feat: truncate SHA hashes inside circuits (#5160)

Will close #2019

This PR converts SHA hashing inside noir circuits from outputting 2
128-bit fields to outputting 1 248-bit field. To fit inside the field,
we truncate one byte.

---
### Noir Changes

The constant `NUM_FIELDS_PER_SHA256` is now 1, so any hardcoded test
values and function returns have been changed to use an array of one.
I've kept it as an array rather than a single `Fr` to minimise changes
across the repo and ensure if we want to revert `NUM_FIELDS_PER_SHA256`
in future, it won't be so painful. However, we can also just use a
single `Fr` if that's preferable.

`TX_EFFECTS_HASH_LOG_FIELDS`

Methods:

- `field_from_bytes_32_trunc`: Converts a 32 byte array to a 31 byte
field element (useful for comparisons with new `sha256_to_field`), tests
in `types/src/utils/field.nr`.
- `sha256_to_field`: Uses the same method as the previous version to
convert the sha result (BE) bytes array to field, but leaves out the
final byte.
- `accumulate_sha256`: Used almost exclusively for enc/unenc logs
hashing - takes in 2 31 byte field elements, assumed to be outputs of a
previous sha hash, pads to 32 bytes and hashes them with
`sha256_to_field` as a 64 byte array. Note that as before, other
circuits that use sha (like tx effects hash and messages hash) do not
use this method and instead create a flat byte array, then call
`sha256_to_field`.

---
### L1 Contract Changes

To match the Noir method, the `sha256ToField` function now truncates a
byte and prepends a blank byte. Not prepending the blank byte means
changing many struct fields from `bytes32` to `bytes31`. This (IIRC) is
the same gas cost and creates more awkward encoding, so I kept the
length with a blank byte. This also changes the slither file, as I
removed some of the old encoding which flagged with new encoding...
which also flags.

~Only the 'leaves' used in computing the `txsHash` in `TxsDecoder` and
logs hashes have been changed to 31 bytes to match the Noir SHA
accumulation (since we are repeating hashes of hashes).~

~The TS code (see below) does pack the Header struct with 31 bytes per
SHA, so we must shift the decoding in HeaderLib` by 3 bytes.~

As of 21.3, there have been a lot of changes in master to the way the
txs effect hash (formerly calldata hash/txs hash) is calculated. Plus,
now we actually recalculate the in/outHash (i.e. the root of the sha
tree of messages) in the contract, so I have reverted to using 32 bytes
everywhere with a prepended blank byte.

---
### TS Changes

All `.hash()` methods which are also computed in the circuit have been
changed to match the Noir code. In most places this just means
truncating a byte with `.subarray(0, 31)` on the buffer.
~The `ContentCommitment` serialise/deserialise methods have been
modified, as keeping `NUM_BYTES_PER_SHA256 = 32` caused a lot of issues
in the background. Changing it to 31 to match Noir does mean slightly
different encoding, but many fewer changes across the repo (and
hopefully less confusion).~
As of 21.3, due to changes in master, it's now cleaner to keep
`NUM_BYTES_PER_SHA256 = 32` and be sure to truncate and pad all SHA
hashes which touch the Noir circuits.
Since I've kept the hash output as an array of one in Noir, there are
many tuples of one in ts (for the above reasoning) - this can be changed
if preferable.

Methods:

- `toTruncField`: Mirrors Noir's `field_from_bytes_32_trunc` to convert
to a field element - used in place of old method `to2Fields` (tested in
`free_funcs.test.ts`).
- `fromTruncField`: Converts the above back to a 31 byte buffer (tested
as above).

---

l1-contracts/slither_output.md

@@ -1,7 +1,7 @@
 Summary
  - [pess-unprotected-setter](#pess-unprotected-setter) (1 results) (High)
  - [uninitialized-local](#uninitialized-local) (2 results) (Medium)
- - [pess-dubious-typecast](#pess-dubious-typecast) (3 results) (Medium)
+ - [pess-dubious-typecast](#pess-dubious-typecast) (4 results) (Medium)
  - [missing-zero-check](#missing-zero-check) (2 results) (Low)
  - [reentrancy-events](#reentrancy-events) (2 results) (Low)
  - [timestamp](#timestamp) (1 results) (Low)
@@ -40,20 +40,28 @@ src/core/libraries/decoders/TxsDecoder.sol#L78
 Impact: Medium
 Confidence: High
  - [ ] ID-3
-Dubious typecast in [TxsDecoder.read1(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L333-L335):
-	bytes => bytes1 casting occurs in [uint256(uint8(bytes1(slice(_data,_offset,1))))](src/core/libraries/decoders/TxsDecoder.sol#L334)
+Dubious typecast in [Hash.sha256ToField(bytes)](src/core/libraries/Hash.sol#L42-L44):
+	bytes32 => bytes31 casting occurs in [bytes32(bytes.concat(new bytes(1),bytes31(sha256(bytes)(_data))))](src/core/libraries/Hash.sol#L43)
+	bytes => bytes32 casting occurs in [bytes32(bytes.concat(new bytes(1),bytes31(sha256(bytes)(_data))))](src/core/libraries/Hash.sol#L43)
 
-src/core/libraries/decoders/TxsDecoder.sol#L333-L335
+src/core/libraries/Hash.sol#L42-L44
 
 
  - [ ] ID-4
-Dubious typecast in [TxsDecoder.read4(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L343-L345):
-	bytes => bytes4 casting occurs in [uint256(uint32(bytes4(slice(_data,_offset,4))))](src/core/libraries/decoders/TxsDecoder.sol#L344)
+Dubious typecast in [TxsDecoder.read1(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L334-L336):
+	bytes => bytes1 casting occurs in [uint256(uint8(bytes1(slice(_data,_offset,1))))](src/core/libraries/decoders/TxsDecoder.sol#L335)
 
-src/core/libraries/decoders/TxsDecoder.sol#L343-L345
+src/core/libraries/decoders/TxsDecoder.sol#L334-L336
 
 
  - [ ] ID-5
+Dubious typecast in [TxsDecoder.read4(bytes,uint256)](src/core/libraries/decoders/TxsDecoder.sol#L344-L346):
+	bytes => bytes4 casting occurs in [uint256(uint32(bytes4(slice(_data,_offset,4))))](src/core/libraries/decoders/TxsDecoder.sol#L345)
+
+src/core/libraries/decoders/TxsDecoder.sol#L344-L346
+
+
+ - [ ] ID-6
 Dubious typecast in [HeaderLib.decode(bytes)](src/core/libraries/HeaderLib.sol#L143-L184):
 	bytes => bytes32 casting occurs in [header.lastArchive = AppendOnlyTreeSnapshot(bytes32(_header),uint32(bytes4(_header)))](src/core/libraries/HeaderLib.sol#L151-L153)
 	bytes => bytes4 casting occurs in [header.lastArchive = AppendOnlyTreeSnapshot(bytes32(_header),uint32(bytes4(_header)))](src/core/libraries/HeaderLib.sol#L151-L153)
@@ -82,14 +90,14 @@ src/core/libraries/HeaderLib.sol#L143-L184
 ## missing-zero-check
 Impact: Low
 Confidence: Medium
- - [ ] ID-6
+ - [ ] ID-7
 [Inbox.constructor(address,uint256)._rollup](src/core/messagebridge/Inbox.sol#L40) lacks a zero-check on :
 		- [ROLLUP = _rollup](src/core/messagebridge/Inbox.sol#L41)
 
 src/core/messagebridge/Inbox.sol#L40
 
 
- - [ ] ID-7
+ - [ ] ID-8
 [Outbox.constructor(address)._rollup](src/core/messagebridge/Outbox.sol#L31) lacks a zero-check on :
 		- [ROLLUP_CONTRACT = _rollup](src/core/messagebridge/Outbox.sol#L32)
 
@@ -99,7 +107,7 @@ src/core/messagebridge/Outbox.sol#L31
 ## reentrancy-events
 Impact: Low
 Confidence: Medium
- - [ ] ID-8
+ - [ ] ID-9
 Reentrancy in [Rollup.process(bytes,bytes32,bytes)](src/core/Rollup.sol#L58-L96):
 	External calls:
 	- [inHash = INBOX.consume()](src/core/Rollup.sol#L83)
@@ -110,7 +118,7 @@ Reentrancy in [Rollup.process(bytes,bytes32,bytes)](src/core/Rollup.sol#L58-L96)
 src/core/Rollup.sol#L58-L96
 
 
- - [ ] ID-9
+ - [ ] ID-10
 Reentrancy in [Inbox.sendL2Message(DataStructures.L2Actor,bytes32,bytes32)](src/core/messagebridge/Inbox.sol#L61-L95):
 	External calls:
 	- [index = currentTree.insertLeaf(leaf)](src/core/messagebridge/Inbox.sol#L91)
@@ -123,7 +131,7 @@ src/core/messagebridge/Inbox.sol#L61-L95
 ## timestamp
 Impact: Low
 Confidence: Medium
- - [ ] ID-10
+ - [ ] ID-11
 [HeaderLib.validate(HeaderLib.Header,uint256,uint256,bytes32)](src/core/libraries/HeaderLib.sol#L106-L136) uses timestamp for comparisons
 	Dangerous comparisons:
 	- [_header.globalVariables.timestamp > block.timestamp](src/core/libraries/HeaderLib.sol#L120)
@@ -134,35 +142,35 @@ src/core/libraries/HeaderLib.sol#L106-L136
 ## pess-public-vs-external
 Impact: Low
 Confidence: Medium
- - [ ] ID-11
-The following public functions could be turned into external in [FrontierMerkle](src/core/messagebridge/frontier_tree/Frontier.sol#L7-L93) contract:
-	[FrontierMerkle.constructor(uint256)](src/core/messagebridge/frontier_tree/Frontier.sol#L19-L27)
+ - [ ] ID-12
+The following public functions could be turned into external in [FrontierMerkle](src/core/messagebridge/frontier_tree/Frontier.sol#L12-L98) contract:
+	[FrontierMerkle.constructor(uint256)](src/core/messagebridge/frontier_tree/Frontier.sol#L24-L32)
 
-src/core/messagebridge/frontier_tree/Frontier.sol#L7-L93
+src/core/messagebridge/frontier_tree/Frontier.sol#L12-L98
 
 
- - [ ] ID-12
+ - [ ] ID-13
 The following public functions could be turned into external in [Registry](src/core/messagebridge/Registry.sol#L22-L129) contract:
 	[Registry.constructor()](src/core/messagebridge/Registry.sol#L29-L33)
 
 src/core/messagebridge/Registry.sol#L22-L129
 
 
- - [ ] ID-13
+ - [ ] ID-14
 The following public functions could be turned into external in [Inbox](src/core/messagebridge/Inbox.sol#L24-L124) contract:
 	[Inbox.constructor(address,uint256)](src/core/messagebridge/Inbox.sol#L40-L51)
 
 src/core/messagebridge/Inbox.sol#L24-L124
 
 
- - [ ] ID-14
+ - [ ] ID-15
 The following public functions could be turned into external in [Rollup](src/core/Rollup.sol#L29-L105) contract:
 	[Rollup.constructor(IRegistry,IAvailabilityOracle)](src/core/Rollup.sol#L43-L50)
 
 src/core/Rollup.sol#L29-L105
 
 
- - [ ] ID-15
+ - [ ] ID-16
 The following public functions could be turned into external in [Outbox](src/core/messagebridge/Outbox.sol#L18-L132) contract:
 	[Outbox.constructor(address)](src/core/messagebridge/Outbox.sol#L31-L33)
 
@@ -172,41 +180,41 @@ src/core/messagebridge/Outbox.sol#L18-L132
 ## assembly
 Impact: Informational
 Confidence: High
- - [ ] ID-16
-[TxsDecoder.computeRoot(bytes32[])](src/core/libraries/decoders/TxsDecoder.sol#L257-L276) uses assembly
-	- [INLINE ASM](src/core/libraries/decoders/TxsDecoder.sol#L264-L266)
+ - [ ] ID-17
+[TxsDecoder.computeRoot(bytes32[])](src/core/libraries/decoders/TxsDecoder.sol#L258-L277) uses assembly
+	- [INLINE ASM](src/core/libraries/decoders/TxsDecoder.sol#L265-L267)
 
-src/core/libraries/decoders/TxsDecoder.sol#L257-L276
+src/core/libraries/decoders/TxsDecoder.sol#L258-L277
 
 
 ## dead-code
 Impact: Informational
 Confidence: Medium
- - [ ] ID-17
+ - [ ] ID-18
 [MessageBox.consume(mapping(bytes32 => DataStructures.Entry),bytes32,function(bytes32))](src/core/libraries/MessageBox.sol#L71-L79) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L71-L79
 
 
- - [ ] ID-18
+ - [ ] ID-19
 [MessageBox.contains(mapping(bytes32 => DataStructures.Entry),bytes32)](src/core/libraries/MessageBox.sol#L87-L92) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L87-L92
 
 
- - [ ] ID-19
+ - [ ] ID-20
 [MessageBox.get(mapping(bytes32 => DataStructures.Entry),bytes32,function(bytes32))](src/core/libraries/MessageBox.sol#L104-L112) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L104-L112
 
 
- - [ ] ID-20
+ - [ ] ID-21
 [MessageBox.insert(mapping(bytes32 => DataStructures.Entry),bytes32,uint64,uint32,uint32,function(bytes32,uint64,uint64,uint32,uint32,uint32,uint32))](src/core/libraries/MessageBox.sol#L30-L60) is never used and should be removed
 
 src/core/libraries/MessageBox.sol#L30-L60
 
 
- - [ ] ID-21
+ - [ ] ID-22
 [Hash.sha256ToField(bytes32)](src/core/libraries/Hash.sol#L52-L54) is never used and should be removed
 
 src/core/libraries/Hash.sol#L52-L54
@@ -215,25 +223,25 @@ src/core/libraries/Hash.sol#L52-L54
 ## solc-version
 Impact: Informational
 Confidence: High
- - [ ] ID-22
+ - [ ] ID-23
 solc-0.8.23 is not recommended for deployment
 
 ## similar-names
 Impact: Informational
 Confidence: Medium
- - [ ] ID-23
+ - [ ] ID-24
 Variable [Constants.LOGS_HASHES_NUM_BYTES_PER_BASE_ROLLUP](src/core/libraries/ConstantsGen.sol#L130) is too similar to [Constants.NOTE_HASHES_NUM_BYTES_PER_BASE_ROLLUP](src/core/libraries/ConstantsGen.sol#L123)
 
 src/core/libraries/ConstantsGen.sol#L130
 
 
- - [ ] ID-24
+ - [ ] ID-25
 Variable [Constants.L1_TO_L2_MESSAGE_LENGTH](src/core/libraries/ConstantsGen.sol#L110) is too similar to [Constants.L2_TO_L1_MESSAGE_LENGTH](src/core/libraries/ConstantsGen.sol#L111)
 
 src/core/libraries/ConstantsGen.sol#L110
 
 
- - [ ] ID-25
+ - [ ] ID-26
 Variable [Rollup.AVAILABILITY_ORACLE](src/core/Rollup.sol#L32) is too similar to [Rollup.constructor(IRegistry,IAvailabilityOracle)._availabilityOracle](src/core/Rollup.sol#L43)
 
 src/core/Rollup.sol#L32
@@ -242,7 +250,7 @@ src/core/Rollup.sol#L32
 ## constable-states
 Impact: Optimization
 Confidence: High
- - [ ] ID-26
+ - [ ] ID-27
 [Rollup.lastWarpedBlockTs](src/core/Rollup.sol#L41) should be constant 
 
 src/core/Rollup.sol#L41
@@ -251,39 +259,39 @@ src/core/Rollup.sol#L41
 ## pess-multiple-storage-read
 Impact: Optimization
 Confidence: High
- - [ ] ID-27
+ - [ ] ID-28
 In a function [Outbox.insert(uint256,bytes32,uint256)](src/core/messagebridge/Outbox.sol#L44-L64) variable [Outbox.roots](src/core/messagebridge/Outbox.sol#L29) is read multiple times
 
 src/core/messagebridge/Outbox.sol#L44-L64
 
 
- - [ ] ID-28
+ - [ ] ID-29
 In a function [Inbox.consume()](src/core/messagebridge/Inbox.sol#L104-L123) variable [Inbox.toConsume](src/core/messagebridge/Inbox.sol#L34) is read multiple times
 
 src/core/messagebridge/Inbox.sol#L104-L123
 
 
- - [ ] ID-29
+ - [ ] ID-30
 In a function [Inbox.consume()](src/core/messagebridge/Inbox.sol#L104-L123) variable [Inbox.inProgress](src/core/messagebridge/Inbox.sol#L36) is read multiple times
 
 src/core/messagebridge/Inbox.sol#L104-L123
 
 
- - [ ] ID-30
-In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76) variable [FrontierMerkle.HEIGHT](src/core/messagebridge/frontier_tree/Frontier.sol#L8) is read multiple times
+ - [ ] ID-31
+In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81) variable [FrontierMerkle.HEIGHT](src/core/messagebridge/frontier_tree/Frontier.sol#L13) is read multiple times
 
-src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76
+src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81
 
 
- - [ ] ID-31
+ - [ ] ID-32
 In a function [Inbox.sendL2Message(DataStructures.L2Actor,bytes32,bytes32)](src/core/messagebridge/Inbox.sol#L61-L95) variable [Inbox.inProgress](src/core/messagebridge/Inbox.sol#L36) is read multiple times
 
 src/core/messagebridge/Inbox.sol#L61-L95
 
 
- - [ ] ID-32
-In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76) variable [FrontierMerkle.frontier](src/core/messagebridge/frontier_tree/Frontier.sol#L13) is read multiple times
+ - [ ] ID-33
+In a function [FrontierMerkle.root()](src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81) variable [FrontierMerkle.frontier](src/core/messagebridge/frontier_tree/Frontier.sol#L18) is read multiple times
 
-src/core/messagebridge/frontier_tree/Frontier.sol#L43-L76
+src/core/messagebridge/frontier_tree/Frontier.sol#L48-L81
 
 

l1-contracts/src/core/libraries/ConstantsGen.sol

@@ -72,7 +72,7 @@ library Constants {
   uint256 internal constant L1_TO_L2_MSG_SUBTREE_HEIGHT = 4;
   uint256 internal constant L1_TO_L2_MSG_SUBTREE_SIBLING_PATH_LENGTH = 12;
   uint256 internal constant FUNCTION_SELECTOR_NUM_BYTES = 4;
-  uint256 internal constant NUM_FIELDS_PER_SHA256 = 2;
+  uint256 internal constant NUM_FIELDS_PER_SHA256 = 1;
   uint256 internal constant ARGS_HASH_CHUNK_LENGTH = 32;
   uint256 internal constant ARGS_HASH_CHUNK_COUNT = 32;
   uint256 internal constant INITIALIZATION_SLOT_SEPARATOR = 1000_000_000;
@@ -98,23 +98,23 @@ library Constants {
   uint256 internal constant VIEW_NOTE_ORACLE_RETURN_LENGTH = 212;
   uint256 internal constant AZTEC_ADDRESS_LENGTH = 1;
   uint256 internal constant CALL_CONTEXT_LENGTH = 7;
-  uint256 internal constant CONTENT_COMMITMENT_LENGTH = 7;
+  uint256 internal constant CONTENT_COMMITMENT_LENGTH = 4;
   uint256 internal constant CONTRACT_INSTANCE_LENGTH = 6;
   uint256 internal constant CONTRACT_STORAGE_READ_LENGTH = 2;
   uint256 internal constant CONTRACT_STORAGE_UPDATE_REQUEST_LENGTH = 2;
   uint256 internal constant ETH_ADDRESS_LENGTH = 1;
   uint256 internal constant FUNCTION_DATA_LENGTH = 2;
   uint256 internal constant FUNCTION_LEAF_PREIMAGE_LENGTH = 5;
   uint256 internal constant GLOBAL_VARIABLES_LENGTH = 6;
-  uint256 internal constant HEADER_LENGTH = 23;
+  uint256 internal constant HEADER_LENGTH = 20;
   uint256 internal constant L1_TO_L2_MESSAGE_LENGTH = 6;
   uint256 internal constant L2_TO_L1_MESSAGE_LENGTH = 2;
   uint256 internal constant NULLIFIER_KEY_VALIDATION_REQUEST_LENGTH = 4;
   uint256 internal constant NULLIFIER_KEY_VALIDATION_REQUEST_CONTEXT_LENGTH = 5;
   uint256 internal constant PARTIAL_STATE_REFERENCE_LENGTH = 6;
-  uint256 internal constant PRIVATE_CALL_STACK_ITEM_LENGTH = 213;
-  uint256 internal constant PRIVATE_CIRCUIT_PUBLIC_INPUTS_LENGTH = 210;
-  uint256 internal constant PUBLIC_CIRCUIT_PUBLIC_INPUTS_LENGTH = 202;
+  uint256 internal constant PRIVATE_CALL_STACK_ITEM_LENGTH = 208;
+  uint256 internal constant PRIVATE_CIRCUIT_PUBLIC_INPUTS_LENGTH = 205;
+  uint256 internal constant PUBLIC_CIRCUIT_PUBLIC_INPUTS_LENGTH = 198;
   uint256 internal constant STATE_REFERENCE_LENGTH = 8;
   uint256 internal constant TX_CONTEXT_DATA_LENGTH = 4;
   uint256 internal constant TX_REQUEST_LENGTH = 8;

l1-contracts/src/core/libraries/Hash.sol

@@ -35,17 +35,17 @@ library Hash {
 
   /**
    * @notice Computes the sha256 hash of the provided data and converts it to a field element
-   * @dev Using modulo to convert the hash to a field element.
+   * @dev Truncating one byte to convert the hash to a field element. We prepend a byte rather than cast bytes31(bytes32) to match Noir's to_be_bytes.
    * @param _data - The bytes to hash
    * @return The hash of the provided data as a field element
    */
   function sha256ToField(bytes memory _data) internal pure returns (bytes32) {
-    return bytes32(uint256(sha256(_data)) % Constants.P);
+    return bytes32(bytes.concat(new bytes(1), bytes31(sha256(_data))));
   }
 
   /**
    * @notice Computes the sha256 hash of the provided data and converts it to a field element
-   * @dev Using modulo to convert the hash to a field element.
+   * @dev Truncating one byte to convert the hash to a field element.
    * @param _data - A bytes32 value to hash
    * @return The hash of the provided data as a field element
    */

l1-contracts/src/core/libraries/MerkleLib.sol

@@ -3,6 +3,7 @@
 pragma solidity >=0.8.18;
 
 import {Errors} from "../libraries/Errors.sol";
+import {Hash} from "../libraries/Hash.sol";
 
 /**
  * @title Merkle Library
@@ -40,8 +41,8 @@ library MerkleLib {
       bool isRight = (indexAtHeight & 1) == 1;
 
       subtreeRoot = isRight
-        ? sha256(bytes.concat(_path[height], subtreeRoot))
-        : sha256(bytes.concat(subtreeRoot, _path[height]));
+        ? Hash.sha256ToField(bytes.concat(_path[height], subtreeRoot))
+        : Hash.sha256ToField(bytes.concat(subtreeRoot, _path[height]));
       /// @notice - We divide by two here to get the index of the parent of the current subtreeRoot in its own layer
       indexAtHeight >>= 1;
     }

l1-contracts/src/core/libraries/decoders/TxsDecoder.sol

@@ -177,7 +177,7 @@ library TxsDecoder {
           bytes.concat(vars.encryptedLogsHash, vars.unencryptedLogsHash)
         );
 
-        vars.baseLeaves[i] = sha256(vars.baseLeaf);
+        vars.baseLeaves[i] = Hash.sha256ToField(vars.baseLeaf);
       }
     }
 
@@ -235,14 +235,15 @@ library TxsDecoder {
 
       // Hash the logs of this iteration's function call
       bytes32 privateCircuitPublicInputsLogsHash =
-        sha256(slice(_body, offset, privateCircuitPublicInputLogsLength));
+        Hash.sha256ToField(slice(_body, offset, privateCircuitPublicInputLogsLength));
       offset += privateCircuitPublicInputLogsLength;
 
       // Decrease remaining logs length by this privateCircuitPublicInputsLogs's length (len(I?_LOGS)) and 4 bytes for I?_LOGS_LEN
       remainingLogsLength -= (privateCircuitPublicInputLogsLength + 0x4);
 
-      kernelPublicInputsLogsHash =
-        sha256(bytes.concat(kernelPublicInputsLogsHash, privateCircuitPublicInputsLogsHash));
+      kernelPublicInputsLogsHash = Hash.sha256ToField(
+        bytes.concat(kernelPublicInputsLogsHash, privateCircuitPublicInputsLogsHash)
+      );
     }
 
     return (kernelPublicInputsLogsHash, offset);
@@ -267,7 +268,7 @@ library TxsDecoder {
 
     for (uint256 i = 0; i < treeDepth; i++) {
       for (uint256 j = 0; j < treeSize; j += 2) {
-        _leafs[j / 2] = sha256(bytes.concat(_leafs[j], _leafs[j + 1]));
+        _leafs[j / 2] = Hash.sha256ToField(bytes.concat(_leafs[j], _leafs[j + 1]));
       }
       treeSize /= 2;
     }