diff --git a/kem/hybrid/hybrid.go b/kem/hybrid/hybrid.go
index 54a552457..f6cb9d9dc 100644
--- a/kem/hybrid/hybrid.go
+++ b/kem/hybrid/hybrid.go
@@ -13,6 +13,21 @@
 // deterministically, we expand a single seed to both using SHAKE256,
 // so that a non-uniform seed (such as a shared secret generated by a hybrid
 // KEM where one of the KEMs is weak) doesn't impact just one of the KEMs.
+//
+// Of our XOF (SHAKE256), we desire two security properties:
+//
+// 1. The internal state of the XOF should be big enough so that we
+// do not loose entropy.
+// 2. From one of the new seeds, we shouldn't be able to derive
+// the other or the original seed.
+//
+// SHAKE256, and all siblings in the SHA3 family, have a 200B internal
+// state, so (1) is fine if our seeds are less than 200B.
+// If SHAKE256 is computationally indistinguishable from a random
+// sponge, then it affords us 256b security against (2) by the
+// flat sponge claim [https://keccak.team/files/SpongeFunctions.pdf].
+// None of the implemented schemes claim more than 256b security
+// and so SHAKE256 will do fine.
 package hybrid
 
 import (
@@ -92,9 +107,6 @@ func (sch *scheme) SeedSize() int {
 	if first > second {
 		ret = first
 	}
-	if ret > 32 {
-		panic("SeedSize too big for SHAKE256")
-	}
 	return ret
 }
 
@@ -113,9 +125,6 @@ func (sch *scheme) EncapsulationSeedSize() int {
 	if first > second {
 		ret = first
 	}
-	if ret > 32 {
-		panic("EncapsulationSeedSize too big for SHAKE256")
-	}
 	return ret
 }
 
diff --git a/kem/schemes/schemes_test.go b/kem/schemes/schemes_test.go
index df6206d85..1af1b4f72 100644
--- a/kem/schemes/schemes_test.go
+++ b/kem/schemes/schemes_test.go
@@ -62,6 +62,9 @@ func TestApi(t *testing.T) {
 		t.Fatal()
 	}
 
+	_ = scheme.SeedSize()
+	_ = scheme.EncapsulationSeedSize()
+
 	pk, sk, err := scheme.GenerateKeyPair()
 	if err != nil {
 		t.Fatal()
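Review bot: The argument for property (1) in the new package comment rests on the 200B permutation width, but the parameter the cited flat sponge claim actually bounds is the capacity, which for SHAKE256 is 512b (the rate block is 136B); what the claim gives is a 2^256 bound on collisions and distinguishing for inputs of any length, not lossless absorption of every seed under 200B, so the 256b conclusion holds while the sentence "(1) is fine if our seeds are less than 200B" does not follow from it. I would replace the two lines starting at `// SHAKE256, and all siblings in the SHA3 family` with `// SHAKE256 has a 512b capacity, so by the flat sponge claim it offers 256b` and `// security for both (1) and (2) whatever the seed length`, then keep the existing sentence on the random-sponge assumption. There is also a typo in the first property: `do not loose entropy` should read `do not lose entropy`.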
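Review bot: With the panic gone, nothing enforces the seed-length assumption the new package comment relies on ("fine if our seeds are less than 200B"); a future hybrid of two large-seed schemes would exceed it silently, and the removed check was the only place the bound was asserted at runtime. If the bound is meant to be a real invariant, keep a check against the documented figure rather than none, e.g. `if ret > 200 { panic("SeedSize exceeds SHAKE256 state size") }`; if instead the 256b flat-sponge bound is considered sufficient for any length, state that in the comment so the next reader does not re-add a limit. The start of SeedSize, where first and second are computed, is outside the hunk.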
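Review bot: The two added calls discard their results, and since the panics in SeedSize and EncapsulationSeedSize were removed in the same commit these calls can no longer fail, so the test asserts nothing. If every registered scheme is expected to support seeded key generation, check the values instead, e.g. `if scheme.SeedSize() <= 0 || scheme.EncapsulationSeedSize() <= 0 { t.Fatal() }`; if zero is legitimate for some scheme, a comment saying these are smoke calls would make the intent clear. TestApi starts and ends outside the hunk.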