From 87731f183aed350a96a05ee36f02987d5ccb9b38 Mon Sep 17 00:00:00 2001
From: Isis Lovecruft
Date: Tue, 3 Nov 2020 00:14:10 +0000
Subject: [PATCH] Clarify the group element check in verify_strict().

* FIXES part of https://github.com/dalek-cryptography/ed25519-dalek/issues/130

---
 src/public.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/public.rs b/src/public.rs
index b172ffe..af70df0 100644
--- a/src/public.rs
+++ b/src/public.rs
@@ -256,12 +256,16 @@ impl PublicKey {
 /// 2. Point malleability
 ///
 /// The authors of the RFC added in a malleability check to step #3 in
- /// §5.1.7, for small torsion components in the `R` value of the signature,
- /// *which is not strictly required*, as they state:
+ /// §5.1.7, for points of small order in the `R` value of the signature and
+ /// the public key `A`, *which is not strictly required*, as they state:
 ///
 /// > Check the group equation \[8\]\[S\]B = \[8\]R + \[8\]\[k\]A'. It's
 /// > sufficient, but not required, to instead check \[S\]B = R + \[k\]A'.
 ///
+ /// However, this only ensures that the signature `R` and the public key are
+ /// not points of small order; it does *not* guarantee that the group
+ /// elements are torsion-free.
+ ///
 /// # History of Malleability Checks
 ///
 /// As originally defined (cf. the "Malleability" section in the README of
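Review bot: The new paragraph ("However, this only ensures that the signature `R` and the public key are not points of small order") attributes to the quoted cofactored equation `[8][S]B = [8]R + [8][k]A'` a property it does not have: multiplying both sides by the cofactor annihilates any small-order component of `R` and `A'`, so that form *accepts* such points rather than detecting them, and it is the cofactorless check `[S]B = R + [k]A'` plus an explicit small-order rejection that is sensitive to them. The closing clause about torsion-freeness is right and worth keeping, since a point of large order can still carry a nonzero torsion component, but the sentence should say which check is being described. Suggested wording: `/// Note that the cofactored form cancels any small-order component rather than rejecting it; rejecting small-order R and A explicitly (as the "strict" check does) still does *not* guarantee that either point is torsion-free.` The wording for what the strict check actually does should be confirmed against the function body, which lies outside this hunk.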