p224SqrtCandidate sets r to a square root candidate for x. r and x must not overlap. func p224SqrtCandidate(r, x *fiat.P224Element) { // Since p = 1 mod 4, we can't use the exponentiation by (p + 1) / 4 like // for the other primes. Instead, implement a variation of Tonelli–Shanks. // The constant-time implementation is adapted from Thomas Pornin's ecGFp5. // // https://github.com/pornin/ecgfp5/blob/82325b965/rust/src/field.rs#L337-L385 // p = q*2^n + 1 with q odd -> q = 2^128 - 1 and n = 96 // g^(2^n) =...