Separate masked Fq multiply from unwrap

2022-03-04 13:19:51 -03:00 · 2022-03-04 13:19:51 -03:00 · 206f8474ff
parent 1019623aec
commit 206f8474ff
3 changed files with 13 additions and 6 deletions
--- a/ed25519c.lua
+++ b/ed25519c.lua
@ -43,7 +43,7 @@ function mod.sign(sks, pk, msg)
    -- Response.
    -- Reduce secret key using the challenge and an extra mask.
    local m = fq.decodeWide(random.random(64))
-    local xme = maddq.reduce(maddq.add(sks, m), e)
+    local xme = maddq.unwrap(maddq.mul(maddq.add(sks, m), e))
    local s = fq.add(fq.add(k, fq.neg(xme)), fq.mul(m, e))
    local sStr = fq.encode(s)

--- a/internal/maddq.lua
+++ b/internal/maddq.lua
@ -14,6 +14,12 @@ local function new(val, order)
    return out
 end

+local function unwrap(arr)
+    local sum = fq.num(0)
+    for i = 1, #arr do sum = fq.add(sum, arr[i]) end
+    return sum
+end
+
 local function encode(arr)
    local out = {}
    for i = 1, #arr do out[i] = fq.encode(arr[i]) end
@ -32,9 +38,9 @@ local function remask(arr)
    return out
 end

-local function reduce(arr, k)
-    local out = fq.num(0)
-    for i = 1, #arr do out = fq.add(out, fq.mul(arr[i], k)) end
+local function mul(arr, k)
+    local out = {}
+    for i = 1, #arr do out[i] = fq.mul(arr[i], k) end
    return out
 end

@ -47,9 +53,10 @@ end

 return {
    new = new,
+    unwrap = unwrap,
    encode = encode,
    decode = decode,
    remask = remask,
-    reduce = reduce,
+    mul = mul,
    add = add,
 }
--- a/x25519c.lua
+++ b/x25519c.lua
@ -81,7 +81,7 @@ function mod.exchange(sks, pk, mc)
    assert(#mc == 32, "multiplier length must be 32")

    -- Reduce secret key using the multiplier.
-    local skmc = maddq.reduce(sks, fq.decodeClamped(mc))
+    local skmc = maddq.unwrap(maddq.mul(sks, fq.decodeClamped(mc)))

    -- Get bits.
    -- We have our exponent modulo q. We also know that its value is 0 modulo 8.