Detecting an asymmetric Curve25519 backdoor in RSA key generation algorithms

It seems trivial to avoid detection: Just generate a random number, and if it's a valid x-coordinate, only then backdoor it. Sure, you'll only backdoor half the keys, but then you have to weigh whether the probability of being detected and severity of it is worth the cost.

If anyone's particularly bored, the password, from which the master key used in my original backdoor is derived, should be fairly easy to crack. It is eight nonrandom characters.

Of course, the Elligator and related mappings allow for (a subset of) valid curve points to be mapped to indistinguishable bit strings, which is very handy in some protocols. A backdoor merchant using Elligator 2, or Elligator Squared, in this particular setup wouldn't be detectable.