by oleganza
4327 days ago
This curve order limit actually introduces a small bias. You can choose a number greater than the curve order, but then it'll be taken modulo the order, so some incredibly small amount of numbers will be biased closer to zero. In practice the probability of hitting such numbers is less than 2^-128, so you may easily skip all checks and take the number as is. Of course, nitpickers will nitpick and that's why in all standards that describe key and nonce generation (BIP32, RFC 6979, etc.), you'll see boilerplate code that checks for such numbers and does some extra cumbersome computations just to keep these from happening.
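As an added illustration (not part of the comment above), this Python sketch counts how many residues gain a second preimage when a 256-bit value is reduced modulo the group order, and contrasts plain reduction with the redraw-until-in-range check the comment refers to. It assumes the secp256k1 order, which the comment does not name; all function names are illustrative.

```python
import math
import secrets
from collections import Counter
from fractions import Fraction

# Assumption: secp256k1 group order (the curve BIP32 uses; the comment names none).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def doubled_residues(bits: int, order: int) -> int:
    """Residues with two preimages when a `bits`-bit value is reduced mod order.
    Valid for 2**(bits-1) < order <= 2**bits, which holds for N with bits=256."""
    return 2**bits - order

def brute_force_doubled(bits: int, order: int) -> int:
    """Same count by enumeration; only feasible for toy sizes."""
    hits = Counter(v % order for v in range(2**bits))
    return sum(1 for count in hits.values() if count == 2)

def overflow_probability() -> Fraction:
    """Chance that a uniform 256-bit draw is >= N and therefore wraps around."""
    return Fraction(doubled_residues(256, N), 2**256)

def scalar_by_reduction(raw: bytes) -> int:
    """The 'take it modulo the order' approach."""
    return int.from_bytes(raw, "big") % N

def scalar_by_rejection(draw=lambda: secrets.token_bytes(32)) -> int:
    """Redraw until the value lies in [1, N-1]; no residue is favoured."""
    while True:
        k = int.from_bytes(draw(), "big")
        if 1 <= k < N:
            return k

if __name__ == "__main__":
    # Toy case makes the skew visible: residues 0..55 are hit twice.
    print("8-bit input, order 200:", brute_force_doubled(8, 200), "doubled residues")
    p = overflow_probability()
    print("256-bit input, order N: wrap probability ~ 2^-%.2f" % -math.log2(float(p)))
    # Constructed worst-case input: all-ones bytes wrap to a value near zero.
    wrapped = scalar_by_reduction(b"\xff" * 32)
    print("0xff..ff reduces to a %d-bit scalar" % wrapped.bit_length())
    print("rejection-sampled scalar bits:", scalar_by_rejection().bit_length())
```

The only scalars affected by reduction are those below 2^256 - N, which is why the wrapped values cluster near zero.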