diff --git a/src/crypto/crypto-ops.c b/src/crypto/crypto-ops.c
index 8bc86a2f..e7a2ed85 100644
--- a/src/crypto/crypto-ops.c
+++ b/src/crypto/crypto-ops.c
@@ -3013,3 +3013,15 @@ void fe_frombytes(fe h, const unsigned char *s)
   h[8] = h8;
   h[9] = h9;
 }
+
+// Implemented using sc_mulsub
+// TODO: make more efficient implementation
+void sc_mul(unsigned char *s, const unsigned char *a, const unsigned char *b)
+{
+  unsigned char c[32];
+  unsigned char neg_a[32];
+  sc_0(c);
+  sc_sub(neg_a, c, a);
+  // s = c - ab
+  sc_mulsub(s, neg_a, b, c);
+}
diff --git a/src/crypto/crypto-ops.h b/src/crypto/crypto-ops.h
index 138db1d2..3a6f16fe 100644
--- a/src/crypto/crypto-ops.h
+++ b/src/crypto/crypto-ops.h
@@ -120,6 +120,7 @@ void sc_reduce32(unsigned char *);
 void sc_add(unsigned char *, const unsigned char *, const unsigned char *);
 void sc_sub(unsigned char *, const unsigned char *, const unsigned char *);
 void sc_mulsub(unsigned char *, const unsigned char *, const unsigned char *, const unsigned char *);
+void sc_mul(unsigned char *z, const unsigned char *x, const unsigned char *y);
 int sc_check(const unsigned char *);
 int sc_isnonzero(const unsigned char *); /* Doesn't normalize */