1 files changed, 9 insertions, 6 deletions

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index dc984c3..05f934a 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1271,14 +1271,15 @@ S-Decrypt(zk,label,expiration,ciphertext):
          <artwork name="" type="" align="left" alt=""><![CDATA[
 ZKDF-Private(d,label):
   /* EdDSA clamping */
-  a := SHA-512 (d)
+  dh := SHA-512 (d)
+  a := dh[0..31]
   a[0] &= 248
   a[31] &= 127
   a[31] |= 64
-  /* Calculate zk from d */
+  /* Calculate zk corresponding to d */
   zk := a * G
 
-  /* Calculate the blinding factor */
+  /* Calculate the blinding factor h */
   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
   /* Ensure that h == h mod L */
@@ -1354,12 +1355,14 @@ ZKDF-Public(zk,label):
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
 SignDerived(d,label,message):
+  /* Key expansion */
+  dh := SHA-512 (d)
   /* EdDSA clamping */
-  a := SHA-512 (d)
+  a := dh[0..31]
   a[0] &= 248
   a[31] &= 127
   a[31] |= 64
-  /* Calculate zk from d */
+  /* Calculate zk corresponding to d */
   zk := a * G
 
   /* Calculate blinding factor */
@@ -1367,7 +1370,7 @@ SignDerived(d,label,message):
   h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
 
   d' := ZKDF-Private(d,label)
-  dh := SHA-512 (d)
+  zk' := h * zk
   nonce := SHA-256 (dh[32..63] || h)
   r := SHA-512 (nonce || message)
   R := r * G