elliptic-curve: expose AffineCoordinates::y (#1891)

In the past we've deliberately avoided exposing the y-coordinate to
prevent the possibility of things like invalid curve attacks, although
with time we have exposed more and more to support things like
alternative point compression formats. See #1237 for some history.

We're now trying to use these traits with Edwards curves like Curve25519
(in `curve25519-dalek`) and Ed448-Goldilocks, which use compressed
Edwards y-coordinates as their compressed point format. That requires
y-coordinate access.

As such, this changes the previous `y_is_odd` method, which was used to
implement SEC1-like compressed points, to a full `fn y` which returns a
serialized field element for the y-coordinate.

Closes #1019

Author: tarcieri

elliptic-curve/src/dev.rs

@@ -473,6 +473,14 @@ impl AffineCoordinates for AffinePoint {
         unimplemented!();
     }
 
+    fn y(&self) -> FieldBytes {
+        unimplemented!();
+    }
+
+    fn x_is_odd(&self) -> Choice {
+        unimplemented!();
+    }
+
     fn y_is_odd(&self) -> Choice {
         unimplemented!();
     }

elliptic-curve/src/point.rs

@@ -22,12 +22,18 @@ pub type ProjectivePoint<C> = <C as CurveArithmetic>::ProjectivePoint;
 /// Access to the affine coordinates of an elliptic curve point.
 // TODO: use zkcrypto/group#30 coordinate API when available
 pub trait AffineCoordinates {
-    /// Field element representation.
+    /// Field element representation with curve-specific serialization/endianness.
     type FieldRepr: AsRef<[u8]>;
 
     /// Get the affine x-coordinate as a serialized field element.
     fn x(&self) -> Self::FieldRepr;
 
+    /// Get the affine y-coordinate as a serialized field element.
+    fn y(&self) -> Self::FieldRepr;
+
+    /// Is the affine x-coordinate odd?
+    fn x_is_odd(&self) -> Choice;
+
     /// Is the affine y-coordinate odd?
     fn y_is_odd(&self) -> Choice;
 }