Streamlined NTRU Prime 761 + X25519 + HKDF-BLAKE2b KEM.
=> https://ntruprime.cr.yp.to/ Streamlined NTRU Prime KEM algorithm
=> https://datatracker.ietf.org/doc/html/rfc7748.html X25519
=> https://datatracker.ietf.org/doc/html/rfc5869.html RFC 5869, HKDF
=> https://datatracker.ietf.org/doc/html/rfc7693.html RFC 7693, BLAKE2b

<<    [schemas/kem-with-encap.tcl]

"/kem/*/a" equals to "sntrup761-x25519-hkdf-blake2b".
Recipient public key with [cm/pub/sntrup761-x25519]
algorithm must be used. It should have "kem" key usage set.

Recipient's map "/kem/*/encap" field is a concatenation of 1047
bytes Streamlined NTRU Prime 761's ciphertext, containing
ephemeral key, with 32 bytes ephemeral X25519 public key.

Recipient performs X25519 and SNTRUP computations to derive/decapsulate
two 32-byte shared keys. Then it combines them to get the KEK decryption
key of the CEK.

          ====================================================
                                WARNING
          ====================================================
          Sender authentication uses only *NON*-PQ crypto!
          ====================================================

    H = BLAKE2b
    PRK = HKDF-Extract(H, salt="", ikm=
        sntrup761-shared-key || es-x25519-shared-key ||
        H(sntrup761-sender-ciphertext || e-x25519-sender-public-key) ||
        H(sntrup761-recipient-public-key || s-x25519-recipient-public-key))
    if {specified sender}
        PRK = HKDF-Expand(H, prk=PRK,
            info="cm/encrypted/sntrup761-x25519-hkdf-blake2b/auth")
        PRK = HKDF-Extract(H, salt=PRK, ikm=
            ss-x25519-shared-key ||
            s-x25519-sender-public-key ||
            s-x25519-recipient-public-key)
    KEK = HKDF-Expand(H, prk=PRK,
        info="cm/encrypted/sntrup761-x25519-hkdf-blake2b" || /id)

"/kem/*/cek" is wrapped with [cm/keywrap/xchapoly] mechanism.

KEM combiner nearly fully resembles:
=> https://datatracker.ietf.org/doc/draft-josefsson-chempat/.html Chempat
