> Because for embedded devices that don’t have enough memory to hold all
> of those objects in simultaneously, this is likely the order in which it
> would have those things available to stream into SHA3.
>
That will not make a difference: the SHA3-256 rate is 136 bytes.
> Another thing to cons
Bas Westerbaan writes:
> SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519
> )
One critique:
I would consider changing the order of the X25519 params to
SHA3-256( xwing-label || ss_ML-KEM || pk_X25519 || ct_X25519 || ss_X25519 )
Because for embedded device
