Fix an overflow bug in the square root implementation on 32-bit platforms.

Co-authored-by: Greg Pfeil <greg@electriccoin.co>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to Rust's notion of
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Fixed
+- Fix a bug on 32-bit platforms that could cause the square root implementation
+  to return an incorrect result.
 
 ## [0.5.0] - 2022-12-06
 ### Added

src/arithmetic/fields.rs

@@ -226,7 +226,7 @@ impl<F: SqrtTableHelpers> SqrtTables<F> {
 
         t_ += inv(alpha) << 24; // = t << 1
                                 // 1 == x3 * ROOT_OF_UNITY^t_
-        t_ = (t_ + 1) >> 1;
+        t_ = (((t_ as u64) + 1) >> 1) as usize;
         assert!(t_ <= 0x80000000);
 
         *uv * self.g0[t_ & 0xFF]

src/fields/fp.rs

@@ -798,6 +798,11 @@ fn test_sqrt() {
     assert!(v == Fp::TWO_INV || (-v) == Fp::TWO_INV);
 }
 
+#[test]
+fn test_sqrt_32bit_overflow() {
+    assert!((Fp::from(5)).sqrt().is_none().unwrap_u8() == 1);
+}
+
 #[test]
 fn test_pow_by_t_minus1_over2() {
     // NB: TWO_INV is standing in as a "random" field element

src/fields/fq.rs

@@ -797,6 +797,11 @@ fn test_sqrt() {
     assert!(v == Fq::TWO_INV || (-v) == Fq::TWO_INV);
 }
 
+#[test]
+fn test_sqrt_32bit_overflow() {
+    assert!((Fq::from(5)).sqrt().is_none().unwrap_u8() == 1);
+}
+
 #[test]
 fn test_pow_by_t_minus1_over2() {
     // NB: TWO_INV is standing in as a "random" field element