From: Loup Vaillant Date: Wed, 18 Aug 2021 18:54:01 +0000 (+0200) Subject: ge_frombytes_vartime() does not parse (0, 1) X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=ac78283e72209a04a73545e007e579fd3765f736;p=Monocypher.git ge_frombytes_vartime() does not parse (0, 1) But that's okay, because that point has low order. --- diff --git a/src/monocypher.c b/src/monocypher.c index 4205814..79f7e85 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -1758,6 +1758,12 @@ static void ge_tobytes(u8 s[32], const ge *h) // isr = invsqrt(num * den) // abort if not square // x = num * isr // Finally, negate x if its sign is not as specified. +// +// Note that using invsqrt causes this function to fail when y = 1. +// The point (0, 1) *is* on the curve, so in principle we should not +// reject it. However, we are only using it to read EdDSA public keys, +// And the legitimate ones never have low order. Indeed, some libraries +// reject *all* low order points, on purpose. static int ge_frombytes_vartime(ge *h, const u8 s[32]) { fe_frombytes(h->Y, s, 1);
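Review bot: The new comment above ge_frombytes_vartime() justifies rejecting (0, 1) only by current usage ("we are only using it to read EdDSA public keys"), which leaves the restriction implicit for anyone who later calls this function in another context. Consider wording it as a precondition on callers, for example that the function must not be used where (0, 1) is an acceptable input, so the limitation is read as part of the contract and not as a passing remark. The note also says invsqrt causes the failure at y = 1 without saying why, while the pseudocode just above only reads "abort if not square"; one clause linking the two would make the comment self-contained. A regression test that feeds the encoding of (0, 1) and expects failure would pin the documented behaviour. Minor style point: "And the legitimate ones" follows a comma, so it should be lowercase "and".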