f(x) = p(x)^k. x is the input sent to the second party by the first party after blinding it using a random invertible scalar r, and k is a secret key only known by the second party. p(x) is a hash-to-curve function.crypto_core_ed25519_is_valid_point() function checks that p represents a point on the edwards25519 curve, in canonical form, on the main subgroup, and that the point doesn't have a small order.1 on success, and 0 if the checks didn't pass.p with the representation of a random group element.crypto_core_ed25519_from_uniform() function maps a 32 bytes vector r to a point, and stores its compressed representation into p.crypto_scalarmult_ed25519() function multiplies a point p by a scalar n and puts the Y coordinate of the resulting point into q.q should not be used as a shared key prior to hashing.0 on success, or -1 if n is 0 or if p is not on the curve, not on the main subgroup, is a point of small order, or is not provided in canonical form.n is "clamped" (the 3 low bits are cleared to make it a multiple of the cofactor, bit 254 is set and bit 255 is cleared to respect the original design).crypto_scalarmult_ed25519_base() function multiplies the base point (x, 4/5) by a scalar n (clamped) and puts the Y coordinate of the resulting point into q.-1 if n is 0, and 0 otherwise.scalarmult functions above clear lower bits of the scalar. This may be indesirable to build protocols that requires n to be invertible.noclamp variants of these functions do not clear these bits, and do not set the high bit either. These variants expect a scalar in the ]0..L[ range.p is on the prime-order subgroup before performing the multiplication, and return -1 if this is not the case or n is 0. It returns 0 on success.0 on success, or -1 if n is 0.crypto_core_ed25519_add() function adds the point p to the point q and stores the resulting point into r.0 on success, or -1 if p and/or q are not valid points.crypto_core_ed25519_sub() function subtracts the point p to the point q and stores the resulting point into r.0 on success, or -1 if p and/or q are not valid points.crypto_core_ed25519_scalar_*() function set operates over scalars in the [0..L[ interval, L being the order of the main subgroup (2^252 + 27742317777372353535851937790883648493).crypto_core_ed25519_scalar_random() function introduced in libsodium 1.0.17:crypto_core_ed25519_scalar_random() fills r with a crypto_core_ed25519_SCALARBYTES bytes representation of the scalar in the ]0..L[ interval.[0..L[ interval can also be obtained by reducing a possibly larger value:crypto_core_ed25519_scalar_reduce() function reduces s to s mod L and puts the crypto_core_ed25519_SCALARBYTES integer into r.s is much larger than r (64 bytes vs 32 bytes). Bits of s can be left to 0, but the interval s is sampled from should be at least 317 bits to ensure almost uniformity of r over L.crypto_core_ed25519_scalar_invert() function computes the multiplicative inverse of s over L, and puts it into recip.crypto_core_ed25519_scalar_negate() function returns neg so that s + neg = 0 (mod L).crypto_core_ed25519_scalar_complement() function returns comp so that s + comp = 1 (mod L).crypto_core_ed25519_scalar_add() function stores x + y (mod L) into z.crypto_core_ed25519_scalar_sub() function stores x - y (mod L) into z.crypto_core_ed25519_scalar_mul() function stores x * y (mod L) into z.crypto_scalarmult_ed25519_BYTEScrypto_scalarmult_ed25519_SCALARBYTEScrypto_core_ed25519_BYTEScrypto_core_ed25519_UNIFORMBYTEScrypto_core_ed25519_SCALARBYTEScrypto_core_ed25519_NONREDUCEDSCALARBYTEScrypto_core_ed25519_from_uniform() exposes the Elligator 2 map, using the high bit for the sign of the X coordinate.