.\" $OpenBSD: BN_mod_sqrt.3,v 1.2 2022/12/06 22:22:42 tb Exp $ .\" .\" Copyright (c) 2022 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .Dd $Mdocdate: December 6 2022 $ .Dt BN_MOD_SQRT 3 .Os .Sh NAME .Nm BN_mod_sqrt .Nd square root in a prime field .Sh SYNOPSIS .In openssl/bn.h .Ft BIGNUM * .Fo BN_mod_sqrt .Fa "BIGNUM *r" .Fa "const BIGNUM *a" .Fa "const BIGNUM *p" .Fa "BN_CTX *ctx" .Fc .Sh DESCRIPTION .Fn BN_mod_sqrt solves .Bd -unfilled -offset indent .EQ r sup 2 == a ( roman mod p ) .EN .Ed .Pp for .Fa r in the prime field of characteristic .Fa p using the Tonelli-Shanks algorithm if needed and places one of the two solutions into .Fa r . The other solution is .Fa p \- .Fa r . .Pp The argument .Fa p is expected to be a prime number. .Sh RETURN VALUES In case of success, .Fn BN_mod_sqrt returns .Fa r , or a newly allocated .Vt BIGNUM object if the .Fa r argument is .Dv NULL . .Pp In case of failure, .Dv NULL is returned. This for example happens if .Fa a is not a quadratic residue or if memory allocation fails. .Sh SEE ALSO .Xr BN_CTX_new 3 , .Xr BN_kronecker 3 , .Xr BN_mod_sqr 3 , .Xr BN_new 3 .Rs .%A Henri Cohen .%B A Course in Computational Algebraic Number Theory .%I Springer .%C Berlin .%D 1993 .%O Algorithm 1.5.1 .Re .Sh HISTORY .Fn BN_mod_sqrt first appeared in OpenSSL 0.9.7 and has been available since .Ox 3.2 . .Sh CAVEATS If .Fa p is not prime, .Fn BN_mod_sqrt may succeed or fail. If it succeeds, the square of the returned value is congruent to .Fa a modulo .Fa p . If it fails, the reason reported by .Xr ERR_get_error 3 is often misleading. In particular, even if .Fa a is a perfect square, .Fn BN_mod_sqrt often reports .Dq not a square instead of .Dq p is not prime .