From 1baa127c6561ea604f6250b68b48105d026df575 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Thu, 1 Jan 2026 23:48:26 +0100
Subject: [PATCH] crypto.edwards25519: optimize rejectLowOrder

Reject low-order points by checking projective coordinates directly instead of using affine coordinates. Equivalent, but saves CPU cycles (~254 field multiplications total before, 3 field multiplications after).
---
 lib/std/crypto/25519/edwards25519.zig | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/lib/std/crypto/25519/edwards25519.zig b/lib/std/crypto/25519/edwards25519.zig
index 521ec74c6d..0bce0139f6 100644
--- a/lib/std/crypto/25519/edwards25519.zig
+++ b/lib/std/crypto/25519/edwards25519.zig
@@ -127,12 +127,10 @@ pub const Edwards25519 = struct {
 /// Check that the point does not generate a low-order group.
 /// Return a `WeakPublicKey` error if it does.
 pub fn rejectLowOrder(p: Edwards25519) WeakPublicKeyError!void {
- const zi = p.z.invert();
- const x = p.x.mul(zi);
- const y = p.y.mul(zi);
- const x_neg = x.neg();
- const iy = Fe.sqrtm1.mul(y);
- if (x.isZero() or y.isZero() or iy.equivalent(x) or iy.equivalent(x_neg)) {
+ const y_sqrtm1 = Fe.sqrtm1.mul(p.y);
+ if (p.x.isZero() or p.y.isZero() or p.z.isZero() or
+ y_sqrtm1.sub(p.x).isZero() or y_sqrtm1.add(p.x).isZero())
+ {
 return error.WeakPublicKey;
 }
 }
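Review bot: The rewritten condition on the `+ if` lines is only equivalent to the old affine test because the common factor Z drops out of x = 0, y = 0 and sqrt(-1)*y = +-x once Z is nonzero, and the new explicit `p.z.isZero()` term takes over the Z = 0 case that the old code reached through inverting zero; none of that reasoning is visible to the next reader, so a comment above the `if` would help, e.g. `// Affine test x=0, y=0, sqrt(-1)*y=+-x evaluated on projective (X, Y, Z); Z=0 is rejected explicitly.` The whole of `rejectLowOrder` lies inside this hunk. Because the projective form depends on the Z != 0 argument, a test that runs the known small-order encodings through `rejectLowOrder` both as decoded (Z = 1) and after a point operation that leaves Z != 1 would pin down that the refactor does not silently assume Z = 1; I cannot tell from the hunk whether such a test already exists in the file. The commit message counts three field multiplications, whereas the hunk shows one `mul` plus a `sub`, an `add` and five `isZero` calls, so the figure presumably includes the reductions inside `isZero`; worth confirming the wording matches what was measured.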