ckd: reduce IL modulo N before range check

Restore pre-v3.0.0 behavior of applying ilNum.Mod(N) before the range
check in DeriveChildKey. Required for non-hardened CKD to work on
Edwards curves where N ≈ 2^252 and ~94%% of raw 256-bit HMAC outputs
exceed N.

v3.0.0 made the check strict, matching BIP-32 spec, which mandates
retrying with the next index when IL >= N. This library does not
implement retry (non-hardened Ed25519 CKD is non-standard anyway per
SLIP-0010), so the strict check would make EdDSA CKD effectively
unusable.

Trade-off: introduces a modular bias of ~2^-4 on derived child public
keys. Bias is washed out on private shares by the uniform parent share
so does not enable key recovery or forgery. Preserves address
compatibility with production wallets derived under prior library
versions.

Tests verified:
- crypto/ckd: PASS (BIP-32 test vectors for secp256k1)
- eddsa/signing TestE2EConcurrentWithHDDerive: PASS
- ecdsa/signing TestE2EWithHDKeyDerivation: PASS

Author: anhthii

crypto/ckd/child_key_derivation.go

@@ -227,6 +227,16 @@ func DeriveChildKey(index uint32, pk *ExtendedKey, curve elliptic.Curve) (*big.I
 	il := ilr[:32]
 	childChainCode := ilr[32:]
 	ilNum := new(big.Int).SetBytes(il)
+	// Reduce IL modulo N before the range check. On Edwards curves (Ed25519)
+	// N ≈ 2^252, so ~94% of raw 256-bit HMAC outputs exceed N; strict rejection
+	// would make non-hardened CKD effectively unusable. BIP-32 spec says to
+	// retry with the next index, but non-hardened derivation on Ed25519 is
+	// non-standard to begin with (SLIP-0010 specifies hardened-only) and the
+	// retry semantics would also change addresses vs. prior library versions.
+	// The modular bias introduced here is ~2^-4 on the child public key but
+	// is washed out on private shares by the uniform parent share, so it does
+	// not enable key recovery or forgery
+	ilNum = ilNum.Mod(ilNum, curve.Params().N)
 
 	if ilNum.Cmp(curve.Params().N) >= 0 || ilNum.Sign() == 0 {
 		// falling outside of the valid range for curve private keys