The server has long-term static Classic McEliece 6960-119 and X25519
keypairs. Their public keys are transferred to the client out of band, outside the connection.
hash = SHAKE256
Client:
* has: serverStaticPubMcEliece, serverStaticPubX25519
* clientEphPrvX25519, clientEphPubX25519 = Generate()
* ctMcEliece, ssMcEliece = Encapsulate(serverStaticPubMcEliece)
* H = hash("VoRS v6")
* H = hash(H || serverStaticPubMcEliece || serverStaticPubX25519)
* H = hash(H || ctMcEliece)
* CK = HKDF-Expand(prk=HKDF-Extract(salt="", ikm=ssMcEliece),
info="VoRS v6 ck")
* k = HKDF-Expand(prk=CK, info="VoRS v6 client x25519")
* ctX25519 = ChaCha20-Poly1305(k, nonce=0, ad=H, pt=clientEphPubX25519)
* H = hash(H || ctX25519)
* ssX25519 = X25519(clientEphPrvX25519, serverStaticPubX25519)
* CK = HKDF-Expand(prk=HKDF-Extract(salt=CK, ikm=ssX25519),
info="VoRS v6 ck")
* sends: ctMcEliece || ctX25519
Server:
* ...
* serverEphPrvX25519, serverEphPubX25519 = Generate()
* k = HKDF-Expand(prk=CK, info="VoRS v6 server x25519")
* ctX25519 = ChaCha20-Poly1305(k, nonce=0, ad=H, pt=serverEphPubX25519)
* H = hash(H || ctX25519)
* ssX25519 = X25519(serverEphPrvX25519, clientEphPubX25519)
* CK = HKDF-Expand(prk=HKDF-Extract(salt=CK, ikm=ssX25519),
info="VoRS v6 ck")
* serverEphPrvSNTRUP761, serverEphPubSNTRUP761 = Generate()
* k = HKDF-Expand(prk=CK, info="VoRS v6 server sntrup761")
* ctSNTRUP = ChaCha20-Poly1305(k, nonce=0, ad=H, pt=serverEphPubSNTRUP761)
* H = hash(H || ctSNTRUP)
* sends: ctX25519 || ctSNTRUP
Client:
* has: prefinish message payload
* ...
* ctSNTRUP, ssSNTRUP = Encapsulate(serverEphPubSNTRUP761)
* k = HKDF-Expand(prk=CK, info="VoRS v6 client sntrup761")
* ctSNTRUP = ChaCha20-Poly1305(k, nonce=0, ad=H, pt=ctSNTRUP)
* H = hash(H || ctSNTRUP)
* CK = HKDF-Expand(prk=HKDF-Extract(salt=CK, ikm=ssSNTRUP),
info="VoRS v6 ck")
* k = HKDF-Expand(prk=CK, info="VoRS v6 client prefinish")
* ctPrefinish = ChaCha20-Poly1305(k, nonce=0, ad=H, pt=prefinish)
* H = hash(H || ctPrefinish)
* sends: ctPrefinish
Server:
* ...
Both:
clientChaPolyKey, serverChaPolyKey, VoIPKey = HKDF-Expand(
prk=CK, info="VoRS v6 keymat")
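The key schedule above (transcript hash H, chaining key CK, per-message AEAD keys and the final keymat split), as an added Python example that is not part of the VoRS spec or its implementation. The KEM and X25519 shared secrets and the wire ciphertexts are replaced by constructed byte strings, and the example assumes a 32-byte SHAKE256 output and HMAC-SHA256 HKDF, since the page fixes neither.

```python
import hashlib
import hmac
# Assumed (the spec fixes neither): H is SHAKE256 truncated to 32 bytes; HKDF is RFC 5869 over HMAC-SHA256.
def shake(data: bytes) -> bytes:
    return hashlib.shake_256(data).digest(32)

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

class VorsKeySchedule:
    """Transcript hash H and chaining key CK, as both peers maintain them."""
    def __init__(self, server_pub_mceliece: bytes, server_pub_x25519: bytes):
        self.H = shake(b"VoRS v6")
        self.absorb(server_pub_mceliece + server_pub_x25519)
        self.CK = b""  # so the first Extract runs with salt=""

    def absorb(self, ct: bytes) -> bytes:
        """H = hash(H || ct): each ciphertext is absorbed in transmission order."""
        self.H = shake(self.H + ct)
        return self.H

    def mix_key(self, ss: bytes) -> bytes:
        """CK = HKDF-Expand(HKDF-Extract(salt=CK, ikm=ss), "VoRS v6 ck")."""
        prk = hmac.new(self.CK, ss, hashlib.sha256).digest()  # HKDF-Extract
        self.CK = hkdf_expand(prk, b"VoRS v6 ck")
        return self.CK

    def key(self, info: bytes) -> bytes:
        """Per-message AEAD key k (e.g. b"VoRS v6 client x25519"); H is the AEAD's ad."""
        return hkdf_expand(self.CK, info)

    def keymat(self) -> tuple:
        """clientChaPolyKey, serverChaPolyKey, VoIPKey from one 96-byte Expand."""
        km = hkdf_expand(self.CK, b"VoRS v6 keymat", 96)
        return km[:32], km[32:64], km[64:]

def run_schedule(secrets: list, wire: list) -> tuple:
    """secrets: ssMcEliece, static-X25519 ss, ephemeral-X25519 ss, ssSNTRUP;
    wire: the six ciphertexts in transmission order. Returns (final H, keymat)."""
    ks = VorsKeySchedule(b"mceliece-pub", b"x25519-pub")  # constructed stand-in public keys
    ks.absorb(wire[0]); ks.mix_key(secrets[0])  # ctMcEliece, then ssMcEliece
    ks.absorb(wire[1]); ks.mix_key(secrets[1])  # client ctX25519, then X25519(cEph, sStatic)
    ks.absorb(wire[2]); ks.mix_key(secrets[2])  # server ctX25519, then X25519(sEph, cEph)
    ks.absorb(wire[3]); ks.absorb(wire[4]); ks.mix_key(secrets[3])  # sntrup pub ct, sntrup ct, ssSNTRUP
    ks.absorb(wire[5])  # ctPrefinish
    return ks.H, ks.keymat()
```

Because H covers every ciphertext and is the AEAD associated data of the next message, a single altered byte on the wire changes H and makes the peer's decryption fail, while CK depends only on the four shared secrets.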