Issue in limit value chosen to avoid modulo bias?
https://github.com/privacy-scaling-explorations/maci/blob/78609349aecd94186216ac8743d61b1cb81a097f/crypto/ts/index.ts#L236C1-L236C1
I do not understand why you are taking the Snarks Field size when sampling for the Baby Jubjub curve, instead of the order of the base point (2736030358979909402780800718157159386076813972158567259200215660948447373041). Won't this cause a modulo bias issue? Maybe I am missing something?
@jat9292 my understanding is that the private key can be any scalar in the field that baby jubjub is defined over. But either way, the order of the base point = L and the snark field size is H * L, where H = 8. Since the snark field size is a multiple of the order of the base point, there shouldn't be any modulo bias here.
https://eips.ethereum.org/EIPS/eip-2494
Closing this - the seed is converted into a secret scalar before being used in the circuit or for public key generation (there are no modulo bias calculations anymore). This is handled here: https://github.com/privacy-scaling-explorations/zk-kit/blob/main/packages/eddsa-poseidon/src/eddsa-poseidon.ts#L42
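The modulo-bias question raised in this thread, worked through as an added example (not code from maci or zk-kit): it computes the exact bias of reducing a uniform value modulo `m`, derives the lower rejection limit that removes it, and applies both to the base point order quoted above. All function names are assumptions of this example, and the `SNARK_FIELD_SIZE` value is the public BN254 scalar field prime, supplied here rather than taken from the thread.

```javascript
// Added example. Both constants are public curve parameters.
// BN254 scalar field, the "SNARK field size" (a prime).
const SNARK_FIELD_SIZE =
  21888242871839275222246405745257275088548364400416034343698204186575808495617n;
// Order of the Baby Jubjub base point, as quoted in the issue.
const SUBGROUP_ORDER =
  2736030358979909402780800718157159386076813972158567259200215660948447373041n;

// Exact bias of (x mod m) for x uniform in [0, n). With n = q*m + r, the
// residues below r get q+1 preimages and the rest get q, so the statistical
// distance from uniform on [0, m) is r*(m-r)/(n*m), returned as num/den.
function reductionBias(n, m) {
  const r = n % m;
  return { unbiased: r === 0n, heavyResidues: r, num: r * (m - r), den: n * m };
}

// Lower rejection limit for `bits`-bit inputs: dropping x < 2^bits mod m
// leaves 2^bits - min values, an exact multiple of m.
function rejectionMin(bits, m) {
  return (1n << BigInt(bits)) % m;
}

// Exhaustive residue counts over every `bits`-bit input >= min (small cases only).
function histogram(bits, m, min) {
  const counts = new Array(Number(m)).fill(0);
  for (let x = min; x < 1n << BigInt(bits); x++) counts[Number(x % m)]++;
  return counts;
}

// Uniform sample in [0, m) by rejection. `rand` must return a uniform bigint
// in [0, 2^bits); it is a parameter so the sampler can be tested deterministically.
function sampleUniform(m, bits, rand = random256) {
  const min = rejectionMin(bits, m);
  for (;;) {
    const x = rand();
    if (x >= min) return x % m;
  }
}

// Default source: 32 bytes from the Web Crypto CSPRNG (assumes a runtime that
// exposes globalThis.crypto, e.g. browsers or recent Node.js).
function random256() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(32));
  return BigInt("0x" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(""));
}
```

`reductionBias(SNARK_FIELD_SIZE, SUBGROUP_ORDER)` reports whether the field size is an exact multiple of the base point order and, if not, how many residues are over-represented.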