kem-with-encap {
    {field a {str} >0}
        {# sntrup4591761-x25519-hkdf-blake2b}
        {# mceliece6960119-x25519-hkdf-shake256}
    {field cek {bin} >0} {# wrapped CEK}
    {field encap {bin} >0}
    {field to {with fpr} optional} {# recipient's public key}
    {field from {with fpr} optional} {# sender's public key}
}
/kem/*/a equals "mceliece6960119-x25519-hkdf-shake256".
A recipient public key with the mceliece6960119-x25519 algorithm must be used. It should have the "kem" key usage set.
The /kem/*/encap field of the recipient’s map is the concatenation of the 194-byte Classic McEliece 6960-119 ciphertext, containing the ephemeral key, with the 32-byte ephemeral X25519 public key.
The recipient performs the X25519 and Classic McEliece computations to derive/decapsulate two 32-byte shared keys. It then combines them to get the KEK, the key that decrypts the CEK.
H = SHAKE256
PRK = HKDF-Extract(H, salt="", ikm=
    mceliece6960119-shared-key || es-x25519-shared-key ||
    H(mceliece6960119-sender-ciphertext || e-x25519-sender-public-key) ||
    H(mceliece6960119-recipient-public-key || s-x25519-recipient-public-key))
if specified(sender):
    PRK = HKDF-Extract(H, salt=PRK, ikm=
        ss-x25519-shared-key ||
        s-x25519-sender-public-key || s-x25519-recipient-public-key)
KEK = HKDF-Expand(H, prk=PRK,
    info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /salt)
/kem/*/cek is wrapped with the XChaCha20-Poly1305 key wrapping mechanism.
HKDF is a KDF algorithm (RFC 5869). SHAKE is an XOF. The KEM combiner almost fully resembles Chempat.
If the sender’s/recipient’s public key structure contains a /load/v/prehash field, then it can be used as the already calculated values of the SHAKE256 calls in the PRK computation.
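The KEK derivation and the prehash shortcut described above, as an added Python example that is not the project's own code. The page does not state how SHAKE256 is plugged into HMAC, so the 64-byte output length, the 136-byte block size, the 32-byte KEK length and all function and parameter names here are assumptions.

```python
import hashlib

HASH_LEN = 64    # assumption: SHAKE256 output length when used as H
BLOCK_LEN = 136  # assumption: HMAC block size = SHAKE256 rate in bytes
INFO = b"cm/encrypted/mceliece6960119-x25519-hkdf-shake256"

def H(data):
    return hashlib.shake_256(data).digest(HASH_LEN)

def hmac_h(key, msg):
    # HMAC (RFC 2104) written out so the assumed sizes are explicit.
    if len(key) > BLOCK_LEN:
        key = H(key)
    key = key.ljust(BLOCK_LEN, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return H(opad + H(ipad + msg))

def hkdf_extract(salt, ikm):
    return hmac_h(salt, ikm)  # empty salt pads to an all-zero HMAC key

def hkdf_expand(prk, info, length):
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac_h(prk, t + info + bytes([i]))
        okm, i = okm + t, i + 1
    return okm[:length]

def derive_kek(mc_ss, es_ss, mc_ct, e_pub, rcpt_prehash, salt,
               ss_ss=None, s_sender_pub=None, s_rcpt_pub=None, kek_len=32):
    # rcpt_prehash = H(mceliece6960119-recipient-public-key ||
    # s-x25519-recipient-public-key); it depends only on the recipient's
    # key, so it can be computed once (the /load/v/prehash case).
    prk = hkdf_extract(b"", mc_ss + es_ss + H(mc_ct + e_pub) + rcpt_prehash)
    if ss_ss is not None:  # sender specified: bind the static-static secret
        prk = hkdf_extract(prk, ss_ss + s_sender_pub + s_rcpt_pub)
    return hkdf_expand(prk, INFO + salt, kek_len)

if __name__ == "__main__":
    # Constructed sample inputs with the sizes the page gives, not real keys.
    mc_ct, e_pub = bytes(194), bytes([1]) * 32
    pre = H(b"constructed recipient public keys")
    kek = derive_kek(bytes([2]) * 32, bytes([3]) * 32, mc_ct, e_pub, pre, b"salt")
    print(kek.hex())
```

Because the ciphertext and both public keys are hashed into the PRK, changing any of them yields a different KEK and the XChaCha20-Poly1305 unwrap of the CEK fails.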