Classic McEliece 6960-119 + X25519 + HKDF-SHAKE256 KEM.
=> https://classic.mceliece.org/ Classic McEliece
=> https://datatracker.ietf.org/doc/html/rfc7748.html X25519
=> https://datatracker.ietf.org/doc/html/rfc5869.html RFC 5869, HKDF
=> https://keccak.team/ SHAKE XOF function

<<    [schemas/kem-with-encap.tcl]

"/kem/*/a" equals to "mceliece6960119-x25519-hkdf-shake256".
Recipient public key with [cm/pub/mceliece6960119-x25519]
algorithm must be used. It should have "kem" key usage set.

"/kem/*/encap" field is a concatenation of 194 bytes of
Classic McEliece 6960-119 ciphertext, with XChaCha20-Poly1305-encrypted
32 bytes ephemeral X25519 public key:

    mceliece-ciphertext || XChaCha20-Poly1305(
        key=decapKey,
        nonce=decapNonce,
        data=e-x25519-sender-public-key,
        ad=mceliece-ciphertext)

Recipient performs Classic McEliece decapsulation, decrypts ephemeral
X25519 public key, computes shared secrets, combines them and derives KEK.

          ====================================================
                                WARNING
          ====================================================
          Sender authentication uses only *NON*-PQ crypto!
          ====================================================

    H = SHAKE256
    mceliece-ciphertext, mceliece-shared-key = KEM-Encap(mceliece-recipient-public-key)
    mceliece-shared-key = KEM-Decap(mceliece-recipient-private-key, mceliece-ciphertext)

    decapKey, decapNonce = HKDF-Expand(H, prk=mceliece-shared-key,
        info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256/decap" || /id)
    es-x25519-shared-key = X25519(e-x25519-sender-private-key,
                                  s-x25519-recipient-public-key)
    PRK = HKDF-Extract(H, salt="", ikm=
        mceliece-shared-key || es-x25519-shared-key ||
        H(mceliece-sender-ciphertext || e-x25519-sender-public-key) ||
        H(mceliece-recipient-public-key || s-x25519-recipient-public-key))
    if {specified sender}
        ss-x25519-shared-key = X25519(s-x25519-sender-private-key,
                                      s-x25519-recipient-public-key)
        PRK = HKDF-Expand(H, prk=PRK,
            info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256/auth")
        PRK = HKDF-Extract(H, salt=PRK, ikm=
            ss-x25519-shared-key || s-x25519-sender-public-key)
    KEK = HKDF-Expand(H, prk=PRK,
        info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256" || /id)

"/kem/*/cek" is wrapped with [cm/keywrap/xchapoly] mechanism.

KEM combiner nearly fully resembles:
=> https://datatracker.ietf.org/doc/draft-josefsson-chempat/ Chempat

If sender/recipient's public key structure contains "/data/prehash" field,
then it could be used as already calculated values of SHAKE256 calls of PRK.
