Check invariant that xonly keys have even y #1892

issue real-or-random opened this issue on July 16, 2026
  1. real-or-random commented at 7:31 AM on July 16, 2026: contributor

    Independently of this PR, I wonder whether creating secp256k1_xonly_pubkey instances with underlying odd y coordinates should be generally prevented, since doing so contradicts the definition of x-only pubkeys in the first place (cc @real-or-random @sipa)? E.g. with a VERIFY check like

    diff --git a/src/modules/extrakeys/main_impl.h b/src/modules/extrakeys/main_impl.h
    index 0c7e266..22bce63 100644
    --- a/src/modules/extrakeys/main_impl.h
    +++ b/src/modules/extrakeys/main_impl.h
    @@ -16,6 +16,13 @@ static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context*
     }
     
     static SECP256K1_INLINE void secp256k1_xonly_pubkey_save(secp256k1_xonly_pubkey *pubkey, secp256k1_ge *ge) {
    +#ifdef VERIFY
    +    /* ensure that the group element's Y coordinate is even */
    +    secp256k1_fe y = ge->y;
    +    secp256k1_fe_normalize_var(&y);
    +    VERIFY_CHECK(!secp256k1_fe_is_odd(&y));
    +#endif
    +
         secp256k1_pubkey_save((secp256k1_pubkey *) pubkey, ge);
     }
     
    
    

    (passes on master, fails only on the silentpayments tests without the proposed patch)

    Originally posted by @theStack in #1765 (review)


    I think the answer is yes, we should check this in the tests.

  2. real-or-random added the label assurance on Jul 16, 2026
  3. real-or-random added the label tweak/refactor on Jul 16, 2026

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-07-17 06:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me