From 069ec701df22480be2a7d820f5a2095e8e38b19c Mon Sep 17 00:00:00 2001
From: Conner Fromknecht
Date: Thu, 10 Oct 2019 18:00:37 -0700
Subject: [PATCH] btcec/pubkey: normalize sqrt(x^3) before checking parity

This commit fixes an issue introduced in the recent #1429, where the output of SqrtVal is not normalized before using IsOdd() to compare with the expected parity of the y-coordinate. The IsOdd() is only guaranteed to work if the value has been denormalized, so a denormalized sqrt >= p would report the opposite parity. We fix this by normalizing both after compute sqrt(x^3) and when negating the root as directed by the ybit.
---
 btcec/pubkey.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/btcec/pubkey.go b/btcec/pubkey.go
index c72f8705..3c9d5d02 100644
--- a/btcec/pubkey.go
+++ b/btcec/pubkey.go
@@ -38,11 +38,10 @@ func decompressPoint(curve *KoblitzCurve, bigX *big.Int, ybit bool) (*big.Int, e
 // but this was replaced by the algorithms referenced in
 // https://bitcointalk.org/index.php?topic=162805.msg1712294#msg1712294
 var y fieldVal
- y.SqrtVal(&x3)
+ y.SqrtVal(&x3).Normalize()
 if ybit != y.IsOdd() {
- y.Negate(1)
+ y.Negate(1).Normalize()
 }
- y.Normalize()
 
 // Check that y is a square root of x^3 + B.
 var y2 fieldVal
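Review bot: The reason the two added `.Normalize()` calls must stay is invisible in the new lines themselves — a later "cleanup" that drops either one to save a normalization would silently reintroduce the parity bug — so a why-comment above the `y.SqrtVal(&x3).Normalize()` line is warranted: `// IsOdd (and the y^2 == x^3 + B check below) are only meaningful on a normalized value, so normalize after the sqrt and again after the negation.` The commit carries no regression test; since decompressPoint is presumably the path a compressed public key from an untrusted parser takes, a test that decompresses a compressed key of each parity and compares the result with the known uncompressed coordinates would pin this behaviour (I cannot tell from the hunk whether the existing test file already covers it). In the description, "denormalized" in the sentence about IsOdd() appears to mean "normalized". decompressPoint begins before the hunk and its body continues after it.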