Update sha256 coprocessor discarded bits (#1127)

* Update sha256 coprocessor discarded bits

Previously, the pallas curve had a capacity of 254 bits. The new bn256
curve has a capacity of 253 bits. This makes the pack_bits gadget used by
sha256 coprocessor drop the three most significant bits of the output
instead of just two.

This commit updates the coprocessor's evaluate_simple implementation to
set the correct number of bits to zero based on the field used to avoid a
panic caused by a mismatch between the synthesize and evaluate outputs.

* clippy

---------

Co-authored-by: Arthur Paulino <arthurleonardo.ap@gmail.com>

src/coprocessor/sha256.rs

@@ -77,11 +77,13 @@ fn compute_sha256<F: LurkField, T: Tag>(n: usize, z_ptrs: &[ZPtr<T, F>]) -> F {
 
     hasher.update(input);
     let mut bytes = hasher.finalize();
-    bytes.reverse();
-    let l = bytes.len();
-    // Discard the two most significant bits.
-    bytes[l - 1] &= 0b00111111;
 
+    // The pack_bits gadget used by the synthesize_sha256 function
+    // sets the n most significant bits of the hash output to zero,
+    // where n is 256 minus the field's capacity. We do the same
+    // here to match the output.
+    discard_bits::<F>(&mut bytes);
+    bytes.reverse();
     F::from_bytes(&bytes).unwrap()
 }
 
@@ -127,6 +129,20 @@ impl<F: LurkField> Sha256Coprocessor<F> {
     }
 }
 
+// Retains the Scalar::CAPACITY last bits of a big-endian input
+fn discard_bits<Scalar: LurkField>(bytes: &mut [u8]) {
+    let bits_to_zero = 256 - Scalar::CAPACITY as usize;
+    let full_bytes_to_zero = bits_to_zero / 8;
+    let partial_bits_to_zero = bits_to_zero % 8;
+
+    bytes[..full_bytes_to_zero].iter_mut().for_each(|b| *b = 0);
+
+    if partial_bits_to_zero > 0 {
+        let mask = 0xFF >> partial_bits_to_zero;
+        bytes[full_bytes_to_zero] &= mask;
+    }
+}
+
 #[derive(Clone, Debug, Coproc, Serialize, Deserialize)]
 pub enum Sha256Coproc<F: LurkField> {
     SC(Sha256Coprocessor<F>),