From 9e7b83d69cbd4daca5a16353499cc428a261c65e Mon Sep 17 00:00:00 2001
From: Yawning Angel
Date: Fri, 30 Oct 2020 21:00:18 +0000
Subject: [PATCH] ed25519: Remove PublicKey.IsSmallOrder This is more trouble than it's worth.
---
 ed25519.go | 23 +++++++----------------
 small_order_test.go | 4 ----
 2 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/ed25519.go b/ed25519.go
index 7150977..a9bc0d0 100644
--- a/ed25519.go
+++ b/ed25519.go
@@ -203,16 +203,6 @@ func (pub PublicKey) Equal(x crypto.PublicKey) bool {
 return bytes.Equal(pub, xx)
 }
-// IsSmallOrder returns true iff a Public Key is a small order point.
-// This routine will panic if the public key length is invalid.
-func (pub PublicKey) IsSmallOrder() bool {
- if l := len(pub); l != PublicKeySize {
- panic("ed25519: bad public key length: " + strconv.Itoa(l))
- }
-
- return isSmallOrderVartime(pub)
-}
-
 // Sign signs the message with privateKey and returns a signature. It will
 // panic if len(privateKey) is not PrivateKeySize.
 func Sign(privateKey PrivateKey, message []byte) []byte {
@@ -294,11 +284,6 @@ func verify(publicKey PublicKey, message, sig []byte, f dom2Flag, c []byte, zip2
 panic("ed25519: bad public key length: " + strconv.Itoa(l))
 }
- // Reject small order A to make the scheme strongly binding.
- if !zip215 && isSmallOrderVartime(publicKey) {
- return false
- }
-
 var (
 hash [64]byte
 Rproj, R, A, checkR ge25519.Ge25519
@@ -309,6 +294,11 @@ func verify(publicKey PublicKey, message, sig []byte, f dom2Flag, c []byte, zip2
 return false
 }
+ // Reject small order A to make the scheme strongly binding.
+ if !zip215 && isSmallOrderVartime(publicKey) {
+ return false
+ }
+
 // hram = H(R,A,m)
 h := sha512.New()
 if f != fPure {
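Review bot: The relocated comment in `verify` (the `+294` hunk) says the small-order rejection makes the scheme strongly binding, but the guard is `if !zip215 && isSmallOrderVartime(publicKey)`, so when `zip215` is set a small-order A is not rejected at this point and the comment overstates what a reader can rely on. I would spell out the exception in the comment, for example `// Reject small order A to make the scheme strongly binding. Skipped when zip215 is set, so that mode does not get this guarantee from here.` The check now runs after an earlier `return false` whose condition lies outside the hunk, and the body of `verify` continues past the last visible line, so I cannot confirm from here what has already been validated before `publicKey` reaches the helper.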
@@ -476,7 +466,8 @@ func isSmallOrderVartime(s []byte) bool {
 var t1, t2 ge25519.Ge25519
 if !ge25519.UnpackVartime(&t1, s) {
- panic("ed25519/isSmallOrderVartime: failed to unpack")
+ // Treat unpack failures as equivalent to small order (invalid A).
+ return true
 }
 ge25519.CofactorMultiply(&t2, &t1)
diff --git a/small_order_test.go b/small_order_test.go
index 801469b..748a94f 100644
--- a/small_order_test.go
+++ b/small_order_test.go
@@ -98,9 +98,5 @@ func TestSmallOrderCheck(t *testing.T) {
 if !isSmallOrderVartime(v[:]) {
 t.Errorf("point %d should fail small order check", idx)
 }
-
- if pub := PublicKey(v[:]); !pub.IsSmallOrder() {
- t.Errorf("point %d as public key should fail small order check", idx)
- }
 }
 }
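Review bot: In `isSmallOrderVartime` (ed25519.go, the `+466` hunk) a failed `ge25519.UnpackVartime` now yields `true`, so the result no longer means only "small order" but also "could not be decoded", and nothing at the function level tells a future caller that. I would put this on the function's doc comment, which is outside the hunk, along the lines of `// isSmallOrderVartime returns true if s is a small order point or fails to unpack.`, and, if the Vartime suffix means what it usually does, add that it is intended for public inputs only. Failing closed instead of panicking is the safer direction for `verify`, but the `TestSmallOrderCheck` loop visible in this patch only feeds small-order points, so the new branch is untested; a case with an encoding that does not unpack, asserting `true` and no panic, would pin it. The function body continues past the last visible line.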