From 214c9aa553515b9f15e62b537f83fa4c62552d56 Mon Sep 17 00:00:00 2001
From: Paul Miller <paul@paulmillr.com>
Date: Mon, 27 Feb 2023 16:20:13 +0000
Subject: [PATCH] secp256k1: Fix schnorrGetExtPubKey y coordinate

---
 src/secp256k1.ts | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/secp256k1.ts b/src/secp256k1.ts
index 4e94bae..efe00bd 100644
--- a/src/secp256k1.ts
+++ b/src/secp256k1.ts
@@ -117,10 +117,13 @@ const GmulAdd = (Q: PointType<bigint>, a: bigint, b: bigint) =>
   Point.BASE.multiplyAndAddUnsafe(Q, a, b);
 // Calculate point, scalar and bytes
 function schnorrGetExtPubKey(priv: PrivKey) {
-  const d = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey
-  const point = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
-  const scalar = point.hasEvenY() ? d : modN(-d); // d = d' if has_even_y(P), otherwise d = n-d'
-  return { point, scalar, bytes: pointToBytes(point) };
+  let d = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey
+  let p = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
+  if (!p.hasEvenY()) {
+    d = modN(-d);
+    p = p.negate();
+  }
+  return { point: p, scalar: d, bytes: pointToBytes(p) };
 }
 /**
  * lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.