cm/kem/mceliece6960119-x25519-hkdf-shake256

Classic McEliece 6960-119+X25519+HKDF-SHAKE256 KEM.
[schemas/kem-with-encap.tcl]
"/kem/*/a" equals to "mceliece6960119-x25519-hkdf-shake256".
Recipient public key with [cm/pub/mceliece6960119-x25519]
algorithm must be used. It should have "kem" key usage set.

Recipient's map "/kem/*/encap" field is a concatenation of
194 bytes of Classic McEliece 6960-119 ciphertext, containing
ephemeral key, with 32 bytes of ephemeral X25519 public key.

Recipient performs X25519 and Classic McEliece computations to
derive/decapsulate two 32-byte shared keys. Then it combines
them to get the KEK decryption key of the CEK.

    H = SHAKE256
    PRK = HKDF-Extract(H, salt="", ikm=
        mceliece6960119-shared-key || es-x25519-shared-key ||
        H(mceliece6960119-sender-ciphertext || e-x25519-sender-public-key) ||
        H(mceliece6960119-recipient-public-key || s-x25519-recipient-public-key))
    if specified(sender):
        PRK = HKDF-Extract(H, salt=PRK, ikm=
            ss-x25519-shared-key ||
            s-x25519-sender-public-key ||
            s-x25519-recipient-public-key)
    KEK = HKDF-Expand(H, prk=PRK,
        info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)

"/kem/*/cek" is wrapped with [cm/keywrap/xchapoly] mechanism.

=> RFC 5869, HKDF
=> SHAKE XOF function
KEM combiner nearly fully resembles:
=> Chempat

If sender/recipient's public key structure contains
"/load/v/prehash" field, then it could be used as already
calculated values of SHAKE256 calls of PRK.