X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/7c40480318648672af86e03bc72bc45c07194c37..222c8a436f09da82e2ee7c84c7aca47d11a2c843:/mp-modsqrt.c
diff --git a/mp-modsqrt.c b/mp-modsqrt.c
index f9e4b0f..1cacacd 100644
--- a/mp-modsqrt.c
+++ b/mp-modsqrt.c
@@ -51,6 +51,9 @@
 * work if %$p$% is composite: you must factor the modulus, take
 * a square root mod each factor, and recombine the results
 * using the Chinese Remainder Theorem.
+ *
+ * We guarantee that the square root returned is the smallest
+ * one (i.e., the `positive' square root).
 */
 mp *mp_modsqrt(mp *d, mp *a, mp *p)
@@ -131,9 +134,14 @@ mp *mp_modsqrt(mp *d, mp *a, mp *p)
 c = mpmont_reduce(&mm, c, c);
 }
- /* --- Done, so tidy up --- */
+ /* --- Done, so tidy up --- *
+ *
+ * Canonify the answer.
+ */
 d = mpmont_reduce(&mm, d, r);
+ r = mp_sub(r, p, d);
+ if (MP_CMP(r, <, d)) { mp *tt = r; r = d; d = tt; }
 mp_drop(ainv); mp_drop(r); mp_drop(c); mp_drop(dd);
@@ -161,11 +169,6 @@ static int verify(dstr *v)
 ok = 0;
 else if (MP_EQ(r, rr))
 ok = 1;
- else {
- r = mp_sub(r, p, r);
- if (MP_EQ(r, rr))
- ok = 1;
- }
 if (!ok) {
 fputs("\n*** fail\n", stderr);
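Review bot: The new header sentence calls the returned value the "`positive' square root", which has no meaning modulo p; the property the code actually establishes (see the canonification further down) is that the result is the smaller of the two roots, and a caller reading the comment needs the exact range to rely on it. I would replace the added two lines with `* We guarantee that the square root returned is the smaller of the two, i.e. the one in the range [0, (p - 1)/2]; the other root is p - d.` The guarantee is only meaningful for odd prime p, which the surrounding paragraph already restricts the function to; for a == 0 both roots coincide at 0. The comment block this hunk edits begins before the hunk.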
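Review bot: The root selection after `d = mpmont_reduce(&mm, d, r);` is made by a value-dependent branch, `if (MP_CMP(r, <, d))`, and MP_CMP itself presumably compares limbs with early exit, so execution time reveals which of the two roots the loop produced, i.e. one bit about the result. That is harmless while mp_modsqrt is only applied to public values, but nothing in the file says so; either state it in the header comment or do the selection with a constant-time conditional swap if Catacomb has one. The "Canonify the answer" comment should also record the invariant and the zero case, e.g. `/* Keep the smaller of d and p - d, so 0 <= d <= (p - 1)/2; the other root is p - d.  When a == 0, d == 0 and p - d == p, so the compare leaves d alone. */`. The swap assumes the reduced d already lies in [0, p), which I take to be a property of mpmont_reduce but cannot confirm from this hunk; the remainder of mp_modsqrt after the mp_drop line (Montgomery teardown and return) is outside the hunk.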
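Review bot: Dropping the `else` fallback makes the test vectors the sole definition of which root is canonical, yet the vector data is not part of this diff, so any existing vector that recorded the larger root now fails, and conversely the test no longer checks the new "smallest root" guarantee at all — it only checks equality with whatever the vector says. I would have verify assert the property directly in the success branch: `else if (MP_EQ(r, rr)) { mp *s = mp_sub(MP_NEW, p, r); ok = MP_CMP(r, <=, s); mp_drop(s); }`, which catches both a stale vector and a regression in the canonification. If the vectors were regenerated in the same commit this is belt-and-braces, but I cannot see that from here. The head of verify (where r and rr are produced and the `ok = 0` condition is tested) and its tail lie outside the hunk.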