Add masked Ed25519

ed25519c.lua

@@ -0,0 +1,53 @@
+local expect  = require "cc.expect".expect
+local fq      = require "ccryptolib.internal.fq"
+local sha512  = require "ccryptolib.internal.sha512"
+local ed25519 = require "ccryptolib.internal.ed25519"
+local maddq   = require "ccryptolib.internal.maddq"
+local random  = require "ccryptolib.random"
+
+local ORDER = 4
+
+local mod = {}
+
+function mod.new(sk)
+    expect(1, sk, "string")
+    assert(#sk == 32, "secret key length must be 32")
+
+    return maddq.new(fq.decodeClamped(sha512.digest(sk):sub(1, 32)), ORDER)
+end
+
+function mod.encode(sks)
+    return maddq.encode(sks)
+end
+
+function mod.decode(str)
+    expect(1, str, "string")
+    assert(#str == 128, "encoded sks length must be 128")
+
+    return maddq.decode(str)
+end
+
+function mod.remask(sks)
+    return maddq.remask(sks)
+end
+
+function mod.sign(sks, pk, msg)
+    -- Commitment.
+    local k = fq.decodeWide(random.random(64))
+    local r = ed25519.mulG(fq.bits(k))
+    local rStr = ed25519.encode(ed25519.scale(r))
+
+    -- Challenge.
+    local e = fq.decodeWide(sha512.digest(rStr .. pk .. msg))
+
+    -- Reduce secret key using the challenge.
+    local xe = maddq.reduce(sks, e)
+
+    -- Response.
+    local s = fq.add(k, fq.neg(xe))
+    local sStr = fq.encode(s)
+
+    return rStr .. sStr
+end
+
+return mod