Since p = 1 mod 4, we can't use the exponentiation by (p + 1) / 4 like // for the other primes. Instead, implement a variation of Tonelli–Shanks. // The constant-time implementation is adapted from Thomas Pornin's ecGFp5. // // https://github.com/pornin/ecgfp5/blob/82325b965/rust/src/field.rs#L337-L385 // p = q*2^n + 1 with q odd -> q = 2^128 - 1 and n = 96 // g^(2^n) = 1 -> g = 11 ^ q (where 11 is the smallest non-square) // GG[j] = g^(2^j) for j = 0 to n-1 p224GGOnce.Do(func() { p224GG = new([...

Since p = 1 mod 4, we can't use the exponentiation by (p + 1) / 4 like // for the other primes. Instead, implement a variation of Tonelli–Shanks. // The constant-time implementation is adapted from Thomas Pornin's ecGFp5. // // https://github.com/pornin/ecgfp5/blob/82325b965/rust/src/field.rs#L337-L385 // p = q*2^n + 1 with q odd -> q = 2^128 - 1 and n = 96 // g^(2^n) = 1 -> g = 11 ^ q (where 11 is the smallest non-square) // GG[j] = g^(2^j) for j = 0 to n-1 p224GGOnce.Do(func() { p224GG = new([...