Migrate to blake2b_simd and blake2s_simd crates

The primary reason for migrating is that these crates provide APIs for
setting the personalisation string. This enables us to depend solely on
published crates, and thus publish our own crates.

The SIMD implementations are ported from libsodium.

Closes #67.

sapling-crypto/Cargo.toml

@@ -14,15 +14,13 @@ features = ["expose-arith"]
 
 [dependencies]
 bellman = { path = "../bellman" }
+blake2b_simd = "0.5"
+blake2s_simd = "0.5"
 ff = { path = "../ff" }
 rand = "0.4"
 digest = "0.7"
 byteorder = "1"
 
-[dependencies.blake2-rfc]
-git = "https://github.com/gtank/blake2-rfc"
-rev = "7a5b5fc99ae483a0043db7547fb79a6fa44b88a9"
-
 [dev-dependencies]
 hex-literal = "0.1"
 rust-crypto = "0.2"

sapling-crypto/src/circuit/blake2s.rs

@@ -320,13 +320,13 @@ pub fn blake2s<E: Engine, CS: ConstraintSystem<E>>(
 
 #[cfg(test)]
 mod test {
+    use blake2s_simd::Params as Blake2sParams;
     use rand::{XorShiftRng, SeedableRng, Rng};
     use pairing::bls12_381::{Bls12};
     use ::circuit::boolean::{Boolean, AllocatedBit};
     use ::circuit::test::TestConstraintSystem;
     use super::blake2s;
     use bellman::{ConstraintSystem};
-    use blake2_rfc::blake2s::Blake2s;
 
     #[test]
     fn test_blank_hash() {
@@ -392,7 +392,7 @@ mod test {
 
         for input_len in (0..32).chain((32..256).filter(|a| a % 8 == 0))
         {
-            let mut h = Blake2s::with_params(32, &[], &[], b"12345678");
+            let mut h = Blake2sParams::new().hash_length(32).personal(b"12345678").to_state();
 
             let data: Vec<u8> = (0..input_len).map(|_| rng.gen()).collect();
 

sapling-crypto/src/circuit/test/mod.rs

@@ -16,7 +16,7 @@ use byteorder::{BigEndian, ByteOrder};
 use std::cmp::Ordering;
 use std::collections::BTreeMap;
 
-use blake2_rfc::blake2s::Blake2s;
+use blake2s_simd::{Params as Blake2sParams, State as Blake2sState};
 
 #[derive(Debug)]
 enum NamedObject {
@@ -96,7 +96,7 @@ fn proc_lc<E: Engine>(
 
 fn hash_lc<E: Engine>(
     terms: &[(Variable, E::Fr)],
-    h: &mut Blake2s
+    h: &mut Blake2sState
 )
 {
     let map = proc_lc::<E>(terms);
@@ -226,7 +226,7 @@ impl<E: Engine> TestConstraintSystem<E> {
     }
 
     pub fn hash(&self) -> String {
-        let mut h = Blake2s::new(32);
+        let mut h = Blake2sParams::new().hash_length(32).to_state();
         {
             let mut buf = [0u8; 24];
 

sapling-crypto/src/group_hash.rs

@@ -8,7 +8,7 @@ use ff::{
     PrimeField
 };
 
-use blake2_rfc::blake2s::Blake2s;
+use blake2s_simd::Params;
 use constants;
 
 /// Produces a random point in the Jubjub curve.
@@ -25,13 +25,15 @@ pub fn group_hash<E: JubjubEngine>(
     // Check to see that scalar field is 255 bits
     assert!(E::Fr::NUM_BITS == 255);
 
-    let mut h = Blake2s::with_params(32, &[], &[], personalization);
-    h.update(constants::GH_FIRST_BLOCK);
-    h.update(tag);
-    let h = h.finalize().as_ref().to_vec();
-    assert!(h.len() == 32);
+    let h = Params::new()
+        .hash_length(32)
+        .personal(personalization)
+        .to_state()
+        .update(constants::GH_FIRST_BLOCK)
+        .update(tag)
+        .finalize();
 
-    match edwards::Point::<E, _>::read(&h[..], params) {
+    match edwards::Point::<E, _>::read(h.as_ref(), params) {
         Ok(p) => {
             let p = p.mul_by_cofactor(params);
 

sapling-crypto/src/lib.rs

@@ -1,6 +1,7 @@
 extern crate pairing;
 extern crate bellman;
-extern crate blake2_rfc;
+extern crate blake2b_simd;
+extern crate blake2s_simd;
 extern crate digest;
 extern crate ff;
 extern crate rand;

sapling-crypto/src/primitives/mod.rs

@@ -22,7 +22,7 @@ use jubjub::{
     FixedGenerators
 };
 
-use blake2_rfc::blake2s::Blake2s;
+use blake2s_simd::Params as Blake2sParams;
 
 #[derive(Clone)]
 pub struct ValueCommitment<E: JubjubEngine> {
@@ -87,9 +87,12 @@ impl<E: JubjubEngine> ViewingKey<E> {
         self.ak.write(&mut preimage[0..32]).unwrap();
         self.nk.write(&mut preimage[32..64]).unwrap();
 
-        let mut h = Blake2s::with_params(32, &[], &[], constants::CRH_IVK_PERSONALIZATION);
-        h.update(&preimage);
-        let mut h = h.finalize().as_ref().to_vec();
+        let mut h = [0; 32];
+        h.copy_from_slice(Blake2sParams::new()
+            .hash_length(32)
+            .personal(constants::CRH_IVK_PERSONALIZATION)
+            .hash(&preimage)
+            .as_bytes());
 
         // Drop the most significant five bits, so it can be interpreted as a scalar.
         h[31] &= 0b0000_0111;
@@ -255,10 +258,12 @@ impl<E: JubjubEngine> Note<E> {
         let mut nf_preimage = [0u8; 64];
         viewing_key.nk.write(&mut nf_preimage[0..32]).unwrap();
         rho.write(&mut nf_preimage[32..64]).unwrap();
-        let mut h = Blake2s::with_params(32, &[], &[], constants::PRF_NF_PERSONALIZATION);
-        h.update(&nf_preimage);
-        
-        h.finalize().as_ref().to_vec()
+        Blake2sParams::new()
+            .hash_length(32)
+            .personal(constants::PRF_NF_PERSONALIZATION)
+            .hash(&nf_preimage)
+            .as_bytes()
+            .to_vec()
     }
 
     /// Computes the note commitment

sapling-crypto/src/util.rs

@@ -1,9 +1,9 @@
-use blake2_rfc::blake2b::Blake2b;
+use blake2b_simd::Params;
 
 use jubjub::{JubjubEngine, ToUniform};
 
 pub fn hash_to_scalar<E: JubjubEngine>(persona: &[u8], a: &[u8], b: &[u8]) -> E::Fs {
-    let mut hasher = Blake2b::with_params(64, &[], &[], persona);
+    let mut hasher = Params::new().hash_length(64).personal(persona).to_state();
     hasher.update(a);
     hasher.update(b);
     let ret = hasher.finalize();