Please explain variable p in Deriving the ES256 public key algortihm

[merijndejonge]

Could you please explain the variable p in the algorithm?
It seems to be used without further introduction.

[nickray]

p is the order of the curve P256. Perhaps this reference implementation helps understanding: https://github.com/solokeys/seedweed/blob/main/seedweed/reference.py#L52

For context, the goal is to get an unbiased random secret key (=scalar). The NIST-approved way to do this is rejection sampling as done here. A slightly biased key could be obtained by taking random 32 bytes and reducing modulo p. Alternative approaches would be to reduce a 64 byte hash such as SHA-512 (which has negligible bias), or more generally using an expanding function to get sufficiently many bytes to reduce. This latter approach described in https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-14#section-5 has the advantage (over rejection sampling) of being constant time.