[Search] [pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-barnes-cfrg-hpke)   00 01 02 03           Informational
          04 05 06 07 08 09                                             
Internet Research Task Force (IRTF)                          R.L. Barnes
Internet-Draft                                                     Cisco
Intended status: Informational                              K. Bhargavan
Expires: 19 June 2021                                            B. Lipp
                                                                   Inria
                                                               C.A. Wood
                                                              Cloudflare
                                                        16 December 2020


                      Hybrid Public Key Encryption
                        draft-irtf-cfrg-hpke-07

Abstract

   This document describes a scheme for hybrid public-key encryption
   (HPKE).  This scheme provides authenticated public key encryption of
   arbitrary-sized plaintexts for a recipient public key.  HPKE works
   for any combination of an asymmetric key encapsulation mechanism
   (KEM), key derivation function (KDF), and authenticated encryption
   with additional data (AEAD) encryption function.  We provide
   instantiations of the scheme using widely used and efficient
   primitives, such as Elliptic Curve Diffie-Hellman key agreement,
   HKDF, and SHA2.

   This document is a product of the Crypto Forum Research Group (CFRG)
   in the IRTF.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 June 2021.







Barnes, et al.            Expires 19 June 2021                  [Page 1]


Internet-Draft                    HPKE                     December 2020


Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   5
   3.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Cryptographic Dependencies  . . . . . . . . . . . . . . . . .   5
     4.1.  DH-Based KEM  . . . . . . . . . . . . . . . . . . . . . .   8
   5.  Hybrid Public Key Encryption  . . . . . . . . . . . . . . . .  11
     5.1.  Creating the Encryption Context . . . . . . . . . . . . .  12
       5.1.1.  Encryption to a Public Key  . . . . . . . . . . . . .  15
       5.1.2.  Authentication using a Pre-Shared Key . . . . . . . .  15
       5.1.3.  Authentication using an Asymmetric Key  . . . . . . .  16
       5.1.4.  Authentication using both a PSK and an Asymmetric
               Key . . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.2.  Encryption and Decryption . . . . . . . . . . . . . . . .  17
     5.3.  Secret Export . . . . . . . . . . . . . . . . . . . . . .  19
   6.  Single-Shot APIs  . . . . . . . . . . . . . . . . . . . . . .  19
     6.1.  Encryption and Decryption . . . . . . . . . . . . . . . .  19
     6.2.  Secret Export . . . . . . . . . . . . . . . . . . . . . .  20
   7.  Algorithm Identifiers . . . . . . . . . . . . . . . . . . . .  20
     7.1.  Key Encapsulation Mechanisms (KEMs) . . . . . . . . . . .  21
       7.1.1.  SerializePublicKey and DeserializePublicKey . . . . .  21
       7.1.2.  SerializePrivateKey and DeserializePrivateKey . . . .  22
       7.1.3.  DeriveKeyPair . . . . . . . . . . . . . . . . . . . .  22
       7.1.4.  Validation of Inputs and Outputs  . . . . . . . . . .  23
       7.1.5.  Future KEMs . . . . . . . . . . . . . . . . . . . . .  24
     7.2.  Key Derivation Functions (KDFs) . . . . . . . . . . . . .  24
       7.2.1.  Input Length Restrictions . . . . . . . . . . . . . .  25
     7.3.  Authenticated Encryption with Associated Data (AEAD)
           Functions . . . . . . . . . . . . . . . . . . . . . . . .  26
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  26
     8.1.  Security Properties . . . . . . . . . . . . . . . . . . .  26
       8.1.1.  Key-Compromise Impersonation  . . . . . . . . . . . .  27
       8.1.2.  Computational Analysis  . . . . . . . . . . . . . . .  28



Barnes, et al.            Expires 19 June 2021                  [Page 2]


Internet-Draft                    HPKE                     December 2020


       8.1.3.  Post-Quantum Security . . . . . . . . . . . . . . . .  30
     8.2.  Security Requirements on a KEM used within HPKE . . . . .  30
       8.2.1.  Encap/Decap Interface . . . . . . . . . . . . . . . .  31
       8.2.2.  AuthEncap/AuthDecap Interface . . . . . . . . . . . .  31
     8.3.  Security Requirements on a KDF  . . . . . . . . . . . . .  31
     8.4.  Pre-Shared Key Recommendations  . . . . . . . . . . . . .  31
     8.5.  Domain Separation . . . . . . . . . . . . . . . . . . . .  32
     8.6.  External Requirements / Non-Goals . . . . . . . . . . . .  33
     8.7.  Bidirectional Encryption  . . . . . . . . . . . . . . . .  33
     8.8.  Metadata Protection . . . . . . . . . . . . . . . . . . .  34
   9.  Message Encoding  . . . . . . . . . . . . . . . . . . . . . .  35
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  35
     10.1.  KEM Identifiers  . . . . . . . . . . . . . . . . . . . .  35
     10.2.  KDF Identifiers  . . . . . . . . . . . . . . . . . . . .  36
     10.3.  AEAD Identifiers . . . . . . . . . . . . . . . . . . . .  36
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  37
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  37
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  37
     12.2.  Informative References . . . . . . . . . . . . . . . . .  37
   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .  41
     A.1.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM  . .  41
       A.1.1.  Base Setup Information  . . . . . . . . . . . . . . .  41
       A.1.2.  PSK Setup Information . . . . . . . . . . . . . . . .  43
       A.1.3.  Auth Setup Information  . . . . . . . . . . . . . . .  45
       A.1.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  47
     A.2.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256,
           ChaCha20Poly1305  . . . . . . . . . . . . . . . . . . . .  49
       A.2.1.  Base Setup Information  . . . . . . . . . . . . . . .  49
       A.2.2.  PSK Setup Information . . . . . . . . . . . . . . . .  51
       A.2.3.  Auth Setup Information  . . . . . . . . . . . . . . .  53
       A.2.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  55
     A.3.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM . . .  57
       A.3.1.  Base Setup Information  . . . . . . . . . . . . . . .  57
       A.3.2.  PSK Setup Information . . . . . . . . . . . . . . . .  59
       A.3.3.  Auth Setup Information  . . . . . . . . . . . . . . .  61
       A.3.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  63
     A.4.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM . . .  65
       A.4.1.  Base Setup Information  . . . . . . . . . . . . . . .  65
       A.4.2.  PSK Setup Information . . . . . . . . . . . . . . . .  67
       A.4.3.  Auth Setup Information  . . . . . . . . . . . . . . .  69
       A.4.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  72
     A.5.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA256,
           ChaCha20Poly1305  . . . . . . . . . . . . . . . . . . . .  75
       A.5.1.  Base Setup Information  . . . . . . . . . . . . . . .  75
       A.5.2.  PSK Setup Information . . . . . . . . . . . . . . . .  77
       A.5.3.  Auth Setup Information  . . . . . . . . . . . . . . .  79
       A.5.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  81
     A.6.  DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM . . .  83



Barnes, et al.            Expires 19 June 2021                  [Page 3]


Internet-Draft                    HPKE                     December 2020


       A.6.1.  Base Setup Information  . . . . . . . . . . . . . . .  83
       A.6.2.  PSK Setup Information . . . . . . . . . . . . . . . .  86
       A.6.3.  Auth Setup Information  . . . . . . . . . . . . . . .  89
       A.6.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  92
     A.7.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only
           AEAD  . . . . . . . . . . . . . . . . . . . . . . . . . .  95
       A.7.1.  Base Setup Information  . . . . . . . . . . . . . . .  95
       A.7.2.  PSK Setup Information . . . . . . . . . . . . . . . .  96
       A.7.3.  Auth Setup Information  . . . . . . . . . . . . . . .  97
       A.7.4.  AuthPSK Setup Information . . . . . . . . . . . . . .  98
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  99

1.  Introduction

   Encryption schemes that combine asymmetric and symmetric algorithms
   have been specified and practiced since the early days of public-key
   cryptography, e.g., [RFC1421].  Combining the two yields the key
   management advantages of asymmetric cryptography and the performance
   benefits of symmetric cryptography.  The traditional combination has
   been "encrypt the symmetric key with the public key."  "Hybrid"
   public-key encryption schemes (HPKE), specified here, take a
   different approach: "generate the symmetric key and its encapsulation
   with the public key."  Specifically, encrypted messages convey an
   encryption key encapsulated with a public-key scheme, along with one
   or more arbitrary-sized ciphertexts encrypted using that key.  This
   type of public key encryption has many applications in practice,
   including Messaging Layer Security [I-D.ietf-mls-protocol] and TLS
   Encrypted ClientHello [I-D.ietf-tls-esni].

   Currently, there are numerous competing and non-interoperable
   standards and variants for hybrid encryption, mostly based on ECIES,
   including ANSI X9.63 (ECIES) [ANSI], IEEE 1363a [IEEE1363], ISO/IEC
   18033-2 [ISO], and SECG SEC 1 [SECG].  See [MAEA10] for a thorough
   comparison.  All these existing schemes have problems, e.g., because
   they rely on outdated primitives, lack proofs of IND-CCA2 security,
   or fail to provide test vectors.

   This document defines an HPKE scheme that provides a subset of the
   functions provided by the collection of schemes above, but specified
   with sufficient clarity that they can be interoperably implemented.
   The HPKE construction defined herein is secure against (adaptive)
   chosen ciphertext attacks (IND-CCA2 secure) under classical
   assumptions about the underlying primitives [HPKEAnalysis],
   [ABHKLR20].  A summary of these analyses is in Section 8.1.

   This document represents the consensus of the Crypto Forum Research
   Group (CFRG).




Barnes, et al.            Expires 19 June 2021                  [Page 4]


Internet-Draft                    HPKE                     December 2020


2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Notation

   The following terms are used throughout this document to describe the
   operations, roles, and behaviors of HPKE:

   *  "(skX, pkX)": A KEM key pair used in role X; "skX" is the private
      key and "pkX" is the public key.

   *  "pk(skX)": The KEM public key corresponding to the KEM private key
      "skX".

   *  Sender (S): Role of entity which sends an encrypted message.

   *  Recipient (R): Role of entity which receives an encrypted message.

   *  Ephemeral (E): Role of a fresh random value meant for one-time
      use.

   *  "I2OSP(n)" and "OS2IP(x)": Convert a byte string to and from a
      non-negative integer as described in [RFC8017].  Note that these
      functions operate on byte strings in big-endian byte order.

   *  "concat(x0, ..., xN)": Concatenation of byte strings.
      "concat(0x01, 0x0203, 0x040506) = 0x010203040506".

   *  "random(n)": A pseudorandom byte string of length "n" bytes

   *  "xor(a,b)": XOR of byte strings; "xor(0xF0F0, 0x1234) = 0xE2C4".
      It is an error to call this function with two arguments of unequal
      length.

4.  Cryptographic Dependencies

   HPKE variants rely on the following primitives:

   *  A Key Encapsulation Mechanism (KEM):

      -  "GenerateKeyPair()": Randomized algorithm to generate a key
         pair "(skX, pkX)"




Barnes, et al.            Expires 19 June 2021                  [Page 5]


Internet-Draft                    HPKE                     December 2020


      -  "DeriveKeyPair(ikm)": Deterministic algorithm to derive a key
         pair "(skX, pkX)" from the byte string "ikm", where "ikm"
         SHOULD have at least "Nsk" bytes of entropy (see Section 7.1.3
         for discussion)

      -  "SerializePublicKey(pkX)": Produce a byte string of length
         "Npk" encoding the public key "pkX".

      -  "DeserializePublicKey(pkXm)": Parse a byte string of length
         "Npk" to recover a public key.  This function can raise a
         "DeserializeError" error upon "pkXm" deserialization failure.

      -  "Encap(pkR)": Randomized algorithm to generate an ephemeral,
         fixed-length symmetric key (the KEM shared secret) and a fixed-
         length encapsulation of that key that can be decapsulated by
         the holder of the private key corresponding to "pkR".

      -  "Decap(enc, skR)": Deterministic algorithm using the private
         key "skR" to recover the ephemeral symmetric key (the KEM
         shared secret) from its encapsulated representation "enc".
         This function can raise an "DecapError" on decapsulation
         failure.

      -  "AuthEncap(pkR, skS)" (optional): Same as "Encap()", and the
         outputs encode an assurance that the KEM shared secret was
         generated by the holder of the private key "skS".

      -  "AuthDecap(enc, skR, pkS)" (optional): Same as "Decap()", and
         the recipient is assured that the KEM shared secret was
         generated by the holder of the private key "skS".

      -  "Nsecret": The length in bytes of a KEM shared secret produced
         by this KEM

      -  "Nenc": The length in bytes of an encapsulated key produced by
         this KEM

      -  "Npk": The length in bytes of an encoded public key for this
         KEM

      -  "Nsk": The length in bytes of an encoded private key for this
         KEM

   *  A Key Derivation Function (KDF):

      -  "Extract(salt, ikm)": Extract a pseudorandom key of fixed
         length "Nh" bytes from input keying material "ikm" and an
         optional byte string "salt"



Barnes, et al.            Expires 19 June 2021                  [Page 6]


Internet-Draft                    HPKE                     December 2020


      -  "Expand(prk, info, L)": Expand a pseudorandom key "prk" using
         optional string "info" into "L" bytes of output keying material

      -  "Nh": The output size of the "Extract()" function in bytes

   *  An AEAD encryption algorithm [RFC5116]:

      -  "Seal(key, nonce, aad, pt)": Encrypt and authenticate plaintext
         "pt" with associated data "aad" using symmetric key "key" and
         nonce "nonce", yielding ciphertext and tag "ct".  This function
         can raise a "NonceOverflowError" upon failure.

      -  "Open(key, nonce, aad, ct)": Decrypt ciphertext and tag "ct"
         using associated data "aad" with symmetric key "key" and nonce
         "nonce", returning plaintext message "pt".  This function can
         raise an "OpenError" or "NonceOverflowError" upon failure.

      -  "Nk": The length in bytes of a key for this algorithm

      -  "Nn": The length in bytes of a nonce for this algorithm

   Beyond the above, a KEM MAY also expose the following functions,
   whose behavior is detailed in Section 7.1.2:

   *  "SerializePrivateKey(skX)": Produce a byte string of length "Nsk"
      encoding the private key "skX".

   *  "DeserializePrivateKey(skXm)": Parse a byte string of length "Nsk"
      to recover a private key.  This function can raise a
      "DeserializeError" error upon "skXm" deserialization failure.

   A _ciphersuite_ is a triple (KEM, KDF, AEAD) containing a choice of
   algorithm for each primitive.

   A set of algorithm identifiers for concrete instantiations of these
   primitives is provided in Section 7.  Algorithm identifier values are
   two bytes long.

   Note that "GenerateKeyPair" can be implemented as
   "DeriveKeyPair(random(Nsk))".

   The notation "pk(skX)", depending on its use and the KEM and its
   implementation, is either the computation of the public key using the
   private key, or just syntax expressing the retrieval of the public
   key assuming it is stored along with the private key object.

   The following two functions are defined to facilitate domain
   separation of KDF calls as well as context binding:



Barnes, et al.            Expires 19 June 2021                  [Page 7]


Internet-Draft                    HPKE                     December 2020


   def LabeledExtract(salt, label, ikm):
     labeled_ikm = concat("HPKE-07", suite_id, label, ikm)
     return Extract(salt, labeled_ikm)

   def LabeledExpand(prk, label, info, L):
     labeled_info = concat(I2OSP(L, 2), "HPKE-07", suite_id,
                           label, info)
     return Expand(prk, labeled_info, L)

   [[RFC editor: please change "HPKE-07" to "RFCXXXX", where XXXX is the
   final number, before publication.]]

   The value of "suite_id" depends on where the KDF is used; it is
   assumed implicit from the implementation and not passed as a
   parameter.  If used inside a KEM algorithm, "suite_id" MUST start
   with "KEM" and identify this KEM algorithm; if used in the remainder
   of HPKE, it MUST start with "HPKE" and identify the entire
   ciphersuite in use.  See sections Section 4.1 and Section 5.1 for
   details.

4.1.  DH-Based KEM

   Suppose we are given a KDF, and a Diffie-Hellman group providing the
   following operations:

   *  "GenerateKeyPair()": Randomized algorithm to generate a key pair
      "(skX, pkX)" for the DH group in use

   *  "DeriveKeyPair(ikm)": Deterministic algorithm to derive a key pair
      "(skX, pkX)" from the byte string "ikm", where "ikm" SHOULD have
      at least "Nsk" bytes of entropy (see Section 7.1.3 for discussion)

   *  "DH(skX, pkY)": Perform a non-interactive DH exchange using the
      private key "skX" and public key "pkY" to produce a Diffie-Hellman
      shared secret of length "Ndh".  This function can raise a
      "ValidationError" as described in Section 7.1.4.

   *  "Serialize(pk)": Produce a byte string of length "Npk" encoding
      the public key "pk"

   *  "Deserialize(enc)": Parse a byte string of length "Npk" to recover
      a public key.  This function can raise a "DeserializeError" error
      upon "enc" deserialization failure.

   *  "Ndh": The length in bytes of a Diffie-Hellman shared secret
      produced by "DH()"

   *  "Nsk": The length in bytes of a Diffie-Hellman private key



Barnes, et al.            Expires 19 June 2021                  [Page 8]


Internet-Draft                    HPKE                     December 2020


   Since an encapsulated key is a Diffie-Hellman public key in this KEM
   algorithm, we use "Serialize()" to encode them, and "Npk" equals
   "Nenc".  The same applies to "Deserialize()".

   Then we can construct a KEM called "DHKEM(Group, KDF)" in the
   following way, where "Group" denotes the Diffie-Hellman group and
   "KDF" the KDF.  The function parameters "pkR" and "pkS" are
   deserialized public keys, and "enc" is a serialized public key.
   Section 7.1.3 contains the "DeriveKeyPair" function specification for
   DHKEMs defined in this document.

   def ExtractAndExpand(dh, kem_context):
     eae_prk = LabeledExtract("", "eae_prk", dh)
     shared_secret = LabeledExpand(eae_prk, "shared_secret",
                                   kem_context, Nsecret)
     return shared_secret

   def Encap(pkR):
     skE, pkE = GenerateKeyPair()
     dh = DH(skE, pkR)
     enc = Serialize(pkE)

     pkRm = Serialize(pkR)
     kem_context = concat(enc, pkRm)

     shared_secret = ExtractAndExpand(dh, kem_context)
     return shared_secret, enc

   def Decap(enc, skR):
     pkE = Deserialize(enc)
     dh = DH(skR, pkE)

     pkRm = Serialize(pk(skR))
     kem_context = concat(enc, pkRm)

     shared_secret = ExtractAndExpand(dh, kem_context)
     return shared_secret

   def AuthEncap(pkR, skS):
     skE, pkE = GenerateKeyPair()
     dh = concat(DH(skE, pkR), DH(skS, pkR))
     enc = Serialize(pkE)

     pkRm = Serialize(pkR)
     pkSm = Serialize(pk(skS))
     kem_context = concat(enc, pkRm, pkSm)

     shared_secret = ExtractAndExpand(dh, kem_context)



Barnes, et al.            Expires 19 June 2021                  [Page 9]


Internet-Draft                    HPKE                     December 2020


     return shared_secret, enc

   def AuthDecap(enc, skR, pkS):
     pkE = Deserialize(enc)
     dh = concat(DH(skR, pkE), DH(skR, pkS))

     pkRm = Serialize(pk(skR))
     pkSm = Serialize(pkS)
     kem_context = concat(enc, pkRm, pkSm)

     shared_secret = ExtractAndExpand(dh, kem_context)
     return shared_secret

   The implicit "suite_id" value used within "LabeledExtract" and
   "LabeledExpand" is defined as follows, where "kem_id" is defined in
   Section 7.1:

   suite_id = concat("KEM", I2OSP(kem_id, 2))

   The KDF used in DHKEM can be equal to or different from the KDF used
   in the remainder of HPKE, depending on the chosen variant.
   Implementations MUST make sure to use the constants ("Nh") and
   function calls ("LabeledExtract", "LabeledExpand") of the appropriate
   KDF when implementing DHKEM.  See Section 8.3 for a comment on the
   choice of a KDF for the remainder of HPKE, and Section 8.5 for the
   rationale of the labels.

   For the variants of DHKEM defined in this document, the size
   "Nsecret" of the KEM shared secret is equal to the output length of
   the hash function underlying the KDF.  For P-256, P-384 and P-521,
   the size "Ndh" of the Diffie-Hellman shared secret is equal to 32,
   48, and 66, respectively, corresponding to the x-coordinate of the
   resulting elliptic curve point [IEEE1363].  For X25519 and X448, the
   size "Ndh" of is equal to 32 and 56, respectively (see [RFC7748],
   Section 5).

   It is important to note that the "AuthEncap()" and "AuthDecap()"
   functions of the DHKEM variants defined in this document are
   vulnerable to key-compromise impersonation (KCI).  This means the
   assurance that the KEM shared secret was generated by the holder of
   the private key "skS" does not hold if the recipient private key
   "skR" is compromised.  See Section 8.1 for more details.

   Senders and recipients MUST validate KEM inputs and outputs as
   described in Section 7.1.






Barnes, et al.            Expires 19 June 2021                 [Page 10]


Internet-Draft                    HPKE                     December 2020


5.  Hybrid Public Key Encryption

   In this section, we define a few HPKE variants.  All variants take a
   recipient public key and a sequence of plaintexts "pt", and produce
   an encapsulated key "enc" and a sequence of ciphertexts "ct".  These
   outputs are constructed so that only the holder of "skR" can
   decapsulate the key from "enc" and decrypt the ciphertexts.  All the
   algorithms also take an "info" parameter that can be used to
   influence the generation of keys (e.g., to fold in identity
   information) and an "aad" parameter that provides Additional
   Authenticated Data to the AEAD algorithm in use.

   In addition to the base case of encrypting to a public key, we
   include three authenticated variants, one which authenticates
   possession of a pre-shared key, one which authenticates possession of
   a KEM private key, and one which authenticates possession of both a
   pre-shared key and a KEM private key.  All authenticated variants
   contribute additional keying material to the encryption operation.
   The following one-byte values will be used to distinguish between
   modes:

                         +===============+=======+
                         | Mode          | Value |
                         +===============+=======+
                         | mode_base     | 0x00  |
                         +---------------+-------+
                         | mode_psk      | 0x01  |
                         +---------------+-------+
                         | mode_auth     | 0x02  |
                         +---------------+-------+
                         | mode_auth_psk | 0x03  |
                         +---------------+-------+

                                  Table 1

   All these cases follow the same basic two-step pattern:

   1.  Set up an encryption context that is shared between the sender
       and the recipient

   2.  Use that context to encrypt or decrypt content

   A _context_ encodes the AEAD algorithm and key in use, and manages
   the nonces used so that the same nonce is not used with multiple
   plaintexts.  It also has an interface for exporting secret values, as
   described in Section 5.3.  See Section 5.2 for a description of this
   structure and its interfaces.  HPKE decryption fails when the
   underlying AEAD decryption fails.



Barnes, et al.            Expires 19 June 2021                 [Page 11]


Internet-Draft                    HPKE                     December 2020


   The constructions described here presume that the relevant non-
   private parameters ("enc", "psk_id", etc.) are transported between
   the sender and the recipient by some application making use of HPKE.
   Moreover, a recipient with more than one public key needs some way of
   determining which of its public keys was used for the encapsulation
   operation.  As an example, applications may send this information
   alongside a ciphertext from sender to recipient.  Specification of
   such a mechanism is left to the application.  See Section 9 for more
   details.

   Note that some KEMs may not support "AuthEncap()" or "AuthDecap()".
   For such KEMs, only "mode_base" or "mode_psk" are supported.  Future
   specifications which define new KEMs MUST indicate whether these
   modes are supported.  See Section 7.1.5 for more details.

   The procedures described in this session are laid out in a Python-
   like pseudocode.  The algorithms in use are left implicit.

5.1.  Creating the Encryption Context

   The variants of HPKE defined in this document share a common key
   schedule that translates the protocol inputs into an encryption
   context.  The key schedule inputs are as follows:

   *  "mode" - A one-byte value indicating the HPKE mode, defined in
      Section 5.

   *  "shared_secret" - A KEM shared secret generated for this
      transaction

   *  "info" - Application-supplied information (optional; default value
      "")

   *  "psk" - A pre-shared key (PSK) held by both the sender and the
      recipient (optional; default value "")

   *  "psk_id" - An identifier for the PSK (optional; default value "")

   Senders and recipients MUST validate KEM inputs and outputs as
   described in Section 7.1.

   The "psk" and "psk_id" fields MUST appear together or not at all.
   That is, if a non-default value is provided for one of them, then the
   other MUST be set to a non-default value.  This requirement is
   encoded in "VerifyPSKInputs()" below.






Barnes, et al.            Expires 19 June 2021                 [Page 12]


Internet-Draft                    HPKE                     December 2020


   The "psk", "psk_id", and "info" fields have maximum lengths that
   depend on the KDF itself, on the definition of "LabeledExtract()",
   and on the constant labels used together with them.  See
   Section 7.2.1 for precise limits on these lengths.

   The "key", "base_nonce", and "exporter_secret" computed by the key
   schedule have the property that they are only known to the holder of
   the recipient private key, and the entity that used the KEM to
   generate "shared_secret" and "enc".

   In the Auth and AuthPSK modes, the recipient is assured that the
   sender held the private key "skS".  This assurance is limited for the
   DHKEM variants defined in this document because of key-compromise
   impersonation, as described in Section 4.1 and Section 8.1.  If in
   the PSK and AuthPSK modes, the "psk" and "psk_id" arguments are
   provided as required, then the recipient is assured that the sender
   held the corresponding pre-shared key.  See Section 8.1 for more
   details.

   The HPKE algorithm identifiers, i.e., the KEM "kem_id", KDF "kdf_id",
   and AEAD "aead_id" 2-byte code points as defined in Section 7, are
   assumed implicit from the implementation and not passed as
   parameters.  The implicit "suite_id" value used within
   "LabeledExtract" and "LabeledExpand" is defined based on them as
   follows:

   suite_id = concat(
     "HPKE",
     I2OSP(kem_id, 2),
     I2OSP(kdf_id, 2),
     I2OSP(aead_id, 2)
   )



















Barnes, et al.            Expires 19 June 2021                 [Page 13]


Internet-Draft                    HPKE                     December 2020


   default_psk = ""
   default_psk_id = ""

   def VerifyPSKInputs(mode, psk, psk_id):
     got_psk = (psk != default_psk)
     got_psk_id = (psk_id != default_psk_id)
     if got_psk != got_psk_id:
       raise Exception("Inconsistent PSK inputs")

     if got_psk and (mode in [mode_base, mode_auth]):
       raise Exception("PSK input provided when not needed")
     if (not got_psk) and (mode in [mode_psk, mode_auth_psk]):
       raise Exception("Missing required PSK input")

   def KeySchedule<ROLE>(mode, shared_secret, info, psk, psk_id):
     VerifyPSKInputs(mode, psk, psk_id)

     psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id)
     info_hash = LabeledExtract("", "info_hash", info)
     key_schedule_context = concat(mode, psk_id_hash, info_hash)

     secret = LabeledExtract(shared_secret, "secret", psk)

     key = LabeledExpand(secret, "key", key_schedule_context, Nk)
     base_nonce = LabeledExpand(secret, "base_nonce",
                                key_schedule_context, Nn)
     exporter_secret = LabeledExpand(secret, "exp",
                                     key_schedule_context, Nh)

     return Context<ROLE>(key, base_nonce, 0, exporter_secret)

   The "ROLE" template parameter is either S or R, depending on the role
   of sender or recipient, respectively.  See Section 5.2 for a
   discussion of the key schedule output, including the role-specific
   "Context" structure and its API.

   Note that the "key_schedule_context" construction in "KeySchedule()"
   is equivalent to serializing a structure of the following form in the
   TLS presentation syntax:

   struct {
       uint8 mode;
       opaque psk_id_hash[Nh];
       opaque info_hash[Nh];
   } KeyScheduleContext;






Barnes, et al.            Expires 19 June 2021                 [Page 14]


Internet-Draft                    HPKE                     December 2020


5.1.1.  Encryption to a Public Key

   The most basic function of an HPKE scheme is to enable encryption to
   the holder of a given KEM private key.  The "SetupBaseS()" and
   "SetupBaseR()" procedures establish contexts that can be used to
   encrypt and decrypt, respectively, for a given private key.

   The KEM shared secret is combined via the KDF with information
   describing the key exchange, as well as the explicit "info" parameter
   provided by the caller.

   The parameter "pkR" is a public key, and "enc" is an encapsulated KEM
   shared secret.

   def SetupBaseS(pkR, info):
     shared_secret, enc = Encap(pkR)
     return enc, KeyScheduleS(mode_base, shared_secret, info,
                              default_psk, default_psk_id)

   def SetupBaseR(enc, skR, info):
     shared_secret = Decap(enc, skR)
     return KeyScheduleR(mode_base, shared_secret, info,
                         default_psk, default_psk_id)

5.1.2.  Authentication using a Pre-Shared Key

   This variant extends the base mechanism by allowing the recipient to
   authenticate that the sender possessed a given PSK.  The PSK also
   improves confidentiality guarantees in certain adversary models, as
   described in more detail in Section 8.1.  We assume that both parties
   have been provisioned with both the PSK value "psk" and another byte
   string "psk_id" that is used to identify which PSK should be used.

   The primary difference from the base case is that the "psk" and
   "psk_id" values are used as "ikm" inputs to the KDF (instead of using
   the empty string).

   The PSK MUST have at least 32 bytes of entropy and SHOULD be of
   length "Nh" bytes or longer.  See Section 8.4 for a more detailed
   discussion.

  def SetupPSKS(pkR, info, psk, psk_id):
    shared_secret, enc = Encap(pkR)
    return enc, KeyScheduleS(mode_psk, shared_secret, info, psk, psk_id)

  def SetupPSKR(enc, skR, info, psk, psk_id):
    shared_secret = Decap(enc, skR)
    return KeyScheduleR(mode_psk, shared_secret, info, psk, psk_id)



Barnes, et al.            Expires 19 June 2021                 [Page 15]


Internet-Draft                    HPKE                     December 2020


5.1.3.  Authentication using an Asymmetric Key

   This variant extends the base mechanism by allowing the recipient to
   authenticate that the sender possessed a given KEM private key.  This
   assurance is based on the assumption that "AuthDecap(enc, skR, pkS)"
   produces the correct KEM shared secret only if the encapsulated value
   "enc" was produced by "AuthEncap(pkR, skS)", where "skS" is the
   private key corresponding to "pkS".  In other words, at most two
   entities (precisely two, in the case of DHKEM) could have produced
   this secret, so if the recipient is at most one, then the sender is
   the other with overwhelming probability.

   The primary difference from the base case is that the calls to
   "Encap()" and "Decap()" are replaced with calls to "AuthEncap()" and
   "AuthDecap()", which add the sender public key to their internal
   context string.  The function parameters "pkR" and "pkS" are public
   keys, and "enc" is an encapsulated KEM shared secret.

   Obviously, this variant can only be used with a KEM that provides
   "AuthEncap()" and "AuthDecap()" procedures.

   This mechanism authenticates only the key pair of the sender, not any
   other identifier.  If an application wishes to bind HPKE ciphertexts
   or exported secrets to another identity for the sender (e.g., an
   email address or domain name), then this identifier should be
   included in the "info" parameter to avoid identity mis-binding issues
   [IMB].

   def SetupAuthS(pkR, info, skS):
     shared_secret, enc = AuthEncap(pkR, skS)
     return enc, KeyScheduleS(mode_auth, shared_secret, info,
                              default_psk, default_psk_id)

   def SetupAuthR(enc, skR, info, pkS):
     shared_secret = AuthDecap(enc, skR, pkS)
     return KeyScheduleR(mode_auth, shared_secret, info,
                         default_psk, default_psk_id)

5.1.4.  Authentication using both a PSK and an Asymmetric Key

   This mode is a straightforward combination of the PSK and
   authenticated modes.  The PSK is passed through to the key schedule
   as in the former, and as in the latter, we use the authenticated KEM
   variants.







Barnes, et al.            Expires 19 June 2021                 [Page 16]


Internet-Draft                    HPKE                     December 2020


   def SetupAuthPSKS(pkR, info, psk, psk_id, skS):
     shared_secret, enc = AuthEncap(pkR, skS)
     return enc, KeyScheduleS(mode_auth_psk, shared_secret, info,
                              psk, psk_id)

   def SetupAuthPSKR(enc, skR, info, psk, psk_id, pkS):
     shared_secret = AuthDecap(enc, skR, pkS)
     return KeyScheduleR(mode_auth_psk, shared_secret, info,
                         psk, psk_id)

   The PSK MUST have at least 32 bytes of entropy and SHOULD be of
   length "Nh" bytes or longer.  See Section 8.4 for a more detailed
   discussion.

5.2.  Encryption and Decryption

   HPKE allows multiple encryption operations to be done based on a
   given setup transaction.  Since the public-key operations involved in
   setup are typically more expensive than symmetric encryption or
   decryption, this allows applications to amortize the cost of the
   public-key operations, reducing the overall overhead.

   In order to avoid nonce reuse, however, this encryption must be
   stateful.  Each of the setup procedures above produces a role-
   specific context object that stores the AEAD and Secret Export
   parameters.  The AEAD parameters consist of:

   *  The AEAD algorithm in use

   *  A secret "key"

   *  A base nonce "base_nonce"

   *  A sequence number (initially 0)

   The Secret Export parameters consist of:

   *  The HPKE ciphersuite in use

   *  An "exporter_secret" used for the Secret Export interface; see
      Section 5.3










Barnes, et al.            Expires 19 June 2021                 [Page 17]


Internet-Draft                    HPKE                     December 2020


   All these parameters except the AEAD sequence number are constant.
   The sequence number provides nonce uniqueness: The nonce used for
   each encryption or decryption operation is the result of XORing
   "base_nonce" with the current sequence number, encoded as a big-
   endian integer of the same length as "base_nonce".  Implementations
   MAY use a sequence number that is shorter than the nonce length
   (padding on the left with zero), but MUST raise an error if the
   sequence number overflows.

   Encryption is unidirectional from sender to recipient.  The sender's
   context can encrypt a plaintext "pt" with associated data "aad" as
   follows:

   def ContextS.Seal(aad, pt):
     ct = Seal(self.key, self.ComputeNonce(self.seq), aad, pt)
     self.IncrementSeq()
     return ct

   The recipient's context can decrypt a ciphertext "ct" with associated
   data "aad" as follows:

   def ContextR.Open(aad, ct):
     pt = Open(self.key, self.ComputeNonce(self.seq), aad, ct)
     if pt == OpenError:
       raise OpenError
     self.IncrementSeq()
     return pt

   Each encryption or decryption operation increments the sequence
   number for the context in use.  The per-message nonce and sequence
   number increment details are as follows:

   def Context<ROLE>.ComputeNonce(seq):
     seq_bytes = I2OSP(seq, Nn)
     return xor(self.base_nonce, seq_bytes)

   def Context<ROLE>.IncrementSeq():
     if self.seq >= (1 << (8*Nn)) - 1:
       raise NonceOverflowError
     self.seq += 1

   The sender's context MUST NOT be used for decryption.  Similarly, the
   recipient's context MUST NOT be used for encryption.  Higher-level
   protocols re-using the HPKE key exchange for more general purposes
   can derive separate keying material as needed using use the Secret
   Export interface; see Section 5.3 and Section 8.7 for more details.





Barnes, et al.            Expires 19 June 2021                 [Page 18]


Internet-Draft                    HPKE                     December 2020


   It is up to the application to ensure that encryptions and
   decryptions are done in the proper sequence, so that encryption and
   decryption nonces align.  If "ContextS.Seal()" or "ContextR.Open()"
   would cause the "seq" field to overflow, then the implementation MUST
   fail with an error.  (In the pseudocode below,
   "Context<ROLE>.IncrementSeq()" fails with an error when "seq"
   overflows, which causes "ContextS.Seal()" and "ContextR.Open()" to
   fail accordingly.)  Note that the internal "Seal()" and "Open()"
   calls inside correspond to the context's AEAD algorithm.

5.3.  Secret Export

   HPKE provides an interface for exporting secrets from the encryption
   context using a variable-length PRF, similar to the TLS 1.3 exporter
   interface (see [RFC8446], Section 7.5).  This interface takes as
   input a context string "exporter_context" and a desired length "L" in
   bytes, and produces a secret derived from the internal exporter
   secret using the corresponding KDF Expand function.  For the KDFs
   defined in this specification, "L" has a maximum value of "255*Nh".
   Future specifications which define new KDFs MUST specify a bound for
   "L".

   The "exporter_context" field has a maximum length that depends on the
   KDF itself, on the definition of "LabeledExpand()", and on the
   constant labels used together with them.  See Section 7.2.1 for
   precise limits on this length.

   def Context.Export(exporter_context, L):
     return LabeledExpand(self.exporter_secret, "sec",
                          exporter_context, L)

   Applications that do not use the encryption API in Section 5.2 can
   use the export-only AEAD ID "0xFFFF" when computing the key schedule.
   Such applications can avoid computing the "key" and "base_nonce"
   values in the key schedule, as they are not used by the Export
   interface described above.

6.  Single-Shot APIs

6.1.  Encryption and Decryption

   In many cases, applications encrypt only a single message to a
   recipient's public key.  This section provides templates for HPKE
   APIs that implement stateless "single-shot" encryption and decryption
   using APIs specified in Section 5.1.1 and Section 5.2:






Barnes, et al.            Expires 19 June 2021                 [Page 19]


Internet-Draft                    HPKE                     December 2020


   def Seal<MODE>(pkR, info, aad, pt, ...):
     enc, ctx = Setup<MODE>S(pkR, info, ...)
     ct = ctx.Seal(aad, pt)
     return enc, ct

   def Open<MODE>(enc, skR, info, aad, ct, ...):
     ctx = Setup<MODE>R(enc, skR, info, ...)
     return ctx.Open(aad, ct)

   The "MODE" template parameter is one of Base, PSK, Auth, or AuthPSK.
   The optional parameters indicated by "..." depend on "MODE" and may
   be empty.  "SetupBase()", for example, has no additional parameters.
   "SealAuthPSK()" and "OpenAuthPSK()" would be implemented as follows:

   def SealAuthPSK(pkR, info, aad, pt, psk, psk_id, skS):
     enc, ctx = SetupAuthPSKS(pkR, info, psk, psk_id, skS)
     ct = ctx.Seal(aad, pt)
     return enc, ct

   def OpenAuthPSK(enc, skR, info, aad, ct, psk, psk_id, pkS):
     ctx = SetupAuthPSKR(enc, skR, info, psk, psk_id, pkS)
     return ctx.Open(aad, ct)

6.2.  Secret Export

   Applications may also want to derive a secret known only to a given
   recipient.  This section provides templates for HPKE APIs that
   implement stateless "single-shot" secret export using APIs specified
   in Section 5.3:

   def SendExport<MODE>(pkR, info, exporter_context, L, ...):
     enc, ctx = Setup<MODE>S(pkR, info, ...)
     exported = ctx.Export(exporter_context, L)
     return enc, exported

   def ReceiveExport<MODE>(enc, skR, info, exporter_context, L, ...):
     ctx = Setup<MODE>R(enc, skR, info, ...)
     return ctx.Export(exporter_context, L)

   As in Section 6.1, the "MODE" template parameter is one of Base, PSK,
   Auth, or AuthPSK.  The optional parameters indicated by "..." depend
   on "MODE" and may be empty.

7.  Algorithm Identifiers







Barnes, et al.            Expires 19 June 2021                 [Page 20]


Internet-Draft                    HPKE                     December 2020


7.1.  Key Encapsulation Mechanisms (KEMs)

   +=======+===============+=========+====+===+===+====+===============+
   |Value  | KEM           | Nsecret |Nenc|Npk|Nsk|Auth| Reference     |
   +=======+===============+=========+====+===+===+====+===============+
   |0x0000 | (reserved)    | N/A     |N/A |N/A|N/A|yes | N/A           |
   +-------+---------------+---------+----+---+---+----+---------------+
   |0x0010 | DHKEM(P-256,  | 32      |65  |65 |32 |yes | [NISTCurves], |
   |       | HKDF-SHA256)  |         |    |   |   |    | [RFC5869]     |
   +-------+---------------+---------+----+---+---+----+---------------+
   |0x0011 | DHKEM(P-384,  | 48      |97  |97 |48 |yes | [NISTCurves], |
   |       | HKDF-SHA384)  |         |    |   |   |    | [RFC5869]     |
   +-------+---------------+---------+----+---+---+----+---------------+
   |0x0012 | DHKEM(P-521,  | 64      |133 |133|66 |yes | [NISTCurves], |
   |       | HKDF-SHA512)  |         |    |   |   |    | [RFC5869]     |
   +-------+---------------+---------+----+---+---+----+---------------+
   |0x0020 | DHKEM(X25519, | 32      |32  |32 |32 |yes | [RFC7748],    |
   |       | HKDF-SHA256)  |         |    |   |   |    | [RFC5869]     |
   +-------+---------------+---------+----+---+---+----+---------------+
   |0x0021 | DHKEM(X448,   | 64      |56  |56 |56 |yes | [RFC7748],    |
   |       | HKDF-SHA512)  |         |    |   |   |    | [RFC5869]     |
   +-------+---------------+---------+----+---+---+----+---------------+

                                  Table 2

   The "Auth" column indicates if the KEM algorithm provides the
   "AuthEncap()"/"AuthDecap()" interface.  The meaning of all other
   columns is explained in Section 10.1.

7.1.1.  SerializePublicKey and DeserializePublicKey

   For P-256, P-384 and P-521, the "Serialize()" function of the KEM
   performs the uncompressed Elliptic-Curve-Point-to-Octet-String
   conversion according to [SECG].  "Deserialize()" performs the
   uncompressed Octet-String-to-Elliptic-Curve-Point conversion.

   For X25519 and X448, the "Serialize()" and "Deserialize()" functions
   are the identity function, since these curves already use fixed-
   length byte strings for public keys.

   Some deserialized public keys MUST be validated before they can be
   used.  See Section 7.1.4 for specifics.









Barnes, et al.            Expires 19 June 2021                 [Page 21]


Internet-Draft                    HPKE                     December 2020


7.1.2.  SerializePrivateKey and DeserializePrivateKey

   As per [SECG], P-256, P-384, and P-521 private keys are field
   elements in the scalar field of the curve being used.  For this
   section, and for Section 7.1.3, it is assumed that implementers of
   ECDH over these curves use an integer representation of private keys
   that is compatible with the "OS2IP()" function.

   For P-256, P-384 and P-521, the "SerializePrivateKey()" function of
   the KEM performs the Field-Element-to-Octet-String conversion
   according to [SECG].  If the private key is an integer outside the
   range "[0, order-1]", where "order" is the order of the curve being
   used, the private key MUST be reduced to its representative in "[0,
   order-1]" before being serialized.  "DeserializePrivateKey()"
   performs the Octet-String-to-Field-Element conversion according to
   [SECG].

   For X25519 and X448, private keys are identical to their byte string
   representation, so little processing has to be done.  The
   "SerializePrivateKey()" function MUST clamp its output and
   "DeserializePrivateKey()" MUST clamp its input, where _clamping_
   refers to the bitwise operations performed on "k" in the
   "decodeScalar25519()" and "decodeScalar448()" functions defined in
   section 5 of [RFC7748].

   To catch invalid keys early on, implementers of DHKEMs SHOULD check
   that deserialized private keys are not equivalent to 0 (mod "order"),
   where "order" is the order of the DH group.  Note that this property
   is trivially true for X25519 and X448 groups, since clamped values
   can never be 0 (mod "order").

7.1.3.  DeriveKeyPair

   The keys that "DeriveKeyPair()" produces have only as much entropy as
   the provided input keying material.  For a given KEM, the "ikm"
   parameter given to "DeriveKeyPair()" SHOULD have length at least
   "Nsk", and SHOULD have at least "Nsk" bytes of entropy.

   All invocations of KDF functions (such as "LabeledExtract" or
   "LabeledExpand") in any DHKEM's "DeriveKeyPair()" function use the
   DHKEM's associated KDF (as opposed to the ciphersuite's KDF).

   For P-256, P-384 and P-521, the "DeriveKeyPair()" function of the KEM
   performs rejection sampling over field elements:







Barnes, et al.            Expires 19 June 2021                 [Page 22]


Internet-Draft                    HPKE                     December 2020


   def DeriveKeyPair(ikm):
     dkp_prk = LabeledExtract("", "dkp_prk", ikm)
     sk = 0
     counter = 0
     while sk == 0 or sk >= order:
       if counter > 255:
         raise DeriveKeyPairError
       bytes = LabeledExpand(dkp_prk, "candidate",
                             I2OSP(counter, 1), Nsk)
       bytes[0] = bytes[0] & bitmask
       sk = OS2IP(bytes)
       counter = counter + 1
     return (sk, pk(sk))

   "order" is the order of the curve being used (see section D.1.2 of
   [NISTCurves]), and is listed below for completeness.

   P-256:
   0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

   P-384:
   0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf
     581a0db248b0a77aecec196accc52973

   P-521:
   0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     fa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409

   "bitmask" is defined to be 0xFF for P-256 and P-384, and 0x01 for
   P-521.  The precise likelihood of "DeriveKeyPair()" failing with
   DeriveKeyPairError depends on the group being used, but it is
   negligibly small in all cases.

   For X25519 and X448, the "DeriveKeyPair()" function applies a KDF to
   the input:

   def DeriveKeyPair(ikm):
     dkp_prk = LabeledExtract("", "dkp_prk", ikm)
     sk = LabeledExpand(dkp_prk, "sk", "", Nsk)
     return (sk, pk(sk))

7.1.4.  Validation of Inputs and Outputs

   The following public keys are subject to validation if the group
   requires public key validation: the sender MUST validate the
   recipient's public key "pkR"; the recipient MUST validate the
   ephemeral public key "pkE"; in authenticated modes, the recipient
   MUST validate the sender's static public key "pkS".



Barnes, et al.            Expires 19 June 2021                 [Page 23]


Internet-Draft                    HPKE                     December 2020


   For P-256, P-384 and P-521, senders and recipients MUST perform
   partial public-key validation on all public key inputs, as defined in
   section 5.6.2.3.4 of [keyagreement].  This includes checking that the
   coordinates are in the correct range, that the point is on the curve,
   and that the point is not the point at infinity.  Additionally,
   senders and recipients MUST ensure the Diffie-Hellman shared secret
   is not the point at infinity.

   For X25519 and X448, public keys and Diffie-Hellman outputs MUST be
   validated as described in [RFC7748].  In particular, recipients MUST
   check whether the Diffie-Hellman shared secret is the all-zero value
   and abort if so.

7.1.5.  Future KEMs

   Section 8.2 lists security requirements on a KEM used within HPKE.

   The "AuthEncap()" and "AuthDecap()" functions are OPTIONAL.  If a KEM
   algorithm does not provide them, only the Base and PSK modes of HPKE
   are supported.  Future specifications which define new KEMs MUST
   indicate whether or not Auth and AuthPSK modes are supported.

   A KEM algorithm may support different encoding algorithms, with
   different output lengths, for KEM public keys.  Such KEM algorithms
   MUST specify only one encoding algorithm whose output length is
   "Npk".

7.2.  Key Derivation Functions (KDFs)

                +========+=============+=====+===========+
                | Value  | KDF         | Nh  | Reference |
                +========+=============+=====+===========+
                | 0x0000 | (reserved)  | N/A | N/A       |
                +--------+-------------+-----+-----------+
                | 0x0001 | HKDF-SHA256 | 32  | [RFC5869] |
                +--------+-------------+-----+-----------+
                | 0x0002 | HKDF-SHA384 | 48  | [RFC5869] |
                +--------+-------------+-----+-----------+
                | 0x0003 | HKDF-SHA512 | 64  | [RFC5869] |
                +--------+-------------+-----+-----------+

                                 Table 3









Barnes, et al.            Expires 19 June 2021                 [Page 24]


Internet-Draft                    HPKE                     December 2020


7.2.1.  Input Length Restrictions

   This document defines "LabeledExtract()" and "LabeledExpand()" based
   on the KDFs listed above.  These functions add prefixes to their
   respective inputs "ikm" and "info" before calling the KDF's
   "Extract()" and "Expand()" functions.  This leads to a reduction of
   the maximum input length that is available for the inputs "psk",
   "psk_id", "info", "exporter_context", i.e., the variable-length
   parameters provided by HPKE applications.  The following table lists
   the maximum allowed lengths of these fields for the KDFs defined in
   this document, as inclusive bounds in bytes:

    +==================+==============+===============+===============+
    | Input            | HKDF-SHA256  | HKDF-SHA384   | HKDF-SHA512   |
    +==================+==============+===============+===============+
    | psk              | 2^{61} - 88  | 2^{125} - 152 | 2^{125} - 152 |
    +------------------+--------------+---------------+---------------+
    | psk_id           | 2^{61} - 93  | 2^{125} - 157 | 2^{125} - 157 |
    +------------------+--------------+---------------+---------------+
    | info             | 2^{61} - 91  | 2^{125} - 155 | 2^{125} - 155 |
    +------------------+--------------+---------------+---------------+
    | exporter_context | 2^{61} - 120 | 2^{125} - 200 | 2^{125} - 216 |
    +------------------+--------------+---------------+---------------+

                                  Table 4

   This shows that the limits are only marginally smaller than the
   maximum input length of the underlying hash function; these limits
   are large and unlikely to be reached in practical applications.
   Future specifications which define new KDFs MUST specify bounds for
   these variable-length parameters.

   The values for "psk", "psk_id", and "info" which are inputs to
   "LabeledExtract()" were computed with the following expression:

   max_size_hash_input - Nb - size_label_rfcXXXX -
       size_suite_id - size_input_label

   The value for "exporter_context" which is an input to
   "LabeledExpand()" was computed with the following expression:

   max_size_hash_input - Nb - Nh - size_label_rfcXXXX -
       size_suite_id - size_input_label - 2 - 1

   In these equations, "max_size_hash_input" is the maximum input length
   of the underlying hash function in bytes, "Nb" is the block size of
   the underlying hash function in bytes, "size_label_rfcXXXX" is the
   size of "HPKE-07" in bytes and equals 7, "size_suite_id" is the size



Barnes, et al.            Expires 19 June 2021                 [Page 25]


Internet-Draft                    HPKE                     December 2020


   of the "suite_id" and equals 10, and "size_input_label" is the size
   of the label used as parameter to "LabeledExtract()" or
   "LabeledExpand()".

   [[RFC editor: please change "HPKE-07" to "RFCXXXX", where XXXX is the
   final number, before publication.]]

7.3.  Authenticated Encryption with Associated Data (AEAD) Functions

          +========+==================+=====+=====+=============+
          | Value  | AEAD             | Nk  | Nn  | Reference   |
          +========+==================+=====+=====+=============+
          | 0x0000 | (reserved)       | N/A | N/A | N/A         |
          +--------+------------------+-----+-----+-------------+
          | 0x0001 | AES-128-GCM      | 16  | 12  | [GCM]       |
          +--------+------------------+-----+-----+-------------+
          | 0x0002 | AES-256-GCM      | 32  | 12  | [GCM]       |
          +--------+------------------+-----+-----+-------------+
          | 0x0003 | ChaCha20Poly1305 | 32  | 12  | [RFC8439]   |
          +--------+------------------+-----+-----+-------------+
          | 0xFFFF | Export-only      | N/A | N/A | [[RFCXXXX]] |
          +--------+------------------+-----+-----+-------------+

                                  Table 5

   The "0xFFFF" AEAD ID is reserved for applications which only use the
   Export interface; see Section 5.3 for more details.

8.  Security Considerations

8.1.  Security Properties

   HPKE has several security goals, depending on the mode of operation,
   against active and adaptive attackers that can compromise partial
   secrets of senders and recipients.  The desired security goals are
   detailed below:

   *  Message secrecy: Confidentiality of the sender's messages against
      chosen ciphertext attacks

   *  Export key secrecy: Indistinguishability of each export secret
      from a uniformly random bitstring of equal length, i.e.,
      "Context.Export" is a variable-length PRF

   *  Sender authentication: Proof of sender origin for PSK, Auth, and
      AuthPSK modes





Barnes, et al.            Expires 19 June 2021                 [Page 26]


Internet-Draft                    HPKE                     December 2020


   These security goals are expected to hold for any honest sender and
   honest recipient keys, as well as if the honest sender and honest
   recipient keys are the same.

   As noted in Section 8.6, HPKE does not provide forward secrecy.  In
   the Base and Auth modes, the secrecy properties are only expected to
   hold if the recipient private key "skR" is not compromised at any
   point in time.  In the PSK and AuthPSK modes, the secrecy properties
   are expected to hold if the recipient private key "skR" and the pre-
   shared key are not both compromised at any point in time.

   In the Auth mode, sender authentication is generally expected to hold
   if the sender private key "skS" is not compromised at the time of
   message reception.  In the AuthPSK mode, sender authentication is
   generally expected to hold if at the time of message reception, the
   sender private key skS and the pre-shared key are not both
   compromised.

8.1.1.  Key-Compromise Impersonation

   The DHKEM variants defined in this document are vulnerable to key-
   compromise impersonation attacks [BJM97], which means that sender
   authentication cannot be expected to hold in the Auth mode if the
   recipient private key "skR" is compromised, and in the AuthPSK mode
   if the pre-shared key and the recipient private key "skR" are both
   compromised.  NaCl's "box" interface [NaCl] has the same issue.  At
   the same time, this enables repudiability.

   As shown by [ABHKLR20], key-compromise impersonation attacks are
   generally possible on HPKE because KEM ciphertexts are not bound to
   HPKE messages.  An adversary who knows a recipient's private key can
   decapsulate an observed KEM ciphertext, compute the key schedule, and
   encrypt an arbitrary message that the recipient will accept as coming
   from the original sender.  Importantly, this is possible even with a
   KEM that is resistant to key-compromise impersonation attacks.  As a
   result, mitigating this issue requires fundamental changes that are
   out-of-scope of this specification.

   Applications that require resistance against key-compromise
   impersonation SHOULD take extra steps to prevent this attack.  One
   possibility is to produce a digital signature over "(enc, ct)" tuples
   using a sender's private key - where "ct" is an AEAD ciphertext
   produced by the single-shot or multi-shot API, and "enc" the
   corresponding KEM encapsulated key.

   Given these properties, pre-shared keys strengthen both the
   authentication and the secrecy properties in certain adversary
   models.  One particular example in which this can be useful is a



Barnes, et al.            Expires 19 June 2021                 [Page 27]


Internet-Draft                    HPKE                     December 2020


   hybrid quantum setting: if a non-quantum-resistant KEM used with HPKE
   is broken by a quantum computer, the security properties are
   preserved through the use of a pre-shared key.  This assumes that the
   pre-shared key has not been compromised, as described in [WireGuard].

8.1.2.  Computational Analysis

   It is shown in [CS01] that a hybrid public-key encryption scheme of
   essentially the same form as the Base mode described here is IND-
   CCA2-secure as long as the underlying KEM and AEAD schemes are IND-
   CCA2-secure.  Moreover, it is shown in [HHK06] that IND-CCA2 security
   of the KEM and the data encapsulation mechanism are necessary
   conditions to achieve IND-CCA2 security for hybrid public-key
   encryption.  The main difference between the scheme proposed in
   [CS01] and the Base mode in this document (both named HPKE) is that
   we interpose some KDF calls between the KEM and the AEAD.  Analyzing
   the HPKE Base mode instantiation in this document therefore requires
   verifying that the additional KDF calls do not cause the IND-CCA2
   property to fail, as well as verifying the additional export key
   secrecy property.

   Analysis of the PSK, Auth, and AuthPSK modes defined in this document
   additionally requires verifying the sender authentication property.
   While the PSK mode just adds supplementary keying material to the key
   schedule, the Auth and AuthPSK modes make use of a non-standard
   authenticated KEM construction.  Generally, the authenticated modes
   of HPKE can be viewed and analyzed as flavors of signcryption
   [SigncryptionDZ10].

   A preliminary computational analysis of all HPKE modes has been done
   in [HPKEAnalysis], indicating asymptotic security for the case where
   the KEM is DHKEM, the AEAD is any IND-CPA and INT-CTXT-secure scheme,
   and the DH group and KDF satisfy the following conditions:

   *  DH group: The gap Diffie-Hellman (GDH) problem is hard in the
      appropriate subgroup [GAP].

   *  "Extract()" and "Expand()" (in DHKEM): "Extract()" can be modeled
      as a random oracle.  "Expand()" can be modeled as a pseudorandom
      function, wherein the first argument is the key.

   *  "Extract()" and "Expand()" (elsewhere): "Extract()" can be modeled
      as a random oracle.  "Expand()" can be modeled as a pseudorandom
      function, wherein the first argument is the key.

   In particular, the KDFs and DH groups defined in this document (see
   Section 7.2 and Section 7.1) satisfy these properties when used as
   specified.  The analysis in [HPKEAnalysis] demonstrates that under



Barnes, et al.            Expires 19 June 2021                 [Page 28]


Internet-Draft                    HPKE                     December 2020


   these constraints, HPKE continues to provide IND-CCA2 security, and
   provides the additional properties noted above.  Also, the analysis
   confirms the expected properties hold under the different key
   compromise cases mentioned above.  The analysis considers a sender
   that sends one message using the encryption context, and additionally
   exports two independent secrets using the secret export interface.

   The table below summarizes the main results from [HPKEAnalysis].  N/A
   means that a property does not apply for the given mode, whereas "y"
   means the given mode satisfies the property.

          +=========+==============+=============+==============+
          | Variant | Message Sec. | Export Sec. | Sender Auth. |
          +=========+==============+=============+==============+
          | Base    |      y       |      y      |     N/A      |
          +---------+--------------+-------------+--------------+
          | PSK     |      y       |      y      |      y       |
          +---------+--------------+-------------+--------------+
          | Auth    |      y       |      y      |      y       |
          +---------+--------------+-------------+--------------+
          | AuthPSK |      y       |      y      |      y       |
          +---------+--------------+-------------+--------------+

                                  Table 6

   If non-DH-based KEMs are to be used with HPKE, further analysis will
   be necessary to prove their security.  The results from [CS01]
   provide some indication that any IND-CCA2-secure KEM will suffice
   here, but are not conclusive given the differences in the schemes.

   A detailed computational analysis of HPKE's Auth mode single-shot
   encryption API has been done in [ABHKLR20].  The paper defines
   security notions for authenticated KEMs and for authenticated public
   key encryption, using the outsider and insider security terminology
   known from signcryption [SigncryptionDZ10].  The analysis proves that
   DHKEM's "AuthEncap()"/"AuthDecap()" interface fulfills these notions
   for all Diffie-Hellman groups specified in this document, and
   indicates exact security bounds, under the assumption that the gap
   Diffie-Hellman (GDH) problem is hard in the appropriate subgroup
   [GAP], and that HKDF can be modeled as a random oracle.











Barnes, et al.            Expires 19 June 2021                 [Page 29]


Internet-Draft                    HPKE                     December 2020


   Further, [ABHKLR20] proves composition theorems, showing that HPKE's
   Auth mode fulfills the security notions of authenticated public key
   encryption for all KDFs and AEAD schemes specified in this document,
   given any authenticated KEM satisfying the previously defined
   security notions for authenticated KEMs.  The assumptions on the KDF
   are that "Extract()" and "Expand()" can be modeled as pseudorandom
   functions wherein the first argument is the key, respectively.  The
   assumption for the AEAD is IND-CPA and IND-CTXT security.

   In summary, the analysis in [ABHKLR20] proves that the single-shot
   encryption API of HPKE's Auth mode satisfies the desired message
   confidentiality and sender authentication properties listed at the
   beginning of this section; it does not consider multiple messages,
   nor the secret export API.

8.1.3.  Post-Quantum Security

   All of [CS01], [HPKEAnalysis], and [ABHKLR20] are premised on
   classical security models and assumptions, and do not consider
   adversaries capable of quantum computation.  A full proof of post-
   quantum security would need to take appropriate security models and
   assumptions into account, in addition to simply using a post-quantum
   KEM.  However, the composition theorems from [ABHKLR20] for HPKE's
   Auth mode only make standard assumptions (i.e., no random oracle
   assumption) that are expected to hold against quantum adversaries
   (although with slightly worse bounds).  Thus, these composition
   theorems, in combination with a post-quantum-secure authenticated
   KEM, guarantee the post-quantum security of HPKE's Auth mode.  In
   future work, the analysis from [ABHKLR20] can be extended to cover
   HPKE's other modes and desired security properties.  The hybrid
   quantum-resistance property described above, which is achieved by
   using the PSK or AuthPSK mode, is not proven in [HPKEAnalysis]
   because this analysis requires the random oracle model; in a quantum
   setting, this model needs adaption to, for example, the quantum
   random oracle model.

8.2.  Security Requirements on a KEM used within HPKE

   A KEM used within HPKE MUST allow HPKE to satisfy its desired
   security properties described in Section 8.1.  In particular, the KEM
   shared secret MUST be a uniformly random byte string of length
   "Nsecret".  This means, for instance, that it would not be sufficient
   if the KEM shared secret is only uniformly random as an element of
   some set prior to its encoding as byte string.







Barnes, et al.            Expires 19 June 2021                 [Page 30]


Internet-Draft                    HPKE                     December 2020


8.2.1.  Encap/Decap Interface

   As mentioned in Section 8, [CS01] provides some indications that if
   the KEM's "Encap()"/"Decap()" interface (which is used in the Base
   and PSK modes), is IND-CCA2-secure, HPKE is able to satisfy its
   desired security properties.  An appropriate definition of IND-
   CCA2-security for KEMs can be found in [CS01] and [BHK09].

8.2.2.  AuthEncap/AuthDecap Interface

   The analysis of HPKE's Auth mode single-shot encryption API in
   [ABHKLR20] provides composition theorems that guarantee that HPKE's
   Auth mode achieves its desired security properties if the KEM's
   "AuthEncap()"/"AuthDecap()" interface satisfies multi-user Outsider-
   CCA, Outsider-Auth, and Insider-CCA security as defined in the same
   paper.

   Intuitively, Outsider-CCA security formalizes confidentiality, and
   Outsider-Auth security formalizes authentication of the KEM shared
   secret in case none of the sender or recipient private keys are
   compromised.  Insider-CCA security formalizes confidentiality of the
   KEM shared secret in case the sender private key is known or chosen
   by the adversary.  (If the recipient private key is known or chosen
   by the adversary, confidentiality is trivially broken, because then
   the adversary knows all secrets on the recipient's side).

   An Insider-Auth security notion would formalize authentication of the
   KEM shared secret in case the recipient private key is known or
   chosen by the adversary.  (If the sender private key is known or
   chosen by the adversary, it can create KEM ciphertexts in the name of
   the sender).  Because of the generic attack on an analogous Insider-
   Auth security notion of HPKE described in Section 8.1, a definition
   of Insider-Auth security for KEMs used within HPKE is not useful.

8.3.  Security Requirements on a KDF

   The choice of the KDF for the remainder of HPKE SHOULD be made based
   on the security level provided by the KEM and, if applicable, by the
   PSK.  The KDF SHOULD have at least have the security level of the KEM
   and SHOULD at least have the security level provided by the PSK.

8.4.  Pre-Shared Key Recommendations

   In the PSK and AuthPSK modes, the PSK MUST have at least 32 bytes of
   entropy and SHOULD be of length "Nh" bytes or longer.  Using a PSK
   longer than 32 bytes but shorter than "Nh" bytes is permitted.





Barnes, et al.            Expires 19 June 2021                 [Page 31]


Internet-Draft                    HPKE                     December 2020


   HPKE is specified to use HKDF as key derivation function.  HKDF is
   not designed to slow down dictionary attacks, see [RFC5869].  Thus,
   HPKE's PSK mechanism is not suitable for use with a low-entropy
   password as the PSK: in scenarios in which the adversary knows the
   KEM shared secret "shared_secret" and has access to an oracle that
   allows to distinguish between a good and a wrong PSK, it can perform
   PSK-recovering attacks.  This oracle can be the decryption operation
   on a captured HPKE ciphertext or any other recipient behavior which
   is observably different when using a wrong PSK.  The adversary knows
   the KEM shared secret "shared_secret" if it knows all KEM private
   keys of one participant.  In the PSK mode this is trivially the case
   if the adversary acts as sender.

   To recover a lower entropy PSK, an attacker in this scenario can
   trivially perform a dictionary attack.  Given a set "S" of possible
   PSK values, the attacker generates an HPKE ciphertext for each value
   in "S", and submits the resulting ciphertexts to the oracle to learn
   which PSK is being used by the recipient.  Further, because HPKE uses
   AEAD schemes that are not key-committing, an attacker can mount a
   partitioning oracle attack [LGR20] which can recover the PSK from a
   set of "S" possible PSK values, with |S| = m*k, in roughly m + log k
   queries to the oracle using ciphertexts of length proportional to k,
   the maximum message length in blocks.  The PSK must therefore be
   chosen with sufficient entropy so that m + log k is prohibitive for
   attackers (e.g., 2^128).

8.5.  Domain Separation

   HPKE allows combining a DHKEM variant DHKEM(Group, KDF') and a KDF
   such that both KDFs are instantiated by the same KDF.  By design, the
   calls to "Extract()" and "Expand()" inside DHKEM and the remainder of
   HPKE have different prefix-free encodings for the second parameter.
   This is achieved by the different prefix-free label parameters in the
   calls to "LabeledExtract()" and "LabeledExpand()".  This serves to
   separate the input domains of all "Extract()" and "Expand()"
   invocations.  It also justifies modeling them as independent
   functions even if instantiated by the same KDF.

   Future KEM instantiations MUST ensure that all internal invocations
   of "Extract()" and "Expand()" can be modeled as functions independent
   from the invocations of "Extract()" and "Expand()" in the remainder
   of HPKE.  One way to ensure this is by using an equal or similar
   prefixing scheme with an identifier different from "HPKE-07".
   Particular attention needs to be paid if the KEM directly invokes
   functions that are used internally in HPKE's "Extract()" or
   "Expand()", such as "Hash()" and "HMAC()" in the case of HKDF.  It
   MUST be ensured that inputs to these invocations cannot collide with
   inputs to the internal invocations of these functions inside Extract



Barnes, et al.            Expires 19 June 2021                 [Page 32]


Internet-Draft                    HPKE                     December 2020


   or Expand.  In HPKE's "KeySchedule()" this is avoided by using
   "Extract()" instead of "Hash()" on the arbitrary-length inputs "info"
   and "psk_id".

   The string literal "HPKE-07" used in "LabeledExtract()" and
   "LabeledExpand()" ensures that any secrets derived in HPKE are bound
   to the scheme's name, even when possibly derived from the same
   Diffie-Hellman or KEM shared secret as in another scheme.

8.6.  External Requirements / Non-Goals

   HPKE is designed to be a fairly low-level primitive, and thus does
   not provide several features that a more high-level protocol might
   provide, for example:

   *  Downgrade prevention - HPKE assumes that the sender and recipient
      agree on what algorithms to use.  Depending on how these
      algorithms are negotiated, it may be possible for an intermediary
      to force the two parties to use suboptimal algorithms.

   *  Replay protection - The requirement that ciphertexts be presented
      to the "ContextR.Open()" function in the same order they were
      generated by "ContextS.Seal()" provides a degree of replay
      protection within a stream of ciphertexts resulting from a given
      context.  HPKE provides no other replay protection.

   *  Forward secrecy - HPKE ciphertexts are not forward-secure.  In the
      Base and Auth modes, a given ciphertext can be decrypted if the
      recipient's public encryption key is compromised.  In the PSK and
      AuthPSK modes, a given ciphertext can be decrypted if the
      recipient's private key and the PSK are compromised.

   *  Hiding plaintext length - AEAD ciphertexts produced by HPKE do not
      hide the plaintext length.  Applications requiring this level of
      privacy should use a suitable padding mechanism.  See
      [I-D.ietf-tls-esni] and [RFC8467] for examples of protocol-
      specific padding policies.

8.7.  Bidirectional Encryption

   As discussed in Section 5.2, HPKE encryption is unidirectional from
   sender to recipient.  Applications that require bidirectional
   encryption can derive necessary keying material with the Secret
   Export interface Section 5.3.  The type and length of such keying
   material depends on the application use case.






Barnes, et al.            Expires 19 June 2021                 [Page 33]


Internet-Draft                    HPKE                     December 2020


   As an example, if an application needs AEAD encryption from recipient
   to sender, it can derive a key and nonce from the corresponding HPKE
   context as follows:

   key = context.Export("response key", Nk)
   nonce = context.Export("response nonce", Nn)

   In this example, the length of each secret is based on the AEAD
   algorithm used for the corresponding HPKE context.

   Note that HPKE's limitations with regard to sender authentication
   become limits on recipient authentication in this context.  In
   particular, in the Base mode, there is no authentication of the
   remote party at all.  Even in the Auth mode, where the remote party
   has proven that they hold a specific private key, this authentication
   is still subject to Key-Compromise Impersonation, as discussed in
   Section 8.1.1.

8.8.  Metadata Protection

   The authenticated modes of HPKE (PSK, Auth, AuthPSK) require that the
   recipient know what key material to use for the sender.  This can be
   signaled in applications by sending the PSK ID ("psk_id" above) and/
   or the sender's public key ("pkS").  However, these values themselves
   might be considered sensitive, since in a given application context,
   they might identify the sender.

   An application that wishes to protect these metadata values without
   requiring further provisioning of keys can use an additional instance
   of HPKE, using the unauthenticated Base mode.  Where the application
   might have sent "(psk_id, pkS, enc, ciphertext)" before, it would now
   send "(enc2, ciphertext2, enc, ciphertext)", where "(enc2,
   ciphertext2)" represent the encryption of the "psk_id" and "pkS"
   values.

   The cost of this approach is an additional KEM operation each for the
   sender and the recipient.  A potential lower-cost approach (involving
   only symmetric operations) would be available if the nonce-protection
   schemes in [BNT19] could be extended to cover other metadata.
   However, this construction would require further analysis.











Barnes, et al.            Expires 19 June 2021                 [Page 34]


Internet-Draft                    HPKE                     December 2020


9.  Message Encoding

   This document does not specify a wire format encoding for HPKE
   messages.  Applications that adopt HPKE must therefore specify an
   unambiguous encoding mechanism which includes, minimally: the
   encapsulated value "enc", ciphertext value(s) (and order if there are
   multiple), and any info values that are not implicit.  One example of
   a non-implicit value is the recipient public key used for
   encapsulation, which may be needed if a recipient has more than one
   public key.

10.  IANA Considerations

   This document requests the creation of three new IANA registries:

   *  HPKE KEM Identifiers

   *  HPKE KDF Identifiers

   *  HPKE AEAD Identifiers

   All these registries should be under a heading of "Hybrid Public Key
   Encryption", and administered under a Specification Required policy
   [RFC8126]

10.1.  KEM Identifiers

   The "HPKE KEM Identifiers" registry lists identifiers for key
   encapsulation algorithms defined for use with HPKE.  These are two-
   byte values, so the maximum possible value is 0xFFFF = 65535.

   Template:

   *  Value: The two-byte identifier for the algorithm

   *  KEM: The name of the algorithm

   *  Nsecret: The length in bytes of a KEM shared secret produced by
      the algorithm

   *  Nenc: The length in bytes of an encoded encapsulated key produced
      by the algorithm

   *  Npk: The length in bytes of an encoded public key for the
      algorithm

   *  Nsk: The length in bytes of an encoded private key for the
      algorithm



Barnes, et al.            Expires 19 June 2021                 [Page 35]


Internet-Draft                    HPKE                     December 2020


   *  Auth: A boolean indicating if this algorithm provides the
      "AuthEncap()"/"AuthDecap()" interface

   *  Reference: Where this algorithm is defined

   Initial contents: Provided in Section 7.1

10.2.  KDF Identifiers

   The "HPKE KDF Identifiers" registry lists identifiers for key
   derivation functions defined for use with HPKE.  These are two-byte
   values, so the maximum possible value is 0xFFFF = 65535.

   Template:

   *  Value: The two-byte identifier for the algorithm

   *  KDF: The name of the algorithm

   *  Nh: The output size of the Extract function in bytes

   *  Reference: Where this algorithm is defined

   Initial contents: Provided in Section 7.2

10.3.  AEAD Identifiers

   The "HPKE AEAD Identifiers" registry lists identifiers for
   authenticated encryption with associated data (AEAD) algorithms
   defined for use with HPKE.  These are two-byte values, so the maximum
   possible value is 0xFFFF = 65535.

   Template:

   *  Value: The two-byte identifier for the algorithm

   *  AEAD: The name of the algorithm

   *  Nk: The length in bytes of a key for this algorithm

   *  Nn: The length in bytes of a nonce for this algorithm

   *  Reference: Where this algorithm is defined

   Initial contents: Provided in Section 7.3






Barnes, et al.            Expires 19 June 2021                 [Page 36]


Internet-Draft                    HPKE                     December 2020


11.  Acknowledgements

   The authors would like to thank Joel Alwen, Jean-Philippe Aumasson,
   David Benjamin, Benjamin Beurdouche, Bruno Blanchet, Frank Denis,
   Stephen Farrell, Scott Fluhrer, Eduard Hauck, Scott Hollenbeck, Kevin
   Jacobs, Burt Kaliski, Eike Kiltz, Julia Len, John Mattsson,
   Christopher Patton, Doreen Riepel, Raphael Robert, Michael Rosenberg,
   Michael Scott, Steven Valdez, Riad Wahby, and other contributors in
   the CFRG for helpful feedback that greatly improved this document.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
              <https://www.rfc-editor.org/info/rfc5116>.

   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
              "PKCS #1: RSA Cryptography Specifications Version 2.2",
              RFC 8017, DOI 10.17487/RFC8017, November 2016,
              <https://www.rfc-editor.org/info/rfc8017>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2.  Informative References

   [ABHKLR20] Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B.,
              and D. Riepel, "Analysing the HPKE Standard", 2020,
              <https://eprint.iacr.org/2020/1499>.

   [ANSI]     American National Standards Institute, "ANSI X9.63 Public
              Key Cryptography for the Financial Services Industry --
              Key Agreement and Key Transport Using Elliptic Curve
              Cryptography", 2001.




Barnes, et al.            Expires 19 June 2021                 [Page 37]


Internet-Draft                    HPKE                     December 2020


   [BHK09]    Mihir Bellare, ., Dennis Hofheinz, ., and . Eike Kiltz,
              "Subtleties in the Definition of IND-CCA: When and How
              Should Challenge-Decryption be Disallowed?", 2009,
              <https://eprint.iacr.org/2009/418>.

   [BJM97]    Blake-Wilson, S., Johnson, D., and A. Menezes, "Key
              agreement protocols and their security analysis: Extended
              Abstract", DOI 10.1007/bfb0024447, Crytography and
              Coding pp. 30-45, 1997,
              <https://doi.org/10.1007/bfb0024447>.

   [BNT19]    Bellare, M., Ng, R., and B. Tackmann, "Nonces Are Noticed:
              AEAD Revisited", 2019,
              <http://dx.doi.org/10.1007/978-3-030-26948-7_9>.

   [CS01]     Cramer, R. and V. Shoup, "Design and Analysis of Practical
              Public-Key Encryption Schemes Secure against Adaptive
              Chosen Ciphertext Attack", 2001,
              <https://eprint.iacr.org/2001/108>.

   [GAP]      Okamoto, T. and D. Pointcheval, "The Gap-Problems - a New
              Class of Problems for the Security of Cryptographic
              Schemes", ISBN 978-3-540-44586-9, 2001,
              <https://link.springer.com/content/
              pdf/10.1007/3-540-44586-2_8.pdf>.

   [GCM]      Dworkin, M., "Recommendation for block cipher modes of
              operation :: GaloisCounter Mode (GCM) and GMAC",
              DOI 10.6028/nist.sp.800-38d, National Institute of
              Standards and Technology report, 2007,
              <https://doi.org/10.6028/nist.sp.800-38d>.

   [HHK06]    Herranz, J., Hofheinz, D., and E. Kiltz, "Some
              (in)sufficient conditions for secure hybrid encryption",
              2006, <https://eprint.iacr.org/2006/265>.

   [HPKEAnalysis]
              Lipp, B., "An Analysis of Hybrid Public Key Encryption",
              2020, <https://eprint.iacr.org/2020/243.pdf>.

   [I-D.ietf-mls-protocol]
              Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-
              Gordon, K., and R. Robert, "The Messaging Layer Security
              (MLS) Protocol", Work in Progress, Internet-Draft, draft-
              ietf-mls-protocol-10, 31 October 2020,
              <http://www.ietf.org/internet-drafts/draft-ietf-mls-
              protocol-10.txt>.




Barnes, et al.            Expires 19 June 2021                 [Page 38]


Internet-Draft                    HPKE                     December 2020


   [I-D.ietf-tls-esni]
              Rescorla, E., Oku, K., Sullivan, N., and C. Wood, "TLS
              Encrypted Client Hello", Work in Progress, Internet-Draft,
              draft-ietf-tls-esni-08, 16 October 2020,
              <http://www.ietf.org/internet-drafts/draft-ietf-tls-esni-
              08.txt>.

   [IEEE1363] Institute of Electrical and Electronics Engineers, "IEEE
              1363a, Standard Specifications for Public Key Cryptography
              - Amendment 1 -- Additional Techniques"", 2004.

   [IMB]      Diffie, W., Van Oorschot, P., and M. Wiener,
              "Authentication and authenticated key exchanges",
              DOI 10.1007/bf00124891, Designs, Codes and
              Cryptography Vol. 2, pp. 107-125, June 1992,
              <https://doi.org/10.1007/bf00124891>.

   [ISO]      International Organization for Standardization /
              International Electrotechnical Commission, "ISO/IEC
              18033-2, Information Technology - Security Techniques -
              Encryption Algorithms - Part 2 -- Asymmetric Ciphers",
              2006.

   [keyagreement]
              Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
              Davis, "Recommendation for pair-wise key-establishment
              schemes using discrete logarithm cryptography",
              DOI 10.6028/nist.sp.800-56ar3, National Institute of
              Standards and Technology report, April 2018,
              <https://doi.org/10.6028/nist.sp.800-56ar3>.

   [LGR20]    Len, J., Grubbs, P., and T. Ristenpart, "Partitioning
              Oracle Attacks".

   [MAEA10]   Gayoso Martinez, V., Hernandez Alvarez, F., Hernandez
              Encinas, L., and C. Sanchez Avila, "A Comparison of the
              Standardized Versions of ECIES", 2010,
              <https://ieeexplore.ieee.org/abstract/document/5604194/>.

   [NaCl]     "Public-key authenticated encryption: crypto_box", 2019,
              <https://nacl.cr.yp.to/box.html>.

   [NISTCurves]
              "Digital Signature Standard (DSS)",
              DOI 10.6028/nist.fips.186-4, National Institute of
              Standards and Technology report, July 2013,
              <https://doi.org/10.6028/nist.fips.186-4>.




Barnes, et al.            Expires 19 June 2021                 [Page 39]


Internet-Draft                    HPKE                     December 2020


   [RFC1421]  Linn, J., "Privacy Enhancement for Internet Electronic
              Mail: Part I: Message Encryption and Authentication
              Procedures", RFC 1421, DOI 10.17487/RFC1421, February
              1993, <https://www.rfc-editor.org/info/rfc1421>.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8439]  Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
              Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
              <https://www.rfc-editor.org/info/rfc8439>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8467]  Mayrhofer, A., "Padding Policies for Extension Mechanisms
              for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467,
              October 2018, <https://www.rfc-editor.org/info/rfc8467>.

   [SECG]     "Elliptic Curve Cryptography, Standards for Efficient
              Cryptography Group, ver. 2", 2009,
              <https://secg.org/sec1-v2.pdf>.

   [SigncryptionDZ10]
              "Practical Signcryption", DOI 10.1007/978-3-540-89411-7,
              Information Security and Cryptography, 2010,
              <https://doi.org/10.1007/978-3-540-89411-7>.

   [TestVectors]
              "HPKE Test Vectors", 2020, <https://github.com/cfrg/draft-
              irtf-cfrg-
              hpke/blob/3d6ced124134825ed7a953b126cf5f756d960bc9/test-
              vectors.json>.

   [WireGuard]
              Donenfeld, J.A., "WireGuard: Next Generation Kernel
              Network Tunnel", 2020,
              <https://www.wireguard.com/papers/wireguard.pdf>.






Barnes, et al.            Expires 19 June 2021                 [Page 40]


Internet-Draft                    HPKE                     December 2020


Appendix A.  Test Vectors

   These test vectors are also available in JSON format at
   [TestVectors].  Note that the plaintext is the same for each test
   vector.  Only the nonce and AAD values differ.  In these vectors,
   "GenerateKeyPair()" is implemented as "DeriveKeyPair(random(Nsk))".

A.1.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM

A.1.1.  Base Setup Information

mode: 0
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 6305de86b3cec022fae6f2f2d2951f0f90c8662112124fd62f17e0a99bdbd08e
pkEm: 950897e0d37a8bdb0f2153edf5fa580a64b399c39fbb3d014f80983352a63617
skEm: 6cee2e2755790708a2a1be22667883a5e3f9ec52810404a0d889a0ed3e28de00
ikmR: 6d9014e4609687b0a3670a22f2a14eac5ae6ad8c0beb62fb3ecb13dc8ebf5e06
pkRm: a5912b20892e36905bac635267e2353d58f8cc7525271a2bf57b9c48d2ec2c07
skRm: ecaf25b8485bcf40b9f013dbb96a6230f25733b8435bba0997a1dedbc7f78806
enc: 950897e0d37a8bdb0f2153edf5fa580a64b399c39fbb3d014f80983352a63617
shared_secret:
799b7b9a6a070e77ee9b9a2032f6624b273b532809c60200eba17ac3baf69a00
key_schedule_context: 002acc146c3ed28a930a50da2b269cb150a8a78a54081f81db
457ac52d5bd2f581cb95a2c63b1dac72dc030fbe46d152ccb09f43fdf6e74d13660a4bd8
0ff49b55
secret: 3ed37d4c4c7e3ebe6cb1fca03eabd4c878b442da340915d51d6ed49d8369d785
key: e20cee1bf5392ad2d3a442e231f187ae
base_nonce: 5d99b2f03c452f7a9441933a
exporter_secret:
00c3cdacab28e981cc907d12e4f55f0aacae261dbb4eb610447a6bc431bfe2aa

A.1.1.1.  Encryptions
















Barnes, et al.            Expires 19 June 2021                 [Page 41]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 5d99b2f03c452f7a9441933a
ciphertext: 9418f1ae06eddc43aa911032aed4a951754ee2286a786733761857f8d96a
7ec8d852da93bc5eeab49623344aba

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 5d99b2f03c452f7a9441933b
ciphertext: 74d69c61899b9158bb50e95d92fbad106f612ea67c61b3c4bef65c8bf3dc
18e17bf41ec4c408688aae58358d0e

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 5d99b2f03c452f7a94419338
ciphertext: e6602db9be05d81c4ab8fa621bc35993a7b759851075a34b3bffd2573400
11c70c9fa1f5c11868a076fc3adb3b

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 5d99b2f03c452f7a9441933e
ciphertext: 71b51365cdd10e13883b12811d31132e5fbe39f9bd19c414cc0dfd81f853
d11dbb3fe70bb3bb93210f4785e27f

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 5d99b2f03c452f7a944193c5
ciphertext: 2cabaf3c878715e4fd81233753178b67210267c6468cb47d1385c3795997
f17ec871267abbcbdb920ffe8a315e

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 5d99b2f03c452f7a9441923a
ciphertext: f49d01ae618057302fc2652626e563cbaa849381b1aa8f4ae69dc5778c9e
c7751ac755f2f486241d150b969263

A.1.1.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 42]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   be82c06bd83fd6edd74385de5a70859b9e03def4c7bb224a10cfae86087f8a25

   exporter_context: 00
   L: 32
   exported_value:
   82cbfd3c2b2db75e2311d457e569cf12b6387eb4309bca8e77adb2f2b599fc85

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   c8387c1e6ec4f026c7f3577e3f29df51f46161295eec84c4f64a9174f7b64e4f

A.1.2.  PSK Setup Information

mode: 1
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: abd63dfd2fb9ccf8789cae5a6aff91e07f9f5925c27f005e702bf956b0000a85
pkEm: f16fa9440b2cb36c855b4b82fb87e1c02ce656dd132f7a7aec739294b6912768
skEm: 4c1feed23e15ec6a55b8457e0c0f42a3a1ab3ccc309b7cbb7ac6165fc657bd3b
ikmR: 654e8b44e8e29fc75f3beadf7f28dc065e38a53c1a731e15f2d46fd6130574da
pkRm: 13c789187a2dda71889e4b98dc5443624ae68f309cea91865561cfa207586e3a
skRm: 8e5430f0d821407670e5e3f6eecc9f52b2cad27b15a5fad1f3d05359ae30d81c
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: f16fa9440b2cb36c855b4b82fb87e1c02ce656dd132f7a7aec739294b6912768
shared_secret:
eeca0089c3e7d96d31f7c492f719a7a6cddec0170e9aba954c7ac8ca98388e0d
key_schedule_context: 01deb296ccdb4fa0a001eef56dd3b10577b30352610d1639fd
5738efd4acb8e4e6cb95a2c63b1dac72dc030fbe46d152ccb09f43fdf6e74d13660a4bd8
0ff49b55
secret: d09cfdb666083e43919c63130bc51234fcb1111f23795ac299cf60353447492f
key: 70030b55bfb737d4f4355cf62302d281
base_nonce: 746d5e6255902701c3e0b99f
exporter_secret:
716043e2ac96b23e6f12983e11b6894e7b7dab8a9e40976b467c514f59700d9a

A.1.2.1.  Encryptions








Barnes, et al.            Expires 19 June 2021                 [Page 43]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 746d5e6255902701c3e0b99f
ciphertext: 63f7ed3d99e625d4a7373982b5f04daf0c3dfff39cac4b38eeb9d5c225cc
3183bdbc91a053db9b195319cc8c45

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 746d5e6255902701c3e0b99e
ciphertext: 65e7160f80fdf47893a5abe1edcff46c85899f04acb97882e194ce6d4fce
ec2dc4cb2d3abe5d969880722859b2

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 746d5e6255902701c3e0b99d
ciphertext: 915e08e6e340fca64982e90ad93490826bfb74af8f48062212c87105dad2
b7569c83688e564ed5862592b77cdc

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 746d5e6255902701c3e0b99b
ciphertext: 2dfc4bd86f24d09126959252139a5cb19a39995b68e3babbe331a512c6f1
a18e4b02f5f38423ac63a0c1e95809

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 746d5e6255902701c3e0b960
ciphertext: 5489a14805bdd8e4012e89d7e5de3f5831fd4b9ce02c108df8245fb5c7c6
f48120f2fce32201c2ead19baba011

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 746d5e6255902701c3e0b89f
ciphertext: 298dbeb43b37066d7d4694a44382d6c71bace7b81e11ae60f49f925f9038
74a8387e6be66a20439c66cdbfe832

A.1.2.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 44]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   7c40ceb745e14d19fceeac6e4756c796957fe5ff28709198c3f8cbdb5d368fe1

   exporter_context: 00
   L: 32
   exported_value:
   1ef0fd07bd40326f1b88f3545c92969cff202ca7186b9fd1315241f93fcc2edf

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   997368419db9490aa96c977cdd90bda8fd6234054d4add3d2f31aaaa2f8c1172

A.1.3.  Auth Setup Information

mode: 2
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 42d691088397246b00e9d9ce8f5406a317433558dc28132e02618970005d02fd
pkEm: 96f2d7d320decc5da12913a8251104fb4a410af12428a2c4f6213e568bc2f667
skEm: 6cdeec1514dd68afb70e7f2b14885acab48dbf997cdf6f367ce2ae551a6b627f
ikmR: fb953f486ef5f7a1ceddff40bffe02b857c8af9d611966e417a24d6efa7c9d1c
pkRm: 2b91c9e32324d39a018df09cd0a542b3e084e138a5f07f46a72f97e7fb7b0f04
skRm: c60d9ae57ca4dbba20f6f66afee34b0032bb6ee20c12c4801a3add63150ad746
ikmS: 131aa907c85b05726e7a058b064bf29cb2cb72a2afbffbd8076a884291f3143e
pkSm: 8e3052be1d6dc84f542a787b83002b3d57f4dc80ff4d1cd5e7d42d83c1e9b809
skSm: 639e6c9994f499e17eaf385f06d412fd8c2f74e17636b17ddeb1dffb0d6bfeee
enc: 96f2d7d320decc5da12913a8251104fb4a410af12428a2c4f6213e568bc2f667
shared_secret:
372455d46f8b665bc6c1335c9aef7f82289c4f0f75e3d934f52961404449ca4e
key_schedule_context: 022acc146c3ed28a930a50da2b269cb150a8a78a54081f81db
457ac52d5bd2f581cb95a2c63b1dac72dc030fbe46d152ccb09f43fdf6e74d13660a4bd8
0ff49b55
secret: 2d13ab71ea12f2dec7645f42f558cb0c791bd2cb4efa5e388d8bc9becd907a94
key: 1fb76aa488e82d61a1bddd9c0be51299
base_nonce: 5c4cf7f8b977e3b820a2555e
exporter_secret:
6b0d8f39bc80648a1ec0d2061afcb655358f66fa78fa826731d5dd58d22f1478

A.1.3.1.  Encryptions







Barnes, et al.            Expires 19 June 2021                 [Page 45]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 5c4cf7f8b977e3b820a2555e
ciphertext: e0d7a2da87292d7f3266a3d4e111af43baf5b72e0bf34c6a301d66a20f52
b84ef752bf2a4e9be760cb5f1664db

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 5c4cf7f8b977e3b820a2555f
ciphertext: 014430e7ea83f18570a4a523245b7aa1f7ca058ab6a78f7fd348e80e1359
e966cfc327b683f5c8e2c6525fa525

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 5c4cf7f8b977e3b820a2555c
ciphertext: be2c05cbb61276c68469eb482b08f8c2974c2df185e44b5cc526ee411ef4
57304d86b6efafac85daf8f19bdb7e

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 5c4cf7f8b977e3b820a2555a
ciphertext: 8111e411693a73884a25673e0aa423701634d10dc4a27843a93e2e9d745d
d74072de63afd0d7999d34ab463b31

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 5c4cf7f8b977e3b820a255a1
ciphertext: 1e4f396ad6d1537c3fda112e1311e6f79914fd5c1651620dc8d88cadddb4
bbd9b57d4d24bf6b043685b82f5b64

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 5c4cf7f8b977e3b820a2545e
ciphertext: ef9a271a5e2481228cc85270ec74760daa952ce233846cdc58321f4eca1a
8166a2f0c25388262373a659bc044a

A.1.3.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 46]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   e7144368d4722037591022b6ac29ac1a8f530a76dcfd8ad0d395501e7c5e8fb5

   exporter_context: 00
   L: 32
   exported_value:
   1725c4cd5e7f3cd5764d12dd1d9628485ed06a0db43b8b71e169177b905622d4

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   175eb5d853ed45eb38934d3d3fdd5b9297711fba6b1f03224d7b1b3b24dfa8fe

A.1.4.  AuthPSK Setup Information

mode: 3
kem_id: 32
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 0c3a14fe896a7166f4d5e2a21c903b69f9ca71783290ca10f1b8c5eb258149be
pkEm: 073dc67ae68dec787f15bd37049cde739292efe95f5424d5a4cc1a1fe64a262c
skEm: 4ef985b4e27405436f849731258af97a5f4f286a3caf1ebe6222e166d132e884
ikmR: b759021868fba28c1ddd509eaac450a896ab0f5edffead0a019fecb574950d64
pkRm: 99c4a48235a345f11dd05ae39a142248af70abb88ade8004de38521328975212
skRm: 45baf5fb10484279eaad27c931bd2951065952829b79546d046f12637ce8fad1
ikmS: 2e7219703b6659698e4c2d141d13e0092df7039212db9c97e347c7d2c0aee239
pkSm: 08dd3ff3cab7fb8d530ac02474596cd72dd71c3bc0254bd1c8cd37ebe65b4312
skSm: 821c5beee84061b34016bd55c957fc4175754fde521e0604de7163a5d1c7b428
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 073dc67ae68dec787f15bd37049cde739292efe95f5424d5a4cc1a1fe64a262c
shared_secret:
aa853495243000a36aa1be4731b3eb14813794433fe18bd78057e314d6f682ee
key_schedule_context: 03deb296ccdb4fa0a001eef56dd3b10577b30352610d1639fd
5738efd4acb8e4e6cb95a2c63b1dac72dc030fbe46d152ccb09f43fdf6e74d13660a4bd8
0ff49b55
secret: 625974aec089efecf8625256d999db5fea57a935d338bdbe4235339b5c5f9d90
key: fbe3c9277490b6ad5b69b372fa0dfe13
base_nonce: d1fbd77027365203a477ceb4
exporter_secret:
5745f3469e3518ca6d34880c72185fb64170e4b2d07f168fb451a453a993161a

A.1.4.1.  Encryptions





Barnes, et al.            Expires 19 June 2021                 [Page 47]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: d1fbd77027365203a477ceb4
ciphertext: 03fcb03822447fbf52a5b951ffe1f615a428cfa9bda02297e19e7fb959c5
440ad39ace9d9f8b84917248842559

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: d1fbd77027365203a477ceb5
ciphertext: 58d0c84286319ea43ca1c362cb04fb81df33ca85c5b9d1ec99986bff1882
be6a6ebc5c5c3a2f46dde0a3bbd8aa

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: d1fbd77027365203a477ceb6
ciphertext: 922fb5157aaa9e27c61bd505be4a1ff7a55ae94caee77a195417aa467d34
c318a35f956820e2ad3579487b4211

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: d1fbd77027365203a477ceb0
ciphertext: 23581839629da5cf878ed3cc67feb6ba60b650fb1b5b0d1df98c65496258
0ff57ca797c7d8a5b32d871fc81469

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: d1fbd77027365203a477ce4b
ciphertext: f6add683e306145f0c0107c65014b3bf72e3c3d0bf988e31471cef869f4f
cf0abf7daa59e5b1e932c865ae6a10

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: d1fbd77027365203a477cfb4
ciphertext: 63c770333ac20e56ac84d6a7371836ad4c942f6d1386cd1ca9433333023e
7203a9583df04875aca35a0fa49014

A.1.4.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 48]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   e8968c8558146edf379954a674c71e7b2d713e0a39d45b783b10af55492f54ab

   exporter_context: 00
   L: 32
   exported_value:
   fef7d33a45fdd148a4f8f12d18405539957326f6f0fea0ebdf6b37f25a9238b8

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   aad4715950a355afd7e44e27c17b656088b1801e8b3c61f5e5c4722b5e28ee47

A.2.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305

A.2.1.  Base Setup Information

mode: 0
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: d01cb3b75c48f80151f4efeb972fb2097f8efa64d29ca70f10f51e116cb6ef31
pkEm: 1440805f4e60cbd34835baf0813c3071d17def1dbd8c04e75889bb2271d7823a
skEm: efda8f0538ce6ab9f165aae26e02ad96dcb1775b248267174aeb3d140e002ee3
ikmR: af2dfc6182ef4bdc3ec2118a0c3d0dd7daf2f2dfef6706ca861fafb5415e6b78
pkRm: 26147d5c2978bccc3cc03a4f9ac607560b5d83f852be4e9024f2cb7207d4c30e
skRm: 14365bb26500e7cf263720c4ab04bd45b8e146b4f724facd1fa01d58b63975e4
enc: 1440805f4e60cbd34835baf0813c3071d17def1dbd8c04e75889bb2271d7823a
shared_secret:
5f32519d9ca90b0572df7aa3b2e2f35376cafc61e027a406e03d6441ab818a7f
key_schedule_context: 00dd0a37ad96727124b021d7c81c42bfbb68c11f38050b13aa
54adb5a92dd165760f0d33c7dafc645fdc165ad9d110e77f68358179ad974a9a9b71dd05
5dec5eee
secret: a8c7098db69fc65995338ef616bd4d3c2bb4ccbe0ee91294f377df65893d28d3
key: a17448a542d0d6d75e3b21be0a1f68607904b4802c6b19a7e7e90976aa00a5c8
base_nonce: 6f6b832dba944a91e5684514
exporter_secret:
bbbd4216184bd12888e0cec08e384c2e39639fe1527f220f3aa751f5290a9aa7

A.2.1.1.  Encryptions








Barnes, et al.            Expires 19 June 2021                 [Page 49]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 6f6b832dba944a91e5684514
ciphertext: 1b9ce69bd0e6b4242ac2dd841ef093fc9dfa9e684f81c2d1778fd3268ca5
aa7d612cd87f72acd2aeaee084dee2

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 6f6b832dba944a91e5684515
ciphertext: f041fb8de275b5319587269cb39190029906b9267eb5619b7bec8a5e0b3b
3a0bead169617f2c4d45d028b1b654

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 6f6b832dba944a91e5684516
ciphertext: 0042c74002608a20e432ee9628e84cba76482aca29359e93d60067371be5
47355acca2c271a2072b85a77a6237

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 6f6b832dba944a91e5684510
ciphertext: 1d38eb05ddf406b77385c264e5424cc812de6deeb46990ab811013768100
95fb175f6a5bc18b70ca59bdd33fc1

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 6f6b832dba944a91e56845eb
ciphertext: 7f25184ece5359a927f857b449c97d07438461418b38f75438a648b81ca6
3bdc8903289a1b14e276c9c320d018

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 6f6b832dba944a91e5684414
ciphertext: c8a9a7fbfc865fe1de53349e27533ea957f20e8ac9617f389aa1db20b7c4
a60291bdacaa9405332d8d416ee535

A.2.1.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 50]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   996dc6fda1dc47e687613e0e221d64a3598e1ead9585177d22f230716569c04d

   exporter_context: 00
   L: 32
   exported_value:
   6d07b4e3e06ace3dc3f1b2a0826a0f896aa828769ff993c2e3829ae40325c27d

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   bb69068c4f7767331512d375e4ab0ca0c6c51446040096ea0ae1cc3f9a3f54bd

A.2.2.  PSK Setup Information

mode: 1
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: d820fd699360f7b65024a0cab8df9e2444a78b9f050305329f9c26ff02a0513d
pkEm: 8e4b29035c22b67b3a7a0f5a52f12b3ab17a9ae1f0c63b029137ba09f420224a
skEm: db1c9dfba77e1e3b8687ea18af207cffca803bdd983f955376b8271ef9c78a46
ikmR: 3667287b229ce92386c1d3fe5b58f61e72eeef983dd02220f29c75bc8fed6ccc
pkRm: 94ea1227a357dfd3548aadb9ef19d9974add594871498e123390a8bcb4db5d51
skRm: 4e335da3ec60e68c156586b8217de6801cb83b5a4de413645fcb112c00b2228b
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 8e4b29035c22b67b3a7a0f5a52f12b3ab17a9ae1f0c63b029137ba09f420224a
shared_secret:
f2aa15c783c62c7e55485a61404d8beae0644d15042848e5adf3d315981337e1
key_schedule_context: 0151af0d3a80f50ff5d606ae45bf724c2f872698eacd389476
90bf75e1262a72a30f0d33c7dafc645fdc165ad9d110e77f68358179ad974a9a9b71dd05
5dec5eee
secret: d5c8a90c9d1ef47662ddbbad6a8e8722194a605017718fab2b0172eacc51a4d3
key: a603fe0f9897dc6ce042a467d6bd430a01cd679e930f1b5706ad425e4153496d
base_nonce: 318e48afae42913a928146e6
exporter_secret:
965e593816181bd8f14211f5e5773b3fa256a24972a1793165177987cb82cb6e

A.2.2.1.  Encryptions








Barnes, et al.            Expires 19 June 2021                 [Page 51]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 318e48afae42913a928146e6
ciphertext: c87f8158a501c7a2f31708bbdba10f9c5ad035624c3153eeb028e65b82f4
1f38cbe1cd9aafb10e502d328b83c1

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 318e48afae42913a928146e7
ciphertext: aef7a0b0e3a58b177dac9628439b44d1e706724e265ab3b46d791612b516
37342479ad945607b8b54112bd8c86

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 318e48afae42913a928146e4
ciphertext: c00884a5c658213bd4381d65b54d93682692fef9408a6e437a97a9042677
27269b242d3d81725ad8f0c764e082

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 318e48afae42913a928146e2
ciphertext: a867345a23c686e141d0e4a754a8b800c79cfbe854c95ab52e41ccc61e18
787e0ee7ab42d53390b2ca0508e3b1

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 318e48afae42913a92814619
ciphertext: 3eeb72e8f8dc6b792529042b0f74c17e8dd112bf1aaa1a17179359931fb6
81bd35cae9467bdda5d05a77be344b

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 318e48afae42913a928147e6
ciphertext: 17b14d194a1f3f243a9cc21c19484f86b44f558dc0ffee8a06ef2085b9f7
d4908881fd80b0ce2c73f680a6632a

A.2.2.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 52]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   23c31ee2757bbecf105f74c90bf1e640b6ddc545dc8d80b1abbf2aa9dd1786ce

   exporter_context: 00
   L: 32
   exported_value:
   05af7597519945fe8443f7cb84cdb651a8dd18cd7bbbd65d31095d3c69c1257e

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   5814619f842c7c328c9657854154e51b581c7bbd3b646bd773be67f93900a109

A.2.3.  Auth Setup Information

mode: 2
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: a7ea00294fd58b6f17cea5402a8301cf8f13f31fd7923da79e4d22fbdc114a10
pkEm: bb693083e02109b884e823a43cc5354810c74c14ef8096e2b2b46dbdbc1f0354
skEm: 81a126244b2fdbe305a344f96a4d4c12db3516abac07237595e0951194303fc9
ikmR: daf40bb219e0672b442e93f0dd142be3f6293aa5f759bdd659be59b2670183e4
pkRm: 57c3eb0f67944545c6f87e813336fad0ca292876b033686e49333c7b7969ea43
skRm: b127bc7ce70fb29c32afe4afccfde11a86d87b75056f76a9cb2c12c56e230202
ikmS: 8548ec6ef3eba79e53eee89776c8a954421eb56ad037049ba6a71345ac4e4d7d
pkSm: efb2383804afaa8b10ed364917013af2f7bee72b45f3fe3436158bfe5b48c556
skSm: f07411fac6c0e43f727873b3ca7ec1e6dc18d47d7252bbb7efa363254523878f
enc: bb693083e02109b884e823a43cc5354810c74c14ef8096e2b2b46dbdbc1f0354
shared_secret:
9b8dedc0eea8669e6619016d5b507ebbbdf88f2ae7e56ab5419c6f7b730d3c3b
key_schedule_context: 02dd0a37ad96727124b021d7c81c42bfbb68c11f38050b13aa
54adb5a92dd165760f0d33c7dafc645fdc165ad9d110e77f68358179ad974a9a9b71dd05
5dec5eee
secret: 88cabbab550b94987d062601f348559c9ffe39ea74f8b197c634abccb6e2150e
key: ae2acf842b01392303b1ac325a0884bdc66221561773e78b3f90bfffc7b7cf6b
base_nonce: 51e9a58b065bcaeb4bd5ae3f
exporter_secret:
91146b6874694292df424bc1bacf4eae19ebac1046f3c7f28d77fd14f769a30d

A.2.3.1.  Encryptions







Barnes, et al.            Expires 19 June 2021                 [Page 53]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 51e9a58b065bcaeb4bd5ae3f
ciphertext: 95213d48a449db6c76c831970154e31ea368344efb257635aa2b8f04b621
77ecdf7544d4905d24251c5f2633e0

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 51e9a58b065bcaeb4bd5ae3e
ciphertext: d34c6735d87abc0b4dfe45436f8ab1dc9267906887bb02f7a18e3bab7487
83873589e9872264dbbcc41e4c5450

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 51e9a58b065bcaeb4bd5ae3d
ciphertext: d31f5c42c15ccb0b78c7cb389ec7ef581b02691288f3e4329ad65c5845b3
e4c023d5611e87aec983060329fa78

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 51e9a58b065bcaeb4bd5ae3b
ciphertext: f0e8ee58337724257ba191aa19b6db229ad2b2ef1b35af710833897bfea7
d2366cf07982bac7202f73d1422e02

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 51e9a58b065bcaeb4bd5aec0
ciphertext: 688a5c8223cfb7f1af032bbeb146b40c90734b47b956e633c7d9f7c3d54f
5c74325cd81072a9bd313f096be0ef

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 51e9a58b065bcaeb4bd5af3f
ciphertext: 6bd76cc851f39c00dbdd4abc8fe016321d487f600968665bbc40f8459a0f
ea56cb07665b92383de6f2d2a6f6e9

A.2.3.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 54]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   da976957d7d640eff1493ae7447c6029fc49544e877b2355ad04798a9534a214

   exporter_context: 00
   L: 32
   exported_value:
   be6de0f31f14a514ad7b39128dd3f8aa147a6404273ec4e8f93b4008752a4d29

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   d8d13d7a1fc443a25e17c9d4e76819a771c028e98467258853980d56bea40c67

A.2.4.  AuthPSK Setup Information

mode: 3
kem_id: 32
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ee151f6f9d7675264c9b3a6e79d693e30f30fcdd2da490b173728e02a96ce94c
pkEm: 15119783fec42323b69bd9366d08728c3235a33d7b5efd13696b2cf24ae2d326
skEm: 4e2331094c64808028d9faf3db953e07c1ab699865b9f2e4932ef6c5298c5e8b
ikmR: 1bf7a5146de616c717448ce90858a1b42460d9208f91bdb7ebcd88f3b258c888
pkRm: f615ef89a538025819d3b59e9d7feaf08ceb32bb6e25e7159dcb2c5327713040
skRm: 0e465977bdcaf8bd22a234c047b0c57e7faa5d706e8259f8350b188b79178a8b
ikmS: 9640d1d632eec4fec539da6329d835e799ab689aa81ff90084dcc8dd642aae67
pkSm: b3f4381c28453f8f9e7f5f6748282d210ca9aab14a1af8b70396940a6bf79514
skSm: ea8a1964469e94548e2e7923199479cd835d6c14ab972ea98fac4d5e4e7985e4
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 15119783fec42323b69bd9366d08728c3235a33d7b5efd13696b2cf24ae2d326
shared_secret:
6c8ee916db78a8753e39c16a9c7edcc0ddd3cf74de4724c1a2d48db4e6117781
key_schedule_context: 0351af0d3a80f50ff5d606ae45bf724c2f872698eacd389476
90bf75e1262a72a30f0d33c7dafc645fdc165ad9d110e77f68358179ad974a9a9b71dd05
5dec5eee
secret: 9b53a68e242161dfc6e39ed4fc8fc6a697cf4148016f3b2a887400c3ab930ec8
key: bedc7ab24c27e4a352fdee21a72037018f1d7da58e8b559a05ead86a373a0acd
base_nonce: b2d8ee6f49682c201478ffe2
exporter_secret:
5354659d14b4a5934c148648ea5a1892e9210f0aa0913edf0b928c8548acaad5

A.2.4.1.  Encryptions





Barnes, et al.            Expires 19 June 2021                 [Page 55]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: b2d8ee6f49682c201478ffe2
ciphertext: c16313e94c81ad5cfba39c61b0a92555de7bf7687a33c846571ef41ea394
76cd9de8333f490b90137505ee7f1a

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: b2d8ee6f49682c201478ffe3
ciphertext: 9f3a6d1538b98efcfcea7e639d3a296de0b884b4a72e8de66c82b487d969
a190b8ce289b3da0a35ce0fb442cd6

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: b2d8ee6f49682c201478ffe0
ciphertext: 44442489d1e3d0d457e4791345fcd9af580f37543347e410e5c3aad6f2fb
b0e4bed75c30c529917b6ae946128d

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: b2d8ee6f49682c201478ffe6
ciphertext: c3e98672a8b26ccd0f88a98b08dcb5d2937c059441dd3a511f79255ebcdd
f03506d6b686dda63280f50b8dd128

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: b2d8ee6f49682c201478ff1d
ciphertext: c321b3fefc2b5db66da44993f4a2ac7b00960d1832ef08129732b09a3648
0bd142405daada3971e4c2f206b487

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: b2d8ee6f49682c201478fee2
ciphertext: ca68883d2acf213cfe68fa09a3f8d366ea51463d64279d266e2e7c00ccd5
7514acc9f3680b9924d8a91259eb52

A.2.4.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 56]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   d29bbb7ec1acdaa89e0a640a95060f42beb7f7e462c3b637e7a875945da0d490

   exporter_context: 00
   L: 32
   exported_value:
   a22dcb81ba0ed07ae2d8893e081d22a7a44c3651da561bfa0c34f1fdc66d93eb

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   9865bccc8c38f8c4273e7c1afb67bf1a877542473c8d861de8215d63dc6c8b91

A.3.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM

A.3.1.  Base Setup Information

mode: 0
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 217684b3a5dae4e826b32f539381aaab0fcd4829319beffbf60f7e52ae9ea7d1
pkEm: 043da16e83494bb3fc8137ae917138fb7daebf8afba6ce7325478908c653690be7
0a9c9f676106cfb87a5c3edd1251c5fae33a12aa2c5eb7991498e345aa766004
skEm: 03e52d2261cb7ac9d69811cdd880eee627eb9c2066d0c24cfb33de82dbe27cf5
ikmR: cc82b085f48f5fc966237b8fd9f88f919b3ecb7067937e6e051316759652446e
pkRm: 04dc8b502e23e9bd533918ad19238aa39e334f5fac3114875fcf3be3a67f003fa5
215d39a8bb0d42e2a883a0b7f3cea08bf73aaa3b3e057ab6db766e75d2a141e3
skRm: 579cab9fb3cede795644e91469d6bb0a61dded7c8737bcbae428d7b4940bdf72
enc: 043da16e83494bb3fc8137ae917138fb7daebf8afba6ce7325478908c653690be70
a9c9f676106cfb87a5c3edd1251c5fae33a12aa2c5eb7991498e345aa766004
shared_secret:
49fb00067f3f00cd750a310038a4d4b80b79119a823bfef415defd2d524aa1f9
key_schedule_context: 00abdc9c4089964f95ca07f84a7d90d1864490d302249bfb20
7a247b89813e9d1e4adacd502dd077a8465b84cced711d5a741aace2f80a9ac865043442
2fe23927
secret: b692c66d9d7d55aab582e338f2b1eebea189b31afe21cf682f7bd012f2bff755
key: 42794156fa4b990dacda4e1625b52f9d
base_nonce: 8f56564f842b8bb03cc426b7
exporter_secret:
b5ed294c49327fd46172b0623a01125432a51d6447cf053c57ca1de30df7352c

A.3.1.1.  Encryptions





Barnes, et al.            Expires 19 June 2021                 [Page 57]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 8f56564f842b8bb03cc426b7
ciphertext: bec8250980e4e092e821bb9e90d2ad445980048bde2419355315cefcc9b0
18aeb9912df99483dabe0927bcaa0b

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 8f56564f842b8bb03cc426b6
ciphertext: 8c3476a017d986bb00d1675cee7d051bf68e3a27311463a0fd59c44d66c6
1c34a205702f29a7476fc8bf12a03c

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 8f56564f842b8bb03cc426b5
ciphertext: e7674cc026ee19360f08108f9bd54b5d4c6aabf94d0b350d319d9cd9bdd9
c41e4d807e76d7f9ffff5c6a7416e3

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 8f56564f842b8bb03cc426b3
ciphertext: 401ab30e14b87c8b5ce90eb7ee8a1800ed4d5034ab6afe792a1df81b59fc
65151c6ed4847015aadf7423d395f4

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 8f56564f842b8bb03cc42648
ciphertext: 05204daeb0a306473e6c6f176ced15b2c31d34fc4a20be381dec69f08800
c72a64573da0a23242f1dc7fbc05a4

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 8f56564f842b8bb03cc427b7
ciphertext: 9ae29c3bc3bc545b490f743847e0aff85ca76991c88a1584387ab8a6278e
4f02e550a62fcca9dc541563c63340

A.3.1.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 58]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   69621533ee044f8715b37171e9a5f553b8533899fc0fc73c5856b99c8594d88b

   exporter_context: 00
   L: 32
   exported_value:
   cafdd05454242eab5b23ecac1705bdd56162906522e7e3f18461ad5a9f6f223c

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   b568edc82226d209d8509d101bd7b07db37f3f736eef50e0586551def45843b8

A.3.2.  PSK Setup Information

mode: 1
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 87de910e077b5ecd0bc741a716cb819dd10fd1b9641030cc34b73e15f5b82419
pkEm: 0409cbb5d409939003aa30d4e59b5664381fc529bc4b92d026efc3b2ac59405594
029d7456d30d14547c627a6f6aa9db346afb8fa8f49b78a0cc1f7e16d63a26bb
skEm: 5055721c0086cab0ac1b36b79c15daaf558ba3b6f720feee8cf9bce450dda2bc
ikmR: 2faf0aecd41afb526fa7ecb859a739ddf0ba11fccdd262d751c5921b9bab3c2f
pkRm: 0475072da3e5d06e61a356af605cc937ec9363fa3c4faccb309afc1fb7c001a7f7
08d8c609a05327bd07c05dd4ad258d8e1e5ae21d291bab1e00769c8b7948353e
skRm: 282b4d09b5119171becb6bf99da831cf1ac81aad27f6ce80ab795ec895cb3bec
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 0409cbb5d409939003aa30d4e59b5664381fc529bc4b92d026efc3b2ac594055940
29d7456d30d14547c627a6f6aa9db346afb8fa8f49b78a0cc1f7e16d63a26bb
shared_secret:
85a8809b1a7ffdd2be2c61cfbb5256a4dcb9c04f05bdd711b575e8ba3352058c
key_schedule_context: 01b1ef02398e702f654bf6f28d9825bef0e545000702cb1839
b14bfe7c754c501e4adacd502dd077a8465b84cced711d5a741aace2f80a9ac865043442
2fe23927
secret: f33646dce5d6c3d4ab773f280eb90b0711be5d1ec7c8fa70e25f6d0fbc4658f2
key: b2bc0d3b74a5adaa215a56ee24bcd5a5
base_nonce: 92b4a0c272b1b2ac88a78c9c
exporter_secret:
e2dcd92c807e115f30e6ce2f931c9b7703354205aaa176ef9d439c8688830a70

A.3.2.1.  Encryptions





Barnes, et al.            Expires 19 June 2021                 [Page 59]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 92b4a0c272b1b2ac88a78c9c
ciphertext: ef8f226aa672114a81dad68f8dbaa0464d581723f7572cf8d461601013b4
0cfe91fb29266f66a8b28769b865a0

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 92b4a0c272b1b2ac88a78c9d
ciphertext: 04d33b9e0719a90f9b9fcffeaa572865eb9700be7bd629f838c54d09f0cc
e8abff1aab35fc146982206dbad974

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 92b4a0c272b1b2ac88a78c9e
ciphertext: bd6d4efe598c3569fad97eb91dad048e21fd6751da6ef82f0d359c2b026f
e67f4cafa4dde786fe38a21b93aacf

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 92b4a0c272b1b2ac88a78c98
ciphertext: 9f74c91b24a277ba3712b4f2fc24b30b5c862436c9c6012a3552e88a99d3
18d2e8f328cf812aa019f2fb35d996

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 92b4a0c272b1b2ac88a78c63
ciphertext: 85a0f219128bb6473266c1727d957209ce03af2615eda040dc5f6ef84428
0dd7fae5301a571dc4cc5059b67cad

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 92b4a0c272b1b2ac88a78d9c
ciphertext: 346cb2255740dedd0712b5406a07a693becd7e5888fefd9b290481fe3e67
546918654cfb5719f0cb241269d47b

A.3.2.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 60]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   ac856c29f6fe37c8c8cd5a43f0bf089795155732e805386ac87268b820fdd5fd

   exporter_context: 00
   L: 32
   exported_value:
   a7d4a142d6449b0dbd59afd1efc2f628444fbb56e5bf472cb60ad7f2747e57b0

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   79820a63b55d5d3f7a3a40fb542c6c31d8180239cd9500c763ff2355e5f535a2

A.3.3.  Auth Setup Information

mode: 2
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 065d5319c2ec55de1961da81f2b1c5269fc0d3e91f6845116c67f8aa3b2359be
pkEm: 04343a6ee2de9b0a3a5526d2832a237e4c962e8a8862ca41f06b3d4abb95f7a327
400bb30ef5fb633dfb7777bc93c7a70097f77cbb0cb889a135b77174f3361894
skEm: f0f4a95f666c4acb2f4a95a88a94a43d0a0ef3c4730f73c003f1468ad531ab46
ikmR: 234e1581536597dc464ee28518c56da07a2520188d29fed4d4f22146e9ec0137
pkRm: 04e52bea06f7df551af20abd964320e8cff1ee8c2a29a25e6c18af57db6270d583
32f68faba6b81c65e8cc585456819dd831754fb60c617b4d6b75c381a87335da
skRm: d7dc1db5df0799cb10803e6d39e4994d09bbfa0a7a89a93efaa014b3522a7df2
ikmS: bad181a04924b176f973874c5d8a9fbefef99bbff0974bd08b5bb2bff7bf7e33
pkSm: 04014b9a1db837c79e9ea3d771ad7fd52647baaed31d0930acf2bc4e37ae8b9c10
8d07b36625944cf2db636af39ea13f02d90e54cc93acb6f81520dd7161b7cebe
skSm: 79b8d2219ad0aae321a523d44e848245db997de1d56210ecdb0f761572c0a473
enc: 04343a6ee2de9b0a3a5526d2832a237e4c962e8a8862ca41f06b3d4abb95f7a3274
00bb30ef5fb633dfb7777bc93c7a70097f77cbb0cb889a135b77174f3361894
shared_secret:
2e39bc45c156e72f6aff72104d138f7f7323430d3822880e196c5e12e80e405d
key_schedule_context: 02abdc9c4089964f95ca07f84a7d90d1864490d302249bfb20
7a247b89813e9d1e4adacd502dd077a8465b84cced711d5a741aace2f80a9ac865043442
2fe23927
secret: 8234f5fcb9b39710445a6fb4b14251f04eb019cde58799184419c128f189be26
key: 74bdf9a5e59a7b9fa7d2f79776c91ead
base_nonce: 832c6d062d1f68e58544b407
exporter_secret:
4e8f1ce833028ae349056fb95c8aaa1b439c89e66a12cd7663c488f1f57ded68





Barnes, et al.            Expires 19 June 2021                 [Page 61]


Internet-Draft                    HPKE                     December 2020


A.3.3.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 832c6d062d1f68e58544b407
ciphertext: c3c904de9d74651a19e8a205b683381c876a7b06d537454c2e04466e20ad
0e56551c463cbc6c03fc241694ccd6

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 832c6d062d1f68e58544b406
ciphertext: 3cee516a8d3306c889a34c4fd1822ef628c80ec4f1fb089538e69fbb5eef
bc9ff8d883b9ee4551644b693fb901

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 832c6d062d1f68e58544b405
ciphertext: b452541f8787888c8af2d58eff449c2cfb9d884b5425f88f7b09624da356
d08facf561b95105bec39e2e15fc7e

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 832c6d062d1f68e58544b403
ciphertext: 1357058b45507b5080444611be4a5def77123e48264ea8bd79ccc04910ac
4ab2f6802c3e15e18c292d4e91b71e

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 832c6d062d1f68e58544b4f8
ciphertext: 81ebbf73373305ae41c7a1f9ce46fff4404674a3c5968413409777658e1a
412b3d3ae1c6d08aaf94894986cb33

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 832c6d062d1f68e58544b507
ciphertext: 7b94d1787a4935286e6a04724bb6ef7825e0f287cb6ed26e82b7773e8dfd
0ef3aea99546358505c0a862cca3f9

A.3.3.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 62]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   45b8805ad41e8133decb2cf41f23bf3c394b2f36b1e94c7d2f088b68d106bd2d

   exporter_context: 00
   L: 32
   exported_value:
   bf22e7557268fe6e7264cdec6537c41c920da6486dfe6eb26bb40dc2ad39b0e6

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   3e110ec362b22cb77d455c5a5031e0708b4e8dca273626621f6210b39bdaa3ce

A.3.4.  AuthPSK Setup Information

mode: 3
kem_id: 16
kdf_id: 1
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: f8583351cdaf7ab4ec91ad306602d4822fd0f84a2e5ea563c360d4ba6308f93a
pkEm: 04dd8aae40c4286412f9ba7951066da54ea42c2cf21f83d66ec9b4ab3358637a18
797495bc8f717937e75d31846a585afda6113be5c82d9b8b0cda43f0a76d05d5
skEm: 0fd2397b795907eaaa63f9c5552af8f2032c5c7411ad2f7b5760894e4ec8d240
ikmR: 3b16243c4382065ef6fa0701442f80810ed68fdc361a13b953733d9ce82a9e4c
pkRm: 0464b4a0b01cccadebb4ccc46260699cb995579feed53241a7e210665b89ea9607
d978400eea20b4921b92eda98ad63fd55271304c28489ef2f7a340912ba49566
skRm: c58ac157b4d776628d34cf3aae37af91749e8ee8f7b20e79f8017c82a679682c
ikmS: bb16b05e401acb2d245f825df3317024aede39c92952a42c19846d97384f79ce
pkSm: 04b373ecb4a475ffac6efa4924c5b8327d47bcfc028dbc2be44b0c23c2eac7302d
1943d8d5a01991888103f0357c346b047cea6137aefb016cebdc52f58b72c862
skSm: 2d6b29b62182f18f3836945624e9950e2d1119f5b065f6ab98c9ecf869a3bb8c
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04dd8aae40c4286412f9ba7951066da54ea42c2cf21f83d66ec9b4ab3358637a187
97495bc8f717937e75d31846a585afda6113be5c82d9b8b0cda43f0a76d05d5
shared_secret:
b48cf089f62be3e5ec158c01f3d32788672d5de3f73f8116e02f501bd9abd545
key_schedule_context: 03b1ef02398e702f654bf6f28d9825bef0e545000702cb1839
b14bfe7c754c501e4adacd502dd077a8465b84cced711d5a741aace2f80a9ac865043442
2fe23927
secret: d93e46cc616af860a5ac36f4c8d7e1e2fe9a583b202f8e801b6def73f1a890f4
key: 393a59b50e6b394a4ca0c3f9bebaac7e
base_nonce: 96a5653db53e05025c7f12bb
exporter_secret:
b61db4f5d5118602108cbef98f6a51d0977cc166f070b9dd597269907268ab31



Barnes, et al.            Expires 19 June 2021                 [Page 63]


Internet-Draft                    HPKE                     December 2020


A.3.4.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 96a5653db53e05025c7f12bb
ciphertext: fc5101a56d1f28a6381079c46c4c701b34bd730be5ee55ad8d95a0692ce8
3a4c11ba991ef3fbc25026c2b2a9d1

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 96a5653db53e05025c7f12ba
ciphertext: 60c788f75deebe151eed8fc03256057b7b356c493ff0704b7db20372baeb
b8c89b7c10792bde2158d0ae0ea084

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 96a5653db53e05025c7f12b9
ciphertext: 344507d1afd34327600a3eefe793e4f320fc6d57a65cb9d6ad358078d94b
1dc7fa6c0ac1cf5045b3d34aa802aa

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 96a5653db53e05025c7f12bf
ciphertext: 485fbc3badb0a84fe12ffa0171834cb5873714317f31b793624586cf5845
056ca165fe2b2880cf0ebacddc84c9

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 96a5653db53e05025c7f1244
ciphertext: 7bba24051a704ba9044a86a2ceb6984e808ac8eefed6c8c124b07b78702c
c414be6e0c5d12ed67de261375a1d5

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 96a5653db53e05025c7f13bb
ciphertext: fb7b2affa7ad31b705385c1b7b728d8d2516fae09c653718965e1eb8e40e
eca7aac3d5d619900733952430013e

A.3.4.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 64]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   6a6206e184b6308c104d5ed4de17b8c460fb5ae6511e39a99e84d124942848c2

   exporter_context: 00
   L: 32
   exported_value:
   42880d4e3b9865cefe708472b3d58d8800f1e5ad31e5fd692173bf1622ebf635

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   e7bcbccc00c31a3e068aee4286aa280b473ce9fee3e9a46fdfe58b8feb9d4ba4

A.4.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM

A.4.1.  Base Setup Information

mode: 0
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 1be1a54220f95e65d4865efc314753feab34d867fb922613506839698e165744
pkEm: 045703c14ae77d584727e31f1179c680977359ab12a8842344d25d70d94c989c7c
bbc0d2de9258ce4258d2841e5b80d232e5226d5788f25835e53301e4b8b32c45
skEm: b1f9adb16d96a4d6efb95aa42abdb92eceab5124a6690fd9a35969c59df77ff3
ikmR: a3a4746d926dd36270656e365e6914c9c0b22e447e2ab670f221700e3c880d9e
pkRm: 04fe24564aef5463d7fb4efc238a4c6029364a0fbfbfa2201eb935fb1e6ef7cf9f
5f3ecf4d98017c42d25ed11e5c37795c6996dbf79f54db013258373ea09ff3ff
skRm: 07df110dfe250958de0d46374bdbdb5df61fd5e9cec35a04ec45911cc674c7b0
enc: 045703c14ae77d584727e31f1179c680977359ab12a8842344d25d70d94c989c7cb
bc0d2de9258ce4258d2841e5b80d232e5226d5788f25835e53301e4b8b32c45
shared_secret:
d6785d582e6706b0e2695f4aa3cb2216865144326af47aef77c5f16938bf2115
key_schedule_context: 008bba5aff4a4a949c4caaf55df2daa905f5946efb46343832
6fb2dac8504145236cccff5a2a6115fd54f5fcb61614d951a1506b918aea54eda6f60967
8f4c506f0aa4844da0eb89cd2aecb3dd959e4e33cc9a46aa8a7aaea199f4e99149ac50b1
a05cd20c970376cfaa5e61479dfc4f1fb4d39ba794f274965065a79536faa517
secret: e407d8700ec99486fc20fb0e54d2c7684d6b78ea0e6bc3c91400f286527141f3
91285cb7bb8ed47889693c9485634b97a64c68bcee31c6eb5161d5ba9daeab7a
key: d0aa3853ec6a21814c2876a76b62f3c7
base_nonce: 8dd480f20352222b7f2b51be
exporter_secret: b5c030ccb103a70348dce847de662ab57c01519165b63f13c12e6d2
187ca5469077130df244e0dbc0f93fde972d9c39676e9c763272e28d3bd66366660386d1
7




Barnes, et al.            Expires 19 June 2021                 [Page 65]


Internet-Draft                    HPKE                     December 2020


A.4.1.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 8dd480f20352222b7f2b51be
ciphertext: 885be6ea1756ebeff3d0f2216cc52a193054a0c2b31f6d42f0e6025a2779
6e65336b6d7377819e70c0ce486ced

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 8dd480f20352222b7f2b51bf
ciphertext: ab40a05bceb8589e5466a7deb1fa27d208431ad6c8398edd95da19cb1231
b2f4151df79c121077ea54a8b57d0b

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 8dd480f20352222b7f2b51bc
ciphertext: 955c94ed7ef09a543a479e3de2a7b66549ae252c7fd605bf789b3e583c72
87f95af64437af607538a5291b0e32

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 8dd480f20352222b7f2b51ba
ciphertext: b21f0867b531a8ec9c6bdf97a1d87919162b544f5a6f72471c18c07c3560
52cb7941ece10717a2a8c92db15337

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 8dd480f20352222b7f2b5141
ciphertext: 568ef11857b20b6d94309be34592eb28dba24f9d563395a698bbf6b4fe42
905baf4101da7e0b478bd50478885f

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 8dd480f20352222b7f2b50be
ciphertext: f0a97864ce8261bfe18ef38eed82b702cb4455ba93cf9179b6c90e008ea8
bd1a38e98c8d1204211c6ee6273b1f

A.4.1.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 66]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   3523af5ece737004383d7583bbbd0e152d139ae3c5460d213bb0d6b521934215

   exporter_context: 00
   L: 32
   exported_value:
   26f64e97f5591c4aa215bc593ee0977b4372a894b6e07d52adcf4e27434dd45e

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   a94035e80df74969ba074d51539048a7e238df3e62b63d8be500e517b79387c3

A.4.2.  PSK Setup Information

mode: 1
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: c62c050ffc3573b9d0f5fe976afc913ee415b5746f9da906f205b591898e296d
pkEm: 04a9866332764dfb16d2ae5f6485a8d8198e5c7fe9f9c79e2728f59852648de367
309ddd35993229ba6201f0eeaa014fad860e8098eb29e2044fd80cbe04215248
skEm: 783de5184f6e61c4ea8ee688dc8e2b427869ef6d4472b134c12eef130df2b29e
ikmR: e06f47f500ee149266590166c52e3f35366542206a666579bc641139f1cbd2d2
pkRm: 04303656e359e35ff4c337ab17f6daefbe3a60adbe9a09608623a0d81c7d01a3b3
cd4de3e54fe92b039c98c86c3c5f1f4ef3c8d229375537bbedae8e26a9ed6f12
skRm: 090327ae0309d4fe19a3f1ab5c5cd2097f810b4dbad57a208408168588a44584
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04a9866332764dfb16d2ae5f6485a8d8198e5c7fe9f9c79e2728f59852648de3673
09ddd35993229ba6201f0eeaa014fad860e8098eb29e2044fd80cbe04215248
shared_secret:
9615d8a9ebdb765b07bb79656ee430711cf8fe7ed391767aa58de4ff5eeb29d1
key_schedule_context: 01f37d94392114a83426ed4ef40b204fcabab8c86d1541b7dd
7f71d1b09337e947844179d92df0874ed2232caaea0079bba932bb2369afb9a8ed2832c4
e0d537cc0aa4844da0eb89cd2aecb3dd959e4e33cc9a46aa8a7aaea199f4e99149ac50b1
a05cd20c970376cfaa5e61479dfc4f1fb4d39ba794f274965065a79536faa517
secret: 27d31fe80311249e1c8ae9bfb3d834a96486c91370595363b0e6f5d4236aea09
f8d78b2c712217fd5bb63c0e1c220ce8488df9d02991ddbd8b8e4340f19cdeeb
key: 30a72ea42ab066063c1a7fd99641ac76
base_nonce: 8d182b77260bd9e6bd2305d3
exporter_secret: d762b3b46ec8c4551ec2daad04153efaa9821707069af57a161fbb9
61e5cc0aed0e89dfa8e7ca06ee6d93757ac8744447f434c19d6efb0a926ba3fb77f471b7
a




Barnes, et al.            Expires 19 June 2021                 [Page 67]


Internet-Draft                    HPKE                     December 2020


A.4.2.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 8d182b77260bd9e6bd2305d3
ciphertext: 4b455b6aef37f8692d8bf49ade5229d389db9d0e830669d5a7c6a746b6ee
aa18fa0569279e9868a19d2499637c

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 8d182b77260bd9e6bd2305d2
ciphertext: c1702ed997d8857b57e93b34c8a8155da168cd33583d57b34c56e46c63cd
8b5924d75666fa0709fac4cfb58dc0

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 8d182b77260bd9e6bd2305d1
ciphertext: 5b24d3042345607d39a9c2a1db55ea606281c6f1d9f09e9b9bede75e775a
03cee1cb6cd1eac6be19d8c9da3e99

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 8d182b77260bd9e6bd2305d7
ciphertext: e6fd63b63191201ee897a6f94b8d39cd30cff410682b1740e7841b4ae0e7
e49ae21d41b1bd52630388311ed922

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 8d182b77260bd9e6bd23052c
ciphertext: a06576ba21dad0a31a1bb5ea5fb5107acf3e4c99678da814f34f8759969a
11e76f27827820dea3f8a0f71a80a0

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 8d182b77260bd9e6bd2304d3
ciphertext: 22b68ad15ee5485eae80ec5c98df381cdc408e24817ca3e12721bd346734
f07e910edb46073a2a94b0ce9c4dc1

A.4.2.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 68]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   16f6a26d5af4d16364d25415569a69634aa712b9dbb47ec26b10a74fbfd31779

   exporter_context: 00
   L: 32
   exported_value:
   55d529a9cdd5670cf00179aad14c70b9453f4f46e12b43d2ab07db9f301842fd

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   a63161b41e23bb4cb3329af4a25fab4d6c4818f200e84fdb332f02df57c638b6

A.4.3.  Auth Setup Information



































Barnes, et al.            Expires 19 June 2021                 [Page 69]


Internet-Draft                    HPKE                     December 2020


mode: 2
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 729bf523707d5e574aca2180a334ffeb5f56a3a8b326ca60225cc1389309978c
pkEm: 04074a6d306328719df46bc7ff5bcceb9c2084829132b4d2b2b1ae9a2e069ae568
67a1c748872af0fd179b11056968bdf9cef3ab43b07e92926f28207624574204
skEm: e43e5b4a68805ff5a06638d8cd895a06d9bfe1513acfe68d81052ae444f1da32
ikmR: 8578264010512322174ffa2528a697f4ed9d10335b9794b23bfbc464f60d70a9
pkRm: 041135938c8882b61de5ae7466b76d795bbb1490ab64ae79e86632ceb15026c9c6
2cf02fc523a48ed7bcd23b06c046b638bb15890698cd84569f72d3c8a8d18764
skRm: 3c91bc9a2541c205ded2a3fc7b558286dccec0aa01ed0ff7842b7a31a6ce0b61
ikmS: 157225ca14ab53875997e5f5bdd5bce4c714c631e4774d145313aa0f97ea46ef
pkSm: 04c9952edda21598d76a1348c327a43d13fc5ca1ce3c85d0fe2adebf867906b7cc
c404c909626f87128be720069e518ecfcaa4e355b1f47ede8cc443390f0792c9
skSm: f68d1d0b5c64933bcb4e70e59079f69f1b352c630dbb8d22e8e176c20c19f77f
enc: 04074a6d306328719df46bc7ff5bcceb9c2084829132b4d2b2b1ae9a2e069ae5686
7a1c748872af0fd179b11056968bdf9cef3ab43b07e92926f28207624574204
shared_secret:
c934fb34c38776491139e8773b9426290921d86cb88d501828893baf908e6ff5
key_schedule_context: 028bba5aff4a4a949c4caaf55df2daa905f5946efb46343832
6fb2dac8504145236cccff5a2a6115fd54f5fcb61614d951a1506b918aea54eda6f60967
8f4c506f0aa4844da0eb89cd2aecb3dd959e4e33cc9a46aa8a7aaea199f4e99149ac50b1
a05cd20c970376cfaa5e61479dfc4f1fb4d39ba794f274965065a79536faa517
secret: 98353fac2dae40ffa8265823561fe0357ef38e65b91de3b7798b6a6f71b7f728
7a430d15f140f187fe1722868daf26afc0795e57f7af5340a61be78edf99345a
key: 8168f3f41ba5c2a91680a52d3864e842
base_nonce: db0d76e9dd18e596db180b39
exporter_secret: 706cbf9128b9e0d2007f231b6ddef31799bf648abdda67b916c7788
5417c6362418ee1494799613088f5029509c1afbfcec32d269e4fae9d2fc8158966c9fa7
6

A.4.3.1.  Encryptions

















Barnes, et al.            Expires 19 June 2021                 [Page 70]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: db0d76e9dd18e596db180b39
ciphertext: 0f06bc617f9ec9c96d862a83752dd6b9ff1320a85b4138354e159998db35
b1320a06c621a24eaea83f1fe43d59

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: db0d76e9dd18e596db180b38
ciphertext: c492d99c7f765306373c5355ffb684aa7c54b62782224eb1bf4f56d79011
b109dce53b0d917bccba6a46eb21ee

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: db0d76e9dd18e596db180b3b
ciphertext: 2307c1c71a8d09431d42a36ae2a01e162f1b286e7671fe94f8ad0b9604f4
32ec49e83ff45d99429e3735ceecc2

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: db0d76e9dd18e596db180b3d
ciphertext: af051a28b402ebe3fd48084def6482f7c987d459a796396a927be08c5d98
70f577e16234159b608727edf1d7a6

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: db0d76e9dd18e596db180bc6
ciphertext: 05793661de9dd2c9fd338f66c2d571b4480f3efe24f0dacea86634f4c328
7a2a4ac315d76d271e5f459ed15559

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: db0d76e9dd18e596db180a39
ciphertext: 18179e63bdbfa18511738fa89a4886d13fc5e6b710bd618662f85dee3e09
58547402d35696629e3c5c308fce3e

A.4.3.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 71]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   a29981c98fc41b7ae1bb0ce6795f966d833f4d1c6c16dc2fa8f885f1e622a75f

   exporter_context: 00
   L: 32
   exported_value:
   620e4a48a9144a534177c91724f0fe602ef5031d589a97486b71feaef3bb3e8e

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   75f73e0f68dec42a2c70913923cfe6e1cc07c2e8d3e4af4cf4c2ebaaeb5857c5

A.4.4.  AuthPSK Setup Information



































Barnes, et al.            Expires 19 June 2021                 [Page 72]


Internet-Draft                    HPKE                     December 2020


mode: 3
kem_id: 16
kdf_id: 3
aead_id: 1
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: c77066b17070dcb73af19d0e52f94ee22f2e2da85f509b877d4a6bb2d9cfe742
pkEm: 041bdc639637ed1cb1ce00cce7093ac2bfc199c763fa8a9d76012ea6aa2230ffcd
5f2e26014dd1d18461fa3e8cb82511e7c804307c5d107b3a8cf392d65900f25f
skEm: 3040327029ad07bb6e246e3c1d8c93e2a7f286eee335ad8dac5cd761fa85f8b9
ikmR: 4f3df69eca2cd20da5068badaaca64393299d41435b7fb2c869327f350a9c33b
pkRm: 04205d8891d2234ff0656f0478bec3582e19e41b006e6eca94860735e4e8541d79
3ac37e4d7b71d7fe7e79ca8e41b8b0defb3d510e42abefaf25b6296ab2b6b5ad
skRm: 069a36056c439dbefc28e57e8db05bcdf2abab75cdc821fa2eb1e635632120fd
ikmS: 4f8d660d9aadc7f1d2eba192fd1510028b23626d96aa5d8e077fcb1248fd84ee
pkSm: 04c7fa4aa253ce2ddf9d9f48b170721f850bb7d111f6763c25207cac56f66d1a9c
a525dfcd3bba8c95c1077230868f8ab8a841a5caa8e52aa019be4ae54635344a
skSm: 61a57ae5362fccc2e2e49fad1f74fb3fb4513321115d087222c6be5ad89eb0c0
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 041bdc639637ed1cb1ce00cce7093ac2bfc199c763fa8a9d76012ea6aa2230ffcd5
f2e26014dd1d18461fa3e8cb82511e7c804307c5d107b3a8cf392d65900f25f
shared_secret:
889ed188ab8ba218fa0aae4dc2c674d1a338fda00364c117c89143a183137aaf
key_schedule_context: 03f37d94392114a83426ed4ef40b204fcabab8c86d1541b7dd
7f71d1b09337e947844179d92df0874ed2232caaea0079bba932bb2369afb9a8ed2832c4
e0d537cc0aa4844da0eb89cd2aecb3dd959e4e33cc9a46aa8a7aaea199f4e99149ac50b1
a05cd20c970376cfaa5e61479dfc4f1fb4d39ba794f274965065a79536faa517
secret: a4f50d164d17138e349c92e3ba4b11d5dddc8f82595f95f8e7b3a3a6291fa247
3543c92a8b55a60bb4c83030222a50fbed64cdcfc4ba40c3c97a7121ca3d064d
key: 7d069bc8de13d63e068ce2ffcae5eaea
base_nonce: cc061682cc7950fa3d95a6ab
exporter_secret: d584d697189c664ff6be2b9bdad061a47e0360b1f6243e07b64e34c
7098cf092a89e0c738180a19da9873a0c22909bf85e7c211ef0e2bd62770036c529dc069
f

A.4.4.1.  Encryptions















Barnes, et al.            Expires 19 June 2021                 [Page 73]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: cc061682cc7950fa3d95a6ab
ciphertext: 37ce5e9bf49f03584c1a5616a79c1974ee70ae7102b16d8938d61086a79a
fc93448cc17cb510d6bbc0cca4bdf3

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: cc061682cc7950fa3d95a6aa
ciphertext: 971bb5565b382c2e8b38afec66d1427b3793c14a574b38766e1ddb5abecb
e5b60500e0359b3663f6ba50161a7a

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: cc061682cc7950fa3d95a6a9
ciphertext: 4123081c123fcc76d72af6867738c9eb51df246bf56eaf2314e7201ea2ce
deb06823dcab77d99e0a7f5badad2b

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: cc061682cc7950fa3d95a6af
ciphertext: 1a93014d03b16ec0ac0a00b2ddf7d883958d2dc007ff5f5e627926e4c3fc
1409b40166cdf2b8944c27cfb01bc1

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: cc061682cc7950fa3d95a654
ciphertext: 2afcacc3f92b189bbd050b2e07e82851d69c56bdb32cdd5ca409ef3e83fb
96c2772e2ea08e9cbe9b69232e06a4

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: cc061682cc7950fa3d95a7ab
ciphertext: 8093f61a1ed70c9b0657313db0e949519d560d4b9cf47d46d3d1426fcea4
aa0fe9926d913d8d75ae05ed496077

A.4.4.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 74]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   a03ce90958dea682f1e74bddb8c5531729a647dc363ec01214e59243f631b095

   exporter_context: 00
   L: 32
   exported_value:
   6e1f2ca1924ce2f28490f0ab61ec2d8b66ba0f05ff0a355428c82c8888c090bf

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   e48cf1562dd1047c3138f11ac074727f807b8c55cd3a48d63906aac03a6757e5

A.5.  DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305

A.5.1.  Base Setup Information

mode: 0
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 1c7ea2dd703c3a98678dcb4a0c75029c803bcddd7f045c497e5ad2f6120c006d
pkEm: 04115d2cc2e317e363c2884f3f850f99e1292a1c0fb5c768f18096858a1fbf0ee1
d573f3a6a40543207094ad89a2e1f87a1dc46bc98638e635dc2aefd40275d1d2
skEm: a4f41913f40f3d78562311e8b32cf26152731f7393f0219036302e59e3e8affa
ikmR: fa73e26ec21d46f603dc79eef82c023a738fe93e4bd559fa84d154887f05d117
pkRm: 0494eb40a3754f10995ab4fa52871d23731e551c401fdac3fe91ad502224148300
6830de6232df192e003f08103bb7a8f62af6ba115fcc9b993afd939337b5d1f5
skRm: ce56f433ee00c982a7f3c32c537de5af083ab467d662215e18b2deafb2e3750c
enc: 04115d2cc2e317e363c2884f3f850f99e1292a1c0fb5c768f18096858a1fbf0ee1d
573f3a6a40543207094ad89a2e1f87a1dc46bc98638e635dc2aefd40275d1d2
shared_secret:
992458cc139e5ae3cff92f7916454be0aea2effbcf455991db991671436d9854
key_schedule_context: 00f1c18fd8da4af5b3ba4b18ab1b66fc11804d8e56de307dcc
375c6c528520c91eec1f66cc97b192a4dbe73c73fbbd95df11beb60644bac645bdb003f9
3eae1438
secret: 1603d091f8c0ba27376622826a61479bbc6e266b52898a269fb0e399a23c36d5
key: 40fb9b449fb4d8dafb435125bac1574b3321f51441492fd286f325b0db2bcbd6
base_nonce: c4341b77afe0f43c618a8edc
exporter_secret:
3f54879c6b015df5d6887d1326edd7dc5861789a51dbce7e74a7135eb738e50f

A.5.1.1.  Encryptions





Barnes, et al.            Expires 19 June 2021                 [Page 75]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: c4341b77afe0f43c618a8edc
ciphertext: 393e3090eb0b369f5ea3e0ea7dc981e0b8336d3b3e3d1def5d9501f3e32e
f00826d4ca4b626341a1eaf0f4ce3e

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: c4341b77afe0f43c618a8edd
ciphertext: 9a9960994ae5b16e588cdd1c8dde16fd80b5065fd499ffb29356e0893b75
ea0bd470874bbf75ce2ae8caffa590

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: c4341b77afe0f43c618a8ede
ciphertext: 0c7ac0e674d28ff5ffe867c846a9897128aae26ef9c4ab92013dc581f009
08efe69e4eaa8eea11d9a7c966ec1f

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: c4341b77afe0f43c618a8ed8
ciphertext: 6cffcd0e2b46d74f8c8547c73e6112157b514e236a3b74d44cba8df219e7
84dbbbf22e98e4177ae2d867fb86b3

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: c4341b77afe0f43c618a8e23
ciphertext: 223c7fcda08551ce2162422ec833d00bd5f25a56de9d2242de63365a7c9d
0cab90e847cc2c0450b12ad3ae6989

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: c4341b77afe0f43c618a8fdc
ciphertext: b3aa3be16c072da3aa06a850438bbe0895a51aea6bc0a3e5228c19915c4e
ac73aaf9df028bfbebb4ec0f899405

A.5.1.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 76]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   3e580133b27fc552e7229a5f0891ba1ee2297d4338c3f7fc2d36735c65bbea1e

   exporter_context: 00
   L: 32
   exported_value:
   145399af8fc0191326b81a8062a48c2b6d897c947e24043e1b24adf730d62c4b

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   8c457c5c614c15aee373f5ee78e1e983b7a20ceec3717e49c3986ed1789da577

A.5.2.  PSK Setup Information

mode: 1
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 26f07846c6436ac9e1f9fc3dd0b815308f59bce72142cbfb770c31d1a5ec0f72
pkEm: 04596cb40b1b29dd2612c9511c0704d475fedd641362b3a21ee92188cccc41d454
c77e209b828f0faba98ac5781a38e4694d6bd872da1f796f770750f6e89166e1
skEm: df8264f39aaa49d217201250483ecac8a91e3d93fb05ba6340beb470189d7dd7
ikmR: 86634f92d35c41ddfdfbbfef1f7cc871ac2fa40d5710f1f33ef2fbe8209b7660
pkRm: 0468416621586e3f9d55b277e4205472b04a33173f366b946d5e2b61242220b89c
d91076873158dc0424232fc9b181c850480a54c54380a39434735d60d9a6051c
skRm: 6a000c019a2fe5d300da437988c930b1c16b454aacb5cc909c7dbb4a47c87734
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04596cb40b1b29dd2612c9511c0704d475fedd641362b3a21ee92188cccc41d454c
77e209b828f0faba98ac5781a38e4694d6bd872da1f796f770750f6e89166e1
shared_secret:
695216faf075dbf9e819b3115076a769ca4e087b978940c974e3e2ad4963e472
key_schedule_context: 01eb05e31a1def4df3a3750746823861cf1546335001189fe2
870b59b88ab18eb9ec1f66cc97b192a4dbe73c73fbbd95df11beb60644bac645bdb003f9
3eae1438
secret: d145d15200d2f6d7fd923ce9b5a0dab2817c5c8be868f1f2e9aba8eee0c6c766
key: f03ecda0fe9dcdf6677afe4d0c5b63317c539fad44cf467000f13121fd56ec1f
base_nonce: 4cbde1b60ff66f9fba5514da
exporter_secret:
d85015754a4581003a3b835b08eab687a782862b4a3ded3d1e82c9eaccb3f28e

A.5.2.1.  Encryptions





Barnes, et al.            Expires 19 June 2021                 [Page 77]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 4cbde1b60ff66f9fba5514da
ciphertext: 317900d5594ac44c0fb670dc6943ede71dbb227aa00274adac242e65b6e1
a4e4ed67d13d03fcb1911e78de5cd4

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 4cbde1b60ff66f9fba5514db
ciphertext: b2780f4a3f13c64aad7a519b7a239c3fa510caf61f400a4e9cb7623ca43a
1fb9d9e4006c2661b91e494b7c7d1d

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 4cbde1b60ff66f9fba5514d8
ciphertext: e774243ac0d83ee556563f8c790054219d19c974ce4d9265cd4bd8d0303f
ae0ff88c7443e6fb02298b1334cb0b

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 4cbde1b60ff66f9fba5514de
ciphertext: 9605698d1fec0bb2b3b85ef6caa51ceb8df31a0399a24bc3679c1b4b2fbc
bbf9f684f822e0eb2782375ce951f2

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 4cbde1b60ff66f9fba551425
ciphertext: 0780af9e129d67a61073078b62d2e75b2f94b765dfa1c66046f0794ede3b
a7b5d637ce8cc3571c65d34740eb33

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 4cbde1b60ff66f9fba5515da
ciphertext: 48907dcbaade5de1238d05751c700f5971b79b1615f8b9e15baf282e0878
ac081363e20171156c72b844fe44fa

A.5.2.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 78]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   18bfe65f86a68a2eabfd4cb674239f5bffb3a1f3fed95a368124850842707e65

   exporter_context: 00
   L: 32
   exported_value:
   24822d24aa1cd4947f463d43ad33c611278d7fd20bce5ac5b01374d7851d0a31

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   19db4d73cc5ab16705ceb5e18d89f4091d0d0621209e6034f71c66d5f6830196

A.5.3.  Auth Setup Information

mode: 2
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 82c9f7cdc3d55b5523d1eef476e3438d2e5dd910d13b17308f53fc61ac93c2a8
pkEm: 04a382ed93de16e67c3c68876d3b5d10c54f87629d32cb4098938cfb69b79a4e39
a47e376458d7c42a41f0a06a0a137c0550212b8c67e2a9c6ad863af4d6288f7e
skEm: 4f908a50f69dff2a769a3f223b859242f9b293f96e138f564c67517a939671f6
ikmR: 8f48a15aa6f9a1b15b7c8d2064140364a1a61ce6fd5dfd6a1fa7d94f09882787
pkRm: 04ce41ebe6d8931e4252adae4a792355510b73fedb04c58c779828763ab63d83fc
2ec6eb22359c36da0d3daa654f72cb79e81fcc8345d36285aefb66b9094549c0
skRm: c4946c90738ad3336d2c7c94e3e58743d156225e742d5ca0b1f995eaad82d92e
ikmS: c65c7e9d5913816dfe0f5246ef876fd69ab045e88256eeaac1d16e810a4ee1d0
pkSm: 04077d4a2b05263599f893ba492554bb325ad471498db672d0bacdfa74e1d6097f
a663947874759514545ed00f38c496f78a28ba574cc51710adaa8356b6d4beda
skSm: a29e05133a4d4b52df2b8d33798dee8be48f79bf63daf3ec9579df40fb6f704a
enc: 04a382ed93de16e67c3c68876d3b5d10c54f87629d32cb4098938cfb69b79a4e39a
47e376458d7c42a41f0a06a0a137c0550212b8c67e2a9c6ad863af4d6288f7e
shared_secret:
0cb8e6087fc5a8679347f5700411d40dceb6983f620cc25ca680bfab7c25ac2d
key_schedule_context: 02f1c18fd8da4af5b3ba4b18ab1b66fc11804d8e56de307dcc
375c6c528520c91eec1f66cc97b192a4dbe73c73fbbd95df11beb60644bac645bdb003f9
3eae1438
secret: 170ba1cba1890983dd4f8bdb136dc8d8a80db0c6cdc42150090ef8b51e365ce4
key: ea8b805ac458810c7b9dc316b1e84f7531c26b765ffb5b6eb0e08adb5f020e26
base_nonce: 1c6dba370cf5af89cdcf0ef9
exporter_secret:
a1eef29eab08f7774c2119b03f5d6e79ae734d5c42830e2dad16461efdf51fb4





Barnes, et al.            Expires 19 June 2021                 [Page 79]


Internet-Draft                    HPKE                     December 2020


A.5.3.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 1c6dba370cf5af89cdcf0ef9
ciphertext: 9deb6199c98fd6fae9d791d16be10e9870cb1dec1d5aed58ed60c9053ae0
e23f14b7f45d1f9d7b66f5ef4cd18d

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 1c6dba370cf5af89cdcf0ef8
ciphertext: fe2de76cf1763e0785164fae9618984922eb9aedcf5f03d060ea87998150
140339ddb5209d972ca709dc2a1d8f

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 1c6dba370cf5af89cdcf0efb
ciphertext: 16a2b8119c4695e8ad2f6dd59470071c390c4666a44e55f58abade397ff2
a4b71258c0efab257cf50cbdbb51d1

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 1c6dba370cf5af89cdcf0efd
ciphertext: 0b198300565c245bde451cc9224d2337532613b4254b3120796c5c5726e2
92f7e23d2641a5c2d7f96358febfec

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 1c6dba370cf5af89cdcf0e06
ciphertext: 4f14b12b4eb93e63c23a436f42066e9a1f69a6d200acbd79463d622a4633
8a8ad25e85b2bcc6766aaf12be0b56

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 1c6dba370cf5af89cdcf0ff9
ciphertext: f77682b845648b450b9e1ecc922020abf92e4deb88c57e9ffaa9137a8100
40c4f3e84edc49a9a98a70561a2bbd

A.5.3.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 80]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   bf435fa4b29e4c40dc253dcacb7d346c8ec5deef4eb3d724fc29df1cbb54321f

   exporter_context: 00
   L: 32
   exported_value:
   0f756e3317dcd06d8edfdd466d09555647fb2a5d97222309677a87c73d66cb25

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   cafbc83f4431d0a1aa3769ea61a19f25025fe9f022dda5dfbc621e786a73b449

A.5.4.  AuthPSK Setup Information

mode: 3
kem_id: 16
kdf_id: 1
aead_id: 3
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: d25ae0f5772d29c7631b3e6fbeddbd5ea3480cfcdedf52b62ea53a78eada0b51
pkEm: 04522b87fef8597fb474df8bffbb338bb4aa7870ca1a9ca00b7280933110559cc9
0985ac90c68af10c5ec2a8a7602e0d124efec764808917dcea31a44a7ed7d887
skEm: 491a0cbcdde5a45ae7e5b5008214d138274a38810177aaec36c1c7ee8a926443
ikmR: 991577662e9bed488a7152b4994e212806919d1c685ac81b2c83bc307c835f98
pkRm: 049da19c2e909d90ed12c59fd476bc49283cf2efc99088171603d83801aa8f762f
6ac7d66d333d4c43b5489e92dcb0a11c59efd5729ae633f96da99fc073ef32fc
skRm: 0c2e886e11eef8d6858d5745089b8c48441edcfe1db4bb6fecffd8d729dd8f5d
ikmS: 330f1e1338cfb63cd4fb94f5f315da37d71e89350446b2510e76d2dfa8568181
pkSm: 048e36f8faa39be80d56ab8db82fb29c66c6a0507efe6e16385ad3269c88476048
e9d905fe5b930f8e84a9dc4f8a39e19971273515e4a29d762fa721d26b5fc771
skSm: 415c85bd71e31f84b98a283b7aadd1ba5ceadc024657801c0d5208b28f97072d
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 04522b87fef8597fb474df8bffbb338bb4aa7870ca1a9ca00b7280933110559cc90
985ac90c68af10c5ec2a8a7602e0d124efec764808917dcea31a44a7ed7d887
shared_secret:
f8ac47019149b291838334655c301df8a4fbe457fcb384ca7fc3da561ec24ba6
key_schedule_context: 03eb05e31a1def4df3a3750746823861cf1546335001189fe2
870b59b88ab18eb9ec1f66cc97b192a4dbe73c73fbbd95df11beb60644bac645bdb003f9
3eae1438
secret: 7cb3f10b577b9aa168c43cac9cc892ee08a84ad07ee10c29d401924324e31c3b
key: cb923fa29319dbd29c8eb0e3f508140c55b1abab7358f8a7cfa90fe636849e27
base_nonce: 2d0c3bef72040774293c586b
exporter_secret:
d7a2c747836c0d76542c98535c4268767bdfb8fdf5b4cdd452cb0affa2013a45



Barnes, et al.            Expires 19 June 2021                 [Page 81]


Internet-Draft                    HPKE                     December 2020


A.5.4.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 2d0c3bef72040774293c586b
ciphertext: 0a0a68b3cdc8c4cc5129c2db2d5e66062757b5ef7c50e72b3df94baffcde
b1e9ccab54a48357b68d339508e07e

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 2d0c3bef72040774293c586a
ciphertext: 60207e04871f4a3327ea7079b217700b24db58632ad208476d4a83e3bca6
c3d68060c1a4336bf36f34ecc608db

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 2d0c3bef72040774293c5869
ciphertext: 35f45af0971268fdd8fa8c41780ad734140917a712e3eace6daad62852be
1ba1c687d53250ee1db700f2269fa7

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 2d0c3bef72040774293c586f
ciphertext: 0e77d22a859a074cc6f2bad3a5e419e3d1ba5fd06e1dbc7283878f5e07b6
41a7877616dc6d07120ec6f9fc834e

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 2d0c3bef72040774293c5894
ciphertext: d773082e101266a4757ad6ec18b11734e9cb70f6165734bdce3c02253403
7839afecd838cb82f89613a9c29609

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 2d0c3bef72040774293c596b
ciphertext: 2c57d926e3d696b2c7f1b8b5bc04a76038a94901d321dd62100e48655073
d600a9eb61305c7c421a1af5981022

A.5.4.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 82]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   3f9a976e3eb099fdc6ea1a97dd2418209d76249ba32abf5698a6444277f75bae

   exporter_context: 00
   L: 32
   exported_value:
   45f006575c8c415c8b6bb4c4520f9c4975feb24bc2ea544530bd15509f38869a

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   a8db571cc01acc0b157efb86abc4d02a53a11f2f5adf125b588cb2d29a92f169

A.6.  DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM

A.6.1.  Base Setup Information

































Barnes, et al.            Expires 19 June 2021                 [Page 83]


Internet-Draft                    HPKE                     December 2020


mode: 0
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: ea39fec1941c5f516e19533f40d415c65fde023c10c559f3845e71ffccea478101
573d069cc67874d5b2aba6a22eb51cdd689836b7e9cabbb4469c57947db7316fa7
pkEm: 040197302e6c03e86ca3d9aa27ccd387944acc362099711a96b874f7bb07eaf770
a0e11228441d184aff4be0916184f2b38779b9127b5edb9c8046f7b558d75fffefea01dd
5754fc8c82b4076558d53fb2f3e60fd1f809d2bc9d304c2d3f35e28ae7757d5129295c94
bbfe1ef2d01a459ecb7a361a8ae43a3d38e41d01b466f73ebef26ab7
skEm: 01ba7db044a52f3586a59e3f8c2953cc7f45a044a1389abddfac481c2354899bd4
370807345e5c04e35e0fff0ef755f209fa6cb6f5f63917f37ca140a001bd2bc6b2
ikmR: 8249fd42416aba5b0d51dcd3548d774ae172148cbba1519107c5d84a160225441a
9c018fdf3b9ffc2c41c1c62e29208d5165a59e7f14fe93b4f911cbbebda1904391
pkRm: 04003aefb3330e704d6c22ce7b67bab9b0e404be7f1374d0e6d3feeadc57f6b203
1c5669516a8cbc309e895c6634fcfe95039a4648fc093f5bdad77756b363073d80c10051
63c6fbea2c8268bebf70c6ca79928938d3e8d71471b1f116c1f3d23930e361219b7e104d
3a76b7377f18a84abdbc84a41ddc9a83d6b6e7c55887a95fc66a6137
skRm: 00c0c8e2de2efc6aa11f3420cdc1c6cba2c44d79ccf1c89d86b16090fa05247454
d3808b5133ddb923a8bfb35704f5d3c210f3ecf8afe8235b0cb4aaa38eff05f17d
enc: 040197302e6c03e86ca3d9aa27ccd387944acc362099711a96b874f7bb07eaf770a
0e11228441d184aff4be0916184f2b38779b9127b5edb9c8046f7b558d75fffefea01dd5
754fc8c82b4076558d53fb2f3e60fd1f809d2bc9d304c2d3f35e28ae7757d5129295c94b
bfe1ef2d01a459ecb7a361a8ae43a3d38e41d01b466f73ebef26ab7
shared_secret: 86af77da36582559e432f71964d74e7bbe972d8a13dd2bdf8375672d4
fe446d75c6b5f82694f45aecad75cd8d5ef0ef91ccfcfd0228691087c66b5ef75384e27
key_schedule_context: 00da5a1a3c5b8143e6db5a30d288a2ce1eba163576d754f4cb
c4ee43552ebf7dd475cdc5d45d9277ff3f7d2edcc13bd6c17f5a87fd01740e4f9d336aeb
b64be9f73b4b7a4cf3d95651612d822dde9365526adc78d0a7d77e570fbf3067ea90b138
e491d673d8666d8e312fc9b576111f058a7678a2ecfbcb0b9c509f3c3707875f
secret: 80a375f439f5f6f3596cc7e9f10f3c864d93d8984186183675aa66917bfc990d
6a3777ccbc800c3c72c0334b08746bcb51ad076ba61a6990af5999fc1031356e
key: 780b67de89a3c702fc30c5f159f25292c0e2f16560ea9c6b4b6183fd542c094e
base_nonce: cf6470b12bbea9f9ecc1fa7e
exporter_secret: 82a365c4c7bc1d11e2c43aae232b23f709abce3bae7e70c0c48cf6f
73dcf31655a466cf64a5ebb059196a7cf28996f050b8b9990480a44d5ece8e02e76b4340
a

A.6.1.1.  Encryptions











Barnes, et al.            Expires 19 June 2021                 [Page 84]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: cf6470b12bbea9f9ecc1fa7e
ciphertext: 173900910caf7c88867dfa2a67ef51b092246818ff889f1f7652cfa7ba6f
f46e14657d491c8276fb0518521b98

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: cf6470b12bbea9f9ecc1fa7f
ciphertext: dcd904b4b5f6f28c7a2f6df76feddf873a9d50df9ce80414088f5a2f5774
072ae262a4d022eb70e5fbe78aa3aa

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: cf6470b12bbea9f9ecc1fa7c
ciphertext: b20313aa367924629b7bb987dc7fe773b423e679a6a95ef9fc0bee22c92e
e2e6ca5df41038f42ab2b04ae141f5

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: cf6470b12bbea9f9ecc1fa7a
ciphertext: f2d5f28f1325df43b603bf58587daa38d3843972582e5d8f8e07570b0c86
1324b58b2a1f14460f2382defc3a1b

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: cf6470b12bbea9f9ecc1fa81
ciphertext: 14e55d0f6aa6ab051c2e14718a3a967c98c0e0621e3c88dd378aced3bb93
84f0d30d6372f59ae9f06eb9e752e3

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: cf6470b12bbea9f9ecc1fb7e
ciphertext: 93ceee2ac547e0adb129be803b88540c09b63c1885a7deaadac421b24339
e5b1ed4b808cd6af9bfd9770ae3c31

A.6.1.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 85]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   bdb9c5c4783ae29aa24dc38b6b8f65e798cdbc406c2625458d0af113e2082186

   exporter_context: 00
   L: 32
   exported_value:
   a1740f5e40a73fa65afe3de3257731e361e373cd329f9d8737f9c2c136829345

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   f375c057106cb17acc1c32fab4e53ed03b96df53880b9b85539629e82e21ba8c

A.6.2.  PSK Setup Information



































Barnes, et al.            Expires 19 June 2021                 [Page 86]


Internet-Draft                    HPKE                     December 2020


mode: 1
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: b563555965facaa37a5e754cf2e50193953e1d527e61637e521df1868354799258
f0d15d8807750cea08e9b6a358d2440ab06725861b237fb69973cf41e802434433
pkEm: 0400761083a4d901be728ba30c9d2bc1efb73a022dc1d177a1dadc1b8395a44073
bc8e7988ff43e7f50f320f06c4bfa6b2cdb4c103678cc829b3ab0f80fe407283420300bb
3c9150e880b55207ce8205ec56bd3cf888b89fa17ecd760785706928dfe18d64f2a5f4b3
dca1dab32289a420c24d1cbbe58ef53d1435cd0b6f77fa633f8e76aa
skEm: 01d319414b6313fafd44e4f3a30f923344b9ed784ec26b97c6653a290ce9f2ad3a
1c4f6331966b9c8d69855b39df1fa994abee346de26fdca5834a2b5df0a7b18a38
ikmR: 2be954cd856c0c548ec6de490c821be20c4fc9610b5dba1831c698045fa01dbceb
49f8324bae26e5d1ee62db3246d65492812e2c539b96bc580d46c247304adfc55e
pkRm: 040035d455bcf95a7c9d492dc4ba04110435706a6fe6e53fb5aacdb624a03ce9cf
ebae3cbad679615ce00dd455b78a3b7de5d891f4ce4f6832c5ec190dec97a31a79650150
00e29189dd08b1058d5d66fa995b068022781c6ea7ec16dfc2d33891ebecaadb17003dcc
e0f6bdc6fe6d7c4d0cd912c536c1f69d08faf6e7f299b0ffc2057c87
skRm: 009a5e4535cca836dde84fecc03d4f2efe7045bb79c43a9d995845fd2386bfec8a
c415fa35ebbf5e26617bf7fb6b789f2cc086c1075df94868f84a9cd90b48195348
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 0400761083a4d901be728ba30c9d2bc1efb73a022dc1d177a1dadc1b8395a44073b
c8e7988ff43e7f50f320f06c4bfa6b2cdb4c103678cc829b3ab0f80fe407283420300bb3
c9150e880b55207ce8205ec56bd3cf888b89fa17ecd760785706928dfe18d64f2a5f4b3d
ca1dab32289a420c24d1cbbe58ef53d1435cd0b6f77fa633f8e76aa
shared_secret: fed1702d573f7331a30173abc5f7f536763159391c71cabd6ee368105
1a8b0c4f8213ae78b920f9e33f880a4e3a717180274d86340438bd0a3e25eaee3ea8c92
key_schedule_context: 010fd8cefea7dbcb4870549c1d9aa61cc82348ba99f41333bb
3688fad192a16d85283c8d5041a16ed08480f03dee01579b9f0e2bb7104cc36fce2d8bee
39bc20f63b4b7a4cf3d95651612d822dde9365526adc78d0a7d77e570fbf3067ea90b138
e491d673d8666d8e312fc9b576111f058a7678a2ecfbcb0b9c509f3c3707875f
secret: f79e77d8b118c984d7e178073c3a1c385b5cbe18b737b93ce54c8979ff84c5e9
c095b37b93530433c75dfac7db9b9b6489e6aad0bf411f0d05ef272389d9ca3d
key: 030217f89b8673d7702c8698cf7e1eddaf1ad4b5c457c9f4888d8d22bd3816c7
base_nonce: 826086111c4d7b535e35b56f
exporter_secret: f747a66e44d7de00c8486f04d3a0d37f3f43c2c0d7355a7810c9eea
7b16eec36d3c1e590dc2c48f024ac2c2dc2418c7fa901c2b1ce1903d230986f5b04745fe
3

A.6.2.1.  Encryptions









Barnes, et al.            Expires 19 June 2021                 [Page 87]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 826086111c4d7b535e35b56f
ciphertext: ff0bdaa192f9d3c9b2456bf17f1a4f5e558f1925ea96112d6c8c388bcdff
a54c7554dbe809bcaac4aa36681572

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 826086111c4d7b535e35b56e
ciphertext: 48662931e6d079c8e23d36318adef8025feef6d218cc99f80e234fb28b2a
d55975d1ce8a731b70b4b1e6c5d31b

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 826086111c4d7b535e35b56d
ciphertext: 0d0b49d991a0303bbc36cec1318e7276d6e9d9bd9fccf0e7474934636562
35fc23fc724a6b3e55f95510638ce5

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 826086111c4d7b535e35b56b
ciphertext: 6734836f67a84edb6262747242c88bfd6c7dbef60393a0480d297a83a22d
da51f3fed7d531cd83315e833bf8df

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 826086111c4d7b535e35b590
ciphertext: d7e4aa09cdb5db8b9ff206b747645263ee14c72d9b5f99f6e5fbcb0d8b88
eb9fa053702a1f2d977ed76db2cf74

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 826086111c4d7b535e35b46f
ciphertext: a0370c07b913dd731b8dc342beb13a89f29c017bfc6618c16ba1cdbb6092
cc305852c96d6324e4ba128335bc5a

A.6.2.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 88]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   b07b939766998971abe37fcdf96d868c97675049ca2656d464b12c71d79712f6

   exporter_context: 00
   L: 32
   exported_value:
   8ec328319c37142becb6620c8b5a7ee7cf090e8964dd13f869d08f78c00db889

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   18b05591dafe354b5b4e3db924f4f8f4a6d433890722b5b85fca83391286da60

A.6.3.  Auth Setup Information



































Barnes, et al.            Expires 19 June 2021                 [Page 89]


Internet-Draft                    HPKE                     December 2020


mode: 2
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: c9621b9ef899275dc970606a2b0806fe860f62d539f3ee618a9409009b8ae154bc
4acf495dd9fa8f850c4dca82b923b42270d7b16ed343c7e86e3036c88d0d7d77ee
pkEm: 04005b8909175cbc8e7e8e94d0d8c6e5079d53da3ff6489e2ecea431e14747321d
ff54548f3b89842a2a0cbb326aa7537a5747464de79a4e71411cdbc06f439852a3f001a2
2941e560fe64ef80ac36ff28b1df51070e5c59585008e4e4a724915b88c011cf7493b915
f53c705fbcd461e0cfad34b09e74f1e201bddc6a95284c7a41f5b84c
skEm: 015f1715cb1d849065d403e0d3cb3ba7bd083ccf59b23ff8f289b4aa11c0d060d6
b7f22eda773e490fdd4ef76d6a0e48a5947f3e3a2c2952cef15337444c0e1a36b3
ikmR: ef805c20cda1fa06e06cfb968ad68c748a3dd94337f7357ca0060a382a84fa5de6
df3e3216f886957694547264d5bc63450cfdcc4d2b33fc8ebf8d7c708f8b5e4bb5
pkRm: 0400c171be51c683af5ff8eb5a0e03c907a6f6e14d8314a4f81733ddd6055b8c81
26f50b539f7b825356ae96d638f357122739c950f80ce5d7ed0a65bad442b66b38770111
861d3ba2d5d57c0f5064e7b60781d38785f04ae767840cb764bf854b0d411337c9e4e415
b3491a97c1a2555bac39e2910ce0e010379929ac3e0d2938c8baf6ca
skRm: 00e7212fe01bf83edba622ed8c317db92cb3901a0c2584cf6ac0d2878453a4394b
15656df990913eefc87dd88fbf54c4aa2e04fc9b19712f84277cc2e27395eccecf
ikmS: d8779e14425887ebb21b1952b1a0b77842830aef910724b082807dfebc8ec309b4
969da762369e77834593970215b85510c9a0347ff14c8583aae7c9c2208275b740
pkSm: 04010400b58ba4680c7bca0d634efa7dda9a74ee1cd90bce25ced4eea703c558ea
b6f196236230eb420c41c8cef7d9466c7d0689f31031bd2451e959eadea9cd5161ac0088
6db94d8cc001caca6ee8003ed5b9885e657a7f41e79e5e53b42a5fb7f5dad9e7a871797e
6f070bdf1ecdfc2f8660bbf0b2048f34ac4c51a818134eeb153b552d
skSm: 00bad304cf8e460014c92a20e122949f4a617f23a9dbf370c85972121e6445a5e6
d81c633cc7c33a015ad4d09473f0d0c05f3d1bbe73d5d5824298038ed12ace3fb1
enc: 04005b8909175cbc8e7e8e94d0d8c6e5079d53da3ff6489e2ecea431e14747321df
f54548f3b89842a2a0cbb326aa7537a5747464de79a4e71411cdbc06f439852a3f001a22
941e560fe64ef80ac36ff28b1df51070e5c59585008e4e4a724915b88c011cf7493b915f
53c705fbcd461e0cfad34b09e74f1e201bddc6a95284c7a41f5b84c
shared_secret: 8dbc4f750e506eed8271d6c48efc8a65981bb40bb9215907429ecb396
e8ac19efc5e1c22c26191391e6782552e2e84b62998ed9577eab755c03d12c3f221009c
key_schedule_context: 02da5a1a3c5b8143e6db5a30d288a2ce1eba163576d754f4cb
c4ee43552ebf7dd475cdc5d45d9277ff3f7d2edcc13bd6c17f5a87fd01740e4f9d336aeb
b64be9f73b4b7a4cf3d95651612d822dde9365526adc78d0a7d77e570fbf3067ea90b138
e491d673d8666d8e312fc9b576111f058a7678a2ecfbcb0b9c509f3c3707875f
secret: 9684d096debdf231690f99b7db15b7ad60a7feafad670dfa0806845dd462782f
655f51e5e5fffcc3cec6d39439ebbd898f10fb93cea7bc88ccb9ea8f5f2ef082
key: 6a2322915597c63a3dfd1acb98e095aa7b0b43d7b6113f0009b1518daeeab81f
base_nonce: 18ebf5c7e04f885a4e7cdd79
exporter_secret: 85aeb64ee2265bc1f9b2fe3fcfb94adab727c7729b5f2bb526045e9
5f11ae9834d08f81e59ec4fb6cc0112dce1e0e029b1ff60082af01f463e469a9268284cf
1





Barnes, et al.            Expires 19 June 2021                 [Page 90]


Internet-Draft                    HPKE                     December 2020


A.6.3.1.  Encryptions

sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 18ebf5c7e04f885a4e7cdd79
ciphertext: 6b15afafb3221c5bcb5388e00a844385147163317d4180dbd30570689f74
bebc08000124a63bd6245385cd398a

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 18ebf5c7e04f885a4e7cdd78
ciphertext: f6940d2fea5b3fb27f64b61319d57296c14b6612244a6d9df969d33f6d68
ff6740541ffd29aaad815640f2f4b4

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 18ebf5c7e04f885a4e7cdd7b
ciphertext: bb40476001f11ca66c75ec2a6755ec96a53f24becaa6d1135073369fcb13
21c10222956e1186148ecaf9349bc3

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 18ebf5c7e04f885a4e7cdd7d
ciphertext: 2aebad36cbe3c6b0eee74a0fa9f68040680ff0c7ff5600b6854c13c3a316
581722a56c566d633aeebb9946939a

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 18ebf5c7e04f885a4e7cdd86
ciphertext: e05a8eee88748cdd53d37cc79778afa28609b491aef446faa0fdb923ca35
5e3236c4eaa570b9ff373399487fc6

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 18ebf5c7e04f885a4e7cdc79
ciphertext: 7e5cefb4a94f4b70e3bd35f6ff3f638bd0364d2e93acc8a167a7a67f29c2
8848318ea85c8288bc0f2d31ad910e

A.6.3.2.  Exported Values






Barnes, et al.            Expires 19 June 2021                 [Page 91]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   d174923ac520b8cf125e9b43d2c30fda710362b9dc3cc2d37f6d7838bfe7ce18

   exporter_context: 00
   L: 32
   exported_value:
   ea8b6a12c7e6660722548ed750825feac6f215934e06ff3381a456e017239b44

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   164c91035f1d5fbef901eabebfa4890e8e7ddad325e9786b149deb26a16f65ec

A.6.4.  AuthPSK Setup Information

mode: 3
kem_id: 18
kdf_id: 3
aead_id: 2
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: d7537fd470c0beece615e26dd109922460292e973127cb4e22da16c0756fc33622
4e07dbecdf36edd144ebcd82aece3db52f814a33a639b5e7c964b27f6e3195cd73
pkEm: 04013c31cd06bce15d1b463800639a69d289d76144c1426f9061f4b0245b8490d4
8e29ecb8b3f2165970f341544a50d6017957e5c3f09b71f0a3b56af12383a53fbd9200b1
d5c6833a5095d97982d2e3528b38e4664bf29a719beeb3bb2b7e5c4e2acb3f0bc1387eaf
a7048e5718a27b6d7e25ca4b7e750386cde8d89e52c39f98db734671
skEm: 01129211d633b2e9593d1512f890bb8256e748cc6a45f75162d1936763957b3882
306f2dec7b70a8f6f46a70ca0bb1b3a4037fb4308661f45c56f04ff027c8721f6c
ikmR: f0858f5e1865db4fe45dc3274bcd273a29088d80f9203a16ec1210e3d81dd50a99
f15c427d547fea55593e2ef834beb5f80c536fdd2881a8943c05488a371a3c988d
pkRm: 0401c45cce1bda6afdefd49a12d9fc2d091f89e87e6d7932023342ce78d87e564a
0ca371795554d687a0d5d5982df2ab507091f0ffa70235710ebdc19db8968876d7ed00d4
051e3d606e88886c97de770fbc6270978d71c6b7a374f2cde4f66c776678799991cb35e0
9000b2b001bf035a1aa67f18d551c0d2c7a8a7a8e38956325c775892
skRm: 012dab66607b30642ecc1314f5345a595826c3c04432ae9a7f8fec1ca7ee71687d
b7b120f123e7f21f5326e5a379f78d8f1af3c971a1407f66632e68b23c75b28b1a
ikmS: 1e8d0026273feb61537181872e03ed2c7756f0ed1c4bb9ecd159614c2afdcaacc5
fcf70f6d30d7ea6760c98a1ce1138a82497eb72461ca5da50c8729d431de53857f
pkSm: 04000890a9d2ef896c4c307b4e8c6e56639b68d442309e8a67ebdd80108b4bf350
1b30c341a119b61bba2d17fa5a61f570be6ccc0f930057c1fa51050830e932eb2c3a006e
1b2e05fc108b4851df60235fe387ae441c74df048e7a4c31e93f4ef3f44ecd2e7aeaf34f
03db68a91e5cc7862a35aa4e6503cd40ac4456ea5b0c21e1fb00e26a
skSm: 011e4054db844866d6e99c6973972ba646842cc1b19cfcfceb3b5175dce007ec5e
36e3f9a6e63e06615c6f1b6f983022040a00f64428bc9107f6e3e370d33f158de2
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961



Barnes, et al.            Expires 19 June 2021                 [Page 92]


Internet-Draft                    HPKE                     December 2020


enc: 04013c31cd06bce15d1b463800639a69d289d76144c1426f9061f4b0245b8490d48
e29ecb8b3f2165970f341544a50d6017957e5c3f09b71f0a3b56af12383a53fbd9200b1d
5c6833a5095d97982d2e3528b38e4664bf29a719beeb3bb2b7e5c4e2acb3f0bc1387eafa
7048e5718a27b6d7e25ca4b7e750386cde8d89e52c39f98db734671
shared_secret: 0f942166336ecbb2ccaed99d7b9573fffdb7da9b8c1c68000d0fcfbc3
39c86e826f1d80eac229fa924990d465136734dd94ff5ac53d95ce0955c527a35d47151
key_schedule_context: 030fd8cefea7dbcb4870549c1d9aa61cc82348ba99f41333bb
3688fad192a16d85283c8d5041a16ed08480f03dee01579b9f0e2bb7104cc36fce2d8bee
39bc20f63b4b7a4cf3d95651612d822dde9365526adc78d0a7d77e570fbf3067ea90b138
e491d673d8666d8e312fc9b576111f058a7678a2ecfbcb0b9c509f3c3707875f
secret: 5262f5c006ae9f942ba4326c683cac0d3885fe4e97a4bc4445ed5975a50ad696
a20ed2adfdcd9b3d83f1909e8e3f6fcb7501e4e3debcac274959f243575a5a5a
key: efdc16c82ea9dd9761b6379e11e78c87931700e1f6714dc8c24019ff083e3c98
base_nonce: 506b1a27c322908a696ff219
exporter_secret: 702d2ed8e95bd3d75202950a39ff26a7cf24b4f6bbd9556646992c7
770b3c8d74fb8e82fe6da5518ce364ac3cd0a93cf15ccc86cc6f18af420a62ad8c06cd9c
1

A.6.4.1.  Encryptions
































Barnes, et al.            Expires 19 June 2021                 [Page 93]


Internet-Draft                    HPKE                     December 2020


sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 506b1a27c322908a696ff219
ciphertext: f287e90cccad8b3d74098f52c837b528711e45b1b908276c53227742f560
820f5f92bfc4b52bc9a0201d65f7fc

sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 506b1a27c322908a696ff218
ciphertext: fa030f97ebb74d8693217f1f71951d8945116b8363ab2ee7eeaa7483747d
183bf87dfa04b4369cfc60342f7d6e

sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 506b1a27c322908a696ff21b
ciphertext: f713224d98ab0f41e19dee499a69b002dc0eeb4ed2f1d25bc51c8d46872e
6658b8b727d85d7fe3c5f2496dfc2d

sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 506b1a27c322908a696ff21d
ciphertext: 87a207c668e277338124f24283fd2fead99ca9e7758e2a261a0b1e23c804
aeccaa8c9db788fec59a4ff60d9d01

sequence number: 255
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323535
nonce: 506b1a27c322908a696ff2e6
ciphertext: 2f206ae4f0c305ca7bb143e5799d3fc1ca3f1967907ee2cefe354b607582
e6da5ee2c151ed4e006ac0bea0b705

sequence number: 256
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d323536
nonce: 506b1a27c322908a696ff319
ciphertext: 45663902baba32b1d4bc30bdf6bc84fd0d6c75d8183171798d660683e20b
0da5eed47cd4a1d8e50e724d3d92ff

A.6.4.2.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 94]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   bee5710e3cdbb45ccf19225c70e441d59f9f5a03c8d18265b535184479ef99a8

   exporter_context: 00
   L: 32
   exported_value:
   0946a53f89b63824aede60e9a39349dc60e645401ef6a8b20a4b96912e13a944

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   d4b25aa19d6c39e24a6a33b449e0a601308fb4273c74a07831dae99ee31dd5fb

A.7.  DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, Export-Only AEAD

A.7.1.  Base Setup Information

mode: 0
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: fd25fee6390a3e6ac22a2803bb7ad8a5cb5840909cd9eec5477861fcf80e95c6
pkEm: 3dd7692d425314fbdafe93d30b270b6a6b1334a3fd91ffcdf7dd5f2e47287e19
skEm: 0c936a530f1fefef3dc36824d68dec25c8a45cdd65b2c2d509d4e729de864199
ikmR: 0e92d2106717b970b151fcd12b3254acdc7a5d1b404970447b36dba57322e2a3
pkRm: 7a71e8fb1172ce7911aae98fc95f3dfabee0ca941ad4f7a80cd1e12cc3ac1a0f
skRm: de14dc512e274f434203e210891a2126e080d877f634b81ed99819055fdd9a75
enc: 3dd7692d425314fbdafe93d30b270b6a6b1334a3fd91ffcdf7dd5f2e47287e19
shared_secret:
69e652a203f63aaaeeda4251629db85e3a86c400b7e6c0af66e6b7c65829a460
key_schedule_context: 003d46e6b74658a4c6178186c0256fcfbb80388dfced042733
31809098351cc19d56a7644fe2c4ed575dbd11f82d995403da7875c62d59381862798f75
71b0e9aa
secret: b2841af7aa53b01e042bfb39b1dc45135050badfc3fa5d281f4f105659d22d6a
key:
base_nonce:
exporter_secret:
26984b32209a528926a617fb1bacd8e394bb137ec136556ff8d93019e36fdc2f

A.7.1.1.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 95]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   3ce6bd2dd444ec89a6fc1f530b05bf4147a01ee783e0696479832c680aa93fa1

   exporter_context: 00
   L: 32
   exported_value:
   f3c6d57e1f355ab143ee1bca88c059dc8b6bdc933d8489d01afa637a012118a3

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   5a9527dfb98087e0e0c57ec3cd8064979242f3f316ac66e0877f01d9b91d1f92

A.7.2.  PSK Setup Information

mode: 1
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 0b1e8a08ab372010dcbffb81a133ccab19393b3566bd348d7ee14e3756a0742c
pkEm: 689e540564c01729f650eaa1268d166581faa17880fef0d4f71aba4b99c84879
skEm: f523df71b0e5dc36d6357124e9df29fb0210203dc68cfd1a095134a3c448f6fd
ikmR: fe22b2df8c8a5c83a61309ae5c8cacbcef66a0a5ab272f365fa7e9ca313ba988
pkRm: c407e88d9aa29930a3b0a80d5bf6c6a61ca9ffd82ea1a19aad2d81a19a44ee1c
skRm: b5cb06a707b4ff5fb002322eb61df776f4c21e234e317d1130b6e55b690ef3f3
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 689e540564c01729f650eaa1268d166581faa17880fef0d4f71aba4b99c84879
shared_secret:
95cf26b7bb1c3482528cdf535701917255f2a92932e7716d17857cbe4728b843
key_schedule_context: 01771a4a301d8c0172c15f39ef4c403817bbef77efb9f826bb
4b2ba5cd43b6169456a7644fe2c4ed575dbd11f82d995403da7875c62d59381862798f75
71b0e9aa
secret: cde26ee46a8e18ae767f856cd79cdef1c64ff4229710c0205e7e8c44e8e0fac4
key:
base_nonce:
exporter_secret:
426c1002a7bb83968ad38191561c1286ef50d84f6b12f1cdfceae437f5ae3585

A.7.2.1.  Exported Values








Barnes, et al.            Expires 19 June 2021                 [Page 96]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   0afde49f42e7d63376f85586534983c94e06af873a7c28c79a5422b71e176478

   exporter_context: 00
   L: 32
   exported_value:
   8f413a30d2839a2e64a7aedbff817d07475a1f9321d385f74f11b1373a49847f

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   19134871abbef7cc8a5aa6eccd04733cc266f607dfba7cdc2d7e86aaf421f97c

A.7.3.  Auth Setup Information

mode: 2
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 354f6caefa215f87e9c783edacbc33f1892153a2fb9b358e766e30ff3283ae42
pkEm: 7fe0da26c3d0b589990261d7a04c90fc73c5240d11f73eabb459a5bf875be608
skEm: 3a2af8a9e4309b3b777d58437f13ed2cadc820b3b7465c9e227ab2f57998239f
ikmR: 50e916b01df1eb4ca7fad822b7f448579d9ed6046dabf917ebc6460da9082b73
pkRm: a9b03c18e25100d4dece73844cb1db2e5787567f84a948af411dcc7f43ebe962
skRm: 94a80804342a0df234bf6bdbd3b16c23b7b0803f0c1133e572da9a63bcf96233
ikmS: 0c9b2083832ade0e86e635639b6e2b60a1a51d6ad495f49da221f290e89d08cb
pkSm: 7feea4f2d7e48765042e053bd89c39c5a50ee9c20a6bae4086a9f17cb6119e01
skSm: 658a21e96d5d2fb6d1c1d4f31dea225652457d53d245201c858637eb60876f9f
enc: 7fe0da26c3d0b589990261d7a04c90fc73c5240d11f73eabb459a5bf875be608
shared_secret:
57d627f15d2876222f2558a8080c806a193a10605126be7f2467025dad635fe2
key_schedule_context: 023d46e6b74658a4c6178186c0256fcfbb80388dfced042733
31809098351cc19d56a7644fe2c4ed575dbd11f82d995403da7875c62d59381862798f75
71b0e9aa
secret: 2d58089c497d3908d6b11fbc5619fd9c1297ad0f9e435174d805bd1138767639
key:
base_nonce:
exporter_secret:
c123f918736c12f532a57b073d4bdc14a60111ae19f14bd2e8215cc2c07eb787

A.7.3.1.  Exported Values







Barnes, et al.            Expires 19 June 2021                 [Page 97]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   22379fcb605adc88d3845914b863710b93627208e91e272553136e8a8352f8c0

   exporter_context: 00
   L: 32
   exported_value:
   34899d55939a49c4080102e0a0ddeb25adaae11ffcb86421c1d2ca0d97835ddc

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   302b4e7e121f6b0688f64f0b4ac18ea7f0b34bdf3b80b4e2d18c15d677f10069

A.7.4.  AuthPSK Setup Information

mode: 3
kem_id: 32
kdf_id: 1
aead_id: 65535
info: 4f6465206f6e2061204772656369616e2055726e
ikmE: 9b11f0f5d478e01039dea03ff9dd3be09bf658bbae353eba10daae44de5b3db7
pkEm: 2990ffd43ebdc605493ce691731dfef3bfe8cc95ddc51fb1e60c494c30b88f18
skEm: a9d2cd9459f2a799701d995e49adef541c73137e93ae6889cfe28ba1e54f0052
ikmR: 27aac8140906b3821c7a423b362b6a30ab964b246e9ba8c7fccc5201c30ccb83
pkRm: 7822195255235325b19d65f2cab89801d59b9677b8697bba9ee7a27849c5a353
skRm: 3feadefdc39e82a355a52d912cf2467df9c6650580484cb6eef23af89b1a386b
ikmS: 0a935724b0cf5f51910079665a4175aa83aa4882a1ebbd93b54fa2cb00155723
pkSm: ac058bf5eb28717a8f12c8c5bbcbc42328ae8d5951ec0570796b43d4caf60962
skSm: 94834fed3c583bb8dd79f4574e1a69ab616963b19ddfb375b8a58510b906cdb5
psk: 0247fd33b913760fa1fa51e1892d9f307fbe65eb171e8132c2af18555a738b82
psk_id: 456e6e796e20447572696e206172616e204d6f726961
enc: 2990ffd43ebdc605493ce691731dfef3bfe8cc95ddc51fb1e60c494c30b88f18
shared_secret:
d3f1e60e497270d40c5f4f96a964a0983164a07be6357627c99790720b432f34
key_schedule_context: 03771a4a301d8c0172c15f39ef4c403817bbef77efb9f826bb
4b2ba5cd43b6169456a7644fe2c4ed575dbd11f82d995403da7875c62d59381862798f75
71b0e9aa
secret: bc6d1f12ce23bb6fa9d2d17b800fe69024964cee4577dc2162c0c050f1f23242
key:
base_nonce:
exporter_secret:
5b85ceaba3f301c7cf01c1f0aeba71678f11a74618a6f09c6ddbf65f6ef432c2

A.7.4.1.  Exported Values





Barnes, et al.            Expires 19 June 2021                 [Page 98]


Internet-Draft                    HPKE                     December 2020


   exporter_context:
   L: 32
   exported_value:
   573c24d581994a81a6518ee5b1d48abf85b1cc38fc8f70f01de1cdc7f5bf2ee8

   exporter_context: 00
   L: 32
   exported_value:
   6fe60913b0a0af95ac071d7b53d83692970b5b4c030bc8a2e0074671eb4002c1

   exporter_context: 54657374436f6e74657874
   L: 32
   exported_value:
   d2b79beaacda50f1fca777e8f2d0f7b70dd296b6a2c18326816d6e11a6d5860c

Authors' Addresses

   Richard L. Barnes
   Cisco

   Email: rlb@ipv.sx


   Karthik Bhargavan
   Inria

   Email: karthikeyan.bhargavan@inria.fr


   Benjamin Lipp
   Inria

   Email: ietf@benjaminlipp.de


   Christopher A. Wood
   Cloudflare

   Email: caw@heapingbits.net












Barnes, et al.            Expires 19 June 2021                 [Page 99]