From 206f8474ff2016669a53d921789447cec74c8fab Mon Sep 17 00:00:00 2001
From: Miguel Oliveira
Date: Fri, 4 Mar 2022 13:19:51 -0300
Subject: [PATCH] Separate masked Fq multiply from unwrap

---
 ed25519c.lua | 2 +-
 internal/maddq.lua | 15 +++++++++++----
 x25519c.lua | 2 +-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/ed25519c.lua b/ed25519c.lua
index a7f52c1..85e3435 100644
--- a/ed25519c.lua
+++ b/ed25519c.lua
@@ -43,7 +43,7 @@ function mod.sign(sks, pk, msg)
 -- Response.
 -- Reduce secret key using the challenge and an extra mask.
 local m = fq.decodeWide(random.random(64))
- local xme = maddq.reduce(maddq.add(sks, m), e)
+ local xme = maddq.unwrap(maddq.mul(maddq.add(sks, m), e))
 local s = fq.add(fq.add(k, fq.neg(xme)), fq.mul(m, e))
 local sStr = fq.encode(s)
 
diff --git a/internal/maddq.lua b/internal/maddq.lua
index 85d781c..df9127f 100644
--- a/internal/maddq.lua
+++ b/internal/maddq.lua
@@ -14,6 +14,12 @@ local function new(val, order)
 return out
 end
 
+local function unwrap(arr)
+ local sum = fq.num(0)
+ for i = 1, #arr do sum = fq.add(sum, arr[i]) end
+ return sum
+end
+
 local function encode(arr)
 local out = {}
 for i = 1, #arr do out[i] = fq.encode(arr[i]) end
@@ -32,9 +38,9 @@ local function remask(arr)
 return out
 end
 
-local function reduce(arr, k)
- local out = fq.num(0)
- for i = 1, #arr do out = fq.add(out, fq.mul(arr[i], k)) end
+local function mul(arr, k)
+ local out = {}
+ for i = 1, #arr do out[i] = fq.mul(arr[i], k) end
 return out
 end
 
@@ -47,9 +53,10 @@ end
 
 return {
 new = new,
+ unwrap = unwrap,
 encode = encode,
 decode = decode,
 remask = remask,
- reduce = reduce,
+ mul = mul,
 add = add,
 }
diff --git a/x25519c.lua b/x25519c.lua
index be7add5..97d598e 100644
--- a/x25519c.lua
+++ b/x25519c.lua
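Review bot: The comment `-- Reduce secret key using the challenge and an extra mask.` directly above the changed line in ed25519c.lua still describes the removed `maddq.reduce`, while the new line adds `m` to the shares, scales them by `e` with `maddq.mul` and only then collapses them with `maddq.unwrap`; I would rewrite it as `-- Add the mask m to the key shares, multiply by the challenge e, then unwrap to a single Fq value.` so the reader sees that the mask is applied before the shares are combined. The same stale wording, `-- Reduce secret key using the multiplier.`, sits above the changed line in the x25519c.lua hunk and should be updated in the same way. mod.sign starts and ends outside this hunk.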
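Review bot: `unwrap` is added without a doc comment even though it is the one function in this module that folds a share array back into a single `fq` value, which from the code is the plain `fq.add` sum of `arr[1..#arr]`; a short LDoc block above `local function unwrap(arr)` should say that, and should state the intended contract for callers, since ed25519c.lua adds a fresh mask `m` before unwrapping whereas x25519c.lua unwraps the scaled shares directly. The new `mul` in the second hunk of this file deserves the same treatment, e.g. `--- Multiply every share of a masked Fq element by the scalar k, returning a new array of the same length.` Both functions read `arr` without modifying it and return a fresh value, which is worth saying explicitly because `remask` and `add` in the same module presumably follow the same convention but that is not visible here.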
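Review bot: Dropping `reduce = reduce,` from the returned table removes a public entry point, so any module that still calls `maddq.reduce` will fail with an attempt-to-call-nil error at the call site rather than at load time; the diffstat shows only ed25519c.lua and x25519c.lua being updated, so either confirm no other caller exists or keep a compatibility alias in the table until they are migrated, `reduce = function(arr, k) return unwrap(mul(arr, k)) end,`, which reproduces the old result exactly since the removed loop summed `fq.mul(arr[i], k)` over the same range.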
@@ -81,7 +81,7 @@ function mod.exchange(sks, pk, mc)
 assert(#mc == 32, "multiplier length must be 32")
 
 -- Reduce secret key using the multiplier.
- local skmc = maddq.reduce(sks, fq.decodeClamped(mc))
+ local skmc = maddq.unwrap(maddq.mul(sks, fq.decodeClamped(mc)))
 
 -- Get bits.
 -- We have our exponent modulo q. We also know that its value is 0 modulo 8.
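Review bot: Here the shares are unwrapped immediately after `maddq.mul` with no additional mask, unlike the sign path in ed25519c.lua which adds `m` first, so `skmc` becomes a single unmasked `fq` value whose bits are read by the code below the hunk. That is the same value the removed `maddq.reduce` produced, so it is not a regression, but now that unwrapping is an explicit, separately exported step it is worth a line stating the choice is deliberate, e.g. `-- No extra mask here: the bit extraction below needs the plain scalar, so unwrap directly.` (if that is indeed the reason). mod.exchange starts and ends outside this hunk.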