lsd0009

draft-guetschow-taler-protocol.xml (68555B)

---

 <?xml version='1.0' encoding='utf-8'?>
 <!DOCTYPE rfc [
   <!ENTITY nbsp    "&#160;">
   <!ENTITY zwsp   "&#8203;">
   <!ENTITY nbhy   "&#8209;">
   <!ENTITY wj     "&#8288;">
 ]>
 <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
 <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.35 (Ruby 3.1.2) -->
 <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-guetschow-taler-protocol" category="info" submissionType="independent" tocInclude="true" sortRefs="true" symRefs="true" version="3">
   <!-- xml2rfc v2v3 conversion 3.32.0 -->
   <front>
     <title>The GNU Taler Protocol</title>
     <seriesInfo name="Internet-Draft" value="draft-guetschow-taler-protocol"/>
     <author initials="M." surname="Gütschow" fullname="Mikolai Gütschow">
       <organization abbrev="TU Dresden">TUD Dresden University of Technology</organization>
       <address>
         <postal>
           <street>Helmholtzstr. 10</street>
           <city>Dresden</city>
           <code>D-01069</code>
           <country>Germany</country>
         </postal>
         <email>mikolai.guetschow@tu-dresden.de</email>
       </address>
     </author>
     <date year="2026" month="April" day="08"/>
     <workgroup>independent</workgroup>
     <keyword>taler</keyword>
     <keyword>cryptography</keyword>
     <keyword>ecash</keyword>
     <keyword>payments</keyword>
     <abstract>
       <?line 45?>
 
 <t>[ TBW ]</t>
     </abstract>
   </front>
   <middle>
     <?line 49?>
 
 <section anchor="introduction">
       <name>Introduction</name>
       <t>[ TBW ]</t>
       <t>Beware that this document is still work-in-progress and may contain errors.
 Use at your own risk!</t>
     </section>
     <section anchor="notation">
       <name>Notation</name>
       <ul spacing="normal">
         <li>
           <t><tt>"abc"</tt> denotes the literal string <tt>abc</tt> encoded as ASCII <xref target="RFC20"/></t>
         </li>
         <li>
           <t><tt>a | b</tt> denotes the concatenation of a with b</t>
         </li>
         <li>
           <t><tt>len(a)</tt> denotes the length in bytes of the byte string a</t>
         </li>
         <li>
           <t><tt>padZero(y, a)</tt> denotes the byte string a, zero-padded to the length of y bytes</t>
         </li>
         <li>
           <t><tt>bits(x)</tt>/<tt>bytes(x)</tt> denotes the minimal number of bits/bytes necessary to represent the multiple precision integer x</t>
         </li>
         <li>
           <t><tt>uint(y, x)</tt> denotes the <tt>y</tt> least significant bits of the integer <tt>x</tt>, zero-padded and encoded in network byte order (big endian)</t>
         </li>
         <li>
           <t><tt>uintY(x)</tt> where <tt>Y</tt> is a positive integer number is equivalent to <tt>uint(Y, x)</tt></t>
         </li>
         <li>
           <t><tt>random(y)</tt> denotes a randomly generated sequence of y bits</t>
         </li>
         <li>
           <t><tt>a * b (mod N)</tt> / <tt>a ** b (mod N)</tt> denotes the multiplication / exponentiation of multiple precision integers a and b, modulo N</t>
         </li>
         <li>
           <t><tt>for</tt>, <tt>if</tt>, variable assignment <tt>=</tt>, and conditional operators are to be interpreted like their Python/Julia equivalents</t>
         </li>
         <li>
           <t><tt>data.key</tt> denotes the property <tt>key</tt> on the object <tt>data</tt></t>
         </li>
         <li>
           <t><tt>0..n</tt> denotes the exclusive range of integer numbers from <tt>0</tt> to <tt>n-1</tt></t>
         </li>
         <li>
           <t><tt>⟨dataᵢ⟩</tt> within a context of <tt>i = 0..n</tt> denotes <tt>n</tt> objects <tt>dataᵢ</tt>, represented in memory as a continuous array</t>
         </li>
         <li>
           <t><tt>⟨dataᵢ.key⟩</tt> within a context of <tt>i = 0..n</tt> denotes an array of the <tt>n</tt> properties <tt>key</tt> of all <tt>n</tt> objects <tt>dataᵢ</tt></t>
         </li>
       </ul>
     </section>
     <section anchor="cryptographic-primitives">
       <name>Cryptographic Primitives</name>
       <t>// todo: maybe change this description to something more similar to protocol functions (Julia-inspired syntax)</t>
       <section anchor="cryptographic-hash-functions">
         <name>Cryptographic Hash Functions</name>
         <section anchor="sha256">
           <name>SHA-256</name>
           <artwork><![CDATA[
 SHA-256(msg) -> hash
 
 Input:
     msg     input message of length L < 2^61 octets
 
 Output:
     hash    message digest of fixed length HashLen = 32 octets
 ]]></artwork>
           <t><tt>hash</tt> is the output of SHA-256 as per Sections 4.1, 5.1, 6.1, and 6.2 of <xref target="RFC6234"/>.</t>
         </section>
         <section anchor="sha512">
           <name>SHA-512</name>
           <artwork><![CDATA[
 SHA-512(msg) -> hash
 
 Input:
     msg     input message of length L < 2^125 octets
 
 Output:
     hash    message digest of fixed length HashLen = 64 octets
 ]]></artwork>
           <t><tt>hash</tt> is the output of SHA-512 as per Sections 4.2, 5.2, 6.3, and 6.4 of <xref target="RFC6234"/>.</t>
         </section>
         <section anchor="sha512-trunc">
           <name>SHA-512-256 (truncated SHA-512)</name>
           <artwork><![CDATA[
 SHA-512-256(msg) -> hash
 
 Input:
     msg     input message of length L < 2^125 octets
 
 Output:
     hash    message digest of fixed length HashLen = 32 octets
 ]]></artwork>
           <t>The output <tt>hash</tt> corresponds to the first 32 octets of the output of SHA-512 defined in <xref target="sha512"/>:</t>
           <artwork><![CDATA[
 temp = SHA-512(msg)
 hash = temp[0:31]
 ]]></artwork>
           <t>Note that this operation differs from SHA-512/256 as defined in <xref target="SHS"/> in the initial hash value.</t>
         </section>
       </section>
       <section anchor="message-authentication-codes">
         <name>Message Authentication Codes</name>
         <section anchor="hmac">
           <name>HMAC</name>
           <artwork><![CDATA[
 HMAC-Hash(key, text) -> out
 
 Option:
     Hash    cryptographic hash function with output length HashLen
 
 Input:
     key     secret key of length at least HashLen
     text    input data of arbitary length
 
 Output:
     out     output of length HashLen
 ]]></artwork>
           <t><tt>out</tt> is calculated as defined in <xref target="RFC2104"/>.</t>
         </section>
       </section>
       <section anchor="key-derivation-functions">
         <name>Key Derivation Functions</name>
         <section anchor="hkdf">
           <name>HKDF</name>
           <t>The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of <xref target="RFC5869"/>
 with two different hash functions for the Extract and Expand step as suggested in <xref target="HKDF"/>:
 <tt>HKDF-Extract</tt> uses <tt>HMAC-SHA512</tt>, while <tt>HKDF-Expand</tt> uses <tt>HMAC-SHA256</tt> (cf. <xref target="hmac"/>).</t>
           <artwork><![CDATA[
 HKDF(salt, IKM, info, L) -> OKM
 
 Inputs:
     salt    optional salt value (a non-secret random value);
               if not provided, it is set to a string of 64 zeros.
     IKM     input keying material
     info    optional context and application specific information
               (can be a zero-length string)
     L       length of output keying material in octets
               (<= 255*32 = 8160)
 
 Output:
     OKM      output keying material (of L octets)
 ]]></artwork>
           <t>The output OKM is calculated as follows:</t>
           <artwork><![CDATA[
 PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512 (HashLen = 64)
 OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256 (HashLen = 32)
 ]]></artwork>
         </section>
         <section anchor="hkdf-mod">
           <name>HKDF-Mod</name>
           <t>Based on the HKDF defined in <xref target="hkdf"/>, this function returns an OKM that is smaller than a given multiple precision integer N.</t>
           <artwork><![CDATA[
 HKDF-Mod(N, salt, IKM, info) -> OKM
 
 Inputs:
     N        multiple precision integer
     salt     optional salt value (a non-secret random value);
               if not provided, it is set to a string of 64 zeros.
     IKM      input keying material
     info     optional context and application specific information
               (can be a zero-length string)
 
 Output:
     OKM      output keying material (smaller than N)
 ]]></artwork>
           <t>The final output <tt>OKM</tt> is determined deterministically based on a counter initialized at zero.</t>
           <artwork><![CDATA[
 counter = 0
 do until OKM < N:
     x = HKDF(salt, IKM, info | uint16(counter), bytes(N))
     OKM = uint(bits(N), x)
     counter += 1
 ]]></artwork>
         </section>
       </section>
       <section anchor="non-blind-signatures">
         <name>Non-Blind Signatures</name>
         <section anchor="ed25519">
           <name>Ed25519</name>
           <t>Taler uses EdDSA instantiated with curve25519 as Ed25519,
 as defined in Section 5.1 of <xref target="RFC8032"/>.
 In particular, Taler does <em>not</em> make use of Ed25519ph or Ed25519ctx
 as defined in that document.</t>
           <section anchor="key-generation">
             <name>Key generation</name>
             <artwork><![CDATA[
 Ed25519-GetPub(priv) -> pub
 
 Input:
     priv    private Ed25519 key
 
 Output:
     pub     public Ed25519 key
 ]]></artwork>
             <t><tt>pub</tt> is calculated as described in Section 5.1.5 of <xref target="RFC8032"/>.</t>
             <artwork><![CDATA[
 Ed25519-Keygen() -> (priv, pub)
 
 Output:
     priv    private Ed25519 key
     pub     public Ed25519 key
 ]]></artwork>
             <t><tt>priv</tt> and <tt>pub</tt> are calculated as described in Section 5.1.5 of <xref target="RFC8032"/>,
 which is equivalent to the following:</t>
             <artwork><![CDATA[
 priv = random(256)
 pub = Ed25519-GetPub(priv)
 ]]></artwork>
           </section>
           <section anchor="signing">
             <name>Signing</name>
             <artwork><![CDATA[
 Ed25519-Sign(priv, msg) -> sig
 
 Inputs:
     priv    Ed25519 private key
     msg     message to be signed
 
 Output:
     sig     signature on the message by the given private key
 ]]></artwork>
             <t><tt>sig</tt> is calculated as described in Section 5.1.6 of <xref target="RFC8032"/>.</t>
           </section>
           <section anchor="verifying">
             <name>Verifying</name>
             <artwork><![CDATA[
 Ed25519-Verify(pub, msg, sig) -> out
 
 Inputs:
     pub     Ed25519 public key
     msg     signed message
     sig     signature on msg
 
 Output:
     out     true, if sig is a valid signature for msg
 ]]></artwork>
             <t><tt>out</tt> is the outcome of the last check of Section 5.1.7 of <xref target="RFC8032"/>.</t>
           </section>
         </section>
       </section>
       <section anchor="key-agreement">
         <name>Key Agreement</name>
         <section anchor="x25519">
           <name>X25519</name>
           <t>Taler uses Elliptic Curve Diffie-Hellman (ECDH) on curve25519 as defined in Section 6.1 of <xref target="RFC7748"/>,
 but reuses Ed25519 keypairs for one side of the agreement instead of random bytes.
 Depending on whether the private or public part is from Ed25519, two different functions are used.</t>
           <artwork><![CDATA[
 ECDH-Ed25519-Priv(priv, pub) -> shared
 
 Input:
     priv    private Ed25519 key
     pub     public X25519 key
 
 Output:
     shared  shared secret based on the given keys
 ]]></artwork>
           <t><tt>shared</tt> is calculated as follows, using the function X25519 defined in Section 5 of <xref target="RFC7748"/>:</t>
           <artwork><![CDATA[
 priv' = SHA-512-256(priv)
 // todo: missing bit clamping from https://github.com/jedisct1/libsodium/blob/master/src/libsodium/crypto_sign/ed25519/ref10/keypair.c#L71
 shared' = X25519(priv', pub)
 shared = SHA-512(shared')
 ]]></artwork>
           <artwork><![CDATA[
 ECDH-Ed25519-Pub(priv, pub) -> shared
 
 Input:
     priv    private X25519 key
     pub     public Ed25519 key
 
 Output:
     shared  shared secret based on the given keys
 ]]></artwork>
           <t><tt>shared</tt> is calculated as follows, using the function X25519 defined in Section 5 of <xref target="RFC7748"/>,
 and <tt>Convert-Point-Ed25519-Curve25519(p)</tt> which implements the birational map of Section 4.1 of <xref target="RFC7748"/>:</t>
           <artwork><![CDATA[
 pub' = Convert-Point-Ed25519-Curve25519(pub)
 shared' = X25519(priv, pub')
 shared = SHA-512(shared')
 
 {::comment}
 see GNUNET_CRYPTO_eddsa_ecdh
 {:/}
 ]]></artwork>
           <artwork><![CDATA[
 ECDH-GetPub(priv) -> pub
 
 Input:
     priv    private X25519 key
 
 Output:
     pub     public X25519 key
 ]]></artwork>
           <t><tt>pub</tt> is calculated according to Section 6.1 of <xref target="RFC7748"/>:</t>
           <artwork><![CDATA[
 pub = X25519(priv, 9)
 ]]></artwork>
         </section>
       </section>
       <section anchor="blind-signatures">
         <name>Blind Signatures</name>
         <section anchor="rsa-fdh">
           <name>RSA-FDH</name>
           <section anchor="supporting-functions">
             <name>Supporting Functions</name>
             <artwork><![CDATA[
 RSA-FDH(msg, pubkey) -> fdh
 
 Inputs:
     msg     message
     pubkey  RSA public key consisting of modulus N and public exponent e
 
 Output:
     fdh     full-domain hash of msg over pubkey.N
 ]]></artwork>
             <t><tt>fdh</tt> is calculated based on HKDF-Mod from <xref target="hkdf-mod"/> as follows:</t>
             <artwork><![CDATA[
 info = "RSA-FDA FTpsW!"
 salt = uint16(bytes(pubkey.N)) | uint16(bytes(pubkey.e))
      | pubkey.N | pubkey.e
 fdh = HKDF-Mod(pubkey.N, salt, msg, info)
 ]]></artwork>
             <t>The resulting <tt>fdh</tt> can be used to test against a malicious RSA pubkey
 by verifying that the greatest common denominator (gcd) of <tt>fdh</tt> and <tt>pubkey.N</tt> is 1.</t>
             <artwork><![CDATA[
 RSA-FDH-Derive(bks, pubkey) -> out
 
 Inputs:
     bks     blinding key secret of length L = 32 octets
     pubkey  RSA public key consisting of modulus N and public exponent e
 
 Output:
     out     full-domain hash of bks over pubkey.N
 ]]></artwork>
             <t><tt>out</tt> is calculated based on HKDF-Mod from <xref target="hkdf-mod"/> as follows:</t>
             <artwork><![CDATA[
 info = "Blinding KDF"
 salt = "Blinding KDF extractor HMAC key"
 fdh = HKDF-Mod(pubkey.N, salt, bks, info)
 ]]></artwork>
           </section>
           <section anchor="blinding">
             <name>Blinding</name>
             <artwork><![CDATA[
 RSA-FDH-Blind(msg, bks, pubkey) -> out
 
 Inputs:
     msg     message
     bks     blinding key secret of length L = 32 octets
     pubkey  RSA public key consisting of modulus N and public exponent e
 
 Output:
     out     message blinded for pubkey
 ]]></artwork>
             <t><tt>out</tt> is calculated based on RSA-FDH from <xref target="rsa-fdh"/> as follows:</t>
             <artwork><![CDATA[
 data = RSA-FDH(msg, pubkey)
 r = RSA-FDH-Derive(bks, pubkey)
 r_e = r ** pubkey.e (mod pubkey.N)
 out = r_e * data (mod pubkey.N)
 ]]></artwork>
           </section>
           <section anchor="signing-1">
             <name>Signing</name>
             <artwork><![CDATA[
 RSA-FDH-Sign(data, privkey) -> sig
 
 Inputs:
     data    data to be signed, an integer smaller than privkey.N
     privkey RSA private key consisting of modulus N and private exponent d
 
 Output:
     sig     signature on data by privkey
 ]]></artwork>
             <t><tt>sig</tt> is calculated as follows:</t>
             <artwork><![CDATA[
 sig = data ** privkey.d (mod privkey.N)
 ]]></artwork>
           </section>
           <section anchor="unblinding">
             <name>Unblinding</name>
             <artwork><![CDATA[
 RSA-FDH-Unblind(sig, bks, pubkey) -> out
 
 Inputs:
     sig     blind signature
     bks     blinding key secret of length L = 32 octets
     pubkey  RSA public key consisting of modulus N and public exponent e
 
 Output:
     out     unblinded signature
 ]]></artwork>
             <t><tt>out</tt> is calculated as follows:</t>
             <artwork><![CDATA[
 r = RSA-FDH-Derive(bks, pubkey)
 r_inv = inverse of r (mod pubkey.N)
 out = sig * r_inv (mod pubkey.N)
 ]]></artwork>
           </section>
           <section anchor="verifying-1">
             <name>Verifying</name>
             <artwork><![CDATA[
 RSA-FDH-Verify(msg, sig, pubkey) -> out
 
 Inputs:
     msg     message
     sig     signature of pubkey over msg
     pubkey  RSA public key consisting of modulus N and public exponent e
 
 Output:
     out     true, if sig is a valid signature
 ]]></artwork>
             <t><tt>out</tt> is calculated based on RSA-FDH from <xref target="rsa-fdh"/> as follows:</t>
             <artwork><![CDATA[
 data = RSA-FDH(msg, pubkey)
 exp = sig ** pubkey.e (mod pubkey.N)
 out = (data == exp)
 ]]></artwork>
           </section>
         </section>
         <section anchor="clause-schnorr">
           <name>Clause-Schnorr</name>
         </section>
       </section>
     </section>
     <section anchor="datatypes-and-notation">
       <name>Datatypes and Notation</name>
       <section anchor="amounts">
         <name>Amounts</name>
         <t>Amounts are represented in Taler as positive fixed-point values
 consisting of <tt>value</tt> as the non-negative integer part of the base currency,
 the <tt>fraction</tt> given in units of one hundred millionth (1e-8) of the base currency,
 and <tt>currency</tt> as the 3-11 ASCII characters identifying the currency.</t>
         <t>Whenever used in the protocol, the binary representation of an <tt>amount</tt> is
 <tt>uint64(amount.value) | uint32(amount.fraction) | padZero(12, amount.currency)</tt>.</t>
       </section>
       <section anchor="timestamps">
         <name>Timestamps</name>
         <t>Absolute timestamps are represented as <tt>uint64(x)</tt> where <tt>x</tt> corresponds to
 the microseconds since <tt>1970-01-01 00:00 CEST</tt> (the UNIX epoch).
 The special value <tt>0xFFFFFFFFFFFFFFFF</tt> represents "never".
 <!--
 // todo: check if needed and correct
 Relative timestamps are represented as `uint64(x)` where `x` is given in microseconds.
 The special value `0xFFFFFFFFFFFFFFFF` represents "forever".
 -->
         </t>
       </section>
       <section anchor="signatures">
         <name>Signatures</name>
         <t>All messages to be signed in Taler start with a header containing their size and
 a fixed signing context (purpose) as registered by GANA in the
 <eref target="https://gana.gnunet.org/gnunet-signatures/gnunet_signatures.html">GNUnet Signature Purposes</eref>
 registry. Taler-related purposes start at 1000.</t>
         <artwork><![CDATA[
 Gen-Msg(purpose, msg) -> out
 
 Inputs:
     purpose signature purpose as registered at GANA
     msg     message content (excl. header) to be signed
 
 Output:
     out     complete message (incl. header) to be signed
 ]]></artwork>
         <t><tt>out</tt> is formed as follows:</t>
         <artwork><![CDATA[
 out = uint32(len(msg)) | uint32(purpose) | msg
 ]]></artwork>
       </section>
       <section anchor="helper-functions">
         <name>Helper Functions</name>
         <t>There are a certain number of single-argument functions which are often needed,
 and therefore omit the parentheses of the typical function syntax:</t>
         <ul spacing="normal">
           <li>
             <t><tt>Knows data</tt> specifies <tt>data</tt> that is known a priori at the start of the protocol operation</t>
           </li>
           <li>
             <t><tt>Check cond</tt> verifies that the boolean condition or variable <tt>cond</tt> is true,
 or aborts the protocol operation otherwise</t>
           </li>
           <li>
             <t><tt>Persist data</tt> persists the given <tt>data</tt> to the local database</t>
           </li>
           <li>
             <t><tt>data = Lookup by key</tt> retrieves previously persisted <tt>data</tt> by the given <tt>key</tt></t>
           </li>
           <li>
             <t><tt>Sum ⟨dataᵢ⟩</tt> is valid for numerical objects <tt>dataᵢ</tt> including amounts (cf. <xref target="amounts"/>),
 and denotes the numerical sum of these objects</t>
           </li>
         </ul>
         <t>Some more functions that are commonly used throughout <xref target="protocol"/>:</t>
         <artwork><![CDATA[
 Hash-Denom(denom) =
   SHA-512(uint32(0) | uint32(1) | denom.pub)
 
 Hash-Planchet(planchet, denom) =
   SHA-512( SHA-512( denom.pub ) | uint32(0x1) | planchet )
 
 Check-Subtract(value, subtrahend) =
   Check value >= subtrahend
   Persist value -= subtrahend
 ]]></artwork>
       </section>
     </section>
     <section anchor="protocol">
       <name>The Taler Crypto Protocol</name>
       <t>// todo: briefly introduce the three components wallet, exchange, merchant; maybe with ASCII diagram version</t>
       <t>// todo: capitalize wallet, exchange, merchant?</t>
       <section anchor="withdrawal">
         <name>Withdrawal</name>
         <t>The wallet generates <tt>n &gt; 0</tt> coins <tt>⟨coinᵢ⟩</tt> and requests <tt>n</tt> signatures <tt>⟨blind_sigᵢ⟩</tt> from the exchange,
 attributing value to the coins according to <tt>n</tt> chosen denominations <tt>⟨denomᵢ⟩</tt>.
 The total value and withdrawal fee (defined by the exchange per denomination)
 must be smaller or equal to the amount stored in the single reserve used for withdrawal.</t>
         <t>// todo: document TALER_MAX_COINS = 64 per operation (due to CS-encoding)</t>
         <t>// todo: extend with extra roundtrip for CBS</t>
         <artwork><![CDATA[
             wallet                                  exchange
 Knows ⟨denomᵢ⟩                          Knows ⟨denomᵢ.priv⟩
                |                                        |
 +-----------------------------+                         |
 | (W1) reserve key generation |                         |
 +-----------------------------+                         |
                |                                        |
                |----------- (bank transfer) ----------->|
                | (subject: reserve.pub, amount: value)  |
                |                                        |
                |                      +------------------------------+
                |                      | Persist (reserve.pub, value) |
                |                      +------------------------------+
                |                                        |
 +-----------------------------------+                   |
 | (W2) coin generation and blinding |                   |
 +-----------------------------------+                   |
                |                                        |
                |-------------- /withdraw -------------->|
                |    (reserve.pub, planchets, sig)       |
                |                                        |
                |                      +--------------------------------+
                |                      | (E1) coin issuance and signing |
                |                      +--------------------------------+
                |                                        |
                |<---------- (⟨blind_sigᵢ⟩) -------------|
                |                                        |
 +----------------------+                                |
 | (W3) coin unblinding |                                |
 +----------------------+                                |
                |                                        |
 ]]></artwork>
         <t>where (for RSA, without age-restriction)</t>
         <artwork><![CDATA[
 (W1) reserve key generation (wallet)
 
 reserve = Ed25519-Keygen()
 Persist (reserve, value)
 ]]></artwork>
         <t>The wallet derives coins and blinding secrets using a HKDF from a single seed per withdrawal operation,
 together with an integer index.
 This is strictly speaking an implementation detail since the seed is never revealed to any other party,
 and might be chosen to be implemented differently.</t>
         <t>// todo: blind_secret/coin.priv differently generated in TALER_EXCHANGE_post_withdraw_start/prepare_coins, double check with wallet-core (probably implementation detail here)</t>
         <artwork><![CDATA[
 (W2) coin generation and blinding (wallet)
 
 batch_seed = random(256)
 Persist batch_seed
 for i in 0..n:
   coin_seedᵢ = HKDF(uint32(i), batch_seed, "taler-withdrawal-coin-derivation", 64)
   blind_secretᵢ = coin_seedᵢ[32:]
   coinᵢ.priv = coin_seedᵢ[:32]
   coinᵢ.pub = Ed25519-GetPub(coinᵢ.priv)
   h_denomᵢ = Hash-Denom(denomᵢ)
   planchetᵢ = RSA-FDH-Blind(SHA-512(coinᵢ.pub), blind_secretᵢ, denomᵢ.pub)
   h_planchetᵢ = Hash-Planchet(planchetᵢ, denomᵢ)
 planchets = (⟨h_denomᵢ⟩, ⟨planchetᵢ⟩)
 msg = Gen-Msg(WALLET_RESERVE_WITHDRAW,
     ( Sum ⟨denomᵢ.value⟩ | Sum ⟨denomᵢ.fee_withdraw⟩
     | SHA-512( ⟨h_planchetᵢ⟩ ) | uint256(0x0) | uint32(0x0) | uint32(0x0) ))
 sig = Ed25519-Sign(reserve.priv, msg)
 ]]></artwork>
         <artwork><![CDATA[
 (E1) coin issuance and signing (exchange)
 
 (⟨h_denomᵢ⟩, ⟨planchetᵢ⟩) = planchets
 for i in 0..n:
   denomᵢ = Lookup by h_denomᵢ
   Check denomᵢ known and not withdraw-expired
   h_planchetᵢ = Hash-Planchet(planchetᵢ, denomᵢ)
 msg = Gen-Msg(WALLET_RESERVE_WITHDRAW,
     ( Sum ⟨denomᵢ.value⟩ | Sum ⟨denomᵢ.fee_withdraw⟩
     | SHA-512( ⟨h_planchetᵢ⟩ ) | uint256(0x0) | uint32(0x0) | uint32(0x0) ))
 Check Ed25519-Verify(reserve.pub, msg, sig)
 Check reserve KYC status ok or not needed
 total = Sum ⟨denomᵢ.value⟩ + Sum ⟨denomᵢ.fee_withdraw⟩
 Check-Subtract(reserve.balance, total)
 for i in 0..n:
   blind_sigᵢ = RSA-FDH-Sign(planchetᵢ, denomᵢ.priv)
 Persist withdrawal // todo: what exactly? should be checked first for replay?
 ]]></artwork>
         <artwork><![CDATA[
 (W3) coin unblinding (wallet)
 
 for i in 0..n:
   coinᵢ.sig = RSA-FDH-Unblind(blind_sigᵢ, blind_secretᵢ, denomᵢ.pub)
   Check RSA-FDH-Verify(SHA-512(coinᵢ.pub), coinᵢ.sig, denomᵢ.pub)
   coinᵢ.h_denom = h_denomᵢ
   coinᵢ.blind_secret = blind_secretᵢ  // todo: why save blind_secret, if batch_seed already persisted?
 Persist ⟨coinᵢ⟩
 ]]></artwork>
       </section>
       <section anchor="payment">
         <name>Payment</name>
         <t>The wallet obtains <tt>contract</tt> information for an <tt>order</tt> from the merchant
 after claiming it with a <tt>nonce</tt>.
 Payment of the order is prepared by signing (partial) deposit authorizations <tt>⟨depositᵢ⟩</tt> with coins <tt>⟨coinᵢ⟩</tt> of certain denominations <tt>⟨denomᵢ⟩</tt>,
 where the sum of all contributions (<tt>contributionᵢ &lt;= denomᵢ.value</tt>) must match the <tt>contract.price</tt> plus potential deposit fees.
 The payment is complete as soon as the merchant successfully redeems the deposit authorizations at the exchange (cf. <xref target="deposit"/>).</t>
         <artwork><![CDATA[
             wallet                                  merchant
 Knows ⟨coinᵢ⟩                           Knows merchant.priv
                                         Knows exchange, payto
                |                                        |
                |                      +-----------------------+
                |                      | (M1) order generation |
                |                      +-----------------------+
                |                                        |
                |<------- (QR-Code / NFC / URI) ---------|
                |          (order.{id,token?})           |
                |                                        |
 +-----------------------+                               |
 | (W1) nonce generation |                               |
 +-----------------------+                               |
                |                                        |
                |------- /orders/{order.id}/claim ------>|
                |       (nonce.pub, order.token?)        |
                |                                        |
                |                      +--------------------------+
                |                      | (M2) contract generation |
                |                      +--------------------------+
                |                                        |
                |<---- (contract, merchant.pub, sig) ----|
                |                                        |
 +--------------------------+                            |
 | (W2) payment preparation |                            |
 +--------------------------+                            |
                |                                        |
                |------- /orders/{order.id}/pay -------->|
                |             (⟨depositᵢ⟩)               |
                |                                        |
                |                      +--------------------+
                |                      | (M3) deposit check |
                |                      +--------------------+
                |                                        |
                |<--------------- (sig) -----------------|
                |                                        |
 +---------------------------+                           |
 | (W3) payment verification |                           |
 +---------------------------+                           |
                |                                        |
 ]]></artwork>
         <t>where (without age restriction, policy and wallet data hash)</t>
         <artwork><![CDATA[
 (M1) order generation (merchant)
 
 wire_salt = random(128)
 determine id, price, info, token?
 Persist order = (id, price, info, token?, wire_salt)
 ]]></artwork>
         <artwork><![CDATA[
 (W1) nonce generation (wallet)
 
 nonce = Ed25519-Keygen()
 Persist nonce.priv
 ]]></artwork>
         <t>Note that the private key of <tt>nonce</tt> is currently not used anywhere in the protocol.
 However, it could be used in the future to prove ownership of an order transaction,
 enabling use-cases such as "unclaiming" or transferring an order to another person,
 or proving the payment without resorting to the individual coins.</t>
         <artwork><![CDATA[
 (M2) contract generation (merchant)
 
 Check order.token? == token?
 h_wire = HKDF(wire_salt, payto, "merchant-wire-signature", 64)
 determine timestamp, refund_deadline, wire_deadline
 contract = (order.{id,price,info,token?}, exchange, h_wire, timestamp, refund_deadline, wire_deadline)
 contract.nonce = nonce.pub
 Persist contract
 h_contract = SHA-512(canonicalJSON(contract))
 msg = Gen-Msg(MERCHANT_CONTRACT, h_contract)
 sig = Ed25519-Sign(merchant.priv, msg)
 ]]></artwork>
         <artwork><![CDATA[
 (W2) payment preparation (wallet)
 
 h_contract = SHA-512(canonicalJSON(contract))
 msg = Gen-Msg(MERCHANT_CONTRACT, h_contract)
 Check Ed25519-Verify(merchant.pub, msg, sig)
 Check contract.nonce == nonce
 // TODO: double-check extra hash check?
 // todo: maybe get rid of CoinSelection altogether by claiming we already know coinᵢ and contributionᵢ
 ⟨selectionᵢ⟩ = CoinSelection(contract.{exchange,price}) TODO: include MarkDirty here
 for i in 0..n:
   (coinᵢ, denomᵢ, contributionᵢ) = selectionᵢ
   msgᵢ = Gen-Msg(WALLET_COIN_DEPOSIT,
       ( h_contract | uint256(0x0)
       | uint512(0x0) | contract.h_wire | coinᵢ.h_denom
       | contract.timestamp | contract.refund_deadline
       | contributionᵢ + denomᵢ.fee_deposit
       | denomᵢ.fee_deposit | merchant.pub | uint512(0x0) ))
   sigᵢ = Ed25519-Sign(coinᵢ.priv, msgᵢ)
   depositᵢ = (coinᵢ.{pub,sig,h_denom}, contributionᵢ, sigᵢ)
 Persist (contract, ⟨sigᵢ⟩, ⟨depositᵢ⟩)
 ]]></artwork>
         <t>// TODO: explain CoinSelection</t>
         <t>// TODO: maybe introduce symbol for pub/priv</t>
         <artwork><![CDATA[
 (M3) deposit check (merchant)
 
 Check Sum ⟨depositᵢ.contribution⟩ == contract.price
 Check Deposit(⟨depositᵢ⟩)
 msg = Gen-Msg(MERCHANT_PAYMENT_OK, h_contract)
 sig = Ed25519-Sign(merchant.priv, msg)
 ]]></artwork>
         <artwork><![CDATA[
 (W3) payment verification (wallet)
 
 msg = Gen-Msg(MERCHANT_PAYMENT_OK, h_contract)
 Check Ed25519-Verify(merchant.pub, msg, sig)
 ]]></artwork>
       </section>
       <section anchor="deposit">
         <name>Deposit</name>
         <t>// todo: add introductory text</t>
         <t>Deposit could also be used directly by a wallet with its own payto and a minimal contract.</t>
         <artwork><![CDATA[
             merchant                                 exchange
 Knows exchange.pub                      Knows exchange.priv
 Knows merchant.priv                     Knows ⟨denomᵢ⟩
 Knows payto, wire_salt                                  |
 Knows contract, ⟨depositᵢ⟩                              |
                |                                        |
 +--------------------------+                            |
 | (M1) deposit preparation |                            |
 +--------------------------+                            |
                |                                        |
                |----------- /batch-deposit ------------>|
                |    (info, h_contract, ⟨depositᵢ⟩       |
                |           merchant.pub, sig)           |
                |                                        |
                |                      +-------------------------+
                |                      | (E1) deposit validation |
                |                      +-------------------------+
                |                                        |
                |<--- (timestamp, exchange.pub, sig) ----|
                |                                        |
 +---------------------------+                           |
 | (M2) deposit verification |                           |
 +---------------------------+                           |
                |                                        |
 ]]></artwork>
         <t>where (without age restriction, policy and wallet data hash)</t>
         <artwork><![CDATA[
 (M1) Deposit preparation (merchant)
 
 info.time = contract.{timestamp, wire_deadline, refund_deadline}
 info.wire = (payto, wire_salt)
 h_contract = SHA-512(canonicalJSON(contract))
 msg = Gen-Msg(MERCHANT_CONTRACT, h_contract)
 sig = Ed25519-Sign(merchant.priv, msg)
 ]]></artwork>
         <artwork><![CDATA[
 (E1) Deposit validation (exchange)
 
 h_wire = HKDF(info.wire.wire_salt, info.wire.payto, "merchant-wire-signature", 64)
 for i in 0..n:
   coinᵢ = depositᵢ.coin
   denomᵢ = Lookup by coinᵢ.h_denom
   Check denomᵢ known and not deposit-expired
   totalᵢ = depositᵢ.contribution + denomᵢ.fee_deposit
   msgᵢ = Gen-Msg(WALLET_COIN_DEPOSIT,
       ( h_contract | uint256(0x0)
       | uint512(0x0) | h_wire | coinᵢ.h_denom
       | info.time.timestamp | info.time.refund_deadline
       | totalᵢ
       | denomᵢ.fee_deposit | merchant.pub | uint512(0x0) ))
   Check Ed25519-Verify(coinᵢ.pub, msgᵢ, depositᵢ.sig)
   Check RSA-FDH-Verify(SHA-512(coinᵢ.pub), coinᵢ.sig, denomᵢ.pub)
   Check-Subtract(coinᵢ.value, total)
 Persist deposit-record
 schedule bank transfer to payto
 timestamp = now()
 msg = Gen-Msg(EXCHANGE_CONFIRM_DEPOSIT,
     ( h_contract | h_wire | uint512(0x0)
     | timestamp | info.time.wire_deadline
     | info.time.refund_deadline
     | Sum ⟨depositᵢ.contribution⟩
     | SHA-512( ⟨depositᵢ.sig⟩ ) | merchant.pub ))
 sig = Ed25519-Sign(exchange.priv, msg)
 ]]></artwork>
         <artwork><![CDATA[
 (M2) Deposit verification (merchant)
 
 h_wire = HKDF(wire_salt, payto, "merchant-wire-signature", 64)
 msg = Gen-Msg(EXCHANGE_CONFIRM_DEPOSIT,
     ( h_contract | h_wire | uint512(0x0)
     | timestamp | contract.wire_deadline
     | contract.refund_deadline
     | Sum ⟨depositᵢ.contribution⟩
     | SHA-512( ⟨depositᵢ.sig⟩ ) | merchant.pub ))
 Check Ed25519-Verify(exchange.pub, msg, sig)
 ]]></artwork>
       </section>
       <section anchor="refresh">
         <name>Refresh</name>
         <t>The wallet obtains <tt>n</tt> new coins <tt>⟨coinᵢ⟩</tt> of denominations <tt>⟨denomᵢ⟩</tt>
 in exchange for one old <tt>coin</tt> of denomination <tt>denom</tt> from the exchange.
 There are two reasons why a wallet needs to do this:</t>
         <ol spacing="normal" type="1"><li>
             <t>Obtaining unlinkable change after using only a part of the coin's value during a payment (cf. <xref target="payment"/>) or deposit (cf. <xref target="deposit"/>),
 i.e. where <tt>contribution &lt;= denom.value</tt></t>
           </li>
           <li>
             <t>Renewing a coin before it deposit-expires.</t>
           </li>
         </ol>
         <t>The sum of the refresh fee of <tt>denom</tt> and the new denominations' values and withdrawal fees (defined by the exchange)
 must be smaller or equal to the residual value of the old <tt>coin</tt>.</t>
         <t>The private key of each new coin candidate <tt>⟨coinₖᵢ.priv⟩</tt> is transitively derived from the old coin's private key <tt>coin.priv</tt>
 via a 512-bit secret <tt>⟨sharedₖᵢ⟩</tt> according to <tt>Refresh-Derive</tt>.
 The secret is regeneratable with the knowledge of <tt>coin.priv</tt> via the link protocol (cf. <xref target="link"/>).
 The derivation ensures that ownership of coins (knowledge of the private key) is correctly transferred,
 and thereby that value transfer among untrusted parties can only happen via payment and deposit, not via refresh.</t>
         <artwork><![CDATA[
 Refresh-Derive(shared, denom) =
   planchet_seed = HKDF(uint32(i), shared, "taler-coin-derivation", 64)
   blind_secret = HKDF("bks", planchet_seed, "", 32)
   coin.priv = HKDF("coin", planchet_seed, "", 32)
   coin.pub = Ed25519-GetPub(coin.priv)
   planchet = RSA-FDH-Blind(SHA-512(coin.pub), blind_secret, denomᵢ.pub)
   h_planchet = Hash-Planchet(planchet, denomᵢ)
   return (coin, blind_secret, planchet, h_planchet)
 ]]></artwork>
         <t>Taler uses a cut-and-choose protocol with the fixed parameter <tt>κ=3</tt> to enforce correct derivation
 of <tt>⟨sharedₖᵢ⟩</tt> from a single seed per batch of planchets <tt>⟨batch_seedₖ⟩</tt>
 (in (κ-1)/κ of the cases, making income concealment for tax evasion purposes unpractical).</t>
         <t>Refreshing consists of two parts:</t>
         <ol spacing="normal" type="1"><li>
             <t>Melting of the old coin and commiting to κ batches of blinded planchet candidates</t>
           </li>
           <li>
             <t>Revelation of κ-1 secrets <tt>⟨revealed_seedₖ⟩</tt> to prove the proper construction of the (revealed) batches of blinded planchet candidates.</t>
           </li>
         </ol>
         <artwork><![CDATA[
             wallet                                  exchange
 Knows ⟨denomᵢ⟩                          Knows ⟨denomᵢ.priv⟩
 Knows coin                                              |
                |                                        |
 +-------------------+                                   |
 | (W1) coin melting |                                   |
 +-------------------+                                   |
                |                                        |
                |---------------- /melt ---------------->|
                |     (coin.{pub,sig,h_denom}, value,    |
                |      refresh_seed, planchets, sig)     |
                |                                        |
                |                      +---------------------------------------+
                |                      | (E1) gamma selection and coin signing |
                |                      +---------------------------------------+
                |                                        |
                |<------ (ɣ, exchange.pub, sig) ---------|
                |                                        |
 +------------------------+                              |
 | (W2) secret revelation |                              |
 +------------------------+                              |
                |                                        |
                |------------ /reveal-melt ------------->|
                |     (commitment, ⟨revealed_seedₖ⟩)     |
                |                                        |
                |                      +----------------------------+
                |                      | (E2) commitment validation |
                |                      +----------------------------+
                |                                        |
                |<---------- (⟨blind_sigᵢ⟩) -------------|
                |                                        |
 +----------------------+                                |
 | (W3) coin unblinding |                                |
 +----------------------+                                |
                |                                        |
 ]]></artwork>
         <t>where (for RSA, without age-restriction)</t>
         <artwork><![CDATA[
 (W1) coin melting (wallet)
 
 refresh_seed = random(256)
 ⟨batch_seedₖ⟩ = HKDF("refresh-batch-seeds", refresh_seed, coin.priv, k*64)
 for k in 0..κ:
   ⟨transferₖᵢ.priv⟩ = HKDF("refresh-transfer-private-keys", batch_seedₖ, "", n*32)
   for i in 0..n:
     transferₖᵢ.pub = ECDH-GetPub(transferₖᵢ.priv)
     sharedₖᵢ = ECDH-Ed25519-Pub(transferₖᵢ.priv, coin.pub)
     (coinₖᵢ, blind_secretₖᵢ, planchetₖᵢ, h_planchetₖᵢ) = Refresh-Derive(sharedₖᵢ, denomᵢ)
   h_planchetsₖ = SHA-512( ⟨h_planchetₖᵢ⟩ )
 value = coin.denom.fee_refresh + Sum ⟨denomᵢ.value⟩ + Sum ⟨denomᵢ.fee_withdraw⟩
 commitment = SHA-512( refresh_seed | uint256(0x0) | coin.pub | value
                     | SHA-512( ⟨h_planchetsₖ⟩ ) )
 for i in 0..n:
   h_denomᵢ = Hash-Denom(denomᵢ)
 planchets = (⟨h_denomᵢ⟩, ⟨planchetₖᵢ⟩, ⟨transferₖᵢ.pub⟩))
 msg = Gen-Msg(WALLET_COIN_MELT,
     ( commitment | coin.h_denom | uint256(0x0)
     | value | denom.fee_refresh ))
 sig = Ed25519-Sign(coin.priv, msg)
 Persist (coin.denom.pub, ...) // todo: double-check
 ]]></artwork>
         <artwork><![CDATA[
 (E1) gamma selection and coin signing (exchange)
 
 denom = Lookup by coin.h_denom
 Check denom known and not deposit-expired
 Check RSA-FDH-Verify(SHA-512(coin.pub), coin.sig, denom.pub)
 Check coin.pub known and dirty
 (⟨h_denomᵢ⟩, ⟨planchetₖᵢ⟩, ⟨transferₖᵢ.pub⟩)) = planchets
 for i in 0..n:
   denomᵢ = Lookup by h_denomᵢ
   Check denomᵢ known and not withdraw-expired
 value' = coin.denom.fee_refresh + Sum ⟨denomᵢ.value⟩ + Sum ⟨denomᵢ.fee_withdraw⟩
 Check value' == value
 Check-Subtract(coin.value, value)
 for k in 0..κ:
   for i in 0..n:
     h_planchetₖᵢ = Hash-Planchet(planchetₖᵢ, denomᵢ)
   h_planchetsₖ = SHA-512( ⟨h_planchetₖᵢ⟩ )
 commitment = SHA-512( refresh_seed | uint256(0x0) | coin.pub | value
                     | SHA-512( ⟨h_planchetsₖ⟩ ) )
 msg = Gen-Msg(WALLET_COIN_MELT,
     ( commitment | coin.h_denom | uint256(0x0)
     | value | denom.fee_refresh ))
 Check Ed25519-Verify(coin.pub, msg, sig)
 refresh_record = Lookup by commitment
 (ɣ, _, _, done, _) = refresh_record
 if refresh_record not found:
   ɣ = 0..κ at random
   for i in 0..n:
     blind_sigᵢ = RSA-FDH-Sign(planchetᵧᵢ, denomᵧᵢ.priv)
   link_info = (refresh_seed, ⟨transferₖᵢ.pub⟩, ⟨h_denomᵢ⟩, coin_sig)
   Persist refresh_record = (commitment, ɣ, ⟨blind_sigᵢ⟩, h_planchetsᵧ, false, link_info)
 msg = Gen-Msg(EXCHANGE_CONFIRM_MELT,
     ( commitment | uint32(ɣ) ))
 sig = Ed25519-Sign(exchange.priv, msg)
 ]]></artwork>
         <artwork><![CDATA[
 (W2) secret revelation (wallet)
 
 Check exchange.pub known
 msg = Gen-Msg(EXCHANGE_CONFIRM_MELT,
     ( commitment | ɣ ))
 Check Ed25519-Verify(exchange.pub, msg, sig)
 Persist refresh-challenge // what exactly?
 for k in 0..κ and k != ɣ:
   revealed_seedₖ = batch_seedₖ
 ]]></artwork>
         <artwork><![CDATA[
 (E2) commitment validation (exchange)
 
 refresh_record = Lookup by commitment
 (ɣ, ⟨blind_sigᵢ⟩, h_planchetsᵧ, done, _) = refresh_record
 Check not done // todo: sure?
 for k in 0..κ and k != ɣ:
   ⟨transferₖᵢ.priv⟩ = HKDF("refresh-transfer-private-keys", batch_seedₖ, "", n*32)
   for i in 0..n:
     transferₖᵢ.pub = ECDH-GetPub(transferₖᵢ.priv)
     sharedₖᵢ = ECDH-Ed25519-Pub(transferₖᵢ.priv, coin.pub)
     (_, _, _, h_planchetₖᵢ) = Refresh-Derive(sharedₖᵢ, denomᵢ)
   h_planchetsₖ = SHA-512( ⟨h_planchetₖᵢ⟩ )
 value = coin.denom.fee_refresh + Sum ⟨denomᵢ.value⟩ + Sum ⟨denomᵢ.fee_withdraw⟩
 commitment' = SHA-512( refresh_seed | uint256(0x0) | coin.pub | value
                      | SHA-512( ⟨h_planchetsₖ⟩ ) )
 Check commitment == commitment'
 Persist refresh_record = (_, _, _, true, _)
 ]]></artwork>
         <artwork><![CDATA[
 (W3) coin unblinding (wallet)
 
 for i in 0..n:
   coinᵧᵢ.sig = RSA-FDH-Unblind(blind_sigᵧᵢ, blind_secretᵧᵢ, denomᵢ.pub)
   Check RSA-FDH-Verify(SHA-512(coinᵧᵢ.pub), coinᵧᵢ.sig, denomᵢ.pub)
   coinᵧᵢ.h_denom = h_denomᵢ
   Persist ⟨coinᵧᵢ⟩
 ]]></artwork>
         <section anchor="link">
           <name>Link</name>
           <t>// todo: add introductory text</t>
           <artwork><![CDATA[
             wallet                                  exchange
 Knows coin                              Knows refresh_record for coin
                |                                        |
 +----------------------+                                |
 | (W1) history request |                                |
 +----------------------+                                |
                |                                        |
                |------ /coins/{coin.pub}/history ------>|
                |                 (sig)                  |
                |                                        |
                |                      +----------------------------+
                |                      | (E1) refresh secret lookup |
                |                      +----------------------------+
                |                                        |
                |<------------- (melt_info) -------------|
                |                                        |
 +-----------------------+                               |
 | (W2) coin acquisition |                               |
 +-----------------------+                               |
                |                                        |
 ]]></artwork>
           <t>where (for RSA, without age-restriction)</t>
           <artwork><![CDATA[
 (W1) history request (wallet)
 
 msg = Gen-Msg(COIN_HISTORY_REQUEST, uint64(0x0))
 sig = Ed25519-Sign(coin.priv, msg)
 ]]></artwork>
           <artwork><![CDATA[
 (E1) refresh secret lookup (exchange)
 
 refresh_record = Lookup by coin.pub
 (ɣ, ⟨blind_sigᵢ⟩, _, done, link_info) = refresh_record
 if done:
   melt_info = (ɣ, link_info, ⟨blind_sigᵢ⟩)
 else:
   melt_info = (ɣ, link_info)
 ]]></artwork>
           <artwork><![CDATA[
 (W2) coin acquisition (wallet)
 
 (ɣ, link_info, ⟨blind_sigᵢ⟩?) = melt_info
 (refresh_seed, ⟨transferₖᵢ.pub⟩, ⟨h_denomᵢ⟩, coin_sig) = link_info
 
 for i in 0..n:
   denomᵢ = Lookup by h_denomᵢ
 for k in 0..κ:
   for i in 0..n:
     sharedₖᵢ = ECDH-Ed25519-Priv(coin.priv, transferₖᵢ.pub)
     (coinₖᵢ, blind_secretₖᵢ _, h_planchetₖᵢ) = Refresh-Derive(sharedₖᵢ, denomᵢ)
   h_planchetsₖ = SHA-512( ⟨h_planchetₖᵢ⟩ )
 value = coin.denom.fee_refresh + Sum ⟨denomᵢ.value⟩ + Sum ⟨denomᵢ.fee_withdraw⟩
 commitment = SHA-512( refresh_seed | uint256(0x0) | coin.pub | value
                     | SHA-512( ⟨h_planchetsₖ⟩ ) )
 msg = Gen-Msg(WALLET_COIN_MELT,
     ( commitment | coin.h_denom | uint256(0x0)
     | value | denom.fee_refresh ))
 Check Ed25519-Verify(coin.pub, msg, sig)
 
 if ⟨blind_sigᵢ⟩ returned:
   for i in 0..n:
     coinᵧᵢ.sig = RSA-FDH-Unblind(blind_sigᵧᵢ, blind_secretᵧᵢ, denomᵢ.pub)
     Check RSA-FDH-Verify(SHA-512(coinᵧᵢ.pub), coinᵧᵢ.sig, denomᵢ.pub)
     coinᵧᵢ.h_denom = h_denomᵢ
   Persist ⟨coinᵧᵢ⟩
 ]]></artwork>
         </section>
       </section>
       <section anchor="refund">
         <name>Refund</name>
         <t>// todo</t>
       </section>
       <section anchor="recoup">
         <name>Recoup</name>
         <t>// todo</t>
       </section>
       <section anchor="w2w-push">
         <name>Wallet-to-Wallet Push Payment</name>
         <t>// todo</t>
       </section>
       <section anchor="w2w-pull">
         <name>Wallet-to-Wallet Pull Payment</name>
         <t>// todo</t>
       </section>
     </section>
     <section anchor="security-considerations">
       <name>Security Considerations</name>
       <t>[ TBD ]</t>
     </section>
     <section anchor="iana-considerations">
       <name>IANA Considerations</name>
       <t>None.</t>
     </section>
   </middle>
   <back>
     <references anchor="sec-normative-references">
       <name>Normative References</name>
       <reference anchor="RFC20">
         <front>
           <title>ASCII format for network interchange</title>
           <author fullname="V.G. Cerf" initials="V.G." surname="Cerf"/>
           <date month="October" year="1969"/>
         </front>
         <seriesInfo name="STD" value="80"/>
         <seriesInfo name="RFC" value="20"/>
         <seriesInfo name="DOI" value="10.17487/RFC0020"/>
       </reference>
       <reference anchor="RFC2104">
         <front>
           <title>HMAC: Keyed-Hashing for Message Authentication</title>
           <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
           <author fullname="M. Bellare" initials="M." surname="Bellare"/>
           <author fullname="R. Canetti" initials="R." surname="Canetti"/>
           <date month="February" year="1997"/>
           <abstract>
             <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
           </abstract>
         </front>
         <seriesInfo name="RFC" value="2104"/>
         <seriesInfo name="DOI" value="10.17487/RFC2104"/>
       </reference>
       <reference anchor="RFC5869">
         <front>
           <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
           <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
           <author fullname="P. Eronen" initials="P." surname="Eronen"/>
           <date month="May" year="2010"/>
           <abstract>
             <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
           </abstract>
         </front>
         <seriesInfo name="RFC" value="5869"/>
         <seriesInfo name="DOI" value="10.17487/RFC5869"/>
       </reference>
       <reference anchor="RFC6234">
         <front>
           <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>
           <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
           <author fullname="T. Hansen" initials="T." surname="Hansen"/>
           <date month="May" year="2011"/>
           <abstract>
             <t>Federal Information Processing Standard, FIPS</t>
           </abstract>
         </front>
         <seriesInfo name="RFC" value="6234"/>
         <seriesInfo name="DOI" value="10.17487/RFC6234"/>
       </reference>
       <reference anchor="RFC7748">
         <front>
           <title>Elliptic Curves for Security</title>
           <author fullname="A. Langley" initials="A." surname="Langley"/>
           <author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
           <author fullname="S. Turner" initials="S." surname="Turner"/>
           <date month="January" year="2016"/>
           <abstract>
             <t>This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t>
           </abstract>
         </front>
         <seriesInfo name="RFC" value="7748"/>
         <seriesInfo name="DOI" value="10.17487/RFC7748"/>
       </reference>
       <reference anchor="RFC8032">
         <front>
           <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
           <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
           <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
           <date month="January" year="2017"/>
           <abstract>
             <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
           </abstract>
         </front>
         <seriesInfo name="RFC" value="8032"/>
         <seriesInfo name="DOI" value="10.17487/RFC8032"/>
       </reference>
       <reference anchor="HKDF">
         <front>
           <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</title>
           <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
             <organization/>
           </author>
           <date year="2010"/>
         </front>
         <seriesInfo name="Lecture Notes in Computer Science" value="pp. 631-648"/>
         <seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_34"/>
         <seriesInfo name="ISBN" value="[&quot;9783642146220&quot;, &quot;9783642146237&quot;]"/>
         <refcontent>Springer Berlin Heidelberg</refcontent>
       </reference>
       <reference anchor="SHS">
         <front>
           <title>Secure hash standard</title>
           <author>
             <organization/>
           </author>
           <date year="2015"/>
         </front>
         <seriesInfo name="DOI" value="10.6028/nist.fips.180-4"/>
         <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
       </reference>
     </references>
     <?line 1250?>
 
 <section anchor="change-log">
       <name>Change log</name>
     </section>
     <section numbered="false" anchor="acknowledgments">
       <name>Acknowledgments</name>
       <t>[ TBD ]</t>
       <t>This work was supported in part by the German Federal Ministry of
 Education and Research (BMBF) within the project Concrete Contracts.</t>
     </section>
   </back>
   <!-- ##markdown-source:
 H4sIAAAAAAAAA+19y3bbSJbgHl8RJS8MZhKkJDudTnUqc5SS/Oi0ZbcktzPH
 5SFBIESiBQJsAJTEtF2L/ojZ9jlTi5z5gN7Umd2salP/UPUlcx8RgQAIPmTL
 TvdDJ0+aBOJx477vjRtBz/Ocix1xx3GKqIjljtg4HUnx8OiFOPVjmYnnWVqk
 QRpvOGEaJP4YWoSZf1Z4w6ks8mCUXnoFNvQmqqET+IUcptlsR0TJWeo40STb
 EUU2zYvtzc1vNredyzQ7H2bpdIItQjmR8L+kcPIik/64+uxczqB1uOMI4Qma
 hz4F2WxSpMPMn4xm9EAGfj6iTxN/NoaeuePcupDJVO44t4TI5CTdEaOimOQ7
 3e4wKjrDZJrIopNmw26ch5sAWAced7FxDPDnRdkc3jc07zqOPy1GaQaweTCz
 EIycp9F5GvuRePj//i+jh95Bxx1x+uJAHGQyh5WJF0l0IbM8KmYiPROnMhgl
 aZwOZ9TaHwwyeYEddHt6jAiSANgjGY9HaVz8Ag86YmuTXgYw1E6leZCGAM+B
 t7m1ee8b9WSaFEiYhzIb+wlPJsd+FO+IMcPdMWT9b8XUC3m4TigdJ0mhTwFQ
 IzGOH+xvb+oPW5t31cev7t/7Rn28t31HP/3667v31cf7m3e28eOjHw8eAGzP
 Hne2NuG/za+733x937vj3bu77W3dhb7e1707d6HhyaMT0+7e5vb97tHjk9PO
 g8fPTzpb9ze9u8BewGQGMsfxPA/wB5jxg8Jxfv9KnP7wUvz+Nb8YR2EYw1pu
 iceAiDScBkWUJpVmP8hLP5OiGPkF/C/KBbD9FDlKwOe8iOJYIP96UYIcPwQE
 5cJPQjH2Z4DfpPCjRMgsS7O847zIpYBhZuk0E+llIrIoP/8dzn6UFj7P7In+
 hj8INvoC8JwC48GkUsRRITM/RopHyVD0oUVfyAQpGgo/F3sn+48fi1dEhdc4
 hi/eikF1DAAGJTGhiZDJfHEZFSMxwPaxTFy/VZtUJkN4D/APZvgMuuBj/KIB
 8bHvxA//u8xSd9YW9SEqbdviF2jmQXOEukjtSWDsGU+DIw6iInevWv1unx7h
 x8qw4yiJxoCOZDoegEqCztijy2AmMgAa+NkMpwBBB4ogtajfNC6iSSwFPAyi
 HPEQJaCcYIwrnHcK33AZ9fn6sz4A6ueFyKNhEp1FgQ8j4pwaKXqY/lW/ukxk
 BU0owCQoDeQWRgwoMujiDqIhNAkjP2lpIH6mJV+OJHBe/+c+spovJimoB+Bq
 M5laPryU/zyNLkAb4jpTtY6faR04YgZApGN3Zq3KF/wwnomhTIC3CoAvh2EA
 VqmoActjVvpCDIQ7TkNxBCN06UnlUYU0jGLAELFZV8irSZoAYJHhu8VUQLgQ
 YYO2gLGncSqOEAKQZ8BqPzqD/1/4WeQPoLOfIy1IEPu78AL7AYuHEU4DvJFO
 cFUpjonim4oBIy6DWXGxcXSOUi0jMGkz0NtJ9++nceRbqKTVh37hd8DqVFcJ
 kg7Dg67u0ytYAT5NB/8kg4L7EOI3O52k2lFeBfE0RyIC/oeE6So1c3GWpWPo
 2idKJt4WjfS3f/3fOOpf/+1//e1f/0+fBBe4yScNI68KHKcfiV1RnbEPnxmo
 nKGC/oAqIxTMk2M5BuuMaoTHi5JpOkW0Zf6sOjci4jrz+wmPoqUE4VGoixA8
 Rh5oIlCijbCibtwvbXsUgPsRjUkKwKB3u4CjEAw56FqgbjAilLKSlnmQRRNi
 OcBjno4lQjwEvgJuyGGM2M/wjfZSxNk0IeWfC5cYARR6PokyFIsZaPGrFsBS
 B+YROBnige6IDW6Bgdrztr+6J97cykc+fHjnOH/4wx8c9dgd58OW8L4TI/RP
 nMfJZFrskNmFF/gPEAQeAU1AhTF/KA35RHwrtv/HvS2RBoVEd+bZtDCdcTQa
 RHULoyG4LNj7LLpCZucxEN4n4GzsijvbehwEzunjAKRmiI9pZOytFwO8AUQT
 J1Kh6G5nqy2+wv/dw/+h7N3rbGOPV8rUv+6U6Phqa5vRAR8sdMC3D0XH1vZX
 N4OPe3fXxgeuZh4f24iPbcTHHY2Pu0vwQVh1wQkmmxzqxy2DJ4/eVbF1Ewx0
 YxircdBpiSeFvCDNQMuA8g9zbezPogzGND21WpjHbyjPooS105s3inHe7TAy
 CjmewPw2BzkE/a7AV682d+5svWagwK2yPTc2CagSwujszOhaNVJXMbo19yvw
 Nl/jBzbxoHfAsNBcYCGmEkiKOuGpQtkeuP9o6JTp2webr3TCo6d7+0DZ0djX
 FMUnHiLTBR3YFqhDiaqACqAL6S2myyNFl6CieAgGrbHYjVNIrNKpwiAwEzFI
 LgMwgfS15A6/UB6O7oktSbUblkKlTNo6A9cA/SvuWuUjAEOofxVNaxCxfMFr
 Eq/Aj4NpTCJQQ70KJF4rJP8I0B7IDEwzLbmmdDF8QASfh2fvmBdxOhhpQTfh
 Yo+WmOY8G4e2EVks0PuFb/srr1Qg89ohRIMDp/gHfY8KJYCh0oyY5fCKAg7S
 BIdXE/wnL+QEF5lPhyhaapkIx+sdp4//eqpXH+ECK0hMAtwJzAlW+3IUgduj
 G+KQ9XbAwH3hBmcdEBritXetjmI36OTmfly0xeMfn7YpEG+LJ8Ryz358qtgk
 ZxJiOyLhRLlS9IA4Xri+SNLEUyzEPiS/av0ddS7/ojNoWqCBvYjA+4VJOWSS
 5KP6OiwABIPyRZcZAiTsBwBaegy4lMw2sAg4frHDb87SCoDaC0E0+5PS+8wn
 4GCCty5MTJgmNShdcOXRNfTZa1fMyrC1qO0T1bKMVBRv10BDciqNWJvi212x
 /dVXX4De2xX3t+5ttqoi80wteNG4Lkz5RA3dmtO22HtOkM7SOE4vc6Uxnx//
 CDPbHFbyQou1xyNWoFr/urZlbDk4hxkAOc+FIS0uqg9Bxs02FQpsLare0zSE
 yNpH6VO+M0lwRe2TML9rs+o2ug7YbpolJKgIFSl35CoIB1GE4Tu6pUNwEJNl
 4d6RJRgIjXvUFjX5aBaOI03VxYNXhOi3lqI1xOgTyNH1+L1CzCOL5YE7MLJT
 bgaMQzYkhHguGxPj6I9RjmY4huh2oJnM52wXqnk25NEvKCsFwau4QbeAOMYJ
 UwFfopjA/VYcMexXSg7qylS8FRh0b91z1RitNqcz3KNWy6x6lxq5lN44amF8
 XqbhYNovd8WWFhRxBAzyQxwBJU4gzvWB67U3cRiCNtn6BlBCVotswGF4cLJn
 mS5YGgllMM0uJDVHtaB6tp2qrVVuLDr02t5hXg5M7+NETHwI1lC1ZG1lJsMU
 JuwBV/aAZhBEAwDYTQ0+ARWZ6S9BcVWbiwRWp9DYJ2bjrtIQlARDHKgRvIey
 eD4duBOw4SSRk+mg4tXgC/0vrFvPjFxVZTvoKNS/wNiVduyTwItGnwQjycEc
 pjpf1XBVgRpWBAtyCWKCvY3z1gRhGejrQQwd+yStDDxmOt4L+rYD3kUwmk8l
 kddOxgREVJkTAntXqS0XdH3LQUh3RRPJjOK/RXwMo1QRhQ8VgnRkk0fDqs7V
 eNII0PjSeNKRj45dONmD6SEZVjEOz4T6l0VKmx/ddTCjr2w/7HkY4dDvOixy
 r84ihId/BDV3NpvDBD92AZWEijYCWcYEFXwovjD4YP6oo4MRoJe2eP3QvtmH
 hxBUttECYTdKQQJjRKHVG91d7F516lVMF6RjqUO8GEOLYCSDcwrzLBx9PY8j
 0gd7w0xKVBKs9H5q0HlxjBmeQOyjkhMH4JNH0nsk43gMdsM93D941ML1VXVg
 g967V+o93JoAaRgABjKpNKuRuokfZezipwnyV2iW52tgSQVLP8QXyq6TGeg4
 B7SHRbY6wcwudMtULpG5DIZVhESVi3ik6FTr7FrcUYYcKPQYxwDq3uzsANIR
 jndOLmW5YxUN8jSMpmPc0xqk6XknSrughLt+eOEngQy7OXC0n/Wq2dtrjiEV
 I5f4BoC6KuBFania1Z/Dki2tSEI/gnWEa2v2BvX40wK9zyObf5XTNbCdTxZ3
 6KnTP9y2QdSVY90GjCMpST1q11QB0GRYK+xlqdHbpc9NyR1WmWVeM8ppGnAY
 RBD74wl+Ia6wti5H00EHqN79JxlGeVBslZTqDuJ00B2D6Mmsm2eB9YbTCT2U
 ZE23bibPtja7is87wa0nX285jAgEk1dHEN5WxkxhtMzFqNZK6de58eHRi6PD
 097+8c/PT5/1ZBjmfk8G4Wghlygbci0m+WltE/p5Mwn4aGjW99PkQmaF9zwF
 x9FgZt9ImDuhfSKy3WOIRmirm7feIvamwGEe+xNb696tqTvNj9MB0nn1jCXp
 a3xBhLq9jC+uyROEZ8MX1/UEFymExXpjsR8YBGlGyht8i0Vmo8RjHS3frCcR
 sG7ZAzh6Q1n0GDolG2AAm2OB45M978HBI/HmVpb73lk4eqedrelkkoLnDiBb
 uTKEQnVxyceAWWBCQid0rroZNbdK447SiDCI5XZg4JhjzMWRKO3dTXOIlZGH
 VTO9DyhklRowLc1yNo1jD+wl7pdTUg0HAghS4EY1bedIUQj61ClkRFVH9Kwn
 OY3gAUTv3s0nRihy2xUbjJI98eB0kr/83YZDofqujug4jtMgtFplrFd5I1Wg
 B6912/KjdHCduwY6M5xOOxA1KO1QhrtAZbTHuOFPK1YhNiUt0TfHBL0/9NHl
 AN8MguYoiHDnThEHORr82QvtbupMOKiyTFJNi0BuxHS4TFKImnG7VLjDIGzR
 fh7NqYMLApaQvtWp8JFH6VXpDs7zCjvNea3QgNAzQEZGcJBxlKK1dynsrYWP
 w3Lav21iOYSyieUaEtYfxHI/aCxAX8NwlacAPuXqgCa0fwDQbKziIiKCxUWk
 CvSgVbLRU1YCK0nXpAk+P3KaGA4hAsqcpZqKa9BQK1JFQq1NGyhI2yC7okmN
 Oln5okkunKwnMXLG+gmtGLiMwmgXB1cDTaDhF7zjUnu/IJ7Ws1I8jf3aZAc1
 Sediahpa/2sHzG3eA+E0aSUTp8YDkdBWFglHdCwD5eWEVO0MJdcJzwlC0GNq
 wqWReJVSONwu90eEK/BDhVG9GhulL5JBo7Co5y6MuIa46GVQn3Ixn6nYTBMt
 MCWkyzbpqjhezfFRgtmiCL1KThRmzSyPWPtCcPuFPF/LneiZVe5Ep02ur80a
 OO9M45zMAWY5Pi4dVmZbPpkWA0g1PVbpKZfH2cXVWZs8+7EPXop3glWsWYZV
 PAfQrphNJBdHlvWO0HhvjPnvHHxYnz+BD6ufYXKjVq7EGSCswND1cFSh4E0w
 YOFdlNyp0qNPT/vYCd0f3HtJ5NCvFNNR0kWXOAI+MW2UySSYtR0qXTpDWwwg
 91UgCJBME1UBiOmg0TQJMeoZR3EMzUCI3S3p3W8tGJP8Kv3VQHbH29pSxZwB
 xEwwI1YpRFj6bHy4chRwxF6OZCIvOCMW6koFXdPUVoFggpv1Botl/Wci+oxx
 5CeHqgbv3XX5UYe3o5Sve2dbP9ZowDe68HNrG4wGv9agtfqcyTuNQMoKfzyB
 4GNvkKfxFCsyzMM5+gIeNBxWBeRVvZrE4SrQIEtBddIziLQDaLn1zdeb3uYW
 /Cc2N3c2N8X+4clpX7jY/sXR45+EnKTBqNUh/5q2tSA+5k25/ubVg9pfv4Qt
 FxuE6I2O8+3vPK/M0XBSE7fppNQFnwRsUDjHMmYme58Vg4gbTrOX+l6wgy+k
 oPe874gydiS5F8daG+YVZ6CUN4Ae5IP2lHwxkj5WrqryZsWWETSKfpGIAMdX
 VUM5uyhmYxEc1gzEFvgKlp3JYYSpKVRgM/Fw72hPMbDzCgLjBAyigVE85375
 a9dkvvzEt8vw+aNntGWunvTKJ51RMY7BJNG82azDS/MyyVpUwZartUKstLW5
 uaminYcy8Z7mQ72AcreiITtPLSxTop9U1wzj45obdzAIX6DNXKwX7Sh8t5Zs
 bGgjAgHdJJZFuaHhglwsGqFqT3Bnt8nCs6JXWgDrxHHllmIwJH1bbgXgPr+M
 sUTOSj6cEmsj//sikBlVxpcV3Jgqi6XnZ0Ouri8T3Jze8skmA1aUoLEKxSy6
 ROYWEMBycAuKHPqPZF6WrIPhwe3gMgvHJZ07VG7/YwJrJS+xrze6pSpB7Zv6
 gvME6/V99BrTLBIqjmZGUZOYSlJTZoaj75N6QMHtcyQeUSWwGmCQprEEPWwK
 l3EXwJQ497kb7qigb+DgsRHhD9KsyBfMKFJEyGWUS5z7OR4oyQu1tgl/y61k
 pl6kKsVPEUf4CG2VLn4G2j9J0/PpBIWUCnbBVc0i0CY5lj5cYMYhnunRgYHU
 oJWdNKr0xRFPpmNRq2WG5bGjg/Ea8AMgCeGYqwUWyMlT8pmVn6BrnbTb8K6F
 OEK2sEuuyyFzmJyJletibWDLE9ymorLgkuWIQLSbSgkSWB8nXUZZOh2OUCLe
 vNHYN4WJWPACPnCSjl1KqLTELh1Y4RyokpZNS3K28DM17fDmMI3wPPYTMCqF
 O1Ef2qJhuPKDGUBYQ29e0eB6CAGDEyd6J9MBVwCR4QBvmb6DFxHy+MyvbFW+
 27VewzvNT/zWq7xlsRdomthgcKW0OS4G3p1BmFW5PQBOOgP0Rur4jWR5HWWS
 cM8eM6gADEMBEaAOqcgb1K/M8GPxd6r4mywTe05h5A8zfyzoPBX6mKWt9idR
 QZUfS0b8ntTXSxgvzHxoBpBfmi+qupB7m6MTWGkvvhOb6KZEwD5YMo+fNIsj
 S2Z4uALFDwvdS5tEbSkAQ0OlO5D/rs4LMHiOX4DUDabk0jIBlNjylJUMNU4R
 jEApW6k94muq5ccnaiL2JQrwxrUngaCWyxVnQAdXb1YokdYwUQm0PX7LGU+B
 PdDAqLwBSDQsG8ZRsLKkgt5Ms9JdZc2P2U6J+7gkaagLSjA6Fg3N8avTvSeH
 x72nez/19p89PjrhIm4EqdSGbsho2j/x6AwO1yKZocAjkWq5nGwTIN5JCHie
 EAD7P5ywZAvrT5F+5Z/GksP2pYr4xd3mWncwUQFdavVWINxr/r11vvSW/X25
 pOdb4b4ERaJJc16p01kCwofM+f7rrD+wJhTuwE/OwY76SX6GjpD17ruGOV1Q
 bWgfdvTaO1SXwfy7o2r1bhba5nbL8eh9ueYwb43ydisL0lHep4WmAb4VDLOY
 bZhJt1ukB23upINkOsvWBMiHzPn+66w/qM4mulrrieqLJiaFvyo1tbnPVfHQ
 zUPb3G4lHtdnU/dwS5EyyvMpFpYQIXUg+ckhaoBxrue3Fv3ceXPeqpLyQ8ix
 YFmL1anpiUJyR2F2miyVixubs/5gVY+yJ3mTnApx0RIfn+y1yU6j6w1hLcTs
 WFrMmSi20csMlctGG1rqBmWxoq7UdOoKUivHcj9Wmf6Q0ty5drxsNcOJ/FwV
 fvhc1U7OnK/dnFxiqkHa7k3psbSdIh1yaRinWsqtGEzRX6G/BvESnTzH5YPn
 DCGrf06zJWUJiDrlJCHGjlVqjDwtnDvCI9KYMsSMELjqtJfsJzOOHSkPqvKT
 42g4IndO+ZLqEK2eBOutdT1aPLN9NCUAhIwuoomcGLu1deoYU0zkyh3+tP9o
 7+jhYW+S5kVPo6dHQXYXQk0M7HuEdIiI0ilGyJx8I1QxcbwAAzkXQo0BhNCz
 BRhBxjJss8p0lMwz8Itg1CMkVstfNeuUDRzk2gjXhidiMUeDc9ArUAq6iFwF
 axEWi5uubbHBF2iUDOJhZy8055g22nQsQ1QQzePa07y6s73zWk2tPcl6k507
 25UmTYW8dn+cddTTzikupBb1wlNso00RN6puOuvQ1ZoUMVBdi4p69Xuatjpo
 c7Rc6dpyjEnEzQrQzSXsoJnb6GhbHVFZO5iL2xU63/dy78mTw9Pe8eHJ4fE/
 HvZePj59dHC897JNyg2icJXP0KCSykAH/+3cKwilDFNrf/5tGcYTbFVYTECP
 pYGbV5uV+H7uW6ulNjwrpdXGPzAl1mVV1Qpb6+oQBlh/LdTB3Abd8wJg8UyZ
 UCrHNLkH007l3AAiPAGjUefJKzqW/b4M8e+YvIyfWr14xQE0deOqrTZ3P/68
 j8nKYpqL9ByjcsQo51Edjv53F6/1y5VrraWWNEgDH9cLhpSmaM2zhO0oWVqC
 zwQ0kU+pIK1vLRNqbM8lpu7klY/G8XuRg8cQh2zDAEbMLNAZZAQFLErsz763
 5KHJQyrVf6NKR6BY7Oq1Avbi1tBuTLDahnazprTmnR9Hv1SSBYBVZEy/tuGB
 NnVDYuMTfAz/Qlaa0D61ZQ79OJN+aGWBvzc0qqTCzO7Ac76VCbOC/KmaWEsH
 uDuQUwZcHYm1jp4R9XD3ki5QsbJlOoXn+Gd4niqI/WiMNIzMzlU/SYEj+x1H
 A6CPoNNVLBGltCe+2pIyipDOQAEHA7Jp01nwTU/RL5W0Gr2yb+hYkA2EKfX2
 x/LsXFu5wOS6ce4ab8ognFAqkG6r6NvfkXbf7oqqEPdbghJzYyQYX8Sh8YoC
 BfgAvT3FDfWCLmqJzTpB0NV+oyITFR7oPSY8zJyiu5RXsA+wBngFD5bX4b5z
 KOWYWyxAn9oMMXlFldZXrctTzHaMsG4azrCESayVpFjSjVvrzqR26uHMir5l
 YhlQV6S/WQx+jdD7KbgDLAh2ku8Tzd8A0cJAW7j/cOzh/QqiK44e7MP/Xxw/
 tsLsZTC7tMLOmyhsF+m5TL5/17IbfoQM1qpI2aRZSTetl2D98DnrD1Z0WNJT
 E6VLmM27bxjDUfiuSxpY0WVBBgv+XFo4ezDclyljCPObZrCuI0AUS7JmvUkZ
 +hhiBFpWQdq29BySgM8drhCjVXMuW8ryniqdqw0OG+Q15OFD5qw/WHOZ1xMG
 WJFRUYuFgf/cukfRqjf/bUTiOsJwp/SXOE/zSWZugGVZwpap5Rqer/x9JAFY
 yo0mVasFgKtGgtUS8CFzvv867VStlaEVVoYWXKA0joIZby6rJCqWluChC52H
 a3Q+XK2ZoNUlRP09dVBCJd+2tu+3HHP9gwCTLsif1VeTsBkxoQgPvyvcBQ0x
 xazmsLMkjaa5DAv51ZKEsrJu6ELO3UolK7XzWKrKAQr52VRLiclSjNZpW9xP
 ZozqWqVnx3mUXmJSl+4HCXTMaxeFnk2pFo2vvINwLr2EteSjaKJKQRk5tEHK
 FZ5tRyY+Bn1DHMcLfCqNm2IpVi42pomOrjYwn6A3VjOViVajYWJZpZVhMhwT
 z2TgXSaqlFUzueYc4Bp1ak1VDGAUfhGFU7qdBKKpjmaXBabW5hgOqW2PAiuV
 FVOMekhsnYk1hFfuelts6IE8fFfWFarca8l1prYTL1Y8m0KMHEIsDHiTip/0
 V8fAu2t7ocyIxIfKIbWrUhjM9vqztMw0Hc2Zxr0yLKmbABYsoEy2AYiWYMXU
 3588OzJuQqueO3t6eIwJ+9Pe/rOj0+O9/VOE1rRuSkZW4qm5bOQiq1+K2keE
 tjG3VvWL6sm1Op4VonEb5PTZwbMdtUnhsfHjAhM6ZkYPvq9fXznEq4Aiujlg
 Hzj9RMbqnClwpd4UGszKpMalNGkXzJTqzI6+CNVOCTjgTeR6PBX77lZnMYjr
 vDHMR5wJ4RGvhsvvpHjqZ+cHEV5+ippoPiumk1VlaqpdhwczxTY8DlXAchKw
 lpnF2p7eweHzZyePT9vKTLkW5WopVEfbL3yI3KEyqWZ1Suzf1vNkpqNpaSTO
 fliTvWovKwfzpagkS5UfZJo3vcT6WYvf6mug06UmVVoRK3t/pq0w2aKMu3Yg
 UePoVm+QmTF1qFb+bo48bTWPtSdaxgrISnpnuy3m3FSWZyMC8moSY6KrwmvW
 e2b9svovn40HeBkrH93rktFUCn/OnZxX9SZPrSHq2Csjrt8V1dSX6nnAXebd
 7kVa5Pnez08P4d9nP36o1lvk6pVq75ogXEuV6YSsQoB4c0un3az9XD8MDY0K
 vCsYi/kdR/dhf8OP89Q4HWGEByDw/q0Z3jPOPh/lROnIzGXCZpZvGjP3eRvS
 zOf7THJx1V+t7k5/7ehT/3N/9XbIcg3pvyV9q2lb1Vm5EaXXuvLvrepZkbUK
 N67qX3+wek7d84PCdXTdtWj++wzXKQjs0oaGp1diw7Oo+oqjh1L4FpJsKcwN
 6ZePs9rmdovpcM2yLY05Kue/qczXTcf9wrVcaVs7fPzE1+q4H6Mag8X/PHH/
 QYPysK07ihn5Y8Iy328sOlYioLkI6R0PoOI9t66ZW59VFHRo4cMSJLsYoxq6
 mrV1rCC2fLheOLtobxvPz9veVJQsquSY96eXlnOoUa1qDioSaJiydOAWe9Uf
 OXpYGTQYBq1EDeXTRWGDXvMHBwaNPp9VNaDDgraNW3IAb67yoFYFotuqg0aq
 BsScSVP0BzcxzUInB5c+nMZ4TNoq06dsFe2elmjFKPvSrUuhqR0EKXzw+Php
 leg1khty2nhUBTvN9Kvmceo0b6Lu29XBSEOJUJU4ukaoQv3mMq+K+zqnU9Cs
 HDSZFVvJfmBC7BPQw6j+JnIsDdE/JjUaRa/qWMyHW8fyDAzlCO/t4k8L6l+S
 vkjk5eJCkuUFJA7+9pSuqtD3VqYx3jwAw8wNIPr0reH4Wcc6vIv3UGbSz/lo
 rhXeYT0ZHR8PU7q0e8dxtjri2UCfEZ8mQI9zn+t2CSQu0+FiaTpl6VeuYUAg
 b+fqYFo45dyyCZZVlYiuH3qH2wfGeZorIWk7UUd29PH6ilXR9TKqWMbZ7gB5
 AOs8HdWDDfiMcVS3W5iOPi2rcwq6tIspiyfnMJ+vUKoOKxM1K0S7ra6saDh5
 ly88erf6pB3AwFlzxp4uczK0V4DXdh+kH4wMw+F9YyH6H9Jw3t/+5X9aR9LU
 0WTQ1XQPB9CPS+PDkoFwQkVGe6q+KQrvOxeRD2jGGzDxmktVkYYT8q2BPCUf
 o6yccVQipG6dUUcZVfeITtrzrgAxHP9yAzRALySWIf8yigWGQDD4p9bAAJmT
 1YqP8CHVIZ1SFZP5PQmZ5HSIk3ZzKjsqLLFuZbradk+Li6kylSkxWyiVs+1E
 eF+fuTWG0R+nJFH0M4p4oMDnn1TCK+JIkkb+ZCITWpUWGD4YTezbJh8MXyp2
 1Xe6VXCq7m2snD/WZZm6DL5ex667qBr2dQrX9Sgbg/N8o12dAQaCR/gDAuyS
 6hp27oBPVvdYVNJu6tnNKellheoNVerLStQXliPbtchC/ZwBJ2frg5c9ymH1
 aZTyFmTQUNPCA9p6wSjFWyYM7xqe57s4MLIa466V6P/lT7t36Ni/xKLKQGou
 tFjbQfFoEsIFp1kod0KXJpmCezrZbGpEYQgySRCvCPcvf/K2Wt2//Mloetxc
 bON18lSumdDV0fiDhdKP+TYI3GP0r4S88OmnFsxdHdNkQjfSQJyGZYKKgdWd
 I3zfAc5xmZKIKJv0VMb6aiBbSamtkzH+wBgrGYCQVsBXSeh7sgyNjYLM2Whc
 0H0vfLsOLtGcB0JU6OM2NjbK7djyV+UIcJDrQI+Er1zdu7UmQB9QMnnjJ5d1
 WhMwfK2/m07DrDyyJqxiPAJ3rBhlnYk/ZM76gzU6LehZn190cQ1zpS2L6o9Y
 1TVsEakobgm0ypIoJdx0FPUzOIiqqXK9xObQH4/9csdS6Qngjxs/lnpN+Bog
 XlTsJNw//3FhwpP+PkrWcwX/m3I//Vs4pQ5dMfuHzFl/sHKBC3va04ouK2lv
 XuKWiBtaGzRxtHXQYCM+C9G5jrxQYY5e1c3uBXwcySDa/de57bJn/cGqHmXP
 a57btu9D73bRmawfBcab0FGcerhv4DQ4lKLST9sgSb9SRs16Rdo7h2DI75Vd
 cxxJx1LVmHbpeOUIOKoegGEzm+X4+8LFTGBgKKx76/mnACtRCKVTyt/baasf
 +2qLOmjQ1CRXlG9WhgTcqAo3HfGVFz36kdCyaQ5tqw3ZJ+wpR9I07PFB6ZwH
 sMS5ETtIpLKNg8j967/9amIG6/cd5j0r+2h+6T/Uzlc30V3HgKqbx5u3RN2N
 ds0ZMdFeW5x/obc7ztV2x1/+hPsdixmiPpFu5qlQ3sOfhNiwT3DDAByFJl9w
 HDq3uyKaSLxrs4vbAA3nRO2ITPexfzKjoWPbRMI8hFvmcqpBp35W5S07AOUn
 WMDVmCvQHewYt8Z/uwsOxRp+ES2Hsx18VL3DyTncENG5tfkTqdc4rGpxswVK
 hfvmjuWaRMJbdoQbz4ItOu2bK45tiYZ9ttVn6dc/wW4w2G5i5+kAbdqCA9C0
 Ufb08IlJ0FtYUsvXB0obtswUVvT+VYVWzfsVlkTSXoVVaGYoTi5qp9NpCevy
 r7Kicv4nNeg3NU4PH4HWSsIYFDMqmaXqaC3n3t561Wdqq/ueZj/Q2vJcsd+5
 ctPN2nGztttYhnX9qWLKcqYQ6zJXHNZfi0s+7VF+4p7bH0nerRsNb2P9Hwtw
 w2al3qlU177M24gGNT5nhhel/W5IMf6myuvTa46F29r1fTWNAd5Orgmo8Uwo
 BO7Rf2GKhSI9ZPRqXwecsNpoyLNneDMg0vzPf8SfB0WWwHPL7KU088Z6txv8
 arPFr7apx02Hnvq9ELfq0CwS3LaYF32+7oW3+rWanUNXJRBFLM2HQ7YXkAOo
 bXHmx3gTsoFz5SbwQjZRGwh//uOia0wW7m9X9L/yTtVPnXV1p54/iehSIYrM
 O8GOYAPBkcUZ/lzsCLTQyt5WeI+DTGSGVxL0dMJ9uePbmOMovd99dUjAqlYl
 pfneKAU+ve7mdI07wMwidLhRC6ip3KtRU46k2c/F73Zh1h3a1aimMfCCCds7
 Xkw623rzKGsY8YUZB9tyX0NDrMP7i/UHo5xsPm63G98FA8JViPvPFYX0tDL+
 jxle3L5hE72WjdauYekm7Frfbtdl3LIAhhr8QyS991KwNRVpiXAvPV+uIN/n
 7p1f/7rO9Tu/zsW5NbN7nUt4fq1Xw2kYFl3F86tVMFi/jWfukpxf/1q5J+eW
 eILlCG9uUQHC6hMZN7Tlt3qrjtvVmAiJpEpEa3y75t+HJkohmhtFOeFDXbf9
 uSZK6w9UFpouS8y7b7Q+eNfV6+EGq64NwD+3doDgI0Db3O7GdhDoIk9Wxcpl
 itlWf847CEg+lxQducIffe9gzWtl9O2WfvDP0yiPPuNrZa65d1A1TCtSznWt
 sOhsHQWzjx6fnD47/rl3fPgPLw5PTttC/TwP2uq1klnzdnNFCqqZ29f2XllX
 LPZdTbhbRmqNYS82QttquBjdAhzU9Gsav+VICAOX97smThq5tqTZapi+xwUa
 cJybiJ5hQDNlgz+yKiW2VjZpqVONv5lucdr8CtbK7f/Hdbf/KyFmx/Ioz/Ny
 oeoNZbiAAT+OV33TfvVNeNbI8FMIvqkAHz6UzrV6G6Qgw/gWP9TevuS7povU
 40/i+RTIU95pebl96U2mVNS/olscz3WL40o3/LnxaRYVM/xl9jwK1UUnueP8
 /pU4/eFA/P41tnqMP59Wb3EECr3jOOiaDPzgHNvtc+V9nA7x216gC5Tph+NB
 B/MPcslwd4OyexvvKvPQ7eOXaXYOkQVeBkO/Mc53zFDhvipTfyizsZ+IBxJh
 icVTzLAVGVaYO4cQsJSXbB/LXPpZMBLuD09/eNAic19ebYM/wIFrQt6S+IFy
 9XnH+f9L/aigpJ4AAA==
 
 -->
 
 </rfc>