From 3c2a5ad4ee216f1fc237ce650e9271ab1d1e0f2d Mon Sep 17 00:00:00 2001
From: Miguel Oliveira
Date: Fri, 4 Mar 2022 12:20:36 -0300
Subject: [PATCH] Add masked Ed25519
---
ed25519c.lua | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 ed25519c.lua
diff --git a/ed25519c.lua b/ed25519c.lua
new file mode 100644
index 0000000..778f78b
--- /dev/null
+++ b/ed25519c.lua
@@ -0,0 +1,53 @@
+local expect = require "cc.expect".expect
+local fq = require "ccryptolib.internal.fq"
+local sha512 = require "ccryptolib.internal.sha512"
+local ed25519 = require "ccryptolib.internal.ed25519"
+local maddq = require "ccryptolib.internal.maddq"
+local random = require "ccryptolib.random"
+
+local ORDER = 4
+
+local mod = {}
+
+function mod.new(sk)
+ expect(1, sk, "string")
+ assert(#sk == 32, "secret key length must be 32")
+
+ return maddq.new(fq.decodeClamped(sha512.digest(sk):sub(1, 32)), ORDER)
+end
+
+function mod.encode(sks)
+ return maddq.encode(sks)
+end
+
+function mod.decode(str)
+ expect(1, str, "string")
+ assert(#str == 128, "encoded sks length must be 128")
+
+ return maddq.decode(str)
+end
+
+function mod.remask(sks)
+ return maddq.remask(sks)
+end
+
+function mod.sign(sks, pk, msg)
+ -- Commitment.
+ local k = fq.decodeWide(random.random(64))
+ local r = ed25519.mulG(fq.bits(k))
+ local rStr = ed25519.encode(ed25519.scale(r))
+
+ -- Challenge.
+ local e = fq.decodeWide(sha512.digest(rStr .. pk .. msg))
+
+ -- Reduce secret key using the challenge.
+ local xe = maddq.reduce(sks, e)
+
+ -- Response.
+ local s = fq.add(k, fq.neg(xe))
+ local sStr = fq.encode(s)
+
+ return rStr .. sStr
+end
+
+return mod
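Review bot: `mod.sign` feeds `pk` and `msg` straight into `rStr .. pk .. msg` with no type or length check, unlike `mod.new` and `mod.decode` in the same file. Because `..` silently coerces numbers, a wrong-typed or wrong-length `pk` yields a signature that fails verification without any error at signing time. Open the function with `expect(2, pk, "string")`, `assert(#pk == 32, "public key length must be 32")` and `expect(3, msg, "string")`. Separately, the nonce `k` is handled as a plain scalar in `ed25519.mulG(fq.bits(k))` and `fq.add(k, fq.neg(xe))`, and since `s` and `e` are public, leaking `k` presumably exposes the key just as leaking the masked shares would. A header comment such as `-- Masking covers the long-term key only; the nonce k is unmasked and relies on random.random being properly seeded.` would make that boundary explicit.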