Since p = 1 mod 4, we can't use the exponentiation by (p + 1) / 4 like // for the other primes. Instead, implement a variation of Tonelli–Shanks. // The constant-time implementation is adapted from Thomas Pornin's ecGFp5. // // https://github.com/pornin/ecgfp5/blob/82325b965/rust/src/field.rs#L337-L385 // p = q*2^n + 1 with q odd -> q = 2^128 - 1 and n = 96 // g^(2^n) = 1 -> g = 11 ^ q (where 11 is the smallest non-square) // GG[j] = g^(2^j) for j = 0 to n-1 p224GGOnce.Do(func() { p224GG = new([...

Mateusz Chudyk, Matt Conley, mbhuiyan, mdfaijul, Mei Jie, Melissa Grueter,
merturl, MichaelKonobeev, Michael KäUfl, Michal W. Tarnowski, MickaëL
Schoentgen, Miguel Morin, Mihail Salnikov, Mikalai Drabovich, Mike Arpaia, Mike
Holcomb, minds, monklof, Moses Marin, mpppk, Mr. Metal, Mshr-H, musikisomorphie,
nammbash, Natalia Gimelshein, Nathan Luehr, Nayana-Ibm, Nayana Thorat, neargye,