Logic behind selecting even square root for fe_sqrtm1 = sqrt(-1)

Question

That is the logic behind selecting even square root for fe_sqrtm1 = sqrt(-1)

x = sqrt(-1)
x = 547cdb7fb03e20f4d4b2ff66c2042858d0bce7f952d01b873b11e4d8b5f15f3d
x = 2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0

Value 2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0 is used here: https://github.com/monero-project/monero/blob/v0.17.1.9/src/crypto/crypto-ops-data.c#L38

Answer 1

If you follow your link it shows this code:

35     /* sqrt(x) is such an integer y that 0 <= y <= p - 1, y % 2 = 0, and y^2 = x (mod p). */
36     /* d = -121665 / 121666 */
37     const fe fe_d = {-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116}; /* d */
38     const fe fe_sqrtm1 = {-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482}; /* sqrt(-1) */
39     const fe fe_d2 = {-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199}; /* 2 * d */

Searching that GitHub repository for fe_sqrtm1 finds monero/src/crypto/crypto_ops_builder/crypto-ops-old.c where that variable is used here:

1339     fe_mul(h->X, h->X, fe_sqrtm1);     //this is mapping X to X * sqrt(-1) c.f. 3.1 in hisil, dong, etc.

Searching the Internet for "Monero Hisil Dong" finds Mechanics of MobilCoin, April 6th 2021, Preview v0.0.39 by pseudonymous cryptographer U Koe, where Hisil and Dong are each mentioned once in the references:

[55] Changyu Dong. Math in Network Security: A Crash Course; Discrete Logarithm Problem. Wayback: https://www.doc.ic.ac.uk/~mrh/330tutor/ch06s02.html [(previously) Online; accessed 11/26/2020]
.[75] Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson. Twisted Edwards Curves Revisited. Cryptology ePrint Archive, Report 2008/522, 2008. https://eprint.iacr.org/2008/522 [(still) Online; accessed 10/05/2020].

Reference 55 appears only once on page 16:

Calculating the scalar product between any integer n and any point P, nP, is not difficult, whereas
finding n such that P₁ = nP₂ is thought to be computationally hard. By analogy to modular
arithmetic, this is often called the discrete logarithm problem (DLP).¹¹ Scalar multiplication can
be seen as a one-way function, which paves the way for using elliptic curves for cryptography.¹²

¹¹ In modular arithmetic, finding the discrete log of h with respect to g, x, such that g^x = h, is thought to be difficult for some group orders. [55]
¹² No known equation or algorithm can efficiently (based on available technology) solve for n in P₁ = nP₂, meaning it would take many, many years to unravel just one scalar product.
¹³ The private key is sometimes known as a secret key. This lets us abbreviate: pk = public key, sk = secret key.

Reference 75 appears both on pages 13 and 23 of the "Mechanics of MobilCoin" preview.

Answer 2

I believe you'll find that it's the positive (as opposed to "even"), that's chosen (by convention). The positive one has the sign-bit set as 0.