Balloon-BLAKE2b + HKDF KEM.
=> Balloon
=> RFC 7693, BLAKE2b
=> RFC 5869, HKDF

    balloon-cost {
        {field . {map}}
        {field s {int} >0} {# space cost}
        {field t {int} >0} {# time cost}
        {field p {int} >0} {# parallel cost}
    }
    
    kem-balloon-blake2b-hkdf {
        {field . {map}}
        {field a {str} =balloon-blake2b-hkdf}
        {field cek {bin} >0} {# wrapped CEK}
        {field salt {bin} >0}
        {field cost {with balloon-cost}}
    }

    H = BLAKE2b
    KEK = HKDF-Expand(H,
        prk=Balloon(H, passphrase, /kem/salt, s, t, p),
        info="cm/encrypted/balloon-blake2b-hkdf" || /id)

"/kem/*/cek" is wrapped with [cm/keywrap/xchapoly] mechanism.