We should select between using Zexe's algebra and algebra-core vs Zcash's new crates, so I'll outline the trade-offs:
I think both curve abstraction trait hierarchies differ only somewhat, like both use core::ops traits similarly.
Pro-Zcash: Zcash's traits look slightly more detailed, so maybe Zexe would adopt Zcash's traits eventually. Zexe would surely accept pulls that made these traits more similar. Also Toni Aceri uses Zcash's traits in some places. Zcash's traits look stable.
Pro-Zexe: Zexe's maybe handled serialization nicer, but not sure. It's a smaller migration, so less work now, but much less stable.
Zexe supports bls12_377 which gives us Plonk proofs eventually, although only groth16 works right now probably. At first, I imagined this gave Zexe a definitive win, but not really: We suspect altering the bls12_381 crate to handle bls12_377 might not be that hard, and @drskalman might enjoy doing so. If so, a Zcash based signer could supply signatures for a Zexe based prover, although not sure how much extra effort this requires. If annoying, then Zcash removed their prover abstraction trait JubjubEngine, which makes Zcash even more annoying.
Zcash support gives us constant time bls12_381, which becomes extremely important for bls. Zexe maybe added constant time, or will do so. Zcash folks were much more careful about this however. Zcash code was written to be production and they'd spend vastly more on auditing. Zcash could abandon pairing entirely if halo2 works out, but that's at least 5 years away.
All this gives us three questions:
Is it easier to migrate to Zexe traits than to Zcash traits?
Is it trivial to modify Zcash's bls12_381 crate into bls12_377?
Is either, or their forks, tracking the IRTF hash-to-curve spec more closely?