We actually want better tests for this; even just code coverage is better than nothing here. My code does not seem to have any either, sorry about that. I do not have time to implement this right now and I am not sure when I will. So I am just writing something here with no well-thought intent. Some things that are probably true, and if they are, would be useful to check:
Any multiple of the base point should unmarshal correctly.
x_B + y_S should return error if B is the base point and S is a point of order 2 or order 4 and y is less than its order.
There is an additional complication that a normal elliptic curve library might not even care to support the "bad" points, so using them for testing might end up being awkward. In particular, multiplication y*S does clear the low bits of y in some libraries, which would not work here.
from @andres-erbsen referring to https://github.com/yahoo/end-to-end/pull/58/files#diff-a0c7c92381b7dc233e58a7f3139fe63cR36
We actually want better tests for this; even just code coverage is better than nothing here. My code does not seem to have any either, sorry about that. I do not have time to implement this right now and I am not sure when I will. So I am just writing something here with no well-thought intent. Some things that are probably true, and if they are, would be useful to check:
There is an additional complication that a normal elliptic curve library might not even care to support the "bad" points, so using them for testing might end up being awkward. In particular, multiplication y*S does clear the low bits of y in some libraries, which would not work here.