Internet-Draft DNHPKE July 2023
Harkins Expires 7 January 2024
Workgroup: Network Working Group
Internet-Draft: draft-irtf-cfrg-dnhpke-01
Published:
Intended Status: Informational
Expires: 7 January 2024
Author: D. Harkins, Hewlett-Packard Enterprise

Deterministic Nonce-less Hybrid Public Key Encryption

Abstract

This document describes enhancements to the Hybrid Public Key Encryption standard published by CFRG. These include use of "compact representation" of relevant public keys, support for key-wrapping, and two ways to address the use of HPKE on lossy networks: a deterministic, nonce-less AEAD scheme, and use of a rolling sequence number with existing AEAD schemes.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2024.

1. Introduction

[RFC9180], hereinafter simply HPKE, is a robust, provably-secure construct. It defines APIs to ensure proper use so that its security guarantees are retained. These APIs are therefore rigid and purposeful. Unfortunately, there are applications for which this rigidity is an impediment to use: networks with bandwidth-constrained media, networks which cannot guarantee in-order delivery of every packet sent, and key-wrapping applications.

This memo proposes three modifications to HPKE to make it more suitable for different use cases.

1.1. Compact Representation

HPKE generates an ephemeral keypair and uses it to perform a Diffie-Hellman with the static keypair of the proposed recipient of a secure message. The ephemeral public key is required to accompany the message, or at least the first of a stateful sequence of messages. HPKE therefore defines a serialization and deserialization for public keys used with defined KEMs.

HPKE defines KEMs that use three Weierstrass curves defined in [NISTCurves]. The serialization and deserialization for public keys in these KEMs use the uncompressed form of an elliptic curve point from [SECG]. Unfortunately, this results in the string that accompanies the message being over twice as long as it needs to be. This can be an issue for applications that have constrained bandwidth or that use the HPKE APIs in a stateless, "single shot" mode where the message being sent is dwarfed by the size of the serialized public key.

[RFC6090] defines a notion of "compact output" and "compact representation" for elliptic curves. Compact output means that the output of the ECDH operation is the x-coordinate of the resulting point; the y-coordinate is discarded. Compact representation is a way of communicating an elliptic curve Diffie-Hellman public key using the x-coordinate only. Compact representation works whenever compact output is employed-- since the sign of the ECDH secret is discarded, the sign of the peer's public key does not matter.

HPKE uses compact output: it passes the x-coordinate of the ECDH shared secret to HKDF to derive a key for the AEAD cipher. Since HPKE uses compact output, it can define serialization and deserialization that use compact representation and thereby address use cases in which message size is important. Redefining the serialization and deserialization, though, requires definition of new KEMs that use the new technique.

1.2. Addressing Lossy Networks

To prevent the possibility of misuse, management of AEAD counters is entirely confined to the HPKE context. The sender and receiver have no ability to know what particular counter was used with a particular invocation or to manage how counters are used.

This restriction is not an issue for applications that use HPKE with a guarantee of in-order packet delivery, where sender and receiver HPKE contexts are kept in sync. But not everyone has a guarantee of in-order delivery of packets, and this restriction makes use of HPKE impractical for a great many use cases. Any undetected packet loss or reordering would result in the sender and receiver HPKE contexts getting out of sync. Since HPKE provides no way to resynchronize such a situation, the result would be tragic.

Therefore, two techniques are added to allow HPKE to be used in lossy networks or networks that reorder packets: a rolling window of received sequence numbers, and a deterministic mode of AEAD.

1.2.1. Rolling Sequence Window

The technique from [RFC2401] can be adopted: a rolling window records which messages (inside the window) have been received. As the sequence number advances, and a message is successfully opened thus validating its sequence number, the window advances to include it. The result is that reorder and loss is acceptable for a number of messages defined by the size of the window, and messages deemed "too old" are dropped. Messages replayed with an already-used sequence number are also dropped.

To implement such a scheme, the receiver needs to know the counter used with the AEAD algorithm. Therefore, the sequence number used to construct the counter in HPKE (it is XOR'd with a secret base nonce) is prepended to the ciphertext.

1.2.2. Deterministic Authenticated Encryption

[SIV] defines a provably secure mode of deterministic authenticated encryption (DAE). In this mode, a nonce is optional. If one is used and it is guaranteed to be unique, SIV achieves the same level of IND-CCA2 security offered by other HPKE ciphers. But if the nonce is reused or, in the case proposed here, the nonce is not used, SIV provides a different security guarantee, that of deterministic security.

Deterministic authenticity in a DAE scheme provides the traditional inability of an adversary to come up with a non-trivial query that will return a non-FAIL response-- i.e. a valid forgery-- with non-negligible probability. Deterministic privacy in a DAE scheme provides the typical indistinguishability-from-random guarantee of a traditional AEAD scheme, with a caveat: it cannot achieve the indistinguishability goal that requires concealment of whether or not a given plaintext was encrypted twice in a sequence of ciphertexts.

What this means is that the security of a DAE scheme is the same as a traditional AE scheme with the exception that encrypting the same AAD and the same plaintext twice will result in the same ciphertext, an outcome an adversary would notice. Unlike other AEAD schemes, after this misuse the privacy and authenticity guarantees remain, albeit with this consideration to traffic analysis. This is a reasonable price to pay for the ability to use the HPKE APIs as more than a "single shot".

DAE can achieve the equivalent of semantic security if the message space is random enough. This is the justification for the security of key wrap schemes (see Section 1.3) in which (a portion of) the plaintext is a random key.

SIV takes a vector of AAD. When a unique sequence number can be managed it can be part of that vector. It should be noted, therefore, that it is trivial for an application that has control of the AAD to add a nonce as a component of the AAD vector to ensure unique AAD per invocation of the HPKE API and achieve the IND-CCA2 notion of security.

Alternately, for some situations-- e.g. when the message protected by HPKE is idempotent-- DAE security can be acceptable.

See Section 6.

1.3. Key Wrapping

Key wrapping schemes utilize a symmetric encryption algorithm to provide privacy and integrity to cryptographic keying material. Additionally, such schemes should provide integrity protection of cleartext associated data which contains control information about the wrapped key. Due to the symmetric nature of the algorithm, it is assumed both sides possess a shared secret, whose establishment is problematic. Therefore HPKE is naturally an attractive option to use to wrap a cryptographic key to a recipient's public key.

Since the data being wrapped is, in effect, random, a probabilistic input like a nonce is not needed, hence the deterministic nature of proposed key-wrapping schemes (see [X9102] and [RFC5649]). [SIV] is superior to those schemes in a number of ways:

  • it accepts associated data;
  • it is more efficient;
  • it accepts natural data lengths without requiring padding; and,
  • it has a security proof.

This makes it well-suited for key-wrapping use cases with HPKE.

2. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Notation

This document re-uses the notation from HPKE and adds the following:

4. Modifying HPKE

4.1. Adding Compact Representation

New DHKEMs are defined for the three NIST curves, P-256, P-384, and P-521. Being "compact", they are denoted here CP-256, CP-384, and CP-521 but are, for the purposes of cryptography, otherwise identical.

All KEM modes defined in HPKE are supported for these KEMs, including Auth and AuthPSK.

Table 1: KEM IDs

Value  KEM                         Nsecret  Nenc  Npk  Nsk  Auth  Reference
TBD1   DHKEM(CP-256, HKDF-SHA256)  32       32    32   32   yes   [NISTCurves], [RFC6090]
TBD2   DHKEM(CP-384, HKDF-SHA384)  48       48    48   48   yes   [NISTCurves], [RFC6090]
TBD3   DHKEM(CP-521, HKDF-SHA512)  64       66    66   66   yes   [NISTCurves], [RFC6090]

These KEMs use the KDFs defined in HPKE and therefore are bound by the input length restrictions of the KDF used (see Section 7.2.1 of HPKE).

The security properties of these KEMs satisfy the security requirements of a KEM used in HPKE (see Section 9.2 of HPKE).

4.1.1. SerializePublicKey and DeserializePublicKey

For CP-256, CP-384 and CP-521, the SerializePublicKey() function of the KEM performs the Integer-to-Octet-String conversion of the x-coordinate of the public key only, according to [RFC6090]. DeserializePublicKey() performs the Octet-String-to-Integer conversion of [RFC6090] to produce the x-coordinate of the resulting point. Since all of these curves have a prime p = 3 mod 4, the y-coordinate can be computed using the equation of the curve and Shanks' method of computing the square root modulo p:

        y = ((x^3 + a*x + b)^((p + 1)/4)) mod p

for a, b, and p defined for the curve in [NISTCurves]. There will be two distinct solutions for y that will differ only in sign but either one is acceptable to produce a Diffie-Hellman shared secret that is used in compact output.

These deserialized public keys MUST be validated before they can be used. See HPKE for specifics.

4.1.2. SerializePrivateKey and DeserializePrivateKey

As with HPKE, CP-256, CP-384, and CP-521 private keys are field elements in the scalar field of the curve being used. Serialization of the private key uses the Integer-to-Octet-String function from [RFC6090] and deserialization uses the Octet-String-to-Integer function from [RFC6090]. If the private key is an integer outside the range [0, order-1], where order for each curve is defined in [NISTCurves], the private key MUST be reduced, modulo the order, to [0, order-1] before being serialized.

To catch invalid keys early on, implementers of DHKEMs SHOULD check that deserialized private keys are not equivalent to 0 (mod order), where order is the order of the curve.
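As an added example, not part of the draft, the following Python implements the x-only serialization and deserialization of Sections 4.1.1 and 4.1.2 for CP-256 and checks the compact-output property the draft relies on: whichever sign of y the deserializer recovers, the x-coordinate of the ECDH result is the same. The P-256 domain parameters are the NIST values; the affine curve arithmetic, the demo scalars and the helper names are constructed here, and the 32-byte pkEm from Section 8.1 is used only to show that a compact key from the draft's own vectors deserializes to a valid point.

```python
# Added example (not from the draft): compact representation for CP-256.
# P-256 domain parameters (NIST); everything else here is constructed.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
NPK = 32  # Npk for CP-256: one field element, not two
# pkEm from Section 8.1 of the draft (x-coordinate only)
PAGE_PKEM = bytes.fromhex("23cd4f6a91f37b513480ff249b4a08fd27a56651cb359476020737807d5ce831")


def point_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add; illustration only, not side-channel hardened."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def serialize_public_key(pt):
    """Section 4.1.1: Integer-to-Octet-String of the x-coordinate only."""
    return pt[0].to_bytes(NPK, "big")


def deserialize_public_key(data):
    """Section 4.1.1: recover x, then y = (x^3 + a*x + b)^((p+1)/4) mod p.

    Validates the result: x must be a field element and the candidate y
    must square back to the curve equation, otherwise x is not on P-256."""
    if len(data) != NPK:
        raise ValueError("compact public key must be Npk octets")
    x = int.from_bytes(data, "big")
    if x >= P:
        raise ValueError("x is not a field element")
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)          # valid because p = 3 mod 4
    if y * y % P != rhs:
        raise ValueError("x is not the abscissa of a point on the curve")
    return (x, y)                            # either sign is acceptable


def serialize_private_key(d):
    """Section 4.1.2: reduce into [0, order-1] before serializing."""
    return (d % N).to_bytes(32, "big")


def deserialize_private_key(data):
    """Section 4.1.2: reject a key that is 0 mod order."""
    d = int.from_bytes(data, "big")
    if d % N == 0:
        raise ValueError("private key is 0 (mod order)")
    return d


def compact_ecdh(d, peer_pk_bytes):
    """Compact output: only the x-coordinate of d * peerPK is returned."""
    return scalar_mult(d, deserialize_public_key(peer_pk_bytes))[0].to_bytes(32, "big")


def sign_independent(d, peer_pk_bytes):
    """True if ECDH with (x, y) and with (x, -y) yields the same compact output."""
    x, y = deserialize_public_key(peer_pk_bytes)
    return scalar_mult(d, (x, y))[0] == scalar_mult(d, (x, P - y))[0]


if __name__ == "__main__":
    # constructed scalars for the demo
    dA = 0x1d0f4e5a2b3c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4
    dB = 0x7a6b5c4d3e2f10f1e2d3c4b5a69788796a5b4c3d2e1f0f1e2d3c4b5a69788797
    pkA = serialize_public_key(scalar_mult(dA, G))
    pkB = serialize_public_key(scalar_mult(dB, G))
    print("shared secrets agree:", compact_ecdh(dA, pkB) == compact_ecdh(dB, pkA))
    print("sign of y irrelevant:", sign_independent(dA, pkB))
    print("draft pkEm is a valid point:", deserialize_public_key(PAGE_PKEM)[0] < P)
```

The deserializer validates the point because the draft requires it: an x that is not on the curve fails the square check, and x-only encoding can never yield the point at infinity. The square-root shortcut applies to all three curves because P-256, P-384 and P-521 each have p = 3 mod 4; only the constants would change.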

4.2. Adding A Rolling Window

A rolling receiver replay window is added by overloading the way a context encrypts and decrypts messages-- ContextS.Seal() and ContextR.Open(). The calling parameters remain the same but the internals change and, for ContextS.Seal(), the output differs.

The replay window is implemented as a bitmask check for a window whose size is implementation-specific. For illustration purposes only it is described here as being of size 32, meaning it can tolerate loss and reorder of the previous 31 messages. The following pseudo-code has separate routines for a quick check of a received sequence number and an update to the window for sequence numbers that have been validated.

The context encryption API template is the same as that in HPKE except it prepends the sequence number, used to construct the counter for the AEAD operation, to the data returned from Seal(). Therefore the single "ct" output is, in fact, a concatenation of the four octet sequence number and the returned ciphertext.

The context decryption API template is changed to extract the sequence number from the input ciphertext, and check whether the received sequence number is conditionally good. If it is and the message is successfully opened, the window is updated with the received sequence number.

Details are as follows:

windowSize = 32

def CheckSeq(num):
  # num is the sequence number carried by a received message. This check
  # is read-only; the window is only updated once the message opens.
  if num > self.seq
      return Good
  diff = self.seq - num
  if diff >= windowSize
      return Bad          # older than anything the window tracks
  if and(self.window, (1 << diff)) == 0
      return Good
  else
      return Bad          # already received: a replay

def UpdateWindow(num):
  # Called only for a sequence number whose message opened successfully.
  # self.window is kept to windowSize bits; bit i is set if message
  # (self.seq - i) has been received.
  if num > self.seq
      diff = num - self.seq
      if diff < windowSize
          self.window <<= diff
          self.window = or(self.window, 1)
      else
          self.window = 1
      self.seq = num
  else
      diff = self.seq - num
      self.window = or(self.window, (1 << diff))
  return

def ContextS.DSeal(aad, pt):
  # The four-octet prefix carries self.seq, the value XOR'd with the base
  # nonce by ComputeNonce(), so self.seq is bounded by 2^32 - 1 here.
  ct = Seal(self.key, self.ComputeNonce(self.seq), aad, pt)
  out = concat(I2OSP(self.seq, 4), ct)
  self.IncrementSeq()
  return out

def ContextR.DOpen(aad, m):
  num = OS2IP(m[0:4])
  ct = m[4:]
  if CheckSeq(num) == Bad
      raise OpenReplay
  pt = Open(self.key, self.ComputeNonce(num), aad, ct)
  if pt == OpenError
      raise OpenError
  else
      UpdateWindow(num)
  return pt

The window is added to the Encryption Context, as well as a single datum to indicate whether the rolling receiver replay window is used (1) or not (0). When the replay window is used, Context<ROLE>.DOpen() and Context<ROLE>.DSeal() are used; when it is not, the encryption and decryption operations from HPKE are used.
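As an added example that is not part of the draft, the following Python runs the rolling receiver replay window of this section over a constructed trace of received sequence numbers, together with the four-octet sequence-number framing that DSeal() prepends and HPKE's ComputeNonce() (base_nonce XOR I2OSP(seq, Nn)). The AEAD call is injected as a callable so the DOpen control flow can be exercised without a cipher; the class and function names, the 12-byte nonce length and the trace are all assumptions made here.

```python
# Added example (not from the draft): rolling receiver replay window,
# sequence-number framing and nonce computation from Section 4.2.
WINDOW_SIZE = 32   # the draft's illustration size: tolerates the previous 31 messages


class ReplayError(Exception):
    """Raised by receive() when CheckSeq would return Bad (replayed or too old)."""


class ReplayWindow:
    """Receiver state: highest accepted seq plus a bitmask of what was seen.

    Bit i of `window` is set once message (seq - i) has been accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.seq = 0       # highest sequence number accepted so far
        self.window = 0    # nothing accepted yet, so even seq 0 is new

    def check(self, num):
        """CheckSeq: read-only plausibility test of a received seq."""
        if num > self.seq:
            return True                            # newer than anything seen
        diff = self.seq - num
        if diff >= self.size:
            return False                           # too old to be tracked
        return ((self.window >> diff) & 1) == 0    # clear bit: not yet seen

    def update(self, num):
        """UpdateWindow: record num; call only after the message opened."""
        if num > self.seq:
            diff = num - self.seq
            if diff < self.size:
                self.window = (self.window << diff) | 1
            else:
                self.window = 1                    # jumped past the whole window
            self.window &= (1 << self.size) - 1    # keep exactly `size` bits
            self.seq = num
        else:
            self.window |= 1 << (self.seq - num)


def compute_nonce(base_nonce, seq):
    """HPKE ComputeNonce: base_nonce XOR I2OSP(seq, Nn)."""
    seq_bytes = seq.to_bytes(len(base_nonce), "big")
    return bytes(a ^ b for a, b in zip(base_nonce, seq_bytes))


def frame(seq, ct):
    """DSeal output layout: four-octet big-endian seq || AEAD ciphertext."""
    return seq.to_bytes(4, "big") + ct


def unframe(m):
    """Split a DOpen input into (seq, ct)."""
    if len(m) < 4:
        raise ValueError("message shorter than the sequence-number prefix")
    return int.from_bytes(m[:4], "big"), m[4:]


def receive(window, base_nonce, m, aead_open):
    """DOpen control flow.

    `aead_open(nonce, ct)` stands in for Open(self.key, nonce, aad, ct) and
    must raise on authentication failure. The window is updated only after
    a successful open, so an unauthenticated packet cannot move it."""
    seq, ct = unframe(m)
    if not window.check(seq):
        raise ReplayError(seq)
    pt = aead_open(compute_nonce(base_nonce, seq), ct)
    window.update(seq)
    return pt


def simulate(seqs, size=WINDOW_SIZE):
    """Feed received seq numbers (each assumed to open correctly) and
    return an accept/reject verdict per message."""
    w = ReplayWindow(size)
    verdicts = []
    for s in seqs:
        ok = w.check(s)
        if ok:
            w.update(s)
        verdicts.append(ok)
    return verdicts


if __name__ == "__main__":
    # constructed trace: in order, a reorder burst, a replay of 1, a jump to
    # 40, then 8 (too old: 40 - 8 = 32) and 9 (the oldest seq still tracked)
    trace = [0, 1, 2, 5, 4, 3, 1, 40, 8, 9, 40]
    for s, ok in zip(trace, simulate(trace)):
        print(f"seq {s:3d}: {'accept' if ok else 'reject'}")
```

Two details matter for the security argument: the window is masked to exactly windowSize bits so that a diff of windowSize or more is rejected rather than silently shifting a bit out of range, and `update()` is called only after the AEAD accepted the message, so an on-path party cannot advance the window or mark sequence numbers as used by injecting packets that fail authentication.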

4.3. Adding DAE

AES-SIV, defined in [RFC5297], uses a "double-wide" key. A single large key is passed to AES-SIV, which divides the key into two: one for encipherment and the other for authenticity. Since these cipher modes are being added in their deterministic, nonce-less variant, the nonce derived for these ciphers is zero (0).

Unlike other AEAD schemes, AES-SIV takes a vector of AAD. The number of components of that vector is up to the application using AES-SIV in HPKE.

Table 2: AEAD IDs

Value  AEAD         Nk  Nn  Reference
TBD4   AES-256-SIV  32  0   [RFC5297]
TBD5   AES-512-SIV  64  0   [RFC5297]

5. IANA Considerations

IANA is requested to update the "Hybrid Public Key Encryption" registries as follows:

- assign values for TBD1, TBD2, and TBD3 from the HPKE KEM Identifiers registry; and,
- assign values for TBD4 and TBD5 from the HPKE AEAD Identifiers registry.

Please replace the TBD placeholders above with the assigned values.

6. Security Considerations

Since HPKE uses Diffie-Hellman in "compact output", the sign of the public keys is irrelevant. Discarding that which has no impact on the result, i.e. doing "compact representation", does not present a security issue.

See [SIV] for a formal security proof.

Uses of the DAE ciphers in HPKE can achieve the same level of security as the non-DAE ciphers if the calling application guarantees unique AAD per invocation or if the calling application can guarantee a random message space.

This opens up the possibility of misuse where an application inadvertently makes a non-unique invocation (which is a good reason to hide nonce management inside the HPKE context, as the existing AEAD ciphers do). For some use cases-- e.g. when messages are idempotent, or when a probabilistic operation is achieved by other means (e.g. key wrapping)-- the DAE ciphers provide an acceptable option.

It deserves to be mentioned again that even if a nonce is reused (i.e. misused) by an application wishing to manage the AAD of AES-SIV, the security of the cipher is not completely voided as it is with a non-DAE mode. The notions of deterministic privacy and deterministic authenticity are retained (see [SIV]).

7. Acknowledgements

The algorithm for the sliding window to address dropped and reordered messages was proposed by James Hughes and Harry Varnis in [RFC2401].

8. Test Vectors

The following test vectors have been generated assuming the following registry value assignments would be made by IANA:

8.1. DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-256-SIV

8.1.1. Base Setup Information

mode: 0
kem_id: 19
kdf_id: 1
aead_id: 4
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
4270e54f fd08d79d 5928020a f4686d8f 6b7d35db e470265f 1f5aa228 16ce860e

pkEm:
23cd4f6a 91f37b51 3480ff24 9b4a08fd 27a56651 cb359476 02073780 7d5ce831

ikmR:
668b3717 1f1072f3 cf12ea8a 236a45df 23fc13b8 2af3609a d1e354f6 ef817550

pkRm:
3dbc347a e6a2a467 5a6848b3 4e10bf28 ed957847 18b43f05 959b2034 039c9626

enc:
23cd4f6a 91f37b51 3480ff24 9b4a08fd 27a56651 cb359476 02073780 7d5ce831

kem_context:
23cd4f6a 91f37b51 3480ff24 9b4a08fd 27a56651 cb359476 02073780 7d5ce831
3dbc347a e6a2a467 5a6848b3 4e10bf28 ed957847 18b43f05 959b2034 039c9626

shared_secret:
97d46fdd 749db253 1604b8b6 763897ef bd75aee0 d0fc361e 186e86e6 5511ac45

key sched context:
0042df88 379ec00c 85fc09e8 fd8fce69 af9af9f4 9542c43e 7f40f222 88748ec4
6db0932e 0232d272 ff914ccb 9eb2ccfb 8d530d53 da2d99f9 5f2a8e34 ab6a4901
98

secret:
bba5e681 2bbd25f7 6ba0b01b 69431c59 6763ed32 f2614eda ab8b1798 ffd76848

key:
d76486f0 96d7b916 5dae3721 b7480709 a9253f57 134d7138 852cdbda e5d77d8a

exp:
c03303f5 8c920f88 2962d216 0fb989f3 351cfe36 846b39dc 359b876b bf6d638e

8.1.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
f663e10b f2d9ea5d 26b26f15 abf61f0c 7c02c1f1 8df3b8d9 76583d0d d7c2d190
e5e16271 2f4edd5c 1efb478c 78

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
d5462e1c 178ca945 47a21b8c d6d1fd84 32e925e4 6052b7f4 70929da5 a0342ff0
b8acc1d5 549b2bc6 30ae16d9 44

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
79c73f74 932621f2 7db58b8d 8c1c6f61 70b16944 6411f33d 2fd71b24 604ef25b
a2c5508c d06087d4 89993052 4f

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
86f34032 79358243 48b8a1c8 f4e479c4 fd1a7331 05b89b46 58b59797 1face390
7d5bcff2 41c2ea47 9d965bd1 38

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
20cb9542 523b9d2e 3ef45593 8c1edddd 72f93861 e50a273b e5ccab6b a56df502
7f56696b c49e9232 8f85be3e 17

8.2. DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-256-SIV

8.2.1. Auth Setup Information

mode: 2
kem_id: 19
kdf_id: 1
aead_id: 4
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
798d82a8 d9ea19db c7f2c6df a54e8a67 06f7cdc1 19db0813 dacf8440 ab37c857

pkEm:
ba2b510d 3808c4be ced6b153 120b79d7 78c785f9 2c3b67b3 0e153d94 5b20727d

ikmR:
7bc93bde 8890d1fb 55220e7f 3b0c107a e7e6eda3 5ca4040b b6651284 bf0747ee

pkRm:
48b9c95a 72c53280 d19d5886 15b1f3a6 b1f607c8 111b9802 1441b9ad 709da767

ikmS:
874baa0d cf93595a 24a45a7f 042e0d22 d368747d aaa7e19f 80a802af 19204ba8

pkSm:
57fc29c0 7963a7bb ec000475 c11b4633 c51788fb d2fff55e 3b9cd8cb 31acb077

enc:
ba2b510d 3808c4be ced6b153 120b79d7 78c785f9 2c3b67b3 0e153d94 5b20727d

kem_context:
ba2b510d 3808c4be ced6b153 120b79d7 78c785f9 2c3b67b3 0e153d94 5b20727d
48b9c95a 72c53280 d19d5886 15b1f3a6 b1f607c8 111b9802 1441b9ad 709da767
57fc29c0 7963a7bb ec000475 c11b4633 c51788fb d2fff55e 3b9cd8cb 31acb077

shared_secret:
ef299e8f 1be52e52 d66d3ee1 1b8a62f8 6a0b5e34 3508e6c4 8873f5ca 33926369

key sched context:
0242df88 379ec00c 85fc09e8 fd8fce69 af9af9f4 9542c43e 7f40f222 88748ec4
6db0932e 0232d272 ff914ccb 9eb2ccfb 8d530d53 da2d99f9 5f2a8e34 ab6a4901
98

secret:
b8ddfe01 c96ffeb7 713baa45 4054b2ff e724f89d 7d9b0700 487e3253 8d72d2d4

key:
215c527f e33c2626 28e08146 0b923adc 106ff93e 0ba9f297 9dc259af 14c06406

exp:
40d14e24 1ea8dfe2 62f46807 991dae10 6ccae6ed 497f2263 7676b887 a7b340a3

8.2.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
bedb26a7 9e3db3c1 bd289c88 9a269194 bf9bd3c1 b00b8009 a61bd95e 102c1d8b
dd84ec9e cb720af1 27a1322c 28

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
c8d84bc0 88814aba 99727a55 dd230ca7 d29c3033 87c3f6de 56d7ca6b 1cba1cb2
9798c7a3 5dddf1ff 4f005f46 43

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
1d15176a 07ee9bce 3bae7627 a94945bc 3a935792 1e18d47e 0a95b4b6 0bb8fada
433a162b b76b31c6 9a3b1935 3a

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
d25a11b8 c44b74ba a20be259 6e2e0d06 b5b9ba93 ccd82d05 0a613362 e0533983
887dcb70 2a3dd34a d610fb8f 5f

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
7f81b231 64c6cff3 76bbc46f 5c57fcfc dc16b80c c87ec709 6d27c40a 78619f03
1d30b956 10eb6f8a 47e880bf 1e

8.3. DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-512-SIV

8.3.1. Base Setup Information

mode: 0
kem_id: 19
kdf_id: 1
aead_id: 5
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
a90d3417 c3da9cb6 c6ae19b4 b5dd6cc9 529a4cc2 4efb7ae0 ace1f318 87a8cd6c

pkEm:
0c83751b 613bf3e6 3fa4ee1a e64ffa4c 86c997bc 97983c2a 7ec9546b ee856e0b

ikmR:
a0ce15d4 9e28bd47 a18a97e1 47582d81 4b08cbe0 0109fed5 ec27d1b4 e9f6f5e3

pkRm:
d6643f01 efee734d 147e78f7 9722012f 22dbc5bd 640348e4 dc7872fd 6afb2748

enc:
0c83751b 613bf3e6 3fa4ee1a e64ffa4c 86c997bc 97983c2a 7ec9546b ee856e0b

kem_context:
0c83751b 613bf3e6 3fa4ee1a e64ffa4c 86c997bc 97983c2a 7ec9546b ee856e0b
d6643f01 efee734d 147e78f7 9722012f 22dbc5bd 640348e4 dc7872fd 6afb2748

shared_secret:
81a5c8af 1952bbdf d200ca47 9b9b6433 fe3c1a13 55cb1381 8fa0a828 99e5746e

key sched context:
00519e25 346f3708 db318b4d dcb49fd6 becbedd5 aa490f08 b61fcbf8 2d851c0a
404abd81 049c5f21 76ab65a4 b5dcc106 ce0debc6 75606d93 4c4c4f89 230221ab
9b

secret:
14cbd262 5b385b0b e6489b24 1b78fea2 5aa60ce1 65e457ac dbd27cb1 b514eb46

key:
4134d7b1 943fc7f1 72c5d85a 47d511f2 6f917be9 634fd16c 00c997f9 96cbfa84
4e96efd4 31ea4c37 ecd5190e 4ee27245 f6c659ea 68c3bf40 ee7ae8d9 a87f0cba

exp:
f6c659ea 68c3bf40 ee7ae8d9 a87f0cba 68dded2e 39b4f8fb 10fa73a5 c7835670

8.3.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
cc89205a 7b94242f 04c29c31 88269b09 e7ab0c3d 568bd477 6b5f79cc 7af12307
632c62b0 69dffeaa 881e9338 52

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
a6c382c8 202a4886 1125fcad a36084f6 6edcb1b1 704ba464 9549cf32 359a81d8
67a311d4 115e4735 d2a0d328 01

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
cac52c02 fc5136dc 80ab7ce8 5a23bb5a 08849278 ea1ff0d8 a239f1a2 4aa46f0e
e47bac8e 4ab5acbb b17ff7c0 07

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
62232cff 2e7e7d51 28f4f62a 5899fd42 808916cf daaa8192 974fe6ff aa588a9e
82776d62 04fadaac af1ae9d5 2b

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
822dba19 de41c774 5283731a 63456269 d3738459 1e6b4c33 0b558764 dc24cfa4
abdff166 42f572e1 356c6f4c 4f

8.4. DHKEM(CP-256, HKDF-SHA256), HKDF-SHA256, AES-512-SIV

8.4.1. Auth Setup Information

mode: 2
kem_id: 19
kdf_id: 1
aead_id: 5
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
d6c49e44 2aad90bc c1bc0d16 6e5c4d3d f845c803 ba08b8a4 d891af2e eae4f97e

pkEm:
5fc3876c 0e3d841c 070d5c5b e41c048c e924f8d5 c8d11893 70955bbc 0fe349f0

ikmR:
3c567569 48f1c27a ed3eb27a 923c891d c073eccf 94bb6c1b 64a8bfaa 95f1f8f7

pkRm:
5ac93274 8d20c9aa af3c4126 51706a2a 08958a48 e7ed10f8 a944c556 9fbeca8c

ikmS:
0f3def8c c45967f8 6c566f2c 2a7deced ff0d5f8b 20a34ab6 5318144c 80cb6b2b

pkSm:
db74c19a 176482fe bad3e945 03c4b89d 622ddbf2 b1428cff 37627f6b e154011a

enc:
5fc3876c 0e3d841c 070d5c5b e41c048c e924f8d5 c8d11893 70955bbc 0fe349f0

kem_context:
5fc3876c 0e3d841c 070d5c5b e41c048c e924f8d5 c8d11893 70955bbc 0fe349f0
5ac93274 8d20c9aa af3c4126 51706a2a 08958a48 e7ed10f8 a944c556 9fbeca8c
db74c19a 176482fe bad3e945 03c4b89d 622ddbf2 b1428cff 37627f6b e154011a

shared_secret:
a67f3222 eeb41eba 6c7a9f5a 10478fd7 a0e809e9 32ec4b8c f2edd01e cc96af50

key sched context:
02519e25 346f3708 db318b4d dcb49fd6 becbedd5 aa490f08 b61fcbf8 2d851c0a
404abd81 049c5f21 76ab65a4 b5dcc106 ce0debc6 75606d93 4c4c4f89 230221ab
9b

secret:
ba6d7757 d6cdadf1 d180c866 f32b7356 cdb12e74 f6260531 85afc26f 84a68be5

key:
2d4d5c2e 584baaf4 f280cc74 8554917a 97f20b61 661e6dc9 d8a890a9 64c08c8e
9afb8755 7dd86150 d2653b49 4fcb4c85 81188ab5 38617545 8bdaae78 492fce03

exp:
81188ab5 38617545 8bdaae78 492fce03 fe7f5779 f7fd6c75 beb65c2c 04e2996e

8.4.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
2f222fa0 1a9de65c ce5c6806 2b8c6eaf 2f093fe3 431ac27b 812dce8c e466767c
eb2fd896 f587f7e7 d5c77c24 16

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
1b630e19 f1c5eb24 471c02b8 e27a7627 b22b08ac 6c6da703 a8518de0 156996ea
8f3c909e 35c3d755 797f3546 72

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
1a14eb89 70e44530 5cf558a7 7dddfcfb 1bc859b1 9bf9867d 21de9caf 4dc625ce
9f7a006a 7eff8276 ba4509f0 04

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
fad19bf7 0ecb25f3 20187fb0 bbf2489c a1f47e91 ce251e9d 021c4595 98f945d8
2e6b10ac 7dca809e dd13eaf4 65

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
833c3db5 fe83d887 266629a5 712eead2 1824c4c5 2af25ea5 a5c999e7 6178033e
cc9b1caa 8ed0b19a e21433d2 f1

8.5. DHKEM(CP-256, HKDF-SHA256), HKDF-SHA512, AES-256-SIV

8.5.1. Auth PSK Setup Information

mode: 3
kem_id: 19
kdf_id: 3
aead_id: 4
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
37ae06a5 21cd5556 48c928d7 af58ad2a a4a85e34 b8cabd06 9e94ad55 ab872cc8

pkEm:
87e52765 608be760 1d402d76 fd0cef53 c79365b6 96f0217f 89165f90 f07fb191

ikmR:
7466024b 7e2d2366 c3914d78 33718f13 afb9e3e4 5bcfbb51 0594d614 ddd9b4e7

pkRm:
474f1abb 69c066b7 1c1c35c6 a67dccb1 8d3a6cfd 5bf95501 d6594c3e 144b7b9b

ikmS:
ee27aaf9 9bf5cd83 98e9de88 ac09a82a c22cdb8d 0905ab05 c0f5fa12 ba1709f3

pkSm:
a2076645 915893d8 df5d99b2 5368e1de 74de3b6b 070d8fbe b85b242c bf00a47c

psk:
0247fd33 b913760f a1fa51e1 892d9f30 7fbe65eb 171e8132 c2af1855 5a738b82

psk_id:
456e6e79 6e204475 72696e20 6172616e 204d6f72 6961

enc:
87e52765 608be760 1d402d76 fd0cef53 c79365b6 96f0217f 89165f90 f07fb191

kem_context:
87e52765 608be760 1d402d76 fd0cef53 c79365b6 96f0217f 89165f90 f07fb191
474f1abb 69c066b7 1c1c35c6 a67dccb1 8d3a6cfd 5bf95501 d6594c3e 144b7b9b
a2076645 915893d8 df5d99b2 5368e1de 74de3b6b 070d8fbe b85b242c bf00a47c

shared_secret:
0c554e67 af28a8cb 6548163c bba01e0c 882111cb 9a9d2b70 d52f27a6 b5da0e93

key sched context:
03642680 fd2063b9 86985586 8974385d 56017618 19fa5a72 37b63dc0 da6e4077
c5c78de8 337eca9c 42d67d80 a8325e74 054784b9 aee52c79 b2197221 1fe7818b
6152309f 3bf294d6 6d770cfd 89d0650d bf6b3965 4f2ea930 e7969658 9bc27908
57be3497 fbb54404 8c335380 9dfbdc6a 95d7ca0b 07bc85ef 7b0af851 1d553cf9
18

secret:
2647e270 0b8ea588 b2a63c6b d1393457 f78ff2d1 e9c4a94e 7bd0c8d4 342b0144
bea7736f 4326ae69 a64ba8ba 3e7c8638 6755d09a 2aa5a367 ae28ae7e acd0cba8

key:
3d42271a de1f9f1e dabf0e42 76ea6460 9537b59a 4b19da97 51f28001 04d82d1d

exp:
0c086497 bcf20cff 2d9f6afd 0b3a193c 2432bd7f 5ce1dc3d e486b58b eed4175d
2f0db038 f2f5251a 0d7031c2 4b7cd6f9 f5113aa2 63fb341e fcd75d53 ba517012

8.5.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
5791f3bc 18c026d4 ae772474 a941c730 e8221677 6e638c49 0d7995df 451f94c2
c6ccdd22 9f6b03fa bde4dfc2 53

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
6e277787 ad78afd6 3a05b3a1 b950f79c 2ae01270 77c2a415 a9da993e ad96021e
a4ab4157 4bccf4bd 9829e58b 32

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
0b228658 535cd69c 5b18906d 5c9f694c 00d2ce05 84831c15 5d9b52ca b28e7b4c
2e9cd3fd 5b71b269 74ac7b9c 24

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
ffec14a4 f2a60701 b720cbdc b80ceb46 038de563 53fec944 d2c1b732 b7c50cb9
393d5c23 f9dc4681 d12347d6 f7

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
49cf661e 681e07e1 d1016a84 6069f3b1 ce0e0465 09726f1f d7b15036 e5b5fa81
6fd58f65 7bd44afd 15c41608 da

8.6. DHKEM(CP-521, HKDF-SHA512), HKDF-SHA256, AES-256-SIV

8.6.1. Base Setup Information

mode: 0
kem_id: 21
kdf_id: 1
aead_id: 4
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
5040af7a 10269b11 f78bb884 812ad200 41866db8 bbd749a6 a69e3f33 e54da716
4598f005 bce09a9f e190e29c 2f42df9e 9e3aad04 0fccc625 ddbd7aa9 9063fc59
4f40

pkEm:
005208f9 56649e60 0e958116 ae05435a 6adb3a17 2e29bc3b 22818043 535ede1a
977bc486 40f4163e 8fc68c3c fb629380 cad13675 b93d186d 39e754ed 62055014
a5f5

ikmR:
39a28dc3 17c3e48b 908948f9 9d608059 f882d3d0 9c054182 4bc25f94 e6dee7aa
0df1c644 296b06fb b76e84ae f5008f8a 908e08fb abadf706 58538d74 753a85f8
856a

pkRm:
01d07d98 c86f123e 13a052cf 58d4d7f9 ac98ab62 aa0fccc6 a2354ab4 4abc0e33
8cf8ba8a 8a26225a a1bf023a 9d4db0a1 2135b7b7 c95aadc6 eec3fdc6 4eb4fdf0
e440

enc:
005208f9 56649e60 0e958116 ae05435a 6adb3a17 2e29bc3b 22818043 535ede1a
977bc486 40f4163e 8fc68c3c fb629380 cad13675 b93d186d 39e754ed 62055014
a5f5

kem_context:
005208f9 56649e60 0e958116 ae05435a 6adb3a17 2e29bc3b 22818043 535ede1a
977bc486 40f4163e 8fc68c3c fb629380 cad13675 b93d186d 39e754ed 62055014
a5f501d0 7d98c86f 123e13a0 52cf58d4 d7f9ac98 ab62aa0f ccc6a235 4ab44abc
0e338cf8 ba8a8a26 225aa1bf 023a9d4d b0a12135 b7b7c95a adc6eec3 fdc64eb4
fdf0e440

shared_secret:
01b5e494 8af1dae6 9fe69cf1 ff6c2f52 022ce691 6fa5e846 40351561 292f19c4
2fa6fd27 132d0414 dbc67d34 8f9efaaf 2064f76e b6e43f2c 0c59d72f 2b75b988

key sched context:
0039cb31 552274b7 da50f702 38462e6b e53b4160 074e225a 907a8190 97ddb649
abf15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7
d8

secret:
f2d20b62 5e87880e a2480be2 521ff460 456aed76 c5a6126f ca17f425 1a560170

key:
d5af37fe 38083050 a54eaa25 5ce46c17 2885f187 b9264003 0e3fd60b a7d87380

exp:
6808978c 1be493c8 5b9422cc 0d4dcb86 0527807e 5df1c453 78932f9d de0fda57

8.6.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
4ff1fe67 2ff031c3 3fc6c14a 6c136699 7d851d0a 4590018f ae2066e4 dcfcb13c
3246d608 ca844350 a29ad685 5c

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
3ca22120 0355f2e6 439963de 114637bf 6f5377e1 87c549fe d17acfe8 90e66150
db037d42 dfd52d94 1b6705b9 68

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
1d37ce24 9aa151cd 55d9d15b 610af39c ced8b1f7 cdc1ef9b fcaaef90 304a1a97
1fed768a 69bdc3a9 77f85f60 a4

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
fb439464 8952c250 8e749bd6 d5efabfc ee6d3ce8 ac3af85c a2783e3d 052edcdf
3e0dede7 e69dc3ff 31034868 d4

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
23e2c812 e82fdd54 8dd72af8 0f16ae02 c23ceedc 250332b6 d18dd132 2d433692
895c7969 81fa655d d537ec20 2d

8.7. DHKEM(CP-521, HKDF-SHA512), HKDF-SHA256, AES-256-SIV

8.7.1. PSK Setup Information

mode: 1
kem_id: 21
kdf_id: 1
aead_id: 4
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
19484305 36ca540c 53351ae5 9d7a2240 8f1a0f20 1c1387e2 38ca8c52 ea162da7
ffe27652 fbbfef9b 60b66a03 9c80853a 4224c01f d83155a1 7373c92f 3d41bc25
4943

pkEm:
012c55eb 18a3184f 8fefb856 f2f16d9d 2e7bb9bd bf0842c4 f4d5d668 17302753
ee239e72 627e724d a393436d 47d7dede 97734ce6 db12387b cfa5713b b20e0ccd
cbd6

ikmR:
3c9a57ce 2773fc44 d2b03a9f ed866e9f 8dfd18bf c844c4dd c254fe0c 836643b9
fd3f54ce 090caf5f 07829fd0 17ebdf4b 43408579 85f21056 d5a2dd46 1dd61da9
afce

pkRm:
016368a1 295c5fef 6f80fd82 98401040 c2960e4b 8db4c265 c2eb4832 8ac026c1
74075384 12be0251 35f88f66 50f61fe1 0a6bd91a f4b9e431 442bbfa2 3192c08c
757d

psk:
0247fd33 b913760f a1fa51e1 892d9f30 7fbe65eb 171e8132 c2af1855 5a738b82

psk_id:
456e6e79 6e204475 72696e20 6172616e 204d6f72 6961

enc:
012c55eb 18a3184f 8fefb856 f2f16d9d 2e7bb9bd bf0842c4 f4d5d668 17302753
ee239e72 627e724d a393436d 47d7dede 97734ce6 db12387b cfa5713b b20e0ccd
cbd6

kem_context:
012c55eb 18a3184f 8fefb856 f2f16d9d 2e7bb9bd bf0842c4 f4d5d668 17302753
ee239e72 627e724d a393436d 47d7dede 97734ce6 db12387b cfa5713b b20e0ccd
cbd60163 68a1295c 5fef6f80 fd829840 1040c296 0e4b8db4 c265c2eb 48328ac0
26c17407 538412be 025135f8 8f6650f6 1fe10a6b d91af4b9 e431442b bfa23192
c08c757d

shared_secret:
7dbf19ed dced8520 cf9f4f09 cbe09c67 c7493d6e 798d69f0 f13fc693 e3161d27
8b37b1f7 78556a5d 293957bb 768a1567 75bded1e c835fc69 faeb6e01 d981110d

key sched context:
012c9501 61b56512 ae1c5fde be9b6c1e 680e1277 308a175e 6452aa32 28f6d60b
5ef15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7
d8

secret:
7ef0b355 87409fe5 6a1fcad4 6f0615ae ae7b7481 a182a193 7496916c 50316b8e

key:
1896f4f4 95dd067d 784384af 71d3d58e 47dd910d c4262f98 c771a4ec a17de51f

exp:
d1aeffbc d46c96a6 2cdbc75d 9f7dc7dd 21ba50d5 9ec10191 b0e49add 953f9f21

8.7.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
46afb04f 153770d7 09a7781b 4363b9c2 69b9a0f8 686e76c6 e8a384c0 ea3c6713
70f7c37c 02da3702 3330ebda 64

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
0f1be046 2892d8b7 177659c6 1620981e 4d5d3220 b58a7d88 05f9423e a8c7d30e
e1837826 196c4bdb 33cdd0fc 28

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
cd2061da 9aca2be6 b740677d 0f37ad1d 3b0fad32 dbadbf48 0c8c665b 08472f6a
fb5a4516 cb292372 02470111 41

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
2aae252b bb85bf18 769f2c74 4919897e d3315cdc 00f00975 abf5552b 41be8182
13e10893 8359385e 3ba0b5d0 a1

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
e72f8b91 a13fb546 dd40a03d 178c1938 813fb62b ae1e45e4 fb2d8ed3 55cb6876
0b02cce5 38571845 c014f91c 8e

8.8. DHKEM(CP-521, HKDF-SHA512), HKDF-SHA256, AES-256-SIV

8.8.1. Auth Setup Information

mode: 2
kem_id: 21
kdf_id: 1
aead_id: 4
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
d45cc999 ba65eb6b ec00cf9b df308ae7 57558d62 8938ada2 d7bbf97b f58b401d
ea5710d5 c1f733fd 30dade61 6806669a cce09ba3 2cc57d58 02026955 3a19d632
d1f7

pkEm:
00941aa3 61e3df67 8316e950 f082f38d 972b4f5d 789d4abb ebb0bd10 7f3e1d77
66a02538 47840ec2 bb22dd43 6cbf9a8b fa90a38f 61e86ca1 44877699 8e1d7db7
33a3

ikmR:
fd95b48b 2a8e53cd 12da39ec c343c273 ce282b00 f185b6e9 80d3b4b8 55e938ea
0ba841e8 dfe5ac19 4ba830a5 23a7c5d1 faff6482 ff5e46ea 8f25b126 b8545c6d
eb11

pkRm:
01f7b479 fef9ddbf 10a12c7e 5d4e22f5 ca3745e6 12dc7007 96f80ecf 0a32e5d0
3b4e526d bc08234b 13740963 ea1e9de2 85a21647 72ae3fcf f7a513b8 f7c132f6
7b18

ikmS:
7c533451 b4b61ba8 ee879bb4 e11fb330 d0397244 2d74fd7c f5ebc0f8 84a90005
a87fcb0e 3401e9f7 24b45cec de6d9f6d d88f202e f23f790d a10867d6 bd8d9fb8
bf89

pkSm:
01715f0e 475571c9 9e0bfac5 eae86e08 fbea30db 23f670ed 471b053f f5f7c464
3daf384e 7714d25a 45170576 8d05ab73 00e0cb64 5d21c697 49a46680 f31eec0e
fc2a

enc:
00941aa3 61e3df67 8316e950 f082f38d 972b4f5d 789d4abb ebb0bd10 7f3e1d77
66a02538 47840ec2 bb22dd43 6cbf9a8b fa90a38f 61e86ca1 44877699 8e1d7db7
33a3

kem_context:
00941aa3 61e3df67 8316e950 f082f38d 972b4f5d 789d4abb ebb0bd10 7f3e1d77
66a02538 47840ec2 bb22dd43 6cbf9a8b fa90a38f 61e86ca1 44877699 8e1d7db7
33a301f7 b479fef9 ddbf10a1 2c7e5d4e 22f5ca37 45e612dc 700796f8 0ecf0a32
e5d03b4e 526dbc08 234b1374 0963ea1e 9de285a2 164772ae 3fcff7a5 13b8f7c1
32f67b18 01715f0e 475571c9 9e0bfac5 eae86e08 fbea30db 23f670ed 471b053f
f5f7c464 3daf384e 7714d25a 45170576 8d05ab73 00e0cb64 5d21c697 49a46680
f31eec0e fc2a

shared_secret:
fd55afea 8cf91399 eab366b2 1f9c1c5e 1be2cc06 92a988d3 58884755 7eaebf4b
1a85f6f1 150e34f5 0fa4faa8 2beba6b6 a06d97e7 8a63a43d 7c0369b4 851ddda4

key sched context:
0239cb31 552274b7 da50f702 38462e6b e53b4160 074e225a 907a8190 97ddb649
abf15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7
d8

secret:
d0880b5f 93b8f99f 9c9abb4f 7601b1ca 2dff70fb 5529feef 0d99d93d 41884d40

key:
6d033540 ec5a1637 909a8a21 cd82f1eb 2ac87042 37a56060 e18ef2ac 477ad7db

exp:
dea686af f2384f2a dce9e499 2796f08d a0ff7261 95baa721 ae4000db c920673e

8.8.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
d07d5c55 86afa2a6 328c314c e93621cb 8ee6cb90 66970b1c e2f739bb 0706dd4d
142d3748 aed46417 af8005f2 78

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
9c8533d4 02a7cec4 e930f41a 26f97df9 2c5d3ee4 829f79e0 b3b3ff85 4c8ba34f
c58ab0be a948bd91 c5eb8a90 08

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
3e7da863 847fceb1 fcc49478 8f045e9b fcce98d7 9e091bae 0edeb004 cb9f0e93
75b59eeb 635e885c 6e810c1c 12

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
ac688968 d5a19dc7 206f79e3 068fc6ef 3a9e0ce2 f8ff3d37 809cb238 de30638a
81241150 f1cd8d77 89cd2513 a0

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
5c845010 89cb8655 7b84ba09 2ff19c20 3a771ca7 b4a0a5cb 57110ddc 71020a5a
ed746a56 679223a6 503e368c 1d

8.9. DHKEM(CP-521, HKDF-SHA512), HKDF-SHA256, AES-512-SIV

8.9.1. Base Setup Information

mode: 0
kem_id: 21
kdf_id: 1
aead_id: 5
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
9953fbd6 33be69d9 84fc4fff c4d7749f 007dbf97 102d36a6 47a8108b 0bb7c609
e826b026 aec1cd47 b93fc5ac b7518fa4 55ed38d0 c29e900c 56990635 612fd3d2
20d2

pkEm:
00fd79f7 20262f2f 38f6e164 3139fad0 58a07210 a0ded183 092de949 b70271ab
7fc59999 b9f13ce8 a0c79454 841be330 e0298d6b b3449e1b e6835f52 2963fdbe
2cbb

ikmR:
17320bc9 3d9bc1d4 22ba0c70 5bf693e9 a51a855d 6e09c11b ddea5687 adc1a112
2ec81384 dc7e4795 9cae01c4 20a69e8e 39337d9e bf9a9b2f 3905cb76 a35b0693
ac34

pkRm:
00685b94 a565c40e 44467ded 521e51dd 27062392 7f076cae 5d2ac51e daa00c08
0cb53932 a0f96476 7016be86 e1828c97 406a1c45 210bd72a 6a4db565 a0a2ede1
66bf

enc:
00fd79f7 20262f2f 38f6e164 3139fad0 58a07210 a0ded183 092de949 b70271ab
7fc59999 b9f13ce8 a0c79454 841be330 e0298d6b b3449e1b e6835f52 2963fdbe
2cbb

kem_context:
00fd79f7 20262f2f 38f6e164 3139fad0 58a07210 a0ded183 092de949 b70271ab
7fc59999 b9f13ce8 a0c79454 841be330 e0298d6b b3449e1b e6835f52 2963fdbe
2cbb0068 5b94a565 c40e4446 7ded521e 51dd2706 23927f07 6cae5d2a c51edaa0
0c080cb5 3932a0f9 64767016 be86e182 8c97406a 1c45210b d72a6a4d b565a0a2
ede166bf

shared_secret:
f4016476 1b23e62a 825c3a12 f00a300c 7fc0bca7 d63a4b4d 8decd9e3 e6665c77
72e5caa3 1d81b01c 83f85fad 171604a5 f5620d0e b3adc049 cf84a244 da1b66fc

key sched context:
009c83af 569335de c008d972 3b99516d aeca636c f2f750ff d5097d80 b3325949
62d402df a706d773 c51099d3 c7a050a9 601fec9e fcd1d0fe ee84db47 31678771
a5

secret:
c1c03165 591c1b1f 402c6a2f e51cef09 fffe1014 5e1bbec1 48f16424 3e8e8657

key:
fcd7bd4d 7fb57f4b ac324cea fca16db2 c93579e9 cf3ac7d3 ebe1cc5d 9a961ff5
64a7a5f7 4a27fbc7 c527b6e9 f69df654 b544b8c5 4a9d17f1 af85e9c0 c4878c58

exp:
b544b8c5 4a9d17f1 af85e9c0 c4878c58 a209c5f4 431a199f 605c7179 9153500d

8.9.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
904a4929 f11643ef 3225d8e2 503b13cf cc3eb26d 6c9f4ccf c551c960 19465f64
130278f3 492e3bad 15635243 3d

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
00d1baad b17b86a2 23eba165 0bf4b165 993365f0 c30d3a50 81f06d67 9a456e1a
e786644c 6c26b617 18d93bc0 2d

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
c61f2a7b 01451896 06efcd72 ae5835f4 3d563368 8635d2e0 6e33dfc3 b89d11f5
38a61f94 f1a48a98 4c74c01a 30

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
65f0fe74 1623cc3e 1f324cf6 51c30b9a cafff85c 53945d3c 1e9038df 4c3ffcd2
3a587a83 e6089a78 5e92825d a4

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
41466afb 39544cf3 39a1bb23 2b19660d 96d2b357 4c6ef39b a505e412 f49f5f3f
8b45c53b dbc35f0b 8876a387 9d

8.10. DHKEM(CP-521, HKDF-SHA512), HKDF-SHA512, AES-512-SIV

8.10.1. Auth PSK Setup Information

mode: 3
kem_id: 21
kdf_id: 3
aead_id: 5
info:
4f646520 6f6e2061 20477265 6369616e 2055726e

ikmE:
54272797 b1fbc128 a6967ff1 fd606e0c 67868f77 62ce1421 439cbc9e 90ce1b28
d566e6c2 acbce712 e48eebf2 36696eb6 80849d68 73e99593 95b29319 75d61d38
bd6c

pkEm:
01b716a3 3ef96baa 96761a89 0b08efc6 762f2f20 fe7db159 7c3e3663 4a3973e6
8bdb71f9 1cc2d701 ad4424a3 04554f12 efce4c25 991f2033 d51c1f3c 43d95564
4510

ikmR:
3db434a8 bc25b27e b0c590dc 64997ab1 378a99f5 2b2cb5a5 a5b2fa54 0888f6c0
f09794c6 54f44685 24e040e6 b4eca2c9 dcf229f9 08b9d318 f960cc9e 9baa92c5
eee6

pkRm:
01bf5b74 278612e1 cfa7a47c dbe24a6f be41b73c 32e98e98 6d40c849 0a9201d3
187483b8 b66e2710 5a3eb80c 394a889a 24841875 7425b0e3 a4b376f3 fd8ea087
daf4

ikmS:
65d523d9 b37e1273 eb25ad05 27d3a7bd 33f67208 dd1666d9 904c6bc0 4969ae58
31a8b849 e7ff6425 81f2c3e5 6be84609 600d3c6b bdaded3f 6989c37d 2892b1e9
78d5

pkSm:
01856189 0c5378f2 dedf9da7 8c082f22 01110f1c ca97637c e4ae528c af38ee87
5d70b77f a72c4b6f 2fb42466 f98852dc 8466c4de f387db3a 6514872f 616d7379
e27e

psk:
0247fd33 b913760f a1fa51e1 892d9f30 7fbe65eb 171e8132 c2af1855 5a738b82

psk_id:
456e6e79 6e204475 72696e20 6172616e 204d6f72 6961

enc:
01b716a3 3ef96baa 96761a89 0b08efc6 762f2f20 fe7db159 7c3e3663 4a3973e6
8bdb71f9 1cc2d701 ad4424a3 04554f12 efce4c25 991f2033 d51c1f3c 43d95564
4510

kem_context:
01b716a3 3ef96baa 96761a89 0b08efc6 762f2f20 fe7db159 7c3e3663 4a3973e6
8bdb71f9 1cc2d701 ad4424a3 04554f12 efce4c25 991f2033 d51c1f3c 43d95564
451001bf 5b742786 12e1cfa7 a47cdbe2 4a6fbe41 b73c32e9 8e986d40 c8490a92
01d31874 83b8b66e 27105a3e b80c394a 889a2484 18757425 b0e3a4b3 76f3fd8e
a087daf4 01856189 0c5378f2 dedf9da7 8c082f22 01110f1c ca97637c e4ae528c
af38ee87 5d70b77f a72c4b6f 2fb42466 f98852dc 8466c4de f387db3a 6514872f
616d7379 e27e

shared_secret:
3c1c20e2 16a48012 e032127b af46a725 e55448f8 511a5ea2 ebffd891 473ebc8c
20373d88 8738685b 018e7310 066976bb b35ad27f 9392a870 42865aeb 354b2428

key sched context:
03da3273 57c39707 4a257ebc 3c27e309 5b2cf890 951bd032 98123a00 638fa3e6
2e6a1e3d 436ec52f 6c250a5f 944b3626 28790988 4d63325b d9695d6f 4f553903
43600877 1dae94d9 1fb0cbbf 0fb8158c 0f900b77 6f6d42cf fb380ba2 1d7fdace
bfc89e97 42c05989 9df732ff abd7c0bb b6be7b4d ca65329c a793a0e5 a5444136
3b

secret:
4ed11ada 787796ec ae5c3893 f815b659 bc6f1639 410494da 971c3f30 5a4ad7cd
32184287 ab2bb55d 51d23620 38a0cc8f 973636dd 853dafb4 af399229 38e8c8cc

key:
d52bfae5 a7cd0d6c 41c1be93 9de5c0a5 3782ad74 6deb76d7 fd662509 727eeb9d
eaab86d1 7a444b7b 100519b9 d8ac2762 bdc1b9eb 64ec8bd8 362a2df3 e82bf4b0

exp:
bdc1b9eb 64ec8bd8 362a2df3 e82bf4b0 6ba82d93 e0bbf28c e286d3d6 53915dc1
97b0de63 38e56727 e44fdc59 a1a942b6 5b82641d 00aceaf1 08e2bbc2 becd40ee

8.10.2. Encryption

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d30

ct:
1bb2088e 0e946ce2 6925273d 498a474c 49c7e735 eb8d3cca ba242e98 c560d5a1
786c7982 234017bd 0f8a5985 0f

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d31

ct:
d5052151 1c06077c 00d7eaed 143ee355 2d1d0c44 c96227c0 c89a20e6 121f9721
e288410c 4f94955c 32097c21 51

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d32

ct:
718eaaa6 97bae275 efbc2064 cd09cd81 48e45691 7de46704 d0ff2367 46d47fb9
3936dafc 5baf0485 b61c2e43 f0

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d33

ct:
141754a9 97b92442 bff79fcb 92d51261 f45c2922 1c58f577 95863b53 c87f1fda
e5c25c77 bc277abc 0508deac 55

pt:
42656175 74792069 73207472 7574682c 20747275 74682062 65617574 79

aad:
436f756e 742d34

ct:
4e2f2352 29e2281b 92d40c86 2e84f9a5 19ac0766 49b42ef6 031c5967 3fbccb97
312962f0 c51ccf0e 2395f8f0 75

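The following script is an added consistency check on the CP-521 vectors above; it is not part of this draft and not the author's code. It copies the key schedule contexts from Sections 8.6 to 8.8 and the key and exp values from Sections 8.9 and 8.10, splits each context into mode || psk_id_hash || info_hash, and recomputes the context from mode, psk_id and info as RFC 9180 Section 5.1 specifies (LabeledExtract with suite_id = "HPKE" || kem_id || kdf_id || aead_id). That this draft leaves the key schedule and the suite_id layout unchanged is an assumption of the script. Two things can be read off the vectors without any cryptography: the psk_id_hash and info_hash fields line up across the three AES-256-SIV vectors exactly as the construction predicts, and in both AES-512-SIV vectors the first 16 bytes of exp equal the last 16 bytes of key, which two HKDF-Expand outputs under distinct labels would not share. The second point is worth knowing before debugging a mismatch against those two exp values.

```python
"""Added consistency checks for the DHKEM(CP-521) vectors in Section 8.

Not part of the draft. Hex constants are copied from the vectors above;
the recomputation assumes the unmodified RFC 9180 key schedule.
"""
import hashlib
import hmac

# kdf_id -> hash function, per the HPKE KDF registry (RFC 9180, Section 7.2)
KDF_HASH = {1: hashlib.sha256, 3: hashlib.sha512}


def unhex(s: str) -> bytes:
    """Parse the space- and newline-separated hex layout used in the vectors."""
    return bytes.fromhex("".join(s.split()))


def suite_id(kem_id: int, kdf_id: int, aead_id: int) -> bytes:
    """suite_id = "HPKE" || I2OSP(kem_id, 2) || I2OSP(kdf_id, 2) || I2OSP(aead_id, 2)."""
    return (b"HPKE" + kem_id.to_bytes(2, "big") + kdf_id.to_bytes(2, "big")
            + aead_id.to_bytes(2, "big"))


def labeled_extract(salt: bytes, label: bytes, ikm: bytes, kdf_id: int, sid: bytes) -> bytes:
    """LabeledExtract (RFC 9180, Section 4): HKDF-Extract over "HPKE-v1" || suite_id || label || ikm."""
    return hmac.new(salt, b"HPKE-v1" + sid + label + ikm, KDF_HASH[kdf_id]).digest()


def expected_context(mode: int, psk_id: bytes, info: bytes,
                     kem_id: int, kdf_id: int, aead_id: int) -> bytes:
    """key_schedule_context = mode || psk_id_hash || info_hash (RFC 9180, Section 5.1)."""
    sid = suite_id(kem_id, kdf_id, aead_id)
    psk_id_hash = labeled_extract(b"", b"psk_id_hash", psk_id, kdf_id, sid)
    info_hash = labeled_extract(b"", b"info_hash", info, kdf_id, sid)
    return bytes([mode]) + psk_id_hash + info_hash


def split_context(ctx: bytes, kdf_id: int):
    """Split a printed key schedule context into (mode, psk_id_hash, info_hash)."""
    nh = KDF_HASH[kdf_id]().digest_size
    if len(ctx) != 1 + 2 * nh:
        raise ValueError(f"context is {len(ctx)} bytes, expected {1 + 2 * nh}")
    return ctx[0], ctx[1:1 + nh], ctx[1 + nh:]


def key_exp_overlap(key: bytes, exp: bytes) -> int:
    """Length of the longest suffix of key that is also a prefix of exp (0 for independent outputs)."""
    for n in range(min(len(key), len(exp)), 0, -1):
        if key[-n:] == exp[:n]:
            return n
    return 0


# Values copied from Sections 8.6 to 8.10; info and psk_id are shared by all of them.
INFO = unhex("4f646520 6f6e2061 20477265 6369616e 2055726e")            # "Ode on a Grecian Urn"
PSK_ID = unhex("456e6e79 6e204475 72696e20 6172616e 204d6f72 6961")    # "Ennyn Durin aran Moria"
CTX_8_6 = unhex("""0039cb31 552274b7 da50f702 38462e6b e53b4160 074e225a 907a8190 97ddb649
abf15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7 d8""")
CTX_8_7 = unhex("""012c9501 61b56512 ae1c5fde be9b6c1e 680e1277 308a175e 6452aa32 28f6d60b
5ef15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7 d8""")
CTX_8_8 = unhex("""0239cb31 552274b7 da50f702 38462e6b e53b4160 074e225a 907a8190 97ddb649
abf15bdf a83da9ab 26c13dc8 a615e0f0 3facb5b5 5a8363ed a76e52b2 fdbf04f7 d8""")
KEY_8_9 = unhex("""fcd7bd4d 7fb57f4b ac324cea fca16db2 c93579e9 cf3ac7d3 ebe1cc5d 9a961ff5
64a7a5f7 4a27fbc7 c527b6e9 f69df654 b544b8c5 4a9d17f1 af85e9c0 c4878c58""")
EXP_8_9 = unhex("b544b8c5 4a9d17f1 af85e9c0 c4878c58 a209c5f4 431a199f 605c7179 9153500d")
KEY_8_10 = unhex("""d52bfae5 a7cd0d6c 41c1be93 9de5c0a5 3782ad74 6deb76d7 fd662509 727eeb9d
eaab86d1 7a444b7b 100519b9 d8ac2762 bdc1b9eb 64ec8bd8 362a2df3 e82bf4b0""")
EXP_8_10 = unhex("""bdc1b9eb 64ec8bd8 362a2df3 e82bf4b0 6ba82d93 e0bbf28c e286d3d6 53915dc1
97b0de63 38e56727 e44fdc59 a1a942b6 5b82641d 00aceaf1 08e2bbc2 becd40ee""")


def context_matches(ctx: bytes, mode: int, psk_id: bytes,
                    kem_id: int, kdf_id: int, aead_id: int) -> bool:
    """True if the printed context equals a fresh RFC 9180 computation from its inputs."""
    return ctx == expected_context(mode, psk_id, INFO, kem_id, kdf_id, aead_id)


if __name__ == "__main__":
    for name, ctx, mode, psk_id in (("8.6", CTX_8_6, 0, b""),
                                    ("8.7", CTX_8_7, 1, PSK_ID),
                                    ("8.8", CTX_8_8, 2, b"")):
        m, psk_id_hash, info_hash = split_context(ctx, 1)
        print(f"{name}: mode={m} psk_id_hash={psk_id_hash.hex()[:16]}.. "
              f"info_hash={info_hash.hex()[:16]}.. "
              f"recomputed context matches={context_matches(ctx, mode, psk_id, 21, 1, 4)}")
    print("8.9  key/exp overlap (bytes):", key_exp_overlap(KEY_8_9, EXP_8_9))
    print("8.10 key/exp overlap (bytes):", key_exp_overlap(KEY_8_10, EXP_8_10))
```

The structural checks (mode byte, field lengths, equal info_hash across the three vectors that share a suite and info, equal psk_id_hash in the two vectors with an empty psk_id) depend only on the bytes printed above. The recomputation in context_matches additionally depends on the assumption that the draft keeps RFC 9180's LabeledExtract and suite_id unchanged; a False there means either that assumption or the vector is wrong, and the split fields show which half disagrees.
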
9. References

9.1. Normative References

[NISTCurves]
"Digital Signature Standard (DSS)", DOI 10.6028/nist.fips.186-4, National Institute of Standards and Technology report, <https://doi.org/10.6028/nist.fips.186-4>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/info/rfc2119>.
[RFC5297]
Harkins, D., "Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)", RFC 5297, DOI 10.17487/RFC5297, <https://www.rfc-editor.org/info/rfc5297>.
[RFC6090]
McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, <https://www.rfc-editor.org/info/rfc6090>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9180]
Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180, <https://www.rfc-editor.org/info/rfc9180>.

9.2. Informative References

[RFC2401]
Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, DOI 10.17487/RFC2401, <https://www.rfc-editor.org/info/rfc2401>.
[RFC5649]
Housley, R. and M. Dworkin, "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm", RFC 5649, DOI 10.17487/RFC5649, <https://www.rfc-editor.org/info/rfc5649>.
[SECG]
"Elliptic Curve Cryptography, Standards for Efficient Cryptography Group, ver. 2", <https://secg.org/sec1-v2.pdf>.
[SIV]
Rogaway, P. and T. Shrimpton, "Deterministic Authenticated Encryption: A Provable-Security Treatment of the Key-Wrap Problem", <https://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf>.
[X9102]
ANSI X9, "Symmetric Key Cryptography For The Financial Services Industry -- Wrapping of Keys and Associated Data".

Author's Address

Dan Harkins
Hewlett-Packard Enterprise