int crypto_sign_ed25519(
unsigned char *sm,unsigned long long *smlen,
const unsigned char *m,unsigned long long mlen,
const unsigned char *sk
)
{
sc25519 sck, scs, scsk;
ge25519 ger;
unsigned char r[32];
unsigned char s[32];
unsigned char extsk[64];
unsigned long long i;
unsigned char hmg[crypto_hash_sha512_BYTES];
unsigned char hram[crypto_hash_sha512_BYTES];
crypto_hash_sha512(extsk, sk, 32);
extsk[0] &= 248;
extsk[31] &= 127;
extsk[31] |= 64;
*smlen = mlen+64;
for(i=0;i<mlen;i++)
sm[64 + i] = m[i];
for(i=0;i<32;i++)
sm[32 + i] = extsk[32+i];
crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */
/* Computation of R */
sc25519_from64bytes(&sck, hmg);
ge25519_scalarmult_base(&ger, &sck);
ge25519_pack(r, &ger);
/* Computation of s */
for(i=0;i<32;i++)
sm[i] = r[i];
get_hram(hram, sm, sk+32, sm, mlen+64);
sc25519_from64bytes(&scs, hram);
sc25519_from32bytes(&scsk, extsk);
sc25519_mul(&scs, &scs, &scsk);
sc25519_add(&scs, &scs, &sck);
sc25519_to32bytes(s,&scs); /* cat s */
for(i=0;i<32;i++)
sm[32 + i] = s[i];
return 0;
}
// Step 3
// y = (sk_r + c * sk) mod #(B) with sk secret
int schnorr_id_response(uint8_t response[SCHNORR_ID_RESPONSEBYTES],
const uint8_t sk[SCHNORR_SECRETKEYBYTES],
const uint8_t sk_r[SCHNORR_SECRETKEYBYTES],
const uint8_t challenge[SCHNORR_ID_CHALLENGEBYTES]) {
sc25519 sc_sk;
sc25519 sc_sk_r;
sc25519 sc_challenge;
sc25519_from32bytes(&sc_sk, sk);
sc25519_from32bytes(&sc_sk_r, sk_r);
sc25519_from_challenge_bytes(&sc_challenge, challenge);
sc25519_mul(&sc_sk, &sc_sk, &sc_challenge);
sc25519_add(&sc_sk, &sc_sk, &sc_sk_r);
sc25519_to32bytes(response, &sc_sk);
return 0;
}
