Clarified why we need to hash the message twice in EdDSA

The code isn't crystal clear about the fact we reuse the result of the
first hash in the second hash.  A little comment makes sure reviewers
don't miss it.

diff --git a/src/monocypher.c b/src/monocypher.c
index aaf2b00114d17bbdc715ec6578a1e15cf6f86b60..2a096dff009b71a0c5f5e66776b0c5771577f545 100644 (file)
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1536,6 +1536,8 @@ void crypto_sign(u8        signature[64],
     ge_scalarmult_base(&R, r);
     ge_tobytes(signature, &R);
 
+    // Hash R, the public key, and the message together.
+    // It cannot be done in paralell with the first hash.
     u8 h_ram[64];
     hash_ram(h_ram, signature, pk, message, message_size);