algorithm of the
.BR key (1))
command to generate the key.
+.TP
+.B symm
+This is a simple symmetric encapsulation scheme. It works by hashing a
+binary key with a randomly-generated salt. Use the
+.B binary
+algorithm of the
+.B key add
+command (see
+.BR key (1))
+to generate the key.
.PP
As well as the KEM itself, a number of supporting algorithms are used.
These are taken from appropriately named attributes on the key or,
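Review bot: The added symm entry says only that it works by "hashing a binary key with a randomly-generated salt"; it names neither the hash function nor the attribute that selects it, and gives no salt length. The paragraph after the list says supporting algorithms come from attributes on the key, so state here which attribute governs the hash. It is also worth one sentence noting that the key is a shared secret, so anyone able to decrypt with it can also encrypt to it.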
command (see
.BR key (1))
to generate the key.
+.TP
+.B mac
+This uses a symmetric message-authentication algorithm rather than a
+digital signature. The precise message-authentication scheme used is
+determined by the
+.B mac
+attribute on the key, which defaults to
+.IB hash -hmac
+if unspecified. Use the
+.B binary
+algorithm of the
+.B key add
+command (see
+.BR key (1))
+to generate the key.
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
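Review bot: The added mac entry says it uses a message-authentication algorithm "rather than a digital signature" but does not say what that means for a user who picks it from the list of signature algorithms. Spell out the consequence: verifying needs the same secret key that produced the tag, so every verifier can also produce valid tags, and a third party without the key cannot check the result. Separately, ".IB hash -hmac" typesets hash as a variable without saying where its value comes from; add a clause tying it to the hash function described in the paragraph that follows.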
scheme; use the next bits to key a message authentication code.
.hP 4.
If we're signing the message then extract 1024 bytes from the keystream,
-sign them, and emit a packet containing the signature. The signature
-packet doesn't contain the signed message, just the signature.
+sign the header and public value, and the keystream bytes; emit a packet
+containing the signature. The signature packet doesn't contain the
+signed message, just the signature.
.hP 5.
Split the message into blocks. For each block, pick a random IV from
the keystream, encrypt the block and emit a packet containing the
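Review bot: In step 4, the new wording "sign the header and public value, and the keystream bytes" does not define the order or framing in which the three items are fed to the signature algorithm, so two implementations could read it differently and produce signatures that fail to verify against each other. Give the exact byte layout (order, and whether lengths are included). Because the signed data is no longer just the 1024 keystream bytes, signatures made under the old description will not verify under the new one; the page should say so, or say how the two formats are told apart.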