Mention the identity element and its encoding

[FiloSottile]

The identity element just works with encoding and decoding, and there is a test vector for it in the appendix, but I feel like it might be worth calling out in two other places:

• in Section 4, spelling out its encoding and the fact that it does not require special handling
• in Section 7, to remind implementers that even if there are no invalid or low-order points, protocols might still have to check for equality with the zero element

[kevaundray]

Does the second point also imply that low order points are not representable internally?

[FiloSottile]

Does the second point also imply that low order points are not representable internally?

There are no low-order elements (except the identity element of order 1), so there is no way to represent them. (I don't actually know off the top of my head if low-order Curve25519 points all represent the identity element or if they are unreachable through allowed operations or a mix of the two, but it doesn't matter, because internal representatives MUST NOT be exposed.)