<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-cllz-cfrg-ecdsa-pop-00" category="info" submissionType="IRTF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="ECDSA-PoP">Schnorr-Type Proofs of Possession for ECDSA Device Binding</title>
    <seriesInfo name="Internet-Draft" value="draft-cllz-cfrg-ecdsa-pop-00"/>
    <author fullname="Sofia Celi">
      <organization>Brave Software / University of Bristol</organization>
      <address>
        <email>cherenkov@riseup.net</email>
      </address>
    </author>
    <author fullname="Anja Lehmann">
      <organization>Hasso Plattner Institute</organization>
      <address>
        <email>anja.lehmann@hpi.de</email>
      </address>
    </author>
    <author fullname="Shai Levin">
      <organization>Chalmers University of Technology / University of Gothenburg</organization>
      <address>
        <email>shai.levin@chalmers.se</email>
      </address>
    </author>
    <author fullname="Alexandros Zacharakis">
      <organization>Hasso Plattner Institute</organization>
      <address>
        <email>alexandros.zacharakis@hpi.de</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>IRTF</area>
    <workgroup>Crypto Forum Research Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 148?>

<t>This document specifies a Schnorr-type, circuit-free zero-knowledge proof of possession (PoP) of an ECDSA signature produced under a committed public key over the NIST P-256 (secp256r1) curve.
The PoP lets a credential holder prove, in zero knowledge, that it can produce a fresh ECDSA signature under a device public key without revealing that key, thereby providing device binding for privacy-preserving credentials whose presentation must remain unlinkable.</t>
      <t>The construction is built exclusively from Sigma protocols as it decomposes the ECDSA verification equation into a scalar-multiplication relation and a point-addition relation over P-256, each proved with a dedicated Sigma protocol over a companion ("Tom") curve whose scalar field equals the base field of P-256.
It is designed to be expressed using the interfaces of the CFRG Sigma-protocols specification and to serve as the device-binding sub-proof of the modular BBS / JSON Web Proofs construction.
SNARK-based realizations of the same relation are out of scope.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://levanin.github.io/cllz-cfrg-ecdsa-pop/draft-cllz-cfrg-ecdsa-pop.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-cllz-cfrg-ecdsa-pop/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Crypto Forum Research Group mailing list (<eref target="mailto:cfrg@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cfrg/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/cfrg/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/levanin/cllz-cfrg-ecdsa-pop"/>.</t>
    </note>
  </front>
  <middle>
    <?line 157?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Anonymous credentials enable privacy-preserving authentication: a holder presents an issuer-attested credential to a relying party while revealing only the minimum necessary information and remaining unlinkable across presentations. BBS signatures are a leading basis for such credentials and are being adopted in several standardization efforts <xref target="BBS"/><xref target="BLIND-BBS"/><xref target="W3CBBS"/>. These efforts are of relevance to the European Union Digital Identity (EUDI) wallet <xref target="EUDI-ARF"/>, which is mandated to implement user authentication with strong privacy guarantees, including selective disclosure and unlinkability.</t>
      <t>A central requirement for credentials used in digital-identity deployments is non-transferability: a credential must be usable only by its legitimate holder, and not be shared, or copied. The standard way to enforce this is device binding. The credential is tied to a key held in a secure element (SE) on the user's device, and at presentation time the holder produces a fresh signature -- a proof of possession (PoP) -- under the corresponding secret key, which never leaves the SE. Because the key is non-exportable, the credential cannot be used without the device that holds it.</t>
      <t>The EUDI architecture mandates device binding to a secure element, but consumer-device secure elements are, in practice, restricted to ECDSA over P-256 and do not expose the pairing-friendly operations required by native anonymous-credential device binding. The lack of an efficient and robust device-binding mechanism for anonymous credentials on legacy hardware was a key reason such credentials were not used in the initial EUDI deployment, which instead relies on batch-issued one-time-use credentials <xref target="DEROSA"/>.</t>
      <t>Here, we address the gap by specifying how to prove possession of an ECDSA signature under a committed device public key, so that ECDSA device binding can be composed with a pairing-based credential layer such as BBS. Our solution is based on Schnorr-type proofs, providing a robust, well-understood approach that avoids the implementation and interoperability challenges of circuit-based constructions.</t>
      <section anchor="scope">
        <name>Scope</name>
        <t>This document specifies only the <em>Schnorr-type</em> (Sigma-protocol-based) PoP.
This is the most conservative construction in <xref target="PAPER"/>: it uses no arithmetic circuits and no general-purpose proof system, relying solely on Sigma protocols and Pedersen commitments.
SNARK / circuit-based realizations of the same statement (the "foreign-field" and "native circuit" constructions of <xref target="PAPER"/>, and the Committed Schnorr reduction used by them) are explicitly out of scope.</t>
        <t>The proof is interactive as described, and is made non-interactive with the Fiat-Shamir transform (<xref target="fiat-shamir"/>).
Sigma protocols are composed using the interfaces of <xref target="SIGMA"/>, and the non-interactive transform and its codec are taken from the companion specification <xref target="FIAT-SHAMIR"/>.</t>
      </section>
      <section anchor="relationship-to-other-specifications">
        <name>Relationship to Other Specifications</name>
        <t>This document is designed to compose with two CFRG / IETF efforts:</t>
        <ul spacing="normal">
          <li>
            <t><xref target="SIGMA"/> (Sigma protocols).
The sub-protocols specified here are Sigma protocols and are described, where possible, using the <tt>Group</tt>, <tt>LinearRelation</tt>, and <tt>SigmaProtocol</tt> abstractions of <xref target="SIGMA"/>.
In particular, the point-addition proof of <xref target="point-addition"/> is a batch of linear relations whose group bases include commitments drawn from the statement, and is therefore expressible through the <tt>LinearRelation</tt> interface; the scalar-multiplication proof of <xref target="scalar-mult"/> is a custom <tt>SigmaProtocol</tt> (a bit-challenge proof run with parallel repetition) that internally invokes the point-addition proof.</t>
          </li>
          <li>
            <t><xref target="MODULAR-BBS"/> (modular BBS sub-proofs).
The PoP specified here is intended to instantiate the <tt>ecdsa-p256-db</tt> device-binding sub-proof of <xref target="MODULAR-BBS"/>, which exposes the holder's P-256 public key as four committed BBS messages carrying its 128-bit limbs (at indices <tt>[0, 1, 2, 3]</tt>) and binds the sub-proof to a challenge derived from the presentation headers.
<xref target="integration"/> describes this binding.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terms are used throughout.</t>
      <dl>
        <dt>ECDSA curve (P-256):</dt>
        <dd>
          <t>The curve secp256r1 / NIST P-256 <xref target="FIPS186-5"/><xref target="SEC1"/>.
<tt>G_p</tt> denotes its group of points (prime order <tt>n_p</tt>), <tt>P</tt> a fixed generator, <tt>F_q</tt> its base field, and <tt>F_np</tt> its scalar field.</t>
        </dd>
        <dt>Tom curve (Tom-256):</dt>
        <dd>
          <t>A curve forming a "2-chain" with P-256: its scalar field equals the base field <tt>F_q</tt> of P-256 (see <xref target="ZKATTEST"/>).
<tt>G_t</tt> denotes its group of points.
Arithmetic over <tt>F_q</tt> -- i.e. arithmetic on P-256 coordinates -- is therefore <em>native</em> in the scalar field of <tt>G_t</tt>, which is what makes the Sigma-protocol proofs efficient.</t>
        </dd>
        <dt>Credential curve:</dt>
        <dd>
          <t>The pairing-friendly curve used by the credential layer (e.g., BLS12-381 for BBS), with scalar field <tt>F_s</tt>.
Commitments produced by the credential layer live over this curve.</t>
        </dd>
        <dt>Pedersen commitment:</dt>
        <dd>
          <t>For a group <tt>G</tt> with independent generators <tt>(g, h)</tt> (and, for vectors, <tt>(g_1,...,g_k, h)</tt>), the commitment to message <tt>m</tt> with randomness <tt>rho</tt> is <tt>Commit(m; rho) = m*g + rho*h</tt> (resp. <tt>sum_i m_i*g_i + rho*h</tt>).
Pedersen commitments used here are perfectly hiding and computationally binding under the discrete-log assumption in <tt>G</tt>.</t>
        </dd>
      </dl>
      <t>Throughout, lowercase letters denote scalars and uppercase letters denote group elements.
<tt>x*P</tt> denotes scalar multiplication and <tt>A + B</tt> denotes group addition.
<tt>H(.)</tt> is a hash into <tt>F_np</tt> (SHA-256 reduced mod <tt>n_p</tt>, as in ECDSA), and <tt>F: G_p -&gt; F_np</tt> is the ECDSA conversion function mapping a point to the integer reduction mod <tt>n_p</tt> of its x-coordinate.</t>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>In this system there are three parties: a holder, who holds a credential and possesses an ECDSA-based device key pair; an issuer, who issues credentials; and a verifier, who verifies credentials and their binding to devices.
The holder has a device ECDSA key pair (<tt>private_key = x</tt>, <tt>public_key = Q</tt>), where <tt>Q = x*P</tt> over P-256. This public key is included in the holder's credential (e.g., as a committed BBS message).
The public key <bcp14>MAY</bcp14> be carried into the credential as a committed message via blind issuance (<xref target="BLIND-BBS"/>), that is, in hidden form, so that the issuer signs over <tt>Q</tt> without learning it. This case requires the additional functionality described in <xref target="transfer"/>.
When presenting a credential, the verifier supplies a fresh <tt>nonce</tt>. The holder uses the secure element to produce an ECDSA signature over <tt>nonce</tt> with the device key pair, then proves in zero knowledge that it knows a valid signature under the committed key <tt>Q</tt>, without revealing <tt>Q</tt>.</t>
      <t>In order to instantiate this functionality, we rewrite how ECDSA signatures (which are of the form <tt>(r, s)</tt>) look like.
As shown in <xref target="ZKATTEST"/>, an ECDSA signature on a message <tt>msg</tt> can be rewritten as a pair <tt>(K, z)</tt> with <tt>r = F(K)</tt>, and <tt>z = r^{-1} * s mod n_p</tt>.
The verification then reduces to checking (where <tt>P</tt> is a fixed generator):</t>
      <artwork><![CDATA[
z*K = H(msg) * r^{-1} * P + Q
]]></artwork>
      <t>Because the signature is fresh and single-use, the value <tt>K</tt> <bcp14>MAY</bcp14> be revealed without harming unlinkability; only the long-lived device public key <tt>Q</tt> must stay hidden.
The purpose now is to prove that one knows a valid signature of the form above without revealing the underlying <tt>Q</tt> (this is the purpose of our PoP).
By setting:</t>
      <artwork><![CDATA[
alpha = H(nonce) * F(K)^{-1}  mod n_p          (a public scalar)
Hpt   = alpha * P                              (a public P-256 point)
]]></artwork>
      <t>the statement to be proved becomes: knowledge of a scalar <tt>z</tt> and an opening of the commitment to <tt>Q</tt> such that</t>
      <artwork><![CDATA[
z*K = Hpt + Q                                  (Eq. POP)
]]></artwork>
      <t>The computation is over P-256. <tt>K</tt>, <tt>Hpt</tt> are public; <tt>z</tt> and <tt>Q</tt> are secret.</t>
      <t>The PoP for (Eq. POP) can be interpreted as three functionalities, each run between prover (holder) and verifier (relying party):</t>
      <ol spacing="normal" type="1"><li>
          <t>Commitment transfer (<xref target="transfer"/>).
Transfer the commitment to <tt>Q</tt> from the credential curve to the Tom curve, where P-256 coordinate arithmetic is native.
After this step <tt>Q = (x, y)</tt> is committed as two Tom Pedersen commitments <tt>C_x = Commit(x; rho_x)</tt> (to the <tt>x</tt> coordinate), <tt>C_y = Commit(y; rho_y)</tt> (to the <tt>y</tt> coordinate).</t>
        </li>
        <li>
          <t>Reduction to curve operations (<xref target="rok-group"/>).
Set <tt>Z = z*K</tt> and commit to it to generate <tt>C_Z</tt>. Then, split Eq. POP into two statements: i. a scalar-multiplication statement (<tt>Z = z*K</tt>) and ii. a point-addition statement (<tt>Z = Hpt + Q</tt>).</t>
        </li>
        <li>
          <t>Curve-operation proofs.
Prove the two statements with the Sigma protocols of <xref target="scalar-mult"/> (scalar multiplication, <tt>SM</tt>) and <xref target="point-addition"/> (point addition, <tt>PA</tt>), run in parallel.</t>
        </li>
      </ol>
      <t>Symbolically, with <tt>x</tt> denoting parallel (AND) composition and <tt>o</tt> sequential composition of functionalities (see <xref target="RoK"/>), our PoP is:</t>
      <artwork><![CDATA[
PoP = ( SM x PA ) o group o transfer
]]></artwork>
      <t>Each functionality is an honest-verifier zero-knowledge reduction.
This composition in the reduction of knowledge framework is then made non-interactive by applying the Fiat-Shamir transform (<xref target="fiat-shamir"/>), deriving every verifier challenge from the transcript; the exact per-challenge transcript inputs remain to be specified (see <xref target="fiat-shamir"/>).
The result is a non-interactive zero-knowledge proof of knowledge for (Eq. POP).</t>
    </section>
    <section anchor="parameters-and-encodings">
      <name>Parameters and Encodings</name>
      <section anchor="curves-and-generators">
        <name>Curves and Generators</name>
        <t>An instantiation of this PoP fixes:</t>
        <ul spacing="normal">
          <li>
            <t>the ECDSA curve P-256, with generator <tt>P</tt>, group order <tt>n_p</tt>, base field <tt>F_q</tt>;</t>
          </li>
          <li>
            <t>the Tom curve Tom-256 with group <tt>G_t</tt> whose scalar field is <tt>F_q</tt>, with two independent Pedersen generators <tt>(G_t, H_t)</tt>;</t>
          </li>
          <li>
            <t>the credential-layer commitment scheme (e.g., Pedersen over BLS12-381) and its generators, as fixed by the credential profile (e.g. <xref target="MODULAR-BBS"/>).</t>
          </li>
        </ul>
        <t>The generators <tt>(G_t, H_t)</tt> <bcp14>MUST</bcp14> be sampled verifiably (e.g., via hash-to-curve from fixed domain-separation strings) so that no party knows their relative discrete logarithm.
The concrete instantiation of such parameters should be resolved by future standardisation efforts.</t>
      </section>
      <section anchor="encoding">
        <name>Committing to a P-256 Public Key</name>
        <t>A P-256 public key is a point <tt>Q = (x, y)</tt> in <tt>F_q^2</tt>.
Because the credential-layer commitment commits to scalars of the credential curve (<tt>F_s</tt>), each coordinate is encoded as a fixed number of limbs in <tt>F_s</tt>, and the limbs are committed with Pedersen.</t>
        <t>This document adopts the approach of <xref target="PAPER"/>, where each of <tt>x</tt> and <tt>y</tt> is split into two 128-bit little-endian limbs, i.e.</t>
        <artwork><![CDATA[
x = x_0 + 2^128 * x_1,   0 <= x_i < 2^128
]]></artwork>
        <t>and likewise for <tt>y</tt>.
This matches the four 128-bit limb commitments (at indices <tt>[0, 1, 2, 3]</tt>) now used by the <tt>ecdsa-p256-db</tt> device binding of <xref target="MODULAR-BBS"/>, which adopted this layout to align with <xref target="PAPER"/>.
The 128-bit limb size guarantees 112 bits of security for the transfer of <xref target="transfer"/> -- sufficient for this application -- and is chosen for efficiency and for interoperability with <xref target="MODULAR-BBS"/>; the proofs below are otherwise agnostic to the limb size (see <xref target="transfer"/>).</t>
        <t>The credential layer is responsible, at issuance, for guaranteeing that (a) each limb lies in its declared range and (b) <tt>(x, y)</tt> is a valid P-256 point.
This PoP assumes those facts hold a priori and does not re-prove them.</t>
      </section>
    </section>
    <section anchor="transfer">
      <name>Commitment Transfer</name>
      <t>The PoP operates over the Tom curve, but the credential layer commits <tt>Q</tt> over the credential curve.
The transfer step re-expresses the commitment to <tt>Q</tt> as commitments over Tom-256, preserving the committed value.
Following <xref target="PAPER"/>, it is structured as a <em>reduction of knowledge</em> (<xref target="RoK"/>): a public-coin interactive reduction that maps a committed statement under the credential-curve scheme to the <em>same</em> statement under the Tom-curve scheme, after which the curve-operation proofs of <xref target="rok-group"/> take over.</t>
      <t>Let <tt>Commit</tt> be the credential-curve commitment scheme and <tt>Commit~</tt> the Tom-curve scheme.
Generically, for each committed value <tt>m_i</tt> with credential-curve commitment <tt>C_i</tt>, the prover produces a fresh Tom commitment <tt>C~_i = Commit~(m_i; rho~_i)</tt> and proves, with a public-coin proof of knowledge <tt>EQ</tt>, the relation</t>
      <artwork><![CDATA[
R_eq = { (C_i, C~_i ; m_i, rho_i, rho~_i) :
            C_i  = Commit (m_i; rho_i)  AND
            C~_i = Commit~(m_i; rho~_i) }
]]></artwork>
      <t>i.e. that <tt>C_i</tt> and <tt>C~_i</tt> open to the same value.
All instances of <tt>EQ</tt> run in parallel.</t>
      <t>For Pedersen-to-Pedersen transfer across the credential and Tom curves, <tt>EQ</tt> <bcp14>MUST</bcp14> be instantiated with a cross-group equality-of-opening proof for small-integer messages (the technique of <xref target="OKMZ"/>); the limb encoding of <xref target="encoding"/> guarantees the small-message precondition.</t>
      <section anchor="protocol">
        <name>Protocol</name>
        <t>Unrolling the reduction of <xref target="PAPER"/> with <tt>EQ</tt> instantiated by the cross-group proof of <xref target="OKMZ"/> gives the following per-limb, public-coin protocol.
It is run in parallel over all committed limbs, sharing a single challenge <tt>c</tt>.
Write <tt>(g, h)</tt> for the credential-curve Pedersen generators and <tt>(G_t, H_t)</tt> for the Tom generators (<xref target="encoding"/>), and let <tt>b_m</tt>, <tt>b_c</tt>, <tt>b_f</tt> be the <xref target="OKMZ"/> message-bound, challenge, and slack widths, with</t>
        <artwork><![CDATA[
b_m + b_c + b_f  <  log2( min(|F_s|, |F_q|) )
]]></artwork>
        <t>so that every value below stays an integer in both scalar fields (no wraparound).</t>
        <artwork><![CDATA[
Prover P                                  Verifier V
  inputs: m_i, rho_i  (0 <= m_i < 2^b_m)  inputs: C_i = m_i*g + rho_i*h

  # 1. new commitment: reduce the statement to Tom
  rho~_i <- F_q
  C~_i = m_i*G_t + rho~_i*H_t
                 ---            C~_i            --->

  # 2. announcement: bounded masks in both groups
  k_i  <- { 0, ..., 2^(b_m + b_c + b_f) - 1 }
  t_i  <- F_s;   t~_i <- F_q
  A_i  = k_i*g   + t_i*h
  A~_i = k_i*G_t + t~_i*H_t
                 ---         A_i, A~_i          --->
                 <---   c <- {0,...,2^b_c - 1}  ---
  # 3. bounded response (z_i over the integers)
  z_i  = k_i  + c*m_i
  s_i  = t_i  + c*rho_i        (in F_s)
  s~_i = t~_i + c*rho~_i       (in F_q)
  if z_i outside the admissible range R: abort and restart
                 ---       z_i, s_i, s~_i       --->

Verifier checks (per limb i):
  (1)  z_i*g   + s_i*h    == A_i  + c*C_i   # open, cred curve
  (2)  z_i*G_t + s~_i*H_t == A~_i + c*C~_i  # open, Tom curve
  (3)  z_i in R                             # range: no wraparound
]]></artwork>
        <t>The abort in step 3 is the rejection sampling of <xref target="OKMZ"/>; the admissible range <tt>R</tt> and the exact bound widths are those of <xref target="OKMZ"/>, to which implementations <bcp14>MUST</bcp14> conform.
On acceptance, both parties use Pedersen homomorphism to fold the per-limb Tom commitments <tt>C~_i</tt>, weighted by the appropriate powers of <tt>2^b_m</tt>, into the two single-scalar coordinate commitments</t>
        <artwork><![CDATA[
C_x = Commit~(x; rho_x),    C_y = Commit~(y; rho_y)
]]></artwork>
        <t>These two commitments, together denoted <tt>C_Q</tt>, are the output statement of the reduction and the committed form of <tt>Q</tt> used by the remaining proofs.</t>
        <t>This document adopts 128-bit limbs (and the parameters <tt>b_m = 128, b_c = 112, b_f = 8</tt>) for the transfer, as in <xref target="PAPER"/>: this minimizes the number of cross-group instances, and with the <xref target="OKMZ"/> parameters achieves 112-bit security.
Smaller limbs (e.g. 64-bit) work equally well -- they leave more headroom below <tt>min(|F_s|, |F_q|)</tt> and so can reach higher soundness -- at the cost of proportionally more cross-group instances; profiles with stricter requirements <bcp14>SHOULD</bcp14> adjust the limb size and repetition accordingly.</t>
      </section>
    </section>
    <section anchor="rok-group">
      <name>Reduction to Curve Operations</name>
      <t>After transfer, the statement is (Eq. POP) with <tt>Q</tt> committed over Tom as <tt>C_Q</tt>, <tt>K</tt> and <tt>Hpt</tt> public.
The <tt>group</tt> reduction introduces the point <tt>Z = z*K</tt> and splits (Eq. POP) into independent scalar-multiplication and point-addition statements.</t>
      <t>Inputs:</t>
      <artwork><![CDATA[
statement: (C_Q, K, Hpt)   witness: (z, Q, rho_Q)
relation:  z*K = Hpt + Q
]]></artwork>
      <t>Protocol:</t>
      <ol spacing="normal" type="1"><li>
          <t>P computes <tt>Z = z*K</tt>, samples randomness <tt>rho_Z</tt>, and sends <tt>C_Z = Commit~(Z; rho_Z)</tt> (a Tom commitment to the P-256 point <tt>Z</tt>).</t>
        </li>
        <li>
          <t>Both parties compute <tt>C_H = Commit~(Hpt; 0)</tt>, the (deterministic, zero-randomness) commitment to the public point <tt>Hpt</tt>.</t>
        </li>
        <li>
          <t>The reduction outputs two statements:  </t>
          <ul spacing="normal">
            <li>
              <t>Scalar multiplication: <tt>statement_SM = (C_Z, K)</tt>, <tt>witness_SM = (Z, rho_Z, z)</tt>, asserting <tt>Z = z*K</tt>.</t>
            </li>
            <li>
              <t>Point addition: <tt>statement_PA = (C_Q, C_H, C_Z)</tt>, <tt>witness_PA</tt> the openings of the three commitments, asserting <tt>Q + Hpt = Z</tt> (equivalently <tt>Z = Hpt + Q</tt>, Eq. POP).</t>
            </li>
          </ul>
        </li>
      </ol>
      <t>Note that <tt>C_Q = (C_x, C_y)</tt> is a pair of coordinate commitments; the point-addition proof of <xref target="point-addition"/> operates per coordinate.
Likewise <tt>C_Z</tt> and <tt>C_H</tt> are coordinate-commitment pairs.</t>
      <t>The two output statements are then proved in a parallel composition: <tt>SM x PA</tt>.</t>
    </section>
    <section anchor="scalar-mult">
      <name>Scalar-Multiplication Proof</name>
      <t>This section specifies the Sigma protocol <tt>SM</tt> proving the relation</t>
      <artwork><![CDATA[
R_SM = { ((C_Z, K) ; Z, rho_Z, z) :
            C_Z = Commit~(Z; rho_Z)  AND  Z = z*K }
]]></artwork>
      <t>where <tt>K</tt> is a public P-256 point, <tt>z</tt> a secret scalar, and <tt>Z</tt> a P-256 point committed over Tom.</t>
      <t><tt>SM</tt> is the scalar-multiplication proof of CDLS <xref target="CDLS"/>, used here with one modification from <xref target="PAPER"/>: the original protocol additionally committed to the scalar, whereas here <tt>z</tt> is a free (uncommitted) witness, which improves efficiency.</t>
      <t>It is a bit-challenge Schnorr-type proof: a single execution uses a one-bit verifier challenge and has knowledge-soundness error <tt>1/2</tt>.
To reach error <tt>2^-lambda</tt>, <tt>lambda</tt> independent executions are run in parallel (<tt>lambda = 128</tt> is <bcp14>RECOMMENDED</bcp14>).
In one execution, the prover derives from its witness an auxiliary ("combined") instance using fresh randomness, sends the corresponding commitments, the verifier replies with a challenge bit, and the prover opens one of two related committed instances according to that bit; the point relation among the committed instances is established by invoking the point-addition proof internally.
The per-execution protocol is that of <xref target="CDLS"/> (Construction for <tt>R_SM</tt>), with the scalar treated as a free witness as noted above.</t>
      <section anchor="protocol-1">
        <name>Protocol</name>
        <t>The following is one execution, between prover <tt>P</tt> and verifier <tt>V</tt>; <tt>lambda</tt> such executions run in parallel and share a single Fiat-Shamir transcript (<xref target="fiat-shamir"/>).
<tt>F_np</tt> is the scalar field of P-256, and <tt>Commit~</tt> the Tom commitment scheme of <xref target="transfer"/>.
As in <xref target="rok-group"/> and <xref target="point-addition"/>, each <tt>Commit~</tt> to a P-256 point is a pair of coordinate commitments -- one to the <tt>x</tt> and one to the <tt>y</tt> coordinate -- so <tt>C_Z</tt>, <tt>C'</tt>, and <tt>C''</tt> are coordinate-commitment pairs, and the openings (<tt>rho_Z</tt>, <tt>rho'</tt>, <tt>rho''</tt>, <tt>tau</tt>) and check (2) are taken per coordinate.</t>
        <artwork><![CDATA[
Prover P                                        Verifier V
  inputs: Z, z, rho_Z   (Z = z*K)               inputs: C_Z, K

  # sample a fresh "combined" instance
  omega <- F_np \ {0, z, 2z}
  Z'  = omega*K                  # public-scalar multiples of K
  Z'' = (omega - z)*K
  rho', rho'' <- Tom randomness
  C'  = Commit~(Z';  rho')
  C'' = Commit~(Z''; rho'')

  # point-addition instance over the committed points,
  # asserting  Z + Z'' = Z' :
  #   statement_PA = (C_Z, C'', C')
  #   witness_PA   = (Z, rho_Z, Z'', rho'', Z', rho')
  # PA is run with the C[2]-opening dropped (see {{point-addition}})
  msg_1 = announcement of PA on statement_PA
                 ---     C', C'', msg_1     --->
                 <---       b <- {0,1}      ---
  msg_2 = response of PA under challenge b
  if b = 0:  (alpha, tau) = (omega,       rho')
  if b = 1:  (alpha, tau) = (omega - z,   rho'')
                 ---   alpha, tau, msg_2    --->

Verifier checks:
  (1)  PA on (C_Z, C'', C') accepts the transcript (msg_1, b, msg_2)
  (2)  if b = 0:  C'  == Commit~(alpha*K; tau)
       if b = 1:  C'' == Commit~(alpha*K; tau)
]]></artwork>
        <t>Because <tt>Z' = omega*K</tt> and <tt>Z'' = (omega - z)*K</tt> are public-scalar multiples of <tt>K</tt>, the committed points satisfy <tt>Z + Z'' = z*K + (omega - z)*K = omega*K = Z'</tt>; the point-addition proof <tt>PA</tt> (<xref target="point-addition"/>) establishes this relation among <tt>C_Z</tt>, <tt>C''</tt>, <tt>C'</tt>, and is run here with the one-bit challenge <tt>b</tt>, which it shares with the opening (its announcement and response are <tt>msg_1</tt> and <tt>msg_2</tt>).
Inside this composition <tt>PA</tt> drops its <tt>C[2]</tt> opening proof (the lines flagged <tt>omit in SM</tt> in <xref target="point-addition"/>), since the opening of <tt>C_Z</tt> is recovered from the two openings revealed across the <tt>b = 0</tt> and <tt>b = 1</tt> transcripts.
The exclusion of <tt>{0, z, 2z}</tt> when sampling <tt>omega</tt> keeps <tt>Z</tt>, <tt>Z'</tt>, <tt>Z''</tt> non-identity and pairwise non-opposite, so the non-degeneracy precondition of <xref target="point-addition"/> holds.
An extractor with accepting responses for both <tt>b = 0</tt> and <tt>b = 1</tt> recovers <tt>alpha_0 = omega</tt> and <tt>alpha_1 = omega - z</tt>, hence <tt>z = alpha_0 - alpha_1</tt> and the opening of <tt>C_Z</tt> as <tt>Z = z*K</tt>; revealing only one opening per execution gives (statistical) honest-verifier zero knowledge.</t>
        <t>When expressed via <xref target="SIGMA"/>, <tt>SM</tt> is a custom <tt>SigmaProtocol</tt> (not a plain <tt>LinearRelation</tt>): its challenge is a single bit and the protocol is run as <tt>lambda</tt> parallel repetitions.
Its zero-knowledge simulator follows the standard simulation for bit-challenge Sigma protocols (sample the challenge bit, then produce a consistent commitment and response).</t>
      </section>
    </section>
    <section anchor="point-addition">
      <name>Point-Addition Proof</name>
      <t>This section specifies the Sigma protocol <tt>PA</tt> proving the relation</t>
      <artwork><![CDATA[
R_PA = { ((C_1, C_2, C_3) ; P_1, P_2, P_3, openings) :
            C_i = Commit~(P_i; rho_i)  AND  P_1 + P_2 = P_3 }
]]></artwork>
      <t>over Tom commitments to the affine coordinates of <tt>P_1 = (a_x, a_y)</tt>, <tt>P_2 = (b_x, b_y)</tt>, <tt>P_3 = (t_x, t_y)</tt>, under the promise <tt>P_1 != +-P_2</tt> and <tt>P_1, P_2 != identity</tt> (guaranteed by the callers in this document).
Each <tt>C_i</tt> is a pair of coordinate commitments; we write <tt>C_1 = (C[1], C[2])</tt>, <tt>C_2 = (C[3], C[4])</tt>, <tt>C_3 = (C[5], C[6])</tt>, committing to <tt>a_x, a_y, b_x, b_y, t_x, t_y</tt> respectively, all over Tom with generators <tt>(G, H) = (G_t, H_t)</tt>.</t>
      <section anchor="affine-addition-constraints">
        <name>Affine Addition Constraints</name>
        <t>For <tt>P_3 = P_1 + P_2</tt> with <tt>tau = (b_y - a_y) / (b_x - a_x)</tt> over <tt>F_q</tt>, the affine addition law is equivalent to the three constraints</t>
        <artwork><![CDATA[
(C1)   tau * (b_x - a_x) = b_y - a_y
(C2)   tau^2             = a_x + b_x + t_x
(C3)   tau * (a_x - t_x) = a_y + t_y
]]></artwork>
        <t>together with <tt>b_x - a_x != 0</tt> (which enforces <tt>P_1 != +-P_2</tt>).
<tt>PA</tt> proves knowledge of openings of the coordinate commitments and of a commitment to <tt>tau</tt> satisfying (C1)-(C3).</t>
      </section>
      <section anchor="protocol-2">
        <name>Protocol</name>
        <t>Both parties first recompute, by Pedersen homomorphism, the derived commitments</t>
        <artwork><![CDATA[
C_f1 = C[3] - C[1]        # commits to (b_x - a_x)   : factor of (C1)
C_p1 = C[4] - C[2]        # commits to (b_y - a_y)   : product of (C1)
C_p2 = C[1] + C[3] + C[5] # (a_x + b_x + t_x) : product of (C2)
C_f3 = C[1] - C[5]        # commits to (a_x - t_x)   : factor of (C3)
C_p3 = C[2] + C[6]        # commits to (a_y + t_y)   : product of (C3)
]]></artwork>
        <t>(Here <tt>C_f_i</tt>, <tt>C_p_i</tt> are the "factor" and "product" commitments of the i-th constraint.)  The prover commits to <tt>tau</tt> as <tt>C_tau = tau*G + r_tau*H</tt>.</t>
        <t>The protocol is a three-move public-coin Sigma protocol: the prover sends a commitment message, the verifier replies with a uniform challenge <tt>c</tt> in <tt>F_q</tt>, and the prover sends a response.
The verifier accepts iff all checks below hold.</t>
        <artwork><![CDATA[
Prover P                                      Verifier V
  inputs: a_x,a_y,b_x,b_y,t_x,t_y, r_1..r_6
                                              inputs: C[1..6]

  tau = (b_y - a_y)/(b_x - a_x);  r_tau <- F_q
  C_tau = tau*G + r_tau*H

  # masks
  a_tau, a_rtau, a_f1, a_rf1, a_e1, a_e2 <- F_q
  a_f3, a_rf3, a_e3 <- F_q
  a_2, a_r2 <- F_q                 # omit in SM (opening of C[2])
  beta_2, beta_3, beta_4 <- F_q;   beta_1 <- F_q \ {0}

  T1 = a_tau*G + a_rtau*H
  T2 = a_f1*G  + a_rf1*H
  T3 = a_tau*C_f1 + a_e1*H
  T4 = a_tau*C_tau + a_e2*H
  T5 = a_f3*G  + a_rf3*H
  T6 = a_f3*C_tau + a_e3*H
  T7 = a_2*G   + a_r2*H            # omit in SM
  U1 = (beta_1*(b_x - a_x))*G
  U2 = beta_2*C_f1 + beta_3*H
  U3 = beta_4*G
                  --- C_tau, T1..T6, T7, U1..U3 --->   # T7: omit in SM
                  <---            c <- F_q        ---
  z_tau  = a_tau + c*tau
  z_rtau = a_rtau + c*r_tau
  z_f1   = a_f1  + c*(b_x - a_x)
  z_rf1  = a_rf1 + c*(r_3 - r_1)
  z_e1   = a_e1  + c*((r_4 - r_2) - (r_3 - r_1)*tau)
  z_e2   = a_e2  + c*((r_1 + r_3 + r_5) - r_tau*tau)
  z_f3   = a_f3  + c*(a_x - t_x)
  z_rf3  = a_rf3 + c*(r_1 - r_5)
  z_e3   = a_e3  + c*((r_2 + r_6) - r_tau*(a_x - t_x))
  z_2    = a_2   + c*a_y           # omit in SM
  z_r2   = a_r2  + c*r_2           # omit in SM
  v_1    = beta_2 + c*beta_1
  v_2    = beta_3 - c*beta_1*(r_3 - r_1)
  v_3    = beta_4 + c*beta_1*(b_x - a_x)
                  ---  z_*, v_1, v_2, v_3  --->

Verifier checks:
  (1)  z_tau*G + z_rtau*H   == T1 + c*C_tau
  (2)  z_f1*G  + z_rf1*H    == T2 + c*C_f1
  (3)  z_tau*C_f1 + z_e1*H  == T3 + c*C_p1
  (4)  z_tau*C_tau + z_e2*H == T4 + c*C_p2
  (5)  z_f3*G  + z_rf3*H    == T5 + c*C_f3
  (6)  z_f3*C_tau + z_e3*H  == T6 + c*C_p3
  (7)  z_2*G   + z_r2*H     == T7 + c*C[2]      # omit in SM
  (8)  U1 != identity
  (9)  c*U1 + U3 == v_3*G
  (10) c*U1 + U2 == v_1*C_f1 + v_2*H
]]></artwork>
        <t>Checks (1)-(2) and (5) are openings; checks (3)-(4) and (6) prove the multiplicative / squaring constraints (C1)-(C3) (check (4) is a squaring proof realizing constraint (C2)); check (7) is the opening proof of <tt>C[2]</tt>, the <tt>y</tt>-coordinate commitment of <tt>P_1</tt>; and checks (8)-(10) are the non-zero proof for <tt>C_f1</tt>, establishing <tt>b_x - a_x != 0</tt> and hence <tt>P_1 != +-P_2</tt>.</t>
        <t>The lines flagged <tt>omit in SM</tt> -- the masks <tt>a_2, a_r2</tt>, the announcement <tt>T7</tt>, the responses <tt>z_2, z_r2</tt>, and check (7) -- together form the opening proof of <tt>C[2]</tt>.
They are <bcp14>REQUIRED</bcp14> when <tt>PA</tt> is used standalone, as in the <tt>SM x PA</tt> composition of <xref target="rok-group"/> that proves <tt>Z = Hpt + Q</tt>.
They are dropped when <tt>PA</tt> is composed inside <tt>SM</tt> (<xref target="scalar-mult"/>): there the opening of <tt>C[2]</tt> is instead extracted from the two colliding transcripts of the bit-challenge execution (Optimisation 3 of <xref target="PAPER"/>), so proving it again would be redundant.</t>
        <ul empty="true">
          <li>
            <t>Note on further optimizations (from <xref target="PAPER"/>): constraint (C2) uses a dedicated squaring proof rather than a generic multiplication proof, and the mask <tt>(a_tau, a_rtau)</tt> of <tt>C_tau</tt> is shared across the three coordinate proofs.</t>
          </li>
        </ul>
      </section>
      <section anchor="expressing-pa-via-the-sigma-protocols-interface">
        <name>Expressing PA via the Sigma-Protocols Interface</name>
        <t>Each of checks (1)-(7) and (9)-(10) has the form <tt>linear_map(response) == commitment + challenge * image</tt>, i.e. a <xref target="SIGMA"/> <tt>LinearRelation</tt> whose group bases are <tt>G</tt>, <tt>H</tt>, and statement commitments (<tt>C_f1</tt>, <tt>C_tau</tt>).
An implementation <bcp14>MAY</bcp14> therefore realize <tt>PA</tt> by allocating the scalar witnesses (<tt>tau</tt>, the coordinate values, and the opening randomizers) and elements (<tt>G</tt>, <tt>H</tt>, the <tt>C_*</tt> commitments) with <tt>allocate_scalars</tt> / <tt>allocate_elements</tt>, encoding (C1)-(C3) and the opening relations with <tt>append_equation</tt> and <tt>set_elements</tt>, and running the resulting batch as a single Sigma protocol.
The multiplicative and squaring checks (3),(4),(6) use statement commitments (<tt>C_f1</tt>, <tt>C_tau</tt>) as bases -- bound to allocated elements via <tt>set_elements</tt> -- rather than fixed generators; this is the standard Sigma technique for multiplication of committed values, and it stays within the <tt>LinearRelation</tt> interface.</t>
        <t>The non-zero proof for <tt>C_f1</tt> (masks <tt>beta_1..beta_4</tt>, elements <tt>U1, U2, U3</tt>, responses <tt>v_1, v_2, v_3</tt>, and checks (8)-(10)) is a distinct gadget of <xref target="CDLS"/> and does not reduce to a plain <tt>LinearRelation</tt>.
Its relations (9)-(10) are linear (over bases <tt>G</tt>, <tt>H</tt>, <tt>C_f1</tt>, with the prover-sent <tt>U1</tt> as image), but the defining ingredient is check (8), <tt>U1 != identity</tt> -- a non-identity test on a prover message, not a linear relation.
Because <tt>U1 = (beta_1*(b_x - a_x))*G</tt> for a uniform nonzero mask <tt>beta_1</tt>, <tt>U1</tt> is the identity exactly when <tt>b_x - a_x = 0</tt>; check (8) thus certifies <tt>b_x - a_x != 0</tt> (hence <tt>P_1 != +-P_2</tt>).
An implementation <bcp14>MUST</bcp14> perform check (8) explicitly, outside the batched <tt>LinearRelation</tt>.</t>
      </section>
    </section>
    <section anchor="fiat-shamir">
      <name>Non-Interactive Proofs (Fiat-Shamir)</name>
      <t>The interactive protocols above are public-coin and are made non-interactive with the Fiat-Shamir transform specified in the companion document <xref target="FIAT-SHAMIR"/>, applied to the Sigma protocols composed via <xref target="SIGMA"/>: each verifier challenge -- the equality-proof challenge of <xref target="transfer"/>, the bit-challenge <tt>b</tt> of <xref target="scalar-mult"/>, and the challenge <tt>c</tt> of <xref target="point-addition"/> -- is derived by absorbing, into the <xref target="FIAT-SHAMIR"/> codec (duplex sponge), a transcript that includes a protocol/version domain separator, the ciphersuite identifier, the full statement, and all prior prover messages.</t>
      <t>Implementations <bcp14>MUST</bcp14> use the codec and challenge-derivation of <xref target="FIAT-SHAMIR"/> and <bcp14>MUST</bcp14> include the following in the Fiat-Shamir transcript:</t>
      <ul spacing="normal">
        <li>
          <t>a fixed domain-separation label for this PoP and its version;</t>
        </li>
        <li>
          <t>the public statement of (Eq. POP): <tt>K</tt>, <tt>nonce</tt> (or <tt>Hpt</tt>), and the committed key <tt>C_Q</tt> (and, after transfer, the Tom commitments);</t>
        </li>
        <li>
          <t>for the bound presentation context, the challenge octets supplied by the calling protocol (see <xref target="integration"/>).</t>
        </li>
      </ul>
      <t>The exact Fiat-Shamir binding for the composed protocol is not yet fixed by this document.
In particular, the precise inputs absorbed before each challenge -- the domain separator, the credential- and Tom-curve commitments and announcements of the transfer (<xref target="transfer"/>), the prover messages of <tt>SM</tt> and <tt>PA</tt>, and the <xref target="OKMZ"/> bound parameters -- remain to be specified, and <bcp14>MUST</bcp14> be pinned down (consistent with <xref target="FIAT-SHAMIR"/>) before this profile is interoperable.
The move structure of the sub-protocols is normative; the exact byte-level Fiat-Shamir inputs and complete composed protocol specification are deferred to a future revision.</t>
    </section>
    <section anchor="integration">
      <name>Integration with Modular BBS</name>
      <t>When used as the <tt>ecdsa-p256-db</tt> sub-proof of <xref target="MODULAR-BBS"/>:</t>
      <ul spacing="normal">
        <li>
          <t>The holder's P-256 public key occupies four committed BBS messages carrying its 128-bit limbs, encoded as in <xref target="encoding"/>.
The sub-proof carries <tt>alg = "ecdsa-p256-db"</tt> and takes no inputs beyond the base sub-proof fields; its <tt>i</tt> field <bcp14>MUST</bcp14> be <tt>[0, 1, 2, 3]</tt>, naming the four indices that hold these limbs.
The BBS core proof (<tt>CoreProofGen</tt>) exposes the four messages as Pedersen commitments over the credential curve; these are the inputs <tt>C_i</tt> to the transfer of <xref target="transfer"/>.</t>
        </li>
        <li>
          <t>The four messages <bcp14>MAY</bcp14> be populated at issuance as committed messages using blind BBS issuance (<xref target="BLIND-BBS"/>): the holder sends the issuer a commitment to its device public key (with the holder-held blinding scalar) and a proof of its correctness, and the issuer blindly signs without learning <tt>Q</tt>.
This keeps the device secret key bound to the holder's secure element and unknown to the issuer, and the issuance-time commitment to <tt>Q</tt> is reused as the transfer input above.</t>
        </li>
        <li>
          <t>The message signed by the secure element is not transmitted; both parties recompute it as <tt>db_msg = "JWP-BBS-DB-CHAL" || presentation_header_octets</tt>, where <tt>"JWP-BBS-DB-CHAL"</tt> is the literal ASCII string.
Because <tt>db_msg</tt> binds <tt>presentation_header_octets</tt> (which carries the <tt>nonce</tt> and <tt>aud</tt>), it is fresh per presentation.
<tt>db_msg</tt> is the ECDSA message of the PoP: it plays the role of <tt>nonce</tt> in <xref target="overview"/>, so <tt>alpha</tt> and <tt>Hpt</tt> are formed from <tt>H(db_msg)</tt>.</t>
        </li>
        <li>
          <t>The <tt>proof</tt> bytes are the serialized non-interactive PoP (<xref target="fiat-shamir"/>): a zero-knowledge proof of knowledge of <tt>(Q, (r, s))</tt> such that the four commitments at the indices in <tt>i</tt> open to the 128-bit limbs of <tt>Q</tt>, and <tt>(r, s)</tt> is a valid ECDSA P-256 signature on <tt>db_msg</tt> under <tt>Q</tt>.</t>
        </li>
        <li>
          <t>The verifier accepts iff the four indices in <tt>i</tt> are all committed in the core proof and the sub-proof verifies against the four commitments and the locally recomputed <tt>db_msg</tt>.
This meets the <xref target="MODULAR-BBS"/> requirement that a sub-proof bind to commitments attested by the core proof, since the transfer of <xref target="transfer"/> ties the Tom commitments <tt>C_Q</tt> to the credential-curve commitments produced by <tt>CoreProofGen</tt>.</t>
        </li>
      </ul>
      <t>The PoP itself is agnostic to the credential scheme: any scheme that can expose a Pedersen commitment to the device public key over a curve supported by the transfer of <xref target="transfer"/> can use this sub-proof.</t>
    </section>
    <section anchor="implementation-status">
      <name>Implementation Status</name>
      <ul empty="true">
        <li>
          <t>Note to the RFC Editor: please remove this section before publication.</t>
        </li>
      </ul>
      <t>A public, benchmarked reference implementation of the complete Schnorr-type PoP specified here -- the <tt>( SM x PA ) o group o transfer</tt> composition of <xref target="overview"/>, including the <xref target="OKMZ"/> style commitment transfer of <xref target="transfer"/> and the Tom-256 scalar-multiplication and point-addition proofs -- is available at <eref target="https://github.com/hpicrypto/ecdsa_pops">https://github.com/hpicrypto/ecdsa_pops</eref>.
It is written in Rust and underlies the measurements reported in <xref target="PAPER"/>.</t>
      <t><xref target="PAPER"/> gives three realizations of the same ECDSA-device-binding relation -- the Schnorr-type proof specified in this document and two circuit-based variants that are out of scope here (see <xref target="scope"/>) -- and earlier variants of the Schnorr-type approach appear in <xref target="UBIQUE"/>.
The repository above is the specific implementation that matches this document's Schnorr-type protocol and parameter choices.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <dl>
        <dt>Knowledge soundness.</dt>
        <dd>
          <t>The composed protocol is a proof of knowledge for (Eq. POP) (see <xref target="PAPER"/> for the analysis in the reductions-of-knowledge framework).
<tt>SM</tt> has soundness error <tt>2^-lambda</tt> after <tt>lambda</tt> parallel repetitions; <tt>PA</tt> has the <tt>2^-lambda</tt> soundness error of a Sigma protocol over <tt>F_q</tt>.
At the moment, we set <tt>lambda = 128</tt>, but since the commitment linking protocol <xref target="transfer"/> achieves 112 bits of soundness for our proposed parameters, we may update to <tt>lambda = 112</tt> in future revisions.
Soundness of the overall PoP additionally relies on the binding of all Pedersen commitments, i.e. on the discrete-log assumption in both the credential curve and the Tom curve, and on the small-message soundness precondition of the transfer proof (<xref target="transfer"/>).</t>
        </dd>
        <dt>Zero knowledge / unlinkability.</dt>
        <dd>
          <t>Each sub-protocol is honest-verifier zero-knowledge; with Fiat-Shamir over a random oracle the composition is non-interactive zero-knowledge.
The device public key <tt>Q</tt> is the only long-lived value and remains perfectly hidden by the Pedersen commitments, so presentations are unlinkable.
The ephemeral value <tt>K</tt> is fresh per signature and per presentation; revealing it does not link presentations.
Implementations <bcp14>MUST</bcp14> use fresh randomness for every commitment and every proof; reuse of the per-execution randomness in <tt>SM</tt>, of commitment randomizers, or of the per-presentation <tt>nonce</tt> can leak the secret key or link presentations.</t>
        </dd>
        <dt>Secure-element trust.</dt>
        <dd>
          <t>This PoP assumes the device secret key never leaves the secure element and that the element produces signatures only on inputs presented to it; the holder cannot extract the key.
Revealing <tt>K</tt> as part of the statement is sound for proof of possession only under the honest-secure-element assumption discussed in <xref target="PAPER"/>.</t>
        </dd>
        <dt>Choice of the Tom curve.</dt>
        <dd>
          <t>Using the Tom curve introduces a discrete-log assumption over an additional, less-studied curve.
Deployments unwilling to take this assumption should use a circuit-based realization instead (out of scope here).
<tt>(G_t, H_t)</tt> and all credential-curve generators <bcp14>MUST</bcp14> be nothing-up-my-sleeve / verifiably random so no party knows discrete-log relations among them.</t>
        </dd>
        <dt>Non-degeneracy.</dt>
        <dd>
          <t>The point-addition proof is sound only under <tt>P_1 != +-P_2</tt> and <tt>P_1, P_2 != identity</tt>.
The callers in this document guarantee these: <tt>SM</tt> excludes the degenerate scalars when forming its auxiliary instances (per <xref target="CDLS"/>), and the <tt>group</tt> reduction fixes the operands structurally.
Other callers <bcp14>MUST</bcp14> establish these preconditions independently.</t>
        </dd>
        <dt>Post-quantum.</dt>
        <dd>
          <t>As with all discrete-log Sigma protocols, these proofs provide (statistical) zero-knowledge against unbounded adversaries but are not sound against quantum adversaries.</t>
        </dd>
      </dl>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions of its own.
It defines the construction behind the <tt>ecdsa-p256-db</tt> sub-proof algorithm whose registration is requested by <xref target="MODULAR-BBS"/> in that document's sub-proof algorithm registry; this document does not create a new registry.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="SIGMA">
          <front>
            <title>Interactive Sigma Proofs</title>
            <author fullname="Michele Orrù" initials="M." surname="Orrù">
              <organization>CNRS</organization>
            </author>
            <author fullname="Cathie Yun" initials="C." surname="Yun">
              <organization>Apple, Inc.</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   A Sigma Protocol is an interactive zero-knowledge proof of knowledge
   that allows a prover to convince a verifier of the validity of a
   statement.  It satisfies the properties of completeness, soundness,
   and zero-knowledge, as described in Section 3.

   This document describes Sigma Protocols for proving knowledge of pre-
   images of linear maps in prime-order elliptic curve groups.  Examples
   include zero-knowledge proofs for discrete logarithm relations,
   ElGamal encryptions, Pedersen commitments, and range proofs.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-sigma-protocols-02"/>
        </reference>
        <reference anchor="FIAT-SHAMIR">
          <front>
            <title>Fiat-Shamir Transformation</title>
            <author fullname="Michele Orrù" initials="M." surname="Orrù">
              <organization>CNRS</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document describes how to construct a non-interactive proof via
   the Fiat–Shamir transformation, using a generic procedure that
   compiles an interactive proof into a non-interactive one by relying
   on a stateful duplex sponge object.

   The duplex sponge interface requires two methods: absorb and squeeze,
   which respectively read and write elements of a specified base type.
   The absorb operation incrementally updates the duplex sponge's
   internal state, while the squeeze operation produces variable-length,
   unpredictable outputs.  This interface can be instantiated with
   different constructions based on permutation or compression
   functions.

   This specification also defines codecs to securely map prover
   messages into the duplex sponge domain, from the duplex sponge domain
   into verifier messages.  It also establishes how the non-interactive
   argument string should be serialized.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-fiat-shamir-02"/>
        </reference>
        <reference anchor="MODULAR-BBS" target="https://c2bo.github.io/draft-bormann-jwp-modular-bbs/draft-bormann-jwp-modular-bbs.html">
          <front>
            <title>BBS and Modular Sub-proofs with JSON Web Proofs</title>
            <author initials="C." surname="Bormann" fullname="Christian Bormann">
              <organization/>
            </author>
            <author initials="B." surname="Zundel" fullname="Brent Zundel">
              <organization/>
            </author>
            <date year="2025"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-bormann-jwp-modular-bbs"/>
        </reference>
        <reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf">
          <front>
            <title>SEC 1: Elliptic Curve Cryptography, Version 2.0</title>
            <author>
              <organization>Standards for Efficient Cryptography Group</organization>
            </author>
            <date year="2009"/>
          </front>
        </reference>
        <reference anchor="FIPS186-5" target="https://doi.org/10.6028/NIST.FIPS.186-5">
          <front>
            <title>Digital Signature Standard (DSS)</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2023"/>
          </front>
          <seriesInfo name="FIPS" value="PUB 186-5"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="PAPER">
          <front>
            <title>Device Binding for Anonymous Credentials on Legacy Phones</title>
            <author fullname="Sofia Celi">
              <organization/>
            </author>
            <author fullname="Anja Lehmann">
              <organization/>
            </author>
            <author fullname="Shai Levin">
              <organization/>
            </author>
            <author fullname="Alexandros Zacharakis">
              <organization/>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="BBS">
          <front>
            <title>The BBS Signature Scheme</title>
            <author fullname="Tobias Looker" initials="T." surname="Looker">
              <organization>MATTR</organization>
            </author>
            <author fullname="Vasilis Kalos" initials="V." surname="Kalos">
              <organization>MATTR</organization>
            </author>
            <author fullname="Andrew Whitehead" initials="A." surname="Whitehead">
              <organization>Portage</organization>
            </author>
            <author fullname="Mike Lodder" initials="M." surname="Lodder">
              <organization>CryptID</organization>
            </author>
            <date day="8" month="January" year="2026"/>
            <abstract>
              <t>   This document describes the BBS Signature scheme, a secure, multi-
   message digital signature protocol, supporting proving knowledge of a
   signature while selectively disclosing any subset of the signed
   messages.  Concretely, the scheme allows for signing multiple
   messages whilst producing a single, constant size, digital signature.
   Additionally, the possessor of a BBS signatures is able to create
   zero-knowledge, proofs of knowledge of a signature, while selectively
   disclosing subsets of the signed messages.  Being zero-knowledge, the
   BBS proofs do not reveal any information about the undisclosed
   messages or the signature itself, while at the same time,
   guaranteeing the authenticity and integrity of the disclosed
   messages.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-bbs-signatures-10"/>
        </reference>
        <reference anchor="BLIND-BBS">
          <front>
            <title>Blind BBS Signatures</title>
            <author fullname="Vasilis Kalos" initials="V." surname="Kalos">
              <organization>MATTR</organization>
            </author>
            <author fullname="Greg M. Bernstein" initials="G. M." surname="Bernstein">
              <organization>Grotto Networking</organization>
            </author>
            <date day="26" month="June" year="2026"/>
            <abstract>
              <t>   This document defines an extension to the BBS Signature scheme that
   supports blind digital signatures, i.e., signatures over messages not
   known to the Signer.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Crypto Forum Research
   Group mailing list (cfrg@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/cfrg.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-bbs-blind-signatures.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-bbs-blind-signatures-03"/>
        </reference>
        <reference anchor="W3CBBS" target="https://www.w3.org/TR/vc-di-bbs/">
          <front>
            <title>Data Integrity BBS Cryptosuites v1.0</title>
            <author>
              <organization>World Wide Web Consortium (W3C)</organization>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="RoK">
          <front>
            <title>Algebraic Reductions of Knowledge</title>
            <author fullname="Abhiram Kothapalli">
              <organization/>
            </author>
            <author fullname="Bryan Parno">
              <organization/>
            </author>
            <date year="2023"/>
          </front>
          <seriesInfo name="CRYPTO" value="2023"/>
        </reference>
        <reference anchor="CDLS">
          <front>
            <title>CDLS: Proving Knowledge of Committed Discrete Logarithms with Soundness</title>
            <author initials="S." surname="Celi" fullname="Sofia Celi">
              <organization/>
            </author>
            <author initials="S." surname="Levin" fullname="Shai Levin">
              <organization/>
            </author>
            <author initials="J." surname="Rowell" fullname="Joe Rowell">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
          <seriesInfo name="AFRICACRYPT" value="2024"/>
        </reference>
        <reference anchor="ZKATTEST">
          <front>
            <title>ZKAttest: Ring and Group Signatures on top of existing ECDSA keys</title>
            <author initials="A." surname="Faz-Hernandez" fullname="Armando Faz-Hernandez">
              <organization/>
            </author>
            <author initials="W." surname="Ladd" fullname="Watson Ladd">
              <organization/>
            </author>
            <author initials="D." surname="Maram" fullname="Deepak Maram">
              <organization/>
            </author>
            <date year="2021"/>
          </front>
          <seriesInfo name="SAC" value="2021"/>
        </reference>
        <reference anchor="OKMZ">
          <front>
            <title>Beyond the Circuit: How to Minimize Foreign Arithmetic in ZKP Circuits</title>
            <author initials="M." surname="Orru" fullname="Michele Orru">
              <organization/>
            </author>
            <author initials="G." surname="Kadianakis" fullname="George Kadianakis">
              <organization/>
            </author>
            <author initials="M." surname="Maller" fullname="Mary Maller">
              <organization/>
            </author>
            <author initials="G." surname="Zaverucha" fullname="Greg Zaverucha">
              <organization/>
            </author>
            <date year="2025"/>
          </front>
          <seriesInfo name="CiC" value="2025"/>
        </reference>
        <reference anchor="LSZ" target="https://doi.org/10.1007/978-3-032-19567-8_3">
          <front>
            <title>Vision: A Modular Framework for Anonymous Credential Systems</title>
            <author initials="A." surname="Lehmann" fullname="Anja Lehmann">
              <organization/>
            </author>
            <author initials="A." surname="Sidorenko" fullname="Andrey Sidorenko">
              <organization/>
            </author>
            <author initials="A." surname="Zacharakis" fullname="Alexandros Zacharakis">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
          <seriesInfo name="SSR" value="2025"/>
        </reference>
        <reference anchor="UBIQUE">
          <front>
            <title>BBS+ Device Binding via ECDSA (EUDI Innovation Competition prototype)</title>
            <author>
              <organization>Ubique</organization>
            </author>
            <date year="2024"/>
          </front>
        </reference>
        <reference anchor="EUDI-ARF" target="https://eudi.dev/2.4.0/">
          <front>
            <title>EU Digital Identity Wallet -- Architecture and Reference Framework</title>
            <author>
              <organization>European Commission</organization>
            </author>
            <date year="2026"/>
          </front>
        </reference>
        <reference anchor="DEROSA" target="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/discussions/211/#discussioncomment-9882388">
          <front>
            <title>Discussion comment on Cryptographers' Feedback on the EU Digital Identity's ARF #211</title>
            <author initials="P. D." surname="Rosa" fullname="Paolo De Rosa">
              <organization/>
            </author>
            <date year="2024"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 676?>

<section numbered="false" anchor="note-on-authorship">
      <name>Note on Authorship</name>
      <t>The authors are listed in alphabetical order by surname and contributed equally to this work; the ordering does not denote a lead or corresponding author.
The document name uses the authors' combined initials ("cllz") rather than any single surname.
The "et al." form that appears in running headers is an artifact of the RFC document format and carries no such connotation here.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>This specification is derived from the construction and analysis in <xref target="PAPER"/>.
The Schnorr-type proof of possession formalizes and optimizes the ECDSA-device-binding approach of <xref target="UBIQUE"/> and the CDLS / zkAttest proofs of <xref target="CDLS"/> and <xref target="ZKATTEST"/>, composed through the modular credential framework of <xref target="LSZ"/> and the reductions-of-knowledge framework of <xref target="RoK"/>.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA5196XrbRrLofz5FH/mHSYWgTMpbpDhnaFlexnYsS3LyjXMz
Akg2SYxAgAFASZTGeZb7LPfJbm29AASVzGS+sSSg0Ut17VVdHQRBq4zLRB+o
nbPxPM3yPDhfL7U6ybNsWqhsqk6yotBFEWepmma5Oj56dTZUr/RVPNbqZZxO
4nS204pGo1xfQSf0OjjJTnZa46jUsyxfH6g4nWat1iQbp9ECRprk0bQMxkly
G4yn+SzQ40kRBctsGTx61CpWo0VMw5UwjwP17vT8dStdLUY6P2hNoMuDFoyz
34pyHcnb6yy/nOXZanmgjvL1sszU6yxfLdSpLnSUj+fqDb5sXeo1tJzAR2mp
81SXwSucSOtKpyvoVamGPuApT6PWl1KLKE4OFM7/b7Eup70sn8FTbHKg5mW5
LA729rANPomvdM802sMHe6M8uy70Hn6+hyPH5Xw1OlCJvorSON1rgA20SmD1
Rem6l9Y9/roXZ03f7W2Fdm9eLpJWK1qV8wxgqwIYQqnpKkl4m86yaRypI53E
9ALmDqPdRiVszYF6mUdXGpuU17ATak99SWGVeRGXa0Sal3lclFlCH2oB1Vzn
Or3Mrv4G7/Rq2YMd2Bx0mP4rUh/0fBGlacOwb6OiyNQJQKJMdQ47WQD2rkrt
DxRBF72Eu/jbfBn3JrphcfMohnGu4qZRjuZRsoDF1BZ1rpFCkmy23ljvm6yc
63S0IiSwMylgEJgJDPK3sXTZKxomM0z0TZRO8qxQXyNomUeXcfHfrt721bu1
fRkwtIDAF9DZFeH72bs3H4dADsGrXpyXU0aPIp4tAD3yrMzGWYKzeP1ueB6c
vR1+fHdabwwIUgawykWcQ8OPn159+TA8DV6+PDugKRnOAg9gVybqYzZZAUGo
s9UIR0AGcw24q/5+9ukn9YseCdfZ4Y+jfKY9bB8PRpmH6ozWI1xPmgb/ul4G
C+49GI2K+98y4uMYFvfpv0DxdhzNEXvjKFUvuYPa+5eAx6X6ukonmrshtqQG
jwZP6M9C57EukOmZnqscx3DALdPDnTk+6ldBCE9U/0AdJ0m8LOOxOlrlQH/M
qmZ5tJyvu+pnxEdg04Peo2YQXl9fA/6NZ8SH4Jd+cDXoLSfTRlhAGyCTEvYt
yicF8/7pNB7HuHh/YMsSHSAefU94c3LWf/40eFJdyasYNjFK1Fk8S6NyBczD
DKLar87OOs1Tn2Qxzbr/qPf00eD53k/vzs57OEKPhti+gp+IdmA8Sy1Ir25d
iJeOsLfsHw50oE6+vFRuNLvp+60WtvUI62R4cnxaW3VFYBI0h2mWrhfZqgBo
6glANY4SkLgpsKVZNF6rk3mWaiGG+tK2cunqyw1uWvu2ygRr325lShV0R2Kv
cQXAYWQjvLv4ycsP7356FWxpOUoAJtX2v+wfbfCQV1EZER3NcuS5yFIYCYtV
DGJRXfXvw/rrfcKe89O9q3EwiYlHbMeZX7I8mahf4okmrnSUpUWWlzGoFG2Y
WmcTCKfZ++psh8lMj/IICPVUT1ZjREFSpt6n2XWiJzP9Z9s6HM3jPFqo9yBY
omWUNG7vy3wNTOokytOsjpLNeHx0+o+T80+2ydGrDzUo0xNkw1eIpXa2OPWj
bLGIy1JP1Ku4GOcaCOlDNotgN+YL4eNnGfBEwNktSLsVYbdiI7/4e6YBwtc6
qXHbx1tWOXx9+u5oSGu17b6+H56fH5+dV5cLT0vWqU5xvcgLiJk55kQEWWZL
hIC+QbEA7VgHBn3y3oUOkbtPQJGMboO3wP7hD31ba/NLVBZI8dFkUnvzSutl
dKk+At0tqsvub1n22fDIvv/0/uPXmgzW6wyWB2qKOorzMRAN6BPZNaxNfYzT
eBHfalR5NSwcZo6bqlHOxCmA7sR8cu96P8ag4iVafcrzVe3VGw10pdX7aAJS
1fIR79MoX8M/SaLz+pe5ngH/AVVrBTzor0nbo/jIvv9wVoPDz3FButTQaiOv
AcIabYitXFmdrYtSL7YoJp5o6j969Gzv+2fPg/3g0f4g6H//5Omz4PnF/n1Y
0sSizatJrteAi5OMNOf66z9n0E+3ocrZqYXQl5fvPn853lDYvqvZeOoKqJYR
v3385dU74MVpdkXCFVnDErCFfifNEW2mTjOuEIP9Mop/X+lNasaOg+Hp6+ps
jr8oozS8ox0B/v8LIkupggCQFQysUo9JlUAKPtVTtDRg6nZnmzdOryaoFV/t
DXqPe4/ukQfHqzxb6ihlHkjG6SacXx2ffjob1nWdYrxi23kMn6LmhOByyhNo
bA/Va60no2h8SawG6LNhvQ8LBWBRDwb9fvNaRDGGUWBZIOHo8yCWz4NrAhet
OAA7PIg8oAUAtCA3QAumBmh7Ezv7Yg8G3nvgHshqgu+fPx/sP39+D36fRKBY
AS4BBy+i+o63AtjAaFSUeTQuW63zeVwomN6KIFUs9TieAuaqSBnfBCJWV42Z
G8FUtVa3Os+CSyupyK5Abr10fov2SXbSwWewhYzCVt3A9iCgQaqhOp/DUGMr
55Yr0E3GyOdVBgyI9gb1TnUSDJ48VW3QoJfwS97vqDGq4z1YgFYwFtjxJc56
7DjIPEuwexjtChYAXBWnrey0u9B5VKq4VOMoNXOCHmCFxXxjzmaqE6ZQb54o
hrNVqXJ9paMEyZb6hVc4AuzwaE1ziImk5fuRp5Qu8/gKlE8wzzSwDdICxp52
ej3PCoQZvExLJv7FqsDxwPpMYWIw5mU0SgAWBIwx4E6ZswKkYHNHqzgpQZCO
k1UBynKyhhVmCxS3i0hZo1NFBYJiomEvYBsBA4gsCAqwEYAUYx5b/77iX+IU
5FikinGERtRilZTxMjGtcp3wL8gdYJgMWgcgcePqW9pj2tqu0sBQebMmrNog
sCfYITyozpa/I7xZgq2O6LZzni12BCkEZDwzBegMmiVOO+FFjSJ4yU/R14aj
91rvSoTVROOOw3iwtJEGoCHYC8TUgjdW47J1Po3GmpRLku2vT9/wBJ0Nbyhp
7KAAXeL2aoQ0fsaYEBhMKIyBbroV85TU7r26vV7Z5V7r7Kfh6fsAFzYB4AIW
svvCTrEAvuDtCeAzYiy8LMbAZXvMFBbxZJLoVusB6vxEDti61XLi2UdLnSLO
NSEvMiVsNRYXSuQokXAYDUAAdrHSeRCRLgiz9uiW0Aomu8bOllEOoud6Hifa
o7AsBTQmIKEeBUZCqmFDClRprF0oYGcywY8cpahoDCK8qBBV0SNIO6OIwBQB
X4lofwC4MZvkBahFFVAQjkPjkablT7Ilrghos4AJ57CiQkxf2Ralp9APwOHu
Dob89g1+GGsN/2BT7Nu3ngJyBlQ1rWnbpggZdEICEwFAEZEaUfmFSGFDbpPu
0FEsj2BMI/G/fesiYGExsDDUm4nSoNN4sUw0yYNVgXRW2U+mTcC9DHeHd1/N
VqAKAWHoAhktcBpGaZjpGA10hVIsAbNR1AWzE3EC8wPsG6oxDICQyoFO45wH
R1j7YF4VDNW6pAVKWibZekGoBUsBdA2gs7QA8SpjHFQlA/FPoO9VQdhA2ARc
GpRt2G7oPAb80YK1XZpxmtEHBah8etJVOLNsGesJ7ZHdX4DxGgGoEQdxg1C4
ElvxmT5/400HWpQxgz4ikTJH3gQrBe6qxwg0LfvRPjvuGJUF9+ah6ZtnCWKn
IidgIZraOlGIQq6wUs7JN1QK7hHk8JolYEkSJoevl5kwLo2WKcs7RqcU0R4J
50rEyNkxEJceRzBl+hvXKBsFLBaQG7ehy307sIBYFrDTzhs563gnC1pcG8ou
EX+kKPu6lkHt+jYwuKsA7oK0LIm3gj6UB/JBtQ0RIukTS1ShCPgAjjKPx0I/
LDWdbKO9AasUV4PrFSgsoziHeYBKFet0AigIVJwL3xY6mCBapuTkgk6EDQce
jJowKyG9ljQvbb2HxAqzESJ+TfAsNBgyaVwsiOCiRmYPeJCwhwwIYELhh+uo
EGwFgYMG9QZbvAbdh9ZsCJfFZ0wTp21yhGs5EUg1YLjI5GJ2BIyicjwPSFyA
vE51gEgdICb5Y93dsS0AXLPVAssf9uQaQDaZoPymgWfREoHJcplEy5xNcVI5
fIxvVlo3ddUNVbCrioxxkj+u4RuqmSOtRMGySo5BA5be3t4m0VqLtAFYg0jo
qU8reJAlK6vb0Tfwu6+sMxkDJ3ZaZyR7j1BJkoDWUpRZBixjCa1Q86J5R1dZ
PGF4WSHgRCmpPoSkzFUVRlgSnc5YFzImgizEU1AK2JQHD2CS8PF2k8MK9V1/
NbvA9Cq6FfffQaW/x33FhShMBdMu6CFMMlVVOAUsITfxt28HqOuuUMtNgQk4
14ssoRCer2Y6RQEeLFf5krVwZJAFuSa6VkeBHUG1GrehrlRDNycaga1TwRxi
IaKxgV5XBdpW3Q0kTCkiAJ/tTNltFJAau0Pj7AifkB53qjuAvdnls7Qg3dVi
s8AcpiCKH5PtiLZk0SHtA5gXoDoY2uu6/oh8h4GD+4F4ErHkj0ipHufxCOUm
YREqGxNN3N9vSeSAc3qNEa4zinApluOg0Kn23Z0X+vr2rQMwrEM796hrm8Z+
d0cxOB8I9Zm4QWm+JWrbYBhR/2V0CVtJFhSLQmOBVBX+uzsvhEdMCfD/VBTw
Yh4vkfN8QvNQnfkfFnXyqBklsjwB1nXGxseeend8/tooigegzrtlCvk4MAHg
FGstbHFUDRYYBm1WWmsTNuNzb0OvqTEyz5hEuIN6SF7dsKvCD3Gqo9wsPmS4
h9T5ifQdWo+Ew1WZP872XUp2QDxGg4j1hJpFaTWXu7vqGwBAjIKKxAg2SGg2
1hgy9jUlIhA/LUSD1T7BYvjw2tt3S48Wp8nUR7I0ViMCBJ5CvzPG6zogHGIe
cp+NlrS3Mq+BWdYYmDpMqQ7NNiwYmIrlz9JLvhL1HaCJb1DfNl7EjrhDKGwK
L9GSusouRYNrAneP8cwLQSO2+WartWkd0qGrpoZqwjFAJrH1kaI6DRKwZDUp
lOwJUKSCySi8126uzcZoFax0FZ4qDIozq2aeIydC826VexIe17BAuxIl3DjK
c2L3yBD6g+cwgxKwaTEqANwIuEmMLCb89VFX9btq0FX7v4UdQg+cK4/uZkva
p9sgmFOMng+LYRVFfg46EWYyABDv7mKKyEWC3YYYC7Y2jCaIZvxRll6hLoFY
jtN4paekfgmbYT0c83MKtfPxy9n5Tpd/qp8+0e+nx5+/vDs9foW/Ayf78MH+
0pIWZ28/ffnwyv3mvjz69PHj8U+v+GN4qiqPWjsfh//YYdrZ+XRy/u7TT8MP
O6wj+tyPOC65YggvlxgCAx5UtCwLwm9eHp38v//bfwyg+Z/T10eDfv97gAv/
8bz/7DH8AWwq5dFIyeA/AcrrFug/yA7Q2ErQ5FiiaQm6EyBDAQpiSigK0Nz9
FSHz24H6YTRe9h//KA9wwZWHBmaVhwSzzScbHzMQGx41DGOhWXleg3R1vsN/
VP42cPce/vC/yB5V0H/+vz+2GEemWZJk18TVdb5gIUuagbA2UAQAPKzwsvet
TZTVOWgdsKFLD63jFoSV59BFOSkpC+j6wCQMZvnhm4sl0jrYD8iRgeSYQ5Nx
GiNHbi9zNG8BfUGIhik074CwOQnRuI1vYIKsvJUZSIzw9cXvIfXinH8ih15f
pEt+5fsLUaUBQpQFwa92SWaVqB+war0zQEYbpzvMW2lhBxs9bvFA8syMHxId
3BqAYkKnpOYQMMp7gYGNvAgimZ7cMxjucU/3fCUX+AkPNs4AeHFKtjG284XY
LmuTu8ZuqywFxqUpef6jaxQei8jIi6rKLhaJM0cBvF6ojwBq0GXDKmZwe8ro
po3U1r1Zr6tefjjrD4L9532yZIF5A0Kwt8qfPMClCBFgR554tyGJbUMkqBhK
SAKWK8GHVoNyjwt5jZa0bFL4JuRZAGcGaZtivw43QWC0Z10176DQTgEpcepX
eoyvuvjuot/t9Xrd2cUltep0jd4pwyF/FBmlwoUMlWMUfIFpASrM51mIOxTy
etuLQwWPOuqFWuzO1Hf4x+4cRkeXTk+FxWpxESv4/+4MfprXhIZNlgxvjFUZ
wTicwuRh2+ZieaYTUlpXpSQFoatNRLfzKE0kvSFIMvgEbP3F0thsAD6yLwyz
6SpgRzofIwklGsR0XghlyDazrFsBX29sxJtifDm9Vnize+JoSzClpoMRoxgC
MF66ltyP0Yign7ftXidkrWweFXOOjwh7aQO/J5Ij6woABloS8yySNLG4GzqG
Jx0oYH8q+FEJd/KjMWOU6px1Nl2lbKotQIwxMyJ+YDzDpClo36az4yINIyO5
CRwXIKXh0xW68fV1q/VOpDGbu8wbWCLPMQhIGrkunH8fuUEm7riKuxXXJP4V
XVjfipi84iRBVQRJ/9AFB7g/+r3ijTqUoBKHpUw7+avY8MzDvMGQ9Jx+PGLB
oUPxjM7JmyVzsbkmNCPVDsnNXeoLfPRC3aBRw3qjPPmMZMmmUPgZWyBKOf8f
uuUAjp6qGVsjwzrGrF7qAU74Gs2tUSvt8CK8nkHIk5MJlNWYOhdU8Lej2p1h
HphsQIlhBHIKMLQrkYmOiZiSkx8JfKIpQX3hHF+EdbR75DorRBR9Dq37NgF1
K2U1WuBCVCoOT0Z0Q1UwWYPiUcKefk/tu7szXn5UGX4Bnc4ozUwKbsnMMw2+
gBK+XCax5wYP0wyWG7L7VDBiZQyGmguePYYcK970EvJyuTvn0ajhOE0nZcdj
sRmYtnFpfIKTvILFTzZckU4M4C5i3wDmbkM4Gh73iJpZVdowsTCs5UOZXKe5
vgaNQZOTtLZIUL1Y7EtAqpyzNgTSCpZWgIwCFp1dgsi8BJYyNIo07ZhTbLqN
4MOYh5NmxSw0XlOeD1iJjL5EmGH7fVfddgTQYQ6U97r9vmM8DLfwd/7Pu6D/
Te2qglgfcj4mmUpMm7aDWXNBXpa5Hl8i6NpC1CfC2GuKJSiErT/++KN1u/se
xnrbhgl3YCw76AmIjM/UouWHP9x6EfSEgThhdJ0k5NoWfI2SFYz9PjREzVvq
hULmEeuglXjaoXOkJhkoUgnZlZt5C0iUFAgDXFgLNRt2wt5OQD8SPcZHTniZ
gX2wDTF9ZIhGmTj16skRgsDsO8VZtEvPi2sGR4MejHGMPvVaL9dAhiXStUA8
SpbziGBOtIZQx61nwJutVva/dmRWzgK+03q7LOH5C8Ud4Vbd+5/rQNwGKGY7
vLUVf5CYq5LHMMJ0CpSRl35ap0maABQNWZalGPshriggrOp3CCSKA+AOVFAO
VgEodv/caf7Hv/fUyacTmfK5uC5FK0PY++IKcA5EHHQeslJHKz+008Xp4HOO
/In3Fx07qLvakQzlVi13UR58hhNj1JiyP9A/NdLltTbcEbpjdsx+FMvB25X0
ACTDfs/T55URDCjBnJAgJVadm3fNcHau3ZqBYpQqaxcakV83pnxbC6OcZEjR
0MNpaQwIUKmWrCy0b7pqzZqjY+cIqOuMxmrUusOjixv4VlT6G1LpL27QiJBZ
hjehNyW0jI8u1u6LNX+x9r9YV76AbR30XCo1sUUCgxelBOjm2WVAqrAB75ku
VfgVRgIMDY36D0OS3KF/hX1qnNJXFropyA0QyaUS5BG9BSBgCQuIKO5tzTfy
4iN2cMaZmL6q+S/rzYWO0Mxp7ff4pEdgFyrmKy3vRDihrs3OCfu617zBddtu
NDNgj84+yqwb3NhtVu3NE/R1DFHvRKKJU+vShRWcrRejDHsFY0ssYEQHslyE
aNj72x7+9KojMYXYWTpgLxagjhnk917DWmqUazwWp9l70hCFZwM2C6fGPwDJ
1dlHdaNOhqqjMuO9sGTKTOkYWUBV34vJXKBDGWVgqb+WfmitGwkH+hMW5doZ
QLAC96XNuxThkzZHpkZrDJMyw/kPAlRdduriV5gQsXbsy7l9LbehfkC3XZYc
DNA3MDia054T37WBdQHvLkwOIMsc51aXPanHy84JEgUgHWsz9XVuS+v0AOYz
eDIXTzBZXpOBjbhznI4ztLMKCngRHfGLN9bhgQllngYqm0JMkWQIqFgcwvJM
XmI8kidI+GxVMNTNugahnCuwu+FjO5QenVtPvHrSofhq0NHWkD6I/hPspesi
b747x/Loil8HOuuqtxdlxw7uZErAbiVP/hSgdS60sflsjyQFrWerY0OSbiQy
EFkz3fRewSZOMXeOuq3HRzoiu7fMWpGHe0Qh6CXqnYzA0QjUS5kmGo3o7QjK
LBC/KGI0z2aSIXYGhUaGI3wXfXtFx9qLaSYZfqxSsq3Osbkr5xYCRVZOvfRM
iis/30Aj0pKWDifB9FglE1aeiyy5YhhNV6Su2rS8opKWx8FaiYzbRCGW8ies
BL4H/fnugRZk/4YZbBvhJCIx5tlVOZ8SKv1zAJaIbxXchxv8K6nixsllFMW6
ltIm/2ZHNCpPK4kxZxMD2RM2oXiP+Jg3B0YxlMWzK0IXHefnElsX9YQd3YKi
vXrMmjIgxZI36SXV9ANWnLS8QOFEgmdNWhBrAlYDcKG2sgTzCCgOj4nSrLrk
22Y5g+rQzcUjEOODf8InoNLfXPS7ILEfqR/wTax+4DcsbHA8NFCv44LZGgwu
8mOBoWIx/ikg6Af7KlrYfXE/NJ58p3VzGNP6pbYHL00+KXFIwAzKgQOMTPDY
EG2EBSxTR2W6BR4ycumZqt8fYGiY8Ic8Gyhmcf1WCE0ZHXzFGaMDxcrmknFz
xO+l08AwgZAj4WNkn1y5wDj8x2t6iY82kohkCZW1H0oIlKIGI50ALMnZgD5I
2rFolmYFKtiivLq1iuyraP2tWsIl01eM8hPTGCV3gVxb7PliN7wFm03qb0cd
xloaj3xIQDAIzokeJ5gbiq73GWe5tkcdYKdOuzf2smdBCsah3COvN2EdCp8p
iOSCXFGUlhlneSxZhJSzhAZ1YIxyvZBor2UX1sS5e2Dh4Kw01mt14U5YeCbN
SDIsN6BlWBDaSPbDOvdhBLRoREYOzNTk0RdbbK6oqJAVdS/Suau8zPKqy4v8
I73Waxug9BhMTCoOpz+tcsPydpv1wF3U3ViBRW828/BgnMVpJZXJfVxysGtZ
daQ6o8Jz0DmmLnFQlvKCtruY3LXb+CWu3/8E8JOsR2YKpQmsblgpTLueWUYp
SwRTQJMPaJ0xpoQoFRvnuKmUEHfmz/4IG6fXa5GGZ4wOIn4WQJXtUuHiIhaH
3X3jgmkYh13DBa6acpcJaf0v/gAebwzcP9owDtm48LTD4oX9rV2bd+ltc4Oq
Gx5/lgmYVCGWM6cX+ncY5k61YYpdRaMeYrysSxY1/8BBlTmWxf9Ba2Wnp+z0
sKECM6zadvtS1DeWXxTUJTwkUMkO/YG/oivJIBglDwqhDJNEFCZJhcMlNpiP
GLw0sh31OquKWrqW4xP1uAIe6zecBIOX2L1RIT2Xs818pV4CCchhdByPzWXT
wPjCeFfoyMUCJheYcJZNyaFcyBIrCeDZRsZ8PIYLhHzoxIJR0/i9Vdq++WKR
YEWDGO8zsJ0xZrizYYkaoUmvarW+pDkwHcORKkzF8iCxuxEGlbVbFd2t3Utf
4tmrWXxlFRDD3dAWxPV065hLkzInmGrbKSelksQjRFGd8CwDB0rY8exZpeEY
dKFfyP9vo9NGR9ig2ibbh7DRtyTM14gfXru2vx8S/cRDKuHoYoEuyNHFmH9M
LbeyMJKNCkZ4Ar7rZs+9FJQFfx1PyrmQPJMvdAwqIvRL/04VaIVoXQzaeJSo
/W9Qff/dVfDj9393lDhLja0iRjyxMdZJ0HPOp5kEMwHyo6yWcACrBCvnOo9g
T3CqHVFYT5iv/YnjGf/72fgNfgYuwZb/gcdxlGqTjrsQHReW2HHtjoiVUDyf
o/nwG8BCqQeq31OpvvZTFyQIUk1xRF4C+wafMA9SPwQKANSyfAo7h73m7uHR
Lux5a2MVeMSszuOqr3/kaQ16Ck9+rIBN8aRohzFSGRWXhYUx0Q4evr7EjmBO
dwo0cMyVABi0a/vcUYHqA+9UqpTWsNOHMGxZWdCQmfQlQUvBpyVBC17wSi/t
Ssu/tM4hbtKwslJa58ZHP/BXY1rHI8r4wI0c47S/0UcEmv2eBYaorqDw3kL3
ViMTTCywYsatXQ0uZbwL+wRPC35amqeCQ/xfG6ALkMGvC14yAUjauYVwu9+x
XTylgcAsKbB6B8dv6cg2JsCyOnx6gPGgXI6haECt/F7I3SLcCvrHjckY8rNz
ounxJaaBUXYO8Pm4gxK33e/Q97KBBW4gfv3iBe8uLoVkMYATBU2XOBoLLfx8
IJ/zNheyzfS5gQSjrvncijz8ep+/RiQ93Vif/98DhsyBqvAGF51hcOEZQtSh
9010LNf/0ixryCdjpRrzxMNm6IenobXm2a9ISCTcUVI6JOZmuuoi1Ut2V+Uk
SMEiHWQjej17rU8pqANjvSzZbiLSlNQQtH+deJhnC/hfvpzjUSPofIrGDSl4
IthqGl0h+gyGo+PZ3JOd5FQAowi9GktMBmJthjhf2HU5D+Sh56CqMGTPHeIN
xPzYj6j84UIqXWJWXuzkDxc8sdtV8GBenwi/maYEf84YQvXsAlVKBjedwAUO
7bFZ8eg4dcLsmRPd5GjGtYJW4TsX3CFXE6podsnU05ZlAM9hhpIXlgoNu8Q9
X6DHoEui8oV6HnY2fAUmgck7W0O+gYVUOGG8dW4mX/Gx2ijLbBtCsTLemxgY
E7G+Yg8GrcF4L3qtswWVMTGrIk/n08fYqKPIu0/KJeb9alCEAnLFrvl8olpg
siOmVwPcFiLWww1VgOkHFAGMaeZk2MwBJ9HENfV3yAEitjMeRMLcTMBSLGIk
aW80VOPyD42btrCna/EwYe4fhy2UpAJHk39h1L7q9WC+aiuCAEUSos+SNfkG
KmE8rmP2yYXx7h44c7HVkiCl3d6qLgA76yK8rOJ+Dj0MNbY7YoUgfChxQA4o
s/LKjoKQxgw9lI/l5Ll/7KAWTiT3oD8LonffG98cIuQstOYwYEEJMqQwMTOw
bw7QzvvcVe+7GCQE7o6Lxv2GF7dd9Zl1sM+dlrESD5SqxOaZRxjbgSPVJxJ8
R7ehWVtXvOxFPXnz4qs4Y4GJTgioXz1e9JV50VfKH63bxMIHPYcTjIdBTlCx
XvqMWqaDnb/1On+L0ahHHbGD2xOkRKRr9Lx1OVzkJttpGFnc4TI07n8P46vn
VauJGGFRD/eiMgjqz1lTqPRAhbblxdlH9K4DWGCXcK6h7JC8+Mpb9JVShZBb
FTont74FfY9HOqnEVytDnAx5CNhugBD+87Uy0smQvSJiuVrvPCc7VMSCN/5n
wA/EkhfqK+wekjoYF9AKeEUlKt1VXsjtp6zU1vD/zNO6wRlZLyPlRiGnbRR2
h46w/trxKesuXGpfgPZaH4z7nOL44oG4eBtKrMA0DDy0wKkV4o/F7a7LQKOM
mPwPOQVvrVkvtHuA0XIKKYfE4hhPgo9VoqdqGcDg/Pi7yMbCKFL2AOpm9J4i
8nyO1hr7VWcQ4didahv8U4fKR7gNJ1Aj7ZIHSCnBR+Pikdyz92ZbN/KPupyR
Y07g8xol+Q03pEL4mywawEbLE9XyT46fYZk6QA/8gdqhS/smIYBZYQuw421K
HYUBKzoBHtWIZ3HKQUkGr0v0xER/O0PjvJIFESBAnjA8bk0uHpJWe5XazzqG
NXed4sopli4MgXxeot/VA3KbB6gPnGdE34CuYc7E4rd4Dh11kIaIPkIfs4mt
JzFwKoLOc4w09fcw9neeiSYhTwf/DJJoMZpEyFjkt4pYs7NgKql7etryEWtv
BCTvJBCwDswATb3FVNyrfP6s4H2LOZ+F5gwKT7S6iZMYi6u0dwDaozjVk52O
VV/k0Cd7ZZ086IrAYo3IrxhRVZP9zFxQYSioYhyEFqoAbBeRlCkjsy1oScht
rzOmTT3xEMm5O61GxMgF7BO69HihVx1nkW2EGlw/GEUtsF5FXMxZ/6ZjkoY9
NPJVd6ZS8ivB4HEoZYmB6DAqmQ0znQFz94+wU5wSeU5oTrY4MgGNTUelDe4i
cdgtpJARvsKczLoz87ziZYyLOpLUEvLohJWfixf+HB46hKUAvIepdSwlRWbO
pXWEujbSaTjFpeHAd1g5DlE/kiT5IY2xioaYRi3GSZnKZMf4sZPmXCwJrnuj
ZDVu+xcEMRoMCGovYY8PKLpHlYw8CsJmLGwxne+hyXM+evjwT2WuIx6rorSt
com/PDQ/6ZcyWkkiGnlZyCviTr/XFYH/0J3J/zU6NVFmivREJ5MIxE7tU+fa
RJHLTkNWnm1wyPEpS7vQLFvoWcTevnSp/g962nC8wS06Br8+RLcYNQEZ3OCw
Ebd7NXePIynv6fuHqI3xGAHI/t337DJ9SCuCtzAwoqJjkehCfah8jeDhIX/S
oVcPK68eHnI/HV5xjdVYbuyCs66qHh0S7NJnTv8EfeM7mTWs/YDeKrWp9AKQ
YSr4T0faOLUXHWu+iv31oVkt/t61a3mAqX8SnrCM6+jXwW822AMG+HLpctfq
JIedLIrZRR9ztj3vMBH+UPnGHExru2/x6KGshjuTV9s9svjfSLyy6ImVD2Q2
AzxiYByxPBOO4HqSi12kI2j56AATyTHhHMRetOpYdOnKQAZa0r6/rT2iV1fa
P+xsW6z7siuTVVucqNZvypCs7rm494pamqJqEwRBPkjvHeM99VZL2O1wmGa0
+/6QVmOm7S2WMH5b88oxivDrQ0esYns0EKCfv95IuJTp3kQsCnPCiilZYoZK
UDf/rjqAxzGQisJ7rCtM10WhtoHZnkIhh/hruohj+Q8rnF/oyWnhxN9FNfWi
eSN3ULdk4eulKxv6a3PZG4+yxFfPyI1wDGnHBdq05yGpleL3r6Xe0nqRqvnE
cojUHqpqbLfNXqwUFc8kms3QS5otKPtLkWmSNrGCLmoOEqXyzk2wGUrgGyMT
9KspkLFpJJ89R+PFsUNCWVkb4WPoIbscFpQimhzpDZ30CKmigHPJh4QTobrU
eokuHty1rw/5X5DVlHdriteRWwpENFnS+AbYIIJQy6E6fjjRHDUdryuB6S0m
O53B7GGerb6hqiqgN7JKTaSMUzQbyyUNyWvfBAIBJSyCiPHikUF4acZP++Yp
UgUsc06lgOkAlvkskN/6YV0TcVsXee6ww3q1R9LzDfIA53IKNAfL28j/yTMV
JZ3GlHFnkoHKQscFXX1PzGP1KgMZu3h7gRXMwQINL8H063phlw6f/ncUSD2J
tou06RkyVvVHSkYAGEW6oURLgUH+op6mXcTA0SgVmrX4wnhsuSShvDbmQ83q
rZ1VaIsaRRyxanwZp4xUycXiUgBtl5y6wTIkP5xwc2hYofHH1FD2P3LJIF+5
zyVDegu7ZProGBvgP/vomTnBByf44ORiv2sZQlOqjpNCJ7VMHYXdgBw4IekP
HRl/jXV9+0q+qPLRdIqFNfyKCyQSiHTaEXrwIvTg4akO6rc9wmcj+2wfn5X4
rORnLlMMYLEgNxz29j8v1HcBdCH0aVaMzw3LAey1mS8uH4VCKMVGCRbYxWO2
dTC16C/5F69BGnHuyBEv7+jX/m9d0vZoMUe8wKNf9+npY/N0n58+oadP6em4
koQdGjghYBg6CA6GSUiIx/VGMQMNc17sjlTPDFCWe1e9JYXKJamwYTzknbIY
ywZ4FFOc8DUdOKCZWiQwx09BSeF9WyOzg01Se7SL9BcezXJVObo+Tlg1IYno
uKXzAxvkMV5kbyKIcO0jVNlQOVK7/kgwCzsJaDSQRv8cVHTEF9iWkiNuKM/h
Bprue/1F1F/J/UFP1GgtJx5NaJNXbodGLAMBIseDpQpqUUNMtOMNCeuiejKy
7j/fYjmTnTy1yZc2lRTNVqO4kU4DEApwWXWfRyX4MQX7uCRJR0GQLpJEY9Sa
t81UamoIIE8R3RGvARyI9M529BL4/Z1S6oBSfTMiKJwu9LLkXh5zL4OtvVg8
w16YM5d+NwPqBmbxHc8Jfzz5Dbpp13a+U/9+gN9P9833AX/YOA0PTeqL2adZ
cC8DHv7p1l4EvxoWsy+qf/stuX9hYpQUAL8sKfFRwuk7PLTUQpQedqp5xYxU
cYDJp5aaeh2uTCb+LW9ajE8cyGTqhn9332CeE/69+zZ0lQ+tHI+YXIMFVRX1
MvWqYuzA92Syo7SCzpLddr9/dJXGlBFQydwzB0zCDYepGcZIaP8kPGV1sp0X
T6ecMcgJNhwTR5Xyv/L0NPp5kJEjH0c2jlwcmXiJ3Dy/6Pd6+cXTTZv23v+s
R+hX+Pzpb+gg2WDHex7hoZeFttSlsjXvMLtaKPEMfosuyJiOLnL5Oe3TX/xD
878D1yk02OcG9EPv+68G9Ma03ljSA+UMIbA5na5MchR6GOmSOqGf+/LzsXSH
qW30oG/6R2/XN1zOOblQLsxCeTGwUngzoDfTPrzgN/Arvdi3nxCT+45Wy68e
e68QhPRuwO+ecH/7rr99fvHUvPC+kVfP6NUAP+FvoK9tcMGrVEjD4KXuejvc
2X2Db3FFDCgzcwYXjfVl37x9TK3r/6Eb5Yi3/Bzw6vwp/HzWhSF7PfgUPSk0
n/NnB9U51f/7oZb6OK7tOfuTbgkUBpqUaAY/6UXOuMlbxcl4F+bdFJ1YvG2c
3OYBgT/GFy94N7lBDgpMgKTGDbTpQZseoMVjajHAvEmv/a44bm4RzeWjgfuo
T4SzT/8+6dA3iBj2IxApMtd9+ciJD5nrvpnrvplrn/p5IsOaHvS+G3ZAAz51
A3rd8mek+hBeKf4MBc5WnLpFspR5yOryi8H29lfsSDSYRh8wRtLLgfcSAWle
1jbi6mLfa/jY66W2pU1oCnPe7eJE8J9Blzu739d3a1nArbAARc66877kSDKG
SUKkYQq3zBSUtB1I22nfZT96bOKW2AQ33ZemS2r62GvKSH1LbIOaPjZNB9j0
CU9g301g303giZkAXvjUfmqaep3umwk8Nb1S02fU1PCZW8dnsOkzbmqVr9qG
t593iPN4RhU+/R6ejne/4MKRtbzAXSDG0u4/6tg3A37TNzCC/QJuRCrOkaS0
otY64PgLrp6OvolmfGjzXveh0WNpBOu2p8EqqTJXeE9s8fuKU/09E8Lpxqot
MR7ojB0VprkUjaWa1NXPSUfsHJro0LOOiclV3Xvk2UG3X9fEs4JGjd7YwuGh
izkVCOWAIGdUPHSEkSPHHQxBdbAP3VsXKrnf6gYJxeTZJ1UxRUR9u8cBycmC
knkeWqFtLDjfXRqeP7MHhoxvLbzFL275Cy+c9oxuVLBmFClx94CPFLU1wcHU
F2WPIxlSsRThY5dPkqXa5GQS0E2WTL2QQ+2Q2JwujyCTrJJ85I1tQjSVoW3B
7Zj9wOQ6a9cqXnRI3c0bXLbkFKZyaFz4XxyWdd/tGM/bcPjeOWWNQl/1aTnH
YPvTsowX5nT3fuV4Tofcq8aNhD65Gbryrt1x8ckKoEmlKn9UlHRFBfdy2rCM
OjaF2tvVZBdYbI1STNqIu8+oTmMRdQubgOlOMz5JV69CSE2dUo84qcJ2RSft
hOJNJcsFPWp0YYnv6DbOBEuGNmMYLORjKV0NEzsZklPUOuCCE+slfGfqVkvN
DvQFeZzrmTCl74V855E5yoQ1wrj+9sUiWratpxA5oscNvvMMml0VL8AOCrtS
xtQrbL5RT3uzkjdFLd5QMSOTRGkzWSsHuQ0fEdB1yHleuwIBq3CVtkAqs0XN
dIAVQpIkw40Sp6QEmyRSiv5psia7dbcGHSfaDM9LkBgGyAsGp719pO0WRPR9
dLEb+osxabkyIX0hFQNCkATuoekOeac5H+dEwsZsXLV07nuJSUkX5i4wcTYW
uvT7JWfwKk2dnxZLj/BdSiVfamG94lXjmA3Tmhyj3bOSzArBLsitLgpADAv+
xd3FoRlBgAvzWQg6Uc+w8WCNFFBdFn7hU2utIhylV7piZtYLz+tzRxVRdtXI
mzyqlcOyghZxKQfNEPaGq2+tJS8ybausVG0RZqxb9nqsbiIemFWHX0CN/AKC
68t+2PWlWUW/9CWaE9aiQ0zo2tZxqWbRBIRcJaepdo6dD5xlW6MpHPRwGGj5
ChK3VPNvk0eCt9SRh9l2G+tkP0hQkLj+0iffDrGXjjv4PqEi6SgT0hlMLpak
dxHcz7GSVlXzC/nupEpQDy8142KG4nqx7hyOG9UuIXCFQMJ77Fk+Rem8PjAi
7TALAv4k7PLCBP/shOjYj1Q+9/UjVI8O3eLgI7z5BxNEKPyy6dptUqOauSWe
EsJywOygMgO4K0S6lSNjxBJQ+9rY/dYDEL9p8M47iS934LW9zLGOunvgp4sx
FfjH9717LKg0oZcZQP45c7vFf3M5iSu9JPTp7gWxR3BqV4J0uXqGy3atx+Ks
YlWJTR5w6llD4qmoqvYgNRO+e1/Ld+s2qE7hKGwoV+aEU9XP2Bx75kLixkmO
gnFUZPkIqMk7mVWDhdyv0p6sAIVuFPIbosnIzzeR6ymoam6hHKT2TDVkLjek
pNxQJkdXxjFd+Yo3lgs5cM1g0khWSVK/ygM9n1Rwo0a6dESk6SScrd/Dd8QQ
SxQwBQSGyGnc1VVjW+rCXDhSVlMx02aMI3BQhaxoa6GlJBrpxBVqoQIjUjhK
wGVKUpm6mP4xNHu25kBKQUpB2zZKETzF0fFwolqCFo/8SCXzqOEgUS082sFZ
mBNlLIgr916AHl2CRdCtYV8GBgKm6KyEgrwYpujU7I6XXLLKhRmmHAwfhPSB
69/JamiYCNB37yP/XoNA8+ptedFSSrLeuKomB+ZQaFOzjemBioPydTFUJqNO
xluQ2R2+N+UWNmpnyD09nmnqjqM0l8WsJILb4gpoSKAtx3HkoRdOsMfzZMfc
IT1UjhpL0nUdsmN11DhNCW2vwUjzMgmkFFCFSjoGTgRoU87M3DLFhYQSCWVQ
zMUWfbEXaFXuOaI9pAtCr7Rfam+0xvLz+grIxkcKs2lSxj7RZRNi1G57pTuS
ALa5udRRCo7l+oquQu/JJasGK3nhH72bc+4e+Egr6Spk5YsxVS8ndd81OMQr
ED7b777JxuPVkoKh/9UNOF2/tBglbbmyDrXrplAmUXFyyimagQayU1nKjiQI
0VUSaWY2YKTXmaAfVfZzvXGRhUNOMotDyQc3qFYty9XFG7KNPUJLNeW77FWS
+KqQqmdm6giFcZabkohgT8AfpIS80WnYqdwvRL1akAE4Guu3bq2gdCjjG5+X
LJ/TL0w+wJYyXT3Z5uoUpHj0Mluu+HiEV+fKVV7yKsEXcqCDi8Hj2rcVhOcg
phRMd6c9pAB8PTzPZbLqZajbVrXifgK6/JTGpuuduF6zlPy3GM6XsgGBjeXE
j+FNMjZ9D/ouF6HfqD1PJdEVl5/nJD1W/c11n3KhqbMNS596ahXh6bqJFPMY
bNkdc4GBPysEIF1e2VAAi5IWffK2W0z7bw5u8PaaCjVyK5wIv9qkRFRRP7y9
h9Wz+TbfgZxfgGGT0cWiIHr8+y8nuMHBq5fB0Vu8l+nf/66I5Qu+juqCxXBo
rz7Y+NDaIaCQ0kXIw7Ojd++kCiRugDV7ePBQbsoK7xnNZJcYJkLMUPQTTklc
TVA/4QpgfBpg6S6fFntLuSErl2sY2IroAL2JrooEy3QtBRiyhN6aIYnZZXJn
BurKeESDUh39Q89IzWgoGLdm+LbNw2PWEe9qSLgdkhyyxyDxxvCY/EyTDZME
dbqNMzJ4aO3Py7ji/Nufu4rr9Xe84uKOhVUUCrnYQXglGum1OlPVwgJcoUCO
p8ilAH4FPIY1C6FK8X+7KZzdRmTK4GnMUtjg4jIzOl5UqXlkzTLLxA1pOkFi
bxAhV3CxDRamLGZGpc4cHU3s7C1rWWgtefP1a/L8e6755lVvIkgEctmjtwVy
UbrRde1K/GzorQUcS0MqmzU2UGHfuCSkQav0r0iqCkCvAjzwZZ3QJaD1Co2e
oOMDWICq6drWw0MYYHEFuR85ahKbpqtNIcJVrsxVY2AWZLkHq61QwQHZfENX
uYE/a2dVb8YZ/FwVNhQgEzl9faSOwfLN8gNgEZrvMVlwHM5LZxUFlucrDKg1
lL8xcSMdzxdRfklVfWBm5GKpuVPcvQCsg1bOqzZcqihmRHh/4e2GoJDPy9xV
7hW1vyjXSVWKbQOwIRZTavkvV2aQWobsTIiuojihm9oBSX6Yl+WyONjbm4FQ
X416MI29+TIe5+tlme2RKnkBuk7xo6mIZu4NwZI8WDiDxTVeQGFoYgE7tzJV
NnItyOPXNIH9coXdTHE2jKNsvbCXrziq3VVpz3XI7mweOq57kio1XBCYGAur
XBl8FYGEoExjYiO5rlzNy8ggdjA9QYtKarWCNpQgS7VdyAIq07IVfN1NiXd3
X16++/zl2BScRZAVSAVrca0Z77dYRXVclvKZpsqut0ZQruowkYPivp2JFWb5
Bic892+K2GKibjwxRU1arfcuQ94cwO6ZKwmbLPuoSVJWb7QQOBpEMI6CKI2S
dRHbkKstbVFgNcOGcvN8qR8a1xgb2zgf7k6Ciw/l3kMBhxyCMlE2/+t6z5Qz
W0und1nJdIkgS71FJpeyowZSqurJcvaVO6HjMQK8hqbigalyA6+EjytCbOeI
4ERpS2VzaHesY4FmsojWarWcRMx/vTn1B6SH1Yxsst7ObO+C27hcVA3II+ZX
H3A3zrNf1JZlptYNNpxEJOWDe26wI7W7ydbz2aOpv8tHgJl8KvUoHZzqB4Aq
Ik4s1HoB5K/VG6b2qlcGIV1QJNd3lSBN3H/zwiH7LXx3iQhijl6qDHTVxCKJ
u5Sh+JOrB4zd3XxpkUk1wVNB3g1HXJiRT6CgC6qoXkaId5WJPtC8m5QO4GwE
uelUwJTYOeklKixozLj7mSqGhlNoiWnVTA//XBPoyzYOhsNUx6eLr7c5nOvF
FrjgLhWorB3H4YeEFodsZBqcqZYh8PpCLRqYU9eFJKk3LyQNr3K/m4rT1phG
qF2BUnRpzFNjVGd542pbxMl1YC9ay0FaM8feKJHdZKunuFKu6tV4cRsTm5gy
5qGtKuzdbibHzYzrRaYpl1NLzQjxeYzRzVqapBV6A1PBnTt116+9pzgj2t1W
Q/DLaRFh0/5Z+SOXJRJ942TcWR8hyKIKKo/fIB9aFcWm/nJEMtPMwHIcBPAX
e2m7uxzDK8QVbWVuTO2px0i7sAFFERQlqI2mqiKC45VeJtlabgxNr2Opnptx
cWouJu/6lVsbVmQIVNUdT+GyOUPtDY2HBaxfgNaEdjZMHO9UkPEZwpZiHlmw
WgaLdVAkWlManXf7hfA3YBm1CywqkHIxa1tTZEEVnPzznEYnaa4cYtDDQ4O/
fMzLcKxtR7tc/WP2OR6wSkKHXCeWzOxtTebiCQohm9uP6dCwLQ/jyqRQVU4T
8feiRZsV3+i+F2bo6MtH94/x4HPFFKU+lXOiNV4G7ZLN9xN3qS8TC79qDhXA
OwFLNPh9BWtdLRDeQ3OCAhCismO1GGzX9k7WCGWLTXTtqGnN3WKcB6vUVGqN
Jhhyi8hbhZoTyhXkGryzpr1Mz2/Nhujwp+GGblst7jinAi/cMhpbW4QUrOuU
7CDKarD1972SMiM9j83ebA0pRMkso+tXJMUq17MY89uMNEdvhvVO1F0dsSj8
no7f1LP0uT6sIamVkGOqb4OZFvratgYQYfrzKBpfcqIA5+kNV+UcKHoeL1t3
B1x7Uk9e7EyjpNA7khsQcRtJIynE5CPX3UjT3sqFQrAmMA/TSOrgY0wyj0fk
8TGFJckfgLYmKPcsIOhTqmth5i/3D0cooiYoBKtFkXg6bFDZxdOg9iZSmfFD
ZYqbwIRjvui2vTNOktudTjWTEP0rnF8lC+Dud0BiRklvx+Sdot1Ixh3xCJOy
xW7XQu7gQq8xnrAyAgRdH3aaUwqoMXTELQv4SE5FgBYsmzEFOTPh9HBs6IWP
z23ZI7oLxg+seYkF7po+H5s58umssdrNKA32dlXa0kISqlpKijineWrPQ1w3
6asX3Bi72PI7qpq2p24vh+S/q9zR4KVDVS9GteZpybdei0nG0UHPiHDXl1F/
H86+eiP/qRHKH9G1F73W/wdtKXdFlaYAAA==

-->

</rfc>
