From 05da8ed8bfd3de97e65c6e91ef65d64a6ab78d73 Mon Sep 17 00:00:00 2001
From: Bogdan Opanchuk
Date: Mon, 14 Mar 2022 12:06:50 -0700
Subject: [PATCH] Normalize field elements before checking for is_odd()
---
 k256/src/arithmetic/affine.rs | 1 +
 k256/src/ecdsa/sign.rs | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/k256/src/arithmetic/affine.rs b/k256/src/arithmetic/affine.rs
index fc5a4b2e..bd0ca171 100644
--- a/k256/src/arithmetic/affine.rs
+++ b/k256/src/arithmetic/affine.rs
@@ -151,6 +151,7 @@ impl DecompressPoint for AffinePoint {
 let beta = alpha.sqrt();
 beta.map(|beta| {
+ let beta = beta.normalize(); // Need to normalize for is_odd() to be consistent
 let y = FieldElement::conditional_select(
 &beta.negate(1),
 &beta,
diff --git a/k256/src/ecdsa/sign.rs b/k256/src/ecdsa/sign.rs
index 4b69e62e..beca67d1 100644
--- a/k256/src/ecdsa/sign.rs
+++ b/k256/src/ecdsa/sign.rs
@@ -224,7 +224,7 @@ impl SignPrimitive for Scalar {
 }
 let signature = Signature::from_scalars(r, s)?;
- let is_r_odd: bool = R.y.is_odd().into();
+ let is_r_odd: bool = R.y.normalize().is_odd().into();
 let is_s_high: bool = signature.s().is_high().into();
 let signature_low = signature.normalize_s().unwrap_or(signature);
 let recovery_id = ecdsa_core::RecoveryId::new(is_r_odd ^ is_s_high, false);
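Review bot: The normalization requirement of `is_odd()` is still enforced only at the call sites, here on `beta` and again on `R.y` in the `k256/src/ecdsa/sign.rs` hunk, so any other caller that passes an un-normalized `FieldElement` would silently get a representation-dependent parity. `is_odd()` itself is not visible in this patch, so this is inferred from the commit's own comment; if it holds, state the precondition in its doc comment, e.g. `/// The element must be normalized; call normalize() first.`, and consider a debug-build assertion there. In decompression a wrong parity selects the negated y, which is a different valid curve point that nothing downstream would reject. The closure body continues past the end of the hunk, including the `is_odd()` call the new comment refers to.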
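Review bot: No test accompanies the change to `is_r_odd` in `k256/src/ecdsa/sign.rs`; the diffstat lists only the two source files. The `(r, s)` pair is built before `is_r_odd` is computed, so a wrong parity leaves a signature that still verifies and only the recovery id is off, which makes a regression easy to miss. A round-trip test that signs, recovers the public key from the signature and recovery id, and compares it with the signer's key would pin the behaviour. The changed line would also benefit from the same kind of comment the affine.rs hunk got, e.g. `// normalize so is_odd() sees the canonical representation`. The enclosing function starts and ends outside the hunk.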