Independently of this PR, I wonder whether creating secp256k1_xonly_pubkey instances with underlying odd y coordinates should be generally prevented, since doing so contradicts the definition of x-only pubkeys in the first place (cc @real-or-random @sipa)? E.g. with a VERIFY check like
diff --git a/src/modules/extrakeys/main_impl.h b/src/modules/extrakeys/main_impl.h
index 0c7e266..22bce63 100644
--- a/src/modules/extrakeys/main_impl.h
+++ b/src/modules/extrakeys/main_impl.h
@@ -16,6 +16,13 @@ static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context*
}
static SECP256K1_INLINE void secp256k1_xonly_pubkey_save(secp256k1_xonly_pubkey *pubkey, secp256k1_ge *ge) {
+#ifdef VERIFY
+ /* ensure that the group element's Y coordinate is even */
+ secp256k1_fe y = ge->y;
+ secp256k1_fe_normalize_var(&y);
+ VERIFY_CHECK(!secp256k1_fe_is_odd(&y));
+#endif
+
secp256k1_pubkey_save((secp256k1_pubkey *) pubkey, ge);
}
(passes on master, fails only on the silentpayments tests without the proposed patch)
Originally posted by @theStack in #1765 (review)
I think the answer is yes, we should check this in the tests.