1735:
40:
836:(also known as "million message attack"). The attack uses the padding as an oracle. PKCS #1 was subsequently updated in the release 2.0 and patches were issued to users wishing to continue using the old version of the standard. However, the vulnerable padding scheme remains in use and has resulted in subsequent attacks:
682:
is used first to produce an intermediary representation of the data, and then the result of the hash is signed. This technique is almost always used with RSA because the amount of data that can be directly signed is proportional to the size of the keys; which is almost always much smaller than the
868:
In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5. Variants of this attack are reported in 2008 and 2014. This class of attack exploits a flawed implementation of the signature verification; a proper implementation would not be vulnerable.
848:
tokens still use the v1.5 padding scheme for RSA. They propose an improved version of
Bleichenbacher's attack that requires fewer messages. As a result of this improvement, they managed to extract the secret key from several models in under an hour. They also show that the AES-CBC scheme is
167:
The current version is 2.2 (2012-10-27). Compared to 2.1 (2002-06-14), which was republished as RFC 3447, version 2.2 updates the list of allowed hashing algorithms to align them with FIPS 180-4, therefore adding SHA-224, SHA-512/224 and SHA-512/256.
560:, or more for multi-prime keys. Although mathematically redundant to the compact form, the additional terms allow for certain computational optimizations when using the key. In particular, the second format allows to derive the public key.
224:
Starting with version 2.1, this definition was generalized to allow for multi-prime keys, where the number of distinct primes may be two or more. When dealing with multi-prime keys, the prime factors are all generally labeled as
596:
By themselves the primitive operations do not necessarily provide any security. The concept of a cryptographic scheme is to define higher level algorithms or uses of the primitives so they achieve certain security goals.
1156:
SICHERHEIT 2008 – Sicherheit, Schutz und Zuverlässigkeit. Beiträge der 4. Jahrestagung des
Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI). Bonn: Gesellschaft für Informatik e. V.. PISSN 1617-5468.
864:
servers are vulnerable to a variation of the attack. TLS 1.2 contains anti-Bleichenbacher countermeasures, but the workarounds are not correctly implemented in many software due to their sheer complexity.
28:
694:
Note: A small change was made to RSAES-OAEP in PKCS #1 version 2.1, causing RSAES-OAEP in PKCS #1 version 2.0 to be totally incompatible with RSA-OAEP in PKCS #1 version 2.1 and version 2.2.
316:
568:
The standard defines several basic primitives. The primitive operations provide the fundamental instructions for turning the raw mathematical formulas into computable algorithms.
556:
1206:
411:
378:
342:
176:
The PKCS #1 standard defines the mathematical definitions and properties that RSA public and private keys must have. The traditional key pair is based on a modulus,
485:
446:
250:
160:. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related
219:
1715:
1545:
1007:
1175:
1383:
572:
I2OSP - Integer to Octet String
Primitive - Converts a (potentially very large) non-negative integer into a sequence of bytes (octet string).
1216:
833:
1252:
1162:
1129:
1068:
983:
617:
639:: old Signature Scheme with Appendix (SSA) as first standardized in version 1.5 of PKCS #1. Unforgeable, according to Jager
878:
1773:
1768:
1376:
123:
104:
76:
1763:
1594:
1525:
1108:
Tetsuya Izu; Masahiko
Takenaka; Takeshi Shimoyama (April 2007). "Analysis on Bleichenbacher's Forgery Attack".
931:. The Second International Conference on Availability, Reliability and Security (ARES'07). pp. 1195–1208.
803:
650:
262:
61:
83:
1369:
773:
161:
1710:
1665:
1468:
768:
1026:
Romain Bardou; Riccardo
Focardi; Yusuke Kawamoto; Lorenzo Simionato; Graham Steel; Joe-Kai Tsay (2012).
90:
1589:
496:
1705:
1245:
1179:
952:
664:: old encoding method for signature appendix (EMSA) as first standardized in version 1.5 of PKCS #1.
575:
OS2IP - Octet String to
Integer Primitive - Interprets a sequence of bytes as a non-negative integer
1695:
1685:
1540:
958:
72:
1690:
1680:
1473:
1433:
1426:
1411:
1406:
157:
57:
50:
670:: improved EMSA, based on the probabilistic signature scheme. Recommended for new applications.
587:
RSAVP1 - RSA Verification
Primitive 1 - Verifies a signature is for a message using a public key
1478:
1421:
1153:
1738:
1584:
1530:
1025:
850:
829:
383:
350:
321:
1700:
1624:
1238:
607:: older Encryption/decryption Scheme (ES) as first standardized in version 1.5 of PKCS #1.
584:
RSASP1 - RSA Signature
Primitive 1 - Creates a signature over a message using a private key
458:
419:
228:
195:
8:
1453:
825:
Multiple attacks were discovered against PKCS #1 v1.5, specifically its padding scheme.
1569:
1553:
1495:
1135:
1110:
The Second
International Conference on Availability, Reliability and Security (ARES'07)
1001:
989:
455:
The RSA private key may have two representations. The first compact form is the tuple
153:
1629:
1619:
1485:
1158:
1125:
979:
653:(PSS) originally invented by Bellare and Rogaway. Recommended for new applications.
97:
1564:
1416:
1196:
1139:
1117:
1050:
993:
971:
932:
747:
736:
725:
714:
149:
1220:
1210:
625:
1200:
1054:
751:
740:
729:
718:
152:. It provides the basic definitions of and recommendations for implementing the
1639:
1559:
1515:
1458:
1443:
954:
904:
899:
1757:
1720:
1675:
1634:
1614:
1505:
1463:
1438:
1107:
679:
621:
936:
1670:
1510:
1500:
1490:
1448:
1392:
763:
Below is a list of cryptography libraries that provide support for PKCS#1:
657:
The two signature schemes make use of separately defined encoding methods:
181:
137:
1154:
Variants of
Bleichenbacher’s Low-Exponent Attack on PKCS#1 RSA Signatures.
1152:
Kühn, Ulrich; Pyshkin, Andrei; Tews, Erik; Weinmann, Ralf-Philipp (2008):
975:
581:
RSADP - RSA Decryption Primitive - Decrypts ciphertext using a private key
1649:
1121:
24:
578:
RSAEP - RSA Encryption Primitive - Encrypts a message using a public key
1609:
1579:
1574:
1535:
1057:– Preventing the Million Message Attack on Cryptographic Message Syntax
923:
788:
1027:
713:
Version 1.5, November 1993. First public publication. Republished as
710:
Version 1.4, June 1991, published for NIST/OSI Implementors' Workshop.
1599:
1165:. pp. 97–109. Regular Research Papers. Saarbrücken. 2.- 4. April 2008
967:
813:
793:
707:
Versions 1.1–1.3, February through March 1991, privately distributed.
39:
1644:
1604:
798:
783:
678:, which means that rather than signing some input data directly, a
491:
is the private exponent. The second form has at least five terms
1342:
1337:
1332:
1327:
1322:
1317:
1085:
922:
Jager, Tibor; Kakvi, Saqib A.; May, Alexander (15 October 2018).
845:
808:
743:. Introduced multi-prime RSA and the RSASSA-PSS signature scheme
1520:
1312:
1307:
1302:
1297:
1292:
1287:
1282:
1277:
1037:
861:
778:
1069:"A bad couple of years for the cryptographic token industry"
1261:
1113:
145:
1087:
1029:
Efficient Padding Oracle Attacks on Cryptographic Hardware
1088:"ROBOT attack: Return Of Bleichenbacher's Oracle Threat"
632:
There are also two schemes for dealing with signatures:
1546:
Cryptographically secure pseudorandom number generator
1203:- PKCS #1: RSA Cryptography Specifications Version 2.2
966:. Lecture Notes in Computer Science. Vol. 1807.
600:
There are two schemes for encryption and decryption:
499:
461:
422:
386:
353:
324:
265:
231:
198:
1357:
1226:
925:
On the Security of the PKCS#1 v1.5 Signature Scheme
64:. Unsourced material may be challenged and removed.
832:published a seminal paper on what became known as
550:
479:
440:
405:
372:
336:
310:
244:
213:
900:"Can I get a public key from an RSA private key?"
1755:
1217:Raising the Standard for RSA Signatures: RSA-PSS
683:amount of data an application may wish to sign.
416:The RSA public key is represented as the tuple
897:
732:. Introduced the RSAEP-OAEP encryption scheme.
674:The signature schemes are actually signatures
1377:
1246:
921:
144:is the first of a family of standards called
1006:: CS1 maint: multiple names: authors list (
724:Version 2.0, September 1998. Republished as
180:, that is the product of two distinct large
1176:"Advanced Threat Research | Intel Security"
1086:Hanno Böck; Juraj Somorovsky; Craig Young.
1073:A Few Thoughts on Cryptographic Engineering
1384:
1370:
1253:
1239:
746:Version 2.2, October 2012. Republished as
917:
915:
311:{\displaystyle n=r_{1}r_{2}\cdots r_{i},}
124:Learn how and when to remove this message
1021:
1019:
1017:
146:Public-Key Cryptography Standards (PKCS)
1207:PKCS #1 v2.2: RSA Cryptography Standard
960:Advances in Cryptology — EUROCRYPT 2000
948:
946:
735:Version 2.1, June 2002. Republished as
1756:
912:
1365:
1234:
1066:
1014:
618:optimal asymmetric encryption padding
19:The correct title of this article is
943:
879:Comparison of cryptography libraries
62:adding citations to reliable sources
33:
844:(2012) find that several models of
628:. Recommended for new applications.
13:
898:Ilmari Karonen (27 October 2017).
758:
701:
14:
1785:
1190:
953:Jean-Sébastien Coron, Marc Joye,
1734:
1733:
1391:
551:{\displaystyle (p,q,dp,dq,qinv)}
38:
1168:
1146:
1067:Green, Matthew (21 June 2012).
860:(2018) report that many modern
49:needs additional citations for
1595:Information-theoretic security
1213: (archived April 10, 2016)
1178:. 1 April 2015. Archived from
1101:
1079:
1060:
1044:
957:, and Pascal Paillier (2000).
891:
688:
651:probabilistic signature scheme
545:
500:
474:
462:
435:
423:
1:
884:
649:: improved SSA; based on the
563:
347:As a notational convenience,
616:: improved ES; based on the
7:
1711:Message authentication code
1666:Cryptographic hash function
1469:Cryptographic hash function
872:
10:
1790:
1774:Digital Signature Standard
1590:Harvest now, decrypt later
1223: (archived 2004-04-04)
849:vulnerable to a different
820:
620:(OAEP) scheme proposed by
591:
18:
1769:Digital signature schemes
1729:
1706:Post-quantum cryptography
1658:
1399:
1361:
1268:
1230:
1696:Quantum key distribution
1686:Authenticated encryption
1541:Random number generation
1260:
452:is the public exponent.
164:syntax representations.
1691:Public-key cryptography
1681:Symmetric-key algorithm
1474:Key derivation function
1434:Cryptographic primitive
1427:Authentication protocol
1412:Outline of cryptography
1407:History of cryptography
937:10.1145/3243734.3243798
834:Bleichenbacher's attack
406:{\displaystyle q=r_{2}}
373:{\displaystyle p=r_{1}}
337:{\displaystyle i\geq 2}
171:
158:public-key cryptography
1764:Cryptography standards
1479:Secure Hash Algorithms
1422:Cryptographic protocol
1116:. pp. 1167–1174.
552:
481:
442:
407:
374:
338:
312:
246:
215:
29:technical restrictions
23:. The omission of the
1585:End-to-end encryption
1531:Cryptojacking malware
976:10.1007/3-540-45539-6
851:padding oracle attack
830:Daniel Bleichenbacher
553:
482:
480:{\displaystyle (n,d)}
443:
441:{\displaystyle (n,e)}
408:
375:
339:
313:
247:
245:{\displaystyle r_{i}}
216:
1701:Quantum cryptography
1625:Trusted timestamping
1122:10.1109/ARES.2007.38
970:. pp. 369–381.
497:
459:
448:, where the integer
420:
384:
351:
322:
263:
229:
214:{\displaystyle n=pq}
196:
58:improve this article
1454:Cryptographic nonce
1570:Subliminal channel
1554:Pseudorandom noise
1496:Key (cryptography)
548:
477:
438:
403:
370:
334:
308:
242:
211:
16:Technical standard
1751:
1750:
1747:
1746:
1630:Key-based routing
1620:Trapdoor function
1486:Digital signature
1355:
1354:
1351:
1350:
1163:978-3-88579-222-2
1131:978-0-7695-2775-8
985:978-3-540-67517-4
637:RSASSA-PKCS1-v1_5
609:Known-vulnerable.
134:
133:
126:
108:
1781:
1737:
1736:
1565:Insecure channel
1417:Classical cipher
1386:
1379:
1372:
1363:
1362:
1359:
1358:
1255:
1248:
1241:
1232:
1231:
1228:
1227:
1184:
1183:
1172:
1166:
1150:
1144:
1143:
1105:
1099:
1098:
1096:
1094:
1083:
1077:
1076:
1064:
1058:
1048:
1042:
1041:
1023:
1012:
1011:
1005:
997:
965:
950:
941:
940:
930:
919:
910:
909:
895:
695:
692:
669:
663:
648:
638:
615:
606:
605:RSAES-PKCS1-v1_5
559:
557:
555:
554:
549:
490:
486:
484:
483:
478:
451:
447:
445:
444:
439:
412:
410:
409:
404:
402:
401:
379:
377:
376:
371:
369:
368:
343:
341:
340:
335:
317:
315:
314:
309:
304:
303:
291:
290:
281:
280:
255:
251:
249:
248:
243:
241:
240:
220:
218:
217:
212:
191:
187:
179:
150:RSA Laboratories
129:
122:
118:
115:
109:
107:
66:
42:
34:
1789:
1788:
1784:
1783:
1782:
1780:
1779:
1778:
1754:
1753:
1752:
1743:
1725:
1654:
1395:
1390:
1356:
1347:
1264:
1259:
1221:Wayback Machine
1211:Wayback Machine
1193:
1188:
1187:
1174:
1173:
1169:
1151:
1147:
1132:
1106:
1102:
1092:
1090:
1084:
1080:
1065:
1061:
1049:
1045:
1024:
1015:
999:
998:
986:
963:
951:
944:
928:
920:
913:
896:
892:
887:
875:
823:
818:
761:
759:Implementations
704:
702:Version history
699:
698:
693:
689:
667:
662:EMSA-PKCS1-v1_5
661:
646:
636:
626:Phillip Rogaway
613:
604:
594:
566:
498:
495:
494:
492:
488:
460:
457:
456:
449:
421:
418:
417:
397:
393:
385:
382:
381:
364:
360:
352:
349:
348:
323:
320:
319:
299:
295:
286:
282:
276:
272:
264:
261:
260:
253:
236:
232:
230:
227:
226:
197:
194:
193:
189:
185:
177:
174:
148:, published by
130:
119:
113:
110:
67:
65:
55:
43:
32:
17:
12:
11:
5:
1787:
1777:
1776:
1771:
1766:
1749:
1748:
1745:
1744:
1742:
1741:
1730:
1727:
1726:
1724:
1723:
1718:
1716:Random numbers
1713:
1708:
1703:
1698:
1693:
1688:
1683:
1678:
1673:
1668:
1662:
1660:
1656:
1655:
1653:
1652:
1647:
1642:
1640:Garlic routing
1637:
1632:
1627:
1622:
1617:
1612:
1607:
1602:
1597:
1592:
1587:
1582:
1577:
1572:
1567:
1562:
1560:Secure channel
1557:
1551:
1550:
1549:
1538:
1533:
1528:
1523:
1518:
1516:Key stretching
1513:
1508:
1503:
1498:
1493:
1488:
1483:
1482:
1481:
1476:
1471:
1461:
1459:Cryptovirology
1456:
1451:
1446:
1444:Cryptocurrency
1441:
1436:
1431:
1430:
1429:
1419:
1414:
1409:
1403:
1401:
1397:
1396:
1389:
1388:
1381:
1374:
1366:
1353:
1352:
1349:
1348:
1346:
1345:
1340:
1335:
1330:
1325:
1320:
1315:
1310:
1305:
1300:
1295:
1290:
1285:
1280:
1275:
1269:
1266:
1265:
1258:
1257:
1250:
1243:
1235:
1225:
1224:
1214:
1204:
1192:
1191:External links
1189:
1186:
1185:
1182:on 2015-04-01.
1167:
1145:
1130:
1100:
1078:
1059:
1043:
1013:
984:
955:David Naccache
942:
911:
905:Stack Exchange
889:
888:
886:
883:
882:
881:
874:
871:
866:
865:
854:
822:
819:
817:
816:
811:
806:
801:
796:
791:
786:
781:
776:
771:
765:
760:
757:
756:
755:
744:
733:
722:
711:
708:
703:
700:
697:
696:
686:
685:
672:
671:
665:
655:
654:
644:
630:
629:
611:
593:
590:
589:
588:
585:
582:
579:
576:
573:
565:
562:
547:
544:
541:
538:
535:
532:
529:
526:
523:
520:
517:
514:
511:
508:
505:
502:
476:
473:
470:
467:
464:
437:
434:
431:
428:
425:
400:
396:
392:
389:
367:
363:
359:
356:
345:
344:
333:
330:
327:
307:
302:
298:
294:
289:
285:
279:
275:
271:
268:
239:
235:
210:
207:
204:
201:
173:
170:
156:algorithm for
132:
131:
46:
44:
37:
15:
9:
6:
4:
3:
2:
1786:
1775:
1772:
1770:
1767:
1765:
1762:
1761:
1759:
1740:
1732:
1731:
1728:
1722:
1721:Steganography
1719:
1717:
1714:
1712:
1709:
1707:
1704:
1702:
1699:
1697:
1694:
1692:
1689:
1687:
1684:
1682:
1679:
1677:
1676:Stream cipher
1674:
1672:
1669:
1667:
1664:
1663:
1661:
1657:
1651:
1648:
1646:
1643:
1641:
1638:
1636:
1635:Onion routing
1633:
1631:
1628:
1626:
1623:
1621:
1618:
1616:
1615:Shared secret
1613:
1611:
1608:
1606:
1603:
1601:
1598:
1596:
1593:
1591:
1588:
1586:
1583:
1581:
1578:
1576:
1573:
1571:
1568:
1566:
1563:
1561:
1558:
1555:
1552:
1547:
1544:
1543:
1542:
1539:
1537:
1534:
1532:
1529:
1527:
1524:
1522:
1519:
1517:
1514:
1512:
1509:
1507:
1506:Key generator
1504:
1502:
1499:
1497:
1494:
1492:
1489:
1487:
1484:
1480:
1477:
1475:
1472:
1470:
1467:
1466:
1465:
1464:Hash function
1462:
1460:
1457:
1455:
1452:
1450:
1447:
1445:
1442:
1440:
1439:Cryptanalysis
1437:
1435:
1432:
1428:
1425:
1424:
1423:
1420:
1418:
1415:
1413:
1410:
1408:
1405:
1404:
1402:
1398:
1394:
1387:
1382:
1380:
1375:
1373:
1368:
1367:
1364:
1360:
1344:
1341:
1339:
1336:
1334:
1331:
1329:
1326:
1324:
1321:
1319:
1316:
1314:
1311:
1309:
1306:
1304:
1301:
1299:
1296:
1294:
1291:
1289:
1286:
1284:
1281:
1279:
1276:
1274:
1271:
1270:
1267:
1263:
1256:
1251:
1249:
1244:
1242:
1237:
1236:
1233:
1229:
1222:
1218:
1215:
1212:
1208:
1205:
1202:
1198:
1195:
1194:
1181:
1177:
1171:
1164:
1160:
1155:
1149:
1141:
1137:
1133:
1127:
1123:
1119:
1115:
1111:
1104:
1089:
1082:
1074:
1070:
1063:
1056:
1052:
1047:
1040:. p. 19.
1039:
1035:
1031:
1030:
1022:
1020:
1018:
1009:
1003:
995:
991:
987:
981:
977:
973:
969:
962:
961:
956:
949:
947:
938:
934:
927:
926:
918:
916:
907:
906:
901:
894:
890:
880:
877:
876:
870:
863:
859:
855:
852:
847:
843:
839:
838:
837:
835:
831:
826:
815:
812:
810:
807:
805:
802:
800:
797:
795:
792:
790:
787:
785:
782:
780:
777:
775:
774:Bouncy Castle
772:
770:
767:
766:
764:
753:
749:
745:
742:
738:
734:
731:
727:
723:
720:
716:
712:
709:
706:
705:
691:
687:
684:
681:
680:hash function
677:
676:with appendix
666:
660:
659:
658:
652:
645:
642:
635:
634:
633:
627:
623:
622:Mihir Bellare
619:
612:
610:
603:
602:
601:
598:
586:
583:
580:
577:
574:
571:
570:
569:
561:
542:
539:
536:
533:
530:
527:
524:
521:
518:
515:
512:
509:
506:
503:
471:
468:
465:
453:
432:
429:
426:
414:
398:
394:
390:
387:
365:
361:
357:
354:
331:
328:
325:
305:
300:
296:
292:
287:
283:
277:
273:
269:
266:
259:
258:
257:
256:, such that:
237:
233:
222:
208:
205:
202:
199:
183:
182:prime numbers
169:
165:
163:
159:
155:
151:
147:
143:
139:
128:
125:
117:
106:
103:
99:
96:
92:
89:
85:
82:
78:
75: –
74:
70:
69:Find sources:
63:
59:
53:
52:
47:This article
45:
41:
36:
35:
30:
26:
22:
1671:Block cipher
1511:Key schedule
1501:Key exchange
1491:Kleptography
1449:Cryptosystem
1393:Cryptography
1272:
1180:the original
1170:
1148:
1109:
1103:
1093:February 27,
1091:. Retrieved
1081:
1072:
1062:
1046:
1033:
1028:
959:
924:
903:
893:
867:
857:
841:
827:
824:
762:
690:
675:
673:
656:
640:
631:
608:
599:
595:
567:
454:
415:
346:
223:
192:, such that
175:
166:
141:
138:cryptography
135:
120:
111:
101:
94:
87:
80:
68:
56:Please help
51:verification
48:
20:
1659:Mathematics
1650:Mix network
1758:Categories
1610:Ciphertext
1580:Decryption
1575:Encryption
1536:Ransomware
1036:(report).
885:References
647:RSASSA-PSS
614:RSAES-OAEP
564:Primitives
114:March 2019
84:newspapers
27:is due to
1600:Plaintext
1002:cite book
968:EUROCRYPT
828:In 1998,
814:wolfCrypt
794:Libgcrypt
329:≥
293:⋯
252:for some
1739:Category
1645:Kademlia
1605:Codetext
1548:(CSPRNG)
1526:Machines
1343:PKCS #15
1338:PKCS #14
1333:PKCS #13
1328:PKCS #12
1323:PKCS #11
1318:PKCS #10
873:See also
799:mbed TLS
789:Crypto++
784:cryptlib
668:EMSA-PSS
487:, where
73:"PKCS 1"
1400:General
1313:PKCS #9
1308:PKCS #8
1303:PKCS #7
1298:PKCS #6
1293:PKCS #5
1288:PKCS #4
1283:PKCS #3
1278:PKCS #2
1273:PKCS #1
1219:at the
1209:at the
1140:2459509
1034:Rr-7944
994:8447520
846:PKCS 11
840:Bardou
821:Attacks
809:OpenSSL
643:(2018).
592:Schemes
558:
493:
142:PKCS #1
98:scholar
21:PKCS #1
1521:Keygen
1199:
1161:
1138:
1128:
1053:
992:
982:
858:et al.
842:et al.
804:Nettle
750:
739:
728:
717:
641:et al.
100:
93:
86:
79:
71:
1556:(PRN)
1136:S2CID
1038:INRIA
990:S2CID
964:(PDF)
929:(PDF)
862:HTTPS
856:Böck
779:BSAFE
769:Botan
162:ASN.1
105:JSTOR
91:books
1262:PKCS
1201:8017
1159:ISBN
1126:ISBN
1114:IEEE
1095:2018
1055:3218
1008:link
980:ISBN
752:8017
741:3447
730:2437
719:2313
624:and
380:and
318:for
188:and
172:Keys
77:news
1197:RFC
1118:doi
1051:RFC
972:doi
933:doi
748:RFC
737:RFC
726:RFC
715:RFC
154:RSA
136:In
60:by
1760::
1134:.
1124:.
1112:.
1071:.
1032:.
1016:^
1004:}}
1000:{{
988:.
978:.
945:^
914:^
902:.
413:.
221:.
184:,
140:,
1385:e
1378:t
1371:v
1254:e
1247:t
1240:v
1142:.
1120::
1097:.
1075:.
1010:)
996:.
974::
939:.
935::
908:.
853:.
754:.
721:.
546:)
543:v
540:n
537:i
534:q
531:,
528:q
525:d
522:,
519:p
516:d
513:,
510:q
507:,
504:p
501:(
489:d
475:)
472:d
469:,
466:n
463:(
450:e
436:)
433:e
430:,
427:n
424:(
399:2
395:r
391:=
388:q
366:1
362:r
358:=
355:p
332:2
326:i
306:,
301:i
297:r
288:2
284:r
278:1
274:r
270:=
267:n
254:i
238:i
234:r
209:q
206:p
203:=
200:n
190:q
186:p
178:n
127:)
121:(
116:)
112:(
102:·
95:·
88:·
81:·
54:.
31:.
25:#
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.