<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-mls-targeted-messages-01" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Messaging Layer Security (MLS) Targeted Messages</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-mls-targeted-messages-01"/>
    <author fullname="Raphael Robert">
      <organization>Phoenix R&amp;D GmbH</organization>
      <address>
        <email>ietf@raphaelrobert.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Messaging Layer Security</workgroup>
    <keyword>MLS</keyword>
    <abstract>
      <?line 33?>

<t>This document defines targeted messages for the Messaging Layer Security
(MLS) protocol. A targeted message allows a member of an MLS group to
send an encrypted and authenticated message to another member of the same
group without creating a new group. The mechanism reuses Hybrid Public Key
Encryption (HPKE) and the MLS key schedule to provide confidentiality,
authentication, and binding to the group state.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://mlswg.github.io/mls-targeted-messages/draft-ietf-mls-targeted-messages.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-mls-targeted-messages/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Messaging Layer Security Working Group mailing list (<eref target="mailto:mls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/mls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/mls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/mlswg/mls-targeted-messages"/>.</t>
    </note>
  </front>
  <middle>
    <?line 43?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>MLS application messages make sending encrypted messages to all group members
easy and efficient. Sometimes application protocols require that a group member
sends a message only to specific members of the same group, either for privacy
or for efficiency reasons.</t>
      <t>Targeted messages are a way to achieve this without having to create a new group
with the sender and the specific recipients, which might not be possible or
desired. Instead, this document defines the format and encryption of a message
that is sent from a member of an existing group to another member of that group.</t>
      <t>The goal is to provide a one-shot messaging mechanism offering confidentiality
and authentication, reusing mechanisms from <xref target="RFC9420"/> and <xref target="RFC9180"/>.
Targeted messages can be used as a building block for more complex messaging
protocols.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="format">
      <name>Format</name>
      <t>This document defines the <tt>mls_targeted_message</tt> WireFormat, where the content
is a <tt>TargetedMessage</tt>.</t>
      <t>A <tt>TargetedMessage</tt> is carried in the <tt>MLSMessage</tt> envelope defined in
<xref section="6" sectionFormat="of" target="RFC9420"/>:</t>
      <sourcecode type="tls"><![CDATA[
case mls_targeted_message:
    TargetedMessage targeted_message;
]]></sourcecode>
      <sourcecode type="tls"><![CDATA[
struct {
  opaque group_id<V>;
  uint64 epoch;
  uint32 recipient_leaf_index;
  opaque authenticated_data<V>;
  opaque encrypted_sender_auth_data<V>;
  opaque ciphertext<V>;
} TargetedMessage;

struct {
  uint32 sender_leaf_index;
  opaque signature<V>;
  opaque kem_output<V>;
} TargetedMessageSenderAuthData;

struct {
  opaque group_id<V>;
  uint64 epoch;
  uint32 recipient_leaf_index;
  opaque authenticated_data<V>;
  uint32 sender_leaf_index;
  opaque kem_output<V>;
} TargetedMessageTBM;

struct {
  ProtocolVersion version = mls10;
  WireFormat wire_format = mls_targeted_message;
  opaque group_id<V>;
  uint64 epoch;
  uint32 recipient_leaf_index;
  opaque authenticated_data<V>;
  uint32 sender_leaf_index;
  opaque kem_output<V>;
  opaque ciphertext_hash<V>;
} TargetedMessageTBS;

struct {
  opaque group_id<V>;
  uint64 epoch;
  opaque label<V> = "MLS 1.0 targeted message psk";
} PSKId;

struct {
  opaque application_data<V>;
  opaque padding[length_of_padding];
} TargetedMessageContent;
]]></sourcecode>
    </section>
    <section anchor="cryptographic-algorithms">
      <name>Cryptographic Algorithms</name>
      <t>All cryptographic operations on a targeted message use the cipher suite of
the MLS group in which the message is sent (<xref section="5.1" sectionFormat="of" target="RFC9420"/>). In
particular, the group's cipher suite determines:</t>
      <ul spacing="normal">
        <li>
          <t>the KEM, KDF, and AEAD used for the HPKE encryption of the message content
(<xref target="application-data-encryption"/>),</t>
        </li>
        <li>
          <t>the KDF underlying the <tt>MLS-Exporter</tt> and <tt>ExpandWithLabel</tt> derivations
(<xref target="authentication"/> and <xref target="sender-data-encryption"/>), including the value
<tt>KDF.Nh</tt>,</t>
        </li>
        <li>
          <t>the AEAD used to encrypt the sender authentication data
(<xref target="sender-data-encryption"/>), including the values <tt>AEAD.Nk</tt> and <tt>AEAD.Nn</tt>,</t>
        </li>
        <li>
          <t>the hash function used to compute <tt>ciphertext_hash</tt>
(<xref target="authentication"/>), and</t>
        </li>
        <li>
          <t>the signature algorithm used to sign and verify the <tt>TargetedMessageTBS</tt>
struct (<xref target="authentication"/>).</t>
        </li>
      </ul>
    </section>
    <section anchor="authentication">
      <name>Authentication</name>
      <t>A targeted message is authenticated by the sender's signature. The sender uses
the signature key of its <tt>LeafNode</tt>. The signature scheme is determined by the
cipher suite of the MLS group. The signature
is computed over the serialized <tt>TargetedMessageTBS</tt> struct and is included in
the <tt>TargetedMessageSenderAuthData.signature</tt> field:</t>
      <sourcecode type="tls"><![CDATA[
signature = SignWithLabel(sender_leaf_node_signature_private_key,
              "TargetedMessageTBS", targeted_message_tbs)
]]></sourcecode>
      <t>The <tt>ciphertext_hash</tt> field of <tt>TargetedMessageTBS</tt> is computed over the
<tt>TargetedMessage.ciphertext</tt> field with the hash function of the group's
cipher suite:</t>
      <sourcecode type="tls"><![CDATA[
ciphertext_hash = Hash(ciphertext)
]]></sourcecode>
      <t>Covering the ciphertext hash binds the signature to the encrypted message
content.</t>
      <t>The recipient <bcp14>MUST</bcp14> verify the signature:</t>
      <sourcecode type="tls"><![CDATA[
VerifyWithLabel(sender_leaf_node.signature_key,
                "TargetedMessageTBS",
                targeted_message_tbs,
                signature)
]]></sourcecode>
      <t>In addition, targeted messages are authenticated using a pre-shared key (PSK),
exported through the MLS exporter for the epoch specified in the
<tt>TargetedMessage</tt>:</t>
      <sourcecode type="tls"><![CDATA[
targeted_message_psk =
  MLS-Exporter("targeted message", "psk", KDF.Nh)
]]></sourcecode>
      <t>The <tt>targeted_message_psk</tt> is used as the <tt>psk</tt> parameter in the Hybrid
Public Key Encryption (HPKE) encryption.
The corresponding <tt>psk_id</tt> parameter is the serialized <tt>PSKId</tt> struct.</t>
      <section anchor="additional-authenticated-data-aad">
        <name>Additional Authenticated Data (AAD)</name>
        <t>Targeted messages can include additional authenticated data (AAD) in the
<tt>TargetedMessage.authenticated_data</tt> field. This field is used to carry
application-specific data that is authenticated but not encrypted. The AAD is
included in the <tt>TargetedMessageTBM</tt> struct.</t>
      </section>
    </section>
    <section anchor="encryption">
      <name>Encryption</name>
      <t>Targeted messages use HPKE to encrypt the message content to a specific group
member.</t>
      <t>Unlike the HPKE Base mode used in <xref target="RFC9420"/>, targeted messages use HPKE PSK
mode (<xref section="5.1.2" sectionFormat="of" target="RFC9180"/>). The PSK is derived from the MLS group key
schedule, binding the encryption to the group state and providing authentication
that the sender holds the group's PSK.</t>
      <section anchor="padding">
        <name>Padding</name>
        <t>The <tt>TargetedMessageContent.padding</tt> field is set by the sender, by first
encoding the application data and then appending the chosen number of zero
bytes. A receiver identifies the <tt>padding</tt> field in a plaintext decoded from
<tt>TargetedMessage.ciphertext</tt> by first decoding the application data; then the
<tt>padding</tt> field comprises any remaining octets of plaintext. The <tt>padding</tt>
field <bcp14>MUST</bcp14> be filled with all zero bytes. A receiver <bcp14>MUST</bcp14> verify that there
are no non-zero bytes in the <tt>padding</tt> field, and if this check fails, the
enclosing <tt>TargetedMessage</tt> <bcp14>MUST</bcp14> be rejected as malformed. This check ensures
that the padding process is deterministic, so that, for example, padding
cannot be used as a covert channel.</t>
      </section>
      <section anchor="application-data-encryption">
        <name>Application Data Encryption</name>
        <t>The <tt>TargetedMessageContent</tt> struct is serialized and encrypted using HPKE.</t>
        <t>The HPKE context is a <tt>TargetedMessageContext</tt> struct with the
following content:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque label<V>;
  opaque context<V>;
} TargetedMessageContext;

label = "MLS 1.0 TargetedMessageData"
context = ""
]]></sourcecode>
        <t>The <tt>TargetedMessageContext</tt> struct follows the same structure as <tt>EncryptContext</tt>
in <xref section="5.1.3" sectionFormat="of" target="RFC9420"/>, but uses PSK mode rather than Base mode. The
<tt>context</tt> field is empty; the message is bound to the group state through the
<tt>targeted_message_psk</tt>, as described in <xref target="group-state-binding"/>.</t>
        <t>The <tt>TargetedMessageContext</tt> struct is serialized as <tt>hpke_context</tt> and is used
by both the sender and the recipient. The recipient's leaf node HPKE encryption
key from the ratchet tree of the epoch specified in the <tt>TargetedMessage</tt> is
used as the recipient's public key <tt>recipient_node_public_key</tt> for the HPKE
encryption.</t>
        <t>The <tt>TargetedMessageTBM</tt> struct is serialized as <tt>targeted_message_tbm</tt>, and is
used as the <tt>aad</tt> parameter for the HPKE encryption. Note that
<tt>targeted_message_tbm</tt> contains the <tt>kem_output</tt> of the HPKE encapsulation.
The sender therefore cannot use the single-shot <tt>SealPSK</tt> API defined in
<xref section="6.1" sectionFormat="of" target="RFC9180"/>, because the <tt>aad</tt> parameter depends on the
<tt>kem_output</tt> that <tt>SealPSK</tt> would produce. Instead, the sender encapsulates
first, constructs the AAD, and then seals:</t>
        <sourcecode type="tls"><![CDATA[
(kem_output, context) = SetupPSKS(recipient_node_public_key,
                                  hpke_context,
                                  targeted_message_psk,
                                  psk_id)

ciphertext = context.Seal(targeted_message_tbm,
                          targeted_message_content)
]]></sourcecode>
        <t>In full, the sender performs the following steps in order:</t>
        <ul spacing="normal">
          <li>
            <t>Derive the <tt>targeted_message_psk</tt> (<xref target="authentication"/>) and the
<tt>sender_auth_data_secret</tt> (<xref target="sender-data-encryption"/>).</t>
          </li>
          <li>
            <t>Encapsulate to <tt>recipient_node_public_key</tt> using <tt>SetupPSKS</tt> to obtain
<tt>kem_output</tt> and the HPKE sender context.</t>
          </li>
          <li>
            <t>Serialize the <tt>TargetedMessageTBM</tt> struct, which includes <tt>kem_output</tt>, as
<tt>targeted_message_tbm</tt>.</t>
          </li>
          <li>
            <t>Compute <tt>ciphertext</tt> by calling <tt>Seal</tt> on the HPKE sender context with
<tt>targeted_message_tbm</tt> as <tt>aad</tt> and the serialized <tt>TargetedMessageContent</tt>
as plaintext.</t>
          </li>
          <li>
            <t>Compute <tt>ciphertext_hash</tt> from <tt>ciphertext</tt>, construct the
<tt>TargetedMessageTBS</tt> struct, and compute the <tt>signature</tt> as described in
<xref target="authentication"/>.</t>
          </li>
          <li>
            <t>Assemble the <tt>TargetedMessageSenderAuthData</tt> struct from
<tt>sender_leaf_index</tt>, <tt>signature</tt>, and <tt>kem_output</tt>, and encrypt it as
described in <xref target="sender-data-encryption"/>, using a sample of the <tt>ciphertext</tt>
computed above.</t>
          </li>
        </ul>
        <t>The <tt>TargetedMessageSenderAuthData.kem_output</tt> field is set to <tt>kem_output</tt>,
and the <tt>TargetedMessage.ciphertext</tt> field is set to <tt>ciphertext</tt>.</t>
        <t>The recipient learns the <tt>kem_output</tt> by decrypting
<tt>encrypted_sender_auth_data</tt> before decrypting the content, and can therefore
use the single-shot API to decrypt the content:</t>
        <sourcecode type="tls"><![CDATA[
targeted_message_content = OpenPSK(kem_output,
                  recipient_node_private_key,
                  hpke_context,
                  targeted_message_tbm,
                  ciphertext,
                  targeted_message_psk,
                  psk_id)
]]></sourcecode>
        <t>The functions <tt>SetupPSKS</tt>, <tt>Context.Seal</tt>, and <tt>OpenPSK</tt> are defined in
<xref target="RFC9180"/>. The two-step flow on the sender side produces the same
<tt>(kem_output, ciphertext)</tt> as <tt>SealPSK</tt> would with the same inputs; the
single-shot API merely cannot express an <tt>aad</tt> that depends on its own
<tt>kem_output</tt>.</t>
      </section>
      <section anchor="sender-data-encryption">
        <name>Sender Data Encryption</name>
        <t><tt>TargetedMessageSenderAuthData</tt> is encrypted similarly to <tt>MLSSenderData</tt> as
described in <xref section="6.3.2" sectionFormat="of" target="RFC9420"/>. It contains the sender's leaf
index, the signature over <tt>TargetedMessageTBS</tt>, and the Key Encapsulation
Mechanism (KEM) output of the HPKE encryption.</t>
        <t>The key and nonce provided to the Authenticated Encryption with Associated
Data (AEAD) are computed as the Key Derivation Function (KDF) of the first
KDF.Nh bytes of the <tt>ciphertext</tt> generated in <xref target="application-data-encryption"/>.
If the length of the ciphertext is less than KDF.Nh, the whole ciphertext is
used. As with the <tt>targeted_message_psk</tt>, the <tt>sender_auth_data_secret</tt> is
exported from the key schedule of the epoch specified in the
<tt>TargetedMessage</tt>. In pseudocode, the key and nonce are derived as:</t>
        <sourcecode type="tls"><![CDATA[
sender_auth_data_secret =
  MLS-Exporter("targeted message", "sender auth data secret", KDF.Nh)

ciphertext_sample = ciphertext[0..KDF.Nh-1]

sender_auth_data_key = ExpandWithLabel(sender_auth_data_secret,
                           "key", ciphertext_sample, AEAD.Nk)
sender_auth_data_nonce = ExpandWithLabel(sender_auth_data_secret,
                             "nonce", ciphertext_sample, AEAD.Nn)
]]></sourcecode>
        <t>The Additional Authenticated Data (AAD) for the <tt>encrypted_sender_auth_data</tt>
ciphertext is the first three fields of <tt>TargetedMessage</tt>:</t>
        <sourcecode type="tls"><![CDATA[
struct {
  opaque group_id<V>;
  uint64 epoch;
  uint32 recipient_leaf_index;
} SenderAuthDataAAD;
]]></sourcecode>
      </section>
    </section>
    <section anchor="recipient-validation">
      <name>Recipient Validation</name>
      <t>Upon receiving a <tt>TargetedMessage</tt>, the recipient <bcp14>MUST</bcp14> perform the following
steps in order:</t>
      <ul spacing="normal">
        <li>
          <t>Verify that <tt>group_id</tt> matches a group the recipient is a member of.</t>
        </li>
        <li>
          <t>Verify that <tt>epoch</tt> corresponds to the current epoch of that group, or to a
past epoch for which the recipient still has the necessary key material
(<xref target="messages-from-past-epochs"/>).</t>
        </li>
        <li>
          <t>Verify that <tt>recipient_leaf_index</tt> matches the recipient's own leaf index
in the specified epoch.</t>
        </li>
        <li>
          <t>Decrypt <tt>encrypted_sender_auth_data</tt> as described in
<xref target="sender-data-encryption"/> and verify that <tt>sender_leaf_index</tt> refers to a
non-blank leaf in the ratchet tree of the specified epoch.</t>
        </li>
        <li>
          <t>Compute <tt>ciphertext_hash</tt> from <tt>TargetedMessage.ciphertext</tt> and verify the
signature as described in <xref target="authentication"/>.</t>
        </li>
        <li>
          <t>Decrypt <tt>ciphertext</tt> as described in <xref target="application-data-encryption"/>.</t>
        </li>
        <li>
          <t>Verify that the <tt>padding</tt> field of the decrypted <tt>TargetedMessageContent</tt>
contains only zero bytes, as described in <xref target="padding"/>.</t>
        </li>
      </ul>
      <t>The signature <bcp14>MUST</bcp14> be verified before <tt>ciphertext</tt> is decrypted. The
<tt>TargetedMessageTBS</tt> struct covers the <tt>ciphertext</tt> only through its hash,
which the recipient computes from the wire-format <tt>ciphertext</tt> field, so
signature verification does not depend on the decrypted content. Verifying
first ensures that no plaintext is produced from a message whose claimed
sender has not been authenticated. The decrypted <tt>TargetedMessageContent</tt>
        <bcp14>MUST NOT</bcp14> be passed to the application before all of the above steps have
completed successfully.</t>
      <t>If any of these steps fails, the <tt>TargetedMessage</tt> <bcp14>MUST</bcp14> be rejected.</t>
      <section anchor="messages-from-past-epochs">
        <name>Messages from Past Epochs</name>
        <t>Processing a <tt>TargetedMessage</tt> for a past epoch requires the recipient to
retain the following key material and state for that epoch:</t>
        <ul spacing="normal">
          <li>
            <t>the exporter secret, or the <tt>targeted_message_psk</tt> and
<tt>sender_auth_data_secret</tt> derived from it,</t>
          </li>
          <li>
            <t>the recipient's leaf node HPKE private key, and</t>
          </li>
          <li>
            <t>the leaf nodes of the ratchet tree, in order to look up the sender's leaf
node.</t>
          </li>
        </ul>
        <t>Support for past epochs is <bcp14>OPTIONAL</bcp14>, accepting only the current epoch is the
most conservative behavior. Retaining key material from past epochs weakens
the Forward Secrecy properties described in <xref target="forward-secrecy"/>: targeted
messages for an epoch remain decryptable for as long as that epoch's key
material exists. Applications that accept messages from past epochs <bcp14>SHOULD</bcp14>
bound the number of retained epochs and <bcp14>SHOULD</bcp14> delete the corresponding key
material as soon as it is no longer needed.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section describes the security properties of targeted messages and their
limitations relative to MLS application messages <xref target="RFC9420"/>.</t>
      <section anchor="authentication-1">
        <name>Authentication</name>
        <t>Targeted messages use two complementary authentication mechanisms. The sender's
signature (<xref target="authentication"/>) binds the message to the sender's identity:
the recipient verifies the signature against the sender's <tt>LeafNode</tt> signature
key, confirming that the holder of that key produced the message. The PSK
exported from the group key schedule provides a second layer that proves group
membership. Per <xref section="9.1" sectionFormat="of" target="RFC9180"/>, HPKE PSK mode provides outsider
authentication, ensuring that an entity that does not know the PSK cannot forge
a valid ciphertext. It does not, however, authenticate which PSK holder
produced the message. Sender identity relies entirely on the signature.</t>
        <t>Because the PSK is derived from the MLS key schedule, it is only valid for a
specific group and epoch. The Forward Secrecy and Post-Compromise Security
guarantees of the group key schedule therefore extend to targeted messages. The
PSK also ensures that an attacker needs access to the private group state in
addition to the HPKE and signature private keys, improving confidentiality
guarantees against passive attackers and authentication guarantees against active
attackers.</t>
      </section>
      <section anchor="group-state-binding">
        <name>Group State Binding</name>
        <t>Targeted messages are bound to the group state through the
<tt>targeted_message_psk</tt>. The key schedule of <xref target="RFC9420"/> injects the
serialized <tt>GroupContext</tt> into the derivation of each epoch's secrets, so the
exporter-derived PSK commits to the full group state of the specified epoch,
including the tree hash and the confirmed transcript hash.</t>
      </section>
      <section anchor="signature-verification-before-processing">
        <name>Signature Verification Before Processing</name>
        <t>Because the PSK is shared among all group members and each member's HPKE
public key is available in the ratchet tree, any group member can construct
HPKE ciphertext that decrypts successfully while claiming a different sender
identity. The signature is the sole mechanism that binds the message to the
claimed sender.</t>
        <t>The <tt>TargetedMessageTBS</tt> structure covers the <tt>kem_output</tt> and a hash of the
<tt>ciphertext</tt>, both of which are available before content decryption: the
former from the decrypted sender authentication data
(<xref target="sender-data-encryption"/>), the latter from the wire format itself.
<xref target="recipient-validation"/> therefore requires the recipient to verify the
signature before decrypting the HPKE ciphertext, ensuring that plaintext is
never produced from a message whose claimed sender has not been
authenticated.</t>
      </section>
      <section anchor="forward-secrecy">
        <name>Forward Secrecy</name>
        <t>Targeted messages encrypt directly to the recipient's leaf node HPKE encryption
key. Unlike application messages in <xref target="RFC9420"/>, which derive per-message keys
from a secret tree, targeted messages have no per-message key derivation.
Compromising the recipient's leaf private key therefore exposes all targeted
messages encrypted to that key within the epoch. Forward secrecy is at epoch
granularity only: it depends on the key schedule advancing to a new epoch and on
the recipient deleting the previous epoch's leaf private key. Applications that
require stronger forward secrecy guarantees <bcp14>SHOULD</bcp14> advance the epoch frequently.
Accepting targeted messages from past epochs requires retaining old key
material and further weakens forward secrecy, as described in
<xref target="messages-from-past-epochs"/>.</t>
      </section>
      <section anchor="sender-identity-confidentiality">
        <name>Sender Identity Confidentiality</name>
        <t>The <tt>sender_auth_data_secret</tt> used to encrypt the
<tt>TargetedMessageSenderAuthData</tt> is derived from the MLS exporter
(<xref target="sender-data-encryption"/>) and is available to all group members. Sender
identity is therefore protected from the Delivery Service and from entities
outside the group, but not from other group members who obtain the encrypted
message.</t>
        <t>The encryption mechanism is the same as the one used for <tt>MLSSenderData</tt> in
<xref section="6.3.2" sectionFormat="of" target="RFC9420"/>, and the analysis of <xref section="16.3" sectionFormat="of" target="RFC9420"/> applies equally to targeted messages. In particular, using the
same <tt>sender_auth_data_secret</tt> with the same ciphertext sample more than once
would reuse an AEAD key and nonce pair; with the AEAD algorithms of the
cipher suites defined in <xref target="RFC9420"/>, the probability of two ciphertext
samples colliding is no more than 2^-128.</t>
      </section>
      <section anchor="replay-protection">
        <name>Replay Protection</name>
        <t>Targeted messages do not include a generation counter or nonce at the protocol
level. A captured targeted message can therefore be replayed within the same
epoch and will pass all validation checks. However, targeted messages are a
stateless one-shot mechanism: replaying a message causes the recipient to see
duplicate content but does not change any group state. Applications that require
replay detection <bcp14>SHOULD</bcp14> include a unique nonce in the <tt>authenticated_data</tt>
field and track previously seen values.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="mls-wire-formats">
        <name>MLS Wire Formats</name>
        <t>The <tt>mls_targeted_message</tt> MLS Wire Format is used to send a message to a
single member of an MLS group.</t>
        <ul spacing="normal">
          <li>
            <t>Value: 0x0006 (suggested)</t>
          </li>
          <li>
            <t>Name: mls_targeted_message</t>
          </li>
          <li>
            <t>Recommended: Y</t>
          </li>
          <li>
            <t>Reference: RFC XXXX</t>
          </li>
        </ul>
      </section>
      <section anchor="mls-signature-labels">
        <name>MLS Signature Labels</name>
        <section anchor="targetedmessagetbs">
          <name>TargetedMessageTBS</name>
          <ul spacing="normal">
            <li>
              <t>Label: "TargetedMessageTBS"</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="mls-public-key-encryption-labels">
        <name>MLS Public Key Encryption Labels</name>
        <t>Although targeted messages use the HPKE PSK mode directly rather than
<tt>EncryptWithLabel</tt>, the label follows the same convention and is registered
to prevent collisions with other uses of the same HPKE keys.</t>
        <section anchor="targetedmessagedata">
          <name>TargetedMessageData</name>
          <ul spacing="normal">
            <li>
              <t>Label: "TargetedMessageData"</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="mls-exporter-labels">
        <name>MLS Exporter Labels</name>
        <section anchor="targeted-message">
          <name>targeted message</name>
          <ul spacing="normal">
            <li>
              <t>Label: "targeted message"</t>
            </li>
            <li>
              <t>Recommended: Y</t>
            </li>
            <li>
              <t>Reference: RFC XXXX</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC9420">
        <front>
          <title>The Messaging Layer Security (MLS) Protocol</title>
          <author fullname="R. Barnes" initials="R." surname="Barnes"/>
          <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
          <author fullname="R. Robert" initials="R." surname="Robert"/>
          <author fullname="J. Millican" initials="J." surname="Millican"/>
          <author fullname="E. Omara" initials="E." surname="Omara"/>
          <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
          <date month="July" year="2023"/>
          <abstract>
            <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9420"/>
        <seriesInfo name="DOI" value="10.17487/RFC9420"/>
      </reference>
      <reference anchor="RFC9180">
        <front>
          <title>Hybrid Public Key Encryption</title>
          <author fullname="R. Barnes" initials="R." surname="Barnes"/>
          <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
          <author fullname="B. Lipp" initials="B." surname="Lipp"/>
          <author fullname="C. Wood" initials="C." surname="Wood"/>
          <date month="February" year="2022"/>
          <abstract>
            <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
            <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9180"/>
        <seriesInfo name="DOI" value="10.17487/RFC9180"/>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
    </references>
    <?line 547?>

<section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>The following test vectors exercise the receiver-side processing described in
<xref target="recipient-validation"/>. Because the HPKE encapsulation is randomized, the
sender-side operations are not reproducible from the inputs alone; sender
implementations can be tested by round-tripping against a receiver
implementation.</t>
      <t>All vectors use the MTI MLS cipher suite
MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519. All values except <tt>cipher_suite</tt>,
<tt>epoch</tt>, the leaf indices, and <tt>padding_length</tt> (all decimal) are hex-encoded.</t>
      <t>Each vector provides the group state held by the recipient:</t>
      <ul spacing="normal">
        <li>
          <t><tt>group_id</tt> and <tt>epoch</tt>: the group and epoch the message belongs to.</t>
        </li>
        <li>
          <t><tt>exporter_secret</tt>: the exporter secret of that epoch, from which the
<tt>targeted_message_psk</tt> and the <tt>sender_auth_data_secret</tt> are derived
(<xref target="authentication"/> and <xref target="sender-data-encryption"/>).</t>
        </li>
        <li>
          <t><tt>sender_leaf_index</tt> and <tt>sender_leaf_node</tt>: the sender's leaf index and
serialized <tt>LeafNode</tt>, which provides the signature public key.</t>
        </li>
        <li>
          <t><tt>recipient_leaf_index</tt> and <tt>recipient_encryption_priv</tt>: the recipient's
leaf index and leaf node HPKE private key.</t>
        </li>
      </ul>
      <t>as well as the message and its expected plaintext:</t>
      <ul spacing="normal">
        <li>
          <t><tt>targeted_message</tt>: a serialized <tt>MLSMessage</tt> with the
<tt>mls_targeted_message</tt> WireFormat, containing the <tt>TargetedMessage</tt>.</t>
        </li>
        <li>
          <t><tt>authenticated_data</tt>: the expected content of the
<tt>TargetedMessage.authenticated_data</tt> field.</t>
        </li>
        <li>
          <t><tt>application_data</tt>: the expected application data after decryption.</t>
        </li>
        <li>
          <t><tt>padding_length</tt>: the expected length of the zero-filled <tt>padding</tt> field of
the decrypted <tt>TargetedMessageContent</tt>.</t>
        </li>
      </ul>
      <t>A verifier performs the steps of <xref target="recipient-validation"/> on
<tt>targeted_message</tt> and checks that all validation steps succeed, that the
decrypted application data matches <tt>application_data</tt>, and that the padding
has length <tt>padding_length</tt>.</t>
      <section anchor="vector-1">
        <name>Vector 1</name>
        <artwork><![CDATA[
cipher_suite: 1
epoch: 1
sender_leaf_index: 0
recipient_leaf_index: 1
padding_length: 0
group_id: cc545d00feed847c9fcba01ca8b4987a
exporter_secret:
  05971f5e2b9993bcafa0a3d56807244c66a3c93b4e439c7bd5cdd169be0f4381
sender_leaf_node:
  20261fe9ecdc72ea51d0b6fca9ca9ac9f60cce427ffefefe5b69f9b1c6ddfe03
  7920086ea8e6a03548f2c0c01822d17a7b740246fade24764cea0bfb15dab691
  7acd00010673656e64657202000106000100020003000002000101000000006a
  467e24000000006ab54a34004040864a206fc50f108bdfa0444aefb4e128a66b
  9eb41b9c6cbf966cfd4ed512a7ba487fcb4b0e18999f67ee08a301538c3f7d92
  b28ac24103c61b92192df4d52905
recipient_encryption_priv:
  26bd8122d929b7eb26efb4669803d5faffe166027c33a4b6965379b452978d7f
authenticated_data:
application_data:
  4b41542074657374207061796c6f616420666f72207461726765746564206d65
  737361676573
targeted_message:
  0001000610cc545d00feed847c9fcba01ca8b4987a0000000000000001000000
  010040775fce6b31a536d82b8622160021b9f8d334a0f90215041a63f9bbbab9
  904f01d4d0639f70cb46058325779b5183a341ad21d83bb541930994320ab0eb
  aeade031efc60de304661bdac6bde5746c152f39dd083664cddd07d93ddc7361
  fc49f928044a6971c270dfec5d2d0ac6b63053f0c56308332b3eb137baeda80e
  696a69ce98d42e38d68823767268900a4af6ea2b0973a099c82a51268a318c6c
  699e774895879be7c35c1e7f557fcc1733bd93
]]></artwork>
      </section>
      <section anchor="vector-2">
        <name>Vector 2</name>
        <artwork><![CDATA[
cipher_suite: 1
epoch: 5
sender_leaf_index: 0
recipient_leaf_index: 2
padding_length: 64
group_id: 819eec2f706ac61ee9bafd7b9fd31cf7
exporter_secret:
  249a5afd41a1f2fea3b3f3acf23a2e8be12067ef1e9922663287204be7571f00
sender_leaf_node:
  2060a9e120484d9c6506aeff9749bbca4ee725c40b6575ecaf080d392323584b
  2520f3791381dd844d3c5d9b900ed98e69dd424a5509b69789629ae0ede99689
  cbf100010673656e64657202000106000100020003000002000101000000006a
  467e24000000006ab54a34004040eef8e9ba566bfe53d663cdbd1285c5d10998
  e95b9fca89452629757f454b11f639df15b4200a1c32691015ca881ac9cdf550
  831c6d89fdaed85b5efb21461d0d
recipient_encryption_priv:
  fbe8a1258df29b81fe1e0fa7cf3b1048f4be9309a5590ab1e922eb7ba4bfa49f
authenticated_data: 726571756573742d69643d3432
application_data: 7365636f6e64207461726765746564207061796c6f6164
targeted_message:
  0001000610819eec2f706ac61ee9bafd7b9fd31cf70000000000000005000000
  020d726571756573742d69643d343240773a219020641baacc55e5b762759721
  0fc36b1e65be4c362f575a3b7d69eceae55eb6419c1d69a891f78ea9986f819d
  03c48986009182483818722da3df2f8e875a8a9226511adbba26532d223c7229
  4679b9ff52460d68df08ac61e76c906f43e0711e02f49f2cc23327a475fcb348
  b1ca7ef919feaaf44068c83943bc53e8055ce739cb31a6bcc9264b11130f1844
  575caf153b0d46ed98c51f53581cda073a7936bf9acf620738fa001c3fc049ed
  94a17455cabd088bfb00efc2bed7a8ae49dc7a8672a88d0936bc157f1f8487b8
  719d2049c07eddf0762c2802bdb73c26274f
]]></artwork>
      </section>
      <section anchor="vector-3">
        <name>Vector 3</name>
        <artwork><![CDATA[
cipher_suite: 1
epoch: 42
sender_leaf_index: 3
recipient_leaf_index: 7
padding_length: 128
group_id: 70a9204973aff6642734f9ba6b5792c6
exporter_secret:
  2a1691e01a751a5e22a3906633f78435b14f1b313124338d9896e8b49cb59fef
sender_leaf_node:
  206e9de742e7abd12d797ffb94e124000dbeaf94dcccc6a70b55fca99a321980
  1d206f84c7f10dc4ecfe93952108ffb0904825a199b1f37aeac4aedb848a166e
  1d8300010673656e64657202000106000100020003000002000101000000006a
  467e24000000006ab54a3400404075ec3f38b4d0d35a7b5a42f85416c26e3e56
  e30d03827adeaa2319b187fac34bf1f108dca9d17274416d8dbf7ec03ad02a56
  d80c9e0c755286d0b447fc40e802
recipient_encryption_priv:
  89a94b207c3bf5b9ba9a704b689ec56437952f1ada84883e3b2225618c61b75d
authenticated_data:
application_data:
targeted_message:
  000100061070a9204973aff6642734f9ba6b5792c6000000000000002a000000
  07004077cd789de01be4a55d679fc7551e3ca215de779efb874b905911ec7a74
  0ce2c7fb4c71356aae83dcd8a0ba96d64cf3e5a4413af85eabd4fef58d100396
  581a69a20516c1cef76bc76b5caedcf17ce1b3d89118e3b1c0ac974a6f78fbd4
  3b9cb97098d2697f97f0edeb3a403d4f3683d22fabbb6da67c16154091ce8156
  d3d5057e803f17af6f88d59f4fe70e254a82dbc5037f86f81a8c8ac0eee77396
  fcb0f97f5ad7a3100ac20b621563f6bb3acd5bc5a8cac3479a041e93e737c8fc
  255b0c4fd93c601e648658c76a7b7e1db60610111b04f1539c6ea5d76d66a3cc
  16cd8ca078ef72f460dfd7adc6be27f11b435aed87f46a6cb9a1b8d3667d084e
  0144e65839be751022d26f2e65e5
]]></artwork>
      </section>
    </section>
    <section removeInRFC="true" anchor="change-log">
      <name>Change Log</name>
      <t>draft-ietf-mls-targeted-messages-01:</t>
      <ul spacing="normal">
        <li>
          <t>Changed the intended status from Informational to Standards Track.</t>
        </li>
        <li>
          <t>Added a <tt>ciphertext_hash</tt> field to <tt>TargetedMessageTBS</tt> so that the
signature covers the message content; <tt>TargetedMessageTBM</tt> now carries
<tt>sender_leaf_index</tt> and <tt>kem_output</tt> directly.</t>
        </li>
        <li>
          <t>Replaced the single-shot <tt>SealPSK</tt> call with <tt>SetupPSKS</tt> followed by
<tt>Context.Seal</tt>, and specified the full sender-side order of operations.</t>
        </li>
        <li>
          <t>Specified the recipient-side processing steps, including signature
verification before content decryption.</t>
        </li>
        <li>
          <t>Emptied the <tt>context</tt> field of <tt>TargetedMessageContext</tt>; the group state
binding is provided by the PSK, as described in the new Group State
Binding security consideration.</t>
        </li>
        <li>
          <t>Added a Cryptographic Algorithms section binding all operations to the
group's cipher suite.</t>
        </li>
        <li>
          <t>Bound the recipient's public key and the exported secrets to the epoch
specified in the message, and added a Messages from Past Epochs section.</t>
        </li>
        <li>
          <t>Referenced the analysis of sender data encryption from RFC 9420 in the
security considerations.</t>
        </li>
        <li>
          <t>Registered the "TargetedMessageData" MLS Public Key Encryption Label.</t>
        </li>
        <li>
          <t>Added a Test Vectors appendix.</t>
        </li>
        <li>
          <t>Editorial fixes: corrected the RFC 9180 section reference for PSK mode and
aligned the IANA wire format description with the single-recipient design.</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8196XLcSJLmfzwFlm02I7WRWbgPqtUzLIlqyUqq0oqq6mlr
62UGgACJUWYiG0CSYsuqn2WfZZ9sP48DCBxJqedYW9YhJhKI8PDzcw8P6Ozs
zOqqbsPP7ZN3vG3ZTbW7sd+yB97YVzw/NFX3YD959/bqqf2RNTe844Ut7+Pt
iZWzjt/UzcO53XaFZRV1vmNbDFU0rOzOKt6VZ9tNe9apJ8+26skzx7XaQ7at
2raqd93DHs+8ufz4yrZ/Y7NNW4OYalfwPcf/dt3JqX3Ci6qrm4pt6MObi+/x
R93gtw8fX51Yu8M24825VYCccyuvdy3ftYf23O6aA7fuzm3fYg1nGFUv6cS6
r5tPN0192D+y8BPrE3/AjcW5ZZ/ZYIJ1x3cHTGHbX3/UtuW6Tv6ImeiGP9Aj
dH3Lqg2ugzP/Sixa1c0NXWZNfovLt123b8+/+47uokvVHV/p276jC99lTX3f
8u/w/Hf03E3V3R4yOeD9zXeLDKf7NuBO25kz0P0r+fiqqpef/O5rslzddtvN
iWWxQ3dbN8QpzGXb5WGzkcrwge1vGd/YH2oIqRNfYilsV/2NdZD+uf3+tua7
6rP94Z9e2n/YZq/FLVxyieb910aO0IgBVnm9taxd3Wzx+B2EYa1WK8s6Ozuz
WdZ2Dcs7y/p4W7U21PGwhf7YBS+rHW9tTbutabdLKFF3y+1jYrSk6u+buqvz
erOyL2aDQGE3kIfNcIHU0K5Lm+1IW6SS2F1tQR8Lush3efOwp4cZXQDHQF5F
VjQM19X4ssY3jTEg0diCm5Yc8h4yqw+dnUOrO6Ka2Tt+L+db2R9x85bnt2Bx
u7Ubfmix0tcPWVMV9vtDtqly+wf+YF1KYiAC+8nr9z9cPhVECW6Admi+3ea3
vDhsBE1gwV1VcBvWVVZklbBFMOjUMlaBoU7FIBmsl8jCczSeJLrtsE5ISohq
WxXFhlvWb+w3u66pi0NOT1sWTc32+40abpDUln0CC7gcd+Bj/z2xbbNRU0nG
tRZn7YMgiJdllVcgc2Vf1VveVXhuNI+WcAt+/fVQNVjzLevAV3NAIUcpaSmr
erd5oJnbPc8rzKAnNkUmRzi1eSVkShq3b6o7lj9YtfyoicsfMDlr4b7ApY8z
XYULw9T3TMzI4Bj4HVEJRdfqcMvuFNeFYnBTLSy6SRJFXrXphd3T3uDPPfGo
PbXvb6v8FkK6ue1sKKOdcXtfw1lnUIa6sQregkXFCsJrO86KU0nH3OAwfiks
VUph0DgyEr00S7Aaz7f0bNnU26kx8c9VK/RcW9SiiWAQaQFk/+B7zTY0qqG8
DBLjZ+0tVrTtLX4wlboseUOXJkpuTaxV6DnZ1ejxVpL+5cv/+PDqRRp4zq+/
ilWrC26CC6sFueZYIPgLK8UkpF3ZodoINc82df5JqMi2bsj0tvsN/zyQbvVa
uyJLelHv7ohCKJCY+CVJoRKfJUfIpimctYhbP199pFBKf9o//iR+/3D5P39+
8+HyJf1+9fri7dv+F0vdcfX6p5/fvhx+G5588dO7d5c/vpQP46o9umSdvLv4
04n0DSc/vf/45qcfL96e2NVuojek4hAXuFHtOt7sG8Ep1pLC5U2V4QOe+f7F
+//zv91AMdZz3RSclh8SNw7w4R6SkrMJC5UfIT5Icr/nrKFRyFvkbF91AByn
xHioxf3OhlKRk/rtn4kzfzm3f5flezf4vbpACx5d1DwbXRQ8m1+ZPSyZuHBp
YZqem6PrE06P6b340+iz5rtx8Xf/soGd2mdu8i+/t0iFXgljPRo/oUNrgIBr
HQOvlRKv7T/CH8iHyXlw4T9FsOgwgFWRWq+16iv8uAabL+ZXyWRz1jSVFLaY
E1Gh/5pDyTf1niuq6CbryxcEbOFXInIFgwECHfz973+3u00LrNoiLC4Qfy7w
xoQMe3rXMxpoGA1AAyHL/oJn6z3760G5+euq+N0vv3+GqwdocBTYfF/nt/qz
7w1O9nrDWXlNKPfzs2GQESS4Bp5lajj1fR/4rqUXv6YHFu7DJBBCxz934vqv
0+U9s8wVKNrUkIuEtdXNjnWHho/n+cS314g8+8ORea7EkBcg8iVoHM/6/4Rv
37C0r63h4/fvxoS/V173F0R60rk79edzUi/XoaEHc0Bwbvi1CoLPFxXw2f+/
zFhQqOtb1t4e49TVf0TE6q4Ny/gGt4BLJwQD3ZUzB9v79tMJzfz+6oc3xeJk
BqpbMIw9Kyi0/nnDdzewnLq8Vlf+srCeF9J9KdNHgCXbq28oHQFeutgg9QWo
2iK6XlAwGX0LD9UwGYuhGmy+EsR76SMFZ+32UAGw1aWlAbiEOvCAEot1AtTL
RzVUejL4vXDljj3fUwJn1p410IMDEsnTAYn/czuetABdzZY8PNzlmbjvh8t3
p/YPL1/JIHpxefFS4hOdL1G+MIFzJoHa79tEoiGQMxLI2fAcyDzVM758ZR9I
LzcPAsMqt392+XlfQ++ataBkjY/4849g+1tSlzWIJzAtQY6cboTTegwmlX6J
APA43xwKPesd2xw4hlqDotWPt2tN4MAEIBQ1wghPj+a1aSJJ0D82c2uvaabV
j5/UiuWnXU8HmR+y652UuyaIsOEBslxPDHW9zJSnQrBqxN63AxMple7Hpe8E
HXByVfkg5TI3e5pGmeLSbAKeXoyuUuyf2QThhFFSnD0YLIbe9qTKLFexnhJc
a7wSgrpQyqoDP9/C0f1YFwAc8qH+Jspvt2LW3gT0lNbELO2RWU4GInyjBADE
CU4poqleVf0N15Y4pvlFzMXzUhUknFli8jiSrvq513ZZ8U1hAJ1hfc/tK/ze
G8sT0/HvwJDr/tZrkZJ2/Bp8OxV4aPg5mRMPKD8NYtdd1j6VjpJ4M9NDSSZx
cpEZSxy0pneuhkH1eH1WOzYLJTDl7kbCNCHhmEbw6zX+eDJcVgt6QRRpKx2+
lXNSraOd2JGqe8zKFJZyjCpD7eO4LXILw8T6oQxqfxFfH5fmoBNLUjwix9ld
S3Kd39VPpTj0Bk4CYVRmxvMymyhdjAxb5s4MmTnl4/i+ECb7BHEdIYFLp08F
Ckjw5ra3PvVF0wciASJ0DaPPGGaaszb4OFshMIX9HEs0w82Tk+kqKLEl9CHi
IgKDqexLQwqd1km9sGhxERGZbcnb6ORGFuasoTBnzwtzQ9hYiQnzuml4u69l
NYwGBroajd3OXJBATNrrkEOGR1YiYxvTOeNmcjH2k4uLl0+XClFUsFDuqpc6
hhgLuOiHOCaT1RynKqsm94oVSAvXXKQgh7RQpPA9nuiLV2I6XUeaxJCDrGH1
1ii9N0jDvZbhd48Et3cm0wzhLLGGQJ3ARhOMMAFGooI1VN5kgU6WsjDJz7tN
9YkPOOt7kbnCwiUjQKhZY1qyt54MCN0ST46h4srrwaIoSz2VLMHdMhgiGBDY
o3LWGI7CRi1dFT4dyryDr6MJ5lVfEeRkEU6Y/RgJCLEZSOq23iiPquEqCJMa
+16CdWV2y3B9pRD9elCglndjKHFKH8uqaTsLhNf9KsySsFApVSXd0Td8WG1+
W2MgW248ES//xpvayh463tIeARw7ryiKySIi6NAuYEIaZQb7DaNq12eqs4AU
xfjHg5+mXj5yjPpnknRhfJOZKdg2FW0MsB2VnbeggYap8453on7dkyV1ox/A
kgOIiJVxDLfZcBWHqaRGjLDnjBgHOClvACcKDLsa/+7Ohgd7UxzTLHORqpQ1
Qygh1UZZRdU7WiHkuKlFVJmXlDSxDf93GIF0yVu2oayca28jB6SNw0agSaWT
igbS3hzDmWCRatL5qd3WYkWnspb/mVGR9lQ/Z8FZqgL6UODNCU90NtWNd3yj
fLEhO+F+R47muLb3OFKoee/ujXJ7H23JIyjkIZyDcEafpcdcHv7zMLwGWlZZ
036XqpITBeePVcV0Um+WEuTIyyUENS0ye/GkWQuY3ElMOrH0GnDfiRGQv7IY
uYZ22KOR10UKhIRBsV4/ZQmPa7pPf5xrn4oYI7bZyIUKh4vk/1bAWATL3oEL
U7LWuSand1B8u+8enk2T/Kw+7Iold2rAImsZfIiK9qhq/uWLGOFMjHCmXDft
SHwTxybaBSbd7j/x634lKoshHYcbBOXLm0094pVOpf8IH0841iYcOy0u0Cb8
EIvAV1gqbLPhfV62DAIXS8uWicjM6fcSf9Fc66G+JrIk+RWB6vWoAGKZsGyR
iwZ4WODgAtTerpWXGxO6ZmwE746UYVb2j3Undy4X1IJGF8YHv66GHap9a81L
PSTbt4cNGyCnEqRw26XYjZKOTZexyMNs1N7a+oqzDSxhbV+8f3OkTm/UqwQE
gQ3xnOnRpguWvSCilCZ03iRcuOphyvv6sBFgozjkfLRD2S9iWB48vYijp8QY
KSjJGqDD0yH4txi8Nfzck2H+U+3PnlK6zbvDHlRcPTmqQvNcav5jmta33L/k
Ab7lOZk3AOMbOe1zvZ4VcfTJkhY9NvTsfhUkhjyRGkNG0tjzhgKx3i3W0QVi
2wsoUDcFNfdQC85LgUylhiznXEvVJy1HIns93Te5bnne8G79aKVuRZNfDlpD
PvkxLyHj7bpXhzU9UGdkeYIIU321axSGp1iiRUDTXmmn8bX0RO/aq4ymHU1D
8UBMvegWxEQv5iVEATRzwDq1HLZZKxNcIldghOOTCJ8n7LpvPTheIdPohobD
cwMYPUKpLjJRmDAXYBh2rwLHi3HS5HUtVfDbKLRNIiqNNdc2QeBF2yKZ2yyL
bFzJGzAJgX5DQ4ftGSzCIEPSOJHtgPbsqlOinkT/Y8p92tdiWgFddSAwuUjD
9eU5lgG+Hgl4kyqlqeejZIzsx1yBpVXiG0p+xhDGl7OSGvjXLMU5aDSSJrF8
wPP18R1V3Coj3XC7uamtdIXthphoLQVDCoGgVQ1ijvBYTUoXCp7bPyHywYeY
IWfB/06d0fFyLv18LcB8q9cf+P9NoxwJSzoM9fBdl3Fb04XCCF4YkUnbgWLP
WtQYR1DD6LoRYLO7r88oqNglIox2Y8qDtdQdpDDDkBZY63GgH+rC0plNMMfQ
YUUpRbXDQ63A9NZUH7ZQmM2DhlD8876h1BKqJP2jQDQG5KFdjPp+N4I9MmuU
9jZPGL/mcyjl6LPDttpSq6lsZaNNN3m3vHPafGNCON+oI4lECHCrG0PMfueG
3Jkl3NnppFguyv1LTrkHYLoqOmBS613ftPXkh8t3T23JlSmIHaNzwvY04q7e
5Vz3hPX51bgCatRghVjh0eu8oq8sVRy9pNImU21Zh24A60Tsy35X0n6l9ySe
/PDy1VNNoaw9yUqyqnos+F37hu9oG1mz/tGt1JX1Ro4g97b1eAa2q0gMbSuT
Ujm3FMb9bb2Z3CnyjxXWPaj1sUxTxsljuApD9eX8PosbdZc+msXNS/mE6eEz
+KGoqVx22g84yFb6AlnFZCZwP0LlN5b/jZ1eWR2UTxtbAuaWkgqnzw2+/tlZ
reStZ+5frDk1tIrn9mSP+8kRoh9F+CcY6sR0WYqcU1vtLj+dzy55918zPygQ
wz1Gw85w+d+wFdFnvY/FbGus7r2pUcmEc4kg2qVdyPWjZaz/TF/Or/bY+2It
fUfJhx6u/AIgXKid8Z/3cBeydCqR2YzY03H9QhY4VSI1zqOspTzqF6MQu9Zr
W9tbUVtp+67n8RzVqMd9NRtHcGNt7E212rXmB1zCCNLCR7264hgH7YaQMu1Z
q28iWQ+NLwMRbVdtNrTxKq7vONVkWfMg7B/ki4SChkI21x82Ia9zRmOfibFb
ndCNqF+S3cCRabWIOkVFwUrcRxOqmtPgvsRcK5m1Suj3KNZcTC6OYfZxRwaR
P08aQG9JreiauVRjzzZs90kTfrSctrSGr6Vcj8H2cfsI0WJ0nMyqlIsJVc/C
0bjzZx+PjxOZL+3IKBYotP6VxLRHOqLLeNjAWCq+qnn6guvAAr05IVhEXFdp
x2itYtvB3L+cxUWzp0RsMLRzOCHPK6jiMaFKEuGptWRoCtW0Q8ymRsYz1ci4
nqVltA9itJ7Ixei9qBrjENKVmFZj74HJui1CiYfclvTaajtGymtXG3tlYIjC
68VwZEBWzu9pc87OcesWcE1vKrJWnWSgzTwzxMjs4BskrhvAxWkI1rYDdjQ3
3pT0aC9MKZNImFU965bdURcIhUEBvQ85eTCqiT1AMd6UYjtOPtfqZ4ZNrm/Y
2pJ5gT6iJ1nznvzqpfB9lvVebmQdCSzC8TLTE6vzMBMfSKeagAGYciND2c50
xMLy5Y6FjN1MDdr3Gfb9HApS2DrEL1f3qGftsRreaOe66nTL3CPbDCpRJrLN
lrj+rh6Wm47ytA+npACbuv5kq2g5TndsMQQkcnXY0zrl4Z+etWIzUXflY3ao
gqwyKDOdBk6JZ6xt3Yokq+XNnTgCB/HTyZ+6WQFPdGojdyQHwQ9z4nvOPsG2
RKfZq7q5Z01BZ97AqAcyKyCJjvasJz6slHeetfLOX38973N8a3Skjo7sKOWh
jWVtXIxKYuJ7MKgmBWwNpQDXqL2gJ1oc+qFd5MG41O2SU8Ypvuny5CkKS+2f
EVDoN+ql0urYJg/KqEMXBSejVBUas8FmRBadFKmppbelUltFXkUsBsPvOC+k
BQ5nZ+E9qLigeoHVyYpWpdCavzpXVs8YEiDtm7dTyVVVjbVB6t4p1jR8I9UB
Onn0GJ3ZOaI2nidtmctNLd19rc4f0YkQQlyTftfhGJTZmvnPZjviYm1+aJ8z
DkCOTEn2UHQP59bYA6l4Oe29YzcUkrvxGEMPqNG1KWxeHPWi3fybARRQA4px
qIxMqY81BqV908xCgtu3ywxprio4EIqGpKFa9kacNRVz0Jf4yuwEam+r/cp+
jzuGmks63zbTfT5y27mfpD50Qu9m5zNFSO2XKw6lEndV0UlH6k+7+l4shEZW
dSpY7g23GPUpV4WR1omqj37yFNy753fUYmNGWQXmaTTJXWuZo6qgpWVOSk0i
pk+iZKbLdn0fsGV9b+wbPtbBZArjVNmu8LRyPcIvWeOeLFlYFyBYyHrqKunr
93DHZwSPMVcFMvqjwzcH1jBAhyGGLCjFsJ8KRnK12z+1QAn4aG10OH4MiiBA
1nUs/6T8Tyu8Y9vnXjrAme0DSC90356+TWiRCNe9IRmhEeij2grVWjgcaaxT
2x6hI/JEmrJ2et6ZZl54juXkwKz+MemhxMF5+0qQ/r3sWzh2PvY/0TEhJTwt
TI1Oc1Y7wlgyCpt7V4LAvmMCALVW+LYvAmIkzqD/OtBJwNKq5iGuHQhSPaW5
wuzq7ZZAuhqOQOJoTcvp2qk1PlUgMjvRqayrqcrlkelBABSB9rKXWdWUew34
xQTx30s1HeDjouWpXl62FeF9eiBb2hMxQl4AJ0QjhdF8QVWGO3r1AWGFhST1
VCBkc1SxB9Pv8lmytWmoAqliugAg7Qhwk0/aqERBwuGiohPAos4g/JCl/dD0
5IDur6Wy6XB+WEx1LKBZKiFRQx/tGOmzuIOoLQ+J3HTTmEmpSi2wxpueov8G
30ivK9qve6aqBEXvMOndLXoTQyf6u6AazeA6h8TokYMujx9zEYgaRm0OS9mk
PhsOJeebcmV9+dJH97O7vh4Gwxu85NFsxKwwDHJa3sGbqMg0JppJprWjWPZt
qaa9kGpa41RTGNgkiiz5Mr2ZW2CteSd3Zr6SyYwbpla26iJeRIGzFmKpJ9L5
UB1Rv91DOH9LLVrVyqUVzlEppbYiRx8/brjBldXHSS2K2YKMqDMKjvtaNKvC
o8xTjmErq6sHyEb7FsqBqBCuGa/yF+FrVM5g3cAV0jk5Ah2ECs4JIYzbjsbB
gRV3bJer9y3IFy3InEceO5+AVZFb6EXvG4507dD24WC68oWkx9LvpYBzkNlG
OVmNEU9VQiNJ5MbuSkmjgB6qNlz0+ebCe1GmGVVvd02fYQLGTTIjLLw8NCQ1
nWBOiZxVxqxH67SjTc43GhO+mAAQ6UiPFgUWzux9y/7oIobUcfpRh6ebIQeX
u/RyEo11+xijgorSeHq1g+xV7gl4CSwMZ/RALUF3VS676sW3YgDgZEuh/gH+
nPbHH8SN8qUZ45gMH6Z6k6SiaGPS9qUildHgP0S8atgs19uf9Y4PZ0Wnu8mT
HsDZBvKw5ct2bPPQVq0EYfoRNxK9t5b5ig2yFHICfz2wjfKUcwBNW4bGWdiD
dkCWIP248oz39A1YoXb3xIs5xH4q7XZZshFAvHKHkLk4MzrZdmZV82wYVtzR
H7vUmcLowFprtDVMT34IZ1JnLKs2wnGVMlHvybQkmXS4brORhy9kxWKg2/tf
Z66XSEv7wBH7HsQBd54fKwcUtdCn/gSQ3qQm+eTA3xTmIXq1E9tpIsWReWuD
cCpeo5SzPUXoYn4IdNRSI0ubRJU6ZKD3Wag9Y/C397QrRFmHsLMBO8iufsj/
tU5KjxxOswSkFrvjxitilJqfKxIkSBzoFB3fMyDScm4VB+m+B5hFZthn1zQu
vTmqR7Ly3UgLpS7ldy1JgDh6IC1BufhBCoddRTuVku26A3rhiJU6vyHsrEGa
1Ucj2E5LxXF5DFlUsd5c/Hgxq2BReRmukF5xoN4Xol4vc+TVIJObzQNd8r1Y
o1dfqV6ZIy/TAlX2b2mv9MDPbeez4ziR/aQ93ECOmPMpffmjeOnYEin07QdO
WRVZe3Fu/0leEZA/pzeVvXph/xt++jUOqZDYCReL/83CWw8s67fyjvPFU5bW
bN7Hp10+C6hJuNjQ254ol12u1N3ySU2oB5HGmQRLH3IYjtJrnE7HLmYHJPL+
3UI6ujX8pgLTYcKWeMMSv5PbRvAzrdBf4eNkwBGGYr4TSxBI2HK1yFIKFo/w
VB79+AeZqls7RqKcstCcdNYB8s0z0gvOMpgWmdBHaCYS6byrG2Umw14JvY8P
eYv4DtCCN3mlBKjPTZ3pxjS9ZTPBTsv50so2M/N5R78QH8QIIP43Llvj1TaZ
nM94d4U8oEV+SKZA4g1gPSKRPW7wufCZz/qcua8SyyHU+606YaLUftlQkeas
a6r9XnhUXfzpVz0ZYiXfr6EZpdf17uMbIVgzVtL7464Rzq5fvv7h8t2/eWHo
ptcXl1e49IcX766vXl94YXR9WYgv4G9lsKC3LvDPYk9BpdHXYrT1qaW6Gk6H
XSEqQOVij5faD9W27rXsuVrbTyj+IN2stmwj28Nu+eczccZQpH+XVPyQKxlq
tdNi1S05aHVesZew2DMzmjXE9JK6c2OEvmI5KkFAo5E0UClpRaNoGKthzvnS
Zlxf/5ZlJSn1fqvYWmrz1pt0MvgcBVVGe9Z/7J0dYhELLQ+CJ9Nz8Wp1o605
2beh9hPNUl6/T6Bz4pGQjOJoX7EStCx3jwhyhq+GJYj+XEWXkQHTSzpHxD2y
WwldYrSPt9lo4K1lLfxzRxq9lwlEX8+QKjSL0Ocitx94YL5tqz/2Z3/Lm79U
Q0T/Apf5G7/OFjFJr3+SYI2ZFBiet+w/cnRczDB5BdB0/Pkp31IeMhoaRs9m
pj0ZY9xkSb0fZ+oo7LylhN4F+00tBuKNaGpfa3IwRrYCiGToSJEMaH0uW9mk
LkCw2i8Y42M5rKiKykggAbs10Dpjlu6JmrNZZ2/jo7MW1cMUu6ZMlWmHDI+2
KzrwLNMDn+Oi7BjALzODBwS0liyPbh5PRHdq13lu53kYhIXjlFhzEsR5WuYZ
c9ycJVmQJjGzJv6R3hDnhGnsliH3sjRN/SxnJXOYX4RR4sReEORRxPwcXwQ8
8NM8zoowLwo3SjPulIGfjKkni6ZBPceL3JKnPC/y2OMsdAsni8qcpfiXga7I
gWACLy5LTv+EWZSWaebmUVGU3PExRJx6jpNEnCU8Yo4fBknp5U7uuInnFW7M
4iwOHC+ISlZwL4ijIOfMycrMDQuG0VwaguVghuM6UexHYcSjIApjkCavif87
4pPvOOo3V1wTPxF1lwVRjNGHS1kYMB+fA/yTRAHzHKwqdErXSbICnAuCgPES
zEJgZlGUYYiUZ4GbpXmUZ2UaRXlZBLwIXQ8rYEESQ0RB5nA3AftLzMadhPmO
G/pJ7pdxkXoYIsNguRe4jp9HGMpzU68ogyL0Uie0jvphIYgoKxIXHEu9NIt5
5kVEXRSliQMZlwz8d6PI8eLc91kAvkWhH6dZgKHjpIhLa+6Qzq2pfdBEARYZ
InuPicd+TL85kRunUR6VkRvhcxRFZeyJO9zYi2Lch3vFN0UUkrh8iMkVX/iz
gyNCVaXEItf5mqI74x8lUxrCJdnFcVjmPMp8l4V+VCRelkSe50IlPLC3TArf
D5hTpvgYOoHLIh/KmWUsS0meTlA6bhEUTuSnZexAfpETJr4XxuBc6CY+NMRl
hecWiZ9BYdzUd9I08D2HQdCkEoxDaR3f5WUeOQX3HUjEzQqWQ1qc2JK7oVf6
aVE4iR9BtQv8Bl3wC5gTeIQhyjyAxXgJNI5FsODcix2YTh4WXuHQQJHvhH7p
5CF+SXzfy3yeuT50jhcscSj4QNh4NOdpUgQe95MiShLPjyMIJ0kdhwWshPl5
mZPGPsMK8sSDIeNL5rsJ1FkMkfI4DpI0TLB2Di0Kc5fHZRhCr3M39v0MVKum
4N4feo/6w/Af8YfezB9GgeEQEzflPPcgpQg8cTlPM1YWMWRc+G5exksO0QtS
FuIuyNAtvZIzP/NLn+Wl5zOPJxlMGw6Fly5PU8+LIt9L4FQCrD6EI4WWLTvE
yGEpPRokQQFnEIIiXpZpHECzchZwHnthHsBLhnGIJKd0EqfwU8/3/DAJSGm8
0HNKGKcLp1tA64PCh7TTDKLiRQovCXUJvICFoZPCkOMkjbyUcXwJQiFRDAEP
5P43OkTOy4Q4HMLxwaf7BZiTF1kBXxiCVBc6lGAInoYQAGw1hZsBjeBbGYRB
5rolLKoo3TCDU3CYm/seHDl8Ie5NXISNvIBmkRknPoWKBGKEOidhFsKreS4c
S+EUjzvEMuMJc70wKUp4xARBykUgY3Fe+pkL4ZQQJNkr2JjCXiFkz+MZueqs
ZDC5JYdow2Ig+zhUrq+AZQV+4cPk577SFqz34RV5FCx5w7Hf/Ioj/JqCTxxh
ODhCzymOk00uEtruwgM6EaIXY/C4IcJ0HHkxAINHLsgpcz8Ch6Iw4wF+9Uqo
LqwlxkBIeBnHExmeTnMXVyBut4wTzqAEUQm6KUNBQIPzSKB6KeJ6kEC1YUxe
AQAC00t4ggETRmYWunCpcMH4zfcKz/OBK7xUKiRsoCxDYAEHLqyA5QhWxFGe
IjoHPndiF0L2SojPy3MPzjBmAYWAzA9IIYE7GAw6dVNYOyuDwImSPPHhsrM8
9HnihGHOY6AfChhRluepF5G6uj4CPwwRQ2DlsFlE7cwpgojsMQ+BqmC7bl4w
B8yMUzCrBPgpI8jYTwAWELD8MneCVKSLacDcOMBULIPbTwBlYNhl7mW8iMEE
HqRw/iyBe4Y1FA4NhzARl26ZAEZktJAYXIWHSXMn5gBSDqSVI0R4WZHFfg5b
i4Ny6oz9R51x4C15Y/+IN45n3himb7jjGD6Q6AM7yhJxzYv9AJEVPA0B9/Jo
0R0zgE2Iz2VxiHDNPY/5kGvkAx0lgR9mblC6EIzveoGPIJbC73GCAXkWQp7l
MXfM04JD6XnMyEEVcQosmqUE3Mi7FRluT4Mix0/EYicLQ0KvKfNhFAkZkFsQ
9kuCHBJwijzgOfCun4YejBIjOYAJiRcyNwWshdtGyM8BDYsMwsKKIi6GSPz/
RndMcQSRC7yAV/RD4M2QBbAqIJIIysB9Hkbkjn2ncPwENlFA+z3fBcGApSz3
4fJcQrYFVg7IDe3Bk0VSZGXMc8dnhQNAQEMUiZOn3MnjMPSSCFA/CBD/ERCg
e4+74yRlaZDBIHI/KxEWMqQHMYIp4hWwDNxRDI6WMH0GviU+9zPP88KI8Ieb
xWHxjfj0cSf6NbUc+1CPDU40lmgyLxBtgehcOEIEjgIuqSRmuNzP4UVDaFqc
IkQlcYBwHaZwRzDlmByHk3MPKpRBj1w/jBjjiV/kRYJchqUAxgECE4fcAhfE
JSGHtgbQasQvEO+nxH34GOA4pCIh5OrmvIzhGfAfPAkv8tKNcw4DQbR03QQM
dHPgQ+AOBjielBgOQ/jIT7I0dgAFEXJjwJKScEOGnAB5QlD6EajyvJIBBUcF
i+LcjQD34bVznrhSB5BPOGEMkfuYEtCxhJeCBYLa2OEe9DLxCvhTx49LEQAY
fCzLARrAHLkQOGSHpg4ZPJ6P9SHpASACAwHAowzU5EWIIfAkaWecIt9CgPbh
m+M8KXMBksLMyYMSqBNyQ2wKkihMwA3KF7lbZBEJHK47A4qHuwYSQ3ZaxOA0
5bk0BJhYYAIHsQr5SklRBRGVFcDUHAkrHoXXIdgB1AIADb4xN0PKEEUx/HbA
RZYRBAiLCCGECl0HEc2LSg+XeNi/c1lulb2tb6wv5w3f1nf8ze7DqxfPT+gv
9zn51bK+4S8bEoUvOVKhCtedKOKLgutB9Tu82cl+JHkMsaup5XBXMPr7Ej7S
ThlVhS4Keoodfb8pnaBebOmqh9qKef7JaPCavCPw2fK7PqgvV74ev7UWXxYx
ez1Ev/9D9IsdXt11u/zOHnrfh6z7mS8wkbsWooBP8y4cxR/6EPtuxdGmQqN6
qofdBSLoavTUUNqabnyIQpX5xuShj9senzY62t9G011u8auabPoeroVTobqp
89m0Rk9wSL39UJ5EkmfJVdEeLJufAevEgcV7s50Vo6iG1qH5Pze3W02VO/b2
8f40gSZIHD0atnBU+6G9+PJvmuD7/pjEkRdi6Yp+3+au2lf799yKDip7/gYu
pdJSP5hax9GzSXohUk/Vvtq8G0R12YlapNGUIkajPThqjtCHx+0jfG3lHHoH
U8yxuMv4tf1YU0DmVp9+X+RnoXT6Ly+Don3m7bk8XiLKyDSxINpNnF6QjV68
6KHp93HlbgXbQPHVk2J/3uyklApnvLfAMHOzGY2MR76UO6dO/w0vbmi7rYWP
lUdlePH8pGSbljzs/wVOGdHlJG4AAA==

-->

</rfc>
