feat: Blake2s round precompile

[storojs72]

This PR implements gadget and syscall for Blake2s round function.

The integrated code that allows using this syscall in external sphinx programs is located in zkvm branch of RustCrypto.

The following is a comparison of single Blake2s hashing inside Sphinx program without / with precompile:

summary: cycles=5989, e2e=2.196652208, khz=2726.42, proofSize=1789916 (without precompile)
summary: cycles=4401, e2e=2.104103333, khz=2091.63, proofSize=3188917 (with precompile)

TODO:

• Explore if it makes sense to extend the precompile to round_x10 or any other possible imprevements from performance perspective.

[huitseeker]

This looks pretty good at first glance! I'll come back to this.

[adr1anh]

The constraints look good, though I'm taking a better look to see if we can do some optimizations (for example, by using transition constraints and chaining the calls to the compression function, avoiding extra memory accesses).

I was wondering where the test vectors came from. There are some proposed in the RFC and was wondering if they cam from there. Would it also be possible to show a full end-to-end test that computes a full hash using the precompile. The classic would be checking BLAKE2s-256("abc") = 50 8C 5E 8C 32 7C 14 E2 E1 A7 2B A3 4E EB 45 2F 37 45 8B 20 9E D6 3A 29 4D 99 9B 4C 86 67 59 82.

[storojs72]

@adr1anh, this precompile implements single round function of Blake2s - not a whole compress function, so I extracted the test values by injecting printlns directly into the macro code, using Blake2s("") initially. Then, in order to guarantee that it will work, I used sphinx program from argumentcomputer/zk-light-clients#241 that runs single hashing using randomised input passed from the following unit-test in Kadena LC, which compares the outputs of hashing performed in-circuit and out-of-circuit.