Fused modular square root on 32-bit - wrong "isSquare" result

[mratsim]

Reproduced locally in 32-bit mode (might not be related to 32-bit as the RNG will initialize differently)

test_ec_weierstrass_projective_g1 xoshiro512** seed: 1591646170

[Suite] Elliptic curve in Short Weierstrass form y² = x³ + a x + b with projective coordinates (X, Y, Z): Y²Z = X³ + aXZ² + bZ³ i.e. X = xZ, Y = yZ
  [OK] The infinity point is the neutral element w.r.t. to EC addition
  [OK] Adding opposites gives an infinity point
  [OK] EC add is commutative
  [OK] EC add is associative
    /home/beta/Programming/Nim/constantine/tests/test_ec_weierstrass_projective_g1.nim(170, 19): Check failed: bool(r0 == r1)
  [FAILED] EC double and EC add are consistent
  [OK] EC mul [0]P == Inf
  [OK] EC mul [Order]P == Inf
  [OK] EC mul [1]P == P
  [OK] EC mul [2]P == P.double()
  [OK] EC mul is distributive over EC add
  [OK] EC mul constant-time is equivalent to a simple double-and-add algorithm
Error: execution of an external program failed: '/home/beta/Programming/Nim/constantine/build/test_ec_weierstrass_projective_g1 '

constantine/tests/test_ec_weierstrass_projective_g1.nim

Lines 157 to 175 in 082edaa

	test "EC double and EC add are consistent":
	proc test(F: typedesc, randZ: static bool) =
	for _ in 0 ..< Iters:
	when randZ:
	let a = rng.random_unsafe_with_randZ(ECP_SWei_Proj[F])
	else:
	let a = rng.random_unsafe(ECP_SWei_Proj[F])
	var r0{.noInit.}, r1{.noInit.}: ECP_SWei_Proj[F]
	r0.double(a)
	r1.sum(a, a)
	check: bool(r0 == r1)
	test(Fp[BN254_Snarks], randZ = false)
	test(Fp[BN254_Snarks], randZ = true)
	test(Fp[BLS12_381], randZ = false)
	test(Fp[BLS12_381], randZ = true)

[mratsim]

Similar to #30 and #43 another square root bug:

import
  # Standard library
  std/[unittest, times],
  # Internals
  ../constantine/config/[common, curves],
  ../constantine/arithmetic,
  ../constantine/io/[io_bigints, io_fields],
  ../constantine/elliptic/[ec_weierstrass_affine, ec_weierstrass_projective]

proc trySetFromCoordX_debug*[F](P: var ECP_SWei_Proj[F], x: F): SecretBool =
  ## Try to create a point the elliptic curve
  ## y² = x³ + a x + b     (affine coordinate)
  ##
  ## The `Z` coordinates is set to 1
  ##
  ## return true and update `P` if `x` leads to a valid point
  ## return false otherwise, in that case `P` is undefined.
  ##
  ## Note: Dedicated robust procedures for hashing-to-curve
  ##       will be provided, this is intended for testing purposes.
  P.y.curve_eq_rhs(x)
  # TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377

  echo "P.y: ", P.y.toHex()
  echo "P.y.isSquare: ", bool P.y.isSquare
  result = sqrt_if_square_p3mod4(P.y)
  echo "P.y.wasSquare: ", bool result
  P.x = x
  P.z.setOne()

var a: ECP_SWei_Proj[Fp[BLS12_381]]

var x: Fp[BLS12_381]
x.fromHex("0x1494859e30da25337d020ccf8629c81df7ddab3185acee7a5712c47e2192bc71d6bf74db134d3c7f7f21e43b59242ff3")

let ok = a.trySetFromCoordX_debug(x)

echo "ok: ", bool ok
echo "a.x: ", a.x.toHex()
echo "a.y: ", a.y.toHex()

doAssert bool isOnCurve(a.x, a.y)

var r0{.noInit.}, r1{.noInit.}: ECP_SWei_Proj[Fp[BLS12_381]]

r0.double(a)
r1.sum(a, a)

doAssert bool(r0 == r1)

P.y: 0x0f16d7854229d8804bcadd889f70411d6a482bde840d238033bf868e89558d39d52f9df60b2d745e02584375f16c34a3
P.y.isSquare: false
P.y.wasSquare: true
ok: true
a.x: 0x1494859e30da25337d020ccf8629c81df7ddab3185acee7a5712c47e2192bc71d6bf74db134d3c7f7f21e43b59242ff3
a.y: 0x0aad1bf39cd801cc5b917b70205bac4706e330eb8b5bac50967780f9db6025149b60fe93402bdea86f4b403807d3f4ea
...../Programming/Nim/constantine/build/debug_double_add.nim(43) debug_double_add
...../.choosenim/toolchains/nim-#devel/lib/system/assertions.nim(29) failedAssertImpl
...../.choosenim/toolchains/nim-#devel/lib/system/assertions.nim(22) raiseAssert
...../.choosenim/toolchains/nim-#devel/lib/system/fatal.nim(49) sysFatal
Error: unhandled exception: /home/beta/Programming/Nim/constantine/build/debug_double_add.nim(43, 10) `bool isOnCurve(a.x, a.y)`  [AssertionDefect]