From a14db84fea018c3750d1701f47a1884509f422bf Mon Sep 17 00:00:00 2001
From: Kris Nuttycombe
Date: Mon, 12 Apr 2021 18:43:21 -0600
Subject: [PATCH] Minor comment on epk canonicity.

Extracted from: https://github.com/zcash/librustzcash/commit/389e6ca6a38c4b7418d49bd13639a9511c981885
---
 src/lib.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib.rs b/src/lib.rs
index b4df91e..d4ab8df 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -458,6 +458,9 @@ pub fn try_output_recovery_with_ock>(
     let esk = D::extract_esk(&op)?;
     let shared_secret = D::ka_agree_enc(&esk, &pk_d);
+    // The small-order point check at the point of output parsing rejects
+    // non-canonical encodings, so reencoding here for the KDF should
+    // be okay.
     let key = D::kdf(shared_secret, &D::epk_bytes(output.epk()));
     let mut plaintext = [0; ENC_CIPHERTEXT_SIZE];
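Review bot: The added comment attributes rejection of non-canonical encodings to the small-order point check, but those are distinct properties: a small-order check only constrains the order of the already-decoded point, while canonicity can only be enforced by the byte-to-point decoding itself (a strict decoder that rejects out-of-range or otherwise non-unique encodings). What `D::kdf(shared_secret, &D::epk_bytes(output.epk()))` actually relies on is that re-encoding the parsed point reproduces exactly the epk bytes the sender fed into the KDF, so the comment should name that guarantee rather than the small-order check, e.g. `// Output parsing must reject non-canonical epk encodings (a small-order check alone does not), so re-encoding the parsed point here yields exactly the bytes the sender used in the KDF.` If the decoder used at parse time is not known to be strict, the safer option is to keep the original epk bytes from the output and pass those to the KDF instead of re-encoding. The enclosing function `try_output_recovery_with_ock` begins before and continues past this hunk, so the parsing step the comment refers to is not visible here.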