<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-devevey-cfrg-silithium-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Silithium">Silithium - A Compact, Efficient and Non-separable Hybrid Signature</title>
    <seriesInfo name="Internet-Draft" value="draft-devevey-cfrg-silithium-00"/>
    <author fullname="Julien Devevey">
      <organization>ANSSI</organization>
      <address>
        <email>julien.devevey@ssi.gouv.fr</email>
      </address>
    </author>
    <author fullname="Maxime Roméas">
      <organization>ANSSI</organization>
      <address>
        <email>maxime.romeas@ssi.gouv.fr</email>
      </address>
    </author>
    <author fullname="Morgane Guerreau">
      <organization>PQShield</organization>
      <address>
        <email>morgane.guerreau@pqshield.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>CFRG</workgroup>
    <keyword>post-quantum</keyword>
    <keyword>cryptography</keyword>
    <keyword>hybridization</keyword>
    <keyword>signature</keyword>
    <abstract>
      <?line 106?>

<t>This document defines Silithium, an augmentation of US NIST Module-Lattice-based Digital Signing Algorithm (ML-DSA) <xref target="FIPS.204"/> with traditional elliptic-curve operations, that uses ML-DSA in a black-box manner.
This results in a digital signature scheme with hybrid security, requiring solving hard lattice problems as well as discrete logarithm in order to forge a signature.
This augmentation is designed to satisfy regulatory guidelines in certain regions.
Silithium is strongly unforgeable as long as ML-DSA is.
Morevoer, Silithium can be used in a backward compatible and interopable manner without hindering security.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-devevey-cfrg-silithium/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Cryptography Forum Research Group mailing list (<eref target="mailto:cfrg@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/cfrg/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/jdevevey/draft-silithium"/>.</t>
    </note>
  </front>
  <middle>
    <?line 116?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Quantum computing poses new challenges to cryptography, as traditional signature algorithms, such as RSA or ECDSA, are vulnerable to quantum attacks.
Fortunately, new cryptographic standards, such as ML-DSA, recently became available and are assumed to be resistant to such attacks.</t>
      <t>This leaves the community in a situation where some standards are widely deployed, remain secure for now, but will be broken some time in the future,
while on the other hand other standards are only at the beginning of their deployment.
For the latter, even if the mathematical problems underlying their security are starting to be well understood, many other security issues may arise due to the lack of time to fully harden their implementation, or even find all the bugs they may contain.</t>
      <section anchor="hybrid-cryptography">
        <name>Hybrid cryptography</name>
        <t>Due to the recent nature of post-quantum cryptography and especially post-quantum standards, several European cybersecurity agencies <xref target="ANSSI2024"/> are recommending to hybridize these new standards with traditional cryptography, resulting in PQ/T hybrids.
These hybrids must be resistant to both classical and quantum attacks, ensuring security as high as the maximum security between post-quantum and traditional cryptography.</t>
        <t>Hybridization for signature scheme must be tackled carefully. The role played by signatures in modern protocols and their induced complexity is reinforced by the intrinsic complexity of hybridization. One particular notion that is not covered by the standard unforgeability (EU-CMA) or strong unfogeability (sEU-CMA) security notions for signatures is the reuse of keys between the hybrid signature scheme and its components. In this setting, which should be avoided in general but could also be necessary in some applications for backward compatibility or interoperability reasons, it must not be possible to break down the hybrid signature scheme into its traditional and post-quantum components, and vice-versa.
Previous works have covered this topic and defined guidelines and desirable notions for hybrid signature schemes <xref target="I-D.draft-ietf-pquip-hybrid-signature-spectrums-07"/>.</t>
      </section>
      <section anchor="silithium">
        <name>Silithium</name>
        <t>Silithium is a particular instantiation of the hybrid signature framework described in <xref target="DGR26"/>.
This paper introduces a new security notion called (s)H-EU-CMA which captures the well known notions of (strong) unforgeability and apply them to PQ/T hybrid schemes. In particular, this grants strong non-separability to the resulting scheme, and this removes the security issues that may arise when private key material of one component is reused outside the PQ/T scheme. See <xref target="sec-considerations"/> for more details on the security properties.</t>
        <t>As described in <xref target="DGR26"/>, Silithium is a PQ/T hybrid construction building on ML-DSA and EC-Schnorr (also called EC-SDSA).
While we assume that the developer will have access to an ML-DSA implementation, we do not make such assumption for EC-Schnorr, as this scheme is less widely used. However, we expect that a general purpose elliptic curve library is likely to be available. For this reason, in <xref target="scheme-description"/> we describe directly the elliptic curve operations rather than relying on the high-level description of EC-Schnorr like in <xref target="DGR26"/>.</t>
        <t>Silithium is designed with the goal of lessening the implementation burden. Assuming elliptic curve addition and multiplication as well as ML-DSA are available, then it can quickly be implemented: signing requires in essence sampling a curve point, signing with ML-DSA and computing one multiplication and one addition modulo the order of the curve.</t>
        <t>Silithium offers existential unforgeability (EU-CMA) under hybrid assumptions, i.e. either elliptic curve discrete logarithm or lattice problems are hard, as well as strong existential unforgeability (sEU-CMA) under the assumption that lattice problems are hard, making it fit for most applications.
It also offers various notions of non-separability (and other beyond unforgeability features), making it resilient to uses (and sometimes missuses) where hybrid keys are split and reused inside their component signature schemes, which could be useful for backward compatibility or interopability reasons.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This specification is consistent with the terminology defined in <xref target="RFC9794"/>.
Some relevant definitions from <xref target="RFC9794"/> are copied here for easier reading.
In addition, the following terminology is used throughout this specification:</t>
      <t><strong>ALGORITHM</strong>:
  The usage of the term "algorithm" within this
  specification generally refers to any function which
  has a registered Object Identifier (OID) for
  use within an ASN.1 AlgorithmIdentifier.</t>
      <t><strong>POST-QUANTUM TRADITIONAL (PQ/T) HYBRID SCHEME</strong>:
  <xref target="RFC9794"/> defines a PQ/T Hybrid Scheme as:
  A multi-algorithm scheme where at least one component algorithm
  is a post-quantum algorithm and at least one is a traditional algorithm.</t>
      <t><strong>SIGNATURE</strong>:
          A digital cryptographic signature, making no assumptions
            about which algorithm.</t>
      <t><strong>BACKWARD COMPATIBILITY</strong>:
  A PQ/T hybrid scheme is used in backward compatibility mode if the traditional component of its keypair
  is simultaneously used in a traditional algorithm.</t>
      <t><strong>INTEROPERABILITY</strong>:
  A PQ/T hybrid scheme is used in interoperability mode if the post-quantum component of its keypair
  is simultaneously used in a post-quantum algorithm.</t>
      <section anchor="notations">
        <name>Notations</name>
        <t>The algorithm descriptions use python-like syntax. The following symbols deserve special mention:</t>
        <ul spacing="normal">
          <li>
            <t><tt>||</tt> represents concatenation of two byte-arrays.</t>
          </li>
          <li>
            <t><tt>[:]</tt> represents byte array slicing.</t>
          </li>
          <li>
            <t><tt>(a, b)</tt> represents a pair of values <tt>a</tt> and <tt>b</tt>. Typically, this indicates that a function returns multiple values; the exact conveyance mechanism -- tuple, struct, output parameters, etc. -- is left to the implementer.</t>
          </li>
          <li>
            <t><tt>(a, _)</tt>: represents a pair of values where one -- the second one in this case -- is ignored.</t>
          </li>
          <li>
            <t><tt>func(a) -&gt; b</tt>: represents a function named <tt>func</tt> that takes <tt>a</tt> as input and produces <tt>b</tt>.</t>
          </li>
          <li>
            <t><tt>Func&lt;TYPE&gt;()</tt>: represents a function that is parameterized by <tt>&lt;TYPE&gt;</tt> meaning that the function's implementation will have minor differences depending on the underlying TYPE. Typically this means that a function will need to look up different constants or use different underlying cryptographic primitives depending on which composite algorithm it is implementing.</t>
          </li>
        </ul>
        <t>For the purpose of describing the elliptic curve operations, the following notation is used throughout the document:</t>
        <artwork><![CDATA[
q           Order of the group

G           Generator of the group

[n]P        P added to itself n times
]]></artwork>
      </section>
    </section>
    <section anchor="scheme-description">
      <name>Scheme Description</name>
      <t>This section describes the Silithium functions needed to instantiate the public API of a digital signature scheme.</t>
      <section anchor="key-generation">
        <name>Key Generation</name>
        <t>The security properties guaranteed by Silithium do not forbid key material generated for Silithium to be reused outside of Silithium (and conversely). See <xref target="sec-considerations"/> for further discussion on security properties. In this document, we describe the generation of fresh key material.</t>
        <t>To generate a new key pair for Silithium, the <tt>KeyGen() -&gt; (pk, sk)</tt> function is used.  The <tt>KeyGen()</tt> function calls independently the key generation algorithm of ML-DSA, and the <tt>RandomPoint</tt> function that outputs <tt>(d, P)</tt> such that <tt>P = [d]G</tt>. Multi-threaded, multi-process, or multi-module applications might choose to execute the key generation functions in parallel for better key generation performance or architectural modularity.</t>
        <t>The following describes how to instantiate a <tt>KeyGen()</tt> function for a given variant of Silithium represented by <tt>&lt;OID&gt;</tt>.</t>
        <artwork><![CDATA[
Silithium-<OID>.KeyGen() -> (pk, sk)

Explicit inputs:

  None

Implicit inputs mapped from <OID>:

  ML-DSA  The underlying ML-DSA algorithm and parameter set,
          for instance "ML-DSA-65".

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  (pk, sk)    A Silithium keypair.

Key generation process:

  1. Generate component keys

    mldsaSeed = Random(32)
    (mldsaPK, mldsaSK) = ML-DSA.KeyGen_internal(mldsaSeed)
    (d, P) = Curve.RandomPoint()

  2. Check for component key generation failure

    if NOT (mldsaPK, mldsaSK) or NOT (d, P):
      output "Key generation error"

  3. Output the Silithium public and private keys

    pk = SerializePublicKey(mldsaPK, P)
    sk = SerializePrivateKey(mldsaSeed, d)
]]></artwork>
        <t>This keygen process makes use of the seed-based <tt>ML-DSA.KeyGen_internal(𝜉)</tt>, which is defined in Algorithm 6 of <xref target="FIPS.204"/>.
If private key interoperability is not required, it is possible to deviate from <xref target="serialize-privkey"/> and store the ML-DSA private key as an expanded private key, allowing the use of <tt>ML-DSA.KeyGen()</tt> (Algorithm 1 of <xref target="FIPS.204"/>).</t>
      </section>
      <section anchor="sign">
        <name>Sign</name>
        <t>The <tt>Sign()</tt> algorithm of Silithium opens up the signature procedure of EC-Schnorr to integrate a call to <tt>ML-DSA.Sign()</tt>. The rough idea is that the challenge of EC-Schnorr is no longer computed with a hash function, but is rather extracted from an ML-DSA signature. To further bind the two components together, the random nonce <tt>R</tt> (a point on the Curve) is passed to ML-DSA as a context string, along with the EC-Schnorr public key.</t>
        <artwork><![CDATA[
Silithium-<OID>.Sign(sk, M) -> s

Explicit inputs:

  sk      Silithium private key consisting of signing private keys
          for each component.

  M       The message to be signed, an octet string.

Implicit inputs mapped from <OID>:

  ML-DSA  The underlying ML-DSA algorithm and parameter set,
          for instance "ML-DSA-65".

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  s    The Silithium signature value.

Signature Generation Process:

  1. Deserialize the private key and recompute the public point

    (mldsaSeed, d) = DeserializePrivateKey(sk)
    (_, mldsaSK) = ML-DSA.KeyGen_internal(mldsaSeed)
    P = [d]G

  2. Generate a random scalar k in the range ]0, q[

    k = RandScalar(0, q)

  3. Compute the random nonce

    R = [k]G

  4. Serialize R and the EC-Schnorr public key as an octet string

    ctx = SerializeCommitment(R, P)

  5. Sign the message with ML-DSA and extract the challenge component

    mldsaSig = ML-DSA.Sign(mldsaSK, M, ctx)
    c = mldsaSig[:c_len]

  6. Complete the EC-Schnorr signature procedure

    x = k + ecSK * c mod q

  7. Serialize and output the Silithium signature

    s = SerializeSignatureValue(mldsaSig, x)
]]></artwork>
        <t>Note that in step 4, both <tt>R</tt> and the EC-Schnorr public key are at most 66 bytes (in compressed form), hence their serialization fits under the maximum size of 255 bytes for ML-DSA context string. Silithium does not take any context string as an input and does not allow user-defined context string to be transmitted to ML-DSA. See <xref target="user-context"/> for a discussion on user-defined context string.</t>
      </section>
      <section anchor="verify">
        <name>Verify</name>
        <t>The <tt>Verify()</tt> algorithm recomputes the context string from the EC-Schnorr components <tt>(x, c)</tt> and the EC-Schnorr public key. Validating the ML-DSA signature with such context string implicitly validates the EC-Schnorr signature. It is not possible to abort early from the signature verification, ensuring the Simultaneous Verification property (further discussion in <xref target="sec-considerations"/>).</t>
        <artwork><![CDATA[
Silithium-<OID>.Verify(pk, M, s) -> true or false

Explicit inputs:

  pk      Silithium public key consisting of verification public keys
          for each component.

  M       Message whose signature is to be verified, an octet string.

  s       A Silithium signature value to be verified.

Implicit inputs mapped from <OID>:

  ML-DSA  The underlying ML-DSA algorithm and parameter set,
          for instance "ML-DSA-65".

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  Validity (bool)   True if the Silithium signature is valid, false
                    otherwise.

Signature Verification Process:

  1. Deserialize the public key

    (mldsaPK, P) = DeserializePublicKey(pk)

  2. Deserialize the signature and extract components. Both c and x
    are interpreted as scalars.

    (c, x, mldsaSig) = DeserializeSignatureValue(s)

  3. Ensure that x is within the bounds

    if (x < 0 or x >= q)
      return error

  4. Recompute the nonce R

    R = [x]G - [c]P

  5. Serialize R and the EC-Schnorr public key as an octet string

    ctx = SerializeCommitment(R, P)

  6. Output the result of ML-DSA verification

    return ML-DSA.Verify(mldsaPK, M, mldsaSig, ctx)
]]></artwork>
      </section>
    </section>
    <section anchor="serialization">
      <name>Serialization</name>
      <section anchor="point_encode">
        <name>Curve Point encoding</name>
        <t>Elliptic curve points <bcp14>MUST</bcp14> be encoded in compressed form, so that the commitment can fit inside the ML-DSA context string (of maximum length 255 bytes).
To unify the implementation, the same point encoding is used at every step of the algorithm, even if no size constraints apply.</t>
        <t>Point compression consists in storing only the x-coordinate of a point, with an additional byte at the first position of the encoding set to <tt>0x02</tt> (resp. <tt>0x03</tt>) if its y-coordinate is positive (resp. negative).
We refer to <xref target="SEC1"/> (sections 2.3.3 and 2.3.4) for a formal description of point compression.</t>
        <t>Scalar (also called field element) are encoded to bytes following sections 2.3.5 to 2.3.8 of <xref target="SEC1"/>.</t>
      </section>
      <section anchor="serializepublickey-and-deserializepublickey">
        <name>SerializePublicKey and DeserializePublicKey</name>
        <t>The serialization routine for public keys performs encoding of the EC-Schnorr public point, and then concatenates the ML-DSA public key with the encoded point.</t>
        <artwork><![CDATA[
Silithium<OID>.SerializePublicKey(mldsaPK, P) -> bytes

Explicit inputs:

  mldsaPK The ML-DSA public key, which is bytes.

  P       The EC-Schnorr public key, a point on the Curve.

Implicit inputs mapped from <OID>:

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  bytes   The encoded Silithium public key.

Serialization Process:

  1. Encode P using compressed encoding.

    encP = Curve.Compress(P)

  2. Combine and output the encoded public key

    output mldsaPK || encP
]]></artwork>
        <t>Deserialization reverses this process.
This function depends on the underlying variant of ML-DSA, as the length of <tt>mldsaPK</tt> varies across parameter sets.
Values for <tt>ML-DSA.PKLen</tt> are listed in <xref target="tab-mldsa-sizes"/>.</t>
        <artwork><![CDATA[
Silithium<OID>.DeserializePublicKey(bytes) -> (mldsaPK, P)

Explicit inputs:

  bytes    An encoded Silithium public key.

Implicit inputs mapped from <OID>:

  ML-DSA  The underlying ML-DSA algorithm and
          parameter set to use, for example "ML-DSA-65".

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  mldsaPK The ML-DSA public key, which is bytes.

  P  The EC-Schnorr public key, a point on the Curve.

Deserialization Process:

  1. Split the Silithium public key into both components
    mldsaPK = bytes[:ML-DSA.PKLen]
    encP = bytes[ML-DSA.PKLen:]

  2. Decode P using compressed encoding.
    P = Curve.Decompress(encP)

  3. Output the decoded public key

    output (mldsaPK, P)
]]></artwork>
      </section>
      <section anchor="serialize-privkey">
        <name>SerializePrivateKey and DeserializePrivateKey</name>
        <t>The serialization routine for private keys performs encoding of the private scalar, and then concatenates the ML-DSA private seed with the encoded scalar.</t>
        <artwork><![CDATA[
Silithium.SerializePrivateKey(mldsaSeed, d) -> bytes

Explicit inputs:

  mldsaSeed The ML-DSA private key, which is the bytes of the seed.

  d         The secret scalar.

Implicit inputs:

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  bytes   The encoded Silithium private key.

Serialization Process:

  1. Encode d with fixed-length encoding defined by the Curve.

    encd = ScalarEncode(d)

  2. Combine and output the encoded private key

    output mldsaSeed || encd
]]></artwork>
        <t>Deserialization reverses this process. This function does not depend on the ML-DSA variant, because the length of <tt>mldsaSeed</tt> is fixed across all parameter sets.</t>
        <artwork><![CDATA[
Silithium.DeserializePrivateKey(bytes) -> (mldsaSeed, d)

Explicit inputs:

  bytes      An encoded Silithium private key.

Implicit inputs:

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  mldsaSeed The ML-DSA private key, which is the bytes of the seed.

  d         The private scalar.

Deserialization Process:

  1. Split the Silithium private key into both components

    mldsaSeed = bytes[:32]
    encd = bytes[32:]

  2. Decode d as a scalar

    d = ScalarDecode(encd)

  3. Output the decoded private key

    output (mldsaSeed, d)
]]></artwork>
      </section>
      <section anchor="serializesignaturevalue-and-deserializesignaturevalue">
        <name>SerializeSignatureValue and DeserializeSignatureValue</name>
        <t>The serialization routine encodes the <tt>x</tt> component of the EC-Schnorr signature (which is a scalar), and concatenates its encoding with the ML-DSA signature.</t>
        <artwork><![CDATA[
Silithium.SerializeSignatureValue(mldsaSig, x) -> bytes

Explicit inputs:

  mldsaSig The ML-DSA signature value, which is bytes.

  x        The scalar component of the EC-Schnorr signature.

Implicit inputs:

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  bytes   The encoded Silithium signature value.

Serialization Process:

  1. Encode x with fixed-length encoding defined by the Curve.

    encx = ScalarEncode(x)

  2. Combine and output the encoded private key

    output mldsaSig || encx
]]></artwork>
        <t>Deserialization reverses this process. Furthermore, it extracts the component <tt>c</tt> of the ML-DSA signature to allow its independent reuse.
This function depends on the underlying variant of ML-DSA, as the length of <tt>mldsaSig</tt> varies across parameter sets.
Values for <tt>ML-DSA.SigLen</tt> and <tt>ML-DSA.cLen</tt> are listed in <xref target="tab-mldsa-sizes"/>.</t>
        <artwork><![CDATA[
Silithium<OID>.DeserializeSignatureValue(bytes) -> (mldsaSig, x)

Explicit inputs:

  bytes    An encoded Silithium signature value.

Implicit inputs mapped from <OID>:

  ML-DSA  The underlying ML-DSA algorithm and
          parameter set to use, for example "ML-DSA-65".

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  c         The challenge component of the EC-Schnorr signature.

  x         The scalar component of the EC-Schnorr signature.

  mldsaSig  The ML-DSA signature value, which is bytes.

Deserialization Process:

  1. Split the Silithium signature into all components.
    mldsaSig = bytes[:ML-DSA.SigLen]
    encx = bytes[ML-DSA.SigLen:]
    encc = mldsaSig[:ML-DSA.cLen]

  2. Decode x and c as a scalar.
    x = Curve.ScalarDecode(encx)
    c = Curve.ScalarDecode(encc)

  3. Output the decoded signature.

    output (c, x, mldsaSig)
]]></artwork>
      </section>
      <section anchor="serializecommitment">
        <name>SerializeCommitment</name>
        <t>The EC-Schnorr nonce <tt>R</tt> (a point on the Curve) is serialized together with the EC-Schnorr public key <tt>P</tt> (a point on the Curve) as a context string, later passed on to the ML-DSA signature function. As discussed in <xref target="point_encode"/>, compressed encoding is used, such that the resulting bytes string fits under the maximum length of 255 bytes for all parameter sets.</t>
        <artwork><![CDATA[
Silithium.SerializeCommitment(R, P) -> bytes

Explicit inputs:

  R   The EC-Schnorr nonce, a point on the Curve.

  P   The EC-Schnorr public key, a point on the Curve.

Implicit inputs:

  Curve   The underlying elliptic curve, for instance "P256" or "P-384".

Output:

  bytes   The encoded commitment.

Serialization Process:

  1. Encode R and P using compressed encoding.

    encR = Curve.Compress(R)
    encP = Curve.Compress(P)

  2. Combine and output the encoded commitment.

    output encR || encP
]]></artwork>
        <t>There is no need to reverse this process.</t>
      </section>
    </section>
    <section anchor="algorithm-identifiers-and-parameters">
      <name>Algorithm Identifiers and Parameters</name>
      <t>This section lists the algorithm identifiers and parameters for all Silithium variants.</t>
      <t>Only one parameter set per security level is defined to keep the overall number of combinations within a reasonable limit.</t>
      <ul spacing="normal">
        <li>
          <t>id-Silithium44-P-256
          </t>
          <ul spacing="normal">
            <li>
              <t>OID: <strong>TODO</strong></t>
            </li>
            <li>
              <t>ML-DSA variant: ML-DSA-44</t>
            </li>
            <li>
              <t>Curve: P-256</t>
            </li>
          </ul>
        </li>
        <li>
          <t>id-Silithium65-P-384
          </t>
          <ul spacing="normal">
            <li>
              <t>OID: <strong>TODO</strong></t>
            </li>
            <li>
              <t>ML-DSA variant: ML-DSA-65</t>
            </li>
            <li>
              <t>Curve: P-384</t>
            </li>
          </ul>
        </li>
        <li>
          <t>id-Silithium87-P-521
          </t>
          <ul spacing="normal">
            <li>
              <t>OID: <strong>TODO</strong></t>
            </li>
            <li>
              <t>ML-DSA variant: ML-DSA-87</t>
            </li>
            <li>
              <t>Curve: P-521</t>
            </li>
          </ul>
        </li>
      </ul>
    </section>
    <section anchor="sec-considerations">
      <name>Security Considerations</name>
      <t>This section brushes over the security properties of Silithium.
More detailed proofs and reductions can be found in <xref target="DGR26"/>.
This section also explains the differences in security introduced by the variant considered in this specification.</t>
      <section anchor="dgr-changes">
        <name>Changes with respect to the published version of Silithium</name>
        <t>The original scheme from <xref target="DGR26"/>, which we dub Silithium-DGR to avoid ambiguity, is similar to the one presented here, except that it replaces <tt>tr = H(vkPQ)</tt> with <tt>tr' = H(vkT, vkPQ)</tt>, which is then used to derive <tt>mu = H(tr('), R, M)</tt>. Contrary to this variant, no specific context string is necessary, but could be introduced for the sake of domain separation.
To avoid reimplementing the whole scheme, Silithium-DGR relies on either an implementation of ML-DSA providing the external-mu variant or by modifying its secret key.
Silithium-DGR can be used both in backward compatibility and interoperability mode securely at the same time with ECDSA as the traditional component and ML-DSA as the post-quantum component.</t>
        <t>As neither external mu nor updating the signing key may be available, Silithium puts the updated data inside the context string of ML-DSA instead of its signing key.
The resulting scheme can be implemented using any ML-DSA implementation and has the following security properties, detailed in the following sections.</t>
        <ul spacing="normal">
          <li>
            <t>Unforgeability: breaking Silithium is equivalent to breaking ML-DSA <em>and</em> the discrete logarithm problem.</t>
          </li>
          <li>
            <t>Strong unforgeability: finding a new signature for an already signed message is equivalent to doing the same for ML-DSA.</t>
          </li>
          <li>
            <t>Backward compatibility: Silithium can be securely used in backward compatibility mode with ECDSA, in the sense that unforgeability for the two schemes is still guaranteed.</t>
          </li>
          <li>
            <t>Interoperability: Silithium can be securely used in interoperability mode with ML-DSA, with the restriction that the application <bcp14>MUST NOT</bcp14> allow the user to set arbitrary context strings.</t>
          </li>
        </ul>
        <t><!-- - Interoperability: When used in interoperability mode with ML-DSA, valid ML-DSA signatures can be extracted from Silithium. Assuming a discrete logarithm break, the converse is true. This is mitigated by the use of specific contexts and with the right applicative measures security can be guaranteed. -->
        </t>
        <t>The following sections give rationale about the aforementioned security claims.</t>
      </section>
      <section anchor="unforgeability">
        <name>Unforgeability</name>
        <t>Silithium satisfies the standard unforgeability security notion as long as either ML-DSA does so <em>or</em> discrete logarithm is a hard problem.
Indeed, to forge a signature, an adversary must simultaneously forge a ML-DSA signature as well as respond correctly to a Schnorr challenge.
As long as one of the two is a difficult problem, then forging a Silithium signature is also hard.</t>
        <t>This also means that the nature of the unforgeability of Silithium changes if one of the two is broken:</t>
        <ul spacing="normal">
          <li>
            <t>If discrete logarithm is broken, e.g. with a quantum computer, then Silithium is as secure as ML-DSA.</t>
          </li>
          <li>
            <t>If ML-DSA is broken, then Silithium remains secure against classical adversaries, as long as the discrete logarithm problem is.</t>
          </li>
        </ul>
      </section>
      <section anchor="strong-unforgeability">
        <name>Strong Unforgeability</name>
        <t>Theorem 2 in <xref target="DGR26"/> shows that signing a message for which a signature is already known for Silithium-DGR is as hard to do as for ML-DSA.</t>
        <t>This result remains true for Silithium. In order to forge another signature for an already signed message, an adversary could:</t>
        <ul spacing="normal">
          <li>
            <t>Use another traditional nonce <tt>R'</tt>. In that case, the (message, context) signed by ML-DSA changes, and the adversary must break ML-DSA to complete its forgery.</t>
          </li>
          <li>
            <t>Find another <tt>x' != x</tt> such that <tt>[x]G - [c]P = [x']G - [c]P</tt>. This is actually impossible to do, as Silithium checks that <tt>x</tt> lies in a domain where no such <tt>x'</tt> exists.</t>
          </li>
          <li>
            <t>Find another ML-DSA signature for the same (message, context) pair. Assuming that this new signature contains the same challenge <tt>c</tt> as the genuine signature,
this allows to recycle the traditional component that is part of the Silithium signature without changes,
while still obtaining a fresh signature, as the other part of the ML-DSA signature is fresh.</t>
          </li>
        </ul>
        <t>Out of the three attack paths, the second one is impossible, and the first and third ones require breaking the (strong) unforgeability of ML-DSA.
As such, with respect to strong unforgeability, Silithium is at least as hard to break as ML-DSA.</t>
      </section>
      <section anchor="backward-compatibility-mode-with-ecdsa">
        <name>Backward compatibility mode with ECDSA</name>
        <t>As a starting point, it was proven in <xref target="DGR26"/> that Silithium-DGR can be used simultaneously in backward compatibility and interoperability mode with ECDSA and ML-DSA, respectively.</t>
        <t>Does the knowledge of multiple (message, signature) pairs for both Silithium and ECDSA help forge signatures for either of them, when ECDSA uses a keypair that is a subset of a Silithium keypair?</t>
        <ul spacing="normal">
          <li>
            <t>Each of these two signature schemes is unforgeable when used alone, the remaining question being whether concurrent usage creates undesirable interactions.</t>
          </li>
          <li>
            <t>The two signature schemes are relying on different hash functions and different paradigms.</t>
          </li>
        </ul>
        <t>The only attack path to leverage this additional information is a key-recovery attack on one of the schemes in order to use the recovered key to attack the second one.
However, key-recovery on either of the two schemes is a difficult problem, harder than directly forging, making this attack path impractical.</t>
        <t>As such, Silithium used in backward compatibility mode with ECDSA is secure, both classically and quantumly.</t>
      </section>
      <section anchor="sec-interop">
        <name>Interoperability mode with ML-DSA</name>
        <t>The changes introduced in Silithium with respect to Silithium-DGR have an impact here.
Indeed, Silithium integrates an ML-DSA signature as part of its signature.
An adversary can extract this signature, giving a valid ML-DSA signature that was not produced by the ML-DSA signer.</t>
        <t>Conversely, the ML-DSA signer can be used to produce Silithium signatures. The adversary still has to break the discrete logarithm problem to complete the signing algorithm of Silithium, which is possible for a quantum adversary. Hence, under these hypotheses:</t>
        <ul spacing="normal">
          <li>
            <t>the standalone ML-DSA instance is not secure, as an adversary is able to use Silithium signatures to produce valid ML-DSA signatures,</t>
          </li>
          <li>
            <t>Silithium has degraded security against quantum adversaries.</t>
          </li>
        </ul>
        <t>Noting that Silithium uses a specific context string when calling ML-DSA, the applicative layer can:</t>
        <ul spacing="normal">
          <li>
            <t>disallow ML-DSA verification on user-provided context string,</t>
          </li>
          <li>
            <t>disallow ML-DSA signing on user-provided context string.</t>
          </li>
        </ul>
        <t>Each of the above points answers its corresponding security concern.
Assuming that in interoperability mode ML-DSA has a restricted set of context string it can produce and verify signatures on, these attacks do no longer work.
Under these two hypotheses on the applicative layer, a security level similar to Silithium-DGR is attained: Silithium can securely be used in interoperability mode with ML-DSA.</t>
      </section>
    </section>
    <section anchor="potential-changes">
      <name>Potential Changes</name>
      <section anchor="append-r-to-the-message">
        <name>Append R to the message</name>
        <t>In this proposal, the commitment <tt>R</tt> is passed to ML-DSA as part of its context.
It could be instead passed to ML-DSA as part of the message to sign, by appending it at the end of <tt>M</tt> using the external-mu feature of <xref target="FIPS.204"/>.</t>
        <t>In that case, the security of the interoperability mode is improved. On one hand, the message is now appended with a suffix that is impredictible for the adversary, which could make the signed message useless for the adversary. On the other hand, the context string is fixed once the public key is known, which makes it easier to identify potential ML-DSA signatures extracted from a Silithium signature.</t>
        <t>This option is currently left out due to implementations considerations. As ML-DSA is not a streaming signature algorithm, appending the commitment <tt>R</tt> to the message <tt>M</tt> before signing would require a new memory allocation whose size is not predictable, and this would not be suitable for devices with memory constraints.</t>
      </section>
      <section anchor="user-context">
        <name>User-defined context string</name>
        <t>As outlined in precedent sections, Silithium uses at most 2 * 66 = 132 bytes of ML-DSA context string to incorporates the EC-Schnorr public key and nonce. This leaves 123 bytes of available space, as the maximum length of ML-DSA context string is 255 bytes. It could hence be possible to define a Silithium variant that takes as input a user-defined context string, with a maximum length of 123 bytes.
If a longer context string is desirable, note that the previous modification frees 66 bytes of context.</t>
      </section>
      <section anchor="silithium-dgr">
        <name>Silithium-DGR</name>
        <t>As discussed in <xref target="dgr-changes"/> this proposal made the choice to introduce a variant of the Silithium-DGR scheme in order to be implementable in any context and not require the external-mu variant of ML-DSA.
This comes at the cost of additional assumptions made on the applicative layer in order to ensure interoperability security, as discussed in <xref target="sec-interop"/>.
If the other trade-off is more desirable, this proposal could be changed back to the original Silithium-DGR scheme.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
    <section anchor="implementation-considerations">
      <name>Implementation considerations</name>
      <t>Silithium uses ML-DSA (a FIPS approved algorithm) as a black-box, enabling the reuse of existing FIPS certified implementations.</t>
      <t>The <tt>Curve.RandomPoint()</tt>, which outputs <tt>(d, P)</tt> such that <tt>P = [d]G</tt>, is not specified in this document. Its output is exactly the same as what would be produced by a key generation algorithm for most schemes based on elliptic curves, as for example ECDSA. Even though Silithium is not built on ECDSA, it is entirely possible to reuse the key generation algorithm of ECDSA as <tt>Curve.RandomPoint()</tt>, if such function is available.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6090">
          <front>
            <title>Fundamental Elliptic Curve Cryptography Algorithms</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="K. Igoe" initials="K." surname="Igoe"/>
            <author fullname="M. Salter" initials="M." surname="Salter"/>
            <date month="February" year="2011"/>
            <abstract>
              <t>This note describes the fundamental algorithms of Elliptic Curve Cryptography (ECC) as they were defined in some seminal references from 1994 and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6090"/>
          <seriesInfo name="DOI" value="10.17487/RFC6090"/>
        </reference>
        <reference anchor="RFC5480">
          <front>
            <title>Elliptic Curve Cryptography Subject Public Key Information</title>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="D. Brown" initials="D." surname="Brown"/>
            <author fullname="K. Yiu" initials="K." surname="Yiu"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="T. Polk" initials="T." surname="Polk"/>
            <date month="March" year="2009"/>
            <abstract>
              <t>This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5480"/>
          <seriesInfo name="DOI" value="10.17487/RFC5480"/>
        </reference>
        <reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf">
          <front>
            <title>SEC 1: Elliptic Curve Cryptography</title>
            <author>
              <organization>Certicom Research</organization>
            </author>
            <date year="2009" month="May"/>
          </front>
        </reference>
        <reference anchor="SEC2" target="https://www.secg.org/sec2-v2.pdf">
          <front>
            <title>SEC 2: Recommended Elliptic Curve Domain Parameters</title>
            <author>
              <organization>Certicom Research</organization>
            </author>
            <date year="2010" month="January"/>
          </front>
        </reference>
        <reference anchor="FIPS.204" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf">
          <front>
            <title>Module-Lattice-Based Digital Signature Standard</title>
            <author>
              <organization>National Institute of Standards and Technology (NIST)</organization>
            </author>
            <date year="2024" month="August"/>
          </front>
          <seriesInfo name="FIPS PUB" value="204"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9794">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="F. Driscoll" initials="F." surname="Driscoll"/>
            <author fullname="M. Parsons" initials="M." surname="Parsons"/>
            <author fullname="B. Hale" initials="B." surname="Hale"/>
            <date month="June" year="2025"/>
            <abstract>
              <t>One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9794"/>
          <seriesInfo name="DOI" value="10.17487/RFC9794"/>
        </reference>
        <reference anchor="DGR26">
          <front>
            <title>Compact, Efficient and Non-separable Hybrid Signatures</title>
            <author fullname="Julien Devevey" initials="J." surname="Devevey">
              <organization/>
            </author>
            <author fullname="Morgane Guerreau" initials="M." surname="Guerreau">
              <organization/>
            </author>
            <author fullname="Maxime Roméas" initials="M." surname="Roméas">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="Lecture Notes in Computer Science" value="pp. 143-177"/>
          <seriesInfo name="DOI" value="10.1007/978-3-032-22698-3_5"/>
          <seriesInfo name="ISBN" value="[&quot;9783032226976&quot;, &quot;9783032226983&quot;]"/>
          <refcontent>Springer Nature Switzerland</refcontent>
        </reference>
        <reference anchor="I-D.ietf-lamps-pq-composite-sigs">
          <front>
            <title>Composite Module-Lattice-Based Digital Signature Algorithm (ML-DSA) for use in X.509 Public Key Infrastructure</title>
            <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
              <organization>Entrust Limited</organization>
            </author>
            <author fullname="John Gray" initials="J." surname="Gray">
              <organization>Entrust Limited</organization>
            </author>
            <author fullname="Massimiliano Pala" initials="M." surname="Pala">
              <organization>OpenCA Labs</organization>
            </author>
            <author fullname="Jan Klaußner" initials="J." surname="Klaußner">
              <organization>Bundesdruckerei GmbH</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <date day="21" month="April" year="2026"/>
            <abstract>
              <t>   This document defines combinations of US NIST Module-Lattice-Based
   Digital Signature Algorithm (ML-DSA) in hybrid with traditional
   algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA, Ed25519, and Ed448.
   These combinations are tailored to meet regulatory guidelines in
   certain regions.  Composite ML-DSA is applicable in applications that
   use X.509 or PKIX data structures that accept ML-DSA, but where the
   operator wants extra protection against breaks or catastrophic bugs
   in ML-DSA, and where existential unforgeability (EUF-CMA) level
   security is acceptable.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite-sigs-19"/>
        </reference>
        <reference anchor="I-D.draft-ietf-pquip-hybrid-signature-spectrums-07">
          <front>
            <title>Hybrid signature spectrums</title>
            <author fullname="Nina Bindel" initials="N." surname="Bindel">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Britta Hale" initials="B." surname="Hale">
              <organization>Naval Postgraduate School</organization>
            </author>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Flo D" initials="F." surname="D">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <date day="20" month="June" year="2025"/>
            <abstract>
              <t>   This document describes classification of design goals and security
   considerations for hybrid digital signature schemes, including proof
   composability, non-separability of the component signatures given a
   hybrid signature, backwards/forwards compatibility, hybrid
   generality, and simultaneous verification.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-hybrid-signature-spectrums-07"/>
        </reference>
        <reference anchor="ANSSI2024" target="https://cyber.gouv.fr/sites/default/files/document/Quantum_Key_Distribution_Position_Paper.pdf">
          <front>
            <title>Position Paper on Quantum Key Distribution</title>
            <author>
              <organization>French Cybersecurity Agency (ANSSI)</organization>
            </author>
            <author>
              <organization>Federal Office for Information Security (BSI)</organization>
            </author>
            <author>
              <organization>Netherlands National Communications Security Agency (NLNCSA)</organization>
            </author>
            <author>
              <organization>Swedish National Communications Security Authority, Swedish Armed Forces</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DLOGsig">
          <front>
            <title>IT Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms</title>
            <author>
              <organization>ITU-T</organization>
            </author>
            <date year="2018" month="November"/>
          </front>
          <seriesInfo name="ISO/IEC" value="14888-3:2018"/>
        </reference>
      </references>
    </references>
    <?line 798?>

<section anchor="silithium-and-components-sizes">
      <name>Silithium and Components Sizes</name>
      <table anchor="tab-silithium-sizes">
        <name>Sizes (in bytes) of keys and signatures of Silithium</name>
        <thead>
          <tr>
            <th align="left">Algorithm</th>
            <th align="left">SKLen</th>
            <th align="left">PKLen</th>
            <th align="left">SigLen</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">id-Silithium44-P-256</td>
            <td align="left">64</td>
            <td align="left">1345</td>
            <td align="left">2452</td>
          </tr>
          <tr>
            <td align="left">id-Silithium65-P-384</td>
            <td align="left">80</td>
            <td align="left">2001</td>
            <td align="left">3357</td>
          </tr>
          <tr>
            <td align="left">id-Silithium87-P-521</td>
            <td align="left">98</td>
            <td align="left">2659</td>
            <td align="left">4693</td>
          </tr>
        </tbody>
      </table>
      <table anchor="tab-mldsa-sizes">
        <name>Sizes (in bytes) of ML-DSA signature components</name>
        <thead>
          <tr>
            <th align="left">Algorithm</th>
            <th align="left">PKLen</th>
            <th align="left">SigLen</th>
            <th align="left">challLen</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">id-ML-DSA-44</td>
            <td align="left">1312</td>
            <td align="left">2420</td>
            <td align="left">32</td>
          </tr>
          <tr>
            <td align="left">id-ML-DSA-65</td>
            <td align="left">1952</td>
            <td align="left">3309</td>
            <td align="left">48</td>
          </tr>
          <tr>
            <td align="left">id-ML-DSA-87</td>
            <td align="left">2592</td>
            <td align="left">4627</td>
            <td align="left">64</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="appdx_components">
      <name>Component Algorithm Reference</name>
      <table anchor="tab-component-sig-algs">
        <name>ML-DSA variants used in Silithium</name>
        <thead>
          <tr>
            <th align="left">Component Signature Algorithm ID</th>
            <th align="left">OID</th>
            <th align="left">Specification</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">id-ML-DSA-44</td>
            <td align="left">2.16.840.1.101.3.4.3.17</td>
            <td align="left">
              <xref target="FIPS.204"/></td>
          </tr>
          <tr>
            <td align="left">id-ML-DSA-65</td>
            <td align="left">2.16.840.1.101.3.4.3.18</td>
            <td align="left">
              <xref target="FIPS.204"/></td>
          </tr>
          <tr>
            <td align="left">id-ML-DSA-87</td>
            <td align="left">2.16.840.1.101.3.4.3.19</td>
            <td align="left">
              <xref target="FIPS.204"/></td>
          </tr>
        </tbody>
      </table>
      <table anchor="tab-component-curve-algs">
        <name>Elliptic Curves used in Silithium</name>
        <thead>
          <tr>
            <th align="left">Elliptic CurveID</th>
            <th align="left">OID</th>
            <th align="left">Specification</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">secp256r1</td>
            <td align="left">1.2.840.10045.3.1.7</td>
            <td align="left">
              <xref target="RFC6090"/>, <xref target="SEC2"/></td>
          </tr>
          <tr>
            <td align="left">secp384r1</td>
            <td align="left">1.3.132.0.34</td>
            <td align="left">
              <xref target="RFC5480"/>, <xref target="RFC6090"/>, <xref target="SEC2"/></td>
          </tr>
          <tr>
            <td align="left">secp521r1</td>
            <td align="left">1.3.132.0.35</td>
            <td align="left">
              <xref target="RFC5480"/>, <xref target="RFC6090"/>, <xref target="SEC2"/></td>
          </tr>
        </tbody>
      </table>
      <t>EC-Schnorr is not used as a black-box algorithm.
As an informative reference, the EC-SDSA scheme is defined in <xref target="DLOGsig"/>.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We would like to thank Scott Fluhrer (Cisco), John Gray (Entrust) and Thom Wiggers (PQShield) for the useful discussions about Silithium.</t>
      <t>The structure and content of this document are heavily inspired by <xref target="I-D.ietf-lamps-pq-composite-sigs"/>.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA919W3MbybHmO35FmXoYUAeAeNWFnhmbIimJHknkkJS9EwqF
2AAKQJuNbqirQRLWjGNf9/08no3Y1/0bu/9kf8H+hM1b3RoNipodezesczwk
geq6ZGVlfnmp7G6323rw4EHrgTrOK13muuoelsmoUm+S8mpY3OTqQk9nWVLp
FjY603ky1aqapEaN0kyrUVlM1RCf6FbFsOguinmJTbqzsqiKQZH1pkNVFWqs
K2WqpKz0sAf98BjU16gop0mloMM17udb28f33W9vivJqXBbzGfxOH0F3az2a
youiVGmeVmmSKaOr+ayj4EFV5NlC5VrTqHqYVjBZGCQtTaX6WTG4UsUI/tTZ
0OBETrD5WpVWmV6jxww+19dqMEnysR7+Xg11piut1pJ+v9TXayod4Tilomdw
2mZSlBX2tZ8vVAGjlWpQADHzSg2SHPvCaehhR/XnFXWdlHo0z1ReVDhYmldl
MZwPoF1ZFiVN67xAytAs1U2aZfgYLFIl86oAaqWDJIN5D+dlmo959TgvGHuh
oHM1z2X6TKrDIv8GKJwPsvkQVtLd2FhTQL21Lu6rqWBNuVApo/3FGbxO+joz
7hvYJHWP7ZEeeRIGNqG/gL6wh6ooMqItrB0oBL/gp4N5WSKhrnVp0iL/PawF
JjgsBtjbGg6r9G0CDKh5JRfIeJVwJI5g1FWZTJFRu+VosKcmVTUze48ejdNq
Mu/3BsX00SDpF4/CVtDPT8ApuDmlhp4GmuYC80hLJoJssprxZBM1TEfwC86U
2RUpdEAkdoSDicKe4ypwcdBmMHGkA/5u926nGS3oP7153VG6GvR6vXVcFJw+
4qU9tXaeZjDvdD5VXbWvDorpLBlUHXU0GqWDFEdP8qF6W+Rdo2dJmfRh1FeL
fpkO1Xk6zpNqXuq1FjNq2NtaawDkGhflYg8O4bDVEgLvyZYO9TX836I7GJXj
rrFPAZu0zLw/TQ0uqlrMoP3x0cULpR6oJDMFjJDmQz3T8J+8WuuoNeTzooQD
iX8c7z+HH8hmx2cXL9Za+Xza1+VeawhT2WvBCTFArbnZU1U51y2Y73YLuCbZ
U+cauCKtFi3HXXvq4MXZy9aVXsBHw70WUGdWmKr7aZ7k1XyKfw/KxawqxmUy
myzw7wmRJf0bnJUixw+MJVDrWudzmIFStu/gUZQq2KHi5Z5po5MSNvIlNoWP
p0ma7Smk0x9TXY16RTmGT7GJZz1sg5+k17pnGz3CDx71y+LG6Ef4+CMcn3h0
T/1V6P+Id8NtQKsFxx2ECy4YmisFQiPjffvTPAN+UIf8IH0JoyS5LHhP7b89
Pz+mzzXP+a/0RE+G+iPsaW9czK97o3K59zfJbQry56yY/s//npj79D6lJ3qg
DHRivtA5daXVyzmIO53MG7o//fF8grIvGoEf643lsT/OPhlqhGe81crplAHJ
cWPPXhw83ni2Ib/u7jylX8+PDjb3qEt33I4O1OaeOsqydAYyVR3My2sd8cMa
tSeWBaos1NZmR21tbDyjj93u0L8uLgI6PdAl9AVa0TIP9wG6D3Sg55Kbm5ue
0YMxcQf8stm93urNhiOe6NbyRLeQHaHfKZ63YX3Sh6AWQFafglSYgroqTTjz
PyX5PClh9k9w9psbv/3st/zsXxyfnve2NnbiFbwBDZfp7uukgu5193mCyuEw
hSMA6tsJL3VegYRLymE4+/35eA4qZXMbJ7+1c8fk3xL/QIfHuYGB56AiQNnb
Pg1Jzws9mORFVowXqv32+PxivXmB+XU2m/dNL09NBbx8/Qh/wU8e4foe4ZM9
u1JZuALlVabapPmosDNbwzbq9N3zNZgeNF1rtfDrmFefPXlG1Dp8ebb1eE8d
nhz3Njfg/zeePHr25Gl3u7uxvdXd2nr8DH7/uAsNj7uHJFlA205npjv71IUd
A4kIKAOkx9jsSRuWJ9Ry9mmezrosFbtOFnbNTA9A/k5Nd+MJPkUHG6kc794p
9o2a7TSZgT6EX35k0at+AMRxCKQpUwA30KKZmoMFiH4rEh7hPM2joR4l86x6
hLoT/ioGc+Ds6pF0/BE6/hh2/NHO4SPNwdG8mRNegK4GsX2A4xrRJ2p/DB/C
ttMiZd+DR/RQl8A7J6hsSW0DG8lWwYKtVlLt5w0Pv9WI+zJgMKMcF4L+ns5z
wGr4t/E92Hm8ff324Hx/qa/zG9CjZnKPfmjp8FtH2Wf2yymcK1BiA00S4PD1
yUvY7Xg3jy98HxUeh/TTHIDU//rP/+5OpOMQhJ/VRCUzVPPpLTUCIVOp7T3c
90GJ2BhOUwK9TaaqT+d6qhF+pmYaSaG3xbVGCIAi6OnqvTu+eNe9WHGcjs9P
Hh0fHeypzZ2nT+E07FFXAKRarW63q5I+8AsgplarRUDRMhVg+FGaw1ocIuqA
LIDhx/gt7y8IinfnCs+1qsmq/pKsQtC9n40LXnP7zevuIeyjem8FwgcmGsxl
mMoeahHX3QGJ6wJYmLezAyAR4CFBWe4IMXcCtkoyuOr2i1vQrXkODM9Lgh2B
Q2O4zbC+W8oMJho0Nw3Ph11Z9u/AsyAE2GIosmv8OQGxqDJeJ4DdAgDlFMQk
bDrMF38Ol7cYRgYQxhAejgcg4MRPQGYZURY3QmMLtskMfGpGC5jNeA5DAyhV
43kKVhbtEPQ+ABWEugwaIIF6LY+K0doCYykfg/Ezz2l0AsEw0ww+xZ+WhvAc
IA19Xeiy4/fdWmRkmzCdgcw3SAYUoTA16i7HL0GLFjPqnneAqFqACTdB2CuW
F9MW+I8YcJoOh5lusTVNRh3Bz5aVljgGSDN4EqQ1rDbXN2hoZmB2jTVZRyGO
7eB6Qiby+5xY7gP+MXOQdNDyDJYNQuvoANbfIQvsep7BvGkJ0LWgZQXbDWsG
+oCYqObQoc5gKJqKHxyAhbF60w/BxEVOGsD2wib09QBt+OQaMa8lHQ6dGDOf
8oYDuYFrU+yO7F3uzE6CGSbTyTUSAE1ClnYgm2h/QOjPmY9uQMICh6NlbLxK
L5HbgXvAGgZbrlignV1qAkO0OyzJ8+KGzW9rTAMUvwIATb1VCHatoTtH+nZa
NxM06Qr+kI36Ca6Nf43HJ5dDwo6GPjBtTgKiIHs8LWVeeB6I5NQMzxwyJmDx
XCx3NBnh8LJx7w/jHHktW2CP3J1TZzg0uVToO6IzHVt6woC9DZQAzrU+Cfcc
2HMo7qcJdpEarYZzbe1xFDo0cyQJHvA5+hlQTOhcxk/RGnenmyw8WgVIWNh6
GJ/IMB8bdkfgMOgOgQ2BzX7wwBqskcHWOvRTYN5Swugwl9DUix4jZtMIYVJy
h0QNQ+6F+aFmP5rDgdYgAAYRLEhQHYOiUe8d+vlAxC0t3BYCW5uSbH6gGx4Z
zwlLIj8+yiy4sSeE6T8+upDuDIpM7E3+VFMEu/Uz04c9VIMMThVxBy68dpyB
l8CcjqQSnthJOqaTywwGRhqSxn7f19WNhq2LCId9r1oG7OCr0LCms7WkfewK
cF4ZyADxd2WLnrrADS7gZM2yZEHuoRBqAGWmBTBvrqz3kDG7MF6OTjIW1Jm+
ZVYGMhGgHnBnuEz0p6U5ECpsCXwUuQR66gRs0BmengGoIZQQtCBSxtAt+uYG
AFhK36/daq95UKsAjjt61z14A/ofaUHaiVoEDYxt4SjPo5mYfgYH5iMA+gmn
fKUXxu0SfmN1ep3kpLEAFpAdkMP5MT1QQeynNbpCvuuAAE1B8hrQYdkQ9ye5
LtIh60E4AnREUEQO6Hv08GCjHI6jMWg9piIuAQtmDoziApZUKC+b/LOkRFEH
8WdguRsCPWnFbIJ0hlGAA00qeqoPja4U+Z7vWjL0XdCaQ2ZFOsTywhGkQ19e
I6JDb2PSa50CPEiLORzdoryCowIqyO05Ua4qZsBF+BgDyGGIVPhjk7J+DTd0
xYyN+vz5662yX35hsXnuvUIRHkpCJga2R4mROkjbSMAR+ghwzTj/ARhYzAPv
yf78IBBuRpae803jQCTvYg5W6IiGx9tm/VWXuVzYbJDMmKdxCqSXrnLcUkso
mFybT8t6/UARhgAmo2M3RZYI5KUlJvG3X3qHdwzEFGy1PYa595Ryz07FWFnM
nXVEypA4mRYWidQ1JskGrzYBj6CgSq/RFX1Fqg64HcMRsDbgOc97LKcIcwJ+
NMBC1D+timfQA4tMA3/AkF10jaZDax/88gvx1BSwLGwXqFGQiQJL3PxmdMYq
0GHAK/umcVtDEExsE9IUhwSGI7QKMiDNSOXB74KmkTxHB91zdJ2UpWqTcJCt
x8/R/Om1/kKY6caCP6YXThSdjhlOkeEXHbRkgHIFdyRxw9ShBXQ1LEhETJMr
bVEo9D1zysfPitEyCTwREAgrjbHwEMnfU6+KG0QD1Le+xXPG00ycCJzNSwTn
zmJTbLFlab8kKQi9plfYIUMuB317isEd7TVKuQ5SH7aUZtPlPaGJw5biymST
wMYCoFExt9dH9XaiKhOCcTBbNI0YEQojoJLvZkhkFQyDbBhsGs46OuaxHHEm
GuMY6HVcMCsjEXUuALS2R8AsCA17ah+3BdvUFpAMWTYTC03x1DnlEdqZls/K
gKB4pBEdcxgNJCWgCcQsfgp6uEdiDcdl45ZBBE0YLFqDkSP8MpHZzAoQaB33
DC01YHFvnuHxrc8W0X8erGiKbgIWKGwQi7yloSLyFhg8MsBvAOgwypRkKzEE
gXd7LD2vo8bsAYvplJigRuQGKx1YcdmuB+oilO+ElBdRedfcTDw5XGNwCun4
3DEWHF1CvRVYCJXIMowQBiii1zquGHAIpa5hFaiYA2WxJMvb3hzr60WRL+Gy
kWZUtR7OAVF1RqE0OL7kdKF+ENigzQPwG4U9fL4u9qZsBSExsrhg2hyHE4me
5lagp2Ug8pe0v8VfAwu/4GmMAt8LQdXwE0ICdVDk17hjSCCczyFiFGJNg1Y1
6yQMmBm19ubd+QUG5fCnentCv58d/fju+OzoEH8/f7X/+rX7pSUtzl+dvHt9
6H/zTx6cvHlz9PaQH4ZPVfRRa+3N/k9rrFXXTk4vjk/e7r+WKHPolkN6shSl
Zc6Qh5HrW5ECe35w+j/+2+YOiNLfnb042NrcfAYClP94uvlkB6UpyImOHFAQ
EfwnWp8t9FsSLiLLFDAJ+ssMHQDAwQBHcI+Bmg/fI2U+7Klv+4PZ5s738gEu
OPrQ0iz6kGi2/MnSw0zEho8ahnHUjD6vUTqe7/5P0d+W7sGH3/4Boavqbj79
w/fWR0rm88gKudQQFmBZ4FUBbA4Id46aWChMyk2iFwhSKWUBFJO+TqzHNRVM
jDkiQVva9wFga+iFzhiF+ROTwlEGBkfsARIhd5K2I3H0LCtuSA0Fs4EJ0yms
JmUxH5N7rlpa1h5s8MP91y9Pzo4vXr15+BDdyXhA5gZsfyu2sVe15hxra7R6
YVloH9NJwEK24HQGwTEgc+b5QJxVcNbhsUmCWAtdmUBSNCxO+n9F0HGMMXPo
D5bcPjk+XEcaQHO0+2Rc0Hn75297m97T7J9Bjn14enJ+0f3x3f7bi3dv1MXZ
/uExb7hqI7RbV69+en52fKjOD14dvTniRYebYH3iggRtHoHYkxRD2mcd2HVE
cf5l2jaU+7BtVQ3sutbQAxsokXvB9UUwP+yCGkfWnG1L6z0/fvl2/+LdmazF
/tt3bvCa+9IKYCf+8yLUqEEXSiV95BwW0PGoz/cPfvjL/tmhglN3un9x/Pz4
9fHFTzyF/QbDxHEkbOEKsY4+Duv0izwtjoTAkmjZggCfJWnJdDQpbkaSa1CM
AmfZQ7qaYsdvL47OTk6Pzva/ZtZLRns432bj+usm3MwPbOa+LRhYigrz3BIA
W5qqmi2qCWACgrVmAXj0lt1LXk6YxbSPLiR4VCNMEk+hmrLWBKmgHqrLn3++
xDQgAAboJUDxh8kyuTehb0BDLSrdTcoyWaDqxafe732IHsMWilooA7iGRBg1
bCcd1V+P2qLJnhJcvE4yNCwvk0s6DZf9S1jDYsbpXWLSpvkQpY61PxMvY0Bd
zsvcWKCqpbvfsyFxmwzQlwMYYZEgGHZBOdXtqmo+Q4DNRl8HrVIAvmhOS/YA
JyhhS7KiRpU1nT32LoMFfly/3LtzhSww8JDj4Gy7FgKoLSwYJEbLiHB0wd4d
ygi44Hayrrrfq359HEcMTC4ZcttLsTzBZhTaIhVxgeQesg4NpDYP8AIe+vbi
p9Oj79tLC3EDWM+gI1L6N/YNXvKjl0DhRMwksXvts9+Yutnk7WDUZKXLL8N5
cUpVYN4FIQAcKWARJhyOu8wdNIRNhMyK4krNZ0EeG5n85CyB4fE8+a+C8WKR
OivTaYqJC7VJWmArOQjBqU2JZG7xfCxsEMRa2sAmAviskbnSCq5DgbzwQcZl
HKAd1ISz/ve//731KRD5J6HNRqlgrdbL4PuXpOKrot7mff7h1LY5RYzCFAbx
pzMwUyh0Ymg0zONk6XoYWOWfHzR4BCwY07x3Fv+yH8obknZzDW2sDOx8flqo
2gcBpPZPj3Hiq4PELG8xf0NWSpHKi2a/khrPE3StaWZ5PyPxzwB66bOV5L1g
jJEQ0SO+84/YkGDkD8M8HdeizcZ4jn5anS3Wv+gdG81LMgTREJ5TuiKyZZN/
zHnFLWd0Il8M7bMjB6UKgyiYRAvDmGXhVid+UWxAMi9aK7PrJRAZaNwmCdae
XYHcvQKN4E6q8G6PQalrHbTAw06awGZbircIRw2m688dTNzGaiWAoi7P4Ldi
eooukMuaWGP5DyKxDQb7KYxMrjb66vJUfafeDz+8BNX0htAgHDEA6RhnZXQI
1EVXHkUC+RPyjNQCBdN0PAGpMynwxGNq9i3sjrBsbRmey1Ny8aKfUexkjWHT
envYW8rTQS0HjSj3soKTNEd3Hs0lkSB9jA/8KQNTsH6UksaNwEkkapxiwBOd
FAljH8+6TndY3QDg/nvUMygQXLMufdxr4otW6+gWyYaSE3WWQZiCOb+61Tqe
Rt8AR4J5O2T7inqktuLQYgvHi3Lr54rwt1NmGCXqBJB4VNhoAhB1jZ/tPt5d
Q40pKYdLI8RSu1Pr43Rr9zGnnZ92t5/uYE8nxHY0abt8RvSenoIoofEPtU1n
rqOHN3tWhoV2CLpsWrSkaTY0yTnKru8Un4L29tY6fdWm705/6EijH9ahDS9X
tucj4WEA123XjTxKZwWaEzl6wfFqr+O4Wz11MNGDK6JDNK2I2ZM0w6xk6hJA
Npr4DZOCLugbGtOaPwLb1mqkoWsEa9jjdk8xjWt6RHQEwyEXwBBqza5gTeck
6gDinFJTGMFP6pTXb+J23I9riHTqKCAVaULSbjDEWLudI58+Q3lRsAYekWyr
yxVb8L//63/8l/VL60ojt7XzRviMrMfYo8/G6rWOR1GgZsnCkYCv+JCHHcEt
YVRyqK9JLogzw9h1d7Fj6BTdGuhIrDBQg6uR8xaOi76AHMMOCaXwBl910D8l
3g1yTBBRYiqgIGr7RW7Gi1y3YcKxaPFL/BWfibRC4JQGVWIQExLpHTig3RlK
6kUQPuCLKnosOm9AmR6Fm6IMZiP8AMEUaOmEI9oCh12mU61roj4lcOlSfPA2
DpGgA2Xi5C/n8KQuGKJvKd/PykAfSfIJaeqicPCgn4ouRJvOR4ZhHWPK32R1
XdJBRofzALUmED3hwIHF43Te19kWMIZRmJWuaDLQ7Z9bvO9UUtw9odw050wL
Vi7nEBhghYYgshoQjW9ISZhm7QAnkf4FBzzgOnHoSU6SjX1E5z6W+zqxaD6n
pCXUKfI17u4U8wHG1nPLUSPKpyxgJ+yqe//S2spYWniK+xNEJi/Ff+wnHmCr
01htHWonSBi8h9KCYgxyHkJoT8zYCtSXlbUgj4MOA4mMuIKaf/wVes4CQNFp
Lz3wlZNiQBgkgMpsDl1J96I+bHTUp/c8zStRvOfUso3frIt+OgjWF548fvAM
x77isXd6XtvAFxbXNh4nEbUhR3KHg+o21FqYWp1WaAe0z0ixQaPdHklRTpkS
Xq9HCkXw1MSaOzMh7EjHntJ0nGUD4Ex3cDpM5AE0su3f7w0+QocfsJfHTCG6
glhbbYPM5nFxhVfq35QenP+gHkLXgIHVJ/zuSUhCipc0oQN/VYr1fEgwx9R/
Ri5v2yl31K1o+rdFJZF/zBeq9EztdDh9DUXpFzaNncoUH3z8mHxqRrUxJRhI
UGqStYj01ztqQgFemxHJkxNAhY5IH6l0SW+4ZJB/W7u70jEeeNnSWGL3IvtW
MzZAbxK5+OO2wmjeveQeIIWOmrzsWpBSe5QFKDBSboAJq1CRWIuXHpfHxNZN
albuHSMwJPgzkGe0EFDAf8SwwAkZm4AbzZLkdW3PAt152b4FNl7/wtb2FPBL
Okwqi3DqeppPGJmdtfFTUSNg8l5zHzLPpqMA9r1L3wvRW9IvygoUG8h+v6BA
ZCNVxFQNEin5WHgvNpPSxoDEq7BQ7Qb3A6d+NPgr1ldoetkYNINALhhS93gz
EnXQKMmMblb9s2XV789TrPmvo8m7Vl+h/d9YaThBI96TL7WXpnmIZjggWrNm
39XUZq2ff20UQUeCUhn6RZGh6XuBGy6RliYapYbPQEdYQjX8o5SIm9TEECTi
3C+BEMcbIchgy68GMZxxOLuyNm+9t+DSQqA4w0TV55TcTF/f8r2gsp4RIBiD
oi84owEonI5TmLVZ1XSUsVDjCM+1KKdbpKWL8GrQULCpxlnh7Vv1rdrAnbtV
33+HaIWJyyEXtrAFk5xFEI2thrMAvdx+eKm66v3gw6kFF/8MEPM4svw54dF7
BSNZwH3KykT9iDRyG//GE1tAi3Vwh7qX1A0fFPKDgCQdFBQk+PyAQOtH+kD/
ArIs9vDTt0ZRzgUWTKBmZNXXVD+IxiKwKN3KKUdsRGLC5Vc2KnfVBipYUICw
DXjPYQIQzmAuznNYe0OyG5uHBi+8zOLl2egDTAuzCxcMfMSt4aSPv+4B5i7h
Ec67TGjtlPEK/M2Us8sm7y+LccOIqig56iIu4FvQMEUJs0j4tmtik9zYfvZZ
FJjdTUHKsCLGzF7slLm6FWGxCTTvN243tsAChqnMevTX9uU6rgBB1iIcmt0l
FB2yzXM9pmuumBqqfd2Hz5/xJjagmbaEOwyIje3eNh0G/G1nXYAOeXWXchpn
dQKhoGMTJEpMpfIZIKBpA9dJqFi+qgqHAV2wOJzLLrbAX57igHbC4mFZEn6S
fbUsFW04JYSnZYEZhpzzEihh68Q2fgtkS5ZFg2ywyI48CFkLMrKuJy9JnPPB
UoD6qEMR8Tnc6fqjKCzSrhmPSEtSk0vTCPx21AVJcxtMu1glBjuqyf9yb2jw
D1DczDvcpSVoEwBDxow2v6Z4j+hZoMDcULDVizrLBKLv4M9T52g+kGbtU+dm
LqZ95KmaRef2uqbPpYndqp9/pv5Zons2FnbVFISTzGpx3coVARcV4bCUaYhX
BzESF49iHhXRi15OmcgltcaMpEEJ0D3GaTDmnzmVADfKeh1Pf3it80s62hkm
WElWWpX0u9RpF6WsoZPbwOiNQIb1AEVkQod3I7NbPlD7+Zf44DeHsQH2iwgl
ea2dsHbOPwPM/qqD//Vnvs6ftRN1Ttm5jcEOcfzbu3QOf3pXDcz+O57f+72Q
wT6EZ5C/D7/e++CQ75ePs3Wo8XoOtW3Uxu4tUA2Q21DfeYYjHmVI9qApJrOk
ovw3nx8sxzK+qLgC5/FqzWVbMXa/j8KyD+jwHoI9WdxN/Sj3vhiBuo/GouDg
xfJMYt4lQ4HOfBCxIl4eusMoCRQlQnY74drh/3+klvyS7qmXZA9G6a0edkVe
uz22Hie5HGnPp5wUjLQyJuO+2sP76io/y2VlRbvE6mr4NepK1dSVddGx3rIi
xppGrLI6dLcdA3FN2gpncqmoCN4t4n7WWBgTq2utGrc2++frSscFT+9WO6sU
T7TT/yTm+wcco1h+/ErhH4d9l6X/UoKAKIDtrQ8hM/On21t1YT/kkB9PkTvz
vM9tULQP7xLtK1i+KY4eSvfYzVGX8PG3dwl0ZiDelsvbyzird2XMoe22065+
vSOXqALhjmaiExlOoi8FaVfK9DvCDfcS6+k4ZMeas7ERldxGgpzNyntR5P8X
Od8QiLyHrL/99bL+ti7rb38TWQ9bx6L+9qtE/Qv2xeN9WUrjEIejqy0iG3k5
uLSbucQcGC+g4E1aRUl3nLP4jzB+YLG/wvqBp9j8yX3CzOA3MohqB29JQUnI
71eYRcv8+S9vGw0itdYQL/6CXAmk0q8RS4Ew/Dpp+Cv0bRCryPkcha7+elg8
NraYnz+EciWytvj7PdcgjpkHB6Cmo29ZL4WauucC5SzM6vo6iMo3NxjcodBj
2nt9XgtaLGt078hnfR3s532ykdzhHbqMpi9kHanL05UdNqYyYdnd0qY9caXb
RhFqpSNeDLdhUSuMokjAL50mO9k61DtBIrKPY2ADljE2RN0c8vdSNg763wOm
r4ytfAF1nC07MmnnVvoz2P/5f+37/GdCDR90uSe24DDXvbycZ8tezrP138AF
Gs05OJM0ZOQAvaCbSpySaG/PCNSo+UCx4rfTOv5uJl/G9oVYa1c7MorkRHEh
zJSMHvb3sBy/egkrqAInQMXLC65jFGi5WVjti8tCBJmysJ4rrTnts6DCWJni
2sx4UgZER8nZtzdR5do5FbrJ8AoQ3i6EWXfdrHZ2uqdd4KQWlnEElb2nHj68
ODk8efiQPolN6z35u7uzQ9/Snu4p7qDW8ePdLvHl13X8eDfuGDuodfz0CXS8
u7X5dR0/fRJ3jB1QFFSofRBle5BvbSkFpMYQ/XJuJmgLX4v4arp+E2bucmFD
KQZDMLooRkbSBaXkoLGFDkcY12a5S3U/EPpFw1PETIMoS9Kc+TK8i5YGt2hc
LSBnCFiAaxfIEn75/jUHzrheuhRKK6lum7tWSBIPyDC0leDjXOXPD4bjsss1
7Y14J+HsjFOqish3rCQxW1Zp0Qxe7pn3fVdd+J4APta+Ugkw+3hOxTH5wipW
7rZzooPlLnOgWOgAoQZ6JiVjqJoElY836rIqQTi9al9fnf64fslLhM++kQ8v
Ooq/ib0gudxZw+zyEgOnl9M5PVGV7W/AnD7DvN9LFG5Aeiw+QzNLjfdRYSBZ
KL2UN2V87a5OUNiLqy3YnRzJXTyD6W14Ea+Q0okoUnjvLiy1Sh1e5KPHbiZY
zM1WUYqpXOqMWDe3VUswTy6+BukTEoCJr9Ohu/93y6moXaCHs6JKZLspKIzR
got5GOtoJUdXPHhY55NcPquvYwfVPmt3nrmApC/uSKF/Ko1IG0yVNq1J13yR
G/v2qeHE6Y0XqLluU27Lu8jyFSwfb4fOZ0HmnE3gvpLiiv2oZE4Y9hA9Q08D
GeC/SZgeUeMXvxcIDnQytJe6gwGpVuFS+SxL7KAuj+h6zJdsrO1EhJkISaIg
fF30dbygc++iqMfsUad31buo/Mse15HDZlGdI7ziAfaOVIBxbWSWD2FeD0UK
LtXUkeI2PNq5r/QXDopVMLniEFVL84C4IP5PMrw7t5CseZdevDSvYeG2W96R
YjNzaPDnjZy8t1zn1nHwfUoSeKbuWFrjOxokY6peXUcEB16lsPXtqDwvXjv2
t0V5vse143WfmTYfySARu+ONG+BIYOLgQiPhK3/9UNliLuLYoWNhOB2FXqtS
9lOWsPGhIM769nfdbuMa/uIk+P2mS6l7S7aSU9W1yyxe3/viWkkTWxIPd+yR
ZqSK+qWca4l84B1xkE3jpPK6W64Y1bUH4whPWLq16SiJ99UBCtKs3VmV6Qd7
rrrd7+uXLV1+DV6eVKXUNtdSeYP2C1hKS20GPQz6B2gyNYwh4jMe1tjistKp
Ld23olZnvXxhUDhaZK9sD8WIABk9LMqHjVWwDd1NKodeKhyDyYUma1NdbK43
PqTCk8BlVPqyVh/DPrNkSwfFuhA1FeRjL23NOFDOyqVlW89SD7WJXRjiGFvj
Bg4rzRwxHhZOrOz0pdgaToIZbUX6KcFFXLet3EwfBBUIcBhfu5c9otEWRMBO
IB1mlC1Pk2s077EEGa3YBW4EyKw37tk7Y5+icttyryuvFUA0tj60Kz/XsyO5
GuKu99rzXGDa9zDGv6qwQK9sNSmwgMnu1ixUtZw8Qqxc6twOJwqPiNqKAD1V
shLqW12dONWCclrq2tR3klURl+WMrq0TgmIaEYuTQsK/Ij0U1KN3BKGM9agv
unFfLxifS0nq+6nH2uEhGMtc8c74zkIAZr1l31zKhf+kovIiLCXbrl8Reut2
wL6DK8KY/vp87fBykVppXBVSahjzICvDqywXzE8vqC62TPLy9hv1u+/UbXTD
PkgRpoThb9yfl16Ag2aYU8mPdBpdSy2Iv8ITpQdXwg0YzSMMzm8LYGjPpVhy
qcMOE7rk4n+mYbrLfj1nLkwb6Uh3tb2+EomQmhoakoLgxvflneIYmZGTMtb5
HJ06Xoy2KpY5GXE8emYGi0Gm70DgQdkW5ydvkm22uL/deKkAz3im6ON0+WBx
QYhQsvNkmWLhMEvUw7ARPs0+NiftJqXWUsYbnq8mUuUkLJFjgm33PMk5vFK7
tqSmxl5i9tCWWH5FqV0H+kljIEd0luxz04R06+VkbR2vQGTwEQmlK4q2Zuha
B6BkDiW+vL2kvILJfZOQC44SqUMhSPu82gasKdtfYw2GNp8z6zqWUoBqKH37
sBAIgnIVrBa+7exKNPkz49iCT42U0kZT1VOW6+7iiBOdzUR6BsiR4liMW5iZ
ph0uS8wPUX3LxNZQcEcB6DrvI+yldPGlWgt/IDlwhNeAuFMjKH+pnjV66YO3
cNw4PIw3nkXYsmbAPcSXzLDHS1M2wIQjFJgvIG8B5Hp8oBwpdwBd2La8Nu1I
Elp7F5NVs+LS/a5Arq9rFF0llwLe7kv0dwzT8dRImRB5qYM7lFRFiV4kMBZH
cJBYnwYvCkqF5F28VkeXAaQXuq7nix1YGgba0WYbyZOaC+ogxOMeYqnQa7li
xtFw3uESwKlgyxrRH73iQaoLu4LEggZdAT1edkATEEq0KwOqiuMkiGeprzM7
OYg1IKkav/EgW4TvPKCD9uDBkkm2ZHOJA1bOszgOHeb0XrA0BHd1+RcLFS5e
TZ4svMfE9UMt9A9koq2VYJqqEqBUtJrCulgkYrgfQR0qF2GvGqcmVDtgR7FC
ajYr+bSjtKS7kDXPbdCaCrkduGJLneXvI0EKBJHOmtSo4QIQfgWsP8nTYzXC
FzBwCKZCf1dzGYvAoepgEV8ecQUG7Vx66pWmUJyLFNJbN2YF/WYYUXrjEUVY
6BGjcJlcLbVMyhe0/GrxeAgww7PcRKCQgCscAh12MLmHkXpD5KZhaBZbo6O+
Tq4C/7aoHACLjiOJ/xUuYxLgeNq8R6wTu1KwEHqyYJZggsFOsk+l4WaZu57M
3t2l+8mdxh7shn/hYVhkoKPQj+DvkYE1eoPRM34lRilmc+RhRLWjyxxxTwhW
V3pyZHK2niv7m2g/Ko6bxc53vpBmN5rePEFX6kJOkBtlxoI/w9XUbCUUfEND
r/UuYFYU5J5hbUh4aXMwaFyL/wWhjWUrr0Jwi7XUY6ec88gF78v6opeLwqKn
hS0lLjEfktb79A45dWbjK4KEWi1bkg2dvgXwgvVlubt9mPawotpKKEVlD6ia
eBDrYGf2XQ8HsyHAC1vUQUkpb73j/UxsRHnIpXkuxcddj1dI2fF6CaLWsh3q
9kimsKLwKmF/RLxDfGkNYQh8FVUnmjYJphuZsa+eY+ag6W8d8sOO9BAdpVZO
RqZtXKKc3rlgJXDgrAZeoPcqLD1O0/OmkJ/kcmSK06YLqeEQXdEw7JGwc+Eq
UZjIxwWisQ4Rh8vxhU+Wz5adqvXSQE3C2Doxipkrfs1INFtw0VM0COXtWHH8
wqg4qEt5Lt5tRPUfcLk6IdHS8OK2TsBdDewenxFit75GB6l/eQFtkrX2ON4w
1VN8nx6K04F9aRpf1f+b013CAUlgSeJVaOpN3sZj5il9T1uMha8GNmwrAwT3
VsUve0eZi88PoioWhBOBsJmt2zXDN35RfqX1EXeWVJYUBdlSD7EwyHdqc3vL
p5A33/OlglUg/GdF2VQyIrxmnQ/ZYyTeFnkZ3ebWth/Dv+HOAO7zVv9yrlHz
bKBbl4RERSr4jHEZk9oLkJiOEcvaIGhQ2NYXtb2rBIi9B9wwUbc+qo+W+AJc
9Yk7Mwzjzba6Cx1b+wIlispapT8qNUzP1W/xyrH2IiPUP/y6mjg/LAz1/xJr
BliFDV5OCnzfBFcls1o2zLiN/Dyk6tx7o7zBFQYtxc6MarwwZ7jCcKtj096N
QhwEh5m5lk+2YVPb24tBGXJe0ipVHs1Wc/2CJTXh3/CZLBEzNH9+oY32Ahod
ZrpbjEYUIOKcErfTMd2dOuWNGZJB5xIlbCZGE70JEBzvv92v5cbUX9E6IUuF
W3pDHx6N48aDWic1QSGHr53Qa6iRnqQ4vdiVvEb3dlWs9gILtlLYvXmNXKL4
KfWDrySlgiR1NSDOgsuGEpAu1+NexVU7zrRgbB6k0lgSodgwNnENI8ZY4Vuq
AJAPFQNFZPTZzQqtvmR1sVj3ThbrJOAajOhHiFIHOZQR5k6T1d5TR9f0ejqq
+he5BUmfzNOM0hdtZJknD3qbwGUo+Jj65Dy7o7CtS7tYQfV0xBQO6+v6tzTx
i1qRfSlxK3K1HfiyRueYJ99q/Ryk+P2szvG6J/w8lZ+ckKx+hmZd+0/J7/Wf
XWrWlDMHLR7vwH82t3d24cfWzu7WUlubBgffP93ARhsbm/Bje3v3yVJbm9kG
3z97im0f7z6DHzuPn21D28976gFeBzDurNKVAH459HdrtG6quSUp//YthFTc
MrBdAht87Zc6oeoEYvf+F2llf7FLcmmCRJ3NLaLOFq5/e6vW5jGSbvMZkg6o
skELflpr8/QJdrD7bIuosfVECO9IEtyQuIscS54Wn+COlHjg2SigyZmWnDqA
QyCVhrcf/VNEPv+QL9oTpJcewmRP6L/n0YtIInoGlGz8a5mqW73Nx72nOxu9
zd7mxibW3oD/bSJlgpdZN1C6+bmndz3H1G987ln9Obsjjkb4ckR8DYnbmDg/
07+8osaUrswMiYrfjIqgVWdwcks8Y5u9LV7RxsbOLq6mR+Q7e3HweOPZxoeO
en9+dLD1wT0Hp1ieg7bbW72N3vaOPLC785QeWPksnOr6s7tffnaZmiTOI3rG
hFpBz3rN1kq8/ZFGDd/osS/F8cQ7fi1VYNgNZwE5HSb3FpKgoO97eXv9B861
HtiIypQubn7e46xlPfxujaph4Qz/okX70WtBCJ8k+ZU6HxRVpV5k80mJL9w5
AIxUrHfUn4pJrl7iOzvaR4Ai5wbLxOR4gxUsxr+k4zH6kNqnP55PsJTMurN4
5c1dvtybkTSWIEeXL1zS+zVs7StClRad1t+DNQGjI6XIlJml8tZZfl8ovSk0
A4VrurNPXfeWBTwSdJPr/wCPflW9w4sAAA==

-->

</rfc>
