Open merijndejonge opened 2 years ago
p is the order of the curve P256. Perhaps this reference implementation helps understanding: https://github.com/solokeys/seedweed/blob/main/seedweed/reference.py#L52
For context, the goal is to get an unbiased random secret key (=scalar). The NIST-approved way to do this is rejection sampling as done here. A slightly biased key could be obtained by taking random 32 bytes and reducing modulo p. Alternative approaches would be to reduce a 64-byte hash such as SHA-512 (which has negligible bias), or more generally using an expanding function to get sufficiently many bytes to reduce. This latter approach, described in https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-14#section-5, has the advantage (over rejection sampling) of being constant time.
Could you please explain the variable p in the algorithm? It seems to be used without further introduction.
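
The two derivation strategies from the reply, rejection sampling and reducing a wider draw, as an added Python example (not seedweed's code and not part of the thread). The HMAC-SHA512 expander, the function names, the labels and the seed are assumptions made for illustration; the toy order 200 goes beyond the thread so that the bias of plain reduction can be counted exhaustively.

```python
import hashlib
import hmac
from collections import Counter

# Group order of NIST P-256 (the value the thread calls p).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def expand(seed: bytes, label: bytes, counter: int, nbytes: int) -> bytes:
    """Assumed expander for this example: HMAC-SHA512(seed, label || counter), truncated."""
    msg = label + counter.to_bytes(4, "big")
    return hmac.new(seed, msg, hashlib.sha512).digest()[:nbytes]


def scalar_by_rejection(seed: bytes, label: bytes, order: int = P256_ORDER):
    """Unbiased: redraw until the candidate is in [1, order-1]. Returns (scalar, draws)."""
    nbytes = (order.bit_length() + 7) // 8
    counter = 0
    while True:  # loop count depends on the secret-derived data: not constant time
        candidate = int.from_bytes(expand(seed, label, counter, nbytes), "big")
        if 0 < candidate < order:
            return candidate, counter + 1
        counter += 1


def scalar_by_wide_reduction(seed: bytes, label: bytes, order: int = P256_ORDER, k: int = 128):
    """One draw of ceil((log2(order) + k) / 8) bytes, reduced mod order (bias about 2^-k)."""
    nbytes = (order.bit_length() + k + 7) // 8  # 48 bytes for P-256
    scalar = int.from_bytes(expand(seed, label, 0, nbytes), "big") % order
    if scalar == 0:  # probability about 1/order; not a valid secret key
        raise ValueError("derived scalar is zero")
    return scalar


def reduction_bias(order: int, nbytes: int):
    """Reduce every nbytes-long value mod order; return (max, min) hits per residue."""
    counts = Counter(v % order for v in range(256 ** nbytes))
    return max(counts.values()), min(counts.values())


if __name__ == "__main__":
    seed = b"constructed example seed"  # constructed sample input
    print(scalar_by_rejection(seed, b"p256-key"))
    print(hex(scalar_by_wide_reduction(seed, b"p256-key")))
    print(reduction_bias(200, 1))  # toy order, 1 byte: some residues hit twice
    print(reduction_bias(200, 2))  # toy order, 2 bytes: counts differ by one
```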