<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-irtf-cfrg-hybrid-kems-12" category="info" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="hybrid-kems">Hybrid PQ/T Key Encapsulation Mechanisms</title>
    <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hybrid-kems-12"/>
    <author fullname="Deirdre Connolly">
      <organization>SandboxAQ</organization>
      <address>
        <email>durumcrustulum@gmail.com</email>
      </address>
    </author>
    <author fullname="Richard Barnes">
      <organization>Cisco</organization>
      <address>
        <email>rlb@ipv.sx</email>
      </address>
    </author>
    <author fullname="Paul Grubbs">
      <organization>University of Michigan</organization>
      <address>
        <email>paulgrubbs12@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <workgroup>Crypto Forum</workgroup>
    <abstract>
      <?line 229?>

<t>This document defines generic constructions for hybrid Key Encapsulation
Mechanisms (KEMs) based on combining a post-quantum (PQ) KEM with a
traditional cryptographic component. Hybrid KEMs built using these
constructions provide strong security properties as long as either of the
underlying algorithms are secure.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Crypto Forum Research Group mailing list (cfrg@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/cfrg/draft-irtf-cfrg-hybrid-kems"/>.</t>
    </note>
  </front>
  <middle>
    <?line 237?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Post-quantum (PQ) cryptographic algorithms are based on problems that are
conjectured to be resistant to attacks possible on a quantum computer. Key
Encapsulation Mechanisms (KEMs) are a standardized class of cryptographic
scheme that can be used to build protocols in lieu of traditional,
quantum-vulnerable variants such as finite field or elliptic curve
Diffie-Hellman (DH) based protocols.</t>
      <t>Given the novelty of PQ algorithms, however, there is some concern that PQ
algorithms currently believed to be secure will be broken.  Hybrid
constructions that combine both PQ and traditional algorithms can help
moderate this risk while still providing security against quantum attacks.  If
constructed properly, a hybrid KEM will retain certain security properties
even if one of the two constituent KEMs is compromised, for whatever reason
that compromise might occur. If the PQ KEM is
broken, then the hybrid KEM should continue to provide security against
non-quantum attackers by virtue of its traditional KEM component. If the
traditional KEM is broken -- whether by a quantum computer running a
polynomial-time attack or by some classical cryptanalytic advance -- then
the hybrid KEM should continue to resist quantum attacks by virtue of
its PQ KEM component. The advent of quantum computing lends particular
urgency to the latter case, but the hybrid construction guards against
the failure of either component regardless of the cause.</t>
      <t>In addition to guarding against algorithm weaknesses, this property also
guards against flaws in implementations, such as timing attacks.  Hybrid KEMs
can also facilitate faster deployment of PQ security by allowing applications
to incorporate PQ algorithms while still meeting compliance requirements
based on traditional algorithms.</t>
      <t>In this document, we define generic frameworks for constructing hybrid KEMs
from a PQ KEM and a traditional algorithm.  The aim of this document is to
provide a small set of techniques to achieve specific security properties
given conforming component algorithms, which should make these techniques
suitable for a broad variety of use cases.</t>
      <t>We define four generic frameworks as variants of a common overall scheme.
The variations are based on (1) what type of cryptographic object is being
used for the traditional component, and (2) whether the PQ KEM is assumed to
have an additional property known as Ciphertext Second Preimage Resistance
(C2PRI).  Hybrid KEMs built using PQ KEMs that satisfy C2PRI can achieve the
same security level with more efficient computations, trading off performance
for an additional security assumption.</t>
      <t>The remainder of this document is structured as follows: first, in
<xref target="cryptographic-deps"/> and <xref target="frameworks"/>, we define the abstractions on
which the frameworks are built, and then the frameworks themselves.  Then, in
<xref target="security"/>, we lay out the security analyses that support these frameworks,
including the security requirements for constituent components and the
security notions satisfied by hybrid KEMS constructed according to the
frameworks in the document <xref target="hybrid-ind-cca"/>.  Finally, we discuss
some "path not taken", related topics that might be of interest to readers,
but which are not treated in depth.</t>
    </section>
    <section anchor="requirements-notation">
      <name>Requirements Notation</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="notation">
      <name>Notation</name>
      <t>This document is consistent with terminology defined in <xref target="RFC9794"/>.  In
particular, this document defines PQ/T Hybrid KEMs, where "PQ" refers to the
post-quantum component and "T" to the traditional component.</t>
      <t>Hexadecimal values <tt>0x...</tt> represent byte strings (not integers).</t>
      <t>We write <tt>x $← {0,1}</tt><sup>n</sup> to denote drawing <tt>x</tt> uniformly at random
from the set of <tt>n</tt>-bit strings, denoted {0,1}<sup>n</sup>.</t>
      <t>A function <tt>f</tt> that maps from one domain to another is denoted
using a right arrow to separate inputs from outputs: f : inputs → outputs.</t>
      <t>Constants and algorithms belonging to a particular component are written
using dot notation, e.g., <tt>KEM_PQ.Nseed</tt> for the seed length of the PQ KEM or
<tt>Group_T.Exp</tt> for the exponentiation map of the traditional group. The same
symbol (such as <tt>Nseed</tt> or <tt>Nout</tt>) may name the analogous quantity for
different components; the component prefix disambiguates these uses.</t>
      <t>The following functions are used throughout this document:</t>
      <ul spacing="normal">
        <li>
          <t><tt>random(n)</tt>: return a pseudorandom byte string of length <tt>n</tt> bytes produced
by a cryptographically-secure random number generator.</t>
        </li>
        <li>
          <t><tt>concat(x0, ..., xN)</tt>: Concatenation of byte strings. For example,
<tt>concat(0x01, 0x0203, 0x040506) = 0x010203040506</tt>.</t>
        </li>
        <li>
          <t><tt>split(N1, N2, x)</tt>: Split a byte string <tt>x</tt> of length <tt>N1 + N2</tt> into its
first <tt>N1</tt> bytes and its last <tt>N2</tt> bytes.  This function is the inverse of
<tt>concat(x1, x2)</tt> when <tt>x1</tt> is <tt>N1</tt> bytes long and <tt>x2</tt> is <tt>N2</tt> bytes
long. It is an error to call this function with a byte string that does not
have length <tt>N1 + N2</tt>. Since this function operates over secret data <tt>x</tt>,
it <bcp14>MUST</bcp14> be constant-time with regard to the contents of the bytes in <tt>x</tt>,
for given non-secret lengths <tt>N1</tt> and <tt>N2</tt>.</t>
        </li>
      </ul>
    </section>
    <section anchor="cryptographic-deps">
      <name>Cryptographic Dependencies</name>
      <t>The generic hybrid PQ/T KEM frameworks we define depend on the following
cryptographic primitives:</t>
      <ul spacing="normal">
        <li>
          <t>Key Encapsulation Mechanisms (<xref target="kems"/>)</t>
        </li>
        <li>
          <t>Nominal Groups (<xref target="groups"/>)</t>
        </li>
        <li>
          <t>Pseudorandom Generators (<xref target="prgs"/>)</t>
        </li>
        <li>
          <t>Key Derivation Functions (<xref target="kdfs"/>)</t>
        </li>
      </ul>
      <t>In the remainder of this section, we describe functional aspects of these
mechanisms.  The security properties we require in order for the resulting
hybrid KEM to be secure are discussed in <xref target="security"/>.</t>
      <section anchor="kems">
        <name>Key Encapsulation Mechanisms</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="248" viewBox="0 0 248 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,272 L 8,304" fill="none" stroke="black"/>
              <path d="M 40,128 L 40,160" fill="none" stroke="black"/>
              <path d="M 40,224 L 40,264" fill="none" stroke="black"/>
              <path d="M 40,312 L 40,352" fill="none" stroke="black"/>
              <path d="M 48,32 L 48,96" fill="none" stroke="black"/>
              <path d="M 80,272 L 80,304" fill="none" stroke="black"/>
              <path d="M 120,96 L 120,128" fill="none" stroke="black"/>
              <path d="M 168,272 L 168,304" fill="none" stroke="black"/>
              <path d="M 192,32 L 192,96" fill="none" stroke="black"/>
              <path d="M 208,128 L 208,160" fill="none" stroke="black"/>
              <path d="M 208,224 L 208,264" fill="none" stroke="black"/>
              <path d="M 208,312 L 208,352" fill="none" stroke="black"/>
              <path d="M 240,272 L 240,304" fill="none" stroke="black"/>
              <path d="M 48,32 L 192,32" fill="none" stroke="black"/>
              <path d="M 48,96 L 192,96" fill="none" stroke="black"/>
              <path d="M 40,128 L 208,128" fill="none" stroke="black"/>
              <path d="M 8,272 L 80,272" fill="none" stroke="black"/>
              <path d="M 168,272 L 240,272" fill="none" stroke="black"/>
              <path d="M 88,288 L 160,288" fill="none" stroke="black"/>
              <path d="M 8,304 L 80,304" fill="none" stroke="black"/>
              <path d="M 168,304 L 240,304" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="216,352 204,346.4 204,357.6" fill="black" transform="rotate(90,208,352)"/>
              <polygon class="arrowhead" points="216,264 204,258.4 204,269.6" fill="black" transform="rotate(90,208,264)"/>
              <polygon class="arrowhead" points="216,160 204,154.4 204,165.6" fill="black" transform="rotate(90,208,160)"/>
              <polygon class="arrowhead" points="168,288 156,282.4 156,293.6" fill="black" transform="rotate(0,160,288)"/>
              <polygon class="arrowhead" points="48,352 36,346.4 36,357.6" fill="black" transform="rotate(90,40,352)"/>
              <polygon class="arrowhead" points="48,264 36,258.4 36,269.6" fill="black" transform="rotate(90,40,264)"/>
              <polygon class="arrowhead" points="48,160 36,154.4 36,165.6" fill="black" transform="rotate(90,40,160)"/>
              <g class="text">
                <text x="120" y="52">GenerateKeyPair</text>
                <text x="116" y="68">or</text>
                <text x="120" y="84">DeriveKeyPair</text>
                <text x="44" y="196">ek</text>
                <text x="204" y="196">dk</text>
                <text x="124" y="276">ct</text>
                <text x="44" y="292">Encaps</text>
                <text x="204" y="292">Decaps</text>
                <text x="44" y="388">ss</text>
                <text x="124" y="388">==</text>
                <text x="204" y="388">ss</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
     +-----------------+
     | GenerateKeyPair |
     |       or        |
     |  DeriveKeyPair  |
     +--------+--------+
              |
    +---------+----------+
    |                    |
    V                    V

    ek                  dk

    |                    |
    |                    |
    V                    V
+--------+    ct    +--------+
| Encaps |--------->| Decaps |
+--------+          +--------+
    |                    |
    |                    |
    V                    V

    ss        ==        ss
]]></artwork>
        </artset>
        <t>A Key Encapsulation Mechanism (KEM) comprises the following algorithms:</t>
        <ul spacing="normal">
          <li>
            <t><tt>GenerateKeyPair() -&gt; (dk, ek)</tt>: A randomized algorithm that generates a
secret decapsulation key <tt>dk</tt> and a public encapsulation key <tt>ek</tt>, each of
which are byte strings.</t>
          </li>
          <li>
            <t><tt>DeriveKeyPair(seed) -&gt; (dk, ek)</tt>: A deterministic algorithm that takes as
input a seed <tt>seed</tt> and generates a secret decapsulation key <tt>dk</tt> and a
public encapsulation key <tt>ek</tt>, each of which are byte strings.</t>
          </li>
          <li>
            <t><tt>Encaps(ek) -&gt; (ss, ct)</tt>: A probabilistic encapsulation
algorithm, which takes as input a public encapsulation key <tt>ek</tt> and outputs
a shared secret <tt>ss</tt> and ciphertext <tt>ct</tt>.</t>
          </li>
          <li>
            <t><tt>Decaps(dk, ct) -&gt; ss</tt>: A deterministic decapsulation algorithm, which
takes as input a secret decapsulation key <tt>dk</tt> and ciphertext <tt>ct</tt> and
outputs a shared secret <tt>ss</tt>.</t>
          </li>
        </ul>
        <t>In the notation above, <tt>Decaps</tt> is written as if it always returns an output
<tt>ss</tt>; this is an artifact of the Python-like pseudocode used in this document.
In the event of a decapsulation failure, <tt>Decaps</tt> <bcp14>MAY</bcp14> instead return an error.
This allows the KEM interface to represent both implicitly rejecting KEMs --
such as ML-KEM, which produce a deterministic pseudorandom output on invalid
ciphertexts -- and explicitly rejecting KEMs, which return an error.  The
security analyses in <xref target="security"/> take this variation into account.</t>
        <t>We assume that the values produced and consumed by the above functions are
all byte strings, with fixed lengths:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Nseed</tt>: The length in bytes of a key seed</t>
          </li>
          <li>
            <t><tt>Nek</tt>: The length in bytes of a public encapsulation key</t>
          </li>
          <li>
            <t><tt>Ndk</tt>: The length in bytes of a secret decapsulation key</t>
          </li>
          <li>
            <t><tt>Nct</tt>: The length in bytes of a ciphertext produced by <tt>Encaps</tt></t>
          </li>
          <li>
            <t><tt>Nss</tt>: The length in bytes of a shared secret produced by <tt>Encaps</tt> or
<tt>Decaps</tt></t>
          </li>
        </ul>
      </section>
      <section anchor="groups">
        <name>Nominal Groups</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="456" viewBox="0 0 456 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 56,128 L 56,352" fill="none" stroke="black"/>
              <path d="M 80,112 L 80,144" fill="none" stroke="black"/>
              <path d="M 80,336 L 80,368" fill="none" stroke="black"/>
              <path d="M 104,64 L 104,104" fill="none" stroke="black"/>
              <path d="M 104,152 L 104,192" fill="none" stroke="black"/>
              <path d="M 104,224 L 104,240" fill="none" stroke="black"/>
              <path d="M 104,288 L 104,328" fill="none" stroke="black"/>
              <path d="M 104,376 L 104,416" fill="none" stroke="black"/>
              <path d="M 128,112 L 128,144" fill="none" stroke="black"/>
              <path d="M 128,336 L 128,368" fill="none" stroke="black"/>
              <path d="M 224,48 L 224,64" fill="none" stroke="black"/>
              <path d="M 328,112 L 328,144" fill="none" stroke="black"/>
              <path d="M 328,336 L 328,368" fill="none" stroke="black"/>
              <path d="M 352,64 L 352,104" fill="none" stroke="black"/>
              <path d="M 352,152 L 352,192" fill="none" stroke="black"/>
              <path d="M 352,224 L 352,240" fill="none" stroke="black"/>
              <path d="M 352,288 L 352,328" fill="none" stroke="black"/>
              <path d="M 352,376 L 352,416" fill="none" stroke="black"/>
              <path d="M 376,112 L 376,144" fill="none" stroke="black"/>
              <path d="M 376,336 L 376,368" fill="none" stroke="black"/>
              <path d="M 400,128 L 400,352" fill="none" stroke="black"/>
              <path d="M 104,64 L 352,64" fill="none" stroke="black"/>
              <path d="M 80,112 L 128,112" fill="none" stroke="black"/>
              <path d="M 328,112 L 376,112" fill="none" stroke="black"/>
              <path d="M 56,128 L 72,128" fill="none" stroke="black"/>
              <path d="M 384,128 L 400,128" fill="none" stroke="black"/>
              <path d="M 80,144 L 128,144" fill="none" stroke="black"/>
              <path d="M 328,144 L 376,144" fill="none" stroke="black"/>
              <path d="M 40,240 L 56,240" fill="none" stroke="black"/>
              <path d="M 104,240 L 216,240" fill="none" stroke="black"/>
              <path d="M 240,240 L 352,240" fill="none" stroke="black"/>
              <path d="M 400,240 L 416,240" fill="none" stroke="black"/>
              <path d="M 104,288 L 216,288" fill="none" stroke="black"/>
              <path d="M 240,288 L 352,288" fill="none" stroke="black"/>
              <path d="M 80,336 L 128,336" fill="none" stroke="black"/>
              <path d="M 328,336 L 376,336" fill="none" stroke="black"/>
              <path d="M 56,352 L 72,352" fill="none" stroke="black"/>
              <path d="M 384,352 L 400,352" fill="none" stroke="black"/>
              <path d="M 80,368 L 128,368" fill="none" stroke="black"/>
              <path d="M 328,368 L 376,368" fill="none" stroke="black"/>
              <path d="M 128,430 L 320,430" fill="none" stroke="black"/>
              <path d="M 128,434 L 320,434" fill="none" stroke="black"/>
              <path d="M 216,240 L 240,288" fill="none" stroke="black"/>
              <path d="M 216,288 L 240,240" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="392,352 380,346.4 380,357.6" fill="black" transform="rotate(180,384,352)"/>
              <polygon class="arrowhead" points="392,128 380,122.4 380,133.6" fill="black" transform="rotate(180,384,128)"/>
              <polygon class="arrowhead" points="360,416 348,410.4 348,421.6" fill="black" transform="rotate(90,352,416)"/>
              <polygon class="arrowhead" points="360,328 348,322.4 348,333.6" fill="black" transform="rotate(90,352,328)"/>
              <polygon class="arrowhead" points="360,192 348,186.4 348,197.6" fill="black" transform="rotate(90,352,192)"/>
              <polygon class="arrowhead" points="360,104 348,98.4 348,109.6" fill="black" transform="rotate(90,352,104)"/>
              <polygon class="arrowhead" points="112,416 100,410.4 100,421.6" fill="black" transform="rotate(90,104,416)"/>
              <polygon class="arrowhead" points="112,328 100,322.4 100,333.6" fill="black" transform="rotate(90,104,328)"/>
              <polygon class="arrowhead" points="112,192 100,186.4 100,197.6" fill="black" transform="rotate(90,104,192)"/>
              <polygon class="arrowhead" points="112,104 100,98.4 100,109.6" fill="black" transform="rotate(90,104,104)"/>
              <polygon class="arrowhead" points="80,352 68,346.4 68,357.6" fill="black" transform="rotate(0,72,352)"/>
              <polygon class="arrowhead" points="80,128 68,122.4 68,133.6" fill="black" transform="rotate(0,72,128)"/>
              <g class="text">
                <text x="224" y="36">g</text>
                <text x="104" y="132">Exp</text>
                <text x="352" y="132">Exp</text>
                <text x="104" y="212">pkA</text>
                <text x="352" y="212">pkB</text>
                <text x="16" y="244">skA</text>
                <text x="440" y="244">skB</text>
                <text x="104" y="356">Exp</text>
                <text x="352" y="356">Exp</text>
                <text x="100" y="436">pkAB</text>
                <text x="348" y="436">pkBA</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
                            g
                            |
             +--------------+---------------+
             |                              |
             V                              V
          +-----+                        +-----+
       +->| Exp |                        | Exp |<-+
       |  +-----+                        +-----+  |
       |     |                              |     |
       |     |                              |     |
       |     V                              V     |
       |    pkA                            pkB    |
       |     |                              |     |
 skA --+     +-------------.  .-------------+     +-- skB
       |                    \/                    |
       |                    /\                    |
       |     +-------------'  '-------------+     |
       |     |                              |     |
       |     V                              V     |
       |  +-----+                        +-----+  |
       +->| Exp |                        | Exp |<-+
          +-----+                        +-----+
             |                              |
             |                              |
             V                              V
           pkAB ========================= pkBA
]]></artwork>
        </artset>
        <t>Nominal groups are an abstract model of the groups over which we instantiate
Diffie-Hellman key agreement <xref target="ABH_21"/>.  In practice they are instantiated
with elliptic curve groups, but the model applies to other groups as well.  A
nominal group comprises a set <tt>G</tt> together with a distinguished basis element
<tt>g</tt>, an "exponentiation" map, and some auxiliary functions:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Exp(p, x) -&gt; q</tt>: An algorithm that produces an element <tt>q</tt> of <tt>G</tt> from an
element <tt>p</tt> and an integer <tt>x</tt>.
            </t>
            <ul spacing="normal">
              <li>
                <t>The integers <tt>x</tt> are called "scalars" to distinguish them from group
elements.  The nominal group <tt>G</tt> is assumed to comprise a finite number
of elements <tt>r</tt>; scalars are integers modulo <tt>r</tt>, and all operations on
scalars are implicitly performed modulo <tt>r</tt>.</t>
              </li>
              <li>
                <t><tt>Exp</tt> must respect multiplication in its scalar argument <tt>x</tt>, so that
<tt>Exp(Exp(p, x), y) = Exp(p, x * y)</tt>.</t>
              </li>
            </ul>
          </li>
          <li>
            <t><tt>RandomScalar(seed) -&gt; k</tt>: Produce a uniform pseudorandom scalar from the
uniformly pseudorandom byte string <tt>seed</tt>.</t>
          </li>
          <li>
            <t><tt>ElementToSharedSecret(P) -&gt; ss</tt>: Extract a shared secret from an element
of the group (e.g., by taking the X coordinate of an elliptic curve point).</t>
          </li>
        </ul>
        <t>A scalar value of zero <bcp14>MUST NOT</bcp14> be used as a private key: it does not
correspond to a meaningful Diffie-Hellman exchange and, for some curves such
as P-256, is explicitly forbidden by the relevant standards and would yield a
point-at-infinity encoding that departs from the fixed-size model used here.
<tt>RandomScalar</tt> <bcp14>MUST NOT</bcp14> return a zero scalar; for the groups of interest this
occurs only with negligible probability.</t>
        <t>For some groups (for example P-256 and ristretto255), there exist byte
strings of the correct length that do not decode to a valid group element.
When <tt>Exp</tt> is given such an invalid element, it returns an error rather than a
shared secret.  A hybrid KEM whose nominal group can fail in this way is an
instance of an explicitly rejecting KEM (see <xref target="kems"/>): when <tt>Group_T.Exp</tt>
returns an error during decapsulation, the hybrid <tt>KEM_H.Decaps</tt> returns an
error.  This operates only on public data (the ciphertext), so failing
explicitly rather than substituting a pseudorandom shared secret is safe.</t>
        <t>We assume that scalars and group elements are represented by byte strings
with fixed lengths:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Nseed</tt>: The length in bytes of a seed (input to RandomScalar)</t>
          </li>
          <li>
            <t><tt>Nscalar</tt>: The length in bytes of a scalar</t>
          </li>
          <li>
            <t><tt>Nelem</tt>: The length in bytes of a serialized group element</t>
          </li>
          <li>
            <t><tt>Nss</tt>: The length in bytes of a shared secret produced by
ElementToSharedSecret</t>
          </li>
        </ul>
        <t>Groups used with the hybrid KEM framework in this document should be secure
with respect to the strong Diffie-Hellman problem (see <xref target="sdh"/>).</t>
      </section>
      <section anchor="prgs">
        <name>Pseudorandom Generators</name>
        <t>A pseudorandom generator (PRG) is a deterministic function whose outputs are
longer than its inputs. When the input is chosen uniformly at random, this
induces a certain distribution over the possible outputs. The output
distribution is pseudorandom if it is indistinguishable from the uniform
distribution.</t>
        <t>The <tt>PRG</tt>s used in this document have a simpler form, with fixed
output lengths:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Nout</tt>: The length in bytes of an output from this PRG.  Where it is
necessary to distinguish it from the output length of other components (such
as the <tt>KDF</tt>), it is written <tt>PRG.Nout</tt>.</t>
          </li>
          <li>
            <t><tt>PRG(seed) -&gt; output</tt>: Produce a byte string of length <tt>Nout</tt> from an input
byte string <tt>seed</tt>.</t>
          </li>
        </ul>
        <t>The fixed sizes are for both security and simplicity.</t>
        <t>A <tt>PRG</tt> used with the frameworks in this document <bcp14>MUST</bcp14> be a secure
pseudorandom generator (as defined in <xref target="security-prgs"/>) at the security level
required by the component algorithms it feeds.  It expands a single seed into a
longer output, of which a subset is passed to each component's key-generation
algorithm.</t>
        <t>The security requirements for <tt>PRG</tt>s used with the frameworks in this document
are laid out in <xref target="security-prgs"/>.</t>
      </section>
      <section anchor="kdfs">
        <name>Key Derivation Functions</name>
        <t>A Key Derivation Function (KDF) is a function that produces
keying material based on an input secret and other information.</t>
        <t>While KDFs in the literature can typically consume and produce byte strings
of arbitrary length, the KDFs used in this document have a simpler form, with
fixed output lengths:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Nout</tt>: The length in bytes of an output from this KDF.  Where it is
necessary to distinguish it from the output length of other components (such
as the <tt>PRG</tt>), it is written <tt>KDF.Nout</tt>.</t>
          </li>
          <li>
            <t><tt>KDF(input) -&gt; output</tt>: Produce a byte string of length <tt>Nout</tt> from an
input byte string.</t>
          </li>
        </ul>
        <t>The fixed sizes are for both security and simplicity.</t>
        <t>Any KDF that utilizes HKDF <xref target="HKDF"/> <bcp14>MUST</bcp14> fully specify HKDF's salt, IKM,
info, and L arguments.</t>
        <t>The security requirements for KDFs used with the frameworks in this document
are laid out in <xref target="security-kdfs"/>.</t>
      </section>
    </section>
    <section anchor="frameworks">
      <name>Hybrid KEM Frameworks</name>
      <t>In this section, we define four frameworks for building hybrid KEMs.  These
frameworks are based on a common set of subroutines for things like key
generation and computing a final shared secret.</t>
      <t>The four frameworks vary along two axes:</t>
      <ol spacing="normal" type="1"><li>
          <t>Whether traditional component is a nominal group or a KEM</t>
        </li>
        <li>
          <t>Whether to rely on the C2PRI property for the post-quantum component</t>
        </li>
      </ol>
      <t>The choice of which framework to use when building a hybrid KEM will depend
on the application's needs along these two axes.</t>
      <table anchor="variants">
        <name>Hybrid KEM frameworks</name>
        <thead>
          <tr>
            <th align="left">Name</th>
            <th align="left">PQ C2PRI?</th>
            <th align="left">T component</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">UG</td>
            <td align="left">No</td>
            <td align="left">Nominal group</td>
          </tr>
          <tr>
            <td align="left">UK</td>
            <td align="left">No</td>
            <td align="left">KEM</td>
          </tr>
          <tr>
            <td align="left">CG</td>
            <td align="left">Yes</td>
            <td align="left">Nominal group</td>
          </tr>
          <tr>
            <td align="left">CK</td>
            <td align="left">Yes</td>
            <td align="left">KEM</td>
          </tr>
        </tbody>
      </table>
      <t>Instantiating one of these frameworks creates a hybrid KEM <tt>KEM_H</tt> based on
the following constituent components:</t>
      <ul spacing="normal">
        <li>
          <t>A traditional component that is either a nominal group <tt>Group_T</tt> or a KEM
<tt>KEM_T</tt> (referred to as <tt>Comp_T</tt> when the distinction doesn't matter).</t>
        </li>
        <li>
          <t><tt>KEM_PQ</tt>: A post-quantum KEM</t>
        </li>
        <li>
          <t><tt>PRG</tt>: A PRG producing byte strings of length <tt>KEM_PQ.Nseed +
Comp_T.Nseed</tt> (<tt>PRG.Nout == KEM_PQ.Nseed + Comp_T.Nseed</tt>)</t>
        </li>
        <li>
          <t><tt>KDF</tt>: A KDF producing byte strings of length <tt>KEM_H.Nss</tt> (<tt>KDF.Nout
== KEM_H.Nss</tt>)</t>
        </li>
        <li>
          <t><tt>Label</tt> - A byte string used to label the specific combination of the above
components being used, as well as which framework is being instantiated.
This value should be registered in the Hybrid KEM
Labels IANA registry to avoid conflict with other instantiations (see
<xref target="iana-considerations"/>).</t>
        </li>
      </ul>
      <t><tt>KEM_PQ</tt>, <tt>Group_T</tt>, <tt>PRG</tt>, and <tt>KDF</tt> <bcp14>MUST</bcp14> meet the interfaces
described in <xref target="cryptographic-deps"/> and <bcp14>MUST</bcp14> meet the security requirements
described in <xref target="hybrid-ind-cca"/>.</t>
      <t>The constants for public values are derived from the concatenation of
encapsulation keys and ciphertexts:</t>
      <artwork><![CDATA[
KEM_H.Nek = KEM_PQ.Nek + (KEM_T.Nek or Group_T.Nelem)
KEM_H.Nct = KEM_PQ.Nct + (KEM_T.Nct or Group_T.Nelem)
]]></artwork>
      <t>The <tt>Nseed</tt> and <tt>Nss</tt> constants should reflect the overall security level of
the combined KEM, with the following recommended values:</t>
      <artwork><![CDATA[
KEM_H.Nseed = max(KEM_PQ.Nseed, (KEM_T.Nseed or Group_T.Nseed))
KEM_H.Nss = min(KEM_PQ.Nss, (KEM_T.Nss or Group_T.Nss))
]]></artwork>
      <t>Since we use the seed as the decapsulation key, <tt>Ndk = Nseed</tt>.  For legacy
cases where it is not possible to derive per-component decapsulation keys
from a common seed, see <xref target="key-generation"/>.</t>
      <section anchor="subroutines">
        <name>Subroutines</name>
        <t>The four hybrid KEM frameworks share a substantial amount of structure, which
we capture in a set of subroutines.</t>
        <section anchor="using-a-nominal-group">
          <name>Using a Nominal Group</name>
          <t>Hybrid KEM frameworks that use a nominal group for the traditional component
invoke the <tt>DeriveKeyPair</tt>, <tt>Encaps</tt>, and <tt>Decaps</tt> functions of PQ KEMs,
alongside analogous functions of the nominal group.  The "encapsulation key"
is the receiver's public key group element; the "ciphertext" is an ephemeral
group element; and the shared secret is the secret value resulting from an
ephemeral-static Diffie-Hellman exchange.</t>
          <artwork><![CDATA[
def expandDecapsKeyG(seed):
    seed_full = PRG(seed)
    (seed_PQ, seed_T) = split(KEM_PQ.Nseed, Group_T.Nseed, seed_full)

    (dk_PQ, ek_PQ) = KEM_PQ.DeriveKeyPair(seed_PQ)
    dk_T = Group_T.RandomScalar(seed_T)
    ek_T = Group_T.Exp(Group_T.g, dk_T)

    return (ek_PQ, ek_T, dk_PQ, dk_T)

def prepareEncapsG(ek_PQ, ek_T):
    (ss_PQ, ct_PQ) = KEM_PQ.Encaps(ek_PQ)
    sk_E = Group_T.RandomScalar(random(Group_T.Nseed))
    ct_T = Group_T.Exp(Group_T.g, sk_E)
    ss_T = Group_T.ElementToSharedSecret(Group_T.Exp(ek_T, sk_E))
    return (ss_PQ, ss_T, ct_PQ, ct_T)

def prepareDecapsG(ct_PQ, ct_T, dk_PQ, dk_T):
    ss_PQ = KEM_PQ.Decaps(dk_PQ, ct_PQ)
    ss_T = Group_T.ElementToSharedSecret(Group_T.Exp(ct_T, dk_T))
    return (ss_PQ, ss_T)
]]></artwork>
        </section>
        <section anchor="using-a-traditional-kem">
          <name>Using a Traditional KEM</name>
          <t>Hybrid KEM frameworks that use a KEM for the traditional component invoke the
<tt>DeriveKeyPair</tt>, <tt>Encaps</tt>, and <tt>Decaps</tt> functions of the traditional and PQ
KEMs in parallel.</t>
          <artwork><![CDATA[
def expandDecapsKeyK(seed):
    seed_full = PRG(seed)
    (seed_PQ, seed_T) = split(KEM_PQ.Nseed, KEM_T.Nseed, seed_full)
    (dk_PQ, ek_PQ) = KEM_PQ.DeriveKeyPair(seed_PQ)
    (dk_T, ek_T) = KEM_T.DeriveKeyPair(seed_T)
    return (ek_PQ, ek_T, dk_PQ, dk_T)

def prepareEncapsK(ek_PQ, ek_T):
    (ss_PQ, ct_PQ) = KEM_PQ.Encaps(ek_PQ)
    (ss_T, ct_T) = KEM_T.Encaps(ek_T)
    return (ss_PQ, ss_T, ct_PQ, ct_T)

def prepareDecapsK(ct_PQ, ct_T, dk_PQ, dk_T):
    ss_PQ = KEM_PQ.Decaps(dk_PQ, ct_PQ)
    ss_T = KEM_T.Decaps(dk_T, ct_T)
    return (ss_PQ, ss_T)
]]></artwork>
        </section>
        <section anchor="combiners">
          <name>Combiners</name>
          <t>A combiner function uses the <tt>KDF</tt> used in the hybrid KEM to combine the
shared secrets output by the component algorithms with contextual
information.</t>
          <t>The two combiner functions defined in this document are as follows:</t>
          <artwork><![CDATA[
def UniversalCombiner(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, label):
    return KDF(concat(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, label))

def C2PRICombiner(ss_PQ, ss_T, ct_T, ek_T, label):
    return KDF(concat(ss_PQ, ss_T, ct_T, ek_T, label))
]]></artwork>
          <t>Note that while the names of the inputs are suggestive of the shared secret,
ciphertext, and encapsulation key outputs of a KEM, the inputs to this
function in the hybrid KEM framework are not necessarily the output of a
secure KEM. In particular, when the framework is instantiated with a nominal
group, the "ciphertext" component is an ephemeral group element, and the
"encapsulation key" is the group element that functions as the recipient's
public key.</t>
          <t>The choice of combiner brings with it certain assumptions
under which the resulting hybrid KEM is secure.</t>
          <t>The <tt>UniversalCombiner</tt> combiner explicitly computes over shared secrets,
ciphertexts, and encapsulation keys from both components.  This allows the
resulting hybrid KEM to be secure as long as either component is secure, with
no further assumptions on the components.</t>
          <t>The <tt>C2PRICombiner</tt> combiner does not compute over the ciphertext or
encapsulation key from the PQ component. The resulting hybrid KEM will
be secure if the PQ component is IND-CCA secure, or, the traditional
component is secure and the PQ component also satisfies the C2PRI property.</t>
        </section>
      </section>
      <section anchor="key-generation">
        <name>Key Generation</name>
        <t>All four frameworks share a common key generation function, and a function to
compute the encapsulation key that corresponds to a decapsulation key:</t>
        <artwork><![CDATA[
def GenerateKeyPair():
    seed = random(Nseed)
    return DeriveKeyPair(seed)

def DecapsToEncaps(dk):
    # The dk is always in seed format
    (_, ek) = DeriveKeyPair(dk)
    return ek
]]></artwork>
        <t>In some deployment environments, it is not possible to instantiate this
process.  Some implementations of component schemes do not support the
<tt>DeriveKeyPair</tt> function, only <tt>GenerateKeyPair</tt>. Likewise in the nominal
group case, a (scalar, group element) pair will only be generated when the
scalar is generated internally to the implementation.</t>
        <t>An implementation of a hybrid KEM in such environments <bcp14>MAY</bcp14> deviate from the
above description in the following ways:</t>
        <ul spacing="normal">
          <li>
            <t><tt>DeriveKeyPair</tt> is not implemented.</t>
          </li>
          <li>
            <t><tt>GenerateKeyPair</tt> returns a decapsulation key that carries both the
decapsulation and encapsulation keys of each component, rather than a shared
seed:  </t>
            <artwork><![CDATA[
dk_H = (dk_PQ, ek_PQ, dk_T, ek_T)
ek_H = (ek_PQ, ek_T)
]]></artwork>
            <t>
Each element can be a key or a pointer/handle to a key.  Carrying the
component encapsulation keys explicitly avoids relying on the ability to
recompute an encapsulation key from a decapsulation key, which is not
supported by all KEM algorithms or implementations (for example, some
hardware modules do not expose such a function).</t>
          </li>
          <li>
            <t>The <tt>expandDecapsKeyG</tt> and <tt>expandDecapsKeyK</tt> functions are replaced by the
following, which simply extracts the stored components:</t>
          </li>
        </ul>
        <artwork><![CDATA[
def expandDecapsKey(dk):
    (dk_PQ, ek_PQ, dk_T, ek_T) = dk
    return (ek_PQ, ek_T, dk_PQ, dk_T)
]]></artwork>
        <t>These deviations have both interoperability and security impacts.</t>
        <t>From an interoperability point of view, the use of a second format for the
hybrid KEM decapsulation key (other than the shared seed) introduces the risk
of incompatibilities in cases where a private key needs to be moved from one
system to another.</t>
        <t>Separate key generation / handling also reduces binding properties from
MAL-BIND-P-Q to LEAK-BIND-P-Q. As discussed below, binding properties can
address a variety of attack scenarios, including LEAK scenarios in which an
attacker has passive access to the decapsulation key and MAL scenarios in
which an attacker can cause the victim to use a crafted decapsulation
key. The above hybrid KEM framework assures binding properties in the face of
a LEAK attacker, irrespective of how key generation is done. The additional
protection provided by the default "shared seed" key generation upgrades this to
protection against a MAL attacker.</t>
        <t>Allowing for separate private key generation and handling also introduces a
risk of inappropriate key reuse and cross-protocol attacks.  A given key pair
<bcp14>MUST NOT</bcp14> be used in both a hybrid KEM and a non-hybrid algorithm. A
pair of key pairs generated for a hybrid algorithm <bcp14>MUST</bcp14> only be used with
that hybrid algorithm, not separately with their component algorithms.
Likewise, key pairs generated outside of the context of a hybrid KEM <bcp14>MUST NOT</bcp14>
be used with a hybrid KEM.  The "shared seed" style of key generation
prevents such reuse, because the per-component private keys are derived
internally to the hybrid KEM.</t>
        <t>As a result, this alternative style of key generation should only be used in
environments where implementations of component algorithms do not allow
decapsulation keys to be imported or exported.  In scenarios where separate
key generation is used and decapsulation keys can be imported/exported,
additional measures should be put in place to mitigate the key reuse risks
noted above.</t>
      </section>
      <section anchor="ug-framework-universal-combiner-with-a-nominal-group">
        <name>UG Framework: Universal Combiner with a Nominal Group</name>
        <t>This framework combines a PQ KEM with a nominal group, using the universal
combiner function.  It should be used in cases where the application wants to
use a nominal group for the traditional component, and does not want to rely
on the C2PRI assumption for the PQ KEM.</t>
        <artwork><![CDATA[
def DeriveKeyPair(seed):
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyG(seed)
    return (seed, concat(ek_PQ, ek_T))

def Encaps(ek):
    (ek_PQ, ek_T) = split(KEM_PQ.Nek, Group_T.Nelem, ek)
    (ss_PQ, ss_T, ct_PQ, ct_T) = prepareEncapsG(ek_PQ, ek_T)
    ss_H = UniversalCombiner(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, Label)
    ct_H = concat(ct_PQ, ct_T)
    return (ss_H, ct_H)

def Decaps(dk, ct):
    (ct_PQ, ct_T) = split(KEM_PQ.Nct, Group_T.Nelem, ct)
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyG(dk)
    (ss_PQ, ss_T) = prepareDecapsG(ct_PQ, ct_T, dk_PQ, dk_T)
    ss_H = UniversalCombiner(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, Label)
    return ss_H
]]></artwork>
      </section>
      <section anchor="uk-framework-universal-combiner-with-a-kem">
        <name>UK Framework: Universal Combiner with a KEM</name>
        <t>This framework combines a PQ KEM with a traditional KEM, using the universal
combiner function.  It should be used in cases where the application wants to
use a KEM for the traditional component, and does not want to rely on the
C2PRI assumption for the PQ KEM.</t>
        <artwork><![CDATA[
def DeriveKeyPair(seed):
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyK(seed)
    return (seed, concat(ek_PQ, ek_T))

def Encaps(ek):
    (ek_PQ, ek_T) = split(KEM_PQ.Nek, KEM_T.Nek, ek)
    (ss_PQ, ss_T, ct_PQ, ct_T) = prepareEncapsK(ek_PQ, ek_T)
    ss_H = UniversalCombiner(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, Label)
    ct_H = concat(ct_PQ, ct_T)
    return (ss_H, ct_H)

def Decaps(dk, ct):
    (ct_PQ, ct_T) = split(KEM_PQ.Nct, KEM_T.Nct, ct)
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyK(dk)
    (ss_PQ, ss_T) = prepareDecapsK(ct_PQ, ct_T, dk_PQ, dk_T)
    ss_H = UniversalCombiner(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, Label)
    return ss_H
]]></artwork>
      </section>
      <section anchor="cg-framework-c2pri-combiner-with-a-nominal-group">
        <name>CG Framework: C2PRI Combiner with a Nominal Group</name>
        <t>This framework combines a PQ KEM with a nominal group, using the C2PRI
combiner function.  It should be used in cases where the application wants to
use a nominal group for the traditional component, and is comfortable relying
on the C2PRI assumption for the PQ KEM.</t>
        <artwork><![CDATA[
def DeriveKeyPair(seed):
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyG(seed)
    return (seed, concat(ek_PQ, ek_T))

def Encaps(ek):
    (ek_PQ, ek_T) = split(KEM_PQ.Nek, Group_T.Nelem, ek)
    (ss_PQ, ss_T, ct_PQ, ct_T) = prepareEncapsG(ek_PQ, ek_T)
    ss_H = C2PRICombiner(ss_PQ, ss_T, ct_T, ek_T, Label)
    ct_H = concat(ct_PQ, ct_T)
    return (ss_H, ct_H)

def Decaps(dk, ct):
    (ct_PQ, ct_T) = split(KEM_PQ.Nct, Group_T.Nelem, ct)
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyG(dk)
    (ss_PQ, ss_T) = prepareDecapsG(ct_PQ, ct_T, dk_PQ, dk_T)
    ss_H = C2PRICombiner(ss_PQ, ss_T, ct_T, ek_T, Label)
    return ss_H
]]></artwork>
      </section>
      <section anchor="ck-framework-c2pri-combiner-with-a-kem">
        <name>CK Framework: C2PRI Combiner with a KEM</name>
        <t>This framework combines a PQ KEM with a traditional KEM, using the C2PRI
combiner function.  It should be used in cases where the application wants to
use a KEM for the traditional component, and is comfortable relying on the
C2PRI assumption for the PQ KEM.</t>
        <artwork><![CDATA[
def DeriveKeyPair(seed):
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyK(seed)
    return (seed, concat(ek_PQ, ek_T))

def Encaps(ek):
    (ek_PQ, ek_T) = split(KEM_PQ.Nek, KEM_T.Nek, ek)
    (ss_PQ, ss_T, ct_PQ, ct_T) = prepareEncapsK(ek_PQ, ek_T)
    ss_H = C2PRICombiner(ss_PQ, ss_T, ct_T, ek_T, Label)
    ct_H = concat(ct_PQ, ct_T)
    return (ss_H, ct_H)

def Decaps(dk, ct):
    (ct_PQ, ct_T) = split(KEM_PQ.Nct, KEM_T.Nct, ct)
    (ek_PQ, ek_T, dk_PQ, dk_T) = expandDecapsKeyK(dk)
    (ss_PQ, ss_T) = prepareDecapsK(ct_PQ, ct_T, dk_PQ, dk_T)
    ss_H = C2PRICombiner(ss_PQ, ss_T, ct_T, ek_T, Label)
    return ss_H
]]></artwork>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>Hybrid KEMs provide security by combining two or more schemes so that
security is preserved if all but one scheme is broken. Informally, these
hybrid KEMs are secure if the <tt>KDF</tt> is secure, and either the traditional
component is secure, or the post-quantum KEM is secure: this is the 'hybrid'
property.</t>
      <t>In this section, we review the important security properties for hybrid KEMs,
and discuss how these security properties are provided by hybrid KEMs
constructed according to the framework in this document.</t>
      <section anchor="security-properties-for-component-algorithms">
        <name>Security Properties for Component Algorithms</name>
        <t>In order to precisely define our security objectives for a hybrid KEM, we
need to describe some properties that we will require from the component
algorithms.</t>
        <section anchor="indistinguishability-under-chosen-ciphertext-attack-ind-cca">
          <name>Indistinguishability under Chosen Ciphertext Attack (IND-CCA)</name>
          <t>The first goal we have for our hybrid KEM constructions is
indistinguishability under adaptive chosen ciphertext attack, or
IND-CCA <xref target="BHK09"/>. This is most common security goal for KEMs and public-key
encryption.</t>
          <t>For KEMs, IND-CCA requires that no efficient adversary, given a ciphertext
obtained by running <tt>Encaps()</tt> with an honestly-generated public key, can
distinguish whether it is given the "real" secret output from <tt>Encaps()</tt>, or
a random string unrelated to the <tt>Encaps()</tt> call that created that
ciphertext. (Readers should note that this definition is slightly different
than the corresponding definitions for public-key encryption <xref target="BHK09"/>.)</t>
          <t>Whether a given KEM provides IND-CCA depends on whether the attacker is
assumed to have access to quantum computing capabilities or not (assuming the
scheme is without bugs and the implementation is correct).  Post-quantum KEMs
are intended to provide IND-CCA security against such an attacker.
Traditional KEMs are not.</t>
          <t>IND-CCA is the standard security notion for KEMs; most PQ KEMs were
explicitly designed to achieve this type of security against both a
quantum attacker and a traditional one.</t>
          <t>For traditional algorithms, things are less clear.  The DHKEM construction in
<xref target="RFC9180"/> is an IND-CCA KEM based on Diffie-Hellman <xref target="ABH_21"/>, but "raw"
ephemeral-static Diffie-Hellman, interpreting the ephemeral public key as the
ciphertext, is not IND-CCA secure.  RSA-KEM is IND-CCA secure <xref target="ISO18033-2"/>,
and RSA-OAEP public-key encryption can be used to construct an IND-CCA KEM,
but "classical" RSA encryption (RSAES-PKCS1-v1_5 as defined in <xref target="RFC8017"/>)
is not even IND-CCA secure as a public-key encryption algorithm.</t>
        </section>
        <section anchor="ciphertext-second-preimage-resistance-c2pri">
          <name>Ciphertext Second-Preimage Resistance (C2PRI)</name>
          <t>Ciphertext Second-Preimage Resistance (C2PRI) is the property that given an
honestly generated ciphertext, it is difficult for an attacker to generate a
different ciphertext that decapsulates to the same shared secret.  In other
words, if an honest party computes <tt>(ss, ct) = Encaps(ek)</tt>, then it is
infeasible for an attacker to find another ciphertext <tt>ct'</tt> such that
<tt>Decaps(dk, ct') == ss</tt> (where <tt>dk</tt> is the decapsulation key corresponding to
the encapsulation key <tt>ek</tt>).</t>
          <t>A related notion in the literature is chosen-ciphertext resistance (CCR)
<xref target="CDM23"/>. C2PRI targets preimage-resistance, whereas CCR targets
collision-resistance, much like the analogous properties for hash functions.
In the language of the binding properties discussed in
<xref target="binding-properties"/>, CCR is equivalent to the property LEAK-BIND-K,PK-CT.</t>
          <t>C2PRI is a weaker property than CCR / LEAK-BIND-K,PK-CT because it requires
the attacker to match a specific, honestly generated ciphertext, as opposed
to finding an arbitrary pair.</t>
          <t>Several PQ KEMs have been shown to have C2PRI.  ML-KEM <xref target="FIPS203"/> was shown to have this
property in <xref target="XWING"/>, and <xref target="CHH_25"/> proves C2PRI for several other
algorithms, including FrodoKEM, HQC, Classic McEliece, and sntrup.</t>
        </section>
        <section anchor="sdh">
          <name>Strong Diffie-Hellman Problem (SDH)</name>
          <t>The strong Diffie-Hellman problem is whether an attacker can compute <tt>g^xy</tt>
given access to <tt>g^x</tt> and <tt>g^y</tt> and an oracle <tt>DH(Y, Z)</tt> that answers whether
<tt>Y^x = Z</tt>. (This is the notion specified in <xref target="XWING"/>, not the notion of the
same name used in the context of bilinear pairings <xref target="Cheon06"/>.)</t>
          <t>When we say that the strong Diffie-Hellman problem is hard in a group, we
always mean this in the context of classical attackers, without access to
quantum computers.  An attacker with access to a quantum computer that can
execute Shor's algorithm for a group can efficiently solve the discrete log
problem in that group, which implies the ability to solve the strong
Diffie-Hellman problem.</t>
          <t>As shown in <xref target="ABH_21"/>, this problem is hard in prime-order groups such as
the NIST elliptic curve groups P-256, P-384, and P-521, as well as in the
Montgomery curves Curve25519 and Curve448.</t>
        </section>
        <section anchor="binding-properties">
          <name>Binding Properties</name>
          <t>It is often useful for a KEM to have certain "binding" properties, by which
certain parameters determine certain others. Recent work <xref target="CDM23"/> gave a
useful framework of definitions for these binding properties. Binding for
KEMs is related to other properties for KEMs and public-key encryption, such
as robustness <xref target="GMP22"/> <xref target="ABN10"/>, and collision-freeness <xref target="MOHASSEL10"/>.</t>
          <t>The framework given by <xref target="CDM23"/> refers to these properties with labels of
the form X-BIND-P-Q.  The first element X is the model for how the attacker
can access the decapsulation key: HON for the case where the attacker never
accesses the decapsulation key, LEAK for the case where the attacker has
access to the honestly-generated decapsulation key, or MAL for the case where
the attacker can choose or manipulate the keys used by the victim.  P-Q means
that given the value P, it is hard to produce another Q that causes Decaps to
succeed. For example, LEAK-BIND-K-PK means that for a given shared secret (K)
obtained using an encapsulation key (PK), it is computationally infeasible to
find a distinct encapsulation key (PK') that could have produced the same
shared secret, even if all of the secrets involved are given to the adversary
after the encapsulation operation is completed (LEAK).</t>
          <t>There is quite a bit of diversity in the binding properties provided by KEMs.
Table 5 of <xref target="CDM23"/> shows the binding properties of a few KEMs.  For
example: DHKEM provides MAL-level binding for several properties. ML-KEM
provides only LEAK-level binding <xref target="SCHMIEG2024"/>. Classic McEliece provides MAL-BIND-K-CT,
but no assurance at all of X-BIND-K-PK.</t>
        </section>
        <section anchor="security-kdfs">
          <name>Indifferentiability from a Random Oracle</name>
          <t>The <tt>KDF</tt> used with a hybrid KEM <bcp14>MUST</bcp14> be indifferentiable from a random
oracle (RO) <xref target="MRH03"/>, even to a quantum attacker <xref target="BDFL_10"/> <xref target="ZHANDRY19"/>.
This is a conservative choice given a review of the existing security
analyses for our hybrid KEM constructions: most IND-CCA analyses for the four
frameworks require only that the <tt>KDF</tt> is some kind of pseudorandom function,
but the SDH-based IND-CCA analysis of CG in <xref target="XWING"/>, and the corresponding
analysis for UG <xref target="CG26"/> relies on the <tt>KDF</tt> being a RO. Proofs of our
target binding properties for our hybrid KEMs require the <tt>KDF</tt> is a
collision-resistant function.</t>
          <t>If the <tt>KDF</tt> is a RO, the key derivation step in the hybrid KEMs can be
viewed as applying a (RO-based) pseudorandom function - keyed with the shared
secrets output by the constituent KEMs - to the other inputs. Thus, analyses
which require the <tt>KDF</tt> to be a PRF, such as the one given in <xref target="GHP18"/> for
UK, or the standard-model analysis of CG in <xref target="XWING"/>, apply.</t>
          <t>Sponge-based constructions such as SHA-3 <xref target="FIPS202"/> have been shown to be
indifferentiable against classical <xref target="BDP_08"/> as well as quantum adversaries
<xref target="ACM_25"/>.</t>
          <t>HKDF has been shown to be indifferentiable from a random oracle under
specific constraints <xref target="LBB20"/>:</t>
          <ul spacing="normal">
            <li>
              <t>that HMAC is indifferentiable from a random oracle,
which for HMAC-SHA-256 has been shown in <xref target="DRS_13"/> when
the compression function underlying SHA-256 is a random oracle,
which is a regular assumption in the literature.</t>
            </li>
            <li>
              <t>the input domains used by HKDF's internal HMAC calls are disjoint.
Following Lemma 6 of <xref target="LBB20"/>, it suffices that the domains for <tt>IKM</tt>, for
<tt>info || 0x01</tt>, and for <tt>m || info || i</tt> (for <tt>i &gt;= 2</tt>, where <tt>m</tt> is an HMAC
output) are pairwise disjoint.  In general this is easily achieved by
considerations of length alone: it suffices that <tt>len(IKM)</tt> differs from
<tt>len(info) + 1</tt> and from <tt>len(info) + 1 + len(HMAC output)</tt>. This <bcp14>MUST</bcp14> be
enforced by the concrete instantiations that use HKDF as a <tt>KDF</tt>.</t>
            </li>
          </ul>
          <t>Using HKDF as a KDF in the sense defined in this document requires mapping the
single <tt>input</tt> defined here to the <tt>IKM</tt>, <tt>salt</tt>, and <tt>info</tt> inputs required by
HKDF.  Concrete instantiations <bcp14>MUST</bcp14> define this mapping in such a way that no
<tt>input</tt> value will ever map to colliding <tt>IKM</tt> and <tt>info</tt> values.</t>
          <t>The choice of the <tt>KDF</tt> security level <bcp14>SHOULD</bcp14> be made based on the security
level provided by the constituent KEMs. The <tt>KDF</tt> <bcp14>SHOULD</bcp14> at least have the
security level of the strongest constituent KEM.</t>
        </section>
        <section anchor="security-prgs">
          <name>Security Requirements for PRGs</name>
          <t>The functions used to expand a key seed to multiple key seeds is closer to a
pseudorandom generator (<tt>PRG</tt>) in its security requirements <xref target="AOB_24"/>.  A
secure PRG is an algorithm <tt>PRG</tt> : {0, 1}<sup>n</sup> → {0, 1}<sup>m</sup>,
such that no polynomial-time adversary can distinguish between <tt>PRG(r)</tt> (for
r $← {0, 1}<sup>n</sup>) and a random z $← {0, 1}<sup>m</sup> <xref target="Rosulek"/>.
The uniform string r ∈ {0, 1}<sup>n</sup> is called the seed of the <tt>PRG</tt>.</t>
          <t>A <tt>PRG</tt> is not to be confused with a random (or pseudorandom) <em>number</em>
generator (RNG): a <tt>PRG</tt> requires the seed randomness to be chosen uniformly
and extend it; an RNG takes sources of noisy data and transforms them into
uniform outputs.</t>
          <t><tt>PRG</tt>s are related to extendable output functions (XOFs) which can be built
from random oracles. Examples include SHAKE256.</t>
        </section>
      </section>
      <section anchor="security-properties">
        <name>Security Goals for Hybrid KEMs</name>
        <t>The security notions for hybrid KEMs are largely the same as for other
algorithms, but they are contingent on the security properties of the
component algorithms.  In this section we discuss the intended security
properties for hybrid KEMs and the requirements that the component algorithms
must meet in order for those properties to hold.</t>
        <section anchor="hybrid-ind-cca">
          <name>IND-CCA Security</name>
          <t>The idea of a hybrid KEM is that it should maintain its security if only one
of the two component KEMs is secure.  For a PQ/T hybrid KEM, this means that
the hybrid KEM should be secure against a quantum attacker if the T component
is broken, and secure against at least a classical attacker if the PQ
component is broken.</t>
          <t>More precisely, the hybrid KEM should meet two different notions of IND-CCA
security, under different assumptions about the component algorithms:</t>
          <ul spacing="normal">
            <li>
              <t>IND-CCA against a classical attacker if all of the following are true:
              </t>
              <ul spacing="normal">
                <li>
                  <t><tt>KDF</tt> is indifferentiable from a random oracle</t>
                </li>
                <li>
                  <t>If using <tt>Group_T</tt>: The strong Diffie-Hellman problem is hard in
<tt>Group_T</tt></t>
                </li>
                <li>
                  <t>If using <tt>KEM_T</tt>: <tt>KEM_T</tt> is IND-CCA against a classical attacker</t>
                </li>
                <li>
                  <t>If using <tt>C2PRICombiner</tt>: <tt>KEM_PQ</tt> is C2PRI</t>
                </li>
              </ul>
            </li>
            <li>
              <t>IND-CCA against a quantum attacker if all of the following are true:
              </t>
              <ul spacing="normal">
                <li>
                  <t><tt>KDF</tt> is indifferentiable from a random oracle</t>
                </li>
                <li>
                  <t><tt>KEM_PQ</tt> is IND-CCA against a quantum attacker</t>
                </li>
              </ul>
            </li>
          </ul>
          <t>Some IND-CCA analyses do not strictly require the <tt>KDF</tt> to be
indifferentiable from a random oracle; they instead only require a kind of
PRF assumption on the KDF. For simplicity we ignore this here; the security
analyses described below for our constructions will elaborate on this point
when appropriate.</t>
        </section>
        <section anchor="hybrid-binding">
          <name>Binding Properties</name>
          <t>The most salient binding properties for a hybrid KEM to be used in Internet
protocols are LEAK-BIND-K-PK and LEAK-BIND-K-CT.</t>
          <t>The LEAK attack model is most appropriate for Internet protocols.  There have
been attacks in the LEAK model <xref target="BJKS24"/> <xref target="FG24"/>, so a hybrid KEM needs to
be resilient at least to LEAK attacks (i.e., HON is too weak).  Internet
applications generally assume that private keys are honestly generated, so
MAL is too strong an attack model to address.</t>
          <t>The LEAK-BIND-K-PK and LEAK-BIND-K-CT properties are naturally aligned with
the needs of protocol design.  Protocols based on traditional algorithms
frequently need to incorporate transcript hashing in order to protect against
key confusion attacks <xref target="FG24"/> or KEM re-encapsulation attacks <xref target="BJKS24"/>.
The LEAK-BIND-K-PK and LEAK-BIND-K-CT properties prevent these attacks at the
level of the hybrid KEM. Protocol designers may still need or want to include
the ciphertext or encapsulation key into their protocol or key schedule for
other reasons, but that can be independent of the specific properties of the
KEM and its resulting shared secret.</t>
          <t>Implementors should not interpret the paragraph above as absolving them
of their responsibility to carefully think through whether MAL-BIND attacks
apply in their settings.</t>
        </section>
      </section>
      <section anchor="non-goals">
        <name>Security Non-goals for Hybrid KEMs</name>
        <t>Security properties not targeted by these designs are listed in
<xref target="out-of-scope"/>.</t>
      </section>
      <section anchor="security-analysis">
        <name>Security Analysis</name>
        <t>In this section, we describe how the hybrid KEM framework in this document
provides the security properties described above.</t>
        <section anchor="ind-cca-analyses">
          <name>IND-CCA analyses</name>
          <t>The UG construction has two complementary IND-CCA analyses: one for when the
SDH problem holds but the PQ KEM is broken, and one for the reverse. Both are
technically novel but are substantially similar to the existing peer-reviewed
analyses of the CG <xref target="XWING"/> and UK <xref target="GHP18"/> constructions. <xref target="CG26"/> by the
editorial team describes the analysis of UG in detail.</t>
          <t>The first IND-CCA analysis, based on SDH, is similar to the
corresponding analysis of CG given in <xref target="XWING"/>: it gives a straightforward
reduction to the SDH hardness in the underlying group. Notably, since the PQ
KEM key and ciphertext are hashed, the C2PRI security of the PQ KEM does not
appear in the bound.</t>
          <t>The second IND-CCA analysis is a straightforward reduction to the IND-CCA
security of the PQ KEM, and the PRF security of the RO when keyed with the PQ
KEM's shared secret.</t>
          <t>This document's UK construction does not have a dedicated IND-CCA analysis; the
<xref target="GHP18"/> paper on which the construction is based gives a slightly different
version, namely they do not include the public encapsulation keys in the
KDF. However, we argue that the proof goes through with trivial modifications
if the public encapsulation keys are included in the KDF. The relevant step
is claim 3 of Theorem 1, which reduces to the split-key pseudorandomness of
the KDF. (<xref target="GHP18"/> call the KDF a "core" function, and denote it as W.) We
observe that adding the public encapsulation keys to the inputs only changes
the concrete contents of the reduction's queries to its oracle. Since the
reduction chooses the public encapsulation keys itself, they can be added to
the oracle inputs, and the remainder of the proof goes through unmodified.</t>
          <t>We reiterate that modulo some low-level technical details, our requirement
that the KDF is indifferentiable from an RO implies that, in the ROM, the KDF
used in <xref target="GHP18"/> meets the split-key pseudorandomness property used in
<xref target="GHP18"/>'s analysis: this is shown in <xref target="GHP18"/>, Lemma 6, where a
pseudorandom skPRF is constructed from any almost-uniform keymixing function
in the random oracle model by <tt>H(g(k1,...,kn), x)</tt> , where <tt>H</tt> is modeled as
a random oracle and <tt>g</tt> is ϵ-almost uniform. Example 3 from <xref target="GHP18"/>
qualifies <tt>g(k_1,...,k_n) = k_1 || ... || k_n</tt> as ϵ-almost uniform with <tt>ϵ =
1/len(k_1 || ... || k_n)</tt>.</t>
          <t>Like UG, the CG construction has two complementary IND-CCA analyses. Both
were given in <xref target="XWING"/>. We summarize them but elide some details.</t>
          <t>One analysis (Theorem 1) <xref target="XWING"/> shows that if the KDF is modelled as a RO,
IND-CCA holds if the PQ KEM is broken, as long as the SDH problem holds in
the nominal group and the PQ KEM satisfies C2PRI. The other (Theorem 2)
<xref target="XWING"/> shows that if the PQ-KEM is IND-CCA and the KDF is a PRF keyed on
the PQ-KEM's shared secret, IND-CCA holds.</t>
          <t>As long as the aforementioned security requirements of the component parts
are met, these analyses imply that this document's CG construction satisfies
IND-CCA security.</t>
          <t>The CK construction has two complementary IND-CCA analyses: one for when the
IND-CCA security of the traditional PKE-based KEM holds but the PQ KEM is
broken, except for the PQ KEM's C2PRI security, and one for when the IND-CCA
security of the PQ KEM holds.  Both are technically novel but are
substantially similar to the existing peer-reviewed analyses of the CG
<xref target="XWING"/> and UK <xref target="GHP18"/> constructions. <xref target="COS_26"/> by the editorial team
and collaborators describes the analysis of CK in detail.</t>
          <t>Therefore all four hybrid KEMs in this document are IND-CCA when instantiated
with cryptographic components that meet the security requirements described
above. Any changes to the algorithms, including key generation/derivation,
are not guaranteed to produce secure results.</t>
          <t>The IND-CCA analyses of UG in <xref target="CG26"/>, CG in <xref target="XWING"/>, and CK in <xref target="COS_26"/>
all model component key generation as sampling the two component key pairs
independently, whereas the default key generation in this document derives both
component key pairs from a single seed via the PRG (<xref target="key-generation"/>). This
apparent mismatch is resolved by a standard hybrid argument: by the PRG security
required in <xref target="security-prgs"/>, the joint distribution of component key pairs derived
from a single seed is computationally indistinguishable from the joint
distribution of independently generated component key pairs. Thus, any IND-CCA
adversary against the shared-seed scheme implies an IND-CCA adversary against
the independent-keys scheme with at most an additive PRG-distinguishing term in
the bound. The same observation underlies the binding sketches in Section
<xref target="binding-analyses"/>.</t>
        </section>
        <section anchor="binding-analyses">
          <name>Binding analyses</name>
          <t>There are four hybrid KEM frameworks, and two target binding properties, so
we need eight total analyses.  The CG and CK binding analyses additionally
require the corresponding LEAK-BIND property of <tt>KEM_PQ</tt>.
None of these exact results were known; thus the following
are results by the editorial team.  We include informal
justifications here and defer rigorous proofs to a forthcoming paper.  <!--
TODO: Also cite https://eprint.iacr.org/2025/1416.pdf which has some results
about hybrid kem binding; unclear how they compare to ours though.-->
          </t>
          <t>We note that these sketches implicitly ignore the fact that in our hybrid
KEMs, both key pairs are derived from a common random seed; we instead
implicitly think of them as two runs of DeriveKeyPair with independent random
seeds.  We justify this simplification by noting that in the LEAK model - in
which the adversary is given the key pairs resulting from an honest run of
KeyGen - the pseudorandomness of the seed expansion implies the adversary's
input distributions in the two cases are computationally
indistinguishable. The derivation of component scheme key pairs from the
common random seed provides further protection against manipulation or
corruption of keys such that it can contribute to stronger binding properties
against a MAL adversary, as well as operational benefits in practice, but we
do not prove that here.</t>
          <t>The paper that establishes the IND-CCA security of the UG construction
(<xref target="CG26"/>) does not also include a proof of its binding properties.
Instead, <xref target="CG26"/> Section 4.3 observes that the binding arguments for UK
transfer to UG essentially unmodified, since both constructions include the
relevant ciphertexts and encapsulation keys in the KDF input; we make that
argument concrete in the sketches below. The sketches rely on collision
resistance of the KDF (<xref target="security-kdfs"/>), and for CG and CK, additionally on the
corresponding LEAK-BIND property of the PQ KEM.</t>
          <t>Two points of notation apply throughout the sketches below.  First, we
describe the LEAK-BIND games in terms of two honestly-generated key pairs,
following the formalization of <xref target="CDM23"/> (Figure 5).  In that game the
adversary may set the second key pair equal to the first, so the analyses also
cover the case of a single key pair (two distinct ciphertexts that decapsulate
to the same key under one decapsulation key); the KDF-collision arguments
cover both cases.  Second, we write <tt>reject</tt> for the abstract
decapsulation-failure symbol used in <xref target="CDM23"/>.  As noted in <xref target="kems"/>, a
<tt>Decaps</tt> in this document may return <tt>reject</tt> (for an explicitly rejecting
KEM) or, for an implicitly rejecting KEM, return a deterministic pseudorandom
output in place of <tt>reject</tt>.  The LEAK-BIND games are won only by a collision
on non-<tt>reject</tt> keys -- that is, both decapsulations must succeed -- so the
collision arguments below, which rely on distinct ciphertexts or public keys
producing distinct KDF inputs, are unaffected by how rejection is signaled.</t>
          <section anchor="ug-binding">
            <name>UG Binding</name>
            <section anchor="leak-bind-k-ct-of-ug">
              <name>LEAK-BIND-K-CT of UG</name>
              <t>Claim: If KDF is collision-resistant, then UG is LEAK-BIND-K-CT.</t>
              <t>Justification: To win LEAK-BIND-K-CT, given knowledge of two
honestly-generated UG secret keys, the adversary must construct two distinct
UG ciphertexts that decapsulate to the same (non-<tt>reject</tt>) key. Since UG
includes the ciphertexts in the key derivation, the condition that the
ciphertexts are distinct directly implies that a LEAK-BIND-K-CT win gives a
collision in the KDF.  This argument also covers the case where both
ciphertexts are decapsulated under a single decapsulation key: in the game of
<xref target="CDM23"/> (Figure 5) the adversary may set the two key pairs equal, and
distinct ciphertexts still produce distinct KDF inputs.</t>
            </section>
            <section anchor="leak-bind-k-pk-of-ug">
              <name>LEAK-BIND-K-PK of UG</name>
              <t>Claim: If KDF is collision-resistant, then UG is LEAK-BIND-K-PK.</t>
              <t>Justification: As described above, in the LEAK-BIND-K-PK game, to win the
adversary must construct two ciphertexts that decapsulate to the same non-<tt>reject</tt>
key, for distinct UG public keys. Again, since UG includes the public keys
in the KDF, the distinctness condition implies a LEAK-BIND-K-PK win must
collide the KDF.</t>
            </section>
          </section>
          <section anchor="uk-binding">
            <name>UK Binding</name>
            <section anchor="leak-bind-k-ct-of-uk">
              <name>LEAK-BIND-K-CT of UK</name>
              <t>Claim: If KDF is collision-resistant, then UK is LEAK-BIND-K-CT.</t>
              <t>Justification: To win LEAK-BIND-K-CT, given knowledge of two
honestly-generated UK secret keys, the adversary must construct two distinct
UK ciphertexts that decapsulate to the same (non-<tt>reject</tt>) key. Since UK
includes the ciphertexts in the key derivation, the condition that the
ciphertexts are distinct directly implies that a LEAK-BIND-K-CT win gives a
collision in the KDF.  This argument also covers the case where both
ciphertexts are decapsulated under a single decapsulation key: in the game of
<xref target="CDM23"/> (Figure 5) the adversary may set the two key pairs equal, and
distinct ciphertexts still produce distinct KDF inputs.</t>
            </section>
            <section anchor="leak-bind-k-pk-of-uk">
              <name>LEAK-BIND-K-PK of UK</name>
              <t>Claim: If KDF is collision-resistant, then UK is LEAK-BIND-K-PK.</t>
              <t>Justification: As described above, in the LEAK-BIND-K-PK game, to win the
adversary must construct two ciphertexts that decapsulate to the same non-<tt>reject</tt>
key, for distinct UK public keys. Again, since UK includes the public keys
in the KDF, the distinctness condition implies a LEAK-BIND-K-PK win must
collide the KDF.</t>
            </section>
          </section>
          <section anchor="cg-binding">
            <name>CG Binding</name>
            <t>The LEAK-BIND proofs for CG are a bit more subtle than for UK; the
main reason for this is CG's omission of the PQ KEM key and ciphertext from
the KDF. We will show that CG still has our target LEAK-BIND properties as
long as the underlying PQ-KEM also has the corresponding LEAK-BIND
property. We note that our preliminary results suggest that a different proof
strategy, which instead directly uses properties of the nominal group, may
work here; we present the PQ-KEM route for concreteness.</t>
            <section anchor="leak-bind-k-ct-of-cg">
              <name>LEAK-BIND-K-CT of CG</name>
              <t>Claim: If KDF is collision-resistant and the PQ KEM is LEAK-BIND-K-CT, then
CG is LEAK-BIND-K-CT.</t>
              <t>Justification: To win the adversary must construct two distinct CG
ciphertexts that decapsulate to the same non-<tt>reject</tt> key.  Call the CG
ciphertexts output by the adversary (ct_PQ^0, ct_T^0) and (ct_PQ^1,
ct_T^1). Distinctness implies (ct_PQ^0, ct_T^0) != (ct_PQ^1, ct_T^1). Since
ct_T is included in the KDF, if ct_T^0 != ct_T^1, a win must collide the KDF.</t>
              <t>Thus we can restrict attention to the case where ct_PQ^0 != ct_PQ^1 but
ct_T^0 = ct_T^1. In this case, there are two relevant sub-cases: either
ss_PQ^0 (:= KEM_PQ.Decaps(dk_PQ^0, ct_PQ^0)) is not equal to ss_PQ^1 (:=
KEM_PQ.Decaps(dk_PQ^1, ct_PQ^1)), or they are equal. If they are not equal,
the KDF inputs are again distinct, so a LEAK-BIND-K-CT win must collide the
KDF.</t>
              <t>If ss_PQ^0 = ss_PQ^1, we can show a reduction to the LEAK-BIND-K-CT security
of the PQ KEM. The reduction is given two PQ KEM key pairs as input and must
output two distinct PQ KEM ciphertexts that decapsulate to the same key. Per
the LEAK-BIND-K-CT game of <xref target="CDM23"/> (Figure 5), these two ciphertexts may be
decapsulated under either the same key pair or the two distinct key pairs, at
the adversary's choice; the reduction covers both cases. The
reduction does this by generating two nominal-group key pairs and running the
CG LEAK-BIND-K-CT adversary on all keys. Then the reduction outputs the PQ
KEM ciphertexts output by the adversary. The probability that the adversary
wins and ss_PQ^0 = ss_PQ^1 and ct_PQ^0 != ct_PQ^1 and ct_T^0 = ct_T^1 is a
lower bound on the probability of the reduction winning the LEAK-BIND-K-CT
game against the PQ KEM.</t>
              <t>We conclude by noting these cases are exhaustive.</t>
            </section>
            <section anchor="leak-bind-k-pk-of-cg">
              <name>LEAK-BIND-K-PK of CG</name>
              <t>Claim: If KDF is collision-resistant and the PQ KEM is LEAK-BIND-K-PK, then
CG is LEAK-BIND-K-PK.</t>
              <t>Justification: Similar to the above, we proceed by a case analysis on the win
condition of the LEAK-BIND-K-PK game.  The condition is (ek_PQ^0, ek_T^0) !=
(ek_PQ^1, ek_T^1) and ss_H^0 = ss_H^1. Again, as above we argue that the only
nontrivial case is the one where ek_PQ^0 != ek_PQ^1 but ek_T^0 = ek_T^1: in
the other case we can directly get a KDF collision from a winning output. In
this case the result of KEM_PQ.Decaps for the two PQ KEM keys can either be
the same or different. IF they are different, we again get a KDF collision
from a win. If they are the same, in a similar way as above, we can build a
reduction to the LEAK-BIND-K-PK of PQ KEM.</t>
              <t>Again, we conclude by noting that these cases are exhaustive.</t>
            </section>
          </section>
          <section anchor="ck-binding">
            <name>CK Binding</name>
            <section anchor="leak-bind-k-ct-of-ck">
              <name>LEAK-BIND-K-CT of CK</name>
              <t>Claim: If KDF is collision-resistant and the PQ KEM is LEAK-BIND-K-CT, then
CK is LEAK-BIND-K-CT.</t>
              <t>Justification: To win the adversary must construct two distinct CK
ciphertexts that decapsulate to the same non-<tt>reject</tt> key.  Call the CK
ciphertexts output by the adversary (ct_PQ^0, ct_T^0) and (ct_PQ^1,
ct_T^1). Distinctness implies (ct_PQ^0, ct_T^0) != (ct_PQ^1, ct_T^1). Since
ct_T is included in the KDF, if ct_T^0 != ct_T^1, a win must collide the KDF.</t>
              <t>Thus we can restrict attention to the case where ct_PQ^0 != ct_PQ^1 but
ct_T^0 = ct_T^1. In this case, there are two relevant sub-cases: either
ss_PQ^0 (:= KEM_PQ.Decaps(dk_PQ^0, ct_PQ^0)) is not equal to ss_PQ^1 (:=
KEM_PQ.Decaps(dk_PQ^1, ct_PQ^1)), or they are equal. If they are not equal, the
KDF inputs are again distinct, so a LEAK-BIND-K-CT win must collide the KDF.</t>
              <t>If ss_PQ^0 = ss_PQ^1, we can show a reduction to the LEAK-BIND-K-CT security
of the PQ KEM. The reduction is given two PQ KEM key pairs as input and must
output two distinct PQ KEM ciphertexts that decapsulate to the same key. Per
the LEAK-BIND-K-CT game of <xref target="CDM23"/> (Figure 5), these two ciphertexts may be
decapsulated under either the same key pair or the two distinct key pairs, at
the adversary's choice; the reduction covers both cases. The
reduction does this by generating two traditional KEM key pairs and running the
CK LEAK-BIND-K-CT adversary on all keys. Then the reduction outputs the PQ
KEM ciphertexts output by the adversary. The probability that the adversary
wins and ss_PQ^0 = ss_PQ^1 and ct_PQ^0 != ct_PQ^1 and ct_T^0 = ct_T^1 is a
lower bound on the probability of the reduction winning the LEAK-BIND-K-CT
game against the PQ KEM.</t>
              <t>We conclude by noting these cases are exhaustive.</t>
            </section>
            <section anchor="leak-bind-k-pk-of-ck">
              <name>LEAK-BIND-K-PK of CK</name>
              <t>Claim: If KDF is collision-resistant and the PQ KEM is LEAK-BIND-K-PK, then
CK is LEAK-BIND-K-PK.</t>
              <t>Justification: Similar to the above, we proceed by a case analysis on the win
condition of the LEAK-BIND-K-PK game.  The condition is (ek_PQ^0, ek_T^0) !=
(ek_PQ^1, ek_T^1) and ss_H^0 = ss_H^1. Again, as above we argue that the only
nontrivial case is the one where ek_PQ^0 != ek_PQ^1 but ek_T^0 = ek_T^1: in
the other case we can directly get a KDF collision from a winning output. In
this case the result of KEM_PQ.Decaps for the two PQ KEM keys can either be
the same or different. IF they are different, we again get a KDF collision
from a win. If they are the same, in a similar way as above, we can build a
reduction to the LEAK-BIND-K-PK of PQ KEM.</t>
              <t>Again, we conclude by noting that these cases are exhaustive.</t>
            </section>
          </section>
        </section>
      </section>
      <section anchor="other-considerations">
        <name>Other Considerations</name>
        <section anchor="domain-separation">
          <name>Domain Separation</name>
          <t>ASCII-encoded bytes provide oracle cloning <xref target="BDG20"/> in the security game
via domain separation. The IND-CCA security of hybrid KEMs often relies on
the KDF function <tt>KDF</tt> to behave as an independent random oracle, which the
inclusion of the <tt>label</tt> achieves via domain separation <xref target="GHP18"/>.</t>
          <t>By design, the calls to <tt>KDF</tt> in these frameworks and usage anywhere else
in higher level protocol use separate input domains unless intentionally
duplicating the 'label' per concrete instance with fixed parameters. This
justifies modeling them as independent functions even if instantiated by the
same KDF. This domain separation is achieved by using suffix-free sets of
<tt>label</tt> values.  Recall that a set is suffix-free if no element is a suffix of
another within the set.</t>
          <t>Length differentiation is sometimes used to achieve domain separation but as
a technique it is brittle and prone to misuse <xref target="BDG20"/> in practice so we
favor the use of an explicit post-fix label.</t>
        </section>
        <section anchor="fixed-length">
          <name>Fixed-length</name>
          <t>Variable-length secrets are generally dangerous. In particular, using key
material of variable length and processing it using hash functions may result
in a timing side channel. In broad terms, when the secret is longer, the hash
function may need to process more blocks internally. In some unfortunate
circumstances, this has led to timing attacks, e.g. the Lucky Thirteen
<xref target="LUCKY13"/> and Raccoon <xref target="RACCOON"/> attacks.</t>
          <t>Furthermore, <xref target="AVIRAM"/> identified a risk of using variable-length secrets when
the hash function used in the key derivation function is no longer
collision-resistant.</t>
          <t>If concatenation were to be used with values that are not fixed-length, a
length prefix or other unambiguous encoding would need to be used to ensure
that the composition of the two values is injective and requires a mechanism
different from that specified in this document.</t>
          <t>Therefore, this specification <bcp14>MUST</bcp14> only be used with algorithms which have
fixed-length shared secrets.</t>
        </section>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests that IANA create a registry "Hybrid KEM Labels", which
lists labels that uniquely identify instantiations of the frameworks in this
document.  The registry should be administered under the First Come First
Served policy <xref target="RFC8126"/>.</t>
      <t>Template:</t>
      <ul spacing="normal">
        <li>
          <t>Label: The name of the wire format</t>
        </li>
        <li>
          <t>Framework: The framework used in the hybrid KEM.  This value <bcp14>MUST</bcp14> be one of
the following values: "UG", "UK", "CG", or "CK".</t>
        </li>
        <li>
          <t>PQ component: The name of the post-quantum KEM used in the hybrid KEM.</t>
        </li>
        <li>
          <t>Traditional component: The name of the traditional KEM or nominal group
used in the hybrid KEM.</t>
        </li>
        <li>
          <t>KDF: The name of the Key Derivation Function used in the hybrid KEM.</t>
        </li>
        <li>
          <t>PRG: The name of the Pseudorandom Generator used in the hybrid KEM.</t>
        </li>
        <li>
          <t>Nseed: An integer representing the size of a seed for this hybrid KEM.</t>
        </li>
        <li>
          <t>Nss: An integer representing the size of a shared secret for this hybrid
KEM.</t>
        </li>
        <li>
          <t>Reference (optional): The document where this hybrid KEM is defined</t>
        </li>
      </ul>
      <t>To preserve the domain separation described in <xref target="domain-separation"/>, the set
of registered <tt>Label</tt> values <bcp14>MUST</bcp14> be suffix-free: no registered <tt>Label</tt> may be
a suffix of another.  A registration request whose <tt>Label</tt> is a suffix of an
already-registered <tt>Label</tt>, or of which an already-registered <tt>Label</tt> is a
suffix, <bcp14>MUST</bcp14> be rejected.</t>
      <t>The registry should initially be empty.</t>
    </section>
    <section anchor="out-of-scope">
      <name>Out of Scope</name>
      <t>Security properties and design considerations that were considered
and not included in these designs:</t>
      <ul spacing="normal">
        <li>
          <t>Anonymity <xref target="GMP22"/>, deniability, obfuscation, other forms of key-robustness
or binding <xref target="GMP22"/>, <xref target="CDM23"/></t>
        </li>
        <li>
          <t>More than two components: this document restricts the scope to two
components: one post-quantum component and one traditional component</t>
        </li>
        <li>
          <t>Parameterized output length: not analyzed as part of any security
proofs in the literature, and a complication deemed unnecessary</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="FIPS202">
          <front>
            <title>SHA-3 standard :: permutation-based hash and extendable-output functions</title>
            <author>
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.202"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="FIPS203">
          <front>
            <title>Module-lattice-based key-encapsulation mechanism standard</title>
            <author>
              <organization/>
            </author>
            <date month="August" year="2024"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.203"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="ABH_21">
          <front>
            <title>Analysing the HPKE standard.</title>
            <author initials="" surname="Joël Alwen">
              <organization/>
            </author>
            <author initials="" surname="Bruno Blanchet">
              <organization/>
            </author>
            <author initials="" surname="Eduard Hauck">
              <organization/>
            </author>
            <author initials="" surname="Eike Kiltz">
              <organization/>
            </author>
            <author initials="" surname="Benjamin Lipp">
              <organization/>
            </author>
            <author initials="" surname="Doreen Riepel">
              <organization/>
            </author>
            <date year="2021" month="April"/>
          </front>
        </reference>
        <reference anchor="ABN10" target="https://eprint.iacr.org/2008/440.pdf">
          <front>
            <title>Robust Encryption</title>
            <author>
              <organization/>
            </author>
            <date year="2010"/>
          </front>
        </reference>
        <reference anchor="ACM_25" target="https://eprint.iacr.org/2025/731.pdf">
          <front>
            <title>The Sponge is Quantum Indifferentiable</title>
            <author>
              <organization/>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="AOB_24" target="https://eprint.iacr.org/2024/843.pdf">
          <front>
            <title>Formally verifying Kyber Episode V: Machine-checked IND-CCA security and correctness of ML-KEM in EasyCrypt</title>
            <author>
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="AVIRAM" target="https://mailarchive.ietf.org/arch/msg/tls/F4SVeL2xbGPaPB2GW_GkBbD_a5M/">
          <front>
            <title>[TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3</title>
            <author initials="" surname="Nimrod Aviram">
              <organization/>
            </author>
            <author initials="" surname="Benjamin Dowling">
              <organization/>
            </author>
            <author initials="" surname="Ilan Komargodski">
              <organization/>
            </author>
            <author initials="" surname="Kenny Paterson">
              <organization/>
            </author>
            <author initials="" surname="Eyal Ronen">
              <organization/>
            </author>
            <author initials="" surname="Eylon Yogev">
              <organization/>
            </author>
            <date year="2021" month="September" day="01"/>
          </front>
        </reference>
        <reference anchor="BDFL_10" target="https://eprint.iacr.org/2010/428.pdf">
          <front>
            <title>Random Oracles in a Quantum World</title>
            <author>
              <organization/>
            </author>
            <date year="2010"/>
          </front>
        </reference>
        <reference anchor="BDG20" target="https://eprint.iacr.org/2020/241.pdf">
          <front>
            <title>Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability</title>
            <author>
              <organization/>
            </author>
            <date year="2020"/>
          </front>
        </reference>
        <reference anchor="BDP_08" target="https://www.iacr.org/archive/eurocrypt2008/49650180/49650180.pdf">
          <front>
            <title>On the Indifferentiability of the Sponge Construction</title>
            <author>
              <organization/>
            </author>
            <date year="2008"/>
          </front>
        </reference>
        <reference anchor="BHK09" target="https://eprint.iacr.org/2009/418">
          <front>
            <title>Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?</title>
            <author fullname="Mihir Bellare">
              <organization>University of California San Diego</organization>
            </author>
            <author fullname="Dennis Hofheinz">
              <organization>CWI Amsterdam</organization>
            </author>
            <author fullname="Eike Kiltz">
              <organization>CWI Amsterdam</organization>
            </author>
            <date year="2009"/>
          </front>
        </reference>
        <reference anchor="BJKS24" target="https://www.usenix.org/system/files/usenixsecurity24-bhargavan.pdf">
          <front>
            <title>Formal verification of the PQXDH Post-Quantum key agreement protocol for end-to-end secure messaging</title>
            <author>
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="Cheon06">
          <front>
            <title>Security Analysis of the Strong Diffie-Hellman Problem</title>
            <author fullname="Jung Hee Cheon">
              <organization>Seoul National University</organization>
            </author>
            <date year="2006"/>
          </front>
        </reference>
        <reference anchor="CDM23" target="https://eprint.iacr.org/2023/1933.pdf">
          <front>
            <title>Keeping Up with the KEMs: Stronger Security Notions for KEMs and automated analysis of KEM-based protocols</title>
            <author initials="C." surname="Cremers" fullname="Cas Cremers">
              <organization>CISPA Helmholtz Center for Information Security</organization>
            </author>
            <author initials="A." surname="Dax" fullname="Alexander Dax">
              <organization>CISPA Helmholtz Center for Information Security</organization>
            </author>
            <author initials="N." surname="Medinger" fullname="Niklas Medinger">
              <organization>CISPA Helmholtz Center for Information Security</organization>
            </author>
            <date year="2023"/>
          </front>
        </reference>
        <reference anchor="CG26">
          <front>
            <title>StarFortress:: Hybrid KEMs with Diffie-Hellman Inlining</title>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>Oracle; Selkie Cryptography</organization>
            </author>
            <author fullname="Paul Grubbs" initials="P." surname="Grubbs">
              <organization>University of Michigan</organization>
            </author>
            <date month="May" year="2026"/>
          </front>
          <seriesInfo name="IACR Communications in Cryptology" value="vol. 3, no. 1"/>
          <seriesInfo name="DOI" value="10.62056/ahmp-49p1"/>
          <refcontent>International Association for Cryptologic Research</refcontent>
        </reference>
        <reference anchor="COS_26" target="https://eprint.iacr.org/2026/427">
          <front>
            <title>StarHunters— Secure Hybrid Post-Quantum KEMs From IND-CCA2 PKEs</title>
            <author>
              <organization/>
            </author>
            <date year="2026"/>
          </front>
        </reference>
        <reference anchor="CHH_25" target="https://eprint.iacr.org/2025/1397">
          <front>
            <title>Starfighters — on the general applicability of X-Wing</title>
            <author>
              <organization/>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="DRS_13" target="https://eprint.iacr.org/2013/382.pdf">
          <front>
            <title>To Hash or Not to Hash Again? (In)differentiability Results for H^2 and HMAC</title>
            <author>
              <organization/>
            </author>
            <date year="2013"/>
          </front>
        </reference>
        <reference anchor="FG24" target="https://link.springer.com/chapter/10.1007/978-3-031-91823-0_5">
          <front>
            <title>Security Analysis of Signal's PQXDH Handshake</title>
            <author>
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="GHP18" target="https://eprint.iacr.org/2018/024.pdf">
          <front>
            <title>KEM Combiners</title>
            <author initials="F." surname="Giacon" fullname="Federico Giacon">
              <organization/>
            </author>
            <author initials="F." surname="Heuer" fullname="Felix Heuer">
              <organization/>
            </author>
            <author initials="B." surname="Poettering" fullname="Bertram Poettering">
              <organization/>
            </author>
            <date year="2018"/>
          </front>
        </reference>
        <reference anchor="GMP22" target="https://eprint.iacr.org/2021/708.pdf">
          <front>
            <title>Anonymous, Robust Post-Quantum Public-Key Encryption</title>
            <author initials="P." surname="Grubbs" fullname="P. Grubbs">
              <organization/>
            </author>
            <author initials="V." surname="Maram" fullname="V. Maram">
              <organization/>
            </author>
            <author initials="K.G." surname="Paterson" fullname="K.G. Paterson">
              <organization/>
            </author>
            <date year="2022"/>
          </front>
        </reference>
        <reference anchor="LBB20" target="https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&amp;arnumber=8806752">
          <front>
            <title>A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol</title>
            <author>
              <organization/>
            </author>
            <date year="2019"/>
          </front>
        </reference>
        <reference anchor="LUCKY13" target="https://ieeexplore.ieee.org/iel7/6547086/6547088/06547131.pdf">
          <front>
            <title>Lucky Thirteen: Breaking the TLS and DTLS record protocols</title>
            <author initials="N. J." surname="Al Fardan">
              <organization/>
            </author>
            <author initials="K. G." surname="Paterson">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="HKDF">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="ISO18033-2" target="https://www.iso.org/standard/37971.html">
          <front>
            <title>Information technology -- Security techniques -- Encryption algorithms -- Part 2: Asymmetric ciphers</title>
            <author>
              <organization/>
            </author>
            <date year="2006"/>
          </front>
        </reference>
        <reference anchor="MOHASSEL10" target="https://www.iacr.org/archive/asiacrypt2010/6477505/6477505.pdf">
          <front>
            <title>A closer look at anonymity and robustness in encryption schemes.</title>
            <author>
              <organization/>
            </author>
            <date year="2010"/>
          </front>
        </reference>
        <reference anchor="MRH03" target="https://eprint.iacr.org/2003/161.pdf">
          <front>
            <title>Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology</title>
            <author>
              <organization/>
            </author>
            <date year="2003"/>
          </front>
        </reference>
        <reference anchor="RACCOON" target="https://raccoon-attack.com/">
          <front>
            <title>Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)</title>
            <author initials="R." surname="Merget">
              <organization/>
            </author>
            <author initials="M." surname="Brinkmann">
              <organization/>
            </author>
            <author initials="N." surname="Aviram">
              <organization/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization/>
            </author>
            <author initials="J." surname="Mittmann">
              <organization/>
            </author>
            <author initials="J." surname="Schwenk">
              <organization/>
            </author>
            <date year="2020" month="September"/>
          </front>
        </reference>
        <reference anchor="Rosulek" target="https://joyofcryptography.com/pdf/book.pdf">
          <front>
            <title>The Joy of Cryptography</title>
            <author>
              <organization/>
            </author>
            <date year="2021"/>
          </front>
        </reference>
        <reference anchor="SCHMIEG2024" target="https://eprint.iacr.org/2024/523.pdf">
          <front>
            <title>Unbindable Kemmy Schmidt: ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK</title>
            <author initials="S." surname="Schmieg" fullname="Sophie Schmieg">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="XWING" target="https://eprint.iacr.org/2024/039.pdf">
          <front>
            <title>X-Wing: The Hybrid KEM You’ve Been Looking For</title>
            <author>
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="ZHANDRY19" target="https://doi.org/10.1007/978-3-030-26951-7_9">
          <front>
            <title>How to Record Quantum Queries, and Applications to Quantum Indifferentiability</title>
            <author>
              <organization/>
            </author>
            <date year="2019"/>
          </front>
        </reference>
        <reference anchor="RFC9794">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="F. Driscoll" initials="F." surname="Driscoll"/>
            <author fullname="M. Parsons" initials="M." surname="Parsons"/>
            <author fullname="B. Hale" initials="B." surname="Hale"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9794"/>
          <seriesInfo name="DOI" value="10.17487/RFC9794"/>
        </reference>
        <reference anchor="RFC9180">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC8017">
          <front>
            <title>PKCS #1: RSA Cryptography Specifications Version 2.2</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="J. Jonsson" initials="J." surname="Jonsson"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="November" year="2016"/>
            <abstract>
              <t>This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes.</t>
              <t>This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 3447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8017"/>
          <seriesInfo name="DOI" value="10.17487/RFC8017"/>
        </reference>
      </references>
    </references>
    <?line 1545?>

<section anchor="deterministic-encapsulation">
      <name>Deterministic Encapsulation</name>
      <t>When verifying the behavior of a KEM implementation (e.g., by generating or
verifying test vectors), it is useful for the implementation to expose a
"derandomized" version of the <tt>Encaps</tt> algorithm:</t>
      <ul spacing="normal">
        <li>
          <t><tt>EncapsDerand(ek, randomness) -&gt; (shared_secret, ct)</tt>: A deterministic
 encapsulation algorithm, which takes as input a public encapsulation key
 <tt>ek</tt> and randomness <tt>randomness</tt>, and outputs a shared secret
 <tt>shared_secret</tt> and ciphertext <tt>ct</tt>.</t>
        </li>
      </ul>
      <t>An implementation that exposes <tt>EncapsDerand</tt> must also define a required
amount of randomness:</t>
      <ul spacing="normal">
        <li>
          <t><tt>Nrandom</tt>: The length in bytes of the randomness provided to EncapsDerand</t>
        </li>
      </ul>
      <t>The corresponding change for a nominal group is to replace randomly-generated
inputs to <tt>RandomScalar</tt> with deterministic ones.  In other words, for a
nominal group, <tt>Nrandom = Nseed</tt>.</t>
      <t>When a hybrid KEM is instantiated with constituents that support derandomized
encapsulation (either KEMs or groups), the hybrid KEM can also support
<tt>EncapsDerand()</tt>, with <tt>Nrandom = PQ.Nrandom + T.Nrandom</tt>.  The structure of
the hybrid KEM's <tt>EncapsDerand</tt> algorithm is the same as its <tt>Encaps</tt> method,
with the following differences:</t>
      <ul spacing="normal">
        <li>
          <t>The <tt>EncapsDerand</tt> algorithm also takes a <tt>randomness</tt> parameter, which is
a byte string of length <tt>Nrandom</tt>.</t>
        </li>
        <li>
          <t>Invocations of <tt>Encaps</tt> or <tt>RandomScalar</tt> (with a random input) in the
constituent algorithms are replaced with calls to <tt>EncapsDerand</tt> or
<tt>RandomScalar</tt> with a deterministic input.</t>
        </li>
        <li>
          <t>The randomness used by the PQ constituent is the first <tt>PQ.Nrandom</tt> bytes
of the input randomness.</t>
        </li>
        <li>
          <t>The randomness used by the traditional constituent is the final <tt>T.Nrandom</tt>
bytes of the input randomness.</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+292VYcWbYg+H6+4lyiVgtS7s6gISQyI7MQSEAiIQQohltV
GW64HxxLzM08zcwBDyLuqqe76rFWrXqpt37v5/qB7g+of8gv6T2dycxAhDJu
1r3dobUiAHezM+557Pf7qk7rzGzqpb3FWZmO9dGH1VN9YBb6dT5KZtU8S+q0
yPU7M7pI8rSaVksqOTsrzdWmvqA3+pdmWqlRUptJUS42dZqfF0qNi1GeTGHc
cZmc1/20rM/7o/Ny0g9e6q9vqGp+Nk2rCqaoFzN4fP/49I0aFXll8mpeberz
JKuMgsmeqOuivJyUxXwGi90uF7O60G+Kcj5dUiqZ1xdFual0X2n4dz7PMp59
x6TluDR6u8jzIssW9HVRTmArP9DGNvVJko/PiputD/SdmSZpBquew8Cjcl7V
82w+/fcT/HQwKqbtGY5TOJhyrF8lZW6qjvG302pUhGOX2dm/T2dXg+qmPdpR
Ms/0bjk/O+sa6mOeXpmySuuFLs71O5g5ha/DsWfw/oReX98IVq0U3ko5hXGu
DByTfrN/dLKxtgEH9H5/sL42eL628WL1cP/kdIDfDOAr99CTux96Ag9tvdp7
vLG+SYuwoLSVJ9miSvOJri+M3js6eK2rGo4ZzmmwRE+OAVw29dasTLOehtnW
6VN3jfSvLz81gBRAwh+L/+f/yvRWdm3y7gdelfO80K+yJB9dmLr7mdfjOV7W
XjIfXd7xRHpp9EGa1T/cMYvJ/5xM01y/TWez7kd2itKYHCDDzExGR3S4vhaf
0HFxBrCFOIaADJcbHsvG2voaP52UE1MDotX1rNpcXTVwXnk9SJNROQDIWN1Y
W3ux+vTp2mA2Psd5tt893ngWT3QKF3AyK/KJ0WmlP8yTvJ5P9X4+Ts/PTWny
Ok3OMhPPvvHsgbNvPFv98sm6nf39q8cbT+PZ3yDMAdppANv0fIEQcbA4M6V+
PUurYmz015v6XQJgnJs+XNro0oz1/uFOf3t7S1dmNC8R1AFw9KgoSzOqAcMq
Av23/YPX7+C09eukWhAxaGzh6UO38HT1xdMndgtf7x9vvdvsfBVxKSlhqVdm
kJr6nN7HD1an1WS1zqrVN09PvjZvN27Odo+So1cbu998v3v56mzn++TZu9Xo
VP7D6duT/wQkaXqW5ngkJ2ZUmrrC7QgRJvp7gxQX7y3X8IJeHzxp7HG9v/ay
v/YA1DlMp2Ux1ltXaZlMPwHWO8V1BovqfmofkEsfFFM4m2JcXabdTx2YPF8A
KauBVhV3IOvrRZLp4yK/C5lfLzLgOt8VE3MFX7zaefP2cQuHADCKqX5fJqPM
0OklDsC/Kcps/Jk4tb62+nTjhYDEq53djca8J2aWlDAorG5ewnkBZNAhA2EE
7rmtATKrnixLb8M28I4RiI9NMu6/zwEdYvxLMwDzpYcC7NrqxlOLcwEwrNFi
jx6vvYhX+z4nItwxIyJS7ckDsMiqLucjT42ai7m+vvYrEVxYNfOyICLGxOjl
82dr6y/W3C+tha69wIXuHay9bJzq/Ax+qVO+SVzXjjkH/CDpA1YqZGFTf3MB
tBWPc6+41icXxTwb6+0LoDIGdtHfMZai6jOjdtIKviiuzfgPDz3ftZerT9df
xEt+eS+Kee79Lr1IS0ClDCiFcd/DuE3WvZ1kKfDjPE1Q/NA7KchO94y7AwgF
1HuvOL8waf5DPPL2N/t6a1oBso07kNsP0mJsd7z/6o8HJ910nKl4OkrsneAt
HX34dmdPHxVV3bfIdwnUK5kAD5wCtOlZWdTFqMg0bFibfNyviz78YPpu9BRI
ejIBFHkQAUcQnINsmN7QdVULWPd09TwFArDKn1u2sfG0fwaC2SS5SnIBwu0L
U+Rrz5vYLGxGhJbKoUVdAl7A3Zyfp6a/B5c6has6Kgvgl9N4sWvPHwggf5zD
iHvG8FLiezgxAMr6kA4XztoDDK58593Gk3jdB8bMkLB8nOnrtL6gJSPl2ZSF
A5N1WzsscNCKbgCfIfSB1QLpqoHjJsHO4ev+WVLBp/beqgdTpier6y+fPGmT
pief5lDbA71dAryUlfucT2w7qVrfMNjunxxtwVlm04sCYFpvA6zBnnGL+1bW
BSi1Z9A97dZA7yQ3jSm3MnMDBwSDhd/9cpMeDkCbGqd4RY2ZD9PLDPbb+vYz
597e3XjuhfeNtWfPV5OL6az/9OUMhYbt9yePN5rYANe8N8eBq7/+5//Ogxkr
lURITnD0pgQGLJR5Q4Oc/3BgeQ5M9ssYThCLtvf2WjIsLuo8nVzgqjQuq2AG
MTG5KQFVktksA6rkudq3/W8cQXmQFLv+5GVjLSgC7xyfPF5voN1pAcpDdQFX
glila/lzawJCwB/08n6+0uazxwbU6JrRb+9PG8y83m1tP3SB609Wn7zYaOHV
OuLVm90mre4kaCfpBP56VAm53oMlVBfJZVPw7ya6IA9eDipcFgAl6pOrIJnO
4DZWAa7W19a+XH355Yv+k/7ak/X+y/UXG/Db93h+u3tH6w1pBKV2FnzhLh+8
/xersLT2/l+06UpfMOmNAfxNR4XehXEspfVfZukNYNLcopj94pUpa5CQAdBN
DdtjMXj33dHGRlO/LfLFtJiDmCeKXIQaR/MzgMe+GFEiBe8B0Li++uXaizYR
3biXiIr1YBDaDtrffw2UJ+lSAfjrg8HuIBTb37561ZR9t5whCDgEG2EmZTK7
SEfIGQHQhHl+k5Zml1Ttr9OyngOSHpXpFQrNh6ZGQw4+TuylIaS/7Dym1Bhz
M8tArx7gr8z762Q64/8P/lzN/lDPvvo/kjKfT0G//OrFi7XnXz7DM3v7cfvg
O4fFDxg3NdmXq8+fPYVbeC4/Af7wl/UnXu62B/J2Prpc6FOQ+2rQ+dEIYZJL
a/lAtQ2RfQd/Af21KFtsNbxQex+WS/xxALxIv4FTFCNP9MABXHZ0XXsHO282
9fGb7WcvnuMx7p+8BwH8yZN+A3pDblHDbeZFVkwWut/3AgN9nP5lDsI4fOyB
WCfZpIAnLqb0xVFS1noDOGa1mE5NDQinR+nswqF2Qz6yp78UKRRVYa+TDESr
T758+eX64KKeEmi8e7+3dXLy+m1T+dvSo6yogP9lRXGpkxrOGXHS2gtKQksy
F4A2YfwGqtEFCBPV4F7dcOlejSep8CPSeEBVfP70yy+frT2zPxFAaN3He2tP
mufeYg09vT+dFVWVNjgFLPTYjFkXAyKDO9piJseCHLAdhK9IAwbMBFAa02U2
jv/JQ3UfkOCeWxg/3trefv/+sBtxYMZRUeT9pK6T0SXxhIZuTt/rLfoeSG6a
j60a/BoxDvQ6+PMdkk3kTaRW5HX/VVr3A4Ue8Ka/s7f8euUTyHKMIhWusP3V
uwHgJDAwEN47kAiwLLCKRF8B9p0U06IsrqrLRefX79K67h4W3x1dXJv8sqGk
90mXPC7gms1l21L3x4LVQ09YF02bT+d1/LlYFOej4C26EbjH1TNAD7nQk+29
d/uvd5HNxzN/zIEfj9EOqA/MdLrAtU/TMYxv7WyVzg1gPaDbu623/Vco8R30
t091XkSfHB08mMs9XX220aEqPP20qnAy4PWZifuc2ddJAXzIBF9++83+4W68
VZYMNzUetrW1wQa/K+Z//c//48qABGBy/RbODKETtN6fsZ+1Jy+79/OPe1uH
O8ffrTcMHmi+ADw+ZrZgZYcPIJSk5g6c7zbfBuajT7DRcZHSepti21p/4/nL
Z+v9L79/qVQfCHtyVoEgNKqVAs5W6XExmpMuP0aTDKAmSd5I7QObEcu3F4EB
M3QgKe9A0suoO6xoVjOBSIycJTTRM6QIf5F9Lh99WKH7IQ03UbCmcSr68SgS
PmCIGRoT60FwrZU+m6dZrefWFVEZFa8YmPFVOja6Yl3fmZzh8xnIgmiMAn0s
w+/gp6AAizhqjipiRjbtgCsmoC6xZWPARwmINM6MUl/ArcEsQtT17Rcp/vmT
UketHcdbawzuTm3GlggAjAtkfyXt7c9mVMPcY4SWMwMyB8j/wFhJUWFaXWlm
OIDsyM+1nRlPcA6yxADvTt3l/LN3hytJnFMn/QFmHIHqSrpGtHzFDJcXCSQe
VzWvZIFwO4FAhAQ/S82cDtjfdE/JEvtX8wwVPlz6VVKm8GGlq/noAu+GTIUG
fhgYEg1NWZYCxwfImJdXaAiMrDjLO3sW/tz0cF+7wN5ZtcyLK5OxMnn0IbiC
nr4ors2VKXv4WElOlaqA/cHZj0yZ8z6PPqjg1mAFiKnZAvYO+7tytyMWsOs0
y/DPs7K4NPlACwQ3QJUPkFUnfVYAPuDCgEiESBHOCtu8MNlMTQuAU5S8a0Tl
Mq0u9fVFmiHQ48SMAmkI/Qkqs6DUWNAQwIGV7Z/7VfHZzRAHgFo5xCdshXFL
U8MoGg6FfnagljJ42inoDLAj0RtAN2CiktZzJDiExbBshM6ymKLa0SM6cw3H
gfcA8yQo/trjkacA7SYXtS5GMOsAli2mSs3cTPFR0x3yfQerr9ikDKsAEWVu
8K4cmWickAKZsx+fEpoozhb6CrUe2lUKQBpeEU4RUCtemmo+AVvmNaKYfX1h
iPDAuG181eU8Z9qpZkW2yGH7SdavU4BJXhFiA7zJUIo4ChxFyCcZ/hBJkvFV
AvCLk+GRqE8fCVOWJohEW1e4dTnzYMfIemE+vF04nng7uI/M5GMgUqBapCMg
QKWaAxPLRwsr9AJNwm2PAHt7QELq8P5ClNET1D8rd1f42HmSZohyMLEQc7cw
2NEEns/Ew4hPjxKgVEAW9oFOjvl6cBE0Lp244InDOn0Nyh8qHcjACd0E2uHi
sqpQ8Yr0eZZcE9VLp7OMjOWJCPyWqsE10kQOAQPmphDDcVjY1QhlAMTx8wQN
+cCnQcReTOWM4Q4c5CIMoUeEhg3ECwUbS3MQRWYFEYuI6kUEY2oM3ROeXJYS
2JTmL/O0pB0AblkG1U2Y+DzrUKzowbmJaOEki3OQyQ0aClis8BcLM18Eh3CO
FsjEghnZtbsnhsMjyEunfL2hWJOidKUslgNfQ6c1nBmdXqALIxMFHRDojq5m
ZoRKSydhmxAfgTWjom3PiqEsZCVwqnDNglzT5NKwjBLMqKo53CsyPDyEBGlC
MibmZ5g5AYASJuCxfuMO8Rwdkx0nCRDlGCe8nOC6pujKuUI7aibK8UDhQdGD
zHoisWN5fYWIr8Z4nRa718UZiiBEvwzaz4jX4+KJuofymz0SFnWXN1YcnYto
NSy6gltCnqkuEjj5xGNjknkEu8yL6xx3uE0WiNrc1GjPKGDso9Kk02RiUL0m
cWhk1PL2xtHx/kqMUpG8yCsQxlvBUVTnC01vEW+1gIDUu4IT9oCQwccZi6yg
PhptQPQYpXj5TOQsktNpwETF+bmGPZBRBpdGVx1t0vMdPAsyZAwU3VKJcT/k
q+gCakYZkgdRRCoQ8TGmKi0rOPY0V7e30e31gW5UP/1EF3J76wHnp59CFMXr
sQoCwQewXwZlIrEBuCHc4InyFTtmGzwCf04rk12ZivEzl2XZHcvMWQLQLqQ+
iAtB+7axNzSfAemqBYX8FD0FZC2bj61Nzr0eEi1PY0TucNBZ2aUr92Iu3jSG
iRQOF4iqp0knOhSR0A7C3ILZlwo2L35ud2O3txIcBzfaH42Sn36CQ3mT5hhB
wxeQVqN5BVQBefnSLAEIy9EJAaQjX+rBjjLy59XFLB3JsbAcdMaiCPp1TFUz
/04AauB0kIPy7eF10XDwHQ4DywN4qC8GqLwch6d1WDAQMwyiuxc2BIxt6d3H
k1NYCP3Uh+/p9+PXHz7uH7/ewd9P9rbevnW/KHniZO/9x7c7/jf/5vb7d+9e
H+7wy/Cpjj5SS++2vlti4Fp6f3S6//5w6+0SH2uICbgxlrjpBGYgmhJGqLGp
RmV6xnt9tX30f/+f60/hFv7h+M32xvr6S8AE/uPF+pdP4Y9rgk+crcAgDv4T
bnChgJOapKQQFCCjoDoB1c5Qia+QvF+jJE4K4W/+A57Mf9rUvzsbzdaf/l4+
wA1HH9oziz6kM2t/0nqZD7Hjo45p3GlGnzdOOl7v1nfR3/bcgw9/94cM6UR/
/cUffq8QeEJ4aZAoxBWgyfgXu7ENcky2SDO9ocu5vf0D3MPLL18+JaTYz5UX
EHuN67ZGCopkDag7MlxU2ZaOPiwB/J+jqC5IGVkdAmaNgHW6ZCXPTvYFt7pn
bgCZRimFSCQZSgrDtZvBYDCEaQDaKhzrbFGTnQFIAWjRiGcIjBNYxArz7usS
Fdjhjf53f/3n/6pv13rrPw1/B1Tt9/nvVvEHrmJs4EWDMbUkwA1vhnqeYyTJ
FOARsL0kgzALRUzsSIQZ5sP+WVrb6XsyzphnCSeBpWzp83nOEvTwfChUJJkB
jcRRUVcbU8gTSUMwDHJsPH4eUjHzTEDRRMKTlCWbuSobNJXmwALtYPMa/wCO
pDftF3/95/9mP4fFUFBSYslwIJGCKl3kE6GrSaAuhNdX8qkCdMmyxnDsuQBj
T5vBZNDTQ4CN748+DA4rY8ZDJ6vgX6iLTAAoi0h/LEo13MU45O9PB69vZv4V
c8MTs9yEh+bU2gByKISZ1SCUG1S1mJ4VmV62Mv9QFgKDDg/hJIYrMNKCbJzM
emGQYlLMK9adkCPBApSzCAa867esxrgDAVg8T2+QjSTTsxS0kZq4JzLMOcuQ
uCqWE/C4LCAwK2ezzQUsf3LBzDjAuk2l+nrI8Lecrww30QAwL9HCNKvMfFzw
VyEa4OHIAQOA0jekMI3nI4AjzepuJJ8gI+yL1UTGY3+fhALURTnAZaAxJqmX
b9Z6GrCwp28OcUHb9KnJXfhSiJIDtPbCDSaoivVgdjvI2s3aek/D/zfWntDP
p2vP1p6v6K/w93X8lD8Z0swVqET18iG8cbgB8+K0J/gRyu7BzhFxg90fruvH
8MIQSUKBFgOYn4Q0/MqeDCIAatSgwuPnG/I5yU1wEQ5pU7pSGArDh0gP95u5
gYXdbKwMiXfBKmDwtAonYVMnzDS82ZDv7EQwDH470PtEuEFCNYDcJeIfXgyD
g1sFW2yjTRMlGRcwC6AgjEbSfPMIBvokRZUyHg1lfAJW1FRQhAPgQmN3gieJ
twUnTIz0zLD0hb4ksoHQOli1t2QczRhGVCD8m3ee5nYsRGfW4NC8I5PxOuWs
6IBwscjcYi/4jpkZkMfzEdqOb7/oEK8Zyax2dhFmXQBxCcRDL3GPaVAb9uLw
U8Wq16xMpykG+FeEjPflcOjl21vMwPjppxV48rCYopCpiajRd0Sj5NujEH13
LZ7RY7NyIg/hZDuGXPw40xtHOHCi8Tk9xXp/l84CZ8wUmbbMMpm7fFTiUdt2
F1YZNXU7EbW+y3J/7QwTeLkgoEq0FK8BHa14hoGZK7LKIsUTeduKIF4pwYv/
4v4Tvv2CDlipf/qnf9JJUl2Ju+pxv/nvMX/xoz1cA+MeJWmpf7Rf8D9Yuvzz
X9CZuxfsF26Ox405dDyCX8vj5nJ+1B3/+K2vu776WtF35rL91fhSfWrInz+b
3xn+Paqj7TxWP8rF6B/dvn7/I5wWf9Z4m/89fvABfObZVJX94Kuv7G+gzAF8
oNB1DzCR02WFrdspK7whl/ZSETPhBhgtr+j+7/Xy+BIEnktkSFvCO8lr422X
RJ6FjyK7gTVbQmvCZaG6NxxfDsXYNqNgJwyxaD5jLocwZTK6YB7klcyI7+KK
IyheRvGnveaxYdUAlIXQKcbLRg0YLUXICVCMRBseym9DFqVwpcHOHrIvGOlh
O7tvX3yfy7AF2k4Fkveo5u2g945ct7SdaA6Y2m3PGgntBt327l0c66gsRONo
oIQmaASSfQ+rih8ZeVPZcFQP5S5ozXj0sFZcNzzdvoD47JrrVbq94k8femM5
+BkMJPvo3MXAMRUr1evkDGSEnt0HyTCiA9Bi0CEDy71OFpVIqCTK8CQKx/wt
8yQWcVCtOE9GtVMBFvUFCAUZxtKzXDvCNKa58IhIJB7YtRnr7Egauxd3RLBa
0K4xyqE2ydgJ0CJoDVh5Jut9ZcO92aIBKxSnjNM20UGIboV0lKLnsTRolqX8
K7Rp9vvKqhsc4mHhTMRvWml43ZEMz4eF4ggImUmGrkp3cxQXhpeJcXWdk9up
mtsjRq7a1r0G6yXA4oN2JmqWm9HUNieFHLRpthoLdSBzNunlVr2QpLKcTcug
abBRE0AnVnoUSrYhXvdYogQ1yqmHQnZZbePQEpFqYeksXNLdI6zjM/QwYOk9
j96F3fTq+N5X70IzehWw6p5XA/xz5wRHI2RsyJus7p08wtCuQVB71g7eSYxq
iJ+3X4j02RKd7vh3/7c/xt82xK+mNNaQkzo5/Z1jdzL/4Ovg6cdN6SP+9zhe
zGMUXl7fzO5ej3z9O//Ojw+dJNjGj8H/7/wnD/3t73zquDremV1u3ffK7PLV
37C2Cga3xxXDBdCmQQwm9iF46VU8W+Pff1ztnPPed1b/4wPeiVf4SOtHHSv8
33FLPxvqPge69c9FIbe8+/79+HfCfoTjV6AF3PEP4XiL9QJLG5kkcthV7rxv
GmN7MiubyDNkImEWe21ImEjIJNkKgorT9G5vOZNf7OtAvNG9R5YYfK6Mhhor
4oJxkJUswAdl8OooyoCd52wstntBDT3LYLYtlYfbDBSdhCzYw90hvD1h57AY
lsYol+STeVpdIINJMM/FcBCFGk6G6KbRS7FBdgktsuy/IQdaMr8B+TspF57l
MycHYFueofUOpd+/oPCbNxUOYW1sBuNp9fAvZNTD1XJUAkry7suZKBa5tfuj
uWlAQPEbYqjWHUDGQTxvtKrB3pYq+CUpK3JDBNsm3ynPRMcm8CUTWsNIfLK4
tsil7s4ajlRC6NiiKqNhoIwMqIclyMayGAEIWTFc9Dwr8IGe2OkzMdlZ/zCP
Fr3shVNxfsOC/ED2ZIZkYZ9ijg2ItmgGgj+yOnWRKxQ/g4GANDYMPWEvEBrz
4J7pumR6ulh3uT29QCuu/RvmWqywCsRh9Sc0oNdGUeo6cuKxuF1iwVjWYN0v
MK33ztxpBWcdlfVFPurT4oTkKK4LsHzktbDXN4z3TUlL4M1hgI5ogl5mTweK
uT455Vu4e3JNo1cGpbe8ic+zAm54hVxCsjOSovHhH0xZaOu6dDGdCWLsTBJ9
gLxsorLlLL5Uw6GaYUQG+WymJsHAtfN51kyyNbb0AZwWh/tx9BquikM+FUx1
1N949ryH8BzoGvDwWToem9wK9SWcyRVGwNpgVbakX1PQzYLCRTFyDnbaT+p+
mhMWLFD0Lsbeao3eK+u1IusLyv/9Kv3BUjnaP3t5I/gZ+lNyDhE6PD7R3zqL
pKXeoZselBxFIYyVeJyR9uVmkqUTCuB1RoR6Abf0xp6TDLV87j0afFicGgMk
BJZSFxvPnq3YMFZzg9F8CJbK+ihtEBxX3rDyvhjxKVAAdAxUfukySQ8UcBMo
HChK1WcMhltimzrrnU51tA/3EFQChZx9C0BBOCAImZ6KYB75RhR0elFUTXKH
cTqoYzvVHNR+VuwVM7ORg/w7tFWN+K+dsXxTHCeh+0+1Vj2eE2JHKlgvDFMk
l+PewCr9fgDlVWHM23ReD7x8DPlmtZAcH8t0OU5jWyFih5tFo3a4neAIq/kZ
RbjUEmsf0a6IoKBRPjk3bV3akfC8cdtM1Z0FgrW+UHNWn604kylvme1ImDER
oNcKD8Codt8Q9ARr3rDe+2crU4BMNI5GG/xb1F8gyJ20XSlReol8uDz+AKyd
P6gd1iKBg85locTXxVxSnF1VZxUDyR2w0F2NLwC42alxl7vn9gvy9iAziODG
eV718tHx7gqhV8N45J2ChKPOoAdLzrhSAUFnWouxEGSXb2ysGN86Borgu3lX
uAPHfwBGi0TmYs5RWCpTkEZTiXGkEX36g0QZ0H2KATB6BeN3w62y8RBtg3kg
h3F4pmUMsr5oIPGrD+F8hlW3rZCdoQBBFApMfqppaGpSYnOLEQejA+4GR2vV
tIuD6WAFQFy+4cwF3AoAZm5GWIKjXDTly7T224qmx9GLOHq64vgFNDazbXJ4
sPNmuNKTA7MWWDyCAS2b5B34y8tXPEUkZN0RLEADOJmHIITCBdoyFcczEMlB
Xs00Ctki2UejClOVFUgXJPDQZTXQshm6F96f9T4nFhnvQpKkiuOa7CL64kzV
SSPMkcJJlXgyna2yK6KYbgw2TpkaNfI0TPMnqMonmYS0sKnUIh4fei/wYxCT
YA4wSyrJ1CFfh5vyUYXCXV82hR4LH2XNR353kGWIBA85WIU3liUp+TM6T8z7
Yjsd0LdfkP/Zutg6ntHLAKtCuBypirQ8BdtFsMJyKcgcfDS0hT9L88nxwiFR
PssauSgF0MM8LuoThDY8vTkpejlGU3N8i7VK01DWHB/xUcRtEHJBEygXghMs
XdDwP5O8KMaOX4a8wAL+XuQFwahNXnABnrzAXyw1/C30xbkUg4f/BsKSL/CU
GLyAOWT0MmbuA2Djj59+YlKCNYMWkmWwoAceoUiGsdT7B+96VM+Rle23Tuet
Pol9HkL+VtzjoA4KgAnyaN/4wW6/COLHfc5HHOrhsxUa+R6UGtjI9WCLRhWF
UEepCS6fQcIegZKBdFVTMCirWaTYkPMOPSKegIk7yKYgkS0E4+4jhcNGx8Wr
vULQTihuCpPXkhsKv1knEYYl766oUaY2sbZCGR6wUbURvIxOPRb+8bI4/cDl
PFjdsTt8ldcLclPKag4TeC9QwtiYPkIajTvvdiIfBx8pWUGQM/QIs8INMhje
PeeuyBnAaf2oDzFmkQypRx947X+A30+DY0Ar6o+b1vDpf4t/p79hvI+71jB7
WHgjbWQj1fTcQddzuKPQevuj3nbjfWeqe8bbPuh6rjne7ab+wqXXUJb3V0t7
HZJ8taQJIaw1laiPS4GMkhf0iGLxq/haWH0cOsBXcTxIdx4DAOVvQGPuhkYi
R6nLcG5CptV3hx5GNa8CPlqmUGrJOcb41W0YFr+4tjI8U33mq2gNyh9hRDFm
8YHO8RsbgMthESEk4zy/YVKP38FPYYi4yyieOiDeYTSvRvM/L8eG9y47ERSj
cOKH40dXaGkgxeLcSKAfNvfeAJVEmMfyIqXtTPwVjfs2OTPZUPdh6JAJ2czo
DL9mMdDmmXHqb1R6j/zVMHzAJinpiobpWQM7/Wygvk3Pimz6aHI9Zb86Wvm8
elmaCYbol1awCEsnwDu0l0rvbx1uyaPM7JOrglMyz4FiSHi/lY0c7FOMIJw3
jHN7C6iT9CkjYGyNx6yXWhDpeVDsMWAwD6R7YsaJ6YmiOUpkRCPP456cp3iA
TjbaHKuVsSNU18WtI40Wu43EIFBkIUU8jb0ENGoEJ6uW779qxMggRqOPSCDL
XGoPz/DHY4oaQ2g2lAJsTVZk/1ixb8G9+LfgD/8Wxry03iKfFOmyhz6yiqwi
wY4FcIAsZGSIQPnOJhjGOXKwTdFlzkgh4kAUJ5k4ioalk6ZTjKsdyyHGeyf0
/Qpoys1yiNE9txl6INwOaZ3uFKoK305z/3YVvFvFb1Yrcg4cqHxNtm+fMiAC
aiv+okeRGzAPnxxmdsGwmZkko4WiFE5JT2GRFu2rzlJBmR8IMOgq6Xuy3ZrE
5cM6QQhPwZowQ5XN6k0nXkYK5JsuA1TF4pBoiIy/QFymGHND0pZNNrQxYNeo
2cxIw6HavG2pjJbwhf4oKSNRIIhSnbxTJGdyWMVM6t4kU5CXrwpOsG2EGyIh
kdgUoSXWLOsDgTiHmoKXFAk7FeUJu0SM6Mm66XUTT9xSC6OXlMTqA3wbrPYJ
EpWQCvTNRtZHTuVY8ui/ZIPwZ5izC9ilGs9L3mLbsCu0Df9iSu+CoZ3O4wbt
VxhWN7rLQTNgNARBXqwNfHZwtGLY4ZI3+Ov3qNEA+DubD31DvwLK9fiZU/TI
cQ5FjMgR4vb8gCscWrs8vqRBDP5Y8SStHViK33OpnMvvT+FBO3DL5wdrkYjm
6Dl0F9rfJz0aRdYg7p1l45ZySt/jH/IYntOsRF+SYZDbDZ+Ww1quKvpoVMd7
ccGkbgvV5fev79qCZOI0CR6+BgPfsyMcVIav4uc6nZPhKLxlGmAlOhLZEQ4o
+6IfjSNh2NldDh6ID3DTLguQMbhiiVcNDu3zlu8mPL17+UL6Q6p1GpfueADd
om/uo1baUyv1WdSqOTI+efRBcTWVHLPlMLYguxt9D35Z9A3YcIS8n4m7+Mqp
II28cNr1/OnKZ2Pmwd+EmcsO1IMF+sdOPx89Dn5h9LBnZ5+yq34AArg6rmhb
FRmu9BbUuc1UYOHc2yUj/xaHoJxJXYHYxVtZu+B9Nm8SFyml6wbrjKrY7nrq
ago1lhdZ4dvp4kG5BI8jUpI7yezO77w5gWYLa6TOyf3ImaJtUpLyftYgAhNk
TLlzGaefN/FpcyoJQavF98tVYEi+AbLmCI0k7lLls/lkYirMQbNfRhfaCwLF
mXy18xesd5AcqqQQBHOQUzMFKdclO7YAyiu5tp6BtUCn2SI0NuMESpK94MUB
Bb0FSeXXrXIV7PrzCrONRRNpjwWwXltQi61+gcgWi3iuSobqEBWt4Ba9wdcS
BKw7cTKdpeSoUV6eHDTtgQ4nztiQQbsB7cO6T32xkYqL3Wlf5cOLjMHRs3mX
S9+RkthCmKGfNAhRkFJWNrszIgEhyFR3wIzE5ZDp3dtCbBSFT5hQnauOs/5a
1f6iy+OnxHOSF3D0JRvM/FFZU22wEDmNCGeDk7ABUvYcvKs6CMgvyrZFwFsP
gOI3Kmx1bhXtucpvNj1vvYybjBrwwGYLLnYXChSq41ScwhGNRwWqbKWUqsOI
7d13u96fqLayrGVpt+qn6LakInkLvsUCiUAMPHmFsgeLs7dPUUrH2eA0LvPU
1q0DRtDKsPNyErBUEb0PvZgkpLcjzY2pObPf00IkhPGlDPgFXeWYCI/kLKWs
1GtmcixsfE9ZcjBzPAEME85uLpmeA5mjKLGgRpjJr9KyyMnA1bvDABEQPqbB
cIFIVwHNTnC4Rg0zITACBVJ12QaOBbV6mvJtcI8U9dTMZhwO9Nv00lxjyGpq
U78C8it14RIQWkgR6sUUcwVIfFqyY4PGPzMuM3DsSL6ScMe0Cr4keyLV4rGx
NfGWybvX+Iy5WEgiJQAuPHFK+hqbKzpaFzvKyUhsbZyFvM6bxRAgyKzfPEO5
PrcWtO3+pn2UPvCsIytPCnaWWI2WSStHtDYS/7rpMYYNRyEDvTiUT4i8YpzZ
RAUaYZO08j0A5EgnYPFWJHFFGjk9EwroMgDGWeG8lj9KwVHOvSLfBUV6mnIV
ljHOJHYRmaPW27DXhQTHhkb1rv0FzIus3BV56diRI6Z5LuhdY1sfMl8SAUry
DvojJrsOiyHz29QWTBC04SAQNKdSyTsvCsMGm1gYxoD2CO+p8EI5vkZaSuHW
Hi0xXL4yEqHpEJF8NMTAmiYeMf82Vcdho24IqC9ZMnKhK1RhQUDY1cDDdS9g
ARTeLCaqukA5IPJg3aGteop5N+AAxIwvH6gOWjN3ZQQvaS8UQ8GJlQhCFJ0p
15zYfkb4B+wFN4ERuS5EqfE8QSFiyVVqrpm7zivjEvgwRJoJvLUThGUK2ri6
XHjcioRuDK1KpeywcF8sAKsoyhhPFsagJUnbrdAOHUVyi6eXZaVp4VwXcDOK
mzAF5YBg565HWoNLr2pCPE5br9C5zSs7k/rwQfkGHF+54uJH/Q84w9vXWwfu
g4HeqoIaDVgSCA6zYyggAyoZj0us7ZmE5ROlQmo1Mjl8WCDzc8XicCr/DZ6O
REjBWFLqFTbDUVKo8CQjZIeWN7QviRxMW2+jIZUd0lWPJZJFhUdpmKsUEGlq
XfVYDic5RwIQDa+IgJ26DNZubQhE1LL7pC1jSUgvUAlv3a4IzqSUoFLR6y6K
6+a9kv6cG1vd1cmJWF2ZIz5sEV0XwQZ4nICIqpcCaF1qjjufTUDqJNB1RTrt
gK78Kh2rXe6AhEepX4QR8RYSQ2huRH7EMBkgTKKoXjKhSzLDIytTO0Zp6ErQ
J1eCnNR3fc58tdYtiXnHx1HuUK2MCYyoKkiJDC6NBVgsPiMfBkVMtxQJMLAi
O2goo3CV0OZb7Ne04o4L/+Gayc2HeyyhyanZpAO4sLTsNMAMlJXHep1LAm2b
vCUunSBnfaYhGNmTUeEKo0esGyUCl6peZMaeRhCQOCsp6V7qg9NVAWUwHrFi
R1oAG5F/VrWFvmBBAGlIT1jVkip0SUYvEKrcsTjrII0uBGhBJBOKL/A+oTrg
/MLASdVVba+grX44FfGBZAL+nZP9PE3iee31qzaac6JPPu5wPlpxy86zaifp
qaCY6dQkTIl8gMGMw8tITMC1YhmjSSIKm8c1xMVKceU6onSsO37c9XFnm95I
5+yTFpQa7kWumuXoo6jjlS8mHFt3tFh3XDMBDPXmmVTLusgBuH6DFtdD/tqI
pgJpnuKGCvWznZus8jozwrXU+0eR1IZtsc7tzRRuQN5r4AjoUFJFtLpTXgLR
qtv7FxuRyfgvpsdQdhcl2BdLac/X9iuYy14cnEA6cGSmb9vTYZR73G/WLI7K
xWebeikYxvnZcCjZcWTXbxjX9+jzvcgaYCuwyGE0thEfxqhuHQa8+Rm3Nu44
wuDUPumh+6WPUM4IR7R+BwzuexC6ky/uoUjeqL//90PzT/oC70FuUTbV3xm5
D/4uyO2Clz4HsQ/+P4TYLh7r85D64GFIfY9f8e+B1NsRD2eA/pfm3zTLvw7e
zR1O4EEu9i/GpF+Z9+cx7wc6R39l1Z9/YJ04fPBpHP6lmPK/HO4+kCF3Y+yv
HPnnc+R/7dj6r4r//hKY6tu8bkeh9vr2C1dmL4xiC9rkBV2EfNM+jK8B8KZe
J9bRZwuveKM4jmIqU6LpOD0n98UZFRG0L/meVwPb0Jz6XlBOTGD/DnvsWRc2
hxgFDnryS6W17SbzCdc1+rjbiVRRSMOmtlUh8blHvJxHKvBid2W4lQYN/NZZ
iMQirztrFYetEznMGIV+Nm2TvZUzgzobFJYmsq2G3ZHu60RyT2kBCQ23kx3F
69x2B7jlLFC0fS6xTP3SzCitUEORFD/05Lu1c4sgrFMd2ys5+t8odDVwyLtU
giZ3dbBjDkYyts8cl3gOMilszHfUdAoj1vbjvH32xXBoyzaXFwiaB3HrWr0s
4RArNucTy7JPCuAIsAJyCeEmGkHzces+Lk5w18zJOJmRuVAqHARBH2xJRuhU
Nijj9vbV3sHaS6zSdSoAOQWg9QH/csi0Qkr5JIzBXGLuSo6Jj74fspSN4bqc
dg45UjnovAg6GGHjthKzeXti2g6rRqriDAOHGAxtWzpbBBeLzhNbzwGegdvX
mUtHMOMg7L1H3powUdi2heK4hInr0bhUmiRbsqHsYTKyn5POLrHNAmyWVe47
5TD58GuUUvbo+5Y2OETH/CYHevmYe+dYOSN3AXKMRIZKCIm5tMqwDwZigu3P
oJybzseccLkY+16YNIT3Ffav9ve/glnlRvL1+FQQ9IQU+DAezt+kuKSwwZZz
OAF0BvXAOFHcubLa7fngoBLnMoRlolFimQawvnNPzvHCMdPubD5xfZSaERIk
SFGJIWzGddQgwJWyhcYo+SfoxRhFKYVdK22BIe8QakRoVzYyEIm2jGLTIqRG
lB+Vmz05TPotY5vtDXYNNxoW24FzTye5pEK6BmE4uDRLa62WvT+q2USyo5Md
utcYW7sb65EDAuP4KGsb72+UmUTq6uqdvSZd4kZb1FZn/cXaTz9JcKI9EXzc
ZVY30j98rUAu9rdUJtdLn0oa6fnuS1aK94GQQdoLBzFGkaISzxIHpsHGjk+2
bH/q+DtY4f7Je9jWkyf9DVglsVN8+v3W66M7MKvRnNYdVeNQuGPWkuukuYTj
huMsw9+vT/pHB9sn6/2r9e+f6WbJDzzzF2vrX2JTBNkatUJt7IGrqXWuNay3
QaHYzZ53/Y6ed1p63in1sx63uOGyzrlQPFP/XFliHrj8oqsjoo3ED+NqOZ4h
dHdjP015EdAgaGLjlygV2Ky3yTgfO7fdaxQFQzkEiZyilmQ9kjUty6H43iDe
dGhLsmMdQKcPDaUvLFewSPNzk3AUXMfa4VbHrgtSXL/80ZBJEfGPuKz6oxVM
CaY0YdZJqQR6ekfmYINPgKbaHceIld+5Wp9lb0K82hVHXD2lfrDmMrz67eMV
oA7bO+82nqCswQot9xMnSZ6gpe9fkeZa2H9x+9g+CPJnlqUVrCF6corHQlUY
iBG5NLqmPJwA83ehRK6aepaAXICgatu3tAMawr4dsAt5ou+fQMKF68SUd5B1
rpLM5K5klgN0H2xy0DvCfvfYkIoOgqo3YLNXuPUQL3IadbX9pvM9U5U7Fq9U
xIbR7ZnUXIFHcr57+hPIlWCNOIzZGiuBRQpiyIP6MOiOp3gcysB1jItjmbDZ
Pfens5yftgdYxFXhgVa92T862Vh7gt3vXDM7+7ANA+XtE2n79pv9w108XW4h
ub0HbOIZvIxcGy6GT4/DMnhBjKshF/MROG/KYlyQVrD3YRsujEmufjd6naVm
JFpelQOVngkdPOmsdnZkq52dYNtv0HLHF9KF5/7qaGnlJKZWhI4E9A0nf7pZ
DKXhqxeb8GOJjpv8aeEqvxZlAjxZD3f2lr/r6X9cke5qSV5dozwpk6nhd3+6
AYr0j0OQNU8DrVPQWcDDchN35NS70T8mbeqJSFLzsDADJwjDQGEux+6FCCok
QMC9XZgiX3vupMwclZ0qWVgx9wEnh0GGnPcrhvdrLKZPMcxY+FPU6dZqfIdq
10+75+RId8Cq2QWbom2CO2JVw91HR9ts25AexDdgt3CVJxcFJuD6qBlWTn0l
SacFYWGeIuPer0RrsKGkBiKm3P6lgJTdOsdxTqUQchQfGgzFZ9os0yxjcrQJ
I2Aai2C203Tz6LEhlOmzVi41QaXrA5Gew/2T0+4Szra06lH/yYunjGZH/Wcb
61FNCb479Q7ubgIKOtAaqc+6jT82nj1bf0lv0p9Pn74QFH0lVCowKtx+0UGh
QTYn0aE4x8pOALtYJ/bc1h9xNMgmqyzJEEsBH6CKt5yLbh/DsJYpFiesXI1C
PwbRIoCkYyAu2I8STSOOB+oJaUbKrsQZTwBom6obG2vajGngdo8d+w6kt32g
jLIc0eCDHRp8IAv2XD1cAIB5VWP7cVj17rujjQ1qYLr16nB9zZJkz5DPS6D+
/Oy793tbJyev3+JjtsqR2x6TNjhIfxJR78wqMs0Q3mVcEESqO1CZ5G+DoE3t
7Sg2TvtbS+K4mC5xfzZ6OZTmdueC0V1i0qbee3/oDO1o8Q8N/pYw5Mh3FI9j
7izVQAGQnxoK5BMVB312GDY6BodhMWCxPXwsEBCbuSioYmYJskGezkj8tUFR
Eool0ZQcKIoadP8DEdhKBXI6PUG5/kdWJL+Qjniu44sIsR8sZaT8TemYBRQX
oGxkMF4s7JMYCjqg8fDEPIBQT675G5UgWD5Y8ZYiaRfaFRe/fHTgKrwFnbMp
GC+QymFtLIW7OkPdY4HQLZk+aLQh4uEqtFptIs4/7bFaJtZqm9AoqamYop2h
MRvVbTllhgJnI1MYqyutQaMVudrodmsZdSRextNcYQxkIR0ExZoK1aXEHMfk
fE9Z2LpD9g1NwVQ1TZ2Sh+oZDuBxGBlJddcYFJx5bq5t2bU3mH3GV74plgRn
ZsIIba7mcuZpmxPvQtrHMqVyb1L8IwFQ/P7t7cn23rv917sbaxvU7rcp+MWT
C/Rtn7Jmnhcc6kx6TFLbq/vWQ2lgDBZtM7XsWFIxuJKCfs/imneL9KWU5Gmc
1dwKVXXVQNNoDlsn1tojlciDy8fvV5AMH++hoC1QF0ktjijc3r7aefP2MVJq
+P0f97YOd46/w07V0h2KFBM0XZjyKrFWZcz3tNZa8UgIMFPZbzxzu0Pl2i59
yqq9yZYwa7OI3mOyPy/DSn3WTk+37sRI77hBG/8l4jEsLaqd6hLClO0rAWJ8
n01T8ewkLWAoSVsVaZlblXsFF/xxF1Fjd+M5cTeS0iT2ghfIxbIAMN4PUHAp
zmkm3CFrup35C60D9IcQbT3pUJN9Vi8aKRtOLlxHz8XGjn1F06o2s3ZKtI3L
VXjzUqV/NmN/dYLAx4e50n3suo+zhBUjJXfrrhx9X3yO5u5bsmhLf9may3NK
52WoUbYlWPN4OHA50UfHb3pWeOXRcgvTdNm7e0frL+DyUK76eOD8edae25dW
JPeCCZ4JqsozLI0rABY7cuwCTva2+k+ccoxiVoc+DQfeQn9r9fVaDiL00eM1
XHsgWzu8F1YC8KRAktt+R9o0thzHgnSYfdKc8xMkx6qg5HpSQXE53CasrUZ5
8O2rVxtAYKgKLGHq3rutbVv3+pNj9+QyEf7xxT6eFjYfaCyXTn/n+OTxOlkX
QMm0xcDQUVyFOb28XIZYOxrhQefE/I2ZUDfwIAajZQYb8AZtkXFua+7FKim6
alMA+BTQP1TZ5rB/xjSugXrjMjLfmuk00c+Z1coxkghTzVF5tC41kjplNiqK
vH/wbkiNLtQQ61foH3+k7tJS44UemeKH9st0yJl9w1T//iu9MbSt7YfToZjx
cbFSNHyFXcSg3VPWrFs32UpZUs2cdxulKsxqZOcF1a6PC/IF9Q6xFJbZbG9v
CN8vw5ZWhuL1kmQu+hy3sKIfa2mjzP666Av4D/+m45YdDMXbKXxVGYwP8CmF
FApCSnijsqArukP4QgZ1oitw81y+x3+OvwiEVCavzN31QZx7dAokwzm9uMT2
kEBp6F5mrUG8jHzLQ6zia6v34KaHtrpFUOObEByTUu/YGB2EONdpdXYtNsE4
oV4X4sBVdlmsA5DfHAU0alFPvg7gP8S/aI3h0rjcXqt2hKfQjZJ+J3vvP77d
oSzBZBzU5hXRmYUMfrSZENZkHZxMxrPIsAnWiMb+52J/DPpF2oqCgSXFkF88
GtTaCe1bx80KyUfHu2EgTF+aHpDK6rJarY+IQ32C1o5kxeX2RMZ9SHg1ykCR
IytvcmdpeC5q7RoadVZxBi7w/tVjlov1lq1fgqVRpWGpM19xBftNfbvW0+s/
/a6az36f/24Vf+i//vN/Cz+e8sc95fwVKEXPimyBgaxJxp3UnVpD4kTooD8z
9bWR6v7L5QrTJlXqf/fXf/6vHdOviHNTDuCH1nOyHtjrcQE6k7lk8dY1V7B+
/FL/9b/8l6794Xlz8ywGOzN2MIuHEhT4F/cbs04sVRoK9LLAZXTGB1e2or/n
Hlnfq+Dyjg93VzaRvtC4QQiFLIDfzcVacGZaDS0Ud01FTzfcP9bv0zCm9NGt
QJIcsWaWF2m14B4wJNnCwBWOQHNNqb6/sgdlW1woJXX3OR/b2Zt4usR3wwiA
fPnb92+qFbFdinMUy0TXXGMyYr2Aq69ZP6zEfm+QUR+8Bk7dCCbaLZKMUS2M
MIswLrABngZkQwzbrWApdnijHC4FfsjknYgE3vIviBbBPe3Q8gygRP15YyLV
0IfJJd2V/khcNAz8osrmErnFwoUELzjyd3fcl9NVIpx3MkPXAhT1RqOitY0u
90VsmkOLaZGNrfYrmpO7l9svGqVs+fCBQCftKhayptTF2qIsQzbUiHKl57Z1
kVG2Kh0X45JtWBOo8+i/IavR0YfV0ygqjFmcMy6pWMFpdcIJUoNbGrREDAZF
yJULPOz5RP5gDMtzkg7nhK+hE8cVSiCjUu8KCs+TeLioC1Swcq45fF34KCEH
7HBucleO1/Ukcsw/HNYfSs6K+d3gQvVCnNrsjql7Z4HZK2g3jxJNOTebtkOf
VUsfpB3IS6DSsuXP1XPmRhMPdSvZjn727dawXJx801UpD0JE7tt1a5y4aNOm
K1aOA3IQeud5doHdv9xphov69FpAxUVjS8tyY4vzAHMdcSO0Tm28rdV2rey3
TGNtL3MiA3bAxBp6FKj1oYYmJJhEX+pm51pnUCvTSV6UIu6iXP3bWKj0+3AV
uqkihDPExLo8C8EZYAvFnhRCxKkyh6JCQEHC/32+KyGbYgESskm2MRD0KWjy
DuNQ0q5CZl20+6RzmlrZogLM5BrWdur+EXxEAQo4e1C/QTwqNkw0LGKAa7AT
aTcR+2dKjm1VpK9LQQOrHtHoPOzt7as/HpygNIrWkF38hfrQRVuzpUMUlZIH
9ZIjSS1ZlaoebpbldGAGPXLmUMmHggItVojRyqkE6Ru21AA6BcI+da2M/nYo
Ba4UC4zYaYT2OFe/7BFFdq4dEpzuvbfQjM7O0drAK8w4PFDKLxg5GzR52uoR
HEKIjhx39V6J6gz8A3kMEIv90jZ2Gqu7lDMGbZIQqYoUhdSIlhgEa1NFDUsw
FEccoSRMkWZyK/Z6NTsk4SL7sU/DP2hBYvDzT0vKNohf0Q7J0o+KNLywLsRR
fHbUkRaUX1BQAMVzKf1uE2dFPGVbU1hfr8NrRL2yaip94e4HHiTFbnRhsHgS
GW3YtInRTwCQVsJMXPkpQH+KwTVc84eolrW8taVMWwEkJYuAreLXbEWzb6No
iygQ2cdYcihTUibU50Aqw6Cl4wwDDsRsMRWxLC01m8ar1AcmjGBGbkOEgaWX
8H9gthMfj22dL/aeCC2taypFH1CNS68aCsBhkfcndygBuf3uJwxZagvipKuR
xd2ZDchSg9cuegB2qpC4L5CD+sV5vxrB+67evR11S2zBd7UmktwD64Z+UEtG
79u6S5PwvMkXsPiixYqZznzcjeN10X5qxWeJoAZlvPnuJpnG8WhdNbuTnT0n
QqEKULkO3ZJv1xCA7QCsiKDWD6L5KwpURie1GV3k0qssL8hxN6+l+qvrC4Ah
Muk0RQusWL+cq2lmTNlnN5QZe64tiLG9623ytJiPB4F5P2LhA++zkcpiBqhj
QQ3aQOiYusOWkJvA+P+RjP9jAypLNggTO5oOpZ4nvnCKFIkc70vFwZkND0Pg
oZA9kbl0QskviSab++SihsO+BrlWUTUsKVppPV0k8ZLZQNhvYAuX9gKHBSYh
glpQUUcK0UfwYm3dqTCnhFg7dk1nZYRD8nxyznkIGK53M6A2hohZt3MBi/DN
xrBcWcsTl3ZsULc22FRt4vm97w4FxeYzx+8ZxBvuKd76o6qje1eAqvA9QFaE
X67GgjTLA50dhYwONyNJnsqD5SyZYS/FPCiQG0faWx7uLr6dFUKefaQ+GKvH
hoyFFcmtSYVIOkfKdxQllIAskp73imtEXKJl2B7OJaiQSQAOcFIQWghFp7MD
iQlRB6Qe5EwsXSnRb++elfMzaH0uupCWcHoRNd82M0Vm0CSd6id4hfA9iPNT
vW7j42wtOBvdjZmYFOwUGt8IEySyiKZZDqgD5+7QF3DIS4CaZqlRGBaYMKbr
pKgz628GK/obo4ozykvkI8JKRZKecPembQFQttuTcsMNMSoVuSMosDGvHXVz
8P8IfXymFLsMsnpWmwb6xOJwQA04DKj61P3XlcnOeww5tvLlmNNmaFni++NV
9wJbE1pvUBqUVXZAyDxnsMBKotgSujTsRZNDo0KSBTvxQeWSgA7HKYTSwpyo
hwW2LeWgktwvd2q9OSK7j59MMLEgFyLwzjW/VFZ98iCBhpXqU+DkQpjnLmRc
3sd4UMF5nwAauC/lsZ51/Fk/XMPGX10i/aJYH5+PKTtDpQBVs7612cISp+kN
BdII5CrZa+zCZe0EON9wb3myfLneGwwGvct8padvVobaeQT3hqz8wcPk+1dN
VzBHKdNT/+t/9nkx1irtzLqAsrRet2WMwM1Squk8hNm/l+m/zzGXAv5ELyV8
gj/gwyFiW2t0pjvD//U/9VdqfRV9fq0XV9BYjwXmgGX3rIDwGVIRyy8K87U6
mPIAqABIL3CFZfqDYTs6CjUmo6xnrpZMEAyreZ8HssSyo2Irgdxig6vQRHoe
gjddQyYxGBjF4RLQWC5LI+4bimW+LrmVC2KJLmXveVx5JKjITcZGV4ZbwvxP
XViG28cGpn3cvY+jD82EKzuH7JBCNYQlS2dCfqfJkH26KW2Aw5vDPSbnBRMJ
uOXAeh6bxl1VQVfJLylrThqcmrpnFUkrZHKZ2SBX00sDTbhyh+WuyK5ABJ/t
g19IPG9lMnY0cDk6eC0RKXj8dwjxykKLuRmZmasdKw88qhqyXizsu3YH94tk
clva6QP6Tn1AfYY+oNv6gPpZ+sD7k8eBRqBjjUDZEGi2+hVldY+OAPfb0BFA
HUYDZGJr04eOm84uIvZm6WzDzhGKu5aEfQjDLo7MU+/tQ+g1Sa4UPtDYWliE
EBeJ2plWE9d0XPXxYz1lW2ZM5gkwidqYKERYHCNslLDWsJYZ2alXVjvrdYfk
8fn6K1N4rszUPDo3i7ViD2QUA0RCi71JrvyoCiwu2cKnpuErtuxss7Jl8/64
AiiXPlcdc1ird9hbHeRn0VZ2US5tdtxb4SgWVKYScttM04pzvigLoOJ4Yqzt
7RORbXlWafG8aQEbp3Cmbxc40tUfndkmhfyQ1x6AZm4ThLr2ZUufduyvMxA7
KmyQBYUYaErVnDK6mjCvrb0UHyXo6KjyUQjWwVG7kMQ+LdKmn4u0GGTvtt5V
LMS7BfVJjpYBOAigFrt5LlWNr+jo+8GmCRZNObUsmJVj9mahI5q1iySIY7NJ
QNYvUF0aAAIuxHzCRqgga9EilliwvBcishYhXSrv694o8j4gzJ0hq2QQv2aj
tDaooQL210kWSFG0LUBnQeCzxlKC0s+ZA0vh0KGZxFmAvewNoGHdWAN1GPVD
NjfJqLZkh3Lu9WUOMjiq4fMqdqipxFOobiaAHeqdyqqlXVSm/jyHG3V6Lwdu
scJ4jrbdFCip5Khi9C9FZ2P1p4tRQYUPyAQAQ//uH/p9dfp+5/2m3sJi0iMM
4L+o61m1ubpqZiUG3qXJqBwU5WR1Y23j2er60/Xng9nY9udGMYIkTtmEYn+u
3OklSqZ86L8FaKIMf2uj5MTmhAPOAA7wZFB5G/T7vyelLSxUQdVkHNxNXQUD
52SjeuC2M3QeRDIrLhZChQs81Wg1tXV9WqwOBED1W3LjsUtQBZOyfZnve6pF
jirn7P2OKmRJk6LAoC6h9BRoxVfLN7kQoy5NY+8VIQId68Q+eGMNj1bfV2Un
DupIRlR6xO+71TvTpprD8tFOgbXaDAZRk2LdNmQIh0eEw2Ay8rlEiYJ2AY+Q
q1GYakBQnVGQGCEVOeOolohIN6vPZFKnPYgc7+jW0mR1bOxsXqnPxbC9kDoq
tLvkJZqqJJvpfGYnZqLrQs/SWjJsc94mgbME9JUdVEs16sD7CjVBQLXLuAEi
cAY85zytuRMi9ptIMZcYhdZro8TiRvnKvB6kBCLrsJ2PPoUrhoOE45R7ukuI
bxjx1bKVila8vVGqzjNBSsT8gqyy7irXP6DW8YBBPW//Fq6hnw6eCL8JQ40d
lRYhQnIeDhTHjrEbEBaKKXFWWvcGH2tWlvZaUWEjb5dUztQX9Ou6qz2MNxOy
MYrowjS55BNXdp1hWC/jiSVY5NgXHms/sxVxXTKFCgoaFF4NXw4kJMrn+WnF
h1k71taLWJmt6/cQLuZ1JYSa64JDCiR0T4resKdMjGs2XKe5O/0GXRKUOO3c
UZZa8bQTasOHh2Mw/g8nvy66shAdKveUDz1hvonML/3BUQGfIbb8Jp2guP9s
xca4YTphMuXr9oSRXK1eVUFngJ0Oiyskmas3xtupikDVQoIF0A8H63qeJa4R
CkuebrBlDpCSHL8QzJoVQlRYIATf53gpFCpa+Zgrv7WQ0XeQ4zFFFsawn7AI
xCVTyLR+XSJ7H5YGK5oNncKdnFXUyCYuxd8/B00ST7RaTM+KTHtrpSuzgQ1N
uL49fQ7cngT4RLk2ry09BY9favy5dSxLpZKgMhF/hQISAOYK9XSThwI+7B5i
54sMm7hUaTz7UcTFJMXAV+9HMU6WIdJiE1yRQV1TsE+2YGXHYyx8jC5gtxGi
Fn3JQkmt1BGdaqUpAFLSU/HhyjrmWrdpW8RYfwMjdidIuQJc3FadVWAq02Wf
dtQLResS/XLJ+bkZiWcaZTI5TikEBpJVkhmJv6SuBSLI8wdfNMMiSI9Wahs9
JpsYkSYWto5kMSlY85GCwFsRQX8MJdtNfVqAEJU3HrPl3FCuhkVKdZXrQnUQ
k4+7NpMXj6bXkJPoNnzxpBBnFTLDe9A2quuzHALCCvfoYt8InIowHma94ZCp
l88Cu4b1yDFBd4xRRayKU3r4bscpFiTLFpHPQSfNK8JzFJdeAG6hE0xaUFqG
RpyeSErliR0b6tnO0FyQP5yxLRdo6WJHArzMTEQaZM8uWt68rYB441V5mY9I
NzFG1YkgHF1jTUMdWDHoguujg18ErimJtwHXW63oil4o3wcrwPPpIbBdi8v0
Xuh9MMSGAKso0x8prDsZ2EVAUQZ6C8VWK1yRxSyA6ZD2eHhiQLYjkgbhodoZ
PJrbxV3ivhhExY2M0Gkp0cEDKNHBz7uxg78PJTr4bEp08ItQooNfKdG/cUr0
t8L1v0lKdHAfJTr430eJtgOZKBYdxexmVbTSFsXgotPzs5oakye5aLYcoINh
DRKVKaI5O/C3dx+BgDdNOck4dm91RExR7qrDo28kf7JiqxvcAiyIQRBNd2gn
EwNrSz2kM6lU6OQMgrnEtUqIeSFf36Fv+rLTOjLr4eQzrF+ATuBy4eyg0pbd
0g6fN0LHqlBZqc3ENxyVoH1He6gUTCtStdlZAzBYUVgkB+dfG674nVsvJW0P
HpXQc6vc5xxZfRfn2X6grNB0drf4D6Ow2v45QvKDGQou87PQ0zWfldClxjhx
cQW/FK4W/6c1Lvv+pzXOqZRP13uKPl0HzX0nRFGLmO23/+Er/7J2LxOXo7E4
NqcV5UXlNXkMHIJfxO7LFtN1G9PRp4PAgUY+uD3KNsEQYvb024MK+JEsVibA
JaKxTsm0dtaBy8PjDtC184mQMdkFos3P+qTIb0p9eEVF9GGg5c2vtNT9d8U6
/SnhLysrNl/U2TX45XV8WXW9vG5fXl9ZsVUpOPOQhhhoru2xsCWJhdlZcmMj
zBKbj+YATtIsOsSA5rErPnaYyO70K7vsnr0HImZJOzyzMbxzOMZmLgn1G/to
R7GUw8EHZFUcBZWUW0CAJWYgMB6hk7z2YJQiLDqC2+xYtQghnaYtGyHSZK8o
jZwZ1SH1BF0FnHmJW3KWTnZx2/B2Ny1Zi4E9X9Lp2f4UBPuxUBaanE6jaMBx
YfuhnnkXtvRhEJLc5/if4NThsG1FdoQJoIKNU/K0heoLZyIbnNqwED+/JBUL
BKjmPd1BshhKMGjJ1T609mlfMOsaK2JQDmYTVJkptymBfBxSAq6pkxXXZLib
567+QDh5MyATUceeTuNoFAFQ6G525t1vONaTjOChawlByrtjzM1FguzFxvt3
SqK/EJ87OriTz3WJqidxUI4Iq8S6C7KnsYEuqcLYGD5NODDlZT45zw75VsyA
gXhYSQMVJK3Yr4QZkJIP1+XD9RULCXsWEPaQzIu0Sqks6KRpRzijZVHl5D+i
iGZafurrBjFbkSUgMMnEHPN3KcDEi9i0bn0p8UxsyUgJBBGPUNjjAiJe9RIf
qIUqRgrkUcrxKAFAFNHw+CL24VsQRTSUSzkJCTrjJCYOMgiygWGWN56puI85
FpyYSMeClV9wzJTsFD0u5mqjuLC6iL0Cx0awPMAYmybfx0cY3B0KyXVe34FJ
zll9DzphJMInLRjbD9T0HixH/hwTx8+QIw9+ITny4Fc58lc50sp/v4QcqX+V
I///I0c2Wu/dJ0ke/CpJ/iuTJH8ZTuclyQcZPX+VJH+VJP+NS5L6PZ1G3BWR
Y253qFqjPsGOjezmuP2CKzj2K/fZT7CGk+39fayMUHBhu9pXZLb5VqOsyLnM
8aud3Q1qvNSoPIWwrjCWnGfQfgYmfV2xZmEuApfMd3VsnTHJldMMqrlwriuF
SbejKm1hTZ/Xyv6u0G4+pGrvQ1sxstKdC/c5G3DSr2yjLHGHUUlN7JrBtW9y
uaegeDCi77zCpi9JvhCkyypcjb5IJ3hprqQgV2mYU7NEmr1V3jPPOJtaJEWK
kBzPpaKI0O1HtKtHGuP9GsUlRxIafp7eYPijayggwf0SR2wk2csWWmB5xR+w
r7Nma4yH+SE2oZ0wUrJpKeineazIoHypTilaRNU4b6jCP7rUKF/WXpPUc9TY
5MC1ukvI84ZBKsGb6Tm1/pMK/ZzOTV/jcLZaPJ6EA19Msn7LpUGDLE4XAFPA
OaUYAWTLJ9oOae1tUQYRpipyctFf5kbqwAOQ17UkLcJl5yS9TdMK7ztCKBvY
ieLttVHnyZWQwbmEl/noKO76iRujM5Io+zd4vX2udKrU10lJ+ajygasCT8Xf
XQGaMWbfYJg4KRGYioZNr5LSdi7G3otTuF+KRYdFXMmorqAq7wpbClCVllre
izshScgXUntFlLROKQQdiRZlAOUmowWclUUy5tjAns/vEo95ytl2mCOOn+IU
yhEInCH32T/U44BcbWdZwZWAuCZutqCJKF59jpH09TzH+LtRWo7mU8aWSsq3
oU8rk56LvGCpGwJcejAZMHWfjy4XCOsgARpMgnj7cfvgOyoQTB3csIcpEZPj
re3t9+8P8XMeBFvjcQAyrhNDY7e+3j/eeofQgAjHDXNANUkrijTng72641pd
NeLo5KMOOo3S2+4Z0uzkaLsKe7MKxb2LTS4tqKVKrK0ARfSFMVUQVLS68wAo
MSxQlj0rDeGllDvEULTpGagmmLBAvAj3es01YuRWg053Jq/m1HwirDJYRcIY
yg6yHlLgpYErKwO21GWipwbBL62mQSM3iR2HsaO+Rc1+s6c2vU6gxRbI4QOi
crccMBgekc9vc8kTV4DrwSHFOafkZ9T7W4dbLSZ/2irxayqrLNIL3A6UK0tj
BP5CL/naNdxwuVoSTqmwCk1l+6BwEWKiYhjHwdC4aFb0tZXhPNOTU1LulLQo
yDK/r3qYjDk405ROvcSxKH4Y2/XKr+qE2y/PCqB72NDlH7AR4TpGkOMNmOkM
FVSqEEj74ZJ8uai9LKmXEjNc41NBu/fTcO0RooSVmpiNcRVi2yOBU32U5u27
6GQGt0299HEXjnXp4wH+fxt/BzBf2j5YGuAKQPhzeQvt5bbaOd+xLhzptKvX
e3vIpmJMHVADNzjs455JgJW3hzwASrLjKcmbLmrTGOfoeLc9zlFYcmDXVaa9
Z5hDzODYxMZZSNAnVMNKfPZWEKowIZ7DsZFyuDCK1kjVg8eJmsE0BoTjs0Me
G6Ig2I2wmPGJr/CmHZrapjzReqjfJJffBqAuXNtxWkZb1PCROhRy3RbqJYES
xBs0VzH2EaIN34YilYPnQIbaRFbQ8YZYhQKByrbfwRBwi+G8PiFFsFes52pH
iMUx7MOZZECgxot+ezrCmMLml1GN6LseZYMHj9tzO2ITs7EVf5oEiFpfkfwD
zwIRoQx5UKbmpIyeYPUt0JaiYlzd1b043Q4VA92oOS8dv7lgL31BpaPGYXWc
sdccpCAYNTDYAvV9MaUKt7YpVg+rwNieL3A6Z+fzaiTxecxAuZ4y5yb1fV8t
gM6iDPrUuPGcSRBnfMcJdEkepyfbCiIBk2GjtdQnoXNC4ei6gHnC15BCRqQs
KOwqGfx1F/XCxRxZ/QTwb2wtaswbNzn5CI0xP3BJCpRYGZwW3karbfBVq39C
Twp5U8UDy6rHxkyJC+UGxUa0xal+v6/PQEpDsNiJcgleh8lB0mrwChZ7vrCE
g1TUlCGYW781Gkgvo/TYa9gwi1IFwyD+XAEIF2XlOkoFHeVwmsagXNwdMS5R
SwiHSFTxCJe0FGpy+i9vYeiFEQI7+XiHXl02l72gAPiK7v9eLzMd/N5WwxjV
K0MgoXGuBdZ3bZRZtLM4pZzqg3tr+J0FgnAsbBHLQpvPQRz636UrgTXLNmg1
DRCtetgMlRti2odSW3nrPClnjk60is9myI4GCnuThgaJ64Sgkmkx56qJfpV8
vof8gdQNFmkvzcXmYo2yUZEf7jYAVxvOL50NokA7LqMgRVrjkipUKxTZG2W7
8PhhTLISTwuaM7iN1Ano2Uk5ZIk1zqTBiOagZbGWlsU0r2pE19kN66+YbeM5
E7o0K3NHdgSuM+F7IAgpreazGShrOoRsFUPMstgG2aJkG0iutCpYU1s+vDwZ
U8WQj92UucyPX//Rh4H947E+tb/bfCH2iqJbRcp8+cketWDHtzsQq6yt/Y65
kw41gQBeFOOecjXivJhpFRWgVST4nnqUbs9B+xSEi/DGm4FcDCUyi4Sg0bYr
8I1THPAOsHh0flWMvBLgFo3tXWIIWo77EhCkrdiybzpqdRFoRpwQT/Bq4cEZ
3OKNFlj+ugtqmxlgNPNATivAsbAhIUnmfkFyPVxlceghYMgIi5yVUZbJmB/0
E9PEjK9jPvxi6IEMJoooRHs64FFbI5t9wEmAt5vc8MGMv1o6ByAwS1jm+f3O
e524J81A/b/qUir9ThEBAA==

-->

</rfc>
