I am reading materials related to the Taproot (specially, BIP341) and I know that there is two possible ways to spend the output:
- via key path
- via script path
I also know that the Taproot output contains only the X coordinate, while the Y coordinate is indirectly assumed to be EVEN. So, in case you want to consume the output via the key path, you need to create a signature for the (X, Yeven) point.
However, reading BIP341, one of the consensus rules for spending via the script path is:
If q ≠ x(Q) or c[0] & 1 ≠ y(Q) mod 2, fail.
From the content to the right of OR
, it looks like the first bit (00000000) inside first byte within control block denotes the parity (sign) of the Y coordinate (0
- even Y, 1
- odd Y) and that we must set the correct parity, that is, indirectly, the correct (even/odd) Y coordinate in order to make valid witness.
It follows that although we always use an even Y coordinate when spending via the key path (regardless of whether a point with an even or odd Y coordinate is obtained after tweaking), for spending via the script path we still need to know what was that original point obtained after tweaking (that is, whether it has an even or odd Y coordinate) and to set the correct parity bit. Am I right?
Also, since tweaking by the consensus rules (BIP341) between underlaying key (P) and MAST root is done in a such way that the even Y coordinate of the point P is used, does it mean that if I get from the underlaying private key (not the tweaked one) a point that has an odd Y coordinate, I have to negate it first before further tweaking with the MAST root? And also from this, my private key becomes -private key
, that is, the public key is private key * (-G)
?
Thanks to all in advance.