Re: [lamps] Whether to hash-then-sign with Dilithium and Falcon?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 17 August 2022 18:42 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8D23C1522D9; Wed, 17 Aug 2022 11:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n8AnTwVR0gpg; Wed, 17 Aug 2022 11:42:42 -0700 (PDT)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D70EC14CE37; Wed, 17 Aug 2022 11:42:36 -0700 (PDT)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 27HEnoDP029156; Wed, 17 Aug 2022 13:42:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=7zF6J3cUwkjtIs/Wn5hOCLDrk3qA5FBoQdSgL1YZa5s=; b=CSehrksgRDHVjI/NbCscklzIe3g/laFKY35UVtC0lz7RBrR6u0nS5zrWykTS7zxJ0dsv VWFTbwYUWTwlN0kAsoNqO/3x43OolojBMRba86DKDvE1YbS0FtL6bM1UYzCdGYhqZ+y6 nyLjrDL0vLcI8LYeEmf6HGT6THer/1KkWT3aRX0xzNmr3cWvSmEOfvTI57jswXGh2aNG hgew4ziP+8vqwLYboRkLbwhHNQTMujwb4wLwN2iYmUzrmMtOLGZZwFaIFbDYi8GwfC3x dAgn+XKEA1vxfsnArdVysWZZv4mT7LOP7GJ3ucMs/XM3Wa+/CVfMiA9CGrHrdHCbPeyX YQ==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2171.outbound.protection.outlook.com [104.47.56.171]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3hyv2my1xb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 17 Aug 2022 13:42:31 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IjLHLHUrSFim08bp6o9+8mqmSVFHP7XBTnjJTxkgIB29Zt+GLe+rlFESwPi0Kw9T8UWNuQL7kwodFx+akFhRnt453MjV9FfOunE7WkEVlHUuOtqQ2ySrjCZHyFXg3ICL2/MFxStL520kpoUuAPZ2oc4DaSEq2YB45CV3/rHfJy6taH5PhstNIIvbdKW+NO3H99R9kHfB5lTnGoj3dYntnqPHT+WmjGeCyj4VherFufgjYTp4I9dSWVNtdVredun7Y5zKa2QOKdemFRVj9ouJg7kBpVnHp5AKG0lwtygF3iAhsKDwMUSd+0c4dFwqBEcjX0sqZlglp/cfWvOrBSC6HQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7zF6J3cUwkjtIs/Wn5hOCLDrk3qA5FBoQdSgL1YZa5s=; b=cnsrzBDtv1KE+FzVS2LSaxbH7qbQv8UIsR+DITqVclhyoN4xwB6eCUKyqCTWh0HQ8PAI/nOTMEwGpnxtMLPFxBt1R5rUXh65RJDn9mezLkk/R7gUfm+prd5q1YJ76tYlNqDcVXjaytIGOaE0XJPnvq9nWDjDQynsBSfK1QD2o8nADRzyAcVE7GfGLGaLApfi6esE62lsaE7eMiXy+R8q8LbgtGb2VXKPHnnV4o+8s4plodLzdabIV4CaCCnQdIgJGtS9KruYY9kDAZ226F7InF7KapK/hAZbSBCRuLZ3TlncX4BR7JIA+xv3qXLuZZgdnH9a1wch3x5ou/v5dI09Gg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by IA1PR11MB6267.namprd11.prod.outlook.com (2603:10b6:208:3e5::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5525.11; Wed, 17 Aug 2022 18:42:26 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::ed02:6e67:98f7:f33d]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::ed02:6e67:98f7:f33d%8]) with mapi id 15.20.5525.010; Wed, 17 Aug 2022 18:42:26 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: 'LAMPS' <spasm@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, pqc-forum <pqc-forum@list.nist.gov>, "jakemas@amazon.com" <jakemas@amazon.com>, "kpanos@amazon.com" <kpanos@amazon.com>, "sean@ssn3rd.com" <sean@ssn3rd.com>, "bas@westerbaan.name" <bas@westerbaan.name>
Thread-Topic: Whether to hash-then-sign with Dilithium and Falcon?
Thread-Index: AdiyWmrrCCvkDLBiTn2DcOMWvaOQ/gADXTvw
Date: Wed, 17 Aug 2022 18:42:26 +0000
Message-ID: <CH0PR11MB5739557425DD3FDE5812D8479F6A9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CH0PR11MB5739393F19DD5282E3D7EF549F6A9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739393F19DD5282E3D7EF549F6A9@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 116d9205-c9be-4daf-df61-08da80803b0f
x-ms-traffictypediagnostic: IA1PR11MB6267:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LikhueVmoHUV3EeuoRUI5TwsF1h2hsYf6BoJou4GbKqEZURKa1Uu8JbagBbFJIzrYDvqzVB0Yp90UVcd5hyF5dxviGWuz09gRt4c/deJrsO3mtUyFcD9VH0VZH+Fbwog5K8CpmQlvBBTmy2vcNGg2tFaNaOo84Bhmc6BnOCWcN+HuKJOjZs2Jbtt6hvr96bR4OV+/Ug0qsIYipG9jZi1f8FlejyWnw7VWFtD6lHMM7FJyv6tOqwK6iMFmD2RxgAvMQVp7BjCIJTH4D+AXJmb61O9g1CmFdL+FqcXd81sywxi9O2owzH5epwr+yC0UIhAMaVVBu/2Al9l3zDudYneRT4wc00DkKDKqUoXfjjrglxqx/E+t8M7P5Q0Z2au5jMqra+7xchI1KxQEdKVTKf0vdvg21LsL4wkrdlN9zj9quxQmqaH3ioccChhA40Zt7kNXjps5oZZiQkcxLa8s0xaPbX+cDFNbekrCewyLD/PGOfS7aWtMK+1Px/3X5TT+qq6zH3zbzf1lVcsCZ8CYHP+rmFkW4kOoT/h+6WYmG0q1J8M+aRLyGnQGroXL4DUVXD3c1+N26KPslYj/XNH1D1wjiXY2L+DfvYVrGPJo17M9G5SPapnxlq9yZ0CbMJbh+K8UDu10N2DNb131JIuqj2ARpfnWDLzWJwQfaw2NHxKYWuP9RhcBQy2if1E6QjjbjwjOGfq391hvaZKAcqnPCXZ/C08vUEbcVDiRPO3TckvTPtoGpkOqy8uk7GWoErEhVH5Hy+df/2Z/toQVhVrq/ua+1UCi46iFAPuozdZXwLBgEc=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(39860400002)(396003)(366004)(376002)(136003)(346002)(66556008)(186003)(66476007)(38100700002)(53546011)(5660300002)(66446008)(316002)(66946007)(76116006)(64756008)(55016003)(52536014)(8676002)(8936002)(2906002)(122000001)(33656002)(966005)(41300700001)(9686003)(7696005)(71200400001)(86362001)(38070700005)(478600001)(6506007)(83380400001)(45080400002)(110136005)(2940100002)(26005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uuMcIRXTNOe6g3yML818aTTFaCXnv2ZodAsVAZutonH4dvogo6eGrXOarezYWIGEMmHohYztWTvugLSStaWsxuUNc4TozA2xtsFIzhH4mfWCEsNKBUrV12WTbU64goUPPMlfsaAUd2myg2qAebwl/tR/1WfgdG9XISAGKpIyhQvSDVuIWZ7Di+jSEookx9/JTqu42orx9knkB+7lpuoXsS2zByeU4MaZaSMmRrKbFnW8LRaF6DK04n1FAN8vXd4owKI5VYHGlNB4h0u9azmV4mMD5rUmwtF9SUaLVFbuMDTDnUjGjlIjIdMu/hDQFrxJ686+oAC7LraiL85m/YnxFzd+XuFF5qocbUcC53AHxSLtzrsQPofz877vLBM+fdgztX4wNrfdpoAa3Tq/T9QbplrKhZMWmZaKueyHYaejHTiQ1UCx85QOntLs70dbndSEbSTq+V7JGkALGI/uTBi2rnv2GfWF1Z2IR4+a0BpH70qky9g2KnvYMs1QzlbNWclZ+J3T+kZin6GwwBMl7pcEGNq/TLKmgP2RvYz5cPLb9J7okbfBeOXYnbQe4fGhR8cgBPrGCj/Z0jEmttQpDmGGUJ+U0RIUzLLpXsq4EXh66Kjg3f1V1Z4cbnuzuXLdI3eAs5bwkm6F1HKclp8yCz96OFbbbYYkiFc0dY8bfRxW5FH/pVoS5UEWuF9Q+QDBWiSK7jaWq0BtHTX1SEEQUrPga5MTRRu2n/XlE+uVdFQj+LBdg192va9jIP2ZCgv4F5sYKI1GiooOz1QnV1qaCW1oJBvRA709cgKcIeY6fYDlSaHGbgbK1G1ZaO6bquWrXy7EmTjuMRKVpDlgF/kzA7/EUzrYMOmt1/0891FG+F+wElCWUQiAb47UXQd3UUGZRg7zQYjJig3wqxCe5rs5nX2Amfn13h/KLEKMC+vbdiyHCMy1IAcr24M/9yP68pjekD8YqrW2mrx9O/+8NVy8S0TwBzhgrTt+E8gDCv239JLn6zDcVe4fnq2m+XP3OzAfGVzDjxJ8xyDAiHsHNX6S8NHKcOeVvHeW1q7qnSYaRQneqLG297ljsXyfGs9S04otvRBkTBX1IZP81rnDwmxM/kck5DUJk/ETOhi9h8zQ9P2M/chHXknWEH8mTBHDtMRSPMnnsl1W5Q4dcV4RKCjn6ooAOdYnu8YFGT42VfCCjC6o3js2LO7qK39lWfPK4k1yz6lyA7T4SaqMvF4lFiGiuTFTCpA3HeYf/VWSjnxPQN/K2Y6PTRODLLEg0bQHCDeQORxp5/ES95X9UKznOxrBKlT/rwbAVcb50rbyyX0uqrQxEisebt7ZSbf7AcFzfPjyJs12O5fAjL6ozyX8TyonQx2v7tMgi45a90ODzKi4TwwBigNNwb86h8BlfKsesRIcdnax5+JBsGhndY8q1xV6ZQ2lWjtQMnEceAsYv4VIPjr1YOvY4ihyB0ZDloWZw+lry0pFZLrnW2mSBV03e9yJcSD9ZOPoZenRvU3L8hZzJF8yDb6snlWdmPO5VlekymXej3nO0Uv/F3aD0YZz0QZ1pyEGNwCxvfzXU0Ywgt5wiY+X4SLaTFt1D+qqDmMCnYTkvhQC6hxlTcwxMhof/LSrpJP6QA==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 116d9205-c9be-4daf-df61-08da80803b0f
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2022 18:42:26.1099 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 01IrthVh8930Mu+wSeb+FTKibIE33n2O0qQM3XT8RcogExhQY2tn1WP9SumbExpbOUgOk9JkOkRgxUFDW4iVzmg3aBAsfesfbZ2LYkCCFig=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB6267
X-Proofpoint-ORIG-GUID: JDjv2zu1qZnYrEYj0j7G1IfOm9zo6f5E
X-Proofpoint-GUID: JDjv2zu1qZnYrEYj0j7G1IfOm9zo6f5E
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-17_13,2022-08-16_02,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 phishscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 spamscore=0 priorityscore=1501 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208170070
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lvMndtJA6I3l1l_5bgNmf_2F0FU>
Subject: Re: [lamps] Whether to hash-then-sign with Dilithium and Falcon?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2022 18:42:45 -0000

I want to break out and expand our third point as it is actually a question to NIST and not to the IETF authors.


> Third, I can imagine that some applications (like TLS) will want to use non-pre-hashed versions of Dilithium and Falcon, but other applications (like code-signing) would prefer pre-hashed versions. These are not interoperable with each other. Is NIST planning to produce algorithm definitions, OIDs, Codepoints, etc, for both versions?

Expanding on the code-signing example: the messages to be signed can be very large; consider a several GB firmware image. Assuming our understanding below is correct, a direct-sign algorithm would require the entire thing to be streamed to a network HSM for signing and to a TPM for verification. Conversely code-signing environments often include counter-signatures from Time Stamping Authorities which protect against future discovery of collision attacks against the hash function -- as an example, Windows still accepts RSA-SHA1 signatures produced before SHA1 was deprecated. I can imagine that the code-signing community will decide that the performance gains of hash-then-sign outweigh the security loss. 

So, will NIST standardize both direct-sign and some variant of hash-then-sign for PQC signature primitives?

---
Mike Ounsworth

-----Original Message-----
From: 'Mike Ounsworth' via pqc-forum <pqc-forum@list.nist.gov> 
Sent: August 17, 2022 12:27 PM
To: 'LAMPS' <spasm@ietf.org>; cfrg@irtf.org; pqc-forum <pqc-forum@list.nist.gov>; jakemas@amazon.com; kpanos@amazon.com; sean@ssn3rd.com; bas@westerbaan.name
Subject: [EXTERNAL] [pqc-forum] Whether to hash-then-sign with Dilithium and Falcon?

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Hi Jake, Panos, Sean, Bas,


We notice that your IETF draft-massimo-lamps-pq-sig-certificates-00 has the following security consideration:

> Within the hash-then-sign paradigm, hash functions are used as a 
> domain restrictor over the message to be signed. By pre-hashing, the 
> onus of resistance to existential forgeries becomes heavily reliant on 
> the collision-resistance of the hash function in use. As well as this security goal, the hash-then-sign paradigm also has the ability to improve performance by reducing the size of signed messages. As a corollary, hashing remains mandatory even for short messages and assigns a further computational requirement onto the verifier. This makes the performance of hash-then-sign schemes more consistent, but not necessarily more efficient.
> Dilithium diverges from the hash-then-sign paradigm by hashing the message during the signing procedure (at the point in which the challenge polynomial).
> However, due to the fact that Dilithium signatures may require the 
> signing procedure to be repeated several times for a signature to be produced, Dilithium implementations can make use of pre-hashing the message to prevent rehashing with each attempt.


First, quoting from the Dilithium NIST Round 3 submission documents:

> Since our signing procedure may need to be repeated several times 
> until a signature is produced, we also append a counter in order to 
> make the SHAKE-256 output differ with each signing attempt of the same message.

So it seems like the Dilithium designers explicitly want the hash to differ across repeated attempts.



Second, we had a similar discussion within the context of composite signatures when figuring out how to combine Dilithium and Falcon with ECDSA and RSA. We came out with a different conclusion; that hash-then-sign reduces the security properties of Dilithium and Falcon down to the collision resistance of the hash function used to pre-hash.

We would like community opinion on this.


Here's the Security Consideration text that we're working on:




In the hash-then-sign paradigm, the message to be signed is hashed externally to the signature primitive, and then the hash value is signed.

The hash-then-sign paradigm is required, for example, with RSA signatures in order to sign messages larger than the RSA modulus. Hash-then-sign also gives performance and bandwidth benefits, for example, when the signature is performed by a networked cryptographic appliance since you only need to send a small hash value rather than streaming the entire message.

With Dilithium and Falcon signatures it is not recommended to pre-hash for the following reasons:


The Dilithium construction includes

~~~
Sign(sk,M):
10: mu \in {0, 1}^384 := CRH(tr || M)
~~~

where `CRH` is any collision-resistant hash function and `tr` is a component of the secret key. This provides strong security against pre-computed collision attacks since an attacker has no a-priori knowledge of `r` and provides per-key hash-domain separation of the message to be signed.


The Falcon construction includes

~~~
Sign (m, sk, beta^2):
1: r <- {0, 1}^320 uniformly
2: c <- HashToPoint(r || m, q, n)
~~~

where `HashToPoint` is a SHAKE-256-based construct. This provides strong security against pre-computed collision attacks since an attacker has no a-priori knowledge of `r` and provides per-signature hash-domain separation of the message to be signed.

If the message to be signed is pre-hashed, for example `m0 = SHA256(m)` and then m0 provided to Dilithium or Falcon to sign, then you have re-introduced the collision problem since two messages m1 and m2 where SHA256(m1) == SHA256(m2) hash value will result a single Falcon or Dilithium signature value which is simultaneously valid for both m1 and m2. This removes the extra collision resistance built in to the Dilithium and Falcon primitives and reduces it to the collision resistance strength of the underlying hash function. For this reason it is in general not recommended to pre-hash when using Dilithium or Falcon except in cases where the implementor is comfortable with this reduction in security.

Therefore, for the purpose of interoperability of composite signatures, implementations MUST NOT pre-hash messages for Dilithium and Falcon. If pre-hashed versions of these signatures are desired, then separate signature algorithms will need to be defined.






Third, I can imagine that some applications (like TLS) will want to use non-pre-hashed versions of Dilithium and Falcon, but other applications (like code-signing) would prefer pre-hashed versions. These are not interoperable with each other. Is NIST planning to produce algorithm definitions, OIDs, Codepoints, etc, for both versions?


---
Mike Ounsworth
Software Security Architect, Entrust

John Gray
Sr Prin Software Developer, Entrust
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+unsubscribe@list.nist.gov.
To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CH0PR11MB5739393F19DD5282E3D7EF549F6A9*40CH0PR11MB5739.namprd11.prod.outlook.com__;JQ!!FJ-Y8qCqXTj2!cQPnK1SOIs1r8xM1OYWVawbIa-o1FJJaQBpP6v4DaGtIq7GF7FJZwl4KqY3locbLDLUiMJJ0TDa7D8fgscKx8lKgHPb5$  .