Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3740135290_3015843448" --B_3740135290_3015843448 Content-type: multipart/alternative; boundary="B_3740135290_4202246633" --B_3740135290_4202246633 Content-type: text/plain; charset="UTF-8" Content-transfer-encoding: quoted-printable > On the other hand, requiring only the =E2=80=98hedged=E2=80=99 version wo= uld mean that an implementation > must do two passes over the message to be signed. =20 =20 I=E2=80=99m not sure it=E2=80=99s true, considering that every sane email o= r document signer (that I=E2=80=99m aware of) signs the hash, rather than t= he document itself. =20 > This can be a practical issue; for example, if an HSM is signing a large = message, it > can=E2=80=99t hold the entire message internally, which means it must be = fed the message twice. >=20 > You can, of course, get around this by hashing the message first (possibl= y external to the HSM), > and then Dilithium signing the hash; however, that is obviously not trans= parent to the verifier; > would it be appropriate to mandate that? The answer may be =E2=80=9Cyes= =E2=80=9D; I=E2=80=99m just pointing out the question=E2=80=A6 =20 In my understanding, this has been de-facto standard for a long time. Thus,= IMHO, it is perfectly appropriate to (explicitly) mandate it. =20 Thanks! =20 =20 From: 'John Mattsson' via pqc-forum =20 Sent: Friday, July 8, 2022 12:30 PM To: Hanno B=C3=B6ck ; pqc-forum@list.nist.gov Subject: Re: [pqc-forum] OFFICIAL COMMENT: CRYSTALS-Dilithium =20 Vadim Lyubashevsky wrote: > The "hedged" version can simply replace the current randomized version=20 =20 I think that is a great idea.=20 =20 Hanno B=C3=B6ck wrote: >Please make one the default and don't spec several different versions >of the possibly major crypto algorithm of the future internet. I think >if we've learned one thing from past cryptography standards it's that >excess flexibility is almost always bad. =20 I think there are strong reasons to have a deterministic implementation opt= ion. That enables testing which might otherwise be impossible. If the signa= ture algorithm is implemented in a black box like an HSM, any randomized ve= rsion (also hedged) implies blind trust in the HSM vendor. A deterministic = version allows the user to verify that the HSM follows the specification an= d does not leak the private key by using bad randomness (I don=E2=80=99t kn= ow if that is the consequence in Dilithium, but it is in ECDSA). National s= tates have in the past controlled cryptographic hardware manufacturers like= the Swiss company Crypto AG and intentionally weakened the products. Putti= ng minimal trust in the HSM manufacturer is an essential part of following = zero trust principles. =20 Note that the =E2=80=9Dversions=E2=80=9D that are discussed would be the sa= me algorithm from a protocol perspective. The verifier stays the same. The = =E2=80=9Cversions=E2=80=9D are just implementation choices for the signer. =20 Cheers, John=20 =20 From: pqc-forum@list.nist.gov on behalf of Hanno = B=C3=B6ck Date: Friday, 8 July 2022 at 12:38 To: pqc-forum@list.nist.gov Subject: Re: [pqc-forum] OFFICIAL COMMENT: CRYSTALS-Dilithium On Fri, 08 Jul 2022 11:47:30 +0200 Vadim Lyubashevsky wrote: > If people think it's a good idea, it should be easy to incorporate and > I suspect that it's better having just 2 versions of the algorithm > instead of 3. Or just 1. Please make one the default and don't spec several different versions of the possibly major crypto algorithm of the future internet. I think if we've learned one thing from past cryptography standards it's that excess flexibility is almost always bad. Provide as few options as possible. --=20 Hanno B=C3=B6ck https://protect2.fireeye.com/v1/url?k=3D31323334-501d5122-313273af-45444555= 5731-92357668b9c0e739&q=3D1&e=3D68f2c4c0-896f-42e1-b043-5663c2850e2e&u=3Dht= tps%3A%2F%2Fhboeck.de%2F --=20 You received this message because you are subscribed to the Google Groups "= pqc-forum" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to pqc-forum+unsubscribe@list.nist.gov. To view this discussion on the web visit https://protect2.fireeye.com/v1/ur= l?k=3D31323334-501d5122-313273af-454445555731-286a1b795108b884&q=3D1&e=3D68= f2c4c0-896f-42e1-b043-5663c2850e2e&u=3Dhttps%3A%2F%2Fgroups.google.com%2Fa%= 2Flist.nist.gov%2Fd%2Fmsgid%2Fpqc-forum%2F20220708123712.47fa7569%2540compu= ter. --=20 You received this message because you are subscribed to the Google Groups "= pqc-forum" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to pqc-forum+unsubscribe@list.nist.gov. To view this discussion on the web visit https://groups.google.com/a/list.n= ist.gov/d/msgid/pqc-forum/DB6PR0701MB3047E7AE2489938E5048CDD689829%40DB6PR0= 701MB3047.eurprd07.prod.outlook.com. --=20 You received this message because you are subscribed to the Google Groups "= pqc-forum" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to pqc-forum+unsubscribe@list.nist.gov. To view this discussion on the web visit https://groups.google.com/a/list.n= ist.gov/d/msgid/pqc-forum/CH0PR11MB54441756530D08538099094AC1829%40CH0PR11M= B5444.namprd11.prod.outlook.com. --=20 You received this message because you are subscribed to the Google Groups "= pqc-forum" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to pqc-forum+unsubscribe@list.nist.gov. To view this discussion on the web visit https://groups.google.com/a/list.n= ist.gov/d/msgid/pqc-forum/806BC870-E868-4A0B-AEEA-0CF912E530F1%40ll.mit.edu= . --B_3740135290_4202246633 Content-type: text/html; charset="UTF-8" Content-transfer-encoding: quoted-printable

> On the other hand, requiring only the =E2=80=98hedged= =E2=80=99 version would mean that an implementation

> must do two passe= s over the message to be signed. 

=  

I=E2=80=99m not sure = it=E2=80=99s true, considering that every sane email or document signer (th= at I=E2=80=99m aware of) signs the hash, rather than the document itself.

<= o:p> 

> This can be a practica= l issue; for example, if an HSM is signing a large message, it

> can=E2= =80=99t hold the entire message internally, which means it must be fed the = message twice.

> 

=

> You can, = of course, get around this by hashing the message first (possibly external = to the HSM),

> and then Dilithium sig= ning the hash; however, that is obviously not transparent to the verifier;<= o:p>

> would it be appropriate to mandate that?  The answer may be =E2= =80=9Cyes=E2=80=9D; I=E2=80=99m just pointing out the question=E2=80=A6

 = ;

In my understanding, this has been de-facto standard for a long = time. Thus, IMHO, it is perfectly appropriate to (explicitly) mandate it.

 

Thanks!

 

 

From: 'John Mattsson' via= pqc-forum <pqc-forum@list.nist.gov>
Sent: Friday, July 8,= 2022 12:30 PM
To: Hanno B=C3=B6ck <hanno@hboeck.de>; pqc-f= orum@list.nist.gov
Subject: Re: [pqc-forum] OFFICIAL COMMENT: CRY= STALS-Dilithium

 

Vadim Lyubashevsky wrote:

> The "hedged&= quot; version can simply replace the current randomized version <= /o:p>

 

I think that is a great ide= a.

<= span style=3D'color:black'> 

Hanno B=C3=B6ck wrote:

>Please make one the default an= d don't spec several different versions
>of the possibly major crypto= algorithm of the future internet. I think
>if we've learned one thin= g from past cryptography standards it's that
>excess flexibility is a= lmost always bad.

 

I think there are strong reasons to have = a deterministic implementation option. That enables testing which might oth= erwise be impossible. If the signature algorithm is implemented in a black = box like an HSM, any randomized version (also hedged) implies blind trust i= n the HSM vendor. A deterministic version allows the user to verify that th= e HSM follows the specification and does not leak the private key by using = bad randomness (I don=E2=80=99t know if that is the consequence in Dilithiu= m, but it is in ECDSA). National states have in the past controlled cryptog= raphic hardware manufacturers like the Swiss company Crypto AG and intentio= nally weakened the products. Putting min= imal trust in the HSM manufacturer is an essential part of following zero t= rust principles.

 =

Note that the =E2=80=9Dversions= =E2=80=9D that are discussed would be the same algorithm from a protocol pe= rspective. The verifier stays the same. The =E2=80=9Cversions=E2=80=9D are = just implementation choices for the signer.

 

Cheers,

= John

 

From: pqc-fo= rum@list.nist.gov <pqc-fo= rum@list.nist.gov> on behalf of Hanno B=C3=B6ck <hanno@hboeck.de>
Date: Friday, 8 July 2= 022 at 12:38
To: pqc-f= orum@list.nist.gov <pqc-f= orum@list.nist.gov>
Subject: Re: [pqc-forum] OFFICIAL COMM= ENT: CRYSTALS-Dilithium

On Fri, 08 Jul 2022 11:47:30 +0200
Vadim L= yubashevsky <vadim1980@gmail.com<= /a>> wrote:

> If people think it's a good idea, it should be e= asy to incorporate and
> I suspect that it's better having just 2 ver= sions of the algorithm
> instead of 3.

Or just 1.
Please ma= ke one the default and don't spec several different versions
of the poss= ibly major crypto algorithm of the future internet. I think
if we've lea= rned one thing from past cryptography standards it's that
excess flexibi= lity is almost always bad.
Provide as few options as possible.

--=
Hanno B=C3=B6ck
ht= tps://protect2.fireeye.com/v1/url?k=3D31323334-501d5122-313273af-4544455557= 31-92357668b9c0e739&q=3D1&e=3D68f2c4c0-896f-42e1-b043-5663c2850e2e&= amp;u=3Dhttps%3A%2F%2Fhboeck.de%2F

--
You received this mess= age because you are subscribed to the Google Groups "pqc-forum" g= roup.
To unsubscribe from this group and stop receiving emails from it, = send an email to pqc= -forum+unsubscribe@list.nist.gov.
To view this discussion on the web= visit https:= //protect2.fireeye.com/v1/url?k=3D31323334-501d5122-313273af-454445555731-2= 86a1b795108b884&q=3D1&e=3D68f2c4c0-896f-42e1-b043-5663c2850e2e&= u=3Dhttps%3A%2F%2Fgroups.google.com%2Fa%2Flist.nist.gov%2Fd%2Fmsgid%2Fpqc-f= orum%2F20220708123712.47fa7569%2540computer.

--
You received this message= because you are subscribed to the Google Groups "pqc-forum" grou= p.
To unsubscribe from this group and stop receiving emails from it, sen= d an email to pqc-fo= rum+unsubscribe@list.nist.gov.
To view this discussion on the web vi= sit https://groups.google= .com/a/list.nist.gov/d/msgid/pqc-forum/DB6PR0701MB3047E7AE2489938E5048CDD68= 9829%40DB6PR0701MB3047.eurprd07.prod.outlook.com.

--
You received this message b= ecause you are subscribed to the Google Groups "pqc-forum" group.=
To unsubscribe from this group and stop receiving emails from it, send = an email to pqc-foru= m+unsubscribe@list.nist.gov.
To view this discussion on the web visi= t https://groups.google.com/a= /list.nist.gov/d/msgid/pqc-forum/CH0PR11MB54441756530D08538099094AC1829%40C= H0PR11MB5444.namprd11.prod.outlook.com.

--
You received this message because you are subscribed to the Google Groups &= quot;pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to pqc-forum+un= subscribe@list.nist.gov.
To view this discussion on the web visit https://groups.google.c= om/a/list.nist.gov/d/msgid/pqc-forum/806BC870-E868-4A0B-AEEA-0CF912E530F1%4= 0ll.mit.edu.
--B_3740135290_4202246633-- --B_3740135290_3015843448 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIUfQYJKoZIhvcNAQcCoIIUbjCCFGoCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0B BwGgghJDMIIE8zCCA9ugAwIBAgITWQAE/KGDHCQY5NLn7AAAAAT8oTANBgkqhkiG9w0BAQsF ADBRMQswCQYDVQQGEwJVUzEfMB0GA1UECgwWTUlUIExpbmNvbG4gTGFib3JhdG9yeTEMMAoG A1UECwwDUEtJMRMwEQYDVQQDDApNSVRMTCBDQS01MB4XDTIwMTIxMTAwMDQ0OVoXDTI1MTIx MDAwMDQ0OVowYTELMAkGA1UEBhMCVVMxHzAdBgNVBAoTFk1JVCBMaW5jb2xuIExhYm9yYXRv cnkxDzANBgNVBAsTBlBlb3BsZTEgMB4GA1UEAxMXQmx1bWVudGhhbC5VcmkuNTAwMTA1ODQw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKE/w5SMRbjqdnzi3xm35MTfqSl/hP NjMbDakZIdbjOM3UKEmPFXc6a6VU/QqOJUi6ndjw0tH7RCVP73bdRPXO/E8WiAaaSYG6Ddqr 02Pv6wThtFuh+ll9IbDRWZCrXdglHg5CdvqpmlsX5UY54/Gb5r+Je3CwHewClS9/KqklAu/M Rj7Cc7g+PM9GcvU63WDVgXiuAplgvA+W5Hvmcnseb97nBuBnZ1kgbFScRNLR8y5QxSrSpXxW YRiH8dlr/LfBSYsgClZ57NhMk6Z4YL3y1Pw6Vq8pXtM7hlSq8/6s/jhxwf6vUDDeBAkoEWxl hqJtjdD+qrucwiRcrt9SNOufAgMBAAGjggGyMIIBrjAdBgNVHQ4EFgQURapIqD1qtfvgIhzU 5deTdhe9DyMwDgYDVR0PAQH/BAQDAgbAMB8GA1UdIwQYMBaAFC/vu8YNHbvpav6sZ/MHOwh2 9ktZMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwubGwubWl0LmVkdS9nZXRjcmwvbGxj YTUwZgYIKwYBBQUHAQEEWjBYMC0GCCsGAQUFBzAChiFodHRwOi8vY3JsLmxsLm1pdC5lZHUv Z2V0dG8vbGxjYTUwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3NwLmxsLm1pdC5lZHUvb2NzcDA9 BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiDg+Udh+ynZoathxWD6vBFhbahHx2Fy94yh/+K cwIBZAIBCjAiBgNVHSUBAf8EGDAWBggrBgEFBQcDBAYKKwYBBAGCNwoDDDAZBgNVHREEEjAQ gQ51cmlAbGwubWl0LmVkdTAYBgNVHSAEETAPMA0GCyqGSIb3EgIBAwEIMCcGCSsGAQQBgjcU AgQaHhgATABMAFUAcwBlAHIAUwBpAGcALQBTAFcwDQYJKoZIhvcNAQELBQADggEBABAw2S9N p+Aii+rVwD0uTZSRjpL7QD9sWkH1WB1Yd/88m+R6xZtKiD1PJLKXzcumU1V9FAPYZufhCcPV KRgyGbizPBn+f3t13bDieGHLd0DWM4abQiEgiFDsUDzTJ78WwHt/PFMjFe/oFSgghgKcOiBO QdxA7oWgV0cvJmc0hNxV6aPACboXW4qAXKMaMXPrhAXJTkL81uoemEf54gdROFIdVLYOUdba mGmstwRcTn1RsJhIcu2EDSNpyfwfK1NUNQAe199BaNenGrKW9yTHwEY55c9xusIEEaW+FLAi jseXn2gIvlQ0W2P2NMm7YCir0F6PI3DDH8+XmfcrbSfNt9swggTAMIIDqKADAgECAgEGMA0G CSqGSIb3DQEBCwUAMFYxCzAJBgNVBAYTAlVTMR8wHQYDVQQKExZNSVQgTGluY29sbiBMYWJv cmF0b3J5MQwwCgYDVQQLEwNQS0kxGDAWBgNVBAMTD01JVExMIFJvb3QgQ0EtMjAeFw0xNzAz MDIxMjAwMDBaFw0yNjAzMDIyMzU5NTlaMFExCzAJBgNVBAYTAlVTMR8wHQYDVQQKDBZNSVQg TGluY29sbiBMYWJvcmF0b3J5MQwwCgYDVQQLDANQS0kxEzARBgNVBAMMCk1JVExMIENBLTUw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnmoMOvTkfw7nq19mrWazGaa+Q83Uv 0+ATXT3q6kr+WExIMIZ87C74WCcRXpvO7uvx7HvMsYWAFHW93wQwhjytxHIOZgKNJ4VnGVDU l+KI7g0n9+Zjt3hB3HhHbcvbe9+Y4jz+XzCiLl2OaYvICKbxvbBSCLtPEeZQ6x6Tb6EK0ym0 gvYeHO3kuuY+SJHJMltbrLnIVLxjZrNVS77zXKvu6Q3hSdkRIB7kJgEXfL+p/z/2p94bEEZ2 TnQz0TkOjG+Jq7UlXlFRtvsYcDPEQD3UNkZsWcXgC1hXG8TGknUcAhlGxVhlKlFLmNd7342s eGy2s9YxNDnSE+eXTtb0I5LLAgMBAAGjggGcMIIBmDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G A1UdDgQWBBQv77vGDR276Wr+rGfzBzsIdvZLWTAfBgNVHSMEGDAWgBT/ycllTFOA8akMPCGu girH7vgy+zAOBgNVHQ8BAf8EBAMCAYYwZwYIKwYBBQUHAQEEWzBZMC4GCCsGAQUFBzAChiJo dHRwOi8vY3JsLmxsLm1pdC5lZHUvZ2V0dG8vTExSQ0EyMCcGCCsGAQUFBzABhhtodHRwOi8v b2NzcC5sbC5taXQuZWR1L29jc3AwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC5sbC5t aXQuZWR1L2dldGNybC9MTFJDQTIwgZIGA1UdIASBijCBhzANBgsqhkiG9xICAQMBBjANBgsq hkiG9xICAQMBCDANBgsqhkiG9xICAQMBBzANBgsqhkiG9xICAQMBCTANBgsqhkiG9xICAQMB CjANBgsqhkiG9xICAQMBCzANBgsqhkiG9xICAQMBDjANBgsqhkiG9xICAQMBDzANBgsqhkiG 9xICAQMBEDANBgkqhkiG9w0BAQsFAAOCAQEAMJYRwLPJ91K7e2mA2Nj10W0o5JMHYkaa+ctL 8/xY8QzIHFI5Ij+iydpPN9KCYn/4Sy80T3aNoYkFlS0GRQXhf0nsiY7TWJwAKw4AiO/yJ37/ oRKRgtyRicvaJ6RjlHCXBOalFLw9UtpodP4/idC51lxzsolaQZraBjVe7PL95PhS7D+22Nff InzLdIb1DBf54NwOVfPIgABtxH1fhZrja7EhR9RoUw5E1O6iWaAuP/xWhSTQFWlhyA0/kkIi 9/HXaY0hYnhcjcbPPqjpyfIhSFjjXhjqK7t2wPrSrBFLFUbnLiNlgQHrvNYF5IqgIfnSBWIr m3rfLhpZZJ/xJ7Yf6DCCA4owggJyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UE BhMCVVMxHzAdBgNVBAoTFk1JVCBMaW5jb2xuIExhYm9yYXRvcnkxDDAKBgNVBAsTA1BLSTEY MBYGA1UEAxMPTUlUTEwgUm9vdCBDQS0yMB4XDTE2MDQyMDEyMDAwMFoXDTM1MDQxOTIzNTk1 OVowVjELMAkGA1UEBhMCVVMxHzAdBgNVBAoTFk1JVCBMaW5jb2xuIExhYm9yYXRvcnkxDDAK BgNVBAsTA1BLSTEYMBYGA1UEAxMPTUlUTEwgUm9vdCBDQS0yMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAv3WoBEGOOJtm4ucvaf6vKIFPs8watCd6Smwq/XeRNo7P3jPIxNPw F398RGDUmPJIXA7idzD6j0opFIW+kLqYye9e788PV0dqaJlX8818fNDbSE+8B6hieqKTR7Vf OI74UVQEUKVRFuRFw6uVYuvgew2Tj/C2dEee37eruQl5nHkbV2OsWnZ7O+yt+etd6HRcaXLl P9q8WKgA3B7vkOVIMCKoAuaWj+BFq7K+WNkiyi/KdOH9JmOpbyRK4jcA7xbLnF8JFUSNg5c4 Y1BJrFaZtkCeG6Nm9p524GllkRFzPgpj8VicV+AK+9rY07dTx02kYotTnKuy0YxBAwsUXxAQ EwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT/ycllTFOA8akMPCGugirH 7vgy+zAfBgNVHSMEGDAWgBT/ycllTFOA8akMPCGugirH7vgy+zAOBgNVHQ8BAf8EBAMCAYYw DQYJKoZIhvcNAQELBQADggEBAHqYfEf/3J5aMKhlYQ0PnUAbMB8jZSr9/HvjfOF00crFUCfS rqG8JQwo+S/iq66gcp62FEgJ0fQkDgVg6m+C2ETo1LoWiSxhYCfcSIQECljlXwR8wFSayF82 2S69IqvHhdq4d58jU6gYi6ssjU4vwsvsVLRJKk/m/Cg/w8gW6YHM5ahBD6/5Ccel2fI7oSms kO991+otrC11YfDwCFvz7Am0r+K9iVhSWta4hmIuV0YBia07eZKSO02LPgQ8YOz3ku0Yt+mh 8VWRKux2CcYjMpk+WDV0BMp75tqb6pqBFkcKvEBXqxg+8+G/umjii4H0c5kvJhaQyykbmOKm xO9IcJIwggT2MIID3qADAgECAhNZAAUW1xDL1n3IkFBHAAAABRbXMA0GCSqGSIb3DQEBCwUA MFExCzAJBgNVBAYTAlVTMR8wHQYDVQQKDBZNSVQgTGluY29sbiBMYWJvcmF0b3J5MQwwCgYD VQQLDANQS0kxEzARBgNVBAMMCk1JVExMIENBLTUwHhcNMjEwNzA2MjM0ODI1WhcNMjYwMzAy MjM1OTU5WjBhMQswCQYDVQQGEwJVUzEfMB0GA1UEChMWTUlUIExpbmNvbG4gTGFib3JhdG9y eTEPMA0GA1UECxMGUGVvcGxlMSAwHgYDVQQDExdCbHVtZW50aGFsLlVyaS41MDAxMDU4NDCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALMRXUPN5Fz28jb9GOca2/6HDq5EE4Hu T1enB0TiMEnOTipW88pgPmSZ/AAFyJF7AWX7PYPw94Ed/Bbs7yCCa6WZS7cQzdHOWppx9gRZ AxkR8+TgosxPcHoCMXmI/hXtVdZ7mwZlpBGJvyBe6YRmxOWLl3WiCRi/gBThwEWsiQZOfhEN 7hC2GhgCKetpNlTRPxslLmkStNlnjNAxhet8Vm/KSYJFVPOx3qytdLwnO6sz4AfIJJQkFX26 6oP0F/4bjRGlIZrZpdUPGiydpJl1r5SRcYs1ZE7JHErULWSyiAIzBDHUCTcN2GnFoR+9fz92 q2VIHvNHx7bV1hd0E0zlC9UCAwEAAaOCAbUwggGxMB0GA1UdDgQWBBSQ5IixU+wo9uUYNUB4 G/ea7vuWEjAOBgNVHQ8BAf8EBAMCBSAwHwYDVR0jBBgwFoAUL++7xg0du+lq/qxn8wc7CHb2 S1kwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5sbC5taXQuZWR1L2dldGNybC9sbGNh NTBmBggrBgEFBQcBAQRaMFgwLQYIKwYBBQUHMAKGIWh0dHA6Ly9jcmwubGwubWl0LmVkdS9n ZXR0by9sbGNhNTAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AubGwubWl0LmVkdS9vY3NwMD0G CSsGAQQBgjcVBwQwMC4GJisGAQQBgjcVCIOD5R2H7Kdmhq2HFYPq8EWFtqEfHYXr0HCD6+0g AgFkAgELMCUGA1UdJQQeMBwGBFUdJQAGCCsGAQUFBwMEBgorBgEEAYI3CgMEMBkGA1UdEQQS MBCBDnVyaUBsbC5taXQuZWR1MBgGA1UdIAQRMA8wDQYLKoZIhvcSAgEDAQgwJwYJKwYBBAGC NxQCBBoeGABMAEwAVQBzAGUAcgBFAG4AYwAtAFMAVzANBgkqhkiG9w0BAQsFAAOCAQEAICZO a7qQQMDGZzRUaX+Mm/3meVo0nTEdNby178MGq6uYGUS4keIkljEoI+KiEMbT8rtCOBZwomnO HdJmLuRUEgrVAos27V4yjvoic8QKsz+qEhxslFg/2EYMAbTsyLqg34R+wG5o6K95ohUrgLud fPxAmcLOFBtIZBr/3DUIlzw4xHKiX2ruex7YOrQccgXb2qGtNB7tG6jAaXqFb+NZTJhj+3pd OiZiZanzpZvPLIH6Xe4awqDrok7q9ImwwSSQorNrJxKKtA3vLUW3DGvom3XDiOjDqpzhmqXC u6Wf7JfrSJRaudU2WyvYfPk7NQlkLR/1G6Xz+zKqO/cBt2aNATGCAf4wggH6AgEBMGgwUTEL MAkGA1UEBhMCVVMxHzAdBgNVBAoMFk1JVCBMaW5jb2xuIExhYm9yYXRvcnkxDDAKBgNVBAsM A1BLSTETMBEGA1UEAwwKTUlUTEwgQ0EtNQITWQAE/KGDHCQY5NLn7AAAAAT8oTANBglghkgB ZQMEAgEFAKBpMC8GCSqGSIb3DQEJBDEiBCAmRIjUAW1VPudtUl98YePMio5u9ZBKPmTNmK+f N710JDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMjA3MDgx ODI4MTBaMA0GCSqGSIb3DQEBAQUABIIBAEq3F44X/fH+aEq9DFZDxw1UqUwwjvnvNCM1+uxh N8oQaVWDoDW7hBQh4YmRC/Nruj6pLd0yygEh8d74TBkz0KkH5/b8od42q4qCj6jePwY2ml/A Xi9RUqp7v5lQrWtV3926o32XSm6LlHtXqKl/aEjqKkpgqZ+Xf/7YhDuiODkNQxaeGStmtIJD 70Fuw3dNzPTHYhDDOH+M91QRyycpxAQPkwGs5uR7KXFIpmaY0PjpTuDWtSwnnGKhqLsv0n0i uH1x1UzNsw4/9JaoHSczhZ1XnK3mHMPC3GNehhxOQpRBJA4AV/NpzHNHk+MKugkloKA1kG8W gVvyqI/XtuzpaSU= --B_3740135290_3015843448--