From b64dd7c4c6456176383803751412d3e81f408cbe Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Mon, 9 Mar 2020 16:48:22 +0100
Subject: [PATCH] Elligator: fixed failure to ignore padding

---
 src/monocypher.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/monocypher.c b/src/monocypher.c
index 33f9442..7af9030 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -2268,8 +2268,16 @@ void crypto_elligator2_direct(uint8_t curve[32], const uint8_t hash[32])
     static const fe A2 = {12721188, 3529, 0, 0, 0, 0, 0, 0, 0, 0};
     static const fe one = {1, 0, 0, 0, 0, 0, 0, 0, 0, 0};
 
+    // Representatives are encoded in 254 bits.
+    // The two most significant ones are random padding that must be ignored.
+    u8 clamped[32];
+    FOR (i, 0, 32) {
+        clamped[i] = hash[i];
+    }
+    clamped[31] &= 0x3f;
+
     fe r, u, t1, t2, t3;
-    fe_frombytes(r, hash);
+    fe_frombytes(r, clamped);
     fe_sq2(t1, r);
     fe_add(u, t1, one);
     fe_sq (t2, u);
-- 
2.47.3
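Review bot: The mask `clamped[31] &= 0x3f;` clears bits 254 and 255 of the little-endian encoding, but the comment above it only says "the two most significant ones" without tying that to byte 31 or the constant; a one-line comment such as `// little-endian: bits 254 and 255 are the top two bits of byte 31` next to the mask would make the magic `0x3f` self-explaining. The hand-written copy loop reads as the same bounded copy the file's `COPY` macro expresses, if that macro is in scope at this point, so `COPY(clamped, hash, 32);` would be the more consistent spelling. This hunk only makes the direct map tolerate padding; whether the inverse map actually fills those two bits with random values, as the new comment asserts, cannot be seen from here and is worth confirming together with a test vector whose top two bits are set. `crypto_elligator2_direct` starts at the hunk header and continues past the end of the hunk.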