Fp.fromBytes does not mod-reduce by default

[vincenzoiovino]

Hi, Paul

Consider the array derived set to Uint8Array(32) [ 239, 58, 3, 206, 5, 236, 79, 101, 215, 253, 95, 44, 114, 216, 108, 195, 191, 131, 86, 158, 222, 211, 233, 216, 103, 133, 230, 212, 191, 1, 173, 98 ]

I have the following code that uses derived:

   bg = require('@noble/curves/bn254').bn254;
        const fp = mod.Field(bg.CURVE.Fp.ORDER);
        var three = fp.create(3n);
        var one = fp.create(1n);
        var x = fp.fromBytes(derived);
        var y;
        while (true) {
            y = fp.mul(x, x);
            y = fp.mul(y, x);
            y = fp.add(y, three);
            try {
                y = fp.sqrt(y);
                break;
            } catch (err) {
                console.log("iterate");
                x = fp.add(x, one);
            }
        }
        console.log("x:" + x + " order:" + bg.CURVE.Fp.ORDER + " x<order:" + (x < bg.CURVE.Fp.ORDER)); 

I get the result:

x:108205274200769640731677027225433911640053818717593242889612531000506144894306 order:21888242871839275222246405745257275088696311157297823662689037894645226208583 x<order:false

The code is just doing some modular computations with fp, where p is initialized to the prime p=21888242871839275222246405745257275088696311157297823662689037894645226208583 of the bn254 curve. The issue is that each output of fp.mul/add/sqrt should be than p, Instead I get values larger than p. Isn't that incorrect?

(Btw, this should be the code for a hash to point function for bn254 that uses the basic hash and pray approach.)