Separate masked Fq multiply from unwrap

ed25519c.lua

@@ -43,7 +43,7 @@ function mod.sign(sks, pk, msg)
     -- Response.
     -- Reduce secret key using the challenge and an extra mask.
     local m = fq.decodeWide(random.random(64))
-    local xme = maddq.reduce(maddq.add(sks, m), e)
+    local xme = maddq.unwrap(maddq.mul(maddq.add(sks, m), e))
     local s = fq.add(fq.add(k, fq.neg(xme)), fq.mul(m, e))
     local sStr = fq.encode(s)
 

internal/maddq.lua

@@ -14,6 +14,12 @@ local function new(val, order)
     return out
 end
 
+local function unwrap(arr)
+    local sum = fq.num(0)
+    for i = 1, #arr do sum = fq.add(sum, arr[i]) end
+    return sum
+end
+
 local function encode(arr)
     local out = {}
     for i = 1, #arr do out[i] = fq.encode(arr[i]) end
@@ -32,9 +38,9 @@ local function remask(arr)
     return out
 end
 
-local function reduce(arr, k)
+local function mul(arr, k)
-    local out = fq.num(0)
+    local out = {}
-    for i = 1, #arr do out = fq.add(out, fq.mul(arr[i], k)) end
+    for i = 1, #arr do out[i] = fq.mul(arr[i], k) end
     return out
 end
 
@@ -47,9 +53,10 @@ end
 
 return {
     new = new,
+    unwrap = unwrap,
     encode = encode,
     decode = decode,
     remask = remask,
-    reduce = reduce,
+    mul = mul,
     add = add,
 }

x25519c.lua

@@ -81,7 +81,7 @@ function mod.exchange(sks, pk, mc)
     assert(#mc == 32, "multiplier length must be 32")
 
     -- Reduce secret key using the multiplier.
-    local skmc = maddq.reduce(sks, fq.decodeClamped(mc))
+    local skmc = maddq.unwrap(maddq.mul(sks, fq.decodeClamped(mc)))
 
     -- Get bits.
     -- We have our exponent modulo q. We also know that its value is 0 modulo 8.