exchange, because it is large and // requires careful parsing to reject malformed keys. Seeds instead are just 32 // bytes, are always valid, and always expand to valid keys in memory. It is // *also* a poor in-memory format, because it defers computing the NTT of s1, // s2, and t0 and the expansion of A until signing time, which is inefficient. // For a hot second, it looked like we could have all agreed to only use seeds, // but unfortunately OpenSSL and BouncyCastle lobbied hard against that during //...