Improve Ed25519c masking

ed25519c.lua

@@ -40,11 +40,11 @@ function mod.sign(sks, pk, msg)
     -- Challenge.
     local e = fq.decodeWide(sha512.digest(rStr .. pk .. msg))
 
-    -- Reduce secret key using the challenge.
-    local xe = maddq.reduce(sks, e)
-
     -- Response.
-    local s = fq.add(k, fq.neg(xe))
+    -- Reduce secret key using the challenge and an extra mask.
+    local m = fq.decodeWide(random.random(64))
+    local xme = maddq.reduce(maddq.add(sks, m), e)
+    local s = fq.add(fq.add(k, fq.neg(xme)), fq.mul(m, e))
     local sStr = fq.encode(s)
 
     return rStr .. sStr

internal/fq.lua

@@ -280,6 +280,10 @@ local function bits(a)
     return util.rebaseLE(demontgomery(a), 2 ^ 24, 2)
 end
 
+local function clone(a)
+    return {unpack(a)}
+end
+
 return {
     num = num,
     add = add,
@@ -292,4 +296,5 @@ return {
     decodeWide = decodeWide,
     decodeClamped = decodeClamped,
     bits = bits,
+    clone = clone,
 }

internal/maddq.lua

@@ -38,10 +38,18 @@ local function reduce(arr, k)
     return out
 end
 
+local function add(arr, v)
+    local out = {}
+    for i = 1, #arr do out[i] = fq.clone(arr[i]) end
+    out[#arr] = fq.add(out[#arr], v)
+    return out
+end
+
 return {
     new = new,
     encode = encode,
     decode = decode,
     remask = remask,
     reduce = reduce,
+    add = add,
 }