<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-jose-pqc-kem-06" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="PQ KEM for COSE">Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for COSE</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-jose-pqc-kem-06"/>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Aritra Banerjee">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>London</city>
          <country>United Kingdom</country>
        </postal>
        <email>aritra.banerjee@nokia.com</email>
      </address>
    </author>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>COSE</workgroup>
    <keyword>PQC</keyword>
    <keyword>COSE</keyword>
    <keyword>Hybrid</keyword>
    <abstract>
      <?line 106?>

<t>This document describes conventions for using Post-Quantum Key Encapsulation
Mechanisms (PQ-KEMs) with CBOR Object Signing and Encryption (COSE).</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-jose-pqc-kem/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        cose Working Group mailing list (<eref target="mailto:cose@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/cose/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/cose/"/>.
      </t>
    </note>
  </front>
  <middle>
    <?line 111?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Quantum computing is no longer perceived as a consequence of computational sciences and theoretical physics.  Considerable research efforts and enormous corporate and government funding for the development of practical quantum computing systems are being invested currently. As such, as quantum technology advances, there is the potential for future quantum computers to have a significant impact on current cryptographic systems.</t>
      <t>Researchers have developed Post-Quantum Key Encapsulation Mechanisms (PQ-KEMs) to provide secure key establishment resistant against an adversary with access to a quantum computer.</t>
      <t>The National Institute of Standards and Technology (NIST) has standardized
ML-KEM as a post-quantum key encapsulation mechanism in <xref target="FIPS203"/>. This
document specifies how ML-KEM is used to protect the confidentiality of content
encrypted with COSE against adversaries with access to quantum computers.</t>
      <t>Although this mechanism could thus be used with any PQ-KEM, this document focuses on Module-Lattice-based Key Encapsulation Mechanisms (ML-KEMs). ML-KEM is a one-pass (store-and-forward) cryptographic mechanism for an originator to securely send keying material to a recipient
using the recipient's ML-KEM public key. Three parameters sets for ML-KEMs are specified by <xref target="FIPS203"/>. In order of increasing security strength (and decreasing performance), these parameter sets
are ML-KEM-512, ML-KEM-768, and ML-KEM-1024.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document makes use of the terms defined in <xref target="I-D.ietf-pquip-pqt-hybrid-terminology"/>. The following terms are repeatedly used in this specification:</t>
      <ul spacing="normal">
        <li>
          <t>KEM: Key Encapsulation Mechanism</t>
        </li>
        <li>
          <t>PQ-KEM: Post-Quantum Key Encapsulation Mechanism</t>
        </li>
        <li>
          <t>CEK: Content Encryption Key</t>
        </li>
        <li>
          <t>ML-KEM: Module-Lattice-based Key Encapsulation Mechanism</t>
        </li>
      </ul>
      <t>For the purposes of this document, it is helpful to be able to divide cryptographic algorithms into two classes:</t>
      <t>"Traditional Algorithm": An asymmetric cryptographic algorithm based on integer
factorization, finite-field discrete logarithms, or elliptic-curve discrete
logarithms. In the context of COSE, examples of traditional key exchange
algorithms include Ephemeral-Static (ES) DH and Static-Static (SS) DH
<xref target="RFC9052"/>.</t>
      <t>"Post-Quantum Algorithm":  An asymmetric cryptographic algorithm that is believed to be secure against attacks using quantum computers as well as classical computers. Post-quantum algorithms can also be called quantum-resistant or quantum-safe algorithms. Examples of Post-Quantum Algorithm include ML-KEM.</t>
      <section anchor="KEMs">
        <name>Key Encapsulation Mechanisms</name>
        <t>For the purposes of this document, we consider a Key Encapsulation Mechanism (KEM) to be any asymmetric cryptographic scheme comprised of algorithms satisfying the following interfaces <xref target="PQCAPI"/>.</t>
        <ul spacing="normal">
          <li>
            <t>def kemKeyGen() -&gt; (pk, sk)</t>
          </li>
          <li>
            <t>def kemEncaps(pk) -&gt; (ct, ss)</t>
          </li>
          <li>
            <t>def kemDecaps(ct, sk) -&gt; ss</t>
          </li>
        </ul>
        <t>where pk is public key, sk is secret key, ct is the ciphertext representing an encapsulated key, and ss is shared secret.</t>
        <t>This document uses the COSE header parameter <tt>ek</tt> to carry the KEM ciphertext
<tt>ct</tt> produced by ML-KEM encapsulation. This differs from the terminology used
in FIPS 203 and <xref target="RFC9936"/>, where <tt>ek</tt> denotes the public ML-KEM
encapsulation key. In this document, the public ML-KEM encapsulation key is
represented as the public component of an AKP key, while the COSE header
parameter <tt>ek</tt> carries the encapsulated key, namely the KEM ciphertext <tt>ct</tt>.</t>
        <t>KEMs are typically used in cases where two parties, hereby refereed to as the "encapsulater" and the "decapsulater", wish to establish a shared secret via public key cryptography, where the decapsulater has an asymmetric key pair and has previously shared the public key with the encapsulater.</t>
      </section>
    </section>
    <section anchor="rational">
      <name>Design Rationales</name>
      <t>Sections 8.5.4 and 8.5.5 of COSE <xref target="RFC9052"/> define Direct Key Agreement and
Key Agreement with Key Wrap, respectively. This document specifies the use of
PQ-KEMs in these two modes. In Direct Key Agreement mode, the derived shared
secret is used as the content encryption key (CEK). In Key Agreement with Key
Wrap mode, the derived shared secret is used as a key-encryption key to wrap
the CEK.</t>
      <t>Key Agreement with Key Wrap supports efficient encryption for multiple
recipients: the content is encrypted once with the CEK, and an individually
wrapped CEK is provided for each recipient.</t>
      <t>It is essential to note that in the PQ-KEM, one needs to apply Fujisaki-Okamoto <xref target="FO"/> transform or its variant <xref target="HHK"/> on the PQC KEM part to ensure that the overall scheme is IND-CCA2 secure, as mentioned in <xref target="I-D.ietf-tls-hybrid-design"/>. The FO transform is performed using the KDF such that the PQC KEM shared secret achieved is IND-CCA2 secure. As a consequence, one can re-use PQC KEM public keys but there is an upper bound that must be adhered to.</t>
      <t>During the transition from traditional to post-quantum algorithms, protocols
may need to combine both types of algorithms. The use of hybrid post-quantum
KEMs with HPKE and COSE is outside the scope of this document.</t>
    </section>
    <section anchor="kem-pqc-algorithms">
      <name>KEM PQC Algorithms</name>
      <t>At time of writing, NIST have standardized three PQC algorithms, with more expected to be standardised in the future (<xref target="NISTFINAL"/>). These algorithms are not necessarily drop-in replacements for traditional asymmetric cryptographic algorithms. For instance, RSA <xref target="RSA"/> and ECC <xref target="RFC6090"/> can be used as both a key encapsulation method (KEM) and as a signature scheme, whereas there is currently no post-quantum algorithm that can perform both functions.</t>
      <section anchor="ml-kem">
        <name>ML-KEM</name>
        <t>ML-KEM offers several parameter sets with varying levels of security and performance trade-offs. This document specifies the use of the ML-KEM algorithm at three security levels: ML-KEM-512, ML-KEM-768, and ML-KEM-1024. ML-KEM key generation, encapsulation and decaspulation functions are defined in <xref target="FIPS203"/>. The main security property for KEMs standardized in the NIST Post-Quantum Cryptography Standardization Project is indistinguishability under adaptive chosen ciphertext attacks (IND-CCA2) (see Section 10.2 of <xref target="I-D.ietf-pquip-pqc-engineers"/>). The public/private key sizes, ciphertext key size, and PQ security levels of ML-KEM are detailed in Section 12 of <xref target="I-D.ietf-pquip-pqc-engineers"/>.</t>
      </section>
      <section anchor="encrypt">
        <name>PQ-KEM Encapsulation</name>
        <t>The encapsulation process is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Generate an inital shared secret SS' and the associated ciphertext CT
using the KEM encapsulation function and the recipient's public
key recipPubKey.</t>
          </li>
        </ol>
        <artwork><![CDATA[
          (SS', CT) = kemEncaps(recipPubKey)
]]></artwork>
        <ol spacing="normal" type="1"><li>
            <t>Derive a final shared secret SS of length SSLen bytes from
the initial shared secret SS' using the underlying key derivation
function:</t>
          </li>
        </ol>
        <artwork><![CDATA[
          SS = KDF(SS', SSLen)
]]></artwork>
        <t>In Direct Key Agreement mode, the output of the KDF <bcp14>MUST</bcp14> have the key length
required by the content encryption algorithm used by the COSE_Encrypt
structure. In Key Agreement with Key Wrap mode, the output of the KDF <bcp14>MUST</bcp14> have
the key length required by the key wrap algorithm selected by the recipient
algorithm. For the algorithms defined in this specification, the KDF output
length is 128 bits for ML-KEM-512+A128KW, 192 bits for
ML-KEM-768+A192KW, and 256 bits for ML-KEM-1024+A256KW.</t>
        <t>When Direct Key Agreement is employed, SS is the CEK. When Key Agreement with Key Wrapping is employed, SS is the key-encryption key used with AES Key Wrap to wrap the CEK; SS is not the CEK.</t>
      </section>
      <section anchor="decrypt">
        <name>PQ-KEM Decapsulation</name>
        <t>The decapsulation process is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Decapsulate the ciphertext CT using the KEM decapsulation
function and the recipient's private key to retrieve the initial shared
secret SS':</t>
          </li>
        </ol>
        <artwork><![CDATA[
          SS' = kemDecaps(recipPrivKey, CT)
]]></artwork>
        <artwork><![CDATA[
If the decapsulation operation outputs an error, output "decryption error", and stop.
]]></artwork>
        <ol spacing="normal" type="1"><li>
            <t>Derive the final shared secret SS of length SSLen bytes from
the inital secret SS' using the underlying key derivation
function:</t>
          </li>
        </ol>
        <artwork><![CDATA[
          SS = KDF(SS', SSLen)
]]></artwork>
      </section>
    </section>
    <section anchor="kdf">
      <name>KDF</name>
      <section anchor="key-derivation">
        <name>Key Derivation</name>
        <t>The key derivation for COSE is performed using KMAC as defined in NIST
SP 800-108r1-upd1 <xref target="SP-800-108r1"/>. The KMAC(K, X, L, S) parameters are
instantiated as follows:</t>
        <ul spacing="normal">
          <li>
            <t>K: the input key-derivation key. In this document this is the initial shared secret (SS') outputted from the
kemEncaps() or kemDecaps() functions.</t>
          </li>
          <li>
            <t>X: The context structure defined in Section 5.2 of <xref target="RFC9053"/>, excluding
the PartyUInfo and PartyVInfo fields. PartyUInfo is omitted because sender
authentication is not available in PQ-KEMs. PartyVInfo is omitted because
the recipient's identity is bound to the public key used for
encapsulation. If mutually known private information is included, the
sender and recipient <bcp14>MUST</bcp14> agree out of band to include it as SuppPrivInfo,
as defined in <xref target="NIST.SP.800-56Ar3"/>.</t>
          </li>
          <li>
            <t>L: length of the output key in bits. In Direct Key Agreement mode, L is set to the key length required by the content encryption algorithm. In Key Agreement with Key Wrapping mode, L is set to the key length required by the key wrap algorithm; for ML-KEM-512+A128KW, ML-KEM-768+A192KW, and ML-KEM-1024+A256KW this is 128, 192, and 256 bits, respectively.</t>
          </li>
          <li>
            <t>S: the optional customization label. In this document this parameter is unused, that is it is the zero-length string "".</t>
          </li>
        </ul>
        <t>For all security levels of ML-KEM, KMAC256 is used.</t>
      </section>
    </section>
    <section anchor="post-quantum-kem-in-cose">
      <name>Post-Quantum KEM in COSE</name>
      <t>This specification supports two uses of PQ-KEM in COSE, namely</t>
      <ul spacing="normal">
        <li>
          <t>PQ-KEM in a Direct Key Agreement mode.</t>
        </li>
        <li>
          <t>PQ-KEM in a Key Agreement with Key Wrap mode.</t>
        </li>
      </ul>
      <t>In both modes, the COSE header parameter <tt>ek</tt>, defined in Section 7.2 of
<xref target="I-D.ietf-cose-hpke"/>, is used to convey the ciphertext <tt>ct</tt> output by the
PQ-KEM encapsulation algorithm.</t>
      <section anchor="direct-key-agreement">
        <name>Direct Key Agreement</name>
        <t>The CEK will be generated using the process explained in <xref target="encrypt"/>.
Subsequently, the plaintext will be encrypted using the CEK. The resulting
ciphertext is either included in the COSE_Encrypt or is detached. If a payload is
transported separately then it is called "detached content". A nil CBOR
object is placed in the location of the ciphertext. See Section 5
of <xref target="RFC9052"/> for a description of detached payloads.</t>
        <t>The COSE_Recipient structure for the recipient is organized as follows:</t>
        <ul spacing="normal">
          <li>
            <t>The sender <bcp14>MUST</bcp14> set the 'alg' parameter to indicate the use of the PQ-KEM algorithm.</t>
          </li>
          <li>
            <t>This document RECOMMENDS the use of the 'kid' parameter
(or other parameters) to explicitly identify the recipient public key
used by the sender. If the COSE_Encrypt contains the 'kid' then the recipient may
use it to select the appropriate private key.</t>
          </li>
        </ul>
      </section>
      <section anchor="key-agreement-with-key-wrap">
        <name>Key Agreement with Key Wrap</name>
        <t>With the two layer structure the PQ-KEM information is conveyed in the COSE_recipient
structure, i.e. one COSE_recipient structure per recipient.</t>
        <t>In this approach the following layers are involved:</t>
        <ul spacing="normal">
          <li>
            <t>Layer 0 (corresponding to the COSE_Encrypt structure) contains the content (plaintext)
encrypted with the CEK. This ciphertext may be detached, and if not detached, then
it is included in the COSE_Encrypt structure.</t>
          </li>
          <li>
            <t>Layer 1 (corresponding to a recipient structure) contains parameters needed for
PQ-KEM to generate a shared secret used to encrypt the CEK. This layer conveys
the encrypted CEK in the "ciphertext" field (Section 5.1 of <xref target="RFC9052"/>).
The unprotected header <bcp14>MAY</bcp14> contain the kid parameter to identify the static recipient
public key the sender has been using with PQ-KEM.</t>
          </li>
        </ul>
        <t>This two-layer structure is used to encrypt content that can also be shared with
multiple parties at the expense of a single additional encryption operation.
As stated above, the specification uses a CEK to encrypt the content at layer 0.</t>
      </section>
    </section>
    <section anchor="COSE-PQ-KEM">
      <name>COSE Ciphersuite Registration</name>
      <t>All security levels of ML-KEM internally use SHA3-256, SHA3-512, SHAKE128,
and SHAKE256. This internal usage influences the selection of the KDF described
in this document.</t>
      <t>ML-KEM-512 <bcp14>MUST</bcp14> be used with a KDF capable of producing a key with at least
128 bits of security and, in Key Agreement with Key Wrap mode, with a key wrap
algorithm having a key length of at least 128 bits.</t>
      <t>ML-KEM-768 <bcp14>MUST</bcp14> be used with a KDF capable of producing a key with at least
192 bits of security and, in Key Agreement with Key Wrap mode, with a key wrap
algorithm having a key length of at least 192 bits.</t>
      <t>ML-KEM-1024 <bcp14>MUST</bcp14> be used with a KDF capable of producing a key with at least
256 bits of security and, in Key Agreement with Key Wrap mode, with a key wrap
algorithm having a key length of at least 256 bits.</t>
      <t><xref target="ciphersuite-table"/> lists the COSE algorithm values for the PQ-KEM
ciphersuites defined by this document.</t>
      <figure anchor="ciphersuite-table">
        <name>COSE PQ-KEM Ciphersuites.</name>
        <artwork><![CDATA[
+===============================+=========+===================================+=============+
| Name                          | COSE ID | Description                       | Recommended |
+===============================+=========+===================================+=============+
| ML-KEM-512                    | TBD1    | ML-KEM-512                        | No          |
+-------------------------------+---------+-----------------------------------+-------------+
| ML-KEM-768                    | TBD2    | ML-KEM-768                        | No          |
+-------------------------------+---------+-----------------------------------+-------------+
| ML-KEM-1024                   | TBD3    | ML-KEM-1024                       | No          |
+-------------------------------+---------+-----------------------------------+-------------+
| ML-KEM-512+A128KW             | TBD4    | ML-KEM-512 + AES128KW             | No          |
+-------------------------------+---------+-----------------------------------+-------------+
| ML-KEM-768+A192KW             | TBD5    | ML-KEM-768 + AES192KW             | No          |
+-------------------------------+---------+-----------------------------------+-------------+
| ML-KEM-1024+A256KW            | TBD6    | ML-KEM-1024 + AES256KW            | No          |
+-------------------------------+---------+-----------------------------------+-------------+
]]></artwork>
      </figure>
    </section>
    <section anchor="use-of-akp-key-type-for-pqc-kem-keys-in-cose">
      <name>Use of AKP Key Type for PQC KEM Keys in COSE</name>
      <t>The "AKP" (Algorithm Key Pair) key type, defined in
<xref target="I-D.ietf-cose-dilithium"/>, is used to represent PQC KEM keys in COSE. A
COSE_Key with "kty" set to "AKP" represents a PQC KEM key pair. The public key
is carried in the "pub" parameter. If included, the private key is carried in
the "priv" parameter. Both parameters are byte strings containing the raw
algorithm-specific key material.</t>
      <t>The "AKP" key type mandates the use of the "alg" parameter. While this requirement is suitable for PQ digital signature algorithms, applying the same model to PQ KEMs would require distinguishing between keys used
for Direct Key Agreement and those used for Key Agreement with Key Wrap.</t>
      <t>Note: This differs from the "OKP" usage model and requires further discussion within the WG.</t>
      <t>For ML-KEM algorithms, as specified in <xref target="FIPS203"/>, there are two possible
representations of a private key: a seed and a fully expanded private key
derived from the seed. This document specifies only the seed form. The "priv"
parameter <bcp14>MUST</bcp14> contain the 64-octet ML-KEM seed <tt>d || z</tt>, where <tt>d</tt> is the
first 32 octets and <tt>z</tt> is the last 32 octets. The ML-KEM public key and
expanded private key are derived from this seed using
<tt>ML-KEM.KeyGen_internal(d, z)</tt>, as specified in <xref target="FIPS203"/>. This document does
not define a 32-octet private seed representation and does not support carrying
the expanded private key in "priv". This avoids implicit,
implementation-specific key expansion.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>PQC KEMs used in the manner described in this document <bcp14>MUST</bcp14> explicitly be designed to be secure in the event that the public key is reused, such as achieving IND-CCA2 security. ML-KEM has such security properties.</t>
      <t>ML-KEM key generation and encapsulation both rely on high-quality random input.
For key generation, the 64-octet seed <tt>d || z</tt> contains 32 octets used to
deterministically derive the key pair and 32 octets used as a rejection value.
For encapsulation, ML-KEM uses fresh random input to produce the ciphertext and
shared secret. Implementations <bcp14>MUST</bcp14> use a cryptographically secure random number
generator for these values. Weak or repeated random input can make it
substantially easier for an attacker to reproduce keys or ciphertexts and can
undermine the security properties expected from ML-KEM.</t>
      <t>ML-KEM encapsulation and decapsulation output only the shared secret and
ciphertext values described by this specification. Implementations <bcp14>MUST NOT</bcp14> use
intermediate ML-KEM values directly as COSE keying material, KDF input,
authentication input, or application data. Implementations <bcp14>SHOULD</bcp14> avoid exposing
intermediate values through APIs, logs, errors, or side channels.</t>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <section anchor="cose-algorithms-registrations">
        <name>COSE Algorithms Registrations</name>
        <t>IANA is requested to add the following entries to the "COSE Algorithms"
registry <xref target="COSE-IANA"/>:</t>
        <ul spacing="normal">
          <li>
            <t>Name: ML-KEM-512</t>
          </li>
          <li>
            <t>Value: TBD1</t>
          </li>
          <li>
            <t>Description: PQ-KEM that uses ML-KEM-512 PQ-KEM.</t>
          </li>
          <li>
            <t>Capabilities: [kty]</t>
          </li>
          <li>
            <t>Change Controller: IESG</t>
          </li>
          <li>
            <t>Reference: This document (TBD)</t>
          </li>
          <li>
            <t>Recommended: No</t>
          </li>
          <li>
            <t>Name: ML-KEM-768</t>
          </li>
          <li>
            <t>Value: TBD2</t>
          </li>
          <li>
            <t>Description: PQ-KEM that uses ML-KEM-768 PQ-KEM.</t>
          </li>
          <li>
            <t>Capabilities: [kty]</t>
          </li>
          <li>
            <t>Change Controller: IESG</t>
          </li>
          <li>
            <t>Reference: This document (TBD)</t>
          </li>
          <li>
            <t>Recommended: No</t>
          </li>
          <li>
            <t>Name: ML-KEM-1024</t>
          </li>
          <li>
            <t>Value: TBD3</t>
          </li>
          <li>
            <t>Description: PQ-KEM that uses ML-KEM-1024 PQ-KEM.</t>
          </li>
          <li>
            <t>Capabilities: [kty]</t>
          </li>
          <li>
            <t>Change Controller: IESG</t>
          </li>
          <li>
            <t>Reference: This document (TBD)</t>
          </li>
          <li>
            <t>Recommended: No</t>
          </li>
          <li>
            <t>Name: ML-KEM-512+A128KW</t>
          </li>
          <li>
            <t>Value: TBD4</t>
          </li>
          <li>
            <t>Description: PQ-KEM that uses ML-KEM-512 PQ-KEM and CEK wrapped with "A128KW".</t>
          </li>
          <li>
            <t>Capabilities: [kty]</t>
          </li>
          <li>
            <t>Change Controller: IESG</t>
          </li>
          <li>
            <t>Reference: This document (TBD)</t>
          </li>
          <li>
            <t>Recommended: No</t>
          </li>
          <li>
            <t>Name: ML-KEM-768+A192KW</t>
          </li>
          <li>
            <t>Value: TBD5</t>
          </li>
          <li>
            <t>Description: PQ-KEM that uses ML-KEM-768 and CEK wrapped with "A192KW".</t>
          </li>
          <li>
            <t>Capabilities: [kty]</t>
          </li>
          <li>
            <t>Change Controller: IESG</t>
          </li>
          <li>
            <t>Reference: This document (TBD)</t>
          </li>
          <li>
            <t>Recommended: No</t>
          </li>
          <li>
            <t>Name: ML-KEM-1024+A256KW</t>
          </li>
          <li>
            <t>Value: TBD6</t>
          </li>
          <li>
            <t>Description: PQ-KEM that uses ML-KEM-1024 and CEK wrapped with "A256KW".</t>
          </li>
          <li>
            <t>Capabilities: [kty]</t>
          </li>
          <li>
            <t>Change Controller: IESG</t>
          </li>
          <li>
            <t>Reference: This document (TBD)</t>
          </li>
          <li>
            <t>Recommended: No</t>
          </li>
        </ul>
      </section>
      <section anchor="cose-elliptic-curves-registrations">
        <name>COSE Elliptic Curves Registrations</name>
        <t>IANA is requested to register the following values in the "COSE Elliptic Curves" registry <xref target="COSE-IANA-Curves"/>.</t>
        <section anchor="ml-kem-512">
          <name>ML-KEM-512</name>
          <table>
            <thead>
              <tr>
                <th align="left">Name</th>
                <th align="left">ML-KEM-512</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Value</td>
                <td align="left">TBD1</td>
              </tr>
              <tr>
                <td align="left">Key Type</td>
                <td align="left">AKP</td>
              </tr>
              <tr>
                <td align="left">Description</td>
                <td align="left">NIST Post-Quantum ML-KEM-512</td>
              </tr>
              <tr>
                <td align="left">Change Controller</td>
                <td align="left">IETF</td>
              </tr>
              <tr>
                <td align="left">Reference</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">Recommended</td>
                <td align="left">No</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="ml-kem-768">
          <name>ML-KEM-768</name>
          <table>
            <thead>
              <tr>
                <th align="left">Name</th>
                <th align="left">ML-KEM-768</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Value</td>
                <td align="left">TBD2</td>
              </tr>
              <tr>
                <td align="left">Key Type</td>
                <td align="left">AKP</td>
              </tr>
              <tr>
                <td align="left">Description</td>
                <td align="left">NIST Post-Quantum ML-KEM-768</td>
              </tr>
              <tr>
                <td align="left">Change Controller</td>
                <td align="left">IETF</td>
              </tr>
              <tr>
                <td align="left">Reference</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">Recommended</td>
                <td align="left">No</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="ml-kem-1024">
          <name>ML-KEM-1024</name>
          <table>
            <thead>
              <tr>
                <th align="left">Name</th>
                <th align="left">ML-KEM-1024</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Value</td>
                <td align="left">TBD3</td>
              </tr>
              <tr>
                <td align="left">Key Type</td>
                <td align="left">AKP</td>
              </tr>
              <tr>
                <td align="left">Description</td>
                <td align="left">NIST Post-Quantum ML-KEM-1024</td>
              </tr>
              <tr>
                <td align="left">Change Controller</td>
                <td align="left">IETF</td>
              </tr>
              <tr>
                <td align="left">Reference</td>
                <td align="left">This document</td>
              </tr>
              <tr>
                <td align="left">Recommended</td>
                <td align="left">No</td>
              </tr>
            </tbody>
          </table>
        </section>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank AJITOMI Daisuke, Brian Campbell, Daniel Huigens, Filip Skokan, Ilari Liusvaara, Neil Madden,
and Stepan Yakimovich for their contributions to this specification.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/>
          <seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC9052">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR.</t>
              <t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="96"/>
          <seriesInfo name="RFC" value="9052"/>
          <seriesInfo name="DOI" value="10.17487/RFC9052"/>
        </reference>
        <reference anchor="RFC9053">
          <front>
            <title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052).</t>
              <t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9053"/>
          <seriesInfo name="DOI" value="10.17487/RFC9053"/>
        </reference>
        <reference anchor="COSE-IANA" target="https://www.iana.org/assignments/cose">
          <front>
            <title>CBOR Object Signing and Encryption (COSE)</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="COSE-IANA-Curves" target="https://www.iana.org/assignments/cose">
          <front>
            <title>COSE Elliptic Curves</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="PQCAPI" target="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/example-files/api-notes.pdf">
          <front>
            <title>PQC - API notes</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="FO" target="https://link.springer.com/article/10.1007/s00145-011-9114-1">
          <front>
            <title>Secure Integration of Asymmetric and Symmetric Encryption Schemes</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="HHK" target="https://link.springer.com/chapter/10.1007/978-3-319-70500-2_12">
          <front>
            <title>A Modular Analysis of the Fujisaki-Okamoto Transformation</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="FIPS203" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf">
          <front>
            <title>FIPS-203: Module-Lattice-based Key-Encapsulation Mechanism Standard</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="SP-800-108r1" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-upd1.pdf">
          <front>
            <title>Recommendation for Key Derivation Using Pseudorandom Functions</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="NISTFINAL" target="https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards">
          <front>
            <title>NIST Releases First 3 Finalized Post-Quantum Encryption Standards</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RSA" target="https://dl.acm.org/doi/pdf/10.1145/359340.359342">
          <front>
            <title>A Method for Obtaining Digital Signatures and Public-Key Cryptosystems+</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="NIST.SP.800-56Ar3" target="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">
          <front>
            <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, NIST Special Publication 800-56A Revision 3</title>
            <author>
              <organization>National Institute of Standards and Technology</organization>
            </author>
            <date year="2018" month="April"/>
          </front>
        </reference>
        <reference anchor="I-D.ietf-pquip-pqt-hybrid-terminology">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="Flo D" initials="F." surname="D">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <author fullname="Michael P" initials="M." surname="P">
              <organization>UK National Cyber Security Centre</organization>
            </author>
            <author fullname="Britta Hale" initials="B." surname="Hale">
              <organization>Naval Postgraduate School</organization>
            </author>
            <date day="10" month="January" year="2025"/>
            <abstract>
              <t>   One aspect of the transition to post-quantum algorithms in
   cryptographic protocols is the development of hybrid schemes that
   incorporate both post-quantum and traditional asymmetric algorithms.
   This document defines terminology for such schemes.  It is intended
   to be used as a reference and, hopefully, to ensure consistency and
   clarity across different protocols, standards, and organisations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqt-hybrid-terminology-06"/>
        </reference>
        <reference anchor="RFC9936">
          <front>
            <title>Use of ML-KEM in the Cryptographic Message Syntax (CMS)</title>
            <author fullname="J. Prat" initials="J." surname="Prat"/>
            <author fullname="M. Ounsworth" initials="M." surname="Ounsworth"/>
            <author fullname="D. Van Geest" initials="D." surname="Van Geest"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) is a quantum-resistant Key Encapsulation Mechanism (KEM). Three parameter sets for the ML-KEM algorithm are specified by the US National Institute of Standards and Technology (NIST) in FIPS 203. In order of increasing security strength (and decreasing performance), these parameter sets are ML-KEM-512, ML-KEM-768, and ML-KEM-1024. This document specifies the conventions for using ML-KEM with the Cryptographic Message Syntax (CMS) using the KEMRecipientInfo structure defined in "Using Key Encapsulation Mechanism (KEM) Algorithms in the Cryptographic Message Syntax (CMS)" (RFC 9629).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9936"/>
          <seriesInfo name="DOI" value="10.17487/RFC9936"/>
        </reference>
        <reference anchor="I-D.ietf-tls-hybrid-design">
          <front>
            <title>Hybrid key exchange in TLS 1.3</title>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Shay Gueron" initials="S." surname="Gueron">
              <organization>University of Haifa and Meta</organization>
            </author>
            <date day="7" month="September" year="2025"/>
            <abstract>
              <t>   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if a way is found to defeat the encryption for all but
   one of the component algorithms.  It is motivated by transition to
   post-quantum cryptography.  This document provides a construction for
   hybrid key exchange in the Transport Layer Security (TLS) protocol
   version 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-hybrid-design-16"/>
        </reference>
        <reference anchor="RFC6090">
          <front>
            <title>Fundamental Elliptic Curve Cryptography Algorithms</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="K. Igoe" initials="K." surname="Igoe"/>
            <author fullname="M. Salter" initials="M." surname="Salter"/>
            <date month="February" year="2011"/>
            <abstract>
              <t>This note describes the fundamental algorithms of Elliptic Curve Cryptography (ECC) as they were defined in some seminal references from 1994 and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6090"/>
          <seriesInfo name="DOI" value="10.17487/RFC6090"/>
        </reference>
        <reference anchor="I-D.ietf-pquip-pqc-engineers">
          <front>
            <title>Post-Quantum Cryptography for Engineers</title>
            <author fullname="Aritra Banerjee" initials="A." surname="Banerjee">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Dimitrios Schoinianakis" initials="D." surname="Schoinianakis">
              <organization>Nokia</organization>
            </author>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
              <organization>Entrust Limited</organization>
            </author>
            <date day="25" month="August" year="2025"/>
            <abstract>
              <t>   The advent of a cryptographically relevant quantum computer (CRQC)
   would render state-of-the-art, traditional public key algorithms
   deployed today obsolete, as the mathematical assumptions underpinning
   their security would no longer hold.  To address this, protocols and
   infrastructure must transition to post-quantum algorithms, which are
   designed to resist both traditional and quantum attacks.  This
   document explains why engineers need to be aware of and understand
   post-quantum cryptography (PQC), detailing the impact of CRQCs on
   existing systems and the challenges involved in transitioning to
   post-quantum algorithms.  Unlike previous cryptographic updates, this
   shift may require significant protocol redesign due to the unique
   properties of post-quantum algorithms.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-engineers-14"/>
        </reference>
        <reference anchor="I-D.ietf-cose-hpke">
          <front>
            <title>Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Michael B. Jones" initials="M. B." surname="Jones">
              <organization>Self-Issued Consulting</organization>
            </author>
            <author fullname="Orie Steele" initials="O." surname="Steele">
              <organization>Tradeverifyd</organization>
            </author>
            <author fullname="Ajitomi, Daisuke" initials="A." surname="Daisuke">
              <organization>bibital LLC</organization>
            </author>
            <author fullname="Laurence Lundblade" initials="L." surname="Lundblade">
              <organization>Security Theory LLC</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   This specification defines hybrid public-key encryption (HPKE) for
   use with CBOR Object Signing and Encryption (COSE).  HPKE offers a
   variant of public-key encryption of arbitrary-sized plaintexts for a
   recipient public key.

   HPKE is a general encryption framework utilizing an asymmetric key
   encapsulation mechanism (KEM), a key derivation function (KDF), and
   an Authenticated Encryption with Associated Data (AEAD) algorithm.

   This document defines the use of HPKE with COSE.  Authentication for
   HPKE in COSE is provided by COSE-native security mechanisms or by the
   pre-shared key authenticated variant of HPKE.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-hpke-26"/>
        </reference>
        <reference anchor="I-D.ietf-cose-dilithium">
          <front>
            <title>ML-DSA for JOSE and COSE</title>
            <author fullname="Michael Prorock" initials="M." surname="Prorock">
              <organization>Tradeverifyd</organization>
            </author>
            <author fullname="Orie Steele" initials="O." surname="Steele">
              <organization>Tradeverifyd</organization>
            </author>
            <date day="15" month="November" year="2025"/>
            <abstract>
              <t>   This document specifies JSON Object Signing and Encryption (JOSE) and
   CBOR Object Signing and Encryption (COSE) serializations for Module-
   Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum
   Cryptography (PQC) digital signature scheme defined in US NIST FIPS
   204.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-cose-dilithium-11"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1c63LbRpb+j6fopX9EiglKlCxfNJOZoSU51soXxVTGk5qa
ikGgSSICAQQNSGFkzbPss+yT7XdOdwMNkJSVSTae2lr9sMEG0H3utz4N3/e9
Mi4TeSh655kq/W+qIC2rhTiTS3GShkGuqiQo4ywVr2U4D9JYLZTYOv9GnJ28
VttimhXi6O34pOcFk0khr2gavufcCYNSzrJieShUGXlelIVpsMCCURFMSz+W
5dT/IVPSz38M/Uu58Hcfe6qaLGKlsGy5zPHo6cnFCy+tFhNZHHoR5jv0wixV
MlWVOhRlUUkPS+97QSEDgDCWYVXE5bLnXWfF5azIqhyjGppLucRgdOgJX5x/
c0T/0Q36/+VyUsSA8EqmFVYQwr4ZArwefmtgeu8xaZzOxNd0m8YXQZyYx/5C
+AyyYkbjQRHOMT4vy1wd7uzQYzQUX8mBfWyHBnYmRXat5A5NsNPzPFUGafR9
kGQplltK5eXxofh7mYV9obKiLORU4Wq5MBdlEYdlX4TZYiHTEiMg8SLIc8D4
D88LqnKeFYQvIBJiWiWJpv9FXFSLIJHqOijEOxlFS34AQIHNPzPTD8Wb7DIO
eDwEQQ/F8yCdAbBC8lghZ/zUWVCkQRlcmiezKi2J36dpZF6WhkSXWRqVcfGX
Gf0eAOLeKlwjsK4IaCVZ/CDlPYB6hVmztL32t2lcykicgQhRtmgBEfACg4lZ
4C8pTdcCJk4hVi8H4kKF82wq03jWgfFlkKZSde+3oQQEV7JQgFBkU1HOpXhe
pRHILeeFeF2lcTjnt6zm4Pnn1+L1wEHsjawmMYR+1qL28+AKKHRo/bUsFkG6
NIMRYHx6cPDkiYv4nIEelDXQYMNPg1SWnpdmeLsEvCT2714c7Q2Hz8zl0+GT
R/by2SM7+mz3YK+53KdLUiP/dPRmdMiLilrwzB+oA5HAfT1izM7R87fvxNvJ
DzIsxTiepaRYkH4yPsUyZ8uzRTNvm7eCYiZL4GJ06vr6ehAHaaB1CSZjlrIS
sC65QPlHVXEl1S+DDS+LkySJAUco9AT/ChhenE4bAmMGGJ7R+elhazEYziMY
IYyLNCul6q1fKVRFOIAZLgez7GrnaPzuaGchoWY750VGRFQ7rh33j4iI2awI
8vlyB3ah0mDJn4JFnkh/GkP/d4I89nnNQR5N9bJsZMU0SJiKL952YGULK6Hg
MO2F9g+Q8RFs0kKSOWIWjutfDjPH4VwuNmKXxOnlQOUFpEAWpJKwj6B9IneG
u4Ph7u6THbW7O3x04O8Oh/6z4fCRP1wH78uXZx2AR+J1FsGVFWKUBslSxcoq
5Yvqh1gFl7H/9jJYZGUmLoogVYZfWXpvQOEd81IWNaDPnjz19/394TP/ye7B
7q6/9/1wby1tT8/He7v7HXhp1KdhDbf0XwUlCCH9SaDIrMmlv8E9izF5j6CI
NkCeXiV5NVGNDNEFjezQmjtvTscXA7oaYPVN8jA+958CpeHu02LYAfyd1H4o
0mBRGECxxLEs4is99K0iHT9XsooykBrWGTxIQ7q3SSw2wzzOZRgHyXk1SeKQ
51cahfH5oAbRr/JouAkXevrF6ZvRK42IxYOG4RUTCXor8SIuVCn28T+kJ/4Z
HGhFS658G+obVNYZigYLea18ecUaSdc7e7t7j3Z2nzJ6fmEWh5JiccjS1C7u
57T4j0bFZb24r+ziZJnHo1UdkDB7ETPl7aQMYra2x/EsLoOErW9QQq0Va68m
qU/M00ZELVUpF+rhBh5FySAIF2wAoyzeAbVZFaCsO/sHz/Yf7Q74v7U64HLs
4PGo2L/LTL9hNgPg01QBtaqUpMo13Rn4C2hDmiXZbNkiwRrhPA/iwn8fK6l1
ChQE2mpOZtLaKiOxx7EKC4nVXmUzCiHmC+Fa1z5jIYxACkcihUELy1/FFNQi
Uv2NxZyJ1pXwEcxTIvZ2h089z/d9BBoIFYMQ7v5iDvtnvYFATBIWCDMUAoeU
pJGmZ+JUWlXvTAy8dmLg68TgGvS5v28faAAXcRQlcJcPyLEUsHtsFDzPrg3m
5VVJswD8NBMIkGF9RS6LUMK1RiIA9wVnBj9WUAsWDP2SlRkVxnRDSwnMPyJZ
mFXcAAdVHKoBQga8H0eygCBIxFxKUogu5BQEKfV7ksKlrCJ6FTlsGGSChsEx
WbDfR6SI0BdwEhHJyUTQ8iTL+R5gyokNvOyPK6gZNUPyIMVEMrJgiqJgFj63
wAzJcgBXK1QVzvuEsp2jrIVeBNFVQGj2aXVMBHoRGDmcPNiLdQmwaUXa3gEB
EauAE5wHV0BKUCATTwEp4I4XOaAWYJqBQ4SN+MPJG8DBy3eGaDQXT2TQ75rN
TyWZRpYATl5kV+CJUDruQBInZEtVwaeYrF8pghnsGox1kBIVAEJQLLU4BiEo
wtgFK0gPSCnkL7QtYot0cBs4ghvmGbLP3utXBLoWR9dWa8BbGC9qvx2n4ubG
RAO3t0g+oKReraSKLMA0huTOM2QJegGwtaJwQFOoJD0jNkMDpqAWc9qkHxgi
1nvGWeAdraEU4dYUM+SiRToEW5ER0GuUwDhXszmWBBwNHkhJEtIt6MdEavj0
bOlSaJ729Ss1blNckJclAdgQ7dwhJ5oWanvgUCXAXNLPEYmLLVVCyX1wx4fQ
I9eNtjuC24BOWgG5yQq4RPhCUt7MyFyyxAW4Dw6STiI4REQDQWFpKsCbPCb6
aotJTKjHvlAWsJzNN01B3C0kFDIokE+y0ilZaqNr8GEDYLkeicmyLR2nBCas
FDE3BlMRKrD1MKUPqgrIdAayb5HMRrJ+AtaSg1uYh202D8oBg6GgMoqBwj8Y
7vXt9ZPHT/usAeb3ENHKgKz1keM26P6xRKgS82+tViT2VHVRovf62/FFr6//
F2/e8vW7k2++PX13ckzX45ejV6/qC888MX759ttXx81V8+bR29evT94c65cx
KlpDXu/16Luehrr39vzi9C0CvR6pWlsCCWNwEvIaQ0+KnPw8uRPP+saI3nl+
dP7f/zV8BEb8h8mRb2/ND8qS8eN6LlO9WpZCYvRP0HjpBXkOm0izBEkiIMsU
cym23woanQqy06Dml38nyvzjUPxxEubDR38yA4Rwa9DSrDXINFsdWXlZE3HN
0Jplamq2xjuUbsM7+q7129LdGfzjn5FASeEPn/75T143HlkEl5INm03RwBEo
ekRSpRlxc/PnU/+Yi2h+/mMV5/i39Odcv/Pp6VgbaG1GJdQqSbJr1kyeithd
SDAEXAab2EZZmTAqp6MsZOs+lTMP77JBnm/s2uG93RteOTo5OyTNIbPsRkR4
C3e1im3O/jZO7L0wIUdeITZhqzptC3tfxCXZyLlM8mmVGLnnaAeXUcyOtm0h
g2SWccSrSD8yUV5nIkxgXamg4vWQMUexcZwj+2gPASiEvSkJbJhSaJyABKke
4jlvijAD93QdrS/YllCpQsKtRDYIT2wQDh0CxtJUafyQqjT1Y17zGJtM4x1L
+RPHYeT++sIUQzSlHFTYWf9EhJ1Jr0WCMKlAo5Oc0oMiSPwxxZeh2DoZb4vj
l7r4wUP1nTHf8W5uTO0MkgnCtcTFpdw9SVfOA2blRCaxvNKBwKSOkmq/XpZB
eKlMNL8a7sEEXYN+9D8zlQPTxtNrobavOXQIKcRKFC+JVxKsb3PSJhwDb+yg
CqbSeX8gThzCrydFTWutD+RtHtwdDtw8IOd5ey89uGZh4GAfTvyOacUWJt22
moI4ZiNvFKeMTL0iZrmeuiRTmFhNlzZGaOwSux0IPuC8udHlQRaRL8nsQRIX
gO5rmW5tC/9PYiu/7At1ud3c1XBjXN+n7QClnPvHku/zuH5GwTVfc26QX5II
NbEJPUIjimKGUo+EpU0hENTgLVYgWFBKj9JS53VOYCsj/RopAkIwmmwOmxuZ
OQddi8/RH83O8ehcBsSRJij5IC8/EPHDoEAsT89RNNVA4n0Iyw8UASNj1KGS
CbhaobaOqGEaplOS+mmRLWrvYvwFewIPnoACLWTO+4wBvA1p7bP9x7e3faGJ
xiAhxKaqqREzpp9e2GvH+BzwnaZd8Vt5Tay8BtJ5NZl1guu8RVKGOFfnlGDA
6Oxc0/16HpM1bxPU6xCUqBkb6FdZR/scyTpiCyI2OFjHqOUyJ4vh+NGQa2aa
UOQqciriUjJKI+BOIcEBqc2VwajnQFD0bHYuepF0hoEY8j16q07+KEd1RUtc
xYEjy652Li3vdELezMv5W9AyuPRqHsQFA0K3wYKrGCk/pQF6PYcPHN5SitMh
ZcHR8bGkLFq8M6klafiDwvyAnRpLXfoUTwcHg0e8IF0dWP8kHJ9hYiBxHBeU
65HFGs1ASR3DppHXHmGYaOg98O9TjpzTYsjFl1YZVtNLwkHHXp7JwHVoRHkC
MXORISZmcV4LBd3uGxIXXJTR9PIMf2zKavhu8lLRFDGZmluIjrZ5kfUYeYTR
xrXE6loBTet3VoEgXWMejxXl5IyEejP9hKrynEtAcorwMO5ATZnbokrKGA7N
q3M/2p12sARATQKeUYGqFhusr+1lQIEQR2EVKZVHEFLlBA+wndaVEF3ElUE4
bxJNwH+q11DKlHmAIZkoEyjo+Mfm4LAcIoUW6opInkO0V/ZCkHK+hdiVdkuE
3HkMEvAGJBC6uXn58gwPZHbqI7YWpPCspqmqCrM63acCGaU/xksC1NM3x/7R
0WjPxCycDy10Lrka6peJskF+xEpl4/sXbx0QiUg6x8UMTT5+dvyCS2YNNBba
ttCApDqWWoWOy26tAqOmIgVChfRJa2oK1JYB0VlVNmU4PAo5gtGZZBUbOQCz
qBClUWQR0VNkFsHK46qwoDNusRYz9lpOkEqln/XxWZ9rQlmYJcpbBEvmNXvR
bDEhIzLJSPSWuQ6N3LjsojYBQpO7tYS2/Cy4L8/PTlho2VDRnlpVUjjFUKsw
y+VK1MUmkShElKrjPAQjIxApXvAL1xgD7qaizhVEt7yGCal2QhO42DJEiwxk
lj+RnWvCYftuneZJW/vcurmp939ub7cZdeUGqezhoEKgHtXCIPZQk6jIcj8m
nucJQjbeUtWlXocxnw7fQWkKUilGD1iW3o1HZO3HI2gU18mPjkzw8Xj32S4G
SdBsTQ2KwhwM1hYVeZ9HR61sVJQp5vIGj9E/4w+1JdbSWVeYqby+Xq60yBIk
Rss0GFO7hadjdBMH2UpopmMuJdkAdOpNmnMwKRwXJ1QrZpGsa1mEgVO2YjJL
H3Oq+7gxvrQV2RoLtgEkRvUqeuHDe1e+7JxE/plMZWHy1TYrTPUtULkdqSnF
stWqarSqv5L6itIGPmgziIAL3lMlHWwphRFsVplWMuVuUtWlbJNdC9M1QLwn
r6NI7yrEVcEk5tIxdawgCoqCnOIGEc6RSqVuNGiTyy1rK7fFlgJZTVgjhruD
PWLCupJNCIc8A/YQDat8xnDu5LxdrCuHCvhBv51F7ahmyvk3XSbSgpbjTOMy
iBNNoxqu+0GlpVm7zE52ePPA+PJbXeRs8x3c4uJ5zPm1TvSoWDIcCPG1lhap
fT1vvrZ90Hj8RR0CIyHPwpgDc4cCRxe80+e4t5X0wcpZPZNbkdZk5jmImHzr
vJog2AHG//znP+stV0G1iy/6WHBbfOWkms4b2/yCtwfMeJufNo54r3oFKyJ5
osvS4/ErCNJkSfkTOTW9Wz6XTJB4LUUaZFkqEzYXBH1UNxeYNi2N+GEXEwDw
FcUBGiOGwMD+6WgWni2vSmtOKJjgsiw7p9KUuDVqiP4gSYVORDfEuI0dYltu
HiQv+r0pBXqqLKqw5KhjYxgsOmHwHUB6bSBFF0jOYWi2BjQlE+1GzSPNLkf9
jPZgLKaNy3RM2mpFtV+DpoH1DDx4brj3VEzi1i4IWeGHI9w4e98Xw2d79X2v
scy4/2yP7pOc7x08XpmDrPXDEe6cvYdwv5/LDcymyHmRJ9lSRiQdtuJBmYHg
t+5gQm52pddNsCbzaHbFRifjhpMmIbHL/sFMQvFHk6M09uhYtu0R7fI09iiS
97VHzTyyW+M5uujYmNasLXVbb2ccOw7sCgqIpFGZtqbzXI22r1HeL7QBMrUs
bYAw/RmVK2CetCbTo6fTTo7P/Wm5tJ1qLHgcisuiyIq+1ZueISA9xHfMzpEq
s3zQMnAcQv4qE0ev/i6m7QEN13XTpg+r2Zlr1qi7ttclUWevR0ckO456U7Dh
jc9Fu9MKXtVtELPRDL2/hST3b33xCiBuu5ufoKGn4+BSu7qWjAK/L4U4OzTE
I1aRTjlwr62w6V9GCde7FSLXtmE/LWuLgoayjbvbpsy3Eb7tVryr4fvbIaNp
txdq++0SzEYfBzYoMv2zVFiUP1GpG5Q2i3OKikR6+e1pOs10pEM//8o/eTuE
ivPNE5R/LWLGYwIwKfqlLWtZmAmpm4pSa9OVZAxLcEVt6bT7A/hMxWfgrrQ6
rQOgq+u65aBc8o6Ezm6zbpmMDR/Zbz1Fp0ALxV0gMeNi4mVKu6LWftQdtBpw
sy0Q9R1maVyZTjVU2v8FZLOJy0TzSaABszsLcUnCNkZSTsaEMO5benX2HFca
rjg81Mx/dWi13jhfY1K4hpuyS/pUzeyVLrqXlmp3OOu7IopPhQvsqX7xiqvh
wR82uekNnnnVGdf6iRfZu7ddeKdgaSk91mYgy02eHVYwzwubz0CSZbLJFDRp
J1UGU5LFfr2HFtdbHD/LIvMNHehwBejV6w30jhJXrzYlG322cQS/qTxysaO9
J0z9Kak+cqI3QVrRUVNkpFJrZbatjLs379naPG0OObeCzbI1WHn0U+HkgENi
Tuy53tv/xO5Mf52Re8JGznNzLGqH9+f5pSSD53QvcePhsht88LaOUSQth6Yk
3c2xa9lnP7eODtrbUQ31OgYLJ9Km7K0aoQ2S5E95EjSKb/M8qPu4mujaX5ks
zQ4OPcng2pmbEm8zMweRF2wwFVWJYeUdRClwjKkIUxs2m867KQEXXxVns+Ec
wkXmMgAjlkkWULnS4zohiQ87OOJQafZwUiPeZpu2Z+ewlqQ3ECORxgm3bHrZ
xNYEuL5VA5NkYd3r32bVAExvcv4Dz/FttG3BfVWmzzS3M9QwGAyU6cFjlN/V
Frzxo7aZsrHu5Jr0mZu1IQPNZrwC+wE2dRj7AgLzhSPB7A0iUkHZrRsZeXMk
zMzsGpe6EWbcff2LyzhyVtKOZQt4ZMztJgLizWUSuziMqfymfem0k3g5nlRP
5WaPGtOBjX5bkkNspmYAByiWivbsi6CZlgSGm98S21UI11Fk8MdEJSesb/bk
NxgUpFx2k4OMWhIsqe5Xc9WhcsfJa6PQ0YUmCa2ngCUZIEumSnz7EWcVqri3
NkqMg2CkgnDe2Y5nIHWBLk6vsuRKRtwK9IqB3xVbYVaQd8p0m6/xny2S12tv
t6lvffdWbTi2u12ZjsEgMjR2gsr4E1lrjvaX8ZTjuGaQOOvFpRsnrTUnTYWh
QW24BjWnv3EtVk4cT3sMJsAzPMX7s7rc1Ym+rfU36Hfw1oKihUB5ZmvVkIk3
wzRKvYY+PR0VI6qvw+yhaJui7QHbmCo1/bKYyzi016PvLEo64qFtj5aJcFVS
6b6eRhqdGLdRRt46nkgomvYEzF1NGNsDAZXwuyrhOEbpKLCOY0zx3TbeGIrS
zJ7df7Qb7sJsdNF+SKqNEu0CpLOE9prqnQoniqyT5IE34voy52KT7MoUmNrB
CscnATOjw0ULLgDQyO3qRlEKII6YX6qKIRHv5CymQwmmgMGn9TR9bqnB+I5Y
S3fMpLbvQIxfjvZ9hF59fcXVe1ydnVBw6XFHFv3CE0a87Pt4O5hxgpFU+miA
5l9iZMgpptXNoF63gXRgdzpoYe1s2r3P/D5iFk60+AQANatw40zTPkDUkoEq
vboS1tkF6ZPQf7oUaJa0MXtTrqNKYLNmk7DYhesSXIMPwvjfAB9bufvd8TEL
N/hQ/vHrEarLjL83QnZhIHRzEzaa5FM/DKJqkUCfnF6qZuarAPKt6iBKa5nn
TNFkuxxQtKWbSkkPv7r77+Gaq/s8zb+8j+INbK3Y+PdRI3R6jKtjJ5Lc9HR9
1gsIffxfh93R/rXQXDw/Huqru5/Uz7zJnF/eQ//uv4drru7zNP9qYCdN3wT7
Xgv2DU9+RthZqzfAvt+CfcOTnxH2pnayCvujFuwkMw9px2Dd059LZkyRZxX2
gxWZ0bCvefqzyYytRHVhf7wqMwz8mqd/T9jJCt8cigcrhl8fcP2Kv3Fisykn
zlKD3i3FX9/qIJD6RMkjXSxznVXbrqUzaldyylOIrvFsT2w1Ddn0Hp2Z3dah
LmZwaz+rxZ6I+gjmcbXoVHzqrtZ68Utn8YEYeZyrnFnX27sslz1brNRQ1VNQ
EOrMwp2bbjcB58tc/aCO1zoZ6uFur4nxOXNuFZZbu1et9z39Pm63JnhOBbP2
tgbv/5gyorIJRn1GLLhufL9vg2tezh4wG7h8sCTHXTrDvNrm0sNsLYjem05g
QG9KunarkwSDRUcLgIjMMfCmS8htruL+QAu2IkdNkQy3n5mPAYlrPvdnVhFO
Lwm9NpHlNeVBzGTusqZlN/WxYhXITr1ZcFdEBfq8yei08/rm7t5bopsO8TXE
en+AgcRzVcGFGDovUvEHh3h2IyDvvzZV3273kDm3VR/Oazfv2EO3gW1/zjDz
hNtCjcDqE9w6H3Nk7JDSM+rS45Yt/twMnUDJAw5inAc92+9a40mvbW6G4sNo
9jGi6EKrh5ZgpzGcA2M3C378yM+QJZeWBDzBB0RUH8XPH+pm+OiDqZ17U/2h
hD3Bb+njgB9+treRDLp3NRArhyO5k3kd2qaZp4U672DYUqv3wZwT0aclvrc5
3hb0+eftD3dyrUu9KJPK04UV7rkOALehhQWJF24zVfd74VWuyZhqvj64QPCZ
bHwVM8CimWHACK6yOFJ05porgn2Prlj8A/2lB9dW8IyKs3YYefv1q+YguzmJ
aUykcs67sSVJSQHcc47trROWCac0yQUoshLd80ZmRv6ghai7bB2+shHSuy7c
iUtdidxtSxai3WsL+OsGOz5eTc93W+Eg2nVi12nDM+f03V0C3s3gg7z4MY9n
c+pt5CY38xUS3lkesMJ3e/paqtDSgaYM1gi98XHQUn22hEyhPiERNe0DrSMG
nXe5XbOQP5gSBKduGrAWSnavTRdiphDDeQsXcy6cTsV0t1ZIxdpncsRpS8KU
5jv5lqDdwMqIGJab1fSn2TxDMfq0gM4y8bJOO+GIZHBJGxj22GUbUKpo0bFP
EZf08TfTCMDmL1CxLOzJbN1tqOtxpHgaN3YqeKDBTxsezOpxP8WCFFjbvxUJ
arqF2aLUB83WHsmx3ZxOW4lpuaotbLuZHGR2qG5y8EbZbKbdqqttYAUduaXN
dzZq/M2nsjaedmL2pwmdT9PZcue0ep+rHEzyvtdtB+BRIiP5ejuKKCNYhccc
FmYjRfTL2Pi2ADMQlfOCvxEwOj+F00yyGf7l1hp9bJObxUP+MFnCncP8Ea6O
5RI3D2j0ljcaGK2mb7xVQYSN49dNsKM/mkEF7Cjq1PeBij77pAv3vc6sPa/Q
09Kh+/oTYre3vAfwhr8A16RkGPorIXvIST5+OdWJQxuMszlkNXVyOVsJ9sUR
FZ4oUgZQh+LviHX/QaN89JQPCRcAXRb0JcTx17jzjk9QpWEd91hjvQUYtvmB
uvpB38tbgRvpWAvuvfvCTXncZ4SbUrEW4Pv3BZyTuM8IeZPmt+B/9MsFRp+4
oK1sczRIJ0h68t7nEidTB2ghd/BLpGoTVjTr58HKqRC00Hr8i2RuA1487e+E
l7WbnW8Z3st4aksoi44FNfbdptLrpu+JdVbUfIjRtNY/cA3puhrwfQqm9/v7
6H1crbCsGfoX/zC9FpGVYtLw18FdQ9/UbJrpqZTzW02/UlX/uOY0icMNemdF
Sj/yx3p/K5BqUa8HOyL/a6dv9gjM9FpdHrh+8k6xvKMWfm84Po9Y/kp1qqH/
dxJL4sb/UbH8lWDX07vSzdHUneJ9x3bJfRf8TOK9/6vAroH/d5JuZsb/i/ed
0yOFHIXUO57IaMYnc2nHRBcoZPRVjz852jNHZPT3RSlLDdJLMfrP04u3r0/F
cRCr6lL2xXM65I7wbJFPZILk+ThIY5mIl1U8kykS2BcI2nIxvswug7QvTpOg
iMWruFJXQVAEffFGxol4jeRTpqYDpZQ5JvwuuIwX2VUczm2dJOY+J6Skk0pn
vJyXrtQFvP8B/hiZHq9fAAA=

-->

</rfc>
