Ensure that all unsigned arithmetic never underflows #1
Description
The use of the Nat (unsigned) primitive makes subtraction dangerous. Even if a + b > c, the expression
a + b - c
might see an underflow (because b < c, and ergo b-c underflows) and an erroneous result.
A simple caution is to group (and perform first) addition, i.e.
(a + b) - c
An example of such expressions occur when calculating whether the target qubit lies in the prefix qubit subsets (see densitymatrix_oneQubitDepolarising()).