From be340277fcaa57a813a898700c1aef9637cfa90e Mon Sep 17 00:00:00 2001
From: Jonas Nick <jonasd.nick@gmail.com>
Date: Mon, 24 Oct 2022 20:33:05 +0000
Subject: BIP 341: Fix taproot_tweak_pubkey

`lift_x` returns `None` if the input integer is not an X coordinate on the curve
to indicate failure. `point_add`, on the other hand, interprets `None` as the
point at infinity. Therefore, without this commit, if the internal `pubkey` is
not a valid X coordinate, the function will not fail, which contradicts the
specification in the "Script validation rules section". Instead, it sets `Q` to
`t*G`.
---
 bip-0341.mediawiki | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'bip-0341.mediawiki')

diff --git a/bip-0341.mediawiki b/bip-0341.mediawiki
index 504514e..17a1797 100644
--- a/bip-0341.mediawiki
+++ b/bip-0341.mediawiki
@@ -182,7 +182,10 @@ def taproot_tweak_pubkey(pubkey, h):
     t = int_from_bytes(tagged_hash("TapTweak", pubkey + h))
     if t >= SECP256K1_ORDER:
         raise ValueError
-    Q = point_add(lift_x(int(pubkey)), point_mul(G, t))
+    P = lift_x(int_from_bytes(pubkey))
+    if P is None:
+        raise ValueError
+    Q = point_add(P, point_mul(G, t))
     return 0 if has_even_y(Q) else 1, bytes_from_int(x(Q))
 
 def taproot_tweak_seckey(seckey0, h):
-- 
cgit v1.2.3