Description
My suggestion is to either
A) Rewrite shallue_van_de_woestijne. The natural result for t equal to 0 is the point with x-coordinate d. In particular this is what the cited paper suggests that the function do.
or
B) Have secp256k1_generator_generate_internal return 0 if it calls shallue_van_de_woestijne with 0.
My preference would be for (A). The existing elements codebase already just crashes if secp256k1_generator_generate_internal returns 0. Therefore doing a cryptographically impossible hard-fork is not materially worse.
Doing (A) totally addresses the issue while doing (B) requires still doing point addition with off-curve points in violation of that code's preconditions. While all the functions being called in secp256k1_generator_generate_internal should be safe to run on off-curve points, some code (such as some scalar multiplication operations) really does require on-curve points to avoid undefined behavior.
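As an added illustration (not code from this issue or from libsecp256k1-zkp), the following is a small reference implementation of the Shallue-van de Woestijne map for y^2 = x^3 + 7 over the secp256k1 field, using the Fouque-Tibouchi formulation (w = sqrt(-3)*t/(1+b+t^2), x1 = d - t*w, x2 = -1 - x1, x3 = 1 + 1/w^2 with d = (-1+sqrt(-3))/2), with t = 0 special-cased to x = d as option (A) proposes. It checks that the t = 0 output actually lies on the curve, which is the point of the suggestion; the helper names are my own.

```python
# Reference Shallue-van de Woestijne map on secp256k1 (added example, not the
# library's code). Field prime p satisfies p = 3 (mod 4), p = 1 (mod 3) and
# p = 7 (mod 8), which the comments below rely on.
P = 2**256 - 2**32 - 977
B = 7

def inv(a):
    return pow(a, P - 2, P)

def sqrt_mod_p(a):
    """Square root of a mod P, or None if a is a non-residue (P = 3 mod 4)."""
    a %= P
    r = pow(a, (P + 1) // 4, P)
    return r if (r * r) % P == a else None

C = sqrt_mod_p(P - 3)            # sqrt(-3) exists because P = 1 (mod 3)
D = ((P - 1 + C) * inv(2)) % P   # d = (-1 + sqrt(-3))/2, a primitive cube root of 1

def rhs(x):
    return (x**3 + B) % P

def is_on_curve(x, y):
    return (y * y - rhs(x)) % P == 0

def sw_map(t):
    """Map field element t to an affine point (x, y) on y^2 = x^3 + 7.

    For t != 0 the paper guarantees at least one of x1, x2, x3 has a square
    right-hand side. For t = 0 we have w = 0, so x3 = 1 + 1/w^2 is undefined;
    the natural value is x1 = d, and d^3 + 7 = 8 is a square since 2 is a
    quadratic residue mod P (P = 7 mod 8), so that point is on the curve.
    """
    t %= P
    if t == 0:
        cands = [D]
    else:
        # 1 + b + t^2 is never 0 here: t^2 = -8 has no solution (-1 is a non-residue)
        w = (C * t * inv(1 + B + t * t)) % P
        x1 = (D - t * w) % P
        x2 = (-1 - x1) % P
        x3 = (1 + inv(w * w)) % P
        cands = [x1, x2, x3]
    for x in cands:
        y = sqrt_mod_p(rhs(x))
        if y is not None:
            return x, min(y, P - y)   # deterministic choice between the two roots
    raise ValueError("no candidate x-coordinate is on the curve")
```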