From 5e2f2aad1c2e3a2c11195dfe254b4a9eb0d9423e Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sat, 3 Jun 2023 18:50:33 -0400
Subject: [PATCH 01/50] Draft payjoin v2 BIP

---
 bip-???-payjoin-v2.mediawiki | 142 +++++++++++++++++++++++++++++++++++
 1 file changed, 142 insertions(+)
 create mode 100644 bip-???-payjoin-v2.mediawiki

diff --git a/bip-???-payjoin-v2.mediawiki b/bip-???-payjoin-v2.mediawiki
new file mode 100644
index 0000000000..0e3b33e4ba
--- /dev/null
+++ b/bip-???-payjoin-v2.mediawiki
@@ -0,0 +1,142 @@
+<pre>
+  BIP: ???
+  Title: Serverless Payjoin
+  Author: Dan Gould <d@ngould.dev>
+  Replaces: 78
+  Status: Draft
+  Type: Standards Track
+  Created: 2023-04-08
+  License: BSD-2-Clause
+</pre>
+
+==Abstract==
+
+This document proposes a second version of the payjoin protocol described in BIP 78, allowing full payjoin receiver functionality including payment output substitution without the requirement to host a secure public endpoint. This requirement is replace with network protocols available in all modern web browsers.
+
+===Copyright===
+
+This BIP is licensed under the 2-clause BSD license.
+
+==Motivation==
+
+Payjoin[^1] solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner."[^2] Breaking that common-input ownership assumption requires contributions from multiple owners via interaction, namely hosting a server endpoint secured by a certificate on the receiving side either via TLS or Tor onion hidden service. Because the protocol is synchronous, both sender and reciever must be online to payjoin. These problems of convenience have been identified as the greatest barriers to widespread payjoin adoption.[^3]
+
+===Relation to BIP 78 (Payjoin v1)===
+
+The BIP 78 standard allows for an [[#|unsecured payjoin server|]] to operate separately from the so-called "payment server" which generates [[bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages are neither authenticated nor encrypted a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring [[payment output substitition]] to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition without compromising sender or receiver privacy.
+
+Although server separation is mentioned in BIP 78, no specification exists to deploy them. This document specifies one. The opportunity to make the protocol asynchronous is also taken.
+
+The protocols in this document reuse BIP 78's BIP 21 URI parameters in order to reduce the size of v2 URIs and their QR code representations. It also provides a downgrade mechanism for unsecured payjoin relay to support v1 senders without modification. A timeout parameter is introduced better coordinate the synchronous v1 protocol.
+
+==Specification==
+
+===Overview===
+
+Instead of a public http endpoint, this scheme allows a streaming client to act as a reciever. Requests are relayed via a server hosting , and symmetric cryptography for security. Without a replacement for secured networking, the relay could steal funds. Aside from a pre-shared secret and relayed networking, the PSBT protocol takes the same form as the existing BIP 78 spec.
+
+===Basic scheme===
+
+The recipient first generates a 256-bit key psk. This pre-shared key will be the basis of end to end encryption over the relay.
+
+Rather than hosting a public server, they may allocate a subdirectory from to the http relay and start a streaming session to receive messages. This allocation includes the first 8 characters of the hash of their PSK as an identifier where they can be reached by another client. They await a payjoin request on this session. Out of band, they share a BIP 21[^5] payjoin uri including the relay endpoint in the <code>pj</code> query parameter and the pre-shared key in a new <code>psk</code> query parameter.
+
+The sender constructs their request containing a PSBT and optional parameters as in BIP 78. They construct an encrypted an authenticated payload from this data<!-- noise framework NNpsk0[^6] pattern message A with he original PSBT as the payload using psk to encrypt then MAC-->. The resulting ciphertext ensures message secrecy and integrity when sent to the recipient by the relay hosted <code>pj</code> endpoint.
+
+The pay-to-endpoint proceeds as in BIP 78. The sender's request is relayed to the receiver over their streaming session via the relay allocation. Messages are secured by symmetric cryptography <!--the noise NNpsk0 pattern--> rather than TLS or Onion routing session key.
+
+===V2 Payjoin Protocol===
+
+Payjoin v2 messages use [[bip-0370.mediawiki|BIP 370 PSBT v2]] format to simplify PSBT mutation and obsolete the transaction finalizer.
+
+Assuming the receiver has already allocated space according to the [[#allocation|allocation protocol]] the relay, the payjoin protocol follows these steps. Steps required only when using a relay are prefixed [relay].
+
+* The receiver of the payment, pre-shares a [[bip-0021.mediawiki|BIP 21 URI]] to the sender with a parameter <code>pj=</code> describing a payjoin endpoint and parameter <code>psk=</code> with 256-bit secret key.
+* The sender creates a complete signed PSBT. We call this the <code>Fallback PSBT</code>, akin to BIP 78's Original PSBT. This Fallback PSBT and optional sender parameters are encrypted then authenticated with the <code>psk</code> using symmetric encryption and is transmitted to the payjoin endpoint.
+* [relay] If the receiver is online, the relay transmits the payload to the reciver, else it responds with a success code notifying the sender that the receiver is offline.
+* The receiver processes the payload, modifies the PSBT invalidating sender signatures. It updates it to include its signed inputs and outputs. It signs its inputs. We call this the <code>Payjoin PSBT</code>, akin to BIP 78's <code>Payjoin proposal PSBT</code>. It responds with the Payjoin PSBT encrypted then authenticated under psk.
+* [relay] The relay awaits a connection from the sender. Upon connection, it relays the encrypted Payjoin PSBT to the sender.
+* The sender validates the Payjoin PSBT, signs his inputs broadcasts the transaction to the Bitcoin network. We call this transaction <code>Payjoin transaction</code>.
+
+The Fallback Payload is sent in an HTTP POST request body, base64 serialized, with <code>text/plain</code> in the <code>Content-Type</code> HTTP header and <code>Content-Length</code> set correctly.
+The Payjoin PSBT is sent in the HTTP response body, base64 serialized with HTTP code 200.
+
+To ensure compatibility with web-wallets and browser-based-tools, all responses (including errors) must contain the HTTP header <code>Access-Control-Allow-Origin: *</code>.
+
+Because the payloads themselves are encrypted, the protcol is safe to transmit over unsecured network protocols. Senders MAY accept a url representing unencrypted, unauthenticated connections.
+
+The Fallback PSBT MUST:
+* Have all the <code>witnessUTXO</code> or <code>nonWitnessUTXO</code> information filled in.
+* Be signed.
+* Be broadcastable.
+<!-- * Not include fields unneeded for the receiver such as global xpubs or keypath information. (? curious if PSBTv2 obviates this requirement, I believe it does) -->
+
+The Fallback PSBT MAY:
+* Have outputs unrelated to the payment for batching purpose.
+
+The Payjoin PSBT MUST:
+* Use all the inputs from the Fallback PSBT.
+* Use all the outputs which do not belongs to the receiver from the original PSBT.
+<!-- * Only finalize the inputs added by the receiver. (Referred later as <code>additional inputs</code>) -->
+* Only fill the <code>witnessUTXO</code> or <code>nonWitnessUTXO</code> for the additional inputs.
+
+The Payjoin PSBT sender MAY:
+* Add, remove or modify Fallback PSBT outputs under the control of the receiver (i.e. not sender change).
+
+The Payjoin PSBT MUST NOT:
+* Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
+* Decrease the absolute fee of the original transaction.
+
+===Serverless Relay Allocation Protocol===
+
+A relay hosts both an HTTP server to service BIP 78 requests from the sender and a streaming server with WebTransport. The relay protocol is inspired by TURN.
+
+Relay allocation and usage takes the following steps
+
+* First, the client contacts a Relay server with an "Allocate" request. The Allocate request asks the relay to allocate some of its resources for the client so that it may contact a peer. If allocation is possible, the server allocates an address for the client to use as a relay, and sends the client an "Allocation Successful" response, which contains an "allocated relayed transport address " subdirectory located at the TURN server. 
+* Second, the client sends in a CreatePermissions request to the Relay server to create a permissions check system for peer-server communications. In other words, when a sender is finally contacted and sends information back to the Relay to be relayed to client, the Relay uses the permissions to verify that the peer-to-TURN server communication is valid (by checking psk signature). 
+* A receiver enrolls at the relay's allocation endpoint including relevant authentication headers to prevent DoS. An API token, proof of work, ecash, or payment of a lightning invoice could all impose cost to prevent DoS
+* The relay responds with an allocation identifier subdirectory <!-- The relay may need to keep multiple mailboxes for requests and some way to identify senders if it's re-using one. Or maybe all the (encrypted) data can be pushed and they can just try to decrypt to get it. the receiver should be the one to delete encrypted PSBT after receipt or have it automatically go stale by the server --> 
+* Upon receiving a POST request to payjoin, the server relays the request to the receiver, otherwise it holds onto it until it starts a session with the server again
+* A sender who went offline after receiving success response but "receiver unavailable" should make another request to the relay when it comes online and be pushed any updates at the time of their arrival from the server.
+
+===BIP21 payjoin parameters===
+
+This proposal is defining the following new [[bip-0021.mediawiki|BIP 21 URI]] parameters:
+* <code>dl=</code>: Represents an deadline after which the sender will post the fallback transaction. Exclude for asynchronous operation of the protocol.
+
+===<span id="optional-params"></span>Optional query parameters===
+
+When the payjoin sender posts the original PSBT to the receiver, he can optionally specify the following HTTP query string parameters:
+
+* <code>v=</code>, the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
+
+===Improvements===
+
+====Offline Asynchronous Payjoins====
+
+The relay may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid. Storing such requests without requring client authentication may create a vulnerability to relay DoS attacks. More research needs to be done before such a protocol can be recommended.
+
+The existing BIP 78 protocol has to be synchronous only for "interactive" endpoints which may be vulnerable to probing attacks. They can cover this tradeoff by demanding a fallback transaction that would not preserve privacy the same way as a payjoin. They could specify a deadline after which they will broadcast this fallback with a new deadline <code>dl=</code> <!-- I also like to for timeout --> parameter.
+
+===Noteworthy details===
+
+====Backwards Compatibility====
+
+The receivers are advertising payjoin capabilities through [[bip-0021.mediawiki|BIP21's URI Scheme]].
+
+Senders not supporting payjoin will just ignore the <code>pj</code> variable and thus, will proceed to normal payment.
+
+Receivers may allow v1 senders to send unencrypted payloads to the relay. Payjoin relayed this way should enable <code>pjos=0</code> so that these v1 sender's disable output substitution across a relay since the v1 messages are neither encrypted nor authenticated. The relay protocol should carry as normal, bundling HTTP header, query, and body information to send to the receiver.
+
+====Attack vectors====
+
+Since relays store arbitrary encrypted payloads to the tragedy of the commons and denial of service attacks. Relay operators may impose an authentication requirement or proof of work before they provide relay service.
+
+Since psk is a symmetric key, the first message containing the sender's original PSBT does not have forward secrecy.
+
+Since the Fallback transaction is valid, even in the asynchronous setting where <code>dl=<code> is not specified, the receiver may broadcast it and lose out on ambiguous privacy protection from payjoin.
+
+====Network Privacy====
+
+Peers will only see the IP address of the relay but not their peer's. Relays may be made available via Tor hidden service in addition to IP to allow either of the peers to protect their IP with Tor without forcing the other to use it too.

From 3df3f51bf2e9145ede6cf751f45bde95f083bee9 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sat, 12 Aug 2023 16:49:05 -0400
Subject: [PATCH 02/50] Include mailing list feedback

---
 bip-???-payjoin-v2.mediawiki | 272 +++++++++++++++++++++++++----------
 1 file changed, 200 insertions(+), 72 deletions(-)

diff --git a/bip-???-payjoin-v2.mediawiki b/bip-???-payjoin-v2.mediawiki
index 0e3b33e4ba..5c74ac1b3c 100644
--- a/bip-???-payjoin-v2.mediawiki
+++ b/bip-???-payjoin-v2.mediawiki
@@ -1,142 +1,270 @@
 <pre>
   BIP: ???
-  Title: Serverless Payjoin
+  Layer: Applications
+  Title: Payjoin Version 2: Serverless Payjoin
   Author: Dan Gould <d@ngould.dev>
-  Replaces: 78
   Status: Draft
+  Replaces: 78
   Type: Standards Track
-  Created: 2023-04-08
+  Created: 2023-08-08
   License: BSD-2-Clause
 </pre>
 
 ==Abstract==
 
-This document proposes a second version of the payjoin protocol described in BIP 78, allowing full payjoin receiver functionality including payment output substitution without the requirement to host a secure public endpoint. This requirement is replace with network protocols available in all modern web browsers.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party relay and streaming clients which communicate using an asynchronous protocol and authenticated, encrypted payloads.
 
-===Copyright===
+==Copyright==
 
 This BIP is licensed under the 2-clause BSD license.
 
 ==Motivation==
 
-Payjoin[^1] solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner."[^2] Breaking that common-input ownership assumption requires contributions from multiple owners via interaction, namely hosting a server endpoint secured by a certificate on the receiving side either via TLS or Tor onion hidden service. Because the protocol is synchronous, both sender and reciever must be online to payjoin. These problems of convenience have been identified as the greatest barriers to widespread payjoin adoption.[^3]
+Payjoin solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner." Breaking that common-input ownership assumption and others requires input from multiple owners. Cooperative transaction construction also increases transaction throughput by providing new opportunity for payment batching and transaction cut-through.
+
+Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor onion hidden service hosted by the receiver. Version 1 is synchronous, so both sender and reciever must be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. These barriers are [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html|regarded]] as limits to payjoin adoption.
+
+The primary goal of this proposal is to provide a practical coordination mechanism  to be adopted in a vast majority of wallet environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
+
+===Relation to BIP 78 (Payjoin version 1)===
 
-===Relation to BIP 78 (Payjoin v1)===
+The message payloads in this version parrallel those used in BIP 78 while being encapsulated in authenticated encryption, forgoing HTTP messaging for WebTransport streaming of asynchronus interactions, and leveraging PSBT version 2.
 
-The BIP 78 standard allows for an [[#|unsecured payjoin server|]] to operate separately from the so-called "payment server" which generates [[bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages are neither authenticated nor encrypted a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring [[payment output substitition]] to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitition to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition while using a relay without compromising sender or receiver privacy.
 
-Although server separation is mentioned in BIP 78, no specification exists to deploy them. This document specifies one. The opportunity to make the protocol asynchronous is also taken.
+Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation of one exists. This document specifies one to be backwards compatible with version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the relay stealing funds.
 
-The protocols in this document reuse BIP 78's BIP 21 URI parameters in order to reduce the size of v2 URIs and their QR code representations. It also provides a downgrade mechanism for unsecured payjoin relay to support v1 senders without modification. A timeout parameter is introduced better coordinate the synchronous v1 protocol.
+The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Fallback PSBT timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
+
+===Relation to Stowaway===
+
+[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from the wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to online Stowaway's synchronous HTTP-based messaging. Offline stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
 ===Overview===
 
-Instead of a public http endpoint, this scheme allows a streaming client to act as a reciever. Requests are relayed via a server hosting , and symmetric cryptography for security. Without a replacement for secured networking, the relay could steal funds. Aside from a pre-shared secret and relayed networking, the PSBT protocol takes the same form as the existing BIP 78 spec.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows a WebTransport client to enroll with a relay server to receive payjoin. Relays may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the relay to support asynchronous interaction. Authenticated encryption prevents the relay from snooping on message contents or forging messages. Aside from a application layer authenticate encryption and relayed asynchronus networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
-The recipient first generates a 256-bit key psk. This pre-shared key will be the basis of end to end encryption over the relay.
-
-Rather than hosting a public server, they may allocate a subdirectory from to the http relay and start a streaming session to receive messages. This allocation includes the first 8 characters of the hash of their PSK as an identifier where they can be reached by another client. They await a payjoin request on this session. Out of band, they share a BIP 21[^5] payjoin uri including the relay endpoint in the <code>pj</code> query parameter and the pre-shared key in a new <code>psk</code> query parameter.
-
-The sender constructs their request containing a PSBT and optional parameters as in BIP 78. They construct an encrypted an authenticated payload from this data<!-- noise framework NNpsk0[^6] pattern message A with he original PSBT as the payload using psk to encrypt then MAC-->. The resulting ciphertext ensures message secrecy and integrity when sent to the recipient by the relay hosted <code>pj</code> endpoint.
+The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the relay.
 
-The pay-to-endpoint proceeds as in BIP 78. The sender's request is relayed to the receiver over their streaming session via the relay allocation. Messages are secured by symmetric cryptography <!--the noise NNpsk0 pattern--> rather than TLS or Onion routing session key.
+Rather than hosting a public server, they start a streaming session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message streamed from the relay to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] payjoin uri including the relay endpoint in the <code>pj=</code> query parameter.
 
-===V2 Payjoin Protocol===
+The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when streamed to the recipient by the relay-hosted subdirectory <code>pj=</code> endpoint.
 
-Payjoin v2 messages use [[bip-0370.mediawiki|BIP 370 PSBT v2]] format to simplify PSBT mutation and obsolete the transaction finalizer.
+Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin relay subdirectory.
 
-Assuming the receiver has already allocated space according to the [[#allocation|allocation protocol]] the relay, the payjoin protocol follows these steps. Steps required only when using a relay are prefixed [relay].
+===Payjoin version 2 messaging===
 
-* The receiver of the payment, pre-shares a [[bip-0021.mediawiki|BIP 21 URI]] to the sender with a parameter <code>pj=</code> describing a payjoin endpoint and parameter <code>psk=</code> with 256-bit secret key.
-* The sender creates a complete signed PSBT. We call this the <code>Fallback PSBT</code>, akin to BIP 78's Original PSBT. This Fallback PSBT and optional sender parameters are encrypted then authenticated with the <code>psk</code> using symmetric encryption and is transmitted to the payjoin endpoint.
-* [relay] If the receiver is online, the relay transmits the payload to the reciver, else it responds with a success code notifying the sender that the receiver is offline.
-* The receiver processes the payload, modifies the PSBT invalidating sender signatures. It updates it to include its signed inputs and outputs. It signs its inputs. We call this the <code>Payjoin PSBT</code>, akin to BIP 78's <code>Payjoin proposal PSBT</code>. It responds with the Payjoin PSBT encrypted then authenticated under psk.
-* [relay] The relay awaits a connection from the sender. Upon connection, it relays the encrypted Payjoin PSBT to the sender.
-* The sender validates the Payjoin PSBT, signs his inputs broadcasts the transaction to the Bitcoin network. We call this transaction <code>Payjoin transaction</code>.
+Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki|BIP 370 PSBT v2]] format to fascilitate PSBT mutation.
 
-The Fallback Payload is sent in an HTTP POST request body, base64 serialized, with <code>text/plain</code> in the <code>Content-Type</code> HTTP header and <code>Content-Length</code> set correctly.
-The Payjoin PSBT is sent in the HTTP response body, base64 serialized with HTTP code 200.
+The payjoin version 2 protocol takes the following steps:
 
-To ensure compatibility with web-wallets and browser-based-tools, all responses (including errors) must contain the HTTP header <code>Access-Control-Allow-Origin: *</code>.
+- The recipient sends their payjoin pubkey and optional authentication credential according to [[#receiver-relay-enrollment|receiver relay enrollment]] protocol. It may go offline and replay enrollment to come back online.
+- Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter describing the relay subdirectory endpoint parameter with base64-uri encoded pubkey. To support version 1 senders the relay acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
+- The sender creates a valid PSBT according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]] formatted as PSBTv2. We call this the <code>Fallback PSBT</code>. This Fallback PSBT, optional sender parameters, and cryptographic keys are encrypted and authenticated according to the Secp256k1 IK handshake and streamed to the relay subdirectory endpoint.
+- The sender awaits a response from the relay stream containing an encrypted <code>Payjoin PSBT</code> as Message B. It can replay the <code>Fallback PSBT</code> Mesasge A to request a response if it goes offline.
+- The request is stored in the receiver's subdirectory buffer.
+- Once the receiver is online, it awaits a stream of request updates from the relay. The receiver decrypts aund authenticates the payload then checks it according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates it to include new signed inputs and outputs invalidating sender signatures, and may adjust the fee. We call this the <code>Payjoin PSBT</code>.
+- It responds with the <code>Payjoin PSBT</code> encrypted then authenticated as Message B according to the Secp256k1 IK handshake.
+- The relay awaits a connection from the sender if it goes offline. Upon connection, it relays the encrypted <code>Payjoin PSBT</code> to the sender.
+- The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
-Because the payloads themselves are encrypted, the protcol is safe to transmit over unsecured network protocols. Senders MAY accept a url representing unencrypted, unauthenticated connections.
+The encrypted Fallback PSBT and Payjoin PSBT payloads are sent as bytes.
 
 The Fallback PSBT MUST:
-* Have all the <code>witnessUTXO</code> or <code>nonWitnessUTXO</code> information filled in.
-* Be signed.
-* Be broadcastable.
-<!-- * Not include fields unneeded for the receiver such as global xpubs or keypath information. (? curious if PSBTv2 obviates this requirement, I believe it does) -->
+
+- Include complete UTXO data.
+- Be signed.
+- Exclude unnecessary fields such as global xpubs or keypath information. <!-- I believe PSBTv2 obviates this requirement -->
+- Set input and output Transaction Modifiable Flags to 1
+- Be broadcastable.
 
 The Fallback PSBT MAY:
-* Have outputs unrelated to the payment for batching purpose.
+
+- Include outputs unrelated to the sender-receiver transfer for batching purposes.
+- Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1
 
 The Payjoin PSBT MUST:
-* Use all the inputs from the Fallback PSBT.
-* Use all the outputs which do not belongs to the receiver from the original PSBT.
-<!-- * Only finalize the inputs added by the receiver. (Referred later as <code>additional inputs</code>) -->
-* Only fill the <code>witnessUTXO</code> or <code>nonWitnessUTXO</code> for the additional inputs.
+
+- Include all inputs from the Fallback PSBT.
+- Include all outputs which do not belong to the receiver from the Fallback PSBT.
+- Include complete UTXO data.
 
 The Payjoin PSBT sender MAY:
-* Add, remove or modify Fallback PSBT outputs under the control of the receiver (i.e. not sender change).
+
+- Add, remove or modify Fallback PSBT outputs under the control of the receiver (i.e. not sender change).
 
 The Payjoin PSBT MUST NOT:
-* Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
-* Decrease the absolute fee of the original transaction.
 
-===Serverless Relay Allocation Protocol===
+- Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
+- Decrease the absolute fee of the original transaction.
+
+===Receiver's Payjoin PSBT checklist===
+
+Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist|the BIP 78 receiver checklist]]
+
+===Sender's Payjoin PSBT checklist===
+
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078#senders-payjoin-proposal-checklist|the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+
+===Relay interactions===
+
+The Payjoin Relay provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It is available on the open internet over HTTPS to accept both WebTransport for Payjoin version 2, accepting encrypted payloads, and optionally HTTP/1.1 to support backwards compatible Payjoin version 1 requests.
+
+===Receiver interactions===
+
+====Relay enrollment====
+
+Receivers must enroll to have resources allocated on a relay. Sessions may begin by having a receiver send the static pubkey to the relay. The receiver returns the subdirectory endpoint url with the final subdirectory as base64-uri encoded pubkey. Enrollment may be replayed in case the receiver goes offline.
+
+Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the Relay out of band. If authentication fails an error is returned.
+
+In the case a relay is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the relay describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
+
+====Receiver Payjoin PSBT response====
+
+The receiver streams the base64 Payjoin PSBT as encrypted bytes according to Secp256k1 IK.
+
+===Sender interactions===
+
+The sender starts a WebTransport session with the relay at the Payjoin endpoint URI provided by the receiver. It sends the following payload and awaits a relayed response payload from the receiver.
+
+====Version 2 Fallback PSBT request====
+
+The version 2 Fallback PSBT Payload is constructed in JSON before being encrypted as follows.
+
+<pre>
+{
+  "psbt": "<fallback_psbt_data_base64>",
+  "params": {
+      "param1": "<value1>",
+      "param2": "<value1>",
+      ...
+  }
+}
+</pre>
+
+The payload must be encrypted according to Secp256k1 IK.
+
+====Version 1 Fallback PSBT request====
+
+The message should be the same as version 2 but unencrypted, as version 1 is unaware of encryption when using an unsecured payjoin server. The Relay should convert the PSBT to PSBTv2 and construct the JSON payload from the HTTP request body and optional query parameters. Upon receiving an unencrypted PSBTv2 response from a receiver, it should convert it to PSBTv0 for compatibility with BIP 78.
+
+===Asynchronous relay buffers===
+
+Each receiver subdirectory on the relay server has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent to relevant client sessions.
+
+===BIP 21 receiver parameters===
+
+A major benefit of BIP 78 payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
+
+This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
+
+- <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the Fallback and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
+
+BIP 78's BIP 21 payjoin parameters are also valid for version 2.
+
+===Optional sender parameters===
+
+When the payjoin sender posts the original PSBT to the receiver, it can optionally specify the following HTTP query string parameters:
+
+- <code>v</code>: represents the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
+
+BIP 78's optional query parameters are also valid as version 2 parameters.
+
+==Rationale==
+
+===Request expiration & fallback===
+
+The relay may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
+
+The existing BIP 78 protocol has to be synchronous only for automated endpoints which may be vulnerable to probing attacks. It can cover this tradeoff by demanding a fallback transaction that would not preserve privacy the same way as a payjoin. BIP 21 URI can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this fallback with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
+
+===WebTransport===
+
+Many transport protocols are good candidates for Serverless Payjoin functionality, but WebTransport stands out in its ability to stream and take advantage of QUIC's performance in mobile environments. In developing this BIP, serverless payjoin proofs of concept using TURN, HTTP/1.1 long polling, WebSockets, Magic Wormhole, and Nostr have been made. Streaming allows the relay to have more granular and asynchronous understanding of the state of the peers, and this protcol is designed specifically to address the shortcomings of an HTTP protocol's requirement to receive from a reliable, always-online connection.
+
+While WebTransport and HTTP/3 it is built on are relatively new, widespread support across browsers assures me that it is being accepted as a standard and even has a fallback to HTTP/2 environments. Being built on top of QUIC allows it to multiplex connections from a relay to multiple peers which may prove advantageous for later payjoin protocols between more than two participants contributing inputs, such as those used to fund a lightning node with channels from multiple sources in one transaction, or those with threat models more similar to ZeroLink CoinJoin.
+
+While Nostr is fascinating from the perspective of censorship resistance, the backwards compatibility with Payjoin v1 would mean only custom Nostr Payjoin relays exposing an https endpoint would be suitable. Nostr transport is also limited by the performance of WebSockets, being an abstraction on top of that protocol. There is nothing stopping a new version of this protocol or a NIP making Payjoin version 2 possible over Nostr should Payjoin censorship become a bottleneck in the way of adoption.
+
+WebTransport is already shipped in both Firefox, Chrome, h3 in Rust, Go, and all popular languages. There is also [[https://w3c.github.io/p2p-webtransport/|a working draft for full P2P WebTransport]] without any relay, which a future payjoin protocol may make use of.
+
+===Secp256k1 IK inspired handshake===
+
+<-- The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static noise keys are only to be used once per session
+
+====Noise IK pattern====
+
+<pre>
+NKpsk0:
+  <- s
+  ...
+  -> e, es, s, ss
+  <- e, ee, se
+</pre>
+
+====BIP 21 pre-shared public key====
+
+The recipient shares the first handshake message containing the receiver's static public key, i.e. <code>s</code> in Noise framework parlance. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64url]] encoding so it can be provided in the <code>pj=</code> parameter
+
+====Fallback PSBT Message A====
+
+Sender derives an ephemeral secp256k1 key pair for this session. Sender derives a shared secret using Elliptic Cureve Diffie-Hellman (ECDH) key agreement. The sender derives a symmetric key
+
+Message A includes a sender ephemeral key, DH shared secret derived from the sender's ephemeral key and the receiver's static key, the sender's static key <code>s</code>, and a shared <code>ss</code> DH secret derived from both sender and receiver's static keys.
+
+Message A, sent by the sender, benefits from receiver authentication and is resistant to Key Compromise Impersonation. Message contents benefit from message secrecy and some forward secrecy since ephemeral keys are used. The compromise of the receivers's (but not the sender's) static private keys,even at a later date, will lead to message contents being decrypted by an attacker.
+
+====Payjoin PSBT Message B====
+
+Message B is encreypted and authenticated using the shared secrets based off of per-session ephemeral keys.
 
-A relay hosts both an HTTP server to service BIP 78 requests from the sender and a streaming server with WebTransport. The relay protocol is inspired by TURN.
+The receiver's shared secrets 
 
-Relay allocation and usage takes the following steps
+The sender can be confident that message B has sender authentication and is Key Compromise Impersonation resistant. If the sender receives a valid message from the receiver, then the receiver must have sent that message, unless the keys have been compromised before this session. If the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an active attacker, should that attacker also have forged the initiator's ephemeral key during the session
 
-* First, the client contacts a Relay server with an "Allocate" request. The Allocate request asks the relay to allocate some of its resources for the client so that it may contact a peer. If allocation is possible, the server allocates an address for the client to use as a relay, and sends the client an "Allocation Successful" response, which contains an "allocated relayed transport address " subdirectory located at the TURN server. 
-* Second, the client sends in a CreatePermissions request to the Relay server to create a permissions check system for peer-server communications. In other words, when a sender is finally contacted and sends information back to the Relay to be relayed to client, the Relay uses the permissions to verify that the peer-to-TURN server communication is valid (by checking psk signature). 
-* A receiver enrolls at the relay's allocation endpoint including relevant authentication headers to prevent DoS. An API token, proof of work, ecash, or payment of a lightning invoice could all impose cost to prevent DoS
-* The relay responds with an allocation identifier subdirectory <!-- The relay may need to keep multiple mailboxes for requests and some way to identify senders if it's re-using one. Or maybe all the (encrypted) data can be pushed and they can just try to decrypt to get it. the receiver should be the one to delete encrypted PSBT after receipt or have it automatically go stale by the server --> 
-* Upon receiving a POST request to payjoin, the server relays the request to the receiver, otherwise it holds onto it until it starts a session with the server again
-* A sender who went offline after receiving success response but "receiver unavailable" should make another request to the relay when it comes online and be pushed any updates at the time of their arrival from the server.
+====Secp256k1====
 
-===BIP21 payjoin parameters===
+Secp256k1 should be used in place of Noise's specified Curve25519 DH functions because of it's availability in bitcoin contexts.
 
-This proposal is defining the following new [[bip-0021.mediawiki|BIP 21 URI]] parameters:
-* <code>dl=</code>: Represents an deadline after which the sender will post the fallback transaction. Exclude for asynchronous operation of the protocol.
+====ChaCha20Poly1305 AEAD====
 
-===<span id="optional-params"></span>Optional query parameters===
+This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305|algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439|RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki|BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
 
-When the payjoin sender posts the original PSBT to the receiver, he can optionally specify the following HTTP query string parameters:
+===PSBT Version 2===
 
-* <code>v=</code>, the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
+The PSBT version 1 protocol was replaced because it was not designed to have inputs and outputs be mutated. Payjoin mutates the PSBT, so BIP 78 uses a hack where a new PSBT is created by the receiver instead of mutating it. This can cause some strange behaviors from signers who don't know where to look to find the scripts that they are accountable for. PSBT version 2 makes mutating a PSBT's inputs and outputs trivial. It also eliminates the transaction finalization step. Receivers who do not understand PSBT version 1 may choose to reject Payjoin version 1 requests and only support PSBT version 2.
 
-===Improvements===
+===Attack vectors===
 
-====Offline Asynchronous Payjoins====
+Since relays store arbitrary encrypted payloads to the tragedy of the commons and denial of service attacks. Relay operators may impose an authentication requirement before they provide relay service to receivers to mitigate such attacks.
 
-The relay may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid. Storing such requests without requring client authentication may create a vulnerability to relay DoS attacks. More research needs to be done before such a protocol can be recommended.
+Since we make use of 0-RTT IK, the first message containing the sender's original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Fallback PSBT could be read.
 
-The existing BIP 78 protocol has to be synchronous only for "interactive" endpoints which may be vulnerable to probing attacks. They can cover this tradeoff by demanding a fallback transaction that would not preserve privacy the same way as a payjoin. They could specify a deadline after which they will broadcast this fallback with a new deadline <code>dl=</code> <!-- I also like to for timeout --> parameter.
+Since the Fallback PSBT is valid, even where <code>exp=</code> is specified, the receiver may broadcast it and lose out on ambiguous privacy protection from payjoin at any time. Though unfortunate, this is the typical bitcoin transaction flow today anyhow.
 
-===Noteworthy details===
+===Network privacy===
 
-====Backwards Compatibility====
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the relay, not their peer's. Relays may be made available via Tor hidden service or Oblivious HTTP in addition to IP / DNS to allow either of the peers to protect their IP from the relay with without requiring both peers to use additional network security dependencies.
 
-The receivers are advertising payjoin capabilities through [[bip-0021.mediawiki|BIP21's URI Scheme]].
+==Backwards compatibility==
 
-Senders not supporting payjoin will just ignore the <code>pj</code> variable and thus, will proceed to normal payment.
+The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP21's URI Scheme]].
 
-Receivers may allow v1 senders to send unencrypted payloads to the relay. Payjoin relayed this way should enable <code>pjos=0</code> so that these v1 sender's disable output substitution across a relay since the v1 messages are neither encrypted nor authenticated. The relay protocol should carry as normal, bundling HTTP header, query, and body information to send to the receiver.
+Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
 
-====Attack vectors====
+Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The relay protocol should carry on as normal, validating based on HTTP headers and constructing an unencrypted Version 2 payload from optional query parameters, and PSBT in the body.
 
-Since relays store arbitrary encrypted payloads to the tragedy of the commons and denial of service attacks. Relay operators may impose an authentication requirement or proof of work before they provide relay service.
+The BIP 78 error messages are already JSON formatted, so it made sense to rely on the same dependency for these payloads and error messages.
 
-Since psk is a symmetric key, the first message containing the sender's original PSBT does not have forward secrecy.
+==Reference implementation==
 
-Since the Fallback transaction is valid, even in the asynchronous setting where <code>dl=<code> is not specified, the receiver may broadcast it and lose out on ambiguous privacy protection from payjoin.
+An early proof of concept draft reference implementation can be found at https://github.com/payjoin/rust-payjoin/pull/78. It implements an asynchronous payment flow using WebSockets using PSBTv1 without encryption. Another reference can be found at https://github.com/payjoin/rust-payjoin/pull/21 which uses HTTP long polling for transport and Noise NNpsk0 for crypto. Recently, I've come to realize the rationale for WebTransport, PSBTv2, and Noise IK substitutions and am working on an implementation including this exact specification, but wanted to get early feedback on this design in the spirit of BIP 2.
 
-====Network Privacy====
+==Acknowledgements==
 
-Peers will only see the IP address of the relay but not their peer's. Relays may be made available via Tor hidden service in addition to IP to allow either of the peers to protect their IP with Tor without forcing the other to use it too.
+Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, waxwing, Christopher Allen, Symphonic, and countless twitter plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.
\ No newline at end of file

From 936d0e7fd99f54fdae0c1e792bb256348d3dcb99 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 1 Nov 2023 16:05:39 -0400
Subject: [PATCH 03/50] Include TABConf feedback

---
 bip-???-payjoin-v2.mediawiki | 169 ++++++++++++++---------------------
 1 file changed, 66 insertions(+), 103 deletions(-)

diff --git a/bip-???-payjoin-v2.mediawiki b/bip-???-payjoin-v2.mediawiki
index 5c74ac1b3c..83c67a0aaa 100644
--- a/bip-???-payjoin-v2.mediawiki
+++ b/bip-???-payjoin-v2.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party relay and streaming clients which communicate using an asynchronous protocol and authenticated, encrypted payloads.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party relay and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use Oblivious HTTP to prevent the relay and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -22,29 +22,29 @@ This BIP is licensed under the 2-clause BSD license.
 
 Payjoin solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner." Breaking that common-input ownership assumption and others requires input from multiple owners. Cooperative transaction construction also increases transaction throughput by providing new opportunity for payment batching and transaction cut-through.
 
-Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor onion hidden service hosted by the receiver. Version 1 is synchronous, so both sender and reciever must be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. These barriers are [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html|regarded]] as limits to payjoin adoption.
+Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is synchronous, requiring both sender and reciever to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet develoepers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html|regard]] these as limits to payjoin adoption.
 
-The primary goal of this proposal is to provide a practical coordination mechanism  to be adopted in a vast majority of wallet environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
+The primary goal of this proposal is to provide a practical coordination mechanism adaptable to a majority of wallet environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
 
 ===Relation to BIP 78 (Payjoin version 1)===
 
-The message payloads in this version parrallel those used in BIP 78 while being encapsulated in authenticated encryption, forgoing HTTP messaging for WebTransport streaming of asynchronus interactions, and leveraging PSBT version 2.
+The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180|HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
 
 The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitition to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition while using a relay without compromising sender or receiver privacy.
 
-Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation of one exists. This document specifies one to be backwards compatible with version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the relay stealing funds.
+Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin relay as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the relay stealing funds.
 
-The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Fallback PSBT timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
+The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original PSBT timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
 
 ===Relation to Stowaway===
 
-[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from the wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to online Stowaway's synchronous HTTP-based messaging. Offline stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows a WebTransport client to enroll with a relay server to receive payjoin. Relays may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the relay to support asynchronous interaction. Authenticated encryption prevents the relay from snooping on message contents or forging messages. Aside from a application layer authenticate encryption and relayed asynchronus networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward relay server to receive payjoin. Relays may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the relay to support asynchronous interaction. Authenticated encryption prevents the relay from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the relay to prevent metadata attacks. Aside from a application layer authenticated encryption and relayed asynchronus networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
@@ -62,19 +62,17 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 
 The payjoin version 2 protocol takes the following steps:
 
-- The recipient sends their payjoin pubkey and optional authentication credential according to [[#receiver-relay-enrollment|receiver relay enrollment]] protocol. It may go offline and replay enrollment to come back online.
+- The recipient sends their payjoin pubkey and optional authentication credential according to [[#relay-enrollment|receiver relay enrollment]] protocol. It may go offline and replay enrollment to come back online.
 - Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter describing the relay subdirectory endpoint parameter with base64-uri encoded pubkey. To support version 1 senders the relay acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
-- The sender creates a valid PSBT according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]] formatted as PSBTv2. We call this the <code>Fallback PSBT</code>. This Fallback PSBT, optional sender parameters, and cryptographic keys are encrypted and authenticated according to the Secp256k1 IK handshake and streamed to the relay subdirectory endpoint.
-- The sender awaits a response from the relay stream containing an encrypted <code>Payjoin PSBT</code> as Message B. It can replay the <code>Fallback PSBT</code> Mesasge A to request a response if it goes offline.
-- The request is stored in the receiver's subdirectory buffer.
-- Once the receiver is online, it awaits a stream of request updates from the relay. The receiver decrypts aund authenticates the payload then checks it according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates it to include new signed inputs and outputs invalidating sender signatures, and may adjust the fee. We call this the <code>Payjoin PSBT</code>.
-- It responds with the <code>Payjoin PSBT</code> encrypted then authenticated as Message B according to the Secp256k1 IK handshake.
-- The relay awaits a connection from the sender if it goes offline. Upon connection, it relays the encrypted <code>Payjoin PSBT</code> to the sender.
+- The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the relay's OHTTP Gateway.
+- The sender continues to replay this request in order to await a response from the relay containing a <code>Payjoin PSBT</code>. It stops after expiry.
+- The request is stored in the relay's subdirectory buffer.
+- Once the receiver is online, it sends <code>/receive</code>requests to await updates from the relay subdirectory. The receiver decrypts and authenticates the response which and checks it according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates it to include new signed inputs and outputs invalidating sender signatures, and may adjust the fee. We call this the <code>Payjoin PSBT</code>.
+- The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the relay's OHTTP Gateway.
+- The relay awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
 - The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
-The encrypted Fallback PSBT and Payjoin PSBT payloads are sent as bytes.
-
-The Fallback PSBT MUST:
+The Original PSBT MUST:
 
 - Include complete UTXO data.
 - Be signed.
@@ -82,80 +80,63 @@ The Fallback PSBT MUST:
 - Set input and output Transaction Modifiable Flags to 1
 - Be broadcastable.
 
-The Fallback PSBT MAY:
+The Original PSBT MAY:
 
 - Include outputs unrelated to the sender-receiver transfer for batching purposes.
 - Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1
 
 The Payjoin PSBT MUST:
 
-- Include all inputs from the Fallback PSBT.
-- Include all outputs which do not belong to the receiver from the Fallback PSBT.
+- Include all inputs from the Original PSBT.
+- Include all outputs which do not belong to the receiver from the Original PSBT.
 - Include complete UTXO data.
 
 The Payjoin PSBT sender MAY:
 
-- Add, remove or modify Fallback PSBT outputs under the control of the receiver (i.e. not sender change).
+- Add, remove or modify Original PSBT outputs under the control of the receiver (i.e. not sender change).
 
 The Payjoin PSBT MUST NOT:
 
 - Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
 - Decrease the absolute fee of the original transaction.
 
-===Receiver's Payjoin PSBT checklist===
-
-Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist|the BIP 78 receiver checklist]]
-
-===Sender's Payjoin PSBT checklist===
-
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078#senders-payjoin-proposal-checklist|the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
-
-===Relay interactions===
-
-The Payjoin Relay provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It is available on the open internet over HTTPS to accept both WebTransport for Payjoin version 2, accepting encrypted payloads, and optionally HTTP/1.1 to support backwards compatible Payjoin version 1 requests.
-
-===Receiver interactions===
+====Enroll Messaging====
 
-====Relay enrollment====
+The client discovers the OHTTP gateway's key configuration via an HTTP OPTIONS request to the gateway's URI.
 
-Receivers must enroll to have resources allocated on a relay. Sessions may begin by having a receiver send the static pubkey to the relay. The receiver returns the subdirectory endpoint url with the final subdirectory as base64-uri encoded pubkey. Enrollment may be replayed in case the receiver goes offline.
+Receivers must enroll to have resources allocated on a relay. Sessions may begin by having a receiver send the static pubkey to the relay. The receiver returns the subdirectory endpoint url with the final subdirectory as base64-uri encoded pubkey AND an Oblivious HTTP Key Configuration. Enrollment may be replayed in case the receiver goes offline.
 
 Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the Relay out of band. If authentication fails an error is returned.
 
 In the case a relay is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the relay describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
 
-====Receiver Payjoin PSBT response====
+====Send Messaging====
 
-The receiver streams the base64 Payjoin PSBT as encrypted bytes according to Secp256k1 IK.
+The version 2 Original PSBT is placed in an HTTP POST request body, base64 serialized, with text/plain in the Content-Type HTTP header and Content-Length set correctly, as in version 1, before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair `e` from which it derives a shared secret `es` with the receiver's key `s`. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the relay in an OHTTP request encapsulating the binary payload.
 
-===Sender interactions===
+The relay's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The relay's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
 
-The sender starts a WebTransport session with the relay at the Payjoin endpoint URI provided by the receiver. It sends the following payload and awaits a relayed response payload from the receiver.
+====Receive Messaging====
 
-====Version 2 Fallback PSBT request====
+The receiver sends a GET request to the path of the subdirectory followed by `/receive`. This request is encapsulated in OHTTP. It awaits an OHTTP response from the relay containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the relay has not yet received an request from the sender.
 
-The version 2 Fallback PSBT Payload is constructed in JSON before being encrypted as follows.
+Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair `e` from which it derives a shared secret `ee` with the sender's key `e` from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the relay in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by `/receive`.
 
-<pre>
-{
-  "psbt": "<fallback_psbt_data_base64>",
-  "params": {
-      "param1": "<value1>",
-      "param2": "<value1>",
-      ...
-  }
-}
-</pre>
+===Receiver's Payjoin PSBT checklist===
 
-The payload must be encrypted according to Secp256k1 IK.
+Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist|the BIP 78 receiver checklist]]
 
-====Version 1 Fallback PSBT request====
+===Sender's Payjoin PSBT checklist===
 
-The message should be the same as version 2 but unencrypted, as version 1 is unaware of encryption when using an unsecured payjoin server. The Relay should convert the PSBT to PSBTv2 and construct the JSON payload from the HTTP request body and optional query parameters. Upon receiving an unencrypted PSBTv2 response from a receiver, it should convert it to PSBTv0 for compatibility with BIP 78.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078#senders-payjoin-proposal-checklist|the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+
+===Relay interactions===
+
+The Payjoin Relay provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. It may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
 
 ===Asynchronous relay buffers===
 
-Each receiver subdirectory on the relay server has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent to relevant client sessions.
+Each receiver subdirectory on the relay server has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ===BIP 21 receiver parameters===
 
@@ -163,7 +144,7 @@ A major benefit of BIP 78 payjoin over other coordination mechanisms is its comp
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
 
-- <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the Fallback and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
+- <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 BIP 78's BIP 21 payjoin parameters are also valid for version 2.
 
@@ -177,79 +158,63 @@ BIP 78's optional query parameters are also valid as version 2 parameters.
 
 ==Rationale==
 
-===Request expiration & fallback===
+===Request expiration & Original PSBT===
 
 The relay may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
 
-The existing BIP 78 protocol has to be synchronous only for automated endpoints which may be vulnerable to probing attacks. It can cover this tradeoff by demanding a fallback transaction that would not preserve privacy the same way as a payjoin. BIP 21 URI can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this fallback with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
-
-===WebTransport===
-
-Many transport protocols are good candidates for Serverless Payjoin functionality, but WebTransport stands out in its ability to stream and take advantage of QUIC's performance in mobile environments. In developing this BIP, serverless payjoin proofs of concept using TURN, HTTP/1.1 long polling, WebSockets, Magic Wormhole, and Nostr have been made. Streaming allows the relay to have more granular and asynchronous understanding of the state of the peers, and this protcol is designed specifically to address the shortcomings of an HTTP protocol's requirement to receive from a reliable, always-online connection.
+The existing BIP 78 protocol has to be synchronous only for automated endpoints which may be vulnerable to probing attacks. It can cover this tradeoff by demanding  Original PSBT from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URI can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
 
-While WebTransport and HTTP/3 it is built on are relatively new, widespread support across browsers assures me that it is being accepted as a standard and even has a fallback to HTTP/2 environments. Being built on top of QUIC allows it to multiplex connections from a relay to multiple peers which may prove advantageous for later payjoin protocols between more than two participants contributing inputs, such as those used to fund a lightning node with channels from multiple sources in one transaction, or those with threat models more similar to ZeroLink CoinJoin.
+===HTTP===
 
-While Nostr is fascinating from the perspective of censorship resistance, the backwards compatibility with Payjoin v1 would mean only custom Nostr Payjoin relays exposing an https endpoint would be suitable. Nostr transport is also limited by the performance of WebSockets, being an abstraction on top of that protocol. There is nothing stopping a new version of this protocol or a NIP making Payjoin version 2 possible over Nostr should Payjoin censorship become a bottleneck in the way of adoption.
+HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consider an implementation. Unlike a WebSockets protocol, plain HTTP is eligible to enjoy metadata protection from Oblivious HTTP.
 
-WebTransport is already shipped in both Firefox, Chrome, h3 in Rust, Go, and all popular languages. There is also [[https://w3c.github.io/p2p-webtransport/|a working draft for full P2P WebTransport]] without any relay, which a future payjoin protocol may make use of.
+===Oblivious HTTP===
 
-===Secp256k1 IK inspired handshake===
+OHTTP protects sender and receiver IP addresses from both the relay and one another. This makes it more difficult for a relay to correlate many payjoin transactions with a specific IP addresses by intersection.
 
-<-- The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static noise keys are only to be used once per session
-
-====Noise IK pattern====
-
-<pre>
-NKpsk0:
-  <- s
-  ...
-  -> e, es, s, ss
-  <- e, ee, se
-</pre>
+OHTTP relays can be run as basic HTTP proxies from wallet providers. Getting OHTTP Gateway configurations does require additional communication between each client and the relay, but this can be done over Tor (hidden service even), a VPN, or provided by a trusted third party like the wallet provider.
 
-====BIP 21 pre-shared public key====
+===Message Padding===
 
-The recipient shares the first handshake message containing the receiver's static public key, i.e. <code>s</code> in Noise framework parlance. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64url]] encoding so it can be provided in the <code>pj=</code> parameter
+TODO ??? TODO
 
-====Fallback PSBT Message A====
+All cyphertexts should be padded to the same length to prevent traffic analysis. This is not yet implemented in the reference implementation.
 
-Sender derives an ephemeral secp256k1 key pair for this session. Sender derives a shared secret using Elliptic Cureve Diffie-Hellman (ECDH) key agreement. The sender derives a symmetric key
+===Secp256k1 Hybrid Public Key Encryption===
 
-Message A includes a sender ephemeral key, DH shared secret derived from the sender's ephemeral key and the receiver's static key, the sender's static key <code>s</code>, and a shared <code>ss</code> DH secret derived from both sender and receiver's static keys.
+Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 appication specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-Message A, sent by the sender, benefits from receiver authentication and is resistant to Key Compromise Impersonation. Message contents benefit from message secrecy and some forward secrecy since ephemeral keys are used. The compromise of the receivers's (but not the sender's) static private keys,even at a later date, will lead to message contents being decrypted by an attacker.
-
-====Payjoin PSBT Message B====
-
-Message B is encreypted and authenticated using the shared secrets based off of per-session ephemeral keys.
-
-The receiver's shared secrets 
-
-The sender can be confident that message B has sender authentication and is Key Compromise Impersonation resistant. If the sender receives a valid message from the receiver, then the receiver must have sent that message, unless the keys have been compromised before this session. If the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an active attacker, should that attacker also have forged the initiator's ephemeral key during the session
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64url]] encoding as a subdirectory of the relay server in the <code>pj=</code> parameter.
 
 ====Secp256k1====
 
-Secp256k1 should be used in place of Noise's specified Curve25519 DH functions because of it's availability in bitcoin contexts.
+Secp256k1 should be used in place of HPKE's specified DH functions because of it's availability in bitcoin contexts. A proposal to standardize its inclusion may be appropriate.
 
 ====ChaCha20Poly1305 AEAD====
 
 This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305|algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439|RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki|BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
 
+====HKDF-SHA256====
+
+SHA-256 is secure and widely available in bitcoin contexts.
+
 ===PSBT Version 2===
 
 The PSBT version 1 protocol was replaced because it was not designed to have inputs and outputs be mutated. Payjoin mutates the PSBT, so BIP 78 uses a hack where a new PSBT is created by the receiver instead of mutating it. This can cause some strange behaviors from signers who don't know where to look to find the scripts that they are accountable for. PSBT version 2 makes mutating a PSBT's inputs and outputs trivial. It also eliminates the transaction finalization step. Receivers who do not understand PSBT version 1 may choose to reject Payjoin version 1 requests and only support PSBT version 2.
 
 ===Attack vectors===
 
-Since relays store arbitrary encrypted payloads to the tragedy of the commons and denial of service attacks. Relay operators may impose an authentication requirement before they provide relay service to receivers to mitigate such attacks.
+Since relays store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. Relay operators may impose an authentication requirement before they provide relay service to receivers to mitigate such attacks.
 
-Since we make use of 0-RTT IK, the first message containing the sender's original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Fallback PSBT could be read.
+Since we make use of 0-RTT HPKE, the first message containing the sender's original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
 
-Since the Fallback PSBT is valid, even where <code>exp=</code> is specified, the receiver may broadcast it and lose out on ambiguous privacy protection from payjoin at any time. Though unfortunate, this is the typical bitcoin transaction flow today anyhow.
+Since the Original PSBT is valid, even where <code>exp=</code> is specified, the receiver may broadcast it and lose out on savings from payment batching and  privacy protection from payjoin structure at any time. Though unfortunate, this failure mode is the typical bitcoin transaction flow today anyhow.
 
-===Network privacy===
+===Network privacy=== 
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the relay, not their peer's. Relays may be made available via Tor hidden service or Oblivious HTTP in addition to IP / DNS to allow either of the peers to protect their IP from the relay with without requiring both peers to use additional network security dependencies.
+Oblivious HTTP must be used to protect the IP address of both sender and receiver from the relay. This requires an additional key configuration to be shared in the bip21 URI and for the relay to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the crypto already in use for the payjoin protocol.
+
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the relay, not their peer's. Relays may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the relay with without OHTTP.
 
 ==Backwards compatibility==
 
@@ -257,9 +222,7 @@ The receivers advertise payjoin capabilities through [[https://github.com/bitcoi
 
 Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
 
-Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The relay protocol should carry on as normal, validating based on HTTP headers and constructing an unencrypted Version 2 payload from optional query parameters, and PSBT in the body.
-
-The BIP 78 error messages are already JSON formatted, so it made sense to rely on the same dependency for these payloads and error messages.
+Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The relay protocol should carry on as normal, responding to `/receive` get requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to `/receive` to respond to these version 1 senders within 30 seconds to respond to the sender's request.
 
 ==Reference implementation==
 
@@ -267,4 +230,4 @@ An early proof of concept draft reference implementation can be found at https:/
 
 ==Acknowledgements==
 
-Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, waxwing, Christopher Allen, Symphonic, and countless twitter plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.
\ No newline at end of file
+Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, Waxwing, Christopher Allen, Symphonic, Steve Meyers, Sjors Provost, Andrew Chow, and countless plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.

From 4069db51ba2589faf79cf7389c68c1d094dd8c64 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 13 Dec 2023 21:29:42 -0500
Subject: [PATCH 04/50] Include padding

---
 bip-???-payjoin-v2.mediawiki | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/bip-???-payjoin-v2.mediawiki b/bip-???-payjoin-v2.mediawiki
index 83c67a0aaa..db95066085 100644
--- a/bip-???-payjoin-v2.mediawiki
+++ b/bip-???-payjoin-v2.mediawiki
@@ -176,9 +176,7 @@ OHTTP relays can be run as basic HTTP proxies from wallet providers. Getting OHT
 
 ===Message Padding===
 
-TODO ??? TODO
-
-All cyphertexts should be padded to the same length to prevent traffic analysis. This is not yet implemented in the reference implementation.
+All cyphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most transaction PSBTs without exceeding the 8KB limit of many HTTP/1.1 web servers.
 
 ===Secp256k1 Hybrid Public Key Encryption===
 

From 45daed4ef1c64b48053d32342896d3bdb120e10d Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 15 Dec 2023 14:09:36 -0500
Subject: [PATCH 05/50] Include production reference implementation

---
 bip-???-payjoin-v2.mediawiki | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/bip-???-payjoin-v2.mediawiki b/bip-???-payjoin-v2.mediawiki
index db95066085..ae1a3f92b9 100644
--- a/bip-???-payjoin-v2.mediawiki
+++ b/bip-???-payjoin-v2.mediawiki
@@ -220,12 +220,16 @@ The receivers advertise payjoin capabilities through [[https://github.com/bitcoi
 
 Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
 
-Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The relay protocol should carry on as normal, responding to `/receive` get requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to `/receive` to respond to these version 1 senders within 30 seconds to respond to the sender's request.
+Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The relay protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds to respond to the sender's request.
 
 ==Reference implementation==
 
-An early proof of concept draft reference implementation can be found at https://github.com/payjoin/rust-payjoin/pull/78. It implements an asynchronous payment flow using WebSockets using PSBTv1 without encryption. Another reference can be found at https://github.com/payjoin/rust-payjoin/pull/21 which uses HTTP long polling for transport and Noise NNpsk0 for crypto. Recently, I've come to realize the rationale for WebTransport, PSBTv2, and Noise IK substitutions and am working on an implementation including this exact specification, but wanted to get early feedback on this design in the spirit of BIP 2.
+An production reference implementation client can be found at https://crates.io/crates/payjoin-cli/0.0.2-alpha. Source code for the clients, directory server, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for Oblivous HTTP relays may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+
+A payjoin directory server is run by the Payjoin Dev Kit team on https://payjo.in.
+
+Independent Oblivious HTTP relays are run by Obscura VPN at https://ohttp-relay.obscuravpn.io/payjoin and by BOB Spaces at https://pj.bobspacebkk.com.
 
 ==Acknowledgements==
 
-Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, Waxwing, Christopher Allen, Symphonic, Steve Meyers, Sjors Provost, Andrew Chow, and countless plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.
+Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, Waxwing, Christopher Allen, Symphonic, Steve Meyers, Sjors Provost, Ava Chow, jbesraa, and countless plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.

From b593c457c9bda5a47ad2f91f96585178058669e8 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 27 Dec 2023 10:59:49 -0500
Subject: [PATCH 06/50] Adopt BIP-77 for payjoin v2

---
 bip-???-payjoin-v2.mediawiki => bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename bip-???-payjoin-v2.mediawiki => bip-0077.mediawiki (99%)

diff --git a/bip-???-payjoin-v2.mediawiki b/bip-0077.mediawiki
similarity index 99%
rename from bip-???-payjoin-v2.mediawiki
rename to bip-0077.mediawiki
index ae1a3f92b9..a75f95c206 100644
--- a/bip-???-payjoin-v2.mediawiki
+++ b/bip-0077.mediawiki
@@ -1,5 +1,5 @@
 <pre>
-  BIP: ???
+  BIP: 77
   Layer: Applications
   Title: Payjoin Version 2: Serverless Payjoin
   Author: Dan Gould <d@ngould.dev>

From 6becb34a5e134246f5376515c221bea7b6886a0d Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 6 Mar 2024 10:55:06 -0500
Subject: [PATCH 07/50] Distinguish payjoin directory from OHTTP Relay

---
 bip-0077.mediawiki | 72 +++++++++++++++++++++++-----------------------
 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index a75f95c206..47f773a235 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party relay and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use Oblivious HTTP to prevent the relay and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use Oblivious HTTP to prevent the directory and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -30,9 +30,9 @@ The primary goal of this proposal is to provide a practical coordination mechani
 
 The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180|HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitition to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition while using a relay without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitition to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition while using a directory relay without compromising sender or receiver privacy.
 
-Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin relay as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the relay stealing funds.
+Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
 
 The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original PSBT timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
 
@@ -44,17 +44,17 @@ The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward relay server to receive payjoin. Relays may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the relay to support asynchronous interaction. Authenticated encryption prevents the relay from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the relay to prevent metadata attacks. Aside from a application layer authenticated encryption and relayed asynchronus networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to receive payjoin. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from a application layer authenticated encryption and relayed asynchronus networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
-The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the relay.
+The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a streaming session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message streamed from the relay to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] payjoin uri including the relay endpoint in the <code>pj=</code> query parameter.
+Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message from the directory to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter.
 
-The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when streamed to the recipient by the relay-hosted subdirectory <code>pj=</code> endpoint.
+The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
 
-Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin relay subdirectory.
+Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin directory.
 
 ===Payjoin version 2 messaging===
 
@@ -62,14 +62,14 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 
 The payjoin version 2 protocol takes the following steps:
 
-- The recipient sends their payjoin pubkey and optional authentication credential according to [[#relay-enrollment|receiver relay enrollment]] protocol. It may go offline and replay enrollment to come back online.
-- Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter describing the relay subdirectory endpoint parameter with base64-uri encoded pubkey. To support version 1 senders the relay acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
-- The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the relay's OHTTP Gateway.
-- The sender continues to replay this request in order to await a response from the relay containing a <code>Payjoin PSBT</code>. It stops after expiry.
-- The request is stored in the relay's subdirectory buffer.
-- Once the receiver is online, it sends <code>/receive</code>requests to await updates from the relay subdirectory. The receiver decrypts and authenticates the response which and checks it according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates it to include new signed inputs and outputs invalidating sender signatures, and may adjust the fee. We call this the <code>Payjoin PSBT</code>.
-- The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the relay's OHTTP Gateway.
-- The relay awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
+- The recipient sends their payjoin pubkey and optional authentication credential according to [[#directory-enrollment|receiver directory enrollment]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
+- Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64-uri encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64-url Key Config should also be provided.
+- The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the directory's OHTTP Gateway.
+- The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
+- The request is stored in the subdirectory.
+- Once the receiver is online, it sends <code>/receive</code>requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+- The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
+- The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
 - The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
 The Original PSBT MUST:
@@ -104,23 +104,23 @@ The Payjoin PSBT MUST NOT:
 
 The client discovers the OHTTP gateway's key configuration via an HTTP OPTIONS request to the gateway's URI.
 
-Receivers must enroll to have resources allocated on a relay. Sessions may begin by having a receiver send the static pubkey to the relay. The receiver returns the subdirectory endpoint url with the final subdirectory as base64-uri encoded pubkey AND an Oblivious HTTP Key Configuration. Enrollment may be replayed in case the receiver goes offline.
+Receivers must enroll to have resources allocated on a directory. Sessions may begin by having a receiver send the static pubkey to the directory. The receiver returns the subdirectory endpoint url with the final subdirectory as base64-uri encoded pubkey AND an Oblivious HTTP Key Configuration. Enrollment may be replayed in case the receiver goes offline.
 
-Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the Relay out of band. If authentication fails an error is returned.
+Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails an error is returned.
 
-In the case a relay is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the relay describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
+In the case a directory is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the directory describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
 
 ====Send Messaging====
 
-The version 2 Original PSBT is placed in an HTTP POST request body, base64 serialized, with text/plain in the Content-Type HTTP header and Content-Length set correctly, as in version 1, before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair `e` from which it derives a shared secret `es` with the receiver's key `s`. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the relay in an OHTTP request encapsulating the binary payload.
+The version 2 Original PSBT is placed in an HTTP POST request body, base64 serialized, with text/plain in the Content-Type HTTP header and Content-Length set correctly, as in version 1, before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair `e` from which it derives a shared secret `es` with the receiver's key `s`. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
 
-The relay's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The relay's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
+The directory's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
 
 ====Receive Messaging====
 
-The receiver sends a GET request to the path of the subdirectory followed by `/receive`. This request is encapsulated in OHTTP. It awaits an OHTTP response from the relay containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the relay has not yet received an request from the sender.
+The receiver sends a GET request to the path of the subdirectory followed by `/receive`. This request is encapsulated in OHTTP. It awaits an OHTTP response from the directory containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the directory has not yet received an request from the sender.
 
-Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair `e` from which it derives a shared secret `ee` with the sender's key `e` from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the relay in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by `/receive`.
+Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair `e` from which it derives a shared secret `ee` with the sender's key `e` from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by `/receive`.
 
 ===Receiver's Payjoin PSBT checklist===
 
@@ -130,13 +130,13 @@ Other than requiring PSBTv2 the receiver checklist is the same as the [[https://
 
 The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078#senders-payjoin-proposal-checklist|the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
-===Relay interactions===
+===Directory interactions===
 
-The Payjoin Relay provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. It may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
+The Payjoin Directory provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. It may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
 
-===Asynchronous relay buffers===
+===Subdirectories===
 
-Each receiver subdirectory on the relay server has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
+Each receiver subdirectory on the directory server has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ===BIP 21 receiver parameters===
 
@@ -160,7 +160,7 @@ BIP 78's optional query parameters are also valid as version 2 parameters.
 
 ===Request expiration & Original PSBT===
 
-The relay may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
+The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
 
 The existing BIP 78 protocol has to be synchronous only for automated endpoints which may be vulnerable to probing attacks. It can cover this tradeoff by demanding  Original PSBT from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URI can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
 
@@ -170,9 +170,9 @@ HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consid
 
 ===Oblivious HTTP===
 
-OHTTP protects sender and receiver IP addresses from both the relay and one another. This makes it more difficult for a relay to correlate many payjoin transactions with a specific IP addresses by intersection.
+OHTTP protects sender and receiver IP addresses from both one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with a specific IP addresses by intersection.
 
-OHTTP relays can be run as basic HTTP proxies from wallet providers. Getting OHTTP Gateway configurations does require additional communication between each client and the relay, but this can be done over Tor (hidden service even), a VPN, or provided by a trusted third party like the wallet provider.
+OHTTP relays can be run as basic HTTP proxies from wallet providers. Getting OHTTP Gateway configurations does require additional communication between each client and the directory, but this can be done over Tor (hidden service even), a VPN, or provided by a trusted third party like the wallet provider.
 
 ===Message Padding===
 
@@ -182,7 +182,7 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 appication specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64url]] encoding as a subdirectory of the relay server in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64url]] encoding as a subdirectory of the directory server in the <code>pj=</code> parameter.
 
 ====Secp256k1====
 
@@ -202,7 +202,7 @@ The PSBT version 1 protocol was replaced because it was not designed to have inp
 
 ===Attack vectors===
 
-Since relays store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. Relay operators may impose an authentication requirement before they provide relay service to receivers to mitigate such attacks.
+Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. Directory operators may impose an authentication requirement before they allocate a subdirectory to receivers to mitigate such attacks.
 
 Since we make use of 0-RTT HPKE, the first message containing the sender's original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
 
@@ -210,9 +210,9 @@ Since the Original PSBT is valid, even where <code>exp=</code> is specified, the
 
 ===Network privacy=== 
 
-Oblivious HTTP must be used to protect the IP address of both sender and receiver from the relay. This requires an additional key configuration to be shared in the bip21 URI and for the relay to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the crypto already in use for the payjoin protocol.
+Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the crypto already in use for the payjoin protocol.
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the relay, not their peer's. Relays may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the relay with without OHTTP.
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peer's. Directories may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
 
 ==Backwards compatibility==
 
@@ -220,11 +220,11 @@ The receivers advertise payjoin capabilities through [[https://github.com/bitcoi
 
 Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
 
-Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The relay protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds to respond to the sender's request.
+Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds to respond to the sender's request.
 
 ==Reference implementation==
 
-An production reference implementation client can be found at https://crates.io/crates/payjoin-cli/0.0.2-alpha. Source code for the clients, directory server, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for Oblivous HTTP relays may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+An production reference implementation client can be found at https://crates.io/crates/payjoin-cli/0.0.2-alpha. Source code for the clients, directory server, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for an Oblivous HTTP relay implementation may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
 
 A payjoin directory server is run by the Payjoin Dev Kit team on https://payjo.in.
 

From 754e287d462a074de169e3943c69a6fc131a5500 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 6 Mar 2024 11:17:27 -0500
Subject: [PATCH 08/50] Detail OHTTP Key Configuration mechanism

---
 bip-0077.mediawiki | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 47f773a235..b7b098cd66 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use Oblivious HTTP to prevent the directory and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html|Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -50,7 +50,7 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message from the directory to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter.
+Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message from the directory to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration|OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
 
@@ -102,9 +102,11 @@ The Payjoin PSBT MUST NOT:
 
 ====Enroll Messaging====
 
-The client discovers the OHTTP gateway's key configuration via an HTTP OPTIONS request to the gateway's URI.
+Receivers must enroll with a directory to a subdirectory allocated. 
 
-Receivers must enroll to have resources allocated on a directory. Sessions may begin by having a receiver send the static pubkey to the directory. The receiver returns the subdirectory endpoint url with the final subdirectory as base64-uri encoded pubkey AND an Oblivious HTTP Key Configuration. Enrollment may be replayed in case the receiver goes offline.
+A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01|OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+
+Payjoin sessions begin by having a receiver send the static pubkey to the directory via OHTTP, receiving their subdirectory in a base64-uri encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
 
 Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails an error is returned.
 
@@ -144,10 +146,9 @@ A major benefit of BIP 78 payjoin over other coordination mechanisms is its comp
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
 
+- <code>ohttp</code> represents the OHTTP Key Configuration of the directory server. This is a base64url encoded public key of the directory server's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
 - <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
-BIP 78's BIP 21 payjoin parameters are also valid for version 2.
-
 ===Optional sender parameters===
 
 When the payjoin sender posts the original PSBT to the receiver, it can optionally specify the following HTTP query string parameters:
@@ -172,7 +173,7 @@ HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consid
 
 OHTTP protects sender and receiver IP addresses from both one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with a specific IP addresses by intersection.
 
-OHTTP relays can be run as basic HTTP proxies from wallet providers. Getting OHTTP Gateway configurations does require additional communication between each client and the directory, but this can be done over Tor (hidden service even), a VPN, or provided by a trusted third party like the wallet provider.
+OHTTP relays can be run as basic HTTP proxies from wallet providers or third parties.
 
 ===Message Padding===
 
@@ -194,7 +195,7 @@ This authenticated encryption with additional data [[https://en.wikipedia.org/wi
 
 ====HKDF-SHA256====
 
-SHA-256 is secure and widely available in bitcoin contexts.
+SHA-256 is considered secure and is necessarily available in bitcoin contexts.
 
 ===PSBT Version 2===
 
@@ -210,7 +211,7 @@ Since the Original PSBT is valid, even where <code>exp=</code> is specified, the
 
 ===Network privacy=== 
 
-Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the crypto already in use for the payjoin protocol.
+Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
 
 Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peer's. Directories may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
 
@@ -224,7 +225,7 @@ Receivers may choose to support version 1 payloads. Version 2 payjoin URIs shoul
 
 ==Reference implementation==
 
-An production reference implementation client can be found at https://crates.io/crates/payjoin-cli/0.0.2-alpha. Source code for the clients, directory server, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for an Oblivous HTTP relay implementation may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+An production reference implementation client can be found at https://crates.io/crates/payjoin-cli. Source code for the clients, directory server, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for an Oblivous HTTP relay implementation may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
 
 A payjoin directory server is run by the Payjoin Dev Kit team on https://payjo.in.
 

From 80b8bacfd02152ac7961090b6c74b38a6fd962d2 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 6 Mar 2024 11:19:01 -0500
Subject: [PATCH 09/50] Fix punctuation

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index b7b098cd66..7d24816d18 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -213,7 +213,7 @@ Since the Original PSBT is valid, even where <code>exp=</code> is specified, the
 
 Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peer's. Directories may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peers. Directories may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
 
 ==Backwards compatibility==
 

From b5353b59b07b694c21ca5ef977e4453ea23d7375 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 6 Mar 2024 11:27:28 -0500
Subject: [PATCH 10/50] Make base64URL references consistent

---
 bip-0077.mediawiki | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 7d24816d18..2dcd73ad9d 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -63,7 +63,7 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 The payjoin version 2 protocol takes the following steps:
 
 - The recipient sends their payjoin pubkey and optional authentication credential according to [[#directory-enrollment|receiver directory enrollment]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
-- Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64-uri encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64-url Key Config should also be provided.
+- Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config should also be provided.
 - The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the directory's OHTTP Gateway.
 - The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 - The request is stored in the subdirectory.
@@ -106,7 +106,7 @@ Receivers must enroll with a directory to a subdirectory allocated.
 
 A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01|OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Payjoin sessions begin by having a receiver send the static pubkey to the directory via OHTTP, receiving their subdirectory in a base64-uri encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
+Payjoin sessions begin by having a receiver send the static pubkey to the directory via OHTTP, receiving their subdirectory in a base64URL encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
 
 Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails an error is returned.
 
@@ -114,7 +114,7 @@ In the case a directory is operated by an exchange, it may give out authenticati
 
 ====Send Messaging====
 
-The version 2 Original PSBT is placed in an HTTP POST request body, base64 serialized, with text/plain in the Content-Type HTTP header and Content-Length set correctly, as in version 1, before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair `e` from which it derives a shared secret `es` with the receiver's key `s`. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
+The version 2 Original PSBT is placed in an HTTP POST request body as binary before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair `e` from which it derives a shared secret `es` with the receiver's key `s`. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
 
 The directory's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
 
@@ -146,7 +146,7 @@ A major benefit of BIP 78 payjoin over other coordination mechanisms is its comp
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
 
-- <code>ohttp</code> represents the OHTTP Key Configuration of the directory server. This is a base64url encoded public key of the directory server's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
+- <code>ohttp</code> represents the OHTTP Key Configuration of the directory server. This is a base64URL encoded public key of the directory server's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
 - <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 ===Optional sender parameters===
@@ -183,7 +183,7 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 appication specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64url]] encoding as a subdirectory of the directory server in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64URL]] encoding as a subdirectory of the directory server in the <code>pj=</code> parameter.
 
 ====Secp256k1====
 

From 9e8b4d7ee755bb72a0389a3bce44731d131ecad1 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 6 Mar 2024 11:29:42 -0500
Subject: [PATCH 11/50] Reference standardized Secp256k1 DHKEM for HPKE

---
 bip-0077.mediawiki | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 2dcd73ad9d..ffd30a5be2 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -185,9 +185,9 @@ Hybrid Public Key Encryption is a modern web standard for secure message exchang
 
 The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64URL]] encoding as a subdirectory of the directory server in the <code>pj=</code> parameter.
 
-====Secp256k1====
+====Secp256k1-based DHKEM====
 
-Secp256k1 should be used in place of HPKE's specified DH functions because of it's availability in bitcoin contexts. A proposal to standardize its inclusion may be appropriate.
+[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html|Secp256k1-based DHKEM for HPKE]] is most appropriate because of secp256k1's availability in bitcoin contexts.
 
 ====ChaCha20Poly1305 AEAD====
 

From 3c1629bb2361aa229adbde36527b7e1bc59138dc Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 26 Mar 2024 23:45:48 -0400
Subject: [PATCH 12/50] Add Comments-URI

---
 bip-0077.mediawiki | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index ffd30a5be2..eb82665732 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -3,6 +3,7 @@
   Layer: Applications
   Title: Payjoin Version 2: Serverless Payjoin
   Author: Dan Gould <d@ngould.dev>
+  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0077
   Status: Draft
   Replaces: 78
   Type: Standards Track

From a0d365447129ffa31aca98ef84f54eaf6641b08d Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 2 May 2024 22:59:22 -0400
Subject: [PATCH 13/50] fixup: Format and spell check

Co-authored-by: spacebear <144076611+grizznaut@users.noreply.github.com>
---
 bip-0077.mediawiki | 67 +++++++++++++++++++++++-----------------------
 1 file changed, 33 insertions(+), 34 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index eb82665732..52ca07d3f8 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -5,7 +5,6 @@
   Author: Dan Gould <d@ngould.dev>
   Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0077
   Status: Draft
-  Replaces: 78
   Type: Standards Track
   Created: 2023-08-08
   License: BSD-2-Clause
@@ -23,7 +22,7 @@ This BIP is licensed under the 2-clause BSD license.
 
 Payjoin solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner." Breaking that common-input ownership assumption and others requires input from multiple owners. Cooperative transaction construction also increases transaction throughput by providing new opportunity for payment batching and transaction cut-through.
 
-Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is synchronous, requiring both sender and reciever to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet develoepers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html|regard]] these as limits to payjoin adoption.
+Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html|regard]] these as limits to payjoin adoption.
 
 The primary goal of this proposal is to provide a practical coordination mechanism adaptable to a majority of wallet environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
 
@@ -31,7 +30,7 @@ The primary goal of this proposal is to provide a practical coordination mechani
 
 The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180|HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitition to be disabled. Output substitition is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substition while using a directory relay without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
 
 Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
 
@@ -39,13 +38,13 @@ The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original
 
 ===Relation to Stowaway===
 
-[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to receive payjoin. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from a application layer authenticated encryption and relayed asynchronus networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to receive payjoin. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from a application layer authenticated encryption and relayed asynchronous networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
@@ -63,47 +62,47 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 
 The payjoin version 2 protocol takes the following steps:
 
-- The recipient sends their payjoin pubkey and optional authentication credential according to [[#directory-enrollment|receiver directory enrollment]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
-- Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config should also be provided.
-- The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the directory's OHTTP Gateway.
-- The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
-- The request is stored in the subdirectory.
-- Once the receiver is online, it sends <code>/receive</code>requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
-- The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
-- The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
-- The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
+* The recipient sends their payjoin pubkey and optional authentication credential according to [[#directory-enrollment|receiver directory enrollment]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
+* Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config should also be provided.
+* The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the directory's OHTTP Gateway.
+* The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
+* The request is stored in the subdirectory.
+* Once the receiver is online, it sends <code>/receive</code>requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
+* The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
+* The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
 The Original PSBT MUST:
 
-- Include complete UTXO data.
-- Be signed.
-- Exclude unnecessary fields such as global xpubs or keypath information. <!-- I believe PSBTv2 obviates this requirement -->
-- Set input and output Transaction Modifiable Flags to 1
-- Be broadcastable.
+* Include complete UTXO data.
+* Be signed.
+* Exclude unnecessary fields such as global xpubs or keypath information. <!-* I believe PSBTv2 obviates this requirement -->
+* Set input and output Transaction Modifiable Flags to 1
+* Be broadcastable.
 
 The Original PSBT MAY:
 
-- Include outputs unrelated to the sender-receiver transfer for batching purposes.
-- Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1
+* Include outputs unrelated to the sender-receiver transfer for batching purposes.
+* Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1
 
 The Payjoin PSBT MUST:
 
-- Include all inputs from the Original PSBT.
-- Include all outputs which do not belong to the receiver from the Original PSBT.
-- Include complete UTXO data.
+* Include all inputs from the Original PSBT.
+* Include all outputs which do not belong to the receiver from the Original PSBT.
+* Include complete UTXO data.
 
 The Payjoin PSBT sender MAY:
 
-- Add, remove or modify Original PSBT outputs under the control of the receiver (i.e. not sender change).
+* Add, remove or modify Original PSBT outputs under the control of the receiver (i.e. not sender change).
 
 The Payjoin PSBT MUST NOT:
 
-- Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
-- Decrease the absolute fee of the original transaction.
+* Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
+* Decrease the absolute fee of the original transaction.
 
 ====Enroll Messaging====
 
-Receivers must enroll with a directory to a subdirectory allocated. 
+Receivers must enroll with a directory to have a subdirectory allocated to them as follows.
 
 A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01|OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
@@ -147,14 +146,14 @@ A major benefit of BIP 78 payjoin over other coordination mechanisms is its comp
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
 
-- <code>ohttp</code> represents the OHTTP Key Configuration of the directory server. This is a base64URL encoded public key of the directory server's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
-- <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
+* <code>ohttp</code> represents the OHTTP Key Configuration of the directory server. This is a base64URL encoded public key of the directory server's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
+* <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 ===Optional sender parameters===
 
 When the payjoin sender posts the original PSBT to the receiver, it can optionally specify the following HTTP query string parameters:
 
-- <code>v</code>: represents the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
+* <code>v</code>: represents the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
 
 BIP 78's optional query parameters are also valid as version 2 parameters.
 
@@ -182,7 +181,7 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 ===Secp256k1 Hybrid Public Key Encryption===
 
-Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 appication specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
+Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
 The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64URL]] encoding as a subdirectory of the directory server in the <code>pj=</code> parameter.
 
@@ -210,11 +209,11 @@ Since we make use of 0-RTT HPKE, the first message containing the sender's origi
 
 Since the Original PSBT is valid, even where <code>exp=</code> is specified, the receiver may broadcast it and lose out on savings from payment batching and  privacy protection from payjoin structure at any time. Though unfortunate, this failure mode is the typical bitcoin transaction flow today anyhow.
 
-===Network privacy=== 
+===Network privacy===
 
 Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peers. Directories may aditionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peers. Directories may additionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
 
 ==Backwards compatibility==
 

From b758311ba6fd4d01cc384b040d12a1c26b4f5497 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 2 May 2024 23:08:04 -0400
Subject: [PATCH 14/50] Add BIP 77 to README

---
 README.mediawiki | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/README.mediawiki b/README.mediawiki
index 94ecb8bcb3..1801ebcdb1 100644
--- a/README.mediawiki
+++ b/README.mediawiki
@@ -400,6 +400,13 @@ Those proposing changes should consider that ultimately consent may rest with th
 | Standard
 | Final
 |-
+| [[bip-0077.mediawiki|77]]
+| Applications
+| Payjoin Version 2: Serverless Payjoin
+| Dan Gould
+| Standard
+| Draft
+|-
 | [[bip-0078.mediawiki|78]]
 | Applications
 | A Simple Payjoin Proposal

From 95a3b14b817f57461f05e9a0b413d3a3f92d0279 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 3 May 2024 16:49:31 -0400
Subject: [PATCH 15/50] Add Payjoin V2 overview diagram

---
 bip-0077.mediawiki | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 52ca07d3f8..74382869de 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -56,6 +56,48 @@ The sender constructs an encrypted and authenticated payload containing a PSBT a
 
 Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin directory.
 
+====Sequence Diagram====
+
+<pre>
++----------+                 +-----------+       +--------+  +---------+
+| Receiver |                 | Directory |       | Sender |  | Network |
++----------+                 +-----------+       +--------+  +---------+
+|                                  |                  |                |
+| Request subdirectory             |                  |                |
++--------------------------------->|                  |                |
+|                                  |                  |                |
+|           subdirectory           |                  |                |
+|<---------------------------------|                  |                |
+|                                  |                  |                |
+|      destination (address,       |                  |                |
+|        subdirectory)             |                  |                |
++---------------------------------------------------->|                |
+|                                  |                  |                |
+|      Request Original PSBT       |                  |                |
++- - - - - - - - - - - - - - - - ->|                  |                |
+|                                  |  Original PSBT   |                |
+|                                  |<- - - - - - - - -|                |
+|                                  |                  |                |
+|                                  |                  |                |
+|          Original PSBT           |                  |                |
+|<---------------------------------|                  |                |
+|                                  |                  |                |
+|                                  |                  |                |
+|             Payjoin PSBT         |                  |                |
++--------------------------------->|                  |                |
+|                                  |   Payjoin PSBT   |                |
+|                                  |----------------->|                |
+|                                  |                  |                |
+|                                  |                  |   Payjoin      |
+|                                  |                  +--------------->|
+|                                  |                  |                |
++                                  +                  +                +
+
+Key: 
+|-----> Single transmission
+|- - -> Polled transmission
+</pre>
+
 ===Payjoin version 2 messaging===
 
 Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki|BIP 370 PSBT v2]] format to fascilitate PSBT mutation.

From 6646e9908c7e7dd14426582be63a341519c35d50 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 5 May 2024 20:58:24 -0400
Subject: [PATCH 16/50] Add Oblivious HTTP Sequence Diagram

---
 bip-0077.mediawiki                   |   5 +++++
 bip-0077/oblivious-http-sequence.png | Bin 0 -> 57987 bytes
 2 files changed, 5 insertions(+)
 create mode 100644 bip-0077/oblivious-http-sequence.png

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 74382869de..66a402e3e8 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -217,6 +217,11 @@ OHTTP protects sender and receiver IP addresses from both one another and from t
 
 OHTTP relays can be run as basic HTTP proxies from wallet providers or third parties.
 
+====OHTTP Sequence Diagram====
+
+<img src=bip-0077/oblivious-http-sequence.png></img>
+
+
 ===Message Padding===
 
 All cyphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most transaction PSBTs without exceeding the 8KB limit of many HTTP/1.1 web servers.
diff --git a/bip-0077/oblivious-http-sequence.png b/bip-0077/oblivious-http-sequence.png
new file mode 100644
index 0000000000000000000000000000000000000000..53809d7f17470e827ff4fcb1e5ca160d08a0fa47
GIT binary patch
literal 57987
zcmeFZcT|+y_9ZGof=EUXN+bt~N-A<tf`9~3as~k<6glT0IY|_Xpa_B_$rM?jNRkAV
zSfoOdWXZXAopbMd=l;51kN&IQdt>w%HO{f1_`dz^z4qF3%{f;^X{sv`-=Mp3?b<bB
z<;U_`*RJ6}uU*4J5#WKJtPeh~x^|86nzFpyb1##PY{F*kXJ<VO#8kw2k(%9F4<EkQ
z>U%qC|M*^p07tbzw`#X0!97+cHUZV;%62kZt*<F$1wx5eC*?<NTfXAiuEPzU+pfd=
zhSL6{Exw-@n#Lw=E)E4ti7(@*o{?jbll}7*e21eV7^xON{H~E7o0;(+uX%#UsFzHU
zK?MJN{ko171#f<<Nc<32UiP0aw4&XAyvLPi<Odh{)g@$0_8*sJ#HN56;QW^#dCSS7
z+4(;{4gHU?VUZ^yM(F;_k9vu~1-u``(S;F2%GQw`pRD9M{QmLjupOUa!gssHCWeN;
zPU>)?^AP2#adc!JL2td(pKe;%BxpTQ5k<){wbir@n`!dY5Kl1;y!Z*;Ntb99L}xp9
z({7z|<al)~4`tga-Ej^RhM`1X(T~uaA1@{x&WDm3)Y|?m4ZON!YlJ4#%z3Y5*ZG~e
z*v+-JY}QS~2%7|4emyp<dJ#n*aJ(>9Vg9J;WErmdWAmdLd}@E~yQ<r8>)Do_!&FTr
zbk6Vltj~HG;z*}Rv%PLEz;_x9+o5T*j{E6FquyV0$|#K$1u46USt)|3F9R8Z*<Nz<
ztX%d;2A@@?lBXXON7zVZ&MOXn|Lnhzd%?=h5O`imsbXkf`I^_Drq@`#iNAR#q~r{Y
zTtlZzye;r-vwkxOhor)xZnB%2&qy!NSJ3-`h5clel?ZrBiRHJJ6dqlsQ0sx)o->LN
zhv#{)T>ryK5AbK{t2tOWcoV$!D2sGsj|^ka8F%IF7IZXstPI4yLT=Q~J@~KqkhQ=p
zD?Mge$*_Z0a(svM)%+TMC8^qjD^-@&O?_P+$gmuiJ}Z^FJYL)ym)NKXrDT@atVure
zyp8^7+7>XRa^HU9K8Kr%7MYd(sVB-=X?)n|UI96@hu$-b_^zZ^3lj;0G>WhwlvH}6
z;)i^?^<btLw~_t5t(=RaxjAvSRZUhHS$tuRkL}Z2cH`x>pW7~{O#BbD&%hd^h8eu(
zvDUvAYLw6G$|!(HW#lG&jC!$DQ}hgsxk3I~df}kR^ng2UeIX$wyIv?B@fZYKCv~>P
zw<*_i3pJVJ_ec5Y$~+QogubO?s>%YByqb`<2aBfuV*dBC@kP>sV5)EP65hx@I)=Yo
zmks8Q=x^EWhQKxla-<~mt4~}0o~8%5tgsqM%+_IK#6rbSAho1VS6OHzl8ekn8ZJ-Q
z#~VZpP!$c`J|P9~T$a9$<ttN4{4V-n-$@MRDHg~vq<g@G=o~rhhB(^ux1CotwHh~h
ztRuecR{t!~oqnbvwG<FIAB=BMppt52L=Z^HL1A392X;ukezkSOF*Vw|;-+^=avL=f
z68tq9HC+cH(f#+AJb5EhYVuN@)>6I7j=R1a56(8KhmB_Jw<^8vFF#k2j)Zj6^7`nO
z8PpCL6?Vvt|D6%e6M~R&I-!^c!)2{lN;4EU54O7<eA#uYRMLHY%$-kj+{Cxc*k`Rk
zAq|3>nD|vanZS2`CtYOg18Ypf+C=3C?awAN#=hgmo|CT%v+LCTBX5;nr#gM)yK4b^
z9P6}E+0z}z)VTH$Za@DeSmB`V<wyr1D^kT?D~!*$5fMg+Z1(E!qcQa}2Lp>XtY1m8
zH~6D~x?eBlv+vZIicl6=|9jf0G-T0=-13;Mg-xc{==SPOqSyY2(&p-i1a$)l+y|A|
zeEUxtB#<TVy;XnO;ZnNk)N2}()d0WM_YvYmDqQIBFl;1@k=>vkwuu(cQ=Mz|ci3MY
zQ6RjDW}|uwbu@XCdcA)niX&&Ws#$7pK+xl8#<S@+yISV2Qk9gXX!yn9^zf|zkulBU
zL!KLb<f|NV2UO^k-{YT6c~tpf<&D3&R+iI?7*S-&BWSL}spm!mDy|v=^)-Q)Cp}%u
zWYui-HTewm#(yPeWe~Qk3i(8Th0udw4e68oUgEex@%ELz8*uMYO5X)?UYNyoEw?;u
z9u|ZHTQ!OiX5zhcYb8nXWUVmw<~qd^*cdJ_J1V1b67f~W7!Fu3O0jLK&S5=?A+c^E
zeQ#K1uHczs;yg^J+^B&f3NCYX{=HbI?00eJMSM+PYgWMN+Rzl09c^^aj~Mui=8J8?
zdoYhlD;kOI=Dp~~)1$e-rb-qva+8$N7mcd!8;$CidB5>G2&wjdpr-pCHgh61ww_r9
zQnU4B8R7|3u6p?8G?JVp%SkrO%lT3B%?A=AR)d+s3J-42cJbVD?p$tA&lVrrT%Yyb
zu1!`K@6%Q-RV!4_&boiH5W$co%&vnnQ`@n?<5qJ^<NqB=?Uo<UPN}EN14T~RSM{-%
z%j9>n4;7iT_-xG~tWM^XdT6^We|HgEPP%<pqqOM3R_x11DA%z^cF_sEh@_0>`uk)m
z;9zuq=Ht=$3^RE9%kvY3kZwbrBy%P!A!=F+b26U3ssi#yd;8xtBxq_OFa#4@Ke2!0
z3dPTA8x7xIZ<KE8miP0wq1=UaP>I4fp}b!Ua|3MS=!6Yy9*=|&=?d^@vXMiddkl%K
zl)8G{?1-1Y9&yJdQq_gb;hqXoFx>)17F78vhn8in{%FdMe<kT7^Is=3Sr(W^r|@Dq
zT={oFgl0^i^eXdM62FSEz2GX*um0$&Kqu~2WbD*_T>-tE@=U$bcdNlhD)Zv($kUk*
zB<1oMaPZuVflyrcGOzO5wMZu(Yzp;1_^GQvJ8aQKyrne=hk9Pf_9AZ(54~(hKWeuk
zmea~YFyTzsy!t*?nWc%3pJvg13Qof@TGtIR*%L+>ML`JPd_sIUA7*^7m>8XtsY{EW
zgW)9-B%-~#V`;aD&m$ND^fvD8E%qdM;#+IYdauxPFgGuSvtoltJoQ;6DDA2J4GvLP
z>V)U0Q9rg;M*@DM_TI0zrqxRkQFV$7A>fxyW#2hMF2M1ldsICvbA`%YdzOXRrB0KF
zndc{V|5i9Bj3VKjwfc;3Pf<;SM8O~WFuyDXL&{(ULsCAqHT(;ZIK8x~hs~h$y5k_a
ztR@!tN>f(y*QirhH*8E$X4?8SFW*Sab<>Dkg0tS`>eo3$OEg^`HGim>C|${mtU!Kz
z@o`qqnbILH+Ox=Nzkw&eoLvqpitsT#y{{A@{&@q`1U3Iv@gX(^q1U*mjEVg1j7iR`
z%QMHy^+y2SNK0cdOAtYr3IIFLvx=X9St28xx9HLr(sSg*4X0#SocVb?iE40-o1hI0
zA3WP`+unLFZ=)LHt_G3xswg4V<sAxdS14sg<9P~UZ+#$ID{1jHkaX@G_Tze0`jk~_
z2kQ*+o!qihZ&-Z2G!Kyx!`Il`FsWdp%klv0Q(obd40PrZI=u3%)P+@Y2OVcu-g;`A
zP9mOK(@Oz;ef;YCTg=J$&I@ytGhy}t88#M@h|knyUXxAk&kG*7w7<`Yd1~a1BpfoK
zZPg7iC;=_{xzkmLaSVmOsI@YZ_~`VJ&`Dq^Ge`ng;w<s$H+<Sdt}8@@k1`09nk&l{
z%`^9iS`X(Kr+AtD`PHXjGt2mdAcbS7yHG5i8mbpg2CaDL^`_6EdQimm(;KmGNiG0_
zNbEj0dV?S|UnstT0Ytrm82l&lo-Q8Xzh#0%o@-EUfy^#$Jz>Q-I&D_Eb79M#c;TUs
zwD-+|B%tBduskA|BLS6Zuh|&F*^=X?ljVowoA$dXwBM;sx$kD}c(j)8*{Nu5#3Nzy
z2a!Ui6$0+tvn{<-zXIchBcxCE2QOE~O#@rrjEXkiq!a2D9S`?nlD{)K#mOr4C6)9&
zwV_$$0lU7zFOcU~4=tykj5FoLE@j%4J8y*{ZWaH1Qs$?FZR>MV>_JWzjLjM(G1lz8
zXGCWua;WD-(5T@7i&1)A8~OsL)^6NmOaD{8f;x?LDG$NjQX%A6qES#ychuLfsocg%
zSVJXD<PSj>p)euhxXqN;`!)QFS@Y$W5w|$ygXq72`Y(Qf&(E_B<3Moz1CQT`1_O{&
ztH<O12f$~<K2Zgc7`URtLiryhK?pNQewyFQ+W)@h-_H;!dr6Uq=$mW!+568c%fEXE
zU_R9kH@k|zGv~klo7e`B&L2;hu)u%R8=RbA^{xxg(3Sp$hyGn${GVa}@0e{_KJu5N
z`BA*ajY8>-rLCCNl{Fwt;WwRaJ^#}m=I|Jmf2)m)=I>Yt9;KXc?xA;RqBEQbR?AFn
zrI-O{HzT(9!}*rU>Wz!uT+^##V>G+Q^7GEWOEgYK>`1tYgT#aty*lT+r*=hurI6e&
zJ2u^u!i!2OsF%V24kbQJD0S&S%LNH%Q~?B`@eA$G|B8qdED*v1L8a^<%v{1j+zvfS
z73ca_+^$oClCT(azu+rOb!hwdt;vG#u!B6`nOs;N0}`w{xT0HrvF5+_z}I+imB~sS
zRWP7QfCbslRvt@H{p&HqFo;|f6Vmg6xY$wfI)~{gaM~dSuVa@P*4KS{R`}7WfUi#*
zTi4h<byumti4fFtJ(ygBxF+-`mW)#!b<^7|-*|6TigqoXZcqao4%7Nc9mjhzyM3Th
zINctq-lxGyr>#hU@;uajBXq1(KJH=Wy!X50v-JzvhOw7$5eHV7i^HhOglX7ds;-HC
zN0XbkH2Lau{b!__wA#z~ShfsAgAZy(On|~&kcQw#k-;Ffl##ge_pPdASM$i<mhohW
ztE`gm954XWY-bwX`^l-SrUx;_Y#OhjH3ihFUy8C!AqKuR(`1;+r7bW*T$_P~O)9w)
zWT%a0$JzOrU%&<1HyX7de0Xg;*|F_ntb+{7Ygkv4?J;%lv8S73FvT&zjvEatIj$cx
zN)VF)XPcXF$JTqA16`!P5%eAv-h0c+D5@_2enIzEhU**M*Qvi03Ck0taO)0TUL2W5
zL3kr#$sTK?RvS{@to6Yao7~ncC^^(`DxhNTN=>PYE`&9ke+W*Y4+bT}Ai+T*;-19v
zdM&GSvfQy1ss^b>i!+?J%nGY|DR85L8)OjCHQL)%NHx57C4C1V|Ga3=0|6DH%=v-u
zF)D?8mB(HY%}&Ho5Y))({7g1EyZyZi>IGSACLhRb$=74#z%SX~$2NjAr}(bAf;I}y
zla+$~I|-?VrRISb!G*c4tpS=HJ_Z6uWKhxPjM+Kaq;=A$3A`OvzdTYyvtO-<LKHcj
zlZmU}N%y)WU$+Bs^}le@G`PJ14h3{l2(q>rgE<teT{pp7Nr{s=D9GHoi}ttQgPRP5
zoHF*SQI~?P!1Fdt;CBd^g5aSJYcK^)S~rSR!4wEh(%vZsQ?O9-N*`ABiWtnocl-Q$
zehTQ?5`3^$74>3o<5%Du$iji~)#hQ~CijVchw?!6EAYTo%qYGV5rNRa6(@qfLG*Pf
z-+RXgmhjsP8>b=)C~es1k5&zRABDkmsa3z3Z3U?z-BDzm&pCOpI{C^!8PRtoHWW?{
zX0?;2h_nhU0Nwx60;Dbd|7B9wQ1vKGISgxDV}F$Gf4Wv!2N;5hVEnr;(@lIn{Vdi0
zPP_w1r<%{Lr(eq(mg#)g%j!3Be77peSrqlaHmkD5FbqH4@@oaxD4>BC2kFERk%3vi
zJ+(6cpi5yhjbk;ho&ioGLD+7r^yQPz2-12CX8~(D7(3|hTlux!c2yUQgFlsFlcUcQ
z0k-lK#IgD5hA^g5aR2?IPhI9>-@TmMw6(bwRK^#uy+LS#VNVZ3;D+>Er4<-W9S(`;
z7eI_8{*g5H+wH3Bx$8So*>e~EM`{hBiDsvNu5D9{E5HW38*pq6DutDe8PB=e8@IR+
zD<kAecg%b4xITG0ZVHM=h@f@s*??nZ7xnthHBjeP^d)mlgAY4A3cp#o-Fn8ikXS$C
zVR!~$U$TiSz*JLK>BiPXG<-&d<$yB!+32|q16<FuO1-P&Mbf5)a0qJ8W47754iG|!
zl~F>DEX|s$$L=P7HXH4!pa8$s(wKOe)Bh-~2D3DYVa_Dsp=p4~8E(D0^lbw4Q<Bat
zHyLrjxz!)~y}tsbXSJ~7ED98~@A7i_O`0eCb8}sX#9%U-kJ&hQp)%(?p%`MW8?Q(y
z;Vy=r^SwA2$Iymb?Z+cZ4Emc>wVQzQ5V@OKZ8Ka4rVwR(w*I+o${OxK?G=xI^Y;AR
zF;L#B&o{EduvrE&Zj3U)yn@^TF+_Nb;iLRV_yF;SVNML|>@#Knq31EG%ps;|zjKnc
zb2bq&FU#5jj#v-CI?!C4f)d*k{u&%KbRA)%t^U4n0V|ct@g48Q7!s`Ne!eEXi_?Rd
zgEsJ}Z|?gXPTI`ah}C_=m!X#KrwSVfr_bg}ZlH*CU_Hu3Rb@}T$^IjnurY;;V2wEn
zo+w+KsYT9d=iIrHs&<Q?>Lgxz|Jx(uHgA~U$x^z<*L#H%*`BknZgJ}fiP!<Itava(
zuy9pu0pEKmRhMp9EeAql<P<!ZD>HWyZFAc<sO4~~WR;B&(hOphwIw`VvUx}LZ4GQ@
z>Sw*nl1jbj{E5KJZ;VG;LM97Kn&2cu3GN~m;{|bVLGB&mNUnIbj(vK@Q6P51mEnz6
zsFl-Gk!U!EV1R+zKQG+^&~(DB;}{-*L#0p+z8vP6=+aGVgP@54u^%vM8?vQzcDQNx
zK`DWcj&yF%5Blc_5JlGYa{*0fMohEy(=Z9&<qR8?r^m!=8q(&Q1a_wM)>kfCsQs;(
z>AQd{<uICXIzdC_!GsDvcdJ1VQqsBaGA^5Uciw*qY6_M6o?99b2s!zk3i*MZce_iV
zO0SBimuST2BmIL%Oqb6J^LngEQ~LhuWH@jGl$|wdB9p9q8}j4lhtrO*#r6w5&AhX2
zMYCb4BR76_i<m2(w*67nv2x?4Jku-ipdLS-Dm4&~{#ojGSd4?Ji=R+HmC4sauo*SS
z(97jbTP`|=B0G;FNO-3t%S~FQ^uxW^I*x?q#y>^FfB!6@8T<jRv27B&qj;CwxmgP(
z90><Z?5GLY%z1|7iuTyvTl4f<4K7Ou#Ra^rXQrT(cb^SEBj(1A-TkQ5fl|sJHPJUp
z9z^3kt!~GIP?;l6f0twzyl&WMhT1Fo*_@<@nE#AJWZX9o0idv^NX3MGhdw59u{xrc
zu*vLJ+%go<!yG${QE<1|Cf3D1G3RQtcI*`w*FSw6P52h}=9N{1iwhLIU@z=Sh$u)h
zdOPiUgyU0?8qRW=ThH2-lx={$RKt=WIm*}Yivl8Sn<9AS&~|Yceh;2oEoX)GKFQlI
z%vYTYUMf$?;`}U$4L&^{4lWndJFS8mzUws~d@w(dCHB2+q<ToazhzLl%jFq0Iy@dt
z^5v297ODYo8GOxPW6c<9=Ui_V=H03uIH*L2L;L);ybU9KXE5|XNG0z}BA`_*J_l8<
z!&3D{8Wm??^|I}rBr^A_k@+-2IfJXHp!OkNmdzkDHPUdO(;Is|Xg`|$2#494`t2%=
zMM6#^o2J~yjaPUCE2(dnF6tp1n|BpE>BtNxjLHpai+fcD1Yi62eAkfKoXy)4p!Sr!
zL{2L)espSEB-LS?LVHIvk^A00WJR1TNcXrV(-`V)PWEeh^@Z6GIUYFo73OM49i%KK
zG*OIQ=Q%^%U#v?=?IThwHM7rjzKF3=({R67N<swR^KDaN@c-e>jceW=18Yqn-$*%{
z^&R$4U<@k(1YPR~bHg$NVQBiu*;A8;%$YJLzbN5Cuae;WNJ6^@CQ%$P1W9n`5xuX$
z7-Vb^#OTz)xasy7#kv((5!bnFkiFX$4uT1kYiK^IH;d`%8fmm=XE|36ogQs(OLH`B
zw>D8e2c$%sp>Oj5Qd|{5kW1Jd^2M@+>2e{c=$G^%r<Zn(?a!}2HRevT?(>J@ld8K<
zmU$WvMM2tbbEs#nGScYgbrF-|itw74SH1TJwfzj7ZI+S6DClb_b+wR1c*pjn<ewn9
zft`7ak*ZY$^_$M{2ay8lh<gX8gAI^QYUnIaR&NWDEWtIuUT=vmgC)74bO-x(Xu4NT
z6&cho{J5iaH7^Dg3aw+ULhWdF#|5D;mSWC$_C}cuP&*34t~lwpTfbD&?V2sI;hEl!
zgiP%KGVU#%uq^^#h;)Nd0nJVzH3LbJ)sKdlkWnzCukH=%Ii*^4B0aev%%!&xpLYKU
zG|m?UYiAByH1b0254~u^e0?`u6Q#-P`xSX}&WxH*#K1v;vZi6G0i;#KN~~vpXVu-N
z1ld?dGcU-{UX(vk+P%||)TqI{KyFgO9Q_T`i5Nys=Y@hmzhScsv;sd|IcMFT{R9dz
z$?-*U?k&&sNS~xD>P>qur`G+7M#y<}B-9=Na#55tlyP7_Ru;)i{07-vA!kF{=Xry_
zZ%16V8M&o&60gWQA3f;DDE*1(L7Z76ZxoVv+?z%c-SJlSu&Vhji+bwzLwS6QnBxjC
z&Ov=H%FWj&m+~p(q&@wCVYGHB?#KXiyu_B%!#hxoW%?M79PN!3ayu{G-HWd=+T97Y
zQKB3-<`zrcZ{n5ej|q1L9?{enDqA@$XCW3g_c2^JHJKx0G&i{I@7t8DX$(BFR9E5f
zI0mc)9)cgAj=tMCSKL=N`BwClrJ<mps?lxG2e*S7ip*wIId6=O$byRaz1q9J+NGBF
zX(2|69vwayGFMZvyDQfob-KymgzA|#z5$1rNNReib{jHWT~poHUv@C6K`f|Vhf1|d
zayEaPc=;g?1;1zFbWGe?s$Y$wp&!P1dvX}U^C}9?xbNnuiEVWcb{uP-VYL|gGD`Qn
zI+4*Hs944;+iDRAbDXs!a(leV<EIt2I|4#=$8nZ5G3E8~@}~XlBo8`N$q{G%cxTjy
zG_$FEQ@nBMh4y#JMR317BMSi3Vbx-S%xo9m?vsuduk+(wn5DV|s>jgnm~0vu{&t-#
z0daMbF4r7caAlP6x|hSo8)Q>s!~JUIWcF^NYDPAAS6r@L=`A2wI(5E~iR$gnyd6e+
z<m24gFNoqZ-=x%I!ktLA=sVx(Bpvsjj7Kn0XG!noWu@=1cB|~4+*3zY*eE<_sfc8W
z=762s+?zb&$Tc@<r94`uWMkCR`+)Fc{_|mG^fvz7-bf#bS4LzP9*sCZtir&%<R&^w
zIFjr`n_j5i)qO@-Q4QM)GVbWT+Ao&Ayspm_oM16Y`ObqfsB+7q>hCrSV~djtQ{ytY
zJn^C85Aa$H=2m^%T2+Ng@i<wY^*4`!w9)oZbcAx6EU3oF=t)f$?JXzDew}#uO)59n
zEfOLvc&SRAYkW6E&#3veP#yosu4^;a2eO@*sN4b7X5vK$a>tx#uz9b=xvO@@QBfnv
zDkg)jJ0?0Q=mVkkENPe2wY7-+H7gsT0V^zo;>U#?K}rE)cdP1!%;J)2a|e6)AjFwZ
zPv}^kO-{r9qkz!>IoTQ+)V_#}q_u)!-il0T$*W7Ituo-a6ox>Y#t95linz>LQA3$T
z+$3|ohjt`Hnk75EE)}*}ytcMlj%Hzjay)tb1hn!*zIR35+MAdM6G>fl|BRJ3^Z(K^
z=19>HuEspfH+4AKG4bNha*hqlmfSh~1l^^>b@xHvn3+fnd=;UAR)Rob8$5K<h6ZHT
zBk1sf7e5&2HGaS5<^M`PI+7!QRpFcaZ!dr!L&sp7Tj+zi<N*!I@ftKBSnt<2BNn^l
zN)d8K)%YJ-&n{m`Rq;p0IUd<DiZA0m?T&dY&7z0pzne!_*+JLs(y59ona4Q`i4oB|
z^TRXGu<dv!zy4qaNxa1@d45|Io;eY+&D^^0XGR$Xk-tfL{cd?>r2wM9EW=z*9^S<Y
zOOhJhKYLCP#tUoq#e!T+r1bAc3_L7dvX5=J7q81)FEsn&k3s@l^e}>yKy6>Y``2Aw
z*!i?z7&VO6uVFVW4w@ASxiNN^2kJ+=Td}+_0Izrlk}Rj(3_}<u$vTp=wG+Z*Dqp8_
zHrLFnIn;HbsCp(0UA(0g3Q-3~$187Wpv|@2x6%-|kvKZHjhxU?5Rm{R-F$qvAYWs}
z3EN&)!byACTQ#w~*Kv&FmgGImp^)5!SIj0MVqe%u?8MI4L1bs{om&PR2g*~X?W&}5
zUDvmUCC5K5ep;K!>*Hk*weEBAeQj*3>dNQG&L5JaPw%=6Q5KXp<i{Z?`XHZFclRrb
zT(z1Fn(f7>CZ)fuMB}}o-#j%kaDLQ;-1wGrb(!Fy8Z&e!bK{JXX^7}4QbMO?0zjg9
zr7Ze#xL@IE#}OBH+yfRfGUy0Dz8BUPB86qzZBC;-t=$2YI(8Rz)HUqg;10zLg|m4d
z86^gz?8hiZ13kTwjJL;M1PLW$cMO4)S?9KYHcCcdh^m-8auk0MrF5oZ8Hc3DPL^m}
zjNyS(+@R{=e}h=Kdw%Q<@5ftvqjdM)Vf6rH;-zzF34vp5^JEsj01Ri=<<W)x9WUjF
z634VXL_B<hC{<KSc;*&i3}!J-H>xwyA(Xz|;R#|pyDXDQyu7q_x!(w|I$W8>$EbCM
zu`j$$oaoc6agAzJNz)+mPbHlnVPiFmdaVzA{7zG9s`tw0aAOU-dy?SK%}0@Bo{tBZ
z`81n%%q{x_XPdUa-{rTzciGev0|^K}qZ?K#Rn$xJQl_r?Rg56~%42{!7S%lbG|TnN
zxYv29!$FW9fL6l5w&kQK$d%ZW8X9Zf#Gq^Gk4+f0$QEK#>nd*e)C(DL?Y@onDEZ}M
zVe3T**-WG6g(2{E`vil+@V#_)I#^x;#M&9;tcE2@O7g@>vPR}?L(t}OS?&54@9%FO
zqcoKOCd}IAQlZ^r>Ijdx<@iu@pbr^GO7((yLI_U`R|WP;E*-#3hB}1#ui1oDcjQX2
zdmQ2I?}CoI$419E5BB6xiT8-Bp<6Tr2()y+U;KwIVm^*$IrJuNN4SsI<GuNA`C$nE
z_R5eU_bjtQVKi~oC`eV`zPHE`rqm+Z`$Otm{Nj)87f3qct|BP=dGFnz^y?2C8<=5l
zajw|u`U!n+TIiCoOR6^e(xLIj`AtN2t5W^(_)RCN{%EDCu>~*UzE5`gvduC<MLE~A
zmw8Mkf@<!KQr}DHT_}hjzP+AY{SDgoYM=Q=Wr$si279M4;$0;*=PYm3l?GL_$*6mJ
z3D}L*FP#^8{hIGs=1k~XJZKLIKVUX_7@TAPtFWyk;Usuv!p!)vf`m!u*oci1>K8$M
zbkQeGhZTFjU6`u>rU@f~7Xx>McG6qgR&M=aM5cwTS%SI@8P9CX(6+WkSDa_x3!cgz
z#T2)TlXX`u)Hm-i0+{GX;jKm6j?OP<f6Tj=i0@nA&po3~7{=}B#NB&Ks<|u|Hpef+
zvdK+(H(O?|sbIG|-9zu)<$2udyUNigVMw)CMN7+4AeSeaC4YgxTOG!+%jEA~^*i!=
z@F(N3TO`L8Yh^^@$&aG0Y}e#fI)=`UX$2mpPibf#sI(<HpEV-+){*|lmY2?tTJG=U
z`VOo_lHBc;l$eOr^a@&RrStXBEWSwa%trpZI-rK`rw`tuz9ao%<h2b2Omp`7jeeZm
zE;Pw*Y@Mj4?(G$n8TtF1B&t#lNnZ<NZRbx5Vi5=3O$AI^6FVmzg4dZM*yt-eO;~&w
z+V_%ZGzo}J^UA)S4>-n7PPp)1EX0Xfj4*HwsWPDKqPpIbF(5y_VO2(ypRCA0o(oj$
z=G{IVv3Z*kro3M}$q9>8uy8fWGBnV{93CFW>ajz((Rx;{31*Qq34a8oIaq6VUpL4;
z7QCwLVnEYgxc*kU!-7y&l->2!KkV1jL}#C*ZJZ^$w@)4RiI6>ryoH+6Q(`?_I7_(@
zcp$z}UHRnnVF%ur)H(@y*hKs-sL{G$gL&KwH9TH1ZrE*6*gZ-4`#tE)(1tqJ*Kv0!
zdpfale<qz~GTRn)a<FkKPmheNpi<I|wr0}#oEMc7g(IM@l04+A=6?E1*h@)%Y2L7%
z29A=L;TJei>7M4zydCPa`b<f~^WhMeL{N}x9^o@35;`xQ#rTrU-fDJgue!rZq(z2j
zKC8-%i+dxmI`FX&I}g%cz(1CJm?4)7Zu4+MIwbBv8Y2bnPF`L9S?214s<r%p!`pr|
zJK+piuZun$KR>!uczWBf>M1Jag;9YOND_X&%};u47r%SitRFd7ZEJ)v*u5Qg+z3eb
zrRBh$3hZIhobLtRg$s){bK}zuf3}QjukmHT9*7^?H<+T?4Xv3kE*{q-l&=W>G+n<t
zuh+KosfScld|mb18&wo8ThUo4S#LgqaMW=Ieis{2ZJxnS&AK`%G9oqL?)>b|ru={?
z2i}n&>YcN<j&k<39BtN}b~GhDOPUYy?&lN?EfIFc274IvmPH#dh)43?P>S<NWhB|J
z`%M#X0OfjwTJhZmysm$^s)%$c0pe=De2MfAk3RV8Asgr9$PCX<H&{|VZo4L`x|79(
zK@6SoFVn0gDWC=KssBh(K$&m`(Z2x)?B&92y!gY`2&yGqkp4o50?PKjz^)SrDU>23
zsB+SAQLSgm@e%_`!)SJLL3F#5Gf9#j*ML}WL8DVL@<8HHFYTQrX3_pR++V%&1@GY$
z&{sjlT+c9?i~yJM?I2m{82B|kH#=G&-`umD-^~OB^8aD$|6gM3t*je9X}%A^SPq%*
zMttdbO|*%jnnfI@CVqT+*2S4XC?5lnCiUZcek1e?P^wX~f01yCaa^%-b}9Og7`2^0
ztZ0or(O36)F_NcHXVG<|<lkVbXXmu=d)bT?N7I?@&tfa>;^+6A=^N#6ftTo&%;oV1
z9Oo-BUBl0HO6B-g$AXI+nY%2T<1zsn1ookUENrum({&DZfKV@fTqq0ll<SYh0+eeI
zeY@|A&I*8$<C%(6BQII-^Deb_if+{e=Q6?fk#T0xvbS+ZnPEN$zpa4n!2k9IQCYlp
ziOys!tzfBKC|(^fkWJx1?8yvf<hY8T6~;>eMpUl&TZ_KB+3L6Vhv$34Hs1W-ze~*q
z@)*_)NMD`1+D%lv*9KII6tR_enOde$B@nyB`h7obEkT0O$U!xY_&OTv=4{7D>iu5U
zeis=(i(4}s3`;x=eh(L_n9>PUAv@b$Tn9fKr5v|DY%>3u`BOxyiW)LLGg%C4R(?<1
zCcn5jQ)hXc2B$c97t3c-VHP}Xr1tiH`&6x+4X~^7e@OcoOF+ekWyC+{yDhaoRa>H#
zBRP2pDEE%n@8878(ozE1F~wQerLh68(4%H?`p&ELyZ%Y3)9;Mb6BM$Cjj{J={2dQi
z>~>Svx2ma$;lH+I1t#`nVXtU6JUc$J!K$2feiZrvlT-4xVCk-vAkdkdtd-F0cjAlL
zZi6>w=LkbIyXd2zjM&$KV)}7DJ?PqtM4*O=?y$i+7K#i)fci?<tpPqG13tq{2An@1
ztbpBy1!NBrUvM?i;xscLt%mF-BM65ygn{x4?8L;8vWh?z2@3^T^#8sU_|)DrVj#}`
z<qS@I3jV(^pN=4m_+U$@2*TjDOcZ?n{5i&Hh>RNxB6yL48OZVfa3Ek9!i?CoY?xsL
z{BIuyKY!O?^eyg<E*jGsjO(v%!h&epER;CpnHJ{xx+snT$+ijj>uS$g?;aA-`D?(<
z8y*=IM36#`SpwO%`-=`GO<g)VfpDKXxnDB3$a`^vmr5?HXg;<%;BSrn5cyp9ioG#$
z&w(V+I?GrvAphdDXPdC6O76wtAII|8l=5=@>Ta&*MP^H1Q~Oh4CArLrd$@p*UMJZD
zYF3^J*ROMX+iMN-U|O>#4fc-c>K!>v%l$-e6;qRQUdO6WxZwC>Y|t9gs;b(~&(8}j
z`1Nl3Uw#ip4zP5;e${;X4j$zdbE0P&T*z6g7QDf{5>vrySGgGcxCgZPn;<&+$h?IA
zZ8tF|1JM$i_Z#Eip~3d%fa#POSXEmOR-GQK8v+~i(&xAQ+}ex1w%Er6SHQ1&2qq9?
z!Yu{$n*NNbyE^WlD9oByi|xV1bV>|}r#~*IEj%wWkbg&ot5c@$Ah<GAsp#%mQ=AID
zr$F4uwv8P0obz9)5{?7%GO%u2E%kHX*X%dK9aRgG#|A#&`d0t5sZLTEdtd?5ZG=C+
z0MBrR@djiSeDgEYSf52}LcV=UPkr|Br_;OQGzv<+ien|a022+k=*zdlC36Vm(K=pr
zGbNOWnx`V17%~+`NLdQZxFCd=m^JZm$)MXUM>+1BQ$N`?a_oV0<w#pojIlH@g2)^a
z|0V`qaC*+$POzHw|HZww0o)07K#cUs&J;m8J({*mkScXu8Nw)_`9Hn_4%m@JF}4E8
zZi4$ljTra&3~*DfA6Np>(IaCCBROg@xW6G_WoE1wDkCQEy@Ltv2~|{B=hIqTOp1uj
z1wO_A;C?@w+?cE`19oABT3(>rVQjJ`fKc}b((2Yg_KVjWKml~GR*0dVq&BpFv+;-G
z;u83C>oB4lP{tTajGOA3#tXMDFl_)|g0MXLdFxY(hMpLs0I`U1PH!}>m-j!X`2o9w
z$u88)iDH=SQt{tq7eHI`WCL%$YxWcw^qi!BXudr(x$ZeNdbuFo#AU70AKV}?OY^OO
zRWz?@D@tV6Ycc<Vr=LjlwoB;SYP>oie@dLLepocf`&#8_YiEqP8~Oj^-6*0V>UKRY
zu2ZiHCxJk^WZ(lt(~YWrK0y?+LN?3i_ouN!4Ths8J?Fijx~7wH(Ak$5g<xUX<C`4*
zB&|)>LMeY|IB_*TgWtE0>e;ry{q1@5j02yOgjN7a0_0A2#bsV7P(ot(+Rj~?mNV^Q
z_kzhtxOGY^z==2s_(@oa?&rEkq*6a%hy}c9pwt*;0}Y{yh`;&UUH|>37&mFQ7di@N
z6qz4zaXN_+Qk3p`=VyB_XKbAU+h)H(%}aA#Bj?xd8xs%iMX;%+O_bHo+5(SfJ+PLK
z>Su+MGQcppEWI<59Q0xgi<M`KySv<cUKI*9vd2KE&(pUcVRU48{xeB0!m?c{6U`<2
z2Z7;j6GJ~U2YsLN1*`&(1TdtyJ>ZKBq7}489Mhrgfhy6KgJ8184|Z$6PJ_682Z?pn
z?XU?njd~nX$#1~oX#*7OSV%C<J)m#Ee}aHua}Is?UMA%=5lv$oIR`Mh)MW!Va~+Ue
zCu+w{*5!wQnS6mqV&DHq(bK=QQcSZ5#{K6H9Np^AnNW2=a^>*4+{?W}oRX=+?W>}s
zcD~@K_p&WI^|7TRP90lMtPLC8K2f^F2A=M(sXL8aUY>0`u4H@W(7W_9VcBTZM_}wu
zJW0h$xGKP=^zqjKdWH#{RZ2f8V!_1R51@dypNRDn^Sva%GOZBRjF-9e!pQHbz)1sq
zNtU3UBE$dc;z;NH!|O+9zz078B%v2zZyGD181dA_*H~>XcF>`Nmmppp`_p)<!9>C}
z@OFMBYcw_<yVwE$m((tjay{;=AuMtUV}hR94!pYXWSI?r$Uw%WXBJ6MC+3o$?f0i|
z%Tv&1s0Jv&{ra|Kx27HHvnh>$R_WfRL@?3=Fqi;IETBMu3EQA6`c}3=^n-<|p0=el
z>W)0MN4Ng202CM%z(%+iqT-SPviBWr)%)OW`?0g<tUk=i&SEhx^_nhwn1VPF8n3@g
z-zIx0lSv(S{VSO6l`w*gADHeKn)K>U5(zy3L1P;C#ta?Bh)B}j0RO?~WX)^44?H&X
z(o5$7JgWpUU;9jiFit&>$Qi+nOEm~VB53y!_bi)0cM<E5@^@75F@1H~>re?@A9tvq
zSxzFl1DZ_gK${Lt96k|c<s$@g;m;v30Z=!zmVq<0VXy#T%A>996dY=X(&w?2zDHX_
zNl1oEwKoXm6<a?48BCK2#w-=(Jx05i4-DFxBAAF?@av@fP`aj0y!lQlvy5h&R-LF=
z0XK>A*kO{v<6`l{#{QvH>1>*N(%d`lF_uJ6bhsLIxh61-a8)JdyUtRwQQemEsfh`0
z0NP&mb$mNju+hh3BINwY_x=nB4pT)zc%TGKXzhvlZQzSmmwhub5Chkcx%fc`h1n-a
z9lqVYLVhxfGDk%r)$9j|cLn#OHef$ug5>n(*=gWL*J6k)HYY3-YC-D&@*oP^G0c$J
zIkX8fb{943^j@{w{6n0G3(PZ_UCkwmq#}d~Rq-p)2!w2QiJ0CDYmwQYKu;;*EpWzH
z0mw&5va-Z|RTWJ>98Jvq{AS_9pUl_=j1?k(lCo+MyNao$ewn7<((`=9oK<I|;8h=U
z9;3|UrtGT+jlNo-A5WyXE)Rkn@$82J4==%Wv{fGEjfzhku-9Q&kvG0->l$0>ns{3Q
zTGIx(lxUslMO6yXGexJODQ+0KjVKI_c6ILqqO%fs`}J!G9`4`Ab0oKDMnqu_UE$Y1
z35WoF%T!Ri-H#E`akCQuW8DdG#fBc}-RLBwyRqd&P^@d}|FdC08I^KyL)RBTfJuyX
zaN6ea1#rZ2s)As}dc{Ejoi*<7DP$xgK&&{HJ|G|nyKaHaM8*rNKqk`1<+3nOOjNfY
zS%mNlM0>I<UO79nuz$=)<CTzygvjF}et_IOOegemo&wuUF0TzNRE=vKizS`@EGNO8
zQhDTcrjBL=6AQ+3_?LS~-2FFVg1(gB1jV{2n{>@+`DJchh0aJ%Zop|D8~41;4_}ar
zB-YcSF?LBRad5CcG{vH816EEU@b94YV4<Fr30K&$J`kd^VusF7_OexfPTJ&dqJH?T
zeS04oQ^J%JhP(!x+wP!3TN-j<lDPd^{+j(E@GuzZGK_0JRu2-66wMTKU1r@U=Nobf
zC15fZo}3}$0+M&QYr<Y1-YR6W|CsjmZ6+kGMa0A6m*`;d1o8O6Aw-a)q}I$>+k6Mb
zUM8dH#UNF>Px%dVG+IxSz2mVXRQX$ebX_$AM?5AG0;6W6>=qyd`YyzN5CCM<@z-V$
zO#;12VxGK1K~Yk;0+Mb8C4}Yzj<b^Ko3VN+=o{FfYSPp<x`Xe3nHkI#do+qQD(!2o
z)p)lokcN<iO!dVVW_Avd_=sG~IHo<iMOmcz>ka{hg(Cv-Zl$VVuL4n${O08>1~l||
zwA+HxIN;(ymqjF^)Rt>f?pg`Mp5j+0p1@4_##@?$y!)VF2@@O^Y|F5$E&f^IU|W8c
zO{u;K_OcdBh3%j%T+B0GxVY(qc3HEsEp)Beo#0nCf@vq`2NHL`-u5S#BMux>yrn<6
zR$u02Go7*|o^T6lH3?ebNU#YEEZQFDwNI)`TXRYH6q-cJ27rkmv<ZNdZoHZ?ykm<a
zeo*D|h6c2wBobm1QD40r9A1A#iBDW@eE_k^BNCglo{fT#d_+#k-c)V!*!%;UVEWqG
zHbGw)k9e=(vl4RWN29oxMO5rq*{;vt?v+2a!N)+bWx17qVX$|upfp>Afx_yhpjKys
z%;l<u>v`}y+BM`AROPn=YPjk>f5tD(UI$ea)t?Q!jSLJeG;|Y8$$vsPOe+fGL(pH<
zFN-Un1UAo|Lx8XTg0_!QxQiUllv%k%c`NU}dc7_+zcb&r@HPvd(zwFSNnLGaC_CF%
z-;JqE(3uEx7RMC6nyUE}!@}HuJ9wW88=)b(fO~X>gHPh-u8<C@;-)87cdGhMMA?+#
zPo|cEdFgAHrqkOM&=<5Rka8mQ?ZrLF1B<X3(3;7&ntM1bwsL2DxQY`8@21nel2^%$
zhrpfTpKUEBo5bUhHCPQ2f4V~YjaK3)c!()BcA^~E><eH1dt6v_4B9BOk0W^rKwn7K
zYeC;bdryJ_e$ZwrGRmIJcLI>8)8q_i{u9NT#LJVS5Aju*!gh_JGGY=Rfh(5JN@#MF
z47zlA^~*ryjFmc)Pr6n}<_t);&nWKNYbuWqv}a(Pwiwqj0GL}8G@9pfnIkrT60_q=
zUk*#|#nw8`N#B1uG|co<h;~F2SJ;Hfm#&$X1x<?eNZfunk;f&!=A$I&*V`g{nz|2c
z)yn*)Kl!k`Fy*<8|38<D!IOKLo$(Qp7`_Q$&I5C`D3Vio)Q$v?1aNA2Fh`w|$=Uz;
zP)3p^{Qa}3j18d==zbd`2S?3Nb5y+dLe?FA6|Gy)R$`JtB=geum&r*!h1ni1pK6sS
zf{Nx*kWsPk9&fEs2xkwJb5E)s%IR_tBwM2&w@5DJcQDrB?nyDOHBgrWBW<xUI4DQk
zfDd(aSdW(#LqlXet>Ol9Be}|-Ge$ICIu{T0PM$aD3~Uf;%&%CErFDEA3A+pBMs)!j
zA3g^4SEHQBRxySf9tr%rUhkSv<LiMdUBu%v0L^%SI%EoXeA;Gvz0Q;tN|PpjUAw~>
zed`x+^td>9JBMD6>QoXdqSU>Ai9vQvGFdB~!x*G&<DTa<!EsT@YcyS9X8s<1e+2ly
z4X!RP;@p6O)!JlP1(Mh2@nNqtxSn&T8Yt^NQz`@SMJ(FiC`Ai)*o&}zU-HKcSo*LI
zbMAk_Iux%nWg-(g9FYRdfu7l!TsozCteR+jm}p{hClvJSKBO`I4w}b2r6L$8)+s(a
z(Zei1w;X1=LLQ;ate6y+BU$2|4xW-RgXYGH2bSHUG*EsR24magcz^T<zCv|Lc^V71
zml8QKhW4g;Go!sJ;hLF}-c^(ak$1EnTKc!s$4a;DbP&OwWcj;b%!$DYH_4nOpM88%
z32+h}8uv|@FMUU3tH;`CR}^9*DH^eGhY|NyM9e71|2(e#s^k<NKr6Ku%3n`YUv~~A
zqJwF*V*G|%fzE=D!sfBV_2g1w8Dykk!xi>-+`h>T&D`vdqJi4;T$tzR86D3gv8iVD
ziXP90jz=}LSD|MH^B^an0yVk<K0#{$5cZ<kk{_ey)q66a1n^4Bo<{M=J|-*SMWohZ
z7x7pI=E$@oi_EeeMyRf*;cWx^dE@EhWVMSF%xTL>{*d5%85aehAVx;Xf(I}=BckO$
z;AlM$6pOa%0Y@k;<Y@Jwh>#<_91vQi*GsEWYy>yMhCz_n04(jA@#EN~gSispTAe@l
zdM$ee>f$ksqj#lzsY|UVo<3XFYpozXi<`Rg0gF<+8+EFlbMi~XK90G|Pi<W>Xw}5S
zF=3Gkz5F~&SROCb(6ObqzcgGsN{_~rjQ38d%0p}<ar-5r^(5r=GDyi4U+&TWU*8J=
zpisdNbhwDW7Cv$s06#n6yVo;1Y6^N*KD~%}wyOW(vniu+S61W|UQym4Gkugr%;#W#
z3Yz);DkF%dj_&1tXz~K4P=sCOlW!kspn!65;d9VaFT%kJ^J12hD+Ur%Q8hS_hq`#`
zP#)6`LsoH@yFEQ9z!0ORdMm;u=q%V98ATq?42Z7LtmSu7K|$~C!?z~dZ<xVuppsh?
zAb*U5IeFfx{Nv;>HHn6xD#J<WZT(O8D}f=kfz#N<>G`f50W)lsdoBKR)0X(kL&c2&
z;3IlTKo}<L);=1%p5|$|_vu|!gB*&iXc$2_Z}UO<urA#+pg|rTZWe$xwx}*)GRqWt
zWs$GPPNdJ=KL~5uT()@Cd#;ElYWn!0?5Qm}8f2VW3PD5uv=$6<Z_rEnN&2AVe+=Eb
z+~-INZvjBt^<Sa;mHV9TJ=)-AS5?d8F6(Bk0+n^Eb1vG<ALS&>u(48oOT=eP52pHC
zMio&4%6>eZB#Z-6WXA1T`n7A7&l+5;R+7SB#@vEtDJ_<<<-2t=Q*py8dgpII?I$V_
zTLzK5xKy8VovS+)NQlUE$VsRVlyRa}Ilr_Q?9<3~UJ!_MD`t_cjI&ZgF(@4$&it-I
z+?+U?_Y*7CV~0aG?YFp~`eX1c;$BY)eXb3V)mKa#jc8W-=ktCpMYImIRP#aB4ec0$
zl#nk|k5{qnoEPJ`^iQs2hAXIkQtk5se(tM}2su=bEeEt9hpAbry=Q!4LFCM5kGC?M
zyM4)SM~iiV9FV6m8tRo?4&7-%G#pOZ8IL`PmeEYv|9a<gt!ogF?^#P-HmYZ!@Vv>b
z+WhdE^ruhcf~{nw!;|6!G|@7QR12NfbpX5b(F<GHFLb;f;^jLHDAm#{<V1{t{$D$(
zdZAHWONTsli&Qeb7y5e+ibuCft~oy;V0XM=W}(X%c@CaT{@piB``J{iT{A%Mm{YHB
z^gyoorO^l(DZv{r>R2}q`ZvMz51;IEn1t8LZ(2$%#==blPP+6noLab*^;>*u0Z;3=
z6{Lxd{_A?OxD=QcBMejdKW{N&+(r_w6we>ZAKuquPDi52#ErE%v9CY8230m9@<+#1
z)d^7(SQ9_PMT0|`(8he=+&cbeu}){*rv|Hkv8}<{b~@7o4X&k6XXwjpm(*0AhQj(J
zoIAY*vOFJVE&-18UWLA$5$@NZYkl`WYUFNF=#xR}K!;4KT!}6C0*-4K$Wj`*jN@x?
zL>(~|q~20$^s8CuFV6USOkmCO%0W$3XgK)xfjGgD*IAB&V8}MeMB&(26JU5(EkWov
z&5vi9UZay;Amaoj@heE_P=hkWK${2q?>6(4(d*(X>}*dOIR|mwhSZ$CfO_b5dB&eN
zlQMQVKi(NCyxSmnzA?e-5T}gFCobcn4$cP$dlIwC8fc_Sxxbbtgh90=dT91*o!3cQ
z>@OUzw#`%3JnYSM?~J!0YcCpHUT3=>1yan`uaFRLWW`IV8aay0?Cg{bPmIg(RB-#|
zm{`w*yn@dhRq~zH8-5<tSPrzRf8yiRlIz%_&pRDBE>(6RUG}v!cg=qFYbA^Q7}ONO
zu9y{&@pIGn<rI(^|I6b5GQxaR;S~nV-l;&UT??<?_WtT2QI<@}U>_~99jF;)ceXh!
zQ|d7+Qm1e*XkS=XZ@3+B&g-};@eX-l{hb(Ri{AE`jL)2O<6cxsV{K2yOsQq{n1|YD
z!Do%qvkKF>UWjZLFKAP~Z`(n@#aE^6$%XWz`W8>v3q#ncscu=|*rlal>m@4SauEv6
zg&some%JN??q&$MnEajX^;V5eav*-9X~}0$J>W<ie!6=mV)51MY@=McZvB-~L75%k
zRUVZ@D=^*zNi{!Gs}UgXzt;zdC^%^d!Y|)q;75-B$cl=Tk6zBMd&(=*`t<SKYPZ&B
zst@OC-<b7oh%sQwQ}fXeOH9G?#$4#-hLY{7(8HHH$nD(T6G`LG^k%~W$Ke;36VqF6
z^Y&aXSYw7R>z#Hr>K2ui<U>dtRbM(}ULM%g&3#z}O42LlpETqI8JG+s`%g(Gp@|KK
zeV<1i<=46cX<A%U+V~i-Ler$Iu8lG}n(#kdbc}I`n3|rL8J4ncJKt?`f9YX{oO!AF
z^x~-Xeml&^rDpJK%~zsy4Qs64xRBY70%i`?@cWh%;FzghsyQ;XRr&cqCNHAeWZ(pr
zlkKr0>@oV@c;n5h;i>-WS@*OeL-p1#hf~hFN|AP3em+@hJ~qW?o@f4slW`m*HMS5(
z3tcIf^uenWeBXJLUG&Qwx3g58`Y|1m<B4aypqvtGIGgOr5-yxgGn@`?+H|0Cml@H2
zDsJMRCM9#hn|@hgxi?lmbgM*X>J}+!J;$ui<k)#jH_5D>Ow(4Ft9=Qbu(5Bx+MWG*
zdXbZhS2_iw-5wjkO7hf)AC&)MW*cw!*Dh|?I&K9H72v3iiHs#zZ#B$*^gj=_bhlsc
z+{{_ITi-N{Ks9jP^<JX&kVg(~?jI^OwO-cxq}H|~J`+nXKbLTs!y#@L_;bR6$~}n*
zsKBAydX-M^uktiJg)NY;cA6uhwrAFBr1f;c(5~LbwdvwVOxYhr$Rty!x~t4|s|UTr
zQIQEu+7dLP1(70Pw}S6rIGrJR<$s*j0N%+4bVb2|;ORhLF8-Z5F56nT__^vt5)G8b
zZPT(xL1d}20PtD%$ttOvKO{ca;hSXs5~-r`Twf_A(ojIfhwn@G^KDFx-}SSqV&Xid
zAMG*_nd*;pmCJv^ATmogK0TS4<61*LCs?sZsD8~zc#F^Qa@_QACX|2r%rwB3mv415
zlO0wxv}`yLN2xfip&C#rcJ!nUh^n<X%x!b`nWKlKetVs{wU2wOBO^9ySQ@8mTZZde
z>xt|5Tj7q5bNiZ4j|@$`LVnI!`!;QFaF3Hi=Ps&xJytytF%e>G-^vgBN9Q)PB1Kmx
zKekW`P|o`FsW&XzPJeFS@=(t&3x#j2;C4v3N_%W>HoF_24KE%|{uU0L-e_VMH&;5d
zG|jd!CKa9Vh^rCfVa7|ls6~~FU&dO@jDoLJNK4eAIdHdp3;ityzJtL*w^Xy;L!zac
zG83mMYd-7-I#S?3=EyK6T+JRnyIHEy^Z_OL6cEdY6LZdM{+db<@dYf7f%sSM2+I6~
zCvXe?A-|s4rX_NY_~V(?^xUfV962_sy63dy1B<09OJ5JsiEp-6Xi$OG*)zMM>oav9
zHd`<FK+=}^-e`>L@&>a<tJ(iqmVn=#yuJscaPM+VYC&Yk{Pvy}XO`w9NIRYWQLV&>
zXm{$IlD4?+z0`P?wN8=uX>GD+f=%jFe|T&&TeQO`NFm&1JwIY24<A-L*WLCim-o0k
z3Le9<drwyh7wfv};FgV>Flwn$K^~`l6%{yrkEUVH63bx!%yDSy8HKZ;<<^RaDl$Y~
zDw18L&~C`NlF#IhLQ_G@<(iwF=VYJ9IBjT_(}#iRJ2iFNL5ubq*T<)4C4{R^3q71x
zD2^xc)0xrl{N>4jEe$EAJ(pixvX`*bZ^Xc9LdI?fdEk1kmX0vm-#j{T9EhRe{uBwZ
zs1cF*SU@R4O42+wlW@y+-2{Kqxh$bVLcIwYNBrP)i`TNu;^c;+Kp4kdz$Bm4>5H?q
zdedKN)H{Nu(+Z3Xe^Ej)|0FniW?WQ>zTDSARqP@y9%ay1!pzjZTonDe>VajEc|S8P
z@riRc*iVD-FgGtG@Jjrc9piF9yr<-F9LiZMz18Y=H7t81a<!`ptIX`FbK^6sq4|7%
zcd|Lbce5cfF$3akcs8Vu&)Ft@8t&ifltT%9R(@xThpn|@w>vKc@_btLbP}FB=$4ku
z!ov3|LfFB)%)`!hsXvwb4dVS)gA89y&z#>#YyA0zg1mgoQ5VOM6kiUa!T%47$K?f7
z46DMs_IJ5m<c*MDl>)-$P08*tPLW$p_3;2&`jc+`>VBl(V4d2+u!hg)T&RF*y6sw3
zr>kf*0Q0g)xj65&t6RH@$@g6Ldx5W5D)T84KEq5cO!B*<qq>LWAO<0G*I91beVTrw
zz)oo@5g0vwD{Xnee2ht7+C*&Cw$W3Zbhh1crJV09F;rko_-kr2{&Q+EaHBgKBC-*B
zx3TkQWIs*XHPnCO>@A?G?A9(&L6DMGKtf6okr0tq8YBdyL+P$fcZqbTfTVzQgTUT&
zr=&ES?go*rySCr?&hh;J_m6S!9mC<!4f~DtuJx>E&SyUJ?Q(ZH|H)?&&wDgx$~Kxn
z)`q?KWa_9lB<W%RHU)E?asBD%*b&uP$d!R$rq6Titq&erM3RZ2G@sy~luoC*I#byA
zI5c%mTwV<bR2dG8MKxWEq>LIkJQ_na@3V{QyJ@S|wt;9vp;tKrJT~pvL;-POiN$Mi
z#|x?zmN$oPJS-G6Y>%<4CaDQJ52f0Mzr84i9wc2T;_fwQZ4Y~gomA2F#?>5W#_$fF
zgw<}xjMx%x#rcmKoUqdt+v0Pvi)xowrCrTqKPG{V5eqbkE_T$eEW}mK5WN#yG?I1L
zH3|H@E?gHO_w1l!`+@jsg|UG9kM@cA;^W;u{ji$Yw^U7NYSqDlsfd!gG0mSlE>L4o
zH9ngejy9BjDhq!Dv-O?+PH6Xhw}lLzizma(x~|{$b3WVA_R+(&cIp$gt&R)moHpoN
zckF|@0j4Jt?XJ!4+k2FO{7iby+zip~I&U6juU)cuyuZX-L^8)5Bjh~3y;s|<b@5B&
zVlg#mrrt}mP_i=Iaz#%{Paop${>Gk3VJk$=e(_1_ia!dP2ZX|4NZ4Q_cm+SC`zp$Q
z$nw4R)O*{Eif=kLLA!3xdu8f;k>kT35J~nt>rjzB2ZhI-GrehXd+V!@L#*mMq&G58
zcJ$LS+GXMczkKz&M;U@j%%oi_D!OKfPh7Fi9&J56ZB~&8;SXBaaBQNM9en%HZ3%S^
zGeFrmfVmp9_nkf%+o6fX{at1h`>!(NZe0bONxi)74+uKhBL>eNR&Ke+HKRdp5%6Nt
ztG;+~cf_=@s-KxTYGu{We7DT*_3V7x9phH()$TsRPUv^zWah&k(b_wM%{evLoHh?j
zJbtE6Qz=T22)-47n6`a+1Kn1k{q)OFAL0ZtxlCm;;t1z&Y9CJ?&#RWU{-CB&XCG8S
zg|{3&A@t_kbj4?Ek42>TZK_o0LB?iSx_+n#d*_>!ZFq6%d(exKWCxKjdscU2s8TO=
zfBNhzt)|6Lq?R#k4%jeUajy7`@AO8=y-Nx7(;r~3ot`tlsX8E@S#Rt2%Y@i?u!cdY
z6-hrL9~@aNH!e<TRT_nH@MnhTyJ|ivLyoK29mlr!a<lp2(ghRW#tASXcq*pCTgb|v
z-h{83451vj7;eW}NaR}ml#>h<{z?NmeYI=#=#dF@CY+N=&oVOttFvx-*kgRdBQoR@
zZ$)bv<XTT!-B9`+nPlb_P`gYeu;~{9i?=FZm6yGxpW_N#AM_CGz2cEIJETTY#7R`p
ze(K8FOqH1?lGJ-H?h1c$Ei|}|=OoY|_A2c}&dg~mzYetMl>^dD7tvac8D*ie!2}}C
zx^t+r2lXiHu67V+k|&DP&4S2wri*srTAY9HWQA&&^;k5aRV^GAF5eaDKTQ%xqNfyI
z3yhC~LR;t)`koWT_mDvh<iz_Wfs(s<dsIS79}}WKo@Nb^XEar~ul?LL!R~b?-r>On
z9T$uhiSv*=IOsHke6%i%`C4DH4Yi~=?By0F-`*@)*sp<5pONmAl2_wK{V7Yubj?WP
zG4Q4k>IR)V0`|u8<T%1B30tfTn5Q{AZUYT1HQRIjqu$)yjM1_47uv)yuj+`eTGu}>
ztZ0uMN<(T=pbs^?0*znxVsCsKAh9Wub{0hTGq42Pf;!(qoRFC1AZJT&2-#u~9)oq}
z+*fn@ja#1=0*zZL@1~y}uT=zZei^vFrC2EP=>0w%7WiUf?R9yDd~Q;q^H4Wc1{!Ey
zI0V!w%*<@Oxc*_IsKDuC8m60IsJ=?LfgNZlckemb5C-`7F9Fw~)1ikH(VOQ!`GJDj
z=!Ie1lWHLbK6J(ES<5It`)w6%QL-9oLq%Rn&$(Xm;otWX8^$Iaz<-BF?R8yA6Rlhn
z?)J3O_Q>pAxqBYgo7Zr>>T-`|a*9P8JmoU0V)T*6it1T`R8uZnJ8+{{HKp>M<qGdN
z&AnbpqUI~jPN@4a1iqX)^ge48pM7tkRF=_uPrTVO%>IX((K?wVQATf~7foJz<JA;r
zNll*RyQfFkE{vBkmDt1`x9!w+9ULQQY(%bpolSS~2>yCH8&4niydT>9vFgXz^puhE
zbrN?ov4XRmEIylJvfc9M12^9-xyBpP2Tn&&hj<nEn<UOYpr)_}z3V@=GeTGxqq-#h
z@`{0nCOYuGlW}HJj`>#&3*%XU7To$yw<q>71Ftii;HL+$(KI_kirBQM@MWRQG;tJ_
zLTL9$X&3yse~ogoJ=3aUU^mgAHnqx=vq98D1P;o79al8~@{iTKIi2JHLCj~;@TvPq
z_!2+}DK0I7urj$u)K{9!PI+wym#CxI)fo8M)jn)KcPt?0qMSW8f%{OgkCl;IOoSwv
zjz=)^Dl#axa<7CJyw5=E!BU;G<V$lm=+O)!;<}~}N{&4MPnbawFbIah@4|op&49-n
zsF@HN5J2~-gNErMAgDCO#(dAdLR;ZAW^{J%@!qUJ6gS;4)zVxZLFg?YqrbrKjkQF|
zyU)id2|9n<WNc{APM`?CxQ5e3Ec3xH-pWCbKE4IR#XyFjDy&l<*whv)7x_m8Ym1>g
z7yEEUV$&VAxeHCb@X9`qHQ!lHft~@$#WupLawzllJ8(6_q!X8W+UB;F4Wo0&^rb>8
zBR&Qpgj@%rvLQsw7C>V$R&Ay2cDfK?3D|N*ong`%^jKyD;pogoIq{>WntSAq{pS5{
zahMSICxpa}+8Zz<_Gs>M<S&?vTPdWtmj_t~_<r{_PXp6}LZ`ji-97v4k2oHjO6lkZ
z7~U|uwJBgvr?82=i||&dKxn-psYNV+e^nK*KFGE&VIctX0Z}*R7BTxDx-LGecI*uk
zuF&q>`{eOvc-}2krM!z8CqO_IZ&C`3oXXonh^N6yWVTVHu?6Ozf2k@5=0LIFKZ+2S
zrx0hKm%1$|KyaX`F*E#eNfnzWG6hA!M*8s8;}DH_7EO3_3ecW?TA}C5QL69JM-29x
z;y)>F1Pz=+3OrdcK=^idH9^Qy8h1cX8xUgmj(!m`<U@>^k;Fg9G9%+rf(f~XGCFXz
zfQebW_nl9)zjsuIKX=rBi97|h2m&8N7K2EENo=wwHe=`StWNjOtnPP35DZ1#BTzvP
zCgcESUOZQ%O5wi?RxJqq#QzkRx=7x#Vb^K8h46hSRLqf;>|_9jh=KOr=wHJSh{oi9
z<Uqd_sV<TT1*A%zLRM@i{cjaI19CcojY7-&hj9@^p#k^w?XD=59pc_}S^pe=gd!*J
z4zRHTo~%H>$bcBB{XeyAfX+@r2%rYjMT+Fo_^S^4`QCx1{C|r+)oLA!JV3WICoovu
z8ZSxX8&nhn%%ufla9Yp&AB(I1NFkjPa(hvM%{f7pEQMfZBb%&xuS>TmDGhU~_jHe{
z3Kd&w9b5o!&Z!PmT-FE3_ZgK2nLrIa7T+7;6A8RSSqt97%0IDcH-u^^vja91jC!H>
zZ+S+PN2~vRMt{Y0Gkk9aJT>s>J2c?VnNliRtn1Q3gBE`(v7K-3+=xr%nT^YUL;Ur}
z6j8NPsmp&4O1+3Dx;){VSNpG@;>m#Uv;~U5e}yOUg5UoH|Fca1&jv>>wFWo?;_?1N
zY{A65>(QMnjIWk<E42XJLXO8lJMq{Tq1y;Q-e>=j#18zwCQc85K6(-fja&y9MpXUD
zp02^)r18(311kxHZ7z`7X&DZhK{yV8Il%-r7hDI(wz7fs;Q&HWcv8r_;7eEt++|@L
z3HMwtz%Nb9aLs(1{e&pjkU0h5P$=Yz#eW4gZ~FUE-6f{{r8y2(Ho4gABfULO-f7tC
z)X*@a5HVd3C8mx4pvNIK>f7X!l_opWG6fPCR4gJjpy#n{@x=h5T)v<rckO0UZ56yh
z>eP0*Rv<OA1RlX`S`7$o5{vS&c}cwy2r|VxKpM#Du&Gp___#7Q4N=lQsRy%6o$Vxu
z_uywQ>ohQ;*%o~dSlt;zEtDG|Y46~Mz*gc4AKp&6088C6$+D^pR0=z$s;$yKU3~(`
zK?4xFe<`v6#Y-Zv3%JAnw;X|j&0vu{@x&kpay8k=I^Y)pTxxz~gaDDJ&DKz60HUz5
z>t3wXlb4gaxd{}H5el%E`s2<vhr`mWFk+d8$mf@cBKQ-<?1_KbUi7O`E^&m082)<j
zxb9iOyXs<~W#=(3k^%FRiTWRc$Om*$Fv%Wi-La}aibGi2K!Dc*AGoRU+I`@z%c+M7
zexPzvi!k2NyckiGoAf7xn4nSEM<QID`;if~w#h!OISWL|uGkA9Tj5h(2m6Ynm$g%7
z5yF=<k;@9g+HjhoY1>WLuWSwK%#|R{^RkV??2O4?m_(ZIfxD@s^gL~b{UjQ997ugN
za|CQ@m`QJ+fa*3ye}37h%DW==Do}X}S)bz=f3J^@R;ZRNBkqOg_P4MSwtvREV7K5$
zJe3*2zxn=D_T_=7@tN==8<Xun)s)4!$<-(UPm7@~ypG%Jo*hRBpXCLXaUfR|d1O1m
z?$?^OAmDlFd;uPFO1tUl{z5qO<=G?--?k1yR+toG@e~Z?_rO1+nhhvuHb2O}gU^8Q
zatw-ZdUXQV2i5vS;P%o<$1ACFJfV*ppNwRV6ZBx>%i$i7*YdEn-brc04opUrG%=`A
z?(RZ>Z6}oQIl@Xh#CyuNml^1Y5L(sq4<ytqn5x{HO;X;yB#k26_s5SB8{+<av)D&p
zn{A+O_orJ0p3K@-YM^2KqkjTf59l$OnG1{oKbi)vMfT&>U}BF2k)H<|q9L)HjWF=7
z#41{VN_;gi-I;}*4n1~$CW|uQb$v*wN~vcWBg0t+YWz(YB#X%!RTdjlS;asE`rF6`
zAw#~ty5RF1!TpgX9Y0m7+e+>RM?K@oSOuC>2Zv^c>0mH2>@@!r(7n+?C~xb%WsaR>
zgn~&139kMwIwzJ)MYf6XnN_E%yEU)1*`(3B2ioQT(o>Zl5Zx~%|GUNCa&|H_rWvOI
zrN!S7ifi5nx@dOw?v=6FXxdob0BcypM!+Zk;i#q7{LHJ9V1Lmlgt@8|1e1}g#N)u~
z^m&zlx6K*DH4f%ve@ZUx<DM{afEe8fWQxGtd6(LEJ|-VZJ-bmcz;AcJexK&?pkj^v
z#^U)04lJ8n(;%b`0yV*UA)nmK17AWrM4JtK7<2i_V;e;(!jzR(&{4)OR1QZm&LtK7
zGLP^N)<RYjEw1}1W$dDxDc5|3xrKyUfJTJ8m*ICyFc%nBPa`aOjQ!Ge<a0GDH+dKD
zY<)+lYzhewezNk9@ty|~>A9C)&fALBLtPH6+Aus$fhaq<b{rH{S2?e`r#ciA8{A!t
zF@#2v9mdolhkJx~L>2cJ??_{ek^J_utQ!PYENg`?pq?|Js>}krg=`7ztDMGl<uk4e
zN*bnMOS)0Nt&iqnf%6b|e7#be46x<YOtX0!B8&dvi#|>%p6-D+mV2$!-Y%2m<-%Mr
z>`8KGQk%@ecL&Z0rA7MFZJ<B;uUn?Hrqr*HyA-$3y*<#8DDw-LJFRjqw1t*-&w`Oo
zzPPX64%*Axq(KkTOg1GOp=O{V&swrwva<ha3@`?oLT#f>C>^wZ)#3|{4tVI=g?jSX
zJPG;`4lVtFSL-9@@0{dJ7xj)bj&4e;&bf>%hEm|DgPyo)@#7~9&ouX+K}$mFAQ2#B
z0*hi7qUL5TjWAw^lbHSpp`DupX5X-hv@p)8E-kMs2ZU{lw7p;`b{s7e&q$UpvfqI@
zt7O;Tz5szS&?liT{m1fBaFjF<Lg())`=H-@iI~mOO^s*9`e98vio00FW+>;hI#3)T
z!EN+7a?ay>R%gHjMuO@CRkH_X)I8Q&uTB;<#w|M^la{Qz@y|H7+6v)7og%A)N9gM;
zi2letX{(H16G$yt=5K&+m>mspp7l3}rEOccZN2>2MLSlY${Nz2-=T)6*KdvF#T1Z+
z;6wC4ChBlQU&*-ypa#g8?c%6<5DHA+&<L2&I=<Vz6n?kGwjkMOQG?znXn`DF{4vB|
z17Dv?!S8j@$}VO<TjiO4{ltdQ-5->+*p;wp-tL2(ELa=aVg$pz)7BPj(qw4rG;b!9
z+)iG!VNdpy?v_d#(+;eXE-Y~UYV*f~d(L^Bz?PB2$haJL72Cq8Osp65L?WyMi5>=$
zi=wbGw^h{vZ7oX@X?txib#8QJ-;n{O$XEGb>6Q2It6mh+g;F?izaIn!OlylDt#N5t
zFtomTf5M0ocVx#z&H>ea7W$xTR~wNuVD7)_OS*>2CX0}3I)naX5)ldNQat5SdSxya
zyKi#u)OyxwZN$}_@azpfwGymqVpVL2l=vbqeE0wFaQ!b+XUtTPGaX3Z;s<K71W{sz
z2l`^ou0GJ_8fzf%sdXm7Bs1lN8*H{zVp9L?d0KKWh0Ldy$TSpR5Sn%-e9X%EvmsI_
zEbJw6fcXZl_aQpDRiB^%c#7wjlP~#==!d!haN_qNe}l(}&cVdWKY6Q+#o)=3@jVo(
z43shvYULMY5?XM)P9H&Uv=ahFlyO9NK^WP>$J{oJ6)fSH3Hstrx-g|-_#UvZS&U*B
z38NC8kL+gthX{*MJ0+)sEdL`y+ciZ%h4*mlt{36$k4=H9zz2S)gD&_s-DEPY-X)Cn
zGF;G^@`K!6Ohgawe6b&yhN*OURlSLj^$XMCuiyF#ohX;6H95^OIMqxtumn0uMUrvj
zSj*dVJ(_967fyiRq*EE^BeFnMya4M(&*BgkDEf1*Ha==13DzB~7Tl*eb%di7q=5=b
zzzP!6#0CP0!GAZFH6mE0Th`t4FOeITZJr>Yssx~U#z9|7QP>0ajucwqP#-Bze8IOi
zyLZ?2@Sgfq(#FuKzzxb-KSMx+T=E0xLXiBJeU885;6vc1fcm@k4hSsWaRL4wS*y9$
zO-uF1gqmGvoQM6kt@I(c;m%uY1MFRA>ch80snF0%7gmb6b`^(&4tWM09N18i`DFt@
zNa<<$HuZJz(lwq60xYED(uqNuq|)^Blb3qCgw!wWr)|}_{y&02Hou5b7^W7i9ztfN
z)ZMd%>X8?R5Lzq95B@8AZzm9}TP$DITzVcB60Zgg+@Oo&;i~zUNo&`yZ@C`7J(amZ
z=m?eb=KVY4|HJ;A>IRYV&n26Q{+02gg4VI@5A^Ru5Zr_mLIshdJ&?%J3+(KzfYe#_
zt<Esr7c5aKZlrR_D9hjvcKuHQ2$R~EI{bPE8p+8cPc6o_tDLMz_^xZyp$Q2MdT67E
zwULtMw#!3{{k&KmNIxoQ!?|0+c~%oLq#w(rZuk3BZ%qMXRG1b8xyl((=uZKcMVMCN
zrs&m5>06wkP?ld_K=)qSpTbvbKbCiI_(e=g=%GOi%hx#i9d-x1TWi2G&vK$vck4x~
z3orRE$;7pZ?-sfzk7tfRp;N?pmCLSBrINHtrtikE2P?-2NPhAN)hdlD`;z%ONk?af
z@>OOZ9g#U0;v-N@@~=K49iSi|%U6Di%4uE(nlbUHuvy8vKtma662xoR?ZJzbBN^+r
zbWePFD*W$;m#yR%6x*VyKXl)3-o@(&EuOW~FBKQx-vO?IIB~xO)}D0($4F>wck-F=
zXV6|G{mK1bHhmkzZ|ufGaG{Ss+1R`4?=H~colvFX3FpNkS_^@Vwk0sAWvOvLSZtRy
zurc}$mh1ecj0&DZ@}!8SZaiX(0{sg+TK3d6+<37*{AZAT({hBXppz$#$2GtRGYe@j
zV4c(Q8TO}yB)L4x@3wMfY(mq=b^(pUL)WP`Az+|%)j`*w&9$D4z`%Ikc!<WeHoSW1
z!n6Jm)&}lfzaX5tM}cWR{P--Of3+HPEKTgzY_S+)2=7N8&!Uak$=*fN(<_4lH1l3+
z7dS8Yv-?J{0#SP&2jp^&wLdzTtbCy!h;p|=fr4<qxt!g3fBtI$BjKXIk1WDYJfoo=
z0Y<7U--+mGd7iCEUL+S00|3p=4)Dugy`-RbD3sD^EoH@DvB4#Y2QVg1!PN@GceEb?
zm2xy77$hU0=_;HvP}KvA)|FmLg`i66V?jw2JQfpj`=F37#9V>I{dv0Vdss9ms!(9@
ztB!cF1QQp42Pq!FqzSw%1q$^MZfYasg3jrp@&Hya`Br8f&_3-(_5r=#M5WzkUQP{r
z7XvVf@ebe!ZUhOhoAHAh;0c&gnP)tZx|<5ri$q5lTbC40a9tqp{qFhzPM{6}HW_<%
zKxV2r{nrEG`M+TikWH?F){SKc7Exa+HSk@$7f=Ox@KzTSMB;}ZU^gU2%(FmHl59UL
z=?EHy$PNOa<qL7*?pP2FsGf}g>Nwl`DeJx#<=)yXz%up$GeI%XvSbQB2R478%ZNAK
z24EK6YSA|IxD;SIT63*0mO%ku!NU&>GO=l$z_V17FJ-v`Xrvz#tasM&6KWBEZgaes
zmq=y5ZugEM5?3t&MSQM8^>ZK8yWS&UT_j&I0ltLY;U9P)#5;bTIAS|je{&|*Z3l*b
zXu)mRHazGLdl1=l|EF|!u=P~|p>3^m9FSp-?>1aOj8TJBt;=X!ZVBJf{QwnW8UbFc
zma7BYOLvVWsfkuV2bfc11QFMW<lVO!gj4wUp<fXAS*(w+T7(C@ea7;80-Fkp?f!e<
zR|%pCzunb-v7Kg(y^a27KBryYMSo}JLJ9Oo=aM`i$C)|BXMOaHN~`;XGD;-l*3F(8
z4#?j;=!fna_9yf7C;DYQO})<)&p&|xVR8SxtHX!?&R+~*l65GcNkZ1&7i$PrzIk=(
z9i-ISdFTTN3cir|i(LwScjqB`O6q6U^G(n&z57C!z_F|Y<4zmajTZo%lOV^RXJQPb
zeBXI`0vu?esn917AzFw8+;&Xe7}kp?49HMh8~#94;H_c^EoQ4S2|<VGs#yo(X50*6
zphEW$>Dz-5yoaGFC|I-42`$-#M+W)hn9@E_*9?IBS?o2oYt4%AbOfz4upcY7V2?CD
z{wFT(ccXXAdw48;`mJKaHoWMtyIgFd&ETa$2H>SiPQp}G^VxpfEeZq_c0SP0Ad9WF
zy1qQ?zX}mWg%$xUpV78Ruk{_9?O7lf0Vx#?qiXT?xopkK`bXsek_;>s=obmNbI3it
zz(S+i-I{_|XUj4E&wef5Y4*2nB^b$kjcdHnlES1V+0M+I#t%gddG?<}{x6nO5Rorx
z-WDp)l4m>MFc1@gQr!(q(LKCI^s4>HmKirqawc9>D(%6W*dxTGg5XId3-~@0BsrTu
zFKz2Xh>;~|sFB8K^z=)k>i~um^GN2l$&gkNjP_kmAQPZh1HFW;nsSYJc3N<%ed}qT
zPCz2fcYIKbfwBQ2bd8PapU@`QV!s8G6_N)cH3BhW7I1s(N8Lue_9DOucrlKFHqOnD
zyGekU09R;7lnR`iI06K3K+|Pg5X$=+Jn6E<)hY852R0tiV;R9$EDHJx-a=h<ql7}K
zZM$MS<^m&uFL5^pVH+`v<IrM9CkC~zg!6~{>%mWpt>Y-$u+bn2rJL49*zGwTaZvDp
zx2VBo5=o8{`huhr&-JEWmF?f8fvvPOn6F~D)0<cMwIpMi!_0Zo?mWHQd~AT1Ij`Yg
z3Cv7q)pB@?Ymdg>6@lG-cTJ6(`yJYXH|S&{-8C`bSaQ18hAngnEs{q+&k+bJ&$4+%
zcbrV-30OIfwQ%tp35gFMnq~Tk6%=CnKa&vS&}32I9JGzzT@ZeW<9F9Qh0m!9V1~J@
zaQY486+po`#XY9<i4Cl&);SZs3oRLPv|wCstB8Bo7_~y5d=~vjO84JPR`+*;Q-S0D
z+YQ-=H%pXyZH4l+Mt)M2GSc#->?6gmLh#Chr`)Xa>Vu*to>m4=Nts$wjF^N)l8SwA
zdvmjPc$#t{N3*q>T<F#~u(vX*4Yx}@Og`b^-n*a(pctKq3N7CUz?j;wCl;e3k|Dgu
z=yp7-whI1(Dz|X6(!5&(etT65Uq}?9f8p5HpeTGKsgFKL{LmG~<Ma{yMQ%u>k0J^Q
zJs^a!^~)LIAqxxAQrXg03%w`M!F)*e=-EnG<!cLF=A|2qKzM>37x=4H-iS?HaJhp-
zASss2^GBz<Rrd4!di3v4;;B)51>pobeVrgCkMhY*^s9Ld>A@c=8&wk{zYZstuN1Yw
z?tAenXv(+#Ck@x?rDOuslTGTLqxh!?sn_SJkL|)ARiJx!VZhyf-69-g7LV7Ec}w;B
zq0oISWX|}wj)1~1U#LFW6*qFT5WP1brlvwEeAHw$;^X6^+=u!OwRdn9$!;%5=b5))
zpraM)EUxHSVTtzs6Iv#30FvfI<a*K_V5OGTelZRxsV}j`rHVM2m4n;jXH925ca2GY
z77RSzeKs3ns>s(O)bJ%@H0v7=Ea*P!q$D~z5;YzgiZBG;S)d=kq+|410r3$Pith)!
zz(6pRaAILWbaZcS8bR2ZZnIR8U9XvgugWL$OkG&M3Z>;}#B}N5$W0?F{Ur*mhQ0Xp
zHmoR>i*4tb^Tu6wwJ+$2aU~B~dwKUeF}}}K5j{N*fBn<IDw{Pzz2cVF9F)k2`BEHs
zF`lT?Eq9;SYzQfk5+fIXnOn>=>s|?o7c4n1iW&ZCSoHf6NbvDsLHP8O5{L`bd4<%|
zmvQi8P<K_rxpK?Twx8v6Bo8`Dc%=ROz9JWk$fO<%{w`lmuMYQ`+xVsn;SZcWr{V}w
zx?bJr*J&p4M*}m{41>kIoH!}riFBHoGyECY4560UcZCL>IwNU5zK|OCw6q?(iH^SI
z0e2w@q+RoR?f+t9|8UumAv#B}Fq|Td&%?=?D^X@UAnEDx!sla!5e_t`rVBKISVj$U
zY1h#3fvm1FFp7A{2f~8O^jgn)g~0zxUn8flte$0$?^y@+4X$)_kuOACq{WT*arWA<
z>9JRH*xK#PB{^4n$XJj($FAgOrYukl41#k%a%#H92x<K;2TMP_JDy?aljPd5IdK5{
zk$79+%jmL@6r}vCmo!Dqb;850Sbm=_8Fwvoo;bwG#hX@_{aJkqfH{S$O>#j&!9C8-
z>7qwy<;KVs^i56?&aSTc)xEV)QF7f<F7cu6KL1uX>(!|_lHqS6u_k&nTwKU|UuM^L
z*XMF6+#Ri2(kpT*W%*!in+3&*x9Y+nC<0#o>AgmJ-NiDSYc+<98Ez?Yr>8R~BLj!u
zUNAR`)E+ERb{@bEJ9CdE)qk1J7t@fLS6W@F?#^W&>n6_Zsj_4YttqpOR#4g+^yD8K
zClXU;<KDQCQr@#}nHZaquNUPxoon#!AapITJX$BDOTV~0*e82&f3Gg(_QDE%c_qBY
z3vJZjzNOu(I76rZ<@$l)Q~TmcQHsoy49SU$E&1i|mz<=rMIY1q_%woBy?EU)X;r_s
zr;W2LROnHf%Ew=xjtxBS>5>t(Jv=qVD}QlCPLa>mQrPb^;=<l;Iq`EcILNL+c>gkk
zT0=F@9F|>2blW{UUjpxQ9HRnx0j@>of@Ckg^_t2zi;t<V+N~|GkESYJ4t}EMd;WaT
zQF(R;_U&+)+v)1Lk)^s{n82R0z&NAw!?~)hFdt*tj4ikgI@C>C6Sw%J;)I_77PKt)
z?#y#nV=9-dX4En-i?Ji@bb5Nu+qPkh5bC%_|Nf$?dCEIxbngE1!pAyxwo7|^xW>lD
zr)Ou)eSI>^9p`Ss$9Tvpgpnt3(NHE{*n=7iqACi3K*As6qTTP~lN8y<8p<?zJ745$
zu8&UNG<8>0o!7-2muhpX@`t|XA&&T%HeWV}e-ydL=D{7eGn4T!ls#J}pqtG7Ky=I6
z$@IW+o7)B*yYoo+f|c}3&6rCFZpRO<k`GQN_$HaJa^)sVmD~i={I{(P<%jowwcGvD
ze4*am({K<{y0ol2LNSU>IDI^_DPOL?k=mCp8;I}2hl?y<Cw<%EA*W(DPG_oi#FviJ
z{!_bI`nsg2RwS@VTLZ7J=6NUThICdh9ZzbQ2WxCKm;2%f{ier<`=7jW9W(cfFVV`c
zEN?JXZVXCPy2Or$gpE$sj+qu47@TZqkML$lNn^2c$yI(Uo_wdO`(?oX^qACV^}ZQn
zP~nTxl*Pd+vscOI7joYxYwob~VT*Q>hBfmNr}Bvv=FsbP-tZPotamopA8LHFFpD@P
z6-c{~sVxp$h~*RLD0vsS#;UdW9gZy#!^qKdWLZ>f6~WrrLV4|_yXkLeHeCfddS>~<
zmg!XYm61L9mr+dRp*GfnE}2JOQ_HWoRBlFD`Pz_>Tn55ya%s3a9`xK5ZrTM~QCkFD
z)IL^<(leMMbM4)-KklXLOwY+{FHxVeS2nJzyrU}LBm#J)-uQEF<!0-}W>&_P|GElP
zXUw<0Tzv56V7q|dtym0wn2RY4DeTp^^?`9B*d(tWXTIm<=P9G1{=Gq$V-oVu<pk1>
zR!UK6jl>Ye@&l@Mwro=eVQuC7FjeZ3437`E6fj+1hWtujIcc)mj(0(DtBR}rSw7U!
zDF%{PL~q&*W#HmPi6vqMoQr9OZU>GXZ#M0+<Jes9eS+`X_4x9WFfW?Om(dfQkYthK
zD^b9O#C(dGCUx^>OkXx|dDhw@t*u$fM-le4hpk*ha<p!Jd)9;59?=;t3qk&NPE*~S
zns9N1=d5J@<ygRDgIwy!BAr7d;R}t$*|cYRJz?gPY=`v{{v7hz8ZWt^{I6N<mnFtg
zNeLCv%uC^5*RrYlb3jGiu|)5|biex3G?(p6Anhbw6|AR=k#Q^Jya|FhXw<QNeh5qd
z>Ps1_@~lWY0$#Xr!@Oz!L_MAI<B3_+r_N>}#&Ti&3_P(H2{o1P+}5w9w+I}!7b&6c
z?1EXaFv#dA4VSk$j`t7^&MU^|b&2d>50oGIFZDkEq;#%qS@e)zHO?Y#M~@V?KrUZI
zR|hZkHz?@%xi!_tl(SMYy0TC0b)sfvpTwmlmXG6lronH_^-ccin%EPr@jZCe_io;d
z>61OZGJ45S|CFRg^{gwNv8Q<%&(q1so-yx@%&qM&*JkDpHWu-&f<VO7X~auj+uAM)
zsd~s4$gfeOS@Dx2l4Hr7XHkQ}%5_F=#rt6}u~=bMT(nAk+gd(8@>~?PE#YBfsu)DC
zU#cpU4;hTyWH6k>n1LM~srE6IE#Uz(UKIS-yO*d*;oFLQa2IRsR}6;>3ABnecNsAW
zJlnpmipM7nBBy(`%E5F4%1Y?5+lKO<E-0)!gvqQo^CqUwYBAOa<94(k6068R5JwU2
z?W+iT%oK+H>+I+rb5DOwnxk$!y@Y$y+WyI;Uw}}=Y#<n;fUO_~X6Bko-*_^9_>Jq?
z$6zI2%ANeN*Pn!TlvDb6nFBN_**Qy;hIM2#NKXu<)Gr>;J}cRJ`z`lNRtpD<kDd#b
z`tZ)Lvj?LOhRWIbx2N9LA9)(i1;y#JD~Fy48Q2mg_AwT51`u@I;}V|}j=-dhRZ?hY
zAQOYs#%Xl%vdk*hZ&f!tpIC`P3Qwoimpd@k%1x6&4#F0$vfRNf@>vLd;uTU<QlJ%5
zg*hZ+Gma<){?%S0U7_rk241oA&0goA%@{)=CAXNECgxhd@di!@mw_=vV>hg;&kyyT
zQW!3pxvkoTt^1T2`LF@~>ue?s>c*t=?cu(y`PRi!qLe{}m=75gTe;`NSFZ#Lxe}qC
zHomrpvgXwc;{;j|XPh^DwH2FRf(NZjp=n|lGnI?h*|QXl&O|rG=R-eb$zDzA7r{~Z
zJp;*^pE54!D;4O}l4>k7xh3QdW@{fWoD>i%XQF3+(QG)1$d4Eb(7I^TKYX8|*E+&|
zk|$E?G4fvNEcaXDqV6DJ*bL1GvnIyp%3|Y&MC-Bx5hG^TV+HeFAya*WwcSl04g38s
z_R=8>bAvQoY$(89`w3DM*^;vuB$Pe&f$xVILXfvn!qf*Xoqf^rb3J?ps`@P$@YI*H
z-wff(FD7M|P=-z)zja_Ml*AZRC{bf=slnlgS`E)qh?G4@A1&RdPQmx--nqzyyk{CV
z7P-|>vG#qm@ms+96UM|Q4Pws631z0JM&^6)ykELcicD^x`6rXl3~Htx%Unh0KP4l>
zfqOVp_SI{R2Y?`u$Nfb!*4$-(neFGd;*3r2395O$4~>kQR_b{~uA}DI{N#5BgReg=
ze?L$h!fN<o^i_p#B-@sv@X9nNIN4h5DHrQEBh(Gj*m6;E`oec#d9&mlNlmfuPUPxD
z?%k~<B0AWLdib#RlZscH(Vf`)R}*y*`Lgb0YTD$faq%H1Or19c5JtMlP6N`1V(dv{
zkG#QKg6<Cha@H&=%d67q=jC%3zu@&3!)6~yD)Sc=NH-{cNQrn$Tz3$`$}YTm2vBc<
zk&PGnbN)?qV^an@CBM9<%c!ybU@|4-C*Gu5$t&pd(ZW(=W?z=m@gE(h#YEXjDUF_D
z7y()&d#eiKZu5H?T1-8=hL-fW9Xn_zBf6)h-$xjUT3JVUvuB2UeQgzG%;}r-oN@Yj
z-kGyrHpI0!vhTBKI3FoiQl8KAnOxqHEBoHM=o<b~-Ohw&KAT2>sm54CYuz7tsL0PU
z&KzeiLsZzxxyk6x%$i&&c~YKU=)HrLZ0Z|7ou+8he7gkx1W4z)_`d&AJ}2Gf7abd4
zuK{c?R&#dM(X8#omLiGltB4JEi(<U<y7=RV1zN}5`X|~il~W4%yHd=@+k-<h^+dA!
z=zmqdC+pvu@qp4vbzHebJfjHnNh_h?mK1Y^fZYtdN?Q41^ThvE-P-DS@7jTUb4Jwl
z=b-i5QDg<y-5oZf0O@h7ff2oHc!yf&1Ykv)2Gk5`Y3V?+fcEw4n^{5E9VE5A*{qT!
zWr;v~!T2avH<lx8fzB|u8=8=@l@Nz#v1HjDWu5^Wa&VT*c|O(aQ4N6#3j6frJ>Rp0
zJ@W<k%d2%QD$-F6u+?M*Z(5n*?!H8;5?Y;aeT5o6gykrM<#o3KE3h-?^sVf7^4P$q
z8t3YeB5&kOy@k%1*SPn%8ngq73MZGT>_-@QISUIGU{QSIdkKuAWEM{<!lzt#OgH@Q
zk$YIrxkWsram)TL^<qZ|GSR+!9rHS$PiJQMzP^1P2<*O+oWc5tz>XC1XJD^~pJFFw
zJd{!&kG>ahotl)p=^4G~Lf4kKW~F`N4{z(_O>jJoIliWG4AvJlmy8%Xu$e&NxwGQW
znz@quw(hGd&*QE7^7>Ca!$*PeM_pObKK=k;>tDu!Ald&G0B%P)fP8FW>RdBqw>`AS
zy?!BNwc%Ql3wH=$Y<r9wwuI_Z$u6%k`3PzGWF9woM#$Gc|D=2sQxraEo0+C>A5Ckk
zU*IG%%*zTM(zx`W)4pqEb+oLP)5fbbGWChPQI6dt3i(sHkK~^ji5e;^KK<xgmB$N|
zfMmpwN0Gs@2yP=nl4|qnGX1k>cv@Oo)=o|VF)@VEuirA5ktclzcvsK_nOdW$1Hk)*
ztt~8ET-@cpB-LA{DAyM!QPz0KHnLxox5jewIi8pts8@0es3`CVD%lc#UM}U}nUic2
zzdJPQOLrfqy#MR#`BarOF5MZu9SVIJCd-qUS@lQT!IrX+)5!bx?xDPX{ram!6piji
z&ye2-3Vi1*53+ijCGoGrm?<mLsC+g1w)q&cUpy|3a|>TZaxp8@HIGND5h3vOWqRe)
zi0;83qh=<oqJ5uMETw&d6SkjDqa#&d_?q-7OoXRJ%>?rDBznAjmprh#+(E<|og9NF
z!HDAeYu$U}hxT}U7lH&qe{>J2fjDqxMUQvF1ER9lY*JK@Cg~5rqGZyCE}7v5&vIAl
z$Xs-I?a4XCljjH~KmeIeDprtioOQ6)_3)I>ghqg1T9fkn(EeM2eZQ)NgS@#~RsNVz
z@!N0Hy>}32@C36h=!Uc#yq6dp7knZrH4oHdVo#YDpFw5G(timc4~@bDN4kn=P%Pp>
z#<rvNj)(m(-l6n1__CGOa@Vr>*AAR(!LBD$uaJ^rl0JO6rBtYfKRY{X?cm@CsF4|M
z10*Vx#l%}l7|AbP2vSp1_YV%dLqeqAQ!1<yBMXBU4vIoD;*%02WB{hxG)$Y>tP=fc
z(7k+3fQ%tLKb4YXy)%8s98Fd{kEWf_09*3v3+H35>+5Sm7VW&hwE)(Rj{a$BlyEp)
z6cT+-!MG(yfC932$;Id0G?uYoyq0YV3G;?d;!fZb>y(j?95sHXk}VOx`D3z@)i$D{
z2qF{U!CVMEccL`qU&tZ-GM^ygd2SpwG>ZS5)nEt*nLh~{ldXPoI+%{zsbEZI=8%!8
zkih447&jY-YdUVm=Kft_9N!G4p)_EfB^QE3*Z;W>Ua1=xFh?&e^baVHz~?ybQDk=9
zJxm?w;D}3|^?z=}Wf$)RZ#|*{tHEwQ<WIf}ERRcrJKzDl0LQW=L-+PYEM*+GKM(a7
zoHGrvRuH_<ZDA@Q1aIb}z1%?_{yc;Ye6Qm)2u`y07$lC=fM`4UfG6=5e7ZVM3}Xw(
z{H_-YzQ^VXe(kLLE|?O5@UB->C<I^(!+1``Am0}lDo79~4NU|0<q7T!4{<5D=-w!F
zh)ePO|9B~rU*RZs?zHswV(sqkTHD$R14VI|Vl>D|@B*U+B_z<n8=)|@wY8m{ovEy5
z>xAC`n#&n6t~l#KTf~{7y2c;_dI8vKqyDc!CUI=$MDu%O<1K{@%E7UxrGoe)7li~r
z4f>)2Rm>ZuVJGWIAR!24sZ9JL82<7YtEK7lG~DgK)_lt?(n)1NUYVoUxgKFQH#bYf
z&|{O6lNU}ZSKUVzZn_1Y%I$sOo%3bWX9{Km*zWVy?F&;S*!}0)!e@(gOgT<#x>VuG
zHxv(szqSs<#HUN7A_rZMTreem9djS-<r*sC;KaInwkNQ!^(JWwALl2khXvl$tn^EL
zF(F3+#3BUGB~lbTv`0f&!~?zA|E875KW8)z_*buoHp{$Pa#0?mEbdKalY+>;(bm7}
zFAvbfD}{B1X};&+k^F0g;vwJsW>UeJiPCdLq}`#G{xL9=?n?W8^QDB0!+ZoGNtHXN
zXQM5C{~2cUVTiwpW>)davw;58j$3JYj08$MG35-(U%6E%C&F7};`FD>ZtGyeXKg|v
z``N;#jAyGVPp{V_PCeT!j_d|2a!88%8m|W-b<StV$^vJ1m!{l(-hZA`N!#N+Vkf#R
zeVF7q8Ss(kFt_rka2yk8CH1E|R-Er$qEI$oJUkB5E~FuUjtK8yG70?6ZA!F&&=9@f
z9@3fh`Vp60nn34vQNgo8V_tW+Frh<C4k4So7o`+EM0P^c`A629djf36TcqE&U*J)g
zzv%G$@RVUT%R4$eRlBO?ps`;MkQpUeE4BJ+4SR0(2|NT&Diop}-!?|}A^@c_D{#7S
zK0LFzHbvXeF|g(-l9Tv9`GZqA>E50-E$lG<l3>6_mR<Z}O=$F>0OVwGU;M+?xW3^r
z>-$<euIZ*{o6$A*BTn8b@Wgh>D8LlTW&eI6_;`4*sA(E{6b7z0YZ-6Wmlg$7M{g|u
z!r*?(-O-tw^Eju6Q*`gu%WprqRu!0ZcDK58TtV(1nEP04*O`~w^A{9<N2ETPC-zQ{
zhAR{khJD-yF9~SM)VN)Fvmw3qHs2VlaGeh+{E1@v0#r+FW)2IxrzUS8$4bk4@eHfL
z2sb*8D5k)2Zh9gaj)H>nMXx=0|M=MdH|;oma>Z;+DTgxgW`4OlX8+eO--rm@_wU~?
zZgkm_fZGs-e21a+oY=i?wS}y!RA(JWTDi>(Gaz7a$9QGZ6P?gVc!L*lh?Av~sn*)6
z)mV+)iobq+G$UhcZV*4tjf+Oed~$2dUU-J^P1R;KuAGL^+2uO{%DY;;wBokx`iD}b
zPXzx1he;^(X5{#oHGY{!tU|BmAM!h0t7X-Xo_~AE&oKYBs?q@l`w!u!T$6Tp3j^HL
z>BU9s<m3ZSPfu$*J3?65b!y}*-w&fGS`F?&z>?;RZma)9oeMkg)ipdKFGs|%GO$z#
z`5+4?<wt;&Q?YA}Ek9-#*U=hJH<3>#dd~S9s;0XJ+3Mo4<+EoP8oN(arkj1PFW(dG
zUHiew{JODSk>(SbxEtqnooZHA*+b)z9v8-TX7~Cxez;PMc{Ml7_?+akK6{ntDa@~r
z3&0yrpKHdDt0u*h0cz<$U;qT%e{)L{SIktm2qF<7cYjA2f=nqO8Xk9_twve(m(>Uk
z>hx$6pOrE053|pHSB={Bfz&d5xvrmktFPsc*v|J8_{n>ZA@a5rt4+8je3lHwW~P>~
zas$Pr*qtAk*TCo)rVjHWgXiEhAIsY*CqC$G{qh);LGU-@iodoYGVr02g)MaaX&Tjs
z%ii{RKXmp^#lZFe-{pK2(iJA7t;NGbjVA!+!D2uKxfr@AB0o>QXwh0(Z7+zI82@t5
zb==D5V0X@hHS+ym(Cbq{KIS>vS-)VfROPeGrCXyfKSZTQX?ujJd@?KOH;cWG(}Qhp
z*YnFPZ@9l^%rrbD2d6+n=D50?0R}rcMfwAk<!6#cz?4IV->a3P0>(Rcq<Ukj%-Ovm
zB)~zih;dwgYpd3zTq<iiCrI`H*-tqok{KK9b&ZMt*Wg-eLKtyOas>VU#x-9hKamm>
zL&To%c)hBxFEv?nA}TF(QJ-=vbe%Nr@}gdEbk1k|IUbNC{eVs=mJDa$Gi|BfoXXLS
zH1XA~z15zOnH<kDd+Cdf?I$mi231E#t*y28c3YKiBaO}3C%z(;e&IcYmPEBp&W`I+
zzS=aa9g%TfD!ZBKX6`BM+WBo2ek;g;2<-C2!vC0=u%R^+^@df(LQMPa6q{@q!zxG0
z>n3d*$}Rv7*+*1Mq8|$Y{$IG-W$6=qonnk6-Q|4yfvs`h!-e!T^Sx>wuPaO~Gi+0}
zrKJQ$<%AuQW|;jF@AI62TaR~0o=_;L@f+XvUDGJanJwy@vI`m5Au~;x^XJ?PjKCxc
z8`4FflqWr5pj`KF(%`>ym9|vcIT1oFh@L=_<<95LUbztrjuC}zQq!5!)45!b7aeS|
z{$ui#a9ews{+QeWhB0gXUMv3rP9_W2xz+2(JTzQojkrgz{_pe%oKmqj!3Y2fyKUod
zDX&_4Wqw1F%c(zMl>SNehg%YYh(xF9uSAC+P7u&bpO-=U)#&qo-w~qPSSAZ;k;c)E
z)cB^ax&5FTFOAQOiCbR?z$T)>-(|oSkTpi}38OzEN91f1#6NSrRW)3d`<bkg*weq$
zfOIYAn&0?7TGi<6;TApswz+;Y6aNe5JgzQ^=X(GhD=)wcWJji^riQv6F}izrEG#T|
zgEtU#OqLnwfe4H^8QWU;`o<MA^6so~g9YpxS3STCt9a;F{9o3M3g6Z}%8zFXc*=Dn
zw0EaSp6Ye#x?|J;EfuIlwEiw(a`W=ihy~y51+l1VgM11~*JSk)Wa?4$GNjzx+-*C}
z29Dr7Ouu9OgWr|P9T+u8s8-)FRG=e;3EFdT`HJS5o;Gq0sk0j)?}>35TStP%Y6slO
zWO!Tf$L&WT`$QlLsvvN!k{QIZahAj=8PQ3AE!!#j?$}JrFRQRj&(F}y_Sf$TqPO7#
zmW~_w=?_dKLUhqbTr?c?AHwu7qmrO2Pb;uMriwUXpdxsFHo>a&#K`{WzHwwxq#_LZ
zbroGQq4M4Se`QV}Riy++YIBk?5EB-BEC}n4;(2<`VSzQkO4`h(%;-(niDCihYh>iN
zWqM-HZf>okqso{`OQ(0DH~em4lzwgkuDS~w8yJ+7lu#%X9kJyt1|cHxm);XQRk4}B
z(8(}sA9?=s-tWv$i=q?FoggihR%C?~+z+yX?-73}LyYwQsQJ(nartf2pcK+k?ZL|8
z5-eCzzW+|$rCow@{;Gi&!!aY{ok>N|qsV-289IUU0vZX1<tx~NpfdyN|E!fS&Hi5z
z?VmGrQZOxH*#CH_|CHUA#dksG`33RRo53Q*dHuPa1bk2b5-g6x7(_-6Cb=7cjSPrM
zzW>j_L=>|85Dytc3Tz7Gmte73$Et@SuD?SL1T+Ca$D$)H1<hCRBVrb#HU4>5|GzI~
zIv9RRG3B=xL4kgo&ZT_WnM+kmiB%pat?u1-a-HYW$>7S_!j)(3{ter{eXRNeV}b7@
z%4#4f%`}o!eIy<CrWwPPD0GQ<U{QXbuyA+J?~dWjcW?TN1X%<br2t@VQ<I>xi%av&
z427($tVHTdn2pqLEF@2Wj)Bqq-~2=%1}NXlA;uNymCco2EW>svBju+m32z?u&ON3Y
zI9%I}1Qh)>a6C_jZoB_-5V_a;4!yR6C2(A<e)u}f`q}==W1#(`+c4L|-gcXENGyf0
z)r^>ZMCSRaR#9MaA%F}3v3nOLCg#V?Oj?Dn64b;RzhTn;=IB!tG&EZ9@(ycj>%g4M
z9^Kzhk!|gv^UoI~Pb$~^m7XXhvg;!E5qySQ^AulA%^&-?aSM2bXr$cikgeC75FB5-
z-s53!EE2QN*D*N^C%RKBdliZ*P}m9h>2yRT_ia5ssPCa>!;~rDNZ38Fh565f6E=&b
zQ(hA6axY5W{;*w@KC$R%JCe3ONGs@y;Xpg*Fe_O7vL5=b7LRN9DnyuPuDNc<+-9xW
zW8{e@l3mT+GKopJrFj`hV7M>WOx@o$Vd%eeQq6N97aB;_JN-GS=4HaARp;)VpXTmw
zW7#0YVo4$C;%h?F=@zADCW;>O{C1{!H4lspQ}h@R41Xc2Sb$_7Wfj~%F%Oe~2w!70
zgA%#C;afLQz4`#t#ub`h3SfXY5IxV9De+xdDTpVTXUE3wRc_DsBpki%$bVvH^2<f}
z(_+;hS-+?3(aPgZ0}bWk%nVI)+})<CCA2cY$sZjCd%PQRoO)|tG(!%djBn<b`H~HC
z@4VEjeTN;Rb#C)}aobb5UrhyRaVuHr%-(E4*2hbkJweUZ;k83+Th%KLwjP||VOg0f
zNby7f)5e_e4!-u%nq6bMVqb@KPYUJIICI+}F{_QyuKzRq0_bCw*Af<Bei2OHk2?Ar
zJe7U~QR{x`wvM7EgaP|WbYs5`?1A&^(doCyI5HZ+Z#JIi){sLkrY!{OPGp5DXOfG|
z2lbmp-)q%TJia+61l40q#Y_>NC#j94(ZoG6K&mmp=b0Y745S2i)?|<NB^UHSg&!4U
zqk=$BQtH*Bhvm>;eN(Lutv&xD1}SE`MuKs;EHE6%DBknPxutTP61aQ#SSOVTcILLg
ziKq_aetZZ(py6r0f+Y&P9vhSsrG^>I$#Ym!MDkLZOEdORUR>8DQoJ|iY41Yt5cNRb
z^Vhb50jd>}EyS!iamBrTfpMBl8-}<XY&uHI1LpBcO8!Hi&-Gn(3dWSf<nMW$-nbFI
z3*YYCEt^e5Uun&Gm00kiY9K{Gyi%?wV=QMy*_8xs#prF!@x0Bi1%8J>BAK)MuXBop
zt5#Ro3dJ7ZHJxhyd8Q;Id(QefKZEtQNA^+<dydjqG0L#clRM)z`oG+_&yLW|?rs(G
zpO?R(bGV$EI<PbB_J5G1nh_BvJ6`CHZP0fbH|6iZ6I-#s%&Tv$IKWNyRFVEZ*vuqX
zq`G<k&Atf=E{j7#22p4VU@$yu)b`pJZ-q<0ov0~2T=&*y)fT*9)q2e@9O0<ERe;`e
z^*Ew*VgKQ%M&fX5nQoW8jICBqmdwv}pIwJ{zELq)NUCKHZ5H=_=B95N3l9kB&d}Wb
zv1tG)xs;de2YQah{jY}jJ=k6`=2|B|SW1rr9Jt7@`D;t9b121&k^{myNE@R*sx0_K
zGg`{}UlEk@z%bC!1%b!?!p;u1s;cS}i>f)dcl|FP{;xf=ZE0xbt#DHVf_JjJ0=woo
z4e4*F7-w`;<7cZtF3)j~VWt4J+^Eafl6FmPxMjDHH+OXAt74ASq?(6LEj<%+<%^QT
z#LHyWBUbXl=De3(w>K1Wh7^W~p1@4sRX$vGqR8g=%Ddu=tZL557dJL7vDv)YqRFx=
z<T?k+>}E-64GksRRwHDd=Z0n9ihwYHccM6H=!-DVEK;VZs|W6y7s)SCbFETz2WeH|
zjSR|1?b118?mPW5&|^!V%G-}Km7*3Uk6#klF8oC`{z)$q{M?P!pT<Tg0%qQu@eGMd
zAOKK^p7|aOV-7Phc4A?Bb_tD}%_Ge0*;`W`zHfy}SoNEgcjii-3rgQtjArk|ecgW(
zj(Ih$=h}&6@-?e$#)TyJ*!Z?L08MJ7n57+l4%`4ys$wInSt;h&i`l2}$vS9EzqFw5
zsXL)QHo?Y7bUW(oDrx9w>UbzsoDogN+DP}iyyo;EREjdL#akdevw0$w(e{^m8ScVJ
zLsc+KnCU3?2Kf(@ofzW07qwVeRgX4^dJq(-7bq$Jb28s44oRpw61?~%;0CcH(rsaS
zGfrAzghUgaL^OBY>B`)<wLbF6`pK_U#tGwv2L4kV^08$g<5C?h1wcmwBZPk<QfDo}
zCBLX*_N|~Cac?9&h3lA=VP09fC`|4_MosEQ>&%WcowTV!miXGFzLEihy9OyO(8J8!
ztqUR2y4wFSsTg;qez?Tt9Bii3G-t(`UXqWoIDb%Ii!1k&mEk^&?K%Ll9sgbA{SSc)
zU=oL|NZx0dA)S$#-%iZbiI6#SVw4hEZ7!m|CMGb!!K@CAts~ROsg&j_rnNi2Yuyt=
z`Gi8tNhcHjW@}J;bi~?AT)w4|Ht?hURX;Nw)%I)$QU6%D-8k#g9GZ7N#f!NhLf4n$
zvsSJ8>~!IJs|k#sDt|n#*#V=eO#lGgzl&Ad*F<=?Fc5Qu{FE&!3FH(_dxI=Ti(LiP
zH}Ys&r+r<IfD>L;POl6Q8|w4<Z4)Db3~8y_@Bg5UFLRgaY4V05%m!>*?^X13Bqi7(
z84!tq<DZ5BTJ#@y>4e(?G_W8kvu#ZX&^{@fnmi#V{|>wL9H4p06R<}}QW=s`>kNSX
zWBY8g7xwrCBE2gXG=cG)ji*_CO%rpx=N1M}5YaTkkP`%X=N`uYb$_u*JsQ0Wp&P^I
zdWSb097BEAV7tpbZO$38q))^0Cc%e#+_2R2lSRB*B3iUti_rfTVR0`GTml>)?9wFk
z;QC3@-%z3G$pC0Iw%)R>_DzK1tJG(ytp<n5e2huXv%;G>l^t3#Ebn#neX%?mt|9s0
zQ@g0737eRDur;8AVGxIacPCmSk}chmoGcFoC`rQ)8m{d?qF+qhQ{89L-9-1z#A{P5
zz*&Tww6|K;hU<ewA$rJ9qb)@tcbj4~K{R#-=NI2a`TIDO4e3qCO9JYfkc?>ZJdlew
ze*c;HVFchtLIjk!4HRxGs7_8!+<+Nz`MKQj<Tr6HDoOR|5sGSwmS0H;>&urfBSE!<
znjVy}ULx{gv|nvUA@Uie?D_6Wyx&8ZG7%*(yVG8#lK&|_Z6*NX)BnovoUe#9AAkXC
zd*!V<MV9e5a+5G0grc#${)_h2?=RZ_7ej4fMLrbx#ukjo0&7JbJ>Jhbulf1}&PrPH
zWvp|x86t4-vJ5Idkfi<wSrQpw@D@*6{Nl-@l1^7xUlSq^fh!IQk924Gd;i5p?7s;i
zhf9=?pBat1f6G@uD|$LEnIP6Bj~G55#3Q};Hz13C1^}6Fy))o%1N8HiFly0xY5+JS
z0^6VM?;-@^sDD$vF<AiY>G1xqO46qmqaRieKEFk;ll;(!BAfaWLrzZa^z^i;y<P0t
zfAVY1hBQ9XI6IN*8s?~%>d)=yKdJkE_=HkC1H%|^uq<_)H;83afcMlJ+97tdgOihh
ziVF72%gg!IReDehf#C(BA^%KG`hTi>>#!=ft#23*1W^Q$l9m#X?rs(W(jZ;Z-60@?
zNJ%3S0@B^xNP{5VumI`q?r$#LXS>hyob&zlzJI*?y1X{J<d!+_ImaAx{9?Fz(fMN_
zM8K{Mt79m)UkMzHVGnYGVM=5BA5AU(+Yb1*8xPnkzcCb3Fr!Nx;94XB3j-(r_Lu%I
zUW@+Q4Xp)w$1<ovuNlE|rWPA?F?#+Hi{^d5;4LB0ibD1mD#ynTC(BH7kzCLAL93bh
zPjUjnfQ=u)VWn~Ifawq0THeq9%l)tfdIvxzXFwNIVlmF3T%dssEJ50UAUadb-(ars
z?FPRV^Aq6yp(^5dx}$CQJ(7~Dj-rc0SXlT)3<D7=Hth$Xa+)jk0|G4qpcE1ZQm|r|
zU7d8G6A&IVK}QBbf0g#Xjf?KI3G^QW>JcG2t!fNnV&dqzZ;tDjXK)ul@{nsP`?4cf
zC2t^AJcxpv6WC9*c14i4CVYvB!39l}!mck*(?onxnYpccIDlY?B(nWL{3A4m9NZHt
z2E>X>z(o}oP&)o2h?cek53!2%R7r!NSx#4Ohg`m%EHwgdJS0p89S;n9zhDQu2II4%
zYF1h{S6Gb81M6!xi?Ns27r>KZ5O^(Uee=}5Hwdk9P^h$2zdBnC!{c);{&<&JYN*6O
zqPnhb@nm~?qZ)K+76D!kqa}IDIjLl{KqK)=@UXpOu_L6_`wsGm=sUws0oOfJ7>W$+
z`cpm556tI)QFY!i%uxi7$I&#_VVIor(f8h+nK~83pwy1TRL39joO0K-9_OV}<BOib
zJGKCd%UuM$^X}p@XvtspedQ+rw_CLaH}+^o-B93!q`&eb?xQg9+s5iA<hIYg23_h%
z9Cv4lfMTc(*p0|%$r8PcV?hF~r9k5;PWd`#E6OC$BccO1(0_Q3bpQ3%M9Ib}H&ETl
zvCo0dbXlHbr~R?aX&2lqH}|e#05i8LY=`^}RNC2q^2oo?Q;@Fw{1L~Rn@Qy{LRA{?
zL)Kz-d9<E(vUrDcc>GMhzuDhj3XWt4I9GUqMSZ`pu#j4{FySL=B0!x%m%Ww*Zigt8
zefStNTdX_Q(oY9S&K#Dzea8wkeI8K=j7T_HTE{;X1wKh5l9Jf|3^Y+3Qp#(O;-K=%
z)ViBv1xjQ}$wKgJ5%iFBE_5R!U~|u9x9}mif3V#EK$fm&dryHkbtuqS=Jh|5`SJni
zy~sevE<EPfh+hTX=JxsUQ5!Pq)C-loZjTCp+2BZ}`#pH_zB7zuaiKk^+GY1^<daa)
z$ckD3>$w!hrk`Tw%fO)wX>!mz)O;3b+C+&yP20~b;b7l>xRQp=(ZxTbNI%uG-)%Ar
z_WL>G1Ck<u+Yn??z(OkqrFVEZhE{_cc4K4XMl&x!P@N@$AH{;+0J;9hp!1D-x)=IF
z3i3N=2ZvTK_&ZVIYwc$eVZ<uv;}<vc!$Y(xx#{L=pjZ}8CXUKZnc;6{oo|yuQ4-M%
zx@C+w=^^@{??eRwGpP4SH^4Ptu`^_6;_C9#;C)p1F!47UC9i#@BGM2+IS-5M<0E9F
z7_xS7dk6u`Ij@2VL8N3}i!kb=<z(qRFgs9;gb+u?0aZ`lA`?&R6geb_nkOoLz=Ip+
zH4}Bkw9)eBWNR`l^(A4JY@*^&+jduieVRnZ8F!jSenhIYmnhr6xBy*-eF;y%IV=o}
zqErk63_$FvcG`^QfjC}0KJbGTe{cSry;IhT_`Oe`mBmW_oJ~WH{Zm<q<*u0dVdM}&
zAYiy3F9!G^J$Jljv}AyCH{1(xf-*QqosQ7O*7ilyXNn&w>TLbWOj5$YFKm?TY@pZQ
zArx%Smd?)3$W(E7z1)cia)~Gu+jpo<VCV`BZcY`6Iu4&`l&IRH#4lk!8VNsBME#W!
z{RdGqUowXTA+#~Na#8b>ygiEem<$B7$mY{PSgH11Lb=me16OH)8WoUWLqgxTm@1y7
zNLWu$3x{p&>HI9grPoNWZ3nU;S)%v|%D&Zwh1YR@5mbPBK5FTm1B$=ssuAQIN~Fj)
z3;k|Oei3+?({>4h?}$N@Mq*&Zlcy$^!1YM(D_@DD$>JNuNT8c7NcXjG-4vc&99Z_x
zanr&b-ory$_!1ZSs?1nM<#`)h<Jy^jOygPoeNcByx&D=Kuq4rnt9f&pILC>jv;_+V
z;5e=Poo&Pl->>@I`&}lVx=Z#~df<bo#`%d+SK!!|SU{sS=X|d(;JwbfmZ?XOyVN4V
z3{3Bvm5T$G{3`gOAW}kS<xG$)usYE^OIo+_GW4_`D%Ii1z&g!+T#zSJb7|R5<K@Wk
zBANniq|(R;qNpIz0@p{wFP5oNzYsvY@Wfv$`*yCJJ6!XH4fsSf0>2~3HIBFeh@jC}
z{H6L7{;REBX#GkySjj#2hNojWIs!1rRWDY9AM6J)aIlkVcFU}d0OpUV<P!TlN0eYU
zRhXpn;J#cUPen5?^+{b2wC!u+77fT|wn4sB(qKVr0_xyG2pB&_In&6a2&IsQ6GYH)
zzOjl2+bgAt-NPnIMpW?QI_i=WvlksqhJ%Uh&OpOD`eEydVt8-@*5wk-CztP?1xFV5
z`68X<OQw)AnX|mR@lbh(Ia9(N^L3@eiS<h}wWJt%t{+1F)7K>e?c^>yP}+kwEY|M#
z0(cSnJOt$IeCWhso6CBSy;pkUpEIZblxM?R9<nf*@bEfj&XP-dwQe4T2Psr@Z?ywW
z45MgOq((WIb8$XHi=$1z`E34BhZj``c>kzqKi+&tZ3qVJH7!d7%J(T<J$4}5dl3vW
z0?b8~2zHQ$g;U&H6JL!&#z`sL*#(v~xioMjBisP&u2{IkMos{>w`xmsIU~noJ*@YM
z?P{&9*$;=Ic-;E9j1a?#{a~^tm-Rj2deFDn-1A|>U0?M1C_)I?Q2>H?z(MP=n2Tkm
z9&>MyNLw>|sqC}VN1vfgDxvG<e7I5%Eh5y&#ZvUK0$7@{crrilC!BE;Anmzs-R)%K
zf@H)Fby_<_5kNfg+VvA3wEGRxqN4dmqMs+2fTbcOtM=UCY)>D6#(9UKQr6VU`KR*&
zSiG5y;IMuOYjuP9ypV?H=AP5=M<@l>8}34oy#_`AQqk*r+EOZzHAm9HL!QSXv~%=b
z3<OO9=af92_X;{k_?T}AASe?UUgAelL}PKqXl&DbthCK;7@08&dPmK*7@4o_G((@O
z7G@*63M8{iwKh{BN8J~ImgT@nICdIu8is;gg?2ubS|K+7GeLt-0)ttCe+1qb>N+@0
zED2vqrXeyDy(Gy`TL*S(M!oq+Watke850VjGb>zpPYjkMNS0bQo89oc(RnL<tzRT(
zWhh7;*SOMMpFxxCzZ)Y)6|S90pimQgDlJhFllDA?rQs|vbYwy@U=Hg5-s?7b(m>xK
zvgXn-g+tT}Y3Zf!>s3aaUVjF>s<=<(3u3XU9msDWgm~V1Vx+0f3oZhVtV6AZhD%*j
zSedpZ9DWhF&U6OdQM2a}Gj*}{9ad_KkEb7jmAh+_^fptm<LI=p?L;l*l$@aO7T6Zh
zmbORL4T##z{8+*AFdd)MPrLs_lkaf%4aE3hwg0vw5>GOfkma?w<S=hfyW=)AX{c3$
zNC#J&@c6oSfn@l&&5##}3*<j~#vfcm2a6M6+MK|p5)W_7BZ&z54?-jVehoOd2qJhg
z_6S@9^e^BY($pVx+e`x%dEHY(i>DX_uv@@{ymb8~(?SamPUS0OdW>n(XGbXXoc9`{
z+nizKt-^r%)xUBTkeV1=RagD<%3kSozZi*yfS@?jzd|%nKL9G`i48L68qxob&`j5&
zov|2ZI+dsimIUK6>SSLA)5jTofbpvOh@SqJj9cMUs4L^$vJSXii0B=~4g!H4S8n6&
zihBU2p|IppGN>^gwM<Tw!U_}elG3dIqI{BZHU;%&ZQTf9z=@F3!0vP1s{PJm41gJ`
z@lRpFowLg=F;JfwY1rGZ+tqgs>U%YZ3&=z%)AjqnW?gZO-y_Y*UaH&Rym5DbT<`{O
zuvEG}@owC!i#;Va>dli5=Ie*sEvKCiKb&6!e#_#F)*FR}4<`sCF1p_^Mxr}Al1^Jp
zPN|$e>W*9c<&wNJ?#UupuL*=sEE~x=KBEUeP9#8R|JFI&Nr<b1hZRN-6e?ryZ^RV5
zK7MPryMJfNQvKfKT=)BynmNlut=cu@*on%l(L<_CA~!d8{oNvo{muMiW{oikZGsf*
z^^bTnxfa2dVWw&Cx6PA9Lm+q)6N@2X5`_stB^LDxW$Di&uZym22FmmZ0aqW$t@NDU
z6`^EMj|EA7;3aO@Lk2t+{A(OJZ<wM=DZ`pf%LvLSxkR<|q~}p8OpU>xwpRJ~omr?H
zM93Rm>rh$kdl0qPtd2Et&_?vyQL{(!G_w=WmcC(ZClY;^iR%fL1pEA><l}L3zjOvF
zdxv-1`sp&;rrhmyVZ=YviU?BGW<@60oxPuA5ifG<nC&9i56n7XO*gy1ucsRK66Q2s
zi7jO+T0JnI5>U8~D_Ozsu9QpyS@pgJ^*<^@G9&hfs}<6*pgKnN=IGub9MMfjU=H;E
z2afr%+t7;ssqwIRIUb(2A-6!2Uz*LVzes|~W?BPVm?oT@lNO6H@FryXsYGTzOhw1j
ziyv~L%huF=JzWd{6Ix96_Oc>M@u2A+Q>CacO%}3Ma`_sq#tEJbXWk)ys%m}fL&*=(
zlr6dre$<sjj|(Fl?Abpa)z}E#@FS5W6ak`6`Kp)V>?SatS)&KX7|B!!E~9Sp#<L`S
zt$3U8=ZDi9uKhZEo#7d*CFg6N=`JsWfOyP&mrsqzYKf{IYRdpqie5JJCnS9n?<JZk
zaY?**a^F)eOy=8`Xmi4w0YHm8${&~Fr&fibSmn54#C#42yt0H4S*r%oFK=>>*I{Bf
zz>~ShaN~dtxEn&>AXcM<SVZ=CjjuU6$~Q8vT|#lxd3*q}@QS4cizl>Zie1~`Co;D0
zd9v5zj>?_F!nZHS`aqFsW8rxOLEY^sT?#ymdjQHHf0#dF^qjo1#E`@YZ99v0Pea)x
z=AldRnD|DtnL)A<(V|9CZ^Ac#euu`>hwn>S$B~P?1|Py#ynQBoEX1Gb#0lf8dc4S#
z2cQ<*_^BZLrWQ5Lv&<rePR1n#(b44c+tjB!eDz^AD{?R{P81)L`1)aE!RS+U&ZuV=
z&K{eqKJnfzw$?Ys^@+@nyUmiaq#`i+8?R8`o!$E85Jbb^rw#qu?eY{Zz$1AGs9W4}
zQX)Vx@jB&%lvu;MaIOY>SwjtdSbv4u<7C$V48n_JA^a~z9#KDyi)XNI6-K{qy|S5i
zaQ)ud^AoGlSvFnl_HqN+xq6X|n2@WDP3qwxksh=(Z9qhX02vW>D}d(|Rxw9Qp3r~)
zO~1=kgm$^#oH$KzIo4jpEi?`0+7rQOprCteO5rr1HI4Rbv5wDHI6G9o)w+Ahw!bu$
z<#wXv#DpaSWHV7~XqH37r^GYkOQX2f3`WIPON5kyQNo$@2VeGyCvv`z^<rO!Q(kKh
z+CQ#=r=aiMxuucDf&(bH?%jXZeSUn7@3PKrSj5e-*#tDS(lg|xF=9h*DUV_0#{mdx
zlP+Yjek$@oU4StnpYcrLi<F~HCO?*Ya{BOPY^nY)ZJd~I+U%N*@`v{#sXe`L1p-D<
zREUJZBOciqrp(%f5mabENaqdMs=3@;m4uUFny0%treQ#Re6TB+rgeYyVPdp1pmEv~
zY~>jG3^m(b3~@(oOd>qLkQMsgvYTew$wRA=I!?v>MN#^3>e`ZDYAo3sRQ6}$p(0{$
zc-YKnSTcIN)<U;qS+Ma#H?cDz{`QJ|@AN4dL8jDn5~`a`#@*bX)Lf&)?*YoFS9fI;
zR^tTS8Mcy&C+yF;=Wgag=Yg;Y2Pg+@SsLk-B&}NU<HUJ6v-|5T-glcq=k8ZMwW&;S
z#W=zn=3r2Y2=J<_N?RH`J2W>J2!y^^>e#tumPY(FuZZ!V2pT>5{;+`U@4V^h*oSE?
z1yDYivLpPnjJmtY_QW0EO%%RiW##laZgT)y=M(zcW}6j%j?DnJ+q_M^LFdXU7JuP%
z32VGZb}p9(Xdb@yE54xiC}r)*;~*ve{Adu+D)~l;O~=s^-dDxf<zg`rGp6pJhFGYb
z4$EF;T%XocF#wdNF#TCM)RKsq_vLtgey^5_qY0!FKAUggj$k5x2JwxB1&!ILv`6Sc
zyL9#ujm46mMUXlD6<;~@$3#8mTO1jY-#kXmjS)QNxH6}Zk1TJK1I5TgMAs@<Khr6F
zDjn=btE*zhZx;>?{=l4Q3$(Gcs8};4(<%l2a_(%ZkuTs2fF66~qP$)TeKDEq!4Mfk
zN?jW>=HX$DuASost)YbuajS-7OL!&`U5sTe)wAoEmnwrXB%vgV5%Cs{b;=i{$o+Ml
z?*maTcJMr}7P-tHxX+}79kecvkA)^Zm##D&7pTt3G733?%Ihs$v{NfgsDC%LG>_g|
z-{s{VuO_#Z%R7xPwk|nAQhZEr#U%$N>hd$G<gS?)eI+lCK}bXtLDs%$Gj9m1HJl=X
zK4!i@f9f6IeS?hbUoEId#w+4llfw5vokOYMAh5$1y&?GFnn6!-988@bTNYr}i?-}{
zfW>nx9TP7;7p$10<Hn=p`Z9l%dOGW~hIFDLHW0J=mQTg;YdEgz<JFuSb)!m$^h$3}
zt(dASJm0z%5tsRDQNa*AW;w2y0_c@#sf2&&0m;A`R??bd+=pmrI9kk4iT3oyvfpPi
zU*>bnA3O`0$^c42v7c%F8)qr;Jht0r1RnSW&<{m0+*RD^TiOfyZGN0VqWBz>(<DAc
zz6p&l9$Xv`;tD1EHp|(@w491AZ$rpjdl?Y5R9HGJI=;|Az8x|DhFF6D#QJDDlt|g$
z!DLieWxDN=hP9&UyOrt{C&6umG?o0id6<IIm-jk#siVSS!hLDw`><a6$X5c#?=pt(
z+PmzxJ^&{OU$kBE%t?GRy4TOD$@pZz261nUwci1^W(q=Ya5%bAj*UUZ#_8#4VY=Z^
zw^);MZw2IsQlBhzU5caq=k{1XV%6ScEqFOgsfkDcx9d>hppQjCGjdl>I7!DhsKXW6
zGQjnsSv7BUZMaE$bXT4jPiEeSV>r!?F(ExP1$Um6|D!_Sm_|CSM{kG@$>T{4*DWCU
z8BbhuqP@BTio*hwcM)R@wUHXq8Q$B<jyX!bRQhAY+8P>SXh>40=HB^FSaQBZuZ7B#
zoF5;&Q8{dD_W#uF!xzrrginuc6@lqrso`kiIj+9}Y=_j+%F4&NoO&H2hIWZE?}Nja
z<)wy(p?&LJ%)c?*+T5r5Y}xXmE>U>m9U=4`;?|fuyAQcb!EI~>Mkb2M`T^h-uS85H
zCF`>$&F#ffn{dNziH3gKyz=rcGEQDdziN(D6j~#J-(0uc?9V*nzH{riV~vQLHI+lV
zfgaqNiYUsthWOE{3(GezYq%G0tIVmJT(-~9zM|rcqn{+E3=K@kd(kMw#YZbW^3yri
z$h(XDRpapeJCeH#G2fq;7ux1UZOKzXwWM05H*eapiUO95k2cN~3Vj_8`8nyrlV;v9
z%}ON^%WhlbO_4dHEv^PzTaJ=Z;^J5ef30$8%CIn~fAA)d{rZ~<LUS!vAwP$G>q8SP
zQI6L?-=*=KpcTkw0nW4(oO+C-#A5UHq>$Gm`i2xZ3m-LqR-j-X#d?3t;Z%Nl_7`BB
zFMiZ*iiY(UU|f~28I#wwWZd16@fTK{&mKgbF^WPY0Tk;hOKZSq0aD}4f80Jx&gp!i
z8k10oQOpgJ6Al;2<qsc(hRF7SG4oTCzJwP*w@9`8=y8p{+an~((nr}De$3a;ONHT6
zk{!SDL&Wd3WMwdGG*RD4qukC!D@%uz?D&`&1h-wKVaJS<Oy2=i$gGF0WG-W-#g#q?
zEn}@w1kOs+S=eO`Oukkk@x;-uhCEP6)>ySO((H<T#(|N7ask5duG*#W`NB`=tpLi1
z;@*LQaMk?U@-_X$P2B3E84bL3eWJDjqcS>nVXV)_k1ui;*E&yj1fZBDXWIuz9y#KC
zfGVk&RJP-rqg#+SB76(ko)wZVG3Ztoi})9wEiLB|v@wx?z0T%dj*0WOn9A%Q@HKha
z*JDj}b4zNu9VNf)LX!)<8EhjOncNYz<3*10L4j{oE6+w3zKF_6-v<O%X6yM;xxfSg
z*Bwuvtn9mY2kjOG$T%Zz20x+0F4>@Kp>^aydt?SGye64Y&J$i|I#_`nRLWC@yb&ZX
zjsR8i0}r#n-dzi%<MVO`t$F18=fhc&7BsS1Y9#?*fX&PNowvf<{5<d)b;eREX9yNJ
z8)ZsyX(vCoqj-}r69#;&zCKY8%ssAXd~0YiC?3u@@-mSnV>#t3jiV)JZ`XtI4yyYp
zok6M^7HfI$a-vwAAF?`t@(RS3VWzq;(d90enMlmgywmoxcJG;Gy#0l#CvQ=8r-g;d
zI2#0l=o1Qvwk$h0`%H1?e6ZZas+=PTEX;aNV6h1T!z$t7;j`6B$m$y!<~KIXV|;r9
z_aUFyCpq9b9&^1ppy1=@pI=<OgNqyULe3RbOVp~Y6EBXJzHi#x0N-{?R{O=#!k81C
z=&<B*W{QgEMOE(~YDXoF^gU%RRE;619FVnKEP8jPV!~DVwQ|+kZ27XrqQd+a!vtqr
zDtdz9Q+}r`idLP2QeK2*nt1CkHixtQ*vi+;-tQsbz6mBICeE*}B6D(bf?ND9Zk!B?
z*b7ps-I~A`=11Qxg{^Nis<B7?8m$}hUG7SMtO{b_?93|Y@J9-wXjgg>WswPGYR^Bs
z#V4Z36la(^C#t`S&ZZ0*)@kcD#ya6zqWpT|I{J8yyT=_QjF0~$jNqMSr*}jzt+cP)
z7CF7>=4^Xjka$yu+dpSokr35S!<?UJ=J8V0pvU-0;3rUATBv6@siXzpud4Mo$-z5d
ziHb_mK-%61x9Hc^{hnyk@?uy8$I$2?(ENQ+_X;6YS?Yi=7-9;dfp5i?|MRT__QT)a
zy}JT^KK0GbQ}2v`Hp_<HQ8cx^OAerfMMlbGHO1zkTuj}K8&W?e(<CmZw-Wt%?Nt`i
zU3RM?o*&;qfdMd{JGh+w49T%3N41C;z!d(#?pvds0`yFIk<#!)3#L+pIibjGdSq4j
zhvxQHAD2zd5pO-<N-pv53c1$45OeAP*B(ajn}4A@Dde1>vqL+uuU202%Q0hqQaK<`
zO0`Ne4fx5Vd%(9mH^%p2;V>0LW>q{lC4H|ogHx)20{B^CB>s#sz}$LbMcw9{FcHwY
zfr^3x?g0$Lg<~8k{3l!z=KhBoj-gUj9{VB`rsESq_)FadLpT8>0P~pQlKL~;*Ptep
zO#%M79h;}{dS2jS4etsb+w@8OC5+2UnDJ*c%n<}ciefNj>}gdv91|dRb-?j~)%No{
zT_z0v4^{m8hlaOUg7~+;g#`d$i})IV7S!^|UNa6@pf1A!0>x|5?cTTPEB}Uy{ci%Q
zmfI-7HyNM}#9;Tv*e*D+yxsa+Aj{d&Ma@k(gv!&=WhnX-!w-hDakl-zK=47Cm(@fO
z)a%v$CkmogQ)OxW=?`tZyEPKJC_+kn@88973;SL6)KB&1z>oW*=0@)8UGj{R#)4nm
zQW*XHwJ_<@x7#LnW-D_Et}fi85>iv2h<G)H@I(*|e+f@16u?OX3RT}rK}9*>G0bfX
z=UJ4Y;%`a<D7V5ioMa75rF7s=FoCpD=Dl8w4=Vic&zbyTLjq1>;J21A@`06>1o!>l
zpB2M6<IZmL%jK{qhkF6^K}ZM=ScRk5*w|Fp)=KG@LC?U5Q2r<NyRB7W83Tm0UoxCi
zVW3SlRqI28(ZB82qm3Ub$F-XyjPF1{Sj=&#@!GOTVbfS2-<0~GabWHJ4_blCFIqv#
zn|>KSI_ZZ`5w~E>Ozs$Uz(@W~vIbN#W>4t!3K=KZ6gH@UC9MX-_%vRZHefJ?!TvJc
zzgG=q=+0mbdt-q&FoF9@Um^kM@*$eY<Mf(s6X4i`pm`4PX1xRKwk3m40@op+datxD
zJl_d=H)Mp4mYXT1%fxeJ4u5wRA=Lo0Ge{N*xZ%HCGmr~@PvpNW*#eQi0Y}3$fE1nq
zEB6Ri6Iu2<BwMlxT;9`FHfaE%k7Y5EDrcRmfAbjh`e*@|uK&gHrbJx>JHZ}h=K4^E
zXo`sM9>BRZov(o>rrpVwdK8V)UH8)+6-Lddr-(mD!N$2O9w&;@1{`5zwyJ&SfPnlD
z02~Nyd!NL>S?9d1$j*PECwvS#T?Ycg*9E}RAA~>_M6Ch%=m+36KW=G8M#iJvIg-oM
zT?t=Q?0mAlq?0kIVF_L7QX^r>%v`Q-cgH^9Z&S@i^uYUi`NF1^)8~H;w`<8yNr4Ii
zP^PhKATGxZPJZx&1rY$it-xa$AnCe#z_y$AHPE<JZ)Yo{6&v;7Xw^BR0nbnf0GUUM
z05F<+RPiqael#I$+O`jXdw$%H`RyM^K-V^PE6hKCiC+X=H`;zS`!q-KLfk;l0~Ej?
zI#$=yOXk@DU7u~|Tad6TzVN$qBqSshyB(X;={6D`Z;ZAA{Co5U(7BsIXX$WqiH8-p
zpwUp;(5~|iG!P(TIpzG2N>p5iU;<9-WME^7$7M^3!>AJs9A@u<rW<V&B?hCr4p#tV
zG8ceUa~)l?f@Un+QwDZ#jAGP44jo9zH7SD<3kz3>0aIB29y6sy;h#T&P;p}6k3nta
zWw~-yi$VdUm?j;=K&_Y_;AWZ?1p^b&Ndz8ziiWwO!&n%gwYe~`<{fPnNE5<B?Uo0i
z_dt%)vmc4Ps=Wn82H^AulL!HK!I#$5v{<;^W6M1;3IJ%Q#IlU*t#EgB&31153%nly
zREZ$hmtXnR3*La1M=z2D8l+kcwiN)aB!b`FIT()_0rZ_g>i2O_=mOsJ-ayru<8TAE
zN%I<-(eD0YXSM4-86ZDo8T$DIQ@_Mw`ENM8Y%J5$sS3?EW=0NoKt%gZ3KIq!<u3e<
zjSGn4f6KO?*+0JTS*yI~EufV7()=z5vR(sPXVJHtkHD%_UR?C7F%j14<l`m42s2PG
zp6u&MsjYp9hre?-+XZ_q1TK`AKbLsRWoyD4Y_OacsA;%Z@3CkUsrS`NUL)<yHsn!|
z9t|w}iL@Em?#&;9b9UqQkVt5Ix=Qu-8}OUVedxc7yiiYwhR-Iy+Kf+B7|7yqb!O*8
z2r(He(k)6A$0F(uX@tDpc}T=VeXc*U3}E(_ul(-HQGuc+P3%ksVZRXcbASt~xRHoc
zIjsEX`t%IF)_FUZOq3A#!nS~&)?^@7b)u%FGf5c@JB;qhIzL9Bf*q>xsT_c#_{YC-
zaTc?tBr=78GuWO9zqL7_o$=e%d+@X7Wg`q%0{_FzFZat$2N6JDEtP3z`{rzv;eKl7
zlx073e-F-n7(o7^_-E3i2YugBFotVm-$NAi(tRBi<;l!-l6%mWrNTCfsRBw%O$W&;
zb{tmwa*lygDZAqi3_TC$a$F1l_>*aY1#}2`K%&;ppY$&-fPj{GC_blk{#c9dm3kPI
z3A6R?UBX}~(DKP0){h92Fmv9wP<Y`F*e$AVK2e-9r5lrU2l-+4A+Uf+6VhT;8ZsZt
z&uI&<;2kXBuRl_MlVjxY98l8L;H5dR5vTxq!i=2#&&haP10rYF&`>O-J;oo_Ws3G~
z5P~R;-UmvLX(I@sR220ih_zZ(OEw~J7IW<<dQFbcewjUJB*bNg-`{gsO=Wl8wa~?z
z(I2neBhQ6_*FXlQqU>vCwiVmq<S%C>4HPH2BvOey?9}*Rua~EPw|g7B#H11u5f2C-
z(rIwovT8xCQJjz%Vm?>B^MnLYs!>t8^Oa<o%F$dK6lL@x?pLK;DV({!JP7#?0ze=L
z0N||#BC$=1qr}2AorK~4-2QSv>vok2?!(B=&g2GBhTy<49nHlSaZyP-0?|em`==7!
zQ5TwpC0?A~461JcINt$zL~Y6MTc;agW=)A{(%=J#BpJTKceG7cwS2jKJ*x)<B!5HR
zO2C;M26^+w(sttG5zD>9MOWGY{b@ph#Rg4tiYe1j`gmXQIozg!Y?461&}i2OGn@Q|
zc`oNIJRsuD*a&j<1W#7FjiysiUD5l9Pm=ru&EP1Aj>agWAaOJL5zJ#^A*_N>66FJc
zXAJuI{|!#FRJ2xOlWW!k9Hot5p;&G}sfO^J$@kXcWqK&+#iq88Fl1UOSWcjYury`+
zfEB*9H=k&+Qb|{7()}d<9uq=Kq4CS+*I!gYA~m{h%iHZ=0SYAuc0^Hxg@K7fXS$h*
z3LVssu~;+5OJ@DeT=<B2bC}UWSHD}^07jRReQP#)8dv_OlnEw9@st|3<J{cI`TCc`
zi+7kTj3x}d(eTvrfMc6{w%Ts%TWV*+3D7eMn<!1qPDY_%=Eo+3gSd>>Ag_)M1Szgm
z(kvQgf_eqpq5g+|ay$(kO}&STag;cSJN#~5_cn3TqzkC1!^!37jKj4p3s?Nm)q}N|
zjwKnxIS*MRC^^Alr<(JM&eMedUfOe5k2W>}y+qWy<o#1Mto|6U4aWVEP1U0c7M^Bm
zwEJf?yq1YS6v|B%DEYU#I<kE$>_IGfG8z)HZo|jX?pyFh{bv#SSS3?p@TQRzK4rkV
z-i02K%s0<#I(E){q}Ne?K7+|`4p(vvY>Qb5$OSKcCIl0geDy<b#cCQryLVL1#$Vd@
z7jV64%=&(9%zDKsrY7}SQ-G1JZ84@xcl861?JfLD0~3;dS*w=F=3?o`AH}lP!4gmi
zso14`!s+X&kx*Nv^ZOUE1*GdXMh^C$CK&EnK-B8{vyq0gskI}}aAps^lW5GbSOw?~
zw3$FVq)M@5fy*sc>9)=v4jGmu{A^*c=3-1rn+5UbKfB+F9lK1diF8n7*A?s&f=RpW
zD5Z|aVjJ6)AIkqMyCb*$l(#hH=Lcf&rd~o=Vqn=WDKktI8LTQk2BU|74wE&K)CaGK
zV;<p-l@wR7Y}&<kM-PyfLn)3lmd<{$WZYp8aFMD`pC*uX1;B(%5tr}j!zZ~zj+s2X
zjb7sc8<%<7E_{$p7rTIS>ckVd>m2ZCF@Vjk3}y|<1hu!B_WZQev!w&wde;=iK{bP?
zqA0(FLYUw-Ak$(SlLm6>a4wj3zWBt4vB=PyFKDcn&eGFqO3+S6T>Udf01`ZMOmT%u
zNo-5${ms_11=YrcvCd9p1_lO5=BKwHx&BLVlsZxFA?U(Jx9Vr@q)AqDl4|-yg!C!w
zKK{7y?X=!@(|2l>B_{`}zp(cpeVm;`->|K0qe|$@ugqwIH=bGwUneS`eQZ=};#rs)
zYmM%|Ycm^gx32uh?w9hpLHpb9<VQy*BBwm``v8$v?|sI>`(wHi=T_iB+ki3A+{E={
z(CQkS`w_vn+gDRZQx_jo_E$%hRWUV*|FW&!!0N$e^cK+m<}G?}b9bf-@4LIT<@rv8
zgY?#~3ycVW^M9Z5UEmJC4-;FyVlrF;$}k2lw;OcVS2h8eg}S7`F!0rnJ-1=ZIkt9~
zL8@g5=eL=aDslHt#!|Pww({2Arn;_G9qi3=8=^+K$8Q&X1cIpMyUyo8t&wvqYY-Sb
zYSq3$17*o~2BFC&auGR_>R3PGko(@uRd{%=uQ*-3*~XLtx^mu5I-xJhIR<a9+8P&u
ztJUk?W}>~DX7r4YIR3j;Wq^HiDgNpBo;MyWgL|57$^nFw|8#PBbuhfVVrLufW*fGh
z4Bcyg>FJZ%=KPWA()S8C)pwxxt-9ITo#IgkmggczW8E?_+y+t5gxE%^F}~MioT6Wx
zn}E+<3!%Y~OC#PAFHv2mTV8-4d#eV+eB6PFMYTp*Wmjc^U?wt4Mn5c>e+iO#3QVvH
zSG0hX^`E(t0p+)~CF84Faq39kr06nD_U<?XGETt+t`GCijSYb5+SI$%pJ(l?XV7y4
zR~Hg*7l#JVOZTQ3%{3kuKH!w-1#HZcBch)}vr>404J|6<c}JnT*KQbb(=l(A{C=yP
zN_tM<Nstfv5mu_|l(d{G$r(JOPNPtr`7v|4I`T0>SyLxEv%w*1K7aLN+}j#d&KQ>1
zK|459i`A;-F3;e>m04cvM?>6=)>KX9#k*lQ0lN}EAg(om=JaW*{hj3@J^R#Wfl~U@
zoSr38k9dJy^5@1*l$d|`&dzTDp!|M?Zq+U_kd_rz=QRwT&Zb=|K&*jmhW{I}aEN|l
zNqxU-yI)J`PygeM@z0vK$q8lm?^-Cftv!@b)*3U9i1>V2m0}(DQR9VUg@$`tf8Og{
z6G0~#E<EA&l#H!yf#V>aRgI+RPKvPEjW4q(^*(NCb!qR?ocAUh?g7YjjDm|3@^(}u
zk-W2JGltosht~4yP0>ZotDJ+gN^Kj%m+`W|I~P>Gp5G4itcZ}_gPjzsWP$&*8QP&Y
zGke7pENk6;V&;q5F8#Xxl2f5is^)v-4LwlD?1pTY8g;*i*~g-P-%;`>75(CfH<8}p
zW@{4V9a#e4)Z);k)<U%Xt9EH%gZv2I#l~Q%yGAPi)p2}4V-S_WeqqR(`Zw&4tIzX^
zqpN`NZJ7fnt#A%+E&;Xt%aAm#ght1Q!|ZW`NP1mEapojN&JBA^Ys|*x=p*YDg{FXG
zp!{tPSV}|Hodyo%dkt8Z*MW75O_z+aMa`RA20!|EU!Z;)EdjRHp}Kw7eo}X)b1Etd
zG|;nvX_P}{Ve=2!JA)+<gPwh9o`x_W?JXALl|xmdl==DFg%;~GgF{CPQ0ZtL-4LIb
zt@_2xVeUcWKNop#P<ES*>pyq?dZC`kx%`}#L5YK|9WKdi;{wfU_K{qLMVrIwo2_9*
zG~If)K=elI<ibgy=8SrQHjH=@cw#?NcF1A2a0Dm&wPKWiFvs{YR^MkiZ6&DzgKy+7
z*258&FDhRhOfL2m?fKv8#@6b`RazMYTg_;Hmsf^z6#+HpyPrl%z#Isi0I?1!pw{wF
zGp5g1KY$y09?2ly`RF*{v$T?Nrfj~tp#S<FV6r~}P#fKU&eZSk7HVgKOWXX@hbK+I
z*S_&im^s>rNhiaNxBXiUgFGDdoQr)EoSJ)TwaAmR-T9Sf{BMeJ+9yM^2*T3TvKS*~
zndv>_N=5jU9UA6{W<!K!_)CEQMc$I}-p~_;LP`$}jnQTzW%?hVDS5+NnuQAr_RnU|
zw!4u4@8XwKH2T34dNWIOw)5_>dXI8@QH39I=T_`<J>fAhqt@%&H`@NG+M^dzWThMq
zDzD3c`0@A&C5uZQE%2$$jLZX8n_}HYD=VL+tQ|X`?|@HkQxtdiAXw=G#@!f{dKc_z
z%F!E>A_Xbk5*eSNjz!ZVK`TcJohEGgKoQ5q??42+E&{Hsz6k-f6+81zk$?%-_Sm(%
z>8<!3vCfd`AgI_;maL~73We3L2qyT?2-ev^X>Wkk3izn&YJdTir=Dr0m6=LbA*~`W
z$SPi7jfiv{4BZoUmyKz*A>=oSu2NB!2!m=J&KOCWy*^6)3x<W5=9mYw0L?d7i>xkV
z#aKOo=WH6g;2BYjHIm+~P3K7KW%PX6Ui&j6KyS2vR2z`=C_J<bGM`I@9pr4)l>PZ|
zgl7`})1~sT=e~&rIp<&jWjVCiv#Uf$QsqjwY-v-OF0}RC*D*4#)sd+)FToc<#v!JY
z?FVmwsqBk5GV!Pg0?26NKq@m~k%*2N8cJbac9_!6)tNz`3s*)UBu<B3<zi04_oK!N
z(37rU|CXZ5ue(Or4U)qgbk&EBCo=L~WA4&^aaIfxdb_#$c;!ok%+%eaRFj5RQX15p
z78mb=E{yWB7dH=DsUB<L_8(@IWsQ9K3oS1+_f^Bh#;$rcN2C%-Yj4m_;yS5}Lh<O=
zd{h7Xe2ZJ>>)}N}nXtDDqggtdU%-*v%y~Zl1ftpZgV=@1(-88%d~I`d!A&x<wH5=S
zPG(LuV5`M=Tp&>QxnzbpjaAozMlEHz<7v$ufZ!UdCkfo@&T7I;A_@5%Fyr4%W@VIJ
zrw=v8Mj!VqVeie9oriSEjMpqG6TJ{KGy65Wd~a_EpAg*Yx}TD0s;YO|T}@BxR%t5h
z8BphQ8711r$tTu?2fzNjNlHMfNa&qYr-5qC6WEQDc{RjbhAq!AA;=cZ!O?t8U0m8F
z=##@NLe6$y>_>9(abM{@%{p$=szDNgIaZtXyW88_hetPDr*AP0N@ouFSL^#&?FCP{
z`%kqteDA%bvpmZje-h#`>|QQy!oc>Rjq`eF7D!%mI)@zRHk?koNxr^==*;Y;s~;W|
z{;1pJ*sXTEnx8((G5KC<VSRFAN)a;`XPd{$+4<G;O}2s%Ujp0BmgjCs$+Me-{5J`^
zMWXMDSVfbn=M~kh$E0T5M$vSt&1zO7QY-}7p@f_kX-AC$7Q{3j8@v5)ypLDsG%Sf_
zv{-Vd-v&j$u+x7uPZjuX*8|Jj@)0Stx<=^(0cWUk$zxLJ#Q7uZ$RmeyHH}njv%r?#
z+Gr~E$zs{5F`LNAq{MaYz&=#A?FlM^T@N9K3x&^BJLEUBF+|2IE8TTAyfo1I+AQta
zi|Zu6MpFx+0pRK?zr%U|+9sCQW{sb{R_%rtz3|AG@#cEx-O?rc+;(qjo2I@+S5QOQ
zF8TaQi$njXfyhk=e~c1|^l)cird*=)Q2x-X$E7;kuC1Dug69`|15;!T*4jO(@1nQ9
z5X`8KKh>_<a6Ui$;>JB)e*D#GlReX0C<GU0A-=E6qvJ>Rx*L`D9oER69-I0V-}rG7
z_l`}!toTBMAtz2o{woQa?NAPTS0mA~1i@>E**S|el!{>&g16TTd)f2GU+!h&)9qFZ
zZ1AUMmI+KjG(~d+a$N_*tnmhA#tGIte#k`LuAOrssFMm++c|tf;j|{qdHqbNy5x`?
zO0mAm0$od4WQEWA>c@~fuDe{3()5CrbINJ6UUS7gXms~>mIavbiyrv+@9x*y6x_}y
zvTUyuxy`hfPitH@#zIfJiW(+y6NS~(>^`4Iy4Q`%3$?!Q^W(c-IMh)an)H!~xe{5K
zt5Xgo7F-#980S@LZSiTn@zt}7*aQy7fzB#NtM0I(n(rQFw{@r4(G2N=PAe;Ux>r&y
z4mF4Sb8mXl9S5(sp0H*(_blpUm8;BMm)ygg3*Y9|WlPa(pu3ntC^CpI)E}&%o07T|
zdAvpJQQGV%>u#?#4{6m}ieWdtYmqn}@v`Xh^GuODqv@z0Qb@nmF+TU2ff2qn#9^@F
z1-`Z8ibOp5Rax51hp;)fFf{Yz!M!XC=kh)qo0``9&!m6!i0d+;Va>8VJuH56zHZ9O
zse5sCZhsNt&~VHyShwRon`XnlxqGOilgnyuQ8f~_0jZWeAmJmCAeBZ0vu%wv-w{Ht
zvIV|&_WTe}aovGw?RX-@s~S?-uDifJWa1ccdy>fL8q{CManq~WRH%7XQZk#R6L}@n
zWC33w19vn?G2=K`SBW$xF|e>HxX`I)BH~>sJJtbr%aT~*X+HI6mt|A9+##kiYD{Jt
zXY;{(0gbFMo%LWyedW!y4bGgkF&d7$Znp(-O}_<Qa(t!a*sG4IS+&;QcQ294huTRR
z+gJx{9Ag=;Rc9O)u36n0kh~Fguh^Q}IMJ+XyL9^tdK|Iq%(hVnC#h!~-}c4y-+wbN
z#QQz57X19@b_L10K@Bv^J&oJ^jaj_}<yMt_^6U6XXPNNwKGD``HEl%>U(F_x%h+no
z&Y*fNseVi|<*d^(70<rFuVs#x9e+KZb;Cy!WVOIa7zro6QTx(IXGZ@POF`81s&VZm
z{*}NQJNbab1;k-^k=fxeV!oM#H2fF=M1rbt+r^FuT4(Szui(tIi-mP<U0p_H<*U@e
z?5NM5C7V8YiD~NUCb6-ze;-xVrB}-Ox|Vrtr<rQ|X^rdg{wY4&?9?~aKK?_?dpOvM
zjsd4KX+9Hmm-X$dQ%*1E%*y8SpASlWXRBVr50-HeSo0-(iykDf!RFz<YZ_Mmjp&mO
zt4~_u_`<Gv;5&$D$Dl#y(iY7yrp}b<YO00VQO|{)14*XGf|6(j8^wB^@sVB05Ub$Z
zA?EUsgZRsnFK-3H8Dk~t*|ut?%5%JlPrc&M;@>#ujQ`Z9W7xNK@UV!lw=%9enq8a9
zP~t?>+{nGbM_nYE?{K@R{pR;oPoboyYSj(i?2O~fw3u%^JZmKn&yOE^25HKws?uib
zfiBD?PraJj?qgU(@iw<k6XKrkcBU$S)0^zYmTyN#&|YbHYr!!d@6>+ZpV;oS)hXiu
z-vihBNcxqWTo|H{Fb&g88Dx4P#TeiNL$k9Cpcia3Xbc=&EzJkrx;P~+(mpi8^*kr{
zCjHFWzoIrpFY`@n(-JA3z<YkaLq^<1rJQwk?uTW9v-@x-D9O1hAFKxRjdeOKc|Klo
z>*aNq`f(Y4a68xH&gV3N438KILOR7N`%u=g1lM+L&Mu~bD5*BWos~{aqM(Zxbv-23
z!%qC`T!p(Wy=oYzTa)BK33YOF8ul*1wOq2Q<U{=Ox7r@fq}2GzEqcyP(o#EeX!SRX
zI6`a3%+-#HXFR9cF6-mV-gTbae9&s#3^D|iU~w;7RvbzJA2@^>vT&t&<8=8?FRPyf
z5FNEo3>-i479##8&s`rsRUtzn{+u~1$mjxxYt^wuCUcIW58ay?6~np%rM(kFi1Znv
zJsFe&mHqpN_-2=|rM9M@WY_fJE**v~A>VA6RbxaEKExB&PHNF20Q22Fr|Ksb*-tF0
zC9}UHV+g^)BVxQLft#ml|4H}|9+5?($z?vXtW1faZi}S`v?0wXDA-PCXAj(IyE;EK
z8cKg`6*Gw;q_>4I)ga4@y)#uIU1>E<wY<D+Fc&9B=H>MnZocEAjp=HSs#vdk7g_1n
zlsINrkAqSaEeZuq@oAH1j#}eH{mT5)d;MP$mu5Y*kia{CT@tGWI*+rs>}XAv82Fn?
zl$Tf^uJn>agRz79pEA7^s>3p`o~&`mvYczwZkcBiKp_n$gKr5TFr9Vyz5jq>p|8Jc
zo(c<9(!rrD!FkGT_SQm`?X4L7V05;oM(XvsJEFac&^s|xE341BxwK|xW>29@8$v&8
zhsnU1)GAwTxA+2^7d$gDX}48|0&{=1DrNiYVnLF`eeMqgm+<1gP%KjD(#qS_Tvkyp
z+r<?Du&lWh+hx6M4OU}V=c)RlsFyITw~(>0?UlT2KgFLW=Jh=Q&x^kV&;Qr6b^Cnd
z#h&`x8VDw5hsT500<GWGaxz8%&w?U@@kr!O+yf7}vgd%dO-@Zu8^PB8$jA~qF~~R2
zscDxo!JFdT<yB350t-K<-haZ+w*+*~EWZRGG5QX~n%gQlUP7VZS@v6g4mD3GVdpOI
zzn!}imkRLkh{164e)?WQ7qC-e>)t=l<=>y9a0bI84$;D<Nbb)tNaj0c!%$JcX|Df(
zH2f9pO?dv}r$+&WI%Tl3TF?yOyvxBlh3-B6Gg+%Ww!<?s^c58qm?4mi{QQ>)-d+uu
z*kDm9dwYAsudl6zcXU8<3Jar$h7{Yt@)m~;bpRY|Js^bCEG$S<Ff#VbDCClcrwffo
zw3Zq>G|*`m%Nr*+$ws;#+UfccTt|)$50f|R$ph=C>K@o)@xHn7T;JaQ92trEy}w^>
zP=Wga0&LcUy-&kVq*Bgj<(1{vGD%f1@cf&aekQM}B`6a{d3Yw1_$PPyS;=+fhJ<}@
zZuN&i1#Jc_7jye$QAoYu5Ku^&Qou{Rx17O+fMOU2-c64+URDt71Ft4qF#bg_#TaMu
zUbd~Kzjm4sX%G?$r@F@>mlGm}Ed!WVSt((}U%OBd<U^8)>=Ghy-al~nw5!**wxYVb
zrE>D}K7IU%io;=YgSYhHEopKu;?&esdS)gBA0I!xz8;FK+D=ItPV{RztRG-2<a{BB
zFdAowgqs<HCM!~!c{d=RNVgxfmzph$Vt!@kUB8}e_D4ekTkeC%Q!{Jp=ob_s)%sE7
z;RxQ1jRIzWZ;uFDu7vk#_9%!L@~~BG*W~`!D+Er{=j*eL@ikAul0>B?4bKPTR%aFn
z^MY+30_p#-5Xiwo!6OY9fPL=%A3p!j3q_*3<TMQd_L}hSprosSP3M>NXT1xygfx(V
zRRiW0Pl&VtHvTK{>rZaJb)5}f(FcMKI0Q3nkh;%5gI3$6e@p}csxQpeU{?YO5rY)U
zbQj}A9{3|P!GESm1nz>g;04e7F?$JVfH!7+_J3+`cs%(ZDFP`*v1%$9WiTxh6B8*B
z5z)}Z1oi0XsG^3(M?3_S^cP^<cipz5-QrkTDO9yQ0+*JTYiOjf5hJnIc<j~2EDK{Y
z?&EX^m-R{7+X(FR*rw^0y1BVg;60EM7KV3u0*|OjF)%mB*wE0RsHjMGetu5FL+dXL
zc4tUD^WM#%4h`EJ!ADfo8LV_vghdQIJfQsu`t;E!vLF3u5d&+oc>A7u#Xd8)>)AlS
z<to}2E3MJVdtg<=)-#ndIKfitu_WNU>A>-6IEl9C_~_R{#{+9ypAWW2NWlKbL;Jm5
z3}FXNkPUHGC>%l`nASc?nt)%MMQ8&Apq#Rm7htcRBQ)OUOiWBvR9B~Qa&l5sP-t#h
z`9b27kb;g_9w(%!89y>I@<LS9Cn_f9@@H-}B4X+9fUMm}MyujL{_Ds|*8D=CoJ&Ff
z*NLOXQQ+~SrOfzQgCOr&af%Qf&L??lir(H{%s?>^;_ML>Ne9NqpA{4oD5|JX($mvp
zKJ-_zRetCVhX9LxtPfrLe+TEiufG#LR!(pz2n!=2MuMe9@w{X8kuBK2b_SCFJ4ot*
zp*^^RIP~lD|5HKq|INLT#Mmn1;!-s-HYUY}|GBi3<sKr!i4-_0ycLk{-o2ZimL`f%
zK#);et05&V{YVtf8w;FZP@$q3MMei>zom~sj1l$qe4OGr?}Z`}v?U()eCa(db!--i
zvm4`<-0AIn`{W<#BQ^C;268W<kBAqSml;)6s!~!?6oP_+;u6bDu#?M<_3o_T)N|hz
zcTol5l=%0`!g_=VcYJ(O4eS){<PXlhJqh2F5mfR&&EpWDLPjUSx4W$uE(^)y;eGlm
z@_RLX04tj+DrNz!StD=?(ADWDFu)=|96~Et+rh|SkNgw`hd>(a5CCJO!vR}lzjtxu
zkx)|&2szv|NWVAB3lNj2oW=;jwqnu!EB~T>{yd|wP?naKR&65T+#sCw$lHtKv8jc{
zr!Qad%}gm0eGuW`;GvRY!pf%M2M6{fTG%mOLe9T3i7b$OWtdxwMQhi+KyZ|H@R9nQ
zj&wpi!HC_1+mrbjUD9=IEB(|2nS=u?p#3!_s&9HtjXGHb%DkUKs1PdR#l=N>MTJUk
zF6eBPA>J}?iyGSf6hlY|76&`vcWZuUGl1l^n&p0Jz2XP58R~2=p;9mhhV5s7kPJ&E
z=>9{%{5#oTgKlklXiA|54Y^<na2=$4Jx!meU(8I;o<LS@r8La*Y6Q}*g=f-K((t>%
z1mjkG7tMC}aBweI`8hAPZh3d>$xRaM{IKHh8-O)3f<h?hsa0EB3uApMs&z^4DW>%)
zU|^_!^K9rEL{Bcp;yRdhS2VntZg)YJe&Jk&IbfS+V0QqrW9;<F^JmXJ1zz9NSuo4%
zx%ul*|Mh;uAA#`%SED5${(h&wKbrvW+!AS$<gWnuD+;oRfPC*!mG`ILM?5T}2487{
z09!zMN&b7W{El)E@OoGlIBYTh`48zm2Za!9!*{<!>aQnabfI|P!oL=^c#^Fx{~8Vs
j?xB&Iq_K<)94+`71^j~jH>C6l_CHB+S+PP9z4!kg#>H{A

literal 0
HcmV?d00001


From 5ff5b7ae776ae8e9e160ced98dce1ab10e9019df Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Mon, 6 May 2024 17:59:46 -0400
Subject: [PATCH 17/50] Correct links and spelling

Co-authored-by: thebrandonlucas <38222767+thebrandonlucas@users.noreply.github.com>
---
 bip-0077.mediawiki | 54 +++++++++++++++++++++++-----------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 66a402e3e8..a7cc09300a 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html|Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -22,15 +22,15 @@ This BIP is licensed under the 2-clause BSD license.
 
 Payjoin solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner." Breaking that common-input ownership assumption and others requires input from multiple owners. Cooperative transaction construction also increases transaction throughput by providing new opportunity for payment batching and transaction cut-through.
 
-Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html|regard]] these as limits to payjoin adoption.
+Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html regard]] these as limits to payjoin adoption.
 
 The primary goal of this proposal is to provide a practical coordination mechanism adaptable to a majority of wallet environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
 
 ===Relation to BIP 78 (Payjoin version 1)===
 
-The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180|HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
+The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180 HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
 
 Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
 
@@ -38,23 +38,23 @@ The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original
 
 ===Relation to Stowaway===
 
-[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to receive payjoin. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from a application layer authenticated encryption and relayed asynchronous networking, the version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to receive payjoin. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message from the directory to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration|OHTTP Key Configuration]].
+Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message from the directory to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
 
-Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin directory.
+Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the payjoin directory.
 
 ====Sequence Diagram====
 
@@ -100,16 +100,16 @@ Key:
 
 ===Payjoin version 2 messaging===
 
-Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki|BIP 370 PSBT v2]] format to fascilitate PSBT mutation.
+Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki BIP 370 PSBT v2]] format to facilitate PSBT mutation.
 
 The payjoin version 2 protocol takes the following steps:
 
-* The recipient sends their payjoin pubkey and optional authentication credential according to [[#directory-enrollment|receiver directory enrollment]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
+* The recipient sends their payjoin pubkey and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
 * Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config should also be provided.
-* The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#original-psbt-request|Original PSBT Request]] is sent to the directory's OHTTP Gateway.
+* The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
-* Once the receiver is online, it sends <code>/receive</code>requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* Once the receiver is online, it sends <code>/receive</code>requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 * The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
 * The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
@@ -140,13 +140,13 @@ The Payjoin PSBT sender MAY:
 The Payjoin PSBT MUST NOT:
 
 * Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
-* Decrease the absolute fee of the original transaction.
+* Decrease the absolute fee of the original PSBT.
 
 ====Enroll Messaging====
 
 Receivers must enroll with a directory to have a subdirectory allocated to them as follows.
 
-A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01|OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01 OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
 Payjoin sessions begin by having a receiver send the static pubkey to the directory via OHTTP, receiving their subdirectory in a base64URL encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
 
@@ -168,27 +168,27 @@ Once an Original PSBT Payload is decrypted and checked according to the list, th
 
 ===Receiver's Payjoin PSBT checklist===
 
-Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist|the BIP 78 receiver checklist]]
+Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the BIP 78 receiver checklist]]
 
 ===Sender's Payjoin PSBT checklist===
 
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078#senders-payjoin-proposal-checklist|the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
 ===Directory interactions===
 
-The Payjoin Directory provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. It may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
+The payjoin directory provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. It may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
 
 ===Subdirectories===
 
-Each receiver subdirectory on the directory server has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
+Each receiver subdirectory allocated on the directory has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ===BIP 21 receiver parameters===
 
 A major benefit of BIP 78 payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
-This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
+This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21 URI]] parameters:
 
-* <code>ohttp</code> represents the OHTTP Key Configuration of the directory server. This is a base64URL encoded public key of the directory server's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
+* <code>ohttp</code> represents the OHTTP Key Configuration of the directory. This is a base64URL encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
 * <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 ===Optional sender parameters===
@@ -230,15 +230,15 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols|zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html|Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/|IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5|base64URL]] encoding as a subdirectory of the directory server in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/ IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5 base64URL]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 
-[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html|Secp256k1-based DHKEM for HPKE]] is most appropriate because of secp256k1's availability in bitcoin contexts.
+[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html Secp256k1-based DHKEM for HPKE]] is most appropriate because of secp256k1's availability in bitcoin contexts.
 
 ====ChaCha20Poly1305 AEAD====
 
-This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305|algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439|RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki|BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
+This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305 algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439 RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
 
 ====HKDF-SHA256====
 
@@ -260,11 +260,11 @@ Since the Original PSBT is valid, even where <code>exp=</code> is specified, the
 
 Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peers. Directories may additionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory with without OHTTP.
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peers. Directories may additionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory without OHTTP.
 
 ==Backwards compatibility==
 
-The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP21's URI Scheme]].
+The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP21's URI Scheme]].
 
 Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
 
@@ -272,9 +272,9 @@ Receivers may choose to support version 1 payloads. Version 2 payjoin URIs shoul
 
 ==Reference implementation==
 
-An production reference implementation client can be found at https://crates.io/crates/payjoin-cli. Source code for the clients, directory server, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for an Oblivous HTTP relay implementation may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+An production reference implementation client can be found at https://crates.io/crates/payjoin-cli. Source code for the clients, the payjoin directory, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for an Oblivous HTTP relay implementation may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
 
-A payjoin directory server is run by the Payjoin Dev Kit team on https://payjo.in.
+A payjoin directory is run by the Payjoin Dev Kit team on https://payjo.in.
 
 Independent Oblivious HTTP relays are run by Obscura VPN at https://ohttp-relay.obscuravpn.io/payjoin and by BOB Spaces at https://pj.bobspacebkk.com.
 

From ce66047deddee3d53c648c4947832ccfb7244475 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 7 May 2024 16:23:29 -0400
Subject: [PATCH 18/50] Wrap <code> blocks

---
 bip-0077.mediawiki | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index a7cc09300a..41fdf30e18 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -109,7 +109,7 @@ The payjoin version 2 protocol takes the following steps:
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
-* Once the receiver is online, it sends <code>/receive</code>requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* Once the receiver is online, it sends <code>/receive</code> requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 * The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
 * The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
@@ -156,15 +156,15 @@ In the case a directory is operated by an exchange, it may give out authenticati
 
 ====Send Messaging====
 
-The version 2 Original PSBT is placed in an HTTP POST request body as binary before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair `e` from which it derives a shared secret `es` with the receiver's key `s`. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
+The version 2 Original PSBT is placed in an HTTP POST request body as binary before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>es</code> with the receiver's key <code>s</code>. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key <code>e</code>'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
 
 The directory's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
 
 ====Receive Messaging====
 
-The receiver sends a GET request to the path of the subdirectory followed by `/receive`. This request is encapsulated in OHTTP. It awaits an OHTTP response from the directory containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the directory has not yet received an request from the sender.
+The receiver sends a GET request to the path of the subdirectory followed by <code>/receive</code>. This request is encapsulated in OHTTP. It awaits an OHTTP response from the directory containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the directory has not yet received an request from the sender.
 
-Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair `e` from which it derives a shared secret `ee` with the sender's key `e` from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key `e`'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by `/receive`.
+Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
 
 ===Receiver's Payjoin PSBT checklist===
 

From 07db5536684b2c111f4bfa0e468d3a5ee1473c88 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 7 May 2024 16:25:21 -0400
Subject: [PATCH 19/50] Fix basic scheme actors

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 41fdf30e18..c36c48adc9 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -50,7 +50,7 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The next message from the directory to sender includes the enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration OHTTP Key Configuration]].
+Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The response message from the directory to receiver includes the newly enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
 

From b693fb9a2ee19175fdc9a9f42271c2eab1403086 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 7 May 2024 16:28:17 -0400
Subject: [PATCH 20/50] Fix dead samourai links

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index c36c48adc9..d05e5718b5 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -38,7 +38,7 @@ The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original
 
 ===Relation to Stowaway===
 
-[[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoots/STOWAWAY.md Stowaway]] is a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://docs.samourai.io/en/spend-tools#stowaway Stowaway]] was a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://paynym.is PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 

From f9b4b911eda4f0154ee2ffc85cf4037f57fd0ab3 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 10 May 2024 16:13:27 -0400
Subject: [PATCH 21/50] Orient motivation around a problem

---
 bip-0077.mediawiki | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index d05e5718b5..681a66f3fa 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring them to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory and HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -20,11 +20,13 @@ This BIP is licensed under the 2-clause BSD license.
 
 ==Motivation==
 
-Payjoin solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner." Breaking that common-input ownership assumption and others requires input from multiple owners. Cooperative transaction construction also increases transaction throughput by providing new opportunity for payment batching and transaction cut-through.
+Payjoin is the simplest case of interactive bitcoin batching, allowing two participants to combine their transaction intents. It solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner," by enabling two owners to provide input in a transaction.
 
-Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html regard]] these as limits to payjoin adoption.
+The payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased the opportunity to batch payments and and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
 
-The primary goal of this proposal is to provide a practical coordination mechanism adaptable to a majority of wallet environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
+Version 1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html regard]] these as limits to payjoin adoption.
+
+The primary goal of this proposal is to provide a practical coordination mechanism viable to implement in a majority of bitcoin software environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
 
 ===Relation to BIP 78 (Payjoin version 1)===
 

From bc3123e1dab1c5b08d6f934b11b4d741107ac386 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 10 May 2024 16:32:27 -0400
Subject: [PATCH 22/50] fix links

---
 bip-0077.mediawiki | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 681a66f3fa..f190fc5e04 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -24,15 +24,15 @@ Payjoin is the simplest case of interactive bitcoin batching, allowing two parti
 
 The payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased the opportunity to batch payments and and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
 
-Version 1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html regard]] these as limits to payjoin adoption.
+Version 1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfuihjknhoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to payjoin adoption.
 
 The primary goal of this proposal is to provide a practical coordination mechanism viable to implement in a majority of bitcoin software environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
 
 ===Relation to BIP 78 (Payjoin version 1)===
 
-The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180 HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
+The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
 
 Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
 
@@ -40,7 +40,7 @@ The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original
 
 ===Relation to Stowaway===
 
-[[https://docs.samourai.io/en/spend-tools#stowaway Stowaway]] was a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://paynym.is PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki| BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
@@ -52,7 +52,7 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The response message from the directory to receiver includes the newly enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration OHTTP Key Configuration]].
+Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The response message from the directory to receiver includes the newly enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
 
@@ -102,16 +102,16 @@ Key:
 
 ===Payjoin version 2 messaging===
 
-Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki BIP 370 PSBT v2]] format to facilitate PSBT mutation.
+Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| BIP 370 PSBT v2]] format to facilitate PSBT mutation.
 
 The payjoin version 2 protocol takes the following steps:
 
 * The recipient sends their payjoin pubkey and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
 * Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config should also be provided.
-* The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
+* The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
-* Once the receiver is online, it sends <code>/receive</code> requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* Once the receiver is online, it sends <code>/receive</code> requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 * The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
 * The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
@@ -148,7 +148,7 @@ The Payjoin PSBT MUST NOT:
 
 Receivers must enroll with a directory to have a subdirectory allocated to them as follows.
 
-A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01 OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
 Payjoin sessions begin by having a receiver send the static pubkey to the directory via OHTTP, receiving their subdirectory in a base64URL encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
 
@@ -170,11 +170,11 @@ Once an Original PSBT Payload is decrypted and checked according to the list, th
 
 ===Receiver's Payjoin PSBT checklist===
 
-Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist the BIP 78 receiver checklist]]
+Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]]
 
 ===Sender's Payjoin PSBT checklist===
 
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
 ===Directory interactions===
 
@@ -188,7 +188,7 @@ Each receiver subdirectory allocated on the directory has a buffer for requests
 
 A major benefit of BIP 78 payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
-This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP 21 URI]] parameters:
+This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters:
 
 * <code>ohttp</code> represents the OHTTP Key Configuration of the directory. This is a base64URL encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
 * <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
@@ -232,15 +232,15 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/ IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5 base64URL]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64URL]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 
-[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html Secp256k1-based DHKEM for HPKE]] is most appropriate because of secp256k1's availability in bitcoin contexts.
+[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html| Secp256k1-based DHKEM for HPKE]] is most appropriate because of secp256k1's availability in bitcoin contexts.
 
 ====ChaCha20Poly1305 AEAD====
 
-This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305 algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439 RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
+This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305| algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439| RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki| BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
 
 ====HKDF-SHA256====
 
@@ -266,7 +266,7 @@ Unlike BIP 78 implementations, sender and receiver peers will only see the IP ad
 
 ==Backwards compatibility==
 
-The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki BIP21's URI Scheme]].
+The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP21's URI Scheme]].
 
 Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
 

From 35ebad8ea2bd51fed9a796da5f16a6f62c5e4aa6 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 21 May 2024 11:17:05 -0400
Subject: [PATCH 23/50] Keyconfig s/should/must/ be provided

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index f190fc5e04..d4b5b991f5 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -107,7 +107,7 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 The payjoin version 2 protocol takes the following steps:
 
 * The recipient sends their payjoin pubkey and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
-* Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config should also be provided.
+* Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config must also be provided.
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.

From 224208c270cdb40f945af826253baa9cf4da8614 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 21 May 2024 11:22:11 -0400
Subject: [PATCH 24/50] Fix typos

Co-authored-by: thebrandonlucas <38222767+thebrandonlucas@users.noreply.github.com>
---
 bip-0077.mediawiki | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index d4b5b991f5..c9c41f1f86 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -22,9 +22,9 @@ This BIP is licensed under the 2-clause BSD license.
 
 Payjoin is the simplest case of interactive bitcoin batching, allowing two participants to combine their transaction intents. It solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner," by enabling two owners to provide input in a transaction.
 
-The payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased the opportunity to batch payments and and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
+The payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased opportunity to batch payments and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
 
-Version 1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfuihjknhoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to payjoin adoption.
+Version 1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to payjoin adoption.
 
 The primary goal of this proposal is to provide a practical coordination mechanism viable to implement in a majority of bitcoin software environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
 
@@ -107,7 +107,7 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 The payjoin version 2 protocol takes the following steps:
 
 * The recipient sends their payjoin pubkey and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
-* Out of band, the receiver of the payment, shares a bitcoin URI with the sender including a <code>pj=</code> query parameter including the subdirectory as a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config must also be provided.
+* Out of band, the receiver of the payment shares a bitcoin URI with the sender including a <code>pj=</code> query parameter where the subdirectory is a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config must also be provided.
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.

From d7ffad81e605e958dcf7c2ae1f4c797a8631f146 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 21 May 2024 11:23:17 -0400
Subject: [PATCH 25/50] s/pubkey/public key

---
 bip-0077.mediawiki | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index c9c41f1f86..fcaf3c50b7 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -52,7 +52,7 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their pubkey to be enrolled as a subdirectory identifier. The response message from the directory to receiver includes the newly enrolled subdirectory payjoin endpoint with the pubkey as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their public key to be enrolled as a subdirectory identifier. The response message from the directory to receiver includes the newly enrolled subdirectory payjoin endpoint with the public key as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
 
@@ -106,8 +106,8 @@ Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.m
 
 The payjoin version 2 protocol takes the following steps:
 
-* The recipient sends their payjoin pubkey and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
-* Out of band, the receiver of the payment shares a bitcoin URI with the sender including a <code>pj=</code> query parameter where the subdirectory is a base64URL encoded pubkey. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config must also be provided.
+* The recipient sends their payjoin public key and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
+* Out of band, the receiver of the payment shares a bitcoin URI with the sender including a <code>pj=</code> query parameter where the subdirectory is a base64URL encoded public key. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config must also be provided.
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
@@ -150,7 +150,7 @@ Receivers must enroll with a directory to have a subdirectory allocated to them
 
 A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Payjoin sessions begin by having a receiver send the static pubkey to the directory via OHTTP, receiving their subdirectory in a base64URL encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
+Payjoin sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64URL encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
 
 Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails an error is returned.
 
@@ -158,7 +158,7 @@ In the case a directory is operated by an exchange, it may give out authenticati
 
 ====Send Messaging====
 
-The version 2 Original PSBT is placed in an HTTP POST request body as binary before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>es</code> with the receiver's key <code>s</code>. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key <code>e</code>'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
+The version 2 Original PSBT is placed in an HTTP POST request body as binary before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>es</code> with the receiver's key <code>s</code>. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
 
 The directory's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
 
@@ -166,7 +166,7 @@ The directory's OHTTP Gateway decapsulates the OHTTP request, decrypts the paylo
 
 The receiver sends a GET request to the path of the subdirectory followed by <code>/receive</code>. This request is encapsulated in OHTTP. It awaits an OHTTP response from the directory containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the directory has not yet received an request from the sender.
 
-Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s pubkey as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral pubkey, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
+Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
 
 ===Receiver's Payjoin PSBT checklist===
 

From 3b863a402e0250658985f08a455a6cd103e269e5 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 2 Jun 2024 14:27:37 -0400
Subject: [PATCH 26/50] Incorporate jonatack's suggestions

---
 bip-0077.mediawiki | 69 +++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 34 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index fcaf3c50b7..1d97766c92 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality including payment output substitution without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients which communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality, including payment output substitution, without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients that communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -24,23 +24,23 @@ Payjoin is the simplest case of interactive bitcoin batching, allowing two parti
 
 The payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased opportunity to batch payments and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
 
-Version 1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to payjoin adoption.
+Payjoin V1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to payjoin adoption.
 
-The primary goal of this proposal is to provide a practical coordination mechanism viable to implement in a majority of bitcoin software environments. This is realized as a simple protocol built on bitcoin URI requests, web standards, common crypto, and minimal dependencies.
+The primary goal of this proposal is to provide a practical coordination mechanism that can be implemented in a majority of bitcoin software environments. This is done here using a simple protocol built on bitcoin URI requests, web standards, common cryptography, and minimal dependencies.
 
 ===Relation to BIP 78 (Payjoin version 1)===
 
-The message payloads in this version parallel those used in BIP 78 while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to PSBT version 2 to simplify transaction construction.
+The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| PSBT Version 2]] to simplify transaction construction.
 
 The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
 
 Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
 
-The protocols in this document reuse BIP 78's BIP 21 URI parameters. A Original PSBT timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
+The protocols in this document reuse BIP 78's BIP 21 URI parameters. An "Original PSBT" timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
 
 ===Relation to Stowaway===
 
-[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a payjoin coordination mechanism which depends on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki| BIP 47]] Payment codes directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a payjoin coordination mechanism that depended on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki| BIP 47]] "payment codes" directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
@@ -52,9 +52,9 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, they start a session to receive messages and allocate a subdirectory from which to relay messages. The first message must include their public key to be enrolled as a subdirectory identifier. The response message from the directory to receiver includes the newly enrolled subdirectory payjoin endpoint with the public key as identifying subdirectory. After enrollment, they await a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] payjoin uri including the directory endpoint in the <code>pj=</code> query parameter and a new <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server, the receiver starts a session to receive messages and allocates a subdirectory from which to relay messages. The first message must include the receiver's public key to be enrolled as a subdirectory identifier. The response message from the directory to the receiver includes the newly enrolled subdirectory payjoin endpoint with the public key as identifying subdirectory. After enrollment, the receiver awaits a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
-The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the recipient by the subdirectory <code>pj=</code> endpoint.
+The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver by the subdirectory <code>pj=</code> endpoint.
 
 Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the payjoin directory.
 
@@ -102,18 +102,18 @@ Key:
 
 ===Payjoin version 2 messaging===
 
-Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| BIP 370 PSBT v2]] format to facilitate PSBT mutation.
+Payjoin V2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| BIP 370 PSBT V2]] format to facilitate [[#psbt-version-2|PSBT mutation]].
 
 The payjoin version 2 protocol takes the following steps:
 
-* The recipient sends their payjoin public key and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. It may go offline and replay enrollment to come back online.
-* Out of band, the receiver of the payment shares a bitcoin URI with the sender including a <code>pj=</code> query parameter where the subdirectory is a base64URL encoded public key. To support version 1 senders the directory acts as an unsecured payjoin server so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64URL Key Config must also be provided.
+* The receiver sends their payjoin public key and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. The receiver may go offline and replay enrollment to come back online.
+* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided.
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
-* Once the receiver is online, it sends <code>/receive</code> requests to await updates from the subdirectory. The receiver decrypts and authenticates the response which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. It updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* Once the receiver is online, it sends [[#receive-messaging|<code>/receive</code>]] requests to await updates from the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 * The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
-* The directory awaits a request from the sender if it goes offline. Upon request, it relays the encrypted <code>Payjoin PSBT</code>.
+* The directory awaits a request from the sender if it goes offline. Upon request, the directory relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
 The Original PSBT MUST:
@@ -121,13 +121,13 @@ The Original PSBT MUST:
 * Include complete UTXO data.
 * Be signed.
 * Exclude unnecessary fields such as global xpubs or keypath information. <!-* I believe PSBTv2 obviates this requirement -->
-* Set input and output Transaction Modifiable Flags to 1
+* Set input and output Transaction Modifiable Flags to 1.
 * Be broadcastable.
 
 The Original PSBT MAY:
 
 * Include outputs unrelated to the sender-receiver transfer for batching purposes.
-* Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1
+* Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1.
 
 The Payjoin PSBT MUST:
 
@@ -146,43 +146,44 @@ The Payjoin PSBT MUST NOT:
 
 ====Enroll Messaging====
 
-Receivers must enroll with a directory to have a subdirectory allocated to them as follows.
+Receivers must enroll with a directory to have a subdirectory allocated to them, as follows:
 
 A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Payjoin sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64URL encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
+Payjoin sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
 
-Optionally, before returning the uri the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code> after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails an error is returned.
+Optionally, before returning the URI, the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code>, after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails, an error is returned.
 
-In the case a directory is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the directory describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
+If a directory is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the directory describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
 
 ====Send Messaging====
 
-The version 2 Original PSBT is placed in an HTTP POST request body as binary before being encoded into BHTTP and encrypted according to the HPKE protocol. This Original PSBT BHTTP Request is then encrypted according to the HPKE, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>es</code> with the receiver's key <code>s</code>. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Original PSBT BHTTP Request and serialized ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload.
+The version 2 Original PSBT is serialized in base64 followed by the query parameter string on a new line. This plaintext string encrypted according to the HPKE using a shared secret derived from a newly generated session keypair public key combined with the receiver's subdirectory session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
 
-The directory's OHTTP Gateway decapsulates the OHTTP request, decrypts the payload, and forwards the BHTTP POST request to the receiver's internal subdirectory endpoint which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway then awaits a response from the receiver's subdirectory endpoint, encapsulates it, and responds according to OHTTP.
+The directory's OHTTP Gateway decapsulates the OHTTP request, handles the POST request at the receiver's internal subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's awaits a request from the receiver's to the subdirectory endpoint, encapsulates to responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
 
 ====Receive Messaging====
 
-The receiver sends a GET request to the path of the subdirectory followed by <code>/receive</code>. This request is encapsulated in OHTTP. It awaits an OHTTP response from the directory containing the BHTTP request from the sender with status code 200 OK, or sends a new OHTTP request after receiving 202 ACCEPTED notifying the receiver that the directory has not yet received an request from the sender.
+The receiver sends a GET request to the path of the subdirectory followed by <code>/receive</code>. This request is encapsulated in OHTTP. 
+The recver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, or sends a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
 
-Once an Original PSBT Payload is decrypted and checked according to the list, the receiver may respond with a Payjoin PSBT. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
+Once an Original PSBT Payload is decrypted and checked according to the [[#receivers-payjoin-psbt-checklist|checklist]], the receiver should respond with a Payjoin PSBT or an error. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
 
 ===Receiver's Payjoin PSBT checklist===
 
-Other than requiring PSBTv2 the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]]
+Other than requiring PSBTv2, the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]]
 
 ===Sender's Payjoin PSBT checklist===
 
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]] with the exception that it expects ALL utxo data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many headaches since it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
 ===Directory interactions===
 
-The payjoin directory provides a rendezvous point for sender and receiver to meet. It stores Payjoin payloads to support asynchronous communication. It must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. It may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
+The payjoin directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
 
 ===Subdirectories===
 
-Each receiver subdirectory allocated on the directory has a buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
+Each receiver subdirectory allocated on the directory has one buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ===BIP 21 receiver parameters===
 
@@ -190,12 +191,12 @@ A major benefit of BIP 78 payjoin over other coordination mechanisms is its comp
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters:
 
-* <code>ohttp</code> represents the OHTTP Key Configuration of the directory. This is a base64URL encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
+* <code>ohttp</code> represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
 * <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 ===Optional sender parameters===
 
-When the payjoin sender posts the original PSBT to the receiver, it can optionally specify the following HTTP query string parameters:
+When the payjoin sender posts the original PSBT to the receiver, the sender should specify the following HTTP query string parameters:
 
 * <code>v</code>: represents the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
 
@@ -207,15 +208,15 @@ BIP 78's optional query parameters are also valid as version 2 parameters.
 
 The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
 
-The existing BIP 78 protocol has to be synchronous only for automated endpoints which may be vulnerable to probing attacks. It can cover this tradeoff by demanding  Original PSBT from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URI can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
+The existing BIP 78 protocol has to be synchronous only for automated endpoints, which may be vulnerable to probing attacks. It can cover this tradeoff by demanding an Original PSBT, from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URIs can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
 
 ===HTTP===
 
-HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consider an implementation. Unlike a WebSockets protocol, plain HTTP is eligible to enjoy metadata protection from Oblivious HTTP.
+HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consider an implementation. Unlike a WebSockets protocol, plain HTTP can benefit from metadata protection by using Oblivious HTTP.
 
 ===Oblivious HTTP===
 
-OHTTP protects sender and receiver IP addresses from both one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with a specific IP addresses by intersection.
+OHTTP protects sender and receiver IP addresses from both one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with specific IP addresses by intersection.
 
 OHTTP relays can be run as basic HTTP proxies from wallet providers or third parties.
 
@@ -232,7 +233,7 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64URL]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 
@@ -282,4 +283,4 @@ Independent Oblivious HTTP relays are run by Obscura VPN at https://ohttp-relay.
 
 ==Acknowledgements==
 
-Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, Waxwing, Christopher Allen, Symphonic, Steve Meyers, Sjors Provost, Ava Chow, jbesraa, and countless plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.
+Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, Waxwing, Christopher Allen, Symphonic, Steve Meyers, Sjors Provost, Ava Chow, jbesraa, and countless plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.

From f86fe4150ba6bfe9622ff36f989de1c15e52fcc4 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sat, 6 Jul 2024 12:39:39 -0400
Subject: [PATCH 27/50] Incorporate more jonatack suggestions

---
 bip-0077.mediawiki | 48 +++++++++++++++++++++-------------------------
 1 file changed, 22 insertions(+), 26 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 1d97766c92..223b2ddff3 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -158,14 +158,14 @@ If a directory is operated by an exchange, it may give out authentication tokens
 
 ====Send Messaging====
 
-The version 2 Original PSBT is serialized in base64 followed by the query parameter string on a new line. This plaintext string encrypted according to the HPKE using a shared secret derived from a newly generated session keypair public key combined with the receiver's subdirectory session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
+The version 2 Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to the HPKE using a shared secret derived from a newly generated session keypair public key combined with the receiver's subdirectory session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
 
-The directory's OHTTP Gateway decapsulates the OHTTP request, handles the POST request at the receiver's internal subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's awaits a request from the receiver's to the subdirectory endpoint, encapsulates to responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
+Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway awaits a request from the receiver to the session subdirectory endpoint and responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
 
 ====Receive Messaging====
 
 The receiver sends a GET request to the path of the subdirectory followed by <code>/receive</code>. This request is encapsulated in OHTTP. 
-The recver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, or sends a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
+The receiver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, or sends a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
 
 Once an Original PSBT Payload is decrypted and checked according to the [[#receivers-payjoin-psbt-checklist|checklist]], the receiver should respond with a Payjoin PSBT or an error. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
 
@@ -175,7 +175,7 @@ Other than requiring PSBTv2, the receiver checklist is the same as the [[https:/
 
 ===Sender's Payjoin PSBT checklist===
 
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT, which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
 ===Directory interactions===
 
@@ -191,8 +191,8 @@ A major benefit of BIP 78 payjoin over other coordination mechanisms is its comp
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters:
 
-* <code>ohttp</code> represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
-* <code>exp</code>: represents a request expiration after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
+* <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
+* <code>exp</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 ===Optional sender parameters===
 
@@ -206,9 +206,9 @@ BIP 78's optional query parameters are also valid as version 2 parameters.
 
 ===Request expiration & Original PSBT===
 
-The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec recommends broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
+The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receiver-does-not-need-to-be-a-full-node| recommends]] broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
 
-The existing BIP 78 protocol has to be synchronous only for automated endpoints, which may be vulnerable to probing attacks. It can cover this tradeoff by demanding an Original PSBT, from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URIs can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>. <!-- I also like to for timeout, but it's hard to coordinate in an asynchronous way -->
+The existing BIP 78 protocol has to be synchronous only for automated endpoints, which may be vulnerable to probing attacks. It can cover this tradeoff by demanding an Original PSBT, from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URIs can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>.
 
 ===HTTP===
 
@@ -231,9 +231,9 @@ All cyphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 ===Secp256k1 Hybrid Public Key Encryption===
 
-Hybrid Public Key Encryption is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
+Hybrid Public Key Encryption (HPKE) is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP21 URI. Static keys shared in URIs must only for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 
@@ -241,7 +241,7 @@ The cryptographic handshake is conducted in parallel to the payjoin messaging in
 
 ====ChaCha20Poly1305 AEAD====
 
-This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305| algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439| RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD seems to be making its way into bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki| BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
+This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305| algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439| RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD has been implemented [[https://github.com/bitcoin/bitcoin/pull/15649| in Bitcoin Core]] [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki| BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
 
 ====HKDF-SHA256====
 
@@ -249,38 +249,34 @@ SHA-256 is considered secure and is necessarily available in bitcoin contexts.
 
 ===PSBT Version 2===
 
-The PSBT version 1 protocol was replaced because it was not designed to have inputs and outputs be mutated. Payjoin mutates the PSBT, so BIP 78 uses a hack where a new PSBT is created by the receiver instead of mutating it. This can cause some strange behaviors from signers who don't know where to look to find the scripts that they are accountable for. PSBT version 2 makes mutating a PSBT's inputs and outputs trivial. It also eliminates the transaction finalization step. Receivers who do not understand PSBT version 1 may choose to reject Payjoin version 1 requests and only support PSBT version 2.
+The PSBT version 1 protocol was replaced because it was not designed to have inputs and outputs be mutated. Payjoin mutates the PSBT, so BIP 78 uses a workaround where a new PSBT is created by the receiver instead of mutating it. This can cause strange behaviors from signers who don't know where to look to find the scripts that they are accountable for. PSBT version 2 makes mutating a PSBT's inputs and outputs trivial. It also eliminates the transaction finalization step. Receivers who do not understand PSBT version 1 may choose to reject Payjoin version 1 requests and only support PSBT version 2.
 
 ===Attack vectors===
 
-Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. Directory operators may impose an authentication requirement before they allocate a subdirectory to receivers to mitigate such attacks.
+Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a subdirectory to receivers.
 
 Since we make use of 0-RTT HPKE, the first message containing the sender's original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
 
-Since the Original PSBT is valid, even where <code>exp=</code> is specified, the receiver may broadcast it and lose out on savings from payment batching and  privacy protection from payjoin structure at any time. Though unfortunate, this failure mode is the typical bitcoin transaction flow today anyhow.
+Receivers may break spec by ignoring the <code>exp=</code> without financial consequence since the sender payload contains a valid transaction that may be broadcast at any time. There is no mechanism to enforce penalties if a receiver fails to construct a Payjoin PSBT and wait for a signature once a Payjoin PSBT is returned to a sender. However, such basic transactions that comply with the common-input assumption are the norm, so falling back to them is no worse than typical bitcoin transaction behavior.
 
 ===Network privacy===
 
-Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the bip21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
+Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the BIP 21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory, not their peers. Directories may additionally be made available via Tor hidden service to allow either of the peers to protect their IP from the directory without OHTTP.
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory and not that of their peers. Directories may additionally be made available via Tor hidden services to allow either of the peers to protect their IP from the directory without OHTTP.
 
 ==Backwards compatibility==
 
-The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP21's URI Scheme]].
+The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21's URI Scheme]].
 
-Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. <code>req-pj=</code> may be used to compel payjoin. 
+Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. A <code>req-pj=</code> parameter, as specified in BIP 21, may be advertised to compel payjoin. If a sender intending to pay such a URI containing <code>req-pj=</code> does not support payjoin, it MUST consider the entire URI invalid per BIP 21.
 
-Receivers may choose to support version 1 payloads. Version 2 payjoin URIs should enable <code>pjos=0</code> so that these v1 senders disable output substitution since the v1 messages are neither encrypted nor authenticated, putting them at risk for man-in-the-middle attacks otherwise. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds to respond to the sender's request.
+Receivers may choose to support version 1 payloads. Version 2 payjoin URIs for backwards compatible receivers MUST enable <code>pjos=0</code> so that these v1 senders disable output substitution. Since the v1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP 78]].
 
 ==Reference implementation==
 
-An production reference implementation client can be found at https://crates.io/crates/payjoin-cli. Source code for the clients, the payjoin directory, and development kit may be found here: https://github.com/payjoin/rust-payjoin. Source code for an Oblivous HTTP relay implementation may be found here https://github.com/payjoin/ohttp-relay. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source code for the clients, the payjoin directory, and development kit may be found here: [[https://github.com/payjoin/rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/payjoin/ohttp-relay]]. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
 
-A payjoin directory is run by the Payjoin Dev Kit team on https://payjo.in.
+A payjoin directory is run by the Payjoin Dev Kit team on [[https://payjo.in]].
 
-Independent Oblivious HTTP relays are run by Obscura VPN at https://ohttp-relay.obscuravpn.io/payjoin and by BOB Spaces at https://pj.bobspacebkk.com.
-
-==Acknowledgements==
-
-Thank you to  OpenSats for funding this pursuit, to Human Rights Foundation for putting a bounty on it and funding invaluable BOB Space support, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicolas Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, Mike Schmidt, Murch, Dávid Molnár, Lucas Ontiviero, Waxwing, Christopher Allen, Symphonic, Steve Meyers, Sjors Provost, Ava Chow, jbesraa, and countless plebs for feedback that has turned this idea from concept into draft, to Mike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the "All About BIPS" zine which I've referenced a number of times in the drafting process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hacking on the first iOS Payjoin receiver and uncovering the problem that this solves in the first place.
+An independent Oblivious HTTP relay is run by [[https://www.bobspaces.net| BOB Spaces]] at [[https://pj.bobspacebkk.com]].

From 5c65c2120e0ddc1145ae065b78ad4573a3a3b52e Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sat, 6 Jul 2024 19:55:01 -0400
Subject: [PATCH 28/50] Incorporate satsie's suggesetions

---
 bip-0077.mediawiki                   |  78 +++++++++++++--------------
 bip-0077/oblivious-http-sequence.png | Bin 57987 -> 63078 bytes
 2 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 223b2ddff3..2b347c588f 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,7 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete payjoin receiver functionality, including payment output substitution, without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients that communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent the directory and payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the Payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete Payjoin receiver functionality, including payment output substitution, without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients that communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent the directory and Payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -22,9 +22,9 @@ This BIP is licensed under the 2-clause BSD license.
 
 Payjoin is the simplest case of interactive bitcoin batching, allowing two participants to combine their transaction intents. It solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner," by enabling two owners to provide input in a transaction.
 
-The payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased opportunity to batch payments and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
+The Payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased opportunity to batch payments and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
 
-Payjoin V1's requirements have proven to be an obstacle to adoption. V1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to payjoin adoption.
+Payjoin version 1's requirements have proven to be an obstacle to adoption. Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to Payjoin adoption.
 
 The primary goal of this proposal is to provide a practical coordination mechanism that can be implemented in a majority of bitcoin software environments. This is done here using a simple protocol built on bitcoin URI requests, web standards, common cryptography, and minimal dependencies.
 
@@ -32,35 +32,39 @@ The primary goal of this proposal is to provide a practical coordination mechani
 
 The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| PSBT Version 2]] to simplify transaction construction.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
 
-Although unsecured payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
+Although unsecured Payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the Payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
 
 The protocols in this document reuse BIP 78's BIP 21 URI parameters. An "Original PSBT" timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
 
 ===Relation to Stowaway===
 
-[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a payjoin coordination mechanism that depended on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki| BIP 47]] "payment codes" directory for subdirectory identification and encryption. The payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a Payjoin coordination mechanism that depended on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki| BIP 47]] "payment codes" directory for subdirectory identification and encryption. The Payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to receive payjoin. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to send and receive Payjoin messages. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server, the receiver starts a session to receive messages and allocates a subdirectory from which to relay messages. The first message must include the receiver's public key to be enrolled as a subdirectory identifier. The response message from the directory to the receiver includes the newly enrolled subdirectory payjoin endpoint with the public key as identifying subdirectory. After enrollment, the receiver awaits a payjoin request on a session identified by the subdirectory. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> parameter including the payjoin directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server itself, the receiver initializes a Payjoin Session by requesting a subdirectory allocation at a related to a public key. This key is used to identify a store-and-forward subdirectory on the Payjoin Directory server and establish end-to-end encryption. A POST request  to the Payjoin Directory including the receiver's public key enrolls it as a subdirectory identifier. The response message from the directory to the receiver includes the new session subdirectory payjoin endpoint using the public key as a subdirectory identifier. Once a session is active, the receiver uses long polling to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver by the subdirectory <code>pj=</code> endpoint.
 
-Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the payjoin directory.
+Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin Directory.
 
 ====Sequence Diagram====
 
 <pre>
+Key: 
+|-----> Single transmission
+|- - -> Polled transmission
+
 +----------+                 +-----------+       +--------+  +---------+
 | Receiver |                 | Directory |       | Sender |  | Network |
 +----------+                 +-----------+       +--------+  +---------+
@@ -94,20 +98,16 @@ Messages are secured by symmetric cipher rather than TLS or Onion routing sessio
 |                                  |                  +--------------->|
 |                                  |                  |                |
 +                                  +                  +                +
-
-Key: 
-|-----> Single transmission
-|- - -> Polled transmission
 </pre>
 
 ===Payjoin version 2 messaging===
 
-Payjoin V2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| BIP 370 PSBT V2]] format to facilitate [[#psbt-version-2|PSBT mutation]].
+Payjoin version 2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| BIP 370: PSBT Version 2]] (PSBTv2) format to facilitate [[#psbt-version-2|PSBT mutation]].
 
-The payjoin version 2 protocol takes the following steps:
+The Payjoin version 2 protocol takes the following steps:
 
-* The receiver sends their payjoin public key and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. The receiver may go offline and replay enrollment to come back online.
-* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided.
+* The receiver sends their Payjoin Session public key and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. The receiver may go offline and replay enrollment to come back online.
+* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the Payjoin Session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided.
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
@@ -142,15 +142,15 @@ The Payjoin PSBT sender MAY:
 The Payjoin PSBT MUST NOT:
 
 * Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
-* Decrease the absolute fee of the original PSBT.
+* Decrease the absolute fee of the Original PSBT.
 
 ====Enroll Messaging====
 
 Receivers must enroll with a directory to have a subdirectory allocated to them, as follows:
 
-A receiver must first discover the directory's OHTTP gateway key configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+A receiver must first discover the directory's OHTTP gateway Key Configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Payjoin sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory url as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response.
+Payjoin Sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response, i.e. it Is idempotent.
 
 Optionally, before returning the URI, the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code>, after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails, an error is returned.
 
@@ -158,9 +158,9 @@ If a directory is operated by an exchange, it may give out authentication tokens
 
 ====Send Messaging====
 
-The version 2 Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to the HPKE using a shared secret derived from a newly generated session keypair public key combined with the receiver's subdirectory session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
+The version 2 Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to the HPKE using a shared secret derived from a newly generated Payjoin Session keypair public key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
 
-Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway awaits a request from the receiver to the session subdirectory endpoint and responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
+Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway awaits a request from the receiver to the Payjoin Session subdirectory endpoint and responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
 
 ====Receive Messaging====
 
@@ -179,7 +179,7 @@ The version 2 sender's checklist is largely the same as the [[https://github.com
 
 ===Directory interactions===
 
-The payjoin directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
+The Payjoin Directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
 
 ===Subdirectories===
 
@@ -187,18 +187,18 @@ Each receiver subdirectory allocated on the directory has one buffer for request
 
 ===BIP 21 receiver parameters===
 
-A major benefit of BIP 78 payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
+A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
 This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters:
 
-* <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 payjoin URIs.
+* <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 Payjoin URIs.
 * <code>exp</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 ===Optional sender parameters===
 
-When the payjoin sender posts the original PSBT to the receiver, the sender should specify the following HTTP query string parameters:
+When a Payjoin sender posts an Original PSBT to the receiver, the sender should specify the following HTTP query string parameters:
 
-* <code>v</code>: represents the version number of the payjoin protocol that the sender is using. This version is <code>2</code>.
+* <code>v</code>: represents the version number of the Payjoin protocol that the sender is using. This version is <code>2</code>.
 
 BIP 78's optional query parameters are also valid as version 2 parameters.
 
@@ -206,7 +206,7 @@ BIP 78's optional query parameters are also valid as version 2 parameters.
 
 ===Request expiration & Original PSBT===
 
-The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receiver-does-not-need-to-be-a-full-node| recommends]] broadcasting request PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which payjoin intends to avoid.
+The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receiver-does-not-need-to-be-a-full-node| recommends]] broadcasting Original PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which Payjoin intends to avoid.
 
 The existing BIP 78 protocol has to be synchronous only for automated endpoints, which may be vulnerable to probing attacks. It can cover this tradeoff by demanding an Original PSBT, from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URIs can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>.
 
@@ -216,7 +216,7 @@ HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consid
 
 ===Oblivious HTTP===
 
-OHTTP protects sender and receiver IP addresses from both one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with specific IP addresses by intersection.
+OHTTP protects sender and receiver IP addresses both from one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with specific IP addresses by intersection.
 
 OHTTP relays can be run as basic HTTP proxies from wallet providers or third parties.
 
@@ -227,13 +227,13 @@ OHTTP relays can be run as basic HTTP proxies from wallet providers or third par
 
 ===Message Padding===
 
-All cyphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most transaction PSBTs without exceeding the 8KB limit of many HTTP/1.1 web servers.
+All cyphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
 
 ===Secp256k1 Hybrid Public Key Encryption===
 
-Hybrid Public Key Encryption (HPKE) is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the payjoin v2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
+Hybrid Public Key Encryption (HPKE) is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the Payjoin version 2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a payjoin directory subdirectory in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single Payjoin Session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a Payjoin Directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 
@@ -255,28 +255,28 @@ The PSBT version 1 protocol was replaced because it was not designed to have inp
 
 Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a subdirectory to receivers.
 
-Since we make use of 0-RTT HPKE, the first message containing the sender's original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
+Since we make use of 0-RTT HPKE, the first message containing the sender's Original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
 
 Receivers may break spec by ignoring the <code>exp=</code> without financial consequence since the sender payload contains a valid transaction that may be broadcast at any time. There is no mechanism to enforce penalties if a receiver fails to construct a Payjoin PSBT and wait for a signature once a Payjoin PSBT is returned to a sender. However, such basic transactions that comply with the common-input assumption are the norm, so falling back to them is no worse than typical bitcoin transaction behavior.
 
 ===Network privacy===
 
-Oblivious HTTP must be used to protect the IP address of both sender and receiver from the directory. This requires an additional key configuration to be shared in the BIP 21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
+Oblivious HTTP must be used to protect the IP addresses of both sender and receiver from the directory. This requires an OHTTP Key Configuration to be shared in the BIP 21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
 
 Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory and not that of their peers. Directories may additionally be made available via Tor hidden services to allow either of the peers to protect their IP from the directory without OHTTP.
 
 ==Backwards compatibility==
 
-The receivers advertise payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21's URI Scheme]].
+The receivers advertise Payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21's URI Scheme]].
 
-Senders not supporting payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. A <code>req-pj=</code> parameter, as specified in BIP 21, may be advertised to compel payjoin. If a sender intending to pay such a URI containing <code>req-pj=</code> does not support payjoin, it MUST consider the entire URI invalid per BIP 21.
+Senders not supporting Payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. A <code>req-pj=</code> parameter, as specified in BIP 21, may be advertised to compel Payjoin. If a sender intending to pay such a URI containing <code>req-pj=</code> does not support Payjoin, it MUST consider the entire URI invalid per BIP 21.
 
-Receivers may choose to support version 1 payloads. Version 2 payjoin URIs for backwards compatible receivers MUST enable <code>pjos=0</code> so that these v1 senders disable output substitution. Since the v1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP 78]].
+Receivers may choose to support version 1 payloads. Version 2 Payjoin URIs for backwards compatible receivers MUST enable <code>pjos=0</code> so that these version 1 senders disable output substitution. Since the version 1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP 78]].
 
 ==Reference implementation==
 
-An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source code for the clients, the payjoin directory, and development kit may be found here: [[https://github.com/payjoin/rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/payjoin/ohttp-relay]]. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source code for the clients, the Payjoin Directory, and development kit may be found here: [[https://github.com/payjoin/rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/payjoin/ohttp-relay]]. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
 
-A payjoin directory is run by the Payjoin Dev Kit team on [[https://payjo.in]].
+A Payjoin Directory is run by the Payjoin Dev Kit team on [[https://payjo.in]].
 
 An independent Oblivious HTTP relay is run by [[https://www.bobspaces.net| BOB Spaces]] at [[https://pj.bobspacebkk.com]].
diff --git a/bip-0077/oblivious-http-sequence.png b/bip-0077/oblivious-http-sequence.png
index 53809d7f17470e827ff4fcb1e5ca160d08a0fa47..62e293431dcd4275834b7a436791257cbb6e4787 100644
GIT binary patch
literal 63078
zcmeFZbx>T<`YjkbxJ!UwL4pPg5ZpCD5+H)Rg#>Nfr3p^(1PK--0Rq9L@x~zp2qd^Q
z?(ROjbMJk1fA{yM-kYkashX*&>OZ<qA5NdM_qV@qeQT{vxQ5ze0$gg`Teofzs3<GE
zxOMBc$gNvwSJ;@~$cWH*(XCqyw^S5lUwIg9rsFhdzMSp4$-l!C$Dtxgz!b;F@=Wg4
zSN_-R9525T<Hqsj#>O&M{D>vB{J~`&!T(Wpxd66o-?&nr;Xb`G^_#B0apUPp+N_s!
zV}^JCjLm7W@3B$y75xb222;l?1sU}J@?yZlwq<}NU{vHYh6P~%`%45uDpE)MUrv@m
zFAoVoR~vcy1(ONF#PIJgSdPtqUfBj)8EMh?%9`Q7o{73F=KoEXO_4)hoy^w6NMDah
zov+@%SWHm2owTc|@;x5!`t<0nncYNX*+i91$>=bpkw?qdXQ{6r-}B5B1c%$Ro+dwR
zX*ye`5#KCrD{@@u+&*QL4;ceze|O)R(W<f@Cfx{=LZ(<{lzAR3kI#kD+t+W`*%b6Y
z8*SP3x;h%Q>*cPg6zCVp>9&8GDK%~6d!$*Y_5IV)=J@Yq`s)sTp)r%&lioXx(*~XT
zA}b9C{S{F{6Wt*MG_Mu63Je>)Ty4fmvjlBMe$o~GV=#%;WFTy5S=Pj8B*bWsP5M3w
zj?_39*B|tYN3sMauT9lD!_0L)OCSD{Ki+L4nq14vG-4WDh!*efjHc5^dQc31sC8bM
z=ojBHFryp9V)($So?#m!d7SLJG4lP@%GV8~_jYYpzvPKQp?*zqUy49pxBZm+tgqXM
zuGM(7`1Tt-3a-+P;`;vL+T~9#Trc)}d23P~nrdIITpo=YYZbis0&ib7^4_upqYW3d
z{*(X8Zq)?bDG4#`2uB&Y`t9#qbYh)4mx6Sk{hknytjafot!iRx%vOfF<rd+-*Jmq2
z9=j$NE1CXNC+{!`%F%9PF4m-B!``vniaP=~K1L|MsqyXk;5GQ&xALKcRch&CAJ?Z`
z=nS-A2NO0WR5#gp2k#I$hZ~~~jf_>c<3o<zeWGFc4Gj%Guy@e!FZ0y=$nhw7Dyals
zkI^_Z%t_h&`V6aA`}V3Jo+sB@8x{KHfgpmlp5|aOLYQLhA%j{l8hdyPPyHr;p+=S*
z%>L@~V8E>vhi#GfgYMLJ)5Z37vI2IRi-5B0g(bO2@DbTY4@X|wd^>jFqYTmk(VOcF
zhbDyQPUA@t2$Ky>N&6`g@$=Q3>6KvJllisCXcE+HlAO|`;m{fqpjHC0asUS3wz`g0
zo!geRdFOkMawP>dFxk^5@RX=~l3tRq-^GUFR?isRg1m@CkhjEFKflBMqnjK_t%YL-
z6`|1PLcilk_n6N0kJnWeJ-yE^%nm*mV()kb0)m=H6T5h;X0{2j=g@pr?Rz>G%Cj7L
zO?>}PnRyq4?|$>mbv>Cqc91-wXfEO`l7ic*j6c=3Jlu8lR~Ev(eUO-5{&K)=(r#tm
zKkWAWSiEXAHf^U$8U?;X-5P5fotom`<nehEof-P0U(G54l`-x=wEn}sG1FLoF<W6Z
zP<?Z`BHa;BB?A3y=)G07ojhEqE&e2?2FV~q{9xu|pLY8Rh`AcgVuNwtS1<4h9YyRW
zt6jVN&X$s@C++LWSAUah8_b!hLce&QOuHMF2aerMv+PYAKU>LkAd)&odM(T~Jf`>k
z)6uN4>U?p$m7Yp2$6n`iJZ{CKJllmh-6?gN_S*QqG5m}_1jLzC^LDn$>jcEyr?cye
zovlt9heyjw|I?>HcF3u;Y~Q0CdH;?`YV7K)jYwMOyI$2k24SWtM(z1};WQ-ET(|qB
zef^eDQhUIQctn=kJhT+o!2jxKq}l)Ga=i7&yN@9|J}=(2qW6zmW!jz0c$bLBwBxjs
zF&aTzF7~?U?Ph&XT*teK-+Un#DQVb`pz~VIDz-OEIG%Knwvx@ZM<>~PaQGcQkI^qQ
zX`4Xb^<r#KUHYohoS3sTJ0_}YnyY%-qd&Y$kpQOhp2+g@bZ?0jQ&rj@6=2=3KweD|
z6If5e4wI>6M0RwNJf=0}Z8|jzzv`@;=cb3d(s>|Z80cz6<YAxP6>hbzj2ip9ZtJt)
z(3a<uEUMWO+Zzj5_5a+V%tpt<x7?fWs6JaxEwO4jTQ4lx|E)-duI^=H+^rLmO0D%3
zWYKmt$)i6n@Y0^})VA9<U%5qEh9D2#R%#a;td+--Yc?P_NKS9)W9?z@L|90Ic;Ptn
z8INrVF*Ybisw2obJH?sl*#6cJ4Q$lPp!ny?NTyP_Wp6<wu`3f^MM7WkTTQ%n!NWUd
zY?sHH($FPta)7n&X}Z{O$D9W71MEZ(^nUOV>6vcHH(QjWl*T?~(~ezq7)8uw6twMF
zOz6*pvG+OheVglC*31T^E{f8f`$dI(PItj=ujb+pNS>rs=$+=`TTq(M-aQWEC|1Cu
z<-Ln1eho4l)QoEyk_Rtiupf);W=m(^V;VyHM;%injYSN0fb78lfuWB{#EXy{6th12
z^vcX`km5t8-+51MyeF*9NJJ{5OIsl=y2hg6aOeq-hV(sH+Zo)iY;BdhW@?_lK2GTq
zGZsAWSqguLUXA_Mr*LwS8A)z261hV}*lden%t1k3C66_{Zf<_rJj%xj!X*ZM&(`Pa
z8QH>U=dpRMpl?_8kt_>DXar}OTsUPCAu9c%kvs&0iT;nlytOB@%xNYIWsIzHYuAeD
zcxSlHv6&#pD!>cP@LK0cQWdKveknhN#}OPOvEL2Hh@M@Hk7Dlm&}k$LPc`jJmiBM5
zsecHQXRSyw_N(nKGHMGUsKDcG`1MK9X1TnKoDG^i+3vN3SM0$|W%9F3g*;4lKm2aQ
zr;L48XoM;moyXal%RlPFT~y6yM%8?VSVVg`nc;**L`~@(O%}B4qm5B_s*3Cd^#+9L
z^MQG(x=T=Z&L{{VyW#%fqk;0s>k)m2t#9%gNG~C?c5KR2=V49lC1Em~mOZV4Y%USD
z43BJ*hJhJAi<g{gNMyD9a*7qj8dHeoS|o21bdOzKVlU{4!!r&QVr3+{5nRmhZw>eW
zYCxh|Q3wmD0b&pxQ)N2|n-Q+I7p+ZvsrGemv*_R;ucL6lw)k;kOYr-748k&Yi=haf
zK^j@o%okwP;TVKR9()S8X2-fMdUDwTtMHFHu!Zk0;L(Gu7i$WX%?^<Rzm^4H<P;UZ
z^VI2+=EcM?L-wx0N*8ij)hN_1G4dN`ra(FrY3kI4?QwilM&@o)Yd=BFoJIx!P9O5d
zUl=ROpz|l*8vjkqb|?N8@k2G+U|s+*obcQrmmHh!^3X<JBjm1oWh%AzpoW7j={pZ@
zkw3zwt>_y7EBNV4*|So=E<%K>Y3z=f$LQABPwx}u`L`!%5HqzOG6ed(2v{w$u?Rm%
z{h)+L%Vng~RNSzynnXQ8$))DH{>PE&XZ-@X;2Nn2)rGT0*Wbze4)Xp`gmF}40Ja4l
zTDf1`)%&03O~eTmUH81<9bzfJd`x2~DONPUz2bO<++{4|uHP(=tiYV>53xi)dE~Ig
z9)*xKnESfCU|@!Uw?$q}L`XGVTB-pG;rjWzT`F<6qKo&;w{?PjOp9h3@t-Rlm#;cL
z#-lBI)lT}H*gN+JtKV8MrBNv;Z6mtg-FF}3Ze&NGt5simJt9N}nlcv}PFnl^D?2cX
zqG|!}EwS%T4V&QwS|I|^LVC4q_xO0>PH`#(d<%HR7CK?s+;Uy?{tZ!70<8Y@)X_&h
z1j_f2zcntze5~JGE3MjAkH5yKLt^wNs7t+VAJqtpV$|1jDT<a3kCHa;YPl!0HCf{h
z>7X<?3A>m(7<<&GV~-@!haQ+GsP}Uhm*Q}Y&!|qAxGr|bjezMk`>jBB@$MroW35F`
zJiK_`qhGhq<*k%WJRgIBCTehH(Bq!~{8#IvSr0OJG^tMIn>aGj_B!H{K-YISo%&<w
zPUnYf_B+%D)v7;!QaChPiV~g(2z|~~-yD_89J8&=Z*{bN9Wjg@`O@}M?a&jRYr51j
zQPDx64}bInJ9WOFqxY^$^k0N8vrQa}=t-{~Q3e6_kKg_~y&C|=SzO(*2|z{R|9HiU
zgIRa7Di(b4cQOCXGN^*%1s1igbO-h4|I#%q5`sCHO0kK0^>0@Os4D~2H>j6kvj5wa
z86dUt;E~;z_3o4Z>$0dU1}kC%Ey>Z#BDB8%<6qbR|8M*Mk<tF34SAL-RK@Zn@x$nL
z;Vdc;V(&nlmw$3p8{wqonrMIdXKWCwA*FB5Vuoj|#l_#m__lGr{EKfj`f;A#Y;)4w
z^xGsRC9%O?_OHB{ru;j<-OnM|X)lQ+e-uj;=|_|PDn-Q~(jWa^=6?1Ot<bOi5mn@B
z9V!G+QQ)K^1IaT`OBLe=cfbsyO$AbD{m+PH&;&vGLQ!uEbgUn+z;{cgiGLpdGeFrv
zlN!xKg!=SvxEqyO`$2?%IKX*z0xm<U3SuuyL^I`|@s*1T(e;!<Mex%<SwH~RI_G4B
z|Dz|CF#ta|-<taltP`gonNq~t$?ETo03V44a@r<;*RQD-p7FR}M4FyHh+f=ythbP<
zx=ku_b@+QLEA-wE!&}szdf0c^pflI|FKwhhYwMkVQL0EnbjfFyvx*C|AKem`vfg=-
znM0=VnH`c>y=8HKfF3?GibEpu^6OKQGZE~{x4)GjY=mk{XT<G&2-wEWuOA1=e@=!-
zRsrrtS6ho+TSX^kS3%NF-TXwa%zl6xR4J-smlTZtI@gV$7wDvN$V#{L1WxETt?$-`
zbuKE(Ru$jltuj12K~qMbfas}CG4z)hgyh+b7K6N(YI*ZnQ0_4jbiHmj9}$BXafFaP
z+_Xe)eZ5AnqoF~?suT?L*L|NX>HSW#XjJkM1;))yD150aqbRS8g?97vSskL_WnQ%J
z&DF`;UGvTwP<{+k#ode1)j9`Wd0^#W^f!1O6uE6p%zgY8;v{R*Mj-rXMpYI0A#&|U
zomwX+R4IzuGB4dtZzRh2wkiS4v@K*D<o;x0SdO=)^)i>f{@#EAPTHgXQgk)yxjgt=
zoU}W)2R<(|L;2tEJC$;hiinD=y}erwzWrR-BZtath+sxo0$M_BHV-Ja*e;kt_hAXJ
zgm`(wctlTDkJ^F;3v>wE_!%Vwn0qwJAapg%r*aW>-~-bys<HRrqnawAs|tiIlvO-R
z{v$%=zK<X`EaB}a2%E2c%KPWwauU@kMit=WfQH+NI)tr$Mfjx>8!UlCAj_{iFaZs9
z>i@<?@zlN=-Ueu1=zh;e47%F>*lVvo@KH*Bd|DbOZ8Kx`DOEc7k)J{5jCg982H;ex
zhd3PTf#_-xGFB!6;G+nK=pPoGG}=#_j|ep(Y*D+zm0ThzZUkTyCf+lbNRx{6n5V7@
zK0#WX<6FAlFhk3|{RAvsz>n~gt%q`nP(e|rBA9dY@km8DAnC9^@DZ82sF4Ip!JG2m
zBCo*Ew`%_`2iFq>BlK1vzTsLK$sA+%b(9O1uqN<f`U(Wq_F3PDK^3IMkEi+c;8X<a
z)c^Ga^alRFWl&w*bf92OysnvcOKm(F(LY{FGM+$DDF7grbCxs=RnK_Y2zR6URX`+&
z(>!_;+X%WsH_!%-OP)-br`lEPDj8ye2@|AK*?L-z-oL-p8->+dztdzx?|)e~Tx>Xb
zJmc*k4l;=ySV;r)zjx=_?2b3b-MZ-9i-gtu*lb3M_|Cg`RsoXXithkzqdDmDy~~OS
zMHh+1*Yk5W)13P`pi@dTb{1IoJU(C87k;mPP#Fyf68NmU?YL<uU6EoW#Ryod@Rc<b
z<s*4K)}|)0*A5?0>4bqe`TR|6fhCp)c5u27Gug}AYzs)1DqQjh@QXndC&rcrmGc|*
zKVM_3pO4_&{3$R{2}XqCF6qEY%R8(|MM}fPjH8mKbL%qs<xBS&&%7~nIMIyHL0`2=
zOCY2R@JQV#9^`0!nDh9up+TY^0B^hb_HZHJbC<v5O`fCuLTA)MdVG-t4;e;(UZ&rA
zM$Dk)?`OhQgmhwe2MT_C<ir}lu=yEx|M3JEU41iO|I5A5qpitN9yk(mlE!1_d9hWq
z1;e_>4y7JYT3?^4t*~p@>)fvY<)%7W@>IOZKo9D7eP-ouT8=HY4PUSwHFOtby^Io`
zc}QV21qHN(xcJTG!4_b_YElHOCdSIlr^`UspQKr0B<XPvKJL_ZjeJKGxDk)QQPQ!0
zpd5mjV|6<md@N2f+vMv#3HS~`$@o?9nRkv!-&`)(*GYOGyS&#~JP@C|7;C*voz>p<
z88ie!4l@$&*j@YjlQt!d`xq)9h;X?Go6grc*}^8O?QF2`;x^ZqM~il*w?RIGe7Jo8
zW^RdB#>i`p<wQT4y95-TYn@Z>m&C@01g0H34&AYgj(y@=<)0rs{nMc-8%P+B0Bw-w
zOIAn$g~+9mE@JORoYf(yQ0wPW?5ChLnU-AMuHQlR=MzP`6}BL(E3oK&et8|PJ~#1^
zXaoF<$$}A|`?dj%uzlLay||Xf_erVPWVp?I6S5lQ?qKpI7K}b<7z4s_x{On+2x^11
z&3hXYAIhtQ$2oN$w3*6mmGIf^iUFzZ>uxwZsBS$a6}jQr^kLZw-=C;j^ODb6Wg}7^
zng;5h3at2Dh2~#xRtywb4}a@CC<OIJ)<Y@g-j>3}d`G0+L7y;hHBZoyn)sFl;5oAC
z9NS60*e4~OfU5Dyn@R%=A7r2t{L%Qqfb`A?B5UizpR%XTe!X81qDOyTZk2W2bDj^z
z_{i(`+@+JsO2n0h8>;##f5>mP-ra!>3TF(Vz)8~xTw1xbz@`mChuo8GYa2>3_P-jQ
z{!_LJy*+E0WH?VDGN{1z?9-w`_hL`N^ki`>E=4BjAbYN_PK+1&l6n1au4>3cd_q}R
z>Kwu{z?%Qvm=?x;UGtMEup^3>%UZ{vG#N#h+LiaPvZytotA&TT$Pf}MS0SkQ%z`Rr
z_W2=r_#-qwzG)V20t(rg*T_TdpdnftsnCo+w?u%~GvBW4*kv+24M@AKkJ?5(nOA^t
ztH)qFp=(e8v}gIuN7xdUO~OvSH1cAnS@^E-+acy{*Or&+l9p`gF7fDU_)AeS6O$v~
z^{uAs-D^Vcd9k04u3-@JqNNHuWEj(%eGp_GSSl=O5`(9=J}{yEKp-^6V0z>YJLsS^
zzEgVFE3V^Hz)kvUt4?;;^QoiWiizgUr!La--%F-&(f~SWshu_X(WyYIUtGT}R?|Hn
zLd^|@hwsth<#1PzwN5v{`N|(IhV<%Z>f6_LRL}Z(Uw|B1WZo6M&Dt4*SCc8`x;{oA
zJcX26>4Jh~Twk-$Fx*LdZ$PdvUnLF^e&WP^)5W5PMA~aL`}wX!pqTLztTz*tZ?~zp
ze&@wZd#<EY-G{EO`dw_T+}i{wR<~qU5r>v=QMP?ja~ne^9=<kDfsmf*HVdD>J7e+O
z41>_&!`XB*z;@dNV<0`gPBL^$sb>QStW!;N=}!G_E8f8cdi~kK%H-+Z!aE)rU1;F$
z+M*1k;Eu>8tEaqS!3&lXr{EhUN+Y%1sfDcr;aQ&qK1it4@y_h5eZ!uTRa~@hVa!p8
zm82YA<O|!m4o==6_~^b_s5kBgA;nn3Gb_G6eZT9yV^rw7Z81a;2XQqy*5?uF1eaRx
z@qfG!Ph^>BJe`l+0&0ibvl^Sx{zi@cldo2pz9UEJNlIJ_k=8Vvc##%dCPks_m7$;E
z*XJ8}Ro}Y2&n(L^*tC$PTJ3>t61xWM_D!m0oo4rDiUezwb|0A${Fp5wcP#AOxOMWl
zfhk(@SZ9T`=OBVIu0cYf)Ff;1#0e+`wHu#HUwlB!=`;wI2JLexe12T>ZdVi;aC@pE
z!F>1n^Y{6TOoM|4#G(go@sb2Rm9gpQPAI+KYE##(Tl&R@#T-UT&_+YAwJ+N{HpR7_
zx-w^t%oi!%diDK6`<JkdEFYgAkt5DyGQIk#+M7#_vWp?d#wpY<Pi1rBNw6E{u(=Jm
z!bqM%19(tm-DLo5^;rv-^^E_G?@36wa8DRz5TUTXJ@a8w>j@Ww?nB48VuRYDWEmcb
zXvJ0JF<JI27N}fF#J;m%Hb%5C3FXo{1|S@THT^;j3Q<g}H?ot$Coo*Sjex6;xh=5G
z0UK?o#8}!rA%+_Sjr~tJl}5u&gMZGCR1Jz-mm_6De1z?Wl?czdV9F`q+b4IUEg1tg
zsCoH4;P;_#+9G+T)~ctRo>=*|;*!5$hRUt3O=+Owq=A{4^>hBLu=ySyUq(SgzA4{8
zHqVIV3P@Bng~fG0a3U=9p*p*c1BhYCV=3iKM|ZYP))B9lf2J6eM2_R1@HnnGX72HL
zrL_enb+GWs!Vg+uNjy^vrM7c&!8G)d4ipJL8F?HV(ocA6@<TgVd9C*BP18G`jL%QJ
z_6yTpCTNHW-sg=jt#cmWwBg`|U{R`$nVB9In=$@O)*eZQ=ac+?H_2@CL*JosxG`uU
zSS&CC4!v8^sgTU%<DqolMR!+#{-FZ26PI6_tpkVF;rslF9DVlWoNkymd+Tk=nk@Oy
zy6Zju=KK{l$Wq+ndybg56mYu)2uH}=r(LyS8%cuv8*fKei_$$4_XCMb@PcR{4NsDI
z?C%;ZV9VW<^QR0<Io*ePJc)|g2H0uQj39y&4F4;BzZ#u@QuODSsrD59=(0}FKg%`F
zN>MT;D8%OY7cx;+mCrz&PZ~gA+>6B~^EaeWN)%R*fRij5A@2y@mY7Olgz7vr@%*w2
zJ;K3{Sg)ZJN$b)#!ZmAS6G8}nsL7bY2u?j9Q<s>FHg9>AqeKA8SgQVAaJhCO9&ah+
z2P|T=l!mN%mahEgIcdL4p9kaNo!m}7JC-X3od~g)nD7Ug2N;CSd|Z`WGi5S&v@RQC
zb+G*=CA1?sdx%B2n6AVEgE=Claq*NX3d=fp@8wLp)@l>bij*R<E~9L?d6kgcqf|xu
zI>x65=7v5VErIp-o;Ez8Zw<X5!jlOi-Jm%Ck)0q&cp}3!)KJhx-PZWtEz*XjH%5JI
zf695Fw(0i(P&lc1`{Yzv@n|V#XUvWOWD$33Fge!hBz}F(BIexY+Iqky_P(`*&#`ZD
zB8*(59h32mr*40wN4zEZ(FKPZ5(sx}+n-*4|0!1U5Z1OsK*%B~T~>_<-JpuZ3+CHv
zSn6QI&oSikbnHIOA7wj`Lw8JXO{PQ#6_S9Lo4vqeIgtjoFw06w-W@tS3&d1Iq}g*w
zXyonT{`ONYHFn!S63E&z$LG89D_>>zDA^o*JlnGGrp4-;Y-gmtfh{-?>L}=F+|lxY
z?h$RUMY_&BB7gmig*bCoogY2gpHt-qnvRSj*Lvl^5w+#+B0)#Qf-8$?c*PKqTqECb
zlv~m;nCmz1=`%;b2J4$*Gc)`H<p{=b067{FD69i_<1&E%!pJ(O5sSnNViaEf#RMZ$
z)mRB7R{nz68^Pdb+=qNE4O9%opmpTM#zQCMy`y_qi87;BA{2y<N5Z}7dmCs**q$dN
zV}1)}??hzo#Eu2GN_Iy==I_<AdG}&#L1y%v{g<WM&bY4Op^i6^6e11XrjEUV{1Xu!
z`aTp*4ewigqiQb07^ZePu<4CDOIgQ#Po}5Kus_C6yoQAr{#vj&oBWp-AfDyPRAX$C
z{+>tY2N#0Z<p|Sa6;;_5!N?V&Q3?tIRqTp4u(k^H$j2^e?5-6&OD8h;dPRsiU9$AG
zs1@dem&vJmj*!q<yb)1SlejkwT1bXc(OKjA4oPXp>DPwDG&|cRFddj0g|Go@&VqGg
zewQ*r@I7MgB--i@3;Ev_c*?h6-<E2lplaKaL^A8;R|!^O5We*X8e7{<d<PBqpwn}O
zS<p7C)_q^Q@W5u)L!PEmMP7}${5%YO`o^F)<?g$ev?bXFe@goq3`&*vXij9a;l;b2
zF0u-79US278kOWOPwY|#<aaV6+Iy-W7Gk7lbfIv*id6&w`DpNenV-bx@fop~%+<S0
z!IYFb9Q@pvc_N)soa7s!I)wx)XBTmlBJj3(ipaZiGA6p61SKGR^@5Udw#~~@SZdvo
zKiYcrqZhbE@r<{hwPTf=ST?rd>2WR68o!v-8K}MClfHClXQ9~t^`R$)3mV~cw(oqe
zl?woiPvMWzMri3j3{>D%`*aBsb3%!Y2kn0WEx4hm&5p)#sg1jV(_pi=DLx~Uc@Fs{
zpR%v4IZ6lCCK*Ec-DewbJH8>Hogg;p12(N$>~8-q%lO}+)o8&cerlU9<6w_|rzvXc
zkuSpaIRtAi@FT03JXs_Qg@^&t=tvbAB%$VNZ;DO|K-1fENg8NP*l~L2gK!)47MM?0
z8`sRE!9ibjC44m%?Z=KPm>x2_$MK4!MD8;l`$F-d^}G$DoowkQQ>&?B!nQNCj=#U`
z5+gorbBp*aPiwpht$_w(&?No2X>CeEaNr51C$OW6)8V+4c!wpcTM1F~UFOn^4x_IY
z&pE>dA@45O<wCvHZHpoX-t<6X_$uy&yY1{zd~QW2Of)z8VPYCK;|D3kwLg;TrL?&-
zVKu12Ai5{qP%104CzNq@eW{lZucqQmq~DIw$tq>v%jT;5pbaDY0mj%QW$~=Vb?ara
zcg-`i@=^$^JaV`E*2$x(8qdx%$}|vk#hCzBObIBfBFzzSA!5b$0Y}66apJA)W%Ehh
z%!7s;4`HvVapIw1oHPq*=iVp;+FknxGAqk4oER0PT<hWEPOQ()Iqa%PjV@p_*c@8U
zPUb6Mv=4YsMYUuQkI{vdGq>GJFrfZg*Pc+7UxUJW=^zc{efCp?Wbu7JB7@P>-F>Z?
zBB@KB%daWp3?LWuw9R0(#rtB?yLPVn#*oNJ*|}9BTCUI&L>v-`h5xigQQPpKCBeB*
z@7^;|fntTL-KTLHRzU{+`dyoa{(>92TaD0+m?dfEHZUi~=GymUgwfocp=d{Zq=dE6
zo(c~YNqfBP$0MU~3A=4}%#KY<;f>8;1TXJ5LF;RcrL5oz!C|%PgSlcQ32zHp7$4|P
zmHO?GCI<8KS~Q*_yxt8{F$VqG8{wZg;(0A4s_JOBK-ksbp`ILHM6+k)zodx_;s?pe
z|N1OXKZ!r|;c|zBvyvGnWalj>2_)2&(?-|mm{H3kW6nO5fpxix8P=9YadNphp@43F
zi=p;b3dtVk+!uOBGl|DJCC1mUqgo<mjf%@NIy<7!Y2dYIRjNf8Y^XSAfhOOv$A>Q}
z>{R#b<3kD?9O$<>8gP_$O?cYTS1A>-$v)%~=`Ck7wBcm#y$*?F6^s2<pYQ0LL)UzE
z*EgInKjMUy*f$MbO*jAJfO9+}l%Yiq7HV?11GD)QEajl=+mhYlkeweT<*76OiQI6$
z40#&rv?(Pr)0`N5i)h{Bi6aH=j0QjJR3DUkfpOs3N32TTL5h?&F!{!ZyUpJB#IT8G
z;Ep>cvNCh5(VRA$Gje;!&7}+f1FBJo9428<B+_Qo3<l5g@;slRi@0TBP!Tb?`deSp
zM^dW8!SMol#~mL}xTs-jR#iXD+yZ~_M4yX2j41vC^hOr3I}|KqXAIAaWxf?D78vUN
z$YHXUzHCMWcsiycb=UWTx%7*SebT~=E1h=cjg(siGX>*_?yXeBPjv1NFp*~k=`0X<
zGaXy^D8SlUX`)%e;l!^8A)&VBe$JlKF+b@?3AXk8qI%NGj<9(b&(dR8J1LhTXl+$@
z^nLKv4p)lqlaOKK6?3TCiU)7uXb&AEYy_g~OQB)OrBN2Zv&*8xn*3BU5PA$^0uOlU
zNQB;#FslE2S%gqI7O0uRp$+(~_q^?N;lTVz{7<KMg&AMhVpef&ZQ{tu9aDKaspql{
zTb=g+!>{GEw9{aLL#qyP$ABo+rZ5bV?I9izeee|cNy9ahwilQK_eMJ*@H=Uk+fOk<
zcJ3tC^xT;V+FOqDj=bUe@D5##T{fLwj)4x+b&?b;tVK=XsgsOT&9f8iO&BRpiiZ^1
z*<mSLXnpZh?spfh<IUdN%38M45M&1@AI=O}5C+4E0Dt=4NJG(=-0H^R)@H5;HsXUT
zme~l7KKPFxTw2IqtQYGH7M>xcN=GSss=qT|(drK!kh!}ToBB1EZA`Zo8y8y@3B!Z#
ze_qfHWj;vJ=fO~Wz$!&<2bkhOr`MHnwy*@M9Ioa@Bx}FEZlI4!&!_I`?<~+CJFamA
zlInSg9!$S+Ax!>y(=1jcCYPO5TT+pZKIi8@!+aSr4|~`$U3Ad|G`lV41=Av|00&NO
zWrSj7Urtp5&K8zbF1nK)V9dA8&qy=VA;b-P`J?C891co@&`4Wq;-C3;;Fdmy+dOW?
zgsC~hEz-fq9zkUvtkV)PIVMD6TTvGMO2QeC*B(pYc1ipqQWFs>e7i4%LZ6@&a6Q@B
zrd9`>@SesHUk?+wBv<)Th0)ZavVQs-8+jqTwCv=)set<`)~{3_GmxV=^`Sl$xfpN>
z_Wt+9Pa$kMd29vg2?&)3Mw&(tlvjhPfFZUI!bX1iM`<4W6!kds$%%EWIB75LbJnl{
zfn~A)ZyS!T_E1ifSO#b;w=&eCQUUWlmG5E_4~TeXDyYQp6J)zQhj?@xq9@vutCt=4
ziR7NGFh_vXvX#GO%mW2{^}PEI5O$~@lKt=S+b(FRbD^^TTeLOcx&Ob%h3EbZe3>PO
zQK(s%7)B`v*j0?`*L~DBzrRK`?sd|beds{X2F(eUALWBuS(ELlTKmucB7B4~zdwJC
z5A(oKi=q~^t>_c#P4+9izZ8i82z0Zg`PwP{+G6bYh{X!#mwSlL$6I!wF{%KJ)C90*
z7_J|<24c$~q@C4mM#q&hq@j}RG3uU!UW7DnJZ%mlFsfx2%?z~1NPx|&3iwyU+-Ol!
zTEMG*qHqe4B_H;6KPr?cN0O$7$3$F$z_C_fi<G$o(}3MiW{SmzsE~=|r8z|a0$e?O
z)x33Gr_3xExI3+?fm3mULf_Vu#<o<pb)B#vA25B#z~>PBD$7|Q4S{TVXE&6qLN(L7
z=n~`3(3{9z0XT0RKqXI4)*5i36wXP9W=YD>V!pgM85M}tuiqzM%G{T7)*2eBj;|b~
zCs0n%xoGjE7`42zq?(h4+@}<2$G5${l#POu1U)^EI~pA9Cav`+3H68B>C@F-@}`bV
zcVM2tJsL;eaf`gARxj)8&y=2Z8@HrP1&pStX{)+Au%0p0qU+pYu-B`yUQ(Dr!=jCy
z!u%`wOTp&RqaSuWHrXrp-wM32FC#D1n)rQ%+2tM|O$uWsKHbPv9H}!V5?}abzS(-e
zo+T@Iv*ZPY?P5je{vFr{AnB{%ycT4F1OtB(PV+-%Xe-sXkalnwXN4U`)~_K5q*4Xc
zy5c8>9g={<R=j@?GoviMB9C#>pdsI6foKnTJQ{$V`w?}}@9#lIJ}_ggq5zBvyh16w
zfBm}*C@)Cs-jlxv!x<UCrJn!Gy$bwMf(($iAb*iX8~;71j1OD^&}dSTIeg7`KyO8l
zE(UfDPSnB6zX#>bz?}s-e*kxtPYpy?W~d86n2a8XjG%?2zXwTCR)Mq}a98rfC~v}F
z!|@PG!=-KhdoUK|GMb}hK|MDn(0)Oty3G`;g*tfp_uzjH1{exzVpt_=xVrv*D7uR7
zh@j%7CxJ~LSR{*p5?S4XNfVUt0`>GAq&hYB>D)#QV>4bG+&1IoUw{l?*beUb1sFRv
z+Qan*L7}S)2QG&#y~*ae?KyIAH|+Oenl@UK`o=zHuGQb)9=VMbysuh3eyhs?)p_&X
zsBz-Kt9%pSLp8M@C{^Nxa4;kNy~#PX{zL}fangQ?%G${`CeMsA3iDf)Xjs0=4KqP3
znM=L;sB1!|l{d!tNq(xrUb2#ksr=J)@q+^lt&^DJdNuHpyZ}SXj8XXDpB@X?A29hU
zbT(DYKvq8kBhBw0{YU;^(s?3EIw$^zbPfXp!KqygsL!vuIZ9EsfN|I63Mlp<QAR_X
zcTnEtb6$RWGFb>B8COq}42%sb*qRCVN0!H@X8o#N<Ct$B*^CgDfY6hn!Xd^Ja=x~m
z{Ho_V+2j?)KN3HgXZZ!8TWSKMgCfw5+sV}7wrZ-6VkaqUl`^RzHuoa~bt_)$=BcII
zZjO~z1OHy`SJNt#RT`EMU}Mr#{$=E5P~5KL+eZ|0h?D<ZGfZY2o9og&+_kAV#?|Kc
zpqKlqUbU*zWf6FegO!0AL$~n`)~CrPAQgQ?^z20%w5b!Iq4&S15-0-JZ6UynpTx_e
zR;VDlMGMYKk?%j3&@ZWfi!0b)zal16tQ0D;Hvcb0*8fe5Y|cwiVi$4y7$`QBr#?AR
zLgnf1Gvm?H*B(i?7&GLA;MZ3dlRylhIuYIb)60iK`G!7w9UF8_YhP3K4wn12aud|}
z&x@EKd!!opY7MzAY1qst_k+mG|6K3}B_Tjln?$LXHq&*k*Y3^N=Y_tPdtLSpvAoTf
zLv9mq^GNmm&e!s`zywyJ?2m4MH7AYX?L!0Km(%&3&W&U%;uRV-)``0Um-8`jDNpP)
z-`JyQ^=YSG?k@%Wc3t}>I}=rf(?Aw{yYY@%D;^ECbk$G;eE6ROTq;9g>k>x3m>tPe
z4h;KuPPb>gcdCG*G>LNHi=QIjJ+ZBIm~A>n>6O4KrZr#oMG{%JQCxxIo5NG61+Qzu
z?_8AtbHZ?m@$3xXUxu_&4;RLtI=v$h>ULNGuHkCna1>Kx%k*&?n$*6nNEVCnSUVIu
zHwHCC-v2p7TpDeF;C=(1tpfbTkgjodFP;0;+*GU7#ioGGL}kH~!i!(>MB`wi!cLL6
zj*mTj4s(S`$&{XiOETwijGO<$`7uz=#(;qI-F~{xUN%PAbZ|hli`MzQA+SZCJ!6V(
zI-SQ$6>-egEYc~HF)p3irL%_)TCNR!slGa%6h}Kov415qo-1@Hh4~rq$A)K0`JU?x
zWJn&Udjs7#os({az7yKb7&-=Q&9)8=dm($%0cf}JBL{(EywLBt+k!QH@+VT~>}1w|
z8vb?%7(UC|2*rPb-3rU+vM2{IzGL@^^z~^@#Ry^^M8sboXw%iPewTTB7)i0+$3s;8
zA#$&J@XsXhpXCQkTU#hm4cN>u&~$xngWCIW5gj}W278<0=3=|Pq!FkT+XuhZrKj(C
zE|R!QWG;|)s_mlmGn6)_RqJGFh0#hK6g>aorJ7^0Id*1VhS!hI_f!iMXJM%z1yL1)
zJseTauIi~mea90vylnVhC)<XfV-EAcmu`!3k0;DyBol9@TZ8e^O+Yx*8{j_&Sw5Y3
zZ7?TPoB~bI@6y8?0E_9nV+!PG?^0=QfUx+;8`xvglgELpINc+=`Op;DqR$d3*IS%|
zg5UJSv)D_tqcf(VRDP?aY^kQM>`L$`^<^ZK3f?s{UWH^KK1x?UZop_P;<%vrDlkuT
zxI-2c2|{Ht1@!p8<)Y|6YZpcS+@F`~uGwgja>2OdQ|>w}D2EOkl$b%^woI|fM3$J=
z_0RKd_^6S0-$aeWjzTXmwcB27R;V}q+Ks#h5mak#>@kPoo>7Bodh|Jc?RQ@N&KV7?
zWwwdFDW@Gv@Xaqo$8AqeoIT-LAe;D2r;EE+J2ahjvIvK{)g1762v55tR8Uj_S?TEL
zOOlb(3ezj7r~G?h2_SPr!m#S@(g(%y0;~RaGIwk-E?FHHu*9+0hS;@@eXA<&e%C2$
z^>yE_U6}yNF_O#t16YI8$Fu(a+QQkdfyt**C4rU2gH_Y;EeiD|CP!1k+W&$Pj(-Cq
zs0ysZge_vVXHa6)2;rld>y9Xah2ket7E#@q>QW{}Z8>0bTBR9D01IHC_KRuNF2)Hb
zI#G7;PHBV5oJ<&(US)Ufo4vC%QD*~MA`FrMgiH_vrpOH5muxd%pM6OGIPmcsNcJZ2
zx|`wFlmo$iBpiRLAEnQ+X;n{H7hd|A&DDZv{SKn4KjK{>mD#(%daA1>?{oFp;^u2F
zZAuKrm-TLTG{Ce<_Bf2bND?R&E`C?=Rz5X~pYT!OpzZMuwV^I{)k#2UK)t=a&hvIi
z1gw8QH{J+hun}fklnlI7P6r?jGsRM)a$TBsk>1;duWDt2o;F4LsnP#}4wjrrlageQ
zC$9-ob$X|dADDC3`s!)n(o%G`$0L_N{&>|j<28pNclbr|Jx&=r$nVbfI>1_zQlX5D
zAlKI^BGYe`^I!g%(x3e<V9a&Ya0{d(SFMjAR0ketep}?CxnodS>Vlk6y2OW_3~D8;
z3WeQfy4NkRKWo~-sI>x;lZ&G)Jlb@)MUbc3q(H76Y@N!IAq@f{-mCj<RX~nNnBOeK
z#}>a#;7^Qls-$-{4N)tLP$6ycYk1~!sH{9OiGL8b0<mfEC*S}x-=B}<odCNN;wGCH
z@u?)6C5wE3V_0R)fmc4H#6C=B0tE$gR#^Ie3>O+Ge&n>HH3FNWVEm*=J%eheV9oap
z?cZNznc%xp75=RKUH$@@YeQk|xkO%L!fV?SB~Hns%XM8k&mcq0uS3tyg@2a8a80Hr
z($cYGLf4{K4y?)|c(^0vTohq<ua)wV#fp1&CmW*!!}3VUlwY`<*hv5j)aKqA#NZ@J
zB;oz#VKU!Jk^YQegJ>Q-5}(J3`4-}1ALUMVC<~U&oq6o%tsZ6YUqX8-?TZXL!1^O%
z<=Fa3{tOV=Q^_a^l?@X9y!BI%&JtG4uDnjmtqsDX1eLz}i7z(W!^J4)VQvDbDq?Ge
zcEEP{^gh5g2&z4;PpuSFbmDF<X15$my^gHeG{Qt{!E{Ye+Lwng-h--}%WD|aKt<bz
z37)?rHZhG!MpV6DD4ifqm2aV*#~@(J%a=5TzRi&&rD4d(#<Mqt_s1b_#VMw?SO0n}
zmFEw_^)Z}bFb1X5<=$p~gdm97NqzKo-pv2B-uq<RKIetOuT|+i6?mGd;U_-x5Hbg!
z#}n3_0Z*oY{b4DdAK4#5Lwm)@hi3lx6(bXsI3(_%8?(#t0f2x^v4sFqI=L<j+Jgsb
zMM2NqI+MMqULDhmkxk&G;gP4-B8|r<R)6=gm9jj4PAH`Jlly^LT+A&IV6r*rz%JGg
zOTy!UBRUR?fOcE^jq%ed@9aWT6;R|U#rT6r?9F4qUO%s5D`puPTN6Ine1>i)cN;`L
z%RU}2Rx>K_79$5_gb7!7G^|T>B@HZp%s`AedFk+8Mp?)>vh+2h7kgM4@FuOCkUw_?
zn*~Mpx{`rkU}0*S{SQn;ZVD0m)Y>Y|F=RuV{}@*l`6cVyUvqQ;c&zvc?T^6w{y_kO
z0`7+ithLW`l<c$U8~H3)`-pJRprhF_?ZbDpOL60{148d&P(HjqV@A{AD@`+b)-n;7
zAIM1q!7PI*%PS~S&byTsnK&}}h2mT1CbB-E4nAmf<#6M@XG{cJ17OuX8&kV_HBg^g
zj_5?F-N=?MH?`B3z+LF$At_X<jfC>)eCO#FqcX}m{^D<E<UBJWk$N#XP|Y*XZ`AxX
zJ~xO=lfaUtl(l?0Mby9A?&bG7JL4<=)Uu?iCIbmxP7K1exbP!}XM9>1L)ca}jPf)$
zP|f=`A7|49=oXF~Wt^y<U|k*7sL)brsTSEX2Q&25Mu29*`fs0RRBl^v<bSAkKXsz}
z04qcr^lYEsqf=bhw~HB%c3B>5OlR3p+4O9oR;LL8f=Mof7jjggi$tymPu?v^3omGi
zk1v+H#P7i>J#OD_OemHrnEpcoaCU+D_e2E-(1fU+3TFK`{Qb2Gb83oRv12N?+!>xT
zS02)vthx=VM^B^ZXqZ4K>aPqy?f`A-e{`f_0G$k4GC<bA0we1O+#A?t`ENbxfek`3
z@-(v*cf7lsY56zfV|saHlX}um*2KYJd^3xC<`qwl{TOdkr;KzLRqu7)OozQk+7GF`
zJU`yrSdZYbUF~80%q27Ko(HP0W6Y-@G~R~Yz)1nDUVKM#ct;#GV1Mv2eQnX}+;~<T
z$X3E!l;79v*l(XICn{BjF!<q$ltNyX39tC4;y&rKc%tI0OG_|PMg_c6WqP%LLMp-{
zFho-Dx5?H8_ipM(fQ@(TCL7RBF~nPO%65jP`xWdVO83W3)dxE!hb`01c&UZXa$|o`
z&B;+O0^ikNBVtm>d7toXCE!VFgCMrhaKxUY64z-cKGloQXR9CnWcuu@7|h?+77!Y=
z*r6d6B<@w1SOuOncwOGpl=)7Xk!l{pI{2eLi;~H=dFi;*tCd{I<JgtJFl=v}mTeYU
zJ?*C7mCAQcpn*c61F@A;xy4^md!I%?nkjctTxtJbLLVTK!vWTNC5trC^Z?uc@Mr@O
zbK+bQ+J>&0*R085*c9i3BUsHhcod96{qHG6!WhfHDPo-gtK{BUE3*-7Ve&5c=_j<v
zmv#w>wMLCz_Vm=pEwVZuF!{-FF56v|{h%RS+IXJQ(P&;&Bg5zgptHI+@D-7bD-M$@
z0`4Q}-TxWRe;S5pX~f0r*R@Kwysz}WbbGpf5*Pudq(o=3$)+_8ilKDo{<O!fErIf0
zM*Ll-b8m;geH5P>-Dp05SoNog_Gi0*y-BFTS9TAhd6v+7s{OUXeT;`A#6pX?+`Ld?
zJzJw6O1bdhy%PYiH?I5A#YcTRS+jLA*}*2a#tmt^x#bWRyeGq;W3fU(_$R)7tT~%I
zw-c88QcFe$TDe5ZAfbQv60&``TchfP%Dth5*5oh`@UC6H;MDxTf${(Zqnahyp@Ly;
z>8#580=EJQI*isY9!;C&y#@_^fVkd_wmMKXGsfkl4aFM=evpsNqeLSVX0HjQFQMA>
z7<^7sj$Pv*!se%@8xSoY36tvP+CobxYvg_s+EFfVQ%okkp%fJIECTIT6utCJICoG#
zYJ+FdLwLyG3Se03`L?P?jYcZ0)V)CyV)&HUQId>JtrGMFGhZ5&*ypT6MY3aTjn;()
zqqgNGAS<AMamoH>-0WAZ{-6h}hy>c=Z<^@ysI@@^9M4eIZ;a$%-L!I`m?<s>C^2Cf
z#wfShD<Gjw4MJ1)mjE7hy&+2y2*Tbr(Xk+A1uYm)WvGq_p!-$~21-9eB_N?=R6%Ha
z>^erL_H(VlYHunXW~Gdg8XOc9J6;si-N4Vea_$a-W)fK747jqg(Fu!PbBmRxO6MK~
z-%Y0$w1zvHmF+>WIG>@m_40-B96vOhvUGj^PB=B=1!(CgtuV5Ez=qee9uiWKt#9i$
z01B_Z_#dns9*W`uY?kp01FnC00RTGu%WN%=BIeV6zUG?A!P6arR%A0kb)Y9}zq_uY
zx@9i^k^%$LH)EUQ73sYciQynpMlm)iwXm<H0eUy&A}ZE5Lb_~EjfV#Tv_4#GNy6z2
z+C%YP)glCk_3GhmM<*~FVoBv=t#TBM!IlriFxe&oD?ld*e{aLg&T!m88Pp4meCzRd
z7@*3x0%+2Bb*w3Pjcfr)?3IE+Xm_qagbfG%7Rpz=d^evN)iLjneS1y99uD5A1gTyd
zLGmn=#Fzw8b0qrDIr{O*BEW-Y-X7{;J~#XI8BMC7O(Ndn$=c_f`iVkqUUx1E+=)X7
zY8O|3BLN<+D?=c$hEC!<xk#maIxsahI}1m0gWck;+ct+W{!*B1K((J&S{5|;P5fvO
zqeWKFs#B#|SukB0_EHC54U(s;Ne(j6<D`)P*-C%?1<}G1se?!H%i{9EPXbQb>2pC7
zQI0}H)<CXY6Cl#l#i`03NqQYVY)3a^0LTUr)mvYB#$^r9XM|$U&`Wrf;;nZL$!XPq
z2JQPRNa!v9d1JGRVn(x1LUz`<#;oGH&neP6qiE{KsQFvtsQM{M$zmryiQEUuwL$P&
zVZsJ+%d?+%AXD`?UrQca>!LgTqpX$aR1I}LOE<IGAJM51qHE&>RIG*)q*sfl#+x;|
z`ie%VEU|t|vs2IMq7rmZ4Jxb}83Fz;`18I6VW$C0C{3|#l95*d85=g4P;YxHtST3H
zEVaJt38qT<){#j70PeW`7Hq~GP$%2MAiNm%D8yOID8ui-r7aJC?yxh{h}V}Lf|OH;
zqo7U_pIRzKH>EQ@c%G^J8P0s$)?U@0L@+Jpjk#?*L0R)Nz@|^Z9XqdO!`O?|b%M>F
zNT^`G5WKPOntELxW>P%x>iW3d2;C_iRj<hrPd<Gt)UJ(qpnblhH1U8bmJnhP*{fAt
z8WE?nu1fykYYyI0Qy+MwwNK>egd^dge<UBrD0=W=%olq49!^OSf@*kf6mv-y)$yOX
zv|PP^Zz1(?Rv(JuS(2jO&kNJB9P!fxdBG0Arfg9>{ML74cZYZrKGl`VX-Lg7zVTrU
z$ZT{c=DpJ#&OUE-w!c&j+P?Z%!`S5*coZU(wW|kZYNlVZcN1@bJ<oVRG3w8VPI`XA
z7>feM_^40npl`=?6r5Edp(fC@@xJ*d0FnZ*7jXgqYLN0a>Lp+k?}6TKPeb*9FE_4}
zn*a^Ap>3M@-olL}3$`k!u~+hl$G>6FiYN_O!+-0hLfbf>=~h{P?8Oc(W$IT3Y$Vts
zW#S7iQTG7#7HsSR+&GHMN4;c3!A`lC{cIYj4OYtRD8hELhTm@Dk<Fj{IOmH8Q5}p~
zE?|e#A~D*E0Bv}4im3C~i!Dts?V(B~SrIZ`D1!Z9KtI*W+5cjEL{Wlhee`n2$olUz
z*zE7yE?<sUKdV}=_C2CrTa~MI5CFKbjK1Bnw1wF_ySu7j$~cc&MwB5yoat?wxa+zF
z2rAbLh5}Sy^H)|_Vd+iOyLr6xsJtLb!r#Or7)T61luhQEpA;Rq`Wgr|&(PH+mL*O}
zadTqyU!ENpVm=I<9*<-phgfY9`7a%R%pJ6P1S7CfG|Oa4&0wu~L!V|bq&dx`Apr(>
zms8>5pJ?whz>0qr3Kzj5KToB_n<bWfA<g@ca2AcS-x;JL;fmiT6c}<);8i{JKPi_w
zYCn%lS8?yLs%?Mas{tOjJ{7B^x@CWDt_rD>nOBRR-ay#lS@m%$*yzh8le*r1QV+Bu
zp(1zb$)bH$jy3A1laIznqu=`NdTsgg?TFLxZx0@U(3(G(Xc)|JYj48(k{c6lZ-FE`
z8C#k4U-;Izl6I|iaj2~4pbI69(me{7=|oZInYjPSExHK)q!pc^J`o$jA*SejEbO4Y
z{^{o0z0A(tiDvS3<hqtaX!?k_|4m5!B=<D$1J}kBm)3)wX8W#Lr-G}~RU7*>mXDJC
z8)oSz4tDR<L`!nzBQKlOVhBeH<tgj4H>ft~4$cpWzPAlqO-dcPSJ)NWEj6+II;<Es
z9^Z+)aXawbpz`gVa(kfu{<WY~In4=;fRvLs;{Y{ZKlRZz*y!`4M?;?})(k~nApRRs
z8-O@ljb<Zw@<ca+QUnNS?dL9H1zeg%?)?+4Hg;_U{8l%~0FJfyIC2x=kh<+*rzMrp
zm~I`9NoN`xF`HbE(eRWfNqKfrM0w5%jl-SfmhV6R7+c0AByPf0sBSe-e*4@F=+bvw
zhVMhDo&s9U$LYTT90gc~M10(ro!d1Nx^&SMtgh5|#?2ZaE1i5qW5Aqm>RK~7xb5rt
z{;Jj^&UK<$vz`2{%(dL*Rf$whq!MBETjwUXk?<U%H&&GNzTfQbjB`034@i$~4M<y)
zN%{PKpq2l|?qqDBU+PlCeQH#?zp7&Uo`oclWM_uY0gLz6K|w#0;Ns6Gb|p8DoP1Z3
z>)9kM7o<Geu6*15u*Sbjo=+^N+FFlFiMB3ZT~|o@%zeIeJZ^CQJX~DXXy|I@5J@i5
zaTJWtlpy6h@J(y{kC?E{*1CnM|4pvdRI_KCO9r>w^zU=}+1^t7=UT-^mbdRU_ICOo
zeszY4mkrMeU3TO>sYJHp(yp6v3BSMhc2@edd<%Y5U2VIBTfe+Fcl^`4WPDw)@cWe!
z)>u@Yp~<8}t*hUp_Iv8r<})d_`gTTrYSO35-WR><=@{R<FLH_&5YAh>VZD>0k7;+J
zSL)vQdb-!I2hEH)HfwDQL^q2KVHP{rZ@(JtmpIfBuQF^uC*`ovtaZL5i#s<i+wseA
zz}gxAxxMLITX9U@sS06}m9__qbSVH;37CO9>c4hwg)Q~@<gZ)Ktj=Cct_LL^Uj~@Q
zB}XSJR<C08f9cAwXH%qDF0)**vzhq%u~28HzN8}5n9j<zy6|n1yJ(v(l~EX++0fsb
zzJ7CT`*=(JplDCDYYbK|R3$(pJ~ESfR7-~Lp6(j_L>PX8(M7W-<r^c_7am}fNp1QB
z@PhW{^u8Bg=sea6ir>zMS=(1dO`mVFU%1X?9v}HG*ll#THYzS&sFIkv%*9P__R_ze
zq#KZaZACXTY%g-;vmtf(;9|MU^Z42>X34#I$udv3jc#M?c3fp@8Th{vO%fL~g(Dlq
z8=C=!pT;oaswadc5tz~!rDPA;X#cbjPSz_b1U;+N{_1N&Pv|++AvJhS_L6m?jC(>q
zM>(~PDe%_ysGE3=4rP@NtO6Nhy!F{{diw6N)M5DrFJ$Rmi50wTWHzgM`q43(ew9~L
zAMIWPSz_aM-H1}-aUfY}{mvBlwS&^D!%>GbyB&}97PZ5N>UYpzRxNxI=Lx&JT+l}@
znf6(M_*v?~M`yl+gHCvXKQt!Nt_Nt-#bMo3MXKb&$E`XlNaoe9@74;RY5(Rg=KsuJ
zPvHoTZ%-Vi4nLD|8zFyszlq->CSkY}B-cjgUd_ha$Z~Tro8j@hddl|Tvg2$--}Y_W
z!1hj4R|G=tlT#PGt7x{(eQY*own|spX9vB1DbC~L22*xGV8_><+Aiv1XG5meEVmQ+
z=`(rnBj;IjoO8RuS$k7sYFNcu=MA}y;t|Fk`Ig&KFw^|<V3RPsx@>F{swysCa5U$(
z_dHLpZ6<v)J4da@{jIkklV5Zgc0xQl;hv1X?fGmJ2PN-SSI4Y|6rGS5lh(R;?~j(N
zfl87U!cqZ3(N5o!vlHV<Kgx6qbptPFg`h1{*MU`}!ossWV`S3}a${}e0aLusB<M(v
zue`^#@tSHpiPWocY3vr)SG`^ur}FLSUo1D_*xNo#5nIG5gg?iyTJqe!8r}S{FyP|f
ztN1<NI9iGlwh78RnN$}@ulSn(CXugNhgBhwYKKV9f%+Y-BBQsXlAa~$Q_I+sc6nag
z0`rokA_|laEiL@5sn=sK-0StUYG1Ih;m)Ls_URJ(m@@v<zv_9nU9p^$HqXW7FmtJq
zm7{-07a@H#(o4c8(6xMho>LK^aqV@U-VO0CCKDmUB6O!9GcJ`G^f$<!FmeoO6u0?Q
zVdnB4o<~=G0&~+?XiUG*e~V6-oelp#xO>a6tk<pWSCB@K?ha{C5Co*8L%Ic|Lpqgi
zknT<?Nu|5H6r{VmyK7&!bNa0Ht~H;1y!-1u4*W2WdBgpWE5<m-Ieu5uViHcH$pfR_
zkjclRUYXTB`D$JFg)ULeDuS^B!axn~p*mqs;fpy92}ul2wYPZT>BZqqS8cW3sn|Ai
z`aeE}c?>f<9da0RO`D!D&DzxT>*}@+`?+Z6nhlm8sV=NBO2v#hnVFC1p9f1V+MCS`
z(UVq&m-i7j4L%gP)(|Wk)tuIb@5ULE*iN8phFRE@5Z9^Ny{0-2Z>GcG^n1U5EeB)k
z4Owqq{+D;5kX&Wal@uM7`1_Srfyr!wwX)uu<_{e?0j$r<XrJ*>)pZd1__QqTxm6IV
zRkSQgd#p^K?M*R!E_zj$!w{#@{ytUn7Cv}&&UB(Y{r>i+f778Ol$TFzOZRM1Z-2Rk
ztR*qxIsd5oa}|+g*^=o7BJ@W<U{ybg3kDY2yAQQ9^E<V9x~+8ISxTWdezNdY3BjFy
zgob{DsTB~J-!z3Iqa#v}ID8=;HdQT*EK?Lr5SQ_6gLr2-8O?nnylEj2S@Tv86SZR6
zjr8Wz73<E&8ElTdffr$PelSl1;s7dzU$jR5tW{*MChqgpx>j<njg!}Ew^&qw7frea
zp=y!A!H?S?JrU=_GzWE@M8e0TGwIfd@Kn|qr}`@F6mqDLP*FDNKVv5xdh5(WCJW#|
zRv!f~6eb08@TgnSYRy>g^?6rtYKtjOpfML4#_2=f*@gPf+=as&(dnrh$7cQw5<-eR
zuGYb96D?nyzFJ4r5OY+-V&p{k40U(P{_Fx8ni@xm0U69SpEc;MU85Pu32J+s)fEU|
zix&-;Q1O((r_0wE4A$#+=h5r|0p<7T@kN_%{{F%k&&;*m%x3btP?`N<gOTInH=E)O
zTIm>jTVlhXl+UEObf|>fbfmePMWwoTKMLlv1Wp3<!ako!DrgH$jShm){ZD4@L5Ez;
zj3uJR#OeZzM40HYr{Szu<rk@A-QA01avx`%30;g2DX-$6mMUxico^tZi9G!x6)bej
z<Uz$Ipw#Hxem7oV({YU%Z6ou76Y<)nkN}+)9+L9Xfd27+X^%if#$nbp0UcuH5NzD`
zSYh>h?m27oor#DZs>fQW=2o9yS~R_<9HV$aAx8XbyfzQpxRsoF#aDyb&eC$jfoG`p
zOQ~A(MMGiHK-KH%4Arxb!RF`NPCLP}vlNMf7+(DGjJC|C0U5?O3rj_4ccir=wb@6!
zE}iC1uE@AnLO+lto}$rtFsg4dBEmFLI-+60AJjG@R~SdWPiO(Eu}rBOxfGF0eZ;2c
zB>6^@!%r>_{rzg@F1YFvvG*RWff2dP_0&-xzJ=~Ny;s#J{}_r%5K!DtLa==O9>+@v
zj$IhG^z9DCgKD#}819Ds9i7{3jTOnw7wOwei<|R%#HzVCcJpw)Ztk!Ot=i$PkF9R6
zW@7M3H>%xE&v5J1NI2%HJ_eaPsOdJeWbm=(m2NyOl`$x(XKkCWhhsg*M(-z-K>9eh
z#m~X0=a3bSOyV^5Q;M-r37JUq9HO!i^10T4zT$q<iTmRIbclF;3>m|0>-XHu#|`f=
zZCLilzv}-<Nv8VN_B)S2iA|VC=YL9UDV34DZ{wJ?Od*goi_?eJ>E5*UWf)Za{sK~u
zFQN6OYF?K?lYHpaJ`8H|uopR7pZN8SpEl2b9lSH*#buuzd|!7?f=g)Io)8JfueTa`
z*Xp$8#w1+i!|Sc_eywq)2V!I+Miym?;NuOrCl1iL($Q{n%PHO^HCGkLCrp?I29(6C
zadb#=aW7P7*O!A328>tU!r-m-1Z-aF9|@Ytl~>IzY!Jl1yRJ!QvB94)HE%L3bz8z)
zmig|yYe{2d-P`^R`HiS~5X)WNY0m-z){))n7r^WyTMH0>w{GQ;M2fDK8nU7nys%mR
z9C@IpcW}D)Vs<f#E&>56!@lij{5lPp&Mf6%a~H^NN($rD5;5Vl2?EWod+*%Dsr(Ub
zwmQc?N7j%CBh7NgkIowSQQomr7<CpXGgn^t6!XL{NMFke!iIJ8?&bAN@_a(2kUj&m
zdp#`N5S!lG{q9Uv^#C-kR+Cg`@-0?Zn@_P8V%T)P9kXKDAJ`H=@A;irME93tUKk*;
z<SPl2X~ERs1d@MO%kU1)SE1vD<hwcDXzrpm&@>I_Wn-R;x*3Cfbfw8|6v6?7`Ir*C
z(zkHIJAP8}cw3R^oE@d3fogIAgKyM2E$MrohBNB%z-)_cUwG{|<szUL5%C3U*ih0I
zu(*39Hs7lg1@h-_vIfYP(3iraj(>H2J!)I}YRGT#KJmnOMn$<${Tsm%%fL#;+gtPx
zC8emXe%Vil{02+=fW4^686}?NHcEW@fPq4Ni`JE&zf2bGj(+>=*-U2h?B&OR6w(=w
z4ptX<bRj=K<bG-UKqK%xKv%r<&aVugREKf(@nY>}1;kWGwQW35MuSwyC5WWPfMZMU
z9*kis6V%2Q-Ea&AxSLQKOeMFzf+Ju<uS%Eg<Bk+T=|oCVLJ7qhBXwn;V<u%EH44Qu
z4s{meKn_Ki8peW=N#=M6Whs!)@^{#q9=n6sdOj2km4ezG9fW)V-D4^UBm89+;^+9K
z^pk|W7qvDsxA3R&6Dhedx^G>`DYE{27Sh`<#XrnUP2xdslrhgCJA_NEJ5Jfh7(9*X
zotPsGB;}?MU%YIR+@!J_SE@#cfk-`5Q(JGrz3fs(#6lad^~G}hEmK$k2q&EcYsvK*
zzPYQyesM&D_!C&Zp3?k?{=1gpmya~BtVK=;KYh(7R4G+7P@H&#EMwk`jLAJ<%!%Q_
z_O}J?teG&k0H_XB>EN3<R~jmvI9@H2G%z0%6_ExKDx-VZqqn3ItKL`?D1X}Dr_Z5*
zTm-Pler$n)p9C#`x=b2X6)2R1a?k3EG@7`lr1RX-Y1zC`=vBq@T8@YVak$}$?IVDk
z+YcI&Au0z1F`E11ZY&Tyw;WJaQsjQ`M=ZVla34OuRi+#kvMc+Q0(y%=V3@AzmMod{
z<{&>NO+W=H1@sMT++Cl26ALF{mbRw{?3SUOC+I!q5Wr3;0CduPm!YtS@ah0OG5!od
z3;<eg^*w9e|0pWPdp-~|Cva_^1CLt57_>12g&_Gt{d-$vJ{)=v3N)Ziah%7{OG8@A
zEan@WIGm0RfUDbcq!h3xL7I%FvugkEfx6MRmMPH7Zr<jLI9_F;p>Ew)j5!wJ1Cv>v
z7yHt+tWdZ01E6REAgUxzN|fi83%dAoh;j4Fe@3OC2uQ|&*g<LSx@~gb|16!&=m#jx
z^%cJH>9dC@1Z-6QX7TuAg)55^0F(FK<Yg;>k*pbhc@v8X`79>&KYvyiI`_FQ0IkH1
z6u*gO`~Ash|NO~{7CM<p;09kiHIrKlfdqWM|CL|@S3wb#XG`s7X7Fy3+4s_{Fz$km
z7kwh%goU{Qk4qHd=lu4c5f89)_DDhlx<LsbPjvHgAg0vFgT+dm6Y@~9|KXtsz)(Om
zJNy8FYl!{?z&{X^>;J8vwOnDb<OWi>GY8a&3g@%!DL6uNG#N>V1c)W217`0zpmIzC
zF32~)kWc}Z6m(3W1)@W)<`;v?w+b7@+{vT{_VI7h-G@lPeH#<mQWo34mll|1@!&6A
zv}WlN`?mmx`kfVY;Z{m>Om%Qfn`F(V>4v_CQ4sfBm@hNzFOrO<zuwD<s87OxNN;AI
z@h=%vi*2!$zgO7&y@z_5*-Z6etCRv0x>APTpZf3Wd5q~Pm?hw+7V<<Vj5Jq(6_qv&
z;sX8+X#$)k+70lC`mSIKZotR>?tCbC`?s4_K^FYl*^jYIu!XN<^hkP@+pb9_b66xn
z=ph^nu6ES;J+nKqy!{l=|Hq<GX^ImnBZTht;~6B2;s<tg^L;D+nL2Ss-Mb{oC=3}T
z_L$g~qz0bk|0$3+imDg(Zk>R#HKSTd3o5{`x-19M6afNh)sjEq`YDy!Aw>idG!<R~
zs8K*XK7hSz1~FgJCo#oalmu==ur83|9K<6zUSp$g28w{GwtaLez{hIK^>vy14wSa0
zLE)%jo*aN8^4YECXCa7O>Kud=2gDQs&&ZK@Mh(+D(#DaVuMlJF9}|$@19R!X#F@?1
zEyULPN9X@<TkD>gW|k~El*K7N=_bVSKJi^^57fLWL1|hYtY0U70}wz>y2pL3Mdg@^
zjq*p}d7A-L6;o2TQ+dtq+?_AL{5J(D@0kr{`T=kAoP$32z3;%Yd0!74w1yu6_c*)I
zCC3z(y!Eye`^__KFdU{J9@*bHDo|+uW%L&C1rx6~z7<qxbs-Cy1!yi9=u-wL!rN%(
z=3Cq99uH6x-37LNrrNR|bVk#eN;6~NLG<{2A%DY&322N=M=#UsVVOhKinb?;tqz)Q
zEbHo24eD#OL=Upgfh_;}%{9dC3F?(8@^`U7Nk#ql1@7OR>o!`C0sX2}^}SOkFjWSh
zaR>tY+jkVa=Pl~+VcgrastXYGFr`?S{kREI8+<>MUKv>I!6QoNDz$Hg#hnDU+7F=M
zP!6%!0@s*PEWL6Wguxv66)Cb2ONRf>zWNp3cN;9>Za~V^fgnbA`T<$M0OGQPfI%Q!
z9v5JvOPNgKaVo>qW86fiW4yLuc)gyW|3rRW3J_!FYM#lYm|!#D%vM9~pe!u$5ot{p
zn}d2|HH1ui=5q`oC4YJ2W4=9_FLQees(%*KyZxXLcF+}YmJ4Xl-;1B}-<FhnlP4@L
zceikL=-b`{@1qgGR~O!ak9`C-yqfdLg!7Vi)N;U)sdblwKxXOznP~2}$20k<S_Alx
zkAP~x-A~9P8iKbpJrDzWrTIWB&i|=I{5I=T0J}8ZJ?katHlL#)KyQa`$`<4q0S3GE
zWkobh1Yd}|j%mLB(}5+Rq-8;n95RPwWN0KVyQQDY(Ndk(6VE|ew?-cxm1xr!v71r7
ztV3P0B-^}xuj)H8pl4QtJ&^NNDa7yzTx|M)nQU_;;3~>PnSO#F?Ajp>NH699z+45a
zdbQkW=oP`wH$iKQSB8z2QlZMvFbH*q)m6R5I%5ZredY`yWaQv@;k?t$p?2c_gzj)s
zD+nAGVn7|3!?XE!>nF;^E6p1;SqNSx7z#qfCVt%qR@yxXiY1wU1*h9F08x<B0<fR_
zlS$87VZHwHf3~KcTQ;7lxNK&8o;5yPWD}-XhO<ee69E$Sv;UN+fA?hoE2JaJVb=qI
zHQBu2KtS&UZ+a8wY{(DRW8|y!Tw97refZhsPI2?BH<5h%a>`(F%`%b(C==ObnF1#*
zCI*DVRz4}G_9OZyYT;0RZrV2MtnO8dvmJ=8ry$TFMrx1>**T1m!uV^SVp0mX4*Mu0
z2BW*RZ+o3Rwh>;ky6#(Ovf%#;=GFkgOOwUxrEgRSp<vSUHCr-@Ex4Y92B$WFebO92
zh4x>=zy~6rnW_a_ch5MkgziCXq6?J2ZK4rMaIGDaD#h<p7s5Af^m}zf0{Ddq)_{Zf
zqjz-2Q`bM%Pzc`KZeamnS*if>X$H`lHic0n%pf4$W!K#6M_~Rg|Gy2kn$;+&Sv@Z2
zBWWVkOs}@gR2Ue>X$e+O(ERFU(o*1EPmsRU)~QF>+FGhcg7zG6ZSu;6btH}q!CRME
z)%idkjK6P0MI~VJD<1enref$6HB&o|exZK1fKaiS-x)ZrltXId%7F+1I%I-qkJWsw
zKbtKyHNJ*ZEuTCF?MO3$G-;c^eWbG!5Fe=u;cQ=tBsr_~>vnoSwLqCN&qblp$PcIt
zVWj+Li<bV@$C*!|qHraOgF3r$eV-Je@lkQMOxpoY)P_fRi++k`bIpV<ROVum{}{5_
zaGZwa*0xB4Q?T0CyG?5A^*SfsKVE<~W8r@n5q>`<&{Xq#tv!nOswNQzcw@Gb?Gha^
zxm(~mw`3tlLbja!X8pLm6FIUR(EVz8n@TFs^dTtSDKKfRI$Aq$NLhqt5x=V-Fo8Zu
z8}w+ON3A)boLHI*)<Qx8=*8Y9Z3VUfTgJ8IW9Z`@j1z}?9hgUcNb;$y4XJG#>?qdE
zdKDYUDnxn?CWJPAXzc|)W}4=$NIn7NI9mXI)&Fq)t$N<phVvAk0U4TV8ukzj=8r^>
zJ!d1T+YycV^<IUd*E4JO_PY>oWP-NnOG-U!G-0)jfJkpdOKUMA8{w|Ibx>l;{l|L;
zyG$TR3`~}}GUw87CHQ1~YodTPkL$=YfqaqpNZ^e<nPtgl#9Pltt~kq7%!`h~@NtnK
ze5+q69o6xB^J~%FU%VDrl`Mjps;pH40M);}wo3Pi{29Ei-wn1PGQ=<n^O(ZF8J%9u
zjdosd6hL8UN)Q@oFyHCIE_o9Yf4BL|FKX4Q>lJ25$DK^D9PF+;*NXJ`spgdHo68nN
z-GF`~x5X3);edFVZG?P1-~+`LG!BjC9IZj6{#z<5ftP&8J(L4UzG#$R1GAwK81QuF
z-nd3W%%ZWJTXZ~-V6^HVf>AWkk)m!L)ciyoL*P08IP|hj3EZNd|CiReVDDe#GM^K$
zmJQMHgK=3t;^5*O*I1Pz(7?g;qsAdJVyGFRajDs=ovvhd3KGXNW5CFv2{9giAoWtp
zk;FEJ6?};fFC52y;NNM(xQmWi6SpM#*|SYgIFZ-oW7C&6t5}sZPnaz#gd+IA8x6r$
zmq5JOX9vERGS+VTnh?tS4N->o<(q^hNilwZRO0Q~b2LNi6_*5xYczW`o5i+CU9kmP
zwV!C50k399tX1`&)O4WF2y0^5aMiR9kzx=%|0s;DLfW+tenl*-zXGxWQU2qa02&JG
z;LxblK4c;zo8UaaEJu@hcJe}<@U;MBdjzIWdnWNG#@WvExlh`vDEo>v+NF3KF4}6d
z`uRsV#7*tCUf76*sD2_Z#<4ZqT}>ev9)9f*GJiCd><m$aZ@`6G8LG3`>?(VMkOPK$
zz^;DC>+!RY8nO;JJ(vt{2Y)<***4lyX<Mi$5;-)oj%yvJ%m{~2M<N*VHnbNGzuv&t
zIuamR8mI*Z;2*!>dXCTIXzi|wt{fn?Y>%f10$Cz$q*C4h>JAhY7GWwCmTT<2XSfp`
zxr=0A73}%PJBDnzfd{MtawXyyiGzCOVOQ_0>nZkq@G!z!>)MvnFVP1&%i4`$1{4>=
z<yupbN`*x$%W!5(tUu`wz0F{`J&}NJU`H}T8V?i39)v4>GmB0^Ux!xhW9avSvZv?E
z`Zrmk&l>pVTQr&3CEg4(pfaDDceL+u&pFVY^jNisxAf*}vG4N@!M=H-3fR&9&lL&C
znv>dI)nPDaQTH#MX|}BmAdQ7zo<lRDs`DIk5XVz+ge&zjLz~0(@oSDHXg6~ibBk`R
zc(RTeGLF3ke=hL<%I$K;!e)eD*xw5=nI1kHG2Wdr$qKc#)nhk72MAJkmt8HvSwDA|
ztpu;tDyOwrRqpB+dS2FrC*xVGRqq`4ItC+LzvLC!Z*3}a&w$3m+`<2GqD*r(2!bX<
zL#md_8c-`O#4DXwEs!hy)3RslBFXLyX^|60g*tD{z{0kRPEkQF#{R^iIi9H~n_G7G
z)=UbTX2eMN4xIiVP6P5K`(f3Yzj7doh({o8MfA*r*g5{=IF<kKP8;O3kjK*1yGOer
zs3KA0|LSCc?xk6D^`|^~wY$(}75=iG{()Kmj&&FxS6TdL12Blsfa6MP=gAEo>o4GP
z6o)u;JA*W24-nO=0N}Cit=aBlJ8&dKy_=yc`Oa^w8pjdUnvFT}EW<&~3Tpg|9|zrv
z!wpw%2AScMD~SunMgTL(n2&V9>oW0+=DbP5-iVboEfO`^ekMEJC~F7=kJy_NUz06O
ziMj2q7jEpQZ5((WKLs4b^caW)b5Wgcp+yx};x0`sfk;z8&?l)QO%=WJ<Eq>u*>ud}
zW}Ch5owQ7P{9js3*Z$Nlb?bXXo=J$SIZDbC=CS$Lo_TU}`dSd5QB}9vD!tB6uAVk!
zsQxSoG?a-QuA3I?LA_Qjz?O}tn2P7JTj%@^i7ReqBU-#BG0(rgAu7?Ob=i^w0rloE
zRdgrnkf(_gaJ+p3<ivf*IVAIY@t9h9pQU-}0!AH?+(de+Ea$i%4ne0=J0g=WlgrRc
z^U0Eq0&%vv94XxD;wR=9>f(t%Gf7d+y}1Esz1oYO(bX1)wXIb3shbgL+GNF0;I3>L
zgak>`U@)by^RSsJ%264)@$|{xU66nJ6Z_XE>V+o$bV2Hd`#_o#d4EmzYCzLev)G36
zvBOk6l^IHDY$1O<1zzC$O)s@(G*0)G{!O3BlqhNXsoio&(;{Hv8>82Oz-+cF)}4hI
z`e5+&0S_UUZ8k6H5VX|qGx72<+yL=lUopT;>ZMEbNHJLVL|p*PBMu%iH2jf|-$p^<
zclx6?sn0FCl!L%Zx^ZFA7elwt<<;Zs=EMY6AGX~8GGap-Y$1)1DXWMne;ScG5Wkz6
zp9f0eseGRN`CKA096KPC&qnqH8or-^#SM*Zp7=@YC~)@~JFL96Y9)tdyXhAW&e$9x
z*F(bOtXbAY;o2!GPeI6P03cQ7)DzH^nPOM~5d0rOb7B2~9_#?vQH&v7RgD0_XQ{b2
zU1>KS4{<ok@Ld^vLXC6M293IF!^+JduY>f(;U;*3qE{(EN+dSAl?232K=u#2e_Tze
ztb-ci8el)GB~Nk^`Xanw5K*_DtihA_oLK-QeT$XQS5?FxCtKC+Cx6wHv_0$Y7(ola
z1j#06b<yvWFhHXiA)8T%!``)a{AbX4hev3nH`TfgP7ScscikTm?5>heXi*29>zIU)
zwnubAU$WLVpXBFz`qFL0PvT$r!gy1tETXmhEY^S^Bo(24J;`i#p{7I&P(}ynPeF17
zIf_IxepBpyhia-?+9XDJORKktM~N?aR2b)SfbES&9GG+5|69_Fn9_#YmUINzh#P?P
zPc~1`3Z3G|4O`9Ti+scc63g^Ca88lTC6<bHH32xd1zn#Nph#(+mt>d7ZvcJXc#!8L
zBzUEj7bU~jOrxSDL#9JU9`PL-PE8i*CL?Qh((|B&Iivh)jnc&}e2aE>XlW1WUX)Jf
zn+sqH!r`phc)_Q+>-ystz@YA9!0I@FxvQ;p8x@}aW^)vrb@OoG2#f0W%;xbLBq(&y
zKcfFZppxc33EoxtKk0yw#yMs$q1m?=`*X-d!96-&drX`#`_WUu-VV^@p6vd9T*$Wf
zMj0L;`B4W6HL?Zn4g$0ZNPq_FmS6{fzOkj*gv0c1mGL!bQY*nE0}1-6GjL@<kz2dp
z9*G%49qS=5AlvXG_)nD^You~Jq!1G72UmqGQutHD%Y#nAOK1tWO<ZOZs^<ce(rG+X
zW8u_@OSl$Xf}6kYLEG!HutozkJk)x5!xEerKRAPF(l-4J@Stxw82>@6{OfiU$HB=5
zP9;G)h62wQzxpSG^rRG4-WRV;4};jp2R0XEDa?wKkh2IN`RmQ+gcfYZac{+_7CJ__
z&k1-iMB~qVVel7vj@Mz6i!pZwfIyI<kuaFK&ep@E-835tX=IZTM!{#L(q1H+Mzd1$
zg>)<78VeKq#X4$^mTi4z0P`dHf0-Xq^w#1Jv!(iCxFg=|>!3lg67*61P}c=?;sa<4
z%m<)w<<^jSc;C52fsX1o@WiXLU1;L2Vf_T^a~Rat0k~}xB2nH9-)q`B`*fJD0513V
zM!dij0}uGQrbR+uoP%6Er|oMv)`95;6K8hjv(%TC4%MJ<&dV`#5)m|SSmaj#g-}xJ
zZ8uFYMB-QfJ=TBo3TX17;cdKk2oeX-xNGvk;a;P)J}AW8qZWq}IIlaPye@YWh5TQ#
z7&HVEK*R4K-K@$5B)85n0TAX3TJ=Eyl-1g-3F^!Amm;#%ra~lhV;2NHIk&ilKLGV~
zy8{v0{PJ)K76x_S&Omy_PP0pV!4*h?b>}ut?SgM~SqM3ANnJLev_*!_mV}CjBMYEl
z-n<duhC%S1C(pRR5Im4}{`~6=LZdixqi7JB2pxq;4s9cyI64Bm{oOggtINWv?M77c
z?Cr+gRZwkxdHJAB4<DEDz?Td?&0nEXKcN(@FDDcX5ap~Xq(ZuzS)j3q+{(Z||6MN_
zaZhi|b)x5#gn7>XxVI7S)NU5ZLZ8rSfPo$zO8BZ^M4snSWXfZBRG4j4`DD<=F9E>H
zV-r6SP{SCs>MCX%T~t{OddNVVX%z6>=jnSRp&~(jdFf!HJo@YDyI*eBhm}}#3VEY1
zL!OEt$#J177;?m9cX1OI<+nBp7?rrwxLuzXz;G0FW{@lR#5ASxx)j`7KOx`~b0!#P
zd*d%?mdE+oo{z{!KeEr?44w&dk9MKqt^9~b)bHzW<$$5(ye6XKynZtE7%{^0jpxnc
zq%nbxE*}!C0A5L}jW-P9E?dO&??_x;)?XUf&kqp`-?aSbGeV<^N%tp9ie3A`>m`@>
zNS?9k6XY+kd3k3IM(|GhKY|rYrv(4VUC5v?zARd!HW))kkYGs*ToWSEeG!13c|ee}
zJ~e*)`y(YNP)K2XVxO^yZmXW=lT9i@Df<Y{^uHk`h5Yt&M4bh!m|YP`v~fqBa10KN
z5^OIZovMFhqJLMB_apgL_)s#L4!8xjz0Sh;va23Gr<3#0mn_<f%|hn_&?*>*9#@)1
zRvMI@b{p}mPRQz0QoDRV$zkF1S%Eed!)izgg%LmieL3I$4x=b>@nZh<`U9^c4*MbT
zE&T(5JYn-^_b3hvZun-!9m`@+u~Vp2Q~w~}Q072<$XHps*FRB=71)7@8Hs>68Tx2F
z^PwL%s)hC<{ki+8)axq31aZwta#$LSi$Ng?PZ;sVMvTjYc||9?%Vn2FxYsmL7~l@U
z4>%(M3Dp?9f=7rAV$f(Q#Pj_fH#1|~^h}y&LG^Yy;@U^?{l<o0i)HgR*qJq?3$W<1
zx7@Qv5Pjm^n6Ap*=tKKdLZfu&+)f3Ye<YK&C)q~~^7WzbCK00U#aV^JzTd%oC8K#o
zH6o@^SyGO5y;@F-pZkqP!RoCn_BZj^+s9X5C-5{r4c?1`i)`5k@A9Ju4ACPnBq%XG
z7a57z)p?A=VgfB(f=@PJb4<RwMmDWkbOm#~e|toc#_bfOv+=25{&`;q*|1OeBBIml
zv1n6~6hqtkrlqu_i@W-$Zx+f^Jof%dEDFzNSA@712kWb;jBg0aKHXB#-8mfwnNzy0
z_e`=QD?O~glUeN|ZNB`><8=R4<!J(~We)v2hrK+W4=YOtIY++twk~UY645+4Zx_l0
z-8tPf!?ZXlU&XnR#tJP}Lav@n5)7?O7&aC`Xeu-fL>R0TRSox20v|d~e%Z4~7XDs+
z2Yx8o4y&UqMfA8HgaPe`**ICAg8r}MBRQf&WhzGjd5b)nE^1NFoU4n`rtfINvjuQJ
zQ76}T4^(eY%R3Dxk$#d4rt@L+_AwirtW$XQO<S-vun)e~Eb<YeFh100tQ3IeM)<h<
z9x$bK;16nSRz&gT-Uq<wF+gGAak`ur=|qc@l9JMC)>xa1pl>#{W2Q)dzUVpd(264u
z<!N8VmT!F%lRF$wz4qfQxa_RQT|d$k`lv`n8;-*y_u9i!DTtuX^(*64qsZN-J&d(%
zmv2TmAExb&jT7tLzU}flDU})aFfv~S^?1TrPzx1Ql%2PHS}ymf=Z2^Ilv}J7bDhJ`
zTXB9jwqa85aVN2Upvj^UVyZO7W`sUiaF(MwhvPl^J&CeT+(Af`d&0y3U#hlvy60CH
zakkM5Tts?Kyl#J?h5o0;VTA}%hLo_y#TsU{Cx>ZDB*XH|_ikERS;nb2-Uv9pIfI$K
zrn~rxxonvX*amr#?ncbRBBQy3nRK>`KM<*DDud#qn>hJW5M<<9TNnFJt*FIqUh@yC
z&Ph2=@SS#B9gn>lSq<ke&by&K|G=kyw}Q&W<K#En@JWoo@l2jb%1uS??Be8VWY}%q
zaq78Al7V#m8zxSYrZ$anLZ0`{PE4^#u`xE^oW-B5@C^;j)zFu_s`jp@pBFrQ*To`A
z7_AB?y1c{P;x<m1ZSW9l>WPywav-3hKEe93=zBQlpEvv5=O|dU*gz(p{PrdoW>>W3
zU`yYIbV4JkMk)GSd3KK@EWuS5yzQNd;zE=IS2wrLv9VZh%xGiUZW4V2Yp@WKDm!|!
z*<UeEx!-!GB$Ph;VQhgk(C7aC*a=}r<d}O+X~Wn`L%Q*Y3Zt4JL0o?3_@02UdqRnD
z<78Fx3(dHLGi8=;x~ON-bjfjj<r{-*eapnQ7fX+OhrTDp3~DR!gpd|oknq18&vTS0
zKV~<O7#w1C7-3zZcB^wuU=79ij4Rri@9zJ6F~>EX9MKW+p~k_Gnpb@1`o5Zy)vB9Y
zia>ol4m-!8lbiLc;VX6(qVxh?I`v66--;r+*Aa`C_YK;2o)>w`&y<n53UM8TiE;3{
z$C<Y17hIb~wCY{<z77vpR=LLTWv!m(>CP(JQY+D(1()hIjuhNuDmfJK5O33RT;48~
z)A+AisH}i~&D)!WW@z>N=RHEx${!V3+8pr_ccyVI-$%Qq&c%eBu^Q}N=I|R#rF}cV
zGv|4xYWa}Ex4>=w_1%mQ+)xomQFKaby~wvKFQR+<{TTbAc>!C)k5NZEIDLf^R;w3W
z$y9;zNBy<hQq;D*J1^teJl;orNRBJipHV6*R2U{p)&6wZr=!{$(OiL*g4Q%s^He6}
z%4X&8@fsiJb$G(>jSDQlcwp_5r{v6#=4hbpe$}@uWIgN}As8m3L46dm$v&LV%Fe<v
zp9(KUE#%C1R+O^}BaeAzYbE^p9l@5=LRbRz0|A{`M8a0uV=Ap6rR|ftESEg-&ZXXd
zChu|!-|8TY45sNyd2Xk0^lUIDKWRuvv{ceXM7jFAD$~koQc!XRU=cT8*1xq_kk#6V
zMXwa!f3MlZN+F+>^eOTSov9jw4?A0K!z=N$qNy>iNwLh0TSVKjh-y-q^oa2he;COR
zgr&AsAsY41HCw$BI>HIH&zxos(%yMI?&W;xl$b4f?)5GgbG)*<SSuT5Wjx3&>f9%$
zfE1yhnQ|H%y|wm(a2h?TWw8O0g5UW}terxUs-o8+Mcvxy*Px(~rKyZJXa{(0NN)^+
z-gVpueO(j|!3=kPfb9Gs{}w}dV;;Xmp!4<#Kv9VORYlnOn0dB=nKv{K`duarVz$P&
zudUo{l$`xHA&U8;P#O(2M^vB2&9|k{Qk+G7+p!+IGU=uYvJOXhv)HXhPG{Bie#+X&
zr<E4pJO0*eFxRSO+k1K8M7f8UuOMQ(hC;>ZZiXsR)*&&vWn>R6k0ERubZ(yM+w+#L
z{Tk1%ArhVF)a@`_d(A}%`gxo_?qJW@%qv5IyDHW?kqI4dpHZIY+Y05SYgP9z$F~+m
z9&SpJN1MqtE>wu+A{kz0Hz^bB;(uQZF&UqVT0ftB$d_z>eKUcLjW6g++h9f+<qIeA
zawZ#P0imEvMA*8D`1KcsEjc<Ci=a>5zGsSPHA~X3dlyCbIvsRgcOow<kBG|_zN@K-
z`KhWV!3;~&kx#N4jFl2#vn+p*4hflF{0W(!gFQ?z4UQa9=Al#3uz&Do6!C(DR|y?T
z81WYxy1+{+li*DPA_SRo+cBmOI-A{CDYC3avFp+B1VhB6bS6DAzx)Fv@|&1O)lBit
z^o|XF>K1KHQa%mAD)K~6iBFbQ3&Ko@^v!AP#=BY`Q{KiM$IfVA&4#uZiNF^n_hfCQ
z;CvNQNh2PJOecb3=IYFpke7|fvK;_TuHZ{6BJS;jdmF9Fk{2NIYrIN<H#X>VMHOyx
zc;T6V32mcR=BILNSQ>D7irZvF{nsJNw&>%PX5stK{OsJB`R<;n`TJMA_~G*l27V{?
zuqYz4s!y$ut<U(oecm{kT<K%`^<xqASkwRnT*m`W8}Xy=lx@Z0*bu8ZA8*Xo<_tPc
zbePWe`PYz;Q4jos#CTLXXkgLiK{0QHqiLWw)kO?5yVo<dx&0CLc&wjw`hKK4yS+%h
z%zaTQvCb*6Xtr8<zi8HqPDE?Juxfja>&v2M!hsnUnInxsK#&g8kE5-^wYbP8hvRLh
zt%G?{xAWajI~(FrnJ8+>Oe$z}qE{P1rc4OapPGr{-ci>3({gfh7_WyLHc#kDY3CDi
zeI{sa<<*gvZb3j9C($MMxS0MqYOE#@Rw-j7+)LzQFus@|TkCl6RkTi>eu~ewY8iLD
zaz>i;nd-sqxAFdjpPI;^VX{tZAGMMZot((0QXO-gMaA2PmSA}2V@Oh#!rd>D8-6xE
zZK}%P_*ZFT@MWWFBR<eiXvy!__cXAN-uQ0ZZ$B1|Ieb)@C$ebu0Z9gi>?nekT%dKR
z`)%uxaSsWIl4v<I2B0*MQHLW__<j)WI*ZE#k46bhZu$|lW{p_ZCzfst=K{YgwJh6{
zd9B*2)z_8QZl?uKwmQoSy(!Nc8RzPiMNs8zo_PCsLy1?n2|Dg>o!p#Bbp@X)VJo*x
z$7kWn1owM#u(qQmT#IgxH+H+z!xs6OF=0yx&`*Sm!j?~UIe+=_fj=g!T(nTqgj~d$
zOhv7sxpQ&@F7suZnzqmA^MEO=@TTL<DaGF5GVgcMBb6$cwT>sUbo?dX=mUP$TT0b_
z-1z!p96xAeYl=|GdB&J{C$I0r2+wu?rgSlEw9*ii84Ucz+2R%@^;=qQwDC&S-8&VY
zCX$R{7>$_Xd^`cQUu2xLW2xEi(Up5G1(QMfly?7@!E$}&OSF{HuA~A@5_V;R<pi8L
zCFd^_bt3fCPs<YLX|Eq$37sNcgbmIRPTX`adKmOcVo&AsH-#4wa*EJnF*5gJ(ild1
zp*88#ao)<~XhHIvbeKQ$`pcpk6K4Ru>qUPC+Q=~U#~=s1v#wKwGj84x+Rp5cZZV4$
z*5C4RmXlHFOvQKFu47MLeGi<Od@srPOU}Z=;AFt`L_S9T`>U$lTj#5k>nB^f4w5nP
zP*Pv>>5cQ|;ac;}vG7`;olfwqvQD2D)aYu7iyaKbZ5vz?nF)RjO=M6XHj;}B*lvGa
zc$)t-ib^pjmBvynlfL53Tj;nzQS4F`MYzH<9ur3=F;je;on%4ZCb|5dj69xY!*ihp
zRz^Mvx~V@lNIf!}48FQ0rc?SM=bHs!B(5bshW4KgRcF%{q{p1IAAY3nVO>o<$5LdL
zbv*6aITE9kfHM2yV>u9rkk?X%S_+!bx7v<qg+gQA6cvBi9UE+We2ZgGYB^<swej?&
zFRJ;_;nlQPv~tJBK>LkCjSHp2cXcufj$I!g6FslpTA{l%#A_&6nzlU0MVDt_T*Lp*
zxPAitRvy`jz!$f*w0qSn;Pz^eNy4%LCRw==I_$9@TojFj>C_BdB$hBf&cSpx3_M|+
zpnn9?+0o}j?>T6NvG22W849_!hBi?!NAt>LLhW1=2lwAH#n$g%X1s7T+x_M%2wwx2
ziE2_!a;vWtDD?qLUp&uuyXxpT%;ot_8!{gis{9irMdZ53{3|X=7RppWw`wrU$|SCF
zGkxCb{Ke9)TLT7uMPSN&RvT6So02$T357D+1)P6GHAo@h2>3v0C$B?vYEx6xnUt#A
zob#eJy8BqSU{n%I-)E7m&!1g4k3elEVAgMfmU9Vxc|%^r(>qHx>EDAFa#<fw?{eK=
zN@sdOmDDdv6K@s;tS3(q$mUq`7B|oEj>?;PuYJr}IbiMvXvMAdr!LU>U-%Ovw!X>X
zd5KjZFill3pCg;d-SIkOv7-cjx1~L2ag$&3&r&PUis*nUU_CCAM)^3tN#p78;5X@j
z*e1O;s?5d7eY!;N6W0+N<vuQYLL>rkLXt{Rwe2X5ob?ZvCsOvboMGIUdh>4bU`pWs
zYfAXiaay5j+XrwRU+)pdlEik1d+Ci(J_-{j6!L<rx)36xYDI+n^1%jI$wUw4mqp<;
z^<Qj63f8x`w;lccQan67RDkY4zRtRnrT>&l01$F@cssy}fE_b48a%wboxQz*o=>0y
z7V&~bdc0xg8N6_qG$eB<a<V@R1s$AmzsNr+fuW%qx@uATR5g`1deMb;wJuuu8b}Se
zP!I8g%83`twI@=E4Su`qA$V?DK&V(%`NI9j3s3~>c)puR1#wMu2IFRtqQT2TzX*KP
zbOGG8REVLSgEm>5d(WQPEUQVhjKdrvHzN5-O18JHS<E?v>{%U_CEBh#cVy;@Yqeje
zyzA_fti#Gz&Vc*<<+p8UB0?A);iQ%?a9l!P)M-xuEul_m<5IjO67dN!w-N-t)>GZ%
z0?{y_U{XT1T_z6ZgAT>zV=Yy3TZe}ys{=zpN^ArkTF352_fWJz1?AylYrUJ)B-jNq
z!vp|aAt%zzVM{ARcU0?Tk~Sh?KMCKBMorf3?FtdSvyVr~1STP3guo9Pf!4sQ!H7>_
zw*^0F{fLlLDu&A>weXcHofv73nrEI`p`dp9EBe6@#Xo}Wwn=9?2m$gK`1UxkJHvSV
z%0NWzd=}@bc*vp8{&$uvK2>H2VdyRI?*8Z;D0L1xS<ec3g!CkZ*F|M^cDAFtTP%XL
zT@-vDJJ_<8kYyb8PFAnj@T=N1-ZwZ?+tob@OoHz&j1WM8xlQB4xv*)>36x_0pxv1o
zQbe{G;ca(!?EnB5;g{FfL4}13u-!p{t%~AgWiVu%zzc|hi;Fu|YnL0tsLooZb?69$
z7zQBn3F4+4c69MX-z=(eT{$NGM6@O)a?Ads_qC7-v@X3QgStTnH)X7CXQ0}fN}YWA
z$%+zRAs6LhNzS@Wq~mdB00`$uU;b;1TcbvJYJorQy&_hCFUc=fA#Y6~8Pwfq1rZb5
z{`_%I?{+Q$=#SKpy;}D7UTrP}Cir0Fp9wB!%?U5w@*NU!U;d7`eJmgw43~oSDSjC|
zxB(>8jYo)+v5;@)|NZTMi);UyzDq=8Q1w8Q+g!<A++;I&S_O#=HpKrG8KgX>(ouz6
z*6r`h`VWop5$tC>Pncava9QE$zc1?_)V{y&_4G*b_hrq1_rGbE{rlU%;K3pqfWjzY
zfCO;vzb{LN5b|wdsC1m}?(WNLYt$qpBvEX}GJ%*hVSIFu_zvxv7jP)a0{<lS{QUg#
z))t+Nj0_cIT!=s(#TV@cXS(F@-RM_V3*slo>}Rh-x_BAq8zoS0@1?$=cLfv5f-r{)
zMM^btR=r$gW$5+&uUl=t_^Fw3@uS(RoVW9WVIJ)VOQ^&O){s-foc=YRFGxyCr7+06
zA`li`1{W5zqo^d>4tQnIF#-f37d?4N{SzpFN@9VS&xQ}46I{qOd{V4Ez0g+R(AMpz
zJ>Y3z>1MfSCZ&>i*8EeGhBRjoFZ5t>?w9MiRXoVodKUUGAoD%*&XJN^;D^XVJPXyE
z+smlu?%n}uT`SON*5a*8n9u%F3B4wTf!Lg!RyE(a+{vZft}vYSku7obyX=<%h=`-L
z5fV+DwJz=l-Fe1ruu}eTcc2|eNMrfsef{7G#zMMBL}Bo!$xG8+=C6>|;FPB4C>jWS
zj}SYYp|Mib_+crYEN=R-Db#68sm~jyyrkD)|K-G1^*zQt_-oJ52R?=8VkBNlt|xam
z>X&n(*mE|$s=&~&NdXiSxeeY|!`EF!X~x0|^N6Ck1So6O3>!+O*f6HE(|)$g!=z<k
zKk9cNlamNRNTgGRf4Efc`le3CpU%%T#cB}8%uXmZBY8G@6kxzOTPa_4TcP^#?mF6F
zFhQi@-C2xt4!wBe3tq#SQqnOSAR8guha$8udZ9{rdasm($GrmM05V22z)aBVj~;Ix
z<eHg~d`fw2V{|Th^-_vsj9hqqH5OUH#@dB0YRB%%@|5T7>?50h|8Zl}aIGli%8rxa
zu)o#nuD0sxK;K;yw-Zu6Z$a`dkB#_seRZTgoubr3=YjBg@_YU454GD0HDZ*NY2CRC
zF#Qh0uWTaI9FqHiJZ7+!_HFon2VGKbJJue1A&bA~YrD(nS^owLy`#k53oCDOp+@Sa
zQc(oxkKG4Nx0UwQWYeP-`;H&9O2aTJH*su+Jrs7|d<HZ3Gsz(J->=+60K9S(62T|<
zg2`J#hHFh0^aL3EmagpEGwv6wy(h->g5~aqN)m}LYYpA{ue}trKL#Fe*YMJK#F@5p
z_ddmp>(S8vnX}XK5fZvn>Yeyq6Ah7y_s|`n9Lv{*MAb!>2aS>?`FvbjXYZYulID1t
zO3uaRmVHn3TzTMaI^jrJa@5y~(Eb1*`x@?)ByQhoGp8%d6ZQ<rZpZ|I2;Y>^NSMx_
z2O5<P34t?v5im!D`r?=vfQKF1*w{Fb@Rjv|5tj8DwK&;0x`3Bgx$$67a&q$J<)!#i
z+k-{}!H&+MzXVwjSQ$^fR$x6Qk*u7Kwqt*6u?jc0n@kIVB#6q!TX?vwGLC?JxaHp6
zS~YI(NIA-GVgp_xcK0#eShb&|lu%#7l;vzarACOPow)8!qfXR27%Nd1>nE2^-!!NO
zUlBv{5eBHK*Y1%q_qS4GoqtQXtJkmU4Z`H9pLBBoO?~*Q_=j5mi|RtdcQ^Ojbpel3
zn?A||iAe#SBtWH9_9S25Mza_eb8Tt5J?f?WvWetOo$eK{8{__pvlM2$>2Om}y+dlp
zaXAP~zH2u#I~}j0Yin!UI5^}ib{tC#%!Cs_qosh8I|GA*gLh|Z6(!>s@!4_LmBAkA
z>z&1qsMpTN3FN$(A55BtY9nE+*^$O%CMzgYc$Nr#Ij}QNmc(;1Spt5<To>s)uZhSK
zoFnXuO3TVozaoemWI#Dr8ZLKRHBa2yp>)HMiMuI$n%8G;!j$_Yu2B?gv#abN=k0@v
z?b-QHfsJJ1jJFrKQ?`g{z4TcM1jCC}r2Jp_{9UUGcfVe9dz=*9@{EZ+EQytq)I1Hl
zf1L4W;f4ddOD+`RWH=b3>2Bs|DRW(dcLbDmd03^}B7HF49F9{HrlCKx9Qb>MD7_bf
zW+VwqIGydojk;rh=yd)>T}c===d0>pnts9H&r`MlOqc>lX8v&cf(uB$Zuf(f{E&2S
zltoM8TkjhxI>qhNvIVnJLn5=Mt~Bvh3lUx@)A<M}L8zm&?^N8vSjR~#3#i=Y-u2d~
z@KU+Vm@4E7b0zL`3H-i#uroXbPZkuUz$*9eJ12;x6XXf90}Lfonb9hMMAtJ#s2UT|
zz`^nQ=VVa>L`gQX$J0^bl`5iOMMKNZHGDqcV5+4~@1d?>^pS|F`t}~ZXzz`%5s*v#
zV`56NXa!oKPDiYcu&&OIx%!h*o?*iGeAh-TyboUQ%e^MCP%=oKa|&=&vWfm04c7xI
z4k~w@Y;go%@>+ham9Ne=e2W^Y;gi&&47E^;4l7vnqGU%3yC3<d9rJ#Yj8kpm=%iMW
zUWCzv;a6o-LB#oB0jYAN*H6(8>;CWEm_BC&O&etCcqW$lo1kX$83}O{O7d!JAEz2f
zM!)AEnr4c?t6==VmS@s$u0Qv)=_puv$<yxDcLG>s?*5-QpGIGhetk<x%j{WTV)CZ=
zVU5N~X$k7nh9rH`sZC*@?ZwdJza?S~4`|^m639dL`ClHgaNMx|gRyC<R1j6Ka_z<!
zln=(@#5XU4qo2ILt}MFN6(e(UzT6F*WedCN$V<SXkx9|nXm&n%$2{NgokBF-<2H~g
zB%SQni_M1yc_*gNkvQ>Od!N1dgkA)Q-OExn%BOK}!hMNs9K3LIbrWKY+*T!X*+<X{
z^2Q{8t4kvM&k+r;KP|zb{B=kiuhpruT~RsaI9;|S!cgw@0QOjOyD1jY-Ns*$*Kd{N
z-(#U2{3h2sNxnR7!Dm%_Oh96;ZlZ+e9l;_xId8)x1}{t)ggGFf`mYe@>`7_-z=<l0
za*+D1<5AH;&zr#~^qfn9sIX!l6ky@|Um`bzL;(|T%%n~531f`^jwJs?S358?d7Cl)
z+Dd&WCJcKawo`Af$}Lsot&3K=%E3K&qb-W2r(jU&@I&I2bF>s@yRP2vn4hU!x)`sC
zLCkpR0X_LZ!}`rs*O<#=CCR>ED8L&N-x?~+LA>?o<OGw2h2`k*Fal6~{ne6wNxtWS
zBotWCJ*`a+J8_OKF2T9Extv^Fk=P(hzyd+>rjNUB5xKgHb$sd4s>~Im8R{J>C@$af
zd*N%SiYE9;HBl%O)&yUImGe7n5Xh<y=u1jP!aRkLP~D?%cc<7Sl3wO_tmswu{6rv;
zh9-bHY}`0FV3CNTTDnMs6HAkXjs)>>AY<ub_e%WBJUIV2PF;#WUvW6TxcEFE^yVQx
zLMEOf_OjWP9C5k(Y1J#V4ABtq6*3)`sbZi`2Nr|~Pkj)Va(3CRYH>aT+8522Nu3b|
z4oI*%=}+lG{&#7%9^BF-3NOoB=p_sU32R!8CA|@D5d8Xu)BF`aMR?wU#bx*52`4lL
zLa2a1YsRGTPo9iLVHD%{e!mkSPndZ^D5L=wq5d!lf#gRpG(y`I!wZd}6~zh*YAdmF
z^|Bw)IQ}~$VgzoHH6BnLb{vF}(^&*Sx#jisXMB8o3N_YC7p@{7Wr6Ss3FHU;Xa>`J
zOR(pUm&X_qM+^hpKLcmNeR|7V?R4=#6#Bf{@Es;;%>w+5+UP87n19%x)Ly)BL_!pf
zdvpOF><bcE=qgH(6d3o0@|}UfIfGX7uuA^wdQ@1VbqJ<s1QfF8!Beq*25udaeN6p-
z3iE#_6~B!W|NqK$US}@Oy4=cLGo@iXktq|F$TmoW9-hoe>If!OB_(kwp@SqmGXIo^
zeG+b+a$1fUB^i^J1XWE18rcl8MqrS<wcRS31r`14y2>a}$lPq#f6DPYHQb8uUfI~7
zdH??X^3oDHuw2G)+AMEI>p_+tU0^V1epm&E2`}&MF{P!YEw8Q$>w*6v53+}>r`P}K
zk!Uyh)t<n9Vi+^1SzBu!o-La=%}N3CkkyfMcIv-m?Pc-M(}joo*czLn@aqPr8<pkm
zVBCB&I37HHGori3frmA_#72uytie?6zEvgz_QFZmOd+I!=7)O*fWME<mWY<*3AM_c
z<ayzEK&68M<$7>+b0Y;Zsmn%V6oE7$;L!lOC?a#q2S*$CtLxZn$z|Wb)7K$zykyRH
z*VELsb&g_RhIm|#H2EyG)HRW@q8%PD<dhKKuBhTy8+qNj-d7m(N2u40nloB3j47r=
zg0lG;mEeQHo3)AljS$=e76bR{rQ<0vuGQfMkD%@e%Iv_%{i>DAH;~G#Ya~<rj~(u}
zL92a*1I=fPr1%xPW>d}v%@7BI<}r3;t=8v0nnXT@^jAs0WRHz+Mr#Hrr>srFdCooP
zQ_WsR4KdXf3=V<{^U0^8cxnE<*yM|YfO<RXF^{0^-q8&pAu<WYyY$aT^GkVOB4)qY
zlB8$Np;S0`bxjD4_yu#cA|<%uK1m_l0>qtTJV&_Ss}sn}G(ldLaI-r<(S!a$VxdFC
z6#G-8m2+sRCR`b->6qrx{m05(;%0G4kNX_PxpL)c!YGA8N3ML;VP)6wd$MHIgUAEX
z!RX_wU`dcWtc{K#v*u-dCdaHc*#2s$kS`~pK5SP3DTcU(ag<tENhHyhKDjmW&z4G*
z9QZj$@4;Wga8*AVKgd5o-ndg0)9t@_`u@3ut?|!ipJ`a)b6IYwrL%^&Z;jT>#7kwH
zBT5T53bE>%<M!i#upG@&|0+T--IZCoPbD^eAT<h7!uH;$%vScB_HWUOY2zj6jZa^V
z{1`j8TI^xj?|T+(XcCReT4D3~!Y}?#)DGOb$-O5h&)@zS1Q2u5@CcS3*a@rf9Vn?H
z3U-ZdVR^oKXo@VXwkqJaBI1!Y#j%S-epM{dG+_C6W*mO~WXMMeMXEO;ZZ2D|6+<EO
z6C3_Q-RIN%2}!r6PH{kzpVdZ`7`(z%;vS34XFx%`dh5n#xhIGZim0<{=ZzI<+`_#>
zoqjV^y$@nthxlPmCF@^O8f@S6JvC>5lw^wuDik+ZfYQJ{K*01#Wj~&se?Mmbq+zwC
zBZuDBm&4-3mRj)gpdocfvcQ0}Cqts22|bzhP9y(jp3nB<uFGMAK2UJm13~`!`{zXp
zxKDrnmW$`NmGDi`prA)@(|h>feR4a7%yoIgQg$%<0)M<B>&b^zx^@-EU{IGBt}$nq
zNT$d!qzX8EYqp@BR6ia=WKpQD&|iSdMCl+^BY7U8K3dx8@+$U}PNBb=vVm!10Qgp}
znUW}IjK9T0YwZ;F$P9A-WJ(Wz&nqihoJ7OIK^m{#RG4#+*=q|DEoyobwO77pLLiaC
z#gfc>wXQ`Dll@hhVYi4vnl`EAW+FYiD}cEm0Gfi+NaK@EJl0^eHpi2sYm%O_{sc$@
zi<ySeE&lf%>Vo~%+8KuWQLCp3#AcHdnurp78(oL3yrl{BJapmLXk%|)J~I(2g)Pc$
z-C*#Td^QtK9I=Ayq54_tea#$NrV{-yTj2=VQPH~vTj#T-)HP5fpr=OJGTYd=dgqG(
zAG<vx$oDo;6y&lQRJ(n9g!EcJ%{fVbhP2$;?`M~C7+1eb_hIJ*rI3hnyJ|eWDmf8v
z=P?U(^IcjWtqJjJ{oqu{9%(sSLk@b5V{@e9gUZXxI}AfFCb{aJCgdd_!NLus@iJIi
zS}w1wfEoyH*znGY9u-<LB#TYw!)c~WIs!ZK*)r(}VaM87^2G6pQo2C(@!=HaRY`s@
zwRd#A5L0gqx7!y}(|~(Tj_fSeR2)|4GtCbw-~CJd*D=SQj<0{AZJ929CiV5@RxFur
zsO*UC*w{ula~k?a6O-~O{Ep`}V+vz#<EsMpS0-XCDUri>@A_mFRm7K4(xpC9aw{#=
zW>WL+e>*Ctl4zu0t&w;6U{F-6-ZU|BS)Lp9lCeq5qr6EgXL!P&FyGRyx;VCbCk)Sz
z9OK>h<|$gyU;Pn<_Wquo9sUjqAiFJWL)j~=>F&@dxk&&D*?%UtlWs{ik4n8B!EB7?
zD=sfDQ@sAP9|Mjp>++vj=ZzAm0D|d|$CI#%r>Im+B0d-e7*qCxP+p5<&^`!#K}{<;
zx{36|2Fs78&iZu|hjcx$e#Xj@y%Hz?lQ9AHA+PgRU&A3DUY11CO6d8(or7|iv^F(z
z^Gx3OBAJM}d$q1<>q7~4`PjPzQW|$k{#4%l^QBhrhwtpkdE(OjbUxIBVpGc3lT6Jn
z%LYnzY~9{onR@T;nfJ>+^w{^Nkq2Y#jtjVjnf&leo(RQ#c&~8PufSTqB0&90E&VaR
zV8w@n{47@6H6l7=EYTLO7nL@oM0Ye|fAWhbAh4Esj8OtCd|`YpX0Y&d+8d#M*G>=o
zZ5jL+cO*)5#`+dd3Q}ODd1p+q5c2q&2J6pWb#W6Rh*avPg5o=YLbsge7huELZiXjZ
zOQo^6>|)L9(~eW3PB<}sP<kgzsHepKn(k<&D?ZpmTeTbHzT**Dt@L##)02vMW23EQ
z_luVOS88G>4xfuhn|K!R^_0yFRJqt(vRsp>lexPzU)x(8$w;Krhbj^5(tRGh|H>z{
z^yrkod_(}E9KFL;S_rV$k&c|YuC3-M$aSa?wm<zK>h=_bYU_W(wSU*WH_O9|76r^*
z-6xq>LfOd%L}B!G!y~VKN)(@p8`hf$i;+=@iy+rsAW^V*5V}n16cgAT;6K6MGNfhT
z?aV61NO`K5Q;CK2+zR%CA?=*&j9PT`|HIl_hDF_WZQn|FNk|Xf9fDE=Lw8C^r+}1!
zGy~Gz2m-<&jf8+8DcyoJ(jY1&-S8Z9#&w_9bzkrE<$b=*wy_N}bNr85YyI|p4NM!7
zcHL(D>UP~%x`AHo6kme2w}N?}*3r$7>9B2Dj_sjcp~Y0(U~S$&6^PN;pns1(yV(E4
zXvAbRK&W#4<>c|`r-r4L0;lr3JYthyI;2F5ObqZoTz9|r_tJ0!kL$|lzrKGNTSLjp
z+Dt?gCpN?EdB0EaTHotOH@7P>alxa#w)t=2-SrnVHtwp3A$TyUB%%(T8(MxtI*p3F
z6>r@BZ!sGtSyp(sx-&VA-^vz)F!HN3{MWDYZYh_vdVoS6wY&=Z{fS5S-lNB&1iSqH
z8Ysk!fxq13(uNZ0o@J_nZJX&S0U?eWI7BF+ARf4bQkG|TCweOct&CBoy$Z)9H%YDi
zY`b6Fx;4cKPFfaT_e~+fIyusg>9z^6QmR-4p6hG`+?quTCpKltiweYW7T`+_WBoOq
zF9JCpgY-%<7C}h?gFa8w<aj}&7qw4oWkMhiR_@xfiMMYMe)=!Kn`Jn}4B)Gde+R$e
zyvW47CL@9ol^vCqcr+qLfBZ0_ChQBA8-DEdH;~u<_t;V;OU(UHxeAmpf&lO<RA*BE
zB%;2)-pkuNGAZd!1QM+zMy{_P6z|RYzcXD#kAJu~*5o@RLmSF=AI#C~t>pl;|H$dX
ztkFSKMT6*<@HtjXWL4(`or7vna5X__R~ZWGbC*|FEFi4BT&Tf-j4=FB`zb@CSQ5TW
z{Jy^V@D~@z>El#&e1V05^hS>4W!ztMFT~$h`L6WsQ9~%Wu=U^&Nc<h;S#jUS(HNI%
z%*~T)k1)P&qQVYQ1g9Sz19)nG9`B>zc<+%S{DCByE@xknEcTLT%sor@!)Px}yoHSh
zg05x6pFl7q=&nW}+<Fo76r3bX<vefwFxyK(z-b7kmKY_ntcI+tg(5TgzcG84!C$76
zL3}$5m~({lOm+3spE~Z(pQi%&be5Fr0Voe*Y5cEai<K3OHanOmqnI)Ct6}B8$zj&t
zpHk*6BB^aIY-EJ~kKATTbLY<2{}MZP?uZY6iep6i_CqLA=0K2{2nD%VK43Y5P0|bm
z{;+IhR4GxDYY!I1pQ(;uP(=C)ib!B|@<+1&NFM#aDkA;8UHw0(q-hj+S^$Y#HBh68
z`(J)UsHCWvnwlc~ug-N!^f<z@?lt?Iq=Hs0=#BMg*d)Ca=DrNT!6;eSaZGH@Z|>q9
za{eQK;D6!a(K1m9>7|n2sb}`b(mp@{w|1RM3+Nfp=8OmA105gx=foPTE*wYT{&5ME
zu!*4SgTsSGw-KNqOa($2J&%oH7s?IbW3&!hY3UScF^E6kx~qE98pa0dcws7k?2Z4c
za)>e%RPVZ|0vaCK++1G)I~j5g^OmM{Pb>`}Rww`qZXZa36diV+{v4AB5<E^Ie0mrX
zTR#Q;X#Q;zd{qP}zXgSk7HKmXeR^L0*P5bQX2`qzIBYlMy3mwxy0@x$>J23vZ*G~O
zh+T^y%~C?aU3LS@R_^$(BH#Z!pF0i&AbX?=yirn;$4m6N(l4L>_yYA<>tzVWz}Lxn
z)ZiiiPAvm@na~U97MBafOR(ySR0fi>iFaKN!1g6!DDz&aWEil%=LQZe4~Y{z*8BUW
ztE}~5SX15hN)b_@dgu#;Rf4{!Zj_?V>G$b3WTjM++22+Wav(b%u2b#o>>#U+l!7+#
z!*3o8Y|qu(g7#&pK8DTSwQ8@0m4EM=Hh6%i3o6K}t^QYNnLMD$MNg1ahu@O%$?hTr
zqD<27TrY;1()9h`EC8k7V&gN_5`%J1r1O$mhG6l*^X*v{q@_<Z@PslG1X{r(N=7TC
zBRM^Xj!^tWL0c6{N$(FIp3KjB45e^A?C*@YvkvZ2`^#bUCGJN*zbXoxU0>|l0^|Ki
zfsahDLw}5cC&vs%dmpq8<ESI51#S@<l3a)Aq7KV3^K=0WV3igB*Mtnl?I(w4t&V|d
zYd}%b3#Jk2&bPJ!53nifKTZn^3tO269UxdBUJcp6j)f$q&Sg#|iB%l|M*WvO9p6oS
zQJ#EMe+c#+0A*jtV-nK!g1J`^aC5zXdFH8{C00esYifw}{9}>&f%zFV=sqCb8_ByP
z_3q!hcTe2!{6jR2xK4K*J)gPXQ3}-v_-Es|(yv=vTWv<NA7M{`c7O1B>Pd21F*g~|
z8Q1!3YkeT?F+PdT7GNBhf-wnGfk}ue==U~ZObe@ye?C>L%ZA+Hz+d_^gzU#((<&KV
zU!I{?qs#<;>5QV#{4E%Vq1=92sF_o-vj;j$fIJAILg2|av1iRF=s3Om>jV0SSffJW
zr01`QpuUg*FAXKst%c@KiQM4?)1ZZmzI*_f^zUGVCu9rL;F0hCyagt*;XfzypB3w0
z_u@~Nvp~K2h#DXxkf0OQTYT-O>JnxMNlD3xC_888c(kVEk=G)s@y4N{4mb!Fi;hK2
zq7<-w^n+_M={+Ulu{okQZK~3FB4LE|27K4wU(<R@YP1RS!<a#HFhs2Qi=8ac<VB;B
z?mK8hQj6$e_%&AVYR*C)-n7I*HwBxezHWiZJw>0A|3%Y@s*S6J24i-a{h)$?NP#(*
z0?q?;pQiA0q}ZsuU4R;ahEGfiN-tfcg}|0X7j$xBI%?pc<uhy25)5%54`Bp{;$u@H
z!ogBt!lMLMWAZp~>;QcpfN=t+T{s5RSS5|uh4{X2?1zt_V`6DIS)KwJr=AwctAMdW
z&G+ZGF2JT%;?tco+H<@;H(?L*`jxQHpQ(NFU=dq_+kjh`{$B-qkT$nqLBck+$8{n)
z5-<EYlIr9CK5~AWC<~2HORLR*LoW|`a{o5*Z%Xc-+?7NmG0@`j&D-`TYcDZ~DHX`d
zt)Xpt{3eVI{<0)b#Ta}jOcNEbDo?|=CS*UXmw<k-D~u>-;K4_+sskd8A}q|jyYU!^
zTqprV>y(AC6Z5BI{4JO{f2hRE{oW)t&GC;K*%BOSeC7rmHm6j1{9f&fIpJGN2ZI?x
zrFuN!v!M43T%A3fWNgfhwnmm_vQ_3I5%e}Le>-2UmNJjiWZC04i8B!1k9>m+N@O8h
zz)?m^o6D`lw4qwXrNcfxKG5l98(u;ga1|?ZTFxeN7nnMidCkw}PFK>zz$xUmBty0i
z6+-V#W`+61&thnITm`e`ITKTUYW9Dt&^~(efS?ue5+uxivAfG&gqK`Ds>D=;1UCG*
z*?+~%e_f$+S2~F4n@;j#Fi3nS>#m{yp+LI9PA4WuNHPp@JII~iHCtd{i4O(+Qi{eo
zU@X6_V$hF>s1b$B1udZQs|pE`JimG8C|}-vDD_ymR&hC)N{_d3bVeb(;XjtpX>%Ap
z2mQbwn?bhOoIsD2E1_VNB0^IlV5IZv>q&=Lgp({UfU^tH$>b1R2}L7Hz%kUj-NRr7
zS0Z4>a&jusE6&@w_v1coG`=rH;T;-d<f}bM3_<Z@B0d=Ao_!4i3c4lqklnn+SEt5K
zJ;m5w6c$|hWaGzZej-42p1o%^r?FP(i>Je^h@+F#xms<hcbR+F*#4Tv^j=fd+$MDp
z+?sE{i5FaIpE84zL9FI0YeoP{RiO=v@G5P59`J4prEm_%Fk2(GY@baAjW#j7XS!v*
z%Yp^Ievbc)?k>Z;0dlFSzznJA8Pj*T4@|<1r!2<t+sCR)uqXdwp^y3w7LX?kcX;5p
zrkA?%UJzCG<>*6kUr=~EhXqT>uo6{4JI*1!czJY&aq!j5d#-dVHI(<C78xJF*)fkV
zu%{~tu&jcxVqcCBv4#^;^_yE)Nt5r%>F}C0IVk_^prR9E3}M#<u7Ifexxt5T`GZPJ
zOI3c#p>-uQc;XcqhZW&RN~NPjZl?cqv`fZ2iG2!1EM{~u{LT`z8!XDUO<<HCKfrO>
z3TK=t)ppyG&z=HcL3k{<nvd=kyQzUosX%HQ(68v9lbPjK5nvV@fmx14MBD^p@(z;U
zRf>>(#*c_!W}!9jprXJc(iw_x!4QzSPldqLCM$atbeQXkcx35<!}%I&)^fS88ijTn
zV4C4=7V5ZWTfiEL1?gF2h5IuIk6{HKj?S42wSZu<TUewTh)zu`t<%DZjr;6+aq@Jg
z4_GZaBy;)7T)|cz%fcCQD2!-iU<}a{D647r^7Hi__ojul#gl~XF)#-E!20iY;*Zt(
zoID}>3FV|`w1^ih^OMD)FZl?La7}DHM!urdP^`Pd=&CR~q8UNzJR8HfU@5I(sx9K%
za<5q;B_MgB?y~RNgg#V-k<LVxM5wh#aE>(*fO(<@k`)oyni1B_V4Sqkh>F{1iOUKE
zsLfg!!~nZs;AE*)eV4;RNjvy%E&~ecODGOC`5M#XTYEv=4Ap@mB8Ez?sa)OSM1*>0
zg1VD~N32SHf)suE-c)O!qZgJW5Ekgs-7=z;7?`reZg+ITaa%%<1i~#s#);(Nc)4RH
zZR7kjQ9tlPhRWhY-)C$(47L!F1z9XFFenv~+6xA8=b2;Cop&<^AR-vL2Acw40fR>x
zhSF&7h?IquFsCyHAu@&mA;OY1P=YUP+3H#?@r+7r2w|`mJQH=?wv=<G07?}81ex9X
z9ZW3#<CKTlzv!1U3B^3!-5xoV(Ue<e9tk@k@-wGA5@U&0o~VQ{lKARZ$^0-Y*~j6s
zxt&60T0_>A2IxA0k)}lCFhimk{u^GoVyj-962E2J`PooXVLe!fF%8U!$fbQT$B;T$
zkB>CEZF*0Qn4{WOu1oTF(0DqBhusakd(4pxyF%b*Chkd901-1DNr?N(CUiue{_eeW
z*(Yrx)zp5n{cRM)i1>3tr>#00(u@{%v4po|`&F9R(n*$FP3v8y4+RSci2kVj0kZPn
z#90g5tzG2eDByfPeH%f4t|TC1CW_AHkpx#v3KT&DRD;NP-iEkR7aRh~3jz;m@w46Q
z<0tF{fr3-hn_)cs$OtBS3Fw0GW&mJ^<o{y-zPKXuAnsX?76!C(%8rNt2K9jjd~Gfz
z^2u?~qH1BGBjWiK;OeAF{&`RM`@Miy((=5OG5{g9OR4(d<~dD)QtVWeM?RBW^Mn8T
zL=pqM$@0Iy@&9+NEcP|(G+!6DE6o@}ri*`T4jyX7ZrB-jWu`@jm+6^@=Lxn@W?+Cy
zoUJ=8b_ZP_MU>Q_FGHv>SMMpTbVkzmRIBmDZiVQyFTK-~%0)uaFP&F!y{T0mVmh-6
z#l$F76>}V)TSn1<2zbrw)zd%8$N$A1YJ0YQ{i<8>=+nDv-;H6~+7W!4c3;bp6s|N7
z3Y4mgGtf^jV)!gBZN}3$A4cqdF{yJ-AYoB~Ihf&7i>d*cc=@rv0GC1@4%KmayBR-G
z?)lMX*xVFY_7m9;rZF+7jb<AyJG7Fw6>kXXB(&5j-P!tO@}ZTLVfa+XySM4<!jbfF
zmcE1HpTOjQl8IRso^55YP<#&1a^3li=3*8Uwu^5TntkdmP_=4krTtA)>J)1$fz?<k
z`q8q8t{X%I^g^no@xQtDI|Gs0g!IMnHtu`ss<0&sAzkM@N73lpW4g%DZm);FgI0(T
zsq>A!cK$Py^uNeUV)87IaaJxhC?8ko1hFLE^969z&@Y(=KeKCo{!u{=kMRd3a4Tg6
zo(P1`eI4Mzs8#lOd9ZjEVMG^$KAz7U#5nj`G5YRX7-!LvMa>{E;40p<Ueyk#$WuSX
z%=BN8I^LOgnxV%WEdg|LZ@PfBY;;QqX**KaX<cR2h2~)wo3Ut03^EZBcMB_H^Zq*`
z3ce@^2K&m4YSu>c6%!fdfdKeXv$sBo-rkN4hvHG@>C84h-{xe~%*G?#7SO~~cB^C?
z1r0yDy1L}IDTAA>0lKZXhBf*YICb=bV-W$m$&KYgQB$ZW^xQzx=yK8Vt-1R5#`GV&
z_N->=Trz=J779MH;M@#2?vc<5d(tRLs{&Vu%8SVGrAsjMoFc9uMgs9%*KVm2s4>7$
z4A{f|Kb|rct_HBE0f*jk26i#SD;{v)Re4M_1nr>XcVFqm-t*GshRA=v<|iU5YlSva
zAQ(VvE|qk*EnuO^kmGlp@e4N(eOWdHV*|r9ICxy3NjNj}F`cBhUL*w{uTn#))>}Ad
zh($#))Labd3#*q<7;g+TQ%4GRjdb14<PKt<-=o)tGSe0xCLoU+G;XluxsQLFA<GAQ
z_Yq4=_fk%`b3jB^!c00F6(l9~hs24bO;yZHhuFQ%%IBa<q>co~1z%%xvRvPLcCOx)
zNB%a7;Ad5-l5&s$(!d~~xyvgBW+y+0Bw%5pt_x*07^9Rh$H!9@<zqt-VY>^ERnUh9
zUtOG(c3s~_$0W`M3ydAw=&>HDq8Kc^JzXV-3}Qh?H~pUuM71D(Ew;h|E?GMIUl=*X
zkk{?RkkHmb_r)I%5PD5+(9V5SknXs%^q<w`|GNVJC*^mzNiyC4DDY?TVGyf}6Eg=m
zDn}qqNUBF2aG7;nXlk&<*YMKh{U9P%)St?xN#_V!y6297K)4?malBg-a_Ha-CR)d4
z7b7C;CFCrDnt?b3_(VScfJKnUZSK4GiiG`=(kY~Jfek!gFnQxAmqK2&UP{;?6R;UU
z<{*=JrSdHKZ;-@L`IhJC%{s2K1#I$8x2A<HU)6;$Q2I_^DZM-am!{DmK<0Svd=pP$
z#Bi6v-Uwt2zp^A6ZS%fMiiV|5j<R5GD34KzNzgB_J6o$N|3MqT=(F^s7{B-Sv|nNV
zMx7v~DQkdwQ{xcf(My>=A|R$gyvrb_@hz7LLgC!^1XGagCG?Q@19^go*ywUY*SG*6
zTYn|3engTNm;fcY$nBQ`udO75fQrrnLJABz(?FzHR4b}9Bs;;6n6$ci9q2RaJm09#
zbF8>t-D{xD1#&&Jo*1Kyq_i?BhQMG^Z}}Ff(2vE|R&Ndak!<}@3SBohIvjM!8v^ZA
z;8e#6l?@6a<1#4vj6x*z4Rr^7`^#H7Wa0}a_KlqsdXL7^OCu2MIw*q-Cl5U?raT~U
zzhZ~5h=r#PW=op%skep7-Ub^bAv2C0SuOa2rH}2P)QsHh8#GVpX=tWE8Yx9KG)7+g
z)~%_nv4W@q+^vM*k*ZvJ>Lk0t^ijr#ApA1WpBxN@qZM_B77>PEZc>A+2L}jC^hfDn
z?>-yvVnxW!JT@iVWd4d!&JQ6V`#ODyTta{57<&NL?w)1e_W)#j!!6OY9Bw5f10uns
zJPoQ}buzETeoGJ;M5J(1q$bO}j_1S-f~JT>Q@mo<g7SdU-~R7qIdHqIt<SAKZrKgK
z!UQ^_<!EGXHt2>JWUrxQjNC=?1&nJotC#{nAklWg5{QDT^vuK4Q+M-z<#q6oJ9cg(
zRh|F<KJ^{l7`FXZKfa*9+KGne->79v1h9hY?Z991@;@-F%EZ9MuRSYL74^dI#jK#-
zX7aaBMXP(KtDH6o*(X<BH>(rojd?}<+gJo+X_dE`$7<qZJHLNKBRYe6&jQYZJJav}
z&b-3SgM4rWVR~{{{Acp<<ez{)vRq{?H%#%~ddO5p8~&mD{%bFVUsRb_*vXvwI=?>Y
zrR=Pq&6zpnV4(LHdq|8-A`|(rKg0$|e+qQPp`fV;8k9FDsRw}KfnWf3qq8mSd#>C&
z@R@(6N06oLc5Tn45i%dd*XV>_Bj)~zilO(mNq;u%9lmOPn)yHqgeBj5nIs?Ii+b8R
z`ZEM6%>A~#X`>K!J5j=YjGdAyJryY2zp3csJ#YRx#oIqVGywOL^n87&^Q#7~lkYIY
zPMI&sSAAC4ygzheGERhqKT=wv{W#u{()bL^m^}beh}di2f0S%QF#XLd_4i*+YNNm@
zRsmBE^L`@Xb*>~R%EgBy9>s+MXtpj_8d~GAT^6<_@953}ej70w;_m?@Qop1+oX{I5
z(`LH{`hJiH4LlBeVb(TMQ(w-SJ@IRx4PzVrrfy?xM90ODjU$oky^T_ef#3D<V*UOA
zi*-P*BH{Q!76A2acqvw6CB2uUX{0VP56va?f#{8)oO3+Z{UrB+1x_q4G~1O6JRZM4
z-C6#Cr0yuW#cCW7!;H%u-z}-_{otB^EK>U}%3=d4rYE_laahbsY1AH+CCsgBq`Jk(
zDE2^MC;<mO(&V&R1jqhk+&0Tx9DRJ46QSxDEW%}9f^iJHf>tvhh5gtVrxeZ0!CJ|%
zkO+NaLe)sp!U{%rCypWLL>8p2<5K=eUH?JOekRMR33!x{(IO?-@Mw|WJei48Y;}@1
z*@W;qfrhfC{~N8-`a*sf66+h>k?0(g_GemjYKI|VSh6=o53Ava6;nFRV&>-;ni<uO
z8AxLRl1@zs!2gsBf8kHKZ#*$g0YcCyMY8<0lk4sMD_2E5*yG0+{yIOBM#h_0(gBQs
zR;=zI5}A^s>~f(5uo@f02u;KD6IUd|vhLHdx=Fl}ER}@kG6sd?Xc$`m&F@PoC8|A6
zV=p{E3^<bwrC#@)qCYqLr#ZyC@t@;IW-b0Ka;Zbf<%%bzq#s#%C%S<5%CdqRFylG@
z+#LO=My7&$mci(&E!N4br90(^r=cY3y#v4KUzAkUmz!#a3LhtjbPLIt)Y+G+8MeZZ
zHW<~2A;{HcJ<?KRLI^c%nXB1WE$T^ktNp-URIBRGkybs~edTv?<7b|A?^8q+7QK$m
zZNOYHd7f7C>dl0GeD>LcsnURo`7@I&X+HK~>X$fqaJ&2^HU54Wa3hi%YC*2b%l}!G
zY^LpJJ82y{pzhmH<I#%H$YvZDx5m+sKA9XF_YxqS1*Ra3eI#rN1T_kMiSwB(0RP<A
zzk1HuU%B2ZMF}{6q=e}&FNSekw~LY;j~{W1<5Al{L|q_Pi-A-<w0q}B9T{_A-)(pt
zE8%l(S`fqVsQ77X>aQ_F#blQ4FhR$Tdmg}UAS<(8f2=@>Ww?98i(}WQumQAONK~8q
zV0z!cHP@_YPK};(!__pYBPq=!)cjolSKk|vPu#+0-NDF52gs^=uVES%mV>o4y6)Oa
zQN;If-u<r)y1%>|1RwOBKEqv~*u1xYk)^J(<93yDQ5OMFtFyt6-=oX9(0#I^oflXJ
zNo#ZA2UF7Z1zUllzvwD>7v5gePSz$dtC6x&=uSeSrsr0GKxKS7^lqX+nWLhJU39b4
z5UbAK07>=kn)cBd(jKMpZm->@qg?V9zVi<T!fc7;KI$};E;x(LMemGCpc_7de<cH&
ziqxrmGi%TsW7g!jbB|klWeVUpERs?e^~ECr*}w89qu*+~v5Q>>*##i)8um!6@-GFp
zC`Hy6)`^9^sN@gna8FR6?{jV%%!8652`i*bUW$-i&r4i0O|aJM1yz~Uu4#Tk<Y2D)
zT$3pVcLporBu%pPbyFVN2A6enKf4^x7ov>b#jZ#3_a812VHS$&kDq;&#4H*i#%?_L
z9Ta&EQ*cXU@n&;+8-u=2#xK9!BgBSSSvr2q)D0M{@mdC)E^m>Pl&dC$(r{BE;8T9;
z*S}&ZaH-!TG4J?z@*9ZtgLGIgWRA{$%-pHH#@OzR76DR}h1xyS&ns3q!$Y<{%*}f=
zUyL;<onfBOd!vSW){~x#bpGs6LjwHkd)76rSB0^CR}+}r@R}z}q{X^<P4_XJ?8vug
z5mLKSBLnOUl?J?g-*|yWirr9GaNer|D65hIDUbjN5cUS6N&B+<6bTiBJe*1ZhDkZi
zLyl`|Uyn4fT>@%1$-k@Z{2*S>x*?<FpIXYjPr-Q4p_N*j;4;+TVU-|p?Pkiuf}#E_
z&q;$(2p-(4v>EvfK2%OaDV+%Px11ndaPc1a2h?G#Ui4b8794*XJwWI!l5>70`E4t1
zVNV!CajGx9#c%Vy+O*kE?uwNjpReEkrm+OgehzC_X5zzd__s1&{IkZ6hb#9h-_QU+
zkqlbwh$z(OF*WZ0&Q+#U3>-e<BP+Y%4)QYXXWpf8hmVAfnu`k66LexIiywjmMSJue
zUzUf8U$9(T6;lBZka;cRXk@B9o4Cqt_PWxE&6Y0DW2B84m;C1GHAVNW$S>U#A~yZ@
z5&&nZib3o&+3SwGG5hiq_sII7upZ}kUW_<32d4~V?PpFupQs9;eR~0Lx6Xi7fwSd7
zcYW^L_$Yb}S{%iWdVvErdcha#`$in2pE43xQN%q=&dmYM<$J76FeCZA<(vvV4BkQS
zaLk6}c`*LYX(00<*t}w!1Urcg1NJ3nL5F-Ww0Ipm(M3z4^{?DBC__2n746!5U7<4Q
zYN)vEV&PV6p8YJ;80z?<(mBmuybY30eV*3kL7zP3`<#^8hkRbxoTrinp>6bzr=*J9
zb6sdj!5iwQjJhf<`q9T_eT9`L`T*~?Oh2VgTl|h_%d<Elbj(#yEpV$O6@j^Zrc%{v
zr>wDSiQdmB9ovHQp1(ND3qO^7Syn+``31E*d%WD?Bm9oAJU(&k<)itDbJlQkuc-<%
zgc@=j_g1=-)aBlpWJhqYOKY5VD}_0gPiisX*onS>7G;xOweX{2gs}Q*`ZkLg(jmm@
z%@-6L4Z!s4Jzi-H{)Dd0Rn`H$ILMq=K--A~hDgwYcTfiu(J~%ETw|?&?gBuX`tJbm
zhmyo-DPs`lRYl$MkMiG~<k>quCfC%|bocN+$^1P%J}5ZKpsyXZMV0ltr05l!m{&%3
zV`hNCl|^xG=u<YBn#$cxqgm>x>lZN@Z0jxTC3K@dCJt<XWdj&Upj*>BCz*{<4N&Tn
z8j5LlY7yj&AxkRgK96mAQa<6$h=rEN=`|CIb!a4JB!6dk<UoIeQJ>Q<sd{WI+z|ay
zaLwvzJAV&}p4;Fv_S?2=RX0M`me-8=$xmO3r0%26m4xFm^4;#CGmA7<lE=`xdu!7)
zUbgN$?2QV)?5F3y*62g}3T6=R@i>}oNV%t<oHghH+p(1M<CA^KedrZQkWMfEF;avR
zv>1S$oJan8iTm_PF!7AC^~~l*Byq;T*SB?%I3j!x<)lOq<l657FND-ZaMXdCMT5*r
zCJLZ8D=3*U&z!+b(RTE6X13r%x#r6$ZPkq07<Rq1DvECoCC-1p84nL$WS0J$1c_dB
zs6s*||Dchr)=#o|&<p*4sv!BVb~;l|>lmf^#ERXq*Pp|eoFy)sg|oky7c^Lo-q-o^
zyIQJ#Qwy+TrFxXJP~}_4zs{Bq-5sUQ=Be;Vi9ep4zE#l<#&fwVp{`};{d?@az6zC8
zkC_0l2PsvO+im30A4SFbDjj#V)|;H7Q2S9|#S218hD)9np`g!CDg%TD{;mGvgH^dI
zG{^1jc`wUoRWc+R*7l2vC#l}PzFQH)-cx5S-T&&WC9x}9fplwDX5sQeVG=JL0pcV*
z{^!8@f^1w%8Q&@6TId@1i+rVS`n;lJ|MW%5zG$w$$&slj{R|gsYsT9W#1LpB)i_L9
zhy!&NVf2arBB^lH2=q&a-7fu)K!RyVrFEfNr|AKqsHg~!UHDgbccFe$S1Q4d>9P;e
zdh`oM8jqTDCt2SbFN{f=BsZ1+l7^Dmgm1%x&Bq{*!&0Z&@3t$T95V(sgpbbx)Y*iS
zd)A3t;HVMgW(AHc-M%3`+L~S-D9n5NuJRqEe*-sIB@s9xWU^8Lwb<gV2!i5GR;?K@
zOiD<4ID)CFEq6}I`FI&~ZMqg$?>+^U4Z4$>g6J-{d-RQnNFH{PmYsj-FQ@RPT#{)8
zrdK#{U8w-=8GCLwMY+ds9+qaO4yo=j#-@29-o0fQtA4&@QyYh;vsX!uh7uZj1i6ve
z7aH5kLc-!DAD+s+Zz-`dIVUadpuvsJsPwPGdnBdWoXiA#K*pv^a|*C-RW#>bxT&t8
z@a;W|?(IQpr`QvrSAVkrM^1M)wSe`}6D$KB77A!)!>GLyF%3+<ageSwk|UQ$)@zC&
z3ODcZMhvN-p07|3M#7t^XXz_phn<tUVeHs~)G#b<A&E47Y3DS9?hSUdpcPyPyU5uC
z^&Ya-cXuvI1zzKyv{?SuBkTHPiC~bm85$R%L8ZHWPb+4KI7_Sb=jm-w(1=E6^4#O1
zQCUIV?N$}i05_WUfx+|L1s<Tij~cy4k-9X!*$t8K${5Z#TeZmalZ9nVo!n!*Z=}~h
z4g%E9-5G1>OB*Z#o$YFBV$!maAVc(dF_KnG7`o79-Gj7IX|pj@(IzdX&m;y$&IhMo
zx~+CxJa77#l#?Mr>s@qCfm)GN#8lDvuP9LJrW9U}?oRP3&l2hsM_Sc6FF$%9%uAF7
z!zSqmuq)T7c0whDrGw$!l3m4=?8}W_QN5<%Ey%A|ScYw(4m8JY&}3d9Nzgm{5f}r%
zV>By~4Fb^nAOMB+6n+*+2n@dS@%fM;R`ZiL=Nr>iFNom)xws#_q~<&~H(g&KlZ#Jk
zJ;o$*(vI!Oqpj8$_e0b`*G=oYc%z7OUF48Ml?E<#Sl(xP5X}SlUJnW1pRb8MAqfvc
zlO>@(5T${-@%q*1auObD)!P{0MFqw6RgZ1}vmlm$V@>N79@v0@qJ6v32dDg5EK--O
zDx=Z{RyJe!TJ9gH77el*aqr2ucx2XUtU$GEX2xiR>O!y*>_ScEDD3=h$6H43o}PF9
zv<9qPhg(L(FkugG(iXzZTK!sc^K(z?yK6eFHgj#$^Owd5{IC(Xx?`xrqC)e3>UMhz
zCa-mS%5psY!#AR=3npCqrxU`wSx5Nj6wq=t_+K@GYQ5sWjOy|W*)i#Lu|j~yHLSBc
z0c~S(^Teuubw!Lex^1al4q>wZ*Wqz>$NW@N^ocfEXjdTaVhKj;ZpI;u@(oil;K{#I
zEx|G}?MBr$5vDD^;$NsTe?#8(%A|7N%%KT2t)7X4+{g`<9x&_rCH9bLM6fozO9e$U
z8cw}B#j8hLH-XA(JcFyrblVRZ_lEv`tAGS9fp#DYWAD_t!V%SAh(KwMkx2T9M6pY<
zNa0c^qVT(yHPV+v_m6T3QvS^h7Xsbvkf=oD5=5Pc(FG(&6FGF>h12v~gC_tdDl)0B
z7-u)qm`yHI5H%q2dYr76W994{S!+*9!^N;KoC&hVKdk>Hx`d+HZw$ZDskTwpN15fu
zq|N>zCQBxwfd))Lf;6ShV8#Z;T)`!x^;1Mvm(Ln7*t(@<!y1rDhx~v2i?>*@*sP3z
z23!_qyuAr>Q)Tw{*+4@DB7py(vqG4}h>2-|yp|Z-5I|$rk`KV|dT?xEf*h6Xe~k(p
zekT>^0mWjJ+JI=EW^)EOsmxSi&VeQH<KSN(n?Oo)XBuGZHe1tG)c_-F@Y>6>8Ay%c
z1}Vcba9yiHF^<<w&wKa3$+SuxH<U;X0Nk(u^|FmJ;7QTJFCzN_V$Cnp9X?2>h@L;`
zGBBdT=wY|Oe>_COuBXe+3jgqWc=~_EJ1;?ZDUW|%aXc6WKwj-n67gzfLUqR1CI{$@
z6keyjFa8@wZ1v>@x8sDrj9ALHSf1y6kB1+C`g}hq%rZNUAxHqgGJO>SGPFdm{wW$X
zBlXxQ06x9>(wM(h!M`*wjwNAJL;UrREqKrW6bYt<?A<Z^E9b`cTv}&A@(&%3j5Bfv
zb<xZ^Q3aEX9BHtD`Nto?9sy9|th?8@#C?HEB@;Y@X;L;MYWYW&un1g}BfP&iF@mXk
z$O2xsjD#}%{YNYypMzoDAw<#$EdNbx0J8Y05*iDvNU`<5*`eT2@H)4)|LzA4EXZ-E
zKTX;gvH7QJ{;!O?&$;2Zo}*Nd%Ru;%z2NeRm@gDZESa|YKiXgGV`^z>S^4$rd;x6(
zBz1w&c$0+?J1`Q~$ydOCwjEvv=qF{+R0|3G5lgas?m60-H`$s0MDgSFKR`#=M?N|w
zl()ozOIi1yA?Zk)zn08r<S%1HPTntIuK+f{pcJ?h{D+ZA`)}asoQQpgRSEd1b2kIh
z26nu=`2Lz2u3uw!T6;+Be*Pmr&IW*f$bwJ|F}n28az|L={b!HQK*t}J7dzilQHOJ+
z`6zh7E%OylUzK&wLMGbmq20962au$Vn2ZYx_WT3#{>v8XUrVi>$k7dOduafilhon^
zjzQX^37~yKUvC0aNAqW(m@5E3+~emMOFJQliD<9E+5WmMX#LclCl^B{qN8KGLrFTi
zxgu}Cw!I73Lz2a!?I$i@n_Ft9)?ZqJx}sa?f7e4A_7U;@R66(^yAAz14jK{hg2o3a
zfOAj*=;H(#0gV_WUokEfiCP_R%^*3<mF4BPQo&fjyZsTUDlvnSg*I_6Ixcw;7SZcZ
zpFVlLe5njdYzWVdVULSrmzj_5`L=7|q)P>*NbKu3pmZtoLKyU${5kbL2ja2|pe=$!
zBP2Ij3vv9I26(uBBqg~xozU`lqD0WT8?P^!Bk8^?_%@FpC5cx6lk>iCVy1EXi4uL?
zV&!lgm+4BV&O5c@oqEvMEY+#Pv_S{-awr;0m%98dCsF|_ctt+lQ<?yjDo{yD1eM7F
zP$zrKXbsAki8g(S*rLs^r2|?>{s0w`1;XLm)E|C#KUuf_?)X>zi%tba^ba4ee<xS1
zS>&1!6zp0upg}V`_yIMC`v8Aa2H2#&-o}XZO)@xD01&8(aG9&)R0&3(4xg4m0b`gy
z`BSe*3)<Ydy6IIll6mjFu*<9-t<U+PBN;lCw0{$Xg+S+n!zkm?=eW>Es|;$O5o(f%
z(<IubOi*X#YH0M_h+VG%&{u!svrPneSb(Lu3;M-WO88$ImS?mX)Al|D-9gbd;aZ60
zrS@PFe$Eu>0RNye8BvHZ5;2EmW8mG*?IyIm08Jy-{tZ2pbTeu3ZHS~p7T6+4EAY>_
zwDUq56_uEDHrlXhQh7|?*|>w2a-8SLvy8?2<9p;lF@b?X@=MJ8bQ&n4;MHi@zaJuC
zpmdFiA_6;eEt>~G+co{CD?Ri9dQN7Qlj!J#MB8lx4IC^)R7%LscKU~%r1-9`u0hNU
zR>7e^aBNnA;lII3P!T%lYzvI8jcYNmRy>b>>Gy$eQ~3!xj%odwilzpt@`VW6eiy?2
zP7K;#Nr#1>zyh;0Yw~()gN56}Kng0T+N-ipF^Rduu_p<jkG&6nydCbkV#*74Ao5D)
zePrzB8ZPsefd}b|Aqe^v0HchEJEe@cb9FAdtH?9k7xec_eWu2tgV6GGUTk^vCID2y
z&W`6?ZGrRqa;&6w9uWT7W|LEbEw}f}N)_`zkH&vl6d4G@o>~KXRE2-=c&Qy#Rj(s@
zI6VOuW&>filRKwEppR0+B;udzH+a}W6Hs70@fFX`_H98O>OBKaFoiEn9Tf34z|u4*
zHU>;yGN_)Tf4YOj`-sG4kvg4C2w`|G@?sJZo|BVPf=Cr{GAMrdKD&TE95;{M%l(xe
z1O5)6{Nh0mHLS5YezRUmsbDX3(*f&uKZ8&!Uirv&vVfDSBtYp7410qiQXip2tSXF|
z69D?5=oIU)un4k;1QrqI*%66+lP(z|<1>?xwN}KTnY#d|$;+GQm*_xZ4zgW;U%vk4
z7r+*ygJKy3L31V|CZ#t7mwaKTNwoqqBt$JQ0~bwp2rXJ#46lZGfagp#nX^RIdVO9>
z@&~DB_n3x}GX9n+W*0Vu4mt;(dNS75{HKRxR9MpxgYY#Ocx4^N=pC3Pyy7eL5DEOM
zM1P^bo@shnLq&+dN5XoDx631Ta%hj2+Jb(y0I;^Oq>rI?7?5?A^TU7-n2>x9$nJvI
z87G$6gv7FF7@J97q<5&b>4eMr+Mjh$e@cl<FO*LN%E!buFEQ+CWRZ!U^^bhszX%dC
zygiS&WDXebpq^k2b(8O^?Lson<(GCwzcOn9>d4!W`@ug5#)f~7#op|IYGNX#b80$^
zD)}?9wcAs{SZ^%_B$;mkI$|Ba2V|5aIzQb75T1&kTu8TCz7Sz2YqU~QaIU2!!6ZI3
z9U|p$b9oR4;B9%Hl`w>9lb5!9<d@3Oo@gwF{v>`&*=O|ON^cnwgMAciFa$%eB01!~
zAA$Y1Vsgx4o_K84A2dsmnfL**Qwr;tBHorge`6F&Z9bANkWaz~^Z!isAX2hY9$4OM
zjJpBz7YH*rC9huoDFXWYsIo?v6H-AHXk)w%#2*XlxA<;M-sH<<EZ{WB&0$cMUh*_F
z@3tW<?ud&BANII1oX*jlUE`LxY$poY7YKhmsve(^Dp%&_<KO!P?O5eDLN@3=TNboh
zZO6ykCKC^PVrgxMv&2)2h{nFg{|XH!!a=ckGlVRpKQHL<rtQVhS>cybqS-;`uvTIS
ze!9KTY$ETi6@lM{3bAEZ3cOGttM|J&#ukOjui1i5gsF!@W%_VDOK!Vh893qH+$<5V
zJa6heQziV)S=#73g0Bv1zjV{-*bGD}4(l=^<)F8fBtp;@?tq)+zvI;48h)2C?@P1K
z3$kbJxB+dUy*Qk{%eJk6K<A_iuH_`c7e@G6T1uCcWNd0dq{9~==v)@U7}Y@{VnmSu
zRWQn9C8F@f-?S!b$0}a7y(1X7iKd3%Q58OXY3{RuVsBl0y=TwMD}?yeFaGwmAf`Cm
znrMc2Ry>TV1Yk0QSOrQHRvsRi;|Z#A>q_~3*p|W^1!KjYDx-Y?oH%{qp`FQt6H7PO
zsUr*agSI1ES54cSu6|Ndw#OGzyT*&Pbu)|2liuXNmV4tvbHtBF#jK!%5DF!+TTodO
z8kaUR+Rj%+45D@xm1=kw;aU*0^s9C{dQvRQ94Ws+HBuY|sxlS-gAiLsC5{-e@Q9V^
z2WUa?ZxHPuCR$;$FfE2E0FUWCe0GxS^D-(7RDbB;t1iqIs9+T77||6+;)%DA*K<!i
zmG<^TZf@ER%-!_#yEU->w1N*G#<yOGdmk2Ml(#2V{K84iWniK@Ua?3;ui+uW-HL%e
zh$p8KqMLSz<F<QFp5+&uL9P^I9g)T4udSUh!xe0U=G79+aXc*Z83HY0^EcZw>y&9u
zK%w>sHt*b_JH+OY^FYJ0)!%zGF|VNztuJ{S!K)|@F`=_ttdx!f;;6O<;Olx1cNMTC
z)><|v({d#to=p8j6-2@IQp&AFD19$C;-oeCkWf)R>wTBygDWoh3HSP9qs`L0utMR-
zGDL1ztjGOJrc{Hzr;Rex@k+NhZdb+MTJVWCvgyT5J)!eSK|=`wo5rH*Y2v#zhhl8K
zR^B*@FL!LwG_ftX$x}&HX*Z*G8WWyL;NKZLK`&TBvyQu89lI=}$$j%#kjI>&XJ2ru
zSXo2k_}Q~l<Yk@&%Ltq^@!Q^_S!hbRIN<dyO7dP)jJIv9egPb(p|@41D%XbRS?sUJ
zFeZbMS}ZvDe73vZ2`=Exl~F+D#hVx{_m}ER3P`N>h`ppz!BFslDDbk{#E|1JVSAAz
z*a)_b_EbOsw8Tb~3=eiT+uPgwzI7KNTd|XMSF@2~V+?}+p%l)o(@P$@ZqoZSR8A^k
zjMAvUZD%N+K@I_W<35q53-hoNx?#)lwG#C(2O<ol&cu^7CLiJ_IQ)uI*de}woN~sE
zH|AbH935BfK@}S&I%Wpry5|{u%S~xFdh0oNyZkL|jCgWd%4@ghB;EIMfj`O%WQ36w
zz{43oKKPWQPB3SfUK~mvPps4?hjOM!Fc9cyZKEaYs=Oo8*1`VP&qND{K!>)cyZd!8
zgL@$24Lq3J&dA8fZXEJTXgI&Uf&X+V7H;2s{;O2siQ6gj@cW;m`C;PJc1SUj^NgS;
z9iGiC$1*1q8v9*{y5MjK)VK2-U~>RA;!t4KivN5z>-1j4e(xLTlT_{amDN+GkQSZt
zYenm|w<nf^{(8lyokR*VFKFdGO!PeTc3CUX`QakCLt5LO=1?45haZ%5-Sw9Z+*mqQ
zR;;9A0NhIc?(^*6eEVLkW1=N-F>io)qRWM=<SWFKTvo;g3xXTq6Xs5L2n$`U>!K9$
zHl6Xat$v=U>NU=AK#&Y*4FAyW)b{Dq4-M$_>;k&z5wpNc()8)5d?A*Gy8FBz?Z)cT
zk~+;TW0Q9A-KK*zpzeBZ7F!eO_Jhr?o#toAd^zU(6HT!D-)vD#atb2{`wAG@3fZ9f
zAYX&7EI6SP*uy|eu{Ng4C!#tE+9m1z#1`Yf<CrbbA!t8Lb8tTdOS*%kCK7o`+TW@f
z=?85-od_Da%{@Fk2A%Q8gkSs|TPJPL5U>tSU{|E&uMzP+bnuKFMyD{fu!Dn3icNKH
z^V#=Ih4FWqIZv)}Z*R`lmS!Zhdk7BVEK_keZvs4s+pOuMj%4ZU_F{IikJvTp>FA$z
zK9>+|>pjJGJz@ac58?8`C<9XIMh||Aq?|$}(!&mES!rSTX2~Lg%FboMYZd<|xR<7A
zwmD;US^`ns_oK>6eosO>UrurwL<H$5&;;qn)bg~#@Ku)}oQCA7IXSM!x0c<$VA6TX
z^!N9#wPVshl@byX(#0U8b4J5}d;VU620<)e(%M<@Q=<n3!D1+d6ughOekLr@h`F_e
zn*t@*dd-MbX_aIX#0`umO5uCMuS+17A3fpt$99QWV!vy^CI-|Y!X$g(x{h;PuBTto
z_=~eW?8>#}th;Gzx*lb;*pMF=E-CRI%(a->at*i2MHUee{W|BFm2Z59gF++eM$F78
zUf>cJvs4CJRc_JBLa8esVtKq;=_3&t<bS)v-g>zo<vdq6bSZ5Y_*)`%3GCI_*)2Az
zC`dE4MUa8|&w*<KEz~?f>%Vkodmsob+Q&Y%4Ut|yDb#yN)>&lU+5(9()-M?EKZOU2
zCV)a`dwUB#^P|8oV*Macw*`Veg(nbkB7!YqxYk=SG^`6dqQyJy;!l6XGqbRW=ez{B
zZQQjAz$W4BH%-tZ_oS+ahJ{+l6XXQ2yZ<^({u&;lgpd$4Xrlwdy}}Ua*=$KrfT(1(
zgetxO5Mt?D)<kdi(FdAl>s?)SgskZ`p25MH0jSQ@<m6<PxX(JGHYUMK;JAsnvqh3s
za=gSIe_$XD0=~V~Vao}4HgW{I{`UxgH;awDY$quf8j<*VM#?Q89L{a}QR_F=aCLDp
z#FJ{c7AhD7dTHMz4=_ll3w$2qV-_vaaDxbV*}V*EKX5n0CLx5BQlb~W%U;^708>Cr
zN~sOmrpWvFKR)aSr@FA6DWE1Ds<W4~s1U*3-F{n=?Urw+7j>lO1*?l5xp$EX0xC>J
z1Ww9OD_ET_dHK8J`^}zEC;UTloc^1orAloZ`QT2FTA$3)Joq9<m|@TGl?qnK+TQNZ
zXak;YedNqHqQW|(anjzGrSu?MaO%EM`51~^HoL&aKAVAQ8tL>3d|0*lB|O%`g*FZK
z!wl|=?l93-=R;H}tCQwIpS?l}%06_6IKVN>s}<szdhtWv`9fubL7butgN2;Azie;!
z5Z*$SB^M#3(Yf!jrnIpQFk)e&IS4OkiB=6tK8{YHS9L>o6(%O-6cIfK0@-;x5yKZ;
zSyO&R7%_HwGPATnbCeXDpKlwZ+b&SCgYgO)(=D^-N9GuP02K7cehFS9J!kQpqCrDD
zX{_PycGfG<w=gsLOE!6L2T*;*ge*}|iQatDh471seSijIux7sg^eo6>qV(Yi2Xsdw
za|+`gIQiU8_)Iny!DpOb1DiogLAWIH`NTpw#KaC*czD$L^8;(_zFiT$@9D>4Ch|tB
zbQa{}8)2Sm+hQ1gWChT^-vnR>%Jy`3jIePr<g@MRXD*(5b{-flgF;8b&drhd(kWG?
zhuj6>R9Z);fW18j2hs<14=6MUrl|NJ?a8a>_iB!qmuOMEcFD-eRrK^o7kw6>!-esI
z$fZDt=Buph@nIaT#JoOR3c?g07>34Aj;k735L>HK_{4^mFhAtj1$^1J^99a-r3;Hd
zYA?h%uBI7qqR2`2jfTEQY9wX#!r%RX*GvQDS`o5U7D_U+XLVD0*9nHgyd(;K!CbEw
zfa_$4z{L1C(?FCp*Bu?76L<M|XYjSy+z=KUpXQKS+HSz?!}aF$Sl^v&y||V00d;AL
zOU`_X!FX*y*Ay<^h$EHSY(MJ^8nG<CJ2&^s#ttgCmUa&NQvChBpURc`2gFmq|HUzS
zq#+5L;7U2(mwS@#(W)%quh8+8naPD0y=UO^OpN5T9DHeiuIgxHx-%R+jVH%cXobr4
zfW);eUmtO)NWM6q|791Flve*~*Y3<}>iN(8Flqfp>2Lkj#|wwLU!gvSMDz<E_-=BA
zX~*PJ<1Rj#E*6`_h){m|&2hGt$+y-)NhxAxGLPQzwXk>CZ*jmRDW~))_GERoyDmk;
zkIO~n0bD-!mKM)Nx|#DU4JW3>_5I`I4HnMcsYfHmZ#Ztwt&*I-9T#l*IWeL4td4e5
zE4Q_R?|fM*ZAcAnRf{B8;QrVk1a47@2?-4D?(QUXbWf;l!<M33#f=mW8)jBN5@mhg
zxY96)&iUycy?>8R+THYX$Ci_Qm&&q9z>Dh91}-tC@9F~ZgPE<8k=rHsh*_-RkW5|X
zqg34yi1%aL(CCqLo?W#^kiGJ`iSOFOPT$sbq{MdQ-NQ;vQcAzC%)D>r)@*6)ecld*
z-=?9;Oiy<ph;^A7mP~#AAx1z6qKCv(C2yRxgNz<&n;LT-C~ADcv_T{J9WQg8&>?6s
zdzUi#i%Fsn{%?L2heh&acv5C2S5;M2;+r=-;21qASyD4^(c*O))5GXIauct9%p~R{
zeF6NaJQ~#~ecvA~zN~h<c<7-&z-7~3r0mg$PVxHGhj1s&=euT_2(@(l;v2tgyy#EH
z-2`_TH{Q6{^|c8+`+2Z`UP#}YopYQ?S(y3hI5D$Kn*CIZkmJ6cAHUyvaIMFOt)g!;
z2N)T@r%01(QC%y=C&QL)>05Z_0(w(QZ^o6s<N3g>%8qRV_FL4dtXl86ycI5@w_UM}
znBL5}RyE5><|RY#(SO9+x}P=J-%on!(e6=q^wpeypiAm>U+7=}L+BAtrkV4?TK!c)
zPSPg4-k?{yOj`Oni_foOixV^8N}k~Ayk>whs|0Oh{^kPaT}Y5NSoIa3I=tt=$y_Ah
z`SuNT#rRs8uC^1aMuNTKBlpE`9;5wh>aq7<b69|wU2PuIY(g$u!@u_sTV>%bsz+<B
z@9vwCd+DMl4T5IbjhnZ>7QQ@_R=(-WUt11((I2&2mU`nn;~e33=cU9?x~~e!?@xT$
zMr>|$tEK!$E}J#Oyk71PV<NPlq8^;Q{&<xNPfAK+!p6q_?luJk<zdII6<}BJN&x2@
zVdlnP+nX0bY&Mv;>Y*Y-OHU~u7?K#*r~Q=M@uZ}Ldm40nwKeFMOR0Ep5?zDX`)Qv+
z*e{oz4JnitiFdz;FG9Z{Fn4RzYt{8Y?f!u1310kIzU_Xx2v^m~Qrvz$%R!9k)xle~
zwf0v5X%v&TeLtu%R5#xVd`CT?&Xh{#IjD(79Qs_E1;H#cXx1zbhTo&p`_q!}Tke^9
zjzmA`>0SQJBsg`hHUCBB=Av(q<@*MQ=MAg$)q&gwrjvwE`z%?t{oaEVH1G_MuY9$1
z%)J%rwueMU8pW@vW_~}5eM<eJuy~GE@_b-p@rj7|^2UOsM(9z?=-K6QT3uo%@52Gc
z(l_yyPf|M@jPrm&C4>tsvJ|o#Bepq;Cf*^cdkK_W<k+*<Q>P0a>Yv0)=_h;Vasr%Z
z@o#%}*?uqS+V733QM*y65mt*Vmy(?ujXj#I?#Q1!!%2%%6ZSjqq-8tlKp2ylXz4MV
zWIuB0`^x9xxZig`vD0$Q8qttj{8KmlO9EMr(wlIl2%q1gOt~lKIn3re3k;g?z55!E
z6*9c%*qLAz9~r<_ICM{vk1gmHD3*=B0N$JbxDS2o`=Zg_UVovV(#jH(?0#=yoiuCz
z!jR6}@*TIYPYR9iy4=R*sZ1Q<arnz}s#~|nW|U!2J@&7uR~<?iQf1c18!HC^d@qjF
zgx|Y-yDsRAX;z;!6ylbw__0Nr)f}~$;;AY9)zoutk-pZ>b0K-9OnpD>)BCj0qkP+r
z!L%Vvr|}o-in~~;8_iArF(&YXA1mU#n>y|h#&L?egA3`8q81W+!?AShsSBkc;-BjJ
z?v2<E$iFyFt<i8=GaU;xSKA<nd=CacY9r@mY{bLoO=>N3^;4HOH79Dx4}88^z*e?e
zpNn|ZoCXzt7YVmXY7a;-x%Mq5E+g+aHyE(paZ-(561%&4{mS({DR)jV#IM=D@SBt;
zJb_;^2g>~*x}|G;nJ-|=0nJ{o)uhbmP1X0abTZYf`^KUpk9h4xotcMre%Pie4y(MJ
zZi=1xa3xKj__mp(fc448Y`E^kr&wvGpf+SJ;Dr7^hP{%ry?v~VsY{-9tgI|;aI5zj
zEy>_wm1(&-S>~2Na4_NAfr5l_F~&yDv)GJz_rWFKoT}l5ChVHKC(<_|q!r)TlgezJ
z(p^qp&M4~J-Qs%iT+P7mvcmWAw#!UI!2710no-}t5&td9pA&Ua#598z$&1r*8S$1Q
z61)wmhTNw0Ds<-iWyKq}oPJX8{B*o(Uz~r_UR=z(j*fW|@$1CZl?26f?s~17J2|fI
zNu8ZXi|DhCu*<#4vPp!AqL}%v)DEvFduk~q&0xh*wVkb2EUmO13(K^%T>!7km|9C#
zy^d79P5#$(lOdfpX|r#iDSaAh)piLf%(yq-Nx7ze*YD{P2u^A}lpZednLFM|oMa*y
zDw_=`&nRMh*yN>>6QurhB}K6D#)1hD6$OOS9QU4{MZIj13yk+dIg)*F)4cAfyRlie
z?l|?~Q~wriwTJG<HG|51U8WLJntO|fO<8CtfykS<^1oe<S6Mqs&@cza`0r}-Gu^r^
zws9ylxOnj)E-j;v(7;>8<#<U9t?*K?avzR5+Ac*rSf`g_af^EV_qJ4ZIs=)Youh*B
zKvh4k2Fxp@>^1*@k+k9^E$*b!*KUg5F!QU2W^<Jb#<Rz+HE4LMA4D&&Z2P=UYE^{9
zP6l)Aj$i53!ph$@CR5Nj|8{<A&BjD($Y{`#`$n#!Wr6$PGoHd3j8G}a)KF(_l0>Al
z#p&33f6QlQU;bRhiE!}tPjSoim%Q2LEtl6>2Wty0_38BbJ?oCDZUVu&iANbiF9YSY
z1iRG)RC}+_-rp-P@S_(q@4*{&M19Z~Jh@Pu?1Vwp{*vceMa?!Ddg1si*DHU&uf}E{
zf91c3`5@)iu{|l+wanX~-uUd}c&Tn0eD%9ec3P4Q1PKxNMEu(|`J0Wy21)Jf>Y@o|
zu^RJ%WOu&d)SF==*7D4*^i+%Ix85`!Ca@I@_1?Cl4_`G+KbpkTcpuTBL7c_+d^`RP
z?xLIjbSSe$(tT#z$l9|23scPvanWg+oWpT3p{S~jHvb0eNtjTkN4wF+YkRrF=QrsO
zmEDX*nqkHSySvrAWNAf~*t5GMj=ud{V~<rowDitD5nZ~cw6*ljDa78|71#g!4js+6
zC_m*Zwnetx!e)qiS)FO>*pv!qymJT$M}$0sL~25>)Ti(0(x#2nxeCB*w$GfCSP0RD
zSf|5k94EQ#_y`jptRddVPcNF=m?`dKRd&oM&fiS87c2?aF_U?Si@Jv!RfNvaBc?;s
zt!At;6HrUnL$4HL&o2#(#?x)uh61#_#Ice64e~KTY3m;;kSBs4blrYC^hC>aJ+{b~
zY<Z)Y81&1|Ek0&5@$J-W{4L!lpB@s>T^sFWr97_o7;3m6cJx(+_uUWWc7Cw`e4w%+
zF4O4lAoI8JBdP|=em~Z}TOqe=7>%eGgg%EDh1iG2r8&`4TNVs(3sjjHCkoEpm$Usf
zh7M=(RB{L`Fr6;-&|HL0VxGheR`WPlycY{ja(j6}wYlG$SEw$F=G^HzFQH&(=op;<
zb=hC?;m-KMu<N{F5z$W5P-{Y;)Q9h5Tv?CqSZ8A7aWdXdQ6Bx6OOk{JYkne*)kMgs
zM*W@OhX)&<TntD8N8!vElt5qGM_bv62VafEJ!XZv@uP->V4JV+RHE6uGm^zB4!UJU
zNVqacbAJ-6-)-~OSX?;*XVEzCEb5s|NhxI(7jJBekZY{ag-iEg>kxOaYPL`xjobg}
z?n<MYFt)H^sU%QAj0=LSVMi1w7(gMcO^Bj}mKS!AML`r)wz3&O0fQ_e3Rbq3T|rsI
z7C{7zCMXCZAlL#?1Vn+r6TzK#Cq!%8cg}l1-jDZQPEHP-Br}tlxp!v1`^|S5XX{km
zqFa==;8M>8hQkR2gRXaQ)&6kkRA*IHRJ6a_*!__8jca)d$72mfs?udO%PhawH9lpL
z8}Ok&fNXksZrIn}nBj$Wymx+wq-QQSey)owM)$E%>laDOY@wx&^@~3azZF0gOLvfJ
z6S(3e)nM&h&bVGZpD16rwtGjRe6fzNWL5i$J5`%&A0?$cC>@N+*N+Tpc<qt5H7tW-
zK##-UCLcc0!;;8(@8Ek`G;nd)EMLD@`N12`ksZ(4Uiftlv1iEkrsNZaq~EG$<wA_T
zeWa!5m=<x4>iEeAevuTak_dbA->Qi#-c)Gpm^(8#d^>;o+C8mN3-jegJ-4>6o_|Ng
z5hQAkJ!T{q=5DJbtjMl3i=~%1w~DN^FuQfdOwU$Dgk%=!P<mJA?LK*uPFu7s#g0S!
zDM3nw*;-?nR95I7v{-X+=UE|P+R!*dI*+xDcsgPE5lA}3JIkB@p<AohnFr|VRSq04
zxAz&m8qy6!NB_1y0`ZOZK~n*5ukj{s@kITOqL{&}r9x^|8FG^*>3a-{l%%EZHV*8W
z(rc;FWsA;xYeha$S27}&3g5}Qouzd1Sj|Y{pq+Qe6M3a`BU)=&`VuLRGbH^Eg^sM(
zoIbDJ?;I~aS?u7R6a8@FE=@u?$11+qYi(ZS2lY-8V>IwZ)6dg}8XGG{-6TvJaFQE1
z^`?%syLEPGe?^h=zj0H6SbSko)09^0@>F`#=R8f`g@gMbVexgzFAw|V7A&HkJ*eFC
za=*P2Wi(my06yoT-B<`gf`|_AO>kHE(*a&#Be5ZLDgz{Z&Y4PY$;-jMnr`6wD-($>
z)$T0QbE6)yPU%)(%2ny?YuPOx`}a7notBY>@}qMank$*kecjA!f%`Mrsii7*U0bJq
zQSSULzEFW3NofXISeecN!)c&8{a%$i@w?+Gf<F6&R1fTOe?6OJF}5bBO|tA*oY#@g
z*9{zxMRDA`&3j{|<T$TI2@gxj87v&QWsN`EUO>#Gt+O-h^5w6PHV2c*B<dZlmy`|@
z8h^E*I;zqoI=}B|Vj^XbZ4^6%zg})yQ}5~Mlvx+tK1}WZzVufOB270tD@%1^Vj?3W
zLlLePzX%hmki!b0yw**cC%;v_bGy&c_q}mm&y-O#$yy#Gj^(gLC+nyCe@Y47-`n>Q
zJwJ0BkH?b%QMRPLwe?prs9TeBX+B{-$@6(UgJgN(RC&de#z&wc^LsADK(OIFuvN;v
zo8zL3pA7U?z__n$rZL@|W!&y=`f=OyV+DAb<+w0r$(6VfDc>QurODHoy}ki%kp{BP
zoCE@wKpLqFx8g}j7<ULMfHm}Lz8b49D`QtihU@UidvIUTQDu8Ji2&bq1Ny<NVt@$)
zVi{blP$h@HRkzTvrpPSZ-##zqji2Fo&SC$<>X!hTDN7*P*+~wdM#2$@m0a~&4UXs6
zRV8}jMhdv8PkS=0I=GRUt3hf5MO+L~#O3)RgKQ{SIJN)}IiTjrQBjTF-ri&vmz>k;
zlTR?|b%-Q4yotb(!VuQ=Uk$lHP*Fi5N=2>>p?SiOU7>{s5QdUc(fuVcz(`-uHQh7#
z16jMamlq6rB4?;2Sdwzm40}zv{=u@HH;&Fl1AJ3o52G!uIWREL4Z+7!PLHp3V%(~3
z?s5Y+Gy3vq4bH5C<SxL!)G$szzmVZWwVf!~Mrk>y4Dy5T3w9svf}X*4#O%579^~!5
z9tQEuPmr!okuWPZ5aO=7A<w>TYj4j4!2;@wv5uGCQot=e0g)r7QBKE8-qpV_fCj{*
zT4WKH{x#0lFhL?0?rOWQHwY+Gy#pB7Zm>0lzDEHU-2rHN+5o8+{s729f#hb0H$B=6
zNC^4_5@-LtJOniIuJjSVAUA{0Ax1!wr%&w!%pMAZKE%tU0<?w{%Vi;p)Muw3FgpQY
zzX>OL(S@Q=4k(nS>a*oKA_0&$=!i$_<T3dOF+?e#{!`We#Z1XGT6P{D{h(h6LBJPj
zyL0E%+*~k)LOJQ%@x#e=5W~s>WN5A+nMx(>yAh#o?4Uv!ym+6FwRloawma8;YjkC=
zlB;vwOFq^T|AL6a;Rr@XPKt_(<_(Dh5t1{Cn8pR1sHn1r27|k8)1mP~L?@IJ{1k0G
zu#IolOVP$$Ho08dk;OM_+r44x&Y;zgNUHwO<v;d~1Z;w)q2W#y=f?p>5SMTnm*kKS
z<L3bHI3Lu7_VY3oghOsv*4y^imhjm{pc2jwH+gnI%n>~c9H7LyR%SB%V}6vh3kS-?
zkpvSHH(gy_g0{A8>x~;0MaBc$C1*DL)nb}1h~;k=P_Rb(ff@H?90BZwL8bb9U}O0Z
zD%<oB?ThWwO7W5r)I*mrA0bq@<*aOA;80UrTMPn-_?#};k$`JiBBUUQI}sEV%=#|6
zYUUb;&3B)Ay$%|UON|km`P^=J{u?F|9f@Cik_4JiT&5OuQ$Bfh-mC<-0JJ)>box#N
zm_fobm|h;@P#hpAXjZ~+RwK#?5;*qAS|FL&XD~XNm8j|!tYz3&nP8D9TiIVs1*+E}
z379~q-b3lo{zt0!+J&=?iD@b-E^Y(<rm~8Pb!%(uT+upY`^vGaRBg#_Zh1werBoXm
z1`vTxFrlLwd7Eoj7bn>K_E86_bt%t6bNQGyj>_;J`k}bH+Ddxj;rYtMZ_M9b0S7$7
zN~10z<y1>c%e@PmVHUd)=nHP1o<CYzS<PM>x0;T^qoMIy=H8ttvr#`5wg;u+;6gYG
zm=iZ!Gj^A+l2Q**dLGUX>tm<1eV)UTgC;BRm{fZra;89$DhN%3S&*;gtxXsZK3&Dx
zz<!2AO~J=_Y1)3lC(dHH;M~LW4f8=woO2xp|HH3aDx~;k(!*FLT<VY=z7l}+Bnbe4
zfr^+0DFmt3)(Om;H!0!a;Yq=&=O{4S=t6?PvpmgYS|Z*$NbB7VJN@VsMV^Vg#fA?6
z%oh2UP!IZ*xBsh%x9x!g7n!$i*@T8(3FZ#v#;tnjl~cJOi4lPWb*TgbferM(Vqj{z
zMd->QK0wR8G|ZoZ&ftC#X#lDwiv9Bd)qk^7{%Feo*K5MzcdrhrtEr_weY*E}Qj*A&
ztnYJ5bF$FPkfxSaW?7k9(?TOVH%*b}=s46LG75`TcD=v)at;H_@m2!8nnttJ3Q<%l
z{`W#g5T{&n?()rGTmp@Pj?v)BoZ;_)n{6ITMnd4A3lm(u@l{|>?@+?cBX1M*Kl00+
zfRRnOTyK|QG*{O9vM~u6T-@2_tDUB2q%LV^c(Kyz1AMdV9!*#l(1}4D`ib@WHb|Ni
za;EyOsUuAg`}7L1@-59Mmi(A`e5}(a%XLlHl;<c#J{`P#==5(=<nMf4ktK7sC`-t$
zk#&iS7k47B9t2sBa{I&q)tLMDZg2>@Qb~@EXJt&H`WqJ%D<?N;LF0!M=$qEkf`zt^
zX=sWPY(QQzxFviGR!zi1>v5PLsM8{aT?V<a&hLJSwt`TP*ouZzyrpibPk65`u(Jt@
zT3Q`Hy`t^5ZC9|ev^n3A@Ox@$Hv&EQ`%`2+thNOcHU>xkR5EWl`1rl0CHpIIGiLWs
h2Z-?948OkSMZuMrzB+FK{oZBppjg>jUNrZJ`v(-?8h!u(

literal 57987
zcmeFZcT|+y_9ZGof=EUXN+bt~N-A<tf`9~3as~k<6glT0IY|_Xpa_B_$rM?jNRkAV
zSfoOdWXZXAopbMd=l;51kN&IQdt>w%HO{f1_`dz^z4qF3%{f;^X{sv`-=Mp3?b<bB
z<;U_`*RJ6}uU*4J5#WKJtPeh~x^|86nzFpyb1##PY{F*kXJ<VO#8kw2k(%9F4<EkQ
z>U%qC|M*^p07tbzw`#X0!97+cHUZV;%62kZt*<F$1wx5eC*?<NTfXAiuEPzU+pfd=
zhSL6{Exw-@n#Lw=E)E4ti7(@*o{?jbll}7*e21eV7^xON{H~E7o0;(+uX%#UsFzHU
zK?MJN{ko171#f<<Nc<32UiP0aw4&XAyvLPi<Odh{)g@$0_8*sJ#HN56;QW^#dCSS7
z+4(;{4gHU?VUZ^yM(F;_k9vu~1-u``(S;F2%GQw`pRD9M{QmLjupOUa!gssHCWeN;
zPU>)?^AP2#adc!JL2td(pKe;%BxpTQ5k<){wbir@n`!dY5Kl1;y!Z*;Ntb99L}xp9
z({7z|<al)~4`tga-Ej^RhM`1X(T~uaA1@{x&WDm3)Y|?m4ZON!YlJ4#%z3Y5*ZG~e
z*v+-JY}QS~2%7|4emyp<dJ#n*aJ(>9Vg9J;WErmdWAmdLd}@E~yQ<r8>)Do_!&FTr
zbk6Vltj~HG;z*}Rv%PLEz;_x9+o5T*j{E6FquyV0$|#K$1u46USt)|3F9R8Z*<Nz<
ztX%d;2A@@?lBXXON7zVZ&MOXn|Lnhzd%?=h5O`imsbXkf`I^_Drq@`#iNAR#q~r{Y
zTtlZzye;r-vwkxOhor)xZnB%2&qy!NSJ3-`h5clel?ZrBiRHJJ6dqlsQ0sx)o->LN
zhv#{)T>ryK5AbK{t2tOWcoV$!D2sGsj|^ka8F%IF7IZXstPI4yLT=Q~J@~KqkhQ=p
zD?Mge$*_Z0a(svM)%+TMC8^qjD^-@&O?_P+$gmuiJ}Z^FJYL)ym)NKXrDT@atVure
zyp8^7+7>XRa^HU9K8Kr%7MYd(sVB-=X?)n|UI96@hu$-b_^zZ^3lj;0G>WhwlvH}6
z;)i^?^<btLw~_t5t(=RaxjAvSRZUhHS$tuRkL}Z2cH`x>pW7~{O#BbD&%hd^h8eu(
zvDUvAYLw6G$|!(HW#lG&jC!$DQ}hgsxk3I~df}kR^ng2UeIX$wyIv?B@fZYKCv~>P
zw<*_i3pJVJ_ec5Y$~+QogubO?s>%YByqb`<2aBfuV*dBC@kP>sV5)EP65hx@I)=Yo
zmks8Q=x^EWhQKxla-<~mt4~}0o~8%5tgsqM%+_IK#6rbSAho1VS6OHzl8ekn8ZJ-Q
z#~VZpP!$c`J|P9~T$a9$<ttN4{4V-n-$@MRDHg~vq<g@G=o~rhhB(^ux1CotwHh~h
ztRuecR{t!~oqnbvwG<FIAB=BMppt52L=Z^HL1A392X;ukezkSOF*Vw|;-+^=avL=f
z68tq9HC+cH(f#+AJb5EhYVuN@)>6I7j=R1a56(8KhmB_Jw<^8vFF#k2j)Zj6^7`nO
z8PpCL6?Vvt|D6%e6M~R&I-!^c!)2{lN;4EU54O7<eA#uYRMLHY%$-kj+{Cxc*k`Rk
zAq|3>nD|vanZS2`CtYOg18Ypf+C=3C?awAN#=hgmo|CT%v+LCTBX5;nr#gM)yK4b^
z9P6}E+0z}z)VTH$Za@DeSmB`V<wyr1D^kT?D~!*$5fMg+Z1(E!qcQa}2Lp>XtY1m8
zH~6D~x?eBlv+vZIicl6=|9jf0G-T0=-13;Mg-xc{==SPOqSyY2(&p-i1a$)l+y|A|
zeEUxtB#<TVy;XnO;ZnNk)N2}()d0WM_YvYmDqQIBFl;1@k=>vkwuu(cQ=Mz|ci3MY
zQ6RjDW}|uwbu@XCdcA)niX&&Ws#$7pK+xl8#<S@+yISV2Qk9gXX!yn9^zf|zkulBU
zL!KLb<f|NV2UO^k-{YT6c~tpf<&D3&R+iI?7*S-&BWSL}spm!mDy|v=^)-Q)Cp}%u
zWYui-HTewm#(yPeWe~Qk3i(8Th0udw4e68oUgEex@%ELz8*uMYO5X)?UYNyoEw?;u
z9u|ZHTQ!OiX5zhcYb8nXWUVmw<~qd^*cdJ_J1V1b67f~W7!Fu3O0jLK&S5=?A+c^E
zeQ#K1uHczs;yg^J+^B&f3NCYX{=HbI?00eJMSM+PYgWMN+Rzl09c^^aj~Mui=8J8?
zdoYhlD;kOI=Dp~~)1$e-rb-qva+8$N7mcd!8;$CidB5>G2&wjdpr-pCHgh61ww_r9
zQnU4B8R7|3u6p?8G?JVp%SkrO%lT3B%?A=AR)d+s3J-42cJbVD?p$tA&lVrrT%Yyb
zu1!`K@6%Q-RV!4_&boiH5W$co%&vnnQ`@n?<5qJ^<NqB=?Uo<UPN}EN14T~RSM{-%
z%j9>n4;7iT_-xG~tWM^XdT6^We|HgEPP%<pqqOM3R_x11DA%z^cF_sEh@_0>`uk)m
z;9zuq=Ht=$3^RE9%kvY3kZwbrBy%P!A!=F+b26U3ssi#yd;8xtBxq_OFa#4@Ke2!0
z3dPTA8x7xIZ<KE8miP0wq1=UaP>I4fp}b!Ua|3MS=!6Yy9*=|&=?d^@vXMiddkl%K
zl)8G{?1-1Y9&yJdQq_gb;hqXoFx>)17F78vhn8in{%FdMe<kT7^Is=3Sr(W^r|@Dq
zT={oFgl0^i^eXdM62FSEz2GX*um0$&Kqu~2WbD*_T>-tE@=U$bcdNlhD)Zv($kUk*
zB<1oMaPZuVflyrcGOzO5wMZu(Yzp;1_^GQvJ8aQKyrne=hk9Pf_9AZ(54~(hKWeuk
zmea~YFyTzsy!t*?nWc%3pJvg13Qof@TGtIR*%L+>ML`JPd_sIUA7*^7m>8XtsY{EW
zgW)9-B%-~#V`;aD&m$ND^fvD8E%qdM;#+IYdauxPFgGuSvtoltJoQ;6DDA2J4GvLP
z>V)U0Q9rg;M*@DM_TI0zrqxRkQFV$7A>fxyW#2hMF2M1ldsICvbA`%YdzOXRrB0KF
zndc{V|5i9Bj3VKjwfc;3Pf<;SM8O~WFuyDXL&{(ULsCAqHT(;ZIK8x~hs~h$y5k_a
ztR@!tN>f(y*QirhH*8E$X4?8SFW*Sab<>Dkg0tS`>eo3$OEg^`HGim>C|${mtU!Kz
z@o`qqnbILH+Ox=Nzkw&eoLvqpitsT#y{{A@{&@q`1U3Iv@gX(^q1U*mjEVg1j7iR`
z%QMHy^+y2SNK0cdOAtYr3IIFLvx=X9St28xx9HLr(sSg*4X0#SocVb?iE40-o1hI0
zA3WP`+unLFZ=)LHt_G3xswg4V<sAxdS14sg<9P~UZ+#$ID{1jHkaX@G_Tze0`jk~_
z2kQ*+o!qihZ&-Z2G!Kyx!`Il`FsWdp%klv0Q(obd40PrZI=u3%)P+@Y2OVcu-g;`A
zP9mOK(@Oz;ef;YCTg=J$&I@ytGhy}t88#M@h|knyUXxAk&kG*7w7<`Yd1~a1BpfoK
zZPg7iC;=_{xzkmLaSVmOsI@YZ_~`VJ&`Dq^Ge`ng;w<s$H+<Sdt}8@@k1`09nk&l{
z%`^9iS`X(Kr+AtD`PHXjGt2mdAcbS7yHG5i8mbpg2CaDL^`_6EdQimm(;KmGNiG0_
zNbEj0dV?S|UnstT0Ytrm82l&lo-Q8Xzh#0%o@-EUfy^#$Jz>Q-I&D_Eb79M#c;TUs
zwD-+|B%tBduskA|BLS6Zuh|&F*^=X?ljVowoA$dXwBM;sx$kD}c(j)8*{Nu5#3Nzy
z2a!Ui6$0+tvn{<-zXIchBcxCE2QOE~O#@rrjEXkiq!a2D9S`?nlD{)K#mOr4C6)9&
zwV_$$0lU7zFOcU~4=tykj5FoLE@j%4J8y*{ZWaH1Qs$?FZR>MV>_JWzjLjM(G1lz8
zXGCWua;WD-(5T@7i&1)A8~OsL)^6NmOaD{8f;x?LDG$NjQX%A6qES#ychuLfsocg%
zSVJXD<PSj>p)euhxXqN;`!)QFS@Y$W5w|$ygXq72`Y(Qf&(E_B<3Moz1CQT`1_O{&
ztH<O12f$~<K2Zgc7`URtLiryhK?pNQewyFQ+W)@h-_H;!dr6Uq=$mW!+568c%fEXE
zU_R9kH@k|zGv~klo7e`B&L2;hu)u%R8=RbA^{xxg(3Sp$hyGn${GVa}@0e{_KJu5N
z`BA*ajY8>-rLCCNl{Fwt;WwRaJ^#}m=I|Jmf2)m)=I>Yt9;KXc?xA;RqBEQbR?AFn
zrI-O{HzT(9!}*rU>Wz!uT+^##V>G+Q^7GEWOEgYK>`1tYgT#aty*lT+r*=hurI6e&
zJ2u^u!i!2OsF%V24kbQJD0S&S%LNH%Q~?B`@eA$G|B8qdED*v1L8a^<%v{1j+zvfS
z73ca_+^$oClCT(azu+rOb!hwdt;vG#u!B6`nOs;N0}`w{xT0HrvF5+_z}I+imB~sS
zRWP7QfCbslRvt@H{p&HqFo;|f6Vmg6xY$wfI)~{gaM~dSuVa@P*4KS{R`}7WfUi#*
zTi4h<byumti4fFtJ(ygBxF+-`mW)#!b<^7|-*|6TigqoXZcqao4%7Nc9mjhzyM3Th
zINctq-lxGyr>#hU@;uajBXq1(KJH=Wy!X50v-JzvhOw7$5eHV7i^HhOglX7ds;-HC
zN0XbkH2Lau{b!__wA#z~ShfsAgAZy(On|~&kcQw#k-;Ffl##ge_pPdASM$i<mhohW
ztE`gm954XWY-bwX`^l-SrUx;_Y#OhjH3ihFUy8C!AqKuR(`1;+r7bW*T$_P~O)9w)
zWT%a0$JzOrU%&<1HyX7de0Xg;*|F_ntb+{7Ygkv4?J;%lv8S73FvT&zjvEatIj$cx
zN)VF)XPcXF$JTqA16`!P5%eAv-h0c+D5@_2enIzEhU**M*Qvi03Ck0taO)0TUL2W5
zL3kr#$sTK?RvS{@to6Yao7~ncC^^(`DxhNTN=>PYE`&9ke+W*Y4+bT}Ai+T*;-19v
zdM&GSvfQy1ss^b>i!+?J%nGY|DR85L8)OjCHQL)%NHx57C4C1V|Ga3=0|6DH%=v-u
zF)D?8mB(HY%}&Ho5Y))({7g1EyZyZi>IGSACLhRb$=74#z%SX~$2NjAr}(bAf;I}y
zla+$~I|-?VrRISb!G*c4tpS=HJ_Z6uWKhxPjM+Kaq;=A$3A`OvzdTYyvtO-<LKHcj
zlZmU}N%y)WU$+Bs^}le@G`PJ14h3{l2(q>rgE<teT{pp7Nr{s=D9GHoi}ttQgPRP5
zoHF*SQI~?P!1Fdt;CBd^g5aSJYcK^)S~rSR!4wEh(%vZsQ?O9-N*`ABiWtnocl-Q$
zehTQ?5`3^$74>3o<5%Du$iji~)#hQ~CijVchw?!6EAYTo%qYGV5rNRa6(@qfLG*Pf
z-+RXgmhjsP8>b=)C~es1k5&zRABDkmsa3z3Z3U?z-BDzm&pCOpI{C^!8PRtoHWW?{
zX0?;2h_nhU0Nwx60;Dbd|7B9wQ1vKGISgxDV}F$Gf4Wv!2N;5hVEnr;(@lIn{Vdi0
zPP_w1r<%{Lr(eq(mg#)g%j!3Be77peSrqlaHmkD5FbqH4@@oaxD4>BC2kFERk%3vi
zJ+(6cpi5yhjbk;ho&ioGLD+7r^yQPz2-12CX8~(D7(3|hTlux!c2yUQgFlsFlcUcQ
z0k-lK#IgD5hA^g5aR2?IPhI9>-@TmMw6(bwRK^#uy+LS#VNVZ3;D+>Er4<-W9S(`;
z7eI_8{*g5H+wH3Bx$8So*>e~EM`{hBiDsvNu5D9{E5HW38*pq6DutDe8PB=e8@IR+
zD<kAecg%b4xITG0ZVHM=h@f@s*??nZ7xnthHBjeP^d)mlgAY4A3cp#o-Fn8ikXS$C
zVR!~$U$TiSz*JLK>BiPXG<-&d<$yB!+32|q16<FuO1-P&Mbf5)a0qJ8W47754iG|!
zl~F>DEX|s$$L=P7HXH4!pa8$s(wKOe)Bh-~2D3DYVa_Dsp=p4~8E(D0^lbw4Q<Bat
zHyLrjxz!)~y}tsbXSJ~7ED98~@A7i_O`0eCb8}sX#9%U-kJ&hQp)%(?p%`MW8?Q(y
z;Vy=r^SwA2$Iymb?Z+cZ4Emc>wVQzQ5V@OKZ8Ka4rVwR(w*I+o${OxK?G=xI^Y;AR
zF;L#B&o{EduvrE&Zj3U)yn@^TF+_Nb;iLRV_yF;SVNML|>@#Knq31EG%ps;|zjKnc
zb2bq&FU#5jj#v-CI?!C4f)d*k{u&%KbRA)%t^U4n0V|ct@g48Q7!s`Ne!eEXi_?Rd
zgEsJ}Z|?gXPTI`ah}C_=m!X#KrwSVfr_bg}ZlH*CU_Hu3Rb@}T$^IjnurY;;V2wEn
zo+w+KsYT9d=iIrHs&<Q?>Lgxz|Jx(uHgA~U$x^z<*L#H%*`BknZgJ}fiP!<Itava(
zuy9pu0pEKmRhMp9EeAql<P<!ZD>HWyZFAc<sO4~~WR;B&(hOphwIw`VvUx}LZ4GQ@
z>Sw*nl1jbj{E5KJZ;VG;LM97Kn&2cu3GN~m;{|bVLGB&mNUnIbj(vK@Q6P51mEnz6
zsFl-Gk!U!EV1R+zKQG+^&~(DB;}{-*L#0p+z8vP6=+aGVgP@54u^%vM8?vQzcDQNx
zK`DWcj&yF%5Blc_5JlGYa{*0fMohEy(=Z9&<qR8?r^m!=8q(&Q1a_wM)>kfCsQs;(
z>AQd{<uICXIzdC_!GsDvcdJ1VQqsBaGA^5Uciw*qY6_M6o?99b2s!zk3i*MZce_iV
zO0SBimuST2BmIL%Oqb6J^LngEQ~LhuWH@jGl$|wdB9p9q8}j4lhtrO*#r6w5&AhX2
zMYCb4BR76_i<m2(w*67nv2x?4Jku-ipdLS-Dm4&~{#ojGSd4?Ji=R+HmC4sauo*SS
z(97jbTP`|=B0G;FNO-3t%S~FQ^uxW^I*x?q#y>^FfB!6@8T<jRv27B&qj;CwxmgP(
z90><Z?5GLY%z1|7iuTyvTl4f<4K7Ou#Ra^rXQrT(cb^SEBj(1A-TkQ5fl|sJHPJUp
z9z^3kt!~GIP?;l6f0twzyl&WMhT1Fo*_@<@nE#AJWZX9o0idv^NX3MGhdw59u{xrc
zu*vLJ+%go<!yG${QE<1|Cf3D1G3RQtcI*`w*FSw6P52h}=9N{1iwhLIU@z=Sh$u)h
zdOPiUgyU0?8qRW=ThH2-lx={$RKt=WIm*}Yivl8Sn<9AS&~|Yceh;2oEoX)GKFQlI
z%vYTYUMf$?;`}U$4L&^{4lWndJFS8mzUws~d@w(dCHB2+q<ToazhzLl%jFq0Iy@dt
z^5v297ODYo8GOxPW6c<9=Ui_V=H03uIH*L2L;L);ybU9KXE5|XNG0z}BA`_*J_l8<
z!&3D{8Wm??^|I}rBr^A_k@+-2IfJXHp!OkNmdzkDHPUdO(;Is|Xg`|$2#494`t2%=
zMM6#^o2J~yjaPUCE2(dnF6tp1n|BpE>BtNxjLHpai+fcD1Yi62eAkfKoXy)4p!Sr!
zL{2L)espSEB-LS?LVHIvk^A00WJR1TNcXrV(-`V)PWEeh^@Z6GIUYFo73OM49i%KK
zG*OIQ=Q%^%U#v?=?IThwHM7rjzKF3=({R67N<swR^KDaN@c-e>jceW=18Yqn-$*%{
z^&R$4U<@k(1YPR~bHg$NVQBiu*;A8;%$YJLzbN5Cuae;WNJ6^@CQ%$P1W9n`5xuX$
z7-Vb^#OTz)xasy7#kv((5!bnFkiFX$4uT1kYiK^IH;d`%8fmm=XE|36ogQs(OLH`B
zw>D8e2c$%sp>Oj5Qd|{5kW1Jd^2M@+>2e{c=$G^%r<Zn(?a!}2HRevT?(>J@ld8K<
zmU$WvMM2tbbEs#nGScYgbrF-|itw74SH1TJwfzj7ZI+S6DClb_b+wR1c*pjn<ewn9
zft`7ak*ZY$^_$M{2ay8lh<gX8gAI^QYUnIaR&NWDEWtIuUT=vmgC)74bO-x(Xu4NT
z6&cho{J5iaH7^Dg3aw+ULhWdF#|5D;mSWC$_C}cuP&*34t~lwpTfbD&?V2sI;hEl!
zgiP%KGVU#%uq^^#h;)Nd0nJVzH3LbJ)sKdlkWnzCukH=%Ii*^4B0aev%%!&xpLYKU
zG|m?UYiAByH1b0254~u^e0?`u6Q#-P`xSX}&WxH*#K1v;vZi6G0i;#KN~~vpXVu-N
z1ld?dGcU-{UX(vk+P%||)TqI{KyFgO9Q_T`i5Nys=Y@hmzhScsv;sd|IcMFT{R9dz
z$?-*U?k&&sNS~xD>P>qur`G+7M#y<}B-9=Na#55tlyP7_Ru;)i{07-vA!kF{=Xry_
zZ%16V8M&o&60gWQA3f;DDE*1(L7Z76ZxoVv+?z%c-SJlSu&Vhji+bwzLwS6QnBxjC
z&Ov=H%FWj&m+~p(q&@wCVYGHB?#KXiyu_B%!#hxoW%?M79PN!3ayu{G-HWd=+T97Y
zQKB3-<`zrcZ{n5ej|q1L9?{enDqA@$XCW3g_c2^JHJKx0G&i{I@7t8DX$(BFR9E5f
zI0mc)9)cgAj=tMCSKL=N`BwClrJ<mps?lxG2e*S7ip*wIId6=O$byRaz1q9J+NGBF
zX(2|69vwayGFMZvyDQfob-KymgzA|#z5$1rNNReib{jHWT~poHUv@C6K`f|Vhf1|d
zayEaPc=;g?1;1zFbWGe?s$Y$wp&!P1dvX}U^C}9?xbNnuiEVWcb{uP-VYL|gGD`Qn
zI+4*Hs944;+iDRAbDXs!a(leV<EIt2I|4#=$8nZ5G3E8~@}~XlBo8`N$q{G%cxTjy
zG_$FEQ@nBMh4y#JMR317BMSi3Vbx-S%xo9m?vsuduk+(wn5DV|s>jgnm~0vu{&t-#
z0daMbF4r7caAlP6x|hSo8)Q>s!~JUIWcF^NYDPAAS6r@L=`A2wI(5E~iR$gnyd6e+
z<m24gFNoqZ-=x%I!ktLA=sVx(Bpvsjj7Kn0XG!noWu@=1cB|~4+*3zY*eE<_sfc8W
z=762s+?zb&$Tc@<r94`uWMkCR`+)Fc{_|mG^fvz7-bf#bS4LzP9*sCZtir&%<R&^w
zIFjr`n_j5i)qO@-Q4QM)GVbWT+Ao&Ayspm_oM16Y`ObqfsB+7q>hCrSV~djtQ{ytY
zJn^C85Aa$H=2m^%T2+Ng@i<wY^*4`!w9)oZbcAx6EU3oF=t)f$?JXzDew}#uO)59n
zEfOLvc&SRAYkW6E&#3veP#yosu4^;a2eO@*sN4b7X5vK$a>tx#uz9b=xvO@@QBfnv
zDkg)jJ0?0Q=mVkkENPe2wY7-+H7gsT0V^zo;>U#?K}rE)cdP1!%;J)2a|e6)AjFwZ
zPv}^kO-{r9qkz!>IoTQ+)V_#}q_u)!-il0T$*W7Ituo-a6ox>Y#t95linz>LQA3$T
z+$3|ohjt`Hnk75EE)}*}ytcMlj%Hzjay)tb1hn!*zIR35+MAdM6G>fl|BRJ3^Z(K^
z=19>HuEspfH+4AKG4bNha*hqlmfSh~1l^^>b@xHvn3+fnd=;UAR)Rob8$5K<h6ZHT
zBk1sf7e5&2HGaS5<^M`PI+7!QRpFcaZ!dr!L&sp7Tj+zi<N*!I@ftKBSnt<2BNn^l
zN)d8K)%YJ-&n{m`Rq;p0IUd<DiZA0m?T&dY&7z0pzne!_*+JLs(y59ona4Q`i4oB|
z^TRXGu<dv!zy4qaNxa1@d45|Io;eY+&D^^0XGR$Xk-tfL{cd?>r2wM9EW=z*9^S<Y
zOOhJhKYLCP#tUoq#e!T+r1bAc3_L7dvX5=J7q81)FEsn&k3s@l^e}>yKy6>Y``2Aw
z*!i?z7&VO6uVFVW4w@ASxiNN^2kJ+=Td}+_0Izrlk}Rj(3_}<u$vTp=wG+Z*Dqp8_
zHrLFnIn;HbsCp(0UA(0g3Q-3~$187Wpv|@2x6%-|kvKZHjhxU?5Rm{R-F$qvAYWs}
z3EN&)!byACTQ#w~*Kv&FmgGImp^)5!SIj0MVqe%u?8MI4L1bs{om&PR2g*~X?W&}5
zUDvmUCC5K5ep;K!>*Hk*weEBAeQj*3>dNQG&L5JaPw%=6Q5KXp<i{Z?`XHZFclRrb
zT(z1Fn(f7>CZ)fuMB}}o-#j%kaDLQ;-1wGrb(!Fy8Z&e!bK{JXX^7}4QbMO?0zjg9
zr7Ze#xL@IE#}OBH+yfRfGUy0Dz8BUPB86qzZBC;-t=$2YI(8Rz)HUqg;10zLg|m4d
z86^gz?8hiZ13kTwjJL;M1PLW$cMO4)S?9KYHcCcdh^m-8auk0MrF5oZ8Hc3DPL^m}
zjNyS(+@R{=e}h=Kdw%Q<@5ftvqjdM)Vf6rH;-zzF34vp5^JEsj01Ri=<<W)x9WUjF
z634VXL_B<hC{<KSc;*&i3}!J-H>xwyA(Xz|;R#|pyDXDQyu7q_x!(w|I$W8>$EbCM
zu`j$$oaoc6agAzJNz)+mPbHlnVPiFmdaVzA{7zG9s`tw0aAOU-dy?SK%}0@Bo{tBZ
z`81n%%q{x_XPdUa-{rTzciGev0|^K}qZ?K#Rn$xJQl_r?Rg56~%42{!7S%lbG|TnN
zxYv29!$FW9fL6l5w&kQK$d%ZW8X9Zf#Gq^Gk4+f0$QEK#>nd*e)C(DL?Y@onDEZ}M
zVe3T**-WG6g(2{E`vil+@V#_)I#^x;#M&9;tcE2@O7g@>vPR}?L(t}OS?&54@9%FO
zqcoKOCd}IAQlZ^r>Ijdx<@iu@pbr^GO7((yLI_U`R|WP;E*-#3hB}1#ui1oDcjQX2
zdmQ2I?}CoI$419E5BB6xiT8-Bp<6Tr2()y+U;KwIVm^*$IrJuNN4SsI<GuNA`C$nE
z_R5eU_bjtQVKi~oC`eV`zPHE`rqm+Z`$Otm{Nj)87f3qct|BP=dGFnz^y?2C8<=5l
zajw|u`U!n+TIiCoOR6^e(xLIj`AtN2t5W^(_)RCN{%EDCu>~*UzE5`gvduC<MLE~A
zmw8Mkf@<!KQr}DHT_}hjzP+AY{SDgoYM=Q=Wr$si279M4;$0;*=PYm3l?GL_$*6mJ
z3D}L*FP#^8{hIGs=1k~XJZKLIKVUX_7@TAPtFWyk;Usuv!p!)vf`m!u*oci1>K8$M
zbkQeGhZTFjU6`u>rU@f~7Xx>McG6qgR&M=aM5cwTS%SI@8P9CX(6+WkSDa_x3!cgz
z#T2)TlXX`u)Hm-i0+{GX;jKm6j?OP<f6Tj=i0@nA&po3~7{=}B#NB&Ks<|u|Hpef+
zvdK+(H(O?|sbIG|-9zu)<$2udyUNigVMw)CMN7+4AeSeaC4YgxTOG!+%jEA~^*i!=
z@F(N3TO`L8Yh^^@$&aG0Y}e#fI)=`UX$2mpPibf#sI(<HpEV-+){*|lmY2?tTJG=U
z`VOo_lHBc;l$eOr^a@&RrStXBEWSwa%trpZI-rK`rw`tuz9ao%<h2b2Omp`7jeeZm
zE;Pw*Y@Mj4?(G$n8TtF1B&t#lNnZ<NZRbx5Vi5=3O$AI^6FVmzg4dZM*yt-eO;~&w
z+V_%ZGzo}J^UA)S4>-n7PPp)1EX0Xfj4*HwsWPDKqPpIbF(5y_VO2(ypRCA0o(oj$
z=G{IVv3Z*kro3M}$q9>8uy8fWGBnV{93CFW>ajz((Rx;{31*Qq34a8oIaq6VUpL4;
z7QCwLVnEYgxc*kU!-7y&l->2!KkV1jL}#C*ZJZ^$w@)4RiI6>ryoH+6Q(`?_I7_(@
zcp$z}UHRnnVF%ur)H(@y*hKs-sL{G$gL&KwH9TH1ZrE*6*gZ-4`#tE)(1tqJ*Kv0!
zdpfale<qz~GTRn)a<FkKPmheNpi<I|wr0}#oEMc7g(IM@l04+A=6?E1*h@)%Y2L7%
z29A=L;TJei>7M4zydCPa`b<f~^WhMeL{N}x9^o@35;`xQ#rTrU-fDJgue!rZq(z2j
zKC8-%i+dxmI`FX&I}g%cz(1CJm?4)7Zu4+MIwbBv8Y2bnPF`L9S?214s<r%p!`pr|
zJK+piuZun$KR>!uczWBf>M1Jag;9YOND_X&%};u47r%SitRFd7ZEJ)v*u5Qg+z3eb
zrRBh$3hZIhobLtRg$s){bK}zuf3}QjukmHT9*7^?H<+T?4Xv3kE*{q-l&=W>G+n<t
zuh+KosfScld|mb18&wo8ThUo4S#LgqaMW=Ieis{2ZJxnS&AK`%G9oqL?)>b|ru={?
z2i}n&>YcN<j&k<39BtN}b~GhDOPUYy?&lN?EfIFc274IvmPH#dh)43?P>S<NWhB|J
z`%M#X0OfjwTJhZmysm$^s)%$c0pe=De2MfAk3RV8Asgr9$PCX<H&{|VZo4L`x|79(
zK@6SoFVn0gDWC=KssBh(K$&m`(Z2x)?B&92y!gY`2&yGqkp4o50?PKjz^)SrDU>23
zsB+SAQLSgm@e%_`!)SJLL3F#5Gf9#j*ML}WL8DVL@<8HHFYTQrX3_pR++V%&1@GY$
z&{sjlT+c9?i~yJM?I2m{82B|kH#=G&-`umD-^~OB^8aD$|6gM3t*je9X}%A^SPq%*
zMttdbO|*%jnnfI@CVqT+*2S4XC?5lnCiUZcek1e?P^wX~f01yCaa^%-b}9Og7`2^0
ztZ0or(O36)F_NcHXVG<|<lkVbXXmu=d)bT?N7I?@&tfa>;^+6A=^N#6ftTo&%;oV1
z9Oo-BUBl0HO6B-g$AXI+nY%2T<1zsn1ookUENrum({&DZfKV@fTqq0ll<SYh0+eeI
zeY@|A&I*8$<C%(6BQII-^Deb_if+{e=Q6?fk#T0xvbS+ZnPEN$zpa4n!2k9IQCYlp
ziOys!tzfBKC|(^fkWJx1?8yvf<hY8T6~;>eMpUl&TZ_KB+3L6Vhv$34Hs1W-ze~*q
z@)*_)NMD`1+D%lv*9KII6tR_enOde$B@nyB`h7obEkT0O$U!xY_&OTv=4{7D>iu5U
zeis=(i(4}s3`;x=eh(L_n9>PUAv@b$Tn9fKr5v|DY%>3u`BOxyiW)LLGg%C4R(?<1
zCcn5jQ)hXc2B$c97t3c-VHP}Xr1tiH`&6x+4X~^7e@OcoOF+ekWyC+{yDhaoRa>H#
zBRP2pDEE%n@8878(ozE1F~wQerLh68(4%H?`p&ELyZ%Y3)9;Mb6BM$Cjj{J={2dQi
z>~>Svx2ma$;lH+I1t#`nVXtU6JUc$J!K$2feiZrvlT-4xVCk-vAkdkdtd-F0cjAlL
zZi6>w=LkbIyXd2zjM&$KV)}7DJ?PqtM4*O=?y$i+7K#i)fci?<tpPqG13tq{2An@1
ztbpBy1!NBrUvM?i;xscLt%mF-BM65ygn{x4?8L;8vWh?z2@3^T^#8sU_|)DrVj#}`
z<qS@I3jV(^pN=4m_+U$@2*TjDOcZ?n{5i&Hh>RNxB6yL48OZVfa3Ek9!i?CoY?xsL
z{BIuyKY!O?^eyg<E*jGsjO(v%!h&epER;CpnHJ{xx+snT$+ijj>uS$g?;aA-`D?(<
z8y*=IM36#`SpwO%`-=`GO<g)VfpDKXxnDB3$a`^vmr5?HXg;<%;BSrn5cyp9ioG#$
z&w(V+I?GrvAphdDXPdC6O76wtAII|8l=5=@>Ta&*MP^H1Q~Oh4CArLrd$@p*UMJZD
zYF3^J*ROMX+iMN-U|O>#4fc-c>K!>v%l$-e6;qRQUdO6WxZwC>Y|t9gs;b(~&(8}j
z`1Nl3Uw#ip4zP5;e${;X4j$zdbE0P&T*z6g7QDf{5>vrySGgGcxCgZPn;<&+$h?IA
zZ8tF|1JM$i_Z#Eip~3d%fa#POSXEmOR-GQK8v+~i(&xAQ+}ex1w%Er6SHQ1&2qq9?
z!Yu{$n*NNbyE^WlD9oByi|xV1bV>|}r#~*IEj%wWkbg&ot5c@$Ah<GAsp#%mQ=AID
zr$F4uwv8P0obz9)5{?7%GO%u2E%kHX*X%dK9aRgG#|A#&`d0t5sZLTEdtd?5ZG=C+
z0MBrR@djiSeDgEYSf52}LcV=UPkr|Br_;OQGzv<+ien|a022+k=*zdlC36Vm(K=pr
zGbNOWnx`V17%~+`NLdQZxFCd=m^JZm$)MXUM>+1BQ$N`?a_oV0<w#pojIlH@g2)^a
z|0V`qaC*+$POzHw|HZww0o)07K#cUs&J;m8J({*mkScXu8Nw)_`9Hn_4%m@JF}4E8
zZi4$ljTra&3~*DfA6Np>(IaCCBROg@xW6G_WoE1wDkCQEy@Ltv2~|{B=hIqTOp1uj
z1wO_A;C?@w+?cE`19oABT3(>rVQjJ`fKc}b((2Yg_KVjWKml~GR*0dVq&BpFv+;-G
z;u83C>oB4lP{tTajGOA3#tXMDFl_)|g0MXLdFxY(hMpLs0I`U1PH!}>m-j!X`2o9w
z$u88)iDH=SQt{tq7eHI`WCL%$YxWcw^qi!BXudr(x$ZeNdbuFo#AU70AKV}?OY^OO
zRWz?@D@tV6Ycc<Vr=LjlwoB;SYP>oie@dLLepocf`&#8_YiEqP8~Oj^-6*0V>UKRY
zu2ZiHCxJk^WZ(lt(~YWrK0y?+LN?3i_ouN!4Ths8J?Fijx~7wH(Ak$5g<xUX<C`4*
zB&|)>LMeY|IB_*TgWtE0>e;ry{q1@5j02yOgjN7a0_0A2#bsV7P(ot(+Rj~?mNV^Q
z_kzhtxOGY^z==2s_(@oa?&rEkq*6a%hy}c9pwt*;0}Y{yh`;&UUH|>37&mFQ7di@N
z6qz4zaXN_+Qk3p`=VyB_XKbAU+h)H(%}aA#Bj?xd8xs%iMX;%+O_bHo+5(SfJ+PLK
z>Su+MGQcppEWI<59Q0xgi<M`KySv<cUKI*9vd2KE&(pUcVRU48{xeB0!m?c{6U`<2
z2Z7;j6GJ~U2YsLN1*`&(1TdtyJ>ZKBq7}489Mhrgfhy6KgJ8184|Z$6PJ_682Z?pn
z?XU?njd~nX$#1~oX#*7OSV%C<J)m#Ee}aHua}Is?UMA%=5lv$oIR`Mh)MW!Va~+Ue
zCu+w{*5!wQnS6mqV&DHq(bK=QQcSZ5#{K6H9Np^AnNW2=a^>*4+{?W}oRX=+?W>}s
zcD~@K_p&WI^|7TRP90lMtPLC8K2f^F2A=M(sXL8aUY>0`u4H@W(7W_9VcBTZM_}wu
zJW0h$xGKP=^zqjKdWH#{RZ2f8V!_1R51@dypNRDn^Sva%GOZBRjF-9e!pQHbz)1sq
zNtU3UBE$dc;z;NH!|O+9zz078B%v2zZyGD181dA_*H~>XcF>`Nmmppp`_p)<!9>C}
z@OFMBYcw_<yVwE$m((tjay{;=AuMtUV}hR94!pYXWSI?r$Uw%WXBJ6MC+3o$?f0i|
z%Tv&1s0Jv&{ra|Kx27HHvnh>$R_WfRL@?3=Fqi;IETBMu3EQA6`c}3=^n-<|p0=el
z>W)0MN4Ng202CM%z(%+iqT-SPviBWr)%)OW`?0g<tUk=i&SEhx^_nhwn1VPF8n3@g
z-zIx0lSv(S{VSO6l`w*gADHeKn)K>U5(zy3L1P;C#ta?Bh)B}j0RO?~WX)^44?H&X
z(o5$7JgWpUU;9jiFit&>$Qi+nOEm~VB53y!_bi)0cM<E5@^@75F@1H~>re?@A9tvq
zSxzFl1DZ_gK${Lt96k|c<s$@g;m;v30Z=!zmVq<0VXy#T%A>996dY=X(&w?2zDHX_
zNl1oEwKoXm6<a?48BCK2#w-=(Jx05i4-DFxBAAF?@av@fP`aj0y!lQlvy5h&R-LF=
z0XK>A*kO{v<6`l{#{QvH>1>*N(%d`lF_uJ6bhsLIxh61-a8)JdyUtRwQQemEsfh`0
z0NP&mb$mNju+hh3BINwY_x=nB4pT)zc%TGKXzhvlZQzSmmwhub5Chkcx%fc`h1n-a
z9lqVYLVhxfGDk%r)$9j|cLn#OHef$ug5>n(*=gWL*J6k)HYY3-YC-D&@*oP^G0c$J
zIkX8fb{943^j@{w{6n0G3(PZ_UCkwmq#}d~Rq-p)2!w2QiJ0CDYmwQYKu;;*EpWzH
z0mw&5va-Z|RTWJ>98Jvq{AS_9pUl_=j1?k(lCo+MyNao$ewn7<((`=9oK<I|;8h=U
z9;3|UrtGT+jlNo-A5WyXE)Rkn@$82J4==%Wv{fGEjfzhku-9Q&kvG0->l$0>ns{3Q
zTGIx(lxUslMO6yXGexJODQ+0KjVKI_c6ILqqO%fs`}J!G9`4`Ab0oKDMnqu_UE$Y1
z35WoF%T!Ri-H#E`akCQuW8DdG#fBc}-RLBwyRqd&P^@d}|FdC08I^KyL)RBTfJuyX
zaN6ea1#rZ2s)As}dc{Ejoi*<7DP$xgK&&{HJ|G|nyKaHaM8*rNKqk`1<+3nOOjNfY
zS%mNlM0>I<UO79nuz$=)<CTzygvjF}et_IOOegemo&wuUF0TzNRE=vKizS`@EGNO8
zQhDTcrjBL=6AQ+3_?LS~-2FFVg1(gB1jV{2n{>@+`DJchh0aJ%Zop|D8~41;4_}ar
zB-YcSF?LBRad5CcG{vH816EEU@b94YV4<Fr30K&$J`kd^VusF7_OexfPTJ&dqJH?T
zeS04oQ^J%JhP(!x+wP!3TN-j<lDPd^{+j(E@GuzZGK_0JRu2-66wMTKU1r@U=Nobf
zC15fZo}3}$0+M&QYr<Y1-YR6W|CsjmZ6+kGMa0A6m*`;d1o8O6Aw-a)q}I$>+k6Mb
zUM8dH#UNF>Px%dVG+IxSz2mVXRQX$ebX_$AM?5AG0;6W6>=qyd`YyzN5CCM<@z-V$
zO#;12VxGK1K~Yk;0+Mb8C4}Yzj<b^Ko3VN+=o{FfYSPp<x`Xe3nHkI#do+qQD(!2o
z)p)lokcN<iO!dVVW_Avd_=sG~IHo<iMOmcz>ka{hg(Cv-Zl$VVuL4n${O08>1~l||
zwA+HxIN;(ymqjF^)Rt>f?pg`Mp5j+0p1@4_##@?$y!)VF2@@O^Y|F5$E&f^IU|W8c
zO{u;K_OcdBh3%j%T+B0GxVY(qc3HEsEp)Beo#0nCf@vq`2NHL`-u5S#BMux>yrn<6
zR$u02Go7*|o^T6lH3?ebNU#YEEZQFDwNI)`TXRYH6q-cJ27rkmv<ZNdZoHZ?ykm<a
zeo*D|h6c2wBobm1QD40r9A1A#iBDW@eE_k^BNCglo{fT#d_+#k-c)V!*!%;UVEWqG
zHbGw)k9e=(vl4RWN29oxMO5rq*{;vt?v+2a!N)+bWx17qVX$|upfp>Afx_yhpjKys
z%;l<u>v`}y+BM`AROPn=YPjk>f5tD(UI$ea)t?Q!jSLJeG;|Y8$$vsPOe+fGL(pH<
zFN-Un1UAo|Lx8XTg0_!QxQiUllv%k%c`NU}dc7_+zcb&r@HPvd(zwFSNnLGaC_CF%
z-;JqE(3uEx7RMC6nyUE}!@}HuJ9wW88=)b(fO~X>gHPh-u8<C@;-)87cdGhMMA?+#
zPo|cEdFgAHrqkOM&=<5Rka8mQ?ZrLF1B<X3(3;7&ntM1bwsL2DxQY`8@21nel2^%$
zhrpfTpKUEBo5bUhHCPQ2f4V~YjaK3)c!()BcA^~E><eH1dt6v_4B9BOk0W^rKwn7K
zYeC;bdryJ_e$ZwrGRmIJcLI>8)8q_i{u9NT#LJVS5Aju*!gh_JGGY=Rfh(5JN@#MF
z47zlA^~*ryjFmc)Pr6n}<_t);&nWKNYbuWqv}a(Pwiwqj0GL}8G@9pfnIkrT60_q=
zUk*#|#nw8`N#B1uG|co<h;~F2SJ;Hfm#&$X1x<?eNZfunk;f&!=A$I&*V`g{nz|2c
z)yn*)Kl!k`Fy*<8|38<D!IOKLo$(Qp7`_Q$&I5C`D3Vio)Q$v?1aNA2Fh`w|$=Uz;
zP)3p^{Qa}3j18d==zbd`2S?3Nb5y+dLe?FA6|Gy)R$`JtB=geum&r*!h1ni1pK6sS
zf{Nx*kWsPk9&fEs2xkwJb5E)s%IR_tBwM2&w@5DJcQDrB?nyDOHBgrWBW<xUI4DQk
zfDd(aSdW(#LqlXet>Ol9Be}|-Ge$ICIu{T0PM$aD3~Uf;%&%CErFDEA3A+pBMs)!j
zA3g^4SEHQBRxySf9tr%rUhkSv<LiMdUBu%v0L^%SI%EoXeA;Gvz0Q;tN|PpjUAw~>
zed`x+^td>9JBMD6>QoXdqSU>Ai9vQvGFdB~!x*G&<DTa<!EsT@YcyS9X8s<1e+2ly
z4X!RP;@p6O)!JlP1(Mh2@nNqtxSn&T8Yt^NQz`@SMJ(FiC`Ai)*o&}zU-HKcSo*LI
zbMAk_Iux%nWg-(g9FYRdfu7l!TsozCteR+jm}p{hClvJSKBO`I4w}b2r6L$8)+s(a
z(Zei1w;X1=LLQ;ate6y+BU$2|4xW-RgXYGH2bSHUG*EsR24magcz^T<zCv|Lc^V71
zml8QKhW4g;Go!sJ;hLF}-c^(ak$1EnTKc!s$4a;DbP&OwWcj;b%!$DYH_4nOpM88%
z32+h}8uv|@FMUU3tH;`CR}^9*DH^eGhY|NyM9e71|2(e#s^k<NKr6Ku%3n`YUv~~A
zqJwF*V*G|%fzE=D!sfBV_2g1w8Dykk!xi>-+`h>T&D`vdqJi4;T$tzR86D3gv8iVD
ziXP90jz=}LSD|MH^B^an0yVk<K0#{$5cZ<kk{_ey)q66a1n^4Bo<{M=J|-*SMWohZ
z7x7pI=E$@oi_EeeMyRf*;cWx^dE@EhWVMSF%xTL>{*d5%85aehAVx;Xf(I}=BckO$
z;AlM$6pOa%0Y@k;<Y@Jwh>#<_91vQi*GsEWYy>yMhCz_n04(jA@#EN~gSispTAe@l
zdM$ee>f$ksqj#lzsY|UVo<3XFYpozXi<`Rg0gF<+8+EFlbMi~XK90G|Pi<W>Xw}5S
zF=3Gkz5F~&SROCb(6ObqzcgGsN{_~rjQ38d%0p}<ar-5r^(5r=GDyi4U+&TWU*8J=
zpisdNbhwDW7Cv$s06#n6yVo;1Y6^N*KD~%}wyOW(vniu+S61W|UQym4Gkugr%;#W#
z3Yz);DkF%dj_&1tXz~K4P=sCOlW!kspn!65;d9VaFT%kJ^J12hD+Ur%Q8hS_hq`#`
zP#)6`LsoH@yFEQ9z!0ORdMm;u=q%V98ATq?42Z7LtmSu7K|$~C!?z~dZ<xVuppsh?
zAb*U5IeFfx{Nv;>HHn6xD#J<WZT(O8D}f=kfz#N<>G`f50W)lsdoBKR)0X(kL&c2&
z;3IlTKo}<L);=1%p5|$|_vu|!gB*&iXc$2_Z}UO<urA#+pg|rTZWe$xwx}*)GRqWt
zWs$GPPNdJ=KL~5uT()@Cd#;ElYWn!0?5Qm}8f2VW3PD5uv=$6<Z_rEnN&2AVe+=Eb
z+~-INZvjBt^<Sa;mHV9TJ=)-AS5?d8F6(Bk0+n^Eb1vG<ALS&>u(48oOT=eP52pHC
zMio&4%6>eZB#Z-6WXA1T`n7A7&l+5;R+7SB#@vEtDJ_<<<-2t=Q*py8dgpII?I$V_
zTLzK5xKy8VovS+)NQlUE$VsRVlyRa}Ilr_Q?9<3~UJ!_MD`t_cjI&ZgF(@4$&it-I
z+?+U?_Y*7CV~0aG?YFp~`eX1c;$BY)eXb3V)mKa#jc8W-=ktCpMYImIRP#aB4ec0$
zl#nk|k5{qnoEPJ`^iQs2hAXIkQtk5se(tM}2su=bEeEt9hpAbry=Q!4LFCM5kGC?M
zyM4)SM~iiV9FV6m8tRo?4&7-%G#pOZ8IL`PmeEYv|9a<gt!ogF?^#P-HmYZ!@Vv>b
z+WhdE^ruhcf~{nw!;|6!G|@7QR12NfbpX5b(F<GHFLb;f;^jLHDAm#{<V1{t{$D$(
zdZAHWONTsli&Qeb7y5e+ibuCft~oy;V0XM=W}(X%c@CaT{@piB``J{iT{A%Mm{YHB
z^gyoorO^l(DZv{r>R2}q`ZvMz51;IEn1t8LZ(2$%#==blPP+6noLab*^;>*u0Z;3=
z6{Lxd{_A?OxD=QcBMejdKW{N&+(r_w6we>ZAKuquPDi52#ErE%v9CY8230m9@<+#1
z)d^7(SQ9_PMT0|`(8he=+&cbeu}){*rv|Hkv8}<{b~@7o4X&k6XXwjpm(*0AhQj(J
zoIAY*vOFJVE&-18UWLA$5$@NZYkl`WYUFNF=#xR}K!;4KT!}6C0*-4K$Wj`*jN@x?
zL>(~|q~20$^s8CuFV6USOkmCO%0W$3XgK)xfjGgD*IAB&V8}MeMB&(26JU5(EkWov
z&5vi9UZay;Amaoj@heE_P=hkWK${2q?>6(4(d*(X>}*dOIR|mwhSZ$CfO_b5dB&eN
zlQMQVKi(NCyxSmnzA?e-5T}gFCobcn4$cP$dlIwC8fc_Sxxbbtgh90=dT91*o!3cQ
z>@OUzw#`%3JnYSM?~J!0YcCpHUT3=>1yan`uaFRLWW`IV8aay0?Cg{bPmIg(RB-#|
zm{`w*yn@dhRq~zH8-5<tSPrzRf8yiRlIz%_&pRDBE>(6RUG}v!cg=qFYbA^Q7}ONO
zu9y{&@pIGn<rI(^|I6b5GQxaR;S~nV-l;&UT??<?_WtT2QI<@}U>_~99jF;)ceXh!
zQ|d7+Qm1e*XkS=XZ@3+B&g-};@eX-l{hb(Ri{AE`jL)2O<6cxsV{K2yOsQq{n1|YD
z!Do%qvkKF>UWjZLFKAP~Z`(n@#aE^6$%XWz`W8>v3q#ncscu=|*rlal>m@4SauEv6
zg&some%JN??q&$MnEajX^;V5eav*-9X~}0$J>W<ie!6=mV)51MY@=McZvB-~L75%k
zRUVZ@D=^*zNi{!Gs}UgXzt;zdC^%^d!Y|)q;75-B$cl=Tk6zBMd&(=*`t<SKYPZ&B
zst@OC-<b7oh%sQwQ}fXeOH9G?#$4#-hLY{7(8HHH$nD(T6G`LG^k%~W$Ke;36VqF6
z^Y&aXSYw7R>z#Hr>K2ui<U>dtRbM(}ULM%g&3#z}O42LlpETqI8JG+s`%g(Gp@|KK
zeV<1i<=46cX<A%U+V~i-Ler$Iu8lG}n(#kdbc}I`n3|rL8J4ncJKt?`f9YX{oO!AF
z^x~-Xeml&^rDpJK%~zsy4Qs64xRBY70%i`?@cWh%;FzghsyQ;XRr&cqCNHAeWZ(pr
zlkKr0>@oV@c;n5h;i>-WS@*OeL-p1#hf~hFN|AP3em+@hJ~qW?o@f4slW`m*HMS5(
z3tcIf^uenWeBXJLUG&Qwx3g58`Y|1m<B4aypqvtGIGgOr5-yxgGn@`?+H|0Cml@H2
zDsJMRCM9#hn|@hgxi?lmbgM*X>J}+!J;$ui<k)#jH_5D>Ow(4Ft9=Qbu(5Bx+MWG*
zdXbZhS2_iw-5wjkO7hf)AC&)MW*cw!*Dh|?I&K9H72v3iiHs#zZ#B$*^gj=_bhlsc
z+{{_ITi-N{Ks9jP^<JX&kVg(~?jI^OwO-cxq}H|~J`+nXKbLTs!y#@L_;bR6$~}n*
zsKBAydX-M^uktiJg)NY;cA6uhwrAFBr1f;c(5~LbwdvwVOxYhr$Rty!x~t4|s|UTr
zQIQEu+7dLP1(70Pw}S6rIGrJR<$s*j0N%+4bVb2|;ORhLF8-Z5F56nT__^vt5)G8b
zZPT(xL1d}20PtD%$ttOvKO{ca;hSXs5~-r`Twf_A(ojIfhwn@G^KDFx-}SSqV&Xid
zAMG*_nd*;pmCJv^ATmogK0TS4<61*LCs?sZsD8~zc#F^Qa@_QACX|2r%rwB3mv415
zlO0wxv}`yLN2xfip&C#rcJ!nUh^n<X%x!b`nWKlKetVs{wU2wOBO^9ySQ@8mTZZde
z>xt|5Tj7q5bNiZ4j|@$`LVnI!`!;QFaF3Hi=Ps&xJytytF%e>G-^vgBN9Q)PB1Kmx
zKekW`P|o`FsW&XzPJeFS@=(t&3x#j2;C4v3N_%W>HoF_24KE%|{uU0L-e_VMH&;5d
zG|jd!CKa9Vh^rCfVa7|ls6~~FU&dO@jDoLJNK4eAIdHdp3;ityzJtL*w^Xy;L!zac
zG83mMYd-7-I#S?3=EyK6T+JRnyIHEy^Z_OL6cEdY6LZdM{+db<@dYf7f%sSM2+I6~
zCvXe?A-|s4rX_NY_~V(?^xUfV962_sy63dy1B<09OJ5JsiEp-6Xi$OG*)zMM>oav9
zHd`<FK+=}^-e`>L@&>a<tJ(iqmVn=#yuJscaPM+VYC&Yk{Pvy}XO`w9NIRYWQLV&>
zXm{$IlD4?+z0`P?wN8=uX>GD+f=%jFe|T&&TeQO`NFm&1JwIY24<A-L*WLCim-o0k
z3Le9<drwyh7wfv};FgV>Flwn$K^~`l6%{yrkEUVH63bx!%yDSy8HKZ;<<^RaDl$Y~
zDw18L&~C`NlF#IhLQ_G@<(iwF=VYJ9IBjT_(}#iRJ2iFNL5ubq*T<)4C4{R^3q71x
zD2^xc)0xrl{N>4jEe$EAJ(pixvX`*bZ^Xc9LdI?fdEk1kmX0vm-#j{T9EhRe{uBwZ
zs1cF*SU@R4O42+wlW@y+-2{Kqxh$bVLcIwYNBrP)i`TNu;^c;+Kp4kdz$Bm4>5H?q
zdedKN)H{Nu(+Z3Xe^Ej)|0FniW?WQ>zTDSARqP@y9%ay1!pzjZTonDe>VajEc|S8P
z@riRc*iVD-FgGtG@Jjrc9piF9yr<-F9LiZMz18Y=H7t81a<!`ptIX`FbK^6sq4|7%
zcd|Lbce5cfF$3akcs8Vu&)Ft@8t&ifltT%9R(@xThpn|@w>vKc@_btLbP}FB=$4ku
z!ov3|LfFB)%)`!hsXvwb4dVS)gA89y&z#>#YyA0zg1mgoQ5VOM6kiUa!T%47$K?f7
z46DMs_IJ5m<c*MDl>)-$P08*tPLW$p_3;2&`jc+`>VBl(V4d2+u!hg)T&RF*y6sw3
zr>kf*0Q0g)xj65&t6RH@$@g6Ldx5W5D)T84KEq5cO!B*<qq>LWAO<0G*I91beVTrw
zz)oo@5g0vwD{Xnee2ht7+C*&Cw$W3Zbhh1crJV09F;rko_-kr2{&Q+EaHBgKBC-*B
zx3TkQWIs*XHPnCO>@A?G?A9(&L6DMGKtf6okr0tq8YBdyL+P$fcZqbTfTVzQgTUT&
zr=&ES?go*rySCr?&hh;J_m6S!9mC<!4f~DtuJx>E&SyUJ?Q(ZH|H)?&&wDgx$~Kxn
z)`q?KWa_9lB<W%RHU)E?asBD%*b&uP$d!R$rq6Titq&erM3RZ2G@sy~luoC*I#byA
zI5c%mTwV<bR2dG8MKxWEq>LIkJQ_na@3V{QyJ@S|wt;9vp;tKrJT~pvL;-POiN$Mi
z#|x?zmN$oPJS-G6Y>%<4CaDQJ52f0Mzr84i9wc2T;_fwQZ4Y~gomA2F#?>5W#_$fF
zgw<}xjMx%x#rcmKoUqdt+v0Pvi)xowrCrTqKPG{V5eqbkE_T$eEW}mK5WN#yG?I1L
zH3|H@E?gHO_w1l!`+@jsg|UG9kM@cA;^W;u{ji$Yw^U7NYSqDlsfd!gG0mSlE>L4o
zH9ngejy9BjDhq!Dv-O?+PH6Xhw}lLzizma(x~|{$b3WVA_R+(&cIp$gt&R)moHpoN
zckF|@0j4Jt?XJ!4+k2FO{7iby+zip~I&U6juU)cuyuZX-L^8)5Bjh~3y;s|<b@5B&
zVlg#mrrt}mP_i=Iaz#%{Paop${>Gk3VJk$=e(_1_ia!dP2ZX|4NZ4Q_cm+SC`zp$Q
z$nw4R)O*{Eif=kLLA!3xdu8f;k>kT35J~nt>rjzB2ZhI-GrehXd+V!@L#*mMq&G58
zcJ$LS+GXMczkKz&M;U@j%%oi_D!OKfPh7Fi9&J56ZB~&8;SXBaaBQNM9en%HZ3%S^
zGeFrmfVmp9_nkf%+o6fX{at1h`>!(NZe0bONxi)74+uKhBL>eNR&Ke+HKRdp5%6Nt
ztG;+~cf_=@s-KxTYGu{We7DT*_3V7x9phH()$TsRPUv^zWah&k(b_wM%{evLoHh?j
zJbtE6Qz=T22)-47n6`a+1Kn1k{q)OFAL0ZtxlCm;;t1z&Y9CJ?&#RWU{-CB&XCG8S
zg|{3&A@t_kbj4?Ek42>TZK_o0LB?iSx_+n#d*_>!ZFq6%d(exKWCxKjdscU2s8TO=
zfBNhzt)|6Lq?R#k4%jeUajy7`@AO8=y-Nx7(;r~3ot`tlsX8E@S#Rt2%Y@i?u!cdY
z6-hrL9~@aNH!e<TRT_nH@MnhTyJ|ivLyoK29mlr!a<lp2(ghRW#tASXcq*pCTgb|v
z-h{83451vj7;eW}NaR}ml#>h<{z?NmeYI=#=#dF@CY+N=&oVOttFvx-*kgRdBQoR@
zZ$)bv<XTT!-B9`+nPlb_P`gYeu;~{9i?=FZm6yGxpW_N#AM_CGz2cEIJETTY#7R`p
ze(K8FOqH1?lGJ-H?h1c$Ei|}|=OoY|_A2c}&dg~mzYetMl>^dD7tvac8D*ie!2}}C
zx^t+r2lXiHu67V+k|&DP&4S2wri*srTAY9HWQA&&^;k5aRV^GAF5eaDKTQ%xqNfyI
z3yhC~LR;t)`koWT_mDvh<iz_Wfs(s<dsIS79}}WKo@Nb^XEar~ul?LL!R~b?-r>On
z9T$uhiSv*=IOsHke6%i%`C4DH4Yi~=?By0F-`*@)*sp<5pONmAl2_wK{V7Yubj?WP
zG4Q4k>IR)V0`|u8<T%1B30tfTn5Q{AZUYT1HQRIjqu$)yjM1_47uv)yuj+`eTGu}>
ztZ0uMN<(T=pbs^?0*znxVsCsKAh9Wub{0hTGq42Pf;!(qoRFC1AZJT&2-#u~9)oq}
z+*fn@ja#1=0*zZL@1~y}uT=zZei^vFrC2EP=>0w%7WiUf?R9yDd~Q;q^H4Wc1{!Ey
zI0V!w%*<@Oxc*_IsKDuC8m60IsJ=?LfgNZlckemb5C-`7F9Fw~)1ikH(VOQ!`GJDj
z=!Ie1lWHLbK6J(ES<5It`)w6%QL-9oLq%Rn&$(Xm;otWX8^$Iaz<-BF?R8yA6Rlhn
z?)J3O_Q>pAxqBYgo7Zr>>T-`|a*9P8JmoU0V)T*6it1T`R8uZnJ8+{{HKp>M<qGdN
z&AnbpqUI~jPN@4a1iqX)^ge48pM7tkRF=_uPrTVO%>IX((K?wVQATf~7foJz<JA;r
zNll*RyQfFkE{vBkmDt1`x9!w+9ULQQY(%bpolSS~2>yCH8&4niydT>9vFgXz^puhE
zbrN?ov4XRmEIylJvfc9M12^9-xyBpP2Tn&&hj<nEn<UOYpr)_}z3V@=GeTGxqq-#h
z@`{0nCOYuGlW}HJj`>#&3*%XU7To$yw<q>71Ftii;HL+$(KI_kirBQM@MWRQG;tJ_
zLTL9$X&3yse~ogoJ=3aUU^mgAHnqx=vq98D1P;o79al8~@{iTKIi2JHLCj~;@TvPq
z_!2+}DK0I7urj$u)K{9!PI+wym#CxI)fo8M)jn)KcPt?0qMSW8f%{OgkCl;IOoSwv
zjz=)^Dl#axa<7CJyw5=E!BU;G<V$lm=+O)!;<}~}N{&4MPnbawFbIah@4|op&49-n
zsF@HN5J2~-gNErMAgDCO#(dAdLR;ZAW^{J%@!qUJ6gS;4)zVxZLFg?YqrbrKjkQF|
zyU)id2|9n<WNc{APM`?CxQ5e3Ec3xH-pWCbKE4IR#XyFjDy&l<*whv)7x_m8Ym1>g
z7yEEUV$&VAxeHCb@X9`qHQ!lHft~@$#WupLawzllJ8(6_q!X8W+UB;F4Wo0&^rb>8
zBR&Qpgj@%rvLQsw7C>V$R&Ay2cDfK?3D|N*ong`%^jKyD;pogoIq{>WntSAq{pS5{
zahMSICxpa}+8Zz<_Gs>M<S&?vTPdWtmj_t~_<r{_PXp6}LZ`ji-97v4k2oHjO6lkZ
z7~U|uwJBgvr?82=i||&dKxn-psYNV+e^nK*KFGE&VIctX0Z}*R7BTxDx-LGecI*uk
zuF&q>`{eOvc-}2krM!z8CqO_IZ&C`3oXXonh^N6yWVTVHu?6Ozf2k@5=0LIFKZ+2S
zrx0hKm%1$|KyaX`F*E#eNfnzWG6hA!M*8s8;}DH_7EO3_3ecW?TA}C5QL69JM-29x
z;y)>F1Pz=+3OrdcK=^idH9^Qy8h1cX8xUgmj(!m`<U@>^k;Fg9G9%+rf(f~XGCFXz
zfQebW_nl9)zjsuIKX=rBi97|h2m&8N7K2EENo=wwHe=`StWNjOtnPP35DZ1#BTzvP
zCgcESUOZQ%O5wi?RxJqq#QzkRx=7x#Vb^K8h46hSRLqf;>|_9jh=KOr=wHJSh{oi9
z<Uqd_sV<TT1*A%zLRM@i{cjaI19CcojY7-&hj9@^p#k^w?XD=59pc_}S^pe=gd!*J
z4zRHTo~%H>$bcBB{XeyAfX+@r2%rYjMT+Fo_^S^4`QCx1{C|r+)oLA!JV3WICoovu
z8ZSxX8&nhn%%ufla9Yp&AB(I1NFkjPa(hvM%{f7pEQMfZBb%&xuS>TmDGhU~_jHe{
z3Kd&w9b5o!&Z!PmT-FE3_ZgK2nLrIa7T+7;6A8RSSqt97%0IDcH-u^^vja91jC!H>
zZ+S+PN2~vRMt{Y0Gkk9aJT>s>J2c?VnNliRtn1Q3gBE`(v7K-3+=xr%nT^YUL;Ur}
z6j8NPsmp&4O1+3Dx;){VSNpG@;>m#Uv;~U5e}yOUg5UoH|Fca1&jv>>wFWo?;_?1N
zY{A65>(QMnjIWk<E42XJLXO8lJMq{Tq1y;Q-e>=j#18zwCQc85K6(-fja&y9MpXUD
zp02^)r18(311kxHZ7z`7X&DZhK{yV8Il%-r7hDI(wz7fs;Q&HWcv8r_;7eEt++|@L
z3HMwtz%Nb9aLs(1{e&pjkU0h5P$=Yz#eW4gZ~FUE-6f{{r8y2(Ho4gABfULO-f7tC
z)X*@a5HVd3C8mx4pvNIK>f7X!l_opWG6fPCR4gJjpy#n{@x=h5T)v<rckO0UZ56yh
z>eP0*Rv<OA1RlX`S`7$o5{vS&c}cwy2r|VxKpM#Du&Gp___#7Q4N=lQsRy%6o$Vxu
z_uywQ>ohQ;*%o~dSlt;zEtDG|Y46~Mz*gc4AKp&6088C6$+D^pR0=z$s;$yKU3~(`
zK?4xFe<`v6#Y-Zv3%JAnw;X|j&0vu{@x&kpay8k=I^Y)pTxxz~gaDDJ&DKz60HUz5
z>t3wXlb4gaxd{}H5el%E`s2<vhr`mWFk+d8$mf@cBKQ-<?1_KbUi7O`E^&m082)<j
zxb9iOyXs<~W#=(3k^%FRiTWRc$Om*$Fv%Wi-La}aibGi2K!Dc*AGoRU+I`@z%c+M7
zexPzvi!k2NyckiGoAf7xn4nSEM<QID`;if~w#h!OISWL|uGkA9Tj5h(2m6Ynm$g%7
z5yF=<k;@9g+HjhoY1>WLuWSwK%#|R{^RkV??2O4?m_(ZIfxD@s^gL~b{UjQ997ugN
za|CQ@m`QJ+fa*3ye}37h%DW==Do}X}S)bz=f3J^@R;ZRNBkqOg_P4MSwtvREV7K5$
zJe3*2zxn=D_T_=7@tN==8<Xun)s)4!$<-(UPm7@~ypG%Jo*hRBpXCLXaUfR|d1O1m
z?$?^OAmDlFd;uPFO1tUl{z5qO<=G?--?k1yR+toG@e~Z?_rO1+nhhvuHb2O}gU^8Q
zatw-ZdUXQV2i5vS;P%o<$1ACFJfV*ppNwRV6ZBx>%i$i7*YdEn-brc04opUrG%=`A
z?(RZ>Z6}oQIl@Xh#CyuNml^1Y5L(sq4<ytqn5x{HO;X;yB#k26_s5SB8{+<av)D&p
zn{A+O_orJ0p3K@-YM^2KqkjTf59l$OnG1{oKbi)vMfT&>U}BF2k)H<|q9L)HjWF=7
z#41{VN_;gi-I;}*4n1~$CW|uQb$v*wN~vcWBg0t+YWz(YB#X%!RTdjlS;asE`rF6`
zAw#~ty5RF1!TpgX9Y0m7+e+>RM?K@oSOuC>2Zv^c>0mH2>@@!r(7n+?C~xb%WsaR>
zgn~&139kMwIwzJ)MYf6XnN_E%yEU)1*`(3B2ioQT(o>Zl5Zx~%|GUNCa&|H_rWvOI
zrN!S7ifi5nx@dOw?v=6FXxdob0BcypM!+Zk;i#q7{LHJ9V1Lmlgt@8|1e1}g#N)u~
z^m&zlx6K*DH4f%ve@ZUx<DM{afEe8fWQxGtd6(LEJ|-VZJ-bmcz;AcJexK&?pkj^v
z#^U)04lJ8n(;%b`0yV*UA)nmK17AWrM4JtK7<2i_V;e;(!jzR(&{4)OR1QZm&LtK7
zGLP^N)<RYjEw1}1W$dDxDc5|3xrKyUfJTJ8m*ICyFc%nBPa`aOjQ!Ge<a0GDH+dKD
zY<)+lYzhewezNk9@ty|~>A9C)&fALBLtPH6+Aus$fhaq<b{rH{S2?e`r#ciA8{A!t
zF@#2v9mdolhkJx~L>2cJ??_{ek^J_utQ!PYENg`?pq?|Js>}krg=`7ztDMGl<uk4e
zN*bnMOS)0Nt&iqnf%6b|e7#be46x<YOtX0!B8&dvi#|>%p6-D+mV2$!-Y%2m<-%Mr
z>`8KGQk%@ecL&Z0rA7MFZJ<B;uUn?Hrqr*HyA-$3y*<#8DDw-LJFRjqw1t*-&w`Oo
zzPPX64%*Axq(KkTOg1GOp=O{V&swrwva<ha3@`?oLT#f>C>^wZ)#3|{4tVI=g?jSX
zJPG;`4lVtFSL-9@@0{dJ7xj)bj&4e;&bf>%hEm|DgPyo)@#7~9&ouX+K}$mFAQ2#B
z0*hi7qUL5TjWAw^lbHSpp`DupX5X-hv@p)8E-kMs2ZU{lw7p;`b{s7e&q$UpvfqI@
zt7O;Tz5szS&?liT{m1fBaFjF<Lg())`=H-@iI~mOO^s*9`e98vio00FW+>;hI#3)T
z!EN+7a?ay>R%gHjMuO@CRkH_X)I8Q&uTB;<#w|M^la{Qz@y|H7+6v)7og%A)N9gM;
zi2letX{(H16G$yt=5K&+m>mspp7l3}rEOccZN2>2MLSlY${Nz2-=T)6*KdvF#T1Z+
z;6wC4ChBlQU&*-ypa#g8?c%6<5DHA+&<L2&I=<Vz6n?kGwjkMOQG?znXn`DF{4vB|
z17Dv?!S8j@$}VO<TjiO4{ltdQ-5->+*p;wp-tL2(ELa=aVg$pz)7BPj(qw4rG;b!9
z+)iG!VNdpy?v_d#(+;eXE-Y~UYV*f~d(L^Bz?PB2$haJL72Cq8Osp65L?WyMi5>=$
zi=wbGw^h{vZ7oX@X?txib#8QJ-;n{O$XEGb>6Q2It6mh+g;F?izaIn!OlylDt#N5t
zFtomTf5M0ocVx#z&H>ea7W$xTR~wNuVD7)_OS*>2CX0}3I)naX5)ldNQat5SdSxya
zyKi#u)OyxwZN$}_@azpfwGymqVpVL2l=vbqeE0wFaQ!b+XUtTPGaX3Z;s<K71W{sz
z2l`^ou0GJ_8fzf%sdXm7Bs1lN8*H{zVp9L?d0KKWh0Ldy$TSpR5Sn%-e9X%EvmsI_
zEbJw6fcXZl_aQpDRiB^%c#7wjlP~#==!d!haN_qNe}l(}&cVdWKY6Q+#o)=3@jVo(
z43shvYULMY5?XM)P9H&Uv=ahFlyO9NK^WP>$J{oJ6)fSH3Hstrx-g|-_#UvZS&U*B
z38NC8kL+gthX{*MJ0+)sEdL`y+ciZ%h4*mlt{36$k4=H9zz2S)gD&_s-DEPY-X)Cn
zGF;G^@`K!6Ohgawe6b&yhN*OURlSLj^$XMCuiyF#ohX;6H95^OIMqxtumn0uMUrvj
zSj*dVJ(_967fyiRq*EE^BeFnMya4M(&*BgkDEf1*Ha==13DzB~7Tl*eb%di7q=5=b
zzzP!6#0CP0!GAZFH6mE0Th`t4FOeITZJr>Yssx~U#z9|7QP>0ajucwqP#-Bze8IOi
zyLZ?2@Sgfq(#FuKzzxb-KSMx+T=E0xLXiBJeU885;6vc1fcm@k4hSsWaRL4wS*y9$
zO-uF1gqmGvoQM6kt@I(c;m%uY1MFRA>ch80snF0%7gmb6b`^(&4tWM09N18i`DFt@
zNa<<$HuZJz(lwq60xYED(uqNuq|)^Blb3qCgw!wWr)|}_{y&02Hou5b7^W7i9ztfN
z)ZMd%>X8?R5Lzq95B@8AZzm9}TP$DITzVcB60Zgg+@Oo&;i~zUNo&`yZ@C`7J(amZ
z=m?eb=KVY4|HJ;A>IRYV&n26Q{+02gg4VI@5A^Ru5Zr_mLIshdJ&?%J3+(KzfYe#_
zt<Esr7c5aKZlrR_D9hjvcKuHQ2$R~EI{bPE8p+8cPc6o_tDLMz_^xZyp$Q2MdT67E
zwULtMw#!3{{k&KmNIxoQ!?|0+c~%oLq#w(rZuk3BZ%qMXRG1b8xyl((=uZKcMVMCN
zrs&m5>06wkP?ld_K=)qSpTbvbKbCiI_(e=g=%GOi%hx#i9d-x1TWi2G&vK$vck4x~
z3orRE$;7pZ?-sfzk7tfRp;N?pmCLSBrINHtrtikE2P?-2NPhAN)hdlD`;z%ONk?af
z@>OOZ9g#U0;v-N@@~=K49iSi|%U6Di%4uE(nlbUHuvy8vKtma662xoR?ZJzbBN^+r
zbWePFD*W$;m#yR%6x*VyKXl)3-o@(&EuOW~FBKQx-vO?IIB~xO)}D0($4F>wck-F=
zXV6|G{mK1bHhmkzZ|ufGaG{Ss+1R`4?=H~colvFX3FpNkS_^@Vwk0sAWvOvLSZtRy
zurc}$mh1ecj0&DZ@}!8SZaiX(0{sg+TK3d6+<37*{AZAT({hBXppz$#$2GtRGYe@j
zV4c(Q8TO}yB)L4x@3wMfY(mq=b^(pUL)WP`Az+|%)j`*w&9$D4z`%Ikc!<WeHoSW1
z!n6Jm)&}lfzaX5tM}cWR{P--Of3+HPEKTgzY_S+)2=7N8&!Uak$=*fN(<_4lH1l3+
z7dS8Yv-?J{0#SP&2jp^&wLdzTtbCy!h;p|=fr4<qxt!g3fBtI$BjKXIk1WDYJfoo=
z0Y<7U--+mGd7iCEUL+S00|3p=4)Dugy`-RbD3sD^EoH@DvB4#Y2QVg1!PN@GceEb?
zm2xy77$hU0=_;HvP}KvA)|FmLg`i66V?jw2JQfpj`=F37#9V>I{dv0Vdss9ms!(9@
ztB!cF1QQp42Pq!FqzSw%1q$^MZfYasg3jrp@&Hya`Br8f&_3-(_5r=#M5WzkUQP{r
z7XvVf@ebe!ZUhOhoAHAh;0c&gnP)tZx|<5ri$q5lTbC40a9tqp{qFhzPM{6}HW_<%
zKxV2r{nrEG`M+TikWH?F){SKc7Exa+HSk@$7f=Ox@KzTSMB;}ZU^gU2%(FmHl59UL
z=?EHy$PNOa<qL7*?pP2FsGf}g>Nwl`DeJx#<=)yXz%up$GeI%XvSbQB2R478%ZNAK
z24EK6YSA|IxD;SIT63*0mO%ku!NU&>GO=l$z_V17FJ-v`Xrvz#tasM&6KWBEZgaes
zmq=y5ZugEM5?3t&MSQM8^>ZK8yWS&UT_j&I0ltLY;U9P)#5;bTIAS|je{&|*Z3l*b
zXu)mRHazGLdl1=l|EF|!u=P~|p>3^m9FSp-?>1aOj8TJBt;=X!ZVBJf{QwnW8UbFc
zma7BYOLvVWsfkuV2bfc11QFMW<lVO!gj4wUp<fXAS*(w+T7(C@ea7;80-Fkp?f!e<
zR|%pCzunb-v7Kg(y^a27KBryYMSo}JLJ9Oo=aM`i$C)|BXMOaHN~`;XGD;-l*3F(8
z4#?j;=!fna_9yf7C;DYQO})<)&p&|xVR8SxtHX!?&R+~*l65GcNkZ1&7i$PrzIk=(
z9i-ISdFTTN3cir|i(LwScjqB`O6q6U^G(n&z57C!z_F|Y<4zmajTZo%lOV^RXJQPb
zeBXI`0vu?esn917AzFw8+;&Xe7}kp?49HMh8~#94;H_c^EoQ4S2|<VGs#yo(X50*6
zphEW$>Dz-5yoaGFC|I-42`$-#M+W)hn9@E_*9?IBS?o2oYt4%AbOfz4upcY7V2?CD
z{wFT(ccXXAdw48;`mJKaHoWMtyIgFd&ETa$2H>SiPQp}G^VxpfEeZq_c0SP0Ad9WF
zy1qQ?zX}mWg%$xUpV78Ruk{_9?O7lf0Vx#?qiXT?xopkK`bXsek_;>s=obmNbI3it
zz(S+i-I{_|XUj4E&wef5Y4*2nB^b$kjcdHnlES1V+0M+I#t%gddG?<}{x6nO5Rorx
z-WDp)l4m>MFc1@gQr!(q(LKCI^s4>HmKirqawc9>D(%6W*dxTGg5XId3-~@0BsrTu
zFKz2Xh>;~|sFB8K^z=)k>i~um^GN2l$&gkNjP_kmAQPZh1HFW;nsSYJc3N<%ed}qT
zPCz2fcYIKbfwBQ2bd8PapU@`QV!s8G6_N)cH3BhW7I1s(N8Lue_9DOucrlKFHqOnD
zyGekU09R;7lnR`iI06K3K+|Pg5X$=+Jn6E<)hY852R0tiV;R9$EDHJx-a=h<ql7}K
zZM$MS<^m&uFL5^pVH+`v<IrM9CkC~zg!6~{>%mWpt>Y-$u+bn2rJL49*zGwTaZvDp
zx2VBo5=o8{`huhr&-JEWmF?f8fvvPOn6F~D)0<cMwIpMi!_0Zo?mWHQd~AT1Ij`Yg
z3Cv7q)pB@?Ymdg>6@lG-cTJ6(`yJYXH|S&{-8C`bSaQ18hAngnEs{q+&k+bJ&$4+%
zcbrV-30OIfwQ%tp35gFMnq~Tk6%=CnKa&vS&}32I9JGzzT@ZeW<9F9Qh0m!9V1~J@
zaQY486+po`#XY9<i4Cl&);SZs3oRLPv|wCstB8Bo7_~y5d=~vjO84JPR`+*;Q-S0D
z+YQ-=H%pXyZH4l+Mt)M2GSc#->?6gmLh#Chr`)Xa>Vu*to>m4=Nts$wjF^N)l8SwA
zdvmjPc$#t{N3*q>T<F#~u(vX*4Yx}@Og`b^-n*a(pctKq3N7CUz?j;wCl;e3k|Dgu
z=yp7-whI1(Dz|X6(!5&(etT65Uq}?9f8p5HpeTGKsgFKL{LmG~<Ma{yMQ%u>k0J^Q
zJs^a!^~)LIAqxxAQrXg03%w`M!F)*e=-EnG<!cLF=A|2qKzM>37x=4H-iS?HaJhp-
zASss2^GBz<Rrd4!di3v4;;B)51>pobeVrgCkMhY*^s9Ld>A@c=8&wk{zYZstuN1Yw
z?tAenXv(+#Ck@x?rDOuslTGTLqxh!?sn_SJkL|)ARiJx!VZhyf-69-g7LV7Ec}w;B
zq0oISWX|}wj)1~1U#LFW6*qFT5WP1brlvwEeAHw$;^X6^+=u!OwRdn9$!;%5=b5))
zpraM)EUxHSVTtzs6Iv#30FvfI<a*K_V5OGTelZRxsV}j`rHVM2m4n;jXH925ca2GY
z77RSzeKs3ns>s(O)bJ%@H0v7=Ea*P!q$D~z5;YzgiZBG;S)d=kq+|410r3$Pith)!
zz(6pRaAILWbaZcS8bR2ZZnIR8U9XvgugWL$OkG&M3Z>;}#B}N5$W0?F{Ur*mhQ0Xp
zHmoR>i*4tb^Tu6wwJ+$2aU~B~dwKUeF}}}K5j{N*fBn<IDw{Pzz2cVF9F)k2`BEHs
zF`lT?Eq9;SYzQfk5+fIXnOn>=>s|?o7c4n1iW&ZCSoHf6NbvDsLHP8O5{L`bd4<%|
zmvQi8P<K_rxpK?Twx8v6Bo8`Dc%=ROz9JWk$fO<%{w`lmuMYQ`+xVsn;SZcWr{V}w
zx?bJr*J&p4M*}m{41>kIoH!}riFBHoGyECY4560UcZCL>IwNU5zK|OCw6q?(iH^SI
z0e2w@q+RoR?f+t9|8UumAv#B}Fq|Td&%?=?D^X@UAnEDx!sla!5e_t`rVBKISVj$U
zY1h#3fvm1FFp7A{2f~8O^jgn)g~0zxUn8flte$0$?^y@+4X$)_kuOACq{WT*arWA<
z>9JRH*xK#PB{^4n$XJj($FAgOrYukl41#k%a%#H92x<K;2TMP_JDy?aljPd5IdK5{
zk$79+%jmL@6r}vCmo!Dqb;850Sbm=_8Fwvoo;bwG#hX@_{aJkqfH{S$O>#j&!9C8-
z>7qwy<;KVs^i56?&aSTc)xEV)QF7f<F7cu6KL1uX>(!|_lHqS6u_k&nTwKU|UuM^L
z*XMF6+#Ri2(kpT*W%*!in+3&*x9Y+nC<0#o>AgmJ-NiDSYc+<98Ez?Yr>8R~BLj!u
zUNAR`)E+ERb{@bEJ9CdE)qk1J7t@fLS6W@F?#^W&>n6_Zsj_4YttqpOR#4g+^yD8K
zClXU;<KDQCQr@#}nHZaquNUPxoon#!AapITJX$BDOTV~0*e82&f3Gg(_QDE%c_qBY
z3vJZjzNOu(I76rZ<@$l)Q~TmcQHsoy49SU$E&1i|mz<=rMIY1q_%woBy?EU)X;r_s
zr;W2LROnHf%Ew=xjtxBS>5>t(Jv=qVD}QlCPLa>mQrPb^;=<l;Iq`EcILNL+c>gkk
zT0=F@9F|>2blW{UUjpxQ9HRnx0j@>of@Ckg^_t2zi;t<V+N~|GkESYJ4t}EMd;WaT
zQF(R;_U&+)+v)1Lk)^s{n82R0z&NAw!?~)hFdt*tj4ikgI@C>C6Sw%J;)I_77PKt)
z?#y#nV=9-dX4En-i?Ji@bb5Nu+qPkh5bC%_|Nf$?dCEIxbngE1!pAyxwo7|^xW>lD
zr)Ou)eSI>^9p`Ss$9Tvpgpnt3(NHE{*n=7iqACi3K*As6qTTP~lN8y<8p<?zJ745$
zu8&UNG<8>0o!7-2muhpX@`t|XA&&T%HeWV}e-ydL=D{7eGn4T!ls#J}pqtG7Ky=I6
z$@IW+o7)B*yYoo+f|c}3&6rCFZpRO<k`GQN_$HaJa^)sVmD~i={I{(P<%jowwcGvD
ze4*am({K<{y0ol2LNSU>IDI^_DPOL?k=mCp8;I}2hl?y<Cw<%EA*W(DPG_oi#FviJ
z{!_bI`nsg2RwS@VTLZ7J=6NUThICdh9ZzbQ2WxCKm;2%f{ier<`=7jW9W(cfFVV`c
zEN?JXZVXCPy2Or$gpE$sj+qu47@TZqkML$lNn^2c$yI(Uo_wdO`(?oX^qACV^}ZQn
zP~nTxl*Pd+vscOI7joYxYwob~VT*Q>hBfmNr}Bvv=FsbP-tZPotamopA8LHFFpD@P
z6-c{~sVxp$h~*RLD0vsS#;UdW9gZy#!^qKdWLZ>f6~WrrLV4|_yXkLeHeCfddS>~<
zmg!XYm61L9mr+dRp*GfnE}2JOQ_HWoRBlFD`Pz_>Tn55ya%s3a9`xK5ZrTM~QCkFD
z)IL^<(leMMbM4)-KklXLOwY+{FHxVeS2nJzyrU}LBm#J)-uQEF<!0-}W>&_P|GElP
zXUw<0Tzv56V7q|dtym0wn2RY4DeTp^^?`9B*d(tWXTIm<=P9G1{=Gq$V-oVu<pk1>
zR!UK6jl>Ye@&l@Mwro=eVQuC7FjeZ3437`E6fj+1hWtujIcc)mj(0(DtBR}rSw7U!
zDF%{PL~q&*W#HmPi6vqMoQr9OZU>GXZ#M0+<Jes9eS+`X_4x9WFfW?Om(dfQkYthK
zD^b9O#C(dGCUx^>OkXx|dDhw@t*u$fM-le4hpk*ha<p!Jd)9;59?=;t3qk&NPE*~S
zns9N1=d5J@<ygRDgIwy!BAr7d;R}t$*|cYRJz?gPY=`v{{v7hz8ZWt^{I6N<mnFtg
zNeLCv%uC^5*RrYlb3jGiu|)5|biex3G?(p6Anhbw6|AR=k#Q^Jya|FhXw<QNeh5qd
z>Ps1_@~lWY0$#Xr!@Oz!L_MAI<B3_+r_N>}#&Ti&3_P(H2{o1P+}5w9w+I}!7b&6c
z?1EXaFv#dA4VSk$j`t7^&MU^|b&2d>50oGIFZDkEq;#%qS@e)zHO?Y#M~@V?KrUZI
zR|hZkHz?@%xi!_tl(SMYy0TC0b)sfvpTwmlmXG6lronH_^-ccin%EPr@jZCe_io;d
z>61OZGJ45S|CFRg^{gwNv8Q<%&(q1so-yx@%&qM&*JkDpHWu-&f<VO7X~auj+uAM)
zsd~s4$gfeOS@Dx2l4Hr7XHkQ}%5_F=#rt6}u~=bMT(nAk+gd(8@>~?PE#YBfsu)DC
zU#cpU4;hTyWH6k>n1LM~srE6IE#Uz(UKIS-yO*d*;oFLQa2IRsR}6;>3ABnecNsAW
zJlnpmipM7nBBy(`%E5F4%1Y?5+lKO<E-0)!gvqQo^CqUwYBAOa<94(k6068R5JwU2
z?W+iT%oK+H>+I+rb5DOwnxk$!y@Y$y+WyI;Uw}}=Y#<n;fUO_~X6Bko-*_^9_>Jq?
z$6zI2%ANeN*Pn!TlvDb6nFBN_**Qy;hIM2#NKXu<)Gr>;J}cRJ`z`lNRtpD<kDd#b
z`tZ)Lvj?LOhRWIbx2N9LA9)(i1;y#JD~Fy48Q2mg_AwT51`u@I;}V|}j=-dhRZ?hY
zAQOYs#%Xl%vdk*hZ&f!tpIC`P3Qwoimpd@k%1x6&4#F0$vfRNf@>vLd;uTU<QlJ%5
zg*hZ+Gma<){?%S0U7_rk241oA&0goA%@{)=CAXNECgxhd@di!@mw_=vV>hg;&kyyT
zQW!3pxvkoTt^1T2`LF@~>ue?s>c*t=?cu(y`PRi!qLe{}m=75gTe;`NSFZ#Lxe}qC
zHomrpvgXwc;{;j|XPh^DwH2FRf(NZjp=n|lGnI?h*|QXl&O|rG=R-eb$zDzA7r{~Z
zJp;*^pE54!D;4O}l4>k7xh3QdW@{fWoD>i%XQF3+(QG)1$d4Eb(7I^TKYX8|*E+&|
zk|$E?G4fvNEcaXDqV6DJ*bL1GvnIyp%3|Y&MC-Bx5hG^TV+HeFAya*WwcSl04g38s
z_R=8>bAvQoY$(89`w3DM*^;vuB$Pe&f$xVILXfvn!qf*Xoqf^rb3J?ps`@P$@YI*H
z-wff(FD7M|P=-z)zja_Ml*AZRC{bf=slnlgS`E)qh?G4@A1&RdPQmx--nqzyyk{CV
z7P-|>vG#qm@ms+96UM|Q4Pws631z0JM&^6)ykELcicD^x`6rXl3~Htx%Unh0KP4l>
zfqOVp_SI{R2Y?`u$Nfb!*4$-(neFGd;*3r2395O$4~>kQR_b{~uA}DI{N#5BgReg=
ze?L$h!fN<o^i_p#B-@sv@X9nNIN4h5DHrQEBh(Gj*m6;E`oec#d9&mlNlmfuPUPxD
z?%k~<B0AWLdib#RlZscH(Vf`)R}*y*`Lgb0YTD$faq%H1Or19c5JtMlP6N`1V(dv{
zkG#QKg6<Cha@H&=%d67q=jC%3zu@&3!)6~yD)Sc=NH-{cNQrn$Tz3$`$}YTm2vBc<
zk&PGnbN)?qV^an@CBM9<%c!ybU@|4-C*Gu5$t&pd(ZW(=W?z=m@gE(h#YEXjDUF_D
z7y()&d#eiKZu5H?T1-8=hL-fW9Xn_zBf6)h-$xjUT3JVUvuB2UeQgzG%;}r-oN@Yj
z-kGyrHpI0!vhTBKI3FoiQl8KAnOxqHEBoHM=o<b~-Ohw&KAT2>sm54CYuz7tsL0PU
z&KzeiLsZzxxyk6x%$i&&c~YKU=)HrLZ0Z|7ou+8he7gkx1W4z)_`d&AJ}2Gf7abd4
zuK{c?R&#dM(X8#omLiGltB4JEi(<U<y7=RV1zN}5`X|~il~W4%yHd=@+k-<h^+dA!
z=zmqdC+pvu@qp4vbzHebJfjHnNh_h?mK1Y^fZYtdN?Q41^ThvE-P-DS@7jTUb4Jwl
z=b-i5QDg<y-5oZf0O@h7ff2oHc!yf&1Ykv)2Gk5`Y3V?+fcEw4n^{5E9VE5A*{qT!
zWr;v~!T2avH<lx8fzB|u8=8=@l@Nz#v1HjDWu5^Wa&VT*c|O(aQ4N6#3j6frJ>Rp0
zJ@W<k%d2%QD$-F6u+?M*Z(5n*?!H8;5?Y;aeT5o6gykrM<#o3KE3h-?^sVf7^4P$q
z8t3YeB5&kOy@k%1*SPn%8ngq73MZGT>_-@QISUIGU{QSIdkKuAWEM{<!lzt#OgH@Q
zk$YIrxkWsram)TL^<qZ|GSR+!9rHS$PiJQMzP^1P2<*O+oWc5tz>XC1XJD^~pJFFw
zJd{!&kG>ahotl)p=^4G~Lf4kKW~F`N4{z(_O>jJoIliWG4AvJlmy8%Xu$e&NxwGQW
znz@quw(hGd&*QE7^7>Ca!$*PeM_pObKK=k;>tDu!Ald&G0B%P)fP8FW>RdBqw>`AS
zy?!BNwc%Ql3wH=$Y<r9wwuI_Z$u6%k`3PzGWF9woM#$Gc|D=2sQxraEo0+C>A5Ckk
zU*IG%%*zTM(zx`W)4pqEb+oLP)5fbbGWChPQI6dt3i(sHkK~^ji5e;^KK<xgmB$N|
zfMmpwN0Gs@2yP=nl4|qnGX1k>cv@Oo)=o|VF)@VEuirA5ktclzcvsK_nOdW$1Hk)*
ztt~8ET-@cpB-LA{DAyM!QPz0KHnLxox5jewIi8pts8@0es3`CVD%lc#UM}U}nUic2
zzdJPQOLrfqy#MR#`BarOF5MZu9SVIJCd-qUS@lQT!IrX+)5!bx?xDPX{ram!6piji
z&ye2-3Vi1*53+ijCGoGrm?<mLsC+g1w)q&cUpy|3a|>TZaxp8@HIGND5h3vOWqRe)
zi0;83qh=<oqJ5uMETw&d6SkjDqa#&d_?q-7OoXRJ%>?rDBznAjmprh#+(E<|og9NF
z!HDAeYu$U}hxT}U7lH&qe{>J2fjDqxMUQvF1ER9lY*JK@Cg~5rqGZyCE}7v5&vIAl
z$Xs-I?a4XCljjH~KmeIeDprtioOQ6)_3)I>ghqg1T9fkn(EeM2eZQ)NgS@#~RsNVz
z@!N0Hy>}32@C36h=!Uc#yq6dp7knZrH4oHdVo#YDpFw5G(timc4~@bDN4kn=P%Pp>
z#<rvNj)(m(-l6n1__CGOa@Vr>*AAR(!LBD$uaJ^rl0JO6rBtYfKRY{X?cm@CsF4|M
z10*Vx#l%}l7|AbP2vSp1_YV%dLqeqAQ!1<yBMXBU4vIoD;*%02WB{hxG)$Y>tP=fc
z(7k+3fQ%tLKb4YXy)%8s98Fd{kEWf_09*3v3+H35>+5Sm7VW&hwE)(Rj{a$BlyEp)
z6cT+-!MG(yfC932$;Id0G?uYoyq0YV3G;?d;!fZb>y(j?95sHXk}VOx`D3z@)i$D{
z2qF{U!CVMEccL`qU&tZ-GM^ygd2SpwG>ZS5)nEt*nLh~{ldXPoI+%{zsbEZI=8%!8
zkih447&jY-YdUVm=Kft_9N!G4p)_EfB^QE3*Z;W>Ua1=xFh?&e^baVHz~?ybQDk=9
zJxm?w;D}3|^?z=}Wf$)RZ#|*{tHEwQ<WIf}ERRcrJKzDl0LQW=L-+PYEM*+GKM(a7
zoHGrvRuH_<ZDA@Q1aIb}z1%?_{yc;Ye6Qm)2u`y07$lC=fM`4UfG6=5e7ZVM3}Xw(
z{H_-YzQ^VXe(kLLE|?O5@UB->C<I^(!+1``Am0}lDo79~4NU|0<q7T!4{<5D=-w!F
zh)ePO|9B~rU*RZs?zHswV(sqkTHD$R14VI|Vl>D|@B*U+B_z<n8=)|@wY8m{ovEy5
z>xAC`n#&n6t~l#KTf~{7y2c;_dI8vKqyDc!CUI=$MDu%O<1K{@%E7UxrGoe)7li~r
z4f>)2Rm>ZuVJGWIAR!24sZ9JL82<7YtEK7lG~DgK)_lt?(n)1NUYVoUxgKFQH#bYf
z&|{O6lNU}ZSKUVzZn_1Y%I$sOo%3bWX9{Km*zWVy?F&;S*!}0)!e@(gOgT<#x>VuG
zHxv(szqSs<#HUN7A_rZMTreem9djS-<r*sC;KaInwkNQ!^(JWwALl2khXvl$tn^EL
zF(F3+#3BUGB~lbTv`0f&!~?zA|E875KW8)z_*buoHp{$Pa#0?mEbdKalY+>;(bm7}
zFAvbfD}{B1X};&+k^F0g;vwJsW>UeJiPCdLq}`#G{xL9=?n?W8^QDB0!+ZoGNtHXN
zXQM5C{~2cUVTiwpW>)davw;58j$3JYj08$MG35-(U%6E%C&F7};`FD>ZtGyeXKg|v
z``N;#jAyGVPp{V_PCeT!j_d|2a!88%8m|W-b<StV$^vJ1m!{l(-hZA`N!#N+Vkf#R
zeVF7q8Ss(kFt_rka2yk8CH1E|R-Er$qEI$oJUkB5E~FuUjtK8yG70?6ZA!F&&=9@f
z9@3fh`Vp60nn34vQNgo8V_tW+Frh<C4k4So7o`+EM0P^c`A629djf36TcqE&U*J)g
zzv%G$@RVUT%R4$eRlBO?ps`;MkQpUeE4BJ+4SR0(2|NT&Diop}-!?|}A^@c_D{#7S
zK0LFzHbvXeF|g(-l9Tv9`GZqA>E50-E$lG<l3>6_mR<Z}O=$F>0OVwGU;M+?xW3^r
z>-$<euIZ*{o6$A*BTn8b@Wgh>D8LlTW&eI6_;`4*sA(E{6b7z0YZ-6Wmlg$7M{g|u
z!r*?(-O-tw^Eju6Q*`gu%WprqRu!0ZcDK58TtV(1nEP04*O`~w^A{9<N2ETPC-zQ{
zhAR{khJD-yF9~SM)VN)Fvmw3qHs2VlaGeh+{E1@v0#r+FW)2IxrzUS8$4bk4@eHfL
z2sb*8D5k)2Zh9gaj)H>nMXx=0|M=MdH|;oma>Z;+DTgxgW`4OlX8+eO--rm@_wU~?
zZgkm_fZGs-e21a+oY=i?wS}y!RA(JWTDi>(Gaz7a$9QGZ6P?gVc!L*lh?Av~sn*)6
z)mV+)iobq+G$UhcZV*4tjf+Oed~$2dUU-J^P1R;KuAGL^+2uO{%DY;;wBokx`iD}b
zPXzx1he;^(X5{#oHGY{!tU|BmAM!h0t7X-Xo_~AE&oKYBs?q@l`w!u!T$6Tp3j^HL
z>BU9s<m3ZSPfu$*J3?65b!y}*-w&fGS`F?&z>?;RZma)9oeMkg)ipdKFGs|%GO$z#
z`5+4?<wt;&Q?YA}Ek9-#*U=hJH<3>#dd~S9s;0XJ+3Mo4<+EoP8oN(arkj1PFW(dG
zUHiew{JODSk>(SbxEtqnooZHA*+b)z9v8-TX7~Cxez;PMc{Ml7_?+akK6{ntDa@~r
z3&0yrpKHdDt0u*h0cz<$U;qT%e{)L{SIktm2qF<7cYjA2f=nqO8Xk9_twve(m(>Uk
z>hx$6pOrE053|pHSB={Bfz&d5xvrmktFPsc*v|J8_{n>ZA@a5rt4+8je3lHwW~P>~
zas$Pr*qtAk*TCo)rVjHWgXiEhAIsY*CqC$G{qh);LGU-@iodoYGVr02g)MaaX&Tjs
z%ii{RKXmp^#lZFe-{pK2(iJA7t;NGbjVA!+!D2uKxfr@AB0o>QXwh0(Z7+zI82@t5
zb==D5V0X@hHS+ym(Cbq{KIS>vS-)VfROPeGrCXyfKSZTQX?ujJd@?KOH;cWG(}Qhp
z*YnFPZ@9l^%rrbD2d6+n=D50?0R}rcMfwAk<!6#cz?4IV->a3P0>(Rcq<Ukj%-Ovm
zB)~zih;dwgYpd3zTq<iiCrI`H*-tqok{KK9b&ZMt*Wg-eLKtyOas>VU#x-9hKamm>
zL&To%c)hBxFEv?nA}TF(QJ-=vbe%Nr@}gdEbk1k|IUbNC{eVs=mJDa$Gi|BfoXXLS
zH1XA~z15zOnH<kDd+Cdf?I$mi231E#t*y28c3YKiBaO}3C%z(;e&IcYmPEBp&W`I+
zzS=aa9g%TfD!ZBKX6`BM+WBo2ek;g;2<-C2!vC0=u%R^+^@df(LQMPa6q{@q!zxG0
z>n3d*$}Rv7*+*1Mq8|$Y{$IG-W$6=qonnk6-Q|4yfvs`h!-e!T^Sx>wuPaO~Gi+0}
zrKJQ$<%AuQW|;jF@AI62TaR~0o=_;L@f+XvUDGJanJwy@vI`m5Au~;x^XJ?PjKCxc
z8`4FflqWr5pj`KF(%`>ym9|vcIT1oFh@L=_<<95LUbztrjuC}zQq!5!)45!b7aeS|
z{$ui#a9ews{+QeWhB0gXUMv3rP9_W2xz+2(JTzQojkrgz{_pe%oKmqj!3Y2fyKUod
zDX&_4Wqw1F%c(zMl>SNehg%YYh(xF9uSAC+P7u&bpO-=U)#&qo-w~qPSSAZ;k;c)E
z)cB^ax&5FTFOAQOiCbR?z$T)>-(|oSkTpi}38OzEN91f1#6NSrRW)3d`<bkg*weq$
zfOIYAn&0?7TGi<6;TApswz+;Y6aNe5JgzQ^=X(GhD=)wcWJji^riQv6F}izrEG#T|
zgEtU#OqLnwfe4H^8QWU;`o<MA^6so~g9YpxS3STCt9a;F{9o3M3g6Z}%8zFXc*=Dn
zw0EaSp6Ye#x?|J;EfuIlwEiw(a`W=ihy~y51+l1VgM11~*JSk)Wa?4$GNjzx+-*C}
z29Dr7Ouu9OgWr|P9T+u8s8-)FRG=e;3EFdT`HJS5o;Gq0sk0j)?}>35TStP%Y6slO
zWO!Tf$L&WT`$QlLsvvN!k{QIZahAj=8PQ3AE!!#j?$}JrFRQRj&(F}y_Sf$TqPO7#
zmW~_w=?_dKLUhqbTr?c?AHwu7qmrO2Pb;uMriwUXpdxsFHo>a&#K`{WzHwwxq#_LZ
zbroGQq4M4Se`QV}Riy++YIBk?5EB-BEC}n4;(2<`VSzQkO4`h(%;-(niDCihYh>iN
zWqM-HZf>okqso{`OQ(0DH~em4lzwgkuDS~w8yJ+7lu#%X9kJyt1|cHxm);XQRk4}B
z(8(}sA9?=s-tWv$i=q?FoggihR%C?~+z+yX?-73}LyYwQsQJ(nartf2pcK+k?ZL|8
z5-eCzzW+|$rCow@{;Gi&!!aY{ok>N|qsV-289IUU0vZX1<tx~NpfdyN|E!fS&Hi5z
z?VmGrQZOxH*#CH_|CHUA#dksG`33RRo53Q*dHuPa1bk2b5-g6x7(_-6Cb=7cjSPrM
zzW>j_L=>|85Dytc3Tz7Gmte73$Et@SuD?SL1T+Ca$D$)H1<hCRBVrb#HU4>5|GzI~
zIv9RRG3B=xL4kgo&ZT_WnM+kmiB%pat?u1-a-HYW$>7S_!j)(3{ter{eXRNeV}b7@
z%4#4f%`}o!eIy<CrWwPPD0GQ<U{QXbuyA+J?~dWjcW?TN1X%<br2t@VQ<I>xi%av&
z427($tVHTdn2pqLEF@2Wj)Bqq-~2=%1}NXlA;uNymCco2EW>svBju+m32z?u&ON3Y
zI9%I}1Qh)>a6C_jZoB_-5V_a;4!yR6C2(A<e)u}f`q}==W1#(`+c4L|-gcXENGyf0
z)r^>ZMCSRaR#9MaA%F}3v3nOLCg#V?Oj?Dn64b;RzhTn;=IB!tG&EZ9@(ycj>%g4M
z9^Kzhk!|gv^UoI~Pb$~^m7XXhvg;!E5qySQ^AulA%^&-?aSM2bXr$cikgeC75FB5-
z-s53!EE2QN*D*N^C%RKBdliZ*P}m9h>2yRT_ia5ssPCa>!;~rDNZ38Fh565f6E=&b
zQ(hA6axY5W{;*w@KC$R%JCe3ONGs@y;Xpg*Fe_O7vL5=b7LRN9DnyuPuDNc<+-9xW
zW8{e@l3mT+GKopJrFj`hV7M>WOx@o$Vd%eeQq6N97aB;_JN-GS=4HaARp;)VpXTmw
zW7#0YVo4$C;%h?F=@zADCW;>O{C1{!H4lspQ}h@R41Xc2Sb$_7Wfj~%F%Oe~2w!70
zgA%#C;afLQz4`#t#ub`h3SfXY5IxV9De+xdDTpVTXUE3wRc_DsBpki%$bVvH^2<f}
z(_+;hS-+?3(aPgZ0}bWk%nVI)+})<CCA2cY$sZjCd%PQRoO)|tG(!%djBn<b`H~HC
z@4VEjeTN;Rb#C)}aobb5UrhyRaVuHr%-(E4*2hbkJweUZ;k83+Th%KLwjP||VOg0f
zNby7f)5e_e4!-u%nq6bMVqb@KPYUJIICI+}F{_QyuKzRq0_bCw*Af<Bei2OHk2?Ar
zJe7U~QR{x`wvM7EgaP|WbYs5`?1A&^(doCyI5HZ+Z#JIi){sLkrY!{OPGp5DXOfG|
z2lbmp-)q%TJia+61l40q#Y_>NC#j94(ZoG6K&mmp=b0Y745S2i)?|<NB^UHSg&!4U
zqk=$BQtH*Bhvm>;eN(Lutv&xD1}SE`MuKs;EHE6%DBknPxutTP61aQ#SSOVTcILLg
ziKq_aetZZ(py6r0f+Y&P9vhSsrG^>I$#Ym!MDkLZOEdORUR>8DQoJ|iY41Yt5cNRb
z^Vhb50jd>}EyS!iamBrTfpMBl8-}<XY&uHI1LpBcO8!Hi&-Gn(3dWSf<nMW$-nbFI
z3*YYCEt^e5Uun&Gm00kiY9K{Gyi%?wV=QMy*_8xs#prF!@x0Bi1%8J>BAK)MuXBop
zt5#Ro3dJ7ZHJxhyd8Q;Id(QefKZEtQNA^+<dydjqG0L#clRM)z`oG+_&yLW|?rs(G
zpO?R(bGV$EI<PbB_J5G1nh_BvJ6`CHZP0fbH|6iZ6I-#s%&Tv$IKWNyRFVEZ*vuqX
zq`G<k&Atf=E{j7#22p4VU@$yu)b`pJZ-q<0ov0~2T=&*y)fT*9)q2e@9O0<ERe;`e
z^*Ew*VgKQ%M&fX5nQoW8jICBqmdwv}pIwJ{zELq)NUCKHZ5H=_=B95N3l9kB&d}Wb
zv1tG)xs;de2YQah{jY}jJ=k6`=2|B|SW1rr9Jt7@`D;t9b121&k^{myNE@R*sx0_K
zGg`{}UlEk@z%bC!1%b!?!p;u1s;cS}i>f)dcl|FP{;xf=ZE0xbt#DHVf_JjJ0=woo
z4e4*F7-w`;<7cZtF3)j~VWt4J+^Eafl6FmPxMjDHH+OXAt74ASq?(6LEj<%+<%^QT
z#LHyWBUbXl=De3(w>K1Wh7^W~p1@4sRX$vGqR8g=%Ddu=tZL557dJL7vDv)YqRFx=
z<T?k+>}E-64GksRRwHDd=Z0n9ihwYHccM6H=!-DVEK;VZs|W6y7s)SCbFETz2WeH|
zjSR|1?b118?mPW5&|^!V%G-}Km7*3Uk6#klF8oC`{z)$q{M?P!pT<Tg0%qQu@eGMd
zAOKK^p7|aOV-7Phc4A?Bb_tD}%_Ge0*;`W`zHfy}SoNEgcjii-3rgQtjArk|ecgW(
zj(Ih$=h}&6@-?e$#)TyJ*!Z?L08MJ7n57+l4%`4ys$wInSt;h&i`l2}$vS9EzqFw5
zsXL)QHo?Y7bUW(oDrx9w>UbzsoDogN+DP}iyyo;EREjdL#akdevw0$w(e{^m8ScVJ
zLsc+KnCU3?2Kf(@ofzW07qwVeRgX4^dJq(-7bq$Jb28s44oRpw61?~%;0CcH(rsaS
zGfrAzghUgaL^OBY>B`)<wLbF6`pK_U#tGwv2L4kV^08$g<5C?h1wcmwBZPk<QfDo}
zCBLX*_N|~Cac?9&h3lA=VP09fC`|4_MosEQ>&%WcowTV!miXGFzLEihy9OyO(8J8!
ztqUR2y4wFSsTg;qez?Tt9Bii3G-t(`UXqWoIDb%Ii!1k&mEk^&?K%Ll9sgbA{SSc)
zU=oL|NZx0dA)S$#-%iZbiI6#SVw4hEZ7!m|CMGb!!K@CAts~ROsg&j_rnNi2Yuyt=
z`Gi8tNhcHjW@}J;bi~?AT)w4|Ht?hURX;Nw)%I)$QU6%D-8k#g9GZ7N#f!NhLf4n$
zvsSJ8>~!IJs|k#sDt|n#*#V=eO#lGgzl&Ad*F<=?Fc5Qu{FE&!3FH(_dxI=Ti(LiP
zH}Ys&r+r<IfD>L;POl6Q8|w4<Z4)Db3~8y_@Bg5UFLRgaY4V05%m!>*?^X13Bqi7(
z84!tq<DZ5BTJ#@y>4e(?G_W8kvu#ZX&^{@fnmi#V{|>wL9H4p06R<}}QW=s`>kNSX
zWBY8g7xwrCBE2gXG=cG)ji*_CO%rpx=N1M}5YaTkkP`%X=N`uYb$_u*JsQ0Wp&P^I
zdWSb097BEAV7tpbZO$38q))^0Cc%e#+_2R2lSRB*B3iUti_rfTVR0`GTml>)?9wFk
z;QC3@-%z3G$pC0Iw%)R>_DzK1tJG(ytp<n5e2huXv%;G>l^t3#Ebn#neX%?mt|9s0
zQ@g0737eRDur;8AVGxIacPCmSk}chmoGcFoC`rQ)8m{d?qF+qhQ{89L-9-1z#A{P5
zz*&Tww6|K;hU<ewA$rJ9qb)@tcbj4~K{R#-=NI2a`TIDO4e3qCO9JYfkc?>ZJdlew
ze*c;HVFchtLIjk!4HRxGs7_8!+<+Nz`MKQj<Tr6HDoOR|5sGSwmS0H;>&urfBSE!<
znjVy}ULx{gv|nvUA@Uie?D_6Wyx&8ZG7%*(yVG8#lK&|_Z6*NX)BnovoUe#9AAkXC
zd*!V<MV9e5a+5G0grc#${)_h2?=RZ_7ej4fMLrbx#ukjo0&7JbJ>Jhbulf1}&PrPH
zWvp|x86t4-vJ5Idkfi<wSrQpw@D@*6{Nl-@l1^7xUlSq^fh!IQk924Gd;i5p?7s;i
zhf9=?pBat1f6G@uD|$LEnIP6Bj~G55#3Q};Hz13C1^}6Fy))o%1N8HiFly0xY5+JS
z0^6VM?;-@^sDD$vF<AiY>G1xqO46qmqaRieKEFk;ll;(!BAfaWLrzZa^z^i;y<P0t
zfAVY1hBQ9XI6IN*8s?~%>d)=yKdJkE_=HkC1H%|^uq<_)H;83afcMlJ+97tdgOihh
ziVF72%gg!IReDehf#C(BA^%KG`hTi>>#!=ft#23*1W^Q$l9m#X?rs(W(jZ;Z-60@?
zNJ%3S0@B^xNP{5VumI`q?r$#LXS>hyob&zlzJI*?y1X{J<d!+_ImaAx{9?Fz(fMN_
zM8K{Mt79m)UkMzHVGnYGVM=5BA5AU(+Yb1*8xPnkzcCb3Fr!Nx;94XB3j-(r_Lu%I
zUW@+Q4Xp)w$1<ovuNlE|rWPA?F?#+Hi{^d5;4LB0ibD1mD#ynTC(BH7kzCLAL93bh
zPjUjnfQ=u)VWn~Ifawq0THeq9%l)tfdIvxzXFwNIVlmF3T%dssEJ50UAUadb-(ars
z?FPRV^Aq6yp(^5dx}$CQJ(7~Dj-rc0SXlT)3<D7=Hth$Xa+)jk0|G4qpcE1ZQm|r|
zU7d8G6A&IVK}QBbf0g#Xjf?KI3G^QW>JcG2t!fNnV&dqzZ;tDjXK)ul@{nsP`?4cf
zC2t^AJcxpv6WC9*c14i4CVYvB!39l}!mck*(?onxnYpccIDlY?B(nWL{3A4m9NZHt
z2E>X>z(o}oP&)o2h?cek53!2%R7r!NSx#4Ohg`m%EHwgdJS0p89S;n9zhDQu2II4%
zYF1h{S6Gb81M6!xi?Ns27r>KZ5O^(Uee=}5Hwdk9P^h$2zdBnC!{c);{&<&JYN*6O
zqPnhb@nm~?qZ)K+76D!kqa}IDIjLl{KqK)=@UXpOu_L6_`wsGm=sUws0oOfJ7>W$+
z`cpm556tI)QFY!i%uxi7$I&#_VVIor(f8h+nK~83pwy1TRL39joO0K-9_OV}<BOib
zJGKCd%UuM$^X}p@XvtspedQ+rw_CLaH}+^o-B93!q`&eb?xQg9+s5iA<hIYg23_h%
z9Cv4lfMTc(*p0|%$r8PcV?hF~r9k5;PWd`#E6OC$BccO1(0_Q3bpQ3%M9Ib}H&ETl
zvCo0dbXlHbr~R?aX&2lqH}|e#05i8LY=`^}RNC2q^2oo?Q;@Fw{1L~Rn@Qy{LRA{?
zL)Kz-d9<E(vUrDcc>GMhzuDhj3XWt4I9GUqMSZ`pu#j4{FySL=B0!x%m%Ww*Zigt8
zefStNTdX_Q(oY9S&K#Dzea8wkeI8K=j7T_HTE{;X1wKh5l9Jf|3^Y+3Qp#(O;-K=%
z)ViBv1xjQ}$wKgJ5%iFBE_5R!U~|u9x9}mif3V#EK$fm&dryHkbtuqS=Jh|5`SJni
zy~sevE<EPfh+hTX=JxsUQ5!Pq)C-loZjTCp+2BZ}`#pH_zB7zuaiKk^+GY1^<daa)
z$ckD3>$w!hrk`Tw%fO)wX>!mz)O;3b+C+&yP20~b;b7l>xRQp=(ZxTbNI%uG-)%Ar
z_WL>G1Ck<u+Yn??z(OkqrFVEZhE{_cc4K4XMl&x!P@N@$AH{;+0J;9hp!1D-x)=IF
z3i3N=2ZvTK_&ZVIYwc$eVZ<uv;}<vc!$Y(xx#{L=pjZ}8CXUKZnc;6{oo|yuQ4-M%
zx@C+w=^^@{??eRwGpP4SH^4Ptu`^_6;_C9#;C)p1F!47UC9i#@BGM2+IS-5M<0E9F
z7_xS7dk6u`Ij@2VL8N3}i!kb=<z(qRFgs9;gb+u?0aZ`lA`?&R6geb_nkOoLz=Ip+
zH4}Bkw9)eBWNR`l^(A4JY@*^&+jduieVRnZ8F!jSenhIYmnhr6xBy*-eF;y%IV=o}
zqErk63_$FvcG`^QfjC}0KJbGTe{cSry;IhT_`Oe`mBmW_oJ~WH{Zm<q<*u0dVdM}&
zAYiy3F9!G^J$Jljv}AyCH{1(xf-*QqosQ7O*7ilyXNn&w>TLbWOj5$YFKm?TY@pZQ
zArx%Smd?)3$W(E7z1)cia)~Gu+jpo<VCV`BZcY`6Iu4&`l&IRH#4lk!8VNsBME#W!
z{RdGqUowXTA+#~Na#8b>ygiEem<$B7$mY{PSgH11Lb=me16OH)8WoUWLqgxTm@1y7
zNLWu$3x{p&>HI9grPoNWZ3nU;S)%v|%D&Zwh1YR@5mbPBK5FTm1B$=ssuAQIN~Fj)
z3;k|Oei3+?({>4h?}$N@Mq*&Zlcy$^!1YM(D_@DD$>JNuNT8c7NcXjG-4vc&99Z_x
zanr&b-ory$_!1ZSs?1nM<#`)h<Jy^jOygPoeNcByx&D=Kuq4rnt9f&pILC>jv;_+V
z;5e=Poo&Pl->>@I`&}lVx=Z#~df<bo#`%d+SK!!|SU{sS=X|d(;JwbfmZ?XOyVN4V
z3{3Bvm5T$G{3`gOAW}kS<xG$)usYE^OIo+_GW4_`D%Ii1z&g!+T#zSJb7|R5<K@Wk
zBANniq|(R;qNpIz0@p{wFP5oNzYsvY@Wfv$`*yCJJ6!XH4fsSf0>2~3HIBFeh@jC}
z{H6L7{;REBX#GkySjj#2hNojWIs!1rRWDY9AM6J)aIlkVcFU}d0OpUV<P!TlN0eYU
zRhXpn;J#cUPen5?^+{b2wC!u+77fT|wn4sB(qKVr0_xyG2pB&_In&6a2&IsQ6GYH)
zzOjl2+bgAt-NPnIMpW?QI_i=WvlksqhJ%Uh&OpOD`eEydVt8-@*5wk-CztP?1xFV5
z`68X<OQw)AnX|mR@lbh(Ia9(N^L3@eiS<h}wWJt%t{+1F)7K>e?c^>yP}+kwEY|M#
z0(cSnJOt$IeCWhso6CBSy;pkUpEIZblxM?R9<nf*@bEfj&XP-dwQe4T2Psr@Z?ywW
z45MgOq((WIb8$XHi=$1z`E34BhZj``c>kzqKi+&tZ3qVJH7!d7%J(T<J$4}5dl3vW
z0?b8~2zHQ$g;U&H6JL!&#z`sL*#(v~xioMjBisP&u2{IkMos{>w`xmsIU~noJ*@YM
z?P{&9*$;=Ic-;E9j1a?#{a~^tm-Rj2deFDn-1A|>U0?M1C_)I?Q2>H?z(MP=n2Tkm
z9&>MyNLw>|sqC}VN1vfgDxvG<e7I5%Eh5y&#ZvUK0$7@{crrilC!BE;Anmzs-R)%K
zf@H)Fby_<_5kNfg+VvA3wEGRxqN4dmqMs+2fTbcOtM=UCY)>D6#(9UKQr6VU`KR*&
zSiG5y;IMuOYjuP9ypV?H=AP5=M<@l>8}34oy#_`AQqk*r+EOZzHAm9HL!QSXv~%=b
z3<OO9=af92_X;{k_?T}AASe?UUgAelL}PKqXl&DbthCK;7@08&dPmK*7@4o_G((@O
z7G@*63M8{iwKh{BN8J~ImgT@nICdIu8is;gg?2ubS|K+7GeLt-0)ttCe+1qb>N+@0
zED2vqrXeyDy(Gy`TL*S(M!oq+Watke850VjGb>zpPYjkMNS0bQo89oc(RnL<tzRT(
zWhh7;*SOMMpFxxCzZ)Y)6|S90pimQgDlJhFllDA?rQs|vbYwy@U=Hg5-s?7b(m>xK
zvgXn-g+tT}Y3Zf!>s3aaUVjF>s<=<(3u3XU9msDWgm~V1Vx+0f3oZhVtV6AZhD%*j
zSedpZ9DWhF&U6OdQM2a}Gj*}{9ad_KkEb7jmAh+_^fptm<LI=p?L;l*l$@aO7T6Zh
zmbORL4T##z{8+*AFdd)MPrLs_lkaf%4aE3hwg0vw5>GOfkma?w<S=hfyW=)AX{c3$
zNC#J&@c6oSfn@l&&5##}3*<j~#vfcm2a6M6+MK|p5)W_7BZ&z54?-jVehoOd2qJhg
z_6S@9^e^BY($pVx+e`x%dEHY(i>DX_uv@@{ymb8~(?SamPUS0OdW>n(XGbXXoc9`{
z+nizKt-^r%)xUBTkeV1=RagD<%3kSozZi*yfS@?jzd|%nKL9G`i48L68qxob&`j5&
zov|2ZI+dsimIUK6>SSLA)5jTofbpvOh@SqJj9cMUs4L^$vJSXii0B=~4g!H4S8n6&
zihBU2p|IppGN>^gwM<Tw!U_}elG3dIqI{BZHU;%&ZQTf9z=@F3!0vP1s{PJm41gJ`
z@lRpFowLg=F;JfwY1rGZ+tqgs>U%YZ3&=z%)AjqnW?gZO-y_Y*UaH&Rym5DbT<`{O
zuvEG}@owC!i#;Va>dli5=Ie*sEvKCiKb&6!e#_#F)*FR}4<`sCF1p_^Mxr}Al1^Jp
zPN|$e>W*9c<&wNJ?#UupuL*=sEE~x=KBEUeP9#8R|JFI&Nr<b1hZRN-6e?ryZ^RV5
zK7MPryMJfNQvKfKT=)BynmNlut=cu@*on%l(L<_CA~!d8{oNvo{muMiW{oikZGsf*
z^^bTnxfa2dVWw&Cx6PA9Lm+q)6N@2X5`_stB^LDxW$Di&uZym22FmmZ0aqW$t@NDU
z6`^EMj|EA7;3aO@Lk2t+{A(OJZ<wM=DZ`pf%LvLSxkR<|q~}p8OpU>xwpRJ~omr?H
zM93Rm>rh$kdl0qPtd2Et&_?vyQL{(!G_w=WmcC(ZClY;^iR%fL1pEA><l}L3zjOvF
zdxv-1`sp&;rrhmyVZ=YviU?BGW<@60oxPuA5ifG<nC&9i56n7XO*gy1ucsRK66Q2s
zi7jO+T0JnI5>U8~D_Ozsu9QpyS@pgJ^*<^@G9&hfs}<6*pgKnN=IGub9MMfjU=H;E
z2afr%+t7;ssqwIRIUb(2A-6!2Uz*LVzes|~W?BPVm?oT@lNO6H@FryXsYGTzOhw1j
ziyv~L%huF=JzWd{6Ix96_Oc>M@u2A+Q>CacO%}3Ma`_sq#tEJbXWk)ys%m}fL&*=(
zlr6dre$<sjj|(Fl?Abpa)z}E#@FS5W6ak`6`Kp)V>?SatS)&KX7|B!!E~9Sp#<L`S
zt$3U8=ZDi9uKhZEo#7d*CFg6N=`JsWfOyP&mrsqzYKf{IYRdpqie5JJCnS9n?<JZk
zaY?**a^F)eOy=8`Xmi4w0YHm8${&~Fr&fibSmn54#C#42yt0H4S*r%oFK=>>*I{Bf
zz>~ShaN~dtxEn&>AXcM<SVZ=CjjuU6$~Q8vT|#lxd3*q}@QS4cizl>Zie1~`Co;D0
zd9v5zj>?_F!nZHS`aqFsW8rxOLEY^sT?#ymdjQHHf0#dF^qjo1#E`@YZ99v0Pea)x
z=AldRnD|DtnL)A<(V|9CZ^Ac#euu`>hwn>S$B~P?1|Py#ynQBoEX1Gb#0lf8dc4S#
z2cQ<*_^BZLrWQ5Lv&<rePR1n#(b44c+tjB!eDz^AD{?R{P81)L`1)aE!RS+U&ZuV=
z&K{eqKJnfzw$?Ys^@+@nyUmiaq#`i+8?R8`o!$E85Jbb^rw#qu?eY{Zz$1AGs9W4}
zQX)Vx@jB&%lvu;MaIOY>SwjtdSbv4u<7C$V48n_JA^a~z9#KDyi)XNI6-K{qy|S5i
zaQ)ud^AoGlSvFnl_HqN+xq6X|n2@WDP3qwxksh=(Z9qhX02vW>D}d(|Rxw9Qp3r~)
zO~1=kgm$^#oH$KzIo4jpEi?`0+7rQOprCteO5rr1HI4Rbv5wDHI6G9o)w+Ahw!bu$
z<#wXv#DpaSWHV7~XqH37r^GYkOQX2f3`WIPON5kyQNo$@2VeGyCvv`z^<rO!Q(kKh
z+CQ#=r=aiMxuucDf&(bH?%jXZeSUn7@3PKrSj5e-*#tDS(lg|xF=9h*DUV_0#{mdx
zlP+Yjek$@oU4StnpYcrLi<F~HCO?*Ya{BOPY^nY)ZJd~I+U%N*@`v{#sXe`L1p-D<
zREUJZBOciqrp(%f5mabENaqdMs=3@;m4uUFny0%treQ#Re6TB+rgeYyVPdp1pmEv~
zY~>jG3^m(b3~@(oOd>qLkQMsgvYTew$wRA=I!?v>MN#^3>e`ZDYAo3sRQ6}$p(0{$
zc-YKnSTcIN)<U;qS+Ma#H?cDz{`QJ|@AN4dL8jDn5~`a`#@*bX)Lf&)?*YoFS9fI;
zR^tTS8Mcy&C+yF;=Wgag=Yg;Y2Pg+@SsLk-B&}NU<HUJ6v-|5T-glcq=k8ZMwW&;S
z#W=zn=3r2Y2=J<_N?RH`J2W>J2!y^^>e#tumPY(FuZZ!V2pT>5{;+`U@4V^h*oSE?
z1yDYivLpPnjJmtY_QW0EO%%RiW##laZgT)y=M(zcW}6j%j?DnJ+q_M^LFdXU7JuP%
z32VGZb}p9(Xdb@yE54xiC}r)*;~*ve{Adu+D)~l;O~=s^-dDxf<zg`rGp6pJhFGYb
z4$EF;T%XocF#wdNF#TCM)RKsq_vLtgey^5_qY0!FKAUggj$k5x2JwxB1&!ILv`6Sc
zyL9#ujm46mMUXlD6<;~@$3#8mTO1jY-#kXmjS)QNxH6}Zk1TJK1I5TgMAs@<Khr6F
zDjn=btE*zhZx;>?{=l4Q3$(Gcs8};4(<%l2a_(%ZkuTs2fF66~qP$)TeKDEq!4Mfk
zN?jW>=HX$DuASost)YbuajS-7OL!&`U5sTe)wAoEmnwrXB%vgV5%Cs{b;=i{$o+Ml
z?*maTcJMr}7P-tHxX+}79kecvkA)^Zm##D&7pTt3G733?%Ihs$v{NfgsDC%LG>_g|
z-{s{VuO_#Z%R7xPwk|nAQhZEr#U%$N>hd$G<gS?)eI+lCK}bXtLDs%$Gj9m1HJl=X
zK4!i@f9f6IeS?hbUoEId#w+4llfw5vokOYMAh5$1y&?GFnn6!-988@bTNYr}i?-}{
zfW>nx9TP7;7p$10<Hn=p`Z9l%dOGW~hIFDLHW0J=mQTg;YdEgz<JFuSb)!m$^h$3}
zt(dASJm0z%5tsRDQNa*AW;w2y0_c@#sf2&&0m;A`R??bd+=pmrI9kk4iT3oyvfpPi
zU*>bnA3O`0$^c42v7c%F8)qr;Jht0r1RnSW&<{m0+*RD^TiOfyZGN0VqWBz>(<DAc
zz6p&l9$Xv`;tD1EHp|(@w491AZ$rpjdl?Y5R9HGJI=;|Az8x|DhFF6D#QJDDlt|g$
z!DLieWxDN=hP9&UyOrt{C&6umG?o0id6<IIm-jk#siVSS!hLDw`><a6$X5c#?=pt(
z+PmzxJ^&{OU$kBE%t?GRy4TOD$@pZz261nUwci1^W(q=Ya5%bAj*UUZ#_8#4VY=Z^
zw^);MZw2IsQlBhzU5caq=k{1XV%6ScEqFOgsfkDcx9d>hppQjCGjdl>I7!DhsKXW6
zGQjnsSv7BUZMaE$bXT4jPiEeSV>r!?F(ExP1$Um6|D!_Sm_|CSM{kG@$>T{4*DWCU
z8BbhuqP@BTio*hwcM)R@wUHXq8Q$B<jyX!bRQhAY+8P>SXh>40=HB^FSaQBZuZ7B#
zoF5;&Q8{dD_W#uF!xzrrginuc6@lqrso`kiIj+9}Y=_j+%F4&NoO&H2hIWZE?}Nja
z<)wy(p?&LJ%)c?*+T5r5Y}xXmE>U>m9U=4`;?|fuyAQcb!EI~>Mkb2M`T^h-uS85H
zCF`>$&F#ffn{dNziH3gKyz=rcGEQDdziN(D6j~#J-(0uc?9V*nzH{riV~vQLHI+lV
zfgaqNiYUsthWOE{3(GezYq%G0tIVmJT(-~9zM|rcqn{+E3=K@kd(kMw#YZbW^3yri
z$h(XDRpapeJCeH#G2fq;7ux1UZOKzXwWM05H*eapiUO95k2cN~3Vj_8`8nyrlV;v9
z%}ON^%WhlbO_4dHEv^PzTaJ=Z;^J5ef30$8%CIn~fAA)d{rZ~<LUS!vAwP$G>q8SP
zQI6L?-=*=KpcTkw0nW4(oO+C-#A5UHq>$Gm`i2xZ3m-LqR-j-X#d?3t;Z%Nl_7`BB
zFMiZ*iiY(UU|f~28I#wwWZd16@fTK{&mKgbF^WPY0Tk;hOKZSq0aD}4f80Jx&gp!i
z8k10oQOpgJ6Al;2<qsc(hRF7SG4oTCzJwP*w@9`8=y8p{+an~((nr}De$3a;ONHT6
zk{!SDL&Wd3WMwdGG*RD4qukC!D@%uz?D&`&1h-wKVaJS<Oy2=i$gGF0WG-W-#g#q?
zEn}@w1kOs+S=eO`Oukkk@x;-uhCEP6)>ySO((H<T#(|N7ask5duG*#W`NB`=tpLi1
z;@*LQaMk?U@-_X$P2B3E84bL3eWJDjqcS>nVXV)_k1ui;*E&yj1fZBDXWIuz9y#KC
zfGVk&RJP-rqg#+SB76(ko)wZVG3Ztoi})9wEiLB|v@wx?z0T%dj*0WOn9A%Q@HKha
z*JDj}b4zNu9VNf)LX!)<8EhjOncNYz<3*10L4j{oE6+w3zKF_6-v<O%X6yM;xxfSg
z*Bwuvtn9mY2kjOG$T%Zz20x+0F4>@Kp>^aydt?SGye64Y&J$i|I#_`nRLWC@yb&ZX
zjsR8i0}r#n-dzi%<MVO`t$F18=fhc&7BsS1Y9#?*fX&PNowvf<{5<d)b;eREX9yNJ
z8)ZsyX(vCoqj-}r69#;&zCKY8%ssAXd~0YiC?3u@@-mSnV>#t3jiV)JZ`XtI4yyYp
zok6M^7HfI$a-vwAAF?`t@(RS3VWzq;(d90enMlmgywmoxcJG;Gy#0l#CvQ=8r-g;d
zI2#0l=o1Qvwk$h0`%H1?e6ZZas+=PTEX;aNV6h1T!z$t7;j`6B$m$y!<~KIXV|;r9
z_aUFyCpq9b9&^1ppy1=@pI=<OgNqyULe3RbOVp~Y6EBXJzHi#x0N-{?R{O=#!k81C
z=&<B*W{QgEMOE(~YDXoF^gU%RRE;619FVnKEP8jPV!~DVwQ|+kZ27XrqQd+a!vtqr
zDtdz9Q+}r`idLP2QeK2*nt1CkHixtQ*vi+;-tQsbz6mBICeE*}B6D(bf?ND9Zk!B?
z*b7ps-I~A`=11Qxg{^Nis<B7?8m$}hUG7SMtO{b_?93|Y@J9-wXjgg>WswPGYR^Bs
z#V4Z36la(^C#t`S&ZZ0*)@kcD#ya6zqWpT|I{J8yyT=_QjF0~$jNqMSr*}jzt+cP)
z7CF7>=4^Xjka$yu+dpSokr35S!<?UJ=J8V0pvU-0;3rUATBv6@siXzpud4Mo$-z5d
ziHb_mK-%61x9Hc^{hnyk@?uy8$I$2?(ENQ+_X;6YS?Yi=7-9;dfp5i?|MRT__QT)a
zy}JT^KK0GbQ}2v`Hp_<HQ8cx^OAerfMMlbGHO1zkTuj}K8&W?e(<CmZw-Wt%?Nt`i
zU3RM?o*&;qfdMd{JGh+w49T%3N41C;z!d(#?pvds0`yFIk<#!)3#L+pIibjGdSq4j
zhvxQHAD2zd5pO-<N-pv53c1$45OeAP*B(ajn}4A@Dde1>vqL+uuU202%Q0hqQaK<`
zO0`Ne4fx5Vd%(9mH^%p2;V>0LW>q{lC4H|ogHx)20{B^CB>s#sz}$LbMcw9{FcHwY
zfr^3x?g0$Lg<~8k{3l!z=KhBoj-gUj9{VB`rsESq_)FadLpT8>0P~pQlKL~;*Ptep
zO#%M79h;}{dS2jS4etsb+w@8OC5+2UnDJ*c%n<}ciefNj>}gdv91|dRb-?j~)%No{
zT_z0v4^{m8hlaOUg7~+;g#`d$i})IV7S!^|UNa6@pf1A!0>x|5?cTTPEB}Uy{ci%Q
zmfI-7HyNM}#9;Tv*e*D+yxsa+Aj{d&Ma@k(gv!&=WhnX-!w-hDakl-zK=47Cm(@fO
z)a%v$CkmogQ)OxW=?`tZyEPKJC_+kn@88973;SL6)KB&1z>oW*=0@)8UGj{R#)4nm
zQW*XHwJ_<@x7#LnW-D_Et}fi85>iv2h<G)H@I(*|e+f@16u?OX3RT}rK}9*>G0bfX
z=UJ4Y;%`a<D7V5ioMa75rF7s=FoCpD=Dl8w4=Vic&zbyTLjq1>;J21A@`06>1o!>l
zpB2M6<IZmL%jK{qhkF6^K}ZM=ScRk5*w|Fp)=KG@LC?U5Q2r<NyRB7W83Tm0UoxCi
zVW3SlRqI28(ZB82qm3Ub$F-XyjPF1{Sj=&#@!GOTVbfS2-<0~GabWHJ4_blCFIqv#
zn|>KSI_ZZ`5w~E>Ozs$Uz(@W~vIbN#W>4t!3K=KZ6gH@UC9MX-_%vRZHefJ?!TvJc
zzgG=q=+0mbdt-q&FoF9@Um^kM@*$eY<Mf(s6X4i`pm`4PX1xRKwk3m40@op+datxD
zJl_d=H)Mp4mYXT1%fxeJ4u5wRA=Lo0Ge{N*xZ%HCGmr~@PvpNW*#eQi0Y}3$fE1nq
zEB6Ri6Iu2<BwMlxT;9`FHfaE%k7Y5EDrcRmfAbjh`e*@|uK&gHrbJx>JHZ}h=K4^E
zXo`sM9>BRZov(o>rrpVwdK8V)UH8)+6-Lddr-(mD!N$2O9w&;@1{`5zwyJ&SfPnlD
z02~Nyd!NL>S?9d1$j*PECwvS#T?Ycg*9E}RAA~>_M6Ch%=m+36KW=G8M#iJvIg-oM
zT?t=Q?0mAlq?0kIVF_L7QX^r>%v`Q-cgH^9Z&S@i^uYUi`NF1^)8~H;w`<8yNr4Ii
zP^PhKATGxZPJZx&1rY$it-xa$AnCe#z_y$AHPE<JZ)Yo{6&v;7Xw^BR0nbnf0GUUM
z05F<+RPiqael#I$+O`jXdw$%H`RyM^K-V^PE6hKCiC+X=H`;zS`!q-KLfk;l0~Ej?
zI#$=yOXk@DU7u~|Tad6TzVN$qBqSshyB(X;={6D`Z;ZAA{Co5U(7BsIXX$WqiH8-p
zpwUp;(5~|iG!P(TIpzG2N>p5iU;<9-WME^7$7M^3!>AJs9A@u<rW<V&B?hCr4p#tV
zG8ceUa~)l?f@Un+QwDZ#jAGP44jo9zH7SD<3kz3>0aIB29y6sy;h#T&P;p}6k3nta
zWw~-yi$VdUm?j;=K&_Y_;AWZ?1p^b&Ndz8ziiWwO!&n%gwYe~`<{fPnNE5<B?Uo0i
z_dt%)vmc4Ps=Wn82H^AulL!HK!I#$5v{<;^W6M1;3IJ%Q#IlU*t#EgB&31153%nly
zREZ$hmtXnR3*La1M=z2D8l+kcwiN)aB!b`FIT()_0rZ_g>i2O_=mOsJ-ayru<8TAE
zN%I<-(eD0YXSM4-86ZDo8T$DIQ@_Mw`ENM8Y%J5$sS3?EW=0NoKt%gZ3KIq!<u3e<
zjSGn4f6KO?*+0JTS*yI~EufV7()=z5vR(sPXVJHtkHD%_UR?C7F%j14<l`m42s2PG
zp6u&MsjYp9hre?-+XZ_q1TK`AKbLsRWoyD4Y_OacsA;%Z@3CkUsrS`NUL)<yHsn!|
z9t|w}iL@Em?#&;9b9UqQkVt5Ix=Qu-8}OUVedxc7yiiYwhR-Iy+Kf+B7|7yqb!O*8
z2r(He(k)6A$0F(uX@tDpc}T=VeXc*U3}E(_ul(-HQGuc+P3%ksVZRXcbASt~xRHoc
zIjsEX`t%IF)_FUZOq3A#!nS~&)?^@7b)u%FGf5c@JB;qhIzL9Bf*q>xsT_c#_{YC-
zaTc?tBr=78GuWO9zqL7_o$=e%d+@X7Wg`q%0{_FzFZat$2N6JDEtP3z`{rzv;eKl7
zlx073e-F-n7(o7^_-E3i2YugBFotVm-$NAi(tRBi<;l!-l6%mWrNTCfsRBw%O$W&;
zb{tmwa*lygDZAqi3_TC$a$F1l_>*aY1#}2`K%&;ppY$&-fPj{GC_blk{#c9dm3kPI
z3A6R?UBX}~(DKP0){h92Fmv9wP<Y`F*e$AVK2e-9r5lrU2l-+4A+Uf+6VhT;8ZsZt
z&uI&<;2kXBuRl_MlVjxY98l8L;H5dR5vTxq!i=2#&&haP10rYF&`>O-J;oo_Ws3G~
z5P~R;-UmvLX(I@sR220ih_zZ(OEw~J7IW<<dQFbcewjUJB*bNg-`{gsO=Wl8wa~?z
z(I2neBhQ6_*FXlQqU>vCwiVmq<S%C>4HPH2BvOey?9}*Rua~EPw|g7B#H11u5f2C-
z(rIwovT8xCQJjz%Vm?>B^MnLYs!>t8^Oa<o%F$dK6lL@x?pLK;DV({!JP7#?0ze=L
z0N||#BC$=1qr}2AorK~4-2QSv>vok2?!(B=&g2GBhTy<49nHlSaZyP-0?|em`==7!
zQ5TwpC0?A~461JcINt$zL~Y6MTc;agW=)A{(%=J#BpJTKceG7cwS2jKJ*x)<B!5HR
zO2C;M26^+w(sttG5zD>9MOWGY{b@ph#Rg4tiYe1j`gmXQIozg!Y?461&}i2OGn@Q|
zc`oNIJRsuD*a&j<1W#7FjiysiUD5l9Pm=ru&EP1Aj>agWAaOJL5zJ#^A*_N>66FJc
zXAJuI{|!#FRJ2xOlWW!k9Hot5p;&G}sfO^J$@kXcWqK&+#iq88Fl1UOSWcjYury`+
zfEB*9H=k&+Qb|{7()}d<9uq=Kq4CS+*I!gYA~m{h%iHZ=0SYAuc0^Hxg@K7fXS$h*
z3LVssu~;+5OJ@DeT=<B2bC}UWSHD}^07jRReQP#)8dv_OlnEw9@st|3<J{cI`TCc`
zi+7kTj3x}d(eTvrfMc6{w%Ts%TWV*+3D7eMn<!1qPDY_%=Eo+3gSd>>Ag_)M1Szgm
z(kvQgf_eqpq5g+|ay$(kO}&STag;cSJN#~5_cn3TqzkC1!^!37jKj4p3s?Nm)q}N|
zjwKnxIS*MRC^^Alr<(JM&eMedUfOe5k2W>}y+qWy<o#1Mto|6U4aWVEP1U0c7M^Bm
zwEJf?yq1YS6v|B%DEYU#I<kE$>_IGfG8z)HZo|jX?pyFh{bv#SSS3?p@TQRzK4rkV
z-i02K%s0<#I(E){q}Ne?K7+|`4p(vvY>Qb5$OSKcCIl0geDy<b#cCQryLVL1#$Vd@
z7jV64%=&(9%zDKsrY7}SQ-G1JZ84@xcl861?JfLD0~3;dS*w=F=3?o`AH}lP!4gmi
zso14`!s+X&kx*Nv^ZOUE1*GdXMh^C$CK&EnK-B8{vyq0gskI}}aAps^lW5GbSOw?~
zw3$FVq)M@5fy*sc>9)=v4jGmu{A^*c=3-1rn+5UbKfB+F9lK1diF8n7*A?s&f=RpW
zD5Z|aVjJ6)AIkqMyCb*$l(#hH=Lcf&rd~o=Vqn=WDKktI8LTQk2BU|74wE&K)CaGK
zV;<p-l@wR7Y}&<kM-PyfLn)3lmd<{$WZYp8aFMD`pC*uX1;B(%5tr}j!zZ~zj+s2X
zjb7sc8<%<7E_{$p7rTIS>ckVd>m2ZCF@Vjk3}y|<1hu!B_WZQev!w&wde;=iK{bP?
zqA0(FLYUw-Ak$(SlLm6>a4wj3zWBt4vB=PyFKDcn&eGFqO3+S6T>Udf01`ZMOmT%u
zNo-5${ms_11=YrcvCd9p1_lO5=BKwHx&BLVlsZxFA?U(Jx9Vr@q)AqDl4|-yg!C!w
zKK{7y?X=!@(|2l>B_{`}zp(cpeVm;`->|K0qe|$@ugqwIH=bGwUneS`eQZ=};#rs)
zYmM%|Ycm^gx32uh?w9hpLHpb9<VQy*BBwm``v8$v?|sI>`(wHi=T_iB+ki3A+{E={
z(CQkS`w_vn+gDRZQx_jo_E$%hRWUV*|FW&!!0N$e^cK+m<}G?}b9bf-@4LIT<@rv8
zgY?#~3ycVW^M9Z5UEmJC4-;FyVlrF;$}k2lw;OcVS2h8eg}S7`F!0rnJ-1=ZIkt9~
zL8@g5=eL=aDslHt#!|Pww({2Arn;_G9qi3=8=^+K$8Q&X1cIpMyUyo8t&wvqYY-Sb
zYSq3$17*o~2BFC&auGR_>R3PGko(@uRd{%=uQ*-3*~XLtx^mu5I-xJhIR<a9+8P&u
ztJUk?W}>~DX7r4YIR3j;Wq^HiDgNpBo;MyWgL|57$^nFw|8#PBbuhfVVrLufW*fGh
z4Bcyg>FJZ%=KPWA()S8C)pwxxt-9ITo#IgkmggczW8E?_+y+t5gxE%^F}~MioT6Wx
zn}E+<3!%Y~OC#PAFHv2mTV8-4d#eV+eB6PFMYTp*Wmjc^U?wt4Mn5c>e+iO#3QVvH
zSG0hX^`E(t0p+)~CF84Faq39kr06nD_U<?XGETt+t`GCijSYb5+SI$%pJ(l?XV7y4
zR~Hg*7l#JVOZTQ3%{3kuKH!w-1#HZcBch)}vr>404J|6<c}JnT*KQbb(=l(A{C=yP
zN_tM<Nstfv5mu_|l(d{G$r(JOPNPtr`7v|4I`T0>SyLxEv%w*1K7aLN+}j#d&KQ>1
zK|459i`A;-F3;e>m04cvM?>6=)>KX9#k*lQ0lN}EAg(om=JaW*{hj3@J^R#Wfl~U@
zoSr38k9dJy^5@1*l$d|`&dzTDp!|M?Zq+U_kd_rz=QRwT&Zb=|K&*jmhW{I}aEN|l
zNqxU-yI)J`PygeM@z0vK$q8lm?^-Cftv!@b)*3U9i1>V2m0}(DQR9VUg@$`tf8Og{
z6G0~#E<EA&l#H!yf#V>aRgI+RPKvPEjW4q(^*(NCb!qR?ocAUh?g7YjjDm|3@^(}u
zk-W2JGltosht~4yP0>ZotDJ+gN^Kj%m+`W|I~P>Gp5G4itcZ}_gPjzsWP$&*8QP&Y
zGke7pENk6;V&;q5F8#Xxl2f5is^)v-4LwlD?1pTY8g;*i*~g-P-%;`>75(CfH<8}p
zW@{4V9a#e4)Z);k)<U%Xt9EH%gZv2I#l~Q%yGAPi)p2}4V-S_WeqqR(`Zw&4tIzX^
zqpN`NZJ7fnt#A%+E&;Xt%aAm#ght1Q!|ZW`NP1mEapojN&JBA^Ys|*x=p*YDg{FXG
zp!{tPSV}|Hodyo%dkt8Z*MW75O_z+aMa`RA20!|EU!Z;)EdjRHp}Kw7eo}X)b1Etd
zG|;nvX_P}{Ve=2!JA)+<gPwh9o`x_W?JXALl|xmdl==DFg%;~GgF{CPQ0ZtL-4LIb
zt@_2xVeUcWKNop#P<ES*>pyq?dZC`kx%`}#L5YK|9WKdi;{wfU_K{qLMVrIwo2_9*
zG~If)K=elI<ibgy=8SrQHjH=@cw#?NcF1A2a0Dm&wPKWiFvs{YR^MkiZ6&DzgKy+7
z*258&FDhRhOfL2m?fKv8#@6b`RazMYTg_;Hmsf^z6#+HpyPrl%z#Isi0I?1!pw{wF
zGp5g1KY$y09?2ly`RF*{v$T?Nrfj~tp#S<FV6r~}P#fKU&eZSk7HVgKOWXX@hbK+I
z*S_&im^s>rNhiaNxBXiUgFGDdoQr)EoSJ)TwaAmR-T9Sf{BMeJ+9yM^2*T3TvKS*~
zndv>_N=5jU9UA6{W<!K!_)CEQMc$I}-p~_;LP`$}jnQTzW%?hVDS5+NnuQAr_RnU|
zw!4u4@8XwKH2T34dNWIOw)5_>dXI8@QH39I=T_`<J>fAhqt@%&H`@NG+M^dzWThMq
zDzD3c`0@A&C5uZQE%2$$jLZX8n_}HYD=VL+tQ|X`?|@HkQxtdiAXw=G#@!f{dKc_z
z%F!E>A_Xbk5*eSNjz!ZVK`TcJohEGgKoQ5q??42+E&{Hsz6k-f6+81zk$?%-_Sm(%
z>8<!3vCfd`AgI_;maL~73We3L2qyT?2-ev^X>Wkk3izn&YJdTir=Dr0m6=LbA*~`W
z$SPi7jfiv{4BZoUmyKz*A>=oSu2NB!2!m=J&KOCWy*^6)3x<W5=9mYw0L?d7i>xkV
z#aKOo=WH6g;2BYjHIm+~P3K7KW%PX6Ui&j6KyS2vR2z`=C_J<bGM`I@9pr4)l>PZ|
zgl7`})1~sT=e~&rIp<&jWjVCiv#Uf$QsqjwY-v-OF0}RC*D*4#)sd+)FToc<#v!JY
z?FVmwsqBk5GV!Pg0?26NKq@m~k%*2N8cJbac9_!6)tNz`3s*)UBu<B3<zi04_oK!N
z(37rU|CXZ5ue(Or4U)qgbk&EBCo=L~WA4&^aaIfxdb_#$c;!ok%+%eaRFj5RQX15p
z78mb=E{yWB7dH=DsUB<L_8(@IWsQ9K3oS1+_f^Bh#;$rcN2C%-Yj4m_;yS5}Lh<O=
zd{h7Xe2ZJ>>)}N}nXtDDqggtdU%-*v%y~Zl1ftpZgV=@1(-88%d~I`d!A&x<wH5=S
zPG(LuV5`M=Tp&>QxnzbpjaAozMlEHz<7v$ufZ!UdCkfo@&T7I;A_@5%Fyr4%W@VIJ
zrw=v8Mj!VqVeie9oriSEjMpqG6TJ{KGy65Wd~a_EpAg*Yx}TD0s;YO|T}@BxR%t5h
z8BphQ8711r$tTu?2fzNjNlHMfNa&qYr-5qC6WEQDc{RjbhAq!AA;=cZ!O?t8U0m8F
z=##@NLe6$y>_>9(abM{@%{p$=szDNgIaZtXyW88_hetPDr*AP0N@ouFSL^#&?FCP{
z`%kqteDA%bvpmZje-h#`>|QQy!oc>Rjq`eF7D!%mI)@zRHk?koNxr^==*;Y;s~;W|
z{;1pJ*sXTEnx8((G5KC<VSRFAN)a;`XPd{$+4<G;O}2s%Ujp0BmgjCs$+Me-{5J`^
zMWXMDSVfbn=M~kh$E0T5M$vSt&1zO7QY-}7p@f_kX-AC$7Q{3j8@v5)ypLDsG%Sf_
zv{-Vd-v&j$u+x7uPZjuX*8|Jj@)0Stx<=^(0cWUk$zxLJ#Q7uZ$RmeyHH}njv%r?#
z+Gr~E$zs{5F`LNAq{MaYz&=#A?FlM^T@N9K3x&^BJLEUBF+|2IE8TTAyfo1I+AQta
zi|Zu6MpFx+0pRK?zr%U|+9sCQW{sb{R_%rtz3|AG@#cEx-O?rc+;(qjo2I@+S5QOQ
zF8TaQi$njXfyhk=e~c1|^l)cird*=)Q2x-X$E7;kuC1Dug69`|15;!T*4jO(@1nQ9
z5X`8KKh>_<a6Ui$;>JB)e*D#GlReX0C<GU0A-=E6qvJ>Rx*L`D9oER69-I0V-}rG7
z_l`}!toTBMAtz2o{woQa?NAPTS0mA~1i@>E**S|el!{>&g16TTd)f2GU+!h&)9qFZ
zZ1AUMmI+KjG(~d+a$N_*tnmhA#tGIte#k`LuAOrssFMm++c|tf;j|{qdHqbNy5x`?
zO0mAm0$od4WQEWA>c@~fuDe{3()5CrbINJ6UUS7gXms~>mIavbiyrv+@9x*y6x_}y
zvTUyuxy`hfPitH@#zIfJiW(+y6NS~(>^`4Iy4Q`%3$?!Q^W(c-IMh)an)H!~xe{5K
zt5Xgo7F-#980S@LZSiTn@zt}7*aQy7fzB#NtM0I(n(rQFw{@r4(G2N=PAe;Ux>r&y
z4mF4Sb8mXl9S5(sp0H*(_blpUm8;BMm)ygg3*Y9|WlPa(pu3ntC^CpI)E}&%o07T|
zdAvpJQQGV%>u#?#4{6m}ieWdtYmqn}@v`Xh^GuODqv@z0Qb@nmF+TU2ff2qn#9^@F
z1-`Z8ibOp5Rax51hp;)fFf{Yz!M!XC=kh)qo0``9&!m6!i0d+;Va>8VJuH56zHZ9O
zse5sCZhsNt&~VHyShwRon`XnlxqGOilgnyuQ8f~_0jZWeAmJmCAeBZ0vu%wv-w{Ht
zvIV|&_WTe}aovGw?RX-@s~S?-uDifJWa1ccdy>fL8q{CManq~WRH%7XQZk#R6L}@n
zWC33w19vn?G2=K`SBW$xF|e>HxX`I)BH~>sJJtbr%aT~*X+HI6mt|A9+##kiYD{Jt
zXY;{(0gbFMo%LWyedW!y4bGgkF&d7$Znp(-O}_<Qa(t!a*sG4IS+&;QcQ294huTRR
z+gJx{9Ag=;Rc9O)u36n0kh~Fguh^Q}IMJ+XyL9^tdK|Iq%(hVnC#h!~-}c4y-+wbN
z#QQz57X19@b_L10K@Bv^J&oJ^jaj_}<yMt_^6U6XXPNNwKGD``HEl%>U(F_x%h+no
z&Y*fNseVi|<*d^(70<rFuVs#x9e+KZb;Cy!WVOIa7zro6QTx(IXGZ@POF`81s&VZm
z{*}NQJNbab1;k-^k=fxeV!oM#H2fF=M1rbt+r^FuT4(Szui(tIi-mP<U0p_H<*U@e
z?5NM5C7V8YiD~NUCb6-ze;-xVrB}-Ox|Vrtr<rQ|X^rdg{wY4&?9?~aKK?_?dpOvM
zjsd4KX+9Hmm-X$dQ%*1E%*y8SpASlWXRBVr50-HeSo0-(iykDf!RFz<YZ_Mmjp&mO
zt4~_u_`<Gv;5&$D$Dl#y(iY7yrp}b<YO00VQO|{)14*XGf|6(j8^wB^@sVB05Ub$Z
zA?EUsgZRsnFK-3H8Dk~t*|ut?%5%JlPrc&M;@>#ujQ`Z9W7xNK@UV!lw=%9enq8a9
zP~t?>+{nGbM_nYE?{K@R{pR;oPoboyYSj(i?2O~fw3u%^JZmKn&yOE^25HKws?uib
zfiBD?PraJj?qgU(@iw<k6XKrkcBU$S)0^zYmTyN#&|YbHYr!!d@6>+ZpV;oS)hXiu
z-vihBNcxqWTo|H{Fb&g88Dx4P#TeiNL$k9Cpcia3Xbc=&EzJkrx;P~+(mpi8^*kr{
zCjHFWzoIrpFY`@n(-JA3z<YkaLq^<1rJQwk?uTW9v-@x-D9O1hAFKxRjdeOKc|Klo
z>*aNq`f(Y4a68xH&gV3N438KILOR7N`%u=g1lM+L&Mu~bD5*BWos~{aqM(Zxbv-23
z!%qC`T!p(Wy=oYzTa)BK33YOF8ul*1wOq2Q<U{=Ox7r@fq}2GzEqcyP(o#EeX!SRX
zI6`a3%+-#HXFR9cF6-mV-gTbae9&s#3^D|iU~w;7RvbzJA2@^>vT&t&<8=8?FRPyf
z5FNEo3>-i479##8&s`rsRUtzn{+u~1$mjxxYt^wuCUcIW58ay?6~np%rM(kFi1Znv
zJsFe&mHqpN_-2=|rM9M@WY_fJE**v~A>VA6RbxaEKExB&PHNF20Q22Fr|Ksb*-tF0
zC9}UHV+g^)BVxQLft#ml|4H}|9+5?($z?vXtW1faZi}S`v?0wXDA-PCXAj(IyE;EK
z8cKg`6*Gw;q_>4I)ga4@y)#uIU1>E<wY<D+Fc&9B=H>MnZocEAjp=HSs#vdk7g_1n
zlsINrkAqSaEeZuq@oAH1j#}eH{mT5)d;MP$mu5Y*kia{CT@tGWI*+rs>}XAv82Fn?
zl$Tf^uJn>agRz79pEA7^s>3p`o~&`mvYczwZkcBiKp_n$gKr5TFr9Vyz5jq>p|8Jc
zo(c<9(!rrD!FkGT_SQm`?X4L7V05;oM(XvsJEFac&^s|xE341BxwK|xW>29@8$v&8
zhsnU1)GAwTxA+2^7d$gDX}48|0&{=1DrNiYVnLF`eeMqgm+<1gP%KjD(#qS_Tvkyp
z+r<?Du&lWh+hx6M4OU}V=c)RlsFyITw~(>0?UlT2KgFLW=Jh=Q&x^kV&;Qr6b^Cnd
z#h&`x8VDw5hsT500<GWGaxz8%&w?U@@kr!O+yf7}vgd%dO-@Zu8^PB8$jA~qF~~R2
zscDxo!JFdT<yB350t-K<-haZ+w*+*~EWZRGG5QX~n%gQlUP7VZS@v6g4mD3GVdpOI
zzn!}imkRLkh{164e)?WQ7qC-e>)t=l<=>y9a0bI84$;D<Nbb)tNaj0c!%$JcX|Df(
zH2f9pO?dv}r$+&WI%Tl3TF?yOyvxBlh3-B6Gg+%Ww!<?s^c58qm?4mi{QQ>)-d+uu
z*kDm9dwYAsudl6zcXU8<3Jar$h7{Yt@)m~;bpRY|Js^bCEG$S<Ff#VbDCClcrwffo
zw3Zq>G|*`m%Nr*+$ws;#+UfccTt|)$50f|R$ph=C>K@o)@xHn7T;JaQ92trEy}w^>
zP=Wga0&LcUy-&kVq*Bgj<(1{vGD%f1@cf&aekQM}B`6a{d3Yw1_$PPyS;=+fhJ<}@
zZuN&i1#Jc_7jye$QAoYu5Ku^&Qou{Rx17O+fMOU2-c64+URDt71Ft4qF#bg_#TaMu
zUbd~Kzjm4sX%G?$r@F@>mlGm}Ed!WVSt((}U%OBd<U^8)>=Ghy-al~nw5!**wxYVb
zrE>D}K7IU%io;=YgSYhHEopKu;?&esdS)gBA0I!xz8;FK+D=ItPV{RztRG-2<a{BB
zFdAowgqs<HCM!~!c{d=RNVgxfmzph$Vt!@kUB8}e_D4ekTkeC%Q!{Jp=ob_s)%sE7
z;RxQ1jRIzWZ;uFDu7vk#_9%!L@~~BG*W~`!D+Er{=j*eL@ikAul0>B?4bKPTR%aFn
z^MY+30_p#-5Xiwo!6OY9fPL=%A3p!j3q_*3<TMQd_L}hSprosSP3M>NXT1xygfx(V
zRRiW0Pl&VtHvTK{>rZaJb)5}f(FcMKI0Q3nkh;%5gI3$6e@p}csxQpeU{?YO5rY)U
zbQj}A9{3|P!GESm1nz>g;04e7F?$JVfH!7+_J3+`cs%(ZDFP`*v1%$9WiTxh6B8*B
z5z)}Z1oi0XsG^3(M?3_S^cP^<cipz5-QrkTDO9yQ0+*JTYiOjf5hJnIc<j~2EDK{Y
z?&EX^m-R{7+X(FR*rw^0y1BVg;60EM7KV3u0*|OjF)%mB*wE0RsHjMGetu5FL+dXL
zc4tUD^WM#%4h`EJ!ADfo8LV_vghdQIJfQsu`t;E!vLF3u5d&+oc>A7u#Xd8)>)AlS
z<to}2E3MJVdtg<=)-#ndIKfitu_WNU>A>-6IEl9C_~_R{#{+9ypAWW2NWlKbL;Jm5
z3}FXNkPUHGC>%l`nASc?nt)%MMQ8&Apq#Rm7htcRBQ)OUOiWBvR9B~Qa&l5sP-t#h
z`9b27kb;g_9w(%!89y>I@<LS9Cn_f9@@H-}B4X+9fUMm}MyujL{_Ds|*8D=CoJ&Ff
z*NLOXQQ+~SrOfzQgCOr&af%Qf&L??lir(H{%s?>^;_ML>Ne9NqpA{4oD5|JX($mvp
zKJ-_zRetCVhX9LxtPfrLe+TEiufG#LR!(pz2n!=2MuMe9@w{X8kuBK2b_SCFJ4ot*
zp*^^RIP~lD|5HKq|INLT#Mmn1;!-s-HYUY}|GBi3<sKr!i4-_0ycLk{-o2ZimL`f%
zK#);et05&V{YVtf8w;FZP@$q3MMei>zom~sj1l$qe4OGr?}Z`}v?U()eCa(db!--i
zvm4`<-0AIn`{W<#BQ^C;268W<kBAqSml;)6s!~!?6oP_+;u6bDu#?M<_3o_T)N|hz
zcTol5l=%0`!g_=VcYJ(O4eS){<PXlhJqh2F5mfR&&EpWDLPjUSx4W$uE(^)y;eGlm
z@_RLX04tj+DrNz!StD=?(ADWDFu)=|96~Et+rh|SkNgw`hd>(a5CCJO!vR}lzjtxu
zkx)|&2szv|NWVAB3lNj2oW=;jwqnu!EB~T>{yd|wP?naKR&65T+#sCw$lHtKv8jc{
zr!Qad%}gm0eGuW`;GvRY!pf%M2M6{fTG%mOLe9T3i7b$OWtdxwMQhi+KyZ|H@R9nQ
zj&wpi!HC_1+mrbjUD9=IEB(|2nS=u?p#3!_s&9HtjXGHb%DkUKs1PdR#l=N>MTJUk
zF6eBPA>J}?iyGSf6hlY|76&`vcWZuUGl1l^n&p0Jz2XP58R~2=p;9mhhV5s7kPJ&E
z=>9{%{5#oTgKlklXiA|54Y^<na2=$4Jx!meU(8I;o<LS@r8La*Y6Q}*g=f-K((t>%
z1mjkG7tMC}aBweI`8hAPZh3d>$xRaM{IKHh8-O)3f<h?hsa0EB3uApMs&z^4DW>%)
zU|^_!^K9rEL{Bcp;yRdhS2VntZg)YJe&Jk&IbfS+V0QqrW9;<F^JmXJ1zz9NSuo4%
zx%ul*|Mh;uAA#`%SED5${(h&wKbrvW+!AS$<gWnuD+;oRfPC*!mG`ILM?5T}2487{
z09!zMN&b7W{El)E@OoGlIBYTh`48zm2Za!9!*{<!>aQnabfI|P!oL=^c#^Fx{~8Vs
j?xB&Iq_K<)94+`71^j~jH>C6l_CHB+S+PP9z4!kg#>H{A


From b701adea506d65cdc9f622bc17337cbddfb6c05d Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 14 Jul 2024 22:49:53 -0400
Subject: [PATCH 29/50] Rename "Async Payjoin"

---
 README.mediawiki   | 2 +-
 bip-0077.mediawiki | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.mediawiki b/README.mediawiki
index 1801ebcdb1..34a83ac8c9 100644
--- a/README.mediawiki
+++ b/README.mediawiki
@@ -402,7 +402,7 @@ Those proposing changes should consider that ultimately consent may rest with th
 |-
 | [[bip-0077.mediawiki|77]]
 | Applications
-| Payjoin Version 2: Serverless Payjoin
+| Payjoin Version 2 — Async Payjoin
 | Dan Gould
 | Standard
 | Draft
diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 2b347c588f..88ceebb677 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -1,7 +1,7 @@
 <pre>
   BIP: 77
   Layer: Applications
-  Title: Payjoin Version 2: Serverless Payjoin
+  Title: Payjoin Version 2 — Async Payjoin
   Author: Dan Gould <d@ngould.dev>
   Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0077
   Status: Draft

From 93b1e60d8a2b6c879a37d611a591d599612b1fde Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Mon, 15 Jul 2024 11:38:11 -0400
Subject: [PATCH 30/50] Replace BIP21 params with fragment params

---
 bip-0077.mediawiki | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 88ceebb677..50a0b3e7d4 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -185,15 +185,21 @@ The Payjoin Directory provides a rendezvous point for sender and receiver to mee
 
 Each receiver subdirectory allocated on the directory has one buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
-===BIP 21 receiver parameters===
+===Receiver fragment parameters===
 
 A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
-This proposal defines the following new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters:
+Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> character and follow the semantics of the [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki#abnf-grammar| BIP 21 "otherparam" grammar]], being separated by an <code>&</code> character.
 
 * <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 Payjoin URIs.
 * <code>exp</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
+The '=' and '&' characters parameters must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%3D' and '%26' respectively according to BIP 21.
+
+For example, a properly encoded endpoint URL fragment looks like this <code>https://payjo.in/A_AIjiMHeXGyelsouuwGLELpdzisOfj8eWzjh2OJ3cim#ohttp%3DAQAgF9BeZJPsVQ4dQ-yFmNE_vAzHHD-CGfcRTOGxCngofR8ABAABAAM%26exp%3D1721098849</code>
+
+Using the fragment for Payjoin URI parameters makes for more compact QR codes too, since all of the characters are contained in alphanumeric QR mode is more compact than the byte mode.
+
 ===Optional sender parameters===
 
 When a Payjoin sender posts an Original PSBT to the receiver, the sender should specify the following HTTP query string parameters:

From 7e7b3b4bac93a3000cfbf55156122482283cc872 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Mon, 15 Jul 2024 12:58:39 -0400
Subject: [PATCH 31/50] Revise document to describe Payjoin Sessions

Enrollment was a less clear than sessions
---
 bip-0077.mediawiki | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 50a0b3e7d4..a84d4aabd4 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -46,13 +46,13 @@ The protocols in this document reuse BIP 78's BIP 21 URI parameters. An "Origina
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to enroll with a store-and-forward directory server to send and receive Payjoin messages. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to initiate a Payjoin Session at a store-and-forward directory server to send and receive Payjoin messages. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing BIP 78 specification.
 
 ===Basic scheme===
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server itself, the receiver initializes a Payjoin Session by requesting a subdirectory allocation at a related to a public key. This key is used to identify a store-and-forward subdirectory on the Payjoin Directory server and establish end-to-end encryption. A POST request  to the Payjoin Directory including the receiver's public key enrolls it as a subdirectory identifier. The response message from the directory to the receiver includes the new session subdirectory payjoin endpoint using the public key as a subdirectory identifier. Once a session is active, the receiver uses long polling to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server itself, the receiver initializes a Payjoin Session by requesting a subdirectory allocation related to a public key. This key is used to identify a store-and-forward Session subdirectory on the Payjoin Directory server and establishes end-to-end encryption. A POST request to the Payjoin Directory including the receiver's public key initiates an associated Payjoin Session. The response message from the directory to the receiver includes the new Session subdirectory payjoin endpoint using the public key as a subdirectory identifier. Once a Session is active, the receiver uses long polling to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
 The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver by the subdirectory <code>pj=</code> endpoint.
 
@@ -106,7 +106,7 @@ Payjoin version 2 messages use [[https://github.com/bitcoin/bips/blob/master/bip
 
 The Payjoin version 2 protocol takes the following steps:
 
-* The receiver sends their Payjoin Session public key and optional authentication credential according to the [[#enroll-messaging|enroll messaging]] protocol to receive a subdirectory allocation. The receiver may go offline and replay enrollment to come back online.
+* The receiver sends their Payjoin Session public key and optional authentication credential according to the [[#session-initiation|Session initiation]] protocol to receive a Payjoin Session subdirectory. The receiver may go offline and replay Session initiation to come back online.
 * Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the Payjoin Session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided.
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
@@ -144,13 +144,13 @@ The Payjoin PSBT MUST NOT:
 * Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
 * Decrease the absolute fee of the Original PSBT.
 
-====Enroll Messaging====
+====Session Initiation====
 
-Receivers must enroll with a directory to have a subdirectory allocated to them, as follows:
+Receivers must initialize a Payjoin Session on a directory to have a Session subdirectory allocated to them, as follows:
 
-A receiver must first discover the directory's OHTTP gateway Key Configuration via an authenticated bootstrap mechanism before it can enroll to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap mechanism before it can initialilze a Session to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Payjoin Sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL as response. Enrollment may be replayed in case the receiver goes offline and should result in the same response, i.e. it Is idempotent.
+Payjoin Sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL as response. Initiation may be replayed in case the receiver goes offline and should result in the same response, i.e. it Is idempotent.
 
 Optionally, before returning the URI, the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code>, after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails, an error is returned.
 
@@ -179,11 +179,11 @@ The version 2 sender's checklist is largely the same as the [[https://github.com
 
 ===Directory interactions===
 
-The Payjoin Directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST requests without HTTP to enrolled subdirectories to support backwards compatible Payjoin version 1 requests.
+The Payjoin Directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST requests without OHTTP to Payjoin Session subdirectories to support backwards compatible Payjoin version 1 requests.
 
 ===Subdirectories===
 
-Each receiver subdirectory allocated on the directory has one buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
+Each Payjoin Session subdirectory allocated on the directory has one buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ===Receiver fragment parameters===
 
@@ -259,7 +259,7 @@ The PSBT version 1 protocol was replaced because it was not designed to have inp
 
 ===Attack vectors===
 
-Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a subdirectory to receivers.
+Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a Payjoin Session subdirectory to receivers.
 
 Since we make use of 0-RTT HPKE, the first message containing the sender's Original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
 

From df3bd5239b20a9183d24d27c0d1d46da367a5262 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Mon, 15 Jul 2024 13:00:10 -0400
Subject: [PATCH 32/50] Revise Sequence Diagram

---
 bip-0077.mediawiki | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index a84d4aabd4..69830246c9 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -69,10 +69,10 @@ Key:
 | Receiver |                 | Directory |       | Sender |  | Network |
 +----------+                 +-----------+       +--------+  +---------+
 |                                  |                  |                |
-| Request subdirectory             |                  |                |
+|   Request Session subdirectory   |                  |                |
 +--------------------------------->|                  |                |
 |                                  |                  |                |
-|           subdirectory           |                  |                |
+|       Session subdirectory       |                  |                |
 |<---------------------------------|                  |                |
 |                                  |                  |                |
 |      destination (address,       |                  |                |
@@ -89,7 +89,7 @@ Key:
 |<---------------------------------|                  |                |
 |                                  |                  |                |
 |                                  |                  |                |
-|             Payjoin PSBT         |                  |                |
+|           Payjoin PSBT           |                  |                |
 +--------------------------------->|                  |                |
 |                                  |   Payjoin PSBT   |                |
 |                                  |----------------->|                |

From dc4a9757343a8449ee3c8239db53fbdc180c834b Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 26 Sep 2024 14:30:35 -0400
Subject: [PATCH 33/50] Spell initialize

---
 bip-0077.mediawiki | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 69830246c9..27d7c7fa86 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -111,7 +111,7 @@ The Payjoin version 2 protocol takes the following steps:
 * The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
-* Once the receiver is online, it sends [[#receive-messaging|<code>/receive</code>]] requests to await updates from the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* Once the receiver is online, it sends [[#receive-messaging|<code>/payjoin</code>]] requests to await updates from the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 * The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
 * The directory awaits a request from the sender if it goes offline. Upon request, the directory relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
@@ -148,7 +148,7 @@ The Payjoin PSBT MUST NOT:
 
 Receivers must initialize a Payjoin Session on a directory to have a Session subdirectory allocated to them, as follows:
 
-A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap mechanism before it can initialilze a Session to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap mechanism before it can initialize a Session to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
 Payjoin Sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL as response. Initiation may be replayed in case the receiver goes offline and should result in the same response, i.e. it Is idempotent.
 

From 87f892dce6146605842d25d4c91bc6412d2f78cd Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 26 Sep 2024 15:25:39 -0400
Subject: [PATCH 34/50] Update the bip to represent the stable protocol

---
 bip-0077.mediawiki | 42 +++++++++++++++++-------------------------
 1 file changed, 17 insertions(+), 25 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 27d7c7fa86..0ab74b05ee 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -30,11 +30,11 @@ The primary goal of this proposal is to provide a practical coordination mechani
 
 ===Relation to BIP 78 (Payjoin version 1)===
 
-The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism. This protocol also upgrades to [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| PSBT Version 2]] to simplify transaction construction.
+The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution while using a directory relay without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution by using a directory server without compromising sender or receiver privacy.
 
-Although unsecured Payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the Payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory stealing funds.
+Although unsecured Payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the Payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory, acting as a version 1 unsecured Payjoin server, stealing funds.
 
 The protocols in this document reuse BIP 78's BIP 21 URI parameters. An "Original PSBT" timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
 
@@ -52,9 +52,9 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server itself, the receiver initializes a Payjoin Session by requesting a subdirectory allocation related to a public key. This key is used to identify a store-and-forward Session subdirectory on the Payjoin Directory server and establishes end-to-end encryption. A POST request to the Payjoin Directory including the receiver's public key initiates an associated Payjoin Session. The response message from the directory to the receiver includes the new Session subdirectory payjoin endpoint using the public key as a subdirectory identifier. Once a Session is active, the receiver uses long polling to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server itself, the receiver initializes a Payjoin Session by requesting a subdirectory allocation related to their keypair's public key. This public key is used to identify a store-and-forward Session subdirectory on the Payjoin Directory server and establishes end-to-end encryption. A POST request to the Payjoin Directory including the receiver's public key initiates an associated Payjoin Session. A successful <code>201 CREATED</code> response message from the directory to the receiver includes the new Session subdirectory payjoin endpoint in the <code>Location</code> header using the compressed public key as a subdirectory identifier. As long as a Session is active, the receiver uses long polling to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
-The sender constructs an encrypted and authenticated payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver by the subdirectory <code>pj=</code> endpoint.
+The sender constructs an [[https://www.rfc-editor.org/rfc/rfc9180.html#name-authentication-using-an-asy| HPKE Auth mode]] payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver by the subdirectory <code>pj=</code> endpoint.
 
 Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin Directory.
 
@@ -102,16 +102,14 @@ Key:
 
 ===Payjoin version 2 messaging===
 
-Payjoin version 2 messages use [[https://github.com/bitcoin/bips/blob/master/bip-0370.mediawiki| BIP 370: PSBT Version 2]] (PSBTv2) format to facilitate [[#psbt-version-2|PSBT mutation]].
-
 The Payjoin version 2 protocol takes the following steps:
 
 * The receiver sends their Payjoin Session public key and optional authentication credential according to the [[#session-initiation|Session initiation]] protocol to receive a Payjoin Session subdirectory. The receiver may go offline and replay Session initiation to come back online.
-* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the Payjoin Session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided.
-* The sender creates a valid version 2 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, optional sender parameters, and HPKE keys are encrypted and authenticated, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is sent to the directory's OHTTP Gateway.
+* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the compressed Payjoin Session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> fragment parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided. It should also include an <code>exp=</code> parameter with a Unix timestamp after which the receiver will broadcast the Original PSBT and stop polling the session.
+* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is made to the directory's OHTTP Gateway.
 * The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
 * The request is stored in the subdirectory.
-* Once the receiver is online, it sends [[#receive-messaging|<code>/payjoin</code>]] requests to await updates from the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+* Once the receiver is online, it sends [[#receive-messaging|<code>GET</code>]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 * The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
 * The directory awaits a request from the sender if it goes offline. Upon request, the directory relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
@@ -120,14 +118,12 @@ The Original PSBT MUST:
 
 * Include complete UTXO data.
 * Be signed.
-* Exclude unnecessary fields such as global xpubs or keypath information. <!-* I believe PSBTv2 obviates this requirement -->
-* Set input and output Transaction Modifiable Flags to 1.
+* Exclude unnecessary fields such as global xpubs or keypath information.
 * Be broadcastable.
 
 The Original PSBT MAY:
 
 * Include outputs unrelated to the sender-receiver transfer for batching purposes.
-* Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1.
 
 The Payjoin PSBT MUST:
 
@@ -158,24 +154,24 @@ If a directory is operated by an exchange, it may give out authentication tokens
 
 ====Send Messaging====
 
-The version 2 Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to the HPKE using a shared secret derived from a newly generated Payjoin Session keypair public key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
+The Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to the HPKE using a shared secret derived from a newly generated Payjoin Session keypair public key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
 
 Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway awaits a request from the receiver to the Payjoin Session subdirectory endpoint and responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
 
 ====Receive Messaging====
 
-The receiver sends a GET request to the path of the subdirectory followed by <code>/receive</code>. This request is encapsulated in OHTTP. 
-The receiver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, or sends a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
+The receiver sends a GET request to the path of the subdirectory followed by. This request is encapsulated in OHTTP.
+The receiver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, and otherwise continues to poll by sending a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
 
-Once an Original PSBT Payload is decrypted and checked according to the [[#receivers-payjoin-psbt-checklist|checklist]], the receiver should respond with a Payjoin PSBT or an error. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair <code>e</code> from which it derives a shared secret <code>ee</code> with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a POST message to the subdirectory followed by <code>/receive</code>.
+Once an Original PSBT Payload is decrypted and checked according to the [[#receivers-payjoin-psbt-checklist|checklist]], the receiver should respond with a Payjoin PSBT or an error. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Payjoin PSBT payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a PUT message to the subdirectory.
 
 ===Receiver's Payjoin PSBT checklist===
 
-Other than requiring PSBTv2, the receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]]
+The receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]], except for the "Verify that the payjoin proposal did not introduce mixed input's type" step, which may be ignored.
 
 ===Sender's Payjoin PSBT checklist===
 
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT, which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that mixed input script types are allowed, and it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT, which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
 ===Directory interactions===
 
@@ -196,7 +192,7 @@ Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.m
 
 The '=' and '&' characters parameters must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%3D' and '%26' respectively according to BIP 21.
 
-For example, a properly encoded endpoint URL fragment looks like this <code>https://payjo.in/A_AIjiMHeXGyelsouuwGLELpdzisOfj8eWzjh2OJ3cim#ohttp%3DAQAgF9BeZJPsVQ4dQ-yFmNE_vAzHHD-CGfcRTOGxCngofR8ABAABAAM%26exp%3D1721098849</code>
+For example, a properly encoded endpoint URL fragment looks like this <code>bitcoin:bcrt1qq34p97ah7fwxl3mnuyvtlg2serkawma8r9ylzr?pj=https://payjo.in/AoE6sWvRXaG5VAxea61t39syjhQGELKcXiI0DiLlnKtE#ohttp%3DAQJEXdFvFV4dCy48eYt8NEDsAXQznb67o2HObVYuE50cHg%26exp%3D1727464869&pjos=0</code>
 
 Using the fragment for Payjoin URI parameters makes for more compact QR codes too, since all of the characters are contained in alphanumeric QR mode is more compact than the byte mode.
 
@@ -253,10 +249,6 @@ This authenticated encryption with additional data [[https://en.wikipedia.org/wi
 
 SHA-256 is considered secure and is necessarily available in bitcoin contexts.
 
-===PSBT Version 2===
-
-The PSBT version 1 protocol was replaced because it was not designed to have inputs and outputs be mutated. Payjoin mutates the PSBT, so BIP 78 uses a workaround where a new PSBT is created by the receiver instead of mutating it. This can cause strange behaviors from signers who don't know where to look to find the scripts that they are accountable for. PSBT version 2 makes mutating a PSBT's inputs and outputs trivial. It also eliminates the transaction finalization step. Receivers who do not understand PSBT version 1 may choose to reject Payjoin version 1 requests and only support PSBT version 2.
-
 ===Attack vectors===
 
 Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a Payjoin Session subdirectory to receivers.
@@ -281,7 +273,7 @@ Receivers may choose to support version 1 payloads. Version 2 Payjoin URIs for b
 
 ==Reference implementation==
 
-An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source code for the clients, the Payjoin Directory, and development kit may be found here: [[https://github.com/payjoin/rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/payjoin/ohttp-relay]]. The reference implementation implements an asynchronous payment flow using HTTP using PSBTv1 with encryption and Oblivious HTTP and may be configured to the following independent production relays:
+An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source code for the clients, the Payjoin Directory, and development kit may be found here: [[https://github.com/payjoin/rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/payjoin/ohttp-relay]]. The reference implementation may be configured to the following independent production relays as of 24/09/26:
 
 A Payjoin Directory is run by the Payjoin Dev Kit team on [[https://payjo.in]].
 

From 11b1b83db699e8f6f68e708b6e3b1fa258b03e7d Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 26 Sep 2024 16:49:29 -0400
Subject: [PATCH 35/50] Spell according to Type Checks's job

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 0ab74b05ee..fdf041f80e 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -229,7 +229,7 @@ OHTTP relays can be run as basic HTTP proxies from wallet providers or third par
 
 ===Message Padding===
 
-All cyphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
+All ciphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
 
 ===Secp256k1 Hybrid Public Key Encryption===
 

From e44f748f6a273219462a97058a064db0b70d2dab Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 26 Sep 2024 17:04:46 -0400
Subject: [PATCH 36/50] Mention the format of the ohttp fragment

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index fdf041f80e..9dd9c956f5 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -187,7 +187,7 @@ A major benefit of BIP 78 Payjoin over other coordination mechanisms is its comp
 
 Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> character and follow the semantics of the [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki#abnf-grammar| BIP 21 "otherparam" grammar]], being separated by an <code>&</code> character.
 
-* <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded public key of the directory's OHTTP Gateway. This parameter is required for version 2 Payjoin URIs.
+* <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded compressed public key of the directory's OHTTP Gateway, prefixed by the one byte Key Identifier, from which the [[https://www.ietf.org/rfc/rfc9458.html#section-3.1| RFC 9458 Key Configuration can be constructed]]. This parameter is required for version 2 Payjoin URIs.
 * <code>exp</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 The '=' and '&' characters parameters must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%3D' and '%26' respectively according to BIP 21.

From f7a5d25b522dcb0304e0f444426403f3dd930462 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 8 Oct 2024 00:17:58 -0400
Subject: [PATCH 37/50] Reference BIP 78 attack vectors

---
 bip-0077.mediawiki | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 9dd9c956f5..f7ed8b1766 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -251,6 +251,8 @@ SHA-256 is considered secure and is necessarily available in bitcoin contexts.
 
 ===Attack vectors===
 
+In addition to the attack vectors and mitigations in [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#attack-vectors| BIP 78 Payjoin version 1]], Payjoin version 2 has the following attack vectors.
+
 Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a Payjoin Session subdirectory to receivers.
 
 Since we make use of 0-RTT HPKE, the first message containing the sender's Original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.

From 3b7be8cf18e60ccf4f516ca02db50c8ba2d1cd22 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Tue, 8 Oct 2024 14:17:47 -0400
Subject: [PATCH 38/50] Remove straggling text

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index f7ed8b1766..5acf1917bf 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -160,7 +160,7 @@ Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and h
 
 ====Receive Messaging====
 
-The receiver sends a GET request to the path of the subdirectory followed by. This request is encapsulated in OHTTP.
+The receiver sends a GET request to the path of the subdirectory. This request is encapsulated in OHTTP.
 The receiver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, and otherwise continues to poll by sending a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
 
 Once an Original PSBT Payload is decrypted and checked according to the [[#receivers-payjoin-psbt-checklist|checklist]], the receiver should respond with a Payjoin PSBT or an error. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Payjoin PSBT payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a PUT message to the subdirectory.

From 66457a011186b0175f7f027d8c226e07e7fd8aa9 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 9 Oct 2024 01:12:09 -0400
Subject: [PATCH 39/50] Specify authorization mechanism

The specifics of a credential issuance are left out, however
---
 bip-0077.mediawiki | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 5acf1917bf..a7245f6e9b 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -142,15 +142,13 @@ The Payjoin PSBT MUST NOT:
 
 ====Session Initiation====
 
-Receivers must initialize a Payjoin Session on a directory to have a Session subdirectory allocated to them, as follows:
+Sessions between senders and receivers are established out of band when a receiver shares a Payjoin URI containing its Payjoin Session public key with a sender.
 
 A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap mechanism before it can initialize a Session to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Payjoin Sessions begin by having a receiver send the static public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL as response. Initiation may be replayed in case the receiver goes offline and should result in the same response, i.e. it Is idempotent.
+Senders and receivers POST their Payjoin Session public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL in the Location header of a <code>201 CREATED</code> response.
 
-Optionally, before returning the URI, the receiver may request an authentication token by presenting a message containing only the word <code>Authenticate: <description></code>, after which the receiver is required to submit an <code>Authenticate: <token></code> including the token from the directory out of band. If authentication fails, an error is returned.
-
-If a directory is operated by an exchange, it may give out authentication tokens for users of its app, or may require some proof of work out of band. Tokens should be anonymous credentials from the directory describing the parameters of their authorization. Specific credentialing is out of the scope of this proposal.
+If a directory is subject to denial of service attacks, it may require [[https://datatracker.ietf.org/doc/html/rfc6750| RFC 6750]] authorization and otherwise respond with <code>401</code> unauthorized responses to requests. Authorization tokens must be unlinkable to preserve client privacy. A specific unlinkable authorization token mechanism is out of the scope of this proposal.
 
 ====Send Messaging====
 

From c917eab7e8d2c4cd72b50bb6db877a171ffcd037 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Wed, 9 Oct 2024 01:01:27 -0400
Subject: [PATCH 40/50] Use implicit session initialization

---
 bip-0077.mediawiki | 48 +++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index a7245f6e9b..7bda249a34 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -69,31 +69,26 @@ Key:
 | Receiver |                 | Directory |       | Sender |  | Network |
 +----------+                 +-----------+       +--------+  +---------+
 |                                  |                  |                |
-|   Request Session subdirectory   |                  |                |
-+--------------------------------->|                  |                |
-|                                  |                  |                |
-|       Session subdirectory       |                  |                |
-|<---------------------------------|                  |                |
 |                                  |                  |                |
 |      destination (address,       |                  |                |
 |        subdirectory)             |                  |                |
 +---------------------------------------------------->|                |
 |                                  |                  |                |
-|      Request Original PSBT       |                  |                |
-+- - - - - - - - - - - - - - - - ->|                  |                |
+|    GET Request Original PSBT     |                  |                |
++- - - - - - - - - - - - - - - - ->|   POST Request   |                |
 |                                  |  Original PSBT   |                |
+|    GET Response Original PSBT    |<-----------------|                |
+|<---------------------------------|   GET Request    |                |
+|                                  |   Payjoin PSBT   |                |
 |                                  |<- - - - - - - - -|                |
 |                                  |                  |                |
 |                                  |                  |                |
-|          Original PSBT           |                  |                |
-|<---------------------------------|                  |                |
 |                                  |                  |                |
-|                                  |                  |                |
-|           Payjoin PSBT           |                  |                |
-+--------------------------------->|                  |                |
+|      POST Payjoin PSBT           |                  |                |
++--------------------------------->|   GET Response   |                |
 |                                  |   Payjoin PSBT   |                |
 |                                  |----------------->|                |
-|                                  |                  |                |
+|                                  |                  |   Broadcast    |
 |                                  |                  |   Payjoin      |
 |                                  |                  +--------------->|
 |                                  |                  |                |
@@ -104,13 +99,13 @@ Key:
 
 The Payjoin version 2 protocol takes the following steps:
 
-* The receiver sends their Payjoin Session public key and optional authentication credential according to the [[#session-initiation|Session initiation]] protocol to receive a Payjoin Session subdirectory. The receiver may go offline and replay Session initiation to come back online.
+* The receiver generates a Payjoin Session public key.
 * Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the compressed Payjoin Session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> fragment parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided. It should also include an <code>exp=</code> parameter with a Unix timestamp after which the receiver will broadcast the Original PSBT and stop polling the session.
-* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, and encapsulated in OHTTP. This [[#send-messaging|Original PSBT Request send message]] is made to the directory's OHTTP Gateway.
-* The sender continues to replay this request in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops after expiry.
+* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, including a sender session public key as associated data, and encapsulats it all as OHTTP. This [[#send-messaging|Original PSBT Request send message]] is made to the directory's OHTTP Gateway.
+* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops polling after expiry.
 * The request is stored in the subdirectory.
 * Once the receiver is online, it sends [[#receive-messaging|<code>GET</code>]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
-* The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and sent to the directory's OHTTP Gateway.
+* The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed to the directory's OHTTP Gateway.
 * The directory awaits a request from the sender if it goes offline. Upon request, the directory relays the encrypted <code>Payjoin PSBT</code>.
 * The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
@@ -152,16 +147,21 @@ If a directory is subject to denial of service attacks, it may require [[https:/
 
 ====Send Messaging====
 
-The Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to the HPKE using a shared secret derived from a newly generated Payjoin Session keypair public key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway.
+The Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to HPKE using a shared secret derived from the sender's Payjoin Session public key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway to the receiver's payjoin session subdirectory.
 
-Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver. The directory's OHTTP Gateway awaits a request from the receiver to the Payjoin Session subdirectory endpoint and responds with the HPKE encrypted Original PSBT payload acording to OHTTP.
+Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the receiver's Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver.
+
+The sender then polls GET requests to the receiver's Payjoin Session subdirectory endpoint in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops polling after expiry.
 
 ====Receive Messaging====
 
-The receiver sends a GET request to the path of the subdirectory. This request is encapsulated in OHTTP.
-The receiver then awaits an OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, and otherwise continues to poll by sending a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
+After sharing the Payjoin URI with the sender, the receiver sends a GET request to the path of the receiver's Payjoin Session subdirectory. This request is encapsulated in OHTTP. It continues to poll by sending a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
+
+Upon receiving OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, the receiver decrypts the payload and checks the <code>Payjoin PSBT</code> according to the [[#receivers-payjoin-psbt-checklist|checklist]].
+
+The receiver then updates the <code>Original PSBT</code> to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
 
-Once an Original PSBT Payload is decrypted and checked according to the [[#receivers-payjoin-psbt-checklist|checklist]], the receiver should respond with a Payjoin PSBT or an error. The receiver encrypts the PSBT according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's key <code>e</code> from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Payjoin PSBT payload is then sent to the directory in an OHTTP request encapsulating the binary payload as a PUT message to the subdirectory.
+The receiver encrypts the <code>Payjoin PSBT</code> according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's Payjoin Session public key from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Payjoin PSBT payload is then sent as a POST message to the directory in an OHTTP request encapsulating the binary payload to the sender's Payjoin Session subdirectory.
 
 ===Receiver's Payjoin PSBT checklist===
 
@@ -177,7 +177,7 @@ The Payjoin Directory provides a rendezvous point for sender and receiver to mee
 
 ===Subdirectories===
 
-Each Payjoin Session subdirectory allocated on the directory has one buffer for requests and one for responses. Each buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
+Each Payjoin Session subdirectory allocated on the directory has one buffer for a PSBT payload. The buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ===Receiver fragment parameters===
 
@@ -196,7 +196,7 @@ Using the fragment for Payjoin URI parameters makes for more compact QR codes to
 
 ===Optional sender parameters===
 
-When a Payjoin sender posts an Original PSBT to the receiver, the sender should specify the following HTTP query string parameters:
+When a Payjoin sender POSTs an Original PSBT to the receiver, the sender should specify the following HTTP query string parameters:
 
 * <code>v</code>: represents the version number of the Payjoin protocol that the sender is using. This version is <code>2</code>.
 

From 3046520ebaf481fa77e0e887bbb2be29f1961832 Mon Sep 17 00:00:00 2001
From: Dan Gould <d@ngould.dev>
Date: Wed, 16 Oct 2024 15:27:22 -0400
Subject: [PATCH 41/50] Specify cryptographic handshake based on Noise IK

Co-authored-by: Yuval Kogman <nothingmuch@woobling.org>
---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 7bda249a34..5034d44402 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -233,7 +233,7 @@ All ciphertexts should be padded to the same length of 7168 bytes to prevent tra
 
 Hybrid Public Key Encryption (HPKE) is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the Payjoin version 2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/NKpsk0/| IK]] pattern. A receiver shares its public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single Payjoin Session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a Payjoin Directory subdirectory in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/IK/| IK]] pattern. A receiver shares its public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single Payjoin Session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a Payjoin Directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 

From 28f064b98afd4c9138aa4ace51ebf348d3654d23 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 20 Oct 2024 21:39:40 -0400
Subject: [PATCH 42/50] Add Spacebear's clarifications

Co-authored-by: spacebear <git@spacebear.dev>
---
 bip-0077.mediawiki | 46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 5034d44402..e82f110f99 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -32,7 +32,7 @@ The primary goal of this proposal is to provide a practical coordination mechani
 
 The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism.
 
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Payjoin PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution by using a directory server without compromising sender or receiver privacy.
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Proposal PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution by using a directory server without compromising sender or receiver privacy.
 
 Although unsecured Payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the Payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory, acting as a version 1 unsecured Payjoin server, stealing funds.
 
@@ -79,14 +79,14 @@ Key:
 |                                  |  Original PSBT   |                |
 |    GET Response Original PSBT    |<-----------------|                |
 |<---------------------------------|   GET Request    |                |
-|                                  |   Payjoin PSBT   |                |
+|                                  |  Proposal PSBT   |                |
 |                                  |<- - - - - - - - -|                |
 |                                  |                  |                |
 |                                  |                  |                |
 |                                  |                  |                |
-|      POST Payjoin PSBT           |                  |                |
+|      POST Proposal PSBT          |                  |                |
 +--------------------------------->|   GET Response   |                |
-|                                  |   Payjoin PSBT   |                |
+|                                  |   Proposal PSBT  |                |
 |                                  |----------------->|                |
 |                                  |                  |   Broadcast    |
 |                                  |                  |   Payjoin      |
@@ -100,14 +100,14 @@ Key:
 The Payjoin version 2 protocol takes the following steps:
 
 * The receiver generates a Payjoin Session public key.
-* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter where the subdirectory is the compressed Payjoin Session public key. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding. To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless. An <code>ohttp=</code> fragment parameter containing the directory's base64url encoded [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| Oblivious HTTP Key Configuration]] must also be provided. It should also include an <code>exp=</code> parameter with a Unix timestamp after which the receiver will broadcast the Original PSBT and stop polling the session.
-* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, including a sender session public key as associated data, and encapsulats it all as OHTTP. This [[#send-messaging|Original PSBT Request send message]] is made to the directory's OHTTP Gateway.
-* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops polling after expiry.
-* The request is stored in the subdirectory.
-* Once the receiver is online, it sends [[#receive-messaging|<code>GET</code>]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
-* The <code>Payjoin PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed to the directory's OHTTP Gateway.
-* The directory awaits a request from the sender if it goes offline. Upon request, the directory relays the encrypted <code>Payjoin PSBT</code>.
-* The sender validates the <code>Payjoin PSBT</code> according to [[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
+* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter. The <code>pj</code> URL contains the compressed Payjoin Session public key, [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url-encoded]] followed by the [[#receiver-fragment-parameters| receiver fragment parameters]] .
+  * To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
+* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, including a sender session public key as associated data, and encapsulates it all as OHTTP. This [[#send-messaging| Original PSBT Request send message]] is made to the directory's OHTTP Gateway. The request is stored in the receiver subdirectory.
+* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
+* Once the receiver is online, it sends <code>GET</code> requests [[#receive-messaging| to the receiver subdirectory]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Proposal PSBT</code>.
+* The <code>Proposal PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed to the directory's OHTTP Gateway.
+* The directory awaits a GET request from the sender. Upon request, the directory relays the encrypted <code>Proposal PSBT</code>.
+* The sender validates the <code>Proposal PSBT</code> according to [[#senders-proposal-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
 The Original PSBT MUST:
 
@@ -120,17 +120,17 @@ The Original PSBT MAY:
 
 * Include outputs unrelated to the sender-receiver transfer for batching purposes.
 
-The Payjoin PSBT MUST:
+The Proposal PSBT MUST:
 
 * Include all inputs from the Original PSBT.
 * Include all outputs which do not belong to the receiver from the Original PSBT.
 * Include complete UTXO data.
 
-The Payjoin PSBT sender MAY:
+The Proposal PSBT sender MAY:
 
 * Add, remove or modify Original PSBT outputs under the control of the receiver (i.e. not sender change).
 
-The Payjoin PSBT MUST NOT:
+The Proposal PSBT MUST NOT:
 
 * Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
 * Decrease the absolute fee of the Original PSBT.
@@ -151,23 +151,23 @@ The Original PSBT is serialized in base64, followed by the query parameter strin
 
 Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the receiver's Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver.
 
-The sender then polls GET requests to the receiver's Payjoin Session subdirectory endpoint in order to await a response from the directory containing a <code>Payjoin PSBT</code>. It stops polling after expiry.
+The sender then polls GET requests to the sender's Payjoin Session subdirectory endpoint in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
 
 ====Receive Messaging====
 
 After sharing the Payjoin URI with the sender, the receiver sends a GET request to the path of the receiver's Payjoin Session subdirectory. This request is encapsulated in OHTTP. It continues to poll by sending a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
 
-Upon receiving OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, the receiver decrypts the payload and checks the <code>Payjoin PSBT</code> according to the [[#receivers-payjoin-psbt-checklist|checklist]].
+Upon receiving OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, the receiver decrypts the payload and checks the <code>Proposal PSBT</code> according to the [[#receivers-proposal-psbt-checklist|checklist]].
 
-The receiver then updates the <code>Original PSBT</code> to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Payjoin PSBT</code>.
+The receiver then updates the <code>Original PSBT</code> to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Proposal PSBT</code>.
 
-The receiver encrypts the <code>Payjoin PSBT</code> according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's Payjoin Session public key from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Payjoin PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Payjoin PSBT payload is then sent as a POST message to the directory in an OHTTP request encapsulating the binary payload to the sender's Payjoin Session subdirectory.
+The receiver encrypts the <code>Proposal PSBT</code> according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's Payjoin Session public key from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Proposal PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Proposal PSBT payload is then sent as a POST message to the directory in an OHTTP request encapsulating the binary payload to the sender's Payjoin Session subdirectory.
 
-===Receiver's Payjoin PSBT checklist===
+===Receiver's Proposal PSBT checklist===
 
 The receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]], except for the "Verify that the payjoin proposal did not introduce mixed input's type" step, which may be ignored.
 
-===Sender's Payjoin PSBT checklist===
+===Sender's Proposal PSBT checklist===
 
 The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that mixed input script types are allowed, and it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT, which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
 
@@ -255,7 +255,7 @@ Since directories store arbitrary encrypted payloads they are vulnerable to the
 
 Since we make use of 0-RTT HPKE, the first message containing the sender's Original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
 
-Receivers may break spec by ignoring the <code>exp=</code> without financial consequence since the sender payload contains a valid transaction that may be broadcast at any time. There is no mechanism to enforce penalties if a receiver fails to construct a Payjoin PSBT and wait for a signature once a Payjoin PSBT is returned to a sender. However, such basic transactions that comply with the common-input assumption are the norm, so falling back to them is no worse than typical bitcoin transaction behavior.
+Receivers may break spec by ignoring the <code>exp=</code> without financial consequence since the sender payload contains a valid transaction that may be broadcast at any time. There is no mechanism to enforce penalties if a receiver fails to construct a Proposal PSBT and wait for a signature once a Proposal PSBT is returned to a sender. However, such basic transactions that comply with the common-input assumption are the norm, so falling back to them is no worse than typical bitcoin transaction behavior.
 
 ===Network privacy===
 
@@ -269,7 +269,7 @@ The receivers advertise Payjoin capabilities through [[https://github.com/bitcoi
 
 Senders not supporting Payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. A <code>req-pj=</code> parameter, as specified in BIP 21, may be advertised to compel Payjoin. If a sender intending to pay such a URI containing <code>req-pj=</code> does not support Payjoin, it MUST consider the entire URI invalid per BIP 21.
 
-Receivers may choose to support version 1 payloads. Version 2 Payjoin URIs for backwards compatible receivers MUST enable <code>pjos=0</code> so that these version 1 senders disable output substitution. Since the version 1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Payjoin PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP 78]].
+Receivers may choose to support version 1 payloads. Version 2 Payjoin URIs for backwards compatible receivers MUST enable <code>pjos=0</code> so that these version 1 senders disable output substitution. Since the version 1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Proposal PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP 78]].
 
 ==Reference implementation==
 

From 915258a925da7061b60c380269a255f1ede3877f Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 5 Jan 2025 22:04:52 -0500
Subject: [PATCH 43/50] Document subdirectory Short IDs

---
 bip-0077.mediawiki | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index e82f110f99..7355ef7d84 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -52,9 +52,13 @@ Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP e
 
 The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server itself, the receiver initializes a Payjoin Session by requesting a subdirectory allocation related to their keypair's public key. This public key is used to identify a store-and-forward Session subdirectory on the Payjoin Directory server and establishes end-to-end encryption. A POST request to the Payjoin Directory including the receiver's public key initiates an associated Payjoin Session. A successful <code>201 CREATED</code> response message from the directory to the receiver includes the new Session subdirectory payjoin endpoint in the <code>Location</code> header using the compressed public key as a subdirectory identifier. As long as a Session is active, the receiver uses long polling to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the directory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server itself, the receiver specifies a Payjoin Session associated with their keypair's public key. This public key, compressed, hashed, truncated to 8 bytes, and bech32 encoded without a checksum [[#short-id| short ID]], is used to identify a store-and-forward Session subdirectory on the Payjoin Directory server and establishes end-to-end encryption. As long as a Session is active, the receiver long polls GET requests to this subdirectory to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the subdirectory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
-The sender constructs an [[https://www.rfc-editor.org/rfc/rfc9180.html#name-authentication-using-an-asy| HPKE Auth mode]] payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver by the subdirectory <code>pj=</code> endpoint.
+The sender constructs an [[https://www.rfc-editor.org/rfc/rfc9180.html#name-authentication-using-an-asy| HPKE Auth mode]] payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver using the subdirectory <code>pj=</code> endpoint.
+
+The receiver augments the Sender's PSBT with new inputs and outputs, and may adjust the fee. The receiver then encrypts the resulting PSBT and sends it back to the sender by POSTing it to a new subdirectory derived from the sender's reply key shared in their payload along with their original PSBT.
+
+The sender will be long polling this second subdirectory for a response from the receiver. Upon receipt, the sender validates the receiver's Proposal PSBT, and if satisfied, signs its inputs and broadcasts the transaction to the Bitcoin network.
 
 Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin Directory.
 
@@ -100,12 +104,12 @@ Key:
 The Payjoin version 2 protocol takes the following steps:
 
 * The receiver generates a Payjoin Session public key.
-* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter. The <code>pj</code> URL contains the compressed Payjoin Session public key, [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url-encoded]] followed by the [[#receiver-fragment-parameters| receiver fragment parameters]] .
+* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter. The <code>pj</code> URL path ends with the [[#short-id| short ID]], [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url-encoded]] followed by the [[#receiver-fragment-parameters| receiver fragment parameters]] .
   * To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
 * The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, including a sender session public key as associated data, and encapsulates it all as OHTTP. This [[#send-messaging| Original PSBT Request send message]] is made to the directory's OHTTP Gateway. The request is stored in the receiver subdirectory.
-* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
+* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key short ID in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
 * Once the receiver is online, it sends <code>GET</code> requests [[#receive-messaging| to the receiver subdirectory]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Proposal PSBT</code>.
-* The <code>Proposal PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed to the directory's OHTTP Gateway.
+* The <code>Proposal PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed to the sender's subdirectory via the directory's OHTTP Gateway.
 * The directory awaits a GET request from the sender. Upon request, the directory relays the encrypted <code>Proposal PSBT</code>.
 * The sender validates the <code>Proposal PSBT</code> according to [[#senders-proposal-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
@@ -141,8 +145,6 @@ Sessions between senders and receivers are established out of band when a receiv
 
 A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap mechanism before it can initialize a Session to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-Senders and receivers POST their Payjoin Session public key to the directory via OHTTP, receiving their subdirectory in a base64url encoded directory URL in the Location header of a <code>201 CREATED</code> response.
-
 If a directory is subject to denial of service attacks, it may require [[https://datatracker.ietf.org/doc/html/rfc6750| RFC 6750]] authorization and otherwise respond with <code>401</code> unauthorized responses to requests. Authorization tokens must be unlinkable to preserve client privacy. A specific unlinkable authorization token mechanism is out of the scope of this proposal.
 
 ====Send Messaging====
@@ -179,6 +181,14 @@ The Payjoin Directory provides a rendezvous point for sender and receiver to mee
 
 Each Payjoin Session subdirectory allocated on the directory has one buffer for a PSBT payload. The buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
+
+====Short ID====
+
+Short IDs are an 8-byte identifier for a Payjoin Session subdirectory. They are generated by hashing a compressed secp256k1 public key with Sha256, truncating it to 8 bytes, and encoding it in bech32 with the HRP "ID". The Short ID HRP prefix (including the '1' separator) "ID1" is stripped from the bech32 encoded uppercase string before it is used as the subdirectory identifier.
+
+64 bits are sufficient to make the probability of experiencing a random collisions negligible. As of writing, the UTXO set has ~2^28 elements. This is a very loose upper bound for the number of concurrent (non-spam) sessions, for which the probability of a random collision with will be less than 1%. The actual number of sessions will of course be (orders of magnitudes) lower given they are short lived. With ~2^21 sessions (loose bound on number of transactions that can be confirmed in 24 hours) the probability is less than 1e-6. These figures are for the existence of a collision in the set, the probability for an individual session to experience a random collision is << 1e-10 in either case.
+
+
 ===Receiver fragment parameters===
 
 A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
@@ -190,7 +200,7 @@ Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.m
 
 The '=' and '&' characters parameters must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%3D' and '%26' respectively according to BIP 21.
 
-For example, a properly encoded endpoint URL fragment looks like this <code>bitcoin:bcrt1qq34p97ah7fwxl3mnuyvtlg2serkawma8r9ylzr?pj=https://payjo.in/AoE6sWvRXaG5VAxea61t39syjhQGELKcXiI0DiLlnKtE#ohttp%3DAQJEXdFvFV4dCy48eYt8NEDsAXQznb67o2HObVYuE50cHg%26exp%3D1727464869&pjos=0</code>
+For example, a properly encoded endpoint URL fragment looks like this <code>bitcoin:tb1q6q6de88mj8qkg0q5lupmpfexwnqjsr4d2gvx2p?amount=0.00666666&pjos=0&pj=HTTPS://PAYJO.IN/TXJCGKTKXLUUZ%23RK1Q0DJS3VVDXWQQTLQ8022QGXSX7ML9PHZ6EDSF6AKEWQG758JPS2EV+OH1QYPM59NK2LXXS4890SUAXXYT25Z2VAPHP0X7YEYCJXGWAG6UG9ZU6NQ+EX1WKV8CEC</code>
 
 Using the fragment for Payjoin URI parameters makes for more compact QR codes too, since all of the characters are contained in alphanumeric QR mode is more compact than the byte mode.
 

From 113c2370830c9b31cda7cf0a722c9783fc1b364a Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 5 Jan 2025 22:07:03 -0500
Subject: [PATCH 44/50] Require uppercase URL

bech32 fragment prefixes are case sensitive, and
alphanumeric mode only works on capital letters.
---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 7355ef7d84..f3ee387a70 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -193,7 +193,7 @@ Short IDs are an 8-byte identifier for a Payjoin Session subdirectory. They are
 
 A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
-Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> character and follow the semantics of the [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki#abnf-grammar| BIP 21 "otherparam" grammar]], being separated by an <code>&</code> character.
+Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> character and follow the semantics of the [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki#abnf-grammar| BIP 21 "otherparam" grammar]], being separated by an <code>&</code> character. In order to simplify parsing and allow QR encoders to use alphanumeric QR mode, the URL must be uppercased and should come as the last parameter of the URI.
 
 * <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded compressed public key of the directory's OHTTP Gateway, prefixed by the one byte Key Identifier, from which the [[https://www.ietf.org/rfc/rfc9458.html#section-3.1| RFC 9458 Key Configuration can be constructed]]. This parameter is required for version 2 Payjoin URIs.
 * <code>exp</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.

From a2b800903b9140dedaff03bc39c3fd8b5966d2c2 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Sun, 5 Jan 2025 22:16:33 -0500
Subject: [PATCH 45/50] Specify bech32 fragment parameter definitions

---
 bip-0077.mediawiki | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index f3ee387a70..9362928547 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -193,12 +193,15 @@ Short IDs are an 8-byte identifier for a Payjoin Session subdirectory. They are
 
 A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
-Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> character and follow the semantics of the [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki#abnf-grammar| BIP 21 "otherparam" grammar]], being separated by an <code>&</code> character. In order to simplify parsing and allow QR encoders to use alphanumeric QR mode, the URL must be uppercased and should come as the last parameter of the URI.
+Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> as bech32 prameters separated by an <code>+</code> character. In order to simplify parsing and allow QR encoders to use alphanumeric QR mode, the URL must be uppercased and should come as the last parameter of the URI.
 
-* <code>ohttp</code>: represents the OHTTP Key Configuration of the directory. This is a base64url encoded compressed public key of the directory's OHTTP Gateway, prefixed by the one byte Key Identifier, from which the [[https://www.ietf.org/rfc/rfc9458.html#section-3.1| RFC 9458 Key Configuration can be constructed]]. This parameter is required for version 2 Payjoin URIs.
-* <code>exp</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
+The '#' fragment separator character  must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%23' according to BIP 21.
 
-The '=' and '&' characters parameters must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%3D' and '%26' respectively according to BIP 21.
+Bech32 encoded parameters with no checksum are separated by an <code>+</code> character and prefixed with HRPs according to their role:
+
+* <code>RK</code>: represents the receiver's Payjoin Session public key. This is a compressed public key of the receiver's Payjoin Session. Senders will initiate HPKE with the receiver using this key.
+* <code>OH</code>: represents the OHTTP Key Configuration of the directory. This is a compressed public key of the directory's OHTTP Gateway, prefixed by the 2-byte Key Identifier, from which the [[https://www.ietf.org/rfc/rfc9458.html#section-3.1| RFC 9458 Key Configuration can be constructed]]. This parameter is required for version 2 Payjoin URIs.
+* <code>EX</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
 
 For example, a properly encoded endpoint URL fragment looks like this <code>bitcoin:tb1q6q6de88mj8qkg0q5lupmpfexwnqjsr4d2gvx2p?amount=0.00666666&pjos=0&pj=HTTPS://PAYJO.IN/TXJCGKTKXLUUZ%23RK1Q0DJS3VVDXWQQTLQ8022QGXSX7ML9PHZ6EDSF6AKEWQG758JPS2EV+OH1QYPM59NK2LXXS4890SUAXXYT25Z2VAPHP0X7YEYCJXGWAG6UG9ZU6NQ+EX1WKV8CEC</code>
 

From 952156e52b75821a434e5f33bc483b074ec57f07 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 16 Jan 2025 22:19:02 -0500
Subject: [PATCH 46/50] Uppercase URL specifically only after subdirectory

---
 bip-0077.mediawiki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 9362928547..8b0d0b6ba5 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -193,7 +193,7 @@ Short IDs are an 8-byte identifier for a Payjoin Session subdirectory. They are
 
 A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
 
-Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> as bech32 prameters separated by an <code>+</code> character. In order to simplify parsing and allow QR encoders to use alphanumeric QR mode, the URL must be uppercased and should come as the last parameter of the URI.
+Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> as bech32 parameters separated by a <code>+</code> character. In order to simplify parsing and allow QR encoders to use alphanumeric QR mode wherever possible, the <code>pj</code> parameter subdirectory and fragment that follows must be uppercased and should come as the last parameter of the URI. Since URLs are case sensitive, path elements of a payjoin-directory may be lowercased but SHOULD be configured to be uppercased.
 
 The '#' fragment separator character  must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%23' according to BIP 21.
 

From 73941ab3d16b2f432ac25c7c6cbe11790cfb60b9 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Thu, 9 Jan 2025 23:46:08 -0500
Subject: [PATCH 47/50] Note payload uniformity via padding and ellswift

---
 bip-0077.mediawiki | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 8b0d0b6ba5..e54b0f1f66 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -238,9 +238,16 @@ OHTTP relays can be run as basic HTTP proxies from wallet providers or third par
 <img src=bip-0077/oblivious-http-sequence.png></img>
 
 
-===Message Padding===
+===Uniform Payloads===
+
+Encapsulated OHTTP payloads and messages seen by the Payjoin Directory are constructed to be uniform so that the third-party services are unable to distinguish between them based on payload size or by distinguishing them from random bytes. However, the Encapsulated OHTTP message includes an uncompressed key for the DHKEM which is distinguishable from random bytes but uniform across different encapsulated requests.
+
+OHTTP messages are padded to 8192 bytes.
+
+HPKE message payloads are padded to 7168 bytes. Elligator swift is used to encode encapsulated HPKE public keys prepended to the HPKE ciphertext so that the payjoin directory can't distinguish between key material, the ciphertext, and randomness, so that the directory may accomodate new protocols in the future without discrimination.
+
+This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
 
-All ciphertexts should be padded to the same length of 7168 bytes to prevent traffic analysis. This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
 
 ===Secp256k1 Hybrid Public Key Encryption===
 

From 4853f5a163c1b44210bbdd27b7182c2cc4bd1f87 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 10 Jan 2025 00:04:32 -0500
Subject: [PATCH 48/50] Include Message Byte Representations

This is the most straightforward way to explain the various padding
requirements.
---
 bip-0077.mediawiki | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index e54b0f1f66..a9dab1bbc2 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -248,6 +248,38 @@ HPKE message payloads are padded to 7168 bytes. Elligator swift is used to encod
 
 This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
 
+====Message Byte Representations====
+
+<pre>
+OHTTP Encapsulated Message Byte Representation (8192 bytes total)
++-----------------------------------------------------------------------------------+
+| Uncompressed Public Key |  AEAD Tag  | OHTTP Header |   Padded BHTTP Request      |
+|       (65 bytes)        | (16 bytes) |  (7 bytes)   | (8104 bytes = 8192-65-16-7) |
++-----------------------------------------------------------------------------------+
+</pre>
+
+<pre>
+Message A Byte Representation (7168 bytes total)
++---------------------------------------------------------------------------------------+
+| ElligatorSwift |                             Ciphertext                               |
+|   (64 bytes)   |                            (7104 bytes)                              |
+|                |----------------------------------------------------------------------|
+|                |    Reply Public Key   |         Padded Plaintext        |  AEAD Tag  |
+|                |       (33 bytes)      |   (7055 bytes = 7168-64-33-16)  | (16 bytes) |
++---------------------------------------------------------------------------------------+
+</pre>
+
+<pre>
+Mesage B Byte Representation (7168 bytes total)
++---------------------------------------------------------------------------------------+
+| ElligatorSwift |                             Ciphertext                               |
+|   (64 bytes)   |                            (7104 bytes)                              |
+|                |----------------------------------------------------------------------|
+|                |           Padded Plaintext                              |  AEAD Tag  |
+|                |       (7088 bytes = 7168-64-16)                         | (16 bytes) |
++---------------------------------------------------------------------------------------+
+</pre>
+
 
 ===Secp256k1 Hybrid Public Key Encryption===
 

From 69ae3f1a066b7d7e09ba1eca552b27d3c140ff1d Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 24 Jan 2025 15:39:40 -0500
Subject: [PATCH 49/50] Document HPKE `info` strings

---
 bip-0077.mediawiki | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index a9dab1bbc2..04cfb713c2 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -280,6 +280,13 @@ Mesage B Byte Representation (7168 bytes total)
 +---------------------------------------------------------------------------------------+
 </pre>
 
+The HPKE <code>info</code> strings used for message encryption are:
+* Message A: <code>PjV2MsgA</code> (Original PSBT Request)
+* Message B: <code>PjV2MsgB</code> (Proposal PSBT Response)
+
+These info strings are used as the application-specific info parameter during HPKE encryption to bind the ciphertext
+to its specific role in the protocol.
+
 
 ===Secp256k1 Hybrid Public Key Encryption===
 

From 799e8c145da0304d847abfe59bd2311a1cf78968 Mon Sep 17 00:00:00 2001
From: DanGould <d@ngould.dev>
Date: Fri, 24 Jan 2025 15:56:05 -0500
Subject: [PATCH 50/50] Truncate lines to 120 characters

---
 bip-0077.mediawiki | 396 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 305 insertions(+), 91 deletions(-)

diff --git a/bip-0077.mediawiki b/bip-0077.mediawiki
index 04cfb713c2..386312eff9 100644
--- a/bip-0077.mediawiki
+++ b/bip-0077.mediawiki
@@ -12,7 +12,13 @@
 
 ==Abstract==
 
-This document proposes a backwards-compatible second version of the Payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing complete Payjoin receiver functionality, including payment output substitution, without requiring one to host a secure public endpoint. This requirement is replaced with an untrusted third-party directory accessed via HTTP clients that communicate using an asynchronous protocol and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent the directory and Payjoin peers from linking requests to client IP addresses.
+This document proposes a backwards-compatible second version of the Payjoin protocol described in
+[[bip-0078.mediawiki|BIP 78]], allowing complete Payjoin receiver functionality, including payment output
+substitution, without requiring one to host a secure public endpoint. This requirement is replaced with an
+untrusted third-party directory accessed via HTTP clients that communicate using an asynchronous protocol
+and authenticated, encrypted payloads. Authenticated encryption depends only on cryptographic primitives
+available in Bitcoin Core. Requests use [[https://www.ietf.org/rfc/rfc9458.html| Oblivious HTTP]] to prevent
+the directory and Payjoin peers from linking requests to client IP addresses.
 
 ==Copyright==
 
@@ -20,52 +26,113 @@ This BIP is licensed under the 2-clause BSD license.
 
 ==Motivation==
 
-Payjoin is the simplest case of interactive bitcoin batching, allowing two participants to combine their transaction intents. It solves the sole privacy problem left open in the bitcoin paper, that transactions with multiple inputs "necessarily reveal that their inputs were owned by the same owner," by enabling two owners to provide input in a transaction.
+Payjoin is the simplest case of interactive bitcoin batching, allowing two participants to combine their
+transaction intents. It solves the sole privacy problem left open in the bitcoin paper, that transactions
+with multiple inputs "necessarily reveal that their inputs were owned by the same owner," by enabling two
+owners to provide input in a transaction.
 
-The Payjoin protocols automate cooperative transaction construction to break that common-input assumption. The increased opportunity to batch payments and execute transaction cut-through increases intent throughput, since multiple intents combined take up fewer bytes than independent transactions.
+The Payjoin protocols automate cooperative transaction construction to break that common-input assumption.
+The increased opportunity to batch payments and execute transaction cut-through increases intent throughput,
+since multiple intents combined take up fewer bytes than independent transactions.
 
-Payjoin version 1's requirements have proven to be an obstacle to adoption. Version 1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1 is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both requirements present significant barriers for all but sophisticated server operators or those wallets with complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-January/018358.html| regard]] these as limits to Payjoin adoption.
+Payjoin version 1's requirements have proven to be an obstacle to adoption. Version 1 coordinates payjoins
+over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. Version 1
+is also synchronous, requiring both sender and receiver to be online simultaneously to payjoin. Both
+requirements present significant barriers for all but sophisticated server operators or those wallets with
+complex Tor integration. Wallet developers [[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-
+January/018358.html| regard]] these as limits to Payjoin adoption.
 
-The primary goal of this proposal is to provide a practical coordination mechanism that can be implemented in a majority of bitcoin software environments. This is done here using a simple protocol built on bitcoin URI requests, web standards, common cryptography, and minimal dependencies.
+The primary goal of this proposal is to provide a practical coordination mechanism that can be implemented
+in a majority of bitcoin software environments. This is done here using a simple protocol built on bitcoin
+URI requests, web standards, common cryptography, and minimal dependencies.
 
 ===Relation to BIP 78 (Payjoin version 1)===
 
-The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model is replaced with an asynchronous store-and-forward mechanism.
-
-The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server" responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Proposal PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for a number of block space optimizations, including payment batching and transaction cut-through. This proposal introduces authentication and encryption to secure output substitution by using a directory server without compromising sender or receiver privacy.
-
-Although unsecured Payjoin server separation is mentioned in BIP 78, no known specification or implementation exists. This document specifies a way to use the Payjoin directory as an unsecured backwards compatible server for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their payloads are saved in plaintext, so that they may payjoin without the risk of the directory, acting as a version 1 unsecured Payjoin server, stealing funds.
-
-The protocols in this document reuse BIP 78's BIP 21 URI parameters. An "Original PSBT" timeout parameter is introduced which may also help coordinate the synchronous version 1 protocol.
+The message payloads in this version parallel those used in BIP 78, while being encapsulated in authenticated
+encryption. TLS and Tor security, which depend on third-party authorities, are replaced with Hybrid Public
+Key Encryption ([[https://www.rfc-editor.org/rfc/rfc9180| HPKE]]). The synchronous HTTP client-server model
+is replaced with an asynchronous store-and-forward mechanism.
+
+The BIP 78 standard allows for an [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#unsecured-
+payjoin-server| unsecured Payjoin server|]] to operate separately from the so-called "payment server"
+responsible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] request
+URIs. Because BIP 78 messages relayed over an unsecured server are neither end-to-end authenticated nor
+encrypted between sender and receiver, a malicious unsecured Payjoin server is able to modify the Proposal
+PSBT in flight, thus requiring payment output substitution to be disabled. Output substitution is useful for
+a number of block space optimizations, including payment batching and transaction cut-through. This proposal
+introduces authentication and encryption to secure output substitution by using a directory server without
+compromising sender or receiver privacy.
+
+Although unsecured Payjoin server separation is mentioned in BIP 78, no known specification or implementation
+exists. This document specifies a way to use the Payjoin directory as an unsecured backwards compatible server
+for version 1 senders. Receivers responding to version 1 senders must disable output substitution, since their
+payloads are saved in plaintext, so that they may payjoin without the risk of the directory, acting as a
+version 1 unsecured Payjoin server, stealing funds.
+
+The protocols in this document reuse BIP 78's BIP 21 URI parameters. An "Original PSBT" timeout parameter is
+introduced which may also help coordinate the synchronous version 1 protocol.
 
 ===Relation to Stowaway===
 
-[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a Payjoin coordination mechanism that depended on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki| BIP 47]] "payment codes" directory for subdirectory identification and encryption. The Payjoin version 2 protocol uses per-request public keys for relay subdirectory identification, authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in 2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
+[[https://docs.samourai.io/en/spend-tools#stowaway| Stowaway]] was a Payjoin coordination mechanism that
+depended on Tor, a third-party relay, and the [[https://paynym.is| PayNym]] [[https://github.com/bitcoin/bips/
+blob/master/bip-0047.mediawiki| BIP 47]] "payment codes" directory for subdirectory identification and
+encryption. The Payjoin version 2 protocol uses per-request public keys for relay subdirectory identification,
+authentication, and encryption instead of BIP 47 public keys derived from a wallet. Payjoin version 2 also
+supports asynchronous messaging, in contrast to Stowaway's synchronous messaging. Offline Stowaway depends on
+manual message passing rather than an asynchronous network protocol. Successful Stowaway execution results in
+2-output transactions, while BIP 78, and this work may produce batched transactions with many outputs.
 
 ==Specification==
 
 ===Overview===
 
-Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows an HTTP client to initiate a Payjoin Session at a store-and-forward directory server to send and receive Payjoin messages. Directories may optionally require an authorization credential before allocating resources in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing BIP 78 specification.
+Payjoin requests are made using familiar BIP 21 URIs. Instead of a public HTTP endpoint, this scheme allows
+an HTTP client to initiate a Payjoin Session at a store-and-forward directory server to send and receive
+Payjoin messages. Directories may optionally require an authorization credential before allocating resources
+in order to prevent DoS attacks. Sender and receiver payloads are buffered at the directory to support
+asynchronous interaction. Authenticated encryption prevents the directory from snooping on message contents
+or forging messages by way of HPKE. Oblivious HTTP is required for version 2 interactions in order to separate
+client IP addresses from the directory to prevent metadata attacks. Aside from application layer authenticated
+encryption and relayed asynchronous networking, version 2 messaging takes much the same form as the existing
+BIP 78 specification.
 
 ===Basic scheme===
 
-The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated encryption and identification of a particular payjoin over the directory.
+The receiver first generates a 256-bit keypair. This key will be the basis of end-to-end authenticated
+encryption and identification of a particular payjoin over the directory.
 
-Rather than hosting a public server itself, the receiver specifies a Payjoin Session associated with their keypair's public key. This public key, compressed, hashed, truncated to 8 bytes, and bech32 encoded without a checksum [[#short-id| short ID]], is used to identify a store-and-forward Session subdirectory on the Payjoin Directory server and establishes end-to-end encryption. As long as a Session is active, the receiver long polls GET requests to this subdirectory to await a payjoin request to a Payjoin Session from the sender. Out of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]] Payjoin URI including the subdirectory endpoint in the <code>pj=</code> query parameter and a new Oblivious HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
+Rather than hosting a public server itself, the receiver specifies a Payjoin Session associated with their
+keypair's public key. This public key, compressed, hashed, truncated to 8 bytes, and bech32 encoded without a
+checksum [[#short-id| short ID]], is used to identify a store-and-forward Session subdirectory on the Payjoin
+Directory server and establishes end-to-end encryption. As long as a Session is active, the receiver long
+polls GET requests to this subdirectory to await a payjoin request to a Payjoin Session from the sender. Out
+of band, the receiver shares a [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21]]
+Payjoin URI including the subdirectory endpoint in the <code>pj=</code> query parameter and a new Oblivious
+HTTP <code>ohttp=</code> fragment parameter including the Payjoin Directory's [[https://www.ietf.org/rfc/
+rfc9458.html#name-key-configuration| OHTTP Key Configuration]].
 
-The sender constructs an [[https://www.rfc-editor.org/rfc/rfc9180.html#name-authentication-using-an-asy| HPKE Auth mode]] payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext ensures message secrecy and integrity when passed to the receiver using the subdirectory <code>pj=</code> endpoint.
+The sender constructs an [[https://www.rfc-editor.org/rfc/rfc9180.html#name-authentication-using-an-asy| HPKE
+Auth mode]] payload containing a PSBT and optional parameters similar to BIP 78. The resulting ciphertext
+ensures message secrecy and integrity when passed to the receiver using the subdirectory <code>pj=</code>
+endpoint.
 
-The receiver augments the Sender's PSBT with new inputs and outputs, and may adjust the fee. The receiver then encrypts the resulting PSBT and sends it back to the sender by POSTing it to a new subdirectory derived from the sender's reply key shared in their payload along with their original PSBT.
+The receiver augments the Sender's PSBT with new inputs and outputs, and may adjust the fee. The receiver then
+encrypts the resulting PSBT and sends it back to the sender by POSTing it to a new subdirectory derived from
+the sender's reply key shared in their payload along with their original PSBT.
 
-The sender will be long polling this second subdirectory for a response from the receiver. Upon receipt, the sender validates the receiver's Proposal PSBT, and if satisfied, signs its inputs and broadcasts the transaction to the Bitcoin network.
+The sender will be long polling this second subdirectory for a response from the receiver. Upon receipt, the
+sender validates the receiver's Proposal PSBT, and if satisfied, signs its inputs and broadcasts the
+transaction to the Bitcoin network.
 
-Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may experience network interruption and proceed with the protocol since their request and response are buffered at the Payjoin Directory.
+Messages are secured by symmetric cipher rather than TLS or Onion routing session key. Sender and receiver may
+experience network interruption and proceed with the protocol since their request and response are buffered at
+the Payjoin Directory.
 
 ====Sequence Diagram====
 
 <pre>
-Key: 
+Key:
 |-----> Single transmission
 |- - -> Polled transmission
 
@@ -104,14 +171,33 @@ Key:
 The Payjoin version 2 protocol takes the following steps:
 
 * The receiver generates a Payjoin Session public key.
-* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter. The <code>pj</code> URL path ends with the [[#short-id| short ID]], [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url-encoded]] followed by the [[#receiver-fragment-parameters| receiver fragment parameters]] .
-  * To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code> must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
-* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated encryption, including a sender session public key as associated data, and encapsulates it all as OHTTP. This [[#send-messaging| Original PSBT Request send message]] is made to the directory's OHTTP Gateway. The request is stored in the receiver subdirectory.
-* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key short ID in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
-* Once the receiver is online, it sends <code>GET</code> requests [[#receive-messaging| to the receiver subdirectory]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Proposal PSBT</code>.
-* The <code>Proposal PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed to the sender's subdirectory via the directory's OHTTP Gateway.
-* The directory awaits a GET request from the sender. Upon request, the directory relays the encrypted <code>Proposal PSBT</code>.
-* The sender validates the <code>Proposal PSBT</code> according to [[#senders-proposal-psbt-checklist|the sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
+* Out of band, the receiver shares a bitcoin URI with the sender, including a <code>pj=</code> query parameter.
+The <code>pj</code> URL path ends with the [[#short-id| short ID]], [[https://datatracker.ietf.org/doc/html/
+rfc4648#section-5| base64url-encoded]] followed by the [[#receiver-fragment-parameters| receiver fragment
+parameters]].
+  * To support version 1 senders, the directory acts as an unsecured Payjoin server, so <code>pjos=0</code>
+must be specified in the URI. Version 2 senders may safely allow output substitution regardless.
+* The sender creates a valid version 0 PSBT satisfying the [[https://github.com/bitcoin/bips/blob/master/bip-
+0078.mediawiki#receivers-original-psbt-checklist| the receiver checklist]]. We call this the <code>Original
+PSBT</code>. This <code>Original PSBT</code>, and optional sender parameters, are wrapped in HPKE authenticated
+encryption, including a sender session public key as associated data, and encapsulates it all as OHTTP. This
+[[#send-messaging| Original PSBT Request send message]] is made to the directory's OHTTP Gateway. The request
+is stored in the receiver subdirectory.
+* The sender polls GET requests to the subdirectory defined by the sender's Payjoin Session public key short
+ID in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling
+after expiry.
+* Once the receiver is online, it sends <code>GET</code> requests [[#receive-messaging| to the receiver
+subdirectory]] requests to the subdirectory. The receiver decrypts and authenticates the response, which it
+checks according to [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-
+checklist| the receiver checklist]]. The receiver updates the Original PSBT to include new signed inputs and
+outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Proposal
+PSBT</code>.
+* The <code>Proposal PSBT</code> and HPKE keys are encrypted, authenticated, encapsulated in OHTTP, and POSTed
+to the sender's subdirectory via the directory's OHTTP Gateway.
+* The directory awaits a GET request from the sender. Upon request, the directory relays the encrypted
+<code>Proposal PSBT</code>.
+* The sender validates the <code>Proposal PSBT</code> according to [[#senders-proposal-psbt-checklist|the
+sender checklist]], signs its inputs and broadcasts the transaction to the Bitcoin network.
 
 The Original PSBT MUST:
 
@@ -136,82 +222,150 @@ The Proposal PSBT sender MAY:
 
 The Proposal PSBT MUST NOT:
 
-* Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a random index.
+* Shuffle the order of inputs or outputs; the additional outputs or additional inputs must be inserted at a
+random index.
 * Decrease the absolute fee of the Original PSBT.
 
 ====Session Initiation====
 
-Sessions between senders and receivers are established out of band when a receiver shares a Payjoin URI containing its Payjoin Session public key with a sender.
+Sessions between senders and receivers are established out of band when a receiver shares a Payjoin URI
+containing its Payjoin Session public key with a sender.
 
-A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap mechanism before it can initialize a Session to receive payjoin requests. This mechanism may vary by implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary, https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
+A receiver must first discover the directory's OHTTP Gateway Key Configuration via an authenticated bootstrap
+mechanism before it can initialize a Session to receive payjoin requests. This mechanism may vary by
+implementation but must follow [[https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-
+01| OHTTP Consistency Requirements]] and should not reveal a receiver IP address to the directory. Some
+examples of suitable mechanisms include fetching over a VPN, using keys included with an application binary,
+https-in-http CONNECT method, https-in-WebSocket, or a Tor hidden service.
 
-If a directory is subject to denial of service attacks, it may require [[https://datatracker.ietf.org/doc/html/rfc6750| RFC 6750]] authorization and otherwise respond with <code>401</code> unauthorized responses to requests. Authorization tokens must be unlinkable to preserve client privacy. A specific unlinkable authorization token mechanism is out of the scope of this proposal.
+If a directory is subject to denial of service attacks, it may require [[https://datatracker.ietf.org/doc/html/
+rfc6750| RFC 6750]] authorization and otherwise respond with <code>401</code> unauthorized responses to
+requests. Authorization tokens must be unlinkable to preserve client privacy. A specific unlinkable
+authorization token mechanism is out of the scope of this proposal.
 
 ====Send Messaging====
 
-The Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext string is encrypted according to HPKE using a shared secret derived from the sender's Payjoin Session public key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway to the receiver's payjoin session subdirectory.
+The Original PSBT is serialized in base64, followed by the query parameter string on a new line. This plaintext
+string is encrypted according to HPKE using a shared secret derived from the sender's Payjoin Session public
+key combined with the receiver's subdirectory Payjoin Session public key. The resulting HPKE payload body is
+then encapsulated according to Oblivious HTTP as a POST request to the directory's OHTTP Gateway to the
+receiver's payjoin session subdirectory.
 
-Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request at the receiver's Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be forwarded to the receiver.
+Upon receipt, the directory's OHTTP Gateway decapsulates the OHTTP request and handles the inner POST request
+at the receiver's Payjoin Session subdirectory endpoint, which stores the HPKE encrypted payload to be
+forwarded to the receiver.
 
-The sender then polls GET requests to the sender's Payjoin Session subdirectory endpoint in order to await a response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
+The sender then polls GET requests to the sender's Payjoin Session subdirectory endpoint in order to await a
+response from the directory containing a <code>Proposal PSBT</code>. It stops polling after expiry.
 
 ====Receive Messaging====
 
-After sharing the Payjoin URI with the sender, the receiver sends a GET request to the path of the receiver's Payjoin Session subdirectory. This request is encapsulated in OHTTP. It continues to poll by sending a new OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory has not yet received a request from the sender.
+After sharing the Payjoin URI with the sender, the receiver sends a GET request to the path of the receiver's
+Payjoin Session subdirectory. This request is encapsulated in OHTTP. It continues to poll by sending a new
+OHTTP request after receiving an encapsulated 202 ACCEPTED response notifying the receiver that the directory
+has not yet received a request from the sender.
 
-Upon receiving OHTTP response from the directory encapsulating a request from the sender with status code 200 OK, the receiver decrypts the payload and checks the <code>Proposal PSBT</code> according to the [[#receivers-proposal-psbt-checklist|checklist]].
+Upon receiving OHTTP response from the directory encapsulating a request from the sender with status code 200
+OK, the receiver decrypts the payload and checks the <code>Proposal PSBT</code> according to the [[#receivers-
+proposal-psbt-checklist|checklist]].
 
-The receiver then updates the <code>Original PSBT</code> to include new signed inputs and outputs, invalidating sender signatures, and may adjust the fee. The result is called the <code>Proposal PSBT</code>.
+The receiver then updates the <code>Original PSBT</code> to include new signed inputs and outputs, invalidating
+sender signatures, and may adjust the fee. The result is called the <code>Proposal PSBT</code>.
 
-The receiver encrypts the <code>Proposal PSBT</code> according to the HPKE protocol, generating an ephemeral keypair from which it derives a shared secret with the sender's Payjoin Session public key from the payload. It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Proposal PSBT and serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Proposal PSBT payload is then sent as a POST message to the directory in an OHTTP request encapsulating the binary payload to the sender's Payjoin Session subdirectory.
+The receiver encrypts the <code>Proposal PSBT</code> according to the HPKE protocol, generating an ephemeral
+keypair from which it derives a shared secret with the sender's Payjoin Session public key from the payload.
+It generates a nonce from sufficient randomness, and constructs a ciphertext containing the Proposal PSBT and
+serialized receiver ephemeral key <code>e</code>'s public key as associated data using ChaCha20Poly1305. A
+payload is constructed by concatenating the ephemeral public key, the nonce, and the ciphertext. This Proposal
+PSBT payload is then sent as a POST message to the directory in an OHTTP request encapsulating the binary
+payload to the sender's Payjoin Session subdirectory.
 
 ===Receiver's Proposal PSBT checklist===
 
-The receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-original-psbt-checklist| the BIP 78 receiver checklist]], except for the "Verify that the payjoin proposal did not introduce mixed input's type" step, which may be ignored.
+The receiver checklist is the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#
+receivers-original-psbt-checklist| the BIP 78 receiver checklist]], except for the "Verify that the payjoin
+proposal did not introduce mixed input's type" step, which may be ignored.
 
 ===Sender's Proposal PSBT checklist===
 
-The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that mixed input script types are allowed, and it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data to be excluded from the PSBT, which has caused many issues, as it required the sender to add them back to the Payjoin proposal PSBT. Version 2 has no such requirement.
+The version 2 sender's checklist is largely the same as the [[https://github.com/bitcoin/bips/blob/master/bip-
+0078.mediawiki#senders-payjoin-proposal-checklist| the BIP 78 checklist]], with the exception that mixed input
+script types are allowed, and it expects all UTXO data to be filled in. BIP 78 required sender inputs UTXO data
+to be excluded from the PSBT, which has caused many issues, as it required the sender to add them back to the
+Payjoin proposal PSBT. Version 2 has no such requirement.
 
 ===Directory interactions===
 
-The Payjoin Directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST requests without OHTTP to Payjoin Session subdirectories to support backwards compatible Payjoin version 1 requests.
+The Payjoin Directory provides a rendezvous point for sender and receiver to meet. The directory stores Payjoin
+payloads to support asynchronous communication. The directory must only accept OHTTP requests with an OHTTP
+Gateway for Payjoin version 2, accepting encrypted payloads. The directory may optionally accept HTTP/1.1 POST
+requests without OHTTP to Payjoin Session subdirectories to support backwards compatible Payjoin version 1
+requests.
 
 ===Subdirectories===
 
-Each Payjoin Session subdirectory allocated on the directory has one buffer for a PSBT payload. The buffer updates listeners through awaitable events so that updates are immediately apparent upon client request.
-
+Each Payjoin Session subdirectory allocated on the directory has one buffer for a PSBT payload. The buffer
+updates listeners through awaitable events so that updates are immediately apparent upon client request.
 
 ====Short ID====
 
-Short IDs are an 8-byte identifier for a Payjoin Session subdirectory. They are generated by hashing a compressed secp256k1 public key with Sha256, truncating it to 8 bytes, and encoding it in bech32 with the HRP "ID". The Short ID HRP prefix (including the '1' separator) "ID1" is stripped from the bech32 encoded uppercase string before it is used as the subdirectory identifier.
-
-64 bits are sufficient to make the probability of experiencing a random collisions negligible. As of writing, the UTXO set has ~2^28 elements. This is a very loose upper bound for the number of concurrent (non-spam) sessions, for which the probability of a random collision with will be less than 1%. The actual number of sessions will of course be (orders of magnitudes) lower given they are short lived. With ~2^21 sessions (loose bound on number of transactions that can be confirmed in 24 hours) the probability is less than 1e-6. These figures are for the existence of a collision in the set, the probability for an individual session to experience a random collision is << 1e-10 in either case.
+Short IDs are an 8-byte identifier for a Payjoin Session subdirectory. They are generated by hashing a
+compressed secp256k1 public key with Sha256, truncating it to 8 bytes, and encoding it in bech32 with the HRP
+"ID". The Short ID HRP prefix (including the '1' separator) "ID1" is stripped from the bech32 encoded uppercase
+string before it is used as the subdirectory identifier.
 
+64 bits are sufficient to make the probability of experiencing a random collisions negligible. As of writing,
+the UTXO set has ~2^28 elements. This is a very loose upper bound for the number of concurrent (non-spam)
+sessions, for which the probability of a random collision with will be less than 1%. The actual number of
+sessions will of course be (orders of magnitudes) lower given they are short lived. With ~2^21 sessions (loose
+bound on number of transactions that can be confirmed in 24 hours) the probability is less than 1e-6. These
+figures are for the existence of a collision in the set, the probability for an individual session to
+experience a random collision is << 1e-10 in either case.
 
 ===Receiver fragment parameters===
 
-A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal BIP 21 bitcoin URI standard.
-
-Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]] parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the <code>#</code> as bech32 parameters separated by a <code>+</code> character. In order to simplify parsing and allow QR encoders to use alphanumeric QR mode wherever possible, the <code>pj</code> parameter subdirectory and fragment that follows must be uppercased and should come as the last parameter of the URI. Since URLs are case sensitive, path elements of a payjoin-directory may be lowercased but SHOULD be configured to be uppercased.
-
-The '#' fragment separator character  must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]] percent-encoded as '%23' according to BIP 21.
-
-Bech32 encoded parameters with no checksum are separated by an <code>+</code> character and prefixed with HRPs according to their role:
-
-* <code>RK</code>: represents the receiver's Payjoin Session public key. This is a compressed public key of the receiver's Payjoin Session. Senders will initiate HPKE with the receiver using this key.
-* <code>OH</code>: represents the OHTTP Key Configuration of the directory. This is a compressed public key of the directory's OHTTP Gateway, prefixed by the 2-byte Key Identifier, from which the [[https://www.ietf.org/rfc/rfc9458.html#section-3.1| RFC 9458 Key Configuration can be constructed]]. This parameter is required for version 2 Payjoin URIs.
-* <code>EX</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only support synchonous execution of the protocol, like automated payment processors.
-
-For example, a properly encoded endpoint URL fragment looks like this <code>bitcoin:tb1q6q6de88mj8qkg0q5lupmpfexwnqjsr4d2gvx2p?amount=0.00666666&pjos=0&pj=HTTPS://PAYJO.IN/TXJCGKTKXLUUZ%23RK1Q0DJS3VVDXWQQTLQ8022QGXSX7ML9PHZ6EDSF6AKEWQG758JPS2EV+OH1QYPM59NK2LXXS4890SUAXXYT25Z2VAPHP0X7YEYCJXGWAG6UG9ZU6NQ+EX1WKV8CEC</code>
-
-Using the fragment for Payjoin URI parameters makes for more compact QR codes too, since all of the characters are contained in alphanumeric QR mode is more compact than the byte mode.
+A major benefit of BIP 78 Payjoin over other coordination mechanisms is its compatibility with the universal
+BIP 21 bitcoin URI standard.
+
+Instead of defining new [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21 URI]]
+parameters, Payjoin version 2 encodes parameters in the [[https://datatracker.ietf.org/doc/html/rfc3986#section-
+3.5| fragment]] of the URL following the <code>pj=</code> parameter in the BIP 21 URI. They follow the
+<code>#</code> as bech32 parameters separated by a <code>+</code> character. In order to simplify parsing and
+allow QR encoders to use alphanumeric QR mode wherever possible, the <code>pj</code> parameter subdirectory and
+fragment that follows must be uppercased and should come as the last parameter of the URI. Since URLs are case
+sensitive, path elements of a payjoin-directory may be lowercased but SHOULD be configured to be uppercased.
+
+The '#' fragment separator character must be [[https://datatracker.ietf.org/doc/html/rfc3986| RFC 3986]]
+percent-encoded as '%23' according to BIP 21.
+
+Bech32 encoded parameters with no checksum are separated by an <code>+</code> character and prefixed with HRPs
+according to their role:
+
+* <code>RK</code>: represents the receiver's Payjoin Session public key. This is a compressed public key of the
+receiver's Payjoin Session. Senders will initiate HPKE with the receiver using this key.
+* <code>OH</code>: represents the OHTTP Key Configuration of the directory. This is a compressed public key of
+the directory's OHTTP Gateway, prefixed by the 2-byte Key Identifier, from which the [[https://www.ietf.org/rfc/
+rfc9458.html#section-3.1| RFC 9458 Key Configuration can be constructed]]. This parameter is required for
+version 2 Payjoin URIs.
+* <code>EX</code>: represents a request expiration in [[https://pubs.opengroup.org/onlinepubs/9699919799/
+basedefs/V1_chap04.html#tag_04_16| Unix time]] after which the receiver reserves the right to broadcast the
+transaction extracted from the Original PSBT and ignore requests. This is only necessary for receivers who only
+support synchonous execution of the protocol, like automated payment processors.
+
+For example, a properly encoded endpoint URL fragment looks like this <code>bitcoin:tb1q6q6de88mj8qkg0q5lupmpfex
+wnqjsr4d2gvx2p?amount=0.00666666&pjos=0&pj=HTTPS://PAYJO.IN/TXJCGKTKXLUUZ%23RK1Q0DJS3VVDXWQQTLQ8022QGXSX7ML9PHZ
+6EDSF6AKEWQG758JPS2EV+OH1QYPM59NK2LXXS4890SUAXXYT25Z2VAPHP0X7YEYCJXGWAG6UG9ZU6NQ+EX1WKV8CEC</code>
+
+Using the fragment for Payjoin URI parameters makes for more compact QR codes too, since all of the characters
+are contained in alphanumeric QR mode is more compact than the byte mode.
 
 ===Optional sender parameters===
 
-When a Payjoin sender POSTs an Original PSBT to the receiver, the sender should specify the following HTTP query string parameters:
+When a Payjoin sender POSTs an Original PSBT to the receiver, the sender should specify the following HTTP
+query string parameters:
 
-* <code>v</code>: represents the version number of the Payjoin protocol that the sender is using. This version is <code>2</code>.
+* <code>v</code>: represents the version number of the Payjoin protocol that the sender is using. This version
+is <code>2</code>.
 
 BIP 78's optional query parameters are also valid as version 2 parameters.
 
@@ -219,17 +373,27 @@ BIP 78's optional query parameters are also valid as version 2 parameters.
 
 ===Request expiration & Original PSBT===
 
-The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78 spec [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receiver-does-not-need-to-be-a-full-node| recommends]] broadcasting Original PSBTs in the case of an offline counterparty. Doing so exposes a naïve, surveillance-vulnerable transaction which Payjoin intends to avoid.
+The directory may hold a request for an offline payjoin peer until that peer comes online. However, the BIP 78
+spec [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receiver-does-not-need-to-be-a-full-node|
+recommends]] broadcasting Original PSBTs in the case of an offline counterparty. Doing so exposes a naïve,
+surveillance-vulnerable transaction which Payjoin intends to avoid.
 
-The existing BIP 78 protocol has to be synchronous only for automated endpoints, which may be vulnerable to probing attacks. It can cover this tradeoff by demanding an Original PSBT, from which a valid payment transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URIs can communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after which they will broadcast this original with a new expiration parameter <code>exp=</code>.
+The existing BIP 78 protocol has to be synchronous only for automated endpoints, which may be vulnerable to
+probing attacks. It can cover this tradeoff by demanding an Original PSBT, from which a valid payment
+transaction may be extracted that would not preserve privacy the same way as a payjoin. BIP 21 URIs can
+communicate a request expiration to alleviate both of these problems. Receivers may specify a deadline after
+which they will broadcast this original with a new expiration parameter <code>exp=</code>.
 
 ===HTTP===
 
-HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consider an implementation. Unlike a WebSockets protocol, plain HTTP can benefit from metadata protection by using Oblivious HTTP.
+HTTP is ubiquitous. Using simple HTTP polling allows even Bitcoin Core to consider an implementation. Unlike a
+WebSockets protocol, plain HTTP can benefit from metadata protection by using Oblivious HTTP.
 
 ===Oblivious HTTP===
 
-OHTTP protects sender and receiver IP addresses both from one another and from the directory. This makes it more difficult for a directory to correlate many payjoin transactions with specific IP addresses by intersection.
+OHTTP protects sender and receiver IP addresses both from one another and from the directory. This makes it
+more difficult for a directory to correlate many payjoin transactions with specific IP addresses by
+intersection.
 
 OHTTP relays can be run as basic HTTP proxies from wallet providers or third parties.
 
@@ -237,16 +401,23 @@ OHTTP relays can be run as basic HTTP proxies from wallet providers or third par
 
 <img src=bip-0077/oblivious-http-sequence.png></img>
 
-
 ===Uniform Payloads===
 
-Encapsulated OHTTP payloads and messages seen by the Payjoin Directory are constructed to be uniform so that the third-party services are unable to distinguish between them based on payload size or by distinguishing them from random bytes. However, the Encapsulated OHTTP message includes an uncompressed key for the DHKEM which is distinguishable from random bytes but uniform across different encapsulated requests.
+Encapsulated OHTTP payloads and messages seen by the Payjoin Directory are constructed to be uniform so that
+the third-party services are unable to distinguish between them based on payload size or by distinguishing
+them from random bytes. However, the Encapsulated OHTTP message includes an uncompressed key for the DHKEM
+which is distinguishable from random bytes but uniform across different encapsulated requests.
 
 OHTTP messages are padded to 8192 bytes.
 
-HPKE message payloads are padded to 7168 bytes. Elligator swift is used to encode encapsulated HPKE public keys prepended to the HPKE ciphertext so that the payjoin directory can't distinguish between key material, the ciphertext, and randomness, so that the directory may accomodate new protocols in the future without discrimination.
+HPKE message payloads are padded to 7168 bytes. Elligator swift is used to encode encapsulated HPKE public keys
+prepended to the HPKE ciphertext so that the payjoin directory can't distinguish between key material, the
+ciphertext, and randomness, so that the directory may accomodate new protocols in the future without
+discrimination.
 
-This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image sharing, making misuse of the Payjoin Directory impractical.
+This is sufficient size for most PSBTs without exceeding the [[https://www.geekersdigest.com/max-http-request-
+header-size-server-comparison/| 8KB limit]] of many HTTP/1.1 web servers. 8KB is also too small for image
+sharing, making misuse of the Payjoin Directory impractical.
 
 ====Message Byte Representations====
 
@@ -284,23 +455,35 @@ The HPKE <code>info</code> strings used for message encryption are:
 * Message A: <code>PjV2MsgA</code> (Original PSBT Request)
 * Message B: <code>PjV2MsgB</code> (Proposal PSBT Response)
 
-These info strings are used as the application-specific info parameter during HPKE encryption to bind the ciphertext
-to its specific role in the protocol.
-
+These info strings are used as the application-specific info parameter during HPKE encryption to bind the
+ciphertext to its specific role in the protocol.
 
 ===Secp256k1 Hybrid Public Key Encryption===
 
-Hybrid Public Key Encryption (HPKE) is a modern web standard for secure message exchange without TLS. Since client and server agree on a configuration out of band, we can pre-define the Payjoin version 2 application specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
+Hybrid Public Key Encryption (HPKE) is a modern web standard for secure message exchange without TLS. Since
+client and server agree on a configuration out of band, we can pre-define the Payjoin version 2 application
+specific configuration to use DHKEM(Secp256k1, HKDF-SHA256) and ChaCha20Poly1305 AEAD.
 
-The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/IK/| IK]] pattern. A receiver shares its public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single Payjoin Session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding as a Payjoin Directory subdirectory in the <code>pj=</code> parameter.
+The cryptographic handshake is conducted in parallel to the payjoin messaging inspired by the [[http://www.
+noiseprotocol.org/noise.html#zero-rtt-and-noise-protocols| zero-RTT]] version of the [[http://www.noiseprotocol.
+org/noise.html| Noise Framework]] [[https://noiseexplorer.com/patterns/IK/| IK]] pattern. A receiver shares its
+public key out of band in the BIP 21 URI. Static keys shared in URIs must only be used for a single Payjoin
+Session. The key is encoded in [[https://datatracker.ietf.org/doc/html/rfc4648#section-5| base64url]] encoding
+as a Payjoin Directory subdirectory in the <code>pj=</code> parameter.
 
 ====Secp256k1-based DHKEM====
 
-[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html| Secp256k1-based DHKEM for HPKE]] is most appropriate because of secp256k1's availability in bitcoin contexts.
+[[https://www.ietf.org/archive/id/draft-wahby-cfrg-hpke-kem-secp256k1-01.html| Secp256k1-based DHKEM for HPKE]]
+is most appropriate because of secp256k1's availability in bitcoin contexts.
 
 ====ChaCha20Poly1305 AEAD====
 
-This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305| algorithm]] is standardized in [[https://www.rfc-editor.org/rfc/rfc8439| RFC 8439]] and has high performance. ChaCha20Poly1305 AEAD has been implemented [[https://github.com/bitcoin/bitcoin/pull/15649| in Bitcoin Core]] [[https://github.com/bitcoin/bips/blob/master/bip-0324.mediawiki| BIP 324]] as well. The protocol has widespread support in browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily already a dependency in bitcoin software.
+This authenticated encryption with additional data [[https://en.wikipedia.org/wiki/ChaCha20-Poly1305| algorithm]]
+is standardized in [[https://www.rfc-editor.org/rfc/rfc8439| RFC 8439]] and has high performance. ChaCha20Poly1305
+AEAD has been implemented [[https://github.com/bitcoin/bitcoin/pull/15649| in Bitcoin Core]] [[https://github.
+com/bitcoin/bips/blob/master/bip-0324.mediawiki| BIP 324]] as well. The protocol has widespread support in
+browsers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, slower, and not necessarily
+already a dependency in bitcoin software.
 
 ====HKDF-SHA256====
 
@@ -308,32 +491,63 @@ SHA-256 is considered secure and is necessarily available in bitcoin contexts.
 
 ===Attack vectors===
 
-In addition to the attack vectors and mitigations in [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#attack-vectors| BIP 78 Payjoin version 1]], Payjoin version 2 has the following attack vectors.
+In addition to the attack vectors and mitigations in [[https://github.com/bitcoin/bips/blob/master/bip-0078.
+mediawiki#attack-vectors| BIP 78 Payjoin version 1]], Payjoin version 2 has the following attack vectors.
 
-Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and denial of service attacks. To mitigate such attacks, directory operators may impose an authentication requirement before they allocate a Payjoin Session subdirectory to receivers.
+Since directories store arbitrary encrypted payloads they are vulnerable to the tragedy of the commons and
+denial of service attacks. To mitigate such attacks, directory operators may impose an authentication
+requirement before they allocate a Payjoin Session subdirectory to receivers.
 
-Since we make use of 0-RTT HPKE, the first message containing the sender's Original PSBT has minimal forward secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the compromiser.
+Since we make use of 0-RTT HPKE, the first message containing the sender's Original PSBT has minimal forward
+secrecy. If the receiver's key is compromised, this message containing the Original PSBT could be read by the
+compromiser.
 
-Receivers may break spec by ignoring the <code>exp=</code> without financial consequence since the sender payload contains a valid transaction that may be broadcast at any time. There is no mechanism to enforce penalties if a receiver fails to construct a Proposal PSBT and wait for a signature once a Proposal PSBT is returned to a sender. However, such basic transactions that comply with the common-input assumption are the norm, so falling back to them is no worse than typical bitcoin transaction behavior.
+Receivers may break spec by ignoring the <code>exp=</code> without financial consequence since the sender
+payload contains a valid transaction that may be broadcast at any time. There is no mechanism to enforce
+penalties if a receiver fails to construct a Proposal PSBT and wait for a signature once a Proposal PSBT is
+returned to a sender. However, such basic transactions that comply with the common-input assumption are the
+norm, so falling back to them is no worse than typical bitcoin transaction behavior.
 
 ===Network privacy===
 
-Oblivious HTTP must be used to protect the IP addresses of both sender and receiver from the directory. This requires an OHTTP Key Configuration to be shared in the BIP 21 URI and for the directory to support Oblivious HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in bitcoin contexts.
+Oblivious HTTP must be used to protect the IP addresses of both sender and receiver from the directory. This
+requires an OHTTP Key Configuration to be shared in the BIP 21 URI and for the directory to support Oblivious
+HTTP. A secp256k1 HPKE OHTTP configuration should be used to leverage the cryptography already available in
+bitcoin contexts.
 
-Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory and not that of their peers. Directories may additionally be made available via Tor hidden services to allow either of the peers to protect their IP from the directory without OHTTP.
+Unlike BIP 78 implementations, sender and receiver peers will only see the IP address of the directory and not
+that of their peers. Directories may additionally be made available via Tor hidden services to allow either of
+the peers to protect their IP from the directory without OHTTP.
 
 ==Backwards compatibility==
 
-The receivers advertise Payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki| BIP 21's URI Scheme]].
+The receivers advertise Payjoin capabilities through [[https://github.com/bitcoin/bips/blob/master/bip-0021.
+mediawiki| BIP 21's URI Scheme]].
 
-Senders not supporting Payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-based transaction flows. A <code>req-pj=</code> parameter, as specified in BIP 21, may be advertised to compel Payjoin. If a sender intending to pay such a URI containing <code>req-pj=</code> does not support Payjoin, it MUST consider the entire URI invalid per BIP 21.
+Senders not supporting Payjoin will just ignore the <code>pj=</code> parameter and proceed to typical address-
+based transaction flows. A <code>req-pj=</code> parameter, as specified in BIP 21, may be advertised to compel
+Payjoin. If a sender intending to pay such a URI containing <code>req-pj=</code> does not support Payjoin, it
+MUST consider the entire URI invalid per BIP 21.
 
-Receivers may choose to support version 1 payloads. Version 2 Payjoin URIs for backwards compatible receivers MUST enable <code>pjos=0</code> so that these version 1 senders disable output substitution. Since the version 1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Proposal PSBTs to the same subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP 78]].
+Receivers may choose to support version 1 payloads. Version 2 Payjoin URIs for backwards compatible receivers
+MUST enable <code>pjos=0</code> so that these version 1 senders disable output substitution. Since the version
+1 messages are neither encrypted nor authenticated, they would otherwise be at risk for man-in-the-middle
+attacks. The directory protocol should carry on as normal, responding to payjoin requests instead with this
+version 1 request as BHTTP in an OHTTP response. The receiver should POST version 1 Proposal PSBTs to the same
+subdirectory as in version 2 to respond to these version 1 senders within 30 seconds. If no response is
+received within 30 seconds, the directory should respond with an <code>unavailable</code> error code as
+[[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receivers-well-known-errors| defined in BIP
+78]].
 
 ==Reference implementation==
 
-An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source code for the clients, the Payjoin Directory, and development kit may be found here: [[https://github.com/payjoin/rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/payjoin/ohttp-relay]]. The reference implementation may be configured to the following independent production relays as of 24/09/26:
+An production reference implementation client can be found at [[https://crates.io/crates/payjoin-cli]]. Source
+code for the clients, the Payjoin Directory, and development kit may be found here: [[https://github.com/payjoin/
+rust-payjoin]]. Source code for an Oblivous HTTP relay implementation may be found here [[https://github.com/
+payjoin/ohttp-relay]]. The reference implementation may be configured to the following independent production
+relays as of 24/09/26:
 
 A Payjoin Directory is run by the Payjoin Dev Kit team on [[https://payjo.in]].
 
-An independent Oblivious HTTP relay is run by [[https://www.bobspaces.net| BOB Spaces]] at [[https://pj.bobspacebkk.com]].
+An independent Oblivious HTTP relay is run by [[https://www.bobspaces.net| BOB Spaces]] at [[https://pj.
+bobspacebkk.com]].