Don't constrain hashing public keys for unconstrained encryption

[nventuro]

The encryption flow is quite difficult to follow due to the passing of lambdas and wanting to do either constrained or unconstrained encryption. Something that is not obvious is that even when doing unconstrained encryption, we're still constraining the computation of the ovpk_hash.

I was originally puzzled by this, as I imagined these constraints would be dropped since ovpk_hash is not used for any constrained computation, but it actually is: we do the encryption using the app-siloed ovsk, which requires a kernel request:

let ovsk_app: Field  = context.request_ovsk_app(ovpk.hash());
let (encrypted_log, log_hash) = inner_compute(..., ovsk_app); // This is unconstrained

The hashing itself is not that expensive, but the combination of hash plus siloing request does result in multiple hundred extra gates. It'd be good to make it so that we only constrain the request of the app-siloed secret key if we're also doing constrained encryption - there's no point in doing this for the unconstrained case.

Doing this might be sort of tricky, since we can't just pass the context mutable reference to the function pointer, as mutable references are not allowed to cross the constrained -> unconstrained boundary. Perhaps we could have emit_with_keys receive the ovsk and either constrain it or not by encode_and_encrypt_note and encode_and_encrypt_note_unconstrained.