Clarify the group element check in verify_strict().

* FIXES part of dalek-cryptography#130
isislovecruft · Nov 3, 2020 · 87731f1 · 87731f1
1 parent ad2e75f
commit 87731f1
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/public.rs b/src/public.rs
@@ -256,12 +256,16 @@ impl PublicKey {
     /// 2. Point malleability
     ///
     /// The authors of the RFC added in a malleability check to step #3 in
-    /// §5.1.7, for small torsion components in the `R` value of the signature,
-    /// *which is not strictly required*, as they state:
+    /// §5.1.7, for points of small order in the `R` value of the signature and
+    /// the public key `A`, *which is not strictly required*, as they state:
     ///
     /// > Check the group equation \[8\]\[S\]B = \[8\]R + \[8\]\[k\]A'.  It's
     /// > sufficient, but not required, to instead check \[S\]B = R + \[k\]A'.
     ///
+    /// However, this only ensures that the signature `R` and the public key are
+    /// not points of small order; it does *not* guarantee that the group
+    /// elements are torsion-free.
+    ///
     /// # History of Malleability Checks
     ///
     /// As originally defined (cf. the "Malleability" section in the README of