Paul Miller
`fp.fromBytes` does not do modulo-reducing by default. Maybe it's a bad idea, but it works like that now. So you need to do instead: `var x = fp.create(fp.fromBytes(derived));`...
It's only a few lines of code - seems useful "just in case".
For 4 I don't see how $Fp$ is related to the security at all. I think the only thing we should base it on is `CURVE_ORDER` aka $Fn$ aka `nByteLength`...
Thanks Matthias, that's very helpful.
We've decreased bias, yes, but the security story still needs to be understood.
> Bernstein used bias in the context of EdDSA (Edwards-curve Digital Signature Algorithm) to address concerns about the security of nonces. In the case of EdDSA, it's important to avoid...
Your replies don't answer the questions. I highlight the important parts: 1. What does a $2^{-64}$ bias actually mean? **Is there any realistic attack? How many keys would an attacker...
Do you copy this from chatgpt?
All tests are failing. Fix them first.
fixed in a different way in braces