xwing: include X25519 public key in X-Wing private key

Aligns with what will likely be -01

kem/xwing/xwing.go

@@ -1,6 +1,8 @@
 // xwing implements the X-Wing PQ/T hybrid KEM
 //
 //	https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem
+//
+// Currently implements what will likely be -01.
 package xwing
 
 import (
@@ -18,7 +20,7 @@ import (
 type PrivateKey struct {
 	m   mlkem768.PrivateKey
 	x   x25519.Key
-	xpk x25519.Key // cache to prevent recomputation during each decapsulation
+	xpk x25519.Key
 }
 
 // An X-Wing public key.
@@ -35,7 +37,7 @@ const (
 	PublicKeySize = 1216
 
 	// Size of an X-Wing private key
-	PrivateKeySize = 2432
+	PrivateKeySize = 2464
 
 	// Size of the seed passed to EncapsulateTo
 	EncapsulationSeedSize = 64
@@ -73,7 +75,8 @@ func (sk *PrivateKey) Pack(buf []byte) {
 		panic(kem.ErrPrivKeySize)
 	}
 	sk.m.Pack(buf[:mlkem768.PrivateKeySize])
-	copy(buf[mlkem768.PrivateKeySize:], sk.x[:])
+	copy(buf[mlkem768.PrivateKeySize:mlkem768.PrivateKeySize+32], sk.x[:])
+	copy(buf[mlkem768.PrivateKeySize+32:], sk.xpk[:])
 }
 
 // Packs pk to buf.
@@ -290,7 +293,7 @@ func (sk *PrivateKey) Unpack(buf []byte) {
 		panic(kem.ErrPrivKeySize)
 	}
 
-	copy(sk.x[:], buf[mlkem768.PrivateKeySize:])
-	x25519.KeyGen(&sk.xpk, &sk.x)
+	copy(sk.x[:], buf[mlkem768.PrivateKeySize:mlkem768.PrivateKeySize+32])
+	copy(sk.xpk[:], buf[mlkem768.PrivateKeySize+32:])
 	sk.m.Unpack(buf[:mlkem768.PrivateKeySize])
 }

kem/xwing/xwing_test.go

@@ -66,7 +66,7 @@ func TestVectors(t *testing.T) {
 	var cs [32]byte
 	_, _ = h.Read(cs[:])
 	got := fmt.Sprintf("%x", cs)
-	want := "9d028dc61b89e10518a4e56bbc414b33becac69211b3d23131232a295dbd0a0f"
+	want := "1b2fd3a79ad0a82d814dcdf5da62a3830bc5f48e392dfe01ac1c3f9bb37ff86e"
 	if got != want {
 		t.Fatalf("%s ≠ %s", got, want)
 	}