kyber
The blake2b XOF is not standard
Security Code Review observation:
The way the XOF is built from a keyed blake2b instance in Kyber is unusual:
it takes the seed and, if the seed is larger than the blake2b key size, splits it into a seed1 value of the key size and an extra seed2 value, which is then fed into the state of the blake2b instance using Write.
This means that if one were to implement a Reset() operation on that XOF, it might be difficult to feed the seed2 value into the state again, since the original seed is not stored after initialization and only seed1 is retained.
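To make the observation concrete, here is an added Python stand-in for the construction described above; it is not the reviewed project's code. It uses hashlib's keyed blake2b, splits the seed at the 64-byte key size as described, and expands output with a block counter (an assumption made only so the stand-in can emit more than one digest; the real XOF's expansion differs). Comparing the output after reset() with a fresh instance shows the divergence when only seed1 is retained, and that retaining seed2 restores consistency.

```python
import hashlib

# blake2b accepts keys up to 64 bytes; longer seeds are split as in the review.
KEY_SIZE = hashlib.blake2b.MAX_KEY_SIZE


class SplitSeedXOF:
    """Stand-in for the reviewed construction: seed[:KEY_SIZE] becomes the
    blake2b key (seed1), the remainder (seed2) is written into the state.
    keep_seed2=False mirrors the reviewed code, which retains only seed1;
    keep_seed2=True is the fix of also retaining seed2 for reset()."""

    def __init__(self, seed: bytes, keep_seed2: bool):
        self.seed1 = seed[:KEY_SIZE]
        seed2 = seed[KEY_SIZE:]
        self.seed2 = seed2 if keep_seed2 else None
        self._absorb(seed2)

    def _absorb(self, seed2: bytes) -> None:
        # Fresh keyed instance, then the extra seed material via update (Write).
        self.h = hashlib.blake2b(key=self.seed1)
        if seed2:
            self.h.update(seed2)
        self.block = 0

    def reset(self) -> None:
        # With only seed1 stored, reset() silently drops seed2 from the state.
        self._absorb(self.seed2 or b"")

    def read(self, n: int) -> bytes:
        # Assumed expansion: digest of (absorbed state || block counter) per block.
        out = b""
        while len(out) < n:
            st = self.h.copy()
            st.update(self.block.to_bytes(4, "little"))
            out += st.digest()
            self.block += 1
        return out[:n]


def reset_is_consistent(seed: bytes, keep_seed2: bool) -> bool:
    """True if the output after reset() equals that of the initial state."""
    xof = SplitSeedXOF(seed, keep_seed2)
    before = xof.read(100)
    xof.reset()
    return xof.read(100) == before
```

A seed of at most 64 bytes has no seed2, so both variants reset cleanly; only seeds longer than the key size expose the problem.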