From eb476b26cef064ba2d8af1d9c7f274554222c0d0 Mon Sep 17 00:00:00 2001
From: Trance-0 <60459821+Trance-0@users.noreply.github.com>
Date: Tue, 3 Mar 2026 12:41:30 -0600
Subject: [PATCH 1/4] updates

---
 content/CSE4303/CSE4303_E1.md      | 404 +++++++++++++++++++++++++++++
 content/CSE4303/_meta.js           |   1 +
 public/CSE4303/Feistel_network.png | Bin 0 -> 38661 bytes
 3 files changed, 405 insertions(+)
 create mode 100644 content/CSE4303/CSE4303_E1.md
 create mode 100644 public/CSE4303/Feistel_network.png

diff --git a/content/CSE4303/CSE4303_E1.md b/content/CSE4303/CSE4303_E1.md
new file mode 100644
index 0000000..3f9d021
--- /dev/null
+++ b/content/CSE4303/CSE4303_E1.md
@@ -0,0 +1,404 @@
+# CSE4303 Introduction to Computer Security (Exam Review)
+
+## Details
+
+Time and location
+
+– In class exam – Thursday, 3/5 at 11:30 AM
+– What is allowed:
+    - One 8.5” X 11” paper of notes, single-sided only, typed or hand-written
+
+Topics covered:
+
+– Security fundamentals
+– TCP/IP network stack
+– Crypto fundamentals
+– Symmetric key cryptography
+– Hash functions
+– Asymmetric key cryptography
+
+## Security fundamentals
+
+### Defining security
+
+- Understand principles of security analysis
+  - The security of a system, application, or protocol is always relative to
+    - A set of desired properties
+    - An adversary with specific capabilities ("threat model")
+
+### Key security concepts
+
+C.I.A. triad:
+
+- Integrity: Prevent unauthorized modification of data, and/or detect if modification occurred.
+  - ARP poisoning (ARP spoofing)
+  - Authentication codes
+- Confidentiality: Prevent unauthorized parties from learning the contents of data (in transit or at rest).
+  - Packet sniffing / eavesdropping
+  - Data encryption
+- Availability: Ensure systems and data are accessible to authorized users when needed.
+  - Denial-of-Service (DoS) / Distributed DoS (DDoS)
+  - Rate limiting + traffic filtering (often with DDoS protection/CDN)
+
+Other security goals:
+
+- Authenticity: identity of an entity (issuer of info/message) is verified
+- Anonymity: identity of an entity remains unknown
+- Non-repudiation: messages can't be denied or taken back (e.g. online transaction commitments)
+
+### Modeling attacks
+
+Common components:
+
+- System being attacked (usually a model, with assumptions and abstractions)
+- Threat model 
+- Attack surface: what can be attacked
+  - Open ports and exposed services
+  - Public APIs and their parameters
+  - Web endpoints, forms, cookies
+  - File system permissions
+  - Hardware interfaces (USB, JTAG)
+  - User roles and privilege boundaries
+- Attack vector: how the attacker attacks
+  - SQL injection via POST /login
+  - Phishing to steal credentials, then SSH login
+  - Buffer overflow in a network daemon
+  - Cross-site scripting through a comment field
+  - Supply-chain poisoning of a dependency
+- Vulnerability: what the attacker can do
+- Exploit: how the attacker exploits the vulnerability
+- Damage: what the attacker can do
+- Mitigation: mitigate vulnerability
+- Defense: close vulnerability gap
+
+Importance of correct modeling
+
+- Attack-surface awareness guides defenses
+  - E.g. pre-Covid-19 vs. post-Covid attack surface of company servers
+- Match resources to expected threat actors
+  - "Script kiddie": individual or group running off-the-shelf attacks
+    - Caveat: off-the-shelf attacks can still be quite powerful! Metasploit, Shodan, dark web market.
+  - "Insider attack": employee with access to internal machines/networks
+  - "Advanced Persistent Threat (APT)": nation-state level resources and patience
+  - All these threats have different motivations, require different defenses/responses!
+- Reevaluate often
+  - Threat capabilities change over time
+
+## TCP/IP network stack
+
+Local and interdomain routing
+
+- TCP/IP for routing and messaging
+- BGP for routing announcements
+
+Domain Name System
+
+- Find IP address from symbolic name (cse.wustl.edu)
+
+### Layer Summary
+
+Application: the actual sending message
+Transport (TCP, UDP): segment
+Network (IP): packet
+Data Link (Ethernet): frame
+
+### Types of Addresses in Internet
+
+- Media Access Control (MAC) addresses in the network access layer
+  - Associated w/ network interface card (NIC)
+  - 00-50-56-C0-00-01
+- IP addresses for the network layer
+  - IPv4 (32 bit) vs IPv6 (128 bit)
+  - 128.1.1.3 vs fe80::fc38:6673:f04d:b37b%4
+- IP addresses + ports for the transport layer
+  - E.g., 10.0.0.2:8080
+- Domain names for the application/human layer
+  - E.g., www.wustl.edu
+
+#### Routing and Translation of Addresses
+
+(All of them are attack surfaces)
+
+- Translation between IP addresses and MAC addresses
+  - Address Resolution Protocol (ARP) for IPv4
+  - Neighbor Discovery Protocol (NDP) for IPv6
+- Routing with IP addresses
+  - TCP, UDP for connections, IP for routing packets
+  - Border Gateway Protocol for routing table updates
+- Translation between IP addresses and domain names
+  - Domain Name System (DNS)
+
+### Summary for security
+
+- Confidentiality
+  - Packet sniffing
+- Integrity
+  - ARP poisoning
+- Availability
+  - Denial of service attacks
+- Common
+  - Address translation poisoning attacks (DNS, ARP)
+  - Packet spoofing
+- Core protocols not designed for security
+  - Eavesdropping, packet injection, route stealing, DNS poisoning
+  - Patched over time to prevent basic attacks
+- More secure variants exist:
+  - IP $\to$ IPsec (IPsec is )
+  - DNS $\to$ DNSsec
+  - BGP $\to$ sBGP
+
+## Crypto fundamentals
+
+- Well-defined statement about difficulty of compromising a system
+  - ...with clear implicit or explicit assumptions about:
+    - Parameters of the system
+    - Threat model
+    - Attack surfaces
+- Example: "A one-time pad cipher is secure against any cryptanalysis, including a brute-force attack, assuming:
+  - the key is the same length as the plaintext,
+  - the key is truly random, and
+  - the key is never re-used."
+
+### Common roles in cryptography
+
+Alice and Bob: Sender and receiver
+
+Eve: Adversary that can see but not create any packets
+
+Mallory: Man in the middle, can create and modify packets
+
+The message M is called the **plaintext**.
+
+Alice will convert plaintext M to an encrypted form using an
+encryption algorithm E that outputs a **ciphertext*- C for M.
+
+#### Cryptography goals
+
+Confidentiality:
+
+- Mallory and Eve cannot recover original message from ciphertext
+
+Integrity:
+
+- Mallory cannot modify message from Alice to Bob without detection by Bob
+
+#### Threat models
+
+- Attacker may have (with increasing power):
+  - a) collection of ciphertexts (ciphertext-only attack)
+  - b) collection of plaintext/ciphertext pairs (known plaintext attack: KPA)
+  - c) collection of plaintext/ciphertext pairs for plaintexts selected by the attacker (chosen plaintext attack: CPA)
+  - d) collection of plaintext/ciphertext pairs for ciphertexts selected by the attacker (chosen ciphertext attack: CCA/CCA2)
+
+## Symmetric key cryptography
+
+### Classical cryptography
+
+Techniques: substitution and transposition
+
+- Substitution: 1:1 mapping of alphabet onto itself
+- Transposition: permutation of elements (i.e. rearrange letters)
+
+- Caesar cipher: rotate each letter by k positions (k is fixed)
+- Vigenère cipher: If length of key is known, split letters into groups based on index within key and do frequency analysis within groups
+
+> The three steps in cryptography:
+>
+> - Precisely specify threat model
+> - Propose a construction
+> - Prove that breaking construction under threat mode will solve an underlying hard problem
+
+#### Perfect secrecy
+
+Ciphertext attack reveal no "info" about plaintext under ciphertext only attack
+
+Def: A cipher $(E, D)$ over $(K, M, C)$ has perfect secrecy if
+
+- $\forall m_0, m_1 \in M$ $(|m_0| = |m_1|)$ and $\forall c \in C$,
+  - $\Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c]$ where $k \leftarrow K$
+
+#### XOR One-time pad (perfect secrecy)
+
+Assumptions:
+
+- Key is as long as message
+- Key is random
+- Key is never re-used
+
+In practice, relax this assumption gets "Stream ciphers"
+
+### Stream cipher
+
+- Use pseudorandom generator as keystream for xore encryption (security is guaranteed by pseudorandom generator)
+
+Security abstraction:
+
+1. XOR transfers randomness of keystream to randomness of CT regardless of PT’s content
+2. Security depends on G being “practically” indistinguishable from random string and “practically” unpredictable
+3. Idea: shouldn’t be able to predict next bit of generator given all bits seen so far
+
+#### Semantic security
+
+- $(E, D)$ has semantic secrecy if $\forall m_0, m_1 \in M$ $(|m_0| = |m_1|)$,
+  - $\{E(k, m_0)\} \approx_p \{E(k, m_1)\}$ where $k \leftarrow K$
+- ...and the adversary exhibits $m_0, m_1 \in M$ explicitly
+
+The advantage of adversary is defined as the probability of distinguishing $E(k, m_0)$ from $E(k, m_1)$.
+
+#### Weakness for stream ciphers
+
+- Week pseudorandom generator
+- Key re-use
+- Predicable effect of modifying ciphertext or decrypted plaintext.
+
+### Block cipher
+
+View cipher as a Pseudo-Random Permutation (PRP)
+
+#### Pseudorandom permutation
+
+- PRP defined over $(K, X)$:
+  - $E: K \times X \to X$
+  - such that:
+    1. There exists an "efficient" deterministic algorithm to evaluate $E(k, x)$.
+    2. The function $E(k, \cdot)$ is one-to-one.
+    3. There exists an "efficient" inversion algorithm $D(k, y)$.
+
+- i.e. a PRF that is an invertible one-to-one mapping from message space to message space
+
+#### Security of block ciphers
+
+Intuition: a PRP is secure if: a random function in $Perms[X]$ is indistinguishable from a random function in $SF$ (real random permutation function)
+
+The adversarial game is to let adversary decide $x$, then we choose random key $k$ and give $E(k,x)$ and real random permutation $Perm(X)$ to let adversary decide which is which.
+
+#### Block cipher constructions: Feistel network
+
+Forward network:
+
+![Feistel network](https://notenextra.trance-0.com/CSE4303/Feistel_network.png)
+
+- Forward (round $i$): given $(L_{i-1}, R_{i-1}) \in \{0,1\}^n \times \{0,1\}^n$,
+  - $L_i = R_{i-1}$
+  - $R_i = L_{i-1} \oplus f_i(R_{i-1})$
+
+- Proof (construct the inverse):
+  - Suppose we are given the output of round $i$, namely $(L_i, R_i)$.
+  - Recover the previous right half immediately:
+    - $R_{i-1} = L_i$
+  - Then recover the previous left half by undoing the XOR:
+    - $L_{i-1} = R_i \oplus f_i(R_{i-1}) = R_i \oplus f_i(L_i)$
+  - Therefore each round map is invertible, with inverse transformation:
+    - $R_{i-1} = L_i$
+    - $L_{i-1} = f_i(L_i) \oplus R_i$
+  - Applying this inverse for $i=d,d-1,\ldots,1$ recovers $(L_0,R_0)$ from $(L_d,R_d)$, so the whole Feistel network $F$ is invertible.
+
+- Notation sketch (each wire is $n$ bits):
+  - Input: $(L_0, R_0)$
+  - Rounds:
+    - $L_1 = R_0,\ \ R_1 = L_0 \oplus f_1(R_0)$
+    - $L_2 = R_1,\ \ R_2 = L_1 \oplus f_2(R_1)$
+    - $\cdots$
+    - $L_d = R_{d-1},\ \ R_d = L_{d-1} \oplus f_d(R_{d-1})$
+  - Output: $(L_d, R_d)$
+
+## Hash functions
+
+## Asymmetric key cryptography
+
+## Appendix for additional algorithms and methods
+
+### Feistel network (used by several items below)
+
+A **Feistel network*- splits a block into left/right halves and iterates rounds of the form $(L_{i+1},R_{i+1})=(R_i, L_i\oplus F(R_i,K_i))$, so decryption reuses the same structure with subkeys in reverse order.
+
+Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89MAC uses a Feistel block cipher internally).**
+
+### A) Cipherlist *filters / set operations- (not crypto primitives)
+
+These don’t implement encryption or authentication; they just include/exclude suites.
+
+- **COMPLEMENTOFDEFAULT*- — (selection) picks suites in `ALL` that are not enabled by default (notably RC4/anonymous, depending on build).
+- **ALL*- — (selection) all suites except `eNULL`, in a default preference order (OpenSSL-defined ordering).
+- **COMPLEMENTOFALL*- — (selection) suites excluded from `ALL` (currently `eNULL`).
+- **HIGH / MEDIUM / LOW*- — (selection) groups suites by effective key strength class (OpenSSL policy buckets).
+- **TLSv1.2 / TLSv1.0 / SSLv3*- — (selection) restricts to suites whose *minimum supported protocol version- is at least that value.
+- **SUITEB128 / SUITEB128ONLY / SUITEB192*- — (selection) enforces “Suite B”-style constraints: only very specific ECDHE-ECDSA-AES-GCM suites and curves/hashes.
+- **CBC*- — (mode selector) selects suites using **CBC mode*- for symmetric encryption (confidentiality only unless paired with a MAC).
+
+---
+
+### B) “No encryption” / “no authentication” flags
+
+- **eNULL, NULL*- — **encryption/decryption: none**; **cipher method: N/A**; core idea: the record payload is not encrypted at all (plaintext).
+- **aNULL*- — **authentication: none*- (no peer authentication); **cipher method: N/A**; core idea: uses anonymous key agreement (no cert/signature), enabling MITM.
+- **ADH / AECDH*- — **authentication: none**; **cipher method: N/A**; core idea: anonymous (EC)DH establishes a shared secret but without identity binding → MITM-friendly.
+
+---
+
+### C) Key exchange and authentication selectors (not symmetric encryption, not MAC)
+
+These describe *how keys are negotiated- and/or *how the peer is authenticated*, not whether payload is a block/stream cipher.
+
+#### RSA / DH / ECDH families
+
+- **kRSA, RSA*- — (key exchange) the premaster secret is sent encrypted under the server’s RSA public key (classic TLS RSA KX).
+- **aRSA, aECDSA, aDSS, aGOST, aGOST01*- — (authentication) the server identity is proven via a certificate signature scheme (RSA / ECDSA / DSA / GOST).
+- **kDHr, kDHd, kDH*- — (key exchange) *static- DH key agreement using DH certificates (obsolete/removed in newer OpenSSL).
+- **kDHE, kEDH, DH / DHE, EDH / ECDHE, EECDH / kEECDH, kECDHE, ECDH*- — (key exchange) *ephemeral- (EC)DH derives a fresh shared secret each handshake; “authenticated” variants bind it to a cert/signature.
+- **aDH*- — (authentication selector) indicates DH-authenticated suites (DH certs; also removed in newer OpenSSL).
+
+#### PSK family
+
+- **PSK*- — (keying model) uses a pre-shared secret as the authentication/secret basis.
+- **kPSK, kECDHEPSK, kDHEPSK, kRSAPSK*- — (key exchange) PSK combined with (EC)DHE or RSA to derive/transport session keys.
+- **aPSK*- — (authentication) PSK itself authenticates endpoints (except RSA_PSK where cert auth may be involved).
+
+---
+
+### D) Symmetric encryption / AEAD (this is where “block vs stream” applies)
+
+#### AES family
+
+- **AES128 / AES256 / AES*- — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitution–permutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds.
+- **AESGCM*- — **both encryption + message authentication (AEAD)**; **both*- (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
+- **AESCCM / AESCCM8*- — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants.
+
+#### ARIA family
+
+- **ARIA128 / ARIA256 / ARIA*- — **encryption/decryption**; **block cipher**; core algorithm: ARIA is an SPN-style block cipher with byte-wise substitutions and diffusion layers across rounds.
+
+#### CAMELLIA family
+
+- **CAMELLIA128 / CAMELLIA256 / CAMELLIA*- — **encryption/decryption**; **block cipher**; core algorithm: Camellia is a **Feistel network*- with round functions plus extra FL/FL$^{-1}$ layers for nonlinearity and diffusion. *(Feistel: yes)*
+
+#### ChaCha20
+
+- **CHACHA20*- — **encryption/decryption**; **stream cipher**; core algorithm: ChaCha20 generates a keystream via repeated ARX (add-rotate-xor) quarter-rounds on a 512-bit state and XORs it with plaintext.
+
+#### DES / 3DES
+
+- **DES*- — **encryption/decryption**; **block cipher**; core algorithm: DES is a 16-round **Feistel network*- using expansion, S-boxes, and permutations. *(Feistel: yes)*
+- **3DES*- — **encryption/decryption**; **block cipher**; core algorithm: applies DES three times (EDE or EEE) to increase effective security while retaining the **Feistel*- DES core. *(Feistel: yes)*
+
+#### RC4
+
+- **RC4*- — **encryption/decryption**; **stream cipher**; core algorithm: maintains a 256-byte permutation and produces a keystream byte-by-byte that is XORed with plaintext.
+
+#### RC2 / IDEA / SEED
+
+- **RC2*- — **encryption/decryption**; **block cipher**; core algorithm: mixes key-dependent operations (adds, XORs, rotates) across rounds with “mix” and “mash” steps (not Feistel).
+- **IDEA*- — **encryption/decryption**; **block cipher**; core algorithm: combines modular addition, modular multiplication, and XOR in a Lai–Massey-like structure to achieve diffusion/nonlinearity (not Feistel).
+- **SEED*- — **encryption/decryption**; **block cipher**; core algorithm: a 16-round **Feistel network*- with nonlinear S-box-based round functions. *(Feistel: yes)*
+
+---
+
+### E) Hash / MAC / digest selectors (message authentication side)
+
+These are not “ciphers” but are used for integrity/authentication (often as HMAC, PRF, signatures).
+
+- **MD5*- — **message authentication component*- (typically via HMAC, historically); **cipher method: N/A**; core algorithm: iterated Merkle–Damgård hash compressing 512-bit blocks into a 128-bit digest (now considered broken for collision resistance).
+- **SHA1, SHA*- — **message authentication component*- (typically HMAC-SHA1 historically); **N/A**; core algorithm: Merkle–Damgård hash producing 160-bit output via 80-step compression (collisions known).
+- **SHA256 / SHA384*- — **message authentication component*- (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family Merkle–Damgård hashes with different word sizes/output lengths (256-bit vs 384-bit).
+- **GOST94*- — **message authentication component*- (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash.
+- **GOST89MAC*- — **message authentication**; **block-cipher-based MAC (so “block” internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)*
diff --git a/content/CSE4303/_meta.js b/content/CSE4303/_meta.js
index ab7862b..d62ca52 100644
--- a/content/CSE4303/_meta.js
+++ b/content/CSE4303/_meta.js
@@ -3,6 +3,7 @@ export default {
     "---":{
         type: 'separator'
     },
+    CSE4303_E1: "Exam review",
     CSE4303_L1: "Introduction to Computer Security (Lecture 1)",
     CSE4303_L2: "Introduction to Computer Security (Lecture 2)",
     CSE4303_L3: "Introduction to Computer Security (Lecture 3)",
diff --git a/public/CSE4303/Feistel_network.png b/public/CSE4303/Feistel_network.png
new file mode 100644
index 0000000000000000000000000000000000000000..ad6be5c61664ac7efdddbecfa9796e61c85379ea
GIT binary patch
literal 38661
zcmeEuWm_9j*KUiJV#VFvi@UqKTXA;?4#hRNySuvtXwl;C?(Safr0;W{_c}k~e8^;G
zGBerPYwacXx>q8U6eJP9;(q<~=@X)~l$gq=PY~ze{mCyd;H|Lur3?7&vx|zP$fueK
z{A2I|l!dUo@TX7pvGA`((BNY@M=5RaMM!=BUY~~?%1l3fO39EG6ISyuILo&1z@J|Z
zy-Yt>uT)R<u4S8L?g}*~{+9I#j)I)LC~i*{f`lZAyhusqh~kbg(u$)Cd)I!=J9XY$
z+v+swa_DS?PP>6Z+srigrDH<8AX|TOLcnE$_tJCHrKq5QlpsKe_}dpKhybA<I(rZP
z|JnU_=0F7M9DMda9}c4kcmD5n&SF!H|Gh2^AEgQY-`)SNqm=yrxBTyn#YaX)-aYv9
zeOuDmkn>dqz2&}S=W{cD4Xk<a$NZlO2TxhY*k`P!(~g)DtJjNTAU@B`>ifQ5aS2U8
z!SU-RrzF`ZO9FYbpxA$eAVj=G1*<nzQ$c&}k+o{DHj%9vBSH8}sJ)GHq%*4Wd7AU9
z6BoW#^}<8gf1eNa(jUxz{<YFVa4<;GPbz(8`c^EQ!a<<7kI6^6dgZ}Qe^HtoRg5&A
z!=Fe>O`ZZZB9HoO$Hw#{%735m5W^kx;GVnvJ|s}UHvP^n1YiHuOy&7>%v7$i(p_}w
zWwT|E=_*e}7+YwS@nr@2|EdCiZ?JHuFz7+m{(S*~v281`<-FI%(@5U#rEfK_!umxJ
z5xb+Nu%hDsxnr<NxU*)i(e4~~p~`BLLj`4Kg=j;DcGaG83?LAAk*Kr9HzjX*{7cwU
z<_AnL5_A`EN^R4qH>6D2;OW|Gt^Vu_p~tg%3D*o}!pS}8u{77|GF8FvdGqk;ng)7l
zcB9-1ciJ-P?_aO?H@_en%!2M`b)3}PEedRe9q0BsE&6k0w6rv}L)As}?L>7q1Xm(r
zY1C4p6nXn!G;857G&J(n8`Ho3>N6nRO&+;uKMyLmYcXKvmj{I>A+@G*Hk!KZ{yd$s
zPv-te<I4h6PHhuY6qhq;XsRj`5h=+Z^F)uiIjt3Kecs=&=*{CF%<B30S;|2$oJ;ry
zoj4l=AO=0dF?L-!h$+6~IS8;M%8gzuicc{f*{P{h#7otgnlR*6BRUNl{eB3$qq|*T
zcRceTD#gzr`_Itc9{W&1_H-sU>*vVFnj6}B;|!a)0h_1j89d=q$5+)M7;5b0_{=Md
z?{R+n*#q->{t6_8UwuTvf|8O--k*9oCIm>sX9XOu735X3=6N%o&nf!qSI=RiOXRSd
zE(!FPdp8-|qp4a5Croa0cFwBSF$730vF<24?CD97!usepltk5+CdSZiSBMsBL7hdo
zxuS=2ea>KYgq3^P`az<v$}~~EvnSe!V|Zlcuhnyts@dw&x6Ey7_BXf$33bNpX=2AZ
z^w7fbwLkhH?4AyJl4ko%v@4nb_Zts>aFNZ)M(ZeeOk_?gur&~!9n2HAxyjdsjV@On
zeBd#{Ttq&^N$pbt=ESB<)Ya57hbSZ*x8gHSqK0<G3a1~Kkg+2R@ayiqV0n%+SY`t~
zw;kOa<7-64nJ2k$6~7Q5Y0R*jVY=#5VMY-sWw01c5$?|$=8PoKsPb5%rSZI#`l#U!
z<gmwIi`t%V(to?-34Mw6grH|w<|d@hp86eLQ32U4KuYlMsm8At2hZc|_rLUoJnDXw
zm_p%uT=-HVtdO7pr`J#myCkE@m#@tZn77N|+s^}ZxdtspX0h;vj-)wBSrKhZA|IgE
zDT`^oPhNWDAy@|1khxMH*#T@u_|ndO9<XL5x?<L%JnWZs7OHg@R~BmY`zkPGpN@dA
zPZ#yv2mGG@H9mP*%tmW;tnYI;dY;R!&ecCP#(P^0cS2GHj4k$lc^RYrcXf9J!UX|%
zhkOnn*WOoUv5gX^l8rasC-v97URbMaF#p%+Z*BE~*Ykfp0I?L<(EE;EghYGW*VC<R
zWa3~or+v;Z&*99c`8Nav4Y{871VY0JhRr9!T6Cg8QFw!`*Q|+LR<=aDnx@8vki{PQ
zgDlbYr#C-*1z5~wy-d2|Ky2-c*A67|1p35dw=Jjpo-T`y9L$<ZQhHceAD7}*%#^~x
zUVMILyv{zxyE#a5?Gj?H?|9k8HYd#?h*<&*o9LNz`o0BWfgt+&&uhXW9Y}{h`a?_G
z?IlZk$3;$<l)w>`|LD?oES`LQ`;1F&%2gK{a@9D4_|%4^Wyavc4W&VjZV2VQ|F3pM
zovv>6DWH%<f+;yGv~EXCjZK!57A1JiMAO{epT?M*!>_Q*@7{Y-*iy45BHJhY&Z7d@
zoZP71V5eX9T^?`h-+;a3cgTOMgoD)bk_fD$0F>c`K4w<N{m4;8i?+(Q$^)@QH*|3l
zLRNq~D_KTKfz4OUN`k2Q(2VeWn+i|9Uv32Q>QidTlM8IugRfr;rk8|uSK?-p(g93z
zlCx@T6i8B9wg9qSdrJO#UDZ#uW0gi58P+@3Pr{Y|5d))Knw6&3{e+2+GIQu?w?9(I
zg0I<c^o0q}1VsR*<FwmhV(B0Z-)xN)ZiHB%yf{1Pec8MuHqnVEd&!PNH3{*kLxD6t
zuZfU@eV@3{$@PJ8jS-8Z)A!e;asoM<yr??6h*SDN@#jzG_!wJ95z9-qZ>%mxC34;}
zs<o5r(rjvdMfnP*+82xTP8LOX=s+<oUA#Q$`@~aAV;TE?bgzQ!l9q+`rRAeuqY%9A
zc**Zuc;DnB<T`)keM<)jJCL!QzxDmnpH@)TVm*W={Chc+1fVG|t9uW^YWs*srjE(n
zeHKk9TA&<dVayC(v>G^VNH1t7z|;faL{YHA=b0p{WdU$v;U;Exn|1(Nj#_Rkw#v@y
z%AYW8ZAs&$@RQP~*S!+zbSc)5MhO?~@^oYrHMB)#E^4S{JFM>Z>`Key-ziO{sY-q&
zj3ZJ<IxAVr{By)X@Mz{Mg`lh5*|z&cY!fQPfv!oh0tL})7@4F-PxIez_+}Bv9wh`q
z%IGc095;h&=UM(~1htD%v&U=$i8&P&{l?53DQt~Rb79eg%Y`;Nxf0bHHZQGrycHFw
zKnW{*`;rD_Gb1a?PpO2t!`mi}FZ=l8Nmf+l<*f&)c|*9|<|3ae=dEe^+1c3YeuM#6
z+ER_Wzf;NAWlAVE&CcDR(sgF6wb`O_W@Sp6ht?WSsG6=on+t(AUBEw0kH{s6D<4;W
z+AmlSkpuqS<$(bG#bxc~F+9VIoteUQD2UIh(C6_|!Sk!9>7C+(q*gwsS5Vs8+HLC>
zesma1co`)qQ3ICN)&<?&Ii9>(bHR3du=KA-YujA-zCAyuY{5?a6x3A*5w$WV9k#dS
z$R$@?3U;~z2B~=s1HYGSLmH8h)BcTAP1+2S$l*E<Y}8G$sEATFFEdbu!Lt8uGW9-n
zW~_iu$LeI-GG&A;mAg&!MQmzAFzvf#*g?bO(<rjvcx7f)7GQqzX~R=8&d$zw_m$K0
zuD+GpEqBl`_X&RX7631jK=9P~YAHQ^#$d^md$=oj`KRf6D^4iE72iHPtCveM8+X6W
zX~u6J`Me_LY7m6l?VB~ER-mk&?8r41$uRE&QWzjT_Icz=&&tA|h0-qPIaZ<;v$JDZ
zrPa|=+JoL2QEf=);%l5_Ed(2b&tRt;lKrKWFvWt0e|~<R*;^cbp9Bx>=Eq=td&x8!
zf#pdQ5H1q${3#188Qq_gr^lM|5qbLGmC|S|7u^Wd)jhY?Nkh$L_RPHMmdESg=?EHE
zmt_)yC++s*;&HU-Q~Z!Oz=rDIB*Zpub<?$<1h8lQJ=OGlIt(*%@Rc`Ngl%;?Rx}{r
z&Fb_#|LqWOwahT)`tQeYzWN}sei%{Z2Nd8Yzj46l1r=bcw<oaw9%xm&I=qy*W80&y
ziMTn?G}H47Y!^%X+K}Q<vlBG$M4vD*KWn#lkU{rnhOL?%yQ;i=e^*`uw?HG*Lbv^)
z%4q4uBfby^93Q5t?Zz2r`H6KO->GS84)Km=P}?-HFdOddpna7qrdqMGmb4-uvTcGy
zJ;XoQZX0fYtDpfV4lrL?q0b`=zQqo;e`II(yQ1mzQ=Hohi!Q3-*tx7M!|<aPe&x&Z
zb|thg?J|UPM*(Xuq`Nq;aIC|R30OQO{UPSt5z!e4z^8Ph(#btM6Moy59e&Kk`!i3I
z*T)L&_Ld~cTIKiv(H{N5$mZfIea(>!GYr1FC~BMxVCx6YULh))moX9fpN8mh^S)!(
z9cONwTr|iZnm`d{voGoxJ-|HgA{$!Ht-N0rT0)G=xRj{CukvtEZ{axz;f2%G5n51T
zS-(tFuUFVXNG@!x3<0C4;wcPTRUBsxfvYLMOf(<40C^chHQNp3W$>pyUDYAQcsA1H
z9eaBu*rsWWmXg&a1ssvKw>xf4{wU;8u?V?{{08FUZlJf(7vOlQ;~;Vdw?$FR!j9>H
zwaeeCM|6hvY;Vb;l8-U;HgKG8I(1>}Q4&3ApS7xail?mJJbOucL<EzWV_8~0{5;q`
z-+E-bWXAUe@ZbvtA$*y5Lgh-)%k{{pfU7ZTRfx-N;%fP8^|&yD%S?=H2y4MO73gP_
zB-lUPhsWisHcL2!EXM01$7&I6zjMb-68aR~zYqwNZwe+WIrWBqiG2<Pa0`9!i$T?y
z(2T-c?U4ala~nF?K*+*qr~7iw=UWf+xZmpM6XsL+cJE$uMHY|;CAP3)R8$mDe+9c6
zF;b(*E%6kyGeBQR|GqN|$LLW~iv~G$tsRPnFQnLzmvto;>q!J4gBF43&pkFyxp-z@
zzcK73i~)qOe`14p%j!8-79$@a6Algz*l4k^vciJQOii~QU!2<Y;;Pu{mu;VX1ZJ~L
zh`;?hyxj(L;w0k0xQZxetFPjQWS@TyKNe9LW=?KYAOKb+-`rLAY$w-NN+I4~XYBJi
z-u7sz)y4^)yT*(hzloc8jrC%E+}}9G2M^$Fm-WfHM|cHSRIss2dh7%lZ)6!NkfU0m
ziCJYxxQPZ22~cnMnPG^LqNuK2C6F66>ww4O!AB@z7PM-f^$2nUzU{2mobn`-q+700
z7k@iz@ziVVN(nQ^YBaY<jGvc&$Ly#<iyhK#>JAOtSRGhUxkVs8XJ=<lx2r|6vSmcP
zk18Q$PF9+0Q-JvWJ9@zQ_qOAf<MW>{rU}W(;tC2eRyrCQm;pk0ZoXNo=cIIWqiTog
znVGTx00*=-;Z2tWs`2o`_i3#$wqaD^%OAbrbHn9=T@j;{W~hvB!I@0i6ZNH8eb9$F
zgY~ma`|s@oe{dvk8+B{)e&lu*1AuN0doI1x(D=S;pTiVJ4~IUSrp{uny95_p%!N12
zZeOC*B1FveS<UXh+C-UDZ5Tm;Xm+l-a;xE#=gS((*+gVzqpSkyqXuR&aNIhxq7iX3
z8SLnzl;^))G%85Xvf*YHg4lY}6DWD(Ek)!wOO9#qks8~J(pTa}N^Nw$H1{Xy(%~%D
z6qH0vF0!klsVr;YvH<_-yOA(&I^%AD?eziX&b3FbwY9!7+T?@{NkUxskco(DU{J;!
z4_fAW#O(gy>HW^_v)n8nA+midUV?Dvy8T(_%zImaZ8^^8p3TXmK+|DEEsM7rO4a+$
zz_+2BO2fC4m<NA+OZp3xEWqz;(_lconJ#nk{Jfg_BHFxuH1Eag>v2Hm^8(5HgM;Y*
z#B{j821}cyS)}o`)01QU+b&S2$e`{wla)EB&sFG}vU~EChsRi_?RQe1Jvr7Hy<hPF
zAzY?uDELdZkR~R{9gGRMg>5`?)RfB0MTy7Z$_u8VDXx4A)TgvSvz{<4%0Gxp;2;fb
z0zPvex~lXTop>+ZVFDIbmDnQ0M2vR66E)CZ-nU*bW|Y*o7sU?=R*+}-w8SfOTW9$z
zGU<)?4#hru-l<a&`GY!rZz6&e1zhSJ)06G?dD2DEAtv5<hsKMIsuD)ZATEEN(x68C
zP|jS^p-7w}H@=3t4pwmKl?f&LU84gGErSjdKWrLC0uh=N76))0J~S;R<ye-qO-oQ$
zu(DCdCvTs)$<suRNE&KhZ%4vJkFZ7Le@+g}^G24ZILYRFqC$4?X)7%e$hA2<oyV*w
zpcM@ZG7(g~9(B9N7g&p#wBdS7+kQm3V>mY1KWO;!H)fmfEh`pzw&~%TDs-b;?}x=X
zCft1OcXC-7^@uy#1oC=Yn{Z`rjhhA^F8r8<@m-h(>4e}CtNvXl4GaqK?8Gl)N?@99
zx$=O`gEz>6Sf|2po(+)>ZsZiLiJX2e1RV))S+HKRqa?*Xmf2V3lTAh^(cPsMPE2{#
z%5=X`A1ufFiJjaFVpTxj({DpV<L#SbAD$P6jWqVmc3F+9VLErG_q~ng5?oIe0%QT5
z$=wh8gKx-c4uCp3z!qP62?RvcKyQ4Xo2e@)T!g&3glBw-Y!xl1#v4pFoCMVU0#YMq
zP|Dlygt6$3b$dR0Diao<?aRsz_I-X!vA|1^@<RMpP%#GIqqbS*Vp0*iwxo8Hoh%6S
z(Ve<{>E(Gyz;ro&&0-M~`?&FNy)&Esy1T%~*iHRMHxtHRgI!;dFl;RC2h>lyW)2bN
zLfLYwcxrpLJ2$EP$RRTXd-G|ub2fI;)tF7AR}Oei_D5^P?wZp%4hfIfH`0S@hfamk
ze43T~lDj&fIFYxfe@v?T=JoXiufYMx!SbYf@s00U3bW@$nPl@lB0C#a$&lj6&{bb@
zk-fKAK)_>jG;3Mn<9@<B^x*(>xZ9k{;&HTr-|g=t(Bm&G>5-6z7ByfzCegVrH^KS0
z=AHieloobYYZ(h1?`SS}Y%y$jxWlnW#_Ww5pUshRS+A%`nDPdEIqgXs$Rw&NDt8~8
z)5t2+Z9DM6$XEy61%||ctSVZU(>W)5Cprw?hhE~;e(t;S3?p~oWSjXkmb7i>R+FJ9
zXnoEu_e5E<*Q_ip*UphEHYIQ#xi^t(iIiVZVo&So&exPdaMdp@AsIs>I$I%YgHTc{
zq&JP7P}F$7RxPg5Hs~8;{#oVNw<}(yuRGFlUrhgAlyRy!7p~#a_Cds0q3+_E!%v~F
zXy2L%*G{Vt6&NEHWo${CG^Y_NYBcga?D$TMSH69nk#Z0FQCt})A+7FGYh`^O<3;Gx
z8oq;Tg5t)L?+6l=Uk(fQ@YJS(&vh^=!^jE&f?nMs^2?je#ylJ13mc4954HL3Iu<%E
zB#DoZB&Lx1n3ia4<6yZlql)Jz0G27h9}RmB(<SEU;>XS8{eDhyz+~S5Pl+iFRC=!q
zqP3et&E@H7vM!Cu(%AI@yGM|ucJGt$y$6~b&>JayU2-?tMknnoAlU)>se!cGWriMf
zTdFsaoj$zzkuqLvad=Z3J1@+trBkhO2H+)(4I>NHb<}#`yCuo_{+vF@Tz)LgY9!65
zb>r3b#HSzu3*7YCkNKXT@}}!pXoXwZGJkz_W-Md9`!mP3Q`xOuG&RW=1siksZ>|`1
zlT1=Apn*c*iMPO&-;<w_(mZU12;x`MHm*P|_dR&-fWwX3(u~gU)}ph17OT5($=bKF
zo@VwG)4?%?LA68?c*ue4&+g=v6KQCodV-?j66WVDyv7ktd9_?qc5%F-c>RDDuyCZG
zC2Ey)YU{h!v{X$2Nd5H<t;|MK_TOqfb8~Y%NoPwH9aa@Of~mS|toRi)Tbw@TEnM#I
z=sewK-(fE%m>Klm5HYHM_eC*{R;vc=6Ioovx}*C&I^#4Rs$K6Xk{i6c{G<R9Y|fdJ
zC9Au(>p?*ZlpM5XOV-KIs=}jsbQyr15l7~@S}_87k0@>87C2f-tu~H#MWv-*(c0Wq
zkXBc>KFRcSGr$1<uJr;|h8~nKTc4aNJc7nhWmc(%*$bo&m<;<WvxJu-+9rSL#l*=&
z6SWqgT&FT+qH#FWL>XVJ)xYWT<hLKBYCPAaLsOf>iK_Pwtf&~%RUMdN80?daku)=Q
zd_0qvQB@u&OD|r{NSIRF^~$(v_zDA8uF_iLn72&q9-7kB2$V2kqq68-fxQH0tcv7d
zul(?`-OVXYL9%AgNj59<j%mw=S@dx4c``iS@Nl@vJvBJ8G1%0aThpSXts*i^Se-S<
z!Jb8X-4<9vU3Ts>#9L^bpSt?Kbr|xD%A?f47PRVc&umi+VVUJ-mlk2Kbt8k+^Bk1>
z@=nG4K}HorCX&TI0da)yEFDav%#_Q>wwU;^QKwT~tvxU-nr&x*hh|Ah_oFIYkwNI(
z+F~QO$lLa%OF;rE8n)SNwYNzu8mWc%f1nK^X)&5VKYen0@A8}bcj1gP5T}Mq{%~Q!
zJDE+Yg!-b?)ZO-zG197K_mYuD+jNd!=7E>8KyGTer(MuPp@ekF;y;Tiuo*dPEk*^O
zxcrb~O*>nS;@Fo2!j?RkS6(qqLTE3-<eP)|CJS@EKAY5E6Jn5)#!x7Y8%Bs%8bsbL
zRHxX1+C)^w@h3Z<^4!)i*KlIp;llW>rYPGERem-?!i4YIh~{yEwxDQ)4~gM;7`=9}
zuYYZw!hc{`zyIZgPxWo1V~4uKUT^5aIWH!;E5hnh!25y%1ajub<FGxdW61VJ+a*9v
zaO3Ood-v_mctq8dv&IVtNbH(p)%IK*MgcKh$xm9mJa^fN=pqrAI|tca?zwSwf)bGp
z9<Pr@cvqu{E!qNkmwSfoLrBt5#aCe$9n&)eZeM(}m>Itwc~rqsV(45w`&3s}J<i7?
zqaSA{%pRNiC_vz3TZ&j5A6zW9ls3@H@Qn-?n&7h*;iMwU=pwk2_7vmPu9@P~OS6S^
zUOi_df4uu(OA_h-Ql9<FeUgMvn9G#N-4e0+CLp8nf^i>|mXzZoK=dq()dw2?BsT$!
z&o#4^F*fI)R!}8uO{^bgC&C-qnd1oct}3@}9pOeZjvkKwrp_=YrvGVg`Ls@Uum?qx
zL4QO>obFZ6+nD6vH=%@KIxn!}_~@59^>f;^T_?P`w4>s$xw_gA9)ZOXPwNR61|$b3
z4>r1%5&ct%`w0~lb+)o->Ok5Gm~n=KrCD-u>wvD&ePgwl=H@+z_rY%MxC$zL6I@XS
zzE?jA7fzhT0@;Oj*lDe0-L$&e)O4Q-xtgB8uA$FsZR-S_sk0kiHx0aDB-|H(+*xk4
zni})B5>$?6E3?;QQZh6cT&$0-EW}KirKa+v<&U3^P-hda^`~5C-w;dRtiBP0OGCEB
z+>B(yEZP%aMAt|%&@_xY;<?#pjeo~T<w79*)khfr&a+6Nn-S69F{SJ(R3X=U4oHmS
zpBqBp%qGd9TmwYRl?cnDm^@B)x%=>h>=xpCnnvq|1xHR;3DTH7R8dagd;UQ5aGo*I
zZs4+1So-56d8M_x=izojhKhTj<FkTuoROhsIbc6M?HU1%7yX9tps8BSARyFBQn}}C
z(pEJXB&64vS8*c1PQi;#DIdjRR}sj-NYY96dhx81^Pw9kl8L<p)fGj>InhK`C`TI{
z4B<I@;&~q=W8W^d^XugIN<ry-1(8mikVq*vOr<-8PAV6B7#jVi*&Qrd5G{^EA-<`@
zqk}(bF%GoH4CYd)%zH;>@DiTR43dkt6=bZxmIAf49@et)xz3c|H(+vC2%MxU?`-!o
zo!?6%4#KJ9Z4su1?-eN%s5$uWyN))!jR)VisG{6hF*X=RMZxSoKP9}#>*Gk7oHt9@
zM^H<;U=Jvy6;rLjM>gEUg~5z{oPHgBCuEZD`Bpa5bL+hN)xn;5w3XwV?A-?9hHjC@
zFgUl+W5hypM*FECD`zpFVRATLlkl|)tjfQC#0e4qdhjA6JE^BZfRlOx+0)DLC)Dh?
zU=z$6@LFo`gK{-*j|$z^-U_*p$Xlvf3h{}3<4UY-Y2dFP0#yieyMR4i9m%j8bO)99
zKwHKLVo6%9uEGe#ltsr$yw&GX*-Q`P362e2wZVyztBu<APw_Q0J&OZrd!&bM6i&Dz
z5|q`I;Bb8?Ram);nT&IcXz<i2@qB)29?HIwx$az6^<nHg=epsL$w&3!i3wX%UG{zE
zJtWUhR0Mq34n${*qLC1KOn4l|i1^`~QTcg}f(jHyyQ&s6O^T|7K_gMMD#}JlN(Q*?
zYY*&93oC|a-6?qZGu5&R89qXbixcadH&Di)<LacG_VPuwA@9`CNcS&rjUfQlDzC{B
zPq)?9{Pv)!#fsfQ&<olB?GTKfSg}$xhZ?#Yl4@fN#)f9-Yv?2(f0ap0-r)hpn~Y)2
zL5S_r-Y%%!ZmsHiY*pI@<JqJOkoQiO+VFX$13Q_TTwXj4-W}~>{JEHZ5ny?EZlS_{
zfR;wwkrls_6h^4yjkcc_13_0-D0oqc6r_~-@-6E&CgGD>EFeo4)@zT&(oeIe>HLJq
zv>Jc~>`Q`doW9-bE$8+>N`M^&^zHKl1&%}}tAnb1r4H&}nWK+$GHuEQ6*2`S2Ao}J
z%HsOL?wBbzi<%s_8-d0R)rezh-wr2S%m_bPf_n6}_7`p;U*Fe0wPqjg*4z^C0n&kj
zImOq&dS)Ll{#sw<{!PR6{w#|9IkxkU-s=r=eO0tups@BdIi>>(A(VGTxt;nqO$snz
zmu8C*J0v<~BU--tCrya+k}j&(Y%?~_B>wr#QxLDvJ4e+d0{HA=N55I*ZmCQ6%{94Z
ziMTX8#I&N4yuxO=GPM&ozN{vptRnPJj{eTigq&gkI3yp|M6faPbuTL-|9EVx`Xb!(
zd=@YLAgob|(YgwpJT=#AxsI}>2HuzL)$&IcOnr;IIxD5{>E=jUqpx9*->!-6b2X}x
zD=lBZ<~-%$VBpPTjvdj7xV~o<H2J$7=F&S{>N1#a;k2M_b$)hvwHN876KSyD;WBw}
z7UefuO5uGf;{}<GHW8Iqb9MWGix{VUQ;><+Z9c)Xp%)8AVy@>itlzJD#*>oNU8akm
zKH9YoUL;5H1y#&FgnG@HA<#?vLML|z51qE1x$1NnJP26OoJ}Y2Ew)Q$$>03~#*%)p
zUNSLm|88wnQZtM3%2O-dbH>RwxBgnkTvhKSY0}D5tQHYQKU&2YS#W~Np=}~pQy(`2
z#t|Gl>Q;dSR~-!=bRlQ4j^h|`XOTc{#m+L>Tmo>E?5s*snx*##da<2Gxntw^Jyu7J
zDpBOs$e}nNhXt%aSHNag#qFYt8Doy|cAZGNt-EvHsgPm=ef(~GI)~VSZkSHn3q(Y&
z;$r>aspr+X-PqrXV8^CY?XzyM0^kT>kp&G3wN_9|sJb*sW+aeDB#RIBN#_g3Oxiij
zC#`SyZXb1*I4fG4AFyQ~WcwLpWM51(*54i5PIP{c65Pbvve+c-H4|(lLdQ`NHmt|O
z+vAX;Zxc*aRixRQgZHTlcdcokac|^$OA=8KV9(TE9do)YHIZ*@y!XzIo?K&Pan;43
z#L|(oiIwXd-=)O-Q%&Iy|JWx@sb1M#TofRAkkrsPazq9h!=G3xAK#Vw+H6s4VutIr
zHY`{}zn7Hwwf*m;w|^YpH)j2*nxT~ISF~IulxF4c7vE!e4zOdaW@CPMghEGk#`VPr
zgwjB(gRWmK<^VU4kC@z49M@rVri9&I)Ku9?Lz4!|&)d0~X$P!B6mxFb<Hho?r{fG&
zo63C-3L$ukY=IOuRHc^nT6L>cOLiLcDKV|Kla4Z3{2RT7-6Sr5%b+IxL5Wy`45a9U
zPr4NQ20MVx;RoH}TinB>mFWgvg3y}NezdPPkw67YG2(ztn<WgdE`v2fCWY2kx6_lD
z8g&b~cKZI~5T!dan9C|zygSq6OF@khSx!nh3)|vT9ysys-P+OT$0`ETWw1znBGSXO
zu~Vk6mjU96p9%v}H3>;>TW`s2WzgJvT0)o>)!a`XPv~aY*|`lRQ(Si{`WqP5M_Up>
zp}M1eY~-cDAu|fcPIsG;{fF)A2O-rIsLgH;krevd>qdbVs-PRO>`Y0b)~j)E+2^fn
z>ka>U=;KP_Nq_t9UsB&aj>cfx8F)(H@&lPJqZ*ia!?#&&v|a(>*X0zZl%m!a7Q6zR
zfs+dWjjOoVFF1a;D`bfpC5O)KR~^}4@!9|eEWe0%BnM07SI~m#6zw)AmJwE3X29X!
zJZlXoO{?K1(igZWk=PHh>-n?wEQrH|`!&cTZMSO=wfOk1s1u099ibK0TC5WX8?Bo=
zz(s@I=DUZJzOgLSeti!C_ns#~1MhQn!tQ-M-<}aI4epo4d7m3$c4PsqVaePD$G3<B
zN4qIDpeMLMx_^tx$g8%EY#|jrcD8aKM?S2T)e);8nX;9{%<|DDL^?D*7IbM_S_Syg
zcu{U^ZtZjvjBmnK4p&~aIe%~4nbTCE)7%yBs3$36A(9h1v}<K&--_JI3E8^ZRqC5h
zdHbA*v*uNrS*-q(@piyP_}!y4NS>KsnP_{3Zf6M<DW`)!N^tFDzw7=0u?P$jP@o>B
z$3{}q+U&)+Y(<ipnh0MA9986edR2(9iA`zWN61#!t?;~VB;A1og_7#4{zl*=gBT3j
zx*=fB=+mEUDP?Q6OjLePIM?`dgOlE_=F-;n^cH}`Ud+bjx%Yr@;WZ+W{WU@YD|R#f
zx1d3i)Tj1RHrCtk*`eb&Yk&Q5)&Qy5M*zH46XqDcl_&hoKTx9UEQt3n?+j3|OdUvW
zl?@$ML0LWyYrTQ3e6KGC$df%(({s(MeRoBK8>)a7Rp-?hH<KIS&y6!ci(SL{Gb*?m
zI{o9C(!}S?9#upcy<nO;@rGRjb~lR)6wjxaRZ)ig6JM8sBRVYTpzQkD?j87sO-E)1
zFz}xl_5E<ZzQ(;xO?<#G59eMbUPd-MQ1t)v$Rr4%*%^ZP>5oAS*9WiOeYMFKBq6iN
zTA}T_J~n5SjabO&f-=yvI-D%$!qrgYR$0EUw{n(71YK;M<1q<t>?Dn`zOv|x=-*_u
zxBSt4Qo%lvment7Jvy8B(40Cm1r7s9eHNf!wF${aN$X3t9JU;I8kq!{<I_44voQL`
zeR@pbq{ql65vn7^&G5<7Hzjezba-?wogvHMOY*5N=)EI$en9_{{sm2bwyerwJARp$
z#&M|anJq%kVH1ER%4%xQui9G^>goCbz}1CmS>V@KO@xmQYm*YO@MKxtP?uMq3t3h-
zLEtiJ+^sIwqmf^>MLLU#VK3%beYQ=B)h6P#oEEloy1LF35YYZ13`uSic<Cc3lVWQ$
zK;^gLu^Qpx3g7xh){mYFl@Y>}dsU|e@AB8x<xU;KrQnn&pVaWtHV#Wy2{-HYyh6{<
zBQsVJv%}+}2BM~WazUEX?<$_K4SC!-?h=VC-({iA9K@eag7;}A@mo3$p#){(H#&C-
zD+ITm7JiK2!xxGe+?x3PMpcaa!Xr#mwy*pQOJ<^<$C(R>Y+pX}<I&M!nK=$naIf7b
zMM2;Cta-T+#?sroOvA$a^5Q;1Ee|EBPM8cn5B;Fq{M8bfvXE*FG&`e?bezNJ*)GAG
zpllU&PY;5XpY`xHfCB=@*ZcsRu$sqmL^QXRs;(PpnuCKo>%9CAoZfRSRGf)rmP*Sy
z=C+jeoGQyf=NRK^VbKaEJ~4r#`@Qz9t&HCj%=$<h`;b-&ZW0e=R<*-Z>Ws|DsJx>$
z`x8(O1aqlkm$fD?Cz&_b>PoEUI72*df{Z8dD;>|LSyKEGlGaJDXOCIJ4yinR9u#_~
z1MvRNvL|P68(W5=crdLJlHf19x9}I2hu{HUdhKSh6MhqBB&c+p2&u;8%Y#}vx)|(e
zhy;s%q{WN8YrD~FIe=R1rO{e`1kO&Vz=fW_J}xe=y($E5@~I7R_q{v_8+`YWZpQ?+
zIa;*Z#vQJeHtawPGC2URUk*n+E`hikA9bM)F>x?%FlveyN97f?^=%?%qFM50%nRs4
z%6;r@_dG3{V%qxX=H6y$p?f;1Y6~5_>8J0#8EdkA=K$9BPya(pm>FMZdX}YN0~!1)
zf_d;6061`=l|weD1!5sf2abry;C5YBef*FIM|3ByuEy34PKFk)M_!Ua*X9^5IlwqU
zN74SDGm4_l?%}M5wSqqeqjAR4oKSlFtqI_&113LieM^XZAxd+6=!deMARQc*2*!w_
z%PK}d^YcmbO;=Hg<a&@>^L!k#2UN4$^X+D83&?uqauur1?Rx0uT3@(;#HW?_FF6o%
zY>48@S{=(;w&;$u=;pYebtQ48ATi`;!^KQMcj7p+l2%##em@|(WRc_3(<*On4m&%{
z8kbg!Y^-GhV2*+dcq&`*I>|0%RmZov@FIaclhf(U_(*;7CAI9yWzNn+&DtOW`@IOw
zQ!c7S1!eWaL)ve52=F$VtJGXI5e|g*N6RO%x7ksE%L(3(czVX}@0sw4=NsIR?t+(5
zb6j=JRT0{T$&Q<Nx=*)sx}G+E(8b9lpam#s0qo3au@X@-6kwf)FTrDvet)jPTED;G
z((l)1b+)k19y)i!L>ZB`b$gb#8ZaiqYtkfUtS_*6hx;5IjljafLXAA!)NdvPb}x~e
zmlkD$BBU$5M^(PM%K&HwQ;TyXpemz{ap2~Z&H~AJmSFW;JS?m)r`H{JI*Liy4@pw*
zwc{*+E2F$D;qJnVAXyS~I;%o<VE3u-yX!65nVi5dfi0M~lrlrvt))6zt6(k!@qnJ_
zY{r;XaQ#X(AZ84Cd$iipvOe%+TL?1N1olouPBfl-IimqjLcgz8s+b{swQpU$YmV%S
zNLeG^?GoQNUBc*g`|}IxjHZT1g%Ty|dU`QA`yJpb-%)bIl8yd^;7k9n3VzPFnlm$(
zFn&+YRyTrM*x39&on*bAzG=~5X3RdxhrT_951;$Wn%Zd)5HqRaSVtzU62@C_fk%*u
zxWm9w&xRJh!Xs;qOzKP}#=SfC#Ucl1dyKVD4ris%zid*<Y+jUsSwKr?kiXVpzq(dt
z*e&>J*)?0T$84L3mHzcajaQT4^e}Q4!sjrJzJ_mM2sy^(W~h;#&!>FMa59z4LM~dr
zxOwgEuSU+ZB`jVPaJ~JJ^T#<um9!*&>*{!s&p7pS6y8gQ>mgt99_hN8_S6b$p~dh$
z^&adx7>aH1)zCQ^#m+H1PlgIH{ah(tP|R(IDVbbOv^28z+2o_v(xH&O&Qla8g(UTA
z>w|EA$YP)Mqgs(#JuB-Yit6dIvG(e4bWpj+k8pHk{AF)L^GJHMcv-fh?S#6^P}Z1d
z_v{+;t8XaND<Qk>n-DEzTm}R_Vbb+7aKiNc??maRW>bcjnQ{3eDK2^*6X)t`4g*Zt
zP1xG{I5}DTDRL1+??=uHI&|^;GM4_525Ld>{L&zgOQYoNLn@s2qj^NgMjTaddHG?^
zJ2j#O?Viy(xzi&Mn>-n2Y@=~!y@0Wn1VruX(q2(5JBH5w{yc`00-u5Td@4ZTWo&Rz
zrf$V;wjB*_EC5WlFh!W=GWW_FEKYwtm&VhLH0#dUJ)BfrR&tF<k-&Dch8OIq55aS=
z-5$j2%kl=hYIeryC0jlz2~ie?YyQi^ZgPyOA!Db5nu@*L#uhXi`<=sCw~KC}gM@NS
z38*5C#pa1KTUF%E&!zp-ee|z8<mvtf)GljrT#endyXmn2B@GjDAkPWi-$XT3WB1`)
z<{7Z|U8oEj@+6SwpYmY1p^PLZ*Q4FsYiQEvPKJ#i|K4|gjP&n1i*WAUzFJOP20gWl
zImH9DKaj3=zAB-i0!d)pq&3`^dn%V<kFJ6AhN`mLC{(Nrmg2Dv#>Y3#buqhtOq}DK
zn47-CO2?ueTjrm9j;W}qTGI(rSK%HMYp&SjLBO=PETUlft`P@DI#<t)ZBydyHg(eT
zs!H1X!r<g*!C0YI>fJLDLG<o@n@&)rz-V~M6g}vwQl!SaUtv9zc$0_sS3wH@WFr%p
zYNSO!xHj*W#VJiRrJd;tp%9@ubmG&}P@)Sd<B(8O-b+u_PH2*+3*wez!#!71Jq2)3
zwB9b@r0Nk(6J=EBSrmen2ZDMgc0=)Q+O|XWattYrnvraO5r608Pu^=wzh84I9t6GI
zwr!0;)ch?B3MAW6x;zYJZA?>Lxc1fMp^IW=dTeCh*(1_K*xx{Y;e0Nspyj2@X#2<}
zu%)xwYAyYJKQtWu72rqGVQq2RBAdk{aX@r9DmNZ;{q#aHW}qhl%EavV6|UHu+`azJ
zEm*zhAbBVq9;1}Vo6opvokZ<@j$7yg+yh6~zb_w6+@HaW-7eNfOXa7H^ZPMs$D39n
z<n6IWm-fR(C`q~bWe%!bhxeuF!<0?)URPn>G6`QhRWc)WDueb&^-dkfJvrkWN4yS|
zUd^Z$QrIC@`?6=u+k1*~mQc^r%(lC@hgtxz<edBUH7tzvp{S7SCSx1aUc4LA+=*~K
zDmOBl-cwW3_oJj%T7I?oBu>)&xXo_R(`R0|g<pNJ&e|J|c|a?Rm89p~__u(hM*BsN
zRg_Z-r?ZMPvx0wIhSiethM0Qd2+pq8jl*b_j|2LlzAHJIB6n8Q#h)KGRqlQtw^YNn
zv_K_oB94#}$^)F=;%-tFvf5>;@(k-M2tqlW!c#U-Z*TeK^_!LE>x5BovYuD4n5=-i
zK;alu^|qrFYk^$N-&G&#SHoE9uP-E`L3oP`PEJ$`=6yZ-i6yfv_PNu7yKOm5M*7{w
zp@#wty9qS7tyzrBq*Kj#Dkq`Y)#DIYaxGV_w-mHC8J-ur`fOn)kTbExQWPXv3Kpvg
zJq$+1*B+^p^6KhfriE>}91{(DG%-FBEK(R`=K6Bw{?7>`lnbBw1WzK(s}<d1pH~IQ
z*e-*?5_t-rd*kS=?v_^$l#<g?idD-&;Dc)SllF!8gM3cMrP+dnYbd@Ge#q*^ehZQQ
zWYBHppG-$;vTWE%WO0^1v^Dm^vurWgGjF*Hi)(BCLtHs}Kd4;9vNACGp3e2#yIRl=
z+tG~1Cl2@n)89oDRs}ZpUB7d*r}qywaLpseb7Utl^W&NfAeq!}ee)0eImu3K3-XGZ
z6Wz+lCQ-ntG`SQW!de#y&RtjjqpAM2u(8_bp+|b{q36P;k&F)zu`AJAVTV{UH5Vs`
zm(FOCr_)3O3M(!vu|ii5rLN>843>o5<;ou1a;vkHalG0dQ%m<rlL?pv{Z)WI%dIKf
z+Qo2tJy46-m3&YTZ02MEQ}}Wz<1Zs_m$FDJ@L(uE$CGyLIXHJur_MK9+DfIoo=2&r
zyq#9dQ)kq>JQb02VlC@dYgB2_H4Lo4vPSV}_hBGqL*)=gtHXZvtzEe=#u+Tu%ocCy
z$UeM$6?_-4;m<H(!!q>bxjC5hcuth>pR%H6D$aLL=nsP6w<2q8Zc2}6KQ}zb^_m-6
z)Fsaf+2?!e=OKK*XY}*XC|W$xmoyy-CZ&~UsQ(OKr&77sWx!<O?23;`pda>pda4WA
zqXyeuUKH`S&M61Yd46FauxoQUEjB3!oZ(>raT9O79(+ade5&C4NDdwLx`tYBN{KL?
z4$^XbH6-Om=9ksY&NeuwGH#whath|FqquA>sh1Pr^fh@!ZrDN-2Q?0v7R-_}7gMZ(
z)NSj|VCNNC^J{5ZR7u+yB<*{QP2qMb>b=cPnZmzlYpM~HQWQZq<<XIS$F#R5*$A=i
ztf&wxWL_u%AWf=WdAp~6!2Kn>g+Bii-L?hD@x5vt<GYlbcsl?C<7@D*XZ@ejOWy()
zEyj%(s<c5*TkO%Ucbh=YsiMHDnGUW*FYKmDl=N^?BNy7XYPgA>inL9A9CInA=XG6E
z>}-a{=Bi!XoA*3mV)W?mw7hs}!$vw8-#>p^N=HPxH_VsR%-hj#SP9zn7|CSoa^Wpt
zAZhqRbPDF!Pov=;&UnMfP-%G>TSNIP0}S6PvMzI{yno;K>!l~~gjm{cm88tFgXt8Z
zn?|Pan6_(O0jVWcY{3P#G_uvP;ms-Y`1Bd5U&bU(jJ#x}$#QG0_EM=tODf$5J1<yF
z8bX+bfs2R9ZZtv{@H4XS;QBC{Gmso?eg+Q`y1*s1!DzS646BHs;E5!X6hFETH0(52
zawq2fwOr>(GR2#t9tV>Hr;tBC*}q5jmCBo}G+E(uSW$--fBX)ps31p$tH@LvG;Q^F
z+e~5{KU9o0t7C<k{wqiLJo){-v+l7Kf-tdKS;wYI;_~d^Qg&sLBzAndZWy-$2A+d0
zL5f@nJtVRN6EKhad$Db8Jqp^p5@zzOtiqZPYC(efPh6c_W6!)BUM`3)$=`2BOw@RB
zQM7G$bJ<6IzH`=4AS`&2Mp=E6KP>1UkZs=@711t{QeGxe*wj(1t}4sHS#a{B^(cB|
z2ASud9*HWWpJeuq>8On&$At72O+E@afwQ`J%PeqrO`;S+u%?!?vfa$Plh%J|4%;PN
zsVyZkCMp!g&jKM?Kb2Kz|F*rG{J@|;LM=ab7gr9a+qwwolbo;Mdw&z*=tP&AgZ4Zq
zM*+2ut(*#XuEJbD{klL(&46(2T=!T<k}$(<KBsdJwz7^v1+(%xigDr`SJ@=Yh<q|>
znp1}QlL(LD)(2l7LvQ<28QI8XG!XU;6)~>d>@GhJ6!651J4cmZ0$t^S6U{p<ILO}&
z?JP+NW6@&zwc2OvJn>P&w*fe;oUn-{P!O!~I*qIjb_`*dNBlal3#&`?j(u=-jwazH
zd-fG?@~h;*nGxWkuk0y1z_p=P+8VT^jZ#3{?()>{LjZ>1*X^-<^#n<4?ubd)p=(dQ
zV(B}O+MOBjHkXI5?XRNOhGBE*cS0`dsyi3&F&m(CW?<d(q}*f}Q{llu@e@8qR8gXm
z(RL`$30~&1k}=dxVUW|B{cc;3S$$qki+XE?75_{kdD!!PpX~F=0Zf%8zVH5`?O#^{
zLF~oxBwwsJ3MI8Zb?dyq2iJcr1Ihzz?S|@PIGM^!t@`E|sj;OdQ`;717nko=GQ{7}
z%846m>O<zml^JtZ-ot%oH5F_;4buC<eu0{s$zlF{W#L~H;InZb-h939lzpF(PEKN!
zO-VB6QVX@fi-_2`GRATxa4LrVT%M`3=vIXpp@qC=P{o+MCWlc8)gVs6DoJv5{Pv@_
zPI1k50y2PHT8kbNAIU@&uV-;M{3l9L?Gld3^&k%_trkUg1awLek1nySSL_|s*0@yM
zKJ$C)cyU~A;r4OyJ<4%EdYu$xs#z(dJaDvir^)(f|Bn1P{qo$;np5;AR47nPkd7+E
zZ=uAI2BxK{U(96W4V_lStBVRYSc)O);>sBrWZn$Y$8;*vU%)b2Jhd8cxh&J5E?;pG
zrB+ujw?k+w<k42iFu~>w*Lip^^_Iaz;KE_d)~DR)ZY?t)oi#a2<A^KL6VzkWJPpLd
z$xefyb03^yPc{mG5>UMSJB-8u!I<43(PuOi-H)E#ftii)_{&}WIOFDpFM5=t;XIR$
zy#f~jJa&bq6+Xf$u*HE%P)p&*jH++c*-m0Uk6q&QJ#R`mO~%QgsV}yj{M6nfHQ5q7
z(Yy^V*}*rbf3_TNa6rsIMg>GoJVEsFsF*Il<U&4Jm&$yC>9`*pPs4qpkS0A+S<-6$
z$W4!_k)4~@qN#0BN^KH4qsgrNVL63wk5jHNyzjj2zDj+E!#-4DDmjZjcvw*#1&zF5
z8?ef_TX%A1z1FkY#oxi$Xa|f%K4@Q7TECs#(5Xy3hwf~)$;`N8KhD6-h2_u|l@v)~
zcsgTte!CH_r3v^!Je`=C#U4z`Cg~;t)gg#^-#m-^tDg^8Fmm)W`A-uKnHzU{9PM*u
zxT^BvjLvEe_1A5wXg7+%)51U}KKoKFQ$ZnD!*NO~x4x5(!M;ZK>#a`6MT2x*VOhEJ
zWGXA^ggEjDzMlTjk&Q0tqz<2M@Avv>{(Y?)uR#$-x<^_O2?D*8O{2&>ety;yM=tDR
z2N-?H1O|_D+GRhoC!QsqoTL;}ZHW{!mTV^ujfV|fD29{W3nHRnI6<5~q7UZu#EJC5
zScB#%wAx_AWFBooM4K57r#$~s4puHk*yoyWpE$yzAl%#7^8}aJD88jZGo<5e7@(ND
zwnP_aiYohaSIdtiQ#*Xu1M%p*E)x|cd;_zunA=$tD&vE-+VY3BZj)^3TG>(Me@0L2
ziQvQzk)fhNigE7S`l$$a((9&iaQuqjg{=WHUJ+B|s<F$TUK8hhtpf)t&p4PTI<Aqp
z50@mw1iBjBjaXHCi(!|W78C0=tmJt{()Q%DvzM!xTK_}&0(53;@hLP7lrhYZQ)y&g
zKL#=Xk~to>ZcaFlVRq=8v!P%qCPLf~IG+dIOf1s-IzV6Q)m{(2kv;Lvbp=RI|9D4=
z*cNVAS2ZWrSKU5<ag~Rbri{664N_Ny2*8mV_|%*aMaI%eWc`>ryK?nYOutdtyB0Cd
zDJW|#h*bTClVh~ZZc_=jw4*!SgHHimUp9-cr?iy{6`8uk{QUCC`4{xL&I|_RR<QKv
z667De_Qo)P%ISbJrgGxZT>uLYYj0*{CzjE924}G08k(sMIw|||>)XWi+Fe1H<nm<9
zmjT!AC5SMj#vhH#a%iT~!_dJTnLu#G)xH9TxJH+zV*O3XwJv@p5lnpXC=nyCX{ahX
z<(YTmz2sw#T-{{%S!o?78lH5(``t)~!C~*Zi=#PNpN=VH*4sw?P?rr;xOvH9Xus&F
ztsZK=EMHEe-=Lz09Ir(1$&5h&eLM}33!5D*`_Js{rP6%)yGH^1I$*(bSE0hqa~b-6
zI=5vQhJFBZ*seVX1<)$&&umbm2A1?@r1Ybl>=VEKqTo=)RYGcur(n;^fNoEPag<Kb
z$qlE%{9{|au&lj#p9un}a!mFlO1FQNF@b5^!0%m!&&FP*JrlgFS;WRv8iq@oWhX;j
zq_%1*u)$3c<Ns6{1>4eyFQwuo!;pc0?65P=zW%4>R71l@`PWAZuCVuhC|{0mR~)oB
zt}4^oh_B$6?N6xpIBRdNl<7n2jv}1avS_rRMkLCEL8tV&OCJ+ybbV)3WKQB^+(>&P
z(RL?Eg6MyCD&y`&K~nPcx80JVf=vce!W_79jTjud-FmM_!{II`yA3c~pNJ0g%M;HQ
ze<!zjWSlgY%EOONvq3+DrpJtG4}93WOC&$fEtK&xpSyHp6~I22hUSSETNJnrC#oWC
zdZ+8HwiC!CwC$aL|3z4rFSA>D?s%jmcbE~c69?*`4zzXKaa_VVsDQ|0M97rM^fse3
zts@zg7?!5(W8tIDFNfREnr*fr88))_cM{IX=_UpFk;Lkomi{m%!;+gVGt~U`*v%Oq
z>$B?d?$C^IK1f<~m}+Cng&umCHW@*|{?^^W6*F*<M=VM;s{;S4LnYgh&F^268MdX0
zG`9X?{V)$h7kly=tQaZ}pc19&Qqgt_54_;O$fvunhyb|g7EH<PFN(%nxs!JqJ*n)-
zlU=P1XuKPO#RIpAE3i0n!Y7zQNp{6k$bp&vv0>7pRb2bju?+ZHo!uFjz_6ac!cd7n
zh=1iC(e0~zVjH^E28<h7X@_Kteu<RyEk$~6OPHJ<1XR%AOU>Nx-FtD9cLucUx}{)V
zf*T}nqo%VScOlNOYW8+vPrj&iltsJBm*v{cYw1@w&DB8})GoRTcNS3F(%To%&>Gb*
z<D@#6nM$yt^29?`tq}59f>j!UT*a9onOxe`(@0l-^B%{mS46#eyJG?UQfD(|Vga`g
zht91VQku5?=-T7U(^@nFb~D(Y39Dk9HT0(O^%2fQH|D^i?TjFks&J+(o(^0-vf7o2
zSOxV~Rz3*+If2Vho9O8dR!&D5M84j>_j2MI+r}4N`5Ovua1O5+L>Nojwg+Rh*l28L
zM5B0WEh!-nI6sa%Vm1PbE&N+I#{LwY4j<meV_bb_uS_XT{gsl@Wf<FqLPxtL>Hfrh
z-csxN_b;|EMbze-BWW$>xo)Y=2)lt{vCG&LX5eR0Rdd?bnS=}-5O*-S?w|W(gz@`C
ztUHx0c0#CB`zX|i!KseC@`s*Fp{9+wq#svK#K+(HpT_T{lQ=B-H~8!g*=lir(^wFU
zrm2=X9j2}`v8^i=qq)-jk=CpVKw4us2DG$)Wx>^95yQs`-vYR;A6yH~BrV5*|8)Q<
z&7t`J>2-&6H{izgB-%NVjkGBMm)8E<^e$un+$m@|oV_8E|Ly+%K1p-FzHI6L@O73^
zZN*=gu2a0w;#P{g1`ATWMT@(;yIb+%?p}(!I~3R87PPnq_aJlmzw4bfvqnCat`(A-
z%elXE_TJBd4A3Lbkx&^lI6lGmn?(#Vk~*FYY3ZWisXG->F*Q;6?dxJ0K9HF~Cvk4;
zQh#0MZ(?FWMal_up+K?&S=L)q#_3zZUxKYoyS~(5TdppgMJ;xbGL*4;dzf0cEf=8`
z583nB|I763EUSwWRtatT{JV>i@8pUZW@HQ_T-Maq4IUj8b%5Tk&!VobURY9+o0H>f
zg(b%^jc|JugGm*BXkAHv3iT4VU9OfmYT^$-9#44Tvbw($nxuTP!BT%^W4e_Kp|vUV
z%?+w$t{)d?#_c)2PTLp!A@|8yiT$Lfzt3;mASeho!9WT}1tfB7Sb`AE1^>a>FFUwc
zlAoEf_?4R0V7Vj9R)B@wX_<yG2z&D?H2=*ul~!;CQ)yo5pmAtBY@LjVkb}{u!x1;C
z-wen?78i$J&lPKOL%K-cE*}VB*1gp{iC`%mS?!~;Nwoh}wsCDS!E2n!l8)iR_^+J}
ze7wlBK8wyyiBm|(L)qYTxTM0oGzWZSe0+RrCZ?U`Erx)+&&~Pvqm7h(k@#ZP){M?A
zZQbWmbJGtb9Qp|qJY1!#KR}h=@aM9Q$iQHa4t66-AR!riAv!K&@8rpjPw@#!PDMpr
z+KP{ESnHcI0%s<99PDVtMaJpJx%vx7vCOvAiYKc#nnYElB3nhh%%t-pq-0CaIVx6G
zDJA?kBr#6xnX`RA$`>+31V&Q6=xGo!>QDL>qVc`G#4pOZ`O>O{{jI!7q^I5ocLR~X
z8dEPUtSWj&9>#*pOW%LpTXmbw2I+2wr2JVGDt>B8N+G@a0Yap}=L?r<;pj?jwv-`c
zu-hX|Wb`09X!iGcJfVJU%r1LJZb5|J+K_sTzB=VkTE5@fC}g4(GBgoL8nkI#Yfh_#
zZ}3h&H5JqmKGUM#XobHc9U2p}W-~KwLI4^P=6Gctaxga7e|+v#T%>}{&SK?>wh@Gj
zPe@IiqR<6I8Byp)4nWd~Bht-iCO%rS%E}!5G6Sa1Jc6YHqjZp{@qY6C!=xUqnu3-V
z<TvUiIXOCK#_Z+T0?6jQPZrU?ZfJ_42SJLR*e}w!p~izDE)K(bA0orqS5yp{A8@?7
zN3)m+ps;K&g}OdrojpzWKY^`Fgn-!(`0^g~9)L+QI|w8vFW(hMa@dmqdPg48jr=>^
zU4#^f*JfPx@1?rmOfk=8D*beLk@cnoe|<z-zEf!`V{?1^C@Fs=;QazTx*ciZyR+1u
zuZOVkYXUl>P$BP8Tyz|%L_24LH60adt4UWg?oV?TgsF=?1H7^p9PC>sdO<%k6d63Y
zMxM5nD$67&{wX%?zNZ5MVxYgpK%g^M8coO!+2GvD^ZG*1s``Cu{>0>@kdhJ>@|;pm
z6LN~1zBb&aSjWxfJE(ecsYDPwcz^{2fPs{9RaH!LGY`<3TNaLqOb~hQyw4yDzKV37
zQma(h@S*E8iLx`*PEId<k&==E=qd_)Z(>`;oKPXW%q@hX{zYzbk%Tbw+@dlHC(q_y
z*QK_9-_XUS2M!b!Y#0&kMytAUb+{@8;X2yOqa(TW;keB{ow2$n(dFIONpoyQOU#j3
z&;Q-+Ai-ta*hRX5bR`*F^ha4sizv?s%d-{=iJ+1UA3j>xDZ4q=OTU-ZS)lai>6X#y
z9)fp!p8osP{uDqkHehV8NCob~k91G5S)Oalekhk^Z=J=C%u1IA>c+w4mAYl6fNARU
zt>0Ok(aP8Hrhw|_Fiwxv)XiE7baT_t#XS@F+RU}XSG8F&3)(E^TA2#1!_TLKMLl;^
z!MC>vGOHXn9i4)qz4|QahWFmp)zt$-L+jBw*pYOl#!7bKX)7}~ws8{F^-p7l-~*>j
z^<ulZejfGKkSQ?`OaAz(I;KJWPp#)nSq>0FxuVUTwbiVD7R6!C8-OXtmA7%3vCoL$
zN?C&rGk(VLklbJ|FR-UgR7cZ9(q683^_Yr{Ee<HtGUH=0x6&w1O6Ogy5gp#eRmD=m
z%N|8n{ND>JOI5e7(3Ms+%UDTO`>VP)Hn-jkj*eP;y=PbW3+Q~+3=!0+Yvs(88jHdT
zfr5Y{(Os=Sk<UC~TB{(Pveoi(pxSLTPvD1ALY`#OSuc*x4+Vv($1N|`@#A9#skw$r
zKeR1&6Z)vd!NPE3ZH<}7!qL4Evk2+H`%^rsDWB$WtmAUM&cm%%Z=>+t%!X@iHI*W{
znNl|XRW9+Gh>Yg)ns%vfV;8+Jm6tqg0V8+o%%Q&zYh+q$vb{e?yARqgN)f8AZhsbv
z{j-c6J@}Uo3{E3$N|B;NVWX)Ds;KX~fq-dUe9BpTg2kj=$I=+;bjgWC{eQp9P_t07
zc9-4A(kYCe3F2~d<qM9gj7v%rmXSew&QF4x)Od&{Uze7VI+7D&M^xPgQ8g`FTTX8{
z^4PU3hmX8!fZROll-VrhDoCK3XGkNWy(tQm1U&gI!V<E8Yf?2n^*NA<23UP3+|VK!
z3I%1R&$?Ix2~3K3+oTM<66%AuOvT+_nT8yc(#*Mf#`HzhC;|tFXgxFCyGqJFth<51
zK~f;V8UGSIc#I`W4vdUc|MHHI^zX17QZHJV%eS+H&aod@(y%Rs@Jz;A{_cdBvy{8o
zm=BeDUe2hb+jb#(9%!tt@0V0;&l^N-MS_oZe>4zHK;d9_u7h6>UOqN@Vnq4G#@FJ(
zdj`3SFk{V35wEbW(mE};7dY3rEy^lUy}XSz6g`?e;bXg2_r%JTxU-Cw>Q2>LX6^#K
ztU3Qh7>ANh0X5QAogQtPVW~4!ZVkwfqr1QhdWCx`qF-?xvPb+XPJLcSIt6jK!uzrW
zyzpdK8H+RvjGDvh#kgVPBQM+V{$~KP>Prh#X{@1|H7czY2LVSKYROFKA{ux3`?uwk
zsbnm(it4wzxg+2M_QV9-qt66%ShERqr3@;na>b{;9Ig(it@ZLoZXq%T4)LT%@A9{M
zaTATmlABs)=QmE1M?;xJ0h&b-_XwO$s1QGVIFiNs*IHwoHd$FQZD{P*kp4o;dbyAC
zDZJAmb5@NB0I?#hm%7Z16u6mKTM76aNh+Jz!=-0&wM?hCuk$kHQ&}G^D7tf^caSg~
z*%g#4DjVnfN<lnX))Q)4`89Q7MqX~|mst2E!%FRpf#{syTbtz#uG}LSW@v#w@9$93
zK0_K5$Z2$n*)B~UO^y2tDojLWD;r%%Id!(fMI|n`pigjWwWOWIzT%fqDFsPCVKG-A
z<l<p!?)5!<;;nYI=WC7OyRByTNZh@@$LALz`6E5`R*T8p4wTZ;eLOg^Q+ISK<p5$t
zhHEW=qrbt#=6H_1Y;1K^<IjPug<C-B&m=wQ=re6cvVon2by3KAyk(U~>XHNiGZoQl
zH^nr8(>HG&kskQqODD60#J8I3BQ`25GZvm=tzY8$wXaw&O7%za+OC7M0+3vMa$+`6
z*o>0nzJ4B8A8r>|t!n^mdVsuHP_kc$X4Yth6pT7?%ELaS-YW7jdMj>V_^@$=Q%gaz
zp+A|Q=4Ty3A8wl{SAMm*_%AXsd~_Rl2~CY|wM}-V`;`Ij&1P`Clj+na{lT=TlM`ee
z`4Z=gyUq{_vzbkxGkEjL(8MI}zaq|V+=7(Y3tZKodj^H+xO1{&2{k}UpqbM7iJk%t
zm}fg=G;!VhOOCmi2OYPU2o@D;$;N;lk^z#7iB?TbjmAL)r1mQ_5nt0OWXLL_=TkH=
z9=yf0ZfKbaB<K4G6kOblvW-ey?`vQTo=r^zbwSnKnOYq%%WMM-IKaDTczgt&<)4h<
z$?Dm5Qr-*&sAd16btw`>-Y!ZOCwFLVO_e!gTSX~oYKJM5Y@QrSjN-~c?1a;}9Fqfc
z+)_3-ace-p3jjbhj+ZUaZ)WCui636Lt-Mj=@2+WNla?OhWLE@IYPnql^$k1!<l^02
z*8*{V_39HDFK2q+nd!6SYL>ITyL<5Rg%U@5yryZ|s9A*d0ZmNY-d5$(yG%{X_=1ao
ze=(?pdnoqT8G)XygG1XOwfob^SIS}(>lk#>9yFp6G(6~@c{wGB`Digfu*a2m+x^=t
zdqm$hwFWKbK=nwYW{NIz93V||TX#2jbq0M1@iJV5^t`0D`uGlZ%-{VG<t1V!4o)#6
z#qPKwM;CaYnDL18MF15Y76Q+$9k#<Wdk2TX;bAf+rV7xvp|L?j#mun5K<uD*iqYic
z-%T`~{Z8L12kp2I4i8$R-k+bH4L~4P3|h7=%lU&SwNzM|y+E878_$1r93@byL(U<6
z$T{|KTA{_)eQ8vA^$OGi2sHS09tdpq)r`{s*5TB3V1)e@EIt$Xy>Y&+7(G#gPRyh#
zy;dN0EL(Faye}-}e<9;bFSxm_F5_w2zU$bU8%x8A&GTD3aSQt>=frCTj)4jONd1Nj
z?iLy{2M0hvL35W*@x`K3u6<IV%lYvu1ME`&<UpWYt_gjVEo0~8yuO9M)uKumk$_pS
z(k~8@LN9qQ5=Q&eT697;apgxJToTtb1QNsA-3Wtq_!Hmyx}(|6yPj?D-TyP%rH(H{
zJ-EL$$mp{T&kgQ9g+Bl!gLIh!v)E6m`FUl~m`XKA%1`QpBO~NwWVv;l6~*5T6uwUp
zQ~3Bjc6;WMf2eqfPwN2rBQrK;TeY01YpWVq;xNvCq-omyg2nX*8*6)eTmHw7uY!Uv
zg@aH?1q8AH!U->Ncb$;X7cw$`;2%gxNCRVI1=-ozAXV7}#y`CCkn|L}Pk|A=5$pjG
zPXa7D$Cd0fm(g*>9)xMR25}LhiA9$1&J~)x3&Vy*Aew&T**=?+-rC9wyb?7%{U6|!
zoFatHuX?Q;;xaO%y}kK?-<$*d^m2`bjjg86*{jmjd`&Djy>sUWUaA?iAfK0*^P@w=
zi12eLb|$k9=J!~@7Pa?@V{wJ(t0i2uqo(7SbK`JJx6inyj<Wi>k54(+EL@^Bu9&+y
z){jWEh8Y&Kot9>Jo}OYVcQmE<k}w({b<|gy-g<T&;GA?={Na05tYn1m;$66rK)`Ko
z8m^l!hh$n`rwb5nLi$u|h6f6x1{4QQ@M=EsXGP@*0>UxbUi46XSi7aJX$6ZyHr=JA
zMoSRLVxb{IF@VQC5ev9Azdpy#|4tuY$Hl}5GUJj1a5?9e2!9Io*VT$%cC@ck)t57A
zUox{57XvEVje8nKl}QuU*=w=CX0Yt5cF60<x!zqVGH^#RwS)r~ziIvpxWD49IPK4C
zS6<)<4SY)VW#fBqAB*h)<C>V16lgI`$LeY`TGvFc*5$}gpuq_EVoAgKu7;)4^?+|?
z!sXlC^t>mSI4veey|L-7s9Zq)yW}Yua9Ovma4dNc8qv`1MDAk8bdXn@&vc<2Ovk*t
zeWjzqM`xUGvsS)CQ9vmgwlVL=6Kc_2#%Qr@*Ar`rWIz?fZTQ|Xk&4NB`nG=uUzTAO
zm!!~W{{v7JzJ2~+y1WIYSG!VVxLe4OuI&*NGSP331n-3=+#UbX%tfa!Q-P{YR86I3
zAF~*ZTMu(*i3{Aux}9&staaMEAtq@3`XpnQ4O;!C!M6yWY@fgPp=AT-fR^RR?ln`Z
zmKveH+V<|XzknsQSudII^#ZY|9DoeTZyeqA?cbpWAVqEOREsb_Bn|gA5@MA+OIj0s
z?h`alKjTN*3trtgLbxWK8KsTVr<{!H)DiOXv2DynraG-B@DhwrjI}1>`(gS*k^klB
zX;nsXd=1%3(vi{A(@R^Gmf(?G@;rxFMZ$iywLRshSuY5q!=S6z$j!2MsTCt5QU(#q
z%0GdYjxbRRvXl1l-nzc;5S7-6h^y2IONov303D)od(e;X-s&3{G{;u|cR7{%oXW+O
zV=7#tn0@;ICRR<iTJYflFC;|q2?j)fGmR`5ZsF$LnKBlBkDZ2sEh4s?s%Qd+yktS>
zCa&%TcDQp(o>(907n3j7lWKnj7V>?;a?Dc~_aO;?ElxY!ZYjz3d9B_o9Kvagd!_7e
z^Zo7?pbB^rBap>HuPPeE0jrXn5=d>XG=$y^p>|H8*_r2VQ5Wd_zEp9QIE%f+1=Pv&
z=9avoDmQFRWz=ZZ#))KQ88Zn55X<f*oA1}3oGY&Wcx=YC?_@qwO8uJ<C)w&kX0r6T
zA^x-C13Z}O+kNhDPI>Qkb2S|&L}BQw{-Y~T17uN-dk=n@F-S|x)-D!(e7GpA?ET#n
zfzl|~idC*20RkfvH^Wps$2N*UA29J@*~@1ic4+yL_RxI%xv@+!3QB+>4}ZePKj1bq
zMO8pD@=Fop)*JfUDTU`eS$znm6H?@$jMHjTKPW8(us&<H<R;2|QUfg2FmQ=dXo=7l
zM3xthy!$A)Xru7u^VY`;rj#W?%4N`<q744A$&Si#O|2k`^DBSF{;6p~BZHI}C}CW}
zU)YKk+cI8Jshv5#E#OL~-xK-BBgx4Lpo@yELaXa1zuP%UO`j2w|6#8)*Z3F{5E(Gq
zsA<5KcVs%W<HW|XIKG*G_6CH?@JynBh5sO`udGv?4!+_H3=HHw`TN>(p*BQ1jpKAJ
zn8g05X{TPGQ~?PYx#{T<uCe+ATv*sOd<=ZtdKHZ5j>p}^-w$*C`2LMLC&kFfh@oP6
zSoc|Xx~giVMuq-FJ@XiYT;mpB1cA27&BNiFhE^P#hhv)+<;FFqKp(H1v&TCwiiAt4
z;iAp?E_XCMb5bU%xI@eC@f_e-nG%az<ZXRw+#SZ(ox@CTah*w7)FZjy95Ir3T6<*i
z1^W-$8%pGbYneaxAHn8dcB^P<i^0`N7=+<}@~@RG(PPHROJhfSUXhvZOBj>!vEiTa
z;BIqPBM#RGnjwl)mq%vrvQ9LL@md?MzD3}mk!Dz3dG$3%mUQZ1Hzpql5Y032q%u~S
zD*Q5KAG#{$`YfkJf|ZK@S)M|Z&nSD9X_sF<70Xae>>Y4MD!Up08Y^AnpDaxrXpksd
z5g8B_I?c|&p?vig<~|uK2m_3r=R1*UFGHk0T6LR1n7BAFP5L9+s<A%L@A8TgEdw%w
zN?u$nzldw>p+pNc;xfpiq6D1sVt~<*pe^r<jHp)FZp$5BToLt9Ne6ENjY7WTI3=^w
zo$PHPdnlj9myO^<uY~q&1NO3WR&>6mz*F58L?tB(%!q1QvvV$9Ho>5=KsK|YnS>Fs
zVl?QUBP*$_pilutevP>}TLeVx15*wl)bO-<Bak8d&irO>ZlU&Tf3xeliW^b0JkxCG
zz!_j7jgQ|=zNxz;?PA$*Z~`#`8sG()ynTjB@gZ3qj_44G0eE=d-`~&b@^kJMFi**t
zXJw-#iRjg*rCXBy8yg<B@RA*x<S;T>gf8H)MFSf3@?=21BygEG&LaM`K3M7(w+?LC
zv(RdoGu)=Fb~3K}wf7ndg2{igq-yAU++;|^66qKde~fI7UL<Y|H1Ny^J1GFn27uq>
z${YEcy0ADjzpiaU5fHjRVTSZ%L%#wxFGVGz?(z>178H$gPxXVy>jVr6s9T@`ZPs(0
z?i30d7RnhL;4P(9Mih;$;c2$>lJDH@lzIj}C3O~3O|sWH*65w%0#5NarOUI^S3}HM
z<%k$Fhv8#WRYUlplvUN#V(c_D-`UEu#^b+^cYOOUP9NMovA+cnI}5J<e6yn6xrS@J
zwn-YEX<pN{wzfWK{|I9{fHCMng7VD*fG!f7AY)=+1edrWrqMhrIeJRd^`3w1h+O1*
zc<Q?tt7BQIB5Ls?QQihihJ)EM3oDDca=n>Q3eSta*Phq&gbtaFA%Ju9hh%^WKh4^*
zD1ds3;Sh`mQU@HOu6G;q{91AVQy1@(?6|u9!4?)cyw}f7JFs<xkF$LbMVd`Qdlpt`
z0<Fj9SHm%pi^<T#>)Wa8F_K7Yd-1Kg>gNyLT^c}~w>Dvj^7+vfw4TpF)BsGwH|!Fv
zOSh`7!=Q2;uB@!7`G9|>>xy;*9u8rxK3txeUYe<+UnSnI>%|BqutXVSHukHZRShW?
z`)8Bzt{;T)9!*g`<$C(JWW(aJxe3AhH$c|}94g77@AWfeOiDoZz#kQV7P^bQ%VxY}
zA|Bhp-k<8j|0u`11G`cqxe#x9*mnqFvnFHT4nc~WbZ{U6g6yjI=gRAeg4Gy2pM8|_
zR!g2H<*y~iYl}>$U6LeKY+v3?D9BSFZGj-4l&Dmz*oK;ai(!T=AG~@7LRBEj$rn^w
zt0X64cdIOnaO&@SB+S<SSTRlC3E%}>ek)6Sli%NF0S=y=l)lwa0>i{4kCz*4Sj)SA
z$+d{4t*P5Y_nU*e^*D~q^M4Bh#9jvWU>BP)0A;CEC+*qHAtLI}YU(^8>D54ymNx#f
zK*_+cews|0h=0j%5iRtc4vt2lHH*X@W-1CUe)Ui@a3|@$l9y3cE~%UO!aV~xBIWlp
ztxQZTYM_;9tl-6Isl8C5KAC^Qte;--lMSyxQ3L@pF;`g=pdQ73C<)UC4qk<TG;=|@
z>veT+^zPID6RLWo^-_`P?5t(g_+;_IIWFm%gV0qYqQE*^igOblet6eaMjKOTH|0Az
zx=#&`OM^rXuV{_xZWA!goYF7r(_>#imBhAj!``;UVn}P@NKcK&<MyM5*}8h;mi)m`
zaY0a~A^%Rqo?)*O+iYE2%*ulcBnZ0@RpsKp%8ss3hjw)_uwWL)#H2*qu(SbHr<elM
zM61fqCVVJ-!x;~ncVtexD`h)-^IkX(IZgPKuPw!@n)2Ct5Uuzj%be)Ji+QD`sNDmo
zRSSuR)pRPb%EUIlqPiE1NpxkK=-5`4pJTpdQ-@Zu<e0}xA-QL@MSVqJUel7{_XGey
z*R8GR05xdk{Ol1<%%M~(V1EKc11ug^<j7Fq&9*|u3JG=&`^`Q3tlhnzyJK_}6ZxrG
z5r7)K`pMWL?=&04SYXv(Q{f=%)Ls-hU|z?}`(Y;_r|!+6*t;)8Da$Ws+xg*NDf6hp
zdi};|SSY8cDHh}n3b?H`lNPW;e!nC8mZ6@#?t~f%X$ET4ZQ?t9BvtZ^DsC$);%lcz
z7-*|nBUu@D`=r&~@+{Lo8PcpF3BR)hh_>@O7lvjdu@KT1evE;wKg&QYRSn+M305vm
znue}gfG&v`k^s&HcyNHSHKK+kT0IYypRG5P9|sfG3c`P-fJ#+0`c^xNNM8nfw}fL^
z(B58}c^G%U0~fs*-gA_X-ZFL^rw%g<hrS$-HhpFi37?TQE{i>s_v%AUjP0_4(W)!&
zXf=a$VRHa5fXb?MlY(t8V99qTjO|!lPC;xnQW7=#->WF48Bk!T3WE87IVI&b4HrEv
z4<-arSV7v3;PYBd2_fs!z(}&1?4N`>&x~3(!gbl`HBj{-yrf9)B^P5ytW+AykNirt
zcP8~R0K`{DQ7NywJdkKctlGlTc`l>skKx%EVB<M;O^z=3BFV$@Hqo+}>J!pL^pa9N
z%_l2{6pRbvZ6d+9ZK0qhSZn{r+OIWM4mVk<s8_N9T~ZskWapNn2+7kI+T{2K()L^M
z!fd}W14rIvZX3XnP$9{TYw7gr{To)?q+HuVA26#}{ogMK`RKgxFh{;yUPj6{i|=x2
z@=;Yz+#qGoPl+PK>ufguxfA*$2I;Lg4^qSEEF)&TDEsDwVZ8%G$bfTjTL=ueBkDFE
zKLVb@mqAV&yPCN&e09I-=>Xzm_uA*~4P6n|#dh-~AuVC*CS!!sYM$NlG2O4>pAZoD
zWCzqz07wr3r#e#DANz0KC;-6~FtHogz%D~PK7W@!E`v^pkiW#_i9?F$^~+%R4JDAb
z??z1;4qQF9S+*s^MTw1D`^P-?j<8C<w0c4fabX`&lUXR|B!ZTy<G#lnN3c<@8o2Yt
z@Ef)E&f_sJW_;%CKA||0mNqhai<cFrTkJum{)bo+XMgkUE5WB2bvi(H`PGA2m@yBf
z#6;|xxXG@mu|n%t)zJ@sGN=v*fwiQis6&N#iFcMMW?FeWVw!&?*g@^c0n(VNMl+me
zo?%<3n;n<s(v(!qp3Ar|Pt)#p55=X<M`>KE)GV`BA*gOS#KuvK4VuF5$)8ok8SuG`
z-MCkV>>K?>iQ#QT`0nGI;G%<#|4iJ<h}(R>zI!Q2hSm~;0o&UlG5wEN&I;mO+P*Xp
z8}t{FB?l>KFACXN*$;7vccv^^mN2m=#O-zdX0PR$ytp_AKGbn6ZCqMiwx3U{c29n6
zeH}D4AAo?l-o>#VxfxL9&G>iYg&B^wd0LR!&8XI}F}gIc&9)Cc$%jNFCSupeixpZb
z-s)zIM)DB2SsT!=s2`j0t(bvk`4Qc5;@$$(`xUoePrQ#WjY829^)$~)1WxA!9)1e9
z5@i&3EpSJj9tW@HQ0qMs^r5K6IV<6LlN3a<5V8_tCjhf3PktQ><B3vEjpB`YW#Zp`
z-$Gf7{?1Dk(Sh9HLWx_mlR?uQbDg>$8s>tRtBwPC5C~}aZaw*tYBWE&hX3`_bWZoP
zJU<9wmu6Tnl)`JV!Y8W<hs58>E67BVsNi7xAinW?Bvm@YL<=@Ejm+6Qfu>@2#o)S6
zzEV}fO0=>1T`NPHBcwphOYL_x{fI%6)}Qmp^;io6!}tB=9}L;?x8m)Pyo0Og_7l~q
zl=Q^m{&owC%}4Lu5#qGu0znSi|8kzZrS`0mPusHpo0mL~b-YYKDQB?b-$2wVK+^0;
z>mP9OLf_FhSPu^|A2kGXV7^T-AjPIuvH$#1*`P}IZxJhf%K=A}mY_tU_aDEBub+P|
zTD^f~AlR~I@e=;)BUr3|YMJT0dVS-|`iw=2A`3P%<Wh_zwz8Dhcjk+kR#b3^kI3tb
zKi$<ORN=HFZV?hswQp|Y%E+*gu&_U?&^azDYSAWd8WQ@v%U8Suzfl60E#F8A*pz`!
zETh2ykL)4Z?+qr8w4AB}p{&)SpaXg5WQG{tz=>4C&*4f}ki&Q;QX?mJuxa@2&(Q$h
zy1J;NQgjJ%3H%R$O{Th)wII@3Pci%L_{2hBY-+xKo#T>CsJGSA?oBZo^J()~lhL-Q
zCNM#Tn<kz9YdyQNImY^;!FRuvNci}u17;|8v*{b1c%Q(yQ&#ZQTh?)hq2djfXKeik
zI4<4Za^CMp@t)m#04^#nqw2Jf?t6e{zGUr^l-Y<7s@Sifwc0g`pF2gEL~roTiMK6;
z!YYZkrP~)$pR|0$9uiw;y*=u5J{U~Qe?Q(`kkyjXFfP{ZJNeNJ!<jLy`{PrqzmDb;
zpRu+*DVwooSAvSpSecL4PnQnWsPzlBjrU-+l<m2XW~u7+c^IOvOG;Td#E)^Lp@%Y-
z&IZ2L;&b03G}QQ3AvjrXHz&eOB;K2A=S|ki*0FemShaqgB7c@flN^>kuZkvoye^8;
znjA6?3$1-NeZ%67P15!faWR;Ub2*ivAw_+B%|#0`nhAi_AQ)Y)3hkB0=CuF7WLe*Z
zW4So#;%XZRT+{=oKz+c(Ywa2+lYY5p=C<k!`5Z=JSl{;>4`nYb;Qj4BMK8a~PFEXU
z(khoNsAx#bX+3RqZa66?j@DG^msqb;2}Ptj9iJ2&jO{eWwGT2K-EfX|++s*7mm5P;
zL8Y4Q0kW$ef&E7<2_!oF{#o~rg6&Jh{TtV5{B)`6pD!-!jh`jDjH;$S{ehLCU-jbV
z%ip^FY8%Fql*-*2!xJR;xf@<YW0iZ@;z$Zu8K*joMOysG0aba<wrQS603pjg)cY*~
z+4I@{Fx5I^REybC{o7b3*JB^qv#gG#ftl5&&=z8!ESMhIE-Y;I59b6RZSal`ZQlJ_
z!$ag{G+;hJmxjU4t)LLzw!&~GlE`Qpf3kv@9qgpDg)H{)Hl??I4^#=Ci66_<+qIQO
z`I7KC2IAV)I;*ji?)Rs?n11m7`1ba2^iKvX-t%o*Y0fUIyM0YtJb0*4H@+0*e32}!
zbc(6OEa%VY`!EHLs3P^NNWX)~N=gWVypcE145N(M*=Y)*-i`*%Za6~b`C7?DI_iBK
zJ(UnpsBl)Dagt;azi2pcZ@_)lQ|4B;+8VSsS5~!$R6E|PJf_?qEQ`{sRsX4DxI3&M
zJlI>Ts6LN-vC2yooc2WgZ)cTpb05qwoyzdKV&-h`wZQhhr1j<?dP9uMbVK9bk;#qg
zse0o5wRttYvdrUc8hr+5TEWvTfiYo%By_Ik<{Wrp=XQ91&6~VTbNS5dtPxh7GvaE9
zABWYybMEN2)shV-H^+9kzGhlq?C|`_6q=sy2xYpNtEo||w+1~uj=CBih*<l0AnLSU
zzw&`^84==J>OZDEZKg_g^m{ot$1+zvH_rg>6~baL<f>U7+E2z#!R5+)%dl{)I(2Bt
z)+*EYE;g)S(pLQwC3=jsO_Y>+;<9SZYvQz_%4`fz7Z(mWiDrG^$OMd6pA}aorl_ua
z!brk=R*D}%S`yhkWCQxXURmP}G1d(sHFsO$u3laNY~Hsz#BC4eGT^%(Xx!@}jBsch
zuh$sXO|ihnns|FxW`?A;HnE$V+vfHg=6c6Hg6Vgh*AKnD$s|dqYlr6iu0Xaa-7@oj
zMC8`FER@p*&d<37CzVd=cR2q@a?<&9v{A6iA8~q{Sxd4YF?&*!?!7nWb`mjmbJHte
zyYN0DkZGkyNx&@?h7rg2i~RfTaQVWlh}289$rMFXv&$sdVUhN@!+JuN{dt1Gdd^rF
z9?t_6@6!Yougme1-C&WzpxyD&E``OrTr}<wI&UW?8?RHmr#82DZWB(tcRng7Ehe+$
zvzpVqz&wlH>^yl#IvU1lej1qn#?L=a5$_kBnF%=OYoCGDVi-{@3F$x14n9_^*+bks
zeuHXED~=zBgH0N-1Os(0z4!?So4ZT)@v69K5NbH!s6*!ISImtiUj3Vn&XL_5X|SCT
zT#MXe6qLaqXA^!|2@AVc)ok$TG=j*ZH#~Iq6VQ=6W*eHlYk2A$BZ-BTn^>|_A(!rB
zH>r((Sn~^WwEXGfiHt*NWORgpw!ou+{)q*f?~K6OOOIldWpzDAC2Nh!B<iTkKRhFb
zN_*^M1>Y!0+_37QrsLGd#rvB-)cC`sWux*DD^F$)9#YEVirw{x!w_Pv{th2+WE*Qs
zy@e4Ew>@YYmsvo|gPzA{FcQ}R)%E$lkBwn$K_chVnZo0xT^@}EmXeZ@iW1uvY7x!G
zavBXHaQsAInq>!Tbc_whJ3H4Koc|YCqq#ip8@Xz05wYm&G@xpmoi}!{z1dT9=~%T<
zg>G*~$6<Yq-C~>@LT(OjDlb%*7Pa~W-R@l+6@34-`ext+I=-Q#sCcaNSngJm#;JW>
zW7~rAZQAPctna{ETeiM|zadV7C&{`Y+l1!Rojhm$XeBAF6BwpQ_nPD%M}<eC03UBu
z@{{Z1&4~_|mk0um4b!~6%s+JWr;wUpb=BJrf%BW4Iv6_M4|%)^NFFJEtk=%wtA*)J
zME5wZ;YYa2V@qRb&Xmt^$D=*Q+xjCE307g*I|}p_Cp_*2#>}R3?L^Ag1~t)>)9a8v
znR5P?p%Z!oHuC4SAiB~H9{4dEpXaayg?38q7;YZ?yGNC$*nb1F=CE+Xxs$Ji6^pij
z0_z|Pk@!=61ek_^2dX97c^a@!WCW{r_@y77bNsk{yZX}nqtd$4@U6SXM^)B=p`{K%
zr_HUI(nZCte6QLj+5RdqBYI~(28Xf@+kI-eB2Xm>b1nXg`|jIWPB8a5RfEG|PbN&r
zh>16Nb=8qH#T~JN|HQAz^B5?s!wm$F)llm|zwD}0i0;s@#0vYfZ2~lGYmmx|#Y~Y)
zao&pyeauX<+gl<Pw#kXO13I?t`_+>YWHAgH@38*NMcv}wMPN8X5?Wceq&mRQK^Mu^
zlrot;5pS#q4VGE)93CpKbURY%^!@(3Z#11VqZO>u_5LNg<tA{8h@(v5CSm0=FM>@E
zErHufOYYZpGB8KJ(JT|MJA`-XSLrq^YT%rxTRE4`62F7})>)*>mrvhJ9#Sia6q}WB
zyPI7-8Jbfno7(?BAm+EVGA^gC?9;05;uIJW1F9K3<;14doFNI`J!v}ex?|vAi*`2O
z%+(-PveC9g8=0YOX9&G<1^cT_U&<|91?4FzJD_6=@N9G1NP9?GInW{JXipj>@y>!g
zVVmaD<FNdIa=;n3=L)6n`<yhH+dXPHtfCznPwph~tYj;1Aal@9Y~l#%05m{4q7Z0B
zcnr?MFERYTD>UmH%nH=pJd}AWbEc}u`MvfZaOQMbO@%DWE|_uXA#Qn3yaj6v!ZrdB
zGX?dcq*61ihPGM8(mwAlW*8mA5YT8K{aUdenKvIE7FPC_b*wt<?Du7D)~mm#1V{?3
zZA%t79MbIAb~Y8*9bQN_`B<~q_f6a%Cel$?UP*o6)4O@|R--MUI^R${Z}4!5A`ZkO
zV=a)`pJ^KJb%|x6;n<gH&p7o8e(fM}bqaVoX$H&@k+-cmM2!{aE;o%OAb*@o2$NP@
z2v$)(nXBfvO8qX?{9@_HO826cXB(m=sX4kGe=cKqoj=Xj&2~zV4&weQdFqL6#Ubu3
zGw0Mbp?VO1`s*u7R=;X8XdaYcT3dO;hLAN{^JBsi6EGCH>Pw61C~FU{;AC20)@`vG
z8DTmZkDGA9ERQ`MPv)V;#Y3Z^#<X$1$Bl#rY!o$fYsX=Iw88>PsFdSlFLZfkpw+V5
z6&1Y0Bo*m0z8ZPvJ7Tk?t1@0)gN+*<!w(g_gD&Xj^*$O|v2IcUan)L_r`1xpg<4x{
zWkyH^88`+4XVGmxyY4_5-*ioe<fh!$G)u#|&1s?72}Blix<M&4qH?C@k=0FKjLwt)
zZrKxmaOyX5VC6n86_OEP3*+QSTf;!S=rNwPHvj4@WxP=P&@o1SU>nI>`r<pZvl$e$
zHUBl28p*<$9pgK$Lf?kHV)|%jMNwZJe>uNERNB$y>6pg(O`luJ$bv4K79yHuB5&d_
z)C9|Z8%1FFTAnS{^yK6q42kRfLdY9F{rBjn+vi1Se)VA(CxMrBkg(CWe3rEN#XOdW
z5Mr0J<AXEqgK(kp+Zv~1^j`?n`M}bS|1ZWH*hF>BUCq?>v`n0Tl^`U;N0U`kVHfA(
z2Aa#@9q&R{kXs3$g#Xx2I=|h?a#`4}pd-sUm`*C42as0vf7nA8UqKSKUbhc$0NHYT
zaW+KhE?NsITK3Y$JAL<x4!o-}_3bevmK71OglP;dE&jTy7xqy5qdvOVp|wtR(eJlf
zHhS<-Ca^2tO#5$EJz=5T;#M1HrX#c#&Ry1_4kRz66n=wkV`dA9Ir<UrF7d;73FEP%
zwYDhpo1+h$vb@&)gn`z6uT$c@H9B#wMWAzMI2x5H1vrX!u$<T6dO{TEdZ!4zdSzS-
z=RTA^5SZvQG<WIIn!6!O*uJF1AHArs&{X$0lcUg5>x8ky9GQD-DR*!s_kz6Zj)`B_
z!10qwrWe<v^F~R&nMkhO{=vcRH5_%xZOe31`%}S!zTUYqqKCI1iyQoLX+4$NW`u6*
z>|?8;v2p#~?<;(DJaq5lFGm_brXCX>`oR0@kJoE3DX0olx`?b*$(*qKvFuaDZ)(6V
zd)h-)$KJ2&$UKS{d;=WMI$_S&M|Fok9r+kERYX<MSkHR^S&Skk<vKhHokK&Fr(aY~
z#N><yA~g#264}B>*RhJ_zD5^aa!J6#dv9}fo{{3r=uzZ%EWP5w0E7#Rt3GaBkez9O
z|E-W~-(jwDpGTGcx^ia72{iCN`BL$4dUM6(D4}C!E-Xj%q@hdiDB$FnY}d_-Afiyg
zVEOOD>^7X~u<`wOWNz1WZK}oLj8=g;u`Z&G3!5I(GQTN?(whOum1#iB4tv#okS69F
zmfai$$JcepDz>eU6{?K@9+d%8!|Aijb%x5FdSG}TK;G&~OgeGx9Psp^jTvbcM#ERD
zf3$WD`&nV87^rhSyf<)Be33Ug7@W0uN~8eMkQGNPR^IM7Fr2^+`PaitHJmciO4r$~
z!*0K%jqR})8sSkfptli{$LpOt-Hdjy#!ZpVKHBw1j@zqPn6Ej~qr5pW7-!C*XT-zx
zrUJHHwch&Fk9WUGf$WpY7j`TymDN2<opNpCeKUms{Xjf~8r9loGd9Ggbj7A5fA<(`
zk8Kn2uX0zDnL^B32Ai9k+e>*NuDmE%z<RSGDZIyQ^?Y?tro;KTe@63%E~%#Z&N39(
zMNvfPE*21E5`5y9=cjgEl%cMn!rA9`G=<sj@;gbFdA=ZZUsejcR@`l^zu>fBi|S;3
z$%DK3A)+GT^lt*rnd(e$EB_9<l;gMEQ_6iZG(WsZe)NTw;n5-NN6v<LgFam6Z*3iV
zk{`49uT-`z>si-s6p}GbyC`X3=&wF2pHaxRw+7tDRcxj88#~>_7Y8YypM4~mWZf2T
zWr4edF9y$Kt#x5g;Hylq6A>9`SZd8pI4<1#Xdy_;5*gh4#8wa-&rGmyB*z<!TuqA2
zs;IumK+Z1?$4e9j){U&$Ubxj~YY4U&uZ0{SH@axUaTanNR=nT9YOoWhmI#d|ZGEx~
zgJ#CR5Z@15#LtT{KTHp99?WFi6VNUScw}-WYTWcWsn~uiu$JL*qBB07?gw)}7F3*0
zN>442R6Y;H)ks*_|KRaVeBYxgD%gConNch$4}TYwkHUagQB*AU1;b>bkJ4P-@Rdy9
zdA^X$=wDNF9YK%Z3&S9jx2p9~icN;d4r9Si;VXK<6LR^Vh7{>X|Md&Fu-tMQ-5ce%
z&SeAJKM_cX-ooC}_1QlXq45w4I>&iff+`-6Gw;4f<8bbV;}?8jYWP@X&Mwl;%Q812
z=#id>u05P^JwoMjckH&dN8<c1vaTVU=&QkEOT$TqPOF5&ni22$iU60hz+BuVC1A5L
zM?24Qk@!XK*k>ZjZJi!>cxVaqV0V@;tyKK4jxH>&y)_{dqJrKRl1!qBT)F2I5)H%i
zOW2<MN+*f$7ZC8tOgk=f#q5z;p*7}TDHOGQISvv2b6Zqe?mQlA4L(=|+0Pv?u{yLu
z*achi%?_#2PtTH+3J<}!2dKuG@xyw#Y+#gX{GEqDwsP;(BF^@1g^u*ez0bsVcl@L9
ztJma_w`2~PPyB+CJ9A7}svQ8VN@K{wB_=1oxbXD-scZbm*Pl{Rqqo5=&y@-Ai-&cK
zH~3u<PiACmO|ffdsSE{Gd!d%J`S-qR7$uw;?A~sFSO3Xw`|*;s+|81Y?dU!oUV*pp
z_>%)LnHN$Ft?DqDKTUeaO~#iWH1ZLnF@@XhQUgW)GkaY{cAK~<tE3K+?XZs};bShX
z^;3If#e?h|8b&RNCt&Hks^;m77}&ZA(PHA$y3=Kx<14Wpj+@c+E(BOp8@>b%uAW+K
zvZ-9AvWgx3=pCn$+hS-N$2M&}4PeLqeWBHSrSnN9lQVdOB-g{7&1p}B!c})u+4Xo_
z8VyisdlBe_2X@oJG$WOMgut?$Q};Hai>)@{=PxRo&iN=ar5hnrofwE2xMoQ$tCI*k
z_-6I(A()J}`>51Ljn81yN=i^ea}%cK`#5AMh*icvy>${OnDmI7X7{AW7FNQXH$n{-
z?bpkjOH;C<Tv+<~o0_^9pwq+Ul(Xg9jb9rfrjUN5Tw9d<E3?3u7pgxEaUwAw&8FW|
zB_|3iHArx>td4~IHb_u1tP6}eVvQszTIc!2+5X*3LT+7^95uMk=3=wbe0M@jpMlho
zNVprGOH&4Tw<ISR-iD`rvV7VnekK#Q3ncuu0?iZ`uuB(B@W>D=Lk27jO#Z$WQ%DWG
zeoTZgWzIHkciKPlDCAp$5dsV9vv(W?Dvb1C<^;F>9CoKUeO_d6%#m~q3+dXxM0nF#
z7vZSDs;SE3im_itJ-R0#Bys^ON|0X!KE8QbAve5Ych<XPN(#1cF-`YW`*k{aC~Rwv
zyhA+kIN*<<@aT87B<bq5<<4O_Kdz_21E=f*lan8~dOzI5JweA5<>{N2Pb{y4<nD5E
zsS&3WB_fBHd(Fs-xjm%#R&nR%EnrKh(&<}1aTHJO=`LAb?|SKS%;0iirHSXKR3$$)
zEhG8N%n{g#T394-!bQFMBc{21<dYrxK=z~a??#DMd)z(>X);%(;Kijj*;Y?5rY?>2
zDx}_S#~U-IER0YnXxwa1V>4z>b_K?zrLeH{+<r{ua`8NaONZK>#>h~joqt4eJ$2>v
zUnn;B`DTVBt(Tk|UL!W=FghQ^$6nO|yt@dg1#haFqg#%WxpFGPsN<x3{XB<TPa~qM
zbOSE${gva1_<VA$wQ90FK6a<afDbrQD0SxhzZp&U{X$4b556jBH@xmR{yRC{tisv^
zFM0pu+Mak!OgGg^{TKalOu8t9L*gUh``vlV4;G0bf8MUwIVH|MP+3ClWWaPI+&j3i
z_*_Lo__tS=+z7rIWyQq+Tw87`z1mIDwn@|9{3*nd99fkC6Cyo%)F!Q%au-zJPb8I0
zZ~A{jxv&2>%AKw9TWkRNcR*sIA6AVeK%2L$*R}#k$;Z2U>0B$ae>N3XQZ<6xNjk;5
zhg4jh>_96RJ9aCG?N?04g8Sg+4CQ-k0{$e_is7LC=aq(QPK&3_M6Q}*4lRU@>1gRP
z2x#JqiR#cJ`zF8;>&n|li46<@fs9aWN=nGoUXStOVs6hrp$JKK4*z1|TD5$N6*t=%
zWd&?{>|tW}-3a44o@Coe#BlrF(x*+UM35;QV_Zz_;=ZKR)VG_lF+i9Peq=4bI&r+B
zpg;_~jm3##nuc*jI`^ec3#Nr+Tl4rHF{&&tV}nO^JV<d(zq_}uZpZjDCoDfNW$Cgp
z0@BN>Gj@8uQ(#HmEaLEbKsfjQ-wwl)YwkpOhe-F^?C$~i<m>xKj};wUxc}*M2Pro+
zS+$Vd@PZZ>bVsUR4`fnP5u#=B$3PsiBtGFllP`~7FqOYxAf3SN>LI|oLZyUb!KC2Z
z6*sUkW9HKCnEXH`lGXua8-^V3zXc0CR9LR_md=Na=>N4D%&+q^aDmzu{GbZAS0IxZ
z2GGeUnQSGk;TxA_(Wugmn2uHvxi5cj1=@oKN85aY;+GyqfR$R;@MnK57~E24WMqVa
z@~&lOvO@((b2K$IJzwmMjEJ$FgQP&ehwpo(^rNjyW3z>E9vz(V9b<c~%6xe=B{M<8
zR*e`&#>PiE!7HY>!P+C&qj-Vp*I2T=?E&A=8M^RQ1iDvsGy^~J1|I7;I2P0e(*)$Z
z%lw`l4U$LJ;ZNvC<-~<?MsbgqHq)3}y+y#@FrIbjcL8DZ#`lM_Avf+vp&>>7A_Lvt
zKvSTt8cS8LJ$|orqnd1=Evcsj%A)9POV4`Kt@4b+fN8?BlnYbp<6@=6wSZJ>xX%Zp
zb72P_FKds93TG@m#F3`EIWt~+CjR?X!~^CZ*;zlxP(-Z+Ir#u6n!<Mye|(3E)xX$b
zF+3bzsB1UfzSAxOr@=|uB17EBa8v6%hWNZld%iM>%s6FaBtTkEjaZV1VP8JHzX%Z}
z`T1w=d<8al3Rly>bGx(ReK@HLw`}-eYJ)82lovneeJyP5X2mBg+Y*=b<bf4P#Lr%5
z<dRW0A@4L+G)kI4bc9%Ro&T!IcOdAhUugO$`+&!Wsq}Ago$dPcA^$SDa8cSYgUVwN
zx<s3%dw<RSLuwJs@2HJwHZ;+5prYbVU}e#IL&L`{!=oKsFNx;|3?00xKhz-ren|w9
zJszp1en%5h^H9^aKv>IXhgu=u3X^N2P+%XM!@6op2w4qWB=~ePsqwya@!isBegA>~
z<To#|J0C33wTwWc(s{gYqZuw6`|$f#P2f(GDFF6C!n~?JIB{auwa~}cQ-|YKZ0rdY
z&G<Hdm@yRe2(QSx1qs|PdMJuqd#PvY;hg=YySD55L6**}FpgGP!qb&@E|KDv-f}GZ
zQM;RO?%`K|;xzMpBgxrZi_c&PnPwT23wCXPapK7diS=4%RQ-C^4Ii=B8d@Y|PaBq&
zZ`NW_9(TcBDM7_Ifd763yY_W!O(POmPKJ-Z!RGP}d#R`2v5pIRiEv8#?MBPZRK(7Y
zd7jr(YUAZUT2Ju2eWtuTn<O_HEr>TK7DvfzkTWcK5d8CjUADN??sTTdsK7!eB_(24
z8=RL^hBxV|49et9F2{19>WHxwEr~WznBB&!Po{Yp7jL}`OiIk~Q6X|1*bTKc;ww`~
zO_v>I{fGQ3m2J`jGU79izhkHghOrd2fMu`&X1VE`TU%@Ax0RPM5Ca}Bf?5|6fI#@#
z-IBk9=YhvKq3~09T2Hi;c*~)tU#N5mjr1mq)6fsXSgFxki`#SQooFK#Y`s((Q>Opk
zWGVFYOUy#OySw87>*-b(x!8t%N86iWHI3Wfpw9@?{9~=`7sc9S&P<;~9Bp`j6)F!|
zBpl<({ofN8YlFv2xNrFXy4TV>>i{v^c+27bZs+M=m==R!1b+lwc}uE|mhBg^*XoPe
zUaeh;fyXEJY-8u!1qY^y)!YYEPn$<NnM<&r4`0RJz+SQG=4Wd?yX4+nchtlc)?fGT
zw~2l>-RP?cc3dZ%Q4{*jr`1q16MHp~CV}r}q^$){x+aiT`mrvTo(QDrqvHB|s7Hps
z00l{hBSQEM?4b`>jT<=*QdH_rwd1&Mf55hBy~3}^YfvFE-j4r#)OFqj?|nL5u&6jY
zVOaev`R475fk)vRD4EUK8K1!Bz=*lAz@vD(*S4G#_>sQdW6ly^DIuZaDRe4|JDyDD
z5zU4Flz;1LP}6DAq4jdzM)WV^y#HZ$#roj2_Qu#;reE$lGVx9KOuGB#TDt31-u=Ob
zmgzoY=1p%Cq0@j~x?AtD>s2n~4O&w`N81f?)Wh8;j7sD;elinrk#be4C=}R~x)wQq
z2~2+J=$QsBv_Mw<)OoYC4iYCZzkgVjH7Pxshvt`BCb*(hy!J#p0XyBxWS}I;{LPEo
zn?-DPs^%3NzS`d;*C>~z8Y_r9mIX!l8PZ*pe7aLY@<ieu{V)|g1JG{~${@MA$I1J1
z@rS{z=LG_r@FWsnx}{DCxd-?9{ju##LnJBJ4N3CdJLs4ko6VL_mUkyX)Y2e2BVS<5
z3U;XE{scYt7bh%{Wisy5`;wb(FQ#)Sj?MYbLH@@>A=H+C|9VncQc8|o6UW*;li)T_
zh&Y+N7#@Z3lXqO$lIaU)AMkRc)_#}xbo*C$cTw3qg$+m1F{|tVrBNy@-)z@BTyInY
zZP-dzUGNtfa+*gS5r};>ew={b73QqWxcbe}=PGMAD8p*MlRV~Iv|g0MQO|pmaI^L4
zn22<q>X<39KrSmswt@)jwdo0lbk-qLswm5~KZamC5#%ZHTHCG@>`0Q?k<)H<E@xA=
zeiTGIMZI4@Fy8j?TOgU(bBqy46)ag_zcetRn~!MfQ~KYb&PWFSFMg^T;DJNG5IXhR
zH0}k}3}OjxYsVZy3Efse_orF1r?dUYs!h&hi}f}JQ+G4;ck6ta9yeo}Ph}sePktRx
z@8XxI7inHRq%}S5&D~nA+0R-n^j%q{sWrIMWVORFub=jIfZRWM2D;8G->;QvioiBB
z>;7$9Ahe^gJS&f;);9CXmp+nfN3oAb_krrT`ir3|>vi}M6e>}6q(h`3un4>2qqhKC
z(9kV9f;FDkQS6Y>4O52<N-aQ%-*0{Pt3T8-dyq-z_IY^8W;_Bwj>B#q6b`<bqIy1N
z9kV^`e&o8`G~hl8Cvf%XKGM~GUh({@^IwmC6|P{(RG0wSxcS%uj@53hjRWk~;D>p~
zznEYgj6J;{i$vhXc#Q-gjBo%tbXVwf8XBtSJhXI(O{{-5hAi@ZK2r5-?+0xABfqMI
zE6HN`jvQscJW2T!QFaFpSr|jfBX|Wef~%MOKFzm?&Y@b5K<w-5XWVIAkJR}}Xhvgf
z9ubh9k6QS^*nZoP&bc%?^t3!gG*(8n@)&R>Si33g{WOfAx*FTr+wu5%2W8R4HvKMA
zyQ0Afo0RW`jR4*Fa^f9f$7&Ry&ac@X_S5_Q9Z5b=nZciL%|RKCmUKPwi8|Y;IZJt(
zrHZGO8GY*gcz+F5xj8r5DAW;%GTO?p5g~iN7{0o;pTA?q(i>DcYVuE}K{9;Md~U~>
zxR-Rs2wb##Wse?zRx_$f5jfXBZ3QPi#a`Fb5V~CQExF$&Grk2jh3nNopUDpr>gq0T
zvetgnQ;FLA26afnA+J-)cgt4CHwe_)^Ao$sWQ^6vLy1>=Cbzb9iTY#uH$QLao9dy(
z5>rf02q`@;mVf`oukAznl|iQGm9q>U=GI2A_sH8F?<^0U8@~)xBJ$UD*!3emDU05&
zq&wQTCff;3-0;4BkJ=}ZV#Pl5x_S;^?<k#gqEXfE#pl18{IH3!+rf~z8vDtz5w~sH
zC8IG1s9Hk}jV)e<=P5c`1NP}(B{nzRVaLp;d;ZAtdarHM<0*dj#m=whjqPf^dUB2H
zZ%8^{4^Um`3f|NryA!NU0W05)&&*^`Ptq}E@J;k43)8))awh*rb=Un3SJ#CF(M!au
z#3%{Td+#ODB3c9^I$?C8j$WdLXbDLWEw45aEy@_35Co&QQHLR-k3PEZ%D28h;yXXx
zweGq5>~q)N=j?UPex6;Qn|^gf%^G;5-PggCI?*#MTHq<|4l#_0p`rCAP2b9Il)Z&w
zgq~1@1@-HOnAh8FzutBJZ_W4!d(c4rNLU|(a)0PhYp)@$1vwKp_>LpFz;m`~?zmtx
z&@+rKkd_K!zd4xbu2nwTy7uhjzsXO%f8X`y;W9^0R0^8#IXrcsgC)izlx`)!Z2ta8
z<m>M>bQDs^BE^0Yp_UDS>WOWI@ITjkIMdA$=7NTkzOnbx;obdtZtSsos)4+eF6Yu%
zD%3Vq{`8S_!M;UepP#7Ml=B5P%-us{weeTqZtYGZS0wbmvSV&!(*t*Q9O9VB*}&r;
zXt9H4aaml}lo!rNc(;a@z&`hw+$v8p!L-I<4-+*dGFs(`m;H^w2gs+iw|@r!#DKf=
z)6-KRBsenHz6=IpZomvD-J{iqh5lNk%KbG`0EckPLPr({n>+ZGrf`Ox%?Px3AZA0E
zh}m@>%aC$sdZWuUvrb#dxqiBFaL;drS9$CMw@Y}f?~pM-7TmccbKj-pug3ur38F}&
zjxPa76hM6ikTs~f7G1dk#CUIjd>sec+>#r=yfHpjpLUJZY5_ZE$MSKsAf)r5jL5Jb
zi+e=YV*BH%>1F91ESEi}h&q}pIzYviOqV4hqi^2;V7ptV2fNl8@2#)4xP#}zv%~At
z3b<BTMCif9v;cd6zq8`33$kkPcdU5x$|^~JPgIOA%b=xU=i9qJZohnvv{*H$dg<ku
zqYGU(;)hgg)#N?N*B!k><<LqC;VPy|Z@*aHUn2x)Rk~hENJu=hwA2Mi5cUF?f!yHp
zQ(h%FB@_Un0ibvQp=2SHp3!^Ho&?~)h#3C&3xekJ1{)CD-SLh5n`8btE32fk5>`?Y
zug3nm_~_cBxx`zz4XqEHX<~89o-)xKBllIEp4t#aQvt=~hmEd1RRCtKfZP7oI9H{_
zoZe9V>+oQIRxl*<+Up{e9(-&15$yT<5dld=nS^(lg@#~%HFH1mQ)cmgb!evbSnZ$Z
z1BI(!EkD&4lJM~r$Hw!szh&q7Lc&hQ%O|wu`3cQdk2gAWs>?`x)?AUG9FXfX7`hm8
zeWHN&LE{eS70skBOZl8F=o4c4`kn%fho8S`T=GOx9=O*=LL`{H{QSD+=PyU`9i4-W
z3^61|Z$^iW45zGW$hM8SO+-8v`Q7+8yZ&shisvWUAs<!fPn68N4Y~K{D28NVT^1bx
zl$jmetm=gTP<>rvoyo$tD)@`~pl+7SQ|8wj&zNT5<-DLC{~n*Z%k4ST{)VdvQ$?}c
z3U;m|6OH@rfGtf4E|)AFrjjD7fu^}TYo;WJQGsF;#0mlrD%orp;fc;ewSFiZZ@Q#L
z&zFkNEQHQy|I?DGwU`fuI3(x}|1c13d=RkMSn59jDlX=Gk`$D}p!5q<gk=!JC^O>B
z&N;)A2*fb6tqd*9GT)<O2++a~?yIMb+&^DWG`qYi%d?&oyrWt0`L5;{xeu|E!;%p8
z6f8r<veP}rO<8NSzUuggd2e8d$#>>6&luR+ENa$k8Me)TATxZ+B7Tg=E(s@MH2mdH
zXBnz&#thu>y6+Puv&1Ssh{S^3mlpT<%>3{5kyj=cmA2h8-?O40w9wA&qGEJLW3`9~
zi|;CNr@Egf8?3Hq!>kAbFG@7mn2Z#UiZ|@>eg1f0YA2|=!4zSuqK&6BDEJ}&q$3#5
zW`Co@E}ZqTs}Jui!;pP%b&(oYM(_N)ve&D05D7>zxphi@$B31NhUR^#tbYJU!m6O1
zcAxE_u^cVqXwqxy6kD|y=GnL0V5mE+dYJfc<g%{J)blhdS}qdeCXP0@MFPCfIfnM%
zKnGE8abn@!FY^oXQ9gVT!E8+_pvukOVb(u!r=q22dw^y^E`&l&45HF}$%z;278f%<
zJzqu=S*AhC+ypkusJfUC1Sd6Uaa1l5#)eIBG-gUDE@z*5NlZaFw|{5(ijhoNd?y1&
ze8=9S`F8mLS1p4;mP%fFK?y#^puZT0t&-}+*28egSei71<%vxwDXFN}%5d)n`j*J<
z`T14vzB4r@$eXm_yhZ(G37yE;IyKH_x+NER0LOv+$ai|)_&A7E*AN%os|nb>inljH
ziDWd1ib|y#JfMrd4#dM&oRi|EFKWi4B;t1lVJA4$1D!bw&viIOab0s&0Ob%4S}7VC
z7Z>-$(4hDAN4C8=H2phEBgYhI6nAKD#?N#t)q@CCoe-yo;%P&84n)mWvD3o7Uu@P1
zcS4HfI&CQ&LQYbeq3OiNw`nfcD-hGB&{IjpnIyYDltOnKj)1=1#zXr$SW)Xm`qS;=
z`pn}?^vmN!M-o3os)Qc}hjK~}*@<6xQpQ&XQlX@!czLexMJO`Hb+I$hr_dQT)s|(Y
zu2es)ca8RP%(3<H{A&VI#{CDgn9e|%LiMBqF1eJfM;*y@7e!6fD6(F~^`TDT@E@aW
zQq>m;2DM_378V|Q^KHwVqKCG0_XGk;sJR3RUs-6reigoOu`fS)#n_)}iWR9%WBc7B
zy|-67_Cy%5OfMI!o>jm&HPO^vpQ|7Sp_8u*dz4|46hp3|+^v_el+||J5uJIfvfM_q
zLo9b|3B26E4m4d&gFa@iX34y*m;N5XD_Ep8{QZCz|LMl|8`3=<&aj2eX7ONUDIfXn
zA<G^Bi&wB(o*Wq)_9O%YUSJt->^AV+XB(UXG3@;u5ERV_-Zjv{2c@_6wG=4XohLix
zZtq0Rr*_7|GiyO2x%U#l2X<Rx#Vv}d&xGYoz0yv54s(oN7H^JSI~b1h`+BxAhbCDO
zWU?Z1P`#aA4IA~9o^~8W(9ecW()B?!jEhMLCC7R8P#l*?JGBWn2ayj?WjJl`N;+%4
zNe|SQO)O$?!QtD}1YY>ekF~e@Hh6;b-=gYVOP6%a#S;Fot!cxCsph0kOpArC7&=wW
zJXaT=gWUwXZJ<3pXppqwHuY#Z1n<!m>-bm7_P8blo8Wvl9)Xa@0wLkq(n6dy95A=I
z3*6I_2MVc)ck54o#3MhSNcj7?Yi7MOXFQ(!XEj6uU)hcq)Y&<0?$FWMgMB{O_-k=P
z-R2pdVD{!5e0=RKqK(?afrAlQySvBTK1Az?_(Vt)u<Rm+r{NLgDMs$l+Bd9}L%Kbj
zcAl4oj1=zKm-nHIf1jWw1Ya8O0ENHucj=L2XeNl-bzOQ~-l;6^VTU$^Pe&hLC(7qq
zNmdk5=*eUyq1@{>WU=s!H90ql&`1}CPt)hnSTsxI2sAeFQqwhu7Fd2x1*=RPs{GMf
zB9=Xin%Hg_m``eSCxv5es_$c;;rVoUVRd&ytgQ%qskMh_(cE!vQT`3hWH*p|PQa{S
zX1r`Mb_62dzGfq84!ziD_$G!~T1vk4l}ETV__>;z+6to6>XB*8ZHnB0;3-;uN~_vK
zUwl3u{wAV+9?FH2v#FXlja9dEJ@iyg;r9?U;|J)EF5v31V*@kX_ic)j^Ay{zCn}zI
z@Q4T)TESIzZPgHAz*a{E?je8FlKFOe3~)*|?7qz;H-;UjLCXkr9@Tn4@P%TEiKhGK
zJrs4!Ha^ZenUjq@kq1*0<3&aZ)!7JBhIE~~k^M6h{wb%7tyoNQ)$_>30gvxVLN0O&
zbRgR3w_MSLFU;)UHQhyW{Bkf4VWiwt9Z|pQ^!)8+Sw0bxi^B$%pC6?C<Yw*W>K*?a
zOzhj$Wu=B3$C;*?dar*dmq^>iIab&F>OMkH=li$ENJa?>MdYOBA22`<N*_vx-6~Dh
zvkKaQaDB5g<fQw36diJIntv_%zJ9L1hHdM&tiY8M7pbElp+8oCh<usJ65w1_f$Rke
zb=OqW%4Z-#xJ~rt8v5#!+7I{ph1*PUHio`oxW@~5jUOy|iFpJnS1#gJnGvyf-ZAtR
zX7*3NZ_cCT{P<6f67q_fc0Q=Ca{?NTZL{q9k$-n^mF+(4kSGYfrv0PBiT;%$ezx7z
z1_}7pLg!92r5ZB#r=!oZtn0y->w~la$P*9}PlG$zBjKTx;G0^@-Yspj&a(Kt-J^}r
z4=B7~*%-~SUcQFhS@~1LPkRIh%VM&b>AGeZskgI-%d2uef7AhkV9t9Vp|{PeKhu7E
zXg{f;UgNG$HY+UvIfEI-%@{^ZS5jXe47H8O50^ArTfA%UnBZMuMyWqN^T_|BvpQA@
zP7PhaNAW0TX_{$>;^qQriOLGgtdNu03ds=1)H`|lJx#%jt}@yo_Jr}LbT0<C9U(u-
zFu1J;S3MA9hD>~ye0axVAi1#aDe+~6Pk9(jk2~JHKK8KL7s?HL|NYFID@-8=mH2oo
zqG*d*b9Af<zOMU~?I^|EarwQqArMof{{b+ORiC09%TeXZRe^yIvkdjT`P>0d;@1-V
zia+ao*F@OX*o{dNCOysX{erC_y1sDP2-kZH8LfCAx=f5%f+=psThZ%UJQo62QYBuU
zOY4NLOMTPEYflR9PRvh8$s98^H*H}5q&k@uuy=qUadqxCOYLg>#rbnv4v0u5a2_6%
zo~ssvQZFYty}p(4hG}sCE`hIs6KXy_VqOS51e<|>*Vu(hXcyRN4OHfDm#2ukkGN?-
z8=G6;uTTXFll+Xq22x)9Cf`Njsjd3DwjB{*8(|1KmM0&))4Ypmji%g*L6l@CmW#US
z^uh8q+{7~E4=}LGu}Wjn_$q!=dY1kLJIIMYb2qn78w4mtrkx_$h_gkaW_Kn2Nvq?G
zHQvNwW*`D-Xy!<MC>eDZ4NX<*Wlw2^oQIv0l(dP94EVW&QZGSXw+{~FnsND<M_m(F
z#Vts!oiORUvyiz+Zz80B`>RZj7N$bgC<tDlIh1@NbA2)K0%FT04~5trY^x0IxbHdr
z<d?p2!q{ifjXS}H)v|`a)jZb(eciF<L&dB%h-@xJ(fGN$)N;O9t+?=koYBqdXP%zi
zy>I$Swop+O?k%Eb)CbcX92vPGsz*tJvtTb7KWXBF{@pW6?neJs)~O)#F?v1bIW2Fn
zXzPRdwMkJtSR-{qVXoJv(uzspa9B*^zb&c-VJbKK=X1^ZVOER<j%FZv--)tr6klv?
ztXI*p#ZgDgmTG;S_+<U!V}jO=3#?3;gs>+Z9(HE)BJk<5e+}NhY&Uod3OwtB7wZL6
zs%zzmuZ%dafF~}}1NK)A0~Xq_``J9eL}{EUKDwRRKhz(5S^;-2=yl~;A{`@j9SJ!f
zA={QT%0)f;xo<h{QU=OiSJ)*zi@CD)DF?<=TbZdz1+jH)D8gJ~pat5&u}LgHkMsuo
zlfFD|y4lL&qFh_i5B@$$(2{N6%!Zvx?_bNCZ-4&atxdRjB_k69z0rY&7&a_)(*v{k
u&&<tq)R?pXC&ti;;iiX|=l_9_`s>^1tjGwAb)^#?(6rR`)G8j^ME(a4V(x?h

literal 0
HcmV?d00001


From 70bdce97aaa6817ed6aa747e4d376069fd0692f3 Mon Sep 17 00:00:00 2001
From: Trance-0 <60459821+Trance-0@users.noreply.github.com>
Date: Tue, 3 Mar 2026 13:43:40 -0600
Subject: [PATCH 2/4] Update CSE4303_E1.md

---
 content/CSE4303/CSE4303_E1.md | 338 +++++++++++++++++++++++++++++-----
 1 file changed, 296 insertions(+), 42 deletions(-)

diff --git a/content/CSE4303/CSE4303_E1.md b/content/CSE4303/CSE4303_E1.md
index 3f9d021..d134546 100644
--- a/content/CSE4303/CSE4303_E1.md
+++ b/content/CSE4303/CSE4303_E1.md
@@ -6,7 +6,7 @@ Time and location
 
 – In class exam – Thursday, 3/5 at 11:30 AM
 – What is allowed:
-    - One 8.5” X 11” paper of notes, single-sided only, typed or hand-written
+    - One 8.5" X 11" paper of notes, single-sided only, typed or hand-written
 
 Topics covered:
 
@@ -170,7 +170,7 @@ Mallory: Man in the middle, can create and modify packets
 The message M is called the **plaintext**.
 
 Alice will convert plaintext M to an encrypted form using an
-encryption algorithm E that outputs a **ciphertext*- C for M.
+encryption algorithm E that outputs a **ciphertext** C for M.
 
 #### Cryptography goals
 
@@ -234,7 +234,7 @@ In practice, relax this assumption gets "Stream ciphers"
 Security abstraction:
 
 1. XOR transfers randomness of keystream to randomness of CT regardless of PT’s content
-2. Security depends on G being “practically” indistinguishable from random string and “practically” unpredictable
+2. Security depends on G being "practically" indistinguishable from random string and "practically" unpredictable
 3. Idea: shouldn’t be able to predict next bit of generator given all bits seen so far
 
 #### Semantic security
@@ -302,15 +302,269 @@ Forward network:
     - $L_d = R_{d-1},\ \ R_d = L_{d-1} \oplus f_d(R_{d-1})$
   - Output: $(L_d, R_d)$
 
+#### Block ciphers: block modes: ECB
+
+New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaintext)-capable, not just CT-only
+
+- Attacker sees many PT/CT pairs for same key
+- Conservative model: attacker submits arbitrary PT (hence "C"PA)
+- Cipher goal: maintain semantic security against CPA
+
+#### CPA indistinguishability game
+
+- Updated adversarial game for a CPA attacker:
+  - Let $E = (E, D)$ be a cipher defined over $(K, M, C)$. For $b \in \{0,1\}$ define $\operatorname{EXP}(b)$ as:
+
+- Experiment $\operatorname{EXP}(b)$:
+  - Challenger samples $k \leftarrow K$.
+  - For each query $i = 1,\ldots,q$:
+    - Adversary outputs messages $m_{i,0}, m_{i,1} \in M$ such that $|m_{i,0}| = |m_{i,1}|$.
+    - Challenger returns $c_i \leftarrow E(k, m_{i,b})$.
+
+- Encryption-oracle access (CPA):
+  - If the adversary wants $c = E(k, m)$, it queries with $m_{j,0} = m_{j,1} = m$ (so the response is $E(k,m)$ regardless of $b$).
+
+#### Semantic security under CPA
+
+- Def: $E$ is semantically secure under CPA if for all "efficient" adversaries $A$,
+  - $\operatorname{Adv}^{\operatorname{CPA}}[A,E] = \left|\Pr[\operatorname{EXP}(0)=1] - \Pr[\operatorname{EXP}(1)=1]\right|$
+  - is negligible.
+
+### Summary for symmetric encrption
+
+1. Stream ciphers
+   - Rely on secure PRG
+   - No key re-use
+   - Fast, low-mem, less robust
+2. Block ciphers
+   - Rely on secure PRP
+   - Allow key re-use (usually only across blocks, not sessions)
+   - Provide authenticated encryption in some modes (e.g. GCM)
+   - Slower, higher-mem, more robust
+   - Used in practice for most crypto tasks (including secure network channels)
+
 ## Hash functions
 
+### Hash function security properties
+
+- Given a function $h:X \to Y$, we say that $h$ is:
+
+- 1. Preimage resistant (one-way) if:
+  - given $y \in Y$ it is computationally infeasible to find a value $x \in X$ s.t. $h(x) = y$
+
+- 2. 2nd preimage resistant (weak collision resistant) if:
+  - given a specific $x \in X$ it is computationally infeasible to find a value $x' \in X$ s.t. $x' \ne x$ and $h(x') = h(x)$
+
+- 3. Collision resistant (strong collision resistant) if:
+  - it is computationally infeasible to find any two distinct values $x', x \in X$ s.t. $h(x') = h(x)$
+
+### Collision resistance: adversarial definition
+
+- Let $H: M \to T$ be a hash function ($|M| \gg |T|$).
+- A function $H$ is collision resistant if for all (explicit) "efficient" algorithms $A$,
+  - $\operatorname{Adv}^{\operatorname{CR}}[A,H] = Pr[$A outputs a collision for $H$ $]$
+  - is negligible
+
+### Hash function integrity applications
+
+1. Delayed knowledge verification
+2. Password storage
+3. Trusted timestamping / blockchains
+4. Integrity check on software
+
 ## Asymmetric key cryptography
 
+## Asymmetric crypto overview
+
+- Parties: sender, recipient, attacker (eavesdropping)
+- Goal: sender encrypts a plaintext to a ciphertext using a public key; recipient decrypts using a private key.
+
+#### Public-key encryption system
+- Def: a public-key encryption system is a triple of algorithms $(G, E, D)$:
+  - $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
+  - $E(pk, m)$: randomized algorithm that takes $m \in M$ and outputs $c \in C$
+  - $D(sk, c)$: deterministic algorithm that takes $c \in C$ and outputs $m \in M$ or $\bot$
+- Consistency: for all $(pk, sk)$ output by $G$, for all $m \in M$,
+  - $D(sk, E(pk, m)) = m$
+
+## Public-key building block: trapdoor function
+
+#### Trapdoor function
+- Def: a trapdoor function $X \to Y$ is a triple of efficient algorithms $(G, F, F^{-1})$:
+  - $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
+  - $F(pk, \cdot)$: deterministic algorithm that defines a function $X \to Y$
+  - $F^{-1}(sk, \cdot)$: defines a function $Y \to X$ that inverts $F(pk, \cdot)$
+- More precisely: for all $(pk, sk)$ output by $G$, for all $x \in X$,
+  - $F^{-1}(sk, F(pk, x)) = x$
+
+## Symmetric vs. asymmetric security: attacker models
+
+- Symmetric ciphers: two security notions for a passive attacker
+  - One-time security (stream ciphers: ciphertext-only)
+  - Many-time security (block ciphers: CPA)
+  - One-time security $\Rightarrow$ many-time security
+  - Example: ECB mode is one-time secure but not many-time secure
+- Public-key encryption: single notion for a passive attacker
+  - Attacker can encrypt by themselves using the public key
+  - Therefore one-time security $\Rightarrow$ many-time security (CPA)
+  - Implication: public-key encryption must be randomized
+  - Analogous to secure block modes for block ciphers
+
+## Semantic security of asymmetric crypto (IND-CPA)
+
+#### IND-CPA game for public-key encryption
+- For $b \in \{0,1\}$ define experiments $\mathrm{EXP}(0)$ and $\mathrm{EXP}(1)$:
+
+- Experiment $\mathrm{EXP}(b)$:
+  - Challenger runs $(pk, sk) \leftarrow G()$
+  - Challenger sends $pk$ to adversary $A$
+  - Adversary outputs $m_0, m_1 \in M$ such that $|m_0| = |m_1|$
+  - Challenger returns $c \leftarrow E(pk, m_b)$
+  - Adversary outputs a bit $b' \in \{0,1\}$ (often modeled as outputting 1 if it "guesses $b=1$")
+
+#### Semantic security (IND-CPA)
+- Def: $E = (G, E, D)$ is semantically secure (a.k.a. IND-CPA) if for all efficient adversaries $A$,
+  - $\mathrm{Adv}^{\mathrm{SS}}[A, E] = \left|\Pr[\mathrm{EXP}(0)=1] - \Pr[\mathrm{EXP}(1)=1]\right|$
+  - is negligible
+- Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in").
+
+## RSA cryptosystem: overview
+
+- Setup:
+  - $n = pq$, with $p$ and $q$ primes
+  - Choose $e$ relatively prime to $\phi(n) = (p-1)(q-1)$
+  - Choose $d$ as the inverse of $e$ in $\mathbb{Z}_{\phi(n)}$
+- Keys:
+  - Public key: $K_E = (n, e)$
+  - Private key: $K_D = d$
+- Encryption:
+  - Plaintext $M \in \mathbb{Z}_n$
+  - $C = M^e \bmod n$
+- Decryption:
+  - $M = C^d \bmod n$
+
+- Example:
+  - Setup:
+    - $p = 7$, $q = 17$
+    - $n = 7 \cdot 17 = 119$
+    - $\phi(n) = 6 \cdot 16 = 96$
+    - $e = 5$
+    - $d = 77$
+  - Keys:
+    - public key: $(119, 5)$
+    - private key: $77$
+  - Encryption:
+    - $M = 19$
+    - $C = 19^5 \bmod 119 = 66$
+  - Decryption:
+    - $M = 66^{77} \bmod 119 = 19$
+
+- Security intuition:
+  - To invert RSA without $d$, attacker must compute $x$ from $c = x^e \pmod n$.
+  - Best known approach:
+    - Step 1: factor $n$ (hard)
+    - Step 2: compute $e$-th roots modulo $p$ and $q$ (easy once factored)
+  - Notes (as commonly stated in lectures):
+    - 1024-bit RSA is within reach; 2048-bit is recommended usage
+
+## Diffie-Hellman key exchange (informal)
+
+- Fix a large prime $p$ (e.g., 2000 bits)
+- Fix an integer $g \in \{1,\ldots,p\}$
+
+- Protocol:
+  - Alice chooses random $a \in \{1,\ldots,p-1\}$ and sends $A = g^a \bmod p$
+  - Bob chooses random $b \in \{1,\ldots,p-1\}$ and sends $B = g^b \bmod p$
+  - Shared key:
+    - Alice computes $k_{AB} = B^a \bmod p = g^{ab} \bmod p$
+    - Bob computes $k_{AB} = A^b \bmod p = g^{ab} \bmod p$
+
+- Hardness assumptions:
+  - Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$
+  - Diffie-Hellman function: $\mathrm{DH}_g(g^a, g^b) = g^{ab} \bmod p$
+
+## Diffie-Hellman: security notes
+
+- As described, the protocol is insecure against active attacks:
+  - A man-in-the-middle (MiTM) can insert themselves and create 2 separate secure sessions
+- Fix idea: need a way to bind identity to a public key
+  - In practice: web of trust (e.g., GPG) or Public Key Infrastructure (PKI)
+
+## Implementing trapdoor functions securely
+
+- Never encrypt by applying $F$ directly to plaintext:
+  - Deterministic: cannot be semantically secure
+  - Many attacks exist for concrete TDFs
+  - Same plaintext blocks yield same ciphertext blocks
+
+- Naive (insecure) sketch:
+  - $E(pk, m)$: output $c \leftarrow F(pk, m)$
+  - $D(sk, c)$: output $F^{-1}(sk, c)$
+
+## Public-key encryption from TDFs
+
+- Components:
+  - $(G, F, F^{-1})$: secure TDF $X \to Y$
+  - $(E_s, D_s)$: symmetric authenticated encryption over $(K, M, C)$
+  - $H: X \to K$: a hash function
+
+- Construction of $(G, E, D)$ (with $G$ same as in the TDF):
+  - $E(pk, m)$:
+    - sample $x \leftarrow X$, compute $y \leftarrow F(pk, x)$
+    - derive $k \leftarrow H(x)$, compute $c \leftarrow E_s(k, m)$
+    - output $(y, c)$
+  - $D(sk, (y, c))$:
+    - compute $x \leftarrow F^{-1}(sk, y)$
+    - derive $k \leftarrow H(x)$, compute $m \leftarrow D_s(k, c)$
+    - output $m$
+
+- Visual intuition:
+  - header: $y = F(pk, x)$
+  - body: $c = E_s(H(x), m)$
+
+- Security theorem (lecture-style statement):
+  - If $(G, F, F^{-1})$ is a secure TDF, $(E_s, D_s)$ provides authenticated encryption, and $H$ is modeled as a random oracle, then $(G, E, D)$ is CCA-secure in the random oracle model (often denoted CCA-RO).
+  - Extension exists to reach full CCA (outside the RO idealization).
+
+## Wrapup: symmetric vs. asymmetric systems
+
+- Symmetric: faster, but key distribution is hard
+- Asymmetric: slower, but key distribution/management is easier
+- Application: secure web sessions (e.g., online shopping)
+  - Use symmetric-key encrypted sessions for bulk traffic
+  - Exchange symmetric keys using an asymmetric scheme
+  - Authenticate public keys (PKI or web of trust)
+
+## Key exchange: summary
+
+- Symmetric-key encryption challenges:
+  - Key storage: one per user pair, $O(n^2)$ total for $n$ users
+  - Key exchange: how to do it over a non-secure channel?
+
+- Possible solutions:
+
+- 1) Trusted Third Party (TTP)
+  - All users establish separate secret keys with the TTP
+  - TTP helps manage user-user keys (storage and secure channel)
+  - Applicability:
+    - Works for local domains
+    - Popular implementation: Kerberos for Single Sign On (SSO)
+  - Challenges:
+    - Scale: central authentication server is not suitable for the entire Internet
+    - Latency: requires online response from central server for every user-user session
+
+- 2) Public/private keys with certificates
+  - All users have a single stable public key (helps with key storage and exchange)
+  - Users exchange per-session symmetric keys via a secure channel using public/private keys
+  - Trusting public keys: binding is validated by a third-party authority (Certificate Authority, CA)
+    - Why better than TTP? CAs can validate statically by issuing certificates, then be uninvolved
+  - CA/certificate process covered in a future lecture
+
 ## Appendix for additional algorithms and methods
 
 ### Feistel network (used by several items below)
 
-A **Feistel network*- splits a block into left/right halves and iterates rounds of the form $(L_{i+1},R_{i+1})=(R_i, L_i\oplus F(R_i,K_i))$, so decryption reuses the same structure with subkeys in reverse order.
+A **Feistel network** splits a block into left/right halves and iterates rounds of the form $(L_{i+1},R_{i+1})=(R_i, L_i\oplus F(R_i,K_i))$, so decryption reuses the same structure with subkeys in reverse order.
 
 Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89MAC uses a Feistel block cipher internally).**
 
@@ -318,21 +572,21 @@ Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89M
 
 These don’t implement encryption or authentication; they just include/exclude suites.
 
-- **COMPLEMENTOFDEFAULT*- — (selection) picks suites in `ALL` that are not enabled by default (notably RC4/anonymous, depending on build).
-- **ALL*- — (selection) all suites except `eNULL`, in a default preference order (OpenSSL-defined ordering).
-- **COMPLEMENTOFALL*- — (selection) suites excluded from `ALL` (currently `eNULL`).
-- **HIGH / MEDIUM / LOW*- — (selection) groups suites by effective key strength class (OpenSSL policy buckets).
-- **TLSv1.2 / TLSv1.0 / SSLv3*- — (selection) restricts to suites whose *minimum supported protocol version- is at least that value.
-- **SUITEB128 / SUITEB128ONLY / SUITEB192*- — (selection) enforces “Suite B”-style constraints: only very specific ECDHE-ECDSA-AES-GCM suites and curves/hashes.
-- **CBC*- — (mode selector) selects suites using **CBC mode*- for symmetric encryption (confidentiality only unless paired with a MAC).
+- **COMPLEMENTOFDEFAULT** — (selection) picks suites in `ALL` that are not enabled by default (notably RC4/anonymous, depending on build).
+- **ALL** — (selection) all suites except `eNULL`, in a default preference order (OpenSSL-defined ordering).
+- **COMPLEMENTOFALL** — (selection) suites excluded from `ALL` (currently `eNULL`).
+- **HIGH / MEDIUM / LOW** — (selection) groups suites by effective key strength class (OpenSSL policy buckets).
+- **TLSv1.2 / TLSv1.0 / SSLv3** — (selection) restricts to suites whose *minimum supported protocol version- is at least that value.
+- **SUITEB128 / SUITEB128ONLY / SUITEB192** — (selection) enforces "Suite B"-style constraints: only very specific ECDHE-ECDSA-AES-GCM suites and curves/hashes.
+- **CBC** — (mode selector) selects suites using **CBC mode** for symmetric encryption (confidentiality only unless paired with a MAC).
 
 ---
 
-### B) “No encryption” / “no authentication” flags
+### B) "No encryption" / "no authentication" flags
 
-- **eNULL, NULL*- — **encryption/decryption: none**; **cipher method: N/A**; core idea: the record payload is not encrypted at all (plaintext).
-- **aNULL*- — **authentication: none*- (no peer authentication); **cipher method: N/A**; core idea: uses anonymous key agreement (no cert/signature), enabling MITM.
-- **ADH / AECDH*- — **authentication: none**; **cipher method: N/A**; core idea: anonymous (EC)DH establishes a shared secret but without identity binding → MITM-friendly.
+- **eNULL, NULL** — **encryption/decryption: none**; **cipher method: N/A**; core idea: the record payload is not encrypted at all (plaintext).
+- **aNULL** — **authentication: none** (no peer authentication); **cipher method: N/A**; core idea: uses anonymous key agreement (no cert/signature), enabling MITM.
+- **ADH / AECDH** — **authentication: none**; **cipher method: N/A**; core idea: anonymous (EC)DH establishes a shared secret but without identity binding → MITM-friendly.
 
 ---
 
@@ -342,63 +596,63 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
 
 #### RSA / DH / ECDH families
 
-- **kRSA, RSA*- — (key exchange) the premaster secret is sent encrypted under the server’s RSA public key (classic TLS RSA KX).
-- **aRSA, aECDSA, aDSS, aGOST, aGOST01*- — (authentication) the server identity is proven via a certificate signature scheme (RSA / ECDSA / DSA / GOST).
-- **kDHr, kDHd, kDH*- — (key exchange) *static- DH key agreement using DH certificates (obsolete/removed in newer OpenSSL).
-- **kDHE, kEDH, DH / DHE, EDH / ECDHE, EECDH / kEECDH, kECDHE, ECDH*- — (key exchange) *ephemeral- (EC)DH derives a fresh shared secret each handshake; “authenticated” variants bind it to a cert/signature.
-- **aDH*- — (authentication selector) indicates DH-authenticated suites (DH certs; also removed in newer OpenSSL).
+- **kRSA, RSA** — (key exchange) the premaster secret is sent encrypted under the server’s RSA public key (classic TLS RSA KX).
+- **aRSA, aECDSA, aDSS, aGOST, aGOST01** — (authentication) the server identity is proven via a certificate signature scheme (RSA / ECDSA / DSA / GOST).
+- **kDHr, kDHd, kDH** — (key exchange) *static- DH key agreement using DH certificates (obsolete/removed in newer OpenSSL).
+- **kDHE, kEDH, DH / DHE, EDH / ECDHE, EECDH / kEECDH, kECDHE, ECDH** — (key exchange) *ephemeral- (EC)DH derives a fresh shared secret each handshake; "authenticated" variants bind it to a cert/signature.
+- **aDH** — (authentication selector) indicates DH-authenticated suites (DH certs; also removed in newer OpenSSL).
 
 #### PSK family
 
-- **PSK*- — (keying model) uses a pre-shared secret as the authentication/secret basis.
-- **kPSK, kECDHEPSK, kDHEPSK, kRSAPSK*- — (key exchange) PSK combined with (EC)DHE or RSA to derive/transport session keys.
-- **aPSK*- — (authentication) PSK itself authenticates endpoints (except RSA_PSK where cert auth may be involved).
+- **PSK** — (keying model) uses a pre-shared secret as the authentication/secret basis.
+- **kPSK, kECDHEPSK, kDHEPSK, kRSAPSK** — (key exchange) PSK combined with (EC)DHE or RSA to derive/transport session keys.
+- **aPSK** — (authentication) PSK itself authenticates endpoints (except RSA_PSK where cert auth may be involved).
 
 ---
 
-### D) Symmetric encryption / AEAD (this is where “block vs stream” applies)
+### D) Symmetric encryption / AEAD (this is where "block vs stream" applies)
 
 #### AES family
 
-- **AES128 / AES256 / AES*- — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitution–permutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds.
-- **AESGCM*- — **both encryption + message authentication (AEAD)**; **both*- (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
-- **AESCCM / AESCCM8*- — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants.
+- **AES128 / AES256 / AES** — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitution–permutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds.
+- **AESGCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
+- **AESCCM / AESCCM8** — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants.
 
 #### ARIA family
 
-- **ARIA128 / ARIA256 / ARIA*- — **encryption/decryption**; **block cipher**; core algorithm: ARIA is an SPN-style block cipher with byte-wise substitutions and diffusion layers across rounds.
+- **ARIA128 / ARIA256 / ARIA** — **encryption/decryption**; **block cipher**; core algorithm: ARIA is an SPN-style block cipher with byte-wise substitutions and diffusion layers across rounds.
 
 #### CAMELLIA family
 
-- **CAMELLIA128 / CAMELLIA256 / CAMELLIA*- — **encryption/decryption**; **block cipher**; core algorithm: Camellia is a **Feistel network*- with round functions plus extra FL/FL$^{-1}$ layers for nonlinearity and diffusion. *(Feistel: yes)*
+- **CAMELLIA128 / CAMELLIA256 / CAMELLIA** — **encryption/decryption**; **block cipher**; core algorithm: Camellia is a **Feistel network** with round functions plus extra FL/FL$^{-1}$ layers for nonlinearity and diffusion. *(Feistel: yes)*
 
 #### ChaCha20
 
-- **CHACHA20*- — **encryption/decryption**; **stream cipher**; core algorithm: ChaCha20 generates a keystream via repeated ARX (add-rotate-xor) quarter-rounds on a 512-bit state and XORs it with plaintext.
+- **CHACHA20** — **encryption/decryption**; **stream cipher**; core algorithm: ChaCha20 generates a keystream via repeated ARX (add-rotate-xor) quarter-rounds on a 512-bit state and XORs it with plaintext.
 
 #### DES / 3DES
 
-- **DES*- — **encryption/decryption**; **block cipher**; core algorithm: DES is a 16-round **Feistel network*- using expansion, S-boxes, and permutations. *(Feistel: yes)*
-- **3DES*- — **encryption/decryption**; **block cipher**; core algorithm: applies DES three times (EDE or EEE) to increase effective security while retaining the **Feistel*- DES core. *(Feistel: yes)*
+- **DES** — **encryption/decryption**; **block cipher**; core algorithm: DES is a 16-round **Feistel network** using expansion, S-boxes, and permutations. *(Feistel: yes)*
+- **3DES** — **encryption/decryption**; **block cipher**; core algorithm: applies DES three times (EDE or EEE) to increase effective security while retaining the **Feistel** DES core. *(Feistel: yes)*
 
 #### RC4
 
-- **RC4*- — **encryption/decryption**; **stream cipher**; core algorithm: maintains a 256-byte permutation and produces a keystream byte-by-byte that is XORed with plaintext.
+- **RC4** — **encryption/decryption**; **stream cipher**; core algorithm: maintains a 256-byte permutation and produces a keystream byte-by-byte that is XORed with plaintext.
 
 #### RC2 / IDEA / SEED
 
-- **RC2*- — **encryption/decryption**; **block cipher**; core algorithm: mixes key-dependent operations (adds, XORs, rotates) across rounds with “mix” and “mash” steps (not Feistel).
-- **IDEA*- — **encryption/decryption**; **block cipher**; core algorithm: combines modular addition, modular multiplication, and XOR in a Lai–Massey-like structure to achieve diffusion/nonlinearity (not Feistel).
-- **SEED*- — **encryption/decryption**; **block cipher**; core algorithm: a 16-round **Feistel network*- with nonlinear S-box-based round functions. *(Feistel: yes)*
+- **RC2** — **encryption/decryption**; **block cipher**; core algorithm: mixes key-dependent operations (adds, XORs, rotates) across rounds with "mix" and "mash" steps (not Feistel).
+- **IDEA** — **encryption/decryption**; **block cipher**; core algorithm: combines modular addition, modular multiplication, and XOR in a Lai–Massey-like structure to achieve diffusion/nonlinearity (not Feistel).
+- **SEED** — **encryption/decryption**; **block cipher**; core algorithm: a 16-round **Feistel network** with nonlinear S-box-based round functions. *(Feistel: yes)*
 
 ---
 
 ### E) Hash / MAC / digest selectors (message authentication side)
 
-These are not “ciphers” but are used for integrity/authentication (often as HMAC, PRF, signatures).
+These are not "ciphers" but are used for integrity/authentication (often as HMAC, PRF, signatures).
 
-- **MD5*- — **message authentication component*- (typically via HMAC, historically); **cipher method: N/A**; core algorithm: iterated Merkle–Damgård hash compressing 512-bit blocks into a 128-bit digest (now considered broken for collision resistance).
-- **SHA1, SHA*- — **message authentication component*- (typically HMAC-SHA1 historically); **N/A**; core algorithm: Merkle–Damgård hash producing 160-bit output via 80-step compression (collisions known).
-- **SHA256 / SHA384*- — **message authentication component*- (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family Merkle–Damgård hashes with different word sizes/output lengths (256-bit vs 384-bit).
-- **GOST94*- — **message authentication component*- (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash.
-- **GOST89MAC*- — **message authentication**; **block-cipher-based MAC (so “block” internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)*
+- **MD5** — **message authentication component** (typically via HMAC, historically); **cipher method: N/A**; core algorithm: iterated Merkle–Damgård hash compressing 512-bit blocks into a 128-bit digest (now considered broken for collision resistance).
+- **SHA1, SHA** — **message authentication component** (typically HMAC-SHA1 historically); **N/A**; core algorithm: Merkle–Damgård hash producing 160-bit output via 80-step compression (collisions known).
+- **SHA256 / SHA384** — **message authentication component** (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family Merkle–Damgård hashes with different word sizes/output lengths (256-bit vs 384-bit).
+- **GOST94** — **message authentication component** (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash.
+- **GOST89MAC** — **message authentication**; **block-cipher-based MAC (so "block" internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)*

From 1221e03ac348073546ff7b069cbd385dd7c43115 Mon Sep 17 00:00:00 2001
From: Trance-0 <60459821+Trance-0@users.noreply.github.com>
Date: Tue, 3 Mar 2026 13:58:25 -0600
Subject: [PATCH 3/4] Update CSE4303_E1.md

---
 content/CSE4303/CSE4303_E1.md | 55 +++++++++++++----------------------
 1 file changed, 20 insertions(+), 35 deletions(-)

diff --git a/content/CSE4303/CSE4303_E1.md b/content/CSE4303/CSE4303_E1.md
index d134546..52e2829 100644
--- a/content/CSE4303/CSE4303_E1.md
+++ b/content/CSE4303/CSE4303_E1.md
@@ -374,12 +374,13 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
 
 ## Asymmetric key cryptography
 
-## Asymmetric crypto overview
+### Asymmetric crypto overview
 
 - Parties: sender, recipient, attacker (eavesdropping)
 - Goal: sender encrypts a plaintext to a ciphertext using a public key; recipient decrypts using a private key.
 
 #### Public-key encryption system
+
 - Def: a public-key encryption system is a triple of algorithms $(G, E, D)$:
   - $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
   - $E(pk, m)$: randomized algorithm that takes $m \in M$ and outputs $c \in C$
@@ -387,9 +388,8 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
 - Consistency: for all $(pk, sk)$ output by $G$, for all $m \in M$,
   - $D(sk, E(pk, m)) = m$
 
-## Public-key building block: trapdoor function
-
 #### Trapdoor function
+
 - Def: a trapdoor function $X \to Y$ is a triple of efficient algorithms $(G, F, F^{-1})$:
   - $G()$: randomized algorithm that outputs a key pair $(pk, sk)$
   - $F(pk, \cdot)$: deterministic algorithm that defines a function $X \to Y$
@@ -397,7 +397,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
 - More precisely: for all $(pk, sk)$ output by $G$, for all $x \in X$,
   - $F^{-1}(sk, F(pk, x)) = x$
 
-## Symmetric vs. asymmetric security: attacker models
+#### Symmetric vs. asymmetric security: attacker models
 
 - Symmetric ciphers: two security notions for a passive attacker
   - One-time security (stream ciphers: ciphertext-only)
@@ -410,12 +410,13 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Implication: public-key encryption must be randomized
   - Analogous to secure block modes for block ciphers
 
-## Semantic security of asymmetric crypto (IND-CPA)
+### Semantic security of asymmetric crypto (IND-CPA)
 
 #### IND-CPA game for public-key encryption
-- For $b \in \{0,1\}$ define experiments $\mathrm{EXP}(0)$ and $\mathrm{EXP}(1)$:
 
-- Experiment $\mathrm{EXP}(b)$:
+- For $b \in \{0,1\}$ define experiments $\operatorname{EXP}(0)$ and $\operatorname{EXP}(1)$:
+
+- Experiment $\operatorname{EXP}(b)$:
   - Challenger runs $(pk, sk) \leftarrow G()$
   - Challenger sends $pk$ to adversary $A$
   - Adversary outputs $m_0, m_1 \in M$ such that $|m_0| = |m_1|$
@@ -423,8 +424,9 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Adversary outputs a bit $b' \in \{0,1\}$ (often modeled as outputting 1 if it "guesses $b=1$")
 
 #### Semantic security (IND-CPA)
+
 - Def: $E = (G, E, D)$ is semantically secure (a.k.a. IND-CPA) if for all efficient adversaries $A$,
-  - $\mathrm{Adv}^{\mathrm{SS}}[A, E] = \left|\Pr[\mathrm{EXP}(0)=1] - \Pr[\mathrm{EXP}(1)=1]\right|$
+  - $\operatorname{Adv}^{\operatorname{SS}}[A, E] = \left|\Pr[\operatorname{EXP}(0)=1] - \Pr[\operatorname{EXP}(1)=1]\right|$
   - is negligible
 - Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in").
 
@@ -481,7 +483,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
 
 - Hardness assumptions:
   - Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$
-  - Diffie-Hellman function: $\mathrm{DH}_g(g^a, g^b) = g^{ab} \bmod p$
+  - Diffie-Hellman function: $\operatorname{DH}_g(g^a, g^b) = g^{ab} \bmod p$
 
 ## Diffie-Hellman: security notes
 
@@ -568,29 +570,7 @@ A **Feistel network** splits a block into left/right halves and iterates rounds
 
 Feistel-based here: **DES, 3DES, CAMELLIA, SEED, GOST 28147-89 (and thus GOST89MAC uses a Feistel block cipher internally).**
 
-### A) Cipherlist *filters / set operations- (not crypto primitives)
-
-These don’t implement encryption or authentication; they just include/exclude suites.
-
-- **COMPLEMENTOFDEFAULT** — (selection) picks suites in `ALL` that are not enabled by default (notably RC4/anonymous, depending on build).
-- **ALL** — (selection) all suites except `eNULL`, in a default preference order (OpenSSL-defined ordering).
-- **COMPLEMENTOFALL** — (selection) suites excluded from `ALL` (currently `eNULL`).
-- **HIGH / MEDIUM / LOW** — (selection) groups suites by effective key strength class (OpenSSL policy buckets).
-- **TLSv1.2 / TLSv1.0 / SSLv3** — (selection) restricts to suites whose *minimum supported protocol version- is at least that value.
-- **SUITEB128 / SUITEB128ONLY / SUITEB192** — (selection) enforces "Suite B"-style constraints: only very specific ECDHE-ECDSA-AES-GCM suites and curves/hashes.
-- **CBC** — (mode selector) selects suites using **CBC mode** for symmetric encryption (confidentiality only unless paired with a MAC).
-
----
-
-### B) "No encryption" / "no authentication" flags
-
-- **eNULL, NULL** — **encryption/decryption: none**; **cipher method: N/A**; core idea: the record payload is not encrypted at all (plaintext).
-- **aNULL** — **authentication: none** (no peer authentication); **cipher method: N/A**; core idea: uses anonymous key agreement (no cert/signature), enabling MITM.
-- **ADH / AECDH** — **authentication: none**; **cipher method: N/A**; core idea: anonymous (EC)DH establishes a shared secret but without identity binding → MITM-friendly.
-
----
-
-### C) Key exchange and authentication selectors (not symmetric encryption, not MAC)
+### Key exchange and authentication selectors (not symmetric encryption, not MAC)
 
 These describe *how keys are negotiated- and/or *how the peer is authenticated*, not whether payload is a block/stream cipher.
 
@@ -610,12 +590,15 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
 
 ---
 
-### D) Symmetric encryption / AEAD (this is where "block vs stream" applies)
+### Symmetric encryption / AEAD (this is where "block vs stream" applies)
 
 #### AES family
 
 - **AES128 / AES256 / AES** — **encryption/decryption**; **block cipher**; core algorithm: AES is an SPN (substitution–permutation network) of repeated SubBytes/ShiftRows/MixColumns/AddRoundKey rounds.
-- **AESGCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
+- **AES-GCM** — **both encryption + message authentication (AEAD)**; **both** (AES block cipher used in counter mode + auth); core algorithm: encrypt with AES-CTR and authenticate with GHASH over ciphertext/AAD to produce a tag.
+- **AES-ECB**: Functionality is encryption/decryption (confidentiality only) using a block cipher mode; core algorithm encrypts each 128-bit plaintext block independently under the same key, which deterministically leaks patterns because equal plaintext blocks map to equal ciphertext blocks.
+- **AES-CBC**: Functionality is encryption/decryption (confidentiality only) using a block cipher mode; core algorithm XORs each plaintext block with the previous ciphertext block (starting from a fresh unpredictable IV) before AES-encrypting, which hides repetitions but requires correct IV handling and padding for non-multiple-of-block messages.
+- **AES-OFB** — **encryption**; both (stream-like); repeatedly AES-encrypts an internal state to generate a keystream and XORs it with plaintext, where the state evolves independently of the plaintext/ciphertext.
 - **AESCCM / AESCCM8** — **both encryption + message authentication (AEAD)**; **both**; core algorithm: compute CBC-MAC then encrypt with CTR mode, with 16-byte vs 8-byte tag length variants.
 
 #### ARIA family
@@ -647,7 +630,7 @@ These describe *how keys are negotiated- and/or *how the peer is authenticated*,
 
 ---
 
-### E) Hash / MAC / digest selectors (message authentication side)
+### Hash / MAC / digest selectors (message authentication side)
 
 These are not "ciphers" but are used for integrity/authentication (often as HMAC, PRF, signatures).
 
@@ -656,3 +639,5 @@ These are not "ciphers" but are used for integrity/authentication (often as HMAC
 - **SHA256 / SHA384** — **message authentication component** (HMAC / TLS PRF / signatures); **N/A**; core algorithm: SHA-2 family Merkle–Damgård hashes with different word sizes/output lengths (256-bit vs 384-bit).
 - **GOST94** — **message authentication component** (HMAC based on GOST R 34.11-94); **N/A**; core algorithm: builds an HMAC tag by hashing inner/outer padded key with the message using the GOST hash.
 - **GOST89MAC** — **message authentication**; **block-cipher-based MAC (so "block" internally)**; core algorithm: computes a MAC using the GOST 28147-89 block cipher in a MAC mode (cipher-based chaining). *(Feistel internally via GOST 28147-89)*
+
+> Latest version of cheatsheet distilled from this note.

From 69174f2157e86e1feab1e169d7ddd8227bd04dbe Mon Sep 17 00:00:00 2001
From: Trance-0 <60459821+Trance-0@users.noreply.github.com>
Date: Tue, 3 Mar 2026 15:52:01 -0600
Subject: [PATCH 4/4] updates

---
 content/CSE4303/CSE4303_E1.md                | 149 +++++++++++++++++--
 content/Math4202/Exam_reviews/Math4202_E1.md |  28 +++-
 2 files changed, 165 insertions(+), 12 deletions(-)

diff --git a/content/CSE4303/CSE4303_E1.md b/content/CSE4303/CSE4303_E1.md
index 52e2829..59c980f 100644
--- a/content/CSE4303/CSE4303_E1.md
+++ b/content/CSE4303/CSE4303_E1.md
@@ -84,7 +84,7 @@ Importance of correct modeling
 - Reevaluate often
   - Threat capabilities change over time
 
-## TCP/IP network stack
+### TCP/IP network stack
 
 Local and interdomain routing
 
@@ -95,7 +95,7 @@ Domain Name System
 
 - Find IP address from symbolic name (cse.wustl.edu)
 
-### Layer Summary
+#### Layer Summary
 
 Application: the actual sending message
 Transport (TCP, UDP): segment
@@ -190,9 +190,9 @@ Integrity:
   - c) collection of plaintext/ciphertext pairs for plaintexts selected by the attacker (chosen plaintext attack: CPA)
   - d) collection of plaintext/ciphertext pairs for ciphertexts selected by the attacker (chosen ciphertext attack: CCA/CCA2)
 
-## Symmetric key cryptography
+### Symmetric key cryptography
 
-### Classical cryptography
+#### Classical cryptography
 
 Techniques: substitution and transposition
 
@@ -372,6 +372,133 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
 3. Trusted timestamping / blockchains
 4. Integrity check on software
 
+#### File integrity with secure read-only space
+
+- When user downloads package, can verify that contents are valid
+- $H$ collision resistant $\Rightarrow$ attacker cannot modify package without detection
+- No encryption needed (public verifiability) if publisher has secure read-only space (e.g. trusted website, social media account)
+
+#### Symmetric-crypto message authentication
+
+- Context: Assume no secure RO space (insecure channel only)
+  - Need means of message authentication
+- Idea: add tag to message
+- System: Message Authentication Code (MAC)
+- Def: a MAC $I=(S,V)$ defined over $(K,M,T)$ is a pair of algorithms:
+  - $S(k,m)$ outputs $t \in T$  // "Sign"
+  - $V(k,m,t)$ outputs `yes' or `no'  // "Verify"
+
+- Symmetric-crypto message authentication:
+  - Alice and Bob share secret key $k$
+  - Generate tag: $\text{tag} \leftarrow S(k,m)$
+  - Verify tag: $V(k,m,\text{tag}) = \texttt{yes}?$
+
+#### MAC security model
+
+- For a MAC $I=(S,V)$ and adversary $A$, define a MAC game as:
+- Def: $I=(S,V)$ is a secure MAC if for all "efficient" $A$,
+  - $\operatorname{Adv}^{\operatorname{MAC}}[A,I] = \Pr[\text{Chal. outputs }1]$
+  - is negligible
+
+- MAC game (sketch):
+  - Challenger samples $k \leftarrow K$
+  - Adversary makes queries $m_1,\ldots,m_q \in M$
+    - For each $i$, challenger returns $t_i \leftarrow S(k,m_i)$
+  - Adversary outputs a candidate forgery $(m,t)$
+  - Challenger outputs $b=1$ if:
+    - $V(k,m,t)=\texttt{yes}$ and
+    - $(m,t) \notin \{(m_1,t_1),\ldots,(m_q,t_q)\}$
+  - Otherwise challenger outputs $b=0$
+
+- MAC security example: secure PRF not sufficient
+  - Suppose $F: K \times X \to Y$ is a secure PRF with $Y=\{0,1\}^{10}$.
+  - Is the derived MAC $I_F$ a secure MAC system?
+    - No: tags are too short, anyone can guess the tag for any message
+
+#### MACs from PRFs: sufficient security condition
+
+- Thm: If $F: K \times X \to Y$ is a secure PRF and $1/|Y|$ is negligible (i.e. $|Y|$ is large), then $I_F$ is a secure MAC.
+- In particular, for every efficient MAC adversary $A$ attacking $I_F$, there exists an efficient PRF adversary $B$ attacking $F$ such that:
+  - $\operatorname{Adv}^{\operatorname{MAC}}[A, I_F] \le \operatorname{Adv}^{\operatorname{PRF}}[B, F] + 1/|Y|$
+- Therefore $I_F$ is secure as long as $|Y|$ is large, e.g. $|Y| = 2^{80}$.
+
+#### MACs from collision resistance
+
+- Let $I=(S,V)$ be a MAC for short messages over $(K,M,T)$ (e.g. AES).
+- Let $H: M_{\text{big}} \to M$.
+- Def: $I_{\text{big}}=(S_{\text{big}},V_{\text{big}})$ over $(K,M_{\text{big}},T)$ as:
+  - $S_{\text{big}}(k,m) = S(k, H(m))$
+  - $V_{\text{big}}(k,m,t) = V(k, H(m), t)$
+- Thm: If $I$ is a secure MAC and $H$ is collision resistant, then $I_{\text{big}}$ is a secure MAC.
+- Example: $S(k,m) = \operatorname{AES2\text{-}block\text{-}cbc}(k, \operatorname{SHA\text{-}256}(m))$ is a secure MAC.
+
+#### Using HMACs for confidentiality + integrity
+
+- Confidentiality:
+  - Semantic security under a CPA
+  - Encryption secure against eavesdropping only
+- Integrity:
+  - Existential unforgeability under a CPA
+  - CBC-MAC, HMAC
+  - Hash functions
+- Confidentiality + integrity:
+  - CCA security
+  - Secure against tampering
+  - Method: Authenticated Encryption (AE)
+  - Encryption + MAC, in correct form
+
+#### Authenticated Encryption: security defs
+
+- An authenticated encryption system $(E,D)$ is a cipher where:
+  - $E: K \times M \times N \to C$
+  - $D: K \times C \times N \to M \cup$ cipher text rejected
+- Security: the system must provide
+  - semantic security under a CPA attack, and
+  - ciphertext integrity: attacker cannot create new ciphertexts that decrypt properly
+
+#### Ciphertext integrity
+
+- Let $(E,D)$ be a cipher with message space $M$.
+- Def: $(E,D)$ has ciphertext integrity if for all "efficient" $A$,
+  - $\operatorname{Adv}^{\operatorname{CI}}[A,E] = \Pr[\text{Chal. outputs }1]$
+  - is negligible
+
+- Security model: ciphertext integrity (sketch):
+  - Challenger samples $k \leftarrow K$
+  - Adversary makes encryption queries $m_1,\ldots,m_q \in M$
+    - For each $i$, challenger returns $c_i \leftarrow E(k,m_i)$
+  - Adversary outputs a ciphertext $c$
+  - Challenger outputs $b=1$ if:
+    - $D(k,c) \ne \bot$ and
+    - $c \notin \{c_1,\ldots,c_q\}$
+  - Otherwise challenger outputs $b=0$
+
+#### Authenticated encryption implies CCA security
+
+- Thm: Let $(E,D)$ be a cipher that provides AE. Then $(E,D)$ is CCA secure.
+- In particular, for any $q$-query efficient adversary $A$, there exist efficient $B_1,B_2$ such that:
+  - $\operatorname{Adv}^{\operatorname{CCA}}[A,E] \le 2q \cdot \operatorname{Adv}^{\operatorname{CI}}[B_1,E] + \operatorname{Adv}^{\operatorname{CPA}}[B_2,E]$
+- Interpretation: CCA advantage is $\le O(\text{CT-integrity advantage}) + \text{CPA advantage}$.
+
+- AE implication: authenticity
+  - Attacker cannot fool Bob into thinking a message was sent from Alice
+  - If attacker cannot create a valid ciphertext $c \notin \{c_1,\ldots,c_q\}$, then whenever $D(k,c) \ne \bot$ Bob knows the message is from someone who knows $k$ (but it could be a replay)
+
+- DS construction example: signing a certificate
+
+### Comparison: integrity/authentication approaches
+
+- 1) Collision resistant hashing: need a read-only public space
+  - Allows public verification if the hash is published in a small read-only public space
+- 2) MACs: must compute a new MAC for every client/user
+  - Must manage a long-term secret key per user to verify MACs (depending on application)
+  - Typically useful when one party signs, one verifies
+- 3) Digital signatures: must manage a long-term secret key
+  - E.g. vendor's signature on software is shipped with software
+  - Allows software to be downloaded from an untrusted distribution site
+  - Public-key verification/rejection works, provided public key distribution is trustworthy
+  - Typically useful when one party signs, many verify
+
 ## Asymmetric key cryptography
 
 ### Asymmetric crypto overview
@@ -430,7 +557,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - is negligible
 - Note: inherently multiple-round because the attacker can always encrypt on their own using $pk$ (CPA power is "built in").
 
-## RSA cryptosystem: overview
+### RSA cryptosystem: overview
 
 - Setup:
   - $n = pq$, with $p$ and $q$ primes
@@ -469,7 +596,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Notes (as commonly stated in lectures):
     - 1024-bit RSA is within reach; 2048-bit is recommended usage
 
-## Diffie-Hellman key exchange (informal)
+### Diffie-Hellman key exchange (informal)
 
 - Fix a large prime $p$ (e.g., 2000 bits)
 - Fix an integer $g \in \{1,\ldots,p\}$
@@ -485,14 +612,14 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Discrete log problem: given $p, g, y = g^x \bmod p$, find $x$
   - Diffie-Hellman function: $\operatorname{DH}_g(g^a, g^b) = g^{ab} \bmod p$
 
-## Diffie-Hellman: security notes
+#### Diffie-Hellman: security notes
 
 - As described, the protocol is insecure against active attacks:
   - A man-in-the-middle (MiTM) can insert themselves and create 2 separate secure sessions
 - Fix idea: need a way to bind identity to a public key
   - In practice: web of trust (e.g., GPG) or Public Key Infrastructure (PKI)
 
-## Implementing trapdoor functions securely
+### Implementing trapdoor functions securely
 
 - Never encrypt by applying $F$ directly to plaintext:
   - Deterministic: cannot be semantically secure
@@ -503,7 +630,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - $E(pk, m)$: output $c \leftarrow F(pk, m)$
   - $D(sk, c)$: output $F^{-1}(sk, c)$
 
-## Public-key encryption from TDFs
+### Public-key encryption from TDFs
 
 - Components:
   - $(G, F, F^{-1})$: secure TDF $X \to Y$
@@ -528,7 +655,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - If $(G, F, F^{-1})$ is a secure TDF, $(E_s, D_s)$ provides authenticated encryption, and $H$ is modeled as a random oracle, then $(G, E, D)$ is CCA-secure in the random oracle model (often denoted CCA-RO).
   - Extension exists to reach full CCA (outside the RO idealization).
 
-## Wrapup: symmetric vs. asymmetric systems
+### Wrapup: symmetric vs. asymmetric systems
 
 - Symmetric: faster, but key distribution is hard
 - Asymmetric: slower, but key distribution/management is easier
@@ -537,7 +664,7 @@ New attacker model for multi-use keys (e.g. multiple blocks): CPA (Chosen Plaint
   - Exchange symmetric keys using an asymmetric scheme
   - Authenticate public keys (PKI or web of trust)
 
-## Key exchange: summary
+### Key exchange: summary
 
 - Symmetric-key encryption challenges:
   - Key storage: one per user pair, $O(n^2)$ total for $n$ users
diff --git a/content/Math4202/Exam_reviews/Math4202_E1.md b/content/Math4202/Exam_reviews/Math4202_E1.md
index 4f2801c..f5bfd97 100644
--- a/content/Math4202/Exam_reviews/Math4202_E1.md
+++ b/content/Math4202/Exam_reviews/Math4202_E1.md
@@ -78,6 +78,27 @@ An $m$-dimensional **manifold** is a topological space  $X$ that is
 2. Second countable: With a countable basis
 3. Local euclidean: Each point of $x$ of $X$ has a neighborhood that is homeomorphic to an open subset of $\mathbb{R}^m$.
 
+<details>
+<summary>Example of space that is not a manifold but satisfies part of the definition</summary>
+
+Non-hausdorff:
+
+Consider the set with two origin $\mathbb{R}\setminus\{0\}$. with $\{p,q\}$, and the topology defined over all the open intervals that don't contain the origin, with set of the form $(-a,0)\cup \{p\}\cup (0,a)$ for $a\in \mathbb{R}$ and $(-a,0)\cup \{q\}\cup (0,a)$.
+
+---
+
+Non-second-countable:
+
+Consider the long line $\mathbb{R}\times [0,1)$
+
+---
+
+Non-local-euclidean:
+
+Any 1-dimensional CW complex (graph) that has a vertex with 3 or more edges connected to it will be Hausdorff and second-countable, but not locally Euclidean at those vertices.
+
+</details>
+
 #### Whitney's Embedding Theorem
 
 If $X$ is a compact $m$-manifold, then $X$ can be imbedded in $\mathbb{R}^N$ for some positive integer $N$.
@@ -97,6 +118,12 @@ Let $\{U_i\}_{i=1}^n$ be a finite open cover of a normal space $X$ (Every pair o
 
 Then there exists a partition of unity dominated by $\{U_i\}_{i=1}^n$.
 
+#### Definition of paracompact space
+
+Locally finite: $\forall x\in X$, $\exists$ open $x\in U$ such that $U$ only intersects finitely many open sets in $\mathcal{B}$.
+
+A space $X$ is paracompact if every open cover $A$ of $X$ has a **locally finite** refinement $\mathcal{B}$ of $A$ that covers $X$.
+
 ### Homotopy
 
 #### Definition of homotopy equivalent spaces
@@ -128,7 +155,6 @@ Two pathes $f$ and $f'$ are path homotopic if
 
 The $\simeq$, $\simeq_p$ are both equivalence relations.
 
-
 #### Definition for product of paths
 
 Given $f$ a path in $X$ from $x_0$ to $x_1$ and $g$ a path in $X$ from $x_1$ to $x_2$.