kem-with-encap {
    {field a {str} >0}
        {# sntrup4591761-x25519-hkdf-blake2b}
        {# mceliece6960119-x25519-hkdf-shake256}
    {field cek {bin} >0} {# wrapped CEK}
    {field encap {bin} >0}
    {field to {with fpr} optional} {# recipient's public key}
    {field from {with fpr} optional} {# sender's public key}
}
/kem/*/a
Equals "sntrup4591761-x25519-hkdf-blake2b".
The recipient's public key must use the sntrup4591761-x25519 algorithm. It should have the "kem" key usage set.
The /kem/*/encap field of the recipient's map is the concatenation of the 1047-byte Streamlined NTRU Prime 4591^761 ciphertext, containing the ephemeral key, with the 32-byte ephemeral X25519 public key.
The recipient performs the X25519 and SNTRUP computations to derive/decapsulate two 32-byte shared keys, then combines them to get the KEK, the key that decrypts the CEK.
H = BLAKE2b
PRK = HKDF-Extract(H, salt="", ikm=
    sntrup4591761-shared-key || es-x25519-shared-key ||
    H(sntrup4591761-sender-ciphertext || e-x25519-sender-public-key) ||
    H(sntrup4591761-recipient-public-key || s-x25519-recipient-public-key))
if specified(sender):
    PRK = HKDF-Extract(H, salt=PRK, ikm=
        ss-x25519-shared-key ||
        s-x25519-sender-public-key || s-x25519-recipient-public-key)
KEK = HKDF-Expand(H, prk=PRK,
    info="cm/encrypted/sntrup4591761-x25519-hkdf-blake2b" || /id)
/kem/*/cek
Is wrapped with the XChaCha20-Poly1305 key wrapping mechanism.
The KEM combiner almost fully resembles Chempat.
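The KEK derivation above, written out as an added Python sketch (not code from this specification or its implementation). It assumes BLAKE2b with its default 64-byte digest, HKDF built on HMAC as in RFC 5869, a 32-byte KEK, and /id passed as raw bytes; the function names and the sample inputs are constructed for illustration, and the SNTRUP/X25519 shared keys are taken as already computed.

```python
import hashlib
import hmac

ALGO = b"sntrup4591761-x25519-hkdf-blake2b"
SNTRUP_CT_LEN, X25519_PUB_LEN = 1047, 32  # sizes stated on this page

def H(data: bytes) -> bytes:
    # Assumption: BLAKE2b with its default 64-byte digest.
    return hashlib.blake2b(data).digest()

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: an empty salt is replaced by HashLen zero bytes.
    salt = salt or bytes(hashlib.blake2b().digest_size)
    return hmac.new(salt, ikm, hashlib.blake2b).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.blake2b).digest()
        okm += block
        counter += 1
    return okm[:length]

def split_encap(encap: bytes) -> tuple[bytes, bytes]:
    # /kem/*/encap = SNTRUP ciphertext || ephemeral X25519 public key.
    # Reject any other length before touching key material.
    if len(encap) != SNTRUP_CT_LEN + X25519_PUB_LEN:
        raise ValueError("encap must be exactly 1047 + 32 bytes")
    return encap[:SNTRUP_CT_LEN], encap[SNTRUP_CT_LEN:]

def derive_kek(sntrup_ss, es_x25519_ss, encap, rcpt_sntrup_pub, rcpt_x25519_pub,
               cm_id, sender=None, kek_len=32):
    # sender, when specified, is (ss_x25519_shared_key, sender_x25519_pub).
    # kek_len=32 is an assumption (the XChaCha20-Poly1305 key size).
    ct, e_pub = split_encap(encap)
    prk = hkdf_extract(b"", sntrup_ss + es_x25519_ss
                       + H(ct + e_pub) + H(rcpt_sntrup_pub + rcpt_x25519_pub))
    if sender is not None:
        ss_x25519_ss, sender_x25519_pub = sender
        prk = hkdf_extract(prk, ss_x25519_ss + sender_x25519_pub + rcpt_x25519_pub)
    return hkdf_expand(prk, b"cm/encrypted/" + ALGO + cm_id, kek_len)

def sample_kek(encap=bytes(1047) + bytes(32), sender=None):
    # Constructed placeholder inputs of arbitrary content, not real key material.
    return derive_kek(b"\x01" * 32, b"\x02" * 32, encap,
                      b"\x03" * 64, b"\x04" * 32, b"\x05" * 16, sender)
```

Because the ciphertext and public keys are hashed into the extract step, altering a single byte of encap yields a different KEK, so unwrapping /kem/*/cek fails instead of silently accepting a substituted encapsulation.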