork>
          </artset>
        </figure>
      </section>
      <section anchor="prefix-tree">
        <name>Prefix Tree</name>
        <t>Prefix trees store a mapping between search keys and their corresponding values,
with the ability to efficiently prove that a search key's value was looked up
correctly.</t>
        <t>Each leaf node in a prefix tree represents a specific mapping from search key to
value, while each parent node represents some prefix which all search keys in
the subtree headed by that node have in common. The subtree headed by a parent's
left child contains all search keys that share its prefix followed by an
additional 0 bit, while the subtree headed by a parent's right child contains
all search keys that share its prefix followed by an additional 1 bit.</t>
        <t>The root node, in particular, represents the empty string as a prefix. The
root's left child contains all search keys that begin with a 0 bit, while the right
child contains all search keys that begin with a 1 bit.</t>
        <t>A prefix tree can be searched by starting at the root node and moving to the
left child if the first bit of a search key is 0, or the right child if the first bit
is 1. This is then repeated for the second bit, third bit, and so on until the
search either terminates at a leaf node (which may or may not be for the desired
search key), or a parent node that lacks the desired child.</t>
        <figure>
          <name>A prefix tree containing five entries.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="296" viewBox="0 0 296 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 104,112 L 104,144" fill="none" stroke="black"/>
                <path d="M 176,48 L 176,64" fill="none" stroke="black"/>
                <path d="M 240,112 L 240,128" fill="none" stroke="black"/>
                <path d="M 272,160 L 272,192" fill="none" stroke="black"/>
                <path d="M 112,64 L 224,64" fill="none" stroke="black"/>
                <path d="M 216,128 L 256,128" fill="none" stroke="black"/>
                <path d="M 112,176 L 120,192" fill="none" stroke="black"/>
                <path d="M 208,176 L 216,192" fill="none" stroke="black"/>
                <path d="M 224,64 L 232,80" fill="none" stroke="black"/>
                <path d="M 256,128 L 272,160" fill="none" stroke="black"/>
                <path d="M 104,80 L 112,64" fill="none" stroke="black"/>
                <path d="M 88,192 L 96,176" fill="none" stroke="black"/>
                <path d="M 184,192 L 192,176" fill="none" stroke="black"/>
                <path d="M 208,144 L 216,128" fill="none" stroke="black"/>
                <g class="text">
                  <text x="176" y="36">X</text>
                  <text x="104" y="100">0</text>
                  <text x="240" y="100">1</text>
                  <text x="104" y="164">0</text>
                  <text x="200" y="164">0</text>
                  <text x="20" y="212">Key:</text>
                  <text x="80" y="212">00010</text>
                  <text x="128" y="212">00101</text>
                  <text x="176" y="212">10001</text>
                  <text x="224" y="212">10111</text>
                  <text x="272" y="212">11011</text>
                  <text x="28" y="228">Value:</text>
                  <text x="96" y="228">A</text>
                  <text x="144" y="228">B</text>
                  <text x="192" y="228">C</text>
                  <text x="240" y="228">D</text>
                  <text x="288" y="228">E</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                     X
                     |
             .-------+-----.
            /               \
            0                1
            |                |
            |             .--+-.
            |            /      \
            0           0        |
           / \         / \       |
          /   \       /   \      |
Key:   00010 00101 10001 10111 11011
Value:     A     B     C     D     E
]]></artwork>
          </artset>
        </figure>
        <t>New key-value pairs are added to the tree by searching it according to the same process.
If the search terminates at a parent without a left or right child, a new leaf
is simply added as the parent's missing child. If the search terminates at a
leaf for the wrong search key, one or more intermediate nodes are added until the new
leaf and the existing leaf would no longer reside in the same place. That is,
until we reach the first bit that differs between the new search key and the existing
search key.</t>
        <figure>
          <name>The previous prefix tree after adding the key-value pair: 01101 -&gt; F.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="240" width="344" viewBox="0 0 344 240" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 144,112 L 144,128" fill="none" stroke="black"/>
                <path d="M 176,160 L 176,192" fill="none" stroke="black"/>
                <path d="M 216,48 L 216,64" fill="none" stroke="black"/>
                <path d="M 288,112 L 288,128" fill="none" stroke="black"/>
                <path d="M 320,160 L 320,192" fill="none" stroke="black"/>
                <path d="M 160,64 L 272,64" fill="none" stroke="black"/>
                <path d="M 120,128 L 160,128" fill="none" stroke="black"/>
                <path d="M 264,128 L 304,128" fill="none" stroke="black"/>
                <path d="M 112,176 L 120,192" fill="none" stroke="black"/>
                <path d="M 160,128 L 176,160" fill="none" stroke="black"/>
                <path d="M 256,176 L 264,192" fill="none" stroke="black"/>
                <path d="M 272,64 L 280,80" fill="none" stroke="black"/>
                <path d="M 304,128 L 320,160" fill="none" stroke="black"/>
                <path d="M 88,192 L 96,176" fill="none" stroke="black"/>
                <path d="M 112,144 L 120,128" fill="none" stroke="black"/>
                <path d="M 152,80 L 160,64" fill="none" stroke="black"/>
                <path d="M 232,192 L 240,176" fill="none" stroke="black"/>
                <path d="M 256,144 L 264,128" fill="none" stroke="black"/>
                <g class="text">
                  <text x="216" y="36">X</text>
                  <text x="144" y="100">0</text>
                  <text x="288" y="100">1</text>
                  <text x="104" y="164">0</text>
                  <text x="248" y="164">0</text>
                  <text x="28" y="212">Index:</text>
                  <text x="80" y="212">00010</text>
                  <text x="128" y="212">00101</text>
                  <text x="176" y="212">01101</text>
                  <text x="224" y="212">10001</text>
                  <text x="272" y="212">10111</text>
                  <text x="320" y="212">11011</text>
                  <text x="28" y="228">Value:</text>
                  <text x="96" y="228">A</text>
                  <text x="144" y="228">B</text>
                  <text x="192" y="228">F</text>
                  <text x="240" y="228">C</text>
                  <text x="288" y="228">D</text>
                  <text x="336" y="228">E</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                          X
                          |
                   .------+------.
                  /               \
                 0                 1
                 |                 |
              .--+-.            .--+-.
             /      \          /      \
            0        |        0        |
           / \       |       / \       |
          /   \      |      /   \      |
Index: 00010 00101 01101 10001 10111 11011
Value:     A     B     F     C     D     E
]]></artwork>
          </artset>
        </figure>
        <t>The value of a leaf node is the encoded key-value pair, while the value of a
parent node is the hash of the combined values of its left and right children
(or a stand-in value when one of the children doesn't exist).</t>
        <t>An inclusion proof is given by providing the leaf value, along with the value of
each copath node along the search path. A non-inclusion proof is given by
providing an abridged inclusion proof that follows the path for the intended
search key, but ends either at a stand-in node or a leaf for a different search
key. In either case, the proof is verified by hashing together the leaf with the
copath values and checking that the result equals the root value of the tree.</t>
      </section>
      <section anchor="combined-tree">
        <name>Combined Tree</name>
        <t>Log trees are desirable because they can provide efficient consistency proofs to
show verifiers that nothing has been removed from a log that was present in a
previous version. However, log trees can't be efficiently searched without
downloading the entire log. Prefix trees are efficient to search and can provide
inclusion proofs to show verifiers that the returned search results are
correct. However, it's not possible to efficiently prove that a new version of a
prefix tree contains the same data as a previous version with only new values
added.</t>
        <t>In the combined tree structure, based on <xref target="Merkle2"/>, each label-version pair
stored by a Transparency Log corresponds to a search key in a prefix tree. This
prefix tree maps the label-version pair's search key to a commitment to the
label's value at that version. To allow users to track changes to the prefix
tree, a log tree contains a record of each version of the prefix tree along with
the timestamp of when it was published. With some caveats, this combined
structure supports both efficient consistency proofs and can be efficiently
searched.</t>
        <t>Note that, while a Transparency Log implementation would likely maintain a
single logical prefix tree, every modification to the prefix tree changes its
root value, and the updated root value is then stored in the log tree. As part
of the protocol, the Transparency Log is often required to perform lookups in
different versions of the prefix tree. Different versions of the prefix tree are
identified by the log entry where their root value was stored.</t>
        <figure>
          <name>An example evolution of the log tree in the combined tree structure. Every new log entry added contains the timestamp T_n of when it was created and the new prefix tree root hash PT_n.</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="112" width="560" viewBox="0 0 560 112" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 72,32 L 72,48" fill="none" stroke="black"/>
                <path d="M 360,32 L 360,48" fill="none" stroke="black"/>
                <path d="M 440,48 L 440,64" fill="none" stroke="black"/>
                <path d="M 40,48 L 112,48" fill="none" stroke="black"/>
                <path d="M 280,48 L 432,48" fill="none" stroke="black"/>
                <path d="M 200,62 L 216,62" fill="none" stroke="black"/>
                <path d="M 200,66 L 216,66" fill="none" stroke="black"/>
                <path d="M 384,64 L 480,64" fill="none" stroke="black"/>
                <path d="M 32,48 L 60,104" fill="none" stroke="black"/>
                <path d="M 112,48 L 128,80" fill="none" stroke="black"/>
                <path d="M 272,48 L 300,104" fill="none" stroke="black"/>
                <path d="M 480,64 L 488,80" fill="none" stroke="black"/>
                <path d="M 4,104 L 32,48" fill="none" stroke="black"/>
                <path d="M 244,104 L 272,48" fill="none" stroke="black"/>
                <path d="M 376,80 L 384,64" fill="none" stroke="black"/>
                <path d="M 4,104 L 60,104" fill="none" stroke="black"/>
                <path d="M 244,104 L 300,104" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="224,64 212,58.4 212,69.6" fill="black" transform="rotate(0,216,64)"/>
                <circle cx="32" cy="48" r="6" class="opendot" fill="white" stroke="black"/>
                <circle cx="72" cy="32" r="6" class="opendot" fill="white" stroke="black"/>
                <circle cx="272" cy="48" r="6" class="opendot" fill="white" stroke="black"/>
                <circle cx="360" cy="32" r="6" class="opendot" fill="white" stroke="black"/>
                <circle cx="440" cy="48" r="6" class="opendot" fill="white" stroke="black"/>
                <g class="text">
                  <text x="104" y="100">(T_n,</text>
                  <text x="152" y="100">PT_n)</text>
                  <text x="344" y="100">(T_n,</text>
                  <text x="392" y="100">PT_n)</text>
                  <text x="464" y="100">(T_n+1,</text>
                  <text x="528" y="100">PT_n+1)</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
        o                                   o
   o----+----.                   o----------+---------o
  / \         \         ==>     / \            .------+----.
 /   \         |               /   \          /             \
/_____\   (T_n, PT_n)         /_____\   (T_n, PT_n)   (T_n+1, PT_n+1)
]]></artwork>
          </artset>
        </figure>
        <t>It's also worth noting that an arbitrary number of label-version pairs can be
added or removed from the prefix tree between subsequent log entries. That is,
the Transparency Log is not constrained to making one change to the prefix tree
per log entry. This allows changes to the prefix tree to be efficiently batched,
and batching prefix tree modifications allows Transparency Logs to achieve
significantly higher throughput than they otherwise would be able to.</t>
      </section>
    </section>
    <section anchor="updating-views-of-the-tree">
      <name>Updating Views of the Tree</name>
      <t>As users interact with the Transparency Log over time, they will see many
different root hashes as the contents of the log changes. It's necessary for
users to guarantee that the root hashes they observe are consistent with respect
to two important properties:</t>
      <ul spacing="normal">
        <li>
          <t>If root hash B is shown after root hash A, then root hash B contains all the
same log entries as A with any new log entries added to the rightmost edge of
A.</t>
        </li>
        <li>
          <t>All log entries in the range starting from the rightmost log entry of A and
ending at the rightmost log entry of B, have monotonically increasing
timestamps.</t>
        </li>
      </ul>
      <t>The first property is necessary to ensure that the Transparency Log never
removes a log entry after showing it to a user, as this would allow the
Transparency Log to remove evidence of its own misbehavior. The second property
ensures that all users have a consistent view of when each portion of the tree
was created. As will be discussed in later sections, users rely on log entry
timestamps to decide whether to continue monitoring certain labels and which
portions of the tree to skip when searching. Disagreement on when portions of
the tree were created can cause users to disagree on the value of a
label-version pair, introducing the same security issues as a fork.</t>
      <t>Proving the first property, that the log tree is append-only, can be done by
providing a consistency proof from the log tree. Proving the second property,
that newly added log entries have monotonically increasing timestamps, requires
establishing some additional structure on the log's contents.</t>
      <section anchor="implicit-binary-search-tree">
        <name>Implicit Binary Search Tree</name>
        <t>Intuitively, the leaves of the log tree can be considered a flat array
representation of a binary tree. This structure is similar to the log tree, but
distinguished by the fact that not all parent nodes have two children.</t>
        <figure>
          <name>A binary tree constructed from 14 entries in a log</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="392" viewBox="0 0 392 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 144,112 L 144,128" fill="none" stroke="black"/>
                <path d="M 240,48 L 240,64" fill="none" stroke="black"/>
                <path d="M 336,112 L 336,128" fill="none" stroke="black"/>
                <path d="M 160,64 L 320,64" fill="none" stroke="black"/>
                <path d="M 112,128 L 176,128" fill="none" stroke="black"/>
                <path d="M 304,128 L 368,128" fill="none" stroke="black"/>
                <path d="M 104,176 L 112,192" fill="none" stroke="black"/>
                <path d="M 176,128 L 184,144" fill="none" stroke="black"/>
                <path d="M 200,176 L 208,192" fill="none" stroke="black"/>
                <path d="M 296,176 L 304,192" fill="none" stroke="black"/>
                <path d="M 320,64 L 328,80" fill="none" stroke="black"/>
                <path d="M 368,128 L 376,144" fill="none" stroke="black"/>
                <path d="M 80,192 L 88,176" fill="none" stroke="black"/>
                <path d="M 104,144 L 112,128" fill="none" stroke="black"/>
                <path d="M 152,80 L 160,64" fill="none" stroke="black"/>
                <path d="M 176,192 L 184,176" fill="none" stroke="black"/>
                <path d="M 272,192 L 280,176" fill="none" stroke="black"/>
                <path d="M 296,144 L 304,128" fill="none" stroke="black"/>
                <path d="M 368,192 L 376,176" fill="none" stroke="black"/>
                <g class="text">
                  <text x="240" y="36">X</text>
                  <text x="144" y="100">X</text>
                  <text x="336" y="100">X</text>
                  <text x="96" y="164">X</text>
                  <text x="192" y="164">X</text>
                  <text x="288" y="164">X</text>
                  <text x="384" y="164">X</text>
                  <text x="72" y="212">X</text>
                  <text x="120" y="212">X</text>
                  <text x="168" y="212">X</text>
                  <text x="216" y="212">X</text>
                  <text x="264" y="212">X</text>
                  <text x="312" y="212">X</text>
                  <text x="360" y="212">X</text>
                  <text x="28" y="244">Index:</text>
                  <text x="72" y="244">0</text>
                  <text x="96" y="244">1</text>
                  <text x="120" y="244">2</text>
                  <text x="144" y="244">3</text>
                  <text x="168" y="244">4</text>
                  <text x="192" y="244">5</text>
                  <text x="216" y="244">6</text>
                  <text x="240" y="244">7</text>
                  <text x="264" y="244">8</text>
                  <text x="288" y="244">9</text>
                  <text x="308" y="244">10</text>
                  <text x="332" y="244">11</text>
                  <text x="356" y="244">12</text>
                  <text x="380" y="244">13</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
                             X
                             |
                   .---------+---------.
                  /                     \
                 X                       X
                 |                       |
             .---+---.               .---+---.
            /         \             /         \
           X           X           X           X
          / \         / \         / \         /
         /   \       /   \       /   \       /
        X     X     X     X     X     X     X

Index:  0  1  2  3  4  5  6  7  8  9 10 11 12 13
]]></artwork>
          </artset>
        </figure>
        <t>The implicit binary search tree containing <tt>n</tt> entries can be defined
inductively. The index of the root log entry in the implicit binary search tree
is the greatest power of two, minus one, that is less than the size of the
log. That is <tt>i_root = 2^floor(log2(n)) - 1</tt>. The left
subtree is the implicit binary search tree of size <tt>i_root</tt>, i.e. the implicit
binary search tree for all elements with a smaller index than the root. The
right subtree is the implicit binary search tree of size <tt>n-i_root-1</tt>, but
offset with <tt>i_root+1</tt>. Initially, these will be all indices larger than the
root.</t>
        <t>Users ensure that log entry timestamps are monotonic by enforcing that the
structure of this search tree holds. That is, users check that any timestamp
they observe in the root's left subtree is less than or equal to the root's
timestamp, and that any timestamp they observe in the root's right subtree is
greater than or equal to the root's timestamp, and so on recursively. Following
this tree structure ensures that users can detect misbehavior quickly while
minimizing the number of log entries that need to be checked.</t>
        <t>As an example, consider a log with 50 entries. Instead of having the root be the
typical "middle" entry of <tt>50/2 = 25</tt>, the root would be entry 31. As new log
entries are added, users that interact with the Transparency Log will
consistently verify the timestamps of other log entries against that of entry 31
until the log roughly doubles in size and a new root is established at entry 63.</t>
        <t>The protocol frequently refers to the <strong>frontier</strong> of the log, which is defined
as the root log entry followed by the root's right child, the right child's
right child, and so on until the rightmost log entry is reached. Using the same
example of a log with 50 entries, the frontier would be entries: <tt>31, 47, 49</tt>.</t>
        <t>Example code for efficiently navigating the implicit binary search tree is
provided in <xref target="appendix-implicit-search-tree"/>.</t>
      </section>
      <section anchor="update-view-algorithm">
        <name>Algorithm</name>
        <t>Users retain the following information about the last tree head they've
observed:</t>
        <ol spacing="normal" type="1"><li>
            <t>The size of the log tree (that is, the number of leaves it contained).</t>
          </li>
          <li>
            <t>The head values of the log tree's <strong>full subtrees</strong>. The full subtrees are
the balanced subtrees which are as large as possible, meaning that they do
not have another balanced subtree as their parent.</t>
          </li>
          <li>
            <t>The log entries along the frontier.</t>
          </li>
        </ol>
        <t>When users make queries to the Transparency Log, they advertise the size of the
last tree head they observed. If the Transparency Log responds with an
updated tree head, it first provides a consistency proof to show that the new
tree head is an extension of the previous one. It then also provides the
following:</t>
        <ul spacing="normal">
          <li>
            <t>In the new implicit binary search tree, compute the direct path of the log
entry with index <tt>size-1</tt>, where <tt>size</tt> is the tree size advertised by the
user. Provide the timestamp of each log entry in the direct path whose index
is greater than or equal to <tt>size</tt>.</t>
          </li>
          <li>
            <t>The last of these log entries will lie on the new tree's frontier. From
this log entry, compute the remainder of the frontier. That is, compute the
log entry's right child, the right child's right child, and so on. Provide
the timestamps for these log entries as well.</t>
          </li>
        </ul>
        <t>Users verify that the first timestamp is greater than or equal to the timestamp
of the rightmost log entry they retained, and that each subsequent timestamp is
greater than or equal to the one prior. This only requires users to verify a
logarithmic number of the newly added log entries' timestamps and guarantees
that two users with overlapping views of the tree will detect any violations.
While retaining only the rightmost log entry's timestamp would be sufficient for
this purpose, users retain all log entries along the frontier. The additional
data is retained to make later parts of the protocol more efficient.</t>
        <t>The Transparency Log defines two durations: how far ahead and how far behind the
current time the rightmost log entry's timestamp may be. Users verify this
against their local clock at the time they receive the query response.</t>
        <t>For users that have never interacted with the Transparency Log before and don't
have a previous tree head to advertise, the Transparency Log simply provides the
log entries along the frontier. The user verifies that the timestamp of each is
greater than or equal to the one prior, and that the rightmost timestamp is
within the defined bounds of the user's local clock.</t>
      </section>
    </section>
    <section anchor="binary-ladder">
      <name>Binary Ladder</name>
      <t>A <strong>binary ladder</strong> is a series of lookups, producing a series of inclusion and
non-inclusion proofs, from a single log entry's prefix tree. The purpose of a
binary ladder varies depending on the exact context in which it is provided, but
it is generally to establish some bound on the greatest version of a label that
existed as of a particular log entry. All binary ladders are variants of the
following series of lookups that exactly determines the greatest version of a
label that exists:</t>
      <ol spacing="normal" type="1"><li>
          <t>First, version <tt>x</tt> of the label is looked up, where <tt>x</tt> is a consecutively
higher power of two minus one (0, 1, 3, 7, ...). This is repeated until the
first non-inclusion proof is produced.</t>
        </li>
        <li>
          <t>Once the first non-inclusion proof is produced, a binary search is conducted
between the greatest version that was proved to be included and the version
that was proved to not be included. Each step of the binary search produces
either an inclusion or non-inclusion proof which guides the search left or
right until it terminates.</t>
        </li>
      </ol>
      <t>As an example, if the greatest version of a label that existed in a particular
log entry was version 6, that would be established by the following: inclusion
proofs for versions 0, 1, 3, a non-inclusion proof for version 7, then followed
by inclusion proofs for versions 5 and 6. This series of lookups uniquely
identifies 6 as the greatest version that exists, in the sense that the
Transparency Log would be unable to prove a different greatest version to any
user.</t>
      <t>While the description above may imply that the series of lookups is interactive,
this is not the case in practice. Users may receive one or more binary ladders,
corresponding to the same or different log entries, in a single query response.
The Transparency Log's query response always contains sufficient information to
allow users to predict the outcome of each lookup (inclusion or non-inclusion of
a particular version) in the binary ladder.</t>
      <t>Example code for computing the versions of a label that go in a binary ladder is
provided in <xref target="appendix-binary-ladder"/>.</t>
    </section>
    <section anchor="greatest-version-search">
      <name>Greatest-Version Search</name>
      <t>Users often wish to search for the "most recent" version, or the greatest
version, of a label. Since label owners regularly verify that the greatest
version is correctly represented in the log, this enables a relatively simple
approach to searching.</t>
      <t>Users reuse the implicit binary search tree from <xref target="implicit-binary-search-tree"/>
to execute their search. This ensures that all users will check the same or
similar log entries when searching for a label, allowing the Transparency Log to
be monitored efficiently. This section additionally defines the concept of a
distinguished log entry, which is any log entry that label owners are required
to check for correctness. Given this, users can start their search at the
rightmost distinguished log entry and only consider new versions which have been
created since then.</t>
      <section anchor="reasonable-monitoring-window">
        <name>Reasonable Monitoring Window</name>
        <t>Transparency Logs define a duration, referred to as the <strong>Reasonable Monitoring
Window</strong> (RMW), which is the frequency with which the Transparency Log generally
expects label owners to perform monitoring.</t>
        <t><strong>Distinguished</strong> log entries are chosen according to the recursive algorithm
below, such that there is roughly one per every interval of the RMW:</t>
        <ol spacing="normal" type="1"><li>
            <t>Take as input: a log entry, the timestamp of a log entry to its left, and the
timestamp of a log entry to its right.</t>
          </li>
          <li>
            <t>If the right timestamp minus the left timestamp is less than the Reasonable
Monitoring Window, terminate the algorithm. Otherwise, declare that the given
log entry is distinguished and then:</t>
          </li>
          <li>
            <t>If the given log entry has a left child in the implicit binary search tree,
recurse to its subtree by executing this algorithm with: the given log
entry's left child, the given left timestamp, and the timestamp of the given
log entry.</t>
          </li>
          <li>
            <t>If the given log entry has a right child, recurse to its subtree by executing
this algorithm with: the given log entry's right child, the timestamp of the
given log entry, and the given right timestamp.</t>
          </li>
        </ol>
        <t>The algorithm is initialized with these parameters: the root node in the
implicit binary search tree, the timestamp 0, and the timestamp of the rightmost
log entry. Note that step 2 is specifically "less than" and not "less than or
equal to"; this ensures correct behavior when the RMW is zero.</t>
        <t>This process for choosing distinguished log entries ensures that they are
<strong>regularly spaced</strong>. Having irregularly spaced distinguished log entries risks
either overwhelming label owners with a large number of them, or delaying
consensus between users by having arbitrarily few. Distinguished log entries
must reliably occur at roughly the same interval as the Reasonable Monitoring
Window regardless of variations in how quickly new log entries are added.</t>
        <t>This process also ensures that distinguished log entries are <strong>stable</strong>. Once a
log entry is chosen to be distinguished, it will never stop being distinguished.
This ensures that, if a user looks up a label and checks consistency with some
distinguished log entry, this log entry can't later avoid inspection by the
label owner by losing its distinguished status.</t>
      </section>
      <section anchor="search-binary-ladder">
        <name>Binary Ladder</name>
        <t>To perform a search, users need to be able to inspect individual log entries and
determine the greatest version of the label that was present in the prefix tree
at that time. Specifically, they need to be able to determine if the greatest
version of the label was greater than, equal to, or less than their <strong>target
version</strong>.</t>
        <t>This is accomplished by having the Transparency Log provide a binary ladder from
the log entry. Binary ladders provided for the purpose of searching the tree are
called <strong>search binary ladders</strong> and follow the series of lookups described in
<xref target="binary-ladder"/>, but with two optimizations:</t>
        <t>First, the series of lookups ends after the first inclusion proof for a version
greater than the target version, or the first non-inclusion proof for a version
less than or equal to the target version. Providing additional lookups is
unnecessary, since the user only needs to know whether the greatest version of
the label that exists is greater than, equal to, or less than the target
version, rather than its exact value. However, note that the binary ladder
continues after receiving an inclusion proof for a version <strong>equal</strong> to the
target version, as this is often needed to determine whether or not any versions
greater than the target version exist.</t>
        <t>Second, depending on the context in which the binary ladder is provided, the
Transparency Log may omit inclusion proofs for any versions where another
inclusion proof for the same version was already provided in the same query
response for a log entry to the left. Similarly, the Transparency Log may omit
non-inclusion proofs for any versions of the label where another non-inclusion
proof for the same version was already provided in the same query response for a
log entry to the right. Whether or not these lookups are omitted is specified in
context.</t>
      </section>
      <section anchor="gv-algorithm">
        <name>Algorithm</name>
        <t>The algorithm for performing a greatest-version search is described below as a
recursive algorithm. It starts at the rightmost distinguished log entry, or the
root of the implicit binary search tree if there are no distinguished log
entries, and then recurses down the remainder of the frontier, each time
starting back at step 1:</t>
        <ol spacing="normal" type="1"><li>
            <t>Obtain a search binary ladder from the current log entry where the target
version is the claimed greatest version of the label, omitting redundant
lookups.</t>
          </li>
          <li>
            <t>Verify that the binary ladder terminates in a way that is consistent with the
claimed greatest version of the label. That is, verify that every lookup for
a version greater than the target version results in a non-inclusion proof.
If this is the rightmost log entry, additionally verify that every lookup for
a version less than or equal to the target version results in an inclusion
proof.</t>
          </li>
          <li>
            <t>If this is not the rightmost log entry, recurse to the log entry's right
child.</t>
          </li>
        </ol>
        <t>The terminal log entry of the search is defined as the leftmost log entry
inspected that contains the greatest version of the label. If the Transparency
Log is deployed in Contact Monitoring mode and the terminal log entry of the
search is to the right of the rightmost distinguished log entry, the user <bcp14>MUST</bcp14>
monitor the label as described in <xref target="monitoring-the-tree"/>.</t>
      </section>
    </section>
    <section anchor="fixed-version-search">
      <name>Fixed-Version Search</name>
      <t>When searching the combined tree structure described in <xref target="combined-tree"/> for a
specific version of a label, users essentially perform a binary search for the
first log entry where the prefix tree contained the target version of the label.
This search may terminate early if the user discovers a log entry where the
target version of the label is the greatest that exists, as this is assumed to
have been verified by the label owner (discussed in <xref target="monitoring-the-tree"/>).</t>
      <section anchor="maximum-lifetime">
        <name>Maximum Lifetime</name>
        <t>A Transparency Log operator <bcp14>MAY</bcp14> define a maximum lifetime for log entries. If
defined, it <bcp14>MUST</bcp14> be greater than zero and greater than the RMW. Whether a log
entry is expired is determined by subtracting the timestamp of the log entry in
question from the timestamp of the rightmost log entry and checking if the
result is greater than or equal to the defined duration.</t>
        <t>A user executing a search may arrive at an expired log entry by either of two
ways: The user may have inspected a log entry which is <strong>not</strong> expired and
decided to recurse to the log entry's left child, which is expired.
Alternatively, the root log entry might be expired, in which case the user
would've started their search at an expired root log entry.</t>
        <t>Regardless of how the user arrived at the expired log entry, the user's next
step is always to recurse to the log entry's right child (if one exists) without
receiving a binary ladder. This allows the Transparency Log to prune large
sections of the log tree and any versions of the prefix tree that are older
than the defined maximum lifetime. Pruning is explained in more detail in
<xref target="ARCH"/>.</t>
      </section>
      <section anchor="fv-algorithm">
        <name>Algorithm</name>
        <t>The algorithm for performing a fixed-version search is described below as a
recursive algorithm. It starts with the root log entry, as defined by the
implicit binary search tree, and then recurses to left or right children, each
time starting back at step 1.</t>
        <ol spacing="normal" type="1"><li>
            <t>If the log entry is expired, recurse to the log entry's right child. If the
log entry does not have a right child, proceed to step 6.</t>
          </li>
          <li>
            <t>Obtain a search binary ladder from the current log entry for the target
version, omitting redundant lookups as described in <xref target="search-binary-ladder"/>.
Determine whether the binary ladder indicates a greatest version of the label
that is greater than, equal to, or less than the target version.</t>
          </li>
          <li>
            <t>If the binary ladder indicates a greatest version less than the target
version (that is, if it contains a non-inclusion proof for a version less
than or equal to the target version), then recurse to the log entry's right
child. If the log entry does not have a right child, proceed to step 6.</t>
          </li>
          <li>
            <t>If the binary ladder indicates a greatest version greater than the target
version (that is, if it contains an inclusion proof for a version greater
than the target version), then recurse to the log entry's left child. If the
log entry does not have a left child, proceed to step 6.</t>
          </li>
          <li>
            <t>If the binary ladder indicates a greatest version equal to the target version
(that is, it contains inclusion proofs for all expected versions less than or
equal to the target and non-inclusion proofs for all expected versions
greater than the target), then:  </t>
            <ol spacing="normal" type="1"><li>
                <t>If there are no expired log entries in the current log entry's direct
path, then terminate the search successfully.</t>
              </li>
              <li>
                <t>Otherwise, identify whether the log entry itself is distinguished, or
whether there are any unexpired distinguished log entries in its direct
path and to its left. If yes, terminate the search successfully. If no,
terminate the search with an error indicating that the target version of
the label is expired.</t>
              </li>
            </ol>
          </li>
          <li>
            <t>If this step is reached, the search has terminated without finding an
unexpired log entry where the target version is the greatest that exists. In
this case, out of all the log entries inspected, identify the leftmost one
where the binary ladder indicated a greatest version greater than the target
version.  </t>
            <ol spacing="normal" type="1"><li>
                <t>If there is no such log entry, terminate the search with an error
indicating that the target version of the label does not exist.</t>
              </li>
              <li>
                <t>If any expired log entries were encountered in the search, and there are
no unexpired distinguished log entries to the left of the identified log
entry, terminate the search with an error indicating that the target
version of the label is expired.      </t>
                <t>
Clients <bcp14>MUST NOT</bcp14> accept a proof where the identified log entry is itself
the leftmost unexpired and distinguished log entry. Since the target
version is not the greatest that exists in the log entry, it may not have
been checked for correctness by the label owner.</t>
              </li>
              <li>
                <t>Otherwise, look up the target version of the label in the log entry's
prefix tree. If the result is a non-inclusion proof, terminate the search
with an error indicating that the requested version of the label does not
exist. If the result is an inclusion proof, terminate the search
successfully.</t>
              </li>
            </ol>
          </li>
        </ol>
        <t>The terminal log entry of the search is defined as the log entry that triggered
step 5, or the log entry identified in step 6. If the Transparency Log is
deployed in Contact Monitoring mode and the terminal log entry of the search is
to the right of the rightmost distinguished log entry (defined in
<xref target="reasonable-monitoring-window"/>), the user <bcp14>MUST</bcp14> monitor the label as described
in <xref target="monitoring-the-tree"/>.</t>
      </section>
    </section>
    <section anchor="monitoring-the-tree">
      <name>Monitoring the Tree</name>
      <t>As new entries are added to the log tree, the search path that's traversed to
find a specific version of a label may change. New intermediate nodes may be
established between the search root and the terminal log entry, or a new search
root may be created. The goal of monitoring a label is to efficiently ensure
that, when these new parent nodes are created, they're created correctly such
that searches for the same versions of a label continue producing the same
results.</t>
      <t>Label owners <bcp14>MUST</bcp14> monitor their labels regularly, ensuring that past versions of
the label are still correctly represented in the log and that any new versions
of the label are permissible, alerting the user if not.</t>
      <t>If the Transparency Log is deployed in Contact Monitoring mode, then the users
that looked up a label (either through a fixed-version or greatest-version
search) are also sometimes required to monitor the label. Specifically, if a
user looks up a label and the terminal log entry of their search is to the right
of the rightmost distinguished log entry, the user <bcp14>MUST</bcp14> regularly monitor the
label-version pair until its monitoring path intersects a distinguished log
entry. That is, until a new distinguished log entry is established to its right
and the two log entries are verified to be consistent. The purpose of this
monitoring is to ensure that the label-version pair is not removed or obscured
by the Transparency Log before the label owner has had an opportunity to detect
it.</t>
      <t>If the Transparency Log is deployed with a Third-Party Auditor or Third-Party
Manager, this monitoring is unnecessary assuming that either the Service
Operator or the Third Party are honest. However, the user <bcp14>MAY</bcp14> still perform it
to detect collusion between the Service Operator and the Third Party.</t>
      <t>If a user looks up a label and the terminal log entry of their search is either
a distinguished log entry or to the left of any distinguished log entry,
monitoring is never necessary. In this case, the only state that would be
retained from the query would be the tree head, as discussed in
<xref target="updating-views-of-the-tree"/>.</t>
      <t>"Regular" monitoring <bcp14>SHOULD</bcp14> be performed roughly as frequently as the RMW and
<bcp14>MUST</bcp14>, if at all possible, happen more frequently than the log entry maximum
lifetime.</t>
      <section anchor="binary-ladder-1">
        <name>Binary Ladder</name>
        <t>Similar to the algorithm for searching the tree, the algorithms for monitoring
the tree requires a way to prove that the greatest version of a label stored in
a particular log entry's prefix tree is greater than or equal to a <strong>target
version</strong>. The target version in this case is the version of the label that the
user is monitoring. Unlike in a search though, users already know that the
target version of the label exists and only need proof that there hasn't been
an unexpected downgrade.</t>
        <t>Binary ladders provided for the purpose of monitoring are called <strong>monitoring
binary ladders</strong> and follow the series of lookups described in
<xref target="binary-ladder"/>, omitting any lookup for a version greater than the target
version. As a result, all lookups in the binary ladder will result in an
inclusion proof if the Transparency Log is behaving honestly.</t>
      </section>
      <section anchor="contact-algorithm">
        <name>Contact Algorithm</name>
        <t>To monitor a given label, users maintain a small amount of state: a map from a
position in the log to a version counter. The version counter is the greatest
version of the label proven to exist at that log position. Users initially
populate this map by setting the position of the terminal log entry of their
search to map to the version of the label they searched for. A map may track
several different versions simultaneously if a user has been shown different
versions of the same label.</t>
        <t>To update this map, users receive the most recent tree head from the
Transparency Log and follow these steps for each entry in the map, from
rightmost to leftmost log entry:</t>
        <ol spacing="normal" type="1"><li>
            <t>Determine if the log entry is distinguished. If so, leave the
position-version pair in the map and move on to the next map entry.</t>
          </li>
          <li>
            <t>Compute the ordered list of log entries to inspect:
            </t>
            <ol spacing="normal" type="1"><li>
                <t>Initialize the list by setting it to be the log entry's direct path in the
implicit binary search tree based on the current tree size.</t>
              </li>
              <li>
                <t>Remove all entries that are to the left of the log entry.</t>
              </li>
              <li>
                <t>If any of the remaining log entries are distinguished, terminate the list
just after the first distinguished log entry.</t>
              </li>
              <li>
                <t>If the Contact Monitoring operation is being executed in the context of an
Owner Monitoring operation, and the log entry in the monitoring map is
equal to or to the right of the owner's advertised <tt>start</tt> position, skip
inspecting the final distinguished log entry. This log entry will be
inspected by the algorithm in <xref target="owner-algorithm"/>.</t>
              </li>
            </ol>
          </li>
          <li>
            <t>For each log entry in the computed list, from left to right:  </t>
            <ol spacing="normal" type="1"><li>
                <t>Check if a binary ladder from this log entry was already provided in the
same query response. If so:
                </t>
                <ol spacing="normal" type="1"><li>
                    <t>If the previously provided binary ladder had a greater target version
than the current map entry, then this version of the label no longer
needs to be monitored. Remove the position-version pair with the lesser
version from the map and move on to the next map entry.</t>
                  </li>
                  <li>
                    <t>If it had a target version less than or equal to that of the current
map entry, terminate and return an error to the user.</t>
                  </li>
                </ol>
              </li>
              <li>
                <t>Obtain a monitoring binary ladder from this log entry where the target
version is the version currently in the map. Verify that all expected
lookups are present and all show inclusion.</t>
              </li>
              <li>
                <t>If the above check fails, terminate and return an error to the user.
Otherwise, remove the current position-version pair from the map and
replace it with a new one for the position of the log entry that the
binary ladder came from.</t>
              </li>
            </ol>
          </li>
        </ol>
        <t>Once the map entries are updated according to this process, the final step of
monitoring is to remove all mappings where the position corresponds to a
distinguished log entry. All remaining entries will be non-distinguished log
entries lying on the log's frontier.</t>
        <t>This algorithm works by progressively moving up the implicit binary search tree
as new intermediate or root nodes are established, and verifying that they're
constructed correctly. Once a distinguished log entry is reached and
successfully verified, monitoring is no longer necessary and the corresponding
entry is removed from the map.</t>
        <t>Users will often be able to execute the monitoring process, at least partially,
with the output of a fixed-version or greatest-version search for the label.
This may reduce the need for monitoring-specific requests. It is also worth
noting that the work required to monitor several versions of the same label
scales sublinearly because the direct paths of the different versions will often
intersect. Intersections reduce the total number of entries in the map and
therefore the amount of work that will be needed to monitor the label from then
on.</t>
      </section>
      <section anchor="owner-algorithm">
        <name>Owner Algorithm</name>
        <t>Label owners initialize their state by providing the Transparency Log with a
<strong>starting position</strong> coresponding to the log entry where they wish their
ownership of the label to begin. This starting position <bcp14>MUST</bcp14> correspond to an
unexpired distinguished log entry. The user then executes the following
algorithm:</t>
        <ol spacing="normal" type="1"><li>
            <t>Compute the list of log entries to inspect: this list starts with the log
entry at the requested starting position, followed by the log entries that
are on the starting position's direct path and to its left, ending just
before the first expired log entry.</t>
          </li>
          <li>
            <t>Obtain the greatest version of the label that existed as of each of these log
entries. If the label did not exist, no value is provided. Verify that each
version is less than or equal to the one prior.</t>
          </li>
          <li>
            <t>Obtain VRF proofs for version zero of the label and all other versions of the
label that would appear in a search binary ladder where the target version
was any of the versions given in step 2.</t>
          </li>
          <li>
            <t>Obtain the commitment to the label's value at each version where a VRF proof
was provided in step 3 and the version is understood to exist based on the
information provided in step 2.</t>
          </li>
          <li>
            <t>Obtain a search binary ladder from each log entry in the list computed in
step 1 where the target version is the corresponding version given in step 2,
or zero if no version was given, without omitting redundant lookups. Verify
that each binary ladder terminates in a way that is consistent with the
claimed greatest version of the label.</t>
          </li>
        </ol>
        <t>If any new versions of the label were created after the requested starting
position, the label owner will need to process each of these individually as
described in <xref target="updating-a-label"/>.</t>
        <t>Once the label owner has fully initialized their state, through the algorithm
above and by processing any remaining new versions, they can begin regular
monitoring. The label owner advertises to the Transparency Log the greatest
version of the label that they're aware of and the rightmost distinguished log
entry that they've verified is correct. For a number of subsequent distinguished
log entries, the Transparency Log provides a binary ladder proving that no new
unexpected versions of the label exist. This is described below as a recursive
algorithm, starting with the root log entry:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the current log entry is not distinguished, stop.</t>
          </li>
          <li>
            <t>If the current log entry's index is less than or equal to that of the log
entry advertised by the user:
            </t>
            <ol spacing="normal" type="1"><li>
                <t>If the current log entry has a right child, recurse to the right child.</t>
              </li>
              <li>
                <t>Regardless of the outcome of step 1, stop.</t>
              </li>
            </ol>
          </li>
          <li>
            <t>If the current log entry has a left child, recurse to the left child.
Afterwards, proceed to step 4.</t>
          </li>
          <li>
            <t>If a stop condition has been reached, stop. From a user's perspective, the
only stop condition is having consumed all of the Transparency Log's
response. The Transparency Log may stop at this point if the greatest version
of the label present at this log entry is greater than the version advertised
by the user, or if a maximum output size has been reached.</t>
          </li>
          <li>
            <t>Obtain a search binary ladder from the current log entry where the target
version is the greatest version of the label expected to exist at this point
according to the label owner's local state, without omitting redundant
lookups. Verify that the binary ladder terminates in a way that is consistent
with the expected version being the greatest that exists.</t>
          </li>
          <li>
            <t>If the current log entry has a right child, recurse to the right child.</t>
          </li>
        </ol>
        <t>To avoid excessive load, the Transparency Log <bcp14>SHOULD</bcp14> limit the number of
distinguished log entries that it provides binary ladders for in a single
response. Users repeatedly query the Transparency Log until they detect that the
above algorithm has either hit an unresolvable error or successfully reached the
rightmost distinguished log entry.</t>
        <t>Since this algorithm checks only distinguished log entries for correctness,
label owners use it in conjunction with the algorithm in <xref target="contact-algorithm"/>
to ensure the correctness of updates that occur between distinguished log
entries.</t>
      </section>
    </section>
    <section anchor="updating-a-label">
      <name>Updating a Label</name>
      <t>As discussed in <xref target="ARCH"/>, a label owner is the authoritative source for a
label's contents and must either initiate all changes to the label's value
themself or at least be informed of changes afterwards. This section describes
the mechanism by which label owners ensure that new versions of a label are
inserted correctly into the Transparency Log. Label owners <bcp14>MUST</bcp14> follow this
process for every new version of a label that is created after their ownership
begins.</t>
      <section anchor="update-algorithm">
        <name>Algorithm</name>
        <t>Whenever a log entry is added to the Transparency Log that contains some new
versions of a label, the Transparency Log informs the label owner of the
following:</t>
        <ul spacing="normal">
          <li>
            <t>The index of the log entry where the new versions were inserted.</t>
          </li>
          <li>
            <t>The commitment opening that was chosen for each new version of the label.</t>
          </li>
          <li>
            <t>If the Transparency Log is deployed with a Third-Party Manager, the signature
produced by the Service Operator over each new version.</t>
          </li>
          <li>
            <t>VRF proofs for the following versions of the label:
            </t>
            <ul spacing="normal">
              <li>
                <t>Compute the set of all versions that would be contained in a search binary
ladder for the new greatest version of the label.</t>
              </li>
              <li>
                <t>If more than one new version of the label was created, additionally include
each of these individual versions.</t>
              </li>
              <li>
                <t>Of the versions matching the two criteria above, omit any versions that
would be contained in a search binary ladder for the previous greatest
version of the label, as the label owner is expected to already know these
VRF outputs. If there was no previous greatest version of the label, omit
only the version zero.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>To ensure that the new versions of the label were inserted correctly, the label
owner considers the Transparency Log as it existed at two points in time: The
first is the <strong>previous tree</strong>, which is defined as the log tree up to but
excluding the log entry where the new versions were added. The second is the
<strong>current tree</strong>, which is defined as the log tree as it is currently presented
to the user, containing the new log entry and potentially other log entries to
its right. Given this, the user executes the following algorithm:</t>
        <ol spacing="normal" type="1"><li>
            <t>Starting from the root log entry of the previous tree, proceed down the
frontier of the previous tree and identify the first log entry that is not
distinguished in the current tree. If there is no such log entry, skip to
step 3.</t>
          </li>
          <li>
            <t>Starting from the identified log entry, proceed down the remainder of the
previous tree's frontier from left to right:  </t>
            <ol spacing="normal" type="1"><li>
                <t>If a binary ladder would have already been received from this log entry in
step 2.2 when processing a previous label update, skip this log entry.</t>
              </li>
              <li>
                <t>Obtain a search binary ladder from this log entry where the target version
is the previous greatest version of the label that existed, or 0 if no
version of the label existed. Lookups that would be omitted in a
greatest-version search for the label are also omitted here. Note that
this means that lookups that would occur in log entries that were skipped
by step 2.1 will still be omitted as if the log entries had been
inspected.</t>
              </li>
              <li>
                <t>Verify that the binary ladder terminates in a way that is consistent with
the previous greatest version of the label being the greatest that
exists.</t>
              </li>
            </ol>
          </li>
          <li>
            <t>If the log entry where the new versions were added is distinguished in the
current tree, and if there are any new versions of the label that would not
be looked up in a search binary ladder for the new greatest version, obtain a
<tt>PrefixProof</tt> from the log entry for those versions in ascending order by
version. Verify that all lookups result in an inclusion proof.  </t>
            <t>
If all checks succeed, the label owner retains the position and new greatest
version of the label for later verification with the second algorithm of
<xref target="owner-algorithm"/>.</t>
          </li>
          <li>
            <t>If the log entry where the new versions were added is not distinguished in
the current tree, obtain a <tt>PrefixProof</tt> from it with lookups corresponding
to a search binary ladder where the target version is the new greatest
version of the label, omitting redundant lookups. Verify that all lookups
terminate in a way that is consistent with the new greatest version of the
label being the greatest that exists.  </t>
            <t>
Additionally, if there are any new versions of the label that were created in
this log entry but that weren't included in the search binary ladder, obtain
a second <tt>PrefixProof</tt> from the log entry with those lookups in ascending
order by version. Verify that all lookups result in an inclusion proof.  </t>
            <t>
If all checks succeed, the label owner retains the position and new greatest
version of the label for later verification with <xref target="owner-algorithm"/>. The
label owner additionally inserts a new entry into their contact monitoring
map, discussed in <xref target="contact-algorithm"/>, that maps the log entry to the new
greatest version of the label.</t>
          </li>
        </ol>
        <t>In essence, this algorithm has two phases. The first phase is doing a
greatest-version search in the previous tree. This is necessary to prevent forms
of misbehavior where a Transparency Log might create a malicious version of a
label, later change the corresponding value to something non-malicious, and try
to only inform the label owner of the non-malicious value. The second phase is
verifying how the new versions of the label were created in the claimed log
entry. This depends on whether the log entry is distinguished or not to minimize
redundant lookups with the second algorithm of <xref target="owner-algorithm"/>.</t>
      </section>
    </section>
    <section anchor="walking-distinguished-heads">
      <name>Walking Distinguished Heads</name>
      <t>There are many cases in KT where it can be useful to allow a user to walk the
most recently issued distinguished log entries. One particular case where this
is useful is in deployments that rely on credentials, explained further in
<xref target="credentials"/>. It can also be helpful for new label owners, running the first
algorithm of <xref target="owner-algorithm"/>, in deciding what they want their "starting"
log entry to be. And perhaps most importantly, walking the recent distinguished
log entries gives users common reference points in the log tree and allows them
to verify that they aren't being shown a fork.</t>
      <section anchor="distinguished-algorithm">
        <name>Algorithm</name>
        <t>Walking the recent distinguished log entries is essentially done as a
right-to-left depth-first search in the log tree. Users and the Transparency Log
share an application-defined concept of what a "recent" distinguished log entry
is, and enumerate all of the log entries that meet this definition. Users can
optionally provide the Transparency Log with a <strong>stopping position</strong>
corresponding to a point where the enumeration can stop early if hit.</t>
        <t>This is described below as a recursive algorithm, starting with the root log
entry:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the current log entry is not distinguished, stop.</t>
          </li>
          <li>
            <t>If the current log entry has a right child, recurse to the right child.</t>
          </li>
          <li>
            <t>If a stopping position was provided and the current log entry's position is
less than or equal to the requested stopping position, stop.</t>
          </li>
          <li>
            <t>If the current log entry doesn't meet the application's definition of
"recent", stop.</t>
          </li>
          <li>
            <t>If the current log entry has a left child, recurse to the left child.</t>
          </li>
        </ol>
        <t>This algorithm works with any definition of "recent" for distinguished log
entries that is monotonic. However, the two simplest possible definitions are:
a.) a distinguished log entry is "recent" if it is one of the <tt>n</tt> rightmost, or
b.) a distinguished log entry is "recent" if subtracting its timestamp from the
timestamp of the rightmost log entry yield a value less than some threshold. It
is <bcp14>RECOMMENDED</bcp14> that applications choose one of these definitions.</t>
      </section>
      <section anchor="detecting-forks">
        <name>Detecting Forks</name>
        <t>As discussed in <xref section="3.3" sectionFormat="of" target="ARCH"/>, two of the primary ways that a user can
detect the existence of a fork is through either an anonymous channel, or some
form of direct peer-to-peer communication. Both of these approaches rely on
exchanging root values of the log tree in a way where the Transparency Log can't
reliably partition users.</t>
        <t>To compute the log tree root values to exchange, a user follows the algorithm in
<xref target="distinguished-algorithm"/>, using data provided through the same channel that
the user typically interacts with the Transparency Log. The user then computes
the log tree root value at each point where one of the recent distinguished log
entries is the rightmost log entry. The exact number of distinguished log
entries to use, and therefore the number of root values to compute, depends on
the application. That said, using a larger number provides more resilience
against clock skew and applications generally <bcp14>SHOULD</bcp14> compute at least two root
values.</t>
        <t>Users then obtain the same information either by requesting it over their
anonymous channel, or through direct peer-to-peer communication. The information
exchanged can either be just the list of root values, if bandwidth is a
particular concern, or a signed query response, if the ability to provide
non-repudiable evidence of misbehavior is desired.</t>
        <t>The list of root values determined from the authenticated channel, and the list
of root values received over the partition-resistent channel, are verified by
checking that each list is either a prefix or a suffix of the other, having at
least one root value in common. Example code for this is provided below:</t>
        <sourcecode type="python"><![CDATA[
def compare_roots(roots_a, roots_b):
    if len(roots_a) != len(roots_b):
        raise Exception('lists must be the same size')

    N = len(roots_a)

    for x in range(N):
        if roots_a[:N-x] == roots_b[x:] or roots_b[:N-x] == roots_a[x:]:
            return True

    raise Exception('no valid overlap found')
]]></sourcecode>
      </section>
    </section>
    <section anchor="cryptographic-computations">
      <name>Cryptographic Computations</name>
      <section anchor="cipher-suites">
        <name>Cipher Suites</name>
        <t>Each Transparency Log uses a single fixed cipher suite, chosen when it is
initially created, that specifies the following primitives and parameters for
cryptographic computations:</t>
        <ul spacing="normal">
          <li>
            <t>A hash algorithm</t>
          </li>
          <li>
            <t>A signature algorithm</t>
          </li>
          <li>
            <t>A Verifiable Random Function (VRF) algorithm</t>
          </li>
          <li>
            <t><tt>Nc</tt>: The size in bytes of commitment openings</t>
          </li>
          <li>
            <t><tt>Kc</tt>: A fixed string of bytes used in the computation of commitments</t>
          </li>
        </ul>
        <t>The hash algorithm is used to calculate intermediate and root values of
hash trees. The signature algorithm is used for signatures from both the Service
Operator and the Third Party, if one is present. The VRF is used for preserving
the privacy of labels.</t>
        <t>Throughout the document, the following shorthands are used to denote different
parameters of the current cipher suite:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Hash.Nh</tt> denotes the hash function's output length in bytes.</t>
          </li>
          <li>
            <t><tt>VRF.Nh</tt> denotes the VRF algorithm's output length in bytes.</t>
          </li>
          <li>
            <t><tt>VRF.Np</tt> denotes the VRF algorithm's proof size in bytes.</t>
          </li>
        </ul>
        <t>Cipher suites are represented with the CipherSuite type and are defined in
<xref target="kt-cipher-suites"/>.</t>
      </section>
      <section anchor="tree-head-signature">
        <name>Tree Head Signature</name>
        <t>The head of a Transparency Log, which represents its most recent state, is
encoded as:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 tree_size;
  opaque signature<0..2^16-1>;
} TreeHead;
]]></sourcecode>
        <t>where <tt>tree_size</tt> is the number of log entries. If the Transparency Log is
deployed in Third-Party Management mode, then the public key used to verify the
signature belongs to the Third-Party Manager; otherwise the public key used
belongs to the Service Operator.</t>
        <t>The signature itself is computed over a <tt>TreeHeadTBS</tt> structure, which
incorporates the log's current state as well as long-term log configuration:</t>
        <sourcecode type="tls-presentation"><![CDATA[
enum {
  reserved(0),
  contactMonitoring(1),
  thirdPartyManagement(2),
  thirdPartyAuditing(3),
  (255)
} DeploymentMode;

struct {
  CipherSuite ciphersuite;
  DeploymentMode mode;
  opaque signature_public_key<0..2^16-1>;
  opaque vrf_public_key<0..2^16-1>;

  select (Configuration.mode) {
    case contactMonitoring:
    case thirdPartyManagement:
      opaque leaf_public_key<0..2^16-1>;
    case thirdPartyAuditing:
      uint64 max_auditor_lag;
      uint64 auditor_start_pos;
      opaque auditor_public_key<0..2^16-1>;
  };

  uint64 max_ahead;
  uint64 max_behind;
  uint64 reasonable_monitoring_window;
  optional<uint64> maximum_lifetime;
} Configuration;

struct {
  Configuration config;
  uint64 tree_size;
  opaque root[Hash.Nh];
} TreeHeadTBS;
]]></sourcecode>
        <t>The <tt>ciphersuite</tt> field contains the cipher suite for the Transparency Log,
chosen from the registry in <xref target="kt-cipher-suites"/>. The <tt>mode</tt> field specifies
whether the Transparency Log is deployed in Contact Monitoring mode, or with a
Third-Party Manager or Auditor. The <tt>signature_public_key</tt> field contains the
public key to use for verifying signatures on the <tt>TreeHeadTBS</tt> structure. The
<tt>vrf_public_key</tt> field contains the VRF public key to use for evaluating VRF
proofs provided in the <tt>BinaryLadderStep.proof</tt> field described in <xref target="search"/>.</t>
        <t>If the deployment mode specifies a Third-Party Manager, a public key is provided
in <tt>leaf_public_key</tt>. This public key is used to verify the Service Operator's
signature on modifications to the Transparency Log, as described in
<xref target="update-format"/>.</t>
        <t>If the deployment mode specifies a Third-Party Auditor, the maximum amount of
time in milliseconds that the auditor may lag behind the most recent version of
the Transparency Log is provided in <tt>max_auditor_lag</tt>. The position of the first
log entry that the auditor started processing is provided in
<tt>auditor_start_pos</tt>. A public key for verifying the auditor's signature on views
of the Transparency Log is provided in <tt>auditor_public_key</tt>.</t>
        <t>The <tt>max_ahead</tt> and <tt>max_behind</tt> fields contain the maximum amount of time in
milliseconds that a tree head may be ahead of or behind the user's local clock
without being rejected. The <tt>reasonable_monitoring_window</tt> contains the
Reasonable Monitoring Window, defined in <xref target="reasonable-monitoring-window"/>, in
milliseconds. If the Transparency Log has chosen to define a maximum lifetime
for log entries, per <xref target="maximum-lifetime"/>, this duration in milliseconds is
stored in the <tt>maximum_lifetime</tt> field.</t>
        <t>Finally, the <tt>root</tt> field contains the root value of the log tree with
<tt>tree_size</tt> leaves.</t>
      </section>
      <section anchor="auditor-tree-head-signature">
        <name>Auditor Tree Head Signature</name>
        <t>In deployment scenarios where a Third-Party Auditor is present, the auditor's
view of the Transparency Log is presented to users with an <tt>AuditorTreeHead</tt>
structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 timestamp;
  uint64 tree_size;
  opaque signature<0..2^16-1>;
} AuditorTreeHead;
]]></sourcecode>
        <t>Users verify an <tt>AuditorTreeHead</tt> with the following steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the user advertised a previously observed tree head, verify that the
<tt>tree_size</tt> of the <tt>AuditorTreeHead</tt> structure in the previous tree head
(which may be from a different auditor) is greater than or equal to
<tt>auditor_start_pos</tt> for the current auditor.</t>
          </li>
          <li>
            <t>Verify that the timestamp of the rightmost log entry is greater than or equal
to <tt>timestamp</tt>, and that the difference between the two is less than or equal
to <tt>Configuration.max_auditor_lag</tt>.</t>
          </li>
          <li>
            <t>Verify that <tt>tree_size</tt> is less than or equal to that of the <tt>TreeHead</tt>
provided by the Transparency Log.</t>
          </li>
          <li>
            <t>Verify <tt>signature</tt> as a signature over the <tt>AuditorTreeHeadTBS</tt> structure:</t>
          </li>
        </ol>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  Configuration config;
  uint64 timestamp;
  uint64 tree_size;
  opaque root[Hash.Nh];
} AuditorTreeHeadTBS;
]]></sourcecode>
        <t>The <tt>config</tt> field contains the long-term configuration for the Transparency
Log. The <tt>timestamp</tt> and <tt>tree_size</tt> fields match that of <tt>AuditorTreeHead</tt>. The
<tt>root</tt> field contains the root value of the log tree when it had <tt>tree_size</tt>
leaves.</t>
      </section>
      <section anchor="full-tree-head-verification">
        <name>Full Tree Head Verification</name>
        <t>Tree heads are presented to users on the wire as follows:</t>
        <sourcecode type="tls-presentation"><![CDATA[
enum {
  reserved(0),
  same(1),
  updated(2),
  (255)
} FullTreeHeadType;

struct {
  FullTreeHeadType head_type;
  select (FullTreeHead.head_type) {
    case updated:
      TreeHead tree_head;
      select (Configuration.mode) {
        case thirdPartyAuditing:
          AuditorTreeHead auditor_tree_head;
      };
  };
} FullTreeHead;
]]></sourcecode>
        <t>The <tt>head_type</tt> field may be set to <tt>same</tt> if the user advertised a previously
observed tree size in their request and the Transparency Log wishes to continue
using this same tree head. Otherwise, <tt>head_type</tt> is set to <tt>updated</tt> and a new,
more recent tree head is provided.</t>
        <t>Users verify a <tt>FullTreeHead</tt> with the following steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>If <tt>head_type</tt> is <tt>same</tt>, verify that the user advertised a previously
observed tree size and that the timestamp of the rightmost log entry of this
tree is still within the bounds set by <tt>max_ahead</tt> and <tt>max_behind</tt>.</t>
          </li>
          <li>
            <t>If <tt>head_type</tt> is <tt>updated</tt>:
            </t>
            <ol spacing="normal" type="1"><li>
                <t>If the user advertised a previously observed tree size, verify that
<tt>TreeHead.tree_size</tt> is greater than the advertised tree size.</t>
              </li>
              <li>
                <t>Verify <tt>TreeHead.signature</tt> as a signature over the <tt>TreeHeadTBS</tt>
structure.</t>
              </li>
              <li>
                <t>If there is a Third-Party Auditor, verify <tt>auditor_tree_head</tt> as described
in <xref target="auditor-tree-head-signature"/>.</t>
              </li>
            </ol>
          </li>
        </ol>
      </section>
      <section anchor="update-format">
        <name>Update Format</name>
        <t>The leaves of the prefix tree contain commitments which open to the value of a
label-version pair, potentially with some additional information depending on
the deployment mode of the Transparency Log. The contents of these commitments
is serialized as an <tt>UpdateValue</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  select (Configuration.mode) {
    case thirdPartyManagement:
      opaque signature<0..2^16-1>;
  };
} UpdateSuffix;

struct {
  opaque value<0..2^32-1>;
  UpdateSuffix suffix;
} UpdateValue;
]]></sourcecode>
        <t>The <tt>value</tt> field contains the value associated with the label-version pair.</t>
        <t>In the event that Third-Party Management is used, the <tt>suffix</tt> field contains a
signature from the Service Operator, using the public key from
<tt>Configuration.leaf_public_key</tt>, over the following structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  Configuration config;
  opaque label<0..2^8-1>;
  uint32 version;
  opaque value<0..2^32-1>;
} UpdateTBS;
]]></sourcecode>
        <t>The <tt>value</tt> field contains the same contents as <tt>UpdateValue.value</tt>. Users
<bcp14>MUST</bcp14> successfully verify this signature before consuming <tt>UpdateValue.value</tt>.</t>
      </section>
      <section anchor="commitment">
        <name>Commitment</name>
        <t>Commitments are computed with HMAC <xref target="RFC2104"/> using the hash function
specified by the cipher suite. To produce a new commitment, the application
generates a random <tt>Nc</tt>-byte value called <tt>opening</tt> and computes:</t>
        <sourcecode type="pseudocode"><![CDATA[
commitment = HMAC(Kc, CommitmentValue)
]]></sourcecode>
        <t>where <tt>Kc</tt> is a string of bytes defined by the cipher suite and CommitmentValue
is specified as:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque opening[Nc];
  opaque label<0..2^8-1>;
  uint32 version;
  UpdateValue update;
} CommitmentValue;
]]></sourcecode>
        <t>The Transparency Log <bcp14>MAY</bcp14> generate <tt>opening</tt> in a non-random way, such as
deriving it from a secret key, as long as the result is indistinguishable from
random to other participants. The Transparency Log <bcp14>SHOULD</bcp14> ensure that individual
<tt>opening</tt> values can later be deleted in a way where they can not feasibly be
recovered. This preserves the Transparency Log's ability to delete certain
information in compliance with privacy laws, discussed further in <xref target="ARCH"/>.</t>
      </section>
      <section anchor="verifiable-random-function">
        <name>Verifiable Random Function</name>
        <t>Each label-version pair corresponds to a unique search key in the prefix tree.
This search key is the output of executing the VRF, with the private key
corresponding to <tt>Configuration.vrf_public_key</tt>, on the combined label and
version:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque label<0..2^8-1>;
  uint32 version;
} VrfInput;
]]></sourcecode>
      </section>
      <section anchor="log-tree-1">
        <name>Log Tree</name>
        <t>The value of a leaf node in the log tree is computed as the hash, with the
cipher suite hash function, of the following structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 timestamp;
  opaque prefix_tree[Hash.Nh];
} LogEntry;
]]></sourcecode>
        <t>The <tt>timestamp</tt> field contains the timestamp that the leaf was created in
milliseconds since the Unix epoch. The <tt>prefix_tree</tt> field contains the updated
root value of the prefix tree after making any desired modifications.</t>
        <t>The value of a parent node in the log tree is computed by hashing together the
values of its left and right children:</t>
        <sourcecode type="pseudocode"><![CDATA[
parent.value = Hash(hashContent(parent.leftChild) ||
                    hashContent(parent.rightChild))

hashContent(node):
  if node.type == leafNode:
    return 0x00 || node.value
  else if node.type == parentNode:
    return 0x01 || node.value
]]></sourcecode>
        <t>where <tt>Hash</tt> denotes the cipher suite hash function.</t>
      </section>
      <section anchor="prefix-tree-1">
        <name>Prefix Tree</name>
        <t>The value of a leaf node in the prefix tree is computed as the hash, with the
cipher suite hash function, of the following structure:</t>
        <sourcecode type="tls"><![CDATA[
leaf.value = Hash(0x02 || vrf_output || commitment)
]]></sourcecode>
        <t><tt>vrf_output</tt> contains the VRF output for the label-version pair and <tt>commitment</tt>
contains the commitment to the corresponding <tt>UpdateValue</tt> structure.</t>
        <t>The value of a parent node in the prefix tree is computed by hashing together
the values of its left and right children:</t>
        <sourcecode type="pseudocode"><![CDATA[
parent.value = Hash(0x03 || parent.leftChild.value || parent.rightChild.value)
]]></sourcecode>
        <t>If one of the children does not exist, an all-zero byte string of length
<tt>Hash.Nh</tt> is used instead.</t>
      </section>
    </section>
    <section anchor="tree-proofs">
      <name>Tree Proofs</name>
      <section anchor="log-tree-2">
        <name>Log Tree</name>
        <t>In the interest of efficiency, KT combines multiple inclusion proofs and
consistency proofs into a single batch proof. Recalling from the discussion in
<xref target="log-tree"/>,</t>
        <ul spacing="normal">
          <li>
            <t>Whenever the Transparency Log serves an inclusion proof for a leaf of the log
tree, it provides the minimum set of head values from balanced subtrees that
allows the user to compute the root value when combined with the leaf's value.</t>
          </li>
          <li>
            <t>Whenever the Transparency Log serves a consistency proof, the user is expected
to have retained the head values of the full subtrees of the previous version
of the log. The Transparency Log provides the minimum set of head values from
balanced subtrees that allows the user to compute the new root value when
combined with the retained values.</t>
          </li>
        </ul>
        <t>These two proof types are composed together as such: considering the leaf values
which will be proved included, and any node values the user is understood to
have retained, the Transparency Log provides the minimum set of head values from
balanced subtrees that allows the user to compute the root value when combined
with the leaf and retained values. This proof is encoded as follows:</t>
        <sourcecode type="tls-presentation"><![CDATA[
opaque HashValue[Hash.Nh];

struct {
  HashValue elements<0..2^16-1>;
} InclusionProof;
]]></sourcecode>
        <t>The contents of the <tt>elements</tt> array is in left-to-right order: if a node is
present in the root's left subtree, then its value is listed before the values
of any nodes in the root's right subtree, and so on recursively.</t>
        <t>Batching together inclusion and consistency proofs creates an edge case that
requires special care: when a user has requested a consistency proof, and also
requested inclusion proofs for leaves located in one or more of the subtrees
that the user has retained the head of. When this happens, the portion of the
batch proof that shows inclusion for the leaves in these subtrees will itself be
sufficient to recompute the retained head values. This makes the retained values
redundant for the purpose of computing the new root value, which could result in
the retained values being disregarded in a naive implementation. Users <bcp14>MUST</bcp14>
verify that the computed value for the head of any such subtree matches the
retained value to avoid accepting invalid proofs.</t>
      </section>
      <section anchor="prefix-tree-2">
        <name>Prefix Tree</name>
        <t>A proof from a prefix tree authenticates that a search was done correctly for a
given search key. Such a proof is encoded as:</t>
        <sourcecode type="tls"><![CDATA[
enum {
  reserved(0),
  inclusion(1),
  nonInclusionLeaf(2),
  nonInclusionParent(3),
  (255)
} PrefixSearchResultType;

struct {
  opaque vrf_output[VRF.Nh];
  opaque commitment[Hash.Nh];
} PrefixLeaf;

struct {
  PrefixSearchResultType result_type;
  select (PrefixSearchResult.result_type) {
    case nonInclusionLeaf:
      PrefixLeaf leaf;
  };
  uint8 depth;
} PrefixSearchResult;

struct {
  PrefixSearchResult results<0..2^8-1>;
  HashValue elements<0..2^16-1>;
} PrefixProof;
]]></sourcecode>
        <t>The <tt>results</tt> field contains the search result for each individual value,
provided in the order requested. For <tt>PrefixProof</tt> structures that correspond to
a binary ladder, this means the entries of <tt>results</tt> correspond directly with
the lookups of the binary ladder. The <tt>result_type</tt> field of each
<tt>PrefixSearchResult</tt> indicates what the terminal node of the search for that
value was:</t>
        <ul spacing="normal">
          <li>
            <t><tt>inclusion</tt> for a leaf node matching the requested search key.</t>
          </li>
          <li>
            <t><tt>nonInclusionLeaf</tt> for a leaf node not matching the requested search key. In
this case, the terminal node is provided since it can not be inferred.</t>
          </li>
          <li>
            <t><tt>nonInclusionParent</tt> for a parent node that lacks the desired child.</t>
          </li>
        </ul>
        <t>The <tt>depth</tt> field indicates the depth of the terminal node of the search and is
provided to assist proof verification. The root node of the prefix tree
corresponds to a depth of 0, the root's children correspond to a depth of 1, and
so on recursively.</t>
        <t>The <tt>elements</tt> array consists of the fewest node values that can be hashed
together with the provided leaves to produce the root. The contents of the
<tt>elements</tt> array is kept in left-to-right order: if a node is present in the
root's left subtree, its value is listed before any values from nodes that are
in the root's right subtree, and so on recursively. In the event that a node
does not exist, an all-zero byte string of length <tt>Hash.Nh</tt> is listed instead.</t>
        <t>The proof is verified by hashing together the provided values, in the
left/right arrangement dictated by the bits of the search keys, and checking
that the result equals the root value of the prefix tree.</t>
      </section>
      <section anchor="proof-combined-tree">
        <name>Combined Tree</name>
        <t>As users execute the algorithms defined in <xref target="updating-views-of-the-tree"/>,
<xref target="greatest-version-search"/>, <xref target="fixed-version-search"/>, <xref target="monitoring-the-tree"/>,
and <xref target="updating-a-label"/>, they inspect a series of log entries. For some of
these, only the timestamp of the log entry is needed. For others, both the
timestamp and a <tt>PrefixProof</tt> from the log entry's prefix tree are needed.</t>
        <t>This subsection defines a general structure, called a <tt>CombinedTreeProof</tt>, that
contains the minimum set of timestamps and <tt>PrefixProof</tt> structures that a user
needs for their execution of these algorithms. For the purposes of this
protocol, the user always executes the algorithm to update their view of the
tree as described in <xref target="updating-views-of-the-tree"/>, followed immediately by one
or more of the other algorithms.</t>
        <t>Proofs are encoded as follows:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  uint64 timestamps<0..2^8-1>;
  PrefixProof prefix_proofs<0..2^8-1>;
  HashValue prefix_roots<0..2^8-1>;

  InclusionProof inclusion;
} CombinedTreeProof;
]]></sourcecode>
        <t>The <tt>timestamps</tt> field contains the timestamps of specific log entries, and the
<tt>prefix_proofs</tt> field contains search proofs from the prefix trees of specific
log entries. There is no explicit indication as to which log entry the elements
correspond to, as they are provided in the order that the algorithm the user is
executing would request them. The elements of the <tt>prefix_roots</tt> field are, in
left-to-right order, the prefix tree root hashes for any log entries whose
timestamp was provided in <tt>timestamps</tt> but a search proof was not provided in
<tt>prefix_proofs</tt>.</t>
        <t>If a log entry's timestamp is referenced multiple times by algorithms in the
same <tt>CombinedTreeProof</tt>, it is only added to the <tt>timestamps</tt> array the first
time. Additionally, when a user advertises a previously observed tree size in
their request, log entry timestamps that the user is expected to have retained
are always omitted from <tt>timestamps</tt>. This may result in there being elements of
<tt>prefix_proofs</tt> that correspond to log entries whose timestamps are not included
in <tt>timestamps</tt>. Users <bcp14>MUST</bcp14> verify that any such proof in <tt>prefix_proof</tt> is
consistent with their retained prefix tree root hash for the log entry, due to
the fact that the log entry will not be included in <tt>inclusion</tt>.</t>
        <t>If different algorithms in the same <tt>CombinedTreeProof</tt> require a search proof
from the same log entry, the <tt>prefix_proofs</tt> array will contain multiple
<tt>PrefixProof</tt> structures for the same log entry. Users <bcp14>MUST</bcp14> verify that all
<tt>PrefixProof</tt> structures corresponding to the same log entry compute the same
prefix tree root hash.</t>
        <t>Users processing a <tt>CombinedTreeProof</tt> <bcp14>MUST</bcp14> verify that the <tt>timestamps</tt>,
<tt>prefix_proofs</tt>, and <tt>prefix_roots</tt> fields contain exactly the expected number
of entries -- no more and no less. Additionally, users <bcp14>MUST</bcp14> verify that the
timestamps explicitly included in <tt>timestamps</tt>, along with any retained
timestamps, represent a monotonic series. That is, users verify that any given
timestamp is greater than or equal to all observed timestamps to its left.</t>
        <t>Finally, the <tt>inclusion</tt> field contains the minimum set of node
values from the log tree that would allow a user to compute:</t>
        <ul spacing="normal">
          <li>
            <t>The root value of the log tree, and</t>
          </li>
          <li>
            <t>If an <tt>AuditorTreeHead</tt> was provided by the Transparency Log, the root value
of the log tree when it had <tt>AuditorTreeHead.tree_size</tt> leaves,</t>
          </li>
        </ul>
        <t>from the following:</t>
        <ul spacing="normal">
          <li>
            <t>The values of all leaf nodes whose timestamp was provided in <tt>timestamps</tt>, and</t>
          </li>
          <li>
            <t>If the user advertised a previously observed tree size in their request, any
intermediate node values the user is expected to have retained.</t>
          </li>
        </ul>
        <section anchor="updating-view">
          <name>Updating View</name>
          <t>For a user to update their view of the tree, the following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>If the user has not previously observed a tree head, the timestamp of each log
entry along the frontier.</t>
            </li>
            <li>
              <t>If the user has previously observed a tree head, the timestamp of each log
entry from the list computed in <xref target="update-view-algorithm"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="greatest-version-search-1">
          <name>Greatest-Version Search</name>
          <t>For a user to search the combined tree for the greatest version of a label, the
following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>From each log entry along the frontier, starting from the log entry identified
in <xref target="gv-algorithm"/>, a <tt>PrefixProof</tt> corresponding to a search binary ladder.</t>
            </li>
          </ul>
          <t>Note that the frontier log entry timestamps are either already provided as part
of updating the user's view of the tree, or are expected to have been retained
by the user, and no additional timestamps are necessary to identify the starting
log entry.</t>
        </section>
        <section anchor="fixed-version-search-1">
          <name>Fixed-Version Search</name>
          <t>For a user to search the combined tree for a specific version of a label, the
following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>For each log entry touched by the algorithm in <xref target="fv-algorithm"/>:
              </t>
              <ul spacing="normal">
                <li>
                  <t>The log entry's timestamp.</t>
                </li>
                <li>
                  <t>If the log entry is not expired, then a <tt>PrefixProof</tt> corresponding to a
search binary ladder in the log entry's prefix tree.</t>
                </li>
              </ul>
            </li>
            <li>
              <t>If step 6.3 is reached, a second <tt>PrefixProof</tt> from the identified log entry
specifically looking up the target version.</t>
            </li>
          </ul>
        </section>
        <section anchor="contact-monitoring">
          <name>Contact Monitoring</name>
          <t>For a user to monitor a label in the combined tree, the following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>For each entry in the user's monitoring map, from rightmost to leftmost log
entry:
              </t>
              <ul spacing="normal">
                <li>
                  <t>The timestamp of each log entry on the path from the root to the parent of
the log entry in the user's monitoring map, stopping if a non-distinguished
log entry is established.</t>
                </li>
                <li>
                  <t>From each log entry in the list computed in <xref target="contact-algorithm"/>, a
<tt>PrefixProof</tt> corresponding to a monitoring binary ladder.</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
        <section anchor="owner-initialization">
          <name>Owner Initialization</name>
          <t>For a label owner to initialize their state to begin monitoring a label, the
following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>The timestamp of each log entry on the path from the root to the user's
requested starting position.</t>
            </li>
            <li>
              <t>For each log entry in the list computed in the first algorithm of
<xref target="owner-algorithm"/>, a <tt>PrefixProof</tt> corresponding to a search binary ladder.</t>
            </li>
          </ul>
          <t>The timestamps are provided to allow both the client and server to verify the
precondition that the user's requested starting position is unexpired and
distinguished.</t>
        </section>
        <section anchor="owner-monitoring">
          <name>Owner Monitoring</name>
          <t>For a label owner to perform regular monitoring, the following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>The timestamp for each log entry that causes the second algorithm of
<xref target="owner-algorithm"/> to recurse either left or right.</t>
            </li>
            <li>
              <t>For each log entry that reaches step 5 in the second algorithm of
<xref target="owner-algorithm"/>, a <tt>PrefixProof</tt> corresponding to a search binary ladder.</t>
            </li>
          </ul>
        </section>
        <section anchor="updating-a-label-1">
          <name>Updating a Label</name>
          <t>For a label owner to verify that some new versions of a label have been
correctly inserted, the following is provided:</t>
          <ul spacing="normal">
            <li>
              <t>The timestamp of each log entry on the path from the root to the parent of the
rightmost log entry of the previous tree, stopping if a non-distinguished log
entry is established.</t>
            </li>
            <li>
              <t>The timestamp of each log entry on the path from the root to the parent of the
log entry where the new versions were inserted, stopping if a
non-distinguished log entry is established.</t>
            </li>
            <li>
              <t>Any <tt>PrefixProof</tt> structures that may be required by steps 2.2, 3, or 4 of the
algorithm in <xref target="update-algorithm"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="walking-distinguished-heads-1">
          <name>Walking Distinguished Heads</name>
          <t>For a user to walk the most recent distinguished log entries, the following is
provided:</t>
          <ul spacing="normal">
            <li>
              <t>The timestamp of each log entry that reaches step 2 of the algorithm in
<xref target="distinguished-algorithm"/>.</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="user-operations">
      <name>User Operations</name>
      <t>The basic user operations are organized as a request-response protocol between a
user and the Transparency Log.</t>
      <t>Users <bcp14>MUST</bcp14> retain the most recent <tt>TreeHead</tt> and <tt>AuditorTreeHead</tt> they've
successfully verified as part of any query response, and populate the <tt>last</tt>
field of any subsequent query request with the <tt>tree_size</tt> of the last
<tt>TreeHead</tt>. This ensures that all operations performed by the user return
consistent results.</t>
      <t>Modifications to a user's state <bcp14>MUST</bcp14> only be persisted once the query response
has been fully verified. Queries that fail full verification <bcp14>MUST NOT</bcp14> modify the
user's protocol state in any way.</t>
      <section anchor="search">
        <name>Search</name>
        <t>Users initiate a Search operation by submitting a <tt>SearchRequest</tt> to the
Transparency Log containing the label that they wish to search for. Users can
optionally specify a version of the label that they'd like to receive, if not
the greatest one.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  optional<uint64> last;

  opaque label<0..2^8-1>;
  optional<uint32> version;
} SearchRequest;
]]></sourcecode>
        <t>In turn, the Transparency Log responds with a SearchResponse structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque proof[VRF.Np];
  optional<HashValue> commitment;
} BinaryLadderStep;

struct {
  FullTreeHead full_tree_head;

  select (SearchRequest.version) {
    case absent:
      uint32 version;
  };
  opaque opening[Nc];
  UpdateValue value;

  BinaryLadderStep binary_ladder<0..2^8-1>;
  CombinedTreeProof search;
} SearchResponse;
]]></sourcecode>
        <t>If no target version was specified in <tt>SearchRequest.version</tt> for a
fixed-version search, the greatest version of the label is provided in
<tt>SearchResponse.version</tt>.</t>
        <t>Each <tt>BinaryLadderStep</tt> structure contains information related to one version of
the label in the binary ladder for the target version, listed in the same order
that the versions are output by the algorithm in <xref target="binary-ladder"/>. The <tt>proof</tt>
field contains the VRF proof. The <tt>commitment</tt> field contains the commitment to
the label's value at that version. The <tt>commitment</tt> field is omitted only for
versions of the label that don't exist and for the target version of the label,
as the commitment to the target version is computed from <tt>opening</tt> and <tt>value</tt>.</t>
        <t>The <tt>search</tt> field contains the output of updating the user's view of the tree
to match <tt>TreeHead.tree_size</tt> followed by either a fixed-version or
greatest-version search for the requested label.</t>
        <t>Users verify a <tt>SearchResponse</tt> by following these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify <tt>value</tt> as described in <xref target="update-format"/>.</t>
          </li>
          <li>
            <t>Verify that the expected number of entries is present in <tt>binary_ladder</tt> and
that no commitment value is provided for the target version.</t>
          </li>
          <li>
            <t>Compute the VRF output for each version of the label from the proofs in
<tt>binary_ladder</tt>. Compute the commitment to the value of the target version
with <tt>opening</tt> and <tt>value</tt>.</t>
          </li>
          <li>
            <t>If <tt>SearchRequest.version</tt> is absent, verify the proof in <tt>search</tt> as
described in <xref target="gv-algorithm"/>. Otherwise, verify the proof in <tt>search</tt> as
described in <xref target="fv-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>search.inclusion</tt> and any previously retained full subtrees of the log tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>FullTreeHead</tt> as
described in <xref target="full-tree-head-verification"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="contact-monitor">
        <name>Contact Monitor</name>
        <t>If the Transparency Log is deployed in Contact Monitoring mode, users that
looked up a label initiate a Contact Monitoring operation by submitting a
<tt>ContactMonitorRequest</tt> to the Transparency Log containing information about the
label they wish to monitor.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 position;
  uint32 version;
} MonitorMapEntry;

struct {
  optional<uint64> last;

  opaque label<0..2^8-1>;
  MonitorMapEntry entries<0..2^8-1>;
} ContactMonitorRequest;
]]></sourcecode>
        <t>The Transparency Log verifies that each <tt>MonitorMapEntry</tt> in <tt>entries</tt> is sorted
in ascending order by <tt>position</tt>, that no <tt>position</tt> or <tt>version</tt> is duplicate,
and that <tt>position</tt> always lies on the direct path of the first log entry to
contain the associated version of the label. In turn, the Transparency Log
responds with a <tt>ContactMonitorResponse</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  FullTreeHead full_tree_head;
  CombinedTreeProof monitor;
} ContactMonitorResponse;
]]></sourcecode>
        <t>The <tt>monitor</tt> field contains the output of updating the user's view of the tree
to match <tt>TreeHead.tree_size</tt> followed by executing the algorithm in
<xref target="contact-algorithm"/>. Users verify a <tt>ContactMonitorResponse</tt> by following
these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify the proof in <tt>monitor</tt> as described in <xref target="contact-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>monitor.inclusion</tt> and any previously retained full subtrees of the log
tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>FullTreeHead</tt> as
described in <xref target="full-tree-head-verification"/>.</t>
          </li>
        </ol>
        <t>While access control decisions generally belong solely to the application, users
of a Transparency Log deployed in Contact Monitoring mode <bcp14>MUST</bcp14> be able to
monitor versions of a label they previously looked up, even if they would no
longer be allowed to make the same query. One simple way for a user to prove
that they were previously allowed to look up a particular version of a label
would be for them to provide the corresponding commitment opening.</t>
      </section>
      <section anchor="owner-initialization-1">
        <name>Owner Initialization</name>
        <t>Users that wish to initialize their owner state for a label submit an
<tt>OwnerInitRequest</tt> to the Transparency Log containing the label they wish to
take ownership of and their desired starting log entry.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  optional<uint64> last;

  opaque label<0..2^8-1>;
  uint64 start;
} OwnerInitRequest;
]]></sourcecode>
        <t>The Transparency Log verifies that <tt>start</tt> identifies a log entry that is
unexpired and distinguished. In turn, the Transparency Log responds with an
<tt>OwnerInitResponse</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  FullTreeHead full_tree_head;

  uint32 greatest_versions<0..2^8-1>;
  BinaryLadderStep binary_ladder<0..2^16-1>;
  CombinedTreeProof init;
} OwnerInitResponse;
]]></sourcecode>
        <t>The <tt>greatest_versions</tt> field contains the greatest version of the label that
exists in each log entry computed in step 1 of the first algorithm in
<xref target="owner-algorithm"/>, ending at the first log entry where the label doesn't
exist.</t>
        <t>The <tt>binary_ladder</tt> field contains one entry for each version computed in step 3
of the first algorithm in <xref target="owner-algorithm"/>, in ascending order by version. If
a version of the label exists, the commitment to the label's value at that
version is provided in the <tt>commitment</tt> field of the <tt>BinaryLadderStep</tt>.</t>
        <t>The <tt>init</tt> field contains the output of updating the user's view of the tree to
match <tt>TreeHead.tree_size</tt> followed by executing the first algorithm in
<xref target="owner-algorithm"/>.</t>
        <t>Users verify an <tt>OwnerInitResponse</tt> by following these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that the number of entries in <tt>greatest_versions</tt> is less than or
equal to the number of log entries in the computed list, and that
<tt>greatest_versions</tt> is in descending order.</t>
          </li>
          <li>
            <t>Verify that the expected number of entries is present in <tt>binary_ladder</tt> and
that a commitment is provided for each version in <tt>greatest_versions</tt>. (Note
that the existence of a version does not require the existence of all lesser
versions.) Compute the VRF output for each version of the label from the
proofs in <tt>binary_ladder</tt>.</t>
          </li>
          <li>
            <t>Verify the proof in <tt>init</tt> as described in the first algorithm of
<xref target="owner-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>init.inclusion</tt> and any previously retained full subtrees of the log tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>FullTreeHead</tt> as
described in <xref target="full-tree-head-verification"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="owner-monitoring-1">
        <name>Owner Monitoring</name>
        <t>Users that wish to monitor a label they own submit an <tt>OwnerMonitorRequest</tt> to
the Transparency Log containing the label they wish to monitor and their current
monitoring state.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  optional <uint64> last;

  opaque label<0..2^8-1>;
  MonitorMapEntry entries<0..2^8-1>;
  uint64 start;
  optional<uint32> greatest_version;
} OwnerMonitorRequest;
]]></sourcecode>
        <t>The <tt>entries</tt> list contains the label owner's monitoring state for versions of
the label that have not yet been proven to be included in a distinguished log entry. The
<tt>start</tt> field contains the rightmost distinguished log entry that the label
owner has verified as correct. The <tt>greatest_version</tt> field contains the
greatest version of the label that the label owner is aware of, if any.</t>
        <t>The Transparency Log verifies an <tt>OwnerMonitorRequest</tt> by following these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that each MonitorMapEntry in <tt>entries</tt> is sorted in ascending order by
<tt>position</tt>, that no <tt>position</tt> or <tt>version</tt> is duplicate, and that <tt>position</tt>
always lies on the direct path of the first log entry to contain the
associated version of the label.</t>
          </li>
          <li>
            <t>Verify that <tt>start</tt> is less than the size of the tree.</t>
          </li>
          <li>
            <t>Verify that <tt>greatest_version</tt> is either absent, or less than or equal to the
greatest version of the label. Verify that, if some version of the label
existed at <tt>start</tt>, that <tt>greatest_version</tt> is present and greater than or
equal to that version.</t>
          </li>
        </ol>
        <t>In turn, the Transparency Log responds with an <tt>OwnerMonitorResponse</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  FullTreeHead full_tree_head;
  CombinedTreeProof monitor;
} OwnerMonitorResponse;
]]></sourcecode>
        <t>The <tt>monitor</tt> field contains the output of updating the user's view of the tree
to match <tt>TreeHead.tree_size</tt>, followed by executing the algorithm in
<xref target="contact-algorithm"/>, followed by executing the second algorithm in
<xref target="owner-algorithm"/>. Users verify an <tt>OwnerMonitorResponse</tt> by following these
steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify the proof in <tt>monitor</tt> as described in <xref target="contact-algorithm"/> and the
second algorithm of <xref target="owner-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>monitor.inclusion</tt> and any previously retained full subtrees of the log
tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>FullTreeHead</tt> as
described in <xref target="full-tree-head-verification"/>.</t>
          </li>
        </ol>
      </section>
      <section anchor="updating-a-label-2">
        <name>Updating a Label</name>
        <t>Users that wish to create one or more new versions of a label they own submit an
<tt>UpdateRequest</tt> to the Transparency Log containing the label and the new values
to store.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque value<0..2^32-1>;
} LabelValue;

struct {
  optional<uint64> last;

  opaque label<0..2^8-1>;
  optional<uint32> greatest_version;
  LabelValue values<0..2^8-1>;
} UpdateRequest;
]]></sourcecode>
        <t>The <tt>greatest_version</tt> field contains the greatest version of the label that the
user is aware of, if any. The <tt>values</tt> field contains the values for the new
versions of the label that the user would like to create. The <tt>values</tt> field <bcp14>MAY</bcp14>
be empty to indicate that the user only wishes to be informed of
already-existing versions of the label greater than <tt>greatest_version</tt>, rather
than create any new ones.</t>
        <t>If <tt>greatest_version</tt> matches the current greatest version of the label that
exists and <tt>values</tt> is non-empty, the Transparency Log inserts the new versions
of the label into the prefix tree and sequences a new log entry. Version
counters are assigned sequentially and in the same order as given in <tt>values</tt>.
If the <tt>greatest_version</tt> field does not match the current greatest version of
the label that exists, <tt>values</tt> is disregarded.</t>
        <t>The Transparency Log returns an <tt>UpdateResponse</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  opaque opening[Nc];
  UpdateSuffix suffix;
} UpdateInfo;

struct {
  FullTreeHead full_tree_head;

  uint64 position;
  LabelValue values<0..2^8-1>;
  UpdateInfo info<0..2^8-1>;

  BinaryLadderStep binary_ladder<0..2^8-1>;
  CombinedTreeProof update;
} UpdateResponse;
]]></sourcecode>
        <t>The <tt>position</tt> field contains the index of the log entry where the new versions
of the label were inserted. This may or may not be the rightmost log entry.</t>
        <t>If <tt>greatest_version</tt> is less than the current greatest version of the label,
<tt>UpdateResponse.values</tt> contains the values of all of the immediately subsequent
versions of the label that were created in the log entry <tt>position</tt>, in
ascending order by version. If <tt>UpdateResponse.values</tt> is non-empty, this
indicates that <tt>UpdateRequest.values</tt> was disregarded by the Transparency Log.
Inversely, if <tt>UpdateResponse.values</tt> is empty, this indicates that all of the
new versions of the label in <tt>UpdateRequest.values</tt> were successfully created
and no versions of the label other than those in <tt>UpdateRequest.values</tt> were
created in the log entry <tt>position</tt>.</t>
        <t>The <tt>info</tt> field contains an <tt>UpdateInfo</tt> for each new version of the label
created in the log entry <tt>position</tt>. The entries of <tt>info</tt> correspond to the
entries of <tt>UpdateResponse.values</tt> if it is non-empty, and to the entries of
<tt>UpdateRequest.values</tt> otherwise.</t>
        <t>The <tt>opening</tt> field of an <tt>UpdateInfo</tt> structure contains the commitment opening
that was chosen for the version of the label and, if in Third-Party Management
mode, the <tt>suffix</tt> field contains the Service Operator's signature over the new
value.</t>
        <t>The <tt>binary_ladder</tt> field contains VRF proofs for the versions specified in
<xref target="update-algorithm"/> in ascending order by version. If a version of a label
exists and is less than or equal to the user's advertised <tt>greatest_version</tt>,
the commitment to the label's value at that version is provided in the
<tt>commitment</tt> field of the BinaryLadderStep.</t>
        <t>The <tt>update</tt> field contains the output of updating the user's view of the tree
to match <tt>TreeHead.tree_size</tt>, followed by executing the algorithm in
<xref target="update-algorithm"/>. Users verify an <tt>UpdateResponse</tt> by following these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that <tt>position</tt> is to the right of where the previous greatest version
of the label was inserted. If this is the first version inserted since the
user became the label owner, verify that <tt>position</tt> is to the right of the
starting position chosen in <xref target="owner-algorithm"/>.</t>
          </li>
          <li>
            <t>If <tt>UpdateResponse.values</tt> is non-empty, verify that the length of <tt>info</tt> is
equal to that of <tt>UpdateResponse.values</tt>. Otherwise, verify that the length
of <tt>info</tt> is equal to that of <tt>UpdateRequest.values</tt>. Regardless, verify that
<tt>info</tt> is non-empty.</t>
          </li>
          <li>
            <t>If the Transparency Log is deployed with a Third-Party Manager, verify that
the signatures provided in each element of <tt>info</tt> are valid.</t>
          </li>
          <li>
            <t>Verify that the expected number of entries is present in <tt>binary_ladder</tt>,
that all of the proofs properly evaluate into a VRF output, and that no
commitment is provided for any version greater than <tt>greatest_version</tt>.</t>
          </li>
          <li>
            <t>Verify the proof in <tt>update</tt> as described in <xref target="update-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>update.inclusion</tt> and any previously retained full subtrees of the log tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>FulTreeHead</tt> as described
in <xref target="full-tree-head-verification"/>.</t>
          </li>
        </ol>
        <t>The Transparency Log <bcp14>MAY</bcp14> provide multiple <tt>UpdateResponse</tt> structures in
response to a single <tt>UpdateRequest</tt>, each corresponding to a subsequent
<tt>position</tt> where more new versions of the label were inserted. These
<tt>UpdateResponse</tt> structures are processed by clients serially as if an
<tt>UpdateRequest</tt> with the following parameters had been sent:</t>
        <ul spacing="normal">
          <li>
            <t><tt>last</tt> set to the tree size of the previously processed <tt>UpdateResponse</tt></t>
          </li>
          <li>
            <t><tt>label</tt> set to the same value as the previous <tt>UpdateRequest</tt></t>
          </li>
          <li>
            <t><tt>greatest_version</tt> incremented to cover the versions created by the
previously processed <tt>UpdateResponse</tt></t>
          </li>
          <li>
            <t><tt>values</tt> remains unchanged until the first <tt>UpdateResponse</tt> with an empty
<tt>values</tt> field is received, and is empty from then on.</t>
          </li>
        </ul>
      </section>
      <section anchor="walking-distinguished-heads-2">
        <name>Walking Distinguished Heads</name>
        <t>Users that wish to walk the recently issued distinguished log entries submit a
<tt>DistinguishedRequest</tt> to the Transparency Log, optionally containing their
requested stopping position.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  optional<uint64> last;
  optional<uint64> stop;
} DistinguishedRequest;
]]></sourcecode>
        <t>In turn, the Transparency Log responds with a <tt>DistinguishedResponse</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  FullTreeHead full_tree_head;
  CombinedTreeProof distinguished;
} DistinguishedResponse;
]]></sourcecode>
        <t>Users verify a <tt>DistinguishedResponse</tt> by following these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify the proof in <tt>distinguished</tt> as described in
<xref target="distinguished-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>distinguished.inclusion</tt> and any previously retained full subtrees of the
log tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>FullTreeHead</tt> as
described in <xref target="full-tree-head-verification"/>.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="credentials">
      <name>Credentials</name>
      <t><strong>Credentials</strong> are proofs that are designed to be sent directly between users
and verified without direct interaction with the Transparency Log. They are
frequently useful in applications where anonymity is important, as they
generally prevent users from needing to make direct requests to the Transparency
Log regarding their contacts.</t>
      <t>Credentials are encoded as follows:</t>
      <sourcecode type="tls-presentation"><![CDATA[
enum {
  reserved(0),
  standard(1),
  provisional(2),
  (255)
} CredentialType;

struct {
  opaque label<0..2^8-1>;

  uint32 version;
  opaque opening[Nc];
  UpdateValue value;
  BinaryLadderStep binary_ladder<0..2^8-1>;

  uint64 position;
  CredentialType credential_type;
  select (Credential.credential_type) {
    case standard:
      PrefixProof distinguished;
    case provisional:
      TreeHead tree_head;
      CombinedTreeProof search;
  };
} Credential;
]]></sourcecode>
      <t>In essence, credentials in KT are implemented as a greatest-version search for a
user's <tt>label</tt>. As such, the fields <tt>version</tt>, <tt>opening</tt>, <tt>value</tt>, and
<tt>binary_ladder</tt> are the same as they would be in a <tt>SearchResponse</tt> for a
greatest-version search, described in <xref target="search"/>.</t>
      <t>The <tt>position</tt> field contains the position of a recently issued distinguished
log entry, and this log entry will be the basis for verifying the credential.
Applications define their own policy for what constitutes a "recently issued"
distinguished log entry. Users can learn of and retain all of the recently
issued distinguished log entries by making a <tt>DistinguishedRequest</tt>, or through
the process of monitoring labels they own. Once a distinguished log entry no
longer meets the application's definition of "recent", any credentials relying
on the log entry are considered expired.</t>
      <t>The <tt>credential_type</tt> field specifies whether the credential is of the
<tt>standard</tt> type, meaning that the target label-version pair is included in a
distinguished log entry, or is of the <tt>provisional</tt> type, meaning that the
label-version pair is not yet included in a distinguished log entry.</t>
      <t>Regardless of credential type, users start verification of a credential by
following these steps:</t>
      <ol spacing="normal" type="1"><li>
          <t>Verify that the user is aware of a recently issued distinguished log entry at
<tt>position</tt>. To preserve user anonymity, implementations <bcp14>MUST NOT</bcp14> use a
verification failure at this point as a prompt to request an updated tree
head from the Transparency Log.</t>
        </li>
        <li>
          <t>Verify <tt>value</tt> as described in <xref target="update-format"/>.</t>
        </li>
        <li>
          <t>Verify that the expected number of entries is present in <tt>binary_ladder</tt> and
that no commitment value is provided for the target version.</t>
        </li>
        <li>
          <t>Compute the VRF output for each version of the label from the proofs in
<tt>binary_ladder</tt>. Compute the commitment to the value of the target version
with <tt>opening</tt> and <tt>value</tt>.</t>
        </li>
      </ol>
      <t>Additional verification based on credential type is described in the following
two subsections.</t>
      <section anchor="standard">
        <name>Standard</name>
        <t>If the credential type is standard, the <tt>distinguished</tt> field is present and
contains lookups corresponding to a search binary ladder for the target version
of the label in a recently issued distinguished log entry.</t>
        <t>Users follow these steps to verify a standard credential:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that the binary ladder in <tt>distinguished</tt> terminates in a way
that is consistent with <tt>version</tt> being the greatest version of the label
that exists.</t>
          </li>
          <li>
            <t>Verify that the prefix tree root value produced by evaluating <tt>distinguished</tt>
matches that of the recently issued distinguished log entry at <tt>position</tt>.</t>
          </li>
        </ol>
      </section>
      <section anchor="provisional">
        <name>Provisional</name>
        <t>If the credential type is provisional, the <tt>tree_head</tt> and <tt>search</tt> fields are
present. The <tt>tree_head</tt> field contains a signature from the Transparency Log
over a view of the tree that, at minimum, includes the log entry at <tt>position</tt>.
The <tt>search</tt> field contains the output of updating the user's view of the tree
from a tree size of <tt>position+1</tt> to <tt>TreeHead.tree_size</tt>, followed by a
greatest-version search for <tt>label</tt>.</t>
        <t>Users follow these steps to verify a provisional credential:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that <tt>TreeHead.tree_size</tt> is greater than <tt>position</tt>.</t>
          </li>
          <li>
            <t>Verify the proof in <tt>search</tt> as described in <xref target="gv-algorithm"/>. Verify that
the terminal log entry of the search is to the right of <tt>position</tt>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>search.inclusion</tt> and the retained full subtrees of the log tree.</t>
          </li>
          <li>
            <t>With the candidate root value for the tree, verify <tt>TreeHead.signature</tt> as
described in <xref target="tree-head-signature"/>.</t>
          </li>
        </ol>
        <t>The verification process explicitly rejects a provisional credential if a
standard credential could have been produced from the same log entry <tt>position</tt>.
However, when generating a credential, users <bcp14>MAY</bcp14> choose to output a provisional
credential from an older distinguished log entry rather than a standard
credential from a newer distinguished log entry. This can allow users to
accommodate reasonable delays in the distribution of newly issued distinguished
log entries. Applications <bcp14>MAY</bcp14> define a policy restricting provisional
credentials to a subset of recently issued distinguished log entries.</t>
        <t>Verifying a provisional credential <bcp14>MUST NOT</bcp14> have any effect on the state used
for the user's direct interactions with the Transparency Log, or on the
verification of other credentials (even for the same label). In particular, the
view of the tree presented in a provisional credential <bcp14>MUST NOT</bcp14> cause a user to
change its view of the tree for any other purpose. Successfully verified
provisional credentials are retained by the receiving user until the sender
provides a <tt>CredentialUpdate</tt> structure:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 position;
  CombinedTreeProof monitor;
} CredentialUpdate;
]]></sourcecode>
        <t>The <tt>position</tt> field identifies the first distinguished log entry to the right
of the terminal log entry of the search. The proof in <tt>monitor</tt> then contains
the output of executing the algorithm in <xref target="contact-algorithm"/>. The proof in
<tt>monitor.inclusion</tt> is computed with a tree size of <tt>position+1</tt> and assumes
that the user has retained the full subtrees of the log tree with size
<tt>Credential.tree_head.tree_size</tt>.</t>
        <t>Users follow these steps to verify a <tt>CredentialUpdate</tt>:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that the user is aware of a recently issued distinguished log entry at
<tt>position</tt>. Again, a verification failure at this point <bcp14>MUST NOT</bcp14> prompt a
request for an updated tree head from the Transparency Log. Implementations
<bcp14>MAY</bcp14> retain the <tt>CredentialUpdate</tt> and re-attempt verification at a later
time.</t>
          </li>
          <li>
            <t>Verify that, according to the user's retained state, <tt>position</tt> is the first
distinguished log entry to the right of the terminal log entry of the search
done in <tt>Credential.search</tt>.</t>
          </li>
          <li>
            <t>Verify the proof in <tt>monitor</tt> as described in <xref target="contact-algorithm"/>.</t>
          </li>
          <li>
            <t>Compute a candidate root value for the tree from the proof in
<tt>monitor.inclusion</tt>. Verify that this matches the user's retained state for
the distinguished log entry at <tt>position</tt>.</t>
          </li>
        </ol>
        <t>If a user verifies a provisional credential and doesn't receive a
<tt>CredentialUpdate</tt> from the sender before the credential expires, the user <bcp14>MUST</bcp14>
fetch and verify a <tt>CredentialUpdate</tt> from the Transparency Log themself. The
user <bcp14>SHOULD</bcp14> attempt to fetch the <tt>CredentialUpdate</tt> over an anonymous channel,
to preserve the anonymity of the sending user as much as possible. If the user
is still unable to obtain or verify a <tt>CredentialUpdate</tt> structure for a
provisional credential, this <bcp14>SHOULD</bcp14> be reported to the user as evidence of
potential misbehavior by the Transparency Log.</t>
        <section anchor="detecting-forks-1">
          <name>Detecting Forks</name>
          <t>In a user's typical interactions with a Transparency Log, every response is
required to prove that it comes from the same view of the log tree as every
prior response. However, this model doesn't work for credential verification.
Since credentials are provided in a non-interactive and peer-to-peer manner,
when a user is creating a credential they have no way to know what other
credentials (and therefore which tree heads) the receiving user(s) may want to
check consistency with. In fact, trying to convey this information to the
user creating a credential risks violating the anonymity of the receiving user's
other contacts.</t>
          <t>KT addresses this by using the recently issued distinguished log entries as
common reference points for the state of the log tree. Users compute and retain
the full subtrees of the log tree at each point where a recently issued
distinguished log entry is the log's rightmost log entry. This retained state is
then used either implicitly or explicitly in credential verification.</t>
          <t>In particular, when a provisional credential is received, the proof in
<tt>Credential.search</tt> is constructed as if the user advertised a previously
observed tree size of <tt>Credential.position+1</tt>. As a result, computing the
candidate root value for the log tree requires incorporating the user's retained
full subtrees for the log tree up to this point. This prevents the user from
accepting a view of the log that forked at any point prior to the log entry at
<tt>Credential.position</tt>.</t>
          <t>Once a <tt>CredentialUpdate</tt> is received for the credential, it will necessarily
include a proof of inclusion for the first distinguished log entry that's to the
right of the search's terminal log entry. Users take this proof, compute the
full subtrees of the log tree just up to the point of the subsequent
distinguished log entry, and verify that it matches their retained state. This
ensures that the terminal log entry of the search, containing the value of the
label that the user consumed, is also contained in a fully-consistent view of
the log tree.</t>
        </section>
      </section>
    </section>
    <section anchor="third-parties">
      <name>Third Parties</name>
      <t>Third-Party Management and Third-Party Auditing are two deployment modes that
require the Transparency Log to delegate part of its operation to a third party.
Users are able to run more efficiently as long as they can assume that the
Transparency Log and the Third Party won't collude to trick them into accepting
malicious results.</t>
      <section anchor="management">
        <name>Management</name>
        <t>With the Third-Party Management deployment mode, a third party is responsible
for the majority of the work of storing and operating the Transparency Log. The
Service Operator serves only to enforce access control, authorize the addition
of new versions of labels, and prevent the creation of forks by the Third-Party
Manager. Critically, the Service Operator is trusted to ensure that only one
value for each version of a label is authorized.</t>
        <t>All user queries specified in <xref target="user-operations"/> are initially sent by users
directly to the Service Operator and are forwarded to the Third-Party Manager if
they pass access control. While other operations are forwarded by the Service
Operator unchanged, <tt>UpdateRequest</tt> structures are forwarded to the Third-Party
Manager with the Service Operator's signature over each new value:</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  UpdateRequest request;
  optional<uint64> last;

  opaque label<0..2^8-1>;
  optional<uint32> greatest_version;
  UpdateValue values<0..2^8-1>;

  uint32 signed_version;
} ManagerUpdateRequest;
]]></sourcecode>
        <t>This structure is the same as <tt>UpdateRequest</tt>, except that the <tt>values</tt> field is
an array of <tt>UpdateValue</tt> structures with the Service Operator's signature over
each value, computed as described in <xref target="update-format"/>.</t>
        <t>This structure also contains a <tt>signed_version</tt> field. If <tt>values</tt> is empty, the
<tt>signed_version</tt> field is always zero. If <tt>values</tt> is non-empty, the
<tt>signed_version</tt> field contains the version that was used in the computation of
the Service Operator's signature over the first element of <tt>values</tt>.</t>
        <t>If <tt>values</tt> is non-empty and <tt>signed_version</tt> is greater than the next greatest
version of the label to be created, the Manager <bcp14>MUST</bcp14> insert a sufficient number
of "dummy" entries into the Transparency Log's prefix tree such that the next
greatest version of the label to be created is <tt>signed_version</tt>, and sequence at
least one new log entry containing the updated prefix tree root, before creating
the versions requested in the <tt>ManagerUpdateRequest</tt>. These dummy entries in the
prefix tree map the VRF output for the label-version pair to an all-zero
commitment. As a result, the Manager will also need to provide an
<tt>UpdateResponse</tt> to the user that covers the dummy versions of the label before
providing an <tt>UpdateResponse</tt> that covers the requested versions.</t>
        <t>If <tt>signed_version</tt> is less than the next greatest version of the label to be
created, this generally indicates a bug in the Service Operator and the request
<bcp14>MUST</bcp14> be rejected by the Manager.</t>
      </section>
      <section anchor="auditing">
        <name>Auditing</name>
        <t>With the Third-party Auditing deployment mode, the Service Operator obtains
signatures from a Third-Party Auditor attesting to the fact that the
Service Operator is constructing the tree correctly. These signatures are
provided to users along with the responses to their queries.</t>
        <t>For each new log entry that the Service Operator adds to the log, it produces a
corresponding <tt>AuditorUpdate</tt> structure and sends this to the Third-Party
Auditor. The auditor <bcp14>MUST</bcp14> receive and successfully verify an <tt>AuditorUpdate</tt>
structure for a log entry before providing the Service Operator with an
<tt>AuditorTreeHead</tt> structure whose <tt>tree_size</tt> field would include that log
entry.</t>
        <sourcecode type="tls-presentation"><![CDATA[
struct {
  uint64 timestamp;

  PrefixLeaf added<0..2^16-1>;
  PrefixLeaf removed<0..2^16-1>;

  PrefixProof proof;
} AuditorUpdate;
]]></sourcecode>
        <t>The <tt>timestamp</tt> field contains the timestamp of the corresponding log entry. The
<tt>added</tt> field contains the list of <tt>PrefixLeaf</tt> structures that were added to
the prefix tree in the corresponding log entry. The <tt>removed</tt> field contains the
list of <tt>PrefixLeaf</tt> structures that were removed from the prefix tree.</t>
        <t>The <tt>proof</tt> field contains a batch lookup proof in the previous log entry's
prefix tree for all search keys referenced by <tt>added</tt> or <tt>removed</tt>. The
<tt>proof.results</tt> field contains the result of the search for each element of
<tt>added</tt> in the order provided, followed by the result of the search for each
element of <tt>removed</tt> in the order provided.</t>
        <t>An auditor processes a single <tt>AuditorUpdate</tt> by following these steps:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify that <tt>timestamp</tt> is greater than or equal to the timestamp of the
previous log entry.</t>
          </li>
          <li>
            <t>Verify that the elements of <tt>added</tt> are sorted in ascending order by
<tt>vrf_output</tt> and that the same <tt>vrf_output</tt> is not present twice. Verify the
same in <tt>removed</tt>. Note that a VRF output in <tt>added</tt> is also allowed to be in
<tt>removed</tt>.</t>
          </li>
          <li>
            <t>For each element of <tt>added</tt> where the same VRF output is not in <tt>removed</tt>,
verify that the <tt>PrefixSearchResult</tt> provided in <tt>proof</tt> has a <tt>result_type</tt>
of <tt>nonInclusionParent</tt> or <tt>nonInclusionLeaf</tt></t>
          </li>
          <li>
            <t>Verify that the <tt>PrefixSearchResult</tt> provided in <tt>proof</tt> for each element of
<tt>removed</tt> has a <tt>result_type</tt> of <tt>inclusion</tt>.</t>
          </li>
          <li>
            <t>For each element of <tt>removed</tt>, verify that, with the addition of the new log
entry, the prefix tree leaf was published in at least one
distinguished log entry before removal.</t>
          </li>
          <li>
            <t>With <tt>proof</tt> and the <tt>PrefixLeaf</tt> structures in <tt>removed</tt>, compute the root
value of the previous log entry's prefix tree. Verify that this matches the
auditor's state.</t>
          </li>
          <li>
            <t>With <tt>proof</tt> and the <tt>PrefixLeaf</tt> structures in <tt>added</tt> and <tt>removed</tt>,
compute the new root value of the prefix tree. Compute the new root value of
the log tree after adding a leaf with the specified <tt>timestamp</tt> and prefix
tree root value.</t>
          </li>
          <li>
            <t>Optionally, provide an <tt>AuditorTreeHead</tt> to the Service Operator where
<tt>AuditorTreeHead.timestamp</tt> is set to <tt>timestamp</tt> and
<tt>AuditorTreeHead.tree_size</tt> is set to the new size of the log tree after the
addition of the new leaf. The signature is computed with the log tree root
value computed in the previous step.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security properties provided by this protocol are discussed in detail in
<xref target="ARCH"/>. Generally speaking, the Key Transparency protocol ensures that all
users of a Transparency Log have a consistent view of the data stored in the
log. Service Operators may still be able to make malicious modifications to
stored data, such as by attaching new public keys to a user's account and
encouraging other users to encrypt to these public keys when messaging the user.
However, since the existence of these new public keys is equally visible to the
user whose account they affect, the user can promptly act to have them removed
from their account or inform contacts out-of-band that their communication may
be compromised.</t>
      <t>Key Transparency relies on users coming online regularly to monitor for
unexpected or malicious modifications to their account. Users that go offline
for longer than the log entry maximum lifetime may not detect if the
Transparency Log made malicious modifications to their labels.</t>
      <t>Similarly, Key Transparency relies on the ability of users to retain long-term
state regarding their account and past views of the Transparency Log. Users
which are unable to maintain long-term state, or may lose their state, have a
correspondingly limited ability to detect misbehavior by the Service Operator.
In particular, users which are completely stateless will generally gain nothing
by participating in this protocol over simply verifying a signature from the
Service Operator and, if there is one, the Third-Party Auditor or Manager.</t>
      <t>Ultimately, ensuring that all users have a consistent view of the Transparency
Log requires that the Service Operator is not able to create and maintain
long-term network partitions between users. As such, users need access to at
least one communication channel (even a very low-bandwidth one) that is
resistant to partitions. The protocol directly provides for a Third-Party
Auditor or Manager, which is trusted to prevent such partitions. Other options
include allowing users to gossip with each other, or allowing users to contact
the Transparency Log over an anonymous channel.</t>
      <t>Key Transparency provides users with a limited assurance that query responses
are authentic: a network attacker will not be able to forge false responses to
queries, but may provide responses which are up to <tt>max_behind</tt> milliseconds
stale. Key Transparency provides no privacy from network observers and does not
have the ability to authenticate specific users to the Transparency Log. To
mitigate these limitations, users <bcp14>SHOULD</bcp14> contact the Transparency Log over a
protocol that provides transport-layer encryption and an appropriate level of
authentication for both parties.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests the creation of the following new IANA registry:</t>
      <ul spacing="normal">
        <li>
          <t>KT Cipher Suites (<xref target="kt-cipher-suites"/>)</t>
        </li>
      </ul>
      <t>This registry should be under a heading of "Key Transparency",
and assignments are made via the Specification Required policy <xref target="RFC8126"/>. See
<xref target="de"/> for additional information about the KT Designated Experts (DEs).</t>
      <t>RFC EDITOR: Please replace XXXX throughout with the RFC number assigned to
this document</t>
      <section anchor="kt-cipher-suites">
        <name>KT Cipher Suites</name>
        <t>A cipher suite is a specific combination of cryptographic primitives and
parameters to be used in an instantiation of the protocol. Cipher suite names
follow the naming convention:</t>
        <sourcecode type="tls-presentation"><![CDATA[
uint16 CipherSuite;
CipherSuite KT_LVL_HASH_SIG = VALUE;
]]></sourcecode>
        <t>The columns in the registry are as follows:</t>
        <ul spacing="normal">
          <li>
            <t>Value: The numeric value of the cipher suite.</t>
          </li>
          <li>
            <t>Name: The name of the cipher suite.</t>
          </li>
          <li>
            <t>Recommended: Whether support for this cipher suite is <bcp14>RECOMMENDED</bcp14>.
Valid values are "Y", "N", and "D", as described below. The default value of
the "Recommended" column is "N". Setting the Recommended item to "Y" or "D",
or changing an item whose current value is "Y" or "D", requires Standards
Action <xref target="RFC8126"/>.
            </t>
            <ul spacing="normal">
              <li>
                <t>Y: Indicates that the item is <bcp14>RECOMMENDED</bcp14>. This only means that the
associated mechanism is fit for the purpose for which it was defined.
Careful reading of the documentation for the mechanism is necessary to
understand the applicability of that mechanism. A cipher suite may, for
example, be recommended that is only suitable for use in applications where
the Transparency Log's contents are public. Mechanisms with limited
applicability may be recommended, but in such cases applicability statements
that describe any limitations of the mechanism or necessary constraints will
be provided.</t>
              </li>
              <li>
                <t>N: Indicates that the item's associated mechanism has not been evaluated and
is not <bcp14>RECOMMENDED</bcp14> (as opposed to being <bcp14>NOT RECOMMENDED</bcp14>). This does not
mean that the mechanism is flawed.</t>
              </li>
              <li>
                <t>D: Indicates that the item is discouraged and <bcp14>SHOULD NOT</bcp14> be
used. This marking could be used to identify mechanisms that might result in
problems if they are used, such as a weak cryptographic algorithm or a
mechanism that might cause interoperability problems in deployment.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Reference: The document where this cipher suite is defined.</t>
          </li>
        </ul>
        <t>Initial contents:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">R</th>
              <th align="left">Ref</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">RESERVED</td>
              <td align="left">-</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">KT_128_SHA256_P256</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">KT_128_SHA256_Ed25519</td>
              <td align="left">Y</td>
              <td align="left">RFC XXXX</td>
            </tr>
            <tr>
              <td align="left">0xF000 - 0xFFFF</td>
              <td align="left">Reserved for Private Use</td>
              <td align="left">-</td>
              <td align="left">RFC XXXX</td>
            </tr>
          </tbody>
        </table>
        <t>Both cipher suites currently specified share the following primitives and
parameters:</t>
        <ul spacing="normal">
          <li>
            <t>The hash algorithm is SHA-256, as defined in <xref target="SHS"/>.</t>
          </li>
          <li>
            <t><tt>Nc</tt>: 16</t>
          </li>
          <li>
            <t><tt>Kc</tt>: The byte sequence equal to the hex-encoded string <tt>d821f8790d97709796b4d7903357c3f5</tt></t>
          </li>
        </ul>
        <t>The KT_128_SHA256_P256 cipher suite is as follows:</t>
        <ul spacing="normal">
          <li>
            <t>The signature algorithm is ECDSA over the NIST curve P-256. Messages are
hashed with SHA-256 before being signed. Public keys are encoded as an
uncompressed point as defined in SEC 1, Version 2.0, Section 2.3.3. Signatures
are encoded as the concatenation of two 256-bit big endian integers r and s.</t>
          </li>
          <li>
            <t>The VRF algorithm is ECVRF-P256-SHA256-TAI as defined in <xref target="RFC9381"/>. Public
keys are encoded as a compressed point as defined in SEC 1, Version 2.0,
Section 2.3.3.</t>
          </li>
        </ul>
        <t>The KT_128_SHA256_Ed25519 cipher suite is as follows:</t>
        <ul spacing="normal">
          <li>
            <t>The signature algorithm is Ed25519 as defined in <xref target="RFC8032"/>. Public key and
signature encodings are as defined in <xref target="RFC8032"/>.</t>
          </li>
          <li>
            <t>The VRF algorithm is ECVRF-EDWARDS25519-SHA512-TAI as defined in <xref target="RFC9381"/>
with the output truncated to 32 bytes.</t>
          </li>
        </ul>
      </section>
      <section anchor="de">
        <name>KT Designated Expert Pool</name>
        <t>Specification Required <xref target="RFC8126"/> registry requests are registered after a
three-week review period on the KT Designated Expert (DE) mailing list
<eref target="mailto:kt-reg-review@ietf.org">kt-reg-review@ietf.org</eref> on the advice of one or more of the KT DEs. However, to
allow for the allocation of values prior to publication, the KT DEs may approve
registration once they are satisfied that such a specification will be
published.</t>
        <t>Registration requests sent to the KT DEs' mailing list for review <bcp14>SHOULD</bcp14> use an
appropriate subject (e.g., "Request to register value in KT registry").</t>
        <t>Within the review period, the KT DEs will either approve or deny the
registration request, communicating this decision to the KT DEs' mailing list
and IANA. Denials <bcp14>SHOULD</bcp14> include an explanation and, if applicable, suggestions
as to how to make the request successful. Registration requests that are
undetermined for a period longer than 21 days can be brought to the IESG's
attention for resolution using the <eref target="mailto:iesg@ietf.org">iesg@ietf.org</eref> mailing list.</t>
        <t>Criteria that <bcp14>SHOULD</bcp14> be applied by the KT DEs includes determining whether the
proposed registration duplicates existing functionality, whether it is likely to
be of general applicability or useful only for a single application, and whether
the registration description is clear.</t>
        <t>IANA <bcp14>MUST</bcp14> only accept registry updates from the KT DEs and <bcp14>SHOULD</bcp14> direct all
requests for registration to the KT DEs' mailing list.</t>
        <t>It is suggested that multiple KT DEs who are able to represent the perspectives
of different applications using this specification be appointed, in order to
enable a broadly informed review of registration decisions. In cases where a
registration decision could be perceived as creating a conflict of interest for
a particular KT DE, that KT DE <bcp14>SHOULD</bcp14> defer to the judgment of the other KT DEs.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="ARCH">
          <front>
            <title>Key Transparency Architecture</title>
            <author fullname="Brendan McMillion" initials="B." surname="McMillion">
         </author>
            <date day="29" month="June" year="2026"/>
            <abstract>
              <t>   This document defines the terminology and interaction patterns
   involved in the deployment of Key Transparency in a general secure
   group messaging infrastructure, and specifies the security properties
   that the protocol provides.  It also gives more general, non-
   prescriptive guidance on how to securely apply Key Transparency to a
   number of common applications.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-keytrans-architecture-09"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC2104">
          <front>
            <title>HMAC: Keyed-Hashing for Message Authentication</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="M. Bellare" initials="M." surname="Bellare"/>
            <author fullname="R. Canetti" initials="R." surname="Canetti"/>
            <date month="February" year="1997"/>
            <abstract>
              <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2104"/>
          <seriesInfo name="DOI" value="10.17487/RFC2104"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC9381">
          <front>
            <title>Verifiable Random Functions (VRFs)</title>
            <author fullname="S. Goldberg" initials="S." surname="Goldberg"/>
            <author fullname="L. Reyzin" initials="L." surname="Reyzin"/>
            <author fullname="D. Papadopoulos" initials="D." surname="Papadopoulos"/>
            <author fullname="J. Včelák" initials="J." surname="Včelák"/>
            <date month="August" year="2023"/>
            <abstract>
              <t>A Verifiable Random Function (VRF) is the public key version of a keyed cryptographic hash. Only the holder of the secret key can compute the hash, but anyone with the public key can verify the correctness of the hash. VRFs are useful for preventing enumeration of hash-based data structures. This document specifies VRF constructions based on RSA and elliptic curves that are secure in the cryptographic random oracle model.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9381"/>
          <seriesInfo name="DOI" value="10.17487/RFC9381"/>
        </reference>
        <reference anchor="RFC8032">
          <front>
            <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8032"/>
          <seriesInfo name="DOI" value="10.17487/RFC8032"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CONIKS" target="https://eprint.iacr.org/2014/1004">
          <front>
            <title>CONIKS: Bringing Key Transparency to End Users</title>
            <author initials="M. S." surname="Melara" fullname="Marcela S. Melara">
              <organization/>
            </author>
            <author initials="A." surname="Blankstein" fullname="Aaron Blankstein">
              <organization/>
            </author>
            <author initials="J." surname="Bonneau" fullname="Joseph Bonneau">
              <organization/>
            </author>
            <author initials="E. W." surname="Felten" fullname="Edward W. Felten">
              <organization/>
            </author>
            <author initials="M. J." surname="Freedman" fullname="Michael J. Freedman">
              <organization/>
            </author>
            <date year="2014" month="April" day="27"/>
          </front>
        </reference>
        <reference anchor="SEEMLess" target="https://eprint.iacr.org/2018/607">
          <front>
            <title>SEEMless: Secure End-to-End Encrypted Messaging with less trust</title>
            <author initials="M." surname="Chase" fullname="Melissa Chase">
              <organization/>
            </author>
            <author initials="A." surname="Deshpande" fullname="Apoorvaa Deshpande">
              <organization/>
            </author>
            <author initials="E." surname="Ghosh" fullname="Esha Ghosh">
              <organization/>
            </author>
            <author initials="H." surname="Malvai" fullname="Harjasleen Malvai">
              <organization/>
            </author>
            <date year="2018" month="June" day="18"/>
          </front>
        </reference>
        <reference anchor="OPTIKS" target="https://eprint.iacr.org/2023/1515">
          <front>
            <title>OPTIKS: An Optimized Key Transparency System</title>
            <author initials="J." surname="Len" fullname="Julia Len">
              <organization/>
            </author>
            <author initials="M." surname="Chase" fullname="Melissa Chase">
              <organization/>
            </author>
            <author initials="E." surname="Ghosh" fullname="Esha Ghosh">
              <organization/>
            </author>
            <author initials="K." surname="Laine" fullname="Kim Laine">
              <organization/>
            </author>
            <author initials="R. C." surname="Moreno" fullname="Radames Cruz Moreno">
              <organization/>
            </author>
            <date year="2023" month="October" day="04"/>
          </front>
        </reference>
        <reference anchor="Merkle2" target="https://eprint.iacr.org/2021/453">
          <front>
            <title>Merkle^2: A Low-Latency Transparency Log System</title>
            <author initials="Y." surname="Hu" fullname="Yuncong Hu">
              <organization/>
            </author>
            <author initials="K." surname="Hooshmand" fullname="Kian Hooshmand">
              <organization/>
            </author>
            <author initials="H." surname="Kalidhindi" fullname="Harika Kalidhindi">
              <organization/>
            </author>
            <author initials="S. J." surname="Yang" fullname="Seung Jin Yang">
              <organization/>
            </author>
            <author initials="R. A." surname="Popa" fullname="Raluca Ada Popa">
              <organization/>
            </author>
            <date year="2021" month="April" day="08"/>
          </front>
        </reference>
        <reference anchor="SHS">
          <front>
            <title>Secure hash standard</title>
            <author>
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.180-4"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
      </references>
    </references>
    <?line 2720?>

<section anchor="appendix-implicit-search-tree">
      <name>Implicit Binary Search Tree</name>
      <t>The following Python code demonstrates efficient algorithms for navigating the
implicit binary search tree:</t>
      <sourcecode type="python"><![CDATA[
# The exponent of the largest power of 2 less than x. Equivalent to:
#   int(math.floor(math.log(x, 2)))
def log2(x):
    if x == 0:
        return 0
    k = 0
    while (x >> k) > 0:
        k += 1
    return k-1

# The level of a node in the tree. Leaves are level 0, their parents
# are level 1, etc. If a node's children are at different levels,
# then its level is the max level of its children plus one.
def level(x):
    if x & 0x01 == 0:
        return 0
    k = 0
    while ((x >> k) & 0x01) == 1:
        k += 1
    return k

# The root index of a search if the log has `n` entries.
def root(n):
    return (1 << log2(n)) - 1

# The left child of an intermediate node.
def left(x):
    k = level(x)
    if k == 0:
        raise Exception('leaf node has no children')
    return x ^ (0x01 << (k - 1))

# The right child of an intermediate node.
def right(x, n):
    k = level(x)
    if k == 0:
        raise Exception('leaf node has no children')
    x = x ^ (0x03 << (k - 1))
    while x >= n:
        x = left(x)
    return x
]]></sourcecode>
    </section>
    <section anchor="appendix-binary-ladder">
      <name>Binary Ladder</name>
      <t>The following Python code demonstrates efficient algorithms for computing the
versions of a label to include in a binary ladder:</t>
      <sourcecode type="python"><![CDATA[
# Returns the set of versions that would be looked up to establish that n was
# the greatest version of a label that existed.
def base_binary_ladder(n):
    out = []

    # Output powers of two minus one until reaching a value greater than n.
    while True:
        value = (1 << len(out)) - 1
        out.append(value)
        if value > n:
            break

    # Binary search between the established lower and upper bounds.
    lower_bound = out[-2]
    upper_bound = out[-1]

    while lower_bound+1 < upper_bound:
        value = (lower_bound + upper_bound) // 2
        out.append(value)
        if value <= n:
            lower_bound = value
        else:
            upper_bound = value

    return out

# Returns the set of versions that would be looked up in a search binary ladder
# where the target version is t and the greatest version of the label that
# exists in a given version of the prefix tree is n.
def search_binary_ladder(
    t, n,
    left_inclusion = [], right_non_inclusion = []
):
    def would_end(v):
        # (Proof of inclusion for a version greater than t) OR
        # (Proof of non-inclusion for a version less than or equal to t)
        return (v <= n and v > t) or (v > n and v <= t)

    def would_be_duplicate(v):
        return (v in left_inclusion) or (v in right_non_inclusion)

    out = base_binary_ladder(n)
    end = next((i+1 for i,v in enumerate(out) if would_end(v)), len(out))
    filtered_out = [v for v in out[:end] if not would_be_duplicate(v)]

    return filtered_out

# Returns the set of versions that would be looked up in a monitoring binary
# ladder where the monitored version of the label is t.
def monitoring_binary_ladder(t, left_inclusion = []):
    out = base_binary_ladder(t)
    filtered_out = [v for v in out if v <= t and v not in left_inclusion]

    return filtered_out
]]></sourcecode>
    </section>
    <section anchor="combinedtreeproof-implementation">
      <name>CombinedTreeProof Implementation</name>
      <t>The <tt>CombinedTreeProof</tt> structure is designed to provide all of the information
a user needs to evaluate the algorithms defined in this document with as little
overhead as possible. The main strategy used to reduce overhead is
deduplication, such that the same timestamp or prefix tree root value is never
provided twice. Another strategy used is providing data in the specific order
that it's required by the algorithm being executed, rather than explicitly
indicating which timestamp or proof belongs to which log entry.</t>
      <t>As such, the generally simplest way to process a <tt>CombinedTreeProof</tt> is for an
implementation to execute the algorithms specified in this document, and have
the algorithm implementations call functions like <tt>get_timestamp(x)</tt> or
<tt>get_search_ladder(x, target_ver)</tt> where <tt>x</tt> is the log entry's position. These
functions can then pop the first timestamp or <tt>PrefixProof</tt> from the
corresponding field as a queue, and associate this value with the log entry <tt>x</tt>
for the purpose of deduplication and, eventually, evaluating the associated
inclusion proof. These functions can also evenly enforce the invariants that all
timestamps are monotonic, and that if there are multiple <tt>PrefixProof</tt>
structures from the same log entry, that they all compute the same prefix tree
root value.</t>
    </section>
    <section anchor="log-entry-maximum-lifetime-and-the-reasonable-monitoring-window">
      <name>Log Entry Maximum Lifetime and the Reasonable Monitoring Window</name>
      <t>The log entry maximum lifetime is an optional configuration parameter that a
Transparency Log can define to allow pruning. Transparency Logs are only
required to retain a logarithmic number of log entries that have passed their
maximum lifetime, and aren't required to retain any versions of the prefix tree
that have passed their maximum lifetime. This prevents the amount of storage
that the Transparency Log needs from growing infinitely over time, which
naturally allows the Transparency Log to remain operational much longer that it
otherwise would be able to.</t>
      <t>The Reasonable Monitoring Window (RMW) is a similar but mandatory parameter
defined by the Transparency Log, and represents the general frequency with which
users are expected to monitor labels they own. The protocol creates roughly one
distinguished log entry per every interval of the RMW, and these distinguished
log entries act as common reference points for all users in their monitoring of
the Transparency Log.</t>
      <t>Similar to how the log entry maximum lifetime bounds the amount of state that
the Transparency Log needs to maintain, the Reasonable Monitoring Window bounds
how log users need to retain certain monitoring-related state. Importantly, the
log entry maximum lifetime, if defined, will always be greater than the RMW.
This ensures that users are able to take advantage of the common reference
points provided by distinguished log entries prior to the Transparency Log
permanently deleting them.</t>
      <t>The log entry maximum lifetime and the RMW can interact in somewhat subtle ways,
and this section hopes to clarify those interactions.</t>
      <t><strong>The rightmost distinguished log entry is always on the frontier.</strong> The
algorithm for computing distinguished log entries is structured such that if a
given log entry is distinguished, then its parent will always be distinguished
as well. Every log entry in the implicit binary search tree is either on the
frontier itself, or in the left subtree of a log entry that is on the frontier.
Given these two points, if a log entry is distinguished and not on the frontier,
then it has in its direct path a frontier log entry that is also distinguished
and to its right.</t>
      <t><strong>The rightmost distinguished log entry is never expired.</strong> This is obviously
true in the case where the rightmost distinguished log entry is the rightmost
log entry, since the rightmost log entry is never expired by definition.</t>
      <t>If the rightmost distinguished log entry is not the rightmost log entry, then it
has a right child. Say that <tt>T_i</tt> is the timestamp of the rightmost
distinguished log entry and that <tt>T_rightmost</tt> is the timestamp of the rightmost
log entry. The right child of the rightmost distinguished log entry obviously
can not itself be distinguished. Through the algorithm in
<xref target="reasonable-monitoring-window"/>, this corresponds to the statement that
<tt>T_rightmost - T_i &lt; RMW</tt>. Since we know by definition that the RMW is less than
the log entry maximum lifetime, or that <tt>RMW &lt; ML</tt>, this directly implies that
<tt>T_rightmost - T_i &lt; RMW &lt; ML</tt>, or that the rightmost distinguished log entry is
not expired.</t>
      <t>This property is particularly important for the algorithms in KT since it means
that, once a distinguished log entry is created in a Transparency Log, there
will always be at least one unexpired distinguished log entry that users can
inspect and use as a common reference point for monitoring.</t>
      <t><strong>The Contact Monitoring algorithm will always intersect the first distinguished
log entry established to its right.</strong> The Contact Monitoring algorithm takes as
input a log entry that is, or was previously, to the right of the rightmost
distinguished log entry. It computes the direct path of this log entry and
checks that the (newly created) log entries on the right side of this path are
constructed correctly, stopping once it reaches the first distinguished log
entry. The claim here is that, assuming the monitored log entry doesn't itself
become distinguished, this algorithm always intersects the first distinguished
log entry established to the right of the monitored log entry. Equivalently, the
claim is that the algorithm terminates within a bounded amount of time, being
roughly the RMW.</t>
      <t>Assume we know the position of the first distinguished log entry established to
the right of the monitored log entry. Then one of the following cases apply:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Case 1:</strong> The monitored log entry is in the left subtree of the
distinguished log entry. In this case, the claim of this section is
true by definition.</t>
        </li>
        <li>
          <t><strong>Case 2:</strong> The distinguished log entry is in the right subtree of the
monitored log entry. Recalling that if a log entry is distinguished then it's
parent is also always distinguished, then in this case the monitored log entry
is now itself distinguished. In this case, the Contact Monitoring algorithm
removes the version of the label from monitoring without further inspection.</t>
        </li>
        <li>
          <t><strong>Case 3:</strong> Neither of the above cases apply. In this case, there is a
"middle" log entry where the monitored log entry is in its left subtree and
the distinguished log entry is in its right subtree. Because the middle log
entry is a parent of the distinguished log entry, it must be distinguished as
well. This is a contradiction, since the distinguished log entry can not be
the "first" distinguished log entry if the middle log entry is distinguished
and to its left.</t>
        </li>
      </ul>
      <t><strong>Assuming no clock skew and no Transparency Log outages, a user that performs
Contact Monitoring every interval of the RMW will never hit an expired log
entry.</strong> Each Contact Monitoring request follows a path from a monitored log
entry to a frontier log entry. The frontier log entry, if it is not
distinguished, becomes the monitored log entry in the user's subsequent Contact
Monitoring request.</t>
      <t>As a result of this structure, each Contact Monitoring request only inspects log
entries that were created since the prior Contact Monitoring request. If the
rightmost log entry's timestamp during the first request was <tt>T_rightmost</tt>, then
the rightmost log entry's timestamp during the subsequent request will be
approximately <tt>T_rightmost + RMW</tt>, and all inspected log entries will have a
timestamp in this range. Since the RMW is less than the log entry maximum
lifetime, no log entry in this range can be expired.</t>
      <t>However, clock skew is permitted by the protocol, configurable by the
<tt>max_ahead</tt> and <tt>max_behind</tt> parameters, and some degree of service outages
are generally unavoidable. The maximum lifetime parameter needs to be set with
sufficient allowance for both of these eventualities.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y963obx5Uo+r+eokf5IYkBYVGSnYwcZ29ZlmKNJdtbku3k
y2TMJtAgOwLQmO4GKUZRnuU8y3mys65Vq6qrAUjWZPY+39aX0CTQXZdVq9b9
cnx87Pq6X1YPihvfVNfFq7Zcd5uyrdaz6+L7tumbWbO84WZlX5037fWDouvn
blM/cEUBX31VbfqLB8Vd5+bNbF2uYJR5Wy7647rqF8evq+sehzveyDjHdz51
3fZsVXdd3az76w08//Txqyfu8kFxz8Gk5YPi5eNH7qppX5+3zXbzoPjm8Z9e
vXj47cviJ/isXp8Xf8DPHQwND81xGccF/FH0Zt3uslpvK/xOBhns7AYun6a/
EY2Ln6/Kegmf6+L/J25l2rTn+F3ZzmC7Ny76ftM9+OQTfBQ/qi+rqT72CX7w
yVnbXHXVJzrIJ/jyed1fbM/gdQLO1bmHzycMs42HdlEsAd5db6ZK35nyaNO6
Sd7+ZNcBTC/6FYzvym1/0bQAoWOYqygW2+WST+/GlwCfebkuns+e18slnNIN
eqISqJzx16vZir/9n+f4xXTWrG5kBntSLes3xbN6/bpq43GW9NkCv7dDuHXT
rsoe4PnAuXq9CH8VxaPvvn36zcsHNExftucVgEehU23aet1P63LW0hncvXNy
/5OTO3fu89OC3zJC8SU8fI5nPkD4viker+fFD13VdrzgORwEIDiMd3zn/vHd
39CHHnz077jg7T6Hk6+WZfFyWjyH/7Zl8v3Dsm3WxZfLcv2666t6nXz9b01X
bS6KL5v1uiq3yZeP51dlOy9+mhYA075K331ezy7Kaln8G3zfVtV8VeITLx8/
fv6s6rqDYfbbTz6785sIZDjEEocoXlazbVsheI775hih9Hg9a683fTWH7XZd
SRC9Aqws8AW4kNuuT2D42+M7nx2f/HYXDAEjYKzi0UXZVSn8Nk3TXpZl8VXV
XWzK9Tx94HF3URZ/uGi6i+SLr8v2r2W3rCrA63J5Wdbw/Xffv3oPdLp775OT
T08+jWAjIxQP18V3m75e1X8DUAxQ6uU1HPYqBsTde8cnd44FO/OA+Lftsi6L
Z8OT3gGg0f1/U6+KZ2W9Tl94Uc7hv13xqN3+rXjewIIbeOJ51b5eVncPBs3J
J/c/vRdBhkf4j7sAm+JZc3X8DPaNsIgA86w5zwPnBG/anV1Y8qftetYAtn2d
XpNvaiBdXzcAAbgB8yEW1K/L4ptyWc8v6vW8Tr5/WW1hzH+r18WfyvX5AFTL
7awsHs7L4vtmg1f75ddw9l9993R6cmf62Z27v/3k26cvX02fPP3+5fTkt3eO
7zvnjo+Pi/KsAxo865376aJeVkV/UcE1AhgUXXVZteWyAEJfnsGpXgD6KKHu
CqB9RcWXDf4Dv9JlA5I7cS1QF6SKy+tiWfcA8qLsAcD4ZQFoUZwhop/DA2sk
aB1dXHh2XsNK6rNtjxcVlkHDb4HUuc0W5p8hH+V5u+3swsw4LR52RVm0Vbdd
9hN8tavMSnEvzQIWALIBcAV3uV2uYWNnuNmmqMrLqpu3zWaD055dFwALWBou
uZwBD+imwztT43Q6gcMVRWvvqnVX0yC0wua8LTcXsH7PMABIvAcAhtnbBJ4o
SndVAqG/KHvYENyxM4BMVeOpwIxwIuu+g8d6ZE64GNgazF711Qw+p7fqvmhm
ANIWjovGg6uP4AWMg21P+dRX9Xy+rAAFflU8XfdtM9/OcFnOPR4cKQwDvG+1
XdczWjpsr72sZ3At6dTgAzwrPsWiegOEfn2OAI9ODQG97vAJWuOKCDINAcx1
DROsF/UcUaRcTounPUIY5B+YcQlTlF23XVVzR6/K7Aj+S3il7eBl2Ous5y3C
qLQeOzm838zqEndC9L8qZxcOEesmfDebNVsgGHArrxDfEX1gcvjfuumLcgmH
QbyiAiQbzC0A7xwACD4DuRGmgPNYwRWe1c0W1gb3XSCyb1VlwUtysiT6tNn2
+GLdFq/XzdWymp9XE76iiKnLZXOllyWsyeA0nI4DQlPUqw1AqlnDbLxmnApQ
4RXuFURjAC9MOK+6GSBxZbGbH6/WeF3wc5JY4XRphPRc4YQqWhZc80vecQfU
qbisqyt855CDKRrcXgAD3L/HOAPus0RE6eCq4WppUAJBFxbDN6G4uoDbvl0z
dUa+FyEjLY6IULoABrXMjNdxTkhPU2+anhHUnDaAENkSTgsyIl04f8WBssrp
BWACAekBM0A4gNuKB4PfMopdVM4/hlhzhqNuls013j/+ewGrojv99u2/PHzx
6Osvnh5/NY0FaZL2EQRwJO/eTfF+P2rWl0x8ecqvqkW9rulvRICK1BNUVjpg
jD+8fHVjwv8tvv2Ofn/x+H/98PTF46/w95dfP3z2zP/i5ImXX3/3w7Ovwm/h
zUffPX/++Nuv+GX4tIg+cjeeP/wTfIOrImnlu28fPruBG+wjvEQCDmcLECDC
B2QQD6zsnCIsAeXLR9//v//PyX0Ezosnj+6enPzru3fyx29PfnMf/kCs4Nma
NVAL/hNR1pWbTVW2RC6XCP5N3ZdLoMdAn7uL5grYFtw4gObRnxEyf3lQ/O5s
tjm5/3v5ADccfagwiz4kmA0/GbzMQMx8lJnGQzP6PIF0vN6Hf4r+VribD3/3
P0D9qQqQhP/H75FF/AoUbWCp657x+hmQsy3Q2ZR8wCUkPC5ePXuJvCq8sZQ3
9Dju3/8MjoOuKx8goT9w0C0hLpIKfxeUVUwK4K4wWcWUua3+c1u3TGNgYnyl
LLpNNasX9cyxtt20vR+HZATkuRMkhstqpYvDDdCI62qGU7U1oMYadBRcH42z
qnvnGRbShnZORLfxm+U7T5jFBB8kPLjXwPMvkKcgJ23onVUFBGnugMQCI9vW
xLKJ4mw2S2GvhhPF0gNSna2umbAOSUQDQrOSrh2AlxVach3IErBBYt91f400
CFhFX1csNyF37lEynwP2gyLRkMAFQuElyJsVsknaW+BhPP2sOu7qc3gON93M
+gqI6aJBWg1Pnl3TccsIfVctF0W90IVPi5+QeM8rBtnEjMkj6Uz8PnELZD5r
dwdZ74kHTVv9FeggEQpkyAgB2sU//vGPol+izSEASnCveEtS9Rb2/Ftdz+f0
ESwS+cot+fC2PIn/ZqDoFHfQ8IRDvH33efzNyYPiFa+Vv4Dv33kw/u7V7z/H
BSGdfgWKMRJrHoeEsYdDjYRET8AOQHOSYEErKYtwc1i6Kjf41NGyPKuWx/Aw
WrPcpqzbIxK4G2DJ27V/aS6DiEBaJngXOOcUrj6MiOIOSFxwv9Z0SZD5Fiy9
LWqYjElsCZfoqpDJ+XrSenAHs7YinkuCGIqnhI709c1IKuAzZgGqg7P75hVT
GdgcnMSifgM3tKp4Vz0y4hI3T5L8Ajg0CxQRGAoEg4PnS5Jq655Il9xlXQFP
i/cFwSlvghwCvwHu6np5BQ5XoEucID7TxtsGSAooOxeezZNIjnPB+6BRrTas
ZOGyWVCHA2vOabijaYGM+axawwy9l5zCjkk+FmEf72DZIdXqKmT/hBYyqUuG
gAkG7yPFkgHg1jBqMfWDP5ExgkaA/JLW5BJ828CNJtEMTgbgeQaUAk/Hz8OY
YFbOyIE4AJyWZPqqOJI353yaKpcCTSIiFsRSfBjJExM34hJ+YIC9zioYiPuP
Rg7rnuDhlsVFfY7WINBUp2RewPFmINaBFHAOcmN/sWJ9k0kvbJOWS0II0BJE
UZqIzppwplNA0zLogFnPrdfu7dvoXh1bes6iGtAAGLheN7CRawACjSESLw58
tAZK2x1NmLOwGFsCOe1pZySlKkM5ouUcodKCL6GOIkokollVLo6Q5NaEovAE
4G+9nLcoDzX0CJGc3j5kX1/0jl44kqdbgGPPY9gpCRJHCJ0jJgCMenZenqeb
kJYCiHhkgWunPwNC71dJUJdXp8W3CBWC9VFXnyHL6Y5cTecAd+KibI0mwi9N
WfA9Qswie3HfyQpp5aUSUvyLr3SAj15n8y4qu/YhBMFRtz1j2mR23nncELRg
VpiMBSo76wnbJcikvAa+LQzQi6qcHymiyTR+RzWqwrDN/kJmJuS0B1KtNj0a
ZrpeZGF4an0tjNQ8CHdnjW6Vtb9tHiZAIhmQcFEataoSiaJP4WuzDqYbcMfN
oux6ZEA5uiLMapQyWi6+qgfscJjl0g+ANhE6KDPxBK0Ry+1cNWSEhMKpA6XQ
Hg0Zlc70lOaoIrHkQBNsV2cAG3gab47O1yOAUDbq+O4id8Yr69wzpUPClKxS
WLO5ZHbRNnTP0cQBswdjAsg3yITnIFPR+aDbiYgA0S5eFF3B47MSxLtZBbgA
JK5EzoRzopxmP8D9HIVH6UYhtP9WiRkLKTid7lVD+IAEDxGCz9LxUa095vJ9
wAUw7aOrL7DrEr0fZ8HLYJbj6uHyYU1kTST2ytNOlN4ErMLl6jtEphBHaR16
coqi4Xlm6u05ytv6rn+cngVNfwkiKWG7BzHJDvQuWVJUFFQweCxHzVAvYPEH
utGloqo7XZ8CqKpVJwYbBvd2Xf/ntioiCETHFXirIn9XuYoVFpSNZE1I9pD9
LLtGTDQGemq38oSzTA6MybcIw2XZXZ57oTX774+7v/577uvpsf779TTz/Sf2
j38fPvDHvVP8fecTOP2v4f/TsSfCAv49/8Qfc7/bJz4xb4bfzROfmMHN7+GJ
P479dO7pel69eVAUd+iDE/p5l37eo5/3SW94+4CdGl/ceBiELqFLJAWjFVow
5sY7S5rIBkTmVSNhgGgHby2rQOgAz0CalXsAyOWIMqnATMh0vGrgbTRNWunH
sgY/rKAn0ZS+CXdOLtvYnaBBTte/PjnVvfyzMBcRaB/yFofgb36uv+97KIPF
g4dyiJw+lMXlIgZPHp3p970ozb/vx2uZdD92089PExx//KZE2w2iGbBdNFOQ
ZXbNGLpgPKlx6OJTFNMb1Zsu0Ri/vHbzalMThde7Mi2+O0OrvnADsgsGmaJR
eg/Dep7gtTtAYP2bZmcdkK8Z3xdUrVhKb8/qvkV8Jv3Ji+kkpYu+DBR/gVYt
uCCwCFBsKnLhoKrauRu4YPimravuBkVftMqN1P7GOqNYRfAq28uGvGfpDc2k
l8pd9RpSUGAyDN6LtpaElKoALrZLXg2pzCB148bFIcEMCOR6EMVYAQfgLbwW
A0eyIirgXRMlQxOdMPjOXLVjgABD6sg7AWbXB4w2NEOIGQXU3jc9uur0C0UU
r/Ejnuqyybg3mBiXBqrvvF7AcTGOdPUKo26MA1JA4+QVQjKyCwqhpnMI4Gfc
49WL7oIiP69R6aPzcgeay2i03h5//Na6WR8P5B/0cVXVnC1ypRPNnzxg7E6C
Mc/aqnyNJtKrtdyL3EBy01y3QjWl6483TYeSuhWd07fYGSFI0uUXj1I+mnAQ
tQmDydmjCyWHzwy+rsi2BFJea+aLtHQGLjoQ18UVSXyk7lyhrn+GSMzLncC1
m29nqjCQkIxKxxZoBF3Mgs1eHYvZ1ulcrosExVmQ9sjsFT7ess7BapGLrQeB
mKEgnoM5yHVt8xrtpHgyaOFkF081Z3WLV1B3wZ4DM+O113lpCgZ435xXJGt7
bYsXJVBDf/6xt4AExLIIm1vgFQm9jGF8ceGkZq/ZisKEQqBXAHBBkPVKWowI
cF3/L7vPLmaU3d/64+3syuDzfxK/lxX8Qn7/dAkXqg/mvuElA2xvGMclZoLw
+q7lHi5SXg1ti2mPEJVwCQJ+85g30e7tDRqdygjsJWlf8xWDfZMAQD4M4uZd
n3iulXdMDCErKXRiw/4KoGokNLQVe16YZcdXzii2gdgO7+AtjoW5qpdLERpA
002sGzcwINK/cuO2MTdH3NDex+KhG+wHv1zrNv0iV6BnrLbAFateeZtuQzmc
U88bxTcypalGiEHCzNWmrcKZs0NHx6rA/GeSEv53CEHhf0OyEl3kPYsbEpfs
QvMkRj6fHkJp9PN/P0jByC1jB+UZPr2TAqVPj6gcDMc///Ev/PNgekQ/P9tH
lYZ3G65Zf1VVIrYyTfmUeCD9+hsnCjWKE9WMY+VEfleERbeOoQjlEiSx+XUw
sAmmw84mRceayPvStaDoCAED0EyLL6/FayLcvhOqaVemwXP2snq9yF5Yh9QC
CSIHEaCzhm2k3xvPzcB3p9Bjh5bECrHdvW6L4H3EZ1VI8fsrz+pl3RMtqRaL
elazQkXAUZ0gDOy9fWh1XTYNgmG7cT6mDOjFY3IiqkGElRHri2srsQ92JgQh
9kOG+VBrFK3viuItyUVpVTUzHHlqZSr2+aDN20KlXjvjBSDBTD3sYqtnjKEY
u9UKvZivss+X3qrJNlVS+FRB6Qbzcige+VZQW5Q1Whd/uUZTUS3hAncKUIB1
y/kVhxVYndMvwX3IEgqzhBNcgtj/vVOEQi6Dt2VioR+cJcG7pifPUjYOc1N0
5UMAdladw3RiEhuAxFhm32cc3dfDCCklZIxfZXB0fSkWkz5wV3Z4wd1aAdHw
US0WB9iTVizqFo3otdoJA0YDPbijBvno6NI30fZ/IrocG+dRRtpwLMBCBuiq
GcYVEGz6i7qVX3GJXYMWmS0oOktWN3kN6ikg3ynmpRTBikDbu8V3Z1Vec3Dm
NcX7UEBdq/63ukWd2m/qtjhCI4MlyZfl7HVnXyoONKWPiBMZ7hzEhzF2zP9i
ceFOOvJJ9PVAOvj7jq+nuIDp+AM5ASBagP89mmUvqx/n799U1w9w3Dt3Tu4U
+OOkOME/4OfJCfzE/7gfka4+oDce0s8v6ecj+vkV/Xw8sJpHlyYxnIvBjRgY
msEBMY6ZW2AUCYvtkT2cRjnTSAwcB+7LIGSMPdFtg1Lv1D0VRy7jXorFgoAa
CyyOHMBNc9EmxgaKd6zDCLdrWZlI+Z62UnIb+lkJbYudszu6Q3pLrtqGgtv1
jsAVWZPndMVOTmNvCaoRL8LfWVwnj6p+9OpNzSoSGz3IOLNuCnQekNje1cH/
yICDK1ghFaHQ64njsa+QcSIrjWkV3Vm2znVerFBpxdCwdDWGFByoMexSF3bp
Cr8+XEvImB0Gtz659jz93gXxhR9+Ej+m1374SZ4Q/H34SZ4c/H34SZ4o/H34
iYryljTcOXkvAvGEfu4iE6+sPmwpRrlApRqlDDGNxSTigSzl+PfFE6IiiYne
SJUib0g0ZTyMlRLC2y4x8JNl7oMt++4WMTwQEtbzY7hvIhUjj6ZrLmNqBA4G
4q5v9nxhbnNwaGoAHbd6BuvjJA0h0f05us1iiWQphR401IqNMQ/J/rhjbhfm
RonwrK3n5+RUiN8gUsHio5JMdPsI8UPytp5HMgJHJMOnITiqtxCkRQcbMJuD
mRbhsfFAjuIqn651CIwZ9VaqHSZctdnG5uKewnaM8TayuxbvZXeVsKJfYQaB
IFIa3lK2IgaRPnhWzUoMxR54gLwalnOggD6EIfbWqs+qS08b9flibQUSqsZm
SIQhPoh6m4nPgFuRenFCQLUPEMTl3SQR0KqIXlgWbuvQuL5sSo+2aGNvxQIW
KbBkv/O7pKQ2whKNCBdIuNQLRo9mds9n1G9bhLqMxWfGTnhRT83WauTtKNZ6
a+Au/Tf1ibmMFNQFlqtOy6GLjNGOPFo0JvtZiOmT9ywmRGkQ5llJCVOY0CJJ
ne/eTUaDdiVUllTFQVx0MAoQUGMFJdHYWQWJ9kwh02xUTeel6Hijvucih92e
yOFXDTuvQqIS5ly+1rDhIniqNaJ4YqNogzYIWIDCZCGOsdQWGrEmT1fJRBDC
juFZIusSakbx3ZjcOS1+wsMko8OsvAS1rJNsOD1Ak6LRbTeYXyHxRTtvuF6C
+LY5vW2AJxTKhBBTRpc54DhrQwTFZf2aUxs5SwEQWeNXJLIuijzmEKlVM0cD
DQ8TAb6wodzIK12giiHwc7uZk8JqKKYqsyGYWw3TjG4PKV6yd/6U2DPMdD4X
4s/pqpLjQtrFpmoxiJBMVNsNGX4CKxEs6DJoMC2+OuQxoio+hl9zNAqNOrgW
bx4b4MzOEYF411kxuSn2/8OU7qLxonBqly7029Suju9ZjTL89sUXv0/ESfpn
BW6QbD+J3kll5PjbRBT/d/fJz/gPH7j16uf1pPgefgZT/di3+NevT/jvX5/c
TnVRDEjgAJfqsllu+8TJIb72XSR16jhHgbRBf3asg0VkPVADWEpKETQ9A6NP
VVeKDJ4+twE3QnLtU2Q/FIx4BVQBBbbeCxwodPn4FxNLO6C0nZAJiTFDJdcy
/RRlvZU4uOdNlIzREMduGbJLDkETP1sDlIQEJZR4NW13QCEc3MUA3Tg2IUvQ
ebmcUGFZ8lnZIwHk4Hf6A+eO2JKhVX6OdCvM8OBloG8O067oFZoBExxISGyb
7fnFhtJRyzVLaCEC4kpiYNWsP6W88B+QzuGCfqyrK08zWAR8qCm3pPWXsz7I
7wNAk08C8Y1zLdkZ2RHPXV8bIuaxqurUaIEoW62DMxGBrslABaFccB0CdXSe
u55vS1hGr0G+XsCV4Xn/Evil8dWSVkwbEb8M5glhWDTwHsBqGLAI6XEPnDtG
60m4DF8iTnG6KKuF4auHE7F2mocjEy/KEAULWwaHEQ4PTSCIudX07SAU00Zi
wngPp7DGh+j7NW8JBWkJu71N2N+wME4gIAD+hwUXrKjY66JAzT/85YS9DqsG
rlizljR+EH5bTDSi2hWeAHVikmebjcD3moOTjFvYVg/IohnFQDkmGJqCJOSP
DgMPRgxyJMMhrkwY0WAuvgIso+FZDIaHd3hsoM3IJ2eV6tN43qu6O6tgy3XT
ioOFrdi6HcfLV583nAijqqTwpFntSo/ZNwSoZzgBUSBDpUm6oDuF6aB1N9t2
Hcsg7PCXLCoQ5XhKLdrg4ePCUXBK7gx1Npif9cuGELVeb+k4a+D1ZD2EXZU0
ByYEsmeTAvBktVEiFGk5r+sNb8rbRlE06cpzeIAkaRTq8HszgvMjXKH0oXyJ
cmxJ1Qx5/zKShmwaK8mQz6DTh2te+EgvylaQHFjAvW7Ll69EsvJ6iu5KcY8M
MHUScNJm15nEuYnP50e2EtsjMq7jkHzg5Uc7e4JZEw6mAtLgLb72su+8huYS
TlTY7Jwv90KlTFAZME40k6PthdybnSfUbC94usJsZrhoX3IM90tWn5h1PF33
25o93hO1XlxW3UDQEZgRfOYVSsFwGEuKGGnLa+f9dMYNb0LGhSuH5bJZnAIz
NdlTZiIzjpuz3XfLZW5E/F2Us96bI+jaGpObJrtcNTY69v+g4JJMzNro4j5G
cMkOh1Y2vqR43xCT4uB49vD7e8WZmMf3RLjLYmycyQlFmNyj2JJPi+KzovhN
Ufy2KP61OLlToIn6bnFyb+CesmkQgxSlk/uWqxPPu1GIlbnWSygjqIcn8XNh
lpKO4cuOUHyYq9dUFSjEpnBkvVxUEmUCkxWpYsesTkzU50TFkYKazLMJBopt
MTa6EoJad1KnTQRWH42rUSUq3xen9c+0mC+Ku/+xAP24vQVf3721vn27OC5O
TnntlLRqIp/3LJZzDWFCGfwUeMYUqIp9zWVeIyMv0AmfsKX5LxQZ3QoI/Z4o
JZFDCWwe3XstcH3MSzw+OWVS1iwWnZZJkOX/GsHwVDN+tESWSg24YCp1Azgg
cdS6QidJk1RxMBLCwtEb+YGCIZXbIBWtMPVxZm3PcZmPnhO9w7YumuXc6G7C
4cmCrdqkmdFFknwdgKpRGQagAZsw1xAt3150pheCHKS2nnS2Ysds6fk5RvN2
14xFMiPHN7QohnRy7Z40UuPJEaSSDMFIqhRIlWstgmSE0gJ4++w11bypl5Wj
oMz6bypSGJ3ciA4iV/hSAHQGXAdEkifIVjHxLDoKdrsT9PCnQLUkEwFXY7Jx
C6n8IqW+ihtcluxG0CROP73zyV282Z+eTsJrXmHl5+6dkBAs6pHz6pG6nxWL
mK7s11jxXoT4VtSjfYRxZbEd1sdZ05FSdo5KnYgNaKaVJbrgA8fHSSHHonfN
liprATbRdQ6lM2inGAVoyu9RKS4c77N7ojb5Ojlp7pC3QRwdAa+Auav26MhI
WVpFIKQ7u9K4gsL1Tuq2xAgv8QdeF+QP4DLF4QnD4J2s6lh37MRHreaHzgrn
rgqpX1k04zXoTmMMQW29OL13Minu/wb+/6+nGNQn46G7lbOPjWFmDWh6Xvp0
h11kmPwI5NyRylws+NdvjvWtY378GB/XOg8Ptb5E8fZXbE8+RsXv2NedeKck
l+OWeXNKC0aqjC1LRDsNqiNidfOyckKv5g+cOxHlNHDSIG/f6pXkJiSBxfO6
V6mhmt+eurs8Ui4qXQYEFAHMs6HlR1LWJPqQDM8gK+GruRwSCnrEiyysiUom
+nSdVVWuLXPB+4SjrcnMgrr1mm/oIGfJp+BpRYh7IifYq+wdzopXU4nsZ3qy
Kl9XQFkrJpdNlpiI0aucX6LZqKuGoszw1JTFhPCcAYnyvi4xDjn1SviR0CUY
VFUOCM6pm+qB9FosRuiE9WQS5XobDAECGxVsJPMWGYBt+LHzOMvmshB7s+NO
TaKwYlPQwaAYWaLILxFSPk8RrCQFsbOC/j6Nqm4widWz8KWoCq6HyHr2vEos
5OprGwi7dmlXF1jyixYCw2H0wRj/52WhZe6VXlreVxdjHydt1F7TRqjJxfLo
WDwBNQCtaSgc+PXFAOQSm3MRtS0yBynLPA+j+YH2kvkiT+Y9JF2R8kyJp+gG
ds6rarn0gqbN6Akml3Aku+AbTagutxy3oaumeSFG5qPDNk4FO+1usQ7tO5tW
jIC1ZHqqYSUYq2R3JaoxJZF7EJYDxZXDztlzbkbCNizYG7o7Saq7amQedszD
VEsJRL+0ZnxJqwcME2ERBV240Ut2NUylGDBDhz0ikhmdgaSVZAPn7bbeKYy2
eULRzbYF4l0FWyR7bRMLdYbu0l0JdiguQ1V3JkeqYXLMRk/0tho3p5YSbGyY
hghQA9LK0lBHoJxvOc0D5AekkYsShFwiiwh7/QSE7FrLTZkaXwdBC4ORz6pp
kaA9IFqQI5FLLRuUj2fwn9dqe9c5EMNmVS1pIciOrn2aKuzxCSCpEX+JK3K+
sErCts7OABpn1YJyM2CD82Z9s3disvYMwLCuJpDWEde2RKZGLOKQk6cScxIj
Y0JkhjT64Btq7nt8TtFtR7gosZesuTMswupxS6oIm+Nh55lYPp/hDW4xNv/o
SBjdkj4CUZzKwXQsPJDqRY79CQJHLNP269omortMxBu8KaFRIQTCI1wS/FLp
RWQLebQyEOdoznm1EV+P8B+QwGcsBII0gCxQ9AdSUlQGZgsEf3ZeYZltNDmj
/0a1GDYpExR1ZG8RylQLpMR5CjLkWGatbKDlsYwfFh1d0VZYBcT9lMGJGESS
IfCF/uNGUTWrOBy66sZX6cIqORSyYzH7CTKsiX/09M1pyNqUIog+2cjLK29O
GSlQSKtmWza9oTgrbtyoVJO3lxW37kwK0G3uTQrQbqbT6e2QYuGzK0LSBAzH
3HQkapLRD/V8kPG/Qz9XYMB7XpkEG7yIcxQ7RGbEiqrd2wjsATxNOB85/bXk
rxSB0PgbrWdJSsPgDcns0LemBWVvAfZs9ADiFcraOxxOozhtJGvTZnfNuH++
9Xl2MpxE5+NoLBox4NHp6EPrhxYUSZTZdw8KvQcc0OYvgQsyDQJD3/5MLKlB
FzaWBPVwePk87FnrVKCo5kOGPI6VWXiYZxELSRtQw4E7u06DbZPBOTXyM3Xa
DK4lF82Cu+AjlLriMw0SyOMRX8aJzxwA9SV4j4fuXQ+j7VpzGzlg0kbsDmfC
imnXToqp+/4JUrFyo/o5uuCAzzPv8yxnuM06xFPA1Z84W4ke36B6spivRk/M
vNiAg6sMYFMyYmI4cXHipE1GoQ4Guk3DkLkjgXKUVLbIiU/AbOLHtO6MD3cw
cqG1Y/SNS0IkgWnNa6kN1Wz7GfKNoIshyIpbOy5qs3ARp5BDu60oEUEnZxGK
a17Y4LnoUp43DKSYi47bhfi5Y36ODEIgL/xBUOv4R0Et9pmqPsTxgFfIPkNw
sYam3yC5BRFg3d/QdfqEPEVaF77wG5gWL2uk8Lyb5mrNQvk5wstaPQVj06GY
vGvzBe+RjSIgJYI0NBAwzUFIGqyw+HrbUOpOY4IDggFMYsp3muFI9Hn71tvc
BMiR6Q2jeao3yFg1kJG/FrIzEqJBSpL6H/x1cepMjjT2KLxB678gbCdxr4ZM
dIk78/EVWBg5GCM9UeRiuEEHIgll4cUTrJtZbTg7M/FmG8OAt/mivmdVYUpt
NFiAkpPGnyLgGAJ8LejE15i8JkUP8YgnxgFBUUURjEVpcUHOHlliKM/v3Qom
WL2zpW8xLcBpTEhXi6iyZgvri6rEfhdIy5+HsJWfQFFrrtyA/qsNHMm9qHyT
pARXwbb07LiOxwWh/taL5z/dNmBmVYYMCTMxVvF3WTTwErPj1P8uPhMTBhxC
cbArwdFXFpiwjEinwsgZtE6th5mI3tcUKh4DIgKmSn8avfocQKE+C1KiKi3Y
SSzrEquYshQDEBBTM+rjJfI0IKMPbEjWZKi92YAtWJwmKoVKzkWx9wVCLpJb
nxqrj9W2SWbuxR0c25NiZ3M4Zpx4gEGTIM7R4x56IDL3ElY5wVCqZWmD1igj
CQeMXB7xTZD9rh+gRVr2wZlM4aULCk2yOdp7ve8TEknpuCuFl9rC0U9LdJHp
E0Wzqn8CUfZBvAgSlUWxDGuY2Ici6IbQ+egA8wCZuvt7th2ZHA/YESsK+zY1
bvBMF43jJa+FHfIXCd6JpSnMX/vym9STLRR6RXkFGAwgV8frM9Wb2R+/024e
L/fODsB7OuyMAu3TMFhfoipKWs+C+M0Nf0lu0NAomN6wfnWnxpYbnyvfZ6Yq
TKPwDmnilUIucJ6/VW2jhd8lNZq5DfbSQLzM8wskcBHjZm9LWwFRDIIMEFks
NHw0Lb5mB3Tdpl/uGL+tu9e+fDpaVGHtyxWlLFvqLJEe7KWKrLmrCTfpWpbX
iI+k3sOaQ0Iyc05K76Plabg81uRfVFcUKJlfnFttO9MojBp/Ia9VUu1FFk+l
hZPt4mMoApbtnA62WbABhUMyAQnR6qnRBIOAZPW4pydJjqHonMbBTYXcj0hV
rfDIyAZRuohkCj9jC0E0FLm9SGZjI2fXNxt4aIBBUzcQ+kgP58Bg0i9A79x4
Ud/nUXaRD+1KM6bGRa7YNyOZh2ymLi+bGok3FwFqtB68M3iFHy35BnB5czsL
AKnfStBlZHEs3v5KRN9Y24BjCTKE5sip5GZiPVQHlqVRdBDoMni3o6Naz523
ko2aMILVK5ewKd5En1yhuXNIskA/MeRHXKmZZYY1JJYUl10GrsBaiSfeRkwX
NZIEsJfCETeZ1MGOfIeKmvsBIUlWo4qJcBmId5oPm+qKqLy43jifgRZ/GRsy
vS6pSp8x4AaNw3t2KEeUWwbAVWIWEVsDQEjkYu8a8p6xR9j2Wu7t20Rx5fRn
5l1XDbW0WdV/E3eJc2IBzY9MSdMclx+si/n6mWrui8z6tFE6lIG+O26pjMcb
DweLB1ZfJtHlEAgdbDZuu/aZCpOghzAdkczYirNSsYdfiKzPXxeXXBc2ZKUe
z10oW8ToCkJS2WuTJCIibMmnsA2TQbz23H9gHXGaAqCHxtYmyajfCWfAP1rp
0ZGmyqbnpikYPu1RitJG91qBRlYe8VaKSrgPMxiCcGVfUuT8ZOjZGPg0BgCI
XRxZCyJVF1rVAzTufEMFo8NSi1UOTUlzwkMhJOqcqGnWKPpKCThrV/IPktHN
eaOb2B6shqRqDxp9yHahAfijW8m6mYbbiWmr3Vt8Dd0v3l8R788N9scaIJZE
ttjSS7wB31hqBwu7IzuVF3CZyAkmDIO0zi+j2KxYnMfFCFNlt51ea591Etwh
gaaSnk1JJi6jhlNQDdlRumGy1aisIV0xSGuQY9kZvLYQ5R5hsm6G42ospdck
NDy1MjWhRwNMJJUfObnziWZnJbuwScU4YUvBd2ccB1DkWFVIiFHveiYrWWke
6GbGOEkvLUuYf75bMpkwRuD6sAI0teJhtZRwhmwKPybW0HiRpnIS7cQ38a27
QXahKJEHrcwE6VhzLJtexAq+YIdToLn7KKKWkqCVZi45pWk8XXi6HGOfVXut
NfLw9R3Ke6OFGkaDo8lC1UgSe0qyizW2gkjYUqWfzkSKueEFlyNdGnxrompZ
w05BSF/jaZ2I0JUEG0RZ2HtOPhP85yR12beGBcg8wiGBoRsr1Uqr+vW79uHC
Piz9HNgIxumNl3Ow6aITo6ThBmUsRBZv3wbD5TE8FoJi3a+KJ/Wbaj5wgPwU
G9WZX2eT39Op9DGZRHiGL9A5dLKqIgTYWa2lOUpQlmL6KVzMsbiZo0iZkirS
wStB8ujQtfUdTYKMOBgaKzJX1CHwhNI90SAR57v6JbgdE+m19igYeU2NTCbN
t9FFEfom25JEYUhWWG9FSagjJ36bWezz8g1Vh35WLypiE7mWl9zxD+D9/OGf
gp1+Ja8u5VU6kSj//+lCS12TUUD7gkbEEc1OHEiXkswXz38KgkTpmeG1FOal
uhx0EUVE5RKbaH9E56wqY6ndzcaQOq4ODgfjOdy4nS7xkPiSTowOTgo67YuL
VHKlTg4qG0qoFAzApcW+sm1JLOk5XoG3HZZy5nvTc1QK9q7vHoSQLRxC6s8q
FYwxVdwkR0dAuUFF0BnYsDCrRQ/YQbmtAdoPJ8NM3cMlgGJd2nTTJLthRRTv
rNJ3JkELIHe73jVHEQI3LyVlvtJixMG9ZQAUzwFAfhEZ1C5E4yYQMYTnKuQN
YByILJU7eNM7kpxMQ5ed8LH1WG8BsqDvhm/5bV/mymhziVc8qm2R1RXIT79d
SzV6p9nmg/QC7u841BqiChna8qRZotLpr6JibXrlUTXfUnQqn/mSSSwc4Co0
ZWfbBbZLzyVfLN5Lrl8Qh/o4Qr0PuYyRZcI8c6EUZa/NfyiYw5FkioRS88rQ
cHdEHp+SPP50QKy6cD8OQzYdJPZ2+fbdEkUaOVvIWMwXnhbzGSzm7i9QDlTR
HKgGOWk/qIcDkSVrSX1HMvJXAwNFxnSAmZVcUnW3wOcj2t7f1mM6FgWv4Xss
I2s/MrpUSA7ijqymINleSxsNLnvbJ/DfnkS4fICoPsTV98ax+x8CsREV6zCg
7bOZyeAeaB8EqMAZD7uLlpPmwPTph4Bpx1njagyIDHzyJifMqtaGCJ6LRM5H
9Etn5mNP5ZglKzcsuXjzByyAf+DwGU8qgwkl5d+m4s6AQvk+uVJVgJvW0rnG
4QVC+brtDO3MmD+HQgW8cTeKN5DoyOuIGBki3nfVcjGIOJgI6OCfeU92hCwb
uLtsatxpF3XfNdth9hTiOQhg15SuuXeH+Oi6mcho2ecl+62o2rbxmBhVOh2o
QDqcVYS8vOg+C+YEFbMkI3Vi58VIBL8gXy8U5AOpjkTIHeA2brBKrVU5dQwz
qH0QA9eHxcma0AE5PgmRtA0+RKYJkAAdn7WsJH+d5x9G9aaDi0FmGQ4nskLt
3uOUgzroUM1xerKmZn++Jk+5y3XuelJtISy8vEUfubE7i3dUJCy+EbIq2NEh
18KY3b09NhRZlFgaDac5BCg7wCFDjSn7Acf5uUfLmgpUkFr87Xev0JOJ8YOl
j3BX/IhXHCRCpif2PimKBdBQ3lDeeqTBp6M7MPa83LWwZTYFfsBEtLsDMjUZ
jywWUr0gjWDMGDAYQvciyorCIUYD7EO+dEk3O6WFNgFHo9O8zp6VovLooJR6
L1JI87HA1fLXRBGQLktmZQNRZeeyEg71oVbUOC4VrtL5eUX9OZAkf+pdvQYb
A4piIQUWWUaTp+vOfRT7adiB+yD7aXFLN046autDco6NzeyKQnLevbudWFuL
3dZWt8/aanbLQJK6jhjTM4jnGdbMMtsnPo8nhZmNbYnoxvZCZIe2JVImrQWv
q/TNpUbTmS4SnCIZypKRlh3SiLQ6dtP0O05M2rmErg/sI+OxQyk9RNjzhmNZ
TbW70thM46raHD/ktHYxr6mTkqm2VlgZ6tdxHMtNW9DOB9Ejm+RMXimP3GX9
pVEWgq/PtxnUtBO7IIYIPbOxaikCYYYpV/LzcXET3punKZsyyAG+Np/gHdaD
7ilOfk82QFxYxwZ2u4g6UWdhPEQt9FAupduzvwM1CofI38dv+SFeEpW3ZVhJ
o/a5eR7It7TLEJdSHRiDAI6p11fcK7f5GmEEHAaKkYk3Ku08uMhp2BOGpbnx
sLSdNCqYKBMvzzAz/jAvj8kPMQvPVFn0qW+dvUpELOiWdxTgXo44na9tDSga
iG/vGClNCuXYiHDngXTVDCINvSdDihx5V+0gT5ayss1OhBgkdUkzcBA5RmsZ
A8Casw6UQc6My+KuZF0nkgmpHReUfV40VH59u5ZOd5zF7+pDL4QEq77CBlvH
35dYcfXhdk6nCf8zH7vn5bo8567QdXSSNeblhRqt5Cfy1MLflqp4WbWX9axy
36kbR1CdJil4bjyJC1BMOtvSIKDdwz8JfVFvXE2leaV0waxZioBi+YJMW/hp
FQvMvAysXSGfh98t3rHL4LO+06bqANLAsUuXYBoHs3poT7mUitcHcVQKNcOI
UMFGTWl0vkaCt5VyMI3PeaRNhroxZRfVkQXJZCuloKlIUXfcLGJp4sYLJgk3
LHq8/Pq7H559Rd21+dDIL8JRyWVny1VpRPLzn8jvg0SGaZ6U3PTVfi4oh46N
++Z9r4warw57Cpz3FAxDZJ17GdcDje3+w6DKSfwUM+aw4VCr1hf8kCgQTSUd
5NHlBCLfQsDl09zjZP6dDr8yF7lKVC21PRhcUkPEePwuUnvmwJYcTIsf1tiN
obCmerSKnPv4Yo3voihIP9QudUoUPZ8SRqG/plsPa+VAFbmZSwVAW7PyyfY8
DFE6b8s5nv97BNRayQ+lNA2kNYf98YNpvUuCM/M0cGZ/VI8eLtXAMw3plyZI
NZPxykHyqulhfM0gErEeZyScx4H9eYhqk7ZHnYJYyPIuNgo4Vzmh1LwZG2wR
endwkcyiXKEhhgKbkZg94L6wUtzCwRlRxFHUZKMxUBIzju+maz9MrWz58HC6
rZRcQPjnu7ngVDq9pl7XWlMTFrbZLpn44sWAFVMfwN5LrX7lWoJnnK1oYA4V
tdkogRq5kpVpXLTA0kMP6SWKHcEmMzDYJWYVFpl+IR1QyWVfrqtm23FsiTBD
33aJ69n7V51VQLxWIqEreNZch8wDIVT6CSVqTLqyqR7jW3gP0C2+Wl1F+j2T
X4ov1HgKHhznpIB6U9KlyQRmceThV2nmwHhmHtkTumbCFfFoqWjYkVNNRD6/
GO2tymW8+CDRi0/faXjA3Sn22PIVu5qWC14va64NllgUxcL7QA2tPpOMN4Av
GdTjevfC5YeuBxXIdT9ocd0RMeo7NvXGoeFLq03F2PqCK+WTb8VWE6VkyKFJ
1ERKsOVNjLWqoVB8KeVbJcJ74seIDVMICNnRXzFJKk03GDNL4jvBJZhRGzke
SSyUnFokaeVe1dWIchLyZBHfkQifGyfk6dnwILkrQVstqSSR2OuUyQepMrI9
kb6ALVlCrbtTcvmfeoydUE1+b2XnHCRf4n5NBGPEcPsqTmmSOsLxUCE4zOQ9
ok2KlmaiLt6x0/qJXucBDKQ4Hd8HqXLEGaYNb9o74x5RknptasHHUQLxqsdD
ztWaOQw8FyLwQJ4IsRJaD2tpBovXQIpbYOIDX6ja0cv4cnk64S0VdZdnBb5r
ahjNZ57Y6gL+flquFNMvH5yC/lU7oD7lVYkDSRy/zX6YuhdYJKLfWFRw6bFa
YBKWY4HjLz/1tqTmecFCLsuSSi28FB9YYi7ZAWiTCTkvBlHnXvDgFS8tf4pD
ya0DWsaymQqaKUfxU1g3FYPHvKDmfRWChVxsRmo1lPWyey+4CJ3qvdujDXii
6JjHlxQdZKi2oma9nJJJBgc04WAImpe6E6EoNf37uxgfzAxvJk4KAPA1qhQZ
lDtoSdSk6kFIS50YWicVooYGnjbwshVXUuxskK+uP+0/OJYPymXKAkvzTkip
xY6OoNE0jGJ5bdKWllRtx5SmfZVkuTft6056rwLZ6bimuDZ6F2/WroL9JXsD
Ipt804acdOl7GcxuzMg4DyAqy3uTelaG7gXeTqzpvbvseuKAJ7yyDiZvu5sk
ZqnQPtqYp4TDRjWQnJkjaTSG91RL0NDZcG6aSTo1pWQiA6fiFmoMFRrNSY0n
S67zdLXZ9hvx4e83JKcFf2ykONd+whJmQndFpTWeH+9/EZcg9c7iAFLt1+Zs
vzYcB3Ena6RWZWJcD3AdKMwV1WJYgmBNlmLTGtbKnf7tjGoSgO68uRiFXfmV
njEb75seVhXS7pPYG6VLZDHwttWgatJ+2WymF9FnIQ4dbYola9dIuRkW7oza
G7lb6khER7MhmekGbZEzleiRajpKh2f/hxKcoyNE5UE1rwyfupa6UaRY8oIu
6k2iRaKEcF6vfducZDa2/Ie7w5XP3L4QiGtTvZOEF7kzUhfH9zbwNIuVMqsL
7dGBhDvjQ2lcra1UUgyc4oMtTgaF7qMpsQwljFaGzkeDERKdKol8Qn8anRQq
I1wL0eMhKySDaKEo/nXMcJhY5+JSmSRQ2+rSChFJkDBvz+t5CJvBbODQ21QF
2lhwoVjiWPIZz+sKlZFJ2Jc9/fjiSaYeICdlxP5AkX44qzShPRTWaOoLcCu3
zQZITzEeODwWiUWxUWVnFVA/H5uvNMLgLseOmvMZ9AUuBn2Bo669kiwb4KCT
W32E5rqXlr9k9wsaH/ummQdjlVXQHWljocTeYNS7HNZ5QIR1XjOje+fVs5pg
x3HkewPd4lqE3sQZA5hi/wAxCCHI4RslDNPTEx99Nx7UrYjrI6xpO/+kBE72
MSXu7iRp2na3C3aKIbVygVqFt9k3KDVPmGVp3ZX4/ocqHuR1cUmcu/fylMc0
MGnmXrpO/ZAsgtkyRoa14fLYTx4ZABzrJ9Tu9FoXqTbvIBNbQEnRD25NBRxK
3c/Ouh5eJevzVo/RtgwROc2bga3wWpRXJTcs0mu4w23uYgUGm3AEN3Momcgm
j9LILKbmfDSoLZE9krJvWjzEaL3xrQOpix11dzAekjw+SjSY1jjJpbeE0nGB
e08CTxzJbnlg00uGGRviKU/MeljCh1nh2Is3O2kBsYMHldbcaASDtBkESSve
tjq20t2lyII5TvKJ1Sxqs8BEDdCypkw3/W7v7Z3cxuunaQAh9B+nfogUBRB4
3g0j++/7BIiSayVhjQyW+bwPwEdA09qo54T4CdAbCRhEpsNL9pASyWZXdDRa
3WltHKSmlFJKHD3vY+LAyWB1e5VDetR9aBa6aCioNDUWFcpXU6aFxX4eMa30
qY0n9apavhsQhoS4gDMUYka2R81TEyWPmo6kwDyY8+ZR4IDCB7uFRU8BYjeX
ApFk3bRapCGxvua9kPtxHmzLKHyUGgpOw19xgJSQiT0+2r8NpQ8R/h/hVqO/
i0t4VW9mbF+Bwcr5CI2WiIhljVViSFlXyj9iLPJ+k9r08Ekq3C8aFXJrrNHs
wpXR8rlcAR4uJFuys0vz5eGvNajGm9+EZXurEsJIonsuasp63a5h0mZ5SYYR
NiuiocBaatSE0x9SAhZL9UhkeGTPkvJrRFzGAZYEeE9sMTXqwUIdC9Bgt/7r
ds1l1zw6Ja6KGTt/rLPC2ZivKgolh/vFJkc5NS7GpzFJo0a9adRsvSzIckCh
uEkiPeewTnyoCMs6ctvLLVxAWCPlOhdds21nvkqO6CC+mzrZ69ElJufIQlzP
Rs6kg32kwKD5ZEVJRE0b7FtUbl8ifAAGOkDpuU5SwljFiY5CZlYVvlB3K6Sl
nHgdnZgNsEslaB+p1VZYZ6Nq42BaoGN56W9aDKNhvYeZK3f7ApRcycTMPCgA
XndD2R0EYW9qcSS4dqOd32wCMla7oFCvMmZHURR2Rpi1lUWowQbKeRlQjZAm
Pr9uIOinLTOoixfy4qgVbI4txUWbKQ9IDkg7XxlludlUoY0b9Tbn+o7exZ+A
3yhXxzui/HeGO5q4RnRenwPf2VJ6j3azUN4+CCTEihuDZeFKEnNGZOPKS9oo
Zx5H9i7s3CqZXf6NuItDqCUylBzIWaLSgywBF7lHQ8VFPF1wYB2LzutqFOaF
aT6fVACSrhu0ijHV02+Lp/0uMbGsyt6E3WFvbbgaIDWU7NviOKm4koDa5g4D
UQoe38jIa4PWnRcXiSqHN4Qzq7wolcS4wdZpOMQMlgY7kxmHgFw3wxXsKFFF
o/leXNZgxuJIGo68x+YwJJrGsMDGYl+HfaQAREm9Ib3ZkVuQkQzJxvd6VVFB
EKmUU2sh9aiB1NHRsB2pzQaiCJMtRUJhfyEQtwDPFEsOIz9cl5b7X1IhQFmK
OzqycSwHrYT3jHTfu3d9toMzLtWJ7bSty4oLuWwa5Mlca2jYTLZvXChsHhXb
1ylGTOpFYlJ/qYq51ymSOiihHEc4laAtaq036h6kPVZzr9CeorzTtECSskzJ
PYvFonoYWLQ3kxSjWBBQanu8x7aC4Y5zeYzDLQ7K2XGxMbNH43TdFYzydBiG
wgSK8+2FUIhOSNFx82zAQa3RIWKyvct5RtZ6FtbHd5sFCwVNNNww+mGX6rkz
8iEJXpGbfRg1K6yzgjTnO2zg3ZXFKo+D9GbbdXmq74s6wq5kmIM8qSE/R0fA
jZpy6D7FFf2tVakceTlcBYv89XqowhENwvPY+DAPDNLjIz1h6y3nOJidIJ2J
RSwcD4NnKNhZ4K7xVj4Y5GNo2SQymdzeA491RP22WaZdZN16D+I97JUQorUs
xeAohKi25W7zuzlAoUpnlUkB2y9D5EQsQGq5YTjg6fcUtP89SoengSSlxWow
AN2vEd/tZlqqFmNCAWVsqv0gjkgx0kZ1p/m7jCVPF6LskUpNurqWOLDSDaeO
yMVWXzDV0zA7dmP3lSqykRWNzd+zMta2hQ8HpZsdYPkQwfsfijIDi7JQ1JTR
hAPLnZaGMCmI4zgSHK55X0+jUsxDYLmrZNEoHtCyfPjXIV6tXcpCcLPutbGh
zdnoBZP3v4zWIVaH6hfh6M+2fXgU0z98n8CoekN8FHrEZN1U9Nt7NQU4jakh
bK8m+yj5dv7/4mrm7h9J8B4B1MsWqX6oSXQS4qeSC8vCdVuIJc3mS3H45iS1
cmVsbtLHEJ4e1AfQaNOrULJnhx92zaU9Z5VkM8ZWTVJc4Jeqkz713Dz9QrKi
5g3JWm60uLPvZRBExeBDC5Fo3NnusuK+yCvKfF7Vne2MQkEBQ3cH255pevIy
YOAezmQNU07IBR8u2+IKb6kMDneKR+glJZkUbow89GNKSHp7jeoM6ZtsIhqx
EMUva2l5o2spFF0IDtQqiAe6xVU1EJ97lCdca7tatA6PVT9KhQctDk6tVLF1
ARrP02pwu3jVCKNyvyp+KpdUnDNu2/I1CPwdFcUQQrhCSohJd0RQvnklR4+l
sMjdjQreYsu5fGSclOQc+PsKZiCibJJp8JC6brurIA2GW1Y2r5BS/pRBwfHU
nU5a06LYgrYiszFdwraiBmB4LHNWXAFXQu3FxbYVk7KDqxyeQRLylPdFkvYZ
Zv0sNzgRkiLSi41JdlK027XXmukiun2gn/B6ZxxOd+WbAV3heTIVuqH+6Rtx
6XjswP0QsbRqL5DIEFDrFWZYl2syilzJibKCONvpoqe4FG33jlZOKmRN8Y2z
yppGIpMCRzhJnc0VXrvLWIynLGlOdMSVcGJWieB7PTQtR4uLLcx7dhIXk4qL
Ic/RLsjFLZEWHffNMem+gCX9xTHTy5ga6v7UHeWTsBPi5roLFg0wcGsp7OhY
7S+mtyGda1nc0HaXIz4kVwsJq9bbFdptK+ttHmhnq6oS7ydNGaX4Ac66ZuMZ
nTZxyRrDxM6M8ZoNxYqbeM1h+9VSHNZBQNTVUkQ5NVJsNqHu80Xdm84zu6My
ioOiMtwvjcrYEZTxvt7UeyYKIQJdHBHnA7kzQSAhOZRk3/FwRBtZlcymO7u/
Y2dYPAlvoqBNZZH2psUh0WgUW3XsTz9WcEc+5F+KQ13HCwl3ZkHtfsdyDFQ9
ALLV9CCuzZKSDCgmcefWrvfJ+WYqygp44Mrp7d1h/X45XB2z5mbmckNP16ch
xIoqFJ69z3i2DjcaUENdbZ9melCp7eu6wlhSEZcCPpGLrb+A63zRUH3NHjnn
i8ePvnv+/PG3Xz3+SgT/gBYdd7KrzCa7CGpMw78i7zsu+wkeZc4N/FLcqPem
93Ag9QpTDya1yNarkjLcrjXxkgUHJGXevy91oIkpcR4CxsCTTsqhe6Edegni
3fUKJTsUKNekjrbc9oyEQnhdI58rYMrAFvC/xPu2awHAtPiy6Y1HSLv+UjEc
kinQrI/yKim5SKAI6sNS0l6RDXRzQIipy5rzffFI4iGoEVdmX8nMhpnr4HZi
Co1hEXqiIGQLu/jcTbQAiDtjPPcdJkHjpuZlXwZCZiMkKXtCYMsGM2/f7683
0n1Re4MbqXTo2H51YePtZYudG9mjj0i2jMhcwzEBwRkBYeTu8FK41VQIcdxB
dhpct6m26KPjw9vJ4cjuJkb4dwk1lipCXVnP9RSkRWOr4/rIGnJ/wpWusTLi
rHLlOSrYQGuXzex10b0GGZWkNHupfcdeje5RpPLREXgvcd2O1+2Tiuh8mhA7
Ll0aQ7S2XL+za+VWks1N7meSZ13+XipiHXAlX11Ec+oNRJGrDCuoOIGacEjS
McxJkHXnDCBzVc977i3trIaBslu7lgJs6GiH0eOkWrUPFeUZwL73JVPgVKgF
VVtttvOaw4vwQ6FYVmlmeUgKXL7KL9T2avBmHoybQfmWS556MPqEbEwiT4bx
3ho9iUBejhF92KQWhrJVps6unW/dECLRabG+hhD7c7DEC4Nsu6DfJWIUn5j4
RqG9YyzDO2uuNcU3oeIxLQZt7bWxR0hTRvERZMB//OMfxea6v2iQSSwIk2Ht
P+Ow3S36+XM5KfiXs9ucAg0Ht6zW+u3t4l++MH/rQ5QKWtZA9B+/QTkeAHXr
5pJKu1AYkhQnoBuAwZI3b3OR0m+LL6LR+VPcwxvcYYuYeutbM0m9kOWVf37w
7fGbvxRffKHr/fObB3/R5EX8M/m+xO/DQLRiTpV91W4rnniwBc6RqRkRllij
pNmu57B6gCTZAR6115u+OW/LzUU9kzAPJhxcLaXe4HG/3NZIot1jRIVhaF5H
Ud0c3se5gsWMX+zwxYkGy5BXkAQp56uS2JKDSAal11nqLEaBoe5JayWftG9C
TK2bZtEuZmYXgDRHxUMUWS9MkD9+5ANqks/JLMpX+QVMBZfwiQbh3frxxZPb
0eOn385OuZkIhdDW2B+1Z4FgGDzU4Qvf4AsPBUpdz2UWFvLatrMFGvwu4uHY
QJNsqajlbWQ65XLGhV6ivFhKro6EFkdjIMMVe2IGJn5gKjml33dMns4a4fKD
CmqZUmZEQ5EK1L67Ks+KoSd2FvqyvdSKVXD0l+WM/P9cAZLoJzGQZss0f97M
tgiaSYI1IPu2KA3PJd1aAAT0GR2noWSMQac4jz/CYwotO/0aYDb99uJURmFE
JUAuBE9Av5K4aiAN51y7hM4XI7BOYbeD1xECHuIHvL7Z/TrXRoowEmD2yGyF
4WErYHqBjR+jG4+Sndh92tDjhCTJ1/0xg+aYx9POJViklcyIxUsfsMboip+R
EJ/SD41m8avppCJjqMEjIdxAN7AINunYnbCDftkdy3ssIHAGd/EWCOIW8P+z
+4TgPyM0PofPmk0JrD1g8u/uTKd3/+Pks+OT33/u3tH6cfmfM4VkcfPUj3Dq
PWJe4otslwfW8x1G+RGdSKp9bjA9eVa8rq495nqDW+XCXUXuiDn/Gns5DCH8
nJkylkzIjeySEdJ4QhFYwoyhTr9PrWs4JPRUAfjqy5enofGZnDHW72raTdOW
irpcIUBvGycdl+gfXVKxYFzWMdIwAjMIaov6XBpDjZ0/Gqjo9JmKVPNbd25j
lp54bUJ1m1sn9HmP4CJohZO4dTf5iipP4jv36Itbdz/99DZgy1fe9vwcju5z
Z5HP3iO+KnRTEAfj1+jYc6j5Mx/Tz3BMEZb6Jy/bxdgz8BAcEQrXtx5ZqE1x
stu0wIJN6wO4PAjf5WCjIoisAYS70UVkxlFA6ihyRVflm59Lru7587I8/zz+
Vr8hK+HPm6b7PF6Dfj+6jHcEEDvXBd3x6DOQ1Ou1/TBUu/45OAV/5mrXfAps
cv0dP/97zar5WWs6IkGJoJ9giP1KkPvz3WQL+fefhQP9xdIruG5CsvCmnhqE
OwVZA01EUVtHy9Z8jMiAMDsNcvYRedU5yMScXZvlAcTPTxHHdFov0Dnr9Prg
UshNqxUHMmQOv5UasbKS3F3KAcQZishqvqZ7iyvQSD6SXD9C6dgPfRpfzewZ
UCx2dtoKJTROtoCHnARsp02HT7leJNcKfdlXm+lGAgRormyLKGLTwqSC44yL
yQfReyQMvbTLNeoZFnI/TejAqTg94zeGbGzAa252hrM1WEp17p3/o7myk7Qn
llaErY7ZcvAh+xZMYplSE+Z8PQ7uUYaN3OolKIrke+28J0xJEiUAAkErmLjw
UEawCX5xN3Yt7LGfJnTyVEpAJyWK2Bs5LFTkV6UNAk2EZjyTOx3Q3FMs22iO
M74fZvSbXRGdIFXk1Vree3c4pOWnIn6cesJ9SjLpaSDagvOdXrD8kRVyZG54
ZKUp8ygV90uVWJvWnp7klHJqIdndnGYWstezrf7KsY5MgXYxkdOYBr3wj1q6
9xM9OjHid7GvEcMk3eS4YHoRUllIMRppXeqS1qUTdERj9wZ+7lif40gYJObK
1tIbApKwLyDMZCzlmnKYcOpPagnOoueQ92UJqbEqpYZ4ChG14jtVxtREJ7kN
WZ3lqY0sKDCSqmzrpguxL5m65EGxncQXwuEdGEskNq8xddxKSSfun3Iqoyu7
OXWe17yHCqSupD3yxZhalKxBRA02Ewsxzy01aJVGJ8fSqJE/l5uMhiz3ECyO
TpczluJt+e8k7ICiV80Zq4NusJrQhzkXCUWD41i3WB8VOsBVfU39JznV27sq
W9OShiTUi1qq8Mgj2e7tB7n/xtYg8Z6nfpBTtRjL6LqfWRXVpEdfQLZEgQ6Y
aBMpP3JJcHeiOu8vfXAa8JyyGtQCnE8LJie4zBeEvVOONDBcSM3gKU7EstsB
92mfzH7gPRvI8cN1ReI8zZMlfkFDjrTjrFDvvP/N4AXzUnNMwkopzc0fzeAy
iZz7QURZzMCYJWAmdpY2P9kul4Yw/2hCQAEmelujApSWeIqMflW3ZE4Ql+j7
mgzQ3C9WAqnUKIYB1f9xlf7IrjeJBSD9lpb8c0/PBfXcPjX1T0QqukyuOrM+
zZilmizl3+xV+Q9QyfFfctpewx7M+E7U6xgWFnf9lhRNhK5iGikSFATyadQz
foQVuJgVqHmT/IzqgByN3qIKc+qT5WZEjp2t3EkRHTueCUSN1ewGKEWcly1n
wteHQoqxIUbrHdJBnrTlyVKeWZxasB3AL5PVMPQGHHE3HNFwMgRlxB0O4j3a
cQY5g3R64Pwg3IUW9Ed/E0MNSPguEV4jtdIdKqCTgjfvITTg9iIQCe56VjON
mdSgsIqZZlBIXJmPH+sQLmTZj0+dUwOCpEjZnMIRxVS2dDq4nadxozVxPaLi
II9SZ5RjfPTYr09N+D9wffwnpDiLq5oos0mn9N09VOEy7ikx56PTy/cFUD5Q
ZrowTaIMU7oBFLwUgvejoAOOpOAisy6nz4+I2VNJ6ZcKEz7KxzrW6H63Wi2M
SuwVpwyPH3EL7ycrHGiAPcDImhfLhfDy+l6SDz5mQGomxqXzm/fuypv2JfHf
h7For5aGX/LmM2xeYnS6rpnVZeRHGh405zfgd5xbQNRmxBUixiJR/XiBgwWU
xlTkbZSpQUmDahK/BzVgSKTZ1IY1CVfW0uNfLi2q7RxBxAfzWzkXlBnv3VW7
0Oe7DlFPK5EVx8+KQ7h8iZUuQu0pvychxdTiqBiWMr4Wdml8TxQExQWzEDy5
MaXxit4z5x4ZakH9a9SLRNjz9fOHj4BU/cuLJ4/unty5/+6dOcHI0erUdOf1
A2vXhgvfaKkMSfoJd10U9BAo5ThOipuEt+z4R+/+MbpPBc2lzc6p+POZh2kA
m4andNV23qCT0pkIgC9oU7e+mU0MHAhGtyNH4zezU6b3aWSAWn8y+6RVJKMS
JfPAOchZKngme/vzt7O/vC+mmpMXkZUdINHKDKoOZDTsoqbHYKBM0ZQUZcXH
clViTj3m2FOFyLa+lLgzUdW7ataCvAE3eKI+RK2PENrGYrkPH+hHNjduycJT
YEoROSs4TKzelOu+G6nxJmF1tq5FqCXiwjYk7ALD1jj16Qx517LShPA4YJQL
SmJU+6IqMYD5mhulzZAksXVR7UbtZZWvfIHdNUK8Gs9VzECUwQRDy1OZgcNd
KNEeQJdQoy6W5VVnM+BC+oyv98T3ezxuRuKGMn0H05L0xXZdE7/jDA3yGqxT
mUPKittnePuhYjlXnFCa8eOLJ5PAl2hjAAd4cZjvkDCExIsz8W1lmtUZXUdf
+1crGR1+0Q64Uu+KH9vF0zVsSm4NgBkxjjvhvooEK3LEUs37QeKOddOXIV4l
wMRF5CQisRPvU/ggBpgzi8j++URJZo0sIbDBx6heWJ5mrBUZvhaUldDjEoFh
qgANrP6db+z9wxrwqto0swsxjZiFZacThcQNLRxWMOY6W6vytRaPleDP2KE1
HRyjacm78yDPKA+D6xA1596z6kJEupb15sCvkMcC4w95FU/LDBu5FQx9C8d/
xOLCLfkex3uEg9wu/v73KBZR/2Veorn5rdvO2QdwlxQcWTPqTing6Isv6Py+
hQ9YDpY4xztv7tyBaflJrvZWFNWyqwav88S5AU6SASzzxU3HgVXj94JpHudl
H3gfk6aI/8VXEq1pi/g8Yft3cftI1YRWwl9BShFR5DR8fzr0WMuLUXmSmKiT
Yh9GPXVx5MGgAHlMhEfUrYMuyhiEM3fFeeXl49wVgO09hGZ6T+Sp8E24DPyV
AP3pwiY16NyUxmVr3lNy6vKYqo2TYBrkRA4WdCE+sfbxpF2PhgkM9yXLKdUR
6BJuIpoZRYxWHJiuXcRnIEd980qZHkZEL/saA7aT4gAUmut8zYbZtX5MWfY+
QPiMDMtcTqB4UaFQHRVBElmD5RL39i2QP2nkOsEATF9/MGvmE2loWLlAOlXS
rYyqLHNhDVu/lJzHmHC9XWmxOzLkCbpw5Gu5RFlpznlcVei/EDJkfSa0zeIx
TONK0l9YkjD9rMqFVrOcHrzfYgB2U4DLVIBz5MWh+k6+6S5RH7NBJS9ogvfb
S0tphcpKAZojAvL7ABbGy4N2H2BRvUuAS0F/KXj9rn2yyysyA1FpBe7bCkwk
qKUNh6wIhy2p3MXFA19yzld4Q7ziIR3bv7RLC/XqnPviH+yGowIjSLk0Vcgc
VdQzwUVHta+0+iEA/jDwjuGti/BWG3hFEFZNhfq1YrVUjeDd55YRQREJGrED
IyZaGdN/D7IAGY+6xHn9VCkBET4jVybGwOJUBwDNvm3La6kwgMQc05OkfSEW
UnnAZbSZ+WA1Vq7TLXwIgXVTGIpAWcJ6kc/4piVLLkhouqwIAjULjyBdMiav
wQ+K8MaqYOuQVk2Nbr/0NSoVcwM5ZKPFgEizpEyks5qfV2qbLDFHUbpFk0UB
w14wfZbxwDRjDRnLWWrE5QO6xoXnBvyDokzY1owBNqIZE2NsOflNTkpx18Ue
D15GStaQz/zkGxNyi26pT4j1E0z9IMOa+FZgCYPOrNOLPbxIPpsurIdvvYRH
g75OhkvkoVx9r4qulC7UXFG5LKA2VF2OXJn6H5mu0Dy6reQYrq1G2c+oiJiv
8eMyk0ggE/DhltoBqH1iXWLWPuVVr/SSagkCtBe61AvlBTBGeV2xTwUAHCcz
jkCPXc68cReviawDVMe8nFFyExp81pzaxLiTEcgfKudns1CknZmcOh8CJhYF
VBupjEQo08xVqrn1S7A7TIuXZITK0TYjiI95lz1WiYt53aw9pXoGxFR8zfbj
70mGTILQec8vaVkv6FyHrmgTMM4C/J85DcXa+IJkHunjPDwuKB4yP61g1sDL
PXx6ap6M/CEpHNQXEhZCvEb8H2xj+C0X+Pg8C45965Y1d7ExZi9bMUW5rK1C
Bstb4Bl35Pb52tG29DDdVZfG+nL1Lk85uTFLXBbMq0qCz1ErNFemZcaiUpGV
rzWCoR5+B2YIztQV/5zkanP9IaHI0fA+9tGfsIKj4Y5f7nR4DKcEB76RV94R
rS3I18a1F5XILCVvGe8tZ2j5i3VqhX4aIKrdbEpshDuNA6QYOBwHVbL9Y4Hk
4aQsHGL2JLMjG/7KNimprYQzcNn6qm25JPnpkBToyqwyzJU/SyzNxu5RtjuF
ehxwMnRb9EwC2MWd6osg7AQ/lbDsAqoiie6Q6ws9tGXbGCF8W86MwcwNbMF+
IXcmVgLyunHS6y88fzLhRpwZuehVTsoTYSUoPtUVasCxfF76kldoSqAiyiJZ
GcuyQEKkgz64n3T9WSe0y8mdr7Ga0CHCZxELny4rfO6QO6lQudFsWerUZuju
A8TPYujl5dW69zZnFJE5QxYeDBqvGOrMfE0Ge9Y0Gs7HVwVgiCGoPuGdIfjX
4oKGS9GXpkn4WR1QJFxyKeKkKfNBIBUiT0GOYyFxkVdDnKSsr5Kh5u2vaHPH
qmyxGYQqrnCYm23w6hNAuzhU3PdMozj8YxgOnvYGlbdv02KBx5opMoGXo8av
0Tcm7NyOh7DI9WmTJmlSCZiELeU3UQLlE6naIhkRSDR9LflBUFJcAIq6ofII
5LuDk9H8ZFNKh8O19lXUpCRaIy622m1VCxpRIzRtFrIgs1ippTZs2qO4jEv0
LPEh4snyvJzyHptHE+3dr5vT3ndzfNbFHHdUF2G71vLrQcvpLK4wvIwe0fmw
LsC9vpk1S2NIKpdUsCcq6B4yxTH6kmOHeGIT9O60KP1YQ78ccoZ2p/VKktjR
C4qFeCqXKITsrTX7cu57sUliA+gdNodd7qpEJDTQV/cVKx9jkqM8RAUc7DPw
UGyUCMqAuMxjVMn6wvIipsEYzAHXxspR7oYESbrTaBOD4YTIqW6ul8RcjGgO
F13kV6YePhZfpA7eImmQFYL4o3TTMZlKQdx2EYPX1hbXEvKbk49DnlPAyWBY
c8ErfCVKMMeMwjMrqQUkU3uDkD1AhU+J9xo05wxnngzcEETzSWLgK4nc1tb2
u8LcG0Oe0taq0XFjReEyOhZp0NHbd9JjlfaeEXELE9ZdqPw4D6Z9egDvmmEr
wi4pjChLzrRGGvbutN2Aok2whENyFqWp4XfTpBizNS2ZTpl7YjzFnBGigScW
s8K9iG1GSXuUyN7quO4+ET2teE/3wO7I22yuTenkntCfDSkGqwZXbqiqDdEj
4gItKx9qTnYJjlh7TBQV7I0tIi+ti2gpKF8F100ot123wTqUxetgEgsNK+Zk
sCEtcVGaTm1RxWrsBas6TqiLbZQ3xluTd5NiYjGGidoWPrkszpMwbgUfFmzv
up4M4ymtU4Nc9Xa4UT6swIgnGD+U5XJ8rEFwynDgyESPX7nsGfmw86gjRw5w
gxWm13eSYjBzkxyhDNmYVGJNhDh/17iCBtq6FdmPj5FZrFgpwUYHlC6U0oZt
HpSRlNd5lhNaPg3IKaycQsN8LUp/68NDk1CVBLMitd6kSK9Sug0LuW5tWL+/
cGQxdBGxHcsY4+KvnqYZahUatA9SIq2lYygKJLIkaWBW09MbSchiG5MnlZwF
yXxntfHUHla8qVNXPh3QcreRlK6g7Bca47EzgSiZxMbysx4+ceHiD9vEBZ8n
1cBXC8+A9O7kzGbfQVY+ODdhkMWCw12ThdiUbxpzF44yL9IoTd/GH0HEBgQi
e5Ee7Zi8XniflYkyMbYqAp/d7YWXQ4YbNcnVk6Eip33bne93TLeSppYeRtPM
ZB9honAJkibxha8egCBJiqcjTP+gOvOPEvjCdswUusJ8xBXCij2tUNlErh2A
bYPoxoH/JNPzfgg5U1k50zYitJtykh5yfhlXBU015UyB6FwXCwCTb00UrScv
kJGKJoUFpelUKKbcUQwu8glVFj0iYJjEAGfxBNpqeC2kjZWQ+KgrsnAbk3CS
Sly2NULUO8y3vbftqxBFnpDl5BfgRxmUtw/ADnUt2CLyW2pwKztP+sguooPn
po+vEouIB4pvxzg0wpBtb4MGZ/F478cgx5mLmbY0Jv4xY5URqkANqj6b3mNN
RtqA72udkmu0ht4qgThlIqGDA9eITf0u0s44csrDOjXpGYudzPdjrdfD895H
aP1pCpzX9gasTIkcbFZCewzpeqhQgOigqXtK/MIJZ2mkZvhJXF0JElLclk/E
UfE7cA3xFB12LtNXNRdb9vo47laA40WohYs8W9KXjH85CqgYMyTo2aYtjHt7
SZxZe0rmEAm+ozYjT7miZf03SVJ+Yg6dG5Eg7dCHlOdyxTNq8HCOGkaY6cCb
/ouPkM+H3NOh4rzwDC0sM82TlDFoe+U+bZyV7Ynx4Twm2nsXG4Z8RxJfo3K2
pDgM8lmgvNAmBfU2LZEMrqQT2QhudruAwzFbQvVIEIwwOUKSIZ1IEGRTtVSv
vK3OqTZxQIh9RCJGhEWGAbAPi6q1sg8j19ssc0QSukIV/oVNk3cJa9VS288R
hsPNWLiAOlHpT0PnqwOn/iXYEQm/vml5FupWb9Pe1Nk23l6ScLaHN3eofb8D
+iXEltC1GM/JHjRJ3UNsI6k4JbX/BQs/rD1egGu0fA6JGW5gdPkPQRHf7TiR
igRiNZpr28sOW5lOinskU94Py09Ep0GPdNUSdvZYiqUEbZYUFQcbbXozxDT3
Xpg2vJl3FXGihgF4JUdbBnAfKbQrSaotF43Guc/KDqRW2lvjvyLy3LTn5don
VytVPdYy64X6nHxNmtKxMj1S1sFbtsgexNL9AI6hpAzbqgZmCXQr3LzEaL00
37UOGohGrKWF4blF8oYLLpNVZll2/anz8S5seQUdFd6E1ej77HvwwQOZAkY4
jguLFzsz5xmGqF0LYuEeQcon4HH2i7XuSoQPQO95Wl6vVI7HkgnBlSz6GMqM
95OYYKPZUzE0MLmHFa0YhtPif22r0LplUdZLDi+PWvvRXN9+94pTpJgpy2I8
XvCqqDchdQ9ht7mqV4wLLGRRBzr+IoCIrvb2TBtVAnPRCCQ6jlOhWG7YrSPu
km0aQZJPCquLGI1ugQUos72ZWMPAyh/jPYcJHeHC168rYb1YzH/CWU7cd8Mb
Dpo1Rg7sTzlMKpUiapEbcjwZMXrn3t3f27TECGjinMSgjy12Ucjd08KH9kj/
KR/4xff+fXIKff4g0HIOY9z8JVqw97/+3sQ04rLTgpnj5XoIO221GxPKGG1+
KlCJIhjLs87UcBgmSr8zUZdJvrXNob7kfGn4NF24yDo/s6wTn9vAqi9Iac+N
of65Tz1aN2njV7R2hgRyNHdmty3xZy6KE5EJJ6MmroDvadXJeIF+lqmkEA9K
ntqabt72bTOb22pZihUIQ3qTepuRSp5vnBzDZRJikII7hly/IfDHSzHE8Dhd
Lm904RmPeUZfPZf9cW6sYiznTdGTJskuW+TXptqF/WpyUVGKZ853hB0ZtA7O
T+IE2HFhR2fceYONxyjCi5hjHpLRixNXjmUHDhsSe02TPbFRMYZTX3GC9sKI
mAVOSBY/xKyIzQ65IFq2aJAPVIFz9h1S4jsBMNvX6j3omNoONi0WFV+PU5wu
SIE9ZyKEclFamkgqgoxE39gSuZkqhIm/rjD+ujj28DSiSXQcVBkKB1o39mR9
IKK/+nkUoWKCj4yHM8k/Jak23zs4xKpIAiIVZIxXGI89xLzIwxWvDEcjRjaC
fdyZb4xkYoGPM64SagohB7+8Ym1JpbWSM4st9FGlsvcfLLb6Utc/hUmJksu8
JveQcfj5kyIzdQRmhTLPODW+Sc14Mz4bH1SQzTL0PTndZ9PiJxWR9y4oVMSK
q6rl9w6PmDJYVhLVkhaJdddXkP7g6uVb6auFTZGa5jU8vd0Yy7AXWzMDjIqw
VMTIVPBPRNlM47kgylpOWZ5JNxWntNzItWKGOkDUlBA6NY7ly1rIUp+XGyn1
8EuF1WRAJVH2oXdFFk676tGI+iJaC5Gb02Qmqk5zKtNxgcAGjRbO9l8PzddP
FS4S/ImUMXyGdoZTSybmW65PVHFgLVdUDY9LZNKyDlXptaNaGWL42RJrHUEa
csoySajdlW1KXuwU7F0q2A+wUXnV+4j4O0XxnIgr+Jk75UjWJalAHv4niwVR
SZqkL2PGOaH6Y2D+Y4C1QoAbEwJipuAhMJQJcktBueCX8wWlIb+QMWi5SZIO
/pt4w08X9bKiVMSOo5zaZkmNvVkmDi0XubEO0IQlhi4LRTZVx4QlUMbvkP4c
wFPYaILl6rHwElxt9TfmrNdE0g2sPQ+aUK6GFGG9ljCgdeNw8VyoqhRMJoR/
bbrhkQGIm7Zzy10qY7WIrJuUAu+MtaRqK7sOMzguiZmiadA49H87XuKZP+OV
6cgo8pz1EwybsTGHz7vufvBs2jPAgeOOfQdsjloYnwKzZsBqd0qD49jvw5Kt
MhUYsOsR6Nx5/qLesFlxLkvRDC/vmbKxCP8VpiHh8TQfktx0o4fz1FMa4zT4
4zsbqFxIo2cXuddiu/ge/pQanuJj+ei8KUg7quz9rBcxBuEhFh1f5nPI7xAd
E8gP+dxgCVmOt9tAQ7Iq6fIUdZs4EqzTl/wIJ7HQkbC5jHtPBCQNE0pEleAe
4tVIV3NekCr5id6ZbBGtPhLulaqMg9Xfc6Orzzsn80Ket6c8XbgROy9DdDKi
eWbNNM6YQAatgIZGG81gGFjMFGyIQh9BBCKe8yEi0GEYMjCCgPSSucAHGUK8
TSNjylhnr0vSsQAlBdO0YKQLoAnxYfRaSq4jC/AkC+XnqtckiFh8+q+zyZQW
8VJjTHRP8sCZFrcwxs+PxwuL2rXrAD7tU+Pyh89S7G2H6Wswns4xvf3LzD+O
O0iwBWhg/olaVVjpmG9GKhrncJbjnrJoe/9jiMy4ko9kSPn0v9OQMgx+yYhY
aaQcyT8A2SBSydUfGjryzbP2SlVhSi9LSWMWZwKxSMZ7D0mq+MiGi1Teyrjm
0tvpRYNRW0cwWUj0lm0pEoJj4sC9IO0a7cJZ2JY9h8jgZb/Gmv/oCybxf81B
blE2RjkS4nAtzUVEOMx1F/GhL2NxICHniPQFFtfRPW39+hLEI56PFIrZRoH7
xaUUhmTvvSJn0IKcuHCDp/uk41FkP5zTEX1M8StvrcoLMkSCPtRgVWQMVjjg
h9qsbGs3GmeP2Srlm17TsCydtFjU6YxAM2xhNMQLDMMQN48Y8qlwVb63ES13
J9pE8xGKUBBa7lESQd6wDzLsarJrpT5/CQ4kyT5KBJrShje/n1qVYus/2+qX
m/2/w+Y3+UVGv11vD2ImRwTmIi8v7zQbMiFxH9ds6NPMKbx/EPCZF5v+r6Vx
IDwNY1gzwhNX74tK5Y3FsA7lKidFdz/MTqWxeTQfV6nDSChs8niQ1DTa3oJ2
K00DPno001BkKsyEspHYfxQBaZeh5QPtLHRZNK1vIDGwjMLrGm/FElKQ4Th2
RWkohRNjrwabMR5lJ3v+8E8OBLhqteF+Alo2KhmPQkRCty2uYcVBiSAsSn7X
MfEwxKP8EiM+NYTvpGjLnqs4w/eC+1QyE2n1msq6ogN+eDCmxKBvwni4BSw4
+Vl6wkBkgscIl+QQ5i5cD9msi2ag8shMxEzJGUpTwJDRGRlF8XUjH0timZth
b1ukBlSpoMPGLJW+KB2VqE5XGq6EJJzrGSJhly1N1cE9itFek9fugDuhmKoG
avWyIDRVJseEYo5ftc2YPky+2BVxN9IJ6Smg7vtFCWb83zvJSmFmopuS1In5
ZaF/oQ1LDDhLvYI0nyEqcMmrN8N6S/m4/RitoyB+UyRDumJL8YdYm7Oei/wF
HsjvB93iiUswZ6oomCOhYpCSAWzxoRDHvYu20s5D54kEdlalAoFltwE5xfjp
GPWpO2fr+KE2EPEr/yKVNzWlXUc7qz5d4zoqLDZQ71yHWUORrCGA0aXiiKV/
o2tFQEZR+QJVJym7+QG5GJRgCGbx757BHXBUwWq+aIZ9yPzwT/lrtU6aPcda
3CEzckUiU5eT546LxSBk7TNjp7SQ4jwGZ0o/gpnFjcCJQIphZgoIH/hm8hxi
KGQicxN3h4zBnuGr0IlcRZgsP4ZlE0IC6PK94xzHWhEfG2kch9+lfeLitvWX
lZGiuBT/Id4mH6HbpZuIw6ldLm1ovzspThtQX7gRTna0WPYKrSlMkZGsXHJG
u1xSNio3cUm5cZdUytEUsgyQ/5009Exm11C7TiWSww10hvPWnQJaqoktDIv1
yXwpi0N9Mma5ZWc47tOF0OTO2NSCU4cfC52QcDSS4M+qGbXDjc2YcZPZ3WtX
rX+QKisXPO9P9R1gD2J5l4lTTAqGBkLJnWkHTcZHRs9H0kZjC7j98DvGjogn
djlBZos3c9CHNozm90b2hkNCTSXkbkgG28E0bOkU8hbfVq4swDXKzP5QoaAC
67bH+i92QU6C/zFIWEIx4T9Ai4HJVwg4zvOijLTg+DNm5XWDQ+3wYVJhW8H2
PfokuceyJi8lSqPB8xH+fvYxrFc88Edy+/3mgy1X1nAV9xI+yHCV1eSwwaMG
aflSg+M6HQXu+9xQ20MoMVhNGIlzueFBYDcki2lr1kq2Q39BE+muxUr9ARRW
mblwxQHtKYyqeMfWnIHBLdP3G+AGVJh0e6xzRZ40TivDUuCUY6rNyD1CWV+G
QZawqHT5PBTsNhqLzATa2TdmQcnC8f2MjrYG+RbvJMf0zbw05QGt8i8rH644
fLXKDGACEg+269kFlmyew299vTScbnBU6qogIgtzJvYtqh9DqZbSpEdVG39P
sRUJ22R3pnZnzLM+v5tTkrFqQNdtq/l4jre3zrrTaJJ9NtpJYbJNY3tt3Tpb
xkJy6kONjw+NFcx8gaOj1SG39A/KF02B8E/xL0WHk9lOZEtJw7VHFnygeGh5
ULSMASviCJQdafofxaUSx1z+At7kpK7Pf7tjpXjUVnM2ksKdPToyfx4dKS1H
sURL4VOcLZlX2azdcY0GqQKiBQs4nhuh4gMNEIUxt0b83FTVr+Ta4Z7uZ7vV
U61jt2iZgcEkMDjsi/TEEEPeCTsrQYC8XmGzX5T5V9jaqETXtNRNdiEqHc8K
F8/pSFz1v6qUaVJ8t6xV6EWXozaO7ylKtp7AFOIHRAO8AejeItzxnR3rmAP6
xHoO00nDHJIkOiI80itHW+KEqUdb4Qx8RJlEpfdI0n4fQ23eShyvGTmk/Dno
pROenCZPRVnoCq24f06Wsvl3DEj1NU8xI2KJ/8YzzSnF3R5DoPnI2UHhnJgN
UnTeN68ISXx3KS0RsitpttTyECLDTIuH3J9PCqRwFVofoDIJViv1QUjlzkGc
ZGsyHLTuuE85oMilQS6u9IjKL3eSkidtpTA9xAjv1Wcy+uwUIUIdQlWV0CQU
l10WqztWaek0mgvIqhpBwsFM3UNLZrjRgVx0dCBvGviSA6uvuI71GpbSU2uA
sriRLPSGG4328qUysABru9b0BqnnYjRFHdLtFZ+Az2rz5QEvVqWBeEvbbM+5
o5EInkWILKFkCkQtQQHYNKa6zKrx0DWTNrOqKvH9GWp9U+DoD1TAdIOKvka3
oq2WeCiuSY3E3JuSG1DC3JIboaiU0ATFKDU/ErvotSdKeJjS/KUfjZKOU2qG
OaE+UYwe2paJ06Ez3X/rLg7xGzt0gn5tK+17yjM2q8tPp7GGh0UWOheMMTi5
AQDPykyRTFdxeRq6fObxs2v3HjHnqV9/30W2x93HkXggGzRsYgHeKMWGlfdP
kv58Xaiqs8XKJBJeHXaFtXjQ4k3LRBNKU2OsGBfbB7FRGhdytSK4oNL9nA2t
2O+bhGmVGYdepLsfUofg3v9mdQju/x9ah8CF0unxqQPtp2oeKfqzeTGNeg/Z
pVeN6XwjPRdfCrHw6fGZMZWgiFsm0Wi8/m1CFUNbHG00d2Dlv5FDTEMuDr9/
PgWF4WCvuqkdWPo9mv3nScGgyG0KD+m61nMuSYkZlR6FqQBK3KYhROByv4l+
X7SRH4w9R9kck0EjgUvpaEMNzdh3wmZanDLZAU4QIm3KPmXf+yle7Hqlzp6e
P+xCNMNGBNe82Cp3I6oJQ5qJtu+VqCfzQurnNR7CUZLnyNpVZhKlKLgXyw1y
Xf6JcqwuZe/x7mlRH6+SjXRDjeyFfrpfn5Bhab/fbFTSpeun8viBN8cc2s7L
k80wS3sqWNDdHbGohKIo+8qr/Dh0o/ieiIOqmwKBjEPMLuref12RFb5jh3kG
7n+Y6cUfgb8KIwaYYHvxT3p1J+JFKnablh1t9VdgMd0oanAh0AzBlfbGoeC7
p1cjvV+ik/kasPsSnWfUYILtJRJ5G6bwHUge/gndmQ17JuQSRgt2Zl1864AM
L5Hmj9E9jmpkPA4MZTgOei3Gh5FYqxl3V4R7J2VnGlfOULxo+KSrsoNVYtmA
ebXEnIxa0zGwC+OZbxkHc+1TNqkXSqQrInREXyxVTwQqC4/O2COcBVNnnDZ0
bw42lwNi/ei12FG08bIwIQjqW9VigTYVUbE4wQnANXeK/UJGh7a7btx4R7oN
D+lSFYJjk+yWb1HthbhzEJLP25TaHsogcCXwAVsR5qV6z76dUwHoUJvBsfeE
G4SmQ6sXldcsDQKp6/WwTKrLT8ymP0+TJNiM/Sx4VLSM4LmBnWAtPRHIOyp7
4sf6QXyx72PzzxnadlaPSWbbFShpihYEr9NoPprhCCqL7uMkLJBk8i/IF6VC
gIuFgPGIlpHqLtEkLpc8YYvuiT9mXHwghwDc1hXmAUTaL2bfeUwgiO3iUDwT
TuEMDky9dGZkgEPljCEu/RN09YfnsOEJR27tU7v9LRXVm9R1Vb75NkYK+D7t
u3gaGwNwOKTMplBy5n6x6e247Ht0f8brpsRxLKlJuWPUuy/RHiZYF6dpbdMy
X0Nfzp7I7CSNIdIrRLLEAbeoOPAW0XiYGINXyGCSCIHjeeDvWyXpo6R8D69f
ip8URh2yGLLApRqdIq8eqmRReCGhfshCHWMnVIaFi3Go05wq0Q1wKYhdRNm1
6XSivbEFszOdZvEmuEXVS5/xHVd4HP3xw1VXLblcKmfWvPz6ux+efVUobgM+
8SQjV4F1ubXY1zAAAvnlGgPKe2ODI0rr3W8e+9hSwQY6ODTsvojFxJuuq0Hs
mtqeVo6MJGid366llFPRnNEt9Qb6PdxQPBD5E5PwbNk+FbvfcOqvuaO4ugoZ
L1dlcJumlwNa1d1ZBUJT3bTjAeNU9P6rqq9YxHvStK878vn4muKgpWNznYwY
Nax+RTWpTG1xjOfzFfq1qJTYRKj9iG1rxxEsRp7xXIW2COMCnHAzOvq08MI/
37BmHurNFFewFQKvwVlLFqfuJUVRpnKPDbPjvgt+55ec4rOpqhabyOJ/4Vqv
MdDS2fantQTLpGoIOyQk2Z5qbgFMXq+B+5ErhkS2SLK+JQpiyzeQO+96JtLd
zghmt+BTTNW4KrmEMDU5D+an2TWdHYmp2OcTQNdeC9mHhy6r60JyAkKVSQlZ
p63l99XW3WuURZtlsGUM7la8zpudE7E6eJ/Rnzift+hu7HgZZ+g/1xEPj8Mp
sS8qKE3r0CeXubXp9kkkN9Ww1aulLME7tNx+2UfT91ksEP9+uugx14pyU/gA
GUMmuYYVxIRl1CRJUgTDXNPb0ZkgOjkaum1TzfG74BK1RdB5TJW3YVcRO8ww
azV/Es1jF3G9v+eiy/RcRLHVjG8kWPIil9IjYSLnJ3jjdrJ1f3xCp8gV1oDW
1A7Mcr4RXYwHg5Gw+VhjREQ5OongMJ0gkfShfl9t5EoNqB91XgBCxpUDKGaH
sIsJocb5W0k2ByCUFMQDmmFG5jD9XiwTqnvp/CsN9Wp05bIVlDEENWTTDd0P
ske5gr3dVKubi6RDRhz8ciAm6g3tuaAhW48x49Z01XW77+lft7AqPSOhC37m
EHo66gM1so1yMiPb2ebLXIWGTt9FLUAOEYEnaea29Sm5XFYwXjJQ4TDVBi7D
svP1N5SZkfZ/bFwRgm8utjJioBXFpxcYnw70FHXpXNYOgcJ+RV1aCJVRXrxq
JOydnl01c9m+syWlhgIgvrWszvG+ag8XtHSEYspkb+ppgfjA9VQ0SUqnFTms
3a45VrhaAJGrmQSX6JjC1UloAFnbSO31kBx2EfFtbDxEMKwEJYwZaK54CRCR
2npGwaIriX/XS+1WJZJflEJDAxcQuUzqk/Mm3REoJ0CcxLvn+0sSEUqo3gi2
Kv+Kao7HKpKHMN5He9XBvgSmgmDZeDaX5lxxIzZpGQ9brVBSmKWVVWGR2/4C
ZvqbSNri1HRsnIzCtzlaQ7rySJibECFvgkMi2HkxNsDJSfIEqHGwWe4CySxp
sG7ksO22E/mZ7yOfO20FtE0XWEPqH/YFv7uwMYzeeIjSP16+/5RmOVEDjrdv
8bvj0O0HK2xQhHotid7kOiUpB0MQfWSi0KbBHshQw2rDFaeCapDfMJ8EuKwj
NN8AjifHMy24HC6LYEnDpzC4wFuW4fwyfAD3JA0uT2Prdy1Uzy4YZffn94UU
TTyqA4yJ0fLULpONf/5YFSkGkYZdPmSRA1Nt+S+BR75mBSmbqjaKtKixbsPU
ijdIfwJ/GITNOyR9bVtemxSoHznWw5zg4Qfj+MLgCJNgeDwgbCTdmeVbZEuO
wSQ74JyzXD4zRkLl3mCeSHWs/la1zWCAuCzE2CBx5rmQB58KS1J4VElS6Zc7
DLuD1GRzu3ylBze2ZvGSJ0tOvaw4+rp6E9Lu3WUuAIYjpSXbg2mpXlSydXJ6
Dbl8lLdKgA8S9xvz7Wp1fcMU1hxJeogbA1MIaMBXXOa+sm12mbjXdP+TqB4H
ysbLquT2W3FljlTQUmttGk4xUUuYKsHOYIFtN6pm2tx9PpWspILglNQfdXbK
VclNjJPIJQ+BOKgOhQ7yHR4jersQkpSoRvY4SaynC4eh5LYat0130mBZa3Ti
vqSIs3wVeDP5nCwGmviHWPIY5vmkAwZg6qCC/hkkj2tLRBi+A3WcwfDa1n8P
5RDK4mx7rqeZ5cVmqU6rurMjPHBPlVBI7lMJeSD1bWIBeiDzZZfA1sbOmSxR
cTYPpHJccI8gMTZ+NAAFyTcnMHm9Xe8GYabvo6q4bOYv/VEzRrEfm7vce3ai
FjxV/2ovP025y6Zn85nikMODmM87owuTxioxBDCzi2PQtJPk0BTL1ALzlwgh
MvKKvMret1KgKl0sxZ6OYwxcrZx0Hk/sEhuw2alQmXBhsrv2tdEHrTHDyFdU
ScO2qWQ2xmHxqsQTZLF2mobOHeig9e1KSarhVIVnVbnAA6nmST1083VbreCi
xw+4ONeBlHoUiSKgWceunzzLmqNOqsyOLRKkRUtpwdmBqNIqMuGw/mEvWso6
pTG0rq2l414gGF9BcSowyZYvPXwNMop1U/l1+KwF7qc7CJM7o+oLHLgZHGoy
CCeS+kXf7CJORQiMJheOpXpdXXfB8Ep0UCGMcWa6VYE9N8cT5ThfOJa+SwK2
vJIWJCV/jrJursahxCiOhds7rrMSmD+d7MioBq49PdBU2M5kPic05z3KTRg0
T8W5tFRIivNcSTs9unxxct4rl6MRIKL2trfS7GW7+JllEw1mkxFJM4m+lqh/
DRfur4CaWScuFZ/At9CNG3AE65UXUvzcSEL4kJ62GLtMRxJK+KEF+oHQY/xk
iDN+lFC6gxZhp+KF22VNfEi+AaJcT59jBLh1GnmT9OpdUKT+KaMf53tomQqQ
6J+qHfV76sDNd8Z+Tvc/V9/h4AXk7o4FVm6FUmXCO7ix+kIWnh5GFkCTwPvV
EqT3Trg81f1gA2tKQJfINFC/2mylRThhZF94eX5X+IFwU1oWpkdpdzoFhopx
Y9Q1OndrZiadgBDBBvvniGVEhndGBlCVZCYW2s451IN4nxXrJUa9MMJauwEE
vXGJhB2ExT7a9bhGKwQX2KInjw6L+XJwevDBMmapmhj9YEYt3WrmmLrfTkHi
0dz4idFPci3BR4xmdLUJwZNXpjF1lWoKyeryL0axzKYMA8LIVnRIQKNHnLsD
ACwWBoJRYBDEFQ0Z45/tjBIhYsf1mhy23J5tyST8SBLRbAP4Tr/kki5o9w/E
40zcwr6nN+VW191s24nNY45OjyXXYHr44tHXGKT2B69TwdlTYh9f7m+q69gc
4IdNG6U7Vh+abKstDggthv4MVknLvuSKtr6+1RJt2il6cIFDjuMIPbk4ozoY
71dJz3UnI+MsEzZelGSfBiULKCLiPx4qUawZS0S2UTuGW20laQZzrLdteU7M
leyxGvuL6dft9UaRC3N9zXjkol2hS+7cOipNSLQvExU37uCh0uVpbSRUWmpy
JUSOf1YldN1kVy4pDtcEAKE/haPg0Nkyo3XTIZFjRMiQU+EUlD4dDpVNCjjw
0QDIfI+bxfGZlSooV3212q41sg1ODsvbIurDoOhDxiiCFLvaSivXb9W7T7Be
LzHUua3O0eXNRndtLoGhWNTAijV5Kn85hgrxXryDEtd83gC8FzgNuWUkx9Sb
KgKTWpVvML0E1I1FheTHV9ucU2iOOMyHzqlVOd+FpbI0drAAaF7Wq5r2Ohne
wQAl4tJn9VKcRx4b/7/arv25jeNI/75/xRxVdQJkACGp6MWTXEeLsK2KXkXK
1rlSPnJBLMENwQWDBfgoWf/7dX/dPY/FAqIvd0olIcHF7ExPT08/v9YMRF5F
n6OXmeQgNOEEIt7m0IOcSu8TWg0ygV6Z5LawWAnJVIwWk77S0hAVj3SKTH68
Vf8gMiG1+blrHi0cDmldFoKMoGxLllRTQgyayRFCkTBj5r9pIWCjPA04pOBc
C14lzijlHWXRkI3udLzySsJvEFCxfIU7GM35zIcgV+pqMdOq38bQFhdQaUv0
0+o1nRneK8QuDO+h+mVK3AfY1J7IYl/Lm2ugq/6G2G1Bm9C8ivUOHNWwbds9
NvTYc0AWOKAqFghlgoDC6AmORwQoIPOFb1PDXyyDYz9wKk40T1Cz+5H9yzx2
Ayl0U44Zqq4qus5a3NGqSi74gKAL8/HZ2bKVPqjnM+TF4dPiWYo2o6f8lUYt
LTyKCyd+4wcN5MmF7tMzzMj0Z3jCiYxXokxAdceNgwO1+rAK4/ZOPWvTLNtE
sF+6Hh1JH/SnsiZOy+WuIsqiPWXwEWaI6y9pEhWdmD1U0ggL4K69MEe2ghMb
FxGRJ+zinNapvzFTT2PPjZYLSBFTKsNTkTBCnsgJyedjEhNlRWomiVCyQtAc
oWYRyFmh6xdc8aaV1/npnYG2yNw1vWle+7xcXkBm12Usqfza+VSoFn0adqld
qn6aZUTcciJg73zhg9pyNdjR0NRS3efWkXSfM8/O2CK/vAUen80X/Wl+x/FZ
0ViQdg6UIcZRIIVyji7ZU+LeKSDlw5IsY2hEnCgsDS8wqatv9t/vt6iqXO48
O13C4AxYN418Abi3vY+FdR2MRncVV0rd7WXZI4YveV1e8bk5Wpbs7+98+XKx
6J/is36Nz75+7eo77auuPjdQkSXSo3MkY0KjOHNbTU7YkjbQAvMuThbmK1zc
12UuAlH3VGZ/aAmzWoL15cu/Hf74+vnO7lPWqY+KgjTscfH1q4iRUCze2hic
F3lQyK1BQw5vrwBu3zkY1l3GVfjxtRsevPn04XDPfWSxiCTjaU5H8b/on1Oo
DR7M2x/8HS3o9+D1cHtGG4NYR5O+WbbvhLgOxIXnJjD0KWp8/A6Cj2aTeX5F
h5HPELPzNdosjbMIaE/cPRZ6zYGSyjK5THjB2HdgU5IZVDmXvIQSFP6gRO/Z
iuUsDbAuxYB94DtPdTSs7z+y6Bda/PHbX98e/7x/9PPx0Zuf3Cv36/7bX4aR
C5tms7ysfAmf5y/pChDhLfUdIvN7uFaI8iS+TlOTPabqgJ5/T8vSx9E9oP2p
w4KvP87xH++5zwowUi+v+DhrqJEN0MaOHQ5ff3j3bvj+YHgwIOvzV4YbNRB2
nvrWb1s9t/V+S8KvWwdbvTQNgNsr38gVOS7OcvbARv4EnudWNLEtJRO/mQZl
/l/4YFT0nKPZoZ8wvZ4vM34vJ2zMcStNNOyIh8SSMQh6DygRfTHoLIaTwFU4
+wL/lRxH+rjvfttzb1IIdZ4c3tWglySCIt2IgVLC00BnitpjXRY87bLGCGdl
iPxqQZ/i90BBkNwDKdwcDzDSa9oIBh2bB8EEk1hPZxC6/GnyLkvyRMt5Hgoy
DlWtci1JwWiwDrACPwQpXynD0P3as8IWskJzVpR7EiUNe2cgCSAMfw93OM9v
KUDwq8hpGK/tvnooOU5e0IqJO3DvbIqqfajuIYRPFsUqQTpBURW44yyrXQy6
VTe+A7Uf0l0nli88yyNtN7p8bTcC3Wmhge4Scs2RrM56DQYchboE4bn3a3mO
vQttjMQ+XVGRSLc1tN6xebhMB4+41XVyzrpkdlOnOrMSV7pFD3WVp70Cw2Mx
b4dJpbw8zW9sDQcbzw17l+AXkUmarsLvH8n2s8z3PSrmFyK37WrWSWu9512Y
hb7qEgnHGgKSYAGTmBjvsvZN1aEB1swA5uHJ3U2RXzQup6hF1lzq/6JFR2+T
Ol6UkyDlTpknvLaK4v4ioTWIJsLcqz0WrGgRz14OZNoh3R8Hukn+kJvEhX9/
4K5wa/794Q75v8WZ/pr9sddv/Fv9pPnX6AkawG3fbtO/5B3Do+Hhr8RwrTPo
8xOkckAf8QPsxI/QXbuz+/z46Of93SdPjz/S/8R//a11gN31AwzHu0+e7LzY
NMCPvIQ+/0D/QCItVmCh9ZH1fdqNX+qidQnZD6zqxhtX23UkrlJ1k9fnhmkX
IQyv04OgJzCT0Dk/j0uIWcvf79O69B4+s3zwL1+Ofj7iO6zvTt6fnuy5naf8
49/4Rx5odMfmhqVPJaHG8+K2b9CQjA8ANJnnuztnz5+92B6/ePZs+8WzF09H
fx3Tr48fP3l2+vjsyYloPS17taITpspP6hJPVjZ8fXC0H1Ln3r85+sSUJBPq
I6+YpT67RzUtxYE25kpXqlh8SKSbqLMD9zFyjDZwMHOWFcsKPkeBPPbwWxFx
j4av3U7PWj653cF2j93vC/nlMf3HHfmkGRqw8RJJGKhYNAaNmBPqacb9EV35
o3KCPuzQdxfFhDVhSUmqB0ozDmE2qEUf9ZnkfSF//9P+mxWmYO3mxePnO2xs
CBloeq2EcH+eBjRUSoU2prDz9y/whY7Qtrbn2493w9p4ZXoHhrGwSGIH69CV
DhLG2Ezo4cHn/cODI8yECf5kZ/cbBM9csLI0+LyYL8EFuMwe7+JQaglBm2Xn
Ps7IRP/ygOzDLFtjVsoKoL8Go8Mb0gL9wJ8Cp1AjemTdMTTMTVFcOI4rceyA
zJDZ2PzFrZMhK5OLEemW44wXGjJ7SfY1jd6XMf6zLBZng9l88r13O4/hGeSK
oqgroipM/I5hHVd9zjIBSzFVln8LsB1qlPhaKVEF8edeNCAUPngprotMCaJj
aPhEFIGaPqwhmHGli0bgzddcsYERRcp8pFqwC8OQns6SBDGL5vEwIRXWpKRW
1QcgIFUWO1Tq5egfwJctBpNBjy0nyXOHt1420SwcwLXafm+x8c9BZW98Rnua
EAcrssa5QiTeF1KrJGtj3rK6XuxXha0GxeS0rEM5aeui4SphR82AuKlCCayu
3Xs0K1Q05ioVzdVt2jgbF/VyMuE8R3YX5fAPnLNxryG9RcjYjDL10O6jZZcM
RzpjM0gqtvSSz+0AxEGd3R035gxzDoSREjqC88Rv85vh0U8PaU6LhbgWdItr
MnDxa6h0fVkW9SQ6HTGNgNJMEnEO5xFNL9SHgwohv0l30COW2Qp4pAhPlF17
ouQne+nbQtfON348I2Ek3ibAVtog0qaK21EiisYhOTp+GvtomoxzQ8SGtSek
1DypyMwT74G+IIv8Izo52FbiZ2QlmCFoWeVlHx8SMjG4VGEFISeJ3VHJuVIo
Mi8UM4hDz54JZJuit2/gYJ4EqKFcaNLCd86wY3U+S+vVCp8YxVY+XZkcemQ9
LwP08xkMgUVqCRvDlHVDDAkv8JWMasBKk7ZoawoJruXMm/kY2c7a6FNFAACc
EkrLsa1RMi62r9Y2Z60PBhuMVqFlpXlaED+rzmgRUtnHxpAipWR5FGUTQmmT
bPzst4iNItuDfyzHE0s9wrUJhtSbIiM1od93o/z0Av5kLYxW2G8niVIAy6Yr
kwjGCtVt3+qn+5IRCED6r6KnBD38493iHGsdsxvrUmx2nBVfE+FVAuGgKr9m
b7wVJdtbDFlS0w/5ZepyvMIrUIsJKFW6EcM6pwyUSWS7mt0IsOpulAZ/O3BD
uuxJ8Msls0eDcAuYRecyX5wPzqaz2Vx+nM4mndue2+12uxnRlSPSu53bruCI
k1y9da9euW2DFXfa1tNt44ML90p/ukExWefWff+9u+i67+OvXLjvXrmdLPr2
RX8n02VZQABIC2OfKyu5R2+L/FqdivLcdk+DvfD3LGoaJPyRNM1icaod13gw
9gTRvMZzjuUJbE84R/hO3aMROBCBAlMZRiurLvPbMDn+qx/qarpERHUgBONn
Uor9OxuYO3+KcJ5y8t0uf3lnIwmNgMiV8g0/PbpqGbKP2O9zUp0E0DWeNn+t
U+msdczOjnv5Ujig6nbJaI126WwhBBCUbzm12mETtDZinC08LXiRRh0jzkWT
KnlJOs0QxWokOjoPkTEGThB3lSf7w2481Vv3364DKtOMOxc8V2JgI4n4Wr49
XTzI7F/9f06ZjpCf7+NkvoEBaPtfuSq85BYTATGTZUvw4IEJMGlcEMsuESZ9
gan9PxBaKZBCXN+Th1oa081QY54A5TYl2aF2BV4g3wzCzI8pWex2d3AeOl0c
En7lbDzo0/JQxQ5vObmthT6habrB5bIezjvOEMrHCZKzPwQc4nrl/v57ht8e
uA9if0G+1mZ9k/Ikh1/h7+aF5nrlqmUnCdrVINriT3MuV7UNlqdf2Zkrqg69
Xw+dPUOfDGRjO3i86/9Sqm1DgjZiGv43ovdf2BJ+SG4WS5JAOpgRFJmyN4V4
Dpb0Mo7Dkq5by9Txt2N8QpOlCf29v/u7+F752fQvO0o7WW/01e9okfEXWsgQ
v+i7+Nmu+8tf3O6focnLV02ipKvAU/7vdAkU6dPpyuTp+BDSFLL/JSvjgLTh
X9N4If88xcDGheRTfu/R9vyBIkTL26RfeOPppDqlZj7lwyETaxwPCWeQiOwJ
Q5BQOg5IH3xgeiJHj6tZ1fhLpkeLBwc1jrFv3UDvB67zsR0/JDRNTUtYu+7D
YevXBaipfYg17VUD89gNeA3uEYQPOlz0NvpCh3+0D+nv9L3GskbFsbeWkvWF
cTmJLaGdDU1/aKGfvkKEUqvUkoAaeJQrHjudko4ZL7vsYdACgWKeEEsWPh7x
FnR7QehgpLNyCofPscrBa2kyAtuBDvcefe13HoRjRK2L/j05JPFw/9JpiZp6
CAVoMAVhDydGHwrFoumx4BMkLB5Ga9Bz0Wtj7eRqaNmFxX1oB8kEvlEW0mKS
9H0byIc7n3tfrWCgpkiRWt+18thJihsQd8Ty6fRR5/SQRZIpnBkn0Ek6svX4
FF+b1xQid2aSBaJ5XuwaWCymBVDWgX6ZIOp9grrN0VVoI5M7H7wjCixPpTQe
Xytr2kVjOjgJ0qpxVO5EZVDzdYj4CHRfB9DasZUj7VdiQKZT8e0mUJnLeeVq
p/jcFdjXmcIBPaydB71TV0xwD0ucQQBf2TiP4aMDVpf1hRdXDVDf0mXx9nMm
BTupuVchnonbHyRdlUIaKlJK+QJR9DkD8s5bGUd7DeVVlnYoATPIEpq8kOCf
JNwgLh1OcMtSkjS7nzCIi3c1iV/JndCVeOxpQHox10Vl+FTvLT2TpM7LBcol
4l2r6zq59XilSV2O9VHUTqHhpaeSos39kqQKX2AZkl04iSpWA6Rlo95Y6hkR
LvnnsmB0DE0Hkwi9kEi4MqnwkLxwmnfWTP1gf1B8CsQJirzQpVTJRE0eQGmf
DpAF+SZll1q/na4b1XQ8Hrf1VXQfEQ3X+bzMK+8XnU4zTxBNa5vRASIhexo1
/fWZyHjAd5CNiZdF1UtrQN97/pjfQVzFdUx4MjrqWVxBxKKT8xiHIOg7TbR/
a4n2plkdBmj1d+HO+UzncHYjknVDtj4HpyqPDgMHVzlZqmPMx2iVaqtZ/Ex0
a9SldYy0nCU7agcrCS5CaPZvJtCa1neLp5njXJFYCn13YnRETAOJpowMJLjO
5TxrrqpnaEMCGLv6qmoV8SHehPbXrBCvDR0vv5SyEEGryidFQKVeIZ7cTuCa
yVzsXLrDGGGJvdESG8ZqICMzhPiksS9Cie2DYpW4lDw2EiOqLiFkzd/Psl5A
LLkDeVBh1Kersc1NjOU6h+8+dzUPUmozNCu5GnNm/F1gnswu2TVQrj0Fq1Q3
ch3LfaftKBX8Uymx9KBpvs4lqoBZaaH2Kc5plxR9uuc4wKHgWesKMNmoFFhY
+GHoWBq30OJNTgARZV2fAtQS5SjcWYvpGeoT5G5mTgvkVgSeFvxbLYnxYaLN
B12M4xUezbVGuT1T3utPVs3Q+6bE0RdlPCWeTlTJEA7gaTHH/4d19ufFNF8E
5ME31lFUQdGy9UtDGE15rGfIMIBLGhWrMEK0cwNJi04q9gJLWVwDOI35+Jrm
QMc4oDGkG5npRsb1huvRXRPwy5VWPsRudHwkl4aBBO0avBx8U4z7u+DdZ8hk
A/5F6t/ssriRuO+IdFnWn2pJ7Zb4i2Y1nJO8kNoJYiop851ZzlfuO3A9euQd
lUB53QAKq5ug8XESc9WiLOaDR4+AnhCUqNRbt554MdjWONKf0Z1FvAXJ+5OR
esFbLi74JqOkR5iO7E0xnQ7cUCtp/Liymg0xEJQjStRZm3LY0vntxfRMehFq
HR37pxXvUx2AKWxMuUrA7CesVSQP+/aEBSWavIEEYBI24RoD9jIlDdzApRBJ
o4lXOcpd/ApWZweVq0G8ShIYFwoH/OfYBuaN7zIJbimx+bORAewSFwRwEs78
Dwb1vV6RPBj3MA1lpy04xiuTw1n33TUHvlHY/ZY5W6x7kefVTNAMorDAwB3l
vj3VcelNgxXUmLC8tYD8puXSQP7p+wzYAIBpBC3uR4Cwlyyt4FfA2Vg5ifwO
XNUNYxTV2qGpUD+6SW5wD339qvBYwajxNUc+51muvpgAru+Iru4lS9ITznRj
hrgpBOs82e9gvLPQjcG8PCjtuvtqpkrYCX/zpXv39kTn6gvuIF8MdHbd/Oyr
Ntx9eS9jesdtXMVLwIlPYM0QypaZyEUcpSp5k1lSc+TUMJgwVwZkgpox29y3
1oDmDeB3VSmE5ZU1pHQMneFQ5oyDuAmp2Uqn2RVQITdBQgZ14VMBW1QzrDYw
lRdhr7XgLNJ7AlPGk8W9yXdrZIOv6Z2cBDUSwSl35eaXsp4C3Piykp5gKzIa
HAIUEo9R3mvtbfJNoUF62cLsV4XPi+4JjFLWqYwRGP8oS74jHb5097vJFa83
k0yKi+f8mHIRzdlHEfDYPZpbj62tqyupjRdeRIBrc6+kLJJipPSUl87KjrWz
DAMsmysieGrD8qxhg8iubMR1F8Wq3oFb0raryR5rZ7ieP1b2rWVucR6FqdCy
xjLai4iLQhPQG0muy0WTZ73B2wsivuAIzMyA8kp1ti+A1CYtYVVHvcQ37ETr
OrP7rfMT35XIuWzWToZylzuk3T569JqVhZ09PVZtW1rW61SzBWqd1h8M9Rny
S8VKEnIbA5uaXXLONBSYpvbgJ7hrE9wgPMvkpDRn2Uqow4Ldk74s/lvaouog
D3m+qjIHvCrwcKuCHZFh3Z5lWrNzY5d+48ZfJeUmAZg5xedIoW2TOAp8LJFR
zSzOAY6z5RyKul4MjX14zPvw3nR5GS8fcRppxFkt0xUZwtU0W5fleDwttiI6
t8V+mjsrOT0R+0ma9+KbLOFvDvvmwP1QSO0O3ojZKGZVsNNse63Wbl37AL7h
uQNBU0eTjpxiL5myngtedz4uTzXe4VXrdUswTRA1UvzgFqTF1vo1nzVWtYaV
uUghmCRMWFzn+ybeOfNlOju9cPVFcaNWUks1+ZL9AAz2HgHJks7EQac6a+HQ
tZ4ja0rBpsR5udDM4HKe3ErEekNGOWgZOLRoEz9gLrej4qcmbJUV1siszYiT
q2/1c5iSpeHHZY1zLtdcvZ6HRTQpXlDoS2FLyVaXIlEfg/oNMtPM/Z4gPmyg
BbJm9RjXfuXeZwyMSVM4AyuKP2b9sNY0K2ux0rjJhzeSxoY3YleczYvVrsTA
EjkZ7rb7DRpR0Y+sCftIbb9V7JPkXe47WDHqDZ9OjT4NvwoGUvSZ8HIT5HNG
yzdDqM3aaXc8ZsHaocPUYA4b1rLNgy3iCySiA8naH2sniwiZ2Ny5vRCxYLed
/DUD6EUedeGOQTBC4ZnCbENnKyZ6gdYK8aLHHRAeIQi5rPLrWTnOo/BvwxMX
YibeeTqSzAG+dLIIeRxefGCHeBAJD3FlMbFSMCX+B9+AE6X1DwIA

-->

</rfc>
