If ReduceNonZero implementations are supposed to follow "ECDSA Key Pair Generation using Extra Random Bits", then we should make sure we follow the recommended minimum size.

This seems to only be an issue for P-256 (and K-256?), which according to FIPS requires at least 288 bits and recommended are 352 bits. Currently we only reduce from 256 bits (and 512 bits in the case of K-256).