diff --git a/ChangeLog b/ChangeLog
index 682d0454d41001ae4a5d6143565309cf1e3fa6e6..4087cc56ef784833dc3e4848d3e20e9f8e3544d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2014-10-18  Niels Möller  <nisse@lysator.liu.se>
+
+	* eddsa-verify.c (_eddsa_verify): Change argument order, putting A
+	before ctx.
+	* eddsa.h: Updated prototype.
+	* testsuite/eddsa-verify-test.c (test_eddsa): Updated
+	_eddsa_verify calls.
+
 2014-10-14  Niels Möller  <nisse@lysator.liu.se>
 
 	* eddsa-verify.c (equal_h): New function.
diff --git a/eddsa-verify.c b/eddsa-verify.c
index b519f7bd21688404e0b0dfbf34688d2c359203a6..5541d9757ae35827b33ba0b781124fbcbc579c86 100644
--- a/eddsa-verify.c
+++ b/eddsa-verify.c
@@ -76,8 +76,8 @@ int
 _eddsa_verify (const struct ecc_curve *ecc,
 	       const struct nettle_hash *H,
 	       const uint8_t *pub,
-	       void *ctx,
 	       const mp_limb_t *A,
+	       void *ctx,
 	       size_t length,
 	       const uint8_t *msg,
 	       const uint8_t *signature,
diff --git a/eddsa.h b/eddsa.h
index 582e969b850eb037c306281d5531d1f69207b8b9..50214862f7ca55aa940430ad7c9bbff39c5960cf 100644
--- a/eddsa.h
+++ b/eddsa.h
@@ -96,8 +96,8 @@ int
 _eddsa_verify (const struct ecc_curve *ecc,
 	       const struct nettle_hash *H,
 	       const uint8_t *pub,
-	       void *ctx,
 	       const mp_limb_t *A,
+	       void *ctx,
 	       size_t length,
 	       const uint8_t *msg,
 	       const uint8_t *signature,
diff --git a/testsuite/eddsa-verify-test.c b/testsuite/eddsa-verify-test.c
index f78057b8213d53b300207d561d287817760310dd..39f972a34ee8c46f85ba6b12c7631cabdb475436 100644
--- a/testsuite/eddsa-verify-test.c
+++ b/testsuite/eddsa-verify-test.c
@@ -51,7 +51,7 @@ test_eddsa (const struct ecc_curve *ecc,
     die ("Invalid eddsa public key.\n");
 
   memcpy (csignature, signature, 2*nbytes);
-  if (!_eddsa_verify (ecc, H, pub, ctx, A,
+  if (!_eddsa_verify (ecc, H, pub, A, ctx,
 		      msg->length, msg->data, csignature, scratch))
     {
       fprintf (stderr, "eddsa_verify failed with valid signature.\n");
@@ -68,7 +68,7 @@ test_eddsa (const struct ecc_curve *ecc,
 
   memcpy (csignature, signature, 2*nbytes);
   csignature[nbytes/3] ^= 0x40;
-  if (_eddsa_verify (ecc, H, pub, ctx, A,
+  if (_eddsa_verify (ecc, H, pub, A, ctx,
 		     msg->length, msg->data, csignature, scratch))
     {
       fprintf (stderr,
@@ -79,7 +79,7 @@ test_eddsa (const struct ecc_curve *ecc,
   memcpy (csignature, signature, 2*nbytes);
   csignature[5*nbytes/3] ^= 0x8;
 
-  if (_eddsa_verify (ecc, H, pub, ctx, A,
+  if (_eddsa_verify (ecc, H, pub, A, ctx,
 		     msg->length, msg->data, csignature, scratch))
     {
       fprintf (stderr,
@@ -90,7 +90,7 @@ test_eddsa (const struct ecc_curve *ecc,
   memcpy (csignature, signature, 2*nbytes);
   if (msg->length == 0)
     {
-      if (_eddsa_verify  (ecc, H, pub, ctx, A,
+      if (_eddsa_verify  (ecc, H, pub, A, ctx,
 			  3, "foo", csignature, scratch))
 	{
 	  fprintf (stderr,
@@ -100,7 +100,7 @@ test_eddsa (const struct ecc_curve *ecc,
     }
   else
     {
-      if (_eddsa_verify  (ecc, H, pub, ctx, A,
+      if (_eddsa_verify  (ecc, H, pub, A, ctx,
 			  msg->length - 1, msg->data,
 			  csignature, scratch))
 	{
@@ -110,7 +110,7 @@ test_eddsa (const struct ecc_curve *ecc,
 	}
       memcpy (csignature, signature, 2*nbytes);
       cmsg[2*msg->length / 3] ^= 0x20;
-      if (_eddsa_verify  (ecc, H, pub, ctx, A,
+      if (_eddsa_verify  (ecc, H, pub, A, ctx,
 			  msg->length, cmsg, csignature, scratch))
 	{
 	  fprintf (stderr,