@soatok looks a lot like a Noise_K pattern using the shared key to verify the message HMAC (?). Doesn’t seem like you’d get too much cryptographer side-eye for that. Neil did mention using auth KEM for something similar right? I kinda like it a lot.