186-5, Section 6.4.1, point 2 and Section 6.4.2, point 3. func hashToNat[P Point[P]](c *Curve[P], e *bigmod.Nat, hash []byte) { // ECDSA asks us to take the left-most log2(N) bits of hash, and use them as // an integer modulo N. This is the absolute worst of all worlds: we still // have to reduce, because the result might still overflow N, but to take // the left-most bits for P-521 we have to do a right shift. if size := c.N.Size(); len(hash) >= size { hash = hash[:size] if excess := len(hash)*8 -...