Internet DRAFT - draft-harkins-cfrg-dnhpke

draft-harkins-cfrg-dnhpke







Network Working Group                                         D. Harkins
Internet-Draft                                Hewlett-Packard Enterprise
Intended status: Informational                             9 August 2022
Expires: 10 February 2023


         Deterministic Nonce-less Hybrid Public Key Encryption
                      draft-harkins-cfrg-dnhpke-02

Abstract

   This document describes enhancements to the Hybrid Public Key
   Encryption standard published by CFRG.  These include use of "compact
   representation" of relevant public keys, support for key-wrapping,
   and two ways to address the use of HPKE on lossy networks: a
   determinstic, nonce-less AEAD scheme, and use of a rolling sequence
   number with existing AEAD schemes.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 10 February 2023.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.






Harkins                 Expires 10 February 2023                [Page 1]

Internet-Draft                   DNHPKE                      August 2022


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Compact Representation  . . . . . . . . . . . . . . . . .   3
     1.2.  Addressing Lossy Networks . . . . . . . . . . . . . . . .   4
       1.2.1.  Rolling Sequence Window . . . . . . . . . . . . . . .   4
       1.2.2.  Deterministic Authenticated Encryption  . . . . . . .   5
     1.3.  Key Wrapping  . . . . . . . . . . . . . . . . . . . . . .   6
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   6
   3.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  Modifying HPKE  . . . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  Adding Compact Representation . . . . . . . . . . . . . .   7
       4.1.1.  SerializePublicKey and DeserializePublicKey . . . . .   7
       4.1.2.  SerializePrivateKey and DeserializePrivateKey . . . .   8
     4.2.  Adding A Rolling Window . . . . . . . . . . . . . . . . .   8
     4.3.  Adding DAE  . . . . . . . . . . . . . . . . . . . . . . .  10
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  11
   8.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  11
     8.1.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-256-SIV  . .  11
       8.1.1.  Base Setup Information  . . . . . . . . . . . . . . .  11
       8.1.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  12
     8.2.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-256-SIV  . .  14
       8.2.1.  Auth Setup Information  . . . . . . . . . . . . . . .  14
       8.2.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  15
     8.3.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-512-SIV  . .  16
       8.3.1.  Base Setup Information  . . . . . . . . . . . . . . .  16
       8.3.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  17
     8.4.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-512-SIV  . .  19
       8.4.1.  Auth Setup Information  . . . . . . . . . . . . . . .  19
       8.4.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  20
     8.5.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA512, AES-512-SIV  . .  21
       8.5.1.  Auth PSK Setup Information  . . . . . . . . . . . . .  21
       8.5.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  22
     8.6.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-256-SIV  . .  23
       8.6.1.  Base Setup Information  . . . . . . . . . . . . . . .  23
       8.6.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  24
     8.7.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-256-SIV  . .  26
       8.7.1.  PSK Setup Information . . . . . . . . . . . . . . . .  26
       8.7.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  27
     8.8.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-256-SIV  . .  28
       8.8.1.  Auth Setup Information  . . . . . . . . . . . . . . .  28
       8.8.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  30
     8.9.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-512-SIV  . .  31
       8.9.1.  Base Setup Information  . . . . . . . . . . . . . . .  31
       8.9.2.  Encryption  . . . . . . . . . . . . . . . . . . . . .  32
     8.10. DHKEM(CP-521, HKDF-SHA521), HKDF-SHA512, AES-512-SIV  . .  33



Harkins                 Expires 10 February 2023                [Page 2]

Internet-Draft                   DNHPKE                      August 2022


       8.10.1.  Auth PSK Setup Information . . . . . . . . . . . . .  33
       8.10.2.  Encryption . . . . . . . . . . . . . . . . . . . . .  35
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  36
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  36
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  36
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  37

1.  Introduction

   [RFC9180], hereinafter simply HPKE, is a robust, provably-secure
   construct.  It defines APIs to ensure proper use to retain its
   security guarantees.  These APIs are therefore rigid and purposeful.
   Unfortunately, there are applications for which this rigidity is an
   impediment to use: networks with bandwidth constrained mediums,
   networks which cannot guarantee in-order delivery of every packet
   sent, and for key-wrapping applications.

   This memo proposes three modifications to HPKE to make it more
   suitable for different use cases.

1.1.  Compact Representation

   HPKE generates an ephemeral keypair and uses it to perform a Diffie-
   Hellman with the static keypair of the proposed recipient of a secure
   message.  The ephemeral public key is required to accompany the
   message, or at least the first of a stateful sequence of messages.
   HPKE therefore defines a serialization and deserialization for public
   keys used with defined KEMs.

   HPKE defines KEMs that use three Weierstrass curves defined in
   [NISTCurves].  The serialization and deserialization for public keys
   in these KEMs use the uncompressed form of an elliptic curve from
   [SECG].  Unfortunately, this results in the string that accompanies
   the message to be over twice as long as it needs to be.  This can be
   an issue for applications that have constrained bandwidth or that use
   the HPKE APIs in a stateless, "single shot" mode where the message
   being sent is dwarfed by the size of the serialized public key.

   [RFC6090] defines a notion of "compact output" and "compact
   representation" for elliptic curves.  Compact output means that the
   output of the ECDH operation is the x-coordinate of the resulting
   point, the y-coordinate is discarded.  Compact representation is a
   way of communicating an elliptic curve Diffie-Hellman public key
   using the x-coordinate only.  Compact representation will work if
   compact output is employed-- the sign of the ECDH secret is
   irrelevant so it doesn't matter what the sign of the peer's public
   key is.




Harkins                 Expires 10 February 2023                [Page 3]

Internet-Draft                   DNHPKE                      August 2022


   HPKE uses compact output, it passes the x-coordinate of the ECDH
   secret key to HKDF to derive a key to pass to the AEAD cipher.  Since
   HPKE uses compact output, it can define serialization and
   deserialization that uses compact representation and thereby address
   use cases in which message size is important.  Redefining the
   serialization and deserialization, though, requires definition of new
   KEMs that will use the new technique.

1.2.  Addressing Lossy Networks

   To prevent the possibility of misuse, management of AEAD counters are
   entirely constrained to the HPKE context.  The sender and receiver
   have no ability to know what particular counter was used with a
   particular invocation or to manage how counters are used.

   This restriction is not an issue for an applications that use HPKE
   which have a guarantee of in-order packet delivery, where sender and
   receiver HPKE contexts are kept in sync.  But not everyone has a
   guarantee of in-order delivery of packets and this restriction makes
   use of HPKE impracticle by a great many use cases.  Any undetected
   packet loss or reordering would result in the sender and receiver
   HPKE contexts getting out of sync.  Since HPKE provides no way to
   resynchronize such a situation, the result would be tragic.

   Therefore, two techiques are added to allow HPKE to be used in lossy
   networks or networks that reorder packets: a rolling window of
   received sequence numbers, and a determinstic mode of AEAD.

1.2.1.  Rolling Sequence Window

   The technique from [RFC2401] can be adopted which implements a
   rolling window that represents received messages (inside the window).
   As the sequence number advances, and a message is successfully opened
   thus validating the sequence number, the window advances to include
   it.  The result is that reorder and loss is acceptable for a number
   of messages defined by the size of the window and messages deemed
   "too old" are dropped.  Messages replayed with a used sequence number
   are also dropped.

   To implement such a scheme, the receiver needs to know the counter
   used with the AEAD algorithm.  Therefore, the sequence number used to
   construct the counter in HPKE (it is XOR'd with a secret base nonce)
   is pre-peneded to the ciphertext.








Harkins                 Expires 10 February 2023                [Page 4]

Internet-Draft                   DNHPKE                      August 2022


1.2.2.  Deterministic Authenticated Encryption

   [SIV] defines a provably secure mode of deterministic authenticated
   encryption (DAE).  In this mode, a counter is optional.  If one is
   used and it is guaranteed to be unique, SIV achieves the same level
   of IND-CCA2 security offered by other HPKE ciphers.  But if the nonce
   is reused or, in the case proposed here, the nonce is not used, SIV
   will provide a different security guarantee, that of deterministic
   security.

   Determinsitic authenticity in a DAE scheme provides the traditional
   inability of an adversary to come up with a non-trivial query that
   will return a non-FAIL response-- i.e. a valid forgery-- with non-
   negligible probability.  Deterministic privacy in a DAE scheme
   provides for the typical indistinguishability from random guarantee
   of a traditional AEAD scheme, with a caveat: it cannot achieve the
   indistinguishability goal that requires concealment of whether or not
   a given plaintext was encrypted twice in a sequence of ciphertexts.

   What this means is that the security of a DAE scheme is the same as a
   traditional AE scheme with the exception that encrypting the same AAD
   and the same plaintext twice will result in the same ciphertext, an
   outcome an adversary would notice.  Unlike other AEAD schemes, after
   this misuse the privacy and authenticity guarantees remain, albeit
   with this consideration to traffic analysis.  This is a reasonable
   price to pay for the ability to use the HPKE APIs as more than a
   "single shot".

   DAE can achieve the equivalent of semantic security if the message
   space is random enough.  This is the justification for the security
   of key wrap schemes (see Section 1.3) in which (a portion of) the
   plaintext is a random key.

   SIV takes a vector of AAD.  When a unique sequence number can be
   managed it can be part of that vector.  It should be noted,
   therefore, that it is trivial for an application that has control of
   the AAD to add a nonce as a component of the AAD vector to ensure
   unique AAD per invocation of the HPKE API and achieve the IND-CCA2
   notion of security.

   Alternately, for some situations-- e.g. when the message protected by
   HPKE is idempotent-- DAE security can be acceptable.

   See Section 6.







Harkins                 Expires 10 February 2023                [Page 5]

Internet-Draft                   DNHPKE                      August 2022


1.3.  Key Wrapping

   Key wrapping schemes utilize a symmetric encryption algorithm to
   provide privacy and integrity to cryptographic keying material.
   Additionally, such schemes should provide integrity protection of
   cleartext associated data which contains control information about
   the wrapped key.  Due to the symmetric nature of the algorithm, it is
   assumed both sides possess a shared secret whose establishment is
   problematic.  Therefore HPKE is naturally an attractive option to use
   to wrap a cryptographic key to a receipent's public key.

   Since the data being wrapped is, in effect, random, a probabalistic
   input like a nonce is not needed, hence the deterministic nature of
   proposed key-wrapping schemes (see [X9102] and [RFC5649]).  [SIV] is
   superior to those schemes in a number of ways:

   *  it accepts associated data;

   *  it is more efficient;

   *  it accepts natural data lengths without requiring padding; and,

   *  it has a security proof.

   Thus, making it well-suited for key wrapping use cases with HPKE.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here

3.  Notation

   This document re-uses the notation from HPKE and adds the following:

   *  "or(a,b)": logical OR of byte strings; "or(0x9876, 0x1234) =
      0x9cf6".  It is an error to call this function with two arguments
      of unequal length.

   *  "and(a,b)": logical AND of byte strings; "and(0x1234, 0x5678) =
      0x1230".  It is an error to call this function with two arguments
      of unequal length.

   *  "a | b": concatenation of byte strings "a" and "b".  The length of
      the resulting string is the sum of the lengths of "a" and "b".  If



Harkins                 Expires 10 February 2023                [Page 6]

Internet-Draft                   DNHPKE                      August 2022


      this symbol is on the left side of an equation it represents
      distinct data, represented by "a" and "b", as the result of the
      equation.

4.  Modifying HPKE

4.1.  Adding Compact Representation

   New DHKEMs are defined for the three NIST curves, P-256, P-384, and
   P-521.  Being "compact", they are denoted here CP-256, CP-384, and
   CP-521 but are, for the purposes of cryptography, otherwise
   identical.

   All KEM modes defined in HPKE are supported for these KEMs, including
   Auth and AuthPSK.

   +-------+---------------+---------+----+---+---+----+---------------+
   | Value | KEM           | Nsecret |Nenc|Npk|Nsk|Auth| Reference     |
   +=======+===============+=========+====+===+===+====+===============+
   | TBD1  | DHKEM(CP-256, | 32      | 32 |32 |32 |yes | [NISTCurves], |
   |       | HKDF-SHA256)  |         |    |   |   |    | [RFC6090]     |
   +-------+---------------+---------+----+---+---+----+---------------+
   | TBD2  | DHKEM(CP-384, | 48      | 48 |48 |48 |yes | [NISTCurves], |
   |       | HKDF-SHA384)  |         |    |   |   |    | [RFC6090]     |
   +-------+---------------+---------+----+---+---+----+---------------+
   | TBD3  | DHKEM(CP-521, | 64      | 66 |66 |66 |yes | [NISTCurves], |
   |       | HKDF-SHA512)  |         |    |   |   |    | [RFC6090]     |
   +-------+---------------+---------+----+---+---+----+---------------+

                              Table 1: KEM IDs

   These KEMs use the KDFs defined in HPKE and therefore are bound by
   the input length restrictions of the KDF used (see 7.2.1 of HPKE).

   The security properties of these KEMs satisfy the security
   requirements of a KEM used in HPKE (see section 9.2 of HPKE).

4.1.1.  SerializePublicKey and DeserializePublicKey

   For CP-256, CP-384 and CP-521, the "SerializePublicKey()" function of
   the KEM performs the Integer-to-Octet-String conversion of the
   x-coordinate of the public key only, according to [RFC6090].
   "DeserializePublicKey()" performs the Octet-String-to-Integer
   conversion of [RFC6090] to produce the x-coordinate of a the
   resulting point.  Since all of these curves have a prime p = 3 mod 4,
   the y-coordindate can be computed using the equation of the curve and
   Shanks' method of computing the square root modulo p:




Harkins                 Expires 10 February 2023                [Page 7]

Internet-Draft                   DNHPKE                      August 2022


           y = ((x^3 + a*x + b)^((p + 1)/4)) mod p

   for a, b, and p defined for the curve in [NISTCurves].  There will be
   two distinct solutions for y that will differ only in sign but either
   one is acceptable to produce a Diffie-Hellman shared secret that is
   used in compact output.

   These deserialized public keys MUST be validated before they can be
   used.  See HPKE for specifics.

4.1.2.  SerializePrivateKey and DeserializePrivateKey

   As with HPKE, CP-256, CP-384, and CP-521 private keys are field
   elements in the scalar field of the curve being used.  Serialization
   of the private key uses the Integer-to-OctetString function from
   [RFC6090] and deserialization uses the OctetString-to-Integer
   function from [RFC6090].  If the private key is an integer outside
   the range "[0, order-1]", where "order" for each curve is defined in
   [NISTCurves], the private key MUST be reduced, modulo the order, to
   "[0, order-1]" before being serialized.

   To catch invalid keys early on, implementers of DHKEMs SHOULD check
   that deserialized private keys are not equivalent to 0 (mod "order"),
   where "order" is the order of the curve.

4.2.  Adding A Rolling Window

   A rolling receiver replay window is added by overloading the way a
   context encrypts and decrypts messages-- ContextS.Seal() and
   ContextR.Open().  The calling parameters remain the same but the
   internals change and, for ContextS.Seal(), the output differs.

   The replay window is implemented as a bitmask check for a window
   whose size is implementation-specific.  For illustration purposes
   only it is described here as being of size 32, meaning it can
   tolerate loss and reorder of the previous 31 messages.  The following
   pseudo-code has separate routines for a quick check of a received
   sequence number and an update to the window for sequence numbers that
   have been validated.

   The context encryption API template is the same as that in HPKE
   except it prepends the sequence number, used to construct the counter
   for the AEAD operation, to the data returned from Seal().  Therefore
   the single "ct" output is, in fact, a concatenation of the four octet
   sequence number and the returned ciphertext.

   The context decryption API template is changed to extract the
   sequence number from the input ciphertext, and check whether the



Harkins                 Expires 10 February 2023                [Page 8]

Internet-Draft                   DNHPKE                      August 2022


   received sequence number is conditionally good.  If it is and the
   message is successfully opened, the window is updated with the
   received sequence number.

   Details are as follows:

   windowSize = 32

   def CheckSeq(num):
     if num > self.seq
         return Good
     diff = self.seq - num
     if diff > windowSize
         return Bad
     if and(self.window, (1 << diff)) == 0
         return Good
     else
         return Bad

   def UpdateWindow(num)
     if num > self.seq
         diff = num - self.seq
         if diff < windowSize
             self.window <<= diff
             self.window = or(self.window, 1)
         else
             self.window = 1
         self.seq = num
     else
         diff = self.seq - num
         self.window = or(self.window, (1 << diff))
     return

   def ContextS.DSeal(aad, pt):
     num = self.ComputeNonce(self.seq)
     ct = num | Seal(self.key, num, aad, pt)
     return ct

   def ContextR.DOpen(aad, m):
     num | ct = m
     if CheckSeq(num) == Bad
         raise OpenReplay
     pt = Open(self.key, num, aad, ct)
     if pt == OpenError
         raise OpenError
     else
         UpdateWindow(num)
     return pt



Harkins                 Expires 10 February 2023                [Page 9]

Internet-Draft                   DNHPKE                      August 2022


   The window is added to the Encryption Context as well as a single
   datum to indicate whether the rolling receiver replay window is used
   (1) or not (0).  When the replay window is used,
   "Context<ROLE>.DOpen()" and "Context<ROLE>.DSeal()" are used, when it
   is not the encryption and decryption operations from HPKE are used.

4.3.  Adding DAE

   AES-SIV, defined in [RFC5297] uses a "double-wide" key.  A single
   large key is passed to AES-SIV which divides the key into two, one
   for encipherment and the other for authenticity.  Since these cipher
   modes are being added in their determinsitic, nonce-less varient the
   nonce derived for these ciphers is zero (0).

   Unlike other AEAD schemes, AES-SIV takes a vector of AAD.  The number
   of components of that vector is up to the application using AES-SIV
   in HPKE.

               +-------+-------------+----+----+-----------+
               | Value | AEAD        | Nk | Nn | Reference |
               +=======+=============+====+====+===========+
               | TBD4  | AES-256-SIV | 32 | 0  | [RFC5297] |
               +-------+-------------+----+----+-----------+
               | TBD5  | AES-512-SIV | 64 | 0  | [RFC5297] |
               +-------+-------------+----+----+-----------+

                             Table 2: AEAD IDs

5.  IANA Considerations

   IANA is instructed to please update the "Hybrid Public Key
   Encryption" repositories:

   - assign values for TBD1, TBD2, and TBD3 from the HPKE KEM
     Identifiers repository; and,
   - assign values for TBD4, and TBD5 from the HPKE AEAD Identifiers
     repository.

   Please replace the TBD placeholders above with the assigned values.

6.  Security Considerations

   Since HPKE uses Diffie-Hellman in "compact output", the sign of the
   public keys is irrelevant.  Discarding that which has no impact on
   the result, i.e. doing "compact representation", does not present a
   security issue.

   See [SIV] for a formal security proof.



Harkins                 Expires 10 February 2023               [Page 10]

Internet-Draft                   DNHPKE                      August 2022


   Uses of the DAE ciphers in HPKE can achieve the same level of
   security as the non-DAE ciphers if the calling application guarantees
   unique AAD per invocation or if the calling application can guarantee
   a random message space.

   This opens up the possibility of misuse where an application
   inadvertently makes a non-unique invocation, which is a good reason
   to hide nonce management inside the HPKE context, as the existing
   AEAD ciphers do.  For some use cases-- e.g. messages are idempotent,
   or a probabalistic operation can be achieved (e.g. key wrapping), the
   DAE ciphers provide an acceptable option.

   It deserves to be mentioned again that even if a nonce is reused
   (i.e. misused) by an application wishing to manage the AAD of AES-
   SIV, the security of the cipher is not completely voided as it is
   with a non-DAE mode.  The notion of deterministic privacy and
   determinstic authenticity are retained (see [SIV]).

7.  Acknowledgements

   The algorithm for the sliding window to address dropped and reordered
   messages was proposed by James Hughes and Harry Varnis in [RFC2401].

8.  Test Vectors

   The following test vectors have been generated assuming the following
   registry value assignments would be made by IANA:

   *  DHKEM(CP-256, HKDF-SHA256): 19

   *  DHKEM(CP-384, HKDF-SHA384): 20

   *  DHKEM(CP-521, HKDR-SHA512): 21

   *  AES-256-SIV: 4

   *  AES-512-SIV: 5

8.1.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-256-SIV

8.1.1.  Base Setup Information










Harkins                 Expires 10 February 2023               [Page 11]

Internet-Draft                   DNHPKE                      August 2022


   mode: 0
   kem_id: 19
   kdf_id: 1
   aead_id: 4
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   4270e54f fd08d79d 5928020a f4686d8f 6b7d35db e470265f 1f5aa228 16ce860e

   pkEm:
   23cd4f6a 91f37b51 3480ff24 9b4a08fd 27a56651 cb359476 02073780 7d5ce831

   ikmR:
   668b3717 1f1072f3 cf12ea8a 236a45df 23fc13b8 2af3609a d1e354f6 ef817550

   pkRm:
   3dbc347a e6a2a467 5a6848b3 4e10bf28 ed957847 18b43f05 959b2034 039c9626

   enc:
   23cd4f6a 91f37b51 3480ff24 9b4a08fd 27a56651 cb359476 02073780 7d5ce831

   kem_context:
   23cd4f6a 91f37b51 3480ff24 9b4a08fd 27a56651 cb359476 02073780 7d5ce831
   3dbc347a e6a2a467 5a6848b3 4e10bf28 ed957847 18b43f05 959b2034 039c9626

   shared_secret:
   97d46fdd 749db253 1604b8b6 763897ef bd75aee0 d0fc361e 186e86e6 5511ac45

   key sched context:
   0042df88 379ec00c 85fc09e8 fd8fce69 af9af9f4 9542c43e 7f40f222 88748ec4
   6db0932e 0232d272 ff914ccb 9eb2ccfb 8d530d53 da2d99f9 5f2a8e34 ab6a4901
   98

   secret:
   bba5e681 2bbd25f7 6ba0b01b 69431c59 6763ed32 f2614eda ab8b1798 ffd76848

   key:
   d76486f0 96d7b916 5dae3721 b7480709 a9253f57 134d7138 852cdbda e5d77d8a

   exp:
   c03303f5 8c920f88 2962d216 0fb989f3 351cfe36 846b39dc 359b876b bf6d638e

8.1.2.  Encryption







Harkins                 Expires 10 February 2023               [Page 12]

Internet-Draft                   DNHPKE                      August 2022


   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   f663e10b f2d9ea5d 26b26f15 abf61f0c 7c02c1f1 8df3b8d9 76583d0d d7c2d190
   e5e16271 2f4edd5c 1efb478c 78

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   d5462e1c 178ca945 47a21b8c d6d1fd84 32e925e4 6052b7f4 70929da5 a0342ff0
   b8acc1d5 549b2bc6 30ae16d9 44

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   79c73f74 932621f2 7db58b8d 8c1c6f61 70b16944 6411f33d 2fd71b24 604ef25b
   a2c5508c d06087d4 89993052 4f

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   86f34032 79358243 48b8a1c8 f4e479c4 fd1a7331 05b89b46 58b59797 1face390
   7d5bcff2 41c2ea47 9d965bd1 38

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   20cb9542 523b9d2e 3ef45593 8c1edddd 72f93861 e50a273b e5ccab6b a56df502



Harkins                 Expires 10 February 2023               [Page 13]

Internet-Draft                   DNHPKE                      August 2022


   7f56696b c49e9232 8f85be3e 17

8.2.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-256-SIV

8.2.1.  Auth Setup Information

   mode: 2
   kem_id: 19
   kdf_id: 1
   aead_id: 4
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   798d82a8 d9ea19db c7f2c6df a54e8a67 06f7cdc1 19db0813 dacf8440 ab37c857

   pkEm:
   ba2b510d 3808c4be ced6b153 120b79d7 78c785f9 2c3b67b3 0e153d94 5b20727d

   ikmR:
   7bc93bde 8890d1fb 55220e7f 3b0c107a e7e6eda3 5ca4040b b6651284 bf0747ee

   pkRm:
   48b9c95a 72c53280 d19d5886 15b1f3a6 b1f607c8 111b9802 1441b9ad 709da767

   ikmS:
   874baa0d cf93595a 24a45a7f 042e0d22 d368747d aaa7e19f 80a802af 19204ba8

   pkSm:
   57fc29c0 7963a7bb ec000475 c11b4633 c51788fb d2fff55e 3b9cd8cb 31acb077

   enc:
   ba2b510d 3808c4be ced6b153 120b79d7 78c785f9 2c3b67b3 0e153d94 5b20727d

   kem_context:
   ba2b510d 3808c4be ced6b153 120b79d7 78c785f9 2c3b67b3 0e153d94 5b20727d
   48b9c95a 72c53280 d19d5886 15b1f3a6 b1f607c8 111b9802 1441b9ad 709da767
   57fc29c0 7963a7bb ec000475 c11b4633 c51788fb d2fff55e 3b9cd8cb 31acb077

   shared_secret:
   ef299e8f 1be52e52 d66d3ee1 1b8a62f8 6a0b5e34 3508e6c4 8873f5ca 33926369

   key sched context:
   0242df88 379ec00c 85fc09e8 fd8fce69 af9af9f4 9542c43e 7f40f222 88748ec4
   6db0932e 0232d272 ff914ccb 9eb2ccfb 8d530d53 da2d99f9 5f2a8e34 ab6a4901
   98

   secret:



Harkins                 Expires 10 February 2023               [Page 14]

Internet-Draft                   DNHPKE                      August 2022


   b8ddfe01 c96ffeb7 713baa45 4054b2ff e724f89d 7d9b0700 487e3253 8d72d2d4

   key:
   215c527f e33c2626 28e08146 0b923adc 106ff93e 0ba9f297 9dc259af 14c06406

   exp:
   40d14e24 1ea8dfe2 62f46807 991dae10 6ccae6ed 497f2263 7676b887 a7b340a3

8.2.2.  Encryption

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   bedb26a7 9e3db3c1 bd289c88 9a269194 bf9bd3c1 b00b8009 a61bd95e 102c1d8b
   dd84ec9e cb720af1 27a1322c 28

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   c8d84bc0 88814aba 99727a55 dd230ca7 d29c3033 87c3f6de 56d7ca6b 1cba1cb2
   9798c7a3 5dddf1ff 4f005f46 43

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   1d15176a 07ee9bce 3bae7627 a94945bc 3a935792 1e18d47e 0a95b4b6 0bb8fada
   433a162b b76b31c6 9a3b1935 3a

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   d25a11b8 c44b74ba a20be259 6e2e0d06 b5b9ba93 ccd82d05 0a613362 e0533983



Harkins                 Expires 10 February 2023               [Page 15]

Internet-Draft                   DNHPKE                      August 2022


   887dcb70 2a3dd34a d610fb8f 5f

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   7f81b231 64c6cff3 76bbc46f 5c57fcfc dc16b80c c87ec709 6d27c40a 78619f03
   1d30b956 10eb6f8a 47e880bf 1e

8.3.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-512-SIV

8.3.1.  Base Setup Information




































Harkins                 Expires 10 February 2023               [Page 16]

Internet-Draft                   DNHPKE                      August 2022


   mode: 0
   kem_id: 19
   kdf_id: 1
   aead_id: 5
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   a90d3417 c3da9cb6 c6ae19b4 b5dd6cc9 529a4cc2 4efb7ae0 ace1f318 87a8cd6c

   pkEm:
   0c83751b 613bf3e6 3fa4ee1a e64ffa4c 86c997bc 97983c2a 7ec9546b ee856e0b

   ikmR:
   a0ce15d4 9e28bd47 a18a97e1 47582d81 4b08cbe0 0109fed5 ec27d1b4 e9f6f5e3

   pkRm:
   d6643f01 efee734d 147e78f7 9722012f 22dbc5bd 640348e4 dc7872fd 6afb2748

   enc:
   0c83751b 613bf3e6 3fa4ee1a e64ffa4c 86c997bc 97983c2a 7ec9546b ee856e0b

   kem_context:
   0c83751b 613bf3e6 3fa4ee1a e64ffa4c 86c997bc 97983c2a 7ec9546b ee856e0b
   d6643f01 efee734d 147e78f7 9722012f 22dbc5bd 640348e4 dc7872fd 6afb2748

   shared_secret:
   81a5c8af 1952bbdf d200ca47 9b9b6433 fe3c1a13 55cb1381 8fa0a828 99e5746e

   key sched context:
   00519e25 346f3708 db318b4d dcb49fd6 becbedd5 aa490f08 b61fcbf8 2d851c0a
   404abd81 049c5f21 76ab65a4 b5dcc106 ce0debc6 75606d93 4c4c4f89 230221ab
   9b

   secret:
   14cbd262 5b385b0b e6489b24 1b78fea2 5aa60ce1 65e457ac dbd27cb1 b514eb46

   key:
   4134d7b1 943fc7f1 72c5d85a 47d511f2 6f917be9 634fd16c 00c997f9 96cbfa84
   4e96efd4 31ea4c37 ecd5190e 4ee27245 f6c659ea 68c3bf40 ee7ae8d9 a87f0cba

   exp:
   f6c659ea 68c3bf40 ee7ae8d9 a87f0cba 68dded2e 39b4f8fb 10fa73a5 c7835670

8.3.2.  Encryption






Harkins                 Expires 10 February 2023               [Page 17]

Internet-Draft                   DNHPKE                      August 2022


   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   cc89205a 7b94242f 04c29c31 88269b09 e7ab0c3d 568bd477 6b5f79cc 7af12307
   632c62b0 69dffeaa 881e9338 52

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   a6c382c8 202a4886 1125fcad a36084f6 6edcb1b1 704ba464 9549cf32 359a81d8
   67a311d4 115e4735 d2a0d328 01

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   cac52c02 fc5136dc 80ab7ce8 5a23bb5a 08849278 ea1ff0d8 a239f1a2 4aa46f0e
   e47bac8e 4ab5acbb b17ff7c0 07

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   62232cff 2e7e7d51 28f4f62a 5899fd42 808916cf daaa8192 974fe6ff aa588a9e
   82776d62 04fadaac af1ae9d5 2b

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   822dba19 de41c774 5283731a 63456269 d3738459 1e6b4c33 0b558764 dc24cfa4



Harkins                 Expires 10 February 2023               [Page 18]

Internet-Draft                   DNHPKE                      August 2022


   abdff166 42f572e1 356c6f4c 4f

8.4.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-512-SIV

8.4.1.  Auth Setup Information

   mode: 2
   kem_id: 19
   kdf_id: 1
   aead_id: 5
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   d6c49e44 2aad90bc c1bc0d16 6e5c4d3d f845c803 ba08b8a4 d891af2e eae4f97e

   pkEm:
   5fc3876c 0e3d841c 070d5c5b e41c048c e924f8d5 c8d11893 70955bbc 0fe349f0

   ikmR:
   3c567569 48f1c27a ed3eb27a 923c891d c073eccf 94bb6c1b 64a8bfaa 95f1f8f7

   pkRm:
   5ac93274 8d20c9aa af3c4126 51706a2a 08958a48 e7ed10f8 a944c556 9fbeca8c

   ikmS:
   0f3def8c c45967f8 6c566f2c 2a7deced ff0d5f8b 20a34ab6 5318144c 80cb6b2b

   pkSm:
   db74c19a 176482fe bad3e945 03c4b89d 622ddbf2 b1428cff 37627f6b e154011a

   enc:
   5fc3876c 0e3d841c 070d5c5b e41c048c e924f8d5 c8d11893 70955bbc 0fe349f0

   kem_context:
   5fc3876c 0e3d841c 070d5c5b e41c048c e924f8d5 c8d11893 70955bbc 0fe349f0
   5ac93274 8d20c9aa af3c4126 51706a2a 08958a48 e7ed10f8 a944c556 9fbeca8c
   db74c19a 176482fe bad3e945 03c4b89d 622ddbf2 b1428cff 37627f6b e154011a

   shared_secret:
   a67f3222 eeb41eba 6c7a9f5a 10478fd7 a0e809e9 32ec4b8c f2edd01e cc96af50

   key sched context:
   02519e25 346f3708 db318b4d dcb49fd6 becbedd5 aa490f08 b61fcbf8 2d851c0a
   404abd81 049c5f21 76ab65a4 b5dcc106 ce0debc6 75606d93 4c4c4f89 230221ab
   9b

   secret:



Harkins                 Expires 10 February 2023               [Page 19]

Internet-Draft                   DNHPKE                      August 2022


   ba6d7757 d6cdadf1 d180c866 f32b7356 cdb12e74 f6260531 85afc26f 84a68be5

   key:
   2d4d5c2e 584baaf4 f280cc74 8554917a 97f20b61 661e6dc9 d8a890a9 64c08c8e
   9afb8755 7dd86150 d2653b49 4fcb4c85 81188ab5 38617545 8bdaae78 492fce03

   exp:
   81188ab5 38617545 8bdaae78 492fce03 fe7f5779 f7fd6c75 beb65c2c 04e2996e

8.4.2.  Encryption

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   2f222fa0 1a9de65c ce5c6806 2b8c6eaf 2f093fe3 431ac27b 812dce8c e466767c
   eb2fd896 f587f7e7 d5c77c24 16

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   1b630e19 f1c5eb24 471c02b8 e27a7627 b22b08ac 6c6da703 a8518de0 156996ea
   8f3c909e 35c3d755 797f3546 72

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   1a14eb89 70e44530 5cf558a7 7dddfcfb 1bc859b1 9bf9867d 21de9caf 4dc625ce
   9f7a006a 7eff8276 ba4509f0 04

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:



Harkins                 Expires 10 February 2023               [Page 20]

Internet-Draft                   DNHPKE                      August 2022


   fad19bf7 0ecb25f3 20187fb0 bbf2489c a1f47e91 ce251e9d 021c4595 98f945d8
   2e6b10ac 7dca809e dd13eaf4 65

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   833c3db5 fe83d887 266629a5 712eead2 1824c4c5 2af25ea5 a5c999e7 6178033e
   cc9b1caa 8ed0b19a e21433d2 f1

8.5.  DHKEM(CP-256, HKDF-SHA256), HKDF-SHA512, AES-512-SIV

8.5.1.  Auth PSK Setup Information

   mode: 3
   kem_id: 19
   kdf_id: 3
   aead_id: 4
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   37ae06a5 21cd5556 48c928d7 af58ad2a a4a85e34 b8cabd06 9e94ad55 ab872cc8

   pkEm:
   87e52765 608be760 1d402d76 fd0cef53 c79365b6 96f0217f 89165f90 f07fb191

   ikmR:
   7466024b 7e2d2366 c3914d78 33718f13 afb9e3e4 5bcfbb51 0594d614 ddd9b4e7

   pkRm:
   474f1abb 69c066b7 1c1c35c6 a67dccb1 8d3a6cfd 5bf95501 d6594c3e 144b7b9b

   ikmS:
   ee27aaf9 9bf5cd83 98e9de88 ac09a82a c22cdb8d 0905ab05 c0f5fa12 ba1709f3

   pkSm:
   a2076645 915893d8 df5d99b2 5368e1de 74de3b6b 070d8fbe b85b242c bf00a47c

   psk:
   0247fd33 b913760f a1fa51e1 892d9f30 7fbe65eb 171e8132 c2af1855 5a738b82

   psk_id:
   456e6e79 6e204475 72696e20 6172616e 204d6f72 6961




Harkins                 Expires 10 February 2023               [Page 21]

Internet-Draft                   DNHPKE                      August 2022


   enc:
   87e52765 608be760 1d402d76 fd0cef53 c79365b6 96f0217f 89165f90 f07fb191

   kem_context:
   87e52765 608be760 1d402d76 fd0cef53 c79365b6 96f0217f 89165f90 f07fb191
   474f1abb 69c066b7 1c1c35c6 a67dccb1 8d3a6cfd 5bf95501 d6594c3e 144b7b9b
   a2076645 915893d8 df5d99b2 5368e1de 74de3b6b 070d8fbe b85b242c bf00a47c

   shared_secret:
   0c554e67 af28a8cb 6548163c bba01e0c 882111cb 9a9d2b70 d52f27a6 b5da0e93

   key sched context:
   03642680 fd2063b9 86985586 8974385d 56017618 19fa5a72 37b63dc0 da6e4077
   c5c78de8 337eca9c 42d67d80 a8325e74 054784b9 aee52c79 b2197221 1fe7818b
   6152309f 3bf294d6 6d770cfd 89d0650d bf6b3965 4f2ea930 e7969658 9bc27908
   57be3497 fbb54404 8c335380 9dfbdc6a 95d7ca0b 07bc85ef 7b0af851 1d553cf9
   18

   secret:
   2647e270 0b8ea588 b2a63c6b d1393457 f78ff2d1 e9c4a94e 7bd0c8d4 342b0144
   bea7736f 4326ae69 a64ba8ba 3e7c8638 6755d09a 2aa5a367 ae28ae7e acd0cba8

   key:
   3d42271a de1f9f1e dabf0e42 76ea6460 9537b59a 4b19da97 51f28001 04d82d1d

   exp:
   0c086497 bcf20cff 2d9f6afd 0b3a193c 2432bd7f 5ce1dc3d e486b58b eed4175d
   2f0db038 f2f5251a 0d7031c2 4b7cd6f9 f5113aa2 63fb341e fcd75d53 ba517012

8.5.2.  Encryption

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   5791f3bc 18c026d4 ae772474 a941c730 e8221677 6e638c49 0d7995df 451f94c2
   c6ccdd22 9f6b03fa bde4dfc2 53

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:



Harkins                 Expires 10 February 2023               [Page 22]

Internet-Draft                   DNHPKE                      August 2022


   6e277787 ad78afd6 3a05b3a1 b950f79c 2ae01270 77c2a415 a9da993e ad96021e
   a4ab4157 4bccf4bd 9829e58b 32

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   0b228658 535cd69c 5b18906d 5c9f694c 00d2ce05 84831c15 5d9b52ca b28e7b4c
   2e9cd3fd 5b71b269 74ac7b9c 24

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   ffec14a4 f2a60701 b720cbdc b80ceb46 038de563 53fec944 d2c1b732 b7c50cb9
   393d5c23 f9dc4681 d12347d6 f7

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   49cf661e 681e07e1 d1016a84 6069f3b1 ce0e0465 09726f1f d7b15036 e5b5fa81
   6fd58f65 7bd44afd 15c41608 da

8.6.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-256-SIV

8.6.1.  Base Setup Information

   mode: 0
   kem_id: 21
   kdf_id: 1
   aead_id: 4
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   5040af7a 10269b11 f78bb884 812ad200 41866db8 bbd749a6 a69e3f33 e54da716
   4598f005 bce09a9f e190e29c 2f42df9e 9e3aad04 0fccc625 ddbd7aa9 9063fc59
   4f40



Harkins                 Expires 10 February 2023               [Page 23]

Internet-Draft                   DNHPKE                      August 2022


   pkEm:
   005208f9 56649e60 0e958116 ae05435a 6adb3a17 2e29bc3b 22818043 535ede1a
   977bc486 40f4163e 8fc68c3c fb629380 cad13675 b93d186d 39e754ed 62055014
   a5f5

   ikmR:
   39a28dc3 17c3e48b 908948f9 9d608059 f882d3d0 9c054182 4bc25f94 e6dee7aa
   0df1c644 296b06fb b76e84ae f5008f8a 908e08fb abadf706 58538d74 753a85f8
   856a

   pkRm:
   01d07d98 c86f123e 13a052cf 58d4d7f9 ac98ab62 aa0fccc6 a2354ab4 4abc0e33
   8cf8ba8a 8a26225a a1bf023a 9d4db0a1 2135b7b7 c95aadc6 eec3fdc6 4eb4fdf0
   e440

   enc:
   005208f9 56649e60 0e958116 ae05435a 6adb3a17 2e29bc3b 22818043 535ede1a
   977bc486 40f4163e 8fc68c3c fb629380 cad13675 b93d186d 39e754ed 62055014
   a5f5

   kem_context:
   005208f9 56649e60 0e958116 ae05435a 6adb3a17 2e29bc3b 22818043 535ede1a
   977bc486 40f4163e 8fc68c3c fb629380 cad13675 b93d186d 39e754ed 62055014
   a5f501d0 7d98c86f 123e13a0 52cf58d4 d7f9ac98 ab62aa0f ccc6a235 4ab44abc
   0e338cf8 ba8a8a26 225aa1bf 023a9d4d b0a12135 b7b7c95a adc6eec3 fdc64eb4
   fdf0e440

   shared_secret:
   01b5e494 8af1dae6 9fe69cf1 ff6c2f52 022ce691 6fa5e846 40351561 292f19c4
   2fa6fd27 132d0414 dbc67d34 8f9efaaf 2064f76e b6e43f2c 0c59d72f 2b75b988

   key sched context:
   0039cb31 552274b7 da50f702 38462e6b e53b4160 074e225a 907a8190 97ddb649
   abf15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7
   d8

   secret:
   f2d20b62 5e87880e a2480be2 521ff460 456aed76 c5a6126f ca17f425 1a560170

   key:
   d5af37fe 38083050 a54eaa25 5ce46c17 2885f187 b9264003 0e3fd60b a7d87380

   exp:
   6808978c 1be493c8 5b9422cc 0d4dcb86 0527807e 5df1c453 78932f9d de0fda57

8.6.2.  Encryption





Harkins                 Expires 10 February 2023               [Page 24]

Internet-Draft                   DNHPKE                      August 2022


   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   4ff1fe67 2ff031c3 3fc6c14a 6c136699 7d851d0a 4590018f ae2066e4 dcfcb13c
   3246d608 ca844350 a29ad685 5c

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   3ca22120 0355f2e6 439963de 114637bf 6f5377e1 87c549fe d17acfe8 90e66150
   db037d42 dfd52d94 1b6705b9 68

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   1d37ce24 9aa151cd 55d9d15b 610af39c ced8b1f7 cdc1ef9b fcaaef90 304a1a97
   1fed768a 69bdc3a9 77f85f60 a4

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   fb439464 8952c250 8e749bd6 d5efabfc ee6d3ce8 ac3af85c a2783e3d 052edcdf
   3e0dede7 e69dc3ff 31034868 d4

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   23e2c812 e82fdd54 8dd72af8 0f16ae02 c23ceedc 250332b6 d18dd132 2d433692



Harkins                 Expires 10 February 2023               [Page 25]

Internet-Draft                   DNHPKE                      August 2022


   895c7969 81fa655d d537ec20 2d

8.7.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-256-SIV

8.7.1.  PSK Setup Information

   mode: 1
   kem_id: 21
   kdf_id: 1
   aead_id: 4
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   19484305 36ca540c 53351ae5 9d7a2240 8f1a0f20 1c1387e2 38ca8c52 ea162da7
   ffe27652 fbbfef9b 60b66a03 9c80853a 4224c01f d83155a1 7373c92f 3d41bc25
   4943

   pkEm:
   012c55eb 18a3184f 8fefb856 f2f16d9d 2e7bb9bd bf0842c4 f4d5d668 17302753
   ee239e72 627e724d a393436d 47d7dede 97734ce6 db12387b cfa5713b b20e0ccd
   cbd6

   ikmR:
   3c9a57ce 2773fc44 d2b03a9f ed866e9f 8dfd18bf c844c4dd c254fe0c 836643b9
   fd3f54ce 090caf5f 07829fd0 17ebdf4b 43408579 85f21056 d5a2dd46 1dd61da9
   afce

   pkRm:
   016368a1 295c5fef 6f80fd82 98401040 c2960e4b 8db4c265 c2eb4832 8ac026c1
   74075384 12be0251 35f88f66 50f61fe1 0a6bd91a f4b9e431 442bbfa2 3192c08c
   757d

   psk:
   0247fd33 b913760f a1fa51e1 892d9f30 7fbe65eb 171e8132 c2af1855 5a738b82

   psk_id:
   456e6e79 6e204475 72696e20 6172616e 204d6f72 6961

   enc:
   012c55eb 18a3184f 8fefb856 f2f16d9d 2e7bb9bd bf0842c4 f4d5d668 17302753
   ee239e72 627e724d a393436d 47d7dede 97734ce6 db12387b cfa5713b b20e0ccd
   cbd6

   kem_context:
   012c55eb 18a3184f 8fefb856 f2f16d9d 2e7bb9bd bf0842c4 f4d5d668 17302753
   ee239e72 627e724d a393436d 47d7dede 97734ce6 db12387b cfa5713b b20e0ccd
   cbd60163 68a1295c 5fef6f80 fd829840 1040c296 0e4b8db4 c265c2eb 48328ac0



Harkins                 Expires 10 February 2023               [Page 26]

Internet-Draft                   DNHPKE                      August 2022


   26c17407 538412be 025135f8 8f6650f6 1fe10a6b d91af4b9 e431442b bfa23192
   c08c757d

   shared_secret:
   7dbf19ed dced8520 cf9f4f09 cbe09c67 c7493d6e 798d69f0 f13fc693 e3161d27
   8b37b1f7 78556a5d 293957bb 768a1567 75bded1e c835fc69 faeb6e01 d981110d

   key sched context:
   012c9501 61b56512 ae1c5fde be9b6c1e 680e1277 308a175e 6452aa32 28f6d60b
   5ef15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7
   d8

   secret:
   7ef0b355 87409fe5 6a1fcad4 6f0615ae ae7b7481 a182a193 7496916c 50316b8e

   key:
   1896f4f4 95dd067d 784384af 71d3d58e 47dd910d c4262f98 c771a4ec a17de51f

   exp:
   d1aeffbc d46c96a6 2cdbc75d 9f7dc7dd 21ba50d5 9ec10191 b0e49add 953f9f21

8.7.2.  Encryption

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   46afb04f 153770d7 09a7781b 4363b9c2 69b9a0f8 686e76c6 e8a384c0 ea3c6713
   70f7c37c 02da3702 3330ebda 64

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   0f1be046 2892d8b7 177659c6 1620981e 4d5d3220 b58a7d88 05f9423e a8c7d30e
   e1837826 196c4bdb 33cdd0fc 28

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32



Harkins                 Expires 10 February 2023               [Page 27]

Internet-Draft                   DNHPKE                      August 2022


   ct:
   cd2061da 9aca2be6 b740677d 0f37ad1d 3b0fad32 dbadbf48 0c8c665b 08472f6a
   fb5a4516 cb292372 02470111 41

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   2aae252b bb85bf18 769f2c74 4919897e d3315cdc 00f00975 abf5552b 41be8182
   13e10893 8359385e 3ba0b5d0 a1

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   e72f8b91 a13fb546 dd40a03d 178c1938 813fb62b ae1e45e4 fb2d8ed3 55cb6876
   0b02cce5 38571845 c014f91c 8e

8.8.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-256-SIV

8.8.1.  Auth Setup Information

   mode: 2
   kem_id: 21
   kdf_id: 1
   aead_id: 4
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   d45cc999 ba65eb6b ec00cf9b df308ae7 57558d62 8938ada2 d7bbf97b f58b401d
   ea5710d5 c1f733fd 30dade61 6806669a cce09ba3 2cc57d58 02026955 3a19d632
   d1f7

   pkEm:
   00941aa3 61e3df67 8316e950 f082f38d 972b4f5d 789d4abb ebb0bd10 7f3e1d77
   66a02538 47840ec2 bb22dd43 6cbf9a8b fa90a38f 61e86ca1 44877699 8e1d7db7
   33a3

   ikmR:
   fd95b48b 2a8e53cd 12da39ec c343c273 ce282b00 f185b6e9 80d3b4b8 55e938ea
   0ba841e8 dfe5ac19 4ba830a5 23a7c5d1 faff6482 ff5e46ea 8f25b126 b8545c6d



Harkins                 Expires 10 February 2023               [Page 28]

Internet-Draft                   DNHPKE                      August 2022


   eb11

   pkRm:
   01f7b479 fef9ddbf 10a12c7e 5d4e22f5 ca3745e6 12dc7007 96f80ecf 0a32e5d0
   3b4e526d bc08234b 13740963 ea1e9de2 85a21647 72ae3fcf f7a513b8 f7c132f6
   7b18

   ikmS:
   7c533451 b4b61ba8 ee879bb4 e11fb330 d0397244 2d74fd7c f5ebc0f8 84a90005
   a87fcb0e 3401e9f7 24b45cec de6d9f6d d88f202e f23f790d a10867d6 bd8d9fb8
   bf89

   pkSm:
   01715f0e 475571c9 9e0bfac5 eae86e08 fbea30db 23f670ed 471b053f f5f7c464
   3daf384e 7714d25a 45170576 8d05ab73 00e0cb64 5d21c697 49a46680 f31eec0e
   fc2a

   enc:
   00941aa3 61e3df67 8316e950 f082f38d 972b4f5d 789d4abb ebb0bd10 7f3e1d77
   66a02538 47840ec2 bb22dd43 6cbf9a8b fa90a38f 61e86ca1 44877699 8e1d7db7
   33a3

   kem_context:
   00941aa3 61e3df67 8316e950 f082f38d 972b4f5d 789d4abb ebb0bd10 7f3e1d77
   66a02538 47840ec2 bb22dd43 6cbf9a8b fa90a38f 61e86ca1 44877699 8e1d7db7
   33a301f7 b479fef9 ddbf10a1 2c7e5d4e 22f5ca37 45e612dc 700796f8 0ecf0a32
   e5d03b4e 526dbc08 234b1374 0963ea1e 9de285a2 164772ae 3fcff7a5 13b8f7c1
   32f67b18 01715f0e 475571c9 9e0bfac5 eae86e08 fbea30db 23f670ed 471b053f
   f5f7c464 3daf384e 7714d25a 45170576 8d05ab73 00e0cb64 5d21c697 49a46680
   f31eec0e fc2a

   shared_secret:
   fd55afea 8cf91399 eab366b2 1f9c1c5e 1be2cc06 92a988d3 58884755 7eaebf4b
   1a85f6f1 150e34f5 0fa4faa8 2beba6b6 a06d97e7 8a63a43d 7c0369b4 851ddda4

   key sched context:
   0239cb31 552274b7 da50f702 38462e6b e53b4160 074e225a 907a8190 97ddb649
   abf15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7
   d8

   secret:
   d0880b5f 93b8f99f 9c9abb4f 7601b1ca 2dff70fb 5529feef 0d99d93d 41884d40

   key:
   6d033540 ec5a1637 909a8a21 cd82f1eb 2ac87042 37a56060 e18ef2ac 477ad7db

   exp:
   dea686af f2384f2a dce9e499 2796f08d a0ff7261 95baa721 ae4000db c920673e



Harkins                 Expires 10 February 2023               [Page 29]

Internet-Draft                   DNHPKE                      August 2022


8.8.2.  Encryption

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   d07d5c55 86afa2a6 328c314c e93621cb 8ee6cb90 66970b1c e2f739bb 0706dd4d
   142d3748 aed46417 af8005f2 78

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   9c8533d4 02a7cec4 e930f41a 26f97df9 2c5d3ee4 829f79e0 b3b3ff85 4c8ba34f
   c58ab0be a948bd91 c5eb8a90 08

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   3e7da863 847fceb1 fcc49478 8f045e9b fcce98d7 9e091bae 0edeb004 cb9f0e93
   75b59eeb 635e885c 6e810c1c 12

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   ac688968 d5a19dc7 206f79e3 068fc6ef 3a9e0ce2 f8ff3d37 809cb238 de30638a
   81241150 f1cd8d77 89cd2513 a0

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34




Harkins                 Expires 10 February 2023               [Page 30]

Internet-Draft                   DNHPKE                      August 2022


   ct:
   5c845010 89cb8655 7b84ba09 2ff19c20 3a771ca7 b4a0a5cb 57110ddc 71020a5a
   ed746a56 679223a6 503e368c 1d

8.9.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA256, AES-512-SIV

8.9.1.  Base Setup Information

   mode: 0
   kem_id: 21
   kdf_id: 1
   aead_id: 5
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   9953fbd6 33be69d9 84fc4fff c4d7749f 007dbf97 102d36a6 47a8108b 0bb7c609
   e826b026 aec1cd47 b93fc5ac b7518fa4 55ed38d0 c29e900c 56990635 612fd3d2
   20d2

   pkEm:
   00fd79f7 20262f2f 38f6e164 3139fad0 58a07210 a0ded183 092de949 b70271ab
   7fc59999 b9f13ce8 a0c79454 841be330 e0298d6b b3449e1b e6835f52 2963fdbe
   2cbb

   ikmR:
   17320bc9 3d9bc1d4 22ba0c70 5bf693e9 a51a855d 6e09c11b ddea5687 adc1a112
   2ec81384 dc7e4795 9cae01c4 20a69e8e 39337d9e bf9a9b2f 3905cb76 a35b0693
   ac34

   pkRm:
   00685b94 a565c40e 44467ded 521e51dd 27062392 7f076cae 5d2ac51e daa00c08
   0cb53932 a0f96476 7016be86 e1828c97 406a1c45 210bd72a 6a4db565 a0a2ede1
   66bf

   enc:
   00fd79f7 20262f2f 38f6e164 3139fad0 58a07210 a0ded183 092de949 b70271ab
   7fc59999 b9f13ce8 a0c79454 841be330 e0298d6b b3449e1b e6835f52 2963fdbe
   2cbb

   kem_context:
   00fd79f7 20262f2f 38f6e164 3139fad0 58a07210 a0ded183 092de949 b70271ab
   7fc59999 b9f13ce8 a0c79454 841be330 e0298d6b b3449e1b e6835f52 2963fdbe
   2cbb0068 5b94a565 c40e4446 7ded521e 51dd2706 23927f07 6cae5d2a c51edaa0
   0c080cb5 3932a0f9 64767016 be86e182 8c97406a 1c45210b d72a6a4d b565a0a2
   ede166bf

   shared_secret:



Harkins                 Expires 10 February 2023               [Page 31]

Internet-Draft                   DNHPKE                      August 2022


   f4016476 1b23e62a 825c3a12 f00a300c 7fc0bca7 d63a4b4d 8decd9e3 e6665c77
   72e5caa3 1d81b01c 83f85fad 171604a5 f5620d0e b3adc049 cf84a244 da1b66fc

   key sched context:
   009c83af 569335de c008d972 3b99516d aeca636c f2f750ff d5097d80 b3325949
   62d402df a706d773 c51099d3 c7a050a9 601fec9e fcd1d0fe ee84db47 31678771
   a5

   secret:
   c1c03165 591c1b1f 402c6a2f e51cef09 fffe1014 5e1bbec1 48f16424 3e8e8657

   key:
   fcd7bd4d 7fb57f4b ac324cea fca16db2 c93579e9 cf3ac7d3 ebe1cc5d 9a961ff5
   64a7a5f7 4a27fbc7 c527b6e9 f69df654 b544b8c5 4a9d17f1 af85e9c0 c4878c58

   exp:
   b544b8c5 4a9d17f1 af85e9c0 c4878c58 a209c5f4 431a199f 605c7179 9153500d

8.9.2.  Encryption

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d30

   ct:
   904a4929 f11643ef 3225d8e2 503b13cf cc3eb26d 6c9f4ccf c551c960 19465f64
   130278f3 492e3bad 15635243 3d

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d31

   ct:
   00d1baad b17b86a2 23eba165 0bf4b165 993365f0 c30d3a50 81f06d67 9a456e1a
   e786644c 6c26b617 18d93bc0 2d

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d32

   ct:
   c61f2a7b 01451896 06efcd72 ae5835f4 3d563368 8635d2e0 6e33dfc3 b89d11f5



Harkins                 Expires 10 February 2023               [Page 32]

Internet-Draft                   DNHPKE                      August 2022


   38a61f94 f1a48a98 4c74c01a 30

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d33

   ct:
   65f0fe74 1623cc3e 1f324cf6 51c30b9a cafff85c 53945d3c 1e9038df 4c3ffcd2
   3a587a83 e6089a78 5e92825d a4

   pt:
   42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad:
   436f756e 742d34

   ct:
   41466afb 39544cf3 39a1bb23 2b19660d 96d2b357 4c6ef39b a505e412 f49f5f3f
   8b45c53b dbc35f0b 8876a387 9d

8.10.  DHKEM(CP-521, HKDF-SHA521), HKDF-SHA512, AES-512-SIV

8.10.1.  Auth PSK Setup Information

   mode: 3
   kem_id: 21
   kdf_id: 3
   aead_id: 5
   info:
   4f646520 6f6e2061 20477265 6369616e 2055726e

   ikmE:
   54272797 b1fbc128 a6967ff1 fd606e0c 67868f77 62ce1421 439cbc9e 90ce1b28
   d566e6c2 acbce712 e48eebf2 36696eb6 80849d68 73e99593 95b29319 75d61d38
   bd6c

   pkEm:
   01b716a3 3ef96baa 96761a89 0b08efc6 762f2f20 fe7db159 7c3e3663 4a3973e6
   8bdb71f9 1cc2d701 ad4424a3 04554f12 efce4c25 991f2033 d51c1f3c 43d95564
   4510

   ikmR:
   3db434a8 bc25b27e b0c590dc 64997ab1 378a99f5 2b2cb5a5 a5b2fa54 0888f6c0
   f09794c6 54f44685 24e040e6 b4eca2c9 dcf229f9 08b9d318 f960cc9e 9baa92c5
   eee6




Harkins                 Expires 10 February 2023               [Page 33]

Internet-Draft                   DNHPKE                      August 2022


   pkRm:
   01bf5b74 278612e1 cfa7a47c dbe24a6f be41b73c 32e98e98 6d40c849 0a9201d3
   187483b8 b66e2710 5a3eb80c 394a889a 24841875 7425b0e3 a4b376f3 fd8ea087
   daf4

   ikmS:
   65d523d9 b37e1273 eb25ad05 27d3a7bd 33f67208 dd1666d9 904c6bc0 4969ae58
   31a8b849 e7ff6425 81f2c3e5 6be84609 600d3c6b bdaded3f 6989c37d 2892b1e9
   78d5

   pkSm:
   01856189 0c5378f2 dedf9da7 8c082f22 01110f1c ca97637c e4ae528c af38ee87
   5d70b77f a72c4b6f 2fb42466 f98852dc 8466c4de f387db3a 6514872f 616d7379
   e27e

   psk:
   0247fd33 b913760f a1fa51e1 892d9f30 7fbe65eb 171e8132 c2af1855 5a738b82

   psk_id:
   456e6e79 6e204475 72696e20 6172616e 204d6f72 6961

   enc:
   01b716a3 3ef96baa 96761a89 0b08efc6 762f2f20 fe7db159 7c3e3663 4a3973e6
   8bdb71f9 1cc2d701 ad4424a3 04554f12 efce4c25 991f2033 d51c1f3c 43d95564
   4510

   kem_context:
   01b716a3 3ef96baa 96761a89 0b08efc6 762f2f20 fe7db159 7c3e3663 4a3973e6
   8bdb71f9 1cc2d701 ad4424a3 04554f12 efce4c25 991f2033 d51c1f3c 43d95564
   451001bf 5b742786 12e1cfa7 a47cdbe2 4a6fbe41 b73c32e9 8e986d40 c8490a92
   01d31874 83b8b66e 27105a3e b80c394a 889a2484 18757425 b0e3a4b3 76f3fd8e
   a087daf4 01856189 0c5378f2 dedf9da7 8c082f22 01110f1c ca97637c e4ae528c
   af38ee87 5d70b77f a72c4b6f 2fb42466 f98852dc 8466c4de f387db3a 6514872f
   616d7379 e27e

   shared_secret:
   3c1c20e2 16a48012 e032127b af46a725 e55448f8 511a5ea2 ebffd891 473ebc8c
   20373d88 8738685b 018e7310 066976bb b35ad27f 9392a870 42865aeb 354b2428

   key sched context:
   03da3273 57c39707 4a257ebc 3c27e309 5b2cf890 951bd032 98123a00 638fa3e6
   2e6a1e3d 436ec52f 6c250a5f 944b3626 28790988 4d63325b d9695d6f 4f553903
   43600877 1dae94d9 1fb0cbbf 0fb8158c 0f900b77 6f6d42cf fb380ba2 1d7fdace
   bfc89e97 42c05989 9df732ff abd7c0bb b6be7b4d ca65329c a793a0e5 a5444136
   3b

   secret:
   4ed11ada 787796ec ae5c3893 f815b659 bc6f1639 410494da 971c3f30 5a4ad7cd



Harkins                 Expires 10 February 2023               [Page 34]

Internet-Draft                   DNHPKE                      August 2022


   32184287 ab2bb55d 51d23620 38a0cc8f 973636dd 853dafb4 af399229 38e8c8cc

   key:
   d52bfae5 a7cd0d6c 41c1be93 9de5c0a5 3782ad74 6deb76d7 fd662509 727eeb9d
   eaab86d1 7a444b7b 100519b9 d8ac2762 bdc1b9eb 64ec8bd8 362a2df3 e82bf4b0

   exp:
   bdc1b9eb 64ec8bd8 362a2df3 e82bf4b0 6ba82d93 e0bbf28c e286d3d6 53915dc1
   97b0de63 38e56727 e44fdc59 a1a942b6 5b82641d 00aceaf1 08e2bbc2 becd40ee

8.10.2.  Encryption

   ~~~

   pt: 42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad: 436f756e 742d30

   ct: 1bb2088e 0e946ce2 6925273d 498a474c 49c7e735 eb8d3cca ba242e98
   c560d5a1 786c7982 234017bd 0f8a5985 0f

   pt: 42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad: 436f756e 742d31

   ct: d5052151 1c06077c 00d7eaed 143ee355 2d1d0c44 c96227c0 c89a20e6
   121f9721 e288410c 4f94955c 32097c21 51

   pt: 42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad: 436f756e 742d32

   ct: 718eaaa6 97bae275 efbc2064 cd09cd81 48e45691 7de46704 d0ff2367
   46d47fb9 3936dafc 5baf0485 b61c2e43 f0

   pt: 42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad: 436f756e 742d33

   ct: 141754a9 97b92442 bff79fcb 92d51261 f45c2922 1c58f577 95863b53
   c87f1fda e5c25c77 bc277abc 0508deac 55

   pt: 42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

   aad: 436f756e 742d34

   ct: 4e2f2352 29e2281b 92d40c86 2e84f9a5 19ac0766 49b42ef6 031c5967
   3fbccb97 312962f0 c51ccf0e 2395f8f0 75



Harkins                 Expires 10 February 2023               [Page 35]

Internet-Draft                   DNHPKE                      August 2022


9.  References

9.1.  Normative References

   [NISTCurves]
              "Digital Signature Standard (DSS)",
              DOI 10.6028/nist.fips.186-4, National Institute of
              Standards and Technology report, July 2013,
              <https://doi.org/10.6028/nist.fips.186-4>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5297]  Harkins, D., "Synthetic Initialization Vector (SIV)
              Authenticated Encryption Using the Advanced Encryption
              Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, October
              2008, <https://www.rfc-editor.org/info/rfc5297>.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090,
              DOI 10.17487/RFC6090, February 2011,
              <https://www.rfc-editor.org/info/rfc6090>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC9180]  Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid
              Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180,
              February 2022, <https://www.rfc-editor.org/info/rfc9180>.

9.2.  Informative References

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, DOI 10.17487/RFC2401,
              November 1998, <https://www.rfc-editor.org/info/rfc2401>.

   [RFC5649]  Housley, R. and M. Dworkin, "Advanced Encryption Standard
              (AES) Key Wrap with Padding Algorithm", RFC 5649,
              DOI 10.17487/RFC5649, September 2009,
              <https://www.rfc-editor.org/info/rfc5649>.

   [SECG]     "Elliptic Curve Cryptography, Standards for Efficient
              Cryptography Group, ver. 2", 2009,
              <https://secg.org/sec1-v2.pdf>.




Harkins                 Expires 10 February 2023               [Page 36]

Internet-Draft                   DNHPKE                      August 2022


   [SIV]      Rogaway, P. and T. Shrimpton, "Determinstic Authenticated
              Encryption: A Provable-Security Treatment of the Key-Wrap
              Problem", 2007,
              <https://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf>.

   [X9102]    ANSI X9, "Symmetric Key Cryptography For The Financial
              Services Industry-- Wrapping of Keys and Associated Data",
              2020.

Author's Address

   Dan Harkins
   Hewlett-Packard Enterprise

   Email: daniel.harkins@hpe.com




































Harkins                 Expires 10 February 2023               [Page 37]