Murisi/poseidon 0.6.0

[murisi]

An experiment to replace the Pedersen hash in the Sapling circuit with a Poseidon hash. The Poseidon hash implementation comes from Lurk Labs's Neptune repository. This chosen implementation was audited by ADBK Consulting. Some notes on this PR:

• The core change in this PR is the replace of a call to the Pedersen hash (spanning 12 lines) with a call to Poseidon hash (spanning 25 lines).
• The main challenge in this PR was that Neptune uses a different version of bellman (called bellpepper) than Zcash's Sapling circuit.
• As a result of the bellman version mismatch, this PR uses 229 lines to provide functions that convert between bellman and bellpepper types. These conversions are trivial and do not use any serious logic.
• The resulting circuit based on the Poseidon hash uses 63129 constraints. The original circuit based on the Pedersen hash uses 98777 constraints. As a baseline, a circuit using the identity function as a hash uses 54649 constraints.
• Therefore it seems that the Poseidon hash uses about 5x less constraints than the Pedersen. These seems to be consistent with other benchmarks. Overall, this could result in a reduction of spend statement proving time.
• Because the Sapling circuit has been reviewed independently and so has the Poseidon hash circuit, it could potentially be the case that an audit would need to cover only the trivial glueing code (spanning 254 lines).
• This PR was mostly just a test to see whether the Sapling circuit could be easily glued to an existing Poseidon implementation at the "does it compile?" level. More thinking and testing would have to be done to determine whether this makes sense at the conceptual level.

Depends on anoma/neptune#1 and anoma/bellman#1 .