<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.30 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-moq-secure-objects-01" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.31.0 -->
  <front>
    <title abbrev="MoQT Secure Objects">End-to-End Secure Objects for Media over QUIC Transport</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-moq-secure-objects-01"/>
    <author initials="C." surname="Jennings" fullname="Cullen Jennings">
      <organization>Cisco</organization>
      <address>
        <email>fluffy@cisco.com</email>
      </address>
    </author>
    <author initials="S." surname="Nandakumar" fullname="Suhas Nandakumar">
      <organization>Cisco</organization>
      <address>
        <email>snandaku@cisco.com</email>
      </address>
    </author>
    <author initials="R." surname="Barnes" fullname="Richard Barnes">
      <organization>Cisco</organization>
      <address>
        <email>rlb@ipv.sx</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Applications and Real-Time</area>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 48?>

<t>This document specifies an end-to-end authenticated encryption scheme
for application objects transmitted via Media over QUIC (MoQ)
Transport. The scheme enables original publishers that share a symmetric
key with end subscribers, to ensuring that MoQ relays are unable to
decrypt object contents.  Additionally, subscribers can verify the
integrity and authenticity of received objects, confirming that the
content has not been modified in transit.  Additionally it allows MoQ
parameters to be protected so the publisher can select if they are
readable and/or modifiable by relays.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://moq-wg.github.io/secure-objects/draft-ietf-moq-secure-objects.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-moq-secure-objects/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Media over QUIC Working Group mailing list (<eref target="mailto:moq@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/moq/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/moq/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/moq-wg/secure-objects"/>.</t>
    </note>
  </front>
  <middle>
    <?line 61?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Media Over QUIC Transport (MoQT) is a protocol that is optimized for the
QUIC protocol, either directly or via WebTransport, for the
dissemination of delivery of low latency media <xref target="MoQ-TRANSPORT"/>. MoQT
defines a publish/subscribe media delivery layer across set of
participating relays for supporting wide range of use-cases with
different resiliency and latency (live, interactive) needs without
compromising the scalability and cost effectiveness associated with
content delivery networks. It supports sending media objects through
sets of relays nodes.</t>
      <t>Typically a MOQ Relay doesn't need to access the media content, thus
allowing the media to be "end-to-end" encrypted so that it cannot be
decrypted by the relays. However for a relay to participate effectively
in the media delivery, it needs to access naming information of a MoQT
object to carryout the required store and forward functions.</t>
      <t>As such, two layers of security are required:</t>
      <ol spacing="normal" type="1"><li>
          <t>Hop-by-hop (HBH) security between two MoQT endpoints.</t>
        </li>
        <li>
          <t>End-to-end (E2E) security from the Original Publisher of an MoQT
object to End Subscribers</t>
        </li>
      </ol>
      <t>The HBH security is provided by TLS in the QUIC connection that MoQT
runs over. MoQT support different E2EE protection as well as allowing
for E2EE security.</t>
      <t>This document defines a scheme for E2E authenticated encryption of MoQT
objects.  This scheme is based on the SFrame mechanism for authenticated
encryption of media objects <xref target="SFRAME"/>.</t>
      <t>However, a secondary goal of this design is to minimize the amount of
additional data the encryptions requires for each object. This is
particularly important for very low bit rate audio applications where
the encryption overhead can increase overall bandwidth usage by a
significant percentage.  To minimize the overhead added by end-to-end
encryption, certain fields that would be redundant between MoQT and
SFrame are not transmitted.</t>
      <t>The encryption mechanism defined in this specification can only be used
in application context where object ID values are never more than 32
bits long. This limitation is described in <xref target="nonce"/>.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>
        <dl>
          <dt>E2EE:</dt>
          <dd>
            <t>End-to-End Encryption</t>
          </dd>
          <dt>HBH:</dt>
          <dd>
            <t>Hop-by-Hop</t>
          </dd>
          <dt>varint:</dt>
          <dd>
            <t><xref target="MoQ-TRANSPORT"/> variable length integer (Section 1.4.1).</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="MoQT">
      <name>MoQT Object Model Recap</name>
      <t>MoQT defines a publish/subscribe based media delivery protocol, where in
endpoints, called original publishers, publish objects which are
delivered via participating relays to receiving endpoints, called end
subscribers.</t>
      <t>Section 2 of <xref target="MoQ-TRANSPORT"/> defines hierarchical object model for
application data, comprised of objects, groups and tracks.</t>
      <t>Objects defines the basic data element, an addressable unit whose
payload is sequence of bytes. All objects belong to a group, indicating
ordering and potential dependencies. A track contains has collection of
groups and serves as the entity against which a subscribers issue
subscription requests.</t>
      <figure anchor="fig-moqt-session">
        <name>Structure of an MoQT session</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="496" width="528" viewBox="0 0 528 496" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,48 L 8,368" fill="none" stroke="black"/>
              <path d="M 112,80 L 112,112" fill="none" stroke="black"/>
              <path d="M 112,160 L 112,256" fill="none" stroke="black"/>
              <path d="M 112,288 L 112,320" fill="none" stroke="black"/>
              <path d="M 112,368 L 112,400" fill="none" stroke="black"/>
              <path d="M 112,448 L 112,480" fill="none" stroke="black"/>
              <path d="M 152,112 L 152,160" fill="none" stroke="black"/>
              <path d="M 152,400 L 152,448" fill="none" stroke="black"/>
              <path d="M 192,80 L 192,112" fill="none" stroke="black"/>
              <path d="M 192,160 L 192,256" fill="none" stroke="black"/>
              <path d="M 192,288 L 192,320" fill="none" stroke="black"/>
              <path d="M 192,368 L 192,400" fill="none" stroke="black"/>
              <path d="M 192,448 L 192,480" fill="none" stroke="black"/>
              <path d="M 240,80 L 240,112" fill="none" stroke="black"/>
              <path d="M 240,160 L 240,256" fill="none" stroke="black"/>
              <path d="M 240,368 L 240,400" fill="none" stroke="black"/>
              <path d="M 240,448 L 240,480" fill="none" stroke="black"/>
              <path d="M 280,112 L 280,160" fill="none" stroke="black"/>
              <path d="M 280,400 L 280,448" fill="none" stroke="black"/>
              <path d="M 320,80 L 320,112" fill="none" stroke="black"/>
              <path d="M 320,160 L 320,256" fill="none" stroke="black"/>
              <path d="M 320,368 L 320,400" fill="none" stroke="black"/>
              <path d="M 320,448 L 320,480" fill="none" stroke="black"/>
              <path d="M 384,80 L 384,112" fill="none" stroke="black"/>
              <path d="M 384,368 L 384,400" fill="none" stroke="black"/>
              <path d="M 384,448 L 384,480" fill="none" stroke="black"/>
              <path d="M 424,400 L 424,448" fill="none" stroke="black"/>
              <path d="M 464,80 L 464,112" fill="none" stroke="black"/>
              <path d="M 464,368 L 464,400" fill="none" stroke="black"/>
              <path d="M 464,448 L 464,480" fill="none" stroke="black"/>
              <path d="M 8,80 L 24,80" fill="none" stroke="black"/>
              <path d="M 96,80 L 520,80" fill="none" stroke="black"/>
              <path d="M 112,112 L 192,112" fill="none" stroke="black"/>
              <path d="M 240,112 L 320,112" fill="none" stroke="black"/>
              <path d="M 384,112 L 464,112" fill="none" stroke="black"/>
              <path d="M 112,160 L 192,160" fill="none" stroke="black"/>
              <path d="M 240,160 L 320,160" fill="none" stroke="black"/>
              <path d="M 112,192 L 192,192" fill="none" stroke="black"/>
              <path d="M 240,192 L 320,192" fill="none" stroke="black"/>
              <path d="M 112,224 L 192,224" fill="none" stroke="black"/>
              <path d="M 240,224 L 320,224" fill="none" stroke="black"/>
              <path d="M 112,256 L 192,256" fill="none" stroke="black"/>
              <path d="M 240,256 L 320,256" fill="none" stroke="black"/>
              <path d="M 112,288 L 192,288" fill="none" stroke="black"/>
              <path d="M 112,320 L 192,320" fill="none" stroke="black"/>
              <path d="M 8,368 L 24,368" fill="none" stroke="black"/>
              <path d="M 96,368 L 520,368" fill="none" stroke="black"/>
              <path d="M 112,400 L 192,400" fill="none" stroke="black"/>
              <path d="M 240,400 L 320,400" fill="none" stroke="black"/>
              <path d="M 384,400 L 464,400" fill="none" stroke="black"/>
              <path d="M 112,448 L 192,448" fill="none" stroke="black"/>
              <path d="M 240,448 L 320,448" fill="none" stroke="black"/>
              <path d="M 384,448 L 464,448" fill="none" stroke="black"/>
              <path d="M 112,480 L 192,480" fill="none" stroke="black"/>
              <path d="M 240,480 L 320,480" fill="none" stroke="black"/>
              <path d="M 384,480 L 464,480" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="528,368 516,362.4 516,373.6" fill="black" transform="rotate(0,520,368)"/>
              <polygon class="arrowhead" points="528,80 516,74.4 516,85.6" fill="black" transform="rotate(0,520,80)"/>
              <g class="text">
                <text x="24" y="36">Media</text>
                <text x="68" y="36">Over</text>
                <text x="108" y="36">QUIC</text>
                <text x="176" y="36">Application</text>
                <text x="500" y="68">time</text>
                <text x="60" y="84">TrackA</text>
                <text x="148" y="100">Group1</text>
                <text x="276" y="100">Group2</text>
                <text x="352" y="100">...</text>
                <text x="420" y="100">GroupN</text>
                <text x="152" y="180">Object0</text>
                <text x="280" y="180">Object0</text>
                <text x="152" y="212">Object1</text>
                <text x="280" y="212">Object1</text>
                <text x="152" y="244">Object2</text>
                <text x="280" y="244">Object2</text>
                <text x="152" y="276">...</text>
                <text x="152" y="308">ObjectN</text>
                <text x="492" y="356">time</text>
                <text x="60" y="372">TrackB</text>
                <text x="148" y="388">Group1</text>
                <text x="276" y="388">Group2</text>
                <text x="352" y="388">...</text>
                <text x="420" y="388">GroupN</text>
                <text x="152" y="468">Object0</text>
                <text x="280" y="468">Object0</text>
                <text x="424" y="468">Object0</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
Media Over QUIC Application
|
|                                                           time
+-- TrackA --+---------+-----+---------+-------+---------+------>
|            | Group1  |     | Group2  |  ...  | GroupN  |
|            +----+----+     +----+----+       +---------+
|                 |               |
|                 |               |
|            +----+----+     +----+----+
|            | Object0 |     | Object0 |
|            +---------+     +---------+
|            | Object1 |     | Object1 |
|            +---------+     +---------+
|            | Object2 |     | Object2 |
|            +---------+     +---------+
|                ...
|            +---------+
|            | ObjectN |
|            +---------+
|
|                                                          time
+-- TrackB --+---------+-----+---------+-------+---------+------>
             | Group1  |     | Group2  |  ...  | GroupN  |
             +----+----+     +----+----+       +----+----+
                  |               |                 |
                  |               |                 |
             +----+----+     +----+----+       +----+----+
             | Object0 |     | Object0 |       | Object0 |
             +---------+     +---------+       +---------+
]]></artwork>
        </artset>
      </figure>
      <t>Objects are comprised of three parts: parts that Relays can read and
modify, parts that Relay can read but is not allowed to modify, and
parts the Relays cannot read or modify. The payload portion MAY be end
to end encrypted, in which case it is only visible to the original
publisher and the end subscribers. The application is solely responsible
for the content of the object payload.</t>
      <t>Tracks are identified by a combination of its Track Namespace and Track
Name.  Tuples of the Track Namespace and Track Name are treated as a
sequence of binary bytes.  Groups and Objects are represented as
variable length integers called GroupID and ObjectID respectively.</t>
      <t>Two important properties of objects are:</t>
      <ol spacing="normal" type="1"><li>
          <t>The combination of Track Namespace, Track Name, Group ID and Object
ID are globally unique in a given relay network, referred to as Full
Object ID in this specification.</t>
        </li>
        <li>
          <t>The data inside an MoQT Object (and its size) can never change after
the Object is first published. There can never be two Objects with
the same Full Object ID but different data.</t>
        </li>
      </ol>
      <t>One of the ways system keep the Full Object IDs unique is by using a fully
qualified domain names or UUIDs as part of the Track Namespace.</t>
    </section>
    <section anchor="secure-objects">
      <name>Secure Objects</name>
      <t>Section 10.2.1 <xref target="MoQ-TRANSPORT"/> defines fields of a canonical MoQT
Object. The protection scheme defined in this draft encrypts the <tt>Object
Payload</tt> and Encrypted Properties List <xref target="pvt-ext"/>.  The scheme
authenticates the <tt>Group ID</tt>, <tt>Object ID</tt>, <tt>Immutable Properties</tt>
(Section 11.6 of <xref target="MoQ-TRANSPORT"/>) and <tt>Object Payload</tt> fields,
regardless of the on-the-wire encoding of the objects over QUIC
Datagrams or QUIC streams.</t>
      <table anchor="tbl-protection-levels">
        <name>MoQ Object Security Protection Levels</name>
        <thead>
          <tr>
            <th align="left">Protection Level</th>
            <th align="left">Fields</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Unprotected and Unauthenticated (HBH only)</td>
            <td align="left">Track Alias, Mutable Properties</td>
          </tr>
          <tr>
            <td align="left">End-to-End Authenticated</td>
            <td align="left">Group ID, Object ID, Publisher Priority, Immutable Properties, Track Namespace, Track Name (including Key ID)</td>
          </tr>
          <tr>
            <td align="left">End-to-End Encrypted and Authenticated</td>
            <td align="left">Original Payload, Encrypted Properties List</td>
          </tr>
        </tbody>
      </table>
      <section anchor="properties">
        <name>Properties</name>
        <t>MoQT defines mutable and immutable properties for objects. This
specification uses MoQT immutable properties to convey end-to-end
authenticated metadata and adds encrypted object properties (see
<xref target="pvt-ext"/>). The Encrypted Properties List is serialized and encrypted
along with the Object payload, decrypted and deserialized by the
receiver.  This specification further defines the <tt>Secure Object Key ID</tt>
property (see <xref target="keyid-ext"/>), which is transmitted within the immutable
properties.</t>
      </section>
      <section anchor="setup-assumptions">
        <name>Setup Assumptions</name>
        <t>The application assigns each track a set of (Key ID, <tt>track_base_key</tt>)
tuples, where each <tt>track_base_key</tt> is known only to authorized original
publishers and end subscribers for a given track. How these per-track
secrets and their lifetimes are established is outside the scope of this
specification.  The application also defines which Key ID should be used
for a given encryption operation. For decryption, the Key ID is obtained
from the <tt>Secure Object Key ID</tt> property (that is contained within the
immutable properties of the Object).  The scope of a Key ID is the
namespace so if two tracks inside the same namespace have different
tracks_base_keys, then they need to have different Key ID values. This
design is to support a single key across many tracks where a client uses
subscribe namespace to get new tracks as they are created in the
namespace.</t>
        <t>Applications determine the ciphersuite to be used for each track's
encryption context.  See <xref target="ciphersuite"/> for the list of ciphersuites
that can be used.</t>
      </section>
      <section anchor="app">
        <name>Application Procedure</name>
        <t>This section provides steps for applications over MoQT to use mechanisms
defined in this specification.</t>
        <section anchor="ftn">
          <name>Serialized Full Track Name</name>
          <t>Serialized Full Track Name is composed of MoQT Track Namespace and Track
Name as shown below:</t>
          <artwork><![CDATA[
Serialized Full Track Name = Serialize(Track Namespace)
                             + Serialize(Track Name)
]]></artwork>
          <t>The <tt>Serialize</tt> operation follows the same on-the-wire encoding for
Track Name Space and Track Name as defined in Section 2.4.1 of
<xref target="MoQ-TRANSPORT"/>.</t>
          <t>This mandates that the serialization of Track Namespace tuples starts
with varint encoded count of tuples. This is followed by encoding
corresponding to each tuple. Each tuple's encoding starts with varint
encoded length for the count of bytes and bytes representing the content
of the tuple.</t>
          <t>The Track Name is varint encoded length followed by sequence of bytes
that identifies an individual track within the namespace.</t>
          <t>The <tt>+</tt> represents concatenation of byte sequences.</t>
        </section>
        <section anchor="object-encryption">
          <name>Object Encryption</name>
          <t>To encrypt a MoQT Object, the application constructs a plaintext from
the application data and any encrypted properties:</t>
          <artwork><![CDATA[
pt = Serialize(original_payload)
     + Serialize(Encrypted Properties List)
]]></artwork>
          <t>Where <tt>original_payload</tt> is the application's object data. The
serialization of <tt>original_payload</tt> consists of a varint-encoded byte
count followed by the payload bytes. The serialization for the Encrypted
Properties List follows the rules for immutable properties (as defined
in Section 11 of <xref target="MoQ-TRANSPORT"/>).</t>
          <t>The plaintext is then encrypted:</t>
          <artwork><![CDATA[
ciphertext = encrypt(pt)
]]></artwork>
          <t>The resulting ciphertext replaces the <tt>original_payload</tt> as the MoQT
Object Payload. The ciphertext length reflects the encrypted
<tt>original_payload</tt> plus any Encrypted Properties List plus the AEAD
authentication tag.</t>
          <t>The detailed encryption process is shown below:</t>
          <figure anchor="fig-encryption-process">
            <name>Object Encryption Process</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="704" width="576" viewBox="0 0 576 704" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,32 L 8,80" fill="none" stroke="black"/>
                  <path d="M 8,160 L 8,208" fill="none" stroke="black"/>
                  <path d="M 8,256 L 8,304" fill="none" stroke="black"/>
                  <path d="M 40,304 L 40,448" fill="none" stroke="black"/>
                  <path d="M 40,480 L 40,544" fill="none" stroke="black"/>
                  <path d="M 72,208 L 72,248" fill="none" stroke="black"/>
                  <path d="M 80,512 L 80,576" fill="none" stroke="black"/>
                  <path d="M 88,80 L 88,120" fill="none" stroke="black"/>
                  <path d="M 120,304 L 120,352" fill="none" stroke="black"/>
                  <path d="M 120,384 L 120,416" fill="none" stroke="black"/>
                  <path d="M 144,160 L 144,208" fill="none" stroke="black"/>
                  <path d="M 144,256 L 144,304" fill="none" stroke="black"/>
                  <path d="M 144,624 L 144,688" fill="none" stroke="black"/>
                  <path d="M 168,32 L 168,80" fill="none" stroke="black"/>
                  <path d="M 192,576 L 192,616" fill="none" stroke="black"/>
                  <path d="M 216,32 L 216,80" fill="none" stroke="black"/>
                  <path d="M 224,400 L 224,432" fill="none" stroke="black"/>
                  <path d="M 240,160 L 240,224" fill="none" stroke="black"/>
                  <path d="M 240,624 L 240,688" fill="none" stroke="black"/>
                  <path d="M 264,304 L 264,336" fill="none" stroke="black"/>
                  <path d="M 288,80 L 288,120" fill="none" stroke="black"/>
                  <path d="M 304,224 L 304,296" fill="none" stroke="black"/>
                  <path d="M 304,336 L 304,392" fill="none" stroke="black"/>
                  <path d="M 304,480 L 304,504" fill="none" stroke="black"/>
                  <path d="M 312,512 L 312,576" fill="none" stroke="black"/>
                  <path d="M 360,32 L 360,80" fill="none" stroke="black"/>
                  <path d="M 360,400 L 360,432" fill="none" stroke="black"/>
                  <path d="M 464,304 L 464,336" fill="none" stroke="black"/>
                  <path d="M 488,304 L 488,336" fill="none" stroke="black"/>
                  <path d="M 496,160 L 496,192" fill="none" stroke="black"/>
                  <path d="M 504,256 L 504,296" fill="none" stroke="black"/>
                  <path d="M 504,344 L 504,448" fill="none" stroke="black"/>
                  <path d="M 504,480 L 504,544" fill="none" stroke="black"/>
                  <path d="M 536,304 L 536,336" fill="none" stroke="black"/>
                  <path d="M 568,128 L 568,448" fill="none" stroke="black"/>
                  <path d="M 568,480 L 568,560" fill="none" stroke="black"/>
                  <path d="M 8,32 L 168,32" fill="none" stroke="black"/>
                  <path d="M 216,32 L 360,32" fill="none" stroke="black"/>
                  <path d="M 8,80 L 168,80" fill="none" stroke="black"/>
                  <path d="M 216,80 L 360,80" fill="none" stroke="black"/>
                  <path d="M 88,128 L 568,128" fill="none" stroke="black"/>
                  <path d="M 8,160 L 144,160" fill="none" stroke="black"/>
                  <path d="M 240,160 L 496,160" fill="none" stroke="black"/>
                  <path d="M 8,208 L 144,208" fill="none" stroke="black"/>
                  <path d="M 240,224 L 496,224" fill="none" stroke="black"/>
                  <path d="M 8,256 L 144,256" fill="none" stroke="black"/>
                  <path d="M 304,256 L 504,256" fill="none" stroke="black"/>
                  <path d="M 8,304 L 144,304" fill="none" stroke="black"/>
                  <path d="M 264,304 L 464,304" fill="none" stroke="black"/>
                  <path d="M 488,304 L 536,304" fill="none" stroke="black"/>
                  <path d="M 264,336 L 464,336" fill="none" stroke="black"/>
                  <path d="M 488,336 L 536,336" fill="none" stroke="black"/>
                  <path d="M 224,400 L 360,400" fill="none" stroke="black"/>
                  <path d="M 120,416 L 208,416" fill="none" stroke="black"/>
                  <path d="M 224,432 L 360,432" fill="none" stroke="black"/>
                  <path d="M 80,512 L 312,512" fill="none" stroke="black"/>
                  <path d="M 40,544 L 72,544" fill="none" stroke="black"/>
                  <path d="M 320,544 L 504,544" fill="none" stroke="black"/>
                  <path d="M 320,560 L 568,560" fill="none" stroke="black"/>
                  <path d="M 80,576 L 312,576" fill="none" stroke="black"/>
                  <path d="M 144,624 L 240,624" fill="none" stroke="black"/>
                  <path d="M 144,688 L 240,688" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="512,296 500,290.4 500,301.6" fill="black" transform="rotate(90,504,296)"/>
                  <polygon class="arrowhead" points="328,560 316,554.4 316,565.6" fill="black" transform="rotate(180,320,560)"/>
                  <polygon class="arrowhead" points="328,544 316,538.4 316,549.6" fill="black" transform="rotate(180,320,544)"/>
                  <polygon class="arrowhead" points="312,504 300,498.4 300,509.6" fill="black" transform="rotate(90,304,504)"/>
                  <polygon class="arrowhead" points="312,392 300,386.4 300,397.6" fill="black" transform="rotate(90,304,392)"/>
                  <polygon class="arrowhead" points="312,296 300,290.4 300,301.6" fill="black" transform="rotate(90,304,296)"/>
                  <polygon class="arrowhead" points="296,120 284,114.4 284,125.6" fill="black" transform="rotate(90,288,120)"/>
                  <polygon class="arrowhead" points="216,416 204,410.4 204,421.6" fill="black" transform="rotate(0,208,416)"/>
                  <polygon class="arrowhead" points="200,616 188,610.4 188,621.6" fill="black" transform="rotate(90,192,616)"/>
                  <polygon class="arrowhead" points="96,120 84,114.4 84,125.6" fill="black" transform="rotate(90,88,120)"/>
                  <polygon class="arrowhead" points="80,544 68,538.4 68,549.6" fill="black" transform="rotate(0,72,544)"/>
                  <polygon class="arrowhead" points="80,248 68,242.4 68,253.6" fill="black" transform="rotate(90,72,248)"/>
                  <g class="text">
                    <text x="84" y="52">original_payload</text>
                    <text x="256" y="52">Private</text>
                    <text x="316" y="52">Header</text>
                    <text x="68" y="68">(application</text>
                    <text x="144" y="68">data)</text>
                    <text x="268" y="68">Extensions</text>
                    <text x="76" y="180">track_base_key</text>
                    <text x="272" y="180">Group</text>
                    <text x="312" y="180">ID,</text>
                    <text x="356" y="180">Object</text>
                    <text x="400" y="180">ID,</text>
                    <text x="36" y="196">(per</text>
                    <text x="72" y="196">Key</text>
                    <text x="104" y="196">ID)</text>
                    <text x="288" y="196">Publisher</text>
                    <text x="368" y="196">Priority,</text>
                    <text x="292" y="212">Serialized</text>
                    <text x="376" y="212">Immutable</text>
                    <text x="436" y="212">Ext[</text>
                    <text x="472" y="212">Key</text>
                    <text x="500" y="212">ID</text>
                    <text x="520" y="212">]</text>
                    <text x="32" y="276">Key</text>
                    <text x="92" y="276">Derivation</text>
                    <text x="44" y="292">(HKDF)</text>
                    <text x="288" y="324">CTR</text>
                    <text x="312" y="324">=</text>
                    <text x="388" y="324">GID(64)||OID(32)</text>
                    <text x="512" y="324">AAD</text>
                    <text x="124" y="372">salt</text>
                    <text x="256" y="420">Nonce</text>
                    <text x="320" y="420">Formation</text>
                    <text x="304" y="452">|</text>
                    <text x="40" y="468">key</text>
                    <text x="304" y="468">nonce</text>
                    <text x="504" y="468">aad</text>
                    <text x="564" y="468">pt</text>
                    <text x="196" y="548">AEAD.Encrypt</text>
                    <text x="188" y="644">Ciphertext</text>
                    <text x="168" y="660">(MoQT</text>
                    <text x="208" y="660">Obj</text>
                    <text x="188" y="676">Payload)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
+-------------------+     +-----------------+
| original_payload  |     | Private Header  |
| (application data)|     | Extensions      |
+---------+---------+     +--------+--------+
          |                        |
          v                        v
          +-----------------------------------------------------------+
                                                                      |
+----------------+           +-------------------------------+        |
| track_base_key |           | Group ID, Object ID,          |        |
| (per Key ID)   |           | Publisher Priority,           |        |
+-------+--------+           | Serialized Immutable Ext[ Key ID ]     |
        |                    +-------+-----------------------+        |
        v                            |                                |
+-------+--------+                   +------------+-----------+       |
| Key Derivation |                   |                        |       |
| (HKDF)         |                   v                        v       |
+---+---------+--+              +------------------------+  +-----+   |
    |         |                 | CTR = GID(64)||OID(32) |  | AAD |   |
    |         |                 +----+-------------------+  +-----+   |
    |         |                      |                        |       |
    |        salt                    |                        |       |
    |         |                      v                        |       |
    |         |            +----+-----------+                 |       |
    |         +----------> | Nonce Formation|                 |       |
    |                      +----+-----------+                 |       |
    |                                |                        |       |
   key                             nonce                     aad     pt
    |                                |                        |       |
    |                                v                        |       |
    |    +-------------+--------------+                       |       |
    |    |                            |                       |       |
    +--->+        AEAD.Encrypt        +<----------------------+       |
         |                            |<------------------------------+
         +-------------+--------------+
                       |
                       v
                 +-----+-----+
                 |Ciphertext |
                 |(MoQT Obj  |
                 | Payload)  |
                 +-----------+
]]></artwork>
            </artset>
          </figure>
        </section>
        <section anchor="object-decryption">
          <name>Object Decryption</name>
          <t>To decrypt a MoQT Object, the application provides the MoQT Object
Payload as ciphertext input to obtain the plaintext:</t>
          <artwork><![CDATA[
pt = decrypt(ciphertext)
]]></artwork>
          <t>The plaintext is then deserialized to extract the application's
<tt>original_payload</tt> and the Encrypted Properties List:</t>
          <ol spacing="normal" type="1"><li>
              <t>Read a varint to obtain the <tt>original_payload</tt> length.</t>
            </li>
            <li>
              <t>Read that many bytes as <tt>original_payload</tt>.</t>
            </li>
            <li>
              <t>If no bytes remain, there is no Encrypted Properties List.</t>
            </li>
            <li>
              <t>Otherwise, read the property type (16 bits). If the value is not 0xA,
drop the object. Parse the remaining bytes as the Encrypted
Properties List structure.</t>
            </li>
          </ol>
          <t>If parsing fails at any stage, the receiver MUST drop the MoQT Object.</t>
          <t>The detailed decryption process is shown below:</t>
          <figure anchor="fig-decryption-process">
            <name>Object Decryption Process</name>
            <artset>
              <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="768" width="576" viewBox="0 0 576 768" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,160 L 8,208" fill="none" stroke="black"/>
                  <path d="M 8,256 L 8,304" fill="none" stroke="black"/>
                  <path d="M 40,304 L 40,448" fill="none" stroke="black"/>
                  <path d="M 40,480 L 40,544" fill="none" stroke="black"/>
                  <path d="M 56,704 L 56,752" fill="none" stroke="black"/>
                  <path d="M 72,208 L 72,248" fill="none" stroke="black"/>
                  <path d="M 80,512 L 80,576" fill="none" stroke="black"/>
                  <path d="M 104,656 L 104,696" fill="none" stroke="black"/>
                  <path d="M 120,312 L 120,352" fill="none" stroke="black"/>
                  <path d="M 120,384 L 120,416" fill="none" stroke="black"/>
                  <path d="M 144,32 L 144,96" fill="none" stroke="black"/>
                  <path d="M 144,160 L 144,208" fill="none" stroke="black"/>
                  <path d="M 144,256 L 144,304" fill="none" stroke="black"/>
                  <path d="M 192,96 L 192,128" fill="none" stroke="black"/>
                  <path d="M 192,576 L 192,592" fill="none" stroke="black"/>
                  <path d="M 192,624 L 192,648" fill="none" stroke="black"/>
                  <path d="M 216,704 L 216,752" fill="none" stroke="black"/>
                  <path d="M 224,400 L 224,432" fill="none" stroke="black"/>
                  <path d="M 240,32 L 240,96" fill="none" stroke="black"/>
                  <path d="M 240,160 L 240,224" fill="none" stroke="black"/>
                  <path d="M 264,304 L 264,336" fill="none" stroke="black"/>
                  <path d="M 264,704 L 264,752" fill="none" stroke="black"/>
                  <path d="M 304,224 L 304,296" fill="none" stroke="black"/>
                  <path d="M 304,336 L 304,392" fill="none" stroke="black"/>
                  <path d="M 304,480 L 304,504" fill="none" stroke="black"/>
                  <path d="M 312,512 L 312,576" fill="none" stroke="black"/>
                  <path d="M 328,656 L 328,696" fill="none" stroke="black"/>
                  <path d="M 360,400 L 360,432" fill="none" stroke="black"/>
                  <path d="M 408,704 L 408,752" fill="none" stroke="black"/>
                  <path d="M 464,304 L 464,336" fill="none" stroke="black"/>
                  <path d="M 488,304 L 488,336" fill="none" stroke="black"/>
                  <path d="M 496,160 L 496,192" fill="none" stroke="black"/>
                  <path d="M 504,256 L 504,296" fill="none" stroke="black"/>
                  <path d="M 504,344 L 504,448" fill="none" stroke="black"/>
                  <path d="M 504,480 L 504,544" fill="none" stroke="black"/>
                  <path d="M 536,304 L 536,336" fill="none" stroke="black"/>
                  <path d="M 568,128 L 568,448" fill="none" stroke="black"/>
                  <path d="M 568,480 L 568,560" fill="none" stroke="black"/>
                  <path d="M 144,32 L 240,32" fill="none" stroke="black"/>
                  <path d="M 144,96 L 240,96" fill="none" stroke="black"/>
                  <path d="M 192,128 L 568,128" fill="none" stroke="black"/>
                  <path d="M 8,160 L 144,160" fill="none" stroke="black"/>
                  <path d="M 240,160 L 496,160" fill="none" stroke="black"/>
                  <path d="M 8,208 L 144,208" fill="none" stroke="black"/>
                  <path d="M 240,224 L 496,224" fill="none" stroke="black"/>
                  <path d="M 8,256 L 144,256" fill="none" stroke="black"/>
                  <path d="M 304,256 L 504,256" fill="none" stroke="black"/>
                  <path d="M 8,304 L 144,304" fill="none" stroke="black"/>
                  <path d="M 264,304 L 464,304" fill="none" stroke="black"/>
                  <path d="M 488,304 L 536,304" fill="none" stroke="black"/>
                  <path d="M 264,336 L 464,336" fill="none" stroke="black"/>
                  <path d="M 488,336 L 536,336" fill="none" stroke="black"/>
                  <path d="M 224,400 L 360,400" fill="none" stroke="black"/>
                  <path d="M 120,416 L 208,416" fill="none" stroke="black"/>
                  <path d="M 224,432 L 360,432" fill="none" stroke="black"/>
                  <path d="M 80,512 L 312,512" fill="none" stroke="black"/>
                  <path d="M 40,544 L 72,544" fill="none" stroke="black"/>
                  <path d="M 320,544 L 504,544" fill="none" stroke="black"/>
                  <path d="M 320,560 L 568,560" fill="none" stroke="black"/>
                  <path d="M 80,576 L 312,576" fill="none" stroke="black"/>
                  <path d="M 104,656 L 328,656" fill="none" stroke="black"/>
                  <path d="M 56,704 L 216,704" fill="none" stroke="black"/>
                  <path d="M 264,704 L 408,704" fill="none" stroke="black"/>
                  <path d="M 56,752 L 216,752" fill="none" stroke="black"/>
                  <path d="M 264,752 L 408,752" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="512,296 500,290.4 500,301.6" fill="black" transform="rotate(90,504,296)"/>
                  <polygon class="arrowhead" points="336,696 324,690.4 324,701.6" fill="black" transform="rotate(90,328,696)"/>
                  <polygon class="arrowhead" points="328,560 316,554.4 316,565.6" fill="black" transform="rotate(180,320,560)"/>
                  <polygon class="arrowhead" points="328,544 316,538.4 316,549.6" fill="black" transform="rotate(180,320,544)"/>
                  <polygon class="arrowhead" points="312,504 300,498.4 300,509.6" fill="black" transform="rotate(90,304,504)"/>
                  <polygon class="arrowhead" points="312,392 300,386.4 300,397.6" fill="black" transform="rotate(90,304,392)"/>
                  <polygon class="arrowhead" points="312,296 300,290.4 300,301.6" fill="black" transform="rotate(90,304,296)"/>
                  <polygon class="arrowhead" points="216,416 204,410.4 204,421.6" fill="black" transform="rotate(0,208,416)"/>
                  <polygon class="arrowhead" points="200,648 188,642.4 188,653.6" fill="black" transform="rotate(90,192,648)"/>
                  <polygon class="arrowhead" points="112,696 100,690.4 100,701.6" fill="black" transform="rotate(90,104,696)"/>
                  <polygon class="arrowhead" points="80,544 68,538.4 68,549.6" fill="black" transform="rotate(0,72,544)"/>
                  <polygon class="arrowhead" points="80,248 68,242.4 68,253.6" fill="black" transform="rotate(90,72,248)"/>
                  <g class="text">
                    <text x="188" y="52">Ciphertext</text>
                    <text x="168" y="68">(MoQT</text>
                    <text x="208" y="68">Obj</text>
                    <text x="188" y="84">Payload)</text>
                    <text x="76" y="180">track_base_key</text>
                    <text x="272" y="180">Group</text>
                    <text x="312" y="180">ID,</text>
                    <text x="356" y="180">Object</text>
                    <text x="400" y="180">ID,</text>
                    <text x="36" y="196">(per</text>
                    <text x="72" y="196">Key</text>
                    <text x="104" y="196">ID)</text>
                    <text x="288" y="196">Publisher</text>
                    <text x="368" y="196">Priority,</text>
                    <text x="292" y="212">Serialized</text>
                    <text x="376" y="212">Immutable</text>
                    <text x="436" y="212">Ext[</text>
                    <text x="472" y="212">Key</text>
                    <text x="500" y="212">ID</text>
                    <text x="520" y="212">]</text>
                    <text x="32" y="276">Key</text>
                    <text x="92" y="276">Derivation</text>
                    <text x="44" y="292">(HKDF)</text>
                    <text x="288" y="324">CTR</text>
                    <text x="312" y="324">=</text>
                    <text x="388" y="324">GID(64)||OID(32)</text>
                    <text x="512" y="324">AAD</text>
                    <text x="116" y="372">salt</text>
                    <text x="256" y="420">Nonce</text>
                    <text x="320" y="420">Formation</text>
                    <text x="304" y="452">|</text>
                    <text x="40" y="468">key</text>
                    <text x="304" y="468">nonce</text>
                    <text x="504" y="468">aad</text>
                    <text x="564" y="468">ct</text>
                    <text x="196" y="548">AEAD.Decrypt</text>
                    <text x="188" y="612">pt</text>
                    <text x="132" y="724">original_payload</text>
                    <text x="304" y="724">Private</text>
                    <text x="364" y="724">Header</text>
                    <text x="116" y="740">(application</text>
                    <text x="192" y="740">data)</text>
                    <text x="316" y="740">Extensions</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art"><![CDATA[
                 +-----------+
                 |Ciphertext |
                 |(MoQT Obj  |
                 | Payload)  |
                 +-----+-----+
                       |
                       +----------------------------------------------+
                                                                      |
+----------------+           +-------------------------------+        |
| track_base_key |           | Group ID, Object ID,          |        |
| (per Key ID)   |           | Publisher Priority,           |        |
+-------+--------+           | Serialized Immutable Ext[ Key ID ]     |
        |                    +-------+-----------------------+        |
        v                            |                                |
+-------+--------+                   +------------------------+       |
| Key Derivation |                   |                        |       |
| (HKDF)         |                   v                        v       |
+---+------------+              +------------------------+  +-----+   |
    |         |                 | CTR = GID(64)||OID(32) |  | AAD |   |
    |         |                 +----+-------------------+  +-----+   |
    |         |                      |                        |       |
    |       salt                     |                        |       |
    |         |                      v                        |       |
    |         |            +----------------+                 |       |
    |         +----------> | Nonce Formation|                 |       |
    |                      +----------------+                 |       |
    |                                |                        |       |
   key                             nonce                     aad     ct
    |                                |                        |       |
    |                                v                        |       |
    |    +----------------------------+                       |       |
    |    |                            |                       |       |
    +--->|        AEAD.Decrypt        |<----------------------+       |
         |                            |<------------------------------+
         +-------------+--------------+
                       |
                      pt
                       |
                       v
            +----------+----------------+
            |                           |
            v                           v
      +-------------------+     +-----------------+
      | original_payload  |     | Private Header  |
      | (application data)|     | Extensions      |
      +-------------------+     +-----------------+
]]></artwork>
            </artset>
          </figure>
        </section>
      </section>
      <section anchor="encryption-schema">
        <name>Encryption Schema</name>
        <t>MoQT secure object protection relies on an ciphersute to define the AEAD
encryption algorithm and hash algorithm in use (<xref target="ciphersuite"/>).  We
will refer to the following aspects of the AEAD and the hash algorithm
below:</t>
        <ul spacing="normal">
          <li>
            <t><tt>AEAD.Encrypt</tt> and <tt>AEAD.Decrypt</tt> - The encryption and decryption
functions for the AEAD.  We follow the convention of RFC 5116
<xref target="RFC5116"/> and consider the authentication tag part of the
ciphertext produced by <tt>AEAD.Encrypt</tt> (as opposed to a separate field
as in SRTP <xref target="RFC3711"/>).</t>
          </li>
          <li>
            <t><tt>AEAD.Nk</tt> - The size in bytes of a key for the encryption algorithm</t>
          </li>
          <li>
            <t><tt>AEAD.Nn</tt> - The size in bytes of a nonce for the encryption algorithm</t>
          </li>
          <li>
            <t><tt>AEAD.Nt</tt> - The overhead in bytes of the encryption algorithm
(typically the size of a "tag" that is added to the plaintext)</t>
          </li>
          <li>
            <t><tt>AEAD.Nka</tt> - For cipher suites using the compound AEAD described in
(Section 4.5.1 of <xref target="SFRAME"/>), the size in bytes of a key for the
underlying encryption algorithm</t>
          </li>
          <li>
            <t><tt>Hash.Nh</tt> - The size in bytes of the output of the hash function</t>
          </li>
        </ul>
      </section>
      <section anchor="aad">
        <name>Metadata Authentication</name>
        <t>The Key ID, Full Track Name, Immutable Properties, Group ID, Object ID,
and Publisher Priority for a given MoQT Object are authenticated as part
of secure object encryption.  This ensures, for example, that encrypted
objects cannot be replayed across tracks and that the publisher's
intended priority cannot be modified without detection.</t>
        <t>When protecting or unprotecting a secure object, the following data
structure captures the input to the AEAD function's AAD argument:</t>
        <sourcecode type="pseudocode"><![CDATA[
SECURE_OBJECT_AAD {
    Group ID (64),
    Object ID (32),
    Publisher Priority (8),
    Serialized Immutable Properties (..)
}
]]></sourcecode>
        <t>The Group ID and Object ID fields are encoded as 64-bit and 32-bit
unsigned integers respectively in big-endian (network) byte order. This
fixed-width encoding ensures that both sender and receiver construct
identical AAD values without ambiguity, as variable-length integer
encodings permit multiple valid representations of the same value.</t>
        <t>Serialized Immutable Properties MUST include the <tt>Secure Object Key ID</tt>
property containing the Key ID. This serves as the semantic equivalent
of the KID field in SFrame.</t>
      </section>
      <section anchor="nonce">
        <name>Nonce Formation</name>
        <t>The Group ID and Object ID for an object are used to form a 96-bit
counter (CTR) value, which is XORed with a salt to form the nonce used
in AEAD encryption. The counter value is formed by encoding the Group ID
as a 64-bit big-endian unsigned integer, followed by the Object ID
encoded as a 32-bit big-endian unsigned integer. This
encryption/decryption will fail if applied to an object where group ID
is larger than 2^64-1 or the object ID is larger than 2^32-1 and the
MoQT Object MUST NOT be processed further.</t>
        <t>MOQT supports Object IDs larger than 32 bits. However, for common AEAD
ciphers such as AES-GCM, performance is better when the nonce is 96
bits. For MOQT’s primary use cases, applications can typically design
their track, group, and object structure so that Object IDs do not need
to exceed 32 bits, making this a reasonable performance tradeoff.</t>
        <t>The Group ID and Object ID could both have been limited to, for example,
48 bits each. However, because 32 bit Object IDs were large enough for
the identified use cases, the Object ID field was left at 32 bits.</t>
      </section>
      <section anchor="keys">
        <name>Key and Salt Derivation</name>
        <t>Encryption and decryption use a key and salt derived from the
<tt>track_base_key</tt> associated with a Key ID. Given a <tt>track_base_key</tt>
value, the key and salt are derived using HMAC-based Key Derivation
Function (HKDF) <xref target="RFC5869"/> as follows:</t>
        <sourcecode type="pseudocode"><![CDATA[
def derive_key_salt(key_id,track_base_key,
                    serialized_full_track_name):
  moq_secret = HKDF-Extract("", track_base_key)
  moq_key_label = "MOQ 1.0 Secure Objects Secret key "
                + serialized_full_track_name
                + cipher_suite + key_id
  moq_key =
    HKDF-Expand(moq_secret, moq_key_label, AEAD.Nk)
  moq_salt_label = "MOQ 1.0 Secret salt "
                 + serialized_full_track_name
                 + cipher_suite + key_id
  moq_salt =
    HKDF-Expand(moq_secret, moq_salt_label, AEAD.Nn)

  return moq_key, moq_salt
]]></sourcecode>
        <t>In the derivation of <tt>moq_secret</tt>:</t>
        <ul spacing="normal">
          <li>
            <t>The <tt>+</tt> operator represents concatenation of byte sequences.</t>
          </li>
          <li>
            <t>The Key ID value is encoded as an 8-byte big-endian integer.</t>
          </li>
          <li>
            <t>The <tt>cipher_suite</tt> value is a 2-byte big-endian integer representing
the cipher suite in use (see <xref target="SFRAME"/>).</t>
          </li>
        </ul>
        <t>The hash function used for HKDF is determined by the cipher suite in
use.</t>
      </section>
      <section anchor="encrypt">
        <name>Encryption</name>
        <t>MoQT secure object encryption uses the AEAD encryption algorithm for the
cipher suite in use.  The key for the encryption is the <tt>moq_key</tt>
derived from the <tt>track_base_key</tt> <xref target="keys"/>.  The nonce is formed by
first XORing the <tt>moq_salt</tt> with the current CTR value <xref target="nonce"/>, and
then encoding the result as a big-endian integer of length <tt>AEAD.Nn</tt>.</t>
        <t>The Encrypted Properties List and Object payload field from the MoQT
object are used by the AEAD algorithm for the plaintext.</t>
        <t>The encryptor forms an SecObj header using the Key ID value provided.</t>
        <t>The encryption procedure is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Obtain the plaintext payload to encrypt from the MoQT object. Extract
the Group ID, Object ID, and the Serialized Immutable Properties from
the MoQT object headers. Ensure the Secure Object Key ID property is
included, with the Key ID set as its value.</t>
          </li>
          <li>
            <t>Retrieve the <tt>moq_key</tt> and <tt>moq_salt</tt> matching the Key ID.</t>
          </li>
          <li>
            <t>Form the aad input as described in <xref target="aad"/>.</t>
          </li>
          <li>
            <t>Form the nonce by as described in <xref target="nonce"/>.</t>
          </li>
          <li>
            <t>Apply the AEAD encryption function with moq_key, nonce, aad, MoQT
Object payload and serialized Encrypted Properties List as inputs
(see <xref target="app"/>).</t>
          </li>
        </ol>
        <t>The final SecureObject is formed from the MoQT transport headers,
followed by the output of the encryption.</t>
      </section>
      <section anchor="decryption">
        <name>Decryption</name>
        <t>For decrypting, the Key ID from the <tt>Secure Object Key ID</tt> property
contained within the immutable properties is used to find the right key
and salt for the encrypted object. The MoQT track information matching
the Key ID along with <tt>Group ID</tt> and <tt>Object ID</tt> fields of the MoQT
object header are used to form the nonce.</t>
        <t>The decryption procedure is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Parse the SecureObject to obtain Key ID, the ciphertext corresponding
to MoQT object payload and the Group ID and Object ID from the MoQT
object headers.</t>
          </li>
          <li>
            <t>Retrieve the <tt>moq_key</tt>, <tt>moq_salt</tt> and MoQT track information
matching the Key ID.</t>
          </li>
          <li>
            <t>Form the aad input as described in <xref target="aad"/>.</t>
          </li>
          <li>
            <t>Form the nonce by as described in <xref target="nonce"/>.</t>
          </li>
          <li>
            <t>Apply the AEAD decryption function with moq_key, nonce, aad and
ciphertext as inputs.</t>
          </li>
          <li>
            <t>Decode the Encrypted Properties List, returning both the properties
and the object payload.</t>
          </li>
        </ol>
        <t>If extracting Key ID fails either due to missing <tt>Secure Object Key ID</tt>
property within immutable properties or error from parsing, the client
MUST discard the received MoQT Object.</t>
        <t>If a ciphertext fails to decrypt because there is no key available for
the Key ID value presented, the client MAY buffer the ciphertext and
retry decryption once a key with that Key ID is received.  If a
ciphertext fails to decrypt for any other reason, the client MUST
discard the ciphertext. Invalid ciphertexts SHOULD be discarded in a way
that is indistinguishable (to an external observer) from having
processed a valid ciphertext.  In other words, the decryption operation
should take the same amount of time regardless of whether decryption
succeeds or fails.</t>
      </section>
    </section>
    <section anchor="object-properties">
      <name>Object Properties</name>
      <section anchor="keyid-ext">
        <name>Key ID Property</name>
        <t>Key ID (Property Type 0x2) is a variable length integer and identifies
the keying material (keys, nonces and associated context for the MoQT
Track) to be used for a given MoQT track.</t>
        <t>The Key ID property is included within the Immutable Properties.  All
objects encoded MUST include the Key ID property when using this
specification for object encryption.</t>
      </section>
      <section anchor="pvt-ext">
        <name>Encrypted Properties List</name>
        <t>The Encrypted Properties List (Property Type 0xA) is a container that
holds a sequence of Key-Value-Pairs (see Section 1.4.3 of
<xref target="MoQ-TRANSPORT"/>) representing one or more Object Properties. These
properties can be added by the Original Publisher and are encrypted
along with the Object Payload, making them accessible only to End
Subscribers.</t>
        <artwork><![CDATA[
Encrypted Properties List {
  Type (0xA),
  Length (i),
  Key-Value-Pair (..) ...
}
]]></artwork>
      </section>
      <section anchor="padding-ext">
        <name>Padding Property</name>
        <t>The Padding Property (Property Type 0x32) allows the Original Publisher
to pad the encrypted payload to obscure the actual size of the object
payload, helping mitigate traffic analysis attacks.</t>
        <artwork><![CDATA[
Padding Property {
  Type (0x32),
  Length (16),
  Padding (...)
}
]]></artwork>
        <t>Unlike other properties where the Length field uses the MOQ variable-
length integer encoding, the Padding Property always encodes its Length
as a 2-byte (16-bit) unsigned integer in network byte order. This fixed-
size encoding simplifies computing the amount of padding to add.</t>
        <t>The Padding field contains <tt>Length</tt> bytes, all of which SHOULD be set to
zero (0x00). Receivers MUST ignore the contents of the Padding field.</t>
        <t>This property is included within the Encrypted Properties List, ensuring
that the padding bytes are encrypted along with the object payload and
other encrypted properties. The Padding Property MUST be the last
property in the Encrypted Properties List if present.</t>
        <section anchor="processing">
          <name>Processing</name>
          <t>To add padding, the publisher:</t>
          <ol spacing="normal" type="1"><li>
              <t>Determines the desired padding size based on its traffic analysis
threat model.</t>
            </li>
            <li>
              <t>Encodes the padding length as a 4-byte unsigned integer in network
byte order.</t>
            </li>
            <li>
              <t>Appends that many zero bytes as the Padding field.</t>
            </li>
          </ol>
          <t>To skip padding, the receiver:</t>
          <ol spacing="normal" type="1"><li>
              <t>Reads the 1-byte type field (0x32).</t>
            </li>
            <li>
              <t>Reads the next 4 bytes as the padding length.</t>
            </li>
            <li>
              <t>Skips the indicated number of bytes to reach the payload or next
property.</t>
            </li>
          </ol>
        </section>
      </section>
    </section>
    <section anchor="usage-considerations">
      <name>Usage Considerations</name>
      <t>To implement the protection mechanisms specified herein, a secure object
requires the complete object before any validity checks can be
performed. This introduces latency proportional to the object size; if
the application aggregates excessive data into a single object (e.g.,
encapsulating 6 seconds of video), the entire segment must be received
before processing or validation can commence, delaying access to all
contained data until transfer completion.</t>
      <t>This specification does not provide security for Track Properties.  If
an application needs end-to-end authentication for track associated
data, the application SHOULD send that data in the Immutable Properties
of the first object in each group.</t>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <section anchor="threat-model">
        <name>Threat Model</name>
        <t>MoQT Objects are published by Original Publishers and delivered to End
Subscribers, potentially through one or more Relays. Each MoQT connection
is protected hop-by-hop using TLS. Security on cross Relay links is
outside the scope of MoQT, but this specification assumes protection
equivalent to TLS on those links.</t>
        <t>Because security is hop-by-hop, each Relay terminates a security
association and can observe, modify, drop, delay, reorder, or replay
MoQT data. Some message fields are expected to be modified by Relays
during normal operation, while other fields are expected to be visible
but immutable. See <xref target="MoQ-TRANSPORT"/> for details.</t>
        <t>This specification assumes that the Original Publisher and End
Subscriber share one or more symmetric keys per Track, each identified
by a <tt>Key ID</tt>.  Key distribution and key negotiation are out of scope
for this document (e.g., MLS could be used).</t>
        <t>In MoQT, sending multiple Objects with the same Track, Group ID, and
Object ID but different values is a Malformed Track Error. This
specification therefore assumes the Original Publisher does not publish
modified versions of the same Object.</t>
        <t>This specification enables an End Subscriber to:</t>
        <ol spacing="normal" type="1"><li>
            <t>detect Relay modification of an Object's Original Payload, Encrypted
Properties, Immutable Properties, Publisher Priority, Group ID, or
Object ID;</t>
          </li>
          <li>
            <t>detect delivery of an Object under the wrong Track Name or with a
modified <tt>Key ID</tt>;</t>
          </li>
          <li>
            <t>verify that the Original Payload and Encrypted Properties remained
confidential from Relays; and</t>
          </li>
          <li>
            <t>detect some (but not all) Object drops or replays in limited cases (see
<xref target="deletion-detection"/>).</t>
          </li>
        </ol>
        <t>This specification does <strong>not</strong> enable an End Subscriber to reliably
detect:</t>
        <ul spacing="normal">
          <li>
            <t>complete suppression of all Objects by a Relay;</t>
          </li>
          <li>
            <t>Relay-induced delay or reordering of Objects.</t>
          </li>
        </ul>
        <section anchor="fan-out-attacks">
          <name>Fan Out Attacks</name>
          <t>Further complexity in the threat model arises from Relay fan out.  A
Relay network can forward Objects on a given Track to many downstream
End Subscribers.  In high rate applications such as video, the number of
Objects delivered per second can be large, and the number of downscale
subscribers can be large.  A malicious Relay can exploit this scale by
attempting different forgeries for different downstream End Subscribers
on a subset of Objects.</t>
          <t>In some applications, a Relay could send a forged packet using a trial
key.  If the forgery was accepted, the forged packet would cause the End
Subscriber to take an action observable by the Relay, such as closing
the connection.  This would allow the Relay to determine that the
forgery succeeded, and therefore learn that the trial key was valid for
the Track.</t>
          <t>This type of attack should be considered when selecting an appropriate
cryptographic key length for an application. If an applications can fan
out to 2^x clients and send 2^y message over a reasonable time period, a
key roughly (x+y) bits longer SHOULD be used.</t>
          <t>One possible mitigation is for the application to track a metric of the
rate of authentication failures across all End Subscribers for each
Track.</t>
        </section>
      </section>
      <section anchor="cryptographic-design">
        <name>Cryptographic Design</name>
        <t>The cryptographic computations described in this document are exactly
those performed in the SFrame encryption scheme defined in <xref target="SFRAME"/>,
The scheme in this document is effectively a "virtualized" version of
SFrame:</t>
        <ul spacing="normal">
          <li>
            <t>The CTR value used in nonce formation is not carried in the object
payload, but instead synthesized from the GroupID and ObjectID.</t>
          </li>
          <li>
            <t>The AAD for the AEAD operation is not sent on the wire (as with the
SFrame Header), but constructed locally by the encrypting and
decrypting endpoints.</t>
          </li>
          <li>
            <t>The format of the AAD is different but contains the same semantic
information:  </t>
            <ul spacing="normal">
              <li>
                <t>The Group ID and Object ID are combined to form what is the CTR
in SFrame.</t>
              </li>
              <li>
                <t>The Key ID (KID) is contained in the Serialized Immutable
Properties rather than a separate header field.</t>
              </li>
              <li>
                <t>The SFrame Header is constructed using MoQT-style varints, instead
of the variable-length integer scheme defined in SFrame.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>The <tt>metadata</tt> input in to SFrame operations is defined to be the
FullTrackName value for the object.</t>
          </li>
          <li>
            <t>The labels used in key derivation reflect MOQ usage, not generic
SFrame.</t>
          </li>
        </ul>
        <t>The security considerations discussed in the SFrame specification thus
also apply here.</t>
        <t>The SFrame specification lists several things that an application needs
to account for in order to use SFrame securely, which are all accounted
for here:</t>
        <ol spacing="normal" type="1"><li>
            <t><strong>Header value uniqueness:</strong> Uniqueness of CTR values follows from
the uniqueness of MoQT (GroupID, ObjectID) pairs. We only use one Key
ID value, but instead use distinct SFrame contexts with distinct keys
per track. This assures that the same (<tt>track_base_key</tt>, Key ID, CTR)
tuple is never used twice.</t>
          </li>
          <li>
            <t><strong>Key management:</strong> We delegate this to the MoQT application, with
subject to the assumptions described in <xref target="setup-assumptions"/>.</t>
          </li>
          <li>
            <t><strong>Anti-replay:</strong> Replay is not possible within the MoQT framework
because of the uniqueness constraints on ObjectIDs and objects, and
because the group ID and object ID are cryptographically bound to the
secure object payload.</t>
          </li>
          <li>
            <t><strong>Metadata:</strong> The analogue of the SFrame metadata input is defined in
<xref target="aad"/>.</t>
          </li>
        </ol>
        <t>Any of the ciphersuites defined in <xref target="ciphersuite"/> registry can be used
to protect MoQT objects.  The caution against short tags in <xref section="7.5" sectionFormat="of" target="SFRAME"/> still applies here, but the MoQT environment provides
some safeguards that make it safer to use short tags, namely:</t>
        <ul spacing="normal">
          <li>
            <t>MoQT has hop-by-hop protections provided by the underlying QUIC layer,
so a brute-force attack could only be mounted by a relay.</t>
          </li>
          <li>
            <t>In some usecases MoQT tracks have predictable object arrival rates, so
a receiver can interpret a large deviation from this rate as a sign of
an attack.</t>
          </li>
          <li>
            <t>The binding of the secure object payload to other MoQT parameters
(as metadata), together with MoQT's uniqueness properties ensure that
a valid secure object payload cannot be replayed in a different
context.</t>
          </li>
        </ul>
      </section>
      <section anchor="aead-invocation-limits">
        <name>AEAD Invocation Limits</name>
        <t>AEAD algorithms have limits on how many times a single key can be used
before the cryptographic guarantees begin to degrade. Exceeding these
limits can compromise confidentiality (allowing an attacker to
distinguish encrypted content from random data) or integrity (allowing
an attacker to forge valid ciphertexts). The severity of these risks
depends on the specific algorithm in use.</t>
        <t>Implementations MUST track the number of encryption and decryption
operations performed with each <tt>moq_key</tt> and ensure that these counts
remain within the limits specified in <xref target="AEAD-LIMITS"/> for the cipher
suite in use. When approaching these limits, implementations MUST
arrange for new keying material to be established (e.g., by rotating to
a new Key ID with a fresh <tt>track_base_key</tt>) before the limits are
exceeded.</t>
        <t>For the AES-GCM cipher suites defined in this document, the primary
concern is the confidentiality limit, which restricts the number of
encryptions performed with a single key. For AES-CTR-HMAC cipher suites,
both encryption and decryption operations count toward the applicable
limits.</t>
      </section>
      <section anchor="deletion-detection">
        <name>Detecting Deletion by Malicious Relays</name>
        <t>A malicious relay could selectively delete objects or groups before
forwarding them to subscribers. While this specification does not
mandate detection of such deletions, it does provide mechanisms that
applications can use to detect when content has been removed.</t>
        <t>Some applications may not require deletion detection, or may be able to
detect missing data based on the internal structure of the object
payload (e.g., sequence numbers embedded in the media format). For
applications that do require deletion detection at the MoQT layer, the
following approaches are available:</t>
        <section anchor="monotonically-incrementing-identifiers">
          <name>Monotonically Incrementing Identifiers</name>
          <t>Applications that assign Group IDs and Object IDs in a strictly
monotonic sequence (incrementing by 1 for each successive group or
object) can straightforwardly detect gaps. A subscriber receiving Group
ID N followed by Group ID N+2, or Object ID M followed by Object ID M+3,
can conclude that intervening content was not delivered.</t>
        </section>
        <section anchor="non-sequential-identifiers-with-gap-properties">
          <name>Non-Sequential Identifiers with Gap Properties</name>
          <t>Applications that use Group IDs or Object IDs with intentional gaps
(e.g., for sparse data or timestamp-based identifiers) MUST include the
Prior Group ID Gap and/or Prior Object ID Gap properties as immutable
properties. These properties indicate the expected distance to the next
identifier. If the Prior Object ID Gap property is absent from a secure
object, receivers MUST assume a gap value of 1. Similarly, if the Prior
Group ID Gap property is absent, receivers MUST assume a gap value of 1.</t>
        </section>
      </section>
      <section anchor="signaling-end-of-content">
        <name>Signaling End of Content</name>
        <t>For applications that need to reliably detect lost objects at the end of
a subgroup, group, or track, it is RECOMMENDED to signal completion
using object status values defined in <xref target="MoQ-TRANSPORT"/>. By explicitly
marking the final object in a sequence, subscribers can distinguish
between "more objects may arrive" and "all objects have been sent,"
enabling detection of trailing deletions that would otherwise be
undetectable.</t>
        <t>Publishers SHOULD send an End of Group status (0x3) as the final object
in each group. This allows subscribers to determine whether all objects
up to that Object ID have been received, enabling detection of any
missing objects at the end of the group.</t>
        <t>Publishers SHOULD send an End of Track status (0x4) when the track is
complete (e.g., end of a recorded stream or live session). This allows
subscribers to determine whether all objects up to that location have
been received, enabling detection of any missing objects at the end of
the track.</t>
        <t>For subgroup boundaries, the transport stream closure (FIN) signals that
all objects in the subgroup have been delivered.</t>
      </section>
    </section>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="moq-object-properties-registry">
        <name>MOQ Object Properties Registry</name>
        <t>This document defines new MoQT Object properties under the
<tt>MOQ Object Properties</tt> registry.</t>
        <table>
          <thead>
            <tr>
              <th align="left">Type</th>
              <th align="left">Value</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x2</td>
              <td align="left">Secure Object Key ID - see <xref target="keyid-ext"/></td>
            </tr>
            <tr>
              <td align="left">0xA</td>
              <td align="left">Encrypted Properties List - see <xref target="pvt-ext"/></td>
            </tr>
            <tr>
              <td align="left">0x32</td>
              <td align="left">Padding - see <xref target="padding-ext"/></td>
            </tr>
          </tbody>
        </table>
        <t>Note: The Encrypted Properties List type (0xA) appears only within the
encrypted payload structure defined in <xref target="app"/>, not as a regular MoQT
Object Property. It is registered here to reserve the type value and
prevent conflicts with the property type field used in the encrypted
payload format.</t>
      </section>
      <section anchor="ciphersuite">
        <name>Cipher Suites</name>
        <t>This document establishes a "MoQ Secure Objects Cipher Suites" registry.
Each cipher suite specifies an AEAD encryption algorithm and a hash
algorithm used for key derivation.</t>
        <t>The following values are defined for each cipher suite:</t>
        <ul spacing="normal">
          <li>
            <t><tt>Nh</tt>: The size in bytes of the hash function output</t>
          </li>
          <li>
            <t><tt>Nka</tt>: The size in bytes of the encryption key for the underlying
cipher (CTR suites only)</t>
          </li>
          <li>
            <t><tt>Nk</tt>: The size in bytes of the AEAD key</t>
          </li>
          <li>
            <t><tt>Nn</tt>: The size in bytes of the AEAD nonce</t>
          </li>
          <li>
            <t><tt>Nt</tt>: The size in bytes of the AEAD authentication tag</t>
          </li>
        </ul>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">R</th>
              <th align="left">Nh</th>
              <th align="left">Nka</th>
              <th align="left">Nk</th>
              <th align="left">Nn</th>
              <th align="left">Nt</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0000</td>
              <td align="left">Reserved</td>
              <td align="left">-</td>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left"> </td>
            </tr>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">AES_128_CTR_HMAC_SHA256_80</td>
              <td align="left">Y</td>
              <td align="left">32</td>
              <td align="left">16</td>
              <td align="left">48</td>
              <td align="left">12</td>
              <td align="left">10</td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">AES_128_CTR_HMAC_SHA256_64</td>
              <td align="left">Y</td>
              <td align="left">32</td>
              <td align="left">16</td>
              <td align="left">48</td>
              <td align="left">12</td>
              <td align="left">8</td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">AES_128_CTR_HMAC_SHA256_32</td>
              <td align="left">N</td>
              <td align="left">32</td>
              <td align="left">16</td>
              <td align="left">48</td>
              <td align="left">12</td>
              <td align="left">4</td>
            </tr>
            <tr>
              <td align="left">0x0004</td>
              <td align="left">AES_128_GCM_SHA256_128</td>
              <td align="left">Y</td>
              <td align="left">32</td>
              <td align="left">n/a</td>
              <td align="left">16</td>
              <td align="left">12</td>
              <td align="left">16</td>
            </tr>
            <tr>
              <td align="left">0x0005</td>
              <td align="left">AES_256_GCM_SHA512_128</td>
              <td align="left">Y</td>
              <td align="left">64</td>
              <td align="left">n/a</td>
              <td align="left">32</td>
              <td align="left">12</td>
              <td align="left">16</td>
            </tr>
            <tr>
              <td align="left">0xF000-0xFFFF</td>
              <td align="left">Reserved for private use</td>
              <td align="left">-</td>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left"> </td>
            </tr>
          </tbody>
        </table>
        <t>The "R" column indicates whether the cipher suite is Recommended:</t>
        <ul spacing="normal">
          <li>
            <t>Y: Indicates that the IETF has consensus that the item is
   RECOMMENDED. Requires Standard Action as defined <xref target="RFC8126"/>.</t>
          </li>
          <li>
            <t>N: Indicates the IETF has made no statement about the suitability of
   the associated mechanism. Requires First Come First Serve as
   defined in <xref target="RFC8126"/>.</t>
          </li>
          <li>
            <t>D: Indicates that the item is discouraged and SHOULD NOT be
   used. Requires Standard Action or IESG Approval as defined in
   <xref target="RFC8126"/>.</t>
          </li>
        </ul>
        <t>Cipher suite values are 2-byte big-endian integers.  The algorithms are
the same as defined in SFrame ciphersuites defined in the IANA SFrame
Cipher Suites -registry <xref target="CIPHERS"/>.</t>
        <t><strong>AES-GCM cipher suites</strong> (0x0004, 0x0005) use AES-GCM for authenticated
encryption with a full 128-bit authentication tag.</t>
        <t><strong>AES-CTR-HMAC cipher suites</strong> (0x0001, 0x0002, 0x0003) use AES in
counter mode combined with HMAC for authentication in an
encrypt-then-MAC construction. These suites support truncated
authentication tags, providing lower overhead at the cost of reduced
forgery resistance.</t>
        <t>Implementations MUST support <tt>AES_128_GCM_SHA256_128</tt> (0x0004).
Implementations SHOULD support <tt>AES_128_CTR_HMAC_SHA256_80</tt> (0x0001).</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="MoQ-TRANSPORT">
          <front>
            <title>Media over QUIC Transport</title>
            <author fullname="Suhas Nandakumar" initials="S." surname="Nandakumar">
              <organization>Cisco</organization>
            </author>
            <author fullname="Victor Vasiliev" initials="V." surname="Vasiliev">
              <organization>Google</organization>
            </author>
            <author fullname="Ian Swett" initials="I." surname="Swett">
              <organization>Google</organization>
            </author>
            <author fullname="Alan Frindell" initials="A." surname="Frindell">
              <organization>Meta</organization>
            </author>
            <date day="12" month="May" year="2026"/>
            <abstract>
              <t>   This document defines Media over QUIC Transport (MOQT), a publish/
   subscribe protocol that runs over QUIC and WebTransport.  MOQT
   leverages the features of these transports, such as streams,
   datagrams, priorities, and partial reliability.  MOQT operates both
   point-to-point and through intermediate relays, enabling scalable
   low-latency delivery.  Despite its name, MOQT is media agnostic and
   can be used for a wide range of use cases.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-moq-transport-18"/>
        </reference>
        <reference anchor="SFRAME">
          <front>
            <title>Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media</title>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="J. Uberti" initials="J." surname="Uberti"/>
            <author fullname="S. G. Murillo" initials="S. G." surname="Murillo"/>
            <author fullname="R. Barnes" initials="R." role="editor" surname="Barnes"/>
            <author fullname="Y. Fablet" initials="Y." surname="Fablet"/>
            <date month="August" year="2024"/>
            <abstract>
              <t>This document describes the Secure Frame (SFrame) end-to-end encryption and authentication mechanism for media frames in a multiparty conference call, in which central media servers (Selective Forwarding Units or SFUs) can access the media metadata needed to make forwarding decisions without having access to the actual media.</t>
              <t>This mechanism differs from the Secure Real-Time Protocol (SRTP) in that it is independent of RTP (thus compatible with non-RTP media transport) and can be applied to whole media frames in order to be more bandwidth efficient.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9605"/>
          <seriesInfo name="DOI" value="10.17487/RFC9605"/>
        </reference>
        <reference anchor="AEAD-LIMITS">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CIPHERS" target="https://www.iana.org/assignments/sframe/sframe.xhtml#sframe-cipher-suites">
          <front>
            <title>SFrame Cipher Suites</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC3711">
          <front>
            <title>The Secure Real-time Transport Protocol (SRTP)</title>
            <author fullname="M. Baugher" initials="M." surname="Baugher"/>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="M. Naslund" initials="M." surname="Naslund"/>
            <author fullname="E. Carrara" initials="E." surname="Carrara"/>
            <author fullname="K. Norrman" initials="K." surname="Norrman"/>
            <date month="March" year="2004"/>
            <abstract>
              <t>This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3711"/>
          <seriesInfo name="DOI" value="10.17487/RFC3711"/>
        </reference>
      </references>
    </references>
    <?line 1021?>

<section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Alan Frindell for providing text on adding encrypted
properties. Thank you to Magnus Westerlund for doing a thorough
security review.</t>
    </section>
    <section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix provides test vectors for verifying implementations of the
MOQ Secure Objects encryption scheme. The vectors are presented in JSON
format with hex-encoded byte strings and integer numeric values.
Whitespace in the JSON is not significant.</t>
      <t>These vectors are deterministic and can be reproduced from the reference
implementation by running <tt>cargo run --bin generate-test-vectors</tt>.</t>
      <t>The JSON structure has four top-level keys corresponding to four test
categories:</t>
      <sourcecode type="json"><![CDATA[
\{
  "full_track_name": [...],
  "key_derivation": [...],
  "nonce_aad": [...],
  "encryption": [...]
\}
]]></sourcecode>
      <section anchor="full-track-name-serialization">
        <name>Full Track Name Serialization</name>
        <t>Each entry tests serialization of Track Namespace tuples and Track Name
into the Serialized Full Track Name byte string.</t>
        <sourcecode type="json"><![CDATA[
[
  {
    "namespace_tuples": ["example.com"],
    "track_name": "audio",
    "serialized_full_track_name":
      "010b6578616d706c652e636f6d05617564696f"
  },
  {
    "namespace_tuples": ["example.com", "meeting-123"],
    "track_name": "video",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f"
  },
  {
    "namespace_tuples": ["example.com", "meeting-123", "floor-1"],
    "track_name": "slides",
    "serialized_full_track_name":
      "030b6578616d706c652e636f6d0b6d656574696e672d31323307666c6f6f722d3106736c69646573"
  }
]
]]></sourcecode>
      </section>
      <section anchor="key-derivation">
        <name>Key Derivation</name>
        <t>Each entry tests HKDF-Extract and HKDF-Expand for deriving <tt>moq_key</tt>
and <tt>moq_salt</tt> from the <tt>track_base_key</tt>. The <tt>track_base_key</tt> values
are ASCII strings: "sixteen byte key" (16 bytes) for SHA-256 suites and
"a]256-bit-base-key-for-test!!!!!" (32 bytes) for SHA-512 suites.
Intermediate values (<tt>moq_secret</tt>, <tt>moq_key_label</tt>, <tt>moq_salt_label</tt>)
are included to aid debugging.</t>
        <sourcecode type="json"><![CDATA[
[
  {
    "cipher_suite": 1,
    "key_id": 7,
    "track_base_key": "7369787465656e2062797465206b6579",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "moq_secret":
      "e5e76a372058231c56eedca06436c94e6f6bab38d759687367c92048faf93f18",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00010000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00010000000000000007",
    "moq_key":
      "36543f1f0d00ea1c6ecacaab3ec878772ef6e4bf7e91f29a1fa99af410802420fa92560c1850654f5ae7fa0281d3d1d9",
    "moq_salt": "e905de3e41c5feb642a8ea58"
  },
  {
    "cipher_suite": 2,
    "key_id": 7,
    "track_base_key": "7369787465656e2062797465206b6579",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "moq_secret":
      "e5e76a372058231c56eedca06436c94e6f6bab38d759687367c92048faf93f18",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00020000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00020000000000000007",
    "moq_key":
      "12acb1032ea6b0c8ee2c1f9cfe052f0d13220782a559c50e669645951bb15ed1c93ae2ff02b411649e0aa99aec19b865",
    "moq_salt": "17efc7dfcc10786fa00771b8"
  },
  {
    "cipher_suite": 4,
    "key_id": 7,
    "track_base_key": "7369787465656e2062797465206b6579",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "moq_secret":
      "e5e76a372058231c56eedca06436c94e6f6bab38d759687367c92048faf93f18",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00040000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00040000000000000007",
    "moq_key": "eb3b95606d7c4775688c121e8f06832c",
    "moq_salt": "dc11a8d516c299f44b24be8d"
  },
  {
    "cipher_suite": 5,
    "key_id": 7,
    "track_base_key":
      "615d3235362d6269742d626173652d6b65792d666f722d746573742121212121",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "moq_secret":
      "f633519ec99705bae4bcc7fe0f88ccd3c0301355d97d2265773d8b80ccf23ca39d500bc2d5399315bf78bfc5ed69f8be7b6799cfb35691ffe2db6126ab9e897d",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00050000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00050000000000000007",
    "moq_key":
      "03a7b0a238bde6d398c0c8de14538c31c8f84a4356a01f5ca00d9a46d4046953",
    "moq_salt": "2c82451648c8d25e94b8dbdc"
  }
]
]]></sourcecode>
      </section>
      <section anchor="nonce-and-aad-formation">
        <name>Nonce and AAD Formation</name>
        <t>Each entry tests CTR construction from Group ID and Object ID, nonce
formation by XOR with salt, and SECURE_OBJECT_AAD serialization. All
entries use AES_128_GCM_SHA256_128 (cipher suite 0x0004) with Key ID 7.</t>
        <sourcecode type="json"><![CDATA[
[
  {
    "group_id": 0,
    "object_id": 0,
    "publisher_priority": 0,
    "key_id": 7,
    "serialized_immutable_properties": "",
    "moq_salt": "dc11a8d516c299f44b24be8d",
    "ctr": "000000000000000000000000",
    "nonce": "dc11a8d516c299f44b24be8d",
    "aad": "0000000000000000000000000000020107"
  },
  {
    "group_id": 42,
    "object_id": 1,
    "publisher_priority": 128,
    "key_id": 7,
    "serialized_immutable_properties": "",
    "moq_salt": "dc11a8d516c299f44b24be8d",
    "ctr": "000000000000002a00000001",
    "nonce": "dc11a8d516c299de4b24be8c",
    "aad": "000000000000002a000000018000020107"
  },
  {
    "group_id": 18446744073709551615,
    "object_id": 4294967295,
    "publisher_priority": 255,
    "key_id": 7,
    "serialized_immutable_properties": "",
    "moq_salt": "dc11a8d516c299f44b24be8d",
    "ctr": "ffffffffffffffffffffffff",
    "nonce": "23ee572ae93d660bb4db4172",
    "aad": "ffffffffffffffffffffffffff00020107"
  }
]
]]></sourcecode>
      </section>
      <section anchor="full-encryption">
        <name>Full Encryption</name>
        <t>Each entry tests the complete encryption pipeline including key
derivation, nonce formation, AAD construction, and AEAD encryption. The
<tt>plaintext</tt> field shows the serialized input to AEAD:
<tt>varint(payload_len) || payload || encrypted_properties_list</tt>. All
entries include both immutable properties (which affect the AAD) and
encrypted properties (which are encrypted with the payload).</t>
        <t>Common inputs (ASCII values shown for readability):</t>
        <ul spacing="normal">
          <li>
            <t><tt>track_base_key</tt>: "sixteen byte key" (16B) or
"a]256-bit-base-key-for-test!!!!!" (32B)</t>
          </li>
          <li>
            <t><tt>original_payload</tt>: "hello from moq"</t>
          </li>
          <li>
            <t><tt>immutable_properties</tt>: property type 0x0004, value "relay-ok"</t>
          </li>
          <li>
            <t><tt>encrypted_properties_list</tt>: property type 0x0100, value "for-eyes-only"</t>
          </li>
        </ul>
        <sourcecode type="json"><![CDATA[
[
  {
    "cipher_suite": 1,
    "key_id": 7,
    "track_base_key": "7369787465656e2062797465206b6579",
    "namespace_tuples": ["example.com", "meeting-123"],
    "track_name": "video",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "group_id": 42,
    "object_id": 1,
    "publisher_priority": 128,
    "immutable_properties": "00040872656c61792d6f6b",
    "original_payload": "68656c6c6f2066726f6d206d6f71",
    "encrypted_properties_list":
      "000a1001000d666f722d657965732d6f6e6c79",
    "plaintext":
      "0e68656c6c6f2066726f6d206d6f71000a1001000d666f722d657965732d6f6e6c79",
    "moq_secret":
      "e5e76a372058231c56eedca06436c94e6f6bab38d759687367c92048faf93f18",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00010000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00010000000000000007",
    "moq_key":
      "36543f1f0d00ea1c6ecacaab3ec878772ef6e4bf7e91f29a1fa99af410802420fa92560c1850654f5ae7fa0281d3d1d9",
    "moq_salt": "e905de3e41c5feb642a8ea58",
    "ctr": "000000000000002a00000001",
    "nonce": "e905de3e41c5fe9c42a8ea59",
    "aad":
      "000000000000002a00000001800002010700040872656c61792d6f6b",
    "ciphertext":
      "170654428664c29b3eab20a76e86ab2c2fc210b218b38eb556974021b7804b1d7ced925e33e3d6080e8157d4"
  },
  {
    "cipher_suite": 2,
    "key_id": 7,
    "track_base_key": "7369787465656e2062797465206b6579",
    "namespace_tuples": ["example.com", "meeting-123"],
    "track_name": "video",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "group_id": 42,
    "object_id": 1,
    "publisher_priority": 128,
    "immutable_properties": "00040872656c61792d6f6b",
    "original_payload": "68656c6c6f2066726f6d206d6f71",
    "encrypted_properties_list":
      "000a1001000d666f722d657965732d6f6e6c79",
    "plaintext":
      "0e68656c6c6f2066726f6d206d6f71000a1001000d666f722d657965732d6f6e6c79",
    "moq_secret":
      "e5e76a372058231c56eedca06436c94e6f6bab38d759687367c92048faf93f18",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00020000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00020000000000000007",
    "moq_key":
      "12acb1032ea6b0c8ee2c1f9cfe052f0d13220782a559c50e669645951bb15ed1c93ae2ff02b411649e0aa99aec19b865",
    "moq_salt": "17efc7dfcc10786fa00771b8",
    "ctr": "000000000000002a00000001",
    "nonce": "17efc7dfcc107845a00771b9",
    "aad":
      "000000000000002a00000001800002010700040872656c61792d6f6b",
    "ciphertext":
      "df0fd1431b6883bcb841fa14d4588630aaf11c92363b536ecc08273a27ac4f47bd72fca55f29cd1fad9b"
  },
  {
    "cipher_suite": 4,
    "key_id": 7,
    "track_base_key": "7369787465656e2062797465206b6579",
    "namespace_tuples": ["example.com", "meeting-123"],
    "track_name": "video",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "group_id": 42,
    "object_id": 1,
    "publisher_priority": 128,
    "immutable_properties": "00040872656c61792d6f6b",
    "original_payload": "68656c6c6f2066726f6d206d6f71",
    "encrypted_properties_list":
      "000a1001000d666f722d657965732d6f6e6c79",
    "plaintext":
      "0e68656c6c6f2066726f6d206d6f71000a1001000d666f722d657965732d6f6e6c79",
    "moq_secret":
      "e5e76a372058231c56eedca06436c94e6f6bab38d759687367c92048faf93f18",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00040000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00040000000000000007",
    "moq_key": "eb3b95606d7c4775688c121e8f06832c",
    "moq_salt": "dc11a8d516c299f44b24be8d",
    "ctr": "000000000000002a00000001",
    "nonce": "dc11a8d516c299de4b24be8c",
    "aad":
      "000000000000002a00000001800002010700040872656c61792d6f6b",
    "ciphertext":
      "facafee5c450bd140759bdffa6eef6948ae6dbfdb7ba87cf3e161a641b27f952eb4f13b18e351d4e7e344675f0dc96e0cd5e"
  },
  {
    "cipher_suite": 5,
    "key_id": 7,
    "track_base_key":
      "615d3235362d6269742d626173652d6b65792d666f722d746573742121212121",
    "namespace_tuples": ["example.com", "meeting-123"],
    "track_name": "video",
    "serialized_full_track_name":
      "020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f",
    "group_id": 42,
    "object_id": 1,
    "publisher_priority": 128,
    "immutable_properties": "00040872656c61792d6f6b",
    "original_payload": "68656c6c6f2066726f6d206d6f71",
    "encrypted_properties_list":
      "000a1001000d666f722d657965732d6f6e6c79",
    "plaintext":
      "0e68656c6c6f2066726f6d206d6f71000a1001000d666f722d657965732d6f6e6c79",
    "moq_secret":
      "f633519ec99705bae4bcc7fe0f88ccd3c0301355d97d2265773d8b80ccf23ca39d500bc2d5399315bf78bfc5ed69f8be7b6799cfb35691ffe2db6126ab9e897d",
    "moq_key_label":
      "4d4f5120312e3020536563757265204f626a6563747320536563726574206b657920020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00050000000000000007",
    "moq_salt_label":
      "4d4f5120312e30205365637265742073616c7420020b6578616d706c652e636f6d0b6d656574696e672d31323305766964656f00050000000000000007",
    "moq_key":
      "03a7b0a238bde6d398c0c8de14538c31c8f84a4356a01f5ca00d9a46d4046953",
    "moq_salt": "2c82451648c8d25e94b8dbdc",
    "ctr": "000000000000002a00000001",
    "nonce": "2c82451648c8d27494b8dbdd",
    "aad":
      "000000000000002a00000001800002010700040872656c61792d6f6b",
    "ciphertext":
      "09399b821a1452a320a8bf927c004c71f8fd34449070f99746ff6ab0ef67a4f93b7f889e64d194a7b18a7a946184fed15386"
  }
]
]]></sourcecode>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAFoRTGoAA+1965rbRnbgfzwF0vrhpkTSBO/U7GTTllp2ZyzJUbfjzZdM
1CBQYCMCCQ4AdouRlG9fY19vn2TPrS4AwZZkexzPt+KM1SQuVadOnTp17tXr
9bwqrTL12D/fxL0q78Ef/1JFu0L5L5f/oaKq9JO88J+rOA39/FYV/j/9ePHE
vyrCTbnNi8oLl8tC3T72n+f/dNV404vzaBOuofG4CJOql6oq6a3zv/RKeqyX
82O9QeBFYaVWebF/7JdV7HnptnjsV8WurIaDwWIw9MqqUOH6sX9xfvXMC+H7
Y//kbLvNUngxzTelHwLcr1SY9a7StTrx3qj9XV7E8MKmUsVGVb2nCIIHgI68
W7XZqcee76+KfLeFlhqjO4Fb1X4LcJ/8lBdv0s3K/xafxOvrMM3gOoziH3A4
/bxY4eWwiG7g8k1VbcvHX3+NT+Gl9Fb19WNf44Wvl0V+V6qv4f2v8b1VWt3s
ltxg7271dR0z+EQGmCkrt216ss9v9tO88c7X9+K6f1OtsxPPC3fVTV4ADnrQ
he/zLD3ZZZna+P+oNhsYc0l3APBwk/4nYRmeSMsop+uKEZFkuyTZ/0OE1/tR
vq43eLm7CUv/BcxN+Ga3DotPabHc8OPH2nyVRjdhEfvfhDCtnwRjkS3/Id3e
9su3nudt8mIND97S/APN9q5enb24/OHlqyugld7TfgN7laFz37989urs+TlA
8OzJYjqYwJWz87Onve8vnl9cXdbeLuDtKClWvVCFcS9L1yksBi/dJG7nTy5+
+O781eVjAlUW4eWzAgYJQ9jeAC1e7tJKhmjmCz49HDD0d/bijH7HQCEwE2FW
Km4rLFYKKEYTzN3dXT8NNyETYVmmq81abYBSygR7kz/9t0gaD/hHLyIIeiVD
4PV6PT9cwiIMo8rzrm7S0oe1vcNm/HKrojRJFa5BXzEXgT8EMtzHFapiuBEV
+y3OkF9GN2qtPGQroV3CvlCoTygHjOFbt7Asm6znFGat4xkG1PevbpS0Cb2E
ywwgyYt0lW7CzN/ulllawlCg3ZsQgAXaUX7ol/v1WlVFGiGn8O9gLSHofrlb
llGRLuH5rl/lcK3cFbj+6WXo2C9UFu5hqNDKjjqDx7xY0eBkCH6UA9MBBPeB
QuI4xdGFWbbvus37EWALxpQme2hcAXEAAyzSak+czOAOL+QJ9BopIJtYI6mL
fSRpsTawYRvSr4+LbpNX/lLBal7nMc5O7KcbRm1aNeDy08qHv8CXcITeNkQK
qAhlObThb4u8gk6hiTLHfixSaRClynDQaYL39ogZD/hzTLiBsXwN08ww0JXl
XlDY95is1mkcZ8rzHiCrLvJ4FyFcnsfT/vJwxyECuOr4QIMhwZZHecZIgEs5
0Ng6/U8AFukLsUJv6+e6voK5hjbjFHBaweDhKaSyn9TS9NA178ZpWSpAslBo
4scqg3koaFIAY8SdN9HeXxO0797VOMqHD33aFoE+knSjCF5G3deGEuRN0y6g
BqALoyIvS0At0FSCM4KksAUoYLqFAhHEcrdFePHqXRorHwawUgjaroQlHJbQ
JZI2DCNJVIGkUagyzVICGelMg3+KvXd9JEJc4vCj42+Uivn9fFcBba0Bh+u0
ZIrDFRdm4RIaE5KN8rLyFfRDr8NoYbhlmUcpLX8CQ9OnGSzsy7BLv4GFclHp
weCoNzH2wpgxbOEGtuDVjQc4KXlJEBo2eayQlq72W2AkSM3AMV7+E8gCcBuY
lCo3X1U0FqTmMIoQMISfWxeQYLHf7EqPVoEeID/AS+DE8rUTzcr0ekC6q3Al
8JLTzABuL2lpa3r3v8vvFJIzMT6+is3b2VUWf9new/V606SPLvbFM2OHAxsj
Am32FybVkGlPeBI8HYVFsYe5FKD+soMlAGOo8oIWKsJ1hztrstvQGkS0nsF0
7KIbwM9dzrRJyCehgma+sE099rwAR7ntLfe9m3zrn373zXcd++wSZhs5EjZF
0iJgc5unyCg9b9jXEijy4dPz4bnzZgKUR1C/1Hz9B8OCcKQbHiqKAma0JMha
fou7lvIBINsqcAsg6VtYODRVV99f+oJzYhlAGhtFiDDc/8ordiBr4l7EK1sT
rW9XGEB+rlkmvgu8+E5lGf7V5EVbHz2nYek3N1XLMWRnk1eO76qAB2e+ce+h
FuV1+LYEfgAbCI9QBI21AmFqk5ZrJkq3ba/edn0xvnvHwhBwOM8Tuu4isAqw
FoewtFc5zFKOewIOS6HQgUDAxACtEocmOMJ1vtsQkwvNjoQCTUh3LQilpjJm
fCqMbgSYPo8zLYVN7kDwxj1tjfMSQtv4PLNW4NdLWD4FrrRwF6e5K3/ANAE5
Ka/eL831DWxntNWlcF0BGukqzCbgdBMD5wXpYVeGK9rdQg/HCttdhJ1vVREB
SuEeTkhj8KZtGDvToGUzDvphs1cwFKBN2MezWCSZu3yXxcibYOXtAOebyiww
okyAzJNZxkWKzMmRrPq8HpyBWlJg2mOBgUiIBTwR0xAP+SbD5YzbTIx8yhXj
iKO+rRibej1ePPVvw2ynWHDaEBtcI9+BoWz80dCDeSlhgjYrmU6SmblBph9a
xgTTu3ebfBMpIr0HD/wrhVJQnuWrPY+JBDrQ/UrQ6368vDrp8l//xUv6/uoc
Vver86f4/fK7s++/N1/4CQ9+vPzxe7mP3+ybT14+f37+4im/DFf9xqXnZ/8C
fxDzJy9/uLp4+eLs+xODRrO2EQW8rdB+uy0ULuWwMcxvnvzgB2Pv3bu/A31j
GASLDx98/jEPZmP4AQjeUGc8HfyTRbDtVoUFNgI0Cqr1FlCZgcwIXZQ3+d3G
x6kB7CELeuzVVP9zQxCwrr/5Du8KQ4c/nncbgjRc4dUDUcfHeyTigQ65ghVB
Ei3M8+mlcMKgP+4HHZT7HjCJspkAvsPuBhs2AOq/e4B3PoD4hw/cJzcxO2tI
T1bMY/JLN57ZZGAZATqQBR4qB1393XC4uxvQM0mYlcZFG2mVxWA2WULHa4cd
4nJ2RH/AgEbJEFnkISr1uG9SYDNoRoiQmTK21oQtYGqeu+qQZaJSAEJaSmw+
saoCWTnYQoIK3BsEQNt2dE/IjgCjacTMF0T6NYlFsDqBOQHbLWlqd5sUV3YO
muY23Gc58C5kEMCagZOQ5Lncg8LY98+yzKByqXBhk7zCsKCgGRPksBfCSlWk
YiF82xylsRT3ALUFtEGrKTXHkBNzAUZYkooD85wJHmH/cEZZquIWqaaUTaQi
SWWFL1Z6Ymu6GEj5O6WniNkhbjeqJNHkv/7rv/wwLG9XBzqJY4Hy3nvv/Z//
AaVFeY9AHbrCcZ75vR78kM8j51/328GVv6+D8J6tVgF+c34P6Xe/3zdXXsC3
+quPTKuPWn/LFe68ZeDNK23I+cgz94DQHCYT88AM0/xuabHXaLFtCLqFoNFi
8ItbHDZaHP7sFvEDc3j07fb+X9zT3y+j4DoBf/NzCbjW5ucRcO3VTyRgoafD
4RwQ5+ETv8ZbvwDMe8j+8ImWXtuJ7PAJZH/eu8f+gyRdoUm06pWwG5BWhDbL
P55cVsUuqtDsb1UxX5458T/YvQblntoOBSq9UrSjlo/5D4u2r3hXRUmzIPEY
9k8yIYH623zMPrXckQEIBV1StFjj1+9hG/pd5fSAj9Pr2ky1Z4Oi3t7IvgKD
BdEOJTbcyskuGFszAG5nsq2gzQU1dDREoVB2m5Yp2whZ4BfJw7MWNNqVaZeq
WR8ZCHeHx302z1SG9rNyC/oKNuyJoUrbMRirRuyWQaCwTxs/TQHou7AjkkkQ
1RWckqVj4UJBnJ72X4DuUG7DiK0DdM3Da6jJ7LZkZuXejj5O11jeBRyLlAsK
kisvQNcguInYwMuZd3GXbAoFUnIJcFMT3hFRs9QCF7UCOodtBn4g2rRxBTFy
lztKIgiOoKpVKQ8qt12zUeOKUFzDU2PQXedClwHwaxDgEsQLMJpVli/JVAXi
FGCCBHV/hVYzsQqJXawLPxNVFGK7Kv1nO5DnoZ2XRqtq1dHYnIIwkzAHYg8a
B/XSlJdPETSc7BLU0Q4tI9bLUA0EVTZMQDfBzsjuwu9AR0lagBCl6TembnBd
m9dhkaCBR88eGf6klRKpAcfgDABXrTWeILwonW6Upq07XKflvqzUGjQ7taWL
9TZKg8cSKXpHJsrQT+ChvfeXXZgxscf5GnVo9CKhg8D/8Ud8FbCKbOEIKaOK
2XRqGuE9GPSH/eAe8V3UdbLFAYLyDcnxZKV5aWwXyjUWibWmqYGTW0kzHOZg
10JVP/ASvyZKOzeWyR8sPX+fwoS9e7e9rXqgl6NN2vGYeK7NR1rWxHvd1b3I
j4v1elfRurPNX3tWvwv601Z9pkPA6bYMxIyerleoVVjEGVoyNfva9OBP7y4t
yESRkzm4xtpK6xDyngLRrIpwTbNKcjl7i1F2f4+gaux+DwSawbb4jOcF5J3H
vebHXEJp6MeN9X3gEH7c1M1vaOAkRt+BVpl0zrI0BJ3r+QGiSPJyNO2zWkvv
DcvoWsLuOmbOH4o0R0th12+bhe597Mg/TTdRtiMk/kntoeFOExhLOGELaNbq
ylPXvYfQ3pOsUC2zniXrXoaIL7XAgG40GeOltsU2Z6kkyeHBA6f9hk1AI4HY
mEGJw8dxazTGUDQqeXVD1g7dI9Rk6+toMM83t6pmlKtP/1pVIXFYctnFQFLW
NaB3YNvgaamU56zDDq/+46gkzRo2uozcWaErcnghqdTkt3T481bPj/VB4Gux
ctphp4QnHsXC2IlruEl2BXvJHPPAdY0PCiVdezLCPY0P1v4btU9jGWFXxKK0
7tVFsMXSblDvWUyxXe9SVbAezkAzX7MFmK17rkjEvuySrcFsIAjFZ+afMnzA
tejGazQXvQbYrjteRcKLNhHRy82HEOI3GzSVkRiHuy854AmDh1JcKbNTE+HE
z8P7OrVPLiAcNgiJMNYeXQRpKCrQpyWSYFr4sGEp1KdY9lElIoh2W5IrdxVt
5+yDA5xpK3udvIXL19CVlbmZUZ4YRhJaBcWYTBZdF3DXFA4wS9vP8kLTGBmo
ERhpC0FcopEGG9J+m3ba8S3taPetGHhqROK1rk/ZDrjFjtnUBCGhAw42sTHC
KeAAXdUgorAxTItHRkCxj96Et8oKJx4/b4ikpGFv2OSqHYz1VzQQbPsWLlRz
hmj/EdAtsOeMrdfi/V2Hm70GkmkVxAh03lbEu6xJ0QEZmlwp9BDe6TfZCsae
ukikcMHrxhFzasFUMbr/1zANrFtQLAiFgojdGqnE+mGoo69K12EkTgCYlUti
Ck4TIB9ppSVDLgeT5dwtPaIEFCelH+YGDnjIJyMVIzm9ewD0/UF8Z6XsH+LT
gwuV2soqdAdHggPxfRgM9GA9H6V3r+uDIEHGZHgpyaHORvvuQVJtPqCEePQR
onFQO0QFJjjuV7es2R4NqXePySB5Xxd/tCCeNprutBgtXMNA65sd6pC477W5
f23ZAaCYo0fMEmqV39Bk7UB52aoqlq7sa6zk6DhAG+9hfIXM/RpjxliA5VgY
s3Me09d83gWASNAo4NFOyt4NhlhhRMNONGp61DgaZbzaY8fD86K8YMWcBos2
Alob+GrfPzffvyotRrhv3+nb032LYmvVewGF9GTCGn8zirGOWhBDgCfskfvn
yatTYWOwpkM7tAOzPq9NYz+ggC+05MNyAy1LdmBnc3f5C5PPo2sLMTF7FKSs
To29mG5LWW+yZ7ieqatc70sS5SAP8UbU8EaWZJ8iJ1IWpuycxI3Jaz5rRbnN
3pHk7J4jSw96dZeYFgdei/Qla8xdS0dlPFlaPxF3v262dC27lwvlV6UWLUlX
xl3PO6D1lpYQEdChaKM8+T09+Yh3j2nMJYDKsYOJgebqYGlpEjVj9JpyrMse
il0monnrpn5qGYDnMIAgaNcrhbDtvDK+Nnb2ZMp4h6FH/qhvnm4rh7MBTe4y
WkXOs0CrGZCvyL+HSBUPk6PRaxVJTEa2KVlfhUoyCWdSjjjf0vY225VEiccV
BHoEG8I4VFc3IetsuBL0wG4eplk9WmSLe2hJ3OxgbxFn16MD3fjQXmytxO/9
5hCs1R5011uMufhOhTHsvaR8njZXXkc/ff4WWEJJW7WYzA89BweQ2C/ODnfU
neHaw2+PPXTrPNSGi0/9tLkXfs7n/eGMPHJufwzER7ad935d3akh6oglwrnv
tHMK9GhsCn6jnTbjRWs7B/6gR7XnHFHH2j6ASv5Vi9d/lnYOmnY/h06no/jR
346SxtFOag/cP64mXAfAPTLtvKeBPlW0jHC9tPV9nNiddk6/+9PTZ5173zm+
Hmrjqq3JxriOkuIjfe+Rr/FsQWjzED+5egUM+9uLp6fTcef9+5fwZTREYxv8
/+zsKb3z8XasD+2XwXPfZRfPtcfKMKt+jXaOvXB0vj6pnQPUHJLosXact/4e
Lr/AoCw0DHAE6nF/f7Od2ucXwHPk82l4Ri5434dCzlrvhLjTwWdb/ZrwfLyd
z5n3Ou03VkIbUzrSzr1AHbtZbwc7/3vTJQoufRFw9LVH/+Mo83DaubdLvnmk
HdOebed+/Bzbv9siAOhze3jDDYFoafD9EysptjT7/lQrOa29vtdSZ6f1dm05
1dz5ViDsaYFQbPQHShdbXUptlzdq2VNVU8t0JsxH1DJjo9His193Z6Fk7QjP
6Wa7o6ButiyyYqKFflcrk+5P7buOiH+oJtQM46iyv6UMp0Odq01A1577o/I5
u45fUQSDVrfrY2hplfUE9uDSq6RzkylQdP+y5TV4ftT3LxLgU8YwgN5Ownyh
OC7iOKTw+rjvv8Rn79JSdTkiorpR1kKL+ZD+aTDFCOqyQ33hfbJs6rCLwduz
LpJfDC85vro+kGdRKkk7QLBQzTKjqSuP8HpTzSl1gAmACd1uoTGyJ4FSAw1U
pCSVGGLdlS7Ys+FT1K+BxaEybY4wipE1ZX+KYvSRBfbfsbiPMhZp49iNz9Rr
vqgyX1SZlnE14ToK0O9dlTkc1xdVxv46psn8nlSZe6bynnb+eqrMz4PnyOe3
UmWivxlV5qMYPtrOr6XKmEdJlRFp2Dz/t67KiFL7GW80lJ9HR2FpQnMfAuqd
3beX6d4/z3itIfgcE7Z+53MM2T8HNldfs3LqEX3NamMNfc3V5C4x8i+UcCou
D+KEK+kwrEJlFGaxQS+f9tBzBAB7aKznwfErhNkKxaObNalHN2F541xKKejK
P23EA2Dwxk/Ku0uzjANedbg0O44ompNCd03QB/Zq9K96J56W1x/61651gfW1
a3eVXvs9v5EEydFSRqP1bS608XNRCwiwgKe9rrfoe2H326tnT/xJEEzhfc7Y
wx8fPkiaPIWbcFuHLhs3GBVed3TgLdVGYMdcY2ToNcu3HFNAWValwiIOMFkU
YonlaUryp7+6+gEg+p8A0WgWBOxA03h68UbjAwOC8XHW0MhfiHuKRkDbbDvN
bO5phreeT2zIzI9Jk3UbO9qA759WphZApeGg7k8AwSemUgQn3QqpGdtAx8VI
iCBgrBPPg88hKhJhzPO+3uY7DJlEinTzNxEO7b4c9yd98WDqtOlO18J2FNXQ
BrStimzPeYVH0PUdLID+i5ujeCdNfFehCUV+0ZLRpO0Rf3iuYxnP6jT57gFI
BR9YX9YhdY2Ak2MhqW3Kl4dr4FCbqsXKuVHqVK2lFnQpAduerkJgeJfFj45p
pOotCAmFKr0N19uMbARh5bhedTyxKeDAXt89dsVxWDqQahPb8BIT+vdVSaVb
NjFFCshobFum+orU0aDQqkiiiX5CG5RmuRjhXMB8O7/D+gi7DaaI0+UZ4wh0
usW/bFAxFjPDLvV0f1WSuhEWK8pGFsuGvy3VLs4xHMC7PH/y46vz1y+/+cfz
J1ev8eF3tHOZpAbUYMjQ48TxozLD11pm93Qu91r1X8fec9rvd7wP1mTXkkeB
vySwPtThRUwW03EP0/vx0dEQv3q7DYba0XqUBBE3CYQWCVlB4xT2uFPJuuhw
GArlpUrIXpK+VXGPE/1N9I5QF9PEModbWLhEUnqMEcoEoHgcN4MZAIhSSYfX
ZBGuAZId2RXC0qRS9+r5LZ7uu8Tw0TWMdY0xC0DV2Fwa29gaHeqW2Jgs6rBf
i01rnQKymnHAuPqkuF8J2dQske9LsFQ9E7cEsQNR4GMpB4DHiVP6k55V2qeo
bAEH/jV0MeBHnP1/P30gN9EVpbhWk+yNWCEF1tViSvRBIS+Yog7KeYcx5IQs
/6+Xr2Th4kpE5Vc3QMFNBJiugEBLzOVAVzpqC5o3RlJ8uR42Rk3pUXiYHaXJ
2KHMJhl3D6J0zNA9Zz2Esgzua0oI3EL+tWMLJYkMzawYMUtirggYBrUclrrS
8GPhBiw+VnBdh+G/w1gCX7Z7Wwri4DGAM9DynFcrDSCFG6QMFQq0GHnK0elA
IM9f2hospZsR5LY/GpLR2hTg4f0Atu51zhMn4UFc6gYxd3Z+2fv2yfMuLjOq
qYNTjdlFqsL5vJOwX6EBuLGYetwFCgsI1P/93/8Hq8uka0xuQ6GXqjF165Go
GOVqZRWOC/Y4BJz2nK5Ol6ciDzw4y+918SFn1HFOdngMRqYsxbcRhiXL+Lv+
OnzDJEels7CSSc4lzNxhQs+xypOkf+8KizhgHLkehTxTqTEq2kEkUt9yvfGc
IKCQSGcalioKETcMoDuQOyQrmkNYKVj2iaJHaWOz2YsOWmtrQBjJHUxkppIK
XQSaBFjWQRaFw7nENe3YIt89wLBuYC3nxzQC6pNlNCo0gA1g+QIszaaD3b2D
ZIJGHSwTnN73vyWBJzzIP/CEF1VSz8R0hrxMd8hi6HfPz570uBhG3bTqPZMd
X5tKRReZT7GUSKjDWCWq0RUAQL+TThCY19jxKX5J424dzm6rEcD61F5jDt5r
fgeDQTtYwHCd/+U15zz4f/QRst45u91OT066DXN+R57H3rMQVDt45QTLewX9
QbNM6SW3ieg6OYDr0T1QtTzMDOE1x7w/8nnwFhb/j/SOAL+F2Tm1o+rWIe76
okzosSA6WweD0NMkH4L/efB/ZADUx8dHYOHUQ9iAcuQD3wD2s9GDtM+y1HbB
nDG2qwrjUW3b16Sa62BgjiEHVvFZUcH8vptb4aelKwkCX5336DVn69M7nunf
xdG1bSf0h8ferYVbe76THcGqobFwcCqUUfaEl9bULptEgZPAVY4k68Js6422
PXil37TmvHsgm/eHVouOozVSwpvRB1qNNlrxbBmUZNgcsQRIoPK1UMW11+SK
hylWlCpWmnxUs5caIcnjXGMQw7SgdK1p7dqmvsFgKdUG/Ss8h6ZAFGf964Bg
K29xrC+LSC2TjKUdWe42Jg2ZwOOhuM7uqG2HvAuZ8bvF+IxEKvPM9qzmLFij
RL1aV04lBNdE5sA20HF8w2ZJa5ioLQ5d5e6w6NfWpNKkZX1LCPownsNgCzO6
yobg14ZofP7C1HXud6snVpvwPqaTULi+NOR0IsMusXQg6mLS1qG2YsMYUiqn
K+pN3LVkpDPhFNEFCitaYaJAjKpIQWap0zhbFC1JgoYS3TTUIIrLeKZ1hpCM
WKiZN6t9vXuHZpYPHIjxrK5jYJWGe2qgTfqUHbVvXdqG29BADc+mt7sIT9eU
TmyQrxRS0vNyD+mXPCbCrHA+TMsybC+h3GGeF6eQAC/zOvGYcst6arteU9Wp
W7IclYsYoxuO5CYpbla1JMVPTUz02vIR21MX0tIqmanQdZGubkgi8YwA1+Cd
JlOYNUaNhOhNrZqnpizPGYKTAWwz9muJ9vjbliBo8iBhGQfKsaE7kz3wadzC
xvjUZtoGPGnrod3YiKHU8qZokee1Ne7So8tImip/jc/6fpNF3LOOu+4ixlbb
ZwEb/d0scWdWPrrEaRf0a84Es2ah8WkfV00u1p6j67wrgh/FbuXCNS39Ywd6
ig6qz1wkOrTO1iCQ+C1djnmnuDZoSVvYx2xOshjbE4NB8SwK3CSRJCRaTMiO
smc9DgxLywir3TohY3EjSOyCCndYrDHElY1y1AqsG2RH6tot1v9HuLTa2tiP
pZaNCxVXGNolifiG3NmC+QPkF3t32oluWBWVTSysnKRnPSSQrnAY3n3DYHPZ
3s9pKtguUAcNEOa5CLOt9f2LDRsf7TXQxbhw5lJpNDNNh1jOxdMOGEwdLJEi
dml5Q9g6ZeMSNKGKDZU8JANi0eG5vAmxwKJnDUGh3+wah7uRgVAR0K6oI4dZ
7J5kvVfhGyf72xSkpYpmfr02yd2NYmq1u0y5iyIqx4wEh4jl+pY6G8ypXiGG
B5ieHzQZk8FBqiV4ntw9NbevMOZy8HYotc6PFdikChgmKdMTmwFV0AY9Cndw
/5Tz1YknsCfDsUnoiq16ayIOSu6dTjPfu+ai4ZoGrmvIlbOMkOXunG3SHVaj
zzLjh9Fq3IEdutkFWeG0xHtQ3cNW/ziQEe6pkvNAV+f4mLx/MElnMklaYCDb
Y+Xd5OSoqOXSwkB6/4yMoPdDCBoOy0xukdRRa65zp57sm2ONJKmie0BtJE2U
blENnVJvSg2TyeywnDbRRuHmJraXGjGlYIxRUa2lHjlVPNN1M86xDHGt9ima
Ce6ZAthICKWniFM0MH3P1H6a0q868shhRHUQxWmEFWOwkjRA5KyyLV9yZvbg
oYMJxeC80CauHqLKo9rtunqbyRa2+hFwr0hrJbD1YYq09kXbXdIzNVtuVLal
RZtW6Qqd97C+EqBnmJIw25dIXVUl5VtxrIfjdFAn3jiNu2BKP/UrgDXrZ/tx
k6XAAZlnOgTDtn2EVFphhdZYEdByZRxVXoMnaX2b2e8BqGFGdb14rbO6xZ2w
C0QMMAA2+i86B14L3EvEW3fgrPPZWecRqm2qfbreZpy0jj77ncmXt/xeiIQc
HLHWlTXkPHZTfvaaob1mJ3sXCYX3B3Qd2c0Ptckq9/5TFTlOymDQQRmUPYPa
07ba5IJmfWyIJpBa37rSwcc47D3ymz7MxLNebOlBYvHdZe83lv2hNO4xxbQl
yrMyczDrNOAlDzYLy8rKcx8DHh1QwvukKoCEN+FwMO8EutKj6dYd9KydPNW2
tVLkgZIOP9AIIGIxBfJTPoWmtvjY/ID1U7gCsz6ygAnYRaasBCLkMRPyPfSL
7TokTMoEyPpqo+u8U+oHUVAtY+KAOHK/fJNu60jQXmibicIvBwwW5XQwZTPL
sGkn/NwGxYJxveP6MBngS+hZxx3EEqex2a2XbEzj16lGNpXBuLFVBWADwz4Q
CZoWqOTej1RN/4nESoW6/hNVbOTS1Fr90OFqtoiLOZAopjrnmATTCKTwzFkC
vOywzcqQ+FIlfCLGnqVLCui4URgCwnuoJ+4yrn5I65APrlGlOVAFR8OVQ7Ew
Ru4uIaS1PwBBH9SfCFcrFDcRWei5A+K+NRUcOayLSwRJO6eqv+p30XUbbstd
xgXJp3IEAzERNPrlEmmEUgM6DdWKsLfelRLrwmqCJ6PemmVFB+Pg+G3Zf3SZ
KtIqYyxTSSEqcqBKzqXmjbWEwAbGmmZs00koFIIQzXJYS9ExPKyF/Jdir3TO
/wBYON6oJjZeJF5YP3yAT0ZpP4TKFKvgQmFG/vW4dnpzNoSLY0wHL0SZiaNy
rA5lYKu1TBI8T0RPjlxWDUzNuzp5g5iix8sRm1fMbag6vud6xZlTmxKcKMwd
SieleC517fpDUaxrq62TZYGO16mJla/k4BqqXkMA2DNRPN6LpDjijT30hSXy
q+8v+3akSD8USsUle7N084ZO7GitZYYddakuaMvpEyHWg1Ols/I9G0yCg8RT
XOiMk7xU3BFg/RvR092jXyzIXZ4iho23CVqEoXne09SiPcJ0CAYrp11TYhhT
zWRpoLGEGHrXZ+cWXJPyhVS15TKnw1dKYnNuNNPbLSOU9S4TPQZTzJPhxXwe
GR1jl1lllsJWMi3FHW9RChJ7VCxZE3FfqnQ165gmZECtRKttWbF6NoxAcUSh
qFOeHMLmUpo5jg01V4pu4vUuU2Od/h6VLL4Wg1Cf9AG0McC7MCQ9PW+oItsq
r/SUFWQ3ppOLkMykbLJ7KAdzU/85kE/kFsPDPfFiI0RpTqbSYVdulVtrQxDQ
rcsDpaVjJW8lEIyUx+dhJmZx5nbnaMdqLV5JFifep8wctKLfMlW+5BmaQhn0
IErM2L5aZlsfrge0Xz9cCWiLJQwObpSVxB1Fxo0Lr3HrX5X3VRStZ4Aeiy1t
S8iz+M6LWpXkP5BYI8C5J7gZkDjOltBwV6Dc69TKAlLhqA0yAGvsaRL8AwlA
5iC/g3XgWK9bpVtOiOVh05l+sRyAQRYvXvR/IAJCs7GMoUT2cYp0JNXOO3oc
yINKy3Mo7FuH5fCBcFSG1MfIdMAE7cY9E5OqfTbtW/PDh9Dbw4dCB61kQFkD
cHfvcZvk7DcCFgZqFVI8HrFvijiXXImcRvsHfIW+9UCYpIh3Yqk8KHNaCLwv
73JQzwP/Gc4moOSMtWTPeyZFTLn/t6nVM1xBHphDWoqPUSg3Qe6+o2MSvVdu
QW7i+/qYNA16bqt3M9WgHRulxzi/23AlYq9xGBlbKW9S2G/5MCo3KkwHoZH0
xnKJkaWdc1v0xo68kmU+beKhuCnrXLWCOAEUwVbpNQ+i1G/hkAF4ACbNd3q7
jsgku83yVG/J2AY66MOqUmvyrjkMDfADKo6uwOvU9jboODibjVCIMHHtVjux
gCWidRdBXU0pwqhJQgu5W9ToojeqMkXAKzR/4hmfbAcn+Yzg21N8GIqvW2OI
rzfBB2wZA39zE0OhHi3HKIHKITQkEOhTLvGVVywL6BmNsrzUXjwrSelode4v
NDklr/QBgW41TjnpU49BrM84AJlu2RUyFRYby48IDewroPBiNJpr18SVMeNi
EMde6qfSInIKw+q8FbQ2oOGVT/3kc3tweoDvFChOexyisCrC7Q1v524tw7q4
TlUE6peYHGEBejnHrw///a14IfTZPvDP8N/3Rnqicp61aEYy3MOySHNECx3w
SrItSLmnbx/tO745bAzP2DXGGik2irXnt7lYMcUWJxEu2kDuqglVbioPiwQj
yTu0sBGTDQ0EpCkKG5fkAmSCjeVgKqt6empQHXhSw+tTDhYlG1Ud42zeMoVc
HY/i4Slk6m2IZ6B6LC0btVazSTk+7uDoXrdGp41y6hIw+rzBZncYoGUPt8Rk
nNu0QJsoRhecaGEEWRz3asLEbFwPeSHQcqKziNZmZnAbxOMtUwt8rk9dMAZW
knmBBWEqUbnfwEMlHxSrXcdtx0aYcDEM2ndzwJz6pwJASQdwcO9U+hTzsrRk
6PkanZxC2GF4THoAluDMORBYmIdGOx+NBe/bWIbayZkMHqPDJMidkRPQMl/p
i62XRtrTAfme7zq6H3sUG8jtHnG3y1kuSyIDHTpwJ469iqdN4hLdgH7brnZ2
/QnLLdQKP2via4kJkhZd8SmkLZ7ivJ28Nwlu0MYx221tDqRfMwG8aaCo3yur
PWVVFHyQm5CN9J/r2ietWRoti8SMXyIPdeH4awkVSImPCGyGrkoOCkw0jtly
CjBg/hWxhhcmscOQZq4FeO6K4jdLs3SQFzqhmVKNkkz5dIBllwh5pTaqIKow
gNPS1tpzVDdcoIt3V5YHfKOpsdABuyUfurnXZxBeHXs+o2qlpaKTNpGZYNoL
bWhtNh+PT8OVEqZkYCVRUdd41l2QGRCP4jbn+xEHllel9jmCxgrNw4dCKcKB
6JwRPNv4McjBP5pfSBGGT5m4mFrY2q72MJkCToXfdA2z6QCzSlE8/EkcaAg6
6smwWrAhHUFQ52X4EHvS8UQFHqj4dIX/mLuoXZOxVRW6JD1t+6hEFq4iT+zh
tBmz2TVBPJgwQ0PD+sLEAOnwF44kuksjCZx7+BBfACYDtEXZZoC2n3BpZIpd
XDdcBl27nd2J7ZqzY0Ay1LFEtP3aMwGaITMlHhrQcx6g8JkRAnIGjK7HWhFC
8Yq+adZtNnzHk0LwJIhNY6cXM5Ksf2dKmYtgjCTpA3o+Sydzo+zqOBwnasSk
zrgpHpq9uts6bwyUaspYILzUc7dNuM0Yx6sTOnGwuMjQkZGvdgZ6cwKw5H0K
J3ILcLOaqKOWzjZ7/a5bsL0uDNQLvRdqhaaZvVvPndymbL1z47xKCQMG1Igx
nI9rBAm0qDAzuhRpQ6x+s/4EodHChw8EjuuYkpRKWsHahqj0YdMgcOQbEkZ0
+TGPlIsyTNRqFxbW4/KGDvHC64aBWDi6VNc625OEQk3jYZSOBdTaJusHTDPN
mHxeOqmGjtRG1yzyRX9Z7CrVAxaEoT0sgbOOow/cXTOXYnWZzooiTq/VJACU
lXwbn1Fyfg7o3XEasR3FBCHjPpCRBgqDKnPME3cSFyUims6nhRucjROrW7Gp
idSUlqLCkr0UDzYAEc4nHk0DMDvRMt24x/i00i55zWlDpwHgZr5G5Qd5FgpT
mljRp5GvOBaHGBw+/lXprkjHka10cHBY0RBZ/WkHoCULmOKW7CkQvjncgA8m
QFHwYnOby270PRpbSlgttZBumQWyxBCHuAElj8934HM+3OMf3MUibpnqQMxH
ggXZTSnMSluxABGrFSZvYew1aoXi4i6VJ/2KDwdQs05LVTM3UZZuaMot6Nkj
+vecMC3H3auPnCNCAFhi+EOT49P+C7JQUWvVq7fK2vZBAFfZ0UXG0aZWaZZT
YjBt+QZPaGDfqMjZWmY4qDKBxgPtKxQ5hdzPrKzV7SLHC0A4spjVjoji+NiY
Wii4Q2cCMgkVpcc2PndvkQmxnkribUgzve8vnl9cXTqnZDBuvHouBqWOk9od
moDUUrfbtW5SZ+geLHg62S0hr+vdQZAYi5jucTNiFF+iAl2xgxHIIaS3RYCX
hLYEpIfDY3Q6vkO/MmY8UpkTE0ndfmZUKkq5bFRaODgITdRJ8fFzfiW6HSNV
mCSUJl1Tx1riAzhRS5cK7Naw5h4135hqd3FyhicCCxJQD3Pv6hB3PYqNPUpR
rnTP0mqV3+moShF+UNFhZOmYdl0Q4KlYbHFGntetdOg/bDHoAiNy7HlFzWyW
GW2cXnSOViv0mdE8fZ6YPE2cFx1c41gzfyLfU4u7TnsfPDmgw5Y/IF8M2sU0
0Ei1Fb+g/b+OT5+Y94GdiKSoXFvFyS6luRLuyZSUCosvvyVSu2xaEgEze58P
AKV4AAOLBZP8d/gYhs7xSZ5i2jaxyiQ9mdgRDoKQ+NXSPRr1MOZLry8THMjk
CDsW/Iljq1DxKeesoHeIBOu4YP90fs84/NARhVjoEEOi4fnCTCQQyIQwP2br
+vMcEMUnGALBXAB9E3/BNy+0d64oG+cIsbpGp3QZQ0JZtySUvL/yosz23lr3
Y7GCx9fZ3oD0A3v2EBlAOVKCRWlADSOZj7QkqXx1UwkFE63T7K3CLZ0rbunY
OcKdYPWAu72oZdobW8iLR0MiDGsPeV570Ln+aNT1eN81oaxoJEEKuVUUTK8p
Fi2zSIzGtC+RTi9gQV8SLsgv5GCb2dO34bYWZ3w4A7hMLPpduKUJqmAiwSqI
GE8IE9Fcbimxg6gceTXKK1W43krOcWrB6RzE7HrknLN4Q1Bh9r/OxW3nIApv
OTIbJii0HQ3Hca21vBuJOGKbmfZ2o8jC6ey5iWTyLKymfu09YJByGC5LI+Po
KCJPl2Mp6qF87IlFZxA0wgYDWPZB378EZg7iM5odUqdbr4aXw14/uQM+Lw8W
GTB6ICg0J6NBQk4Coi32kF3oE8u0x04vjCw30Sul5hqKWvTIRyMlCeRPbkoV
8KnHr86fvHz+/PzF0/OntEsQUE7kj8c2NlPMIKx2pTab1BTJ5kFP/jd7ckLB
TkZsIix02LHkl9mAGxtt3fWbji5HlAXZurrDHeKEQhD0kJHZk2qkTohTnVBs
p9y0tQ5ogk488oXSLuBubMh05KpsboxzdvGQhoN1ljGWDBVCfJPiMDzPid9x
A5DE1wpNM80I4jBqr6MD81w0ePW4IzHysFXKRUnNu6SzG5wBe9BX1awz4WBB
h491/XZEgIbj6X2ylaasEeRTBs/+VTv4ccfW4pB8rdIz7mZhYtIRqbY5ZaKI
FzLHkxZvlT6rvFNDk/c5aPIdNGVaE0QseZ+KJf9eLHlmgCIx63XIJqGwSHUR
DJtAKYNEnyMKIKfPLl50ZD1qccoZgAgapl07xbXtyL84e3F2GLiWhpuQg9bQ
knyQjQASKtuBxMlonEL6MErUJ9yyLw57N4EZ3nVr29fGyESn/VL8+/FSkpQ5
cOwmVhXGmos+//ncD70/eDvkOs8tScg9/+CE1IP+B2/PqHTk0UBo3Yg5Rrb5
/mhIJcM5SNc87SRAfPCPfN573ou8Uo8/cixtZbIzcFdRIB2weco5sPMwHcJK
wjUuT3nC7HQIuSbNagc7Zf1ELR0Y7F9UnNmG802eaM5QwD2MQvF4BSB4vDmi
vXVbKKzMSEphltZiteq17U12g5G6bQqMSeknCZz3Wy7q7l+yovrugWv5bNK5
1alxkHQAcqN4Sa21E4emKfayVo5BGw0oEOt4KQdK5KGSE569aBK56o4gnaht
lAHZkUNnvozI7QLDdTZf3Fw/Pl56sF71gtO3+bU34X3vOaNyi05YC6qpj0n1
u7TJgI7jlvbva54wh6nZ9Ojmo4+S15kfrj768GFhT2ROwn3ec1zZkUXov8IH
bvCfNyH9i/9gofQXlWFRH2FSeJMe4KfsV/mHGMUAPtgdr524FZaeWyz5feMf
3UqAFczPL18Hw/lrmIjXaBV5ffnd2XAyfT3HLv4F/iO2FEzx3fEcv9LvgW1l
eE8r0/F9rcwdWEb3tEIvvzjWythpZey08u2T57oB+CmIMLBsvg65LT2iqW1l
Iq3gq9LKJBg2WqGhcSsMVq2VZ9BMD/7Ax50qXAtbqUiMyp1M1JFporV98uoE
eGC2W2+MxlQaUcaaGXXJF9yzOdw/pkMUH/r/8hi0fv2i8RNenF89I1sLesDQ
AOrcg4bWUnDDdxUDzDCR/IvLCu1CReyfiZXCagFcrWoeDKfkfXrov6gD4PS9
DmNMpCfBkJNDwmUuvh8cT7hMMzYlMyziRNT5r8bM5AD2jIL4n6DFiL9e0gYT
ymhqm1gDzqetiBJkkLM83xUhBppRDTIWdLnGHTdOgUjHcQRzf3F++S1mCRU5
OnDCps/ObwL1xJ1bh7cfLXSkvXGOAwPttsYz3DinV3zOR7yCNFcoN/JzXn3n
7Bkn4bt3Ty5++O781SUj8mGrSfjhQ86kG4y7sso6tAT0wxRl5haMdatTa2M1
1q+FZcjlQtuOzeTO2028BoJAIBjK35GBBOdBF3/EIFMbKkMQUJsNQCmOCK3F
Gl48QXnTo951iEoqhSVLpTc7fXw43N7waA+Hg4keZFClrK38Du3duqKyEGeU
80HcIFNhwK0JLwTyEzvKMXeKBuC6nV1e68nq9A/e1ypes4XDLUS3EmB0sufh
jrbE07FBHzmL3mzyu0zFHF+ASWKwlt+QynaWAUE/K4DdKaxjSTxT44ES3pHh
xLFTWxlFvZqtCZry9/mOapKEqw1wt58Uyp4ZOuIpvDWXONObnGIMPRMkA3Jn
qu5IabqCd/x/BjkvL1BShImrerf8U4uKIaX8pW+dk7HwJXmKuuIYc+yu6d2R
iEPUjxpi5UHoHjvXdLOUR6SLUSD5/ePlyxeehJIRqd6ot7VTgslQi5E4VHRA
Ap42IOVi5KMcc+/9dIPESadsy/LHdk2YHOig5CHYSF2rsg6Q1rTRUhOZbBv2
yOoa6CZkj+rFo6nHqyOFfFa7DRlYr6OwWOX4E4QfWIYc3wSrpefOhK7xRaBa
deWG6tzs0GO57WWgS2SconJw3Dc/BA16uBCRbeoDo/+jzDfev2F29kmjct/J
Y/9f+/3+nzEA4ARr9FmRvHaLZM/XYRjXrtrJ1Ze9f7Np8M1T4XU8Hde+YL0C
sFXsCejykw9Mr5/Y7lFqYiNer9m1Qzh9i5F/xfL4tF2dmIPCX3MnOJ4TqR7a
B9558meuNHlSQ91JuIvT/ERuHa+PePJY4vZOBsFgOZ3M5tNgGs8G02g6Garp
aJpM48FkGswm0/F0MU2w/OKH7mdA1/VP1kqhXbEXDEdHgKVw/s8CdngU2OU0
nk7gHoKrprNhPApGw9FoMJlN4coY7v3iQcDPJMvzohccGU+ZIZv6rAGNPntA
MB54LpkmsyFeG0xnI/hNQ5yNaIjenw3FN8qfHpK4W2yU6NgpfynJbgU7gGwd
w0aNt6PlDJmxHhQ5ZJboIV87u3xycaH5JyIwfVuhgY1WBzx8wsfroS7ZIWhg
/+vBBqj3erRmnIR/hisot5D7pQevYbgQMbK/w88JFmJvNgJahzQCuzAKJeRP
tKLgqVufs2sGz8U/3fJYcqVD4zHVBzD0MkUn93K3Wh1d4261TaCfQAiHK5PC
hVmNyjQGkdJgzhez+QzJejJVw8F0OFvgL/iG9LT4DReV9GTRZVtWEzWbhqPZ
cDCZD0dBBKCqOAoH0zGQ7GKsoI9luBzN49lkMZ3DmGbRYjgYz5MwWYySYO62
bZBvmx/H4wTmcTAKhmoEo5iMAKDRbDIbIiLGyXQ4DenKeDYyd4c4HI2m4eCX
DR4FsEH9M6shxBDIR6EWuAAJwTTCb39dyIiONEgAwRjwnQziwUCFQTRVURiF
MDMqmgOVzYYqmarxMpmpRZAMF2GQhItFmIyDwXwwBFDhJyzBQRTMJwNoKpmE
apaEg+E8iEdxEC+aKEEKVovBJFYjNQaySNRyOh6GcxVO5k0m3Vgjwy9r5G9v
jQx/t2vkXshqayQYhtEyGIyGKpwuB9FcqWEUJIsoUYPJEFYOtA6QzYfhZLKI
JgNFvUwWk2C5DCYqDqLFKFTDJBkMl+MgmI4XahDiKlJRsFjOp5O2NRLMVBLN
4iSKAmh6CktqMJsFy4+tkfGXNfK3t0bGv9s1ci9kQkdqOVouYAuALqLxDLSG
+TwKhoGaJ4PpfDSM2qg7joIgnMcTgHO4WCTj8XI4Xqp5/BHqnnwqdWtETYNJ
DMMC/AxjmEqgb/obAIom8I0nMAapmiTqGcnR8Eyg//f7WAPJdDSaBAsVLRaz
wWQZwn4cRTPgPgmgOopHEagSwWgyiRezeIhEMBvF8+V8EEXJcBSFo0U8GQyW
0TCejBaLUTCB3Xy+TCJgTdNFMl+q2XI6WwA7W44mU9jlEzWMl9MAKH+5UHNo
829hDU1+t2voXshq1DoYhbPlIByO5stYTePRYh7BbhOrYDwZzSNgfvNkPg7H
MEvhIEgmwAUH8SIcT+PxAECYjNpW2jCaD8ewzsZzaGk4UYvxch4v46ipLfLB
QqjeYbKkOWCoRW1E56Jrg2UlsD0xUmpsejY7dbnHCvZsTUMYOVP78Iytmv2l
TyUxEQiKgWCrcps76rTmthFbK3cmUQezdnWMwjyYpwwEixwLUr9myqi91oeb
OTcPuJLDNUz03mtrUcXp+SzmKM9GVYGPDY589GOE+U9pjw1pR9ujzxBUilmT
OztIGw9bsBbchzWYrt8D3oahfAk+grdYSXvRvXiz7c0/BW/BfDyezsZjYDiz
wWICfQWTFkyOh4vxAjjMYnIfSoeToxvkXxelyZHPAUqHI6VgXwjVYgS77mC5
HMcgEs+GDZQeay9Jaih12BfZWO0xIC1six07EgvnnvmQblWGgWxswEFzF4ZB
WNNzt5lh3yUW6bJAZmJth5551+asCKk+j6lzd/oAOGMjNgcUYiOPvWtOtT6V
SJvXmdp0/PfvTfwQfDU+GmcaX2OW8HWdW+r4Y0rEaK0QfirJv1SPQOfLd8jA
1lbN0jxfq49pw4gYRPRNPeEzxbi0un/KFj8xsiEWuABdocJYXNIdDqBpWA2P
GQe/6XBlo0+zAn7TwaabRxpj4zcqy3LexYD2T/CxtjUCj9ZDpLTflaOrTiib
pJe/oQaOz05LK8FgYFpBwNVelT0M3Dn5bzId/m2a+Lu/6q50jE3inA/mKCcC
gAGpD6CC6s6b9IVvTOf0bDRNAM8AOw4IvsF7M7PpHKUXBzuDQRiwac9oLDhp
qLMQEAoEVjOFhu04Daj7IPm85v9/VdW/mHx/ZZPvz5TN6u0tImlvURMknJXz
EQnt/kVt03Edm+AMxz4ezqfTMchGgLxwORyEs6mag948jIZJNAwGy2EwB4pX
y8kEjQ+DYbCczQfjZRDPIhUDGtVopEAUAsyqeTCZxePf3gb+hdl/YfZfmP0X
38Vv4Lv4mcy+3t54Iu39dsw+TgZJHIxHwXI6n4+W0XI+hk0xgOmezOfTEWAk
CQBTw9F0tIQ5V1E0mA9no3A4C6NxMp4t4xnsB4Bi2E6jGF6NF8vf3pHzhdF/
YfRfGP0XB9x/m630r8miE1BhEqUm0XgyWAKvHgA5LuMkCYFck+liPA/VNF4m
8XK2DOezKBmpYBqE03GwHM6SBUzLcpwEo2UwV6NJEI/VTI3QMjuBLTKCCRpE
8UT9Xr2TXxj7F8b++Yz9i1f5i1f5V/cq/8zto97ebCztxb/Z9jFYABEv58MA
pPrJMASKCoGYF8NZBE1FsyCZJzFsCOMFNJ4sULxOEqDkAewts3AMks5yBstm
oabjOFiMAeHBPJyFi/E0mI8TUKMA1VPXZ/X/AA8S8/xq1gAA

-->

</rfc>
