Both ss1||ss2 or ss2||ss1 are allowed in SP.800-56Cr2

[ounsworth]

Wow. Ok. I completely mis-read Quynh's email to LAMPS: https://mailarchive.ietf.org/arch/msg/spasm/Yh5AelwiAOXhhdjEPzWPmWekYLA/

Similarly, the order of ss1 and ss2 may be in reverse and run the "Process" on page14 in SP 800-56r2 here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf .

That means we can un-twist the order in which the ss inputs are fed into the KDF; because in fact we do not need to put the traditional alg first -- keep everything consistent with the order (mlkem, trad).

[ounsworth]

To the extent possible, synchronize with the equivalent OpenPGP drafts:

https://github.com/openpgp-pqc/draft-openpgp-pqc/issues/132#issuecomment-2220386567

Request a meeting with Quynh, Falko, Aron. We also want to discuss whether we can (and whether we should) synchronize domain separators so that our composite KEMs are binary compatible.