feat: optimize constraint counts in sha256/sha512

Author: TomAFrench

noir_stdlib/src/sha256.nr

@@ -5,7 +5,9 @@
 // Auxiliary mappings; names as in FIPS PUB 180-4
 fn rotr32(a: u32, b: u32) -> u32 // 32-bit right rotation
 {
-    (a >> b) | (a << (32 as u32 - b))
+    // None of the bits overlap between `(a >> b)` and `(a << (32 - b))`
+    // Addition is then equivalent to OR, with fewer constraints.
+    (a >> b) + (a << (32 as u32 - b))
 }
 
 fn ch(x: u32, y: u32, z: u32) -> u32

noir_stdlib/src/sha512.nr

@@ -5,7 +5,9 @@
 // Auxiliary mappings; names as in FIPS PUB 180-4
 fn rotr64(a: u64, b: u64) -> u64 // 64-bit right rotation
 {
-    (a >> b) | (a << (64 - b))
+    // None of the bits overlap between `(a >> b)` and `(a << (64 - b))`
+    // Addition is then equivalent to OR, with fewer constraints.
+    (a >> b) + (a << (64 - b))
 }
 
 fn sha_ch(x: u64, y: u64, z: u64) -> u64