KeyGen() outputs a private key that is the concatenation of ML-KEM private key, X25519 private key, and X25519 public key. Since the private key never has to go over the wire, I wonder (a) why the spec is prescriptive about how the private key is encoded and (b) why the X25519 public key is redundantly included in the X-Wing private key. (One can recompute it as needed.)
Can we relax the spec to only specify that the actual ML-KEM and X25519 secrets are output from KeyGen, and then perhaps recommend that implementations also precompute and store the X25519 public key if desired?
KeyGen() is very fast, so if you want to save storage and don't care about a little extra computation, you can go all the way and store the seed instead of the private key.
KeyGen() outputs a private key that is the concatenation of ML-KEM private key, X25519 private key, and X25519 public key. Since the private key never has to go over the wire, I wonder (a) why the spec is prescriptive about how the private key is encoded and (b) why the X25519 public key is redundantly included in the X-Wing private key. (One can recompute it as needed.)
Can we relax the spec to only specify that the actual ML-KEM and X25519 secrets are output from KeyGen, and then perhaps recommend that implementations also precompute and store the X25519 public key if desired?