Reducing ML-KEM-768 encapsulation key sizes by 24 octets

Forgot to click the self-authored checkbox just now \o/

This was proposed under the name Kemeleon, with the additional goal of making the encapsulation key indistinguishable from random: https://datatracker.ietf.org/meeting/121/materials/slides-121-cfrg-ml-kem-public-key-compression-and-random-encodings-00 https://ssveitch.github.io/draft-kemeleon/draft-irtf-cfrg-kemeleon.html