From 59647d1a9645d26f2643965b5b865c5c6b3fec33 Mon Sep 17 00:00:00 2001
From: Miguel Oliveira <miguel.oliveira4224@gmail.com>
Date: Wed, 2 Mar 2022 15:18:28 -0300
Subject: [PATCH] Move clamped Fq decoding into fq.lua

---
 internal/fq.lua | 18 ++++++++++++++++++
 x25519c.lua     | 16 ++--------------
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/internal/fq.lua b/internal/fq.lua
index 294044b..25120ee 100644
--- a/internal/fq.lua
+++ b/internal/fq.lua
@@ -280,6 +280,23 @@ local function decodeWide(str)
     return add(montgomery(low), montgomery(montgomery(high)))
 end
 
+--- Decodes a scalar using the X25519/Ed25519 bit clamping scheme.
+--
+-- @tparam string str A 32-byte string encoding some little-endian number a.
+-- @treturn 2²⁶⁵ * clamp(a) mod q as 11 linbs in [0..2²⁴).
+--
+local function decodeClamped(str)
+    -- Decode.
+    local words = {("<I3I3I3I3I3I3I3I3I3I3I2"):unpack(str)} words[12] = nil
+
+    -- Clamp.
+    words[1] = bit32.band(words[1], 0xfffff8)
+    words[11] = bit32.band(words[11], 0x7fff)
+    words[11] = bit32.bor(words[11], 0x4000)
+
+    return montgomery(words)
+end
+
 --- Returns a scalar in binary.
 --
 -- @tparam {number...} a A number a < q as limbs in [0..2²⁴).
@@ -300,5 +317,6 @@ return {
     encode = encode,
     decode = decode,
     decodeWide = decodeWide,
+    decodeClamped = decodeClamped,
     bits = bits,
 }
diff --git a/x25519c.lua b/x25519c.lua
index 2df6c46..32ca452 100644
--- a/x25519c.lua
+++ b/x25519c.lua
@@ -25,18 +25,6 @@ local function fqRandom()
     return fq.decodeWide(random.random(64))
 end
 
-local function fqDecodeStd(str)
-    -- Decode.
-    local words = {("<I3I3I3I3I3I3I3I3I3I3I2"):unpack(str)} words[12] = nil
-
-    -- Clamp.
-    words[1] = bit32.band(words[1], 0xfffff8)
-    words[11] = bit32.band(words[11], 0x7fff)
-    words[11] = bit32.bor(words[11], 0x4000)
-
-    return fq.montgomery(words)
-end
-
 local function ladder8(dx, bits)
     local x1 = fp.num(1)
     local z1 = fp.num(0)
@@ -68,7 +56,7 @@ end
 local mod = {}
 
 function mod.secretKeyInit(sk)
-    sk = fqDecodeStd(sk)
+    sk = fq.decodeClamped(sk)
 
     -- Set up the mask.
     local sks = {}
@@ -119,7 +107,7 @@ function mod.exchange(sks, pk, mc)
     assert(#mc == 32, "multiplier length must be 32")
 
     -- Get the multiplier in Fq.
-    mc = fqDecodeStd(mc)
+    mc = fq.decodeClamped(mc)
 
     -- Multiply secret key members and add them together.
     -- This unwraps into the "true" secret key times the multiplier (mod q).