diff --git a/main.c b/main.c
index c2ab96c..e8235a1 100644
--- a/main.c
+++ b/main.c
@@ -357,8 +357,23 @@ static void combine(const char *privpath, const char *hs_secretkey)
 	ge25519_scalarmult_base(&A, &a);
 	ge25519_pack(pk, &A);
 
+	// Save secret scalar.
 	sc25519_to32bytes(&secret[32], &a);
 
+	// Compute second half of the key.
+	// See "Pseudorandom generation of r.", page 8 of https://ed25519.cr.yp.to/ed25519-20110926.pdf
+	// You're supposed to generate it together with the secret scalar, but
+	// we can't really do that here. As far as I can tell, it just needs to
+	// be another secret value.
+	// In normal Ed25519 you never have a pair of keys with the same secret
+	// scalar but different second halves (I can't find the proper term for
+	// it...). If I generated them independently from the secret scalar,
+	// someone could run --combine and get such a pair of keys.
+	// I don't know if that would mess anything up, but to err on the side
+	// of caution, I'm setting it to a hash of the secret scalar and the
+	// original generated key.
+	FIPS202_SHAKE256(secret, sizeof secret, &secret[64], 32);
+	
 	sc25519_from32bytes(&a, &secret[32]);
 	ge25519_scalarmult_base(&A, &a);
 	ge25519_pack(pk, &A);