File: rfc9180.html

package info (click to toggle)
doc-rfc 20230121-1
links: PTS, VCS
area: non-free
in suites: bookworm, forky, sid, trixie
size: 1,609,944 kB
file content (7504 lines) | stat: -rw-r--r-- 351,470 bytes
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 9180: Hybrid Public Key Encryption</title>
<meta content="Richard L. Barnes" name="author">
<meta content="Karthik Bhargavan" name="author">
<meta content="Benjamin Lipp" name="author">
<meta content="Christopher A. Wood" name="author">
<meta content="
       This document describes a scheme for hybrid public key encryption (HPKE).
This scheme provides a variant of public key encryption of arbitrary-sized
plaintexts for a recipient public key. It also includes three authenticated
variants, including one that authenticates possession of a pre-shared key 
and two optional ones that authenticate possession of a key encapsulation
mechanism (KEM) private key. HPKE works for any combination of an asymmetric
KEM, key derivation function (KDF), and authenticated encryption with
additional data (AEAD) encryption function. Some authenticated variants may not
be supported by all KEMs. We provide instantiations of the scheme using widely
used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key
agreement, HMAC-based key derivation function (HKDF), and SHA2. 
       This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. 
    " name="description">
<meta content="xml2rfc 3.12.2" name="generator">
<meta content="public key encryption" name="keyword">
<meta content="key encapsulation" name="keyword">
<meta content="post-quantum public key encryption" name="keyword">
<meta content="9180" name="rfc.number">
<!-- Generator version information:
  xml2rfc 3.12.2
    Python 3.6.15
    appdirs 1.4.4
    ConfigArgParse 1.4.1
    google-i18n-address 2.4.0
    html5lib 1.0.1
    intervaltree 3.0.2
    Jinja2 2.11.3
    kitchen 1.2.6
    lxml 4.4.2
    pycairo 1.15.1
    pycountry 19.8.18
    pyflakes 2.1.1
    PyYAML 5.4.1
    requests 2.24.0
    setuptools 40.5.0
    six 1.14.0
    WeasyPrint 52.5
-->
<link href="rfc9180.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necssary during the development of the v3
  formatters.

*/

/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

@viewport {
  zoom: 1.0;
  width: extend-to-zoom;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
  line-height: 1.6;
  scroll-behavior: smooth;
}
.ears {
  display: none;
}

/* headings */
#title, h1, h2, h3, h4, h5, h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px;  /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5, h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div, span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
     support flexbox yet.
  */
  display: table;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
}
ul.empty li, .ulEmpty li {
  margin-top: 0.5em;
}
ul.ulBare, li.ulBare {
  margin-left: 0em !important;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: .8em;
  min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt, code, pre, code {
  background-color: #f9f9f9;
  font-family: 'Roboto Mono', monospace;
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select:none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
/* Fix PDF info block run off issue */
@media print {
  #identifiers dd {
    float: none;
  }
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc  {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: "The RFC Editor will remove this note";
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px;  /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before { /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
    content: "";
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {

    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  h2+*, h3+*, h4+*, h5+*, h6+* {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The follwing is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */

}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}


/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt, code, pre, code {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
  line-height: 1.12;
}


/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact informatio look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
 margin-left: auto;
 margin-right: 0;
}
table.center {
 margin-left: auto;
 margin-right: auto;
}
table.left {
 margin-left: 0;
 margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }

}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
 h2 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 31px;
 }
 h3 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
 h4 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
   margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em;                       /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption, table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
  h4    { font-size: 1em;       padding-top: 1.5em; }
  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav { display: none; }
  #toc.active nav { display: block; }
}
/* Add support for keepWithNext */
.keepWithNext {
  break-after: avoid-page;
  break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
  break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode  {
  break-before: auto;
  break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
  break-before: auto;
  break-inside: auto;
}
dt {
  break-before: auto;
  break-after: avoid-page;
}
dd {
  break-before: avoid-page;
  break-after: auto;
  orphans: 3;
  widows: 3
}
span.break, dd.break {
  margin-bottom: 0;
  min-height: 0;
  break-before: auto;
  break-inside: auto;
  break-after: auto;
}
/* Undo break-before ToC */
@media print {
  #toc {
    break-before: auto;
  }
}
/* Text in compact lists should not get extra bottim margin space,
   since that would makes the list not compact */
ul.compact p, .ulCompact p,
ol.compact p, .olCompact p {
 margin: 0;
}
/* But the list as a whole needs the extra space at the end */
section ul.compact,
section .ulCompact,
section ol.compact,
section .olCompact {
  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
}
/* The tt and code background above interferes with for instance table cell
   backgrounds.  Changed to something a bit more selective. */
tt, code {
  background-color: transparent;
}
p tt, p code, li tt, li code {
  background-color: #f8f8f8;
}
/* Tweak the pre margin -- 0px doesn't come out well */
pre {
   margin-top: 0.5px;
}
/* Tweak the comact list text */
ul.compact, .ulCompact,
ol.compact, .olCompact,
dl.compact, .dlCompact {
  line-height: normal;
}
/* Don't add top margin for nested lists */
li > ul, li > ol, li > dl,
dd > ul, dd > ol, dd > dl,
dl > dd > dl {
  margin-top: initial;
}
/* Elements that should not be rendered on the same line as a <dt> */
/* This should match the element list in writer.text.TextWriter.render_dl() */
dd > div.artwork:first-child,
dd > aside:first-child,
dd > figure:first-child,
dd > ol:first-child,
dd > div:first-child > pre.sourcecode,
dd > table:first-child,
dd > ul:first-child {
  clear: left;
}
/* fix for weird browser behaviour when <dd/> is empty */
dt+dd:empty::before{
  content: "\00a0";
}
/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
li > p {
  margin-bottom: 0.5em
}
/* Don't let p margin spill out from inside list items */
li > p:last-of-type {
  margin-bottom: 0;
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc9180" rel="alternate">
  <link href="urn:issn:2070-1721" rel="alternate">
  <link href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke-12" rel="prev">
  </head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 9180</td>
<td class="center">HPKE</td>
<td class="right">February 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">Barnes, et al.</td>
<td class="center">Informational</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Internet Research Task Force (IRTF)</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc9180" class="eref">9180</a></dd>
<dt class="label-category">Category:</dt>
<dd class="category">Informational</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-02" class="published">February 2022</time>
    </dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">R. Barnes</div>
<div class="org">Cisco</div>
</div>
<div class="author">
      <div class="author-name">K. Bhargavan</div>
<div class="org">Inria</div>
</div>
<div class="author">
      <div class="author-name">B. Lipp</div>
<div class="org">Inria</div>
</div>
<div class="author">
      <div class="author-name">C. Wood</div>
<div class="org">Cloudflare</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 9180</h1>
<h1 id="title">Hybrid Public Key Encryption</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">This document describes a scheme for hybrid public key encryption (HPKE).
This scheme provides a variant of public key encryption of arbitrary-sized
plaintexts for a recipient public key. It also includes three authenticated
variants, including one that authenticates possession of a pre-shared key 
and two optional ones that authenticate possession of a key encapsulation
mechanism (KEM) private key. HPKE works for any combination of an asymmetric
KEM, key derivation function (KDF), and authenticated encryption with
additional data (AEAD) encryption function. Some authenticated variants may not
be supported by all KEMs. We provide instantiations of the scheme using widely
used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key
agreement, HMAC-based key derivation function (HKDF), and SHA2.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-abstract-2">This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.<a href="#section-abstract-2" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
        <h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
        </h2>
<p id="section-boilerplate.1-1">
            This document is not an Internet Standards Track specification; it is
            published for informational purposes.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
            This document is a product of the Internet Research Task Force
            (IRTF).  The IRTF publishes the results of Internet-related
            research and development activities.  These results might not be
            suitable for deployment.  This RFC represents the consensus of the Crypto Forum
            Research Group of the Internet Research Task Force (IRTF).
            Documents approved for publication by the IRSG are not
            candidates for any level of Internet Standard; see Section 2 of RFC
            7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <span><a href="https://www.rfc-editor.org/info/rfc9180">https://www.rfc-editor.org/info/rfc9180</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2022 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="xref">2</a>.  <a href="#name-requirements-notation" class="xref">Requirements Notation</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1" class="keepWithNext"><a href="#section-3" class="xref">3</a>.  <a href="#name-notation" class="xref">Notation</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-cryptographic-dependencies" class="xref">Cryptographic Dependencies</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>.  <a href="#name-dh-based-kem-dhkem" class="xref">DH-Based KEM (DHKEM)</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-hybrid-public-key-encryptio" class="xref">Hybrid Public Key Encryption</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="xref">5.1</a>.  <a href="#name-creating-the-encryption-con" class="xref">Creating the Encryption Context</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1.2.1">
                    <p id="section-toc.1-1.5.2.1.2.1.1"><a href="#section-5.1.1" class="xref">5.1.1</a>.  <a href="#name-encryption-to-a-public-key" class="xref">Encryption to a Public Key</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1.2.2">
                    <p id="section-toc.1-1.5.2.1.2.2.1"><a href="#section-5.1.2" class="xref">5.1.2</a>.  <a href="#name-authentication-using-a-pre-" class="xref">Authentication Using a Pre-Shared Key</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1.2.3">
                    <p id="section-toc.1-1.5.2.1.2.3.1"><a href="#section-5.1.3" class="xref">5.1.3</a>.  <a href="#name-authentication-using-an-asy" class="xref">Authentication Using an Asymmetric Key</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1.2.4">
                    <p id="section-toc.1-1.5.2.1.2.4.1"><a href="#section-5.1.4" class="xref">5.1.4</a>.  <a href="#name-authentication-using-both-a" class="xref">Authentication Using Both a PSK and an Asymmetric Key</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="xref">5.2</a>.  <a href="#name-encryption-and-decryption" class="xref">Encryption and Decryption</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3">
                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="xref">5.3</a>.  <a href="#name-secret-export" class="xref">Secret Export</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-single-shot-apis" class="xref">Single-Shot APIs</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
                <p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="xref">6.1</a>.  <a href="#name-encryption-and-decryption-2" class="xref">Encryption and Decryption</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
                <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="xref">6.2</a>.  <a href="#name-secret-export-2" class="xref">Secret Export</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-algorithm-identifiers" class="xref">Algorithm Identifiers</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
                <p id="section-toc.1-1.7.2.1.1"><a href="#section-7.1" class="xref">7.1</a>.  <a href="#name-key-encapsulation-mechanism" class="xref">Key Encapsulation Mechanisms (KEMs)</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1.2.1">
                    <p id="section-toc.1-1.7.2.1.2.1.1"><a href="#section-7.1.1" class="xref">7.1.1</a>.  <a href="#name-serializepublickey-and-dese" class="xref">SerializePublicKey and DeserializePublicKey</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1.2.2">
                    <p id="section-toc.1-1.7.2.1.2.2.1"><a href="#section-7.1.2" class="xref">7.1.2</a>.  <a href="#name-serializeprivatekey-and-des" class="xref">SerializePrivateKey and DeserializePrivateKey</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1.2.3">
                    <p id="section-toc.1-1.7.2.1.2.3.1"><a href="#section-7.1.3" class="xref">7.1.3</a>.  <a href="#name-derivekeypair" class="xref">DeriveKeyPair</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1.2.4">
                    <p id="section-toc.1-1.7.2.1.2.4.1"><a href="#section-7.1.4" class="xref">7.1.4</a>.  <a href="#name-validation-of-inputs-and-ou" class="xref">Validation of Inputs and Outputs</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1.2.5">
                    <p id="section-toc.1-1.7.2.1.2.5.1"><a href="#section-7.1.5" class="xref">7.1.5</a>.  <a href="#name-future-kems" class="xref">Future KEMs</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2">
                <p id="section-toc.1-1.7.2.2.1"><a href="#section-7.2" class="xref">7.2</a>.  <a href="#name-key-derivation-functions-kd" class="xref">Key Derivation Functions (KDFs)</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.1">
                    <p id="section-toc.1-1.7.2.2.2.1.1"><a href="#section-7.2.1" class="xref">7.2.1</a>.  <a href="#name-input-length-restrictions" class="xref">Input Length Restrictions</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.3">
                <p id="section-toc.1-1.7.2.3.1"><a href="#section-7.3" class="xref">7.3</a>.  <a href="#name-authenticated-encryption-wi" class="xref">Authenticated Encryption with Associated Data (AEAD)
 Functions</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-api-considerations" class="xref">API Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
                <p id="section-toc.1-1.8.2.1.1"><a href="#section-8.1" class="xref">8.1</a>.  <a href="#name-auxiliary-authenticated-app" class="xref">Auxiliary Authenticated Application Information</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2">
                <p id="section-toc.1-1.8.2.2.1"><a href="#section-8.2" class="xref">8.2</a>.  <a href="#name-errors" class="xref">Errors</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-security-considerations" class="xref">Security Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1">
                <p id="section-toc.1-1.9.2.1.1"><a href="#section-9.1" class="xref">9.1</a>.  <a href="#name-security-properties" class="xref">Security Properties</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1.2.1">
                    <p id="section-toc.1-1.9.2.1.2.1.1"><a href="#section-9.1.1" class="xref">9.1.1</a>.  <a href="#name-key-compromise-impersonatio" class="xref">Key-Compromise Impersonation</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1.2.2">
                    <p id="section-toc.1-1.9.2.1.2.2.1"><a href="#section-9.1.2" class="xref">9.1.2</a>.  <a href="#name-computational-analysis" class="xref">Computational Analysis</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1.2.3">
                    <p id="section-toc.1-1.9.2.1.2.3.1"><a href="#section-9.1.3" class="xref">9.1.3</a>.  <a href="#name-post-quantum-security" class="xref">Post-Quantum Security</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2">
                <p id="section-toc.1-1.9.2.2.1"><a href="#section-9.2" class="xref">9.2</a>.  <a href="#name-security-requirements-on-a-" class="xref">Security Requirements on a KEM Used within HPKE</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2.2.1">
                    <p id="section-toc.1-1.9.2.2.2.1.1"><a href="#section-9.2.1" class="xref">9.2.1</a>.  <a href="#name-encap-decap-interface" class="xref">Encap/Decap Interface</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2.2.2">
                    <p id="section-toc.1-1.9.2.2.2.2.1"><a href="#section-9.2.2" class="xref">9.2.2</a>.  <a href="#name-authencap-authdecap-interfa" class="xref">AuthEncap/AuthDecap Interface</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2.2.3">
                    <p id="section-toc.1-1.9.2.2.2.3.1"><a href="#section-9.2.3" class="xref">9.2.3</a>.  <a href="#name-kem-key-reuse" class="xref">KEM Key Reuse</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.3">
                <p id="section-toc.1-1.9.2.3.1"><a href="#section-9.3" class="xref">9.3</a>.  <a href="#name-security-requirements-on-a-k" class="xref">Security Requirements on a KDF</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.4">
                <p id="section-toc.1-1.9.2.4.1"><a href="#section-9.4" class="xref">9.4</a>.  <a href="#name-security-requirements-on-an" class="xref">Security Requirements on an AEAD</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.5">
                <p id="section-toc.1-1.9.2.5.1"><a href="#section-9.5" class="xref">9.5</a>.  <a href="#name-pre-shared-key-recommendati" class="xref">Pre-Shared Key Recommendations</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.6">
                <p id="section-toc.1-1.9.2.6.1"><a href="#section-9.6" class="xref">9.6</a>.  <a href="#name-domain-separation" class="xref">Domain Separation</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7">
                <p id="section-toc.1-1.9.2.7.1"><a href="#section-9.7" class="xref">9.7</a>.  <a href="#name-application-embedding-and-n" class="xref">Application Embedding and Non-Goals</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7.2.1">
                    <p id="section-toc.1-1.9.2.7.2.1.1"><a href="#section-9.7.1" class="xref">9.7.1</a>.  <a href="#name-message-order-and-message-l" class="xref">Message Order and Message Loss</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7.2.2">
                    <p id="section-toc.1-1.9.2.7.2.2.1"><a href="#section-9.7.2" class="xref">9.7.2</a>.  <a href="#name-downgrade-prevention" class="xref">Downgrade Prevention</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7.2.3">
                    <p id="section-toc.1-1.9.2.7.2.3.1"><a href="#section-9.7.3" class="xref">9.7.3</a>.  <a href="#name-replay-protection" class="xref">Replay Protection</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7.2.4">
                    <p id="section-toc.1-1.9.2.7.2.4.1"><a href="#section-9.7.4" class="xref">9.7.4</a>.  <a href="#name-forward-secrecy" class="xref">Forward Secrecy</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7.2.5">
                    <p id="section-toc.1-1.9.2.7.2.5.1"><a href="#section-9.7.5" class="xref">9.7.5</a>.  <a href="#name-bad-ephemeral-randomness" class="xref">Bad Ephemeral Randomness</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.7.2.6">
                    <p id="section-toc.1-1.9.2.7.2.6.1"><a href="#section-9.7.6" class="xref">9.7.6</a>.  <a href="#name-hiding-plaintext-length" class="xref">Hiding Plaintext Length</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.8">
                <p id="section-toc.1-1.9.2.8.1"><a href="#section-9.8" class="xref">9.8</a>.  <a href="#name-bidirectional-encryption" class="xref">Bidirectional Encryption</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.9">
                <p id="section-toc.1-1.9.2.9.1"><a href="#section-9.9" class="xref">9.9</a>.  <a href="#name-metadata-protection" class="xref">Metadata Protection</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-message-encoding" class="xref">Message Encoding</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
            <p id="section-toc.1-1.11.1"><a href="#section-11" class="xref">11</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.1">
                <p id="section-toc.1-1.11.2.1.1"><a href="#section-11.1" class="xref">11.1</a>.  <a href="#name-kem-identifiers" class="xref">KEM Identifiers</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.2">
                <p id="section-toc.1-1.11.2.2.1"><a href="#section-11.2" class="xref">11.2</a>.  <a href="#name-kdf-identifiers" class="xref">KDF Identifiers</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.3">
                <p id="section-toc.1-1.11.2.3.1"><a href="#section-11.3" class="xref">11.3</a>.  <a href="#name-aead-identifiers" class="xref">AEAD Identifiers</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
            <p id="section-toc.1-1.12.1"><a href="#section-12" class="xref">12</a>. <a href="#name-references" class="xref">References</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.1">
                <p id="section-toc.1-1.12.2.1.1"><a href="#section-12.1" class="xref">12.1</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.2">
                <p id="section-toc.1-1.12.2.2.1"><a href="#section-12.2" class="xref">12.2</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13">
            <p id="section-toc.1-1.13.1"><a href="#appendix-A" class="xref">Appendix A</a>.  <a href="#name-test-vectors" class="xref">Test Vectors</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.1">
                <p id="section-toc.1-1.13.2.1.1"><a href="#appendix-A.1" class="xref">A.1</a>.  <a href="#name-dhkemx25519-hkdf-sha256-hkd" class="xref">DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.1.2.1">
                    <p id="section-toc.1-1.13.2.1.2.1.1"><a href="#appendix-A.1.1" class="xref">A.1.1</a>.  <a href="#name-base-setup-information" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.1.2.2">
                    <p id="section-toc.1-1.13.2.1.2.2.1"><a href="#appendix-A.1.2" class="xref">A.1.2</a>.  <a href="#name-psk-setup-information" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.1.2.3">
                    <p id="section-toc.1-1.13.2.1.2.3.1"><a href="#appendix-A.1.3" class="xref">A.1.3</a>.  <a href="#name-auth-setup-information" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.1.2.4">
                    <p id="section-toc.1-1.13.2.1.2.4.1"><a href="#appendix-A.1.4" class="xref">A.1.4</a>.  <a href="#name-authpsk-setup-information" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.2">
                <p id="section-toc.1-1.13.2.2.1"><a href="#appendix-A.2" class="xref">A.2</a>.  <a href="#name-dhkemx25519-hkdf-sha256-hkdf" class="xref">DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.2.2.1">
                    <p id="section-toc.1-1.13.2.2.2.1.1"><a href="#appendix-A.2.1" class="xref">A.2.1</a>.  <a href="#name-base-setup-information-2" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.2.2.2">
                    <p id="section-toc.1-1.13.2.2.2.2.1"><a href="#appendix-A.2.2" class="xref">A.2.2</a>.  <a href="#name-psk-setup-information-2" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.2.2.3">
                    <p id="section-toc.1-1.13.2.2.2.3.1"><a href="#appendix-A.2.3" class="xref">A.2.3</a>.  <a href="#name-auth-setup-information-2" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.2.2.4">
                    <p id="section-toc.1-1.13.2.2.2.4.1"><a href="#appendix-A.2.4" class="xref">A.2.4</a>.  <a href="#name-authpsk-setup-information-2" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.3">
                <p id="section-toc.1-1.13.2.3.1"><a href="#appendix-A.3" class="xref">A.3</a>.  <a href="#name-dhkemp-256-hkdf-sha256-hkdf" class="xref">DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.3.2.1">
                    <p id="section-toc.1-1.13.2.3.2.1.1"><a href="#appendix-A.3.1" class="xref">A.3.1</a>.  <a href="#name-base-setup-information-3" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.3.2.2">
                    <p id="section-toc.1-1.13.2.3.2.2.1"><a href="#appendix-A.3.2" class="xref">A.3.2</a>.  <a href="#name-psk-setup-information-3" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.3.2.3">
                    <p id="section-toc.1-1.13.2.3.2.3.1"><a href="#appendix-A.3.3" class="xref">A.3.3</a>.  <a href="#name-auth-setup-information-3" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.3.2.4">
                    <p id="section-toc.1-1.13.2.3.2.4.1"><a href="#appendix-A.3.4" class="xref">A.3.4</a>.  <a href="#name-authpsk-setup-information-3" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.4">
                <p id="section-toc.1-1.13.2.4.1"><a href="#appendix-A.4" class="xref">A.4</a>.  <a href="#name-dhkemp-256-hkdf-sha256-hkdf-" class="xref">DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.4.2.1">
                    <p id="section-toc.1-1.13.2.4.2.1.1"><a href="#appendix-A.4.1" class="xref">A.4.1</a>.  <a href="#name-base-setup-information-4" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.4.2.2">
                    <p id="section-toc.1-1.13.2.4.2.2.1"><a href="#appendix-A.4.2" class="xref">A.4.2</a>.  <a href="#name-psk-setup-information-4" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.4.2.3">
                    <p id="section-toc.1-1.13.2.4.2.3.1"><a href="#appendix-A.4.3" class="xref">A.4.3</a>.  <a href="#name-auth-setup-information-4" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.4.2.4">
                    <p id="section-toc.1-1.13.2.4.2.4.1"><a href="#appendix-A.4.4" class="xref">A.4.4</a>.  <a href="#name-authpsk-setup-information-4" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.5">
                <p id="section-toc.1-1.13.2.5.1"><a href="#appendix-A.5" class="xref">A.5</a>.  <a href="#name-dhkemp-256-hkdf-sha256-hkdf-s" class="xref">DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.5.2.1">
                    <p id="section-toc.1-1.13.2.5.2.1.1"><a href="#appendix-A.5.1" class="xref">A.5.1</a>.  <a href="#name-base-setup-information-5" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.5.2.2">
                    <p id="section-toc.1-1.13.2.5.2.2.1"><a href="#appendix-A.5.2" class="xref">A.5.2</a>.  <a href="#name-psk-setup-information-5" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.5.2.3">
                    <p id="section-toc.1-1.13.2.5.2.3.1"><a href="#appendix-A.5.3" class="xref">A.5.3</a>.  <a href="#name-auth-setup-information-5" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.5.2.4">
                    <p id="section-toc.1-1.13.2.5.2.4.1"><a href="#appendix-A.5.4" class="xref">A.5.4</a>.  <a href="#name-authpsk-setup-information-5" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.6">
                <p id="section-toc.1-1.13.2.6.1"><a href="#appendix-A.6" class="xref">A.6</a>.  <a href="#name-dhkemp-521-hkdf-sha512-hkdf" class="xref">DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.6.2.1">
                    <p id="section-toc.1-1.13.2.6.2.1.1"><a href="#appendix-A.6.1" class="xref">A.6.1</a>.  <a href="#name-base-setup-information-6" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.6.2.2">
                    <p id="section-toc.1-1.13.2.6.2.2.1"><a href="#appendix-A.6.2" class="xref">A.6.2</a>.  <a href="#name-psk-setup-information-6" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.6.2.3">
                    <p id="section-toc.1-1.13.2.6.2.3.1"><a href="#appendix-A.6.3" class="xref">A.6.3</a>.  <a href="#name-auth-setup-information-6" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.6.2.4">
                    <p id="section-toc.1-1.13.2.6.2.4.1"><a href="#appendix-A.6.4" class="xref">A.6.4</a>.  <a href="#name-authpsk-setup-information-6" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.7">
                <p id="section-toc.1-1.13.2.7.1"><a href="#appendix-A.7" class="xref">A.7</a>.  <a href="#name-dhkemx25519-hkdf-sha256-hkdf-" class="xref">DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.7.2.1">
                    <p id="section-toc.1-1.13.2.7.2.1.1"><a href="#appendix-A.7.1" class="xref">A.7.1</a>.  <a href="#name-base-setup-information-7" class="xref">Base Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.7.2.2">
                    <p id="section-toc.1-1.13.2.7.2.2.1"><a href="#appendix-A.7.2" class="xref">A.7.2</a>.  <a href="#name-psk-setup-information-7" class="xref">PSK Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.7.2.3">
                    <p id="section-toc.1-1.13.2.7.2.3.1"><a href="#appendix-A.7.3" class="xref">A.7.3</a>.  <a href="#name-auth-setup-information-7" class="xref">Auth Setup Information</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13.2.7.2.4">
                    <p id="section-toc.1-1.13.2.7.2.4.1"><a href="#appendix-A.7.4" class="xref">A.7.4</a>.  <a href="#name-authpsk-setup-information-7" class="xref">AuthPSK Setup Information</a></p>
</li>
                </ul>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14">
            <p id="section-toc.1-1.14.1"><a href="#appendix-B" class="xref"></a><a href="#name-acknowledgements" class="xref">Acknowledgements</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15">
            <p id="section-toc.1-1.15.1"><a href="#appendix-C" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
</li>
        </ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">Encryption schemes that combine asymmetric and symmetric algorithms have been
specified and practiced since the early days of public key cryptography, e.g.,
<span>[<a href="#RFC1421" class="xref">RFC1421</a>]</span>. Combining the two yields the key management advantages of asymmetric
cryptography and the performance benefits of symmetric cryptography. The traditional
combination has been "encrypt the symmetric key with the public key." "Hybrid"
public key encryption (HPKE) schemes, specified here, take a different approach:
"generate the symmetric key and its encapsulation with the public key."
Specifically, encrypted messages convey an encryption key encapsulated with a
public key scheme, along with one or more arbitrary-sized ciphertexts encrypted
using that key. This type of public key encryption has many applications in
practice, including Messaging Layer Security <span>[<a href="#I-D.ietf-mls-protocol" class="xref">MLS-PROTOCOL</a>]</span> and
TLS Encrypted ClientHello <span>[<a href="#I-D.ietf-tls-esni" class="xref">TLS-ECH</a>]</span>.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">Currently, there are numerous competing and non-interoperable standards and
variants for hybrid encryption, mostly variants on the Elliptic Curve Integrated Encryption Scheme (ECIES), including ANSI X9.63
(ECIES) <span>[<a href="#ANSI" class="xref">ANSI</a>]</span>, IEEE 1363a <span>[<a href="#IEEE1363" class="xref">IEEE1363</a>]</span>, ISO/IEC 18033-2 <span>[<a href="#ISO" class="xref">ISO</a>]</span>, and SECG SEC 1
<span>[<a href="#SECG" class="xref">SECG</a>]</span>.  See <span>[<a href="#MAEA10" class="xref">MAEA10</a>]</span> for a thorough comparison.  All these existing
schemes have problems, e.g., because they rely on outdated primitives, lack
proofs of indistinguishable (adaptive) chosen-ciphertext attack (IND-CCA2) security, or fail to provide test vectors.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">This document defines an HPKE scheme that provides a subset
of the functions provided by the collection of schemes above but
specified with sufficient clarity that they can be interoperably
implemented. The HPKE construction defined herein is secure against (adaptive)
chosen ciphertext attacks (IND-CCA2-secure) under classical assumptions about
the underlying primitives <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span> <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span>. A summary of
these analyses is in <a href="#sec-properties" class="xref">Section 9.1</a>.<a href="#section-1-3" class="pilcrow">¶</a></p>
<p id="section-1-4">This document represents the consensus of the Crypto Forum Research Group (CFRG).<a href="#section-1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="requirements-notation">
<section id="section-2">
      <h2 id="name-requirements-notation">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-requirements-notation" class="section-name selfRef">Requirements Notation</a>
      </h2>
<p id="section-2-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>",
      "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>",
      "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>",
      "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document
      are to be interpreted as described in BCP 14 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span>
        <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> when, and only when, they appear in all capitals,
      as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="notation">
<section id="section-3">
      <h2 id="name-notation">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-notation" class="section-name selfRef">Notation</a>
      </h2>
<p id="section-3-1">The following terms are used throughout this document to describe the
operations, roles, and behaviors of HPKE:<a href="#section-3-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-3-2">
        <dt id="section-3-2.1">
<code>(skX, pkX)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.2">A key encapsulation mechanism (KEM) key pair used in role X,
 where X is one of S, R, or E as sender, recipient, and ephemeral, respectively;
 <code>skX</code> is the private key and <code>pkX</code> is the public key.<a href="#section-3-2.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.3">
<code>pk(skX)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.4">The KEM public key corresponding to the KEM private key <code>skX</code>.<a href="#section-3-2.4" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.5">Sender (S):</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.6">Role of entity that sends an encrypted message.<a href="#section-3-2.6" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.7">Recipient (R):</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.8">Role of entity that receives an encrypted message.<a href="#section-3-2.8" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.9">Ephemeral (E):</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.10">Role of a fresh random value meant for one-time use.<a href="#section-3-2.10" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.11">
<code>I2OSP(n, w)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.12">Convert non-negative integer <code>n</code> to a <code>w</code>-length,
 big-endian byte
 string, as described in <span>[<a href="#RFC8017" class="xref">RFC8017</a>]</span>.<a href="#section-3-2.12" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.13">
<code>OS2IP(x)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.14">Convert byte string <code>x</code> to a non-negative integer, as described in
 <span>[<a href="#RFC8017" class="xref">RFC8017</a>]</span>, assuming big-endian byte order.<a href="#section-3-2.14" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.15">
<code>concat(x0, ..., xN)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.16">Concatenation of byte strings. <code>concat(0x01, 0x0203, 0x040506) =
 0x010203040506</code>.<a href="#section-3-2.16" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.17">
<code>random(n)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.18">A pseudorandom byte string of length <code>n</code> bytes<a href="#section-3-2.18" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
<dt id="section-3-2.19">
<code>xor(a,b)</code>:</dt>
        <dd style="margin-left: 1.5em" id="section-3-2.20">XOR of byte strings; <code>xor(0xF0F0, 0x1234) = 0xE2C4</code>. It is an error to
 call this function with two arguments of unequal length.<a href="#section-3-2.20" class="pilcrow">¶</a>
</dd>
      <dd class="break"></dd>
</dl>
</section>
</div>
<div id="base-crypto">
<section id="section-4">
      <h2 id="name-cryptographic-dependencies">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-cryptographic-dependencies" class="section-name selfRef">Cryptographic Dependencies</a>
      </h2>
<p id="section-4-1">HPKE variants rely on the following primitives:<a href="#section-4-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-2.1">
          <p id="section-4-2.1.1">A key encapsulation mechanism (KEM):<a href="#section-4-2.1.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-2.1.2.1">
              <code>GenerateKeyPair()</code>: Randomized algorithm to generate a key pair
       <code>(skX, pkX)</code>.<a href="#section-4-2.1.2.1" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.2">
              <code>DeriveKeyPair(ikm)</code>: Deterministic algorithm to derive a key
       pair <code>(skX, pkX)</code> from the
     byte string <code>ikm</code>, where <code>ikm</code> <span class="bcp14">SHOULD</span> have at
     least <code>Nsk</code> bytes of entropy (see <a href="#derive-key-pair" class="xref">Section 7.1.3</a> for discussion).<a href="#section-4-2.1.2.2" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.3">
              <code>SerializePublicKey(pkX)</code>: Produce a byte string of length <code>Npk</code> encoding the public key
     <code>pkX</code>.<a href="#section-4-2.1.2.3" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.4">
              <code>DeserializePublicKey(pkXm)</code>: Parse a byte string of length <code>Npk</code> to recover a public key. This
     function can raise a <code>DeserializeError</code> error upon <code>pkXm</code>
     deserialization failure.<a href="#section-4-2.1.2.4" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.5">
              <code>Encap(pkR)</code>: Randomized algorithm to generate an ephemeral, fixed-length symmetric key
     (the KEM shared secret) and a fixed-length encapsulation of that key that can
     be decapsulated by the holder of the private key corresponding to <code>pkR</code>.
     This function can raise an <code>EncapError</code> on encapsulation failure.<a href="#section-4-2.1.2.5" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.6">
              <code>Decap(enc, skR)</code>: Deterministic algorithm using the private key <code>skR</code> to recover the
     ephemeral symmetric key (the KEM shared secret) from its encapsulated
     representation <code>enc</code>. This function can raise a <code>DecapError</code> on
     decapsulation failure.<a href="#section-4-2.1.2.6" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.7">
              <code>AuthEncap(pkR, skS)</code> (optional): Same as <code>Encap()</code>, and the outputs encode an assurance that the KEM
     shared secret was generated by the holder of the private key <code>skS</code>.<a href="#section-4-2.1.2.7" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.8">
              <code>AuthDecap(enc, skR, pkS)</code> (optional): Same as <code>Decap()</code>, and the recipient is assured that the KEM shared
     secret was generated by the holder of the private key <code>skS</code>.<a href="#section-4-2.1.2.8" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.9">
              <code>Nsecret</code>: The length in bytes of a KEM shared secret produced by this KEM.<a href="#section-4-2.1.2.9" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.10">
              <code>Nenc</code>: The length in bytes of an encapsulated key produced by this KEM.<a href="#section-4-2.1.2.10" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.11">
              <code>Npk</code>: The length in bytes of an encoded public key for this KEM.<a href="#section-4-2.1.2.11" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.1.2.12">
              <code>Nsk</code>: The length in bytes of an encoded private key for this KEM.<a href="#section-4-2.1.2.12" class="pilcrow">¶</a>
</li>
          </ul>
</li>
        <li class="normal" id="section-4-2.2">
          <p id="section-4-2.2.1">A key derivation function (KDF):<a href="#section-4-2.2.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-2.2.2.1">
              <code>Extract(salt, ikm)</code>: Extract a pseudorandom key of fixed length <code>Nh</code> bytes from input
     keying material <code>ikm</code> and an optional byte string <code>salt</code>.<a href="#section-4-2.2.2.1" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.2.2.2">
              <code>Expand(prk, info, L)</code>: Expand a pseudorandom key <code>prk</code> using optional string <code>info</code>
     into <code>L</code> bytes of output keying material.<a href="#section-4-2.2.2.2" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.2.2.3">
              <code>Nh</code>: The output size of the <code>Extract()</code> function in bytes.<a href="#section-4-2.2.2.3" class="pilcrow">¶</a>
</li>
          </ul>
</li>
        <li class="normal" id="section-4-2.3">
          <p id="section-4-2.3.1">An AEAD encryption algorithm <span>[<a href="#RFC5116" class="xref">RFC5116</a>]</span>:<a href="#section-4-2.3.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-2.3.2.1">
              <code>Seal(key, nonce, aad, pt)</code>: Encrypt and authenticate plaintext <code>pt</code> with associated data
     <code>aad</code> using symmetric key <code>key</code> and nonce
     <code>nonce</code>,
     yielding ciphertext and tag <code>ct</code>. This function can raise a
     <code>MessageLimitReachedError</code> upon failure.<a href="#section-4-2.3.2.1" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.3.2.2">
              <code>Open(key, nonce, aad, ct)</code>: Decrypt ciphertext and tag <code>ct</code> using associated data
     <code>aad</code>
     with symmetric key <code>key</code> and nonce <code>nonce</code>, returning plaintext
     message <code>pt</code>. This function can raise an <code>OpenError</code> or
     <code>MessageLimitReachedError</code> upon failure.<a href="#section-4-2.3.2.2" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.3.2.3">
              <code>Nk</code>: The length in bytes of a key for this algorithm.<a href="#section-4-2.3.2.3" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.3.2.4">
              <code>Nn</code>: The length in bytes of a nonce for this algorithm.<a href="#section-4-2.3.2.4" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-4-2.3.2.5">
              <code>Nt</code>: The length in bytes of the authentication tag for this algorithm.<a href="#section-4-2.3.2.5" class="pilcrow">¶</a>
</li>
          </ul>
</li>
      </ul>
<p id="section-4-3">Beyond the above, a KEM <span class="bcp14">MAY</span> also expose the following functions, whose
      behavior is detailed in <a href="#serializeprivatekey" class="xref">Section 7.1.2</a>:<a href="#section-4-3" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-4.1">
          <code>SerializePrivateKey(skX)</code>: Produce a byte string of length <code>Nsk</code> encoding the private key
 <code>skX</code>.<a href="#section-4-4.1" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-4-4.2">
          <code>DeserializePrivateKey(skXm)</code>: Parse a byte string of length <code>Nsk</code> to recover a private key. This
 function can raise a <code>DeserializeError</code> error upon <code>skXm</code>
 deserialization failure.<a href="#section-4-4.2" class="pilcrow">¶</a>
</li>
      </ul>
<p id="section-4-5">A <em>ciphersuite</em> is a triple (KEM, KDF, AEAD) containing a choice of algorithm
for each primitive.<a href="#section-4-5" class="pilcrow">¶</a></p>
<p id="section-4-6">A set of algorithm identifiers for concrete instantiations of these
primitives is provided in <a href="#ciphersuites" class="xref">Section 7</a>.  Algorithm identifier
values are two bytes long.<a href="#section-4-6" class="pilcrow">¶</a></p>
<p id="section-4-7">Note that <code>GenerateKeyPair</code> can be implemented as <code>DeriveKeyPair(random(Nsk))</code>.<a href="#section-4-7" class="pilcrow">¶</a></p>
<p id="section-4-8">The notation <code>pk(skX)</code>, depending on its use and the KEM and its
implementation, is either the
computation of the public key using the private key, or just syntax
expressing the retrieval of the public key, assuming it is stored along
with the private key object.<a href="#section-4-8" class="pilcrow">¶</a></p>
<p id="section-4-9">The following two functions are defined to facilitate domain separation of
      KDF calls as well as context binding:<a href="#section-4-9" class="pilcrow">¶</a></p>
<div id="section-4-10">
<pre class="lang-pseudocode sourcecode">
def LabeledExtract(salt, label, ikm):
  labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
  return Extract(salt, labeled_ikm)

def LabeledExpand(prk, label, info, L):
  labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
                        label, info)
  return Expand(prk, labeled_info, L)
</pre><a href="#section-4-10" class="pilcrow">¶</a>
</div>
<p id="section-4-11">The value of <code>suite_id</code> depends on where the KDF is used; it is assumed
implicit from the implementation and not passed as a parameter. If used
inside a KEM algorithm, <code>suite_id</code> <span class="bcp14">MUST</span> start with "KEM" and identify
this KEM algorithm; if used in the remainder of HPKE, it <span class="bcp14">MUST</span> start with
"HPKE" and identify the entire ciphersuite in use. See Sections <a href="#dhkem" class="xref">4.1</a>
and <a href="#encryption-context" class="xref">5.1</a> for details.<a href="#section-4-11" class="pilcrow">¶</a></p>
<div id="dhkem">
<section id="section-4.1">
        <h3 id="name-dh-based-kem-dhkem">
<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-dh-based-kem-dhkem" class="section-name selfRef">DH-Based KEM (DHKEM)</a>
        </h3>
<p id="section-4.1-1">Suppose we are given a KDF, and a Diffie-Hellman (DH) group providing the
following operations:<a href="#section-4.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4.1-2.1">
            <code>DH(skX, pkY)</code>: Perform a non-interactive Diffie-Hellman exchange using the private key
   <code>skX</code> and public key <code>pkY</code> to produce a Diffie-Hellman shared
   secret of length <code>Ndh</code>. This function can raise a <code>ValidationError</code>
   as described in <a href="#validation" class="xref">Section 7.1.4</a>.<a href="#section-4.1-2.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-4.1-2.2">
            <code>Ndh</code>: The length in bytes of a Diffie-Hellman shared secret produced by
   <code>DH()</code>.<a href="#section-4.1-2.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-4.1-2.3">
            <code>Nsk</code>: The length in bytes of a Diffie-Hellman private key.<a href="#section-4.1-2.3" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-4.1-3">Then we can construct a KEM that implements the interface defined in <a href="#base-crypto" class="xref">Section 4</a>
called <code>DHKEM(Group, KDF)</code> in the following way, where <code>Group</code> denotes the
Diffie-Hellman group and <code>KDF</code> denotes the KDF. The function parameters <code>pkR</code> and <code>pkS</code>
are deserialized public keys, and <code>enc</code> is a serialized public key. Since
encapsulated keys are Diffie-Hellman public keys in this KEM algorithm,
we use <code>SerializePublicKey()</code> and <code>DeserializePublicKey()</code> to encode and decode
them, respectively. <code>Npk</code> equals <code>Nenc</code>. <code>GenerateKeyPair()</code> produces a key pair
for the Diffie-Hellman group in use. <a href="#derive-key-pair" class="xref">Section 7.1.3</a> contains the
<code>DeriveKeyPair()</code> function specification for DHKEMs defined in this document.<a href="#section-4.1-3" class="pilcrow">¶</a></p>
<div id="section-4.1-4">
<pre class="lang-pseudocode sourcecode">
def ExtractAndExpand(dh, kem_context):
  eae_prk = LabeledExtract("", "eae_prk", dh)
  shared_secret = LabeledExpand(eae_prk, "shared_secret",
                                kem_context, Nsecret)
  return shared_secret

def Encap(pkR):
  skE, pkE = GenerateKeyPair()
  dh = DH(skE, pkR)
  enc = SerializePublicKey(pkE)

  pkRm = SerializePublicKey(pkR)
  kem_context = concat(enc, pkRm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret, enc

def Decap(enc, skR):
  pkE = DeserializePublicKey(enc)
  dh = DH(skR, pkE)

  pkRm = SerializePublicKey(pk(skR))
  kem_context = concat(enc, pkRm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret

def AuthEncap(pkR, skS):
  skE, pkE = GenerateKeyPair()
  dh = concat(DH(skE, pkR), DH(skS, pkR))
  enc = SerializePublicKey(pkE)

  pkRm = SerializePublicKey(pkR)
  pkSm = SerializePublicKey(pk(skS))
  kem_context = concat(enc, pkRm, pkSm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret, enc

def AuthDecap(enc, skR, pkS):
  pkE = DeserializePublicKey(enc)
  dh = concat(DH(skR, pkE), DH(skR, pkS))

  pkRm = SerializePublicKey(pk(skR))
  pkSm = SerializePublicKey(pkS)
  kem_context = concat(enc, pkRm, pkSm)

  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret
</pre><a href="#section-4.1-4" class="pilcrow">¶</a>
</div>
<p id="section-4.1-5">The implicit <code>suite_id</code> value used within <code>LabeledExtract</code> and
<code>LabeledExpand</code> is defined as follows, where <code>kem_id</code> is defined
in <a href="#kem-ids" class="xref">Section 7.1</a>:<a href="#section-4.1-5" class="pilcrow">¶</a></p>
<div id="section-4.1-6">
<pre class="lang-pseudocode sourcecode">
suite_id = concat("KEM", I2OSP(kem_id, 2))
</pre><a href="#section-4.1-6" class="pilcrow">¶</a>
</div>
<p id="section-4.1-7">The KDF used in DHKEM can be equal to or different from the KDF used
in the remainder of HPKE, depending on the chosen variant.
Implementations <span class="bcp14">MUST</span> make sure to use the constants (<code>Nh</code>) and function
calls (<code>LabeledExtract</code> and <code>LabeledExpand</code>) of the appropriate KDF when
implementing DHKEM. See <a href="#kdf-choice" class="xref">Section 9.3</a> for a comment on the choice of
a KDF for the remainder of HPKE, and <a href="#domain-separation" class="xref">Section 9.6</a> for the
 rationale of the labels.<a href="#section-4.1-7" class="pilcrow">¶</a></p>
<p id="section-4.1-8">For the variants of DHKEM defined in this document, the size <code>Nsecret</code> of the
KEM shared secret is equal to the output length of the hash function
underlying the KDF. For P-256, P-384, and P-521, the size <code>Ndh</code> of the
Diffie-Hellman shared secret is equal to 32, 48, and 66, respectively,
corresponding to the x-coordinate of the resulting elliptic curve point <span>[<a href="#IEEE1363" class="xref">IEEE1363</a>]</span>.
For X25519 and X448, the size <code>Ndh</code> is equal to 32 and 56, respectively
(see <span>[<a href="#RFC7748" class="xref">RFC7748</a>], <a href="https://www.rfc-editor.org/rfc/rfc7748#section-5" class="relref">Section 5</a></span>).<a href="#section-4.1-8" class="pilcrow">¶</a></p>
<p id="section-4.1-9">It is important to note that the <code>AuthEncap()</code> and <code>AuthDecap()</code> functions of the
DHKEM variants defined in this document are vulnerable to key-compromise
impersonation (KCI). This means the assurance that the KEM shared secret
was generated by the holder of the private key <code>skS</code> does not hold if
the recipient private key <code>skR</code> is compromised. See <a href="#sec-properties" class="xref">Section 9.1</a>
for more details.<a href="#section-4.1-9" class="pilcrow">¶</a></p>
<p id="section-4.1-10">Senders and recipients <span class="bcp14">MUST</span> validate KEM inputs and outputs as described
in <a href="#kem-ids" class="xref">Section 7.1</a>.<a href="#section-4.1-10" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="hpke">
<section id="section-5">
      <h2 id="name-hybrid-public-key-encryptio">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-hybrid-public-key-encryptio" class="section-name selfRef">Hybrid Public Key Encryption</a>
      </h2>
<p id="section-5-1">In this section, we define a few HPKE variants.  All variants take a
recipient public key and a sequence of plaintexts <code>pt</code> and produce an
encapsulated key <code>enc</code> and a sequence of ciphertexts <code>ct</code>.  These outputs are
constructed so that only the holder of <code>skR</code> can decapsulate the key from
<code>enc</code> and decrypt the ciphertexts.  All the algorithms also take an
<code>info</code> parameter that can be used to influence the generation of keys
(e.g., to fold in identity information) and an <code>aad</code> parameter that
provides additional authenticated data to the AEAD algorithm in use.<a href="#section-5-1" class="pilcrow">¶</a></p>
<p id="section-5-2">In addition to the base case of encrypting to a public key, we
include three authenticated variants: one that authenticates
possession of a pre-shared key, one that authenticates
possession of a KEM private key, and one that authenticates possession of both
a pre-shared key and a KEM private key. All authenticated variants contribute
additional keying material to the encryption operation. The following one-byte
values will be used to distinguish between modes:<a href="#section-5-2" class="pilcrow">¶</a></p>
<span id="name-hpke-modes"></span><div id="hpke-modes">
<table class="center" id="table-1">
        <caption>
<a href="#table-1" class="selfRef">Table 1</a>:
<a href="#name-hpke-modes" class="selfRef">HPKE Modes</a>
        </caption>
<thead>
          <tr>
            <th class="text-left" rowspan="1" colspan="1">Mode</th>
            <th class="text-left" rowspan="1" colspan="1">Value</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">mode_base</td>
            <td class="text-left" rowspan="1" colspan="1">0x00</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">mode_psk</td>
            <td class="text-left" rowspan="1" colspan="1">0x01</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">mode_auth</td>
            <td class="text-left" rowspan="1" colspan="1">0x02</td>
          </tr>
          <tr>
            <td class="text-left" rowspan="1" colspan="1">mode_auth_psk</td>
            <td class="text-left" rowspan="1" colspan="1">0x03</td>
          </tr>
        </tbody>
      </table>
</div>
<p id="section-5-4">All these cases follow the same basic two-step pattern:<a href="#section-5-4" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="section-5-5">
        <li id="section-5-5.1">Set up an encryption context that is shared between the sender
and the recipient.<a href="#section-5-5.1" class="pilcrow">¶</a>
</li>
        <li id="section-5-5.2">Use that context to encrypt or decrypt content.<a href="#section-5-5.2" class="pilcrow">¶</a>
</li>
      </ol>
<p id="section-5-6">A <em>context</em> is an implementation-specific structure that encodes
the AEAD algorithm and key in use, and manages the nonces used so
that the same nonce is not used with multiple plaintexts. It also
has an interface for exporting secret values, as described in
<a href="#hpke-export" class="xref">Section 5.3</a>. See <a href="#hpke-dem" class="xref">Section 5.2</a> for a description of this structure
and its interfaces. HPKE decryption fails when the underlying AEAD
decryption fails.<a href="#section-5-6" class="pilcrow">¶</a></p>
<p id="section-5-7">The constructions described here presume that the relevant non-private
parameters (<code>enc</code>, <code>psk_id</code>, etc.) are transported between the sender and the
recipient by some application making use of HPKE. Moreover, a recipient with more
than one public key needs some way of determining which of its public keys was
used for the encapsulation operation. As an example, applications may send this
information alongside a ciphertext from the sender to the recipient. Specification of
such a mechanism is left to the application. See <a href="#message-encoding" class="xref">Section 10</a> for more
details.<a href="#section-5-7" class="pilcrow">¶</a></p>
<p id="section-5-8">Note that some KEMs may not support <code>AuthEncap()</code> or <code>AuthDecap()</code>.
For such KEMs, only <code>mode_base</code> or <code>mode_psk</code> are supported. Future specifications
which define new KEMs <span class="bcp14">MUST</span> indicate whether these modes are supported.
See <a href="#future-kems" class="xref">Section 7.1.5</a> for more details.<a href="#section-5-8" class="pilcrow">¶</a></p>
<p id="section-5-9">The procedures described in this section are laid out in a
Python-like pseudocode. The algorithms in use are left implicit.<a href="#section-5-9" class="pilcrow">¶</a></p>
<div id="encryption-context">
<section id="section-5.1">
        <h3 id="name-creating-the-encryption-con">
<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-creating-the-encryption-con" class="section-name selfRef">Creating the Encryption Context</a>
        </h3>
<p id="section-5.1-1">The variants of HPKE defined in this document share a common
key schedule that translates the protocol inputs into an encryption
context. The key schedule inputs are as follows:<a href="#section-5.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.1-2.1">
            <code>mode</code>: A one-byte value indicating the HPKE mode, defined in <a href="#hpke-modes" class="xref">Table 1</a>.<a href="#section-5.1-2.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.1-2.2">
            <code>shared_secret</code>: A KEM shared secret generated for this transaction.<a href="#section-5.1-2.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.1-2.3">
            <code>info</code>: Application-supplied information (optional; default value "").<a href="#section-5.1-2.3" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.1-2.4">
            <code>psk</code> A pre-shared key (PSK) held by both the sender and the recipient (optional;
   default value "").<a href="#section-5.1-2.4" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.1-2.5">
            <code>psk_id</code>: An identifier for the PSK (optional; default value "").<a href="#section-5.1-2.5" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-5.1-3">Senders and recipients <span class="bcp14">MUST</span> validate KEM inputs and outputs as described
in <a href="#kem-ids" class="xref">Section 7.1</a>.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
<p id="section-5.1-4">The <code>psk</code> and <code>psk_id</code> fields <span class="bcp14">MUST</span> appear together or not at all.
That is, if a non-default value is provided for one of them, then
the other <span class="bcp14">MUST</span> be set to a non-default value. This requirement is
encoded in <code>VerifyPSKInputs()</code> below.<a href="#section-5.1-4" class="pilcrow">¶</a></p>
<p id="section-5.1-5">The <code>psk</code>, <code>psk_id</code>, and <code>info</code> fields have maximum lengths that depend
on the KDF itself, on the definition of <code>LabeledExtract()</code>, and on the
constant labels used together with them. See <a href="#kdf-input-length" class="xref">Section 7.2.1</a> for
precise limits on these lengths.<a href="#section-5.1-5" class="pilcrow">¶</a></p>
<p id="section-5.1-6">The <code>key</code>, <code>base_nonce</code>, and <code>exporter_secret</code> computed by the key schedule
have the property that they are only known to the holder of the recipient
private key, and the entity that used the KEM to generate <code>shared_secret</code> and
<code>enc</code>.<a href="#section-5.1-6" class="pilcrow">¶</a></p>
<p id="section-5.1-7">In the Auth and AuthPSK modes, the recipient is assured that the sender
held the private key <code>skS</code>. This assurance is limited for the DHKEM
variants defined in this document because of key-compromise impersonation,
as described in Sections <a href="#dhkem" class="xref">4.1</a> and <a href="#sec-properties" class="xref">9.1</a>. If in the PSK and
AuthPSK modes, the <code>psk</code> and <code>psk_id</code> arguments are provided as required,
then the recipient is assured that the sender held the corresponding
pre-shared key. See <a href="#sec-properties" class="xref">Section 9.1</a> for more details.<a href="#section-5.1-7" class="pilcrow">¶</a></p>
<p id="section-5.1-8">The HPKE algorithm identifiers, i.e., the KEM <code>kem_id</code>, KDF <code>kdf_id</code>, and
AEAD <code>aead_id</code> 2-byte code points, as defined in Tables <a href="#kemid-values" class="xref">2</a>, <a href="#kdfid-values" class="xref">3</a>,
and <a href="#aeadid-values" class="xref">5</a>, respectively, are assumed implicit from the implementation
and not passed as parameters. The implicit <code>suite_id</code> value used within
<code>LabeledExtract</code> and <code>LabeledExpand</code> is defined based on them as follows:<a href="#section-5.1-8" class="pilcrow">¶</a></p>
<div id="section-5.1-9">
<pre class="lang-pseudocode sourcecode">
suite_id = concat(
  "HPKE",
  I2OSP(kem_id, 2),
  I2OSP(kdf_id, 2),
  I2OSP(aead_id, 2)
)
</pre><a href="#section-5.1-9" class="pilcrow">¶</a>
</div>
<div id="section-5.1-10">
<pre class="lang-pseudocode sourcecode">
default_psk = ""
default_psk_id = ""

def VerifyPSKInputs(mode, psk, psk_id):
  got_psk = (psk != default_psk)
  got_psk_id = (psk_id != default_psk_id)
  if got_psk != got_psk_id:
    raise Exception("Inconsistent PSK inputs")

  if got_psk and (mode in [mode_base, mode_auth]):
    raise Exception("PSK input provided when not needed")
  if (not got_psk) and (mode in [mode_psk, mode_auth_psk]):
    raise Exception("Missing required PSK input")

def KeySchedule&lt;ROLE&gt;(mode, shared_secret, info, psk, psk_id):
  VerifyPSKInputs(mode, psk, psk_id)

  psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
  info_hash = LabeledExtract("", "info_hash", info)
  key_schedule_context = concat(mode, psk_id_hash, info_hash)

  secret = LabeledExtract(shared_secret, "secret", psk)

  key = LabeledExpand(secret, "key", key_schedule_context, Nk)
  base_nonce = LabeledExpand(secret, "base_nonce",
                             key_schedule_context, Nn)
  exporter_secret = LabeledExpand(secret, "exp",
                                  key_schedule_context, Nh)

  return Context&lt;ROLE&gt;(key, base_nonce, 0, exporter_secret)
</pre><a href="#section-5.1-10" class="pilcrow">¶</a>
</div>
<p id="section-5.1-11">The <code>ROLE</code> template parameter is either S or R, depending on the role of
sender or recipient, respectively. See <a href="#hpke-dem" class="xref">Section 5.2</a> for a discussion of the
key schedule output, including the role-specific <code>Context</code> structure and its API.<a href="#section-5.1-11" class="pilcrow">¶</a></p>
<p id="section-5.1-12">Note that the <code>key_schedule_context</code> construction in <code>KeySchedule()</code> is
equivalent to serializing a structure of the following form in the TLS presentation
syntax:<a href="#section-5.1-12" class="pilcrow">¶</a></p>
<div id="section-5.1-13">
<pre class="lang-pseudocode sourcecode">
struct {
    uint8 mode;
    opaque psk_id_hash[Nh];
    opaque info_hash[Nh];
} KeyScheduleContext;
</pre><a href="#section-5.1-13" class="pilcrow">¶</a>
</div>
<div id="hpke-kem">
<section id="section-5.1.1">
          <h4 id="name-encryption-to-a-public-key">
<a href="#section-5.1.1" class="section-number selfRef">5.1.1. </a><a href="#name-encryption-to-a-public-key" class="section-name selfRef">Encryption to a Public Key</a>
          </h4>
<p id="section-5.1.1-1">The most basic function of an HPKE scheme is to enable encryption
to the holder of a given KEM private key.  The <code>SetupBaseS()</code> and
<code>SetupBaseR()</code> procedures establish contexts that can be used to
encrypt and decrypt, respectively, for a given private key.<a href="#section-5.1.1-1" class="pilcrow">¶</a></p>
<p id="section-5.1.1-2">The KEM shared secret is combined via the KDF
with information describing the key exchange, as well as the
explicit <code>info</code> parameter provided by the caller.<a href="#section-5.1.1-2" class="pilcrow">¶</a></p>
<p id="section-5.1.1-3">The parameter <code>pkR</code> is a public key, and <code>enc</code> is an encapsulated
KEM shared secret.<a href="#section-5.1.1-3" class="pilcrow">¶</a></p>
<div id="section-5.1.1-4">
<pre class="sourcecode">
def SetupBaseS(pkR, info):
  shared_secret, enc = Encap(pkR)
  return enc, KeyScheduleS(mode_base, shared_secret, info,
                           default_psk, default_psk_id)

def SetupBaseR(enc, skR, info):
  shared_secret = Decap(enc, skR)
  return KeyScheduleR(mode_base, shared_secret, info,
                      default_psk, default_psk_id)
</pre><a href="#section-5.1.1-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="mode-psk">
<section id="section-5.1.2">
          <h4 id="name-authentication-using-a-pre-">
<a href="#section-5.1.2" class="section-number selfRef">5.1.2. </a><a href="#name-authentication-using-a-pre-" class="section-name selfRef">Authentication Using a Pre-Shared Key</a>
          </h4>
<p id="section-5.1.2-1">This variant extends the base mechanism by allowing the recipient to
authenticate that the sender possessed a given PSK. The PSK also
improves confidentiality guarantees in certain adversary models, as
described in more detail in <a href="#sec-properties" class="xref">Section 9.1</a>. We assume that both
parties have been provisioned with both the PSK value <code>psk</code> and another
byte string <code>psk_id</code> that is used to identify which PSK should be used.<a href="#section-5.1.2-1" class="pilcrow">¶</a></p>
<p id="section-5.1.2-2">The primary difference from the base case is that the <code>psk</code> and <code>psk_id</code> values
are used as <code>ikm</code> inputs to the KDF (instead of using the empty string).<a href="#section-5.1.2-2" class="pilcrow">¶</a></p>
<p id="section-5.1.2-3">The PSK <span class="bcp14">MUST</span> have at least 32 bytes of entropy and <span class="bcp14">SHOULD</span> be of length <code>Nh</code>
bytes or longer. See <a href="#security-psk" class="xref">Section 9.5</a> for a more detailed discussion.<a href="#section-5.1.2-3" class="pilcrow">¶</a></p>
<div id="section-5.1.2-4">
<pre class="lang-pseudocode sourcecode">
def SetupPSKS(pkR, info, psk, psk_id):
  shared_secret, enc = Encap(pkR)
  return enc, KeyScheduleS(mode_psk, shared_secret, info,
                           psk, psk_id)

def SetupPSKR(enc, skR, info, psk, psk_id):
  shared_secret = Decap(enc, skR)
  return KeyScheduleR(mode_psk, shared_secret, info, psk, psk_id)
</pre><a href="#section-5.1.2-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="mode-auth">
<section id="section-5.1.3">
          <h4 id="name-authentication-using-an-asy">
<a href="#section-5.1.3" class="section-number selfRef">5.1.3. </a><a href="#name-authentication-using-an-asy" class="section-name selfRef">Authentication Using an Asymmetric Key</a>
          </h4>
<p id="section-5.1.3-1">This variant extends the base mechanism by allowing the recipient
to authenticate that the sender possessed a given KEM private key.
This is because <code>AuthDecap(enc, skR, pkS)</code> produces the correct KEM
shared secret only if the encapsulated value <code>enc</code> was produced by
<code>AuthEncap(pkR, skS)</code>, where <code>skS</code> is the private key corresponding
to <code>pkS</code>.  In other words, at most two entities (precisely two, in the case
of DHKEM) could have produced this secret, so if the recipient is at most one, then
the sender is the other with overwhelming probability.<a href="#section-5.1.3-1" class="pilcrow">¶</a></p>
<p id="section-5.1.3-2">The primary difference from the base case is that the calls to
<code>Encap()</code> and <code>Decap()</code> are replaced with calls to <code>AuthEncap()</code> and
<code>AuthDecap()</code>, which add the sender public key to their internal
context string. The function parameters <code>pkR</code> and <code>pkS</code> are
public keys, and <code>enc</code> is an encapsulated KEM shared secret.<a href="#section-5.1.3-2" class="pilcrow">¶</a></p>
<p id="section-5.1.3-3">Obviously, this variant can only be used with a KEM that provides
<code>AuthEncap()</code> and <code>AuthDecap()</code> procedures.<a href="#section-5.1.3-3" class="pilcrow">¶</a></p>
<p id="section-5.1.3-4">This mechanism authenticates only the key pair of the sender, not
any other identifier.  If an application wishes to bind HPKE
ciphertexts or exported secrets to another identity for the sender
(e.g., an email address or domain name), then this identifier should be
included in the <code>info</code> parameter to avoid identity misbinding issues <span>[<a href="#IMB" class="xref">IMB</a>]</span>.<a href="#section-5.1.3-4" class="pilcrow">¶</a></p>
<div id="section-5.1.3-5">
<pre class="lang-pseudocode sourcecode">
def SetupAuthS(pkR, info, skS):
  shared_secret, enc = AuthEncap(pkR, skS)
  return enc, KeyScheduleS(mode_auth, shared_secret, info,
                           default_psk, default_psk_id)

def SetupAuthR(enc, skR, info, pkS):
  shared_secret = AuthDecap(enc, skR, pkS)
  return KeyScheduleR(mode_auth, shared_secret, info,
                      default_psk, default_psk_id)
</pre><a href="#section-5.1.3-5" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="mode-auth-psk">
<section id="section-5.1.4">
          <h4 id="name-authentication-using-both-a">
<a href="#section-5.1.4" class="section-number selfRef">5.1.4. </a><a href="#name-authentication-using-both-a" class="section-name selfRef">Authentication Using Both a PSK and an Asymmetric Key</a>
          </h4>
<p id="section-5.1.4-1">This mode is a straightforward combination of the PSK and
authenticated modes.  Like the PSK mode, a PSK is provided as input to the key schedule,
and like the authenticated mode, authenticated KEM variants are used.<a href="#section-5.1.4-1" class="pilcrow">¶</a></p>
<div id="section-5.1.4-2">
<pre class="lang-pseudocode sourcecode">
def SetupAuthPSKS(pkR, info, psk, psk_id, skS):
  shared_secret, enc = AuthEncap(pkR, skS)
  return enc, KeyScheduleS(mode_auth_psk, shared_secret, info,
                           psk, psk_id)

def SetupAuthPSKR(enc, skR, info, psk, psk_id, pkS):
  shared_secret = AuthDecap(enc, skR, pkS)
  return KeyScheduleR(mode_auth_psk, shared_secret, info,
                      psk, psk_id)
</pre><a href="#section-5.1.4-2" class="pilcrow">¶</a>
</div>
<p id="section-5.1.4-3">The PSK <span class="bcp14">MUST</span> have at least 32 bytes of entropy and <span class="bcp14">SHOULD</span> be of length <code>Nh</code>
bytes or longer. See <a href="#security-psk" class="xref">Section 9.5</a> for a more detailed discussion.<a href="#section-5.1.4-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="hpke-dem">
<section id="section-5.2">
        <h3 id="name-encryption-and-decryption">
<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-encryption-and-decryption" class="section-name selfRef">Encryption and Decryption</a>
        </h3>
<p id="section-5.2-1">HPKE allows multiple encryption operations to be done based on a
given setup transaction.  Since the public key operations involved
in setup are typically more expensive than symmetric encryption or
decryption, this allows applications to amortize the cost of the
public key operations, reducing the overall overhead.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2-2">In order to avoid nonce reuse, however, this encryption must be
stateful. Each of the setup procedures above produces a role-specific
context object that stores the AEAD and secret export parameters.
The AEAD parameters consist of:<a href="#section-5.2-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.2-3.1">The AEAD algorithm in use<a href="#section-5.2-3.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.2-3.2">A secret <code>key</code><a href="#section-5.2-3.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.2-3.3">A base nonce <code>base_nonce</code><a href="#section-5.2-3.3" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.2-3.4">A sequence number (initially 0)<a href="#section-5.2-3.4" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-5.2-4">The secret export parameters consist of:<a href="#section-5.2-4" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.2-5.1">The HPKE ciphersuite in use and<a href="#section-5.2-5.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.2-5.2">An <code>exporter_secret</code> used for the secret export interface (see
   <a href="#hpke-export" class="xref">Section 5.3</a>)<a href="#section-5.2-5.2" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-5.2-6">All these parameters except the AEAD sequence number are constant.
The sequence number provides nonce uniqueness: The nonce used for
each encryption or decryption operation is the result of XORing
<code>base_nonce</code> with the current sequence number, encoded as a big-endian
integer of the same length as <code>base_nonce</code>. Implementations <span class="bcp14">MAY</span> use a
sequence number that is shorter than the nonce length (padding on the left
with zero), but <span class="bcp14">MUST</span> raise an error if the sequence number overflows. The AEAD
algorithm produces ciphertext that is Nt bytes longer than the plaintext.
Nt = 16 for AEAD algorithms defined in this document.<a href="#section-5.2-6" class="pilcrow">¶</a></p>
<p id="section-5.2-7">Encryption is unidirectional from sender to recipient. The sender's
context can encrypt a plaintext <code>pt</code> with associated data <code>aad</code> as
follows:<a href="#section-5.2-7" class="pilcrow">¶</a></p>
<div id="section-5.2-8">
<pre class="lang-pseudocode sourcecode">
def ContextS.Seal(aad, pt):
  ct = Seal(self.key, self.ComputeNonce(self.seq), aad, pt)
  self.IncrementSeq()
  return ct
</pre><a href="#section-5.2-8" class="pilcrow">¶</a>
</div>
<p id="section-5.2-9">The recipient's context can decrypt a ciphertext <code>ct</code> with associated
data <code>aad</code> as follows:<a href="#section-5.2-9" class="pilcrow">¶</a></p>
<div id="section-5.2-10">
<pre class="lang-pseudocode sourcecode">
def ContextR.Open(aad, ct):
  pt = Open(self.key, self.ComputeNonce(self.seq), aad, ct)
  if pt == OpenError:
    raise OpenError
  self.IncrementSeq()
  return pt
</pre><a href="#section-5.2-10" class="pilcrow">¶</a>
</div>
<p id="section-5.2-11">Each encryption or decryption operation increments the sequence number for
the context in use. The per-message nonce and sequence number increment
details are as follows:<a href="#section-5.2-11" class="pilcrow">¶</a></p>
<div id="section-5.2-12">
<pre class="lang-pseudocode sourcecode">
def Context&lt;ROLE&gt;.ComputeNonce(seq):
  seq_bytes = I2OSP(seq, Nn)
  return xor(self.base_nonce, seq_bytes)

def Context&lt;ROLE&gt;.IncrementSeq():
  if self.seq &gt;= (1 &lt;&lt; (8*Nn)) - 1:
    raise MessageLimitReachedError
  self.seq += 1
</pre><a href="#section-5.2-12" class="pilcrow">¶</a>
</div>
<p id="section-5.2-13">The sender's context <span class="bcp14">MUST NOT</span> be used for decryption. Similarly, the recipient's
context <span class="bcp14">MUST NOT</span> be used for encryption. Higher-level protocols reusing the HPKE
key exchange for more general purposes can derive separate keying material as
needed using use the secret export interface; see Sections <a href="#hpke-export" class="xref">5.3</a> and <a href="#bidirectional" class="xref">9.8</a>
for more details.<a href="#section-5.2-13" class="pilcrow">¶</a></p>
<p id="section-5.2-14">It is up to the application to ensure that encryptions and decryptions are
done in the proper sequence, so that encryption and decryption nonces align.
If <code>ContextS.Seal()</code> or <code>ContextR.Open()</code> would cause the <code>seq</code> field to
overflow, then the implementation <span class="bcp14">MUST</span> fail with an error. (In the pseudocode
below, <code>Context&lt;ROLE&gt;.IncrementSeq()</code> fails with an error when <code>seq</code> overflows,
which causes <code>ContextS.Seal()</code> and <code>ContextR.Open()</code> to fail accordingly.)
Note that the internal <code>Seal()</code> and <code>Open()</code> calls inside correspond to the
context's AEAD algorithm.<a href="#section-5.2-14" class="pilcrow">¶</a></p>
</section>
</div>
<div id="hpke-export">
<section id="section-5.3">
        <h3 id="name-secret-export">
<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-secret-export" class="section-name selfRef">Secret Export</a>
        </h3>
<p id="section-5.3-1">HPKE provides an interface for exporting secrets from the encryption context
using a variable-length pseudorandom function (PRF), similar to the TLS 1.3 exporter interface
(see <span>[<a href="#RFC8446" class="xref">RFC8446</a>], <a href="https://www.rfc-editor.org/rfc/rfc8446#section-7.5" class="relref">Section 7.5</a></span>). This interface takes as input a context
string <code>exporter_context</code> and a desired length <code>L</code> in bytes, and produces
a secret derived from the internal exporter secret using the corresponding
KDF Expand function. For the KDFs defined in this specification, <code>L</code> has
a maximum value of <code>255*Nh</code>. Future specifications that define new KDFs
<span class="bcp14">MUST</span> specify a bound for <code>L</code>.<a href="#section-5.3-1" class="pilcrow">¶</a></p>
<p id="section-5.3-2">The <code>exporter_context</code> field has a maximum length that depends on the KDF
itself, on the definition of <code>LabeledExpand()</code>, and on the constant labels
used together with them. See <a href="#kdf-input-length" class="xref">Section 7.2.1</a> for precise limits on this
length.<a href="#section-5.3-2" class="pilcrow">¶</a></p>
<div id="section-5.3-3">
<pre class="lang-pseudocode sourcecode">
def Context.Export(exporter_context, L):
  return LabeledExpand(self.exporter_secret, "sec",
                       exporter_context, L)
</pre><a href="#section-5.3-3" class="pilcrow">¶</a>
</div>
<p id="section-5.3-4">Applications that do not use the encryption API in <a href="#hpke-dem" class="xref">Section 5.2</a> can use
the export-only AEAD ID <code>0xFFFF</code> when computing the key schedule. Such
applications can avoid computing the <code>key</code> and <code>base_nonce</code> values in the
key schedule, as they are not used by the Export interface described above.<a href="#section-5.3-4" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="single-shot-apis">
<section id="section-6">
      <h2 id="name-single-shot-apis">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-single-shot-apis" class="section-name selfRef">Single-Shot APIs</a>
      </h2>
<div id="single-shot-encryption">
<section id="section-6.1">
        <h3 id="name-encryption-and-decryption-2">
<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-encryption-and-decryption-2" class="section-name selfRef">Encryption and Decryption</a>
        </h3>
<p id="section-6.1-1">In many cases, applications encrypt only a single message to a recipient's public key.
This section provides templates for HPKE APIs that implement stateless "single-shot"
encryption and decryption using APIs specified in Sections <a href="#hpke-kem" class="xref">5.1.1</a> and <a href="#hpke-dem" class="xref">5.2</a>:<a href="#section-6.1-1" class="pilcrow">¶</a></p>
<div id="section-6.1-2">
<pre class="lang-pseudocode sourcecode">
def Seal&lt;MODE&gt;(pkR, info, aad, pt, ...):
  enc, ctx = Setup&lt;MODE&gt;S(pkR, info, ...)
  ct = ctx.Seal(aad, pt)
  return enc, ct

def Open&lt;MODE&gt;(enc, skR, info, aad, ct, ...):
  ctx = Setup&lt;MODE&gt;R(enc, skR, info, ...)
  return ctx.Open(aad, ct)
</pre><a href="#section-6.1-2" class="pilcrow">¶</a>
</div>
<p id="section-6.1-3">The <code>MODE</code> template parameter is one of Base, PSK, Auth, or AuthPSK. The optional parameters
indicated by "..." depend on <code>MODE</code> and may be empty. For example, <code>SetupBase()</code> has no
additional parameters. <code>SealAuthPSK()</code> and <code>OpenAuthPSK()</code> would be implemented as follows:<a href="#section-6.1-3" class="pilcrow">¶</a></p>
<div id="section-6.1-4">
<pre class="lang-pseudocode sourcecode">
def SealAuthPSK(pkR, info, aad, pt, psk, psk_id, skS):
  enc, ctx = SetupAuthPSKS(pkR, info, psk, psk_id, skS)
  ct = ctx.Seal(aad, pt)
  return enc, ct

def OpenAuthPSK(enc, skR, info, aad, ct, psk, psk_id, pkS):
  ctx = SetupAuthPSKR(enc, skR, info, psk, psk_id, pkS)
  return ctx.Open(aad, ct)
</pre><a href="#section-6.1-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="secret-export">
<section id="section-6.2">
        <h3 id="name-secret-export-2">
<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-secret-export-2" class="section-name selfRef">Secret Export</a>
        </h3>
<p id="section-6.2-1">Applications may also want to derive a secret known only to a given recipient.
This section provides templates for HPKE APIs that implement stateless
"single-shot" secret export using APIs specified in <a href="#hpke-export" class="xref">Section 5.3</a>:<a href="#section-6.2-1" class="pilcrow">¶</a></p>
<div id="section-6.2-2">
<pre class="lang-pseudocode sourcecode">
def SendExport&lt;MODE&gt;(pkR, info, exporter_context, L, ...):
  enc, ctx = Setup&lt;MODE&gt;S(pkR, info, ...)
  exported = ctx.Export(exporter_context, L)
  return enc, exported

def ReceiveExport&lt;MODE&gt;(enc, skR, info, exporter_context, L, ...):
  ctx = Setup&lt;MODE&gt;R(enc, skR, info, ...)
  return ctx.Export(exporter_context, L)
</pre><a href="#section-6.2-2" class="pilcrow">¶</a>
</div>
<p id="section-6.2-3">As in <a href="#single-shot-encryption" class="xref">Section 6.1</a>, the <code>MODE</code> template parameter is one of Base, PSK,
Auth, or AuthPSK. The optional parameters indicated by "..." depend on <code>MODE</code> and may
be empty.<a href="#section-6.2-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="ciphersuites">
<section id="section-7">
      <h2 id="name-algorithm-identifiers">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-algorithm-identifiers" class="section-name selfRef">Algorithm Identifiers</a>
      </h2>
<p id="section-7-1">This section lists algorithm identifiers suitable for different HPKE configurations.
Future specifications may introduce new KEM, KDF, and AEAD algorithm identifiers
and retain the security guarantees presented in this document provided they adhere
to the security requirements in Sections <a href="#kem-security" class="xref">9.2</a>, <a href="#kdf-choice" class="xref">9.3</a>, and <a href="#aead-security" class="xref">9.4</a>,
respectively.<a href="#section-7-1" class="pilcrow">¶</a></p>
<div id="kem-ids">
<section id="section-7.1">
        <h3 id="name-key-encapsulation-mechanism">
<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-key-encapsulation-mechanism" class="section-name selfRef">Key Encapsulation Mechanisms (KEMs)</a>
        </h3>
<span id="name-kem-ids"></span><div id="kemid-values">
<table class="center" id="table-2">
          <caption>
<a href="#table-2" class="selfRef">Table 2</a>:
<a href="#name-kem-ids" class="selfRef">KEM IDs</a>
          </caption>
<thead>
            <tr>
              <th class="text-left" rowspan="1" colspan="1">Value</th>
              <th class="text-left" rowspan="1" colspan="1">KEM</th>
              <th class="text-left" rowspan="1" colspan="1">Nsecret</th>
              <th class="text-left" rowspan="1" colspan="1">Nenc</th>
              <th class="text-left" rowspan="1" colspan="1">Npk</th>
              <th class="text-left" rowspan="1" colspan="1">Nsk</th>
              <th class="text-left" rowspan="1" colspan="1">Auth</th>
              <th class="text-left" rowspan="1" colspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0000</td>
              <td class="text-left" rowspan="1" colspan="1">Reserved</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">yes</td>
              <td class="text-left" rowspan="1" colspan="1">RFC 9180</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0010</td>
              <td class="text-left" rowspan="1" colspan="1">DHKEM(P-256, HKDF-SHA256)</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">65</td>
              <td class="text-left" rowspan="1" colspan="1">65</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">yes</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#NISTCurves" class="xref">NISTCurves</a>]</span>, <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0011</td>
              <td class="text-left" rowspan="1" colspan="1">DHKEM(P-384, HKDF-SHA384)</td>
              <td class="text-left" rowspan="1" colspan="1">48</td>
              <td class="text-left" rowspan="1" colspan="1">97</td>
              <td class="text-left" rowspan="1" colspan="1">97</td>
              <td class="text-left" rowspan="1" colspan="1">48</td>
              <td class="text-left" rowspan="1" colspan="1">yes</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#NISTCurves" class="xref">NISTCurves</a>]</span>, <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0012</td>
              <td class="text-left" rowspan="1" colspan="1">DHKEM(P-521, HKDF-SHA512)</td>
              <td class="text-left" rowspan="1" colspan="1">64</td>
              <td class="text-left" rowspan="1" colspan="1">133</td>
              <td class="text-left" rowspan="1" colspan="1">133</td>
              <td class="text-left" rowspan="1" colspan="1">66</td>
              <td class="text-left" rowspan="1" colspan="1">yes</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#NISTCurves" class="xref">NISTCurves</a>]</span>, <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0020</td>
              <td class="text-left" rowspan="1" colspan="1">DHKEM(X25519, HKDF-SHA256)</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">yes</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>, <span>[<a href="#RFC7748" class="xref">RFC7748</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0021</td>
              <td class="text-left" rowspan="1" colspan="1">DHKEM(X448, HKDF-SHA512)</td>
              <td class="text-left" rowspan="1" colspan="1">64</td>
              <td class="text-left" rowspan="1" colspan="1">56</td>
              <td class="text-left" rowspan="1" colspan="1">56</td>
              <td class="text-left" rowspan="1" colspan="1">56</td>
              <td class="text-left" rowspan="1" colspan="1">yes</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>, <span>[<a href="#RFC7748" class="xref">RFC7748</a>]</span>
</td>
            </tr>
          </tbody>
        </table>
</div>
<p id="section-7.1-2">The <code>Auth</code> column indicates if the KEM algorithm provides the <code>AuthEncap()</code>/<code>AuthDecap()</code>
interface and is therefore suitable for the Auth and AuthPSK modes. The meaning of all
other columns is explained in <a href="#kem-template" class="xref">Section 11.1</a>. All algorithms are suitable for the
PSK mode.<a href="#section-7.1-2" class="pilcrow">¶</a></p>
<div id="serializepublickey-and-deserializepublickey">
<section id="section-7.1.1">
          <h4 id="name-serializepublickey-and-dese">
<a href="#section-7.1.1" class="section-number selfRef">7.1.1. </a><a href="#name-serializepublickey-and-dese" class="section-name selfRef">SerializePublicKey and DeserializePublicKey</a>
          </h4>
<p id="section-7.1.1-1">For P-256, P-384, and P-521, the <code>SerializePublicKey()</code> function of the
KEM performs the uncompressed Elliptic-Curve-Point-to-Octet-String
conversion according to <span>[<a href="#SECG" class="xref">SECG</a>]</span>. <code>DeserializePublicKey()</code> performs the
uncompressed Octet-String-to-Elliptic-Curve-Point conversion.<a href="#section-7.1.1-1" class="pilcrow">¶</a></p>
<p id="section-7.1.1-2">For X25519 and X448, the <code>SerializePublicKey()</code> and <code>DeserializePublicKey()</code>
functions are the identity function, since these curves already use
fixed-length byte strings for public keys.<a href="#section-7.1.1-2" class="pilcrow">¶</a></p>
<p id="section-7.1.1-3">Some deserialized public keys <span class="bcp14">MUST</span> be validated before they can be used. See
<a href="#validation" class="xref">Section 7.1.4</a> for specifics.<a href="#section-7.1.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="serializeprivatekey">
<section id="section-7.1.2">
          <h4 id="name-serializeprivatekey-and-des">
<a href="#section-7.1.2" class="section-number selfRef">7.1.2. </a><a href="#name-serializeprivatekey-and-des" class="section-name selfRef">SerializePrivateKey and DeserializePrivateKey</a>
          </h4>
<p id="section-7.1.2-1">As per <span>[<a href="#SECG" class="xref">SECG</a>]</span>, P-256, P-384, and P-521 private keys are field elements in the
scalar field of the curve being used. For this section, and for
<a href="#derive-key-pair" class="xref">Section 7.1.3</a>, it is assumed that implementors of ECDH over these curves
use an integer representation of private keys that is compatible with the
<code>OS2IP()</code> function.<a href="#section-7.1.2-1" class="pilcrow">¶</a></p>
<p id="section-7.1.2-2">For P-256, P-384, and P-521, the <code>SerializePrivateKey()</code> function of the KEM
performs the Field-Element-to-Octet-String conversion according to <span>[<a href="#SECG" class="xref">SECG</a>]</span>. If
the private key is an integer outside the range <code>[0, order-1]</code>, where <code>order</code>
is the order of the curve being used, the private key <span class="bcp14">MUST</span> be reduced to its
representative in <code>[0, order-1]</code> before being serialized.
<code>DeserializePrivateKey()</code> performs the Octet-String-to-Field-Element conversion
according to <span>[<a href="#SECG" class="xref">SECG</a>]</span>.<a href="#section-7.1.2-2" class="pilcrow">¶</a></p>
<p id="section-7.1.2-3">For X25519 and X448, private keys are identical to their byte string
representation, so little processing has to be done. The
<code>SerializePrivateKey()</code> function <span class="bcp14">MUST</span> clamp its output and the
<code>DeserializePrivateKey()</code> function <span class="bcp14">MUST</span> clamp its input, where <em>clamping</em> refers to the
bitwise operations performed on <code>k</code> in the <code>decodeScalar25519()</code> and
<code>decodeScalar448()</code> functions defined in <span><a href="https://www.rfc-editor.org/rfc/rfc7748#section-5" class="relref">Section 5</a> of [<a href="#RFC7748" class="xref">RFC7748</a>]</span>.<a href="#section-7.1.2-3" class="pilcrow">¶</a></p>
<p id="section-7.1.2-4">To catch invalid keys early on, implementors of DHKEMs <span class="bcp14">SHOULD</span> check that
deserialized private keys are not equivalent to 0 (mod <code>order</code>), where <code>order</code>
is the order of the DH group. Note that this property is trivially true for X25519
and X448 groups, since clamped values can never be 0 (mod <code>order</code>).<a href="#section-7.1.2-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="derive-key-pair">
<section id="section-7.1.3">
          <h4 id="name-derivekeypair">
<a href="#section-7.1.3" class="section-number selfRef">7.1.3. </a><a href="#name-derivekeypair" class="section-name selfRef">DeriveKeyPair</a>
          </h4>
<p id="section-7.1.3-1">The keys that <code>DeriveKeyPair()</code> produces have only as much entropy as the provided
input keying material. For a given KEM, the <code>ikm</code> parameter given to <code>DeriveKeyPair()</code> <span class="bcp14">SHOULD</span>
have length at least <code>Nsk</code>, and <span class="bcp14">SHOULD</span> have at least <code>Nsk</code> bytes of entropy.<a href="#section-7.1.3-1" class="pilcrow">¶</a></p>
<p id="section-7.1.3-2">All invocations of KDF functions (such as <code>LabeledExtract</code> or <code>LabeledExpand</code>) in any
DHKEM's <code>DeriveKeyPair()</code> function use the DHKEM's associated KDF (as opposed to
the ciphersuite's KDF).<a href="#section-7.1.3-2" class="pilcrow">¶</a></p>
<p id="section-7.1.3-3">For P-256, P-384, and P-521, the <code>DeriveKeyPair()</code> function of the KEM performs
rejection sampling over field elements:<a href="#section-7.1.3-3" class="pilcrow">¶</a></p>
<div id="section-7.1.3-4">
<pre class="lang-pseudocode sourcecode">
def DeriveKeyPair(ikm):
  dkp_prk = LabeledExtract("", "dkp_prk", ikm)
  sk = 0
  counter = 0
  while sk == 0 or sk &gt;= order:
    if counter &gt; 255:
      raise DeriveKeyPairError
    bytes = LabeledExpand(dkp_prk, "candidate",
                          I2OSP(counter, 1), Nsk)
    bytes[0] = bytes[0] &amp; bitmask
    sk = OS2IP(bytes)
    counter = counter + 1
  return (sk, pk(sk))
</pre><a href="#section-7.1.3-4" class="pilcrow">¶</a>
</div>
<p id="section-7.1.3-5"><code>order</code> is the order of the curve being used (see Section D.1.2 of <span>[<a href="#NISTCurves" class="xref">NISTCurves</a>]</span>), and
is listed below for completeness.<a href="#section-7.1.3-5" class="pilcrow">¶</a></p>
<div class="alignLeft art-text artwork" id="section-7.1.3-6">
<pre>
P-256:
0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

P-384:
0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf
  581a0db248b0a77aecec196accc52973

P-521:
0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  fa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409
</pre><a href="#section-7.1.3-6" class="pilcrow">¶</a>
</div>
<p id="section-7.1.3-7"><code>bitmask</code> is defined to be 0xFF for P-256 and P-384, and 0x01 for P-521.
The precise likelihood of <code>DeriveKeyPair()</code> failing with DeriveKeyPairError
depends on the group being used, but it is negligibly small in all cases.
See <a href="#api-errors" class="xref">Section 8.2</a> for information about dealing with such failures.<a href="#section-7.1.3-7" class="pilcrow">¶</a></p>
<p id="section-7.1.3-8">For X25519 and X448, the <code>DeriveKeyPair()</code> function applies a KDF to the input:<a href="#section-7.1.3-8" class="pilcrow">¶</a></p>
<div id="section-7.1.3-9">
<pre class="lang-pseudocode sourcecode">
def DeriveKeyPair(ikm):
  dkp_prk = LabeledExtract("", "dkp_prk", ikm)
  sk = LabeledExpand(dkp_prk, "sk", "", Nsk)
  return (sk, pk(sk))
</pre><a href="#section-7.1.3-9" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="validation">
<section id="section-7.1.4">
          <h4 id="name-validation-of-inputs-and-ou">
<a href="#section-7.1.4" class="section-number selfRef">7.1.4. </a><a href="#name-validation-of-inputs-and-ou" class="section-name selfRef">Validation of Inputs and Outputs</a>
          </h4>
<p id="section-7.1.4-1">The following public keys are subject to validation if the group
requires public key validation: the sender <span class="bcp14">MUST</span> validate the recipient's
public key <code>pkR</code>; the recipient <span class="bcp14">MUST</span> validate the ephemeral public key
<code>pkE</code>; in authenticated modes, the recipient <span class="bcp14">MUST</span> validate the sender's
static public key <code>pkS</code>. Validation failure yields a <code>ValidationError</code>.<a href="#section-7.1.4-1" class="pilcrow">¶</a></p>
<p id="section-7.1.4-2">For P-256, P-384, and P-521, senders and recipients <span class="bcp14">MUST</span> perform partial
public key validation on all public key inputs, as defined in Section 5.6.2.3.4 of <span>[<a href="#keyagreement" class="xref">keyagreement</a>]</span>. This includes checking that the coordinates are in the
correct range, that the point is on the curve, and that the point is not the
point at infinity. Additionally, senders and recipients <span class="bcp14">MUST</span> ensure the
Diffie-Hellman shared secret is not the point at infinity.<a href="#section-7.1.4-2" class="pilcrow">¶</a></p>
<p id="section-7.1.4-3">For X25519 and X448, public keys and Diffie-Hellman outputs <span class="bcp14">MUST</span> be validated
as described in <span>[<a href="#RFC7748" class="xref">RFC7748</a>]</span>. In particular, recipients <span class="bcp14">MUST</span> check whether
the Diffie-Hellman shared secret is the all-zero value and abort if so.<a href="#section-7.1.4-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="future-kems">
<section id="section-7.1.5">
          <h4 id="name-future-kems">
<a href="#section-7.1.5" class="section-number selfRef">7.1.5. </a><a href="#name-future-kems" class="section-name selfRef">Future KEMs</a>
          </h4>
<p id="section-7.1.5-1"><a href="#kem-security" class="xref">Section 9.2</a> lists security requirements on a KEM used within HPKE.<a href="#section-7.1.5-1" class="pilcrow">¶</a></p>
<p id="section-7.1.5-2">The <code>AuthEncap()</code> and <code>AuthDecap()</code> functions are <span class="bcp14">OPTIONAL</span>. If a KEM algorithm
does not provide them, only the Base and PSK modes of HPKE are supported.
Future specifications that define new KEMs <span class="bcp14">MUST</span> indicate whether or not
Auth and AuthPSK modes are supported.<a href="#section-7.1.5-2" class="pilcrow">¶</a></p>
<p id="section-7.1.5-3">A KEM algorithm may support different encoding algorithms, with different output
lengths, for KEM public keys. Such KEM algorithms <span class="bcp14">MUST</span> specify only one encoding
algorithm whose output length is <code>Npk</code>.<a href="#section-7.1.5-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="kdf-ids">
<section id="section-7.2">
        <h3 id="name-key-derivation-functions-kd">
<a href="#section-7.2" class="section-number selfRef">7.2. </a><a href="#name-key-derivation-functions-kd" class="section-name selfRef">Key Derivation Functions (KDFs)</a>
        </h3>
<span id="name-kdf-ids"></span><div id="kdfid-values">
<table class="center" id="table-3">
          <caption>
<a href="#table-3" class="selfRef">Table 3</a>:
<a href="#name-kdf-ids" class="selfRef">KDF IDs</a>
          </caption>
<thead>
            <tr>
              <th class="text-left" rowspan="1" colspan="1">Value</th>
              <th class="text-left" rowspan="1" colspan="1">KDF</th>
              <th class="text-left" rowspan="1" colspan="1">Nh</th>
              <th class="text-left" rowspan="1" colspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0000</td>
              <td class="text-left" rowspan="1" colspan="1">Reserved</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">RFC 9180</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0001</td>
              <td class="text-left" rowspan="1" colspan="1">HKDF-SHA256</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0002</td>
              <td class="text-left" rowspan="1" colspan="1">HKDF-SHA384</td>
              <td class="text-left" rowspan="1" colspan="1">48</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0003</td>
              <td class="text-left" rowspan="1" colspan="1">HKDF-SHA512</td>
              <td class="text-left" rowspan="1" colspan="1">64</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>
</td>
            </tr>
          </tbody>
        </table>
</div>
<div id="kdf-input-length">
<section id="section-7.2.1">
          <h4 id="name-input-length-restrictions">
<a href="#section-7.2.1" class="section-number selfRef">7.2.1. </a><a href="#name-input-length-restrictions" class="section-name selfRef">Input Length Restrictions</a>
          </h4>
<p id="section-7.2.1-1">This document defines <code>LabeledExtract()</code> and <code>LabeledExpand()</code> based on the
KDFs listed above. These functions add prefixes to their respective
inputs <code>ikm</code> and <code>info</code> before calling the KDF's <code>Extract()</code> and <code>Expand()</code>
functions. This leads to a reduction of the maximum input length that
is available for the inputs <code>psk</code>, <code>psk_id</code>, <code>info</code>, <code>exporter_context</code>,
<code>ikm</code>, i.e., the variable-length parameters provided by HPKE applications.
The following table lists the maximum allowed lengths of these fields
for the KDFs defined in this document, as inclusive bounds in bytes:<a href="#section-7.2.1-1" class="pilcrow">¶</a></p>
<span id="name-application-input-limits"></span><div id="input-limits">
<table class="center" id="table-4">
            <caption>
<a href="#table-4" class="selfRef">Table 4</a>:
<a href="#name-application-input-limits" class="selfRef">Application Input Limits</a>
            </caption>
<thead>
              <tr>
                <th class="text-left" rowspan="1" colspan="1">Input</th>
                <th class="text-left" rowspan="1" colspan="1">HKDF-SHA256</th>
                <th class="text-left" rowspan="1" colspan="1">HKDF-SHA384</th>
                <th class="text-left" rowspan="1" colspan="1">HKDF-SHA512</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">psk</td>
                <td class="text-left" rowspan="1" colspan="1">2^{61} - 88</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 152</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 152</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">psk_id</td>
                <td class="text-left" rowspan="1" colspan="1">2^{61} - 93</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 157</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 157</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">info</td>
                <td class="text-left" rowspan="1" colspan="1">2^{61} - 91</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 155</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 155</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">exporter_context</td>
                <td class="text-left" rowspan="1" colspan="1">2^{61} - 120</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 200</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 216</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">ikm (DeriveKeyPair)</td>
                <td class="text-left" rowspan="1" colspan="1">2^{61} - 84</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 148</td>
                <td class="text-left" rowspan="1" colspan="1">2^{125} - 148</td>
              </tr>
            </tbody>
          </table>
</div>
<p id="section-7.2.1-3">This shows that the limits are only marginally smaller than the maximum
input length of the underlying hash function; these limits are large and
unlikely to be reached in practical applications. Future specifications
that define new KDFs <span class="bcp14">MUST</span> specify bounds for these variable-length
parameters.<a href="#section-7.2.1-3" class="pilcrow">¶</a></p>
<p id="section-7.2.1-4">The <span class="bcp14">RECOMMENDED</span> limit for these values is 64 bytes. This would enable
interoperability with implementations that statically allocate memory
for these inputs to avoid memory allocations.<a href="#section-7.2.1-4" class="pilcrow">¶</a></p>
<p id="section-7.2.1-5">The values for <code>psk</code>, <code>psk_id</code>, <code>info</code>, and <code>ikm</code>, which are inputs to
<code>LabeledExtract()</code>, were computed with the following expression:<a href="#section-7.2.1-5" class="pilcrow">¶</a></p>
<div class="alignLeft art-pseudocode art-text artwork" id="section-7.2.1-6">
<pre>
max_size_hash_input - Nb - size_version_label -
    size_suite_id - size_input_label
</pre><a href="#section-7.2.1-6" class="pilcrow">¶</a>
</div>
<p id="section-7.2.1-7">The value for <code>exporter_context</code>, which is an input to <code>LabeledExpand()</code>,
was computed with the following expression:<a href="#section-7.2.1-7" class="pilcrow">¶</a></p>
<div class="alignLeft art-pseudocode art-text artwork" id="section-7.2.1-8">
<pre>
max_size_hash_input - Nb - Nh - size_version_label -
    size_suite_id - size_input_label - 2 - 1
</pre><a href="#section-7.2.1-8" class="pilcrow">¶</a>
</div>
<p id="section-7.2.1-9">In these equations, <code>max_size_hash_input</code> is the maximum input length
of the underlying hash function in bytes, <code>Nb</code> is the block size of the
underlying hash function in bytes, <code>size_version_label</code> is the size
of "HPKE-v1" in bytes and equals 7, <code>size_suite_id</code> is the size of the
<code>suite_id</code> in bytes and equals 5 for DHKEM (relevant for <code>ikm</code>) and 10 for the
remainder of HPKE (relevant for <code>psk</code>, <code>psk_id</code>, <code>info</code>, and <code>exporter_context</code>),
and <code>size_input_label</code> is the size in bytes of the label used as parameter to
<code>LabeledExtract()</code> or <code>LabeledExpand()</code>, the maximum of which is 13
across all labels in this document.<a href="#section-7.2.1-9" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="aead-ids">
<section id="section-7.3">
        <h3 id="name-authenticated-encryption-wi">
<a href="#section-7.3" class="section-number selfRef">7.3. </a><a href="#name-authenticated-encryption-wi" class="section-name selfRef">Authenticated Encryption with Associated Data (AEAD)
 Functions</a>
        </h3>
<span id="name-aead-ids"></span><div id="aeadid-values">
<table class="center" id="table-5">
          <caption>
<a href="#table-5" class="selfRef">Table 5</a>:
<a href="#name-aead-ids" class="selfRef">AEAD IDs</a>
          </caption>
<thead>
            <tr>
              <th class="text-left" rowspan="1" colspan="1">Value</th>
              <th class="text-left" rowspan="1" colspan="1">AEAD</th>
              <th class="text-left" rowspan="1" colspan="1">Nk</th>
              <th class="text-left" rowspan="1" colspan="1">Nn</th>
              <th class="text-left" rowspan="1" colspan="1">Nt</th>
              <th class="text-left" rowspan="1" colspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0000</td>
              <td class="text-left" rowspan="1" colspan="1">Reserved</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">RFC 9180</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0001</td>
              <td class="text-left" rowspan="1" colspan="1">AES-128-GCM</td>
              <td class="text-left" rowspan="1" colspan="1">16</td>
              <td class="text-left" rowspan="1" colspan="1">12</td>
              <td class="text-left" rowspan="1" colspan="1">16</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#GCM" class="xref">GCM</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0002</td>
              <td class="text-left" rowspan="1" colspan="1">AES-256-GCM</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">12</td>
              <td class="text-left" rowspan="1" colspan="1">16</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#GCM" class="xref">GCM</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0x0003</td>
              <td class="text-left" rowspan="1" colspan="1">ChaCha20Poly1305</td>
              <td class="text-left" rowspan="1" colspan="1">32</td>
              <td class="text-left" rowspan="1" colspan="1">12</td>
              <td class="text-left" rowspan="1" colspan="1">16</td>
              <td class="text-left" rowspan="1" colspan="1">
                <span>[<a href="#RFC8439" class="xref">RFC8439</a>]</span>
</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">0xFFFF</td>
              <td class="text-left" rowspan="1" colspan="1">Export-only</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
              <td class="text-left" rowspan="1" colspan="1">RFC 9180</td>
            </tr>
          </tbody>
        </table>
</div>
<p id="section-7.3-2">The <code>0xFFFF</code> AEAD ID is reserved for applications that only use the Export
interface; see <a href="#hpke-export" class="xref">Section 5.3</a> for more details.<a href="#section-7.3-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="api-considerations">
<section id="section-8">
      <h2 id="name-api-considerations">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-api-considerations" class="section-name selfRef">API Considerations</a>
      </h2>
<p id="section-8-1">This section documents considerations for interfaces to implementations of HPKE.
This includes error handling considerations and recommendations that improve
interoperability when HPKE is used in applications.<a href="#section-8-1" class="pilcrow">¶</a></p>
<div id="auxiliary-authenticated-application-information">
<section id="section-8.1">
        <h3 id="name-auxiliary-authenticated-app">
<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-auxiliary-authenticated-app" class="section-name selfRef">Auxiliary Authenticated Application Information</a>
        </h3>
<p id="section-8.1-1">HPKE has two places at which applications can specify auxiliary authenticated information:
(1) during context construction via the Setup <code>info</code> parameter, and (2) during Context
operations, i.e., with the <code>aad</code> parameter for <code>Open()</code> and <code>Seal()</code>, and the <code>exporter_context</code> parameter
for <code>Export()</code>. Application information applicable to multiple operations on a single Context
should use the Setup <code>info</code> parameter. This avoids redundantly processing this information for
each Context operation. In contrast, application information that varies on a per-message basis
should be specified via the Context APIs (<code>Seal()</code>, <code>Open()</code>, or <code>Export()</code>).<a href="#section-8.1-1" class="pilcrow">¶</a></p>
<p id="section-8.1-2">Applications that only use the single-shot APIs described in <a href="#single-shot-apis" class="xref">Section 6</a> should use the
 Setup <code>info</code> parameter for specifying auxiliary authenticated information. Implementations which
only expose single-shot APIs should not allow applications to use both Setup <code>info</code> and Context
<code>aad</code> or <code>exporter_context</code> auxiliary information parameters.<a href="#section-8.1-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="api-errors">
<section id="section-8.2">
        <h3 id="name-errors">
<a href="#section-8.2" class="section-number selfRef">8.2. </a><a href="#name-errors" class="section-name selfRef">Errors</a>
        </h3>
<p id="section-8.2-1">The high-level, public HPKE APIs specified in this document are all fallible.
These include the Setup functions and all encryption context functions.
For example, <code>Decap()</code> can fail if the encapsulated key <code>enc</code> is invalid,
and <code>Open()</code> may fail if ciphertext decryption fails. The explicit errors
generated throughout this specification, along with the conditions that
lead to each error, are as follows:<a href="#section-8.2-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-8.2-2.1">
            <code>ValidationError</code>: KEM input or output validation failure;
   <a href="#dhkem" class="xref">Section 4.1</a>.<a href="#section-8.2-2.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.2-2.2">
            <code>DeserializeError</code>: Public or private key deserialization
   failure; <a href="#base-crypto" class="xref">Section 4</a>.<a href="#section-8.2-2.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.2-2.3">
            <code>EncapError</code>: <code>Encap()</code> failure; <a href="#base-crypto" class="xref">Section 4</a>.<a href="#section-8.2-2.3" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.2-2.4">
            <code>DecapError</code>: <code>Decap()</code> failure; <a href="#base-crypto" class="xref">Section 4</a>.<a href="#section-8.2-2.4" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.2-2.5">
            <code>OpenError</code>: Context AEAD <code>Open()</code> failure; Sections
   <a href="#base-crypto" class="xref">4</a> and <a href="#hpke-dem" class="xref">5.2</a>.<a href="#section-8.2-2.5" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.2-2.6">
            <code>MessageLimitReachedError</code>: Context AEAD sequence number
   overflow; Sections <a href="#base-crypto" class="xref">4</a> and <a href="#hpke-dem" class="xref">5.2</a>.<a href="#section-8.2-2.6" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.2-2.7">
            <code>DeriveKeyPairError</code>: Key pair derivation failure; <a href="#derive-key-pair" class="xref">Section 7.1.3</a>.<a href="#section-8.2-2.7" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-8.2-3">Implicit errors may also occur. As an example, certain classes of failures,
e.g., malformed recipient public keys, may not yield explicit errors.
For example, for the DHKEM variant described in this specification,
the <code>Encap()</code> algorithm fails when given an invalid recipient public key.
However, other KEM algorithms may not have an efficient algorithm for verifying
the validity of public keys. As a result, an equivalent error may not manifest
until AEAD decryption at the recipient. As another example, DHKEM's <code>AuthDecap()</code>
function will produce invalid output if given the wrong sender public key.
This error is not detectable until subsequent AEAD decryption.<a href="#section-8.2-3" class="pilcrow">¶</a></p>
<p id="section-8.2-4">The errors in this document are meant as a guide for implementors. They are not
an exhaustive list of all the errors an implementation might emit. For example,
future KEMs might have internal failure cases, or an implementation might run
out of memory.<a href="#section-8.2-4" class="pilcrow">¶</a></p>
<p id="section-8.2-5">How these errors are expressed in an API or handled by applications is an
implementation-specific detail. For example, some implementations may abort or
panic upon a <code>DeriveKeyPairError</code> failure given that it only occurs with
negligible probability, whereas other implementations may retry the failed
DeriveKeyPair operation. See <a href="#derive-key-pair" class="xref">Section 7.1.3</a> for more information.
As another example, some implementations of the DHKEM specified in this document
may choose to transform <code>ValidationError</code> from <code>DH()</code> into an <code>EncapError</code> or
<code>DecapError</code> from <code>Encap()</code> or <code>Decap()</code>, respectively, whereas others may choose
to raise <code>ValidationError</code> unmodified.<a href="#section-8.2-5" class="pilcrow">¶</a></p>
<p id="section-8.2-6">Applications using HPKE APIs should not assume that the errors here are complete,
nor should they assume certain classes of errors will always manifest the same way
for all ciphersuites. For example, the DHKEM specified in this document will emit
a <code>DeserializationError</code> or <code>ValidationError</code> if a KEM public key is invalid. However,
a new KEM might not have an efficient algorithm for determining whether or not a
public key is valid. In this case, an invalid public key might instead yield an
<code>OpenError</code> when trying to decrypt a ciphertext.<a href="#section-8.2-6" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="sec-considerations">
<section id="section-9">
      <h2 id="name-security-considerations">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
      </h2>
<div id="sec-properties">
<section id="section-9.1">
        <h3 id="name-security-properties">
<a href="#section-9.1" class="section-number selfRef">9.1. </a><a href="#name-security-properties" class="section-name selfRef">Security Properties</a>
        </h3>
<p id="section-9.1-1">HPKE has several security goals, depending on the mode of operation,
against active and adaptive attackers that can compromise partial
secrets of senders and recipients. The desired security goals are
detailed below:<a href="#section-9.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-9.1-2.1">Message secrecy: Confidentiality of the sender's messages against
   chosen ciphertext attacks<a href="#section-9.1-2.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-9.1-2.2">Export key secrecy: Indistinguishability of each export secret from
   a uniformly random bitstring of equal length, i.e.,
   <code>Context.Export</code> is a variable-length PRF<a href="#section-9.1-2.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-9.1-2.3">Sender authentication: Proof of sender origin for PSK, Auth, and
   AuthPSK modes<a href="#section-9.1-2.3" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-9.1-3">These security goals are expected to hold for any honest sender and
honest recipient keys, as well as if the honest sender and honest
recipient keys are the same.<a href="#section-9.1-3" class="pilcrow">¶</a></p>
<p id="section-9.1-4">HPKE mitigates malleability problems (called benign malleability <span>[<a href="#SECG" class="xref">SECG</a>]</span>) in prior
public key encryption standards based on ECIES by including all public keys in the
context of the key schedule.<a href="#section-9.1-4" class="pilcrow">¶</a></p>
<p id="section-9.1-5">HPKE does not provide forward secrecy with respect to recipient compromise.
In the Base and Auth modes, the secrecy properties are only expected to
hold if the recipient private key <code>skR</code> is not compromised at any point
in time. In the PSK and AuthPSK modes, the secrecy properties are
expected to hold if the recipient private key <code>skR</code> and the pre-shared key
are not both compromised at any point in time. See <a href="#non-goals" class="xref">Section 9.7</a> for more
details.<a href="#section-9.1-5" class="pilcrow">¶</a></p>
<p id="section-9.1-6">In the Auth mode, sender authentication is generally expected to hold if
the sender private key <code>skS</code> is not compromised at the time of message
reception. In the AuthPSK mode, sender authentication is generally
expected to hold if, at the time of message reception, the sender private
key skS and the pre-shared key are not both compromised.<a href="#section-9.1-6" class="pilcrow">¶</a></p>
<p id="section-9.1-7">Besides forward secrecy and key-compromise impersonation, which are highlighted
in this section because of their particular cryptographic importance, HPKE
has other non-goals that are described in <a href="#non-goals" class="xref">Section 9.7</a>: no tolerance of
message reordering or loss, no downgrade or replay prevention, no hiding of the
plaintext length, and no protection against bad ephemeral randomness. <a href="#non-goals" class="xref">Section 9.7</a>
suggests application-level mitigations for some of them.<a href="#section-9.1-7" class="pilcrow">¶</a></p>
<div id="kci">
<section id="section-9.1.1">
          <h4 id="name-key-compromise-impersonatio">
<a href="#section-9.1.1" class="section-number selfRef">9.1.1. </a><a href="#name-key-compromise-impersonatio" class="section-name selfRef">Key-Compromise Impersonation</a>
          </h4>
<p id="section-9.1.1-1">The DHKEM variants defined in this document are
vulnerable to key-compromise impersonation attacks <span>[<a href="#BJM97" class="xref">BJM97</a>]</span>,
which means that sender authentication cannot be expected to hold in the
Auth mode if the recipient private key <code>skR</code> is compromised, and in the
AuthPSK mode if the pre-shared key and the recipient private key <code>skR</code> are
both compromised.

NaCl's <code>box</code> interface <span>[<a href="#NaCl" class="xref">NaCl</a>]</span> has the same issue. At
the same time, this enables repudiability.<a href="#section-9.1.1-1" class="pilcrow">¶</a></p>
<p id="section-9.1.1-2">As shown by <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span>, key-compromise impersonation attacks are generally possible on HPKE
because KEM ciphertexts are not bound to HPKE messages. An adversary who
knows a recipient's private key can decapsulate an observed KEM ciphertext,
compute the key schedule, and encrypt an arbitrary message that the recipient
will accept as coming from the original sender. Importantly, this is possible even
with a KEM that is resistant to key-compromise impersonation attacks. As a
result, mitigating this issue requires fundamental changes that are out of scope
of this specification.<a href="#section-9.1.1-2" class="pilcrow">¶</a></p>
<p id="section-9.1.1-3">Applications that require resistance against key-compromise impersonation
<span class="bcp14">SHOULD</span> take extra steps to prevent this attack. One possibility is to
produce a digital signature over <code>(enc, ct)</code> tuples using a sender's
private key -- where <code>ct</code> is an AEAD ciphertext produced by the single-shot
or multi-shot API and <code>enc</code> is the corresponding KEM encapsulated key.<a href="#section-9.1.1-3" class="pilcrow">¶</a></p>
<p id="section-9.1.1-4">Given these properties, pre-shared keys strengthen both the authentication and the
secrecy properties in certain adversary models. One particular example in which
this can be useful is a hybrid quantum setting: if a
non-quantum-resistant KEM used with HPKE is broken by a
quantum computer, the security properties are preserved through the use
of a pre-shared key. As described in <span><a href="https://www.rfc-editor.org/rfc/rfc8696#section-7" class="relref">Section 7</a> of [<a href="#RFC8696" class="xref">RFC8696</a>]</span> this
assumes that the pre-shared key has not been compromised.<a href="#section-9.1.1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="computational-analysis">
<section id="section-9.1.2">
          <h4 id="name-computational-analysis">
<a href="#section-9.1.2" class="section-number selfRef">9.1.2. </a><a href="#name-computational-analysis" class="section-name selfRef">Computational Analysis</a>
          </h4>
<p id="section-9.1.2-1">It is shown in <span>[<a href="#CS01" class="xref">CS01</a>]</span> that a hybrid public key encryption scheme of
essentially the same form as the Base mode described here is
IND-CCA2-secure as long as the underlying KEM and AEAD schemes are
IND-CCA2-secure. Moreover, it is shown in <span>[<a href="#HHK06" class="xref">HHK06</a>]</span> that IND-CCA2 security
of the KEM and the data encapsulation mechanism are necessary conditions
to achieve IND-CCA2 security for hybrid public key encryption.
The main difference between the scheme proposed in <span>[<a href="#CS01" class="xref">CS01</a>]</span>
and the Base mode in this document (both named HPKE) is that we interpose
some KDF calls between the KEM and the AEAD. Analyzing the HPKE Base mode
instantiation in this document therefore requires verifying that the
additional KDF calls do not cause the IND-CCA2 property to fail, as
well as verifying the additional export key secrecy property.<a href="#section-9.1.2-1" class="pilcrow">¶</a></p>
<p id="section-9.1.2-2">Analysis of the PSK, Auth, and AuthPSK modes defined in this document
additionally requires verifying the sender authentication property.
While the PSK mode just adds supplementary keying material to the key
schedule, the Auth and AuthPSK modes make use of a non-standard
authenticated KEM construction. Generally, the authenticated modes of
HPKE can be viewed and analyzed as flavors of signcryption <span>[<a href="#SigncryptionDZ10" class="xref">SigncryptionDZ10</a>]</span>.<a href="#section-9.1.2-2" class="pilcrow">¶</a></p>
<p id="section-9.1.2-3">A preliminary computational analysis of all HPKE modes has been done
in <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span>, indicating asymptotic security for the case where
the KEM is DHKEM, the AEAD is any IND-CPA-secure and INT-CTXT-secure scheme,
and the DH group and KDF satisfy the following conditions:<a href="#section-9.1.2-3" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-9.1.2-4.1">DH group: The gap Diffie-Hellman (GDH) problem is hard in the
     appropriate subgroup <span>[<a href="#GAP" class="xref">GAP</a>]</span>.<a href="#section-9.1.2-4.1" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-9.1.2-4.2">
              <code>Extract()</code> and <code>Expand()</code>: <code>Extract()</code> can
     be modeled as a random oracle. <code>Expand()</code> can be modeled as a
     pseudorandom function, wherein the first argument is the key.<a href="#section-9.1.2-4.2" class="pilcrow">¶</a>
</li>
          </ul>
<p id="section-9.1.2-5">In particular, the KDFs and DH groups defined in this document (see Sections
<a href="#kdf-ids" class="xref">7.2</a> and <a href="#kem-ids" class="xref">7.1</a>) satisfy these properties when used as
specified. The analysis in <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span> demonstrates that under these
constraints, HPKE continues to provide IND-CCA2 security, and provides
the additional properties noted above. Also, the analysis confirms the
expected properties hold under the different key compromise cases
mentioned above. The analysis considers a sender that sends one message
using the encryption context, and additionally exports two independent
secrets using the secret export interface.<a href="#section-9.1.2-5" class="pilcrow">¶</a></p>
<p id="section-9.1.2-6">The table below summarizes the main results from <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span>. N/A
means that a property does not apply for the given mode, whereas <code>Y</code> means
   the given mode satisfies the property.<a href="#section-9.1.2-6" class="pilcrow">¶</a></p>
<span id="name-hpke-mode-security-properti"></span><table class="center" id="table-6">
            <caption>
<a href="#table-6" class="selfRef">Table 6</a>:
<a href="#name-hpke-mode-security-properti" class="selfRef">HPKE Mode Security Properties</a>
            </caption>
<thead>
              <tr>
                <th class="text-left" rowspan="1" colspan="1">Variant</th>
                <th class="text-center" rowspan="1" colspan="1">Message Sec.</th>
                <th class="text-center" rowspan="1" colspan="1">Export Sec.</th>
                <th class="text-center" rowspan="1" colspan="1">Sender Auth.</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">Base</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">N/A</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">PSK</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">Auth</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
              </tr>
              <tr>
                <td class="text-left" rowspan="1" colspan="1">AuthPSK</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
                <td class="text-center" rowspan="1" colspan="1">Y</td>
              </tr>
            </tbody>
          </table>
<p id="section-9.1.2-8">If non-DH-based KEMs are to be used with HPKE, further analysis will be
necessary to prove their security. The results from <span>[<a href="#CS01" class="xref">CS01</a>]</span> provide
some indication that any IND-CCA2-secure KEM will suffice here, but are
not conclusive given the differences in the schemes.<a href="#section-9.1.2-8" class="pilcrow">¶</a></p>
<p id="section-9.1.2-9">A detailed computational analysis of HPKE's Auth mode single-shot
encryption API has been done in <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span>.
The paper defines security notions for authenticated
KEMs and for authenticated public key encryption, using the outsider and
insider security terminology known from signcryption <span>[<a href="#SigncryptionDZ10" class="xref">SigncryptionDZ10</a>]</span>.
The analysis proves that DHKEM's <code>AuthEncap()</code>/<code>AuthDecap()</code> interface
fulfills these notions for all Diffie-Hellman groups specified in this document.
The analysis also provides exact security bounds, under the assumptions that the
gap Diffie-Hellman (GDH) problem is hard in the appropriate subgroup <span>[<a href="#GAP" class="xref">GAP</a>]</span>,
and that HKDF can be modeled as a random oracle.<a href="#section-9.1.2-9" class="pilcrow">¶</a></p>
<p id="section-9.1.2-10">Further, <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span> proves composition theorems, showing that HPKE's
Auth mode fulfills the security notions of authenticated public key encryption
for all KDFs and AEAD schemes specified in this document, given any
authenticated KEM satisfying the previously defined security notions
for authenticated KEMs. The theorems assume that the KEM is perfectly correct;
they could easily be adapted to work with KEMs that have a nonzero but negligible
probability for decryption failure. The assumptions on the KDF are that <code>Extract()</code>
and <code>Expand()</code> can be modeled as pseudorandom functions wherein the first
argument is the key, respectively. The assumption for the AEAD is
IND-CPA and IND-CTXT security.<a href="#section-9.1.2-10" class="pilcrow">¶</a></p>
<p id="section-9.1.2-11">In summary, the analysis in <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span> proves that the single-shot encryption API of HPKE's
Auth mode satisfies the desired message confidentiality and sender
authentication properties listed at the beginning of this section;
it does not consider multiple messages, nor the secret export API.<a href="#section-9.1.2-11" class="pilcrow">¶</a></p>
</section>
</div>
<div id="post-quantum-security">
<section id="section-9.1.3">
          <h4 id="name-post-quantum-security">
<a href="#section-9.1.3" class="section-number selfRef">9.1.3. </a><a href="#name-post-quantum-security" class="section-name selfRef">Post-Quantum Security</a>
          </h4>
<p id="section-9.1.3-1">All of <span>[<a href="#CS01" class="xref">CS01</a>]</span>, <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span>, and <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span> are premised on
classical security models and assumptions, and do not consider
adversaries capable of quantum computation. A full proof of post-quantum
security would need to take appropriate security models and assumptions
into account, in addition to simply using a post-quantum KEM. However,
the composition theorems from <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span> for HPKE's Auth mode only make
standard assumptions (i.e., no random oracle assumption) that are expected
to hold against quantum adversaries (although with slightly worse bounds).
Thus, these composition theorems, in combination with a post-quantum-secure
authenticated KEM, guarantee the post-quantum security of HPKE's Auth mode.<a href="#section-9.1.3-1" class="pilcrow">¶</a></p>
<p id="section-9.1.3-2">In future work, the analysis from <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span> can be extended to cover
HPKE's other modes and desired security properties.
The hybrid quantum-resistance property described above, which is achieved
by using the PSK or AuthPSK mode, is not proven in <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span> because
this analysis requires the random oracle model; in a quantum
setting, this model needs adaption to, for example, the quantum random
oracle model.<a href="#section-9.1.3-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="kem-security">
<section id="section-9.2">
        <h3 id="name-security-requirements-on-a-">
<a href="#section-9.2" class="section-number selfRef">9.2. </a><a href="#name-security-requirements-on-a-" class="section-name selfRef">Security Requirements on a KEM Used within HPKE</a>
        </h3>
<p id="section-9.2-1">A KEM used within HPKE <span class="bcp14">MUST</span> allow HPKE to satisfy its desired security
properties described in <a href="#sec-properties" class="xref">Section 9.1</a>. <a href="#domain-separation" class="xref">Section 9.6</a> lists
requirements concerning domain separation.<a href="#section-9.2-1" class="pilcrow">¶</a></p>
<p id="section-9.2-2">In particular, the KEM
shared secret <span class="bcp14">MUST</span> be a uniformly random byte string of length <code>Nsecret</code>.
This means, for instance, that it would not be sufficient if the KEM
shared secret is only uniformly random as an element of some set prior
to its encoding as a byte string.<a href="#section-9.2-2" class="pilcrow">¶</a></p>
<div id="encapdecap-interface">
<section id="section-9.2.1">
          <h4 id="name-encap-decap-interface">
<a href="#section-9.2.1" class="section-number selfRef">9.2.1. </a><a href="#name-encap-decap-interface" class="section-name selfRef">Encap/Decap Interface</a>
          </h4>
<p id="section-9.2.1-1">As mentioned in <a href="#sec-considerations" class="xref">Section 9</a>, <span>[<a href="#CS01" class="xref">CS01</a>]</span> provides some indications
that if the KEM's <code>Encap()</code>/<code>Decap()</code> interface (which is used in the Base
and PSK modes) is IND-CCA2-secure, HPKE is able to satisfy its desired
security properties. An appropriate definition of IND-CCA2 security for
KEMs can be found in <span>[<a href="#CS01" class="xref">CS01</a>]</span> and <span>[<a href="#BHK09" class="xref">BHK09</a>]</span>.<a href="#section-9.2.1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authencapauthdecap-interface">
<section id="section-9.2.2">
          <h4 id="name-authencap-authdecap-interfa">
<a href="#section-9.2.2" class="section-number selfRef">9.2.2. </a><a href="#name-authencap-authdecap-interfa" class="section-name selfRef">AuthEncap/AuthDecap Interface</a>
          </h4>
<p id="section-9.2.2-1">The analysis of HPKE's Auth mode single-shot encryption API in <span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span>
provides composition theorems that guarantee that HPKE's Auth mode achieves
its desired security properties if the KEM's <code>AuthEncap()</code>/<code>AuthDecap()</code>
interface satisfies multi-user Outsider-CCA, Outsider-Auth, and
Insider-CCA security, as defined in the same paper.<a href="#section-9.2.2-1" class="pilcrow">¶</a></p>
<p id="section-9.2.2-2">Intuitively, Outsider-CCA security formalizes confidentiality, and
Outsider-Auth security formalizes authentication of the KEM shared secret
in case none of the sender or recipient private keys are compromised.
Insider-CCA security formalizes confidentiality of the KEM shared secret
in case the sender private key is known or chosen by the adversary.
(If the recipient private key is known or chosen by the adversary,
confidentiality is trivially broken, because then the adversary knows
all secrets on the recipient's side).<a href="#section-9.2.2-2" class="pilcrow">¶</a></p>
<p id="section-9.2.2-3">An Insider-Auth security notion would formalize authentication of the
KEM shared secret in case the recipient private key is known or chosen
by the adversary. (If the sender private key is known or chosen by the
adversary, it can create KEM ciphertexts in the name of the sender).
Because of the generic attack on an analogous Insider-Auth security
notion of HPKE described in <a href="#sec-properties" class="xref">Section 9.1</a>, a definition of
Insider-Auth security for KEMs used within HPKE is not useful.<a href="#section-9.2.2-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="kem-key-reuse">
<section id="section-9.2.3">
          <h4 id="name-kem-key-reuse">
<a href="#section-9.2.3" class="section-number selfRef">9.2.3. </a><a href="#name-kem-key-reuse" class="section-name selfRef">KEM Key Reuse</a>
          </h4>
<p id="section-9.2.3-1">An <code>ikm</code> input to <code>DeriveKeyPair()</code> (<a href="#derive-key-pair" class="xref">Section 7.1.3</a>) <span class="bcp14">MUST NOT</span> be
reused elsewhere, in particular not with <code>DeriveKeyPair()</code> of a
different KEM.<a href="#section-9.2.3-1" class="pilcrow">¶</a></p>
<p id="section-9.2.3-2">The randomness used in <code>Encap()</code> and <code>AuthEncap()</code> to generate the
KEM shared secret or its encapsulation <span class="bcp14">MUST NOT</span> be reused elsewhere.<a href="#section-9.2.3-2" class="pilcrow">¶</a></p>
<p id="section-9.2.3-3">Since a KEM key pair belonging to a sender or recipient works with all modes, it can
be used with multiple modes in parallel. HPKE is constructed to be
secure in such settings due to domain separation using the <code>suite_id</code>
variable. However, there is no formal proof of security at the time of
writing for using multiple modes in parallel; <span>[<a href="#HPKEAnalysis" class="xref">HPKEAnalysis</a>]</span> and
<span>[<a href="#ABHKLR20" class="xref">ABHKLR20</a>]</span> only analyze isolated modes.<a href="#section-9.2.3-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="kdf-choice">
<section id="section-9.3">
        <h3 id="name-security-requirements-on-a-k">
<a href="#section-9.3" class="section-number selfRef">9.3. </a><a href="#name-security-requirements-on-a-k" class="section-name selfRef">Security Requirements on a KDF</a>
        </h3>
<p id="section-9.3-1">The choice of the KDF for HPKE <span class="bcp14">SHOULD</span> be made based on the security
level provided by the KEM and, if applicable, by the PSK. The KDF
<span class="bcp14">SHOULD</span> at least have the security level of the KEM and <span class="bcp14">SHOULD</span>
at least have the security level provided by the PSK.<a href="#section-9.3-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="aead-security">
<section id="section-9.4">
        <h3 id="name-security-requirements-on-an">
<a href="#section-9.4" class="section-number selfRef">9.4. </a><a href="#name-security-requirements-on-an" class="section-name selfRef">Security Requirements on an AEAD</a>
        </h3>
<p id="section-9.4-1">All AEADs <span class="bcp14">MUST</span> be IND-CCA2-secure, as is currently true for all AEADs
listed in <a href="#aead-ids" class="xref">Section 7.3</a>.<a href="#section-9.4-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="security-psk">
<section id="section-9.5">
        <h3 id="name-pre-shared-key-recommendati">
<a href="#section-9.5" class="section-number selfRef">9.5. </a><a href="#name-pre-shared-key-recommendati" class="section-name selfRef">Pre-Shared Key Recommendations</a>
        </h3>
<p id="section-9.5-1">In the PSK and AuthPSK modes, the PSK <span class="bcp14">MUST</span> have at least 32 bytes of
entropy and <span class="bcp14">SHOULD</span> be of length <code>Nh</code> bytes or longer. Using a PSK longer than
32 bytes but shorter than <code>Nh</code> bytes is permitted.<a href="#section-9.5-1" class="pilcrow">¶</a></p>
<p id="section-9.5-2">HPKE is specified to use HKDF as its key derivation function. HKDF is not
designed to slow down dictionary attacks (see <span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>). Thus, HPKE's
PSK mechanism is not suitable for use with a low-entropy password as the
PSK: In scenarios in which the adversary knows the KEM shared secret
<code>shared_secret</code> and has access to an oracle that distinguishes between
a good and a wrong PSK, it can perform PSK-recovering attacks. This oracle
can be the decryption operation on a captured HPKE ciphertext or any other
recipient behavior that is observably different when using a wrong PSK.
The adversary knows the KEM shared secret <code>shared_secret</code> if it knows all
KEM private keys of one participant. In the PSK mode, this is trivially
the case if the adversary acts as the sender.<a href="#section-9.5-2" class="pilcrow">¶</a></p>
<p id="section-9.5-3">To recover a lower entropy PSK, an attacker in this scenario can trivially
perform a dictionary attack. Given a set <code>S</code> of possible PSK values, the
attacker generates an HPKE ciphertext for each value in <code>S</code>, and submits
the resulting ciphertexts to the oracle to learn which PSK is being used by
the recipient. Further, because HPKE uses AEAD schemes that are not key-committing,
an attacker can mount a partitioning oracle attack <span>[<a href="#LGR20" class="xref">LGR20</a>]</span> that can recover
the PSK from a set of <code>S</code> possible PSK values, with |S| = m*k, in roughly
m + log k queries to the oracle using ciphertexts of length proportional to
k, the maximum message length in blocks. (Applying the multi-collision algorithm from
<span>[<a href="#LGR20" class="xref">LGR20</a>]</span> requires a small adaptation to the algorithm wherein the appropriate nonce
is computed for each candidate key. This modification adds one call to HKDF per key.
The number of partitioning oracle queries remains unchanged.) As a result, the PSK
must therefore be chosen with sufficient entropy so that m + log k is prohibitive for
attackers (e.g., 2^128). Future specifications can define new AEAD algorithms that
are key-committing.<a href="#section-9.5-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="domain-separation">
<section id="section-9.6">
        <h3 id="name-domain-separation">
<a href="#section-9.6" class="section-number selfRef">9.6. </a><a href="#name-domain-separation" class="section-name selfRef">Domain Separation</a>
        </h3>
<p id="section-9.6-1">HPKE allows combining a DHKEM variant <code>DHKEM(Group, KDF')</code> and a KDF
such that both KDFs are instantiated by the same KDF. By design, the
calls to <code>Extract()</code> and <code>Expand()</code> inside DHKEM and the remainder of
HPKE use separate input domains. This justifies modeling them as
independent functions even if instantiated by the same KDF.
This domain separation between DHKEM and the remainder of HPKE is achieved by
using prefix-free sets of <code>suite_id</code> values in <code>LabeledExtract()</code> and <code>LabeledExpand()</code> (<code>KEM...</code> in DHKEM and <code>HPKE...</code> in the remainder of HPKE). Recall that a set is prefix-free if no element is a prefix of
another within the set.<a href="#section-9.6-1" class="pilcrow">¶</a></p>
<p id="section-9.6-2">Future KEM instantiations <span class="bcp14">MUST</span> ensure, should <code>Extract()</code> and
<code>Expand()</code> be used internally, that they can be modeled as functions
independent from the invocations of <code>Extract()</code> and <code>Expand()</code> in the
remainder of HPKE. One way to ensure this is by using <code>LabeledExtract()</code>
and <code>LabeledExpand()</code> with a <code>suite_id</code> as defined in <a href="#base-crypto" class="xref">Section 4</a>,
which will ensure input domain separation, as outlined above.
Particular attention needs to
be paid if the KEM directly invokes functions that are used internally
in HPKE's <code>Extract()</code> or <code>Expand()</code>, such as <code>Hash()</code> and <code>HMAC()</code> in the case of HKDF.
It <span class="bcp14">MUST</span> be ensured that inputs to these invocations cannot collide with
inputs to the internal invocations of these functions inside <code>Extract()</code> or
<code>Expand()</code>. In HPKE's <code>KeySchedule()</code> this is avoided by using <code>Extract()</code> instead of
<code>Hash()</code> on the arbitrary-length inputs <code>info</code> and <code>psk_id</code>.<a href="#section-9.6-2" class="pilcrow">¶</a></p>
<p id="section-9.6-3">The string literal "HPKE-v1" used in <code>LabeledExtract()</code> and <code>LabeledExpand()</code>
ensures that any secrets derived in HPKE are bound to the scheme's name
and version, even when possibly derived from the same Diffie-Hellman or
KEM shared secret as in another scheme or version.<a href="#section-9.6-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="non-goals">
<section id="section-9.7">
        <h3 id="name-application-embedding-and-n">
<a href="#section-9.7" class="section-number selfRef">9.7. </a><a href="#name-application-embedding-and-n" class="section-name selfRef">Application Embedding and Non-Goals</a>
        </h3>
<p id="section-9.7-1">HPKE is designed to be a fairly low-level mechanism.  As a result, it assumes
that certain properties are provided by the application in which HPKE is
embedded and leaves certain security properties to be provided by other
mechanisms. Otherwise said, certain properties are out of scope for HPKE.<a href="#section-9.7-1" class="pilcrow">¶</a></p>
<div id="message-order-and-message-loss">
<section id="section-9.7.1">
          <h4 id="name-message-order-and-message-l">
<a href="#section-9.7.1" class="section-number selfRef">9.7.1. </a><a href="#name-message-order-and-message-l" class="section-name selfRef">Message Order and Message Loss</a>
          </h4>
<p id="section-9.7.1-1">The primary requirement that HPKE imposes on applications is the requirement
that ciphertexts <span class="bcp14">MUST</span> be presented to <code>ContextR.Open()</code> in the same order in
which they were generated by <code>ContextS.Seal()</code>.  When the single-shot API is
used (see <a href="#single-shot-apis" class="xref">Section 6</a>), this is trivially true (since there is only
ever one ciphertext).  Applications that allow for multiple invocations of
<code>Open()</code> / <code>Seal()</code> on the same context <span class="bcp14">MUST</span> enforce the ordering property
described above.<a href="#section-9.7.1-1" class="pilcrow">¶</a></p>
<p id="section-9.7.1-2">Ordering requirements of this character are usually fulfilled by providing a
sequence number in the framing of encrypted messages.  Whatever information is
used to determine the ordering of HPKE-encrypted messages <span class="bcp14">SHOULD</span> be included in
the associated data passed to <code>ContextS.Seal()</code> and <code>ContextR.Open()</code>.  The specifics of
this scheme are up to the application.<a href="#section-9.7.1-2" class="pilcrow">¶</a></p>
<p id="section-9.7.1-3">HPKE is not tolerant of lost messages. Applications <span class="bcp14">MUST</span> be able to detect when
a message has been lost.  When an unrecoverable loss is detected, the application <span class="bcp14">MUST</span> discard
any associated HPKE context.<a href="#section-9.7.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="downgrade-prevention">
<section id="section-9.7.2">
          <h4 id="name-downgrade-prevention">
<a href="#section-9.7.2" class="section-number selfRef">9.7.2. </a><a href="#name-downgrade-prevention" class="section-name selfRef">Downgrade Prevention</a>
          </h4>
<p id="section-9.7.2-1">HPKE assumes that the sender and recipient agree on what algorithms to use.
Depending on how these algorithms are negotiated, it may be possible for an
intermediary to force the two parties to use suboptimal algorithms.<a href="#section-9.7.2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="replay-protection">
<section id="section-9.7.3">
          <h4 id="name-replay-protection">
<a href="#section-9.7.3" class="section-number selfRef">9.7.3. </a><a href="#name-replay-protection" class="section-name selfRef">Replay Protection</a>
          </h4>
<p id="section-9.7.3-1">The requirement that ciphertexts be presented to the <code>ContextR.Open()</code> function
in the same order they were generated by <code>ContextS.Seal()</code> provides a degree of
replay protection within a stream of ciphertexts resulting from a given context.
HPKE provides no other replay protection.<a href="#section-9.7.3-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="forward-secrecy">
<section id="section-9.7.4">
          <h4 id="name-forward-secrecy">
<a href="#section-9.7.4" class="section-number selfRef">9.7.4. </a><a href="#name-forward-secrecy" class="section-name selfRef">Forward Secrecy</a>
          </h4>
<p id="section-9.7.4-1">HPKE ciphertexts are not forward secret with respect to recipient compromise
in any mode. This means that compromise of long-term recipient secrets allows
an attacker to decrypt past ciphertexts encrypted under said secrets. This is because
only long-term secrets are used on the side of the recipient.<a href="#section-9.7.4-1" class="pilcrow">¶</a></p>
<p id="section-9.7.4-2">HPKE ciphertexts are forward secret with respect to sender compromise in all
modes. This is because ephemeral randomness is used on the sender's side, which
is supposed to be erased directly after computation of the KEM shared secret and
ciphertext.<a href="#section-9.7.4-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="bad-ephemeral-randomness">
<section id="section-9.7.5">
          <h4 id="name-bad-ephemeral-randomness">
<a href="#section-9.7.5" class="section-number selfRef">9.7.5. </a><a href="#name-bad-ephemeral-randomness" class="section-name selfRef">Bad Ephemeral Randomness</a>
          </h4>
<p id="section-9.7.5-1">If the randomness used for KEM encapsulation is bad -- i.e., of low entropy or
compromised because of a broken or subverted random number generator -- the
confidentiality guarantees of HPKE degrade significantly. In Base mode,
confidentiality guarantees can be lost completely; in the other modes, at least forward secrecy with
respect to sender compromise can be lost completely.<a href="#section-9.7.5-1" class="pilcrow">¶</a></p>
<p id="section-9.7.5-2">Such a situation could also lead to the reuse of the same KEM shared secret
and thus to the reuse of same key-nonce pairs for the AEAD.
The AEADs specified in this document are not secure
in case of nonce reuse. This attack vector is particularly relevant in
authenticated modes because knowledge of the ephemeral randomness is not
enough to derive <code>shared_secret</code> in these modes.<a href="#section-9.7.5-2" class="pilcrow">¶</a></p>
<p id="section-9.7.5-3">One way for applications to mitigate the impacts of bad ephemeral randomness is
to combine ephemeral randomness with a local long-term secret that has been
generated securely, as described in <span>[<a href="#RFC8937" class="xref">RFC8937</a>]</span>.<a href="#section-9.7.5-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="hiding-plaintext-length">
<section id="section-9.7.6">
          <h4 id="name-hiding-plaintext-length">
<a href="#section-9.7.6" class="section-number selfRef">9.7.6. </a><a href="#name-hiding-plaintext-length" class="section-name selfRef">Hiding Plaintext Length</a>
          </h4>
<p id="section-9.7.6-1">AEAD ciphertexts produced by HPKE do not hide the plaintext length. Applications
requiring this level of privacy should use a suitable padding mechanism. See
<span>[<a href="#I-D.ietf-tls-esni" class="xref">TLS-ECH</a>]</span> and <span>[<a href="#RFC8467" class="xref">RFC8467</a>]</span> for examples of protocol-specific
padding policies.<a href="#section-9.7.6-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="bidirectional">
<section id="section-9.8">
        <h3 id="name-bidirectional-encryption">
<a href="#section-9.8" class="section-number selfRef">9.8. </a><a href="#name-bidirectional-encryption" class="section-name selfRef">Bidirectional Encryption</a>
        </h3>
<p id="section-9.8-1">As discussed in <a href="#hpke-dem" class="xref">Section 5.2</a>, HPKE encryption is unidirectional from sender
to recipient. Applications that require bidirectional encryption can derive
necessary keying material with the secret export interface (<a href="#hpke-export" class="xref">Section 5.3</a>).
The type and length of such keying material depends on the application use
case.<a href="#section-9.8-1" class="pilcrow">¶</a></p>
<p id="section-9.8-2">As an example, if an application needs AEAD encryption from the recipient to the
sender, it can derive a key and nonce from the corresponding HPKE context
as follows:<a href="#section-9.8-2" class="pilcrow">¶</a></p>
<div id="section-9.8-3">
<pre class="lang-pseudocode sourcecode">
key = context.Export("response key", Nk)
nonce = context.Export("response nonce", Nn)
</pre><a href="#section-9.8-3" class="pilcrow">¶</a>
</div>
<p id="section-9.8-4">In this example, the length of each secret is based on the AEAD algorithm
used for the corresponding HPKE context.<a href="#section-9.8-4" class="pilcrow">¶</a></p>
<p id="section-9.8-5">Note that HPKE's limitations with regard to sender authentication become limits
on recipient authentication in this context. In particular, in the Base mode,
there is no authentication of the remote party at all. Even in the Auth mode,
where the remote party has proven that they hold a specific private key, this
authentication is still subject to key-compromise impersonation, as discussed
in <a href="#kci" class="xref">Section 9.1.1</a>.<a href="#section-9.8-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="metadata-protection">
<section id="section-9.9">
        <h3 id="name-metadata-protection">
<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-metadata-protection" class="section-name selfRef">Metadata Protection</a>
        </h3>
<p id="section-9.9-1">The authenticated modes of HPKE (PSK, Auth, and AuthPSK) require that the recipient
know what key material to use for the sender.  This can be signaled in
applications by sending the PSK ID (<code>psk_id</code> above) and/or the sender's public
key (<code>pkS</code>).  However, these values themselves might be considered sensitive,
since, in a given application context, they might identify the sender.<a href="#section-9.9-1" class="pilcrow">¶</a></p>
<p id="section-9.9-2">An application that wishes to protect these metadata values without requiring
further provisioning of keys can use an additional instance of HPKE, using the
unauthenticated Base mode.  Where the application might have sent <code>(psk_id, pkS,
enc, ciphertext)</code> before, it would now send <code>(enc2, ciphertext2, enc, ciphertext)</code>,
where <code>(enc2, ciphertext2)</code> represent the encryption of the <code>psk_id</code> and <code>pkS</code>
values.<a href="#section-9.9-2" class="pilcrow">¶</a></p>
<p id="section-9.9-3">The cost of this approach is an additional KEM operation each for the sender and
the recipient.  A potential lower-cost approach (involving only symmetric
operations) would be available if the nonce-protection schemes in <span>[<a href="#BNT19" class="xref">BNT19</a>]</span>
could be extended to cover other metadata.  However, this construction would
require further analysis.<a href="#section-9.9-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="message-encoding">
<section id="section-10">
      <h2 id="name-message-encoding">
<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-message-encoding" class="section-name selfRef">Message Encoding</a>
      </h2>
<p id="section-10-1">This document does not specify a wire format encoding for HPKE messages. Applications
that adopt HPKE must therefore specify an unambiguous encoding mechanism that includes,
minimally: the encapsulated value <code>enc</code>, ciphertext value(s) (and order if there are
multiple), and any info values that are not implicit. One example of a non-implicit
value is the recipient public key used for encapsulation, which may be needed if a
recipient has more than one public key.<a href="#section-10-1" class="pilcrow">¶</a></p>
<p id="section-10-2">The AEAD interface used in this document is based on <span>[<a href="#RFC5116" class="xref">RFC5116</a>]</span>, which produces and
consumes a single ciphertext value. As discussed in <span>[<a href="#RFC5116" class="xref">RFC5116</a>]</span>, this ciphertext value
contains the encrypted plaintext as well as any authentication data, encoded in a manner
described by the individual AEAD scheme. Some implementations are not structured in this
way, instead providing a separate ciphertext and authentication tag. When such
AEAD implementations are used in HPKE implementations, the HPKE implementation must combine
these inputs into a single ciphertext value within <code>Seal()</code> and parse them out within
<code>Open()</code>, where the parsing details are defined by the AEAD scheme. For example, with
the AES-GCM schemes specified in this document, the GCM authentication tag is placed in
the last Nt bytes of the ciphertext output.<a href="#section-10-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="iana">
<section id="section-11">
      <h2 id="name-iana-considerations">
<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<p id="section-11-1">IANA has created three new registries:<a href="#section-11-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-11-2.1">HPKE KEM Identifiers<a href="#section-11-2.1" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-11-2.2">HPKE KDF Identifiers<a href="#section-11-2.2" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-11-2.3">HPKE AEAD Identifiers<a href="#section-11-2.3" class="pilcrow">¶</a>
</li>
      </ul>
<p id="section-11-3">All these registries are under "Hybrid Public Key
Encryption", and administered under a Specification Required policy <span>[<a href="#RFC8126" class="xref">RFC8126</a>]</span>.<a href="#section-11-3" class="pilcrow">¶</a></p>
<div id="kem-template">
<section id="section-11.1">
        <h3 id="name-kem-identifiers">
<a href="#section-11.1" class="section-number selfRef">11.1. </a><a href="#name-kem-identifiers" class="section-name selfRef">KEM Identifiers</a>
        </h3>
<p id="section-11.1-1">The "HPKE KEM Identifiers" registry lists identifiers for key encapsulation
algorithms defined for use with HPKE.  These identifiers are two-byte values,
 so the maximum possible value is 0xFFFF = 65535.<a href="#section-11.1-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlNewline" id="section-11.1-2">
          <dt id="section-11.1-2.1">Template:</dt>
          <dd style="margin-left: 1.5em" id="section-11.1-2.2">
            <span class="break"></span><dl class="dlParallel" id="section-11.1-2.2.1">
              <dt id="section-11.1-2.2.1.1">Value:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.2">The two-byte identifier for the algorithm<a href="#section-11.1-2.2.1.2" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.3">KEM:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.4">The name of the algorithm<a href="#section-11.1-2.2.1.4" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.5">Nsecret:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.6">The length in bytes of a KEM shared secret produced by the algorithm<a href="#section-11.1-2.2.1.6" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.7">Nenc:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.8">The length in bytes of an encoded encapsulated key produced by the
       algorithm<a href="#section-11.1-2.2.1.8" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.9">Npk:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.10">The length in bytes of an encoded public key for the algorithm<a href="#section-11.1-2.2.1.10" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.11">Nsk:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.12">The length in bytes of an encoded private key for the algorithm<a href="#section-11.1-2.2.1.12" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.13">Auth:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.14">A boolean indicating if this algorithm provides the
       <code>AuthEncap()</code>/<code>AuthDecap()</code> interface<a href="#section-11.1-2.2.1.14" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.1-2.2.1.15">Reference:</dt>
              <dd style="margin-left: 1.5em" id="section-11.1-2.2.1.16">Where this algorithm is defined<a href="#section-11.1-2.2.1.16" class="pilcrow">¶</a>
</dd>
            <dd class="break"></dd>
</dl>
</dd>
        <dd class="break"></dd>
</dl>
<span class="break"></span><dl class="dlParallel" id="section-11.1-3">
          <dt id="section-11.1-3.1">Initial contents:</dt>
          <dd style="margin-left: 1.5em" id="section-11.1-3.2">Provided in <a href="#kemid-values" class="xref">Table 2</a><a href="#section-11.1-3.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
</section>
</div>
<div id="kdf-identifiers">
<section id="section-11.2">
        <h3 id="name-kdf-identifiers">
<a href="#section-11.2" class="section-number selfRef">11.2. </a><a href="#name-kdf-identifiers" class="section-name selfRef">KDF Identifiers</a>
        </h3>
<p id="section-11.2-1">The "HPKE KDF Identifiers" registry lists identifiers for key derivation
functions defined for use with HPKE.  These identifiers are two-byte values,
 so the maximum possible value is 0xFFFF = 65535.<a href="#section-11.2-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlNewline" id="section-11.2-2">
          <dt id="section-11.2-2.1">Template:</dt>
          <dd style="margin-left: 1.5em" id="section-11.2-2.2">
            <span class="break"></span><dl class="dlParallel" id="section-11.2-2.2.1">
              <dt id="section-11.2-2.2.1.1">Value:</dt>
              <dd style="margin-left: 1.5em" id="section-11.2-2.2.1.2">The two-byte identifier for the algorithm<a href="#section-11.2-2.2.1.2" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.2-2.2.1.3">KDF:</dt>
              <dd style="margin-left: 1.5em" id="section-11.2-2.2.1.4">The name of the algorithm<a href="#section-11.2-2.2.1.4" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.2-2.2.1.5">Nh:</dt>
              <dd style="margin-left: 1.5em" id="section-11.2-2.2.1.6">The output size of the Extract function in bytes<a href="#section-11.2-2.2.1.6" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.2-2.2.1.7">Reference:</dt>
              <dd style="margin-left: 1.5em" id="section-11.2-2.2.1.8">Where this algorithm is defined<a href="#section-11.2-2.2.1.8" class="pilcrow">¶</a>
</dd>
            <dd class="break"></dd>
</dl>
</dd>
        <dd class="break"></dd>
</dl>
<span class="break"></span><dl class="dlParallel" id="section-11.2-3">
          <dt id="section-11.2-3.1">Initial contents:</dt>
          <dd style="margin-left: 1.5em" id="section-11.2-3.2">Provided in <a href="#kdfid-values" class="xref">Table 3</a><a href="#section-11.2-3.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
</section>
</div>
<div id="aead-identifiers">
<section id="section-11.3">
        <h3 id="name-aead-identifiers">
<a href="#section-11.3" class="section-number selfRef">11.3. </a><a href="#name-aead-identifiers" class="section-name selfRef">AEAD Identifiers</a>
        </h3>
<p id="section-11.3-1">The "HPKE AEAD Identifiers" registry lists identifiers for authenticated
encryption with associated data (AEAD) algorithms defined for use with HPKE.
These identifiers are two-byte values, so the maximum possible value is
 0xFFFF = 65535.<a href="#section-11.3-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlNewline" id="section-11.3-2">
          <dt id="section-11.3-2.1">Template:</dt>
          <dd style="margin-left: 1.5em" id="section-11.3-2.2">
            <span class="break"></span><dl class="dlParallel" id="section-11.3-2.2.1">
              <dt id="section-11.3-2.2.1.1">Value:</dt>
              <dd style="margin-left: 1.5em" id="section-11.3-2.2.1.2">The two-byte identifier for the algorithm<a href="#section-11.3-2.2.1.2" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.3-2.2.1.3">AEAD:</dt>
              <dd style="margin-left: 1.5em" id="section-11.3-2.2.1.4">The name of the algorithm<a href="#section-11.3-2.2.1.4" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.3-2.2.1.5">Nk:</dt>
              <dd style="margin-left: 1.5em" id="section-11.3-2.2.1.6">The length in bytes of a key for this algorithm<a href="#section-11.3-2.2.1.6" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.3-2.2.1.7">Nn:</dt>
              <dd style="margin-left: 1.5em" id="section-11.3-2.2.1.8">The length in bytes of a nonce for this algorithm<a href="#section-11.3-2.2.1.8" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.3-2.2.1.9">Nt:</dt>
              <dd style="margin-left: 1.5em" id="section-11.3-2.2.1.10">The length in bytes of an authentication tag for this algorithm<a href="#section-11.3-2.2.1.10" class="pilcrow">¶</a>
</dd>
              <dd class="break"></dd>
<dt id="section-11.3-2.2.1.11">Reference:</dt>
              <dd style="margin-left: 1.5em" id="section-11.3-2.2.1.12">Where this algorithm is defined<a href="#section-11.3-2.2.1.12" class="pilcrow">¶</a>
</dd>
            <dd class="break"></dd>
</dl>
</dd>
        <dd class="break"></dd>
</dl>
<span class="break"></span><dl class="dlParallel" id="section-11.3-3">
          <dt id="section-11.3-3.1">Initial contents:</dt>
          <dd style="margin-left: 1.5em" id="section-11.3-3.2">Provided in <a href="#aeadid-values" class="xref">Table 5</a><a href="#section-11.3-3.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
</section>
</div>
</section>
</div>
<section id="section-12">
      <h2 id="name-references">
<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-12.1">
        <h3 id="name-normative-references">
<a href="#section-12.1" class="section-number selfRef">12.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="RFC2119">[RFC2119]</dt>
        <dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC5116">[RFC5116]</dt>
        <dd>
<span class="refAuthor">McGrew, D.</span>, <span class="refTitle">"An Interface and Algorithms for Authenticated Encryption"</span>, <span class="seriesInfo">RFC 5116</span>, <span class="seriesInfo">DOI 10.17487/RFC5116</span>, <time datetime="2008-01" class="refDate">January 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5116">https://www.rfc-editor.org/info/rfc5116</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8017">[RFC8017]</dt>
        <dd>
<span class="refAuthor">Moriarty, K., Ed.</span>, <span class="refAuthor">Kaliski, B.</span>, <span class="refAuthor">Jonsson, J.</span>, and <span class="refAuthor">A. Rusch</span>, <span class="refTitle">"PKCS #1: RSA Cryptography Specifications Version 2.2"</span>, <span class="seriesInfo">RFC 8017</span>, <span class="seriesInfo">DOI 10.17487/RFC8017</span>, <time datetime="2016-11" class="refDate">November 2016</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8017">https://www.rfc-editor.org/info/rfc8017</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8126">[RFC8126]</dt>
        <dd>
<span class="refAuthor">Cotton, M.</span>, <span class="refAuthor">Leiba, B.</span>, and <span class="refAuthor">T. Narten</span>, <span class="refTitle">"Guidelines for Writing an IANA Considerations Section in RFCs"</span>, <span class="seriesInfo">BCP 26</span>, <span class="seriesInfo">RFC 8126</span>, <span class="seriesInfo">DOI 10.17487/RFC8126</span>, <time datetime="2017-06" class="refDate">June 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8126">https://www.rfc-editor.org/info/rfc8126</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
      <dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
<section id="section-12.2">
        <h3 id="name-informative-references">
<a href="#section-12.2" class="section-number selfRef">12.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
        </h3>
<dl class="references">
<dt id="ABHKLR20">[ABHKLR20]</dt>
        <dd>
<span class="refAuthor">Alwen, J.</span>, <span class="refAuthor">Blanchet, B.</span>, <span class="refAuthor">Hauck, E.</span>, <span class="refAuthor">Kiltz, E.</span>, <span class="refAuthor">Lipp, B.</span>, and <span class="refAuthor">D. Riepel</span>, <span class="refTitle">"Analysing the HPKE Standard"</span>, <time datetime="2020-11" class="refDate">November 2020</time>, <span>&lt;<a href="https://eprint.iacr.org/2020/1499">https://eprint.iacr.org/2020/1499</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="ANSI">[ANSI]</dt>
        <dd>
<span class="refAuthor">American National Standards Institute (ANSI)</span>, <span class="refTitle">"ANSI - X9.63 Public Key Cryptography for the Financial Services Industry Key Agreement and Key Transport Using Elliptic Curve Cryptography"</span>, <time datetime="2001-11" class="refDate">November 2001</time>. </dd>
<dd class="break"></dd>
<dt id="BHK09">[BHK09]</dt>
        <dd>
<span class="refAuthor">Bellare, M.</span>, <span class="refAuthor">Hofheinz, D.</span>, and <span class="refAuthor">E. Kiltz</span>, <span class="refTitle">"Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?"</span>, <time datetime="2009-08" class="refDate">August 2009</time>, <span>&lt;<a href="https://eprint.iacr.org/2009/418">https://eprint.iacr.org/2009/418</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="BJM97">[BJM97]</dt>
        <dd>
<span class="refAuthor">Blake-Wilson, S.</span>, <span class="refAuthor">Johnson, D.</span>, and <span class="refAuthor">A. Menezes</span>, <span class="refTitle">"Key agreement protocols and their security analysis: Extended Abstract"</span>, <span class="refContent">Crytography and Coding, pp. 30-45</span>, <span class="seriesInfo">DOI 10.1007/bfb0024447</span>, <time datetime="2005-06" class="refDate">June 2005</time>, <span>&lt;<a href="https://doi.org/10.1007/bfb0024447">https://doi.org/10.1007/bfb0024447</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="BNT19">[BNT19]</dt>
        <dd>
<span class="refAuthor">Bellare, M.</span>, <span class="refAuthor">Ng, R.</span>, and <span class="refAuthor">B. Tackmann</span>, <span class="refTitle">"Nonces Are Noticed: AEAD Revisited"</span>, <time datetime="2019-08" class="refDate">August 2019</time>, <span>&lt;<a href="http://dx.doi.org/10.1007/978-3-030-26948-7_9">http://dx.doi.org/10.1007/978-3-030-26948-7_9</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="CS01">[CS01]</dt>
        <dd>
<span class="refAuthor">Cramer, R.</span> and <span class="refAuthor">V. Shoup</span>, <span class="refTitle">"Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack"</span>, <time datetime="2001-12" class="refDate">December 2001</time>, <span>&lt;<a href="https://eprint.iacr.org/2001/108">https://eprint.iacr.org/2001/108</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="GAP">[GAP]</dt>
        <dd>
<span class="refAuthor">Okamoto, T.</span> and <span class="refAuthor">D. Pointcheval</span>, <span class="refTitle">"The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes"</span>, <span class="seriesInfo">ISBN 978-3-540-44586-9</span>, <time datetime="2001-06" class="refDate">June 2001</time>, <span>&lt;<a href="https://link.springer.com/content/pdf/10.1007/3-540-44586-2_8.pdf">https://link.springer.com/content/pdf/10.1007/3-540-44586-2_8.pdf</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="GCM">[GCM]</dt>
        <dd>
<span class="refAuthor">Dworkin, M.</span>, <span class="refTitle">"Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC"</span>, <span class="seriesInfo">DOI 10.6028/nist.sp.800-38d</span>, <span class="seriesInfo">SP 800-38D</span>, <time datetime="2007-11" class="refDate">November 2007</time>, <span>&lt;<a href="https://doi.org/10.6028/nist.sp.800-38d">https://doi.org/10.6028/nist.sp.800-38d</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="HHK06">[HHK06]</dt>
        <dd>
<span class="refAuthor">Herranz, J.</span>, <span class="refAuthor">Hofheinz, D.</span>, and <span class="refAuthor">E. Kiltz</span>, <span class="refTitle">"Some (in)sufficient conditions for secure hybrid encryption."</span>, <time datetime="2006-08" class="refDate">August 2006</time>, <span>&lt;<a href="https://eprint.iacr.org/2006/265">https://eprint.iacr.org/2006/265</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="HPKEAnalysis">[HPKEAnalysis]</dt>
        <dd>
<span class="refAuthor">Lipp, B.</span>, <span class="refTitle">"An Analysis of Hybrid Public Key Encryption"</span>, <time datetime="2020-02" class="refDate">February 2020</time>, <span>&lt;<a href="https://eprint.iacr.org/2020/243">https://eprint.iacr.org/2020/243</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="IEEE1363">[IEEE1363]</dt>
        <dd>
<span class="refAuthor">IEEE</span>, <span class="refTitle">"IEEE Standard Specifications for Public-Key Cryptography - Amendment 1: Additional Techniques"</span>, <span class="seriesInfo">IEEE Std 1363a-2004</span>. </dd>
<dd class="break"></dd>
<dt id="IMB">[IMB]</dt>
        <dd>
<span class="refAuthor">Diffie, W.</span>, <span class="refAuthor">Van Oorschot, P.</span>, and <span class="refAuthor">M. Wiener</span>, <span class="refTitle">"Authentication and authenticated key exchanges"</span>, <span class="refContent">Designs, Codes and Cryptography, Vol. 2, pp. 107-125</span>, <span class="seriesInfo">DOI 10.1007/bf00124891</span>, <time datetime="1992-06" class="refDate">June 1992</time>, <span>&lt;<a href="https://doi.org/10.1007/bf00124891">https://doi.org/10.1007/bf00124891</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="ISO">[ISO]</dt>
        <dd>
<span class="refAuthor">International Organization for Standardization</span>, <span class="refTitle">"Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers"</span>, <span class="seriesInfo">ISO/IEC 18033-2:2006</span>, <time datetime="2006-05" class="refDate">May 2006</time>. </dd>
<dd class="break"></dd>
<dt id="keyagreement">[keyagreement]</dt>
        <dd>
<span class="refAuthor">Barker, E.</span>, <span class="refAuthor">Chen, L.</span>, <span class="refAuthor">Roginsky, A.</span>, <span class="refAuthor">Vassilev, A.</span>, and <span class="refAuthor">R. Davis</span>, <span class="refTitle">"Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography"</span>, <span class="refContent">NIST Special Publication 800-56A Revision 3</span>, <span class="seriesInfo">DOI 10.6028/nist.sp.800-56ar3</span>, <time datetime="2018-04" class="refDate">April 2018</time>, <span>&lt;<a href="https://doi.org/10.6028/nist.sp.800-56ar3">https://doi.org/10.6028/nist.sp.800-56ar3</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="LGR20">[LGR20]</dt>
        <dd>
<span class="refAuthor">Len, J.</span>, <span class="refAuthor">Grubbs, P.</span>, and <span class="refAuthor">T. Ristenpart</span>, <span class="refTitle">"Partitioning Oracle Attacks"</span>. </dd>
<dd class="break"></dd>
<dt id="MAEA10">[MAEA10]</dt>
        <dd>
<span class="refAuthor">Gayoso Martinez, V.</span>, <span class="refAuthor">Hernandez Alvarez, F.</span>, <span class="refAuthor">Hernandez Encinas, L.</span>, and <span class="refAuthor">C. Sanchez Avila</span>, <span class="refTitle">"A comparison of the standardized versions of ECIES"</span>, <time datetime="2010-10" class="refDate">October 2010</time>, <span>&lt;<a href="https://ieeexplore.ieee.org/abstract/document/5604194/">https://ieeexplore.ieee.org/abstract/document/5604194/</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-mls-protocol">[MLS-PROTOCOL]</dt>
        <dd>
<span class="refAuthor">Barnes, R.</span>, <span class="refAuthor">Beurdouche, B.</span>, <span class="refAuthor">Robert, R.</span>, <span class="refAuthor">Millican, J.</span>, <span class="refAuthor">Omara, E.</span>, and <span class="refAuthor">K. Cohn-Gordon</span>, <span class="refTitle">"The Messaging Layer Security (MLS) Protocol"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-mls-protocol-12</span>, <time datetime="2021-10-11" class="refDate">11 October 2021</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-12">https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-12</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="NaCl">[NaCl]</dt>
        <dd>
<span class="refTitle">"Public-key authenticated encryption: crypto_box"</span>, <time datetime="2019-03" class="refDate">March 2019</time>, <span>&lt;<a href="https://nacl.cr.yp.to/box.html">https://nacl.cr.yp.to/box.html</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="NISTCurves">[NISTCurves]</dt>
        <dd>
<span class="refAuthor">National Institute of Standards and Technology (NIST)</span>, <span class="refTitle">"Digital Signature Standard (DSS)"</span>, <span class="seriesInfo">DOI 10.6028/nist.fips.186-4</span>, <span class="seriesInfo">FIPS PUB 186-4</span>, <time datetime="2013-07" class="refDate">July 2013</time>, <span>&lt;<a href="https://doi.org/10.6028/nist.fips.186-4">https://doi.org/10.6028/nist.fips.186-4</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC1421">[RFC1421]</dt>
        <dd>
<span class="refAuthor">Linn, J.</span>, <span class="refTitle">"Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures"</span>, <span class="seriesInfo">RFC 1421</span>, <span class="seriesInfo">DOI 10.17487/RFC1421</span>, <time datetime="1993-02" class="refDate">February 1993</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc1421">https://www.rfc-editor.org/info/rfc1421</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC5869">[RFC5869]</dt>
        <dd>
<span class="refAuthor">Krawczyk, H.</span> and <span class="refAuthor">P. Eronen</span>, <span class="refTitle">"HMAC-based Extract-and-Expand Key Derivation Function (HKDF)"</span>, <span class="seriesInfo">RFC 5869</span>, <span class="seriesInfo">DOI 10.17487/RFC5869</span>, <time datetime="2010-05" class="refDate">May 2010</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5869">https://www.rfc-editor.org/info/rfc5869</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7748">[RFC7748]</dt>
        <dd>
<span class="refAuthor">Langley, A.</span>, <span class="refAuthor">Hamburg, M.</span>, and <span class="refAuthor">S. Turner</span>, <span class="refTitle">"Elliptic Curves for Security"</span>, <span class="seriesInfo">RFC 7748</span>, <span class="seriesInfo">DOI 10.17487/RFC7748</span>, <time datetime="2016-01" class="refDate">January 2016</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7748">https://www.rfc-editor.org/info/rfc7748</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8439">[RFC8439]</dt>
        <dd>
<span class="refAuthor">Nir, Y.</span> and <span class="refAuthor">A. Langley</span>, <span class="refTitle">"ChaCha20 and Poly1305 for IETF Protocols"</span>, <span class="seriesInfo">RFC 8439</span>, <span class="seriesInfo">DOI 10.17487/RFC8439</span>, <time datetime="2018-06" class="refDate">June 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8439">https://www.rfc-editor.org/info/rfc8439</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8446">[RFC8446]</dt>
        <dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 8446</span>, <span class="seriesInfo">DOI 10.17487/RFC8446</span>, <time datetime="2018-08" class="refDate">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8446">https://www.rfc-editor.org/info/rfc8446</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8467">[RFC8467]</dt>
        <dd>
<span class="refAuthor">Mayrhofer, A.</span>, <span class="refTitle">"Padding Policies for Extension Mechanisms for DNS (EDNS(0))"</span>, <span class="seriesInfo">RFC 8467</span>, <span class="seriesInfo">DOI 10.17487/RFC8467</span>, <time datetime="2018-10" class="refDate">October 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8467">https://www.rfc-editor.org/info/rfc8467</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8696">[RFC8696]</dt>
        <dd>
<span class="refAuthor">Housley, R.</span>, <span class="refTitle">"Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)"</span>, <span class="seriesInfo">RFC 8696</span>, <span class="seriesInfo">DOI 10.17487/RFC8696</span>, <time datetime="2019-12" class="refDate">December 2019</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8696">https://www.rfc-editor.org/info/rfc8696</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8937">[RFC8937]</dt>
        <dd>
<span class="refAuthor">Cremers, C.</span>, <span class="refAuthor">Garratt, L.</span>, <span class="refAuthor">Smyshlyaev, S.</span>, <span class="refAuthor">Sullivan, N.</span>, and <span class="refAuthor">C. Wood</span>, <span class="refTitle">"Randomness Improvements for Security Protocols"</span>, <span class="seriesInfo">RFC 8937</span>, <span class="seriesInfo">DOI 10.17487/RFC8937</span>, <time datetime="2020-10" class="refDate">October 2020</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8937">https://www.rfc-editor.org/info/rfc8937</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="SECG">[SECG]</dt>
        <dd>
<span class="refAuthor">Standards for Efficient Cryptography Group</span>, <span class="refTitle">"SEC 1: Elliptic Curve Cryptography,"</span>, <span class="refContent">Version 2</span>, <time datetime="2009-05" class="refDate">May 2009</time>, <span>&lt;<a href="https://secg.org/sec1-v2.pdf">https://secg.org/sec1-v2.pdf</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="SigncryptionDZ10">[SigncryptionDZ10]</dt>
        <dd>
<span class="refAuthor">Dent, A.</span> and <span class="refAuthor">Y. Zheng</span>, <span class="refTitle">"Practical Signcryption"</span>, <span class="refContent">Information Security and Cryptography</span>, <span class="seriesInfo">DOI 10.1007/978-3-540-89411-7</span>, <time datetime="2010-11" class="refDate">November 2010</time>, <span>&lt;<a href="https://doi.org/10.1007/978-3-540-89411-7">https://doi.org/10.1007/978-3-540-89411-7</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="TestVectors">[TestVectors]</dt>
        <dd>
<span class="refTitle">"HPKE Test Vectors"</span>, <span>&lt;<a href="https://github.com/cfrg/draft-irtf-cfrg-hpke/blob/5f503c564da00b0687b3de75f1dfbdfc4079ad31/test-vectors.json">https://github.com/cfrg/draft-irtf-cfrg-hpke/blob/5f503c564da00b0687b3de75f1dfbdfc4079ad31/test-vectors.json</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-tls-esni">[TLS-ECH]</dt>
      <dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refAuthor">Oku, K.</span>, <span class="refAuthor">Sullivan, N.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"TLS Encrypted Client Hello"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-tls-esni-14</span>, <time datetime="2022-02-13" class="refDate">13 February 2022</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-14">https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-14</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</section>
<div id="test-vectors">
<section id="appendix-A">
      <h2 id="name-test-vectors">
<a href="#appendix-A" class="section-number selfRef">Appendix A. </a><a href="#name-test-vectors" class="section-name selfRef">Test Vectors</a>
      </h2>
<p id="appendix-A-1">Each section below contains test vectors for a single HPKE ciphersuite and
contains the following values:<a href="#appendix-A-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="appendix-A-2">
        <li id="appendix-A-2.1">Configuration information and private key material: This includes the
 <code>mode</code>, <code>info</code> string, HPKE ciphersuite
 identifiers (<code>kem_id</code>, <code>kdf_id</code>, <code>aead_id</code>), and all
 sender, recipient, and ephemeral key material. For each role X, where X is one of
 S, R, or E, as sender, recipient, and ephemeral, respectively, key pairs are
 generated as <code>(skX, pkX) = DeriveKeyPair(ikmX)</code>. Each key pair <code>(skX,
 pkX)</code> is written in its serialized form, where <code>skXm =
 SerializePrivateKey(skX)</code> and <code>pkXm = SerializePublicKey(pkX)</code>. For
 applicable modes, the shared PSK and PSK identifier are also included.<a href="#appendix-A-2.1" class="pilcrow">¶</a>
</li>
        <li id="appendix-A-2.2">Context creation intermediate values and outputs: This includes the KEM outputs
 <code>enc</code> and <code>shared_secret</code> used to
 create the context, along with intermediate values <code>key_schedule_context</code>
 and <code>secret</code> computed in the KeySchedule function in <a href="#encryption-context" class="xref">Section 5.1</a>. The outputs include the context
 values <code>key</code>, <code>base_nonce</code>, and <code>exporter_secret</code>.<a href="#appendix-A-2.2" class="pilcrow">¶</a>
</li>
        <li id="appendix-A-2.3">Encryption test vectors: A fixed plaintext message is encrypted using
 different sequence numbers and associated data values using the context computed in (2).
 Each test vector lists the sequence number and corresponding nonce computed
 with <code>base_nonce</code>, the plaintext message <code>pt</code>, associated data <code>aad</code>, and
 output ciphertext <code>ct</code>.<a href="#appendix-A-2.3" class="pilcrow">¶</a>
</li>
        <li id="appendix-A-2.4">Export test vectors: Several exported values of the same length with differing
context parameters are computed using the context computed in (2). Each test
vector lists the <code>exporter_context</code>, output length <code>L</code>, and resulting export
value.<a href="#appendix-A-2.4" class="pilcrow">¶</a>
</li>
      </ol>
<p id="appendix-A-3">These test vectors are also available in JSON format at <span>[<a href="#TestVectors" class="xref">TestVectors</a>]</span>.<a href="#appendix-A-3" class="pilcrow">¶</a></p>
<div id="dhkemx25519-hkdf-sha256-hkdf-sha256-aes-128-gcm">
<section id="appendix-A.1">
        <h3 id="name-dhkemx25519-hkdf-sha256-hkd">
<a href="#appendix-A.1" class="section-number selfRef">A.1. </a><a href="#name-dhkemx25519-hkdf-sha256-hkd" class="section-name selfRef">DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM</a>
        </h3>
<div id="base-setup-information">
<section id="appendix-A.1.1">
          <h4 id="name-base-setup-information">
<a href="#appendix-A.1.1" class="section-number selfRef">A.1.1. </a><a href="#name-base-setup-information" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.1.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234
pkEm:
37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
skEm:
52c4a758a802cd8b936eceea314432798d5baf2d7e9235dc084ab1b9cfa2f736
ikmR:
6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037
pkRm:
3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d
skRm:
4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8
enc:
37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431
shared_secret:
fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc
key_schedule_context: 00725611c9d98c07c03f60095cd32d400d8347d45ed670
97bbad50fc56da742d07cb6cffde367bb0565ba28bb02c90744a20f5ef37f3052352
6106f637abb05449
secret:
12fff91991e93b48de37e7daddb52981084bd8aa64289c3788471d9a9712f397
key: 4531685d41d65f03dc48f6b8302c05b0
base_nonce: 56d890e5accaaf011cff4b7d
exporter_secret:
45ff1c2e220db587171952c0592d5f5ebe103f1561a2614e38f2ffd47e99e3f8
</pre><a href="#appendix-A.1.1-1" class="pilcrow">¶</a>
</div>
<div id="encryptions">
<section id="appendix-A.1.1.1">
            <h5 id="name-encryptions">
<a href="#appendix-A.1.1.1" class="section-number selfRef">A.1.1.1. </a><a href="#name-encryptions" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.1.1.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 56d890e5accaaf011cff4b7d
ct: f938558b5d72f1a23810b4be2ab4f84331acc02fc97babc53a52ae8218a355a9
6d8770ac83d07bea87e13c512a

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 56d890e5accaaf011cff4b7c
ct: af2d7e9ac9ae7e270f46ba1f975be53c09f8d875bdc8535458c2494e8a6eab25
1c03d0c22a56b8ca42c2063b84

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 56d890e5accaaf011cff4b7f
ct: 498dfcabd92e8acedc281e85af1cb4e3e31c7dc394a1ca20e173cb7251649158
8d96a19ad4a683518973dcc180

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 56d890e5accaaf011cff4b79
ct: 583bd32bc67a5994bb8ceaca813d369bca7b2a42408cddef5e22f880b631215a
09fc0012bc69fccaa251c0246d

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 56d890e5accaaf011cff4b82
ct: 7175db9717964058640a3a11fb9007941a5d1757fda1a6935c805c21af32505b
f106deefec4a49ac38d71c9e0a

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 56d890e5accaaf011cff4a7d
ct: 957f9800542b0b8891badb026d79cc54597cb2d225b54c00c5238c25d05c30e3
fbeda97d2e0e1aba483a2df9f2
</pre><a href="#appendix-A.1.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values">
<section id="appendix-A.1.1.2">
            <h5 id="name-exported-values">
<a href="#appendix-A.1.1.2" class="section-number selfRef">A.1.1.2. </a><a href="#name-exported-values" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.1.1.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
3853fe2b4035195a573ffc53856e77058e15d9ea064de3e59f4961d0095250ee

exporter_context: 00
L: 32
exported_value:
2e8f0b54673c7029649d4eb9d5e33bf1872cf76d623ff164ac185da9e88c21a5

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
e9e43065102c3836401bed8c3c3c75ae46be1639869391d62c61f1ec7af54931
</pre><a href="#appendix-A.1.1.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information">
<section id="appendix-A.1.2">
          <h4 id="name-psk-setup-information">
<a href="#appendix-A.1.2" class="section-number selfRef">A.1.2. </a><a href="#name-psk-setup-information" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.1.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
78628c354e46f3e169bd231be7b2ff1c77aa302460a26dbfa15515684c00130b
pkEm:
0ad0950d9fb9588e59690b74f1237ecdf1d775cd60be2eca57af5a4b0471c91b
skEm:
463426a9ffb42bb17dbe6044b9abd1d4e4d95f9041cef0e99d7824eef2b6f588
ikmR:
d4a09d09f575fef425905d2ab396c1449141463f698f8efdb7accfaff8995098
pkRm:
9fed7e8c17387560e92cc6462a68049657246a09bfa8ade7aefe589672016366
skRm:
c5eb01eb457fe6c6f57577c5413b931550a162c71a03ac8d196babbd4e5ce0fd
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
0ad0950d9fb9588e59690b74f1237ecdf1d775cd60be2eca57af5a4b0471c91b
shared_secret:
727699f009ffe3c076315019c69648366b69171439bd7dd0807743bde76986cd
key_schedule_context: 01e78d5cf6190d275863411ff5edd0dece5d39fa48e04e
ec1ed9b71be34729d18ccb6cffde367bb0565ba28bb02c90744a20f5ef37f3052352
6106f637abb05449
secret:
3728ab0b024b383b0381e432b47cced1496d2516957a76e2a9f5c8cb947afca4
key: 15026dba546e3ae05836fc7de5a7bb26
base_nonce: 9518635eba129d5ce0914555
exporter_secret:
3d76025dbbedc49448ec3f9080a1abab6b06e91c0b11ad23c912f043a0ee7655
</pre><a href="#appendix-A.1.2-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-1">
<section id="appendix-A.1.2.1">
            <h5 id="name-encryptions-2">
<a href="#appendix-A.1.2.1" class="section-number selfRef">A.1.2.1. </a><a href="#name-encryptions-2" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.1.2.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 9518635eba129d5ce0914555
ct: e52c6fed7f758d0cf7145689f21bc1be6ec9ea097fef4e959440012f4feb73fb
611b946199e681f4cfc34db8ea

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 9518635eba129d5ce0914554
ct: 49f3b19b28a9ea9f43e8c71204c00d4a490ee7f61387b6719db765e948123b45
b61633ef059ba22cd62437c8ba

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 9518635eba129d5ce0914557
ct: 257ca6a08473dc851fde45afd598cc83e326ddd0abe1ef23baa3baa4dd8cde99
fce2c1e8ce687b0b47ead1adc9

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 9518635eba129d5ce0914551
ct: a71d73a2cd8128fcccbd328b9684d70096e073b59b40b55e6419c9c68ae21069
c847e2a70f5d8fb821ce3dfb1c

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 9518635eba129d5ce09145aa
ct: 55f84b030b7f7197f7d7d552365b6b932df5ec1abacd30241cb4bc4ccea27bd2
b518766adfa0fb1b71170e9392

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 9518635eba129d5ce0914455
ct: c5bf246d4a790a12dcc9eed5eae525081e6fb541d5849e9ce8abd92a3bc15517
76bea16b4a518f23e237c14b59
</pre><a href="#appendix-A.1.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-1">
<section id="appendix-A.1.2.2">
            <h5 id="name-exported-values-2">
<a href="#appendix-A.1.2.2" class="section-number selfRef">A.1.2.2. </a><a href="#name-exported-values-2" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.1.2.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
dff17af354c8b41673567db6259fd6029967b4e1aad13023c2ae5df8f4f43bf6

exporter_context: 00
L: 32
exported_value:
6a847261d8207fe596befb52928463881ab493da345b10e1dcc645e3b94e2d95

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
8aff52b45a1be3a734bc7a41e20b4e055ad4c4d22104b0c20285a7c4302401cd
</pre><a href="#appendix-A.1.2.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information">
<section id="appendix-A.1.3">
          <h4 id="name-auth-setup-information">
<a href="#appendix-A.1.3" class="section-number selfRef">A.1.3. </a><a href="#name-auth-setup-information" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.1.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
6e6d8f200ea2fb20c30b003a8b4f433d2f4ed4c2658d5bc8ce2fef718059c9f7
pkEm:
23fb952571a14a25e3d678140cd0e5eb47a0961bb18afcf85896e5453c312e76
skEm:
ff4442ef24fbc3c1ff86375b0be1e77e88a0de1e79b30896d73411c5ff4c3518
ikmR:
f1d4a30a4cef8d6d4e3b016e6fd3799ea057db4f345472ed302a67ce1c20cdec
pkRm:
1632d5c2f71c2b38d0a8fcc359355200caa8b1ffdf28618080466c909cb69b2e
skRm:
fdea67cf831f1ca98d8e27b1f6abeb5b7745e9d35348b80fa407ff6958f9137e
ikmS:
94b020ce91d73fca4649006c7e7329a67b40c55e9e93cc907d282bbbff386f58
pkSm:
8b0c70873dc5aecb7f9ee4e62406a397b350e57012be45cf53b7105ae731790b
skSm:
dc4a146313cce60a278a5323d321f051c5707e9c45ba21a3479fecdf76fc69dd
enc:
23fb952571a14a25e3d678140cd0e5eb47a0961bb18afcf85896e5453c312e76
shared_secret:
2d6db4cf719dc7293fcbf3fa64690708e44e2bebc81f84608677958c0d4448a7
key_schedule_context: 02725611c9d98c07c03f60095cd32d400d8347d45ed670
97bbad50fc56da742d07cb6cffde367bb0565ba28bb02c90744a20f5ef37f3052352
6106f637abb05449
secret:
56c62333d9d9f7767f5b083fdfce0aa7e57e301b74029bb0cffa7331385f1dda
key: b062cb2c4dd4bca0ad7c7a12bbc341e6
base_nonce: a1bc314c1942ade7051ffed0
exporter_secret:
ee1a093e6e1c393c162ea98fdf20560c75909653550540a2700511b65c88c6f1
</pre><a href="#appendix-A.1.3-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-2">
<section id="appendix-A.1.3.1">
            <h5 id="name-encryptions-3">
<a href="#appendix-A.1.3.1" class="section-number selfRef">A.1.3.1. </a><a href="#name-encryptions-3" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.1.3.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: a1bc314c1942ade7051ffed0
ct: 5fd92cc9d46dbf8943e72a07e42f363ed5f721212cd90bcfd072bfd9f44e06b8
0fd17824947496e21b680c141b

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: a1bc314c1942ade7051ffed1
ct: d3736bb256c19bfa93d79e8f80b7971262cb7c887e35c26370cfed62254369a1
b52e3d505b79dd699f002bc8ed

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: a1bc314c1942ade7051ffed2
ct: 122175cfd5678e04894e4ff8789e85dd381df48dcaf970d52057df2c9acc3b12
1313a2bfeaa986050f82d93645

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: a1bc314c1942ade7051ffed4
ct: dae12318660cf963c7bcbef0f39d64de3bf178cf9e585e756654043cc5059873
bc8af190b72afc43d1e0135ada

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: a1bc314c1942ade7051ffe2f
ct: 55d53d85fe4d9e1e97903101eab0b4865ef20cef28765a47f840ff99625b7d69
dee927df1defa66a036fc58ff2

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: a1bc314c1942ade7051fffd0
ct: 42fa248a0e67ccca688f2b1d13ba4ba84755acf764bd797c8f7ba3b9b1dc3330
326f8d172fef6003c79ec72319
</pre><a href="#appendix-A.1.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-2">
<section id="appendix-A.1.3.2">
            <h5 id="name-exported-values-3">
<a href="#appendix-A.1.3.2" class="section-number selfRef">A.1.3.2. </a><a href="#name-exported-values-3" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.1.3.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
28c70088017d70c896a8420f04702c5a321d9cbf0279fba899b59e51bac72c85

exporter_context: 00
L: 32
exported_value:
25dfc004b0892be1888c3914977aa9c9bbaf2c7471708a49e1195af48a6f29ce

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
5a0131813abc9a522cad678eb6bafaabc43389934adb8097d23c5ff68059eb64
</pre><a href="#appendix-A.1.3.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information">
<section id="appendix-A.1.4">
          <h4 id="name-authpsk-setup-information">
<a href="#appendix-A.1.4" class="section-number selfRef">A.1.4. </a><a href="#name-authpsk-setup-information" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.1.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
4303619085a20ebcf18edd22782952b8a7161e1dbae6e46e143a52a96127cf84
pkEm:
820818d3c23993492cc5623ab437a48a0a7ca3e9639c140fe1e33811eb844b7c
skEm:
14de82a5897b613616a00c39b87429df35bc2b426bcfd73febcb45e903490768
ikmR:
4b16221f3b269a88e207270b5e1de28cb01f847841b344b8314d6a622fe5ee90
pkRm:
1d11a3cd247ae48e901939659bd4d79b6b959e1f3e7d66663fbc9412dd4e0976
skRm:
cb29a95649dc5656c2d054c1aa0d3df0493155e9d5da6d7e344ed8b6a64a9423
ikmS:
62f77dcf5df0dd7eac54eac9f654f426d4161ec850cc65c54f8b65d2e0b4e345
pkSm:
2bfb2eb18fcad1af0e4f99142a1c474ae74e21b9425fc5c589382c69b50cc57e
skSm:
fc1c87d2f3832adb178b431fce2ac77c7ca2fd680f3406c77b5ecdf818b119f4
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
820818d3c23993492cc5623ab437a48a0a7ca3e9639c140fe1e33811eb844b7c
shared_secret:
f9d0e870aba28d04709b2680cb8185466c6a6ff1d6e9d1091d5bf5e10ce3a577
key_schedule_context: 03e78d5cf6190d275863411ff5edd0dece5d39fa48e04e
ec1ed9b71be34729d18ccb6cffde367bb0565ba28bb02c90744a20f5ef37f3052352
6106f637abb05449
secret:
5f96c55e4108c6691829aaabaa7d539c0b41d7c72aae94ae289752f056b6cec4
key: 1364ead92c47aa7becfa95203037b19a
base_nonce: 99d8b5c54669807e9fc70df1
exporter_secret:
f048d55eacbf60f9c6154bd4021774d1075ebf963c6adc71fa846f183ab2dde6
</pre><a href="#appendix-A.1.4-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-3">
<section id="appendix-A.1.4.1">
            <h5 id="name-encryptions-4">
<a href="#appendix-A.1.4.1" class="section-number selfRef">A.1.4.1. </a><a href="#name-encryptions-4" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.1.4.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 99d8b5c54669807e9fc70df1
ct: a84c64df1e11d8fd11450039d4fe64ff0c8a99fca0bd72c2d4c3e0400bc14a40
f27e45e141a24001697737533e

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 99d8b5c54669807e9fc70df0
ct: 4d19303b848f424fc3c3beca249b2c6de0a34083b8e909b6aa4c3688505c05ff
e0c8f57a0a4c5ab9da127435d9

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 99d8b5c54669807e9fc70df3
ct: 0c085a365fbfa63409943b00a3127abce6e45991bc653f182a80120868fc507e
9e4d5e37bcc384fc8f14153b24

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 99d8b5c54669807e9fc70df5
ct: 000a3cd3a3523bf7d9796830b1cd987e841a8bae6561ebb6791a3f0e34e89a4f
b539faeee3428b8bbc082d2c1a

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 99d8b5c54669807e9fc70d0e
ct: 576d39dd2d4cc77d1a14a51d5c5f9d5e77586c3d8d2ab33bdec6379e28ce5c50
2f0b1cbd09047cf9eb9269bb52

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 99d8b5c54669807e9fc70cf1
ct: 13239bab72e25e9fd5bb09695d23c90a24595158b99127505c8a9ff9f127e0d6
57f71af59d67d4f4971da028f9
</pre><a href="#appendix-A.1.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-3">
<section id="appendix-A.1.4.2">
            <h5 id="name-exported-values-4">
<a href="#appendix-A.1.4.2" class="section-number selfRef">A.1.4.2. </a><a href="#name-exported-values-4" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.1.4.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
08f7e20644bb9b8af54ad66d2067457c5f9fcb2a23d9f6cb4445c0797b330067

exporter_context: 00
L: 32
exported_value:
52e51ff7d436557ced5265ff8b94ce69cf7583f49cdb374e6aad801fc063b010

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
a30c20370c026bbea4dca51cb63761695132d342bae33a6a11527d3e7679436d
</pre><a href="#appendix-A.1.4.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="dhkemx25519-hkdf-sha256-hkdf-sha256-chacha20poly1305">
<section id="appendix-A.2">
        <h3 id="name-dhkemx25519-hkdf-sha256-hkdf">
<a href="#appendix-A.2" class="section-number selfRef">A.2. </a><a href="#name-dhkemx25519-hkdf-sha256-hkdf" class="section-name selfRef">DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305</a>
        </h3>
<div id="base-setup-information-1">
<section id="appendix-A.2.1">
          <h4 id="name-base-setup-information-2">
<a href="#appendix-A.2.1" class="section-number selfRef">A.2.1. </a><a href="#name-base-setup-information-2" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.2.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
909a9b35d3dc4713a5e72a4da274b55d3d3821a37e5d099e74a647db583a904b
pkEm:
1afa08d3dec047a643885163f1180476fa7ddb54c6a8029ea33f95796bf2ac4a
skEm:
f4ec9b33b792c372c1d2c2063507b684ef925b8c75a42dbcbf57d63ccd381600
ikmR:
1ac01f181fdf9f352797655161c58b75c656a6cc2716dcb66372da835542e1df
pkRm:
4310ee97d88cc1f088a5576c77ab0cf5c3ac797f3d95139c6c84b5429c59662a
skRm:
8057991eef8f1f1af18f4a9491d16a1ce333f695d4db8e38da75975c4478e0fb
enc:
1afa08d3dec047a643885163f1180476fa7ddb54c6a8029ea33f95796bf2ac4a
shared_secret:
0bbe78490412b4bbea4812666f7916932b828bba79942424abb65244930d69a7
key_schedule_context: 00431df6cd95e11ff49d7013563baf7f11588c75a6611e
e2a4404a49306ae4cfc5b69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1
e798c0bb19eb9796
secret:
5b9cd775e64b437a2335cf499361b2e0d5e444d5cb41a8a53336d8fe402282c6
key:
ad2744de8e17f4ebba575b3f5f5a8fa1f69c2a07f6e7500bc60ca6e3e3ec1c91
base_nonce: 5c4d98150661b848853b547f
exporter_secret:
a3b010d4994890e2c6968a36f64470d3c824c8f5029942feb11e7a74b2921922
</pre><a href="#appendix-A.2.1-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-4">
<section id="appendix-A.2.1.1">
            <h5 id="name-encryptions-5">
<a href="#appendix-A.2.1.1" class="section-number selfRef">A.2.1.1. </a><a href="#name-encryptions-5" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.2.1.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 5c4d98150661b848853b547f
ct: 1c5250d8034ec2b784ba2cfd69dbdb8af406cfe3ff938e131f0def8c8b60b4db
21993c62ce81883d2dd1b51a28

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 5c4d98150661b848853b547e
ct: 6b53c051e4199c518de79594e1c4ab18b96f081549d45ce015be002090bb119e
85285337cc95ba5f59992dc98c

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 5c4d98150661b848853b547d
ct: 71146bd6795ccc9c49ce25dda112a48f202ad220559502cef1f34271e0cb4b02
b4f10ecac6f48c32f878fae86b

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 5c4d98150661b848853b547b
ct: 63357a2aa291f5a4e5f27db6baa2af8cf77427c7c1a909e0b37214dd47db122b
b153495ff0b02e9e54a50dbe16

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 5c4d98150661b848853b5480
ct: 18ab939d63ddec9f6ac2b60d61d36a7375d2070c9b683861110757062c52b888
0a5f6b3936da9cd6c23ef2a95c

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 5c4d98150661b848853b557f
ct: 7a4a13e9ef23978e2c520fd4d2e757514ae160cd0cd05e556ef692370ca53076
214c0c40d4c728d6ed9e727a5b
</pre><a href="#appendix-A.2.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-4">
<section id="appendix-A.2.1.2">
            <h5 id="name-exported-values-5">
<a href="#appendix-A.2.1.2" class="section-number selfRef">A.2.1.2. </a><a href="#name-exported-values-5" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.2.1.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
4bbd6243b8bb54cec311fac9df81841b6fd61f56538a775e7c80a9f40160606e

exporter_context: 00
L: 32
exported_value:
8c1df14732580e5501b00f82b10a1647b40713191b7c1240ac80e2b68808ba69

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
5acb09211139c43b3090489a9da433e8a30ee7188ba8b0a9a1ccf0c229283e53
</pre><a href="#appendix-A.2.1.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information-1">
<section id="appendix-A.2.2">
          <h4 id="name-psk-setup-information-2">
<a href="#appendix-A.2.2" class="section-number selfRef">A.2.2. </a><a href="#name-psk-setup-information-2" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.2.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
35706a0b09fb26fb45c39c2f5079c709c7cf98e43afa973f14d88ece7e29c2e3
pkEm:
2261299c3f40a9afc133b969a97f05e95be2c514e54f3de26cbe5644ac735b04
skEm:
0c35fdf49df7aa01cd330049332c40411ebba36e0c718ebc3edf5845795f6321
ikmR:
26b923eade72941c8a85b09986cdfa3f1296852261adedc52d58d2930269812b
pkRm:
13640af826b722fc04feaa4de2f28fbd5ecc03623b317834e7ff4120dbe73062
skRm:
77d114e0212be51cb1d76fa99dd41cfd4d0166b08caa09074430a6c59ef17879
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
2261299c3f40a9afc133b969a97f05e95be2c514e54f3de26cbe5644ac735b04
shared_secret:
4be079c5e77779d0215b3f689595d59e3e9b0455d55662d1f3666ec606e50ea7
key_schedule_context: 016870c4c76ca38ae43efbec0f2377d109499d7ce73f4a
9e1ec37f21d3d063b97cb69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1
e798c0bb19eb9796
secret:
16974354c497c9bd24c000ceed693779b604f1944975b18c442d373663f4a8cc
key:
600d2fdb0313a7e5c86a9ce9221cd95bed069862421744cfb4ab9d7203a9c019
base_nonce: 112e0465562045b7368653e7
exporter_secret:
73b506dc8b6b4269027f80b0362def5cbb57ee50eed0c2873dac9181f453c5ac
</pre><a href="#appendix-A.2.2-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-5">
<section id="appendix-A.2.2.1">
            <h5 id="name-encryptions-6">
<a href="#appendix-A.2.2.1" class="section-number selfRef">A.2.2.1. </a><a href="#name-encryptions-6" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.2.2.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 112e0465562045b7368653e7
ct: 4a177f9c0d6f15cfdf533fb65bf84aecdc6ab16b8b85b4cf65a370e07fc1d78d
28fb073214525276f4a89608ff

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 112e0465562045b7368653e6
ct: 5c3cabae2f0b3e124d8d864c116fd8f20f3f56fda988c3573b40b09997fd6c76
9e77c8eda6cda4f947f5b704a8

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 112e0465562045b7368653e5
ct: 14958900b44bdae9cbe5a528bf933c5c990dbb8e282e6e495adf8205d19da9eb
270e3a6f1e0613ab7e757962a4

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 112e0465562045b7368653e3
ct: c2a7bc09ddb853cf2effb6e8d058e346f7fe0fb3476528c80db6b698415c5f8c
50b68a9a355609e96d2117f8d3

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 112e0465562045b736865318
ct: 2414d0788e4bc39a59a26d7bd5d78e111c317d44c37bd5a4c2a1235f2ddc2085
c487d406490e75210c958724a7

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 112e0465562045b7368652e7
ct: c567ae1c3f0f75abe1dd9e4532b422600ed4a6e5b9484dafb1e43ab9f5fd662b
28c00e2e81d3cde955dae7e218
</pre><a href="#appendix-A.2.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-5">
<section id="appendix-A.2.2.2">
            <h5 id="name-exported-values-6">
<a href="#appendix-A.2.2.2" class="section-number selfRef">A.2.2.2. </a><a href="#name-exported-values-6" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.2.2.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
813c1bfc516c99076ae0f466671f0ba5ff244a41699f7b2417e4c59d46d39f40

exporter_context: 00
L: 32
exported_value:
2745cf3d5bb65c333658732954ee7af49eb895ce77f8022873a62a13c94cb4e1

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
ad40e3ae14f21c99bfdebc20ae14ab86f4ca2dc9a4799d200f43a25f99fa78ae
</pre><a href="#appendix-A.2.2.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information-1">
<section id="appendix-A.2.3">
          <h4 id="name-auth-setup-information-2">
<a href="#appendix-A.2.3" class="section-number selfRef">A.2.3. </a><a href="#name-auth-setup-information-2" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.2.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
938d3daa5a8904540bc24f48ae90eed3f4f7f11839560597b55e7c9598c996c0
pkEm:
f7674cc8cd7baa5872d1f33dbaffe3314239f6197ddf5ded1746760bfc847e0e
skEm:
c94619e1af28971c8fa7957192b7e62a71ca2dcdde0a7cc4a8a9e741d600ab13
ikmR:
64835d5ee64aa7aad57c6f2e4f758f7696617f8829e70bc9ac7a5ef95d1c756c
pkRm:
1a478716d63cb2e16786ee93004486dc151e988b34b475043d3e0175bdb01c44
skRm:
3ca22a6d1cda1bb9480949ec5329d3bf0b080ca4c45879c95eddb55c70b80b82
ikmS:
9d8f94537d5a3ddef71234c0baedfad4ca6861634d0b94c3007fed557ad17df6
pkSm:
f0f4f9e96c54aeed3f323de8534fffd7e0577e4ce269896716bcb95643c8712b
skSm:
2def0cb58ffcf83d1062dd085c8aceca7f4c0c3fd05912d847b61f3e54121f05
enc:
f7674cc8cd7baa5872d1f33dbaffe3314239f6197ddf5ded1746760bfc847e0e
shared_secret:
d2d67828c8bc9fa661cf15a31b3ebf1febe0cafef7abfaaca580aaf6d471e3eb
key_schedule_context: 02431df6cd95e11ff49d7013563baf7f11588c75a6611e
e2a4404a49306ae4cfc5b69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1
e798c0bb19eb9796
secret:
3022dfc0a81d6e09a2e6daeeb605bb1ebb9ac49535540d9a4c6560064a6c6da8
key:
b071fd1136680600eb447a845a967d35e9db20749cdf9ce098bcc4deef4b1356
base_nonce: d20577dff16d7cea2c4bf780
exporter_secret:
be2d93b82071318cdb88510037cf504344151f2f9b9da8ab48974d40a2251dd7
</pre><a href="#appendix-A.2.3-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-6">
<section id="appendix-A.2.3.1">
            <h5 id="name-encryptions-7">
<a href="#appendix-A.2.3.1" class="section-number selfRef">A.2.3.1. </a><a href="#name-encryptions-7" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.2.3.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: d20577dff16d7cea2c4bf780
ct: ab1a13c9d4f01a87ec3440dbd756e2677bd2ecf9df0ce7ed73869b98e00c09be
111cb9fdf077347aeb88e61bdf

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: d20577dff16d7cea2c4bf781
ct: 3265c7807ffff7fdace21659a2c6ccffee52a26d270c76468ed74202a65478bf
aedfff9c2b7634e24f10b71016

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: d20577dff16d7cea2c4bf782
ct: 3aadee86ad2a05081ea860033a9d09dbccb4acac2ded0891da40f51d4df19925
f7a767b076a5cbc9355c8fd35e

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: d20577dff16d7cea2c4bf784
ct: 502ecccd5c2be3506a081809cc58b43b94f77cbe37b8b31712d9e21c9e61aa69
46a8e922f54eae630f88eb8033

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: d20577dff16d7cea2c4bf77f
ct: 652e597ba20f3d9241cda61f33937298b1169e6adf72974bbe454297502eb4be
132e1c5064702fc165c2ddbde8

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: d20577dff16d7cea2c4bf680
ct: 3be14e8b3bbd1028cf2b7d0a691dbbeff71321e7dec92d3c2cfb30a0994ab246
af76168480285a60037b4ba13a
</pre><a href="#appendix-A.2.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-6">
<section id="appendix-A.2.3.2">
            <h5 id="name-exported-values-7">
<a href="#appendix-A.2.3.2" class="section-number selfRef">A.2.3.2. </a><a href="#name-exported-values-7" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.2.3.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
070cffafd89b67b7f0eeb800235303a223e6ff9d1e774dce8eac585c8688c872

exporter_context: 00
L: 32
exported_value:
2852e728568d40ddb0edde284d36a4359c56558bb2fb8837cd3d92e46a3a14a8

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
1df39dc5dd60edcbf5f9ae804e15ada66e885b28ed7929116f768369a3f950ee
</pre><a href="#appendix-A.2.3.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information-1">
<section id="appendix-A.2.4">
          <h4 id="name-authpsk-setup-information-2">
<a href="#appendix-A.2.4" class="section-number selfRef">A.2.4. </a><a href="#name-authpsk-setup-information-2" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.2.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
49d6eac8c6c558c953a0a252929a818745bb08cd3d29e15f9f5db5eb2e7d4b84
pkEm:
656a2e00dc9990fd189e6e473459392df556e9a2758754a09db3f51179a3fc02
skEm:
5e6dd73e82b856339572b7245d3cbb073a7561c0bee52873490e305cbb710410
ikmR:
f3304ddcf15848488271f12b75ecaf72301faabf6ad283654a14c398832eb184
pkRm:
a5099431c35c491ec62ca91df1525d6349cb8aa170c51f9581f8627be6334851
skRm:
7b36a42822e75bf3362dfabbe474b3016236408becb83b859a6909e22803cb0c
ikmS:
20ade1d5203de1aadfb261c4700b6432e260d0d317be6ebbb8d7fffb1f86ad9d
pkSm:
3ac5bd4dd66ff9f2740bef0d6ccb66daa77bff7849d7895182b07fb74d087c45
skSm:
90761c5b0a7ef0985ed66687ad708b921d9803d51637c8d1cb72d03ed0f64418
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
656a2e00dc9990fd189e6e473459392df556e9a2758754a09db3f51179a3fc02
shared_secret:
86a6c0ed17714f11d2951747e660857a5fd7616c933ef03207808b7a7123fe67
key_schedule_context: 036870c4c76ca38ae43efbec0f2377d109499d7ce73f4a
9e1ec37f21d3d063b97cb69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1
e798c0bb19eb9796
secret:
22670daee17530c9564001d0a7e740e80d0bcc7ae15349f472fcc9e057cbc259
key:
49c7e6d7d2d257aded2a746fe6a9bf12d4de8007c4862b1fdffe8c35fb65054c
base_nonce: abac79931e8c1bcb8a23960a
exporter_secret:
7c6cc1bb98993cd93e2599322247a58fd41fdecd3db895fb4c5fd8d6bbe606b5
</pre><a href="#appendix-A.2.4-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-7">
<section id="appendix-A.2.4.1">
            <h5 id="name-encryptions-8">
<a href="#appendix-A.2.4.1" class="section-number selfRef">A.2.4.1. </a><a href="#name-encryptions-8" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.2.4.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: abac79931e8c1bcb8a23960a
ct: 9aa52e29274fc6172e38a4461361d2342585d3aeec67fb3b721ecd63f059577c
7fe886be0ede01456ebc67d597

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: abac79931e8c1bcb8a23960b
ct: 59460bacdbe7a920ef2806a74937d5a691d6d5062d7daafcad7db7e4d8c649ad
ffe575c1889c5c2e3a49af8e3e

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: abac79931e8c1bcb8a239608
ct: 5688ff6a03ba26ae936044a5c800f286fb5d1eccdd2a0f268f6ff9773b511693
18d1a1466bb36263415071db00

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: abac79931e8c1bcb8a23960e
ct: d936b7a01f5c7dc4c3dc04e322cc694684ee18dd71719196874e5235aed3cfb0
6cadcd3bc7da0877488d7c551d

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: abac79931e8c1bcb8a2396f5
ct: 4d4c462f7b9b637eaf1f4e15e325b7bc629c0af6e3073422c86064cc3c98cff8
7300f054fd56dd57dc34358beb

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: abac79931e8c1bcb8a23970a
ct: 9b7f84224922d2a9edd7b2c2057f3bcf3a547f17570575e626202e593bfdd99e
9878a1af9e41ded58c7fb77d2f
</pre><a href="#appendix-A.2.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-7">
<section id="appendix-A.2.4.2">
            <h5 id="name-exported-values-8">
<a href="#appendix-A.2.4.2" class="section-number selfRef">A.2.4.2. </a><a href="#name-exported-values-8" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.2.4.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
c23ebd4e7a0ad06a5dddf779f65004ce9481069ce0f0e6dd51a04539ddcbd5cd

exporter_context: 00
L: 32
exported_value:
ed7ff5ca40a3d84561067ebc8e01702bc36cf1eb99d42a92004642b9dfaadd37

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
d3bae066aa8da27d527d85c040f7dd6ccb60221c902ee36a82f70bcd62a60ee4
</pre><a href="#appendix-A.2.4.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="dhkemp-256-hkdf-sha256-hkdf-sha256-aes-128-gcm">
<section id="appendix-A.3">
        <h3 id="name-dhkemp-256-hkdf-sha256-hkdf">
<a href="#appendix-A.3" class="section-number selfRef">A.3. </a><a href="#name-dhkemp-256-hkdf-sha256-hkdf" class="section-name selfRef">DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM</a>
        </h3>
<div id="base-setup-information-2">
<section id="appendix-A.3.1">
          <h4 id="name-base-setup-information-3">
<a href="#appendix-A.3.1" class="section-number selfRef">A.3.1. </a><a href="#name-base-setup-information-3" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.3.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
4270e54ffd08d79d5928020af4686d8f6b7d35dbe470265f1f5aa22816ce860e
pkEm: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b32
5ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4
skEm:
4995788ef4b9d6132b249ce59a77281493eb39af373d236a1fe415cb0c2d7beb
ikmR:
668b37171f1072f3cf12ea8a236a45df23fc13b82af3609ad1e354f6ef817550
pkRm: 04fe8c19ce0905191ebc298a9245792531f26f0cece2460639e8bc39cb7f70
6a826a779b4cf969b8a0e539c7f62fb3d30ad6aa8f80e30f1d128aafd68a2ce72ea0
skRm:
f3ce7fdae57e1a310d87f1ebbde6f328be0a99cdbcadf4d6589cf29de4b8ffd2
enc: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325
ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4
shared_secret:
c0d26aeab536609a572b07695d933b589dcf363ff9d93c93adea537aeabb8cb8
key_schedule_context: 00b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce
efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85
secret:
2eb7b6bf138f6b5aff857414a058a3f1750054a9ba1f72c2cf0684a6f20b10e1
key: 868c066ef58aae6dc589b6cfdd18f97e
base_nonce: 4e0bc5018beba4bf004cca59
exporter_secret:
14ad94af484a7ad3ef40e9f3be99ecc6fa9036df9d4920548424df127ee0d99f
</pre><a href="#appendix-A.3.1-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-8">
<section id="appendix-A.3.1.1">
            <h5 id="name-encryptions-9">
<a href="#appendix-A.3.1.1" class="section-number selfRef">A.3.1.1. </a><a href="#name-encryptions-9" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.3.1.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 4e0bc5018beba4bf004cca59
ct: 5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f
9076ac232e3ab2523f39513434

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 4e0bc5018beba4bf004cca58
ct: fa6f037b47fc21826b610172ca9637e82d6e5801eb31cbd3748271affd4ecb06
646e0329cbdf3c3cd655b28e82

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 4e0bc5018beba4bf004cca5b
ct: 895cabfac50ce6c6eb02ffe6c048bf53b7f7be9a91fc559402cbc5b8dcaeb52b
2ccc93e466c28fb55fed7a7fec

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 4e0bc5018beba4bf004cca5d
ct: 8787491ee8df99bc99a246c4b3216d3d57ab5076e18fa27133f520703bc70ec9
99dd36ce042e44f0c3169a6a8f

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 4e0bc5018beba4bf004ccaa6
ct: 2ad71c85bf3f45c6eca301426289854b31448bcf8a8ccb1deef3ebd87f60848a
a53c538c30a4dac71d619ee2cd

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 4e0bc5018beba4bf004ccb59
ct: 10f179686aa2caec1758c8e554513f16472bd0a11e2a907dde0b212cbe87d74f
367f8ffe5e41cd3e9962a6afb2
</pre><a href="#appendix-A.3.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-8">
<section id="appendix-A.3.1.2">
            <h5 id="name-exported-values-9">
<a href="#appendix-A.3.1.2" class="section-number selfRef">A.3.1.2. </a><a href="#name-exported-values-9" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.3.1.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
5e9bc3d236e1911d95e65b576a8a86d478fb827e8bdfe77b741b289890490d4d

exporter_context: 00
L: 32
exported_value:
6cff87658931bda83dc857e6353efe4987a201b849658d9b047aab4cf216e796

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
d8f1ea7942adbba7412c6d431c62d01371ea476b823eb697e1f6e6cae1dab85a
</pre><a href="#appendix-A.3.1.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information-2">
<section id="appendix-A.3.2">
          <h4 id="name-psk-setup-information-3">
<a href="#appendix-A.3.2" class="section-number selfRef">A.3.2. </a><a href="#name-psk-setup-information-3" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.3.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
2afa611d8b1a7b321c761b483b6a053579afa4f767450d3ad0f84a39fda587a6
pkEm: 04305d35563527bce037773d79a13deabed0e8e7cde61eecee403496959e89
e4d0ca701726696d1485137ccb5341b3c1c7aaee90a4a02449725e744b1193b53b5f
skEm:
57427244f6cc016cddf1c19c8973b4060aa13579b4c067fd5d93a5d74e32a90f
ikmR:
d42ef874c1913d9568c9405407c805baddaffd0898a00f1e84e154fa787b2429
pkRm: 040d97419ae99f13007a93996648b2674e5260a8ebd2b822e84899cd52d874
46ea394ca76223b76639eccdf00e1967db10ade37db4e7db476261fcc8df97c5ffd1
skRm:
438d8bcef33b89e0e9ae5eb0957c353c25a94584b0dd59c991372a75b43cb661
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04305d35563527bce037773d79a13deabed0e8e7cde61eecee403496959e89e
4d0ca701726696d1485137ccb5341b3c1c7aaee90a4a02449725e744b1193b53b5f
shared_secret:
2e783ad86a1beae03b5749e0f3f5e9bb19cb7eb382f2fb2dd64c99f15ae0661b
key_schedule_context: 01b873cdf2dff4c1434988053b7a775e980dd2039ea24f
950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85
secret:
f2f534e55931c62eeb2188c1f53450354a725183937e68c85e68d6b267504d26
key: 55d9eb9d26911d4c514a990fa8d57048
base_nonce: b595dc6b2d7e2ed23af529b1
exporter_secret:
895a723a1eab809804973a53c0ee18ece29b25a7555a4808277ad2651d66d705
</pre><a href="#appendix-A.3.2-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-9">
<section id="appendix-A.3.2.1">
            <h5 id="name-encryptions-10">
<a href="#appendix-A.3.2.1" class="section-number selfRef">A.3.2.1. </a><a href="#name-encryptions-10" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.3.2.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: b595dc6b2d7e2ed23af529b1
ct: 90c4deb5b75318530194e4bb62f890b019b1397bbf9d0d6eb918890e1fb2be1a
c2603193b60a49c2126b75d0eb

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: b595dc6b2d7e2ed23af529b0
ct: 9e223384a3620f4a75b5a52f546b7262d8826dea18db5a365feb8b997180b22d
72dc1287f7089a1073a7102c27

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: b595dc6b2d7e2ed23af529b3
ct: adf9f6000773035023be7d415e13f84c1cb32a24339a32eb81df02be9ddc6abc
880dd81cceb7c1d0c7781465b2

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: b595dc6b2d7e2ed23af529b5
ct: 1f4cc9b7013d65511b1f69c050b7bd8bbd5a5c16ece82b238fec4f30ba2400e7
ca8ee482ac5253cffb5c3dc577

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: b595dc6b2d7e2ed23af5294e
ct: cdc541253111ed7a424eea5134dc14fc5e8293ab3b537668b8656789628e4589
4e5bb873c968e3b7cdcbb654a4

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: b595dc6b2d7e2ed23af528b1
ct: faf985208858b1253b97b60aecd28bc18737b58d1242370e7703ec33b73a4c31
a1afee300e349adef9015bbbfd
</pre><a href="#appendix-A.3.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-9">
<section id="appendix-A.3.2.2">
            <h5 id="name-exported-values-10">
<a href="#appendix-A.3.2.2" class="section-number selfRef">A.3.2.2. </a><a href="#name-exported-values-10" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.3.2.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
a115a59bf4dd8dc49332d6a0093af8efca1bcbfd3627d850173f5c4a55d0c185

exporter_context: 00
L: 32
exported_value:
4517eaede0669b16aac7c92d5762dd459c301fa10e02237cd5aeb9be969430c4

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
164e02144d44b607a7722e58b0f4156e67c0c2874d74cf71da6ca48a4cbdc5e0
</pre><a href="#appendix-A.3.2.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information-2">
<section id="appendix-A.3.3">
          <h4 id="name-auth-setup-information-3">
<a href="#appendix-A.3.3" class="section-number selfRef">A.3.3. </a><a href="#name-auth-setup-information-3" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.3.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
798d82a8d9ea19dbc7f2c6dfa54e8a6706f7cdc119db0813dacf8440ab37c857
pkEm: 042224f3ea800f7ec55c03f29fc9865f6ee27004f818fcbdc6dc68932c1e52
e15b79e264a98f2c535ef06745f3d308624414153b22c7332bc1e691cb4af4d53454
skEm:
6b8de0873aed0c1b2d09b8c7ed54cbf24fdf1dfc7a47fa501f918810642d7b91
ikmR:
7bc93bde8890d1fb55220e7f3b0c107ae7e6eda35ca4040bb6651284bf0747ee
pkRm: 04423e363e1cd54ce7b7573110ac121399acbc9ed815fae03b72ffbd4c18b0
1836835c5a09513f28fc971b7266cfde2e96afe84bb0f266920e82c4f53b36e1a78d
skRm:
d929ab4be2e59f6954d6bedd93e638f02d4046cef21115b00cdda2acb2a4440e
ikmS:
874baa0dcf93595a24a45a7f042e0d22d368747daaa7e19f80a802af19204ba8
pkSm: 04a817a0902bf28e036d66add5d544cc3a0457eab150f104285df1e293b5c1
0eef8651213e43d9cd9086c80b309df22cf37609f58c1127f7607e85f210b2804f73
skSm:
1120ac99fb1fccc1e8230502d245719d1b217fe20505c7648795139d177f0de9
enc: 042224f3ea800f7ec55c03f29fc9865f6ee27004f818fcbdc6dc68932c1e52e
15b79e264a98f2c535ef06745f3d308624414153b22c7332bc1e691cb4af4d53454
shared_secret:
d4aea336439aadf68f9348880aa358086f1480e7c167b6ef15453ba69b94b44f
key_schedule_context: 02b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce
efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85
secret:
fd0a93c7c6f6b1b0dd6a822d7b16f6c61c83d98ad88426df4613c3581a2319f1
key: 19aa8472b3fdc530392b0e54ca17c0f5
base_nonce: b390052d26b67a5b8a8fcaa4
exporter_secret:
f152759972660eb0e1db880835abd5de1c39c8e9cd269f6f082ed80e28acb164
</pre><a href="#appendix-A.3.3-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-10">
<section id="appendix-A.3.3.1">
            <h5 id="name-encryptions-11">
<a href="#appendix-A.3.3.1" class="section-number selfRef">A.3.3.1. </a><a href="#name-encryptions-11" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.3.3.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: b390052d26b67a5b8a8fcaa4
ct: 82ffc8c44760db691a07c5627e5fc2c08e7a86979ee79b494a17cc3405446ac2
bdb8f265db4a099ed3289ffe19

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: b390052d26b67a5b8a8fcaa5
ct: b0a705a54532c7b4f5907de51c13dffe1e08d55ee9ba59686114b05945494d96
725b239468f1229e3966aa1250

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: b390052d26b67a5b8a8fcaa6
ct: 8dc805680e3271a801790833ed74473710157645584f06d1b53ad439078d880b
23e25256663178271c80ee8b7c

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: b390052d26b67a5b8a8fcaa0
ct: 04c8f7aae1584b61aa5816382cb0b834a5d744f420e6dffb5ddcec633a21b8b3
472820930c1ea9258b035937a2

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: b390052d26b67a5b8a8fca5b
ct: 4a319462eaedee37248b4d985f64f4f863d31913fe9e30b6e13136053b69fe5d
70853c84c60a84bb5495d5a678

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: b390052d26b67a5b8a8fcba4
ct: 28e874512f8940fafc7d06135e7589f6b4198bc0f3a1c64702e72c9e6abaf9f0
5cb0d2f11b03a517898815c934
</pre><a href="#appendix-A.3.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-10">
<section id="appendix-A.3.3.2">
            <h5 id="name-exported-values-11">
<a href="#appendix-A.3.3.2" class="section-number selfRef">A.3.3.2. </a><a href="#name-exported-values-11" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.3.3.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
837e49c3ff629250c8d80d3c3fb957725ed481e59e2feb57afd9fe9a8c7c4497

exporter_context: 00
L: 32
exported_value:
594213f9018d614b82007a7021c3135bda7b380da4acd9ab27165c508640dbda

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
14fe634f95ca0d86e15247cca7de7ba9b73c9b9deb6437e1c832daf7291b79d5
</pre><a href="#appendix-A.3.3.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information-2">
<section id="appendix-A.3.4">
          <h4 id="name-authpsk-setup-information-3">
<a href="#appendix-A.3.4" class="section-number selfRef">A.3.4. </a><a href="#name-authpsk-setup-information-3" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.3.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
3c1fceb477ec954c8d58ef3249e4bb4c38241b5925b95f7486e4d9f1d0d35fbb
pkEm: 046a1de3fc26a3d43f4e4ba97dbe24f7e99181136129c48fbe872d4743e2b1
31357ed4f29a7b317dc22509c7b00991ae990bf65f8b236700c82ab7c11a84511401
skEm:
36f771e411cf9cf72f0701ef2b991ce9743645b472e835fe234fb4d6eb2ff5a0
ikmR:
abcc2da5b3fa81d8aabd91f7f800a8ccf60ec37b1b585a5d1d1ac77f258b6cca
pkRm: 04d824d7e897897c172ac8a9e862e4bd820133b8d090a9b188b8233a64dfbc
5f725aa0aa52c8462ab7c9188f1c4872f0c99087a867e8a773a13df48a627058e1b3
skRm:
bdf4e2e587afdf0930644a0c45053889ebcadeca662d7c755a353d5b4e2a8394
ikmS:
6262031f040a9db853edd6f91d2272596eabbc78a2ed2bd643f770ecd0f19b82
pkSm: 049f158c750e55d8d5ad13ede66cf6e79801634b7acadcad72044eac2ae1d0
480069133d6488bf73863fa988c4ba8bde1c2e948b761274802b4d8012af4f13af9e
skSm:
b0ed8721db6185435898650f7a677affce925aba7975a582653c4cb13c72d240
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 046a1de3fc26a3d43f4e4ba97dbe24f7e99181136129c48fbe872d4743e2b13
1357ed4f29a7b317dc22509c7b00991ae990bf65f8b236700c82ab7c11a84511401
shared_secret:
d4c27698391db126f1612d9e91a767f10b9b19aa17e1695549203f0df7d9aebe
key_schedule_context: 03b873cdf2dff4c1434988053b7a775e980dd2039ea24f
950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85
secret:
3bf9d4c7955da2740414e73081fa74d6f6f2b4b9645d0685219813ce99a2f270
key: 4d567121d67fae1227d90e11585988fb
base_nonce: 67c9d05330ca21e5116ecda6
exporter_secret:
3f479020ae186788e4dfd4a42a21d24f3faabb224dd4f91c2b2e5e9524ca27b2
</pre><a href="#appendix-A.3.4-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-11">
<section id="appendix-A.3.4.1">
            <h5 id="name-encryptions-12">
<a href="#appendix-A.3.4.1" class="section-number selfRef">A.3.4.1. </a><a href="#name-encryptions-12" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.3.4.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 67c9d05330ca21e5116ecda6
ct: b9f36d58d9eb101629a3e5a7b63d2ee4af42b3644209ab37e0a272d44365407d
b8e655c72e4fa46f4ff81b9246

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 67c9d05330ca21e5116ecda7
ct: 51788c4e5d56276771032749d015d3eea651af0c7bb8e3da669effffed299ea1
f641df621af65579c10fc09736

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 67c9d05330ca21e5116ecda4
ct: 3b5a2be002e7b29927f06442947e1cf709b9f8508b03823127387223d7127034
71c266efc355f1bc2036f3027c

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 67c9d05330ca21e5116ecda2
ct: 8ddbf1242fe5c7d61e1675496f3bfdb4d90205b3dfbc1b12aab41395d71a8211
8e095c484103107cf4face5123

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 67c9d05330ca21e5116ecd59
ct: 6de25ceadeaec572fbaa25eda2558b73c383fe55106abaec24d518ef6724a7ce
698f83ecdc53e640fe214d2f42

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 67c9d05330ca21e5116ecca6
ct: f380e19d291e12c5e378b51feb5cd50f6d00df6cb2af8393794c4df342126c2e
29633fe7e8ce49587531affd4d
</pre><a href="#appendix-A.3.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-11">
<section id="appendix-A.3.4.2">
            <h5 id="name-exported-values-12">
<a href="#appendix-A.3.4.2" class="section-number selfRef">A.3.4.2. </a><a href="#name-exported-values-12" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.3.4.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
595ce0eff405d4b3bb1d08308d70a4e77226ce11766e0a94c4fdb5d90025c978

exporter_context: 00
L: 32
exported_value:
110472ee0ae328f57ef7332a9886a1992d2c45b9b8d5abc9424ff68630f7d38d

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
18ee4d001a9d83a4c67e76f88dd747766576cac438723bad0700a910a4d717e6
</pre><a href="#appendix-A.3.4.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="dhkemp-256-hkdf-sha256-hkdf-sha512-aes-128-gcm">
<section id="appendix-A.4">
        <h3 id="name-dhkemp-256-hkdf-sha256-hkdf-">
<a href="#appendix-A.4" class="section-number selfRef">A.4. </a><a href="#name-dhkemp-256-hkdf-sha256-hkdf-" class="section-name selfRef">DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM</a>
        </h3>
<div id="base-setup-information-3">
<section id="appendix-A.4.1">
          <h4 id="name-base-setup-information-4">
<a href="#appendix-A.4.1" class="section-number selfRef">A.4.1. </a><a href="#name-base-setup-information-4" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.4.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
4ab11a9dd78c39668f7038f921ffc0993b368171d3ddde8031501ee1e08c4c9a
pkEm: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a
15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580
skEm:
2292bf14bb6e15b8c81a0f45b7a6e93e32d830e48cca702e0affcfb4d07e1b5c
ikmR:
ea9ff7cc5b2705b188841c7ace169290ff312a9cb31467784ca92d7a2e6e1be8
pkRm: 04085aa5b665dc3826f9650ccbcc471be268c8ada866422f739e2d531d4a88
18a9466bc6b449357096232919ec4fe9070ccbac4aac30f4a1a53efcf7af90610edd
skRm:
3ac8530ad1b01885960fab38cf3cdc4f7aef121eaa239f222623614b4079fb38
enc: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a1
5565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580
shared_secret:
02f584736390fc93f5b4ad039826a3fa08e9911bd1215a3db8e8791ba533cafd
key_schedule_context: 005b8a3617af7789ee716e7911c7e77f84cdc4cc46e60f
b7e19e4059f9aeadc00585e26874d1ddde76e551a7679cd47168c466f6e1f705cc93
74c192778a34fcd5ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9
secret: 0c7acdab61693f936c4c1256c78e7be30eebfe466812f9cc49f0b58dc970
328dfc03ea359be0250a471b1635a193d2dfa8cb23c90aa2e25025b892a725353eeb
key: 090ca96e5f8aa02b69fac360da50ddf9
base_nonce: 9c995e621bf9a20c5ca45546
exporter_secret: 4a7abb2ac43e6553f129b2c5750a7e82d149a76ed56dc342d7b
ca61e26d494f4855dff0d0165f27ce57756f7f16baca006539bb8e4518987ba61048
0ac03efa8
</pre><a href="#appendix-A.4.1-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-12">
<section id="appendix-A.4.1.1">
            <h5 id="name-encryptions-13">
<a href="#appendix-A.4.1.1" class="section-number selfRef">A.4.1.1. </a><a href="#name-encryptions-13" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.4.1.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 9c995e621bf9a20c5ca45546
ct: d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c8890
7200b332003543754eb51917ba

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 9c995e621bf9a20c5ca45547
ct: d14414555a47269dfead9fbf26abb303365e40709a4ed16eaefe1f2070f1ddeb
1bdd94d9e41186f124e0acc62d

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 9c995e621bf9a20c5ca45544
ct: 9bba136cade5c4069707ba91a61932e2cbedda2d9c7bdc33515aa01dd0e0f7e9
d3579bf4016dec37da4aafa800

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 9c995e621bf9a20c5ca45542
ct: a531c0655342be013bf32112951f8df1da643602f1866749519f5dcb09cc6843
2579de305a77e6864e862a7600

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 9c995e621bf9a20c5ca455b9
ct: be5da649469efbad0fb950366a82a73fefeda5f652ec7d3731fac6c4ffa21a70
04d2ab8a04e13621bd3629547d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 9c995e621bf9a20c5ca45446
ct: 62092672f5328a0dde095e57435edf7457ace60b26ee44c9291110ec135cb0e1
4b85594e4fea11247d937deb62
</pre><a href="#appendix-A.4.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-12">
<section id="appendix-A.4.1.2">
            <h5 id="name-exported-values-13">
<a href="#appendix-A.4.1.2" class="section-number selfRef">A.4.1.2. </a><a href="#name-exported-values-13" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.4.1.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
a32186b8946f61aeead1c093fe614945f85833b165b28c46bf271abf16b57208

exporter_context: 00
L: 32
exported_value:
84998b304a0ea2f11809398755f0abd5f9d2c141d1822def79dd15c194803c2a

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
93fb9411430b2cfa2cf0bed448c46922a5be9beff20e2e621df7e4655852edbc
</pre><a href="#appendix-A.4.1.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information-3">
<section id="appendix-A.4.2">
          <h4 id="name-psk-setup-information-4">
<a href="#appendix-A.4.2" class="section-number selfRef">A.4.2. </a><a href="#name-psk-setup-information-4" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.4.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
c11d883d6587f911d2ddbc2a0859d5b42fb13bf2c8e89ef408a25564893856f5
pkEm: 04a307934180ad5287f95525fe5bc6244285d7273c15e061f0f2efb211c350
57f3079f6e0abae200992610b25f48b63aacfcb669106ddee8aa023feed301901371
skEm:
a5901ff7d6931959c2755382ea40a4869b1dec3694ed3b009dda2d77dd488f18
ikmR:
75bfc2a3a3541170a54c0b06444e358d0ee2b4fb78a401fd399a47a33723b700
pkRm: 043f5266fba0742db649e1043102b8a5afd114465156719cea90373229aabd
d84d7f45dabfc1f55664b888a7e86d594853a6cccdc9b189b57839cbbe3b90b55873
skRm:
bc6f0b5e22429e5ff47d5969003f3cae0f4fec50e23602e880038364f33b8522
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04a307934180ad5287f95525fe5bc6244285d7273c15e061f0f2efb211c3505
7f3079f6e0abae200992610b25f48b63aacfcb669106ddee8aa023feed301901371
shared_secret:
2912aacc6eaebd71ff715ea50f6ef3a6637856b2a4c58ea61e0c3fc159e3bc16
key_schedule_context: 01713f73042575cebfd132f0cc4338523f8eae95c80a74
9f7cf3eb9436ff1c612ca62c37df27ca46d2cc162445a92c5f5fdc57bcde129ca7b1
f284b0c12297c037ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9
secret: ff2051d2128d5f3078de867143e076262ce1d0aecafc3fff3d607f1eaff0
5345c7d5ffcb3202cdecb3d1a2f7da20592a237747b6e855390cbe2109d3e6ac70c2
key: 0b910ba8d9cfa17e5f50c211cb32839a
base_nonce: 0c29e714eb52de5b7415a1b7
exporter_secret: 50c0a182b6f94b4c0bd955c4aa20df01f282cc12c43065a0812
fe4d4352790171ed2b2c4756ad7f5a730ba336c8f1edd0089d8331192058c385bae3
9c7cc8b57
</pre><a href="#appendix-A.4.2-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-13">
<section id="appendix-A.4.2.1">
            <h5 id="name-encryptions-14">
<a href="#appendix-A.4.2.1" class="section-number selfRef">A.4.2.1. </a><a href="#name-encryptions-14" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.4.2.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 0c29e714eb52de5b7415a1b7
ct: 57624b6e320d4aba0afd11f548780772932f502e2ba2a8068676b2a0d3b5129a
45b9faa88de39e8306da41d4cc

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 0c29e714eb52de5b7415a1b6
ct: 159d6b4c24bacaf2f5049b7863536d8f3ffede76302dace42080820fa51925d4
e1c72a64f87b14291a3057e00a

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 0c29e714eb52de5b7415a1b5
ct: bd24140859c99bf0055075e9c460032581dd1726d52cf980d308e9b20083ca62
e700b17892bcf7fa82bac751d0

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 0c29e714eb52de5b7415a1b3
ct: 93ddd55f82e9aaaa3cfc06840575f09d80160b20538125c2549932977d1238dd
e8126a4a91118faf8632f62cb8

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 0c29e714eb52de5b7415a148
ct: 377a98a3c34bf716581b05a6b3fdc257f245856384d5f2241c8840571c52f5c8
5c21138a4a81655edab8fe227d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 0c29e714eb52de5b7415a0b7
ct: cc161f5a179831d456d119d2f2c19a6817289c75d1c61cd37ac8a450acd9efba
02e0ac00d128c17855931ff69a
</pre><a href="#appendix-A.4.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-13">
<section id="appendix-A.4.2.2">
            <h5 id="name-exported-values-14">
<a href="#appendix-A.4.2.2" class="section-number selfRef">A.4.2.2. </a><a href="#name-exported-values-14" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.4.2.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
8158bea21a6700d37022bb7802866edca30ebf2078273757b656ef7fc2e428cf

exporter_context: 00
L: 32
exported_value:
6a348ba6e0e72bb3ef22479214a139ef8dac57be34509a61087a12565473da8d

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
2f6d4f7a18ec48de1ef4469f596aada4afdf6d79b037ed3c07e0118f8723bffc
</pre><a href="#appendix-A.4.2.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information-3">
<section id="appendix-A.4.3">
          <h4 id="name-auth-setup-information-4">
<a href="#appendix-A.4.3" class="section-number selfRef">A.4.3. </a><a href="#name-auth-setup-information-4" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.4.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
6bb031aa9197562da0b44e737db2b9e61f6c3ea1138c37de28fc37ac29bc7350
pkEm: 04fec59fa9f76f5d0f6c1660bb179cb314ed97953c53a60ab38f8e6ace60fd
59178084d0dd66e0f79172992d4ddb2e91172ce24949bcebfff158dcc417f2c6e9c6
skEm:
93cddd5288e7ef4884c8fe321d075df01501b993ff49ffab8184116f39b3c655
ikmR:
649a3f92edbb7a2516a0ade0b7dccc58a37240c4ba06f9726a952227b4adf6ff
pkRm: 04378bad519aab406e04d0e5608bcca809c02d6afd2272d4dd03e9357bd0ee
e8adf84c8deba3155c9cf9506d1d4c8bfefe3cf033a75716cc3cc07295100ec96276
skRm:
1ea4484be482bf25fdb2ed39e6a02ed9156b3e57dfb18dff82e4a048de990236
ikmS:
4d79b8691aab55a7265e8490a04bb3860ed64dece90953ad0dc43a6ea59b4bf2
pkSm: 0404d3c1f9fca22eb4a6d326125f0814c35593b1da8ea0d11a640730b215a2
59b9b98a34ad17e21617d19fe1d4fa39a4828bfdb306b729ec51c543caca3b2d9529
skSm:
02b266d66919f7b08f42ae0e7d97af4ca98b2dae3043bb7e0740ccadc1957579
enc: 04fec59fa9f76f5d0f6c1660bb179cb314ed97953c53a60ab38f8e6ace60fd5
9178084d0dd66e0f79172992d4ddb2e91172ce24949bcebfff158dcc417f2c6e9c6
shared_secret:
1ed49f6d7ada333d171cd63861a1cb700a1ec4236755a9cd5f9f8f67a2f8e7b3
key_schedule_context: 025b8a3617af7789ee716e7911c7e77f84cdc4cc46e60f
b7e19e4059f9aeadc00585e26874d1ddde76e551a7679cd47168c466f6e1f705cc93
74c192778a34fcd5ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9
secret: 9c846ba81ddbbd57bc26d99da6cf7ab956bb735ecd47fe21ed14241c7079
1b7484c1d06663d21a5d97bf1be70d56ab727f650c4f859c5ed3f71f8928b3c082dd
key: 9d4b1c83129f3de6db95faf3d539dcf1
base_nonce: ea4fd7a485ee5f1f4b62c1b7
exporter_secret: ca2410672369aae1afd6c2639f4fe34ca36d35410c090608d29
24f60def17f910d7928575434d7f991b1f19d3e8358b8278ff59ced0d5eed4774cec
72e12766e
</pre><a href="#appendix-A.4.3-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-14">
<section id="appendix-A.4.3.1">
            <h5 id="name-encryptions-15">
<a href="#appendix-A.4.3.1" class="section-number selfRef">A.4.3.1. </a><a href="#name-encryptions-15" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.4.3.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: ea4fd7a485ee5f1f4b62c1b7
ct: 2480179d880b5f458154b8bfe3c7e8732332de84aabf06fc440f6b31f169e154
157fa9eb44f2fa4d7b38a9236e

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: ea4fd7a485ee5f1f4b62c1b6
ct: 10cd81e3a816d29942b602a92884348171a31cbd0f042c3057c65cd93c540943
a5b05115bd520c09281061935b

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: ea4fd7a485ee5f1f4b62c1b5
ct: 920743a88d8cf6a09e1a3098e8be8edd09db136e9d543f215924043af8c7410f
68ce6aa64fd2b1a176e7f6b3fd

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: ea4fd7a485ee5f1f4b62c1b3
ct: 6b11380fcc708fc8589effb5b5e0394cbd441fa5e240b5500522150ca8265d65
ff55479405af936e2349119dcd

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: ea4fd7a485ee5f1f4b62c148
ct: d084eca50e7554bb97ba34c4482dfe32c9a2b7f3ab009c2d1b68ecbf97bee2d2
8cd94b6c829b96361f2701772d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: ea4fd7a485ee5f1f4b62c0b7
ct: 247da592cc4ce834a94de2c79f5730ee49342470a021e4a4bc2bb77c53b17413
e94d94f57b4fdaedcf97cfe7b1
</pre><a href="#appendix-A.4.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-14">
<section id="appendix-A.4.3.2">
            <h5 id="name-exported-values-15">
<a href="#appendix-A.4.3.2" class="section-number selfRef">A.4.3.2. </a><a href="#name-exported-values-15" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.4.3.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
f03fbc82f321a0ab4840e487cb75d07aafd8e6f68485e4f7ff72b2f55ff24ad6

exporter_context: 00
L: 32
exported_value:
1ce0cadec0a8f060f4b5070c8f8888dcdfefc2e35819df0cd559928a11ff0891

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
70c405c707102fd0041ea716090753be47d68d238b111d542846bd0d84ba907c
</pre><a href="#appendix-A.4.3.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information-3">
<section id="appendix-A.4.4">
          <h4 id="name-authpsk-setup-information-4">
<a href="#appendix-A.4.4" class="section-number selfRef">A.4.4. </a><a href="#name-authpsk-setup-information-4" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.4.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
37ae06a521cd555648c928d7af58ad2aa4a85e34b8cabd069e94ad55ab872cc8
pkEm: 04801740f4b1b35823f7fb2930eac2efc8c4893f34ba111c0bb976e3c7d5dc
0aef5a7ef0bf4057949a140285f774f1efc53b3860936b92279a11b68395d898d138
skEm:
778f2254ae5d661d5c7fca8c4a7495a25bd13f26258e459159f3899df0de76c1
ikmR:
7466024b7e2d2366c3914d7833718f13afb9e3e45bcfbb510594d614ddd9b4e7
pkRm: 04a4ca7af2fc2cce48edbf2f1700983e927743a4e85bb5035ad562043e25d9
a111cbf6f7385fac55edc5c9d2ca6ed351a5643de95c36748e11dbec98730f4d43e9
skRm:
00510a70fde67af487c093234fc4215c1cdec09579c4b30cc8e48cb530414d0e
ikmS:
ee27aaf99bf5cd8398e9de88ac09a82ac22cdb8d0905ab05c0f5fa12ba1709f3
pkSm: 04b59a4157a9720eb749c95f842a5e3e8acdccbe834426d405509ac3191e23
f2165b5bb1f07a6240dd567703ae75e13182ee0f69fc102145cdb5abf681ff126d60
skSm:
d743b20821e6326f7a26684a4beed7088b35e392114480ca9f6c325079dcf10b
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04801740f4b1b35823f7fb2930eac2efc8c4893f34ba111c0bb976e3c7d5dc0
aef5a7ef0bf4057949a140285f774f1efc53b3860936b92279a11b68395d898d138
shared_secret:
02bee8be0dda755846115db45071c0cf59c25722e015bde1c124de849c0fea52
key_schedule_context: 03713f73042575cebfd132f0cc4338523f8eae95c80a74
9f7cf3eb9436ff1c612ca62c37df27ca46d2cc162445a92c5f5fdc57bcde129ca7b1
f284b0c12297c037ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9
secret: 0f9df08908a6a3d06c8e934cd3f5313f9ebccd0986e316c0198bb48bed30
dc3db2f3baab94fd40c2c285c7288c77e2255401ee2d5884306addf4296b93c238b3
key: b68bb0e2fbf7431cedb46cc3b6f1fe9e
base_nonce: 76af62719d33d39a1cb6be9f
exporter_secret: 7f72308ae68c9a2b3862e686cb547b16d33d00fe482c770c471
7d8b54e9b1e547244c3602bdd86d5a788a8443befea0a7658002b23f1c96a62a6498
6fffc511a
</pre><a href="#appendix-A.4.4-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-15">
<section id="appendix-A.4.4.1">
            <h5 id="name-encryptions-16">
<a href="#appendix-A.4.4.1" class="section-number selfRef">A.4.4.1. </a><a href="#name-encryptions-16" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.4.4.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 76af62719d33d39a1cb6be9f
ct: 840669634db51e28df54f189329c1b727fd303ae413f003020aff5e26276aaa9
10fc4296828cb9d862c2fd7d16

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 76af62719d33d39a1cb6be9e
ct: d4680a48158d9a75fd09355878d6e33997a36ee01d4a8f22032b22373b795a94
1b7b9c5205ff99e0ff284beef4

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 76af62719d33d39a1cb6be9d
ct: c45eb6597de2bac929a0f5d404ba9d2dc1ea031880930f1fd7a283f0a0cbebb3
5eac1a9ee0d1225f5e0f181571

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 76af62719d33d39a1cb6be9b
ct: 4ee2482ad8d7d1e9b7e651c78b6ca26d3c5314d0711710ca62c2fd8bb8996d7d
8727c157538d5493da696b61f8

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 76af62719d33d39a1cb6be60
ct: 65596b731df010c76a915c6271a438056ce65696459432eeafdae7b4cadb6290
dd61e68edd4e40b659d2a8cbcc

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 76af62719d33d39a1cb6bf9f
ct: 9f659482ebc52f8303f9eac75656d807ec38ce2e50c72e3078cd13d86b30e3f8
90690a873277620f8a6a42d836
</pre><a href="#appendix-A.4.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-15">
<section id="appendix-A.4.4.2">
            <h5 id="name-exported-values-16">
<a href="#appendix-A.4.4.2" class="section-number selfRef">A.4.4.2. </a><a href="#name-exported-values-16" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.4.4.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
c8c917e137a616d3d4e4c9fcd9c50202f366cb0d37862376bc79f9b72e8a8db9

exporter_context: 00
L: 32
exported_value:
33a5d4df232777008a06d0684f23bb891cfaef702f653c8601b6ad4d08dddddf

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
bed80f2e54f1285895c4a3f3b3625e6206f78f1ed329a0cfb5864f7c139b3c6a
</pre><a href="#appendix-A.4.4.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="dhkemp-256-hkdf-sha256-hkdf-sha256-chacha20poly1305">
<section id="appendix-A.5">
        <h3 id="name-dhkemp-256-hkdf-sha256-hkdf-s">
<a href="#appendix-A.5" class="section-number selfRef">A.5. </a><a href="#name-dhkemp-256-hkdf-sha256-hkdf-s" class="section-name selfRef">DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305</a>
        </h3>
<div id="base-setup-information-4">
<section id="appendix-A.5.1">
          <h4 id="name-base-setup-information-5">
<a href="#appendix-A.5.1" class="section-number selfRef">A.5.1. </a><a href="#name-base-setup-information-5" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.5.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
f1f1a3bc95416871539ecb51c3a8f0cf608afb40fbbe305c0a72819d35c33f1f
pkEm: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c09582782
4fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291
skEm:
7550253e1147aae48839c1f8af80d2770fb7a4c763afe7d0afa7e0f42a5b3689
ikmR:
61092f3f56994dd424405899154a9918353e3e008171517ad576b900ddb275e7
pkRm: 04a697bffde9405c992883c5c439d6cc358170b51af72812333b015621dc0f
40bad9bb726f68a5c013806a790ec716ab8669f84f6b694596c2987cf35baba2a006
skRm:
a4d1c55836aa30f9b3fbb6ac98d338c877c2867dd3a77396d13f68d3ab150d3b
enc: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c095827824
fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291
shared_secret:
806520f82ef0b03c823b7fc524b6b55a088f566b9751b89551c170f4113bd850
key_schedule_context: 00b738cd703db7b4106e93b4621e9a19c89c838e559642
40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c
secret:
fe891101629aa355aad68eff3cc5170d057eca0c7573f6575e91f9783e1d4506
key:
a8f45490a92a3b04d1dbf6cf2c3939ad8bfc9bfcb97c04bffe116730c9dfe3fc
base_nonce: 726b4390ed2209809f58c693
exporter_secret:
4f9bd9b3a8db7d7c3a5b9d44fdc1f6e37d5d77689ade5ec44a7242016e6aa205
</pre><a href="#appendix-A.5.1-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-16">
<section id="appendix-A.5.1.1">
            <h5 id="name-encryptions-17">
<a href="#appendix-A.5.1.1" class="section-number selfRef">A.5.1.1. </a><a href="#name-encryptions-17" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.5.1.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 726b4390ed2209809f58c693
ct: 6469c41c5c81d3aa85432531ecf6460ec945bde1eb428cb2fedf7a29f5a685b4
ccb0d057f03ea2952a27bb458b

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 726b4390ed2209809f58c692
ct: f1564199f7e0e110ec9c1bcdde332177fc35c1adf6e57f8d1df24022227ffa87
16862dbda2b1dc546c9d114374

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 726b4390ed2209809f58c691
ct: 39de89728bcb774269f882af8dc5369e4f3d6322d986e872b3a8d074c7c18e85
49ff3f85b6d6592ff87c3f310c

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 726b4390ed2209809f58c697
ct: bc104a14fbede0cc79eeb826ea0476ce87b9c928c36e5e34dc9b6905d91473ec
369a08b1a25d305dd45c6c5f80

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 726b4390ed2209809f58c66c
ct: 8f2814a2c548b3be50259713c6724009e092d37789f6856553d61df23ebc0792
35f710e6af3c3ca6eaba7c7c6c

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 726b4390ed2209809f58c793
ct: b45b69d419a9be7219d8c94365b89ad6951caf4576ea4774ea40e9b7047a09d6
537d1aa2f7c12d6ae4b729b4d0
</pre><a href="#appendix-A.5.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-16">
<section id="appendix-A.5.1.2">
            <h5 id="name-exported-values-17">
<a href="#appendix-A.5.1.2" class="section-number selfRef">A.5.1.2. </a><a href="#name-exported-values-17" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.5.1.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
9b13c510416ac977b553bf1741018809c246a695f45eff6d3b0356dbefe1e660

exporter_context: 00
L: 32
exported_value:
6c8b7be3a20a5684edecb4253619d9051ce8583baf850e0cb53c402bdcaf8ebb

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
477a50d804c7c51941f69b8e32fe8288386ee1a84905fe4938d58972f24ac938
</pre><a href="#appendix-A.5.1.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information-4">
<section id="appendix-A.5.2">
          <h4 id="name-psk-setup-information-5">
<a href="#appendix-A.5.2" class="section-number selfRef">A.5.2. </a><a href="#name-psk-setup-information-5" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.5.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
e1a4e1d50c4bfcf890f2b4c7d6b2d2aca61368eddc3c84162df2856843e1057a
pkEm: 04f336578b72ad7932fe867cc4d2d44a718a318037a0ec271163699cee653f
a805c1fec955e562663e0c2061bb96a87d78892bff0cc0bad7906c2d998ebe1a7246
skEm:
7d6e4e006cee68af9b3fdd583a0ee8962df9d59fab029997ee3f456cbc857904
ikmR:
ee51dec304abf993ef8fd52aacdd3b539108bbf6e491943266c1de89ec596a17
pkRm: 041eb8f4f20ab72661af369ff3231a733672fa26f385ffb959fd1bae46bfda
43ad55e2d573b880831381d9367417f554ce5b2134fbba5235b44db465feffc6189e
skRm:
12ecde2c8bc2d5d7ed2219c71f27e3943d92b344174436af833337c557c300b3
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04f336578b72ad7932fe867cc4d2d44a718a318037a0ec271163699cee653fa
805c1fec955e562663e0c2061bb96a87d78892bff0cc0bad7906c2d998ebe1a7246
shared_secret:
ac4f260dce4db6bf45435d9c92c0e11cfdd93743bd3075949975974cc2b3d79e
key_schedule_context: 01622b72afcc3795841596c67ea74400ca3b029374d7d5
640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c
secret:
858c8087a1c056db5811e85802f375bb0c19b9983204a1575de4803575d23239
key:
6d61cb330b7771168c8619498e753f16198aad9566d1f1c6c70e2bc1a1a8b142
base_nonce: 0de7655fb65e1cd51a38864e
exporter_secret:
754ca00235b245e72d1f722a7718e7145bd113050a2aa3d89586d4cb7514bfdb
</pre><a href="#appendix-A.5.2-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-17">
<section id="appendix-A.5.2.1">
            <h5 id="name-encryptions-18">
<a href="#appendix-A.5.2.1" class="section-number selfRef">A.5.2.1. </a><a href="#name-encryptions-18" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.5.2.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 0de7655fb65e1cd51a38864e
ct: 21433eaff24d7706f3ed5b9b2e709b07230e2b11df1f2b1fe07b3c70d5948a53
d6fa5c8bed194020bd9df0877b

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 0de7655fb65e1cd51a38864f
ct: c74a764b4892072ea8c2c56b9bcd46c7f1e9ca8cb0a263f8b40c2ba59ac9c857
033f176019562218769d3e0452

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 0de7655fb65e1cd51a38864c
ct: dc8cd68863474d6e9cbb6a659335a86a54e036249d41acf909e738c847ff2bd3
6fe3fcacda4ededa7032c0a220

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 0de7655fb65e1cd51a38864a
ct: cd54a8576353b1b9df366cb0cc042e46eef6f4cf01e205fe7d47e306b2fdd90f
7185f289a26c613ca094e3be10

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 0de7655fb65e1cd51a3886b1
ct: 6324570c9d542c70c7e70570c1d8f4c52a89484746bf0625441890ededcc80c2
4ef2301c38bfd34d689d19f67d

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 0de7655fb65e1cd51a38874e
ct: 1ea6326c8098ed0437a553c466550114fb2ca1412cca7de98709b9ccdf19206e
52c3d39180e2cf62b3e9f4baf4
</pre><a href="#appendix-A.5.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-17">
<section id="appendix-A.5.2.2">
            <h5 id="name-exported-values-18">
<a href="#appendix-A.5.2.2" class="section-number selfRef">A.5.2.2. </a><a href="#name-exported-values-18" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.5.2.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
530bbc2f68f078dccc89cc371b4f4ade372c9472bafe4601a8432cbb934f528d

exporter_context: 00
L: 32
exported_value:
6e25075ddcc528c90ef9218f800ca3dfe1b8ff4042de5033133adb8bd54c401d

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
6f6fbd0d1c7733f796461b3235a856cc34f676fe61ed509dfc18fa16efe6be78
</pre><a href="#appendix-A.5.2.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information-4">
<section id="appendix-A.5.3">
          <h4 id="name-auth-setup-information-5">
<a href="#appendix-A.5.3" class="section-number selfRef">A.5.3. </a><a href="#name-auth-setup-information-5" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.5.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
0ecd212019008138a31f9104d5dba76b9f8e34d5b996041fff9e3df221dd0d5d
pkEm: 040d5176aedba55bc41709261e9195c5146bb62d783031280775f32e507d79
b5cbc5748b6be6359760c73cfe10ca19521af704ca6d91ff32fc0739527b9385d415
skEm:
085fd5d5e6ce6497c79df960cac93710006b76217d8bcfafbd2bb2c20ea03c42
ikmR:
d32236d8378b9563840653789eb7bc33c3c720e537391727bf1c812d0eac110f
pkRm: 0444f6ee41818d9fe0f8265bffd016b7e2dd3964d610d0f7514244a60dbb7a
11ece876bb110a97a2ac6a9542d7344bf7d2bd59345e3e75e497f7416cf38d296233
skRm:
3cb2c125b8c5a81d165a333048f5dcae29a2ab2072625adad66dbb0f48689af9
ikmS:
0e6be0851283f9327295fd49858a8c8908ea9783212945eef6c598ee0a3cedbb
pkSm: 04265529a04d4f46ab6fa3af4943774a9f1127821656a75a35fade898a9a1b
014f64d874e88cddb24c1c3d79004d3a587db67670ca357ff4fba7e8b56ec013b98b
skSm:
39b19402e742d48d319d24d68e494daa4492817342e593285944830320912519
enc: 040d5176aedba55bc41709261e9195c5146bb62d783031280775f32e507d79b
5cbc5748b6be6359760c73cfe10ca19521af704ca6d91ff32fc0739527b9385d415
shared_secret:
1a45aa4792f4b166bfee7eeab0096c1a6e497480e2261b2a59aad12f2768d469
key_schedule_context: 02b738cd703db7b4106e93b4621e9a19c89c838e559642
40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c
secret:
9193210815b87a4c5496c9d73e609a6c92665b5ea0d760866294906d089ebb57
key:
cf292f8a4313280a462ce55cde05b5aa5744fe4ca89a5d81b0146a5eaca8092d
base_nonce: 7e45c21e20e869ae00492123
exporter_secret:
dba6e307f71769ba11e2c687cc19592f9d436da0c81e772d7a8a9fd28e54355f
</pre><a href="#appendix-A.5.3-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-18">
<section id="appendix-A.5.3.1">
            <h5 id="name-encryptions-19">
<a href="#appendix-A.5.3.1" class="section-number selfRef">A.5.3.1. </a><a href="#name-encryptions-19" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.5.3.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 7e45c21e20e869ae00492123
ct: 25881f219935eec5ba70d7b421f13c35005734f3e4d959680270f55d71e2f5cb
3bd2daced2770bf3d9d4916872

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 7e45c21e20e869ae00492122
ct: 653f0036e52a376f5d2dd85b3204b55455b7835c231255ae098d09ed138719b9
7185129786338ab6543f753193

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 7e45c21e20e869ae00492121
ct: 60878706117f22180c788e62df6a595bc41906096a11a9513e84f0141e43239e
81a98d7a235abc64112fcb8ddd

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 7e45c21e20e869ae00492127
ct: 0f9094dd08240b5fa7a388b824d19d5b4b1e126cebfd67a062c32f9ba9f1f386
6cc38de7df2702626e2ab65c0f

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 7e45c21e20e869ae004921dc
ct: dd29319e08135c5f8401d6537a364e92172c0e3f095f3fd18923881d11c0a683
9345dd0b54acd0edd8f8344792

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 7e45c21e20e869ae00492023
ct: e2276ec5047bc4b6ed57d6da7da2fb47a77502f0a30f17d040247c73da336d72
2bc6c89adf68396a0912c6d152
</pre><a href="#appendix-A.5.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-18">
<section id="appendix-A.5.3.2">
            <h5 id="name-exported-values-19">
<a href="#appendix-A.5.3.2" class="section-number selfRef">A.5.3.2. </a><a href="#name-exported-values-19" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.5.3.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
56c4d6c1d3a46c70fd8f4ecda5d27c70886e348efb51bd5edeaa39ff6ce34389

exporter_context: 00
L: 32
exported_value:
d2d3e48ed76832b6b3f28fa84be5f11f09533c0e3c71825a34fb0f1320891b51

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
eb0d312b6263995b4c7761e64b688c215ffd6043ff3bad2368c862784cbe6eff
</pre><a href="#appendix-A.5.3.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information-4">
<section id="appendix-A.5.4">
          <h4 id="name-authpsk-setup-information-5">
<a href="#appendix-A.5.4" class="section-number selfRef">A.5.4. </a><a href="#name-authpsk-setup-information-5" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.5.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
f3a07f194703e321ef1f753a1b9fe27a498dfdfa309151d70bedd896c239c499
pkEm: 043539917ee26f8ae0aa5f784a387981b13de33124a3cde88b946720301831
10f331400115855808244ff0c5b6ca6104483ac95724481d41bdcd9f15b430ad16f6
skEm:
11b7e4de2d919240616a31ab14944cced79bc2372108bb98f6792e3b645fe546
ikmR:
1240e55a0a03548d7f963ef783b6a7362cb505e6b31dfd04c81d9b294543bfbd
pkRm: 04d383fd920c42d018b9d57fd73a01f1eee480008923f67d35169478e55d2e
8817068daf62a06b10e0aad4a9e429fa7f904481be96b79a9c231a33e956c20b81b6
skRm:
c29fc577b7e74d525c0043f1c27540a1248e4f2c8d297298e99010a92e94865c
ikmS:
ce2a0387a2eb8870a3a92c34a2975f0f3f271af4384d446c7dc1524a6c6c515a
pkSm: 0492cf8c9b144b742fe5a63d9a181a19d416f3ec8705f24308ad316564823c
344e018bd7c03a33c926bb271b28ef5bf28c0ca00abff249fee5ef7f33315ff34fdb
skSm:
53541bd995f874a67f8bfd8038afa67fd68876801f42ff47d0dc2a4deea067ae
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 043539917ee26f8ae0aa5f784a387981b13de33124a3cde88b9467203018311
0f331400115855808244ff0c5b6ca6104483ac95724481d41bdcd9f15b430ad16f6
shared_secret:
87584311791036a3019bc36803cdd42e9a8931a98b13c88835f2f8a9036a4fd6
key_schedule_context: 03622b72afcc3795841596c67ea74400ca3b029374d7d5
640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c
secret:
fe52b4412590e825ea2603fa88e145b2ee014b942a774b55fab4f081301f16f4
key:
31e140c8856941315d4067239fdc4ebe077fbf45a6fc78a61e7a6c8b3bacb10a
base_nonce: 75838a8010d2e4760254dd56
exporter_secret:
600895965755db9c5027f25f039a6e3e506c35b3b7084ce33c4a48d59ee1f0e3
</pre><a href="#appendix-A.5.4-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-19">
<section id="appendix-A.5.4.1">
            <h5 id="name-encryptions-20">
<a href="#appendix-A.5.4.1" class="section-number selfRef">A.5.4.1. </a><a href="#name-encryptions-20" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.5.4.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 75838a8010d2e4760254dd56
ct: 9eadfa0f954835e7e920ffe56dec6b31a046271cf71fdda55db72926e1d8fae9
4cc6280fcfabd8db71eaa65c05

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 75838a8010d2e4760254dd57
ct: e357ad10d75240224d4095c9f6150a2ed2179c0f878e4f2db8ca95d365d174d0
59ff8c3eb38ea9a65cfc8eaeb8

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 75838a8010d2e4760254dd54
ct: 2fa56d00f8dd479d67a2ec3308325cf3bbccaf102a64ffccdb006bd7dcb93268
5b9a7b49cdc094a85fec1da5ef

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 75838a8010d2e4760254dd52
ct: 1fe9d6db14965003ed81a39abf240f9cd7c5a454bca0d69ef9a2de16d537364f
bbf110b9ef11fa4a7a0172f0ce

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 75838a8010d2e4760254dda9
ct: eaf4041a5c9122b22d1f8d698eeffe45d64b4ae33d0ddca3a4cdf4a5f595acc9
5a1a9334d06cc4d000df6aaad6

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 75838a8010d2e4760254dc56
ct: fb857f4185ce5286c1a52431867537204963ea66a3eee8d2a74419fd8751faee
066d08277ac7880473aa4143ba
</pre><a href="#appendix-A.5.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-19">
<section id="appendix-A.5.4.2">
            <h5 id="name-exported-values-20">
<a href="#appendix-A.5.4.2" class="section-number selfRef">A.5.4.2. </a><a href="#name-exported-values-20" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.5.4.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
c52b4592cd33dd38b2a3613108ddda28dcf7f03d30f2a09703f758bfa8029c9a

exporter_context: 00
L: 32
exported_value:
2f03bebc577e5729e148554991787222b5c2a02b77e9b1ac380541f710e5a318

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
e01dd49e8bfc3d9216abc1be832f0418adf8b47a7b5a330a7436c31e33d765d7
</pre><a href="#appendix-A.5.4.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="dhkemp-521-hkdf-sha512-hkdf-sha512-aes-256-gcm">
<section id="appendix-A.6">
        <h3 id="name-dhkemp-521-hkdf-sha512-hkdf">
<a href="#appendix-A.6" class="section-number selfRef">A.6. </a><a href="#name-dhkemp-521-hkdf-sha512-hkdf" class="section-name selfRef">DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM</a>
        </h3>
<div id="base-setup-information-5">
<section id="appendix-A.6.1">
          <h4 id="name-base-setup-information-6">
<a href="#appendix-A.6.1" class="section-number selfRef">A.6.1. </a><a href="#name-base-setup-information-6" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.6.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 7f06ab8215105fc46aceeb2e3dc5028b44364f960426eb0d8e4026c2f8b5d7
e7a986688f1591abf5ab753c357a5d6f0440414b4ed4ede71317772ac98d9239f709
04
pkEm: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8
900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731
ece2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed0
692237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0
skEm: 014784c692da35df6ecde98ee43ac425dbdd0969c0c72b42f2e708ab9d5354
15a8569bdacfcc0a114c85b8e3f26acf4d68115f8c91a66178cdbd03b7bcc5291e37
4b
ikmR: 2ad954bbe39b7122529f7dde780bff626cd97f850d0784a432784e69d86ecc
aade43b6c10a8ffdb94bf943c6da479db137914ec835a7e715e36e45e29b587bab3b
f1
pkRm: 0401b45498c1714e2dce167d3caf162e45e0642afc7ed435df7902ccae0e84
ba0f7d373f646b7738bbbdca11ed91bdeae3cdcba3301f2457be452f271fa6837580
e661012af49583a62e48d44bed350c7118c0d8dc861c238c72a2bda17f64704f464b
57338e7f40b60959480c0e58e6559b190d81663ed816e523b6b6a418f66d2451ec64
skRm: 01462680369ae375e4b3791070a7458ed527842f6a98a79ff5e0d4cbde83c2
7196a3916956655523a6a2556a7af62c5cadabe2ef9da3760bb21e005202f7b24628
47
enc: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab89
00aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731e
ce2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed06
92237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0
shared_secret: 776ab421302f6eff7d7cb5cb1adaea0cd50872c71c2d63c30c4f1
d5e43653336fef33b103c67e7a98add2d3b66e2fda95b5b2a667aa9dac7e59cc1d46
d30e818
key_schedule_context: 0083a27c5b2358ab4dae1b2f5d8f57f10ccccc822a4733
26f543f239a70aee46347324e84e02d7651a10d08fb3dda739d22d50c53fbfa8122b
aacd0f9ae5913072ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d67753
08c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692
e85b09a4
secret: 49fd9f53b0f93732555b2054edfdc0e3101000d75df714b98ce5aa295a37
f1b18dfa86a1c37286d805d3ea09a20b72f93c21e83955a1f01eb7c5eead563d21e7
key:
751e346ce8f0ddb2305c8a2a85c70d5cf559c53093656be636b9406d4d7d1b70
base_nonce: 55ff7a7d739c69f44b25447b
exporter_secret: e4ff9dfbc732a2b9c75823763c5ccc954a2c0648fc6de80a585
81252d0ee3215388a4455e69086b50b87eb28c169a52f42e71de4ca61c920e7bd24c
95cc3f992
</pre><a href="#appendix-A.6.1-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-20">
<section id="appendix-A.6.1.1">
            <h5 id="name-encryptions-21">
<a href="#appendix-A.6.1.1" class="section-number selfRef">A.6.1.1. </a><a href="#name-encryptions-21" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.6.1.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 55ff7a7d739c69f44b25447b
ct: 170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b20
0aafcc6d80ea4c795a7c5b841a

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 55ff7a7d739c69f44b25447a
ct: d9ee248e220ca24ac00bbbe7e221a832e4f7fa64c4fbab3945b6f3af0c5ecd5e
16815b328be4954a05fd352256

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 55ff7a7d739c69f44b254479
ct: 142cf1e02d1f58d9285f2af7dcfa44f7c3f2d15c73d460c48c6e0e506a3144ba
e35284e7e221105b61d24e1c7a

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 55ff7a7d739c69f44b25447f
ct: 3bb3a5a07100e5a12805327bf3b152df728b1c1be75a9fd2cb2bf5eac0cca1fb
80addb37eb2a32938c7268e3e5

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 55ff7a7d739c69f44b254484
ct: 4f268d0930f8d50b8fd9d0f26657ba25b5cb08b308c92e33382f369c768b558e
113ac95a4c70dd60909ad1adc7

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 55ff7a7d739c69f44b25457b
ct: dbbfc44ae037864e75f136e8b4b4123351d480e6619ae0e0ae437f036f2f8f1e
f677686323977a1ccbb4b4f16a
</pre><a href="#appendix-A.6.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-20">
<section id="appendix-A.6.1.2">
            <h5 id="name-exported-values-21">
<a href="#appendix-A.6.1.2" class="section-number selfRef">A.6.1.2. </a><a href="#name-exported-values-21" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.6.1.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
05e2e5bd9f0c30832b80a279ff211cc65eceb0d97001524085d609ead60d0412

exporter_context: 00
L: 32
exported_value:
fca69744bb537f5b7a1596dbf34eaa8d84bf2e3ee7f1a155d41bd3624aa92b63

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
f389beaac6fcf6c0d9376e20f97e364f0609a88f1bc76d7328e9104df8477013
</pre><a href="#appendix-A.6.1.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information-5">
<section id="appendix-A.6.2">
          <h4 id="name-psk-setup-information-6">
<a href="#appendix-A.6.2" class="section-number selfRef">A.6.2. </a><a href="#name-psk-setup-information-6" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.6.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: f3ebfa9a69a924e672114fcd9e06fa9559e937f7eccce4181a2b506df53dbe
514be12f094bb28e01de19dd345b4f7ede5ad7eaa6b9c3019592ec68eaae9a14732c
e0
pkEm: 040085eff0835cc84351f32471d32aa453cdc1f6418eaaecf1c2824210eb1d
48d0768b368110fab21407c324b8bb4bec63f042cfa4d0868d19b760eb4beba1bff7
93b30036d2c614d55730bd2a40c718f9466faf4d5f8170d22b6df98dfe0c067d02b3
49ae4a142e0c03418f0a1479ff78a3db07ae2c2e89e5840f712c174ba2118e90fdcb
skEm: 012e5cfe0daf5fe2a1cd617f4c4bae7c86f1f527b3207f115e262a98cc6526
8ec88cb8645aec73b7aa0a472d0292502d1078e762646e0c093cf873243d12c39915
f6
ikmR: a2a2458705e278e574f835effecd18232f8a4c459e7550a09d44348ae5d3b1
ea9d95c51995e657ad6f7cae659f5e186126a471c017f8f5e41da9eba74d4e0473e1
79
pkRm: 04006917e049a2be7e1482759fb067ddb94e9c4f7f5976f655088dec452466
14ff924ed3b385fc2986c0ecc39d14f907bf837d7306aada59dd5889086125ecd038
ead400603394b5d81f89ebfd556a898cc1d6a027e143d199d3db845cb91c5289fb26
c5ff80832935b0e8dd08d37c6185a6f77683347e472d1edb6daa6bd7652fea628fae
skRm: 011bafd9c7a52e3e71afbdab0d2f31b03d998a0dc875dd7555c63560e142bd
e264428de03379863b4ec6138f813fa009927dc5d15f62314c56d4e7ff2b485753eb
72
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 040085eff0835cc84351f32471d32aa453cdc1f6418eaaecf1c2824210eb1d4
8d0768b368110fab21407c324b8bb4bec63f042cfa4d0868d19b760eb4beba1bff79
3b30036d2c614d55730bd2a40c718f9466faf4d5f8170d22b6df98dfe0c067d02b34
9ae4a142e0c03418f0a1479ff78a3db07ae2c2e89e5840f712c174ba2118e90fdcb
shared_secret: 0d52de997fdaa4797720e8b1bebd3df3d03c4cf38cc8c1398168d
36c3fc7626428c9c254dd3f9274450909c64a5b3acbe45e2d850a2fd69ac0605fe5c
8a057a5
key_schedule_context: 0124497637cf18d6fbcc16e9f652f00244c981726f293b
b7819861e85e50c94f0be30e022ab081e18e6f299fd3d3d976a4bc590f85bc7711bf
ce32ee1a7fb1c154ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d67753
08c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692
e85b09a4
secret: 2cf425e26f65526afc0634a3dba4e28d980c1015130ce07c2ac7530d7a39
1a75e5a0db428b09f27ad4d975b4ad1e7f85800e03ffeea35e8cf3fe67b18d4a1345
key:
f764a5a4b17e5d1ffba6e699d65560497ebaea6eb0b0d9010a6d979e298a39ff
base_nonce: 479afdf3546ddba3a9841f38
exporter_secret: 5c3d4b65a13570502b93095ef196c42c8211a4a188c4590d358
63665c705bb140ecba6ce9256be3fad35b4378d41643867454612adfd0542a684b61
799bf293f
</pre><a href="#appendix-A.6.2-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-21">
<section id="appendix-A.6.2.1">
            <h5 id="name-encryptions-22">
<a href="#appendix-A.6.2.1" class="section-number selfRef">A.6.2.1. </a><a href="#name-encryptions-22" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.6.2.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 479afdf3546ddba3a9841f38
ct: de69e9d943a5d0b70be3359a19f317bd9aca4a2ebb4332a39bcdfc97d5fe62f3
a77702f4822c3be531aa7843a1

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 479afdf3546ddba3a9841f39
ct: 77a16162831f90de350fea9152cfc685ecfa10acb4f7994f41aed43fa5431f23
82d078ec88baec53943984553e

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 479afdf3546ddba3a9841f3a
ct: f1d48d09f126b9003b4c7d3fe6779c7c92173188a2bb7465ba43d899a6398a33
3914d2bb19fd769d53f3ec7336

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 479afdf3546ddba3a9841f3c
ct: 829b11c082b0178082cd595be6d73742a4721b9ac05f8d2ef8a7704a53022d82
bd0d8571f578c5c13b99eccff8

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 479afdf3546ddba3a9841fc7
ct: a3ee291e20f37021e82df14d41f3fbe98b27c43b318a36cacd8471a3b1051ab1
2ee055b62ded95b72a63199a3f

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 479afdf3546ddba3a9841e38
ct: eecc2173ce1ac14b27ee67041e90ed50b7809926e55861a579949c07f6d26137
bf9cf0d097f60b5fd2fbf348ec
</pre><a href="#appendix-A.6.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-21">
<section id="appendix-A.6.2.2">
            <h5 id="name-exported-values-22">
<a href="#appendix-A.6.2.2" class="section-number selfRef">A.6.2.2. </a><a href="#name-exported-values-22" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.6.2.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
62691f0f971e34de38370bff24deb5a7d40ab628093d304be60946afcdb3a936

exporter_context: 00
L: 32
exported_value:
76083c6d1b6809da088584674327b39488eaf665f0731151128452e04ce81bff

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
0c7cfc0976e25ae7680cf909ae2de1859cd9b679610a14bec40d69b91785b2f6
</pre><a href="#appendix-A.6.2.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information-5">
<section id="appendix-A.6.3">
          <h4 id="name-auth-setup-information-6">
<a href="#appendix-A.6.3" class="section-number selfRef">A.6.3. </a><a href="#name-auth-setup-information-6" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.6.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: fe1c589c2a05893895a537f38c7cb4300b5a7e8fef3d6ccb8f07a498029c61
e90262e009dc254c7f6235f9c6b2fd6aeff0a714db131b09258c16e217b7bd2aa619
b0
pkEm: 04017de12ede7f72cb101dab36a111265c97b3654816dcd6183f809d4b3d11
1fe759497f8aefdc5dbb40d3e6d21db15bdc60f15f2a420761bcaeef73b891c2b117
e9cf01e29320b799bbc86afdc5ea97d941ea1c5bd5ebeeac7a784b3bab524746f3e6
40ec26ee1bd91255f9330d974f845084637ee0e6fe9f505c5b87c86a4e1a6c3096dd
skEm: 0185f03560de87bb2c543ef03607f3c33ac09980000de25eabe3b224312946
330d2e65d192d3b4aa46ca92fc5ca50736b624402d95f6a80dc04d1f10ae95171372
61
ikmR: 8feea0438481fc0ecd470d6adfcda334a759c6b8650452c5a5dd9b2dd2cc9b
e33d2bb7ee64605fc07ab4664a58bb9a8de80defe510b6c97d2daf85b92cd4bb0a66
bf
pkRm: 04007d419b8834e7513d0e7cc66424a136ec5e11395ab353da324e3586673e
e73d53ab34f30a0b42a92d054d0db321b80f6217e655e304f72793767c4231785c4a
4a6e008f31b93b7a4f2b8cd12e5fe5a0523dc71353c66cbdad51c86b9e0bdfcd9a45
698f2dab1809ab1b0f88f54227232c858accc44d9a8d41775ac026341564a2d749f4
skRm: 013ef326940998544a899e15e1726548ff43bbdb23a8587aa3bef9d1b85733
8d87287df5667037b519d6a14661e9503cfc95a154d93566d8c84e95ce93ad05293a
0b
ikmS: 2f66a68b85ef04822b054ef521838c00c64f8b6226935593b69e13a1a2461a
4f1a74c10c836e87eed150c0db85d4e4f506cbb746149befac6f5c07dc48a615ef92
db
pkSm: 04015cc3636632ea9a3879e43240beae5d15a44fba819282fac26a19c989fa
fdd0f330b8521dff7dc393101b018c1e65b07be9f5fc9a28a1f450d6a541ee0d7622
1133001e8f0f6a05ab79f9b9bb9ccce142a453d59c5abebb5674839d935a3ca1a3fb
c328539a60b3bc3c05fed22838584a726b9c176796cad0169ba4093332cbd2dc3a9f
skSm: 001018584599625ff9953b9305849850d5e34bd789d4b81101139662fbea8b
6508ddb9d019b0d692e737f66beae3f1f783e744202aaf6fea01506c27287e359fe7
76
enc: 04017de12ede7f72cb101dab36a111265c97b3654816dcd6183f809d4b3d111
fe759497f8aefdc5dbb40d3e6d21db15bdc60f15f2a420761bcaeef73b891c2b117e
9cf01e29320b799bbc86afdc5ea97d941ea1c5bd5ebeeac7a784b3bab524746f3e64
0ec26ee1bd91255f9330d974f845084637ee0e6fe9f505c5b87c86a4e1a6c3096dd
shared_secret: 26648fa2a2deb0bfc56349a590fd4cb7108a51797b634694fc020
61e8d91b3576ac736a68bf848fe2a58dfb1956d266e68209a4d631e513badf8f4dcf
c00f30a
key_schedule_context: 0283a27c5b2358ab4dae1b2f5d8f57f10ccccc822a4733
26f543f239a70aee46347324e84e02d7651a10d08fb3dda739d22d50c53fbfa8122b
aacd0f9ae5913072ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d67753
08c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692
e85b09a4
secret: 56b7acb7355d080922d2ddc227829c2276a0b456087654b3ac4b53828bd3
4af8cf54626f85af858a15a86eba73011665cc922bc59fd07d2975f356d2674db554
key:
01fced239845e53f0ec616e71777883a1f9fcab22a50f701bdeee17ad040e44d
base_nonce: 9752b85fe8c73eda183f9e80
exporter_secret: 80466a9d9cc5112ddad297e817e038801e15fa18152bc4dc010
a35d7f534089c87c98b4bacd7bbc6276c4002a74085adcd9019fca6139826b529256
9cfb7fe47
</pre><a href="#appendix-A.6.3-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-22">
<section id="appendix-A.6.3.1">
            <h5 id="name-encryptions-23">
<a href="#appendix-A.6.3.1" class="section-number selfRef">A.6.3.1. </a><a href="#name-encryptions-23" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.6.3.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 9752b85fe8c73eda183f9e80
ct: 0116aeb3a1c405c61b1ce47600b7ecd11d89b9c08c408b7e2d1e00a4d64696d1
2e6881dc61688209a8207427f9

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 9752b85fe8c73eda183f9e81
ct: 37ece0cf6741f443e9d73b9966dc0b228499bb21fbf313948327231e70a18380
e080529c0267f399ba7c539cc6

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 9752b85fe8c73eda183f9e82
ct: d17b045cac963e45d55fd3692ec17f100df66ac06d91f3b6af8efa7ed3c88955
50eb753bc801fe4bd27005b4bd

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 9752b85fe8c73eda183f9e84
ct: 50c523ae7c64cada96abea16ddf67a73d2914ec86a4cedb31a7e6257f7553ed2
44626ef79a57198192b2323384

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 9752b85fe8c73eda183f9e7f
ct: 53d422295a6ce8fcc51e6f69e252e7195e64abf49252f347d8c25534f1865a6a
17d949c65ce618ddc7d816111f

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 9752b85fe8c73eda183f9f80
ct: 0dfcfc22ea768880b4160fec27ab10c75fb27766c6bb97aed373a9b6eae35d31
afb08257401075cbb602ac5abb
</pre><a href="#appendix-A.6.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-22">
<section id="appendix-A.6.3.2">
            <h5 id="name-exported-values-23">
<a href="#appendix-A.6.3.2" class="section-number selfRef">A.6.3.2. </a><a href="#name-exported-values-23" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.6.3.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
8d78748d632f95b8ce0c67d70f4ad1757e61e872b5941e146986804b3990154b

exporter_context: 00
L: 32
exported_value:
80a4753230900ea785b6c80775092801fe91183746479f9b04c305e1db9d1f4d

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
620b176d737cf366bcc20d96adb54ec156978220879b67923689e6dca36210ed
</pre><a href="#appendix-A.6.3.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information-5">
<section id="appendix-A.6.4">
          <h4 id="name-authpsk-setup-information-6">
<a href="#appendix-A.6.4" class="section-number selfRef">A.6.4. </a><a href="#name-authpsk-setup-information-6" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.6.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 54272797b1fbc128a6967ff1fd606e0c67868f7762ce1421439cbc9e90ce1b
28d566e6c2acbce712e48eebf236696eb680849d6873e9959395b2931975d61d38bd
6c
pkEm: 04000a5096a6e6e002c83517b494bfc2e36bfb8632fae8068362852b70d0ff
71e560b15aff96741ecffb63d8ac3090c3769679009ac59a99a1feb4713c5f090fc0
dbed01ad73c45d29d369e36744e9ed37d12f80700c16d816485655169a5dd66e4ddf
27f2acffe0f56f7f77ea2b473b4bf0518b975d9527009a3d14e5a4957e3e8a9074f8
skEm: 003430af19716084efeced1241bb1a5625b6c826f11ef31649095eb2795261
9e36f62a79ea28001ac452fb20ddfbb66e62c6c0b1be03c0d28c97794a1fb638207a
83
ikmR: 3db434a8bc25b27eb0c590dc64997ab1378a99f52b2cb5a5a5b2fa540888f6
c0f09794c654f4468524e040e6b4eca2c9dcf229f908b9d318f960cc9e9baa92c5ee
e6
pkRm: 0401655b5d3b7cfafaba30851d25edc44c6dd17d99410efbed8591303b4dbe
ea8cb1045d5255f9a60384c3bbd4a3386ae6e6fab341dc1f8db0eed5f0ab1aaac6d7
838e00dadf8a1c2c64b48f89c633721e88369e54104b31368f26e35d04a442b0b428
510fb23caada686add16492f333b0f7ba74c391d779b788df2c38d7a7f4778009d91
skRm: 0053c0bc8c1db4e9e5c3e3158bfdd7fc716aef12db13c8515adf821dd692ba
3ca53041029128ee19c8556e345c4bcb840bb7fd789f97fe10f17f0e2c6c25280728
43
ikmS: 65d523d9b37e1273eb25ad0527d3a7bd33f67208dd1666d9904c6bc04969ae
5831a8b849e7ff642581f2c3e56be84609600d3c6bbdaded3f6989c37d2892b1e978
d5
pkSm: 040013761e97007293d57de70962876b4926f69a52680b4714bee1d4236aa9
6c19b840c57e80b14e91258f0a350e3f7ba59f3f091633aede4c7ec4fa8918323aa4
5d5901076dec8eeb22899fda9ab9e1960003ff0535f53c02c40f2ae4cdc6070a3870
b85b4bdd0bb77f1f889e7ee51f465a308f08c666ad3407f75dc046b2ff5a24dbe2ed
skSm: 003f64675fc8914ec9e2b3ecf13585b26dbaf3d5d805042ba487a5070b8c5a
c1d39b17e2161771cc1b4d0a3ba6e866f4ea4808684b56af2a49b5e5111146d45d93
26
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04000a5096a6e6e002c83517b494bfc2e36bfb8632fae8068362852b70d0ff7
1e560b15aff96741ecffb63d8ac3090c3769679009ac59a99a1feb4713c5f090fc0d
bed01ad73c45d29d369e36744e9ed37d12f80700c16d816485655169a5dd66e4ddf2
7f2acffe0f56f7f77ea2b473b4bf0518b975d9527009a3d14e5a4957e3e8a9074f8
shared_secret: 9e1d5f62cb38229f57f68948a0fbc1264499910cce50ec62cb241
88c5b0a98868f3c1cfa8c5baa97b3f24db3cdd30df6e04eae83dc4347be8a981066c
3b5b945
key_schedule_context: 0324497637cf18d6fbcc16e9f652f00244c981726f293b
b7819861e85e50c94f0be30e022ab081e18e6f299fd3d3d976a4bc590f85bc7711bf
ce32ee1a7fb1c154ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d67753
08c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692
e85b09a4
secret: 50a57775958037a04098e0054576cd3bc084d0d08d29548ba4befa5676b9
1eb4dcd0752813a052c9a930d0aba6ca10b89dd690b64032dc635dece35d1bf4645c
key:
1316ed34bd52374854ed0e5cb0394ca0a79b2d8ce7f15d5104f21acdfb594286
base_nonce: d9c64ec8deb8a0647fafe8ff
exporter_secret: 6cb00ff99aebb2e4a05042ce0d048326dd2c03acd61a601b103
8a65398406a96ab8b5da3187412b2324089ea16ba4ff7e6f4fe55d281fc8ae5f2049
032b69ebd
</pre><a href="#appendix-A.6.4-1" class="pilcrow">¶</a>
</div>
<div id="encryptions-23">
<section id="appendix-A.6.4.1">
            <h5 id="name-encryptions-24">
<a href="#appendix-A.6.4.1" class="section-number selfRef">A.6.4.1. </a><a href="#name-encryptions-24" class="section-name selfRef">Encryptions</a>
            </h5>
<div id="appendix-A.6.4.1-1">
<pre class="lang-test-vectors sourcecode">
sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: d9c64ec8deb8a0647fafe8ff
ct: 942a2a92e0817cf032ce61abccf4f3a7c5d21b794ed943227e07b7df2d6dd92c
9b8a9371949e65cca262448ab7

sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: d9c64ec8deb8a0647fafe8fe
ct: c0a83b5ec3d7933a090f681717290337b4fede5bfaa0a40ec29f93acad742888
a1513c649104c391c78d1d7f29

sequence number: 2
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: d9c64ec8deb8a0647fafe8fd
ct: 2847b2e0ce0b9da8fca7b0e81ff389d1682ee1b388ed09579b145058b5af6a93
a85dd50d9f417dc88f2c785312

sequence number: 4
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: d9c64ec8deb8a0647fafe8fb
ct: fbd9948ab9ac4a9cb9e295c07273600e6a111a3a89241d3e2178f39d532a2ec5
c15b9b0c6937ac84c88e0ca76f

sequence number: 255
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: d9c64ec8deb8a0647fafe800
ct: 63113a870131b567db8f39a11b4541eafbd2d3cf3a9bf9e5c1cfcb41e52f9027
310b82a4868215959131694d15

sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: d9c64ec8deb8a0647fafe9ff
ct: 24f9d8dadd2107376ccd143f70f9bafcd2b21d8117d45ff327e9a78f603a3260
6e42a6a8bdb57a852591d20907
</pre><a href="#appendix-A.6.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="exported-values-23">
<section id="appendix-A.6.4.2">
            <h5 id="name-exported-values-24">
<a href="#appendix-A.6.4.2" class="section-number selfRef">A.6.4.2. </a><a href="#name-exported-values-24" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.6.4.2-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
a39502ef5ca116aa1317bd9583dd52f15b0502b71d900fc8a622d19623d0cb5d

exporter_context: 00
L: 32
exported_value:
749eda112c4cfdd6671d84595f12cd13198fc3ef93ed72369178f344fe6e09c3

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
f8b4e72cefbff4ca6c4eabb8c0383287082cfcbb953d900aed4959afd0017095
</pre><a href="#appendix-A.6.4.2-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="dhkemx25519-hkdf-sha256-hkdf-sha256-export-only-aead">
<section id="appendix-A.7">
        <h3 id="name-dhkemx25519-hkdf-sha256-hkdf-">
<a href="#appendix-A.7" class="section-number selfRef">A.7. </a><a href="#name-dhkemx25519-hkdf-sha256-hkdf-" class="section-name selfRef">DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD</a>
        </h3>
<div id="base-setup-information-6">
<section id="appendix-A.7.1">
          <h4 id="name-base-setup-information-7">
<a href="#appendix-A.7.1" class="section-number selfRef">A.7.1. </a><a href="#name-base-setup-information-7" class="section-name selfRef">Base Setup Information</a>
          </h4>
<div id="appendix-A.7.1-1">
<pre class="lang-test-vectors sourcecode">
mode: 0
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
55bc245ee4efda25d38f2d54d5bb6665291b99f8108a8c4b686c2b14893ea5d9
pkEm:
e5e8f9bfff6c2f29791fc351d2c25ce1299aa5eaca78a757c0b4fb4bcd830918
skEm:
095182b502f1f91f63ba584c7c3ec473d617b8b4c2cec3fad5af7fa6748165ed
ikmR:
683ae0da1d22181e74ed2e503ebf82840deb1d5e872cade20f4b458d99783e31
pkRm:
194141ca6c3c3beb4792cd97ba0ea1faff09d98435012345766ee33aae2d7664
skRm:
33d196c830a12f9ac65d6e565a590d80f04ee9b19c83c87f2c170d972a812848
enc:
e5e8f9bfff6c2f29791fc351d2c25ce1299aa5eaca78a757c0b4fb4bcd830918
shared_secret:
e81716ce8f73141d4f25ee9098efc968c91e5b8ce52ffff59d64039e82918b66
key_schedule_context: 009bd09219212a8cf27c6bb5d54998c5240793a70ca0a8
92234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
04d64e0620aa047e9ab833b0ebcd4ff026cefbe44338fd7d1a93548102ee01af
key:
base_nonce:
exporter_secret:
79dc8e0509cf4a3364ca027e5a0138235281611ca910e435e8ed58167c72f79b
</pre><a href="#appendix-A.7.1-1" class="pilcrow">¶</a>
</div>
<div id="exported-values-24">
<section id="appendix-A.7.1.1">
            <h5 id="name-exported-values-25">
<a href="#appendix-A.7.1.1" class="section-number selfRef">A.7.1.1. </a><a href="#name-exported-values-25" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.7.1.1-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
7a36221bd56d50fb51ee65edfd98d06a23c4dc87085aa5866cb7087244bd2a36

exporter_context: 00
L: 32
exported_value:
d5535b87099c6c3ce80dc112a2671c6ec8e811a2f284f948cec6dd1708ee33f0

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
ffaabc85a776136ca0c378e5d084c9140ab552b78f039d2e8775f26efff4c70e
</pre><a href="#appendix-A.7.1.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="psk-setup-information-6">
<section id="appendix-A.7.2">
          <h4 id="name-psk-setup-information-7">
<a href="#appendix-A.7.2" class="section-number selfRef">A.7.2. </a><a href="#name-psk-setup-information-7" class="section-name selfRef">PSK Setup Information</a>
          </h4>
<div id="appendix-A.7.2-1">
<pre class="lang-test-vectors sourcecode">
mode: 1
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
c51211a8799f6b8a0021fcba673d9c4067a98ebc6794232e5b06cb9febcbbdf5
pkEm:
d3805a97cbcd5f08babd21221d3e6b362a700572d14f9bbeb94ec078d051ae3d
skEm:
1d72396121a6a826549776ef1a9d2f3a2907fc6a38902fa4e401afdb0392e627
ikmR:
5e0516b1b29c0e13386529da16525210c796f7d647c37eac118023a6aa9eb89a
pkRm:
d53af36ea5f58f8868bb4a1333ed4cc47e7a63b0040eb54c77b9c8ec456da824
skRm:
98f304d4ecb312689690b113973c61ffe0aa7c13f2fbe365e48f3ed09e5a6a0c
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
d3805a97cbcd5f08babd21221d3e6b362a700572d14f9bbeb94ec078d051ae3d
shared_secret:
024573db58c887decb4c57b6ed39f2c9a09c85600a8a0ecb11cac24c6aaec195
key_schedule_context: 01446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72
f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
638b94532e0d0bf812cf294f36b97a5bdcb0299df36e22b7bb6858e3c113080b
key:
base_nonce:
exporter_secret:
04261818aeae99d6aba5101bd35ddf3271d909a756adcef0d41389d9ed9ab153
</pre><a href="#appendix-A.7.2-1" class="pilcrow">¶</a>
</div>
<div id="exported-values-25">
<section id="appendix-A.7.2.1">
            <h5 id="name-exported-values-26">
<a href="#appendix-A.7.2.1" class="section-number selfRef">A.7.2.1. </a><a href="#name-exported-values-26" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.7.2.1-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
be6c76955334376aa23e936be013ba8bbae90ae74ed995c1c6157e6f08dd5316

exporter_context: 00
L: 32
exported_value:
1721ed2aa852f84d44ad020c2e2be4e2e6375098bf48775a533505fd56a3f416

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
7c9d79876a288507b81a5a52365a7d39cc0fa3f07e34172984f96fec07c44cba
</pre><a href="#appendix-A.7.2.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="auth-setup-information-6">
<section id="appendix-A.7.3">
          <h4 id="name-auth-setup-information-7">
<a href="#appendix-A.7.3" class="section-number selfRef">A.7.3. </a><a href="#name-auth-setup-information-7" class="section-name selfRef">Auth Setup Information</a>
          </h4>
<div id="appendix-A.7.3-1">
<pre class="lang-test-vectors sourcecode">
mode: 2
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
43b078912a54b591a7b09b16ce89a1955a9dd60b29fb611e044260046e8b061b
pkEm:
5ac1671a55c5c3875a8afe74664aa8bc68830be9ded0c5f633cd96400e8b5c05
skEm:
83d3f217071bbf600ba6f081f6e4005d27b97c8001f55cb5ff6ea3bbea1d9295
ikmR:
fc9407ae72ed614901ebf44257fb540f617284b5361cfecd620bafc4aba36f73
pkRm:
ffd7ac24694cb17939d95feb7c4c6539bb31621deb9b96d715a64abdd9d14b10
skRm:
ed88cda0e91ca5da64b6ad7fc34a10f096fa92f0b9ceff9d2c55124304ed8b4a
ikmS:
2ff4c37a17b2e54046a076bf5fea9c3d59250d54d0dc8572bc5f7c046307040c
pkSm:
89eb1feae431159a5250c5186f72a15962c8d0debd20a8389d8b6e4996e14306
skSm:
c85f136e06d72d28314f0e34b10aadc8d297e9d71d45a5662c2b7c3b9f9f9405
enc:
5ac1671a55c5c3875a8afe74664aa8bc68830be9ded0c5f633cd96400e8b5c05
shared_secret:
e204156fd17fd65b132d53a0558cd67b7c0d7095ee494b00f47d686eb78f8fb3
key_schedule_context: 029bd09219212a8cf27c6bb5d54998c5240793a70ca0a8
92234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
355e7ef17f438db43152b7fb45a0e2f49a8bf8956d5dddfec1758c0f0eb1b5d5
key:
base_nonce:
exporter_secret:
276d87e5cb0655c7d3dad95e76e6fc02746739eb9d968955ccf8a6346c97509e
</pre><a href="#appendix-A.7.3-1" class="pilcrow">¶</a>
</div>
<div id="exported-values-26">
<section id="appendix-A.7.3.1">
            <h5 id="name-exported-values-27">
<a href="#appendix-A.7.3.1" class="section-number selfRef">A.7.3.1. </a><a href="#name-exported-values-27" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.7.3.1-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
83c1bac00a45ed4cb6bd8a6007d2ce4ec501f55e485c5642bd01bf6b6d7d6f0a

exporter_context: 00
L: 32
exported_value:
08a1d1ad2af3ef5bc40232a64f920650eb9b1034fac3892f729f7949621bf06e

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
ff3b0e37a9954247fea53f251b799e2edd35aac7152c5795751a3da424feca73
</pre><a href="#appendix-A.7.3.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="authpsk-setup-information-6">
<section id="appendix-A.7.4">
          <h4 id="name-authpsk-setup-information-7">
<a href="#appendix-A.7.4" class="section-number selfRef">A.7.4. </a><a href="#name-authpsk-setup-information-7" class="section-name selfRef">AuthPSK Setup Information</a>
          </h4>
<div id="appendix-A.7.4-1">
<pre class="lang-test-vectors sourcecode">
mode: 3
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
94efae91e96811a3a49fd1b20eb0344d68ead6ac01922c2360779aa172487f40
pkEm:
81cbf4bd7eee97dd0b600252a1c964ea186846252abb340be47087cc78f3d87c
skEm:
a2b43f5c67d0d560ee04de0122c765ea5165e328410844db97f74595761bbb81
ikmR:
4dfde6fadfe5cb50fced4034e84e6d3a104aa4bf2971360032c1c0580e286663
pkRm:
f47cd9d6993d2e2234eb122b425accfb486ee80f89607b087094e9f413253c2d
skRm:
c4962a7f97d773a47bdf40db4b01dc6a56797c9e0deaab45f4ea3aa9b1d72904
ikmS:
26c12fef8d71d13bbbf08ce8157a283d5e67ecf0f345366b0e90341911110f1b
pkSm:
29a5bf3867a6128bbdf8e070abe7fe70ca5e07b629eba5819af73810ee20112f
skSm:
6175b2830c5743dff5b7568a7e20edb1fe477fb0487ca21d6433365be90234d0
psk:
0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc:
81cbf4bd7eee97dd0b600252a1c964ea186846252abb340be47087cc78f3d87c
shared_secret:
d69246bcd767e579b1eec80956d7e7dfbd2902dad920556f0de69bd54054a2d1
key_schedule_context: 03446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72
f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
c15c5bec374f2087c241d3533c6ec48e1c60a21dd00085619b2ffdd84a7918c3
key:
base_nonce:
exporter_secret:
695b1faa479c0e0518b6414c3b46e8ef5caea04c0a192246843765ae6a8a78e0
</pre><a href="#appendix-A.7.4-1" class="pilcrow">¶</a>
</div>
<div id="exported-values-27">
<section id="appendix-A.7.4.1">
            <h5 id="name-exported-values-28">
<a href="#appendix-A.7.4.1" class="section-number selfRef">A.7.4.1. </a><a href="#name-exported-values-28" class="section-name selfRef">Exported Values</a>
            </h5>
<div id="appendix-A.7.4.1-1">
<pre class="lang-test-vectors sourcecode">
exporter_context:
L: 32
exported_value:
dafd8beb94c5802535c22ff4c1af8946c98df2c417e187c6ccafe45335810b58

exporter_context: 00
L: 32
exported_value:
7346bb0b56caf457bcc1aa63c1b97d9834644bdacac8f72dbbe3463e4e46b0dd

exporter_context: 54657374436f6e74657874
L: 32
exported_value:
84f3466bd5a03bde6444324e63d7560e7ac790da4e5bbab01e7c4d575728c34a
</pre><a href="#appendix-A.7.4.1-1" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="acknowledgements">
<section id="appendix-B">
      <h2 id="name-acknowledgements">
<a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
      </h2>
<p id="appendix-B-1">The authors would like to thank
<span class="contact-name">Joel Alwen</span>,
<span class="contact-name">Jean-Philippe Aumasson</span>,
<span class="contact-name">David Benjamin</span>,
<span class="contact-name">Benjamin Beurdouche</span>,
<span class="contact-name">Bruno Blanchet</span>,
<span class="contact-name">Frank Denis</span>,
<span class="contact-name">Stephen Farrell</span>,
<span class="contact-name">Scott Fluhrer</span>,
<span class="contact-name">Eduard Hauck</span>,
<span class="contact-name">Scott Hollenbeck</span>,
<span class="contact-name">Kevin Jacobs</span>,
<span class="contact-name">Burt Kaliski</span>,
<span class="contact-name">Eike Kiltz</span>,
<span class="contact-name">Julia Len</span>,
<span class="contact-name">John Mattsson</span>,
<span class="contact-name">Christopher Patton</span>,
<span class="contact-name">Doreen Riepel</span>,
<span class="contact-name">Raphael Robert</span>,
<span class="contact-name">Michael Rosenberg</span>,
<span class="contact-name">Michael Scott</span>,
<span class="contact-name">Martin Thomson</span>,
<span class="contact-name">Steven Valdez</span>,
<span class="contact-name">Riad Wahby</span>,
and other contributors in the CFRG for helpful feedback that greatly improved this document.<a href="#appendix-B-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="appendix-C">
      <h2 id="name-authors-addresses">
<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Richard L. Barnes</span></div>
<div dir="auto" class="left"><span class="org">Cisco</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:rlb@ipv.sx" class="email">rlb@ipv.sx</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Karthik Bhargavan</span></div>
<div dir="auto" class="left"><span class="org">Inria</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:karthikeyan.bhargavan@inria.fr" class="email">karthikeyan.bhargavan@inria.fr</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Benjamin Lipp</span></div>
<div dir="auto" class="left"><span class="org">Inria</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:ietf@benjaminlipp.de" class="email">ietf@benjaminlipp.de</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Christopher A. Wood</span></div>
<div dir="auto" class="left"><span class="org">Cloudflare</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:caw@heapingbits.net" class="email">caw@heapingbits.net</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>