
From nobody Wed Oct 16 12:45:15 2019
To: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Cc: Adrian Farrel <rfc-ise@rfc-editor.org>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <537ceb97-7902-1b51-b517-b51a0215dab8@isode.com>
Date: Wed, 16 Oct 2019 20:44:51 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------1701476623EE76C8E47ED08C"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/SN7T5ct9csOZCOYsRdX7uhBDoWc>
Subject: [Crypto-panel] Request for document review: draft-dolmatov-magma
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 19:45:13 -0000

--------------1701476623EE76C8E47ED08C
Content-Type: text/plain; charset=utf-8; format=flowed
Content-transfer-encoding: quoted-printable

Dear Crypto Review Panel members,

Independent Stream Editor has asked for review of:

  https://datatracker.ietf.org/doc/draft-dolmatov-magma/

in particular he wants to know:

1) can the document be unambiguously implemented

and

2) whether there are any obvious security holes that should be noted as
caveats


Thank you,

Alexey


--------------1701476623EE76C8E47ED08C--


From nobody Wed Oct 16 12:50:13 2019
From: Russ Housley <housley@vigilsec.com>
Message-Id: <332EAEFC-F99F-40F1-BFAA-D11C193F9B93@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2F04F42F-5A46-4899-B4BB-EE86F51B7C1C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 16 Oct 2019 15:49:54 -0400
In-Reply-To: <537ceb97-7902-1b51-b517-b51a0215dab8@isode.com>
Cc: "crypto-panel@irtf.org" <crypto-panel@irtf.org>, Adrian Farrel <rfc-ise@rfc-editor.org>
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <537ceb97-7902-1b51-b517-b51a0215dab8@isode.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/iHhVN1Y6LXqHi7SZkmGK6HfXQ1k>
Subject: Re: [Crypto-panel] Request for document review: draft-dolmatov-magma

--Apple-Mail=_2F04F42F-5A46-4899-B4BB-EE86F51B7C1C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I do not see any obvious problems, but I did not try to write code ...

I do not understand Section 4; I cannot figure out why it is in a
document that describes the Magma block cipher.

Section 3.2 says:

   A<<<_11  cyclic rotation of string A belonging to V_32 by 11
      components in the direction of components having greater indices

Since components are enumerated from right to left starting from zero,
can't this be greatly simplified by saying "left cyclic rotation"?
Also, a comma is missing at the end of the definition.

Russ

> On Oct 16, 2019, at 3:44 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> Dear Crypto Review Panel members,
>
> Independent Stream Editor has asked for review of:
>
> https://datatracker.ietf.org/doc/draft-dolmatov-magma/
>
> in particular he wants to know:
>
> 1) can the document be unambiguously implemented
>
> and
>
> 2) whether there are any obvious security holes that should be noted as caveats
>
> Thank you,
>
> Alexey


--Apple-Mail=_2F04F42F-5A46-4899-B4BB-EE86F51B7C1C--
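
The equivalence raised in the comment on Section 3.2 above can be checked mechanically. The C below is an added example, not part of the original message or of draft-dolmatov-magma; it assumes a V_32 string is held in a uint32_t with component i stored in bit i, and the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: a string A in V_32 is held in a uint32_t,
 * with component i (numbered right to left, starting from zero) in bit i. */

/* Literal reading of the quoted definition: every component moves 11
 * positions towards greater indices, wrapping around after index 31. */
static uint32_t rot11_by_index(uint32_t a)
{
    uint32_t out = 0;
    for (unsigned i = 0; i < 32; i++) {
        uint32_t bit = (a >> i) & 1u;
        out |= bit << ((i + 11u) % 32u);
    }
    return out;
}

/* Conventional left cyclic rotation of a 32-bit word. */
static uint32_t rotl32(uint32_t a, unsigned n)
{
    n &= 31u;
    return n ? (a << n) | (a >> (32u - n)) : a;
}

/* The opposite direction, i.e. what an implementer gets if the
 * index convention is misread. */
static uint32_t rotr32(uint32_t a, unsigned n)
{
    n &= 31u;
    return n ? (a >> n) | (a << (32u - n)) : a;
}

/* Constructed sample inputs: single-bit values that exercise the
 * wrap-around, two mixed patterns, and one rotation-invariant value. */
static const uint32_t SAMPLES[] = {
    0x00000001u, 0x80000000u, 0x00200000u,
    0xfedcba98u, 0x01234567u, 0xffffffffu
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Number of samples on which a candidate rotation disagrees with the
 * literal index-based definition. */
static int count_disagreements(uint32_t (*candidate)(uint32_t, unsigned))
{
    int bad = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) {
        if (candidate(SAMPLES[i], 11) != rot11_by_index(SAMPLES[i]))
            bad++;
    }
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++) {
        printf("A=%08x  by-index=%08x  rotl=%08x  rotr=%08x\n",
               (unsigned)SAMPLES[i],
               (unsigned)rot11_by_index(SAMPLES[i]),
               (unsigned)rotl32(SAMPLES[i], 11),
               (unsigned)rotr32(SAMPLES[i], 11));
    }
    printf("left rotation disagreements:  %d\n", count_disagreements(rotl32));
    printf("right rotation disagreements: %d\n", count_disagreements(rotr32));
    return 0;
}
```

Only the all-ones sample survives the wrong direction unchanged, which is why a test vector with mixed bits is needed to catch a misread rotation.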


From nobody Thu Oct 17 00:44:19 2019
MIME-Version: 1.0
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com> <83FAAC9C-A56C-43FC-BD68-5E1DB0794D7E@vigilsec.com> <31D078E7-08CD-46F5-AF97-6F2450C5934A@gmail.com> <CAMr0u6k_VW=2rb+x1CTmcjCMUr-gs2pcCPdZH5RpKdJYXFJkfw@mail.gmail.com>
In-Reply-To: <CAMr0u6k_VW=2rb+x1CTmcjCMUr-gs2pcCPdZH5RpKdJYXFJkfw@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Thu, 17 Oct 2019 10:43:58 +0300
Message-ID: <CAMr0u6mCSd0vx=oT_zWPkLduFDXEuSK2BLFQcvgkmcRrkSCw9Q@mail.gmail.com>
To: crypto-panel@irtf.org
Content-Type: multipart/alternative; boundary="0000000000001a8c4d059516620e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/D3xzb3Gdf4yM7VfAmhNCWcOiSAU>
Subject: Re: [Crypto-panel] Stage 5 of PAKE selection process

--0000000000001a8c4d059516620e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Dear Bjoern, Scott, Russ, Yaron, Tibor (and myself :) ),

This is just a kind reminder that according to the plan of the PAKE
process, the overall reviews for the nominated PAKEs should be provided
until October, 30th (so that the chairs are able to make their
recommendations until the Singapore meeting).

All materials on the nominated PAKEs have been gathered (many thanks to
Yaron again) here: https://github.com/cfrg/pake-selection

Many thanks again!

Best regards,
Stanislav Smyshlyaev,
CFRG Secretary

Mon, 23 Sep 2019 at 21:20, Stanislav V. Smyshlyaev <smyshsv@gmail.com>:

> Dear Russ and Yaron,
>
> The security proof reviews were intended only to provide input information
> for the Crypto Review Members, who are intended to provide overall reviews
> - thus no PAKEs were dropped in any sense.
>
> In the PAKE selection process description it is assumed that during Stage
> 5 overall reviews are prepared with recommendations (of any kind) - and we
> have an option that after overall reviews (conducted by the Crypto Review
> Panel members) the CFRG chairs are not able to come to a decision. In that
> case at IETF 106 meeting we’ll have a revision of the process (and decide
> what to do next).
>
> In any case, after a PAKE (or two PAKEs...) is selected, the process of
> working on a CFRG document on Recommendations for PAKEs in IETF protocols
> will only start - and then all minor things (like options, parameters,
> implementation recommendations, etc.) can be handled.
>
> So, in my personal opinion, at the current stage we need to reflect the
> current understanding of pros and cons of each nominated PAKE - and then
> we’ll see whether this allows the chairs to make any decision (and move to
> specifying the winning PAKE in the CFRG document, taking into account all
> known issues) - or continue the process of selection in some way.
>
> Best regards,
> Stanislav
>
>
> Mon, 23 Sep 2019 at 21:03, Yaron Sheffer <yaronf.ietf@gmail.com>:
>
>> The CPace/AuCPace paper was updated “in place” (in the IACR ePrint repo)
>> since the process started. Also, Hugo hinted that OPAQUE needs to be
>> updated, not the base protocol but some of the options.
>>
>>
>>
>> *From: *Crypto-panel <crypto-panel-bounces@irtf.org> on behalf of Russ
>> Housley <housley@vigilsec.com>
>> *Date: *Monday, 23 September 2019 at 20:05
>> *To: *"Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
>> *Cc: *<crypto-panel@irtf.org>
>> *Subject: *Re: [Crypto-panel] Stage 5 of PAKE selection process
>>
>>
>>
>> Stanislav:
>>
>>
>>
>> I just want to make sure that I understand.  Is it correct that none of
>> the algorithms is being dropped or revised based on the proof analysis?
>>
>>
>>
>> Russ
>>
>>
>>
>>
>>
>> On Sep 20, 2019, at 12:23 PM, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
>> wrote:
>>
>>
>>
>> Dear Bjoern, Scott, Russ, Yaron, Tibor (and myself :) ),
>>
>>
>>
>> Many thanks again for volunteering to provide overall reviews for the
>> nominated PAKEs on behalf of the Crypto Review Panel.
>>
>>
>>
>> According to the PAKE selection process plan, at Stage 5 Crypto Review
>> Panel members write overall reviews for all candidate PAKEs, based on the
>> materials that have been gathered and verified. According to the plan,
>> Stage 5 will last until October, 30th.
>>
>>
>>
>> Those materials (including all partial reviews) have been gathered (many
>> thanks, Yaron!) here: https://github.com/cfrg/pake-selection
>>
>>
>>
>> Best regards,
>>
>> Stanislav,
>>
>> CFRG secretary
>>
> --
>
> Best regards,
>
> Stanislav Smyshlyaev, Candidate of Physical and Mathematical Sciences,
>
> Deputy General Director
>
> CRYPTO-PRO LLC
>
>

--0000000000001a8c4d059516620e--


From nobody Wed Oct 23 08:11:25 2019
MIME-Version: 1.0
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
In-Reply-To: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 23 Oct 2019 18:09:22 +0300
Message-ID: <CAMr0u6m3sUkTkC1X1ED35DVdurcaTauoADho4ZTUPqLoN+Wx4Q@mail.gmail.com>
To: Bjoern Tackmann <bjoern.tackmann@ieee.org>, Scott Fluhrer <sfluhrer@cisco.com>,  Tibor Jager <tibor.jager@upb.de>, Russ Housley <housley@vigilsec.com>,  Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: crypto-panel@irtf.org, cfrg-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c8ff5c059595535f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/J_TcGJZjxyFGOpT8iww1ZD3zfFk>
Subject: Re: [Crypto-panel] Stage 5 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 15:11:24 -0000

--000000000000c8ff5c059595535f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Dear CFRG chairs,

Please find below my review of the nominated PAKEs (a Stage 5 review -
i.e., an overall review, taking into account the partial reviews published
at https://github.com/cfrg/pake-selection) with my opinion about possible
recommendations.
According to the PAKE selection process plan, it is one of the Crypto
Review Panel experts reviews, which are to be taken into account by the
CFRG chairs at Stage 6 ("01.11.2019-16.11.2019: CFRG chairs discuss the
obtained reviews and make their recommendations to CFRG/convey to CFRG that
they can’t make a recommendation yet.") – so I am not sure that we want to
disclose these reviews to the group beforehand.


Documents: 8 PAKEs, nominated to the PAKE selection process; partial
reviews provided at Stage 4 (see https://github.com/cfrg/pake-selection).
Reviewer: Stanislav Smyshlyaev
Review Date: 2019-10-23
Summary:
*I would recommend selecting two PAKEs (one balanced and one augmented):
SPAKE2 and OPAQUE. *
*No strong objections against: CPace, AuCPace, VTBPEKE*

1. Balanced
1.1. SPAKE2
The main issue with SPAKE2 is potential existence of a backdoor in case
when the parameters M and N have not been selected in a way that their
joint discrete logarithm is guaranteed to be unknown. A variant of the
protocol has been proposed, which is using a hash-to-curve function – but
such a change would lead to a different protocol, which requires a separate
security analysis. Another possible issue is that the protocol is not
“quantum annoying”, since one needs to calculate only one discrete
logarithm to break any instance of the protocol.
In my opinion, this is not an important issue for the current PAKE
selection process. From the security point of view (regarding “classical”
attacks on key exchange protocols), SPAKE2 has such an advantage as absence
of known attacks exploiting small subgroups. Nevertheless, the checks
related to cofactors are mentioned in the draft, which is good. The experts
do not see major issues with integrating SPAKE2 into TLS 1.3, while there
is a note about minor issues with mixing-in a password value into KDF (but
it seems to be possible to mix it as ePSK). There do not seem to be any
major issues with integrating into IKEv2 or IoT applications either.
1.2, 1.3. CPace and SPEKE
SPEKE and CPace are based on the same basic scheme, but SPEKE has been
initially defined for the finite fields with the proof only for that case.
Therefore, it seems that it is worth considering CPace, since it is defined
in the general case.
The main issue with CPace seems to be about the stage of negotiating “sid”
parameter. Such a stage turns the CPace into a 2-RTT protocol, which
eliminates its main advantage, efficiency. Such a sid is needed to provide
a proof in UC-framework.  The existence of sid for UC-framework may be more
a technical issue for the approach, so CPace without negotiating the sid
could be considered. The important part of the protocol is a Map2Point
function, which impacts the overall security of the protocol, hence a
careful choice of such a primitive is required.  The CPace without
negotiating sid seems to be easily integrated into TLS 1.3, IKEv2 and IoT
protocols.
Nevertheless, CPace should be separately defined and described (not only as
a part of AuCPace) and carefully studied for the case without sid. In my
opinion, if CPace is selected as recommended PAKE, these actions can be
done during the further steps of writing a CFRG RFC on recommendations for
PAKEs.
1.4. J-PAKE
The main advantage of J-PAKE seems to be that it does not use any
hash-to-curve functions, that can lead to some vulnerabilities or
backdoors. At the same time, it has significant problems with efficiency.
Therefore, it seems to be much more problematic to integrate it into TLS
and IKEv2. Moreover, since IKEv2 and IoT protocols are very sensitive to
the message sizes, long messages (with up to three points in a single
message) in J-PAKE look like a real problem for practical usage.
There are no major problems with the security of the protocol, although
some improvements of the proofs could be made (SE-NIZK-proofs, but “none of
them would be nearly as practical”).
1.5. Balanced: overall
Two ideas compete: DH on password-based points as generators (CPace and
SPEKE) and DH on points, which are masked with password-based points
(SPAKE2).
In my opinion, only CPace and SPAKE can be considered in the current
selection process. For CPace the security without pre-negotiation of sid
should be studied.
Since the only issue with SPAKE2 seems to be eliminating the discrete
logarithm (between M and N) problem and since it can be done (in my
opinion) during the further steps of writing a CFRG RFC on recommendations
for PAKEs, I would recommend SPAKE2 as a balanced PAKE.

2. Augmented
2.1. OPAQUE
OPAQUE is more a “converter” of AKEs to PAKEs using a secure OPRF. The main
advantage of OPAQUE is security against precomputations, which is desirable
for applications, for which augmented PAKEs are preferred.
OPAQUE can be integrated into TLS 1.3 (the method of this integration has
already been specified) without any changes in the protocol.
The authors have recently updated the security proof, addressing the raised
concerns about it; nevertheless, in my opinion, the security assessment is
already mature enough and sufficient for considering it secure.
The protocol is also not “quantum annoying”, but, in my opinion, that
cannot be treated as a major disadvantage of the protocol.
2.2. AuCPace
AuCPace is an augmented version of CPace. AuCPace itself is not secure
against precomputations, but preventing precomputation is a minor change –
a strong version of AuCPace is called strong AuCPace.
There are some questions to the security proof of AuCPace (one of the
reviewers treats the initially submitted version of it as “rather sketchy”),
but, as well as OPAQUE, the security assessment seems to be already mature
enough and sufficient for considering it secure.
AuCPace is a «quantum annoying» PAKE.
Integrating AuCPace into TLS 1.3 is deeply studied in the materials – there
exist some issues, but none of them seems to be critical.
2.3. BSPAKE
BSPAKE – is an augmented Elligator-version of SPAKE2. The main disadvantage
of it is absence of a complete security proof (the authors just say that
the security follows from the security of the underlying elements of the
construction).
The blind salt mechanism is similar to the one used in OPAQUE (OPRF); the
mechanism of using blind salt in AuCPace is different: in AuCPace the salt
is chosen by the client during registration phase.
BSPAKE is «quantum annoying».
BSPAKE is 2-RTT, so it needs certain efforts to be integrated into TLS 1.3.
It seems that a separate work of modifying the PAKE in a way similar to
OPAQUE for TLS 1.3.
BSPAKE does not seem to be a solid construction with detailed security
analysis, in my opinion it should not be considered to be recommended as a
selected PAKE.
2.4. VTBPEKE
VTBPEKE – is an augmented version of TBPEKE (a modified SPEKE). VTBPEKE is not
secure against precomputations, but it can be modified to be such by adding
blind salt.
The game-based security proof is sufficient to consider the protocol
secure. The situation with integrating AuCPace into TLS 1.3 is similar to
the one with AuCPace, several issues have to be resolved.
2.5. Augmented: overall
In my opinion, only AuCPace, VTBPEKE and OPAQUE can be considered in the
current selection process. Currently only OPAQUE provides security against
precomputations – and in my opinion, it is important for an augmented PAKE
(otherwise, balanced PAKEs are not much less convenient for the same
client-server applications).
Blind-salt versions of AuCPace and VTBPEKE should be considered instead of the
"plain" versions of them, but the corresponding detailed security proofs
should be obtained to do so.
In addition, since integration of OPAQUE into TLS 1.3 also seems to be
studied more deeply, I would recommend OPAQUE as an augmented PAKE, if no
patent issues occur to be preventing it.

3. Remarks
To be considered in the future for the selected PAKEs: while integrating a
PAKE into protocol, it is important to decide, on which step to negotiate
PAKE parameters (e.g., elliptic curve group); cross-cipher suite security
must also be taken into account.

4. Overall recommendations
Overall recommendations about the anticipated results of the PAKE
selection. If we are to use PAKEs for IKEv2 or other peer-to-peer
protocols, a balanced PAKE is desirable. To address the remote access
applications or other client-server scenarios, it is better to also have an
augmented PAKE.
Therefore, I would recommend selecting one balanced PAKE and one augmented
PAKE.
*I would recommend selecting two PAKEs (one balanced and one augmented):
SPAKE2 and OPAQUE*. In my opinion, these protocols are mature enough and do
not have any significant problems; all existing concerns can be addressed
during the work on a CFRG RFC on recommendations for PAKEs. CPace, AuCPace
and VTBPEKE are also strong candidates (I wouldn't have any strong
objections against CFRG recommending any of them).

Best regards,
Stanislav Smyshlyaev


Fri, 20 Sep 2019 at 19:23, Stanislav V. Smyshlyaev <smyshsv@gmail.com>:

> Dear Bjoern, Scott, Russ, Yaron, Tibor (and myself :) ),
>
> Many thanks again for volunteering to provide overall reviews for the
> nominated PAKEs on behalf of the Crypto Review Panel.
>
> According to the PAKE selection process plan, at Stage 5 Crypto Review
> Panel members write overall reviews for all candidate PAKEs, based on the
> materials that have been gathered and verified. According to the plan,
> Stage 5 will last until October, 30th.
>
> Those materials (including all partial reviews) have been gathered (many
> thanks, Yaron!) here: https://github.com/cfrg/pake-selection
>
> Best regards,
> Stanislav,
> CFRG secretary
>

--000000000000c8ff5c059595535f--


From nobody Thu Oct 24 10:00:37 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 545DB120013 for <crypto-panel@ietfa.amsl.com>; Thu, 24 Oct 2019 10:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qWU8y-3YGvMP for <crypto-panel@ietfa.amsl.com>; Thu, 24 Oct 2019 10:00:33 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9C01200B2 for <crypto-panel@irtf.org>; Thu, 24 Oct 2019 10:00:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DBFF7300B24 for <crypto-panel@irtf.org>; Thu, 24 Oct 2019 13:00:31 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Edsv2N7HD3EI for <crypto-panel@irtf.org>; Thu, 24 Oct 2019 13:00:28 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id E90913002AD; Thu, 24 Oct 2019 13:00:27 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
Date: Thu, 24 Oct 2019 13:00:28 -0400
Cc: crypto-panel@irtf.org, Yaron Sheffer <yaronf.ietf@gmail.com>, Bjoern Tackmann <bjoern.tackmann@ieee.org>, Scott Fluhrer <sfluhrer@cisco.com>, Tibor Jager <tibor.jager@upb.de>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Content-Transfer-Encoding: 7bit
Message-Id: <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
To: cfrg-chairs@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/kJ1IA8EVbuaDqgnmyCwGXdBH4NQ>
Subject: [Crypto-panel] Stage 5 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 17:00:36 -0000

Reviewer: Russ Housley
Review Date: 24 October 2019

CFRG is looking for a PAKE to support TLS 1.3 and IKEv2.  TLS 1.3 has
a very rigid handshake in terms of the number of messages that are
exchanged.  IKEv2 has mechanisms to accommodate the exchange of many
messages as part of authentication.  As a result, I focus on TLS 1.3.
Any PAKE that will work with TLS 1.3 will also work with IKEv2.

RECOMMENDATION: OPAQUE


Observations about each of the candidates follow.


J-PAKE

J-PAKE requires significant computation, even when elliptic curve is
used.

J-PAKE has big messages, even when elliptic curve is used.

J-PAKE is a two round (or three round) protocol, so it does not easily
fit into the TLS handshake.


CPace

CPace requires two elliptic curve operations by each party, one to
compute an ephemeral public value from the ephemeral random (private)
value and one to compute the shared secret.

CPace requires the pre-establishment of a session identifier (sid).
Perhaps this is done when the password is established, but the
requirements are not clear to me.  The sid is sent by both the initiator
and the responder.  Assuming the sid is not bigger than an ephemeral
public value, the message sizes seem reasonable.

CPace is a one round protocol, so it easily fits into the TLS handshake.

CPace requires a check that the "point order is sufficient for
security parameter 2k".  I could not figure out the check to be
performed.  Maybe I did not spend enough time searching for it ...


AuCPace

AuCPace requires two elliptic curve operations by each party, one to
compute an ephemeral public value from the ephemeral random (private)
value and one to compute the shared secret.

AuCPace requires the pre-establishment of a session identifier (sid).
Perhaps this is done when the password is established, but the
requirements are not clear to me.  It also requires a sub-session
identifier (ssid) that can be a concatenation of the nonces from the
TLS handshake or computed from them.  Assuming the sid is not bigger
than an ephemeral public value, the message sizes seem reasonable.

AuCPace requires more than one round trip, so it does not easily fit
into the TLS handshake.

AuCPace requires a check that the "point order is sufficient for
security parameter 2k".  I could not figure out the check to be
performed.  Maybe I did not spend enough time searching for it ...


OPAQUE

OPAQUE computational cost is determined by OPRF, Diffie-Hellman, and
authentication.  The OPRF requires two elliptic curve operations for the
client and one for the server.  The Diffie-Hellman requires two elliptic
curve operations for each party.  If authentication uses signature, then
each party will have to generate and verify one signature.

OPAQUE requires two private key operations by each party during
registration, and then just one private key operation by each party
to compute the shared secret.

OPAQUE is a one round protocol; it easily fits into the TLS handshake.

If one is willing to employ an extra round trip, OPAQUE can provide
confidentiality of the user's name by encrypting it in the TLS
handshake key.  It seems like this could be implemented as TLS-in-TLS.

OPAQUE needs an AEAD that includes "key committing".  AES-GCM mode does
not provide this property, but I think that AES-KEY-WRAP mode does.  It
seems straightforward to enhance an AEAD to get this property by adding
an all-zero block to the plaintext and checking it on decryption.


SPAKE2

SPAKE2 computational cost is four elliptic curve operations for each
party after the pre-provisioning takes place.

SPAKE2 is a two round protocol, but the pre-provisioning will take place
prior to any handshake, so it easily fits into the TLS handshake.  That
said, if the point associated with the system-wide elements M and N
become known, then an offline dictionary attack becomes possible.

I found this part odd:

           TT = len(A) || A || len(B) || B || len(S) || S
             || len(T) || T || len(K) || K || len(w) || w

   If an identity is absent, it is omitted from the transcript entirely.

So, if A or B is absent, the inputs are quite similar:

           TT = len(B) || B || len(S) || S || len(T) || T
             || len(K) || K || len(w) || w

           TT = len(A) || A || len(S) || S || len(T) || T
             || len(K) || K || len(w) || w

Somehow, using a zero length for the missing identity seems safer:

           TT = len(nil)    || len(B) || B || len(S) || S
             || len(T) || T || len(K) || K || len(w) || w

           TT = len(A) || A || len(nil)    || len(S) || S
             || len(T) || T || len(K) || K || len(w) || w


SPEKE

SPEKE computational cost is two elliptic curve operations for each
party.

SPEKE is a one round protocol, so it easily fits into the TLS
handshake.  Also, the TLS 1.3 Finished message provides the
optional key confirmation.  Finally, identity and session-unique
values are easily accommodated by the client and server Hello
messages.


VTBPEKE

VTBPEKE computational cost is four elliptic curve operations for each
party.

VTBPEKE is not a one round protocol, so it cannot be accommodated by the
TLS 1.3 handshake.

VTBPEKE offers forward secrecy.  However, if the points associated with
the system-wide elements U and V become known, then an offline dictionary
attack becomes possible.


BSPAKE

BSPAKE computational cost is five elliptic curve operations for the
client and four elliptic curve operations for the server.

BSPAKE requires two round trips in the protocol, so it cannot be
accommodated by the TLS 1.3 handshake.


 


From nobody Fri Oct 25 05:25:19 2019
Date: Fri, 25 Oct 2019 15:25:08 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>, <cfrg-chairs@ietf.org>
CC: Tibor Jager <tibor.jager@upb.de>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Scott Fluhrer <sfluhrer@cisco.com>, <crypto-panel@irtf.org>, Bjoern Tackmann <bjoern.tackmann@ieee.org>
Message-ID: <63EBDE7B-4B7F-4E65-A2D1-7864071C7D4C@gmail.com>
Thread-Topic: [Crypto-panel] Stage 5 of PAKE selection process
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com> <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
In-Reply-To: <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/IFtADguL13GxynZQLNDn6RBUeGw>
Subject: Re: [Crypto-panel] Stage 5 of PAKE selection process

Dear CFRG chairs,

Please see my review in the attached (two formats).

Thanks,
	Yaron

PS: this is formatted as an I-D, but I have not submitted it, at least while the chairs are deliberating their selections.

[Attachments: draft-sheffer-cfrg-pake-review.html, draft-sheffer-cfrg-pake-review.md]



From tibor.jager@uni-wuppertal.de  Thu Oct 24 02:19:39 2019
From: "Jager, Tibor" <tibor.jager@uni-wuppertal.de>
To: "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Thread-Topic: Security review for augmented PAKE proposals
Thread-Index: AQHVikwc9QOpiOGxbU+aAUwj6WYZgw==
Date: Thu, 24 Oct 2019 09:19:17 +0000
Message-ID: <20539721-AC48-4EFD-A861-DDBCAF84E47F@uni-wuppertal.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/_Zd2aEKgkU6Q01Aj2Ns1_KOitWo>
X-Mailman-Approved-At: Fri, 25 Oct 2019 05:40:48 -0700
Subject: [Crypto-panel] Security review for augmented PAKE proposals


