From 602019f68770b37794c1c42ab7163e0b1488824f Mon Sep 17 00:00:00 2001
From: Yawning Angel
Date: Sat, 14 Nov 2015 05:02:26 +0000
Subject: [PATCH] When calculating the Elligator 2 forward map, use -b if required.

Per section 5.5 of the Elligator paper: "Here |b| means b if b \in {0,1,...,(q - 1)/2}, otherwise b." The old code would sometimes return representatives that are 255 bits in length, which is incorrect (#S = (q + 1)/2).
---
 extra25519/extra25519.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/extra25519/extra25519.go b/extra25519/extra25519.go
index 571218f..3487d0b 100644
--- a/extra25519/extra25519.go
+++ b/extra25519/extra25519.go
@@ -196,6 +196,13 @@ func ScalarBaseMult(publicKey, representative, privateKey *[32]byte) bool {
 	vInSquareRootImage := feBytesLE(&vBytes, &halfQMinus1Bytes)
 	edwards25519.FeCMove(&r, &r1, vInSquareRootImage)
 
+	// 5.5: Here |b| means b if b in {0, 1, ..., (q - 1)/2}, otherwise -b.
+	var rBytes [32]byte
+	edwards25519.FeToBytes(&rBytes, &r)
+	negateB := 1 & (^feBytesLE(&rBytes, &halfQMinus1Bytes))
+	edwards25519.FeNeg(&r1, &r)
+	edwards25519.FeCMove(&r, &r1, negateB)
+
 	edwards25519.FeToBytes(publicKey, &u)
 	edwards25519.FeToBytes(representative, &r)
 	return true
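Review bot: The mask expression `negateB := 1 & (^feBytesLE(&rBytes, &halfQMinus1Bytes))` on the fourth added line only works because the helper yields exactly 0 or 1, which a reader has to verify elsewhere; `negateB := 1 ^ feBytesLE(&rBytes, &halfQMinus1Bytes)` states the complement directly and keeps the same branch-free, data-independent shape as the existing FeCMove selection two lines above (assuming feBytesLE is constant-time like the rest of this path — not visible in the hunk). The terse `// 5.5:` should name its source so the invariant is auditable, e.g. `// Elligator paper §5.5: |b| is b if b in {0, ..., (q-1)/2}, else -b; selected with FeCMove to stay constant-time.` The diffstat shows no test accompanies the fix; since (q-1)/2 = 2^254 - 10 fits in 254 bits, a regression test asserting `representative[31]&0xc0 == 0` across random private keys would pin the bound the commit message describes. ScalarBaseMult begins and ends outside the hunk.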