Description
Hi ;-)
Currently crypto_generichash_BYTES_MIN is not mentioned in nacl.hash.blake2b's documentation:
key (bytes) – the key to be set for keyed MAC/PRF usage; if set, the key must be at most BLAKE2B_KEYBYTES_MAX long
On the other hand, libsodium's documentation states that crypto_generichash_BYTES_MIN is the lower bound:
However, for specific use cases, the size can be any value between crypto_generichash_BYTES_MIN (included) and crypto_generichash_BYTES_MAX (included).
The tricky part is that in practice libsodium's code doesn't use crypto_generichash_BYTES_MIN for lower bound checking (so any value between 0 and BLAKE2B_OUTBYTES can be used).
However, libsodium-rs (made by the same author as libsodium) does lower bound checking using crypto_generichash_BYTES_MIN, and the author states that this behavior is the correct one.
For more context: I currently use blake2 with a 5-byte-long output to generate a MAC code that is then split into two short authenticated strings (i.e. 4-character-long hexadecimal codes, each one being shown to a peer to prevent MITM during the Diffie-Hellman exchange). This code was originally written in Python with pynacl, then ported to Rust using sodiumoxide, and is finally being ported again to libsodium-rs (since sodiumoxide has been deprecated).
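An added illustration of the bound-checking difference described in this issue (example code, not from the issue reporter or from pynacl/libsodium): it uses only the standard library's hashlib.blake2b, which, like pynacl, accepts any digest_size from 1 to 64, and shows why a port that starts enforcing crypto_generichash_BYTES_MIN cannot simply truncate a longer digest to stay compatible with existing 5-byte MACs. The key and message are constructed sample values; the constants are libsodium's documented bounds.

```python
import hashlib

# libsodium's documented bounds for the crypto_generichash output length.
CRYPTO_GENERICHASH_BYTES_MIN = 16
CRYPTO_GENERICHASH_BYTES_MAX = 64


def short_mac(key: bytes, message: bytes, digest_size: int) -> bytes:
    """Keyed BLAKE2b whose output length is set natively (in the parameter block).

    hashlib, like pynacl, accepts any digest_size from 1 to 64, so the 5-byte MAC
    from the issue is produced without complaint.
    """
    return hashlib.blake2b(message, digest_size=digest_size, key=key).digest()


def strict_mac(key: bytes, message: bytes, digest_size: int) -> bytes:
    """Same MAC, but enforcing libsodium's documented lower and upper bounds,
    i.e. the check libsodium-rs performs and plain libsodium does not."""
    if not CRYPTO_GENERICHASH_BYTES_MIN <= digest_size <= CRYPTO_GENERICHASH_BYTES_MAX:
        raise ValueError(
            f"digest_size must be between {CRYPTO_GENERICHASH_BYTES_MIN} and "
            f"{CRYPTO_GENERICHASH_BYTES_MAX} bytes, got {digest_size}"
        )
    return short_mac(key, message, digest_size)


def truncated_mac(key: bytes, message: bytes, digest_size: int) -> bytes:
    """The tempting workaround once the minimum is enforced: compute the
    smallest permitted MAC and truncate it. This is NOT equivalent to
    short_mac(), because BLAKE2b mixes the requested output length into its
    initial state, so a 5-byte digest is not a prefix of a 16-byte digest."""
    return short_mac(key, message, CRYPTO_GENERICHASH_BYTES_MIN)[:digest_size]


if __name__ == "__main__":
    # Constructed sample inputs, not values from the issue.
    key, msg = b"\x01" * 32, b"peer-A-pubkey|peer-B-pubkey"
    print("native 5-byte MAC   :", short_mac(key, msg, 5).hex())
    print("truncated 16->5 MAC :", truncated_mac(key, msg, 5).hex())
    try:
        strict_mac(key, msg, 5)
    except ValueError as exc:
        print("strict check rejects:", exc)
```

Running it shows two different 10-hex-character values, which is the interoperability problem a libsodium-rs port of the 5-byte scheme would hit.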