rfcdiff: rfc9180_Richard.txt (draft-irtf-cfrg-hpke-latest, 12 January 2022) vs. rfc9180.txt (RFC 9180, January 2022)

Internet Research Task Force (IRTF)                            R. Barnes
Request for Comments: 9180                                         Cisco
Category: Informational                                     K. Bhargavan
ISSN: 2070-1721                                                  B. Lipp
                                                                   Inria
                                                                 C. Wood
                                                              Cloudflare
                                                            January 2022

                      Hybrid Public Key Encryption
Abstract

   This document describes a scheme for hybrid public key encryption
   (HPKE).  This scheme provides a variant of public key encryption of
   arbitrary-sized plaintexts for a recipient public key.  It also
   includes three authenticated variants, including one that
   authenticates possession of a pre-shared key and two optional ones
   that authenticate possession of a key encapsulation mechanism (KEM)
   private key.  HPKE works for any combination of an asymmetric KEM,
   key derivation function (KDF), and authenticated encryption with
   additional data (AEAD) encryption function.  Some authenticated
   variants may not be supported by all KEMs.  We provide instantiations
   of the scheme using widely used and efficient primitives, such as
   Elliptic Curve Diffie-Hellman (ECDH) key agreement, the HMAC-based
   key derivation function (HKDF), and SHA2.

   This document is a product of the Crypto Forum Research Group (CFRG)
   in the IRTF.
Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not candidates for any level
   of Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9180.
Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.
Table of Contents

   1.  Introduction
   2.  Requirements Notation
   3.  Notation
   4.  Cryptographic Dependencies
     4.1.  DH-Based KEM (DHKEM)
   5.  Hybrid Public Key Encryption
     5.1.  Creating the Encryption Context
       5.1.1.  Encryption to a Public Key
       5.1.2.  Authentication Using a Pre-Shared Key
       5.1.3.  Authentication Using an Asymmetric Key
       5.1.4.  Authentication Using Both a PSK and an Asymmetric Key
     5.2.  Encryption and Decryption
     5.3.  Secret Export
   6.  Single-Shot APIs
     6.1.  Encryption and Decryption
     6.2.  Secret Export
   7.  Algorithm Identifiers
     7.1.  Key Encapsulation Mechanisms (KEMs)
       7.1.1.  SerializePublicKey and DeserializePublicKey
       7.1.2.  SerializePrivateKey and DeserializePrivateKey
       7.1.3.  DeriveKeyPair
       7.1.4.  Validation of Inputs and Outputs
       7.1.5.  Future KEMs
     7.2.  Key Derivation Functions (KDFs)
       7.2.1.  Input Length Restrictions
     7.3.  Authenticated Encryption with Associated Data (AEAD)
           Functions
   8.  API Considerations
     8.1.  Auxiliary Authenticated Application Information
     8.2.  Errors
   9.  Security Considerations
     9.1.  Security Properties
       9.1.1.  Key-Compromise Impersonation
       9.1.2.  Computational Analysis
       9.1.3.  Post-Quantum Security
     9.2.  Security Requirements on a KEM Used within HPKE
       9.2.1.  Encap/Decap Interface
       9.2.2.  AuthEncap/AuthDecap Interface
       9.2.3.  KEM Key Reuse
     9.3.  Security Requirements on a KDF
     9.4.  Security Requirements on an AEAD
     9.5.  Pre-Shared Key Recommendations
     9.6.  Domain Separation
     9.7.  Application Embedding and Non-Goals
       9.7.1.  Message Order and Message Loss
       9.7.2.  Downgrade Prevention
       9.7.3.  Replay Protection
       9.7.4.  Forward Secrecy
       9.7.5.  Bad Ephemeral Randomness
       9.7.6.  Hiding Plaintext Length
     9.8.  Bidirectional Encryption
     9.9.  Metadata Protection
   10. Message Encoding
   11. IANA Considerations
     11.1.  KEM Identifiers
     11.2.  KDF Identifiers
     11.3.  AEAD Identifiers
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM
       A.1.1.  Base Setup Information
       A.1.2.  PSK Setup Information
       A.1.3.  Auth Setup Information
       A.1.4.  AuthPSK Setup Information
     A.2.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
       A.2.1.  Base Setup Information
       A.2.2.  PSK Setup Information
       A.2.3.  Auth Setup Information
       A.2.4.  AuthPSK Setup Information
     A.3.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM
       A.3.1.  Base Setup Information
       A.3.2.  PSK Setup Information
       A.3.3.  Auth Setup Information
       A.3.4.  AuthPSK Setup Information
     A.4.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM
       A.4.1.  Base Setup Information
       A.4.2.  PSK Setup Information
       A.4.3.  Auth Setup Information
       A.4.4.  AuthPSK Setup Information
     A.5.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
       A.5.1.  Base Setup Information
       A.5.2.  PSK Setup Information
       A.5.3.  Auth Setup Information
       A.5.4.  AuthPSK Setup Information
     A.6.  DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM
       A.6.1.  Base Setup Information
       A.6.2.  PSK Setup Information
       A.6.3.  Auth Setup Information
       A.6.4.  AuthPSK Setup Information
     A.7.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD
       A.7.1.  Base Setup Information
       A.7.2.  PSK Setup Information
       A.7.3.  Auth Setup Information
       A.7.4.  AuthPSK Setup Information
   Acknowledgements
   Authors' Addresses
1.  Introduction

   Encryption schemes that combine asymmetric and symmetric algorithms
   have been specified and practiced since the early days of public key
   cryptography, e.g., [RFC1421].  Combining the two yields the key
   management advantages of asymmetric cryptography and the performance
   benefits of symmetric cryptography.  The widely used combination has
   been "encrypt the symmetric key with the public key."  "Hybrid"
   public key encryption (HPKE) schemes, specified here, take a
   different approach: "generate the symmetric key and its encapsulation
   with the public key."  Specifically, encrypted messages convey an
   encryption key encapsulated with a public key scheme, along with one
   or more arbitrary-sized ciphertexts encrypted using that key.  This
   type of public key encryption has many applications in practice,
   including Messaging Layer Security [MLS-PROTOCOL] and TLS-encrypted
   ClientHello messages [TLS-ESNI].

   Currently, there are numerous competing and non-interoperable
   standards and variants for hybrid encryption, mostly variants on the
   Elliptic Curve Integrated Encryption Scheme (ECIES), including ANSI
   X9.63 (ECIES) [ANSI], IEEE 1363a [IEEE1363], ISO/IEC 18033-2 [ISO],
   and Standards for Efficient Cryptography Group (SECG) SEC 1 [SECG].
   See [MAEA10] for a thorough comparison.  All these existing schemes
   have problems, e.g., because they rely on outdated primitives, lack
   proofs of indistinguishable (adaptive) chosen-ciphertext attack (IND-
   CCA2) security, or fail to provide test vectors.

   This document defines an HPKE scheme that provides a subset of the
   functions provided by the collection of schemes above but specified
   with sufficient clarity that they can be interoperably implemented.
   The HPKE construction defined herein is secure against (adaptive)
   chosen ciphertext attacks (IND-CCA2-secure) under classical
   assumptions about the underlying primitives [HPKEAnalysis]
   [ABHKLR20].  A summary of these analyses is in Section 9.1.

   This document represents the consensus of the Crypto Forum Research

   [...]

   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
3.  Notation

   The following terms are used throughout this document to describe the
   operations, roles, and behaviors of HPKE:

   (skX, pkX):  A key encapsulation mechanism (KEM) key pair used in
      role X, where X is one of S, R, or E as sender, recipient, and
      ephemeral, respectively; skX is the private key and pkX is the
      public key.

   pk(skX):  The KEM public key corresponding to the KEM private key
      skX.

   Sender (S):  Role of entity that sends an encrypted message.

   Recipient (R):  Role of entity that receives an encrypted message.

   Ephemeral (E):  Role of a fresh random value meant for one-time use.

   I2OSP(n, w):  Convert nonnegative integer n to a w-length, big-endian
      byte string, as described in [RFC8017].

   OS2IP(x):  Convert byte string x to a nonnegative integer, as
      described in [RFC8017], assuming big-endian byte order.

   concat(x0, ..., xN):  Concatenation of byte strings; concat(0x01,
      0x0203, 0x040506) = 0x010203040506.

   random(n):  A pseudorandom byte string of length n bytes.

   xor(a,b):  XOR of byte strings; xor(0xF0F0, 0x1234) = 0xE2C4.  It is
      an error to call this function with two arguments of unequal
      length.
4.  Cryptographic Dependencies

   HPKE variants rely on the following primitives:

   *  A key encapsulation mechanism (KEM):

      -  GenerateKeyPair(): Randomized algorithm to generate a key pair
         (skX, pkX).

   [...]
   Beyond the above, a KEM MAY also expose the following functions,
   whose behavior is detailed in Section 7.1.2:

   *  SerializePrivateKey(skX): Produce a byte string of length Nsk
      encoding the private key skX.

   *  DeserializePrivateKey(skXm): Parse a byte string of length Nsk to
      recover a private key.  This function can raise a DeserializeError
      error upon skXm deserialization failure.

   A _ciphersuite_ is a triple (KEM, KDF, AEAD), containing a choice of
   algorithm for each primitive.

   A set of algorithm identifiers for concrete instantiations of these
   primitives is provided in Section 7.  Algorithm identifier values are
   two bytes long.

   Note that GenerateKeyPair can be implemented as
   DeriveKeyPair(random(Nsk)).

   The notation pk(skX), depending on its use and the KEM and its
   implementation, is either the computation of the public key using the
   private key, or just syntax expressing the retrieval of the public
   key, assuming it is stored along with the private key object.

   The following two functions are defined to facilitate domain
   separation of KDF calls, as well as context binding:

   def LabeledExtract(salt, label, ikm):
     labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
     return Extract(salt, labeled_ikm)

   def LabeledExpand(prk, label, info, L):
     labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
                           label, info)
     return Expand(prk, labeled_info, L)

   The value of suite_id depends on where the KDF is used; it is assumed
   implicit from the implementation and not passed as a parameter.  If
   used inside a KEM algorithm, suite_id MUST start with "KEM" and
   identify this KEM algorithm; if used in the remainder of HPKE, it
   MUST start with "HPKE" and identify the entire ciphersuite in use.
   See Sections 4.1 and 5.1 for details.
4.1.  DH-Based KEM (DHKEM)

   Suppose we are given a KDF, and a Diffie-Hellman (DH) group providing
   the following operations:

   DH(skX, pkY):  Perform a noninteractive Diffie-Hellman exchange using
      the private key skX and public key pkY to produce a Diffie-Hellman
      shared secret of length Ndh.  This function can raise a
      ValidationError, as described in Section 7.1.4.

   Ndh:  The length in bytes of a Diffie-Hellman shared secret produced
      by DH().

   Nsk:  The length in bytes of a Diffie-Hellman private key.

   Then, we can construct a KEM that implements the interface defined in
   Section 4 called DHKEM(Group, KDF) in the following way, where Group
   denotes the Diffie-Hellman group and KDF denotes the KDF.  The
   function parameters pkR and pkS are deserialized public keys, and enc
   is a serialized public key.  Since encapsulated keys are Diffie-
   Hellman public keys in this KEM algorithm, we use
   SerializePublicKey() and DeserializePublicKey() to encode and decode
   them, respectively.  Npk equals Nenc.  GenerateKeyPair() produces a
   key pair for the Diffie-Hellman group in use.  Section 7.1.3 contains
   the DeriveKeyPair() function specification for DHKEMs defined in this
   document.

   [...]
   sender and the recipient by some application making use of HPKE.
   Moreover, a recipient with more than one public key needs some way of
   determining which of its public keys was used for the encapsulation
   operation.  As an example, applications may send this information
   alongside a ciphertext from the sender to the recipient.
   Specification of such a mechanism is left to the application.  See
   Section 10 for more details.

   Note that some KEMs may not support AuthEncap() or AuthDecap().  For
   such KEMs, only mode_base or mode_psk are supported.  Future
   specifications that define new KEMs MUST indicate whether these modes
   are supported.  See Section 7.1.5 for more details.

   The procedures described in this section are laid out in a Python-
   like pseudocode.  The algorithms in use are left implicit.
5.1.  Creating the Encryption Context

   The variants of HPKE defined in this document share a common key
   schedule that translates the protocol inputs into an encryption
   context.  The key schedule inputs are as follows:

   mode:  A one-byte value indicating the HPKE mode, defined in Table 1.

   shared_secret:  A KEM shared secret generated for this transaction.

   info:  Application-supplied information (optional; default value "").

   psk:  A pre-shared key (PSK) held by both the sender and the
      recipient (optional; default value "").

   psk_id:  An identifier for the PSK (optional; default value "").

   Senders and recipients MUST validate KEM inputs and outputs, as
   described in Section 7.1.

   The psk and psk_id fields MUST appear together or not at all.  That
   is, if a non-default value is provided for one of them, then the
   other MUST be set to a non-default value.  This requirement is
   encoded in VerifyPSKInputs() below.

   The psk, psk_id, and info fields have maximum lengths that depend on
   the KDF itself, on the definition of LabeledExtract(), and on the
   constant labels used together with them.  See Section 7.2.1 for
   precise limits on these lengths.

   The key, base_nonce, and exporter_secret computed by the key schedule
   have the property that they are only known to the holder of the
   recipient private key, and the entity that used the KEM to generate
   shared_secret and enc.

   In the Auth and AuthPSK modes, the recipient is assured that the
   sender held the private key skS.  This assurance is limited for the
   DHKEM variants defined in this document because of key-compromise
   impersonation, as described in Sections 4.1 and 9.1.  If in the PSK
   and AuthPSK modes, the psk and psk_id arguments are provided as
   required; then, the recipient is assured that the sender held the
   corresponding pre-shared key.  See Section 9.1 for more details.

   The HPKE algorithm identifiers, i.e., the KEM kem_id, KDF kdf_id, and
   AEAD aead_id 2-byte code points, as defined in Tables 2, 3, and 5,
   respectively, are assumed implicit from the implementation and not
   passed as parameters.  The implicit suite_id value used within
   LabeledExtract and LabeledExpand is defined based on them as follows:

   suite_id = concat(
     "HPKE",
     I2OSP(kem_id, 2),
     I2OSP(kdf_id, 2),
     I2OSP(aead_id, 2)
   )

   default_psk = ""
   default_psk_id = ""

   def VerifyPSKInputs(mode, psk, psk_id):
     got_psk = (psk != default_psk)
     got_psk_id = (psk_id != default_psk_id)
     if got_psk != got_psk_id:
       raise Exception("Inconsistent PSK inputs")
if got_psk and (mode in [mode_base, mode_auth]): if got_psk and (mode in [mode_base, mode_auth]):
skipping to change at page 15, line 46 skipping to change at line 687
string psk_id that is used to identify which PSK should be used. string psk_id that is used to identify which PSK should be used.
The primary difference from the base case is that the psk and psk_id The primary difference from the base case is that the psk and psk_id
values are used as ikm inputs to the KDF (instead of using the empty values are used as ikm inputs to the KDF (instead of using the empty
string). string).
The PSK MUST have at least 32 bytes of entropy and SHOULD be of The PSK MUST have at least 32 bytes of entropy and SHOULD be of
length Nh bytes or longer. See Section 9.5 for a more detailed length Nh bytes or longer. See Section 9.5 for a more detailed
discussion. discussion.
def SetupPSKS(pkR, info, psk, psk_id): def SetupPSKS(pkR, info, psk, psk_id):
shared_secret, enc = Encap(pkR) shared_secret, enc = Encap(pkR)
return enc, KeyScheduleS(mode_psk, shared_secret, info, psk, psk_id) return enc, KeyScheduleS(mode_psk, shared_secret, info,
psk, psk_id)
def SetupPSKR(enc, skR, info, psk, psk_id): def SetupPSKR(enc, skR, info, psk, psk_id):
shared_secret = Decap(enc, skR) shared_secret = Decap(enc, skR)
return KeyScheduleR(mode_psk, shared_secret, info, psk, psk_id) return KeyScheduleR(mode_psk, shared_secret, info, psk, psk_id)
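The key schedule that SetupPSKS()/SetupPSKR() (and the other Setup variants) feed, written out as an added Python example; this is not code from RFC 9180 itself. It uses only hashlib/hmac for HKDF-SHA256, builds suite_id for the Appendix A.1 suite (DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM), enforces VerifyPSKInputs(), derives key, base_nonce and exporter_secret, and shows the per-message nonce XOR, the sequence-number overflow check and the secret export of Sections 5.2 and 5.3. The shared_secret and info are the RFC 9180 Appendix A.1.1 base-mode test-vector inputs; the KEM step that produces shared_secret is outside this block, and the AEAD calls are left out because the standard library has no AES-GCM.

```python
import hashlib
import hmac

# Identifiers for the Appendix A.1 suite: DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM.
KEM_ID, KDF_ID, AEAD_ID = 0x0020, 0x0001, 0x0001
NH, NK, NN = 32, 16, 12  # Nh of HKDF-SHA256; Nk and Nn of AES-128-GCM
MODE_BASE, MODE_PSK, MODE_AUTH, MODE_AUTH_PSK = 0x00, 0x01, 0x02, 0x03

# suite_id = "HPKE" || I2OSP(kem_id, 2) || I2OSP(kdf_id, 2) || I2OSP(aead_id, 2)
SUITE_ID = b"HPKE" + KEM_ID.to_bytes(2, "big") + KDF_ID.to_bytes(2, "big") + AEAD_ID.to_bytes(2, "big")


class MessageLimitReachedError(Exception):
    pass


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract with SHA-256; an empty salt means Nh zero bytes.
    return hmac.new(salt or b"\x00" * NH, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand with SHA-256.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(prk, length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info, length)


def verify_psk_inputs(mode: int, psk: bytes, psk_id: bytes) -> None:
    # psk and psk_id appear together or not at all, and only in the PSK modes.
    got_psk, got_psk_id = psk != b"", psk_id != b""
    if got_psk != got_psk_id:
        raise ValueError("Inconsistent PSK inputs")
    if got_psk and mode in (MODE_BASE, MODE_AUTH):
        raise ValueError("PSK input provided when not needed")
    if not got_psk and mode in (MODE_PSK, MODE_AUTH_PSK):
        raise ValueError("Missing required PSK input")


class Context:
    """Key-schedule output shared by the sender and recipient roles (Section 5.2)."""

    def __init__(self, key: bytes, base_nonce: bytes, exporter_secret: bytes):
        self.key, self.base_nonce, self.exporter_secret = key, base_nonce, exporter_secret
        self.seq = 0

    def compute_nonce(self) -> bytes:
        # Nonce = base_nonce XOR big-endian seq of the same length as base_nonce.
        seq_bytes = self.seq.to_bytes(NN, "big")
        return bytes(a ^ b for a, b in zip(self.base_nonce, seq_bytes))

    def increment_seq(self) -> None:
        if self.seq >= (1 << (8 * NN)) - 1:
            raise MessageLimitReachedError
        self.seq += 1

    def export(self, exporter_context: bytes, length: int) -> bytes:
        # Section 5.3: Export(exporter_context, L) = LabeledExpand(exporter_secret, "sec", exporter_context, L)
        return labeled_expand(self.exporter_secret, b"sec", exporter_context, length)


def key_schedule(mode: int, shared_secret: bytes, info: bytes, psk: bytes = b"", psk_id: bytes = b"") -> Context:
    verify_psk_inputs(mode, psk, psk_id)
    psk_id_hash = labeled_extract(b"", b"psk_id_hash", psk_id)
    info_hash = labeled_extract(b"", b"info_hash", info)
    key_schedule_context = bytes([mode]) + psk_id_hash + info_hash
    secret = labeled_extract(shared_secret, b"secret", psk)
    key = labeled_expand(secret, b"key", key_schedule_context, NK)
    base_nonce = labeled_expand(secret, b"base_nonce", key_schedule_context, NN)
    exporter_secret = labeled_expand(secret, b"exp", key_schedule_context, NH)
    return Context(key, base_nonce, exporter_secret)


def rfc_a1_base_context() -> Context:
    # Inputs from RFC 9180 Appendix A.1.1 (base mode); shared_secret comes from the KEM step.
    shared_secret = bytes.fromhex("fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc")
    info = bytes.fromhex("4f6465206f6e2061204772656369616e2055726e")  # "Ode on a Grecian Urn"
    return key_schedule(MODE_BASE, shared_secret, info)


def psk_inputs_accepted(mode: int, psk: bytes, psk_id: bytes) -> bool:
    try:
        verify_psk_inputs(mode, psk, psk_id)
        return True
    except ValueError:
        return False


def seq_overflow_is_rejected(ctx: Context) -> bool:
    ctx.seq = (1 << (8 * NN)) - 1  # the last usable sequence number
    try:
        ctx.increment_seq()
        return False
    except MessageLimitReachedError:
        return True


if __name__ == "__main__":
    ctx = rfc_a1_base_context()
    print("key            ", ctx.key.hex())
    print("base_nonce     ", ctx.base_nonce.hex())
    print("nonce for seq 0", ctx.compute_nonce().hex())
    ctx.increment_seq()
    print("nonce for seq 1", ctx.compute_nonce().hex())
    print("export(\"\", 32) ", ctx.export(b"", 32).hex())
```

Because LabeledExtract() and LabeledExpand() bind suite_id and the mode byte into every derivation, the same shared_secret and info yield different keys under a different ciphersuite or mode, which is the malleability protection Section 9.1 refers to.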
5.1.3. Authentication Using an Asymmetric Key 5.1.3. Authentication Using an Asymmetric Key
This variant extends the base mechanism by allowing the recipient to This variant extends the base mechanism by allowing the recipient to
authenticate that the sender possessed a given KEM private key. This authenticate that the sender possessed a given KEM private key. This
is because AuthDecap(enc, skR, pkS) produces the correct KEM shared is because AuthDecap(enc, skR, pkS) produces the correct KEM shared
secret only if the encapsulated value enc was produced by secret only if the encapsulated value enc was produced by
AuthEncap(pkR, skS), where skS is the private key corresponding to AuthEncap(pkR, skS), where skS is the private key corresponding to
pkS. In other words, at most two entities (precisely two, in the pkS. In other words, at most two entities (precisely two, in the
case of DHKEM) could have produced this secret, so if the recipient case of DHKEM) could have produced this secret, so if the recipient
skipping to change at page 16, line 47 skipping to change at line 738
def SetupAuthR(enc, skR, info, pkS): def SetupAuthR(enc, skR, info, pkS):
shared_secret = AuthDecap(enc, skR, pkS) shared_secret = AuthDecap(enc, skR, pkS)
return KeyScheduleR(mode_auth, shared_secret, info, return KeyScheduleR(mode_auth, shared_secret, info,
default_psk, default_psk_id) default_psk, default_psk_id)
5.1.4. Authentication Using Both a PSK and an Asymmetric Key 5.1.4. Authentication Using Both a PSK and an Asymmetric Key
This mode is a straightforward combination of the PSK and This mode is a straightforward combination of the PSK and
authenticated modes. Like the PSK mode, a PSK is provided as input authenticated modes. Like the PSK mode, a PSK is provided as input
to the key schedule, and like the authenticated mode, authenticated to the key schedule, and like authenticated mode, authenticated KEM
KEM variants are used. variants are used.
def SetupAuthPSKS(pkR, info, psk, psk_id, skS): def SetupAuthPSKS(pkR, info, psk, psk_id, skS):
shared_secret, enc = AuthEncap(pkR, skS) shared_secret, enc = AuthEncap(pkR, skS)
return enc, KeyScheduleS(mode_auth_psk, shared_secret, info, return enc, KeyScheduleS(mode_auth_psk, shared_secret, info,
psk, psk_id) psk, psk_id)
def SetupAuthPSKR(enc, skR, info, psk, psk_id, pkS): def SetupAuthPSKR(enc, skR, info, psk, psk_id, pkS):
shared_secret = AuthDecap(enc, skR, pkS) shared_secret = AuthDecap(enc, skR, pkS)
return KeyScheduleR(mode_auth_psk, shared_secret, info, return KeyScheduleR(mode_auth_psk, shared_secret, info,
psk, psk_id) psk, psk_id)
skipping to change at page 17, line 42 skipping to change at line 778
* The AEAD algorithm in use * The AEAD algorithm in use
* A secret key * A secret key
* A base nonce base_nonce * A base nonce base_nonce
* A sequence number (initially 0) * A sequence number (initially 0)
The secret export parameters consist of: The secret export parameters consist of:
* The HPKE ciphersuite in use and * The HPKE ciphersuite in use
* An exporter_secret used for the secret export interface (see * An exporter_secret used for the secret export interface (see
Section 5.3) Section 5.3).
All these parameters except the AEAD sequence number are constant. All these parameters except the AEAD sequence number are constant.
The sequence number provides nonce uniqueness: The nonce used for The sequence number provides nonce uniqueness: The nonce used for
each encryption or decryption operation is the result of XORing each encryption or decryption operation is the result of XORing
base_nonce with the current sequence number, encoded as a big-endian base_nonce with the current sequence number, encoded as a big-endian
integer of the same length as base_nonce. Implementations MAY use a integer of the same length as base_nonce. Implementations MAY use a
sequence number that is shorter than the nonce length (padding on the sequence number that is shorter than the nonce length (padding on the
left with zero), but MUST raise an error if the sequence number left with zero), but MUST raise an error if the sequence number
overflows. The AEAD algorithm produces ciphertext that is Nt bytes overflows. The AEAD algorithm produces ciphertext that is Nt bytes
longer than the plaintext. Nt = 16 for AEAD algorithms defined in longer than the plaintext. Nt = 16 for AEAD algorithms defined in
skipping to change at page 18, line 44 skipping to change at line 829
return xor(self.base_nonce, seq_bytes) return xor(self.base_nonce, seq_bytes)
def Context<ROLE>.IncrementSeq(): def Context<ROLE>.IncrementSeq():
if self.seq >= (1 << (8*Nn)) - 1: if self.seq >= (1 << (8*Nn)) - 1:
raise MessageLimitReachedError raise MessageLimitReachedError
self.seq += 1 self.seq += 1
The sender's context MUST NOT be used for decryption. Similarly, the The sender's context MUST NOT be used for decryption. Similarly, the
recipient's context MUST NOT be used for encryption. Higher-level recipient's context MUST NOT be used for encryption. Higher-level
protocols reusing the HPKE key exchange for more general purposes can protocols reusing the HPKE key exchange for more general purposes can
derive separate keying material as needed using the secret export derive separate keying material as needed, using the secret
interface; see Section 5.3 and Section 9.8 for more details. export interface; see Sections 5.3 and 9.8 for more details.
It is up to the application to ensure that encryptions and It is up to the application to ensure that encryptions and
decryptions are done in the proper sequence, so that encryption and decryptions are done in the proper sequence so that encryption and
decryption nonces align. If ContextS.Seal() or ContextR.Open() would decryption nonces align. If ContextS.Seal() or ContextR.Open() would
cause the seq field to overflow, then the implementation MUST fail cause the seq field to overflow, then the implementation MUST fail
with an error. (In the pseudocode below, with an error. (In the pseudocode below,
Context<ROLE>.IncrementSeq() fails with an error when seq overflows, Context<ROLE>.IncrementSeq() fails with an error when seq overflows,
which causes ContextS.Seal() and ContextR.Open() to fail which causes ContextS.Seal() and ContextR.Open() to fail
accordingly.) Note that the internal Seal() and Open() calls inside accordingly.) Note that the internal Seal() and Open() calls inside
correspond to the context's AEAD algorithm. correspond to the context's AEAD algorithm.
5.3. Secret Export 5.3. Secret Export
skipping to change at page 19, line 43 skipping to change at line 876
in the key schedule, as they are not used by the Export interface in the key schedule, as they are not used by the Export interface
described above. described above.
6. Single-Shot APIs 6. Single-Shot APIs
6.1. Encryption and Decryption 6.1. Encryption and Decryption
In many cases, applications encrypt only a single message to a In many cases, applications encrypt only a single message to a
recipient's public key. This section provides templates for HPKE recipient's public key. This section provides templates for HPKE
APIs that implement stateless "single-shot" encryption and decryption APIs that implement stateless "single-shot" encryption and decryption
using APIs specified in Section 5.1.1 and Section 5.2: using APIs specified in Sections 5.1.1 and 5.2:
def Seal<MODE>(pkR, info, aad, pt, ...): def Seal<MODE>(pkR, info, aad, pt, ...):
enc, ctx = Setup<MODE>S(pkR, info, ...) enc, ctx = Setup<MODE>S(pkR, info, ...)
ct = ctx.Seal(aad, pt) ct = ctx.Seal(aad, pt)
return enc, ct return enc, ct
def Open<MODE>(enc, skR, info, aad, ct, ...): def Open<MODE>(enc, skR, info, aad, ct, ...):
ctx = Setup<MODE>R(enc, skR, info, ...) ctx = Setup<MODE>R(enc, skR, info, ...)
return ctx.Open(aad, ct) return ctx.Open(aad, ct)
skipping to change at page 21, line 11 skipping to change at line 927
As in Section 6.1, the MODE template parameter is one of Base, PSK, As in Section 6.1, the MODE template parameter is one of Base, PSK,
Auth, or AuthPSK. The optional parameters indicated by "..." depend Auth, or AuthPSK. The optional parameters indicated by "..." depend
on MODE and may be empty. on MODE and may be empty.
7. Algorithm Identifiers 7. Algorithm Identifiers
This section lists algorithm identifiers suitable for different HPKE This section lists algorithm identifiers suitable for different HPKE
configurations. Future specifications may introduce new KEM, KDF, configurations. Future specifications may introduce new KEM, KDF,
and AEAD algorithm identifiers and retain the security guarantees and AEAD algorithm identifiers and retain the security guarantees
presented in this document provided they adhere to the security presented in this document provided they adhere to the security
requirements in Section 9.2, Section 9.3, and Section 9.4, requirements in Sections 9.2, 9.3, and 9.4, respectively.
respectively.
7.1. Key Encapsulation Mechanisms (KEMs) 7.1. Key Encapsulation Mechanisms (KEMs)
+=======+===============+=========+====+===+===+====+===============+ +=======+===============+=========+====+===+===+====+===============+
|Value | KEM | Nsecret |Nenc|Npk|Nsk|Auth| Reference | |Value | KEM | Nsecret |Nenc|Npk|Nsk|Auth| Reference |
+=======+===============+=========+====+===+===+====+===============+ +=======+===============+=========+====+===+===+====+===============+
|0x0000 | Reserved | N/A |N/A |N/A|N/A|yes | RFC 9180 | |0x0000 | Reserved | N/A |N/A |N/A|N/A|yes | RFC 9180 |
+-------+---------------+---------+----+---+---+----+---------------+ +-------+---------------+---------+----+---+---+----+---------------+
|0x0010 | DHKEM(P-256, | 32 |65 |65 |32 |yes | [NISTCurves], | |0x0010 | DHKEM(P-256, | 32 |65 |65 |32 |yes | [NISTCurves], |
| | HKDF-SHA256) | | | | | | [RFC5869] | | | HKDF-SHA256) | | | | | | [RFC5869] |
+-------+---------------+---------+----+---+---+----+---------------+ +-------+---------------+---------+----+---+---+----+---------------+
|0x0011 | DHKEM(P-384, | 48 |97 |97 |48 |yes | [NISTCurves], | |0x0011 | DHKEM(P-384, | 48 |97 |97 |48 |yes | [NISTCurves], |
| | HKDF-SHA384) | | | | | | [RFC5869] | | | HKDF-SHA384) | | | | | | [RFC5869] |
+-------+---------------+---------+----+---+---+----+---------------+ +-------+---------------+---------+----+---+---+----+---------------+
|0x0012 | DHKEM(P-521, | 64 |133 |133|66 |yes | [NISTCurves], | |0x0012 | DHKEM(P-521, | 64 |133 |133|66 |yes | [NISTCurves], |
| | HKDF-SHA512) | | | | | | [RFC5869] | | | HKDF-SHA512) | | | | | | [RFC5869] |
+-------+---------------+---------+----+---+---+----+---------------+ +-------+---------------+---------+----+---+---+----+---------------+
|0x0020 | DHKEM(X25519, | 32 |32 |32 |32 |yes | [RFC7748], | |0x0020 | DHKEM(X25519, | 32 |32 |32 |32 |yes | [RFC5869], |
| | HKDF-SHA256) | | | | | | [RFC5869] | | | HKDF-SHA256) | | | | | | [RFC7748] |
+-------+---------------+---------+----+---+---+----+---------------+ +-------+---------------+---------+----+---+---+----+---------------+
|0x0021 | DHKEM(X448, | 64 |56 |56 |56 |yes | [RFC7748], | |0x0021 | DHKEM(X448, | 64 |56 |56 |56 |yes | [RFC5869], |
| | HKDF-SHA512) | | | | | | [RFC5869] | | | HKDF-SHA512) | | | | | | [RFC7748] |
+-------+---------------+---------+----+---+---+----+---------------+ +-------+---------------+---------+----+---+---+----+---------------+
Table 2: KEM IDs Table 2: KEM IDs
The Auth column indicates if the KEM algorithm provides the The Auth column indicates if the KEM algorithm provides the
AuthEncap()/AuthDecap() interface and is therefore suitable for the AuthEncap()/AuthDecap() interface and is therefore suitable for the
Auth and AuthPSK modes. The meaning of all other columns is Auth and AuthPSK modes. The meaning of all other columns is
explained in Section 11.1. All algorithms are suitable for the PSK explained in Section 11.1. All algorithms are suitable for the PSK
mode. mode.
skipping to change at page 23, line 23 skipping to change at line 1033
if counter > 255: if counter > 255:
raise DeriveKeyPairError raise DeriveKeyPairError
bytes = LabeledExpand(dkp_prk, "candidate", bytes = LabeledExpand(dkp_prk, "candidate",
I2OSP(counter, 1), Nsk) I2OSP(counter, 1), Nsk)
bytes[0] = bytes[0] & bitmask bytes[0] = bytes[0] & bitmask
sk = OS2IP(bytes) sk = OS2IP(bytes)
counter = counter + 1 counter = counter + 1
return (sk, pk(sk)) return (sk, pk(sk))
order is the order of the curve being used (see Section D.1.2 of order is the order of the curve being used (see Section D.1.2 of
[NISTCurves]), and is listed below for completeness. [NISTCurves]) and is listed below for completeness.
P-256: P-256:
0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P-384: P-384:
0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf
581a0db248b0a77aecec196accc52973 581a0db248b0a77aecec196accc52973
P-521: P-521:
0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
skipping to change at page 24, line 14 skipping to change at line 1069
7.1.4. Validation of Inputs and Outputs 7.1.4. Validation of Inputs and Outputs
The following public keys are subject to validation if the group The following public keys are subject to validation if the group
requires public key validation: the sender MUST validate the requires public key validation: the sender MUST validate the
recipient's public key pkR; the recipient MUST validate the ephemeral recipient's public key pkR; the recipient MUST validate the ephemeral
public key pkE; in authenticated modes, the recipient MUST validate public key pkE; in authenticated modes, the recipient MUST validate
the sender's static public key pkS. Validation failure yields a the sender's static public key pkS. Validation failure yields a
ValidationError. ValidationError.
For P-256, P-384 and P-521, senders and recipients MUST perform For P-256, P-384, and P-521, senders and recipients MUST perform
partial public key validation on all public key inputs, as defined in partial public key validation on all public key inputs, as defined in
Section 5.6.2.3.4 of [keyagreement]. This includes checking that the Section 5.6.2.3.4 of [keyagreement]. This includes checking that the
coordinates are in the correct range, that the point is on the curve, coordinates are in the correct range, that the point is on the curve,
and that the point is not the point at infinity. Additionally, and that the point is not the point at infinity. Additionally,
senders and recipients MUST ensure the Diffie-Hellman shared secret senders and recipients MUST ensure the Diffie-Hellman shared secret
is not the point at infinity. is not the point at infinity.
For X25519 and X448, public keys and Diffie-Hellman outputs MUST be For X25519 and X448, public keys and Diffie-Hellman outputs MUST be
validated as described in [RFC7748]. In particular, recipients MUST validated as described in [RFC7748]. In particular, recipients MUST
check whether the Diffie-Hellman shared secret is the all-zero value check whether the Diffie-Hellman shared secret is the all-zero value
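The X25519 checks of this subsection as an added Python example; this is not RFC 9180's own code. It contains a pure-Python RFC 7748 ladder, the public-key derivation a sender uses to obtain pkE from skE, and a dh_checked() wrapper that raises ValidationError when the Diffie-Hellman output is all-zero, which is what a peer-supplied low-order point such as u = 0 produces. The RFC 7748 Section 6.1 key pairs are embedded as known-answer inputs and a fresh key pair is generated with os.urandom for the Encap/Decap agreement check; the KEM's ExtractAndExpand() over the DH output is not included here.

```python
import hmac
import os

P = 2 ** 255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31  # u = 9, little-endian

# RFC 7748 Section 6.1 known-answer key pairs.
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
ALICE_BOB_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


class ValidationError(Exception):
    pass


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: clamp the scalar, mask the top bit of u, run the Montgomery ladder."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(sk: bytes) -> bytes:
    return x25519(sk, BASEPOINT)


def dh_checked(sk: bytes, pk: bytes) -> bytes:
    """DH with the Section 7.1.4 output check: an all-zero result MUST be rejected."""
    if len(pk) != 32:
        raise ValidationError("X25519 public key must be 32 bytes")
    out = x25519(sk, pk)
    if hmac.compare_digest(out, bytes(32)):
        raise ValidationError("all-zero shared secret: peer supplied a low-order point")
    return out


def low_order_point_rejected(sk: bytes) -> bool:
    # u = 0 is a point of order 2; every scalar maps it to the all-zero output.
    try:
        dh_checked(sk, bytes(32))
        return False
    except ValidationError:
        return True


def encap_decap_agree(sk_r: bytes) -> bool:
    """The DH half of Encap()/Decap(): sender uses (skE, pkR), recipient uses (skR, pkE)."""
    pk_r = public_key(sk_r)
    sk_e = os.urandom(32)
    pk_e = public_key(sk_e)        # this is enc in the base-mode KEM
    return dh_checked(sk_e, pk_r) == dh_checked(sk_r, pk_e)


if __name__ == "__main__":
    print("Alice pk ok:", public_key(ALICE_SK) == ALICE_PK)
    print("shared ok:  ", dh_checked(ALICE_SK, BOB_PK) == ALICE_BOB_SHARED)
    print("u=0 rejected:", low_order_point_rejected(ALICE_SK))
    print("encap/decap agree:", encap_decap_agree(os.urandom(32)))
```

The all-zero check is the only validation X25519 and X448 need because the clamping in x25519() already clears the low-order component of the scalar; without the check, a low-order pkE or pkR would drive every party to the same predictable shared_secret.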
skipping to change at page 27, line 20 skipping to change at line 1215
the aad parameter for Open() and Seal(), and the exporter_context the aad parameter for Open() and Seal(), and the exporter_context
parameter for Export(). Application information applicable to parameter for Export(). Application information applicable to
multiple operations on a single Context should use the Setup info multiple operations on a single Context should use the Setup info
parameter. This avoids redundantly processing this information for parameter. This avoids redundantly processing this information for
each Context operation. In contrast, application information that each Context operation. In contrast, application information that
varies on a per-message basis should be specified via the Context varies on a per-message basis should be specified via the Context
APIs (Seal(), Open(), or Export()). APIs (Seal(), Open(), or Export()).
Applications that only use the single-shot APIs described in Applications that only use the single-shot APIs described in
Section 6 should use the Setup info parameter for specifying Section 6 should use the Setup info parameter for specifying
auxiliary authenticated information. Implementations which only auxiliary authenticated information. Implementations that only
expose single-shot APIs should not allow applications to use both expose single-shot APIs should not allow applications to use both
Setup info and Context aad or exporter_context auxiliary information Setup info and Context aad or exporter_context auxiliary information
parameters. parameters.
8.2. Errors 8.2. Errors
The high-level, public HPKE APIs specified in this document are all The high-level, public HPKE APIs specified in this document are all
fallible. These include the Setup functions and all encryption fallible. These include the Setup functions and all encryption
context functions. For example, Decap() can fail if the encapsulated context functions. For example, Decap() can fail if the encapsulated
key enc is invalid, and Open() may fail if ciphertext decryption key enc is invalid, and Open() may fail if ciphertext decryption
fails. The explicit errors generated throughout this specification, fails. The explicit errors generated throughout this specification,
along with the conditions that lead to each error, are as follows: along with the conditions that lead to each error, are as follows:
* ValidationError: KEM input or output validation failure; ValidationError: KEM input or output validation failure;
Section 4.1. Section 4.1.
* DeserializeError: Public or private key deserialization failure; DeserializeError: Public or private key deserialization failure;
Section 4. Section 4.
* EncapError: Encap() failure; Section 4. EncapError: Encap() failure; Section 4.
* DecapError: Decap() failure; Section 4. DecapError: Decap() failure; Section 4.
* OpenError: Context AEAD Open() failure; Section 4 and Section 5.2. OpenError: Context AEAD Open() failure; Sections 4 and 5.2.
* MessageLimitReachedError: Context AEAD sequence number overflow; MessageLimitReachedError: Context AEAD sequence number overflow;
Section 4 and Section 5.2. Sections 4 and 5.2.
* DeriveKeyPairError: Key pair derivation failure; Section 7.1.3. DeriveKeyPairError: Key pair derivation failure; Section 7.1.3.
Implicit errors may also occur. As an example, certain classes of Implicit errors may also occur. As an example, certain classes of
failures, e.g., malformed recipient public keys, may not yield failures, e.g., malformed recipient public keys, may not yield
explicit errors. For example, for the DHKEM variant described in explicit errors. For example, for the DHKEM variant described in
this specification, the Encap() algorithm fails when given an invalid this specification, the Encap() algorithm fails when given an invalid
recipient public key. However, other KEM algorithms may not have an recipient public key. However, other KEM algorithms may not have an
efficient algorithm for verifying the validity of public keys. As a efficient algorithm for verifying the validity of public keys. As a
result, an equivalent error may not manifest until AEAD decryption at result, an equivalent error may not manifest until AEAD decryption at
the recipient. As another example, DHKEM's AuthDecap() function will the recipient. As another example, DHKEM's AuthDecap() function will
produce invalid output if given the wrong sender public key. This produce invalid output if given the wrong sender public key. This
skipping to change at page 28, line 50 skipping to change at line 1291
9. Security Considerations 9. Security Considerations
9.1. Security Properties 9.1. Security Properties
HPKE has several security goals, depending on the mode of operation, HPKE has several security goals, depending on the mode of operation,
against active and adaptive attackers that can compromise partial against active and adaptive attackers that can compromise partial
secrets of senders and recipients. The desired security goals are secrets of senders and recipients. The desired security goals are
detailed below: detailed below:
* Message secrecy: Confidentiality of the sender's messages against Message secrecy: confidentiality of the sender's messages against
chosen ciphertext attacks chosen ciphertext attacks
* Export key secrecy: Indistinguishability of each export secret Export key secrecy: indistinguishability of each export secret from
from a uniformly random bitstring of equal length, i.e., a uniformly random bitstring of equal length, i.e., Context.Export
Context.Export is a variable-length PRF is a variable-length PRF
* Sender authentication: Proof of sender origin for PSK, Auth, and Sender authentication: proof of sender origin for PSK, Auth, and
AuthPSK modes AuthPSK modes
These security goals are expected to hold for any honest sender and These security goals are expected to hold for any honest sender and
honest recipient keys, as well as if the honest sender and honest honest recipient keys, as well as if the honest sender and honest
recipient keys are the same. recipient keys are the same.
HPKE mitigates malleability problems (called benign malleability HPKE mitigates malleability problems (called benign malleability
[SECG]) in prior public key encryption standards based on ECIES by [SECG]) in prior public key encryption standards based on ECIES by
including all public keys in the context of the key schedule. including all public keys in the context of the key schedule.
skipping to change at page 29, line 50 skipping to change at line 1339
protection against bad ephemeral randomness. Section 9.7 suggests protection against bad ephemeral randomness. Section 9.7 suggests
application-level mitigations for some of them. application-level mitigations for some of them.
9.1.1. Key-Compromise Impersonation 9.1.1. Key-Compromise Impersonation
The DHKEM variants defined in this document are vulnerable to key- The DHKEM variants defined in this document are vulnerable to key-
compromise impersonation attacks [BJM97], which means that sender compromise impersonation attacks [BJM97], which means that sender
authentication cannot be expected to hold in the Auth mode if the authentication cannot be expected to hold in the Auth mode if the
recipient private key skR is compromised, and in the AuthPSK mode if recipient private key skR is compromised, and in the AuthPSK mode if
the pre-shared key and the recipient private key skR are both the pre-shared key and the recipient private key skR are both
compromised. NaCl's box interface [NaCl] has the same issue. At the compromised. The box interface of the Networking and Cryptography
same time, this enables repudiability. library [NaCl] has the same issue. At the same time, this enables
repudiability.
As shown by [ABHKLR20], key-compromise impersonation attacks are As shown by [ABHKLR20], key-compromise impersonation attacks are
generally possible on HPKE because KEM ciphertexts are not bound to generally possible on HPKE because KEM ciphertexts are not bound to
HPKE messages. An adversary who knows a recipient's private key can HPKE messages. An adversary who knows a recipient's private key can
decapsulate an observed KEM ciphertext, compute the key schedule, and decapsulate an observed KEM ciphertext, compute the key schedule, and
encrypt an arbitrary message that the recipient will accept as coming encrypt an arbitrary message that the recipient will accept as coming
from the original sender. Importantly, this is possible even with a from the original sender. Importantly, this is possible even with a
KEM that is resistant to key-compromise impersonation attacks. As a KEM that is resistant to key-compromise impersonation attacks. As a
result, mitigating this issue requires fundamental changes that are result, mitigating this issue requires fundamental changes that are
out of scope of this specification. out of scope of this specification.
Applications that require resistance against key-compromise Applications that require resistance against key-compromise
impersonation SHOULD take extra steps to prevent this attack. One impersonation SHOULD take extra steps to prevent this attack. One
possibility is to produce a digital signature over (enc, ct) tuples possibility is to produce a digital signature over (enc, ct) tuples
using a sender's private key - where ct is an AEAD ciphertext using a sender's private key -- where ct is an AEAD ciphertext
produced by the single-shot or multi-shot API and enc is the produced by the single-shot or multi-shot API and enc is the
corresponding KEM encapsulated key. corresponding KEM encapsulated key.
Given these properties, pre-shared keys strengthen both the Given these properties, pre-shared keys strengthen both the
authentication and the secrecy properties in certain adversary authentication and the secrecy properties in certain adversary
models. One particular example in which this can be useful is a models. One particular example in which this can be useful is a
hybrid quantum setting: if a non-quantum-resistant KEM used with HPKE hybrid quantum setting: if a non-quantum-resistant KEM used with HPKE
is broken by a quantum computer, the security properties are is broken by a quantum computer, the security properties are
preserved through the use of a pre-shared key. As described in preserved through the use of a pre-shared key. As described in
Section 7 of [RFC8696] this assumes that the pre-shared key has not Section 7 of [RFC8696], this assumes that the pre-shared key has not
been compromised. been compromised.
9.1.2. Computational Analysis 9.1.2. Computational Analysis
It is shown in [CS01] that a hybrid public key encryption scheme of It is shown in [CS01] that a hybrid public key encryption scheme of
essentially the same form as the Base mode described here is IND- essentially the same form as the Base mode described here is IND-
CCA2-secure as long as the underlying KEM and AEAD schemes are IND- CCA2-secure as long as the underlying KEM and AEAD schemes are IND-
CCA2-secure. Moreover, it is shown in [HHK06] that IND-CCA2 security CCA2-secure. Moreover, it is shown in [HHK06] that IND-CCA2 security
of the KEM and the data encapsulation mechanism are necessary
conditions to achieve IND-CCA2 security for hybrid public key
[...]
schedule, the Auth and AuthPSK modes make use of a non-standard
authenticated KEM construction. Generally, the authenticated modes
of HPKE can be viewed and analyzed as flavors of signcryption
[SigncryptionDZ10].

A preliminary computational analysis of all HPKE modes has been done
in [HPKEAnalysis], indicating asymptotic security for the case where
the KEM is DHKEM, the AEAD is any IND-CPA-secure and INT-CTXT-secure
scheme, and the DH group and KDF satisfy the following conditions:

*  DH group: The gap Diffie-Hellman (GDH) problem is hard in the
   appropriate subgroup [GAP].

*  Extract() and Expand(): Extract() can be modeled as a random
   oracle. Expand() can be modeled as a pseudorandom function,
   wherein the first argument is the key.

In particular, the KDFs and DH groups defined in this document (see
Sections 7.2 and 7.1) satisfy these properties when used as
specified. The analysis in [HPKEAnalysis] demonstrates that under
these constraints, HPKE continues to provide IND-CCA2 security, and
provides the additional properties noted above. Also, the analysis
confirms the expected properties hold under the different key
compromise cases mentioned above. The analysis considers a sender
that sends one message using the encryption context and additionally
exports two independent secrets using the secret export interface.

The table below summarizes the main results from [HPKEAnalysis]. N/A
means that a property does not apply for the given mode, whereas Y
means that the given mode satisfies the property.
+=========+==============+=============+==============+
| Variant | Message Sec. | Export Sec. | Sender Auth. |
+=========+==============+=============+==============+
| Base    | Y            | Y           | N/A          |
+---------+--------------+-------------+--------------+
| PSK     | Y            | Y           | Y            |
+---------+--------------+-------------+--------------+
| Auth    | Y            | Y           | Y            |
+---------+--------------+-------------+--------------+
| AuthPSK | Y            | Y           | Y            |
+---------+--------------+-------------+--------------+

                Table 6: HPKE Mode Security Properties
If non-DH-based KEMs are to be used with HPKE, further analysis will
be necessary to prove their security. The results from [CS01]
provide some indication that any IND-CCA2-secure KEM will suffice
here, but are not conclusive given the differences in the schemes.

A detailed computational analysis of HPKE's Auth mode single-shot
encryption API has been done in [ABHKLR20]. The paper defines
security notions for authenticated KEMs and for authenticated public
key encryption, using the outsider and insider security terminology
[...]
HPKE allows combining a DHKEM variant DHKEM(Group, KDF') and a KDF
such that both KDFs are instantiated by the same KDF. By design, the
calls to Extract() and Expand() inside DHKEM and the remainder of
HPKE use separate input domains. This justifies modeling them as
independent functions even if instantiated by the same KDF. This
domain separation between DHKEM and the remainder of HPKE is achieved
by using prefix-free sets of suite_id values in LabeledExtract() and
LabeledExpand() (KEM... in DHKEM and HPKE... in the remainder of
HPKE). Recall that a set is prefix-free if no element is a prefix of
another within the set.

Future KEM instantiations MUST ensure, should Extract() and Expand()
be used internally, that they can be modeled as functions independent
from the invocations of Extract() and Expand() in the remainder of
HPKE. One way to ensure this is by using LabeledExtract() and
LabeledExpand() with a suite_id as defined in Section 4, which will
ensure input domain separation, as outlined above. Particular
attention needs to be paid if the KEM directly invokes functions that
are used internally in HPKE's Extract() or Expand(), such as Hash()
and HMAC() in the case of HKDF. It MUST be ensured that inputs to
these invocations cannot collide with inputs to the internal
invocations of these functions inside Extract() or Expand(). In
HPKE's KeySchedule(), this is avoided by using Extract() instead of
Hash() on the arbitrary-length inputs info and psk_id.

The string literal "HPKE-v1" used in LabeledExtract() and
LabeledExpand() ensures that any secrets derived in HPKE are bound to
the scheme's name and version, even when possibly derived from the
same Diffie-Hellman or KEM shared secret as in another scheme or
version.
9.7. Application Embedding and Non-Goals

HPKE is designed to be a fairly low-level mechanism. As a result, it
assumes that certain properties are provided by the application in
which HPKE is embedded and leaves certain security properties to be
provided by other mechanisms. Otherwise said, certain properties are
out of scope for HPKE.
9.7.1. Message Order and Message Loss

The primary requirement that HPKE imposes on applications is the
requirement that ciphertexts MUST be presented to ContextR.Open() in
the same order in which they were generated by ContextS.Seal(). When
the single-shot API is used (see Section 6), this is trivially true
(since there is only ever one ciphertext). Applications that allow
for multiple invocations of Open() / Seal() on the same context MUST
enforce the ordering property described above.

Ordering requirements of this character are usually fulfilled by
providing a sequence number in the framing of encrypted messages.
Whatever information is used to determine the ordering of
HPKE-encrypted messages SHOULD be included in the additional
authenticated data (AAD) passed to ContextS.Seal() and
ContextR.Open(). The specifics of this scheme are up to the
application.

HPKE is not tolerant of lost messages. Applications MUST be able to
detect when a message has been lost. When an unrecoverable loss is
detected, the application MUST discard any associated HPKE context.
9.7.2. Downgrade Prevention

HPKE assumes that the sender and recipient agree on what algorithms
to use. Depending on how these algorithms are negotiated, it may be
possible for an intermediary to force the two parties to use
[...]
encrypted under said secrets. This is because only long-term secrets
are used on the side of the recipient.

HPKE ciphertexts are forward secret with respect to sender compromise
in all modes. This is because ephemeral randomness is used on the
sender's side, which is supposed to be erased directly after
computation of the KEM shared secret and ciphertext.
9.7.5. Bad Ephemeral Randomness

If the randomness used for KEM encapsulation is bad (i.e., of low
entropy or compromised because of a broken or subverted random number
generator), the confidentiality guarantees of HPKE degrade
significantly. In Base mode, confidentiality guarantees can be lost
completely; in the other modes, at least forward secrecy with respect
to sender compromise can be lost completely.

Such a situation could also lead to the reuse of the same KEM shared
secret and thus to the reuse of the same key-nonce pairs for the
AEAD. The AEADs specified in this document are not secure in case of
nonce reuse. This attack vector is particularly relevant in
authenticated modes because knowledge of the ephemeral randomness is
not enough to derive shared_secret in these modes.

One way for applications to mitigate the impacts of bad ephemeral
randomness is to combine ephemeral randomness with a local long-term
secret that has been generated securely, as described in [RFC8937].
9.7.6. Hiding Plaintext Length

AEAD ciphertexts produced by HPKE do not hide the plaintext length.
Applications requiring this level of privacy should use a suitable
padding mechanism. See [TLS-ESNI] and [RFC8467] for examples of
protocol-specific padding policies.
9.8. Bidirectional Encryption

As discussed in Section 5.2, HPKE encryption is unidirectional from
sender to recipient. Applications that require bidirectional
encryption can derive necessary keying material with the secret
export interface (Section 5.3). The type and length of such keying
material depends on the application use case.

As an example, if an application needs AEAD encryption from the
recipient to the sender, it can derive a key and nonce from the
corresponding HPKE context as follows:

   key = context.Export("response key", Nk)
   nonce = context.Export("response nonce", Nn)

In this example, the length of each secret is based on the AEAD
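The following is an added worked example, not code from RFC 9180 or from any HPKE implementation, that serves two passages above: the domain-separation discussion (prefix-free suite_id values in LabeledExtract()/LabeledExpand(), and the "HPKE-v1" binding) and the Section 9.8 response-key derivation through Export(). It implements HKDF-SHA256 Extract/Expand per RFC 5869 in the Python standard library, builds the two suite_id forms ("KEM" || kem_id for DHKEM and "HPKE" || kem_id || kdf_id || aead_id for the rest of HPKE), checks that the set is prefix-free, and derives a response key and nonce with the label "sec" that Section 5.3 specifies for Export(). The identifiers 0x0020, 0x0001 and 0x0003 are the Section 7 codepoints for DHKEM(X25519, HKDF-SHA256), HKDF-SHA256 and ChaCha20Poly1305; the exporter_secret and DH values in the helper functions are constructed inputs, not values produced by a real KEM.

```python
import hashlib
import hmac

# Suite identifiers from RFC 9180 Section 7 for the suite this example uses.
KEM_ID = 0x0020   # DHKEM(X25519, HKDF-SHA256)
KDF_ID = 0x0001   # HKDF-SHA256
AEAD_ID = 0x0003  # ChaCha20Poly1305 (Nk = 32, Nn = 12)
NH = 32           # Nh: output size of HKDF-SHA256 Extract()


def i2osp(n: int, w: int) -> bytes:
    return n.to_bytes(w, "big")


def extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract with SHA-256 (RFC 5869); an empty salt acts as Nh zero bytes."""
    return hmac.new(salt or bytes(NH), ikm, hashlib.sha256).digest()


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand with SHA-256 (RFC 5869): T(i) = HMAC(prk, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def kem_suite_id(kem_id: int) -> bytes:
    """suite_id used inside DHKEM: "KEM" || I2OSP(kem_id, 2)."""
    return b"KEM" + i2osp(kem_id, 2)


def hpke_suite_id(kem_id: int, kdf_id: int, aead_id: int) -> bytes:
    """suite_id used by the rest of HPKE: "HPKE" || kem_id || kdf_id || aead_id."""
    return b"HPKE" + i2osp(kem_id, 2) + i2osp(kdf_id, 2) + i2osp(aead_id, 2)


def labeled_extract(salt: bytes, label: bytes, ikm: bytes, suite_id: bytes) -> bytes:
    # "HPKE-v1" binds every derived secret to the scheme name and version.
    return extract(salt, b"HPKE-v1" + suite_id + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int, suite_id: bytes) -> bytes:
    return expand(prk, i2osp(length, 2) + b"HPKE-v1" + suite_id + label + info, length)


def is_prefix_free(values) -> bool:
    """True if no element is a proper prefix (or a duplicate) of another element."""
    values = list(values)
    return not any(i != j and b.startswith(a)
                   for i, a in enumerate(values) for j, b in enumerate(values))


def export(exporter_secret: bytes, exporter_context: bytes, length: int, suite_id: bytes) -> bytes:
    """Context.Export() as in Section 5.3: LabeledExpand(exporter_secret, "sec", ctx, L)."""
    return labeled_expand(exporter_secret, b"sec", exporter_context, length, suite_id)


def response_keys(exporter_secret: bytes, nk: int = 32, nn: int = 12):
    """Key and nonce for recipient-to-sender AEAD traffic, the Section 9.8 pattern."""
    sid = hpke_suite_id(KEM_ID, KDF_ID, AEAD_ID)
    return (export(exporter_secret, b"response key", nk, sid),
            export(exporter_secret, b"response nonce", nn, sid))


def domain_separated_prks(dh: bytes):
    """The same DH bytes fed to DHKEM's Extract and to HPKE's Extract give unrelated PRKs,
    because the two suite_id values are prefix-free (and the labels differ too)."""
    in_kem = labeled_extract(b"", b"eae_prk", dh, kem_suite_id(KEM_ID))
    in_hpke = labeled_extract(b"", b"secret", dh, hpke_suite_id(KEM_ID, KDF_ID, AEAD_ID))
    return in_kem, in_hpke
```

The prefix-free property is what lets a reviewer treat the two families of calls as independent functions: no labeled input to DHKEM's KDF can equal a labeled input to the key-schedule KDF, even when both run on the same HKDF instance.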
[...]
unambiguous encoding mechanism that includes, minimally: the
encapsulated value enc, ciphertext value(s) (and order if there are
multiple), and any info values that are not implicit. One example of
a non-implicit value is the recipient public key used for
encapsulation, which may be needed if a recipient has more than one
public key.
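One unambiguous encoding of the kind the paragraph above calls for, as an added example (the RFC leaves the wire format to the application; this layout and its field widths are an assumption for illustration, not a format defined by RFC 9180). Every variable-length field carries a big-endian length prefix, the ciphertexts keep their order behind an explicit count, and the decoder rejects truncated input and trailing bytes so that no two distinct byte strings decode to the same message.

```python
class DecodeError(ValueError):
    """Malformed wire message: truncated, empty, or with trailing bytes."""


def _opaque(data: bytes, width: int) -> bytes:
    """Length-prefixed vector: <width>-byte big-endian length, then the bytes."""
    if len(data) >= 1 << (8 * width):
        raise ValueError("value too long for its length prefix")
    return len(data).to_bytes(width, "big") + data


def _read_opaque(buf: bytes, off: int, width: int):
    """Read one length-prefixed vector at offset off; return (value, new offset)."""
    if off + width > len(buf):
        raise DecodeError("truncated length prefix")
    n = int.from_bytes(buf[off:off + width], "big")
    off += width
    if off + n > len(buf):
        raise DecodeError("truncated vector")
    return buf[off:off + n], off + n


def encode_message(enc: bytes, ciphertexts, info: bytes = b"", recipient_pk: bytes = b"") -> bytes:
    """enc, the non-implicit info, an optional recipient public key and the ordered ciphertexts.
    Widths (assumed): 2 bytes for enc/pk/info lengths and the count, 4 bytes per ciphertext."""
    ciphertexts = list(ciphertexts)
    if not ciphertexts or len(ciphertexts) > 0xFFFF:
        raise ValueError("need between 1 and 65535 ciphertexts")
    out = _opaque(enc, 2) + _opaque(recipient_pk, 2) + _opaque(info, 2)
    out += len(ciphertexts).to_bytes(2, "big")
    for ct in ciphertexts:
        out += _opaque(ct, 4)
    return out


def decode_message(buf: bytes) -> dict:
    enc, off = _read_opaque(buf, 0, 2)
    recipient_pk, off = _read_opaque(buf, off, 2)
    info, off = _read_opaque(buf, off, 2)
    if off + 2 > len(buf):
        raise DecodeError("truncated ciphertext count")
    count = int.from_bytes(buf[off:off + 2], "big")
    off += 2
    if count == 0:
        raise DecodeError("no ciphertexts")
    ciphertexts = []
    for _ in range(count):
        ct, off = _read_opaque(buf, off, 4)
        ciphertexts.append(ct)
    if off != len(buf):
        raise DecodeError("trailing bytes")   # strictness is what makes the encoding unambiguous
    return {"enc": enc, "recipient_pk": recipient_pk, "info": info, "ciphertexts": ciphertexts}
```

Whatever framing an application picks, the decoder should be strict in the same way: a lenient parser that tolerates trailing data or guesses field boundaries is exactly what turns "the same message" into several distinct byte strings.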
The AEAD interface used in this document is based on [RFC5116], which
produces and consumes a single ciphertext value. As discussed in
[RFC5116], this ciphertext value contains the encrypted plaintext as
well as any authentication data encoded in a manner described by the
individual AEAD scheme. Some implementations are not structured in
this way, instead providing a separate ciphertext and authentication
tag. When such AEAD implementations are used in HPKE
implementations, the HPKE implementation must combine these inputs
into a single ciphertext value within Seal() and parse them out
within Open(), where the parsing details are defined by the AEAD
scheme. For example, with the AES-GCM schemes specified in this
document, the GCM authentication tag is placed in the last Nt bytes
of the ciphertext output.
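The ciphertext/tag combination just described and the ordering rule of Section 9.7.1, as one added worked example (not code from RFC 9180 or any HPKE implementation). The AEAD here is a stand-in built from HMAC-SHA256, not one of the AEADs specified in this document; like the libraries the paragraph mentions it returns ciphertext and tag separately, and the wrapper concatenates them into a single RFC 5116-style ciphertext with the tag in the last Nt bytes and splits them again in Open(). The sender and recipient contexts derive the nonce as base_nonce XOR I2OSP(seq, Nn) as in Section 5.2, carry the sequence number in the framing and bind it through the AAD, and the recipient discards its context when a message is lost or reordered. The 8-byte seq framing and the key, base_nonce and message values are constructed assumptions for the example.

```python
import hashlib
import hmac

NK, NN, NT = 32, 12, 16   # key, nonce and tag sizes (bytes) of the stand-in AEAD


class HPKEError(Exception):
    """Raised for OpenError, MessageLimitReachedError and ordering failures."""


def i2osp(n: int, w: int) -> bytes:
    return n.to_bytes(w, "big")


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + i2osp(block, 4), hashlib.sha256).digest()
        block += 1
    return out[:n]


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    msg = nonce + i2osp(len(aad), 8) + aad + ct   # length prefix keeps aad/ct unambiguous
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:NT]


def aead_seal_split(key, nonce, aad, pt):
    """Stand-in AEAD in the 'separate ciphertext and tag' style some libraries use."""
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    return ct, _tag(_subkey(key, b"mac"), nonce, aad, ct)


def aead_open_split(key, nonce, aad, ct, tag):
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), nonce, aad, ct)):
        raise HPKEError("OpenError")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def aead_seal(key, nonce, aad, pt):
    """RFC 5116 shape: one ciphertext value with the tag in its last Nt bytes."""
    ct, tag = aead_seal_split(key, nonce, aad, pt)
    return ct + tag


def aead_open(key, nonce, aad, ct):
    if len(ct) < NT:
        raise HPKEError("OpenError")
    return aead_open_split(key, nonce, aad, ct[:-NT], ct[-NT:])


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    """Section 5.2: nonce = base_nonce XOR I2OSP(seq, Nn)."""
    return bytes(b ^ s for b, s in zip(base_nonce, i2osp(seq, NN)))


class SenderContext:
    def __init__(self, key, base_nonce):
        self.key, self.base_nonce, self.seq = key, base_nonce, 0

    def seal(self, aad, pt):
        if self.seq >= (1 << (8 * NN)) - 1:
            raise HPKEError("MessageLimitReachedError")
        seq = self.seq
        # The sequence number travels in the framing and is bound through the AAD.
        ct = aead_seal(self.key, compute_nonce(self.base_nonce, seq), i2osp(seq, 8) + aad, pt)
        self.seq += 1
        return seq, ct


class RecipientContext:
    def __init__(self, key, base_nonce):
        self.key, self.base_nonce, self.seq, self.discarded = key, base_nonce, 0, False

    def open(self, seq, aad, ct):
        if self.discarded:
            raise HPKEError("context discarded")
        if seq != self.seq:           # a message was lost or reordered: drop the context
            self.discarded = True
            raise HPKEError("message lost or reordered")
        pt = aead_open(self.key, compute_nonce(self.base_nonce, seq), i2osp(seq, 8) + aad, ct)
        self.seq += 1
        return pt


def demo():
    key, base_nonce = bytes(range(NK)), bytes(range(NN))   # constructed, not derived by HPKE
    sender, recipient = SenderContext(key, base_nonce), RecipientContext(key, base_nonce)
    msgs = [sender.seal(b"hdr", m) for m in (b"first", b"second", b"third")]
    in_order = [recipient.open(seq, b"hdr", ct) for seq, ct in msgs[:2]]
    fresh = RecipientContext(key, base_nonce)
    try:
        fresh.open(msgs[1][0], b"hdr", msgs[1][1])   # seq 1 arrives before seq 0
        outcome = "accepted"
    except HPKEError as err:
        outcome = str(err)
    return in_order, outcome, fresh.discarded
```

Because the recipient derives the nonce from its own counter, a reordered ciphertext would fail authentication anyway; checking the framed sequence number first lets the application tell loss apart from tampering and discard the context as Section 9.7.1 requires, rather than decrypting under a nonce it has already consumed.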
[...]
IANA has created three new registries:

*  HPKE KEM Identifiers

*  HPKE KDF Identifiers

*  HPKE AEAD Identifiers

All these registries are under "Hybrid Public Key Encryption", and
administered under a Specification Required policy [RFC8126].
11.1. KEM Identifiers

The "HPKE KEM Identifiers" registry lists identifiers for key
encapsulation algorithms defined for use with HPKE. These
identifiers are two-byte values, so the maximum possible value is
0xFFFF = 65535.

Template:

   Value:  the two-byte identifier for the algorithm
   KEM:  the name of the algorithm
   Nsecret:  the length in bytes of a KEM shared secret produced by
      the algorithm
   Nenc:  the length in bytes of an encoded encapsulated key produced
      by the algorithm
   Npk:  the length in bytes of an encoded public key for the
      algorithm
   Nsk:  the length in bytes of an encoded private key for the
      algorithm
   Auth:  a boolean indicating if this algorithm provides the
      AuthEncap()/AuthDecap() interface
   Reference:  where this algorithm is defined

Initial contents:  Provided in Table 2
11.2. KDF Identifiers

The "HPKE KDF Identifiers" registry lists identifiers for key
derivation functions defined for use with HPKE. These identifiers
are two-byte values, so the maximum possible value is 0xFFFF = 65535.

Template:

   Value:  the two-byte identifier for the algorithm
   KDF:  the name of the algorithm
   Nh:  the output size of the Extract function in bytes
   Reference:  where this algorithm is defined

Initial contents:  Provided in Table 3
11.3. AEAD Identifiers

The "HPKE AEAD Identifiers" registry lists identifiers for
authenticated encryption with associated data (AEAD) algorithms
defined for use with HPKE. These identifiers are two-byte values, so
the maximum possible value is 0xFFFF = 65535.

Template:

   Value:  the two-byte identifier for the algorithm
   AEAD:  the name of the algorithm
   Nk:  the length in bytes of a key for this algorithm
   Nn:  the length in bytes of a nonce for this algorithm
   Nt:  the length in bytes of an authentication tag for this
      algorithm
   Reference:  where this algorithm is defined

Initial contents:  Provided in Table 5
12. References

12.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/info/rfc2119>.

[...]

           RFC 8126, DOI 10.17487/RFC8126, June 2017,
           <https://www.rfc-editor.org/info/rfc8126>.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
           2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
           May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2. Informative References
[ABHKLR20] Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B., [ABHKLR20] Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B.,
and D. Riepel, "Analysing the HPKE Standard", 2020, and D. Riepel, "Analysing the HPKE Standard", November
<https://eprint.iacr.org/2020/1499>. 2020, <https://eprint.iacr.org/2020/1499>.
[ANSI] American National Standards Institute, "ANSI X9.63 Public [ANSI] American National Standards Institute (ANSI), "ANSI -
Key Cryptography for the Financial Services Industry -- X9.63 Public Key Cryptography for the Financial Services
Key Agreement and Key Transport Using Elliptic Curve Industry Key Agreement and Key Transport Using Elliptic
Cryptography", 2001. Curve Cryptography", November 2001.
[BHK09] Mihir Bellare, ., Dennis Hofheinz, ., and . Eike Kiltz, [BHK09] Bellare, M., Hofheinz, D., and E. Kiltz, "Subtleties in
"Subtleties in the Definition of IND-CCA: When and How the Definition of IND-CCA: When and How Should Challenge-
Should Challenge-Decryption be Disallowed?", 2009, Decryption be Disallowed?", August 2009,
<https://eprint.iacr.org/2009/418>. <https://eprint.iacr.org/2009/418>.
[BJM97] Blake-Wilson, S., Johnson, D., and A. Menezes, "Key [BJM97] Blake-Wilson, S., Johnson, D., and A. Menezes, "Key
agreement protocols and their security analysis: Extended agreement protocols and their security analysis: Extended
Abstract", Crytography and Coding pp. 30-45, Abstract", Crytography and Coding, pp. 30-45,
DOI 10.1007/bfb0024447, 1997, DOI 10.1007/bfb0024447, June 2005,
<https://doi.org/10.1007/bfb0024447>. <https://doi.org/10.1007/bfb0024447>.
[BNT19] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed: [BNT19] Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed:
AEAD Revisited", 2019, AEAD Revisited", August 2019,
<http://dx.doi.org/10.1007/978-3-030-26948-7_9>. <http://dx.doi.org/10.1007/978-3-030-26948-7_9>.
[CS01] Cramer, R. and V. Shoup, "Design and Analysis of Practical [CS01] Cramer, R. and V. Shoup, "Design and Analysis of Practical
Public-Key Encryption Schemes Secure against Adaptive Public-Key Encryption Schemes Secure against Adaptive
Chosen Ciphertext Attack", 2001, Chosen Ciphertext Attack", December 2001,
<https://eprint.iacr.org/2001/108>. <https://eprint.iacr.org/2001/108>.
[GAP] Okamoto, T. and D. Pointcheval, "The Gap-Problems - a New [GAP] Okamoto, T. and D. Pointcheval, "The Gap-Problems: A New
Class of Problems for the Security of Cryptographic Class of Problems for the Security of Cryptographic
Schemes", ISBN 978-3-540-44586-9, 2001, Schemes", ISBN 978-3-540-44586-9, June 2001,
<https://link.springer.com/content/ <https://link.springer.com/content/
pdf/10.1007/3-540-44586-2_8.pdf>. pdf/10.1007/3-540-44586-2_8.pdf>.
[GCM] Dworkin, M., "Recommendation for block cipher modes of [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of
operation :: GaloisCounter Mode (GCM) and GMAC", National Operation: Galois/Counter Mode (GCM) and GMAC",
Institute of Standards and Technology report, DOI 10.6028/nist.sp.800-38d, SP 800-38D, November 2007,
DOI 10.6028/nist.sp.800-38d, 2007,
<https://doi.org/10.6028/nist.sp.800-38d>. <https://doi.org/10.6028/nist.sp.800-38d>.
[HHK06] Herranz, J., Hofheinz, D., and E. Kiltz, "Some [HHK06] Herranz, J., Hofheinz, D., and E. Kiltz, "Some
(in)sufficient conditions for secure hybrid encryption", (in)sufficient conditions for secure hybrid encryption.",
2006, <https://eprint.iacr.org/2006/265>. August 2006, <https://eprint.iacr.org/2006/265>.
[HPKEAnalysis] [HPKEAnalysis]
Lipp, B., "An Analysis of Hybrid Public Key Encryption", Lipp, B., "An Analysis of Hybrid Public Key Encryption",
2020, <https://eprint.iacr.org/2020/243>. February 2020, <https://eprint.iacr.org/2020/243>.
[I-D.ietf-mls-protocol]
Barnes, R., Beurdouche, B., Robert, R., Millican, J.,
Omara, E., and K. Cohn-Gordon, "The Messaging Layer
Security (MLS) Protocol", Work in Progress, Internet-
Draft, draft-ietf-mls-protocol-12, 11 October 2021,
<https://www.ietf.org/archive/id/draft-ietf-mls-protocol-
12.txt>.
[I-D.ietf-tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-13, 12 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-tls-esni-
13.txt>.
[IEEE1363] Institute of Electrical and Electronics Engineers, "IEEE [IEEE1363] IEEE, "IEEE Standard Specifications for Public-Key
1363a, Standard Specifications for Public Key Cryptography Cryptography - Amendment 1: Additional Techniques", IEEE
- Amendment 1 -- Additional Techniques"", 2004. Std 1363a-2004.
[IMB] Diffie, W., Van Oorschot, P., and M. Wiener, [IMB] Diffie, W., Van Oorschot, P., and M. Wiener,
"Authentication and authenticated key exchanges", Designs, "Authentication and authenticated key exchanges", Designs,
Codes and Cryptography Vol. 2, pp. 107-125, Codes and Cryptography, Vol. 2, pp. 107-125,
DOI 10.1007/bf00124891, June 1992, DOI 10.1007/bf00124891, June 1992,
<https://doi.org/10.1007/bf00124891>. <https://doi.org/10.1007/bf00124891>.
[ISO] International Organization for Standardization / [ISO] International Organization for Standardization,
International Electrotechnical Commission, "ISO/IEC "Information technology - Security techniques - Encryption
18033-2, Information Technology - Security Techniques - algorithms - Part 2: Asymmetric ciphers", ISO/
Encryption Algorithms - Part 2 -- Asymmetric Ciphers", IEC 18033-2:2006, May 2006.
2006.
[keyagreement] [keyagreement]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for pair-wise key-establishment Davis, "Recommendation for Pair-Wise Key-Establishment
schemes using discrete logarithm cryptography", National Schemes Using Discrete Logarithm Cryptography", NIST
Institute of Standards and Technology report, Special Publication 800-56A Revision 3,
DOI 10.6028/nist.sp.800-56ar3, April 2018, DOI 10.6028/nist.sp.800-56ar3, April 2018,
<https://doi.org/10.6028/nist.sp.800-56ar3>. <https://doi.org/10.6028/nist.sp.800-56ar3>.
[LGR20] Len, J., Grubbs, P., and T. Ristenpart, "Partitioning [LGR20] Len, J., Grubbs, P., and T. Ristenpart, "Partitioning
Oracle Attacks", 2021, Oracle Attacks".
<https://eprint.iacr.org/2020/1491>.
[MAEA10] Gayoso Martinez, V., Hernandez Alvarez, F., Hernandez [MAEA10] Gayoso Martinez, V., Hernandez Alvarez, F., Hernandez
Encinas, L., and C. Sanchez Avila, "A Comparison of the Encinas, L., and C. Sanchez Avila, "A comparison of the
Standardized Versions of ECIES", 2010, standardized versions of ECIES", October 2010,
<https://ieeexplore.ieee.org/abstract/document/5604194/>. <https://ieeexplore.ieee.org/abstract/document/5604194/>.
[NaCl] "Public-key authenticated encryption: crypto_box", 2019, [MLS-PROTOCOL]
<https://nacl.cr.yp.to/box.html>. Barnes, R., Beurdouche, B., Robert, R., Millican, J.,
Omara, E., and K. Cohn-Gordon, "The Messaging Layer
Security (MLS) Protocol", Work in Progress, Internet-
Draft, draft-ietf-mls-protocol-12, 11 October 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-mls-
protocol-12>.
[NaCl] "Public-key authenticated encryption: crypto_box", March
2019, <https://nacl.cr.yp.to/box.html>.
[NISTCurves] [NISTCurves]
"Digital Signature Standard (DSS)", National Institute of National Institute of Standards and Technology (NIST),
Standards and Technology report, "Digital Signature Standard (DSS)",
DOI 10.6028/nist.fips.186-4, July 2013, DOI 10.6028/nist.fips.186-4, FIPS PUB 186-4, July 2013,
              <https://doi.org/10.6028/nist.fips.186-4>.

   [RFC1421]  Linn, J., "Privacy Enhancement for Internet Electronic
              Mail: Part I: Message Encryption and Authentication
              Procedures", RFC 1421, DOI 10.17487/RFC1421, February
              1993, <https://www.rfc-editor.org/info/rfc1421>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,

   [...]

   [RFC8696]  Housley, R., "Using Pre-Shared Key (PSK) in the
              Cryptographic Message Syntax (CMS)", RFC 8696,
              DOI 10.17487/RFC8696, December 2019,
              <https://www.rfc-editor.org/info/rfc8696>.

   [RFC8937]  Cremers, C., Garratt, L., Smyshlyaev, S., Sullivan, N.,
              and C. Wood, "Randomness Improvements for Security
              Protocols", RFC 8937, DOI 10.17487/RFC8937, October 2020,
              <https://www.rfc-editor.org/info/rfc8937>.

   [SECG]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", Version 2, May 2009,
              <https://secg.org/sec1-v2.pdf>.

   [SigncryptionDZ10]
              Dent, A. and Y. Zheng, "Practical Signcryption",
              Information Security and Cryptography,
              DOI 10.1007/978-3-540-89411-7, November 2010,
              <https://doi.org/10.1007/978-3-540-89411-7>.

   [TestVectors]
              "HPKE Test Vectors", <https://github.com/cfrg/draft-irtf-
              cfrg-hpke/blob/5f503c564da00b0687b3de75f1dfbdfc4079ad31/
              test-vectors.json>.
   [TLS-ESNI] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
              Encrypted Client Hello", Work in Progress, Internet-Draft,
              draft-ietf-tls-esni-13, 12 August 2021,
              <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
              esni-13>.

Appendix A. Acknowledgements

   The authors would like to thank Joel Alwen, Jean-Philippe Aumasson,
   David Benjamin, Benjamin Beurdouche, Bruno Blanchet, Frank Denis,
   Stephen Farrell, Scott Fluhrer, Eduard Hauck, Scott Hollenbeck, Kevin
   Jacobs, Burt Kaliski, Eike Kiltz, Julia Len, John Mattsson,
   Christopher Patton, Doreen Riepel, Raphael Robert, Michael Rosenberg,
   Michael Scott, Martin Thomson, Steven Valdez, Riad Wahby, and other
   contributors in the CFRG for helpful feedback that greatly improved
   this document.
Appendix B. Test Vectors

   Each section below contains test vectors for a single HPKE
   ciphersuite and contains the following values:

   1.  Configuration information and private key material: This includes
       the mode, info string, HPKE ciphersuite identifiers (kem_id,
       kdf_id, aead_id), and all sender, recipient, and ephemeral key
       material. For each role X, where X is one of S, R, or E, as
       sender, recipient, and ephemeral, respectively, key pairs are
       generated as (skX, pkX) = DeriveKeyPair(ikmX). Each key pair

   [...]

       along with intermediate values key_schedule_context and secret
       computed in the KeySchedule function in Section 5.1. The outputs
       include the context values key, base_nonce, and exporter_secret.

   3.  Encryption test vectors: A fixed plaintext message is encrypted
       using different sequence numbers and AAD values using the context
       computed in (2). Each test vector lists the sequence number and
       corresponding nonce computed with base_nonce, the plaintext
       message pt, AAD aad, and output ciphertext ct.

   4.  Export test vectors: Several exported values of the same length
       with differing context parameters are computed using the context
       computed in (2). Each test vector lists the exporter_context,
       output length L, and resulting export value.

   These test vectors are also available in JSON format at
   [TestVectors].
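   As an added example (not code from the RFC or its authors), the
   following Python reproduces the B.2.1 Base vector for DHKEM(X25519,
   HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305: a pure-Python
   ChaCha20-Poly1305 per RFC 8439, the context nonce computation
   base_nonce XOR I2OSP(seq, Nn), Seal with its message limit, and
   Export via LabeledExpand(exporter_secret, "sec", exporter_context, L).
   The key, base_nonce, exporter_secret, plaintext, AAD and expected
   outputs are copied from that vector; the DHKEM and KeySchedule steps
   that produce them are not re-derived, and the OverflowError used for
   MessageLimitReached is this example's own choice.

```python
import hashlib, hmac, struct

MASK32 = 0xffffffff
NN = 12  # Nn, the ChaCha20Poly1305 nonce length in bytes

def _qr(s, a, b, c, d):  # one ChaCha quarter round on the 16-word state s (RFC 8439, 2.1)
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & MASK32
        s[z] ^= s[x]
        s[z] = ((s[z] << shift) | (s[z] >> (32 - shift))) & MASK32

def chacha20_block(key, counter, nonce):  # 64-byte keystream block after 20 rounds
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # each pass is one column round plus one diagonal round
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *idx)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))

def chacha20_xor(key, counter, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)

def poly1305(key, msg):  # 32-byte one-time key; every 16-byte block gets a 0x01 byte appended
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s, acc = int.from_bytes(key[16:], "little"), 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % ((1 << 130) - 5)
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _tag(key, nonce, aad, ct):  # Poly1305 over aad, ct (each zero-padded to 16) and their lengths
    otk = chacha20_block(key, 0, nonce)[:32]  # the one-time key comes from counter block 0
    data = aad + b"\x00" * (-len(aad) % 16) + ct + b"\x00" * (-len(ct) % 16)
    return poly1305(otk, data + struct.pack("<QQ", len(aad), len(ct)))

def aead_seal(key, nonce, aad, pt):
    ct = chacha20_xor(key, 1, nonce, pt)  # encryption keystream starts at counter 1
    return ct + _tag(key, nonce, aad, ct)

def aead_open(key, nonce, aad, ct):  # None on tag failure: never release unverified plaintext
    body, tag = ct[:-16], ct[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, body)):
        return None
    return chacha20_xor(key, 1, nonce, body)

def hkdf_expand(prk, info, length):  # HKDF-Expand with SHA-256 (RFC 5869)
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

class Context:  # HPKE context (RFC 9180, Sections 5.2 and 5.3) built from the KeySchedule outputs
    def __init__(self, key, base_nonce, exporter_secret, kem_id, kdf_id, aead_id):
        self.key, self.base_nonce, self.exporter_secret = key, base_nonce, exporter_secret
        self.suite_id = b"HPKE" + struct.pack(">HHH", kem_id, kdf_id, aead_id)
        self.seq = 0
    def compute_nonce(self, seq):  # base_nonce XOR I2OSP(seq, Nn)
        return bytes(a ^ b for a, b in zip(self.base_nonce, seq.to_bytes(NN, "big")))
    def seal(self, aad, pt):
        if self.seq >= (1 << (8 * NN)) - 1:
            raise OverflowError("MessageLimitReached")
        ct = aead_seal(self.key, self.compute_nonce(self.seq), aad, pt)
        self.seq += 1
        return ct
    def export(self, exporter_context, length):
        # LabeledExpand(exporter_secret, "sec", exporter_context, L) over HKDF-SHA256 (kdf_id 1)
        info = struct.pack(">H", length) + b"HPKE-v1" + self.suite_id + b"sec" + exporter_context
        return hkdf_expand(self.exporter_secret, info, length)

# Values copied from the B.2.1 Base Setup vector: kem_id 32, kdf_id 1, aead_id 3.
KEY = bytes.fromhex("ad2744de8e17f4ebba575b3f5f5a8fa1f69c2a07f6e7500bc60ca6e3e3ec1c91")
BASE_NONCE = bytes.fromhex("5c4d98150661b848853b547f")
EXPORTER_SECRET = bytes.fromhex("a3b010d4994890e2c6968a36f64470d3c824c8f5029942feb11e7a74b2921922")
PT = bytes.fromhex("4265617574792069732074727574682c20747275746820626561757479")
EXPECTED_CT = {  # sequence number -> (aad, ct) as listed under B.2.1.1
    0: (b"Count-0", bytes.fromhex("1c5250d8034ec2b784ba2cfd69dbdb8af406cfe3ff938e131f0def8c8b60b4db21993c62ce81883d2dd1b51a28")),
    256: (b"Count-256", bytes.fromhex("7a4a13e9ef23978e2c520fd4d2e757514ae160cd0cd05e556ef692370ca53076214c0c40d4c728d6ed9e727a5b")),
}
EXPECTED_EXPORT = {  # exporter_context -> exported_value for L = 32, as listed under B.2.1.2
    b"": bytes.fromhex("4bbd6243b8bb54cec311fac9df81841b6fd61f56538a775e7c80a9f40160606e"),
    b"\x00": bytes.fromhex("8c1df14732580e5501b00f82b10a1647b40713191b7c1240ac80e2b68808ba69"),
    b"TestContext": bytes.fromhex("5acb09211139c43b3090489a9da433e8a30ee7188ba8b0a9a1ccf0c229283e53"),
}

def check_vectors():  # True when Seal, Open and Export reproduce every value listed above
    ctx = Context(KEY, BASE_NONCE, EXPORTER_SECRET, kem_id=32, kdf_id=1, aead_id=3)
    for seq, (aad, ct) in EXPECTED_CT.items():
        ctx.seq = seq  # jump to the listed sequence number instead of sealing seq times
        nonce = ctx.compute_nonce(seq)
        if ctx.seal(aad, PT) != ct or aead_open(KEY, nonce, aad, ct) != PT:
            return False
        if aead_open(KEY, nonce, b"Count-X", ct) is not None:  # altered AAD must be rejected
            return False
    return all(ctx.export(c, 32) == v for c, v in EXPECTED_EXPORT.items())
```

   The seq 256 case exercises the carry of I2OSP(seq, Nn) into the
   second-to-last nonce byte, which is why the listed nonce differs from
   base_nonce by more than its final byte.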
B.1. DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM

B.1.1. Base Setup Information

   mode: 0
   kem_id: 32
   kdf_id: 1
   aead_id: 1
   info: 4f6465206f6e2061204772656369616e2055726e
B.1.2. PSK Setup Information

   mode: 1
   kem_id: 32
   kdf_id: 1
   aead_id: 1
   info: 4f6465206f6e2061204772656369616e2055726e
B.1.3. Auth Setup Information

   mode: 2
   kem_id: 32
   kdf_id: 1
   aead_id: 1
   info: 4f6465206f6e2061204772656369616e2055726e
B.1.4. AuthPSK Setup Information

   mode: 3
   kem_id: 32
   kdf_id: 1
   aead_id: 1
   info: 4f6465206f6e2061204772656369616e2055726e
B.2. DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305

B.2.1. Base Setup Information

   mode: 0
   kem_id: 32
   kdf_id: 1
   aead_id: 3
   info: 4f6465206f6e2061204772656369616e2055726e
B.2.2. PSK Setup Information

   mode: 1
   kem_id: 32
   kdf_id: 1
   aead_id: 3
   info: 4f6465206f6e2061204772656369616e2055726e
B.2.3. Auth Setup Information

   mode: 2
   kem_id: 32
   kdf_id: 1
   aead_id: 3
   info: 4f6465206f6e2061204772656369616e2055726e
B.2.4. AuthPSK Setup Information

   mode: 3
   kem_id: 32
   kdf_id: 1
   aead_id: 3
   info: 4f6465206f6e2061204772656369616e2055726e
B.3. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM A.3. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM
B.3.1. Base Setup Information A.3.1. Base Setup Information
mode: 0 mode: 0
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
4270e54ffd08d79d5928020af4686d8f6b7d35dbe470265f1f5aa22816ce860e 4270e54ffd08d79d5928020af4686d8f6b7d35dbe470265f1f5aa22816ce860e
pkEm: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b32 pkEm: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b32
5ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4 5ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4
skEm: skEm:
skipping to change at page 71, line 35 skipping to change at line 2921
key_schedule_context: 00b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce key_schedule_context: 00b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce
efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1 efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85 1d493ae1c1d9ac85
secret: secret:
2eb7b6bf138f6b5aff857414a058a3f1750054a9ba1f72c2cf0684a6f20b10e1 2eb7b6bf138f6b5aff857414a058a3f1750054a9ba1f72c2cf0684a6f20b10e1
key: 868c066ef58aae6dc589b6cfdd18f97e key: 868c066ef58aae6dc589b6cfdd18f97e
base_nonce: 4e0bc5018beba4bf004cca59 base_nonce: 4e0bc5018beba4bf004cca59
exporter_secret: exporter_secret:
14ad94af484a7ad3ef40e9f3be99ecc6fa9036df9d4920548424df127ee0d99f 14ad94af484a7ad3ef40e9f3be99ecc6fa9036df9d4920548424df127ee0d99f
B.3.1.1. Encryptions A.3.1.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 4e0bc5018beba4bf004cca59 nonce: 4e0bc5018beba4bf004cca59
ct: 5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f ct: 5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f
9076ac232e3ab2523f39513434 9076ac232e3ab2523f39513434
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 72, line 46 skipping to change at line 2965
ct: 2ad71c85bf3f45c6eca301426289854b31448bcf8a8ccb1deef3ebd87f60848a ct: 2ad71c85bf3f45c6eca301426289854b31448bcf8a8ccb1deef3ebd87f60848a
a53c538c30a4dac71d619ee2cd a53c538c30a4dac71d619ee2cd
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 4e0bc5018beba4bf004ccb59 nonce: 4e0bc5018beba4bf004ccb59
ct: 10f179686aa2caec1758c8e554513f16472bd0a11e2a907dde0b212cbe87d74f ct: 10f179686aa2caec1758c8e554513f16472bd0a11e2a907dde0b212cbe87d74f
367f8ffe5e41cd3e9962a6afb2 367f8ffe5e41cd3e9962a6afb2
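The "Encryptions" vectors above exercise the per-message nonce rule of RFC 9180 Section 5.2: each message is sealed under nonce = base_nonce XOR I2OSP(seq, Nn), and the context refuses to continue once seq would wrap, since a repeated nonce under AES-GCM or ChaCha20Poly1305 breaks both confidentiality and integrity. The following is an added example, not code from the RFC or from any HPKE implementation: it recomputes the nonces for the A.3.1.1 vectors and, when the third-party 'cryptography' package happens to be installed, decrypts the ciphertexts with the key and base_nonce printed under A.3.1. The names RecipientContext, compute_nonce, aes128_gcm_open and check_a31_vectors are illustrative and are not an API defined by the RFC.

```python
"""Per-message nonce derivation for HPKE contexts (RFC 9180, Section 5.2).

Added example, not code from the RFC. It implements
    ComputeNonce(seq) = base_nonce XOR I2OSP(seq, Nn)
with the IncrementSeq() guard that stops a context before the counter could
wrap and a nonce repeat, and checks the result against the A.3.1.1 vectors.
Decryption uses the third-party 'cryptography' package if it is installed;
otherwise the opener returns None and only the nonce arithmetic is checked.
"""
from typing import Callable, Optional

NN = 12  # Nn for AES-128-GCM, AES-256-GCM and ChaCha20Poly1305


class MessageLimitReachedError(Exception):
    """seq has reached 2^(8*Nn) - 1; sealing again would reuse a nonce."""


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    """base_nonce XOR I2OSP(seq, Nn), as in Section 5.2 of the RFC."""
    if len(base_nonce) != NN:
        raise ValueError("base_nonce must be exactly Nn bytes")
    if not 0 <= seq < (1 << (8 * NN)):
        raise MessageLimitReachedError(seq)
    seq_bytes = seq.to_bytes(NN, "big")
    return bytes(a ^ b for a, b in zip(base_nonce, seq_bytes))


def aes128_gcm_open(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> Optional[bytes]:
    """AEAD Open for AES-128-GCM via 'cryptography' (assumed installed); None if it is absent."""
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return None
    return AESGCM(key).decrypt(nonce, ct, aad)  # raises InvalidTag on a forged ct or aad


class RecipientContext:
    """Recipient half of an HPKE context: key, base_nonce and a strictly increasing seq."""

    def __init__(self, key: bytes, base_nonce: bytes,
                 aead_open: Callable[[bytes, bytes, bytes, bytes], Optional[bytes]] = aes128_gcm_open):
        self.key, self.base_nonce, self.seq = key, base_nonce, 0
        self._open = aead_open

    def increment_seq(self) -> None:
        """IncrementSeq(): refuse to advance past the last usable counter value."""
        if self.seq >= (1 << (8 * NN)) - 1:
            raise MessageLimitReachedError(self.seq)
        self.seq += 1

    def open(self, aad: bytes, ct: bytes) -> Optional[bytes]:
        """Open(aad, ct) under the nonce for the current seq, then advance seq.

        A failed authentication raises before seq is advanced, as in the RFC.
        """
        nonce = compute_nonce(self.base_nonce, self.seq)
        pt = self._open(self.key, nonce, aad, ct)
        self.increment_seq()
        return pt


# Values copied from the A.3.1 / A.3.1.1 vectors above (base mode, AES-128-GCM).
A31_KEY = bytes.fromhex("868c066ef58aae6dc589b6cfdd18f97e")
A31_BASE_NONCE = bytes.fromhex("4e0bc5018beba4bf004cca59")
A31_PT = bytes.fromhex("4265617574792069732074727574682c20747275746820626561757479")  # "Beauty is truth, truth beauty"
A31_ENCRYPTIONS = {  # seq -> (aad, expected nonce, ct); seq 1..255 are elided on this page
    0: ("436f756e742d30", "4e0bc5018beba4bf004cca59",
        "5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f9076ac232e3ab2523f39513434"),
    256: ("436f756e742d323536", "4e0bc5018beba4bf004ccb59",
          "10f179686aa2caec1758c8e554513f16472bd0a11e2a907dde0b212cbe87d74f367f8ffe5e41cd3e9962a6afb2"),
}


def check_a31_vectors() -> dict:
    """Recompute each vector's nonce and, when an AEAD is available, decrypt its ciphertext.

    Returns {seq: (nonce_matches_vector, plaintext_or_None)}.
    """
    results = {}
    for seq, (aad_hex, nonce_hex, ct_hex) in A31_ENCRYPTIONS.items():
        ctx = RecipientContext(A31_KEY, A31_BASE_NONCE)
        ctx.seq = seq  # jump to the vector's position in the message sequence
        nonce_ok = compute_nonce(A31_BASE_NONCE, seq).hex() == nonce_hex
        pt = ctx.open(bytes.fromhex(aad_hex), bytes.fromhex(ct_hex))
        results[seq] = (nonce_ok, pt)
    return results


if __name__ == "__main__":
    for seq, (nonce_ok, pt) in check_a31_vectors().items():
        print(seq, "nonce ok" if nonce_ok else "NONCE MISMATCH", pt)
```

The XOR form is why the nonce for sequence number 256 differs from base_nonce only in its second-to-last byte (0xca to 0xcb): I2OSP(256, 12) is eleven zero bytes followed by 0x01 0x00. An implementation that keeps a separate counter per direction, or that decrements seq on a failed Open, would diverge from these vectors immediately.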
B.3.1.2. Exported Values A.3.1.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
5e9bc3d236e1911d95e65b576a8a86d478fb827e8bdfe77b741b289890490d4d 5e9bc3d236e1911d95e65b576a8a86d478fb827e8bdfe77b741b289890490d4d
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
6cff87658931bda83dc857e6353efe4987a201b849658d9b047aab4cf216e796 6cff87658931bda83dc857e6353efe4987a201b849658d9b047aab4cf216e796
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
d8f1ea7942adbba7412c6d431c62d01371ea476b823eb697e1f6e6cae1dab85a d8f1ea7942adbba7412c6d431c62d01371ea476b823eb697e1f6e6cae1dab85a
B.3.2. PSK Setup Information A.3.2. PSK Setup Information
mode: 1 mode: 1
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
2afa611d8b1a7b321c761b483b6a053579afa4f767450d3ad0f84a39fda587a6 2afa611d8b1a7b321c761b483b6a053579afa4f767450d3ad0f84a39fda587a6
pkEm: 04305d35563527bce037773d79a13deabed0e8e7cde61eecee403496959e89 pkEm: 04305d35563527bce037773d79a13deabed0e8e7cde61eecee403496959e89
e4d0ca701726696d1485137ccb5341b3c1c7aaee90a4a02449725e744b1193b53b5f e4d0ca701726696d1485137ccb5341b3c1c7aaee90a4a02449725e744b1193b53b5f
skEm: skEm:
skipping to change at page 74, line 38 skipping to change at line 3018
key_schedule_context: 01b873cdf2dff4c1434988053b7a775e980dd2039ea24f key_schedule_context: 01b873cdf2dff4c1434988053b7a775e980dd2039ea24f
950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1 950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85 1d493ae1c1d9ac85
secret: secret:
f2f534e55931c62eeb2188c1f53450354a725183937e68c85e68d6b267504d26 f2f534e55931c62eeb2188c1f53450354a725183937e68c85e68d6b267504d26
key: 55d9eb9d26911d4c514a990fa8d57048 key: 55d9eb9d26911d4c514a990fa8d57048
base_nonce: b595dc6b2d7e2ed23af529b1 base_nonce: b595dc6b2d7e2ed23af529b1
exporter_secret: exporter_secret:
895a723a1eab809804973a53c0ee18ece29b25a7555a4808277ad2651d66d705 895a723a1eab809804973a53c0ee18ece29b25a7555a4808277ad2651d66d705
B.3.2.1. Encryptions A.3.2.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: b595dc6b2d7e2ed23af529b1 nonce: b595dc6b2d7e2ed23af529b1
ct: 90c4deb5b75318530194e4bb62f890b019b1397bbf9d0d6eb918890e1fb2be1a ct: 90c4deb5b75318530194e4bb62f890b019b1397bbf9d0d6eb918890e1fb2be1a
c2603193b60a49c2126b75d0eb c2603193b60a49c2126b75d0eb
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 75, line 46 skipping to change at line 3062
ct: cdc541253111ed7a424eea5134dc14fc5e8293ab3b537668b8656789628e4589 ct: cdc541253111ed7a424eea5134dc14fc5e8293ab3b537668b8656789628e4589
4e5bb873c968e3b7cdcbb654a4 4e5bb873c968e3b7cdcbb654a4
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: b595dc6b2d7e2ed23af528b1 nonce: b595dc6b2d7e2ed23af528b1
ct: faf985208858b1253b97b60aecd28bc18737b58d1242370e7703ec33b73a4c31 ct: faf985208858b1253b97b60aecd28bc18737b58d1242370e7703ec33b73a4c31
a1afee300e349adef9015bbbfd a1afee300e349adef9015bbbfd
B.3.2.2. Exported Values A.3.2.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
a115a59bf4dd8dc49332d6a0093af8efca1bcbfd3627d850173f5c4a55d0c185 a115a59bf4dd8dc49332d6a0093af8efca1bcbfd3627d850173f5c4a55d0c185
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
4517eaede0669b16aac7c92d5762dd459c301fa10e02237cd5aeb9be969430c4 4517eaede0669b16aac7c92d5762dd459c301fa10e02237cd5aeb9be969430c4
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
164e02144d44b607a7722e58b0f4156e67c0c2874d74cf71da6ca48a4cbdc5e0 164e02144d44b607a7722e58b0f4156e67c0c2874d74cf71da6ca48a4cbdc5e0
B.3.3. Auth Setup Information A.3.3. Auth Setup Information
mode: 2 mode: 2
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
798d82a8d9ea19dbc7f2c6dfa54e8a6706f7cdc119db0813dacf8440ab37c857 798d82a8d9ea19dbc7f2c6dfa54e8a6706f7cdc119db0813dacf8440ab37c857
pkEm: 042224f3ea800f7ec55c03f29fc9865f6ee27004f818fcbdc6dc68932c1e52 pkEm: 042224f3ea800f7ec55c03f29fc9865f6ee27004f818fcbdc6dc68932c1e52
e15b79e264a98f2c535ef06745f3d308624414153b22c7332bc1e691cb4af4d53454 e15b79e264a98f2c535ef06745f3d308624414153b22c7332bc1e691cb4af4d53454
skEm: skEm:
skipping to change at page 77, line 41 skipping to change at line 3118
key_schedule_context: 02b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce key_schedule_context: 02b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ce
efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1 efc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85 1d493ae1c1d9ac85
secret: secret:
fd0a93c7c6f6b1b0dd6a822d7b16f6c61c83d98ad88426df4613c3581a2319f1 fd0a93c7c6f6b1b0dd6a822d7b16f6c61c83d98ad88426df4613c3581a2319f1
key: 19aa8472b3fdc530392b0e54ca17c0f5 key: 19aa8472b3fdc530392b0e54ca17c0f5
base_nonce: b390052d26b67a5b8a8fcaa4 base_nonce: b390052d26b67a5b8a8fcaa4
exporter_secret: exporter_secret:
f152759972660eb0e1db880835abd5de1c39c8e9cd269f6f082ed80e28acb164 f152759972660eb0e1db880835abd5de1c39c8e9cd269f6f082ed80e28acb164
B.3.3.1. Encryptions A.3.3.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: b390052d26b67a5b8a8fcaa4 nonce: b390052d26b67a5b8a8fcaa4
ct: 82ffc8c44760db691a07c5627e5fc2c08e7a86979ee79b494a17cc3405446ac2 ct: 82ffc8c44760db691a07c5627e5fc2c08e7a86979ee79b494a17cc3405446ac2
bdb8f265db4a099ed3289ffe19 bdb8f265db4a099ed3289ffe19
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 78, line 46 skipping to change at line 3162
ct: 4a319462eaedee37248b4d985f64f4f863d31913fe9e30b6e13136053b69fe5d ct: 4a319462eaedee37248b4d985f64f4f863d31913fe9e30b6e13136053b69fe5d
70853c84c60a84bb5495d5a678 70853c84c60a84bb5495d5a678
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: b390052d26b67a5b8a8fcba4 nonce: b390052d26b67a5b8a8fcba4
ct: 28e874512f8940fafc7d06135e7589f6b4198bc0f3a1c64702e72c9e6abaf9f0 ct: 28e874512f8940fafc7d06135e7589f6b4198bc0f3a1c64702e72c9e6abaf9f0
5cb0d2f11b03a517898815c934 5cb0d2f11b03a517898815c934
B.3.3.2. Exported Values A.3.3.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
837e49c3ff629250c8d80d3c3fb957725ed481e59e2feb57afd9fe9a8c7c4497 837e49c3ff629250c8d80d3c3fb957725ed481e59e2feb57afd9fe9a8c7c4497
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
594213f9018d614b82007a7021c3135bda7b380da4acd9ab27165c508640dbda 594213f9018d614b82007a7021c3135bda7b380da4acd9ab27165c508640dbda
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
14fe634f95ca0d86e15247cca7de7ba9b73c9b9deb6437e1c832daf7291b79d5 14fe634f95ca0d86e15247cca7de7ba9b73c9b9deb6437e1c832daf7291b79d5
B.3.4. AuthPSK Setup Information A.3.4. AuthPSK Setup Information
mode: 3 mode: 3
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
3c1fceb477ec954c8d58ef3249e4bb4c38241b5925b95f7486e4d9f1d0d35fbb 3c1fceb477ec954c8d58ef3249e4bb4c38241b5925b95f7486e4d9f1d0d35fbb
pkEm: 046a1de3fc26a3d43f4e4ba97dbe24f7e99181136129c48fbe872d4743e2b1 pkEm: 046a1de3fc26a3d43f4e4ba97dbe24f7e99181136129c48fbe872d4743e2b1
31357ed4f29a7b317dc22509c7b00991ae990bf65f8b236700c82ab7c11a84511401 31357ed4f29a7b317dc22509c7b00991ae990bf65f8b236700c82ab7c11a84511401
skEm: skEm:
skipping to change at page 80, line 44 skipping to change at line 3221
key_schedule_context: 03b873cdf2dff4c1434988053b7a775e980dd2039ea24f key_schedule_context: 03b873cdf2dff4c1434988053b7a775e980dd2039ea24f
950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1 950b26b056ccedcb933198e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed1
1d493ae1c1d9ac85 1d493ae1c1d9ac85
secret: secret:
3bf9d4c7955da2740414e73081fa74d6f6f2b4b9645d0685219813ce99a2f270 3bf9d4c7955da2740414e73081fa74d6f6f2b4b9645d0685219813ce99a2f270
key: 4d567121d67fae1227d90e11585988fb key: 4d567121d67fae1227d90e11585988fb
base_nonce: 67c9d05330ca21e5116ecda6 base_nonce: 67c9d05330ca21e5116ecda6
exporter_secret: exporter_secret:
3f479020ae186788e4dfd4a42a21d24f3faabb224dd4f91c2b2e5e9524ca27b2 3f479020ae186788e4dfd4a42a21d24f3faabb224dd4f91c2b2e5e9524ca27b2
B.3.4.1. Encryptions A.3.4.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 67c9d05330ca21e5116ecda6 nonce: 67c9d05330ca21e5116ecda6
ct: b9f36d58d9eb101629a3e5a7b63d2ee4af42b3644209ab37e0a272d44365407d ct: b9f36d58d9eb101629a3e5a7b63d2ee4af42b3644209ab37e0a272d44365407d
b8e655c72e4fa46f4ff81b9246 b8e655c72e4fa46f4ff81b9246
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 81, line 46 skipping to change at line 3265
ct: 6de25ceadeaec572fbaa25eda2558b73c383fe55106abaec24d518ef6724a7ce ct: 6de25ceadeaec572fbaa25eda2558b73c383fe55106abaec24d518ef6724a7ce
698f83ecdc53e640fe214d2f42 698f83ecdc53e640fe214d2f42
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 67c9d05330ca21e5116ecca6 nonce: 67c9d05330ca21e5116ecca6
ct: f380e19d291e12c5e378b51feb5cd50f6d00df6cb2af8393794c4df342126c2e ct: f380e19d291e12c5e378b51feb5cd50f6d00df6cb2af8393794c4df342126c2e
29633fe7e8ce49587531affd4d 29633fe7e8ce49587531affd4d
B.3.4.2. Exported Values A.3.4.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
595ce0eff405d4b3bb1d08308d70a4e77226ce11766e0a94c4fdb5d90025c978 595ce0eff405d4b3bb1d08308d70a4e77226ce11766e0a94c4fdb5d90025c978
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
110472ee0ae328f57ef7332a9886a1992d2c45b9b8d5abc9424ff68630f7d38d 110472ee0ae328f57ef7332a9886a1992d2c45b9b8d5abc9424ff68630f7d38d
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
18ee4d001a9d83a4c67e76f88dd747766576cac438723bad0700a910a4d717e6 18ee4d001a9d83a4c67e76f88dd747766576cac438723bad0700a910a4d717e6
B.4. DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM A.4. DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM
B.4.1. Base Setup Information A.4.1. Base Setup Information
mode: 0 mode: 0
kem_id: 16 kem_id: 16
kdf_id: 3 kdf_id: 3
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
4ab11a9dd78c39668f7038f921ffc0993b368171d3ddde8031501ee1e08c4c9a 4ab11a9dd78c39668f7038f921ffc0993b368171d3ddde8031501ee1e08c4c9a
pkEm: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a pkEm: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a
15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580 15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580
skEm: skEm:
skipping to change at page 83, line 38 skipping to change at line 3320
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1 4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9 252ef4f9
secret: 0c7acdab61693f936c4c1256c78e7be30eebfe466812f9cc49f0b58dc970 secret: 0c7acdab61693f936c4c1256c78e7be30eebfe466812f9cc49f0b58dc970
328dfc03ea359be0250a471b1635a193d2dfa8cb23c90aa2e25025b892a725353eeb 328dfc03ea359be0250a471b1635a193d2dfa8cb23c90aa2e25025b892a725353eeb
key: 090ca96e5f8aa02b69fac360da50ddf9 key: 090ca96e5f8aa02b69fac360da50ddf9
base_nonce: 9c995e621bf9a20c5ca45546 base_nonce: 9c995e621bf9a20c5ca45546
exporter_secret: 4a7abb2ac43e6553f129b2c5750a7e82d149a76ed56dc342d7b exporter_secret: 4a7abb2ac43e6553f129b2c5750a7e82d149a76ed56dc342d7b
ca61e26d494f4855dff0d0165f27ce57756f7f16baca006539bb8e4518987ba61048 ca61e26d494f4855dff0d0165f27ce57756f7f16baca006539bb8e4518987ba61048
0ac03efa8 0ac03efa8
B.4.1.1. Encryptions A.4.1.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 9c995e621bf9a20c5ca45546 nonce: 9c995e621bf9a20c5ca45546
ct: d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c8890 ct: d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c8890
7200b332003543754eb51917ba 7200b332003543754eb51917ba
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 84, line 46 skipping to change at line 3364
ct: be5da649469efbad0fb950366a82a73fefeda5f652ec7d3731fac6c4ffa21a70 ct: be5da649469efbad0fb950366a82a73fefeda5f652ec7d3731fac6c4ffa21a70
04d2ab8a04e13621bd3629547d 04d2ab8a04e13621bd3629547d
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 9c995e621bf9a20c5ca45446 nonce: 9c995e621bf9a20c5ca45446
ct: 62092672f5328a0dde095e57435edf7457ace60b26ee44c9291110ec135cb0e1 ct: 62092672f5328a0dde095e57435edf7457ace60b26ee44c9291110ec135cb0e1
4b85594e4fea11247d937deb62 4b85594e4fea11247d937deb62
B.4.1.2. Exported Values A.4.1.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
a32186b8946f61aeead1c093fe614945f85833b165b28c46bf271abf16b57208 a32186b8946f61aeead1c093fe614945f85833b165b28c46bf271abf16b57208
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
84998b304a0ea2f11809398755f0abd5f9d2c141d1822def79dd15c194803c2a 84998b304a0ea2f11809398755f0abd5f9d2c141d1822def79dd15c194803c2a
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
93fb9411430b2cfa2cf0bed448c46922a5be9beff20e2e621df7e4655852edbc 93fb9411430b2cfa2cf0bed448c46922a5be9beff20e2e621df7e4655852edbc
B.4.2. PSK Setup Information A.4.2. PSK Setup Information
mode: 1 mode: 1
kem_id: 16 kem_id: 16
kdf_id: 3 kdf_id: 3
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
c11d883d6587f911d2ddbc2a0859d5b42fb13bf2c8e89ef408a25564893856f5 c11d883d6587f911d2ddbc2a0859d5b42fb13bf2c8e89ef408a25564893856f5
pkEm: 04a307934180ad5287f95525fe5bc6244285d7273c15e061f0f2efb211c350 pkEm: 04a307934180ad5287f95525fe5bc6244285d7273c15e061f0f2efb211c350
57f3079f6e0abae200992610b25f48b63aacfcb669106ddee8aa023feed301901371 57f3079f6e0abae200992610b25f48b63aacfcb669106ddee8aa023feed301901371
skEm: skEm:
skipping to change at page 86, line 41 skipping to change at line 3420
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1 4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9 252ef4f9
secret: ff2051d2128d5f3078de867143e076262ce1d0aecafc3fff3d607f1eaff0 secret: ff2051d2128d5f3078de867143e076262ce1d0aecafc3fff3d607f1eaff0
5345c7d5ffcb3202cdecb3d1a2f7da20592a237747b6e855390cbe2109d3e6ac70c2 5345c7d5ffcb3202cdecb3d1a2f7da20592a237747b6e855390cbe2109d3e6ac70c2
key: 0b910ba8d9cfa17e5f50c211cb32839a key: 0b910ba8d9cfa17e5f50c211cb32839a
base_nonce: 0c29e714eb52de5b7415a1b7 base_nonce: 0c29e714eb52de5b7415a1b7
exporter_secret: 50c0a182b6f94b4c0bd955c4aa20df01f282cc12c43065a0812 exporter_secret: 50c0a182b6f94b4c0bd955c4aa20df01f282cc12c43065a0812
fe4d4352790171ed2b2c4756ad7f5a730ba336c8f1edd0089d8331192058c385bae3 fe4d4352790171ed2b2c4756ad7f5a730ba336c8f1edd0089d8331192058c385bae3
9c7cc8b57 9c7cc8b57
B.4.2.1. Encryptions A.4.2.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 0c29e714eb52de5b7415a1b7 nonce: 0c29e714eb52de5b7415a1b7
ct: 57624b6e320d4aba0afd11f548780772932f502e2ba2a8068676b2a0d3b5129a ct: 57624b6e320d4aba0afd11f548780772932f502e2ba2a8068676b2a0d3b5129a
45b9faa88de39e8306da41d4cc 45b9faa88de39e8306da41d4cc
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 87, line 46 skipping to change at line 3464
ct: 377a98a3c34bf716581b05a6b3fdc257f245856384d5f2241c8840571c52f5c8 ct: 377a98a3c34bf716581b05a6b3fdc257f245856384d5f2241c8840571c52f5c8
5c21138a4a81655edab8fe227d 5c21138a4a81655edab8fe227d
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 0c29e714eb52de5b7415a0b7 nonce: 0c29e714eb52de5b7415a0b7
ct: cc161f5a179831d456d119d2f2c19a6817289c75d1c61cd37ac8a450acd9efba ct: cc161f5a179831d456d119d2f2c19a6817289c75d1c61cd37ac8a450acd9efba
02e0ac00d128c17855931ff69a 02e0ac00d128c17855931ff69a
B.4.2.2. Exported Values A.4.2.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
8158bea21a6700d37022bb7802866edca30ebf2078273757b656ef7fc2e428cf 8158bea21a6700d37022bb7802866edca30ebf2078273757b656ef7fc2e428cf
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
6a348ba6e0e72bb3ef22479214a139ef8dac57be34509a61087a12565473da8d 6a348ba6e0e72bb3ef22479214a139ef8dac57be34509a61087a12565473da8d
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
2f6d4f7a18ec48de1ef4469f596aada4afdf6d79b037ed3c07e0118f8723bffc 2f6d4f7a18ec48de1ef4469f596aada4afdf6d79b037ed3c07e0118f8723bffc
B.4.3. Auth Setup Information A.4.3. Auth Setup Information
mode: 2 mode: 2
kem_id: 16 kem_id: 16
kdf_id: 3 kdf_id: 3
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
6bb031aa9197562da0b44e737db2b9e61f6c3ea1138c37de28fc37ac29bc7350 6bb031aa9197562da0b44e737db2b9e61f6c3ea1138c37de28fc37ac29bc7350
pkEm: 04fec59fa9f76f5d0f6c1660bb179cb314ed97953c53a60ab38f8e6ace60fd pkEm: 04fec59fa9f76f5d0f6c1660bb179cb314ed97953c53a60ab38f8e6ace60fd
59178084d0dd66e0f79172992d4ddb2e91172ce24949bcebfff158dcc417f2c6e9c6 59178084d0dd66e0f79172992d4ddb2e91172ce24949bcebfff158dcc417f2c6e9c6
skEm: skEm:
skipping to change at page 89, line 44 skipping to change at line 3523
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1 4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9 252ef4f9
secret: 9c846ba81ddbbd57bc26d99da6cf7ab956bb735ecd47fe21ed14241c7079 secret: 9c846ba81ddbbd57bc26d99da6cf7ab956bb735ecd47fe21ed14241c7079
1b7484c1d06663d21a5d97bf1be70d56ab727f650c4f859c5ed3f71f8928b3c082dd 1b7484c1d06663d21a5d97bf1be70d56ab727f650c4f859c5ed3f71f8928b3c082dd
key: 9d4b1c83129f3de6db95faf3d539dcf1 key: 9d4b1c83129f3de6db95faf3d539dcf1
base_nonce: ea4fd7a485ee5f1f4b62c1b7 base_nonce: ea4fd7a485ee5f1f4b62c1b7
exporter_secret: ca2410672369aae1afd6c2639f4fe34ca36d35410c090608d29 exporter_secret: ca2410672369aae1afd6c2639f4fe34ca36d35410c090608d29
24f60def17f910d7928575434d7f991b1f19d3e8358b8278ff59ced0d5eed4774cec 24f60def17f910d7928575434d7f991b1f19d3e8358b8278ff59ced0d5eed4774cec
72e12766e 72e12766e
B.4.3.1. Encryptions A.4.3.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: ea4fd7a485ee5f1f4b62c1b7 nonce: ea4fd7a485ee5f1f4b62c1b7
ct: 2480179d880b5f458154b8bfe3c7e8732332de84aabf06fc440f6b31f169e154 ct: 2480179d880b5f458154b8bfe3c7e8732332de84aabf06fc440f6b31f169e154
157fa9eb44f2fa4d7b38a9236e 157fa9eb44f2fa4d7b38a9236e
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 90, line 46 skipping to change at line 3567
ct: d084eca50e7554bb97ba34c4482dfe32c9a2b7f3ab009c2d1b68ecbf97bee2d2 ct: d084eca50e7554bb97ba34c4482dfe32c9a2b7f3ab009c2d1b68ecbf97bee2d2
8cd94b6c829b96361f2701772d 8cd94b6c829b96361f2701772d
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: ea4fd7a485ee5f1f4b62c0b7 nonce: ea4fd7a485ee5f1f4b62c0b7
ct: 247da592cc4ce834a94de2c79f5730ee49342470a021e4a4bc2bb77c53b17413 ct: 247da592cc4ce834a94de2c79f5730ee49342470a021e4a4bc2bb77c53b17413
e94d94f57b4fdaedcf97cfe7b1 e94d94f57b4fdaedcf97cfe7b1
B.4.3.2. Exported Values A.4.3.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
f03fbc82f321a0ab4840e487cb75d07aafd8e6f68485e4f7ff72b2f55ff24ad6 f03fbc82f321a0ab4840e487cb75d07aafd8e6f68485e4f7ff72b2f55ff24ad6
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
1ce0cadec0a8f060f4b5070c8f8888dcdfefc2e35819df0cd559928a11ff0891 1ce0cadec0a8f060f4b5070c8f8888dcdfefc2e35819df0cd559928a11ff0891
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
70c405c707102fd0041ea716090753be47d68d238b111d542846bd0d84ba907c 70c405c707102fd0041ea716090753be47d68d238b111d542846bd0d84ba907c
B.4.4. AuthPSK Setup Information A.4.4. AuthPSK Setup Information
mode: 3 mode: 3
kem_id: 16 kem_id: 16
kdf_id: 3 kdf_id: 3
aead_id: 1 aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
37ae06a521cd555648c928d7af58ad2aa4a85e34b8cabd069e94ad55ab872cc8 37ae06a521cd555648c928d7af58ad2aa4a85e34b8cabd069e94ad55ab872cc8
pkEm: 04801740f4b1b35823f7fb2930eac2efc8c4893f34ba111c0bb976e3c7d5dc pkEm: 04801740f4b1b35823f7fb2930eac2efc8c4893f34ba111c0bb976e3c7d5dc
0aef5a7ef0bf4057949a140285f774f1efc53b3860936b92279a11b68395d898d138 0aef5a7ef0bf4057949a140285f774f1efc53b3860936b92279a11b68395d898d138
skEm: skEm:
skipping to change at page 92, line 47 skipping to change at line 3629
4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1 4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1
252ef4f9 252ef4f9
secret: 0f9df08908a6a3d06c8e934cd3f5313f9ebccd0986e316c0198bb48bed30 secret: 0f9df08908a6a3d06c8e934cd3f5313f9ebccd0986e316c0198bb48bed30
dc3db2f3baab94fd40c2c285c7288c77e2255401ee2d5884306addf4296b93c238b3 dc3db2f3baab94fd40c2c285c7288c77e2255401ee2d5884306addf4296b93c238b3
key: b68bb0e2fbf7431cedb46cc3b6f1fe9e key: b68bb0e2fbf7431cedb46cc3b6f1fe9e
base_nonce: 76af62719d33d39a1cb6be9f base_nonce: 76af62719d33d39a1cb6be9f
exporter_secret: 7f72308ae68c9a2b3862e686cb547b16d33d00fe482c770c471 exporter_secret: 7f72308ae68c9a2b3862e686cb547b16d33d00fe482c770c471
7d8b54e9b1e547244c3602bdd86d5a788a8443befea0a7658002b23f1c96a62a6498 7d8b54e9b1e547244c3602bdd86d5a788a8443befea0a7658002b23f1c96a62a6498
6fffc511a 6fffc511a
B.4.4.1. Encryptions A.4.4.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 76af62719d33d39a1cb6be9f nonce: 76af62719d33d39a1cb6be9f
ct: 840669634db51e28df54f189329c1b727fd303ae413f003020aff5e26276aaa9 ct: 840669634db51e28df54f189329c1b727fd303ae413f003020aff5e26276aaa9
10fc4296828cb9d862c2fd7d16 10fc4296828cb9d862c2fd7d16
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 93, line 46 skipping to change at line 3673
ct: 65596b731df010c76a915c6271a438056ce65696459432eeafdae7b4cadb6290 ct: 65596b731df010c76a915c6271a438056ce65696459432eeafdae7b4cadb6290
dd61e68edd4e40b659d2a8cbcc dd61e68edd4e40b659d2a8cbcc
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 76af62719d33d39a1cb6bf9f nonce: 76af62719d33d39a1cb6bf9f
ct: 9f659482ebc52f8303f9eac75656d807ec38ce2e50c72e3078cd13d86b30e3f8 ct: 9f659482ebc52f8303f9eac75656d807ec38ce2e50c72e3078cd13d86b30e3f8
90690a873277620f8a6a42d836 90690a873277620f8a6a42d836
B.4.4.2. Exported Values A.4.4.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
c8c917e137a616d3d4e4c9fcd9c50202f366cb0d37862376bc79f9b72e8a8db9 c8c917e137a616d3d4e4c9fcd9c50202f366cb0d37862376bc79f9b72e8a8db9
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
33a5d4df232777008a06d0684f23bb891cfaef702f653c8601b6ad4d08dddddf 33a5d4df232777008a06d0684f23bb891cfaef702f653c8601b6ad4d08dddddf
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
bed80f2e54f1285895c4a3f3b3625e6206f78f1ed329a0cfb5864f7c139b3c6a bed80f2e54f1285895c4a3f3b3625e6206f78f1ed329a0cfb5864f7c139b3c6a
B.5. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305 A.5. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
B.5.1. Base Setup Information A.5.1. Base Setup Information
mode: 0 mode: 0
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 3 aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
f1f1a3bc95416871539ecb51c3a8f0cf608afb40fbbe305c0a72819d35c33f1f f1f1a3bc95416871539ecb51c3a8f0cf608afb40fbbe305c0a72819d35c33f1f
pkEm: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c09582782 pkEm: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c09582782
4fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291 4fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291
skEm: skEm:
skipping to change at page 95, line 36 skipping to change at line 3726
40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140 40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c 0b47c33038b0269c
secret: secret:
fe891101629aa355aad68eff3cc5170d057eca0c7573f6575e91f9783e1d4506 fe891101629aa355aad68eff3cc5170d057eca0c7573f6575e91f9783e1d4506
key: key:
a8f45490a92a3b04d1dbf6cf2c3939ad8bfc9bfcb97c04bffe116730c9dfe3fc a8f45490a92a3b04d1dbf6cf2c3939ad8bfc9bfcb97c04bffe116730c9dfe3fc
base_nonce: 726b4390ed2209809f58c693 base_nonce: 726b4390ed2209809f58c693
exporter_secret: exporter_secret:
4f9bd9b3a8db7d7c3a5b9d44fdc1f6e37d5d77689ade5ec44a7242016e6aa205 4f9bd9b3a8db7d7c3a5b9d44fdc1f6e37d5d77689ade5ec44a7242016e6aa205
B.5.1.1. Encryptions A.5.1.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 726b4390ed2209809f58c693 nonce: 726b4390ed2209809f58c693
ct: 6469c41c5c81d3aa85432531ecf6460ec945bde1eb428cb2fedf7a29f5a685b4 ct: 6469c41c5c81d3aa85432531ecf6460ec945bde1eb428cb2fedf7a29f5a685b4
ccb0d057f03ea2952a27bb458b ccb0d057f03ea2952a27bb458b
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 96, line 46 skipping to change at line 3770
ct: 8f2814a2c548b3be50259713c6724009e092d37789f6856553d61df23ebc0792 ct: 8f2814a2c548b3be50259713c6724009e092d37789f6856553d61df23ebc0792
35f710e6af3c3ca6eaba7c7c6c 35f710e6af3c3ca6eaba7c7c6c
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 726b4390ed2209809f58c793 nonce: 726b4390ed2209809f58c793
ct: b45b69d419a9be7219d8c94365b89ad6951caf4576ea4774ea40e9b7047a09d6 ct: b45b69d419a9be7219d8c94365b89ad6951caf4576ea4774ea40e9b7047a09d6
537d1aa2f7c12d6ae4b729b4d0 537d1aa2f7c12d6ae4b729b4d0
B.5.1.2. Exported Values A.5.1.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
9b13c510416ac977b553bf1741018809c246a695f45eff6d3b0356dbefe1e660 9b13c510416ac977b553bf1741018809c246a695f45eff6d3b0356dbefe1e660
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
6c8b7be3a20a5684edecb4253619d9051ce8583baf850e0cb53c402bdcaf8ebb 6c8b7be3a20a5684edecb4253619d9051ce8583baf850e0cb53c402bdcaf8ebb
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
477a50d804c7c51941f69b8e32fe8288386ee1a84905fe4938d58972f24ac938 477a50d804c7c51941f69b8e32fe8288386ee1a84905fe4938d58972f24ac938
B.5.2. PSK Setup Information A.5.2. PSK Setup Information
mode: 1 mode: 1
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 3 aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
e1a4e1d50c4bfcf890f2b4c7d6b2d2aca61368eddc3c84162df2856843e1057a e1a4e1d50c4bfcf890f2b4c7d6b2d2aca61368eddc3c84162df2856843e1057a
pkEm: 04f336578b72ad7932fe867cc4d2d44a718a318037a0ec271163699cee653f pkEm: 04f336578b72ad7932fe867cc4d2d44a718a318037a0ec271163699cee653f
a805c1fec955e562663e0c2061bb96a87d78892bff0cc0bad7906c2d998ebe1a7246 a805c1fec955e562663e0c2061bb96a87d78892bff0cc0bad7906c2d998ebe1a7246
skEm: skEm:
skipping to change at page 98, line 39 skipping to change at line 3824
640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140 640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c 0b47c33038b0269c
secret: secret:
858c8087a1c056db5811e85802f375bb0c19b9983204a1575de4803575d23239 858c8087a1c056db5811e85802f375bb0c19b9983204a1575de4803575d23239
key: key:
6d61cb330b7771168c8619498e753f16198aad9566d1f1c6c70e2bc1a1a8b142 6d61cb330b7771168c8619498e753f16198aad9566d1f1c6c70e2bc1a1a8b142
base_nonce: 0de7655fb65e1cd51a38864e base_nonce: 0de7655fb65e1cd51a38864e
exporter_secret: exporter_secret:
754ca00235b245e72d1f722a7718e7145bd113050a2aa3d89586d4cb7514bfdb 754ca00235b245e72d1f722a7718e7145bd113050a2aa3d89586d4cb7514bfdb
B.5.2.1. Encryptions A.5.2.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 0de7655fb65e1cd51a38864e nonce: 0de7655fb65e1cd51a38864e
ct: 21433eaff24d7706f3ed5b9b2e709b07230e2b11df1f2b1fe07b3c70d5948a53 ct: 21433eaff24d7706f3ed5b9b2e709b07230e2b11df1f2b1fe07b3c70d5948a53
d6fa5c8bed194020bd9df0877b d6fa5c8bed194020bd9df0877b
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 99, line 46 skipping to change at line 3868
ct: 6324570c9d542c70c7e70570c1d8f4c52a89484746bf0625441890ededcc80c2 ct: 6324570c9d542c70c7e70570c1d8f4c52a89484746bf0625441890ededcc80c2
4ef2301c38bfd34d689d19f67d 4ef2301c38bfd34d689d19f67d
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 0de7655fb65e1cd51a38874e nonce: 0de7655fb65e1cd51a38874e
ct: 1ea6326c8098ed0437a553c466550114fb2ca1412cca7de98709b9ccdf19206e ct: 1ea6326c8098ed0437a553c466550114fb2ca1412cca7de98709b9ccdf19206e
52c3d39180e2cf62b3e9f4baf4 52c3d39180e2cf62b3e9f4baf4
B.5.2.2. Exported Values A.5.2.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
530bbc2f68f078dccc89cc371b4f4ade372c9472bafe4601a8432cbb934f528d 530bbc2f68f078dccc89cc371b4f4ade372c9472bafe4601a8432cbb934f528d
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
6e25075ddcc528c90ef9218f800ca3dfe1b8ff4042de5033133adb8bd54c401d 6e25075ddcc528c90ef9218f800ca3dfe1b8ff4042de5033133adb8bd54c401d
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
6f6fbd0d1c7733f796461b3235a856cc34f676fe61ed509dfc18fa16efe6be78 6f6fbd0d1c7733f796461b3235a856cc34f676fe61ed509dfc18fa16efe6be78
B.5.3. Auth Setup Information A.5.3. Auth Setup Information
mode: 2 mode: 2
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 3 aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
0ecd212019008138a31f9104d5dba76b9f8e34d5b996041fff9e3df221dd0d5d 0ecd212019008138a31f9104d5dba76b9f8e34d5b996041fff9e3df221dd0d5d
pkEm: 040d5176aedba55bc41709261e9195c5146bb62d783031280775f32e507d79 pkEm: 040d5176aedba55bc41709261e9195c5146bb62d783031280775f32e507d79
b5cbc5748b6be6359760c73cfe10ca19521af704ca6d91ff32fc0739527b9385d415 b5cbc5748b6be6359760c73cfe10ca19521af704ca6d91ff32fc0739527b9385d415
skEm: skEm:
skipping to change at page 101, line 42 skipping to change at line 3925
40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140 40e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c 0b47c33038b0269c
secret: secret:
9193210815b87a4c5496c9d73e609a6c92665b5ea0d760866294906d089ebb57 9193210815b87a4c5496c9d73e609a6c92665b5ea0d760866294906d089ebb57
key: key:
cf292f8a4313280a462ce55cde05b5aa5744fe4ca89a5d81b0146a5eaca8092d cf292f8a4313280a462ce55cde05b5aa5744fe4ca89a5d81b0146a5eaca8092d
base_nonce: 7e45c21e20e869ae00492123 base_nonce: 7e45c21e20e869ae00492123
exporter_secret: exporter_secret:
dba6e307f71769ba11e2c687cc19592f9d436da0c81e772d7a8a9fd28e54355f dba6e307f71769ba11e2c687cc19592f9d436da0c81e772d7a8a9fd28e54355f
B.5.3.1. Encryptions A.5.3.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 7e45c21e20e869ae00492123 nonce: 7e45c21e20e869ae00492123
ct: 25881f219935eec5ba70d7b421f13c35005734f3e4d959680270f55d71e2f5cb ct: 25881f219935eec5ba70d7b421f13c35005734f3e4d959680270f55d71e2f5cb
3bd2daced2770bf3d9d4916872 3bd2daced2770bf3d9d4916872
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 102, line 46 skipping to change at line 3969
ct: dd29319e08135c5f8401d6537a364e92172c0e3f095f3fd18923881d11c0a683 ct: dd29319e08135c5f8401d6537a364e92172c0e3f095f3fd18923881d11c0a683
9345dd0b54acd0edd8f8344792 9345dd0b54acd0edd8f8344792
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 7e45c21e20e869ae00492023 nonce: 7e45c21e20e869ae00492023
ct: e2276ec5047bc4b6ed57d6da7da2fb47a77502f0a30f17d040247c73da336d72 ct: e2276ec5047bc4b6ed57d6da7da2fb47a77502f0a30f17d040247c73da336d72
2bc6c89adf68396a0912c6d152 2bc6c89adf68396a0912c6d152
B.5.3.2. Exported Values A.5.3.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
56c4d6c1d3a46c70fd8f4ecda5d27c70886e348efb51bd5edeaa39ff6ce34389 56c4d6c1d3a46c70fd8f4ecda5d27c70886e348efb51bd5edeaa39ff6ce34389
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
d2d3e48ed76832b6b3f28fa84be5f11f09533c0e3c71825a34fb0f1320891b51 d2d3e48ed76832b6b3f28fa84be5f11f09533c0e3c71825a34fb0f1320891b51
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
eb0d312b6263995b4c7761e64b688c215ffd6043ff3bad2368c862784cbe6eff eb0d312b6263995b4c7761e64b688c215ffd6043ff3bad2368c862784cbe6eff
B.5.4. AuthPSK Setup Information A.5.4. AuthPSK Setup Information
mode: 3 mode: 3
kem_id: 16 kem_id: 16
kdf_id: 1 kdf_id: 1
aead_id: 3 aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
f3a07f194703e321ef1f753a1b9fe27a498dfdfa309151d70bedd896c239c499 f3a07f194703e321ef1f753a1b9fe27a498dfdfa309151d70bedd896c239c499
pkEm: 043539917ee26f8ae0aa5f784a387981b13de33124a3cde88b946720301831 pkEm: 043539917ee26f8ae0aa5f784a387981b13de33124a3cde88b946720301831
10f331400115855808244ff0c5b6ca6104483ac95724481d41bdcd9f15b430ad16f6 10f331400115855808244ff0c5b6ca6104483ac95724481d41bdcd9f15b430ad16f6
skEm: skEm:
skipping to change at page 104, line 45 skipping to change at line 4029
640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140 640bda367c5d67b3fbeb2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b140
0b47c33038b0269c 0b47c33038b0269c
secret: secret:
fe52b4412590e825ea2603fa88e145b2ee014b942a774b55fab4f081301f16f4 fe52b4412590e825ea2603fa88e145b2ee014b942a774b55fab4f081301f16f4
key: key:
31e140c8856941315d4067239fdc4ebe077fbf45a6fc78a61e7a6c8b3bacb10a 31e140c8856941315d4067239fdc4ebe077fbf45a6fc78a61e7a6c8b3bacb10a
base_nonce: 75838a8010d2e4760254dd56 base_nonce: 75838a8010d2e4760254dd56
exporter_secret: exporter_secret:
600895965755db9c5027f25f039a6e3e506c35b3b7084ce33c4a48d59ee1f0e3 600895965755db9c5027f25f039a6e3e506c35b3b7084ce33c4a48d59ee1f0e3
B.5.4.1. Encryptions A.5.4.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 75838a8010d2e4760254dd56 nonce: 75838a8010d2e4760254dd56
ct: 9eadfa0f954835e7e920ffe56dec6b31a046271cf71fdda55db72926e1d8fae9 ct: 9eadfa0f954835e7e920ffe56dec6b31a046271cf71fdda55db72926e1d8fae9
4cc6280fcfabd8db71eaa65c05 4cc6280fcfabd8db71eaa65c05
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 105, line 46 skipping to change at line 4073
ct: eaf4041a5c9122b22d1f8d698eeffe45d64b4ae33d0ddca3a4cdf4a5f595acc9 ct: eaf4041a5c9122b22d1f8d698eeffe45d64b4ae33d0ddca3a4cdf4a5f595acc9
5a1a9334d06cc4d000df6aaad6 5a1a9334d06cc4d000df6aaad6
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 75838a8010d2e4760254dc56 nonce: 75838a8010d2e4760254dc56
ct: fb857f4185ce5286c1a52431867537204963ea66a3eee8d2a74419fd8751faee ct: fb857f4185ce5286c1a52431867537204963ea66a3eee8d2a74419fd8751faee
066d08277ac7880473aa4143ba 066d08277ac7880473aa4143ba
B.5.4.2. Exported Values A.5.4.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
c52b4592cd33dd38b2a3613108ddda28dcf7f03d30f2a09703f758bfa8029c9a c52b4592cd33dd38b2a3613108ddda28dcf7f03d30f2a09703f758bfa8029c9a
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
2f03bebc577e5729e148554991787222b5c2a02b77e9b1ac380541f710e5a318 2f03bebc577e5729e148554991787222b5c2a02b77e9b1ac380541f710e5a318
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
e01dd49e8bfc3d9216abc1be832f0418adf8b47a7b5a330a7436c31e33d765d7 e01dd49e8bfc3d9216abc1be832f0418adf8b47a7b5a330a7436c31e33d765d7
B.6. DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM A.6. DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM
A.6.1. Base Setup Information
B.6.1. Base Setup Information
mode: 0 mode: 0
kem_id: 18 kem_id: 18
kdf_id: 3 kdf_id: 3
aead_id: 2 aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 7f06ab8215105fc46aceeb2e3dc5028b44364f960426eb0d8e4026c2f8b5d7 ikmE: 7f06ab8215105fc46aceeb2e3dc5028b44364f960426eb0d8e4026c2f8b5d7
e7a986688f1591abf5ab753c357a5d6f0440414b4ed4ede71317772ac98d9239f709 e7a986688f1591abf5ab753c357a5d6f0440414b4ed4ede71317772ac98d9239f709
04 04
pkEm: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8 pkEm: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8
900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731 900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731
skipping to change at page 107, line 50 skipping to change at line 4140
e85b09a4 e85b09a4
secret: 49fd9f53b0f93732555b2054edfdc0e3101000d75df714b98ce5aa295a37 secret: 49fd9f53b0f93732555b2054edfdc0e3101000d75df714b98ce5aa295a37
f1b18dfa86a1c37286d805d3ea09a20b72f93c21e83955a1f01eb7c5eead563d21e7 f1b18dfa86a1c37286d805d3ea09a20b72f93c21e83955a1f01eb7c5eead563d21e7
key: key:
751e346ce8f0ddb2305c8a2a85c70d5cf559c53093656be636b9406d4d7d1b70 751e346ce8f0ddb2305c8a2a85c70d5cf559c53093656be636b9406d4d7d1b70
base_nonce: 55ff7a7d739c69f44b25447b base_nonce: 55ff7a7d739c69f44b25447b
exporter_secret: e4ff9dfbc732a2b9c75823763c5ccc954a2c0648fc6de80a585 exporter_secret: e4ff9dfbc732a2b9c75823763c5ccc954a2c0648fc6de80a585
81252d0ee3215388a4455e69086b50b87eb28c169a52f42e71de4ca61c920e7bd24c 81252d0ee3215388a4455e69086b50b87eb28c169a52f42e71de4ca61c920e7bd24c
95cc3f992 95cc3f992
B.6.1.1. Encryptions A.6.1.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 55ff7a7d739c69f44b25447b nonce: 55ff7a7d739c69f44b25447b
ct: 170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b20 ct: 170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b20
0aafcc6d80ea4c795a7c5b841a 0aafcc6d80ea4c795a7c5b841a
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 108, line 46 skipping to change at line 4184
ct: 4f268d0930f8d50b8fd9d0f26657ba25b5cb08b308c92e33382f369c768b558e ct: 4f268d0930f8d50b8fd9d0f26657ba25b5cb08b308c92e33382f369c768b558e
113ac95a4c70dd60909ad1adc7 113ac95a4c70dd60909ad1adc7
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 55ff7a7d739c69f44b25457b nonce: 55ff7a7d739c69f44b25457b
ct: dbbfc44ae037864e75f136e8b4b4123351d480e6619ae0e0ae437f036f2f8f1e ct: dbbfc44ae037864e75f136e8b4b4123351d480e6619ae0e0ae437f036f2f8f1e
f677686323977a1ccbb4b4f16a f677686323977a1ccbb4b4f16a
B.6.1.2. Exported Values A.6.1.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
05e2e5bd9f0c30832b80a279ff211cc65eceb0d97001524085d609ead60d0412 05e2e5bd9f0c30832b80a279ff211cc65eceb0d97001524085d609ead60d0412
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
fca69744bb537f5b7a1596dbf34eaa8d84bf2e3ee7f1a155d41bd3624aa92b63 fca69744bb537f5b7a1596dbf34eaa8d84bf2e3ee7f1a155d41bd3624aa92b63
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
f389beaac6fcf6c0d9376e20f97e364f0609a88f1bc76d7328e9104df8477013 f389beaac6fcf6c0d9376e20f97e364f0609a88f1bc76d7328e9104df8477013
B.6.2. PSK Setup Information A.6.2. PSK Setup Information
mode: 1 mode: 1
kem_id: 18 kem_id: 18
kdf_id: 3 kdf_id: 3
aead_id: 2 aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: f3ebfa9a69a924e672114fcd9e06fa9559e937f7eccce4181a2b506df53dbe ikmE: f3ebfa9a69a924e672114fcd9e06fa9559e937f7eccce4181a2b506df53dbe
514be12f094bb28e01de19dd345b4f7ede5ad7eaa6b9c3019592ec68eaae9a14732c 514be12f094bb28e01de19dd345b4f7ede5ad7eaa6b9c3019592ec68eaae9a14732c
e0 e0
pkEm: 040085eff0835cc84351f32471d32aa453cdc1f6418eaaecf1c2824210eb1d pkEm: 040085eff0835cc84351f32471d32aa453cdc1f6418eaaecf1c2824210eb1d
skipping to change at page 110, line 22 skipping to change at line 4252
e85b09a4 e85b09a4
secret: 2cf425e26f65526afc0634a3dba4e28d980c1015130ce07c2ac7530d7a39 secret: 2cf425e26f65526afc0634a3dba4e28d980c1015130ce07c2ac7530d7a39
1a75e5a0db428b09f27ad4d975b4ad1e7f85800e03ffeea35e8cf3fe67b18d4a1345 1a75e5a0db428b09f27ad4d975b4ad1e7f85800e03ffeea35e8cf3fe67b18d4a1345
key: key:
f764a5a4b17e5d1ffba6e699d65560497ebaea6eb0b0d9010a6d979e298a39ff f764a5a4b17e5d1ffba6e699d65560497ebaea6eb0b0d9010a6d979e298a39ff
base_nonce: 479afdf3546ddba3a9841f38 base_nonce: 479afdf3546ddba3a9841f38
exporter_secret: 5c3d4b65a13570502b93095ef196c42c8211a4a188c4590d358 exporter_secret: 5c3d4b65a13570502b93095ef196c42c8211a4a188c4590d358
63665c705bb140ecba6ce9256be3fad35b4378d41643867454612adfd0542a684b61 63665c705bb140ecba6ce9256be3fad35b4378d41643867454612adfd0542a684b61
799bf293f 799bf293f
B.6.2.1. Encryptions A.6.2.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 479afdf3546ddba3a9841f38 nonce: 479afdf3546ddba3a9841f38
ct: de69e9d943a5d0b70be3359a19f317bd9aca4a2ebb4332a39bcdfc97d5fe62f3 ct: de69e9d943a5d0b70be3359a19f317bd9aca4a2ebb4332a39bcdfc97d5fe62f3
a77702f4822c3be531aa7843a1 a77702f4822c3be531aa7843a1
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 111, line 46 skipping to change at line 4296
ct: a3ee291e20f37021e82df14d41f3fbe98b27c43b318a36cacd8471a3b1051ab1 ct: a3ee291e20f37021e82df14d41f3fbe98b27c43b318a36cacd8471a3b1051ab1
2ee055b62ded95b72a63199a3f 2ee055b62ded95b72a63199a3f
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 479afdf3546ddba3a9841e38 nonce: 479afdf3546ddba3a9841e38
ct: eecc2173ce1ac14b27ee67041e90ed50b7809926e55861a579949c07f6d26137 ct: eecc2173ce1ac14b27ee67041e90ed50b7809926e55861a579949c07f6d26137
bf9cf0d097f60b5fd2fbf348ec bf9cf0d097f60b5fd2fbf348ec
B.6.2.2. Exported Values A.6.2.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
62691f0f971e34de38370bff24deb5a7d40ab628093d304be60946afcdb3a936 62691f0f971e34de38370bff24deb5a7d40ab628093d304be60946afcdb3a936
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
76083c6d1b6809da088584674327b39488eaf665f0731151128452e04ce81bff 76083c6d1b6809da088584674327b39488eaf665f0731151128452e04ce81bff
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
0c7cfc0976e25ae7680cf909ae2de1859cd9b679610a14bec40d69b91785b2f6 0c7cfc0976e25ae7680cf909ae2de1859cd9b679610a14bec40d69b91785b2f6
B.6.3. Auth Setup Information A.6.3. Auth Setup Information
mode: 2 mode: 2
kem_id: 18 kem_id: 18
kdf_id: 3 kdf_id: 3
aead_id: 2 aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: fe1c589c2a05893895a537f38c7cb4300b5a7e8fef3d6ccb8f07a498029c61 ikmE: fe1c589c2a05893895a537f38c7cb4300b5a7e8fef3d6ccb8f07a498029c61
e90262e009dc254c7f6235f9c6b2fd6aeff0a714db131b09258c16e217b7bd2aa619 e90262e009dc254c7f6235f9c6b2fd6aeff0a714db131b09258c16e217b7bd2aa619
b0 b0
pkEm: 04017de12ede7f72cb101dab36a111265c97b3654816dcd6183f809d4b3d11 pkEm: 04017de12ede7f72cb101dab36a111265c97b3654816dcd6183f809d4b3d11
skipping to change at page 113, line 29 skipping to change at line 4371
e85b09a4 e85b09a4
secret: 56b7acb7355d080922d2ddc227829c2276a0b456087654b3ac4b53828bd3 secret: 56b7acb7355d080922d2ddc227829c2276a0b456087654b3ac4b53828bd3
4af8cf54626f85af858a15a86eba73011665cc922bc59fd07d2975f356d2674db554 4af8cf54626f85af858a15a86eba73011665cc922bc59fd07d2975f356d2674db554
key: key:
01fced239845e53f0ec616e71777883a1f9fcab22a50f701bdeee17ad040e44d 01fced239845e53f0ec616e71777883a1f9fcab22a50f701bdeee17ad040e44d
base_nonce: 9752b85fe8c73eda183f9e80 base_nonce: 9752b85fe8c73eda183f9e80
exporter_secret: 80466a9d9cc5112ddad297e817e038801e15fa18152bc4dc010 exporter_secret: 80466a9d9cc5112ddad297e817e038801e15fa18152bc4dc010
a35d7f534089c87c98b4bacd7bbc6276c4002a74085adcd9019fca6139826b529256 a35d7f534089c87c98b4bacd7bbc6276c4002a74085adcd9019fca6139826b529256
9cfb7fe47 9cfb7fe47
B.6.3.1. Encryptions A.6.3.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: 9752b85fe8c73eda183f9e80 nonce: 9752b85fe8c73eda183f9e80
ct: 0116aeb3a1c405c61b1ce47600b7ecd11d89b9c08c408b7e2d1e00a4d64696d1 ct: 0116aeb3a1c405c61b1ce47600b7ecd11d89b9c08c408b7e2d1e00a4d64696d1
2e6881dc61688209a8207427f9 2e6881dc61688209a8207427f9
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 114, line 46 skipping to change at line 4415
ct: 53d422295a6ce8fcc51e6f69e252e7195e64abf49252f347d8c25534f1865a6a ct: 53d422295a6ce8fcc51e6f69e252e7195e64abf49252f347d8c25534f1865a6a
17d949c65ce618ddc7d816111f 17d949c65ce618ddc7d816111f
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: 9752b85fe8c73eda183f9f80 nonce: 9752b85fe8c73eda183f9f80
ct: 0dfcfc22ea768880b4160fec27ab10c75fb27766c6bb97aed373a9b6eae35d31 ct: 0dfcfc22ea768880b4160fec27ab10c75fb27766c6bb97aed373a9b6eae35d31
afb08257401075cbb602ac5abb afb08257401075cbb602ac5abb
B.6.3.2. Exported Values A.6.3.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
8d78748d632f95b8ce0c67d70f4ad1757e61e872b5941e146986804b3990154b 8d78748d632f95b8ce0c67d70f4ad1757e61e872b5941e146986804b3990154b
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
80a4753230900ea785b6c80775092801fe91183746479f9b04c305e1db9d1f4d 80a4753230900ea785b6c80775092801fe91183746479f9b04c305e1db9d1f4d
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
620b176d737cf366bcc20d96adb54ec156978220879b67923689e6dca36210ed 620b176d737cf366bcc20d96adb54ec156978220879b67923689e6dca36210ed
B.6.4. AuthPSK Setup Information A.6.4. AuthPSK Setup Information
mode: 3 mode: 3
kem_id: 18 kem_id: 18
kdf_id: 3 kdf_id: 3
aead_id: 2 aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 54272797b1fbc128a6967ff1fd606e0c67868f7762ce1421439cbc9e90ce1b ikmE: 54272797b1fbc128a6967ff1fd606e0c67868f7762ce1421439cbc9e90ce1b
28d566e6c2acbce712e48eebf236696eb680849d6873e9959395b2931975d61d38bd 28d566e6c2acbce712e48eebf236696eb680849d6873e9959395b2931975d61d38bd
6c 6c
pkEm: 04000a5096a6e6e002c83517b494bfc2e36bfb8632fae8068362852b70d0ff pkEm: 04000a5096a6e6e002c83517b494bfc2e36bfb8632fae8068362852b70d0ff
skipping to change at page 116, line 32 skipping to change at line 4493
e85b09a4 e85b09a4
secret: 50a57775958037a04098e0054576cd3bc084d0d08d29548ba4befa5676b9 secret: 50a57775958037a04098e0054576cd3bc084d0d08d29548ba4befa5676b9
1eb4dcd0752813a052c9a930d0aba6ca10b89dd690b64032dc635dece35d1bf4645c 1eb4dcd0752813a052c9a930d0aba6ca10b89dd690b64032dc635dece35d1bf4645c
key: key:
1316ed34bd52374854ed0e5cb0394ca0a79b2d8ce7f15d5104f21acdfb594286 1316ed34bd52374854ed0e5cb0394ca0a79b2d8ce7f15d5104f21acdfb594286
base_nonce: d9c64ec8deb8a0647fafe8ff base_nonce: d9c64ec8deb8a0647fafe8ff
exporter_secret: 6cb00ff99aebb2e4a05042ce0d048326dd2c03acd61a601b103 exporter_secret: 6cb00ff99aebb2e4a05042ce0d048326dd2c03acd61a601b103
8a65398406a96ab8b5da3187412b2324089ea16ba4ff7e6f4fe55d281fc8ae5f2049 8a65398406a96ab8b5da3187412b2324089ea16ba4ff7e6f4fe55d281fc8ae5f2049
032b69ebd 032b69ebd
B.6.4.1. Encryptions A.6.4.1. Encryptions
sequence number: 0 sequence number: 0
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30 aad: 436f756e742d30
nonce: d9c64ec8deb8a0647fafe8ff nonce: d9c64ec8deb8a0647fafe8ff
ct: 942a2a92e0817cf032ce61abccf4f3a7c5d21b794ed943227e07b7df2d6dd92c ct: 942a2a92e0817cf032ce61abccf4f3a7c5d21b794ed943227e07b7df2d6dd92c
9b8a9371949e65cca262448ab7 9b8a9371949e65cca262448ab7
sequence number: 1 sequence number: 1
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31 aad: 436f756e742d31
skipping to change at page 117, line 46 skipping to change at line 4537
ct: 63113a870131b567db8f39a11b4541eafbd2d3cf3a9bf9e5c1cfcb41e52f9027 ct: 63113a870131b567db8f39a11b4541eafbd2d3cf3a9bf9e5c1cfcb41e52f9027
310b82a4868215959131694d15 310b82a4868215959131694d15
sequence number: 256 sequence number: 256
pt: 4265617574792069732074727574682c20747275746820626561757479 pt: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536 aad: 436f756e742d323536
nonce: d9c64ec8deb8a0647fafe9ff nonce: d9c64ec8deb8a0647fafe9ff
ct: 24f9d8dadd2107376ccd143f70f9bafcd2b21d8117d45ff327e9a78f603a3260 ct: 24f9d8dadd2107376ccd143f70f9bafcd2b21d8117d45ff327e9a78f603a3260
6e42a6a8bdb57a852591d20907 6e42a6a8bdb57a852591d20907
B.6.4.2. Exported Values A.6.4.2. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
a39502ef5ca116aa1317bd9583dd52f15b0502b71d900fc8a622d19623d0cb5d a39502ef5ca116aa1317bd9583dd52f15b0502b71d900fc8a622d19623d0cb5d
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
749eda112c4cfdd6671d84595f12cd13198fc3ef93ed72369178f344fe6e09c3 749eda112c4cfdd6671d84595f12cd13198fc3ef93ed72369178f344fe6e09c3
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
f8b4e72cefbff4ca6c4eabb8c0383287082cfcbb953d900aed4959afd0017095 f8b4e72cefbff4ca6c4eabb8c0383287082cfcbb953d900aed4959afd0017095
B.7. DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD A.7. DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD
A.7.1. Base Setup Information
B.7.1. Base Setup Information
mode: 0 mode: 0
kem_id: 32 kem_id: 32
kdf_id: 1 kdf_id: 1
aead_id: 65535 aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
55bc245ee4efda25d38f2d54d5bb6665291b99f8108a8c4b686c2b14893ea5d9 55bc245ee4efda25d38f2d54d5bb6665291b99f8108a8c4b686c2b14893ea5d9
pkEm: pkEm:
e5e8f9bfff6c2f29791fc351d2c25ce1299aa5eaca78a757c0b4fb4bcd830918 e5e8f9bfff6c2f29791fc351d2c25ce1299aa5eaca78a757c0b4fb4bcd830918
skEm: skEm:
skipping to change at page 119, line 35 skipping to change at line 4589
key_schedule_context: 009bd09219212a8cf27c6bb5d54998c5240793a70ca0a8 key_schedule_context: 009bd09219212a8cf27c6bb5d54998c5240793a70ca0a8
92234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd 92234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292 c9c64fee26bdd292
secret: secret:
04d64e0620aa047e9ab833b0ebcd4ff026cefbe44338fd7d1a93548102ee01af 04d64e0620aa047e9ab833b0ebcd4ff026cefbe44338fd7d1a93548102ee01af
key: key:
base_nonce: base_nonce:
exporter_secret: exporter_secret:
79dc8e0509cf4a3364ca027e5a0138235281611ca910e435e8ed58167c72f79b 79dc8e0509cf4a3364ca027e5a0138235281611ca910e435e8ed58167c72f79b
B.7.1.1. Exported Values A.7.1.1. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
7a36221bd56d50fb51ee65edfd98d06a23c4dc87085aa5866cb7087244bd2a36 7a36221bd56d50fb51ee65edfd98d06a23c4dc87085aa5866cb7087244bd2a36
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
d5535b87099c6c3ce80dc112a2671c6ec8e811a2f284f948cec6dd1708ee33f0 d5535b87099c6c3ce80dc112a2671c6ec8e811a2f284f948cec6dd1708ee33f0
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
ffaabc85a776136ca0c378e5d084c9140ab552b78f039d2e8775f26efff4c70e ffaabc85a776136ca0c378e5d084c9140ab552b78f039d2e8775f26efff4c70e
B.7.2. PSK Setup Information A.7.2. PSK Setup Information
mode: 1 mode: 1
kem_id: 32 kem_id: 32
kdf_id: 1 kdf_id: 1
aead_id: 65535 aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ikmE:
c51211a8799f6b8a0021fcba673d9c4067a98ebc6794232e5b06cb9febcbbdf5 c51211a8799f6b8a0021fcba673d9c4067a98ebc6794232e5b06cb9febcbbdf5
pkEm: pkEm:
d3805a97cbcd5f08babd21221d3e6b362a700572d14f9bbeb94ec078d051ae3d d3805a97cbcd5f08babd21221d3e6b362a700572d14f9bbeb94ec078d051ae3d
skipping to change at page 120, line 41 skipping to change at line 4642
key_schedule_context: 01446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72 key_schedule_context: 01446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72
f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292 c9c64fee26bdd292
secret: secret:
638b94532e0d0bf812cf294f36b97a5bdcb0299df36e22b7bb6858e3c113080b 638b94532e0d0bf812cf294f36b97a5bdcb0299df36e22b7bb6858e3c113080b
key: key:
base_nonce: base_nonce:
exporter_secret: exporter_secret:
04261818aeae99d6aba5101bd35ddf3271d909a756adcef0d41389d9ed9ab153 04261818aeae99d6aba5101bd35ddf3271d909a756adcef0d41389d9ed9ab153
B.7.2.1. Exported Values A.7.2.1. Exported Values
exporter_context: exporter_context:
L: 32 L: 32
exported_value: exported_value:
be6c76955334376aa23e936be013ba8bbae90ae74ed995c1c6157e6f08dd5316 be6c76955334376aa23e936be013ba8bbae90ae74ed995c1c6157e6f08dd5316
exporter_context: 00 exporter_context: 00
L: 32 L: 32
exported_value: exported_value:
1721ed2aa852f84d44ad020c2e2be4e2e6375098bf48775a533505fd56a3f416 1721ed2aa852f84d44ad020c2e2be4e2e6375098bf48775a533505fd56a3f416
exporter_context: 54657374436f6e74657874 exporter_context: 54657374436f6e74657874
L: 32 L: 32
exported_value: exported_value:
7c9d79876a288507b81a5a52365a7d39cc0fa3f07e34172984f96fec07c44cba 7c9d79876a288507b81a5a52365a7d39cc0fa3f07e34172984f96fec07c44cba
B.7.3. Auth Setup Information A.7.3. Auth Setup Information
mode: 2
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
43b078912a54b591a7b09b16ce89a1955a9dd60b29fb611e044260046e8b061b
pkEm:
5ac1671a55c5c3875a8afe74664aa8bc68830be9ded0c5f633cd96400e8b5c05
skEm:
skipping to change at page 122, line 41 (draft) / line 4698 (RFC)
key_schedule_context: 029bd09219212a8cf27c6bb5d54998c5240793a70ca0a8
92234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
355e7ef17f438db43152b7fb45a0e2f49a8bf8956d5dddfec1758c0f0eb1b5d5
key:
base_nonce:
exporter_secret:
276d87e5cb0655c7d3dad95e76e6fc02746739eb9d968955ccf8a6346c97509e
B.7.3.1. Exported Values A.7.3.1. Exported Values
exporter_context:
L: 32
exported_value:
83c1bac00a45ed4cb6bd8a6007d2ce4ec501f55e485c5642bd01bf6b6d7d6f0a
exporter_context: 00
L: 32
exported_value:
08a1d1ad2af3ef5bc40232a64f920650eb9b1034fac3892f729f7949621bf06e
exporter_context: 54657374436f6e74657874
L: 32
exported_value:
ff3b0e37a9954247fea53f251b799e2edd35aac7152c5795751a3da424feca73
B.7.4. AuthPSK Setup Information A.7.4. AuthPSK Setup Information
mode: 3
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE:
94efae91e96811a3a49fd1b20eb0344d68ead6ac01922c2360779aa172487f40
pkEm:
81cbf4bd7eee97dd0b600252a1c964ea186846252abb340be47087cc78f3d87c
skEm:
skipping to change at page 124, line 44 (draft) / line 4757 (RFC)
key_schedule_context: 03446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72
f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6dd
c9c64fee26bdd292
secret:
c15c5bec374f2087c241d3533c6ec48e1c60a21dd00085619b2ffdd84a7918c3
key:
base_nonce:
exporter_secret:
695b1faa479c0e0518b6414c3b46e8ef5caea04c0a192246843765ae6a8a78e0
B.7.4.1. Exported Values A.7.4.1. Exported Values
exporter_context:
L: 32
exported_value:
dafd8beb94c5802535c22ff4c1af8946c98df2c417e187c6ccafe45335810b58
exporter_context: 00
L: 32
exported_value:
7346bb0b56caf457bcc1aa63c1b97d9834644bdacac8f72dbbe3463e4e46b0dd
exporter_context: 54657374436f6e74657874
L: 32
exported_value:
84f3466bd5a03bde6444324e63d7560e7ac790da4e5bbab01e7c4d575728c34a
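The vectors in A.7.2 through A.7.4 can be checked without any HPKE library, because everything after the shared secret is plain HKDF-SHA256 with the labeling of Section 4: key_schedule_context is mode || psk_id_hash || info_hash, exporter_secret is LabeledExpand(secret, "exp", key_schedule_context, Nh), and each exported_value is LabeledExpand(exporter_secret, "sec", exporter_context, L). The key and base_nonce fields are empty in these vectors because aead_id 65535 (0xFFFF) is the Export-only AEAD. The following is an added verification script, not code from the RFC or any implementation; the suite identifiers are the ones printed in the vectors, and the PSK-mode psk_id is not shown in this excerpt, so for modes 1 and 3 only the mode byte and the info_hash half of the context are recomputed, while mode 2 (Auth, default empty psk_id) is recomputed in full.

```python
# Added verification example (not part of RFC 9180 or any library): recompute
# the A.7.2-A.7.4 values above from the spec's KDF labeling (Section 4), key
# schedule (Section 5.1) and Export (Section 5.3) with the standard library only.
import hashlib
import hmac

# Suite identifiers from the vectors: kem_id 32 = DHKEM(X25519, HKDF-SHA256),
# kdf_id 1 = HKDF-SHA256, aead_id 65535 (0xFFFF) = Export-only AEAD.
KEM_ID, KDF_ID, AEAD_ID = 0x0020, 0x0001, 0xFFFF
SUITE_ID = (b"HPKE" + KEM_ID.to_bytes(2, "big")
            + KDF_ID.to_bytes(2, "big") + AEAD_ID.to_bytes(2, "big"))
NH = hashlib.sha256().digest_size  # Nh = 32 for HKDF-SHA256

INFO = bytes.fromhex("4f6465206f6e2061204772656369616e2055726e")  # "Ode on a Grecian Urn"
# The three exporter_context values used in every "Exported Values" subsection.
EXPORT_CONTEXTS = [b"", bytes.fromhex("00"), bytes.fromhex("54657374436f6e74657874")]

# (secret, key_schedule_context, exporter_secret, [exported_value x3]) per mode,
# copied from the vectors above. key/base_nonce are empty: Export-only AEAD.
VECTORS = {
    1: ("638b94532e0d0bf812cf294f36b97a5bdcb0299df36e22b7bb6858e3c113080b",
        "01446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6ddc9c64fee26bdd292",
        "04261818aeae99d6aba5101bd35ddf3271d909a756adcef0d41389d9ed9ab153",
        ["be6c76955334376aa23e936be013ba8bbae90ae74ed995c1c6157e6f08dd5316",
         "1721ed2aa852f84d44ad020c2e2be4e2e6375098bf48775a533505fd56a3f416",
         "7c9d79876a288507b81a5a52365a7d39cc0fa3f07e34172984f96fec07c44cba"]),
    2: ("355e7ef17f438db43152b7fb45a0e2f49a8bf8956d5dddfec1758c0f0eb1b5d5",
        "029bd09219212a8cf27c6bb5d54998c5240793a70ca0a892234bd5e082bc619b6a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6ddc9c64fee26bdd292",
        "276d87e5cb0655c7d3dad95e76e6fc02746739eb9d968955ccf8a6346c97509e",
        ["83c1bac00a45ed4cb6bd8a6007d2ce4ec501f55e485c5642bd01bf6b6d7d6f0a",
         "08a1d1ad2af3ef5bc40232a64f920650eb9b1034fac3892f729f7949621bf06e",
         "ff3b0e37a9954247fea53f251b799e2edd35aac7152c5795751a3da424feca73"]),
    3: ("c15c5bec374f2087c241d3533c6ec48e1c60a21dd00085619b2ffdd84a7918c3",
        "03446fb1fe2632a0a338f0a85ed1f3a0ac475bdea2cd72f8c713b3a46ee737379a3f4c22aa6d9a0424c2b4292fdf43b8257df93c2f6adbf6ddc9c64fee26bdd292",
        "695b1faa479c0e0518b6414c3b46e8ef5caea04c0a192246843765ae6a8a78e0",
        ["dafd8beb94c5802535c22ff4c1af8946c98df2c417e187c6ccafe45335810b58",
         "7346bb0b56caf457bcc1aa63c1b97d9834644bdacac8f72dbbe3463e4e46b0dd",
         "84f3466bd5a03bde6444324e63d7560e7ac790da4e5bbab01e7c4d575728c34a"]),
}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    # Section 4: labeled_ikm = "HPKE-v1" || suite_id || label || ikm
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    # Section 4: labeled_info = I2OSP(L, 2) || "HPKE-v1" || suite_id || label || info
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def key_schedule_context(mode: int, psk_id: bytes, info: bytes) -> bytes:
    # Section 5.1: mode || LabeledExtract("", "psk_id_hash", psk_id)
    #                   || LabeledExtract("", "info_hash", info)
    return (bytes([mode]) + labeled_extract(b"", b"psk_id_hash", psk_id)
            + labeled_extract(b"", b"info_hash", info))


def exporter_secret(secret: bytes, ksc: bytes) -> bytes:
    # Section 5.1: exporter_secret = LabeledExpand(secret, "exp", key_schedule_context, Nh)
    return labeled_expand(secret, b"exp", ksc, NH)


def export(exp_secret: bytes, exporter_context: bytes, length: int) -> bytes:
    # Section 5.3: Context.Export = LabeledExpand(exporter_secret, "sec", exporter_context, L)
    return labeled_expand(exp_secret, b"sec", exporter_context, length)


def verify_vector(mode: int) -> bool:
    """Recompute everything the excerpt lets us recompute; False on any mismatch."""
    secret_hex, ksc_hex, exp_hex, exported_hex = VECTORS[mode]
    secret, ksc = bytes.fromhex(secret_hex), bytes.fromhex(ksc_hex)
    if len(ksc) != 1 + 2 * NH or ksc[0] != mode:
        return False
    # The last Nh bytes are info_hash, which depends only on info and the suite.
    if ksc[1 + NH:] != labeled_extract(b"", b"info_hash", INFO):
        return False
    # psk_id_hash needs psk_id, which the PSK vectors do not show in this excerpt;
    # Auth mode (2) uses the default empty psk_id, so its whole context is checkable.
    if mode == 2 and ksc != key_schedule_context(2, b"", INFO):
        return False
    exp_secret = exporter_secret(secret, ksc)
    if exp_secret != bytes.fromhex(exp_hex):
        return False
    return all(export(exp_secret, ctx, 32) == bytes.fromhex(want)
               for ctx, want in zip(EXPORT_CONTEXTS, exported_hex))


if __name__ == "__main__":
    for mode in VECTORS:
        print(f"mode {mode}: {'ok' if verify_vector(mode) else 'MISMATCH'}")
```

Because SUITE_ID is mixed into every label, the same secret run through this script with a different kem_id, kdf_id or aead_id yields different exporter_secret and exported_value bytes; that is the property a conformance test of an HPKE implementation should exercise, and a mismatch on info_hash alone usually points at a wrong suite_id or a missing "HPKE-v1" prefix rather than at the HKDF core.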
Acknowledgements
The authors would like to thank Joel Alwen, Jean-Philippe Aumasson,
David Benjamin, Benjamin Beurdouche, Bruno Blanchet, Frank Denis,
Stephen Farrell, Scott Fluhrer, Eduard Hauck, Scott Hollenbeck, Kevin
Jacobs, Burt Kaliski, Eike Kiltz, Julia Len, John Mattsson,
Christopher Patton, Doreen Riepel, Raphael Robert, Michael Rosenberg,
Michael Scott, Martin Thomson, Steven Valdez, Riad Wahby, and other
contributors in the CFRG for helpful feedback that greatly improved
this document.
Authors' Addresses
Richard L. Barnes
Cisco
Email: rlb@ipv.sx
Karthik Bhargavan
Inria
End of changes. 218 change blocks.
434 lines changed or deleted, 493 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/